From e6fffbd9b0d58aebb67625036c87789f6f64bc0c Mon Sep 17 00:00:00 2001 From: hadasi6 Date: Wed, 25 Mar 2026 17:40:02 +0200 Subject: [PATCH 1/2] SecurityInsights: update test recordings, fix test scripts, and resolve API issues for AutoRest v4 migration --- .../Properties/AssemblyInfo.cs | 5 +- .../SecurityInsights.Autorest/README.md | 8 + .../custom/New-AzSentinelDataConnector.ps1 | 4 +- .../docs/Az.SecurityInsights.md | 2 +- .../docs/New-AzSentinelBookmark.md | 33 +- .../docs/Update-AzSentinelBookmark.md | 36 +- .../generate-info.json | 2 +- .../Get-AzSentinelAlertRule.Recording.json | 114 +++-- ...t-AzSentinelAlertRuleAction.Recording.json | 112 +++-- ...AzSentinelAlertRuleTemplate.Recording.json | 120 ++--- ...et-AzSentinelAutomationRule.Recording.json | 116 ++--- .../Get-AzSentinelBookmark.Recording.json | 120 ++--- ...-AzSentinelBookmarkRelation.Recording.json | 112 +++-- ...Get-AzSentinelDataConnector.Recording.json | 110 +++-- .../Get-AzSentinelEnrichment.Recording.json | 60 +-- .../test/Get-AzSentinelEntity.Recording.json | 174 ++++--- ...et-AzSentinelEntityActivity.Recording.json | 60 +-- ...Get-AzSentinelEntityInsight.Recording.json | 58 ++- .../Get-AzSentinelEntityQuery.Recording.json | 112 +++-- ...SentinelEntityQueryTemplate.Recording.json | 88 ++-- ...et-AzSentinelEntityTimeline.Recording.json | 53 ++- .../Get-AzSentinelIncident.Recording.json | 120 ++--- ...Get-AzSentinelIncidentAlert.Recording.json | 57 ++- ...-AzSentinelIncidentBookmark.Recording.json | 29 +- ...t-AzSentinelIncidentComment.Recording.json | 58 +-- ...et-AzSentinelIncidentEntity.Recording.json | 57 ++- ...-AzSentinelIncidentRelation.Recording.json | 108 +++-- .../Get-AzSentinelMetadata.Recording.json | 120 ++--- ...t-AzSentinelOnboardingState.Recording.json | 108 +++-- .../test/Get-AzSentinelSetting.Recording.json | 56 ++- ...ThreatIntelligenceIndicator.Recording.json | 60 +-- ...IntelligenceIndicatorMetric.Recording.json | 30 +- ...tIntelligenceIndicatorQuery.Recording.json | 28 +- .../New-AzSentinelAlertRule.Recording.json | 27 +- ...w-AzSentinelAlertRuleAction.Recording.json | 49 +- ...ew-AzSentinelAutomationRule.Recording.json | 26 +- .../New-AzSentinelBookmark.Recording.json | 28 +- ...-AzSentinelBookmarkRelation.Recording.json | 78 ++-- ...New-AzSentinelDataConnector.Recording.json | 26 +- .../New-AzSentinelEntityQuery.Recording.json | 25 +- .../New-AzSentinelIncident.Recording.json | 24 +- ...w-AzSentinelIncidentComment.Recording.json | 50 +- ...-AzSentinelIncidentRelation.Recording.json | 77 +-- .../New-AzSentinelIncidentTeam.Recording.json | 52 ++- .../Remove-AzSentinelAlertRule.Recording.json | 78 ++-- ...e-AzSentinelAlertRuleAction.Recording.json | 78 ++-- ...ve-AzSentinelAutomationRule.Recording.json | 79 ++-- .../Remove-AzSentinelBookmark.Recording.json | 80 ++-- ...-AzSentinelBookmarkRelation.Recording.json | 78 ++-- ...ove-AzSentinelDataConnector.Recording.json | 100 ++-- .../Remove-AzSentinelDataConnector.Tests.ps1 | 23 +- ...emove-AzSentinelEntityQuery.Recording.json | 78 ++-- .../Remove-AzSentinelIncident.Recording.json | 78 ++-- ...e-AzSentinelIncidentComment.Recording.json | 77 +-- ...-AzSentinelIncidentRelation.Recording.json | 75 +-- ...e-AzSentinelOnboardingState.Recording.json | 25 +- .../Update-AzSentinelAlertRule.Recording.json | 38 -- ...e-AzSentinelAlertRuleAction.Recording.json | 78 ++-- ...te-AzSentinelAutomationRule.Recording.json | 200 ++++++-- .../Update-AzSentinelBookmark.Recording.json | 206 +++++++-- ...-AzSentinelBookmarkRelation.Recording.json | 220 ++++++--- ...ate-AzSentinelDataConnector.Recording.json | 115 ----- ...pdate-AzSentinelEntityQuery.Recording.json | 115 ----- .../Update-AzSentinelIncident.Recording.json | 198 ++++++-- ...e-AzSentinelIncidentComment.Recording.json | 171 +++++-- ...-AzSentinelIncidentRelation.Recording.json | 227 ++++++--- ...pdate-AzSentinelIncidentRelation.Tests.ps1 | 10 +- .../Update-AzSentinelSetting.Recording.json | 125 ----- .../SecurityInsights.Autorest/test/common.ps1 | 30 +- .../alertRule/template.parameters.json | 6 +- .../alertRuleAction/template.parameters.json | 12 +- .../authorization/template.parameters.json | 2 +- .../automationRule/template.parameters.json | 8 +- .../bookmark/template.parameters.json | 10 +- .../bookmarkRelation/template.parameters.json | 16 +- .../customData/alertRules.parameters.json | 8 +- .../dataConnector/template.parameters.json | 6 +- .../entityQuery/template.parameters.json | 4 +- .../incident/template.parameters.json | 4 +- .../incidentComment/template.parameters.json | 8 +- .../incidentRelation/template.parameters.json | 16 +- .../metadata/template.parameters.json | 2 +- .../template.parameters.json | 8 +- .../workspace/template.parameters.json | 6 +- .../SecurityInsights.Autorest/test/env.json | 437 +++++++++--------- .../SecurityInsights.Autorest/test/utils.ps1 | 54 ++- src/SecurityInsights/SecurityInsights.sln | 28 +- .../SecurityInsights/Az.SecurityInsights.psd1 | 12 +- .../help/New-AzSentinelBookmark.md | 34 +- .../help/Update-AzSentinelBookmark.md | 37 +- 90 files changed, 3460 insertions(+), 2632 deletions(-) delete mode 100644 src/SecurityInsights/SecurityInsights.Autorest/test/Update-AzSentinelAlertRule.Recording.json delete mode 100644 src/SecurityInsights/SecurityInsights.Autorest/test/Update-AzSentinelDataConnector.Recording.json delete mode 100644 src/SecurityInsights/SecurityInsights.Autorest/test/Update-AzSentinelEntityQuery.Recording.json delete mode 100644 src/SecurityInsights/SecurityInsights.Autorest/test/Update-AzSentinelSetting.Recording.json diff --git a/src/SecurityInsights/SecurityInsights.Autorest/Properties/AssemblyInfo.cs b/src/SecurityInsights/SecurityInsights.Autorest/Properties/AssemblyInfo.cs index 513eeb36568b..6019456e7798 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/Properties/AssemblyInfo.cs +++ b/src/SecurityInsights/SecurityInsights.Autorest/Properties/AssemblyInfo.cs @@ -20,7 +20,8 @@ [assembly: System.Reflection.AssemblyCopyrightAttribute("Copyright © Microsoft")] [assembly: System.Reflection.AssemblyProductAttribute("Microsoft Azure PowerShell")] [assembly: System.Reflection.AssemblyTitleAttribute("Microsoft Azure PowerShell - SecurityInsights")] -[assembly: System.Reflection.AssemblyFileVersionAttribute("3.2.0")] -[assembly: System.Reflection.AssemblyVersionAttribute("3.2.0")] +[assembly: System.Reflection.AssemblyFileVersionAttribute("3.2.1")] +[assembly: System.Reflection.AssemblyVersionAttribute("3.2.1")] [assembly: System.Runtime.InteropServices.ComVisibleAttribute(false)] [assembly: System.CLSCompliantAttribute(false)] + diff --git a/src/SecurityInsights/SecurityInsights.Autorest/README.md b/src/SecurityInsights/SecurityInsights.Autorest/README.md index 58b22c1c9e70..17e5e6f3edf4 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/README.md +++ b/src/SecurityInsights/SecurityInsights.Autorest/README.md @@ -75,6 +75,14 @@ subject-prefix: Sentinel inlining-threshold: 50 directive: + # Fix Update PUT partial createdBy/updatedBy 400 error + - from: swagger-document + where: $.definitions.UserInfo + transform: >- + delete $.properties.email.readOnly; + $.properties.email['x-ms-mutability'] = ['read','update','create']; + delete $.properties.name.readOnly; + $.properties.name['x-ms-mutability'] = ['read','update','create']; # Customize # Hide Operation API # - where: diff --git a/src/SecurityInsights/SecurityInsights.Autorest/custom/New-AzSentinelDataConnector.ps1 b/src/SecurityInsights/SecurityInsights.Autorest/custom/New-AzSentinelDataConnector.ps1 index 48b2d2bc8a4a..d275a2d1c5ff 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/custom/New-AzSentinelDataConnector.ps1 +++ b/src/SecurityInsights/SecurityInsights.Autorest/custom/New-AzSentinelDataConnector.ps1 @@ -675,11 +675,11 @@ function New-AzSentinelDataConnector { } If($PSBoundParameters['PermissionResourceProvider']){ - $DataConnector.AvailabilityStatus = $PSBoundParameters['PermissionResourceProvider'] + $DataConnector.PermissionResourceProvider = $PSBoundParameters['PermissionResourceProvider'] $null = $PSBoundParameters.Remove('PermissionResourceProvider') } ElseIf($PSBoundParameters['PermissionCustom']){ - $DataConnector.AvailabilityStatus = $PSBoundParameters['PermissionCustom'] + $DataConnector.PermissionCustom = $PSBoundParameters['PermissionCustom'] $null = $PSBoundParameters.Remove('PermissionCustom') } Else { diff --git a/src/SecurityInsights/SecurityInsights.Autorest/docs/Az.SecurityInsights.md b/src/SecurityInsights/SecurityInsights.Autorest/docs/Az.SecurityInsights.md index a5d1a1aa224b..8659cb07807a 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/docs/Az.SecurityInsights.md +++ b/src/SecurityInsights/SecurityInsights.Autorest/docs/Az.SecurityInsights.md @@ -1,6 +1,6 @@ --- Module Name: Az.SecurityInsights -Module Guid: 298386b9-d78e-4fbf-b690-2c7302ee3980 +Module Guid: 32ffa026-b93b-45e7-90d3-f726efee69c7 Download Help Link: https://learn.microsoft.com/powershell/module/az.securityinsights Help Version: 1.0.0.0 Locale: en-US diff --git a/src/SecurityInsights/SecurityInsights.Autorest/docs/New-AzSentinelBookmark.md b/src/SecurityInsights/SecurityInsights.Autorest/docs/New-AzSentinelBookmark.md index 3fd42d0dba6c..a2983a4669ad 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/docs/New-AzSentinelBookmark.md +++ b/src/SecurityInsights/SecurityInsights.Autorest/docs/New-AzSentinelBookmark.md @@ -18,7 +18,8 @@ New-AzSentinelBookmark -ResourceGroupName -WorkspaceName [-Id [-SubscriptionId ] [-DisplayName ] [-EventTime ] [-IncidentInfoIncidentId ] [-IncidentInfoRelationName ] [-IncidentInfoSeverity ] [-IncidentInfoTitle ] [-Label ] [-Note ] [-Query ] [-QueryEndTime ] [-QueryResult ] - [-QueryStartTime ] [-DefaultProfile ] [-Confirm] [-WhatIf] [] + [-QueryStartTime ] [-UpdatedByEmail ] [-UpdatedByName ] + [-DefaultProfile ] [-Confirm] [-WhatIf] [] ``` ### CreateViaJsonFilePath @@ -330,6 +331,36 @@ Accept pipeline input: False Accept wildcard characters: False ``` +### -UpdatedByEmail +The email of the user. + +```yaml +Type: System.String +Parameter Sets: CreateExpanded +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -UpdatedByName +The name of the user. + +```yaml +Type: System.String +Parameter Sets: CreateExpanded +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + ### -WorkspaceName The name of the workspace. diff --git a/src/SecurityInsights/SecurityInsights.Autorest/docs/Update-AzSentinelBookmark.md b/src/SecurityInsights/SecurityInsights.Autorest/docs/Update-AzSentinelBookmark.md index 206c1f97e4bf..7dfd9e2e13d3 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/docs/Update-AzSentinelBookmark.md +++ b/src/SecurityInsights/SecurityInsights.Autorest/docs/Update-AzSentinelBookmark.md @@ -18,7 +18,8 @@ Update-AzSentinelBookmark -Id -ResourceGroupName -WorkspaceNam [-SubscriptionId ] [-DisplayName ] [-EventTime ] [-IncidentInfoIncidentId ] [-IncidentInfoRelationName ] [-IncidentInfoSeverity ] [-IncidentInfoTitle ] [-Label ] [-Note ] [-Query ] [-QueryEndTime ] [-QueryResult ] - [-QueryStartTime ] [-DefaultProfile ] [-Confirm] [-WhatIf] [] + [-QueryStartTime ] [-UpdatedByEmail ] [-UpdatedByName ] + [-DefaultProfile ] [-Confirm] [-WhatIf] [] ``` ### UpdateViaIdentityExpanded @@ -27,7 +28,8 @@ Update-AzSentinelBookmark -InputObject [-DisplayName [-EventTime ] [-IncidentInfoIncidentId ] [-IncidentInfoRelationName ] [-IncidentInfoSeverity ] [-IncidentInfoTitle ] [-Label ] [-Note ] [-Query ] [-QueryEndTime ] [-QueryResult ] [-QueryStartTime ] - [-DefaultProfile ] [-Confirm] [-WhatIf] [] + [-UpdatedByEmail ] [-UpdatedByName ] [-DefaultProfile ] [-Confirm] [-WhatIf] + [] ``` ## DESCRIPTION @@ -303,6 +305,36 @@ Accept pipeline input: False Accept wildcard characters: False ``` +### -UpdatedByEmail +The email of the user. + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -UpdatedByName +The name of the user. + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + ### -WorkspaceName The name of the workspace. diff --git a/src/SecurityInsights/SecurityInsights.Autorest/generate-info.json b/src/SecurityInsights/SecurityInsights.Autorest/generate-info.json index b0152b86d2ff..5e16c0f9453a 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/generate-info.json +++ b/src/SecurityInsights/SecurityInsights.Autorest/generate-info.json @@ -1,3 +1,3 @@ { - "generate_Id": "18426067-1362-4f74-af3c-e25624da42b2" + "generate_Id": "85decf5d-a9f2-48bb-b3a6-a8f566ef7af3" } diff --git a/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelAlertRule.Recording.json b/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelAlertRule.Recording.json index cb3a1bf9660c..1d77cc433a06 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelAlertRule.Recording.json +++ b/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelAlertRule.Recording.json @@ -1,17 +1,17 @@ { - "Get-AzSentinelAlertRule+[NoContext]+List+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules?api-version=2021-09-01-preview+1": { + "Get-AzSentinelAlertRule+[NoContext]+List+$GET+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/alertRules?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/alertRules?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "158" ], - "x-ms-client-request-id": [ "ce19bfa1-427c-4cb5-ad79-b773231600cc" ], + "x-ms-unique-id": [ "1" ], + "x-ms-client-request-id": [ "c8334311-f836-4b23-a357-5dc636f4fa66" ], "CommandName": [ "Get-AzSentinelAlertRule" ], "FullCommandName": [ "Get-AzSentinelAlertRule_List" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], + "User-Agent": [ "AzurePowershell/v15.4.0", "PSVersion/v7.6.0", "Az.SecurityInsights/3.2.1" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { @@ -22,37 +22,41 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11999" ], - "x-ms-request-id": [ "9c8fd5a8-2fc9-4dad-9f24-ed55e3a6e9a1" ], - "x-ms-correlation-request-id": [ "9c8fd5a8-2fc9-4dad-9f24-ed55e3a6e9a1" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160647Z:9c8fd5a8-2fc9-4dad-9f24-ed55e3a6e9a1" ], + "Vary": [ "Accept-Encoding" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "1099" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/5cec3b9a-519b-4690-b547-62dc53402cf1" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-ratelimit-remaining-subscription-global-reads": [ "16499" ], + "x-ms-request-id": [ "f5749ae0-d175-4463-ad9e-122d4b65f3cc" ], + "x-ms-correlation-request-id": [ "f5749ae0-d175-4463-ad9e-122d4b65f3cc" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074359Z:f5749ae0-d175-4463-ad9e-122d4b65f3cc" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:06:46 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: 52C3D028D4B24026A4686107B5D51CF8 Ref B: AMS231020512027 Ref C: 2026-03-25T07:43:59Z" ], + "Date": [ "Wed, 25 Mar 2026 07:43:59 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "54782" ], + "Content-Length": [ "54770" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"value\":[{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/BuiltInFusion\",\"name\":\"BuiltInFusion\",\"etag\":\"\\\"0600a340-0000-0100-0000-62fbb75d0000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Fusion\",\"properties\":{\"displayName\":\"Advanced Multistage Attack Detection\",\"description\":\"Microsoft Sentinel uses Fusion, a correlation engine based on scalable machine learning algorithms, to automatically detect multistage attacks by identifying combinations of anomalous behaviors and suspicious activities that are observed at various stages of the kill chain. On the basis of these discoveries, Azure Sentinel generates incidents that would otherwise be very difficult to catch. By design, these incidents are low-volume, high-fidelity, and high-severity, which is why this detection is turned ON by default.\\n\\nSince Fusion correlates multiple signals from various products to detect advanced multistage attacks, successful Fusion detections are presented as Fusion incidents on the Microsoft Sentinel Incidents page. This rule covers the following detections:\\n- Fusion for emerging threats\\n- Fusion for ransomware\\n- Scenario-based Fusion detections (122 scenarios)\\n\\nTo enable these detections, we recommend you configure the following data connectors for best results:\\n- Out-of-the-box anomaly detections\\n- Azure Active Directory Identity Protection\\n- Azure Defender\\n- Azure Defender for IoT\\n- Microsoft 365 Defender\\n- Microsoft Cloud App Security \\n- Microsoft Defender for Endpoint\\n- Microsoft Defender for Identity\\n- Microsoft Defender for Office 365\\n- Scheduled analytics rules, both built-in and those created by your security analysts. Analytics rules must contain kill-chain (tactics) and entity mapping information in order to be used by Fusion.\\n\\nFor the full description of each detection that is supported by Fusion, go to https://aka.ms/SentinelFusion.\",\"alertRuleTemplateName\":\"f71aba3d-28fb-450b-b192-4e76a83015c8\",\"tactics\":[\"Collection\",\"CommandAndControl\",\"CredentialAccess\",\"DefenseEvasion\",\"Discovery\",\"Execution\",\"Exfiltration\",\"Impact\",\"InitialAccess\",\"LateralMovement\",\"Persistence\",\"PrivilegeEscalation\"],\"severity\":\"High\",\"enabled\":true,\"lastModifiedUtc\":\"2022-08-16T15:27:25.3857989Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/e1b7c244-83f3-4fbd-b2c9-d08eaa704a85\",\"name\":\"e1b7c244-83f3-4fbd-b2c9-d08eaa704a85\",\"etag\":\"\\\"0600dc40-0000-0100-0000-62fbb9d90000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":true,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT12H\",\"matchingMethod\":\"Selected\",\"groupByEntities\":[\"Account\"],\"groupByAlertDetails\":[],\"groupByCustomDetails\":[]}},\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserId__s\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Malicious Inbox Rule, affected user {{UserId__s}}\",\"alertDescriptionFormat\":null,\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"queryFrequency\":\"PT5M\",\"queryPeriod\":\"PT30M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"AlertPerResult\"},\"severity\":\"Medium\",\"query\":\"let Keywords = dynamic([\\\"helpdesk\\\", \\\" alert\\\", \\\" suspicious\\\", \\\"fake\\\", \\\"malicious\\\", \\\"phishing\\\", \\\"spam\\\", \\\"do not click\\\", \\\"do not open\\\", \\\"hijacked\\\", \\\"Fatal\\\"]);\\r\\nOfficeActivity_CL\\r\\n| where Operation_s =~ \\\"New-InboxRule\\\"\\r\\n| where Parameters_s has \\\"Deleted Items\\\" or Parameters_s has \\\"Junk Email\\\" \\r\\n| extend Events=todynamic(Parameters_s)\\r\\n| parse Events with * \\\"SubjectContainsWords\\\" SubjectContainsWords \u0027}\u0027*\\r\\n| parse Events with * \\\"BodyContainsWords\\\" BodyContainsWords \u0027}\u0027*\\r\\n| parse Events with * \\\"SubjectOrBodyContainsWords\\\" SubjectOrBodyContainsWords \u0027}\u0027*\\r\\n| where SubjectContainsWords has_any (Keywords)\\r\\nor BodyContainsWords has_any (Keywords)\\r\\nor SubjectOrBodyContainsWords has_any (Keywords)\\r\\n| extend ClientIPAddress = case( ClientIP_s has \\\".\\\", tostring(split(ClientIP_s,\\\":\\\")[0]), ClientIP_s has \\\"[\\\", tostring(trim_start(@\u0027[[]\u0027,tostring(split(ClientIP_s,\\\"]\\\")[0]))), ClientIP_s )\\r\\n| extend Keyword = iff(isnotempty(SubjectContainsWords), SubjectContainsWords, (iff(isnotempty(BodyContainsWords),BodyContainsWords,SubjectOrBodyContainsWords )))\\r\\n| extend RuleDetail = case(OfficeObjectId_s contains \u0027/\u0027 , tostring(split(OfficeObjectId_s, \u0027/\u0027)[-1]) , tostring(split(OfficeObjectId_s, \u0027\\\\\\\\\u0027)[-1]))\\r\\n| summarize count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by Operation_s, UserId__s, ClientIPAddress, ResultStatus_s, Keyword, OriginatingServer_s, OfficeObjectId_s, RuleDetail\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Persistence\",\"DefenseEvasion\"],\"displayName\":\"Malicious Inbox Rule - custom\",\"enabled\":true,\"description\":\"This rule is detecting on delete all traces of phishing email from user mailboxes\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2022-08-16T15:37:58.9257559Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/53274afe-2640-4c50-bd36-78c1c79f102c\",\"name\":\"53274afe-2640-4c50-bd36-78c1c79f102c\",\"etag\":\"\\\"0600dd40-0000-0100-0000-62fbb9d90000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":true,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[\"IP\"],\"groupByAlertDetails\":[],\"groupByCustomDetails\":[]}},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"queryFrequency\":\"PT5M\",\"queryPeriod\":\"PT30M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Medium\",\"query\":\"SigninLogs_CL\\n | where ResultType == \\\"50057\\\" \\n | where ResultDescription == \\\"User account is disabled. The account has been disabled by an administrator.\\\" \\n | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), disabledAccountLoginAttempts = count(), \\n disabledAccountsTargeted = dcount(UserPrincipalName_s), applicationsTargeted = dcount(AppDisplayName_s), disabledAccountSet = makeset(UserPrincipalName_s), \\n applicationSet = makeset(AppDisplayName_s)\\n by IPAddress, Type\\n | order by disabledAccountLoginAttempts desc\\n | join kind= leftouter (\\n // Consider these IPs suspicious - and alert any related successful sign-ins\\n SigninLogs_CL\\n | where ResultType == 0\\n | summarize successfulAccountSigninCount = dcount(UserPrincipalName_s), successfulAccountSigninSet = makeset(UserPrincipalName_s, 15) by IPAddress, Type\\n // Assume IPs associated with sign-ins from 100+ distinct user accounts are safe\\n | where successfulAccountSigninCount \u003c 100\\n )\\n on IPAddress \\n | where successfulAccountSigninCount != 0\\n | project StartTime, EndTime, IPAddress, disabledAccountLoginAttempts, disabledAccountsTargeted, disabledAccountSet, applicationSet, \\n successfulAccountSigninCount, successfulAccountSigninSet, Type\\n | order by disabledAccountLoginAttempts\\n | extend timestamp = StartTime, IPCustomEntity = IPAddress\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"InitialAccess\",\"Persistence\"],\"displayName\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts\",\"enabled\":true,\"description\":\"Identifies IPs with failed attempts to sign in to one or more disabled accounts signed in successfully to another account.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50057 - User account is disabled. The account has been disabled by an administrator.\",\"alertRuleTemplateName\":\"500c103a-0319-4d56-8e99-3cec8d860757\",\"lastModifiedUtc\":\"2022-08-16T15:37:58.9088963Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/05cd1abd-2426-4d7e-be8a-cda489ed9cce\",\"name\":\"05cd1abd-2426-4d7e-be8a-cda489ed9cce\",\"etag\":\"\\\"0600de40-0000-0100-0000-62fbb9da0000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":true,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AnyAlert\",\"groupByEntities\":[],\"groupByAlertDetails\":[],\"groupByCustomDetails\":[]}},\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"DNSName\"}]}],\"queryFrequency\":\"PT5M\",\"queryPeriod\":\"PT30M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"High\",\"query\":\"let domains = dynamic([\\\"incomeupdate.com\\\",\\\"zupertech.com\\\",\\\"databasegalore.com\\\",\\\"panhardware.com\\\",\\\"avsvmcloud.com\\\",\\\"digitalcollege.org\\\",\\\"freescanonline.com\\\",\\\"deftsecurity.com\\\",\\\"thedoccloud.com\\\",\\\"virtualdataserver.com\\\",\\\"lcomputers.com\\\",\\\"webcodez.com\\\",\\\"globalnetworkissues.com\\\",\\\"kubecloud.com\\\",\\\"seobundlekit.com\\\",\\\"solartrackingsystem.net\\\",\\\"virtualwebdata.com\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n | parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n | where DNSName in~ (domains) or DestinationHostName has_any (domains) or RequestURL has_any(domains)\\n | extend AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName, IPCustomEntity = SourceIP\\n ),\\n(DnsEvents \\n | extend DNSName = Name\\n | where isnotempty(DNSName)\\n | where DNSName in~ (domains)\\n | extend IPCustomEntity = ClientIP\\n ),\\n(imDns \\n | where isnotempty(Query)\\n | where Query in~ (domains)\\n | extend DNSName = Query\\n | extend IPCustomEntity = SrcIpAddr\\n ),\\n(VMConnection \\n | parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n | where isnotempty(DNSName)\\n | where DNSName in~ (domains)\\n | extend IPCustomEntity = RemoteIp\\n ),\\n(DeviceNetworkEvents \\n | where isnotempty(RemoteUrl) \\n | where RemoteUrl has_any (domains) \\n | extend DNSName = RemoteUrl\\n | extend IPCustomEntity = RemoteIP \\n | extend HostCustomEntity = DeviceName \\n ),\\n(AzureDiagnostics\\n | where ResourceType == \\\"AZUREFIREWALLS\\\"\\n | where Category == \\\"AzureFirewallDnsProxy\\\"\\n | parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n | where Request_Name has_any (domains) \\n | extend DNSName = Request_Name\\n | extend IPCustomEntity = ClientIP \\n ),\\n(AzureDiagnostics \\n | where ResourceType == \\\"AZUREFIREWALLS\\\"\\n | where Category == \\\"AzureFirewallApplicationRule\\\"\\n | parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n | where isnotempty(DestinationHost)\\n | where DestinationHost has_any (domains) \\n | extend DNSName = DestinationHost \\n | extend IPCustomEntity = SourceHost\\n ) \\n )\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Solorigate Network Beacon\",\"enabled\":true,\"description\":\"Identifies a match across various data feeds for domains IOCs related to the Solorigate incident.\\n References: https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/, \\n https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html?1\",\"alertRuleTemplateName\":\"cecdbd4c-4902-403c-8d4b-32eb1efe460b\",\"lastModifiedUtc\":\"2022-08-16T15:37:58.8992375Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/cab7d557-3de0-4043-8dd4-b83629755ab8\",\"name\":\"cab7d557-3de0-4043-8dd4-b83629755ab8\",\"etag\":\"\\\"0600e240-0000-0100-0000-62fbba160000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Informational\",\"query\":\"SecurityEvent\\n| take 1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Execution\"],\"displayName\":\"GetAlertRulem37adr\",\"enabled\":true,\"description\":\"GetAlertRulem37adr cab7d557-3de0-4043-8dd4-b83629755ab8\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2022-08-16T15:39:02.3687256Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/90872ee6-8ed3-48b8-8e93-2bcb1aa6825d\",\"name\":\"90872ee6-8ed3-48b8-8e93-2bcb1aa6825d\",\"etag\":\"\\\"0600e840-0000-0100-0000-62fbba370000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Informational\",\"query\":\"SecurityEvent\\n| take 1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Execution\"],\"displayName\":\"RemoveAlertRule1qafoy\",\"enabled\":true,\"description\":\"RemoveAlertRule1qafoy 90872ee6-8ed3-48b8-8e93-2bcb1aa6825d\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2022-08-16T15:39:33.5961847Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/b5daebea-1da1-45a1-abb5-94ad8c8da5cb\",\"name\":\"b5daebea-1da1-45a1-abb5-94ad8c8da5cb\",\"etag\":\"\\\"0600ed40-0000-0100-0000-62fbba540000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Informational\",\"query\":\"SecurityEvent\\n| take 1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Execution\"],\"displayName\":\"RemoveViaIdAlertRule81exqs\",\"enabled\":true,\"description\":\"RemoveViaIdAlertRule81exqs b5daebea-1da1-45a1-abb5-94ad8c8da5cb\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2022-08-16T15:40:04.5582676Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/e96e7960-a8a9-47a9-91f1-4207f5f82d88\",\"name\":\"e96e7960-a8a9-47a9-91f1-4207f5f82d88\",\"etag\":\"\\\"0600ef40-0000-0100-0000-62fbba750000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Informational\",\"query\":\"SecurityEvent\\n| take 1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Execution\"],\"displayName\":\"UpdateAlertRulejkg1z9\",\"enabled\":true,\"description\":\"UpdateAlertRulejkg1z9 e96e7960-a8a9-47a9-91f1-4207f5f82d88\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2022-08-16T15:40:36.025072Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/658a3691-0950-4176-bc12-e3e4d4b52335\",\"name\":\"658a3691-0950-4176-bc12-e3e4d4b52335\",\"etag\":\"\\\"0600f040-0000-0100-0000-62fbba950000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Informational\",\"query\":\"SecurityEvent\\n| take 1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Execution\"],\"displayName\":\"UpdateViaIdAlertRuler0cz6k\",\"enabled\":true,\"description\":\"UpdateViaIdAlertRuler0cz6k 658a3691-0950-4176-bc12-e3e4d4b52335\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2022-08-16T15:41:08.8217126Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/3f8b701e-a084-40d7-8f4b-a6b1482e8cc2\",\"name\":\"3f8b701e-a084-40d7-8f4b-a6b1482e8cc2\",\"etag\":\"\\\"0600f440-0000-0100-0000-62fbbac10000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Informational\",\"query\":\"SecurityEvent\\n| take 1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Execution\"],\"displayName\":\"GetalertRuleActionRuleName2iy1g6\",\"enabled\":true,\"description\":\"GetalertRuleActionRuleName2iy1g6 3f8b701e-a084-40d7-8f4b-a6b1482e8cc2\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2022-08-16T15:41:52.5613781Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/7ebb90bb-a57a-42f6-8a23-a0393c176560\",\"name\":\"7ebb90bb-a57a-42f6-8a23-a0393c176560\",\"etag\":\"\\\"0600f740-0000-0100-0000-62fbbae20000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Informational\",\"query\":\"SecurityEvent\\n| take 1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Execution\"],\"displayName\":\"RemovealertRuleActionRuleName1ui932\",\"enabled\":true,\"description\":\"RemovealertRuleActionRuleName1ui932 7ebb90bb-a57a-42f6-8a23-a0393c176560\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2022-08-16T15:42:24.0884995Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/e5a90aef-2e88-486c-a745-66f415230a61\",\"name\":\"e5a90aef-2e88-486c-a745-66f415230a61\",\"etag\":\"\\\"0600f840-0000-0100-0000-62fbbb000000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Informational\",\"query\":\"SecurityEvent\\n| take 1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Execution\"],\"displayName\":\"RemoveViaIdalertRuleActionRuleNametq71f5\",\"enabled\":true,\"description\":\"RemoveViaIdalertRuleActionRuleNametq71f5 e5a90aef-2e88-486c-a745-66f415230a61\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2022-08-16T15:42:55.4746161Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/f04b319e-dc64-427b-8640-eef21b6fb5cd\",\"name\":\"f04b319e-dc64-427b-8640-eef21b6fb5cd\",\"etag\":\"\\\"0600fc40-0000-0100-0000-62fbbb230000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Informational\",\"query\":\"SecurityEvent\\n| take 1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Execution\"],\"displayName\":\"UpdatealertRuleActionRuleNamehp3sur\",\"enabled\":true,\"description\":\"UpdatealertRuleActionRuleNamehp3sur f04b319e-dc64-427b-8640-eef21b6fb5cd\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2022-08-16T15:43:31.1186326Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/90b62f2e-9b96-4bfb-a82a-5ceed7cd487e\",\"name\":\"90b62f2e-9b96-4bfb-a82a-5ceed7cd487e\",\"etag\":\"\\\"0600fd40-0000-0100-0000-62fbbb410000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Informational\",\"query\":\"SecurityEvent\\n| take 1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Execution\"],\"displayName\":\"UpdateViaIdalertRuleActionRuleNameyb5ilx\",\"enabled\":true,\"description\":\"UpdateViaIdalertRuleActionRuleNameyb5ilx 90b62f2e-9b96-4bfb-a82a-5ceed7cd487e\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2022-08-16T15:43:58.9931835Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/3831a4ff-b6c9-413b-b1e1-6939da17f4b1\",\"name\":\"3831a4ff-b6c9-413b-b1e1-6939da17f4b1\",\"etag\":\"\\\"06006541-0000-0100-0000-62fbc0640000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5M\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let ZeroTrustTIC3Mapping = externaldata(RecommendationDisplayName:string,Capability:string,Family:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZeroTrustTIC3Mapping.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nSecurityRecommendation\\n| join kind=rightouter ZeroTrustTIC3Mapping on RecommendationDisplayName\\n| where Family == \u0027Intrusion Detection\u0027\\n| summarize\\n Assessments = count(),\\n Success = countif(RecommendationState == \u0027Healthy\u0027 or RecommendationState == \u0027NotApplicable\u0027 or RecommendationState == \u0027Removed\u0027),\\n Failed = countif(RecommendationState == \u0027Unhealthy\u0027)\\n by Capability, Family, RecommendationDisplayName\\n| extend SuccessRatePercentage = (Success * 100 / Assessments)\\n| extend FailedRatePercentage = (Failed * 100 / Assessments)\\n| extend RemediationLink = strcat(\u0027https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22\u0027)\\n| project\\n Capability,\\n Family,\\n RecommendationDisplayName,\\n Assessments,\\n SuccessRatePercentage,\\n FailedRatePercentage,\\n RemediationLink\\n| where RecommendationDisplayName \u003c\u003e \u0027\u0027\\n// | where RecommendationName \u003c\u003e \u0027\u0027 //Filter Out or Suppress Recommendations\\n| where FailedRatePercentage \u003e 30 //Adjust Either FailedRatePercentage or PasedRatePercentage Thresholds within Organizational Needs\\n| sort by FailedRatePercentage desc\\n| limit 250\\n| extend URLCustomEntity = RemediationLink\\n\",\"suppressionDuration\":\"PT1H\",\"suppressionEnabled\":false,\"tactics\":[\"Discovery\"],\"displayName\":\"(Preview) ZeroTrust(TIC3.0) Intrusion Detection Control Family Monitoring\",\"enabled\":false,\"description\":\"Zero Trust(TIC3.0) Control Assessments have Deviated from Configured Threshold Baselines\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2022-08-16T16:05:56.6133876Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/278781f7-07bf-42e2-a02a-e5ab74e29991\",\"name\":\"278781f7-07bf-42e2-a02a-e5ab74e29991\",\"etag\":\"\\\"06006641-0000-0100-0000-62fbc0640000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5M\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let ZeroTrustTIC3Mapping = externaldata(RecommendationDisplayName:string,Capability:string,Family:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZeroTrustTIC3Mapping.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nSecurityRecommendation\\n| join kind=rightouter ZeroTrustTIC3Mapping on RecommendationDisplayName\\n| where Family == \u0027Unified Communications \u0026 Collaboration\u0027\\n| summarize\\n Assessments = count(),\\n Success = countif(RecommendationState == \u0027Healthy\u0027 or RecommendationState == \u0027NotApplicable\u0027 or RecommendationState == \u0027Removed\u0027),\\n Failed = countif(RecommendationState == \u0027Unhealthy\u0027)\\n by Capability, Family, RecommendationDisplayName\\n| extend SuccessRatePercentage = (Success * 100 / Assessments)\\n| extend FailedRatePercentage = (Failed * 100 / Assessments)\\n| extend RemediationLink = strcat(\u0027https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22\u0027)\\n| project\\n Capability,\\n Family,\\n RecommendationDisplayName,\\n Assessments,\\n SuccessRatePercentage,\\n FailedRatePercentage,\\n RemediationLink\\n| where RecommendationDisplayName \u003c\u003e \u0027\u0027\\n// | where RecommendationName \u003c\u003e \u0027\u0027 //Filter Out or Suppress Recommendations\\n| where FailedRatePercentage \u003e 30 //Adjust Either FailedRatePercentage or PasedRatePercentage Thresholds within Organizational Needs\\n| sort by FailedRatePercentage desc\\n| limit 250\\n| extend URLCustomEntity = RemediationLink\\n\",\"suppressionDuration\":\"PT1H\",\"suppressionEnabled\":false,\"tactics\":[\"Discovery\"],\"displayName\":\"(Preview) ZeroTrust(TIC3.0) UCC Control Family Monitoring\",\"enabled\":false,\"description\":\"Zero Trust(TIC3.0) Control Assessments have Deviated from Configured Threshold Baselines\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2022-08-16T16:05:56.6134901Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/7cd85217-8d3b-4ec1-b99c-589a49c492db\",\"name\":\"7cd85217-8d3b-4ec1-b99c-589a49c492db\",\"etag\":\"\\\"06006741-0000-0100-0000-62fbc0640000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5M\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let ZeroTrustTIC3Mapping = externaldata(RecommendationDisplayName:string,Capability:string,Family:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZeroTrustTIC3Mapping.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nSecurityRecommendation\\n | join kind=rightouter ZeroTrustTIC3Mapping on RecommendationDisplayName\\n | where Family == \u0027Resiliency\u0027\\n | summarize\\n Assessments = count(),\\n Success = countif(RecommendationState == \u0027Healthy\u0027 or RecommendationState == \u0027NotApplicable\u0027 or RecommendationState == \u0027Removed\u0027),\\n Failed = countif(RecommendationState == \u0027Unhealthy\u0027)\\n by Capability, Family, RecommendationDisplayName\\n | extend SuccessRatePercentage = (Success * 100 / Assessments)\\n | extend FailedRatePercentage = (Failed * 100 / Assessments)\\n | extend RemediationLink = strcat(\u0027https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22\u0027)\\n | project\\n Capability,\\n Family,\\n RecommendationDisplayName,\\n Assessments,\\n SuccessRatePercentage,\\n FailedRatePercentage,\\n RemediationLink\\n | where RecommendationDisplayName \u003c\u003e \u0027\u0027\\n // | where RecommendationName \u003c\u003e \u0027\u0027 //Filter Out or Suppress Recommendations\\n | where FailedRatePercentage \u003e 30 //Adjust Either FailedRatePercentage or PasedRatePercentage Thresholds within Organizational Needs\\n | sort by FailedRatePercentage desc\\n | limit 250\\n | extend URLCustomEntity = RemediationLink\\n\",\"suppressionDuration\":\"PT1H\",\"suppressionEnabled\":false,\"tactics\":[\"Discovery\"],\"displayName\":\"(Preview) ZeroTrust(TIC3.0) Resiliency Control Family Monitoring\",\"enabled\":false,\"description\":\"Zero Trust(TIC3.0) Control Assessments have Deviated from Configured Threshold Baselines\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2022-08-16T16:05:56.6114797Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/b96548d0-9060-4f75-8006-28e7b7af9ce6\",\"name\":\"b96548d0-9060-4f75-8006-28e7b7af9ce6\",\"etag\":\"\\\"06006841-0000-0100-0000-62fbc0640000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5M\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let ZeroTrustTIC3Mapping = externaldata(RecommendationDisplayName:string,Capability:string,Family:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZeroTrustTIC3Mapping.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nSecurityRecommendation\\n | join kind=rightouter ZeroTrustTIC3Mapping on RecommendationDisplayName\\n | where Family == \u0027DNS\u0027\\n | summarize\\n Assessments = count(),\\n Success = countif(RecommendationState == \u0027Healthy\u0027 or RecommendationState == \u0027NotApplicable\u0027 or RecommendationState == \u0027Removed\u0027),\\n Failed = countif(RecommendationState == \u0027Unhealthy\u0027)\\n by Capability, Family, RecommendationDisplayName\\n | extend SuccessRatePercentage = (Success * 100 / Assessments)\\n | extend FailedRatePercentage = (Failed * 100 / Assessments)\\n | extend RemediationLink = strcat(\u0027https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22\u0027)\\n | project\\n Capability,\\n Family,\\n RecommendationDisplayName,\\n Assessments,\\n SuccessRatePercentage,\\n FailedRatePercentage,\\n RemediationLink\\n | where RecommendationDisplayName \u003c\u003e \u0027\u0027\\n // | where RecommendationName \u003c\u003e \u0027\u0027 //Filter Out or Suppress Recommendations\\n | where FailedRatePercentage \u003e 30 //Adjust Either FailedRatePercentage or PasedRatePercentage Thresholds within Organizational Needs\\n | sort by FailedRatePercentage desc\\n | limit 250\\n | extend URLCustomEntity = RemediationLink\\n\",\"suppressionDuration\":\"PT1H\",\"suppressionEnabled\":false,\"tactics\":[\"Discovery\"],\"displayName\":\"(Preview) ZeroTrust(TIC3.0) DNS Control Family Monitoring\",\"enabled\":false,\"description\":\"Zero Trust(TIC3.0) Control Assessments have Deviated from Configured Threshold Baselines\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2022-08-16T16:05:56.6152038Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/6698a851-845e-4145-92c8-f6ec017454c6\",\"name\":\"6698a851-845e-4145-92c8-f6ec017454c6\",\"etag\":\"\\\"06006941-0000-0100-0000-62fbc0640000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5M\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let ZeroTrustTIC3Mapping = externaldata(RecommendationDisplayName:string,Capability:string,Family:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZeroTrustTIC3Mapping.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nSecurityRecommendation\\n | join kind=rightouter ZeroTrustTIC3Mapping on RecommendationDisplayName\\n | where Family == \u0027Universal Security Capabilities\u0027\\n | summarize\\n Assessments = count(),\\n Success = countif(RecommendationState == \u0027Healthy\u0027 or RecommendationState == \u0027NotApplicable\u0027 or RecommendationState == \u0027Removed\u0027),\\n Failed = countif(RecommendationState == \u0027Unhealthy\u0027)\\n by Capability, Family, RecommendationDisplayName\\n | extend SuccessRatePercentage = (Success * 100 / Assessments)\\n | extend FailedRatePercentage = (Failed * 100 / Assessments)\\n | extend RemediationLink = strcat(\u0027https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22\u0027)\\n | project\\n Capability,\\n Family,\\n RecommendationDisplayName,\\n Assessments,\\n SuccessRatePercentage,\\n FailedRatePercentage,\\n RemediationLink\\n | where RecommendationDisplayName \u003c\u003e \u0027\u0027\\n // | where RecommendationName \u003c\u003e \u0027\u0027 //Filter Out or Suppress Recommendations\\n | where FailedRatePercentage \u003e 30 //Adjust Either FailedRatePercentage or PasedRatePercentage Thresholds within Organizational Needs\\n | sort by FailedRatePercentage desc\\n | limit 250\\n | extend URLCustomEntity = RemediationLink\\n\",\"suppressionDuration\":\"PT1H\",\"suppressionEnabled\":false,\"tactics\":[\"Discovery\"],\"displayName\":\"(Preview) ZeroTrust(TIC3.0) Universal Security Capabilities Control Family Monitoring\",\"enabled\":false,\"description\":\"Zero Trust(TIC3.0) Control Assessments have Deviated from Configured Threshold Baselines\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2022-08-16T16:05:56.6243928Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/abb6d8a7-279d-4e65-b104-c37bfdf7938a\",\"name\":\"abb6d8a7-279d-4e65-b104-c37bfdf7938a\",\"etag\":\"\\\"06006a41-0000-0100-0000-62fbc0640000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5M\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let ZeroTrustTIC3Mapping = externaldata(RecommendationDisplayName:string,Capability:string,Family:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZeroTrustTIC3Mapping.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nSecurityRecommendation\\n| join kind=rightouter ZeroTrustTIC3Mapping on RecommendationDisplayName\\n| where Family == \u0027Data Protection\u0027\\n| summarize\\n Assessments = count(),\\n Success = countif(RecommendationState == \u0027Healthy\u0027 or RecommendationState == \u0027NotApplicable\u0027 or RecommendationState == \u0027Removed\u0027),\\n Failed = countif(RecommendationState == \u0027Unhealthy\u0027)\\n by Capability, Family, RecommendationDisplayName\\n| extend SuccessRatePercentage = (Success * 100 / Assessments)\\n| extend FailedRatePercentage = (Failed * 100 / Assessments)\\n| extend RemediationLink = strcat(\u0027https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22\u0027)\\n| project\\n Capability,\\n Family,\\n RecommendationDisplayName,\\n Assessments,\\n SuccessRatePercentage,\\n FailedRatePercentage,\\n RemediationLink\\n| where RecommendationDisplayName \u003c\u003e \u0027\u0027\\n// | where RecommendationName \u003c\u003e \u0027\u0027 //Filter Out or Suppress Recommendations\\n| where FailedRatePercentage \u003e 30 //Adjust Either FailedRatePercentage or PasedRatePercentage Thresholds within Organizational Needs\\n| sort by FailedRatePercentage desc\\n| limit 250\\n| extend URLCustomEntity = RemediationLink\\n\",\"suppressionDuration\":\"PT1H\",\"suppressionEnabled\":false,\"tactics\":[\"Discovery\"],\"displayName\":\"(Preview) ZeroTrust(TIC3.0) Data Protection Control Family Monitoring\",\"enabled\":false,\"description\":\"Zero Trust(TIC3.0) Control Assessments have Deviated from Configured Threshold Baselines\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2022-08-16T16:05:56.6176959Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/31a2f4dd-07c5-4b59-b5f5-cdb3b96090f0\",\"name\":\"31a2f4dd-07c5-4b59-b5f5-cdb3b96090f0\",\"etag\":\"\\\"06006b41-0000-0100-0000-62fbc0640000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5M\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let ZeroTrustTIC3Mapping = externaldata(RecommendationDisplayName:string,Capability:string,Family:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZeroTrustTIC3Mapping.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nSecurityRecommendation\\n| join kind=rightouter ZeroTrustTIC3Mapping on RecommendationDisplayName\\n| where Family == \u0027Enterprise\u0027\\n| summarize\\n Assessments = count(),\\n Success = countif(RecommendationState == \u0027Healthy\u0027 or RecommendationState == \u0027NotApplicable\u0027 or RecommendationState == \u0027Removed\u0027),\\n Failed = countif(RecommendationState == \u0027Unhealthy\u0027)\\n by Capability, Family, RecommendationDisplayName\\n| extend SuccessRatePercentage = (Success * 100 / Assessments)\\n| extend FailedRatePercentage = (Failed * 100 / Assessments)\\n| extend RemediationLink = strcat(\u0027https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22\u0027)\\n| project\\n Capability,\\n Family,\\n RecommendationDisplayName,\\n Assessments,\\n SuccessRatePercentage,\\n FailedRatePercentage,\\n RemediationLink\\n| where RecommendationDisplayName \u003c\u003e \u0027\u0027\\n// | where RecommendationName \u003c\u003e \u0027\u0027 //Filter Out or Suppress Recommendations\\n| where FailedRatePercentage \u003e 30 //Adjust Either FailedRatePercentage or PasedRatePercentage Thresholds within Organizational Needs\\n| sort by FailedRatePercentage desc\\n| limit 250\\n| extend URLCustomEntity = RemediationLink\\n\",\"suppressionDuration\":\"PT1H\",\"suppressionEnabled\":false,\"tactics\":[\"Discovery\"],\"displayName\":\"(Preview) ZeroTrust(TIC3.0) Enterprise Control Family Monitoring\",\"enabled\":false,\"description\":\"Zero Trust(TIC3.0) Control Assessments have Deviated from Configured Threshold Baselines\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2022-08-16T16:05:56.618616Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/0d6715bf-2e07-4317-8d34-ba4ec5c9e19b\",\"name\":\"0d6715bf-2e07-4317-8d34-ba4ec5c9e19b\",\"etag\":\"\\\"06006c41-0000-0100-0000-62fbc0640000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5M\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let ZeroTrustTIC3Mapping = externaldata(RecommendationDisplayName:string,Capability:string,Family:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZeroTrustTIC3Mapping.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nSecurityRecommendation\\n | join kind=rightouter ZeroTrustTIC3Mapping on RecommendationDisplayName\\n | where Family == \u0027Networking\u0027\\n | summarize\\n Assessments = count(),\\n Success = countif(RecommendationState == \u0027Healthy\u0027 or RecommendationState == \u0027NotApplicable\u0027 or RecommendationState == \u0027Removed\u0027),\\n Failed = countif(RecommendationState == \u0027Unhealthy\u0027)\\n by Capability, Family, RecommendationDisplayName\\n | extend SuccessRatePercentage = (Success * 100 / Assessments)\\n | extend FailedRatePercentage = (Failed * 100 / Assessments)\\n | extend RemediationLink = strcat(\u0027https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22\u0027)\\n | project\\n Capability,\\n Family,\\n RecommendationDisplayName,\\n Assessments,\\n SuccessRatePercentage,\\n FailedRatePercentage,\\n RemediationLink\\n | where RecommendationDisplayName \u003c\u003e \u0027\u0027\\n // | where RecommendationName \u003c\u003e \u0027\u0027 //Filter Out or Suppress Recommendations\\n | where FailedRatePercentage \u003e 30 //Adjust Either FailedRatePercentage or PasedRatePercentage Thresholds within Organizational Needs\\n | sort by FailedRatePercentage desc\\n | limit 250\\n | extend URLCustomEntity = RemediationLink\\n\",\"suppressionDuration\":\"PT1H\",\"suppressionEnabled\":false,\"tactics\":[\"Discovery\"],\"displayName\":\"(Preview) ZeroTrust(TIC3.0) Networking Control Family Monitoring\",\"enabled\":false,\"description\":\"Zero Trust(TIC3.0) Control Assessments have Deviated from Configured Threshold Baselines\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2022-08-16T16:05:56.6176672Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/5004b7e9-d0d1-44da-ada0-a9937d21660d\",\"name\":\"5004b7e9-d0d1-44da-ada0-a9937d21660d\",\"etag\":\"\\\"06006d41-0000-0100-0000-62fbc0640000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5M\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let ZeroTrustTIC3Mapping = externaldata(RecommendationDisplayName:string,Capability:string,Family:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZeroTrustTIC3Mapping.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nSecurityRecommendation\\n | join kind=rightouter ZeroTrustTIC3Mapping on RecommendationDisplayName\\n | where Family == \u0027Web\u0027\\n | summarize\\n Assessments = count(),\\n Success = countif(RecommendationState == \u0027Healthy\u0027 or RecommendationState == \u0027NotApplicable\u0027 or RecommendationState == \u0027Removed\u0027),\\n Failed = countif(RecommendationState == \u0027Unhealthy\u0027)\\n by Capability, Family, RecommendationDisplayName\\n | extend SuccessRatePercentage = (Success * 100 / Assessments)\\n | extend FailedRatePercentage = (Failed * 100 / Assessments)\\n | extend RemediationLink = strcat(\u0027https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22\u0027)\\n | project\\n Capability,\\n Family,\\n RecommendationDisplayName,\\n Assessments,\\n SuccessRatePercentage,\\n FailedRatePercentage,\\n RemediationLink\\n | where RecommendationDisplayName \u003c\u003e \u0027\u0027\\n // | where RecommendationName \u003c\u003e \u0027\u0027 //Filter Out or Suppress Recommendations\\n | where FailedRatePercentage \u003e 30 //Adjust Either FailedRatePercentage or PasedRatePercentage Thresholds within Organizational Needs\\n | sort by FailedRatePercentage desc\\n | limit 250\\n | extend URLCustomEntity = RemediationLink\\n\",\"suppressionDuration\":\"PT1H\",\"suppressionEnabled\":false,\"tactics\":[\"Discovery\"],\"displayName\":\"(Preview) ZeroTrust(TIC3.0) Web Control Family Monitoring\",\"enabled\":false,\"description\":\"Zero Trust(TIC3.0) Control Assessments have Deviated from Configured Threshold Baselines\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2022-08-16T16:05:56.6290249Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/1490edac-8296-457c-9acc-7ca5429e43cc\",\"name\":\"1490edac-8296-457c-9acc-7ca5429e43cc\",\"etag\":\"\\\"06006e41-0000-0100-0000-62fbc0640000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5M\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let ZeroTrustTIC3Mapping = externaldata(RecommendationDisplayName:string,Capability:string,Family:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZeroTrustTIC3Mapping.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nSecurityRecommendation\\n | join kind=rightouter ZeroTrustTIC3Mapping on RecommendationDisplayName\\n | where Family == \u0027Files\u0027\\n | summarize\\n Assessments = count(),\\n Success = countif(RecommendationState == \u0027Healthy\u0027 or RecommendationState == \u0027NotApplicable\u0027 or RecommendationState == \u0027Removed\u0027),\\n Failed = countif(RecommendationState == \u0027Unhealthy\u0027)\\n by Capability, Family, RecommendationDisplayName\\n | extend SuccessRatePercentage = (Success * 100 / Assessments)\\n | extend FailedRatePercentage = (Failed * 100 / Assessments)\\n | extend RemediationLink = strcat(\u0027https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22\u0027)\\n | project\\n Capability,\\n Family,\\n RecommendationDisplayName,\\n Assessments,\\n SuccessRatePercentage,\\n FailedRatePercentage,\\n RemediationLink\\n | where RecommendationDisplayName \u003c\u003e \u0027\u0027\\n // | where RecommendationName \u003c\u003e \u0027\u0027 //Filter Out or Suppress Recommendations\\n | where FailedRatePercentage \u003e 30 //Adjust Either FailedRatePercentage or PasedRatePercentage Thresholds within Organizational Needs\\n | sort by FailedRatePercentage desc\\n | limit 250\\n | extend URLCustomEntity = RemediationLink\\n\",\"suppressionDuration\":\"PT1H\",\"suppressionEnabled\":false,\"tactics\":[\"Discovery\"],\"displayName\":\"(Preview) ZeroTrust(TIC3.0) Files Control Family Monitoring\",\"enabled\":false,\"description\":\"Zero Trust(TIC3.0) Control Assessments have Deviated from Configured Threshold Baselines\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2022-08-16T16:05:56.6495698Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/108bf7e1-f705-4447-9a72-9bd6f510e1c1\",\"name\":\"108bf7e1-f705-4447-9a72-9bd6f510e1c1\",\"etag\":\"\\\"06006f41-0000-0100-0000-62fbc0640000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5M\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let ZeroTrustTIC3Mapping = externaldata(RecommendationDisplayName:string,Capability:string,Family:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZeroTrustTIC3Mapping.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nSecurityRecommendation\\n | join kind=rightouter ZeroTrustTIC3Mapping on RecommendationDisplayName\\n | where Family == \u0027Email\u0027\\n | summarize\\n Assessments = count(),\\n Success = countif(RecommendationState == \u0027Healthy\u0027 or RecommendationState == \u0027NotApplicable\u0027 or RecommendationState == \u0027Removed\u0027),\\n Failed = countif(RecommendationState == \u0027Unhealthy\u0027)\\n by Capability, Family, RecommendationDisplayName\\n | extend SuccessRatePercentage = (Success * 100 / Assessments)\\n | extend FailedRatePercentage = (Failed * 100 / Assessments)\\n | extend RemediationLink = strcat(\u0027https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22\u0027)\\n | project\\n Capability,\\n Family,\\n RecommendationDisplayName,\\n Assessments,\\n SuccessRatePercentage,\\n FailedRatePercentage,\\n RemediationLink\\n | where RecommendationDisplayName \u003c\u003e \u0027\u0027\\n // | where RecommendationName \u003c\u003e \u0027\u0027 //Filter Out or Suppress Recommendations\\n | where FailedRatePercentage \u003e 30 //Adjust Either FailedRatePercentage or PasedRatePercentage Thresholds within Organizational Needs\\n | sort by FailedRatePercentage desc\\n | limit 250\\n | extend URLCustomEntity = RemediationLink\\n\",\"suppressionDuration\":\"PT1H\",\"suppressionEnabled\":false,\"tactics\":[\"Discovery\"],\"displayName\":\"(Preview) ZeroTrust(TIC3.0) Email Control Family Monitoring\",\"enabled\":false,\"description\":\"Zero Trust(TIC3.0) Control Assessments have Deviated from Configured Threshold Baselines\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2022-08-16T16:05:56.6572279Z\"}}]}", + "Content": "{\"value\":[{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/alertRules/BuiltInFusion\",\"name\":\"BuiltInFusion\",\"etag\":\"\\\"60003777-0000-0100-0000-69c38b070000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Fusion\",\"properties\":{\"displayName\":\"Advanced Multistage Attack Detection\",\"description\":\"Microsoft Sentinel uses Fusion, a correlation engine based on scalable machine learning algorithms, to automatically detect multistage attacks by identifying combinations of anomalous behaviors and suspicious activities that are observed at various stages of the kill chain. On the basis of these discoveries, Azure Sentinel generates incidents that would otherwise be very difficult to catch. By design, these incidents are low-volume, high-fidelity, and high-severity, which is why this detection is turned ON by default.\\n\\nSince Fusion correlates multiple signals from various products to detect advanced multistage attacks, successful Fusion detections are presented as Fusion incidents on the Microsoft Sentinel Incidents page. This rule covers the following detections:\\n- Fusion for emerging threats\\n- Fusion for ransomware\\n- Scenario-based Fusion detections (122 scenarios)\\n\\nTo enable these detections, we recommend you configure the following data connectors for best results:\\n- Out-of-the-box anomaly detections\\n- Microsoft Entra ID Protection\\n- Azure Defender\\n- Azure Defender for IoT\\n- Microsoft 365 Defender\\n- Microsoft Cloud App Security \\n- Microsoft Defender for Endpoint\\n- Microsoft Defender for Identity\\n- Microsoft Defender for Office 365\\n- Scheduled analytics rules, both built-in and those created by your security analysts. Analytics rules must contain kill-chain (tactics) and entity mapping information in order to be used by Fusion.\\n\\nFor the full description of each detection that is supported by Fusion, go to https://aka.ms/SentinelFusion.\",\"alertRuleTemplateName\":\"f71aba3d-28fb-450b-b192-4e76a83015c8\",\"tactics\":[\"Collection\",\"CommandAndControl\",\"CredentialAccess\",\"DefenseEvasion\",\"Discovery\",\"Execution\",\"Exfiltration\",\"Impact\",\"InitialAccess\",\"LateralMovement\",\"Persistence\",\"PrivilegeEscalation\"],\"severity\":\"High\",\"enabled\":true,\"lastModifiedUtc\":\"2026-03-25T07:13:11.3095444Z\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/alertRules/7d7980a7-4d27-42b8-afa5-e98396b43837\",\"name\":\"7d7980a7-4d27-42b8-afa5-e98396b43837\",\"etag\":\"\\\"600007b6-0000-0100-0000-69c38d7e0000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":true,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AnyAlert\",\"groupByEntities\":[],\"groupByAlertDetails\":[],\"groupByCustomDetails\":[]}},\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"DNSName\"}]}],\"queryFrequency\":\"PT5M\",\"queryPeriod\":\"PT30M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"High\",\"query\":\"let domains = dynamic([\\\"incomeupdate.com\\\",\\\"zupertech.com\\\",\\\"databasegalore.com\\\",\\\"panhardware.com\\\",\\\"avsvmcloud.com\\\",\\\"digitalcollege.org\\\",\\\"freescanonline.com\\\",\\\"deftsecurity.com\\\",\\\"thedoccloud.com\\\",\\\"virtualdataserver.com\\\",\\\"lcomputers.com\\\",\\\"webcodez.com\\\",\\\"globalnetworkissues.com\\\",\\\"kubecloud.com\\\",\\\"seobundlekit.com\\\",\\\"solartrackingsystem.net\\\",\\\"virtualwebdata.com\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n | parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n | where DNSName in~ (domains) or DestinationHostName has_any (domains) or RequestURL has_any(domains)\\n | extend AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName, IPCustomEntity = SourceIP\\n ),\\n(DnsEvents \\n | extend DNSName = Name\\n | where isnotempty(DNSName)\\n | where DNSName in~ (domains)\\n | extend IPCustomEntity = ClientIP\\n ),\\n(imDns \\n | where isnotempty(Query)\\n | where Query in~ (domains)\\n | extend DNSName = Query\\n | extend IPCustomEntity = SrcIpAddr\\n ),\\n(VMConnection \\n | parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n | where isnotempty(DNSName)\\n | where DNSName in~ (domains)\\n | extend IPCustomEntity = RemoteIp\\n ),\\n(DeviceNetworkEvents \\n | where isnotempty(RemoteUrl) \\n | where RemoteUrl has_any (domains) \\n | extend DNSName = RemoteUrl\\n | extend IPCustomEntity = RemoteIP \\n | extend HostCustomEntity = DeviceName \\n ),\\n(AzureDiagnostics\\n | where ResourceType == \\\"AZUREFIREWALLS\\\"\\n | where Category == \\\"AzureFirewallDnsProxy\\\"\\n | parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n | where Request_Name has_any (domains) \\n | extend DNSName = Request_Name\\n | extend IPCustomEntity = ClientIP \\n ),\\n(AzureDiagnostics \\n | where ResourceType == \\\"AZUREFIREWALLS\\\"\\n | where Category == \\\"AzureFirewallApplicationRule\\\"\\n | parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n | where isnotempty(DestinationHost)\\n | where DestinationHost has_any (domains) \\n | extend DNSName = DestinationHost \\n | extend IPCustomEntity = SourceHost\\n ) \\n )\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Solorigate Network Beacon\",\"enabled\":true,\"description\":\"Identifies a match across various data feeds for domains IOCs related to the Solorigate incident.\\n References: https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/, \\n https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html?1\",\"alertRuleTemplateName\":\"cecdbd4c-4902-403c-8d4b-32eb1efe460b\",\"lastModifiedUtc\":\"2026-03-25T07:23:41.4784143Z\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/alertRules/09115ed5-df21-42aa-92a5-d7b72d8b551b\",\"name\":\"09115ed5-df21-42aa-92a5-d7b72d8b551b\",\"etag\":\"\\\"60001eb6-0000-0100-0000-69c38d7f0000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":true,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT12H\",\"matchingMethod\":\"Selected\",\"groupByEntities\":[\"Account\"],\"groupByAlertDetails\":[],\"groupByCustomDetails\":[]}},\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserId__s\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Malicious Inbox Rule, affected user {{UserId__s}}\",\"alertDescriptionFormat\":null,\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"queryFrequency\":\"PT5M\",\"queryPeriod\":\"PT30M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"AlertPerResult\"},\"severity\":\"Medium\",\"query\":\"let Keywords = dynamic([\\\"helpdesk\\\", \\\" alert\\\", \\\" suspicious\\\", \\\"fake\\\", \\\"malicious\\\", \\\"phishing\\\", \\\"spam\\\", \\\"do not click\\\", \\\"do not open\\\", \\\"hijacked\\\", \\\"Fatal\\\"]);\\r\\nOfficeActivity_CL\\r\\n| where Operation_s =~ \\\"New-InboxRule\\\"\\r\\n| where Parameters_s has \\\"Deleted Items\\\" or Parameters_s has \\\"Junk Email\\\" \\r\\n| extend Events=todynamic(Parameters_s)\\r\\n| parse Events with * \\\"SubjectContainsWords\\\" SubjectContainsWords \u0027}\u0027*\\r\\n| parse Events with * \\\"BodyContainsWords\\\" BodyContainsWords \u0027}\u0027*\\r\\n| parse Events with * \\\"SubjectOrBodyContainsWords\\\" SubjectOrBodyContainsWords \u0027}\u0027*\\r\\n| where SubjectContainsWords has_any (Keywords)\\r\\nor BodyContainsWords has_any (Keywords)\\r\\nor SubjectOrBodyContainsWords has_any (Keywords)\\r\\n| extend ClientIPAddress = case( ClientIP_s has \\\".\\\", tostring(split(ClientIP_s,\\\":\\\")[0]), ClientIP_s has \\\"[\\\", tostring(trim_start(@\u0027[[]\u0027,tostring(split(ClientIP_s,\\\"]\\\")[0]))), ClientIP_s )\\r\\n| extend Keyword = iff(isnotempty(SubjectContainsWords), SubjectContainsWords, (iff(isnotempty(BodyContainsWords),BodyContainsWords,SubjectOrBodyContainsWords )))\\r\\n| extend RuleDetail = case(OfficeObjectId_s contains \u0027/\u0027 , tostring(split(OfficeObjectId_s, \u0027/\u0027)[-1]) , tostring(split(OfficeObjectId_s, \u0027\\\\\\\\\u0027)[-1]))\\r\\n| summarize count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by Operation_s, UserId__s, ClientIPAddress, ResultStatus_s, Keyword, OriginatingServer_s, OfficeObjectId_s, RuleDetail\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Persistence\",\"DefenseEvasion\"],\"displayName\":\"Malicious Inbox Rule - custom\",\"enabled\":true,\"description\":\"This rule is detecting on delete all traces of phishing email from user mailboxes\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2026-03-25T07:23:41.4848473Z\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/alertRules/5fa8a509-b73d-4f80-a32c-c6ff8dbbfb07\",\"name\":\"5fa8a509-b73d-4f80-a32c-c6ff8dbbfb07\",\"etag\":\"\\\"600051b6-0000-0100-0000-69c38d800000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":true,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[\"IP\"],\"groupByAlertDetails\":[],\"groupByCustomDetails\":[]}},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"queryFrequency\":\"PT5M\",\"queryPeriod\":\"PT30M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Medium\",\"query\":\"SigninLogs_CL\\n | where ResultType == \\\"50057\\\" \\n | where ResultDescription == \\\"User account is disabled. The account has been disabled by an administrator.\\\" \\n | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), disabledAccountLoginAttempts = count(), \\n disabledAccountsTargeted = dcount(UserPrincipalName_s), applicationsTargeted = dcount(AppDisplayName_s), disabledAccountSet = makeset(UserPrincipalName_s), \\n applicationSet = makeset(AppDisplayName_s)\\n by IPAddress, Type\\n | order by disabledAccountLoginAttempts desc\\n | join kind= leftouter (\\n // Consider these IPs suspicious - and alert any related successful sign-ins\\n SigninLogs_CL\\n | where ResultType == 0\\n | summarize successfulAccountSigninCount = dcount(UserPrincipalName_s), successfulAccountSigninSet = makeset(UserPrincipalName_s, 15) by IPAddress, Type\\n // Assume IPs associated with sign-ins from 100+ distinct user accounts are safe\\n | where successfulAccountSigninCount \u003c 100\\n )\\n on IPAddress \\n | where successfulAccountSigninCount != 0\\n | project StartTime, EndTime, IPAddress, disabledAccountLoginAttempts, disabledAccountsTargeted, disabledAccountSet, applicationSet, \\n successfulAccountSigninCount, successfulAccountSigninSet, Type\\n | order by disabledAccountLoginAttempts\\n | extend timestamp = StartTime, IPCustomEntity = IPAddress\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"InitialAccess\",\"Persistence\"],\"displayName\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts\",\"enabled\":true,\"description\":\"Identifies IPs with failed attempts to sign in to one or more disabled accounts signed in successfully to another account.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50057 - User account is disabled. The account has been disabled by an administrator.\",\"alertRuleTemplateName\":\"500c103a-0319-4d56-8e99-3cec8d860757\",\"lastModifiedUtc\":\"2026-03-25T07:23:41.4801209Z\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/alertRules/b02e5d36-1e05-445a-a542-a588eb9c88b2\",\"name\":\"b02e5d36-1e05-445a-a542-a588eb9c88b2\",\"etag\":\"\\\"600083b7-0000-0100-0000-69c38d900000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Informational\",\"query\":\"SecurityEvent\\n| take 1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Execution\"],\"displayName\":\"GetAlertRule9af76e\",\"enabled\":true,\"description\":\"GetAlertRule9af76e b02e5d36-1e05-445a-a542-a588eb9c88b2\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2026-03-25T07:23:59.9209504Z\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/alertRules/f731873a-1985-4ead-8b08-66136867f476\",\"name\":\"f731873a-1985-4ead-8b08-66136867f476\",\"etag\":\"\\\"60003eb8-0000-0100-0000-69c38d980000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Informational\",\"query\":\"SecurityEvent\\n| take 1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Execution\"],\"displayName\":\"RemoveAlertRuleziu23f\",\"enabled\":true,\"description\":\"RemoveAlertRuleziu23f f731873a-1985-4ead-8b08-66136867f476\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2026-03-25T07:24:07.9238609Z\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/alertRules/cc5ff22b-1ea2-46b8-8695-791d141e393f\",\"name\":\"cc5ff22b-1ea2-46b8-8695-791d141e393f\",\"etag\":\"\\\"600026b9-0000-0100-0000-69c38da10000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Informational\",\"query\":\"SecurityEvent\\n| take 1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Execution\"],\"displayName\":\"RemoveViaIdAlertRule8z7jhl\",\"enabled\":true,\"description\":\"RemoveViaIdAlertRule8z7jhl cc5ff22b-1ea2-46b8-8695-791d141e393f\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2026-03-25T07:24:17.0136989Z\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/alertRules/0cbb3d2d-91b5-45c4-8945-37d919707711\",\"name\":\"0cbb3d2d-91b5-45c4-8945-37d919707711\",\"etag\":\"\\\"600046ba-0000-0100-0000-69c38dac0000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Informational\",\"query\":\"SecurityEvent\\n| take 1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Execution\"],\"displayName\":\"UpdateAlertRulehfjtyo\",\"enabled\":true,\"description\":\"UpdateAlertRulehfjtyo 0cbb3d2d-91b5-45c4-8945-37d919707711\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2026-03-25T07:24:26.3633374Z\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/alertRules/fec1ccd0-78c5-41d9-b5a8-ec9b4e63ea9a\",\"name\":\"fec1ccd0-78c5-41d9-b5a8-ec9b4e63ea9a\",\"etag\":\"\\\"60002cbb-0000-0100-0000-69c38db40000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Informational\",\"query\":\"SecurityEvent\\n| take 1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Execution\"],\"displayName\":\"UpdateViaIdAlertRulegtdyv4\",\"enabled\":true,\"description\":\"UpdateViaIdAlertRulegtdyv4 fec1ccd0-78c5-41d9-b5a8-ec9b4e63ea9a\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2026-03-25T07:24:34.5271423Z\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/alertRules/ac0954ee-b73d-4e95-8cac-f93c182a1c20\",\"name\":\"ac0954ee-b73d-4e95-8cac-f93c182a1c20\",\"etag\":\"\\\"6000ddbb-0000-0100-0000-69c38dba0000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Informational\",\"query\":\"SecurityEvent\\n| take 1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Execution\"],\"displayName\":\"GetalertRuleActionRuleNamebocexs\",\"enabled\":true,\"description\":\"GetalertRuleActionRuleNamebocexs ac0954ee-b73d-4e95-8cac-f93c182a1c20\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2026-03-25T07:24:42.0078474Z\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/alertRules/fbfa413f-423f-4546-9399-6bb4b234b07b\",\"name\":\"fbfa413f-423f-4546-9399-6bb4b234b07b\",\"etag\":\"\\\"6000a5bc-0000-0100-0000-69c38dc30000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Informational\",\"query\":\"SecurityEvent\\n| take 1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Execution\"],\"displayName\":\"RemovealertRuleActionRuleNamer1pwq2\",\"enabled\":true,\"description\":\"RemovealertRuleActionRuleNamer1pwq2 fbfa413f-423f-4546-9399-6bb4b234b07b\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2026-03-25T07:24:51.0044427Z\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/alertRules/bfbfe303-5fe5-41b2-a51c-ce1c8cb99b4d\",\"name\":\"bfbfe303-5fe5-41b2-a51c-ce1c8cb99b4d\",\"etag\":\"\\\"600066bd-0000-0100-0000-69c38dcb0000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Informational\",\"query\":\"SecurityEvent\\n| take 1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Execution\"],\"displayName\":\"RemoveViaIdalertRuleActionRuleName7jasw6\",\"enabled\":true,\"description\":\"RemoveViaIdalertRuleActionRuleName7jasw6 bfbfe303-5fe5-41b2-a51c-ce1c8cb99b4d\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2026-03-25T07:24:58.5048729Z\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/alertRules/0a7c15c8-9257-4a34-9097-b53e070bf76d\",\"name\":\"0a7c15c8-9257-4a34-9097-b53e070bf76d\",\"etag\":\"\\\"60003abe-0000-0100-0000-69c38dd40000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Informational\",\"query\":\"SecurityEvent\\n| take 1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Execution\"],\"displayName\":\"UpdatealertRuleActionRuleNamecwvk1g\",\"enabled\":true,\"description\":\"UpdatealertRuleActionRuleNamecwvk1g 0a7c15c8-9257-4a34-9097-b53e070bf76d\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2026-03-25T07:25:06.4152594Z\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/alertRules/c259c27b-4474-427f-8734-a99bee6d5d06\",\"name\":\"c259c27b-4474-427f-8734-a99bee6d5d06\",\"etag\":\"\\\"6000d1be-0000-0100-0000-69c38ddb0000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Informational\",\"query\":\"SecurityEvent\\n| take 1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Execution\"],\"displayName\":\"UpdateViaIdalertRuleActionRuleNameg0clnz\",\"enabled\":true,\"description\":\"UpdateViaIdalertRuleActionRuleNameg0clnz c259c27b-4474-427f-8734-a99bee6d5d06\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2026-03-25T07:25:15.1810453Z\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/alertRules/43d832f5-5628-44bc-ba0a-e722177d0e9c\",\"name\":\"43d832f5-5628-44bc-ba0a-e722177d0e9c\",\"etag\":\"\\\"600012e5-0000-0100-0000-69c38f760000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5M\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let ZeroTrustTIC3Mapping = externaldata(RecommendationDisplayName:string,Capability:string,Family:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZeroTrustTIC3Mapping.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nSecurityRecommendation\\n | join kind=rightouter ZeroTrustTIC3Mapping on RecommendationDisplayName\\n | where Family == \u0027Universal Security Capabilities\u0027\\n | summarize\\n Assessments = count(),\\n Success = countif(RecommendationState == \u0027Healthy\u0027 or RecommendationState == \u0027NotApplicable\u0027 or RecommendationState == \u0027Removed\u0027),\\n Failed = countif(RecommendationState == \u0027Unhealthy\u0027)\\n by Capability, Family, RecommendationDisplayName\\n | extend SuccessRatePercentage = (Success * 100 / Assessments)\\n | extend FailedRatePercentage = (Failed * 100 / Assessments)\\n | extend RemediationLink = strcat(\u0027https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22\u0027)\\n | project\\n Capability,\\n Family,\\n RecommendationDisplayName,\\n Assessments,\\n SuccessRatePercentage,\\n FailedRatePercentage,\\n RemediationLink\\n | where RecommendationDisplayName \u003c\u003e \u0027\u0027\\n // | where RecommendationName \u003c\u003e \u0027\u0027 //Filter Out or Suppress Recommendations\\n | where FailedRatePercentage \u003e 30 //Adjust Either FailedRatePercentage or PasedRatePercentage Thresholds within Organizational Needs\\n | sort by FailedRatePercentage desc\\n | limit 250\\n | extend URLCustomEntity = RemediationLink\\n\",\"suppressionDuration\":\"PT1H\",\"suppressionEnabled\":false,\"tactics\":[\"Discovery\"],\"displayName\":\"(Preview) ZeroTrust(TIC3.0) Universal Security Capabilities Control Family Monitoring\",\"enabled\":false,\"description\":\"Zero Trust(TIC3.0) Control Assessments have Deviated from Configured Threshold Baselines\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2026-03-25T07:32:06.4575029Z\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/alertRules/9d7e762b-b900-44e3-a08e-5f0ebad7c0b2\",\"name\":\"9d7e762b-b900-44e3-a08e-5f0ebad7c0b2\",\"etag\":\"\\\"600013e5-0000-0100-0000-69c38f760000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5M\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let ZeroTrustTIC3Mapping = externaldata(RecommendationDisplayName:string,Capability:string,Family:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZeroTrustTIC3Mapping.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nSecurityRecommendation\\n| join kind=rightouter ZeroTrustTIC3Mapping on RecommendationDisplayName\\n| where Family == \u0027Intrusion Detection\u0027\\n| summarize\\n Assessments = count(),\\n Success = countif(RecommendationState == \u0027Healthy\u0027 or RecommendationState == \u0027NotApplicable\u0027 or RecommendationState == \u0027Removed\u0027),\\n Failed = countif(RecommendationState == \u0027Unhealthy\u0027)\\n by Capability, Family, RecommendationDisplayName\\n| extend SuccessRatePercentage = (Success * 100 / Assessments)\\n| extend FailedRatePercentage = (Failed * 100 / Assessments)\\n| extend RemediationLink = strcat(\u0027https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22\u0027)\\n| project\\n Capability,\\n Family,\\n RecommendationDisplayName,\\n Assessments,\\n SuccessRatePercentage,\\n FailedRatePercentage,\\n RemediationLink\\n| where RecommendationDisplayName \u003c\u003e \u0027\u0027\\n// | where RecommendationName \u003c\u003e \u0027\u0027 //Filter Out or Suppress Recommendations\\n| where FailedRatePercentage \u003e 30 //Adjust Either FailedRatePercentage or PasedRatePercentage Thresholds within Organizational Needs\\n| sort by FailedRatePercentage desc\\n| limit 250\\n| extend URLCustomEntity = RemediationLink\\n\",\"suppressionDuration\":\"PT1H\",\"suppressionEnabled\":false,\"tactics\":[\"Discovery\"],\"displayName\":\"(Preview) ZeroTrust(TIC3.0) Intrusion Detection Control Family Monitoring\",\"enabled\":false,\"description\":\"Zero Trust(TIC3.0) Control Assessments have Deviated from Configured Threshold Baselines\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2026-03-25T07:32:06.4598767Z\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/alertRules/e4f5026b-8080-417e-99fe-333ec1ee538c\",\"name\":\"e4f5026b-8080-417e-99fe-333ec1ee538c\",\"etag\":\"\\\"600014e5-0000-0100-0000-69c38f760000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5M\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let ZeroTrustTIC3Mapping = externaldata(RecommendationDisplayName:string,Capability:string,Family:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZeroTrustTIC3Mapping.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nSecurityRecommendation\\n| join kind=rightouter ZeroTrustTIC3Mapping on RecommendationDisplayName\\n| where Family == \u0027Data Protection\u0027\\n| summarize\\n Assessments = count(),\\n Success = countif(RecommendationState == \u0027Healthy\u0027 or RecommendationState == \u0027NotApplicable\u0027 or RecommendationState == \u0027Removed\u0027),\\n Failed = countif(RecommendationState == \u0027Unhealthy\u0027)\\n by Capability, Family, RecommendationDisplayName\\n| extend SuccessRatePercentage = (Success * 100 / Assessments)\\n| extend FailedRatePercentage = (Failed * 100 / Assessments)\\n| extend RemediationLink = strcat(\u0027https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22\u0027)\\n| project\\n Capability,\\n Family,\\n RecommendationDisplayName,\\n Assessments,\\n SuccessRatePercentage,\\n FailedRatePercentage,\\n RemediationLink\\n| where RecommendationDisplayName \u003c\u003e \u0027\u0027\\n// | where RecommendationName \u003c\u003e \u0027\u0027 //Filter Out or Suppress Recommendations\\n| where FailedRatePercentage \u003e 30 //Adjust Either FailedRatePercentage or PasedRatePercentage Thresholds within Organizational Needs\\n| sort by FailedRatePercentage desc\\n| limit 250\\n| extend URLCustomEntity = RemediationLink\\n\",\"suppressionDuration\":\"PT1H\",\"suppressionEnabled\":false,\"tactics\":[\"Discovery\"],\"displayName\":\"(Preview) ZeroTrust(TIC3.0) Data Protection Control Family Monitoring\",\"enabled\":false,\"description\":\"Zero Trust(TIC3.0) Control Assessments have Deviated from Configured Threshold Baselines\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2026-03-25T07:32:06.4584968Z\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/alertRules/1521a426-ba01-49cd-93c7-bd844059f60a\",\"name\":\"1521a426-ba01-49cd-93c7-bd844059f60a\",\"etag\":\"\\\"600015e5-0000-0100-0000-69c38f760000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5M\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let ZeroTrustTIC3Mapping = externaldata(RecommendationDisplayName:string,Capability:string,Family:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZeroTrustTIC3Mapping.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nSecurityRecommendation\\n | join kind=rightouter ZeroTrustTIC3Mapping on RecommendationDisplayName\\n | where Family == \u0027Files\u0027\\n | summarize\\n Assessments = count(),\\n Success = countif(RecommendationState == \u0027Healthy\u0027 or RecommendationState == \u0027NotApplicable\u0027 or RecommendationState == \u0027Removed\u0027),\\n Failed = countif(RecommendationState == \u0027Unhealthy\u0027)\\n by Capability, Family, RecommendationDisplayName\\n | extend SuccessRatePercentage = (Success * 100 / Assessments)\\n | extend FailedRatePercentage = (Failed * 100 / Assessments)\\n | extend RemediationLink = strcat(\u0027https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22\u0027)\\n | project\\n Capability,\\n Family,\\n RecommendationDisplayName,\\n Assessments,\\n SuccessRatePercentage,\\n FailedRatePercentage,\\n RemediationLink\\n | where RecommendationDisplayName \u003c\u003e \u0027\u0027\\n // | where RecommendationName \u003c\u003e \u0027\u0027 //Filter Out or Suppress Recommendations\\n | where FailedRatePercentage \u003e 30 //Adjust Either FailedRatePercentage or PasedRatePercentage Thresholds within Organizational Needs\\n | sort by FailedRatePercentage desc\\n | limit 250\\n | extend URLCustomEntity = RemediationLink\\n\",\"suppressionDuration\":\"PT1H\",\"suppressionEnabled\":false,\"tactics\":[\"Discovery\"],\"displayName\":\"(Preview) ZeroTrust(TIC3.0) Files Control Family Monitoring\",\"enabled\":false,\"description\":\"Zero Trust(TIC3.0) Control Assessments have Deviated from Configured Threshold Baselines\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2026-03-25T07:32:06.4588864Z\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/alertRules/52c23b0b-6a0c-4ffc-bb1d-cb7cac3bfcdb\",\"name\":\"52c23b0b-6a0c-4ffc-bb1d-cb7cac3bfcdb\",\"etag\":\"\\\"600016e5-0000-0100-0000-69c38f760000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5M\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let ZeroTrustTIC3Mapping = externaldata(RecommendationDisplayName:string,Capability:string,Family:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZeroTrustTIC3Mapping.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nSecurityRecommendation\\n| join kind=rightouter ZeroTrustTIC3Mapping on RecommendationDisplayName\\n| where Family == \u0027Unified Communications \u0026 Collaboration\u0027\\n| summarize\\n Assessments = count(),\\n Success = countif(RecommendationState == \u0027Healthy\u0027 or RecommendationState == \u0027NotApplicable\u0027 or RecommendationState == \u0027Removed\u0027),\\n Failed = countif(RecommendationState == \u0027Unhealthy\u0027)\\n by Capability, Family, RecommendationDisplayName\\n| extend SuccessRatePercentage = (Success * 100 / Assessments)\\n| extend FailedRatePercentage = (Failed * 100 / Assessments)\\n| extend RemediationLink = strcat(\u0027https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22\u0027)\\n| project\\n Capability,\\n Family,\\n RecommendationDisplayName,\\n Assessments,\\n SuccessRatePercentage,\\n FailedRatePercentage,\\n RemediationLink\\n| where RecommendationDisplayName \u003c\u003e \u0027\u0027\\n// | where RecommendationName \u003c\u003e \u0027\u0027 //Filter Out or Suppress Recommendations\\n| where FailedRatePercentage \u003e 30 //Adjust Either FailedRatePercentage or PasedRatePercentage Thresholds within Organizational Needs\\n| sort by FailedRatePercentage desc\\n| limit 250\\n| extend URLCustomEntity = RemediationLink\\n\",\"suppressionDuration\":\"PT1H\",\"suppressionEnabled\":false,\"tactics\":[\"Discovery\"],\"displayName\":\"(Preview) ZeroTrust(TIC3.0) UCC Control Family Monitoring\",\"enabled\":false,\"description\":\"Zero Trust(TIC3.0) Control Assessments have Deviated from Configured Threshold Baselines\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2026-03-25T07:32:06.4609651Z\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/alertRules/b69cd91c-606b-46cb-b7d4-dfa5b1822fed\",\"name\":\"b69cd91c-606b-46cb-b7d4-dfa5b1822fed\",\"etag\":\"\\\"600017e5-0000-0100-0000-69c38f760000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5M\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let ZeroTrustTIC3Mapping = externaldata(RecommendationDisplayName:string,Capability:string,Family:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZeroTrustTIC3Mapping.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nSecurityRecommendation\\n | join kind=rightouter ZeroTrustTIC3Mapping on RecommendationDisplayName\\n | where Family == \u0027DNS\u0027\\n | summarize\\n Assessments = count(),\\n Success = countif(RecommendationState == \u0027Healthy\u0027 or RecommendationState == \u0027NotApplicable\u0027 or RecommendationState == \u0027Removed\u0027),\\n Failed = countif(RecommendationState == \u0027Unhealthy\u0027)\\n by Capability, Family, RecommendationDisplayName\\n | extend SuccessRatePercentage = (Success * 100 / Assessments)\\n | extend FailedRatePercentage = (Failed * 100 / Assessments)\\n | extend RemediationLink = strcat(\u0027https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22\u0027)\\n | project\\n Capability,\\n Family,\\n RecommendationDisplayName,\\n Assessments,\\n SuccessRatePercentage,\\n FailedRatePercentage,\\n RemediationLink\\n | where RecommendationDisplayName \u003c\u003e \u0027\u0027\\n // | where RecommendationName \u003c\u003e \u0027\u0027 //Filter Out or Suppress Recommendations\\n | where FailedRatePercentage \u003e 30 //Adjust Either FailedRatePercentage or PasedRatePercentage Thresholds within Organizational Needs\\n | sort by FailedRatePercentage desc\\n | limit 250\\n | extend URLCustomEntity = RemediationLink\\n\",\"suppressionDuration\":\"PT1H\",\"suppressionEnabled\":false,\"tactics\":[\"Discovery\"],\"displayName\":\"(Preview) ZeroTrust(TIC3.0) DNS Control Family Monitoring\",\"enabled\":false,\"description\":\"Zero Trust(TIC3.0) Control Assessments have Deviated from Configured Threshold Baselines\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2026-03-25T07:32:06.480092Z\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/alertRules/4bb87308-b2e2-457d-92e4-b121a1931688\",\"name\":\"4bb87308-b2e2-457d-92e4-b121a1931688\",\"etag\":\"\\\"600018e5-0000-0100-0000-69c38f760000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5M\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let ZeroTrustTIC3Mapping = externaldata(RecommendationDisplayName:string,Capability:string,Family:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZeroTrustTIC3Mapping.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nSecurityRecommendation\\n | join kind=rightouter ZeroTrustTIC3Mapping on RecommendationDisplayName\\n | where Family == \u0027Resiliency\u0027\\n | summarize\\n Assessments = count(),\\n Success = countif(RecommendationState == \u0027Healthy\u0027 or RecommendationState == \u0027NotApplicable\u0027 or RecommendationState == \u0027Removed\u0027),\\n Failed = countif(RecommendationState == \u0027Unhealthy\u0027)\\n by Capability, Family, RecommendationDisplayName\\n | extend SuccessRatePercentage = (Success * 100 / Assessments)\\n | extend FailedRatePercentage = (Failed * 100 / Assessments)\\n | extend RemediationLink = strcat(\u0027https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22\u0027)\\n | project\\n Capability,\\n Family,\\n RecommendationDisplayName,\\n Assessments,\\n SuccessRatePercentage,\\n FailedRatePercentage,\\n RemediationLink\\n | where RecommendationDisplayName \u003c\u003e \u0027\u0027\\n // | where RecommendationName \u003c\u003e \u0027\u0027 //Filter Out or Suppress Recommendations\\n | where FailedRatePercentage \u003e 30 //Adjust Either FailedRatePercentage or PasedRatePercentage Thresholds within Organizational Needs\\n | sort by FailedRatePercentage desc\\n | limit 250\\n | extend URLCustomEntity = RemediationLink\\n\",\"suppressionDuration\":\"PT1H\",\"suppressionEnabled\":false,\"tactics\":[\"Discovery\"],\"displayName\":\"(Preview) ZeroTrust(TIC3.0) Resiliency Control Family Monitoring\",\"enabled\":false,\"description\":\"Zero Trust(TIC3.0) Control Assessments have Deviated from Configured Threshold Baselines\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2026-03-25T07:32:06.4791512Z\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/alertRules/496e4d79-5cd7-4d6e-b2f0-0be61c26ba0f\",\"name\":\"496e4d79-5cd7-4d6e-b2f0-0be61c26ba0f\",\"etag\":\"\\\"60001ae5-0000-0100-0000-69c38f760000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5M\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let ZeroTrustTIC3Mapping = externaldata(RecommendationDisplayName:string,Capability:string,Family:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZeroTrustTIC3Mapping.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nSecurityRecommendation\\n| join kind=rightouter ZeroTrustTIC3Mapping on RecommendationDisplayName\\n| where Family == \u0027Enterprise\u0027\\n| summarize\\n Assessments = count(),\\n Success = countif(RecommendationState == \u0027Healthy\u0027 or RecommendationState == \u0027NotApplicable\u0027 or RecommendationState == \u0027Removed\u0027),\\n Failed = countif(RecommendationState == \u0027Unhealthy\u0027)\\n by Capability, Family, RecommendationDisplayName\\n| extend SuccessRatePercentage = (Success * 100 / Assessments)\\n| extend FailedRatePercentage = (Failed * 100 / Assessments)\\n| extend RemediationLink = strcat(\u0027https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22\u0027)\\n| project\\n Capability,\\n Family,\\n RecommendationDisplayName,\\n Assessments,\\n SuccessRatePercentage,\\n FailedRatePercentage,\\n RemediationLink\\n| where RecommendationDisplayName \u003c\u003e \u0027\u0027\\n// | where RecommendationName \u003c\u003e \u0027\u0027 //Filter Out or Suppress Recommendations\\n| where FailedRatePercentage \u003e 30 //Adjust Either FailedRatePercentage or PasedRatePercentage Thresholds within Organizational Needs\\n| sort by FailedRatePercentage desc\\n| limit 250\\n| extend URLCustomEntity = RemediationLink\\n\",\"suppressionDuration\":\"PT1H\",\"suppressionEnabled\":false,\"tactics\":[\"Discovery\"],\"displayName\":\"(Preview) ZeroTrust(TIC3.0) Enterprise Control Family Monitoring\",\"enabled\":false,\"description\":\"Zero Trust(TIC3.0) Control Assessments have Deviated from Configured Threshold Baselines\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2026-03-25T07:32:06.4961235Z\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/alertRules/63d89b73-cfc5-4199-b765-922720095261\",\"name\":\"63d89b73-cfc5-4199-b765-922720095261\",\"etag\":\"\\\"60001be5-0000-0100-0000-69c38f760000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5M\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let ZeroTrustTIC3Mapping = externaldata(RecommendationDisplayName:string,Capability:string,Family:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZeroTrustTIC3Mapping.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nSecurityRecommendation\\n | join kind=rightouter ZeroTrustTIC3Mapping on RecommendationDisplayName\\n | where Family == \u0027Web\u0027\\n | summarize\\n Assessments = count(),\\n Success = countif(RecommendationState == \u0027Healthy\u0027 or RecommendationState == \u0027NotApplicable\u0027 or RecommendationState == \u0027Removed\u0027),\\n Failed = countif(RecommendationState == \u0027Unhealthy\u0027)\\n by Capability, Family, RecommendationDisplayName\\n | extend SuccessRatePercentage = (Success * 100 / Assessments)\\n | extend FailedRatePercentage = (Failed * 100 / Assessments)\\n | extend RemediationLink = strcat(\u0027https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22\u0027)\\n | project\\n Capability,\\n Family,\\n RecommendationDisplayName,\\n Assessments,\\n SuccessRatePercentage,\\n FailedRatePercentage,\\n RemediationLink\\n | where RecommendationDisplayName \u003c\u003e \u0027\u0027\\n // | where RecommendationName \u003c\u003e \u0027\u0027 //Filter Out or Suppress Recommendations\\n | where FailedRatePercentage \u003e 30 //Adjust Either FailedRatePercentage or PasedRatePercentage Thresholds within Organizational Needs\\n | sort by FailedRatePercentage desc\\n | limit 250\\n | extend URLCustomEntity = RemediationLink\\n\",\"suppressionDuration\":\"PT1H\",\"suppressionEnabled\":false,\"tactics\":[\"Discovery\"],\"displayName\":\"(Preview) ZeroTrust(TIC3.0) Web Control Family Monitoring\",\"enabled\":false,\"description\":\"Zero Trust(TIC3.0) Control Assessments have Deviated from Configured Threshold Baselines\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2026-03-25T07:32:06.5316509Z\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/alertRules/24d18d81-0de6-4d24-9c18-3b947b38d69f\",\"name\":\"24d18d81-0de6-4d24-9c18-3b947b38d69f\",\"etag\":\"\\\"60001ce5-0000-0100-0000-69c38f760000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5M\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let ZeroTrustTIC3Mapping = externaldata(RecommendationDisplayName:string,Capability:string,Family:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZeroTrustTIC3Mapping.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nSecurityRecommendation\\n | join kind=rightouter ZeroTrustTIC3Mapping on RecommendationDisplayName\\n | where Family == \u0027Email\u0027\\n | summarize\\n Assessments = count(),\\n Success = countif(RecommendationState == \u0027Healthy\u0027 or RecommendationState == \u0027NotApplicable\u0027 or RecommendationState == \u0027Removed\u0027),\\n Failed = countif(RecommendationState == \u0027Unhealthy\u0027)\\n by Capability, Family, RecommendationDisplayName\\n | extend SuccessRatePercentage = (Success * 100 / Assessments)\\n | extend FailedRatePercentage = (Failed * 100 / Assessments)\\n | extend RemediationLink = strcat(\u0027https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22\u0027)\\n | project\\n Capability,\\n Family,\\n RecommendationDisplayName,\\n Assessments,\\n SuccessRatePercentage,\\n FailedRatePercentage,\\n RemediationLink\\n | where RecommendationDisplayName \u003c\u003e \u0027\u0027\\n // | where RecommendationName \u003c\u003e \u0027\u0027 //Filter Out or Suppress Recommendations\\n | where FailedRatePercentage \u003e 30 //Adjust Either FailedRatePercentage or PasedRatePercentage Thresholds within Organizational Needs\\n | sort by FailedRatePercentage desc\\n | limit 250\\n | extend URLCustomEntity = RemediationLink\\n\",\"suppressionDuration\":\"PT1H\",\"suppressionEnabled\":false,\"tactics\":[\"Discovery\"],\"displayName\":\"(Preview) ZeroTrust(TIC3.0) Email Control Family Monitoring\",\"enabled\":false,\"description\":\"Zero Trust(TIC3.0) Control Assessments have Deviated from Configured Threshold Baselines\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2026-03-25T07:32:06.5565145Z\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/alertRules/6cbda92f-60c7-43aa-a348-7e52cbc1e627\",\"name\":\"6cbda92f-60c7-43aa-a348-7e52cbc1e627\",\"etag\":\"\\\"60001de5-0000-0100-0000-69c38f760000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5M\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let ZeroTrustTIC3Mapping = externaldata(RecommendationDisplayName:string,Capability:string,Family:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZeroTrustTIC3Mapping.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nSecurityRecommendation\\n | join kind=rightouter ZeroTrustTIC3Mapping on RecommendationDisplayName\\n | where Family == \u0027Networking\u0027\\n | summarize\\n Assessments = count(),\\n Success = countif(RecommendationState == \u0027Healthy\u0027 or RecommendationState == \u0027NotApplicable\u0027 or RecommendationState == \u0027Removed\u0027),\\n Failed = countif(RecommendationState == \u0027Unhealthy\u0027)\\n by Capability, Family, RecommendationDisplayName\\n | extend SuccessRatePercentage = (Success * 100 / Assessments)\\n | extend FailedRatePercentage = (Failed * 100 / Assessments)\\n | extend RemediationLink = strcat(\u0027https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22\u0027)\\n | project\\n Capability,\\n Family,\\n RecommendationDisplayName,\\n Assessments,\\n SuccessRatePercentage,\\n FailedRatePercentage,\\n RemediationLink\\n | where RecommendationDisplayName \u003c\u003e \u0027\u0027\\n // | where RecommendationName \u003c\u003e \u0027\u0027 //Filter Out or Suppress Recommendations\\n | where FailedRatePercentage \u003e 30 //Adjust Either FailedRatePercentage or PasedRatePercentage Thresholds within Organizational Needs\\n | sort by FailedRatePercentage desc\\n | limit 250\\n | extend URLCustomEntity = RemediationLink\\n\",\"suppressionDuration\":\"PT1H\",\"suppressionEnabled\":false,\"tactics\":[\"Discovery\"],\"displayName\":\"(Preview) ZeroTrust(TIC3.0) Networking Control Family Monitoring\",\"enabled\":false,\"description\":\"Zero Trust(TIC3.0) Control Assessments have Deviated from Configured Threshold Baselines\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2026-03-25T07:32:06.5988816Z\"}}]}", "isContentBase64": false } }, - "Get-AzSentinelAlertRule+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/cab7d557-3de0-4043-8dd4-b83629755ab8?api-version=2021-09-01-preview+1": { + "Get-AzSentinelAlertRule+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/alertRules/b02e5d36-1e05-445a-a542-a588eb9c88b2?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/cab7d557-3de0-4043-8dd4-b83629755ab8?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/alertRules/b02e5d36-1e05-445a-a542-a588eb9c88b2?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "159" ], - "x-ms-client-request-id": [ "89157eb4-2bb8-4bbc-8e43-37e7b1c35ea8" ], + "x-ms-unique-id": [ "2" ], + "x-ms-client-request-id": [ "71f60d24-13b8-438c-a525-29d207568573" ], "CommandName": [ "Get-AzSentinelAlertRule" ], "FullCommandName": [ "Get-AzSentinelAlertRule_Get" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], + "User-Agent": [ "AzurePowershell/v15.4.0", "PSVersion/v7.6.0", "Az.SecurityInsights/3.2.1" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { @@ -63,37 +67,41 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11998" ], - "x-ms-request-id": [ "3cd67556-d70f-4081-afea-78635515fd98" ], - "x-ms-correlation-request-id": [ "3cd67556-d70f-4081-afea-78635515fd98" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160648Z:3cd67556-d70f-4081-afea-78635515fd98" ], + "Vary": [ "Accept-Encoding" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "1099" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/5c91f677-20b4-4ee7-8628-0217fc8656c7" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-ratelimit-remaining-subscription-global-reads": [ "16499" ], + "x-ms-request-id": [ "e599b720-51cc-40a9-8aec-c313f96ed1a6" ], + "x-ms-correlation-request-id": [ "e599b720-51cc-40a9-8aec-c313f96ed1a6" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074400Z:e599b720-51cc-40a9-8aec-c313f96ed1a6" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:06:47 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: 3C7364A436A94D499F486605748B0559 Ref B: AMS231020512027 Ref C: 2026-03-25T07:44:00Z" ], + "Date": [ "Wed, 25 Mar 2026 07:44:00 GMT" ] }, "ContentHeaders": { "Content-Length": [ "1164" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/cab7d557-3de0-4043-8dd4-b83629755ab8\",\"name\":\"cab7d557-3de0-4043-8dd4-b83629755ab8\",\"etag\":\"\\\"0600e240-0000-0100-0000-62fbba160000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Informational\",\"query\":\"SecurityEvent\\n| take 1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Execution\"],\"displayName\":\"GetAlertRulem37adr\",\"enabled\":true,\"description\":\"GetAlertRulem37adr cab7d557-3de0-4043-8dd4-b83629755ab8\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2022-08-16T15:39:02.3687256Z\"}}", + "Content": "{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/alertRules/b02e5d36-1e05-445a-a542-a588eb9c88b2\",\"name\":\"b02e5d36-1e05-445a-a542-a588eb9c88b2\",\"etag\":\"\\\"600083b7-0000-0100-0000-69c38d900000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Informational\",\"query\":\"SecurityEvent\\n| take 1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Execution\"],\"displayName\":\"GetAlertRule9af76e\",\"enabled\":true,\"description\":\"GetAlertRule9af76e b02e5d36-1e05-445a-a542-a588eb9c88b2\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2026-03-25T07:23:59.9209504Z\"}}", "isContentBase64": false } }, - "Get-AzSentinelAlertRule+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/cab7d557-3de0-4043-8dd4-b83629755ab8?api-version=2021-09-01-preview+1": { + "Get-AzSentinelAlertRule+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/alertRules/b02e5d36-1e05-445a-a542-a588eb9c88b2?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/cab7d557-3de0-4043-8dd4-b83629755ab8?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/alertRules/b02e5d36-1e05-445a-a542-a588eb9c88b2?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "160" ], - "x-ms-client-request-id": [ "57fe5617-25f0-498b-9598-335f6820bfbd" ], + "x-ms-unique-id": [ "3" ], + "x-ms-client-request-id": [ "dad432f5-9d98-4e5c-a378-1cf13f345b94" ], "CommandName": [ "Get-AzSentinelAlertRule" ], "FullCommandName": [ "Get-AzSentinelAlertRule_Get" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], + "User-Agent": [ "AzurePowershell/v15.4.0", "PSVersion/v7.6.0", "Az.SecurityInsights/3.2.1" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { @@ -104,37 +112,41 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11997" ], - "x-ms-request-id": [ "ba7e2f26-7053-435a-8920-aec03f410ba1" ], - "x-ms-correlation-request-id": [ "ba7e2f26-7053-435a-8920-aec03f410ba1" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160648Z:ba7e2f26-7053-435a-8920-aec03f410ba1" ], + "Vary": [ "Accept-Encoding" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "1099" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/dcf0d16b-6f2e-486d-9859-1aa67735e441" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-ratelimit-remaining-subscription-global-reads": [ "16499" ], + "x-ms-request-id": [ "4c1e7748-0738-4c67-8672-1b71521ae158" ], + "x-ms-correlation-request-id": [ "4c1e7748-0738-4c67-8672-1b71521ae158" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074401Z:4c1e7748-0738-4c67-8672-1b71521ae158" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:06:47 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: D22AEACFDFF84735A3BFF9380F46AFDA Ref B: AMS231020512027 Ref C: 2026-03-25T07:44:01Z" ], + "Date": [ "Wed, 25 Mar 2026 07:44:00 GMT" ] }, "ContentHeaders": { "Content-Length": [ "1164" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/cab7d557-3de0-4043-8dd4-b83629755ab8\",\"name\":\"cab7d557-3de0-4043-8dd4-b83629755ab8\",\"etag\":\"\\\"0600e240-0000-0100-0000-62fbba160000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Informational\",\"query\":\"SecurityEvent\\n| take 1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Execution\"],\"displayName\":\"GetAlertRulem37adr\",\"enabled\":true,\"description\":\"GetAlertRulem37adr cab7d557-3de0-4043-8dd4-b83629755ab8\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2022-08-16T15:39:02.3687256Z\"}}", + "Content": "{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/alertRules/b02e5d36-1e05-445a-a542-a588eb9c88b2\",\"name\":\"b02e5d36-1e05-445a-a542-a588eb9c88b2\",\"etag\":\"\\\"600083b7-0000-0100-0000-69c38d900000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Informational\",\"query\":\"SecurityEvent\\n| take 1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Execution\"],\"displayName\":\"GetAlertRule9af76e\",\"enabled\":true,\"description\":\"GetAlertRule9af76e b02e5d36-1e05-445a-a542-a588eb9c88b2\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2026-03-25T07:23:59.9209504Z\"}}", "isContentBase64": false } }, - "Get-AzSentinelAlertRule+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/cab7d557-3de0-4043-8dd4-b83629755ab8?api-version=2021-09-01-preview+2": { + "Get-AzSentinelAlertRule+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/alertRules/b02e5d36-1e05-445a-a542-a588eb9c88b2?api-version=2021-09-01-preview+2": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/cab7d557-3de0-4043-8dd4-b83629755ab8?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/alertRules/b02e5d36-1e05-445a-a542-a588eb9c88b2?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "161" ], - "x-ms-client-request-id": [ "5a43283e-69d6-4a20-ba0d-f07003ca6f47" ], + "x-ms-unique-id": [ "4" ], + "x-ms-client-request-id": [ "cb04c19a-ef00-441f-b522-c1076969c0af" ], "CommandName": [ "Get-AzSentinelAlertRule" ], "FullCommandName": [ "Get-AzSentinelAlertRule_GetViaIdentity" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], + "User-Agent": [ "AzurePowershell/v15.4.0", "PSVersion/v7.6.0", "Az.SecurityInsights/3.2.1" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { @@ -145,21 +157,25 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11996" ], - "x-ms-request-id": [ "bf74d2e9-1095-4dd0-a3ba-4a4b537ec3d2" ], - "x-ms-correlation-request-id": [ "bf74d2e9-1095-4dd0-a3ba-4a4b537ec3d2" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160648Z:bf74d2e9-1095-4dd0-a3ba-4a4b537ec3d2" ], + "Vary": [ "Accept-Encoding" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "1099" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/f21ba371-36fe-4209-8b96-35feb751d7e0" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-ratelimit-remaining-subscription-global-reads": [ "16499" ], + "x-ms-request-id": [ "dde0c235-ba42-4cee-921f-70ee60bd2efe" ], + "x-ms-correlation-request-id": [ "dde0c235-ba42-4cee-921f-70ee60bd2efe" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074402Z:dde0c235-ba42-4cee-921f-70ee60bd2efe" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:06:47 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: 36AAC7B8ED654FF68C0D873B02852F49 Ref B: AMS231020512027 Ref C: 2026-03-25T07:44:01Z" ], + "Date": [ "Wed, 25 Mar 2026 07:44:01 GMT" ] }, "ContentHeaders": { "Content-Length": [ "1164" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/cab7d557-3de0-4043-8dd4-b83629755ab8\",\"name\":\"cab7d557-3de0-4043-8dd4-b83629755ab8\",\"etag\":\"\\\"0600e240-0000-0100-0000-62fbba160000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Informational\",\"query\":\"SecurityEvent\\n| take 1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Execution\"],\"displayName\":\"GetAlertRulem37adr\",\"enabled\":true,\"description\":\"GetAlertRulem37adr cab7d557-3de0-4043-8dd4-b83629755ab8\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2022-08-16T15:39:02.3687256Z\"}}", + "Content": "{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/alertRules/b02e5d36-1e05-445a-a542-a588eb9c88b2\",\"name\":\"b02e5d36-1e05-445a-a542-a588eb9c88b2\",\"etag\":\"\\\"600083b7-0000-0100-0000-69c38d900000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Informational\",\"query\":\"SecurityEvent\\n| take 1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Execution\"],\"displayName\":\"GetAlertRule9af76e\",\"enabled\":true,\"description\":\"GetAlertRule9af76e b02e5d36-1e05-445a-a542-a588eb9c88b2\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2026-03-25T07:23:59.9209504Z\"}}", "isContentBase64": false } } diff --git a/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelAlertRuleAction.Recording.json b/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelAlertRuleAction.Recording.json index 307b14bb07f3..72ec238ea713 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelAlertRuleAction.Recording.json +++ b/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelAlertRuleAction.Recording.json @@ -1,17 +1,17 @@ { - "Get-AzSentinelAlertRuleAction+[NoContext]+List+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/3f8b701e-a084-40d7-8f4b-a6b1482e8cc2/actions?api-version=2021-09-01-preview+1": { + "Get-AzSentinelAlertRuleAction+[NoContext]+List+$GET+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/alertRules/ac0954ee-b73d-4e95-8cac-f93c182a1c20/actions?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/3f8b701e-a084-40d7-8f4b-a6b1482e8cc2/actions?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/alertRules/ac0954ee-b73d-4e95-8cac-f93c182a1c20/actions?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "162" ], - "x-ms-client-request-id": [ "8494de4a-516c-4699-aebf-1c93f5dcea30" ], + "x-ms-unique-id": [ "5" ], + "x-ms-client-request-id": [ "1801ede2-a4c7-45de-9221-285b594f57a5" ], "CommandName": [ "Get-AzSentinelAlertRuleAction" ], "FullCommandName": [ "Get-AzSentinelAlertRuleAction_List" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], + "User-Agent": [ "AzurePowershell/v15.4.0", "PSVersion/v7.6.0", "Az.SecurityInsights/3.2.1" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { @@ -22,37 +22,41 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11995" ], - "x-ms-request-id": [ "98093655-efb4-4e46-86da-8b781f774b96" ], - "x-ms-correlation-request-id": [ "98093655-efb4-4e46-86da-8b781f774b96" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160649Z:98093655-efb4-4e46-86da-8b781f774b96" ], + "Vary": [ "Accept-Encoding" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "1099" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/65ef3569-b09d-40f7-ab4d-414d5a3923ac" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-ratelimit-remaining-subscription-global-reads": [ "16499" ], + "x-ms-request-id": [ "4ecc7669-1945-4435-b850-565046bc6b3d" ], + "x-ms-correlation-request-id": [ "4ecc7669-1945-4435-b850-565046bc6b3d" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074404Z:4ecc7669-1945-4435-b850-565046bc6b3d" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:06:48 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: C8859462A84345258EBBE7F57DC94000 Ref B: AMS231020512027 Ref C: 2026-03-25T07:44:03Z" ], + "Date": [ "Wed, 25 Mar 2026 07:44:03 GMT" ] }, "ContentHeaders": { "Content-Length": [ "727" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"value\":[{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/asicustomalertsv3_3f8b701e-a084-40d7-8f4b-a6b1482e8cc2_0ad3cc1a-0d2e-44cc-854a-f5fa08f86098/actions/0ad3cc1a-0d2e-44cc-854a-f5fa08f86098\",\"name\":\"0ad3cc1a-0d2e-44cc-854a-f5fa08f86098\",\"etag\":\"\\\"be015f15-0000-0300-0000-62fbbac20000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules/actions\",\"properties\":{\"workflowId\":\"eb03b1bc818942e0a642c05aeef2614b\",\"logicAppResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.Logic/workflows/Block-AADUser-Alert\"}}]}", + "Content": "{\"value\":[{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/alertRules/asicustomalertsv3_ac0954ee-b73d-4e95-8cac-f93c182a1c20_a05bb49a-a48a-4284-ae4b-62f2618b2c89/actions/a05bb49a-a48a-4284-ae4b-62f2618b2c89\",\"name\":\"a05bb49a-a48a-4284-ae4b-62f2618b2c89\",\"etag\":\"\\\"0802bd79-0000-0300-0000-69c38dbb0000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules/actions\",\"properties\":{\"workflowId\":\"fdce5d8d4e914b7b99bd10b290075cc2\",\"logicAppResourceId\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.Logic/workflows/Block-AADUser-Alert\"}}]}", "isContentBase64": false } }, - "Get-AzSentinelAlertRuleAction+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/3f8b701e-a084-40d7-8f4b-a6b1482e8cc2/actions/0ad3cc1a-0d2e-44cc-854a-f5fa08f86098?api-version=2021-09-01-preview+1": { + "Get-AzSentinelAlertRuleAction+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/alertRules/ac0954ee-b73d-4e95-8cac-f93c182a1c20/actions/a05bb49a-a48a-4284-ae4b-62f2618b2c89?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/3f8b701e-a084-40d7-8f4b-a6b1482e8cc2/actions/0ad3cc1a-0d2e-44cc-854a-f5fa08f86098?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/alertRules/ac0954ee-b73d-4e95-8cac-f93c182a1c20/actions/a05bb49a-a48a-4284-ae4b-62f2618b2c89?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "163" ], - "x-ms-client-request-id": [ "651ca8ac-2c3e-400c-aa30-bbd0ce40243c" ], + "x-ms-unique-id": [ "6" ], + "x-ms-client-request-id": [ "a1510357-6d75-497f-a1c2-97c171c7dc16" ], "CommandName": [ "Get-AzSentinelAlertRuleAction" ], "FullCommandName": [ "Get-AzSentinelAlertRuleAction_Get" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], + "User-Agent": [ "AzurePowershell/v15.4.0", "PSVersion/v7.6.0", "Az.SecurityInsights/3.2.1" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { @@ -63,37 +67,41 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11994" ], - "x-ms-request-id": [ "2f9af32a-eb7e-48c8-88b9-174412d69a51" ], - "x-ms-correlation-request-id": [ "2f9af32a-eb7e-48c8-88b9-174412d69a51" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160650Z:2f9af32a-eb7e-48c8-88b9-174412d69a51" ], + "Vary": [ "Accept-Encoding" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "1099" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/06640e55-fe9c-4796-af0b-2268358b0a85" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-ratelimit-remaining-subscription-global-reads": [ "16499" ], + "x-ms-request-id": [ "37aa42fc-9f4f-4b83-bfa0-485600cfb564" ], + "x-ms-correlation-request-id": [ "37aa42fc-9f4f-4b83-bfa0-485600cfb564" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074405Z:37aa42fc-9f4f-4b83-bfa0-485600cfb564" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:06:49 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: 864B7FB6EFB44EC8BEE848454B3C4FE0 Ref B: AMS231020512027 Ref C: 2026-03-25T07:44:04Z" ], + "Date": [ "Wed, 25 Mar 2026 07:44:04 GMT" ] }, "ContentHeaders": { "Content-Length": [ "660" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/3f8b701e-a084-40d7-8f4b-a6b1482e8cc2/actions/0ad3cc1a-0d2e-44cc-854a-f5fa08f86098\",\"name\":\"0ad3cc1a-0d2e-44cc-854a-f5fa08f86098\",\"etag\":\"\\\"be015f15-0000-0300-0000-62fbbac20000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules/actions\",\"properties\":{\"workflowId\":\"eb03b1bc818942e0a642c05aeef2614b\",\"logicAppResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.Logic/workflows/Block-AADUser-Alert\"}}", + "Content": "{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/alertRules/ac0954ee-b73d-4e95-8cac-f93c182a1c20/actions/a05bb49a-a48a-4284-ae4b-62f2618b2c89\",\"name\":\"a05bb49a-a48a-4284-ae4b-62f2618b2c89\",\"etag\":\"\\\"0802bd79-0000-0300-0000-69c38dbb0000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules/actions\",\"properties\":{\"workflowId\":\"fdce5d8d4e914b7b99bd10b290075cc2\",\"logicAppResourceId\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.Logic/workflows/Block-AADUser-Alert\"}}", "isContentBase64": false } }, - "Get-AzSentinelAlertRuleAction+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/3f8b701e-a084-40d7-8f4b-a6b1482e8cc2/actions/0ad3cc1a-0d2e-44cc-854a-f5fa08f86098?api-version=2021-09-01-preview+1": { + "Get-AzSentinelAlertRuleAction+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/alertRules/ac0954ee-b73d-4e95-8cac-f93c182a1c20/actions/a05bb49a-a48a-4284-ae4b-62f2618b2c89?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/3f8b701e-a084-40d7-8f4b-a6b1482e8cc2/actions/0ad3cc1a-0d2e-44cc-854a-f5fa08f86098?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/alertRules/ac0954ee-b73d-4e95-8cac-f93c182a1c20/actions/a05bb49a-a48a-4284-ae4b-62f2618b2c89?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "164" ], - "x-ms-client-request-id": [ "6c64fdd3-d417-4739-9659-000c9bcbde9a" ], + "x-ms-unique-id": [ "7" ], + "x-ms-client-request-id": [ "5b6733dd-e764-49aa-b7dd-8fb29a9fbef6" ], "CommandName": [ "Get-AzSentinelAlertRuleAction" ], "FullCommandName": [ "Get-AzSentinelAlertRuleAction_Get" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], + "User-Agent": [ "AzurePowershell/v15.4.0", "PSVersion/v7.6.0", "Az.SecurityInsights/3.2.1" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { @@ -104,37 +112,41 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11993" ], - "x-ms-request-id": [ "09604d7f-6625-4b3c-ad7c-6732ea0531d6" ], - "x-ms-correlation-request-id": [ "09604d7f-6625-4b3c-ad7c-6732ea0531d6" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160650Z:09604d7f-6625-4b3c-ad7c-6732ea0531d6" ], + "Vary": [ "Accept-Encoding" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "1099" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/f9c18348-ff01-462f-a0a2-defcfca6605f" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-ratelimit-remaining-subscription-global-reads": [ "16499" ], + "x-ms-request-id": [ "39741283-c449-4ed0-9164-9312bbe8cb5c" ], + "x-ms-correlation-request-id": [ "39741283-c449-4ed0-9164-9312bbe8cb5c" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074405Z:39741283-c449-4ed0-9164-9312bbe8cb5c" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:06:49 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: E2BAB5A2B6774F788EDECF3F5342FDEE Ref B: AMS231020512027 Ref C: 2026-03-25T07:44:05Z" ], + "Date": [ "Wed, 25 Mar 2026 07:44:05 GMT" ] }, "ContentHeaders": { "Content-Length": [ "660" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/3f8b701e-a084-40d7-8f4b-a6b1482e8cc2/actions/0ad3cc1a-0d2e-44cc-854a-f5fa08f86098\",\"name\":\"0ad3cc1a-0d2e-44cc-854a-f5fa08f86098\",\"etag\":\"\\\"be015f15-0000-0300-0000-62fbbac20000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules/actions\",\"properties\":{\"workflowId\":\"eb03b1bc818942e0a642c05aeef2614b\",\"logicAppResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.Logic/workflows/Block-AADUser-Alert\"}}", + "Content": "{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/alertRules/ac0954ee-b73d-4e95-8cac-f93c182a1c20/actions/a05bb49a-a48a-4284-ae4b-62f2618b2c89\",\"name\":\"a05bb49a-a48a-4284-ae4b-62f2618b2c89\",\"etag\":\"\\\"0802bd79-0000-0300-0000-69c38dbb0000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules/actions\",\"properties\":{\"workflowId\":\"fdce5d8d4e914b7b99bd10b290075cc2\",\"logicAppResourceId\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.Logic/workflows/Block-AADUser-Alert\"}}", "isContentBase64": false } }, - "Get-AzSentinelAlertRuleAction+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/3f8b701e-a084-40d7-8f4b-a6b1482e8cc2/actions/0ad3cc1a-0d2e-44cc-854a-f5fa08f86098?api-version=2021-09-01-preview+2": { + "Get-AzSentinelAlertRuleAction+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/alertRules/ac0954ee-b73d-4e95-8cac-f93c182a1c20/actions/a05bb49a-a48a-4284-ae4b-62f2618b2c89?api-version=2021-09-01-preview+2": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/3f8b701e-a084-40d7-8f4b-a6b1482e8cc2/actions/0ad3cc1a-0d2e-44cc-854a-f5fa08f86098?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/alertRules/ac0954ee-b73d-4e95-8cac-f93c182a1c20/actions/a05bb49a-a48a-4284-ae4b-62f2618b2c89?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "165" ], - "x-ms-client-request-id": [ "d431e921-8af6-4b0b-a0f0-00e8a6b50c9d" ], + "x-ms-unique-id": [ "8" ], + "x-ms-client-request-id": [ "ff9baf8d-708d-4cfa-b570-f4cff742380e" ], "CommandName": [ "Get-AzSentinelAlertRuleAction" ], "FullCommandName": [ "Get-AzSentinelAlertRuleAction_GetViaIdentity" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], + "User-Agent": [ "AzurePowershell/v15.4.0", "PSVersion/v7.6.0", "Az.SecurityInsights/3.2.1" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { @@ -145,21 +157,25 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11992" ], - "x-ms-request-id": [ "146450f1-0e8c-41de-98c4-b269dd19a83b" ], - "x-ms-correlation-request-id": [ "146450f1-0e8c-41de-98c4-b269dd19a83b" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160651Z:146450f1-0e8c-41de-98c4-b269dd19a83b" ], + "Vary": [ "Accept-Encoding" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "1099" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/e8bc1881-33a3-42c2-bac4-6db90adab166" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-ratelimit-remaining-subscription-global-reads": [ "16499" ], + "x-ms-request-id": [ "668c9f94-b909-4f49-b688-0e7c8d0eb78a" ], + "x-ms-correlation-request-id": [ "668c9f94-b909-4f49-b688-0e7c8d0eb78a" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074406Z:668c9f94-b909-4f49-b688-0e7c8d0eb78a" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:06:51 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: 889DEE1D74C84671B2E87CB01D1C7E4E Ref B: AMS231020512027 Ref C: 2026-03-25T07:44:06Z" ], + "Date": [ "Wed, 25 Mar 2026 07:44:06 GMT" ] }, "ContentHeaders": { "Content-Length": [ "660" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/3f8b701e-a084-40d7-8f4b-a6b1482e8cc2/actions/0ad3cc1a-0d2e-44cc-854a-f5fa08f86098\",\"name\":\"0ad3cc1a-0d2e-44cc-854a-f5fa08f86098\",\"etag\":\"\\\"be015f15-0000-0300-0000-62fbbac20000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules/actions\",\"properties\":{\"workflowId\":\"eb03b1bc818942e0a642c05aeef2614b\",\"logicAppResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.Logic/workflows/Block-AADUser-Alert\"}}", + "Content": "{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/alertRules/ac0954ee-b73d-4e95-8cac-f93c182a1c20/actions/a05bb49a-a48a-4284-ae4b-62f2618b2c89\",\"name\":\"a05bb49a-a48a-4284-ae4b-62f2618b2c89\",\"etag\":\"\\\"0802bd79-0000-0300-0000-69c38dbb0000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules/actions\",\"properties\":{\"workflowId\":\"fdce5d8d4e914b7b99bd10b290075cc2\",\"logicAppResourceId\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.Logic/workflows/Block-AADUser-Alert\"}}", "isContentBase64": false } } diff --git a/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelAlertRuleTemplate.Recording.json b/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelAlertRuleTemplate.Recording.json index 5b7c329571f3..ddd67b413082 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelAlertRuleTemplate.Recording.json +++ b/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelAlertRuleTemplate.Recording.json @@ -1,17 +1,17 @@ { - "Get-AzSentinelAlertRuleTemplate+[NoContext]+List+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRuleTemplates?api-version=2021-09-01-preview+1": { + "Get-AzSentinelAlertRuleTemplate+[NoContext]+List+$GET+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/alertRuleTemplates?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRuleTemplates?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/alertRuleTemplates?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "166" ], - "x-ms-client-request-id": [ "afd845c9-c2b2-4d8e-a1b5-c47350b52f42" ], + "x-ms-unique-id": [ "9" ], + "x-ms-client-request-id": [ "99919a4c-fb6e-437f-9091-8a779a23e18c" ], "CommandName": [ "Get-AzSentinelAlertRuleTemplate" ], "FullCommandName": [ "Get-AzSentinelAlertRuleTemplate_List" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], + "User-Agent": [ "AzurePowershell/v15.4.0", "PSVersion/v7.6.0", "Az.SecurityInsights/3.2.1" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { @@ -22,37 +22,41 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11991" ], - "x-ms-request-id": [ "68c6970a-ff2b-40ee-8f4d-f9bbe6a5eafa" ], - "x-ms-correlation-request-id": [ "68c6970a-ff2b-40ee-8f4d-f9bbe6a5eafa" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160652Z:68c6970a-ff2b-40ee-8f4d-f9bbe6a5eafa" ], + "Vary": [ "Accept-Encoding" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "1098" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/642cd481-1d4c-4a12-a7f0-eb5be05314d1" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-ratelimit-remaining-subscription-global-reads": [ "16498" ], + "x-ms-request-id": [ "3b3fa6c6-96c9-471b-a6ea-532e4f938bce" ], + "x-ms-correlation-request-id": [ "3b3fa6c6-96c9-471b-a6ea-532e4f938bce" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074408Z:3b3fa6c6-96c9-471b-a6ea-532e4f938bce" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:06:52 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: 8E494AA005624A8082AFCD6E60799DA7 Ref B: AMS231020512027 Ref C: 2026-03-25T07:44:07Z" ], + "Date": [ "Wed, 25 Mar 2026 07:44:07 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "1435342" ], + "Content-Length": [ "1889450" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"value\":[{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f71aba3d-28fb-450b-b192-4e76a83015c8\",\"name\":\"f71aba3d-28fb-450b-b192-4e76a83015c8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Fusion\",\"properties\":{\"severity\":\"High\",\"tactics\":[\"Collection\",\"CommandAndControl\",\"CredentialAccess\",\"DefenseEvasion\",\"Discovery\",\"Execution\",\"Exfiltration\",\"Impact\",\"InitialAccess\",\"LateralMovement\",\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Advanced Multistage Attack Detection\",\"description\":\"Microsoft Sentinel uses Fusion, a correlation engine based on scalable machine learning algorithms, to automatically detect multistage attacks by identifying combinations of anomalous behaviors and suspicious activities that are observed at various stages of the kill chain. On the basis of these discoveries, Azure Sentinel generates incidents that would otherwise be very difficult to catch. By design, these incidents are low-volume, high-fidelity, and high-severity, which is why this detection is turned ON by default.\\n\\nSince Fusion correlates multiple signals from various products to detect advanced multistage attacks, successful Fusion detections are presented as Fusion incidents on the Microsoft Sentinel Incidents page. This rule covers the following detections:\\n- Fusion for emerging threats\\n- Fusion for ransomware\\n- Scenario-based Fusion detections (122 scenarios)\\n\\nTo enable these detections, we recommend you configure the following data connectors for best results:\\n- Out-of-the-box anomaly detections\\n- Azure Active Directory Identity Protection\\n- Azure Defender\\n- Azure Defender for IoT\\n- Microsoft 365 Defender\\n- Microsoft Cloud App Security \\n- Microsoft Defender for Endpoint\\n- Microsoft Defender for Identity\\n- Microsoft Defender for Office 365\\n- Scheduled analytics rules, both built-in and those created by your security analysts. Analytics rules must contain kill-chain (tactics) and entity mapping information in order to be used by Fusion.\\n\\nFor the full description of each detection that is supported by Fusion, go to https://aka.ms/SentinelFusion.\",\"lastUpdatedDateUTC\":\"2021-06-09T00:00:00Z\",\"createdDateUTC\":\"2019-07-25T00:00:00Z\",\"status\":\"Installed\",\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/57c7e832-64eb-411f-8928-4133f01f4a25\",\"name\":\"57c7e832-64eb-411f-8928-4133f01f4a25\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n AzureDiagnostics\\n | where ResourceType =~ \\\"VAULTS\\\"\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | extend KeyVaultEvents_TimeGenerated = TimeGenerated, ClientIP = CallerIPAddress\\n)\\non $left.TI_ipEntity == $right.ClientIP\\n| where KeyVaultEvents_TimeGenerated \u003c ExpirationDateTime\\n| summarize KeyVaultEvents_TimeGenerated = arg_max(KeyVaultEvents_TimeGenerated, *) by IndicatorId, ClientIP\\n| project KeyVaultEvents_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, ClientIP, ResourceId, SubscriptionId, OperationName, ResultType, CorrelationId, id_s, clientInfo_s, httpStatusCode_d, identity_claim_appid_g, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\n| extend timestamp = KeyVaultEvents_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceId\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to Azure Key Vault logs\",\"description\":\"Identifies a match in Azure Key Vault logsfrom any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureKeyVault\",\"dataTypes\":[\"KeyVaultData\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f948a32f-226c-4116-bddd-d95e91d97eb9\",\"name\":\"f948a32f-226c-4116-bddd-d95e91d97eb9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let detectionTime = 1d;\\nlet joinLookback = 14d;\\nAuditLogs\\n| where TimeGenerated \u003e ago(detectionTime)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Consent to application\\\"\\n| where TargetResources has \\\"mailboxsettings\\\"\\n| extend AppDisplayName = TargetResources.[0].displayName\\n| extend AppClientId = tolower(TargetResources.[0].id)\\n| where AppClientId !in ((externaldata(knownAppClientId:string, knownAppDisplayName:string)[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.OAuth.KnownApplications.csv\\\"] with (format=\\\"csv\\\")))\\n| extend ConsentFull = TargetResources[0].modifiedProperties[4].newValue\\n| parse ConsentFull with * \\\"ConsentType: \\\" GrantConsentType \\\", Scope: \\\" GrantScope1 \\\"]\\\" *\\n| where ConsentFull contains \\\"contacts.read\\\" and ConsentFull contains \\\"user.read\\\" and ConsentFull contains \\\"mail.read\\\" and ConsentFull contains \\\"notes.read.all\\\" and ConsentFull contains \\\"mailboxsettings.readwrite\\\" and ConsentFull contains \\\"Files.ReadWrite.All\\\"\\n| where GrantConsentType != \\\"AllPrincipals\\\" // NOTE: we are ignoring if OAuth application was granted to all users via an admin - but admin due diligence should be audited occasionally\\n| extend GrantIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n| extend GrantInitiatedBy = iff(isnotempty(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend GrantUserAgent = iff(AdditionalDetails[0].key =~ \\\"User-Agent\\\", tostring(AdditionalDetails[0].value), \\\"\\\")\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, GrantIpAddress, GrantUserAgent, AppClientId, OperationName, ConsentFull, CorrelationId\\n| join kind = leftouter (AuditLogs\\n| where TimeGenerated \u003e ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add service principal\\\"\\n| extend AppClientId = tolower(TargetResources[0].id)\\n| extend AppReplyURLs = iff(TargetResources[0].modifiedProperties[1].newValue has \\\"AddressType\\\", TargetResources[0].modifiedProperties[1].newValue, \\\"\\\")\\n| distinct AppClientId, tostring(AppReplyURLs)\\n)\\non AppClientId\\n| join kind = innerunique (AuditLogs\\n| where TimeGenerated \u003e ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add OAuth2PermissionGrant\\\" or OperationName =~ \\\"Add delegated permission grant\\\"\\n| extend GrantAuthentication = tostring(TargetResources[0].displayName)\\n| extend GrantOperation = OperationName\\n| project GrantAuthentication, GrantOperation, CorrelationId\\n) on CorrelationId\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantIpAddress, GrantUserAgent, AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull\\n| extend timestamp = TimeGenerated, AccountCustomEntity = GrantInitiatedBy, IPCustomEntity = GrantIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\",\"DefenseEvasion\"],\"displayName\":\"Suspicious application consent similar to O365 Attack Toolkit\",\"description\":\"This will alert when a user consents to provide a previously-unknown Azure application with the same OAuth permissions used by the MDSec O365 Attack Toolkit (https://github.com/mdsecactivebreach/o365-attack-toolkit).\\nThe default permissions/scope for the MDSec O365 Attack toolkit are contacts.read, user.read, mail.read, notes.read.all, mailboxsettings.readwrite, and files.readwrite.all.\\nConsent to applications with these permissions should be rare, especially as the knownApplications list is expanded, especially as the knownApplications list is expanded. Public contributions to expand this filter are welcome!\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a3c144f9-8051-47d4-ac29-ffb0c312c910\",\"name\":\"a3c144f9-8051-47d4-ac29-ffb0c312c910\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"High\",\"query\":\"let SunburstMD5=dynamic([\\\"b91ce2fa41029f6955bff20079468448\\\",\\\"02af7cec58b9a5da1c542b5a32151ba1\\\",\\\"2c4a910a1299cdae2a4e55988a2f102e\\\",\\\"846e27a652a5e1bfbd0ddd38a16dc865\\\",\\\"4f2eb62fa529c0283b28d05ddd311fae\\\"]);\\nlet SupernovaMD5=\\\"56ceb6d0011d87b6e4d7023d7ef85676\\\";\\nDeviceFileEvents\\n| where MD5 in(SunburstMD5) or MD5 in(SupernovaMD5)\\n| extend\\n timestamp = TimeGenerated,\\n AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName),\\n HostCustomEntity = DeviceName,\\n AlgorithmCustomEntity = \\\"MD5\\\",\\n FileHashCustomEntity = MD5\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Execution\",\"Persistence\",\"InitialAccess\"],\"displayName\":\"SUNBURST and SUPERNOVA backdoor hashes\",\"description\":\"Identifies SolarWinds SUNBURST and SUPERNOVA backdoor file hash IOCs in DeviceFileEvents\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2020-12-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/87210ca1-49a4-4a7d-bb4a-4988752f978c\",\"name\":\"87210ca1-49a4-4a7d-bb4a-4988752f978c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"// Get details of current Azure Ranges (note this URL updates regularly so will need to be manually updated over time)\\n// You may find the name of the new JSON here: https://www.microsoft.com/download/details.aspx?id=56519\\n// On the downloads page, click the \u0027details\u0027 button, and then replace just the filename in the URL below\\nlet azure_ranges = externaldata(changeNumber: string, cloud: string, values: dynamic)\\n[\\\"https://download.microsoft.com/download/7/1/D/71D86715-5596-4529-9B13-DA13A5DE5B63/ServiceTags_Public_20220321.json\\\"]\\nwith(format=\u0027multijson\u0027)\\n| mv-expand values\\n| mv-expand values.properties.addressPrefixes\\n| mv-expand values_properties_addressPrefixes\\n| summarize by tostring(values_properties_addressPrefixes);\\nSigninLogs\\n// Limiting to Azure Portal really reduces false positives and helps focus on potential admin activity\\n| where AppDisplayName =~ \\\"Azure Portal\\\"\\n// Only get logons where the IP address is in an Azure range\\n| evaluate ipv4_lookup(azure_ranges, IPAddress, values_properties_addressPrefixes)\\n// Limit to where the user is external to the tenant\\n| where HomeTenantId != ResourceTenantId\\n// Further limit it to just access to the current tenant (you can drop this if you wanted to look elsewhere as well but it helps reduce FPs)\\n| where ResourceTenantId == AADTenantId\\n| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), make_set(ResourceDisplayName) by UserPrincipalName, IPAddress, UserAgent, Location, HomeTenantId, ResourceTenantId\\n| extend AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Azure Portal Signin from another Azure Tenant\",\"description\":\"This query looks for sign in attempts to the Azure Portal where the user who is signing in from another Azure tenant,\\n and the IP address the login attempt is from is an Azure IP. A threat actor who compromises an Azure tenant may look\\n to pivot to other tenants leveraging cross-tenant delegated access in this manner.\",\"lastUpdatedDateUTC\":\"2022-03-30T00:00:00Z\",\"createdDateUTC\":\"2021-10-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/29a29e5d-354e-4f5e-8321-8b39d25047bf\",\"name\":\"29a29e5d-354e-4f5e-8321-8b39d25047bf\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"High\",\"query\":\"let files1 = dynamic([\\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\lsa.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\pa.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\pc.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\Rar.exe\\\"]);\\nlet files2 = dynamic([\\\"svchost.exe\\\",\\\"wdmsvc.exe\\\"]);\\nlet FileHash1 = dynamic([\\\"43109fbe8b752f7a9076eaafa417d9ae5c6e827cd5374b866672263fdebd5ec3\\\", \\\"ab50d8d707b97712178a92bbac74ccc2a5699eb41c17aa77f713ff3e568dcedb\\\", \\\"010e32be0f86545e116a8bc3381a8428933eb8789f32c261c81fd5e7857d4a77\\\", \\\"56cd102b9fc7f3523dad01d632525ff673259dbc9a091be0feff333c931574f7\\\"]);\\nlet FileHash2 = dynamic([\\\"2a1044e9e6e87a032f80c6d9ea6ae61bbbb053c0a21b186ecb3b812b49eb03b7\\\", \\\"9ab7e99ed84f94a7b6409b87e56dc6e1143b05034a5e4455e8c555dbbcd0d2dd\\\", \\\"18a072ccfab239e140d8f682e2874e8ff19d94311fc8bb9564043d3e0deda54b\\\"]);\\nimFileEvent\\n| where ((FilePath has_any (files1)) and (ActingProcessSHA256 has_any (FileHash1))) or ((FilePath has_any (files2)) and (ActingProcessSHA256 has_any (FileHash2)))\\n// Increase risk score if recent alerts for the host\\n| join kind=leftouter (SecurityAlert\\n| where ProviderName =~ \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| mv-expand todynamic(Entities)\\n| extend DvcId = tostring(parse_json(Entities).MdatpDeviceId)\\n| where isnotempty(DvcId)\\n// Higher risk score are for Defender alerts related to threat actor\\n| extend AlertRiskScore = iif(ThreatName has_any (\\\"Backdoor:MSIL/ShellClient.A\\\", \\\"Backdoor:MSIL/ShellClient.A!dll\\\", \\\"Trojan:MSIL/Mimikatz.BA!MTB\\\"), 1.0, 0.5)\\n| project DvcId, AlertRiskScore) on DvcId\\n| extend AlertRiskScore = iif(isempty(AlertRiskScore), 0.0, AlertRiskScore)\\n| extend timestamp = TimeGenerated, HostCustomEntity = Dvc, AccountCustomEntity = ActorUsername\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"FileName\"}]}],\"tactics\":[\"CredentialAccess\",\"Execution\"],\"displayName\":\"Dev-0228 File Path Hashes November 2021 (ASIM Version)\",\"description\":\"This hunting query looks for file paths/hashes related to observed activity by Dev-0228. The actor is known to use custom version of popular tool like PsExec, Procdump etc. to carry its activity.\\n The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first.\\n This query uses the Microsoft Sentinel Information Model - https://docs.microsoft.com/azure/sentinel/normalization\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2021-11-18T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0dd2a343-4bf9-4c93-a547-adf3658ddaec\",\"name\":\"0dd2a343-4bf9-4c93-a547-adf3658ddaec\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"let known_processes = (\\n imProcess\\n // Change these values if adjusting Query Frequency or Query Period\\n | where TimeGenerated between(ago(14d)..ago(1d))\\n | where Process has_any (\\\"Policies\\\\\\\\{6AC1786C-016F-11D2-945F-00C04fB984F9}\\\", \\\"Policies\\\\\\\\{31B2F340-016D-11D2-945F-00C04FB984F9}\\\")\\n | summarize by Process);\\n imProcess\\n // Change these values if adjusting Query Frequency or Query Period\\n | where TimeGenerated \u003e ago(1d)\\n | where Process has_any (\\\"Policies\\\\\\\\{6AC1786C-016F-11D2-945F-00C04fB984F9}\\\", \\\"Policies\\\\\\\\{31B2F340-016D-11D2-945F-00C04FB984F9}\\\")\\n | where Process !in (known_processes)\\n | summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated) by Process, CommandLine, DvcHostname\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"DvcHostname\"}]}],\"tactics\":[\"Execution\",\"LateralMovement\"],\"displayName\":\"New EXE deployed via Default Domain or Default Domain Controller Policies (ASIM Version)\",\"description\":\"This detection highlights executables deployed to hosts via either the Default Domain or Default Domain Controller Policies. These policies apply to all hosts or Domain Controllers and best practice is that these policies should not be used for deployment of files.\\n A threat actor may use these policies to deploy files or scripts to all hosts in a domain.\\n This query uses the ASIM parsers and will need them deployed before usage - https://docs.microsoft.com/azure/sentinel/normalization\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-02-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/871ba14c-88ef-48aa-ad38-810f26760ca3\",\"name\":\"871ba14c-88ef-48aa-ad38-810f26760ca3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let queryfrequency = 1d;\\nlet queryperiod = 7d;\\nOfficeActivity\\n| where TimeGenerated \u003e ago(queryperiod)\\n| where OfficeWorkload =~ \\\"Exchange\\\"\\n//| where Operation in (\\\"Set-Mailbox\\\", \\\"New-InboxRule\\\", \\\"Set-InboxRule\\\")\\n| where Parameters has_any (\\\"ForwardTo\\\", \\\"RedirectTo\\\", \\\"ForwardingSmtpAddress\\\")\\n| mv-apply DynamicParameters = todynamic(Parameters) on (summarize ParsedParameters = make_bag(pack(tostring(DynamicParameters.Name), DynamicParameters.Value)))\\n| evaluate bag_unpack(ParsedParameters, columnsConflict=\u0027replace_source\u0027)\\n| extend DestinationMailAddress = tolower(case(\\n isnotempty(column_ifexists(\\\"ForwardTo\\\", \\\"\\\")), column_ifexists(\\\"ForwardTo\\\", \\\"\\\"),\\n isnotempty(column_ifexists(\\\"RedirectTo\\\", \\\"\\\")), column_ifexists(\\\"RedirectTo\\\", \\\"\\\"),\\n isnotempty(column_ifexists(\\\"ForwardingSmtpAddress\\\", \\\"\\\")), trim_start(@\\\"smtp:\\\", column_ifexists(\\\"ForwardingSmtpAddress\\\", \\\"\\\")),\\n \\\"\\\"))\\n| where isnotempty(DestinationMailAddress)\\n| mv-expand split(DestinationMailAddress, \\\";\\\")\\n| extend ClientIPValues = extract_all(@\u0027\\\\[?(::ffff:)?(?P\u003cIPAddress\u003e(\\\\d+\\\\.\\\\d+\\\\.\\\\d+\\\\.\\\\d+)|[^\\\\]]+)\\\\]?([-:](?P\u003cPort\u003e\\\\d+))?\u0027, dynamic([\\\"IPAddress\\\", \\\"Port\\\"]), ClientIP)[0]\\n| extend ClientIP = tostring(ClientIPValues[0]), Port = tostring(ClientIPValues[1])\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), DistinctUserCount = dcount(UserId), UserId = make_set(UserId, 250), Ports = make_set(Port, 250), EventCount = count() by tostring(DestinationMailAddress), ClientIP\\n| where DistinctUserCount \u003e 1 and EndTime \u003e ago(queryfrequency)\\n| mv-expand UserId to typeof(string)\\n| extend timestamp = StartTime, AccountCustomEntity = UserId, IPCustomEntity = ClientIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Collection\",\"Exfiltration\"],\"displayName\":\"Multiple users email forwarded to same destination\",\"description\":\"Identifies when multiple (more than one) users mailboxes are configured to forward to the same destination. \\nThis could be an attacker-controlled destination mailbox configured to collect mail from multiple compromised user accounts.\",\"lastUpdatedDateUTC\":\"2022-06-24T00:00:00Z\",\"createdDateUTC\":\"2019-08-23T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a6c435a2-b1a0-466d-b730-9f8af69262e8\",\"name\":\"a6c435a2-b1a0-466d-b730-9f8af69262e8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT20M\",\"queryPeriod\":\"PT20M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.0\",\"severity\":\"Medium\",\"query\":\"let failureCountThreshold = 10;\\nlet successCountThreshold = 1;\\n// let authenticationWindow = 20m; // Implicit in the analytic rule query period \\nimAuthentication\\n| summarize \\n StartTime = min(TimeGenerated), \\n EndTime = max(TimeGenerated), \\n IpAddresses = make_set (SrcDvcIpAddr, 100),\\n ReportedBy = make_set (strcat (EventVendor, \\\"/\\\", EventProduct), 100),\\n FailureCount = countif(EventResult==\u0027Failure\u0027),\\n SuccessCount = countif(EventResult==\u0027Success\u0027)\\n by \\n TargetUserId, TargetUsername, TargetUserType \\n| where FailureCount \u003e= failureCountThreshold and SuccessCount \u003e= successCountThreshold\\n| extend\\n IpAddresses = strcat_array(IpAddresses, \\\", \\\"), \\n ReportedBy = strcat_array(ReportedBy, \\\", \\\")\",\"customDetails\":{\"IpAddresses\":\"IpAddresses\",\"ReportedBy\":\"ReportedBy\"},\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUsername\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Brute force attack against user credentials (Uses Authentication Normalization)\",\"description\":\"Identifies evidence of brute force activity against a user based on multiple authentication failures \\nand at least one successful authentication within a given time window. Note that the query does not enforce any sequence,\\nand does not require the successful authentication to occur last.\\nThe default failure threshold is 10, success threshold is 1, and the default time window is 20 minutes.\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimAuthentication)\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2021-06-14T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bb8a3481-dd14-4e76-8dcc-bbec8776d695\",\"name\":\"bb8a3481-dd14-4e76-8dcc-bbec8776d695\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.1\",\"severity\":\"Medium\",\"query\":\"let DomainNames = dynamic([\u0027onetechcompany.com\u0027, \u0027reyweb.com\u0027, \u0027srfnetwork.org\u0027, \u0027sense4baby.fr\u0027, \u0027nikeoutletinc.org\u0027, \u0027megatoolkit.com\u0027]);\\nlet IPList = dynamic([\u0027185.225.69.69\u0027]);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or DestinationHostName in~ (DomainNames) or RequestURL has_any (DomainNames) or Message has_any (IPList)\\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", RequestURL in (DomainNames), \\\"RequestUrl\\\", \\\"NoMatch\\\") \\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, \\\"NoMatch\\\"), AccountCustomEntity = SourceUserID\\n),\\n(_Im_Dns (domain_has_any=DomainNames)\\n| extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n),\\n(_Im_Dns (response_has_any_prefix=IPList)\\n| extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n),\\n(_Im_WebSession(url_has_any=DomainNames)\\n| extend DestinationIPAddress = DstIpAddr, DNSName = tostring(parse_url(Url)[\\\"Host\\\"]), Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n),\\n(VMConnection\\n| where SourceIp in (IPList) or DestinationIp in (IPList) or RemoteDnsCanonicalNames has_any (DomainNames)\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"NoMatch\\\"), HostCustomEntity = Computer\\n),\\n(OfficeActivity\\n| where ClientIP in (IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = UserId\\n),\\n(DeviceNetworkEvents\\n| where RemoteUrl has_any (DomainNames) or RemoteIP in (IPList)\\n| extend timestamp = TimeGenerated, DNSName = RemoteUrl, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"DNSName\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"NOBELIUM - Domain and IP IOCs - March 2021\",\"description\":\"Identifies a match across various data feeds for domains and IP IOCs related to NOBELIUM.\\n References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2021-03-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f7f4a77e-f68f-4b56-9aaf-a0c9d87d7a8e\",\"name\":\"f7f4a77e-f68f-4b56-9aaf-a0c9d87d7a8e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Low\",\"query\":\"// Replace these with the username or emails of your VIP users you wish to monitor for.\\nlet vips = dynamic([\u0027vip1@email.com\u0027,\u0027vip2@email.com\u0027]);\\n// Add users who are allowed to conduct these searches - this could be specific SOC team members\\nlet allowed_users = dynamic([]);\\nLAQueryLogs\\n| where QueryText has_any (vips) or QueryText has_any (\u0027_GetWatchlist(\\\"VIPUsers\\\")\u0027, \\\"_GetWatchlist(\u0027VIPUsers\u0027)\\\")\\n| where AADEmail !in (allowed_users)\\n| project TimeGenerated, AADEmail, RequestClientApp, QueryText, ResponseRowCount, RequestTarget\\n| extend timestamp = TimeGenerated, AccountCustomEntity = AADEmail\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"RequestTarget\"}]}],\"tactics\":[\"Collection\",\"Exfiltration\"],\"displayName\":\"Users searching for VIP user activity\",\"description\":\"This query monitors for users running Log Analytics queries that contain filters\\nfor specific, defined VIP user accounts or the VIPUser watchlist template.\\nUse this detection to alert for users specifically searching for activity of sensitive users.\",\"lastUpdatedDateUTC\":\"2021-11-11T00:00:00Z\",\"createdDateUTC\":\"2020-09-16T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/62085097-d113-459f-9ea7-30216f2ee6af\",\"name\":\"62085097-d113-459f-9ea7-30216f2ee6af\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P3D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let starttime = 3d;\\nlet SecEvents = materialize ( SecurityEvent | where TimeGenerated \u003e= ago(starttime)\\n| where EventID in (4722,4723) | where TargetUserName !endswith \\\"$\\\"\\n| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetSid, SubjectAccount, SubjectUserSid);\\nlet userEnable = SecEvents\\n| extend EventID4722Time = TimeGenerated\\n// 4722: User Account Enabled\\n| where EventID == 4722\\n| project Time_Event4722 = TimeGenerated, TargetAccount, TargetSid, SubjectAccount_Event4722 = SubjectAccount, SubjectUserSid_Event4722 = SubjectUserSid, Activity_4722 = Activity, Computer_4722 = Computer;\\nlet userPwdSet = SecEvents\\n// 4723: Attempt made by user to set password\\n| where EventID == 4723\\n| project Time_Event4723 = TimeGenerated, TargetAccount, TargetSid, SubjectAccount_Event4723 = SubjectAccount, SubjectUserSid_Event4723 = SubjectUserSid, Activity_4723 = Activity, Computer_4723 = Computer;\\nuserEnable | join kind=leftouter userPwdSet on TargetAccount, TargetSid\\n| extend PasswordSetAttemptDelta_Min = datetime_diff(\u0027minute\u0027, Time_Event4723, Time_Event4722)\\n| where PasswordSetAttemptDelta_Min \u003e 2880 or isempty(PasswordSetAttemptDelta_Min)\\n| project-away TargetAccount1, TargetSid1\\n| extend Reason = @\\\"User either has not yet attempted to set the initial password after account was enabled or it occurred after 48 hours\\\"\\n| order by Time_Event4722 asc \\n| extend timestamp = Time_Event4722, AccountCustomEntity = TargetAccount, HostCustomEntity = Computer_4722\\n| project-reorder Time_Event4722, Time_Event4723, PasswordSetAttemptDelta_Min, TargetAccount, TargetSid\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"Sid\",\"columnName\":\"TargetSid\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"AD user enabled and password not set within 48 hours\",\"description\":\"Identifies when an account is enabled with a default password and the password is not set by the user within 48 hours.\\nEffectively, there is an event 4722 indicating an account was enabled and within 48 hours, no event 4723 occurs which \\nindicates there was no attempt by the user to set the password. This will show any attempts (success or fail) that occur \\nafter 48 hours, which can indicate too long of a time period in setting the password to something that only the user knows.\\nIt is recommended that this time period is adjusted per your internal company policy.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-01-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f9949656-473f-4503-bf43-a9d9890f7d08\",\"name\":\"f9949656-473f-4503-bf43-a9d9890f7d08\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.3\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n//Exclude local addresses, using the ipv4_is_private operator\\n| where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \\\"fe80\\\" and TI_ipEntity !startswith \\\"::\\\" and TI_ipEntity !startswith \\\"127.\\\"\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n AppServiceHTTPLogs | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(CIp)\\n | extend WebApp = split(_ResourceId, \u0027/\u0027)[8]\\n // renaming time column so it is clear the log this came from\\n | extend AppService_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.CIp\\n| where AppService_TimeGenerated \u003c ExpirationDateTime\\n| summarize AppService_TimeGenerated = arg_max(AppService_TimeGenerated, *) by IndicatorId, CIp\\n| project AppService_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, CsUsername, \\nWebApp = split(_ResourceId, \u0027/\u0027)[8], CIp, CsHost, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, _ResourceId\\n| extend timestamp = AppService_TimeGenerated, AccountCustomEntity = CsUsername, IPCustomEntity = CIp, URLCustomEntity = Url, HostCustomEntity = CsHost\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"_ResourceId\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to AppServiceHTTPLogs\",\"description\":\"Identifies a match in AppServiceHTTPLogs from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2022-04-26T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f8b3c49c-4087-499b-920f-0dcfaff0cbca\",\"name\":\"f8b3c49c-4087-499b-920f-0dcfaff0cbca\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"imProcessCreate\\n | where CommandLine contains \\\"TVqQAAMAAAAEAAA\\\"\\n | where isnotempty(Process)\\n | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by Dvc, ActorUsername, Process, CommandLine, ActingProcessName, EventVendor, EventProduct\\n | extend timestamp = StartTimeUtc, AccountCustomEntity = ActorUsername, HostCustomEntity = Dvc\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Execution\",\"DefenseEvasion\"],\"displayName\":\"Base64 encoded Windows process command-lines (Normalized Process Events)\",\"description\":\"Identifies instances of a base64 encoded PE file header seen in the process command line parameter.\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimProcessEvent)\",\"lastUpdatedDateUTC\":\"2022-02-14T00:00:00Z\",\"createdDateUTC\":\"2018-09-13T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c3e5dbaa-a540-408c-8b36-68bdfb3df088\",\"name\":\"c3e5dbaa-a540-408c-8b36-68bdfb3df088\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n | where EventID==4688\\n | where isnotempty(CommandLine)\\n | where CommandLine contains \\\"TVqQAAMAAAAEAAA\\\"\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"Execution\",\"DefenseEvasion\"],\"displayName\":\"NRT Base64 encoded Windows process command-lines\",\"description\":\"Identifies instances of a base64 encoded PE file header seen in the process command line parameter.\",\"lastUpdatedDateUTC\":\"2022-02-07T00:00:00Z\",\"createdDateUTC\":\"2022-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0433c8a3-9aa6-4577-beef-2ea23be41137\",\"name\":\"0433c8a3-9aa6-4577-beef-2ea23be41137\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P2D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let admin_users = (IdentityInfo\\n | where TimeGenerated \u003e ago(2d)\\n | summarize arg_max(TimeGenerated, *) by AccountUPN\\n | where AssignedRoles contains \\\"admin\\\"\\n | summarize by tolower(AccountUPN));\\n AuditLogs\\n | where Category =~ \\\"RoleManagement\\\"\\n | where OperationName has \\\"Add eligible member\\\"\\n | extend userPrincipalName = tostring(TargetResources[0].userPrincipalName)\\n | where tolower(userPrincipalName) in (admin_users)\\n | extend Group = tostring(TargetResources[0].displayName)\\n | extend AddedTo = iif(isnotempty(userPrincipalName), userPrincipalName, Group)\\n | extend mod_props = TargetResources[0].modifiedProperties\\n | extend appName = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n | extend UPN = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend AddedBy = iif(isnotempty(appName), appName, UPN)\\n | mv-expand mod_props\\n | where mod_props.displayName == \\\"Role.DisplayName\\\"\\n | extend RoleAdded = tostring(parse_json(tostring(mod_props.newValue)))\\n | project-reorder TimeGenerated, OperationName, AddedTo, RoleAdded, AddedBy\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"userPrincipalName\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddedBy\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Privileged Account Permissions Changed\",\"description\":\"Detects changes to permissions assigned to admin users. Threat actors may try and increase permission scope by adding additional roles to already privileged accounts.\\nReview any modifications to ensure they were made legitimately.\\nRef: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts\",\"lastUpdatedDateUTC\":\"2022-07-09T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"BehaviorAnalytics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/79566f41-df67-4e10-a703-c38a6213afd8\",\"name\":\"79566f41-df67-4e10-a703-c38a6213afd8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n| where OperationName has_any (\\\"Add service principal\\\", \\\"Certificates and secrets management\\\") // captures \\\"Add service principal\\\", \\\"Add service principal credentials\\\", and \\\"Update application - Certificates and secrets management\\\" events\\n| where Result =~ \\\"success\\\"\\n| mv-expand target = TargetResources\\n| where tostring(InitiatedBy.user.userPrincipalName) has \\\"@\\\" or tostring(InitiatedBy.app.displayName) has \\\"@\\\"\\n| extend targetDisplayName = tostring(TargetResources[0].displayName)\\n| extend targetId = tostring(TargetResources[0].id)\\n| extend targetType = tostring(TargetResources[0].type)\\n| extend keyEvents = TargetResources[0].modifiedProperties\\n| mv-expand keyEvents\\n| where keyEvents.displayName =~ \\\"KeyDescription\\\"\\n| extend new_value_set = parse_json(tostring(keyEvents.newValue))\\n| extend old_value_set = parse_json(tostring(keyEvents.oldValue))\\n| where old_value_set != \\\"[]\\\"\\n| extend diff = set_difference(new_value_set, old_value_set)\\n| where isnotempty(diff)\\n| parse diff with * \\\"KeyIdentifier=\\\" keyIdentifier:string \\\",KeyType=\\\" keyType:string \\\",KeyUsage=\\\" keyUsage:string \\\",DisplayName=\\\" keyDisplayName:string \\\"]\\\" *\\n| where keyUsage == \\\"Verify\\\" or keyUsage == \\\"\\\"\\n| extend UserAgent = iff(AdditionalDetails[0].key == \\\"User-Agent\\\",tostring(AdditionalDetails[0].value),\\\"\\\")\\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n// The below line is currently commented out but Microsoft Sentinel users can modify this query to show only Application or only Service Principal events in their environment\\n//| where targetType =~ \\\"Application\\\" // or targetType =~ \\\"ServicePrincipal\\\"\\n| project-away diff, new_value_set, old_value_set\\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, InitiatingIpAddress, UserAgent, targetDisplayName, targetId, targetType, keyDisplayName, keyType, keyUsage, keyIdentifier, CorrelationId, TenantId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingUserOrApp, IPCustomEntity = InitiatingIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"New access credential added to Application or Service Principal\",\"description\":\"This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where a verify KeyCredential was already present for the app.\\nIf a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2022-01-17T00:00:00Z\",\"createdDateUTC\":\"2020-11-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/66276b14-32c5-4226-88e3-080dacc31ce1\",\"name\":\"66276b14-32c5-4226-88e3-080dacc31ce1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\nlet AccountAllowList = dynamic([\u0027SYSTEM\u0027]);\\nlet SubCategoryList = dynamic([\\\"Logoff\\\", \\\"Account Lockout\\\", \\\"User Account Management\\\", \\\"Authorization Policy Change\\\"]); // Add any Category in the list to be allowed or disallowed\\nlet tokens = dynamic([\\\"clear\\\", \\\"remove\\\", \\\"success:disable\\\",\\\"failure:disable\\\"]); \\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(timeframe)\\n//| where Process =~ \\\"auditpol.exe\\\" \\n| where CommandLine has_any (tokens)\\n| where AccountType !~ \\\"Machine\\\" and Account !in~ (AccountAllowList)\\n| parse CommandLine with * \\\"/subcategory:\\\" subcategorytoken\\n| extend SubCategory = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[1]) , Toggle = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[2])\\n| where SubCategory in~ (SubCategoryList) //use in~ for inclusion or !in~ for exclusion\\n| where Toggle !in~ (\\\"/failure:disable\\\", \\\" /success:enable /failure:disable\\\") // use this filter if required to exclude certain toggles\\n| project TimeGenerated, Computer, Account, SubjectDomainName, SubjectUserName, Process, ParentProcessName, CommandLine, SubCategory, Toggle\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(\\nDeviceProcessEvents\\n| where TimeGenerated \u003e= ago(timeframe)\\n// | where InitiatingProcessFileName =~ \\\"auditpol.exe\\\" \\n| where InitiatingProcessCommandLine has_any (tokens)\\n| where AccountName !in~ (AccountAllowList)\\n| parse InitiatingProcessCommandLine with * \\\"/subcategory:\\\" subcategorytoken\\n| extend SubCategory = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[1]) , Toggle = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[2])\\n| where SubCategory in~ (SubCategoryList) //use in~ for inclusion or !in~ for exclusion\\n| where Toggle !in~ (\\\"/failure:disable\\\", \\\" /success:enable /failure:disable\\\") // use this filter if required to exclude certain toggles\\n| project TimeGenerated, DeviceName, AccountName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessParentFileName, InitiatingProcessCommandLine, SubCategory, Toggle\\n| extend timestamp = TimeGenerated, AccountCustomEntity = AccountName, HostCustomEntity = DeviceName\\n),\\n(\\nEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key=tostring([\u0027@Name\u0027]), Value=[\u0027#text\u0027]\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n// | where OriginalFileName =~ \\\"auditpol.exe\\\"\\n| where CommandLine has_any (tokens)\\n| where User !in~ (AccountAllowList)\\n| parse CommandLine with * \\\"/subcategory:\\\" subcategorytoken\\n| extend SubCategory = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[1]) , Toggle = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[2])\\n| where SubCategory in~ (SubCategoryList) //use in~ for inclusion or !in~ for exclusion\\n| where Toggle !in~ (\\\"/failure:disable\\\", \\\" /success:enable /failure:disable\\\") // use this filter if required to exclude certain toggles\\n| project TimeGenerated, Computer, User, Process, ParentImage, CommandLine, SubCategory, Toggle\\n| extend timestamp = TimeGenerated, AccountCustomEntity = User, HostCustomEntity = Computer\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"Audit policy manipulation using auditpol utility\",\"description\":\"This detects attempt to manipulate audit policies using auditpol command.\\nThis technique was seen in relation to Solorigate attack but the results can indicate potential malicious activity used in different attacks.\\nThe process name in each data source is commented out as an adversary could rename it. It is advisable to keep process name commented but \\nif the results show unrelated false positives, users may want to uncomment it.\\nRefer to auditpol syntax: https://docs.microsoft.com/windows-server/administration/windows-commands/auditpol \\nRefer to our M365 blog for details on use during the Solorigate attack:\\nhttps://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/18e6a87e-9d06-4a4e-8b59-3469cd49552d\",\"name\":\"18e6a87e-9d06-4a4e-8b59-3469cd49552d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"(union isfuzzy=true \\n(SecurityEvent \\n| where EventID == 4662 // You need to create a SACL on the ADFS Policy Store DKM group for this event to be created. \\n| where ObjectServer == \u0027DS\u0027\\n| where OperationType == \u0027Object Access\u0027\\n//| where ObjectName contains \u0027\u003cGUID of ADFS Policy Store DKM Group object\u0027 This is unique to the domain. Check description for more details.\\n| where ObjectType contains \u00275cb41ed0-0e4c-11d0-a286-00aa003049e2\u0027 // Contact Class\\n| where Properties contains \u00278d3bca50-1d7e-11d0-a081-00aa006c33ed\u0027 // Picture Attribute - Ldap-Display-Name: thumbnailPhoto\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = SubjectAccount\\n),\\n( WindowsEvent \\n| where EventID == 4662 // You need to create a SACL on the ADFS Policy Store DKM group for this event to be created. \\n| where EventData has_all(\u0027Object Access\u0027, \u00275cb41ed0-0e4c-11d0-a286-00aa003049e2\u0027,\u00278d3bca50-1d7e-11d0-a081-00aa006c33ed\u0027) \\n| extend ObjectServer = tostring(EventData.ObjectServer)\\n| where ObjectServer == \u0027DS\u0027\\n| extend OperationType = tostring(EventData.OperationType)\\n| where OperationType == \u0027Object Access\u0027\\n//| where ObjectName contains \u0027\u003cGUID of ADFS Policy Store DKM Group object\u0027 This is unique to the domain. Check description for more details.\\n| extend ObjectType = tostring(EventData.ObjectType)\\n| where ObjectType contains \u00275cb41ed0-0e4c-11d0-a286-00aa003049e2\u0027 // Contact Class\\n| extend Properties = tostring(EventData.Properties)\\n| where Properties contains \u00278d3bca50-1d7e-11d0-a081-00aa006c33ed\u0027 // Picture Attribute - Ldap-Display-Name: thumbnailPhoto\\n| extend SubjectAccount = strcat(tostring(EventData.SubjectDomainName), \\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend \\n timestamp = TimeGenerated,\\n HostCustomEntity = Computer,\\n AccountCustomEntity = SubjectAccount\\n),\\n(DeviceEvents\\n| where ActionType =~ \\\"LdapSearch\\\"\\n| where AdditionalFields.AttributeList contains \\\"thumbnailPhoto\\\"\\n| where AdditionalFields.DistinguishedName contains \\\"CN=ADFS,CN=Microsoft,CN=Program Data\\\" // Filter results to show only hits related to the ADFS AD container\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName, AccountCustomEntity = InitiatingProcessAccountName\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Collection\"],\"displayName\":\"ADFS DKM Master Key Export\",\"description\":\"Identifies an export of the ADFS DKM Master Key from Active Directory.\\nReferences: https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/, \\nhttps://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html?1\\nTo understand further the details behind this detection, please review the details in the original PR and subequent PR update to this:\\nhttps://github.com/Azure/Azure-Sentinel/pull/1562#issue-551542469\\nhttps://github.com/Azure/Azure-Sentinel/pull/1512#issue-543053339\\n\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2020-12-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceEvents\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2391ce61-8c8d-41ac-9723-d945b2e90720\",\"name\":\"2391ce61-8c8d-41ac-9723-d945b2e90720\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P8D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"Low\",\"query\":\"let starttime = 8d;\\nlet endtime = 1d;\\nlet threshold = 0.333;\\nlet countlimit = 50;\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4625 and AccountType =~ \\\"User\\\"\\n| where IpAddress !in (\\\"127.0.0.1\\\", \\\"::1\\\")\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), CountToday = count() by EventID, Account, LogonTypeName, SubStatus, AccountType, Computer, WorkstationName, IpAddress, Process\\n| join kind=leftouter (\\n SecurityEvent \\n | where TimeGenerated between (ago(starttime) .. ago(endtime))\\n | where EventID == 4625 and AccountType =~ \\\"User\\\"\\n | where IpAddress !in (\\\"127.0.0.1\\\", \\\"::1\\\")\\n | summarize CountPrev7day = count() by EventID, Account, LogonTypeName, SubStatus, AccountType, Computer, WorkstationName, IpAddress\\n) on EventID, Account, LogonTypeName, SubStatus, AccountType, Computer, WorkstationName, IpAddress\\n| where CountToday \u003e= coalesce(CountPrev7day,0)*threshold and CountToday \u003e= countlimit\\n//SubStatus Codes are detailed here - https://docs.microsoft.com/windows/security/threat-protection/auditing/event-4625\\n| extend Reason = case(\\nSubStatus =~ \u00270xC000005E\u0027, \u0027There are currently no logon servers available to service the logon request.\u0027,\\nSubStatus =~ \u00270xC0000064\u0027, \u0027User logon with misspelled or bad user account\u0027,\\nSubStatus =~ \u00270xC000006A\u0027, \u0027User logon with misspelled or bad password\u0027, \\nSubStatus =~ \u00270xC000006D\u0027, \u0027Bad user name or password\u0027,\\nSubStatus =~ \u00270xC000006E\u0027, \u0027Unknown user name or bad password\u0027,\\nSubStatus =~ \u00270xC000006F\u0027, \u0027User logon outside authorized hours\u0027,\\nSubStatus =~ \u00270xC0000070\u0027, \u0027User logon from unauthorized workstation\u0027,\\nSubStatus =~ \u00270xC0000071\u0027, \u0027User logon with expired password\u0027,\\nSubStatus =~ \u00270xC0000072\u0027, \u0027User logon to account disabled by administrator\u0027,\\nSubStatus =~ \u00270xC00000DC\u0027, \u0027Indicates the Sam Server was in the wrong state to perform the desired operation\u0027, \\nSubStatus =~ \u00270xC0000133\u0027, \u0027Clocks between DC and other computer too far out of sync\u0027,\\nSubStatus =~ \u00270xC000015B\u0027, \u0027The user has not been granted the requested logon type (aka logon right) at this machine\u0027,\\nSubStatus =~ \u00270xC000018C\u0027, \u0027The logon request failed because the trust relationship between the primary domain and the trusted domain failed\u0027,\\nSubStatus =~ \u00270xC0000192\u0027, \u0027An attempt was made to logon, but the Netlogon service was not started\u0027,\\nSubStatus =~ \u00270xC0000193\u0027, \u0027User logon with expired account\u0027,\\nSubStatus =~ \u00270xC0000224\u0027, \u0027User is required to change password at next logon\u0027,\\nSubStatus =~ \u00270xC0000225\u0027, \u0027Evidently a bug in Windows and not a risk\u0027,\\nSubStatus =~ \u00270xC0000234\u0027, \u0027User logon with account locked\u0027,\\nSubStatus =~ \u00270xC00002EE\u0027, \u0027Failure Reason: An Error occurred during Logon\u0027,\\nSubStatus =~ \u00270xC0000413\u0027, \u0027Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine\u0027,\\nstrcat(\u0027Unknown reason substatus: \u0027, SubStatus))\\n| extend WorkstationName = iff(WorkstationName == \\\"-\\\" or isempty(WorkstationName), Computer , WorkstationName) \\n| project StartTime, EndTime, EventID, Account, LogonTypeName, SubStatus, Reason, AccountType, Computer, WorkstationName, IpAddress, CountToday, CountPrev7day, Avg7Day = round(CountPrev7day*1.00/7,2), Process\\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), Computer = make_set(Computer,128), IpAddressList = make_set(IpAddress,128), sum(CountToday), sum(CountPrev7day), avg(Avg7Day) \\nby EventID, Account, LogonTypeName, SubStatus, Reason, AccountType, WorkstationName, Process\\n| order by sum_CountToday desc nulls last \\n| extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity = WorkstationName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"Process\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Excessive Windows logon failures\",\"description\":\"User has over 50 Windows logon failures today and at least 33% of the count of logon failures over the previous 7 days.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/56f3f35c-3aca-4437-a1fb-b7a84dc4af00\",\"name\":\"56f3f35c-3aca-4437-a1fb-b7a84dc4af00\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n | where EventID == 4657\\n | parse ObjectName with \\\"\\\\\\\\REGISTRY\\\\\\\\\\\" KeyPrefix \\\"\\\\\\\\\\\" RegistryKey\\n | project-reorder RegistryKey\\n | where RegistryKey has \\\"Software\\\\\\\\Classes\\\\\\\\ms-settings\\\\\\\\shell\\\\\\\\open\\\\\\\\command\\\"\\n | extend TimeKey = bin(TimeGenerated, 1h)\\n | join (\\n SecurityEvent\\n | where EventID == 4688\\n | where Process =~ \\\"fodhelper.exe\\\"\\n | where ParentProcessName endswith \\\"cmd.exe\\\" or ParentProcessName endswith \\\"powershell.exe\\\" or ParentProcessName endswith \\\"powershell_ise.exe\\\"\\n | extend TimeKey = bin(TimeGenerated, 1h)) on TimeKey, Computer\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Potential Fodhelper UAC Bypass\",\"description\":\"This detection looks for the steps required to conduct a UAC bypass using Fodhelper.exe. By default this detection looks for the setting of the required registry keys and the invoking of the process within 1 hour - this can be tweaked as required.\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-02-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4b93c5af-d20b-4236-b696-a28b8c51407f\",\"name\":\"4b93c5af-d20b-4236-b696-a28b8c51407f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1DT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\nlet spanoftime = 10m;\\nlet threshold = 0;\\n (union isfuzzy=true\\n (SecurityEvent\\n| where TimeGenerated \u003e ago(timeframe+spanoftime)\\n// A user account was created\\n| where EventID == 4720\\n| where AccountType =~ \\\"User\\\"\\n| project creationTime = TimeGenerated, CreateEventID = EventID, CreateActivity = Activity, Computer, TargetUserName, UserPrincipalName, \\nAccountUsedToCreate = SubjectAccount, SIDofAccountUsedToCreate = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid\\n),\\n(\\nWindowsEvent\\n| where TimeGenerated \u003e ago(timeframe+spanoftime)\\n// A user account was created\\n| where EventID == 4720\\n| extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| extend AccountType=case(EventData.SubjectUserName endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n| where AccountType =~ \\\"User\\\"\\n| extend SubjectAccount = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| extend TargetSid = tostring(EventData.TargetSid)\\n| extend UserPrincipalName = tostring(EventData.UserPrincipalName)\\n| extend Activity = \\\"4720 - A user account was created.\\\"\\n| extend TargetUserName = tostring(EventData.TargetUserName) \\n| project creationTime = TimeGenerated, CreateEventID = EventID, CreateActivity = Activity, Computer, TargetUserName, UserPrincipalName, \\nAccountUsedToCreate = SubjectAccount, SIDofAccountUsedToCreate = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid \\n))\\n| join kind= inner (\\n (union isfuzzy=true\\n (SecurityEvent\\n | where TimeGenerated \u003e ago(timeframe)\\n // A user account was deleted\\n | where EventID == 4726\\n| where AccountType == \\\"User\\\"\\n| project deletionTime = TimeGenerated, DeleteEventID = EventID, DeleteActivity = Activity, Computer, TargetUserName, UserPrincipalName, \\nAccountUsedToDelete = SubjectAccount, SIDofAccountUsedToDelete = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid\\n),\\n(WindowsEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n // A user account was deleted\\n| where EventID == 4726\\n| extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| extend SubjectAccount = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend AccountType=case(SubjectAccount endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n| where AccountType == \\\"User\\\"\\n| extend TargetSid = tostring(EventData.TargetSid)\\n| extend UserPrincipalName = tostring(EventData.UserPrincipalName)\\n| extend Activity = \\\"4726 - A user account was deleted.\\\"\\n| extend TargetUserName = tostring(EventData.TargetUserName) \\n| extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| project deletionTime = TimeGenerated, DeleteEventID = EventID, DeleteActivity = Activity, Computer, TargetUserName, UserPrincipalName, AccountUsedToDelete = SubjectAccount, SIDofAccountUsedToDelete = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid))\\n) on Computer, TargetAccount\\n| where deletionTime - creationTime \u003c spanoftime\\n| extend TimeDelta = deletionTime - creationTime\\n| where tolong(TimeDelta) \u003e= threshold\\n| project TimeDelta, creationTime, CreateEventID, CreateActivity, Computer, TargetAccount, TargetSid, UserPrincipalName, AccountUsedToCreate, SIDofAccountUsedToCreate,\\ndeletionTime, DeleteEventID, DeleteActivity, AccountUsedToDelete, SIDofAccountUsedToDelete\\n| extend timestamp = creationTime, AccountCustomEntity = AccountUsedToCreate, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"Sid\",\"columnName\":\"SIDofAccountUsedToCreate\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"User account created and deleted within 10 mins\",\"description\":\"Identifies when a user account is created and then deleted within 10 minutes. This can be an indication of compromise and\\nan adversary attempting to hide in the noise.\",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2019-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d7feb859-f03e-4e8d-8b21-617be0213b13\",\"name\":\"d7feb859-f03e-4e8d-8b21-617be0213b13\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let admin_users = (IdentityInfo\\n | summarize arg_max(TimeGenerated, *) by AccountUPN\\n | where AssignedRoles contains \\\"admin\\\"\\n | summarize by tolower(AccountUPN));\\n AuditLogs\\n | where OperationName =~ \\\"Admin registered security info\\\"\\n | where ResultReason =~ \\\"Admin registered temporary access pass method for user\\\"\\n | extend userPrincipalName = tostring(TargetResources[0].userPrincipalName)\\n | where tolower(userPrincipalName) in (admin_users)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"userPrincipalName\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Addition of a Temporary Access Pass to a Privileged Account\",\"description\":\"Detects when a Temporary Access Pass (TAP) is created for a Privileged Account.\\n A Temporary Access Pass is a time-limited passcode issued by an admin that satisfies strong authentication requirements and can be used to onboard other authentication methods, including Passwordless ones such as Microsoft Authenticator or even Windows Hello.\\n A threat actor could use a TAP to register a new authentication method to maintain persistance to an account.\\n Review any TAP creations to ensure they were used legitimately.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"BehaviorAnalytics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1399664f-9434-497c-9cde-42e4d74ae20e\",\"name\":\"1399664f-9434-497c-9cde-42e4d74ae20e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"SecurityAlert \\n| where AlertName == \\\"Impossible travel activity\\\"\\n| extend Extprop = parsejson(Entities)\\n| mv-expand Extprop\\n| extend Extprop = parsejson(Extprop)\\n| extend CmdLine = iff(Extprop[\u0027Type\u0027]==\\\"process\\\", Extprop[\u0027CommandLine\u0027], \u0027\u0027)\\n| extend File = iff(Extprop[\u0027Type\u0027]==\\\"file\\\", Extprop[\u0027Name\u0027], \u0027\u0027)\\n| extend Account = Extprop[\u0027Name\u0027]\\n| extend Domain = Extprop[\u0027UPNSuffix\u0027]\\n| extend Account = iif(isnotempty(Domain) and Extprop[\u0027Type\u0027]==\\\"account\\\", tolower(strcat(Account, \\\"@\\\", Domain)), iif(Extprop[\u0027Type\u0027]==\\\"account\\\", tolower(Account), \\\"\\\"))\\n| extend IpAddress = iff(Extprop[\\\"Type\\\"] == \\\"ip\\\",Extprop[\u0027Address\u0027], \u0027\u0027)\\n| extend Process = iff(isnotempty(CmdLine), CmdLine, File)\\n| project TimeGenerated,Account,IpAddress,CompromisedEntity,Description,ProviderName,ResourceId\\n| join kind=inner\\n(\\nOfficeActivity\\n| where Operation =~ \\\"Add-MailboxPermission\\\"\\n| extend value = tostring(parse_json(Parameters)[3].Value)\\n| where value contains \\\"FullAccess\\\"\\n| where ResultStatus == \\\"True\\\"\\n| project Parameters,TimeGenerated,value,RecordType,Operation,OrganizationId,UserType,UserKey,OfficeWorkload,ResultStatus,OfficeObjectId,UserId,ClientIP,ExternalAccess,OriginatingServer,OrganizationName,TenantId,ElevationTime,SourceSystem,OfficeId,OfficeTenantId,Type,SourceRecordId\\n) on $left.Account == $right.UserId\\n| join kind=inner\\n(\\nAuditLogs\\n| where ActivityDisplayName =~ \\\"Add eligible member to role in PIM requested (timebound)\\\"\\n| where AADOperationType =~ \\\"CreateRequestEligibleRole\\\"\\n| where TargetResources has_any (\\\"-PRIV\\\", \\\"Administrator\\\", \\\"Security\\\")\\n| extend BuiltinRole = tostring(parse_json(TargetResources[0].displayName))\\n| extend CustomGroup = tostring(parse_json(TargetResources[3].displayName))\\n| extend TargetAccount = tostring(parse_json(TargetResources[2].displayName))\\n| extend Initiatedby = Identity\\n| project TimeGenerated, ActivityDisplayName, AADOperationType, Initiatedby, TargetAccount, BuiltinRole, CustomGroup, LoggedByService, Result, ResourceId, Id\\n| sort by TimeGenerated desc\\n) on $left.UserId == $right.Initiatedby\\n| project AADOperationType, ActivityDisplayName,AccountCustomEntity=Initiatedby, Id,ResourceId,IPCustomEntity=IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"PrivilegeEscalation\"],\"displayName\":\"Detecting Impossible travel with mailbox permission tampering \u0026 Privilege Escalation attempt\",\"description\":\"This hunting query will alert on any Impossible travel activity in correlation with mailbox permission tampering followed by account being added to a PIM managed privileged group.\\nEnsure this impossible travel incident with increase of privileges is legitimate in your environment.\",\"lastUpdatedDateUTC\":\"2022-02-09T00:00:00Z\",\"createdDateUTC\":\"2022-02-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert (ASC)\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4f19d4e3-ec5f-4abc-9e61-819eb131758c\",\"name\":\"4f19d4e3-ec5f-4abc-9e61-819eb131758c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let EventNameList = dynamic([ \\\"AuthorizeSecurityGroupEgress\\\", \\\"AuthorizeSecurityGroupIngress\\\", \\\"RevokeSecurityGroupEgress\\\", \\\"RevokeSecurityGroupIngress\\\"]);\\nAWSCloudTrail\\n| where EventName in~ (EventNameList)\\n| extend User = iif(isnotempty(UserIdentityUserName), UserIdentityUserName, SessionIssuerUserName)\\n| summarize EventCount=count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) \\nby EventSource, EventName, UserIdentityType, User, SourceIpAddress, UserAgent, SessionMfaAuthenticated, AWSRegion, \\nAdditionalEventData, UserIdentityAccountId, UserIdentityPrincipalid, ResponseElements\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User , IPCustomEntity = SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Changes to AWS Security Group ingress and egress settings\",\"description\":\"A Security Group acts as a virtual firewall of an instance to control inbound and outbound traffic. \\n Hence, ingress and egress settings changes to AWS Security Group should be monitored as these can expose the enviornment to new attack vectors.\\nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0914adab-90b5-47a3-a79f-7cdcac843aa7\",\"name\":\"0914adab-90b5-47a3-a79f-7cdcac843aa7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Low\",\"query\":\"let starttime = 14d;\\nlet timeframe = 1d;\\nlet scorethreshold = 3;\\nlet baselinethreshold = 5;\\n// To avoid any False Positives, filtering using AppId is recommended. For example the AppId 509e4652-da8d-478d-a730-e9d4a1996ca4 has been added in the query as it corresponds \\n// to Azure Resource Graph performing VaultGet operations for indexing and syncing all tracked resources across Azure.\\nlet Allowedappid = dynamic([\\\"509e4652-da8d-478d-a730-e9d4a1996ca4\\\"]);\\nlet OperationList = dynamic(\\n[\\\"SecretGet\\\", \\\"KeyGet\\\", \\\"VaultGet\\\"]);\\nlet TimeSeriesData = AzureDiagnostics\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(now()))\\n| where not((identity_claim_appid_g in (Allowedappid)) and OperationName == \u0027VaultGet\u0027)\\n| extend ResultType = columnifexists(\\\"ResultType\\\", \\\"None\\\"), CallerIPAddress = columnifexists(\\\"CallerIPAddress\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where CallerIPAddress !~ \\\"None\\\" and isnotempty(CallerIPAddress)\\n| where ResourceType =~ \\\"VAULTS\\\" and ResultType =~ \\\"Success\\\"\\n| where OperationName in (OperationList)\\n| project TimeGenerated, OperationName, Resource, CallerIPAddress\\n| make-series HourlyCount=count() on TimeGenerated from startofday(ago(starttime)) to startofday(now()) step timeframe by Resource;\\n//Filter anomolies against TimeSeriesData\\nlet TimeSeriesAlerts = TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(HourlyCount, scorethreshold, -1, \u0027linefit\u0027)\\n| mv-expand HourlyCount to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double),score to typeof(double), baseline to typeof(long)\\n| where anomalies \u003e 0 | extend AnomalyHour = TimeGenerated\\n| where baseline \u003e baselinethreshold // Filtering low count events per baselinethreshold\\n| project Resource, AnomalyHour, TimeGenerated, HourlyCount, baseline, anomalies, score;\\nlet AnomalyHours = TimeSeriesAlerts | where TimeGenerated \u003e ago(2d) | project TimeGenerated;\\n// Filter the alerts since specified timeframe\\nTimeSeriesAlerts\\n| where TimeGenerated \u003e ago(2d)\\n// Join against base logs since specified timeframe to retrive records associated with the hour of anomoly\\n| join (\\nAzureDiagnostics\\n| where TimeGenerated \u003e ago(timeframe)\\n| where not((identity_claim_appid_g in (Allowedappid)) and OperationName == \u0027VaultGet\u0027)\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n| extend ResultType = columnifexists(\\\"ResultType\\\", \\\"NoResultType\\\")\\n| extend requestUri_s = columnifexists(\\\"requestUri_s\\\", \\\"None\\\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"None\\\")\\n| extend id_s = columnifexists(\\\"id_s\\\", \\\"None\\\"), CallerIPAddress = columnifexists(\\\"CallerIPAddress\\\", \\\"None\\\"), clientInfo_s = columnifexists(\\\"clientInfo_s\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \\\"None\\\" and isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\\n| where id_s !~ \\\"None\\\" and isnotempty(id_s)\\n| where CallerIPAddress !~ \\\"None\\\" and isnotempty(CallerIPAddress)\\n| where clientInfo_s !~ \\\"None\\\" and isnotempty(clientInfo_s)\\n| where requestUri_s !~ \\\"None\\\" and isnotempty(requestUri_s)\\n| where ResourceType =~ \\\"VAULTS\\\" and ResultType =~ \\\"Success\\\"\\n| where OperationName in (OperationList)\\n| summarize PerOperationCount=count(), LatestAnomalyTime = arg_max(TimeGenerated,*) by bin(TimeGenerated,1h), Resource, OperationName, id_s, CallerIPAddress, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, requestUri_s, clientInfo_s\\n) on Resource, TimeGenerated\\n| summarize EventCount=count(), OperationNameList = make_set(OperationName), RequestURLList = make_set(requestUri_s, 100), AccountList = make_set(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, 100), AccountMax = arg_max(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g,*) by Resource, id_s, clientInfo_s, LatestAnomalyTime\\n| extend timestamp = LatestAnomalyTime, IPCustomEntity = CallerIPAddress, AccountCustomEntity = AccountMax\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Azure Key Vault access TimeSeries anomaly\",\"description\":\"Indentifies a sudden increase in count of Azure Key Vault secret or vault access operations by CallerIPAddress. The query leverages a built-in KQL anomaly detection algorithm\\nto find large deviations from baseline Azure Key Vault access patterns. Any sudden increase in the count of Azure Key Vault accesses can be an\\nindication of adversary dumping credentials via automated methods. If you are seeing any noise, try filtering known source(IP/Account) and user-agent combinations.\\nTimeSeries Reference Blog: https://techcommunity.microsoft.com/t5/azure-sentinel/looking-for-unknown-anomalies-what-is-normal-time-series/ba-p/555052\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2019-07-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureKeyVault\",\"dataTypes\":[\"KeyVaultData\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6a2e2ff4-5568-475e-bef2-b95f12b9367b\",\"name\":\"6a2e2ff4-5568-475e-bef2-b95f12b9367b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let FailureThreshold = 15;\\nimAuthentication\\n| where EventType== \u0027Logon\u0027 and EventResult== \u0027Failure\u0027\\n// reason: creds \\n| where EventResultDetails in (\u0027No such user or password\u0027, \u0027Incorrect password\u0027)\\n| summarize UserCount=dcount(TargetUserId), Vendors=make_set(EventVendor), Products=make_set(EventVendor)\\n , Users = make_set(TargetUserId,100) \\n by SrcDvcIpAddr, SrcGeoCountry, bin(TimeGenerated, 5m)\\n| where UserCount \u003e FailureThreshold\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcDvcIpAddr\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Potential Password Spray Attack (Uses Authentication Normalization)\",\"description\":\"This query searches for failed attempts to log in from more than 15 various users within a 5 minute timeframe from the same source. This is a potential indication of a password spray attack\\n To use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimAuthentication)\",\"lastUpdatedDateUTC\":\"2022-02-14T00:00:00Z\",\"createdDateUTC\":\"2021-06-14T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a5b3429d-f1da-42b9-883c-327ecb7b91ff\",\"name\":\"a5b3429d-f1da-42b9-883c-327ecb7b91ff\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"SecurityAlert \\n| where AlertName == \\\"Sign-in from an infected device\\\"\\n| extend Extprop = parsejson(Entities)\\n| mv-expand Extprop\\n| extend Extprop = parsejson(Extprop)\\n| extend CmdLine = iff(Extprop[\u0027Type\u0027]==\\\"process\\\", Extprop[\u0027CommandLine\u0027], \u0027\u0027)\\n| extend File = iff(Extprop[\u0027Type\u0027]==\\\"file\\\", Extprop[\u0027Name\u0027], \u0027\u0027)\\n| extend Account = Extprop[\u0027Name\u0027]\\n| extend Domain = Extprop[\u0027UPNSuffix\u0027]\\n| extend Account = iif(isnotempty(Domain) and Extprop[\u0027Type\u0027]==\\\"account\\\", tolower(strcat(Account, \\\"@\\\", Domain)), iif(Extprop[\u0027Type\u0027]==\\\"account\\\", tolower(Account), \\\"\\\"))\\n| extend IpAddress = iff(Extprop[\\\"Type\\\"] == \\\"ip\\\",Extprop[\u0027Address\u0027], \u0027\u0027)\\n| extend Process = iff(isnotempty(CmdLine), CmdLine, File)\\n| summarize count() by AlertName, AlertSeverity, CompromisedEntity, Account, IpAddress\\n| join kind=inner \\n(\\nAzureActivity\\n| where OperationNameValue hassuffix (\\\"/workspaces/computes/delete\\\")\\n| where ActivityStatusValue =~ \\\"Succeeded\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = makelist(TimeGenerated), ActivityStatusValue = makelist(ActivityStatusValue), OperationIds = makelist(OperationId), CorrelationIds = makelist(CorrelationId), Resources = makelist(Resource), ResourceGroups = makelist(ResourceGroup), ResourceIds = makelist(ResourceId), ActivityCountByCallerIPAddress = count() \\nby CallerIpAddress, Caller, OperationNameValue\\n) on $left. IpAddress == $right. CallerIpAddress\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"Impact\"],\"displayName\":\"Workspace deletion attempt from an infected device\",\"description\":\"This hunting query will alert on any sign-ins from devices infected with malware in correlation with potential workspace deletion activity. \\nAttackers may attempt to delete workspaces containing compute instances after successful compromise to cause service unavailability to regular business operation.\",\"lastUpdatedDateUTC\":\"2022-04-11T00:00:00Z\",\"createdDateUTC\":\"2022-04-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectoryIdentityProtection\",\"dataTypes\":[\"SecurityAlert (IPC)\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8e267e91-6bda-4b3c-bf68-9f5cbdd103a3\",\"name\":\"8e267e91-6bda-4b3c-bf68-9f5cbdd103a3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"ZoomLogs\\n| where Event =~ \\\"account.settings_updated\\\" \\n| extend EnforceLogin = columnifexists(\\\"payload_object_settings_schedule_meeting_enfore_login_b\\\", \\\"\\\") \\n| extend EnforceLoginDomain = columnifexists(\\\"payload_object_settings_schedule_meeting_enfore_login_b\\\", \\\"\\\") \\n| extend GuestAlerts = columnifexists(\\\"payload_object_settings_in_meeting_alert_guest_join_b\\\", \\\"\\\") \\n| where EnforceLogin == \u0027false\u0027 or EnforceLoginDomain == \u0027false\u0027 or GuestAlerts == \u0027false\u0027 \\n| extend SettingChanged = case(EnforceLogin == \u0027false\u0027 and EnforceLoginDomain == \u0027false\u0027 and GuestAlerts == \u0027false\u0027, \\\"All settings changed\\\", \\n EnforceLogin == \u0027false\u0027 and EnforceLoginDomain == \u0027false\u0027, \\\"Enforced Logons and Restricted Domains Changed\\\", \\n EnforceLoginDomain == \u0027false\u0027 and GuestAlerts == \u0027false\u0027, \\\"Enforced Domains Changed\\\", \\n EnforceLoginDomain == \u0027false\u0027, \\\"Enfored Domains Changed\\\", \\n GuestAlerts == \u0027false\u0027, \\\"Guest Join Alerts Changed\\\", \\n EnforceLogin == \u0027false\u0027, \\\"Enforced Logins Changed\\\", \\n \\\"No Changes\\\")\\n| extend timestamp = TimeGenerated, AccountCustomEntity = User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\",\"Persistence\"],\"displayName\":\"External User Access Enabled\",\"description\":\"This alerts when the account setting is changed to allow either external domain access or anonymous access to meetings.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2020-04-24T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/56b0a0cd-894e-4b38-a0a1-c41d9f96649a\",\"name\":\"56b0a0cd-894e-4b38-a0a1-c41d9f96649a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"let lbtime = 1h;\\nlet tls_ciphers = dynamic([\u0027RC4-SHA\u0027, \u0027DES-CBC3-SHA\u0027]);\\nProofpointPOD\\n| where EventType == \u0027message\u0027\\n| where TlsCipher in (tls_ciphers)\\n| extend IpCustomEntity = SrcIpAddr\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"ProofpointPOD - Weak ciphers\",\"description\":\"Detects when weak TLS ciphers are used.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/87890d78-3e05-43ec-9ab9-ba32f4e01250\",\"name\":\"87890d78-3e05-43ec-9ab9-ba32f4e01250\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.3\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation\\nlet list_tlds = ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e ago(ioc_lookBack)\\n| where isnotempty(DomainName)\\n| extend parts = split(DomainName, \u0027.\u0027)\\n| extend tld = parts[(array_length(parts)-1)]\\n| summarize count() by tostring(tld)\\n| summarize make_list(tld);\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(DomainName)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n SecurityAlert\\n | where TimeGenerated \u003e ago(dt_lookBack)\\n | extend MSTI = case(AlertName has \\\"TI map\\\" and VendorName == \\\"Microsoft\\\" and ProductName == \u0027Azure Sentinel\u0027, true, false)\\n | where MSTI == false\\n //Extract domain patterns from message\\n | extend domain = todynamic(dynamic_to_json(extract_all(@\\\"(((xn--)?[a-z0-9\\\\-]+\\\\.)+([a-z]+|(xn--[a-z0-9]+)))\\\", dynamic([1]), tolower(Entities))))\\n | mv-expand domain\\n | extend domain = tostring(domain[0])\\n | extend parts = split(domain, \u0027.\u0027)\\n //Split out the TLD\\n | extend tld = parts[(array_length(parts)-1)]\\n //Validate parsed domain by checking if the TLD is in the list of TLDs in our threat feed\\n | where tld in~ (list_tlds)\\n // Converting Entities into dynamic data type and use mv-expand to unpack the array\\n | extend EntitiesDynamicArray = parse_json(Entities)\\n | mv-apply EntitiesDynamicArray on\\n (summarize\\n HostName = take_anyif(tostring(EntitiesDynamicArray.HostName), EntitiesDynamicArray.Type == \\\"host\\\"),\\n IP_addr = take_anyif(tostring(EntitiesDynamicArray.Address), EntitiesDynamicArray.Type == \\\"ip\\\")\\n )\\n | extend Alert_TimeGenerated = TimeGenerated\\n | extend Alert_Description = Description\\n) on $left.DomainName==$right.domain\\n| where Alert_TimeGenerated \u003c ExpirationDateTime\\n| summarize Alert_TimeGenerated = arg_max(Alert_TimeGenerated, *) by IndicatorId, AlertName\\n| project Alert_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DomainName, AlertName, Alert_Description, ProviderName, AlertSeverity, ConfidenceLevel, HostName, IP_addr, Url, Entities\\n| extend timestamp = Alert_TimeGenerated, HostCustomEntity = HostName, IPCustomEntity = IP_addr, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map Domain entity to SecurityAlert\",\"description\":\"Identifies a match in SecurityAlert table from any Domain IOC from TI\",\"lastUpdatedDateUTC\":\"2022-01-17T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"MicrosoftCloudAppSecurity\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/88f453ff-7b9e-45bb-8c12-4058ca5e44ee\",\"name\":\"88f453ff-7b9e-45bb-8c12-4058ca5e44ee\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AzureActivity\\n| where CategoryValue == \u0027Administrative\u0027\\n| where ResourceProviderValue =~ \u0027Microsoft.ADHybridHealthService\u0027\\n| where _ResourceId contains \u0027AdFederationService\u0027\\n| where OperationNameValue =~ \u0027Microsoft.ADHybridHealthService/services/servicemembers/action\u0027\\n| extend claimsJson = parse_json(Claims)\\n| extend AppId = tostring(claimsJson.appid)\\n| extend AccountName = tostring(claimsJson.name)\\n| project-away claimsJson\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure Active Directory Hybrid Health AD FS New Server\",\"description\":\"This detection uses AzureActivity logs (Administrative category) to identify the creation or update of a server instance in an Azure AD Hybrid health AD FS service.\\nA threat actor can create a new AD Health ADFS service and create a fake server instance to spoof AD FS signing logs. There is no need to compromise an on-prem AD FS server.\\nThis can be done programmatically via HTTP requests to Azure. More information in this blog: https://o365blog.com/post/hybridhealthagent/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-08-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e1ce0eab-10d1-4aae-863f-9a383345ba88\",\"name\":\"e1ce0eab-10d1-4aae-863f-9a383345ba88\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let threshold = 15;\\nSyslog\\n| where SyslogMessage contains \\\"Failed password for invalid user\\\"\\n| where ProcessName =~ \\\"sshd\\\" \\n| parse kind=relaxed SyslogMessage with * \\\"invalid user\\\" user \\\" from \\\" ip \\\" port\\\" port \\\" ssh2\\\"\\n| project user, ip, port, SyslogMessage, EventTime\\n| summarize EventTimes = make_list(EventTime), PerHourCount = count() by ip, bin(EventTime, 4h), user\\n| where PerHourCount \u003e threshold\\n| mvexpand EventTimes\\n| extend EventTimes = tostring(EventTimes) \\n| summarize StartTimeUtc = min(EventTimes), EndTimeUtc = max(EventTimes), UserList = makeset(user), sum(PerHourCount) by IPAddress = ip\\n| extend UserList = tostring(UserList) \\n| extend timestamp = StartTimeUtc, IPCustomEntity = IPAddress, AccountCustomEntity = UserList\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"SSH - Potential Brute Force\",\"description\":\"Identifies an IP address that had 15 failed attempts to sign in via SSH in a 4 hour block during a 24 hour time period.\",\"lastUpdatedDateUTC\":\"2022-05-31T00:00:00Z\",\"createdDateUTC\":\"2019-02-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/55073036-bb86-47d3-a85a-b113ac3d9396\",\"name\":\"55073036-bb86-47d3-a85a-b113ac3d9396\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let admins=(IdentityInfo\\n | where AssignedRoles contains \\\"admin\\\"\\n | summarize by tolower(AccountUPN));\\n let known_asns = (\\n SigninLogs\\n | where TimeGenerated between(ago(14d)..ago(1d))\\n | where ResultType == 0\\n | summarize by AutonomousSystemNumber);\\n SigninLogs\\n | where TimeGenerated \u003e ago(1d)\\n | where ResultType == 0\\n | where tolower(UserPrincipalName) in (admins)\\n | where AutonomousSystemNumber !in (known_asns)\\n | project-reorder TimeGenerated, UserPrincipalName, UserAgent, IpAddress, AutonomousSystemNumber\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"UserPrincipalName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Privileged User Logon from new ASN\",\"description\":\"Detects a successful logon by a privileged account from an ASN not logged in from in the last 14 days.\\n Monitor these logons to ensure they are legitimate and identify if there are any similar sign ins.\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"BehaviorAnalytics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a7b9df32-1367-402d-b385-882daf6e3020\",\"name\":\"a7b9df32-1367-402d-b385-882daf6e3020\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"Event\\n| where EventLog == \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID==10\\n| parse EventData with * \u0027TargetImage\\\"\u003e\u0027 TargetImage \\\"\u003c\\\" * \u0027GrantedAccess\\\"\u003e\u0027 GrantedAccess \\\"\u003c\\\" * \u0027CallTrace\\\"\u003e\u0027 CallTrace \\\"\u003c\\\" * \\n| where GrantedAccess == \\\"0x1FFFFF\\\" and TargetImage == \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\lsass.exe\\\" and CallTrace has_any (\\\"dbghelp.dll\\\",\\\"dbgcore.dll\\\")\\n| parse EventData with * \u0027SourceProcessGUID\\\"\u003e\u0027 SourceProcessGUID \\\"\u003c\\\" * \u0027SourceImage\\\"\u003e\u0027 SourceImage \\\"\u003c\\\" *\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, SourceProcessGUID, SourceImage, GrantedAccess, TargetImage, CallTrace\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"SourceImage\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Dumping LSASS Process Into a File\",\"description\":\"Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). \\nAfter a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. \\nThese credential materials can be harvested by an administrative user or SYSTEM and used to conduct Lateral Movement using Use Alternate Authentication Material. \\nAs well as in-memory techniques, the LSASS process memory can be dumped from the target host and analyzed on a local system.\\nRef: https://attack.mitre.org/techniques/T1003/001/\",\"lastUpdatedDateUTC\":\"2022-03-11T00:00:00Z\",\"createdDateUTC\":\"2022-03-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/94749332-1ad9-49dd-a5ab-5ff2170788fc\",\"name\":\"94749332-1ad9-49dd-a5ab-5ff2170788fc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/SOURGUM.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet domains = (iocs | where Type =~ \\\"domainname\\\"| project IoC);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\nlet file_path1 = (iocs | where Type =~ \\\"filepath1\\\" | project IoC);\\nlet file_path2 = (iocs | where Type =~ \\\"filepath2\\\" | project IoC);\\nlet file_path3 = (iocs | where Type =~ \\\"filepath3\\\" | project IoC);\\nlet reg_key = (iocs | where Type =~ \\\"regkey\\\" | project IoC);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where DestinationHostName has_any (domains) or RequestURL has_any (domains) or Message has_any (domains)\\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 *\\n| project TimeGenerated, Message, SourceUserID, RequestURL, DestinationHostName, Type, SourceIP, DestinationIP, DNSName\\n| extend Alert = \u0027SOURGUM IOC detected\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SourceUserID, UrlCustomEntity = RequestURL , IPCustomEntity = DestinationIP, DNSCustomEntity = DNSName\\n),\\n(DnsEvents\\n| where Name in~ (domains)\\n| project TimeGenerated, Computer, IPAddresses, Name, ClientIP, Type\\n| extend DNSName = Name, Host = Computer , Alert = \u0027SOURGUM IOC detected\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Host, DNSCustomEntity = DNSName, IPCustomEntity = IPAddresses\\n),\\n(VMConnection\\n| where RemoteDnsCanonicalNames has_any (domains)\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| project TimeGenerated, Computer, Direction, RemoteDnsCanonicalNames, ProcessName, SourceIp, DestinationIp, DestinationPort, DNSName,BytesSent, BytesReceived, RemoteCountry, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIp, HostCustomEntity = Computer, ProcessCustomEntity = ProcessName, DNSCustomEntity = DNSName, Alert = \u0027SOURGUM IOC detected\u0027\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = tostring(EventDetail.[9].[\\\"#text\\\"]), DestinationIP = tostring(EventDetail.[14].[\\\"#text\\\"]), Image = EventDetail.[4].[\\\"#text\\\"]\\n| where Image has_any (file_path1) or Image has_any (file_path3)\\n| project TimeGenerated, SourceIP, DestinationIP, Image, UserName, Computer, EventDetail, Type\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), HostCustomEntity = Computer , IPCustomEntity = DestinationIP, Alert = \u0027SOURGUM IOC detected\u0027\\n), \\n(DeviceNetworkEvents\\n| where (RemoteUrl has_any (domains)) or (InitiatingProcessSHA256 in (sha256Hashes) and InitiatingProcessFolderPath has_any (file_path1)) or InitiatingProcessFolderPath has_any (file_path3)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, LocalIP, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName, Alert = \u0027SOURGUM IOC detected\u0027, UrlCustomEntity =RemoteUrl\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| project TimeGenerated,Resource, msg_s, Type\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where Request_Name has_any (domains)\\n| extend timestamp = TimeGenerated, DNSName = Request_Name, IPCustomEntity = ClientIP, Alert = \u0027SOURGUM IOC detected\u0027\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| project TimeGenerated,Resource, msg_s\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where DestinationHost has_any (domains) \\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost, Alert = \u0027SOURGUM IOC detected\u0027\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| parse EventDetail with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| extend Image = EventDetail.[4].[\\\"#text\\\"], CommandLine = EventDetail.[10].[\\\"#text\\\"]\\n| where (SHA256 has_any (sha256Hashes) and Image has_any (file_path1)) or (Image has_any (file_path3)) or ( CommandLine has_any (file_path3)) or ( CommandLine has_any (file_path1)) or ( CommandLine has \u0027reg add\u0027 and CommandLine has_any (reg_key) and CommandLine has_any (file_path2)) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256, CommandLine, Image\\n| extend Type = strcat(Type, \\\": \\\", Source), Alert = \u0027SOURGUM IOC detected\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = SHA256\\n),\\n(DeviceRegistryEvents\\n| where RegistryKey has_any (reg_key) and RegistryValueData has_any (file_path2)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type \\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, Alert = \u0027SOURGUM IOC detected\u0027\\n),\\n(DeviceProcessEvents\\n| where ( InitiatingProcessCommandLine has_any (file_path1)) or ( InitiatingProcessCommandLine has_any (file_path3)) or ( InitiatingProcessCommandLine has \u0027reg add\u0027 and InitiatingProcessCommandLine has_any (reg_key) and InitiatingProcessCommandLine has_any (file_path2)) or (InitiatingProcessFolderPath has_any (file_path1)) or (InitiatingProcessFolderPath has_any (file_path3)) or (FolderPath has_any (file_path1)) or (FolderPath has_any (file_path3))\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, FolderPath, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, Alert = \u0027SOURGUM IOC detected\u0027\\n),\\n(DeviceFileEvents\\n| where (InitiatingProcessSHA256 has_any (sha256Hashes) and InitiatingProcessFolderPath has_any (file_path1)) or (InitiatingProcessFolderPath has_any (file_path3)) or (FolderPath has_any (file_path1)) or (FolderPath has_any (file_path3)) or ( InitiatingProcessCommandLine has_any (file_path1)) or ( InitiatingProcessCommandLine has_any (file_path3))\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RequestAccountName, RequestSourceIP, InitiatingProcessSHA256, FolderPath, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = RequestAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, Alert = \u0027SOURGUM IOC detected\u0027\\n),\\n(DeviceEvents\\n| where ( InitiatingProcessCommandLine has_any (file_path1)) or ( InitiatingProcessCommandLine has_any (file_path3)) or ( InitiatingProcessCommandLine has \u0027reg add\u0027 and InitiatingProcessCommandLine has_any (reg_key) and InitiatingProcessCommandLine has_any (file_path2)) or (InitiatingProcessFolderPath has_any (file_path1)) or (InitiatingProcessFolderPath has_any (file_path3)) or (FolderPath has_any (file_path1)) or (FolderPath has_any (file_path3))\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, FolderPath, Type\\n| extend CommandLine = InitiatingProcessCommandLine, Alert = \u0027SOURGUM IOC detected\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256\\n),\\n( SecurityEvent\\n| where EventID == 4688\\n| where ( CommandLine has_any (file_path1)) or ( CommandLine has_any (file_path3)) or ( CommandLine has \u0027reg add\u0027 and CommandLine has_any (reg_key) and CommandLine has_any (file_path2)) or (NewProcessName has_any (file_path1)) or (NewProcessName has_any (file_path3)) or (ParentProcessName has_any (file_path1)) or (ParentProcessName has_any (file_path3))\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, Alert = \u0027SOURGUM IOC detected\u0027\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"SOURGUM Actor IOC - July 2021\",\"description\":\"Identifies a match across IOC\u0027s related to an actor tracked by Microsoft as SOURGUM\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-07-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceRegistryEvents\",\"DeviceFileEvents\",\"DeviceEvents\",\"DeviceProcessEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/95407904-0131-4918-bc49-ebf282ce149a\",\"name\":\"95407904-0131-4918-bc49-ebf282ce149a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let IPList = dynamic([\\\"135.125.147.170:80\\\",\\\"185.244.129.79:63047\\\",\\\"185.244.129.79:80\\\",\\\"45.80.149.108:63047\\\",\\\"45.80.149.108:80\\\",\\\"45.80.149.57:63047\\\",\\\"45.80.149.68:63047\\\",\\\"45.80.149.71:80\\\",\\\"185.244.129.109\\\",\\\"172.96.188.51\\\",\\\"51.83.246.73\\\"]); \\n(union isfuzzy=true \\n(CommonSecurityLog \\n| where isnotempty(SourceIP) or isnotempty(DestinationIP) \\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList) \\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"Message\\\") \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch \\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\") \\n), \\n(OfficeActivity \\n|extend SourceIPAddress = ClientIP, Account = UserId \\n| where SourceIPAddress in (IPList) \\n| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account \\n),\\n(_Im_Dns (response_has_any_prefix=IPList)\\n| extend DestinationIPAddress = ResponseName, Host = SrcIpAddr \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host \\n), \\n(_Im_NetworkSession (srcipaddr_has_any_prefix=IPList)\\n | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Hostname, AccountCustomEntity=User\\n), \\n(_Im_NetworkSession (dstipaddr_has_any_prefix=IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = DstIpAddr, HostCustomEntity = Hostname , AccountCustomEntity = User\\n), \\n(WireData \\n| where isnotempty(RemoteIP) \\n| where RemoteIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer \\n), \\n(SigninLogs \\n| where isnotempty(IPAddress) \\n| where IPAddress in (IPList) \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \\n),\\n(AADNonInteractiveUserSignInLogs \\n| where isnotempty(IPAddress) \\n| where IPAddress in (IPList) \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \\n), \\n(W3CIISLog \\n| where isnotempty(cIP) \\n| where cIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName \\n), \\n(AzureActivity \\n| where isnotempty(CallerIpAddress) \\n| where CallerIpAddress in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller \\n), \\n( \\nAWSCloudTrail \\n| where isnotempty(SourceIpAddress) \\n| where SourceIpAddress in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName \\n), \\n( \\nDeviceNetworkEvents \\n| where isnotempty(RemoteIP) \\n| where RemoteIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName \\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallNetworkRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Known POLONIUM IP\",\"description\":\"Identifies a match across various data feeds for IP IOCs related to the POLONIUM activity group. \\n References: BLOGURL\u0027 \",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2020-11-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AzureMonitor(WireData)\",\"dataTypes\":[\"WireData\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ed43bdb7-eaab-4ea4-be52-6951fcfa7e3b\",\"name\":\"ed43bdb7-eaab-4ea4-be52-6951fcfa7e3b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet TotalEventsThreshold = 25; \\nlet TimeSeriesData = \\nAzureActivity \\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where OperationNameValue endswith \\\"delete\\\" \\n| project TimeGenerated, Caller \\n| make-series Total = count() on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by Caller; \\nlet TimeSeriesAlerts = materialize(TimeSeriesData \\n| extend (anomalies, score, baseline) = series_decompose_anomalies(Total, 3, -1, \u0027linefit\u0027) \\n| mv-expand Total to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to typeof(double), baseline to typeof(long) \\n| where anomalies \u003e 0 \\n| project Caller, TimeGenerated, Total, baseline, anomalies, score \\n| where Total \u003e TotalEventsThreshold and baseline \u003e 0 ); \\nTimeSeriesAlerts \\n| where TimeGenerated \u003e (ago(endtime)) \\n| project TimeGenerated, Caller \\n| join (AzureActivity \\n| where TimeGenerated \u003e (ago(endtime)) \\n| where OperationNameValue endswith \\\"delete\\\" \\n| summarize count(), make_set(OperationNameValue), make_set(Resource) by bin(TimeGenerated, 1h), Caller) on TimeGenerated, Caller \\n| extend timestamp = TimeGenerated, AccountCustomEntity = Caller\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Mass Cloud resource deletions Time Series Anomaly\",\"description\":\"This query generates baseline pattern of cloud resource deletions by an user and generated anomaly \\nwhen any unusual spike is detected.\\nThese anomalies from unusual or privileged users could be an indication of cloud infrastructure \\ntake-down by an adversary \",\"lastUpdatedDateUTC\":\"2022-03-24T00:00:00Z\",\"createdDateUTC\":\"2022-03-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b6988c32-4f3b-4a45-8313-b46b33061a74\",\"name\":\"b6988c32-4f3b-4a45-8313-b46b33061a74\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n| where OperationName has_any (\\\"Add service principal\\\", \\\"Certificates and secrets management\\\") // captures \\\"Add service principal\\\", \\\"Add service principal credentials\\\", and \\\"Update application - Certificates and secrets management\\\" events\\n| where Result =~ \\\"success\\\"\\n| where tostring(InitiatedBy.user.userPrincipalName) has \\\"@\\\" or tostring(InitiatedBy.app.displayName) has \\\"@\\\"\\n| extend targetDisplayName = tostring(TargetResources[0].displayName)\\n| extend targetId = tostring(TargetResources[0].id)\\n| extend targetType = tostring(TargetResources[0].type)\\n| extend keyEvents = TargetResources[0].modifiedProperties\\n| mv-expand keyEvents\\n| where keyEvents.displayName =~ \\\"KeyDescription\\\"\\n| extend new_value_set = parse_json(tostring(keyEvents.newValue))\\n| extend old_value_set = parse_json(tostring(keyEvents.oldValue))\\n| where old_value_set == \\\"[]\\\"\\n| mv-expand new_value_set\\n| parse new_value_set with * \\\"KeyIdentifier=\\\" keyIdentifier:string \\\",KeyType=\\\" keyType:string \\\",KeyUsage=\\\" keyUsage:string \\\",DisplayName=\\\" keyDisplayName:string \\\"]\\\" *\\n| where keyUsage == \\\"Verify\\\" or keyUsage == \\\"\\\"\\n| extend UserAgent = iff(AdditionalDetails[0].key == \\\"User-Agent\\\",tostring(AdditionalDetails[0].value),\\\"\\\")\\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n// The below line is currently commented out but Microsoft Sentinel users can modify this query to show only Application or only Service Principal events in their environment\\n//| where targetType =~ \\\"Application\\\" // or targetType =~ \\\"ServicePrincipal\\\"\\n| project-away new_value_set, old_value_set\\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, InitiatingIpAddress, UserAgent, targetDisplayName, targetId, targetType, keyDisplayName, keyType, keyUsage, keyIdentifier, CorrelationId, TenantId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingUserOrApp, IPCustomEntity = InitiatingIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"NRT First access credential added to Application or Service Principal where no credential was present\",\"description\":\"This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where there was no previous verify KeyCredential associated.\\nIf a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2022-06-01T00:00:00Z\",\"createdDateUTC\":\"2020-11-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fb7ca1c9-e14c-40a3-856e-28f3c14ea1ba\",\"name\":\"fb7ca1c9-e14c-40a3-856e-28f3c14ea1ba\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let account_threshold = 5;\\nAADNonInteractiveUserSignInLogs\\n//| where ResultType == \\\"81016\\\"\\n| where ResultType startswith \\\"81\\\"\\n| summarize DistinctAccounts = dcount(UserPrincipalName), DistinctAddresses = make_set(IPAddress) by ResultType\\n| where DistinctAccounts \u003e account_threshold\\n| mv-expand IPAddress = DistinctAddresses\\n| extend IPAddress = tostring(IPAddress)\\n| join kind=leftouter (union isfuzzy=true SigninLogs, AADNonInteractiveUserSignInLogs) on IPAddress\\n| summarize\\n StartTime = min(TimeGenerated),\\n EndTime = max(TimeGenerated),\\n UserPrincipalName = make_set(UserPrincipalName),\\n UserAgent = make_set(UserAgent),\\n ResultDescription = take_any(ResultDescription),\\n ResultSignature = take_any(ResultSignature)\\n by IPAddress, Type, ResultType\\n| project Type, StartTime, EndTime, IPAddress, ResultType, ResultDescription, ResultSignature, UserPrincipalName, UserAgent = iff(array_length(UserAgent) == 1, UserAgent[0], UserAgent)\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Password spray attack against Azure AD Seamless SSO\",\"description\":\"This query detects when there is a spike in Azure AD Seamless SSO errors. They may not be caused by a Password Spray attack, but the cause of the errors might need to be investigated.\\nAzure AD only logs the requests that matched existing accounts, thus there might have been unlogged requests for non-existing accounts.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2022-03-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/825991eb-ea39-4590-9de2-ee97ef42eb93\",\"name\":\"825991eb-ea39-4590-9de2-ee97ef42eb93\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ActiniumIOC.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet domains = (iocs | where Type =~ \\\"domainname\\\"| project IoC);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\n(union isfuzzy=true\\n(DeviceProcessEvents\\n| where InitiatingProcessSHA256 in (sha256Hashes) or SHA256 in (sha256Hashes) or (ProcessCommandLine has (\u0027schtasks.exe /CREATE /sc minute /mo 12 /tn\u0027) and ProcessCommandLine has (\u0027/tr \\\"wscript.exe\u0027) and ProcessCommandLine has (\u0027\\\"%PUBLIC%\\\\\\\\Pictures\\\\\\\\\u0027) and ProcessCommandLine has (\u0027//e:VBScript //b\\\" /F\u0027)) or (ProcessCommandLine has (\u0027wscript.exe C:\\\\\\\\Users\\\\\\\\\u0027) and ProcessCommandLine has (\u0027.wav\u0027) and ProcessCommandLine has (\u0027//e:VBScript //b\u0027) \\nor (ProcessCommandLine has_all (\\\"schtasks.exe\\\", \\\"create\\\", \\\"wscript\\\", \\\"e:vbscript\\\", \\\".wav\\\")))\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, ProcessCommandLine, InitiatingProcessAccountName, InitiatingProcessCommandLine, FolderPath, InitiatingProcessFolderPath, ProcessId, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type, AccountName, SHA256, FileName\\n| extend Account = AccountName, Computer = DeviceName, FileHash = case(InitiatingProcessSHA256 in (sha256Hashes), \\\"InitiatingProcessSHA256\\\", SHA256 in (sha256Hashes), \\\"SHA256\\\", \\\"No Match\\\")\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = FileName, FileHashCustomEntity = case(FileHash == \\\"InitiatingProcessSHA256\\\", InitiatingProcessSHA256, FileHash == \\\"SHA256\\\", SHA256, \\\"No Match\\\")\\n),\\n( SecurityEvent\\n| where EventID == 4688\\n| where (CommandLine has (\u0027schtasks.exe /CREATE /sc minute /mo 12 /tn\u0027) and CommandLine has (\u0027/tr \\\"wscript.exe\u0027) and CommandLine has (\u0027\\\"%PUBLIC%\\\\\\\\Pictures\\\\\\\\\u0027) and CommandLine has (\u0027//e:VBScript //b\\\" /F\u0027)) or (CommandLine has (\u0027wscript.exe C:\\\\\\\\Users\\\\\\\\\u0027) and CommandLine has (\u0027.wav\u0027) and CommandLine has (\u0027//e:VBScript //b\u0027))\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type, EventID\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName\\n),\\n( CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, SourceUserID, FileHash, Type\\n| extend timestamp = TimeGenerated, FileHashCustomEntity = \u0027SHA256\u0027, Account = SourceUserID\\n),\\n( imFileEvent\\n| where Hash in~ (sha256Hashes) or (ActingProcessCommandLine has (\u0027schtasks.exe /CREATE /sc minute /mo 12 /tn\u0027) and ActingProcessCommandLine has (\u0027/tr \\\"wscript.exe\u0027) and ActingProcessCommandLine has (\u0027\\\"%PUBLIC%\\\\\\\\Pictures\\\\\\\\\u0027) and ActingProcessCommandLine has (\u0027//e:VBScript //b\\\" /F\u0027)) or (ActingProcessCommandLine has (\u0027wscript.exe C:\\\\\\\\Users\\\\\\\\\u0027) and ActingProcessCommandLine has (\u0027.wav\u0027) and ActingProcessCommandLine has (\u0027//e:VBScript //b\u0027) \\n or (ActingProcessCommandLine has_all (\\\"schtasks.exe\\\", \\\"create\\\", \\\"wscript\\\", \\\"e:vbscript\\\", \\\".wav\\\")))\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = Hash\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Image = EventDetail.[4].[\\\"#text\\\"], CommandLine = EventDetail.[10].[\\\"#text\\\"], Hashes = tostring(EventDetail.[17].[\\\"#text\\\"])\\n| extend Hashes = extract_all(@\\\"(?P\u003ckey\u003e\\\\w+)=(?P\u003cvalue\u003e[a-zA-Z0-9]+)\\\", dynamic([\\\"key\\\",\\\"value\\\"]), Hashes)\\n| extend Hashes = column_ifexists(\\\"Hashes\\\", \\\"\\\"), CommandLine = column_ifexists(\\\"CommandLine\\\", \\\"\\\")\\n| where (Hashes has_any (sha256Hashes) ) or (CommandLine has (\u0027schtasks.exe /CREATE /sc minute /mo 12 /tn\u0027) and CommandLine has (\u0027/tr \\\"wscript.exe\u0027) and CommandLine has (\u0027\\\"%PUBLIC%\\\\\\\\Pictures\\\\\\\\\u0027) and CommandLine has (\u0027//e:VBScript //b\\\" /F\u0027)) or (CommandLine has (\u0027wscript.exe C:\\\\\\\\Users\\\\\\\\\u0027) and CommandLine has (\u0027.wav\u0027) and CommandLine has (\u0027//e:VBScript //b\u0027) or (CommandLine has_all (\\\"schtasks.exe\\\", \\\"create\\\", \\\"wscript\\\", \\\"e:vbscript\\\", \\\".wav\\\")))\\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, Hashes, CommandLine, Image\\n| extend Type = strcat(Type, \\\": \\\", Source)\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), FileHashCustomEntity = Hashes\\n),\\n(DnsEvents\\n| where Name in~ (domains) \\n| project TimeGenerated, Computer, IPAddresses, Name, ClientIP, Type\\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Computer \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress\\n),\\n(VMConnection\\n| where RemoteDnsCanonicalNames has_any (domains)\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| project TimeGenerated, Computer, Direction, ProcessName, SourceIp, DestinationIp, DestinationPort, RemoteDnsQuestions, DNSName,BytesSent, BytesReceived, RemoteCountry, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIp, File = ProcessName\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| project TimeGenerated,Resource, msg_s, Type\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (domains) \\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost\\n),\\n(DeviceNetworkEvents \\n| where isnotempty(RemoteUrl) \\n| where RemoteUrl in~ (domains) \\n| project Type, TimeGenerated, DeviceName, RemoteIP, RemoteUrl, InitiatingProcessAccountName\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, DNSName = RemoteUrl, IPCustomEntity = RemoteIP\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashType\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"ACTINIUM Actor IOCs - Feb 2022\",\"description\":\"Identifies a match across various data feeds for domains, hashes and commands related to an actor tracked by Microsoft as Actinium.\",\"lastUpdatedDateUTC\":\"2022-03-09T00:00:00Z\",\"createdDateUTC\":\"2022-02-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceProcessEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/65360bb0-8986-4ade-a89d-af3cf44d28aa\",\"name\":\"65360bb0-8986-4ade-a89d-af3cf44d28aa\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"let EventNameList = dynamic([\\\"CreateNetworkAclEntry\\\",\\\"CreateRoute\\\",\\\"CreateRouteTable\\\",\\\"CreateInternetGateway\\\",\\\"CreateNatGateway\\\"]);\\nAWSCloudTrail\\n| where EventName in~ (EventNameList)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, \\nUserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion, EventSource, AdditionalEventData, ResponseElements\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"PrivilegeEscalation\",\"LateralMovement\"],\"displayName\":\"Changes to Amazon VPC settings\",\"description\":\"Amazon Virtual Private Cloud (Amazon VPC) lets you provision a logically isolated section of the AWS Cloud where you can launch AWS resources\\nin a virtual network that you define.\\nThis identifies changes to Amazon VPC (Virtual Private Cloud) settings such as new ACL entries,routes, routetable or Gateways.\\nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255 \\nand AWS VPC API Docs: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/OperationList-query-vpc.html\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f2eb15bd-8a88-4b24-9281-e133edfba315\",\"name\":\"f2eb15bd-8a88-4b24-9281-e133edfba315\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.2\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet aadFunc = (tableName:string){\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n table(tableName) | where TimeGenerated \u003e= ago(dt_lookBack)\\n | extend Status = todynamic(Status), LocationDetails = todynamic(LocationDetails)\\n | extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails), StatusReason = tostring(Status.failureReason)\\n | extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion)\\n // renaming time column so it is clear the log this came from\\n | extend SigninLogs_TimeGenerated = TimeGenerated, Type = Type\\n)\\non $left.TI_ipEntity == $right.IPAddress\\n| where SigninLogs_TimeGenerated \u003c ExpirationDateTime\\n| summarize SigninLogs_TimeGenerated = arg_max(SigninLogs_TimeGenerated, *) by IndicatorId, IPAddress\\n| project SigninLogs_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, IPAddress, UserPrincipalName, AppDisplayName, StatusCode, StatusDetails, StatusReason, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, Type\\n| extend timestamp = SigninLogs_TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress, URLCustomEntity = Url\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to SigninLogs\",\"description\":\"Identifies a match in SigninLogs from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6e715730-82c0-496c-983b-7a20c4590bd9\",\"name\":\"6e715730-82c0-496c-983b-7a20c4590bd9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let accountLookback = 3d;\\nlet requestLookback = 3d;\\nlet extraction_regex = @\\\"(?:\\\\?|\u0026)[a-zA-Z0-9\\\\%]*=([a-zA-Z0-9\\\\/\\\\+\\\\=]*)\\\";\\n// Collect account names and base64 encode them\\nDeviceEvents\\n| where TimeGenerated \u003e ago(accountLookback)\\n| summarize make_set(DeviceId), make_set(DeviceName) by InitiatingProcessAccountName\\n| where isnotempty(InitiatingProcessAccountName)\\n| extend base64_user = base64_encode_tostring(InitiatingProcessAccountName)\\n| join (\\n // Collect requests and extract base64 parameters\\n CommonSecurityLog\\n | where TimeGenerated \u003e ago(requestLookback)\\n | where isnotempty(RequestURL)\\n // Summarize early on the RequestURL\\n | summarize FirstRequest=min(TimeGenerated), LastRequest=max(TimeGenerated), NumberOfRequests=count() by RequestURL\\n | extend base64_candidate = extract_all(extraction_regex, RequestURL)\\n | mv-expand base64_candidate to typeof(string)\\n) on $left.base64_user == $right.base64_candidate\\n| project FirstRequest, LastRequest, NumberOfRequests, RequestURL, DeviceIds=set_DeviceId, DeviceNames=set_DeviceName, UserName=InitiatingProcessAccountName\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"DeviceNames\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"RequestURL\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"UserName\"}]}],\"tactics\":[\"Exfiltration\",\"CommandAndControl\"],\"displayName\":\"Windows host username encoded in base64 web request\",\"description\":\"This detection will identify network requests in HTTP proxy data that contains Base64 encoded usernames from machines in the DeviceEvents table.\\nThis technique was seen usee by POLONIUM in their RunningRAT tool.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2022-05-31T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e4779bdc-397a-4b71-be28-59e6a1e1d16b\",\"name\":\"e4779bdc-397a-4b71-be28-59e6a1e1d16b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"ZoomLogs\\n| where Event =~ \\\"account.settings_updated\\\"\\n| extend NewE2ESetting = columnifexists(\\\"payload_object_settings_in_meeting_e2e_encryption_b\\\", \\\"\\\")\\n| extend OldE2ESetting = columnifexists(\\\"payload_old_object_settings_in_meeting_e2e_encryption_b\\\", \\\"\\\")\\n| where OldE2ESetting =~ \u0027false\u0027 and NewE2ESetting =~ \u0027true\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\",\"Discovery\"],\"displayName\":\"Zoom E2E Encryption Disabled\",\"description\":\"This alerts when end to end encryption is disabled for Zoom meetings.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-04-24T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/194dd92e-d6e7-4249-85a5-273350a7f5ce\",\"name\":\"194dd92e-d6e7-4249-85a5-273350a7f5ce\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"OfficeActivity\\n| where UserType in~ (\\\"Admin\\\",\\\"DcAdmin\\\") \\n// Only admin or global-admin can disable audit logging\\n| where Operation =~ \\\"Set-AdminAuditLogConfig\\\" \\n| extend AdminAuditLogEnabledValue = tostring(parse_json(tostring(parse_json(tostring(array_slice(parse_json(Parameters),3,3)))[0])).Value)\\n| where AdminAuditLogEnabledValue =~ \\\"False\\\" \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), OperationCount = count() by Operation, UserType, UserId, ClientIP, ResultStatus, Parameters, AdminAuditLogEnabledValue\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Exchange AuditLog disabled\",\"description\":\"Identifies when the exchange audit logging has been disabled which may be an adversary attempt\\nto evade detection or avoid other defenses.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-04-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/218f60de-c269-457a-b882-9966632b9dc6\",\"name\":\"218f60de-c269-457a-b882-9966632b9dc6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"AuditLogs\\n| where Category =~ \\\"RoleManagement\\\"\\n| where ActivityDisplayName has_any (\\\"Add eligible member to role\\\", \\\"Add member to role\\\")\\n| mv-expand TargetResources\\n| mv-expand TargetResources.modifiedProperties\\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\\n| where displayName_ =~ \\\"Role.DisplayName\\\"\\n| extend RoleName = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\\n| where RoleName contains \\\"Admin\\\"\\n| extend Target = tostring(TargetResources.userPrincipalName)\\n| summarize dcount(Target) by bin(TimeGenerated, 1h)\\n| where dcount_Target \u003e 9\\n| join kind=rightsemi (AuditLogs\\n| where Category =~ \\\"RoleManagement\\\"\\n| where ActivityDisplayName has_any (\\\"Add eligible member to role\\\", \\\"Add member to role\\\")\\n| mv-expand TargetResources\\n| mv-expand TargetResources.modifiedProperties\\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\\n| where displayName_ =~ \\\"Role.DisplayName\\\"\\n| extend RoleName = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\\n| where RoleName contains \\\"Admin\\\"\\n| extend Target = tostring(TargetResources.userPrincipalName)\\n| extend TimeWindow = bin(TimeGenerated, 1h)) on $left.TimeGenerated == $right.TimeWindow\\n| extend AccountCustomEntity = Target\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Bulk Changes to Privileged Account Permissions\",\"description\":\"Identifies when changes to multiple users permissions are changed at once. Investigate immediately if not a planned change. This setting could enable an attacker access to Azure subscriptions in your environment.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-identity-management\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6e575295-a7e6-464c-8192-3e1d8fd6a990\",\"name\":\"6e575295-a7e6-464c-8192-3e1d8fd6a990\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.1\",\"severity\":\"High\",\"query\":\"let IPList = externaldata(IPAddress:string)[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Log4j_IOC_List.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\n//Network logs\\nlet CSlogSourceIP = CommonSecurityLog | summarize by IPAddress = SourceIP, Type;\\nlet CSlogDestIP = CommonSecurityLog | summarize by IPAddress = DestinationIP, Type;\\nlet CSlogMsgIP = CommonSecurityLog | extend MessageIP = extract(IPRegex, 0, Message) | summarize by IPAddress = MessageIP, Type;\\nlet DnsIP = DnsEvents | summarize by IPAddress = IPAddresses, Type;\\n// If you have enabled the imDNS and/or imNetworkSession normalization in your workspace, you can uncomment one or both below. Reference - https://docs.microsoft.com/azure/sentinel/normalization\\n//let imDnsIP = imDns (response_has_any_prefix=IPList) | summarize by IPAddress = ResponseName, Type;\\n//let imNetSessIP = imNetworkSession (dstipaddr_has_any_prefix=IPList) | summarize by IPAddress = DstIpAddr, Type;\\n//Cloud service logs\\nlet officeIP = OfficeActivity | summarize by IPAddress = ClientIP, Type;\\nlet signinIP = SigninLogs | summarize by IPAddress, Type;\\nlet nonintSigninIP = AADNonInteractiveUserSignInLogs | summarize by IPAddress, Type;\\nlet azureActIP = AzureActivity | summarize by IPAddress = CallerIpAddress, Type;\\nlet awsCtIP = AWSCloudTrail | summarize by IPAddress = SourceIpAddress, Type;\\n//Device logs\\nlet vmConnSourceIP = VMConnection | summarize by IPAddress = SourceIp, Type;\\nlet vmConnDestIP = VMConnection | summarize by IPAddress = DestinationIp, Type;\\nlet iisLogIP = W3CIISLog | summarize by IPAddress = cIP, Type;\\nlet devNetIP = DeviceNetworkEvents | summarize by IPAddress = RemoteIP, Type;\\n//need to parse to get IP\\nlet azureDiagIP = AzureDiagnostics | where ResourceType == \\\"AZUREFIREWALLS\\\" | where Category in (\\\"AzureFirewallApplicationRule\\\", \\\"AzureFirewallNetworkRule\\\") \\n| where msg_s has_any (IPList) | parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action | summarize by IPAddress = DestinationHost, Type;\\nlet sysEvtIP = Event | where Source == \\\"Microsoft-Windows-Sysmon\\\" | where EventID == 3 | where EventData has_any (IPList) | extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = tostring(EventDetail.[9].[\\\"#text\\\"]), DestinationIP = tostring(EventDetail.[14].[\\\"#text\\\"])\\n| where SourceIP in (IPList) or DestinationIP in (IPList) | extend IPAddress = iff(SourceIP in (IPList), SourceIP, DestinationIP) | summarize by IPAddress, Type;\\n// If you have enabled the imDNS and/or imNetworkSession normalization in your workdspace, you can uncomment below and include. Reference - https://docs.microsoft.com/azure/sentinel/normalization\\n//let ipsort = union isfuzzy=true CSlogDestIP, CSlogMsgIP, CSlogSourceIP, DnsIP, officeIP, signinIP, nonintSigninIP, azureActIP, awsCtIP, vmConnDestIP, vmConnSourceIP, azureDiagIP, sysEvtIP, imDnsIP, imNetSessIP\\n// If you uncomment above, then comment out the line below\\nlet ipsort = union isfuzzy=true CSlogDestIP, CSlogMsgIP, CSlogSourceIP, DnsIP, officeIP, signinIP, nonintSigninIP, azureActIP, awsCtIP, vmConnDestIP, vmConnSourceIP, azureDiagIP, sysEvtIP\\n| summarize by IPAddress\\n| where isnotempty(IPAddress) | where not(ipv4_is_private(IPAddress)) and IPAddress !in (\u00270.0.0.0\u0027,\u0027127.0.0.1\u0027);\\nlet ipMatch = ipsort | where IPAddress in (IPList);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (ipMatch) or DestinationIP in (ipMatch) or Message has_any (ipMatch)\\n| project TimeGenerated, SourceIP, DestinationIP, Message, SourceUserID, RequestURL, Type\\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend IPMatch = case(SourceIP in (ipMatch), \\\"SourceIP\\\", DestinationIP in (ipMatch), \\\"DestinationIP\\\", MessageIP in (ipMatch), \\\"Message\\\", \\\"No Match\\\")\\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, \\\"No Match\\\")\\n),\\n(OfficeActivity\\n| where ClientIP in (ipMatch)\\n| project TimeGenerated, UserAgent, Operation, RecordType, UserId, ClientIP, Type\\n| extend SourceIPAddress = ClientIP, Account = UserId\\n| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account\\n),\\n(DnsEvents\\n| where IPAddresses has_any (ipMatch)\\n| project TimeGenerated, Computer, IPAddresses, Name, ClientIP, Type\\n| extend DestinationIPAddress = IPAddresses, Host = Computer\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n),\\n(VMConnection\\n| where SourceIp in (ipMatch) or DestinationIp in (ipMatch)\\n| project TimeGenerated, Computer, SourceIp, DestinationIp, Type\\n| extend IPMatch = case( SourceIp in (ipMatch), \\\"SourceIP\\\", DestinationIp in (ipMatch), \\\"DestinationIP\\\", \\\"None\\\")\\n| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"None\\\"), Host = Computer\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| where EventData has_any (ipMatch)\\n| project TimeGenerated, EventData, UserName, Computer, Type\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = tostring(EventDetail.[9].[\\\"#text\\\"]), DestinationIP = tostring(EventDetail.[14].[\\\"#text\\\"])\\n| where SourceIP in (ipMatch) or DestinationIP in (ipMatch)\\n| extend IPMatch = case( SourceIP in (ipMatch), \\\"SourceIP\\\", DestinationIP in (ipMatch), \\\"DestinationIP\\\", \\\"None\\\")\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n),\\n(SigninLogs\\n| where IPAddress in (ipMatch)\\n| project TimeGenerated, UserPrincipalName, IPAddress, Type\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n),\\n(AADNonInteractiveUserSignInLogs\\n| where IPAddress in (ipMatch)\\n| project TimeGenerated, UserPrincipalName, IPAddress, Type\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n),\\n(W3CIISLog\\n| where cIP in (ipMatch)\\n| project TimeGenerated, Computer, cIP, csUserName, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName\\n),\\n(AzureActivity\\n| where CallerIpAddress in (ipMatch)\\n| project TimeGenerated, CallerIpAddress, Caller, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller\\n),\\n(\\nAWSCloudTrail\\n| where SourceIpAddress in (ipMatch)\\n| project TimeGenerated, SourceIpAddress, UserIdentityUserName, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName\\n), \\n( \\nDeviceNetworkEvents\\n| where RemoteIP in (ipMatch)\\n| where ActionType == \\\"InboundConnectionAccepted\\\"\\n| project TimeGenerated, RemoteIP, DeviceName, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName\\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category in (\\\"AzureFirewallApplicationRule\\\", \\\"AzureFirewallNetworkRule\\\")\\n| where msg_s has_any (ipMatch)\\n| project TimeGenerated, msg_s, Type\\n| parse msg_s with Protocol \u0027request from \u0027 SourceIP \u0027:\u0027 SourcePort \u0027to \u0027 DestinationIP \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where DestinationIP has_any (ipMatch)\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIP\\n)\\n// If you have enabled the imDNS and/or imNetworkSession normalization in your workdspace, you can uncomment below and include. Reference - https://docs.microsoft.com/azure/sentinel/normalization\\n//,\\n//(imDns (response_has_any_prefix=IPList)\\n//| project TimeGenerated, ResponseName, SrcIpAddr, Type\\n//| extend DestinationIPAddress = ResponseName, Host = SrcIpAddr\\n//| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n//),\\n//(imNetworkSession (dstipaddr_has_any_prefix=IPList)\\n//| project TimeGenerated, DstIpAddr, SrcIpAddr, Type\\n//| extend timestamp = TimeGenerated, IPCustomEntity = DstIpAddr, HostCustomEntity = SrcIpAddr\\n//)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Log4j vulnerability exploit aka Log4Shell IP IOC\",\"description\":\"Identifies a match across various data feeds for IP IOCs related to the Log4j vulnerability exploit aka Log4Shell described in CVE-2021-44228. \\n References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44228\u0027 \",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2019-12-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AzureMonitor(WireData)\",\"dataTypes\":[\"WireData\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bda5a2bd-979b-4828-a91f-27c2a5048f7f\",\"name\":\"bda5a2bd-979b-4828-a91f-27c2a5048f7f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT30M\",\"queryPeriod\":\"PT30M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let lbtime = 30m;\\nlet msgthreshold = 3;\\nProofpointPOD\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027outbound\u0027\\n| extend attachedMimeType = todynamic(MsgParts)[0][\u0027detectedMime\u0027]\\n| where attachedMimeType == \u0027application/zip\u0027\\n| summarize count() by SrcUserUpn, DstUserUpn\\n| where count_ \u003e msgthreshold\\n| extend AccountCustomEntity = SrcUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"ProofpointPOD - Multiple archived attachments to the same recipient\",\"description\":\"Detects when multiple emails where sent to the same recipient with large archived attachments.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1baaaf00-655f-4de9-8ff8-312e902cda71\",\"name\":\"1baaaf00-655f-4de9-8ff8-312e902cda71\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let known_locations = (\\n AADServicePrincipalSignInLogs\\n | where TimeGenerated between(ago(14d)..ago(1d))\\n | where ResultType == 0\\n | summarize by Location);\\n AADServicePrincipalSignInLogs\\n | where TimeGenerated \u003e ago(1d)\\n | where ResultType != 50126\\n | where Location !in (known_locations)\\n | extend City = tostring(parse_json(LocationDetails).city)\\n | extend State = tostring(parse_json(LocationDetails).state)\\n | extend Place = strcat(City, \\\" - \\\", State)\\n | extend Result = strcat(tostring(ResultType), \\\" - \\\", ResultDescription)\\n | summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated), make_set(Result), make_set(IPAddress), make_set(Place) by ServicePrincipalName, Location\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"ServicePrincipalName\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Service Principal Authentication Attempt from New Country\",\"description\":\"Detects when there is a Service Principal login attempt from a country that has not seen a successful login in the previous 14 days.\\n Threat actors may attempt to authenticate with credentials from compromised accounts - monitoring attempts from anomalous locations may help identify these attempts.\\n Authentication attempts should be investigated to ensure the activity was legitimate and if there is other similar activity.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADServicePrincipalSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/39198934-62a0-4781-8416-a81265c03fd6\",\"name\":\"39198934-62a0-4781-8416-a81265c03fd6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let detectionTime = 1d;\\nlet joinLookback = 14d;\\nAuditLogs\\n| where TimeGenerated \u003e ago(detectionTime)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Consent to application\\\"\\n| where TargetResources has \\\"offline\\\"\\n| extend AppDisplayName = TargetResources.[0].displayName\\n| extend AppClientId = tolower(TargetResources.[0].id)\\n| where AppClientId !in ((externaldata(knownAppClientId:string, knownAppDisplayName:string)[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.OAuth.KnownApplications.csv\\\"] with (format=\\\"csv\\\")))\\n| extend ConsentFull = TargetResources[0].modifiedProperties[4].newValue\\n| parse ConsentFull with * \\\"ConsentType: \\\" GrantConsentType \\\", Scope: \\\" GrantScope1 \\\"]\\\" *\\n| where ConsentFull contains \\\"user.read\\\" and ConsentFull contains \\\"offline_access\\\" and ConsentFull contains \\\"mail.readwrite\\\" and ConsentFull contains \\\"mail.send\\\" and ConsentFull contains \\\"files.read.all\\\"\\n| where GrantConsentType != \\\"AllPrincipals\\\" // NOTE: we are ignoring if OAuth application was granted to all users via an admin - but admin due diligence should be audited occasionally\\n| extend GrantIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n| extend GrantInitiatedBy = iff(isnotempty(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend GrantUserAgent = iff(AdditionalDetails[0].key =~ \\\"User-Agent\\\", AdditionalDetails[0].value, \\\"\\\")\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, GrantIpAddress, GrantUserAgent, AppClientId, OperationName, ConsentFull, CorrelationId\\n| join kind = leftouter (AuditLogs\\n| where TimeGenerated \u003e ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add service principal\\\"\\n| extend AppClientId = tolower(TargetResources[0].id)\\n| extend AppReplyURLs = iff(TargetResources[0].modifiedProperties[1].newValue has \\\"AddressType\\\", TargetResources[0].modifiedProperties[1].newValue, \\\"\\\")\\n| distinct AppClientId, tostring(AppReplyURLs)\\n)\\non AppClientId\\n| join kind = innerunique (AuditLogs\\n| where TimeGenerated \u003e ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add OAuth2PermissionGrant\\\" or OperationName =~ \\\"Add delegated permission grant\\\"\\n| extend GrantAuthentication = tostring(TargetResources[0].displayName)\\n| extend GrantOperation = OperationName\\n| project GrantAuthentication, GrantOperation, CorrelationId\\n) on CorrelationId\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantIpAddress, GrantUserAgent, AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull\\n| extend timestamp = TimeGenerated, AccountCustomEntity = GrantInitiatedBy, IPCustomEntity = GrantIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\",\"DefenseEvasion\"],\"displayName\":\"Suspicious application consent similar to PwnAuth\",\"description\":\"This will alert when a user consents to provide a previously-unknown Azure application with the same OAuth permissions used by the FireEye PwnAuth toolkit (https://github.com/fireeye/PwnAuth).\\nThe default permissions/scope for the PwnAuth toolkit are user.read, offline_access, mail.readwrite, mail.send, and files.read.all.\\nConsent to applications with these permissions should be rare, especially as the knownApplications list is expanded. Public contributions to expand this filter are welcome!\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fbd72eb8-087e-466b-bd54-1ca6ea08c6d3\",\"name\":\"fbd72eb8-087e-466b-bd54-1ca6ea08c6d3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let opList = OfficeActivity \\n| summarize by Operation\\n//| where Operation startswith \\\"Remove-\\\" or Operation startswith \\\"Disable-\\\"\\n| where Operation has_any (\\\"Remove\\\", \\\"Disable\\\")\\n| where Operation contains \\\"AntiPhish\\\" or Operation contains \\\"SafeAttachment\\\" or Operation contains \\\"SafeLinks\\\" or Operation contains \\\"Dlp\\\" or Operation contains \\\"Audit\\\"\\n| summarize make_set(Operation);\\nOfficeActivity\\n// Only admin or global-admin can disable/remove policy\\n| where RecordType =~ \\\"ExchangeAdmin\\\"\\n| where UserType in~ (\\\"Admin\\\",\\\"DcAdmin\\\")\\n// Pass in interesting Operation list\\n| where Operation in~ (opList)\\n| extend ClientIPOnly = case( \\nClientIP has \\\".\\\", tostring(split(ClientIP,\\\":\\\")[0]), \\nClientIP has \\\"[\\\", tostring(trim_start(@\u0027[[]\u0027,tostring(split(ClientIP,\\\"]\\\")[0]))),\\nClientIP\\n) \\n| extend Port = case(\\nClientIP has \\\".\\\", (split(ClientIP,\\\":\\\")[1]),\\nClientIP has \\\"[\\\", tostring(split(ClientIP,\\\"]:\\\")[1]),\\nClientIP\\n)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), OperationCount = count() by Operation, UserType, UserId, ClientIP = ClientIPOnly, Port, ResultStatus, Parameters\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"DefenseEvasion\"],\"displayName\":\"Office policy tampering\",\"description\":\"Identifies if any tampering is done to either auditlog, ATP Safelink, SafeAttachment, AntiPhish or Dlp policy. \\nAn adversary may use this technique to evade detection or avoid other policy based defenses.\\nReferences: https://learn.microsoft.com/powershell/module/exchange/advanced-threat-protection/remove-antiphishrule?view=exchange-ps.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-04-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/06a9b845-6a95-4432-a78b-83919b28c375\",\"name\":\"06a9b845-6a95-4432-a78b-83919b28c375\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":3,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet scorethreshold = 5;\\nlet percentotalthreshold = 50;\\nlet TimeSeriesData = CommonSecurityLog\\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| project TimeGenerated,SourceIP, DestinationIP, DeviceVendor\\n| make-series Total=count() on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by DeviceVendor;\\n// Filtering specific records associated with spikes as outliers\\nlet TimeSeriesAlerts=materialize(TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(Total, scorethreshold, -1, \u0027linefit\u0027)\\n| mv-expand Total to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double),score to typeof(double), baseline to typeof(long)\\n| where anomalies \u003e 0 | extend score = round(score,2), AnomalyHour = TimeGenerated\\n| project DeviceVendor,AnomalyHour, TimeGenerated, Total, baseline, anomalies, score);\\nlet AnomalyHours = materialize(TimeSeriesAlerts | where TimeGenerated \u003e ago(2d) | project TimeGenerated);\\n// Join anomalies with Base Data to popalate associated records for investigation - Results sorted by score in descending order\\nTimeSeriesAlerts\\n| where TimeGenerated \u003e ago(2d)\\n| join (\\n CommonSecurityLog\\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\\n| where TimeGenerated \u003e ago(2d)\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n| summarize HourlyCount = count(), TimeGeneratedMax = arg_max(TimeGenerated, *), DestinationIPlist = make_set(DestinationIP, 100), DestinationPortlist = make_set(DestinationPort, 100) by DeviceVendor, SourceIP, TimeGeneratedHour= bin(TimeGenerated, 1h)\\n| extend AnomalyHour = TimeGeneratedHour\\n) on AnomalyHour, DeviceVendor\\n| extend PercentTotal = round((HourlyCount / Total) * 100, 3)\\n| where PercentTotal \u003e percentotalthreshold\\n| project DeviceVendor , AnomalyHour, TimeGeneratedMax, SourceIP, DestinationIPlist, DestinationPortlist, HourlyCount, PercentTotal, Total, baseline, score, anomalies\\n| summarize HourlyCount=sum(HourlyCount), StartTimeUtc=min(TimeGeneratedMax), EndTimeUtc=max(TimeGeneratedMax), SourceIPlist = make_set(SourceIP, 100), SourceIPMax= arg_max(SourceIP, *), DestinationIPlist = make_set(DestinationIPlist, 100), DestinationPortlist = make_set(DestinationPortlist, 100) by DeviceVendor , AnomalyHour, Total, baseline, score, anomalies\\n| project DeviceVendor , AnomalyHour, EndTimeUtc, SourceIPMax ,SourceIPlist, DestinationIPlist, DestinationPortlist, HourlyCount, Total, baseline, score, anomalies\\n| extend timestamp= EndTimeUtc , IPCustomEntity = SourceIPMax\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"Time series anomaly detection for total volume of traffic\",\"description\":\"Identifies anamalous spikes in network traffic logs as compared to baseline or normal historical patterns.\\nThe query leverages a KQL built-in anomaly detection algorithm to find large deviations from baseline patterns.\\nSudden increases in network traffic volume may be an indication of data exfiltration attempts and should be investigated.\\nThe higher the score, the further it is from the baseline value.\\nThe output is aggregated to provide summary view of unique source IP to destination IP address and port traffic observed in the flagged anomaly hour.\\nThe source IP addresses which were sending less than percentotalthreshold of the total traffic have been exluded whose value can be adjusted as needed .\\nYou may have to run queries for individual source IP addresses from SourceIPlist to determine if anything looks suspicious\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2019-05-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Barracuda\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f110287e-1358-490d-8147-ed804b328514\",\"name\":\"f110287e-1358-490d-8147-ed804b328514\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n AWSCloudTrail | where TimeGenerated \u003e= ago(dt_lookBack)\\n // renaming time column so it is clear the log this came from\\n | extend AWSCloudTrail_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.SourceIpAddress\\n| where AWSCloudTrail_TimeGenerated \u003c ExpirationDateTime\\n| summarize AWSCloudTrail_TimeGenerated = arg_max(AWSCloudTrail_TimeGenerated, *) by IndicatorId, SourceIpAddress\\n| project AWSCloudTrail_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserIdentityUserName, SourceIpAddress,\\nNetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = AWSCloudTrail_TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to AWSCloudTrail\",\"description\":\"Identifies a match in AWSCloudTrail from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7249500f-3038-4b83-8549-9cd8dfa2d498\",\"name\":\"7249500f-3038-4b83-8549-9cd8dfa2d498\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"de-ma.online\\\", \\\"g20saudi.000webhostapp.com\\\", \\\"ksat20.000webhostapp.com\\\"]);\\nlet EmailAddresses = dynamic([\\\"munichconference1962@gmail.com\\\",\\\"munichconference@outlook.de\\\", \\\"munichconference@outlook.com\\\", \\\"t20saudiarabia@gmail.com\\\", \\\"t20saudiarabia@hotmail.com\\\", \\\"t20saudiarabia@outlook.sa\\\"]);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend RequestURLIP = extract(IPRegex, 0, Message)\\n| where (isnotempty(DNSName) and DNSName has_any (DomainNames)) \\n or (isnotempty(DestinationHostName) and DestinationHostName has_any (DomainNames)) \\n or (isnotempty(RequestURL) and (RequestURL has_any (DomainNames)))\\n| extend timestamp = TimeGenerated , AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName\\n),\\n(DnsEvents \\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Host = Computer\\n| where DNSName has_any (DomainNames) \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host),\\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where isnotempty(DNSName)\\n| where DNSName has_any (DomainNames)\\n| extend timestamp = TimeGenerated , HostCustomEntity = Computer),\\n(SecurityAlert\\n| where ProviderName =~ \u0027OATP\u0027\\n| extend UPN = case(isnotempty(parse_json(Entities)[0].Upn), parse_json(Entities)[0].Upn, \\n isnotempty(parse_json(Entities)[1].Upn), parse_json(Entities)[1].Upn,\\n isnotempty(parse_json(Entities)[2].Upn), parse_json(Entities)[2].Upn,\\n isnotempty(parse_json(Entities)[3].Upn), parse_json(Entities)[3].Upn,\\n isnotempty(parse_json(Entities)[4].Upn), parse_json(Entities)[4].Upn,\\n isnotempty(parse_json(Entities)[5].Upn), parse_json(Entities)[5].Upn,\\n isnotempty(parse_json(Entities)[6].Upn), parse_json(Entities)[6].Upn,\\n isnotempty(parse_json(Entities)[7].Upn), parse_json(Entities)[7].Upn,\\n isnotempty(parse_json(Entities)[8].Upn), parse_json(Entities)[8].Upn,\\n parse_json(Entities)[9].Upn)\\n| where Entities has_any (EmailAddresses)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = tostring(UPN)),\\n(AzureDiagnostics\\n| where ResourceType =~ \\\"AZUREFIREWALLS\\\"\\n| where msg_s has_any (DomainNames)\\n| extend timestamp = TimeGenerated))\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"InitialAccess\"],\"displayName\":\"Known PHOSPHORUS group domains/IP - October 2020\",\"description\":\"Matches IOCs related to PHOSPHORUS group activity published October 2020 with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes.\\nReferences: \",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-10-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog (Cisco)\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog (Zscaler)\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog (Fortinet)\"]},{\"connectorId\":\"OfficeATP\",\"dataTypes\":[\"SecurityAlert (OATP)\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics (Azure Firewall)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5ef06767-b37c-4818-b035-47de950d0046\",\"name\":\"5ef06767-b37c-4818-b035-47de950d0046\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"// How far back to look for events from\\nlet timeframe = 1d;\\n// How close together build events and file modifications should occur to alert (make this smaller to reduce FPs)\\nlet time_window = 5m;\\n// Edit this to include build processes used\\nlet build_processes = dynamic([\\\"MSBuild.exe\\\", \\\"dotnet.exe\\\", \\\"VBCSCompiler.exe\\\"]);\\n// Include any processes that you want to allow to edit files during/around the build process\\nlet allow_list = dynamic([\\\"\\\"]);\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n// Look for build process starts\\n| where EventID == 4688\\n| where Process has_any (build_processes)\\n| summarize by BuildParentProcess=ParentProcessName, BuildProcess=Process, BuildAccount = Account, Computer, BuildCommand=CommandLine, timekey= bin(TimeGenerated, time_window), BuildProcessTime=TimeGenerated\\n| join kind=inner(\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n// Look for file modifications to code file\\n| where EventID == 4663\\n| where Process !in (allow_list)\\n// Look for code files, edit this to include file extensions used in build.\\n| where ObjectName endswith \\\".cs\\\" or ObjectName endswith \\\".cpp\\\"\\n// 0x6 and 0x4 for file append, 0x100 for file replacements\\n| where AccessMask == \\\"0x6\\\" or AccessMask == \\\"0x4\\\" or AccessMask == \\\"0X100\\\"\\n| summarize by FileEditParentProcess=ParentProcessName, FileEditAccount = Account, Computer, FileEdited=ObjectName, FileEditProcess=ProcessName, timekey= bin(TimeGenerated, time_window), FileEditTime=TimeGenerated)\\n// join where build processes and file modifications seen at same time on same host\\non timekey, Computer\\n// Limit to only where the file edit happens after the build process starts\\n| where BuildProcessTime \u003c= FileEditTime\\n| summarize make_set(FileEdited), make_set(FileEditProcess), make_set(FileEditAccount) by timekey, Computer, BuildParentProcess, BuildProcess\\n| extend HostCustomEntity=Computer, timestamp=timekey\\n),\\n(WindowsEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n// Look for build process starts\\n| where EventID == 4688 and EventData has_any (build_processes)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where Process has_any (build_processes)\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend CommandLine = tostring(EventData.CommandLine) \\n| summarize by BuildParentProcess=ParentProcessName, BuildProcess=Process, BuildAccount = Account, Computer, BuildCommand=CommandLine, timekey= bin(TimeGenerated, time_window), BuildProcessTime=TimeGenerated\\n| join kind=inner(\\nWindowsEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n// Look for file modifications to code file\\n| where EventID == 4663 and EventData has_any (\\\"0x6\\\", \\\"0x4\\\", \\\"0X100\\\") and EventData has_any (\\\".cs\\\", \\\".cpp\\\")\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where Process !in (allow_list)\\n// Look for code files, edit this to include file extensions used in build.\\n| extend ObjectName = tostring(EventData.ObjectName)\\n| where ObjectName endswith \\\".cs\\\" or ObjectName endswith \\\".cpp\\\"\\n// 0x6 and 0x4 for file append, 0x100 for file replacements\\n| extend AccessMask = tostring(EventData.AccessMask) \\n| where AccessMask == \\\"0x6\\\" or AccessMask == \\\"0x4\\\" or AccessMask == \\\"0X100\\\"\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| summarize by FileEditParentProcess=ParentProcessName, FileEditAccount = Account, Computer, FileEdited=ObjectName, FileEditProcess=ProcessName, timekey= bin(TimeGenerated, time_window), FileEditTime=TimeGenerated)\\n// join where build processes and file modifications seen at same time on same host\\non timekey, Computer\\n// Limit to only where the file edit happens after the build process starts\\n| where BuildProcessTime \u003c= FileEditTime\\n| summarize make_set(FileEdited), make_set(FileEditProcess), make_set(FileEditAccount) by timekey, Computer, BuildParentProcess, BuildProcess\\n| extend HostCustomEntity=Computer, timestamp=timekey\\n))\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Potential Build Process Compromise\",\"description\":\"The query looks for source code files being modified immediately after a build process is started. The purpose of this is to look for malicious code injection during the build process.\\nMore details: https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-the-software-supply-chain-with-azure-sentinel/ba-p/2176463\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a83ef0f4-dace-4767-bce3-ebd32599d2a0\",\"name\":\"a83ef0f4-dace-4767-bce3-ebd32599d2a0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"DnsEvents\\n| where Name contains \\\".\\\"\\n| where Name has_any (\\\"tor2web.org\\\", \\\"tor2web.com\\\", \\\"torlink.co\\\", \\\"onion.to\\\", \\\"onion.ink\\\", \\\"onion.cab\\\", \\\"onion.nu\\\", \\\"onion.link\\\", \\n\\\"onion.it\\\", \\\"onion.city\\\", \\\"onion.direct\\\", \\\"onion.top\\\", \\\"onion.casa\\\", \\\"onion.plus\\\", \\\"onion.rip\\\", \\\"onion.dog\\\", \\\"tor2web.fi\\\", \\n\\\"tor2web.blutmagie.de\\\", \\\"onion.sh\\\", \\\"onion.lu\\\", \\\"onion.pet\\\", \\\"t2w.pw\\\", \\\"tor2web.ae.org\\\", \\\"tor2web.io\\\", \\\"tor2web.xyz\\\", \\\"onion.lt\\\", \\n\\\"s1.tor-gateways.de\\\", \\\"s2.tor-gateways.de\\\", \\\"s3.tor-gateways.de\\\", \\\"s4.tor-gateways.de\\\", \\\"s5.tor-gateways.de\\\", \\\"hiddenservice.net\\\")\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"DNS events related to ToR proxies\",\"description\":\"Identifies IP addresses performing DNS lookups associated with common ToR proxies.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/42436753-9944-4d70-801c-daaa4d19ddd2\",\"name\":\"42436753-9944-4d70-801c-daaa4d19ddd2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"AlertPerResult\"},\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let threatCategory=\\\"Powershell\\\";\\nlet knownUserAgentsIndicators = materialize(externaldata(UserAgent:string, Category:string)\\n [ @\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/UnusualUserAgents.csv\\\"]\\n with(format=\\\"csv\\\", ignoreFirstRecord=True));\\nlet knownUserAgents=toscalar(knownUserAgentsIndicators | where Category==threatCategory | where isnotempty(UserAgent) | summarize make_list(UserAgent));\\nlet customUserAgents=toscalar(_GetWatchlist(\\\"UnusualUserAgents\\\") | where SearchKey==threatCategory | extend UserAgent=column_ifexists(\\\"UserAgent\\\",\\\"\\\") | where isnotempty(UserAgent) | summarize make_list(UserAgent));\\nlet fullUAList = array_concat(knownUserAgents,customUserAgents);\\n_Im_WebSession(httpuseragent_has_any=fullUAList)\\n| project SrcIpAddr, Url, TimeGenerated,HttpUserAgent, SrcUsername\",\"customDetails\":{\"UserAgent\":\"HttpUserAgent\"},\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"SrcUsername\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Host {{SrcIpAddr}} is potentially running PowerShell\",\"alertDescriptionFormat\":\"The host at address {{SrcIpAddr}} sent an HTTP request to the URL {{Url}} with the HTTP user agent header {{HttpUserAgent}}. This user agent is known to be used by PoerShell and indicates suspicious activity on the host.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"CommandAndControl\",\"DefenseEvasion\"],\"displayName\":\"A host is potentially running PowerShell to send HTTP(S) requests (ASIM Web Session schema)\",\"description\":\"This rule identifies a web request with a user agent header known to belong PowerShell. \u003cbr\u003eYou can add custom Powershell indicating User-Agent headers using a watchlist, for more information refer to the [UnusualUserAgents Watchlist](https://aka.ms/ASimUnusualUserAgentsWatchlist).\u003cbr\u003e\u003cbr\u003e\\n This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema)\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2021-12-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/56fe0db0-6779-46fa-b3c5-006082a53064\",\"name\":\"56fe0db0-6779-46fa-b3c5-006082a53064\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let tokens = dynamic([\\\"416\\\",\\\"208\\\",\\\"128\\\",\\\"120\\\",\\\"96\\\",\\\"80\\\",\\\"72\\\",\\\"64\\\",\\\"48\\\",\\\"44\\\",\\\"40\\\",\\\"g5\\\",\\\"gs5\\\",\\\"g4\\\",\\\"gs4\\\",\\\"nc12\\\",\\\"nc24\\\",\\\"nv12\\\"]);\\nlet operationList = dynamic([\\\"microsoft.compute/virtualmachines/write\\\", \\\"microsoft.resources/deployments/write\\\"]);\\nAzureActivity\\n| where tolower(OperationNameValue) in (operationList)\\n| where ActivityStatusValue == \\\"Accepted\\\" \\n| where isnotempty(Properties)\\n| extend vmSize = tolower(tostring(parse_json(tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).responseBody)).properties)).hardwareProfile)).vmSize))\\n| where isnotempty(vmSize)\\n| where vmSize has_any (tokens) \\n| extend ComputerName = tostring(parse_json(tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).responseBody)).properties)).osProfile)).computerName)\\n| extend clientIpAddress = tostring(parse_json(HTTPRequest).clientIpAddress)\\n| project TimeGenerated, OperationNameValue, ActivityStatusValue, Caller, CallerIpAddress, ComputerName, vmSize\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"NRT Creation of expensive computes in Azure\",\"description\":\"Identifies the creation of large size/expensive VMs (GPU or with large no of virtual CPUs) in Azure.\\nAdversary may create new or update existing virtual machines sizes to evade defenses \\nor use it for cryptomining purposes.\\nFor Windows/Linux Vm Sizes - https://docs.microsoft.com/azure/virtual-machines/windows/sizes \\nAzure VM Naming Conventions - https://docs.microsoft.com/azure/virtual-machines/vm-naming-conventions\",\"lastUpdatedDateUTC\":\"2022-03-31T00:00:00Z\",\"createdDateUTC\":\"2020-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5d33fc63-b83b-4913-b95e-94d13f0d379f\",\"name\":\"5d33fc63-b83b-4913-b95e-94d13f0d379f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.0\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet fileHashIndicators = ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n| where isnotempty(FileHashValue);\\n// Handle matches against both lower case and uppercase versions of the hash:\\n(fileHashIndicators | extend FileHashValue = tolower(FileHashValue)\\n| union (fileHashIndicators | extend FileHashValue = toupper(FileHashValue)))\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n CommonSecurityLog | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(FileHash)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n )\\non $left.FileHashValue == $right.FileHash\\n| where CommonSecurityLog_TimeGenerated \u003c ExpirationDateTime\\n| summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, FileHashValue\\n| project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nSourceIP, SourcePort, DestinationIP, DestinationPort, SourceUserID, SourceUserName, DeviceName, DeviceAction,\\nRequestURL, DestinationUserName, DestinationUserID, ApplicationProtocol, Activity, FileHashValue, FileHashType\\n| extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, AccountCustomEntity = SourceUserName, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Value\",\"columnName\":\"FileHashValue\"},{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashType\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map File Hash to CommonSecurityLog Event\",\"description\":\"Identifies a match in CommonSecurityLog Event data from any FileHash IOC from TI\",\"lastUpdatedDateUTC\":\"2022-07-07T00:00:00Z\",\"createdDateUTC\":\"2019-08-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1f3b4dfd-21ff-4ed3-8e27-afc219e05c50\",\"name\":\"1f3b4dfd-21ff-4ed3-8e27-afc219e05c50\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n| where LoggedByService =~ \\\"PIM\\\"\\n| where Category =~ \\\"RoleManagement\\\"\\n| where ActivityDisplayName has \\\"Disable PIM Alert\\\"\\n| extend IpAddress = case(\\n isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)) and tostring(parse_json(tostring(InitiatedBy.user)).ipAddress) != \u0027null\u0027, tostring(parse_json(tostring(InitiatedBy.user)).ipAddress), \\n isnotempty(tostring(parse_json(tostring(InitiatedBy.app)).ipAddress)) and tostring(parse_json(tostring(InitiatedBy.app)).ipAddress) != \u0027null\u0027, tostring(parse_json(tostring(InitiatedBy.app)).ipAddress),\\n \u0027Not Available\u0027)\\n| extend InitiatedBy = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)), \\n tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName)), UserRoles = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n| project InitiatedBy, ActivityDateTime, ActivityDisplayName, IpAddress, AADOperationType, AADTenantId, ResourceId, CorrelationId, Identity\\n| extend timestamp = ActivityDateTime, IPCustomEntity = IpAddress, AccountCustomEntity = tolower(InitiatedBy), ResourceCustomEntity = ResourceId\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Detect PIM Alert Disabling activity\",\"description\":\"Privileged Identity Management (PIM) generates alerts when there is suspicious or unsafe activity in Azure Active Directory (Azure AD) organization. \\nThis query will help detect attackers attempts to disable in product PIM alerts which are associated with Azure MFA requirements and could indicate activation of privileged access\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-09-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d99cf5c3-d660-436c-895b-8a8f8448da23\",\"name\":\"d99cf5c3-d660-436c-895b-8a8f8448da23\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"SigninLogs\\n| where ResultType == 500121\\n| extend additionalDetails_ = tostring(Status.additionalDetails)\\n| where additionalDetails_ =~ \\\"MFA denied; user declined the authentication\\\"\\n| extend AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"AadUserId\",\"columnName\":\"UserId\"},{\"identifier\":\"AadTenantId\",\"columnName\":\"AADTenantId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"MFA Rejected by User\",\"description\":\"Identifies accurances where a user has rejected an MFA prompt. This could be an indicator that a threat actor has compromised the username and password of this user account and is using it to try and log into the account.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d0aa8969-1bbe-4da3-9e76-09e5f67c9d85\",\"name\":\"d0aa8969-1bbe-4da3-9e76-09e5f67c9d85\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n AzureDiagnostics\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where ResourceProvider == \u0027MICROSOFT.SQL\u0027\\n | where Category == \u0027SQLSecurityAuditEvents\u0027\\n | extend SQLSecurityAuditEvents_TimeGenerated = TimeGenerated\\n // projecting fields with column if exists as this is in AzureDiag and if the event is not in the table, then queries will fail due to event specific schemas\\n | extend ClientIP = column_ifexists(\\\"client_ip_s\\\", \\\"Not Available\\\"), Action = column_ifexists(\\\"action_name_s\\\", \\\"Not Available\\\"), \\n Application = column_ifexists(\\\"application_name_s\\\", \\\"Not Available\\\"), HostName = column_ifexists(\\\"host_name_s\\\", \\\"Not Available\\\")\\n)\\non $left.TI_ipEntity == $right.ClientIP\\n| where SQLSecurityAuditEvents_TimeGenerated \u003c ExpirationDateTime\\n| summarize SQLSecurityAuditEvents_TimeGenerated = arg_max(SQLSecurityAuditEvents_TimeGenerated, *) by IndicatorId, ClientIP\\n| project SQLSecurityAuditEvents_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, ResourceId, ClientIP, Action, Application, HostName, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = SQLSecurityAuditEvents_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to Azure SQL Security Audit Events\",\"description\":\"Identifies a match in SQLSecurityAuditEvents from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4a3f5ed7-8da5-4ce2-af6f-c9ada45060f2\",\"name\":\"4a3f5ed7-8da5-4ce2-af6f-c9ada45060f2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @\u0027^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$\u0027;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n OfficeActivity | where TimeGenerated \u003e= ago(dt_lookBack) and isnotempty(UserId)\\n | where UserId matches regex emailregex\\n | extend OfficeActivity_TimeGenerated = TimeGenerated\\n)\\non $left.EmailSenderAddress == $right.UserId\\n| where OfficeActivity_TimeGenerated \u003c ExpirationDateTime\\n| summarize OfficeActivity_TimeGenerated = arg_max(OfficeActivity_TimeGenerated, *) by IndicatorId, UserId\\n| project OfficeActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, UserId, ClientIP, Operation, UserType, RecordType, OfficeWorkload, Parameters\\n| extend timestamp = OfficeActivity_TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map Email entity to OfficeActivity\",\"description\":\"Identifies a match in OfficeActivity table from any Email IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/44a555d8-ecee-4a25-95ce-055879b4b14b\",\"name\":\"44a555d8-ecee-4a25-95ce-055879b4b14b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let timeBin = 10m;\\nlet portThreshold = 30;\\nW3CIISLog\\n| extend scStatusFull = strcat(scStatus, \\\".\\\",scSubStatus) \\n// Map common IIS codes\\n| extend scStatusFull_Friendly = case(\\nscStatusFull == \\\"401.0\\\", \\\"Access denied.\\\",\\nscStatusFull == \\\"401.1\\\", \\\"Logon failed.\\\",\\nscStatusFull == \\\"401.2\\\", \\\"Logon failed due to server configuration.\\\",\\nscStatusFull == \\\"401.3\\\", \\\"Unauthorized due to ACL on resource.\\\",\\nscStatusFull == \\\"401.4\\\", \\\"Authorization failed by filter.\\\",\\nscStatusFull == \\\"401.5\\\", \\\"Authorization failed by ISAPI/CGI application.\\\",\\nscStatusFull == \\\"403.0\\\", \\\"Forbidden.\\\",\\nscStatusFull == \\\"403.4\\\", \\\"SSL required.\\\",\\n\\\"See - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\\")\\n// Mapping to Hex so can be mapped using website in comments above\\n| extend scWin32Status_Hex = tohex(tolong(scWin32Status)) \\n// Map common win32 codes\\n| extend scWin32Status_Friendly = case(\\nscWin32Status_Hex =~ \\\"775\\\", \\\"The referenced account is currently locked out and cannot be logged on to.\\\",\\nscWin32Status_Hex =~ \\\"52e\\\", \\\"Logon failure: Unknown user name or bad password.\\\",\\nscWin32Status_Hex =~ \\\"532\\\", \\\"Logon failure: The specified account password has expired.\\\",\\nscWin32Status_Hex =~ \\\"533\\\", \\\"Logon failure: Account currently disabled.\\\", \\nscWin32Status_Hex =~ \\\"2ee2\\\", \\\"The request has timed out.\\\", \\nscWin32Status_Hex =~ \\\"0\\\", \\\"The operation completed successfully.\\\", \\nscWin32Status_Hex =~ \\\"1\\\", \\\"Incorrect function.\\\", \\nscWin32Status_Hex =~ \\\"2\\\", \\\"The system cannot find the file specified.\\\", \\nscWin32Status_Hex =~ \\\"3\\\", \\\"The system cannot find the path specified.\\\", \\nscWin32Status_Hex =~ \\\"4\\\", \\\"The system cannot open the file.\\\", \\nscWin32Status_Hex =~ \\\"5\\\", \\\"Access is denied.\\\", \\nscWin32Status_Hex =~ \\\"8009030e\\\", \\\"SEC_E_NO_CREDENTIALS\\\", \\nscWin32Status_Hex =~ \\\"8009030C\\\", \\\"SEC_E_LOGON_DENIED\\\", \\n\\\"See - https://msdn.microsoft.com/library/cc231199.aspx\\\")\\n// decode URI when available\\n| extend decodedUriQuery = url_decode(csUriQuery)\\n// Count of attempts by client IP on many ports\\n| summarize makeset(sPort), makeset(decodedUriQuery), makeset(csUserName), makeset(sSiteName), makeset(sPort), makeset(csUserAgent), makeset(csMethod), makeset(csUriQuery), makeset(scStatusFull), makeset(scStatusFull_Friendly), makeset(scWin32Status_Hex), makeset(scWin32Status_Friendly), ConnectionsCount = count() by bin(TimeGenerated, timeBin), cIP, Computer, sIP\\n| extend portCount = arraylength(set_sPort)\\n| where portCount \u003e= portThreshold\\n| project TimeGenerated, cIP, set_sPort, set_csUserName, set_decodedUriQuery, Computer, set_sSiteName, sIP, set_csUserAgent, set_csMethod, set_scStatusFull, set_scStatusFull_Friendly, set_scWin32Status_Hex, set_scWin32Status_Friendly, ConnectionsCount, portCount\\n| order by portCount\\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"High count of connections by client IP on many ports\",\"description\":\"Identifies when 30 or more ports are used for a given client IP in 10 minutes occurring on the IIS server.\\nThis could be indicative of attempted port scanning or exploit attempt at internet facing web applications. \\nThis could also simply indicate a misconfigured service or device.\\nReferences:\\nIIS status code mapping - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\nWin32 Status code mapping - https://msdn.microsoft.com/library/cc231199.aspx\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-03-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2de8abd6-a613-450e-95ed-08e503369fb3\",\"name\":\"2de8abd6-a613-450e-95ed-08e503369fb3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"AzureDiagnostics\\n| where details_data_s has \\\"jndi:\\\"\\n| parse details_data_s with * \u0027${\u0027 MaliciousCommand \u0027}\u0027 *\\n| extend EncodeCmd = iff(MaliciousCommand has \u0027Base64/\u0027, split(split(MaliciousCommand, \\\"Base64/\\\",1)[0], \\\"}\\\", 0)[0], \\\"\\\")\\n| extend EncodeCmd1 = iff(MaliciousCommand has \u0027base64/\u0027, split(split(MaliciousCommand, \\\"base64/\\\",1)[0], \\\"}\\\", 0)[0], \\\"\\\")\\n| extend CmdLine = iff( isnotempty(EncodeCmd), EncodeCmd, EncodeCmd1)\\n| extend DecodedCmdLine = base64_decode_tostring(tostring(CmdLine))\\n| extend DecodedCmdLine = iff( isnotempty(DecodedCmdLine), DecodedCmdLine, \\\"Unable to decode\\\")\\n| project TimeGenerated, Target=hostname_s, MaliciousHost = clientIp_s, MaliciousCommand, details_data_s, DecodedCmdLine, Message, ruleSetType_s, OperationName, SubscriptionId, details_message_s, details_file_s \\n| extend IPCustomEntity = MaliciousHost, timestamp = TimeGenerated\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Azure WAF matching for Log4j vuln(CVE-2021-44228)\",\"description\":\"This query will alert on a positive pattern match by Azure WAF for CVE-2021-44228 log4j vulnerability exploitation attempt. If possible, it then decodes the malicious command for further analysis.\\n Refrence: https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-12-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"WAF\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/972c89fa-c969-4d12-932f-04d55d145299\",\"name\":\"972c89fa-c969-4d12-932f-04d55d145299\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"( union isfuzzy=true\\n(SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| extend FileName = Process, ProcessCommandLine = CommandLine\\n| where (FileName in~(\u0027control.exe\u0027,\u0027rundll32.exe\u0027) and ProcessCommandLine has \u0027.cpl:\u0027)\\n or ProcessCommandLine matches regex @\u0027\\\\\\\".[a-zA-Z]{2,4}:\\\\.\\\\.\\\\/\\\\.\\\\.\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(DeviceProcessEvents\\n| where (FileName in~(\u0027control.exe\u0027,\u0027rundll32.exe\u0027) and ProcessCommandLine has \u0027.cpl:\u0027)\\nor ProcessCommandLine matches regex @\u0027\\\\\\\".[a-zA-Z]{2,4}:\\\\.\\\\.\\\\/\\\\.\\\\.\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountUpn, HostCustomEntity = DeviceName\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1 \\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| extend Image = column_ifexists(\\\"Image\\\", \\\"\\\"), ProcessCommandLine = column_ifexists(\\\"CommandLine\\\", \\\"\\\")\\n| extend FileName = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n| where (FileName in~(\u0027control.exe\u0027,\u0027rundll32.exe\u0027) and ProcessCommandLine has \u0027.cpl:\u0027)\\n or ProcessCommandLine matches regex @\u0027\\\\\\\".[a-zA-Z]{2,4}:\\\\.\\\\.\\\\/\\\\.\\\\.\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"MSHTML vulnerability CVE-2021-40444 attack\",\"description\":\"This query detects attacks that exploit the CVE-2021-40444 MSHTML vulnerability using specially crafted Microsoft Office documents. \\n The detection searches for relevant files used in the attack along with regex matches in commnadline to look for pattern similar to : \\\".cpl:../../msword.inf\\\"\\n Refrence: https://www.microsoft.com/security/blog/2021/09/15/analyzing-attacks-that-exploit-the-mshtml-cve-2021-40444-vulnerability/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-09-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4ca74dc0-8352-4ac5-893c-73571cc78331\",\"name\":\"4ca74dc0-8352-4ac5-893c-73571cc78331\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let keywords = dynamic([\\\"secret\\\", \\\"secrets\\\", \\\"password\\\", \\\"PAT\\\", \\\"passwd\\\", \\\"pswd\\\", \\\"pwd\\\", \\\"cred\\\", \\\"creds\\\", \\\"credentials\\\", \\\"credential\\\", \\\"key\\\"]);\\nAzureDevOpsAuditing\\n| where OperationName =~ \\\"Library.VariableGroupModified\\\"\\n| extend Type = tostring(Data.Type)\\n| extend VariableGroupId = tostring(Data.VariableGroupId)\\n| extend VariableGroupName = tostring(Data.VariableGroupName)\\n| mv-expand Data.Variables\\n| where VariableGroupName has_any (keywords) or Data_Variables has_any (keywords)\\n| where Type != \\\"AzureKeyVault\\\"\\n| where Data_Variables !has \\\"IsSecret\\\"\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Azure DevOps Variable Secret Not Secured\",\"description\":\"Credentials used in the build process may be stored as Azure DevOps variables. To secure these variables they should be stored in KeyVault or marked as Secrets. \\nThis detection looks for new variables added with names that suggest they are credentials but where they are not set as Secrets or stored in KeyVault.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cc5780ce-3245-4bba-8bc1-e9048c2257ce\",\"name\":\"cc5780ce-3245-4bba-8bc1-e9048c2257ce\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n | where Category =~ \\\"ApplicationManagement\\\"\\n | where OperationName =~ \\\"Add owner to application\\\"\\n | extend appName = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n | extend UPN = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend UpdatedBy = iif(isnotempty(appName), appName, UPN)\\n | extend mod_props = TargetResources[0].modifiedProperties\\n | extend AddedUser = TargetResources[0].userPrincipalName\\n | mv-expand mod_props\\n | where mod_props.displayName =~ \\\"Application.DisplayName\\\"\\n | extend AppName = tostring(parse_json(tostring(mod_props.newValue)))\\n | project-reorder TimeGenerated, OperationName, AppName, AddedUser, UpdatedBy\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UpdatedBy\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddedUser\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Changes to Application Ownership\",\"description\":\"Detects changes to the ownership of an appplicaiton.\\n Monitor these changes to make sure that they were authorized.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-applications#new-owner\",\"lastUpdatedDateUTC\":\"2022-07-09T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/15049017-527f-4d3b-b011-b0e99e68ef45\",\"name\":\"15049017-527f-4d3b-b011-b0e99e68ef45\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let procList = externaldata(Process:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Microsoft_Lolbas_Execution_Binaries.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nSecurityEvent\\n| where EventID == 4688 and Process has_any (procList) and not (NewProcessName has (\\\"C:\\\\\\\\Windows\\\\\\\\\\\"))\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, SubjectUserName, NewProcessName, Process, CommandLine\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SubjectUserName\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLine\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"Windows Binaries Executed from Non-Default Directory\",\"description\":\"The query detects Windows binaries, that can be executed from a non-default directory (e.g. C:\\\\Windows\\\\, C:\\\\Windows\\\\System32 etc.). \\nRef: https://lolbas-project.github.io/\",\"lastUpdatedDateUTC\":\"2022-02-15T00:00:00Z\",\"createdDateUTC\":\"2022-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2f4165a6-c4fb-4e94-861e-37f1b4d6c0e6\",\"name\":\"2f4165a6-c4fb-4e94-861e-37f1b4d6c0e6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"// Adjust this to use a longer timeframe to identify ADFS servers\\n//let lookback = 0d;\\n// Adjust this to adjust detection timeframe\\n//let timeframe = 1d;\\n// SamAccountName of AD FS Service Account. Filter on the use of a specific AD FS user account\\n//let adfsuser = \u0027adfsadmin\u0027;\\n// Identify ADFS Servers\\nlet ADFS_Servers = (\\n SecurityEvent\\n //| where TimeGenerated \u003e ago(timeframe+lookback)\\n | where EventSourceName == \u0027AD FS Auditing\u0027\\n | distinct Computer\\n);\\nSecurityEvent\\n //| where TimeGenerated \u003e ago(timeframe)\\n | where Computer in~ (ADFS_Servers)\\n // A token of type \u0027http://schemas.microsoft.com/ws/2006/05/servicemodel/tokens/SecureConversation\u0027\\n // for relying party \u0027-\u0027 was successfully authenticated.\\n | where EventID == 412\\n | extend EventData = parse_xml(EventData).EventData.Data\\n | extend InstanceId = tostring(EventData[0])\\n| join kind=inner\\n(\\n SecurityEvent\\n //| where TimeGenerated \u003e ago(timeframe)\\n | where Computer in~ (ADFS_Servers)\\n // Events to identify caller identity from event 412\\n | where EventID == 501\\n | extend EventData = parse_xml(EventData).EventData.Data\\n | where tostring(EventData[1]) contains \u0027identity/claims/name\u0027\\n | extend InstanceId = tostring(EventData[0])\\n | extend ClaimsName = tostring(EventData[2])\\n // Filter on the use of a specific AD FS user account\\n //| where ClaimsName contains adfsuser\\n)\\non $left.InstanceId == $right.InstanceId\\n| join kind=inner\\n(\\n SecurityEvent\\n | where EventID == 5156\\n | where Computer in~ (ADFS_Servers)\\n | extend EventData = parse_xml(EventData).EventData.Data\\n | mv-expand bagexpansion=array EventData\\n | evaluate bag_unpack(EventData)\\n | extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n | evaluate pivot(Key, any(Value), TimeGenerated, Computer, EventID)\\n | extend DestPort = column_ifexists(\\\"DestPort\\\", \\\"\\\"),\\n Direction = column_ifexists(\\\"Direction\\\", \\\"\\\"),\\n Application = column_ifexists(\\\"Application\\\", \\\"\\\"),\\n DestAddress = column_ifexists(\\\"DestAddress\\\", \\\"\\\"),\\n SourceAddress = column_ifexists(\\\"SourceAddress\\\", \\\"\\\"),\\n SourcePort = column_ifexists(\\\"SourcePort\\\", \\\"\\\")\\n // Look for inbound connections from endpoints on port 80\\n | where DestPort == 80 and Direction == \u0027%%14592\u0027 and Application == \u0027System\u0027\\n | where DestAddress !in (\u0027::1\u0027,\u00270:0:0:0:0:0:0:1\u0027) \\n)\\non $left.Computer == $right.Computer\\n| project TimeGenerated, Computer, ClaimsName, SourceAddress, SourcePort\\n| extend HostCustomEntity = Computer, AccountCustomEntity = ClaimsName, IPCustomEntity = SourceAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Collection\"],\"displayName\":\"AD FS Remote Auth Sync Connection\",\"description\":\"This detection uses Security events from the \\\"AD FS Auditing\\\" provider to detect suspicious authentication events on an AD FS server. The results then get\\ncorrelated with events from the Windows Filtering Platform (WFP) to detect suspicious incoming network traffic on port 80 on the AD FS server.\\nThis could be a sign of a threat actor trying to use replication services on the AD FS server to get its configuration settings and extract\\nsensitive information such as AD FS certificates.\\nIn order to use this query you need to enable AD FS auditing on the AD FS Server.\\nReference: https://twitter.com/OTR_Community/status/1387038995016732672\\n\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-04-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d992b87b-eb49-4a9d-aa96-baacf9d26247\",\"name\":\"d992b87b-eb49-4a9d-aa96-baacf9d26247\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let IPList = dynamic([\\\"185.63.90.137\\\"]); \\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\nlet sha256Hashes = \\ndynamic([\\\"53854c6d163bfd0c56d8b297ac43bd25c21f696de6063031241e792ee65df441\\\",\\n\\\"c297e545b8f150cc5ff56dbb68dc74fe30a421d9d40f38f4a53083192697c44c\\\",\\n\\\"17921368901f23e0cad0d2fe4ce5694aebaf4727699ed0358117500701914d1b\\\",\\n\\\"198a2d42df010d838b4207f478d885ef36e3db13b1744d673e221b828c28bf77\\\",\\n\\\"71d7b48c2fdc7b57b104a7858a35165bbed21d2fa7e34828d6c1d50b2b33a1d0\\\",\\n\\\"601227d52c6e367e11b80240183d07d38bc11a88e844e8401fce17eb25e92ba8\\\",\\n\\\"63ff04bed4fdb120a9cb9b1ea7fd88e83f12fb01ab6a057088f8016e663b48d4\\\",\\n\\\"a3037c3389b811bc1404f719af5c8b9034c5e24710cf3a0b457d28bf1b922cf7\\\",\\n\\\"e19b8be1b21c066d60725e550f8455f824065abbf1b43f7b2fe4fb338b241ffc\\\",\\n\\\"a3037c3389b811bc1404f719af5c8b9034c5e24710cf3a0b457d28bf1b922cf7\\\"\\n]);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList) \\n| project TimeGenerated, SourceIP, DestinationIP, Message, SourceUserID, RequestURL\\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", MessageIP in (IPList), \\\"Message\\\", \\\"NoMatch\\\")\\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, \\\"NoMatch\\\"), AccountCustomEntity = SourceUserID\\n),\\n(DeviceNetworkEvents\\n| where RemoteIP in (IPList) or InitiatingProcessSHA256 in (sha256Hashes) \\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort, LocalIP\\n| extend timestamp = TimeGenerated, DNSName = RemoteUrl, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName\\n),\\n(WindowsFirewall\\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| project TimeGenerated, Computer, CommunicationDirection, SourceIP, DestinationIP, SourcePort, DestinationPort\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\")\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| project TimeGenerated,Resource, msg_s\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost) \\n| where SourceHost in (IPList) or DestinationHost in (IPList)\\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost\\n),\\n(DeviceFileEvents\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RequestAccountName, RequestSourceIP, InitiatingProcessSHA256\\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n| where FileHash in (sha256Hashes)\\n),\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, SourceUserID, FileHash\\n| extend timestamp = TimeGenerated, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(DeviceEvents\\n| where InitiatingProcessSHA256 in~ (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256\\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(SecurityEvent\\n| where EventID == \u00274688\u0027\\n| where CommandLine has_any (IPList) \\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName\\n),\\n(WindowsEvent\\n| where EventID == \u00274688\u0027 and has_any_ipv4(EventData, toscalar(IPList)) \\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| where NewProcessName in (IPList) \\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| extend Account = strcat(EventData.SubjectDomainName,\\\"\\\\\\\\\\\", EventData.SubjectUserName)\\n| extend NewProcessId = tostring(EventData.NewProcessId)\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Alert for IOCs related to Windows/ELF malware - IP, Hash IOCs - September 2021\",\"description\":\"Identifies a match across various data feeds for IP,hashes and IOCs related to Windows/ELF malware published by Black Lotus Labs\\nReference: \\nhttps://blog.lumen.com/no-longer-just-theory-black-lotus-labs-uncovers-linux-executables-deployed-as-stealth-windows-loaders\\nhttps://github.com/ManuelBerrueta/YARA-rules/blob/master/BlackLotusLabs-WSLMalware/BLL_SneakyWSL.yar\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-09-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceFileEvents\",\"DeviceEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ce1e7025-866c-41f3-9b08-ec170e05e73e\",\"name\":\"ce1e7025-866c-41f3-9b08-ec170e05e73e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"let SunburstURL=dynamic([\\\"panhardware.com\\\",\\\"databasegalore.com\\\",\\\"avsvmcloud.com\\\",\\\"freescanonline.com\\\",\\\"thedoccloud.com\\\",\\\"deftsecurity.com\\\"]);\\nDeviceNetworkEvents\\n| where ActionType == \\\"ConnectionSuccess\\\"\\n| where RemoteUrl in(SunburstURL)\\n| extend\\n timestamp = TimeGenerated,\\n AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName),\\n HostCustomEntity = DeviceName,\\n FileHashCustomEntity = InitiatingProcessMD5, \\n HashAlgorithm = \u0027MD5\u0027,\\n URLCustomEntity = RemoteUrl,\\n IPCustomEntity = RemoteIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"HashAlgorithm\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Execution\",\"Persistence\",\"InitialAccess\"],\"displayName\":\"SUNBURST network beacons\",\"description\":\"Identifies SolarWinds SUNBURST domain beacon IOCs in DeviceNetworkEvents\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2020-12-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/baedfdf4-7cc8-45a1-81a9-065821628b83\",\"name\":\"baedfdf4-7cc8-45a1-81a9-065821628b83\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let runningRAT_parameters = dynamic([\u0027/ui/chk\u0027, \u0027mactok=\u0027, \u0027UsRnMe=\u0027, \u0027IlocalP=\u0027, \u0027kMnD=\u0027]);\\nCommonSecurityLog\\n| where RequestMethod == \\\"GET\\\"\\n| project TimeGenerated, DeviceVendor, DeviceProduct, DeviceAction, DestinationDnsDomain, DestinationIP, RequestURL, SourceIP, SourceHostName, RequestClientApplication\\n| where RequestURL has_any (runningRAT_parameters)\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DestinationIP\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"SourceHostName\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"RequestURL\"}]}],\"tactics\":[\"Exfiltration\",\"CommandAndControl\"],\"displayName\":\"RunningRAT request parameters\",\"description\":\"This detection will alert when RunningRAT URI parameters or paths are detect in an HTTP request. Id the device blocked this communication\\npresence of this alert means the RunningRAT implant is likely still executing on the source host.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2022-05-31T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4d8de9e6-263e-4845-8618-cd23a4f58b70\",\"name\":\"4d8de9e6-263e-4845-8618-cd23a4f58b70\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT3H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 3h;\\n// Add full UPN (user@domain.com) to Authorized Bypassers to ignore policy bypasses by certain authorized users\\nlet AuthorizedBypassers = dynamic([\u0027foo@baz.com\u0027, \u0027test@foo.com\u0027]);\\nlet historicBypassers = AzureDevOpsAuditing\\n| where TimeGenerated between (ago(starttime) .. ago(endtime))\\n| where OperationName == \u0027Git.RefUpdatePoliciesBypassed\u0027\\n| distinct ActorUPN;\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e= ago(endtime)\\n| where OperationName == \u0027Git.RefUpdatePoliciesBypassed\u0027\\n| where ActorUPN !in (historicBypassers) and ActorUPN !in (AuthorizedBypassers)\\n| parse ScopeDisplayName with OrganizationName \u0027(Organization)\u0027\\n| project TimeGenerated, ActorUPN, IpAddress, UserAgent, OrganizationName, ProjectName, RepoName = Data.RepoName, AlertDetails = Details, Branch = Data.Name, \\n BypassReason = Data.BypassReason, PRLink = strcat(\u0027https://dev.azure.com/\u0027, OrganizationName, \u0027/\u0027, ProjectName, \u0027/_git/\u0027, Data.RepoName, \u0027/pullrequest/\u0027, Data.PullRequestId)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Azure DevOps Pull Request Policy Bypassing - Historic allow list\",\"description\":\"This detection builds an allow list of historic PR policy bypasses and compares to recent history, flagging pull request bypasses that are not manually in the allow list and not historically included in the allow list.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2020-06-04T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/75bf9902-0789-47c1-a5d8-f57046aa72df\",\"name\":\"75bf9902-0789-47c1-a5d8-f57046aa72df\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let procList = externaldata(Process:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Microsoft_Lolbas_Execution_Binaries.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet ProcessCreationEvents=() {\\nlet processEvents=(union isfuzzy=true\\n(SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, NewProcessName,\\nFileName = Process, CommandLine, ParentProcessName\\n),\\n(WindowsEvent\\n| where EventID==4688 and EventData has_any (procList) and EventData has \\\":\\\\\\\\recycler\\\"\\n| extend CommandLine = tostring(EventData.CommandLine)\\n| where isnotempty(CommandLine)\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName) \\n| extend NewProcessName = tostring(EventData.NewProcessName) \\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, NewProcessName,\\nFileName = Process, CommandLine, ParentProcessName\\n));\\nprocessEvents};\\nProcessCreationEvents \\n| where FileName in~ (procList)\\n| where CommandLine contains \\\":\\\\\\\\recycler\\\"\\n| project StartTimeUtc = TimeGenerated, Computer, Account, NewProcessName, FileName, CommandLine, ParentProcessName\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Malware in the recycle bin\",\"description\":\"The query detects Windows binaries, that can be used for executing malware, that have been hidden in the recycle bin. \\n The list of these binaries are sourced from https://lolbas-project.github.io/\\n References: https://azure.microsoft.com/blog/how-azure-security-center-helps-reveal-a-cyberattack/.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2018-09-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e2399891-383c-4caf-ae67-68a008b9f89e\",\"name\":\"e2399891-383c-4caf-ae67-68a008b9f89e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let HAS_ANY_MAX = 10000;\\nlet dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet IP_TI=ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = coalesce(NetworkIP, NetworkDestinationIP, NetworkSourceIP,EmailSourceIpAddress,\\\"NO_IP\\\")\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where TI_ipEntity != \\\"NO_IP\\\";\\nlet IP_TI_list=toscalar(IP_TI | summarize NIoCs=dcount(TI_ipEntity), IoCs=make_set( TI_ipEntity)\\n | project IoCs=iff(NIoCs \u003e HAS_ANY_MAX, dynamic([]), IoCs));\\nIP_TI\\n // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n | join kind=innerunique \\n (\\n union \\n (\\n _Im_NetworkSession (starttime=ago(dt_lookBack), dstipaddr_has_any_prefix=IP_TI_list)\\n | where isnotempty(SrcIpAddr)\\n // renaming time column so it is clear the log this came from\\n | extend imNWS_TimeGenerated = TimeGenerated, IoCIP=DstIpAddr, IoCIPDirection=\u0027Destination\u0027\\n ),\\n (\\n _Im_NetworkSession (starttime=ago(dt_lookBack), srcipaddr_has_any_prefix=IP_TI_list)\\n | where isnotempty(DstIpAddr)\\n // renaming time column so it is clear the log this came from\\n | extend imNWS_TimeGenerated = TimeGenerated, IoCIP=SrcIpAddr, IoCIPDirection=\u0027Source\u0027\\n )\\n)on $left.TI_ipEntity == $right.IoCIP\\n| where imNWS_TimeGenerated \u003c ExpirationDateTime\\n| summarize imNWS_TimeGenerated = arg_max(imNWS_TimeGenerated , *) by IndicatorId, IoCIP, IoCIPDirection\\n| project imNWS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, Dvc, SrcIpAddr, DstIpAddr, IoCIPDirection, IoCIP\",\"customDetails\":{\"EventTime\":\"imNWS_TimeGenerated\",\"IoCDescription\":\"Description\",\"ActivityGroupNames\":\"ActivityGroupNames\",\"IndicatorId\":\"IndicatorId\",\"ThreatType\":\"ThreatType\",\"IoCExpirationTime\":\"ExpirationDateTime\",\"IoCConfidenceScore\":\"ConfidenceScore\",\"IoCIPDirection\":\"IoCIPDirection\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IoCIP\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"A network session {{IoCIPDirection}} address {{IoCIP}} matched an IoC.\",\"alertDescriptionFormat\":\"The {{IoCIPDirection}} address {{IoCIP}} of a network session matched a known indicator of compromise of {{ThreatType}}. Consult the threat intelligence blead for more information on the indicator.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"Impact\"],\"displayName\":\"(Preview) TI map IP entity to Network Session Events (ASIM Network Session schema)\",\"description\":\"This rule identifies a match Network Sessions for which the source of destination IP address is a known IoC. \u003cbr\u003e\u003cbr\u003e\\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema\",\"lastUpdatedDateUTC\":\"2022-04-27T00:00:00Z\",\"createdDateUTC\":\"2022-03-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8c2ef238-67a0-497d-b1dd-5c8a0f533e25\",\"name\":\"8c2ef238-67a0-497d-b1dd-5c8a0f533e25\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let EventNameList = dynamic([\\\"AuthorizeDBSecurityGroupIngress\\\",\\\"CreateDBSecurityGroup\\\",\\\"DeleteDBSecurityGroup\\\",\\\"RevokeDBSecurityGroupIngress\\\"]);\\nAWSCloudTrail\\n| where EventName in~ (EventNameList)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, UserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion, EventSource, AdditionalEventData, ResponseElements\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Changes to internet facing AWS RDS Database instances\",\"description\":\"Amazon Relational Database Service (RDS) is scalable relational database in the cloud. \\nIf your organization have one or more AWS RDS Databases running, monitoring changes to especially internet facing AWS RDS (Relational Database Service) \\nOnce alerts triggered, validate if changes observed are authorized and adhere to change control policy. \\nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255\\nand RDS API Reference Docs: https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_Operations.html\",\"lastUpdatedDateUTC\":\"2021-11-28T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6ee72a9e-2e54-459c-bc9a-9c09a6502a63\",\"name\":\"6ee72a9e-2e54-459c-bc9a-9c09a6502a63\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.1\",\"severity\":\"High\",\"query\":\"let IPList = dynamic([\\\"216.24.185.74\\\", \\\"107.175.189.159\\\", \\\"192.210.132.102\\\", \\\"67.230.163.214\\\", \\n \\\"199.19.110.240\\\", \\\"107.148.130.176\\\", \\\"154.212.129.218\\\", \\\"172.86.75.54\\\", \\\"45.61.136.199\\\", \\n \\\"149.28.150.195\\\", \\\"108.61.214.194\\\", \\\"144.202.98.198\\\", \\\"149.28.84.98\\\", \\\"103.99.209.78\\\", \\n \\\"45.61.136.2\\\", \\\"176.122.162.149\\\", \\\"192.3.80.245\\\", \\\"149.28.23.32\\\", \\\"107.182.18.149\\\", \\\"107.174.45.134\\\", \\n \\\"149.248.18.104\\\", \\\"65.49.192.74\\\", \\\"156.255.2.154\\\", \\\"45.76.6.149\\\", \\\"8.9.11.130\\\", \\\"140.238.27.255\\\", \\n \\\"107.182.24.70\\\", \\\"176.122.188.254\\\", \\\"192.161.161.108\\\", \\\"64.64.234.24\\\", \\\"104.224.185.36\\\", \\n \\\"104.233.224.227\\\", \\\"104.36.69.105\\\", \\\"119.28.139.120\\\", \\\"161.117.39.130\\\", \\\"66.42.100.42\\\", \\\"45.76.31.159\\\", \\n \\\"149.248.8.134\\\", \\\"216.24.182.48\\\", \\\"66.42.103.222\\\", \\\"218.89.236.11\\\", \\\"180.150.227.249\\\", \\\"47.75.80.23\\\",\\n \\\"124.156.164.19\\\", \\\"149.248.62.83\\\", \\\"150.109.76.174\\\", \\\"222.209.187.207\\\", \\\"218.38.191.38\\\", \\n \\\"119.28.226.59\\\", \\\"66.42.98.220\\\", \\\"74.82.201.8\\\", \\\"173.242.122.198\\\", \\\"45.32.130.72\\\", \\\"89.35.178.10\\\", \\n \\\"89.43.60.113\\\"]); \\n(union isfuzzy=true \\n(CommonSecurityLog \\n| where isnotempty(SourceIP) or isnotempty(DestinationIP) \\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList) \\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"Message\\\") \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch \\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\") \\n), \\n(OfficeActivity \\n|extend SourceIPAddress = ClientIP, Account = UserId \\n| where SourceIPAddress in (IPList) \\n| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account \\n),\\n(_Im_Dns (response_has_any_prefix=IPList)\\n| extend DestinationIPAddress = ResponseName, Host = SrcIpAddr \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host \\n), \\n(_Im_NetworkSession (srcipaddr_has_any_prefix=IPList)\\n | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Hostname, AccountCustomEntity=User\\n), \\n(_Im_NetworkSession (dstipaddr_has_any_prefix=IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = DstIpAddr, HostCustomEntity = Hostname , AccountCustomEntity = User\\n), \\n(WireData \\n| where isnotempty(RemoteIP) \\n| where RemoteIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer \\n), \\n(SigninLogs \\n| where isnotempty(IPAddress) \\n| where IPAddress in (IPList) \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \\n),\\n(AADNonInteractiveUserSignInLogs \\n| where isnotempty(IPAddress) \\n| where IPAddress in (IPList) \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \\n), \\n(W3CIISLog \\n| where isnotempty(cIP) \\n| where cIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName \\n), \\n(AzureActivity \\n| where isnotempty(CallerIpAddress) \\n| where CallerIpAddress in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller \\n), \\n( \\nAWSCloudTrail \\n| where isnotempty(SourceIpAddress) \\n| where SourceIpAddress in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName \\n), \\n( \\nDeviceNetworkEvents \\n| where isnotempty(RemoteIP) \\n| where RemoteIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName \\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallNetworkRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Known Barium IP\",\"description\":\"Identifies a match across various data feeds for IP IOCs related to the Barium activity group. \\n References: https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer\u0027 \",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2020-11-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AzureMonitor(WireData)\",\"dataTypes\":[\"WireData\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/595a10c9-91be-4abb-bbc7-ae9c57848bef\",\"name\":\"595a10c9-91be-4abb-bbc7-ae9c57848bef\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Low\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ChiaCryptoIOC.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet process = (iocs | where Type =~ \\\"process\\\" | project IoC);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\nlet IPList = (iocs | where Type =~ \\\"ip\\\"| project IoC);\\nlet domains = (iocs | where Type =~ \\\"domainname\\\"| project IoC);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\n//This query uses sysmon data, sections that have - | where Source == \\\"Microsoft-Windows-Sysmon\\\" - may need to be updated with latest\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or DestinationHostName has_any (domains) or RequestURL has_any (domains) or Message has_any (IPList)\\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| project TimeGenerated, SourceIP, DestinationIP, Message, SourceUserID, RequestURL, DNSName, Type\\n| extend MessageIP = extract(IPRegex, 0, Message), RequestIP = extract(IPRegex, 0, RequestURL)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", RequestURL has_any (domains), \\\"RequestUrl\\\", \\\"NoMatch\\\"), AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, IPEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, \\\"NoMatch\\\"), Account = SourceUserID\\n),\\n(DnsEvents\\n| where IPAddresses in (IPList) or Name in~ (domains) \\n| project TimeGenerated, Computer, IPAddresses, Name, ClientIP, Type\\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Computer , AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, IPEntity = DestinationIPAddress\\n),\\n(VMConnection\\n| where SourceIp in (IPList) or DestinationIp in (IPList) or RemoteDnsCanonicalNames has_any (domains)\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| project TimeGenerated, Computer, Direction, ProcessName, SourceIp, DestinationIp, DestinationPort, RemoteDnsQuestions, DNSName,BytesSent, BytesReceived, RemoteCountry, Type\\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", \\\"None\\\") , AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, IPEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"NoMatch\\\"), File = ProcessName\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = tostring(EventDetail.[9].[\\\"#text\\\"]), DestinationIP = tostring(EventDetail.[14].[\\\"#text\\\"]), Image = tostring(EventDetail.[4].[\\\"#text\\\"])\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Image has_any (process)\\n| project TimeGenerated, SourceIP, DestinationIP, Image, Account = UserName, Computer, Type\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\") , AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, File = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), IPEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n| extend FilePath = replace_string(Image, File, \u0027\u0027)\\n), \\n(OfficeActivity\\n| where ClientIP in (IPList) \\n| project TimeGenerated, UserAgent, Operation, RecordType, UserId, ClientIP, AlertDetail = \u0027Chia crypto IOC detected\u0027, Type\\n| extend timestamp = TimeGenerated, IPEntity = ClientIP, Account = UserId\\n),\\n(DeviceNetworkEvents\\n| where RemoteUrl has_any (domains) or RemoteIP in (IPList) or InitiatingProcessSHA256 in (sha256Hashes) or InitiatingProcessFileName has_any (process)\\n| project TimeGenerated, ActionType, DeviceId, Computer = DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort, LocalIP, Type\\n| extend timestamp = TimeGenerated, IPEntity = RemoteIP, AlertDetail = \u0027Chia crypto IOC detected\u0027\\n),\\n(WindowsFirewall\\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| project TimeGenerated, Computer, CommunicationDirection, SourceIP, DestinationIP, SourcePort, DestinationPort, Type\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\"), AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, Computer, IPEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| project TimeGenerated,Resource, msg_s, Type\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where Request_Name has_any (domains) or ClientIP in (IPList)\\n| extend timestamp = TimeGenerated, DNSName = Request_Name, IPEntity = ClientIP, AlertDetail = \u0027Chia crypto IOC detected\u0027\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| project TimeGenerated,Resource, msg_s, Type\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (domains) \\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPEntity = SourceHost, AlertDetail = \u0027Chia crypto IOC detected\u0027\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| where EventDetail has_any (sha256Hashes) \\n| parse EventDetail with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256\\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = SHA256, Image = tostring(EventDetail.[4].[\\\"#text\\\"]), AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, Computer, Account, File = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), FileHashAlgo = \u0027SHA256\u0027\\n| extend FilePath = replace_string(Image, File, \u0027\u0027)\\n),\\n(DeviceFileEvents\\n| where InitiatingProcessFolderPath has_any (process)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RequestAccountName, RequestSourceIP, InitiatingProcessSHA256, Type\\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, Computer, Account, File = InitiatingProcessFileName, FileHashAlgo = \u0027SHA256\u0027\\n| extend FilePath = replace_string(InitiatingProcessFolderPath, File, \u0027\u0027)\\n),\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, SourceUserID, FileHash, Type\\n| extend timestamp = TimeGenerated, AlertDetail = \u0027Chia crypto IOC detected\u0027, FileHashAlgo = \u0027SHA256\u0027, Account = SourceUserID\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| project TimeGenerated, EventDetail, UserName, Computer, Type\\n| extend Image = tostring(EventDetail.[4].[\\\"#text\\\"]), CommandLine = tostring(EventDetail.[10].[\\\"#text\\\"]), Account = UserName, FileHash = tostring(EventDetail.[17].[\\\"#text\\\"]), AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| where Image has_any (process)\\n| extend timestamp = TimeGenerated, Computer, Account, File = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), FileHashAlgo = \u0027SHA256\u0027\\n| extend FilePath= replace_string(Image, File, \u0027\u0027)\\n),\\n(DeviceEvents\\n| where InitiatingProcessFileName has_any (process) or InitiatingProcessSHA256 in~ (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath, AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, Computer, Account, File = InitiatingProcessFileName, FileHashAlgo = \u0027SHA256\u0027\\n| extend FilePath = replace_string(InitiatingProcessFolderPath, File, \u0027\u0027)\\n),\\n(SecurityEvent\\n| where EventID == \u00274688\u0027\\n| where NewProcessName has_any (process)\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type\\n| extend timestamp = TimeGenerated, Computer, Account, File = tostring(split(NewProcessName, \u0027\\\\\\\\\u0027, -1)[-1]), AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend FilePath = replace_string(NewProcessName, File, \u0027\u0027)\\n)\\n)\\n| extend AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPEntity, FileCustomEntity = File, FilePathCustomEntity = FilePath, FileHashCustomEntity = FileHash\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"FileCustomEntity\"},{\"identifier\":\"Directory\",\"columnName\":\"FilePathCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashAlgo\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Chia_Crypto_Mining - Domain, Process, Hash and IP IOCs - June 2021\",\"description\":\"Identifies a match across various data feeds for domains, process, hashes and IP IOC related to Chia cryptocurrency farming/plotting activity.\",\"lastUpdatedDateUTC\":\"2021-12-08T00:00:00Z\",\"createdDateUTC\":\"2021-06-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceFileEvents\",\"DeviceEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/dd0a6029-ecef-4507-89c4-fc355ac52111\",\"name\":\"dd0a6029-ecef-4507-89c4-fc355ac52111\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.0\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation of extracted domains\\nlet list_tlds = ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e ago(ioc_lookBack)\\n| where isnotempty(DomainName)\\n| extend DomainName = tolower(DomainName)\\n| extend parts = split(DomainName, \u0027.\u0027)\\n| extend tld = parts[(array_length(parts)-1)]\\n| summarize count() by tostring(tld)\\n| summarize make_list(tld);\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(DomainName)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n CommonSecurityLog\\n | extend IngestionTime = ingestion_time()\\n | where IngestionTime \u003e ago(dt_lookBack)\\n | where DeviceEventClassID =~ \u0027url\u0027\\n //Uncomment the line below to only alert on allowed connections\\n //| where DeviceAction !~ \\\"block-url\\\"\\n //Extract domain from RequestURL, if not present extarct it from AdditionalExtentions\\n | extend PA_Url = columnifexists(\\\"RequestURL\\\", \\\"None\\\")\\n | extend PA_Url = iif(isempty(PA_Url) and AdditionalExtensions !startswith \\\"PanOS\\\", extract(\\\"([^\\\\\\\"]+)\\\", 1, tolower(AdditionalExtensions)), trim(\u0027\\\"\u0027, PA_Url))\\n | extend PA_Url = iif(PA_Url !startswith \\\"http://\\\" and ApplicationProtocol !~ \\\"ssl\\\", strcat(\u0027http://\u0027, PA_Url), iif(PA_Url !startswith \\\"https://\\\" and ApplicationProtocol =~ \\\"ssl\\\", strcat(\u0027https://\u0027, PA_Url), PA_Url))\\n | extend Domain = trim(@\\\"\\\"\\\"\\\",tostring(parse_url(PA_Url).Host))\\n | where isnotempty(Domain)\\n | extend Domain = tolower(Domain)\\n | extend parts = split(Domain, \u0027.\u0027)\\n //Split out the TLD for the purpose of checking if we have any TI indicators with this TLD to match on\\n | extend tld = parts[(array_length(parts)-1)]\\n //Validate parsed domain by checking TLD against TLDs from threat feed and drop domains where there is no chance of a match\\n | where tld in~ (list_tlds)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n ) on $left.DomainName==$right.Domain\\n| where CommonSecurityLog_TimeGenerated \u003c ExpirationDateTime\\n| summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, FileHashValue\\n| project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, PA_Url, Domain, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DeviceAction, DestinationIP, DestinationPort, DeviceName, SourceIP, SourcePort, ApplicationProtocol, RequestMethod\\n| extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, URLCustomEntity = PA_Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map Domain entity to CommonSecurityLog\",\"description\":\"Identifies a match in CommonSecurityLog table from any Domain IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6c360107-f3ee-4b91-9f43-f4cfd90441cf\",\"name\":\"6c360107-f3ee-4b91-9f43-f4cfd90441cf\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Low\",\"query\":\"union isfuzzy=true \\n(\\n SecurityEvent\\n | where EventID == 4738\\n // 2089 value indicates the Don\u0027t Expire Password value has been set\\n | where UserAccountControl has \\\"%%2089\\\" \\n | extend Value_2089 = iff(UserAccountControl has \\\"%%2089\\\",\\\"\u0027Don\u0027t Expire Password\u0027 - Enabled\\\", \\\"Not Changed\\\")\\n // 2050 indicates that the Password Not Required value is NOT set, this often shows up at the same time as a 2089 and is the recommended value. This value may not be in the event. \\n | extend Value_2050 = iff(UserAccountControl has \\\"%%2050\\\",\\\"\u0027Password Not Required\u0027 - Disabled\\\", \\\"Not Changed\\\")\\n // If value %%2082 is present in the 4738 event, this indicates the account has been configured to logon WITHOUT a password. Generally you should only see this value when an account is created and only in Event 4720: Account Creation Event. \\n | extend Value_2082 = iff(UserAccountControl has \\\"%%2082\\\",\\\"\u0027Password Not Required\u0027 - Enabled\\\", \\\"Not Changed\\\")\\n | project StartTime = TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetSid, AccountType, UserAccountControl, Value_2089, Value_2050, Value_2082, SubjectAccount\\n | extend timestamp = StartTime, AccountCustomEntity = TargetAccount, HostCustomEntity = Computer\\n ),\\n (\\n WindowsEvent\\n | where EventID == 4738 and EventData has \u00272089\u0027\\n // 2089 value indicates the Don\u0027t Expire Password value has been set\\n | extend UserAccountControl = tostring(EventData.UserAccountControl)\\n | where UserAccountControl has \\\"%%2089\\\" \\n | extend Value_2089 = iff(UserAccountControl has \\\"%%2089\\\",\\\"\u0027Don\u0027t Expire Password\u0027 - Enabled\\\", \\\"Not Changed\\\")\\n // 2050 indicates that the Password Not Required value is NOT set, this often shows up at the same time as a 2089 and is the recommended value. This value may not be in the event. \\n | extend Value_2050 = iff(UserAccountControl has \\\"%%2050\\\",\\\"\u0027Password Not Required\u0027 - Disabled\\\", \\\"Not Changed\\\")\\n // If value %%2082 is present in the 4738 event, this indicates the account has been configured to logon WITHOUT a password. Generally you should only see this value when an account is created and only in Event 4720: Account Creation Event. \\n | extend Value_2082 = iff(UserAccountControl has \\\"%%2082\\\",\\\"\u0027Password Not Required\u0027 - Enabled\\\", \\\"Not Changed\\\")\\n | extend Activity=\\\"4738 - A user account was changed.\\\"\\n | extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n | extend TargetSid = tostring(EventData.TargetSid)\\n | extend SubjectAccount = strcat(EventData.SubjectDomainName,\\\"\\\\\\\\\\\", EventData.SubjectUserName)\\n | extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n | extend AccountType=case(SubjectAccount endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n | project StartTime = TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetSid, AccountType, UserAccountControl, Value_2089, Value_2050, Value_2082, SubjectAccount\\n | extend timestamp = StartTime, AccountCustomEntity = TargetAccount, HostCustomEntity = Computer\\n )\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"Sid\",\"columnName\":\"TargetSid\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"AD account with Don\u0027t Expire Password\",\"description\":\"Identifies whenever a user account has the setting \\\"Password Never Expires\\\" in the user account properties selected.\\nThis is indicated in Security event 4738 in the EventData item labeled UserAccountControl with an included value of %%2089.\\n%%2089 resolves to \\\"Don\u0027t Expire Password - Enabled\\\".\",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2019-01-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4e8238bd-ff4f-4126-a9f6-09b3b6801b3d\",\"name\":\"4e8238bd-ff4f-4126-a9f6-09b3b6801b3d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"AzureDevOpsAuditing\\n| where OperationName =~ \\\"AuditLog.StreamDisabledByUser\\\"\\n| extend StreamType = tostring(Data.ConsumerType)\\n| project-reorder TimeGenerated, Details, ActorUPN, IpAddress, UserAgent, StreamType\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure DevOps Audit Stream Disabled\",\"description\":\"Azure DevOps allow for audit logs to be streamed to external storage solutions such as SIEM solutions. An attacker looking to hide malicious Azure DevOps activity from defenders may look to disable data streams \\nbefore conducting activity and then re-enabling the stream after (so as not to raise data threshold-based alarms). Looking for disabled audit streams can identify this activity, and due to the nature of the action \\nits unlikely to have a high false positive rate.\",\"lastUpdatedDateUTC\":\"2022-01-17T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e2559891-383c-4caf-ae67-55a008b9f89e\",\"name\":\"e2559891-383c-4caf-ae67-55a008b9f89e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let HAS_ANY_MAX = 10000;\\nlet dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet IP_TI=ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = coalesce(NetworkIP, NetworkDestinationIP, NetworkSourceIP,EmailSourceIpAddress,\\\"NO_IP\\\")\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where TI_ipEntity != \\\"NO_IP\\\";\\nlet IP_TI_list=toscalar(IP_TI | summarize NIoCs= dcount(TI_ipEntity), IoCs=make_set(TI_ipEntity) \\n | project IoCs=iff(NIoCs \u003e HAS_ANY_MAX, dynamic([]), IoCs ) );\\nIP_TI\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n _Im_WebSession (starttime=ago(dt_lookBack), srcipaddr_has_any_prefix=IP_TI_list)\\n | where isnotempty(SrcIpAddr)\\n // renaming time column so it is clear the log this came from\\n | extend imNWS_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.SrcIpAddr\\n| where imNWS_TimeGenerated \u003c ExpirationDateTime\\n| summarize imNWS_TimeGenerated = arg_max(imNWS_TimeGenerated , *) by IndicatorId, DstIpAddr\\n| project imNWS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, Dvc, SrcIpAddr, DstIpAddr\",\"customDetails\":{\"EventTime\":\"imNWS_TimeGenerated\",\"IoCDescription\":\"Description\",\"ActivityGroupNames\":\"ActivityGroupNames\",\"IndicatorId\":\"IndicatorId\",\"ThreatType\":\"ThreatType\",\"IoCExpirationTime\":\"ExpirationDateTime\",\"IoCConfidenceScore\":\"ConfidenceScore\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DstIpAddr\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"The IP {{SrcIpAddr}} of a web request to hostname {{domain}} matched an IoC\",\"alertDescriptionFormat\":\"The source address {{SrcIpAddr}} of a web request for URL {{Url}} matched a known indicator of compromise of {{ThreatType}}. Consult the threat intelligence blead for more information on the indicator.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"Impact\"],\"displayName\":\"(Preview) TI map IP entity to Web Session Events (ASIM Web Session schema)\",\"description\":\"This rule identifies Web Sessions for which the source IP address is a known IoC. \u003cbr\u003e\u003cbr\u003eThis rule uses the [Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) and supports any web session source that complies with ASIM.\",\"lastUpdatedDateUTC\":\"2022-03-15T00:00:00Z\",\"createdDateUTC\":\"2022-03-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c7bfadd4-34a6-4fa5-82f8-3691a32261e8\",\"name\":\"c7bfadd4-34a6-4fa5-82f8-3691a32261e8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let EventNameList = dynamic([\\\"ApplySecurityGroupsToLoadBalancer\\\", \\\"SetSecurityGroups\\\"]);\\nAWSCloudTrail\\n| where EventName in~ (EventNameList)\\n| extend User = iif(isnotempty(UserIdentityUserName), UserIdentityUserName, SessionIssuerUserName)\\n| summarize EventCount=count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) \\nby EventSource, EventName, UserIdentityType, User, SourceIpAddress, UserAgent, SessionMfaAuthenticated, AWSRegion,\\nAdditionalEventData, UserIdentityAccountId, UserIdentityPrincipalid, ResponseElements\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User , IPCustomEntity = SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Changes to AWS Elastic Load Balancer security groups\",\"description\":\"Elastic Load Balancer distributes incoming traffic across multiple instances in multiple availability Zones. This increases the fault tolerance of your applications. \\n Unwanted changes to Elastic Load Balancer specific security groups could open your environment to attack and hence needs monitoring.\\n More information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255 \\n and https://aws.amazon.com/elasticloadbalancing/.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bdf04f58-242b-4729-b376-577c4bdf5d3a\",\"name\":\"bdf04f58-242b-4729-b376-577c4bdf5d3a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"imProcessCreate\\n| where Process hassuffix \u0027rundll32.exe\u0027\\n| where CommandLine has_any (\u0027Execute\u0027,\u0027RegRead\u0027,\u0027window.close\u0027)\\n| project TimeGenerated, Dvc, User, Process, CommandLine, ActingProcessName, EventVendor, EventProduct\\n| extend timestamp = TimeGenerated, HostCustomEntity = Dvc, AccountCustomEntity = User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"NOBELIUM - suspicious rundll32.exe execution of vbscript (Normalized Process Events)\",\"description\":\"This query idenifies when rundll32.exe executes a specific set of inline VBScript commands\\nReferences: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimProcessEvent)\",\"lastUpdatedDateUTC\":\"2022-02-14T00:00:00Z\",\"createdDateUTC\":\"2021-03-03T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f30a47c1-65fb-42b1-a7f4-00941c12550b\",\"name\":\"f30a47c1-65fb-42b1-a7f4-00941c12550b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.2\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(Url)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n SecurityAlert\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | extend MSTI = case(AlertName has \\\"TI map\\\" and VendorName == \\\"Microsoft\\\" and ProductName == \u0027Azure Sentinel\u0027, true, false)\\n | where MSTI == false\\n // Extract URL from JSON data\\n | extend Url = extract(\\\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.\u0026+]|[!*\\\\\\\\(\\\\\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+)\\\", 1,Entities)\\n // We only want alerts that actually contain URL data\\n | where isnotempty(Url)\\n // Extract hostname from JSON data for entity mapping\\n | extend Compromised_Host = tostring(parse_json(ExtendedProperties).[\\\"Compromised Host\\\"])\\n | extend Alert_TimeGenerated = TimeGenerated\\n) on Url\\n| where Alert_TimeGenerated \u003c ExpirationDateTime\\n| summarize Alert_TimeGenerated = arg_max(Alert_TimeGenerated, *) by IndicatorId, AlertName\\n| project Alert_TimeGenerated, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, AlertName, AlertSeverity, Description, Url, Compromised_Host\\n| extend timestamp = Alert_TimeGenerated, HostCustomEntity = Compromised_Host, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map URL entity to SecurityAlert data\",\"description\":\"Identifies a match in SecurityAlert data from any URL IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftCloudAppSecurity\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/80da0a8f-cfe1-4cd0-a895-8bc1771a720e\",\"name\":\"80da0a8f-cfe1-4cd0-a895-8bc1771a720e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"(union isfuzzy=true\\n(\\nSecurityEvent\\n| where EventID == 1102 and EventSourceName == \\\"Microsoft-Windows-Eventlog\\\" \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), EventCount = count() by Computer, Account, EventID, Activity\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(\\nWindowsEvent\\n| where EventID == 1102 and Provider == \\\"Microsoft-Windows-Eventlog\\\" \\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend Activity= \\\"1102 - The audit log was cleared.\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), EventCount = count() by Computer, Account, EventID, Activity\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Security Event log cleared\",\"description\":\"Checks for event id 1102 which indicates the security event log was cleared. \\nIt uses Event Source Name \\\"Microsoft-Windows-Eventlog\\\" to avoid generating false positives from other sources, like AD FS servers for instance.\",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2019-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/36a9c9e5-3dc1-4ed9-afaa-1d13617bfc2b\",\"name\":\"36a9c9e5-3dc1-4ed9-afaa-1d13617bfc2b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.2\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(Url)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n OfficeActivity\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n //Extract the Url from a number of potential fields\\n | extend Url = iif(OfficeWorkload == \\\"AzureActiveDirectory\\\",extract(\\\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.\u0026+]|[!*\\\\\\\\(\\\\\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+);\\\", 1,ModifiedProperties),tostring(parse_json(ModifiedProperties)[12].NewValue))\\n | where isnotempty(Url)\\n // Ensure we get a clean URL\\n | extend Url = tostring(split(Url, \u0027;\u0027)[0])\\n | extend OfficeActivity_TimeGenerated = TimeGenerated\\n // Project a single user identity that we can use for entity mapping\\n | extend User = iif(isnotempty(UserId), UserId, iif(isnotempty(Actor), tostring(parse_json(Actor)[0].ID), tostring(parse_json(Parameters)[0].Value)))\\n) on Url\\n| where OfficeActivity_TimeGenerated \u003c ExpirationDateTime\\n| summarize OfficeActivity_TimeGenerated = arg_max(OfficeActivity_TimeGenerated, *) by IndicatorId, Url\\n| project OfficeActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Operation, \\nUserType, OfficeWorkload, Parameters, Url, User\\n| extend timestamp = OfficeActivity_TimeGenerated, AccountCustomEntity = User, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map URL entity to OfficeActivity data\",\"description\":\"Identifies a match in OfficeActivity data from any URL IOC from TI\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f0be259a-34ac-4946-aa15-ca2b115d5feb\",\"name\":\"f0be259a-34ac-4946-aa15-ca2b115d5feb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P2D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"let starttime = 2d;\\nlet endtime = 1d;\\nlet TimeDeltaThreshold = 25;\\nlet TotalEventsThreshold = 30;\\nlet MostFrequentTimeDeltaThreshold = 25;\\nlet PercentBeaconThreshold = 80;\\nCommonSecurityLog\\n| where DeviceVendor == \\\"Palo Alto Networks\\\" and Activity == \\\"TRAFFIC\\\"\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where ipv4_is_private(DestinationIP)== false\\n| project TimeGenerated, DeviceName, SourceUserID, SourceIP, SourcePort, DestinationIP, DestinationPort, ReceivedBytes, SentBytes\\n| sort by SourceIP asc,TimeGenerated asc, DestinationIP asc, DestinationPort asc\\n| serialize\\n| extend nextTimeGenerated = next(TimeGenerated, 1), nextSourceIP = next(SourceIP, 1)\\n| extend TimeDeltainSeconds = datetime_diff(\u0027second\u0027,nextTimeGenerated,TimeGenerated)\\n| where SourceIP == nextSourceIP\\n//Whitelisting criteria/ threshold criteria\\n| where TimeDeltainSeconds \u003e TimeDeltaThreshold \\n| summarize count(), sum(ReceivedBytes), sum(SentBytes)\\nby TimeDeltainSeconds, bin(TimeGenerated, 1h), DeviceName, SourceUserID, SourceIP, DestinationIP, DestinationPort\\n| summarize (MostFrequentTimeDeltaCount, MostFrequentTimeDeltainSeconds) = arg_max(count_, TimeDeltainSeconds), TotalEvents=sum(count_), TotalSentBytes = sum(sum_SentBytes), TotalReceivedBytes = sum(sum_ReceivedBytes) \\nby bin(TimeGenerated, 1h), DeviceName, SourceUserID, SourceIP, DestinationIP, DestinationPort\\n| where TotalEvents \u003e TotalEventsThreshold and MostFrequentTimeDeltaCount \u003e MostFrequentTimeDeltaThreshold\\n| extend BeaconPercent = MostFrequentTimeDeltaCount/toreal(TotalEvents) * 100\\n| where BeaconPercent \u003e PercentBeaconThreshold\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIP, AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Palo Alto - potential beaconing detected\",\"description\":\"Identifies beaconing patterns from Palo Alto Network traffic logs based on recurrent timedelta patterns. \\nThe query leverages various KQL functions to calculate time deltas and then compares it with total events observed in a day to find percentage of beaconing. \\nThis outbound beaconing pattern to untrusted public networks should be investigated for any malware callbacks or data exfiltration attempts.\\nReference Blog:\\nhttp://www.austintaylor.io/detect/beaconing/intrusion/detection/system/command/control/flare/elastic/stack/2017/06/10/detect-beaconing-with-flare-elasticsearch-and-intrusion-detection-systems/\\nhttps://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/detect-network-beaconing-via-intra-request-time-delta-patterns/ba-p/779586\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2019-05-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/14f6da04-2f96-44ee-9210-9ccc1be6401e\",\"name\":\"14f6da04-2f96-44ee-9210-9ccc1be6401e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"AuditLogs\\n| where Category =~ \\\"RoleManagement\\\"\\n| where OperationName has \\\"Add member to role outside of PIM\\\"\\n or (LoggedByService == \\\"Core Directory\\\" and OperationName == \\\"Add member to role\\\" and Identity != \\\"MS-PIM\\\")\\n| extend AccountCustomEntity = tostring(TargetResources[0].userPrincipalName), IPCustomEntity = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"NRT Privileged Role Assigned Outside PIM\",\"description\":\"Identifies a privileged role being assigned to a user outside of PIM\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1\",\"lastUpdatedDateUTC\":\"2022-04-22T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f6502545-ae3a-4232-a8b0-79d87e5c98d7\",\"name\":\"f6502545-ae3a-4232-a8b0-79d87e5c98d7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"Event\\n| where EventLog == \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID in (13)\\n| parse EventData with * \u0027TargetObject\\\"\u003e\u0027 TargetObject \\\"\u003c\\\" * \u0027Details\\\"\u003e\u0027 Details \\\"\u003c\\\" * \\n| where TargetObject==\\\"HKLM\\\\\\\\System\\\\\\\\CurrentControlSet\\\\\\\\Control\\\\\\\\SecurityProviders\\\\\\\\WDigest\\\\\\\\UseLogonCredential\\\" and Details !=\\\"DWORD (0x00000000)\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventID, Computer, TargetObject, Details\",\"entityMappings\":[{\"entityType\":\"RegistryKey\",\"fieldMappings\":[{\"identifier\":\"Key\",\"columnName\":\"TargetObject\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"WDigest downgrade attack\",\"description\":\"When the WDigest Authentication protocol is enabled, plain text passwords are stored in the Local Security Authority Subsystem Service (LSASS) exposing them to theft. This setting will prevent WDigest from storing credentials in memory.\\nRef: https://www.stigviewer.com/stig/windows_7/2016-12-19/finding/V-72753\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2022-03-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b725d62c-eb77-42ff-96f6-bdc6745fc6e0\",\"name\":\"b725d62c-eb77-42ff-96f6-bdc6745fc6e0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nlet UserAgentAll =\\n(union isfuzzy=true\\n(OfficeActivity\\n| where TimeGenerated \u003e= ago(starttime)\\n| where isnotempty(UserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = ClientIP, Account = UserId, Type, RecordType, Operation\\n),\\n(\\nW3CIISLog\\n| where TimeGenerated \u003e= ago(starttime)\\n| where isnotempty(csUserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent = csUserAgent, SourceIP = cIP, Account = csUserName, Type, sSiteName, csMethod, csUriStem\\n),\\n(\\nAWSCloudTrail\\n| where TimeGenerated \u003e= ago(starttime)\\n| where isnotempty(UserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = SourceIpAddress, Account = UserIdentityUserName, Type, EventSource, EventName\\n))\\n// remove wordSize blocks of non-numeric hex characters prior to word extraction\\n| extend UserAgentNoHexAlphas = replace(\\\"([A-Fa-f]{4,})\\\", \\\"x\\\", UserAgent)\\n// once blocks of hex chars are removed, extract wordSize blocks of a-z\\n| extend Tokens = extract_all(\\\"([A-Za-z]{4,})\\\", UserAgentNoHexAlphas)\\n// concatenate extracted words to create a summarized user agent for baseline and comparison\\n| extend NormalizedUserAgent = strcat_array(Tokens, \\\"|\\\")\\n| project-away UserAgentNoHexAlphas, Tokens;\\nUserAgentAll\\n| where StartTime \u003e= ago(endtime)\\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), count() by UserAgent, NormalizedUserAgent, SourceIP, Account, Type, RecordType, Operation, EventSource, EventName, sSiteName, csMethod, csUriStem\\n| join kind=leftanti\\n(\\nUserAgentAll\\n| where StartTime \u003c ago(endtime)\\n| summarize by NormalizedUserAgent, SourceIP, Account, Type, RecordType, Operation, EventSource, EventName, sSiteName, csMethod, csUriStem\\n)\\non NormalizedUserAgent\\n| extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"CommandAndControl\",\"Execution\"],\"displayName\":\"New UserAgent observed in last 24 hours\",\"description\":\"Identifies new UserAgents observed in the last 24 hours versus the previous 14 days. This detection\\nextracts words from user agents to build the baseline and determine rareity rather than perform a\\ndirect comparison. This avoids FPs caused by version numbers and other high entropy user agent components.\\nThese new UserAgents could be benign. However, in normally stable environments,\\nthese new UserAgents could provide a starting point for investigating malicious activity.\\nNote: W3CIISLog can be noisy depending on the environment, however OfficeActivity and AWSCloudTrail are\\nusually stable with low numbers of detections.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-04-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/155e9134-d5ad-4a6f-88f3-99c220040b66\",\"name\":\"155e9134-d5ad-4a6f-88f3-99c220040b66\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"// Set the lookback to determine if user has created pipelines before\\nlet timeback = 14d;\\n// Set the period for detections\\nlet timeframe = 1d;\\n// Get a list of previous Release Pipeline creators to exclude\\nlet releaseusers = AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeback) and TimeGenerated \u003c ago(timeframe)\\n| where OperationName in (\\\"Release.ReleasePipelineCreated\\\", \\\"Release.ReleasePipelineModified\\\")\\n// We want to look for users performing actions in specific projects so we create this userscope object to match on\\n| extend UserScope = strcat(ActorUserId, \\\"-\\\", ProjectName)\\n| summarize by UserScope;\\n// Get Release Pipeline creations by new users\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeframe)\\n| where OperationName =~ \\\"Release.ReleasePipelineModified\\\"\\n| extend UserScope = strcat(ActorUserId, \\\"-\\\", ProjectName)\\n| where UserScope !in (releaseusers)\\n| extend ActorUPN = tolower(ActorUPN)\\n| project-away Id, ActivityId, ActorCUID, ScopeId, ProjectId, TenantId, SourceSystem, UserScope\\n// See if any of these users have Azure AD alerts associated with them in the same timeframe\\n| join kind = leftouter (\\nSecurityAlert\\n| where TimeGenerated \u003e ago(timeframe)\\n| where ProviderName == \\\"IPC\\\"\\n| extend AadUserId = tostring(parse_json(Entities)[0].AadUserId)\\n| summarize Alerts=count() by AadUserId) on $left.ActorUserId == $right.AadUserId\\n| extend Alerts = iif(isnotempty(Alerts), Alerts, 0)\\n// Uncomment the line below to only show results where the user as AADIdP alerts\\n//| where Alerts \u003e 0\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Execution\",\"DefenseEvasion\"],\"displayName\":\"Azure DevOps Pipeline modified by a new user.\",\"description\":\"There are several potential pipeline steps that could be modified by an attacker to inject malicious code into the build cycle. A likely attacker path is the modification to an existing pipeline that they have access to. \\nThis detection looks for users modifying a pipeline when they have not previously been observed modifying or creating that pipeline before. This query also joins events with data to Azure AD Identity Protection (AAD IdP) \\nin order to show if the user conducting the action has any associated AAD IdP alerts. You can also choose to filter this detection to only alert when the user also has AAD IdP alerts associated with them.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3d023f64-8225-41a2-9570-2bd7c2c4535e\",\"name\":\"3d023f64-8225-41a2-9570-2bd7c2c4535e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1DT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\nlet spanoftime = 10m;\\nlet threshold = 0;\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e ago(timeframe+spanoftime)\\n// A user account was enabled\\n| where EventID == 4722\\n| where AccountType =~ \\\"User\\\"\\n| where TargetAccount !endswith \\\"$\\\"\\n| project EnableTime = TimeGenerated, EnableEventID = EventID, EnableActivity = Activity, Computer, UserPrincipalName, \\nAccountUsedToEnable = SubjectAccount, SIDofAccountUsedToEnable = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid\\n),\\n(\\nWindowsEvent\\n| where TimeGenerated \u003e ago(timeframe+spanoftime)\\n// A user account was enabled\\n| where EventID == 4722\\n| extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| extend AccountType=case(EventData.SubjectUserName endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n| where AccountType =~ \\\"User\\\"\\n| extend SubjectAccount = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| where TargetAccount !endswith \\\"$\\\"\\n| extend Activity=\\\"4722 - A user account was enabled.\\\"\\n| extend TargetSid = tostring(EventData.TargetSid)\\n| extend UserPrincipalName = tostring(EventData.UserPrincipalName)\\n| project EnableTime = TimeGenerated, EnableEventID = EventID, EnableActivity = Activity, Computer, UserPrincipalName, \\nAccountUsedToEnable = SubjectAccount, SIDofAccountUsedToEnable = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid\\n))\\n| join kind= inner (\\n (union isfuzzy=true\\n (SecurityEvent\\n | where TimeGenerated \u003e ago(timeframe)\\n // A user account was disabled\\n | where EventID == 4725\\n| where AccountType =~ \\\"User\\\"\\n| project DisableTime = TimeGenerated, DisableEventID = EventID, DisableActivity = Activity, Computer, UserPrincipalName, \\nAccountUsedToDisable = SubjectAccount, SIDofAccountUsedToDisable = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid\\n),\\n(WindowsEvent\\n | where TimeGenerated \u003e ago(timeframe)\\n // A user account was disabled\\n | where EventID == 4725\\n| extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| extend AccountType=case(EventData.SubjectUserName endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n| where AccountType =~ \\\"User\\\"\\n| extend SubjectAccount = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| extend TargetSid = tostring(EventData.TargetSid)\\n| extend UserPrincipalName = tostring(EventData.UserPrincipalName)\\n| extend Activity = \\\"4725 - A user account was disabled.\\\"\\n| project DisableTime = TimeGenerated, DisableEventID = EventID, DisableActivity = Activity, Computer, UserPrincipalName, \\nAccountUsedToDisable = SubjectAccount, SIDofAccountUsedToDisable = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid))\\n) on Computer, TargetAccount\\n| where DisableTime - EnableTime \u003c spanoftime\\n| extend TimeDelta = DisableTime - EnableTime\\n| where tolong(TimeDelta) \u003e= threshold\\n| project TimeDelta, EnableTime, EnableEventID, EnableActivity, Computer, TargetAccount, TargetSid, UserPrincipalName, AccountUsedToEnable, SIDofAccountUsedToEnable, \\nDisableTime, DisableEventID, DisableActivity, AccountUsedToDisable, SIDofAccountUsedToDisable\\n| extend timestamp = EnableTime, AccountCustomEntity = AccountUsedToEnable, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"Sid\",\"columnName\":\"SIDofAccountUsedToEnable\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"User account enabled and disabled within 10 mins\",\"description\":\"Identifies when a user account is enabled and then disabled within 10 minutes. This can be an indication of compromise and\\nan adversary attempting to hide in the noise.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2019-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0625fcce-6d52-491e-8c68-1d9b801d25b9\",\"name\":\"0625fcce-6d52-491e-8c68-1d9b801d25b9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"Event\\n| where EventLog =~ \\\"Application\\\"\\n| where Source startswith \\\"MSExchange\\\"\\n| where EventLevelName =~ \\\"error\\\"\\n| where (RenderedDescription startswith \\\"Watson report\\\" and RenderedDescription contains \\\"umworkerprocess\\\" and RenderedDescription contains \\\"TextFormattingRunProperties\\\") or RenderedDescription startswith \\\"An unhandled exception occurred in a UM worker process\\\" or RenderedDescription startswith \\\"The Microsoft Exchange Unified Messaging service\\\" or RenderedDescription contains \\\"MSExchange Unified Messaging\\\"\\n| where RenderedDescription !contains \\\"System.OutOfMemoryException\\\"\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"HAFNIUM Suspicious UM Service Error\",\"description\":\"This query looks for errors that may indicate that an attacker is attempting to exploit a vulnerability in the service. \\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-02T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/09c49590-4e9d-4da9-a34d-17222d0c9e7e\",\"name\":\"09c49590-4e9d-4da9-a34d-17222d0c9e7e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"AlertPerResult\"},\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let default_file_ext_blocklist = dynamic([\u0027.ps1\u0027, \u0027.vbs\u0027, \u0027.bat\u0027, \u0027.scr\u0027]);\\nlet custom_file_ext_blocklist=toscalar(_GetWatchlist(\u0027RiskyFileTypes\u0027) | extend Extension=column_ifexists(\\\"Extension\\\",\\\"\\\") | where isnotempty(Extension) | summarize make_set(Extension));\\nlet file_ext_blocklist = array_concat(default_file_ext_blocklist, custom_file_ext_blocklist);\\n_Im_WebSession(url_has_any=file_ext_blocklist, eventresult=\u0027Success\u0027)\\n| extend requestedFileName=tostring(split(tostring(parse_url(Url)[\\\"Path\\\"]),\u0027/\u0027)[-1])\\n| extend requestedFileExt=extract(@(\\\\.\\\\w+)$,1,requestedFileName, typeof(string))\\n| where requestedFileExtension in (file_ext_blocklist)\\n| summarize LastAttemptTime=max(TimeGenerated), NumFailedAttempts=count() by SrcIpAddr, requestedFileName, Url\\n| extend IPCustomEntity = SrcIpAddr, UrlCustomEntity=Url\",\"customDetails\":{\"requestedFileName\":\"requestedFileName\",\"requestedFileExt\":\"requestedFileExt\",\"Username\":\"SrcUsername\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Client {{SrcIpAddr}} accessed a URL with potentially harmful extension {{requestedFileExt}}\",\"alertDescriptionFormat\":\"The client at address {{SrcIpAddr}} accessed the URL {{Url}} that has the extension {{requestedFileExt}}. Downloading a file with this extension may be harmful and may indicate malicious activity.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"InitialAccess\"],\"displayName\":\"A client made a web request to a potentially harmful file (ASIM Web Session schema)\",\"description\":\"This rule identifies a web request to a URL that holds a file type, including .ps1, .bat, .vbs, and .scr that can be harmful if downloaded. This rule uses the [Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) and supports any web session source that complies with ASIM. To use this Analytics Rule, deploy the Advanced Security Information Model (ASIM).\\n This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema)\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2021-12-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ffcd575b-3d54-482a-a6d8-d0de13b6ac63\",\"name\":\"ffcd575b-3d54-482a-a6d8-d0de13b6ac63\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @\u0027^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$\u0027;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n CommonSecurityLog | where TimeGenerated \u003e= ago(dt_lookBack) and isnotempty(DestinationUserID)\\n // Filtering PAN Logs for specific event type to match relevant email entities\\n | where DeviceVendor == \\\"Palo Alto Networks\\\" and DeviceEventClassID == \\\"wildfire\\\" and ApplicationProtocol in (\\\"smtp\\\",\\\"pop3\\\")\\n | extend DestinationUserID = tolower(DestinationUserID)\\n | where DestinationUserID matches regex emailregex\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n)\\non $left.EmailSenderAddress == $right.DestinationUserID\\n| where CommonSecurityLog_TimeGenerated \u003c ExpirationDateTime\\n| summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, DestinationUserID\\n| project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, EmailSenderName, EmailRecipient, \\nEmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, DestinationUserID, DeviceEventClassID, LogSeverity, DeviceAction, SourceIP, SourcePort, \\nDestinationIP, DestinationPort, Protocol, ApplicationProtocol\\n| extend timestamp = CommonSecurityLog_TimeGenerated, AccountCustomEntity = DestinationUserID, IPCustomEntity = SourceIP, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map Email entity to CommonSecurityLog\",\"description\":\"Identifies a match in CommonSecurityLog table from any Email IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7cb8f77d-c52f-4e46-b82f-3cf2e106224a\",\"name\":\"7cb8f77d-c52f-4e46-b82f-3cf2e106224a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let lookBack_long = 7d;\\nlet lookBack_med = 3d;\\nlet lookBack = 1d;\\nlet aadFunc = (tableName:string){\\ntable(tableName)\\n| where TimeGenerated \u003e= startofday(ago(lookBack_long))\\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n| extend locationString = strcat(tostring(LocationDetails.countryOrRegion), \\\"/\\\", tostring(LocationDetails.state), \\\"/\\\", tostring(LocationDetails.city), \\\";\\\") \\n| project TimeGenerated, AppDisplayName , UserPrincipalName, locationString \\n// Create time series \\n| make-series dLocationCount = dcount(locationString) on TimeGenerated in range(startofday(ago(lookBack_long)),now(), 1d) \\nby UserPrincipalName, AppDisplayName \\n// Compute best fit line for each entry \\n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dLocationCount) \\n// Chart the 3 most interesting lines \\n// A 0-value slope corresponds to an account being completely stable over time for a given Azure Active Directory application\\n| where Slope \u003e 0.3\\n| top 50 by Slope desc\\n| join kind = leftsemi (\\ntable(tableName)\\n| where TimeGenerated \u003e= startofday(ago(lookBack_med))\\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n| extend locationString = strcat(tostring(LocationDetails.countryOrRegion), \\\"/\\\", tostring(LocationDetails.state), \\\"/\\\", tostring(LocationDetails.city), \\\";\\\") \\n| project TimeGenerated, AppDisplayName , UserPrincipalName, locationString \\n| make-series dLocationCount = dcount(locationString) on TimeGenerated in range(startofday(ago(lookBack_med)) ,now(), 1d) \\nby UserPrincipalName, AppDisplayName \\n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dLocationCount)\\n| where Slope \u003e 0.3\\n| top 50 by Slope desc\\n) on UserPrincipalName, AppDisplayName\\n| join kind = leftsemi (\\ntable(tableName)\\n| where TimeGenerated \u003e= startofday(ago(lookBack))\\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n| extend locationString = strcat(tostring(LocationDetails.countryOrRegion), \\\"/\\\", tostring(LocationDetails.state), \\\"/\\\", tostring(LocationDetails.city), \\\";\\\") \\n| project TimeGenerated, AppDisplayName , UserPrincipalName, locationString \\n| make-series dLocationCount = dcount(locationString) on TimeGenerated in range(startofday(ago(lookBack)) ,now(), 1d) \\nby UserPrincipalName, AppDisplayName \\n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dLocationCount)\\n| where Slope \u003e 5\\n| top 50 by Slope desc\\n// Higher threshold requirement on last day anomaly\\n) on UserPrincipalName, AppDisplayName\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Anomalous sign-in location by user account and authenticating application\",\"description\":\"This query over Azure Active Directory sign-in considers all user sign-ins for each Azure Active \\nDirectory application and picks out the most anomalous change in location profile for a user within an \\nindividual application. An alert is generated for recent sign-ins that have location counts that are anomalous\\nover last day but also over the last 3-day and 7-day periods.\\nPlease note that on workspaces with larger volume of Signin data (~10M+ events a day) may timeout when using this default query time period.\\nIt is recommended that you test and tune this appropriately for the workspace.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1da9853f-3dea-4ea9-b7e5-26730da3d537\",\"name\":\"1da9853f-3dea-4ea9-b7e5-26730da3d537\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let PortScanThreshold = 50;\\n_Im_NetworkSession\\n| where ipv4_is_private(SrcIpAddr) == False\\n| summarize AttemptedPortsCount=dcount(DstPortNumber) by SrcIpAddr, bin(TimeGenerated, 5m)\\n| where AttemptedPortsCount \u003e PortScanThreshold\",\"customDetails\":{\"AttemptedPortsCount\":\"AttemptedPortsCount\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Potential port scan from {{SrcIpAddr}}\",\"alertDescriptionFormat\":\"A port scan has been performed from address {{SrcIpAddr}} over {{AttemptedPortsCount}} pots within 5 minutes. This may indicate that a [port scanner](https://en.wikipedia.org/wiki/Port_scanner) is trying to identify open ports in order to penetrate a system.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"Discovery\"],\"displayName\":\"Port scan detected (ASIM Network Session schema)\",\"description\":\"This rule identifies a possible port scan, in which a single source tries to access a large number of different ports is a short time frame. This may indicate that a [port scanner](https://en.wikipedia.org/wiki/Port_scanner) is trying to identify open ports in order to penetrate a system.\u003cbr\u003e\u003cbr\u003e\\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2022-03-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/eda260eb-f4a1-4379-ad98-452604da9b3e\",\"name\":\"eda260eb-f4a1-4379-ad98-452604da9b3e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let eventsThreshold = 20;\\nCommonSecurityLog\\n| where isnotempty(RequestURL)\\n| project TimeGenerated, RequestURL, RequestMethod, SourceIP, SourceHostName\\n| evaluate sequence_detect(TimeGenerated, 5s, 8s, login=(RequestURL has \\\"login.microsoftonline.com/consumers/oauth2/v2.0/token\\\"), graph=(RequestURL has \\\"graph.microsoft.com/v1.0/me/drive/\\\"), SourceIP, SourceHostName)\\n| summarize Events=count() by SourceIP, SourceHostName\\n| where Events \u003e= eventsThreshold\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"SourceHostName\"}]}],\"tactics\":[\"Exfiltration\",\"CommandAndControl\"],\"displayName\":\"CreepyDrive request URL sequence\",\"description\":\"CreepyDrive uses OneDrive for command and control, however, it makes regular requests to predicatable paths.\\nThis detecton will alert when over 20 sequences are observed in a single day.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2022-05-31T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3533f74c-9207-4047-96e2-0eb9383be587\",\"name\":\"3533f74c-9207-4047-96e2-0eb9383be587\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let detectionTime = 1d;\\nlet joinLookback = 14d;\\nAuditLogs\\n| where TimeGenerated \u003e ago(detectionTime)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Consent to application\\\"\\n| where TargetResources has \\\"offline\\\"\\n| extend AppDisplayName = TargetResources.[0].displayName\\n| extend AppClientId = tolower(TargetResources.[0].id)\\n| where AppClientId !in ((externaldata(knownAppClientId:string, knownAppDisplayName:string)[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.OAuth.KnownApplications.csv\\\"] with (format=\\\"csv\\\")))\\n| extend ConsentFull = TargetResources[0].modifiedProperties[4].newValue\\n| parse ConsentFull with * \\\"ConsentType: \\\" GrantConsentType \\\", Scope: \\\" GrantScope1 \\\"]\\\" *\\n| where ConsentFull contains \\\"offline_access\\\" and ConsentFull contains \\\"Files.Read\\\" or ConsentFull contains \\\"Mail.Read\\\" or ConsentFull contains \\\"Notes.Read\\\" or ConsentFull contains \\\"ChannelMessage.Read\\\" or ConsentFull contains \\\"Chat.Read\\\" or ConsentFull contains \\\"TeamsActivity.Read\\\" or ConsentFull contains \\\"Group.Read\\\" or ConsentFull contains \\\"EWS.AccessAsUser.All\\\" or ConsentFull contains \\\"EAS.AccessAsUser.All\\\"\\n| where GrantConsentType != \\\"AllPrincipals\\\" // NOTE: we are ignoring if OAuth application was granted to all users via an admin - but admin due diligence should be audited occasionally\\n| extend GrantIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\\n| extend GrantInitiatedBy = tostring(iff(isnotempty(InitiatedBy.user.userPrincipalName),InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName))\\n| extend GrantUserAgent = tostring(iff(AdditionalDetails[0].key =~ \\\"User-Agent\\\", AdditionalDetails[0].value, \\\"\\\"))\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, GrantIpAddress, GrantUserAgent, AppClientId, OperationName, ConsentFull, CorrelationId\\n| join kind = leftouter (AuditLogs\\n| where TimeGenerated \u003e ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add service principal\\\"\\n| extend AppClientId = tolower(TargetResources[0].id)\\n| extend AppReplyURLs = iff(TargetResources[0].modifiedProperties[1].newValue has \\\"AddressType\\\", TargetResources[0].modifiedProperties[1].newValue, \\\"\\\")\\n| distinct AppClientId, tostring(AppReplyURLs)\\n)\\non AppClientId\\n| join kind = innerunique (AuditLogs\\n| where TimeGenerated \u003e ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add OAuth2PermissionGrant\\\" or OperationName =~ \\\"Add delegated permission grant\\\"\\n| extend GrantAuthentication = tostring(TargetResources[0].displayName)\\n| extend GrantOperation = OperationName\\n| project GrantAuthentication, GrantOperation, CorrelationId\\n) on CorrelationId\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantIpAddress, GrantUserAgent, AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull\\n| extend timestamp = TimeGenerated, AccountCustomEntity = GrantInitiatedBy, IPCustomEntity = GrantIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Suspicious application consent for offline access\",\"description\":\"This will alert when a user consents to provide a previously-unknown Azure application with offline access via OAuth.\\nOffline access will provide the Azure App with access to the listed resources without requiring two-factor authentication.\\nConsent to applications with offline access and read capabilities should be rare, especially as the knownApplications list is expanded. Public contributions to expand this filter are welcome!\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0ee2aafb-4500-4e36-bcb1-e90eec2f0b9b\",\"name\":\"0ee2aafb-4500-4e36-bcb1-e90eec2f0b9b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"AWSCloudTrail\\n| where EventName =~ \\\"ConsoleLogin\\\"\\n| extend MFAUsed = tostring(parse_json(AdditionalEventData).MFAUsed), LoginResult = tostring(parse_json(ResponseElements).ConsoleLogin)\\n| where MFAUsed !~ \\\"Yes\\\" and LoginResult !~ \\\"Failure\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, LoginResult, MFAUsed, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent,\\nUserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserIdentityUserName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIpAddress\"}]}],\"tactics\":[\"DefenseEvasion\",\"PrivilegeEscalation\",\"Persistence\",\"InitialAccess\"],\"displayName\":\"NRT Login to AWS Management Console without MFA\",\"description\":\"Multi-Factor Authentication (MFA) helps you to prevent credential compromise. This alert identifies logins to the AWS Management Console without MFA.\\nYou can limit this detection to trigger for administrative accounts if you do not have MFA enabled on all accounts.\\nThis is done by looking at the eventName ConsoleLogin and if the AdditionalEventData field indicates MFA was NOT used\\nand the ResponseElements field indicates NOT a Failure. Thereby indicating that a non-MFA login was successful.\",\"lastUpdatedDateUTC\":\"2022-02-08T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/269435e3-1db8-4423-9dfc-9bf59997da1c\",\"name\":\"269435e3-1db8-4423-9dfc-9bf59997da1c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Low\",\"query\":\"AuditLogs\\n| where Category =~ \\\"RoleManagement\\\"\\n| where OperationName has \\\"Add member to role outside of PIM\\\"\\n or (LoggedByService == \\\"Core Directory\\\" and OperationName == \\\"Add member to role\\\" and Identity != \\\"MS-PIM\\\")\\n| extend AccountCustomEntity = tostring(TargetResources[0].userPrincipalName), IPCustomEntity = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Privileged Role Assigned Outside PIM\",\"description\":\"Identifies a privileged role being assigned to a user outside of PIM\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1\",\"lastUpdatedDateUTC\":\"2022-01-17T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2be4ef67-a93f-4d8a-981a-88158cb73abd\",\"name\":\"2be4ef67-a93f-4d8a-981a-88158cb73abd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.0\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet covidIndicators = (externaldata(TimeGenerated:datetime, FileHashValue:string, FileHashType: string, TlpLevel: string, Product: string, ThreatType: string, Description: string )\\n[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.Covid19.Indicators.csv\\\"] with (format=\\\"csv\\\"));\\nlet fileHashIndicators = covidIndicators\\n| where isnotempty(FileHashValue);\\n// Handle matches against both lower case and uppercase versions of the hash:\\n(fileHashIndicators | extend FileHashValue = tolower(FileHashValue)\\n| union (fileHashIndicators | extend FileHashValue = toupper(FileHashValue)))\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n CommonSecurityLog | where TimeGenerated \u003e= ago(dt_lookBack) \\n | where isnotempty(FileHash)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n )\\non $left.FileHashValue == $right.FileHash\\n| summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by FileHashValue\\n| project CommonSecurityLog_TimeGenerated, FileHashValue, FileHashType, Description, ThreatType, \\nSourceIP, SourcePort, DestinationIP, DestinationPort, SourceUserID, SourceUserName, DeviceName, DeviceAction, \\nRequestURL, DestinationUserName, DestinationUserID, ApplicationProtocol, Activity\\n| extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, AccountCustomEntity = SourceUserName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Value\",\"columnName\":\"FileHashValue\"},{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashType\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Microsoft COVID-19 file hash indicator matches\",\"description\":\"Identifies a match in CommonSecurityLog Event data from any FileHash published in the Microsoft COVID-19 Threat Intel Feed - as described at https://www.microsoft.com/security/blog/2020/05/14/open-sourcing-covid-threat-intelligence/\",\"lastUpdatedDateUTC\":\"2022-07-07T00:00:00Z\",\"createdDateUTC\":\"2019-08-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5b72f527-e3f6-4a00-9908-8e4fee14da9f\",\"name\":\"5b72f527-e3f6-4a00-9908-8e4fee14da9f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"CommonSecurityLog\\n| where isnotempty(DestinationPort) and DeviceAction !in (\\\"reset-both\\\", \\\"deny\\\") \\n// filter out common usage ports. Add ports that are legitimate for your environment\\n| where DestinationPort !in (\\\"443\\\", \\\"53\\\", \\\"389\\\", \\\"80\\\", \\\"0\\\", \\\"880\\\", \\\"8888\\\", \\\"8080\\\")\\n| where ApplicationProtocol == \\\"incomplete\\\" \\n// filter out IANA ephemeral or negotiated ports as per https://en.wikipedia.org/wiki/Ephemeral_port\\n| where DestinationPort !between (toint(49512) .. toint(65535)) \\n| where Computer != \\\"\\\" \\n| where DestinationIP !startswith \\\"10.\\\"\\n| extend Reason = coalesce(\\n column_ifexists(\\\"Reason\\\", \\\"\\\"), \\n extract(\\\"reason=(.+?)(;|$)\\\", 1, AdditionalExtensions),\\n \\\"\\\"\\n )\\n// Filter out any graceful reset reasons of AGED OUT which occurs when a TCP session closes with a FIN due to aging out. \\n| where Reason !has \\\"aged-out\\\" \\n// Filter out any TCP FIN which occurs when a TCP FIN is used to gracefully close half or both sides of a connection.\\n| where Reason !has \\\"tcp-fin\\\" \\n// Uncomment one of the following where clauses to trigger on specific TCP reset reasons\\n// See Palo Alto article for details - https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClUvCAK\\n// TCP RST-server - Occurs when the server sends a TCP reset to the client\\n// | where AdditionalExtensions has \\\"reason=tcp-rst-from-server\\\" \\n// TCP RST-client - Occurs when the client sends a TCP reset to the server\\n// | where AdditionalExtensions has \\\"reason=tcp-rst-from-client\\\" \\n// Already performed\\n//| extend reason = tostring(split(AdditionalExtensions, \\\";\\\")[3])\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by DeviceName, SourceUserID, SourceIP, ApplicationProtocol, Reason, DestinationPort, Protocol, DeviceVendor, DeviceProduct, DeviceAction, DestinationIP\\n| where count_ \u003e= 10\\n| summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), makeset(DestinationIP), totalcount = sum(count_) by DeviceName, SourceUserID, SourceIP, ApplicationProtocol, Reason, DestinationPort, Protocol, DeviceVendor, DeviceProduct, DeviceAction\\n| extend timestamp = StartTimeUtc, IPCustomEntity = SourceIP, AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Discovery\"],\"displayName\":\"Palo Alto - possible internal to external port scanning\",\"description\":\"Identifies a list of internal Source IPs (10.x.x.x Hosts) that have triggered 10 or more non-graceful tcp server resets from one or more Destination IPs which \\nresults in an \\\"ApplicationProtocol = incomplete\\\" designation. The server resets coupled with an \\\"Incomplete\\\" ApplicationProtocol designation can be an indication \\nof internal to external port scanning or probing attack. \\nReferences: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClUvCAK and\\nhttps://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClTaCAK\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2019-02-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/677da133-e487-4108-a150-5b926591a92b\",\"name\":\"677da133-e487-4108-a150-5b926591a92b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.5.1\",\"severity\":\"Medium\",\"query\":\"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string)\\n[@\\\"https://raw.githubusercontent.com/microsoft/mstic/master/Indicators/May21-NOBELIUM/May21NOBELIUMIoCs.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet sha256s = (iocs | where Type =~ \\\"SHA256\\\"| project IoC);\\nlet ips = (iocs | where Type =~ \\\"IP\\\"| project IoC);\\nlet IPList = dynamic([\\\"192.99.221.77\\\",\\\"83.171.237.173\\\"]);\\nlet ips_list=toscalar(ips | summarize makeset(IoC));\\nlet full_ip_list= array_concat(ips_list, IPList);\\nlet domains = (iocs | where Type =~ \\\"Domain\\\"| project IoC);\\nlet domain_list=toscalar(domains | summarize make_set(IoC));\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\nlet sha256Hashes = dynamic([\\\"2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9226c80b8b31252\\\",\\n\\\"d035d394a82ae1e44b25e273f99eae8e2369da828d6b6fdb95076fd3eb5de142\\\",\\n\\\"94786066a64c0eb260a28a2959fcd31d63d175ade8b05ae682d3f6f9b2a5a916\\\",\\n\\\"48b5fb3fa3ea67c2bc0086c41ec755c39d748a7100d71b81f618e82bf1c479f0\\\",\\n\\\"ee44c0692fd2ab2f01d17ca4b58ca6c7f79388cbc681f885bb17ec946514088c\\\",\\n\\\"ee42ddacbd202008bcc1312e548e1d9ac670dd3d86c999606a3a01d464a2a330\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or DestinationHostName in~ (domains) or RequestURL has_any (domains) or Message has_any (IPList)\\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", RequestURL in (domains), \\\"RequestUrl\\\", SourceIP in (ips), \\\"SourceIP\\\", DestinationIP in (ips), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", \\\"NoMatch\\\") \\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, \\\"NoMatch\\\"), AccountCustomEntity = SourceUserID\\n),\\n(_Im_Dns (domain_has_any=todynamic(domain_list))\\n| extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host\\n),\\n(_Im_Dns (response_has_any_prefix=todynamic(full_ip_list))\\n| extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host\\n),\\n(VMConnection\\n| where SourceIp in (IPList) or DestinationIp in (IPList) or SourceIp in (ips) or DestinationIp in (ips) or RemoteDnsCanonicalNames has_any (domains)\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", SourceIp in (ips), \\\"SourceIP\\\", DestinationIp in (ips), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"NoMatch\\\"), HostCustomEntity = Computer\\n),\\n(OfficeActivity\\n| where ClientIP in (IPList) or ClientIP in (ips)\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = UserId\\n),\\n(WindowsFirewall\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or SourceIP in (ips) or DestinationIP in (ips)\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", SourceIP in (ips), \\\"SourceIP\\\", DestinationIP in (ips), \\\"DestinationIP\\\", \\\"None\\\")\\n),\\n(_Im_NetworkSession(srcipaddr_has_any_prefix=full_ip_list)\\n | extend IPMatch = \\\"SourceIP\\\"\\n | extend timestamp = TimeGenerated, HostCustomEntity = Dvc , IPCustomEntity = SrcIpAddr //, AccountCustomEntity =User\\n),\\n(_Im_NetworkSession(dstipaddr_has_any_prefix=full_ip_list)\\n | extend IPMatch = \\\"DestinationIP\\\"\\n | extend timestamp = TimeGenerated, HostCustomEntity = Dvc , IPCustomEntity = DstIpAddr //, AccountCustomEntity =User\\n),\\n(_Im_WebSession(url_has_any=domains)\\n | extend timestamp=TimeGenerated, HostCustomEntity=Dvc , DNSName=tostring(parse_url(Url)[\\\"Host\\\"]), AccountCustomEntity=User\\n),\\n(_Im_WebSession(srcipaddr_has_any_prefix=full_ip_list)\\n | extend timestamp=TimeGenerated, HostCustomEntity=Dvc , DNSName=tostring(parse_url(Url)[\\\"Host\\\"]), AccountCustomEntity=User\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (domains) \\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updating\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| where EventDetail has_any (sha256Hashes) or EventDetail has_any (sha256s)\\n| parse EventDetail with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = SHA256\\n| project Type, TimeGenerated, Computer, Account, FileHash\\n),\\n(DeviceFileEvents\\n| where SHA256 in~ (sha256Hashes) or SHA256 in~ (sha256s)\\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = SHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(imFileEvent\\n| where TargetFileSHA256 in~ (sha256Hashes) or TargetFileSHA256 in~ (sha256s)\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes) or FileHash in (sha256s)\\n| extend timestamp = TimeGenerated\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"DNSName\"}]}],\"tactics\":[\"CommandAndControl\",\"Execution\"],\"displayName\":\"NOBELIUM - Domain, Hash and IP IOCs - May 2021\",\"description\":\"Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM.\\nRef: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2021-03-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceFileEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/35ce9aff-1708-45b8-a295-5e9a307f5f17\",\"name\":\"35ce9aff-1708-45b8-a295-5e9a307f5f17\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"AzureDevOpsAuditing\\n| where OperationName =~ \\\"Group.UpdateGroupMembership.Add\\\"\\n| where Details has_any (\\\"Project Administrators\\\", \\\"Project Collection Administrators\\\", \\\"Project Collection Service Accounts\\\", \\\"Build Administrator\\\")\\n| project-reorder TimeGenerated, Details, ActorUPN, IpAddress, UserAgent, AuthenticationMechanism, ScopeDisplayName\\n| extend timekey = bin(TimeGenerated, 1h)\\n| extend ActorUserId = tostring(Data.MemberId)\\n| project timekey, ActorUserId, AddingUser=ActorUPN, TimeAdded=TimeGenerated, PermissionGrantDetails = Details\\n// Get details of operations conducted by user soon after elevation of permissions\\n| join (AzureDevOpsAuditing\\n| extend ActorUserId = tostring(Data.MemberId)\\n| extend timekey = bin(TimeGenerated, 1h)) on timekey, ActorUserId\\n| summarize ActionsWhenAdded = make_set(OperationName) by ActorUPN, AddingUser, TimeAdded, PermissionGrantDetails, IpAddress, UserAgent\\n| extend timestamp = TimeAdded, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddingUser\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"New PA, PCA, or PCAS added to Azure DevOps\",\"description\":\"In order for an attacker to be able to conduct many potential attacks against Azure DevOps they will need to gain elevated permissions. \\nThis detection looks for users being granted key administrative permissions. If the principal of least privilege is applied, the number of \\nusers granted these permissions should be small. Note that permissions can also be granted via Azure AD groups and monitoring of these \\nshould also be conducted.\",\"lastUpdatedDateUTC\":\"2022-01-17T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bf07ca9c-e408-443a-8939-6860a45a929e\",\"name\":\"bf07ca9c-e408-443a-8939-6860a45a929e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"let allowed_publishers = dynamic([]);\\nAzureDevOpsAuditing\\n| where OperationName =~ \\\"Extension.Installed\\\"\\n| extend ExtensionName = tostring(Data.ExtensionName)\\n| extend PublisherName = tostring(Data.PublisherName)\\n| where PublisherName !in (allowed_publishers)\\n| project-reorder TimeGenerated, OperationName, ExtensionName, PublisherName, ActorUPN, IpAddress, UserAgent, ScopeDisplayName, Data\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Azure DevOps New Extension Added\",\"description\":\"Extensions add additional features to Azure DevOps. An attacker could use a malicious extension to conduct malicious activity. \\nThis query looks for new extensions that are not from a configurable list of approved publishers.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/65c78944-930b-4cae-bd79-c3664ae30ba7\",\"name\":\"65c78944-930b-4cae-bd79-c3664ae30ba7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"(union isfuzzy=true\\n(AuditLogs \\n| where OperationName =~ \\\"Disable Strong Authentication\\\"\\n| extend IPAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress) \\n| extend InitiatedByUser = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)), \\n tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName))\\n| extend Targetprop = todynamic(TargetResources)\\n| extend TargetUser = tostring(Targetprop[0].userPrincipalName) \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by User = TargetUser, InitiatedByUser , Operation = OperationName , CorrelationId, IPAddress, Category, Source = SourceSystem , AADTenantId, Type\\n),\\n(AWSCloudTrail\\n| where EventName in~ (\\\"DeactivateMFADevice\\\", \\\"DeleteVirtualMFADevice\\\") \\n| extend InstanceProfileName = tostring(parse_json(RequestParameters).InstanceProfileName)\\n| extend TargetUser = tostring(parse_json(RequestParameters).userName)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by User = TargetUser, Source = EventSource , Operation = EventName , TenantorInstance_Detail = InstanceProfileName, IPAddress = SourceIpAddress\\n)\\n)\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\",\"Persistence\"],\"displayName\":\"MFA disabled for a user\",\"description\":\"Multi-Factor Authentication (MFA) helps prevent credential compromise. This alert identifies when an attempt has been made to disable MFA for a user \",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2019-12-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4759ddb4-2daf-43cb-b34e-d85b85b4e4a5\",\"name\":\"4759ddb4-2daf-43cb-b34e-d85b85b4e4a5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/DEV-0322_SolarWinds_Serv-U_IoC.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet process = (iocs | where Type =~ \\\"process\\\" | project IoC);\\nlet parentprocess = (iocs | where Type =~ \\\"parentprocess\\\" | project IoC);\\nlet IPList = (iocs | where Type =~ \\\"ip\\\"| project IoC);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or RequestURL has_any (IPList) or Message has_any (IPList)\\n| project TimeGenerated, SourceIP, DestinationIP, Message, SourceUserID, RequestURL, Type\\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", RequestURL in (IPList), \\\"RequestUrl\\\",\\\"NoMatch\\\"), AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, IPMatch == \\\"RequestUrl\\\", RequestURL, \\\"NoMatch\\\"), AccountCustomEntity = SourceUserID\\n),\\n(DnsEvents\\n| where IPAddresses in (IPList) \\n| project TimeGenerated, Computer, IPAddresses, Name, ClientIP, Type\\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Host = Computer , AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n),\\n(VMConnection\\n| where SourceIp in (IPList) or DestinationIp in (IPList)\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| project TimeGenerated, Computer, Direction, ProcessName, SourceIp, DestinationIp, DestinationPort, RemoteDnsQuestions, DNSName,BytesSent, BytesReceived, RemoteCountry, Type\\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", \\\"None\\\") , AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"NoMatch\\\"), HostCustomEntity = Computer, ProcessCustomEntity = ProcessName\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = EventDetail.[9].[\\\"#text\\\"], DestinationIP = EventDetail.[14].[\\\"#text\\\"], Image = EventDetail.[4].[\\\"#text\\\"]\\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| project TimeGenerated, SourceIP, DestinationIP, Image, UserName, Computer, Type\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\") , AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n), \\n(OfficeActivity\\n| where ClientIP in (IPList) \\n| project TimeGenerated, UserAgent, Operation, RecordType, UserId, ClientIP, AlertDetail = \u0027Dev-0322 IOC match\u0027, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = UserId\\n),\\n(DeviceNetworkEvents\\n| where RemoteIP in (IPList)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort, LocalIP, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName, AlertDetail = \u0027Dev-0322 IOC match\u0027, UrlCustomEntity =RemoteUrl, ProcessCustomEntity = InitiatingProcessFileName\\n),\\n(WindowsFirewall\\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| project TimeGenerated, Computer, CommunicationDirection, SourceIP, DestinationIP, SourcePort, DestinationPort, Type\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\"), AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| project TimeGenerated,Resource, msg_s, Type\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where ClientIP in (IPList)\\n| extend timestamp = TimeGenerated, DNSName = Request_Name, IPCustomEntity = ClientIP, AlertDetail = \u0027Dev-0322 IOC match\u0027\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| project TimeGenerated,Resource, msg_s\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where SourceHost in (IPList)\\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost, AlertDetail = \u0027Dev-0322 IOC match\u0027\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend ParentImage = EventDetail.[20].[\\\"#text\\\"], Image = EventDetail.[4].[\\\"#text\\\"]\\n| where ( ParentImage has_any (parentprocess) and Image has_any (process))\\n| parse EventDetail with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256,Image, ParentImage \\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = SHA256, AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(DeviceFileEvents\\n| extend CommandLineIP = extract(IPRegex, 0,InitiatingProcessCommandLine)\\n| where (InitiatingProcessFileName in (process) and InitiatingProcessParentFileName in (parentprocess)) or CommandLineIP in (IPList)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RequestAccountName, RequestSourceIP, InitiatingProcessSHA256, Type, CommandLineIP\\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash, IPCustomEntity = CommandLineIP\\n),\\n(DeviceEvents\\n| extend CommandLineIP = extract(IPRegex, 0,InitiatingProcessCommandLine)\\n| where (InitiatingProcessFileName in (process) and InitiatingProcessParentFileName in (parentprocess)) or CommandLineIP in (IPList)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type, CommandLineIP\\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath, AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash, IPCustomEntity = CommandLineIP\\n),\\n(DeviceProcessEvents\\n| extend CommandLineIP = extract(IPRegex, 0,InitiatingProcessCommandLine)\\n| where (InitiatingProcessFileName in (process) and InitiatingProcessParentFileName in (parentprocess)) or CommandLineIP in (IPList)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type, CommandLineIP, AccountName\\n| extend Account = AccountName, Computer = DeviceName, IPAddress = CommandLineIP, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash, IPCustomEntity = IPAddress\\n),\\n( SecurityEvent\\n| where EventID == 4688\\n| extend CommandLineIP = extract(IPRegex, 0, CommandLine)\\n| where CommandLineIP in (IPList) or (NewProcessName has_any (process) and ParentProcessName has_any (parentprocess))\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type, CommandLine, CommandLineIP\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, AlertDetail = \u0027Dev-0322 IOC match\u0027, IPCustomEntity = CommandLineIP\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"DEV-0322 Serv-U related IOCs - July 2021\",\"description\":\"Identifies a match across IOC\u0027s related to DEV-0322 targeting SolarWinds Serv-U software.\",\"lastUpdatedDateUTC\":\"2021-11-30T00:00:00Z\",\"createdDateUTC\":\"2021-06-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceFileEvents\",\"DeviceEvents\",\"DeviceProcessEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d6491be0-ab2d-439d-95d6-ad8ea39277c5\",\"name\":\"d6491be0-ab2d-439d-95d6-ad8ea39277c5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"let SensitiveOperationList = dynamic(\\n[\\\"VaultDelete\\\", \\\"KeyDelete\\\", \\\"SecretDelete\\\", \\\"SecretPurge\\\", \\\"KeyPurge\\\", \\\"SecretBackup\\\", \\\"KeyBackup\\\"]);\\nAzureDiagnostics\\n| extend ResultType = columnifexists(\\\"ResultType\\\", \\\"NoResultType\\\")\\n| extend requestUri_s = columnifexists(\\\"requestUri_s\\\", \\\"None\\\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"None\\\")\\n| extend id_s = columnifexists(\\\"id_s\\\", \\\"None\\\"), CallerIPAddress = columnifexists(\\\"CallerIPAddress\\\", \\\"None\\\"), clientInfo_s = columnifexists(\\\"clientInfo_s\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \\\"None\\\" and isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\\n| where id_s !~ \\\"None\\\" and isnotempty(id_s)\\n| where CallerIPAddress !~ \\\"None\\\" and isnotempty(CallerIPAddress)\\n| where clientInfo_s !~ \\\"None\\\" and isnotempty(clientInfo_s)\\n| where requestUri_s !~ \\\"None\\\" and isnotempty(requestUri_s)\\n| where ResourceType =~ \\\"VAULTS\\\" and ResultType =~ \\\"Success\\\" \\n| where OperationName in~ (SensitiveOperationList) \\n| summarize EventCount=count(), StartTimeUtc=min(TimeGenerated), EndTimeUtc=max(TimeGenerated), TimeTriggered=makelist(TimeGenerated),OperationNameList=make_set(OperationName), RequestURLList=make_set(requestUri_s), CallerIPList = make_set(CallerIPAddress), CallerIPMax= arg_max(CallerIPAddress,*) by ResourceType, ResultType, Resource, id_s, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, clientInfo_s\\n| extend timestamp = StartTimeUtc, IPCustomEntity = CallerIPMax, AccountCustomEntity = identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Sensitive Azure Key Vault operations\",\"description\":\"Identifies when sensitive Azure Key Vault operations are used. This includes: VaultDelete, KeyDelete, SecretDelete, SecretPurge, KeyPurge, SecretBackup, KeyBackup. \\nAny Backup operations should match with expected scheduled backup activity.\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2019-07-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureKeyVault\",\"dataTypes\":[\"KeyVaultData\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/70b12a3b-4899-42cb-910c-5ffaf9d7997d\",\"name\":\"70b12a3b-4899-42cb-910c-5ffaf9d7997d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.6.1\",\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"0.ns1.dns-info.gq\\\", \\\"1.ns1.dns-info.gq\\\", \\\"10.ns1.dns-info.gq\\\", \\\"102.ns1.dns-info.gq\\\", \\n \\\"104.ns1.dns-info.gq\\\", \\\"11.ns1.dns-info.gq\\\", \\\"110.ns1.dns-info.gq\\\", \\\"115.ns1.dns-info.gq\\\", \\\"116.ns1.dns-info.gq\\\", \\n \\\"117.ns1.dns-info.gq\\\", \\\"118.ns1.dns-info.gq\\\", \\\"12.ns1.dns-info.gq\\\", \\\"120.ns1.dns-info.gq\\\", \\\"122.ns1.dns-info.gq\\\", \\n \\\"123.ns1.dns-info.gq\\\", \\\"128.ns1.dns-info.gq\\\", \\\"13.ns1.dns-info.gq\\\", \\\"134.ns1.dns-info.gq\\\", \\\"135.ns1.dns-info.gq\\\", \\n \\\"138.ns1.dns-info.gq\\\", \\\"14.ns1.dns-info.gq\\\", \\\"144.ns1.dns-info.gq\\\", \\\"15.ns1.dns-info.gq\\\", \\\"153.ns1.dns-info.gq\\\", \\n \\\"157.ns1.dns-info.gq\\\", \\\"16.ns1.dns-info.gq\\\", \\\"17.ns1.dns-info.gq\\\", \\\"18.ns1.dns-info.gq\\\", \\\"19.ns1.dns-info.gq\\\", \\n \\\"1a9604fa.ns1.feedsdns.com\\\", \\\"1c7606b6.ns1.steamappstore.com\\\", \\\"2.ns1.dns-info.gq\\\", \\\"20.ns1.dns-info.gq\\\", \\n \\\"201.ns1.dns-info.gq\\\", \\\"202.ns1.dns-info.gq\\\", \\\"204.ns1.dns-info.gq\\\", \\\"207.ns1.dns-info.gq\\\", \\\"21.ns1.dns-info.gq\\\", \\n \\\"210.ns1.dns-info.gq\\\", \\\"211.ns1.dns-info.gq\\\", \\\"216.ns1.dns-info.gq\\\", \\\"22.ns1.dns-info.gq\\\", \\\"220.ns1.dns-info.gq\\\", \\n \\\"223.ns1.dns-info.gq\\\", \\\"23.ns1.dns-info.gq\\\", \\\"24.ns1.dns-info.gq\\\", \\\"25.ns1.dns-info.gq\\\", \\\"26.ns1.dns-info.gq\\\", \\n \\\"27.ns1.dns-info.gq\\\", \\\"28.ns1.dns-info.gq\\\", \\\"29.ns1.dns-info.gq\\\", \\\"3.ns1.dns-info.gq\\\", \\\"30.ns1.dns-info.gq\\\", \\n \\\"31.ns1.dns-info.gq\\\", \\\"32.ns1.dns-info.gq\\\", \\\"33.ns1.dns-info.gq\\\", \\\"34.ns1.dns-info.gq\\\", \\\"35.ns1.dns-info.gq\\\", \\n \\\"36.ns1.dns-info.gq\\\", \\\"37.ns1.dns-info.gq\\\", \\\"39.ns1.dns-info.gq\\\", \\\"3d6fe4b2.ns1.steamappstore.com\\\", \\n \\\"4.ns1.dns-info.gq\\\", \\\"40.ns1.dns-info.gq\\\", \\\"42.ns1.dns-info.gq\\\", \\\"43.ns1.dns-info.gq\\\", \\\"44.ns1.dns-info.gq\\\", \\n \\\"45.ns1.dns-info.gq\\\", \\\"46.ns1.dns-info.gq\\\", \\\"48.ns1.dns-info.gq\\\", \\\"5.ns1.dns-info.gq\\\", \\\"50.ns1.dns-info.gq\\\", \\n \\\"50417.service.gstatic.dnset.com\\\", \\\"51.ns1.dns-info.gq\\\", \\\"52.ns1.dns-info.gq\\\", \\\"53.ns1.dns-info.gq\\\",\\n \\\"54.ns1.dns-info.gq\\\", \\\"55.ns1.dns-info.gq\\\", \\\"56.ns1.dns-info.gq\\\", \\\"57.ns1.dns-info.gq\\\", \\\"58.ns1.dns-info.gq\\\", \\n \\\"6.ns1.dns-info.gq\\\", \\\"60.ns1.dns-info.gq\\\", \\\"62.ns1.dns-info.gq\\\", \\\"63.ns1.dns-info.gq\\\", \\\"64.ns1.dns-info.gq\\\", \\n \\\"65.ns1.dns-info.gq\\\", \\\"67.ns1.dns-info.gq\\\", \\\"7.ns1.dns-info.gq\\\", \\\"70.ns1.dns-info.gq\\\", \\\"71.ns1.dns-info.gq\\\",\\n \\\"73.ns1.dns-info.gq\\\", \\\"77.ns1.dns-info.gq\\\", \\\"77075.service.gstatic.dnset.com\\\", \\\"7c1947fa.ns1.steamappstore.com\\\",\\n \\\"8.ns1.dns-info.gq\\\", \\\"81.ns1.dns-info.gq\\\", \\\"86.ns1.dns-info.gq\\\", \\\"87.ns1.dns-info.gq\\\", \\\"9.ns1.dns-info.gq\\\", \\n \\\"94343.service.gstatic.dnset.com\\\", \\\"9939.service.gstatic.dnset.com\\\", \\\"aa.ns.mircosoftdoc.com\\\", \\n \\\"aaa.feeds.api.ns1.feedsdns.com\\\", \\\"aaa.googlepublic.feeds.ns1.dns-info.gq\\\", \\n \\\"aaa.resolution.174547._get.cache.up.sourcedns.tk\\\", \\\"acc.microsoftonetravel.com\\\", \\n \\\"accounts.longmusic.com\\\", \\\"admin.dnstemplog.com\\\", \\\"agent.updatenai.com\\\", \\n \\\"alibaba.zzux.com\\\", \\\"api.feedsdns.com\\\", \\\"app.portomnail.com\\\", \\\"asia.updatenai.com\\\", \\n \\\"battllestategames.com\\\", \\\"bguha.serveuser.com\\\", \\\"binann-ce.com\\\", \\\"bing.dsmtp.com\\\", \\n \\\"blog.cdsend.xyz\\\", \\\"brives.minivineyapp.com\\\", \\\"bsbana.dynamic-dns.net\\\", \\n \\\"californiaforce.000webhostapp.com\\\", \\\"californiafroce.000webhostapp.com\\\", \\n \\\"cdn.freetcp.com\\\", \\\"cdsend.xyz\\\", \\\"cipla.zzux.com\\\", \\\"cloudfeeddns.com\\\", \\\"comcleanner.info\\\",\\n \\\"cs.microsoftsonline.net\\\", \\\"dns-info.gq\\\", \\\"dns05.cf\\\", \\\"dns22.ml\\\", \\\"dns224.com\\\", \\n \\\"dnsdist.org\\\", \\\"dnstemplog.com\\\", \\\"doc.mircosoftdoc.com\\\", \\\"dropdns.com\\\", \\n \\\"eshop.cdn.freetcp.com\\\", \\\"exchange.dumb1.com\\\", \\\"exchange.misecure.com\\\", \\\"exchange.mrbasic.com\\\",\\n \\\"facebookdocs.com\\\", \\\"facebookint.com\\\", \\\"facebookvi.com\\\", \\\"feed.ns1.dns-info.gq\\\", \\\"feedsdns.com\\\", \\n \\\"firejun.freeddns.com\\\", \\\"ftp.dns-info.dyndns.pro\\\", \\\"goallbandungtravel.com\\\", \\\"goodhk.azurewebsites.net\\\", \\n \\\"googlepublic.feed.ns1.dns-info.gq\\\", \\\"gp.spotifylite.cloud\\\", \\\"gskytop.com\\\", \\\"gstatic.dnset.com\\\", \\n \\\"gxxservice.com\\\", \\\"helpdesk.cdn.freetcp.com\\\", \\\"id.serveuser.com\\\", \\\"infestexe.com\\\", \\\"item.itemdb.com\\\",\\n \\\"m.mircosoftdoc.com\\\", \\\"mail.transferdkim.xyz\\\", \\\"mcafee.updatenai.com\\\", \\\"mecgjm.mircosoftdoc.com\\\",\\n \\\"microdocs.ga\\\", \\\"microsock.website\\\", \\\"microsocks.net\\\", \\\"microsoft.sendsmtp.com\\\", \\n \\\"microsoftbook.dns05.com\\\", \\\"microsoftcontactcenter.com\\\", \\\"microsoftdocs.dns05.com\\\", \\\"microsoftdocs.ml\\\", \\n \\\"microsoftonetravel.com\\\", \\\"microsoftonlines.net\\\", \\\"microsoftprod.com\\\", \\\"microsofts.dns1.us\\\", \\\"microsoftsonline.net\\\",\\n \\\"minivineyapp.com\\\", \\\"mircosoftdoc.com\\\", \\\"mircosoftdocs.com\\\", \\\"mlcrosoft.ninth.biz\\\", \\\"mlcrosoft.site\\\", \\n \\\"mm.portomnail.com\\\", \\\"msdnupdate.com\\\", \\\"msecdn.cloud\\\", \\\"mtnl1.dynamic-dns.net\\\", \\\"ns.gstatic.dnset.com\\\", \\n \\\"ns.microsoftprod.com\\\", \\\"ns.steamappstore.com\\\", \\\"ns1.cdn.freetcp.com\\\", \\\"ns1.comcleanner.info\\\", \\\"ns1.dns-info.gq\\\", \\n \\\"ns1.dns05.cf\\\", \\\"ns1.dnstemplog.com\\\", \\\"ns1.dropdns.com\\\", \\\"ns1.microsoftonetravel.com\\\", \\n \\\"ns1.microsoftonlines.net\\\", \\\"ns1.microsoftprod.com\\\", \\\"ns1.microsoftsonline.net\\\", \\\"ns1.mlcrosoft.site\\\", \\n \\\"ns1.teams.wikaba.com\\\", \\\"ns1.windowsdefende.com\\\", \\\"ns2.comcleanner.info\\\", \\\"ns2.dnstemplog.com\\\", \\n \\\"ns2.microsoftonetravel.com\\\", \\\"ns2.microsoftprod.com\\\", \\\"ns2.microsoftsonline.net\\\", \\\"ns2.mlcrosoft.site\\\", \\n \\\"ns2.windowsdefende.com\\\", \\\"ns3.microsoftprod.com\\\", \\\"ns3.mlcrosoft.site\\\", \\\"nutrition.mrbasic.com\\\", \\n \\\"nutrition.youdontcare.com\\\", \\\"online.mlcrosoft.site\\\", \\\"online.msdnupdate.com\\\", \\\"outlookservce.site\\\", \\n \\\"owa.jetos.com\\\", \\\"owa.otzo.com\\\", \\\"pornotime.co\\\", \\\"portomnail.com\\\", \\n \\\"post.1a0.066e063ac.7c1947fa.ns1.steamappstore.com\\\", \\\"pricingdmdk.com\\\", \\\"prod.microsoftprod.com\\\", \\n \\\"product.microsoftprod.com\\\", \\\"ptcl.yourtrap.com\\\", \\\"query.api.sourcedns.tk\\\", \\\"rb.itemdb.com\\\", \\\"redditcdn.com\\\", \\n \\\"rss.otzo.com\\\", \\\"secure.msdnupdate.com\\\", \\\"service.dns22.ml\\\", \\\"service.gstatic.dnset.com\\\", \\\"service04.dns04.com\\\", \\n \\\"settings.teams.wikaba.com\\\", \\\"sip.outlookservce.site\\\", \\\"sixindent.epizy.com\\\", \\\"soft.msdnupdate.com\\\", \\\"sourcedns.ml\\\", \\n \\\"sourcedns.tk\\\", \\\"sport.msdnupdate.com\\\", \\\"spotifylite.cloud\\\", \\\"static.misecure.com\\\", \\\"steamappstore.com\\\", \\n \\\"store.otzo.com\\\", \\\"survey.outlookservce.site\\\", \\\"team.itemdb.com\\\", \\\"temp221.com\\\", \\\"test.microsoftprod.com\\\", \\n \\\"thisisaaa.000webhostapp.com\\\", \\\"token.dns04.com\\\", \\\"token.dns05.com\\\", \\\"transferdkim.xyz\\\", \\n \\\"travelsanignacio.com\\\", \\\"update08.com\\\", \\\"updated08.com\\\", \\\"updatenai.com\\\", \\\"wantforspeed.com\\\",\\n \\\"web.mircosoftdoc.com\\\", \\\"webmail.pornotime.co\\\", \\\"webwhois.team.itemdb.com\\\", \\\"windowsdefende.com\\\", \\\"wnswindows.com\\\",\\n \\\"ashcrack.freetcp.com\\\", \\\"battllestategames.com\\\", \\\"binannce.com\\\", \\\"cdsend.xyz\\\", \\\"comcleanner.info\\\", \\\"microsock.website\\\", \\n \\\"microsocks.net\\\", \\\"microsoftsonline.net\\\", \\\"mlcrosoft.site\\\", \\\"notify.serveuser.com\\\", \\\"ns1.microsoftprod.com\\\", \\n \\\"ns2.microsoftprod.com\\\", \\\"pricingdmdk.com\\\", \\\"steamappstore.com\\\", \\\"update08.com\\\", \\\"wnswindows.com\\\", \\n \\\"youtube.dns05.com\\\", \\\"z1.zalofilescdn.com\\\", \\\"z2.zalofilescdn.com\\\", \\\"zalofilescdn.com\\\"]); \\n(union isfuzzy=true \\n (CommonSecurityLog \\n | parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n | where DNSName in~ (DomainNames) \\n | extend Account = SourceUserID, Computer = DeviceName, IPAddress = DestinationIP \\n ), \\n (_Im_Dns (domain_has_any=DomainNames)\\n | extend DNSName = DnsQuery \\n | extend IPAddress = SrcIpAddr, Computer = Dvc\\n ), \\n (_Im_WebSession (url_has_any=DomainNames)\\n | extend DNSName = tostring(parse_url(Url)[\\\"Host\\\"])\\n | extend IPAddress = SrcIpAddr, Computer = Dvc\\n ), \\n (VMConnection \\n | parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 * \\n | where isnotempty(DNSName) \\n | where DNSName in~ (DomainNames) \\n | extend IPAddress = RemoteIp \\n ), \\n ( \\n DeviceNetworkEvents \\n | where isnotempty(RemoteUrl) \\n | where RemoteUrl in~ (DomainNames) \\n | extend IPAddress = RemoteIP \\n | extend Computer = DeviceName \\n ),\\n (AzureDiagnostics \\n | where ResourceType == \\\"AZUREFIREWALLS\\\"\\n | where Category == \\\"AzureFirewallApplicationRule\\\"\\n | parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n | where isnotempty(DestinationHost)\\n | where DestinationHost has_any (DomainNames) \\n | extend DNSName = DestinationHost \\n | extend IPAddress = SourceHost\\n ) \\n ) \\n | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Known Barium domains\",\"description\":\"Identifies a match across various data feeds for domains IOCs related to the Barium activity group.\\n References: https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2020-11-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bff058b2-500e-4ae5-bb49-a5b1423cbd5b\",\"name\":\"bff058b2-500e-4ae5-bb49-a5b1423cbd5b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let fileAccessThrehold = 10;\\nOfficeActivity\\n | where OfficeWorkload =~ \\\"MicrosoftTeams\\\"\\n | where Operation =~ \\\"MemberAdded\\\"\\n | extend UPN = tostring(parse_json(Members)[0].UPN)\\n | where UPN contains (\\\"#EXT#\\\")\\n | project TimeAdded=TimeGenerated, Operation, UPN, UserWhoAdded = UserId, TeamName\\n | join kind = inner(\\n OfficeActivity\\n | where OfficeWorkload =~ \\\"MicrosoftTeams\\\"\\n | where Operation =~ \\\"MemberRemoved\\\"\\n | extend UPN = tostring(parse_json(Members)[0].UPN)\\n | where UPN contains (\\\"#EXT#\\\")\\n | project TimeDeleted=TimeGenerated, Operation, UPN, UserWhoDeleted = UserId, TeamName\\n ) on UPN\\n | where TimeDeleted \u003e TimeAdded\\n | join kind=inner \\n (\\n OfficeActivity\\n | where RecordType == \\\"SharePointFileOperation\\\"\\n | where SourceRelativeUrl has \\\"Microsoft Teams Chat Files\\\"\\n | where Operation == \\\"FileUploaded\\\"\\n | join kind = inner \\n (\\n OfficeActivity\\n | where RecordType == \\\"SharePointFileOperation\\\"\\n | where Operation == \\\"FileAccessed\\\"\\n | where SourceRelativeUrl has \\\"Microsoft Teams Chat Files\\\"\\n | summarize FileAccessCount = count() by OfficeObjectId\\n | where FileAccessCount \u003e fileAccessThrehold\\n ) on $left.OfficeObjectId == $right.OfficeObjectId\\n )on $left.UPN == $right.UserId\\n | extend timestamp=TimeGenerated, AccountCustomEntity = UserWhoAdded\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Accessed files shared by temporary external user\",\"description\":\"This detection identifies an external user is added to a Team or Teams chat\\nand shares a files which is accessed by many users (\u003e10) and the users is removed within short period of time. This might be\\nan indicator of suspicious activity.\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2020-08-18T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity (Teams)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/610d3850-c26f-4f20-8d86-f10fdf2425f5\",\"name\":\"610d3850-c26f-4f20-8d86-f10fdf2425f5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let EventNameList = dynamic([\\\"UpdateTrail\\\",\\\"DeleteTrail\\\",\\\"StopLogging\\\",\\\"DeleteFlowLogs\\\",\\\"DeleteEventBus\\\"]);\\nAWSCloudTrail\\n| where EventName in~ (EventNameList)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, \\nUserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion, EventSource\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Changes made to AWS CloudTrail logs\",\"description\":\"Attackers often try to hide their steps by deleting or stopping the collection of logs that could show their activity. \\nThis alert identifies any manipulation of AWS CloudTrail, Cloudwatch/EventBridge or VPC Flow logs.\\nMore Information: AWS CloudTrail API: https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_Operations.html\\nAWS Cloudwatch/Eventbridge API: https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_Operations.html\\nAWS DelteteFlowLogs API : https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteFlowLogs.html \",\"lastUpdatedDateUTC\":\"2022-01-11T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3fbc20a4-04c4-464e-8fcb-6667f53e4987\",\"name\":\"3fbc20a4-04c4-464e-8fcb-6667f53e4987\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let failureCountThreshold = 5;\\nlet successCountThreshold = 1;\\nlet authenticationWindow = 20m;\\nSigninLogs\\n| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\\n| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\n| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city)\\n| where AppDisplayName =~ \\\"Windows Sign In\\\"\\n// Split out failure versus non-failure types\\n| extend FailureOrSuccess = iff(ResultType in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\", \\\"70043\\\", \\\"70044\\\"), \\\"Success\\\", \\\"Failure\\\")\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), IPAddress = makeset(IPAddress), makeset(OS), makeset(Browser), makeset(City), \\nmakeset(ResultType), FailureCount = countif(FailureOrSuccess==\\\"Failure\\\"), SuccessCount = countif(FailureOrSuccess==\\\"Success\\\") \\nby bin(TimeGenerated, authenticationWindow), UserDisplayName, UserPrincipalName, AppDisplayName\\n| where FailureCount \u003e= failureCountThreshold and SuccessCount \u003e= successCountThreshold\\n| mvexpand IPAddress\\n| extend IPAddress = tostring(IPAddress)\\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Brute force attack against a Cloud PC\",\"description\":\"Identifies evidence of brute force activity against a Windows 365 Cloud PC by highlighting multiple authentication failures and by a successful authentication within a given time window.\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2021-10-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/173f8699-6af5-484a-8b06-8c47ba89b380\",\"name\":\"173f8699-6af5-484a-8b06-8c47ba89b380\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"// Adjust this value to change how many Teams should be deleted before including\\nlet max_delete_count = 3;\\n// Adjust this value to change the timewindow the query runs over\\n OfficeActivity\\n| where OfficeWorkload =~ \\\"MicrosoftTeams\\\" \\n| where Operation =~ \\\"TeamDeleted\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), DeletedTeams = make_set(TeamName) by UserId\\n| where array_length(DeletedTeams) \u003e max_delete_count\\n| extend timestamp = StartTime, AccountCustomEntity = UserId\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Multiple Teams deleted by a single user\",\"description\":\"This detection flags the occurrences of deleting multiple teams within an hour.\\nThis data is a part of Office 365 Connector in Microsoft Sentinel.\",\"lastUpdatedDateUTC\":\"2021-11-10T00:00:00Z\",\"createdDateUTC\":\"2020-09-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity (Teams)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9f9c1e51-4fb1-4510-a675-c7c2fb32f47e\",\"name\":\"9f9c1e51-4fb1-4510-a675-c7c2fb32f47e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let knotweed_sigs = dynamic([\\\"JumplumpDropper\\\", \\\"Jumplump\\\", \\\"Corelump\\\", \\\"Medcerc\\\", \\\"SuspModuleLoad\\\", \\\"Mexlib\\\"]);\\n let mde_data = (DeviceInfo\\n | extend DeviceName = tolower(DeviceName)\\n | join kind=rightouter ( SecurityAlert\\n | where ProviderName =~ \\\"MDATP\\\"\\n | extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n | extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)\\n | where ThreatFamilyName in~ (knotweed_sigs)\\n | extend CompromisedEntity = tolower(CompromisedEntity)\\n ) on $left.DeviceName == $right.CompromisedEntity);\\n let event_data = ( Event\\n | where EventID in (1006, 1009, 1116, 1119)\\n | extend ThreatData = parse_json(tostring(parse_json(tostring(parse_json(tostring(parse_xml(EventData).DataItem)).EventData)).Data))\\n | mv-expand ThreatData\\n | where tostring(ThreatData.[\\\"@Name\\\"]) == \\\"Threat Name\\\"\\n | extend EventData = parse_xml(EventData)\\n | where tostring(ThreatData.[\\\"#text\\\"]) has_any (knotweed_sigs));\\n union mde_data, event_data\\n | extend ThreatName = iif(isnotempty(ThreatName), ThreatName, tostring(ThreatData.[\\\"#text\\\"]))\\n | extend ThreatFamilyName = iif(isnotempty(ThreatFamilyName), ThreatFamilyName, split(tostring(ThreatData.[\\\"#text\\\"]), \\\"/\\\")[-1])\\n | extend TimeGenerated = iif(isnotempty(TimeGenerated), TimeGenerated, TimeGenerated1)\\n | extend DeviceName = iif(isnotempty(DeviceName), DeviceName, Computer)\\n | project-reorder TimeGenerated, CompromisedEntity, ThreatName, ThreatFamilyName\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"DeviceName\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"KNOTWEED AV Detection\",\"description\":\"This query looks for Microsoft Defender AV detections related to the KNOTWEED threat actor and the Corelump and Jumplump malware.\\n Ref: https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/\",\"lastUpdatedDateUTC\":\"2022-07-27T00:00:00Z\",\"createdDateUTC\":\"2022-07-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceInfo\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5f171045-88ab-4634-baae-a7b6509f483b\",\"name\":\"5f171045-88ab-4634-baae-a7b6509f483b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let Dev0530_threats = dynamic([\\\"Trojan:Win32/SiennaPurple.A\\\", \\\"Ransom:Win32/SiennaBlue.A\\\", \\\"Ransom:Win32/SiennaBlue.B\\\"]);\\nDeviceInfo\\n| extend DeviceName = tolower(DeviceName)\\n| join kind=inner ( SecurityAlert\\n| where ProviderName == \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)\\n| where ThreatName in~ (Dev0530_threats) or ThreatFamilyName in~ (Dev0530_threats)\\n| extend CompromisedEntity = tolower(CompromisedEntity)\\n) on $left.DeviceName == $right.CompromisedEntity\\n| summarize by DisplayName, ThreatName, ThreatFamilyName, PublicIP, AlertSeverity, Description, tostring(LoggedOnUsers), DeviceId, TenantId , bin(TimeGenerated, 1d), CompromisedEntity, tostring(LoggedOnUsers), ProductName, Entities\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CompromisedEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"PublicIP\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"AV detections related to Dev-0530 actors\",\"description\":\"This query looks for Microsoft Defender AV detections related to Dev-0530 actors. In Microsoft Sentinel the SecurityAlerts table includes only the Device Name of the affected device, \\n this query joins the DeviceInfo table to clearly connect other information such as Device group, ip, logged on users etc. This would allow the Microsoft Sentinel analyst to have more context related to the alert, if available.\",\"lastUpdatedDateUTC\":\"2022-07-14T00:00:00Z\",\"createdDateUTC\":\"2022-04-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fbfbf530-506b-49a4-81ad-4030885a195c\",\"name\":\"fbfbf530-506b-49a4-81ad-4030885a195c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let alertTimeWindow = 1h;\\nlet logTimeWindow = 7d;\\n// Define script extensions that suit your web application environment - a sample are provided below\\nlet scriptExtensions = dynamic([\\\".php\\\", \\\".jsp\\\", \\\".js\\\", \\\".aspx\\\", \\\".asmx\\\", \\\".asax\\\", \\\".cfm\\\", \\\".shtml\\\"]); \\nlet alertData = materialize(SecurityAlert \\n| where TimeGenerated \u003e ago(alertTimeWindow) \\n| where ProviderName == \\\"MDATP\\\" \\n// Parse and expand the alert JSON \\n| extend alertData = parse_json(Entities) \\n| mvexpand alertData);\\nlet fileData = alertData\\n// Extract web script files from MDATP alerts - our malicious web scripts - candidate webshells\\n| where alertData.Type =~ \\\"file\\\" \\n| where alertData.Name has_any(scriptExtensions) \\n| extend FileName = tostring(alertData.Name), Directory = tostring(alertData.Directory);\\nlet hostData = alertData\\n// Extract server details from alerts and map to alert id\\n| where alertData.Type =~ \\\"host\\\"\\n| project HostName = tostring(alertData.HostName), DnsDomain = tostring(alertData.DnsDomain), SystemAlertId\\n| distinct HostName, DnsDomain, SystemAlertId;\\n// Join the files on their impacted servers\\nlet webshellData = fileData\\n| join kind=inner (hostData) on SystemAlertId \\n| project TimeGenerated, FileName, Directory, HostName, DnsDomain;\\nwebshellData\\n| join ( \\n// Find requests that were made to this file on the impacted server in the W3CIISLog table \\nW3CIISLog \\n| where TimeGenerated \u003e ago(logTimeWindow) \\n// Restrict to accesses to script extensions \\n| where csUriStem has_any(scriptExtensions)\\n| extend splitUriStem = split(csUriStem, \\\"/\\\") \\n| extend FileName = splitUriStem[-1], HostName = sComputerName\\n// Summarize potential attacker activity\\n| summarize count(), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), RequestUserAgents=make_set(csUserAgent), ReqestMethods=make_set(csMethod), RequestStatusCodes=make_set(scStatus), RequestCookies=make_set(csCookie), RequestReferers=make_set(csReferer), RequestQueryStrings=make_set(csUriQuery) by AttackerIP=cIP, SiteName=sSiteName, ShellLocation=csUriStem, tostring(FileName), HostName \\n) on FileName, HostName\\n| project StartTime, EndTime, AttackerIP, RequestUserAgents, HostName, SiteName, ShellLocation, ReqestMethods, RequestStatusCodes, RequestCookies, RequestReferers, RequestQueryStrings, RequestCount = count_\\n// Expose the attacker ip address as a custom entity\\n| extend timestamp=StartTime, IPCustomEntity = AttackerIP, HostCustomEntity = HostName\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Malicious web application requests linked with Microsoft Defender for Endpoint (formerly Microsoft Defender ATP) alerts\",\"description\":\"Takes Microsoft Defender for Endpoint (formerly Microsoft Defender ATP) alerts where web scripts are present in the evidence and correlates with requests made to those scripts\\nin the WCSIISLog to surface new alerts for potentially malicious web request activity.\\nThe lookback for alerts is set to 1h and the lookback for W3CIISLogs is set to 7d. A sample set of popular web script extensions\\nhas been provided in scriptExtensions that should be tailored to your environment.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-05-21T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftDefenderAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5f0d80db-3415-4265-9d52-8466b7372e3a\",\"name\":\"5f0d80db-3415-4265-9d52-8466b7372e3a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"AzureDevOpsAuditing\\n| where AuthenticationMechanism startswith \\\"PAT\\\"\\n// Look for useragents that include a redenring engine\\n| where UserAgent has_any (\\\"Gecko\\\", \\\"WebKit\\\", \\\"Presto\\\", \\\"Trident\\\", \\\"EdgeHTML\\\", \\\"Blink\\\")\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Azure DevOps PAT used with Browser.\",\"description\":\"Personal Access Tokens (PATs) are used as an alternate password to authenticate into Azure DevOps. PATs are intended for programmatic access use in code or applications. \\nThis can be prone to attacker theft if not adequately secured. This query looks for the use of a PAT in authentication but from a User Agent indicating a browser. \\nThis should not be normal activity and could be an indicator of an attacker using a stolen PAT.\",\"lastUpdatedDateUTC\":\"2022-01-16T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/86a036b2-3686-42eb-b417-909fc0867771\",\"name\":\"86a036b2-3686-42eb-b417-909fc0867771\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AzureActivity\\n| where CategoryValue == \u0027Administrative\u0027\\n| where ResourceProviderValue =~ \u0027Microsoft.ADHybridHealthService\u0027\\n| where _ResourceId contains \u0027AdFederationService\u0027\\n| where OperationNameValue =~ \u0027Microsoft.ADHybridHealthService/services/delete\u0027\\n| extend claimsJson = parse_json(Claims)\\n| extend AppId = tostring(claimsJson.appid)\\n| extend AccountName = tostring(claimsJson.name)\\n| project-away claimsJson\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure Active Directory Hybrid Health AD FS Service Delete\",\"description\":\"This detection uses AzureActivity logs (Administrative category) to identify the deletion of an Azure AD Hybrid health AD FS service instance in a tenant.\\nA threat actor can create a new AD Health ADFS service and create a fake server to spoof AD FS signing logs.\\nThe health AD FS service can then be deleted after it is not longer needed via HTTP requests to Azure.\\nMore information in this blog https://o365blog.com/post/hybridhealthagent/\",\"lastUpdatedDateUTC\":\"2022-01-17T00:00:00Z\",\"createdDateUTC\":\"2021-08-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b2c15736-b9eb-4dae-8b02-3016b6a45a32\",\"name\":\"b2c15736-b9eb-4dae-8b02-3016b6a45a32\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\n// The number of operations below which an IP address is considered an unusual source of role assignment operations\\nlet alertOperationThreshold = 5;\\nlet createRoleAssignmentActivity = AzureActivity\\n| where OperationNameValue =~ \\\"microsoft.authorization/roleassignments/write\\\";\\ncreateRoleAssignmentActivity \\n| where TimeGenerated between (ago(starttime) .. ago(endtime))\\n| summarize count() by CallerIpAddress, Caller\\n| where count_ \u003e= alertOperationThreshold\\n| join kind = rightanti ( \\ncreateRoleAssignmentActivity\\n| where TimeGenerated \u003e ago(endtime)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = make_set(TimeGenerated), ActivityStatusValue = make_set(ActivityStatusValue), \\nOperationIds = make_set(OperationId), CorrelationId = make_set(CorrelationId), ActivityCountByCallerIPAddress = count() \\nby ResourceId, CallerIpAddress, Caller, OperationNameValue, Resource, ResourceGroup\\n) on CallerIpAddress, Caller\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Suspicious granting of permissions to an account\",\"description\":\"Identifies IPs from which users grant access to other users on azure resources and alerts when a previously unseen source IP address is used.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2019-02-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9fb57e58-3ed8-4b89-afcf-c8e786508b1c\",\"name\":\"9fb57e58-3ed8-4b89-afcf-c8e786508b1c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let szOperationNames = dynamic([\\\"Microsoft.Compute/virtualMachines/write\\\", \\\"Microsoft.Resources/deployments/write\\\"]);\\nlet starttime = 14d;\\nlet endtime = 1d;\\nlet RareCaller = AzureActivity\\n| where TimeGenerated between (ago(starttime) .. ago(endtime))\\n| where OperationNameValue in~ (szOperationNames)\\n| project ResourceGroup, Caller, OperationNameValue, CallerIpAddress\\n| join kind=rightantisemi (\\nAzureActivity\\n| where TimeGenerated \u003e ago(endtime)\\n| where OperationNameValue in~ (szOperationNames)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityStatusValue = makeset(ActivityStatusValue), OperationIds = makeset(OperationId), CallerIpAddress = makeset(CallerIpAddress) \\nby ResourceId, Caller, OperationNameValue, Resource, ResourceGroup\\n) on Caller, ResourceGroup \\n| mvexpand CallerIpAddress\\n| where isnotempty(CallerIpAddress);\\nlet Counts = RareCaller | summarize ActivityCountByCaller = count() by Caller;\\nRareCaller | join kind= inner (Counts) on Caller | project-away Caller1\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = tostring(CallerIpAddress)\\n| sort by ActivityCountByCaller desc nulls last\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Suspicious Resource deployment\",\"description\":\"Identifies when a rare Resource and ResourceGroup deployment occurs by a previously unseen Caller.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4902eddb-34f7-44a8-ac94-8486366e9494\",\"name\":\"4902eddb-34f7-44a8-ac94-8486366e9494\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.0\",\"severity\":\"Medium\",\"query\":\"let threshold = 5000;\\n_Im_NetworkSession(eventresult=\u0027Failure\u0027)\\n| summarize Count=count() by SrcIpAddr, bin(TimeGenerated,5m)\\n| where Count \u003e threshold\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr\",\"customDetails\":{\"NumberOfDenies\":\"Count\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Excessive number of failed connections from {{SrcIpAddr}}\",\"alertDescriptionFormat\":\"The client at address {{SrcIpAddr}} generated more than {{threshold}} failures over a 5 minutes time window, which may indicate malicious activity.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"Impact\"],\"displayName\":\"Excessive number of failed connections from a single source (ASIM Network Session schema)\",\"description\":\"This rule identifies that a single source generates an excessive amount of failed connections. Modify the threshold to change the sensitivity of the rule: the higher the threshold, the less sensitive is the rule and less incidents will be generated.\u003cbr\u003e\u003cbr\u003e\\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema\",\"lastUpdatedDateUTC\":\"2022-04-10T00:00:00Z\",\"createdDateUTC\":\"2021-12-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f7c3f5c8-71ea-49ff-b8b3-148f0e346291\",\"name\":\"f7c3f5c8-71ea-49ff-b8b3-148f0e346291\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let known_locations = (SigninLogs\\n | where TimeGenerated between(ago(7d)..ago(1d))\\n | where ResultType == 0\\n | extend LocationDetail = strcat(Location, \\\"-\\\", LocationDetails.state)\\n | summarize by LocationDetail);\\n let known_asn = (SigninLogs\\n | where TimeGenerated between(ago(7d)..ago(1d))\\n | where ResultType == 0\\n | summarize by AutonomousSystemNumber);\\n SigninLogs\\n | where TimeGenerated \u003e ago(1d)\\n | where ResultType == 0\\n | where isempty(DeviceDetail.deviceId)\\n | where AuthenticationRequirement == \\\"singleFactorAuthentication\\\"\\n | extend LocationDetail = strcat(Location, \\\"-\\\", LocationDetails.state)\\n | where AutonomousSystemNumber !in (known_asn) and LocationDetail !in (known_locations)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"UserPrincipalName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Anomolous Single Factor Signin\",\"description\":\"Detects successful signins using single factor authentication where the device, location, and ASN are abnormal.\\n Single factor authentications pose an opportunity to access compromised accounts, investigate these for anomalous occurrencess.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-devices#non-compliant-device-sign-in\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1572e66b-20a7-4012-9ec4-77ec4b101bc8\",\"name\":\"1572e66b-20a7-4012-9ec4-77ec4b101bc8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let starttime = 1d;\\nlet endtime = 1h;\\nlet prev23hThreshold = 4;\\nlet prev1hThreshold = 15;\\nlet Kerbevent = (union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e= ago(starttime)\\n| where EventID == 4769\\n| parse EventData with * \u0027TicketEncryptionType\\\"\u003e\u0027 TicketEncryptionType \\\"\u003c\\\" *\\n| where TicketEncryptionType == \u00270x17\u0027\\n| parse EventData with * \u0027TicketOptions\\\"\u003e\u0027 TicketOptions \\\"\u003c\\\" *\\n| where TicketOptions == \u00270x40810000\u0027\\n| parse EventData with * \u0027Status\\\"\u003e\u0027 Status \\\"\u003c\\\" *\\n| where Status == \u00270x0\u0027\\n| parse EventData with * \u0027ServiceName\\\"\u003e\u0027 ServiceName \\\"\u003c\\\" *\\n| where ServiceName !contains \\\"$\\\" and ServiceName !contains \\\"krbtgt\\\" \\n| parse EventData with * \u0027TargetUserName\\\"\u003e\u0027 TargetUserName \\\"\u003c\\\" *\\n| where TargetUserName !contains \\\"$@\\\" and TargetUserName !contains ServiceName\\n| parse EventData with * \u0027IpAddress\\\"\u003e::ffff:\u0027 ClientIPAddress \\\"\u003c\\\" *\\n),\\n(\\nWindowsEvent\\n| where TimeGenerated \u003e= ago(starttime)\\n| where EventID == 4769 and EventData has \u00270x17\u0027 and EventData has \u00270x40810000\u0027 and EventData has \u0027krbtgt\u0027\\n| extend TicketEncryptionType = tostring(EventData.TicketEncryptionType)\\n| where TicketEncryptionType == \u00270x17\u0027\\n| extend TicketOptions = tostring(EventData.TicketOptions)\\n| where TicketOptions == \u00270x40810000\u0027\\n| extend Status = tostring(EventData.Status)\\n| where Status == \u00270x0\u0027\\n| extend ServiceName = tostring(EventData.ServiceName)\\n| where ServiceName !contains \\\"$\\\" and ServiceName !contains \\\"krbtgt\\\"\\n| extend TargetUserName = tostring(EventData.TargetUserName) \\n| where TargetUserName !contains \\\"$@\\\" and TargetUserName !contains ServiceName\\n| extend ClientIPAddress = tostring(EventData.IpAddress) \\n));\\nlet Kerbevent23h = Kerbevent\\n| where TimeGenerated \u003e= ago(starttime) and TimeGenerated \u003c ago(endtime)\\n| summarize ServiceNameCountPrev23h = dcount(ServiceName), ServiceNameSet23h = makeset(ServiceName) \\nby Computer, TargetUserName,TargetDomainName, ClientIPAddress, TicketOptions, TicketEncryptionType, Status\\n| where ServiceNameCountPrev23h \u003c prev23hThreshold;\\nlet Kerbevent1h = \\nKerbevent\\n| where TimeGenerated \u003e= ago(endtime)\\n| summarize min(TimeGenerated), max(TimeGenerated), ServiceNameCountPrev1h = dcount(ServiceName), ServiceNameSet1h = makeset(ServiceName) \\nby Computer, TargetUserName,TargetDomainName, ClientIPAddress, TicketOptions, TicketEncryptionType, Status;\\nKerbevent1h \\n| join kind=leftanti\\n(\\nKerbevent23h\\n) on TargetUserName, TargetDomainName\\n// Threshold value set above is based on testing, this value may need to be changed for your environment.\\n| where ServiceNameCountPrev1h \u003e prev1hThreshold\\n| project StartTimeUtc = min_TimeGenerated, EndTimeUtc = max_TimeGenerated, TargetUserName, Computer, ClientIPAddress, TicketOptions, \\nTicketEncryptionType, Status, ServiceNameCountPrev1h, ServiceNameSet1h, TargetDomainName\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = strcat(TargetDomainName,\\\"\\\\\\\\\\\", TargetUserName), HostCustomEntity = Computer, IPCustomEntity = ClientIPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Potential Kerberoasting\",\"description\":\"A service principal name (SPN) is used to uniquely identify a service instance in a Windows environment. \\nEach SPN is usually associated with a service account. Organizations may have used service accounts with weak passwords in their environment. \\nAn attacker can try requesting Kerberos ticket-granting service (TGS) service tickets for any SPN from a domain controller (DC) which contains \\na hash of the Service account. This can then be used for offline cracking. This hunting query looks for accounts that are generating excessive \\nrequests to different resources within the last hour compared with the previous 24 hours. Normal users would not make an unusually large number \\nof request within a small time window. This is based on 4769 events which can be very noisy so environment based tweaking might be needed.\",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2019-04-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/508cef41-2cd8-4d40-a519-b04826a9085f\",\"name\":\"508cef41-2cd8-4d40-a519-b04826a9085f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n| where EventID == 1102 and EventSourceName == \\\"Microsoft-Windows-Eventlog\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), EventCount = count() by Computer, Account, EventID, Activity\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"NRT Security Event log cleared\",\"description\":\"Checks for event id 1102 which indicates the security event log was cleared.\\nIt uses Event Source Name \\\"Microsoft-Windows-Eventlog\\\" to avoid generating false positives from other sources, like AD FS servers for instance.\",\"lastUpdatedDateUTC\":\"2022-02-07T00:00:00Z\",\"createdDateUTC\":\"2019-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3ff0fffb-d963-40c0-b235-3404f915add7\",\"name\":\"3ff0fffb-d963-40c0-b235-3404f915add7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"GitHubAudit\\n| where Action == \\\"org.disable_two_factor_requirement\\\"\\n| project TimeGenerated, Action, Actor, Country, IPaddress, Repository\\n| extend AccountCustomEntity = Actor, IPCustomEntity = IPaddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"GitHub Two Factor Auth Disable\",\"description\":\"Two-factor authentication is a process where a user is prompted during the sign-in process for an additional form of identification, such as to enter a code on their cellphone or to provide a fingerprint scan. Two factor authentication reduces the risk of account takeover. Attacker will want to disable such security tools in order to go undetected. \",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ce02935c-cc67-4b77-9b96-93d9947e119a\",\"name\":\"ce02935c-cc67-4b77-9b96-93d9947e119a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"acrobatrelay.com\\\", \\\"finconsult.cc\\\", \\\"realmetaldns.com\\\"]); \\n(union isfuzzy=true \\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where DNSName in~ (DomainNames) \\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = DestinationIP \\n), \\n(_Im_Dns (domain_has_any=DomainNames)\\n| extend DNSName = DnsQuery \\n| extend IPAddress = SrcIpAddr, Computer = Dvc\\n), \\n(_Im_WebSession (url_has_any=DomainNames)\\n| extend DNSName = tostring(parse_url(Url)[\\\"Host\\\"])\\n| extend IPAddress = SrcIpAddr, Computer = Dvc\\n), \\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 * \\n| where isnotempty(DNSName) \\n| where DNSName in~ (DomainNames) \\n| extend IPAddress = RemoteIp \\n), \\n( \\n DeviceNetworkEvents \\n| where isnotempty(RemoteUrl) \\n| where RemoteUrl has_any (DomainNames) \\n| extend IPAddress = RemoteIP \\n| extend Computer = DeviceName \\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPAddress = SourceHost\\n) \\n) \\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"KNOTWEED C2 Domains July 2022\",\"description\":\"This query looks for references to known KNOTWEED Domains in network logs.\\n This query was published July 2022.\\n Ref: https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/\",\"lastUpdatedDateUTC\":\"2022-07-27T00:00:00Z\",\"createdDateUTC\":\"2022-07-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/594c653d-719a-4c23-b028-36e3413e632e\",\"name\":\"594c653d-719a-4c23-b028-36e3413e632e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"GitHubAudit\\n| where Action == \\\"org.disable_two_factor_requirement\\\"\\n| project TimeGenerated, Action, Actor, Country, IPaddress, Repository\\n| extend AccountCustomEntity = Actor, IPCustomEntity = IPaddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"NRT GitHub Two Factor Auth Disable\",\"description\":\"Two-factor authentication is a process where a user is prompted during the sign-in process for an additional form of identification, such as to enter a code on their cellphone or to provide a fingerprint scan. Two factor authentication reduces the risk of account takeover. Attacker will want to disable such security tools in order to go undetected. \",\"lastUpdatedDateUTC\":\"2022-05-22T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/50cbf34a-4cdd-45d7-b3f5-8b53a1d0d14f\",\"name\":\"50cbf34a-4cdd-45d7-b3f5-8b53a1d0d14f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"Event\\n| where EventLog == \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID==1\\n| parse EventData with * \u0027CommandLine\\\"\u003e\u0027 CommandLine \\\"\u003c\\\" * \u0027ParentCommandLine\\\"\u003e\u0027 ParentCommandLine \\\"\u003c\\\" *\\n| where ParentCommandLine == \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe -k DcomLaunch\\\" and CommandLine == \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\mmc.exe -Embedding\\\"\\n| parse EventData with * \u0027ProcessGuid\\\"\u003e\u0027 ProcessGuid \\\"\u003c\\\" * \u0027Image\\\"\u003e\u0027 Image \\\"\u003c\\\" * \u0027Description\\\"\u003e\u0027 Description \\\"\u003c\\\" * \u0027CurrentDirectory\\\"\u003e\u0027 CurrentDirectory \\\"\u003c\\\" * \u0027User\\\"\u003e\u0027 User \\\"\u003c\\\" * \u0027LogonGuid\\\"\u003e\u0027 LogonGuid \\\"\u003c\\\" * \u0027ParentProcessGuid\\\"\u003e\u0027 ParentProcessGuid \\\"\u003c\\\" * \u0027ParentImage\\\"\u003e\u0027 ParentImage \\\"\u003c\\\" * \u0027ParentCommandLine\\\"\u003e\u0027 ParentCommandLine \\\"\u003c\\\" * \u0027ParentUser\\\"\u003e\u0027 ParentUser \\\"\u003c\\\" *\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, User, ParentImage, ParentProcessGuid, ParentCommandLine, ParentUser, Image, ProcessGuid, CommandLine, Description\",\"entityMappings\":[{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLine\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"User\"}]}],\"tactics\":[\"LateralMovement\"],\"displayName\":\"Lateral Movement via DCOM\",\"description\":\"This query detects a fairly uncommon attack technique using the Windows Distributed Component Object Model (DCOM) to make a remote execution call to another computer system and gain lateral movement throughout the network.\\nRef: http://thenegative.zone/incident%20response/2017/02/04/MMC20.Application-Lateral-Movement-Analysis.html\",\"lastUpdatedDateUTC\":\"2022-03-11T00:00:00Z\",\"createdDateUTC\":\"2022-03-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b1832f60-6c3d-4722-a0a5-3d564ee61a63\",\"name\":\"b1832f60-6c3d-4722-a0a5-3d564ee61a63\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let HAS_ANY_MAX = 10000;\\nlet dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation\\nlet DOMAIN_TI=ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(DomainName);\\nlet DOMAIN_TI_list= todynamic(toscalar(DOMAIN_TI | summarize NIoCs = dcount(DomainName), Domains = make_set(DomainName) \\n | project Domains=iff(NIoCs \u003e HAS_ANY_MAX, dynamic([]), Domains) ));\\nDOMAIN_TI\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n _Im_WebSession(starttime=ago(dt_lookBack), url_has_any= DOMAIN_TI_list )\\n //Extract domain patterns from syslog message\\n | extend domain = tostring(parse_url(Url)[\\\"Host\\\"])\\n | where isnotempty(domain)\\n | extend tld = tostring(split(domain, \u0027.\u0027)[-1])\\n | extend Event_TimeGenerated = TimeGenerated\\n) on $left.DomainName==$right.domain\\n| where Event_TimeGenerated \u003c ExpirationDateTime\\n| summarize Event_TimeGenerated = arg_max(Event_TimeGenerated , *) by IndicatorId, domain\\n| project Event_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, domain, SrcIpAddr, Url\",\"customDetails\":{\"EventTime\":\"Event_TimeGenerated\",\"IoCDescription\":\"Description\",\"ActivityGroupNames\":\"ActivityGroupNames\",\"IndicatorId\":\"IndicatorId\",\"ThreatType\":\"ThreatType\",\"IoCExpirationTime\":\"ExpirationDateTime\",\"IoCConfidenceScore\":\"ConfidenceScore\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"A web request from {{SrcIpAddr}} to hostname {{domain}} matched an IoC\",\"alertDescriptionFormat\":\"A client with address {{SrcIpAddr}} requested the URL {{Url}}, whose hostname is a known indicator of compromise of {{ThreatType}}. Consult the threat intelligence blead for more information on the indicator.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"Impact\"],\"displayName\":\"(Preview) TI map Domain entity to Web Session Events (ASIM Web Session schema)\",\"description\":\"This rule identifies Web Sessions for which the target URL hostname is a known IoC. \u003cbr\u003e\u003cbr\u003eThis rule uses the [Advanced Security Information Model (ASIM)](https://aka.ms/AboutSIM) and supports any web session source that complies with ASIM.\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2022-03-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/643c2025-9604-47c5-833f-7b4b9378a1f5\",\"name\":\"643c2025-9604-47c5-833f-7b4b9378a1f5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"//Adjust this threshold to fit your environment\\nlet signin_threshold = 5; \\n//Make a list of IPs with AAD signin failures above our threshold\\nlet aadFunc = (tableName:string){\\nlet Suspicious_signins = \\ntable(tableName)\\n| where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n| where IPAddress !in (\\\"127.0.0.1\\\", \\\"::1\\\")\\n| summarize count() by IPAddress\\n| where count_ \u003e signin_threshold\\n| summarize make_set(IPAddress);\\nSuspicious_signins\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nlet Suspicious_signins = \\nunion isfuzzy=true aadSignin, aadNonInt\\n| summarize make_set(set_IPAddress);\\n//See if any of those IPs have sucessfully logged into the AWS console\\nAWSCloudTrail\\n| where EventName =~ \\\"ConsoleLogin\\\"\\n| extend LoginResult = tostring(parse_json(ResponseElements).ConsoleLogin) \\n| where LoginResult =~ \\\"Success\\\"\\n| where SourceIpAddress in (Suspicious_signins)\\n| extend Reason = \\\"Multiple failed AAD logins from IP address\\\"\\n| extend MFAUsed = tostring(parse_json(AdditionalEventData).MFAUsed)\\n| extend User = iif(isempty(UserIdentityUserName), UserIdentityType, UserIdentityUserName) \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by Reason, LoginResult, EventTypeName, UserIdentityType, User, AWSRegion, SourceIpAddress, UserAgent, MFAUsed\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User, IPCustomEntity = SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"Failed AzureAD logons but success logon to AWS Console\",\"description\":\"Identifies a list of IP addresses with a minimum number(defualt of 5) of failed logon attempts to Azure Active Directory.\\nUses that list to identify any successful AWS Console logons from these IPs within the same timeframe.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7d6d8a8e-b08a-4082-8dbb-d7fd2cbbc35e\",\"name\":\"7d6d8a8e-b08a-4082-8dbb-d7fd2cbbc35e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"High\",\"query\":\"let scriptExtensions = dynamic([\\\".php\\\", \\\".jsp\\\", \\\".js\\\", \\\".aspx\\\", \\\".asmx\\\", \\\".asax\\\", \\\".cfm\\\", \\\".shtml\\\"]);\\nunion isfuzzy=true\\n(SecurityEvent\\n| where EventID == 4663\\n| where Process has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| where ObjectName has_any (scriptExtensions)\\n| where AccessMask in (\u00270x2\u0027,\u00270x100\u0027, \u00270x10\u0027, \u00270x4\u0027)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress\\n),\\n (WindowsEvent\\n| where EventID == 4663 and EventData has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\") and EventData has_any (scriptExtensions) \\n| where EventData has_any (\u00270x2\u0027,\u00270x100\u0027, \u00270x10\u0027, \u00270x4\u0027)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where Process has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| extend ObjectName = tostring(EventData.ObjectName)\\n| where ObjectName has_any (scriptExtensions)\\n| extend AccessMask = tostring(EventData.AccessMask)\\n| where AccessMask in (\u00270x2\u0027,\u00270x100\u0027, \u00270x10\u0027, \u00270x4\u0027)\\n| extend Account = strcat(EventData.SubjectDomainName,\\\"\\\\\\\\\\\", EventData.SubjectUserName)\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress\\n),\\n(imFileEvent\\n| where EventType == \\\"FileCreated\\\"\\n| where ActingProcessName has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n and\\n TargetFileName has_any (scriptExtensions)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUsername, HostCustomEntity = DvcHostname\\n),\\n(DeviceFileEvents\\n| where ActionType =~ \\\"FileCreated\\\"\\n| where InitiatingProcessFileName has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| where FileName has_any(scriptExtensions)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountUpn, HostCustomEntity = DeviceName, IPCustomEntity = RequestSourceIP)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingProcessAccountUpn\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DeviceName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"HAFNIUM UM Service writing suspicious file\",\"description\":\"This query looks for the Exchange server UM process writing suspicious files that may be indicative of webshells.\\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-03-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d714ef62-1a56-4779-804f-91c4158e528d\",\"name\":\"d714ef62-1a56-4779-804f-91c4158e528d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let ImagesList = dynamic ([\\\"sethc.exe\\\",\\\"utilman.exe\\\",\\\"osk.exe\\\",\\\"Magnify.exe\\\",\\\"Narrator.exe\\\",\\\"DisplaySwitch.exe\\\",\\\"AtBroker.exe\\\"]); \\nlet OriginalFileNameList = dynamic ([\\\"sethc.exe\\\",\\\"utilman.exe\\\",\\\"osk.exe\\\",\\\"Magnify.exe\\\",\\\"Narrator.exe\\\",\\\"DisplaySwitch.exe\\\",\\\"AtBroker.exe\\\",\\\"SR.exe\\\",\\\"utilman2.exe\\\",\\\"ScreenMagnifier.exe\\\"]); \\nEvent\\n| where EventLog == \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID==1\\n| parse EventData with * \u0027Image\\\"\u003e\u0027 Image \\\"\u003c\\\" * \u0027OriginalFileName\\\"\u003e\u0027 OriginalFileName \\\"\u003c\\\" *\\n| where Image has_any (ImagesList) and not (OriginalFileName has_any (OriginalFileNameList))\\n| parse EventData with * \u0027ProcessGuid\\\"\u003e\u0027 ProcessGuid \\\"\u003c\\\" * \u0027Description\\\"\u003e\u0027 Description \\\"\u003c\\\" * \u0027CommandLine\\\"\u003e\u0027 CommandLine \\\"\u003c\\\" * \u0027CurrentDirectory\\\"\u003e\u0027 CurrentDirectory \\\"\u003c\\\" * \u0027User\\\"\u003e\u0027 User \\\"\u003c\\\" * \u0027LogonGuid\\\"\u003e\u0027 LogonGuid \\\"\u003c\\\" * \u0027Hashes\\\"\u003e\u0027 Hashes \\\"\u003c\\\" * \u0027ParentProcessGuid\\\"\u003e\u0027 ParentProcessGuid \\\"\u003c\\\" * \u0027ParentImage\\\"\u003e\u0027 ParentImage \\\"\u003c\\\" * \u0027ParentCommandLine\\\"\u003e\u0027 ParentCommandLine \\\"\u003c\\\" * \u0027ParentUser\\\"\u003e\u0027 ParentUser \\\"\u003c\\\" *\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, User, ParentImage, ParentProcessGuid, ParentCommandLine, ParentUser, Image, ProcessGuid, CommandLine, Description, OriginalFileName, CurrentDirectory, Hashes\",\"entityMappings\":[{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLine\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Modification of Accessibility Features\",\"description\":\"Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Windows contains accessibility features that may be launched with a key combination before a user has logged in (ex: when the user is on the Windows logon screen). An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.\\n Two common accessibility programs are C:\\\\Windows\\\\System32\\\\sethc.exe, launched when the shift key is pressed five times and C:\\\\Windows\\\\System32\\\\utilman.exe, launched when the Windows + U key combination is pressed. The sethc.exe program is often referred to as \\\"sticky keys\\\", and has been used by adversaries for unauthenticated access through a remote desktop login screen. [1]\\nRef: https://attack.mitre.org/techniques/T1546/008/\",\"lastUpdatedDateUTC\":\"2022-03-11T00:00:00Z\",\"createdDateUTC\":\"2022-03-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f8dad4e9-3f19-4d70-ab7f-8f19ccd43a3e\",\"name\":\"f8dad4e9-3f19-4d70-ab7f-8f19ccd43a3e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":1,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let threshold = 1;\\nAzureDiagnostics\\n | where OperationName in (\\\"AzureFirewallApplicationRuleLog\\\",\\\"AzureFirewallNetworkRuleLog\\\")\\n | extend msg_s_replaced0 = replace(@\\\"\\\\s\\\\s\\\",@\\\" \\\",msg_s)\\n | extend msg_s_replaced1 = replace(@\\\"\\\\.\\\\s\\\",@\\\" \\\",msg_s_replaced0)\\n | extend msg_a = split(msg_s_replaced1,\\\" \\\")\\n | extend srcAddr_a = split(msg_a[3],\\\":\\\") , destAddr_a = split(msg_a[5],\\\":\\\")\\n | extend protocol = tostring(msg_a[0]), srcIp = tostring(srcAddr_a[0]), srcPort = tostring(srcAddr_a[1]), destIp = tostring(destAddr_a[0]), destPort = tostring(destAddr_a[1]), action = tostring(msg_a[7])\\n | where action == \\\"Deny\\\"\\n | extend url = iff(destIp matches regex \\\"\\\\\\\\d+\\\\\\\\.\\\\\\\\d+\\\\\\\\.\\\\\\\\d+\\\\\\\\.\\\\\\\\d+\\\",\\\"\\\",destIp)\\n | summarize StartTime = min(TimeGenerated), count() by srcIp, destIp, url, action, protocol\\n | where count_ \u003e= [\\\"threshold\\\"]\\n | extend timestamp = StartTime, URLCustomEntity = url, IPCustomEntity = srcIp\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Discovery\",\"LateralMovement\",\"CommandAndControl\"],\"displayName\":\"Several deny actions registered\",\"description\":\"Identifies attack pattern when attacker tries to move, or scan, from resource to resource on the network and creates an incident when a source has more than 1 registered deny action in Azure Firewall.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2020-10-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b9d2eebc-5dcb-4888-8165-900db44443ab\",\"name\":\"b9d2eebc-5dcb-4888-8165-900db44443ab\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"// Enter a reference list of hostnames for your DC servers\\n//let DCServersList = dynamic ([\\\"DC01.simulandlabs.com\\\",\\\"DC02.simulandlabs.com\\\"]);\\nSecurityEvent\\n//| where Computer in (DCServersList)\\n| where EventID == 4662 and ObjectServer == \u0027DS\u0027\\n| where AccountType != \u0027Machine\u0027\\n| where Properties has \u00271131f6aa-9c07-11d1-f79f-00c04fc2dcd2\u0027 //DS-Replication-Get-Changes\\n or Properties has \u00271131f6ad-9c07-11d1-f79f-00c04fc2dcd2\u0027 //DS-Replication-Get-Changes-All\\n or Properties has \u002789e95b76-444d-4c62-991a-0facbeda640c\u0027 //DS-Replication-Get-Changes-In-Filtered-Set\\n| project TimeGenerated, Account, Activity, Properties, SubjectLogonId, Computer\\n| join kind=leftouter\\n(\\n SecurityEvent\\n //| where Computer in (DCServersList)\\n | where EventID == 4624 and LogonType == 3\\n | where AccountType != \u0027Machine\u0027\\n | project TargetLogonId, IpAddress\\n)\\non $left.SubjectLogonId == $right.TargetLogonId\\n| project-reorder TimeGenerated, Computer, Account, IpAddress\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, SourceAddress = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceAddress\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Non Domain Controller Active Directory Replication\",\"description\":\"This query detects potential attempts by non-computer accounts (non domain controllers) to retrieve/synchronize an active directory object leveraging directory replication services (DRS).\\nA Domain Controller (computer account) would usually be performing these actions in a domain environment. Another detection rule can be created to cover domain controllers accounts doing at rare times.\\nA domain user with privileged permissions to use directory replication services is rare. Ref: https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-180815210510.html\",\"lastUpdatedDateUTC\":\"2021-11-08T00:00:00Z\",\"createdDateUTC\":\"2021-05-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/75297f62-10a8-4fc1-9b2a-12f25c6f05a7\",\"name\":\"75297f62-10a8-4fc1-9b2a-12f25c6f05a7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let domain_lookBack= 14d;\\nlet timeframe = 1d;\\nlet top_million_list = Cisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(domain_lookBack) and TimeGenerated \u003c ago(timeframe)\\n| extend Hostname = parse_url(UrlOriginal)[\\\"Host\\\"]\\n| summarize count() by tostring(Hostname)\\n| top 1000000 by count_\\n| summarize make_list(Hostname);\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(timeframe)\\n| extend Hostname = parse_url(UrlOriginal)[\\\"Host\\\"]\\n| where Hostname !in (top_million_list)\\n| extend Message = \\\"Connect to unpopular website (possible malicious payload delivery)\\\"\\n| project Message, SrcIpAddr, DstIpAddr,UrlOriginal, TimeGenerated\\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - Connection to Unpopular Website Detected\",\"description\":\"Detects first connection to an unpopular website (possible malicious payload delivery).\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/89a86f70-615f-4a79-9621-6f68c50f365f\",\"name\":\"89a86f70-615f-4a79-9621-6f68c50f365f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let starttime = 7d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet HistThreshold = 25; \\nlet CurrThreshold = 10; \\nlet HistoricalThreats = CommonSecurityLog\\n| where isnotempty(SourceIP)\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where DeviceVendor =~ \\\"Palo Alto Networks\\\"\\n| where Activity =~ \\\"THREAT\\\" and SimplifiedDeviceAction =~ \\\"alert\\\" \\n| where DeviceEventClassID in (\u0027spyware\u0027, \u0027scan\u0027, \u0027file\u0027, \u0027vulnerability\u0027, \u0027flood\u0027, \u0027packet\u0027, \u0027virus\u0027,\u0027wildfire\u0027, \u0027wildfire-virus\u0027)\\n| summarize TotalEvents = count(), ThreatTypes = make_set(DeviceEventClassID), DestinationIpList = make_set(DestinationIP), FirstSeen = min(TimeGenerated) , LastSeen = max(TimeGenerated) by SourceIP, DeviceAction, DeviceVendor;\\nlet CurrentHourThreats = CommonSecurityLog\\n| where isnotempty(SourceIP)\\n| where TimeGenerated \u003e ago(timeframe)\\n| where DeviceVendor =~ \\\"Palo Alto Networks\\\"\\n| where Activity =~ \\\"THREAT\\\" and SimplifiedDeviceAction =~ \\\"alert\\\" \\n| where DeviceEventClassID in (\u0027spyware\u0027, \u0027scan\u0027, \u0027file\u0027, \u0027vulnerability\u0027, \u0027flood\u0027, \u0027packet\u0027, \u0027virus\u0027,\u0027wildfire\u0027, \u0027wildfire-virus\u0027)\\n| summarize TotalEvents = count(), ThreatTypes = make_set(DeviceEventClassID), DestinationIpList = make_set(DestinationIP), FirstSeen = min(TimeGenerated) , LastSeen = max(TimeGenerated) by SourceIP, DeviceAction, DeviceProduct, DeviceVendor;\\nCurrentHourThreats \\n| where TotalEvents \u003c CurrThreshold\\n| join kind = leftanti (HistoricalThreats \\n| where TotalEvents \u003e HistThreshold) on SourceIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]}],\"tactics\":[\"Discovery\",\"Exfiltration\",\"CommandAndControl\"],\"displayName\":\"Palo Alto Threat signatures from Unusual IP addresses\",\"description\":\"Identifies Palo Alto Threat signatures from unusual IP addresses which are not historically seen. \\nThis detection is also leveraged and required for MDE and PAN Fusion scenario\\nhttps://docs.microsoft.com/Azure/sentinel/fusion-scenario-reference#network-request-to-tor-anonymization-service-followed-by-anomalous-traffic-flagged-by-palo-alto-networks-firewall\",\"lastUpdatedDateUTC\":\"2022-04-20T00:00:00Z\",\"createdDateUTC\":\"2022-03-23T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/35a0792a-1269-431e-ac93-7ae2980d4dde\",\"name\":\"35a0792a-1269-431e-ac93-7ae2980d4dde\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now() \\n| where Active == true\\n| where isnotempty(EmailSenderAddress)\\n| extend TI_emailEntity = EmailSenderAddress\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n ProofpointPOD \\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(SrcUserUpn)\\n | extend ProofpointPOD_TimeGenerated = TimeGenerated, ClientEmail = SrcUserUpn\\n\\n)\\non $left.TI_emailEntity == $right.ClientEmail\\n| where ProofpointPOD_TimeGenerated \u003c ExpirationDateTime\\n| summarize ProofpointPOD_TimeGenerated = arg_max(ProofpointPOD_TimeGenerated, *) by IndicatorId, ClientEmail\\n| project ProofpointPOD_TimeGenerated, Description, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, ClientEmail\\n| extend timestamp = ProofpointPOD_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ClientEmail\"}]}],\"tactics\":[\"Exfiltration\",\"InitialAccess\"],\"displayName\":\"ProofpointPOD - Email sender in TI list\",\"description\":\"Email sender in TI list.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_maillog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c3b11fb2-9201-4844-b7b9-6b7bf6d9b851\",\"name\":\"c3b11fb2-9201-4844-b7b9-6b7bf6d9b851\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.1\",\"severity\":\"Medium\",\"query\":\"let threshold = 200;\\n_Im_Dns(responsecodename=\u0027NXDOMAIN\u0027)\\n| where isnotempty(DnsResponseCodeName)\\n//| where DnsResponseCodeName =~ \\\"NXDOMAIN\\\"\\n| summarize count() by SrcIpAddr, bin(TimeGenerated,15m)\\n| where count_ \u003e threshold\\n| join kind=inner (_Im_Dns(responsecodename=\u0027NXDOMAIN\u0027)\\n ) on SrcIpAddr\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Excessive NXDOMAIN DNS Queries (ASIM DNS Schema)\",\"description\":\"This creates an incident in the event a client generates excessive amounts of DNS queries for non-existent domains. \\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema\",\"lastUpdatedDateUTC\":\"2022-04-10T00:00:00Z\",\"createdDateUTC\":\"2021-06-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a172107d-794c-48c0-bc26-d3349fe10b4d\",\"name\":\"a172107d-794c-48c0-bc26-d3349fe10b4d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT12H\",\"queryPeriod\":\"PT12H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Dev-0530_July2022.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\nlet IPList = (iocs | where Type =~ \\\"ip\\\"| project IoC);\\n(union isfuzzy=true \\n(DeviceProcessEvents\\n| where InitiatingProcessSHA256 in (sha256Hashes) or SHA256 in (sha256Hashes) or ( InitiatingProcessCommandLine has (\u0027cmd.exe /Q /c schtasks /create /tn lockertask /tr\u0027) \\nand InitiatingProcessCommandLine has (\u0027sc minute /mo 1 /F /ru system\u0027))\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type, AccountName, SHA256\\n| extend Account = AccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = case(InitiatingProcessSHA256 in (sha256Hashes), \\\"InitiatingProcessSHA256\\\", SHA256 in (sha256Hashes), \\\"SHA256\\\", \\\"No Match\\\")\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = case(FileHash == \\\"InitiatingProcessSHA256\\\", InitiatingProcessSHA256, FileHash == \\\"SHA256\\\", SHA256, \\\"No Match\\\")\\n),\\n( SecurityEvent\\n| where EventID == 4688\\n| where ( CommandLine has (\u0027cmd.exe /Q /c schtasks /create /tn lockertask /tr\u0027) and CommandLine has (\u0027/sc minute /mo 1 /F /ru system\u0027))\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type, EventID, CommandLine\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName\\n),\\n( imFileEvent\\n| where Hash in~ (sha256Hashes) or ( ActingProcessCommandLine has (\u0027cmd.exe /Q /c schtasks /create /tn lockertask /tr\u0027) and ActingProcessCommandLine has (\u0027/sc minute /mo 1 /F /ru system\u0027))\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, FileHashCustomEntity = FileHash\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Image = EventDetail.[4].[\\\"#text\\\"], CommandLine = EventDetail.[10].[\\\"#text\\\"], Hashes = tostring(EventDetail.[17].[\\\"#text\\\"])\\n| extend Hashes = extract_all(@\\\"(?P\u003ckey\u003e\\\\w+)=(?P\u003cvalue\u003e[a-zA-Z0-9]+)\\\", dynamic([\\\"key\\\",\\\"value\\\"]), Hashes)\\n| extend Hashes = column_ifexists(\\\"Hashes\\\", \\\"\\\"), CommandLine = column_ifexists(\\\"CommandLine\\\", \\\"\\\")\\n| where (Hashes has_any (sha256Hashes) ) or ( CommandLine has (\u0027cmd.exe /Q /c schtasks /create /tn lockertask /tr\u0027) and CommandLine has (\u0027/sc minute /mo 1 /F /ru system\u0027)) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, Hashes, CommandLine, Image\\n| extend Type = strcat(Type, \\\": \\\", Source)\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), FileHashCustomEntity = Hashes\\n),\\n(DeviceFileEvents\\n| where SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n),\\n(EmailEvents\\n| where SenderFromAddress == \u0027H0lyGh0st@mail2tor.com\u0027\\n| extend timestamp = TimeGenerated, IPCustomEntity = SenderIPv4, AccountCustomEntity = SenderFromAddress \\n),\\n(CommonSecurityLog \\n| where isnotempty(SourceIP) or isnotempty(DestinationIP) \\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList) or FileHash in (sha256Hashes)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"Message\\\") \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch , FileHash\\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\") \\n), \\n(OfficeActivity \\n|extend SourceIPAddress = ClientIP, Account = UserId \\n| where SourceIPAddress in (IPList) \\n| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account \\n),\\n(SigninLogs \\n| where isnotempty(IPAddress) \\n| where IPAddress in (IPList) \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \\n),\\n(AADNonInteractiveUserSignInLogs \\n| where isnotempty(IPAddress) \\n| where IPAddress in (IPList) \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \\n), \\n(W3CIISLog \\n| where isnotempty(cIP) \\n| where cIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName \\n), \\n(AzureActivity \\n| where isnotempty(CallerIpAddress) \\n| where CallerIpAddress in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller \\n), \\n( \\nAWSCloudTrail \\n| where isnotempty(SourceIpAddress) \\n| where SourceIpAddress in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName \\n), \\n( \\nDeviceNetworkEvents \\n| where isnotempty(RemoteIP) \\n| where RemoteIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName \\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallNetworkRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Dev-0530 IOC - July 2022\",\"description\":\"Identifies a IOC match related to Dev-0530 actor across various data sources.\",\"lastUpdatedDateUTC\":\"2022-07-14T00:00:00Z\",\"createdDateUTC\":\"2022-07-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\",\"DeviceProcessEvents\",\"DeviceNetworkEvents\",\"EmailEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/572e75ef-5147-49d9-9d65-13f2ed1e3a86\",\"name\":\"572e75ef-5147-49d9-9d65-13f2ed1e3a86\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let inviting_users = (AuditLogs\\n | where TimeGenerated between(ago(14d)..ago(1d))\\n | where OperationName =~ \\\"Invite external user\\\"\\n | where Result =~ \\\"success\\\"\\n | extend invitingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | where isnotempty(invitingUser)\\n | summarize by invitingUser);\\n AuditLogs\\n | where TimeGenerated \u003e ago(1d)\\n | where OperationName =~ \\\"Invite external user\\\"\\n | where Result =~ \\\"success\\\"\\n | extend invitingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | where isnotempty(invitingUser) and invitingUser !in (inviting_users)\\n | extend invitedUserPrincipalName = tostring(TargetResources[0].userPrincipalName)\\n | extend ipAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"invitingUser\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"invitedUserPrincipalName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ipAddress\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Guest Users Invited to Tenant by New Inviters\",\"description\":\"Detects when a Guest User is added by a user account that has not been seen adding a guest in the previous 14 days.\\n Monitoring guest accounts and the access they are provided is important to detect potential account abuse.\\n Accounts added should be investigated to ensure the activity was legitimate.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/500415fb-bba7-4227-a08a-9857fb61b6a7\",\"name\":\"500415fb-bba7-4227-a08a-9857fb61b6a7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"OfficeActivity\\n| where OfficeWorkload == \\\"Exchange\\\"\\n| where Operation in~ (\\\"New-TransportRule\\\", \\\"Set-TransportRule\\\")\\n| mv-apply DynamicParameters = todynamic(Parameters) on (summarize ParsedParameters = make_bag(pack(tostring(DynamicParameters.Name), DynamicParameters.Value)))\\n| extend RuleName = case(\\n Operation =~ \\\"Set-TransportRule\\\", OfficeObjectId,\\n Operation =~ \\\"New-TransportRule\\\", ParsedParameters.Name,\\n \\\"Unknown\\\")\\n| mv-expand ExpandedParameters = todynamic(Parameters)\\n| where ExpandedParameters.Name in~ (\\\"BlindCopyTo\\\", \\\"RedirectMessageTo\\\") and isnotempty(ExpandedParameters.Value)\\n| extend RedirectTo = ExpandedParameters.Value\\n| extend ClientIPValues = extract_all(@\u0027\\\\[?(::ffff:)?(?P\u003cIPAddress\u003e(\\\\d+\\\\.\\\\d+\\\\.\\\\d+\\\\.\\\\d+)|[^\\\\]]+)\\\\]?([-:](?P\u003cPort\u003e\\\\d+))?\u0027, dynamic([\\\"IPAddress\\\", \\\"Port\\\"]), ClientIP)[0]\\n| project TimeGenerated, RedirectTo, IPAddress = tostring(ClientIPValues[0]), Port = tostring(ClientIPValues[1]), UserId, Operation, RuleName, Parameters\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Collection\",\"Exfiltration\"],\"displayName\":\"Mail redirect via ExO transport rule\",\"description\":\"Identifies when Exchange Online transport rule configured to forward emails.\\nThis could be an adversary mailbox configured to collect mail from multiple user accounts.\",\"lastUpdatedDateUTC\":\"2022-04-18T00:00:00Z\",\"createdDateUTC\":\"2020-05-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/500c103a-0319-4d56-8e99-3cec8d860757\",\"name\":\"500c103a-0319-4d56-8e99-3cec8d860757\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let aadFunc = (tableName:string){\\ntable(tableName)\\n| where ResultType == \\\"50057\\\" \\n| where ResultDescription == \\\"User account is disabled. The account has been disabled by an administrator.\\\" \\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), disabledAccountLoginAttempts = count(), \\ndisabledAccountsTargeted = dcount(UserPrincipalName), applicationsTargeted = dcount(AppDisplayName), disabledAccountSet = make_set(UserPrincipalName), \\napplicationSet = make_set(AppDisplayName) by IPAddress, Type\\n| order by disabledAccountLoginAttempts desc\\n| join kind= leftouter (\\n // Consider these IPs suspicious - and alert any related successful sign-ins\\n table(tableName)\\n | where ResultType == 0\\n | summarize successfulAccountSigninCount = dcount(UserPrincipalName), successfulAccountSigninSet = make_set(UserPrincipalName, 15) by IPAddress, Type\\n // Assume IPs associated with sign-ins from 100+ distinct user accounts are safe\\n | where successfulAccountSigninCount \u003c 100\\n) on IPAddress \\n// IPs from which attempts to authenticate as disabled user accounts originated, and had a non-zero success rate for some other account\\n| where isnotempty(successfulAccountSigninCount)\\n| project StartTime, EndTime, IPAddress, disabledAccountLoginAttempts, disabledAccountsTargeted, disabledAccountSet, applicationSet, \\nsuccessfulAccountSigninCount, successfulAccountSigninSet, Type\\n| order by disabledAccountLoginAttempts\\n| extend timestamp = StartTime, IPCustomEntity = IPAddress\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"Persistence\"],\"displayName\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts\",\"description\":\"Identifies IPs with failed attempts to sign in to one or more disabled accounts and where that same IP has had successful signins from other accounts.\\nThis could indicate an attacker who obtained credentials for a list of accounts and is attempting to login with those accounts, some of which may have already been disabled.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50057 - User account is disabled. The account has been disabled by an administrator.\",\"lastUpdatedDateUTC\":\"2021-10-22T00:00:00Z\",\"createdDateUTC\":\"2019-02-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e7470b35-0128-4508-bfc9-e01cfb3c2eb7\",\"name\":\"e7470b35-0128-4508-bfc9-e01cfb3c2eb7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"Event\\n | where EventLog == \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID==1\\n | parse EventData with * \u0027Image\\\"\u003e\u0027 Image \\\"\u003c\\\" * \u0027CommandLine\\\"\u003e\u0027 CommandLine \\\"\u003c\\\" * \u0027ParentImage\\\"\u003e\u0027 ParentImage \\\"\u003c\\\" *\\n | where ParentImage has \\\"svchost.exe\\\" and Image has \\\"rundll32.exe\\\" and CommandLine has \\\"{c08afd90-f2a1-11d1-8455-00a0c91f3880}\\\"\\n | parse EventData with * \u0027ProcessGuid\\\"\u003e\u0027 ProcessGuid \\\"\u003c\\\" * \u0027Description\\\"\u003e\u0027 Description \\\"\u003c\\\" * \u0027CurrentDirectory\\\"\u003e\u0027 CurrentDirectory \\\"\u003c\\\" * \u0027User\\\"\u003e\u0027 User \\\"\u003c\\\" * \u0027LogonGuid\\\"\u003e\u0027 LogonGuid \\\"\u003c\\\" * \u0027ParentProcessGuid\\\"\u003e\u0027 ParentProcessGuid \\\"\u003c\\\" * \u0027ParentImage\\\"\u003e\u0027 ParentImage \\\"\u003c\\\" * \u0027ParentCommandLine\\\"\u003e\u0027 ParentCommandLine \\\"\u003c\\\" * \u0027ParentUser\\\"\u003e\u0027 ParentUser \\\"\u003c\\\" *\\n | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, User, ParentImage, ParentProcessGuid, ParentCommandLine, ParentUser, Image, ProcessGuid, CommandLine, Description\",\"entityMappings\":[{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLine\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"User\"}]}],\"tactics\":[\"LateralMovement\"],\"displayName\":\"Detecting Macro Invoking ShellBrowserWindow COM Objects\",\"description\":\"This query detects a macro invoking ShellBrowserWindow COM Objects evade naive parent/child Office detection rules.\\nRef: https://blog.menasec.net/2019/02/threat-hunting-doc-with-macro-invoking.html\",\"lastUpdatedDateUTC\":\"2022-03-11T00:00:00Z\",\"createdDateUTC\":\"2022-03-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c2da1106-bfe4-4a63-bf14-5ab73130ccd5\",\"name\":\"c2da1106-bfe4-4a63-bf14-5ab73130ccd5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":1,\"version\":\"1.0.0\",\"severity\":\"Informational\",\"query\":\"let timeframe = ago(1d);\\nAppServiceAntivirusScanAuditLogs\\n| where ScanStatus == \\\"Failed\\\"\\n| extend HostCustomEntity = _ResourceId, timestamp = TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"displayName\":\"AppServices AV Scan Failure\",\"description\":\"Identifies if an AV scan fails in Azure App Services.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-11T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/68271db2-cbe9-4009-b1d3-bb3b5fe5713c\",\"name\":\"68271db2-cbe9-4009-b1d3-bb3b5fe5713c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let User_Agents = dynamic ([\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70\\\", \\n\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.1 Safari/605.1.15\\\", \\n\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0\\\", \\n\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36\\\", \\n\\\"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36\\\"]);\\nOfficeActivity\\n| where RecordType in (\\\"AzureActiveDirectoryAccountLogon\\\", \\\"AzureActiveDirectoryStsLogon\\\") \\n| where Operation != \u0027UserLoggedIn\u0027\\n| extend UserAgent = iff(parse_json(ExtendedProperties)[0].Name =~ \\\"UserAgent\\\", extractjson(\\\"$[0].Value\\\", ExtendedProperties, typeof(string)),\\\"\\\")\\n| mv-expand parse_json(ExtendedProperties)\\n| where ExtendedProperties.Name =~ \\\"RequestType\\\"\\n| extend RequestType = todynamic(ExtendedProperties).Value\\n| where UserAgent =~ \\\"ms-office\\\" or UserAgent has_any (User_Agents)\\n| summarize authAttempts=dcount(TimeGenerated), firstAttempt=min(TimeGenerated), lastAttempt=max(TimeGenerated), uniqueIPs=dcount(ClientIP), uniqueAccounts=dcount(UserId), attemptedAccounts=make_set(UserId) by UserAgent\\n| where authAttempts \u003e 500\\n| extend timestamp = firstAttempt\\n| sort by uniqueAccounts\",\"entityMappings\":[],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Possible STRONTIUM attempted credential harvesting - Oct 2020\",\"description\":\"Surfaces potential STRONTIUM group Office365 credential harvesting attempts within OfficeActivity Logon events.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-09-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e7ec9fa6-e7f7-41ed-a34b-b956837a3ee6\",\"name\":\"e7ec9fa6-e7f7-41ed-a34b-b956837a3ee6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let threshold = 15;\\n// Below pulls messages from syslog-authpriv logs where there was an authentication failure with an unknown user.\\n// IP address of system attempting logon is also extracted from the SyslogMessage field. Some of these messages\\n// are aggregated.\\nSyslog\\n| where Facility =~ \\\"authpriv\\\"\\n| where SyslogMessage has \\\"authentication failure\\\" and SyslogMessage has \\\" uid=0\\\"\\n| parse SyslogMessage with * \\\"rhost=\\\" RemoteIP\\n| project TimeGenerated, Computer, ProcessName, HostIP, RemoteIP, ProcessID\\n| join kind=innerunique (\\n // Below pulls messages from syslog-authpriv logs that show each instance an unknown user tried to logon. \\n Syslog \\n | where Facility =~ \\\"authpriv\\\"\\n | where SyslogMessage has \\\"user unknown\\\"\\n | project Computer, HostIP, ProcessID\\n ) on Computer, HostIP, ProcessID\\n// Count the number of failed logon attempts by External IP and internal machine\\n| summarize FirstLogonAttempt = min(TimeGenerated), LatestLogonAttempt = max(TimeGenerated), TotalLogonAttempts = count() by Computer, HostIP, RemoteIP\\n// Calculate the time between first and last logon attempt (AttemptPeriodLength)\\n| extend TimeBetweenLogonAttempts = LatestLogonAttempt - FirstLogonAttempt\\n| where TotalLogonAttempts \u003e= threshold\\n| project FirstLogonAttempt, LatestLogonAttempt, TimeBetweenLogonAttempts, TotalLogonAttempts, SourceAddress = RemoteIP, DestinationHost = Computer, DestinationAddress = HostIP\\n| sort by DestinationHost asc nulls last\\n| extend timestamp = FirstLogonAttempt, HostCustomEntity = DestinationHost, IPCustomEntity = DestinationAddress\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Failed logon attempts in authpriv\",\"description\":\"Identifies failed logon attempts from unknown users in Syslog authpriv logs. The unknown user means the account that tried to log in \\nisn\u0027t provisioned on the machine. A few hits could indicate someone attempting to access a machine they aren\u0027t authorized to access. \\nIf there are many of hits, especially from outside your network, it could indicate a brute force attack. \\nDefault threshold for logon attempts is 15.\",\"lastUpdatedDateUTC\":\"2022-05-31T00:00:00Z\",\"createdDateUTC\":\"2019-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f041e01d-840d-43da-95c8-4188f6cef546\",\"name\":\"f041e01d-840d-43da-95c8-4188f6cef546\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let LearningPeriod = 7d;\\nlet RunTime = 1h;\\nlet StartTime = 1h;\\nlet EndRunTime = StartTime - RunTime;\\nlet EndLearningTime = StartTime + LearningPeriod;\\nlet GitHubCountryCodeLogs = (GitHubAudit\\n| where Country != \\\"\\\");\\n GitHubCountryCodeLogs\\n| where TimeGenerated between (ago(EndLearningTime) .. ago(StartTime))\\n| summarize makeset(Country) by Actor\\n| join kind=innerunique (\\n GitHubCountryCodeLogs\\n | where TimeGenerated between (ago(StartTime) .. ago(EndRunTime))\\n | distinct Country, Actor, TimeGenerated\\n) on Actor \\n| where set_Country !contains Country\\n| extend AccountCustomEntity = Actor , timestamp = TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"GitHub Activites from a New Country\",\"description\":\"Detect activities from a location that was not recently or was never visited by the user or by any user in your organization.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/40ba9493-4183-4eee-974f-87fe39c8f267\",\"name\":\"40ba9493-4183-4eee-974f-87fe39c8f267\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Azure Advanced Threat Protection\",\"displayName\":\"Create incidents based on Microsoft Defender for Identity alerts\",\"description\":\"Create incidents based on all alerts generated in Microsoft Defender for Identity\",\"lastUpdatedDateUTC\":\"2019-07-16T00:00:00Z\",\"createdDateUTC\":\"2019-07-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert (AATP)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4b11568b-3f5f-4ba1-80c8-7f1dc8390eb7\",\"name\":\"4b11568b-3f5f-4ba1-80c8-7f1dc8390eb7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let threshold = 50;\\nlet szSharePointFileOperation = \\\"SharePointFileOperation\\\";\\nlet szOperations = dynamic([\\\"FileDownloaded\\\", \\\"FileUploaded\\\"]);\\nlet starttime = 14d;\\nlet endtime = 1d;\\nlet historicalActivity =\\nOfficeActivity\\n| where TimeGenerated between(ago(starttime)..ago(endtime))\\n| where RecordType =~ szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| summarize historicalCount = count() by ClientIP, RecordType, Operation;\\nlet recentActivity = OfficeActivity\\n| where TimeGenerated \u003e ago(endtime)\\n| where RecordType =~ szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| summarize min(Start_Time), max(Start_Time), recentCount = count() by ClientIP, RecordType, Operation;\\nlet RareIP = recentActivity | join kind= leftanti ( historicalActivity ) on ClientIP, RecordType, Operation\\n// More than 50 downloads/uploads from a new IP\\n| where recentCount \u003e threshold;\\nOfficeActivity \\n| where TimeGenerated \u003e= ago(endtime) \\n| where RecordType =~ szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| join kind= inner (RareIP) on ClientIP, RecordType, Operation\\n| where Start_Time between(min_Start_Time .. max_Start_Time)\\n| summarize StartTimeUtc = min(min_Start_Time), EndTimeUtc = max(max_Start_Time) by RecordType, Operation, UserType, UserId, ClientIP, OfficeWorkload, Site_Url, OfficeObjectId, UserAgent, IPSeenCount = recentCount\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Site_Url\\n| order by IPSeenCount desc, ClientIP asc, Operation asc, UserId asc\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"SharePointFileOperation via previously unseen IPs\",\"description\":\"Identifies when the volume of documents uploaded to or downloaded from Sharepoint by new IP addresses\\nexceeds a threshold (default is 50).\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-23T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4a3073ac-7383-48a9-90a8-eb6716183a54\",\"name\":\"4a3073ac-7383-48a9-90a8-eb6716183a54\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let excludeProcs = dynamic([@\\\"\\\\SolarWinds\\\\Orion\\\\APM\\\\APMServiceControl.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\ExportToPDFCmd.Exe\\\", @\\\"\\\\SolarWinds.Credentials\\\\SolarWinds.Credentials.Orion.WebApi.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\Topology\\\\SolarWinds.Orion.Topology.Calculator.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\Database-Maint.exe\\\", @\\\"\\\\SolarWinds.Orion.ApiPoller.Service\\\\SolarWinds.Orion.ApiPoller.Service.exe\\\", @\\\"\\\\Windows\\\\SysWOW64\\\\WerFault.exe\\\"]);\\nDeviceProcessEvents\\n| where InitiatingProcessFileName =~ \\\"solarwinds.businesslayerhost.exe\\\"\\n| where not(FolderPath has_any (excludeProcs))\\n| extend\\n timestamp = TimeGenerated,\\n AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName),\\n HostCustomEntity = DeviceName,\\n AlgorithmCustomEntity = \\\"MD5\\\",\\n FileHashCustomEntity = MD5\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Execution\",\"Persistence\"],\"displayName\":\"SUNBURST suspicious SolarWinds child processes\",\"description\":\"Identifies suspicious child processes of SolarWinds.Orion.Core.BusinessLayer.dll that may be evidence of the SUNBURST backdoor\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\",\"lastUpdatedDateUTC\":\"2022-02-01T00:00:00Z\",\"createdDateUTC\":\"2020-12-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d1aba9a3-5ab1-45ef-8ed4-da57dc3c0d32\",\"name\":\"d1aba9a3-5ab1-45ef-8ed4-da57dc3c0d32\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT30M\",\"queryPeriod\":\"PT30M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let lbtime = 30m;\\nlet msgthreshold = 3;\\nlet msgszthreshold = 3000000;\\nProofpointPOD\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027outbound\u0027\\n| where NetworkBytes \u003e msgszthreshold\\n| summarize count() by SrcUserUpn, DstUserUpn\\n| where count_ \u003e msgthreshold\\n| extend AccountCustomEntity = SrcUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"ProofpointPOD - Multiple large emails to the same recipient\",\"description\":\"Detects when multiple emails with large size where sent to the same recipient.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6dd2629c-534b-4275-8201-d7968b4fa77e\",\"name\":\"6dd2629c-534b-4275-8201-d7968b4fa77e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"SecurityEvent\\n| where EventID == 4657\\n| extend EventData = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, TargetAccount, Computer, EventSourceName, Channel, Task, Level, EventID, Activity, TargetLogonId, SourceComputerId, EventOriginId, Type, _ResourceId, TenantId, SourceSystem, ManagementGroupName, IpAddress, Account)\\n| extend ObjectName = column_ifexists(\u0027ObjectName\u0027, \\\"\\\"), OperationType = column_ifexists(\u0027OperationType\u0027, \\\"\\\"), ObjectValueName = column_ifexists(\u0027ObjectValueName\u0027, \\\"\\\")\\n| where ObjectName has \u0027Schedule\\\\\\\\TaskCache\\\\\\\\Tree\u0027 and ObjectValueName == \\\"SD\\\" and OperationType == \\\"%%1906\\\" // %%1906 - Registry value deleted\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Scheduled Task Hide\",\"description\":\"This query detects attempts by malware to hide the scheduled task by deleting the SD (Security Descriptor) value. Removal of SD value results in the scheduled task disappearing from schtasks /query and Task Scheduler.\\n The query requires auditing to be turned on for HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tree registry hive as well as audit policy for registry auditing to be turned on.\\n Reference: https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/\\n Reference: https://4sysops.com/archives/audit-changes-in-the-windows-registry/\",\"lastUpdatedDateUTC\":\"2022-04-12T00:00:00Z\",\"createdDateUTC\":\"2022-04-12T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3f0c20d5-6228-48ef-92f3-9ff7822c1954\",\"name\":\"3f0c20d5-6228-48ef-92f3-9ff7822c1954\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"AlertPerResult\"},\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let threatCategory=\\\"Hacking Tool\\\";\\nlet knownUserAgentsIndicators = materialize(externaldata(UserAgent:string, Category:string)\\n [ @\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/UnusualUserAgents.csv\\\"] \\n with(format=\\\"csv\\\", ignoreFirstRecord=True));\\nlet knownUserAgents=toscalar(knownUserAgentsIndicators | where Category==threatCategory | where isnotempty(UserAgent) | summarize make_list(UserAgent));\\nlet customUserAgents=toscalar(_GetWatchlist(\\\"UnusualUserAgents\\\") | where SearchKey==threatCategory | extend UserAgent=column_ifexists(\\\"UserAgent\\\",\\\"\\\") | where isnotempty(UserAgent) | summarize make_list(UserAgent));\\nlet fullUAList = array_concat(knownUserAgents,customUserAgents);\\n_Im_WebSession(httpuseragent_has_any=fullUAList)\\n| project SrcIpAddr, Url, TimeGenerated,HttpUserAgent, SrcUsername\",\"customDetails\":{\"UserAgent\":\"HttpUserAgent\"},\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"SrcUsername\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Host {{SrcIpAddr}} is potentially running a hacking tool\",\"alertDescriptionFormat\":\"The host at address {{SrcIpAddr}} sent an HTTP request to the URL {{Url}} with the HTTP user agent header {{HttpUserAgent}}. This user agent is known to be used by a hacking tool and indicates suspicious activity on the host.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"CommandAndControl\"],\"displayName\":\"A host is potentially running a hacking tool (ASIM Web Session schema)\",\"description\":\"This rule identifies a web request with a user agent header known to belong to a hacking tool. This indicates a hacking tool is used on the host.\u003cbr\u003eYou can add custom hacking tool indicating User-Agent headers using a watchlist, for more information refer to the [UnusualUserAgents Watchlist](https://aka.ms/ASimUnusualUserAgentsWatchlist).\u003cbr\u003e\u003cbr\u003e\\n This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema)\",\"lastUpdatedDateUTC\":\"2022-04-10T00:00:00Z\",\"createdDateUTC\":\"2021-12-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/738702fd-0a66-42c7-8586-e30f0583f8fe\",\"name\":\"738702fd-0a66-42c7-8586-e30f0583f8fe\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"High\",\"query\":\"DeviceEvents\\n| where ActionType has \\\"ExploitGuardNonMicrosoftSignedBlocked\\\"\\n| where InitiatingProcessFileName contains \\\"svchost.exe\\\" and FileName contains \\\"NetSetupSvc.dll\\\"\\n| extend timestamp = TimeGenerated, AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName),\\nHostCustomEntity = DeviceName, FileHashCustomEntity = InitiatingProcessSHA1, FileHashType = \\\"SHA1\\\"\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashType\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Execution\",\"Persistence\",\"DefenseEvasion\"],\"displayName\":\"TEARDROP memory-only dropper\",\"description\":\"Identifies SolarWinds TEARDROP memory-only dropper IOCs in Window\u0027s defender Exploit Guard activity\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2020-12-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a4025a76-6490-4e6b-bb69-d02be4b03f07\",\"name\":\"a4025a76-6490-4e6b-bb69-d02be4b03f07\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n AzureNetworkAnalytics_CL\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n // renaming time column so it is clear the log this came from\\n | extend AzureNetworkAnalytics_CL_TimeGenerated = TimeGenerated\\n // NSG Flow Logs have additional information concat with Public IP, removing onlp Public IP\\n | extend PIPs = split(PublicIPs_s, \u0027|\u0027, 0)\\n | extend PIP = tostring(PIPs[0])\\n)\\non $left.TI_ipEntity == $right.PIP\\n| where AzureNetworkAnalytics_CL_TimeGenerated \u003c ExpirationDateTime\\n| summarize AzureNetworkAnalytics_CL_TimeGenerated = arg_max(AzureNetworkAnalytics_CL_TimeGenerated, *) by IndicatorId, PIP\\n// Set to alert on Allowed NSG Flows from TI Public IP IOC\\n| where FlowStatus_s == \\\"A\\\"\\n| project AzureNetworkAnalytics_CL_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, Computer, FlowDirection_s, FlowStatus_s, FlowType_s, SrcPublicIPs_s, DestPublicIPs_s, PublicIPs_s, L7Protocol_s, DestPort_d, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = AzureNetworkAnalytics_CL_TimeGenerated, IPCustomEntity = TI_ipEntity, HostCustomEntity = Computer, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to AzureNetworkAnalytics_CL (NSG Flow Logs)\",\"description\":\"Identifies a match in AzureNetworkAnalytics_CL (NSG Flow Logs) from any IP IOC from TI that was Allowed\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/968358d6-6af8-49bb-aaa4-187b3067fb95\",\"name\":\"968358d6-6af8-49bb-aaa4-187b3067fb95\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT12H\",\"queryPeriod\":\"PT12H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let successCodes = dynamic([200, 302, 401]);\\nW3CIISLog\\n| where scStatus has_any (successCodes)\\n| where ipv4_is_private(cIP) == False\\n| where csUriStem hasprefix \\\"/autodiscover/autodiscover.json\\\"\\n| project TimeGenerated, cIP, sIP, sSiteName, csUriStem, csUriQuery, Computer, csUserName, _ResourceId, FileUri\\n| where (csUriQuery !has \\\"Protocol\\\" and isnotempty(csUriQuery))\\nor (csUriQuery has_any(\\\"/mapi/\\\", \\\"powershell\\\"))\\nor (csUriQuery contains \\\"@\\\" and csUriQuery matches regex @\\\"\\\\.[a-zA-Z]{2,4}?(?:[a-zA-Z]{2,4}\\\\/)\\\")\\nor (csUriQuery contains \\\":\\\" and csUriQuery matches regex @\\\"\\\\:[0-9]{2,4}\\\\/\\\")\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = cIP, AccountCustomEntity = csUserName, ResourceCustomEntity = _ResourceId, FileCustomEntity = FileUri\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Exchange SSRF Autodiscover ProxyShell - Detection\",\"description\":\"This query looks for suspicious request patterns to Exchange servers that fit patterns recently\\nblogged about by PeterJson. This exploitation chain utilises an SSRF vulnerability in Exchange\\nwhich eventually allows the attacker to execute arbitrary Powershell on the server. In the example\\npowershell can be used to write an email to disk with an encoded attachment containing a shell.\\nReference: https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-08-09T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/999e9f5d-db4a-4b07-a206-29c4e667b7e8\",\"name\":\"999e9f5d-db4a-4b07-a206-29c4e667b7e8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Medium\",\"query\":\"let HAS_ANY_MAX = 10000;\\nlet dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet DomainTIs= ThreatIntelligenceIndicator\\n | where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n // Picking up only IOC\u0027s that contain the entities we want\\n | where isnotempty(DomainName)\\n | where Active == true\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId;\\nlet Domains = DomainTIs | where isnotempty(DomainName) |summarize NDomains=dcount(DomainName), DomainsList=make_set(DomainName) \\n | project DomainList = iff(NDomains \u003e HAS_ANY_MAX, dynamic([]), DomainsList) ;\\nDomainTIs\\n | join (\\n _Im_Dns(starttime=ago(dt_lookBack), domain_has_any=toscalar(Domains))\\n | extend DNS_TimeGenerated = TimeGenerated\\n) on $left.DomainName==$right.DnsQuery\\n| where DNS_TimeGenerated \u003c ExpirationDateTime\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, DNS_TimeGenerated, Dvc, SrcIpAddr, DnsQuery, DnsQueryType\\n| extend timestamp = DNS_TimeGenerated, HostCustomEntity = Dvc, IPCustomEntity = SrcIpAddr, URLCustomEntity = Url\",\"customDetails\":{\"LatestIndicatorTime\":\"LatestIndicatorTime\",\"Description\":\"Description\",\"ActivityGroupNames\":\"ActivityGroupNames\",\"IndicatorId\":\"IndicatorId\",\"ThreatType\":\"ThreatType\",\"ExpirationDateTime\":\"ExpirationDateTime\",\"ConfidenceScore\":\"ConfidenceScore\",\"DNSRequestTime\":\"DNS_TimeGenerated\",\"SourceIPAddress\":\"SrcIpAddr\",\"DnsQuery\":\"DnsQuery\",\"QueryType\":\"DnsQueryType\"},\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"(Preview) TI map Domain entity to Dns Events (ASIM DNS Schema)\",\"description\":\"Identifies a match in DNS events from any Domain IOC from TI\\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema\",\"lastUpdatedDateUTC\":\"2022-04-27T00:00:00Z\",\"createdDateUTC\":\"2021-09-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f2dd4a3a-ebac-4994-9499-1a859938c947\",\"name\":\"f2dd4a3a-ebac-4994-9499-1a859938c947\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":1,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet scorethreshold = 5;\\nlet bytessentperhourthreshold = 10;\\nlet TimeSeriesData = (union isfuzzy=true\\n(\\nVMConnection\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where isnotempty(DestinationIp) and isnotempty(SourceIp)\\n| extend SourceIP = SourceIp, DestinationIP = DestinationIp\\n| where ipv4_is_private(DestinationIP) == false\\n| extend DeviceVendor = \\\"VMConnection\\\"\\n| project TimeGenerated, BytesSent, DeviceVendor\\n| make-series TotalBytesSent=sum(BytesSent) on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by DeviceVendor\\n),\\n(\\nCommonSecurityLog\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\\n| where ipv4_is_private(DestinationIP) == false\\n| project TimeGenerated, SentBytes, DeviceVendor\\n| make-series TotalBytesSent=sum(SentBytes) on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by DeviceVendor\\n)\\n);\\n//Filter anomolies against TimeSeriesData\\nlet TimeSeriesAlerts = materialize(TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(TotalBytesSent, scorethreshold, -1, \u0027linefit\u0027)\\n| mv-expand TotalBytesSent to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double),score to typeof(double), baseline to typeof(long)\\n| where anomalies \u003e 0 | extend AnomalyHour = TimeGenerated\\n| extend TotalBytesSentinMBperHour = round(((TotalBytesSent / 1024)/1024),2), baselinebytessentperHour = round(((baseline / 1024)/1024),2), score = round(score,2)\\n| project DeviceVendor, AnomalyHour, TimeGenerated, TotalBytesSentinMBperHour, baselinebytessentperHour, anomalies, score);\\nlet AnomalyHours = materialize(TimeSeriesAlerts | where TimeGenerated \u003e ago(2d) | project TimeGenerated);\\n//Union of all BaseLogs aggregated per hour\\nlet BaseLogs = (union isfuzzy=true\\n(\\nCommonSecurityLog\\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\\n| where TimeGenerated \u003e ago(2d)\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n| where ipv4_is_private(DestinationIP) == false\\n| extend SentBytesinMB = ((SentBytes / 1024)/1024), ReceivedBytesinMB = ((ReceivedBytes / 1024)/1024)\\n| summarize HourlyCount = count(), TimeGeneratedMax=arg_max(TimeGenerated, *), DestinationIPList=make_set(DestinationIP, 100), DestinationPortList = make_set(DestinationPort,100), TotalSentBytesinMB = sum(SentBytesinMB), TotalReceivedBytesinMB = sum(ReceivedBytesinMB) by SourceIP, DeviceVendor, TimeGeneratedHour=bin(TimeGenerated,1h)\\n| where TotalSentBytesinMB \u003e bytessentperhourthreshold\\n| sort by TimeGeneratedHour asc, TotalSentBytesinMB desc\\n| extend Rank=row_number(1, prev(TimeGeneratedHour) != TimeGeneratedHour) // Ranking the dataset per Hourly Partition\\n| where Rank \u003c 10 // Selecting Top 10 records with Highest BytesSent in each Hour\\n| project DeviceVendor, TimeGeneratedHour, TimeGeneratedMax, SourceIP, DestinationIPList, DestinationPortList, TotalSentBytesinMB, TotalReceivedBytesinMB, Rank\\n),\\n(\\nVMConnection\\n| where isnotempty(DestinationIp) and isnotempty(SourceIp)\\n| where TimeGenerated \u003e ago(2d)\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n| extend SourceIP = SourceIp, DestinationIP = DestinationIp\\n| where ipv4_is_private(DestinationIP) == false | extend DeviceVendor = \\\"VMConnection\\\"\\n| extend SentBytesinMB = ((BytesSent / 1024)/1024), ReceivedBytesinMB = ((BytesReceived / 1024)/1024)\\n| summarize HourlyCount = count(),TimeGeneratedMax=arg_max(TimeGenerated, *), DestinationIPList=make_set(DestinationIP, 100), DestinationPortList = make_set(DestinationPort, 100), TotalSentBytesinMB = sum(SentBytesinMB),TotalReceivedBytesinMB = sum(ReceivedBytesinMB) by SourceIP, DeviceVendor, TimeGeneratedHour=bin(TimeGenerated,1h)\\n| where TotalSentBytesinMB \u003e bytessentperhourthreshold\\n| sort by TimeGeneratedHour asc, TotalSentBytesinMB desc\\n| extend Rank=row_number(1, prev(TimeGeneratedHour) != TimeGeneratedHour) // Ranking the dataset per Hourly Partition\\n| where Rank \u003c 10 // Selecting Top 10 records with Highest BytesSent in each Hour\\n| project DeviceVendor, TimeGeneratedHour, TimeGeneratedMax, SourceIP, DestinationIPList, DestinationPortList, TotalSentBytesinMB, TotalReceivedBytesinMB, Rank\\n)\\n);\\n// Join against base logs to retrive records associated with the hour of anomoly\\nTimeSeriesAlerts\\n| where TimeGenerated \u003e ago(2d)\\n| join (\\n BaseLogs | extend AnomalyHour = TimeGeneratedHour\\n) on DeviceVendor, AnomalyHour | sort by score desc\\n| project DeviceVendor, AnomalyHour,TimeGeneratedMax, SourceIP, DestinationIPList, DestinationPortList, TotalSentBytesinMB, TotalReceivedBytesinMB, TotalBytesSentinMBperHour, baselinebytessentperHour, score, anomalies\\n| summarize EventCount = count(), StartTimeUtc= min(TimeGeneratedMax), EndTimeUtc= max(TimeGeneratedMax), SourceIPMax= arg_max(SourceIP,*), TotalBytesSentinMB = sum(TotalSentBytesinMB), TotalBytesReceivedinMB = sum(TotalReceivedBytesinMB), SourceIPList = make_set(SourceIP, 100), DestinationIPList = make_set(DestinationIPList, 100) by AnomalyHour,TotalBytesSentinMBperHour, baselinebytessentperHour, score, anomalies\\n| project DeviceVendor, AnomalyHour, StartTimeUtc, EndTimeUtc, SourceIPMax, SourceIPList, DestinationIPList, DestinationPortList, TotalBytesSentinMB, TotalBytesReceivedinMB, TotalBytesSentinMBperHour, baselinebytessentperHour, score, anomalies, EventCount\\n| extend timestamp =EndTimeUtc, IPCustomEntity = SourceIPMax\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"Time series anomaly for data size transferred to public internet\",\"description\":\"Identifies anomalous data transfer to public networks. The query leverages built-in KQL anomaly detection algorithms that detects large deviations from a baseline pattern.\\nA sudden increase in data transferred to unknown public networks is an indication of data exfiltration attempts and should be investigated.\\nThe higher the score, the further it is from the baseline value.\\nThe output is aggregated to provide summary view of unique source IP to destination IP address and port bytes sent traffic observed in the flagged anomaly hour.\\nThe source IP addresses which were sending less than bytessentperhourthreshold have been exluded whose value can be adjusted as needed .\\nYou may have to run queries for individual source IP addresses from SourceIPlist to determine if anything looks suspicious\",\"lastUpdatedDateUTC\":\"2022-03-24T00:00:00Z\",\"createdDateUTC\":\"2019-05-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/06bbf969-fcbe-43fa-bac2-b2fa131d113a\",\"name\":\"06bbf969-fcbe-43fa-bac2-b2fa131d113a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"// ADHealth Monitoring Agent Registry Key\\nlet aadHealthMonAgentRegKey = \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\MicrosoftOnline\\\\\\\\Reporting\\\\\\\\MonitoringAgent\\\";\\n// Filter out known processes\\nlet aadConnectHealthProcs = dynamic ([\\n \u0027Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe\u0027,\\n \u0027Microsoft.Identity.Health.Adfs.InsightsService.exe\u0027,\\n \u0027Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe\u0027,\\n \u0027Microsoft.Identity.Health.Adfs.PshSurrogate.exe\u0027,\\n \u0027Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe\u0027,\\n \u0027Microsoft.Identity.Health.AadSync.MonitoringAgent.Startup.exe\u0027,\\n \u0027Microsoft.Identity.AadConnect.Health.AadSync.Host.exe\u0027,\\n \u0027Microsoft.Azure.ActiveDirectory.Synchronization.Upgrader.exe\u0027,\\n \u0027miiserver.exe\u0027\\n]);\\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where EventID == \u00274656\u0027\\n| where EventData has aadHealthMonAgentRegKey\\n| extend EventData = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Computer, EventID)\\n| extend ObjectName = column_ifexists(\\\"ObjectName\\\", \\\"\\\"),\\n ObjectType = column_ifexists(\\\"ObjectType\\\", \\\"\\\")\\n| where ObjectType == \u0027Key\u0027\\n| where ObjectName == aadHealthMonAgentRegKey\\n| extend SubjectUserName = column_ifexists(\\\"SubjectUserName\\\", \\\"\\\"),\\n SubjectDomainName = column_ifexists(\\\"SubjectDomainName\\\", \\\"\\\"),\\n ProcessName = column_ifexists(\\\"ProcessName\\\", \\\"\\\")\\n| extend Process = split(ProcessName, \u0027\\\\\\\\\u0027, -1)[-1],\\n Account = strcat(SubjectDomainName, \\\"\\\\\\\\\\\", SubjectUserName)\\n| where Process !in (aadConnectHealthProcs)\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by EventID, Account, Computer, Process, SubjectUserName, SubjectDomainName, ObjectName, ObjectType, ProcessName\\n),\\n ( WindowsEvent\\n| where EventID == \u00274656\u0027 and EventData has aadHealthMonAgentRegKey\\n| extend ObjectType = tostring(EventData.ObjectType)\\n| where ObjectType == \u0027Key\u0027\\n| extend ObjectName = tostring(EventData.ObjectName)\\n| where ObjectName == aadHealthMonAgentRegKey\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| extend Process = tostring(split(ProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where Process !in (aadConnectHealthProcs)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName)\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by EventID, Account, Computer, Process, SubjectUserName, SubjectDomainName, ObjectName, ObjectType, ProcessName\\n),\\n(\\nSecurityEvent\\n| where EventID == \u00274663\u0027\\n| where ObjectType == \u0027Key\u0027\\n| where ObjectName == aadHealthMonAgentRegKey\\n| extend Process = tostring(split(ProcessName, \u0027\\\\\\\\\u0027, -1)[-1])\\n| where Process !in (aadConnectHealthProcs)\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by EventID, Account, Computer, Process, SubjectUserName, SubjectDomainName, ObjectName, ObjectType, ProcessName\\n),\\n( WindowsEvent\\n| where EventID == \u00274663\u0027 and EventData has aadHealthMonAgentRegKey\\n| extend ObjectType = tostring(EventData.ObjectType)\\n| where ObjectType == \u0027Key\u0027\\n| extend ObjectName = tostring(EventData.ObjectName)\\n| where ObjectName == aadHealthMonAgentRegKey\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| extend Process = tostring(split(ProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where Process !in (aadConnectHealthProcs)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName)\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by EventID, Account, Computer, Process, SubjectUserName, SubjectDomainName, ObjectName, ObjectType, ProcessName\\n)\\n)\\n// You can filter out potential machine accounts\\n//| where AccountType != \u0027Machine\u0027\\n| extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Collection\"],\"displayName\":\"Azure AD Health Service Agents Registry Keys Access\",\"description\":\"This detection uses Windows security events to detect suspicious access attempts to the registry key values and sub-keys of Azure AD Health service agents (e.g AD FS).\\nInformation from AD Health service agents can be used to potentially abuse some of the features provided by those services in the cloud (e.g. Federation).\\nThis detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object: HKLM:\\\\SOFTWARE\\\\Microsoft\\\\ADHealthAgent.\\nMake sure you set the SACL to propagate to its sub-keys. You can find more information in here https://github.com/OTRF/Set-AuditRule/blob/master/rules/registry/aad_connect_health_service_agent.yml\\n\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-08-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a35f2c18-1b97-458f-ad26-e033af18eb99\",\"name\":\"a35f2c18-1b97-458f-ad26-e033af18eb99\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.2\",\"severity\":\"Low\",\"query\":\"// For AD SID mappings - https://docs.microsoft.com/windows/security/identity-protection/access-control/active-directory-security-groups\\nlet WellKnownLocalSID = \\\"S-1-5-32-5[0-9][0-9]$\\\";\\nlet WellKnownGroupSID = \\\"S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\\\";\\nunion isfuzzy=true \\n(\\nSecurityEvent \\n// When MemberName contains \u0027-\u0027 this indicates addition of a group to a group\\n| where AccountType == \\\"User\\\" and MemberName != \\\"-\\\"\\n// 4728 - A member was added to a security-enabled global group\\n// 4732 - A member was added to a security-enabled local group\\n// 4756 - A member was added to a security-enabled universal group\\n| where EventID in (4728, 4732, 4756) \\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID\\n// Exclude Remote Desktop Users group: S-1-5-32-555\\n| where TargetSid !in (\\\"S-1-5-32-555\\\")\\n| extend SimpleMemberName = substring(MemberName, 3, indexof_regex(MemberName, @\\\",OU|,CN\\\") - 3)\\n| project TimeGenerated, EventID, Activity, Computer, SimpleMemberName, MemberName, MemberSid, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectUserName, SubjectUserSid\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SimpleMemberName, HostCustomEntity = Computer\\n),\\n(\\nWindowsEvent \\n// 4728 - A member was added to a security-enabled global group\\n// 4732 - A member was added to a security-enabled local group\\n// 4756 - A member was added to a security-enabled universal group\\n| where EventID in (4728, 4732, 4756) and not(EventData has \\\"S-1-5-32-555\\\")\\n| extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend AccountType=case(Account endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n| extend MemberName = tostring(EventData.MemberName)\\n// When MemberName contains \u0027-\u0027 this indicates addition of a group to a group\\n| where AccountType == \\\"User\\\" and MemberName != \\\"-\\\"\\n| extend TargetSid = tostring(EventData.TargetSid)\\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID\\n// Exclude Remote Desktop Users group: S-1-5-32-555\\n| where TargetSid !in (\\\"S-1-5-32-555\\\")\\n| extend SimpleMemberName = substring(MemberName, 3, indexof_regex(MemberName, @\\\",OU|,CN\\\") - 3)\\n| extend MemberSid = tostring(EventData.MemberSid)\\n| extend TargetUserName = tostring(EventData.TargetUserName)\\n| extend TargetDomainName = tostring(EventData.TargetDomainName)\\n| extend UserPrincipalName = tostring(EventData.UserPrincipalName)\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| project TimeGenerated, EventID, Computer, SimpleMemberName, MemberName, MemberSid, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectUserName, SubjectUserSid\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SimpleMemberName, HostCustomEntity = Computer\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"User account added to built in domain local or global group\",\"description\":\"Identifies when a user account has been added to a privileged built in domain local group or global group \\nsuch as the Enterprise Admins, Cert Publishers or DnsAdmins. Be sure to verify this is an expected addition.\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2019-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2acc91c3-17c2-4388-938e-4eac2d5894e8\",\"name\":\"2acc91c3-17c2-4388-938e-4eac2d5894e8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"W3CIISLog\\n| where csMethod == \u0027GET\u0027\\n| where isnotempty(csUriStem) and isnotempty(csUriQuery)\\n| where csUriStem contains \\\"logoimagehandler.ashx\\\"\\n| where csUriQuery contains \\\"codes\\\" and csUriQuery contains \\\"clazz\\\" and csUriQuery contains \\\"method\\\" and csUriQuery contains \\\"args\\\"\\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"CommandAndControl\"],\"displayName\":\"SUPERNOVA webshell\",\"description\":\"Identifies SUPERNOVA webshell based on W3CIISLog data.\\n References:\\n - https://unit42.paloaltonetworks.com/solarstorm-supernova/\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2021-01-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/223db5c1-1bf8-47d8-8806-bed401b356a4\",\"name\":\"223db5c1-1bf8-47d8-8806-bed401b356a4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Low\",\"query\":\"let timeRange = 1d;\\nlet lookBack = 7d;\\nlet threshold_Failed = 5;\\nlet threshold_FailedwithSingleIP = 20;\\nlet threshold_IPAddressCount = 2;\\nlet isGUID = \\\"[0-9a-z]{8}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{12}\\\";\\nlet aadFunc = (tableName:string){\\nlet azPortalSignins = materialize(table(tableName)\\n| where TimeGenerated \u003e= ago(lookBack)\\n// Azure Portal only\\n| where AppDisplayName =~ \\\"Azure Portal\\\")\\n;\\nlet successPortalSignins = azPortalSignins\\n| where TimeGenerated \u003e= ago(timeRange)\\n// Azure Portal only and exclude non-failure Result Types\\n| where ResultType in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n// Tagging identities not resolved to friendly names\\n//| extend Unresolved = iff(Identity matches regex isGUID, true, false)\\n| distinct TimeGenerated, UserPrincipalName\\n;\\nlet failPortalSignins = azPortalSignins\\n| where TimeGenerated \u003e= ago(timeRange)\\n// Azure Portal only and exclude non-failure Result Types\\n| where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\", \\\"70044\\\", \\\"70043\\\")\\n// Tagging identities not resolved to friendly names\\n| extend Unresolved = iff(Identity matches regex isGUID, true, false)\\n;\\n// Verify there is no success for the same connection attempt after the fail\\nlet failnoSuccess = failPortalSignins | join kind= leftouter (\\n successPortalSignins \\n) on UserPrincipalName\\n| where TimeGenerated \u003e TimeGenerated1 or isempty(TimeGenerated1)\\n| project-away TimeGenerated1, UserPrincipalName1\\n;\\n// Lookup up resolved identities from last 7 days\\nlet identityLookup = azPortalSignins\\n| where TimeGenerated \u003e= ago(lookBack)\\n| where not(Identity matches regex isGUID)\\n| summarize by UserId, lu_UserDisplayName = UserDisplayName, lu_UserPrincipalName = UserPrincipalName;\\n// Join resolved names to unresolved list from portal signins\\nlet unresolvedNames = failnoSuccess | where Unresolved == true | join kind= inner (\\n identityLookup \\n) on UserId\\n| extend UserDisplayName = lu_UserDisplayName, UserPrincipalName = lu_UserPrincipalName\\n| project-away lu_UserDisplayName, lu_UserPrincipalName;\\n// Join Signins that had resolved names with list of unresolved that now have a resolved name\\nlet u_azPortalSignins = failnoSuccess | where Unresolved == false | union unresolvedNames;\\nu_azPortalSignins\\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n| extend Status = strcat(ResultType, \\\": \\\", ResultDescription), OS = tostring(DeviceDetail.operatingSystem), Browser = tostring(DeviceDetail.browser)\\n| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion)\\n| extend FullLocation = strcat(Region,\u0027|\u0027, State, \u0027|\u0027, City)\\n| summarize TimeGenerated = makelist(TimeGenerated), Status = makelist(Status), IPAddresses = makelist(IPAddress), IPAddressCount = dcount(IPAddress), FailedLogonCount = count()\\nby UserPrincipalName, UserId, UserDisplayName, AppDisplayName, Browser, OS, FullLocation, Type\\n| mvexpand TimeGenerated, IPAddresses, Status\\n| extend TimeGenerated = todatetime(tostring(TimeGenerated)), IPAddress = tostring(IPAddresses), Status = tostring(Status)\\n| project-away IPAddresses\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserPrincipalName, UserId, UserDisplayName, Status, FailedLogonCount, IPAddress, IPAddressCount, AppDisplayName, Browser, OS, FullLocation, Type\\n| where (IPAddressCount \u003e= threshold_IPAddressCount and FailedLogonCount \u003e= threshold_Failed) or FailedLogonCount \u003e= threshold_FailedwithSingleIP\\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Failed login attempts to Azure Portal\",\"description\":\"Identifies failed login attempts in the Azure Active Directory SigninLogs to the Azure Portal. Many failed logon \\nattempts or some failed logon attempts from multiple IPs could indicate a potential brute force attack. \\nThe following are excluded due to success and non-failure results:\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n0 - successful logon\\n50125 - Sign-in was interrupted due to a password reset or password registration entry.\\n50140 - This error occurred due to \u0027Keep me signed in\u0027 interrupt when the user was signing-in.\",\"lastUpdatedDateUTC\":\"2022-04-21T00:00:00Z\",\"createdDateUTC\":\"2019-02-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/acc4c247-aaf7-494b-b5da-17f18863878a\",\"name\":\"acc4c247-aaf7-494b-b5da-17f18863878a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"Medium\",\"query\":\"let queryfrequency = 1h;\\nlet queryperiod = 1d;\\nAuditLogs\\n| where TimeGenerated \u003e ago(queryperiod)\\n| where OperationName in (\\\"Invite external user\\\", \\\"Bulk invite users - started (bulk)\\\", \\\"Invite external user with reset invitation status\\\")\\n| extend InitiatedBy = iff(isnotempty(InitiatedBy.user.userPrincipalName), InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName)\\n// Uncomment the following line to filter events where the inviting user was a guest user\\n//| where InitiatedBy has_any (\\\"live.com#\\\", \\\"#EXT#\\\")\\n| extend InvitedUser = TargetResources[0].userPrincipalName\\n| mv-expand UserToCompare = pack_array(InitiatedBy, InvitedUser) to typeof(string)\\n| where UserToCompare has_any (\\\"live.com#\\\", \\\"#EXT#\\\")\\n| extend\\n parsedUser = replace_string(tolower(iff(UserToCompare startswith \\\"live.com#\\\", tostring(split(UserToCompare, \\\"#\\\")[1]), tostring(split(UserToCompare, \\\"#EXT#\\\")[0]))), \\\"@\\\", \\\"_\\\"),\\n InvitationTime = TimeGenerated\\n| join (\\n (union isfuzzy=true SigninLogs, AADNonInteractiveUserSignInLogs)\\n | where TimeGenerated \u003e ago(queryfrequency)\\n | where UserType != \\\"Member\\\"\\n | where AppId has_any\\n (\\\"1b730954-1685-4b74-9bfd-dac224a7b894\\\",// Azure Active Directory PowerShell\\n \\\"04b07795-8ddb-461a-bbee-02f9e1bf7b46\\\",// Microsoft Azure CLI\\n \\\"1950a258-227b-4e31-a9cf-717495945fc2\\\",// Microsoft Azure PowerShell\\n \\\"a0c73c16-a7e3-4564-9a95-2bdf47383716\\\",// Microsoft Exchange Online Remote PowerShell\\n \\\"fb78d390-0c51-40cd-8e17-fdbfab77341b\\\",// Microsoft Exchange REST API Based Powershell\\n \\\"d1ddf0e4-d672-4dae-b554-9d5bdfd93547\\\",// Microsoft Intune PowerShell\\n \\\"9bc3ab49-b65d-410a-85ad-de819febfddc\\\",// Microsoft SharePoint Online Management Shell\\n \\\"12128f48-ec9e-42f0-b203-ea49fb6af367\\\",// MS Teams Powershell Cmdlets\\n \\\"23d8f6bd-1eb0-4cc2-a08c-7bf525c67bcd\\\",// Power BI PowerShell\\n \\\"31359c7f-bd7e-475c-86db-fdb8c937548e\\\",// PnP Management Shell\\n \\\"90f610bf-206d-4950-b61d-37fa6fd1b224\\\" // Aadrm Admin Powershell\\n )\\n | summarize arg_min(TimeGenerated, *) by UserPrincipalName\\n | extend\\n parsedUser = replace_string(UserPrincipalName, \\\"@\\\", \\\"_\\\"),\\n SigninTime = TimeGenerated\\n )\\n on parsedUser\\n| project InvitationTime, InitiatedBy, OperationName, InvitedUser, SigninTime, SigninCategory = Category1, SigninUserPrincipalName = UserPrincipalName, IPAddress, AppDisplayName, ResourceDisplayName, UserAgent, InvitationAdditionalDetails = AdditionalDetails, InvitationTargetResources = TargetResources\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InvitedUser\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatedBy\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]}],\"tactics\":[\"InitialAccess\",\"Persistence\",\"Discovery\"],\"displayName\":\"External guest invitation followed by Azure AD PowerShell signin\",\"description\":\"By default guests have capability to invite more external guest users, guests also can do suspicious Azure AD enumeration. This detection look at guests\\nusers, who have been invited or have invited recently, who also are logging via various PowerShell CLI.\\nRef : \u0027https://danielchronlund.com/2021/11/18/scary-azure-ad-tenant-enumeration-using-regular-b2b-guest-accounts/\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2021-11-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3af9285d-bb98-4a35-ad29-5ea39ba0c628\",\"name\":\"3af9285d-bb98-4a35-ad29-5ea39ba0c628\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let threshold = 1;\\nlet aadFunc = (tableName:string){\\ntable(tableName)\\n| where ConditionalAccessStatus == 1 or ConditionalAccessStatus =~ \\\"failure\\\"\\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\\n| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion) \\n| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\n| extend ConditionalAccessPolicies = todynamic(ConditionalAccessPolicies)\\n| extend ConditionalAccessPol0Name = tostring(ConditionalAccessPolicies[0].displayName)\\n| extend ConditionalAccessPol1Name = tostring(ConditionalAccessPolicies[1].displayName)\\n| extend ConditionalAccessPol2Name = tostring(ConditionalAccessPolicies[2].displayName)\\n| extend Status = strcat(StatusCode, \\\": \\\", ResultDescription) \\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), Status = make_list(Status), StatusDetails = make_list(StatusDetails), IPAddresses = make_list(IPAddress), IPAddressCount = dcount(IPAddress), CorrelationIds = make_list(CorrelationId) \\nby UserPrincipalName, AppDisplayName, tostring(Browser), tostring(OS), City, State, Region, ConditionalAccessPol0Name, ConditionalAccessPol1Name, ConditionalAccessPol2Name, Type\\n| where IPAddressCount \u003e threshold and StatusDetails !has \\\"MFA successfully completed\\\"\\n| mvexpand IPAddresses, Status, StatusDetails, CorrelationIds\\n| extend Status = strcat(Status, \\\" \\\", StatusDetails)\\n| summarize IPAddresses = make_set(IPAddresses), Status = make_set(Status), CorrelationIds = make_set(CorrelationIds) \\nby StartTime, EndTime, UserPrincipalName, AppDisplayName, tostring(Browser), tostring(OS), City, State, Region, ConditionalAccessPol0Name, ConditionalAccessPol1Name, ConditionalAccessPol2Name, IPAddressCount, Type\\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = tostring(IPAddresses)\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"Persistence\"],\"displayName\":\"Attempt to bypass conditional access rule in Azure AD\",\"description\":\"Identifies an attempt to Bypass conditional access rule(s) in Azure Active Directory.\\nThe ConditionalAccessStatus column value details if there was an attempt to bypass Conditional Access\\nor if the Conditional access rule was not satisfied (ConditionalAccessStatus == 1).\\nReferences: \\nhttps://docs.microsoft.com/azure/active-directory/conditional-access/overview\\nhttps://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins\\nhttps://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\nConditionalAccessStatus == 0 // Success\\nConditionalAccessStatus == 1 // Failure\\nConditionalAccessStatus == 2 // Not Applied\\nConditionalAccessStatus == 3 // unknown\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0b904747-1336-4363-8d84-df2710bfe5e7\",\"name\":\"0b904747-1336-4363-8d84-df2710bfe5e7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n AzureDiagnostics\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where OperationName in (\\\"AzureFirewallApplicationRuleLog\\\", \\\"AzureFirewallNetworkRuleLog\\\")\\n | parse kind=regex flags=U msg_s with Protocol \u0027request from \u0027 SourceHost \u0027to \u0027 DestinationHost @\u0027\\\\.? Action: \u0027 Firewall_Action @\u0027\\\\.\u0027 Rest_msg\\n | extend SourceAddress = extract(@\u0027([\\\\.0-9]+)(:[\\\\.0-9]+)?\u0027, 1, SourceHost)\\n | extend DestinationAddress = extract(@\u0027([\\\\.0-9]+)(:[\\\\.0-9]+)?\u0027, 1, DestinationHost)\\n | extend RemoteIP = case(not(ipv4_is_private(DestinationAddress)), DestinationAddress, not(ipv4_is_private(SourceAddress)), SourceAddress, \\\"\\\")\\n // Traffic that involves a public address, and in case this is the source address then the traffic was not denied\\n | where isnotempty(RemoteIP)\\n | project-rename AzureFirewall_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.RemoteIP\\n| where AzureFirewall_TimeGenerated \u003c ExpirationDateTime\\n| summarize AzureFirewall_TimeGenerated = arg_max(AzureFirewall_TimeGenerated, *) by IndicatorId, RemoteIP\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, DomainName, ExpirationDateTime, ConfidenceScore, AzureFirewall_TimeGenerated,\\nTI_ipEntity, Resource, Category, msg_s, SourceAddress, DestinationAddress, Firewall_Action, Protocol, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = AzureFirewall_TimeGenerated, IPCustomEntity = TI_ipEntity, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to AzureFirewall\",\"description\":\"Identifies a match in AzureFirewall (NetworkRule \u0026 ApplicationRule Logs) from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4ebbb5c2-8802-11ec-a8a3-0242ac120002\",\"name\":\"4ebbb5c2-8802-11ec-a8a3-0242ac120002\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"// Enter a reference list of decoy users (usernames) \\\"Case Sensitive\\\"\\nlet MaliciousServiceArtifacts = dynamic ([\\\"fgexec\\\",\\\"cachedump\\\",\\\"mimikatz\\\",\\\"mimidrv\\\",\\\"wceservice\\\",\\\"pwdump\\\"]);\\nEvent\\n| where Source == \\\"Service Control Manager\\\" and EventID == 7045\\n| parse EventData with * \u0027ServiceName\\\"\u003e\u0027 ServiceName \\\"\u003c\\\" * \u0027ImagePath\\\"\u003e\u0027 ImagePath \\\"\u003c\\\" *\\n| where ServiceName has_any (MaliciousServiceArtifacts) or ImagePath has_any (MaliciousServiceArtifacts)\\n| parse EventData with * \u0027AccountName\\\"\u003e\u0027 AccountName \\\"\u003c\\\" *\\n|summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, ServiceName, ImagePath, AccountName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountName\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"ImagePath\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Credential Dumping Tools - Service Installation\",\"description\":\"This query detects the installation of a Windows service that contains artifacts from credential dumping tools such as Mimikatz.\\nRef: https://blueteamblog.com/darkside-ransomware-operations-preventions-and-detections\",\"lastUpdatedDateUTC\":\"2022-04-22T00:00:00Z\",\"createdDateUTC\":\"2022-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"Event\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/adc32a33-1cd6-46f5-8801-e3ed8337885f\",\"name\":\"adc32a33-1cd6-46f5-8801-e3ed8337885f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"// Add any known allowed sources and source locations to the filter below (the NuGet Gallery has been added here as an example).\\nlet allowed_sources = dynamic([\\\"NuGet Gallery\\\"]);\\nlet allowed_locations = dynamic([\\\"https://api.nuget.org/v3/index.json\\\"]);\\nAzureDevOpsAuditing\\n// Look for feeds created or modified at either the organization or project level\\n| where OperationName matches regex \\\"Artifacts.Feed.(Org|Project).Modify\\\"\\n| where Details has \\\"UpstreamSources, added\\\"\\n| extend FeedName = tostring(Data.FeedName)\\n| extend FeedId = tostring(Data.FeedId)\\n| extend UpstreamsAdded = Data.UpstreamsAdded\\n// As multiple feeds may be added expand these out\\n| mv-expand UpstreamsAdded\\n// Only focus on external feeds\\n| where UpstreamsAdded.UpstreamSourceType !~ \\\"internal\\\"\\n| extend SourceLocation = tostring(UpstreamsAdded.Location)\\n| extend SourceName = tostring(UpstreamsAdded.Name)\\n// Exclude sources and locations in the allow list\\n| where SourceLocation !in (allowed_locations) and SourceName !in (allowed_sources)\\n| extend SourceProtocol = tostring(UpstreamsAdded.Protocol)\\n| extend SourceStatus = tostring(UpstreamsAdded.Status)\\n| project-reorder TimeGenerated, OperationName, ScopeDisplayName, ProjectName, FeedName, SourceName, SourceLocation, SourceProtocol, ActorUPN, UserAgent, IpAddress\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"External Upstream Source Added to Azure DevOps Feed\",\"description\":\"The detection looks for new external sources added to an Azure DevOps feed. An allow list can be customized to explicitly allow known good sources. \\nAn attacker could look to add a malicious feed in order to inject malicious packages into a build pipeline.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/feb0a2fb-ae75-4343-8cbc-ed545f1da289\",\"name\":\"feb0a2fb-ae75-4343-8cbc-ed545f1da289\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let VIPUsers = (IdentityInfo\\n| where AssignedRoles contains \\\"Admin\\\"\\n| summarize by tolower(AccountUPN));\\nAuditLogs\\n| where Category =~ \\\"UserManagement\\\"\\n| where ActivityDisplayName =~ \\\"User registered security info\\\"\\n| where LoggedByService =~ \\\"Authentication Methods\\\"\\n| extend AccountCustomEntity = tostring(TargetResources[0].userPrincipalName), IPCustomEntity = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n| where AccountCustomEntity in (VIPUsers)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Authentication Method Changed for Privileged Account\",\"description\":\"Identifies authentication methods being changed for a privileged account. This could be an indicated of an attacker adding an auth method to the account so they can have continued access.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"BehaviorAnalytics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2937bc6b-7cda-4fba-b452-ea43ba8e835f\",\"name\":\"2937bc6b-7cda-4fba-b452-ea43ba8e835f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n| where EventID == 5136 \\n| parse EventData with * \u0027ObjectClass\\\"\u003e\u0027 ObjectClass \\\"\u003c\\\" *\\n| parse EventData with * \u0027AttributeLDAPDisplayName\\\"\u003e\u0027 AttributeLDAPDisplayName \\\"\u003c\\\" *\\n| where ObjectClass == \\\"computer\\\" and AttributeLDAPDisplayName == \\\"msDS-AllowedToActOnBehalfOfOtherIdentity\\\"\\n| parse EventData with * \u0027ObjectDN\\\"\u003e\u0027 ObjectDN \\\"\u003c\\\" *\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Computer, SubjectAccount, SubjectUserSid, SubjectLogonId, ObjectDN, AttributeLDAPDisplayName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SubjectAccount\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Possible Resource-Based Constrained Delegation Abuse\",\"description\":\"This query identifies Active Directory computer objects modifications that allow an adversary to abuse the Resource-based constrained delegation. \\nThis query checks for event id 5136 that the Object Class field is \\\"computer\\\" and the LDAP Display Name is \\\"msDS-AllowedToActOnBehalfOfOtherIdentity\\\" which is an indicator of Resource-based constrained delegation.\\nRef: https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html\",\"lastUpdatedDateUTC\":\"2022-01-19T00:00:00Z\",\"createdDateUTC\":\"2022-01-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/89e6adbd-612c-4fbe-bc3d-32f81baf3b6c\",\"name\":\"89e6adbd-612c-4fbe-bc3d-32f81baf3b6c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT4H\",\"queryPeriod\":\"PT4H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"// Change to true to monitor for Project Administrator adds to *any* project\\nlet MonitorAllProjects = false;\\n// If MonitorAllProjects is false, trigger only on Project Administrator add for the following projects\\nlet ProjectsToMonitor = dynamic([\u0027\u003cproject_X\u003e\u0027,\u0027\u003cproject_Y\u003e\u0027]);\\nAzureDevOpsAuditing\\n| where Area == \\\"Group\\\" and OperationName == \\\"Group.UpdateGroupMembership.Add\\\"\\n| where Details has \u0027Administrators\u0027\\n| where Details has \\\"was added as a member of group\\\" and (Details endswith \u0027\\\\\\\\Project Administrators\u0027 or Details endswith \u0027\\\\\\\\Project Collection Administrators\u0027)\\n| parse Details with AddedIdentity \u0027 was added as a member of group [\u0027 EntityName \u0027]\\\\\\\\\u0027 GroupName\\n| extend Level = iif(GroupName == \u0027Project Collection Administrators\u0027, \u0027Organization\u0027, \u0027Project\u0027), AddedIdentityId = Data.MemberId\\n| extend Severity = iif(Level == \u0027Organization\u0027, \u0027High\u0027, \u0027Medium\u0027), AlertDetails = strcat(\u0027At \u0027, TimeGenerated, \u0027 UTC \u0027, ActorUPN, \u0027/\u0027, ActorDisplayName, \u0027 added \u0027, AddedIdentity, \u0027 to the \u0027, EntityName, \u0027 \u0027, Level)\\n| where MonitorAllProjects == true or EntityName in (ProjectsToMonitor) or Level == \u0027Organization\u0027\\n| project TimeGenerated, Severity, Adder = ActorUPN, AddedIdentity, AddedIdentityId, AlertDetails, Level, EntityName, GroupName, ActorAuthType = AuthenticationMechanism, \\n ActorIpAddress = IpAddress, ActorUserAgent = UserAgent, RawDetails = Details\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Adder, IPCustomEntity = ActorIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Azure DevOps Administrator Group Monitoring\",\"description\":\"This detection monitors for additions to projects or project collection administration groups in an Azure DevOps Organization.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2020-06-04T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/473d57e6-f787-435c-a16b-b38b51fa9a4b\",\"name\":\"473d57e6-f787-435c-a16b-b38b51fa9a4b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"High\",\"query\":\"let servicelist = dynamic([\u0027Services\\\\\\\\HealthService\u0027, \u0027Services\\\\\\\\Sense\u0027, \u0027Services\\\\\\\\WinDefend\u0027, \u0027Services\\\\\\\\MsSecFlt\u0027, \u0027Services\\\\\\\\DiagTrack\u0027, \u0027Services\\\\\\\\SgrmBroker\u0027, \u0027Services\\\\\\\\SgrmAgent\u0027, \u0027Services\\\\\\\\AATPSensorUpdater\u0027 , \u0027Services\\\\\\\\AATPSensor\u0027, \u0027Services\\\\\\\\mpssvc\u0027]);\\nlet filename = dynamic([\\\"subinacl.exe\\\",\u0027SetACL.exe\u0027]);\\nlet parameters = dynamic ([\u0027/deny=SYSTEM\u0027, \u0027/deny=S-1-5-18\u0027, \u0027/grant=SYSTEM=r\u0027, \u0027/grant=S-1-5-18=r\u0027, \u0027n:SYSTEM;p:READ\u0027, \u0027n1:SYSTEM;ta:remtrst;w:dacl\u0027]);\\nlet FullAccess = dynamic([\u0027A;CI;KA;;;SY\u0027, \u0027A;ID;KA;;;SY\u0027, \u0027A;CIID;KA;;;SY\u0027]);\\nlet ReadAccess = dynamic([\u0027A;CI;KR;;;SY\u0027, \u0027A;ID;KR;;;SY\u0027, \u0027A;CIID;KR;;;SY\u0027]);\\nlet DenyAccess = dynamic([\u0027D;CI;KR;;;SY\u0027, \u0027D;ID;KR;;;SY\u0027, \u0027D;CIID;KR;;;SY\u0027]);\\nlet timeframe = 1d;\\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where EventID == 4670\\n| where ObjectType == \u0027Key\u0027\\n| where ObjectName has_any (servicelist)\\n| parse EventData with * \u0027OldSd\\\"\u003e\u0027 OldSd \\\"\u003c\\\" *\\n| parse EventData with * \u0027NewSd\\\"\u003e\u0027 NewSd \\\"\u003c\\\" *\\n| extend Reason = case( (OldSd has \u0027;;;SY\u0027 and NewSd !has \u0027;;;SY\u0027), \u0027System Account is removed\u0027, (OldSd has_any (FullAccess) and NewSd has_any (ReadAccess)) , \u0027System permission has been changed to read from full access\u0027, (OldSd has_any (FullAccess) and NewSd has_any (DenyAccess)), \u0027System account has been given denied permission\u0027, \u0027None\u0027)\\n| project TimeGenerated, Computer, Account, ProcessName, ProcessId, ObjectName, EventData, Activity, HandleId, SubjectLogonId, OldSd, NewSd , Reason\\n),\\n(\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where EventID == 4688\\n| extend ProcessName = tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where ProcessName in~ (filename) \\n| where CommandLine has_any (servicelist) and CommandLine has_any (parameters)\\n| project TimeGenerated, Computer, Account, AccountDomain, ProcessName, ProcessNameFullPath = NewProcessName, EventID, Activity, CommandLine, EventSourceName, Type\\n),\\n(\\nWindowsEvent\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where EventID == 4670 and EventData has_any (servicelist) and EventData has \u0027Key\u0027\\n| extend ObjectType = tostring(EventData.ObjectType)\\n| where ObjectType == \u0027Key\u0027\\n| extend ObjectName = tostring(EventData.ObjectName)\\n| where ObjectName has_any (servicelist)\\n| extend OldSd = tostring(EventData.OldSd)\\n| extend NewSd = tostring(EventData.NewSd)\\n| extend Reason = case( (OldSd has \u0027;;;SY\u0027 and NewSd !has \u0027;;;SY\u0027), \u0027System Account is removed\u0027, (OldSd has_any (FullAccess) and NewSd has_any (ReadAccess)) , \u0027System permission has been changed to read from full access\u0027, (OldSd has_any (FullAccess) and NewSd has_any (DenyAccess)), \u0027System account has been given denied permission\u0027, \u0027None\u0027)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| extend ProcessId = tostring(EventData.ProcessId)\\n| extend Activity= \\\"4670 - Permissions on an object were changed.\\\"\\n| extend HandleId = tostring(EventData.HandleId)\\n| extend SubjectLogonId = tostring(EventData.SubjectLogonId)\\n| project TimeGenerated, Computer, Account, ProcessName, ProcessId, ObjectName, EventData, Activity, HandleId, SubjectLogonId, OldSd, NewSd , Reason\\n),\\n(\\nWindowsEvent\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where EventID == 4688 and EventData has_any (filename) and EventData has_any (servicelist) and EventData has_any (parameters)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend ProcessName = tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where ProcessName in~ (filename) \\n| extend CommandLine = tostring(EventData.CommandLine) \\n| where CommandLine has_any (servicelist) and CommandLine has_any (parameters)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend AccountDomain = tostring(EventData.AccountDomain)\\n| extend Activity=\\\"4688 - A new process has been created.\\\"\\n| extend EventSourceName=Provider\\n| project TimeGenerated, Computer, Account, AccountDomain, ProcessName, ProcessNameFullPath = NewProcessName, EventID, Activity, CommandLine, EventSourceName, Type\\n),\\n(\\nDeviceProcessEvents\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where InitiatingProcessFileName in~ (filename) \\n| where InitiatingProcessCommandLine has_any(servicelist) and InitiatingProcessCommandLine has_any (parameters)\\n| extend Account = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName), Computer = DeviceName\\n| project TimeGenerated, Computer, Account, AccountDomain, ProcessName = InitiatingProcessFileName, ProcessNameFullPath = FolderPath, Activity = ActionType, CommandLine = InitiatingProcessCommandLine, Type, InitiatingProcessParentFileName\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Security Service Registry ACL Modification\",\"description\":\"Identifies attempts to modify registry ACL to evade security solutions. In the Solorigate attack, the attackers were found modifying registry permissions so services.exe cannot access the relevant registry keys to start the service.\\n The detection leverages Security Event as well as MDE data to identify when specific security services registry permissions are modified. \\n Only some portions of this detection are related to Solorigate, it also includes coverage for some common tools that perform this activity. \\n Reference on guidance for enabling registry auditing:\\n - https://docs.microsoft.com/windows/security/threat-protection/auditing/advanced-security-auditing-faq\\n - https://docs.microsoft.com/windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events\\n - https://docs.microsoft.com/windows/security/threat-protection/auditing/audit-registry\\n - https://docs.microsoft.com/windows/security/threat-protection/auditing/event-4670\\n - For the event 4670 to be created the audit policy for the registry must have auditing enabled for Write DAC and/or Write Owner\\n - https://github.com/OTRF/Set-AuditRule \\n - https://docs.microsoft.com/dotnet/api/system.security.accesscontrol.registryrights?view=dotnet-plat-ext-5.0\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-01-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/29283b22-a1c0-4d16-b0a9-3460b655a46a\",\"name\":\"29283b22-a1c0-4d16-b0a9-3460b655a46a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"let UserAgentString = dynamic ([\\\"${jndi:ldap:/\\\", \\\"${jndi:rmi:/\\\", \\\"${jndi:ldaps:/\\\", \\\"${jndi:dns:/\\\", \\\"${jndi:iiop:/\\\",\\\"${jndi:\\\",\\\"${jndi:nds:/\\\",\\\"${jndi:corba/\\\"]);\\nlet UARegexMinimalString=dynamic([\u0027{\u0027,\u0027%7b\u0027, \u0027%7B\u0027]);\\nlet UARegex = @\u0027(\\\\\\\\$|%24)(\\\\\\\\{|%7B)([^jJ]*[jJ])([^nN]*[nN])([^dD]*[dD])([^iI]*[iI])(:|%3A|\\\\\\\\$|%24|}|%7D)\u0027;\\n(union isfuzzy=true\\n(OfficeActivity\\n| where UserAgent has_any (UserAgentString) or UserAgent matches regex UARegex\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = ClientIP, Account = UserId, Type, Operation\\n| extend timestamp = StartTime, AccountCustomEntity = Account, IPCustomEntity = SourceIP\\n),\\n(AzureDiagnostics\\n| where Category in (\\\"FrontdoorWebApplicationFirewallLog\\\", \\\"FrontdoorAccessLog\\\", \\\"ApplicationGatewayFirewallLog\\\", \\\"ApplicationGatewayAccessLog\\\")\\n| where userAgent_s has_any (UserAgentString) or userAgent_s matches regex UARegex\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent = userAgent_s, SourceIP = clientIP_s, Type, host_s, requestUri_s, httpStatus_d\\n| extend timestamp = StartTime, IPCustomEntity = SourceIP, UrlCustomEntity = requestUri_s\\n),\\n(\\nW3CIISLog\\n| where csUserAgent has_any (UserAgentString) or csUserAgent matches regex UARegex\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent = csUserAgent, SourceIP = cIP, Account = csUserName, Type, sSiteName, csMethod, csUriStem\\n| extend timestamp = StartTime, AccountCustomEntity = Account, IPCustomEntity = SourceIP, UrlCustomEntity = csUriStem\\n),\\n(\\nAWSCloudTrail\\n| where UserAgent has_any (UserAgentString) or UserAgent matches regex UARegex\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = SourceIpAddress, Account = UserIdentityUserName, Type, EventName\\n| extend timestamp = StartTime, AccountCustomEntity = Account, IPCustomEntity = SourceIP\\n),\\n(SigninLogs\\n| where UserAgent has_any (UserAgentString) or UserAgent matches regex UARegex\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = IPAddress, Account = UserPrincipalName, Type, Operation = OperationName, tostring(LocationDetails), tostring(DeviceDetail), AppDisplayName, ClientAppUsed\\n| extend timestamp = StartTime, AccountCustomEntity = Account, IPCustomEntity = SourceIP\\n),\\n(AADNonInteractiveUserSignInLogs \\n| where UserAgent has_any (UserAgentString) or UserAgent matches regex UARegex\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = IPAddress, Account = UserPrincipalName, Type, Operation = OperationName, tostring(LocationDetails), tostring(DeviceDetail), AppDisplayName, ClientAppUsed\\n| extend timestamp = StartTime, AccountCustomEntity = Account, IPCustomEntity = SourceIP\\n),\\n(_Im_WebSession (httpuseragent_has_any=array_concat(UserAgentString,UARegexMinimalString))\\n| where HttpUserAgent has_any (UserAgentString) or HttpUserAgent matches regex UARegex\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by HttpUserAgent, SourceIP = SrcIpAddr, DstIpAddr, Account = SrcUsername, Url, Type\\n| extend timestamp = StartTime, AccountCustomEntity = Account, IPCustomEntity = SourceIP, UrlCustomEntity = Url\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"User agent search for log4j exploitation attempt\",\"description\":\"This query uses various log sources having user agent data to look for log4j CVE-2021-44228 exploitation attempt based on user agent pattern. Log4j is an open-source Apache logging library that is used in \\n many Java-based applications. The regex and the string matching look for the most common attacks. This might not be comprehensive to detect every possible user agent variation.\\n Reference: https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2021-12-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"WAF\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3255ec41-6bd6-4f35-84b1-c032b18bbfcb\",\"name\":\"3255ec41-6bd6-4f35-84b1-c032b18bbfcb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"let starttime = 1d;\\nlet TimeDeltaThresholdInSeconds = 60; // we ignore beacons diffs that fall below this threshold \\nlet TotalBeaconsThreshold = 4; // minimum number of beacons required in a session to surface a row\\nlet JitterTolerance = 0.2; // tolerance to jitter, e.g. - 0.2 = 20% jitter is tolerated either side of the periodicity\\nCommonSecurityLog\\n| where DeviceVendor == \\\"Fortinet\\\"\\n| where TimeGenerated \u003e ago(starttime)\\n// eliminate bad data\\n| where isnotempty(SourceIP) and isnotempty(DestinationIP) and SourceIP != \\\"0.0.0.0\\\"\\n// filter out deny, close, rst and SNMP to reduce data volume\\n| where DeviceAction !in (\\\"close\\\", \\\"client-rst\\\", \\\"server-rst\\\", \\\"deny\\\") and DestinationPort != 161\\n// map input fields\\n| project TimeGenerated , SourceIP, DestinationIP, DestinationPort, ReceivedBytes, SentBytes, DeviceAction \\n// where destination IPs are public\\n| where ipv4_is_private(DestinationIP) == false\\n// sort into source-\u003edestination \u0027sessions\u0027\\n| sort by SourceIP asc, DestinationIP asc, DestinationPort asc, TimeGenerated asc\\n| serialize\\n// time diff the contact times between source and destination to get a list of deltas\\n| extend nextTimeGenerated = next(TimeGenerated, 1), nextSourceIP = next(SourceIP, 1), nextDestIP = next(DestinationIP, 1), nextDestPort = next(DestinationPort, 1)\\n| extend TimeDeltainSeconds = datetime_diff(\\\"second\\\",nextTimeGenerated,TimeGenerated)\\n| where SourceIP == nextSourceIP and DestinationIP == nextDestIP and DestinationPort == nextDestPort\\n// remove small time deltas below the set threshold\\n| where TimeDeltainSeconds \u003e TimeDeltaThresholdInSeconds\\n// summarize the deltas by source-\u003edestination\\n| summarize count(), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), sum(ReceivedBytes), sum(SentBytes), makelist(TimeDeltainSeconds), makeset(DeviceAction) by SourceIP, DestinationIP, DestinationPort\\n// get some statistical properties of the delta distribution and smooth any outliers (e.g. laptop shut overnight, working hours)\\n| extend series_stats(list_TimeDeltainSeconds), outliers=series_outliers(list_TimeDeltainSeconds)\\n// expand the deltas and the outliers\\n| mvexpand list_TimeDeltainSeconds to typeof(double), outliers to typeof(double)\\n// replace outliers with the average of the distribution\\n| extend list_TimeDeltainSeconds_normalized=iff(outliers \u003e 1.5 or outliers \u003c -1.5, series_stats_list_TimeDeltainSeconds_avg , list_TimeDeltainSeconds)\\n// summarize with the smoothed distribution\\n| summarize BeaconCount=count(), makelist(list_TimeDeltainSeconds), list_TimeDeltainSeconds_normalized=makelist(list_TimeDeltainSeconds_normalized), makeset(set_DeviceAction) by StartTime, EndTime, SourceIP, DestinationIP, DestinationPort, sum_ReceivedBytes, sum_SentBytes\\n// get stats on the smoothed distribution\\n| extend series_stats(list_TimeDeltainSeconds_normalized)\\n// match jitter tolerance on smoothed distrib\\n| extend MaxJitter = (series_stats_list_TimeDeltainSeconds_normalized_avg*JitterTolerance)\\n| where series_stats_list_TimeDeltainSeconds_normalized_stdev \u003c MaxJitter\\n// where the minimum beacon threshold is satisfied and there was some data transfer\\n| where BeaconCount \u003e TotalBeaconsThreshold and (sum_SentBytes \u003e 0 or sum_ReceivedBytes \u003e 0)\\n// final projection\\n| project StartTime, EndTime, SourceIP, DestinationIP, DestinationPort, BeaconCount, TimeDeltasInSeconds=list_list_TimeDeltainSeconds, Periodicity=series_stats_list_TimeDeltainSeconds_normalized_avg, ReceivedBytes=sum_ReceivedBytes, SentBytes=sum_SentBytes, Actions=set_set_DeviceAction\\n// where periodicity is order of magnitude larger than time delta threshold (eliminates FPs whose periodicity is close to the values we ignored)\\n| where Periodicity \u003e= (10*TimeDeltaThresholdInSeconds)\\n| extend timestamp = StartTime, IPCustomEntity = DestinationIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Fortinet - Beacon pattern detected\",\"description\":\"Identifies patterns in the time deltas of contacts between internal and external IPs in Fortinet network data that are consistent with beaconing.\\n Accounts for randomness (jitter) and seasonality such as working hours that may have been introduced into the beacon pattern.\\n The lookback is set to 1d, the minimum granularity in time deltas is set to 60 seconds and the minimum number of beacons required to emit a\\n detection is set to 4.\\n Increase the lookback period to capture beacons with larger periodicities.\\n The jitter tolerance is set to 0.2 - This means we account for an overall 20% deviation from the infered beacon periodicity. Seasonality is dealt with\\n automatically using series_outliers.\\n Note: In large environments it may be necessary to reduce the lookback period to get fast query times.\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2020-03-31T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/80733eb7-35b2-45b6-b2b8-3c51df258206\",\"name\":\"80733eb7-35b2-45b6-b2b8-3c51df258206\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let DomainList = dynamic([\\\"monerohash.com\\\", \\\"do-dear.com\\\", \\\"xmrminerpro.com\\\", \\\"secumine.net\\\", \\\"xmrpool.com\\\", \\\"minexmr.org\\\", \\\"hashanywhere.com\\\", \\\"xmrget.com\\\", \\n\\\"mininglottery.eu\\\", \\\"minergate.com\\\", \\\"moriaxmr.com\\\", \\\"multipooler.com\\\", \\\"moneropools.com\\\", \\\"xmrpool.eu\\\", \\\"coolmining.club\\\", \\\"supportxmr.com\\\",\\n\\\"minexmr.com\\\", \\\"hashvault.pro\\\", \\\"xmrpool.net\\\", \\\"crypto-pool.fr\\\", \\\"xmr.pt\\\", \\\"miner.rocks\\\", \\\"walpool.com\\\", \\\"herominers.com\\\", \\\"gntl.co.uk\\\", \\\"semipool.com\\\", \\n\\\"coinfoundry.org\\\", \\\"cryptoknight.cc\\\", \\\"fairhash.org\\\", \\\"baikalmine.com\\\", \\\"tubepool.xyz\\\", \\\"fairpool.xyz\\\", \\\"asiapool.io\\\", \\\"coinpoolit.webhop.me\\\", \\\"nanopool.org\\\", \\n\\\"moneropool.com\\\", \\\"miner.center\\\", \\\"prohash.net\\\", \\\"poolto.be\\\", \\\"cryptoescrow.eu\\\", \\\"monerominers.net\\\", \\\"cryptonotepool.org\\\", \\\"extrmepool.org\\\", \\\"webcoin.me\\\", \\n\\\"kippo.eu\\\", \\\"hashinvest.ws\\\", \\\"monero.farm\\\", \\\"supportxmr.com\\\", \\\"xmrpool.eu\\\", \\\"linux-repository-updates.com\\\", \\\"1gh.com\\\", \\\"dwarfpool.com\\\", \\\"hash-to-coins.com\\\", \\n\\\"hashvault.pro\\\", \\\"pool-proxy.com\\\", \\\"hashfor.cash\\\", \\\"fairpool.cloud\\\", \\\"litecoinpool.org\\\", \\\"mineshaft.ml\\\", \\\"abcxyz.stream\\\", \\\"moneropool.ru\\\", \\\"cryptonotepool.org.uk\\\",\\n\\\"extremepool.org\\\", \\\"extremehash.com\\\", \\\"hashinvest.net\\\", \\\"unipool.pro\\\", \\\"crypto-pools.org\\\", \\\"monero.net\\\", \\\"backup-pool.com\\\", \\\"mooo.com\\\", \\\"freeyy.me\\\", \\\"cryptonight.net\\\",\\n\\\"shscrypto.net\\\"]);\\nSyslog\\n| where ProcessName contains \\\"squid\\\"\\n| extend URL = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :]*)\\\",3,SyslogMessage), \\n SourceIP = extract(\\\"([0-9]+ )(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3}))\\\",2,SyslogMessage), \\n Status = extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))\\\",1,SyslogMessage), \\n HTTP_Status_Code = extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))/([0-9]{3})\\\",8,SyslogMessage),\\n User = extract(\\\"(CONNECT |GET )([^ ]* )([^ ]+)\\\",3,SyslogMessage),\\n RemotePort = extract(\\\"(CONNECT |GET )([^ ]*)(:)([0-9]*)\\\",4,SyslogMessage),\\n Domain = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :\\\\\\\\/]*)\\\",3,SyslogMessage),\\n Bytes = toint(extract(\\\"([A-Z]+\\\\\\\\/[0-9]{3} )([0-9]+)\\\",2,SyslogMessage)),\\n contentType = extract(\\\"([a-z/]+$)\\\",1,SyslogMessage)\\n| extend TLD = extract(\\\"\\\\\\\\.[a-z]*$\\\",0,Domain)\\n| where HTTP_Status_Code == \u0027200\u0027\\n| where Domain contains \\\".\\\"\\n| where Domain has_any (DomainList)\\n| extend timestamp = TimeGenerated, URLCustomEntity = URL, IPCustomEntity = SourceIP, AccountCustomEntity = User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Squid proxy events related to mining pools\",\"description\":\"Checks for Squid proxy events in Syslog associated with common mining pools .This query presumes the default Squid log format is being used. \\n http://www.squid-cache.org/Doc/config/access_log/\",\"lastUpdatedDateUTC\":\"2022-05-31T00:00:00Z\",\"createdDateUTC\":\"2019-07-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3b05727d-a8d1-477d-bbdd-d957da96ac7b\",\"name\":\"3b05727d-a8d1-477d-bbdd-d957da96ac7b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"OfficeActivity\\n| where OfficeWorkload =~ \\\"Exchange\\\"\\n| where Parameters has_any (\\\"ForwardTo\\\", \\\"RedirectTo\\\", \\\"ForwardingSmtpAddress\\\")\\n| mv-apply DynamicParameters = todynamic(Parameters) on (summarize ParsedParameters = make_bag(pack(tostring(DynamicParameters.Name), DynamicParameters.Value)))\\n| evaluate bag_unpack(ParsedParameters, columnsConflict=\u0027replace_source\u0027)\\n| extend DestinationMailAddress = tolower(case(\\n isnotempty(column_ifexists(\\\"ForwardTo\\\", \\\"\\\")), column_ifexists(\\\"ForwardTo\\\", \\\"\\\"),\\n isnotempty(column_ifexists(\\\"RedirectTo\\\", \\\"\\\")), column_ifexists(\\\"RedirectTo\\\", \\\"\\\"),\\n isnotempty(column_ifexists(\\\"ForwardingSmtpAddress\\\", \\\"\\\")), trim_start(@\\\"smtp:\\\", column_ifexists(\\\"ForwardingSmtpAddress\\\", \\\"\\\")),\\n \\\"\\\"))\\n| where isnotempty(DestinationMailAddress)\\n| mv-expand split(DestinationMailAddress, \\\";\\\")\\n| extend ClientIPValues = extract_all(@\u0027\\\\[?(::ffff:)?(?P\u003cIPAddress\u003e(\\\\d+\\\\.\\\\d+\\\\.\\\\d+\\\\.\\\\d+)|[^\\\\]]+)\\\\]?([-:](?P\u003cPort\u003e\\\\d+))?\u0027, dynamic([\\\"IPAddress\\\", \\\"Port\\\"]), ClientIP)[0]\\n| extend ClientIP = tostring(ClientIPValues[0]), Port = tostring(ClientIPValues[1])\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), DistinctUserCount = dcount(UserId), UserId = make_set(UserId, 250), Ports = make_set(Port, 250), EventCount = count() by tostring(DestinationMailAddress), ClientIP\\n| where DistinctUserCount \u003e 1\\n| mv-expand UserId to typeof(string)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]}],\"tactics\":[\"Collection\",\"Exfiltration\"],\"displayName\":\"NRT Multiple users email forwarded to same destination\",\"description\":\"Identifies when multiple (more than one) users mailboxes are configured to forward to the same destination.\\nThis could be an attacker-controlled destination mailbox configured to collect mail from multiple compromised user accounts.\",\"lastUpdatedDateUTC\":\"2022-06-24T00:00:00Z\",\"createdDateUTC\":\"2019-08-23T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/75ea5c39-93e5-489b-b1e1-68fa6c9d2d04\",\"name\":\"75ea5c39-93e5-489b-b1e1-68fa6c9d2d04\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let threshold = 3;\\nlet aadFunc = (tableName:string){\\ntable(tableName)\\n| where ResultType == \\\"50057\\\"\\n| where ResultDescription =~ \\\"User account is disabled. The account has been disabled by an administrator.\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), applicationCount = dcount(AppDisplayName), \\napplicationSet = make_set(AppDisplayName), count() by UserPrincipalName, IPAddress, Type\\n| where applicationCount \u003e= threshold\\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Attempts to sign in to disabled accounts\",\"description\":\"Identifies failed attempts to sign in to disabled accounts across multiple Azure Applications.\\nDefault threshold for Azure Applications attempted to sign in to is 3.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50057 - User account is disabled. The account has been disabled by an administrator.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bfb1c90f-8006-4325-98be-c7fffbc254d6\",\"name\":\"bfb1c90f-8006-4325-98be-c7fffbc254d6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let s_threshold = 30;\\nlet l_threshold = 3;\\nlet aadFunc = (tableName:string){\\ntable(tableName)\\n| where OperationName =~ \\\"Sign-in activity\\\"\\n// Error codes that we want to look at as they are related to the use of incorrect password.\\n| where ResultType in (\\\"50126\\\", \\\"50053\\\" , \\\"50055\\\", \\\"50056\\\")\\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\\n| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\n| extend LocationString = strcat(tostring(LocationDetails.countryOrRegion), \\\"/\\\", tostring(LocationDetails.state), \\\"/\\\", tostring(LocationDetails.city))\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), LocationCount=dcount(LocationString), Location = make_set(LocationString), \\nIPAddress = make_set(IPAddress), IPAddressCount = dcount(IPAddress), AppDisplayName = make_set(AppDisplayName), ResultDescription = make_set(ResultDescription), \\nBrowser = make_set(Browser), OS = make_set(OS), SigninCount = count() by UserPrincipalName, Type \\n// Setting a generic threshold - Can be different for different environment\\n| where SigninCount \u003e s_threshold and LocationCount \u003e= l_threshold\\n| extend tostring(Location), tostring(IPAddress), tostring(AppDisplayName), tostring(ResultDescription), tostring(Browser), tostring(OS)\\n| distinct *\\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Distributed Password cracking attempts in AzureAD\",\"description\":\"Identifies distributed password cracking attempts from the Azure Active Directory SigninLogs.\\nThe query looks for unusually high number of failed password attempts coming from multiple locations for a user account.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50053 Account is locked because the user tried to sign in too many times with an incorrect user ID or password.\\n50055 Invalid password, entered expired password.\\n50056 Invalid or null password - Password does not exist in store for this user.\\n50126 Invalid username or password, or invalid on-premises username or password.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7ad4c32b-d0d2-411c-a0e8-b557afa12fce\",\"name\":\"7ad4c32b-d0d2-411c-a0e8-b557afa12fce\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, FileName = Process, CommandLine, ParentProcessName\\n| where CommandLine contains \\\".decode(\u0027base64\u0027)\\\"\\n or CommandLine contains \\\"base64 --decode\\\"\\n or CommandLine contains \\\".decode64(\\\"\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"Execution\",\"DefenseEvasion\"],\"displayName\":\"NRT Process executed from binary hidden in Base64 encoded file\",\"description\":\"Encoding malicious software is a technique used to obfuscate files from detection.\\nThe first CommandLine component is looking for Python decoding base64.\\nThe second CommandLine component is looking for Bash/sh command line base64 decoding.\\nThe third one is looking for Ruby decoding base64.\",\"lastUpdatedDateUTC\":\"2022-02-08T00:00:00Z\",\"createdDateUTC\":\"2019-01-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/95002681-4ecb-4da3-9ece-26d7e5feaa33\",\"name\":\"95002681-4ecb-4da3-9ece-26d7e5feaa33\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"imAuthentication\\n| where EventResult ==\u0027Failure\u0027\\n| where EventResultDetails == \u0027User disabled\u0027\\n| summarize StartTime=min(EventStartTime), EndTime=max(EventEndTime), disabledAccountLoginAttempts = count()\\n , disabledAccountsTargeted = dcount(TargetUsername), disabledAccountSet = make_set(TargetUsername)\\n , applicationsTargeted = dcount(TargetAppName)\\n , applicationSet = make_set(TargetAppName) \\n by SrcDvcIpAddr, Type\\n| order by disabledAccountLoginAttempts desc\\n| join kind=leftouter \\n (\\n // Consider these IPs suspicious - and alert any related successful sign-ins\\n imAuthentication\\n | where EventResult==\u0027Success\u0027\\n | summarize successfulAccountSigninCount = dcount(TargetUsername), successfulAccountSigninSet = makeset(TargetUsername, 15) by SrcDvcIpAddr, Type\\n // Assume IPs associated with sign-ins from 100+ distinct user accounts are safe\\n | where successfulAccountSigninCount \u003c 100\\n )\\n on SrcDvcIpAddr\\n| where isnotempty(successfulAccountSigninCount)\\n| project StartTime, EndTime, SrcDvcIpAddr, disabledAccountLoginAttempts, disabledAccountsTargeted, disabledAccountSet, applicationSet, \\nsuccessfulAccountSigninCount, successfulAccountSigninSet, Type\\n| order by disabledAccountLoginAttempts\\n| extend timestamp = StartTime, IPCustomEntity = SrcDvcIpAddr\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"Persistence\"],\"displayName\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts (Uses Authentication Normalization)\",\"description\":\"Identifies IPs with failed attempts to sign in to one or more disabled accounts signed in successfully to another account.\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimAuthentication)\",\"lastUpdatedDateUTC\":\"2022-02-14T00:00:00Z\",\"createdDateUTC\":\"2021-07-27T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/795edf2d-cf3e-45b5-8452-fe6c9e6a582e\",\"name\":\"795edf2d-cf3e-45b5-8452-fe6c9e6a582e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"CommonSecurityLog \\n| where isempty(CommunicationDirection) \\n| where DeviceEventClassID in (\\\"733101\\\",\\\"733102\\\",\\\"733103\\\",\\\"733104\\\",\\\"733105\\\")\\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Discovery\",\"Impact\"],\"displayName\":\"Cisco ASA - threat detection message fired\",\"description\":\"Identifies when the Cisco ASA Threat Detection engine fired an alert based on malicious activity occurring on the network inicated by DeviceEventClassID 733101-733105\\nResources: https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs9.html\\nDetails on how to further troubleshoot/investigate: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113685-asa-threat-detection.html\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1785d372-b9fe-4283-96a6-3a1d83cabfd1\",\"name\":\"1785d372-b9fe-4283-96a6-3a1d83cabfd1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"let Tarrask_threats = dynamic([\\\"HackTool:Win64/Tarrask!MS\\\", \\\"HackTool:Win64/Ligolo!MSR\\\", \\\"Behavior:Win32/ScheduledTaskHide.A\\\", \\\"Tarrask\\\"]);\\nDeviceInfo\\n| extend DeviceName = tolower(DeviceName)\\n| join kind=rightouter ( SecurityAlert\\n| where ProviderName == \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)\\n| where ThreatName in~ (Tarrask_threats) or ThreatFamilyName in~ (Tarrask_threats)\\n| extend CompromisedEntity = tolower(CompromisedEntity)\\n) on $left.DeviceName == $right.CompromisedEntity\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CompromisedEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"PublicIP\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"AV detections related to Tarrask malware\",\"description\":\"This query looks for Microsoft Defender AV detections related to Tarrask malware. In Microsoft Sentinel the SecurityAlerts table \\n includes only the Device Name of the affected device, this query joins the DeviceInfo table to clearly connect other information such as Device group, ip, logged on users etc. \\n This would allow the Microsoft Sentinel analyst to have more context related to the alert, if available.\\n Reference: https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-04-12T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/157c0cfc-d76d-463b-8755-c781608cdc1a\",\"name\":\"157c0cfc-d76d-463b-8755-c781608cdc1a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let aadFunc = (tableName:string){\\nCommonSecurityLog\\n| where DeviceVendor =~ \\\"Cisco\\\"\\n| where DeviceAction =~ \\\"denied\\\"\\n| where ipv4_is_private(SourceIP) == false\\n| summarize count() by SourceIP\\n| join (\\n // Successful signins from IPs blocked by the firewall solution are suspect\\n // Include fully successful sign-ins, but also ones that failed only at MFA stage\\n // as that supposes the password was sucessfully guessed.\\n table(tableName)\\n | where ResultType in (\\\"0\\\", \\\"50074\\\", \\\"50076\\\") \\n) on $left.SourceIP == $right.IPAddress\\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIP, AccountCustomEntity = UserPrincipalName\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Cisco - firewall block but success logon to Azure AD\",\"description\":\"Correlate IPs blocked by a Cisco firewall appliance with successful Azure Active Directory signins. \\nBecause the IP was blocked by the firewall, that same IP logging on successfully to AAD is potentially suspect\\nand could indicate credential compromise for the user account.\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2019-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/875d0eb1-883a-4191-bd0e-dbfdeb95a464\",\"name\":\"875d0eb1-883a-4191-bd0e-dbfdeb95a464\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n| where EventID == 5136 \\n| parse EventData with * \u0027AttributeLDAPDisplayName\\\"\u003e\u0027 AttributeLDAPDisplayName \\\"\u003c\\\" *\\n| parse EventData with * \u0027ObjectClass\\\"\u003e\u0027 ObjectClass \\\"\u003c\\\" *\\n| where AttributeLDAPDisplayName == \\\"servicePrincipalName\\\" and ObjectClass == \\\"user\\\"\\n| parse EventData with * \u0027ObjectDN\\\"\u003e\u0027 ObjectDN \\\"\u003c\\\" *\\n| parse EventData with * \u0027AttributeValue\\\"\u003e\u0027 AttributeValue \\\"\u003c\\\" *\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Computer, SubjectAccount, ObjectDN, AttributeValue\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SubjectAccount\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Service Principal Name (SPN) Assigned to User Account\",\"description\":\"This query identifies whether a Active Directory user object was assigned a service principal name which could indicate that an adversary is preparing for performing Kerberoasting. \\nThis query checks for event id 5136 that the Object Class field is \\\"user\\\" and the LDAP Display Name is \\\"servicePrincipalName\\\".\\nRef: https://thevivi.net/assets/docs/2019/theVIVI-AD-Security-Workshop_AfricaHackon2019.pdf\",\"lastUpdatedDateUTC\":\"2022-02-02T00:00:00Z\",\"createdDateUTC\":\"2022-01-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/45076281-35ae-45e0-b443-c32aa0baf965\",\"name\":\"45076281-35ae-45e0-b443-c32aa0baf965\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"High\",\"query\":\"let args = dynamic([\\\"objectcategory\\\",\\\"domainlist\\\",\\\"dcmodes\\\",\\\"adinfo\\\",\\\"trustdmp\\\",\\\"computers_pwdnotreqd\\\",\\\"Domain Admins\\\", \\\"objectcategory=person\\\", \\\"objectcategory=computer\\\", \\\"objectcategory=*\\\",\\\"dclist\\\"]);\\nlet parentProcesses = dynamic([\\\"pwsh.exe\\\",\\\"powershell.exe\\\",\\\"cmd.exe\\\"]);\\nimProcessCreate\\n//looks for execution from a shell\\n| where ActingProcessName has_any (parentProcesses)\\n| extend ActingProcessFileName = tostring(split(ActingProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where ActingProcessFileName in~ (parentProcesses)\\n// main filter\\n| where Process hassuffix \\\"AdFind.exe\\\" or TargetProcessSHA256 == \\\"c92c158d7c37fea795114fa6491fe5f145ad2f8c08776b18ae79db811e8e36a3\\\"\\n // AdFind common Flags to check for from various threat actor TTPs\\n or CommandLine has_any (args)\\n| extend AccountCustomEntity = User, HostCustomEntity = Dvc, ProcessCustomEntity = ActingProcessName, CommandLineCustomEntity = CommandLine, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = TargetProcessSHA256\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"},{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLineCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Discovery\"],\"displayName\":\"Probable AdFind Recon Tool Usage (Normalized Process Events)\",\"description\":\"Identifies the host and account that executed AdFind by hash and filename in addition to common and unique flags that are used by many threat actors in discovery.\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimProcessEvent)\",\"lastUpdatedDateUTC\":\"2022-02-14T00:00:00Z\",\"createdDateUTC\":\"2021-06-09T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/910124df-913c-47e3-a7cd-29e1643fa55e\",\"name\":\"910124df-913c-47e3-a7cd-29e1643fa55e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"//Adjust this threshold to fit environment\\nlet signin_threshold = 5; \\n//Make a list of IPs with failed AWS console logins\\nlet aws_fails = AWSCloudTrail\\n| where EventName == \\\"ConsoleLogin\\\"\\n| extend LoginResult = tostring(parse_json(ResponseElements).ConsoleLogin) \\n| where LoginResult != \\\"Success\\\"\\n| where SourceIpAddress != \\\"127.0.0.1\\\"\\n| summarize count() by SourceIpAddress\\n| where count_ \u003e signin_threshold\\n| summarize make_set(SourceIpAddress);\\n//See if any of those IPs have sucessfully logged into Azure AD.\\nSigninLogs\\n| where ResultType in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n| where IPAddress in (aws_fails) \\n| extend Reason = \\\"Multiple failed AWS Console logins from IP address\\\"\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"Failed AWS Console logons but success logon to AzureAD\",\"description\":\"Identifies a list of IP addresses with a minimum numbe(default of 5) of failed logon attempts to AWS Console.\\nUses that list to identify any successful Azure Active Directory logons from these IPs within the same timeframe.\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2019-08-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a779e2d5-9109-4f0a-a75e-f3d4f3c58560\",\"name\":\"a779e2d5-9109-4f0a-a75e-f3d4f3c58560\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let sha256Hashes = dynamic([\\\"78c255a98003a101fa5ba3f49c50c6922b52ede601edac5db036ab72efc57629\\\", \\\"0588f61dc7e4b24554cffe4ea56d043d8f6139d2569bc180d4a77cf75b68792f\\\", \\\"441a3810b9e89bae12eea285a63f92e98181e9fb9efd6c57ef6d265435484964\\\", \\\"cbae79f66f724e0fe1705d6b5db3cc8a4e89f6bdf4c37004aa1d45eeab26e84b\\\", \\\"fd6515a71530b8329e2c0104d0866c5c6f87546d4b44cc17bbb03e64663b11fc\\\", \\\"5d169e083faa73f2920c8593fb95f599dad93d34a6aa2b0f794be978e44c8206\\\", \\\"7f29b69eb1af1cc6c1998bad980640bfe779525fd5bb775bc36a0ce3789a8bfc\\\", \\\"02a59fe2c94151a08d75a692b550e66a8738eb47f0001234c600b562bf8c227d\\\", \\\"7f84bf6a016ca15e654fb5ebc36fd7407cb32c69a0335a32bfc36cb91e36184d\\\", \\\"afab2e77dc14831f1719e746042063a8ec107de0e9730249d5681d07f598e5ec\\\", \\\"894138dfeee756e366c65a197b4dbef8816406bc32697fac6621601debe17d53\\\", \\\"4611340fdade4e36f074f75294194b64dcf2ec0db00f3d958956b4b0d6586431\\\", \\\"c96ae21b4cf2e28eec222cfe6ca903c4767a068630a73eca58424f9a975c6b7d\\\", \\\"fa30be45c5c5a8f679b42ae85410f6099f66fe2b38eb7aa460bcc022babb41ca\\\", \\\"e64bea4032cf2694e85ede1745811e7585d3580821a00ae1b9123bb3d2d442d6\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, SourceUserID, FileHash, Type\\n| extend timestamp = TimeGenerated, FileHashCustomEntity = \u0027SHA256\u0027, Account = SourceUserID\\n),\\n(imFileEvent\\n| where TargetFileSHA256 has_any (sha256Hashes)\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(Event\\n| where Source =~ \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Image = EventDetail.[4].[\\\"#text\\\"], CommandLine = EventDetail.[10].[\\\"#text\\\"], Hashes = tostring(EventDetail.[17].[\\\"#text\\\"])\\n| extend Hashes = extract_all(@\\\"(?P\u003ckey\u003e\\\\w+)=(?P\u003cvalue\u003e[a-zA-Z0-9]+)\\\", dynamic([\\\"key\\\",\\\"value\\\"]), Hashes)\\n| extend Hashes = column_ifexists(\\\"Hashes\\\", \\\"\\\"), CommandLine = column_ifexists(\\\"CommandLine\\\", \\\"\\\")\\n| where (Hashes has_any (sha256Hashes) ) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, Hashes, CommandLine, Image\\n| extend Type = strcat(Type, \\\": \\\", Source)\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), FileHashCustomEntity = Hashes\\n),\\n(DeviceEvents\\n| where InitiatingProcessSHA256 has_any (sha256Hashes) or SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n),\\n(DeviceFileEvents\\n| where SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n),\\n(DeviceImageLoadEvents\\n| where SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"FileHashCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"KNOTWEED File Hashes July 2022\",\"description\":\"This query looks for references to known KNOTWEED file hashes in various logs.\\n This query was published July 2022.\\n Ref: https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/\",\"lastUpdatedDateUTC\":\"2022-07-27T00:00:00Z\",\"createdDateUTC\":\"2022-07-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceEvents\",\"DeviceFileEvents\",\"DeviceImageLoadEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/aedc5b33-2d7c-42cb-a692-f25ef637cbb1\",\"name\":\"aedc5b33-2d7c-42cb-a692-f25ef637cbb1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let lbtime = 10m;\\nProofpointPOD\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027outbound\u0027\\n| where array_length(todynamic(DstUserUpn)) == 1\\n| extend sender = extract(@\u0027\\\\A(.*?)@\u0027, 1, SrcUserUpn)\\n| extend sender_domain = extract(@\u0027@(.*)$\u0027, 1, SrcUserUpn)\\n| extend recipient = extract(@\u0027\\\\A(.*?)@\u0027, 1, tostring(todynamic(DstUserUpn)[0]))\\n| extend recipient_domain = extract(@\u0027@(.*)$\u0027, 1, tostring(todynamic(DstUserUpn)[0]))\\n| where sender =~ recipient\\n| where sender_domain != recipient_domain\\n| project SrcUserUpn, DstUserUpn\\n| extend AccountCustomEntity = SrcUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"ProofpointPOD - Possible data exfiltration to private email\",\"description\":\"Detects when sender sent email to the non-corporate domain and recipient\u0027s username is the same as sender\u0027s username.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/30fa312c-31eb-43d8-b0cc-bcbdfb360822\",\"name\":\"30fa312c-31eb-43d8-b0cc-bcbdfb360822\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @\u0027^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$\u0027;\\nlet aadFunc = (tableName:string){\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n table(tableName) | where TimeGenerated \u003e= ago(dt_lookBack) and isnotempty(UserPrincipalName)\\n //Normalizing the column to lower case for exact match with EmailSenderAddress column\\n | extend UserPrincipalName = tolower(UserPrincipalName)\\n | where UserPrincipalName matches regex emailregex\\n | extend Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n | extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\n | extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion)\\n // renaming timestamp column so it is clear the log this came from SigninLogs table\\n | extend SigninLogs_TimeGenerated = TimeGenerated, Type = Type\\n)\\non $left.EmailSenderAddress == $right.UserPrincipalName\\n| where SigninLogs_TimeGenerated \u003c ExpirationDateTime\\n| summarize SigninLogs_TimeGenerated = arg_max(SigninLogs_TimeGenerated, *) by IndicatorId, UserPrincipalName\\n| project SigninLogs_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, IPAddress, UserPrincipalName, AppDisplayName,\\nStatusCode, StatusDetails, NetworkIP, NetworkDestinationIP, NetworkSourceIP, Type\\n| extend timestamp = SigninLogs_TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress, URLCustomEntity = Url\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map Email entity to SigninLogs\",\"description\":\"Identifies a match in SigninLogs table from any Email IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d6190dde-8fd2-456a-ac5b-0a32400b0464\",\"name\":\"d6190dde-8fd2-456a-ac5b-0a32400b0464\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let ProcessCreationEvents=() {\\nlet processEvents=(union isfuzzy=true\\n(SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, FileName = Process, CommandLine, ParentProcessName\\n),\\n(WindowsEvent\\n| where EventID==4688\\n| where EventData has_any (\\\".decode(\u0027base64\u0027)\\\", \\\"base64 --decode\\\", \\\".decode64(\\\" )\\n| extend CommandLine = tostring(EventData.CommandLine)\\n| where isnotempty(CommandLine)\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend FileName=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, CommandLine, ParentProcessName\\n));\\nprocessEvents;\\n};\\nProcessCreationEvents \\n| where CommandLine contains \\\".decode(\u0027base64\u0027)\\\"\\n or CommandLine contains \\\"base64 --decode\\\"\\n or CommandLine contains \\\".decode64(\\\" \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), CountToday = count() by Computer, Account, AccountDomain, FileName, CommandLine, ParentProcessName \\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Execution\",\"DefenseEvasion\"],\"displayName\":\"Process executed from binary hidden in Base64 encoded file\",\"description\":\"Encoding malicious software is a technique used to obfuscate files from detection. \\nThe first CommandLine component is looking for Python decoding base64. \\nThe second CommandLine component is looking for Bash/sh command line base64 decoding.\\nThe third one is looking for Ruby decoding base64.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2019-01-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a04cf847-a832-4c60-b687-b0b6147da219\",\"name\":\"a04cf847-a832-4c60-b687-b0b6147da219\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"High\",\"query\":\"let IPList = dynamic([\\\"45.63.52.41\\\",\\\"140.82.17.161\\\",\\\"207.148.101.95\\\",\\\"45.32.87.51\\\",\\\"66.42.98.156\\\",\\\"45.76.144.105\\\",\\\"217.163.28.35\\\",\\\"45.32.141.174\\\",\\\"149.28.165.249\\\",\\\"209.250.225.247\\\",\\\"45.63.100.115\\\",\\\"95.179.229.230\\\",\\\"209.250.233.247\\\",\\\"45.77.121.232\\\",\\\"45.76.175.65\\\",\\\"104.238.160.237\\\",\\\"45.77.181.97\\\",\\\"95.179.192.125\\\",\\\"149.28.93.184\\\",\\\"140.82.16.81\\\",\\\"45.76.173.103\\\",\\\"45.77.255.22\\\",\\\"45.32.11.71\\\",\\\"149.28.77.26\\\",\\\"45.32.54.50\\\",\\\"104.156.233.156\\\",\\\"45.32.21.118\\\",\\\"45.63.62.109\\\",\\\"45.77.244.202\\\",\\\"149.248.11.205\\\",\\\"104.238.190.244\\\"]);\\nlet IOCTerms = \\\"\\\\\\\\?lang=[/..]*/dev/cmdb/sslvpn_websession|/dana-na/jam/[/..]*home/webserver/htdocs/dana/html5acc/guacamole[/..]*etc/passwd\\\\\\\\?\\\";\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where isnotempty(SourceIP) or isnotempty(DestinationIP)\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or has_any_ipv4 (Message, IPList)\\n| extend IPMatch = case(\\nSourceIP in (IPList), \\\"SourceIP\\\", \\nDestinationIP in (IPList), \\\"DestinationIP\\\",\\n\\\"Message\\\") \\n| where Message matches regex IOCTerms\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch\\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\") \\n),\\n(OfficeActivity\\n| where isnotempty(UserAgent) and ClientIP in (IPList)\\n| where UserAgent contains \\\"ExchangeServicesClient/0.0.0.0\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP = ClientIP, Account = UserId, Type, RecordType, OfficeWorkload, UserAgent, OfficeObjectId, IPMatch = \\\"ClientIP\\\"\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, IPCustomEntity = SourceIP\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"Collection\"],\"displayName\":\"Known Manganese IP and UserAgent activity\",\"description\":\"Matches IP plus UserAgent IOCs in OfficeActivity data, along with IP plus Connection string information in the CommonSecurityLog data related to Manganese group activity.\\nReferences: \\nhttps://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/\\nhttps://fortiguard.com/psirt/FG-IR-18-384\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-10-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/74ed028d-e392-40b7-baef-e69627bf89d1\",\"name\":\"74ed028d-e392-40b7-baef-e69627bf89d1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"AzureDevOpsAuditing\\n| where OperationName =~ \\\"AuditLog.StreamDisabledByUser\\\"\\n| extend StreamType = tostring(Data.ConsumerType)\\n| project-reorder TimeGenerated, Details, ActorUPN, IpAddress, UserAgent, StreamType\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"NRT Azure DevOps Audit Stream Disabled\",\"description\":\"Azure DevOps allow for audit logs to be streamed to external storage solutions such as SIEM solutions. An attacker looking to hide malicious Azure DevOps activity from defenders may look to disable data streams \\n before conducting activity and then re-enabling the stream after (so as not to raise data threshold-based alarms). Looking for disabled audit streams can identify this activity, and due to the nature of the action \\n its unlikely to have a high false positive rate.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a356c8bd-c81d-428b-aa36-83be706be034\",\"name\":\"a356c8bd-c81d-428b-aa36-83be706be034\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"// AADJoined or Register Device Registry Keys\\nlet aadJoinRoot = \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\ControlSet001\\\\\\\\Control\\\\\\\\CloudDomainJoin\\\\\\\\JoinInfo\\\\\\\\\\\";\\nlet aadRegisteredRoot = \\\"\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\WorkplaceJoin\\\";\\n// Transport Key Registry Key\\nlet keyTransportKey = \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\ControlSet001\\\\\\\\Control\\\\\\\\Cryptography\\\\\\\\Ngc\\\\\\\\KeyTransportKey\\\\\\\\\\\";\\n(union isfuzzy=true\\n(\\n// Access to Object Requested\\nSecurityEvent\\n| where EventID == \u00274656\u0027\\n| where EventData contains aadJoinRoot or EventData contains aadRegisteredRoot\\n| extend EventData = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Computer, EventID)\\n| where ObjectType == \u0027Key\u0027\\n| where ObjectName startswith aadJoinRoot and SubjectLogonId != \u00270x3e7\u0027 //Local System\\n| extend ProcessId = column_ifexists(\\\"ProcessId\\\", \\\"\\\"), Process = split(ProcessName, \u0027\\\\\\\\\u0027, -1)[-1],Account = strcat(SubjectDomainName, \\\"\\\\\\\\\\\", SubjectUserName)\\n| join kind=innerunique (\\n SecurityEvent\\n | where EventID == \u00274656\u0027\\n | where EventData contains keyTransportKey\\n | extend EventData = parse_xml(EventData).EventData.Data\\n | mv-expand bagexpansion=array EventData\\n | evaluate bag_unpack(EventData)\\n | extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n | evaluate pivot(Key, any(Value), TimeGenerated, Computer, EventID)\\n | extend ObjectName = column_ifexists(\\\"ObjectName\\\", \\\"\\\"),ObjectType = column_ifexists(\\\"ObjectType\\\", \\\"\\\")\\n | where ObjectType == \u0027Key\u0027\\n | where ObjectName startswith keyTransportKey and SubjectLogonId != \u00270x3e7\u0027 //Local System\\n | extend ProcessId = column_ifexists(\\\"ProcessId\\\", \\\"\\\"), Process = split(ProcessName, \u0027\\\\\\\\\u0027, -1)[-1],Account = strcat(SubjectDomainName, \\\"\\\\\\\\\\\", SubjectUserName)\\n) on $left.Computer == $right.Computer and $left.SubjectLogonId == $right.SubjectLogonId and $left.ProcessId == $right.ProcessId\\n| project TimeGenerated, Computer, Account, SubjectDomainName, SubjectUserName, SubjectLogonId, ObjectName, tostring(Process), ProcessName, ProcessId, EventID\\n),\\n// Accessing Object\\n(\\nSecurityEvent\\n| where EventID == \u00274663\u0027\\n| where ObjectType == \u0027Key\u0027\\n| where (ObjectName startswith aadJoinRoot or ObjectName contains aadRegisteredRoot) and SubjectLogonId != \u00270x3e7\u0027 //Local System\\n| extend Account = SubjectAccount\\n| join kind=innerunique (\\n SecurityEvent\\n | where EventID == \u00274663\u0027\\n | where ObjectType == \u0027Key\u0027\\n | where ObjectName contains keyTransportKey and SubjectLogonId != \u00270x3e7\u0027 //Local System\\n | extend Account = SubjectAccount\\n) on $left.Computer == $right.Computer and $left.SubjectLogonId == $right.SubjectLogonId and $left.ProcessId == $right.ProcessId\\n| project TimeGenerated, Computer, Account, SubjectDomainName, SubjectUserName, SubjectLogonId, ObjectName, Process, ProcessName, ProcessId, EventID\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"Discovery\"],\"displayName\":\"AAD Local Device Join Information and Transport Key Registry Keys Access\",\"description\":\"This detection uses Windows security events to detect suspicious access attempts by the same process\\n to registry keys that provide information about an AAD joined or registered devices and Transport keys (tkpub / tkpriv).\\n This information can be used to export the Device Certificate (dkpub / dkpriv) and Transport key (tkpub/tkpriv).\\n These set of keys can be used to impersonate existing Azure AD joined devices.\\n This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable objects:\\n HKLM:\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\CloudDomainJoin (AAD joined devices)\\n HKCU:\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\WorkplaceJoin (AAD registered devices)\\n HKLM:\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Cryptography\\\\Ngc\\\\KeyTransportKey (Transport Key)\\n Make sure you set the SACL to propagate to its sub-keys. You can find more information in here https://github.com/OTRF/Set-AuditRule/blob/master/rules/registry/aad_connect_health_service_agent.yml\\n Reference: https://o365blog.com/post/deviceidentity/\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-02-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/58fc0170-0877-4ea8-a9ff-d805e361cfae\",\"name\":\"58fc0170-0877-4ea8-a9ff-d805e361cfae\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"let schedule_lookback = 14d; \\nlet join_lookback = 1d; \\n// If you want to whitelist specific timezones include them in a list here\\nlet tz_whitelist = dynamic([]);\\nlet meetings = ( \\nZoomLogs \\n| where TimeGenerated \u003e= ago(schedule_lookback) \\n| where Event =~ \\\"meeting.created\\\" \\n| extend MeetingId = tostring(parse_json(MeetingEvents).MeetingId) \\n| extend SchedTimezone = tostring(parse_json(MeetingEvents).Timezone)); \\nZoomLogs \\n| where TimeGenerated \u003e= ago(join_lookback) \\n| where Event =~ \\\"meeting.participant_joined\\\" \\n| extend JoinedTimeZone = tostring(parse_json(MeetingEvents).Timezone) \\n| extend MeetingName = tostring(parse_json(MeetingEvents).MeetingName) \\n| extend MeetingId = tostring(parse_json(MeetingEvents).MeetingId) \\n| where JoinedTimeZone !in (tz_whitelist)\\n| join (meetings) on MeetingId \\n| where SchedTimezone != JoinedTimeZone \\n| project TimeGenerated, MeetingName, JoiningUser=payload_object_participant_user_name_s, JoinedTimeZone, SchedTimezone, MeetingScheduler=User1 \\n| extend timestamp = TimeGenerated, AccountCustomEntity = JoiningUser\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"PrivilegeEscalation\"],\"displayName\":\"User joining Zoom meeting from suspicious timezone\",\"description\":\"The alert shows users that join a Zoom meeting from a time zone other than the one the meeting was created in.\\nYou can also whitelist known good time zones in the tz_whitelist value using the tz database name format https://en.wikipedia.org/wiki/List_of_tz_database_time_zones\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2020-04-24T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a09a0b8e-30fe-4ebf-94a0-cffe50f579cd\",\"name\":\"a09a0b8e-30fe-4ebf-94a0-cffe50f579cd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n | where OperationName =~ \\\"Update user\\\"\\n | where Result =~ \\\"success\\\"\\n | mv-expand TargetResources\\n | mv-expand TargetResources.modifiedProperties\\n | where TargetResources_modifiedProperties.displayName =~ \\\"TargetId.UserType\\\"\\n | extend UpdatingServicePrincipal = tostring(parse_json(tostring(InitiatedBy.app)).servicePrincipalId)\\n | extend UpdatingUserPrincipal = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend UpdatingUser = iif(isnotempty(UpdatingServicePrincipal), UpdatingServicePrincipal, UpdatingUserPrincipal)\\n | extend UpdatedUserPrincipalName = tostring(TargetResources.userPrincipalName)\\n | project-reorder TimeGenerated, UpdatedUserPrincipalName, UpdatingUser\\n | where parse_json(tostring(TargetResources_modifiedProperties.newValue)) =~ \\\"\\\\\\\"Member\\\\\\\"\\\" and parse_json(tostring(TargetResources_modifiedProperties.oldValue)) =~ \\\"\\\\\\\"Guest\\\\\\\"\\\"\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UpdatingUser\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UpdatedUserPrincipalName\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"User State changed from Guest to Member\",\"description\":\"Detects when a guest account in a tenant is converted to a member of the tenant.\\n Monitoring guest accounts and the access they are provided is important to detect potential account abuse.\\n Accounts converted to members should be investigated to ensure the activity was legitimate.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b12b3dab-d973-45af-b07e-e29bb34d8db9\",\"name\":\"b12b3dab-d973-45af-b07e-e29bb34d8db9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let timeframe = 15m;\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(timeframe)\\n| where HttpUserAgentOriginal contains \\\"WindowsPowerShell\\\"\\n| extend Message = \\\"Windows PowerShell User Agent\\\"\\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated,HttpUserAgentOriginal\\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"DefenseEvasion\"],\"displayName\":\"Cisco Umbrella - Windows PowerShell User-Agent Detected\",\"description\":\"Rule helps to detect Powershell user-agent activity by an unusual process other than a web browser.\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d722831e-88f5-4e25-b106-4ef6e29f8c13\",\"name\":\"d722831e-88f5-4e25-b106-4ef6e29f8c13\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P8D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"// a threshold can be enabled, see commented line below for PrevSeenCount\\nlet threshold = 2;\\nlet uploadOp = \u0027FileUploaded\u0027;\\n// Extensions that are interesting. Add/Remove to this list as you see fit\\nlet execExt = dynamic([\u0027exe\u0027, \u0027inf\u0027, \u0027gzip\u0027, \u0027cmd\u0027, \u0027bat\u0027]);\\nlet starttime = 8d;\\nlet endtime = 1d;\\nOfficeActivity | where TimeGenerated \u003e= ago(endtime)\\n// Limited to File Uploads due to potential noise, comment out the Operation statement below to include any operation type\\n// Additional, but potentially noisy operation types that include Uploads and Downloads can be included by adding the following - Operation contains \\\"upload\\\" or Operation contains \\\"download\\\"\\n| where Operation =~ uploadOp\\n| where SourceFileExtension has_any (execExt)\\n| project TimeGenerated, OfficeId, OfficeWorkload, RecordType, Operation, UserType, UserKey, UserId, ClientIP, UserAgent, Site_Url, SourceRelativeUrl, SourceFileName\\n| join kind= leftanti (\\nOfficeActivity | where TimeGenerated between (ago(starttime) .. ago(endtime))\\n| where Operation =~ uploadOp\\n| where SourceFileExtension has_any (execExt)\\n| summarize SourceRelativeUrl = make_set(SourceRelativeUrl), UserId = make_set(UserId) , PrevSeenCount = count() by SourceFileName\\n// To exclude previous matches when only above a specific count, change threshold above and uncomment the line below\\n//| where PrevSeenCount \u003e threshold\\n| mvexpand SourceRelativeUrl, UserId\\n| extend SourceRelativeUrl = tostring(SourceRelativeUrl), UserId = tostring(UserId)\\n) on SourceFileName, SourceRelativeUrl, UserId \\n| extend SiteUrlUserFolder = tolower(split(Site_Url, \u0027/\u0027)[-2])\\n| extend UserIdUserFolderFormat = tolower(replace(\u0027@|\\\\\\\\.\u0027, \u0027_\u0027,UserId))\\n// identify when UserId is not a match to the specific site url personal folder reference\\n| extend UserIdDiffThanUserFolder = iff(Site_Url has \u0027/personal/\u0027 and SiteUrlUserFolder != UserIdUserFolderFormat, true , false ) \\n| summarize TimeGenerated = make_list(TimeGenerated), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), \\nUserAgents = make_list(UserAgent), OfficeIds = make_list(OfficeId), SourceRelativeUrls = make_list(SourceRelativeUrl), FileNames = make_list(SourceFileName)\\nby OfficeWorkload, RecordType, Operation, UserType, UserKey, UserId, ClientIP, Site_Url, SiteUrlUserFolder, UserIdUserFolderFormat, UserIdDiffThanUserFolder\\n| extend timestamp = StartTime, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Site_Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"New executable via Office FileUploaded Operation\",\"description\":\"Identifies when executable file types are uploaded to Office services such as SharePoint and OneDrive.\\nList currently includes \u0027exe\u0027, \u0027inf\u0027, \u0027gzip\u0027, \u0027cmd\u0027, \u0027bat\u0027 file extensions.\\nAdditionally, identifies when a given user is uploading these files to another users workspace.\\nThis may be indication of a staging location for malware or other malicious activity.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/69a45b05-71f5-45ca-8944-2e038747fb39\",\"name\":\"69a45b05-71f5-45ca-8944-2e038747fb39\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P8D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let endtime = 1d;\\nlet starttime = 8d;\\n// The threshold below excludes matching on RDP connection computer counts of 5 or more by a given account and IP in a given day. Change the threshold as needed.\\nlet threshold = 5;\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4624 and LogonType == 10\\n// Labeling the first RDP connection time, computer and ip\\n| extend FirstHop = TimeGenerated, FirstComputer = toupper(Computer), FirstIPAddress = IpAddress, Account = tolower(Account)\\n),\\n( WindowsEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4624 and EventData has (\\\"10\\\")\\n| extend LogonType = tostring(EventData.LogonType)\\n| where LogonType == 10 // Labeling the first RDP connection time, computer and ip\\n| extend Account = strcat(tostring(EventData.TargetDomainName),\\\"\\\\\\\\\\\", tostring(EventData.TargetUserName))\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| extend FirstHop = TimeGenerated, FirstComputer = toupper(Computer), FirstIPAddress = IpAddress, Account = tolower(Account)\\n))\\n| join kind=inner (\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4624 and LogonType == 10\\n// Labeling the second RDP connection time, computer and ip\\n| extend SecondHop = TimeGenerated, SecondComputer = toupper(Computer), SecondIPAddress = IpAddress, Account = tolower(Account)\\n),\\n(WindowsEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4624 and EventData has (\\\"10\\\")\\n| extend LogonType = toint(EventData.LogonType)\\n| where LogonType == 10 // Labeling the second RDP connection time, computer and ip\\n| extend Account = strcat(tostring(EventData.TargetDomainName),\\\"\\\\\\\\\\\", tostring(EventData.TargetUserName))\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| extend SecondHop = TimeGenerated, SecondComputer = toupper(Computer), SecondIPAddress = IpAddress, Account = tolower(Account)\\n))\\n) on Account\\n// Make sure that the first connection is after the second connection --\u003e SecondHop \u003e FirstHop\\n// Then identify only RDP to another computer from within the first RDP connection by only choosing matches where the Computer names do not match --\u003e FirstComputer != SecondComputer\\n// Then make sure the IPAddresses do not match by excluding connections from the same computers with first hop RDP connections to multiple computers --\u003e FirstIPAddress != SecondIPAddress\\n| where FirstComputer != SecondComputer and FirstIPAddress != SecondIPAddress and SecondHop \u003e FirstHop\\n// where the second hop occurs within 30 minutes of the first hop\\n| where SecondHop \u003c= FirstHop+30m\\n| distinct Account, FirstHop, FirstComputer, FirstIPAddress, SecondHop, SecondComputer, SecondIPAddress, AccountType, Activity, LogonTypeName, ProcessName\\n// use left anti to exclude anything from the previous 7 days where the Account and IP has connected 5 or more computers.\\n| join kind=leftanti (\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e= ago(starttime) and TimeGenerated \u003c ago(endtime)\\n| where EventID == 4624 and LogonType == 10\\n| summarize makeset(Computer), ComputerCount = dcount(Computer) by bin(TimeGenerated, 1d), Account = tolower(Account), IpAddress\\n// Connection count to computer by same account and IP to exclude counts of 5 or more on a given day\\n| where ComputerCount \u003e= threshold\\n| mvexpand set_Computer\\n| extend Computer = toupper(set_Computer)\\n),\\n(WindowsEvent\\n| where TimeGenerated \u003e= ago(starttime) and TimeGenerated \u003c ago(endtime)\\n| where EventID == 4624 and EventData has (\\\"10\\\")\\n| extend LogonType = tostring(EventData.LogonType)\\n| where LogonType == 10 \\n| extend Account = strcat(tostring(EventData.TargetDomainName),\\\"\\\\\\\\\\\", tostring(EventData.TargetUserName))\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| summarize makeset(Computer), ComputerCount = dcount(Computer) by bin(TimeGenerated, 1d), Account = tolower(Account), IpAddress\\n// Connection count to computer by same account and IP to exclude counts of 5 or more on a given day\\n| where ComputerCount \u003e= threshold\\n| mvexpand set_Computer\\n| extend Computer = toupper(set_Computer)\\n))\\n) on Account, $left.SecondComputer == $right.Computer, $left.SecondIPAddress == $right.IpAddress\\n| summarize FirstHopFirstSeen = min(FirstHop), FirstHopLastSeen = max(FirstHop) by Account, FirstComputer, FirstIPAddress, SecondHop, SecondComputer, \\nSecondIPAddress, AccountType, Activity, LogonTypeName, ProcessName\\n| extend timestamp = FirstHopFirstSeen, AccountCustomEntity = Account, HostCustomEntity = FirstComputer, IPCustomEntity = FirstIPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"LateralMovement\"],\"displayName\":\"RDP Nesting\",\"description\":\"Identifies when an RDP connection is made to a first system and then an RDP connection is made from the first system\\nto another system with the same account within the 60 minutes. Additionally, if historically daily\\nRDP connections are indicated by the logged EventID 4624 with LogonType = 10\",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2019-10-21T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/884c4957-70ea-4f57-80b9-1bca3890315b\",\"name\":\"884c4957-70ea-4f57-80b9-1bca3890315b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let timeBin = 10m;\\nlet failedThreshold = 100;\\nW3CIISLog\\n| where scStatus in (\\\"401\\\",\\\"403\\\")\\n| where csUserName != \\\"-\\\"\\n// Handling Exchange specific items in IIS logs to remove the unique log identifier in the URI\\n| extend csUriQuery = iff(csUriQuery startswith \\\"MailboxId=\\\", tostring(split(csUriQuery, \\\"\u0026\\\")[0]) , csUriQuery )\\n| extend csUriQuery = iff(csUriQuery startswith \\\"X-ARR-CACHE-HIT=\\\", strcat(tostring(split(csUriQuery, \\\"\u0026\\\")[0]),tostring(split(csUriQuery, \\\"\u0026\\\")[1])) , csUriQuery )\\n| extend scStatusFull = strcat(scStatus, \\\".\\\",scSubStatus) \\n// Map common IIS codes\\n| extend scStatusFull_Friendly = case(\\nscStatusFull == \\\"401.0\\\", \\\"Access denied.\\\",\\nscStatusFull == \\\"401.1\\\", \\\"Logon failed.\\\",\\nscStatusFull == \\\"401.2\\\", \\\"Logon failed due to server configuration.\\\",\\nscStatusFull == \\\"401.3\\\", \\\"Unauthorized due to ACL on resource.\\\",\\nscStatusFull == \\\"401.4\\\", \\\"Authorization failed by filter.\\\",\\nscStatusFull == \\\"401.5\\\", \\\"Authorization failed by ISAPI/CGI application.\\\",\\nscStatusFull == \\\"403.0\\\", \\\"Forbidden.\\\",\\nscStatusFull == \\\"403.4\\\", \\\"SSL required.\\\",\\n\\\"See - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\\")\\n// Mapping to Hex so can be mapped using website in comments above\\n| extend scWin32Status_Hex = tohex(tolong(scWin32Status)) \\n// Map common win32 codes\\n| extend scWin32Status_Friendly = case(\\nscWin32Status_Hex =~ \\\"775\\\", \\\"The referenced account is currently locked out and cannot be logged on to.\\\",\\nscWin32Status_Hex =~ \\\"52e\\\", \\\"Logon failure: Unknown user name or bad password.\\\",\\nscWin32Status_Hex =~ \\\"532\\\", \\\"Logon failure: The specified account password has expired.\\\",\\nscWin32Status_Hex =~ \\\"533\\\", \\\"Logon failure: Account currently disabled.\\\", \\nscWin32Status_Hex =~ \\\"2ee2\\\", \\\"The request has timed out.\\\", \\nscWin32Status_Hex =~ \\\"0\\\", \\\"The operation completed successfully.\\\", \\nscWin32Status_Hex =~ \\\"1\\\", \\\"Incorrect function.\\\", \\nscWin32Status_Hex =~ \\\"2\\\", \\\"The system cannot find the file specified.\\\", \\nscWin32Status_Hex =~ \\\"3\\\", \\\"The system cannot find the path specified.\\\", \\nscWin32Status_Hex =~ \\\"4\\\", \\\"The system cannot open the file.\\\", \\nscWin32Status_Hex =~ \\\"5\\\", \\\"Access is denied.\\\", \\nscWin32Status_Hex =~ \\\"8009030e\\\", \\\"SEC_E_NO_CREDENTIALS\\\", \\nscWin32Status_Hex =~ \\\"8009030C\\\", \\\"SEC_E_LOGON_DENIED\\\", \\n\\\"See - https://msdn.microsoft.com/library/cc231199.aspx\\\")\\n// decode URI when available\\n| extend decodedUriQuery = url_decode(csUriQuery)\\n// Count of failed logons by a user\\n| summarize makeset(decodedUriQuery), makeset(cIP), makeset(sSiteName), makeset(sPort), makeset(csUserAgent), makeset(csMethod), makeset(csUriQuery), makeset(scStatusFull), makeset(scStatusFull_Friendly), makeset(scWin32Status_Hex), makeset(scWin32Status_Friendly), FailedConnectionsCount = count() by bin(TimeGenerated, timeBin), csUserName, Computer, sIP\\n| where FailedConnectionsCount \u003e= failedThreshold\\n| project TimeGenerated, csUserName, set_decodedUriQuery, Computer, set_sSiteName, sIP, set_cIP, set_sPort, set_csUserAgent, set_csMethod, set_scStatusFull, set_scStatusFull_Friendly, set_scWin32Status_Hex, set_scWin32Status_Friendly, FailedConnectionsCount\\n| order by FailedConnectionsCount\\n| extend timestamp = TimeGenerated, AccountCustomEntity = csUserName, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"High count of failed logons by a user\",\"description\":\"Identifies when 100 or more failed attempts by a given user in 10 minutes occur on the IIS Server.\\nThis could be indicative of attempted brute force based on known account information.\\nThis could also simply indicate a misconfigured service or device. \\nReferences:\\nIIS status code mapping - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\nWin32 Status code mapping - https://msdn.microsoft.com/library/cc231199.aspx\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-03-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7efc75ce-e2a4-400f-a8b1-283d3b0f2c60\",\"name\":\"7efc75ce-e2a4-400f-a8b1-283d3b0f2c60\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Low\",\"query\":\"let WellKnownLocalSID = \\\"S-1-5-32-5[0-9][0-9]$\\\";\\nlet WellKnownGroupSID = \\\"S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\\\";\\nlet AC_Add = \\n(union isfuzzy=true \\n(SecurityEvent\\n// Event ID related to member addition.\\n| where EventID in (4728, 4732,4756) \\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID \\n| parse EventData with * \u0027\\\"MemberName\\\"\u003e\u0027 * \u0027=\u0027 AccountAdded \\\",OU\\\" *\\n| where isnotempty(AccountAdded)\\n| extend GroupAddedTo = TargetUserName, AddingAccount = Account \\n| extend AccountAdded_GroupAddedTo_AddingAccount = strcat(AccountAdded, \\\"||\\\", GroupAddedTo, \\\"||\\\", AddingAccount )\\n| project AccountAdded_GroupAddedTo_AddingAccount, AccountAddedTime = TimeGenerated\\n),\\n(WindowsEvent\\n// Event ID related to member addition.\\n| where EventID in (4728, 4732,4756) \\n| extend TargetSid = tostring(EventData.TargetSid)\\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID \\n| parse EventData.MemberName with * \u0027\\\"MemberName\\\"\u003e\u0027 * \u0027=\u0027 AccountAdded \\\",OU\\\" *\\n| where isnotempty(AccountAdded)\\n| extend TargetUserName = tostring(EventData.TargetUserName)\\n| extend AddingAccount = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend GroupAddedTo = TargetUserName\\n| extend AccountAdded_GroupAddedTo_AddingAccount = strcat(AccountAdded, \\\"||\\\", GroupAddedTo, \\\"||\\\", AddingAccount )\\n| project AccountAdded_GroupAddedTo_AddingAccount, AccountAddedTime = TimeGenerated\\n)\\n);\\nlet AC_Remove = \\n( union isfuzzy=true \\n(SecurityEvent\\n// Event IDs related to member removal.\\n| where EventID in (4729,4733,4757)\\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID \\n| parse EventData with * \u0027\\\"MemberName\\\"\u003e\u0027 * \u0027=\u0027 AccountRemoved \\\",OU\\\" * \\n| where isnotempty(AccountRemoved)\\n| extend GroupRemovedFrom = TargetUserName, RemovingAccount = Account\\n| extend AccountRemoved_GroupRemovedFrom_RemovingAccount = strcat(AccountRemoved, \\\"||\\\", GroupRemovedFrom, \\\"||\\\", RemovingAccount)\\n| project AccountRemoved_GroupRemovedFrom_RemovingAccount, AccountRemovedTime = TimeGenerated, Computer, RemovedAccountId = tolower(AccountRemoved), \\nRemovedByUser = SubjectUserName, RemovedByUserLogonId = SubjectLogonId, GroupRemovedFrom = TargetUserName, TargetDomainName\\n),\\n(WindowsEvent\\n// Event IDs related to member removal.\\n| where EventID in (4729,4733,4757)\\n| extend TargetSid = tostring(EventData.TargetSid)\\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID \\n| parse EventData.MemberName with * \u0027\\\"MemberName\\\"\u003e\u0027 * \u0027=\u0027 AccountRemoved \\\",OU\\\" * \\n| where isnotempty(AccountRemoved)\\n| extend TargetUserName = tostring(EventData.TargetUserName)\\n| extend RemovingAccount = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend GroupRemovedFrom = TargetUserName\\n| extend AccountRemoved_GroupRemovedFrom_RemovingAccount = strcat(AccountRemoved, \\\"||\\\", GroupRemovedFrom, \\\"||\\\", RemovingAccount)\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| extend SubjectLogonId = tostring(EventData.SubjectLogonId)\\n| extend TargetDomainName = tostring(EventData.TargetDomainName)\\n| project AccountRemoved_GroupRemovedFrom_RemovingAccount, AccountRemovedTime = TimeGenerated, Computer, RemovedAccountId = tolower(AccountRemoved), \\nRemovedByUser = SubjectUserName, RemovedByUserLogonId = SubjectLogonId, GroupRemovedFrom = TargetUserName, TargetDomainName\\n)); \\nAC_Add \\n| join kind= inner AC_Remove on $left.AccountAdded_GroupAddedTo_AddingAccount == $right.AccountRemoved_GroupRemovedFrom_RemovingAccount \\n| extend DurationinSecondAfter_Removed = datetime_diff (\u0027second\u0027, AccountRemovedTime, AccountAddedTime)\\n| where DurationinSecondAfter_Removed \u003e 0\\n| project-away AccountRemoved_GroupRemovedFrom_RemovingAccount\\n| extend timestamp = AccountAddedTime, AccountCustomEntity = RemovedAccountId, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Account added and removed from privileged groups\",\"description\":\"Identifies accounts that are added to privileged group and then quickly removed, which could be a sign of compromise.\u0027 \",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2019-04-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f68a5046-b7eb-4f69-9519-1e99708bb9e0\",\"name\":\"f68a5046-b7eb-4f69-9519-1e99708bb9e0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"DeviceFileEvents\\n | where ActionType =~ \\\"FileCreated\\\"\\n | where FolderPath has \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\spool\\\\\\\\drivers\\\\\\\\color\\\\\\\\\\\" \\n | where FileName endswith \\\".exe\\\" or FileName endswith \\\".dll\\\"\",\"entityMappings\":[{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"FileName\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"DeviceName\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"PE file dropped in Color Profile Folder\",\"description\":\"This query looks for writes of PE files to C:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\color\\\\.\\n This is a common directory used by malware, as well as some legitimate programs, and writes of PE files to the folder should be monitored.\\n Ref: https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/\",\"lastUpdatedDateUTC\":\"2022-07-26T00:00:00Z\",\"createdDateUTC\":\"2022-07-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a3df4a32-4805-4c6d-8699-f3c888af2f67\",\"name\":\"a3df4a32-4805-4c6d-8699-f3c888af2f67\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"let Alert1 = \\nSecurityAlert\\n| where AlertName == \\\"Unfamiliar sign-in properties\\\"\\n| extend UserPrincipalName = tostring(parse_json(ExtendedProperties).[\\\"User Account\\\"])\\n| extend Alert1Time = TimeGenerated\\n| extend Alert1 = AlertName\\n| extend Alert1Severity = AlertSeverity\\n;\\nlet Alert2 = \\nSecurityAlert\\n| where AlertName == \\\"Atypical travel\\\"\\n| extend UserPrincipalName = tostring(parse_json(ExtendedProperties).[\\\"User Account\\\"])\\n| extend Alert2Time = TimeGenerated\\n| extend Alert2 = AlertName\\n| extend Alert2Severity = AlertSeverity\\n| extend CurrentLocation = strcat(tostring(parse_json(tostring(parse_json(Entities)[2].Location)).CountryCode), \\\"|\\\", tostring(parse_json(tostring(parse_json(Entities)[2].Location)).State), \\\"|\\\", tostring(parse_json(tostring(parse_json(Entities)[2].Location)).City))\\n| extend PreviousLocation = strcat(tostring(parse_json(tostring(parse_json(Entities)[3].Location)).CountryCode), \\\"|\\\", tostring(parse_json(tostring(parse_json(Entities)[3].Location)).State), \\\"|\\\", tostring(parse_json(tostring(parse_json(Entities)[3].Location)).City))\\n| extend CurrentIPAddress = tostring(parse_json(Entities)[2].Address)\\n| extend PreviousIPAddress = tostring(parse_json(Entities)[3].Address)\\n;\\nAlert1\\n| join kind=inner Alert2 on UserPrincipalName\\n| where abs(datetime_diff(\u0027minute\u0027, Alert1Time, Alert2Time)) \u003c=10\\n| extend TimeDelta = Alert1Time - Alert2Time\\n| project UserPrincipalName, Alert1, Alert1Time, Alert1Severity, Alert2, Alert2Time, Alert2Severity, TimeDelta, CurrentLocation, PreviousLocation, CurrentIPAddress, PreviousIPAddress\\n| extend AccountCustomEntity = UserPrincipalName\\n| extend IPCustomEntity = CurrentIPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Correlate Unfamiliar sign-in properties and atypical travel alerts\",\"description\":\"The combination of an Unfamiliar sign-in properties alert and an Atypical travel alert about the same user within a +10m or -10m window is considered a high severity incident.\",\"lastUpdatedDateUTC\":\"2021-12-07T00:00:00Z\",\"createdDateUTC\":\"2020-09-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectoryIdentityProtection\",\"dataTypes\":[\"SecurityAlert (IPC)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ed8c9153-6f7a-4602-97b4-48c336b299e1\",\"name\":\"ed8c9153-6f7a-4602-97b4-48c336b299e1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let guids = dynamic([\\\"{ddc05a5a-351a-4e06-8eaf-54ec1bc2dcea}\\\",\\\"{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\\\",\\\"{4590f811-1d3a-11d0-891f-00aa004b2e24}\\\", \\\"{4de225bf-cf59-4cfc-85f7-68b90f185355}\\\", \\\"{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A}\\\"]);\\n let mde_data = DeviceRegistryEvents\\n | where ActionType =~ \\\"RegistryValueSet\\\"\\n | where RegistryKey contains \\\"HKEY_LOCAL_MACHINE\\\\\\\\SOFTWARE\\\\\\\\Classes\\\\\\\\CLSID\\\"\\n | where RegistryKey has_any (guids)\\n | where RegistryValueData has \\\"System32\\\\\\\\spool\\\\\\\\drivers\\\\\\\\color\\\";\\n let event_data = SecurityEvent\\n | where EventID == 4657\\n | where ObjectName contains \\\"HKEY_LOCAL_MACHINE\\\\\\\\SOFTWARE\\\\\\\\Classes\\\\\\\\CLSID\\\"\\n | where ObjectName has_any (guids)\\n | where NewValue has \\\"System32\\\\\\\\spool\\\\\\\\drivers\\\\\\\\color\\\"\\n | extend RegistryKey = ObjectName, RegistryValueData = NewValue, DeviceName=Computer, InitiatingProcessFileName = Process, InitiatingProcessAccountName=SubjectAccount;\\n union mde_data, event_data\",\"entityMappings\":[{\"entityType\":\"RegistryKey\",\"fieldMappings\":[{\"identifier\":\"Key\",\"columnName\":\"RegistryKey\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"DeviceName\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"InitiatingProcessFileName\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingProcessAccountName\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"COM Registry Key Modified to Point to File in Color Profile Folder\",\"description\":\"This query looks for changes to COM registry keys to point to files in C:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\color\\\\.\\n This can be used to enable COM hijacking for persistence.\\n Ref: https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/\",\"lastUpdatedDateUTC\":\"2022-07-26T00:00:00Z\",\"createdDateUTC\":\"2022-07-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceRegistryEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a7564d76-ec6b-4519-a66b-fcc80c42332b\",\"name\":\"a7564d76-ec6b-4519-a66b-fcc80c42332b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let WellKnownLocalSID = \\\"S-1-5-32-5[0-9][0-9]$\\\";\\nlet WellKnownGroupSID = \\\"S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\\\";\\nlet GroupAddition = (union isfuzzy=true \\n(SecurityEvent \\n// 4728 - A member was added to a security-enabled global group\\n// 4732 - A member was added to a security-enabled local group\\n// 4756 - A member was added to a security-enabled universal group \\n| where EventID in (\\\"4728\\\", \\\"4732\\\", \\\"4756\\\") \\n| where AccountType =~ \\\"User\\\" and MemberName == \\\"-\\\"\\n// Exclude Remote Desktop Users group: S-1-5-32-555\\n| where TargetSid !in (\\\"S-1-5-32-555\\\")\\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID\\n| project GroupAddTime = TimeGenerated, GroupAddEventID = EventID, GroupAddActivity = Activity, GroupAddComputer = Computer, GroupAddTargetAccount = TargetAccount, \\nGroupAddTargetSid = TargetSid, GroupAddSubjectAccount = SubjectAccount, GroupAddSubjectUserSid = SubjectUserSid, GroupSid = MemberSid\\n),\\n(\\nWindowsEvent \\n// 4728 - A member was added to a security-enabled global group\\n// 4732 - A member was added to a security-enabled local group\\n// 4756 - A member was added to a security-enabled universal group \\n| where EventID in (\\\"4728\\\", \\\"4732\\\", \\\"4756\\\") and not(EventData has \\\"S-1-5-32-555\\\")\\n| extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend AccountType=case(Account endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n| extend MemberName = tostring(EventData.MemberName)\\n| where AccountType =~ \\\"User\\\" and MemberName == \\\"-\\\"\\n// Exclude Remote Desktop Users group: S-1-5-32-555\\n| extend TargetSid = tostring(EventData.TargetSid)\\n| where TargetSid !in (\\\"S-1-5-32-555\\\")\\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID\\n| extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| extend MemberSid = tostring(EventData.MemberSid)\\n| extend Activity= \\\"GroupAddActivity\\\"\\n| project GroupAddTime = TimeGenerated, GroupAddEventID = EventID, GroupAddActivity = Activity, GroupAddComputer = Computer, GroupAddTargetAccount = TargetAccount, \\nGroupAddTargetSid = TargetSid, GroupAddSubjectAccount = Account, GroupAddSubjectUserSid = SubjectUserSid, GroupSid = MemberSid\\n));\\nlet GroupCreated = (union isfuzzy=true \\n(SecurityEvent\\n// 4727 - A security-enabled global group was created\\n// 4731 - A security-enabled local group was created\\n// 4754 - A security-enabled universal group was created\\n| where EventID in (\\\"4727\\\", \\\"4731\\\", \\\"4754\\\")\\n| where AccountType =~ \\\"User\\\"\\n| project GroupCreateTime = TimeGenerated, GroupCreateEventID = EventID, GroupCreateActivity = Activity, GroupCreateComputer = Computer, GroupCreateTargetAccount = TargetAccount, \\nGroupCreateSubjectAccount = SubjectAccount, GroupCreateSubjectUserSid = SubjectUserSid, GroupSid = TargetSid\\n),\\n(WindowsEvent\\n// 4727 - A security-enabled global group was created\\n// 4731 - A security-enabled local group was created\\n// 4754 - A security-enabled universal group was created\\n| where EventID in (\\\"4727\\\", \\\"4731\\\", \\\"4754\\\")\\n| extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend AccountType=case(Account endswith \\\"$\\\", \\\"Machine\\\", iff(SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", iff(isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")))\\n| where AccountType =~ \\\"User\\\"\\n| extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| extend SubjectAccount = strcat(EventData.SubjectDomainName,\\\"\\\\\\\\\\\", EventData.SubjectUserName) \\n| extend TargetSid = tostring(EventData.TargetSid) \\n| extend Activity= \\\"GroupAddActivity\\\"\\n| project GroupCreateTime = TimeGenerated, GroupCreateEventID = EventID, GroupCreateActivity = Activity, GroupCreateComputer = Computer, GroupCreateTargetAccount = TargetAccount, \\nGroupCreateSubjectAccount = SubjectAccount, GroupCreateSubjectUserSid = SubjectUserSid, GroupSid = TargetSid\\n));\\nGroupCreated\\n| join (\\nGroupAddition\\n) on GroupSid \\n| extend timestamp = GroupCreateTime, AccountCustomEntity = GroupCreateSubjectAccount, HostCustomEntity = GroupCreateComputer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"Sid\",\"columnName\":\"GroupCreateSubjectUserSid\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Group created then added to built in domain local or global group\",\"description\":\"Identifies when a recently created Group was added to a privileged built in domain local group or global group such as the \\nEnterprise Admins, Cert Publishers or DnsAdmins. Be sure to verify this is an expected addition.\\nReferences: For AD SID mappings - https://docs.microsoft.com/windows/security/identity-protection/access-control/active-directory-security-groups.\",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3b443f22-9be9-4c35-ac70-a94757748439\",\"name\":\"3b443f22-9be9-4c35-ac70-a94757748439\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"let files1 = dynamic([\\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\lsa.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\pa.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\pc.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\Rar.exe\\\"]);\\nlet files2 = dynamic([\\\"svchost.exe\\\",\\\"wdmsvc.exe\\\"]);\\nlet FileHash1 = dynamic([\\\"43109fbe8b752f7a9076eaafa417d9ae5c6e827cd5374b866672263fdebd5ec3\\\", \\\"ab50d8d707b97712178a92bbac74ccc2a5699eb41c17aa77f713ff3e568dcedb\\\", \\\"010e32be0f86545e116a8bc3381a8428933eb8789f32c261c81fd5e7857d4a77\\\", \\\"56cd102b9fc7f3523dad01d632525ff673259dbc9a091be0feff333c931574f7\\\"]);\\nlet FileHash2 = dynamic([\\\"2a1044e9e6e87a032f80c6d9ea6ae61bbbb053c0a21b186ecb3b812b49eb03b7\\\", \\\"9ab7e99ed84f94a7b6409b87e56dc6e1143b05034a5e4455e8c555dbbcd0d2dd\\\", \\\"18a072ccfab239e140d8f682e2874e8ff19d94311fc8bb9564043d3e0deda54b\\\"]);\\nDeviceProcessEvents\\n| where ( FolderPath has_any (files1) and SHA256 has_any (FileHash1)) or (FolderPath has_any (files2) and SHA256 has_any (FileHash2))\\n| extend DvcId = DeviceId\\n| join kind=leftouter (SecurityAlert\\n| where ProviderName =~ \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| mv-expand todynamic(Entities)\\n| extend DvcId = tostring(parse_json(Entities).MdatpDeviceId)\\n| where isnotempty(DvcId)\\n// Higher risk score are for Defender alerts related to threat actor\\n| extend AlertRiskScore = iif(ThreatName has_any (\\\"Backdoor:MSIL/ShellClient.A\\\", \\\"Backdoor:MSIL/ShellClient.A!dll\\\", \\\"Trojan:MSIL/Mimikatz.BA!MTB\\\"), 1.0, 0.5)\\n| project DvcId, AlertRiskScore) on DvcId\\n| extend AlertRiskScore = iif(isempty(AlertRiskScore), 0.0, AlertRiskScore)\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName, AccountCustomEntity = AccountName\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"FileName\"}]}],\"tactics\":[\"CredentialAccess\",\"Execution\"],\"displayName\":\"Dev-0228 File Path Hashes November 2021\",\"description\":\"This hunting query looks for file paths/hashes related to observed activity by Dev-0228. The actor is known to use custom version of popular tool like PsExec, Procdump etc. to carry its activity.\\n The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2021-11-18T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftDefenderAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert (MDATP)\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2f561e20-d97b-4b13-b02d-18b34af6e87c\",\"name\":\"2f561e20-d97b-4b13-b02d-18b34af6e87c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\nlet cmdList = dynamic([\\\"Set-CASMailbox\\\",\\\"ActiveSyncAllowedDeviceIDs\\\",\\\"add\\\"]);\\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where EventID == 4688\\n| where CommandLine has_all (cmdList)\\n| project Type, TimeGenerated, Computer, Account, SubjectDomainName, SubjectUserName, Process, ParentProcessName, CommandLine\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n( WindowsEvent\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where EventID == 4688\\n| where EventData has_all (cmdList)\\n| extend CommandLine = tostring(EventData.CommandLine) \\n| where CommandLine has_all (cmdList)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| project Type, TimeGenerated, Computer, Account, SubjectDomainName, SubjectUserName, Process, ParentProcessName, CommandLine\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(\\nDeviceProcessEvents\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where InitiatingProcessCommandLine has_all (cmdList)\\n| project Type, TimeGenerated, DeviceName, AccountName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessParentFileName, InitiatingProcessCommandLine\\n| extend timestamp = TimeGenerated, AccountCustomEntity = AccountName, HostCustomEntity = DeviceName\\n),\\n(\\nEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key=tostring([\u0027@Name\u0027]), Value=[\u0027#text\u0027]\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where CommandLine has_all (cmdList)\\n| extend Type = strcat(Type, \\\": \\\", Source)\\n| project Type, TimeGenerated, Computer, User, Process, ParentImage, CommandLine\\n| extend timestamp = TimeGenerated, AccountCustomEntity = User, HostCustomEntity = Computer\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Email access via active sync\",\"description\":\"This query detects attempts to add attacker devices as allowed IDs for active sync using the Set-CASMailbox command.\\nThis technique was seen in relation to Solorigate attack but the results can indicate potential malicious activity used in different attacks.\\n- Note that this query can be changed to use the KQL \\\"has_all\\\" operator, which hasn\u0027t yet been documented officially, but will be soon.\\n In short, \\\"has_all\\\" will only match when the referenced field has all strings in the list.\\n- Refer to Set-CASMailbox syntax: https://learn.microsoft.com/powershell/module/exchange/set-casmailbox?view=exchange-ps \",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-02-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2c55fe7a-b06f-4029-a5b9-c54a2320d7b8\",\"name\":\"2c55fe7a-b06f-4029-a5b9-c54a2320d7b8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet TotalEventsThreshold = 5;\\nlet ExeList = dynamic([\\\"powershell.exe\\\",\\\"cmd.exe\\\",\\\"wmic.exe\\\",\\\"psexec.exe\\\",\\\"cacls.exe\\\",\\\"rundll.exe\\\"]);\\nlet TimeSeriesData =\\nSecurityEvent\\n| where EventID == 4688 | extend Process = tolower(Process)\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where Process in (ExeList)\\n| project TimeGenerated, Computer, AccountType, Account, Process\\n| make-series Total=count() on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by Process;\\nlet TimeSeriesAlerts = materialize(TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(Total, 1.5, -1, \u0027linefit\u0027)\\n| mv-expand Total to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to typeof(double), baseline to typeof(long)\\n| where anomalies \u003e 0\\n| project Process, TimeGenerated, Total, baseline, anomalies, score\\n| where Total \u003e TotalEventsThreshold);\\nlet AnomalyHours = materialize(TimeSeriesAlerts | where TimeGenerated \u003e ago(2d) | project TimeGenerated);\\nTimeSeriesAlerts\\n| where TimeGenerated \u003e ago(2d)\\n| join (\\nSecurityEvent\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n| where EventID == 4688 | extend Process = tolower(Process)\\n| summarize CommandlineCount = count() by bin(TimeGenerated, 1h), Process, CommandLine, Computer, Account\\n) on Process, TimeGenerated\\n| project AnomalyHour = TimeGenerated, Computer, Account, Process, CommandLine, CommandlineCount, Total, baseline, anomalies, score\\n| extend timestamp = AnomalyHour, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"Process execution frequency anomaly\",\"description\":\"Identifies anomalous spike in frequency of executions of sensitive processes which are often leveraged as attack vectors.\\nThe query leverages KQL built-in anomaly detection algorithms to find large deviations from baseline patterns.\\nSudden increases in execution frequency of sensitive processes should be further investigated for malicious activity.\\nTune the values from 1.5 to 3 in series_decompose_anomalies for further outliers or based on custom threshold values for score.\",\"lastUpdatedDateUTC\":\"2022-03-07T00:00:00Z\",\"createdDateUTC\":\"2019-05-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/694c91ee-d606-4ba9-928e-405a2dd0ff0f\",\"name\":\"694c91ee-d606-4ba9-928e-405a2dd0ff0f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.6\",\"severity\":\"High\",\"query\":\"let queryperiod = 14d;\\nlet queryfrequency = 2h;\\nlet security_info_actions = dynamic([\\\"User registered security info\\\", \\\"User changed default security info\\\", \\\"User deleted security info\\\", \\\"Admin updated security info\\\", \\\"User reviewed security info\\\", \\\"Admin deleted security info\\\", \\\"Admin registered security info\\\"]);\\nlet VIPUsers = (\\n IdentityInfo\\n | where TimeGenerated \u003e ago(queryperiod)\\n | mv-expand AssignedRoles\\n | where AssignedRoles matches regex \u0027Admin\u0027\\n | summarize by tolower(AccountUPN));\\nAuditLogs\\n| where TimeGenerated \u003e ago(queryfrequency)\\n| where Category =~ \\\"UserManagement\\\"\\n| where ActivityDisplayName in (security_info_actions)\\n| extend Initiator = tostring(InitiatedBy.user.userPrincipalName)\\n| extend IP = tostring(InitiatedBy.user.ipAddress)\\n| extend Target = tolower(tostring(TargetResources[0].userPrincipalName))\\n| where Target in (VIPUsers)\\n// Uncomment the line below if you are experiencing high volumes of Target entities. If this is uncommented, the Target column will not be mapped to an entity.\\n//| summarize Start=min(TimeGenerated), End=max(TimeGenerated), Actions = make_set(ResultReason, MaxSize=8), Targets=make_set(Target, MaxSize=256) by Initiator, IP, Result\\n// Comment out this line below, if line above is used.\\n| summarize Start=min(TimeGenerated), End=max(TimeGenerated), Actions = make_set(ResultReason, MaxSize=8) by Initiator, IP, Result, Targets = Target\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Targets\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Initiator\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IP\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Authentication Methods Changed for Privileged Account\",\"description\":\"Identifies authentication methods being changed for a privileged account. This could be an indication of an attacker adding an auth method to the account so they can have continued access.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6267ce44-1e9d-471b-9f1e-ae76a6b7aa84\",\"name\":\"6267ce44-1e9d-471b-9f1e-ae76a6b7aa84\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"SecurityAlert\\n| where AlertName =~ \\\"mass download by a single user\\\"\\n| extend Extprop = parse_json(ExtendedProperties)\\n| extend Computer = iff(isnotempty(toupper(tostring(Extprop[\\\"Compromised Host\\\"]))), toupper(tostring(Extprop[\\\"Compromised Host\\\"])), tostring(parse_json(Entities)[0].HostName))\\n| extend Account = iff(isnotempty(tolower(tostring(Extprop[\\\"User Name\\\"]))), tolower(tostring(Extprop[\\\"User Name\\\"])), tolower(tostring(Extprop[\\\"user name\\\"])))\\n| extend IpAddress = tostring(parse_json(ExtendedProperties).[\\\"IpAddress\\\"]) \\n| project timestamp=TimeGenerated, AlertName, Computer, Account, IpAddress, ExtendedProperties\\n| join kind=inner\\n( \\nDeviceEvents\\n| where ActionType == \\\"PnpDeviceConnected\\\"\\n| extend parsed = parse_json(AdditionalFields)\\n| project DeviceId, DriveClass = tostring(parsed.ClassName), UsbDeviceId = tostring(parsed.DeviceId), ClassId = tostring(parsed.DeviceId), DeviceDescription = tostring(parsed.DeviceDescription), VendorIds = tostring(parsed.VendorIds), AccountDomain,AccountName,TimeGenerated, ActionType, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, Type\\n| where DriveClass == \u0027USB\u0027 and DeviceDescription == \u0027USB Mass Storage Device\u0027\\n) on $left.Account == $right.AccountName\\n| join kind=inner \\n(\\nDeviceFileEvents\\n| where FolderPath !startswith \\\"c\\\" and FolderPath !startswith @\\\"\\\\\\\"\\n) on DeviceId\\n| project TimeGenerated, ActionType, Computer, FileName, FileSize, IpAddress, InitiatingProcessCommandLine, InitiatingProcessFileName, Account\\n| extend timestamp = TimeGenerated, CompromisedEntity = Computer, AccountCustomEntity=Account, ProcessCustomEntity = InitiatingProcessFileName, IPCustomEntity=IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CompromisedEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"Mass Download \u0026 copy to USB device by single user\",\"description\":\"This query looks for any mass download by a single user with possible file copy activity to a new USB drive. Malicious insiders may perform such activities that may cause harm to the organization. \\nThis query could also reveal unintentional insider that had no intention of malicious activity but their actions may impact an organizations security posture.\\nReference:https://docs.microsoft.com/defender-cloud-apps/policy-template-reference\",\"lastUpdatedDateUTC\":\"2022-05-04T00:00:00Z\",\"createdDateUTC\":\"2022-04-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftCloudAppSecurity\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceEvents\",\"DeviceFileEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3edb7215-250b-40c0-8b46-79093949242d\",\"name\":\"3edb7215-250b-40c0-8b46-79093949242d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let threshold = 10;\\nQualysHostDetectionV2_CL\\n| where Severity_s == \\\"5\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by NetBios_s, IPAddress\\n| where count_ \u003e= threshold\\n| extend timestamp = StartTime, HostCustomEntity = NetBios_s, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"High Number of Urgent Vulnerabilities Detected\",\"description\":\"This Creates an incident when a host has a high number of Urgent, severity 5, vulnerabilities detected.\",\"lastUpdatedDateUTC\":\"2021-12-08T00:00:00Z\",\"createdDateUTC\":\"2020-06-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"QualysVulnerabilityManagement\",\"dataTypes\":[\"QualysHostDetection_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/492fbe35-cbac-4a8c-9059-826782e6915a\",\"name\":\"492fbe35-cbac-4a8c-9059-826782e6915a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"AuditLogs\\n | where Category =~ \\\"ApplicationManagement\\\"\\n | where OperationName has_any (\\\"Update Application\\\", \\\"Update Service principal\\\")\\n | extend appName = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n | extend UPN = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend UpdatedBy = iif(isnotempty(appName), appName, UPN)\\n | extend mod_props = TargetResources[0].modifiedProperties\\n | extend AppName = tostring(TargetResources[0].displayName)\\n | mv-expand mod_props\\n | extend Action = tostring(mod_props.displayName)\\n | where Action contains \\\"Url\\\"\\n | extend OldURL = tostring(mod_props.oldValue)\\n | extend NewURL = tostring(mod_props.newValue)\\n | project-reorder TimeGenerated, OperationName, Action, AppName, OldURL, NewURL, UpdatedBy\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UpdatedBy\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"OldURL\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"NewURL\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Changes to Application Logout URL\",\"description\":\"Detects changes to an applications sign out URL.\\n Look for any modifications to a sign out URL. Blank entries or entries to non-existent locations would stop a user from terminating a session.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-applications#logout-url-modified-or-removed\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2441bce9-02e4-407b-8cc7-7d597f38b8b0\",\"name\":\"2441bce9-02e4-407b-8cc7-7d597f38b8b0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n AzureActivity | where TimeGenerated \u003e= ago(dt_lookBack)\\n // renaming time column so it is clear the log this came from\\n | extend AzureActivity_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.CallerIpAddress\\n| where AzureActivity_TimeGenerated \u003c ExpirationDateTime\\n| summarize AzureActivity_TimeGenerated = arg_max(AzureActivity_TimeGenerated, *) by IndicatorId, CallerIpAddress\\n| project AzureActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, CallerIpAddress, \\nCaller, OperationNameValue, ActivityStatusValue, CategoryValue, ResourceId, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = AzureActivity_TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceId\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to AzureActivity\",\"description\":\"Identifies a match in AzureActivity from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3174a9ec-d0ad-4152-8307-94ed04fa450a\",\"name\":\"3174a9ec-d0ad-4152-8307-94ed04fa450a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let SHA256Hash = \\\"1174fd03271f80f5e2a6435c72bdd0272a6e3a37049f6190abf125b216a83471\\\" ;\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where isnotempty(FileHash)\\n| where FileHash in (SHA256Hash) \\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updataing\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Hashes = EventDetail.[16].[\\\"#text\\\"]\\n| parse Hashes with * \u0027SHA256=\u0027 SHA265 \u0027,\u0027 * \\n| where isnotempty(Hashes)\\n| where Hashes in (SHA256Hash) \\n| extend Account = UserName\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"CredentialAccess\"],\"displayName\":\"Known ZINC related maldoc hash\",\"description\":\"Document hash used by ZINC in highly targeted spear phishing campaign.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-10-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d25b1998-a592-4bc5-8a3a-92b39eedb1bc\",\"name\":\"d25b1998-a592-4bc5-8a3a-92b39eedb1bc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"AWSCloudTrail\\n| where EventName =~ \\\"ConsoleLogin\\\" \\n| extend MFAUsed = tostring(parse_json(AdditionalEventData).MFAUsed), LoginResult = tostring(parse_json(ResponseElements).ConsoleLogin)\\n| where MFAUsed !~ \\\"Yes\\\" and LoginResult !~ \\\"Failure\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, LoginResult, MFAUsed, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, \\nUserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\",\"PrivilegeEscalation\",\"Persistence\",\"InitialAccess\"],\"displayName\":\"Login to AWS Management Console without MFA\",\"description\":\"Multi-Factor Authentication (MFA) helps you to prevent credential compromise. This alert identifies logins to the AWS Management Console without MFA.\\nYou can limit this detection to trigger for adminsitrative accounts if you do not have MFA enabled on all accounts.\\nThis is done by looking at the eventName ConsoleLogin and if the AdditionalEventData field indicates MFA was NOT used \\nand the ResponseElements field indicates NOT a Failure. Thereby indicating that a non-MFA login was successful.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0ed0fe7c-af29-4990-af7f-bb5ccb231198\",\"name\":\"0ed0fe7c-af29-4990-af7f-bb5ccb231198\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"AuditLogs\\n | where Category =~ \\\"RoleManagement\\\"\\n | where OperationName =~ \\\"Update role setting in PIM\\\"\\n | extend userPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend ipAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n | project-reorder TimeGenerated, OperationName, ResultReason, userPrincipalName, ipAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"userPrincipalName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ipAddress\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Changes to PIM Settings\",\"description\":\"PIM provides a key mechanism for assigning privileges to accounts, this query detects changes to PIM role settings.\\n Monitor these changes to ensure they are being made legitimately and don\u0027t confer more privileges than expected or reduce the security of a PIM elevation.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c805d9b1-97e7-4bc0-9172-67edb36273e4\",\"name\":\"c805d9b1-97e7-4bc0-9172-67edb36273e4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Microsoft 365 Insider Risk Management\",\"displayName\":\"(Private Preview) Create incidents based on Microsoft 365 Insider Risk Management\",\"description\":\"Create incidents based on all alerts generated in Microsoft 365 Insider Risk Management\",\"lastUpdatedDateUTC\":\"2021-05-13T00:00:00Z\",\"createdDateUTC\":\"2021-05-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"OfficeIRM\",\"dataTypes\":[\"SecurityAlert (OfficeIRM)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/09551db0-e147-4a0c-9e7b-918f88847605\",\"name\":\"09551db0-e147-4a0c-9e7b-918f88847605\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.6.2\",\"severity\":\"High\",\"query\":\"let tokens = dynamic([\\\"SSL_HandShaking\\\", \\\"ASN2_TYPE_new\\\", \\\"sql_blob_open\\\", \\\"cmsSetLogHandlerTHR\\\", \\\"ntSystemInfo\\\", \\\"SetWebFilterString\\\", \\\"CleanupBrokerString\\\", \\\"glInitSampler\\\", \\\"deflateSuffix\\\", \\\"ntWindowsProc\\\"]);\\nlet DomainNames = dynamic([\u0027codevexillium.org\u0027, \u0027angeldonationblog.com\u0027, \u0027investbooking.de\u0027, \u0027krakenfolio.com\u0027]);\\nlet SHA256Hash = dynamic([\u002758a74dceb2022cd8a358b92acd1b48a5e01c524c3b0195d7033e4bd55eff4495\u0027,\u0027e0e59bfc22876c170af65dcbf19f744ae560cc43b720b23b9d248f4505c02f3e\u0027,\u00273d3195697521973efe0097a320cbce0f0f98d29d50e044f4505e1fbc043e8cf9\u0027, \u00270a2d81164d524be7022ba8fd4e1e8e01bfd65407148569d172e2171b5cd76cd4\u0027, \u002796d7a93f6691303d39a9cc270b8814151dfec5683e12094537fd580afdf2e5fe\u0027,\u0027dc4cf164635db06b2a0b62d313dbd186350bca6fc88438617411a68df13ec83c\u0027, \u002746efd5179e43c9cbf07dcec22ce0d5527e2402655aee3afc016e5c260650284a\u0027, \u002795e42a94d4df1e7e472998f43b9879eb34aaa93f3705d7d3ef9e3b97349d7008\u0027, \u00279d5320e883264a80ea214077f44b1d4b22155446ad5083f4b27d2ab5bd127ef5\u0027, \u00279fd05063ad203581a126232ac68027ca731290d17bd43b5d3311e8153c893fe3\u0027, \u0027ada7e80c9d09f3efb39b729af238fcdf375383caaf0e9e0aed303931dc73b720\u0027, \u0027edb1597789c7ed784b85367a36440bf05267ac786efe5a4044ec23e490864cee\u0027, \u002733665ce1157ddb7cd7e905e3356b39245dfba17b7a658bdbf02b6968656b9998\u0027, \u00273ab770458577eb72bd6239fe97c35e7eb8816bce5a4b47da7bd0382622854f7c\u0027, \u0027b630ad8ffa11003693ce8431d2f1c6b8b126cd32b657a4bfa9c0dbe70b007d6c\u0027, \u002753f3e55c1217dafb8801af7087e7d68b605e2b6dde6368fceea14496c8a9f3e5\u0027, \u002799c95b5272c5b11093eed3ef2272e304b7a9311a22ff78caeb91632211fcb777\u0027, \u0027f21abadef52b4dbd01ad330efb28ef50f8205f57916a26daf5de02249c0f24ef\u0027, \u00272cbdea62e26d06080d114bbd922d6368807d7c6b950b1421d0aa030eca7e85da\u0027, \u0027079659fac6bd9a1ce28384e7e3a465be4380acade3b4a4a4f0e67fd0260e9447\u0027]);\\nlet SigNames = dynamic([\\\"Backdoor:Script/ComebackerCompile.A!dha\\\", \\\"Trojan:Win64/Comebacker.A!dha\\\", \\\"Trojan:Win64/Comebacker.A.gen!dha\\\", \\\"Trojan:Win64/Comebacker.B.gen!dha\\\", \\\"Trojan:Win32/Comebacker.C.gen!dha\\\", \\\"Trojan:Win32/Klackring.A!dha\\\", \\\"Trojan:Win32/Klackring.B!dha\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where isnotempty(FileHash)\\n| where FileHash in~ (SHA256Hash) or DNSName in~ (DomainNames)\\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n| project Type, TimeGenerated, Computer, Account, IPAddress, FileHash, DNSName\\n),\\n(_Im_Dns(domain_has_any=DomainNames)\\n| extend DNSName = DnsQuery\\n| extend Type = \\\"imDns\\\", IPAddress = SrcIpAddr, Computer=Dvc\\n| project Type, TimeGenerated, Computer, IPAddress, DNSName\\n),\\n(VMConnection\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where isnotempty(DNSName)\\n| where DNSName in~ (DomainNames)\\n| extend IPAddress = RemoteIp\\n| project Type, TimeGenerated, Computer, IPAddress, DNSName\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updataing\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Hashes = EventDetail.[16].[\\\"#text\\\"]\\n| where isnotempty(Hashes)\\n| parse Hashes with * \u0027SHA256=\u0027 SHA256 \u0027,\u0027 * \\n| where SHA256 in~ (SHA256Hash) \\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = Hashes\\n| project Type, TimeGenerated, Computer, Account, FileHash\\n),\\n(DeviceFileEvents\\n| where SHA256 in~ (SHA256Hash)\\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = SHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(imFileEvent\\n| where TargetFileSHA256 in~ (SHA256Hash)\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(DeviceNetworkEvents\\n| where RemoteUrl in~ (DomainNames)\\n| extend Computer = DeviceName, IPAddress = LocalIP, Account = InitiatingProcessAccountName\\n| project Type, TimeGenerated, Computer, Account, IPAddress, RemoteUrl\\n),\\n(SecurityAlert\\n| where ProductName == \\\"Microsoft Defender Advanced Threat Protection\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| where isnotempty(ThreatName)\\n| where ThreatName has_any (SigNames)\\n| extend Computer = tostring(parse_json(Entities)[0].HostName) \\n| project Type, TimeGenerated, Computer\\n),\\n(DeviceProcessEvents\\n| where FileName =~ \\\"powershell.exe\\\" or FileName =~ \\\"rundll32.exe\\\"\\n| where (ProcessCommandLine has \\\"is64bitoperatingsystem\\\" and ProcessCommandLine has \\\"Debug\\\\\\\\Browse\\\") or (ProcessCommandLine has_any (tokens))\\n| extend Computer = DeviceName, Account = AccountName, CommandLine = ProcessCommandLine\\n| project Type, TimeGenerated, Computer, Account, CommandLine, FileName\\n),\\n(SecurityEvent\\n| where EventID == 4688\\n| where ProcessName has_any (\\\"powershell.exe\\\", \\\"rundll32.exe\\\")\\n| where (CommandLine has \\\"is64bitoperatingsystem\\\" and CommandLine has \\\"Debug\\\\\\\\Browse\\\") or (CommandLine has_any (tokens))\\n| project Type, TimeGenerated, Computer, Account, ProcessName, CommandLine \\n),\\n( WindowsEvent\\n| where EventID == 4688\\n| where EventData has_any (\\\"powershell.exe\\\", \\\"rundll32.exe\\\") and EventData has_any (tokens, \\\"Debug\\\\\\\\Browse\\\",\\\"is64bitoperatingsystem\\\" ) \\n| extend ProcessName = tostring(EventData.ProcessName)\\n| where ProcessName has_any (\\\"powershell.exe\\\", \\\"rundll32.exe\\\")\\n| extend CommandLine = tostring(EventData.CommandLine) \\n| where (CommandLine has \\\"is64bitoperatingsystem\\\" and CommandLine has \\\"Debug\\\\\\\\Browse\\\") or (CommandLine has_any (tokens))\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| project Type, TimeGenerated, Computer, Account, ProcessName, CommandLine \\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPAddress = SourceHost\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"Execution\"],\"displayName\":\"Known ZINC Comebacker and Klackring malware hashes\",\"description\":\"ZINC attacks against security researcher campaign malware hashes.\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2021-01-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4ce177b3-56b1-4f0e-b83e-27eed4cb0b16\",\"name\":\"4ce177b3-56b1-4f0e-b83e-27eed4cb0b16\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let lookback = 14d;\\nlet timeframe = 1d;\\n// exclude allowed users from query such as the ADO service\\nlet allowed_users = dynamic([\\\"Azure DevOps Service\\\"]);\\nunion\\n// Look for agents being added to a pool of a OS type not seen with that pool before\\n(AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(lookback) and TimeGenerated \u003c ago(timeframe)\\n| where OperationName =~ \\\"Library.AgentAdded\\\"\\n| where ActorUPN !in (allowed_users)\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n| extend OsDescription = tostring(Data.OsDescription)\\n| where isnotempty(OsDescription)\\n| extend OsDescription = tostring(split(OsDescription, \\\"#\\\", 0)[0])\\n| project AgentPoolName, OsDescription\\n| join kind=rightanti (AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeframe)\\n| where OperationName == \\\"Library.AgentAdded\\\"\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n| extend OsDescription = tostring(Data.OsDescription)\\n| where isnotempty(OsDescription)\\n| extend OsDescription = tostring(split(OsDescription, \\\"#\\\", 0)[0])) on AgentPoolName, OsDescription),\\n// Look for users addeing agents to a pool that they have not added agents to before.\\n(AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(lookback) and TimeGenerated \u003c ago(timeframe)\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n| where ActorUPN !in (allowed_users)\\n| project AgentPoolName, ActorUPN\\n| join kind=rightanti (AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeframe)\\n| where OperationName == \\\"Library.AgentAdded\\\"\\n| where ActorUPN !in (allowed_users)\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n) on AgentPoolName, ActorUPN)\\n| extend AgentName = tostring(Data.AgentName)\\n| extend OsDescription = tostring(Data.OsDescription)\\n| extend SystemDetails = Data.SystemCapabilities\\n| project-reorder TimeGenerated, OperationName, ScopeDisplayName, AgentPoolName, AgentName, ActorUPN, IpAddress, UserAgent, OsDescription, SystemDetails, Data\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"New Agent Added to Pool by New User or Added to a New OS Type.\",\"description\":\"As seen in attacks such as SolarWinds attackers can look to subvert a build process by controlling build servers. Azure DevOps uses agent pools to execute pipeline tasks. \\nAn attacker could insert compromised agents that they control into the pools in order to execute malicious code. This query looks for users adding agents to pools they have \\nnot added agents to before, or adding agents to a pool of an OS that has not been added to that pool before. This detection has potential for false positives so has a \\nconfigurable allow list to allow for certain users to be excluded from the logic.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/05b4bccd-dd12-423d-8de4-5a6fb526bb4f\",\"name\":\"05b4bccd-dd12-423d-8de4-5a6fb526bb4f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"let known_processes = (\\n SecurityEvent\\n // If adjusting Query Period or Frequency update these\\n | where TimeGenerated between(ago(14d)..ago(1d))\\n | where EventID == 4688\\n | where NewProcessName has_any (\\\"Policies\\\\\\\\{6AC1786C-016F-11D2-945F-00C04fB984F9}\\\", \\\"Policies\\\\\\\\{31B2F340-016D-11D2-945F-00C04FB984F9}\\\")\\n | summarize by Process);\\n SecurityEvent\\n // If adjusting Query Period or Frequency update these\\n | where TimeGenerated \u003e ago(1d)\\n | where EventID == 4688\\n | where NewProcessName has_any (\\\"Policies\\\\\\\\{6AC1786C-016F-11D2-945F-00C04fB984F9}\\\", \\\"Policies\\\\\\\\{31B2F340-016D-11D2-945F-00C04FB984F9}\\\")\\n | where Process !in (known_processes)\\n // This will likely apply to multiple hosts so summarize these data\\n | summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated) by Process, NewProcessName, CommandLine, Computer\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"Execution\",\"LateralMovement\"],\"displayName\":\"New EXE deployed via Default Domain or Default Domain Controller Policies\",\"description\":\"This detection highlights executables deployed to hosts via either the Default Domain or Default Domain Controller Policies. These policies apply to all hosts or Domain Controllers and best practice is that these policies should not be used for deployment of files.\\nA threat actor may use these policies to deploy files or scripts to all hosts in a domain.\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-02-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c61ad0ac-ad68-4ebb-b41a-74296d3e0044\",\"name\":\"c61ad0ac-ad68-4ebb-b41a-74296d3e0044\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"Event\\n| where EventLog == \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID in (13)\\n| parse EventData with * \u0027TargetObject\\\"\u003e\u0027 TargetObject \\\"\u003c\\\" * \u0027Details\\\"\u003e\u0027 Details \\\"\u003c\\\" * \\n| where TargetObject has (\\\"\\\\\\\\Control\\\\\\\\Session Manager\\\\\\\\AppCertDLLs\\\\\\\\\\\")\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventID, Computer, TargetObject, Details\",\"entityMappings\":[{\"entityType\":\"RegistryKey\",\"fieldMappings\":[{\"identifier\":\"Key\",\"columnName\":\"TargetObject\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Registry Persistence via AppCert DLL Modification\",\"description\":\"Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppCert DLLs loaded into processes. \\nDynamic-link libraries (DLLs) that are specified in the AppCertDLLs Registry key under HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Control\\\\Session Manager\\\\ are loaded into every process that calls the ubiquitously used application programming interface (API) functions CreateProcess, CreateProcessAsUser, CreateProcessWithLoginW, CreateProcessWithTokenW, or WinExec.\\nRef: https://attack.mitre.org/techniques/T1546/009/\",\"lastUpdatedDateUTC\":\"2022-03-11T00:00:00Z\",\"createdDateUTC\":\"2022-03-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8ee967a2-a645-4832-85f4-72b635bcb3a6\",\"name\":\"8ee967a2-a645-4832-85f4-72b635bcb3a6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"//Adjust this threshold to fit the environment\\nlet signin_threshold = 5;\\n//Make a list of all IPs with failed signins to AAD above our threshold\\nlet aadFunc = (tableName:string){\\nlet suspicious_signins =\\ntable(tableName)\\n| where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n| where IPAddress !in (\u0027127.0.0.1\u0027, \u0027::1\u0027)\\n| summarize count() by IPAddress\\n| where count_ \u003e signin_threshold\\n| summarize make_set(IPAddress);\\n//See if any of these IPs have sucessfully logged into *nix hosts\\nlet linux_logons =\\nSyslog\\n| where Facility contains \\\"auth\\\" and ProcessName != \\\"sudo\\\"\\n| where SyslogMessage has \\\"Accepted\\\"\\n| extend SourceIP = extract(\\\"(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.(([0-9]{1,3})))\\\",1,SyslogMessage)\\n| where SourceIP in (suspicious_signins)\\n| extend Reason = \\\"Multiple failed AAD logins from IP address\\\"\\n| project TimeGenerated, Computer, HostIP, IpAddress = SourceIP, SyslogMessage, Facility, ProcessName, Reason;\\n//See if any of these IPs have sucessfully logged into Windows hosts\\nlet win_logons = (union isfuzzy=true\\n(SecurityEvent\\n| where EventID == 4624\\n| where LogonType in (10, 7, 3)\\n| where IpAddress != \\\"-\\\"\\n| where IpAddress in (suspicious_signins)\\n| extend Reason = \\\"Multiple failed AAD logins from IP address\\\"\\n| project TimeGenerated, Account, AccountType, Computer, Activity, EventID, LogonProcessName, IpAddress, LogonTypeName, TargetUserSid, Reason\\n),\\n(WindowsEvent\\n| where EventID == 4624 and has_any_ipv4(EventData, toscalar(suspicious_signins))\\n| extend LogonType = tostring(EventData.LogonType)\\n| where LogonType in (10, 7, 3)\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| where IpAddress != \\\"-\\\"\\n| where IpAddress in (suspicious_signins)\\n| extend Reason = \\\"Multiple failed AAD logins from IP address\\\"\\n| extend Activity = \\\"4624 - An account was successfully logged on.\\\"\\n| extend Account = strcat(tostring(EventData.TargetDomainName),\\\"\\\\\\\\\\\", tostring(EventData.TargetUserName))\\n| extend TargetUserSid = tostring(EventData.TargetUserSid)\\n| extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| extend AccountType =case(Account endswith \\\"$\\\" or TargetUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(TargetUserSid), \\\"\\\", \\\"User\\\")\\n| extend LogonProcessName = tostring(EventData.LogonProcessName)\\n| project TimeGenerated, Account, AccountType, Computer, Activity, EventID, LogonProcessName, IpAddress, TargetUserSid, Reason\\n)\\n);\\nunion isfuzzy=true linux_logons,win_logons\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, IPCustomEntity = IpAddress, HostCustomEntity = Computer\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"Failed AzureAD logons but success logon to host\",\"description\":\"Identifies a list of IP addresses with a minimum number (default of 5) of failed logon attempts to Azure Active Directory.\\nUses that list to identify any successful remote logons to hosts from these IPs within the same timeframe.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2019-08-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/46ac55ae-47b8-414a-8f94-89ccd1962178\",\"name\":\"46ac55ae-47b8-414a-8f94-89ccd1962178\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"let queryperiod = 1d;\\nlet mode = \u0027Blocked\u0027;\\nlet successCode = dynamic([\u0027200\u0027, \u0027101\u0027,\u0027204\u0027, \u0027400\u0027,\u0027504\u0027,\u0027304\u0027,\u0027401\u0027,\u0027500\u0027]);\\nlet sessionBin = 30m;\\nAzureDiagnostics\\n| where TimeGenerated \u003e ago(queryperiod)\\n| where Category == \u0027ApplicationGatewayFirewallLog\u0027 and action_s == mode\\n| sort by hostname_s asc, clientIp_s asc, TimeGenerated asc\\n| extend SessionBlockedStarted = row_window_session(TimeGenerated, queryperiod, 10m, ((clientIp_s != prev(clientIp_s)) or (hostname_s != prev(hostname_s))))\\n| summarize SessionBlockedEnded = max(TimeGenerated), SessionBlockedCount = count() by hostname_s, clientIp_s, SessionBlockedStarted\\n| extend TimeKey = range(bin(SessionBlockedStarted, sessionBin), bin(SessionBlockedEnded, sessionBin), sessionBin)\\n| mv-expand TimeKey to typeof(datetime)\\n| join kind = inner(\\n AzureDiagnostics\\n | where TimeGenerated \u003e ago(queryperiod)\\n | where Category == \u0027ApplicationGatewayAccessLog\u0027 and (isempty(httpStatus_d) or httpStatus_d in (successCode))\\n | extend TimeKey = bin(TimeGenerated, sessionBin)\\n) on TimeKey, $left.hostname_s == $right.host_s, $left.clientIp_s == $right.clientIP_s\\n| where TimeGenerated between (SessionBlockedStarted..SessionBlockedEnded)\\n| extend\\n originalRequestUriWithArgs_s = column_ifexists(\\\"originalRequestUriWithArgs_s\\\", \\\"\\\"),\\n serverStatus_s = column_ifexists(\\\"serverStatus_s\\\", \\\"\\\")\\n| summarize\\n SuccessfulAccessCount = count(),\\n UserAgents = make_set(userAgent_s, 250),\\n RequestURIs = make_set(requestUri_s, 250),\\n OriginalRequestURIs = make_set(originalRequestUriWithArgs_s, 250),\\n SuccessCodes = make_set(httpStatus_d, 250),\\n SuccessCodes_BackendServer = make_set(serverStatus_s, 250),\\n take_any(SessionBlockedEnded, SessionBlockedCount)\\n by hostname_s, clientIp_s, SessionBlockedStarted\\n| where SessionBlockedCount \u003e SuccessfulAccessCount\\n| extend timestamp = SessionBlockedStarted, IPCustomEntity = clientIp_s\\n| extend BlockvsSuccessRatio = SessionBlockedCount/toreal(SuccessfulAccessCount)\\n| sort by BlockvsSuccessRatio desc, timestamp asc\\n| project-reorder SessionBlockedStarted, SessionBlockedEnded, hostname_s, clientIp_s, SessionBlockedCount, SuccessfulAccessCount, BlockvsSuccessRatio, SuccessCodes, RequestURIs, OriginalRequestURIs, UserAgents\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"A potentially malicious web request was executed against a web server\",\"description\":\"Detects unobstructed Web Application Firewall (WAF) activity in sessions where the WAF blocked incoming requests by computing the \\nratio between blocked requests and unobstructed WAF requests in these sessions (BlockvsSuccessRatio metric). A high ratio value for \\na given client IP and hostname calls for further investigation of the WAF data in that session, due to the significantly high number \\nof blocked requests and a few unobstructed logs which may be malicious but have passed undetected through the WAF. The successCode \\nvariable defines what the detection thinks is a successful status code, and should be altered to fit the environment.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2020-11-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"WAF\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4d173248-439b-4741-8b37-f63ad0c896ae\",\"name\":\"4d173248-439b-4741-8b37-f63ad0c896ae\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Low\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ChiaCryptoIOC.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet process = (iocs | where Type =~ \\\"process\\\" | project IoC);\\n//This query uses sysmon data, sections that have - | where Source == \\\"Microsoft-Windows-Sysmon\\\" - may need to be updated with latest\\nWindowsEvent\\n| where EventID == \u00274688\u0027 and EventData has_any (process)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| where NewProcessName has_any (process)\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n , Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n , NewProcessId = tostring(EventData.NewProcessId)\\n| extend timestamp = TimeGenerated, Computer, Account, File = tostring(split(NewProcessName, \u0027\\\\\\\\\u0027, -1)[-1]), AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend FilePath = replace_string(NewProcessName, File, \u0027\u0027)\\n| project TimeGenerated, timestamp, File, AlertDetail, FilePath,Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"FileCustomEntity\"},{\"identifier\":\"Directory\",\"columnName\":\"FilePathCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashAlgo\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Chia_Crypto_Mining - Domain, Process, Hash and IP IOCs - June 2021\",\"description\":\"Identifies a match across various data feeds for domains, process, hashes and IP IOC related to Chia cryptocurrency farming/plotting activity.\",\"lastUpdatedDateUTC\":\"2022-05-19T00:00:00Z\",\"createdDateUTC\":\"2022-02-21T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7b907bf7-77d4-41d0-a208-5643ff75bf9a\",\"name\":\"7b907bf7-77d4-41d0-a208-5643ff75bf9a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let Keywords = dynamic([\\\"helpdesk\\\", \\\" alert\\\", \\\" suspicious\\\", \\\"fake\\\", \\\"malicious\\\", \\\"phishing\\\", \\\"spam\\\", \\\"do not click\\\", \\\"do not open\\\", \\\"hijacked\\\", \\\"Fatal\\\"]);\\nOfficeActivity\\n| where Operation =~ \\\"New-InboxRule\\\"\\n| where Parameters has \\\"Deleted Items\\\" or Parameters has \\\"Junk Email\\\" or Parameters has \\\"DeleteMessage\\\"\\n| extend Events=todynamic(Parameters)\\n| parse Events with * \\\"SubjectContainsWords\\\" SubjectContainsWords \u0027}\u0027*\\n| parse Events with * \\\"BodyContainsWords\\\" BodyContainsWords \u0027}\u0027*\\n| parse Events with * \\\"SubjectOrBodyContainsWords\\\" SubjectOrBodyContainsWords \u0027}\u0027*\\n| where SubjectContainsWords has_any (Keywords)\\n or BodyContainsWords has_any (Keywords)\\n or SubjectOrBodyContainsWords has_any (Keywords)\\n| extend ClientIPAddress = case( ClientIP has \\\".\\\", tostring(split(ClientIP,\\\":\\\")[0]), ClientIP has \\\"[\\\", tostring(trim_start(@\u0027[[]\u0027,tostring(split(ClientIP,\\\"]\\\")[0]))), ClientIP )\\n| extend Keyword = iff(isnotempty(SubjectContainsWords), SubjectContainsWords, (iff(isnotempty(BodyContainsWords),BodyContainsWords,SubjectOrBodyContainsWords )))\\n| extend RuleDetail = case(OfficeObjectId contains \u0027/\u0027 , tostring(split(OfficeObjectId, \u0027/\u0027)[-1]) , tostring(split(OfficeObjectId, \u0027\\\\\\\\\u0027)[-1]))\\n| summarize count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by Operation, UserId, ClientIPAddress, ResultStatus, Keyword, OriginatingServer, OfficeObjectId, RuleDetail\\n| extend timestamp = StartTimeUtc, IPCustomEntity = ClientIPAddress, AccountCustomEntity = UserId , HostCustomEntity = OriginatingServer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"DefenseEvasion\"],\"displayName\":\"Malicious Inbox Rule\",\"description\":\"Often times after the initial compromise the attackers create inbox rules to delete emails that contain certain keywords. \\n This is done so as to limit ability to warn compromised users that they\u0027ve been compromised. Below is a sample query that tries to detect this.\\nReference: https://www.reddit.com/r/sysadmin/comments/7kyp0a/recent_phishing_attempts_my_experience_and_what/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-03-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ef88eb96-861c-43a0-ab16-f3835a97c928\",\"name\":\"ef88eb96-861c-43a0-ab16-f3835a97c928\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT12H\",\"queryPeriod\":\"PT12H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let regexEmpire = @\\\"SetDelay|GetDelay|Set-LostLimit|Get-LostLimit|Set-Killdate|Get-Killdate|Set-WorkingHours|Get-WorkingHours|Get-Sysinfo|Add-Servers|Invoke-ShellCommand|Start-AgentJob|Update-Profile|Get-FilePart|Encrypt-Bytes|Decrypt-Bytes|Encode-Packet|Decode-Packet|Send-Message|Process-Packet|Process-Tasking|Get-Task|Start-Negotiate|Invoke-DllInjection|Invoke-ReflectivePEInjection|Invoke-Shellcode|Invoke-ShellcodeMSIL|Get-ChromeDump|Get-ClipboardContents|Get-IndexedItem|Get-Keystrokes|Invoke-Inveigh|Invoke-NetRipper|local:Invoke-PatchDll|Invoke-NinjaCopy|Get-Win32Types|Get-Win32Constants|Get-Win32Functions|Sub-SignedIntAsUnsigned|Add-SignedIntAsUnsigned|Compare-Val1GreaterThanVal2AsUInt|Convert-UIntToInt|Test-MemoryRangeValid|Write-BytesToMemory|Get-DelegateType|Get-ProcAddress|Enable-SeDebugPrivilege|Invoke-CreateRemoteThread|Get-ImageNtHeaders|Get-PEBasicInfo|Get-PEDetailedInfo|Import-DllInRemoteProcess|Get-RemoteProcAddress|Copy-Sections|Update-MemoryAddresses|Import-DllImports|Get-VirtualProtectValue|Update-MemoryProtectionFlags|Update-ExeFunctions|Copy-ArrayOfMemAddresses|Get-MemoryProcAddress|Invoke-MemoryLoadLibrary|Invoke-MemoryFreeLibrary|Out-Minidump|Get-VaultCredential|Invoke-DCSync|Translate-Name|Get-NetDomain|Get-NetForest|Get-NetForestDomain|Get-DomainSearcher|Get-NetComputer|Get-NetGroupMember|Get-NetUser|Invoke-Mimikatz|Invoke-PowerDump|Invoke-TokenManipulation|Exploit-JMXConsole|Exploit-JBoss|Invoke-Thunderstruck|Invoke-VoiceTroll|Set-WallPaper|Invoke-PsExec|Invoke-SSHCommand|Invoke-PSInject|Invoke-RunAs|Invoke-SendMail|Invoke-Rule|Get-OSVersion|Select-EmailItem|View-Email|Get-OutlookFolder|Get-EmailItems|Invoke-MailSearch|Get-SubFolders|Get-GlobalAddressList|Invoke-SearchGAL|Get-SMTPAddress|Disable-SecuritySettings|Reset-SecuritySettings|Get-OutlookInstance|New-HoneyHash|Set-MacAttribute|Invoke-PatchDll|Get-SecurityPackages|Install-SSP|Invoke-BackdoorLNK|New-ElevatedPersistenceOption|New-UserPersistenceOption|Add-Persistence|Invoke-CallbackIEX|Add-PSFirewallRules|Invoke-EventLoop|Invoke-PortBind|Invoke-DNSLoop|Invoke-PacketKnock|Invoke-CallbackLoop|Invoke-BypassUAC|Get-DecryptedCpassword|Get-GPPInnerFields|Invoke-WScriptBypassUAC|Get-ModifiableFile|Get-ServiceUnquoted|Get-ServiceFilePermission|Get-ServicePermission|Invoke-ServiceUserAdd|Invoke-ServiceCMD|Write-UserAddServiceBinary|Write-CMDServiceBinary|Write-ServiceEXE|Write-ServiceEXECMD|Restore-ServiceEXE|Invoke-ServiceStart|Invoke-ServiceStop|Invoke-ServiceEnable|Invoke-ServiceDisable|Get-ServiceDetail|Find-DLLHijack|Find-PathHijack|Write-HijackDll|Get-RegAlwaysInstallElevated|Get-RegAutoLogon|Get-VulnAutoRun|Get-VulnSchTask|Get-UnattendedInstallFile|Get-Webconfig|Get-ApplicationHost|Write-UserAddMSI|Invoke-AllChecks|Invoke-ThreadedFunction|Test-Login|Get-UserAgent|Test-Password|Get-ComputerDetails|Find-4648Logons|Find-4624Logons|Find-AppLockerLogs|Find-PSScriptsInPSAppLog|Find-RDPClientConnections|Get-SystemDNSServer|Invoke-Paranoia|Invoke-WinEnum{|Get-SPN|Invoke-ARPScan|Invoke-Portscan|Invoke-ReverseDNSLookup|Invoke-SMBScanner|New-InMemoryModule|Add-Win32Type|Export-PowerViewCSV|Get-MacAttribute|Copy-ClonedFile|Get-IPAddress|Convert-NameToSid|Convert-SidToName|Convert-NT4toCanonical|Get-Proxy|Get-PathAcl|Get-NameField|Convert-LDAPProperty|Get-NetDomainController|Add-NetUser|Add-NetGroupUser|Get-UserProperty|Find-UserField|Get-UserEvent|Get-ObjectAcl|Add-ObjectAcl|Invoke-ACLScanner|Get-GUIDMap|Get-ADObject|Set-ADObject|Get-ComputerProperty|Find-ComputerField|Get-NetOU|Get-NetSite|Get-NetSubnet|Get-DomainSID|Get-NetGroup|Get-NetFileServer|SplitPath|Get-DFSshare|Get-DFSshareV1|Get-DFSshareV2|Get-GptTmpl|Get-GroupsXML|Get-NetGPO|Get-NetGPOGroup|Find-GPOLocation|Find-GPOComputerAdmin|Get-DomainPolicy|Get-NetLocalGroup|Get-NetShare|Get-NetLoggedon|Get-NetSession|Get-NetRDPSession|Invoke-CheckLocalAdminAccess|Get-LastLoggedOn|Get-NetProcess|Find-InterestingFile|Invoke-CheckWrite|Invoke-UserHunter|Invoke-StealthUserHunter|Invoke-ProcessHunter|Invoke-EventHunter|Invoke-ShareFinder|Invoke-FileFinder|Find-LocalAdminAccess|Get-ExploitableSystem|Invoke-EnumerateLocalAdmin|Get-NetDomainTrust|Get-NetForestTrust|Find-ForeignUser|Find-ForeignGroup|Invoke-MapDomainTrust|Get-Hex|Create-RemoteThread|Get-FoxDump|Decrypt-CipherText|Get-Screenshot|Start-HTTP-Server|Local:Invoke-CreateRemoteThread|Local:Get-Win32Functions|Local:Inject-NetRipper|GetCommandLine|ElevatePrivs|Get-RegKeyClass|Get-BootKey|Get-HBootKey|Get-UserName|Get-UserHashes|DecryptHashes|DecryptSingleHash|Get-UserKeys|DumpHashes|Enable-SeAssignPrimaryTokenPrivilege|Enable-Privilege|Set-DesktopACLs|Set-DesktopACLToAllowEveryone|Get-PrimaryToken|Get-ThreadToken|Get-TokenInformation|Get-UniqueTokens|Find-GPOLocation|Find-GPOComputerAdmin|Get-DomainPolicy|Get-NetLocalGroup|Get-NetShare|Get-NetLoggedon|Get-NetSession|Get-NetRDPSession|Invoke-CheckLocalAdminAccess|Get-LastLoggedOn|Get-NetProcess|Find-InterestingFile|Invoke-CheckWrite|Invoke-UserHunter|Invoke-StealthUserHunter|Invoke-ProcessHunter|Invoke-EventHunter|Invoke-ShareFinder|Invoke-FileFinder|Find-LocalAdminAccess|Get-ExploitableSystem|Invoke-EnumerateLocalAdmin|Get-NetDomainTrust|Get-NetForestTrust|Find-ForeignUser|Find-ForeignGroup|Invoke-MapDomainTrust|Get-Hex|Create-RemoteThread|Get-FoxDump|Decrypt-CipherText|Get-Screenshot|Start-HTTP-Server|Local:Invoke-CreateRemoteThread|Local:Get-Win32Functions|Local:Inject-NetRipper|GetCommandLine|ElevatePrivs|Get-RegKeyClass|Get-BootKey|Get-HBootKey|Get-UserName|Get-UserHashes|DecryptHashes|DecryptSingleHash|Get-UserKeys|DumpHashes|Enable-SeAssignPrimaryTokenPrivilege|Enable-Privilege|Set-DesktopACLs|Set-DesktopACLToAllowEveryone|Get-PrimaryToken|Get-ThreadToken|Get-TokenInformation|Get-UniqueTokens|Invoke-ImpersonateUser|Create-ProcessWithToken|Free-AllTokens|Enum-AllTokens|Invoke-RevertToSelf|Set-Speaker\\\\(\\\\$Volume\\\\){\\\\$wshShell|Local:Get-RandomString|Local:Invoke-PsExecCmd|Get-GPPPassword|Local:Inject-BypassStuff|Local:Invoke-CopyFile\\\\(\\\\$sSource,|ind-Fruit|New-IPv4Range|New-IPv4RangeFromCIDR|Parse-Hosts|Parse-ILHosts|Exclude-Hosts|Get-TopPort|Parse-Ports|Parse-IpPorts|Remove-Ports|Write-PortscanOut|Convert-SwitchtoBool|Get-ForeignUser|Get-ForeignGroup\\\";\\n(union isfuzzy=true\\n (SecurityEvent\\n| where EventID == 4688\\n//consider filtering on filename if perf issues occur\\n//where FileName in~ (\\\"powershell.exe\\\",\\\"powershell_ise.exe\\\",\\\"pwsh.exe\\\")\\n| where not(ParentProcessName has_any (\u0027gc_worker.exe\u0027, \u0027gc_service.exe\u0027))\\n| where CommandLine has \\\"-encodedCommand\\\"\\n| parse kind=regex flags=i CommandLine with * \\\"-EncodedCommand \\\" encodedCommand\\n| extend encodedCommand = iff(encodedCommand has \\\" \\\", tostring(split(encodedCommand, \\\" \\\")[0]), encodedCommand)\\n// Note: currently the base64_decode_tostring function is limited to supporting UTF8\\n| extend decodedCommand = translate(\u0027\\\\0\u0027,\u0027\u0027, base64_decode_tostring(substring(encodedCommand, 0, strlen(encodedCommand) - (strlen(encodedCommand) %8)))), encodedCommand, CommandLine , strlen(encodedCommand)\\n| extend EfectiveCommand = iff(isnotempty(encodedCommand), decodedCommand, CommandLine)\\n| where EfectiveCommand matches regex regexEmpire\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, FileName = Process, EfectiveCommand, decodedCommand, encodedCommand, CommandLine, ParentProcessName\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(WindowsEvent\\n| where EventID == 4688 \\n| where EventData has_any (\\\"-encodedCommand\\\", \\\"powershell.exe\\\",\\\"powershell_ise.exe\\\",\\\"pwsh.exe\\\")\\n| where not(EventData has_any (\u0027gc_worker.exe\u0027, \u0027gc_service.exe\u0027))\\n//consider filtering on filename if perf issues occur\\n//extend NewProcessName = tostring(EventData.NewProcessName)\\n//extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n//FileName = Process\\n//where FileName in~ (\\\"powershell.exe\\\",\\\"powershell_ise.exe\\\",\\\"pwsh.exe\\\")\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| where not(ParentProcessName has_any (\u0027gc_worker.exe\u0027, \u0027gc_service.exe\u0027))\\n| extend CommandLine = tostring(EventData.CommandLine)\\n| where CommandLine has \\\"-encodedCommand\\\"\\n| parse kind=regex flags=i CommandLine with * \\\"-EncodedCommand \\\" encodedCommand\\n| extend encodedCommand = iff(encodedCommand has \\\" \\\", tostring(split(encodedCommand, \\\" \\\")[0]), encodedCommand)\\n// Note: currently the base64_decode_tostring function is limited to supporting UTF8\\n| extend decodedCommand = translate(\u0027\\\\0\u0027,\u0027\u0027, base64_decode_tostring(substring(encodedCommand, 0, strlen(encodedCommand) - (strlen(encodedCommand) %8)))), encodedCommand, CommandLine , strlen(encodedCommand)\\n| extend EfectiveCommand = iff(isnotempty(encodedCommand), decodedCommand, CommandLine)\\n| where EfectiveCommand matches regex regexEmpire\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, FileName = Process, EfectiveCommand, decodedCommand, encodedCommand, CommandLine, ParentProcessName\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n))\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Execution\",\"Persistence\"],\"displayName\":\"Powershell Empire cmdlets seen in command line\",\"description\":\"Identifies instances of PowerShell Empire cmdlets in powershell process command line data.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2019-01-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cda5928c-2c1e-4575-9dfa-07568bc27a4f\",\"name\":\"cda5928c-2c1e-4575-9dfa-07568bc27a4f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let lookback = 7d; \\nlet timeframe = 1h; \\nlet GlobalAdminsRemoved = AuditLogs \\n| where TimeGenerated \u003e ago(timeframe) \\n| where Category =~ \\\"RoleManagement\\\" \\n| where AADOperationType in (\\\"Unassign\\\", \\\"RemoveEligibleRole\\\") \\n| where ActivityDisplayName has_any (\\\"Remove member from role\\\", \\\"Remove eligible member from role\\\") \\n| mv-expand TargetResources \\n| mv-expand TargetResources.modifiedProperties \\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName) \\n| where displayName_ =~ \\\"Role.DisplayName\\\" \\n| extend RoleName = tostring(parse_json(tostring(TargetResources_modifiedProperties.oldValue))) \\n| where RoleName == \\\"Global Administrator\\\" // Add other Privileged role if applicable \\n| extend InitiatingApp = tostring(parse_json(tostring(InitiatedBy.app)).displayName) \\n| extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)) \\n| where Initiator != \\\"MS-PIM\\\" // Filtering PIM events \\n| extend Target = tostring(TargetResources.userPrincipalName) \\n| summarize RemovedGlobalAdminTime = max(TimeGenerated), TargetAdmins = make_set(Target) by OperationName, RoleName, Initiator, Result; \\nlet GlobalAdminsAdded = AuditLogs \\n| where TimeGenerated \u003e ago(lookback) \\n| where Category =~ \\\"RoleManagement\\\" \\n| where AADOperationType in (\\\"Assign\\\", \\\"AssignEligibleRole\\\") \\n| where ActivityDisplayName has_any (\\\"Add eligible member to role\\\", \\\"Add member to role\\\") and Result == \\\"success\\\" \\n| mv-expand TargetResources \\n| mv-expand TargetResources.modifiedProperties \\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName) \\n| where displayName_ =~ \\\"Role.DisplayName\\\" \\n| extend RoleName = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue))) \\n| where RoleName == \\\"Global Administrator\\\" // Add other Privileged role if applicable \\n| extend InitiatingApp = tostring(parse_json(tostring(InitiatedBy.app)).displayName) \\n| extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)) \\n| where Initiator != \\\"MS-PIM\\\" // Filtering PIM events \\n| extend Target = tostring(TargetResources.userPrincipalName) \\n| summarize AddedGlobalAdminTime = max(TimeGenerated) by OperationName, RoleName, Target, Initiator, Result \\n| extend AccountCustomEntity = Target; \\nGlobalAdminsAdded \\n| join kind= inner GlobalAdminsRemoved on $left.Target == $right.Initiator \\n| where AddedGlobalAdminTime \u003c RemovedGlobalAdminTime \\n| extend NoofAdminsRemoved = array_length(TargetAdmins) \\n| where NoofAdminsRemoved \u003e 1\\n| project AddedGlobalAdminTime, Initiator, Target, AccountCustomEntity, RemovedGlobalAdminTime, TargetAdmins, NoofAdminsRemoved\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Multiple admin membership removals from newly created admin.\",\"description\":\"This query detects when newly created Global admin removes multiple existing global admins which can be an attempt by adversaries to lock down organization and retain sole access. \\n Investigate reasoning and intention of multiple membership removal by new Global admins and take necessary actions accordingly.\",\"lastUpdatedDateUTC\":\"2022-03-24T00:00:00Z\",\"createdDateUTC\":\"2022-03-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/be52662c-3b23-435a-a6fa-f39bdfc849e6\",\"name\":\"be52662c-3b23-435a-a6fa-f39bdfc849e6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let threshold = 10;\\nQualysHostDetection_CL\\n| mv-expand todynamic(Detections_s)\\n| where Detections_s.Severity == \\\"5\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by NetBios_s, IPAddress\\n| where count_ \u003e= threshold\\n| extend timestamp = StartTime, HostCustomEntity = NetBios_s, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"High Number of Urgent Vulnerabilities Detected\",\"description\":\"This Creates an incident when a host has a high number of Urgent, severity 5, vulnerabilities detected.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"QualysVulnerabilityManagement\",\"dataTypes\":[\"QualysHostDetection_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/45b903c5-6f56-4969-af10-ae62ac709718\",\"name\":\"45b903c5-6f56-4969-af10-ae62ac709718\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4624 and LogonType == 10\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), ConnectionCount = count()\\nby Account = tolower(Account), Computer = toupper(Computer), IpAddress, AccountType, Activity, LogonTypeName, ProcessName\\n// use left anti to exclude anything from the previous 14 days that is not rare\\n),\\n(WindowsEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4624 and EventData has (\\\"10\\\")\\n| extend LogonType = tostring(EventData.LogonType)\\n| where LogonType == 10 \\n| extend Account = strcat(tostring(EventData.TargetDomainName),\\\"\\\\\\\\\\\", tostring(EventData.TargetUserName))\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| extend TargetUserSid = tostring(EventData.TargetUserSid)\\n| extend AccountType=case(Account endswith \\\"$\\\" or TargetUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(TargetUserSid), \\\"\\\", \\\"User\\\")\\n| extend Activity=\\\"4624 - An account was successfully logged on.\\\"\\n| extend LogonTypeName=\\\"10 - RemoteInteractive\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), ConnectionCount = count()\\nby Account = tolower(Account), Computer = toupper(Computer), IpAddress, AccountType, Activity, LogonTypeName, ProcessName\\n))\\n| join kind=leftanti (\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated between (ago(starttime) .. ago(endtime))\\n| where EventID == 4624\\n| summarize by Computer = toupper(Computer), IpAddress, Account = tolower(Account)\\n),\\n( WindowsEvent\\n| where TimeGenerated between (ago(starttime) .. ago(endtime))\\n| where EventID == 4624\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| extend Account = strcat(tostring(EventData.TargetDomainName),\\\"\\\\\\\\\\\", tostring(EventData.TargetUserName))\\n| summarize by Computer = toupper(Computer), IpAddress, Account = tolower(Account)\\n))\\n) on Account, Computer\\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), ConnectionCount = sum(ConnectionCount)\\nby Account, Computer, IpAddress, AccountType, Activity, LogonTypeName, ProcessName\\n| extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"LateralMovement\"],\"displayName\":\"Rare RDP Connections\",\"description\":\"Identifies when an RDP connection is new or rare related to any logon type by a given account today based on comparison with the previous 14 days.\\nRDP connections are indicated by the EventID 4624 with LogonType = 10\",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2020-01-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a1080fc1-13d1-479b-8340-255f0290d96c\",\"name\":\"a1080fc1-13d1-479b-8340-255f0290d96c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n | where Category =~ \\\"ApplicationManagement\\\"\\n | where Result =~ \\\"success\\\"\\n | where OperationName =~ \u0027Update Application\u0027\\n | mv-expand TargetResources\\n | mv-expand TargetResources.modifiedProperties\\n | where TargetResources_modifiedProperties.displayName =~ \\\"AppAddress\\\"\\n | extend Key = tostring(TargetResources_modifiedProperties.displayName)\\n | extend NewValue = TargetResources_modifiedProperties.newValue\\n | extend OldValue = TargetResources_modifiedProperties.oldValue\\n | where isnotempty(Key) and isnotempty(NewValue)\\n | project-reorder Key, NewValue, OldValue\\n | extend NewUrls = extract_all(\u0027\\\"Address\\\":([^,]*)\u0027, tostring(NewValue))\\n | extend OldUrls = extract_all(\u0027\\\"Address\\\":([^,]*)\u0027, tostring(OldValue))\\n | extend AddedUrls = set_difference(NewUrls, OldUrls)\\n | where array_length(AddedUrls) \u003e 0\\n | extend UserAgent = iif(tostring(AdditionalDetails[0].key) == \\\"User-Agent\\\", tostring(AdditionalDetails[0].value), \\\"\\\")\\n | extend AddingUser = iif(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)) , tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), \\\"\\\")\\n | extend AddingApp = iif(isnotempty(tostring(parse_json(tostring(InitiatedBy.app)).servicePrincipalName)) , tostring(parse_json(tostring(InitiatedBy.app)).servicePrincipalName), \\\"\\\")\\n | extend AddedBy = iif(isnotempty(AddingUser), AddingUser, AddingApp)\\n | project-away AddingApp, AddingUser\\n | extend AppDisplayName = tostring(TargetResources.displayName)\\n | extend ipAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n | project-reorder TimeGenerated, AppDisplayName, AddedUrls, AddedBy, UserAgent, ipAddress\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"AddedUrls\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddedBy\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ipAddress\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Application Redirect URL Update\",\"description\":\"Detects the redirect URL of an app being changed.\\n Applications associated with URLs not controlled by the organization can pose a security risk.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-applications#application-configuration-changes\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e42e889a-caaf-4dbb-aec6-371b37d64298\",\"name\":\"e42e889a-caaf-4dbb-aec6-371b37d64298\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n| where OperationName has_any (\\\"Add service principal\\\", \\\"Certificates and secrets management\\\")\\n| where Result =~ \\\"success\\\"\\n| mv-expand target = TargetResources\\n| where tostring(InitiatedBy.user.userPrincipalName) has \\\"@\\\" or tostring(InitiatedBy.app.displayName) has \\\"@\\\"\\n| extend targetDisplayName = tostring(TargetResources[0].displayName)\\n| extend targetId = tostring(TargetResources[0].id)\\n| extend targetType = tostring(TargetResources[0].type)\\n| extend keyEvents = TargetResources[0].modifiedProperties\\n| mv-expand keyEvents\\n| where keyEvents.displayName =~ \\\"KeyDescription\\\"\\n| extend new_value_set = parse_json(tostring(keyEvents.newValue))\\n| extend old_value_set = parse_json(tostring(keyEvents.oldValue))\\n| where old_value_set != \\\"[]\\\"\\n| extend diff = set_difference(new_value_set, old_value_set)\\n| where isnotempty(diff)\\n| parse diff with * \\\"KeyIdentifier=\\\" keyIdentifier:string \\\",KeyType=\\\" keyType:string \\\",KeyUsage=\\\" keyUsage:string \\\",DisplayName=\\\" keyDisplayName:string \\\"]\\\" *\\n| where keyUsage == \\\"Verify\\\" or keyUsage == \\\"\\\"\\n| extend UserAgent = iff(AdditionalDetails[0].key == \\\"User-Agent\\\",tostring(AdditionalDetails[0].value),\\\"\\\")\\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n// The below line is currently commented out but Microsoft Sentinel users can modify this query to show only Application or only Service Principal events in their environment\\n//| where targetType =~ \\\"Application\\\" // or targetType =~ \\\"ServicePrincipal\\\"\\n| project-away diff, new_value_set, old_value_set\\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, InitiatingIpAddress, UserAgent, targetDisplayName, targetId, targetType, keyDisplayName, keyType, keyUsage, keyIdentifier, CorrelationId, TenantId\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserOrApp\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIpAddress\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"NRT New access credential added to Application or Service Principal\",\"description\":\"This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where a verify KeyCredential was already present for the app.\\nIf a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2022-02-07T00:00:00Z\",\"createdDateUTC\":\"2020-11-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b79f6190-d104-4691-b7db-823e05980895\",\"name\":\"b79f6190-d104-4691-b7db-823e05980895\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let Keywords = dynamic([\\\"helpdesk\\\", \\\" alert\\\", \\\" suspicious\\\", \\\"fake\\\", \\\"malicious\\\", \\\"phishing\\\", \\\"spam\\\", \\\"do not click\\\", \\\"do not open\\\", \\\"hijacked\\\", \\\"Fatal\\\"]);\\nOfficeActivity\\n| where OfficeWorkload =~ \\\"Exchange\\\"\\n| where Parameters has \\\"Deleted Items\\\" or Parameters has \\\"Junk Email\\\" or Parameters has \\\"DeleteMessage\\\"\\n| extend Events=todynamic(Parameters)\\n| parse Events with * \\\"SubjectContainsWords\\\" SubjectContainsWords \u0027}\u0027*\\n| parse Events with * \\\"BodyContainsWords\\\" BodyContainsWords \u0027}\u0027*\\n| parse Events with * \\\"SubjectOrBodyContainsWords\\\" SubjectOrBodyContainsWords \u0027}\u0027*\\n| where SubjectContainsWords has_any (Keywords)\\n or BodyContainsWords has_any (Keywords)\\n or SubjectOrBodyContainsWords has_any (Keywords)\\n| extend ClientIPAddress = case( ClientIP has \\\".\\\", tostring(split(ClientIP,\\\":\\\")[0]), ClientIP has \\\"[\\\", tostring(trim_start(@\u0027[[]\u0027,tostring(split(ClientIP,\\\"]\\\")[0]))), ClientIP )\\n| extend Keyword = iff(isnotempty(SubjectContainsWords), SubjectContainsWords, (iff(isnotempty(BodyContainsWords),BodyContainsWords,SubjectOrBodyContainsWords )))\\n| extend RuleDetail = case(OfficeObjectId contains \u0027/\u0027 , tostring(split(OfficeObjectId, \u0027/\u0027)[-1]) , tostring(split(OfficeObjectId, \u0027\\\\\\\\\u0027)[-1]))\\n| summarize count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by UserId, ClientIPAddress, ResultStatus, Keyword, OriginatingServer, OfficeObjectId, RuleDetail\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserId\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"OriginatingServer\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIPAddress\"}]}],\"tactics\":[\"Persistence\",\"DefenseEvasion\"],\"displayName\":\"NRT Malicious Inbox Rule\",\"description\":\"Often times after the initial compromise the attackers create inbox rules to delete emails that contain certain keywords.\\n This is done so as to limit ability to warn compromised users that they\u0027ve been compromised. Below is a sample query that tries to detect this.\\nReference: https://www.reddit.com/r/sysadmin/comments/7kyp0a/recent_phishing_attempts_my_experience_and_what/\",\"lastUpdatedDateUTC\":\"2022-03-07T00:00:00Z\",\"createdDateUTC\":\"2020-03-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9fb2ee72-959f-4c2b-bc38-483affc539e4\",\"name\":\"9fb2ee72-959f-4c2b-bc38-483affc539e4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n | where Category == \\\"ApplicationManagement\\\"\\n | where OperationName has_any (\\\"Update Application\\\", \\\"Update Service principal\\\")\\n | extend appName = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n | extend UPN = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend UpdatedBy = iif(isnotempty(appName), appName, UPN)\\n | extend mod_props = TargetResources[0].modifiedProperties\\n | extend AppName = tostring(TargetResources[0].displayName)\\n | mv-expand mod_props\\n | where mod_props.displayName has \\\"AppIdentifierUri\\\"\\n | extend OldURI = tostring(mod_props.oldValue)\\n | extend NewURI = tostring(mod_props.newValue)\\n | project-reorder TimeGenerated, OperationName, AppName, OldURI, NewURI, UpdatedBy\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UpdatedBy\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"NewURI\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Application ID URI Changed\",\"description\":\"Detects changes to an Application ID URI.\\n Monitor these changes to make sure that they were authorized.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-applications#appid-uri-added-modified-or-removed\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/faf1a6ff-53b5-4f92-8c55-4b20e9957594\",\"name\":\"faf1a6ff-53b5-4f92-8c55-4b20e9957594\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"SecurityEvent\\n// Look for specific Directory Service Changes and parse data\\n| where EventID == 5136\\n| extend EventData = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion = array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value),TimeGenerated, EventID, Computer, Account, AccountType, EventSourceName, Activity, SubjectAccount)\\n// Where changes relate to Exchange OAB\\n| extend ObjectClass = column_ifexists(\\\"ObjectClass\\\", \\\"\\\")\\n| where ObjectClass =~ \\\"msExchOABVirtualDirectory\\\"\\n// Look for InternalHostName or ExternalHostName properties being changed\\n| extend AttributeLDAPDisplayName = column_ifexists(\\\"AttributeLDAPDisplayName\\\", \\\"\\\")\\n| where AttributeLDAPDisplayName in (\\\"msExchExternalHostName\\\", \\\"msExchInternalHostName\\\")\\n// Look for suspected webshell activity\\n| extend AttributeValue = column_ifexists(\\\"AttributeValue\\\", \\\"\\\")\\n| where AttributeValue has \\\"script\\\"\\n| project-rename LastSeen = TimeGenerated\\n| extend ObjectDN = column_ifexists(\\\"ObjectDN\\\", \\\"\\\")\\n| project-reorder LastSeen, Computer, Account, ObjectDN, AttributeLDAPDisplayName, AttributeValue\\n| extend timestamp = LastSeen, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Exchange OAB Virtual Directory Attribute Containing Potential Webshell\",\"description\":\"This query uses Windows Event ID 5136 in order to detect potential webshell deployment by exploitation of CVE-2021-27065.\\nThis query looks for changes to the InternalHostName or ExternalHostName properties of Exchange OAB Virtual Directory objects in AD Directory Services\\nwhere the new objects contain potential webshell objects. Ref: https://aka.ms/ExchangeVulns\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b3cfc7c0-092c-481c-a55b-34a3979758cb\",\"name\":\"b3cfc7c0-092c-481c-a55b-34a3979758cb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Microsoft Cloud App Security\",\"displayName\":\"Create incidents based on Microsoft Cloud App Security alerts\",\"description\":\"Create incidents based on all alerts generated in Microsoft Defender for Cloud Apps\",\"lastUpdatedDateUTC\":\"2019-07-16T00:00:00Z\",\"createdDateUTC\":\"2019-07-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftCloudAppSecurity\",\"dataTypes\":[\"SecurityAlert (MCAS)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/eb68b129-5f17-4f56-bf6d-dde48d5e615a\",\"name\":\"eb68b129-5f17-4f56-bf6d-dde48d5e615a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let lbtime = 10m;\\nProofpointPOD\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027inbound\u0027\\n| where FilterDisposition !in (\u0027reject\u0027, \u0027discard\u0027)\\n| extend attachedMimeType = todynamic(MsgParts)[0][\u0027detectedMime\u0027]\\n| where attachedMimeType == \u0027application/zip\u0027\\n| project SrcUserUpn, DstUserUpn\\n| extend AccountCustomEntity = DstUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"ProofpointPOD - Binary file in attachment\",\"description\":\"Detects when email received with binary file as attachment.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c0e84221-f240-4dd7-ab1e-37e034ea2a4e\",\"name\":\"c0e84221-f240-4dd7-ab1e-37e034ea2a4e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"union isfuzzy=true\\n(DeviceFileEvents\\n| where FolderPath endswith \\\"vmware-vmdmp.log\\\"\\n| extend HostCustomEntity = DeviceName, timestamp=TimeGenerated),\\n(WindowsEvent\\n| where EventID == 4663 and EventData has \\\"vmware-vmdmp.log\\\"\\n| extend ObjectName = tostring(EventData.ObjectName) \\n| where ObjectName endswith \\\"vmware-vmdmp.log\\\"\\n| extend HostCustomEntity = Computer, timestamp=TimeGenerated),\\n(SecurityEvent\\n| where EventID == 4663\\n| where ObjectName endswith \\\"vmware-vmdmp.log\\\"\\n| extend HostCustomEntity = Computer, timestamp=TimeGenerated),\\n(imFileEvent\\n| where TargetFileName endswith \\\"vmware-vmdmp.log\\\"\\n| extend HostCustomEntity = DvcHostname, timestamp=TimeGenerated\\n)\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"SUNSPOT log file creation\",\"description\":\"This query uses Microsoft Defender for Endpoint data and Windows Event Logs to look for IoCs associated with the SUNSPOT malware shared by Crowdstrike.\\nMore details: \\n - https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/ \\n - https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-your-software-build-process-with-azure-sentinel/ba-p/2140807\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5b6ae038-f66e-4f74-9315-df52fd492be4\",\"name\":\"5b6ae038-f66e-4f74-9315-df52fd492be4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Low\",\"query\":\"imProcess\\n | where CommandLine has_all (\\\"accepteula\\\", \\\"-s\\\", \\\"-r\\\", \\\"-q\\\")\\n | where Process !endswith \\\"sdelete.exe\\\"\\n | where CommandLine !has \\\"sdelete\\\"\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DvcHostname\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DvcIpAddr\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ActorUsername\"}]}],\"tactics\":[\"DefenseEvasion\",\"Impact\"],\"displayName\":\"Potential re-named sdelete usage (ASIM Version)\",\"description\":\"This detection looks for command line parameters associated with the use of Sysinternals sdelete (https://docs.microsoft.com/sysinternals/downloads/sdelete) to delete multiple files on a host\u0027s C drive.\\nA threat actor may re-name the tool to avoid detection and then use it for destructive attacks on a host.\\nThis detection uses the ASIM imProcess parser, this will need to be deployed before use - https://docs.microsoft.com/azure/sentinel/normalization\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-02-25T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8c8de3fa-6425-4623-9cd9-45de1dd0569a\",\"name\":\"8c8de3fa-6425-4623-9cd9-45de1dd0569a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let lookBack = 14d;\\nlet timeframe = 1d;\\nlet user_agents_list = Cisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(lookBack) and TimeGenerated \u003c ago(timeframe)\\n| summarize count() by HttpUserAgentOriginal\\n| summarize make_list(HttpUserAgentOriginal);\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(timeframe)\\n| where HttpUserAgentOriginal !in (user_agents_list)\\n| extend Message = \\\"Rare User Agent\\\"\\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated, HttpUserAgentOriginal\\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - Rare User Agent Detected\",\"description\":\"Rule helps to detect a rare user-agents indicating web browsing activity by an unusual process other than a web browser.\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/02ef8d7e-fc3a-4d86-a457-650fa571d8d2\",\"name\":\"02ef8d7e-fc3a-4d86-a457-650fa571d8d2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let logonDiff = 10m;\\nlet aadFunc = (tableName:string){\\ntable(tableName) \\n| where ResultType == \\\"0\\\" \\n| where AppDisplayName !in (\\\"Office 365 Exchange Online\\\", \\\"Skype for Business Online\\\")\\n| project SuccessLogonTime = TimeGenerated, UserPrincipalName, SuccessIPAddress = IPAddress, AppDisplayName, SuccessIPBlock = strcat(split(IPAddress, \\\".\\\")[0], \\\".\\\", split(IPAddress, \\\".\\\")[1]), Type\\n| join kind= inner (\\n table(tableName)\\n | where ResultType !in (\\\"0\\\", \\\"50140\\\") \\n | where ResultDescription !~ \\\"Other\\\" \\n | where AppDisplayName !in (\\\"Office 365 Exchange Online\\\", \\\"Skype for Business Online\\\")\\n | project FailedLogonTime = TimeGenerated, UserPrincipalName, FailedIPAddress = IPAddress, AppDisplayName, ResultType, ResultDescription, Type\\n) on UserPrincipalName, AppDisplayName \\n| where SuccessLogonTime \u003c FailedLogonTime and FailedLogonTime - SuccessLogonTime \u003c= logonDiff and FailedIPAddress !startswith SuccessIPBlock\\n| summarize FailedLogonTime = max(FailedLogonTime), SuccessLogonTime = max(SuccessLogonTime) by UserPrincipalName, SuccessIPAddress, AppDisplayName, FailedIPAddress, ResultType, ResultDescription, Type\\n| extend timestamp = SuccessLogonTime\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SuccessIPAddress\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"FailedIPAddress\"}]}],\"tactics\":[\"CredentialAccess\",\"InitialAccess\"],\"displayName\":\"Successful logon from IP and failure from a different IP\",\"description\":\"Identifies when a user account successfully logs onto an Azure App from one IP and within 10 mins failed to logon to the same App via a different IP.\\nThis may indicate a malicious attempt at password guessing based on knowledge of the users account.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9736e5f1-7b6e-4bfb-a708-e53ff1d182c3\",\"name\":\"9736e5f1-7b6e-4bfb-a708-e53ff1d182c3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":1,\"version\":\"1.1.0\",\"severity\":\"Low\",\"query\":\"let tokens = dynamic([\\\"416\\\",\\\"208\\\",\\\"128\\\",\\\"120\\\",\\\"96\\\",\\\"80\\\",\\\"72\\\",\\\"64\\\",\\\"48\\\",\\\"44\\\",\\\"40\\\",\\\"g5\\\",\\\"gs5\\\",\\\"g4\\\",\\\"gs4\\\",\\\"nc12\\\",\\\"nc24\\\",\\\"nv12\\\"]);\\nlet operationList = dynamic([\\\"microsoft.compute/virtualmachines/write\\\", \\\"microsoft.resources/deployments/write\\\"]);\\nAzureActivity\\n| where tolower(OperationNameValue) in (operationList)\\n| where ActivityStatusValue == \\\"Accepted\\\" \\n| where isnotempty(Properties)\\n| extend vmSize = tolower(tostring(parse_json(tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).responseBody)).properties)).hardwareProfile)).vmSize))\\n| where isnotempty(vmSize)\\n| where vmSize has_any (tokens) \\n| extend ComputerName = tostring(parse_json(tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).responseBody)).properties)).osProfile)).computerName)\\n| extend clientIpAddress = tostring(parse_json(HTTPRequest).clientIpAddress)\\n| project TimeGenerated, OperationNameValue, ActivityStatusValue, Caller, CallerIpAddress, ComputerName, vmSize\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Creation of expensive computes in Azure\",\"description\":\"Identifies the creation of large size/expensive VMs (GPU or with large no of virtual CPUs) in Azure.\\nAdversary may create new or update existing virtual machines sizes to evade defenses \\nor use it for cryptomining purposes.\\nFor Windows/Linux Vm Sizes - https://docs.microsoft.com/azure/virtual-machines/windows/sizes \\nAzure VM Naming Conventions - https://docs.microsoft.com/azure/virtual-machines/vm-naming-conventions\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/78422ef2-62bf-48ca-9bab-72c69818a425\",\"name\":\"78422ef2-62bf-48ca-9bab-72c69818a425\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P8D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Low\",\"query\":\"let endtime = 1d;\\nlet starttime = 8d;\\nlet threshold = 2.0;\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4624 and LogonType == 10\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ComputerCountToday = dcount(Computer), ComputerSet = makeset(Computer), ProcessSet = makeset(ProcessName)\\nby Account, IpAddress, AccountType, Activity, LogonTypeName),\\n(WindowsEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4624 \\n| extend LogonType = tostring(EventData.LogonType)\\n| where LogonType == 10\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| extend Account = strcat(tostring(EventData.TargetDomainName),\\\"\\\\\\\\\\\", tostring(EventData.TargetUserName))\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| extend TargetUserSid = tostring(EventData.TargetUserSid)\\n| extend AccountType=case(Account endswith \\\"$\\\" or TargetUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(TargetUserSid), \\\"\\\", \\\"User\\\")\\n| extend Activity=\\\"4624 - An account was successfully logged on.\\\"\\n| extend LogonTypeName=\\\"10 - RemoteInteractive\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ComputerCountToday = dcount(Computer), ComputerSet = makeset(Computer), ProcessSet = makeset(ProcessName)\\nby Account, IpAddress, AccountType, Activity, LogonTypeName)\\n)\\n| join kind=inner (\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e= ago(starttime) and TimeGenerated \u003c ago(endtime)\\n| where EventID == 4624 and LogonType == 10\\n| summarize ComputerCountPrev7Days = dcount(Computer) by Account = tolower(Account), IpAddress\\n),\\n( WindowsEvent\\n| where TimeGenerated \u003e= ago(starttime) and TimeGenerated \u003c ago(endtime)\\n| where EventID == 4624 and EventData has (\\\"10\\\")\\n| extend LogonType = toint(EventData.LogonType)\\n| where LogonType == 10\\n| extend Account = strcat(tostring(EventData.TargetDomainName),\\\"\\\\\\\\\\\", tostring(EventData.TargetUserName))\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| summarize ComputerCountPrev7Days = dcount(Computer) by Account = tolower(Account), IpAddress)\\n)\\n) on Account, IpAddress\\n| extend Ratio = iff(isempty(ComputerCountPrev7Days), toreal(ComputerCountToday), ComputerCountToday / (ComputerCountPrev7Days * 1.0))\\n// Where the ratio of today to previous 7 days is more than double.\\n| where Ratio \u003e threshold\\n| project StartTimeUtc, EndTimeUtc, Account, IpAddress, ComputerSet, ComputerCountToday, ComputerCountPrev7Days, Ratio, AccountType, Activity, LogonTypeName, ProcessSet\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"LateralMovement\"],\"displayName\":\"Multiple RDP connections from Single System\",\"description\":\"Identifies when an RDP connection is made to multiple systems and above the normal for the previous 7 days.\\nConnections from the same system with the same account within the same day.\\nRDP connections are indicated by the EventID 4624 with LogonType = 10\",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2019-10-21T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4d94d4a9-dc96-450a-9dea-4d4d4594199b\",\"name\":\"4d94d4a9-dc96-450a-9dea-4d4d4594199b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"SecurityNestedRecommendation\\n| where RemediationDescription has \u0027CVE-2021-38647\u0027\\n| parse ResourceDetails with * \u0027virtualMachines/\u0027 VirtualMAchine \u0027\\\"\u0027 *\\n| summarize arg_min(TimeGenerated, *) by TenantId, RecommendationSubscriptionId, VirtualMAchine, RecommendationName,Description,RemediationDescription, tostring(AdditionalData),VulnerabilityId\\n| extend Timestamp = TimeGenerated, HostCustomEntity = VirtualMAchine\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"Execution\"],\"displayName\":\"Vulnerable Machines related to OMIGOD CVE-2021-38647\",\"description\":\"This query uses the Azure Defender Security Nested Recommendations data to find machines vulnerable to OMIGOD CVE-2021-38647. OMI is the Linux equivalent of Windows WMI and \\n helps users manage configurations across remote and local environments. The query aims to find machines that have this OMI vulnerability (CVE-2021-38647).\\n Security Nested Recommendations data is sent to Microsoft Sentinel using the continuous export feature of Azure Defender(refrence link below).\\n Reference: https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure\\n Reference: https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal\",\"lastUpdatedDateUTC\":\"2021-11-10T00:00:00Z\",\"createdDateUTC\":\"2021-09-17T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d3980830-dd9d-40a5-911f-76b44dfdce16\",\"name\":\"d3980830-dd9d-40a5-911f-76b44dfdce16\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let aadFunc = (tableName:string){\\ntable(tableName)\\n| where AppDisplayName == \\\"GitHub.com\\\"\\n| where ResultType == 0\\n| summarize CountOfLocations = dcount(Location), Locations = make_set(Location), BurstStartTime = min(TimeGenerated), BurstEndTime = max(TimeGenerated) by UserPrincipalName, Type\\n| where CountOfLocations \u003e 1\\n| extend timestamp = BurstStartTime, AccountCustomEntity = UserPrincipalName\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"GitHub Signin Burst from Multiple Locations\",\"description\":\"This alerts when there Signin burst from multiple locations in GitHub (AAD SSO).\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/25a7f951-54b7-4cf5-9862-ebc04306c590\",\"name\":\"25a7f951-54b7-4cf5-9862-ebc04306c590\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let known_users = (AuditLogs\\n | where TimeGenerated between(ago(14d)..ago(1d))\\n | where OperationName has \\\"conditional access policy\\\"\\n | where Result =~ \\\"success\\\"\\n | extend userPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | summarize by userPrincipalName);\\n AuditLogs\\n | where TimeGenerated \u003e ago(1d)\\n | where OperationName has \\\"conditional access policy\\\"\\n | where Result =~ \\\"success\\\"\\n | extend userPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend CAPolicyName = tostring(TargetResources[0].displayName)\\n | extend ipAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n | where userPrincipalName !in (known_users)\\n | extend NewPolicyValues = TargetResources[0].modifiedProperties[0].newValue\\n | extend OldPolicyValues = TargetResources[0].modifiedProperties[0].oldValue\\n | project-reorder TimeGenerated, OperationName, CAPolicyName, userPrincipalName, ipAddress, NewPolicyValues, OldPolicyValues\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"userPrincipalName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ipAddress\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Conditional Access Policy Modified by New User\",\"description\":\"Detects a Conditional Access Policy being modified by a user who has not modified a policy in the last 14 days.\\n A threat actor may try to modify policies to weaken the security controls in place.\\n Investigate any change to ensure they are approved.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-infrastructure#conditional-access\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/70b12a3b-4896-42cb-910c-5ffaf8d7987d\",\"name\":\"70b12a3b-4896-42cb-910c-5ffaf8d7987d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.4.1\",\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"seoulhobi.biz\\\", \\\"reader.cash\\\", \\\"pieceview.club\\\", \\\"app-wallet.com\\\", \\\"bigwnet.com\\\", \\\"bitwoll.com\\\", \\\"cexrout.com\\\", \\\"change-pw.com\\\", \\\"checkprofie.com\\\", \\\"cloudwebappservice.com\\\", \\\"ctquast.com\\\", \\\"dataviewering.com\\\", \\\"day-post.com\\\", \\\"dialy-post.com\\\", \\\"documentviewingcom.com\\\", \\\"dovvn-mail.com\\\", \\\"down-error.com\\\", \\\"drivecheckingcom.com\\\", \\\"drog-service.com\\\", \\\"encodingmail.com\\\", \\\"filinvestment.com\\\", \\\"foldershareing.com\\\", \\\"golangapis.com\\\", \\\"hotrnall.com\\\", \\\"lh-logins.com\\\", \\\"login-use.com\\\", \\\"mail-down.com\\\", \\\"matmiho.com\\\", \\\"mihomat.com\\\", \\\"natwpersonal-online.com\\\", \\\"nidlogin.com\\\", \\\"nid-login.com\\\", \\\"nidlogon.com\\\", \\\"pw-change.com\\\", \\\"rnaii.com\\\", \\\"rnailm.com\\\", \\\"sec-live.com\\\", \\\"secrityprocessing.com\\\", \\\"securitedmode.com\\\", \\\"securytingmail.com\\\", \\\"set-login.com\\\", \\\"usrchecking.com\\\", \\\"com-serviceround.info\\\", \\\"mai1.info\\\", \\\"reviewer.mobi\\\", \\\"files-download.net\\\", \\\"fixcool.net\\\", \\\"hanrnaii.net\\\", \\\"office356-us.org\\\", \\\"smtper.org\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where isnotempty(FileHash)\\n| where DNSName in~ (DomainNames)\\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n),\\n(_Im_Dns (domain_has_any=DomainNames)\\n| extend DNSName = DnsQuery\\n| extend IPAddress = SrcIpAddr\\n),\\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where isnotempty(DNSName)\\n| where DNSName in~ (DomainNames)\\n| extend IPAddress = RemoteIp\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPAddress = SourceHost \\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"CredentialAccess\"],\"displayName\":\"THALLIUM domains included in DCU takedown\",\"description\":\"THALLIUM spearphishing and command and control domains included in December 2019 DCU/MSTIC takedown. \\n Matches domain name IOCs related to the THALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes.\\n References: https://blogs.microsoft.com/on-the-issues/2019/12/30/microsoft-court-action-against-nation-state-cybercrime/ \",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2020-01-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4d94d4a9-dc96-410a-8dea-4d4d4584188b\",\"name\":\"4d94d4a9-dc96-410a-8dea-4d4d4584188b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"let OperationList = dynamic([\\\"Add member to role\\\",\\\"Add member to role in PIM requested (permanent)\\\"]);\\nlet PrivilegedGroups = dynamic([\\\"UserAccountAdmins\\\",\\\"PrivilegedRoleAdmins\\\",\\\"TenantAdmins\\\"]);\\nAuditLogs\\n//| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"RoleManagement\\\"\\n| where OperationName in~ (OperationList)\\n| mv-expand TargetResources\\n| extend modProps = parse_json(TargetResources).modifiedProperties\\n| mv-expand bagexpansion=array modProps\\n| evaluate bag_unpack(modProps)\\n| extend displayName = column_ifexists(\\\"displayName\\\", \\\"NotAvailable\\\"), newValue = column_ifexists(\\\"newValue\\\", \\\"NotAvailable\\\")\\n| where displayName =~ \\\"Role.WellKnownObjectName\\\"\\n| extend DisplayName = displayName, GroupName = replace(\u0027\\\"\u0027,\u0027\u0027,newValue)\\n| extend initByApp = parse_json(InitiatedBy).app, initByUser = parse_json(InitiatedBy).user\\n| extend AppId = initByApp.appId, \\nInitiatedByDisplayName = case(isnotempty(initByApp.displayName), initByApp.displayName, isnotempty(initByUser.displayName), initByUser.displayName, \\\"not available\\\"),\\nServicePrincipalId = tostring(initByApp.servicePrincipalId),\\nServicePrincipalName = tostring(initByApp.servicePrincipalName),\\nUserId = initByUser.id,\\nUserIPAddress = initByUser.ipAddress,\\nUserRoles = initByUser.roles,\\nUserPrincipalName = tostring(initByUser.userPrincipalName),\\nTargetUserPrincipalName = tostring(TargetResources.userPrincipalName)\\n| where GroupName in~ (PrivilegedGroups)\\n// If you don\u0027t want to alert for operations from PIM, remove below filtering for MS-PIM.\\n//| where InitiatedByDisplayName != \\\"MS-PIM\\\"\\n| project TimeGenerated, AADOperationType, Category, OperationName, AADTenantId, AppId, InitiatedByDisplayName, ServicePrincipalId, ServicePrincipalName, DisplayName, GroupName, UserId, UserIPAddress, UserRoles, UserPrincipalName, TargetUserPrincipalName\\n| extend timestamp = TimeGenerated, AccountCustomEntity = case(isnotempty(ServicePrincipalName), ServicePrincipalName, isnotempty(ServicePrincipalId), ServicePrincipalId, isnotempty(UserPrincipalName), UserPrincipalName, \\\"not available\\\")\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUserPrincipalName\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"User added to Azure Active Directory Privileged Groups\",\"description\":\"This will alert when a user is added to any of the Privileged Groups.\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\\nFor Administrator role permissions in Azure Active Directory please see https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles\",\"lastUpdatedDateUTC\":\"2022-03-24T00:00:00Z\",\"createdDateUTC\":\"2020-07-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/50574fac-f8d1-4395-81c7-78a463ff0c52\",\"name\":\"50574fac-f8d1-4395-81c7-78a463ff0c52\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"let aadFunc = (tableName:string){\\ntable(tableName)\\n| where AppId =~ \\\"1b730954-1685-4b74-9bfd-dac224a7b894\\\" // AppDisplayName IS Azure Active Directory PowerShell\\n| where TokenIssuerType =~ \\\"AzureAD\\\"\\n| where ResourceIdentity !in (\\\"00000002-0000-0000-c000-000000000000\\\", \\\"00000003-0000-0000-c000-000000000000\\\") // ResourceDisplayName IS NOT Windows Azure Active Directory OR Microsoft Graph\\n| extend Status = todynamic(Status)\\n| where Status.errorCode == 0 // Success\\n| project-reorder IPAddress, UserAgent, ResourceDisplayName, UserDisplayName, UserId, UserPrincipalName, Type\\n| order by TimeGenerated desc\\n// New entity mapping\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Azure Active Directory PowerShell accessing non-AAD resources\",\"description\":\"This will alert when a user or application signs in using Azure Active Directory PowerShell to access non-Active Directory resources, such as the Azure Key Vault, which may be undesired or unauthorized behavior.\\nFor capabilities and expected behavior of the Azure Active Directory PowerShell module, see: https://learn.microsoft.com/powershell/module/azuread/?view=azureadps-2.0.\\nFor further information on Azure Active Directory Signin activity reports, see: https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins.\",\"lastUpdatedDateUTC\":\"2022-02-23T00:00:00Z\",\"createdDateUTC\":\"2020-12-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cca3b4d9-ac39-4109-8b93-65bb284003e6\",\"name\":\"cca3b4d9-ac39-4109-8b93-65bb284003e6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @\u0027^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$\u0027;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n AzureActivity | where TimeGenerated \u003e= ago(dt_lookBack) and isnotempty(Caller)\\n | extend Caller = tolower(Caller)\\n | where Caller matches regex emailregex\\n | extend AzureActivity_TimeGenerated = TimeGenerated\\n)\\non $left.EmailSenderAddress == $right.Caller\\n| where AzureActivity_TimeGenerated \u003c ExpirationDateTime\\n| summarize AzureActivity_TimeGenerated = arg_max(AzureActivity_TimeGenerated, *) by IndicatorId, Caller\\n| project AzureActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, EmailSenderName, EmailRecipient, \\nEmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, Caller, Level, CallerIpAddress, CategoryValue, OperationNameValue, ActivityStatusValue, \\nResourceGroup, SubscriptionId\\n| extend timestamp = AzureActivity_TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map Email entity to AzureActivity\",\"description\":\"Identifies a match in AzureActivity table from any Email IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9122a9cb-916b-4d98-a199-1b7b0af8d598\",\"name\":\"9122a9cb-916b-4d98-a199-1b7b0af8d598\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"beesweiserdog.com\\\", \\n \\\"bluehostfit.com\\\", \\n \\\"business-toys.com\\\", \\n \\\"cleanskycloud.com\\\", \\n \\\"cumberbat.com\\\", \\n \\\"czreadsecurity.com\\\", \\n \\\"dgtresorgouv.com\\\", \\n \\\"dimediamikedask.com\\\", \\n \\\"diresitioscon.com\\\", \\n \\\"elcolectador.com\\\", \\n \\\"elperuanos.org\\\", \\n \\\"eprotectioneu.com\\\", \\n \\\"fheacor.com\\\", \\n \\\"followthewaterdata.com\\\", \\n \\\"francevrteepress.com\\\", \\n \\\"futtuhy.com\\\", \\n \\\"gardienweb.com\\\", \\n \\\"heimflugaustr.com\\\", \\n \\\"ivpsers.com\\\", \\n \\\"jkeducation.org\\\", \\n \\\"micrlmb.com\\\", \\n \\\"muthesck.com\\\", \\n \\\"netscalertech.com\\\", \\n \\\"newgoldbalmap.com\\\", \\n \\\"news-laestrella.com\\\", \\n \\\"noticialif.com\\\", \\n \\\"opentanzanfoundation.com\\\", \\n \\\"optonlinepress.com\\\", \\n \\\"palazzochigi.com\\\", \\n \\\"pandemicacre.com\\\", \\n \\\"papa-ser.com\\\", \\n \\\"pekematclouds.com\\\", \\n \\\"pipcake.com\\\", \\n \\\"popularservicenter.com\\\", \\n \\\"projectsyndic.com\\\", \\n \\\"qsadtv.com\\\", \\n \\\"sankreal.com\\\", \\n \\\"scielope.com\\\", \\n \\\"seoamdcopywriting.com\\\", \\n \\\"slidenshare.com\\\", \\n \\\"somoswake.com\\\", \\n \\\"squarespacenow.com\\\", \\n \\\"subapostilla.com\\\", \\n \\\"suzukicycles.net\\\", \\n \\\"tatanotakeeps.com\\\", \\n \\\"tijuanazxc.com\\\", \\n \\\"transactioninfo.net\\\", \\n \\\"eurolabspro.com\\\", \\n \\\"adelluminate.com\\\", \\n \\\"headhunterblue.com\\\", \\n \\\"primenuesty.com\\\" \\n ]);\\nlet SHA256Hashes = dynamic ([\\\"02daf4544bcefb2de865d0b45fc406bee3630704be26a9d6da25c9abe906e7d2\\\", \\n \\\"0a45ec3da31838aa7f56e4cbe70d5b3b3809029f9159ff0235837e5b7a4cb34c\\\", \\n \\\"0d7965489810446ca7acc7a2160795b22e452a164261313c634a6529a0090a0c\\\", \\n \\\"10bb4e056fd19f2debe61d8fc5665434f56064a93ca0ec0bef946a4c3e098b95\\\", \\n \\\"12d914f24fe5501e09f5edf503820cc5fe8b763827a1c6d44cdb705e48651b21\\\", \\n \\\"1899f761123fedfeba0fee6a11f830a29cd3653bcdcf70380b72a05b921b4b49\\\", \\n \\\"22e68e366dd3323e5bb68161b0938da8e1331e4f1c1819c8e84a97e704d93844\\\", \\n \\\"259783405ec2cb37fdd8fd16304328edbb6a0703bc3d551eba252d9b450554ef\\\", \\n \\\"26debed09b1bbf24545e3b4501b799b66a0146d4020f882776465b5071e91822\\\", \\n \\\"35c5f22bb11f7dd7a2bb03808e0337cb7f9c0d96047b94c8afdab63efc0b9bb2\\\", \\n \\\"3ae2d9ffa4e53519e62cc0a75696f9023f9cce09b0a917f25699b48d0f7c4838\\\", \\n \\\"3bac2e459c69fcef8c1c93c18e5f4f3e3102d8d0f54a63e0650072aeb2a5fa65\\\", \\n \\\"3c0bf69f6faf85523d9e60d13218e77122b2adb0136ffebbad0f39f3e3eed4e6\\\", \\n \\\"3dc0001a11d54925d2591aec4ea296e64f1d4fdf17ff3343ddeea82e9bd5e4f1\\\", \\n \\\"3fd73af89e94af180b1fbf442bbfb7d7a6c4cf9043abd22ac0aa2f8149bafc90\\\", \\n \\\"6854df6aa0af46f7c77667c450796d5658b3058219158456e869ebd39a47d54b\\\", \\n \\\"6b79b807a66c786bd2e57d1c761fc7e69dd9f790ffab7ce74086c4115c9305ce\\\", \\n \\\"7944a86fbef6238d2a55c14c660c3a3d361c172f6b8fa490686cc8889b7a51a0\\\", \\n \\\"926904f7c0da13a6b8689c36dab9d20b3a2e6d32f212fca9e5f8cf2c6055333c\\\", \\n \\\"95e98c811ea9d212673d0e84046d6da94cbd9134284275195800278593594b5a\\\", \\n \\\"a142625512e5372a1728595be19dbee23eea50524b4827cb64ed5aaeaaa0270b\\\", \\n \\\"afe5e9145882e0b98a795468a4c0352f5b1ddb7b4a534783c9e8fc366914cf6a\\\", \\n \\\"b9027bad09a9f5c917cf0f811610438e46e42e5e984a8984b6d69206ceb74124\\\", \\n \\\"c132d59a3bf0099e0f9f5667daf7b65dba66780f4addd88f04eecae47d5d99fa\\\", \\n \\\"c9a5765561f52bbe34382ce06f4431f7ac65bafe786db5de89c29748cf371dda\\\", \\n \\\"ce0408f92635e42aadc99da3cc1cbc0044e63441129c597e7aa1d76bf2700c94\\\", \\n \\\"ce47bacc872516f91263f5e59441c54f14e9856cf213ca3128470217655fc5e6\\\", \\n \\\"d0fe4562970676e30a4be8cb4923dc9bfd1fca8178e8e7fea0f3f02e0c7435ce\\\", \\n \\\"d5b36648dc9828e69242b57aca91a0bb73296292bf987720c73fcd3d2becbae6\\\", \\n \\\"e72d142a2bc49572e2d99ed15827fc27c67fc0999e90d4bf1352b075f86a83ba\\\"\\n ]);\\nlet SigNames = dynamic([\\\"Backdoor:Win32/Leeson\\\", \\\"Trojan:Win32/Kechang\\\", \\\"Backdoor:Win32/Nightimp!dha\\\", \\\"Trojan:Win32/QuarkBandit.A!dha\\\", \\\"TrojanSpy:Win32/KeyLogger\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where isnotempty(FileHash)\\n| where FileHash in (SHA256Hashes) or DNSName in~ (DomainNames)\\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n),\\n(_Im_Dns(domain_has_any = DomainNames)\\n| extend DNSName = DnsQuery\\n| extend IPAddress = SrcIpAddr\\n),\\n(_Im_WebSession(url_has_any = DomainNames)\\n| extend DNSName = tostring(parse_url(Url)[\\\"Host\\\"])\\n| extend IPAddress = SrcIpAddr\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updataing\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Hashes = EventDetail.[16].[\\\"#text\\\"]\\n| parse Hashes with * \u0027SHA256=\u0027 SHA256 \u0027,\u0027 * \\n| where isnotempty(Hashes)\\n| where Hashes in (SHA256Hashes) \\n| extend Account = UserName\\n),\\n(DeviceFileEvents\\n| where SHA256 in~ (SHA256Hashes)\\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = SHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(imFileEvent\\n| where TargetFileSHA256 in~ (SHA256Hashes)\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(DeviceNetworkEvents\\n| where RemoteUrl in~ (DomainNames)\\n| extend Computer = DeviceName, IPAddress = LocalIP, Account = InitiatingProcessAccountName\\n| project Type, TimeGenerated, Computer, Account, IPAddress, RemoteUrl\\n),\\n(SecurityAlert\\n| where ProductName == \\\"Microsoft Defender Advanced Threat Protection\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| where isnotempty(ThreatName)\\n| where ThreatName has_any (SigNames)\\n| extend Computer = tostring(parse_json(Entities)[0].HostName)\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPAddress = SourceHost\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Known NICKEL domains and hashes\",\"description\":\"IOC domains and hash values for tools and malware used by NICKEL. \\n Matches domain name, hash IOCs and M365 Defender sigs related to the NICKEL activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes.\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2021-11-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/720d12c6-a08c-44c4-b18f-2236412d59b0\",\"name\":\"720d12c6-a08c-44c4-b18f-2236412d59b0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Low\",\"query\":\"SecurityEvent\\n | where EventID == 4688\\n | where Process !~ \\\"sdelete.exe\\\"\\n | where CommandLine has_all (\\\"accepteula\\\", \\\"-r\\\", \\\"-s\\\", \\\"-q\\\", \\\"c:/\\\")\\n | where CommandLine !has (\\\"sdelete\\\")\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"DefenseEvasion\",\"Impact\"],\"displayName\":\"Potential re-named sdelete usage\",\"description\":\"This detection looks for command line parameters associated with the use of Sysinternals sdelete (https://docs.microsoft.com/sysinternals/downloads/sdelete) to delete multiple files on a host\u0027s C drive.\\nA threat actor may re-name the tool to avoid detection and then use it for destructive attacks on a host.\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-02-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/009b9bae-23dd-43c4-bcb9-11c4ba7c784a\",\"name\":\"009b9bae-23dd-43c4-bcb9-11c4ba7c784a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n | where OperationName has \\\"Consent to application\\\"\\n | where Result =~ \\\"failure\\\"\\n | extend ipAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n | extend userPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend userAgent = iif(AdditionalDetails[0].key == \\\"User-Agent\\\", tostring(AdditionalDetails[0].value), tostring(AdditionalDetails[1].value))\\n | where isnotempty(TargetResources)\\n | extend AppName = tostring(TargetResources[0].displayName)\\n | mv-expand TargetResources[0].modifiedProperties\\n | extend TargetResources_0_modifiedProperties = columnifexists(\\\"TargetResources_0_modifiedProperties\\\", \u0027\u0027)\\n | where isnotempty(TargetResources_0_modifiedProperties)\\n | where TargetResources_0_modifiedProperties.displayName =~ \\\"MethodExecutionResult.\\\"\\n | extend FailureReason = tostring(parse_json(tostring(TargetResources_0_modifiedProperties.newValue)))\\n | where FailureReason contains \\\"Risky\\\"\\n | project-reorder TimeGenerated, OperationName, Result, AppName, FailureReason, userPrincipalName, userAgent, ipAddress\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ipAddress\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"userPrincipalName\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"End-user consent stopped due to risk-based consent\",\"description\":\"Detects a user\u0027s consent to an OAuth application being blocked due to it being too risky.\\n These events should be investigated to understand why the user attempted to consent to the applicaiton and what other applicaitons they may have consented to.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-applications#end-user-stopped-due-to-risk-based-consent\",\"lastUpdatedDateUTC\":\"2022-07-09T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e70fa6e0-796a-4e85-9420-98b17b0bb749\",\"name\":\"e70fa6e0-796a-4e85-9420-98b17b0bb749\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"DeviceInfo\\n| extend DeviceName = tolower(DeviceName)\\n| join (SecurityAlert\\n| where ProviderName =~ \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| where ThreatName has \\\"Solorigate\\\"\\n| extend HostCustomEntity = tolower(CompromisedEntity)\\n) on $left.DeviceName == $right.HostCustomEntity\\n| project TimeGenerated, DisplayName, ThreatName, CompromisedEntity, PublicIP, MachineGroup, AlertSeverity, Description, LoggedOnUsers, DeviceId, TenantId, HostCustomEntity\\n| extend timestamp = TimeGenerated, IPCustomEntity = PublicIP\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Solorigate Defender Detections\",\"description\":\"Surfaces any Defender Alert for Solorigate Events. In Microsoft Sentinel the SecurityAlerts table includes only the Device Name of the affected device, this query joins the DeviceInfo table to clearly connect other information such as \\n Device group, ip, logged on users etc. This way, the Microsoft Sentinel user can have all the pertinent device info in one view for all the the Solarigate Defender alerts.\",\"lastUpdatedDateUTC\":\"2021-11-10T00:00:00Z\",\"createdDateUTC\":\"2020-12-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftDefenderAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert (MDATP)\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceInfo\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9176b18f-a946-42c6-a2f6-0f6d17cd6a8a\",\"name\":\"9176b18f-a946-42c6-a2f6-0f6d17cd6a8a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let triThreshold = 500;\\nlet querystarttime = 6h;\\nlet dgaLengthThreshold = 8;\\n// fetch the cisco umbrella top 1M domains\\nlet top1M = (externaldata (Position:int, Domain:string) [@\\\"http://s3-us-west-1.amazonaws.com/umbrella-static/top-1m.csv.zip\\\"] with (format=\\\"csv\\\", zipPattern=\\\"*.csv\\\"));\\n// extract tri grams that are above our threshold - i.e. are common\\nlet triBaseline = top1M\\n | extend Domain = tolower(extract(\\\"([^.]*).{0,7}$\\\", 1, Domain))\\n | extend AllTriGrams = array_concat(extract_all(\\\"(...)\\\", Domain), extract_all(\\\"(...)\\\", substring(Domain, 1)), extract_all(\\\"(...)\\\", substring(Domain, 2)))\\n | mvexpand Trigram=AllTriGrams to typeof(string)\\n | summarize triCount=count() by Trigram\\n | sort by triCount desc\\n | where triCount \u003e triThreshold\\n | distinct Trigram;\\n// collect domain information from common security log, filter and extract the DGA candidate and its trigrams\\nlet allDataSummarized = _Im_WebSession \\n| where isnotempty(Url) \\n| extend Name = tolower(tostring(parse_url(Url)[\\\"Host\\\"]))\\n| summarize NameCount=count() by Name\\n| where Name has \\\".\\\"\\n| where Name !endswith \\\".home\\\" and Name !endswith \\\".lan\\\"\\n// extract DGA candidate\\n| extend DGADomain = extract(\\\"([^.]*).{0,7}$\\\", 1, Name)\\n| where strlen(DGADomain) \u003e dgaLengthThreshold\\n// throw out domains with number in them\\n| where DGADomain matches regex \\\"^[A-Za-z]{0,}$\\\"\\n// extract the tri grams from summarized data\\n| extend AllTriGrams = array_concat(extract_all(\\\"(...)\\\", DGADomain), extract_all(\\\"(...)\\\", substring(DGADomain, 1)), extract_all(\\\"(...)\\\", substring(DGADomain, 2)));\\n// throw out domains that have repeating tri\u0027s and/or \u003e=3 repeating letters\\nlet nonRepeatingTris = allDataSummarized\\n| join kind=leftanti\\n(\\n allDataSummarized\\n | mvexpand AllTriGrams\\n | summarize count() by tostring(AllTriGrams), DGADomain\\n | where count_ \u003e 1\\n | distinct DGADomain\\n)\\non DGADomain;\\n// find domains that do not have a common tri in the baseline\\nlet dataWithRareTris = nonRepeatingTris\\n| join kind=leftanti\\n(\\n nonRepeatingTris\\n | mvexpand AllTriGrams\\n | extend Trigram = tostring(AllTriGrams)\\n | distinct Trigram, DGADomain\\n | join kind=inner\\n (\\n triBaseline\\n )\\n on Trigram\\n | distinct DGADomain\\n)\\non DGADomain;\\ndataWithRareTris\\n// join DGAs back on connection data\\n| join kind=inner\\n(\\n _Im_WebSession\\n | where isnotempty(Url)\\n | extend Url = tolower(Url)\\n | summarize arg_max(TimeGenerated, EventVendor, SrcIpAddr) by Url\\n | extend Name=tostring(parse_url(Url)[\\\"Host\\\"])\\n | summarize StartTime=min(TimeGenerated), EndTime=max(TimeGenerated) by Name, SrcIpAddr, Url\\n)\\non Name\\n| project StartTime, EndTime, Name, DGADomain, SrcIpAddr, Url, NameCount\",\"customDetails\":{\"DGAPattern\":\"DGADomain\",\"NameCount\":\"NameCount\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URL\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Potential communication from {{SrcIpAddr} with a Domain Generation Algorithm (DGA) based host {{Name}}\",\"alertDescriptionFormat\":\"A client with address {{SrcIpAddr}} communicated with host {{Name}} that have a domain name that might have been generated by a Domain Generation Algorithm (DGA), identified by the pattern {{DGADomain}}. DGAs are used by malware to generate rendezvous points that are difficult to predict in advance. This detection uses the top 1 million domain names to build a model of what normal domains look like and uses the model to identify domains that may have been randomly generated by an algorithm.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Potential communication with a Domain Generation Algorithm (DGA) based hostname (ASIM Web Session schema)\",\"description\":\"This rule identifies communication with hosts that have a domain name that might have been generated by a Domain Generation Algorithm (DGA). DGAs are used by malware to generate rendezvous points that are difficult to predict in advance. This detection uses the top 1 million domain names to build a model of what normal domains look like nad uses the model to identify domains that may have been randomly generated by an algorithm. You can modify the triThreshold and dgaLengthThreshold query parameters to change Analytic Rule sensitivity. The higher the numbers, the less noisy the rule is. \u003cbr\u003e\\n This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema)\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-12-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f819c592-c5f9-4d5c-a79f-1e6819863533\",\"name\":\"f819c592-c5f9-4d5c-a79f-1e6819863533\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"// ADHealth Monitoring Agent Registry Key\\nlet aadHealthMonAgentRegKey = \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Microsoft Online\\\\\\\\Reporting\\\\\\\\MonitoringAgent\\\";\\n// Filter out known processes\\nlet aadConnectHealthProcs = dynamic ([\\n \u0027Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe\u0027,\\n \u0027Microsoft.Identity.Health.Adfs.InsightsService.exe\u0027,\\n \u0027Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe\u0027,\\n \u0027Microsoft.Identity.Health.Adfs.PshSurrogate.exe\u0027,\\n \u0027Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe\u0027,\\n \u0027Microsoft.Identity.Health.AadSync.MonitoringAgent.Startup.exe\u0027,\\n \u0027Microsoft.Identity.AadConnect.Health.AadSync.Host.exe\u0027,\\n \u0027Microsoft.Azure.ActiveDirectory.Synchronization.Upgrader.exe\u0027,\\n \u0027miiserver.exe\u0027\\n]);\\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where EventID == \u00274656\u0027\\n| where EventData has aadHealthMonAgentRegKey\\n| extend EventData = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Computer, EventID)\\n| extend ObjectName = column_ifexists(\\\"ObjectName\\\", \\\"\\\"),\\n ObjectType = column_ifexists(\\\"ObjectType\\\", \\\"\\\")\\n| where ObjectType == \u0027Key\u0027\\n| where ObjectName == aadHealthMonAgentRegKey\\n| extend SubjectUserName = column_ifexists(\\\"SubjectUserName\\\", \\\"\\\"),\\n SubjectDomainName = column_ifexists(\\\"SubjectDomainName\\\", \\\"\\\"),\\n ProcessName = column_ifexists(\\\"ProcessName\\\", \\\"\\\")\\n| extend Process = split(ProcessName, \u0027\\\\\\\\\u0027, -1)[-1],\\n Account = strcat(SubjectDomainName, \\\"\\\\\\\\\\\", SubjectUserName)\\n| where Process !in (aadConnectHealthProcs)\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by EventID, Account, Computer, Process, SubjectUserName, SubjectDomainName, ObjectName, ObjectType, ProcessName\\n),\\n(\\nWindowsEvent\\n| where EventID == \u00274656\u0027 and EventData has aadHealthMonAgentRegKey\\n| extend ObjectType = tostring(EventData.ObjectType)\\n| where ObjectType == \u0027Key\u0027\\n| extend ObjectName = tostring(EventData.ObjectName)\\n| where ObjectName == aadHealthMonAgentRegKey\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| extend Process = tostring(split(ProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where Process !in (aadConnectHealthProcs)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName)\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by EventID, Account, Computer, Process, SubjectUserName, SubjectDomainName, ObjectName, ObjectType, ProcessName\\n),\\n(\\nSecurityEvent\\n| where EventID == \u00274663\u0027\\n| where ObjectType == \u0027Key\u0027\\n| where ObjectName == aadHealthMonAgentRegKey\\n| extend Process = tostring(split(ProcessName, \u0027\\\\\\\\\u0027, -1)[-1])\\n| where Process !in (aadConnectHealthProcs)\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by EventID, Account, Computer, Process, SubjectUserName, SubjectDomainName, ObjectName, ObjectType, ProcessName\\n),\\n (\\nWindowsEvent\\n| where EventID == \u00274663\u0027 and EventData has aadHealthMonAgentRegKey\\n| extend ObjectType = tostring(EventData.ObjectType)\\n| where ObjectType == \u0027Key\u0027\\n| extend ObjectName = tostring(EventData.ObjectName)\\n| where ObjectName == aadHealthMonAgentRegKey\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| extend Process = tostring(split(ProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where Process !in (aadConnectHealthProcs)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName)\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by EventID, Account, Computer, Process, SubjectUserName, SubjectDomainName, ObjectName, ObjectType, ProcessName\\n)\\n)\\n// You can filter out potential machine accounts\\n//| where AccountType != \u0027Machine\u0027\\n| extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Collection\"],\"displayName\":\"Azure AD Health Monitoring Agent Registry Keys Access\",\"description\":\"This detection uses Windows security events to detect suspicious access attempts to the registry key of Azure AD Health monitoring agent.\\nThis detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object HKLM\\\\SOFTWARE\\\\Microsoft\\\\Microsoft Online\\\\Reporting\\\\MonitoringAgent.\\nYou can find more information in here https://github.com/OTRF/Set-AuditRule/blob/master/rules/registry/aad_connect_health_monitoring_agent.yml\\n\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-08-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/066395ac-ef91-4993-8bf6-25c61ab0ca5a\",\"name\":\"066395ac-ef91-4993-8bf6-25c61ab0ca5a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/SOURGUM.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet domains = (iocs | where Type =~ \\\"domainname\\\"| project IoC);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\nlet file_path1 = (iocs | where Type =~ \\\"filepath1\\\" | project IoC);\\nlet file_path2 = (iocs | where Type =~ \\\"filepath2\\\" | project IoC);\\nlet file_path3 = (iocs | where Type =~ \\\"filepath3\\\" | project IoC);\\nlet reg_key = (iocs | where Type =~ \\\"regkey\\\" | project IoC);\\nWindowsEvent\\n| where EventID == 4688 and (EventData has_any (file_path1) or EventData has_any (file_path2) or EventData has_any (file_path3) or EventData has_any (\u0027reg add\u0027) or EventData has_any (reg_key) )\\n| extend CommandLine = tostring(EventData.CommandLine)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| where (CommandLine has_any (file_path1)) or\\n (CommandLine has_any (file_path3)) or\\n (CommandLine has \u0027reg add\u0027 and CommandLine has_any (reg_key) and CommandLine has_any (file_path2)) or \\n (NewProcessName has_any (file_path1)) or\\n (NewProcessName has_any (file_path3)) or\\n (ParentProcessName has_any (file_path1)) or \\n (ParentProcessName has_any (file_path3)) \\n| extend Account = strcat(EventData.SubjectDomainName,\\\"\\\\\\\\\\\", EventData.SubjectUserName)\\n| extend NewProcessId = tostring(EventData.NewProcessId)\\n| extend IPCustomEntity = tostring(EventData.IpAddress)\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type, IPCustomEntity\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, Alert = \u0027SOURGUM IOC detected\u0027\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"SOURGUM Actor IOC - July 2021\",\"description\":\"Identifies a match across IOC\u0027s related to an actor tracked by Microsoft as SOURGUM\",\"lastUpdatedDateUTC\":\"2022-05-19T00:00:00Z\",\"createdDateUTC\":\"2022-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6116dc19-475a-4148-84b2-efe89c073e27\",\"name\":\"6116dc19-475a-4148-84b2-efe89c073e27\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let threshold = 10;\\nQualysHostDetectionV2_CL\\n| extend Status = tostring(Status_s), Vulnerability = tostring(QID_s), Severity = tostring(Severity_s)\\n| where Status =~ \\\"New\\\" and Severity == \\\"5\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), dcount(NetBios_s) by tostring(QID_s)\\n| where dcount_NetBios_s \u003e= threshold\\n| extend timestamp = StartTime\",\"entityMappings\":[],\"tactics\":[\"InitialAccess\"],\"displayName\":\"New High Severity Vulnerability Detected Across Multiple Hosts\",\"description\":\"This creates an incident when a new high severity vulnerability is detected across multilple hosts\",\"lastUpdatedDateUTC\":\"2021-12-08T00:00:00Z\",\"createdDateUTC\":\"2020-06-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"QualysVulnerabilityManagement\",\"dataTypes\":[\"QualysHostDetection_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/90d3f6ec-80fb-48e0-9937-2c70c9df9bad\",\"name\":\"90d3f6ec-80fb-48e0-9937-2c70c9df9bad\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let DomainList = dynamic([\\\"tor2web.org\\\", \\\"tor2web.com\\\", \\\"torlink.co\\\", \\\"onion.to\\\", \\\"onion.ink\\\", \\\"onion.cab\\\", \\\"onion.nu\\\", \\\"onion.link\\\", \\n\\\"onion.it\\\", \\\"onion.city\\\", \\\"onion.direct\\\", \\\"onion.top\\\", \\\"onion.casa\\\", \\\"onion.plus\\\", \\\"onion.rip\\\", \\\"onion.dog\\\", \\\"tor2web.fi\\\", \\n\\\"tor2web.blutmagie.de\\\", \\\"onion.sh\\\", \\\"onion.lu\\\", \\\"onion.pet\\\", \\\"t2w.pw\\\", \\\"tor2web.ae.org\\\", \\\"tor2web.io\\\", \\\"tor2web.xyz\\\", \\\"onion.lt\\\", \\n\\\"s1.tor-gateways.de\\\", \\\"s2.tor-gateways.de\\\", \\\"s3.tor-gateways.de\\\", \\\"s4.tor-gateways.de\\\", \\\"s5.tor-gateways.de\\\", \\\"hiddenservice.net\\\"]);\\nSyslog\\n| where ProcessName contains \\\"squid\\\"\\n| extend URL = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :]*)\\\",3,SyslogMessage), \\n SourceIP = extract(\\\"([0-9]+ )(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3}))\\\",2,SyslogMessage), \\n Status = extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))\\\",1,SyslogMessage), \\n HTTP_Status_Code = extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))/([0-9]{3})\\\",8,SyslogMessage),\\n User = extract(\\\"(CONNECT |GET )([^ ]* )([^ ]+)\\\",3,SyslogMessage),\\n RemotePort = extract(\\\"(CONNECT |GET )([^ ]*)(:)([0-9]*)\\\",4,SyslogMessage),\\n Domain = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :\\\\\\\\/]*)\\\",3,SyslogMessage),\\n Bytes = toint(extract(\\\"([A-Z]+\\\\\\\\/[0-9]{3} )([0-9]+)\\\",2,SyslogMessage)),\\n contentType = extract(\\\"([a-z/]+$)\\\",1,SyslogMessage)\\n| extend TLD = extract(\\\"\\\\\\\\.[a-z]*$\\\",0,Domain)\\n| where HTTP_Status_Code == \\\"200\\\"\\n| where Domain contains \\\".\\\"\\n| where Domain has_any (DomainList)\\n| extend timestamp = TimeGenerated, URLCustomEntity = URL, IPCustomEntity = SourceIP, AccountCustomEntity = User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Squid proxy events for ToR proxies\",\"description\":\"Check for Squid proxy events associated with common ToR proxies. This query presumes the default squid log format is being used.\\nhttp://www.squid-cache.org/Doc/config/access_log/\",\"lastUpdatedDateUTC\":\"2022-05-31T00:00:00Z\",\"createdDateUTC\":\"2019-07-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/70fc7201-f28e-4ba7-b9ea-c04b96701f13\",\"name\":\"70fc7201-f28e-4ba7-b9ea-c04b96701f13\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let OperationList = dynamic([\\\"Add member to role\\\",\\\"Add member to role in PIM requested (permanent)\\\"]);\\nlet PrivilegedGroups = dynamic([\\\"UserAccountAdmins\\\",\\\"PrivilegedRoleAdmins\\\",\\\"TenantAdmins\\\"]);\\nAuditLogs\\n//| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"RoleManagement\\\"\\n| where OperationName in~ (OperationList)\\n| mv-expand TargetResources\\n| extend modProps = parse_json(TargetResources).modifiedProperties\\n| mv-expand bagexpansion=array modProps\\n| evaluate bag_unpack(modProps)\\n| extend displayName = column_ifexists(\\\"displayName\\\", \\\"NotAvailable\\\"), newValue = column_ifexists(\\\"newValue\\\", \\\"NotAvailable\\\")\\n| where displayName =~ \\\"Role.WellKnownObjectName\\\"\\n| extend DisplayName = displayName, GroupName = replace(\u0027\\\"\u0027,\u0027\u0027,newValue)\\n| extend initByApp = parse_json(InitiatedBy).app, initByUser = parse_json(InitiatedBy).user\\n| extend AppId = initByApp.appId,\\nInitiatedByDisplayName = case(isnotempty(initByApp.displayName), initByApp.displayName, isnotempty(initByUser.displayName), initByUser.displayName, \\\"not available\\\"),\\nServicePrincipalId = tostring(initByApp.servicePrincipalId),\\nServicePrincipalName = tostring(initByApp.servicePrincipalName),\\nUserId = initByUser.id,\\nUserIPAddress = initByUser.ipAddress,\\nUserRoles = initByUser.roles,\\nUserPrincipalName = tostring(initByUser.userPrincipalName),\\nTargetUserPrincipalName = tostring(TargetResources.userPrincipalName)\\n| where GroupName in~ (PrivilegedGroups)\\n// If you don\u0027t want to alert for operations from PIM, remove below filtering for MS-PIM.\\n//| where InitiatedByDisplayName != \\\"MS-PIM\\\"\\n| project TimeGenerated, AADOperationType, Category, OperationName, AADTenantId, AppId, InitiatedByDisplayName, ServicePrincipalId, ServicePrincipalName, DisplayName, GroupName, UserId, UserIPAddress, UserRoles, UserPrincipalName, TargetUserPrincipalName\\n| extend AccountCustomEntity = case(isnotempty(ServicePrincipalName), ServicePrincipalName, isnotempty(ServicePrincipalId), ServicePrincipalId, isnotempty(UserPrincipalName), UserPrincipalName, \\\"not available\\\")\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUserPrincipalName\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"NRT User added to Azure Active Directory Privileged Groups\",\"description\":\"This will alert when a user is added to any of the Privileged Groups.\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\\nFor Administrator role permissions in Azure Active Directory please see https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles\",\"lastUpdatedDateUTC\":\"2022-03-24T00:00:00Z\",\"createdDateUTC\":\"2020-07-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5239248b-abfb-4c6a-8177-b104ade5db56\",\"name\":\"5239248b-abfb-4c6a-8177-b104ade5db56\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"let RunCommandData = materialize ( AzureActivity\\n// Isolate run command actions\\n| where OperationNameValue == \\\"MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION\\\"\\n// Confirm that the operation impacted a virtual machine\\n| where Authorization has \\\"virtualMachines\\\"\\n// Each runcommand operation consists of three events when successful, StartTimeed, Accepted (or Rejected), Successful (or Failed).\\n| summarize StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), max(CallerIpAddress), make_list(ActivityStatusValue) by CorrelationId, Authorization, Caller\\n// Limit to Run Command executions that Succeeded\\n| where list_ActivityStatusValue has \\\"Success\\\"\\n// Extract data from the Authorization field, allowing us to later extract the Caller (UPN) and CallerIpAddress\\n| extend Authorization_d = parse_json(Authorization)\\n| extend Scope = Authorization_d.scope\\n| extend Scope_s = split(Scope, \\\"/\\\")\\n| extend Subscription = tostring(Scope_s[2])\\n| extend VirtualMachineName = tostring(Scope_s[-1])\\n| project StartTime, EndTime, Subscription, VirtualMachineName, CorrelationId, Caller, CallerIpAddress=max_CallerIpAddress\\n| join kind=leftouter (\\n DeviceFileEvents\\n | where InitiatingProcessFileName == \\\"RunCommandExtension.exe\\\"\\n | extend VirtualMachineName = tostring(split(DeviceName, \\\".\\\")[0])\\n | project VirtualMachineName, PowershellFileCreatedTimestamp=TimeGenerated, FileName, FileSize, InitiatingProcessAccountName, InitiatingProcessAccountDomain, InitiatingProcessFolderPath, InitiatingProcessId\\n) on VirtualMachineName\\n// We need to filter by time sadly, this is the only way to link events\\n| where PowershellFileCreatedTimestamp between (StartTime .. EndTime)\\n| project StartTime, EndTime, PowershellFileCreatedTimestamp, VirtualMachineName, Caller, CallerIpAddress, FileName, FileSize, InitiatingProcessId, InitiatingProcessAccountDomain, InitiatingProcessFolderPath\\n| join kind=inner(\\n DeviceEvents\\n | extend VirtualMachineName = tostring(split(DeviceName, \\\".\\\")[0])\\n | where InitiatingProcessCommandLine has \\\"-File\\\"\\n // Extract the script name based on the structure used by the RunCommand extension\\n | extend PowershellFileName = extract(@\\\"\\\\-File\\\\s(script[0-9]{1,9}\\\\.ps1)\\\", 1, InitiatingProcessCommandLine)\\n // Discard results that didn\u0027t successfully extract, these are not run command related\\n | where isnotempty(PowershellFileName)\\n | extend PSCommand = tostring(parse_json(AdditionalFields).Command)\\n // The first execution of PowerShell will be the RunCommand script itself, we can discard this as it will break our hash later\\n | where PSCommand != PowershellFileName \\n // Now we normalise the cmdlets, we\u0027re aiming to hash them to find scripts using rare combinations\\n | extend PSCommand = toupper(PSCommand)\\n | order by PSCommand asc\\n | summarize PowershellExecStartTime=min(TimeGenerated), PowershellExecEnd=max(TimeGenerated), make_list(PSCommand) by PowershellFileName, InitiatingProcessCommandLine\\n) on $left.FileName == $right.PowershellFileName\\n| project StartTime, EndTime, PowershellFileCreatedTimestamp, PowershellExecStartTime, PowershellExecEnd, PowershellFileName, PowershellScriptCommands=list_PSCommand, Caller, CallerIpAddress, InitiatingProcessCommandLine, PowershellFileSize=FileSize, VirtualMachineName\\n| order by StartTime asc \\n// We generate the hash based on the cmdlets called and the size of the powershell script\\n| extend TempFingerprintString = strcat(PowershellScriptCommands, PowershellFileSize)\\n| extend ScriptFingerprintHash = hash_sha256(tostring(PowershellScriptCommands)));\\nlet totals = toscalar (RunCommandData\\n| summarize count());\\nlet hashTotals = RunCommandData\\n| summarize HashCount=count() by ScriptFingerprintHash;\\nRunCommandData\\n| join kind=leftouter (\\nhashTotals\\n) on ScriptFingerprintHash\\n// Calculate prevalence, while we don\u0027t need this, it may be useful for responders to know how rare this script is in relation to normal activity\\n| extend Prevalence = toreal(HashCount) / toreal(totals) * 100\\n// Where the hash was only ever seen once.\\n| where HashCount == 1\\n| extend timestamp = StartTime, IPCustomEntity=CallerIpAddress, AccountCustomEntity=Caller, HostCustomEntity=VirtualMachineName\\n| project timestamp, StartTime, EndTime, PowershellFileName, VirtualMachineName, Caller, CallerIpAddress, PowershellScriptCommands, PowershellFileSize, ScriptFingerprintHash, Prevalence, IPCustomEntity, AccountCustomEntity, HostCustomEntity\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"LateralMovement\",\"Execution\"],\"displayName\":\"Azure VM Run Command operations executing a unique PowerShell script\",\"description\":\"Identifies when Azure Run command is used to execute a PowerShell script on a VM that is unique.\\nThe uniqueness of the PowerShell script is determined by taking a combined hash of the cmdLets it imports\\nand the file size of the PowerShell script. Alerts from this detection indicate a unique PowerShell was executed\\nin your environment.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-10-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\",\"DeviceEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f15370f4-c6fa-42c5-9be4-1d308f40284e\",\"name\":\"f15370f4-c6fa-42c5-9be4-1d308f40284e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.2\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n OfficeActivity\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(ClientIP)\\n | extend ClientIPValues = extract_all(@\u0027\\\\[?(::ffff:)?(?P\u003cIPAddress\u003e(\\\\d+\\\\.\\\\d+\\\\.\\\\d+\\\\.\\\\d+)|[^\\\\]%]+)(%\\\\d+)?\\\\]?([-:](?P\u003cPort\u003e\\\\d+))?\u0027, dynamic([\\\"IPAddress\\\", \\\"Port\\\"]), ClientIP)[0]\\n | extend IPAddress = tostring(ClientIPValues[0])\\n // renaming time column so it is clear the log this came from\\n | extend OfficeActivity_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.IPAddress\\n| where OfficeActivity_TimeGenerated \u003c ExpirationDateTime\\n| summarize OfficeActivity_TimeGenerated = arg_max(OfficeActivity_TimeGenerated, *) by IndicatorId\\n| project OfficeActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, ClientIP, UserId, Operation, ResultStatus, RecordType, OfficeObjectId, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = OfficeActivity_TimeGenerated, IPCustomEntity = TI_ipEntity, AccountCustomEntity = UserId, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to OfficeActivity\",\"description\":\"Identifies a match in OfficeActivity from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a4ce20ae-a2e4-4d50-b40d-d49f1353b6cc\",\"name\":\"a4ce20ae-a2e4-4d50-b40d-d49f1353b6cc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"// Extracts plaintext IPv4 addresses\\nlet ipv4_plaintext_extraction_regex = @\\\"((?:(?:[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])(?:\\\\.)){3}(?:[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]){1,3})\\\";\\n// Identified base64 encoded IPv4 addresses\\nlet ipv4_encoded_identification_regex = @\\\"\\\\=([a-zA-Z0-9\\\\/\\\\+]*(?:(?:MC|Au|wL|MS|Eu|xL|Mi|Iu|yL|My|Mu|zL|NC|Qu|0L|NS|Uu|1L|Ni|Yu|2L|Ny|cu|3L|OC|gu|4L|OS|ku|5L){1}[a-zA-Z0-9\\\\/\\\\+]{2,4}){3}[a-zA-Z0-9\\\\/\\\\+\\\\=]*)\\\";\\n// Extractes IPv4 addresses as hex values\\nlet ipv4_decoded_hex_extract = @\\\"((?:(?:61|62|63|64|65|66|67|68|69|6a|6b|6c|6d|6e|6f|70|71|72|73|74|75|76|77|78|79|7a|41|42|43|44|45|46|47|48|49|4a|4b|4c|4d|4e|4f|50|51|52|53|54|55|56|57|58|59|5a|2f|2b|3d),){7,15})\\\";\\nCommonSecurityLog\\n| where isnotempty(RequestURL)\\n// Identify requests with encoded IPv4 addresses\\n| where RequestURL matches regex ipv4_encoded_identification_regex\\n| project TimeGenerated, RequestURL\\n// Extract IP candidates in their base64 encoded format, significantly reducing the dataset\\n| extend extracted_encoded_ip_candidate = extract_all(ipv4_encoded_identification_regex, RequestURL)\\n// We could have more than one candidate, expand them out\\n| mv-expand extracted_encoded_ip_candidate to typeof(string)\\n| summarize Start=min(TimeGenerated), End=max(TimeGenerated), make_set(RequestURL) by extracted_encoded_ip_candidate\\n// Pad if we need to\\n| extend extracted_encoded_ip_candidate = iff(strlen(extracted_encoded_ip_candidate) % 2 == 0, extracted_encoded_ip_candidate, strcat(extracted_encoded_ip_candidate, \\\"=\\\"))\\n// Now decode the candidate to a long array, we cannot go straight to string as it cannot handle non-UTF8, we need to strip that first\\n| extend extracted_encoded_ip_candidate = tostring(base64_decode_toarray(extracted_encoded_ip_candidate))\\n// Extract the IP candidates from the array\\n| extend hex_extracted = extract_all(ipv4_decoded_hex_extract, extracted_encoded_ip_candidate)\\n// Expand, it\u0027s still possible that we might have more than 1 IP\\n| mv-expand hex_extracted\\n// Now we should have a clean string. We need to put it back into a dynamic array to convert back to a string.\\n| extend hex_extracted = trim_end(\\\",\\\", tostring(hex_extracted))\\n| extend hex_extracted = strcat(\\\"[\\\",hex_extracted,\\\"]\\\")\\n| extend hex_extracted = todynamic(hex_extracted)\\n| extend extracted_encoded_ip_candidate = todynamic(extracted_encoded_ip_candidate)\\n// Convert the array back into a string\\n| extend decoded_ip_candidate = make_string(hex_extracted)\\n| summarize by decoded_ip_candidate, tostring(set_RequestURL), Start, End\\n// Now the IP candidates will be in plaintext, extract the IPs using a regex\\n| extend ipmatch = extract_all(ipv4_plaintext_extraction_regex, decoded_ip_candidate)\\n// If it\u0027s not an IP, throw it out\\n| where isnotnull(ipmatch)\\n| mv-expand ipmatch to typeof(string)\\n// Join with DeviceNetworkEvents to find instances where an IP of a machine in our MDE estate sent it\u0027s IP in a base64 encoded string\\n| join (\\n DeviceNetworkEvents\\n | summarize make_set(DeviceId), make_set(DeviceName) by RemoteIP\\n) on $left.ipmatch == $right.RemoteIP\\n| project Start, End, IPmatch=ipmatch, RequestURL=set_RequestURL, DeviceNames=set_DeviceName, DeviceIds=set_DeviceId, RemoteIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPmatch\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"DeviceNames\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"RequestURL\"}]}],\"tactics\":[\"Exfiltration\",\"CommandAndControl\"],\"displayName\":\"IP address of Windows host encoded in web request\",\"description\":\"This detection will identify network requests in HTTP proxy data that contains Base64 encoded IP addresses. After identifying candidates the query\\njoins with DeviceNetworkEvents to idnetify any machine within the network using that IP address. Alerts indicate that the IP address of a machine\\nwithin your network was seen with it\u0027s IP address base64 encoded in an outbounf web request. This method of egressing the IP was seen used in POLONIUM\u0027s\\nRunningRAT tool, however the detection is generic.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2022-05-31T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cbf6ad48-fa5c-4bf7-b205-28dbadb91255\",\"name\":\"cbf6ad48-fa5c-4bf7-b205-28dbadb91255\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let procList = externaldata(Process:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Microsoft_Lolbas_Execution_Binaries.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nEvent\\n| where EventLog == \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID==1\\n| parse EventData with * \u0027Image\\\"\u003e\u0027 Image \\\"\u003c\\\" * \u0027OriginalFileName\\\"\u003e\u0027 OriginalFileName \\\"\u003c\\\" *\\n| where OriginalFileName has_any (procList) and not (Image has_any (procList))\\n| parse EventData with * \u0027ProcessGuid\\\"\u003e\u0027 ProcessGuid \\\"\u003c\\\" * \u0027Description\\\"\u003e\u0027 Description \\\"\u003c\\\" * \u0027CommandLine\\\"\u003e\u0027 CommandLine \\\"\u003c\\\" * \u0027CurrentDirectory\\\"\u003e\u0027 CurrentDirectory \\\"\u003c\\\" * \u0027User\\\"\u003e\u0027 User \\\"\u003c\\\" * \u0027LogonGuid\\\"\u003e\u0027 LogonGuid \\\"\u003c\\\" * \u0027Hashes\\\"\u003e\u0027 Hashes \\\"\u003c\\\" * \u0027ParentProcessGuid\\\"\u003e\u0027 ParentProcessGuid \\\"\u003c\\\" * \u0027ParentImage\\\"\u003e\u0027 ParentImage \\\"\u003c\\\" * \u0027ParentCommandLine\\\"\u003e\u0027 ParentCommandLine \\\"\u003c\\\" * \u0027ParentUser\\\"\u003e\u0027 ParentUser \\\"\u003c\\\" *\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, User, ParentImage, ParentProcessGuid, ParentCommandLine, ParentUser, Image, ProcessGuid, CommandLine, Description, OriginalFileName, CurrentDirectory, Hashes\",\"entityMappings\":[{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLine\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"User\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"Windows Binaries Lolbins Renamed\",\"description\":\"This query detects the execution of renamed Windows binaries (Lolbins). This is a common technique used by adversaries to evade detection. \\nRef: https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-analytics-alert-reference/cortex-xdr-analytics-alert-reference/execution-of-renamed-lolbin.html\",\"lastUpdatedDateUTC\":\"2022-03-11T00:00:00Z\",\"createdDateUTC\":\"2022-03-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3a9d5ede-2b9d-43a2-acc4-d272321ff77c\",\"name\":\"3a9d5ede-2b9d-43a2-acc4-d272321ff77c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet timeframe = 1d;\\nlet scorethreshold = 3;\\nlet baselinethreshold = 50;\\nlet aadFunc = (tableName:string){\\n // Failed Signins attempts with reasoning related to conditional access policies.\\n table(tableName)\\n | where TimeGenerated between (startofday(ago(starttime))..startofday(now()))\\n | where ResultDescription has_any (\\\"conditional access\\\", \\\"CA\\\") or ResultType in (50005, 50131, 53000, 53001, 53002, 52003, 70044)\\n | extend UserPrincipalName = tolower(UserPrincipalName)\\n | extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nlet allSignins = union isfuzzy=true aadSignin, aadNonInt;\\nlet TimeSeriesAlerts = \\nallSignins\\n| make-series DailyCount=count() on TimeGenerated from startofday(ago(starttime)) to startofday(now()) step 1d by UserPrincipalName\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(DailyCount, scorethreshold, -1, \u0027linefit\u0027)\\n| mv-expand DailyCount to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to typeof(double), baseline to typeof(long)\\n// Filtering low count events per baselinethreshold\\n| where anomalies \u003e 0 and baseline \u003e baselinethreshold\\n| extend AnomalyHour = TimeGenerated\\n| project UserPrincipalName, AnomalyHour, TimeGenerated, DailyCount, baseline, anomalies, score;\\n// Filter the alerts for specified timeframe\\nTimeSeriesAlerts\\n| where TimeGenerated \u003e startofday(ago(timeframe))\\n| join kind=inner ( \\n allSignins\\n | where TimeGenerated \u003e startofday(ago(timeframe))\\n // create a new column and round to hour\\n | extend DateHour = bin(TimeGenerated, 1h)\\n | summarize PartialFailedSignins = count(), LatestAnomalyTime = arg_max(TimeGenerated, *) by bin(TimeGenerated, 1h), OperationName, Category, ResultType, ResultDescription, UserPrincipalName, UserDisplayName, AppDisplayName, ClientAppUsed, IPAddress, ResourceDisplayName\\n) on UserPrincipalName, $left.AnomalyHour == $right.DateHour\\n| project LatestAnomalyTime, OperationName, Category, UserPrincipalName, UserDisplayName, ResultType, ResultDescription, AppDisplayName, ClientAppUsed, UserAgent, IPAddress, Location, AuthenticationRequirement, ConditionalAccessStatus, ResourceDisplayName, PartialFailedSignins, TotalFailedSignins = DailyCount, baseline, anomalies, score\\n| extend timestamp = LatestAnomalyTime, IPCustomEntity = IPAddress, AccountCustomEntity = UserPrincipalName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"User Accounts - Sign in Failure due to CA Spikes\",\"description\":\" Identifies spike in failed sign-ins from user accounts due to conditional access policied.\\nSpike is determined based on Time series anomaly which will look at historical baseline values.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-10-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b6d03b88-4d27-49a2-9c1c-29f1ad2842dc\",\"name\":\"b6d03b88-4d27-49a2-9c1c-29f1ad2842dc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let oneDriveCalls = dynamic([\u0027graph.microsoft.com/v1.0/me/drive/root:/Documents/data.txt:/content\u0027,\u0027graph.microsoft.com/v1.0/me/drive/root:/Documents/response.json:/content\u0027]);\\nlet oneDriveCallsRegex = dynamic([@\u0027graph\\\\.microsoft\\\\.com\\\\/v1\\\\.0\\\\/me\\\\/drive\\\\/root\\\\:\\\\/Uploaded\\\\/.*\\\\:\\\\/content\u0027,@\u0027graph\\\\.microsoft\\\\.com\\\\/v1\\\\.0\\\\/me\\\\/drive\\\\/root\\\\:\\\\/Downloaded\\\\/.*\\\\:\\\\/content\u0027]);\\nCommonSecurityLog\\n| where RequestURL has_any (oneDriveCalls) or RequestURL matches regex tostring(oneDriveCallsRegex[0]) or RequestURL matches regex tostring(oneDriveCallsRegex[1])\\n| project TimeGenerated, DeviceVendor, DeviceProduct, DeviceAction, DestinationDnsDomain, DestinationIP, RequestURL, SourceIP, SourceHostName, RequestClientApplication\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"SourceHostName\"}]}],\"tactics\":[\"Exfiltration\",\"CommandAndControl\"],\"displayName\":\"CreepyDrive URLs\",\"description\":\"CreepyDrive uses OneDrive for command and control. This detection identifies URLs specific to CreepyDrive.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2022-05-31T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/011c84d8-85f0-4370-b864-24c13455aa94\",\"name\":\"011c84d8-85f0-4370-b864-24c13455aa94\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"SecurityAlert\\n| extend Extprop = parse_json(ExtendedProperties)\\n| extend Computer = iff(isnotempty(toupper(tostring(Extprop[\\\"Compromised Host\\\"]))), toupper(tostring(Extprop[\\\"Compromised Host\\\"])), tostring(parse_json(Entities)[0].HostName))\\n| extend Account = iff(isnotempty(tolower(tostring(Extprop[\\\"User Name\\\"]))), tolower(tostring(Extprop[\\\"User Name\\\"])), tolower(tostring(Extprop[\\\"user name\\\"])))\\n| extend IpAddress = tostring(parse_json(ExtendedProperties).[\\\"IpAddress\\\"]) \\n| project TimeGenerated, AlertName, Computer, Account, IpAddress, ExtendedProperties\\n| extend timestamp = TimeGenerated, Account, MachineName = Computer, IpAddress\\n| join kind=inner\\n(\\nCoreAzureBackup\\n| where State =~ \\\"Deleted\\\"\\n| where OperationName =~ \\\"BackupItem\\\"\\n| extend data = split(BackupItemUniqueId, \\\";\\\")\\n| extend AzureLocation = data[0], VaultId=data[1], MachineName=data[2], DrivesBackedUp=data[3]\\n| project timestamp = TimeGenerated, AzureLocation, VaultId, tostring(MachineName), DrivesBackedUp, State, BackupItemUniqueId, _ResourceId, OperationName, BackupItemFriendlyName\\n)\\non MachineName\\n| project timestamp, AlertName, HostCustomEntity = MachineName, AccountCustomEntity = Account, ResourceCustomEntity = _ResourceId, IPCustomEntity = IpAddress, VaultId, AzureLocation, DrivesBackedUp, State, BackupItemUniqueId, OperationName, BackupItemFriendlyName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"CoreBackUp Deletion in correlation with other related security alerts\",\"description\":\"This query will help detect attackers attempt to delete backup containers in correlation with other alerts that could have triggered to help possibly reveal more details of attacker activity. \\nThough such an activity could be legitimate as part of business operation, some ransomware actors may perform such operation to cause interruption to regular business services.\",\"lastUpdatedDateUTC\":\"2021-11-05T00:00:00Z\",\"createdDateUTC\":\"2021-11-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1218175f-c534-421c-8070-5dcaabf28067\",\"name\":\"1218175f-c534-421c-8070-5dcaabf28067\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let threshold = 3; \\nZoomLogs \\n| where Event =~ \\\"chat_message.sent\\\" \\n| extend Channel = tostring(parse_json(ChatEvents).Channel) \\n| extend Message = tostring(parse_json(ChatEvents).Message) \\n| where Message matches regex \\\"http(s?):\\\\\\\\/\\\\\\\\/\\\" \\n| summarize Channels = makeset(Channel), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Message, User, UserId\\n| extend ChannelCount = arraylength(Channels) \\n| where ChannelCount \u003e threshold\\n| extend timestamp = StartTime, AccountCustomEntity = User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\",\"Persistence\"],\"displayName\":\"Suspicious link sharing pattern\",\"description\":\"Alerts in links that have been shared across multiple Zoom chat channels by the same user in a short space if time. \\nAdjust the threshold figure to change the number of channels a message needs to be posted in before an alert is raised.\",\"lastUpdatedDateUTC\":\"2022-01-16T00:00:00Z\",\"createdDateUTC\":\"2020-04-24T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0d76e9cf-788d-4a69-ac7d-f234826b5bed\",\"name\":\"0d76e9cf-788d-4a69-ac7d-f234826b5bed\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"DnsEvents\\n| where Name contains \\\".\\\"\\n| where Name has_any (\\\"monerohash.com\\\", \\\"do-dear.com\\\", \\\"xmrminerpro.com\\\", \\\"secumine.net\\\", \\\"xmrpool.com\\\", \\\"minexmr.org\\\", \\\"hashanywhere.com\\\", \\n\\\"xmrget.com\\\", \\\"mininglottery.eu\\\", \\\"minergate.com\\\", \\\"moriaxmr.com\\\", \\\"multipooler.com\\\", \\\"moneropools.com\\\", \\\"xmrpool.eu\\\", \\\"coolmining.club\\\", \\n\\\"supportxmr.com\\\", \\\"minexmr.com\\\", \\\"hashvault.pro\\\", \\\"xmrpool.net\\\", \\\"crypto-pool.fr\\\", \\\"xmr.pt\\\", \\\"miner.rocks\\\", \\\"walpool.com\\\", \\\"herominers.com\\\", \\n\\\"gntl.co.uk\\\", \\\"semipool.com\\\", \\\"coinfoundry.org\\\", \\\"cryptoknight.cc\\\", \\\"fairhash.org\\\", \\\"baikalmine.com\\\", \\\"tubepool.xyz\\\", \\\"fairpool.xyz\\\", \\\"asiapool.io\\\", \\n\\\"coinpoolit.webhop.me\\\", \\\"nanopool.org\\\", \\\"moneropool.com\\\", \\\"miner.center\\\", \\\"prohash.net\\\", \\\"poolto.be\\\", \\\"cryptoescrow.eu\\\", \\\"monerominers.net\\\", \\\"cryptonotepool.org\\\", \\n\\\"extrmepool.org\\\", \\\"webcoin.me\\\", \\\"kippo.eu\\\", \\\"hashinvest.ws\\\", \\\"monero.farm\\\", \\\"supportxmr.com\\\", \\\"xmrpool.eu\\\", \\\"linux-repository-updates.com\\\", \\\"1gh.com\\\", \\n\\\"dwarfpool.com\\\", \\\"hash-to-coins.com\\\", \\\"hashvault.pro\\\", \\\"pool-proxy.com\\\", \\\"hashfor.cash\\\", \\\"fairpool.cloud\\\", \\\"litecoinpool.org\\\", \\\"mineshaft.ml\\\", \\\"abcxyz.stream\\\", \\n\\\"moneropool.ru\\\", \\\"cryptonotepool.org.uk\\\", \\\"extremepool.org\\\", \\\"extremehash.com\\\", \\\"hashinvest.net\\\", \\\"unipool.pro\\\", \\\"crypto-pools.org\\\", \\\"monero.net\\\", \\n\\\"backup-pool.com\\\", \\\"mooo.com\\\", \\\"freeyy.me\\\", \\\"cryptonight.net\\\", \\\"shscrypto.net\\\")\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"DNS events related to mining pools\",\"description\":\"Identifies IP addresses that may be performing DNS lookups associated with common currency mining pools.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/95a15f39-d9cc-4667-8cdd-58f3113691c9\",\"name\":\"95a15f39-d9cc-4667-8cdd-58f3113691c9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let lookback = 14d;\\nlet timeframe = 1d;\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e ago(lookback) and TimeGenerated \u003c ago(timeframe)\\n| where EventID == 4688\\n| where ParentProcessName has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| join kind=rightanti (\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where ParentProcessName has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| where EventID == 4688) on NewProcessName\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress\\n),\\n(WindowsEvent\\n| where TimeGenerated \u003e ago(lookback) and TimeGenerated \u003c ago(timeframe)\\n| where EventID == 4688 and EventData has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| where ParentProcessName has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| join kind=rightanti (\\nWindowsEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where EventID == 4688 and EventData has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| where ParentProcessName has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend IpAddress = tostring(EventData.IpAddress)) on NewProcessName\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress\\n))\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"HAFNIUM New UM Service Child Process\",\"description\":\"This query looks for new processes being spawned by the Exchange UM service where that process has not previously been observed before. \\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-03-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f845881e-2500-44dc-8ed7-b372af3e1e25\",\"name\":\"f845881e-2500-44dc-8ed7-b372af3e1e25\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let short_uaLength = 5;\\nlet long_uaLength = 1000;\\nlet c_threshold = 100;\\nW3CIISLog \\n// Exclude local IPs as these create noise\\n| where cIP !startswith \\\"192.168.\\\" and cIP != \\\"::1\\\"\\n| where isnotempty(csUserAgent) and csUserAgent !in~ (\\\"-\\\", \\\"MSRPC\\\") and (string_size(csUserAgent) \u003c= short_uaLength or string_size(csUserAgent) \u003e= long_uaLength)\\n| extend csUserAgent_size = string_size(csUserAgent)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ConnectionCount = count() by Computer, sSiteName, sPort, csUserAgent, csUserAgent_size, csUserName , csMethod, csUriStem, sIP, cIP, scStatus, scSubStatus, scWin32Status\\n| where ConnectionCount \u003c c_threshold\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = csUserName, HostCustomEntity = Computer, IPCustomEntity = cIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Anomalous User Agent connection attempt\",\"description\":\"Identifies connection attempts (success or fail) from clients with very short or very long User Agent strings and with less than 100 connection attempts.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a2e36ce0-da4d-4b6e-88c6-4e40161c5bfc\",\"name\":\"a2e36ce0-da4d-4b6e-88c6-4e40161c5bfc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.2\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @\u0027^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$\u0027;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n SecurityAlert \\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | extend MSTI = case(AlertName has \\\"TI map\\\" and VendorName == \\\"Microsoft\\\" and ProductName == \u0027Azure Sentinel\u0027, true, false)\\n | where MSTI == false\\n // Converting Entities into dynamic data type and use mv-expand to unpack the array\\n | extend EntitiesDynamicArray = parse_json(Entities) | mv-expand EntitiesDynamicArray\\n // Parsing relevant entity column to filter type account and creating new column by combining account and UPNSuffix\\n | extend Entitytype = tostring(parse_json(EntitiesDynamicArray).Type), EntityName = tostring(parse_json(EntitiesDynamicArray).Name),\\n EntityUPNSuffix = tostring(parse_json(EntitiesDynamicArray).UPNSuffix)\\n | where Entitytype =~ \\\"account\\\"\\n | extend EntityEmail = tolower(strcat(EntityName, \\\"@\\\", EntityUPNSuffix))\\n | where EntityEmail matches regex emailregex\\n | extend Alert_TimeGenerated = TimeGenerated\\n)\\non $left.EmailSenderAddress == $right.EntityEmail\\n| where Alert_TimeGenerated \u003c ExpirationDateTime\\n| summarize Alert_TimeGenerated = arg_max(Alert_TimeGenerated, *) by IndicatorId, AlertName\\n| project Alert_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, \\nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, EntityEmail, AlertName, AlertType,\\nAlertSeverity, Entities, ProviderName, VendorName\\n| extend timestamp = Alert_TimeGenerated, AccountCustomEntity = EntityEmail, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map Email entity to SecurityAlert\",\"description\":\"Identifies a match in SecurityAlert table from any Email IOC from TI which will extend coverage to datatypes such as MCAS, StorageThreatProtection and many others\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c9b6d281-b96b-4763-b728-9a04b9fe1246\",\"name\":\"c9b6d281-b96b-4763-b728-9a04b9fe1246\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let lbtime = 10m;\\nCisco_Umbrella\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027proxylogs\u0027\\n| where DvcAction =~ \u0027Allowed\u0027\\n| where UrlCategory has_any (\u0027Dynamic and Residential\u0027, \u0027Personal VPN\u0027)\\n| project TimeGenerated, SrcIpAddr, Identities\\n| extend IPCustomEntity = SrcIpAddr\\n| extend AccountCustomEntity = Identities\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"Exfiltration\"],\"displayName\":\"Cisco Umbrella - Connection to non-corporate private network\",\"description\":\"IP addresses of broadband links that usually indicates users attempting to access their home network, for example for a remote session to a home computer.\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/631d02df-ab51-46c1-8d72-32d0cfec0720\",\"name\":\"631d02df-ab51-46c1-8d72-32d0cfec0720\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Medium\",\"query\":\"let excludeProcs = dynamic([@\\\"\\\\SolarWinds\\\\Orion\\\\APM\\\\APMServiceControl.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\ExportToPDFCmd.Exe\\\", @\\\"\\\\SolarWinds.Credentials\\\\SolarWinds.Credentials.Orion.WebApi.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\Topology\\\\SolarWinds.Orion.Topology.Calculator.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\Database-Maint.exe\\\", @\\\"\\\\SolarWinds.Orion.ApiPoller.Service\\\\SolarWinds.Orion.ApiPoller.Service.exe\\\", @\\\"\\\\Windows\\\\SysWOW64\\\\WerFault.exe\\\"]);\\nimProcessCreate\\n| where Process hassuffix \u0027solarwinds.businesslayerhost.exe\u0027\\n| where not(Process has_any (excludeProcs))\\n| extend\\n timestamp = TimeGenerated,\\n AccountCustomEntity = ActorUsername,\\n HostCustomEntity = User,\\n AlgorithmCustomEntity = \\\"MD5\\\",\\n FileHashCustomEntity = TargetProcessMD5 // Change to *hash* once implemented\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Execution\",\"Persistence\"],\"displayName\":\"SUNBURST suspicious SolarWinds child processes (Normalized Process Events)\",\"description\":\"Identifies suspicious child processes of SolarWinds.Orion.Core.BusinessLayer.dll that may be evidence of the SUNBURST backdoor\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimProcessEvent)\",\"lastUpdatedDateUTC\":\"2022-02-14T00:00:00Z\",\"createdDateUTC\":\"2020-12-15T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0bd65651-1404-438b-8f63-eecddcec87b4\",\"name\":\"0bd65651-1404-438b-8f63-eecddcec87b4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\n// Adjust for a longer timeframe for identifying ADFS Servers\\nlet lookback = 6d;\\n// Identify ADFS Servers\\nlet ADFS_Servers = ( union isfuzzy=true\\n( Event\\n| where TimeGenerated \u003e ago(timeframe+lookback)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key=tostring([\u0027@Name\u0027]), Value=[\u0027#text\u0027]\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| extend process = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n| where process =~ \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n),\\n( SecurityEvent\\n| where TimeGenerated \u003e ago(timeframe+lookback)\\n| where EventID == 4688 and SubjectLogonId != \\\"0x3e4\\\"\\n| where ProcessName has \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n),\\n(WindowsEvent\\n| where TimeGenerated \u003e ago(timeframe+lookback)\\n| where EventID == 4688 and EventData has \\\"0x3e4\\\" and EventData has \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| extend SubjectLogonId = tostring(EventData.SubjectLogonId)\\n| where SubjectLogonId != \\\"0x3e4\\\"\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| where ProcessName has \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n)\\n| distinct Computer);\\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where EventID == 4688\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Computer in~ (ADFS_Servers)\\n| where ParentProcessName has \u0027wmiprvse.exe\u0027\\n// Looking for rundll32.exe is based on intel from the blog linked in the description\\n// This can be commented out or altered to filter out known internal uses\\n| where CommandLine has_any (\u0027rundll32\u0027) \\n| project TimeGenerated, TargetAccount, CommandLine, Computer, Account, TargetLogonId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account\\n// Search for recent logons to identify lateral movement\\n| join kind= inner\\n(SecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where EventID == 4624 and LogonType == 3\\n| where Account !endswith \\\"$\\\"\\n| project TargetLogonId\\n) on TargetLogonId\\n),\\n(\\nWindowsEvent\\n| where EventID == 4688\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Computer in~ (ADFS_Servers)\\n| where EventData has \u0027wmiprvse.exe\u0027 and EventData has_any (\u0027rundll32\u0027) \\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| where ParentProcessName has \u0027wmiprvse.exe\u0027\\n// Looking for rundll32.exe is based on intel from the blog linked in the description\\n// This can be commented out or altered to filter out known internal uses\\n| extend CommandLine = tostring(EventData.CommandLine)\\n| where CommandLine has_any (\u0027rundll32\u0027) \\n| extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| extend Account = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| extend TargetLogonId = tostring(EventData.TargetLogonId)\\n| project TimeGenerated, TargetAccount, CommandLine, Computer, Account, TargetLogonId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account\\n// Search for recent logons to identify lateral movement\\n| join kind= inner\\n(WindowsEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where EventID == 4624 \\n| extend LogonType = tostring(EventData.LogonType)\\n| where LogonType == 3\\n| extend Account = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| where Account !endswith \\\"$\\\"\\n| extend TargetLogonId = tostring(EventData.TargetLogonId)\\n| project TargetLogonId\\n) on TargetLogonId\\n),\\n(\\nEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n// Check for WMI Events\\n| where Computer in~ (ADFS_Servers) and EventID in (19, 20, 21)\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key=tostring([\u0027@Name\u0027]), Value=[\u0027#text\u0027]\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| project TimeGenerated, EventType, Image, Computer, UserName\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = UserName\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"LateralMovement\"],\"displayName\":\"Gain Code Execution on ADFS Server via Remote WMI Execution\",\"description\":\"This query detects instances where an attacker has gained the ability to execute code on an ADFS Server through remote WMI Execution.\\nIn order to use this query you need to be collecting Sysmon EventIDs 19, 20, and 21.\\nIf you do not have Sysmon data in your workspace this query will raise an error stating:\\n Failed to resolve scalar expression named \\\"[@Name]\\\"\\nFor more on how WMI was used in Solorigate see https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/.\\nThe query contains some features from the following detections to look for potentially malicious ADFS activity. See them for more details.\\n- ADFS Key Export (Sysmon): https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/ADFSKeyExportSysmon.yaml\\n- ADFS DKM Master Key Export: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ADFS-DKM-MasterKey-Export.yaml\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-02-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3d71fc38-f249-454e-8479-0a358382ef9a\",\"name\":\"3d71fc38-f249-454e-8479-0a358382ef9a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"SecurityNestedRecommendation\\n| where RemediationDescription has \u0027CVE-2021-44228\u0027\\n| parse ResourceDetails with * \u0027virtualMachines/\u0027 VirtualMAchine \u0027\\\"\u0027 *\\n| summarize arg_min(TimeGenerated, *) by TenantId, RecommendationSubscriptionId, VirtualMAchine, RecommendationName,Description,RemediationDescription, tostring(AdditionalData),VulnerabilityId\\n| extend Timestamp = TimeGenerated, HostCustomEntity = VirtualMAchine\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"Execution\"],\"displayName\":\"Vulnerable Machines related to log4j CVE-2021-44228\",\"description\":\"This query uses the Azure Defender Security Nested Recommendations data to find machines vulnerable to log4j CVE-2021-44228. Log4j is an open-source Apache logging library that is used in \\n many Java-based applications. Security Nested Recommendations data is sent to Microsoft Sentinel using the continuous export feature of Azure Defender(refrence link below).\\n Reference: https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/\\n Reference: https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal\\n Reference: https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/how-defender-for-cloud-displays-machines-affected-by-log4j/ba-p/3037271\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-09-17T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a2e0eb51-1f11-461a-999b-cd0ebe5c7a72\",\"name\":\"a2e0eb51-1f11-461a-999b-cd0ebe5c7a72\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Azure Security Center for IoT\",\"displayName\":\"Create incidents based on Microsoft Defender for IOT alerts\",\"description\":\"Create incidents based on all alerts generated in Microsoft Defender for IOT\",\"lastUpdatedDateUTC\":\"2019-12-24T00:00:00Z\",\"createdDateUTC\":\"2019-12-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"IoT\",\"dataTypes\":[\"SecurityAlert (ASC for IoT)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d2e8fd50-8d66-11ec-b909-0242ac120002\",\"name\":\"d2e8fd50-8d66-11ec-b909-0242ac120002\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n | where EventID in (4624,4625) and LogonType in (10) and IpAddress in (\\\"::1\\\",\\\"127.0.0.1\\\")\\n | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, TargetUserName, TargetLogonId, LogonType, IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUserName\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Potential Remote Desktop Tunneling\",\"description\":\"This query detects remote desktop authentication attempts with a localhost source address which can indicate a tunneled login.\\nRef: https://www.mandiant.com/resources/bypassing-network-restrictions-through-rdp-tunneling\",\"lastUpdatedDateUTC\":\"2022-02-15T00:00:00Z\",\"createdDateUTC\":\"2022-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c37711a4-5f44-4472-8afc-0679bc0ef966\",\"name\":\"c37711a4-5f44-4472-8afc-0679bc0ef966\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.1.1\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/FoggyWebIOC.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet sha256Hashes = (iocs | where Type == \\\"sha256\\\" | project IoC);\\nlet FilePaths = (iocs | where Type =~ \\\"FilePath\\\" | project IoC);\\nlet POST_URI = (iocs | where Type =~ \\\"URI1\\\" | project IoC);\\nlet GET_URI = (iocs | where Type =~ \\\"URI2\\\" | project IoC);\\n//Include in the list below, the ADFS servers you know about in your environment. In the next part of the query, we will try to identify them for you if you have the telemetry.\\nlet ADFS_Servers1 = datatable(Computer:string)\\n[ \\\"\u003cADFS01\u003e.\u003cDOMAIN\u003e.\u003cCOM\u003e\\\",\\n\\\"\u003cADFS02\u003e.\u003cDOMAIN\u003e.\u003cCOM\u003e\\\"\\n];\\n// Automatically identify potential ADFS services in your environment by searching process event telemetry for \\\"Microsoft.IdentityServer.ServiceHost.exe\\\".\\nlet ADFS_Servers2 = \\n(union isfuzzy=true\\n(SecurityEvent\\n| where EventID == 4688 and SubjectLogonId != \\\"0x3e4\\\"\\n| where ProcessName has \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n),\\n( WindowsEvent\\n| where EventID == 4688 and EventData has \\\"Microsoft.IdentityServer.ServiceHost.exe\\\" and EventData has \\\"0x3e4\\\"\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| where ProcessName == \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| extend SubjectLogonId = tostring(EventData.SubjectLogonId)\\n| where SubjectLogonId != \\\"0x3e4\\\"\\n| distinct Computer\\n),\\n(DeviceProcessEvents\\n| where InitiatingProcessFileName == \u0027Microsoft.IdentityServer.ServiceHost.exe\u0027\\n| extend Computer = DeviceName\\n| distinct Computer\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key=tostring([\u0027@Name\u0027]), Value=[\u0027#text\u0027]\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| extend process = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n| where process =~ \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n)\\n);\\nlet ADFS_Servers =\\nADFS_Servers1\\n| union (ADFS_Servers2 | distinct Computer);\\n(union isfuzzy=true\\n(DeviceNetworkEvents\\n| where DeviceName in (ADFS_Servers)\\n| where isnotempty(InitiatingProcessSHA256) or isnotempty(InitiatingProcessFolderPath)\\n| where InitiatingProcessSHA256 has_any (sha256Hashes) or InitiatingProcessFolderPath has_any (FilePaths)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort, LocalIP, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\" and EventID == \u00277\u0027\\n| where Computer in (ADFS_Servers)\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend ImageLoaded = EventDetail.[5].[\\\"#text\\\"], Hashes = EventDetail.[11].[\\\"#text\\\"]\\n| parse Hashes with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| where ImageLoaded has_any (FilePaths) or SHA256 has_any (sha256Hashes) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256, ImageLoaded, EventID\\n| extend Type = strcat(Type,\\\":\\\",EventID, \\\": \\\", Source), Account = UserName, FileHash = SHA256, Image = EventDetail.[4].[\\\"#text\\\"] \\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, SourceUserID, FileHash, Type\\n| extend timestamp = TimeGenerated, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(DeviceEvents\\n| where DeviceName in (ADFS_Servers)\\n| extend FilePath = strcat(FolderPath, \u0027\\\\\\\\\u0027, FileName)\\n| where InitiatingProcessSHA256 has_any (sha256Hashes) or FilePath has_any (FilePaths)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(DeviceFileEvents\\n| where DeviceName in (ADFS_Servers)\\n| where FolderPath has_any (FilePaths) or SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(DeviceImageLoadEvents\\n| where DeviceName in (ADFS_Servers)\\n| where FolderPath has_any (FilePaths) or SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where Computer in (ADFS_Servers)\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| parse EventDetail with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| where EventDetail has_any (sha256Hashes) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256\\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = SHA256, Image = EventDetail.[4].[\\\"#text\\\"] \\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(W3CIISLog \\n| where ( csMethod == \u0027GET\u0027 and csUriStem has_any (GET_URI)) or (csMethod == \u0027POST\u0027 and csUriStem has_any (POST_URI))\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), cIP_MethodCount = count() \\nby cIP, cIP_MethodCountType = \\\"Count of repeated entries, this is to reduce rowsets returned\\\", csMethod, \\ncsHost, scStatus, sIP, csUriStem, csUriQuery, csUserName, csUserAgent, csCookie, csReferer\\n| extend timestamp = StartTime, IPCustomEntity = cIP, HostCustomEntity = csHost, AccountCustomEntity = csUserName\\n),\\n(imFileEvent\\n| where DvcHostname in (ADFS_Servers)\\n| where TargetFileSHA256 has_any (sha256Hashes) or FilePath has_any (FilePaths)\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]}],\"tactics\":[\"Collection\"],\"displayName\":\"NOBELIUM IOCs related to FoggyWeb backdoor\",\"description\":\"Identifies a match across various data feeds for IOCs related to FoggyWeb backdoor by the threat actor NOBELIUM.\\n FoggyWeb is a passive and highly targeted backdoor capable of remotely exfiltrating sensitive information from a compromised AD FS server.\\n It can also receive additional malicious components from a command-and-control (C2) server and execute them on the compromised server.\\n Reference: https://aka.ms/nobelium-foggy-web\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-09-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceFileEvents\",\"DeviceEvents\",\"DeviceImageLoadEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/61988db3-0565-49b5-b8e3-747195baac6e\",\"name\":\"61988db3-0565-49b5-b8e3-747195baac6e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.2\",\"severity\":\"Medium\",\"query\":\"let procList = dynamic([\\\"cmd.exe\\\",\\\"ftp.exe\\\",\\\"schtasks.exe\\\",\\\"powershell.exe\\\",\\\"rundll32.exe\\\",\\\"regsvr32.exe\\\",\\\"msiexec.exe\\\"]); \\nimProcessCreate\\n| where CommandLine has \\\"recycler\\\"\\n| where Process has_any (procList)\\n| extend FileName = tostring(split(Process, \u0027\\\\\\\\\u0027)[-1])\\n| where FileName in~ (procList)\\n| project StartTimeUtc = TimeGenerated, Dvc, User, Process, FileName, CommandLine, ActingProcessName, EventVendor, EventProduct\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User, HostCustomEntity = Dvc\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Malware in the recycle bin (Normalized Process Events)\",\"description\":\"Identifies malware that has been hidden in the recycle bin.\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimProcessEvent)\",\"lastUpdatedDateUTC\":\"2022-02-23T00:00:00Z\",\"createdDateUTC\":\"2021-06-13T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ec491363-5fe7-4eff-b68e-f42dcb76fcf6\",\"name\":\"ec491363-5fe7-4eff-b68e-f42dcb76fcf6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AzureActivity\\n| where CategoryValue == \u0027Administrative\u0027\\n| where ResourceProviderValue =~ \u0027Microsoft.ADHybridHealthService\u0027\\n| where _ResourceId contains \u0027AdFederationService\u0027\\n| where OperationNameValue =~ \u0027Microsoft.ADHybridHealthService/services/servicemembers/action\u0027\\n| extend claimsJson = parse_json(Claims)\\n| extend AppId = tostring(claimsJson.appid)\\n| extend AccountName = tostring(claimsJson.name)\\n| project-away claimsJson\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Caller\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"CallerIpAddress\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"NRT Azure Active Directory Hybrid Health AD FS New Server\",\"description\":\"This detection uses AzureActivity logs (Administrative category) to identify the creation or update of a server instance in an Azure AD Hybrid health AD FS service.\\nA threat actor can create a new AD Health ADFS service and create a fake server instance to spoof AD FS signing logs. There is no need to compromise an on-prem AD FS server.\\nThis can be done programmatically via HTTP requests to Azure. More information in this blog: https://o365blog.com/post/hybridhealthagent/\",\"lastUpdatedDateUTC\":\"2022-02-07T00:00:00Z\",\"createdDateUTC\":\"2021-08-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/32ffb19e-8ed8-40ed-87a0-1adb4746b7c4\",\"name\":\"32ffb19e-8ed8-40ed-87a0-1adb4746b7c4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"// Enter a reference list of malicious file artifacts\\nlet MaliciousFileArtifacts = dynamic ([\\\"lsass.dmp\\\",\\\"test.pwd\\\",\\\"lsremora.dll\\\",\\\"lsremora64.dll\\\",\\\"fgexec.exe\\\",\\\"pwdump\\\",\\\"kirbi\\\",\\\"wce_ccache\\\",\\\"wce_krbtkts\\\",\\\"wceaux.dll\\\",\\\"PwHashes\\\",\\\"SAM.out\\\",\\\"SECURITY.out\\\",\\\"SYSTEM.out\\\",\\\"NTDS.out\\\" \\\"DumpExt.dll\\\",\\\"DumpSvc.exe\\\",\\\"cachedump64.exe\\\",\\\"cachedump.exe\\\",\\\"pstgdump.exe\\\",\\\"servpw64.exe\\\",\\\"servpw.exe\\\",\\\"pwdump.exe\\\",\\\"fgdump-log\\\"]);\\nEvent\\n| where EventLog == \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID==11\\n| parse EventData with * \u0027TargetFilename\\\"\u003e\u0027 TargetFilename \\\"\u003c\\\" *\\n| where TargetFilename has_any (MaliciousFileArtifacts)\\n| parse EventData with * \u0027ProcessGuid\\\"\u003e\u0027 ProcessGuid \\\"\u003c\\\" * \u0027Image\\\"\u003e\u0027 Image \\\"\u003c\\\" *\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, Image, ProcessGuid, TargetFilename\",\"entityMappings\":[{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"TargetFilename\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"Image\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Credential Dumping Tools - File Artifacts\",\"description\":\"This query detects the creation of credential dumping tools files. Several credential dumping tools export files with hardcoded file names.\\nRef: https://jpcertcc.github.io/ToolAnalysisResultSheet/\",\"lastUpdatedDateUTC\":\"2022-04-22T00:00:00Z\",\"createdDateUTC\":\"2022-02-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"Event\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/983a6922-894d-413c-9f04-d7add0ecc307\",\"name\":\"983a6922-894d-413c-9f04-d7add0ecc307\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P10D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.1\",\"severity\":\"Medium\",\"query\":\"let referencestarttime = 10d;\\nlet referenceendtime = 1d;\\nlet threshold = 100;\\nlet nxDomainDnsEvents = (stime:datetime, etime:datetime) \\n {_Im_Dns(responsecodename=\u0027NXDOMAIN\u0027, starttime=stime, endtime=etime)\\n | where DnsQueryTypeName in (\\\"A\\\", \\\"AAAA\\\")\\n | where ipv4_is_match(\\\"127.0.0.1\\\", SrcIpAddr) == False\\n | where DnsQuery !contains \\\"/\\\" and DnsQuery contains \\\".\\\"};\\nnxDomainDnsEvents (stime=ago(referenceendtime) ,etime=now())\\n | extend sld = tostring(split(DnsQuery, \\\".\\\")[-2])\\n | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), dcount(sld) by SrcIpAddr\\n | where dcount_sld \u003e threshold\\n // Filter out previously seen IPs\\n | join kind=leftanti (nxDomainDnsEvents (stime=ago(referencestarttime), etime=ago(referenceendtime))\\n | extend sld = tostring(split(DnsQuery, \\\".\\\")[-2])\\n | summarize dcount(sld) by SrcIpAddr\\n | where dcount_sld \u003e threshold ) on SrcIpAddr\\n// Pull out sample NXDomain responses for those remaining potentially infected IPs\\n| join kind = inner (nxDomainDnsEvents (stime=ago(referencestarttime), etime=now()) | summarize by DnsQuery, SrcIpAddr) on SrcIpAddr\\n| summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), sampleNXDomainList=make_list(DnsQuery, 100) by SrcIpAddr, dcount_sld\\n| extend timestamp = StartTimeUtc, IPCustomEntity = SrcIpAddr\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Potential DGA detected (ASIM DNS Schema)\",\"description\":\"Identifies clients with a high NXDomain count which could be indicative of a DGA (cycling through possible C2 domains\\nwhere most C2s are not live). Alert is generated when a new IP address is seen (based on not being seen associated with \\nNXDomain records in prior 10-day baseline period).\\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema\",\"lastUpdatedDateUTC\":\"2022-04-10T00:00:00Z\",\"createdDateUTC\":\"2021-09-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/18dbdc22-b69f-4109-9e39-723d9465f45f\",\"name\":\"18dbdc22-b69f-4109-9e39-723d9465f45f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ActiniumIOC.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet AVHits = (iocs | where Type =~ \\\"AVDetection\\\"| project IoC);\\nSecurityAlert\\n| where ProviderName == \u0027MDATP\u0027\\n| extend ThreatName_ = tostring(parse_json(ExtendedProperties).ThreatName)\\n| where ThreatName_ has_any (AVHits)\\n| extend Directory = tostring(parse_json(Entities)[0].Directory), SHA256 = tostring(parse_json(tostring(parse_json(Entities)[0].FileHashes))[2].Value), FileName = tostring(parse_json(Entities)[0].Name), Hostname = tostring(parse_json(Entities)[6].FQDN)| extend AccountName = tostring(parse_json(tostring(parse_json(Entities)[6].LoggedOnUsers))[0].AccountName)\\n| project TimeGenerated, AlertName, ThreatName_, ProviderName, AlertSeverity, Description, RemediationSteps, ExtendedProperties, Entities, FileName,SHA256, Directory, Hostname, AccountName\\n| extend timestamp = TimeGenerated, HostCustomEntity = Hostname , AccountCustomEntity = AccountName, FileHashCustomEntity = SHA256\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashType\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"ACTINIUM AV hits - Feb 2022\",\"description\":\"Identifies a match in the Security Alert table for MDATP hits related to the ACTINIUM actor\",\"lastUpdatedDateUTC\":\"2022-02-04T00:00:00Z\",\"createdDateUTC\":\"2022-02-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftDefenderAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert (MDATP)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f6a51e2c-2d6a-4f92-a090-cfb002ca611f\",\"name\":\"f6a51e2c-2d6a-4f92-a090-cfb002ca611f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let lbtime = 10m;\\nlet disallowed_ext = dynamic([\u0027ps1\u0027, \u0027exe\u0027, \u0027vbs\u0027, \u0027js\u0027, \u0027scr\u0027]);\\nProofpointPOD\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027inbound\u0027\\n| where FilterDisposition !in (\u0027reject\u0027, \u0027discard\u0027)\\n| extend attachedExt = todynamic(MsgParts)[0][\u0027detectedExt\u0027]\\n| where attachedExt in (disallowed_ext)\\n| project SrcUserUpn, DstUserUpn\\n| extend AccountCustomEntity = DstUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"ProofpointPOD - Suspicious attachment\",\"description\":\"Detects when email contains suspicious attachment (file type).\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/707494a5-8e44-486b-90f8-155d1797a8eb\",\"name\":\"707494a5-8e44-486b-90f8-155d1797a8eb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P2D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let auditLookbackStart = 2d;\\nlet auditLookbackEnd = 1d;\\nAuditLogs\\n| where TimeGenerated \u003e= ago(auditLookbackStart)\\n| where OperationName =~ \\\"Consent to application\\\" \\n| where Result =~ \\\"success\\\"\\n| mv-expand target = TargetResources\\n| extend targetResourceName = tostring(target.displayName)\\n| extend targetResourceID = tostring(target.id)\\n| extend targetResourceType = tostring(target.type)\\n| extend targetModifiedProp = TargetResources[0].modifiedProperties\\n| extend isAdminConsent = targetModifiedProp[0].newValue\\n| extend Consent_ServicePrincipalNames = targetModifiedProp[5].newValue\\n| extend Consent_Permissions = targetModifiedProp[4].newValue\\n| extend Consent_InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend Consent_InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n| join ( \\nAuditLogs\\n| where TimeGenerated \u003e= ago(auditLookbackEnd)\\n| where OperationName =~ \\\"Add service principal credentials\\\"\\n| where Result =~ \\\"success\\\"\\n| mv-expand target = TargetResources\\n| extend targetResourceName = tostring(target.displayName)\\n| extend targetResourceID = tostring(target.id)\\n| extend targetModifiedProp = TargetResources[0].modifiedProperties\\n| extend Credential_KeyDescription = targetModifiedProp[0].newValue\\n| extend UpdatedProperties = targetModifiedProp[1].newValue\\n| extend Credential_ServicePrincipalNames = targetModifiedProp[2].newValue\\n| extend Credential_InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend Credential_InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n) on targetResourceName, targetResourceID\\n| extend TimeConsent = TimeGenerated, TimeCred = TimeGenerated1\\n| where TimeConsent \u003e TimeCred \\n| project TimeConsent, TimeCred, Consent_InitiatingUserOrApp, Credential_InitiatingUserOrApp, targetResourceName, targetResourceType, isAdminConsent, Consent_ServicePrincipalNames, Credential_ServicePrincipalNames, Consent_Permissions, Credential_KeyDescription, Consent_InitiatingIpAddress, Credential_InitiatingIpAddress\\n| extend timestamp = TimeConsent, AccountCustomEntity = Consent_InitiatingUserOrApp, IPCustomEntity = Consent_InitiatingIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Credential added after admin consented to Application\",\"description\":\"This query will identify instances where Service Principal credentials were added to an application by one user after the application was granted admin consent rights by another user.\\n If a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\\n Additional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow.\\n For further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities\",\"lastUpdatedDateUTC\":\"2022-01-16T00:00:00Z\",\"createdDateUTC\":\"2021-02-12T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/11bda520-a965-4654-9a45-d09f372f71aa\",\"name\":\"11bda520-a965-4654-9a45-d09f372f71aa\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P2D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"High\",\"query\":\"AzureActivity\\n// Isolate run command actions\\n| where OperationNameValue == \\\"MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION\\\"\\n// Confirm that the operation impacted a virtual machine\\n| where Authorization has \\\"virtualMachines\\\"\\n// Each runcommand operation consists of three events when successful, Started, Accepted (or Rejected), Successful (or Failed).\\n| summarize StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), max(CallerIpAddress), make_list(ActivityStatusValue) by CorrelationId, Authorization, Caller\\n// Limit to Run Command executions that Succeeded\\n| where list_ActivityStatusValue has \\\"Success\\\"\\n// Extract data from the Authorization field\\n| extend Authorization_d = parse_json(Authorization)\\n| extend Scope = Authorization_d.scope\\n| extend Scope_s = split(Scope, \\\"/\\\")\\n| extend Subscription = tostring(Scope_s[2])\\n| extend VirtualMachineName = tostring(Scope_s[-1])\\n| project StartTime, EndTime, Subscription, VirtualMachineName, CorrelationId, Caller, CallerIpAddress=max_CallerIpAddress\\n// Create a join key using the Caller (UPN)\\n| extend joinkey = tolower(Caller)\\n// Join the Run Command actions to UEBA data\\n| join kind = inner (\\n BehaviorAnalytics\\n // We are specifically interested in unusual logins\\n | where EventSource == \\\"Azure AD\\\" and ActivityInsights.ActionUncommonlyPerformedByUser == \\\"True\\\"\\n | project UEBAEventTime=TimeGenerated, UEBAActionType=ActionType, UserPrincipalName, UEBASourceIPLocation=SourceIPLocation, UEBAActivityInsights=ActivityInsights, UEBAUsersInsights=UsersInsights\\n | where isnotempty(UserPrincipalName) and isnotempty(UEBASourceIPLocation)\\n | extend joinkey = tolower(UserPrincipalName)\\n) on joinkey\\n// Create a window around the UEBA event times, check to see if the Run Command action was performed within them\\n| extend UEBAWindowStart = UEBAEventTime - 1h, UEBAWindowEnd = UEBAEventTime + 6h\\n| where StartTime between (UEBAWindowStart .. UEBAWindowEnd)\\n| project StartTime, EndTime, Subscription, VirtualMachineName, Caller, CallerIpAddress, UEBAEventTime, UEBAActionType, UEBASourceIPLocation, UEBAActivityInsights, UEBAUsersInsights\\n| extend timestamp = StartTime, AccountCustomEntity=Caller, IPCustomEntity=CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"LateralMovement\",\"CredentialAccess\"],\"displayName\":\"Azure VM Run Command operation executed during suspicious login window\",\"description\":\"Identifies when the Azure Run Command operation is executed by a UserPrincipalName and IP Address \\nthat has resulted in a recent user entity behaviour alert.\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2021-10-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3fe3c520-04f1-44b8-8398-782ed21435f8\",\"name\":\"3fe3c520-04f1-44b8-8398-782ed21435f8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.1\",\"severity\":\"Low\",\"query\":\"let torProxies=dynamic([\\\"tor2web.org\\\", \\\"tor2web.com\\\", \\\"torlink.co\\\", \\\"onion.to\\\", \\\"onion.ink\\\", \\\"onion.cab\\\", \\\"onion.nu\\\", \\\"onion.link\\\", \\n\\\"onion.it\\\", \\\"onion.city\\\", \\\"onion.direct\\\", \\\"onion.top\\\", \\\"onion.casa\\\", \\\"onion.plus\\\", \\\"onion.rip\\\", \\\"onion.dog\\\", \\\"tor2web.fi\\\", \\n\\\"tor2web.blutmagie.de\\\", \\\"onion.sh\\\", \\\"onion.lu\\\", \\\"onion.pet\\\", \\\"t2w.pw\\\", \\\"tor2web.ae.org\\\", \\\"tor2web.io\\\", \\\"tor2web.xyz\\\", \\\"onion.lt\\\", \\n\\\"s1.tor-gateways.de\\\", \\\"s2.tor-gateways.de\\\", \\\"s3.tor-gateways.de\\\", \\\"s4.tor-gateways.de\\\", \\\"s5.tor-gateways.de\\\", \\\"hiddenservice.net\\\"]);\\n_Im_Dns(domain_has_any=torProxies)\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"DNS events related to ToR proxies (ASIM DNS Schema)\",\"description\":\"Identifies IP addresses performing DNS lookups associated with common ToR proxies.\\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema\",\"lastUpdatedDateUTC\":\"2022-04-10T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d9938c3b-16f9-444d-bc22-ea9a9110e0fd\",\"name\":\"d9938c3b-16f9-444d-bc22-ea9a9110e0fd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"// Azure AD Connect Health Agent - cf6d7e68-f018-4e0a-a7b3-126e053fb88d\\n// Azure Active Directory Connect - cb1056e2-e479-49de-ae31-7812af012ed8\\nlet appList = dynamic([\u0027cf6d7e68-f018-4e0a-a7b3-126e053fb88d\u0027,\u0027cb1056e2-e479-49de-ae31-7812af012ed8\u0027]);\\nlet operationNamesList = dynamic([\u0027Microsoft.ADHybridHealthService/services/servicemembers/action\u0027,\u0027Microsoft.ADHybridHealthService/services/delete\u0027]);\\nAzureActivity\\n| where CategoryValue == \u0027Administrative\u0027\\n| where ResourceProviderValue =~ \u0027Microsoft.ADHybridHealthService\u0027\\n| where _ResourceId contains \u0027AdFederationService\u0027\\n| where OperationNameValue in~ (operationNamesList)\\n| extend claimsJson = parse_json(Claims)\\n| extend AppId = tostring(claimsJson.appid)\\n| extend AccountName = tostring(claimsJson.name)\\n| where AppId !in (appList)\\n| project-away claimsJson\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\",\"DefenseEvasion\"],\"displayName\":\"Azure Active Directory Hybrid Health AD FS Suspicious Application\",\"description\":\"This detection uses AzureActivity logs (Administrative category) to a suspicious application adding a server instance to an Azure AD Hybrid health AD FS service or deleting the AD FS service instance.\\nUsually the Azure AD Connect Health Agent application with ID cf6d7e68-f018-4e0a-a7b3-126e053fb88d is used to perform those operations.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-08-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9d0295ee-cb75-4f2c-9952-e5acfbb67036\",\"name\":\"9d0295ee-cb75-4f2c-9952-e5acfbb67036\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":1,\"version\":\"1.0.0\",\"severity\":\"Informational\",\"query\":\"let timeframe = ago(1d);\\nAppServiceAntivirusScanAuditLogs\\n| where NumberOfInfectedFiles \u003e 0\\n| extend HostCustomEntity = _ResourceId, timestamp = TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"displayName\":\"AppServices AV Scan with Infected Files\",\"description\":\"Identifies if an AV scan finds infected files in Azure App Services.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-11T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b2199398-8942-4b8c-91a9-b0a707c5d147\",\"name\":\"b2199398-8942-4b8c-91a9-b0a707c5d147\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT12H\",\"queryPeriod\":\"PT12H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/HiveRansomwareJuly2022.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, SourceUserID, FileHash, Type\\n| extend timestamp = TimeGenerated, FileHashCustomEntity = \u0027SHA256\u0027, Account = SourceUserID\\n),\\n(imFileEvent\\n| where TargetFileSHA256 has_any (sha256Hashes)\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Image = EventDetail.[4].[\\\"#text\\\"], CommandLine = EventDetail.[10].[\\\"#text\\\"], Hashes = tostring(EventDetail.[17].[\\\"#text\\\"])\\n| extend Hashes = extract_all(@\\\"(?P\u003ckey\u003e\\\\w+)=(?P\u003cvalue\u003e[a-zA-Z0-9]+)\\\", dynamic([\\\"key\\\",\\\"value\\\"]), Hashes)\\n| extend Hashes = column_ifexists(\\\"Hashes\\\", \\\"\\\"), CommandLine = column_ifexists(\\\"CommandLine\\\", \\\"\\\")\\n| where (Hashes has_any (sha256Hashes) ) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, Hashes, CommandLine, Image\\n| extend Type = strcat(Type, \\\": \\\", Source)\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), FileHashCustomEntity = Hashes\\n),\\n(DeviceEvents\\n| where InitiatingProcessSHA256 has_any (sha256Hashes) or SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n),\\n(DeviceFileEvents\\n| where SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n),\\n(DeviceImageLoadEvents\\n| where SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Hive Ransomware IOC - July 2022\",\"description\":\"Identifies a hash match related to Hive Ransomware across various data sources.\",\"lastUpdatedDateUTC\":\"2022-07-05T00:00:00Z\",\"createdDateUTC\":\"2022-01-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\",\"DeviceEvents\",\"DeviceImageLoadEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1ff56009-db01-4615-8211-d4fda21da02d\",\"name\":\"1ff56009-db01-4615-8211-d4fda21da02d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"AuditLogs\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where AADOperationType =~ \\\"Assign\\\"\\n| where ActivityDisplayName has_any (\\\"Add delegated permission grant\\\",\\\"Add app role assignment to service principal\\\")\\n| mv-expand TargetResources\\n| mv-expand TargetResources.modifiedProperties\\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\\n| where displayName_ has_any (\\\"AppRole.Value\\\",\\\"DelegatedPermissionGrant.Scope\\\")\\n| extend Permission = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\\n| where Permission has \\\"RoleManagement.ReadWrite.Directory\\\"\\n| extend InitiatingApp = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n| extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName))\\n| extend Target = tostring(parse_json(tostring(TargetResources.modifiedProperties[4].newValue)))\\n| extend TargetId = iif(displayName_ =~ \u0027DelegatedPermissionGrant.Scope\u0027,\\n tostring(parse_json(tostring(TargetResources.modifiedProperties[2].newValue))),\\n tostring(parse_json(tostring(TargetResources.modifiedProperties[3].newValue))))\\n| summarize by bin(TimeGenerated, 1h), OperationName, Initiator, Target, TargetId, Result\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Initiator\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Target\"}]}],\"tactics\":[\"Persistence\",\"Impact\"],\"displayName\":\"Azure AD Role Management Permission Grant\",\"description\":\"Identifies when the Microsoft Graph RoleManagement.ReadWrite.Directory (Delegated or Application) permission is granted to a service principal.\\nThis permission allows an application to read and manage the role-based access control (RBAC) settings for your company\u0027s directory.\\nAn adversary could use this permission to add an Azure AD object to an Admin directory role and escalate privileges.\\nRef : https://docs.microsoft.com/graph/permissions-reference#role-management-permissions\\nRef : https://docs.microsoft.com/graph/api/directoryrole-post-members?view=graph-rest-1.0\u0026tabs=http\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2021-11-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/71d374e0-1cf8-4e50-aecd-ab6c519795c2\",\"name\":\"71d374e0-1cf8-4e50-aecd-ab6c519795c2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Low\",\"query\":\"AzureDevOpsAuditing\\n| where OperationName =~ \\\"Pipelines.PipelineRetentionSettingChanged\\\"\\n| where Data.SettingName in (\\\"PurgeArtifacts\\\", \\\"PurgeRuns\\\")\\n| where Data.NewValue == 1 or Data.NewValue \u003c Data.OldValue/2\\n| project-reorder TimeGenerated, OperationName, ActorUPN, IpAddress, UserAgent, Data\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure DevOps Retention Reduced\",\"description\":\"AzureDevOps retains items such as run records and produced artifacts for a configurable amount of time. An attacker looking to reduce the footprint left by their malicious activity may look to reduce the retention time for artifacts and runs.\\nThis query will look for where retention has been reduced to the minimum level - 1, or reduced by more than half.\",\"lastUpdatedDateUTC\":\"2021-11-02T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/979c42dd-533e-4ede-b18b-31a84ba8b3d6\",\"name\":\"979c42dd-533e-4ede-b18b-31a84ba8b3d6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"Event\\n| where EventLog == \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID in (13)\\n| parse EventData with * \u0027TargetObject\\\"\u003e\u0027 TargetObject \\\"\u003c\\\" * \u0027Details\\\"\u003e\u0027 Details \\\"\u003c\\\" * \\n| where TargetObject has (\\\"HKLM\\\\\\\\System\\\\\\\\CurrentControlSet\\\\\\\\Control\\\\\\\\Lsa\\\\\\\\DsrmAdminLogonBehavior\\\") and Details == \\\"DWORD (0x00000002)\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventID, Computer, TargetObject, Details\",\"entityMappings\":[{\"entityType\":\"RegistryKey\",\"fieldMappings\":[{\"identifier\":\"Key\",\"columnName\":\"TargetObject\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"DSRM Account Abuse\",\"description\":\"This query detects an abuse of the DSRM account in order to maintain persistence and access to the organization\u0027s Active Directory.\\nRef: https://adsecurity.org/?p=1785\",\"lastUpdatedDateUTC\":\"2022-03-11T00:00:00Z\",\"createdDateUTC\":\"2022-03-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d82eb796-d1eb-43c8-a813-325ce3417cef\",\"name\":\"d82eb796-d1eb-43c8-a813-325ce3417cef\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"(union isfuzzy=true\\n(DeviceFileEvents\\n| where ActionType == \\\"FileCreated\\\"\\n| where FileName endswith \\\".h0lyenc\\\" or FolderPath == \\\"C:\\\\\\\\FOR_DECRYPT.html\\\" \\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName), HostCustomEntity = DeviceName, Type, InitiatingProcessId, FileName, FolderPath, EventType = ActionType, Commandline = InitiatingProcessCommandLine, InitiatingProcessFileName, InitiatingProcessSHA256, FileHashCustomEntity = SHA256\\n),\\n(imFileEvent\\n| where EventType == \\\"FileCreated\\\" \\n| where TargetFilePath endswith \\\".h0lyenc\\\" or TargetFilePath == \\\"C:\\\\\\\\FOR_DECRYPT.html\\\" \\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by AccountCustomEntity = ActorUsername, HostCustomEntity = DvcHostname, DvcId, Type, EventType, FileHashCustomEntity = TargetFileSHA256, Hash, TargetFilePath, Commandline = ActingProcessCommandLine\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Dev-0530 File Extension Rename\",\"description\":\"Dev-0530 actors are known to encrypt the contents of the victims device as well as renaming the file extensions. This query looks for the creation of files with .h0lyenc extension or presence of ransom note.\",\"lastUpdatedDateUTC\":\"2022-07-14T00:00:00Z\",\"createdDateUTC\":\"2022-07-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ba144bf8-75b8-406f-9420-ed74397f9479\",\"name\":\"ba144bf8-75b8-406f-9420-ed74397f9479\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"//Set a threshold of failed AAD signins from an IP address within 1 day above which we want to deem those logins suspicious.\\nlet signin_threshold = 5; \\n//Make a list of IPs with AAD signin failures above our threshold.\\nlet aadFunc = (tableName:string){\\nlet suspicious_signins = \\n table(tableName)\\n //Looking for logon failure results\\n | where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n //Exclude localhost addresses to reduce the chance of FPs\\n | where IPAddress !in (\\\"127.0.0.1\\\", \\\"::1\\\")\\n | summarize count() by IPAddress\\n | where count_ \u003e signin_threshold\\n | summarize make_set(IPAddress);\\n suspicious_signins\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nlet suspicious_signins = \\nunion isfuzzy=true aadSignin, aadNonInt\\n| summarize make_set(set_IPAddress);\\n//See if any of those IPs have sucessfully logged into PA VPNs during the same timeperiod\\nCommonSecurityLog\\n //Select only PA VPN sucessful logons\\n | where DeviceVendor == \\\"Palo Alto Networks\\\" and DeviceEventClassID == \\\"globalprotect\\\"\\n | where Message has \\\"GlobalProtect gateway user authentication succeeded\\\"\\n //Parse out the logon source IP from the Message field to match on\\n | extend SourceIP = extract(\\\"Login from: ([^,]+)\\\", 1, Message) \\n | where SourceIP in (suspicious_signins)\\n | extend Reason = \\\"Multiple failed AAD logins from SourceIP\\\"\\n //Parse out other useful information from Message field\\n | extend User = extract(\u0027User name: ([^,]+)\u0027, 1, Message) \\n | extend ClientOS = extract(\u0027Client OS version: ([^,\\\\\\\"]+)\u0027, 1, Message)\\n | extend Location = extract(\u0027Source region: ([^,]{2})\u0027,1, Message)\\n | project TimeGenerated, Reason, SourceIP, User, ClientOS, Location, Message, DeviceName, ReceiptTime, DeviceVendor, DeviceEventClassID, Computer, FileName\\n | extend AccountCustomEntity = User, IPCustomEntity = SourceIP, timestamp = TimeGenerated, HostCustomEntity = DeviceName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"IP with multiple failed Azure AD logins successfully logs in to Palo Alto VPN\",\"description\":\"This query creates a list of IP addresses with a number failed login attempts to AAD \\nabove a set threshold. It then looks for any successful Palo Alto VPN logins from any\\nof these IPs within the same timeframe.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-09-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/32555639-b639-4c2b-afda-c0ae0abefa55\",\"name\":\"32555639-b639-4c2b-afda-c0ae0abefa55\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"AWSCloudTrail\\n| where EventName =~ \\\"GetCallerIdentity\\\" and UserIdentityType =~ \\\"AssumedRole\\\" \\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by SourceIpAddress, EventName, EventTypeName, UserIdentityType, UserIdentityAccountId, UserIdentityPrincipalid, \\nUserAgent, UserIdentityUserName, SessionMfaAuthenticated,AWSRegion, EventSource, AdditionalEventData, ResponseElements\\n| extend timestamp = StartTime, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress\\n| sort by EndTime desc nulls last\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Discovery\"],\"displayName\":\"Monitor AWS Credential abuse or hijacking\",\"description\":\"Looking for GetCallerIdentity Events where the UserID Type is AssumedRole \\nAn attacker who has assumed the role of a legitimate account can call the GetCallerIdentity function to determine what account they are using.\\nA legitimate user using legitimate credentials would not need to call GetCallerIdentity since they should already know what account they are using.\\nMore Information: https://duo.com/decipher/trailblazer-hunts-compromised-credentials-in-aws\\nAWS STS GetCallerIdentity API: https://docs.aws.amazon.com/STS/latest/APIReference/API_GetCallerIdentity.html \",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/53e936c6-6c30-4d12-8343-b8a0456e8429\",\"name\":\"53e936c6-6c30-4d12-8343-b8a0456e8429\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let SUNSPOT_Hashes = dynamic([\\\"c45c9bda8db1d470f1fd0dcc346dc449839eb5ce9a948c70369230af0b3ef168\\\", \\\"0819db19be479122c1d48743e644070a8dc9a1c852df9a8c0dc2343e904da389\\\"]);\\nunion isfuzzy=true(\\nDeviceEvents\\n| where InitiatingProcessSHA256 in (SUNSPOT_Hashes)),\\n(DeviceImageLoadEvents\\n| where InitiatingProcessSHA256 in (SUNSPOT_Hashes))\\n| extend HostCustomEntity = DeviceName, timestamp=TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"SUNSPOT malware hashes\",\"description\":\"This query uses Microsoft Defender for Endpoint data to look for IoCs associated with the SUNSPOT malware shared by Crowdstrike.\\nMore details: \\n - https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/ \\n - https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-your-software-build-process-with-azure-sentinel/ba-p/2140807\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceImageLoadEvents\",\"DeviceEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fcb9d75c-c3c1-4910-8697-f136bfef2363\",\"name\":\"fcb9d75c-c3c1-4910-8697-f136bfef2363\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P2D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Low\",\"query\":\"let querystarttime = 2d;\\nlet queryendtime = 1d;\\nlet TimeDeltaThreshold = 10;\\nlet TotalEventsThreshold = 15;\\nlet PercentBeaconThreshold = 80;\\n_Im_NetworkSession(starttime=querystarttime, endtime=queryendtime)\\n| where not(ipv4_is_private(DstIpAddr))\\n| project TimeGenerated, SrcIpAddr, SrcPortNumber, DstIpAddr, DstPortNumber, DstBytes, SrcBytes\\n| sort by SrcIpAddr asc,TimeGenerated asc, DstIpAddr asc, DstPortNumber asc\\n| serialize\\n| extend nextTimeGenerated = next(TimeGenerated, 1), nextSrcIpAddr = next(SrcIpAddr, 1)\\n| extend TimeDeltainSeconds = datetime_diff(\u0027second\u0027,nextTimeGenerated,TimeGenerated)\\n| where SrcIpAddr == nextSrcIpAddr\\n//Whitelisting criteria/ threshold criteria\\n| where TimeDeltainSeconds \u003e TimeDeltaThreshold \\n| project TimeGenerated, TimeDeltainSeconds, SrcIpAddr, SrcPortNumber, DstIpAddr, DstPortNumber, DstBytes, SrcBytes\\n| summarize count(), sum(DstBytes), sum(SrcBytes), make_list(TimeDeltainSeconds) \\nby TimeDeltainSeconds, bin(TimeGenerated, 1h), SrcIpAddr, DstIpAddr, DstPortNumber\\n| summarize (MostFrequentTimeDeltaCount, MostFrequentTimeDeltainSeconds) = arg_max(count_, TimeDeltainSeconds), TotalEvents=sum(count_), TotalSrcBytes = sum(sum_SrcBytes), TotalDstBytes = sum(sum_DstBytes) \\nby bin(TimeGenerated, 1h), SrcIpAddr, DstIpAddr, DstPortNumber\\n| where TotalEvents \u003e TotalEventsThreshold \\n| extend BeaconPercent = MostFrequentTimeDeltaCount/toreal(TotalEvents) * 100\\n| where BeaconPercent \u003e PercentBeaconThreshold\",\"customDetails\":{\"DstPortNumber\":\"DstPortNumber\",\"FrequencyCount\":\"TotalSrcBytes\",\"FrequencyTime\":\"MostFrequentTimeDeltaCount\",\"TotalDstBytes\":\"TotalDstBytes\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DstIpAddr\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Potential beaconing from {{SrcIpAddr}} to {{DstIpAddr}} over port {{DstPortNumber}}\",\"alertDescriptionFormat\":\"Potential beaconing pattern from a client at address {{SrcIpAddr}} to a server at address {{DstIpAddr}} over port {{DstPortNumber}} identified. Such potential outbound beaconing pattern to untrusted public networks should be investigated for any malware callbacks or data exfiltration attempts as discussed in this [Blog](http://www.austintaylor.io/detect/beaconing/intrusion/detection/system/command/control/flare/elastic/stack/2017/06/10/detect-beaconing-with-flare-elasticsearch-and-intrusion-detection-systems/). The recurring frequency, reported as FrequencyTime in the custom details, and the total transferred volume reported as TotalDstBytes in the custom details, can help to determine the significance of this incident.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Potential beaconing activity (ASIM Network Session schema)\",\"description\":\"This rule identifies beaconing patterns from Network traffic logs based on recurrent frequency patterns. Such potential outbound beaconing pattern to untrusted public networks should be investigated for any malware callbacks or data exfiltration attempts as discussed in this [Blog](http://www.austintaylor.io/detect/beaconing/intrusion/detection/system/command/control/flare/elastic/stack/2017/06/10/detect-beaconing-with-flare-elasticsearch-and-intrusion-detection-systems/).\\\\\u003cbr\u003e\u003cbr\u003e\\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2021-12-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b8b8ba09-1e89-45a1-8bd7-691cd23bfa32\",\"name\":\"b8b8ba09-1e89-45a1-8bd7-691cd23bfa32\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let query_frequency = 15m;\\nlet missing_period = 1h;\\n//Enter a reference list of hostnames for your DC servers\\nlet DCServersList = dynamic ([\\\"DC01.simulandlabs.com\\\",\\\"DC02.simulandlabs.com\\\"]);\\n//Alternatively, a Watchlist can be used\\n//let DCServersList = _GetWatchlist(\u0027HostName-DomainControllers\u0027) | project HostName;\\nHeartbeat\\n| summarize arg_max(TimeGenerated, *) by Computer\\n| where Computer in (DCServersList)\\n//You may specify the OS type of your Domain Controllers\\n//| where OSType == \u0027Windows\u0027\\n| where TimeGenerated between (ago(query_frequency + missing_period) .. ago(missing_period))\\n| project TimeGenerated, Computer, OSType, Version, ComputerEnvironment, Type, Solutions\\n| sort by TimeGenerated asc\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"Impact\",\"DefenseEvasion\"],\"displayName\":\"Missing Domain Controller Heartbeat\",\"description\":\"This detection will go over the heartbeats received from the agents of Domain Controllers over the last hour, and will create alerts if the last heartbeats were received an hour ago.\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-11-23T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/737a2ce1-70a3-4968-9e90-3e6aca836abf\",\"name\":\"737a2ce1-70a3-4968-9e90-3e6aca836abf\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MLBehaviorAnalytics\",\"properties\":{\"severity\":\"Medium\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Anomalous RDP Login Detections\",\"description\":\"This detection uses machine learning (ML) to identify anomalous Remote Desktop Protocol (RDP) login activity, based on Windows Security Event data. Scenarios include:\\n\\n*\\tUnusual IP - This IP address has not or has rarely been seen in last 30 days.\\n*\\tUnusual Geo - The IP address, city, country and ASN have not (or rarely) been seen in last 30 days.\\n*\\tNew user - A new user logs in from an IP address and geo location, both or either of which are not expected to be seen in the last 30 days.\\n\\nAllow 7 days after this alert is enabled for Microsoft Sentinel to build a profile of normal activity for your environment.\\t\\n\\nThis detection requires a specific configuration of the data source. [Learn more](https://docs.microsoft.com/en-us/azure/sentinel/connect-windows-security-events)\\n\\nBy enabling this rule, you give Microsoft permission to copy ingested data outside of your Microsoft Sentinel workspace\u0027s geography as necessary for processing by the machine learning engine.\",\"lastUpdatedDateUTC\":\"2021-03-26T00:00:00Z\",\"createdDateUTC\":\"2020-04-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/85aca4d1-5d15-4001-abd9-acb86ca1786a\",\"name\":\"85aca4d1-5d15-4001-abd9-acb86ca1786a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.2\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation\\nlet list_tlds = ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e ago(ioc_lookBack)\\n| where isnotempty(DomainName)\\n| extend parts = split(DomainName, \u0027.\u0027)\\n| extend tld = parts[(array_length(parts)-1)]\\n| summarize count() by tostring(tld)\\n| summarize make_list(tld);\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(DomainName)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n DnsEvents\\n | where TimeGenerated \u003e ago(dt_lookBack)\\n //Extract domain patterns from syslog message\\n | where isnotempty(Name)\\n | extend parts = split(Name, \u0027.\u0027)\\n //Split out the TLD\\n | extend tld = parts[(array_length(parts)-1)]\\n //Validate parsed domain by checking if the TLD is in the list of TLDs in our threat feed\\n | where tld in~ (list_tlds)\\n | extend DNS_TimeGenerated = TimeGenerated\\n) on $left.DomainName==$right.Name\\n| where DNS_TimeGenerated \u003c ExpirationDateTime\\n| summarize DNS_TimeGenerated = arg_max(DNS_TimeGenerated , *) by IndicatorId, Name\\n| project DNS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, Computer, ClientIP, Name, QueryType\\n| extend timestamp = DNS_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = ClientIP, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map Domain entity to DnsEvents\",\"description\":\"Identifies a match in DnsEvents from any Domain IOC from TI\",\"lastUpdatedDateUTC\":\"2022-02-15T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5e45930c-09b1-4430-b2d1-cc75ada0dc0f\",\"name\":\"5e45930c-09b1-4430-b2d1-cc75ada0dc0f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.2\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n//Exclude local addresses, using the ipv4_is_private operator\\n| where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \\\"fe80\\\" and TI_ipEntity !startswith \\\"::\\\" and TI_ipEntity !startswith \\\"127.\\\"\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n W3CIISLog\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(cIP)\\n //Exclude local addresses, using the ipv4_is_private operator\\n | where ipv4_is_private(cIP) == false and cIP !startswith \\\"fe80\\\" and cIP !startswith \\\"::\\\" and cIP !startswith \\\"127.\\\"\\n // renaming time column so it is clear the log this came from\\n | extend W3CIISLog_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.cIP\\n| where W3CIISLog_TimeGenerated \u003c ExpirationDateTime\\n| summarize W3CIISLog_TimeGenerated = arg_max(W3CIISLog_TimeGenerated, *) by IndicatorId, cIP\\n| project W3CIISLog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, Computer, sSiteName, cIP, sIP, sPort, csMethod, csUserName, scStatus, scSubStatus, scWin32Status,\\nNetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = W3CIISLog_TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to W3CIISLog\",\"description\":\"Identifies a match in W3CIISLog from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2022-04-26T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d564ff12-8f53-41b8-8649-44f76b37b99f\",\"name\":\"d564ff12-8f53-41b8-8649-44f76b37b99f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"// How many greater than Service Connections you want to view per build/release\\nlet ServiceConnectionThreshold = 4;\\nlet BypassDefIds = datatable(DefId:string, Type:string, ProjectName:string)\\n[\\n//\\\"103\\\", \\\"Release\\\", \\\"ProjectA\\\",\\n//\\\"42\\\", \\\"Release\\\", \\\"ProjectB\\\",\\n//\\\"122\\\", \\\"Build\\\", \\\"ProjectB\\\"\\n];\\nAzureDevOpsAuditing\\n| where OperationName == \\\"Library.ServiceConnectionExecuted\\\" \\n| extend DefId = tostring(Data.DefinitionId), Type = tostring(Data.PlanType), ConnectionId = tostring(Data.ConnectionId)\\n| parse ScopeDisplayName with OrganizationName \u0027 (Organization)\u0027\\n| summarize CurrentCount = dcount(tostring(ConnectionId)), ConnectionNames = make_set(tostring(Data.ConnectionName)), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) \\n by OrganizationName, tostring(DefId), tostring(Type), ProjectId, ProjectName\\n| where CurrentCount \u003e ServiceConnectionThreshold\\n| join kind=anti BypassDefIds on $left.DefId==$right.DefId and $left.Type == $right.Type and $left.ProjectName == $right.ProjectName\\n| extend link = iif(\\n Type == \\\"Build\\\", strcat(\u0027https://dev.azure.com/\u0027, OrganizationName, \u0027/\u0027, ProjectName, \u0027/_build?definitionId=\u0027, DefId),\\n strcat(\u0027https://dev.azure.com/\u0027, OrganizationName, \u0027/\u0027, ProjectName, \u0027/_release?_a=releases\u0026view=mine\u0026definitionId=\u0027, DefId))\\n| extend timestamp = StartTime\",\"entityMappings\":[],\"tactics\":[\"Persistence\",\"Impact\"],\"displayName\":\"Azure DevOps Service Connection Abuse\",\"description\":\"Flags builds/releases that use a large number of service connections if they aren\u0027t manually in the allow list.\\nThis is to determine if someone is hijacking a build/release and adding many service connections in order to abuse \\nor dump credentials from service connections.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2020-06-04T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/01e8ffff-dc0c-43fe-aa22-d459c4204553\",\"name\":\"01e8ffff-dc0c-43fe-aa22-d459c4204553\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let discord=dynamic([\\\"cdn.discordapp.com\\\", \\\"media.discordapp.com\\\"]);\\n _Im_WebSession(url_has_any=discord, eventresult=\u0027Success\u0027)\\n | where Url has \\\"attachments\\\"\\n | extend DiscordServerId = extract(@\\\"\\\\/attachments\\\\/([0-9]+)\\\\/\\\", 1, Url)\\n | summarize dcount(Url), make_set(SrcUsername), make_set(SrcIpAddr), make_set(Url), min(TimeGenerated), max(TimeGenerated), make_set(EventResult) by DiscordServerId\\n | mv-expand set_SrcUsername to typeof(string), set_Url to typeof(string), set_EventResult to typeof(string), set_SrcIpAddr to typeof(string)\\n | summarize by DiscordServerId, dcount_Url, set_SrcUsername, min_TimeGenerated, max_TimeGenerated, set_EventResult, set_SrcIpAddr, set_Url\\n | project StartTime=min_TimeGenerated, EndTime=max_TimeGenerated, Result=set_EventResult, SourceUser=set_SrcUsername, SourceIP=set_SrcIpAddr, RequestURL=set_Url\\n | where RequestURL has_any (\\\".bin\\\",\\\".exe\\\",\\\".dll\\\",\\\".bin\\\",\\\".msi\\\")\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SourceUser\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"RequestURL\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Discord CDN Risky File Download (ASIM Web Session Schema)\",\"description\":\"Identifies callouts to Discord CDN addresses for risky file extensions. This detection will trigger when a callout for a risky file is made to a discord server that has only been seen once in your environment. Unique discord servers are identified using the server ID that is included in the request URL (DiscordServerId in query). Discord CDN has been used in multiple campaigns to download additional payloads.\\n This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema)\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-03-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4e5914a4-2ccd-429d-a845-fa597f0bd8c5\",\"name\":\"4e5914a4-2ccd-429d-a845-fa597f0bd8c5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"let Hive_threats = dynamic([\\\"Ransom:Win64/Hive\\\", \\\"Ransom:Win32/Hive\\\"]);\\nDeviceInfo\\n| extend DeviceName = tolower(DeviceName)\\n| join kind=inner ( SecurityAlert\\n| where ProviderName == \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)\\n| where ThreatName in~ (Hive_threats) or ThreatFamilyName in~ (Hive_threats)\\n| extend CompromisedEntity = tolower(CompromisedEntity)\\n) on $left.DeviceName == $right.CompromisedEntity\\n| summarize by DisplayName, ThreatName, ThreatFamilyName, PublicIP, AlertSeverity, Description, tostring(LoggedOnUsers), DeviceId, TenantId , bin(TimeGenerated, 1d), CompromisedEntity, tostring(LoggedOnUsers), ProductName, Entities\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CompromisedEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"PublicIP\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"AV detections related to Hive Ransomware\",\"description\":\"This query looks for Microsoft Defender AV detections related to Hive Ransomware . In Microsoft Sentinel the SecurityAlerts table includes only the Device Name of the affected device,\\n this query joins the DeviceInfo table to clearly connect other information such as Device group, ip, logged on users etc. This would allow the Microsoft Sentinel analyst to have more context related to the alert, if available.\",\"lastUpdatedDateUTC\":\"2022-07-11T00:00:00Z\",\"createdDateUTC\":\"2022-04-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/361dd1e3-1c11-491e-82a3-bb2e44ac36ba\",\"name\":\"361dd1e3-1c11-491e-82a3-bb2e44ac36ba\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let szOperationNames = dynamic([\\\"microsoft.compute/virtualMachines/write\\\", \\\"microsoft.resources/deployments/write\\\"]);\\nlet starttime = 7d;\\nlet endtime = 1d;\\nAzureActivity\\n| where TimeGenerated between (startofday(ago(starttime)) .. startofday(ago(endtime)))\\n| where OperationNameValue in~ (szOperationNames)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = makelist(TimeGenerated), ActivityStatusValue = makelist(ActivityStatusValue), \\nOperationIds = makelist(OperationId), CallerIpAddress = makelist(CallerIpAddress), CorrelationId = makelist(CorrelationId) \\nby ResourceId, Caller, OperationNameValue, Resource, ResourceGroup\\n| mvexpand CallerIpAddress\\n| where isnotempty(CallerIpAddress)\\n| make-series dResourceCount=dcount(ResourceId) default=0 on StartTimeUtc in range(startofday(ago(7d)), now(), 1d) \\nby Caller, tostring(ActivityTimeStamp), tostring(ActivityStatusValue), tostring(OperationIds), tostring(CallerIpAddress), tostring(CorrelationId), ResourceId, OperationNameValue , Resource, ResourceGroup\\n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dResourceCount)\\n| where Slope \u003e 0.2\\n| join kind=leftsemi (\\n// Last day\u0027s activity is anomalous\\nAzureActivity\\n| where TimeGenerated \u003e= startofday(ago(endtime))\\n| where OperationNameValue in~ (szOperationNames)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = makelist(TimeGenerated), ActivityStatusValue = makelist(ActivityStatusValue), \\nOperationIds = makelist(OperationId), CallerIpAddress = makelist(CallerIpAddress), CorrelationId = makelist(CorrelationId) \\nby ResourceId, Caller, OperationNameValue, Resource, ResourceGroup\\n| mvexpand CallerIpAddress\\n| where isnotempty(CallerIpAddress)\\n| make-series dResourceCount=dcount(ResourceId) default=0 on StartTimeUtc in range(startofday(ago(1d)), now(), 1d) \\nby Caller, tostring(ActivityTimeStamp), tostring(ActivityStatusValue), tostring(OperationIds), tostring(CallerIpAddress), tostring(CorrelationId), ResourceId, OperationNameValue , Resource, ResourceGroup\\n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dResourceCount)\\n| where Slope \u003e 0.2 \\n) on Caller, CallerIpAddress \\n| mvexpand todynamic(ActivityTimeStamp), todynamic(ActivityStatusValue), todynamic(OperationIds), todynamic(CorrelationId)\\n| extend timestamp = ActivityTimeStamp, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Suspicious number of resource creation or deployment activities\",\"description\":\"Indicates when an anomalous number of VM creations or deployment activities occur in Azure via the AzureActivity log.\\nThe anomaly detection identifies activities that have occurred both since the start of the day 1 day ago and the start of the day 7 days ago.\\nThe start of the day is considered 12am UTC time.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/050b9b3d-53d0-4364-a3da-1b678b8211ec\",\"name\":\"050b9b3d-53d0-4364-a3da-1b678b8211ec\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"High\",\"query\":\"AuditLogs\\n| where Category =~ \\\"RoleManagement\\\"\\n| where AADOperationType in (\\\"Assign\\\", \\\"AssignEligibleRole\\\")\\n| where ActivityDisplayName has_any (\\\"Add eligible member to role\\\", \\\"Add member to role\\\")\\n| mv-expand TargetResources\\n| mv-expand TargetResources.modifiedProperties\\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\\n| where displayName_ =~ \\\"Role.DisplayName\\\"\\n| extend RoleName = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\\n| where RoleName contains \\\"Admin\\\"\\n| extend InitiatingApp = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n| extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName))\\n// Uncomment below to not alert for PIM activations\\n//| where Initiator != \\\"MS-PIM\\\"\\n| extend Target = tostring(TargetResources.userPrincipalName)\\n| summarize by bin(TimeGenerated, 1h), OperationName, RoleName, Target, Initiator, Result\\n| extend AccountCustomEntity = Target\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Initiator\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"User Assigned Privileged Role\",\"description\":\"Identifies when a new privileged role is assigned to a user. Any account eligible for a role is now being given privileged access. If the assignment is unexpected or into a role that isn\u0027t the responsibility of the account holder, investigate.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/48607a29-a26a-4abf-8078-a06dbdd174a4\",\"name\":\"48607a29-a26a-4abf-8078-a06dbdd174a4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let timeRange = 3d;\\nlet lookBack = 7d;\\nlet authenticationWindow = 20m;\\nlet authenticationThreshold = 5;\\nlet isGUID = \\\"[0-9a-z]{8}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{12}\\\";\\nlet failureCodes = dynamic([50053, 50126, 50055]); // invalid password, account is locked - too many sign ins, expired password\\nlet successCodes = dynamic([0, 50055, 50057, 50155, 50105, 50133, 50005, 50076, 50079, 50173, 50158, 50072, 50074, 53003, 53000, 53001, 50129]);\\n// Lookup up resolved identities from last 7 days\\nlet aadFunc = (tableName:string){\\nlet identityLookup = table(tableName)\\n| where TimeGenerated \u003e= ago(lookBack)\\n| where not(Identity matches regex isGUID)\\n| where isnotempty(UserId)\\n| summarize by UserId, lu_UserDisplayName = UserDisplayName, lu_UserPrincipalName = UserPrincipalName, Type;\\n// collect window threshold breaches\\ntable(tableName)\\n| where TimeGenerated \u003e ago(timeRange)\\n| where ResultType in(failureCodes)\\n| summarize FailedPrincipalCount = dcount(UserPrincipalName) by bin(TimeGenerated, authenticationWindow), IPAddress, AppDisplayName, Type\\n| where FailedPrincipalCount \u003e= authenticationThreshold\\n| summarize WindowThresholdBreaches = count() by IPAddress, Type\\n| join kind= inner (\\n// where we breached a threshold, join the details back on all failure data\\ntable(tableName)\\n| where TimeGenerated \u003e ago(timeRange)\\n| where ResultType in(failureCodes)\\n| extend LocationDetails = todynamic(LocationDetails)\\n| extend FullLocation = strcat(LocationDetails.countryOrRegion,\u0027|\u0027, LocationDetails.state, \u0027|\u0027, LocationDetails.city)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), make_set(ClientAppUsed), make_set(FullLocation), FailureCount = count() by IPAddress, AppDisplayName, UserPrincipalName, UserDisplayName, Identity, UserId, Type\\n// lookup any unresolved identities\\n| extend UnresolvedUserId = iff(Identity matches regex isGUID, UserId, \\\"\\\")\\n| join kind= leftouter (\\n identityLookup \\n) on $left.UnresolvedUserId==$right.UserId\\n| extend UserDisplayName=iff(isempty(lu_UserDisplayName), UserDisplayName, lu_UserDisplayName)\\n| extend UserPrincipalName=iff(isempty(lu_UserPrincipalName), UserPrincipalName, lu_UserPrincipalName)\\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), make_set(UserPrincipalName), make_set(UserDisplayName), make_set(set_ClientAppUsed), make_set(set_FullLocation), make_list(FailureCount) by IPAddress, AppDisplayName, Type\\n| extend FailedPrincipalCount = arraylength(set_UserPrincipalName)\\n) on IPAddress\\n| project IPAddress, StartTime, EndTime, TargetedApplication=AppDisplayName, FailedPrincipalCount, UserPrincipalNames=set_UserPrincipalName, UserDisplayNames=set_UserDisplayName, ClientAppsUsed=set_set_ClientAppUsed, Locations=set_set_FullLocation, FailureCountByPrincipal=list_FailureCount, WindowThresholdBreaches, Type\\n| join kind= inner (\\ntable(tableName) // get data on success vs. failure history for each IP\\n| where TimeGenerated \u003e ago(timeRange)\\n| where ResultType in(successCodes) or ResultType in(failureCodes) // success or failure types\\n| summarize GlobalSuccessPrincipalCount = dcountif(UserPrincipalName, (ResultType in(successCodes))), ResultTypeSuccesses = make_set_if(ResultType, (ResultType in(successCodes))), GlobalFailPrincipalCount = dcountif(UserPrincipalName, (ResultType in(failureCodes))), ResultTypeFailures = make_set_if(ResultType, (ResultType in(failureCodes))) by IPAddress, Type\\n| where GlobalFailPrincipalCount \u003e GlobalSuccessPrincipalCount // where the number of failed principals is greater than success - eliminates FPs from IPs who authenticate successfully alot and as a side effect have alot of failures\\n) on IPAddress\\n| project-away IPAddress1\\n| extend timestamp=StartTime, IPCustomEntity = IPAddress\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Password spray attack against Azure AD application\",\"description\":\"Identifies evidence of password spray activity against Azure AD applications by looking for failures from multiple accounts from the same\\nIP address within a time window. If the number of accounts breaches the threshold just once, all failures from the IP address within the time range\\nare bought into the result. Details on whether there were successful authentications by the IP address within the time window are also included.\\nThis can be an indicator that an attack was successful.\\nThe default failure acccount threshold is 5, Default time window for failures is 20m and default look back window is 3 days\\nNote: Due to the number of possible accounts involved in a password spray it is not possible to map identities to a custom entity.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes.\",\"lastUpdatedDateUTC\":\"2022-02-16T00:00:00Z\",\"createdDateUTC\":\"2020-03-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7ee72a9e-2e54-459c-bc8a-8c08a6532a63\",\"name\":\"7ee72a9e-2e54-459c-bc8a-8c08a6532a63\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.4.1\",\"severity\":\"High\",\"query\":\"let IPList = dynamic([\\\"154.223.45.38\\\",\\\"185.141.207.140\\\",\\\"185.234.73.19\\\",\\\"216.245.210.106\\\",\\\"51.91.48.210\\\",\\\"46.255.230.229\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where isnotempty(SourceIP) or isnotempty(DestinationIP)\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"Message\\\") \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch\\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\") \\n),\\n(OfficeActivity\\n|extend SourceIPAddress = ClientIP, Account = UserId\\n| where SourceIPAddress in (IPList)\\n| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account\\n),\\n(_Im_Dns (response_has_any_prefix=IPList)\\n| extend DestinationIPAddress = DnsResponseName, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host, AccountCustomEntity=User\\n),\\n(_Im_WebSession (srcipaddr_has_any_prefix=IPList)\\n| extend DestinationIPAddress = DstIpAddr, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host\\n),\\n(_Im_NetworkSession (srcipaddr_has_any_prefix=IPList)\\n| extend DestinationIPAddress = DstIpAddr, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host\\n),\\n(_Im_NetworkSession (dstipaddr_has_any_prefix=IPList)\\n| extend DestinationIPAddress = DstIpAddr, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host\\n),\\n(SigninLogs\\n| where isnotempty(IPAddress)\\n| where IPAddress in (IPList)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n),\\n(AADNonInteractiveUserSignInLogs\\n| where isnotempty(IPAddress)\\n| where IPAddress in (IPList)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n),\\n(W3CIISLog \\n| where isnotempty(cIP)\\n| where cIP in (IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName\\n),\\n(AzureActivity \\n| where isnotempty(CallerIpAddress)\\n| where CallerIpAddress in (IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller\\n),\\n(\\nAWSCloudTrail\\n| where isnotempty(SourceIpAddress)\\n| where SourceIpAddress in (IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName\\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = EventDetail.[9].[\\\"#text\\\"], DestinationIP = EventDetail.[14].[\\\"#text\\\"]\\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Known IRIDIUM IP\",\"description\":\"IRIDIUM command and control IP. Identifies a match across various data feeds for IP IOCs related to the IRIDIUM activity group.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2019-12-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d7424fd9-abb3-4ded-a723-eebe023aaa0b\",\"name\":\"d7424fd9-abb3-4ded-a723-eebe023aaa0b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"// Administrative roles to look for, default is all admin roles\\nlet roles = dynamic([\\\"Administrator\\\", \\\"Admin\\\"]);\\n// The maximum distances between and invite and acceptance\\nlet maxTimeBetweenInviteAccept = 30min;\\n// The delta (minutes) between the invite being sent and the account being escalated\\nlet deltaBetweenInviteEscalation = 60;\\n// Collect external user invitations\\nlet invite = AuditLogs\\n| where Category =~ \\\"UserManagement\\\"\\n| where OperationName =~ \\\"Invite external user\\\"\\n| extend Target = tostring(TargetResources[0].[\\\"userPrincipalName\\\"])\\n| extend InviteInitiator = tostring(InitiatedBy.[\\\"user\\\"].[\\\"userPrincipalName\\\"])\\n| where isnotempty(InviteInitiator);\\n// Collect redeem events\\nlet redeem = AuditLogs\\n| where Category =~ \\\"UserManagement\\\"\\n| where OperationName =~ \\\"Redeem external user invite\\\"\\n| where Result =~ \\\"success\\\"\\n| extend Target = tostring(TargetResources[0].[\\\"displayName\\\"]) | extend Target = tostring(extract(@\\\"UPN\\\\:\\\\s(.+)\\\\,\\\\sEmail\\\",1,Target))\\n| where isnotempty(Target);\\n// Union the inivtation and redeem data then run the sequence_detect kusto plugin\\ninvite\\n| union redeem\\n| order by TimeGenerated\\n| project TimeGenerated, Target, InviteInitiator, OperationName, TenantId\\n| evaluate sequence_detect(TimeGenerated, maxTimeBetweenInviteAccept, maxTimeBetweenInviteAccept, invite=(OperationName has \\\"Invite external user\\\"), redeem=(OperationName has \\\"Redeem external user invite\\\"), Target)\\n| join (\\nAuditLogs\\n| where Category =~ \\\"RoleManagement\\\"\\n| where AADOperationType in (\\\"Assign\\\", \\\"AssignEligibleRole\\\")\\n| where ActivityDisplayName has_any (\\\"Add eligible member to role\\\", \\\"Add member to role\\\")\\n| mv-expand TargetResources\\n// Limit to external accounts\\n| where TargetResources.userPrincipalName has \\\"EXT\\\"\\n| mv-expand TargetResources.modifiedProperties\\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\\n| where displayName_ =~ \\\"Role.DisplayName\\\"\\n| extend RoleName = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\\n// Perform check for admin roles\\n| where RoleName has_any(roles)\\n| extend InitiatingApp = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n| extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName))\\n| where Initiator != \\\"MS-PIM\\\"\\n| extend Target = tostring(TargetResources.userPrincipalName)\\n| summarize by TimeGenerated, OperationName, RoleName, Target, Initiator, Result\\n) on Target\\n// Calculate delta between the invite and the account escalation\\n| extend delta = datetime_diff(\\\"minute\\\", TimeGenerated, invite_TimeGenerated)\\n| where delta \u003c= deltaBetweenInviteEscalation\\n| project InvitationTime=invite_TimeGenerated, RedeemTime=redeem_TimeGenerated, GrantTime=TimeGenerated, ExternalUser=Target, RoleGranted=RoleName, AdminInitiator=Initiator, MinsBetweenInviteAndEscalation=delta\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ExternalUser\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AdminInitiator\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"New External User Granted Admin\",\"description\":\"This query will detect instances where a newly invited external user is granted an administrative role. By default this query\\nwill alert on any granted administrative role, however this can be modified using the roles variable if false positives occur\\nin your environment. The maximum delta between invite and escalation to admin is 60 minues, this can be configured using the \\ndeltaBetweenInviteEscalation variable.\",\"lastUpdatedDateUTC\":\"2022-06-16T00:00:00Z\",\"createdDateUTC\":\"2022-06-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d6bf1931-b1eb-448d-90b2-de118559c7ce\",\"name\":\"d6bf1931-b1eb-448d-90b2-de118559c7ce\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let lbtime = 10m;\\nCisco_Umbrella\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027proxylogs\u0027\\n| where DvcAction =~ \u0027Allowed\u0027\\n| where UrlCategory contains \u0027Adult Themes\u0027 or\\n UrlCategory contains \u0027Adware\u0027 or\\n UrlCategory contains \u0027Alcohol\u0027 or\\n UrlCategory contains \u0027Illegal Downloads\u0027 or\\n UrlCategory contains \u0027Drugs\u0027 or\\n UrlCategory contains \u0027Child Abuse Content\u0027 or\\n UrlCategory contains \u0027Hate/Discrimination\u0027 or\\n UrlCategory contains \u0027Nudity\u0027 or\\n UrlCategory contains \u0027Pornography\u0027 or\\n UrlCategory contains \u0027Proxy/Anonymizer\u0027 or\\n UrlCategory contains \u0027Sexuality\u0027 or\\n UrlCategory contains \u0027Tasteless\u0027 or\\n UrlCategory contains \u0027Terrorism\u0027 or\\n UrlCategory contains \u0027Web Spam\u0027 or\\n UrlCategory contains \u0027German Youth Protection\u0027 or\\n UrlCategory contains \u0027Illegal Activities\u0027 or\\n UrlCategory contains \u0027Lingerie/Bikini\u0027 or\\n UrlCategory contains \u0027Weapons\u0027\\n| project TimeGenerated, SrcIpAddr, Identities\\n| extend IPCustomEntity = SrcIpAddr\\n| extend AccountCustomEntity = Identities\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"InitialAccess\"],\"displayName\":\"Cisco Umbrella - Request Allowed to harmful/malicious URI category\",\"description\":\"It is reccomended that these Categories shoud be blocked by policies because they provide harmful/malicious content..\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ee55dc85-d2da-48c1-a6c0-3eaee62a8d56\",\"name\":\"ee55dc85-d2da-48c1-a6c0-3eaee62a8d56\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"// Add the environments expected username format regex below before deploying\\n let user_regex = \\\"\\\";\\n AuditLogs\\n | where OperationName =~ \\\"Add user\\\"\\n | where Result =~ \\\"success\\\"\\n | extend userAgent = tostring(AdditionalDetails[0].value)\\n | extend addingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend addingApp = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n | extend AddedBy = iif(isnotempty(addingUser), addingUser, addingApp)\\n | extend ipAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n | extend AddedUser = tostring(TargetResources[0].userPrincipalName)\\n | where AddedUser matches regex user_regex\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddedBy\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddedUser\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"User Account Created Using Incorrect Naming Format\",\"description\":\"This query looks for accounts being created where the name does not match a defined pattern.\\n Attackers may attempt to add accounts as a means of establishing persistant access to an environment, looking for anomalies in created accounts may help identify illegitimately created accounts.\\n Created accounts should be investigated to ensure they were legitimated created.\\n The user_regex field in the query needs to be populated with the expected pattern for the environment before deployment.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#accounts-not-following-naming-policies\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0777f138-e5d8-4eab-bec1-e11ddfbc2be2\",\"name\":\"0777f138-e5d8-4eab-bec1-e11ddfbc2be2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Low\",\"query\":\"let threshold = 20;\\nlet ReasontoSubStatus = datatable(SubStatus:string,Reason:string) [\\n\\\"0xC000005E\\\", \\\"There are currently no logon servers available to service the logon request.\\\",\\n\\\"0xC0000064\\\", \\\"User logon with misspelled or bad user account\\\", \\n\\\"0xC000006A\\\", \\\"User logon with misspelled or bad password\\\",\\n\\\"0xC000006D\\\", \\\"Bad user name or password\\\",\\n\\\"0xC000006E\\\", \\\"Unknown user name or bad password\\\",\\n\\\"0xC000006F\\\", \\\"User logon outside authorized hours\\\",\\n\\\"0xC0000070\\\", \\\"User logon from unauthorized workstation\\\",\\n\\\"0xC0000071\\\", \\\"User logon with expired password\\\",\\n\\\"0xC0000072\\\", \\\"User logon to account disabled by administrator\\\",\\n\\\"0xC00000DC\\\", \\\"Indicates the Sam Server was in the wrong state to perform the desired operation\\\",\\n\\\"0xC0000133\\\", \\\"Clocks between DC and other computer too far out of sync\\\",\\n\\\"0xC000015B\\\", \\\"The user has not been granted the requested logon type (aka logon right) at this machine\\\",\\n\\\"0xC000018C\\\", \\\"The logon request failed because the trust relationship between the primary domain and the trusted domain failed\\\",\\n\\\"0xC0000192\\\", \\\"An attempt was made to logon, but the Netlogon service was not started\\\",\\n\\\"0xC0000193\\\", \\\"User logon with expired account\\\",\\n\\\"0xC0000224\\\", \\\"User is required to change password at next logon\\\",\\n\\\"0xC0000225\\\", \\\"Evidently a bug in Windows and not a risk\\\",\\n\\\"0xC0000234\\\", \\\"User logon with account locked\\\",\\n\\\"0xC00002EE\\\", \\\"Failure Reason: An Error occurred during Logon\\\",\\n\\\"0xC0000413\\\", \\\"Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine\\\"\\n];\\n(union isfuzzy=true\\n(SecurityEvent \\n| where EventID == 4625\\n| where AccountType =~ \\\"User\\\"\\n| where SubStatus !=\u00270xc0000064\u0027 and Account !in (\u0027\\\\\\\\\u0027, \u0027-\\\\\\\\-\u0027)\\n// SubStatus \u00270xc0000064\u0027 signifies \u0027Account name does not exist\u0027\\n| extend ResourceId = column_ifexists(\\\"_ResourceId\\\", _ResourceId), SourceComputerId = column_ifexists(\\\"SourceComputerId\\\", SourceComputerId)\\n| lookup ReasontoSubStatus on SubStatus\\n| extend coalesce(Reason, strcat(\u0027Unknown reason substatus: \u0027, SubStatus))\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), FailedLogonCount = count() by EventID, \\nActivity, Computer, Account, TargetAccount, TargetUserName, TargetDomainName, \\nLogonType, LogonTypeName, LogonProcessName, Status, SubStatus, Reason, ResourceId, SourceComputerId, WorkstationName, IpAddress\\n| where FailedLogonCount \u003e= threshold\\n| extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress\\n),\\n(\\n(WindowsEvent \\n| where EventID == 4625 and not(EventData has \u00270xc0000064\u0027)\\n| extend TargetAccount = strcat(tostring(EventData.TargetDomainName),\\\"\\\\\\\\\\\", tostring(EventData.TargetUserName))\\n| extend TargetUserSid = tostring(EventData.TargetUserSid)\\n| extend AccountType=case(EventData.TargetUserName endswith \\\"$\\\" or TargetUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(TargetUserSid), \\\"\\\", \\\"User\\\")\\n| where AccountType =~ \\\"User\\\"\\n| extend SubStatus = tostring(EventData.SubStatus)\\n| where SubStatus !=\u00270xc0000064\u0027 and TargetAccount !in (\u0027\\\\\\\\\u0027, \u0027-\\\\\\\\-\u0027)\\n// SubStatus \u00270xc0000064\u0027 signifies \u0027Account name does not exist\u0027\\n| extend ResourceId = column_ifexists(\\\"_ResourceId\\\", _ResourceId), SourceComputerId = column_ifexists(\\\"SourceComputerId\\\", \\\"\\\")\\n| lookup ReasontoSubStatus on SubStatus\\n| extend coalesce(Reason, strcat(\u0027Unknown reason substatus: \u0027, SubStatus))\\n| extend Activity=\\\"4625 - An account failed to log on.\\\"\\n| extend TargetUserName = tostring(EventData.TargetUserName)\\n| extend TargetDomainName = tostring(EventData.TargetDomainName)\\n| extend LogonType = tostring(EventData.LogonType)\\n| extend Status= tostring(EventData.Status)\\n| extend LogonProcessName = tostring(EventData.LogonProcessName)\\n| extend WorkstationName = tostring(EventData.WorkstationName)\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| extend LogonTypeName=case(LogonType==2,\\\"2 - Interactive\\\", LogonType==3,\\\"3 - Network\\\", LogonType==4, \\\"4 - Batch\\\",LogonType==5, \\\"5 - Service\\\", LogonType==7, \\\"7 - Unlock\\\", LogonType==8, \\\"8 - NetworkCleartext\\\", LogonType==9, \\\"9 - NewCredentials\\\", LogonType==10, \\\"10 - RemoteInteractive\\\", LogonType==11, \\\"11 - CachedInteractive\\\",tostring(LogonType))\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), FailedLogonCount = count() by EventID, \\nActivity, Computer, TargetAccount, TargetUserName, TargetDomainName, \\nLogonType, LogonTypeName, LogonProcessName, Status, SubStatus, Reason, ResourceId, SourceComputerId, WorkstationName, IpAddress\\n| where FailedLogonCount \u003e= threshold\\n| extend timestamp = StartTime, AccountCustomEntity = TargetAccount, HostCustomEntity = Computer, IPCustomEntity = IpAddress\\n)))\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Failed logon attempts by valid accounts within 10 mins\",\"description\":\"Identifies when failed logon attempts are 20 or higher during a 10 minute period (2 failed logons per minute minimum) from valid account.\",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2019-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3b9a44d7-c651-45ed-816c-eae583a6f2f1\",\"name\":\"3b9a44d7-c651-45ed-816c-eae583a6f2f1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let lookback = 14d;\\nlet timeframe = 1d;\\nlet historical_data =\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(lookback) and TimeGenerated \u003c ago(timeframe)\\n| where OperationName =~ \\\"Library.VariableGroupModified\\\"\\n| extend variables = Data.Variables\\n| extend VariableGroupId = tostring(Data.VariableGroupId)\\n| extend UserKey = strcat(VariableGroupId, \\\"-\\\", ActorUserId)\\n| project UserKey;\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeframe)\\n| where OperationName =~ \\\"Library.VariableGroupModified\\\"\\n| extend VariableGroupName = tostring(Data.VariableGroupName)\\n| extend VariableGroupId = tostring(Data.VariableGroupId)\\n| extend UserKey = strcat(VariableGroupId, \\\"-\\\", ActorUserId)\\n| where UserKey !in (historical_data)\\n| project-away UserKey\\n| project-reorder TimeGenerated, VariableGroupName, ActorUPN, IpAddress, UserAgent\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure DevOps Build Variable Modified by New User.\",\"description\":\"Variables can be configured and used at any stage of the build process in Azure DevOps to inject values. An attacker with the required permissions could modify \\nor add to these variables to conduct malicious activity such as changing paths or remote endpoints called during the build. As variables are often changed by users, \\njust detecting these changes would have a high false positive rate. This detection looks for modifications to variable groups where that user has not been observed \\nmodifying them before.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f8127962-7739-4211-a4a9-390a7a00e91f\",\"name\":\"f8127962-7739-4211-a4a9-390a7a00e91f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT30M\",\"queryPeriod\":\"PT30M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let lbtime = 30m;\\nlet lbperiod = 14d;\\nlet knownrecipients = ProofpointPOD\\n| where TimeGenerated \u003e ago(lbperiod)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027outbound\u0027\\n| where SrcUserUpn != \u0027\u0027\\n| where array_length(todynamic(DstUserUpn)) == 1\\n| summarize recipients = make_set(tostring(todynamic(DstUserUpn)[0])) by SrcUserUpn\\n| extend commcol = SrcUserUpn;\\nProofpointPOD\\n| where TimeGenerated between (ago(lbtime) .. now())\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027outbound\u0027\\n| extend isProtected = todynamic(MsgParts)[0][\u0027isProtected\u0027]\\n| extend mimePgp = todynamic(MsgParts)[0][\u0027detectedMime\u0027]\\n| where isProtected == \u0027true\u0027 or mimePgp == \u0027application/pgp-encrypted\u0027\\n| extend DstUserMail = tostring(todynamic(DstUserUpn)[0])\\n| extend commcol = tostring(todynamic(DstUserUpn)[0])\\n| join knownrecipients on commcol\\n| where recipients !contains DstUserMail\\n| project SrcUserUpn, DstUserMail\\n| extend AccountCustomEntity = SrcUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"ProofpointPOD - Multiple protected emails to unknown recipient\",\"description\":\"Detects when multiple protected messages where sent to early not seen recipient.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ee1818ec-5f65-4991-b711-bcf2ab7e36c3\",\"name\":\"ee1818ec-5f65-4991-b711-bcf2ab7e36c3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let lbtime = 10m;\\nCisco_Umbrella\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027proxylogs\u0027\\n| where DvcAction =~ \u0027Allowed\u0027\\n| where UrlOriginal matches regex @\u0027\\\\Ahttp:\\\\/\\\\/\\\\d{1,3}\\\\.\\\\d{1,3}\\\\.\\\\d{1,3}\\\\.\\\\d{1,3}.*\u0027\\n| project TimeGenerated, SrcIpAddr, Identities\\n| extend IPCustomEntity = SrcIpAddr\\n| extend AccountCustomEntity = Identities\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - URI contains IP address\",\"description\":\"Malware can use IP address to communicate with C2.\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/23005e87-2d3a-482b-b03d-edbebd1ae151\",\"name\":\"23005e87-2d3a-482b-b03d-edbebd1ae151\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let exchange_servers = (\\nW3CIISLog\\n| where TimeGenerated \u003e ago(14d)\\n| where sSiteName =~ \\\"Exchange Back End\\\"\\n| summarize by Computer);\\nW3CIISLog\\n| where TimeGenerated \u003e ago(1d)\\n| where Computer in (exchange_servers)\\n| where csUriQuery startswith \\\"t=\\\"\\n| project-reorder TimeGenerated, Computer, csUriStem, csUriQuery, csUserName, csUserAgent, cIP\\n| extend timestamp = TimeGenerated, AccountCustomEntity = csUserName, HostCustomEntity = Computer, IPCustomEntity = cIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"HAFNIUM Suspicious Exchange Request\",\"description\":\"This query looks for suspicious request patterns to Exchange servers that fit a pattern observed by HAFNIUM actors.\\nThe same query can be run on HTTPProxy logs from on-premise hosted Exchange servers.\\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ac9e233e-44d4-45eb-b522-6e47445f6582\",\"name\":\"ac9e233e-44d4-45eb-b522-6e47445f6582\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Medium\",\"query\":\"imRegistry\\n | where EventType in (\\\"RegistryValueSet\\\", \\\"RegistryKeyCreated\\\")\\n | where RegistryKey has \\\"Software\\\\\\\\Classes\\\\\\\\ms-settings\\\\\\\\shell\\\\\\\\open\\\\\\\\command\\\"\\n | extend TimeKey = bin(TimeGenerated, 1h)\\n | join (imProcess\\n | where Process endswith \\\"fodhelper.exe\\\"\\n | where ParentProcessName endswith \\\"cmd.exe\\\" or ParentProcessName endswith \\\"powershell.exe\\\" or ParentProcessName endswith \\\"powershell_ise.exe\\\"\\n | extend TimeKey = bin(TimeGenerated, 1h)) on TimeKey, Dvc\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DvcHostname\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DvcIpAddr\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ActorUsername\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Potential Fodhelper UAC Bypass (ASIM Version)\",\"description\":\"This detection looks for the steps required to conduct a UAC bypass using Fodhelper.exe. By default this detection looks for the setting of the required registry keys and the invoking of the process within 1 hour - this can be tweaked as required.\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-02-25T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ee1d718b-9ed9-4a71-90cd-a483a4f008df\",\"name\":\"ee1d718b-9ed9-4a71-90cd-a483a4f008df\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Office 365 Advanced Threat Protection\",\"displayName\":\"Create incidents based on Microsoft Defender for Office 365 alerts\",\"description\":\"Create incidents based on all alerts generated in Microsoft Defender for Office 365\",\"lastUpdatedDateUTC\":\"2020-09-01T00:00:00Z\",\"createdDateUTC\":\"2020-04-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"OfficeATP\",\"dataTypes\":[\"SecurityAlert (OATP)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a333d8bf-22a3-4c55-a1e9-5f0a135c0253\",\"name\":\"a333d8bf-22a3-4c55-a1e9-5f0a135c0253\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"let mde_threats = dynamic([\\\"Behavior:Win32/SuspAzureRequest.A\\\", \\\"Behavior:Win32/SuspAzureRequest.B\\\", \\\"Behavior:Win32/SuspAzureRequest.C\\\", \\\"Behavior:Win32/LaunchingSuspCMD.B\\\"]);\\nDeviceInfo\\n| extend DeviceName = tolower(DeviceName)\\n| join kind=inner ( SecurityAlert\\n| where ProviderName == \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)\\n| where ThreatName in~ (mde_threats) or ThreatFamilyName in~ (mde_threats)\\n| extend CompromisedEntity = tolower(CompromisedEntity)\\n) on $left.DeviceName == $right.CompromisedEntity\\n| summarize by DisplayName, ThreatName, ThreatFamilyName, PublicIP, AlertSeverity, Description, tostring(LoggedOnUsers), DeviceId, TenantId , bin(TimeGenerated, 1d), CompromisedEntity, tostring(LoggedOnUsers), ProductName, Entities\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CompromisedEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"PublicIP\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Microsoft Defender for Endpoint (MDE) signatures for Azure Synapse pipelines and Azure Data Factory\",\"description\":\"This query looks for Microsoft Defender for Endpoint detections related to the remote command execution attempts on Azure IR with Managed VNet or SHIR. \\nIn Microsoft Sentinel, the SecurityAlerts table includes the name of the impacted device. Additionally, this query joins the DeviceInfo table to connect other information such as device group, \\nIP address, signed in users, and others allowing analysts using Microsoft Sentinel to have more context related to the alert. \\nReference: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-29972 , \\nhttps://msrc-blog.microsoft.com/2022/05/09/vulnerability-mitigated-in-the-third-party-data-connector-used-in-azure-synapse-pipelines-and-azure-data-factory-cve-2022-29972\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-04-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5db427b2-f406-4274-b413-e9fcb29412f8\",\"name\":\"5db427b2-f406-4274-b413-e9fcb29412f8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"AuditLogs\\n| where ActivityDisplayName =~\u0027Add member to role completed (PIM activation)\u0027\\n| where Result == \\\"failure\\\"\\n| extend Role = tostring(TargetResources[3].displayName)\\n| extend User = tostring(TargetResources[2].displayName)\\n| project-reorder TimeGenerated, User, Role, OperationName, Result, ResultDescription\\n| extend InitiatingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n| extend IPCustomEntity = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUser\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"User\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"NRT PIM Elevation Request Rejected\",\"description\":\"Identifies when a user is rejected for a privileged role elevation via PIM. Monitor rejections for indicators of attacker compromise of the requesting account.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-identity-management\",\"lastUpdatedDateUTC\":\"2022-02-07T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/03e04c97-8cae-48b3-9d2f-4ab262e4ffff\",\"name\":\"03e04c97-8cae-48b3-9d2f-4ab262e4ffff\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let scriptExtensions = dynamic([\\\".php\\\", \\\".jsp\\\", \\\".js\\\", \\\".aspx\\\", \\\".asmx\\\", \\\".asax\\\", \\\".cfm\\\", \\\".shtml\\\"]);\\nhttp_proxy_oab_CL\\n| where RawData contains \\\"Download failed and temporary file\\\"\\n| extend File = extract(\\\"([^\\\\\\\\\\\\\\\\]*)(\\\\\\\\\\\\\\\\[^\u0027]*)\\\",2,RawData)\\n| extend Extension = strcat(\\\".\\\",split(File, \\\".\\\")[-1])\\n| extend InteractiveFile = iif(Extension in (scriptExtensions), \\\"Yes\\\", \\\"No\\\")\\n// Uncomment the following line to alert only on interactive file download type\\n//| where InteractiveFile =~ \\\"Yes\\\"\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"HAFNIUM Suspicious File Downloads.\",\"description\":\"This query looks for messages related to file downloads of suspicious file types. This query uses the Exchange HttpProxy AOBGeneratorLog, you will need to onboard this log as a custom log under the table http_proxy_oab_CL before using this query. \\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-02T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d5b32cd4-2328-43da-ab47-cd289c1f5efc\",\"name\":\"d5b32cd4-2328-43da-ab47-cd289c1f5efc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"DnsEvents\\n| where Name contains \\\".\\\"\\n| where Name has_any (\\\"monerohash.com\\\", \\\"do-dear.com\\\", \\\"xmrminerpro.com\\\", \\\"secumine.net\\\", \\\"xmrpool.com\\\", \\\"minexmr.org\\\", \\\"hashanywhere.com\\\",\\n\\\"xmrget.com\\\", \\\"mininglottery.eu\\\", \\\"minergate.com\\\", \\\"moriaxmr.com\\\", \\\"multipooler.com\\\", \\\"moneropools.com\\\", \\\"xmrpool.eu\\\", \\\"coolmining.club\\\",\\n\\\"supportxmr.com\\\", \\\"minexmr.com\\\", \\\"hashvault.pro\\\", \\\"xmrpool.net\\\", \\\"crypto-pool.fr\\\", \\\"xmr.pt\\\", \\\"miner.rocks\\\", \\\"walpool.com\\\", \\\"herominers.com\\\",\\n\\\"gntl.co.uk\\\", \\\"semipool.com\\\", \\\"coinfoundry.org\\\", \\\"cryptoknight.cc\\\", \\\"fairhash.org\\\", \\\"baikalmine.com\\\", \\\"tubepool.xyz\\\", \\\"fairpool.xyz\\\", \\\"asiapool.io\\\",\\n\\\"coinpoolit.webhop.me\\\", \\\"nanopool.org\\\", \\\"moneropool.com\\\", \\\"miner.center\\\", \\\"prohash.net\\\", \\\"poolto.be\\\", \\\"cryptoescrow.eu\\\", \\\"monerominers.net\\\", \\\"cryptonotepool.org\\\",\\n\\\"extrmepool.org\\\", \\\"webcoin.me\\\", \\\"kippo.eu\\\", \\\"hashinvest.ws\\\", \\\"monero.farm\\\", \\\"supportxmr.com\\\", \\\"xmrpool.eu\\\", \\\"linux-repository-updates.com\\\", \\\"1gh.com\\\",\\n\\\"dwarfpool.com\\\", \\\"hash-to-coins.com\\\", \\\"hashvault.pro\\\", \\\"pool-proxy.com\\\", \\\"hashfor.cash\\\", \\\"fairpool.cloud\\\", \\\"litecoinpool.org\\\", \\\"mineshaft.ml\\\", \\\"abcxyz.stream\\\",\\n\\\"moneropool.ru\\\", \\\"cryptonotepool.org.uk\\\", \\\"extremepool.org\\\", \\\"extremehash.com\\\", \\\"hashinvest.net\\\", \\\"unipool.pro\\\", \\\"crypto-pools.org\\\", \\\"monero.net\\\",\\n\\\"backup-pool.com\\\", \\\"mooo.com\\\", \\\"freeyy.me\\\", \\\"cryptonight.net\\\", \\\"shscrypto.net\\\")\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"NRT DNS events related to mining pools\",\"description\":\"Identifies IP addresses that may be performing DNS lookups associated with common currency mining pools.\",\"lastUpdatedDateUTC\":\"2022-02-07T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/de58ee9e-b229-4252-8537-41a4c2f4045e\",\"name\":\"de58ee9e-b229-4252-8537-41a4c2f4045e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let file_ext_blocklist = dynamic([\u0027.ps1\u0027, \u0027.vbs\u0027, \u0027.bat\u0027, \u0027.scr\u0027]);\\nlet lbtime = 10m;\\nCisco_Umbrella\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027proxylogs\u0027\\n| where DvcAction =~ \u0027Allowed\u0027\\n| extend file_ext = extract(@\u0027.*(\\\\.\\\\w+)$\u0027, 1, UrlOriginal)\\n| extend Filename = extract(@\u0027.*\\\\/*\\\\/(.*\\\\.\\\\w+)$\u0027, 1, UrlOriginal)\\n| where file_ext in (file_ext_blocklist)\\n| project TimeGenerated, SrcIpAddr, Identities, Filename\\n| extend IPCustomEntity = SrcIpAddr\\n| extend AccountCustomEntity = Identities\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Cisco Umbrella - Request to blocklisted file type\",\"description\":\"Detects request to potentially harmful file types (.ps1, .bat, .vbs, etc.).\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/97ad74c4-fdd9-4a3f-b6bf-5e28f4f71e06\",\"name\":\"97ad74c4-fdd9-4a3f-b6bf-5e28f4f71e06\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let LearningPeriod = 7d; \\nlet BinTime = 1h; \\nlet RunTime = 1h; \\nlet StartTime = 1h; \\nlet NumberOfStds = 3; \\nlet MinThreshold = 10.0; \\nlet EndRunTime = StartTime - RunTime; \\nlet EndLearningTime = StartTime + LearningPeriod;\\nlet aadFunc = (tableName:string){\\nlet GitHubFailedSSOLogins = (table(tableName) \\n| where AppDisplayName == \\\"GitHub.com\\\" \\n| where ResultType != 0); \\nGitHubFailedSSOLogins \\n| where TimeGenerated between (ago(EndLearningTime) .. ago(StartTime)) \\n| summarize FailedLoginsCountInBinTime = count() by UserPrincipalName, bin(TimeGenerated, BinTime), Type\\n| summarize AvgOfFailedLoginsInLearning = avg(FailedLoginsCountInBinTime), StdOfFailedLoginsInLearning = stdev(FailedLoginsCountInBinTime) by UserPrincipalName, Type\\n| extend LearningThreshold = max_of(AvgOfFailedLoginsInLearning + StdOfFailedLoginsInLearning * NumberOfStds, MinThreshold) \\n| join kind=innerunique ( \\n GitHubFailedSSOLogins \\n | where TimeGenerated between (ago(StartTime) .. ago(EndRunTime)) \\n | summarize FailedLoginsCountInRunTime = count() by User = Identity, UserPrincipalName, bin(TimeGenerated, BinTime), Type\\n) on UserPrincipalName \\n| where FailedLoginsCountInRunTime \u003e LearningThreshold\\n| extend AccountCustomEntity = UserPrincipalName , timestamp = TimeGenerated\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Brute Force Attack against GitHub Account\",\"description\":\"Attackers who are trying to guess your users\u0027 passwords or use brute-force methods to get in. If your organization is using SSO with Azure Active Directory, authentication logs to GitHub.com will be generated. Using the following query can help you identify a sudden increase in failed logon attempt of users.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/12dcea64-bec2-41c9-9df2-9f28461b1295\",\"name\":\"12dcea64-bec2-41c9-9df2-9f28461b1295\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.0\",\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\n// Adjust for a longer timeframe for identifying ADFS Servers\\nlet lookback = 6d;\\n// Identify ADFS Servers\\nlet ADFS_Servers = (\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeframe+lookback)\\n| where EventID == 4688 and SubjectLogonId != \\\"0x3e4\\\"\\n| where NewProcessName has \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n);\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Computer in~ (ADFS_Servers)\\n| where Account !endswith \\\"$\\\"\\n// Check for scheduled task events\\n| where EventID in (4697, 4698, 4699, 4700, 4701, 4702)\\n| extend EventDataParsed = parse_xml(EventData)\\n| extend SubjectLogonId = tostring(EventDataParsed.EventData.Data[3][\\\"#text\\\"])\\n// Check specifically for access to IPC$ share and PIPE\\\\svcctl and PIPE\\\\atsvc for Service Control Services and Schedule Control Services\\n| union (\\n SecurityEvent\\n | where TimeGenerated \u003e ago(timeframe)\\n | where Computer in~ (ADFS_Servers)\\n | where Account !endswith \\\"$\\\"\\n | where EventID == 5145\\n | where RelativeTargetName =~ \\\"svcctl\\\" or RelativeTargetName =~ \\\"atsvc\\\"\\n)\\n// Check for lateral movement\\n| join kind=inner\\n(SecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Account !endswith \\\"$\\\"\\n| where EventID == 4624 and LogonType == 3\\n) on $left.SubjectLogonId == $right.TargetLogonId\\n| project TimeGenerated, Account, Computer, EventID, RelativeTargetName\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"LateralMovement\"],\"displayName\":\"Gain Code Execution on ADFS Server via SMB + Remote Service or Scheduled Task\",\"description\":\"This query detects instances where an attacker has gained the ability to execute code on an ADFS Server through SMB and Remote Service or Scheduled Task.\",\"lastUpdatedDateUTC\":\"2022-01-30T00:00:00Z\",\"createdDateUTC\":\"2021-03-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/155f40c6-610d-497d-85fc-3cf06ec13256\",\"name\":\"155f40c6-610d-497d-85fc-3cf06ec13256\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.4.1\",\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"yahoo-verification.org\\\",\\\"support-servics.com\\\",\\\"verification-live.com\\\",\\\"com-mailbox.com\\\",\\\"com-myaccuants.com\\\",\\\"notification-accountservice.com\\\",\\n\\\"accounts-web-mail.com\\\",\\\"customer-certificate.com\\\",\\\"session-users-activities.com\\\",\\\"user-profile-credentials.com\\\",\\\"verify-linke.com\\\",\\\"support-servics.net\\\",\\\"verify-linkedin.net\\\", \\n\\\"yahoo-verification.net\\\",\\\"yahoo-verify.net\\\",\\\"outlook-verify.net\\\",\\\"com-users.net\\\",\\\"verifiy-account.net\\\",\\\"te1egram.net\\\",\\\"account-verifiy.net\\\",\\\"myaccount-services.net\\\",\\n\\\"com-identifier-servicelog.name\\\",\\\"microsoft-update.bid\\\",\\\"outlook-livecom.bid\\\",\\\"update-microsoft.bid\\\",\\\"documentsfilesharing.cloud\\\",\\\"com-microsoftonline.club\\\",\\n\\\"confirm-session-identifier.info\\\",\\\"session-management.info\\\",\\\"confirmation-service.info\\\",\\\"document-share.info\\\",\\\"broadcast-news.info\\\",\\\"customize-identity.info\\\",\\\"webemail.info\\\",\\n\\\"com-identifier-servicelog.info\\\",\\\"documentsharing.info\\\",\\\"notification-accountservice.info\\\",\\\"identifier-activities.info\\\",\\\"documentofficupdate.info\\\",\\\"recoveryusercustomer.info\\\",\\n\\\"serverbroadcast.info\\\",\\\"account-profile-users.info\\\",\\\"account-service-management.info\\\",\\\"accounts-manager.info\\\",\\\"activity-confirmation-service.info\\\",\\\"com-accountidentifier.info\\\",\\n\\\"com-privacy-help.info\\\",\\\"com-sessionidentifier.info\\\",\\\"com-useraccount.info\\\",\\\"confirmation-users-service.info\\\",\\\"confirm-identity.info\\\",\\\"confirm-session-identification.info\\\",\\n\\\"continue-session-identifier.info\\\",\\\"customer-recovery.info\\\",\\\"customers-activities.info\\\",\\\"elitemaildelivery.info\\\",\\\"email-delivery.info\\\",\\\"identify-user-session.info\\\",\\n\\\"message-serviceprovider.info\\\",\\\"notificationapp.info\\\",\\\"notification-manager.info\\\",\\\"recognized-activity.info\\\",\\\"recover-customers-service.info\\\",\\\"recovery-session-change.info\\\",\\n\\\"service-recovery-session.info\\\",\\\"service-session-continue.info\\\",\\\"session-mail-customers.info\\\",\\\"session-managment.info\\\",\\\"session-verify-user.info\\\",\\\"shop-sellwear.info\\\",\\n\\\"supportmailservice.info\\\",\\\"terms-service-notification.info\\\",\\\"user-activity-issues.info\\\",\\\"useridentity-confirm.info\\\",\\\"users-issue-services.info\\\",\\\"verify-user-session.info\\\",\\n\\\"login-gov.info\\\",\\\"notification-signal-agnecy.info\\\",\\\"notifications-center.info\\\",\\\"identifier-services-sessions.info\\\",\\\"customers-manager.info\\\",\\\"session-manager.info\\\",\\n\\\"customer-managers.info\\\",\\\"confirmation-recovery-options.info\\\",\\\"service-session-confirm.info\\\",\\\"session-recovery-options.info\\\",\\\"services-session-confirmation.info\\\",\\n\\\"notification-managers.info\\\",\\\"activities-services-notification.info\\\",\\\"activities-recovery-options.info\\\",\\\"activity-session-recovery.info\\\",\\\"customers-services.info\\\",\\n\\\"sessions-notification.info\\\",\\\"download-teamspeak.info\\\",\\\"services-issue-notification.info\\\",\\\"microsoft-upgrade.mobi\\\",\\\"broadcastnews.pro\\\",\\\"mobile-messengerplus.network\\\"]);\\nlet IPList = dynamic([\\\"51.91.200.147\\\"]);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend RequestURLIP = extract(IPRegex, 0, Message)\\n| where (isnotempty(SourceIP) and SourceIP in (IPList)) or (isnotempty(DestinationIP) and DestinationIP in (IPList)) \\nor (isnotempty(DNSName) and DNSName in~ (DomainNames)) or (isnotempty(DestinationHostName) and DestinationHostName in~ (DomainNames)) or (isnotempty(RequestURL) and (RequestURL has_any (DomainNames) or RequestURLIP in (IPList))) \\nor (isnotempty(Message) and MessageIP in (IPList))\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", RequestURLIP in (IPList), \\\"RequestUrl\\\", \\\"NoMatch\\\") \\n| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP,IPMatch == \\\"Message\\\", MessageIP,\\nIPMatch == \\\"RequestUrl\\\", RequestURLIP,\\\"NoMatch\\\"), Account = SourceUserID, Host = DeviceName\\n),\\n(_Im_Dns (domain_has_any=DomainNames)\\n| extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host),\\n(_Im_Dns (response_has_any_prefix=IPList)\\n| extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host),\\n(_Im_WebSession(url_has_any=DomainNames)\\n| extend DestinationIPAddress = DstIpAddr, DNSName = tostring(parse_url(Url)[\\\"Host\\\"]), Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host),\\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where isnotempty(SourceIp) or isnotempty(DestinationIp) or isnotempty(DNSName)\\n| where SourceIp in (IPList) or DestinationIp in (IPList) or DNSName in~ (DomainNames)\\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"None\\\"), Host = Computer),\\n(OfficeActivity\\n| extend SourceIPAddress = ClientIP, Account = UserId\\n| where SourceIPAddress in (IPList)\\n| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPCustomEntity = SourceHost \\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Known Phosphorus group domains/IP\",\"description\":\"Matches domain name IOCs related to Phosphorus group activity with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes.\\nReferences: https://blogs.microsoft.com/on-the-issues/2019/03/27/new-steps-to-protect-customers-from-hacking/.\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2020-10-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a1bddaf8-982b-4089-ba9e-6590dfcf80ea\",\"name\":\"a1bddaf8-982b-4089-ba9e-6590dfcf80ea\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"let error403_count_threshold=200;\\n_Im_WebSession(eventresultdetails_in=\\\"403\\\")\\n| extend ParsedUrl=parse_url(Url)\\n| extend UrlHost=tostring(ParsedUrl[\\\"Host\\\"]), UrlSchema=tostring(ParsedUrl[\\\"Schema\\\"])\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), NumberOfErrors = count(), Urls=makeset(Url) by UrlHost, SrcIpAddr\\n| where NumberOfErrors \u003e error403_count_threshold\\n| sort by NumberOfErrors desc\\n| extend Url=tostring(Urls[0])\",\"customDetails\":{\"NumberOfErrors\":\"NumberOfErrors\"},\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URL\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Excessive number of HTTP authentication failures from {{SrcIpAddr}\",\"alertDescriptionFormat\":\"A client with address {{SrcIpAddr}} generated a large number of failed authentication HTTP requests. This may indicate a [brute force](https://en.wikipedia.org/wiki/Brute-force_attack) or [credential stuffing](https://en.wikipedia.org/wiki/Credential_stuffing) attack.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"Persistence\",\"CredentialAccess\"],\"displayName\":\"Excessive number of HTTP authentication failures from a source (ASIM Web Session schema)\",\"description\":\"This rule identifies a source that repeatedly fails to authenticate to a web service (HTTP response code 403). This may indicate a [brute force](https://en.wikipedia.org/wiki/Brute-force_attack) or [credential stuffing](https://en.wikipedia.org/wiki/Credential_stuffing) attack.\u003cbr\u003e\u003cbr\u003e\\nThis rule uses the [Advanced Security Information Model (ASIM)](https://aka.ms/AboutSIM) and supports any web session source that complies with ASIM. \",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2022-03-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2a09f8cb-deb7-4c40-b08b-9137667f1c0b\",\"name\":\"2a09f8cb-deb7-4c40-b08b-9137667f1c0b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"AuditLogs\\n | where OperationName in (\\\"Add eligible member (permanent)\\\", \\\"Add eligible member (eligible)\\\")\\n | extend Role = tostring(TargetResources[0].displayName)\\n | where Role contains \\\"admin\\\"\\n | extend AddedBy = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend AddedUser = tostring(TargetResources[2].userPrincipalName)\\n | project-reorder TimeGenerated, AddedUser, Role, AddedBy\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddedBy\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddedUser\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"User Added to Admin Role\",\"description\":\"Detects a user being added to a new privileged role. Monitor these additions to ensure the users are made eligible for these roles are intended to have these levels of access.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/dc99e38c-f4e9-4837-94d7-353ac0b01a77\",\"name\":\"dc99e38c-f4e9-4837-94d7-353ac0b01a77\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let threshold = 10;\\n let default_ad_attributes = dynamic([\\\"LastDirSyncTime\\\", \\\"StsRefreshTokensValidFrom\\\", \\\"Included Updated Properties\\\", \\\"AccountEnabled\\\", \\\"Action Client Name\\\", \\\"SourceAnchor\\\"]);\\n AuditLogs\\n | where OperationName =~ \\\"Add user\\\"\\n | where Result =~ \\\"success\\\"\\n | extend properties = TargetResources[0].modifiedProperties\\n | mv-expand properties\\n | evaluate bag_unpack(properties)\\n | summarize count() by displayName, TenantId\\n | where displayName !in (default_ad_attributes)\\n | top threshold by count_ desc\\n | summarize make_set(displayName) by TenantId\\n | join kind=inner (AuditLogs\\n | where Result =~ \\\"success\\\"\\n | where OperationName =~ \\\"Add user\\\"\\n | extend CreatingUserPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend CreatedUserPrincipalName = tostring(TargetResources[0].userPrincipalName)\\n | extend AccountProperties = TargetResources[0].modifiedProperties\\n | mv-expand AccountProperties\\n | extend PropName = tostring(AccountProperties.displayName)) on TenantId\\n | summarize makeset(PropName) by TimeGenerated, CorrelationId, CreatedUserPrincipalName, CreatingUserPrincipalName, tostring(set_displayName)\\n | extend missing_props = set_difference(todynamic(set_displayName), set_PropName)\\n | where array_length(missing_props) \u003e 0\\n | join kind=innerunique (AuditLogs\\n | where Result =~ \\\"success\\\"\\n | where OperationName =~ \\\"Add user\\\"\\n | extend CreatedUserPrincipalName = tostring(TargetResources[0].userPrincipalName)) on CorrelationId, CreatedUserPrincipalName\\n | extend ExpectedProperties = set_displayName\\n | project-away set_displayName, set_PropName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CreatingUserPrincipalName\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CreatedUserPrincipalName\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"User account created without expected attributes defined\",\"description\":\"This query looks for accounts being created that do not have attributes populated that are commonly populated in the tenant.\\n Attackers may attempt to add accounts as a means of establishing persistant access to an environment, looking for anomalies in created accounts may help identify illegitimately created accounts.\\n Created accounts should be investigated to ensure they were legitimated created.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#accounts-not-following-naming-policies\",\"lastUpdatedDateUTC\":\"2022-07-09T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/aa1eff90-29d4-49dc-a3ea-b65199f516db\",\"name\":\"aa1eff90-29d4-49dc-a3ea-b65199f516db\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Low\",\"query\":\"(union isfuzzy=true\\n(SecurityEvent\\n| where EventID == 4720\\n| where AccountType == \\\"User\\\"\\n| project CreatedUserTime = TimeGenerated, CreatedUserEventID = EventID, CreatedUserActivity = Activity, Computer = toupper(Computer), \\nCreatedUser = tolower(TargetAccount), CreatedUserSid = TargetSid, AccountUsedToCreateUser = strcat(SubjectAccount), SidofAccountUsedToCreateUser = SubjectUserSid\\n),\\n(WindowsEvent\\n| where EventID == 4720\\n| extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| extend AccountType=case(EventData.SubjectUserName endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n| where AccountType == \\\"User\\\"\\n| extend SubjectAccount = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| extend Activity=\\\"4720 - A user account was created.\\\"\\n| extend TargetSid = tostring(EventData.TargetSid)\\n| project CreatedUserTime = TimeGenerated, CreatedUserEventID = EventID, CreatedUserActivity = Activity, Computer = toupper(Computer), \\nCreatedUser = tolower(TargetAccount), CreatedUserSid = TargetSid, AccountUsedToCreateUser = strcat(SubjectAccount), SidofAccountUsedToCreateUser = SubjectUserSid\\n))\\n| join ((union isfuzzy=true\\n(SecurityEvent \\n| where AccountType == \\\"User\\\"\\n// 4732 - A member was added to a security-enabled local group\\n| where EventID == 4732\\n// TargetSid is the builin Admins group: S-1-5-32-544\\n| where TargetSid == \\\"S-1-5-32-544\\\"\\n| project GroupAddTime = TimeGenerated, GroupAddEventID = EventID, GroupAddActivity = Activity, Computer = toupper(Computer), GroupName = tolower(TargetAccount), \\nGroupSid = TargetSid, AccountThatAddedUser = SubjectAccount, SIDofAccountThatAddedUser = SubjectUserSid, CreatedUserSid = MemberSid\\n),\\n( WindowsEvent \\n// 4732 - A member was added to a security-enabled local group\\n| where EventID == 4732 and EventData has \\\"S-1-5-32-544\\\"\\n//TargetSid is the builin Admins group: S-1-5-32-544\\n| extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| extend AccountType=case(EventData.SubjectUserName endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n| where AccountType == \\\"User\\\"\\n| extend TargetSid = tostring(EventData.TargetSid)\\n| where TargetSid == \\\"S-1-5-32-544\\\"\\n| extend SubjectAccount = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| extend Activity=\\\"4732 - A member was added to a security-enabled local group.\\\"\\n| extend MemberSid = tostring(EventData.MemberSid)\\n| project GroupAddTime = TimeGenerated, GroupAddEventID = EventID, GroupAddActivity = Activity, Computer = toupper(Computer), GroupName = tolower(TargetAccount), \\nGroupSid = TargetSid, AccountThatAddedUser = SubjectAccount, SIDofAccountThatAddedUser = SubjectUserSid, CreatedUserSid = MemberSid)\\n))\\non CreatedUserSid\\n//Create User first, then the add to the group.\\n| project Computer, CreatedUserTime, CreatedUserEventID, CreatedUserActivity, CreatedUser, CreatedUserSid, GroupAddTime, GroupAddEventID, \\nGroupAddActivity, AccountUsedToCreateUser, GroupName, GroupSid, AccountThatAddedUser, SIDofAccountThatAddedUser \\n| extend timestamp = CreatedUserTime, AccountCustomEntity = CreatedUser, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"Sid\",\"columnName\":\"CreatedUserSid\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"New user created and added to the built-in administrators group\",\"description\":\"Identifies when a user account was created and then added to the builtin Administrators group in the same day.\\nThis should be monitored closely and all additions reviewed.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2019-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d23ed927-5be3-4902-a9c1-85f841eb4fa1\",\"name\":\"d23ed927-5be3-4902-a9c1-85f841eb4fa1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n DuoSecurityAuthentication_CL\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(access_device_ip_s)\\n // renaming time column so it is clear the log this came from\\n | extend Duo_TimeGenerated = isotimestamp_t\\n)\\non $left.TI_ipEntity == $right.access_device_ip_s\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, Duo_TimeGenerated,\\nTI_ipEntity, user_name_s, factor_s, result_s, application_name_s, event_type_s, txid_g, user_key_s, access_device_ip_s, access_device_location_city_s, access_device_location_state_s, access_device_location_country_s\\n| extend timestamp = Duo_TimeGenerated, IPCustomEntity = access_device_ip_s, AccountCustomEntity = user_name_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to Duo Security\",\"description\":\"Identifies a match in DuoSecurity from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2bc7b4ae-eeaa-4538-ba15-ef298ec1ffae\",\"name\":\"2bc7b4ae-eeaa-4538-ba15-ef298ec1ffae\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n| where EventID == 4656\\n| extend EventData = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, TargetAccount, Computer, EventSourceName, Channel, Task, Level, EventID, Activity, TargetLogonId, SourceComputerId, EventOriginId, Type, _ResourceId, TenantId, SourceSystem, ManagementGroupName, IpAddress, Account)\\n| extend ObjectServer = column_ifexists(\u0027ObjectServer\u0027, \\\"\\\"), ObjectType = column_ifexists(\u0027ObjectType\u0027, \\\"\\\"), ObjectName = column_ifexists(\u0027ObjectName\u0027, \\\"\\\")\\n| where isnotempty(ObjectServer) and isnotempty(ObjectType) and isnotempty(ObjectName)\\n| where ObjectServer =~ \\\"SC Manager\\\" and ObjectType =~ \\\"SERVICE OBJECT\\\" and ObjectName =~ \\\"HealthService\\\"\\n// Comment out the join below if the SACL only audits users that are part of the Network logon users, i.e. with user/group target pointing to \\\"NU.\\\"\\n| join kind=leftouter (\\n SecurityEvent\\n | where EventID == 4624\\n) on TargetLogonId\\n| project TimeGenerated, Computer, Account, TargetAccount, IpAddress,TargetLogonId, ObjectServer, ObjectType, ObjectName\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Starting or Stopping HealthService to Avoid Detection\",\"description\":\"This query detects events where an actor is stopping or starting HealthService to disable telemetry collection/detection from the agent.\\n The query requires a SACL to audit for access request to the service.\",\"lastUpdatedDateUTC\":\"2022-01-17T00:00:00Z\",\"createdDateUTC\":\"2021-03-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bff093b2-500e-4ae5-bb49-a5b1423cbd5b\",\"name\":\"bff093b2-500e-4ae5-bb49-a5b1423cbd5b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"OfficeActivity\\n| where OfficeWorkload =~ \\\"MicrosoftTeams\\\"\\n| where Operation =~ \\\"MemberAdded\\\"\\n| extend UPN = tostring(parse_json(Members)[0].UPN)\\n| where UPN contains (\\\"#EXT#\\\")\\n| project TimeAdded=TimeGenerated, Operation, UPN, UserWhoAdded = UserId, TeamName\\n| join (\\n OfficeActivity\\n| where OfficeWorkload =~ \\\"MicrosoftTeams\\\"\\n| where Operation =~ \\\"MemberRemoved\\\"\\n| extend UPN = tostring(parse_json(Members)[0].UPN)\\n| where UPN contains (\\\"#EXT#\\\")\\n| project TimeDeleted=TimeGenerated, Operation, UPN, UserWhoDeleted = UserId, TeamName\\n) on UPN\\n| where TimeDeleted \u003e TimeAdded\\n| project TimeAdded, TimeDeleted, UPN, UserWhoAdded, UserWhoDeleted, TeamName\\n| extend timestamp = TimeAdded, AccountCustomEntity = UPN\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"External user added and removed in short timeframe\",\"description\":\"This detection flags the occurances of external user accounts that are added to a Team and then removed within\\none hour.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-09-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity (Teams)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9367dff0-941d-44e2-8875-cb48570c7add\",\"name\":\"9367dff0-941d-44e2-8875-cb48570c7add\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"Event\\n| where EventLog == \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID in (13)\\n| parse EventData with * \u0027TargetObject\\\"\u003e\u0027 TargetObject \\\"\u003c\\\" * \u0027Details\\\"\u003e\u0027 Details \\\"\u003c\\\" * \\n| where TargetObject has \\\"\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Windows\\\\\\\\AppInit_DLLs\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventID, Computer, TargetObject, Details\",\"entityMappings\":[{\"entityType\":\"RegistryKey\",\"fieldMappings\":[{\"identifier\":\"Key\",\"columnName\":\"TargetObject\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Registry Persistence via AppInit DLLs Modification\",\"description\":\"Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes. \\nDynamic-link libraries (DLLs) that are specified in the AppInit_DLLs value in the Registry keys HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows or HKEY_LOCAL_MACHINE\\\\Software\\\\Wow6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows are loaded by user32.dll into every process that loads user32.dll. In practice this is nearly every program, since user32.dll is a very common library.\\nRef: https://attack.mitre.org/techniques/T1546/010/\",\"lastUpdatedDateUTC\":\"2022-03-21T00:00:00Z\",\"createdDateUTC\":\"2022-03-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8d537f3c-094f-430c-a588-8a87da36ee3a\",\"name\":\"8d537f3c-094f-430c-a588-8a87da36ee3a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let timeframe = 15m;\\nlet user_agents=dynamic([\\n \u0027(hydra)\u0027,\\n \u0027 arachni/\u0027,\\n \u0027 BFAC \u0027,\\n \u0027 brutus \u0027,\\n \u0027 cgichk \u0027,\\n \u0027core-project/1.0\u0027,\\n \u0027 crimscanner/\u0027,\\n \u0027datacha0s\u0027,\\n \u0027dirbuster\u0027,\\n \u0027domino hunter\u0027,\\n \u0027dotdotpwn\u0027,\\n \u0027FHScan Core\u0027,\\n \u0027floodgate\u0027,\\n \u0027get-minimal\u0027,\\n \u0027gootkit auto-rooter scanner\u0027,\\n \u0027grendel-scan\u0027,\\n \u0027 inspath \u0027,\\n \u0027internet ninja\u0027,\\n \u0027jaascois\u0027,\\n \u0027 zmeu \u0027,\\n \u0027masscan\u0027,\\n \u0027 metis \u0027,\\n \u0027morfeus fucking scanner\u0027,\\n \u0027n-stealth\u0027,\\n \u0027nsauditor\u0027,\\n \u0027pmafind\u0027,\\n \u0027security scan\u0027,\\n \u0027springenwerk\u0027,\\n \u0027teh forest lobster\u0027,\\n \u0027toata dragostea\u0027,\\n \u0027 vega/\u0027,\\n \u0027voideye\u0027,\\n \u0027webshag\u0027,\\n \u0027webvulnscan\u0027,\\n \u0027 whcc/\u0027,\\n \u0027 Havij\u0027,\\n \u0027absinthe\u0027,\\n \u0027bsqlbf\u0027,\\n \u0027mysqloit\u0027,\\n \u0027pangolin\u0027,\\n \u0027sql power injector\u0027,\\n \u0027sqlmap\u0027,\\n \u0027sqlninja\u0027,\\n \u0027uil2pn\u0027,\\n \u0027ruler\u0027,\\n \u0027Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-PT; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)\u0027\\n ]);\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(timeframe)\\n| where HttpUserAgentOriginal has_any (user_agents)\\n| extend Message = \\\"Hack Tool User Agent\\\"\\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated, HttpUserAgentOriginal\\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - Hack Tool User-Agent Detected\",\"description\":\"Detects suspicious user agent strings used by known hack tools\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/30c8b802-ace1-4408-bc29-4c5c5afb49e1\",\"name\":\"30c8b802-ace1-4408-bc29-4c5c5afb49e1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"imProcess\\n | where EventType =~ \\\"ProcessCreated\\\"\\n | where Process endswith \\\"svchost.exe\\\"\\n | where CommandLine has \\\"-k GPSvcGroup\\\" or CommandLine has \\\"-s gpsvc\\\"\\n | extend timekey = bin(TimeGenerated, 1m)\\n | project timekey, ActingProcessId, Dvc\\n | join kind=inner (imProcess\\n | where EventType =~ \\\"ProcessCreated\\\"\\n | where Process =~ \\\"sdelete.exe\\\" or CommandLine has \\\"sdelete\\\"\\n | where ActingProcessName endswith \\\"svchost.exe\\\"\\n | where CommandLine has_all (\\\"-s\\\", \\\"-r\\\")\\n | extend timekey = bin(TimeGenerated, 1m)\\n ) on $left.ActingProcessId == $right.ParentProcessId, timekey, Dvc\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ActorUsername\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DvcIpAddr\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Dvc\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Sdelete deployed via GPO and run recursively (ASIM Version)\",\"description\":\"This query looks for the Sdelete process being run recursively after being deployed to a host via GPO. Attackers could use this technique to deploy Sdelete to multiple host and delete data on them.\\n This query uses the Advanced Security Information Model. Parsers will need to be deployed before use: https://docs.microsoft.com/azure/sentinel/normalization\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-03-01T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/84cccc86-5c11-4b3a-aca6-7c8f738ed0f7\",\"name\":\"84cccc86-5c11-4b3a-aca6-7c8f738ed0f7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n | where OperationName has_all (\\\"member to role\\\", \\\"add\\\")\\n | where Result =~ \\\"Success\\\"\\n | extend type_ = tostring(TargetResources[0].type)\\n | where type_ =~ \\\"ServicePrincipal\\\"\\n | where isnotempty(TargetResources)\\n | extend ServicePrincipal = tostring(TargetResources[0].displayName)\\n | extend SPID = tostring(TargetResources[0].id)\\n | mv-expand TargetResources[0].modifiedProperties\\n | extend TargetResources_0_modifiedProperties = columnifexists(\\\"TargetResources_0_modifiedProperties\\\", \u0027\u0027)\\n | where isnotempty(TargetResources_0_modifiedProperties)\\n | where TargetResources_0_modifiedProperties.displayName =~ \\\"Role.DisplayName\\\"\\n | extend TargetRole = parse_json(tostring(TargetResources_0_modifiedProperties.newValue))\\n | where TargetRole contains \\\"admin\\\"\\n | extend AddedByApp = iif(\\n isnotempty(tostring(parse_json(tostring(InitiatedBy.app)).servicePrincipalName)),\\n tostring(parse_json(tostring(InitiatedBy.app)).servicePrincipalName),\\n tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n )\\n | extend AddedByUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend AddedBy = iif(isnotempty(AddedByApp), AddedByApp, AddedByUser)\\n | extend IpAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n | project-reorder TimeGenerated, ServicePrincipal, SPID, TargetRole, AddedBy, IpAddress\\n | project-away AddedByApp, AddedByUser\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"SPID\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddedBy\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Service Principal Assigned Privileged Role\",\"description\":\"Detects a privileged role being added to a Service Principal.\\n Ensure that any assignment to a Service Principal is valid and appropriate - Service Principals should not be assigned to very highly privileged roles such as Global Admin.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts\",\"lastUpdatedDateUTC\":\"2022-07-09T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8dcf7238-a7d0-4cfd-8d0c-b230e3cd9182\",\"name\":\"8dcf7238-a7d0-4cfd-8d0c-b230e3cd9182\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5M\",\"queryPeriod\":\"PT5M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let timeframe = ago(5m);\\nDuoSecurityTrustMonitor_CL\\n| where TimeGenerated \u003e= timeframe\\n| extend AccountCustomEntity = surfaced_auth_user_name_s, IPCustomEntity = surfaced_auth_access_device_ip_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Trust Monitor Event\",\"description\":\"This query identifies when a new trust monitor event is detected.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-13T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/dcdf9bfc-c239-4764-a9f9-3612e6dff49c\",\"name\":\"dcdf9bfc-c239-4764-a9f9-3612e6dff49c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"// Adjust this to use a longer timeframe to identify ADFS servers\\n//let lookback = 6d;\\n// Adjust this to adjust the key export detection timeframe\\n//let timeframe = 1d;\\n// Start be identifying ADFS servers to reduce FP chance\\nlet ADFS_Servers = (\\nEvent\\n//| where TimeGenerated \u003e ago(timeframe+lookback)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 18\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, MG, ManagementGroupName, _ResourceId)\\n| extend Image = column_ifexists(\\\"Image\\\", \\\"\\\")\\n| extend process = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n| where process =~ \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| summarize by Computer);\\n// Look for ADFS servers where Named Pipes event are present\\nEvent\\n//| where TimeGenerated \u003e ago(timeframe)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 18\\n| where Computer in~ (ADFS_Servers)\\n| extend RenderedDescription = tostring(split(RenderedDescription, \\\":\\\")[0])\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| extend RuleName = column_ifexists(\\\"RuleName\\\", \\\"\\\"),\\n TechniqueId = column_ifexists(\\\"TechniqueId\\\", \\\"\\\"),\\n TechniqueName = column_ifexists(\\\"TechniqueName\\\", \\\"\\\"),\\n Image = column_ifexists(\\\"Image\\\", \\\"\\\"),\\n PipeName = column_ifexists(\\\"PipeName\\\", \\\"\\\"),\\n EventType = column_ifexists(\\\"EventType\\\", \\\"\\\")\\n| parse RuleName with * \u0027technique_id=\u0027 TechniqueId \u0027,\u0027 * \u0027technique_name=\u0027 TechniqueName\\n// Look for Pipe related to querying the WID\\n| where PipeName == \\\"\\\\\\\\MICROSOFT##WID\\\\\\\\tsql\\\\\\\\query\\\"\\n| extend process = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n// Exclude expected processes\\n| where process !in (\\\"Microsoft.IdentityServer.ServiceHost.exe\\\", \\\"Microsoft.Identity.Health.Adfs.PshSurrogate.exe\\\", \\\"AzureADConnect.exe\\\", \\\"Microsoft.Tri.Sensor.exe\\\", \\\"wsmprovhost.exe\\\",\\\"mmc.exe\\\", \\\"sqlservr.exe\\\")\\n| extend Operation = RenderedDescription\\n| project-reorder TimeGenerated, EventType, Operation, process, Image, Computer, UserName\\n| extend HostCustomEntity = Computer, AccountCustomEntity = UserName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Collection\"],\"displayName\":\"ADFS Database Named Pipe Connection\",\"description\":\"This detection uses Sysmon telemetry to detect suspicious local connections via a named pipe to the AD FS configuration database (Windows Internal Database).\\nIn order to use this query you need to be collecting Sysmon EventIdD 18 (Pipe Connected).\\nIf you do not have Sysmon data in your workspace this query will raise an error stating:\\nFailed to resolve scalar expression named \\\"[@Name]\",\"lastUpdatedDateUTC\":\"2021-11-23T00:00:00Z\",\"createdDateUTC\":\"2020-12-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3617d76d-b15e-4c6f-985e-a1dac73c592d\",\"name\":\"3617d76d-b15e-4c6f-985e-a1dac73c592d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"SigninLogs\\n| where ResultType == 500121\\n| extend additionalDetails_ = tostring(Status.additionalDetails)\\n| where additionalDetails_ =~ \\\"MFA denied; user declined the authentication\\\"\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"NRT MFA Rejected by User\",\"description\":\"Identifies occurrences where a user has rejected an MFA prompt. This could be an indicator that a threat actor has compromised the username and password of this user account and is using it to try and log into the account.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\",\"lastUpdatedDateUTC\":\"2022-02-08T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5436f471-b03d-41cb-b333-65891f887c43\",\"name\":\"5436f471-b03d-41cb-b333-65891f887c43\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Informational\",\"query\":\"GitHubRepo\\n| where Action == \\\"vulnerabilityAlert\\\"\\n| project TimeGenerated, DismmisedAt, Reason, vulnerableManifestFilename, Description, Link, PublishedAt, Severity, Summary\",\"entityMappings\":[],\"displayName\":\"GitHub Security Vulnerability in Repository\",\"description\":\"This alerts when there is a new security vulnerability in a GitHub repository.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-10T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d82e1987-4356-4a7b-bc5e-064f29b143c0\",\"name\":\"d82e1987-4356-4a7b-bc5e-064f29b143c0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"(union isfuzzy=true \\n(SecurityEvent\\n| where EventID == 4688\\n| where Process =~ \u0027rundll32.exe\u0027 \\n| where CommandLine has_all (\u0027Execute\u0027,\u0027RegRead\u0027,\u0027window.close\u0027)\\n| project TimeGenerated, Computer, Account, Process, NewProcessName, CommandLine, ParentProcessName, _ResourceId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account\\n),\\n(WindowsEvent\\n| where EventID == 4688 and EventData has \u0027rundll32.exe\u0027 and EventData has_any (\u0027Execute\u0027,\u0027RegRead\u0027,\u0027window.close\u0027)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where Process =~ \u0027rundll32.exe\u0027 \\n| extend CommandLine = tostring(EventData.CommandLine)\\n| where CommandLine has_all (\u0027Execute\u0027,\u0027RegRead\u0027,\u0027window.close\u0027)\\n| extend Account = strcat(EventData.SubjectDomainName,\\\"\\\\\\\\\\\", EventData.SubjectUserName)\\n| extend ParentProcessName = tostring(EventData.ParentProcessName) \\n| project TimeGenerated, Computer, Account, Process, NewProcessName, CommandLine, ParentProcessName, _ResourceId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account\\n) )\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"NOBELIUM - suspicious rundll32.exe execution of vbscript\",\"description\":\"This query idenifies when rundll32.exe executes a specific set of inline VBScript commands\\n References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-03-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/961b6a81-5c53-40b6-9800-4f661a8faea7\",\"name\":\"961b6a81-5c53-40b6-9800-4f661a8faea7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/DEV-0586.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\nlet Command_Line = (iocs | where Type =~ \\\"CommandLine\\\" | project IoC);\\n(union isfuzzy=true\\n(DeviceProcessEvents\\n| where InitiatingProcessSHA256 in (sha256Hashes) or SHA256 in (sha256Hashes) or ( InitiatingProcessCommandLine has (\u0027127.0.0.1\\\\\\\\ADMIN$\u0027) and InitiatingProcessCommandLine has_any (Command_Line))\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type, AccountName, SHA256\\n| extend Account = AccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = case(InitiatingProcessSHA256 in (sha256Hashes), \\\"InitiatingProcessSHA256\\\", SHA256 in (sha256Hashes), \\\"SHA256\\\", \\\"No Match\\\")\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = case(FileHash == \\\"InitiatingProcessSHA256\\\", InitiatingProcessSHA256, FileHash == \\\"SHA256\\\", SHA256, \\\"No Match\\\")\\n),\\n( SecurityEvent\\n| where EventID == 4688\\n| where ( CommandLine has (@\u0027127.0.0.1\\\\\\\\ADMIN$\u0027) and CommandLine has_any (Command_Line))\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type, EventID\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName\\n),\\n( CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, SourceUserID, FileHash, Type\\n| extend timestamp = TimeGenerated, FileHashCustomEntity = \u0027SHA256\u0027, Account = SourceUserID\\n),\\n( imFileEvent\\n| where Hash in~ (sha256Hashes) or ( ActingProcessCommandLine has (\u0027127.0.0.1\\\\\\\\ADMIN$\u0027) and ActingProcessCommandLine has_any (Command_Line))\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Image = EventDetail.[4].[\\\"#text\\\"], CommandLine = EventDetail.[10].[\\\"#text\\\"], Hashes = tostring(EventDetail.[17].[\\\"#text\\\"])\\n| extend Hashes = extract_all(@\\\"(?P\u003ckey\u003e\\\\w+)=(?P\u003cvalue\u003e[a-zA-Z0-9]+)\\\", dynamic([\\\"key\\\",\\\"value\\\"]), Hashes)\\n| extend Hashes = column_ifexists(\\\"Hashes\\\", \\\"\\\"), CommandLine = column_ifexists(\\\"CommandLine\\\", \\\"\\\")\\n| where (Hashes has_any (sha256Hashes) ) or ( CommandLine has (\u0027127.0.0.1\\\\\\\\ADMIN$\u0027) and CommandLine has_any (Command_Line)) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, Hashes, CommandLine, Image\\n| extend Type = strcat(Type, \\\": \\\", Source)\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), FileHashCustomEntity = Hashes\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashAlgo\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"DEV-0586 Actor IOC - January 2022\",\"description\":\"Identifies a match across IOC\u0027s related to an actor tracked by Microsoft as DEV-0586\\n Refrence: https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/\",\"lastUpdatedDateUTC\":\"2022-01-16T00:00:00Z\",\"createdDateUTC\":\"2022-01-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/66c81ae2-1f89-4433-be00-2fbbd9ba5ebe\",\"name\":\"66c81ae2-1f89-4433-be00-2fbbd9ba5ebe\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\nlet dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n CommonSecurityLog\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | extend MessageIP = extract(IPRegex, 0, Message)\\n | extend CS_ipEntity = iff(isnotempty(SourceIP), SourceIP, DestinationIP)\\n | extend CS_ipEntity = iff(isempty(CS_ipEntity) and isnotempty(MessageIP), MessageIP, CS_ipEntity)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.CS_ipEntity\\n| where CommonSecurityLog_TimeGenerated \u003c ExpirationDateTime\\n| summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, CS_ipEntity\\n| project CommonSecurityLog_TimeGenerated, SourceIP, DestinationIP, MessageIP, Message, DeviceVendor, DeviceProduct, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, TI_ipEntity, CS_ipEntity, LogSeverity, DeviceAction\\n| extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = CS_ipEntity\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to CommonSecurityLog\",\"description\":\"Identifies a match in CommonSecurityLog from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/17f23fbe-bb73-4324-8ecf-a18545a5dc26\",\"name\":\"17f23fbe-bb73-4324-8ecf-a18545a5dc26\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P3D\",\"queryPeriod\":\"P3D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let timeframe = 3d;\\n// Get Release Pipeline Creation Events and group by day\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeframe)\\n| where OperationName =~ \\\"Release.ReleasePipelineCreated\\\"\\n// Group by day\\n| extend timekey = bin(TimeGenerated, 1d)\\n| extend PipelineId = tostring(Data.PipelineId)\\n| extend PipelineName = tostring(Data.PipelineName)\\n// Rename some columns to make output clearer\\n| project-rename TimeCreated = TimeGenerated, CreatingUser = ActorUPN, CreatingUserAgent = UserAgent, CreatingIP = IpAddress\\n// Join with Release Pipeline Deletions where Pipeline ID is the same and deletion occurred on same day as creation\\n| join (AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeframe)\\n| where OperationName =~ \\\"Release.ReleasePipelineDeleted\\\"\\n// Group by day\\n| extend timekey = bin(TimeGenerated, 1d)\\n| extend PipelineId = tostring(Data.PipelineId)\\n| extend PipelineName = tostring(Data.PipelineName)\\n// Rename some things to make the output clearer\\n| project-rename TimeDeleted = TimeGenerated, DeletingUser = ActorUPN, DeletingUserAgent = UserAgent, DeletingIP = IpAddress) on PipelineId, timekey\\n| project TimeCreated, TimeDeleted, PipelineName, PipelineId, CreatingUser, CreatingIP, CreatingUserAgent, DeletingUser, DeletingIP, DeletingUserAgent, ScopeDisplayName, ProjectName, Data, OperationName, OperationName1\\n| extend timestamp = TimeCreated, AccountCustomEntity = CreatingUser, IPCustomEntity = CreatingIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DeletingUser\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DeletingIP\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"Azure DevOps Pipeline Created and Deleted on the Same Day\",\"description\":\"An attacker with access to Azure DevOps could create a pipeline to inject artifacts used by other pipelines, \\nor to create a malicious software build that looks legitimate by using a pipeline that incorporates legitimate elements. \\nAn attacker would also likely want to cover their tracks once conducting such activity. This query looks for Pipelines \\ncreated and deleted within the same day, this is unlikely to be legitimate user activity in the majority of cases.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/83ba3057-9ea3-4759-bf6a-933f2e5bc7ee\",\"name\":\"83ba3057-9ea3-4759-bf6a-933f2e5bc7ee\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":3,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let current = 1d;\\nlet auditLookback = 7d;\\n// Setting threshold to 3 as a default, change as needed. \\n// Any operation that has been initiated by a user or app more than 3 times in the past 7 days will be excluded\\nlet threshold = 3;\\n// Gather initial data from lookback period, excluding current, adjust current to more than a single day if no results\\nlet AuditTrail = AuditLogs | where TimeGenerated \u003e= ago(auditLookback) and TimeGenerated \u003c ago(current)\\n// 2 other operations that can be part of malicious activity in this situation are \\n// \\\"Add OAuth2PermissionGrant\\\" and \\\"Add service principal\\\", extend the filter below to capture these too\\n| where OperationName has \\\"Consent to application\\\"\\n| extend InitiatedBy = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)), \\ntostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName))\\n| extend TargetResourceName = tolower(tostring(TargetResources.[0].displayName))\\n| summarize max(TimeGenerated), OperationCount = count() by OperationName, InitiatedBy, TargetResourceName\\n// only including operations by initiated by a user or app that is above the threshold so we produce only rare and has not occurred in last 7 days\\n| where OperationCount \u003e threshold\\n;\\n// Gather current period of audit data\\nlet RecentConsent = AuditLogs | where TimeGenerated \u003e= ago(current)\\n| where OperationName has \\\"Consent to application\\\"\\n| extend IpAddress = case(\\nisnotempty(tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)) and tostring(parse_json(tostring(InitiatedBy.user)).ipAddress) != \u0027null\u0027, tostring(parse_json(tostring(InitiatedBy.user)).ipAddress), \\nisnotempty(tostring(parse_json(tostring(InitiatedBy.app)).ipAddress)) and tostring(parse_json(tostring(InitiatedBy.app)).ipAddress) != \u0027null\u0027, tostring(parse_json(tostring(InitiatedBy.app)).ipAddress),\\n\u0027Not Available\u0027)\\n| extend InitiatedBy = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)), \\ntostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName))\\n| extend TargetResourceName = tolower(tostring(TargetResources.[0].displayName))\\n| parse TargetResources.[0].modifiedProperties with * \\\"ConsentType: \\\" ConsentType \\\"]\\\" *\\n| mv-expand AdditionalDetails\\n| extend UserAgent = iff(AdditionalDetails.key == \\\"User-Agent\\\",tostring(AdditionalDetails.value),\\\"\\\")\\n| project TimeGenerated, InitiatedBy, IpAddress, TargetResourceName, Category, OperationName, ConsentType, UserAgent, CorrelationId, Type;\\n// Exclude previously seen audit activity for \\\"Consent to application\\\" that was seen in the lookback period\\n// First for rare InitiatedBy\\nlet RareConsentBy = RecentConsent | join kind= leftanti AuditTrail on OperationName, InitiatedBy \\n| extend Reason = \\\"Previously unseen user consenting\\\";\\n// Second for rare TargetResourceName\\nlet RareConsentApp = RecentConsent | join kind= leftanti AuditTrail on OperationName, TargetResourceName\\n| extend Reason = \\\"Previously unseen app granted consent\\\";\\nRareConsentBy | union RareConsentApp\\n| summarize Reason = makeset(Reason) by TimeGenerated, InitiatedBy, IpAddress, TargetResourceName, Category, OperationName, ConsentType, UserAgent, CorrelationId, Type\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatedBy, HostCustomEntity = TargetResourceName, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Rare application consent\",\"description\":\"This will alert when the \\\"Consent to application\\\" operation occurs by a user that has not done this operation before or rarely does this.\\nThis could indicate that permissions to access the listed Azure App were provided to a malicious actor. \\nConsent to application, Add service principal and Add OAuth2PermissionGrant should typically be rare events. \\nThis may help detect the Oauth2 attack that can be initiated by this publicly available tool - https://github.com/fireeye/PwnAuth\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2019-07-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/69b7723c-2889-469f-8b55-a2d355ed9c87\",\"name\":\"69b7723c-2889-469f-8b55-a2d355ed9c87\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.3\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n DnsEvents\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where SubType =~ \\\"LookupQuery\\\" and isnotempty(IPAddresses)\\n | mv-expand SingleIP = split(IPAddresses, \\\", \\\") to typeof(string)\\n // renaming time column so it is clear the log this came from\\n | extend DNS_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.SingleIP\\n| where DNS_TimeGenerated \u003c ExpirationDateTime\\n| summarize DNS_TimeGenerated = arg_max(DNS_TimeGenerated , *) by IndicatorId, SingleIP\\n| project DNS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, DomainName, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, Computer, EventId, SubType, ClientIP, Name, IPAddresses, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = DNS_TimeGenerated, IPCustomEntity = ClientIP, HostCustomEntity = Computer, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to DnsEvents\",\"description\":\"Identifies a match in DnsEvents from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2022-06-27T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c63ae777-d5e0-4113-8c9a-c2c9d3d09fcd\",\"name\":\"c63ae777-d5e0-4113-8c9a-c2c9d3d09fcd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"let args = dynamic([\\\"objectcategory\\\",\\\"domainlist\\\",\\\"dcmodes\\\",\\\"adinfo\\\",\\\"trustdmp\\\",\\\"computers_pwdnotreqd\\\",\\\"Domain Admins\\\", \\\"objectcategory=person\\\", \\\"objectcategory=computer\\\", \\\"objectcategory=*\\\",\\\"dclist\\\"]);\\nlet parentProcesses = dynamic([\\\"pwsh.exe\\\",\\\"powershell.exe\\\",\\\"cmd.exe\\\"]);\\nDeviceProcessEvents\\n//looks for execution from a shell\\n| where InitiatingProcessFileName in (parentProcesses)\\n// main filter\\n| where FileName =~ \\\"AdFind.exe\\\" or SHA256 == \\\"c92c158d7c37fea795114fa6491fe5f145ad2f8c08776b18ae79db811e8e36a3\\\"\\n // AdFind common Flags to check for from various threat actor TTPs\\n or ProcessCommandLine has_any (args)\\n| extend AccountCustomEntity = AccountName, HostCustomEntity = DeviceName, ProcessCustomEntity = InitiatingProcessFileName, CommandLineCustomEntity = ProcessCommandLine, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = SHA256\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"},{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLineCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Discovery\"],\"displayName\":\"Probable AdFind Recon Tool Usage\",\"description\":\"Identifies the host and account that executed AdFind by hash and filename in addition to common and unique flags that are used by many threat actors in discovery.\",\"lastUpdatedDateUTC\":\"2021-11-30T00:00:00Z\",\"createdDateUTC\":\"2021-04-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b31037ea-6f68-4fbd-bab2-d0d0f44c2fcf\",\"name\":\"b31037ea-6f68-4fbd-bab2-d0d0f44c2fcf\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(Url)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n Syslog\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n // Extract URL from the Syslog message but only take messages that include URLs\\n | extend Url = extract(\\\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.\u0026+]|[!*\\\\\\\\(\\\\\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+)\\\", 1,SyslogMessage)\\n | where isnotempty(Url)\\n | extend Syslog_TimeGenerated = TimeGenerated\\n) on Url\\n| where Syslog_TimeGenerated \u003c ExpirationDateTime\\n| summarize Syslog_TimeGenerated = arg_max(Syslog_TimeGenerated , *) by IndicatorId, Url\\n| project Syslog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, SyslogMessage, Computer, ProcessName, Url, HostIP\\n| extend timestamp = Syslog_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map URL entity to Syslog data\",\"description\":\"Identifies a match in Syslog data from any URL IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/af435ca1-fb70-4de1-92c1-7435c48482a9\",\"name\":\"af435ca1-fb70-4de1-92c1-7435c48482a9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let admin_users = (IdentityInfo\\n | summarize arg_max(TimeGenerated, *) by AccountUPN\\n | where AssignedRoles contains \\\"admin\\\"\\n | summarize by tolower(AccountUPN));\\n let admin_asn = (SigninLogs\\n | where TimeGenerated between (ago(7d)..ago(1d))\\n | where tolower(UserPrincipalName) in (admin_users)\\n | summarize by AutonomousSystemNumber);\\n let admin_locations = (SigninLogs\\n | where TimeGenerated between (ago(7d)..ago(1d))\\n | where tolower(UserPrincipalName) in (admin_users)\\n | summarize by Location);\\n let admin_devices = (SigninLogs\\n | where TimeGenerated between (ago(7d)..ago(1d))\\n | where tolower(UserPrincipalName) in (admin_users)\\n | extend deviceId = tostring(DeviceDetail.deviceId)\\n | where isnotempty(deviceId)\\n | summarize by deviceId);\\n SigninLogs\\n | where TimeGenerated \u003e ago(1d)\\n | where ResultType == 0\\n | where tolower(UserPrincipalName) in (admin_users)\\n | extend deviceId = tostring(DeviceDetail.deviceId)\\n | where AutonomousSystemNumber !in (admin_asn) and deviceId !in (admin_devices) and Location !in (admin_locations)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Authentications of Privileged Accounts Outside of Expected Controls\",\"description\":\"Detects when a privileged user account successfully authenticates from a location, device or ASN that another admin has not logged in from in the last 7 days.\\n Privileged accounts are a key target for threat actors, monitoring for logins from these accounts that deviate from normal activity can help identify compromised accounts.\\n Authentication attempts should be investigated to ensure the activity was legitimate and if there is other similar activity.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-successful-unusual-sign-ins\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"BehaviorAnalytics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a357535e-f722-4afe-b375-cff362b2b376\",\"name\":\"a357535e-f722-4afe-b375-cff362b2b376\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"(union isfuzzy=true\\n(OfficeActivity | where UserAgent != \\\"\\\"),\\n(OfficeActivity\\n| where RecordType in (\\\"AzureActiveDirectory\\\", \\\"AzureActiveDirectoryStsLogon\\\")\\n| extend OperationName = Operation\\n| parse ExtendedProperties with * \u0027User-Agent\\\\\\\\\\\":\\\\\\\\\\\"\u0027 UserAgent2 \u0027\\\\\\\\\u0027 *\\n| parse ExtendedProperties with * \u0027UserAgent\\\", \\\"Value\\\": \\\"\u0027 UserAgent1 \u0027\\\"\u0027 *\\n| where isnotempty(UserAgent1) or isnotempty(UserAgent2)\\n| extend UserAgent = iff( RecordType == \u0027AzureActiveDirectoryStsLogon\u0027, UserAgent1, UserAgent2)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = ClientIP, Account = UserId, Type, RecordType, Operation\\n),\\n(AzureDiagnostics\\n| where ResourceType =~ \\\"APPLICATIONGATEWAYS\\\" \\n| where OperationName =~ \\\"ApplicationGatewayAccess\\\" \\n| extend ClientIP = columnifexists(\\\"clientIP_s\\\", \\\"None\\\"), UserAgent = columnifexists(\\\"userAgent_s\\\", \\\"None\\\")\\n| where UserAgent != \u0027-\u0027\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = ClientIP, requestUri_s, httpMethod_s, host_s, requestQuery_s, Type\\n),\\n(\\nW3CIISLog\\n| where isnotempty(csUserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent = csUserAgent, SourceIP = cIP, Account = csUserName, Type, sSiteName, csMethod, csUriStem\\n),\\n(\\nAWSCloudTrail\\n| where isnotempty(UserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = SourceIpAddress, Account = UserIdentityUserName, Type, EventSource, EventName\\n),\\n(SigninLogs\\n| where isnotempty(UserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = IPAddress, Account = UserPrincipalName, Type, OperationName, tostring(LocationDetails), tostring(DeviceDetail), AppDisplayName, ClientAppUsed\\n),\\n(AADNonInteractiveUserSignInLogs \\n| where isnotempty(UserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = IPAddress, Account = UserPrincipalName, Type, OperationName, tostring(LocationDetails), tostring(DeviceDetail), AppDisplayName, ClientAppUsed\\n)\\n)\\n// Likely artefact of hardcoding\\n| where UserAgent startswith \\\"User\\\" or UserAgent startswith \u0027\\\\\\\"\u0027\\n// Incorrect casing\\nor (UserAgent startswith \\\"Mozilla\\\" and not(UserAgent containscs \\\"Mozilla\\\"))\\n// Incorrect casing\\nor UserAgent containscs \\\"(Compatible;\\\"\\n// Missing MSIE version\\nor UserAgent matches regex @\\\"MSIE\\\\s?;\\\"\\n// Incorrect spacing around MSIE version\\nor UserAgent matches regex @\\\"MSIE(?:\\\\d|.{1,5}?\\\\d\\\\s;)\\\"\\n| extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"CommandAndControl\",\"Execution\"],\"displayName\":\"Malformed user agent\",\"description\":\"Malware authors will sometimes hardcode user agent string values when writing the network communication component of their malware.\\nMalformed user agents can be an indication of such malware.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-01-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"WAF\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4acd3a04-2fad-4efc-8a4b-51476594cec4\",\"name\":\"4acd3a04-2fad-4efc-8a4b-51476594cec4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let triThreshold = 500;\\nlet startTime = 6h;\\nlet dgaLengthThreshold = 8;\\n// fetch the alexa top 1M domains\\nlet top1M = (externaldata (Position:int, Domain:string) [@\\\"http://s3-us-west-1.amazonaws.com/umbrella-static/top-1m.csv.zip\\\"] with (format=\\\"csv\\\", zipPattern=\\\"*.csv\\\"));\\n// extract tri grams that are above our threshold - i.e. are common\\nlet triBaseline = top1M\\n| extend Domain = tolower(extract(\\\"([^.]*).{0,7}$\\\", 1, Domain))\\n| extend AllTriGrams = array_concat(extract_all(\\\"(...)\\\", Domain), extract_all(\\\"(...)\\\", substring(Domain, 1)), extract_all(\\\"(...)\\\", substring(Domain, 2)))\\n| mvexpand Trigram=AllTriGrams\\n| summarize triCount=count() by tostring(Trigram)\\n| sort by triCount desc\\n| where triCount \u003e triThreshold\\n| distinct Trigram;\\n// collect domain information from common security log, filter and extract the DGA candidate and its trigrams\\nlet allDataSummarized = CommonSecurityLog\\n| where TimeGenerated \u003e ago(startTime)\\n| where isnotempty(DestinationHostName)\\n| extend Name = tolower(DestinationHostName)\\n| distinct Name\\n| where Name has \\\".\\\"\\n| where Name !endswith \\\".home\\\" and Name !endswith \\\".lan\\\"\\n// extract DGA candidate\\n| extend DGADomain = extract(\\\"([^.]*).{0,7}$\\\", 1, Name)\\n| where strlen(DGADomain) \u003e dgaLengthThreshold\\n// throw out domains with number in them\\n| where DGADomain matches regex \\\"^[A-Za-z]{0,}$\\\"\\n// extract the tri grams from summarized data\\n| extend AllTriGrams = array_concat(extract_all(\\\"(...)\\\", DGADomain), extract_all(\\\"(...)\\\", substring(DGADomain, 1)), extract_all(\\\"(...)\\\", substring(DGADomain, 2)));\\n// throw out domains that have repeating tri\u0027s and/or \u003e=3 repeating letters\\nlet nonRepeatingTris = allDataSummarized\\n| join kind=leftanti\\n(\\n allDataSummarized\\n | mvexpand AllTriGrams\\n | summarize count() by tostring(AllTriGrams), DGADomain\\n | where count_ \u003e 1\\n | distinct DGADomain\\n)\\non DGADomain;\\n// find domains that do not have a common tri in the baseline\\nlet dataWithRareTris = nonRepeatingTris\\n| join kind=leftanti\\n(\\n nonRepeatingTris\\n | mvexpand AllTriGrams\\n | extend Trigram = tostring(AllTriGrams)\\n | distinct Trigram, DGADomain\\n | join kind=inner\\n (\\n triBaseline\\n )\\n on Trigram\\n | distinct DGADomain\\n)\\non DGADomain;\\ndataWithRareTris\\n// join DGAs back on connection data\\n| join kind=inner\\n(\\n CommonSecurityLog\\n | where TimeGenerated \u003e ago(startTime)\\n | where isnotempty(DestinationHostName)\\n | extend DestinationHostName = tolower(DestinationHostName)\\n | project-rename Name=DestinationHostName, DataSource=DeviceVendor\\n | summarize StartTime=min(TimeGenerated), EndTime=max(TimeGenerated) by Name, SourceIP, DestinationIP, DataSource\\n)\\non Name\\n| project StartTime, EndTime, Name, DGADomain, SourceIP, DestinationIP, DataSource\\n| extend timestamp=StartTime, IPCustomEntity=SourceIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"Name\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Possible contact with a domain generated by a DGA\",\"description\":\"Identifies contacts with domains names in CommonSecurityLog that might have been generated by a Domain Generation Algorithm (DGA). DGAs can be used\\nby malware to generate rendezvous points that are difficult to predict in advance. This detection uses the Alexa Top 1 million domain names to build a model\\nof what normal domains look like. It uses this to identify domains that may have been randomly generated by an algorithm.\\nThe triThreshold is set to 500 - increase this to report on domains that are less likely to have been randomly generated, decrease it for more likely.\\nThe start time and end time look back over 6 hours of data and the dgaLengthThreshold is set to 8 - meaning domains whose length is 8 or more are reported.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-03-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Barracuda\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/aac495a9-feb1-446d-b08e-a1164a539452\",\"name\":\"aac495a9-feb1-446d-b08e-a1164a539452\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"ThreatIntelligenceIndicator\\n| where Action == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n GitHubAudit\\n | extend GitHubAudit_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.IPaddress\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, GitHubAudit_TimeGenerated, TI_ipEntity, IPaddress, Actor, Action, Country, OperationType, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = GitHubAudit_TimeGenerated, IPCustomEntity = IPaddress, AccountCustomEntity = Actor\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to GitHub_CL\",\"description\":\"Identifies a match in GitHub_CL table from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2cfc3c6e-f424-4b88-9cc9-c89f482d016a\",\"name\":\"2cfc3c6e-f424-4b88-9cc9-c89f482d016a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"High\",\"query\":\"AuditLogs\\n| where OperationName has_any (\\\"Add service principal\\\", \\\"Certificates and secrets management\\\") // captures \\\"Add service principal\\\", \\\"Add service principal credentials\\\", and \\\"Update application - Certificates and secrets management\\\" events\\n| where Result =~ \\\"success\\\"\\n| where tostring(InitiatedBy.user.userPrincipalName) has \\\"@\\\" or tostring(InitiatedBy.app.displayName) has \\\"@\\\"\\n| extend targetDisplayName = tostring(TargetResources[0].displayName)\\n| extend targetId = tostring(TargetResources[0].id)\\n| extend targetType = tostring(TargetResources[0].type)\\n| extend keyEvents = TargetResources[0].modifiedProperties\\n| mv-expand keyEvents\\n| where keyEvents.displayName =~ \\\"KeyDescription\\\"\\n| extend new_value_set = parse_json(tostring(keyEvents.newValue))\\n| extend old_value_set = parse_json(tostring(keyEvents.oldValue))\\n| where old_value_set == \\\"[]\\\"\\n| mv-expand new_value_set\\n| parse new_value_set with * \\\"KeyIdentifier=\\\" keyIdentifier:string \\\",KeyType=\\\" keyType:string \\\",KeyUsage=\\\" keyUsage:string \\\",DisplayName=\\\" keyDisplayName:string \\\"]\\\" *\\n| where keyUsage == \\\"Verify\\\" or keyUsage == \\\"\\\"\\n| extend UserAgent = iff(AdditionalDetails[0].key == \\\"User-Agent\\\",tostring(AdditionalDetails[0].value),\\\"\\\")\\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n// The below line is currently commented out but Microsoft Sentinel users can modify this query to show only Application or only Service Principal events in their environment\\n//| where targetType =~ \\\"Application\\\" // or targetType =~ \\\"ServicePrincipal\\\"\\n| project-away new_value_set, old_value_set\\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, InitiatingIpAddress, UserAgent, targetDisplayName, targetId, targetType, keyDisplayName, keyType, keyUsage, keyIdentifier, CorrelationId, TenantId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingUserOrApp, IPCustomEntity = InitiatingIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"First access credential added to Application or Service Principal where no credential was present\",\"description\":\"This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where there was no previous verify KeyCredential associated.\\nIf a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2022-02-11T00:00:00Z\",\"createdDateUTC\":\"2020-11-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0dd422ee-e6af-4204-b219-f59ac172e4c6\",\"name\":\"0dd422ee-e6af-4204-b219-f59ac172e4c6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"ThreatIntelligence\",\"properties\":{\"severity\":\"Medium\",\"tactics\":[\"Persistence\",\"LateralMovement\"],\"displayName\":\"(Preview) Microsoft Threat Intelligence Analytics\",\"description\":\"This rule generates an alert when a Microsoft Threat Intelligence Indicator gets matched with your event logs. The alerts are very high fidelity.\\n\\nNote : It is advised to turn off any custom alert rules which match the threat intelligence indicators with the same event logs matched by this analytics to prevent duplicate alerts.\",\"lastUpdatedDateUTC\":\"2021-07-28T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/074ce265-f684-41cd-af07-613c5f3e6d0d\",\"name\":\"074ce265-f684-41cd-af07-613c5f3e6d0d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.4.1\",\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"irf.services\\\",\\\"microsoft-onthehub.com\\\",\\\"msofficelab.com\\\",\\\"com-mailbox.com\\\",\\\"my-sharefile.com\\\",\\\"my-sharepoints.com\\\",\\n\\\"accounts-web-mail.com\\\",\\\"customer-certificate.com\\\",\\\"session-users-activities.com\\\",\\\"user-profile-credentials.com\\\",\\\"verify-linke.com\\\",\\\"support-servics.net\\\",\\n\\\"onedrive-sharedfile.com\\\",\\\"onedrv-live.com\\\",\\\"transparencyinternational-my-sharepoint.com\\\",\\\"transparencyinternational-my-sharepoints.com\\\",\\\"soros-my-sharepoint.com\\\"]);\\n(union isfuzzy=true\\n (CommonSecurityLog \\n | parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n | extend Account = SourceUserID, Host = DeviceName, IPAddress = SourceIP\\n ),\\n (_Im_Dns(domain_has_any=DomainNames)\\n | extend IPAddress = SrcIpAddr, DNSName = DnsQuery, Host = Dvc),\\n (VMConnection \\n | parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n | extend IPAddress = RemoteIp, Host = Computer\\n ),\\n (AzureDiagnostics \\n | where ResourceType == \\\"AZUREFIREWALLS\\\"\\n | where Category == \\\"AzureFirewallApplicationRule\\\"\\n | parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n | extend DNSName = DestinationHost \\n | extend IPAddress = SourceHost\\n ),\\n (\\n _Im_WebSession(url_has_any=DomainNames)\\n | extend IPCustomEntity=IpAddr, HostCustomEntity=Hostname, AccoutCustomEntity=User\\n )\\n)\\n| where isnotempty(DNSName)\\n| where DNSName has_any (DomainNames)\\n| extend timestamp = TimeGenerated, IPCustomEntity = IPAddress, AccountCustomEntity = Account, HostCustomEntity = Host\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Known STRONTIUM group domains - July 2019\",\"description\":\"Matches domain name IOCs related to Strontium group activity published July 2019 with CommonSecurityLog, DnsEvents and VMConnection dataTypes.\\nReferences: https://blogs.microsoft.com/on-the-issues/2019/07/17/new-cyberthreats-require-new-ways-to-protect-democracy/.\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2019-07-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a50766a7-0674-4ccb-8845-15dc55a80ba1\",\"name\":\"a50766a7-0674-4ccb-8845-15dc55a80ba1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n WireData | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(RemoteIP)\\n // renaming time column so it is clear the log this came from\\n | extend WireData_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.RemoteIP\\n| where WireData_TimeGenerated \u003c ExpirationDateTime\\n| summarize WireData_TimeGenerated = arg_max(WireData_TimeGenerated, *) by IndicatorId, RemoteIP\\n| project WireData_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, Computer, LocalIP, RemoteIP, ProcessName, ApplicationProtocol, LocalPortNumber, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = WireData_TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to WireData\",\"description\":\"Identifies a match in WireData from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureMonitor(WireData)\",\"dataTypes\":[\"WireData\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6d7214d9-4a28-44df-aafb-0910b9e6ae3e\",\"name\":\"6d7214d9-4a28-44df-aafb-0910b9e6ae3e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Low\",\"query\":\"let match_window = 3m;\\nAzureActivity\\n| where ResourceGroup has \\\"cloud-shell\\\"\\n| where (OperationNameValue =~ \\\"Microsoft.Storage/storageAccounts/listKeys/action\\\") \\n| where ActivityStatusValue == \\\"Success\\\"\\n| extend TimeKey = bin(TimeGenerated, match_window), AzureIP = CallerIpAddress\\n| join kind = inner\\n(AzureActivity\\n| where ResourceGroup has \\\"cloud-shell\\\"\\n| where (OperationNameValue =~ \\\"Microsoft.Storage/storageAccounts/write\\\") \\n| extend TimeKey = bin(TimeGenerated, match_window), UserIP = CallerIpAddress\\n) on Caller, TimeKey\\n| summarize count() by TimeKey, Caller, ResourceGroup, SubscriptionId, TenantId, AzureIP, UserIP, HTTPRequest, Type, Properties, CategoryValue, OperationList = strcat(OperationNameValue, \u0027 , \u0027, OperationNameValue1)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Caller\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"UserIP\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"New CloudShell User\",\"description\":\"Identifies when a user creates an Azure CloudShell for the first time.\\nMonitor this activity to ensure only expected user are using CloudShell\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5170c3c4-b8c9-485c-910d-a21d965ee181\",\"name\":\"5170c3c4-b8c9-485c-910d-a21d965ee181\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT30M\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let queryfrequency = 30m;\\nlet accountthreshold = 10;\\nlet successCodes = dynamic([0, 50144]);\\nADFSSignInLogs\\n| extend IngestionTime = ingestion_time()\\n| where IngestionTime \u003e ago(queryfrequency)\\n| where not(todynamic(AuthenticationDetails)[0].authenticationMethod == \\\"Integrated Windows Authentication\\\")\\n| summarize\\n DistinctFailureCount = dcountif(UserPrincipalName, ResultType !in (successCodes)),\\n DistinctSuccessCount = dcountif(UserPrincipalName, ResultType in (successCodes)),\\n SuccessAccounts = make_set_if(UserPrincipalName, ResultType in (successCodes), 250),\\n arg_min(TimeGenerated, *)\\n by IPAddress\\n| where DistinctFailureCount \u003e DistinctSuccessCount and DistinctFailureCount \u003e= accountthreshold\\n//| extend SuccessAccounts = iff(array_length(SuccessAccounts) != 0, SuccessAccounts, dynamic([\\\"null\\\"]))\\n//| mv-expand SuccessAccounts\\n| project TimeGenerated, Category, OperationName, IPAddress, DistinctFailureCount, DistinctSuccessCount, SuccessAccounts, AuthenticationRequirement, ConditionalAccessStatus, IsInteractive, UserAgent, NetworkLocationDetails, DeviceDetail, TokenIssuerType, TokenIssuerName, ResourceIdentity\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Password spray attack against ADFSSignInLogs\",\"description\":\"Identifies evidence of password spray activity against Connect Health for AD FS sign-in events by looking for failures from multiple accounts from the same IP address within a time window.\\nReference: https://adfshelp.microsoft.com/References/ConnectHealthErrorCodeReference\",\"lastUpdatedDateUTC\":\"2022-05-04T00:00:00Z\",\"createdDateUTC\":\"2022-03-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"ADFSSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6d63efa6-7c25-4bd4-a486-aa6bf50fde8a\",\"name\":\"6d63efa6-7c25-4bd4-a486-aa6bf50fde8a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"// Add non-approved user principal names to the list below to search for their account creation/deletion activity\\n// ex: dynamic([\\\"UPN1\\\", \\\"upn123\\\"])\\nlet nonapproved_users = dynamic([]);\\nAuditLogs\\n| where OperationName == \\\"Add user\\\" or OperationName == \\\"Delete user\\\"\\n| where Result == \\\"success\\\"\\n| extend InitiatingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n| where InitiatingUser has_any (nonapproved_users)\\n| project-reorder TimeGenerated, ResourceId, OperationName, InitiatingUser, TargetResources\\n| extend AccountCustomEntity = InitiatingUser, IPCustomEntity = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Account created or deleted by non-approved user\",\"description\":\"Identifies accounts that were created or deleted by a defined list of non-approved user principal names. Add to this list before running the query for accurate results.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2021-10-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/11b4c19d-2a79-4da3-af38-b067e1273dee\",\"name\":\"11b4c19d-2a79-4da3-af38-b067e1273dee\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"High\",\"query\":\"(union isfuzzy=true\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID in (17,18)\\n| where EventData has \u0027583da945-62af-10e8-4902-a8f205c72b2e\u0027\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, MG, ManagementGroupName, _ResourceId)\\n| extend PipeName = column_ifexists(\\\"PipeName\\\", \\\"\\\")\\n| extend Account = UserName\\n),\\n(\\nSecurityEvent\\n| where EventID == \u00275145\u0027\\n// %%4418 looks for presence of CreatePipeInstance value \\n| where AccessList has \u0027%%4418\u0027 \\n| where RelativeTargetName has \u0027583da945-62af-10e8-4902-a8f205c72b2e\u0027\\n),\\n(\\nWindowsEvent\\n| where EventID == \u00275145\u0027 and EventData has \u0027%%4418\u0027 and EventData has \u0027583da945-62af-10e8-4902-a8f205c72b2e\u0027 \\n// %%4418 looks for presence of CreatePipeInstance value \\n| extend AccessList= tostring(EventData.AccessList)\\n| where AccessList has \u0027%%4418\u0027 \\n| extend RelativeTargetName= tostring(EventData.RelativeTargetName)\\n| where RelativeTargetName has \u0027583da945-62af-10e8-4902-a8f205c72b2e\u0027\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\",\"PrivilegeEscalation\"],\"displayName\":\"Solorigate Named Pipe\",\"description\":\"Identifies a match across various data feeds for named pipe IOCs related to the Solorigate incident.\\n For the sysmon events required for this detection, logging for Named Pipe Events needs to be configured in Sysmon config (Event ID 17 and Event ID 18)\\n Reference: https://techcommunity.microsoft.com/t5/azure-sentinel/solarwinds-post-compromise-hunting-with-azure-sentinel/ba-p/1995095\",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2020-12-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/532f62c1-fba6-4baa-bbb6-4a32a4ef32fa\",\"name\":\"532f62c1-fba6-4baa-bbb6-4a32a4ef32fa\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation\\nlet list_tlds = ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e ago(ioc_lookBack)\\n| where isnotempty(DomainName)\\n| extend parts = split(DomainName, \u0027.\u0027)\\n| extend tld = parts[(array_length(parts)-1)]\\n| summarize count() by tostring(tld)\\n| summarize make_list(tld);\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(DomainName)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n Syslog\\n | where TimeGenerated \u003e ago(dt_lookBack)\\n //Extract domain patterns from syslog message\\n | extend domain = extract(\\\"(([a-z0-9]+(-[a-z0-9]+)*\\\\\\\\.)+[a-z]{2,})\\\",1, tolower(SyslogMessage))\\n | where isnotempty(domain)\\n | extend parts = split(domain, \u0027.\u0027)\\n //Split out the TLD\\n | extend tld = parts[(array_length(parts)-1)]\\n //Validate parsed domain by checking if the TLD is in the list of TLDs in our threat feed\\n | where tld in~ (list_tlds)\\n | extend Syslog_TimeGenerated = TimeGenerated\\n) on $left.DomainName==$right.domain\\n| where Syslog_TimeGenerated \u003c ExpirationDateTime\\n| summarize Syslog_TimeGenerated = arg_max(Syslog_TimeGenerated , *) by IndicatorId, domain\\n| project Syslog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, SyslogMessage, Computer, ProcessName, domain, HostIP, Url\\n| extend timestamp = Syslog_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map Domain entity to Syslog\",\"description\":\"Identifies a match in Syslog table from any Domain IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/19e01883-15d8-4eb6-a7a5-3276cd668388\",\"name\":\"19e01883-15d8-4eb6-a7a5-3276cd668388\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let timeBin = 1m;\\nlet failedThreshold = 20;\\nW3CIISLog\\n| where scStatus in (\\\"401\\\",\\\"403\\\")\\n| where csUserName != \\\"-\\\"\\n| extend scStatusFull = strcat(scStatus, \\\".\\\",scSubStatus) \\n// Map common IIS codes\\n| extend scStatusFull_Friendly = case(\\nscStatusFull == \\\"401.0\\\", \\\"Access denied.\\\",\\nscStatusFull == \\\"401.1\\\", \\\"Logon failed.\\\",\\nscStatusFull == \\\"401.2\\\", \\\"Logon failed due to server configuration.\\\",\\nscStatusFull == \\\"401.3\\\", \\\"Unauthorized due to ACL on resource.\\\",\\nscStatusFull == \\\"401.4\\\", \\\"Authorization failed by filter.\\\",\\nscStatusFull == \\\"401.5\\\", \\\"Authorization failed by ISAPI/CGI application.\\\",\\nscStatusFull == \\\"403.0\\\", \\\"Forbidden.\\\",\\nscStatusFull == \\\"403.4\\\", \\\"SSL required.\\\",\\n\\\"See - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\\")\\n// Mapping to Hex so can be mapped using website in comments above\\n| extend scWin32Status_Hex = tohex(tolong(scWin32Status)) \\n// Map common win32 codes\\n| extend scWin32Status_Friendly = case(\\nscWin32Status_Hex =~ \\\"775\\\", \\\"The referenced account is currently locked out and cannot be logged on to.\\\",\\nscWin32Status_Hex =~ \\\"52e\\\", \\\"Logon failure: Unknown user name or bad password.\\\",\\nscWin32Status_Hex =~ \\\"532\\\", \\\"Logon failure: The specified account password has expired.\\\",\\nscWin32Status_Hex =~ \\\"533\\\", \\\"Logon failure: Account currently disabled.\\\", \\nscWin32Status_Hex =~ \\\"2ee2\\\", \\\"The request has timed out.\\\", \\nscWin32Status_Hex =~ \\\"0\\\", \\\"The operation completed successfully.\\\", \\nscWin32Status_Hex =~ \\\"1\\\", \\\"Incorrect function.\\\", \\nscWin32Status_Hex =~ \\\"2\\\", \\\"The system cannot find the file specified.\\\", \\nscWin32Status_Hex =~ \\\"3\\\", \\\"The system cannot find the path specified.\\\", \\nscWin32Status_Hex =~ \\\"4\\\", \\\"The system cannot open the file.\\\", \\nscWin32Status_Hex =~ \\\"5\\\", \\\"Access is denied.\\\", \\nscWin32Status_Hex =~ \\\"8009030e\\\", \\\"SEC_E_NO_CREDENTIALS\\\", \\nscWin32Status_Hex =~ \\\"8009030C\\\", \\\"SEC_E_LOGON_DENIED\\\", \\n\\\"See - https://msdn.microsoft.com/library/cc231199.aspx\\\")\\n// decode URI when available\\n| extend decodedUriQuery = url_decode(csUriQuery)\\n// Count of failed attempts from same client IP\\n| summarize makeset(decodedUriQuery), makeset(csUserName), makeset(sSiteName), makeset(sPort), makeset(csUserAgent), makeset(csMethod), makeset(csUriQuery), makeset(scStatusFull), makeset(scStatusFull_Friendly), makeset(scWin32Status_Hex), makeset(scWin32Status_Friendly), FailedConnectionsCount = count() by bin(TimeGenerated, timeBin), cIP, Computer, sIP\\n| where FailedConnectionsCount \u003e= failedThreshold\\n| project TimeGenerated, cIP, set_csUserName, set_decodedUriQuery, Computer, set_sSiteName, sIP, set_sPort, set_csUserAgent, set_csMethod, set_scStatusFull, set_scStatusFull_Friendly, set_scWin32Status_Hex, set_scWin32Status_Friendly, FailedConnectionsCount\\n| order by FailedConnectionsCount\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = cIP\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"High count of failed attempts from same client IP\",\"description\":\"Identifies when 20 or more failed attempts from a given client IP in 1 minute occur on the IIS server.\\nThis could be indicative of an attempted brute force. This could also simply indicate a misconfigured service or device.\\nRecommendations: Validate that these are expected connections from the given Client IP. If the client IP is not recognized, \\npotentially block these connections at the edge device.\\nIf these are expected connections, verify the credentials are properly configured on the system, service, application or device \\nthat is associated with the client IP.\\nReferences:\\nIIS status code mapping: https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\nWin32 Status code mapping: https://msdn.microsoft.com/library/cc231199.aspx\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-03-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/dd78a122-d377-415a-afe9-f22e08d2112c\",\"name\":\"dd78a122-d377-415a-afe9-f22e08d2112c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"// Add other permissions to this list as needed\\n let permissions = dynamic([\\\"Mail.Read\\\", \\\"offline_access\\\", \\\"Files.Read\\\", \\\"Notes.Read\\\", \\\"ChannelMessage.Read\\\", \\\"Chat.Read\\\", \\\"TeamsActivity.Read\\\",\\n \\\"Group.Read\\\", \\\"EWS.AccessAsUser.All\\\", \\\"EAS.AccessAsUser.All\\\"]);\\n AuditLogs\\n | where OperationName =~ \\\"Add app role assignment to service principal\\\"\\n | mv-expand TargetResources[0].modifiedProperties\\n | extend TargetResources_0_modifiedProperties = columnifexists(\\\"TargetResources_0_modifiedProperties\\\", \u0027\u0027)\\n | where isnotempty(TargetResources_0_modifiedProperties)\\n | where TargetResources_0_modifiedProperties.displayName =~ \\\"AppRole.Value\\\" or TargetResources_0_modifiedProperties.displayName =~ \\\"DelegatedPermissionGrant.Scope\\\"\\n | extend Permissions = split((parse_json(tostring(TargetResources_0_modifiedProperties.newValue))), \\\" \\\")\\n | where Permissions has_any (permissions)\\n | summarize AddedPermissions=make_set(Permissions) by CorrelationId\\n | join kind=inner (AuditLogs\\n | where OperationName =~ \\\"Add app role assignment to service principal\\\") on CorrelationId\\n | extend InitiatedBy = tostring(iff(isnotempty(InitiatedBy.user.userPrincipalName),InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName))\\n | extend ServicePrincipal = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[4].newValue)))\\n | extend SPID = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[6].newValue)))\\n | extend InitiatedBy = pack(\\\"User\\\", InitiatedBy, \\\"UA\\\", UserAgent, \\\"IPAddress\\\", IpAddress)\\n | mv-expand kind=array AddedPermissions\\n | summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), make_set(InitiatedBy), make_set(AddedPermissions) by SPID, ServicePrincipal\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"ServicePrincipal\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"SPID\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Service Principal Assigned App Role With Sensitive Access\",\"description\":\"Detects a Service Principal being assigned an app role that has sensitive access such as Mail.Read.\\n A threat actor who compromises a Service Principal may assign it an app role to allow it to access sensitive data, or to perform other actions.\\n Ensure that any assignment to a Service Principal is valid and appropriate.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-applications#application-granted-highly-privileged-permissions\",\"lastUpdatedDateUTC\":\"2022-07-09T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d9f28fdf-abc8-4f1a-a7e7-1aaec87a2fc5\",\"name\":\"d9f28fdf-abc8-4f1a-a7e7-1aaec87a2fc5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n | where EventID == 4688\\n | where Process =~ \\\"svchost.exe\\\"\\n | where CommandLine has \\\"-k GPSvcGroup\\\" or CommandLine has \\\"-s gpsvc\\\"\\n | extend timekey = bin(TimeGenerated, 1m)\\n | project timekey, NewProcessId, Computer\\n | join kind=inner (SecurityEvent\\n | where EventID == 4688\\n | where Process =~ \\\"sdelete.exe\\\" or CommandLine has \\\"sdelete\\\"\\n | where ParentProcessName endswith \\\"svchost.exe\\\"\\n | where CommandLine has_all (\\\"-s\\\", \\\"-r\\\")\\n | extend newProcess = Process\\n | extend timekey = bin(TimeGenerated, 1m)\\n ) on $left.NewProcessId == $right.ProcessId, timekey, Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Sdelete deployed via GPO and run recursively\",\"description\":\"This query looks for the Sdelete process being run recursively after being deployed to a host via GPO. Attackers could use this technique to deploy Sdelete to multiple host and delete data on them.\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-03-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5dd76a87-9f87-4576-bab3-268b0e2b338b\",\"name\":\"5dd76a87-9f87-4576-bab3-268b0e2b338b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let threshold = 5;\\nlet szSharePointFileOperation = \\\"SharePointFileOperation\\\";\\nlet szOperations = dynamic([\\\"FileDownloaded\\\", \\\"FileUploaded\\\"]);\\nlet starttime = 14d;\\nlet endtime = 1d;\\nlet historicalActivity =\\nOfficeActivity\\n| where TimeGenerated between(ago(starttime)..ago(endtime))\\n| where RecordType =~ szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| where isnotempty(UserAgent)\\n| summarize historicalCount = count() by UserAgent, RecordType, Operation;\\nlet recentActivity = OfficeActivity\\n| where RecordType =~ szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| where TimeGenerated \u003e ago(endtime)\\n| where isnotempty(UserAgent)\\n| summarize min(Start_Time), max(Start_Time), recentCount = count() by UserAgent, RecordType, Operation;\\nlet RareUserAgent = recentActivity | join kind = leftanti (historicalActivity) on UserAgent\\n| order by recentCount desc, UserAgent\\n// More than 5 downloads/uploads from a new user agent today\\n| where recentCount \u003e threshold;\\nOfficeActivity \\n| where TimeGenerated \u003e ago(endtime) \\n| where RecordType =~ szSharePointFileOperation \\n| where Operation in~ (szOperations)\\n| where isnotempty(UserAgent)\\n| join kind= inner (RareUserAgent)\\non UserAgent, RecordType, Operation \\n| where Start_Time between(min_Start_Time .. max_Start_Time)\\n| summarize StartTimeUtc = min(min_Start_Time), EndTimeUtc = max(max_Start_Time) by RecordType, Operation, UserAgent, UserType, UserId, ClientIP, OfficeWorkload, Site_Url, OfficeObjectId, UserAgentSeenCount = recentCount\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Site_Url\\n| order by UserAgentSeenCount desc, UserAgent asc, Operation asc, UserId asc\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"SharePointFileOperation via devices with previously unseen user agents\",\"description\":\"Identifies if the number of documents uploaded or downloaded from device(s) associated\\nwith a previously unseen user agent exceeds a threshold (default is 5).\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-23T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f80d951a-eddc-4171-b9d0-d616bb83efdc\",\"name\":\"f80d951a-eddc-4171-b9d0-d616bb83efdc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"AuditLogs\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where AADOperationType =~ \\\"Assign\\\"\\n| where ActivityDisplayName =~ \\\"Add app role assignment to service principal\\\"\\n| mv-expand TargetResources\\n| mv-expand TargetResources.modifiedProperties\\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\\n| where displayName_ =~ \\\"AppRole.Value\\\"\\n| extend AppRole = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\\n| where AppRole has \\\"RoleManagement.ReadWrite.Directory\\\"\\n| extend InitiatingApp = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n| extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName))\\n| extend Target = tostring(parse_json(tostring(TargetResources.modifiedProperties[4].newValue)))\\n| extend TargetId = tostring(parse_json(tostring(TargetResources.modifiedProperties[3].newValue)))\\n| project TimeGenerated, OperationName, Initiator, Target, TargetId, Result\\n| join kind=innerunique (\\n AuditLogs\\n | where LoggedByService =~ \\\"Core Directory\\\"\\n | where Category =~ \\\"RoleManagement\\\"\\n | where AADOperationType in (\\\"Assign\\\", \\\"AssignEligibleRole\\\")\\n | where ActivityDisplayName has_any (\\\"Add eligible member to role\\\", \\\"Add member to role\\\")\\n | mv-expand TargetResources\\n | mv-expand TargetResources.modifiedProperties\\n | extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\\n | where displayName_ =~ \\\"Role.DisplayName\\\"\\n | extend RoleName = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\\n | where RoleName contains \\\"Admin\\\"\\n | extend Initiator = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n | extend InitiatorId = tostring(parse_json(tostring(InitiatedBy.app)).servicePrincipalId)\\n | extend TargetUser = tostring(TargetResources.userPrincipalName)\\n | extend Target = iif(isnotempty(TargetUser), TargetUser, tostring(TargetResources.displayName))\\n | extend TargetType = tostring(TargetResources.type)\\n | extend TargetId = tostring(TargetResources.id)\\n | project TimeGenerated, OperationName, RoleName, Initiator, InitiatorId, Target, TargetId, TargetType, Result\\n) on $left.TargetId == $right.InitiatorId\\n| extend TimeRoleMgGrant = TimeGenerated, TimeAdminPromo = TimeGenerated1, ServicePrincipal = Initiator1, ServicePrincipalId = InitiatorId,\\n TargetObject = Target1, TargetObjectId = TargetId1, TargetObjectType = TargetType\\n| where TimeRoleMgGrant \u003c TimeAdminPromo\\n| project TimeRoleMgGrant, TimeAdminPromo, RoleName, ServicePrincipal, ServicePrincipalId, TargetObject, TargetObjectId, TargetObjectType\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ServicePrincipal\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetObject\"}]}],\"tactics\":[\"PrivilegeEscalation\",\"Persistence\"],\"displayName\":\"Admin promotion after Role Management Application Permission Grant\",\"description\":\"This rule looks for a service principal being granted the Microsoft Graph RoleManagement.ReadWrite.Directory (application) permission before being used to add an Azure AD object or user account to an Admin directory role (i.e. Global Administrators).\\nThis is a known attack path that is usually abused when a service principal already has the AppRoleAssignment.ReadWrite.All permission granted. This permission Allows an app to manage permission grants for application permissions to any API.\\nA service principal can promote itself or other service principals to admin roles (i.e. Global Administrators). This would be considered a privilege escalation technique.\\nRef : https://docs.microsoft.com/graph/permissions-reference#role-management-permissions, https://docs.microsoft.com/graph/api/directoryrole-post-members?view=graph-rest-1.0\u0026tabs=http\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2021-11-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/79f29feb-6a9d-4cdf-baaa-2daf480a5da1\",\"name\":\"79f29feb-6a9d-4cdf-baaa-2daf480a5da1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let timeframe = 1h;\\nlet last1h = CommonSecurityLog \\n| where TimeGenerated \u003e= ago(timeframe)\\n| where isempty(CommunicationDirection) \\n| where DeviceEventClassID == \\\"733100\\\"\\n| extend SourceOfDropRateCount = tostring(split(tostring(split(Message, \\\"]\\\")[0]),\\\"[ \\\")[1])\\n| extend splitMessage = split(Message, \\\".\\\")\\n| extend DropRate = tostring(split(tostring(splitMessage[0]),\\\"] \\\")[1])\\n| extend CurrentBurstRate = split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[0]),\\\"is \\\")\\n| extend CurrentBurstRatePerSec = toint(split(tostring(CurrentBurstRate[1]),\\\" \\\")[0])\\n| extend MaxConfiguredBurstRate = toint(CurrentBurstRate[2])\\n| extend CurrentAvgRate = split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[1]),\\\"is \\\")\\n| extend CurrentAvgRatePerSec = toint(split(tostring(CurrentAvgRate[1]),\\\" \\\")[0])\\n| extend MaxConfiguredAvgRate = toint(CurrentAvgRate[2])\\n| extend CumulativeTotal = toint(split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[2]),\\\"is \\\")[1])\\n| summarize last1hCumTotal = sum(CumulativeTotal), last1hAvgRatePerSec = avg(CurrentAvgRatePerSec), last1hAvgBurstRatePerSec = avg(CurrentBurstRatePerSec) by DeviceName, DeviceEventClassID, SourceIP, SourceOfDropRateCount, DropRate;\\nlet prev6h = CommonSecurityLog \\n| where TimeGenerated between (ago(6h) .. ago(1h))\\n| where isempty(CommunicationDirection) \\n| where DeviceEventClassID == \\\"733100\\\"\\n| extend SourceOfDropRateCount = tostring(split(tostring(split(Message, \\\"]\\\")[0]),\\\"[ \\\")[1])\\n| extend splitMessage = split(Message, \\\".\\\")\\n| extend DropRate = tostring(split(tostring(splitMessage[0]),\\\"] \\\")[1])\\n| extend CurrentBurstRate = split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[0]),\\\"is \\\")\\n| extend prevCurrentBurstRatePerSec = toint(split(tostring(CurrentBurstRate[1]),\\\" \\\")[0])\\n| extend prevMaxConfiguredBurstRate = toint(CurrentBurstRate[2])\\n| extend CurrentAvgRate = split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[1]),\\\"is \\\")\\n| extend prevCurrentAvgRatePerSec = toint(split(tostring(CurrentAvgRate[1]),\\\" \\\")[0])\\n| extend prevMaxConfiguredAvgRate = toint(CurrentAvgRate[2])\\n| extend prevCumulativeTotal = toint(split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[2]),\\\"is \\\")[1])\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), prev6hCumTotal = sum(prevCumulativeTotal), prev6hAvgRatePerSec = avg(prevCurrentAvgRatePerSec), prev6hAvgBurstRatePerSec = avg(prevCurrentBurstRatePerSec) \\nby DeviceName, DeviceEventClassID, SourceIP, SourceOfDropRateCount, DropRate;\\nlast1h | join (\\n prev6h \\n) on DeviceName, DeviceEventClassID, SourceIP, SourceOfDropRateCount, DropRate\\n| project StartTimeUtc, EndTimeUtc, DeviceName, DeviceEventClassID, SourceIP, SourceOfDropRateCount, DropRate, last1hCumTotal, prev6hCumTotal, prev6hAvgCumTotal = prev6hCumTotal/6, last1hAvgRatePerSec, prev6hAvgRatePerSec, last1hAvgBurstRatePerSec, prev6hAvgBurstRatePerSec\\n// Select only events that indicate a doubling of the expected rate in the last hour over the previous 6 hours\\n| where last1hCumTotal \u003e 2*prev6hAvgCumTotal or last1hAvgRatePerSec \u003e 2*prev6hAvgRatePerSec or last1hAvgBurstRatePerSec \u003e 2*prev6hAvgBurstRatePerSec\\n| extend timestamp = StartTimeUtc, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Discovery\",\"Impact\"],\"displayName\":\"Cisco ASA - average attack detection rate increase\",\"description\":\"This will help you determine if Cisco ASA devices are under heavier attack than normal over the last hour versus the previous 6 hours based on DeviceEventClassID 733100\\nReferences: https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs9.html\\nDetails on how to further troubleshoot/investigate: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113685-asa-threat-detection.html\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/826bb2f8-7894-4785-9a6b-a8a855d8366f\",\"name\":\"826bb2f8-7894-4785-9a6b-a8a855d8366f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let EventNameList = dynamic([\\\"AttachUserPolicy\\\",\\\"AttachRolePolicy\\\",\\\"AttachGroupPolicy\\\"]);\\nlet createPolicy = \\\"CreatePolicy\\\";\\nlet timeframe = 1d;\\nlet lookback = 14d;\\n// Creating Master table with all the events to use with materialize for better performance\\nlet EventInfo = AWSCloudTrail\\n| where TimeGenerated \u003e= ago(lookback)\\n| where EventName in (EventNameList) or EventName == createPolicy;\\n//Checking for Policy creation event with Full Admin Privileges since lookback period.\\nlet FullAdminPolicyEvents = materialize( EventInfo\\n| where TimeGenerated \u003e= ago(lookback)\\n| where EventName == createPolicy\\n| extend PolicyName = tostring(parse_json(RequestParameters).policyName)\\n| extend Statement = parse_json(tostring((parse_json(RequestParameters).policyDocument))).Statement\\n| mvexpand Statement\\n| extend Action = parse_json(Statement).Action , Effect = tostring(parse_json(Statement).Effect), Resource = tostring(parse_json(Statement).Resource)\\n| mvexpand Action\\n| extend Action = tostring(Action)\\n| where Effect =~ \\\"Allow\\\" and Action == \\\"*\\\" and Resource == \\\"*\\\"\\n| distinct TimeGenerated, EventName, PolicyName, SourceIpAddress, UserIdentityArn, UserIdentityUserName\\n| extend UserIdentityUserName = iff(isnotempty(UserIdentityUserName), UserIdentityUserName, tostring(split(UserIdentityArn,\u0027/\u0027)[-1]))\\n| project-rename StartTime = TimeGenerated );\\nlet PolicyAttach = materialize( EventInfo\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where EventName in (EventNameList)\\n| extend PolicyName = tostring(split(tostring(parse_json(RequestParameters).policyArn),\\\"/\\\")[1])\\n| summarize AttachEventCount=count(), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventSource, EventName, UserIdentityType , UserIdentityArn, SourceIpAddress, UserIdentityUserName = iff(isnotempty(UserIdentityUserName), UserIdentityUserName, tostring(split(UserIdentityArn,\u0027/\u0027)[-1])), PolicyName\\n| extend AttachEvent = pack(\\\"StartTime\\\", StartTime, \\\"EndTime\\\", EndTime, \\\"EventName\\\", EventName, \\\"UserIdentityType\\\", UserIdentityType, \\\"UserIdentityArn\\\", UserIdentityArn, \\\"SourceIpAddress\\\", SourceIpAddress, \\\"UserIdentityUserName\\\", UserIdentityUserName)\\n| project EventSource, PolicyName, AttachEvent, AttachEventCount\\n);\\n// Joining the list of PolicyNames and checking if it has been attached to any Roles/Users/Groups.\\n// These Roles/Users/Groups will be Privileged and can be used by adversaries as pivot point for privilege escalation via multiple ways.\\nFullAdminPolicyEvents\\n| join kind=leftouter\\n(\\n PolicyAttach\\n)\\non PolicyName\\n| project-away PolicyName1\\n| extend timestamp = StartTime, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Full Admin policy created and then attached to Roles, Users or Groups\",\"description\":\"Identity and Access Management (IAM) securely manages access to AWS services and resources. \\nIdentifies when a policy is created with Full Administrators Access (Allow-Action:*,Resource:*). \\nThis policy can be attached to role,user or group and may be used by an adversary to escalate a normal user privileges to an adminsitrative level.\\nAWS IAM Policy Grammar: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_grammar.html\\nand AWS IAM API at https://docs.aws.amazon.com/IAM/latest/APIReference/API_Operations.html\",\"lastUpdatedDateUTC\":\"2022-01-16T00:00:00Z\",\"createdDateUTC\":\"2020-04-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/34c5aff9-a8c2-4601-9654-c7e46342d03b\",\"name\":\"34c5aff9-a8c2-4601-9654-c7e46342d03b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"let starttime = 14d;\\nlet timeframe = 1d;\\nlet scorethreshold = 3;\\nlet baselinethreshold = 5;\\nlet aadFunc = (tableName:string){\\n IdentityInfo\\n | where TimeGenerated \u003e ago(starttime)\\n | summarize arg_max(TimeGenerated, *) by AccountUPN\\n | mv-expand AssignedRoles\\n | where AssignedRoles matches regex \u0027Admin\u0027\\n | summarize Roles = make_list(AssignedRoles) by AccountUPN = tolower(AccountUPN)\\n | join kind=inner (\\n table(tableName)\\n | where TimeGenerated between (startofday(ago(starttime))..startofday(now()))\\n | where ResultType != 0\\n | extend UserPrincipalName = tolower(UserPrincipalName)\\n ) on $left.AccountUPN == $right.UserPrincipalName\\n | extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, Roles = tostring(Roles)\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nlet allSignins = union isfuzzy=true aadSignin, aadNonInt;\\nlet TimeSeriesAlerts = \\n allSignins\\n | make-series HourlyCount=count() on TimeGenerated from startofday(ago(starttime)) to startofday(now()) step 1h by UserPrincipalName, Roles\\n | extend (anomalies, score, baseline) = series_decompose_anomalies(HourlyCount, scorethreshold, -1, \u0027linefit\u0027)\\n | mv-expand HourlyCount to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to typeof(double), baseline to typeof(long)\\n // Filtering low count events per baselinethreshold\\n | where anomalies \u003e 0 and baseline \u003e baselinethreshold\\n | extend AnomalyHour = TimeGenerated\\n | project UserPrincipalName, Roles, AnomalyHour, TimeGenerated, HourlyCount, baseline, anomalies, score;\\n// Filter the alerts for specified timeframe\\nTimeSeriesAlerts\\n| where TimeGenerated \u003e startofday(ago(timeframe))\\n| join kind=inner ( \\n allSignins\\n | where TimeGenerated \u003e startofday(ago(timeframe))\\n // create a new column and round to hour\\n | extend DateHour = bin(TimeGenerated, 1h)\\n | summarize PartialFailedSignins = count(), LatestAnomalyTime = arg_max(TimeGenerated, *) by bin(TimeGenerated, 1h), OperationName, Category, ResultType, ResultDescription, UserPrincipalName, Roles, UserDisplayName, AppDisplayName, ClientAppUsed, IPAddress, ResourceDisplayName\\n) on UserPrincipalName, $left.AnomalyHour == $right.DateHour\\n| project LatestAnomalyTime, OperationName, Category, UserPrincipalName, Roles = todynamic(Roles), UserDisplayName, ResultType, ResultDescription, AppDisplayName, ClientAppUsed, UserAgent, IPAddress, Location, AuthenticationRequirement, ConditionalAccessStatus, ResourceDisplayName, PartialFailedSignins, TotalFailedSignins = HourlyCount, baseline, anomalies, score\\n| extend timestamp = LatestAnomalyTime, IPCustomEntity = IPAddress, AccountCustomEntity = UserPrincipalName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Privileged Accounts - Sign in Failure Spikes\",\"description\":\" Identifies spike in failed sign-ins from Privileged accounts. Privileged accounts list can be based on IdentityInfo UEBA table or built-in watchlist.\\nSpike is determined based on Time series anomaly which will look at historical baseline values.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor\",\"lastUpdatedDateUTC\":\"2022-01-25T00:00:00Z\",\"createdDateUTC\":\"2021-10-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/106813db-679e-4382-a51b-1bfc463befc3\",\"name\":\"106813db-679e-4382-a51b-1bfc463befc3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.0\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(Url)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n CommonSecurityLog\\n | extend IngestionTime = ingestion_time()\\n | where IngestionTime \u003e ago(dt_lookBack)\\n // Select on Palo Alto logs\\n | where DeviceVendor =~ \\\"Palo Alto Networks\\\"\\n | where DeviceEventClassID =~ \u0027url\u0027\\n //Uncomment the line below to only alert on allowed connections\\n //| where DeviceAction !~ \\\"block-url\\\"\\n //Select logs where URL data is populated\\n | extend PA_Url = columnifexists(\\\"RequestURL\\\", \\\"None\\\")\\n | extend PA_Url = iif(isempty(PA_Url), extract(\\\"([^\\\\\\\"]+)\\\", 1, tolower(AdditionalExtensions)), trim(\u0027\\\"\u0027, PA_Url))\\n | extend PA_Url = iif(PA_Url !startswith \\\"http://\\\" and ApplicationProtocol !~ \\\"ssl\\\", strcat(\u0027http://\u0027, PA_Url), iif(PA_Url !startswith \\\"https://\\\" and ApplicationProtocol =~ \\\"ssl\\\", strcat(\u0027https://\u0027, PA_Url), PA_Url))\\n | where isnotempty(PA_Url)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n) on $left.Url == $right.PA_Url\\n| where CommonSecurityLog_TimeGenerated \u003c ExpirationDateTime\\n| summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, PA_Url\\n| project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DeviceAction, SourceIP, PA_Url, DeviceName\\n| extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, URLCustomEntity = PA_Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map URL entity to PaloAlto data\",\"description\":\"Identifies a match in PaloAlto data from any URL IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/884ead54-cb3f-4676-a1eb-b26532d6cbfd\",\"name\":\"884ead54-cb3f-4676-a1eb-b26532d6cbfd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let SensitiveOperationList = dynamic(\\n[\\\"VaultDelete\\\", \\\"KeyDelete\\\", \\\"SecretDelete\\\", \\\"SecretPurge\\\", \\\"KeyPurge\\\", \\\"SecretBackup\\\", \\\"KeyBackup\\\"]);\\nAzureDiagnostics\\n| extend ResultType = columnifexists(\\\"ResultType\\\", \\\"NoResultType\\\")\\n| extend requestUri_s = columnifexists(\\\"requestUri_s\\\", \\\"None\\\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"None\\\")\\n| extend id_s = columnifexists(\\\"id_s\\\", \\\"None\\\"), CallerIPAddress = columnifexists(\\\"CallerIPAddress\\\", \\\"None\\\"), clientInfo_s = columnifexists(\\\"clientInfo_s\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \\\"None\\\" and isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\\n| where id_s !~ \\\"None\\\" and isnotempty(id_s)\\n| where CallerIPAddress !~ \\\"None\\\" and isnotempty(CallerIPAddress)\\n| where clientInfo_s !~ \\\"None\\\" and isnotempty(clientInfo_s)\\n| where requestUri_s !~ \\\"None\\\" and isnotempty(requestUri_s)\\n| where ResourceType =~ \\\"VAULTS\\\" and ResultType =~ \\\"Success\\\"\\n| where OperationName in~ (SensitiveOperationList)\\n| summarize EventCount=count(), StartTimeUtc=min(TimeGenerated), EndTimeUtc=max(TimeGenerated), TimeTriggered=makelist(TimeGenerated),OperationNameList=make_set(OperationName), RequestURLList=make_set(requestUri_s), CallerIPList = make_set(CallerIPAddress), CallerIPMax= arg_max(CallerIPAddress,*) by ResourceType, ResultType, Resource, id_s, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, clientInfo_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"CallerIPMax\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"NRT Sensitive Azure Key Vault operations\",\"description\":\"Identifies when sensitive Azure Key Vault operations are used. This includes: VaultDelete, KeyDelete, SecretDelete, SecretPurge, KeyPurge, SecretBackup, KeyBackup.\\nAny Backup operations should match with expected scheduled backup activity.\",\"lastUpdatedDateUTC\":\"2022-02-07T00:00:00Z\",\"createdDateUTC\":\"2019-07-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureKeyVault\",\"dataTypes\":[\"KeyVaultData\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/95dc4ae3-e0f2-48bd-b996-cdd22b90f9af\",\"name\":\"95dc4ae3-e0f2-48bd-b996-cdd22b90f9af\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"(union isfuzzy=true\\n(\\nAuditLogs\\n| where OperationName =~ \\\"Set federation settings on domain\\\"\\n//| where Result =~ \\\"success\\\" // commenting out, as it may be interesting to capture failed attempts\\n| mv-expand TargetResources\\n| extend modifiedProperties = parse_json(TargetResources).modifiedProperties\\n| mv-expand modifiedProperties\\n| extend targetDisplayName = tostring(parse_json(modifiedProperties).displayName)\\n| mv-expand AdditionalDetails\\n),\\n(\\nAuditLogs\\n| where OperationName =~ \\\"Set domain authentication\\\"\\n//| where Result =~ \\\"success\\\" // commenting out, as it may be interesting to capture failed attempts\\n| mv-expand TargetResources\\n| extend modifiedProperties = parse_json(TargetResources).modifiedProperties\\n| mv-expand modifiedProperties\\n| extend targetDisplayName = tostring(parse_json(modifiedProperties).displayName), NewDomainValue=tostring(parse_json(modifiedProperties).newValue)\\n| where NewDomainValue has \\\"Federated\\\"\\n)\\n)\\n| extend UserAgent = iff(AdditionalDetails.key == \\\"User-Agent\\\",tostring(AdditionalDetails.value),\\\"\\\")\\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, AADOperationType, targetDisplayName, Result, InitiatingIpAddress, UserAgent, CorrelationId, TenantId, AADTenantId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingUserOrApp, IPCustomEntity = InitiatingIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Modified domain federation trust settings\",\"description\":\"This will alert when a user or application modifies the federation settings on the domain or Update domain authentication from Managed to Federated.\\nFor example, this alert will trigger when a new Active Directory Federated Service (ADFS) TrustedRealm object, such as a signing certificate, is added to the domain.\\nModification to domain federation settings should be rare. Confirm the added or modified target domain/URL is legitimate administrator behavior.\\nTo understand why an authorized user may update settings for a federated domain in Office 365, Azure, or Intune, see: https://docs.microsoft.com/office365/troubleshoot/active-directory/update-federated-domain-office-365.\\nFor details on security realms that accept security tokens, see the ADFS Proxy Protocol (MS-ADFSPP) specification: https://docs.microsoft.com/openspecs/windows_protocols/ms-adfspp/e7b9ea73-1980-4318-96a6-da559486664b.\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2022-01-16T00:00:00Z\",\"createdDateUTC\":\"2020-12-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ac891683-53c3-4f86-86b4-c361708e2b2b\",\"name\":\"ac891683-53c3-4f86-86b4-c361708e2b2b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"// Allowlisted UPNs should likely stay empty\\nlet AllowlistedUpns = datatable(UPN:string)[\u0027foo@bar.com\u0027, \u0027test@foo.com\u0027];\\n// Operation Name parts that will alert\\nlet HasAnyBlocklist = datatable(OperationNamePart:string)[\u0027Security.\u0027,\u0027Project.\u0027,\u0027AuditLog.\u0027,\u0027Extension.\u0027];\\n// Distinct Operation Names that will flag\\nlet HasExactBlocklist = datatable(OperationName:string)[\u0027Group.UpdateGroupMembership.Add\u0027,\u0027Library.ServiceConnectionExecuted\u0027,\u0027Pipelines.PipelineModified\u0027,\\n\u0027Release.ReleasePipelineModified\u0027, \u0027Git.RefUpdatePoliciesBypassed\u0027];\\nAzureDevOpsAuditing\\n| where AuthenticationMechanism startswith \\\"PAT\\\" and (OperationName has_any (HasAnyBlocklist) or OperationName in (HasExactBlocklist))\\n and ActorUPN !in (AllowlistedUpns)\\n| project TimeGenerated, AuthenticationMechanism, ProjectName, ActorUPN, ActorDisplayName, IpAddress, UserAgent, OperationName, Details, Data\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Execution\",\"Impact\"],\"displayName\":\"Azure DevOps Personal Access Token (PAT) misuse\",\"description\":\"This Alert detects whenever a PAT is used in ways that PATs are not normally used. May require an allow list and baselining.\\nReference - https://docs.microsoft.com/azure/devops/organizations/accounts/use-personal-access-tokens-to-authenticate?view=azure-devops\u0026tabs=preview-page\\nUse this query for baselining:\\nAzureDevOpsAuditing\\n| distinct OperationName\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2020-06-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/acfdee3f-b794-404a-aeba-ef6a1fa08ad1\",\"name\":\"acfdee3f-b794-404a-aeba-ef6a1fa08ad1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"let lookback = 14d;\\nlet timewindow = 7d;\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(lookback)\\n| where OperationName =~ \\\"Library.AgentPoolCreated\\\"\\n| extend AgentCloudId = tostring(Data.AgentCloudId)\\n| extend PoolType = iif(isnotempty(AgentCloudId), \\\"Azure VMs\\\", \\\"Self Hosted\\\")\\n// Comment this line out to include cloud pools as well\\n| where PoolType == \\\"Self Hosted\\\"\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n| extend AgentPoolId = tostring(Data.AgentPoolId)\\n| extend IsHosted = tostring(Data.IsHosted)\\n| extend IsLegacy = tostring(Data.IsLegacy)\\n| extend timekey = bin(TimeGenerated, timewindow)\\n// Join only with pools deleted in the same window\\n| join (AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(lookback)\\n| where OperationName =~ \\\"Library.AgentPoolDeleted\\\"\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n| extend AgentPoolId = tostring(Data.AgentPoolId)\\n| extend timekey = bin(TimeGenerated, timewindow)) on AgentPoolId, timekey\\n| project-reorder TimeGenerated, ActorUPN, UserAgent, IpAddress, AuthenticationMechanism, OperationName, AgentPoolName, IsHosted, IsLegacy, Data\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure DevOps Agent Pool Created Then Deleted\",\"description\":\"As well as adding build agents to an existing pool to execute malicious activity within a pipeline, an attacker could create a complete new agent pool and use this for execution.\\nAzure DevOps allows for the creation of agent pools with Azure hosted infrastructure or self-hosted infrastructure. Given the additional customizability of self-hosted agents this \\ndetection focuses on the creation of new self-hosted pools. To further reduce false positive rates the detection looks for pools created and deleted relatively quickly (within 7 days by default), \\nas an attacker is likely to remove a malicious pool once used in order to reduce/remove evidence of their activity.\",\"lastUpdatedDateUTC\":\"2022-01-17T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/26a3b261-b997-4374-94ea-6c37f67f4f39\",\"name\":\"26a3b261-b997-4374-94ea-6c37f67f4f39\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.5.1\",\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"asyspy256.ddns.net\\\",\\\"hotkillmail9sddcc.ddns.net\\\",\\\"rosaf112.ddns.net\\\",\\\"cvdfhjh1231.myftp.biz\\\",\\\"sz2016rose.ddns.net\\\",\\\"dffwescwer4325.myftp.biz\\\",\\\"cvdfhjh1231.ddns.net\\\"]);\\nlet SHA1Hash = dynamic ([\\\"53a44c2396d15c3a03723fa5e5db54cafd527635\\\", \\\"9c5e496921e3bc882dc40694f1dcc3746a75db19\\\", \\\"aeb573accfd95758550cf30bf04f389a92922844\\\", \\\"79ef78a797403a4ed1a616c68e07fff868a8650a\\\", \\\"4f6f38b4cec35e895d91c052b1f5a83d665c2196\\\", \\\"1e8c2cac2e4ce7cbd33c3858eb2e24531cb8a84d\\\", \\\"e841a63e47361a572db9a7334af459ddca11347a\\\", \\\"c28f606df28a9bc8df75a4d5e5837fc5522dd34d\\\", \\\"2e94b305d6812a9f96e6781c888e48c7fb157b6b\\\", \\\"dd44133716b8a241957b912fa6a02efde3ce3025\\\", \\\"8793bf166cb89eb55f0593404e4e933ab605e803\\\", \\\"a39b57032dbb2335499a51e13470a7cd5d86b138\\\", \\\"41cc2b15c662bc001c0eb92f6cc222934f0beeea\\\", \\\"d209430d6af54792371174e70e27dd11d3def7a7\\\", \\\"1c6452026c56efd2c94cea7e0f671eb55515edb0\\\", \\\"c6b41d3afdcdcaf9f442bbe772f5da871801fd5a\\\", \\\"4923d460e22fbbf165bbbaba168e5a46b8157d9f\\\", \\\"f201504bd96e81d0d350c3a8332593ee1c9e09de\\\", \\\"ddd2db1127632a2a52943a2fe516a2e7d05d70d2\\\"]);\\nlet SHA256Hash = dynamic ([\\\"9ae7c4a4e1cfe9b505c3a47e66551eb1357affee65bfefb0109d02f4e97c06dd\\\", \\\"7772d624e1aed327abcd24ce2068063da0e31bb1d5d3bf2841fc977e198c6c5b\\\", \\\"657fc7e6447e0065d488a7db2caab13071e44741875044f9024ca843fe4e86b5\\\", \\\"2ef157a97e28574356e1d871abf75deca7d7a1ea662f38b577a06dd039dbae29\\\", \\\"52fd7b90d7144ac448af4008be639d4d45c252e51823f4311011af3207a5fc77\\\", \\\"a370e47cb97b35f1ae6590d14ada7561d22b4a73be0cb6df7e851d85054b1ac3\\\", \\\"5bf80b871278a29f356bd42af1e35428aead20cd90b0c7642247afcaaa95b022\\\", \\\"6f690ccfd54c2b02f0c3cb89c938162c10cbeee693286e809579c540b07ed883\\\", \\\"3c884f776fbd16597c072afd81029e8764dd57ee79d798829ca111f5e170bd8e\\\", \\\"1922a419f57afb351b58330ed456143cc8de8b3ebcbd236d26a219b03b3464d7\\\", \\\"fe0e4ef832b62d49b43433e10c47dc51072959af93963c790892efc20ec422f1\\\", \\\"7ce9e1c5562c8a5c93878629a47fe6071a35d604ed57a8f918f3eadf82c11a9c\\\", \\\"178d5ee8c04401d332af331087a80fb4e5e2937edfba7266f9be34a5029b6945\\\", \\\"51f70956fa8c487784fd21ab795f6ba2199b5c2d346acdeef1de0318a4c729d9\\\", \\\"889bca95f1a69e94aaade1e959ed0d3620531dc0fc563be9a8decf41899b4d79\\\", \\\"332ddaa00e2eb862742cb8d7e24ce52a5d38ffb22f6c8bd51162bd35e84d7ddf\\\", \\\"44bcf82fa536318622798504e8369e9dcdb32686b95fcb44579f0b4efa79df08\\\", \\\"63552772fdd8c947712a2cff00dfe25c7a34133716784b6d486227384f8cf3ef\\\", \\\"056744a3c371b5938d63c396fe094afce8fb153796a65afa5103e1bffd7ca070\\\"]);\\nlet SigNames = dynamic([\\\"TrojanDropper:Win32/BlackMould.A!dha\\\", \\\"Trojan:Win32/BlackMould.B!dha\\\", \\\"Trojan:Win32/QuarkBandit.A!dha\\\", \\\"Trojan:Win32/Sidelod.A!dha\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where isnotempty(FileHash)\\n| where FileHash in (SHA256Hash) or DNSName in~ (DomainNames)\\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n),\\n( _Im_Dns(domain_has_any=DomainNames)\\n| extend DNSName = DnsQuery\\n| extend IPAddress = SrcIpAddr\\n),\\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where isnotempty(DNSName)\\n| where DNSName in~ (DomainNames)\\n| extend IPAddress = RemoteIp\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updataing\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Hashes = EventDetail.[16].[\\\"#text\\\"]\\n| parse Hashes with * \u0027SHA1=\u0027 SHA1 \u0027,\u0027 * \\n| where isnotempty(Hashes)\\n| where Hashes in (SHA1Hash) \\n| extend Account = UserName\\n),\\n(SecurityAlert\\n| where ProductName == \\\"Microsoft Defender Advanced Threat Protection\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| where isnotempty(ThreatName)\\n| where ThreatName has_any (SigNames)\\n| extend Computer = tostring(parse_json(Entities)[0].HostName)\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPAddress = SourceHost\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"CredentialAccess\"],\"displayName\":\"Known GALLIUM domains and hashes\",\"description\":\"GALLIUM command and control domains and hash values for tools and malware used by GALLIUM. \\n Matches domain name IOCs related to the GALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes.\\n References: https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/ \",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2019-12-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/52aec824-96c1-4a03-8e44-bb70532e6cea\",\"name\":\"52aec824-96c1-4a03-8e44-bb70532e6cea\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"SecurityEvent\\n| where EventID == 5136 and EventData contains \\\"\u003cData Name=\\\\\\\"ObjectDN\\\\\\\"\u003eCN=AdminSDHolder,CN=System\\\"\\n| parse EventData with * \u0027ObjectDN\\\"\u003e\u0027 ObjectDN \\\"\u003c\\\" *\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Computer, SubjectAccount, SubjectUserSid, SubjectLogonId, ObjectDN\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SubjectAccount\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"AdminSDHolder Modifications\",\"description\":\"This query detects modification in the AdminSDHolder in the Active Directory which could indicate an attempt for persistence. \\nAdminSDHolder Modification is a persistence technique in which an attacker abuses the SDProp process in Active Directory to establish a persistent backdoor to Active Directory.\\nThis query searches for the event id 5136 where the Object DN is AdminSDHolder.\\nRef: https://attack.stealthbits.com/adminsdholder-modification-ad-persistence\",\"lastUpdatedDateUTC\":\"2022-01-20T00:00:00Z\",\"createdDateUTC\":\"2021-12-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8540c842-5bbc-4a24-9fb2-a836c0e55a51\",\"name\":\"8540c842-5bbc-4a24-9fb2-a836c0e55a51\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"AuditLogs\\n| where OperationName =~ \\\"Set federation settings on domain\\\" or OperationName =~ \\\"Set domain authentication\\\"\\n//| where Result =~ \\\"success\\\" // commenting out, as it may be interesting to capture failed attempts\\n| mv-expand TargetResources\\n| extend modifiedProperties = parse_json(TargetResources).modifiedProperties\\n| mv-expand modifiedProperties\\n| extend targetDisplayName = tostring(parse_json(modifiedProperties).displayName), NewDomainValue=tostring(parse_json(modifiedProperties).newValue)\\n| extend Federated = iif(OperationName =~ \\\"Set domain authentication\\\", iif(NewDomainValue has \\\"Federated\\\", True, False), True)\\n| where Federated == True\\n| mv-expand AdditionalDetails\\n| extend UserAgent = iff(AdditionalDetails.key == \\\"User-Agent\\\",tostring(AdditionalDetails.value),\\\"\\\")\\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, AADOperationType, targetDisplayName, Result, InitiatingIpAddress, UserAgent, CorrelationId, TenantId, AADTenantId\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserOrApp\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIpAddress\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"NRT Modified domain federation trust settings\",\"description\":\"This will alert when a user or application modifies the federation settings on the domain or Update domain authentication from Managed to Federated.\\nFor example, this alert will trigger when a new Active Directory Federated Service (ADFS) TrustedRealm object, such as a signing certificate, is added to the domain.\\nModification to domain federation settings should be rare. Confirm the added or modified target domain/URL is legitimate administrator behavior.\\nTo understand why an authorized user may update settings for a federated domain in Office 365, Azure, or Intune, see: https://docs.microsoft.com/office365/troubleshoot/active-directory/update-federated-domain-office-365.\\nFor details on security realms that accept security tokens, see the ADFS Proxy Protocol (MS-ADFSPP) specification: https://docs.microsoft.com/openspecs/windows_protocols/ms-adfspp/e7b9ea73-1980-4318-96a6-da559486664b.\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2022-02-07T00:00:00Z\",\"createdDateUTC\":\"2020-12-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/327cd4ed-ca42-454b-887c-54e1c91363c6\",\"name\":\"327cd4ed-ca42-454b-887c-54e1c91363c6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Microsoft Defender Advanced Threat Protection\",\"displayName\":\"Create incidents based on Microsoft Defender for Endpoint alerts\",\"description\":\"Create incidents based on all alerts generated in Microsoft Defender for Endpoint\",\"lastUpdatedDateUTC\":\"2019-10-24T00:00:00Z\",\"createdDateUTC\":\"2019-10-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftDefenderAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert (MDATP)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0b9ae89d-8cad-461c-808f-0494f70ad5c4\",\"name\":\"0b9ae89d-8cad-461c-808f-0494f70ad5c4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.1.1\",\"severity\":\"Low\",\"query\":\"let PerUserThreshold = 5;\\nlet TotalThreshold = 100;\\nlet action = dynamic([\\\"change\\\", \\\"changed\\\", \\\"reset\\\"]);\\nlet pWord = dynamic([\\\"password\\\", \\\"credentials\\\"]);\\nlet PasswordResetMultiDataSource =\\n(union isfuzzy=true\\n(//Password reset events\\n//4723: An attempt was made to change an account\u0027s password\\n//4724: An attempt was made to reset an accounts password\\nSecurityEvent\\n| where EventID in (\\\"4723\\\",\\\"4724\\\")\\n| project TimeGenerated, Computer, AccountType, Account, Type, TargetUserName),\\n(//Password reset events\\n//4723: An attempt was made to change an account\u0027s password\\n//4724: An attempt was made to reset an accounts password\\nWindowsEvent\\n| where EventID in (\\\"4723\\\",\\\"4724\\\")\\n| extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| extend TargetUserName = tostring(EventData.TargetUserName)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend AccountType=case(Account endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n| project TimeGenerated, Computer, AccountType, Account, Type, TargetUserName),\\n(//Azure Active Directory Password reset events\\nAuditLogs\\n| where OperationName has_any (pWord) and OperationName has_any (action) and Result =~ \\\"success\\\"\\n| extend AccountType = tostring(TargetResources[0].type), Account = tostring(TargetResources[0].userPrincipalName), \\nTargetUserName = tolower(tostring(TargetResources[0].displayName))\\n| project TimeGenerated, AccountType, Account, Computer = \\\"\\\", Type),\\n(//OfficeActive ActiveDirectory Password reset events\\nOfficeActivity\\n| where OfficeWorkload == \\\"AzureActiveDirectory\\\" \\n| where (ExtendedProperties has_any (pWord) or ModifiedProperties has_any (pWord)) and (ExtendedProperties has_any (action) or ModifiedProperties has_any (action))\\n| extend AccountType = UserType, Account = OfficeObjectId \\n| project TimeGenerated, AccountType, Account, Type, Computer = \\\"\\\"),\\n(// Unix syslog password reset events\\nSyslog\\n| where Facility in (\\\"auth\\\",\\\"authpriv\\\")\\n| where SyslogMessage has_any (pWord) and SyslogMessage has_any (action)\\n| extend AccountType = iif(SyslogMessage contains \\\"root\\\", \\\"Root\\\", \\\"Non-Root\\\")\\n| where SyslogMessage matches regex \\\".*password changed for.*\\\"\\n| parse SyslogMessage with * \\\"password changed for\\\" Account\\n| project TimeGenerated, AccountType, Account, Computer = HostName, Type)\\n);\\nlet pwrmd = PasswordResetMultiDataSource\\n| project TimeGenerated, Computer, AccountType, Account, Type, TargetUserName;\\n(union isfuzzy=true \\n(pwrmd\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), Computerlist = make_set(Computer, 25), AccountType = make_set(AccountType, 25), Computer = arg_max(Computer , TimeGenerated), TargetUserList = make_set(TargetUserName, 25), TargetUserName = arg_max(TargetUserName, TimeGenerated), Total=count() by Account, Type\\n| where Total \u003e PerUserThreshold\\n| extend ResetPivot = \\\"PerUserReset\\\"), \\n(pwrmd\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ComputerList = make_set(Computer, 25), AccountList = make_set(Account, 25), AccountType = make_set(AccountType, 25), Computer = arg_max(Computer , TimeGenerated), TargetUserList = make_set(TargetUserName, 25), TargetUserName = arg_max(TargetUserName, TimeGenerated), Total=count() by Type\\n| where Total \u003e TotalThreshold\\n| extend ResetPivot = \\\"TotalUserReset\\\")\\n)\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUserName\"}]}],\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"Multiple Password Reset by user\",\"description\":\"This query will determine multiple password resets by user across multiple data sources. \\nAccount manipulation including password reset may aid adversaries in maintaining access to credentials \\nand certain permission levels within an environment.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2019-09-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d804b39c-03a4-417c-a949-bdbf21fa3305\",\"name\":\"d804b39c-03a4-417c-a949-bdbf21fa3305\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.7.2\",\"severity\":\"Medium\",\"query\":\"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string)\\n[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/MSTICIoCs-ExchangeServerVulnerabilitiesDisclosedMarch2021.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet file_paths = (iocs | where Type =~ \\\"filepath\\\" | project IoC);\\nlet sha256s = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\nlet ips = (iocs | where Type =~ \\\"ip\\\" | project IoC);\\nlet domains = (iocs | where Type =~ \\\"domainname\\\" | project IoC);\\nlet dyndomains = todynamic(toscalar((domains | summarize make_set(IoC))));\\nunion isfuzzy=true\\n(SecurityEvent\\n| where EventID == 4663\\n| where ObjectName in (file_paths)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(WindowsEvent\\n| where EventID == 4663 and EventData has_any (file_paths)\\n| extend ObjectName = tostring(EventData.ObjectName) \\n| where ObjectName in (file_paths)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName), \\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(imFileEvent\\n| where TargetFileName in (file_paths)\\n or\\n TargetFileSHA256 in (sha256s)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUsername, HostCustomEntity = DvcHostname\\n),\\n(DeviceFileEvents\\n| where FolderPath in (file_paths)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountName, HostCustomEntity = DeviceName\\n),\\n(DeviceEvents\\n| where InitiatingProcessSHA256 in (sha256s)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountName, HostCustomEntity = DeviceName\\n),\\n (CommonSecurityLog\\n| where FileHash in (sha256s)\\n| extend timestamp = TimeGenerated\\n),\\n(Event // File iocs\\n//This query uses sysmon data depending on table name used this may need updating\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Hashes = EventDetail.[16].[\\\"#text\\\"]\\n| where isnotempty(Hashes)\\n| parse Hashes with * \u0027SHA256=\u0027 SHA256 \u0027,\u0027 *\\n| where SHA256 in~ (sha256s)\\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = Hashes\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(CommonSecurityLog\\n| where isnotempty(SourceIP) or isnotempty(DestinationIP)\\n| where (SourceIP in (ips) or DestinationIP in (ips) or Message has_any (ips)) or (RequestURL has_any (domains))\\n| extend IPMatch = case(SourceIP in (ips), \\\"SourceIP\\\", DestinationIP in (ips), \\\"DestinationIP\\\", \\\"Message\\\")\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch\\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\")\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = EventDetail.[9].[\\\"#text\\\"], DestinationIP = EventDetail.[14].[\\\"#text\\\"]\\n| where SourceIP in (ips) or DestinationIP in (ips)\\n| extend IPMatch = case( SourceIP in (ips), \\\"SourceIP\\\", DestinationIP in (ips), \\\"DestinationIP\\\", \\\"None\\\")\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n),\\n(WireData\\n| where isnotempty(RemoteIP)\\n| where RemoteIP in (ips)\\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer\\n),\\n(W3CIISLog\\n| where isnotempty(cIP)\\n| where cIP in (ips)\\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName\\n),\\n(\\nWindowsFirewall\\n| where SourceIP in (ips) or DestinationIP in (ips)\\n| extend IPMatch = case( SourceIP in (ips), \\\"SourceIP\\\", DestinationIP in (ips), \\\"DestinationIP\\\", \\\"None\\\")\\n),\\n(\\n _Im_NetworkSession(srcipaddr_has_any_prefix=ips) \\n | extend IPCustomEntity = SrcIpAddr, AccountCustomEntity= User, HostCustomEntity=Hostname\\n),\\n (\\n _Im_NetworkSession(dstipaddr_has_any_prefix=ips) \\n | extend IPCustomEntity = DstIpAddr, AccountCustomEntity= User, HostCustomEntity=Hostname\\n),\\n(_Im_Dns(domain_has_any=dyndomains)\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc\\n)\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Exchange Server Vulnerabilities Disclosed March 2021 IoC Match\",\"description\":\"This detection look for IoCs shared by Microsoft relating to attacks exploiting the Exchange Server vulnerabilities disclosed in March 2021. It looks for SHA256 file hashes, IP addresses and file paths in a number of data sources. This query can also be customized with additional data sources that may include these elements.\\nRef: https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2021-03-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"AzureMonitor(WireData)\",\"dataTypes\":[\"WireData\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog (CheckPoint)\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog (Cisco)\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog (F5)\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog (Fortinet)\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/09ec8fa2-b25f-4696-bfae-05a7b85d7b9e\",\"name\":\"09ec8fa2-b25f-4696-bfae-05a7b85d7b9e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT3H\",\"queryPeriod\":\"PT3H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"High\",\"query\":\"let timeframe = ago(3h);\\nlet threshold = 2;\\nimAuthentication\\n| where TimeGenerated \u003e timeframe\\n| where EventType==\u0027Logon\u0027 and EventResult==\u0027Success\u0027\\n| where isnotempty(SrcGeoCountry)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), Vendors=make_set(EventVendor), Products=make_set(EventProduct)\\n , NumOfCountries = dcount(SrcGeoCountry)\\n by TargetUserId, TargetUsername, TargetUserType\\n| where NumOfCountries \u003e= threshold\\n| extend timestamp = StartTime, AccountCustomEntity = TargetUsername\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"User login from different countries within 3 hours (Uses Authentication Normalization)\",\"description\":\"This query searches for successful user logins from different countries within 3 hours.\\n To use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimAuthentication)\",\"lastUpdatedDateUTC\":\"2022-02-14T00:00:00Z\",\"createdDateUTC\":\"2021-06-14T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/67775878-7f8b-4380-ac54-115e1e828901\",\"name\":\"67775878-7f8b-4380-ac54-115e1e828901\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Medium\",\"query\":\"let HAS_ANY_MAX=10000;\\nlet dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet IP_TI = (ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = coalesce(NetworkIP, NetworkDestinationIP, NetworkSourceIP,EmailSourceIpAddress,\\\"\\\")\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true);\\nlet TI_IP_List=IP_TI | summarize NIPs=dcount(TI_ipEntity), IP_List=make_set( TI_ipEntity) \\n| project IP_List=iff(NIPs \u003e HAS_ANY_MAX, dynamic([]), IP_List);\\n_Im_Dns(starttime=ago(dt_lookBack), response_has_any_prefix=todynamic(toscalar(TI_IP_List)))\\n | extend tilist = toscalar(TI_IP_List)\\n | mv-expand tilist\\n | extend SingleIP=tostring(tilist)\\n | project-away tilist\\n | where has_ipv4(DnsResponseName, SingleIP)\\n | extend DNS_TimeGenerated = TimeGenerated\\n| join IP_TI\\n on $left.SingleIP == $right.TI_ipEntity\\n| where DNS_TimeGenerated \u003e= TimeGenerated and DNS_TimeGenerated \u003c ExpirationDateTime\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, DNS_TimeGenerated,\\nTI_ipEntity, Dvc, EventSubType, SrcIpAddr, DnsQuery, DnsResponseName, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = DNS_TimeGenerated, IPCustomEntity = TI_ipEntity, HostCustomEntity = Dvc, URLCustomEntity = Url\",\"customDetails\":{\"LatestIndicatorTime\":\"LatestIndicatorTime\",\"Description\":\"Description\",\"ActivityGroupNames\":\"ActivityGroupNames\",\"IndicatorId\":\"IndicatorId\",\"ThreatType\":\"ThreatType\",\"ExpirationDateTime\":\"ExpirationDateTime\",\"ConfidenceScore\":\"ConfidenceScore\",\"DNSRequestTime\":\"DNS_TimeGenerated\",\"SourceIPAddress\":\"SrcIpAddr\",\"SubType\":\"EventSubType\",\"DnsQuery\":\"DnsQuery\"},\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"(Preview) TI map IP entity to Dns Events (ASIM DNS Schema)\",\"description\":\"Identifies a match in DNS events from any IP IOC from TI\\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema\",\"lastUpdatedDateUTC\":\"2022-04-27T00:00:00Z\",\"createdDateUTC\":\"2021-09-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ca67c83e-7fff-4127-a3e3-1af66d6d4cad\",\"name\":\"ca67c83e-7fff-4127-a3e3-1af66d6d4cad\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let ProcessCreationEvents=() {\\nlet processEvents=(union isfuzzy=true\\n(SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName,\\nFileName = Process, CommandLine, ParentProcessName\\n),\\n(WindowsEvent\\n| where EventID==4688\\n| where EventData has \\\"TVqQAAMAAAAEAAA\\\"\\n| extend CommandLine = tostring(EventData.CommandLine)\\n| where isnotempty(CommandLine)\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName,\\nFileName = Process, CommandLine, ParentProcessName));\\nprocessEvents};\\nProcessCreationEvents\\n| where CommandLine contains \\\"TVqQAAMAAAAEAAA\\\"\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Execution\",\"DefenseEvasion\"],\"displayName\":\"Base64 encoded Windows process command-lines\",\"description\":\"Identifies instances of a base64 encoded PE file header seen in the process command line parameter.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2018-09-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/90586451-7ba8-4c1e-9904-7d1b7c3cc4d6\",\"name\":\"90586451-7ba8-4c1e-9904-7d1b7c3cc4d6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Azure Security Center\",\"severitiesFilter\":[\"Low\",\"Medium\",\"High\"],\"displayName\":\"Create incidents based on Microsoft Defender for Cloud\",\"description\":\"Create incidents based on all alerts generated in Microsoft Defender for Cloud\",\"lastUpdatedDateUTC\":\"2021-07-25T00:00:00Z\",\"createdDateUTC\":\"2019-07-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert (ASC)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d57c33a9-76b9-40e0-9dfa-ff0404546410\",\"name\":\"d57c33a9-76b9-40e0-9dfa-ff0404546410\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"// Adjust this to use a longer timeframe to identify ADFS servers\\n//let lookback = 0d;\\n// Adjust this to adjust detection timeframe\\n//let timeframe = 1d;\\n// Filter out other servers in the AD FS farm\\nlet ADFSServersList = dynamic([\\\"ADFS02.domain.com\\\",\\\"ADFS03.domain.com\\\"]);\\n// Start by identifying ADFS servers to reduce FP chance\\nlet ADFS_Servers = (\\nEvent\\n//| where TimeGenerated \u003e ago(timeframe+lookback)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 18\\n| where Computer !in (ADFSServersList)\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, MG, ManagementGroupName, _ResourceId)\\n| extend Image = column_ifexists(\\\"Image\\\", \\\"\\\")\\n| extend process = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n| where process =~ \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| summarize by Computer\\n);\\n// Look for ADFS servers receiving connections over port 80\\nEvent\\n//| where TimeGenerated \u003e ago(timeframe)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where Computer in~ (ADFS_Servers)\\n| extend RenderedDescription = tostring(split(RenderedDescription, \\\":\\\")[0])\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, RenderedDescription, MG, ManagementGroupName, _ResourceId)\\n| extend RuleName = column_ifexists(\\\"RuleName\\\", \\\"\\\"), TechniqueId = column_ifexists(\\\"TechniqueId\\\", \\\"\\\"), TechniqueName = column_ifexists(\\\"TechniqueName\\\", \\\"\\\")\\n| parse RuleName with * \u0027technique_id=\u0027 TechniqueId \u0027,\u0027 * \u0027technique_name=\u0027 TechniqueName\\n| where EventID == 3\\n// Look for endpoints connecting to the AD FS server over port 80\\n| extend DestinationPort = column_ifexists(\\\"DestinationPort\\\", \\\"\\\"), Image = column_ifexists(\\\"Image\\\", \\\"\\\"), Initiated = column_ifexists(\\\"Initiated\\\", \\\"\\\"), SourceIp = column_ifexists(\\\"DestinationIp\\\", \\\"\\\"), DestinationIp = column_ifexists(\\\"DestinationIp\\\", \\\"\\\")\\n| where DestinationPort == 80\\n| extend process = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n// Look for the System process receiving connections\\n| where process == \u0027System\u0027 and Initiated == \u0027false\u0027\\n| where DestinationIp !in (\u0027::1\u0027,\u00270:0:0:0:0:0:0:1\u0027)\\n| extend Operation = RenderedDescription\\n| project-reorder TimeGenerated, Operation, Image, Computer, UserName\\n| extend HostCustomEntity = Computer, AccountCustomEntity = UserName, IPCustomEntity = SourceIp\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Collection\"],\"displayName\":\"AD FS Remote HTTP Network Connection\",\"description\":\"This detection uses Sysmon events (NetworkConnect events) to detect incoming network traffic on port 80 on AD FS servers. This could be a sign of a threat actor\\ntrying to use replication services on the AD FS server to get its configuration settings and extract sensitive information such as AD FS certificates.\\nIn order to use this query you need to enable Sysmon telemetry on the AD FS Server.\\nReference: https://twitter.com/OTR_Community/status/1387038995016732672\\n\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c1faf5e8-6958-11ec-90d6-0242ac120003\",\"name\":\"c1faf5e8-6958-11ec-90d6-0242ac120003\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n| where EventID == 4720 and TargetUserName endswith \\\"$\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Computer, SubjectUserName, SubjectUserSid, SubjectLogonId, TargetUserName, TargetSid\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SubjectUserName\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Fake computer account created\",\"description\":\"This query detects domain user accounts creation (event ID 4720) where the username ends with $. \\nAccounts that end with $ are normally domain computer accounts and when they are created the event ID 4741 is generated instead.\\nRef: https://blog.menasec.net/2019/02/threat-hunting-6-hiding-in-plain-sights.html\",\"lastUpdatedDateUTC\":\"2022-01-19T00:00:00Z\",\"createdDateUTC\":\"2021-12-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/04384937-e927-4595-8f3c-89ff58ed231f\",\"name\":\"04384937-e927-4595-8f3c-89ff58ed231f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let IPs = dynamic ([\\\"199.249.230.\\\",\\\"185.220.101.\\\",\\\"23.129.64.\\\",\\\"109.70.100.\\\",\\\"185.220.102.\\\"]);\\nOfficeActivity\\n| where RecordType in (\\\"AzureActiveDirectoryAccountLogon\\\", \\\"AzureActiveDirectoryStsLogon\\\") \\n| where Operation != \u0027UserLoggedIn\u0027\\n| extend UserAgent = iff(parse_json(ExtendedProperties)[0].Name =~ \\\"UserAgent\\\", extractjson(\\\"$[0].Value\\\", ExtendedProperties, typeof(string)),\\\"\\\")\\n| mv-expand parse_json(ExtendedProperties)\\n| where ExtendedProperties.Name =~ \\\"RequestType\\\"\\n| extend RequestType = ExtendedProperties.Value\\n| where ClientIP has_any (IPs)\\n| summarize authAttempts=dcount(TimeGenerated), firstAttempt=min(TimeGenerated), lastAttempt=max(TimeGenerated), uniqueIPs=dcount(ClientIP), uniqueAccounts=dcount(UserId), attemptedAccounts=make_set(UserId) by UserAgent\\n| where authAttempts \u003e 2500\\n| extend timestamp = firstAttempt\\n| sort by uniqueAccounts\",\"entityMappings\":[],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Possible STRONTIUM attempted credential harvesting - Sept 2020\",\"description\":\"Surfaces potential STRONTIUM group Office365 credential harvesting attempts within OfficeActivity Logon events.\\nReferences: https://www.microsoft.com/security/blog/2020/09/10/strontium-detecting-new-patters-credential-harvesting/.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-09-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7d7e20f8-3384-4b71-811c-f5e950e8306c\",\"name\":\"7d7e20f8-3384-4b71-811c-f5e950e8306c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"AuditLogs\\n| where ActivityDisplayName =~\u0027Add member to role completed (PIM activation)\u0027\\n| where Result == \\\"failure\\\"\\n| extend Role = tostring(TargetResources[3].displayName)\\n| extend User = tostring(TargetResources[2].displayName)\\n| project-reorder TimeGenerated, User, Role, OperationName, Result, ResultDescription\\n| extend InitiatingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n| extend AccountCustomEntity = User, IPCustomEntity = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUser\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"PIM Elevation Request Rejected\",\"description\":\"Identifies when a user is rejected for a privileged role elevation via PIM. Monitor rejections for indicators of attacker compromise of the requesting account.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-identity-management\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6852d9da-8015-4b95-8ecf-d9572ee0395d\",\"name\":\"6852d9da-8015-4b95-8ecf-d9572ee0395d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Low\",\"query\":\"let queryfrequency = 1h;\\nlet wait_for_deletion = 10m;\\nlet account_created =\\n AuditLogs \\n | where ActivityDisplayName == \\\"Add service principal\\\"\\n | where Result == \\\"success\\\"\\n | extend AppID = tostring(AdditionalDetails[1].value)\\n | extend creationTime = ActivityDateTime\\n | extend userPrincipalName_creator = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend ipAddress_creator = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress);\\nlet account_activity =\\n AADServicePrincipalSignInLogs\\n | extend Activities = pack(\\\"ActivityTime\\\", TimeGenerated ,\\\"IpAddress\\\", IPAddress, \\\"ResourceDisplayName\\\", ResourceDisplayName)\\n | extend AppID = AppId\\n | summarize make_list(Activities) by AppID;\\nlet account_deleted =\\n AuditLogs \\n | where OperationName == \\\"Remove service principal\\\"\\n | where Result == \\\"success\\\"\\n | extend AppID = tostring(AdditionalDetails[1].value)\\n | extend deletionTime = ActivityDateTime\\n | extend userPrincipalName_deleter = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend ipAddress_deleter = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress);\\nlet account_credentials =\\n AuditLogs\\n | where OperationName has_all (\\\"Update application\\\", \\\"Certificates and secrets management\\\")\\n | where Result == \\\"success\\\"\\n | extend AppID = tostring(AdditionalDetails[1].value)\\n | extend credentialCreationTime = ActivityDateTime;\\nlet roles_assigned =\\n AuditLogs\\n | where ActivityDisplayName == \\\"Add app role assignment to service principal\\\"\\n | extend AppID = tostring(TargetResources[1].displayName)\\n | extend AssignedRole = iff(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].displayName)==\\\"AppRole.Value\\\", tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].newValue))),\\\"\\\")\\n | extend AssignedRoles = pack(\\\"Role\\\", AssignedRole)\\n | summarize make_list(AssignedRoles) by AppID;\\naccount_created\\n| where TimeGenerated between (ago(wait_for_deletion+queryfrequency)..ago(wait_for_deletion))\\n| join kind= inner (account_activity) on AppID\\n| join kind= inner (account_deleted) on AppID\\n| join kind= inner (account_credentials) on AppID\\n| join kind= inner (roles_assigned) on AppID\\n| where deletionTime - creationTime between (time(0s)..wait_for_deletion)\\n| extend AliveTime = deletionTime - creationTime\\n| project AADTenantId, AppID, creationTime, deletionTime, userPrincipalName_creator, userPrincipalName_deleter, ipAddress_creator, ipAddress_deleter, list_Activities, list_AssignedRoles, AliveTime\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"userPrincipalName_creator\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"userPrincipalName_deleter\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ipAddress_creator\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ipAddress_deleter\"}]}],\"tactics\":[\"CredentialAccess\",\"PrivilegeEscalation\",\"InitialAccess\"],\"displayName\":\"Suspicious Service Principal creation activity\",\"description\":\"This alert will detect creation of an SPN, permissions granted, credentials created, activity and deletion of the SPN in a time frame (default 10 minutes)\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2021-11-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\",\"AADServicePrincipalSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ec21493c-2684-4acd-9bc2-696dbad72426\",\"name\":\"ec21493c-2684-4acd-9bc2-696dbad72426\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.0\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation of extracted domains\\nlet list_tlds = ThreatIntelligenceIndicator\\n | where TimeGenerated \u003e ago(ioc_lookBack)\\n | where isnotempty(DomainName)\\n | extend DomainName = tolower(DomainName)\\n | extend parts = split(DomainName, \u0027.\u0027)\\n | extend tld = parts[(array_length(parts)-1)]\\n | summarize count() by tostring(tld)\\n | summarize make_list(tld);\\n ThreatIntelligenceIndicator\\n | where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n | where Active == true\\n // Picking up only IOC\u0027s that contain the entities we want\\n | where isnotempty(DomainName)\\n // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n | join kind=innerunique (\\n CommonSecurityLog\\n | extend IngestionTime = ingestion_time()\\n | where IngestionTime \u003e ago(dt_lookBack)\\n | where DeviceVendor =~ \u0027Palo Alto Networks\u0027\\n | where DeviceEventClassID =~ \u0027url\u0027\\n //Uncomment the line below to only alert on allowed connections\\n //| where DeviceAction !~ \\\"block-url\\\"\\n //Extract domain from RequestURL, if not present extarct it from AdditionalExtentions\\n | extend PA_Url = columnifexists(\\\"RequestURL\\\", \\\"None\\\")\\n | extend PA_Url = iif(isempty(PA_Url) and AdditionalExtensions !startswith \\\"PanOS\\\", extract(\\\"([^\\\\\\\"]+)\\\", 1, tolower(AdditionalExtensions)), trim(\u0027\\\"\u0027, PA_Url))\\n | extend PA_Url = iif(PA_Url !startswith \\\"http://\\\" and ApplicationProtocol !~ \\\"ssl\\\", strcat(\u0027http://\u0027, PA_Url), iif(PA_Url !startswith \\\"https://\\\" and ApplicationProtocol =~ \\\"ssl\\\", strcat(\u0027https://\u0027, PA_Url), PA_Url))\\n | extend Domain = trim(@\\\"\\\"\\\"\\\",tostring(parse_url(PA_Url).Host))\\n | where isnotempty(Domain)\\n | extend Domain = tolower(Domain)\\n | extend parts = split(Domain, \u0027.\u0027)\\n //Split out the TLD for the purpose of checking if we have any TI indicators with this TLD to match on\\n | extend tld = parts[(array_length(parts)-1)]\\n //Validate parsed domain by checking TLD against TLDs from threat feed and drop domains where there is no chance of a match\\n | where tld in~ (list_tlds)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n ) on $left.DomainName==$right.Domain\\n | where CommonSecurityLog_TimeGenerated \u003c ExpirationDateTime\\n | summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, Domain\\n | project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, PA_Url, Domain, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, \\n DeviceAction, DestinationIP, DestinationPort, DeviceName, SourceIP, SourcePort, ApplicationProtocol, RequestMethod\\n | extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, URLCustomEntity = PA_Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map Domain entity to PaloAlto\",\"description\":\"Identifies a match in Palo Alto data in CommonSecurityLog table from any Domain IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/caf78b95-d886-4ac3-957a-a7a3691ff4ed\",\"name\":\"caf78b95-d886-4ac3-957a-a7a3691ff4ed\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT12H\",\"queryPeriod\":\"PT12H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Tarrask.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, SourceUserID, FileHash, Type\\n| extend timestamp = TimeGenerated, FileHashCustomEntity = \u0027SHA256\u0027, Account = SourceUserID\\n),\\n(imFileEvent\\n| where TargetFileSHA256 has_any (sha256Hashes)\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Image = EventDetail.[4].[\\\"#text\\\"], CommandLine = EventDetail.[10].[\\\"#text\\\"], Hashes = tostring(EventDetail.[17].[\\\"#text\\\"])\\n| extend Hashes = extract_all(@\\\"(?P\u003ckey\u003e\\\\w+)=(?P\u003cvalue\u003e[a-zA-Z0-9]+)\\\", dynamic([\\\"key\\\",\\\"value\\\"]), Hashes)\\n| extend Hashes = column_ifexists(\\\"Hashes\\\", \\\"\\\"), CommandLine = column_ifexists(\\\"CommandLine\\\", \\\"\\\")\\n| where (Hashes has_any (sha256Hashes) ) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, Hashes, CommandLine, Image\\n| extend Type = strcat(Type, \\\": \\\", Source)\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), FileHashCustomEntity = Hashes\\n),\\n(DeviceEvents\\n| where InitiatingProcessSHA256 has_any (sha256Hashes) or SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n),\\n(DeviceFileEvents\\n| where SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n),\\n(DeviceImageLoadEvents\\n| where SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Tarrask malware IOC - April 2022\",\"description\":\"Identifies a hash match related to Tarrask malware across various data sources.\\n Reference: https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/\",\"lastUpdatedDateUTC\":\"2022-04-12T00:00:00Z\",\"createdDateUTC\":\"2022-01-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\",\"DeviceEvents\",\"DeviceImageLoadEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2560515c-07d1-434e-87fb-ebe3af267760\",\"name\":\"2560515c-07d1-434e-87fb-ebe3af267760\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where ActivityDisplayName has_any (\\\"Add delegated permission grant\\\",\\\"Add app role assignment to service principal\\\")\\n| where Result =~ \\\"success\\\"\\n| where tostring(InitiatedBy.user.userPrincipalName) has \\\"@\\\" or tostring(InitiatedBy.app.displayName) has \\\"@\\\"\\n| extend props = parse_json(tostring(TargetResources[0].modifiedProperties))\\n| mv-expand props\\n| extend UserAgent = tostring(AdditionalDetails[0].value)\\n| extend InitiatingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n| extend UserIPAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n| extend DisplayName = tostring(props.displayName)\\n| extend Permissions = tostring(parse_json(tostring(props.newValue)))\\n| where Permissions has_any (\\\"Mail.Read\\\", \\\"Mail.ReadWrite\\\")\\n| extend PermissionsAddedTo = tostring(TargetResources[0].displayName)\\n| extend Type = tostring(TargetResources[0].type)\\n| project-away props\\n| join kind=leftouter(\\n AuditLogs\\n | where ActivityDisplayName has \\\"Consent to application\\\"\\n | extend AppName = tostring(TargetResources[0].displayName)\\n | extend AppId = tostring(TargetResources[0].id)\\n | project AppName, AppId, CorrelationId) on CorrelationId\\n| project-reorder TimeGenerated, OperationName, InitiatingUser, UserIPAddress, UserAgent, PermissionsAddedTo, Permissions, AppName, AppId, CorrelationId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingUser, IPCustomEntity = UserIPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Mail.Read Permissions Granted to Application\",\"description\":\"This query look for applications that have been granted (Delegated or App/Role) permissions to Read Mail (Permissions field has Mail.Read) and subsequently has been consented to. This can help identify applications that have been abused to gain access to mailboxes.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/532c1811-79ee-4d9f-8d4d-6304c840daa1\",\"name\":\"532c1811-79ee-4d9f-8d4d-6304c840daa1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Azure Active Directory Identity Protection\",\"displayName\":\"Create incidents based on Azure Active Directory Identity Protection alerts\",\"description\":\"Create incidents based on all alerts generated in Azure Active Directory Identity Protection\",\"lastUpdatedDateUTC\":\"2019-07-16T00:00:00Z\",\"createdDateUTC\":\"2019-07-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectoryIdentityProtection\",\"dataTypes\":[\"SecurityAlert (IPC)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bb616d82-108f-47d3-9dec-9652ea0d3bf6\",\"name\":\"bb616d82-108f-47d3-9dec-9652ea0d3bf6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"let queryfrequency = 1h;\\nlet queryperiod = 1d;\\nAuditLogs\\n| where TimeGenerated \u003e ago(queryfrequency)\\n| where OperationName =~ \\\"Delete user\\\"\\n//extend UserPrincipalName = tostring(TargetResources[0].userPrincipalName)\\n| extend UserPrincipalName = extract(@\u0027([a-f0-9]{32})?(.*)\u0027, 2, tostring(TargetResources[0].userPrincipalName))\\n| extend DeletedByUser = tostring(InitiatedBy.user.userPrincipalName), DeletedByIPAddress = tostring(InitiatedBy.user.ipAddress)\\n| extend DeletedByApp = tostring(InitiatedBy.app.displayName)\\n| project Deletion_TimeGenerated = TimeGenerated, UserPrincipalName, DeletedByUser, DeletedByIPAddress, DeletedByApp, Deletion_AdditionalDetails = AdditionalDetails, Deletion_InitiatedBy = InitiatedBy, Deletion_TargetResources = TargetResources\\n| join kind=inner (\\n AuditLogs\\n | where TimeGenerated \u003e ago(queryperiod)\\n | where OperationName =~ \\\"Add user\\\"\\n | extend UserPrincipalName = tostring(TargetResources[0].userPrincipalName)\\n | project-rename Creation_TimeGenerated = TimeGenerated\\n) on UserPrincipalName\\n| extend TimeDelta = Deletion_TimeGenerated - Creation_TimeGenerated\\n| where TimeDelta between (time(0s) .. queryperiod)\\n| extend CreatedByUser = tostring(InitiatedBy.user.userPrincipalName), CreatedByIPAddress = tostring(InitiatedBy.user.ipAddress)\\n| extend CreatedByApp = tostring(InitiatedBy.app.displayName)\\n| project Creation_TimeGenerated, Deletion_TimeGenerated, TimeDelta, UserPrincipalName, DeletedByUser, DeletedByIPAddress, DeletedByApp, CreatedByUser, CreatedByIPAddress, CreatedByApp, Creation_AdditionalDetails = AdditionalDetails, Creation_InitiatedBy = InitiatedBy, Creation_TargetResources = TargetResources, Deletion_AdditionalDetails, Deletion_InitiatedBy, Deletion_TargetResources\\n| extend timestamp = Deletion_TimeGenerated, CustomAccountEntity = UserPrincipalName, IPCustomEntity = DeletedByIPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CustomAccountEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Account Created and Deleted in Short Timeframe\",\"description\":\"Search for user principal name (UPN) events. Look for accounts created and then deleted in under 24 hours. Attackers may create an account for their use, and then remove the account when no longer needed.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#short-lived-account\",\"lastUpdatedDateUTC\":\"2022-01-17T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a0907abe-6925-4d90-af2b-c7e89dc201a6\",\"name\":\"a0907abe-6925-4d90-af2b-c7e89dc201a6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P10D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let starttime = 10d;\\nlet endtime = 1d;\\nlet threshold = 100;\\nlet nxDomainDnsEvents = DnsEvents \\n| where ResultCode == 3 \\n| where QueryType in (\\\"A\\\", \\\"AAAA\\\")\\n| where ipv4_is_match(\\\"127.0.0.1\\\", ClientIP) == False\\n| where Name !contains \\\"/\\\"\\n| where Name contains \\\".\\\";\\nnxDomainDnsEvents\\n| where TimeGenerated \u003e ago(endtime)\\n| extend sld = tostring(split(Name, \\\".\\\")[-2])\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), dcount(sld) by ClientIP\\n| where dcount_sld \u003e threshold\\n// Filter out previously seen IPs\\n| join kind=leftanti (nxDomainDnsEvents\\n | where TimeGenerated between(ago(starttime)..ago(endtime))\\n | extend sld = tostring(split(Name, \\\".\\\")[-2])\\n | summarize dcount(sld) by ClientIP\\n | where dcount_sld \u003e threshold ) on ClientIP\\n// Pull out sample NXDomain responses for those remaining potentially infected IPs\\n| join kind = inner (nxDomainDnsEvents | summarize by Name, ClientIP) on ClientIP\\n| summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), sampleNXDomainList=make_list(Name, 100) by ClientIP, dcount_sld\\n| extend timestamp = StartTimeUtc, IPCustomEntity = ClientIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Potential DGA detected\",\"description\":\"Identifies clients with a high NXDomain count which could be indicative of a DGA (cycling through possible C2 domains\\nwhere most C2s are not live). Alert is generated when a new IP address is seen (based on not being seen associated with \\nNXDomain records in prior 10-day baseline period).\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ef895ada-e8e8-4cf0-9313-b1ab67fab69f\",\"name\":\"ef895ada-e8e8-4cf0-9313-b1ab67fab69f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let known_locations =\\n union isfuzzy=True AADNonInteractiveUserSignInLogs, SigninLogs\\n | where TimeGenerated between(ago(14d)..ago(1d))\\n | where ResultType == 0\\n | summarize by Location;\\n union isfuzzy=True AADNonInteractiveUserSignInLogs, SigninLogs\\n | where TimeGenerated \u003e ago(1d)\\n | where ResultType != 50126\\n | where Location !in (known_locations)\\n | extend LocationDetails_dynamic = column_ifexists(\\\"LocationDetails_dynamic\\\", \\\"\\\")\\n | extend DeviceDetail_dynamic = column_ifexists(\\\"DeviceDetail_dynamic\\\", \\\"\\\")\\n | extend LocationDetails = iif(isnotempty(LocationDetails_dynamic), LocationDetails_dynamic, parse_json(LocationDetails_string))\\n | extend DeviceDetail = iif(isnotempty(DeviceDetail_dynamic), DeviceDetail_dynamic, parse_json(DeviceDetail_string))\\n | extend City = tostring(LocationDetails.city)\\n | extend State = tostring(LocationDetails.state)\\n | extend Place = strcat(City, \\\" - \\\", State)\\n | extend DeviceId = tostring(DeviceDetail.deviceId)\\n | extend Result = strcat(tostring(ResultType), \\\" - \\\", ResultDescription)\\n | summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated), make_set(Result), make_set(IPAddress), make_set(UserAgent), make_set(Place), make_set(DeviceId) by UserPrincipalName, Location, Category\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Authentication Attempt from New Country\",\"description\":\"Detects when there is a log in attempt from a country that has not seen a successful login in the previous 14 days.\\n Threat actors may attempt to authenticate with credentials from compromised accounts - monitoring attempts from anomalous locations may help identify these attempts.\\n Authentication attempts should be investigated to ensure the activity was legitimate and if there is other similar activity.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\",\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9713e3c0-1410-468d-b79e-383448434b2d\",\"name\":\"9713e3c0-1410-468d-b79e-383448434b2d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n VMConnection\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n // renaming time column so it is clear the log this came from\\n | extend VMConnection_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.RemoteIp\\n| where VMConnection_TimeGenerated \u003c ExpirationDateTime\\n| summarize VMConnection_TimeGenerated = arg_max(VMConnection_TimeGenerated, *) by IndicatorId, RemoteIp\\n| project VMConnection_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, Computer, Direction, ProcessName, SourceIp, DestinationIp, RemoteIp, Protocol, DestinationPort, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = VMConnection_TimeGenerated, IPCustomEntity = RemoteIp, HostCustomEntity = Computer, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to VMConnection\",\"description\":\"Identifies a match in VMConnection from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/017e095a-94d8-430c-a047-e51a11fb737b\",\"name\":\"017e095a-94d8-430c-a047-e51a11fb737b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let domains =\\n SigninLogs\\n | where ResultType == 0\\n | extend domain = split(UserPrincipalName, \\\"@\\\")[1]\\n | extend domain = tostring(split(UserPrincipalName, \\\"@\\\")[1])\\n | summarize by tolower(tostring(domain));\\n AuditLogs\\n | where Category =~ \\\"ApplicationManagement\\\"\\n | where Result =~ \\\"success\\\"\\n | where OperationName =~ \u0027Update Application\u0027\\n | mv-expand TargetResources\\n | mv-expand TargetResources.modifiedProperties\\n | where TargetResources_modifiedProperties.displayName =~ \\\"AppAddress\\\"\\n | extend Key = tostring(TargetResources_modifiedProperties.displayName)\\n | extend NewValue = TargetResources_modifiedProperties.newValue\\n | extend OldValue = TargetResources_modifiedProperties.oldValue\\n | where isnotempty(Key) and isnotempty(NewValue)\\n | project-reorder Key, NewValue, OldValue\\n | extend NewUrls = extract_all(\u0027\\\"Address\\\":([^,]*)\u0027, tostring(NewValue))\\n | extend OldUrls = extract_all(\u0027\\\"Address\\\":([^,]*)\u0027, tostring(OldValue))\\n | extend AddedUrls = set_difference(NewUrls, OldUrls)\\n | where array_length(AddedUrls) \u003e 0\\n | extend UserAgent = iif(tostring(AdditionalDetails[0].key) == \\\"User-Agent\\\", tostring(AdditionalDetails[0].value), \\\"\\\")\\n | extend AddingUser = iif(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)) , tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), \\\"\\\")\\n | extend AddingApp = iif(isnotempty(tostring(parse_json(tostring(InitiatedBy.app)).servicePrincipalName)) , tostring(parse_json(tostring(InitiatedBy.app)).servicePrincipalName), \\\"\\\")\\n | extend AddedBy = iif(isnotempty(AddingUser), AddingUser, AddingApp)\\n | project-away AddingApp, AddingUser\\n | extend AppDisplayName = tostring(TargetResources.displayName)\\n | extend ipAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n | where isnotempty(AddedUrls)\\n | mv-expand AddedUrls\\n | extend Domain = extract(\\\"^(?:https?:\\\\\\\\/\\\\\\\\/)?(?:[^@\\\\\\\\/\\\\\\\\n]+@)?(?:www\\\\\\\\.)?([^:\\\\\\\\/?\\\\\\\\n]+)/\\\", 1, replace_string(tolower(tostring(AddedUrls)), \u0027\\\"\u0027, \\\"\\\"))\\n | where isnotempty(Domain)\\n | extend Domain = strcat(split(Domain, \\\".\\\")[-2], \\\".\\\", split(Domain, \\\".\\\")[-1])\\n | where Domain !in (domains)\\n | project-reorder TimeGenerated, AppDisplayName, AddedUrls, AddedBy, UserAgent, ipAddress\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"AddedUrls\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddedBy\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ipAddress\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"URL Added to Application from Unknown Domain\",\"description\":\"Detects a URL being added to an application where the domain is not one that is associated with the tenant.\\n The query uses domains seen in sign in logs to determine if the domain is associated with the tenant.\\n Applications associated with URLs not controlled by the organization can pose a security risk.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-applications#application-configuration-changes\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b9e3b9f8-a406-4151-9891-e5ff1ddd8c1d\",\"name\":\"b9e3b9f8-a406-4151-9891-e5ff1ddd8c1d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"//Collect the alert events\\nlet alertData = SecurityAlert \\n| where DisplayName has \\\"Potential malware uploaded to\\\" \\n| extend Entities = parse_json(Entities) \\n| mv-expand Entities;\\n//Parse the IP address data\\nlet ipData = alertData \\n| where Entities[\u0027Type\u0027] =~ \\\"ip\\\" \\n| extend AttackerIP = tostring(Entities[\u0027Address\u0027]), AttackerCountry = tostring(Entities[\u0027Location\u0027][\u0027CountryName\u0027]);\\n//Parse the file data\\nlet FileData = alertData \\n| where Entities[\u0027Type\u0027] =~ \\\"file\\\" \\n| extend MaliciousFileDirectory = tostring(Entities[\u0027Directory\u0027]), MaliciousFileName = tostring(Entities[\u0027Name\u0027]), MaliciousFileHashes = tostring(Entities[\u0027FileHashes\u0027]);\\n//Combine the File and IP data together\\nipData \\n| join (FileData) on VendorOriginalId \\n| summarize by TimeGenerated, AttackerIP, AttackerCountry, DisplayName, ResourceId, AlertType, MaliciousFileDirectory, MaliciousFileName, MaliciousFileHashes\\n//Create a type column so we can track if it was a File storage or blobl storage upload \\n| extend type = iff(DisplayName has \\\"file\\\", \\\"File\\\", \\\"Blob\\\") \\n| join (\\n union\\n StorageFileLogs, \\n StorageBlobLogs \\n //File upload operations \\n | where OperationName =~ \\\"PutBlob\\\" or OperationName =~ \\\"PutRange\\\"\\n //Parse out the uploader IP \\n | extend ClientIP = tostring(split(CallerIpAddress, \\\":\\\", 0)[0])\\n //Extract the filename from the Uri \\n | extend FileName = extract(@\\\"\\\\/([\\\\w\\\\-. ]+)\\\\?\\\", 1, Uri)\\n //Base64 decode the MD5 filehash, we will encounter non-ascii hex so string operations don\u0027t work\\n //We can work around this by making it an array then converting it to hex from an int \\n | extend base64Char = base64_decode_toarray(ResponseMd5) \\n | mv-expand base64Char \\n | extend hexChar = tohex(toint(base64Char))\\n | extend hexChar = iff(strlen(hexChar) \u003c 2, strcat(\\\"0\\\", hexChar), hexChar) \\n | extend SourceTable = iff(OperationName has \\\"range\\\", \\\"StorageFileLogs\\\", \\\"StorageBlobLogs\\\") \\n | summarize make_list(hexChar) by CorrelationId, ResponseMd5, FileName, AccountName, TimeGenerated, RequestBodySize, ClientIP, SourceTable \\n | extend Md5Hash = strcat_array(list_hexChar, \\\"\\\")\\n //Pack the file information the summarise into a ClientIP row \\n | extend p = pack(\\\"FileName\\\", FileName, \\\"FileSize\\\", RequestBodySize, \\\"Md5Hash\\\", Md5Hash, \\\"Time\\\", TimeGenerated, \\\"SourceTable\\\", SourceTable) \\n | summarize UploadedFileInfo=make_list(p), FilesUploaded=count() by ClientIP \\n | join kind=leftouter (\\n union\\n StorageFileLogs,\\n StorageBlobLogs \\n | where OperationName =~ \\\"DeleteFile\\\" or OperationName =~ \\\"DeleteBlob\\\" \\n | extend ClientIP = tostring(split(CallerIpAddress, \\\":\\\", 0)[0]) \\n | extend FileName = extract(@\\\"\\\\/([\\\\w\\\\-. ]+)\\\\?\\\", 1, Uri) \\n | extend SourceTable = iff(OperationName has \\\"range\\\", \\\"StorageFileLogs\\\", \\\"StorageBlobLogs\\\") \\n | extend p = pack(\\\"FileName\\\", FileName, \\\"Time\\\", TimeGenerated, \\\"SourceTable\\\", SourceTable) \\n | summarize DeletedFileInfo=make_list(p), FilesDeleted=count() by ClientIP\\n ) on ClientIP\\n ) on $left.AttackerIP == $right.ClientIP \\n| mvexpand UploadedFileInfo \\n| extend LinkedMaliciousFileName = UploadedFileInfo.FileName \\n| extend LinkedMaliciousFileHash = UploadedFileInfo.Md5Hash \\n| project AlertTimeGenerated = TimeGenerated, tostring(LinkedMaliciousFileName), tostring(LinkedMaliciousFileHash), AlertType, AttackerIP, AttackerCountry, MaliciousFileDirectory, MaliciousFileName, FilesUploaded, UploadedFileInfo \\n| extend FileHashCustomEntity = LinkedMaliciousFileName, HashAlgorithm = \\\"MD5\\\", IPCustomEntity = AttackerIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"HashAlgorithm\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"Exfiltration\"],\"displayName\":\"Linked Malicious Storage Artifacts\",\"description\":\"An IP address which uploaded malicious content to an Azure Blob or File Storage container (triggering a malware alert) also uploaded additional files.\",\"lastUpdatedDateUTC\":\"2022-01-16T00:00:00Z\",\"createdDateUTC\":\"2021-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftCloudAppSecurity\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c7cd6073-6d2c-4284-a5c8-da27605bdfde\",\"name\":\"c7cd6073-6d2c-4284-a5c8-da27605bdfde\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"let lbtime = 10m;\\nProofpointPOD\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027inbound\u0027\\n| where FilterDisposition !in (\u0027reject\u0027, \u0027discard\u0027)\\n| where FilterModulesSpamScoresOverall == \u0027100\u0027\\n| project SrcUserUpn, DstUserUpn\\n| extend AccountCustomEntity = SrcUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"ProofpointPOD - High risk message not discarded\",\"description\":\"Detects when email with high risk score was not rejected or discarded by filters.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c87fb346-ea3a-4c64-ba92-3dd383e0f0b5\",\"name\":\"c87fb346-ea3a-4c64-ba92-3dd383e0f0b5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"High\",\"query\":\"let DomainNames = \\\"miniodaum.ml\\\";\\nlet SHA256Hash = dynamic ([\\\"53f5773bbfbfbee660989d135c042c9f6f69024b9a4b65bdc0dfd44771762257\\\", \\\"0897c80df8b80b4c49bf1ccf876f5f782849608b830c3b5cb3ad212dc3e19eff\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where isnotempty(FileHash)\\n| where FileHash in (SHA256Hash) or DNSName =~ DomainNames\\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n),\\n (_Im_Dns (domain_has_any=DomainNames)\\n| extend DNSName = DnsQuery \\n| extend IPAddress = SrcIpAddr, Computer = Dvc\\n), \\n(_Im_WebSession(url_has_any=DomainNames) \\n| extend DNSName = tostring(parse_url(Url)[\\\"Host\\\"])\\n| extend IPAddress = SrcIpAddr, Account=User\\n),\\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where isnotempty(DNSName)\\n| where DNSName =~ DomainNames\\n| extend IPAddress = RemoteIp\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPAddress = SourceHost\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"CredentialAccess\"],\"displayName\":\"Known CERIUM domains and hashes\",\"description\":\"CERIUM malicious webserver and hash values for maldocs and malware. \\n Matches domain name IOCs related to the CERIUM activity group with CommonSecurityLog, DnsEvents, and VMConnection dataTypes.\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2020-10-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/712fab52-2a7d-401e-a08c-ff939cc7c25e\",\"name\":\"712fab52-2a7d-401e-a08c-ff939cc7c25e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(Url)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n AuditLogs\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n // Extract the URL that is contained within the JSON data\\n | extend Url = extract(\\\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.\u0026+]|[!*\\\\\\\\(\\\\\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+);\\\", 1,tostring(TargetResources))\\n | where isnotempty(Url)\\n | extend userPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend TargetResourceDisplayName = tostring(TargetResources[0].displayName)\\n | extend Audit_TimeGenerated = TimeGenerated\\n) on Url\\n| where Audit_TimeGenerated \u003c ExpirationDateTime\\n| summarize Audit_TimeGenerated = arg_max(Audit_TimeGenerated, *) by IndicatorId, Url\\n| project Audit_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore,\\nOperationName, Identity, userPrincipalName, TargetResourceDisplayName, Url\\n| extend timestamp = Audit_TimeGenerated, AccountCustomEntity = userPrincipalName, HostCustomEntity = TargetResourceDisplayName, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map URL entity to AuditLogs\",\"description\":\"Identifies a match in AuditLogs from any URL IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ab4b6944-a20d-42ab-8b63-238426525801\",\"name\":\"ab4b6944-a20d-42ab-8b63-238426525801\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let domains = dynamic([\\\"incomeupdate.com\\\",\\\"zupertech.com\\\",\\\"databasegalore.com\\\",\\\"panhardware.com\\\",\\\"avsvmcloud.com\\\",\\\"digitalcollege.org\\\",\\\"freescanonline.com\\\",\\\"deftsecurity.com\\\",\\\"thedoccloud.com\\\",\\\"virtualdataserver.com\\\",\\\"lcomputers.com\\\",\\\"webcodez.com\\\",\\\"globalnetworkissues.com\\\",\\\"kubecloud.com\\\",\\\"seobundlekit.com\\\",\\\"solartrackingsystem.net\\\",\\\"virtualwebdata.com\\\"]);\\nlet timeframe = 1h;\\nlet connections = VMConnection \\n | where TimeGenerated \u003e= ago(timeframe)\\n | extend DNSName = set_union(todynamic(RemoteDnsCanonicalNames),todynamic(RemoteDnsQuestions))\\n | mv-expand DNSName\\n | where isnotempty(DNSName)\\n | where DNSName has_any (domains)\\n | extend IPCustomEntity = RemoteIp\\n | summarize TimeGenerated = arg_min(TimeGenerated, *), requests = count() by IPCustomEntity, DNSName = tostring(DNSName), AgentId, Machine, Process;\\nlet processes = VMProcess\\n | where TimeGenerated \u003e= ago(timeframe)\\n | project AgentId, Machine, Process, UserName, UserDomain, ExecutablePath, CommandLine, FirstPid\\n | extend exePathArr = split(ExecutablePath, \\\"\\\\\\\\\\\")\\n | extend DirectoryName = array_strcat(array_slice(exePathArr, 0, array_length(exePathArr) - 2), \\\"\\\\\\\\\\\")\\n | extend Filename = array_strcat(array_slice(exePathArr, array_length(exePathArr) - 1, array_length(exePathArr)), \\\"\\\\\\\\\\\")\\n | project-away exePathArr;\\nlet computers = VMComputer\\n | where TimeGenerated \u003e= ago(timeframe)\\n | project HostCustomEntity = HostName, AzureResourceId = _ResourceId, AgentId, Machine;\\nconnections | join kind = inner (processes) on AgentId, Machine, Process\\n | join kind = inner (computers) on AgentId, Machine\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"DNSName\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"FirstPid\"},{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLine\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Directory\",\"columnName\":\"DirectoryName\"},{\"identifier\":\"Name\",\"columnName\":\"Filename\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Solorigate Domains Found in VM Insights\",\"description\":\"Identifies connections to Solorigate-related DNS records based on VM insights data\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMProcess\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMComputer\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1ce5e766-26ab-4616-b7c8-3b33ae321e80\",\"name\":\"1ce5e766-26ab-4616-b7c8-3b33ae321e80\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"//Adjust this threshold to fit environment\\nlet signin_threshold = 5; \\n//Make a list of IPs with failed Windows host logins above threshold\\nlet win_fails = \\nSecurityEvent\\n| where EventID == 4625\\n| where LogonType in (10, 7, 3)\\n| where IpAddress != \\\"-\\\"\\n| summarize count() by IpAddress\\n| where count_ \u003e signin_threshold\\n| summarize make_list(IpAddress);\\nlet wef_fails =\\nWindowsEvent\\n| where EventID == 4625\\n| extend LogonType = tostring(EventData.LogonType)\\n| where LogonType in (10, 7, 3)\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| where IpAddress != \\\"-\\\"\\n| summarize count() by IpAddress\\n| where count_ \u003e signin_threshold\\n| summarize make_list(IpAddress);\\n//Make a list of IPs with failed *nix host logins above threshold\\nlet nix_fails = \\nSyslog\\n| where Facility contains \u0027auth\u0027 and ProcessName != \u0027sudo\u0027\\n| extend SourceIP = extract(\\\"(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.(([0-9]{1,3})))\\\",1,SyslogMessage)\\n| where SourceIP != \\\"\\\" and SourceIP != \\\"127.0.0.1\\\"\\n| summarize count() by SourceIP\\n| where count_ \u003e signin_threshold\\n| summarize make_list(SourceIP);\\n//See if any of the IPs with failed host logins hve had a sucessful Azure AD login\\nlet aadFunc = (tableName:string){\\ntable(tableName)\\n| where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n| where IPAddress in (win_fails) or IPAddress in (nix_fails) or IPAddress in (wef_fails)\\n| extend Reason= \\\"Multiple failed host logins from IP address with successful Azure AD login\\\"\\n| extend timstamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress, Type = Type\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"Failed host logons but success logon to AzureAD\",\"description\":\"Identifies a list of IP addresses with a minimum number(default of 5) of failed logon attempts to remote hosts.\\nUses that list to identify any successful logons to Azure Active Directory from these IPs within the same timeframe.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2019-08-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/28b42356-45af-40a6-a0b4-a554cdfd5d8a\",\"name\":\"28b42356-45af-40a6-a0b4-a554cdfd5d8a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"Medium\",\"query\":\"let timeRange = 24h;\\nlet failureCountThreshold = 5;\\nlet authenticationWindow = 20m;\\nlet aadFunc = (tableName:string){\\n table(tableName)\\n| where AppDisplayName has \\\"Azure Portal\\\"\\n| extend\\n DeviceDetail = todynamic(DeviceDetail),\\n //Status = todynamic(Status),\\n LocationDetails = todynamic(LocationDetails)\\n| extend\\n OS = tostring(DeviceDetail.operatingSystem),\\n Browser = tostring(DeviceDetail.browser),\\n //StatusCode = tostring(Status.errorCode),\\n //StatusDetails = tostring(Status.additionalDetails),\\n State = tostring(LocationDetails.state),\\n City = tostring(LocationDetails.city),\\n Region = tostring(LocationDetails.countryOrRegion)\\n// Split out failure versus non-failure types\\n| extend FailureOrSuccess = iff(ResultType in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\", \\\"70043\\\", \\\"70044\\\"), \\\"Success\\\", \\\"Failure\\\") \\n// bin outcomes based on authenticationWindow\\n| summarize take_anyif(UserPrincipalName, not(UserPrincipalName matches regex @\\\"[a-f\\\\d]+\\\\-[a-f\\\\d]+\\\\-[a-f\\\\d]+\\\\-[a-f\\\\d]+\\\\-[a-f\\\\d]+\\\")),\\n take_anyif(UserDisplayName, isnotempty(UserDisplayName)), FailureOrSuccessCount = count() by FailureOrSuccess, UserId, UserDisplayName, AppDisplayName, IPAddress, Browser, OS, State, City, Region, Type, CorrelationId, bin(TimeGenerated, authenticationWindow), ResultType\\n// sort for sessionizing - by UserPrincipalName and time of the authentication outcome\\n| sort by UserPrincipalName asc, TimeGenerated asc\\n| serialize \\n// sessionize into failure groupings until either the account changes or there is a success\\n| extend SessionStartedUtc = row_window_session(TimeGenerated, timeRange, authenticationWindow, UserPrincipalName != prev(UserPrincipalName) or prev(FailureOrSuccess) == \\\"Success\\\")\\n// count the failures in each session\\n| summarize FailureCountBeforeSuccess=sumif(FailureOrSuccessCount, FailureOrSuccess == \\\"Failure\\\"), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), makelist(FailureOrSuccess), IPAddress = make_set(IPAddress), make_set(Browser), make_set(City), make_set(State), make_set(Region), make_set(ResultType) by SessionStartedUtc, UserPrincipalName, CorrelationId, AppDisplayName, UserId, Type\\n// the session must not start with a success, and must end with one\\n| where array_index_of(list_FailureOrSuccess, \\\"Success\\\") != 0\\n| where array_index_of(list_FailureOrSuccess, \\\"Success\\\") == array_length(list_FailureOrSuccess) - 1\\n| project-away SessionStartedUtc, list_FailureOrSuccess\\n// where the number of failures before the success is above the threshold \\n| where FailureCountBeforeSuccess \u003e= failureCountThreshold \\n// expand out ip for entity assignment\\n| mv-expand IPAddress\\n| extend IPAddress = tostring(IPAddress)\\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \\n};\\n let aadSignin = aadFunc(\\\"SigninLogs\\\");\\n let aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\n union isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Brute force attack against Azure Portal\",\"description\":\"Identifies evidence of brute force activity against Azure Portal by highlighting multiple authentication failures \\nand by a successful authentication within a given time window. \\nDefault Failure count is 5 and default Time Window is 20 minutes.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2019-04-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/23de46ea-c425-4a77-b456-511ae4855d69\",\"name\":\"23de46ea-c425-4a77-b456-511ae4855d69\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Low\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\n// The number of operations below which an IP address is considered an unusual source of role assignment operations\\nlet alertOperationThreshold = 5;\\nlet SensitiveOperationList = dynamic([\\\"microsoft.compute/snapshots/write\\\", \\\"microsoft.network/networksecuritygroups/write\\\", \\\"microsoft.storage/storageaccounts/listkeys/action\\\"]);\\nlet SensitiveActivity = AzureActivity\\n| where OperationNameValue in~ (SensitiveOperationList) or OperationNameValue hassuffix \\\"listkeys/action\\\"\\n| where ActivityStatusValue =~ \\\"Success\\\";\\nSensitiveActivity\\n| where TimeGenerated between (ago(starttime) .. ago(endtime))\\n| summarize count() by CallerIpAddress, Caller, OperationNameValue\\n| where count_ \u003e= alertOperationThreshold\\n| join kind = rightanti ( \\nSensitiveActivity\\n| where TimeGenerated \u003e= ago(endtime)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = makelist(TimeGenerated), ActivityStatusValue = makelist(ActivityStatusValue), \\nOperationIds = makelist(OperationId), CorrelationIds = makelist(CorrelationId), Resources = makelist(Resource), ResourceGroups = makelist(ResourceGroup), ResourceIds = makelist(ResourceId), ActivityCountByCallerIPAddress = count() \\nby CallerIpAddress, Caller, OperationNameValue\\n) on CallerIpAddress, Caller, OperationNameValue\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\",\"Persistence\"],\"displayName\":\"Rare subscription-level operations in Azure\",\"description\":\"This query looks for a few sensitive subscription-level events based on Azure Activity Logs. \\n For example this monitors for the operation name \u0027Create or Update Snapshot\u0027 which is used for creating backups but could be misused by attackers \\n to dump hashes or extract sensitive information from the disk.\",\"lastUpdatedDateUTC\":\"2022-03-15T00:00:00Z\",\"createdDateUTC\":\"2019-08-23T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/84cf1d59-f620-4fee-b569-68daf7008b7b\",\"name\":\"84cf1d59-f620-4fee-b569-68daf7008b7b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let threshold = 10;\\nQualysHostDetection_CL\\n| mv-expand todynamic(Detections_s)\\n| extend Status = tostring(Detections_s.Status), Vulnerability = tostring(Detections_s.Results), Severity = tostring(Detections_s.Severity)\\n| where Status =~ \\\"New\\\" and Severity == \\\"5\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), dcount(NetBios_s) by tostring(Detections_s.QID)\\n| where dcount_NetBios_s \u003e= threshold\\n| extend timestamp = StartTime\",\"entityMappings\":[],\"tactics\":[\"InitialAccess\"],\"displayName\":\"New High Severity Vulnerability Detected Across Multiple Hosts\",\"description\":\"This creates an incident when a new high severity vulnerability is detected across multilple hosts\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"QualysVulnerabilityManagement\",\"dataTypes\":[\"QualysHostDetection_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bc5ffe2a-84d6-48fe-bc7b-1055100469bc\",\"name\":\"bc5ffe2a-84d6-48fe-bc7b-1055100469bc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"High\",\"query\":\"let SunburstMD5=dynamic([\\\"b91ce2fa41029f6955bff20079468448\\\",\\\"02af7cec58b9a5da1c542b5a32151ba1\\\",\\\"2c4a910a1299cdae2a4e55988a2f102e\\\",\\\"846e27a652a5e1bfbd0ddd38a16dc865\\\",\\\"4f2eb62fa529c0283b28d05ddd311fae\\\"]);\\nlet SupernovaMD5=\\\"56ceb6d0011d87b6e4d7023d7ef85676\\\";\\nimFileEvent\\n| where TargetFileMD5 in(SunburstMD5) or TargetFileMD5 in(SupernovaMD5)\\n| extend\\n timestamp = TimeGenerated,\\n AccountCustomEntity = User, \\n HostCustomEntity = DvcHostname,\\n FileHashCustomEntity = TargetFileMD5,\\n AlgorithmCustomEntity = \\\"MD5\\\"\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Execution\",\"Persistence\",\"InitialAccess\"],\"displayName\":\"SUNBURST and SUPERNOVA backdoor hashes (Normalized File Events)\",\"description\":\"Identifies SolarWinds SUNBURST and SUPERNOVA backdoor file hash IOCs in File Events\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimFileEvent)\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2020-12-15T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8cbc3215-fa58-4bd6-aaaa-f0029c351730\",\"name\":\"8cbc3215-fa58-4bd6-aaaa-f0029c351730\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"AlertPerResult\"},\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let threatCategory=\\\"Cryptominer\\\";\\nlet knownUserAgentsIndicators = materialize(externaldata(UserAgent:string, Category:string)\\n [ @\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/UnusualUserAgents.csv\\\"] \\n with(format=\\\"csv\\\", ignoreFirstRecord=True));\\nlet knownUserAgents=toscalar(knownUserAgentsIndicators | where Category==threatCategory | where isnotempty(UserAgent) | summarize make_list(UserAgent));\\nlet customUserAgents=toscalar(_GetWatchlist(\\\"UnusualUserAgents\\\") | where SearchKey==threatCategory | extend UserAgent=column_ifexists(\\\"UserAgent\\\",\\\"\\\") | where isnotempty(UserAgent) | summarize make_list(UserAgent));\\nlet fullUAList = array_concat(knownUserAgents,customUserAgents);\\n_Im_WebSession(httpuseragent_has_any=fullUAList)\\n| summarize N_Events=count() by SrcIpAddr, Url, TimeGenerated,HttpUserAgent, SrcUsername\",\"customDetails\":{\"UserAgent\":\"HttpUserAgent\"},\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"SrcUsername\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"The host {{SrcIpAddr}} is potentially running a crypto miner\",\"alertDescriptionFormat\":\"The host at address {{SrcIpAddr}} sent an HTTP request to the URL {{Url}} with the HTTP user agent header {{HttpUserAgent}}. This user agent is known to be used by crypto miners and indicates crypto mining activity on the client.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"CommandAndControl\"],\"displayName\":\"A host is potentially running a crypto miner (ASIM Web Session schema)\",\"description\":\"This rule identifies a web request with a user agent header known to belong to a crypto miner. This indicates a crypto miner may have infected the client machine.\u003cbr\u003eYou can add custom crypto mining indicating User-Agent headers using a watchlist, for more information refer to the [UnusualUserAgents Watchlist](https://aka.ms/ASimUnusualUserAgentsWatchlist).\u003cbr\u003e\u003cbr\u003e This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema)\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2021-12-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/24f8c234-d1ff-40ec-8b73-96b17a3a9c1c\",\"name\":\"24f8c234-d1ff-40ec-8b73-96b17a3a9c1c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Low\",\"query\":\"let EventCountThreshold = 25;\\n// To avoid any False Positives, filtering using AppId is recommended.\\n// For example the AppId 509e4652-da8d-478d-a730-e9d4a1996ca4 has been added in the query as it corresponds \\n// to Azure Resource Graph performing VaultGet operations for indexing and syncing all tracked resources across Azure.\\n// The AppId 8cae6e77-e04e-42ce-b5cb-50d82bce26b1 has been added as it correspond to Microsoft Policy Insights Provider Data Plane performing VaultGet operations for policies checks.\\nlet Allowedappid = dynamic([\\\"509e4652-da8d-478d-a730-e9d4a1996ca4\\\",\\\"8cae6e77-e04e-42ce-b5cb-50d82bce26b1\\\"]);\\nlet OperationList = dynamic(\\n[\\\"SecretGet\\\", \\\"KeyGet\\\", \\\"VaultGet\\\"]);\\nAzureDiagnostics\\n| where not((identity_claim_appid_g in (Allowedappid)) and OperationName == \u0027VaultGet\u0027)\\n| extend ResultType = columnifexists(\\\"ResultType\\\", \\\"None\\\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \\\"None\\\" and isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\\n| where ResourceType =~ \\\"VAULTS\\\" and ResultType =~ \\\"Success\\\"\\n| where OperationName in (OperationList) \\n| summarize count() by identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, OperationName\\n| where count_ \u003e EventCountThreshold \\n| join (\\nAzureDiagnostics\\n| where not((identity_claim_appid_g in (Allowedappid)) and OperationName == \u0027VaultGet\u0027)\\n| extend ResultType = columnifexists(\\\"ResultType\\\", \\\"NoResultType\\\")\\n| extend requestUri_s = columnifexists(\\\"requestUri_s\\\", \\\"None\\\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"None\\\")\\n| extend id_s = columnifexists(\\\"id_s\\\", \\\"None\\\"), CallerIPAddress = columnifexists(\\\"CallerIPAddress\\\", \\\"None\\\"), clientInfo_s = columnifexists(\\\"clientInfo_s\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \\\"None\\\" and isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\\n| where id_s !~ \\\"None\\\" and isnotempty(id_s)\\n| where CallerIPAddress !~ \\\"None\\\" and isnotempty(CallerIPAddress)\\n| where clientInfo_s !~ \\\"None\\\" and isnotempty(clientInfo_s)\\n| where requestUri_s !~ \\\"None\\\" and isnotempty(requestUri_s)\\n| where OperationName in~ (OperationList) \\n) on identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g \\n| summarize EventCount=sum(count_), StartTimeUtc=min(TimeGenerated), EndTimeUtc=max(TimeGenerated), TimeTriggered=makelist(TimeGenerated),OperationNameList=make_set(OperationName), RequestURLList=make_set(requestUri_s), CallerIPList = make_set(CallerIPAddress), CallerIPMax= arg_max(CallerIPAddress,*) by ResourceType, ResultType, Resource, id_s, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, clientInfo_s\\n| extend timestamp = EndTimeUtc, IPCustomEntity = CallerIPMax, AccountCustomEntity = identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Mass secret retrieval from Azure Key Vault\",\"description\":\"Identifies mass secret retrieval from Azure Key Vault observed by a single user. \\nMass secret retrival crossing a certain threshold is an indication of credential dump operations or mis-configured applications. \\nYou can tweak the EventCountThreshold based on average count seen in your environment \\nand also filter any known sources (IP/Account) and useragent combinations based on historical analysis to further reduce noise\",\"lastUpdatedDateUTC\":\"2022-07-04T00:00:00Z\",\"createdDateUTC\":\"2019-07-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureKeyVault\",\"dataTypes\":[\"KeyVaultData\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b619d1f1-7f39-4c7e-bf9e-afbb46457997\",\"name\":\"b619d1f1-7f39-4c7e-bf9e-afbb46457997\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let timeframe = 15m;\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(timeframe)\\n| where HttpUserAgentOriginal contains \\\"XMRig\\\" or HttpUserAgentOriginal contains \\\"ccminer\\\"\\n| extend Message = \\\"Crypto Miner User Agent\\\"\\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated,HttpUserAgentOriginal\\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - Crypto Miner User-Agent Detected\",\"description\":\"Detects suspicious user agent strings used by crypto miners in proxy logs.\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/dd03057e-4347-4853-bf1e-2b2d21eb4e59\",\"name\":\"dd03057e-4347-4853-bf1e-2b2d21eb4e59\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let DomainList = dynamic([\\\"monerohash.com\\\", \\\"do-dear.com\\\", \\\"xmrminerpro.com\\\", \\\"secumine.net\\\", \\\"xmrpool.com\\\", \\\"minexmr.org\\\", \\\"hashanywhere.com\\\", \\\"xmrget.com\\\",\\n\\\"mininglottery.eu\\\", \\\"minergate.com\\\", \\\"moriaxmr.com\\\", \\\"multipooler.com\\\", \\\"moneropools.com\\\", \\\"xmrpool.eu\\\", \\\"coolmining.club\\\", \\\"supportxmr.com\\\",\\n\\\"minexmr.com\\\", \\\"hashvault.pro\\\", \\\"xmrpool.net\\\", \\\"crypto-pool.fr\\\", \\\"xmr.pt\\\", \\\"miner.rocks\\\", \\\"walpool.com\\\", \\\"herominers.com\\\", \\\"gntl.co.uk\\\", \\\"semipool.com\\\",\\n\\\"coinfoundry.org\\\", \\\"cryptoknight.cc\\\", \\\"fairhash.org\\\", \\\"baikalmine.com\\\", \\\"tubepool.xyz\\\", \\\"fairpool.xyz\\\", \\\"asiapool.io\\\", \\\"coinpoolit.webhop.me\\\", \\\"nanopool.org\\\",\\n\\\"moneropool.com\\\", \\\"miner.center\\\", \\\"prohash.net\\\", \\\"poolto.be\\\", \\\"cryptoescrow.eu\\\", \\\"monerominers.net\\\", \\\"cryptonotepool.org\\\", \\\"extrmepool.org\\\", \\\"webcoin.me\\\",\\n\\\"kippo.eu\\\", \\\"hashinvest.ws\\\", \\\"monero.farm\\\", \\\"supportxmr.com\\\", \\\"xmrpool.eu\\\", \\\"linux-repository-updates.com\\\", \\\"1gh.com\\\", \\\"dwarfpool.com\\\", \\\"hash-to-coins.com\\\",\\n\\\"hashvault.pro\\\", \\\"pool-proxy.com\\\", \\\"hashfor.cash\\\", \\\"fairpool.cloud\\\", \\\"litecoinpool.org\\\", \\\"mineshaft.ml\\\", \\\"abcxyz.stream\\\", \\\"moneropool.ru\\\", \\\"cryptonotepool.org.uk\\\",\\n\\\"extremepool.org\\\", \\\"extremehash.com\\\", \\\"hashinvest.net\\\", \\\"unipool.pro\\\", \\\"crypto-pools.org\\\", \\\"monero.net\\\", \\\"backup-pool.com\\\", \\\"mooo.com\\\", \\\"freeyy.me\\\", \\\"cryptonight.net\\\",\\n\\\"shscrypto.net\\\"]);\\nSyslog\\n| where ProcessName contains \\\"squid\\\"\\n| extend URL = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :]*)\\\",3,SyslogMessage),\\n SourceIP = extract(\\\"([0-9]+ )(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3}))\\\",2,SyslogMessage),\\n Status = extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))\\\",1,SyslogMessage),\\n HTTP_Status_Code = extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))/([0-9]{3})\\\",8,SyslogMessage),\\n User = extract(\\\"(CONNECT |GET )([^ ]* )([^ ]+)\\\",3,SyslogMessage),\\n RemotePort = extract(\\\"(CONNECT |GET )([^ ]*)(:)([0-9]*)\\\",4,SyslogMessage),\\n Domain = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :\\\\\\\\/]*)\\\",3,SyslogMessage),\\n Bytes = toint(extract(\\\"([A-Z]+\\\\\\\\/[0-9]{3} )([0-9]+)\\\",2,SyslogMessage)),\\n contentType = extract(\\\"([a-z/]+$)\\\",1,SyslogMessage)\\n| extend TLD = extract(\\\"\\\\\\\\.[a-z]*$\\\",0,Domain)\\n| where HTTP_Status_Code == \u0027200\u0027\\n| where Domain contains \\\".\\\"\\n| where Domain has_any (DomainList)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"User\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URL\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"NRT Squid proxy events related to mining pools\",\"description\":\"Checks for Squid proxy events in Syslog associated with common mining pools .This query presumes the default Squid log format is being used.\\n http://www.squid-cache.org/Doc/config/access_log/\",\"lastUpdatedDateUTC\":\"2022-05-31T00:00:00Z\",\"createdDateUTC\":\"2019-07-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2b701288-b428-4fb8-805e-e4372c574786\",\"name\":\"2b701288-b428-4fb8-805e-e4372c574786\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"//The bigger the window the better the data sample size, as we use IP prevalence, more sample data is better.\\n//The minimum number of countries that the account has been accessed from [default: 2]\\nlet minimumCountries = 2;\\n//The delta (%) between the largest in-use IP and the smallest [default: 95]\\nlet deltaThreshold = 95;\\n//The maximum (%) threshold that the country appears in login data [default: 10]\\nlet countryPrevalenceThreshold = 10;\\n//The time to project forward after the last login activity [default: 60min]\\nlet projectedEndTime = 60m;\\nlet queryfrequency = 1d;\\nlet queryperiod = 14d;\\nlet aadFunc = (tableName: string) {\\n // Get successful signins to Teams\\n let signinData =\\n table(tableName)\\n | where TimeGenerated \u003e ago(queryperiod)\\n | where AppDisplayName has \\\"Teams\\\" and ConditionalAccessStatus =~ \\\"success\\\"\\n | extend Country = tostring(todynamic(LocationDetails)[\u0027countryOrRegion\u0027])\\n | where isnotempty(Country) and isnotempty(IPAddress);\\n // Calculate prevalence of countries\\n let countryPrevalence =\\n signinData\\n | summarize CountCountrySignin = count() by Country\\n | extend TotalSignin = toscalar(signinData | summarize count())\\n | extend CountryPrevalence = toreal(CountCountrySignin) / toreal(TotalSignin) * 100;\\n // Count signins by user and IP address\\n let userIpSignin =\\n signinData\\n | summarize CountIPSignin = count(), Country = any(Country), ListSigninTimeGenerated = make_list(TimeGenerated) by IPAddress, UserPrincipalName;\\n // Calculate delta between the IP addresses with the most and minimum activity by user\\n let userIpDelta =\\n userIpSignin\\n | summarize MaxIPSignin = max(CountIPSignin), MinIPSignin = min(CountIPSignin), DistinctCountries = dcount(Country), make_set(Country) by UserPrincipalName\\n | extend UserIPDelta = toreal(MaxIPSignin - MinIPSignin) / toreal(MaxIPSignin) * 100;\\n // Collect Team operations the user account has performed within a time range of the suspicious signins\\n OfficeActivity\\n | where TimeGenerated \u003e ago(queryfrequency)\\n | where Operation in~ (\\\"TeamsAdminAction\\\", \\\"MemberAdded\\\", \\\"MemberRemoved\\\", \\\"MemberRoleChanged\\\", \\\"AppInstalled\\\", \\\"BotAddedToTeam\\\")\\n | project OperationTimeGenerated = TimeGenerated, UserId = tolower(UserId), Operation\\n | join kind = inner(\\n userIpDelta\\n // Check users with activity from distinct countries\\n | where DistinctCountries \u003e= minimumCountries\\n // Check users with high IP delta\\n | where UserIPDelta \u003e= deltaThreshold\\n // Add information about signins and countries\\n | join kind = leftouter userIpSignin on UserPrincipalName\\n | join kind = leftouter countryPrevalence on Country\\n // Check activity that comes from nonprevalent countries\\n | where CountryPrevalence \u003c countryPrevalenceThreshold\\n | project\\n UserPrincipalName,\\n SuspiciousIP = IPAddress,\\n UserIPDelta,\\n SuspiciousSigninCountry = Country,\\n SuspiciousCountryPrevalence = CountryPrevalence,\\n EventTimes = ListSigninTimeGenerated\\n ) on $left.UserId == $right.UserPrincipalName\\n // Check the signins occured 60 min before the Teams operations\\n | mv-expand SigninTimeGenerated = EventTimes\\n | extend SigninTimeGenerated = todatetime(SigninTimeGenerated)\\n | where OperationTimeGenerated between (SigninTimeGenerated .. (SigninTimeGenerated + projectedEndTime))\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\\n| summarize arg_max(SigninTimeGenerated, *) by UserPrincipalName, SuspiciousIP, OperationTimeGenerated\\n| summarize\\n ActivitySummary = make_bag(pack(tostring(SigninTimeGenerated), pack(\\\"Operation\\\", tostring(Operation), \\\"OperationTime\\\", OperationTimeGenerated)))\\n by UserPrincipalName, SuspiciousIP, SuspiciousSigninCountry, SuspiciousCountryPrevalence\\n| extend IPCustomEntity = SuspiciousIP, AccountCustomEntity = UserPrincipalName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"Persistence\"],\"displayName\":\"Anomalous login followed by Teams action\",\"description\":\"Detects anomalous IP address usage by user accounts and then checks to see if a suspicious Teams action is performed.\\nQuery calculates IP usage Delta for each user account and selects accounts where a delta \u003e= 90% is observed between the most and least used IP.\\nTo further reduce results the query performs a prevalence check on the lowest used IP\u0027s country, only keeping IP\u0027s where the country is unusual for the tenant (dynamic ranges)\\nFinally the user accounts activity within Teams logs is checked for suspicious commands (modifying user privileges or admin actions) during the period the suspicious IP was active.\",\"lastUpdatedDateUTC\":\"2022-03-21T00:00:00Z\",\"createdDateUTC\":\"2020-06-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fa118b98-de46-4e94-87f9-8e6d5060b60b\",\"name\":\"fa118b98-de46-4e94-87f9-8e6d5060b60b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MLBehaviorAnalytics\",\"properties\":{\"severity\":\"Medium\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Anomalous SSH Login Detection\",\"description\":\"This detection uses machine learning (ML) to identify anomalous Secure Shell (SSH) login activity, based on syslog data. Scenarios include:\\n\\n*\\tUnusual IP - This IP address has not or has rarely been seen in last 30 days.\\n*\\tUnusual Geo - The IP address, city, country and ASN have not (or rarely) been seen in last 30 days.\\n*\\tNew user - A new user logs in from an IP address and geo location, both or either of which are not expected to be seen in the last 30 days.\\n\\nAllow 7 days after this alert is enabled for Microsoft Sentinel to build a profile of normal activity for your environment.\\n\\nThis detection requires a specific configuration of the data source. [Learn more](https://docs.microsoft.com/en-us/azure/sentinel/connect-syslog#configure-the-syslog-connector-for-anomalous-ssh-login-detection)\\n\\nBy enabling this rule, you give Microsoft permission to copy ingested data outside of your Microsoft Sentinel workspace\u0027s geography as necessary for processing by the machine learning engine.\",\"lastUpdatedDateUTC\":\"2021-03-26T00:00:00Z\",\"createdDateUTC\":\"2019-08-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c094384d-7ea7-4091-83be-18706ecca981\",\"name\":\"c094384d-7ea7-4091-83be-18706ecca981\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.1\",\"severity\":\"Low\",\"query\":\"let minersDomains=dynamic([\\\"monerohash.com\\\", \\\"do-dear.com\\\", \\\"xmrminerpro.com\\\", \\\"secumine.net\\\", \\\"xmrpool.com\\\", \\\"minexmr.org\\\", \\\"hashanywhere.com\\\", \\n\\\"xmrget.com\\\", \\\"mininglottery.eu\\\", \\\"minergate.com\\\", \\\"moriaxmr.com\\\", \\\"multipooler.com\\\", \\\"moneropools.com\\\", \\\"xmrpool.eu\\\", \\\"coolmining.club\\\", \\n\\\"supportxmr.com\\\", \\\"minexmr.com\\\", \\\"hashvault.pro\\\", \\\"xmrpool.net\\\", \\\"crypto-pool.fr\\\", \\\"xmr.pt\\\", \\\"miner.rocks\\\", \\\"walpool.com\\\", \\\"herominers.com\\\", \\n\\\"gntl.co.uk\\\", \\\"semipool.com\\\", \\\"coinfoundry.org\\\", \\\"cryptoknight.cc\\\", \\\"fairhash.org\\\", \\\"baikalmine.com\\\", \\\"tubepool.xyz\\\", \\\"fairpool.xyz\\\", \\\"asiapool.io\\\", \\n\\\"coinpoolit.webhop.me\\\", \\\"nanopool.org\\\", \\\"moneropool.com\\\", \\\"miner.center\\\", \\\"prohash.net\\\", \\\"poolto.be\\\", \\\"cryptoescrow.eu\\\", \\\"monerominers.net\\\", \\\"cryptonotepool.org\\\", \\n\\\"extrmepool.org\\\", \\\"webcoin.me\\\", \\\"kippo.eu\\\", \\\"hashinvest.ws\\\", \\\"monero.farm\\\", \\\"supportxmr.com\\\", \\\"xmrpool.eu\\\", \\\"linux-repository-updates.com\\\", \\\"1gh.com\\\", \\n\\\"dwarfpool.com\\\", \\\"hash-to-coins.com\\\", \\\"hashvault.pro\\\", \\\"pool-proxy.com\\\", \\\"hashfor.cash\\\", \\\"fairpool.cloud\\\", \\\"litecoinpool.org\\\", \\\"mineshaft.ml\\\", \\\"abcxyz.stream\\\", \\n\\\"moneropool.ru\\\", \\\"cryptonotepool.org.uk\\\", \\\"extremepool.org\\\", \\\"extremehash.com\\\", \\\"hashinvest.net\\\", \\\"unipool.pro\\\", \\\"crypto-pools.org\\\", \\\"monero.net\\\", \\n\\\"backup-pool.com\\\", \\\"mooo.com\\\", \\\"freeyy.me\\\", \\\"cryptonight.net\\\", \\\"shscrypto.net\\\"]);\\n_Im_Dns(domain_has_any=minersDomains)\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"DNS events related to mining pools (ASIM DNS Schema)\",\"description\":\"Identifies IP addresses that may be performing DNS lookups associated with common currency mining pools.\\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema\",\"lastUpdatedDateUTC\":\"2022-04-10T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/99d589fa-7337-40d7-91a0-c96d0c4fa437\",\"name\":\"99d589fa-7337-40d7-91a0-c96d0c4fa437\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let core_domains = (SigninLogs\\n | where TimeGenerated \u003e ago(7d)\\n | where ResultType == 0\\n | extend domain = tolower(split(UserPrincipalName, \\\"@\\\")[1])\\n | summarize by tostring(domain));\\n let alternative_domains = (SigninLogs\\n | where TimeGenerated \u003e ago(7d)\\n | where isnotempty(AlternateSignInName)\\n | where ResultType == 0\\n | extend domain = tolower(split(AlternateSignInName, \\\"@\\\")[1])\\n | summarize by tostring(domain));\\n AuditLogs\\n | where TimeGenerated \u003e ago(1d)\\n | where OperationName =~ \\\"Add User\\\"\\n | extend AddingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend AddingSPN = tostring(parse_json(tostring(InitiatedBy.app)).servicePrincipalName)\\n | extend AddedBy = iif(isnotempty(AddingUser), AddingUser, AddingSPN)\\n | extend UserAdded = tostring(TargetResources[0].userPrincipalName)\\n | extend Domain = tolower(split(UserAdded, \\\"@\\\")[1])\\n | where Domain !in (core_domains) and Domain !in (alternative_domains)\\n | project-away AddingUser\\n | project-reorder TimeGenerated, UserAdded, Domain, AddedBy\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddedBy\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserAdded\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Account created from non-approved sources\",\"description\":\"This query looks for account being created from a domain that is not regularly seen in a tenant.\\n Attackers may attempt to add accounts from these sources as a means of establishing persistant access to an environment.\\n Created accounts should be investigated to ensure they were legitimated created.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#short-lived-accounts\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\",\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/15ae38a2-2e29-48f7-883f-863fb25a5a06\",\"name\":\"15ae38a2-2e29-48f7-883f-863fb25a5a06\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P8D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let starttime = 8d;\\nlet endtime = 1d;\\nlet threshold = 10;\\nDnsEvents \\n| where TimeGenerated \u003e ago(endtime)\\n| where Name contains \\\"in-addr.arpa\\\" \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), dcount(Name) by ClientIP\\n| where dcount_Name \u003e threshold\\n| project StartTimeUtc, EndTimeUtc, ClientIP , dcount_Name \\n| join kind=leftanti (DnsEvents \\n | where TimeGenerated between(ago(starttime)..ago(endtime))\\n | where Name contains \\\"in-addr.arpa\\\" \\n | summarize dcount(Name) by ClientIP, bin(TimeGenerated, 1d)\\n | where dcount_Name \u003e threshold\\n | project ClientIP , dcount_Name \\n) on ClientIP\\n| extend timestamp = StartTimeUtc, IPCustomEntity = ClientIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Discovery\"],\"displayName\":\"Rare client observed with high reverse DNS lookup count\",\"description\":\"Identifies clients with a high reverse DNS counts which could be carrying out reconnaissance or discovery activity.\\nAlert is generated if the IP performing such reverse DNS lookups was not seen doing so in the preceding 7-day period.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a7427ed7-04b4-4e3b-b323-08b981b9b4bf\",\"name\":\"a7427ed7-04b4-4e3b-b323-08b981b9b4bf\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.4.0\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\n let ioc_lookBack = 14d;\\n ThreatIntelligenceIndicator\\n | where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n | where Active == true\\n | where isnotempty(FileHashValue)\\n | extend FileHashValue = toupper(FileHashValue)\\n // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n | join kind=innerunique ( union isfuzzy=true \\n (SecurityEvent | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where EventID in (\\\"8003\\\",\\\"8002\\\",\\\"8005\\\")\\n | where isnotempty(FileHash)\\n | extend SecurityEvent_TimeGenerated = TimeGenerated, Event = EventID, FileHash = toupper(FileHash)\\n ),\\n (WindowsEvent | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where EventID in (\\\"8003\\\",\\\"8002\\\",\\\"8005\\\")\\n | where isnotempty(EventData.FileHash)\\n | extend SecurityEvent_TimeGenerated = TimeGenerated, Event = EventID, FileHash = toupper(EventData.FileHash)\\n )\\n )\\n on $left.FileHashValue == $right.FileHash\\n | where SecurityEvent_TimeGenerated \u003c ExpirationDateTime\\n | summarize SecurityEvent_TimeGenerated = arg_max(SecurityEvent_TimeGenerated, *) by IndicatorId, FileHash\\n | project SecurityEvent_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\n Process, FileHash, Computer, Account, Event, FileHashValue, FileHashType\\n | extend timestamp = SecurityEvent_TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Value\",\"columnName\":\"FileHashValue\"},{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashType\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map File Hash to Security Event\",\"description\":\"Identifies a match in Security Event data from any File Hash IOC from TI\",\"lastUpdatedDateUTC\":\"2022-07-07T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1bf6e165-5e32-420e-ab4f-0da8558a8be2\",\"name\":\"1bf6e165-5e32-420e-ab4f-0da8558a8be2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"// How far back to look for events from\\nlet timeframe = 1d;\\n// How close together build events and file modifications should occur to alert (make this smaller to reduce FPs)\\nlet time_window = 5m;\\n// Edit this to include build processes used\\nlet build_processes = dynamic([\\\"MSBuild.exe\\\", \\\"dotnet.exe\\\", \\\"VBCSCompiler.exe\\\"]);\\n// Include any processes that you want to allow to edit files during/around the build process\\nlet allow_list = dynamic([]);\\nDeviceProcessEvents\\n| where TimeGenerated \u003e ago(timeframe)\\n// Look for build process starts\\n| where FileName has_any (build_processes)\\n| summarize by BuildParentProcess=InitiatingProcessFileName, BuildProcess=FileName, BuildAccount = AccountName, DeviceName, BuildCommand=ProcessCommandLine, timekey= bin(TimeGenerated, time_window), BuildProcessTime=TimeGenerated\\n| join kind=inner(\\nDeviceFileEvents\\n| where TimeGenerated \u003e ago(timeframe)\\n| where InitiatingProcessFileName !in (allow_list)\\n| where ActionType == \\\"FileCreated\\\" or ActionType == \\\"FileModified\\\"\\n// Look for code files, edit this to include file extensions used in build.\\n| where FileName endswith \\\".cs\\\" or FileName endswith \\\".cpp\\\"\\n| summarize by FileEditParentProcess=InitiatingProcessParentFileName, FileEditAccount = InitiatingProcessAccountName, DeviceName, FileEdited=FileName, FileEditProcess=InitiatingProcessFileName, timekey= bin(TimeGenerated, time_window), FileEditTime=TimeGenerated)\\n// join where build processes and file modifications seen at same time on same host\\non timekey, DeviceName\\n// Limit to only where the file edit happens after the build process starts\\n| where BuildProcessTime \u003c= FileEditTime\\n| summarize make_set(FileEdited), make_set(FileEditProcess), make_set(FileEditAccount) by timekey, DeviceName, BuildParentProcess, BuildProcess\\n| extend HostCustomEntity=DeviceName, timestamp=timekey\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Potential Build Process Compromise - MDE\",\"description\":\"The query looks for source code files being modified immediately after a build process is started. The purpose of this is to look for malicious code injection during the build process. This query uses Microsoft Defender for Endpoint telemetry.\\nMore details: https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-the-software-supply-chain-with-azure-sentinel/ba-p/2176463\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\",\"DeviceFileEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/957cb240-f45d-4491-9ba5-93430a3c08be\",\"name\":\"957cb240-f45d-4491-9ba5-93430a3c08be\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Low\",\"query\":\"OfficeActivity\\n| where Operation in~ ( \\\"Add-MailboxPermission\\\", \\\"Add-MailboxFolderPermission\\\", \\\"Set-Mailbox\\\", \\\"New-ManagementRoleAssignment\\\", \\\"New-InboxRule\\\", \\\"Set-InboxRule\\\", \\\"Set-TransportRule\\\")\\nand not(UserId has_any (\u0027NT AUTHORITY\\\\\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\u0027, \u0027NT AUTHORITY\\\\\\\\SYSTEM (w3wp)\u0027, \u0027devilfish-applicationaccount\u0027) and Operation in~ ( \\\"Add-MailboxPermission\\\", \\\"Set-Mailbox\\\"))\\n| extend ClientIPOnly = tostring(extract_all(@\u0027\\\\[?(::ffff:)?(?P\u003cIPAddress\u003e(\\\\d+\\\\.\\\\d+\\\\.\\\\d+\\\\.\\\\d+)|[^\\\\]]+)\\\\]?\u0027, dynamic([\\\"IPAddress\\\"]), ClientIP)[0][0])\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = ClientIPOnly\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"Collection\"],\"displayName\":\"Rare and potentially high-risk Office operations\",\"description\":\"Identifies Office operations that are typically rare and can provide capabilities useful to attackers.\",\"lastUpdatedDateUTC\":\"2022-05-24T00:00:00Z\",\"createdDateUTC\":\"2019-02-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2fc5d810-c9cc-491a-b564-841427ae0e50\",\"name\":\"2fc5d810-c9cc-491a-b564-841427ae0e50\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @\u0027^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$\u0027;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique ( \\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e= ago(dt_lookBack) and isnotempty(TargetUserName)\\n//Normalizing the column to lower case for exact match with EmailSenderAddress column\\n| extend TargetUserName = tolower(TargetUserName)\\n// renaming timestamp column so it is clear the log this came from SecurityEvent table\\n| extend SecurityEvent_TimeGenerated = TimeGenerated\\n),\\n(WindowsEvent\\n| where TimeGenerated \u003e= ago(dt_lookBack) \\n| extend TargetUserName = tostring(EventData.TargetUserName) \\n| where isnotempty(TargetUserName)\\n//Normalizing the column to lower case for exact match with EmailSenderAddress column\\n| extend TargetUserName = tolower(TargetUserName)\\n// renaming timestamp column so it is clear the log this came from SecurityEvent table\\n| extend SecurityEvent_TimeGenerated = TimeGenerated\\n))\\n)\\non $left.EmailSenderAddress == $right.TargetUserName\\n| where SecurityEvent_TimeGenerated \u003c ExpirationDateTime\\n| summarize SecurityEvent_TimeGenerated = arg_max(SecurityEvent_TimeGenerated, *) by IndicatorId, TargetUserName\\n| project SecurityEvent_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, Computer, EventID, TargetUserName, Activity, IpAddress, AccountType,\\nLogonTypeName, LogonProcessName, Status, SubStatus\\n| extend\\ntimestamp = SecurityEvent_TimeGenerated,\\nAccountCustomEntity = TargetUserName,\\nIPCustomEntity = IpAddress,\\nHostCustomEntity = Computer,\\nURLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map Email entity to SecurityEvent\",\"description\":\"Identifies a match in SecurityEvent table from any Email IOC from TI\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/01f64465-b1ef-41ea-a7f5-31553a11ad43\",\"name\":\"01f64465-b1ef-41ea-a7f5-31553a11ad43\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Medium\",\"query\":\"let endpointData = \\n(union isfuzzy=true\\n(SecurityEvent\\n | where EventID == 4688\\n | extend shortFileName = tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n ),\\n (WindowsEvent\\n | where EventID == 4688\\n | extend NewProcessName = tostring(EventData.NewProcessName)\\n | extend shortFileName = tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n | extend TargetUserName = tostring(EventData.TargetUserName)\\n ));\\n// Correlate suspect executables seen in TrendMicro rule updates with similar activity on endpoints\\nCommonSecurityLog\\n| where DeviceVendor =~ \\\"Trend Micro\\\"\\n| where Activity =~ \\\"Deny List updated\\\" \\n| where RequestURL endswith \\\".exe\\\"\\n| project TimeGenerated, Activity , RequestURL , SourceIP, DestinationIP\\n| extend suspectExeName = tolower(tostring(split(RequestURL, \u0027/\u0027)[-1]))\\n| join (endpointData) on $left.suspectExeName == $right.shortFileName \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIP, AccountCustomEntity = TargetUserName, HostCustomEntity = Computer, URLCustomEntity = RequestURL\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"Network endpoint to host executable correlation\",\"description\":\"Correlates blocked URLs hosting [malicious] executables with host endpoint data\\nto identify potential instances of executables of the same name having been recently run.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2019-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"TrendMicro\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5efb0cfd-063d-417a-803b-562eae5b0301\",\"name\":\"5efb0cfd-063d-417a-803b-562eae5b0301\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 6h;\\n// Ignore Build/Releases with less/equal this number\\nlet ServiceConnectionThreshold = 3;\\n// New Connections need to exhibit execution of more \\\"new\\\" connections than this number.\\nlet NewConnectionThreshold = 1;\\n// List of Builds/Releases to ignore in your space\\nlet BypassDefIds = datatable(DefId:string, Type:string, ProjectName:string)\\n[\\n//\\\"103\\\", \\\"Release\\\", \\\"ProjectA\\\",\\n//\\\"42\\\", \\\"Release\\\", \\\"ProjectB\\\",\\n//\\\"122\\\", \\\"Build\\\", \\\"ProjectB\\\"\\n];\\nlet HistoricDefs = AzureDevOpsAuditing\\n| where TimeGenerated between (ago(starttime) .. ago(endtime))\\n| where OperationName == \\\"Library.ServiceConnectionExecuted\\\" \\n| extend DefId = tostring(Data.DefinitionId), Type = tostring(Data.PlanType), ConnectionId = tostring(Data.ConnectionId)\\n| summarize HistoricCount = dcount(tostring(ConnectionId)), ConnectionNames = make_set(tostring(Data.ConnectionName)) \\n by DefId = tostring(DefId), Type = tostring(Type), ProjectId, ProjectName, ActorUPN;\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e= ago(endtime)\\n| where OperationName == \\\"Library.ServiceConnectionExecuted\\\" \\n| extend DefId = tostring(Data.DefinitionId), Type = tostring(Data.PlanType), ConnectionId = tostring(Data.ConnectionId)\\n| parse ScopeDisplayName with OrganizationName \u0027 (Organization)\u0027\\n| summarize CurrentCount = dcount(tostring(ConnectionId)), ConnectionNames = make_set(tostring(Data.ConnectionName)), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) \\n by OrganizationName, DefId = tostring(DefId), Type = tostring(Type), ProjectId, ProjectName, ActorUPN\\n| where CurrentCount \u003e ServiceConnectionThreshold\\n| join (HistoricDefs) on ProjectId, DefId, Type, ActorUPN\\n| join kind=anti BypassDefIds on $left.DefId==$right.DefId and $left.Type == $right.Type and $left.ProjectName == $right.ProjectName\\n| extend link = iff(\\nType == \\\"Build\\\", strcat(\u0027https://dev.azure.com/\u0027, OrganizationName, \u0027/\u0027, ProjectName, \u0027/_build?definitionId=\u0027, DefId),\\nstrcat(\u0027https://dev.azure.com/\u0027, OrganizationName, \u0027/\u0027, ProjectName, \u0027/_release?_a=releases\u0026view=mine\u0026definitionId=\u0027, DefId))\\n| where CurrentCount \u003e= HistoricCount + NewConnectionThreshold\\n| project StartTime, OrganizationName, ProjectName, DefId, link, RecentDistinctServiceConnections = CurrentCount, HistoricDistinctServiceConnections = HistoricCount, \\n RecentConnections = ConnectionNames, HistoricConnections = ConnectionNames1, ActorUPN\\n| extend timestamp = StartTime, AccountCustomEntity = ActorUPN\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"Impact\"],\"displayName\":\"Azure DevOps Service Connection Addition/Abuse - Historic allow list\",\"description\":\"This detection builds an allow list of historic service connection use by Builds and Releases and compares to recent history, flagging growth of service connection use which are not manually included in the allow list and \\nnot historically included in the allow list Build/Release runs. This is to determine if someone is hijacking a build/release and adding many service connections in order to abuse or dump credentials from service connections.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2020-06-04T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3bd33158-3f0b-47e3-a50f-7c20a1b88038\",\"name\":\"3bd33158-3f0b-47e3-a50f-7c20a1b88038\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"let SpringShell_threats = dynamic([\\\"Trojan:Python/SpringShellExpl\\\", \\\"Exploit:Python/SpringShell\\\", \\\"Backdoor:PHP/Remoteshell.V\\\", \\\"SpringShell\\\"]);\\nDeviceInfo\\n| extend DeviceName = tolower(DeviceName)\\n| join kind=inner ( SecurityAlert\\n| where ProviderName == \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)\\n| where ThreatName in~ (SpringShell_threats) or ThreatFamilyName in~ (SpringShell_threats)\\n| extend CompromisedEntity = tolower(CompromisedEntity)\\n) on $left.DeviceName == $right.CompromisedEntity\\n| summarize by DisplayName, ThreatName, ThreatFamilyName, PublicIP, AlertSeverity, Description, tostring(LoggedOnUsers), DeviceId, TenantId , bin(TimeGenerated, 1d), CompromisedEntity, tostring(LoggedOnUsers), ProductName, Entities\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CompromisedEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"PublicIP\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"AV detections related to SpringShell Vulnerability\",\"description\":\"This query looks for Microsoft Defender AV detections related to SpringShell Vulnerability. In Microsoft Sentinel the SecurityAlerts table includes only the Device Name of the affected device, \\n this query joins the DeviceInfo table to clearly connect other information such as Device group, ip, logged on users etc. This would allow the Microsoft Sentinel analyst to have more context related to the alert, if available.\\n Reference: https://www.microsoft.com/security/blog/2022/04/04/springshell-rce-vulnerability-guidance-for-protecting-against-and-detecting-cve-2022-22965/\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-04-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b4ceb583-4c44-4555-8ecf-39f572e827ba\",\"name\":\"b4ceb583-4c44-4555-8ecf-39f572e827ba\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet scorethreshold = 1.5;\\nlet percentthreshold = 50;\\n// Preparing the time series data aggregated hourly count of MailItemsAccessd Operation in the form of multi-value array to use with time series anomaly function.\\nlet TimeSeriesData =\\nOfficeActivity\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where OfficeWorkload=~ \\\"Exchange\\\" and Operation =~ \\\"MailItemsAccessed\\\" and ResultStatus =~ \\\"Succeeded\\\"\\n| project TimeGenerated, Operation, MailboxOwnerUPN\\n| make-series Total=count() on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe;\\nlet TimeSeriesAlerts = TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(Total, scorethreshold, -1, \u0027linefit\u0027)\\n| mv-expand Total to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to typeof(double), baseline to typeof(long)\\n| where anomalies \u003e 0\\n| project TimeGenerated, Total, baseline, anomalies, score;\\n// Joining the flagged outlier from the previous step with the original dataset to present contextual information\\n// during the anomalyhour to analysts to conduct investigation or informed decisions.\\nTimeSeriesAlerts | where TimeGenerated \u003e ago(2d)\\n// Join against base logs since specified timeframe to retrive records associated with the hour of anomoly\\n| join (\\n OfficeActivity\\n | where TimeGenerated \u003e ago(2d)\\n | extend DateHour = bin(TimeGenerated, 1h)\\n | where OfficeWorkload=~ \\\"Exchange\\\" and Operation =~ \\\"MailItemsAccessed\\\" and ResultStatus =~ \\\"Succeeded\\\"\\n | summarize HourlyCount=count(), TimeGeneratedMax = arg_max(TimeGenerated, *), IPAdressList = make_set(Client_IPAddress), SourceIPMax= arg_max(Client_IPAddress, *), ClientInfoStringList= make_set(ClientInfoString) by MailboxOwnerUPN, Logon_Type, TenantId, UserType, TimeGenerated = bin(TimeGenerated, 1h) \\n | where HourlyCount \u003e 25 // Only considering operations with more than 25 hourly count to reduce False Positivies\\n | order by HourlyCount desc \\n) on TimeGenerated\\n| extend PercentofTotal = round(HourlyCount/Total, 2) * 100 \\n| where PercentofTotal \u003e percentthreshold // Filter Users with count of less than 5 percent of TotalEvents per Hour to remove FPs/ users with very low count of MailItemsAccessed events\\n| order by PercentofTotal desc \\n| project-reorder TimeGeneratedMax, Type, OfficeWorkload, Operation, UserId,SourceIPMax ,IPAdressList, ClientInfoStringList, HourlyCount, PercentofTotal, Total, baseline, score, anomalies\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserId\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"Collection\"],\"displayName\":\"Exchange workflow MailItemsAccessed operation anomaly\",\"description\":\"Identifies anomalous increases in Exchange mail items accessed operations.\\nThe query leverages KQL built-in anomaly detection algorithms to find large deviations from baseline patterns.\\nSudden increases in execution frequency of sensitive actions should be further investigated for malicious activity.\\nManually change scorethreshold from 1.5 to 3 or higher to reduce the noise based on outliers flagged from the query criteria.\\nRead more about MailItemsAccessed- https://docs.microsoft.com/microsoft-365/compliance/advanced-audit?view=o365-worldwide#mailitemsaccessed\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/00cb180c-08a8-4e55-a276-63fb1442d5b5\",\"name\":\"00cb180c-08a8-4e55-a276-63fb1442d5b5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let cmdTokens0 = dynamic([\u0027vbscript\u0027,\u0027jscript\u0027]);\\nlet cmdTokens1 = dynamic([\u0027mshtml\u0027,\u0027RunHTMLApplication\u0027]);\\nlet cmdTokens2 = dynamic([\u0027Execute\u0027,\u0027CreateObject\u0027,\u0027RegRead\u0027,\u0027window.close\u0027]);\\n(union isfuzzy=true \\n(SecurityEvent\\n| where TimeGenerated \u003e= ago(14d)\\n| where EventID == 4688\\n| where CommandLine has @\u0027\\\\Microsoft\\\\Windows\\\\CurrentVersion\u0027\\n| where not(CommandLine has_any (@\u0027\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\u0027, @\u0027\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\u0027))\\n// If you are receiving false positives, then it may help to make the query more strict by uncommenting one or both of the lines below to refine the matches\\n//| where CommandLine has_any (cmdTokens0)\\n//| where CommandLine has_all (cmdTokens1)\\n| where CommandLine has_all (cmdTokens2)\\n| project TimeGenerated, Computer, Account, Process, NewProcessName, CommandLine, ParentProcessName, _ResourceId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account\\n),\\n(WindowsEvent\\n| where TimeGenerated \u003e= ago(14d)\\n| where EventID == 4688 and EventData has_all(cmdTokens2) and EventData has @\u0027\\\\Microsoft\\\\Windows\\\\CurrentVersion\u0027\\n| where not(EventData has_any (@\u0027\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\u0027, @\u0027\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\u0027))\\n| extend CommandLine = tostring(EventData.CommandLine)\\n| where CommandLine has @\u0027\\\\Microsoft\\\\Windows\\\\CurrentVersion\u0027\\n| where not(CommandLine has_any (@\u0027\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\u0027, @\u0027\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\u0027))\\n// If you are receiving false positives, then it may help to make the query more strict by uncommenting one or both of the lines below to refine the matches\\n//| where CommandLine has_any (cmdTokens0)\\n//| where CommandLine has_all (cmdTokens1)\\n| where CommandLine has_all (cmdTokens2)\\n| extend Account = strcat(EventData.SubjectDomainName,\\\"\\\\\\\\\\\", EventData.SubjectUserName)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| extend ParentProcessName = tostring(EventData.ParentProcessName) \\n| project TimeGenerated, Computer, Account, Process, NewProcessName, CommandLine, ParentProcessName, _ResourceId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account))\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"NOBELIUM - Script payload stored in Registry\",\"description\":\"This query idenifies when a process execution commandline indicates that a registry value is written to allow for later execution a malicious script\\n References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-03-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3cc5ccd8-b416-4141-bb2d-4eba370e37a5\",\"name\":\"3cc5ccd8-b416-4141-bb2d-4eba370e37a5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Medium\",\"query\":\"let OMIVulnerabilityPatchVersion = \\\"OMIVulnerabilityPatchVersion:1.13.40-0\\\";\\nHeartbeat\\n| where Category == \\\"Direct Agent\\\"\\n| summarize arg_max(TimeGenerated,*) by Computer\\n| parse strcat(\\\"Version:\\\" , Version) with * \\\"Version:\\\" Major:long \\\".\\\"\\nMinor:long \\\".\\\" Patch:long \\\"-\\\" *\\n| parse OMIVulnerabilityPatchVersion with * \\\"OMIVulnerabilityPatchVersion:\\\"\\nOMIVersionMajor:long \\\".\\\" OMIVersionMinor:long \\\".\\\" OMIVersionPatch:long \\\"-\\\" *\\n| where Major \u003cOMIVersionMajor or (Major==OMIVersionMajor and Minor\\n\u003cOMIVersionMinor) or (Major==OMIVersionMajor and Minor==OMIVersionMinor and\\nPatch\u003cOMIVersionPatch) \\n| project Version, Major,Minor,Patch,\\nComputer,ComputerIP,OSType,OSName,ResourceId\",\"customDetails\":{\"HostIp\":\"ComputerIP\",\"OSType\":\"OSType\",\"OSName\":\"OSName\"},\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceId\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"OMI Vulnerability Exploitation\",\"description\":\"Following the September 14th, 2021 release of three Elevation of Privilege\\n(EoP) vulnerabilities (CVE-2021-38645, CVE-2021-38649, CVE-2021-38648) and one\\nunauthenticated Remote Code Execution (RCE) vulnerability (CVE-2021-38647) in\\nthe Open Management Infrastructure (OMI) Framework.\\nThis detection validates that any OMS-agent that is reporting to the Microsoft\\nSentinel workspace is updated with the patch. The detection will go over the\\nheartbeats received from all agents over the last day and will create alert\\nfor those agents who are not updated.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2021-09-23T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c1c66f0b-5531-4a3e-a619-9d2f770ef730\",\"name\":\"c1c66f0b-5531-4a3e-a619-9d2f770ef730\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n | where TimeGenerated between(ago(14d)..ago(1d))\\n | where OperationName =~ \\\"Add member to role completed (PIM activation)\\\"\\n | where Result =~ \\\"success\\\"\\n | extend ElevatedUser = tostring(TargetResources[2].userPrincipalName)\\n | extend displayName = tostring(TargetResources[0].displayName)\\n | extend displayName2 = tostring(TargetResources[3].displayName)\\n | extend ElevatedRole = iif(displayName =~ \\\"Member\\\", displayName2, displayName)\\n | join kind = rightanti (AuditLogs\\n | where TimeGenerated \u003e ago(1d)\\n | where OperationName =~ \\\"Add member to role completed (PIM activation)\\\"\\n | where Result =~ \\\"success\\\"\\n | extend ElevatedUser = tostring(TargetResources[2].userPrincipalName)\\n | extend displayName = tostring(TargetResources[0].displayName)\\n | extend displayName2 = tostring(TargetResources[3].displayName)\\n | extend ElevatedRole = iif(displayName =~ \\\"Member\\\", displayName2, displayName)\\n | extend ElevatedBy = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)) on ElevatedRole, ElevatedUser\\n | project-reorder ElevatedUser, ElevatedRole, ResultReason,ElevatedBy\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ElevatedUser\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ElevatedBy\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Account Elevated to New Role\",\"description\":\"Detects an account that is elevated to a new role where that account has not had that role in the last 14 days.\\n Role elevations are a key mechanism for gaining permissions, monitoring which users have which roles, and for anomalies in those roles is useful for finding suspicious activity.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d0c82b7f-40b2-4180-a4d6-7aa0541b7599\",\"name\":\"d0c82b7f-40b2-4180-a4d6-7aa0541b7599\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let threshold = 3;\\nPulseConnectSecure\\n| where Messages contains \\\"Unauthenticated request url /dana-na/\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by Source_IP\\n| where count_ \u003e threshold\\n| extend timestamp = StartTime, IPCustomEntity = Source_IP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"PulseConnectSecure - CVE-2021-22893 Possible Pulse Connect Secure RCE Vulnerability Attack\",\"description\":\"This query identifies exploitation attempts using Pulse Connect Secure(PCS) vulnerability (CVE-2021-22893) to the VPN server\",\"lastUpdatedDateUTC\":\"2022-05-11T00:00:00Z\",\"createdDateUTC\":\"2022-05-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PulseConnectSecure\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bf0cde21-0c41-48f6-a40c-6b5bd71fa106\",\"name\":\"bf0cde21-0c41-48f6-a40c-6b5bd71fa106\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"AWSGuardDuty | extend tokens = split(ActivityType,\\\":\\\") | extend ThreatPurpose = tokens[0], tokens= split(tokens[1],\\\"/\\\") | extend ResourceTypeAffected = tokens[0], ThreatFamilyName= tokens[1] | extend UniqueFindingId = Id | extend AWSAcoundId = AccountId | project-away tokens,ActivityType, Id, AccountId | project-away TimeGenerated, TenantId, SchemaVersion, Region, Partition | extend Severity= iff(Severity between (7.0..8.9),\\\"High\\\",iff(Severity between (4.0..6.9), \\\"Medium\\\", iff(Severity between (1.0..3.9),\\\"Low\\\",\\\"Unknown\\\")))\",\"customDetails\":{\"ThreatPurpose\":\"ThreatPurpose\",\"ResourceTypeAffected\":\"ResourceTypeAffected\",\"UniqueFindingId\":\"UniqueFindingId\"},\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"Arn\"},{\"identifier\":\"ObjectGuid\",\"columnName\":\"AWSAcoundId\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"{{Title}}\",\"alertDescriptionFormat\":\"{{Description}}\",\"alertTacticsColumnName\":\"ThreatPurpose\",\"alertSeverityColumnName\":\"Severity\"},\"displayName\":\"AWS Guard Duty Alert\",\"description\":\"Amazon GuardDuty is a threat detection service that continuously monitors your AWS accounts and workloads for malicious activity and delivers detailed security findings for visibility and remediation. This templates create an alert for each Amazon GuardDuty finding.\",\"lastUpdatedDateUTC\":\"2022-02-08T00:00:00Z\",\"createdDateUTC\":\"2021-11-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSGuardDuty\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b6685757-3ed1-4b05-a5bd-2cacadc86c2a\",\"name\":\"b6685757-3ed1-4b05-a5bd-2cacadc86c2a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"High\",\"query\":\"let UA_threats = dynamic([\\\"FoxBlade\\\", \\\"WhisperGate\\\", \\\"Lasainraw\\\", \\\"SonicVote\\\"]);\\n SecurityAlert\\n | where ProviderName == \\\"MDATP\\\"\\n | extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)\\n | where ThreatFamilyName in (UA_threats)\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CompromisedEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"AV detections related to Ukraine threats\",\"description\":\"This query looks for Microsoft Defender AV detections for malware observed in relation to the war in Ukraine.\\n Ref: https://msrc-blog.microsoft.com/2022/02/28/analysis-resources-cyber-threat-activity-ukraine/ \",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-03-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cf3ede88-a429-493b-9108-3e46d3c741f7\",\"name\":\"cf3ede88-a429-493b-9108-3e46d3c741f7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let timeRange = 6h;\\nlet authenticationWindow = 1h;\\nlet authenticationThreshold = 5;\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeRange)\\n| where EventID == 4624 or EventID == 4625\\n| where IpAddress != \\\"-\\\" and isnotempty(Account)\\n| extend Outcome = iff(EventID == 4624, \\\"Success\\\", \\\"Failure\\\")\\n// bin outcomes into 5 minute windows to reduce the volume of data\\n| summarize OutcomeCount=count() by Account, IpAddress, Computer, Outcome, bin(TimeGenerated, 5m)\\n| project TimeGenerated, Account, IpAddress, Computer, Outcome, OutcomeCount\\n// sort ready for sessionizing - by account and time of the authentication outcome\\n| sort by Account asc, TimeGenerated asc\\n| serialize \\n// sessionize into failure groupings until either the account changes or there is a success\\n| extend SessionStartedUtc = row_window_session(TimeGenerated, timeRange, authenticationWindow, Account != prev(Account) or prev(Outcome) == \\\"Success\\\")\\n// count the failures in each session\\n| summarize FailureCountBeforeSuccess=sumif(OutcomeCount, Outcome == \\\"Failure\\\"), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), makelist(Outcome), makeset(Computer), makeset(IpAddress) by SessionStartedUtc, Account\\n// the session must not start with a success, and must end with one\\n| where array_index_of(list_Outcome, \\\"Success\\\") != 0\\n| where array_index_of(list_Outcome, \\\"Success\\\") == array_length(list_Outcome) - 1\\n| project-away SessionStartedUtc, list_Outcome \\n// where the number of failures before the success is above the threshold \\n| where FailureCountBeforeSuccess \u003e= authenticationThreshold\\n// expand out ip and computer for customer entity assignment\\n| mvexpand set_IpAddress, set_Computer\\n| extend IpAddress = tostring(set_IpAddress), Computer = tostring(set_Computer)\\n| extend timestamp=StartTime, AccountCustomEntity=Account, HostCustomEntity=Computer, IPCustomEntity=IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"SecurityEvent - Multiple authentication failures followed by a success\",\"description\":\"Identifies accounts who have failed to logon to the domain multiple times in a row, followed by a successful authentication\\nwithin a short time frame. Multiple failed attempts followed by a success can be an indication of a brute force attempt or\\npossible mis-configuration of a service account within an environment.\\nThe lookback is set to 6h and the authentication window and threshold are set to 1h and 5, meaning we need to see a minimum\\nof 5 failures followed by a success for an account within 1 hour to surface an alert.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-04-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cecdbd4c-4902-403c-8d4b-32eb1efe460b\",\"name\":\"cecdbd4c-4902-403c-8d4b-32eb1efe460b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.4.1\",\"severity\":\"High\",\"query\":\"let domains = dynamic([\\\"incomeupdate.com\\\",\\\"zupertech.com\\\",\\\"databasegalore.com\\\",\\\"panhardware.com\\\",\\\"avsvmcloud.com\\\",\\\"digitalcollege.org\\\",\\\"freescanonline.com\\\",\\\"deftsecurity.com\\\",\\\"thedoccloud.com\\\",\\\"virtualdataserver.com\\\",\\\"lcomputers.com\\\",\\\"webcodez.com\\\",\\\"globalnetworkissues.com\\\",\\\"kubecloud.com\\\",\\\"seobundlekit.com\\\",\\\"solartrackingsystem.net\\\",\\\"virtualwebdata.com\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n | parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n | where DNSName in~ (domains) or DestinationHostName has_any (domains) or RequestURL has_any(domains)\\n | extend AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName, IPCustomEntity = SourceIP\\n ),\\n(_Im_Dns (domain_has_any=domains)\\n | extend DNSName = DnsQuery\\n | extend IPCustomEntity = SrcIpAddr\\n ),\\n(VMConnection \\n | parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n | where isnotempty(DNSName)\\n | where DNSName in~ (domains)\\n | extend IPCustomEntity = RemoteIp\\n ),\\n(DeviceNetworkEvents \\n | where isnotempty(RemoteUrl) \\n | where RemoteUrl has_any (domains) \\n | extend DNSName = RemoteUrl\\n | extend IPCustomEntity = RemoteIP \\n | extend HostCustomEntity = DeviceName \\n ),\\n(AzureDiagnostics \\n | where ResourceType == \\\"AZUREFIREWALLS\\\"\\n | where Category == \\\"AzureFirewallApplicationRule\\\"\\n | parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n | where isnotempty(DestinationHost)\\n | where DestinationHost has_any (domains) \\n | extend DNSName = DestinationHost \\n | extend IPCustomEntity = SourceHost\\n ) \\n )\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"DNSName\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Solorigate Network Beacon\",\"description\":\"Identifies a match across various data feeds for domains IOCs related to the Solorigate incident.\\n References: https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/, \\n https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html?1\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2020-12-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2790795b-7dba-483e-853f-44aa0bc9c985\",\"name\":\"2790795b-7dba-483e-853f-44aa0bc9c985\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"CommonSecurityLog\\n| where DeviceProduct =~ \\\"Wazuh\\\"\\n| where Activity has \\\"Web server 400 error code.\\\"\\n| where Message has \\\"403\\\"\\n| extend HostName=substring(split(DeviceCustomString1,\\\")\\\")[0],1)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), NumberOfErrors = dcount(SourceIP) by HostName, SourceIP\\n| where NumberOfErrors \u003e 400\\n| sort by NumberOfErrors desc\\n| extend timestamp = StartTime, HostCustomEntity = HostName, IPCustomEntity = SourceIP\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Wazuh - Large Number of Web errors from an IP\",\"description\":\"Identifies instances where Wazuh logged over 400 \u0027403\u0027 Web Errors from one IP Address. To onboard Wazuh data into Sentinel please view: https://github.com/wazuh/wazuh-documentation/blob/master/source/azure/monitoring%20activity.rst\",\"lastUpdatedDateUTC\":\"2022-01-16T00:00:00Z\",\"createdDateUTC\":\"2020-04-21T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/78979d32-e63f-4740-b206-cfb300c735e0\",\"name\":\"78979d32-e63f-4740-b206-cfb300c735e0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n ProofpointPOD \\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(SrcIpAddr)\\n | extend ProofpointPOD_TimeGenerated = TimeGenerated, ClientIP = SrcIpAddr\\n )\\non $left.TI_ipEntity == $right.ClientIP\\n| where ProofpointPOD_TimeGenerated \u003c ExpirationDateTime\\n| summarize ProofpointPOD_TimeGenerated = arg_max(ProofpointPOD_TimeGenerated, *) by IndicatorId, ClientIP\\n| project ProofpointPOD_TimeGenerated, SrcUserUpn, DstUserUpn, SrcIpAddr, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, ClientIP\\n| extend timestamp = ProofpointPOD_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SrcUserUpn\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]}],\"tactics\":[\"Exfiltration\",\"InitialAccess\"],\"displayName\":\"ProofpointPOD - Email sender IP in TI list\",\"description\":\"Email sender IP in TI list.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_maillog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2b328487-162d-4034-b472-59f1d53684a1\",\"name\":\"2b328487-162d-4034-b472-59f1d53684a1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let timeframe = 15m;\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(timeframe)\\n| where HttpUserAgentOriginal == \u0027\u0027\\n| extend Message = \\\"Empty User Agent\\\"\\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated\\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - Empty User Agent Detected\",\"description\":\"Rule helps to detect empty and unusual user agent indicating web browsing activity by an unusual process other than a web browser.\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a22740ec-fc1e-4c91-8de6-c29c6450ad00\",\"name\":\"a22740ec-fc1e-4c91-8de6-c29c6450ad00\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let aadFunc = (tableName:string){\\ntable(tableName)\\n| where ResultType == 500121\\n| where Status has \\\"MFA Denied; user declined the authentication\\\" or Status has \\\"MFA denied; Phone App Reported Fraud\\\"\\n| extend Type = Type\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress, URLCustomEntity = ClientAppUsed\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Explicit MFA Deny\",\"description\":\"User explicitly denies MFA push, indicating that login was not expected and the account\u0027s password may be compromised.\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2020-10-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}}]}", + "Content": "{\"value\":[{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/500c103a-0319-4d56-8e99-3cec8d860757\",\"name\":\"500c103a-0319-4d56-8e99-3cec8d860757\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.1.3\",\"severity\":\"Medium\",\"query\":\"let aadFunc = (tableName: string) {\\nlet failed_signins = table(tableName)\\n| where ResultType == \\\"50057\\\"\\n| where ResultDescription == \\\"User account is disabled. The account has been disabled by an administrator.\\\";\\nlet disabled_users = failed_signins | summarize by UserPrincipalName;\\ntable(tableName)\\n | where ResultType == 0\\n | where isnotempty(UserPrincipalName)\\n | where UserPrincipalName !in (disabled_users)\\n| summarize\\n successfulAccountsTargettedCount = dcount(UserPrincipalName),\\n successfulAccountSigninSet = make_set(UserPrincipalName, 100),\\n successfulApplicationSet = make_set(AppDisplayName, 100)\\n by IPAddress, Type\\n // Assume IPs associated with sign-ins from 100+ distinct user accounts are safe\\n | where successfulAccountsTargettedCount \u003c 50\\n | where isnotempty(successfulAccountsTargettedCount)\\n | join kind=inner (failed_signins\\n| summarize\\n StartTime = min(TimeGenerated),\\n EndTime = max(TimeGenerated),\\n totalDisabledAccountLoginAttempts = count(),\\n disabledAccountsTargettedCount = dcount(UserPrincipalName),\\n applicationsTargeted = dcount(AppDisplayName),\\n disabledAccountSet = make_set(UserPrincipalName, 100),\\n disabledApplicationSet = make_set(AppDisplayName, 100)\\nby IPAddress, Type\\n| order by totalDisabledAccountLoginAttempts desc) on IPAddress\\n| project StartTime, EndTime, IPAddress, totalDisabledAccountLoginAttempts, disabledAccountsTargettedCount, disabledAccountSet, disabledApplicationSet, successfulApplicationSet, successfulAccountsTargettedCount, successfulAccountSigninSet, Type\\n| order by totalDisabledAccountLoginAttempts};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\\n| join kind=leftouter (\\n BehaviorAnalytics\\n | where ActivityType in (\\\"FailedLogOn\\\", \\\"LogOn\\\")\\n | where EventSource =~ \\\"Azure AD\\\"\\n | project UsersInsights, DevicesInsights, ActivityInsights, InvestigationPriority, SourceIPAddress, UserPrincipalName\\n | project-rename IPAddress = SourceIPAddress\\n | summarize\\n Users = make_set(UserPrincipalName, 100),\\n UsersInsights = make_set(UsersInsights, 100),\\n DevicesInsights = make_set(DevicesInsights, 100),\\n IPInvestigationPriority = sum(InvestigationPriority)\\n by IPAddress\\n) on IPAddress\\n| extend SFRatio = toreal(toreal(disabledAccountsTargettedCount)/toreal(successfulAccountsTargettedCount))\\n| where SFRatio \u003e= 0.5\\n| sort by IPInvestigationPriority desc\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]}],\"tactics\":[\"InitialAccess\",\"Persistence\"],\"displayName\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts\",\"description\":\"Identifies IPs with failed attempts to sign in to one or more disabled accounts using the IP through which successful signins from other accounts have happened.\\nThis could indicate an attacker who obtained credentials for a list of accounts and is attempting to login with those accounts, some of which may have already been disabled.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50057 - User account is disabled. The account has been disabled by an administrator.\\nThis query has also been updated to include UEBA logs IdentityInfo and BehaviorAnalytics for contextual information around the results.\",\"lastUpdatedDateUTC\":\"2023-11-23T00:00:00Z\",\"createdDateUTC\":\"2019-02-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"BehaviorAnalytics\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e147e4dc-849c-49e9-9e8b-db4581951ff4\",\"name\":\"e147e4dc-849c-49e9-9e8b-db4581951ff4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"let baseline_time = 14d;\\nlet detection_time = 1h;\\nDynamics365Activity\\n| where TimeGenerated between(ago(baseline_time)..ago(detection_time))\\n| where UserType =~ \u0027admin\u0027\\n| extend Message = tostring(split(OriginalObjectId, \u0027 \u0027)[0])\\n| summarize by UserId\\n| join kind=rightanti\\n(Dynamics365Activity\\n| where TimeGenerated \u003e ago(detection_time)\\n| where UserType =~ \u0027admin\u0027)\\non UserId\\n| summarize Actions = make_set(Message), MostRecentAction = max(TimeGenerated), IPs=make_set(ClientIP), UserAgents = make_set(UserAgent) by UserId\\n| extend timestamp = MostRecentAction, AccountCustomEntity = UserId\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"New Dynamics 365 Admin Activity\",\"description\":\"Detects users conducting administrative activity in Dynamics 365 where they have not had admin rights before.\",\"lastUpdatedDateUTC\":\"2022-12-12T00:00:00Z\",\"createdDateUTC\":\"2021-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Dynamics365\",\"dataTypes\":[\"Dynamics365Activity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ba144bf8-75b8-406f-9420-ed74397f9479\",\"name\":\"ba144bf8-75b8-406f-9420-ed74397f9479\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Medium\",\"query\":\"//Set a threshold of failed AAD signins from an IP address within 1 day above which we want to deem those logins suspicious.\\nlet signin_threshold = 5; \\n//Make a list of IPs with AAD signin failures above our threshold.\\nlet aadFunc = (tableName:string){\\nlet suspicious_signins = \\n table(tableName)\\n //Looking for logon failure results\\n | where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n //Exclude localhost addresses to reduce the chance of FPs\\n | where IPAddress !in (\\\"127.0.0.1\\\", \\\"::1\\\")\\n | summarize count() by IPAddress\\n | where count_ \u003e signin_threshold\\n | summarize make_set(IPAddress);\\n suspicious_signins\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nlet suspicious_signins = \\nunion isfuzzy=true aadSignin, aadNonInt\\n| summarize make_set(set_IPAddress);\\n//See if any of those IPs have sucessfully logged into PA VPNs during the same timeperiod\\nCommonSecurityLog\\n //Select only PA VPN sucessful logons\\n | where DeviceVendor == \\\"Palo Alto Networks\\\" and DeviceEventClassID == \\\"globalprotect\\\"\\n | where Message has \\\"GlobalProtect gateway user authentication succeeded\\\"\\n //Parse out the logon source IP from the Message field to match on\\n | extend SourceIP = extract(\\\"Login from: ([^,]+)\\\", 1, Message) \\n | where SourceIP in (suspicious_signins)\\n | extend Reason = \\\"Multiple failed AAD logins from SourceIP\\\"\\n //Parse out other useful information from Message field\\n | extend User = extract(\u0027User name: ([^,]+)\u0027, 1, Message) \\n | extend ClientOS = extract(\u0027Client OS version: ([^,\\\\\\\"]+)\u0027, 1, Message)\\n | extend Location = extract(\u0027Source region: ([^,]{2})\u0027,1, Message)\\n | project TimeGenerated, Reason, SourceIP, User, ClientOS, Location, Message, DeviceName, ReceiptTime, DeviceVendor, DeviceEventClassID, Computer, FileName\\n | extend timestamp = TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"User\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"DeviceName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]}],\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"IP with multiple failed Microsoft Entra ID logins successfully logs in to Palo Alto VPN\",\"description\":\"This query creates a list of IP addresses with the number of failed login attempts to Entra ID \\nabove a set threshold ( default of 5 ). It then looks for any successful Palo Alto VPN logins from any of these IPs within the same timeframe.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2019-09-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/24f8c234-d1ff-40ec-8b73-96b17a3a9c1c\",\"name\":\"24f8c234-d1ff-40ec-8b73-96b17a3a9c1c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.8\",\"severity\":\"Low\",\"query\":\"let DistinctSecretsThreshold = 10;\\nlet EventCountThreshold = 50;\\n// To avoid any False Positives, filtering using AppId is recommended.\\n// The AppId 509e4652-da8d-478d-a730-e9d4a1996ca4 has been added in the query as it corresponds to Azure Resource Graph performing VaultGet operations for indexing and syncing all tracked resources across Azure.\\n// The AppId 8cae6e77-e04e-42ce-b5cb-50d82bce26b1 has been added as it correspond to Microsoft Policy Insights Provider Data Plane performing VaultGet operations for policies checks.\\nlet AllowedAppId = dynamic([\\\"509e4652-da8d-478d-a730-e9d4a1996ca4\\\",\\\"8cae6e77-e04e-42ce-b5cb-50d82bce26b1\\\"]);\\nlet OperationList = dynamic([\\\"SecretGet\\\", \\\"KeyGet\\\", \\\"VaultGet\\\"]);\\nAzureDiagnostics\\n| where OperationName in (OperationList) and ResourceType =~ \\\"VAULTS\\\"\\n| where not(identity_claim_appid_g in (AllowedAppId) and OperationName == \u0027VaultGet\u0027)\\n| extend\\n ResourceId,\\n ResultType = column_ifexists(\\\"ResultType\\\", \\\"\\\"),\\n identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = column_ifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"\\\"),\\n identity_claim_http_schemas_xmlsoap_org_ws_2005_05_identity_claims_upn_s = column_ifexists(\\\"identity_claim_http_schemas_xmlsoap_org_ws_2005_05_identity_claims_upn_s\\\", \\\"\\\"),\\n identity_claim_oid_g = column_ifexists(\\\"identity_claim_oid_g\\\", \\\"\\\"),\\n identity_claim_upn_s = column_ifexists(\\\"identity_claim_upn_s\\\", \\\"\\\")\\n| extend\\n CallerObjectId = iff(isempty(identity_claim_oid_g), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, identity_claim_oid_g),\\n CallerObjectUPN = iff(isempty(identity_claim_upn_s), identity_claim_http_schemas_xmlsoap_org_ws_2005_05_identity_claims_upn_s, identity_claim_upn_s)\\n| as _Retrievals\\n| where CallerObjectId in (toscalar(\\n _Retrievals\\n | where ResultType == \\\"Success\\\"\\n | summarize Count = dcount(requestUri_s) by OperationName, CallerObjectId\\n | where Count \u003e DistinctSecretsThreshold\\n | summarize make_set(CallerObjectId,10000)\\n))\\n| extend\\n requestUri_s = column_ifexists(\\\"requestUri_s\\\", \\\"\\\"),\\n id_s = column_ifexists(\\\"id_s\\\", \\\"\\\"),\\n CallerIPAddress = column_ifexists(\\\"CallerIPAddress\\\", \\\"\\\"),\\n clientInfo_s = column_ifexists(\\\"clientInfo_s\\\", \\\"\\\")\\n| summarize\\n EventCount = count(),\\n StartTime = min(TimeGenerated),\\n EndTime = max(TimeGenerated),\\n ResourceList = make_set(Resource, 50),\\n OperationNameList = make_set(OperationName, 50),\\n RequestURLList = make_set(requestUri_s, 50),\\n ResourceId = max(ResourceId),\\n CallerIPList = make_set(CallerIPAddress, 50),\\n clientInfo_sList = make_set(clientInfo_s, 50),\\n CallerIPMax = max(CallerIPAddress)\\n by ResourceType, ResultType, identity_claim_appid_g, CallerObjectId, CallerObjectUPN\\n | where EventCount \u003e EventCountThreshold\\n| project-reorder StartTime, EndTime, EventCount, ResourceId,ResourceType,identity_claim_appid_g, CallerObjectId, CallerObjectUPN, ResultType, ResourceList, OperationNameList, RequestURLList, CallerIPList, clientInfo_sList\\n| extend timestamp = EndTime\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"CallerObjectId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"CallerIPMax\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Mass secret retrieval from Azure Key Vault\",\"description\":\"Identifies mass secret retrieval from Azure Key Vault observed by a single user. \\nMass secret retrival crossing a certain threshold is an indication of credential dump operations or mis-configured applications. \\nYou can tweak the EventCountThreshold based on average count seen in your environment and also filter any known sources (IP/Account) and useragent combinations based on historical analysis to further reduce noise\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2019-07-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureKeyVault\",\"dataTypes\":[\"KeyVaultData\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a7564d76-ec6b-4519-a66b-fcc80c42332b\",\"name\":\"a7564d76-ec6b-4519-a66b-fcc80c42332b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.7\",\"severity\":\"Medium\",\"query\":\"let WellKnownLocalSID = \\\"S-1-5-32-5[0-9][0-9]$\\\";\\nlet WellKnownGroupSID = \\\"S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\\\";\\nlet GroupAddition = (union isfuzzy=true \\n(SecurityEvent \\n// 4728 - A member was added to a security-enabled global group\\n// 4732 - A member was added to a security-enabled local group\\n// 4756 - A member was added to a security-enabled universal group \\n| where EventID in (\\\"4728\\\", \\\"4732\\\", \\\"4756\\\")\\n| where AccountType =~ \\\"User\\\"\\n// Exclude Remote Desktop Users group: S-1-5-32-555\\n| where TargetSid !in (\\\"S-1-5-32-555\\\")\\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID\\n| project GroupAddTime = TimeGenerated, GroupAddEventID = EventID, GroupAddActivity = Activity, GroupAddComputer = Computer, \\nGroupAddTargetAccount = TargetAccount, GroupAddTargetUserName = TargetUserName, GroupAddTargetDomainName = TargetDomainName, GroupAddTargetSid = TargetSid, \\nGroupAddSubjectAccount = SubjectAccount, GroupAddSubjectUserName = SubjectUserName, GroupAddSubjectDomainName = SubjectDomainName, GroupAddSubjectUserSid = SubjectUserSid, \\nGroupSid = MemberSid\\n),\\n(\\nWindowsEvent \\n// 4728 - A member was added to a security-enabled global group\\n// 4732 - A member was added to a security-enabled local group\\n// 4756 - A member was added to a security-enabled universal group \\n| where EventID in (\\\"4728\\\", \\\"4732\\\", \\\"4756\\\") and not(EventData has \\\"S-1-5-32-555\\\")\\n| extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend AccountType=case(Account endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n| extend MemberName = tostring(EventData.MemberName)\\n| where AccountType =~ \\\"User\\\"\\n// Exclude Remote Desktop Users group: S-1-5-32-555\\n| extend TargetSid = tostring(EventData.TargetSid)\\n| where TargetSid !in (\\\"S-1-5-32-555\\\")\\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID\\n| extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| extend MemberSid = tostring(EventData.MemberSid)\\n| extend Activity= \\\"GroupAddActivity\\\"\\n| project GroupAddTime = TimeGenerated, GroupAddEventID = EventID, GroupAddActivity = Activity, GroupAddComputer = Computer, \\nGroupAddTargetAccount = TargetAccount, GroupAddTargetUserName = tostring(EventData.TargetUserName), GroupAddTargetDomainName = tostring(EventData.TargetDomainName), GroupAddTargetSid = TargetSid, \\nGroupAddSubjectAccount = Account, GroupAddSubjectUserName = tostring(EventData.SubjectUserName), GroupAddSubjectDomainName = tostring(EventData.SubjectDomainName), GroupAddSubjectUserSid = SubjectUserSid, \\nGroupSid = MemberSid\\n));\\nlet GroupCreated = (union isfuzzy=true \\n(SecurityEvent\\n// 4727 - A security-enabled global group was created\\n// 4731 - A security-enabled local group was created\\n// 4754 - A security-enabled universal group was created\\n| where EventID in (\\\"4727\\\", \\\"4731\\\", \\\"4754\\\")\\n| where AccountType =~ \\\"User\\\"\\n| project GroupCreateTime = TimeGenerated, GroupCreateEventID = EventID, GroupCreateActivity = Activity, GroupCreateComputer = Computer, \\nGroupCreateTargetAccount = TargetAccount, GroupCreateTargetUserName = TargetUserName, GroupCreateTargetDomainName = TargetDomainName,\\nGroupCreateSubjectAccount = SubjectAccount, GroupCreateSubjectUserName = SubjectUserName, GroupCreateSubjectDomainName = SubjectDomainName, GroupCreateSubjectUserSid = SubjectUserSid, \\nGroupSid = TargetSid\\n),\\n(WindowsEvent\\n// 4727 - A security-enabled global group was created\\n// 4731 - A security-enabled local group was created\\n// 4754 - A security-enabled universal group was created\\n| where EventID in (\\\"4727\\\", \\\"4731\\\", \\\"4754\\\")\\n| extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend AccountType=case(Account endswith \\\"$\\\", \\\"Machine\\\", iff(SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", iff(isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")))\\n| where AccountType =~ \\\"User\\\"\\n| extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| extend SubjectAccount = strcat(EventData.SubjectDomainName,\\\"\\\\\\\\\\\", EventData.SubjectUserName) \\n| extend TargetSid = tostring(EventData.TargetSid) \\n| extend Activity= \\\"GroupAddActivity\\\"\\n| project GroupCreateTime = TimeGenerated, GroupCreateEventID = EventID, GroupCreateActivity = Activity, GroupCreateComputer = Computer, \\nGroupCreateTargetAccount = TargetAccount, GroupCreateTargetUserName = tostring(EventData.TargetUserName), GroupCreateTargetDomainName = tostring(EventData.TargetDomainName), \\nGroupCreateSubjectAccount = SubjectAccount, GroupCreateSubjectUserName = tostring(EventData.SubjectUserName), GroupCreateSubjectDomainName = tostring(EventData.SubjectDomainName),GroupCreateSubjectUserSid = SubjectUserSid, \\nGroupSid = TargetSid\\n));\\nGroupCreated\\n| join (\\nGroupAddition\\n) on GroupSid\\n| extend GroupCreateHostName = tostring(split(GroupCreateComputer , \\\".\\\")[0]), DomainIndex = toint(indexof(GroupCreateComputer , \u0027.\u0027))\\n| extend GroupCreateHostNameDomain = iff(DomainIndex != -1, substring(GroupCreateComputer , DomainIndex + 1), GroupCreateComputer)\\n| extend GroupAddHostName = tostring(split(GroupAddComputer , \\\".\\\")[0]), DomainIndex = toint(indexof(GroupAddComputer , \u0027.\u0027))\\n| extend GroupAddHostNameDomain = iff(DomainIndex != -1, substring(GroupAddComputer , DomainIndex + 1), GroupAddComputer)\\n| project-away DomainIndex\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"GroupCreateSubjectAccount\"},{\"identifier\":\"Name\",\"columnName\":\"GroupCreateSubjectUserName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"GroupCreateSubjectDomainName\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"GroupCreateTargetAccount\"},{\"identifier\":\"Name\",\"columnName\":\"GroupAddSubjectUserName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"GroupAddSubjectDomainName\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"GroupCreateComputer\"},{\"identifier\":\"HostName\",\"columnName\":\"GroupCreateHostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"GroupCreateHostNameDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"GroupAddComputer\"},{\"identifier\":\"HostName\",\"columnName\":\"GroupAddHostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"GroupAddHostNameDomain\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Group created then added to built in domain local or global group\",\"description\":\"Identifies when a recently created Group was added to a privileged built in domain local group or global group such as the Enterprise Admins, Cert Publishers or DnsAdmins. Be sure to verify this is an expected addition.\\nReferences: For AD SID mappings - https://docs.microsoft.com/windows/security/identity-protection/access-control/active-directory-security-groups.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c0e84221-f240-4dd7-ab1e-37e034ea2a4e\",\"name\":\"c0e84221-f240-4dd7-ab1e-37e034ea2a4e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"Medium\",\"query\":\"union isfuzzy=true\\n(DeviceFileEvents\\n| where FolderPath endswith \\\"vmware-vmdmp.log\\\"\\n| extend HostCustomEntity = DeviceName, timestamp=TimeGenerated),\\n(WindowsEvent\\n| where EventID == 4663 and EventData has \\\"vmware-vmdmp.log\\\"\\n| extend ObjectName = tostring(EventData.ObjectName) \\n| where ObjectName endswith \\\"vmware-vmdmp.log\\\"\\n| extend HostCustomEntity = Computer, timestamp=TimeGenerated),\\n(SecurityEvent\\n| where EventID == 4663\\n| where ObjectName endswith \\\"vmware-vmdmp.log\\\"\\n| extend HostCustomEntity = Computer, timestamp=TimeGenerated),\\n(imFileEvent\\n| where TargetFileName endswith \\\"vmware-vmdmp.log\\\"\\n| extend HostCustomEntity = DvcHostname, timestamp=TimeGenerated\\n)\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"[Deprecated] - SUNSPOT log file creation\",\"description\":\"This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft\u0027s Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/972c89fa-c969-4d12-932f-04d55d145299\",\"name\":\"972c89fa-c969-4d12-932f-04d55d145299\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"High\",\"query\":\"( union isfuzzy=true\\n(SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| extend FileName = Process, ProcessCommandLine = CommandLine\\n| where (FileName in~(\u0027control.exe\u0027,\u0027rundll32.exe\u0027) and ProcessCommandLine has \u0027.cpl:\u0027)\\n or ProcessCommandLine matches regex @\u0027\\\\\\\".[a-zA-Z]{2,4}:\\\\.\\\\.\\\\/\\\\.\\\\.\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(DeviceProcessEvents\\n| where (FileName in~(\u0027control.exe\u0027,\u0027rundll32.exe\u0027) and ProcessCommandLine has \u0027.cpl:\u0027)\\nor ProcessCommandLine matches regex @\u0027\\\\\\\".[a-zA-Z]{2,4}:\\\\.\\\\.\\\\/\\\\.\\\\.\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountUpn, HostCustomEntity = DeviceName\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1 \\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| extend Image = column_ifexists(\\\"Image\\\", \\\"\\\"), ProcessCommandLine = column_ifexists(\\\"CommandLine\\\", \\\"\\\")\\n| extend FileName = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n| where (FileName in~(\u0027control.exe\u0027,\u0027rundll32.exe\u0027) and ProcessCommandLine has \u0027.cpl:\u0027)\\n or ProcessCommandLine matches regex @\u0027\\\\\\\".[a-zA-Z]{2,4}:\\\\.\\\\.\\\\/\\\\.\\\\.\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"[Deprecated] - MSHTML vulnerability CVE-2021-40444 attack\",\"description\":\"This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft\u0027s Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2021-09-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/56b0a0cd-894e-4b38-a0a1-c41d9f96649a\",\"name\":\"56b0a0cd-894e-4b38-a0a1-c41d9f96649a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Low\",\"query\":\"let lbtime = 1h;\\nlet tls_ciphers = dynamic([\u0027RC4-SHA\u0027, \u0027DES-CBC3-SHA\u0027]);\\nProofpointPOD\\n| where EventType == \u0027message\u0027\\n| where TlsCipher in (tls_ciphers)\\n| extend IPCustomEntity = SrcIpAddr\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"ProofpointPOD - Weak ciphers\",\"description\":\"Detects when weak TLS ciphers are used.\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5239248b-abfb-4c6a-8177-b104ade5db56\",\"name\":\"5239248b-abfb-4c6a-8177-b104ade5db56\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.8\",\"severity\":\"Medium\",\"query\":\"let RunCommandData = materialize ( AzureActivity\\n// Isolate run command actions\\n| where OperationNameValue =~ \\\"Microsoft.Compute/virtualMachines/runCommand/action\\\"\\n// Confirm that the operation impacted a virtual machine\\n| where Authorization has \\\"virtualMachines\\\"\\n// Each runcommand operation consists of three events when successful, StartTimeed, Accepted (or Rejected), Successful (or Failed).\\n| summarize StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), max(CallerIpAddress), make_list(ActivityStatusValue) by CorrelationId, Authorization, Caller\\n// Limit to Run Command executions that Succeeded\\n| where list_ActivityStatusValue has_any (\\\"Succeeded\\\", \\\"Success\\\")\\n// Extract data from the Authorization field, allowing us to later extract the Caller (UPN) and CallerIpAddress\\n| extend Authorization_d = parse_json(Authorization)\\n| extend Scope = Authorization_d.scope\\n| extend Scope_s = split(Scope, \\\"/\\\")\\n| extend Subscription = tostring(Scope_s[2])\\n| extend VirtualMachineName = tostring(Scope_s[-1])\\n| project StartTime, EndTime, Subscription, VirtualMachineName, CorrelationId, Caller, CallerIpAddress=max_CallerIpAddress, Scope\\n| join kind=leftouter (\\n DeviceFileEvents\\n | where InitiatingProcessFileName == \\\"RunCommandExtension.exe\\\"\\n | extend VirtualMachineName = tostring(split(DeviceName, \\\".\\\")[0])\\n | project VirtualMachineName, PowershellFileCreatedTimestamp=TimeGenerated, FileName, FileSize, InitiatingProcessAccountName, InitiatingProcessAccountDomain, InitiatingProcessFolderPath, InitiatingProcessId\\n) on VirtualMachineName\\n// We need to filter by time sadly, this is the only way to link events\\n| where PowershellFileCreatedTimestamp between (StartTime .. EndTime)\\n| project StartTime, EndTime, PowershellFileCreatedTimestamp, VirtualMachineName, Caller, CallerIpAddress, FileName, FileSize, InitiatingProcessId, InitiatingProcessAccountDomain, InitiatingProcessFolderPath, Scope\\n| join kind=inner(\\n DeviceEvents\\n | extend VirtualMachineName = tostring(split(DeviceName, \\\".\\\")[0])\\n | where InitiatingProcessCommandLine has \\\"-File\\\"\\n // Extract the script name based on the structure used by the RunCommand extension\\n | extend PowershellFileName = extract(@\\\"\\\\-File\\\\s(script[0-9]{1,9}\\\\.ps1)\\\", 1, InitiatingProcessCommandLine)\\n // Discard results that didn\u0027t successfully extract, these are not run command related\\n | where isnotempty(PowershellFileName)\\n | extend PSCommand = tostring(parse_json(AdditionalFields).Command)\\n // The first execution of PowerShell will be the RunCommand script itself, we can discard this as it will break our hash later\\n | where PSCommand != PowershellFileName \\n // Now we normalise the cmdlets, we\u0027re aiming to hash them to find scripts using rare combinations\\n | extend PSCommand = toupper(PSCommand)\\n | order by PSCommand asc\\n | summarize PowershellExecStartTime=min(TimeGenerated), PowershellExecEnd=max(TimeGenerated), make_list(PSCommand) by PowershellFileName, InitiatingProcessCommandLine\\n) on $left.FileName == $right.PowershellFileName\\n| project StartTime, EndTime, PowershellFileCreatedTimestamp, PowershellExecStartTime, PowershellExecEnd, PowershellFileName, PowershellScriptCommands=list_PSCommand, Caller, CallerIpAddress, InitiatingProcessCommandLine, PowershellFileSize=FileSize, VirtualMachineName, Scope\\n| order by StartTime asc \\n// We generate the hash based on the cmdlets called and the size of the powershell script\\n| extend TempFingerprintString = strcat(PowershellScriptCommands, PowershellFileSize)\\n| extend ScriptFingerprintHash = hash_sha256(tostring(PowershellScriptCommands)));\\nlet totals = toscalar (RunCommandData\\n| summarize count());\\nlet hashTotals = RunCommandData\\n| summarize HashCount=count() by ScriptFingerprintHash;\\nRunCommandData\\n| join kind=leftouter (\\nhashTotals\\n) on ScriptFingerprintHash\\n// Calculate prevalence, while we don\u0027t need this, it may be useful for responders to know how rare this script is in relation to normal activity\\n| extend Prevalence = toreal(HashCount) / toreal(totals) * 100\\n// Where the hash was only ever seen once.\\n| where HashCount == 1\\n| extend timestamp = StartTime\\n| extend CallerName = tostring(split(Caller, \\\"@\\\")[0]), CallerUPNSuffix = tostring(split(Caller, \\\"@\\\")[1])\\n| project timestamp, StartTime, EndTime, PowershellFileName, VirtualMachineName, Caller, CallerName, CallerUPNSuffix, CallerIpAddress, PowershellScriptCommands, PowershellFileSize, ScriptFingerprintHash, Prevalence, Scope\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Caller\"},{\"identifier\":\"Name\",\"columnName\":\"CallerName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"CallerUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"CallerIpAddress\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"VirtualMachineName\"},{\"identifier\":\"AzureID\",\"columnName\":\"Scope\"}]}],\"tactics\":[\"LateralMovement\",\"Execution\"],\"displayName\":\"Azure VM Run Command operations executing a unique PowerShell script\",\"description\":\"Identifies when Azure Run command is used to execute a PowerShell script on a VM that is unique.\\nThe uniqueness of the PowerShell script is determined by taking a combined hash of the cmdLets it imports and the file size of the PowerShell script. Alerts from this detection indicate a unique PowerShell was executed in your environment.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2021-10-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\",\"DeviceEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/70b12a3b-4899-42cb-910c-5ffaf9d7997d\",\"name\":\"70b12a3b-4899-42cb-910c-5ffaf9d7997d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"0.ns1.dns-info.gq\\\", \\\"1.ns1.dns-info.gq\\\", \\\"10.ns1.dns-info.gq\\\", \\\"102.ns1.dns-info.gq\\\", \\n \\\"104.ns1.dns-info.gq\\\", \\\"11.ns1.dns-info.gq\\\", \\\"110.ns1.dns-info.gq\\\", \\\"115.ns1.dns-info.gq\\\", \\\"116.ns1.dns-info.gq\\\", \\n \\\"117.ns1.dns-info.gq\\\", \\\"118.ns1.dns-info.gq\\\", \\\"12.ns1.dns-info.gq\\\", \\\"120.ns1.dns-info.gq\\\", \\\"122.ns1.dns-info.gq\\\", \\n \\\"123.ns1.dns-info.gq\\\", \\\"128.ns1.dns-info.gq\\\", \\\"13.ns1.dns-info.gq\\\", \\\"134.ns1.dns-info.gq\\\", \\\"135.ns1.dns-info.gq\\\", \\n \\\"138.ns1.dns-info.gq\\\", \\\"14.ns1.dns-info.gq\\\", \\\"144.ns1.dns-info.gq\\\", \\\"15.ns1.dns-info.gq\\\", \\\"153.ns1.dns-info.gq\\\", \\n \\\"157.ns1.dns-info.gq\\\", \\\"16.ns1.dns-info.gq\\\", \\\"17.ns1.dns-info.gq\\\", \\\"18.ns1.dns-info.gq\\\", \\\"19.ns1.dns-info.gq\\\", \\n \\\"1a9604fa.ns1.feedsdns.com\\\", \\\"1c7606b6.ns1.steamappstore.com\\\", \\\"2.ns1.dns-info.gq\\\", \\\"20.ns1.dns-info.gq\\\", \\n \\\"201.ns1.dns-info.gq\\\", \\\"202.ns1.dns-info.gq\\\", \\\"204.ns1.dns-info.gq\\\", \\\"207.ns1.dns-info.gq\\\", \\\"21.ns1.dns-info.gq\\\", \\n \\\"210.ns1.dns-info.gq\\\", \\\"211.ns1.dns-info.gq\\\", \\\"216.ns1.dns-info.gq\\\", \\\"22.ns1.dns-info.gq\\\", \\\"220.ns1.dns-info.gq\\\", \\n \\\"223.ns1.dns-info.gq\\\", \\\"23.ns1.dns-info.gq\\\", \\\"24.ns1.dns-info.gq\\\", \\\"25.ns1.dns-info.gq\\\", \\\"26.ns1.dns-info.gq\\\", \\n \\\"27.ns1.dns-info.gq\\\", \\\"28.ns1.dns-info.gq\\\", \\\"29.ns1.dns-info.gq\\\", \\\"3.ns1.dns-info.gq\\\", \\\"30.ns1.dns-info.gq\\\", \\n \\\"31.ns1.dns-info.gq\\\", \\\"32.ns1.dns-info.gq\\\", \\\"33.ns1.dns-info.gq\\\", \\\"34.ns1.dns-info.gq\\\", \\\"35.ns1.dns-info.gq\\\", \\n \\\"36.ns1.dns-info.gq\\\", \\\"37.ns1.dns-info.gq\\\", \\\"39.ns1.dns-info.gq\\\", \\\"3d6fe4b2.ns1.steamappstore.com\\\", \\n \\\"4.ns1.dns-info.gq\\\", \\\"40.ns1.dns-info.gq\\\", \\\"42.ns1.dns-info.gq\\\", \\\"43.ns1.dns-info.gq\\\", \\\"44.ns1.dns-info.gq\\\", \\n \\\"45.ns1.dns-info.gq\\\", \\\"46.ns1.dns-info.gq\\\", \\\"48.ns1.dns-info.gq\\\", \\\"5.ns1.dns-info.gq\\\", \\\"50.ns1.dns-info.gq\\\", \\n \\\"50417.service.gstatic.dnset.com\\\", \\\"51.ns1.dns-info.gq\\\", \\\"52.ns1.dns-info.gq\\\", \\\"53.ns1.dns-info.gq\\\",\\n \\\"54.ns1.dns-info.gq\\\", \\\"55.ns1.dns-info.gq\\\", \\\"56.ns1.dns-info.gq\\\", \\\"57.ns1.dns-info.gq\\\", \\\"58.ns1.dns-info.gq\\\", \\n \\\"6.ns1.dns-info.gq\\\", \\\"60.ns1.dns-info.gq\\\", \\\"62.ns1.dns-info.gq\\\", \\\"63.ns1.dns-info.gq\\\", \\\"64.ns1.dns-info.gq\\\", \\n \\\"65.ns1.dns-info.gq\\\", \\\"67.ns1.dns-info.gq\\\", \\\"7.ns1.dns-info.gq\\\", \\\"70.ns1.dns-info.gq\\\", \\\"71.ns1.dns-info.gq\\\",\\n \\\"73.ns1.dns-info.gq\\\", \\\"77.ns1.dns-info.gq\\\", \\\"77075.service.gstatic.dnset.com\\\", \\\"7c1947fa.ns1.steamappstore.com\\\",\\n \\\"8.ns1.dns-info.gq\\\", \\\"81.ns1.dns-info.gq\\\", \\\"86.ns1.dns-info.gq\\\", \\\"87.ns1.dns-info.gq\\\", \\\"9.ns1.dns-info.gq\\\", \\n \\\"94343.service.gstatic.dnset.com\\\", \\\"9939.service.gstatic.dnset.com\\\", \\\"aa.ns.mircosoftdoc.com\\\", \\n \\\"aaa.feeds.api.ns1.feedsdns.com\\\", \\\"aaa.googlepublic.feeds.ns1.dns-info.gq\\\", \\n \\\"aaa.resolution.174547._get.cache.up.sourcedns.tk\\\", \\\"acc.microsoftonetravel.com\\\", \\n \\\"accounts.longmusic.com\\\", \\\"admin.dnstemplog.com\\\", \\\"agent.updatenai.com\\\", \\n \\\"alibaba.zzux.com\\\", \\\"api.feedsdns.com\\\", \\\"app.portomnail.com\\\", \\\"asia.updatenai.com\\\", \\n \\\"battllestategames.com\\\", \\\"bguha.serveuser.com\\\", \\\"binann-ce.com\\\", \\\"bing.dsmtp.com\\\", \\n \\\"blog.cdsend.xyz\\\", \\\"brives.minivineyapp.com\\\", \\\"bsbana.dynamic-dns.net\\\", \\n \\\"californiaforce.000webhostapp.com\\\", \\\"californiafroce.000webhostapp.com\\\", \\n \\\"cdn.freetcp.com\\\", \\\"cdsend.xyz\\\", \\\"cipla.zzux.com\\\", \\\"cloudfeeddns.com\\\", \\\"comcleanner.info\\\",\\n \\\"cs.microsoftsonline.net\\\", \\\"dns-info.gq\\\", \\\"dns05.cf\\\", \\\"dns22.ml\\\", \\\"dns224.com\\\", \\n \\\"dnsdist.org\\\", \\\"dnstemplog.com\\\", \\\"doc.mircosoftdoc.com\\\", \\\"dropdns.com\\\", \\n \\\"eshop.cdn.freetcp.com\\\", \\\"exchange.dumb1.com\\\", \\\"exchange.misecure.com\\\", \\\"exchange.mrbasic.com\\\",\\n \\\"facebookdocs.com\\\", \\\"facebookint.com\\\", \\\"facebookvi.com\\\", \\\"feed.ns1.dns-info.gq\\\", \\\"feedsdns.com\\\", \\n \\\"firejun.freeddns.com\\\", \\\"ftp.dns-info.dyndns.pro\\\", \\\"goallbandungtravel.com\\\", \\\"goodhk.azurewebsites.net\\\", \\n \\\"googlepublic.feed.ns1.dns-info.gq\\\", \\\"gp.spotifylite.cloud\\\", \\\"gskytop.com\\\", \\\"gstatic.dnset.com\\\", \\n \\\"gxxservice.com\\\", \\\"helpdesk.cdn.freetcp.com\\\", \\\"id.serveuser.com\\\", \\\"infestexe.com\\\", \\\"item.itemdb.com\\\",\\n \\\"m.mircosoftdoc.com\\\", \\\"mail.transferdkim.xyz\\\", \\\"mcafee.updatenai.com\\\", \\\"mecgjm.mircosoftdoc.com\\\",\\n \\\"microdocs.ga\\\", \\\"microsock.website\\\", \\\"microsocks.net\\\", \\\"microsoft.sendsmtp.com\\\", \\n \\\"microsoftbook.dns05.com\\\", \\\"microsoftcontactcenter.com\\\", \\\"microsoftdocs.dns05.com\\\", \\\"microsoftdocs.ml\\\", \\n \\\"microsoftonetravel.com\\\", \\\"microsoftonlines.net\\\", \\\"microsoftprod.com\\\", \\\"microsofts.dns1.us\\\", \\\"microsoftsonline.net\\\",\\n \\\"minivineyapp.com\\\", \\\"mircosoftdoc.com\\\", \\\"mircosoftdocs.com\\\", \\\"mlcrosoft.ninth.biz\\\", \\\"mlcrosoft.site\\\", \\n \\\"mm.portomnail.com\\\", \\\"msdnupdate.com\\\", \\\"msecdn.cloud\\\", \\\"mtnl1.dynamic-dns.net\\\", \\\"ns.gstatic.dnset.com\\\", \\n \\\"ns.microsoftprod.com\\\", \\\"ns.steamappstore.com\\\", \\\"ns1.cdn.freetcp.com\\\", \\\"ns1.comcleanner.info\\\", \\\"ns1.dns-info.gq\\\", \\n \\\"ns1.dns05.cf\\\", \\\"ns1.dnstemplog.com\\\", \\\"ns1.dropdns.com\\\", \\\"ns1.microsoftonetravel.com\\\", \\n \\\"ns1.microsoftonlines.net\\\", \\\"ns1.microsoftprod.com\\\", \\\"ns1.microsoftsonline.net\\\", \\\"ns1.mlcrosoft.site\\\", \\n \\\"ns1.teams.wikaba.com\\\", \\\"ns1.windowsdefende.com\\\", \\\"ns2.comcleanner.info\\\", \\\"ns2.dnstemplog.com\\\", \\n \\\"ns2.microsoftonetravel.com\\\", \\\"ns2.microsoftprod.com\\\", \\\"ns2.microsoftsonline.net\\\", \\\"ns2.mlcrosoft.site\\\", \\n \\\"ns2.windowsdefende.com\\\", \\\"ns3.microsoftprod.com\\\", \\\"ns3.mlcrosoft.site\\\", \\\"nutrition.mrbasic.com\\\", \\n \\\"nutrition.youdontcare.com\\\", \\\"online.mlcrosoft.site\\\", \\\"online.msdnupdate.com\\\", \\\"outlookservce.site\\\", \\n \\\"owa.jetos.com\\\", \\\"owa.otzo.com\\\", \\\"pornotime.co\\\", \\\"portomnail.com\\\", \\n \\\"post.1a0.066e063ac.7c1947fa.ns1.steamappstore.com\\\", \\\"pricingdmdk.com\\\", \\\"prod.microsoftprod.com\\\", \\n \\\"product.microsoftprod.com\\\", \\\"ptcl.yourtrap.com\\\", \\\"query.api.sourcedns.tk\\\", \\\"rb.itemdb.com\\\", \\\"redditcdn.com\\\", \\n \\\"rss.otzo.com\\\", \\\"secure.msdnupdate.com\\\", \\\"service.dns22.ml\\\", \\\"service.gstatic.dnset.com\\\", \\\"service04.dns04.com\\\", \\n \\\"settings.teams.wikaba.com\\\", \\\"sip.outlookservce.site\\\", \\\"sixindent.epizy.com\\\", \\\"soft.msdnupdate.com\\\", \\\"sourcedns.ml\\\", \\n \\\"sourcedns.tk\\\", \\\"sport.msdnupdate.com\\\", \\\"spotifylite.cloud\\\", \\\"static.misecure.com\\\", \\\"steamappstore.com\\\", \\n \\\"store.otzo.com\\\", \\\"survey.outlookservce.site\\\", \\\"team.itemdb.com\\\", \\\"temp221.com\\\", \\\"test.microsoftprod.com\\\", \\n \\\"thisisaaa.000webhostapp.com\\\", \\\"token.dns04.com\\\", \\\"token.dns05.com\\\", \\\"transferdkim.xyz\\\", \\n \\\"travelsanignacio.com\\\", \\\"update08.com\\\", \\\"updated08.com\\\", \\\"updatenai.com\\\", \\\"wantforspeed.com\\\",\\n \\\"web.mircosoftdoc.com\\\", \\\"webmail.pornotime.co\\\", \\\"webwhois.team.itemdb.com\\\", \\\"windowsdefende.com\\\", \\\"wnswindows.com\\\",\\n \\\"ashcrack.freetcp.com\\\", \\\"battllestategames.com\\\", \\\"binannce.com\\\", \\\"cdsend.xyz\\\", \\\"comcleanner.info\\\", \\\"microsock.website\\\", \\n \\\"microsocks.net\\\", \\\"microsoftsonline.net\\\", \\\"mlcrosoft.site\\\", \\\"notify.serveuser.com\\\", \\\"ns1.microsoftprod.com\\\", \\n \\\"ns2.microsoftprod.com\\\", \\\"pricingdmdk.com\\\", \\\"steamappstore.com\\\", \\\"update08.com\\\", \\\"wnswindows.com\\\", \\n \\\"youtube.dns05.com\\\", \\\"z1.zalofilescdn.com\\\", \\\"z2.zalofilescdn.com\\\", \\\"zalofilescdn.com\\\"]); \\n(union isfuzzy=true \\n (CommonSecurityLog \\n | parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n | where DNSName in~ (DomainNames) \\n | extend Account = SourceUserID, Computer = DeviceName, IPAddress = DestinationIP \\n ), \\n (_Im_Dns (domain_has_any=DomainNames)\\n | extend DNSName = DnsQuery \\n | extend IPAddress = SrcIpAddr, Computer = Dvc\\n ), \\n (_Im_WebSession (url_has_any=DomainNames)\\n | extend DNSName = tostring(parse_url(Url)[\\\"Host\\\"])\\n | extend IPAddress = SrcIpAddr, Computer = Dvc\\n ), \\n (VMConnection \\n | parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 * \\n | where isnotempty(DNSName) \\n | where DNSName in~ (DomainNames) \\n | extend IPAddress = RemoteIp \\n ), \\n ( \\n DeviceNetworkEvents \\n | where isnotempty(RemoteUrl) \\n | where RemoteUrl in~ (DomainNames) \\n | extend IPAddress = RemoteIP \\n | extend Computer = DeviceName \\n ),\\n (AzureDiagnostics \\n | where ResourceType == \\\"AZUREFIREWALLS\\\"\\n | where Category == \\\"AzureFirewallApplicationRule\\\"\\n | parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n | where isnotempty(DestinationHost)\\n | where DestinationHost has_any (DomainNames) \\n | extend DNSName = DestinationHost \\n | extend IPCustomEntity = SourceHost\\n ),\\n (AzureDiagnostics\\n | where ResourceType == \\\"AZUREFIREWALLS\\\"\\n | where Category == \\\"AzureFirewallNetworkRule\\\"\\n | where msg_s has_any (DomainNames)\\n | parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePortInt:int \\\" to \\\" TargetIP \\\":\\\" TargetPortInt:int *\\n | parse kind=regex flags=U msg_s with * \\\". Action\\\\\\\\: \\\" Action1a \\\"\\\\\\\\.\\\"\\n | parse msg_s with * \\\". Policy: \\\" Policy \\\". Rule Collection Group: \\\" RuleCollectionGroup \\\".\\\" *\\n | parse msg_s with * \\\" Rule Collection: \\\" RuleCollection \\\". Rule: \\\" Rule \\n | extend IPCustomEntity = SourceIP\\n ),\\n (AzureDiagnostics\\n | where ResourceType == \\\"AZUREFIREWALLS\\\"\\n | where Category == \\\"AzureFirewallDnsProxy\\\"\\n | where msg_s has_any (DomainNames)\\n | parse msg_s with \\\"DNS Request: \\\" SourceIP \\\":\\\" SourcePortInt:int \\\" - \\\" QueryID:int \\\" \\\" RequestType \\\" \\\" RequestClass \\\" \\\" hostname \\\". \\\" protocol \\\" \\\" details\\n | extend\\n ResponseDuration = extract(\\\"[0-9]*.?[0-9]+s$\\\", 0, msg_s),\\n SourcePort = tostring(SourcePortInt),\\n QueryID = tostring(QueryID)\\n | project TimeGenerated,SourceIP,hostname,RequestType,ResponseDuration,details,msg_s\\n | order by TimeGenerated\\n | extend IPCustomEntity = SourceIP\\n ),\\n (AZFWApplicationRule\\n | where Fqdn has_any (DomainNames)\\n | extend IPCustomEntity = SourceIp\\n ),\\n (AZFWDnsQuery\\n | where isnotempty(QueryName)\\n | where QueryName has_any (DomainNames)\\n | extend DNSName = QueryName\\n | extend IPCustomEntity = SourceIp\\n )\\n ) \\n | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"[Deprecated] - Known Barium domains\",\"description\":\"This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft\u0027s Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2020-11-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\",\"AZFWApplicationRule\",\"AZFWDnsQuery\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c2da1106-bfe4-4a63-bf14-5ab73130ccd5\",\"name\":\"c2da1106-bfe4-4a63-bf14-5ab73130ccd5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":1,\"version\":\"1.0.3\",\"severity\":\"Informational\",\"query\":\"let timeframe = ago(1d);\\nAppServiceAntivirusScanAuditLogs\\n| where ScanStatus == \\\"Failed\\\"\\n| extend timestamp = TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"AzureID\",\"columnName\":\"_ResourceId\"}]}],\"displayName\":\"AppServices AV Scan Failure\",\"description\":\"Identifies if an AV scan fails in Azure App Services.\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2020-12-11T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/65c78944-930b-4cae-bd79-c3664ae30ba7\",\"name\":\"65c78944-930b-4cae-bd79-c3664ae30ba7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"Medium\",\"query\":\"(union isfuzzy=true\\n(AuditLogs\\n| where OperationName =~ \\\"Disable Strong Authentication\\\"\\n| extend _parsedIntiatedByUser = parse_json(tostring(InitiatedBy.user))\\n| extend _parsedIntiatedByApp = parse_json(tostring(InitiatedBy.app))\\n| extend IPAddress = tostring(_parsedIntiatedByUser.ipAddress)\\n| extend InitiatedByUser = iff(isnotempty(tostring(_parsedIntiatedByUser.userPrincipalName)),\\n tostring(_parsedIntiatedByUser.userPrincipalName), tostring(_parsedIntiatedByApp.displayName))\\n| extend Targetprop = todynamic(TargetResources)\\n| extend TargetUser = tostring(Targetprop[0].userPrincipalName)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by User = TargetUser, InitiatedByUser , Operation = OperationName , CorrelationId, IPAddress, Category, Source = SourceSystem , AADTenantId, Type\\n),\\n(AWSCloudTrail\\n| where EventName in~ (\\\"DeactivateMFADevice\\\", \\\"DeleteVirtualMFADevice\\\")\\n| extend _parsedRequestParameters = parse_json(RequestParameters)\\n| extend InstanceProfileName = tostring(_parsedRequestParameters.InstanceProfileName)\\n| extend TargetUser = tostring(_parsedRequestParameters.userName)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by User = TargetUser, Source = EventSource , Operation = EventName , TenantorInstance_Detail = InstanceProfileName, IPAddress = SourceIpAddress\\n)\\n)\\n| extend timestamp = StartTimeUtc, UserName = tostring(split(User, \u0027@\u0027, 0)[0]), UPNSuffix = tostring(split(User, \u0027@\u0027, 1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"UserName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]}],\"tactics\":[\"CredentialAccess\",\"Persistence\"],\"displayName\":\"Multi-Factor Authentication Disabled for a User\",\"description\":\"Multi-Factor Authentication (MFA) helps prevent credential compromise. This alert identifies when an attempt has been made to deactivate MFA for a user.\",\"lastUpdatedDateUTC\":\"2024-01-16T00:00:00Z\",\"createdDateUTC\":\"2019-12-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f6502545-ae3a-4232-a8b0-79d87e5c98d7\",\"name\":\"f6502545-ae3a-4232-a8b0-79d87e5c98d7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"Event\\n| where EventLog =~ \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID in (13)\\n| parse EventData with * \u0027TargetObject\\\"\u003e\u0027 TargetObject \\\"\u003c\\\" * \u0027Details\\\"\u003e\u0027 Details \\\"\u003c\\\" * \\n| where TargetObject=~\\\"HKLM\\\\\\\\System\\\\\\\\CurrentControlSet\\\\\\\\Control\\\\\\\\SecurityProviders\\\\\\\\WDigest\\\\\\\\UseLogonCredential\\\" and Details !=\\\"DWORD (0x00000000)\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventID, Computer, TargetObject, Details\\n| extend HostName = iif(Computer has \u0027.\u0027,substring(Computer,0,indexof(Computer,\u0027.\u0027)),Computer) , DnsDomain = iif(Computer has \u0027.\u0027,substring(Computer,indexof(Computer,\u0027.\u0027)+1),\u0027\u0027)\",\"entityMappings\":[{\"entityType\":\"RegistryKey\",\"fieldMappings\":[{\"identifier\":\"Key\",\"columnName\":\"TargetObject\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"WDigest downgrade attack\",\"description\":\"When the WDigest Authentication protocol is enabled, plain text passwords are stored in the Local Security Authority Subsystem Service (LSASS) exposing them to theft. This setting will prevent WDigest from storing credentials in memory.\\nRef: https://www.stigviewer.com/stig/windows_7/2016-12-19/finding/V-72753\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-03-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/aedc5b33-2d7c-42cb-a692-f25ef637cbb1\",\"name\":\"aedc5b33-2d7c-42cb-a692-f25ef637cbb1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let lbtime = 10m;\\nProofpointPOD\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027outbound\u0027\\n| where array_length(todynamic(DstUserUpn)) == 1\\n| extend sender = extract(@\u0027\\\\A(.*?)@\u0027, 1, SrcUserUpn)\\n| extend sender_domain = extract(@\u0027@(.*)$\u0027, 1, SrcUserUpn)\\n| extend recipient = extract(@\u0027\\\\A(.*?)@\u0027, 1, tostring(todynamic(DstUserUpn)[0]))\\n| extend recipient_domain = extract(@\u0027@(.*)$\u0027, 1, tostring(todynamic(DstUserUpn)[0]))\\n| where sender =~ recipient\\n| where sender_domain != recipient_domain\\n| project SrcUserUpn, DstUserUpn\\n| extend AccountCustomEntity = SrcUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"ProofpointPOD - Possible data exfiltration to private email\",\"description\":\"Detects when sender sent email to the non-corporate domain and recipient\u0027s username is the same as sender\u0027s username.\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d6491be0-ab2d-439d-95d6-ad8ea39277c5\",\"name\":\"d6491be0-ab2d-439d-95d6-ad8ea39277c5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Low\",\"query\":\"let SensitiveOperationList = dynamic(\\n[\\\"VaultDelete\\\", \\\"KeyDelete\\\", \\\"SecretDelete\\\", \\\"SecretPurge\\\", \\\"KeyPurge\\\", \\\"SecretBackup\\\", \\\"KeyBackup\\\"]);\\nAzureDiagnostics\\n| extend ResultType = column_ifexists(\\\"ResultType\\\", \\\"NoResultType\\\"), \\nrequestUri_s = column_ifexists(\\\"requestUri_s\\\", \\\"None\\\"), \\nidentity_claim_oid_g = column_ifexists(\\\"identity_claim_oid_g\\\", \\\"None\\\"), CallerIPAddress = column_ifexists(\\\"CallerIPAddress\\\", \\\"None\\\"), \\nclientInfo_s = column_ifexists(\\\"clientInfo_s\\\", \\\"None\\\"), \\nidentity_claim_upn_s = column_ifexists(\\\"identity_claim_upn_s\\\", \\\"None\\\"),\\nidentity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = column_ifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"None\\\")\\n| where ResourceType =~ \\\"VAULTS\\\" and ResultType =~ \\\"Success\\\"\\n| where OperationName in~ (SensitiveOperationList)\\n| summarize EventCount=count(), StartTimeUtc=min(TimeGenerated), EndTimeUtc=max(TimeGenerated), TimeTriggered=make_list(TimeGenerated),OperationNameList=make_set(OperationName), RequestURLList=make_set(requestUri_s), CallerIPList = make_set(CallerIPAddress), CallerIPMax= arg_max(CallerIPAddress,*) by ResourceType, ResultType, Resource, identity_claim_upn_s, clientInfo_s, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\n| extend timestamp = StartTimeUtc\\n| extend Name = tostring(split(identity_claim_upn_s,\u0027@\u0027,0)[0]), UPNSuffix = tostring(split(identity_claim_upn_s,\u0027@\u0027,1)[0]), AadUserId = identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"AadUserId\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"CallerIPMax\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Sensitive Azure Key Vault operations\",\"description\":\"Identifies when sensitive Azure Key Vault operations are used. This includes: VaultDelete, KeyDelete, SecretDelete, SecretPurge, KeyPurge, SecretBackup, KeyBackup.\\nAny Backup operations should match with expected scheduled backup activity.\",\"lastUpdatedDateUTC\":\"2024-03-04T00:00:00Z\",\"createdDateUTC\":\"2019-07-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureKeyVault\",\"dataTypes\":[\"KeyVaultData\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/58e306fe-1c49-4b8f-9b0e-15f25e8f0cd7\",\"name\":\"58e306fe-1c49-4b8f-9b0e-15f25e8f0cd7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"// Filter GCP Audit Logs to exclude service accounts\\nGCPAuditLogs \\n| where PrincipalEmail !endswith \\\"gserviceaccount.com\\\"\\n// Exclude system-related authentication information\\n| where AuthenticationInfo !has (\\\"system:\\\")\\n// Extract GCP request name and relevant attributes\\n| extend GCPRequestName= parse_json(Request).name\\n| extend\\n GCPAccoutType= tostring(split(GCPRequestName, \\\"/\\\")[2]),\\n GCPUserIdentity = iff(isempty(tostring(split(GCPRequestName, \\\"/\\\")[3])), tostring(parse_json(AuthenticationInfo).principalEmail), \\\"na\\\"), \\n GCPUserIp = tostring(parse_json(RequestMetadata).callerIp),\\n GCPCallerUA = tostring(parse_json(RequestMetadata).callerSuppliedUserAgent)\\n// Filter out empty or service account identities\\n| where isnotempty(GCPUserIdentity) and GCPUserIdentity !endswith \\\"gserviceaccount.com\\\"\\n// Select relevant attributes for further analysis\\n| project\\n PrincipalEmail,\\n GCPUserIdentity,\\n GCPAccoutType,\\n GCPRequestName,\\n GCPCallerUA,\\n Request,\\n RequestMetadata,\\n GCPUserIp,\\n MethodName,\\n ServiceName,\\n GCPEventTime= TimeGenerated,\\n ProjectId\\n// Join GCP Audit Logs with SecurityAlert data based on user identity and IP\\n| join kind=inner ( \\n SecurityAlert \\n // Exclude alerts from Azure Sentinel\\n | where ProductName !in (\\\"Azure Sentinel\\\")\\n // Extract IP entities from alert data\\n | extend AlertIPEntity= tostring(extract(@\\\"\\\\d{1,3}\\\\.\\\\d{1,3}\\\\.\\\\d{1,3}\\\\.\\\\d{1,3}\\\", 0, Entities))\\n | extend\\n AlertUserUPN = tostring(extract(@\u0027\\\\b[\\\\w\\\\.\\\\-]+@[\\\\w\\\\.\\\\-]+\\\\b\u0027, 0, Entities)),\\n AlertTime= TimeGenerated\\n // Filter out empty user identities and IP entities\\n | where isnotempty(AlertIPEntity) and isnotempty(AlertUserUPN)\\n )\\n on $left.GCPUserIdentity == $right.AlertUserUPN and $left.GCPUserIp == $right.AlertIPEntity\\n// Summarize the data, calculating time differences and aggregating attributes\\n| summarize\\n FirstAlert=min(AlertTime),\\n LastAlert=max(AlertTime),\\n TimeDiff=datetime_diff(\u0027minute\u0027, min(AlertTime), min(GCPEventTime)),\\n MethodName=make_set(MethodName),\\n ServiceName= make_set(ServiceName),\\n GCPProjctId=make_set(ProjectId),\\n Request=make_set(Request),\\n GCPCallerUA=make_set(GCPCallerUA)\\n by\\n AlertUserUPN,\\n AlertIPEntity,\\n GCPUserIp,\\n GCPUserIdentity,\\n AlertSeverity,\\n AlertName,\\n AlertLink,\\n Description,\\n Tactics,\\n ProductName,\\n SystemAlertId,\\n GCPAccoutType\\n// Extend the data with additional attributes\\n| extend\\n Name = tostring(split(GCPUserIdentity, \\\"@\\\")[0]),\\n UPNSuffix = tostring(split(GCPUserIdentity, \\\"@\\\")[1])\",\"customDetails\":{\"AlertName\":\"AlertName\",\"FirstAlert\":\"FirstAlert\",\"LastAlert\":\"LastAlert\",\"TimeDiff\":\"TimeDiff\",\"MethodName\":\"MethodName\",\"GCPProjctId\":\"GCPProjctId\",\"GCPCallerUA\":\"GCPCallerUA\",\"ServiceName\":\"ServiceName\",\"AlertUserUPN\":\"AlertUserUPN\",\"SystemAlertId\":\"SystemAlertId\",\"Tactics\":\"Tactics\",\"Request\":\"Request\",\"CorrelationWith\":\"GCPAuditLogs\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"GCPUserIp\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"A user {{GCPUserUPN}} has been linked to {{AlertName}}, and has potentially suspicious behavior within the GCP environment from, originating from the IP address {{GCPUserIp}}.\",\"alertDescriptionFormat\":\" This detection compiles and correlates unauthorized user access alerts originating from {{ProductName}} With Alert Description \u0027{{Description}}\u0027 observed activity in GCP environmeny. It focuses on Microsoft Security, specifically targeting user bhaviour and network IP associations tied to activities such as logins from malicious IP addresses or instance credential exfiltration attempts. The detection leverages these common network IP advisories to detect and pinpoint users suspicious activity to access both Azure and GCP resources. \\n\\n Microsoft Security ALert Link : \u0027{{AlertLink}}\u0027\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":\"AlertSeverity\"},\"tactics\":[\"InitialAccess\",\"Execution\",\"Persistence\",\"PrivilegeEscalation\",\"CredentialAccess\",\"Discovery\"],\"displayName\":\"Cross-Cloud Suspicious user activity observed in GCP Envourment\",\"description\":\"\\nThis detection query aims to correlate potentially suspicious user activities logged in Google Cloud Platform (GCP) Audit Logs with security alerts originating from Microsoft Security products. This correlation facilitates the identification of potential cross-cloud security incidents. By summarizing these findings, the query provides valuable insights into cross-cloud identity threats and their associated details, enabling organizations to respond promptly and mitigate potential risks effectively.\\n\",\"lastUpdatedDateUTC\":\"2023-10-06T00:00:00Z\",\"createdDateUTC\":\"2023-10-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"GCPAuditLogsDefinition\",\"dataTypes\":[\"GCPAuditLogs\"]},{\"connectorId\":\"AzureActiveDirectoryIdentityProtection\",\"dataTypes\":[\"SecurityAlert (IPC)\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"MicrosoftDefenderAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert (MDATP)\"]},{\"connectorId\":\"MicrosoftCloudAppSecurity\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8dcf7238-a7d0-4cfd-8d0c-b230e3cd9182\",\"name\":\"8dcf7238-a7d0-4cfd-8d0c-b230e3cd9182\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5M\",\"queryPeriod\":\"PT5M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Medium\",\"query\":\"let timeframe = ago(5m);\\nDuoSecurityTrustMonitor_CL\\n| where TimeGenerated \u003e= timeframe\\n| extend AccountName = tostring(split(surfaced_auth_user_name_s, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(surfaced_auth_user_name_s, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"surfaced_auth_user_name_s\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"surfaced_auth_access_device_ip_s\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Trust Monitor Event\",\"description\":\"This query identifies when a new trust monitor event is detected.\",\"lastUpdatedDateUTC\":\"2024-07-15T00:00:00Z\",\"createdDateUTC\":\"2021-02-13T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d804b39c-03a4-417c-a949-bdbf21fa3305\",\"name\":\"d804b39c-03a4-417c-a949-bdbf21fa3305\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"Medium\",\"query\":\"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string)\\n[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/MSTICIoCs-ExchangeServerVulnerabilitiesDisclosedMarch2021.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet file_paths = (iocs | where Type =~ \\\"filepath\\\" | project IoC);\\nlet sha256s = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\nlet ips = (iocs | where Type =~ \\\"ip\\\" | project IoC);\\nlet domains = (iocs | where Type =~ \\\"domainname\\\" | project IoC);\\nlet dyndomains = todynamic(toscalar((domains | summarize make_set(IoC))));\\nunion isfuzzy=true\\n(SecurityEvent\\n| where EventID == 4663\\n| where ObjectName in (file_paths)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(WindowsEvent\\n| where EventID == 4663 and EventData has_any (file_paths)\\n| extend ObjectName = tostring(EventData.ObjectName) \\n| where ObjectName in (file_paths)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName), \\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(imFileEvent\\n| where TargetFileName in (file_paths)\\n or\\n TargetFileSHA256 in (sha256s)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUsername, HostCustomEntity = DvcHostname\\n),\\n(DeviceFileEvents\\n| where FolderPath in (file_paths)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountName, HostCustomEntity = DeviceName\\n),\\n(DeviceEvents\\n| where InitiatingProcessSHA256 in (sha256s)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountName, HostCustomEntity = DeviceName\\n),\\n (CommonSecurityLog\\n| where FileHash in (sha256s)\\n| extend timestamp = TimeGenerated\\n),\\n(Event // File iocs\\n//This query uses sysmon data depending on table name used this may need updating\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Hashes = EventDetail.[16].[\\\"#text\\\"]\\n| where isnotempty(Hashes)\\n| parse Hashes with * \u0027SHA256=\u0027 SHA256 \u0027,\u0027 *\\n| where SHA256 in~ (sha256s)\\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = Hashes\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(CommonSecurityLog\\n| where isnotempty(SourceIP) or isnotempty(DestinationIP)\\n| where (SourceIP in (ips) or DestinationIP in (ips) or Message has_any (ips)) or (RequestURL has_any (domains))\\n| extend IPMatch = case(SourceIP in (ips), \\\"SourceIP\\\", DestinationIP in (ips), \\\"DestinationIP\\\", \\\"Message\\\")\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch\\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\")\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = EventDetail.[9].[\\\"#text\\\"], DestinationIP = EventDetail.[14].[\\\"#text\\\"]\\n| where SourceIP in (ips) or DestinationIP in (ips)\\n| extend IPMatch = case( SourceIP in (ips), \\\"SourceIP\\\", DestinationIP in (ips), \\\"DestinationIP\\\", \\\"None\\\")\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n),\\n(WireData\\n| where isnotempty(RemoteIP)\\n| where RemoteIP in (ips)\\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer\\n),\\n(W3CIISLog\\n| where isnotempty(cIP)\\n| where cIP in (ips)\\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName\\n),\\n(\\nWindowsFirewall\\n| where SourceIP in (ips) or DestinationIP in (ips)\\n| extend IPMatch = case( SourceIP in (ips), \\\"SourceIP\\\", DestinationIP in (ips), \\\"DestinationIP\\\", \\\"None\\\")\\n),\\n(\\n _Im_NetworkSession(srcipaddr_has_any_prefix=ips) \\n | extend IPCustomEntity = SrcIpAddr, AccountCustomEntity= User, HostCustomEntity=Hostname\\n),\\n (\\n _Im_NetworkSession(dstipaddr_has_any_prefix=ips) \\n | extend IPCustomEntity = DstIpAddr, AccountCustomEntity= User, HostCustomEntity=Hostname\\n),\\n(_Im_Dns(domain_has_any=dyndomains)\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc\\n)\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"[Deprecated] - Exchange Server Vulnerabilities Disclosed March 2021 IoC Match\",\"description\":\"This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft\u0027s Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2021-03-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"AzureMonitor(WireData)\",\"dataTypes\":[\"WireData\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog (CheckPoint)\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog (Cisco)\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog (F5)\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog (Fortinet)\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ef895ada-e8e8-4cf0-9313-b1ab67fab69f\",\"name\":\"ef895ada-e8e8-4cf0-9313-b1ab67fab69f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Medium\",\"query\":\"let CombinedSignInLogs = union isfuzzy=True AADNonInteractiveUserSignInLogs, SigninLogs;\\n // Combine AADNonInteractiveUserSignInLogs and SigninLogs into a single table\\n // Fetch Azure IP address ranges data from a JSON file hosted on GitHub\\n let AzureRanges = externaldata(changeNumber: string, cloud: string, values: dynamic)\\n [\\\"https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/MSFTIPRanges/ServiceTags_Public.json\\\"] with(format=\u0027multijson\u0027)\\n // Load Azure IP address ranges from the JSON file hosted on GitHub\\n | mv-expand values\\n // Expand the values column into separate rows\\n | extend Name = values.name, AddressPrefixes = tostring(values.properties.addressPrefixes);\\n // Create additional columns for the name and address prefixes\\n // Identify known locations to be excluded from analysis\\n let ExcludedKnownLocations = CombinedSignInLogs\\n // Filter the combined logs based on the specified time range\\n | where TimeGenerated between (ago(14d)..ago(1d))\\n // Filter by specific ResultType\\n | where ResultType == 0\\n // Summarize the logs by location\\n | summarize by Location;\\n // Find sign-in locations matching specific criteria\\n let MatchedLocations = materialize(CombinedSignInLogs\\n // Filter the combined logs based on the specified time range\\n | where TimeGenerated \u003e ago(1d)\\n // Exclude specific ResultTypes\\n | where ResultType !in (50126, 50053, 50074, 70044)\\n // Exclude known locations\\n | where Location !in (ExcludedKnownLocations));\\n // Match IP addresses of matched locations with Azure IP address ranges\\n let MatchedIPs = MatchedLocations\\n // Use the \u0027ipv4_lookup\u0027 function to match IP addresses with Azure IP address ranges\\n | evaluate ipv4_lookup(AzureRanges, IPAddress, AddressPrefixes)\\n // Project only the IPAddress column\\n | project IPAddress;\\n // Exclude IP addresses that are already matched with Azure IP address ranges\\n let MaxSetSize = 5; // Set the maximum size limit for make_set\\n let ExcludedIPs = MatchedLocations\\n // Filter out IP addresses that are already matched\\n | where not (IPAddress in (MatchedIPs))\\n // Exclude empty or null Location values\\n | where isnotempty(Location)\\n // Handle dynamic and string column values for LocationDetails and DeviceDetail\\n | extend LocationDetails_dynamic = column_ifexists(\\\"LocationDetails_dynamic\\\", \\\"\\\")\\n | extend DeviceDetail_dynamic = column_ifexists(\\\"DeviceDetail_dynamic\\\", \\\"\\\")\\n | extend LocationDetails = iif(isnotempty(LocationDetails_dynamic), LocationDetails_dynamic, parse_json(LocationDetails_string))\\n | extend DeviceDetail = iif(isnotempty(DeviceDetail_dynamic), DeviceDetail_dynamic, parse_json(DeviceDetail_string))\\n // Extract location details (city and state)\\n | extend City = tostring(LocationDetails.city)\\n | extend State = tostring(LocationDetails.state)\\n | extend Place = strcat(City, \\\" - \\\", State)\\n | extend DeviceId = tostring(DeviceDetail.deviceId)\\n | extend Result = strcat(tostring(ResultType), \\\" - \\\", ResultDescription)\\n // Summarize the data based on UserPrincipalName, Location, and Category\\n | summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated),\\n make_set(Result, MaxSetSize), make_set(IPAddress, MaxSetSize),\\n make_set(UserAgent, MaxSetSize), make_set(Place, MaxSetSize),\\n make_set(DeviceId, MaxSetSize) by UserPrincipalName, Location, Category\\n // Extract the username prefix and suffix from UserPrincipalName\\n | extend Name = tostring(split(UserPrincipalName,\u0027@\u0027,0)[0]), UPNSuffix = tostring(split(UserPrincipalName,\u0027@\u0027,1)[0]);\\n ExcludedIPs // Output the final result set\\n | extend IP = set_IPAddress[0]\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IP\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Authentication Attempt from New Country\",\"description\":\"Detects when there is a login attempt from a country that has not seen a successful login in the previous 14 days.\\nThreat actors may attempt to authenticate with credentials from compromised accounts - monitoring attempts from anomalous locations may help identify these attempts.\\nAuthentication attempts should be investigated to ensure the activity was legitimate and if there is other similar activity.\\nRef: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\",\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d25b1998-a592-4bc5-8a3a-92b39eedb1bc\",\"name\":\"d25b1998-a592-4bc5-8a3a-92b39eedb1bc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"Low\",\"query\":\"AWSCloudTrail\\n| where EventName =~ \\\"ConsoleLogin\\\"\\n| extend MFAUsed = tostring(parse_json(AdditionalEventData).MFAUsed), LoginResult = tostring(parse_json(ResponseElements).ConsoleLogin), indexId = indexof(tostring(UserIdentityPrincipalid),\\\":\\\")\\n| where MFAUsed !~ \\\"Yes\\\" and LoginResult !~ \\\"Failure\\\"\\n| where SessionIssuerUserName !contains \\\"AWSReservedSSO\\\"\\n| extend UserIdentityArn = iif(isempty(UserIdentityArn), tostring(parse_json(Resources)[0].ARN), UserIdentityArn)\\n| extend UserName = tostring(split(UserIdentityArn, \u0027/\u0027)[-1])\\n| extend AccountName = case( UserIdentityPrincipalid == \\\"Anonymous\\\", \\\"Anonymous\\\", isempty(UserIdentityUserName), UserName, UserIdentityUserName)\\n| extend AccountName = iif(AccountName contains \\\"@\\\", tostring(split(AccountName, \u0027@\u0027, 0)[0]), AccountName),\\n AccountUPNSuffix = iif(AccountName contains \\\"@\\\", tostring(split(AccountName, \u0027@\u0027, 1)[0]), \\\"\\\")\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, LoginResult, MFAUsed, RecipientAccountId, AccountName, AccountUPNSuffix, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent,\\nUserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion, indexId\\n| extend timestamp = StartTimeUtc\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"},{\"identifier\":\"CloudAppAccountId\",\"columnName\":\"RecipientAccountId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIpAddress\"}]}],\"tactics\":[\"DefenseEvasion\",\"PrivilegeEscalation\",\"Persistence\",\"InitialAccess\"],\"displayName\":\"Login to AWS Management Console without MFA\",\"description\":\"Multi-Factor Authentication (MFA) helps you to prevent credential compromise. This alert identifies logins to the AWS Management Console without MFA.\\nYou can limit this detection to trigger for adminsitrative accounts if you do not have MFA enabled on all accounts.\\nThis is done by looking at the eventName ConsoleLogin and if the AdditionalEventData field indicates MFA was NOT used and the ResponseElements field indicates NOT a Failure. Thereby indicating that a non-MFA login was successful.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6852d9da-8015-4b95-8ecf-d9572ee0395d\",\"name\":\"6852d9da-8015-4b95-8ecf-d9572ee0395d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Low\",\"query\":\"let queryfrequency = 1h;\\nlet wait_for_deletion = 10m;\\nlet account_created =\\n AuditLogs \\n | where ActivityDisplayName == \\\"Add service principal\\\"\\n | where Result == \\\"success\\\"\\n | extend AppID = tostring(AdditionalDetails[1].value)\\n | extend creationTime = ActivityDateTime\\n | extend CreatorUserPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend CreatorIPAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress);\\nlet account_activity =\\n AADServicePrincipalSignInLogs\\n | extend Activities = pack(\\\"ActivityTime\\\", TimeGenerated ,\\\"IpAddress\\\", IPAddress, \\\"ResourceDisplayName\\\", ResourceDisplayName)\\n | extend AppID = AppId\\n | summarize make_list(Activities) by AppID;\\nlet account_deleted =\\n AuditLogs \\n | where OperationName == \\\"Remove service principal\\\"\\n | where Result == \\\"success\\\"\\n | extend AppID = tostring(AdditionalDetails[1].value)\\n | extend deletionTime = ActivityDateTime\\n | extend DeleterUserPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend DeleterIPAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress);\\nlet account_credentials =\\n AuditLogs\\n | where OperationName has_all (\\\"Update application\\\", \\\"Certificates and secrets management\\\")\\n | where Result == \\\"success\\\"\\n | extend AppID = tostring(AdditionalDetails[1].value)\\n | extend credentialCreationTime = ActivityDateTime;\\nlet roles_assigned =\\n AuditLogs\\n | where ActivityDisplayName == \\\"Add app role assignment to service principal\\\"\\n | extend AppID = tostring(TargetResources[1].displayName)\\n | extend AssignedRole = iff(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].displayName)==\\\"AppRole.Value\\\", tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].newValue))),\\\"\\\")\\n | extend AssignedRoles = pack(\\\"Role\\\", AssignedRole)\\n | summarize make_list(AssignedRoles) by AppID;\\naccount_created\\n| where TimeGenerated between (ago(wait_for_deletion+queryfrequency)..ago(wait_for_deletion))\\n| join kind= inner (account_activity) on AppID\\n| join kind= inner (account_deleted) on AppID\\n| join kind= inner (account_credentials) on AppID\\n| join kind= inner (roles_assigned) on AppID\\n| where deletionTime - creationTime between (time(0s)..wait_for_deletion)\\n| extend AliveTime = deletionTime - creationTime\\n| project AADTenantId, AppID, creationTime, deletionTime, CreatorUserPrincipalName, DeleterUserPrincipalName, CreatorIPAddress, DeleterIPAddress, list_Activities, list_AssignedRoles, AliveTime\\n| extend CreatorName = tostring(split(CreatorUserPrincipalName, \\\"@\\\")[0]), CreatorUPNSuffix = tostring(split(CreatorUserPrincipalName, \\\"@\\\")[1])\\n| extend DeleterName = tostring(split(DeleterUserPrincipalName, \\\"@\\\")[0]), DeleterSuffix = tostring(split(DeleterUserPrincipalName, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CreatorUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"CreatorName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"CreatorUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DeleterUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"DeleterName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"DeleterSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"CreatorIPAddress\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DeleterIPAddress\"}]}],\"tactics\":[\"CredentialAccess\",\"PrivilegeEscalation\",\"InitialAccess\"],\"displayName\":\"Suspicious Service Principal creation activity\",\"description\":\"This alert will detect creation of an SPN, permissions granted, credentials created, activity and deletion of the SPN in a time frame (default 10 minutes)\",\"lastUpdatedDateUTC\":\"2024-01-09T00:00:00Z\",\"createdDateUTC\":\"2021-11-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\",\"AADServicePrincipalSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c63ae777-d5e0-4113-8c9a-c2c9d3d09fcd\",\"name\":\"c63ae777-d5e0-4113-8c9a-c2c9d3d09fcd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"High\",\"query\":\"let args = dynamic([\\\"objectcategory\\\",\\\"domainlist\\\",\\\"dcmodes\\\",\\\"adinfo\\\",\\\"trustdmp\\\",\\\"computers_pwdnotreqd\\\",\\\"Domain Admins\\\", \\\"objectcategory=person\\\", \\\"objectcategory=computer\\\", \\\"objectcategory=*\\\",\\\"dclist\\\"]);\\nlet parentProcesses = dynamic([\\\"pwsh.exe\\\",\\\"powershell.exe\\\",\\\"cmd.exe\\\"]);\\nDeviceProcessEvents\\n//looks for execution from a shell\\n| where InitiatingProcessFileName in~ (parentProcesses)\\n// main filter\\n| where FileName =~ \\\"AdFind.exe\\\" or SHA256 == \\\"c92c158d7c37fea795114fa6491fe5f145ad2f8c08776b18ae79db811e8e36a3\\\"\\n // AdFind common Flags to check for from various threat actor TTPs\\n or ProcessCommandLine has_any (args)\\n| extend HostName = split(DeviceName, \u0027.\u0027, 0)[0], DnsDomain = strcat_array(array_slice(split(DeviceName, \u0027.\u0027), 1, -1), \u0027.\u0027), FileHashAlgorithm = \\\"SHA256\\\"\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"InitiatingProcessFileName\"},{\"identifier\":\"CommandLine\",\"columnName\":\"ProcessCommandLine\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashAlgorithm\"},{\"identifier\":\"Value\",\"columnName\":\"SHA256\"}]}],\"tactics\":[\"Discovery\"],\"displayName\":\"Probable AdFind Recon Tool Usage\",\"description\":\"This query identifies the host and account that executed AdFind, by hash and filename, in addition to the flags commonly utilized by various threat actors during the reconnaissance phase.\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2021-04-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/11bda520-a965-4654-9a45-d09f372f71aa\",\"name\":\"11bda520-a965-4654-9a45-d09f372f71aa\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P2D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.10\",\"severity\":\"High\",\"query\":\"AzureActivity\\n// Isolate run command actions\\n| where OperationNameValue =~ \\\"MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION\\\"\\n// Confirm that the operation impacted a virtual machine\\n| where Authorization has \\\"virtualMachines\\\"\\n// Each runcommand operation consists of three events when successful, Started, Accepted (or Rejected), Successful (or Failed).\\n| summarize StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), max(CallerIpAddress), make_list(ActivityStatusValue) by CorrelationId, Authorization, Caller\\n// Limit to Run Command executions that Succeeded\\n| where list_ActivityStatusValue has_any (\\\"Success\\\", \\\"Succeeded\\\")\\n// Extract data from the Authorization field\\n| extend Authorization_d = parse_json(Authorization)\\n| extend Scope = Authorization_d.scope\\n| extend Scope_s = split(Scope, \\\"/\\\")\\n| extend Subscription = tostring(Scope_s[2])\\n| extend VirtualMachineName = tostring(Scope_s[-1])\\n| project StartTime, EndTime, Subscription, VirtualMachineName, CorrelationId, Caller, CallerIpAddress=max_CallerIpAddress\\n// Create a join key using the Caller (UPN)\\n| extend joinkey = tolower(Caller)\\n// Join the Run Command actions to UEBA data\\n| join kind = inner (\\n BehaviorAnalytics\\n // We are specifically interested in unusual logins\\n | where EventSource == \\\"Azure AD\\\" and ActivityInsights.ActionUncommonlyPerformedByUser == \\\"True\\\"\\n | project UEBAEventTime=TimeGenerated, UEBAActionType=ActionType, UserPrincipalName, UEBASourceIPLocation=SourceIPLocation, UEBAActivityInsights=ActivityInsights, UEBAUsersInsights=UsersInsights\\n | where isnotempty(UserPrincipalName) and isnotempty(UEBASourceIPLocation)\\n | extend joinkey = tolower(UserPrincipalName)\\n) on joinkey\\n// Create a window around the UEBA event times, check to see if the Run Command action was performed within them\\n| extend UEBAWindowStart = UEBAEventTime - 1h, UEBAWindowEnd = UEBAEventTime + 6h\\n| where StartTime between (UEBAWindowStart .. UEBAWindowEnd)\\n| project StartTime, EndTime, Subscription, VirtualMachineName, Caller, CallerIpAddress, UEBAEventTime, UEBAActionType, UEBASourceIPLocation, UEBAActivityInsights, UEBAUsersInsights\\n| extend AccountName = tostring(split(Caller, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(Caller, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Caller\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"CallerIpAddress\"}]}],\"tactics\":[\"LateralMovement\",\"CredentialAccess\"],\"displayName\":\"Azure VM Run Command operation executed during suspicious login window\",\"description\":\"Identifies when the Azure Run Command operation is executed by a UserPrincipalName and IP Address that has resulted in a recent user entity behaviour alert.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2021-10-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"BehaviorAnalytics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/738702fd-0a66-42c7-8586-e30f0583f8fe\",\"name\":\"738702fd-0a66-42c7-8586-e30f0583f8fe\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.6\",\"severity\":\"High\",\"query\":\"DeviceEvents\\n| where ActionType has \\\"ExploitGuardNonMicrosoftSignedBlocked\\\"\\n| where InitiatingProcessFileName has \\\"svchost.exe\\\" and FileName has \\\"NetSetupSvc.dll\\\"\\n| extend HashAlgorithm = \\\"SHA1\\\"\\n| extend HostName = tostring(split(DeviceName, \\\".\\\")[0]), DomainIndex = toint(indexof(DeviceName, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(DeviceName, DomainIndex + 1), DeviceName)\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DeviceName\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingProcessAccountUpn\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatingProcessAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatingProcessAccountDomain\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"HashAlgorithm\"},{\"identifier\":\"Value\",\"columnName\":\"InitiatingProcessSHA1\"}]}],\"tactics\":[\"Execution\",\"Persistence\",\"DefenseEvasion\"],\"displayName\":\"TEARDROP memory-only dropper\",\"description\":\"Identifies SolarWinds TEARDROP memory-only dropper IOCs in Window\u0027s defender Exploit Guard activity\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\",\"lastUpdatedDateUTC\":\"2024-04-04T00:00:00Z\",\"createdDateUTC\":\"2022-04-12T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5ef06767-b37c-4818-b035-47de950d0046\",\"name\":\"5ef06767-b37c-4818-b035-47de950d0046\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.4\",\"severity\":\"Medium\",\"query\":\"// How far back to look for events from\\nlet timeframe = 1d;\\n// How close together build events and file modifications should occur to alert (make this smaller to reduce FPs)\\nlet time_window = 5m;\\n// Edit this to include build processes used\\nlet build_processes = dynamic([\\\"MSBuild.exe\\\", \\\"dotnet.exe\\\", \\\"VBCSCompiler.exe\\\"]);\\n// Include any processes that you want to allow to edit files during/around the build process\\nlet allow_list = dynamic([\\\"\\\"]);\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n// Look for build process starts\\n| where EventID == 4688\\n| where Process has_any (build_processes)\\n| summarize by BuildParentProcess=ParentProcessName, BuildProcess=Process, BuildAccount = Account, Computer, BuildCommand=CommandLine, timekey= bin(TimeGenerated, time_window), BuildProcessTime=TimeGenerated\\n| join kind=inner(\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n// Look for file modifications to code file\\n| where EventID == 4663\\n| where Process !in (allow_list)\\n// Look for code files, edit this to include file extensions used in build.\\n| where ObjectName endswith \\\".cs\\\" or ObjectName endswith \\\".cpp\\\"\\n// 0x6 and 0x4 for file append, 0x100 for file replacements\\n| where AccessMask == \\\"0x6\\\" or AccessMask == \\\"0x4\\\" or AccessMask == \\\"0X100\\\"\\n| summarize by FileEditParentProcess=ParentProcessName, FileEditAccount = Account, Computer, FileEdited=ObjectName, FileEditProcess=ProcessName, timekey= bin(TimeGenerated, time_window), FileEditTime=TimeGenerated)\\n// join where build processes and file modifications seen at same time on same host\\non timekey, Computer\\n// Limit to only where the file edit happens after the build process starts\\n| where BuildProcessTime \u003c= FileEditTime\\n| summarize make_set(FileEdited), make_set(FileEditProcess), make_set(FileEditAccount) by timekey, Computer, BuildParentProcess, BuildProcess\\n),\\n(WindowsEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n// Look for build process starts\\n| where EventID == 4688 and EventData has_any (build_processes)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where Process has_any (build_processes)\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend CommandLine = tostring(EventData.CommandLine) \\n| summarize by BuildParentProcess=ParentProcessName, BuildProcess=Process, BuildAccount = Account, Computer, BuildCommand=CommandLine, timekey= bin(TimeGenerated, time_window), BuildProcessTime=TimeGenerated\\n| join kind=inner(\\nWindowsEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n// Look for file modifications to code file\\n| where EventID == 4663 and EventData has_any (\\\"0x6\\\", \\\"0x4\\\", \\\"0X100\\\") and EventData has_any (\\\".cs\\\", \\\".cpp\\\")\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where Process !in (allow_list)\\n// Look for code files, edit this to include file extensions used in build.\\n| extend ObjectName = tostring(EventData.ObjectName)\\n| where ObjectName endswith \\\".cs\\\" or ObjectName endswith \\\".cpp\\\"\\n// 0x6 and 0x4 for file append, 0x100 for file replacements\\n| extend AccessMask = tostring(EventData.AccessMask) \\n| where AccessMask == \\\"0x6\\\" or AccessMask == \\\"0x4\\\" or AccessMask == \\\"0X100\\\"\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| summarize by FileEditParentProcess=ParentProcessName, FileEditAccount = Account, Computer, FileEdited=ObjectName, FileEditProcess=ProcessName, timekey= bin(TimeGenerated, time_window), FileEditTime=TimeGenerated)\\n// join where build processes and file modifications seen at same time on same host\\non timekey, Computer\\n// Limit to only where the file edit happens after the build process starts\\n| where BuildProcessTime \u003c= FileEditTime\\n| summarize make_set(FileEdited), make_set(FileEditProcess), make_set(FileEditAccount) by timekey, Computer, BuildParentProcess, BuildProcess\\n))\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| project-away DomainIndex\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Potential Build Process Compromise\",\"description\":\"The query looks for source code files being modified immediately after a build process is started. The purpose of this is to look for malicious code injection during the build process.\\nMore details: https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-the-software-supply-chain-with-azure-sentinel/ba-p/2176463\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1f3b4dfd-21ff-4ed3-8e27-afc219e05c50\",\"name\":\"1f3b4dfd-21ff-4ed3-8e27-afc219e05c50\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n| where LoggedByService =~ \\\"PIM\\\"\\n| where Category =~ \\\"RoleManagement\\\"\\n| where ActivityDisplayName has \\\"Disable PIM Alert\\\"\\n| extend IpAddress = case(\\n isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)) and tostring(parse_json(tostring(InitiatedBy.user)).ipAddress) != \u0027null\u0027, tostring(parse_json(tostring(InitiatedBy.user)).ipAddress), \\n isnotempty(tostring(parse_json(tostring(InitiatedBy.app)).ipAddress)) and tostring(parse_json(tostring(InitiatedBy.app)).ipAddress) != \u0027null\u0027, tostring(parse_json(tostring(InitiatedBy.app)).ipAddress),\\n \u0027Not Available\u0027)\\n| extend InitiatedBy = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)), \\n tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName)), UserRoles = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n| project InitiatedBy, ActivityDateTime, ActivityDisplayName, IpAddress, AADOperationType, AADTenantId, ResourceId, CorrelationId, Identity\\n| extend AccountName = tostring(split(InitiatedBy, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(InitiatedBy, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatedBy\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceId\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Detect PIM Alert Disabling activity\",\"description\":\"Privileged Identity Management (PIM) generates alerts when there is suspicious or unsafe activity in Microsoft Entra ID (Azure AD) organization. \\nThis query will help detect attackers attempts to disable in product PIM alerts which are associated with Azure MFA requirements and could indicate activation of privileged access\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2021-09-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f8dad4e9-3f19-4d70-ab7f-8f19ccd43a3e\",\"name\":\"f8dad4e9-3f19-4d70-ab7f-8f19ccd43a3e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":1,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let threshold = 1;\\nunion isfuzzy=true(\\nAZFWApplicationRule\\n| where Action == \\\"Deny\\\"\\n| summarize StartTime = min(TimeGenerated), count() by SourceIp, Fqdn, Action, Protocol\\n| where count_ \u003e= [\\\"threshold\\\"]),\\n(AZFWNetworkRule\\n| where Action == \\\"Deny\\\"\\n| extend Fqdn = DestinationIp\\n| summarize StartTime = min(TimeGenerated), count() by SourceIp, Fqdn, Action, Protocol\\n| where count_ \u003e= [\\\"threshold\\\"]),\\n(AZFWFlowTrace\\n| where Action == \\\"Deny\\\"\\n| extend Fqdn = DestinationIp\\n| summarize StartTime = min(TimeGenerated), count() by SourceIp, Fqdn, Action, Protocol\\n| where count_ \u003e= [\\\"threshold\\\"]),\\n(AZFWIdpsSignature\\n| where Action == \\\"Deny\\\"\\n| extend Fqdn = DestinationIp\\n| summarize StartTime = min(TimeGenerated), count() by SourceIp, Fqdn, Action, Protocol\\n| where count_ \u003e= [\\\"threshold\\\"]),\\n(AzureDiagnostics\\n| where OperationName in (\\\"AzureFirewallApplicationRuleLog\\\",\\\"AzureFirewallNetworkRuleLog\\\")\\n| extend msg_s_replaced0 = replace(@\\\"\\\\s\\\\s\\\",@\\\" \\\",msg_s)\\n| extend msg_s_replaced1 = replace(@\\\"\\\\.\\\\s\\\",@\\\" \\\",msg_s_replaced0)\\n| extend msg_a = split(msg_s_replaced1,\\\" \\\")\\n| extend srcAddr_a = split(msg_a[3],\\\":\\\") , destAddr_a = split(msg_a[5],\\\":\\\")\\n| extend Protocol = tostring(msg_a[0]), SourceIp = tostring(srcAddr_a[0]), srcPort = tostring(srcAddr_a[1]), DestinationIp = tostring(destAddr_a[0]), destPort = tostring(destAddr_a[1]), Action = tostring(msg_a[7])\\n| where Action == \\\"Deny\\\"\\n| extend Fqdn = iff(DestinationIp matches regex \\\"\\\\\\\\d+\\\\\\\\.\\\\\\\\d+\\\\\\\\.\\\\\\\\d+\\\\\\\\.\\\\\\\\d+\\\",\\\"\\\",DestinationIp)\\n| summarize StartTime = min(TimeGenerated), count() by SourceIp, Fqdn, Action, Protocol\\n| where count_ \u003e= [\\\"threshold\\\"])\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIp\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Fqdn\"}]}],\"tactics\":[\"Discovery\",\"LateralMovement\",\"CommandAndControl\"],\"displayName\":\"Several deny actions registered\",\"description\":\"Identifies attack pattern when attacker tries to move, or scan, from resource to resource on the network and creates an incident when a source has more than 1 registered deny action in Azure Firewall.\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2020-10-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\",\"AZFWApplicationRule\",\"AZFWNetworkRule\",\"AZFWFlowTrace\",\"AZFWIdpsSignature\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ec21493c-2684-4acd-9bc2-696dbad72426\",\"name\":\"ec21493c-2684-4acd-9bc2-696dbad72426\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.4.2\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h; // Duration to look back for recent logs (1 hour)\\nlet ioc_lookBack = 14d; // Duration to look back for recent threat intelligence indicators (14 days)\\n// Create a list of top-level domains (TLDs) in our threat feed for later validation of extracted domains\\nlet list_tlds = \\n ThreatIntelligenceIndicator\\n | where isnotempty(DomainName)\\n | where TimeGenerated \u003e= ago(ioc_lookBack)\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n | where Active == true and ExpirationDateTime \u003e now()\\n | extend DomainName = tolower(DomainName)\\n | extend parts = split(DomainName, \u0027.\u0027)\\n | extend tld = parts[(array_length(parts)-1)]\\n | summarize count() by tostring(tld)\\n | summarize make_list(tld);\\nlet Domain_Indicators = \\n ThreatIntelligenceIndicator\\n // Filter to pick up only IOC\u0027s that contain the entities we want (in this case, DomainName)\\n | where isnotempty(DomainName)\\n | where TimeGenerated \u003e= ago(ioc_lookBack)\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n | where Active == true and ExpirationDateTime \u003e now()\\n | extend TI_DomainEntity = DomainName;\\nDomain_Indicators\\n // Join with CommonSecurityLog to find potential malicious activity\\n | join kind=innerunique (\\n CommonSecurityLog\\n | extend IngestionTime = ingestion_time()\\n | where IngestionTime \u003e ago(dt_lookBack)\\n | where DeviceVendor =~ \u0027Palo Alto Networks\u0027\\n | where DeviceEventClassID =~ \u0027url\u0027\\n // Uncomment the line below to only alert on allowed connections\\n // | where DeviceAction !~ \\\"block-url\\\"\\n // Extract domain from RequestURL, if not present, extract it from AdditionalExtensions\\n | extend PA_Url = coalesce(RequestURL, \\\"None\\\")\\n | extend PA_Url = iif(isempty(PA_Url) and AdditionalExtensions !startswith \\\"PanOS\\\", extract(\\\"([^\\\\\\\"]+)\\\", 1, tolower(AdditionalExtensions)), trim(\u0027\\\"\u0027, PA_Url))\\n | extend PA_Url = iif(PA_Url !in~ (\u0027None\u0027, \u0027http://None\u0027, \u0027https://None\u0027) and PA_Url !startswith \\\"http://\\\" and PA_Url !startswith \\\"https://\\\" and ApplicationProtocol !~ \\\"ssl\\\", strcat(\u0027http://\u0027, PA_Url), PA_Url)\\n | extend PA_Url = iif(PA_Url !in~ (\u0027None\u0027, \u0027http://None\u0027, \u0027https://None\u0027) and PA_Url !startswith \\\"https://\\\" and ApplicationProtocol =~ \\\"ssl\\\", strcat(\u0027https://\u0027, PA_Url), PA_Url)\\n | extend Domain = trim(@\\\"\\\"\\\"\\\", tostring(parse_url(PA_Url).Host))\\n | where isnotempty(Domain)\\n | extend Domain = tolower(Domain)\\n | extend parts = split(Domain, \u0027.\u0027)\\n // Split out the top-level domain (TLD) for the purpose of checking if we have any TI indicators with this TLD to match on\\n | extend tld = parts[(array_length(parts)-1)]\\n // Validate parsed domain by checking TLD against TLDs from the threat feed and drop domains where there is no chance of a match\\n | where tld in~ (list_tlds)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n ) on $left.TI_DomainEntity == $right.Domain\\n | where CommonSecurityLog_TimeGenerated \u003c ExpirationDateTime\\n // Group the results by IndicatorId and Domain and keep only the latest CommonSecurityLog_TimeGenerated\\n | summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, Domain\\n // Select the desired fields for the final result set\\n | project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, PA_Url, Domain, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DeviceAction, DestinationIP, DestinationPort, DeviceName, SourceIP, SourcePort, ApplicationProtocol, RequestMethod, Type, TI_DomainEntity\\n // Add a new field \u0027timestamp\u0027 for convenience, using the CommonSecurityLog_TimeGenerated as its value\\n | extend timestamp = CommonSecurityLog_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"DeviceName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"PA_Url\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"TI map Domain entity to PaloAlto\",\"description\":\"Identifies a match in Palo Alto data in CommonSecurityLog table from any Domain IOC from TI\",\"lastUpdatedDateUTC\":\"2024-07-09T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/90d3f6ec-80fb-48e0-9937-2c70c9df9bad\",\"name\":\"90d3f6ec-80fb-48e0-9937-2c70c9df9bad\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Low\",\"query\":\"let DomainList = dynamic([\\\"tor2web.org\\\", \\\"tor2web.com\\\", \\\"torlink.co\\\", \\\"onion.to\\\", \\\"onion.ink\\\", \\\"onion.cab\\\", \\\"onion.nu\\\", \\\"onion.link\\\",\\n\\\"onion.it\\\", \\\"onion.city\\\", \\\"onion.direct\\\", \\\"onion.top\\\", \\\"onion.casa\\\", \\\"onion.plus\\\", \\\"onion.rip\\\", \\\"onion.dog\\\", \\\"tor2web.fi\\\",\\n\\\"tor2web.blutmagie.de\\\", \\\"onion.sh\\\", \\\"onion.lu\\\", \\\"onion.pet\\\", \\\"t2w.pw\\\", \\\"tor2web.ae.org\\\", \\\"tor2web.io\\\", \\\"tor2web.xyz\\\", \\\"onion.lt\\\",\\n\\\"s1.tor-gateways.de\\\", \\\"s2.tor-gateways.de\\\", \\\"s3.tor-gateways.de\\\", \\\"s4.tor-gateways.de\\\", \\\"s5.tor-gateways.de\\\", \\\"hiddenservice.net\\\"]);\\nSyslog\\n| where ProcessName contains \\\"squid\\\"\\n| extend URL = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :]*)\\\",3,SyslogMessage),\\n SourceIP = extract(\\\"([0-9]+ )(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3}))\\\",2,SyslogMessage),\\n Status = extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))\\\",1,SyslogMessage),\\n HTTP_Status_Code = extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))/([0-9]{3})\\\",8,SyslogMessage),\\n User = extract(\\\"(CONNECT |GET )([^ ]* )([^ ]+)\\\",3,SyslogMessage),\\n RemotePort = extract(\\\"(CONNECT |GET )([^ ]*)(:)([0-9]*)\\\",4,SyslogMessage),\\n Domain = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :\\\\\\\\/]*)\\\",3,SyslogMessage),\\n Bytes = toint(extract(\\\"([A-Z]+\\\\\\\\/[0-9]{3} )([0-9]+)\\\",2,SyslogMessage)),\\n contentType = extract(\\\"([a-z/]+$)\\\",1,SyslogMessage)\\n| extend TLD = extract(\\\"\\\\\\\\.[a-z]*$\\\",0,Domain)\\n| where HTTP_Status_Code == \\\"200\\\"\\n| where Domain contains \\\".\\\"\\n| where Domain has_any (DomainList)\\n| extend AccountName = tostring(split(User, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(User, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"User\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URL\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Squid proxy events for ToR proxies\",\"description\":\"Check for Squid proxy events associated with common ToR proxies. This query presumes the default squid log format is being used.\\nhttp://www.squid-cache.org/Doc/config/access_log/\",\"lastUpdatedDateUTC\":\"2024-07-25T00:00:00Z\",\"createdDateUTC\":\"2019-07-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"SyslogAma\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f7f4a77e-f68f-4b56-9aaf-a0c9d87d7a8e\",\"name\":\"f7f4a77e-f68f-4b56-9aaf-a0c9d87d7a8e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.4\",\"severity\":\"Low\",\"query\":\"// Replace these with the username or emails of your VIP users you wish to monitor for.\\nlet vips = dynamic([\u0027vip1@email.com\u0027,\u0027vip2@email.com\u0027]);\\n// Add users who are allowed to conduct these searches - this could be specific SOC team members\\nlet allowed_users = dynamic([]);\\nLAQueryLogs\\n| where QueryText has_any (vips) or QueryText has_any (\u0027_GetWatchlist(\\\"VIPUsers\\\")\u0027, \\\"_GetWatchlist(\u0027VIPUsers\u0027)\\\")\\n| where AADEmail !in (allowed_users)\\n| project TimeGenerated, AADEmail, RequestClientApp, QueryText, ResponseRowCount, RequestTarget\\n| extend timestamp = TimeGenerated, AccountName = tostring(split(AADEmail, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(AADEmail, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"RequestTarget\"}]}],\"tactics\":[\"Collection\",\"Exfiltration\"],\"displayName\":\"Users searching for VIP user activity\",\"description\":\"This query monitors for users running Log Analytics queries that contain filters for specific, defined VIP user accounts or the VIPUser watchlist template.\\nUse this detection to alert for users specifically searching for activity of sensitive users.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2020-09-16T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2b701288-b428-4fb8-805e-e4372c574786\",\"name\":\"2b701288-b428-4fb8-805e-e4372c574786\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Medium\",\"query\":\"//The bigger the window the better the data sample size, as we use IP prevalence, more sample data is better.\\n//The minimum number of countries that the account has been accessed from [default: 2]\\nlet minimumCountries = 2;\\n//The delta (%) between the largest in-use IP and the smallest [default: 95]\\nlet deltaThreshold = 95;\\n//The maximum (%) threshold that the country appears in login data [default: 10]\\nlet countryPrevalenceThreshold = 10;\\n//The time to project forward after the last login activity [default: 60min]\\nlet projectedEndTime = 60m;\\nlet queryfrequency = 1d;\\nlet queryperiod = 14d;\\nlet aadFunc = (tableName: string) {\\n // Get successful signins to Teams\\n let signinData =\\n table(tableName)\\n | where TimeGenerated \u003e ago(queryperiod)\\n | where AppDisplayName has \\\"Teams\\\" and ConditionalAccessStatus =~ \\\"success\\\"\\n | extend Country = tostring(todynamic(LocationDetails)[\u0027countryOrRegion\u0027])\\n | where isnotempty(Country) and isnotempty(IPAddress);\\n // Calculate prevalence of countries\\n let countryPrevalence =\\n signinData\\n | summarize CountCountrySignin = count() by Country\\n | extend TotalSignin = toscalar(signinData | summarize count())\\n | extend CountryPrevalence = toreal(CountCountrySignin) / toreal(TotalSignin) * 100;\\n // Count signins by user and IP address\\n let userIpSignin =\\n signinData\\n | summarize CountIPSignin = count(), Country = any(Country), ListSigninTimeGenerated = make_list(TimeGenerated) by IPAddress, UserPrincipalName;\\n // Calculate delta between the IP addresses with the most and minimum activity by user\\n let userIpDelta =\\n userIpSignin\\n | summarize MaxIPSignin = max(CountIPSignin), MinIPSignin = min(CountIPSignin), DistinctCountries = dcount(Country), make_set(Country) by UserPrincipalName\\n | extend UserIPDelta = toreal(MaxIPSignin - MinIPSignin) / toreal(MaxIPSignin) * 100;\\n // Collect Team operations the user account has performed within a time range of the suspicious signins\\n OfficeActivity\\n | where TimeGenerated \u003e ago(queryfrequency)\\n | where Operation in~ (\\\"TeamsAdminAction\\\", \\\"MemberAdded\\\", \\\"MemberRemoved\\\", \\\"MemberRoleChanged\\\", \\\"AppInstalled\\\", \\\"BotAddedToTeam\\\")\\n | where not (Operation in~ (\\\"MemberAdded\\\", \\\"MemberRemoved\\\") and CommunicationType in~ (\\\"GroupChat\\\", \\\"OneonOne\\\")) // These events have been noisy and are related to initiaing chat conversation and not admin operations.\\n | project OperationTimeGenerated = TimeGenerated, UserId = tolower(UserId), Operation\\n | join kind = inner(\\n userIpDelta\\n // Check users with activity from distinct countries\\n | where DistinctCountries \u003e= minimumCountries\\n // Check users with high IP delta\\n | where UserIPDelta \u003e= deltaThreshold\\n // Add information about signins and countries\\n | join kind = leftouter userIpSignin on UserPrincipalName\\n | join kind = leftouter countryPrevalence on Country\\n // Check activity that comes from nonprevalent countries\\n | where CountryPrevalence \u003c countryPrevalenceThreshold\\n | project\\n UserPrincipalName,\\n SuspiciousIP = IPAddress,\\n UserIPDelta,\\n SuspiciousSigninCountry = Country,\\n SuspiciousCountryPrevalence = CountryPrevalence,\\n EventTimes = ListSigninTimeGenerated\\n ) on $left.UserId == $right.UserPrincipalName\\n // Check the signins occured 60 min before the Teams operations\\n | mv-expand SigninTimeGenerated = EventTimes\\n | extend SigninTimeGenerated = todatetime(SigninTimeGenerated)\\n | where OperationTimeGenerated between (SigninTimeGenerated .. (SigninTimeGenerated + projectedEndTime))\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\\n| summarize arg_max(SigninTimeGenerated, *) by UserPrincipalName, SuspiciousIP, OperationTimeGenerated\\n| summarize\\n ActivitySummary = make_bag(pack(tostring(SigninTimeGenerated), pack(\\\"Operation\\\", tostring(Operation), \\\"OperationTime\\\", OperationTimeGenerated)))\\n by UserPrincipalName, SuspiciousIP, SuspiciousSigninCountry, SuspiciousCountryPrevalence\\n| extend AccountName = tostring(split(UserPrincipalName, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(UserPrincipalName, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SuspiciousIP\"}]}],\"tactics\":[\"InitialAccess\",\"Persistence\"],\"displayName\":\"Anomalous login followed by Teams action\",\"description\":\"Detects anomalous IP address usage by user accounts and then checks to see if a suspicious Teams action is performed.\\nQuery calculates IP usage Delta for each user account and selects accounts where a delta \u003e= 90% is observed between the most and least used IP.\\nTo further reduce results the query performs a prevalence check on the lowest used IP\u0027s country, only keeping IP\u0027s where the country is unusual for the tenant (dynamic ranges). \\nPlease note, if the initial logic of prevalence to find suspicious logon activity is noisy then consider adding filtering based on Location. \\nFinally the user accounts activity within Teams logs is checked for suspicious commands (modifying user privileges or admin actions) during the period the suspicious IP was active.\",\"lastUpdatedDateUTC\":\"2024-12-17T00:00:00Z\",\"createdDateUTC\":\"2020-06-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a4025a76-6490-4e6b-bb69-d02be4b03f07\",\"name\":\"a4025a76-6490-4e6b-bb69-d02be4b03f07\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.4.3\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h; // Look back 1 hour for AzureNetworkAnalytics_CL logs\\nlet ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators\\n// Fetch threat intelligence indicators related to IP addresses\\nlet IP_Indicators = ThreatIntelligenceIndicator\\n | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n | where TimeGenerated \u003e= ago(ioc_lookBack)\\n | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \\\"fe80\\\" and TI_ipEntity !startswith \\\"::\\\" and TI_ipEntity !startswith \\\"127.\\\"\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n | where Active == true and ExpirationDateTime \u003e now();\\n// Perform a join between IP indicators and AzureNetworkAnalytics_CL logs for NSG Flow information\\nIP_Indicators\\n // Use innerunique to keep performance fast and result set low, as we only need one match to indicate potential malicious activity that needs investigation\\n | join kind=innerunique (\\n AzureNetworkAnalytics_CL\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | extend AzureNetworkAnalytics_CL_TimeGenerated = TimeGenerated\\n | extend PIPs = split(PublicIPs_s, \u0027|\u0027, 0)\\n | extend PIP = tostring(PIPs[0])\\n )\\n on $left.TI_ipEntity == $right.PIP\\n // Filter out logs that occurred after the expiration of the corresponding indicator\\n | where AzureNetworkAnalytics_CL_TimeGenerated \u003c ExpirationDateTime\\n // Filter out NSG Flow logs that are not allowed (FlowStatus_s == \\\"A\\\")\\n | where FlowStatus_s == \\\"A\\\"\\n // Group the results by IndicatorId and PIP (Public IP), and keep the log entry with the latest timestamp\\n | summarize AzureNetworkAnalytics_CL_TimeGenerated = arg_max(AzureNetworkAnalytics_CL_TimeGenerated, *) by IndicatorId, PIP\\n // Select the desired output fields\\n | project AzureNetworkAnalytics_CL_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\n TI_ipEntity, Computer, FlowDirection_s, FlowStatus_s, FlowType_s, SrcPublicIPs_s, DestPublicIPs_s, PublicIPs_s, L7Protocol_s, DestPort_d, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, Type\\n // Extract hostname and DNS domain from the Computer field\\n | extend HostName = tostring(split(Computer, \u0027.\u0027, 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Computer, \u0027.\u0027), 1, -1), \u0027.\u0027))\\n // Rename the timestamp field\\n | extend timestamp = AzureNetworkAnalytics_CL_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"TI_ipEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"TI map IP entity to AzureNetworkAnalytics_CL (NSG Flow Logs)\",\"description\":\"Identifies a match in AzureNetworkAnalytics_CL (NSG Flow Logs) from any IP IOC from TI that was Allowed\",\"lastUpdatedDateUTC\":\"2024-07-09T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/720d12c6-a08c-44c4-b18f-2236412d59b0\",\"name\":\"720d12c6-a08c-44c4-b18f-2236412d59b0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Low\",\"query\":\"SecurityEvent\\n | where EventID == 4688\\n | where Process !~ \\\"sdelete.exe\\\"\\n | where CommandLine has_all (\\\"accepteula\\\", \\\"-r\\\", \\\"-s\\\", \\\"-q\\\", \\\"c:/\\\")\\n | where CommandLine !has (\\\"sdelete\\\")\\n | extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n | extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n | extend AccountName = tostring(split(TargetAccount, @\u0027\\\\\u0027)[1]), AccountNTDomain = tostring(split(TargetAccount, @\u0027\\\\\u0027)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetAccount\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"DefenseEvasion\",\"Impact\"],\"displayName\":\"Potential re-named sdelete usage\",\"description\":\"This detection looks for command line parameters associated with the use of Sysinternals sdelete (https://docs.microsoft.com/sysinternals/downloads/sdelete) to delete multiple files on a host\u0027s C drive.\\nA threat actor may re-name the tool to avoid detection and then use it for destructive attacks on a host.\",\"lastUpdatedDateUTC\":\"2024-03-13T00:00:00Z\",\"createdDateUTC\":\"2022-02-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/473d57e6-f787-435c-a16b-b38b51fa9a4b\",\"name\":\"473d57e6-f787-435c-a16b-b38b51fa9a4b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.4\",\"severity\":\"High\",\"query\":\"let servicelist = dynamic([\u0027Services\\\\\\\\HealthService\u0027, \u0027Services\\\\\\\\Sense\u0027, \u0027Services\\\\\\\\WinDefend\u0027, \u0027Services\\\\\\\\MsSecFlt\u0027, \u0027Services\\\\\\\\DiagTrack\u0027, \u0027Services\\\\\\\\SgrmBroker\u0027, \u0027Services\\\\\\\\SgrmAgent\u0027, \u0027Services\\\\\\\\AATPSensorUpdater\u0027 , \u0027Services\\\\\\\\AATPSensor\u0027, \u0027Services\\\\\\\\mpssvc\u0027]);\\nlet filename = dynamic([\\\"subinacl.exe\\\",\u0027SetACL.exe\u0027]);\\nlet parameters = dynamic ([\u0027/deny=SYSTEM\u0027, \u0027/deny=S-1-5-18\u0027, \u0027/grant=SYSTEM=r\u0027, \u0027/grant=S-1-5-18=r\u0027, \u0027n:SYSTEM;p:READ\u0027, \u0027n1:SYSTEM;ta:remtrst;w:dacl\u0027]);\\nlet FullAccess = dynamic([\u0027A;CI;KA;;;SY\u0027, \u0027A;ID;KA;;;SY\u0027, \u0027A;CIID;KA;;;SY\u0027]);\\nlet ReadAccess = dynamic([\u0027A;CI;KR;;;SY\u0027, \u0027A;ID;KR;;;SY\u0027, \u0027A;CIID;KR;;;SY\u0027]);\\nlet DenyAccess = dynamic([\u0027D;CI;KR;;;SY\u0027, \u0027D;ID;KR;;;SY\u0027, \u0027D;CIID;KR;;;SY\u0027]);\\nlet timeframe = 1d;\\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where EventID == 4670\\n| where ObjectType == \u0027Key\u0027\\n| where ObjectName has_any (servicelist)\\n| parse EventData with * \u0027OldSd\\\"\u003e\u0027 OldSd \\\"\u003c\\\" *\\n| parse EventData with * \u0027NewSd\\\"\u003e\u0027 NewSd \\\"\u003c\\\" *\\n| extend Reason = case( (OldSd has \u0027;;;SY\u0027 and NewSd !has \u0027;;;SY\u0027), \u0027System Account is removed\u0027, (OldSd has_any (FullAccess) and NewSd has_any (ReadAccess)) , \u0027System permission has been changed to read from full access\u0027, (OldSd has_any (FullAccess) and NewSd has_any (DenyAccess)), \u0027System account has been given denied permission\u0027, \u0027None\u0027)\\n| project TimeGenerated, Computer, Account, ProcessName, ProcessId, ObjectName, EventData, Activity, HandleId, SubjectLogonId, OldSd, NewSd , Reason\\n),\\n(\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where EventID == 4688\\n| extend ProcessName = tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where ProcessName in~ (filename)\\n| where CommandLine has_any (servicelist) and CommandLine has_any (parameters)\\n| project TimeGenerated, Computer, Account, AccountDomain, ProcessName, ProcessNameFullPath = NewProcessName, EventID, Activity, CommandLine, EventSourceName, Type\\n),\\n(\\nWindowsEvent\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where EventID == 4670 and EventData has_any (servicelist) and EventData has \u0027Key\u0027\\n| extend ObjectType = tostring(EventData.ObjectType)\\n| where ObjectType == \u0027Key\u0027\\n| extend ObjectName = tostring(EventData.ObjectName)\\n| where ObjectName has_any (servicelist)\\n| extend OldSd = tostring(EventData.OldSd)\\n| extend NewSd = tostring(EventData.NewSd)\\n| extend Reason = case( (OldSd has \u0027;;;SY\u0027 and NewSd !has \u0027;;;SY\u0027), \u0027System Account is removed\u0027, (OldSd has_any (FullAccess) and NewSd has_any (ReadAccess)) , \u0027System permission has been changed to read from full access\u0027, (OldSd has_any (FullAccess) and NewSd has_any (DenyAccess)), \u0027System account has been given denied permission\u0027, \u0027None\u0027)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| extend ProcessId = tostring(EventData.ProcessId)\\n| extend Activity= \\\"4670 - Permissions on an object were changed.\\\"\\n| extend HandleId = tostring(EventData.HandleId)\\n| extend SubjectLogonId = tostring(EventData.SubjectLogonId)\\n| project TimeGenerated, Computer, Account, ProcessName, ProcessId, ObjectName, EventData, Activity, HandleId, SubjectLogonId, OldSd, NewSd , Reason\\n),\\n(\\nWindowsEvent\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where EventID == 4688 and EventData has_any (filename) and EventData has_any (servicelist) and EventData has_any (parameters)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend ProcessName = tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where ProcessName in~ (filename)\\n| extend CommandLine = tostring(EventData.CommandLine)\\n| where CommandLine has_any (servicelist) and CommandLine has_any (parameters)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend AccountDomain = tostring(EventData.AccountDomain)\\n| extend Activity=\\\"4688 - A new process has been created.\\\"\\n| extend EventSourceName=Provider\\n| project TimeGenerated, Computer, Account, AccountDomain, ProcessName, ProcessNameFullPath = NewProcessName, EventID, Activity, CommandLine, EventSourceName, Type\\n),\\n(\\nDeviceProcessEvents\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where InitiatingProcessFileName in~ (filename)\\n| where InitiatingProcessCommandLine has_any(servicelist) and InitiatingProcessCommandLine has_any (parameters)\\n| extend Account = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName), Computer = DeviceName\\n| project TimeGenerated, Computer, Account, AccountDomain, ProcessName = InitiatingProcessFileName, ProcessNameFullPath = FolderPath, Activity = ActionType, CommandLine = InitiatingProcessCommandLine, Type, InitiatingProcessParentFileName\\n)\\n)\\n| extend AccountName = tostring(split(Account, \\\"\\\\\\\\\\\")[0]), AccountNTDomain = tostring(split(Account, \\\"\\\\\\\\\\\")[1])\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Security Service Registry ACL Modification\",\"description\":\"Identifies attempts to modify registry ACL to evade security solutions. In the Solorigate attack, the attackers were found modifying registry permissions so services.exe cannot access the relevant registry keys to start the service.\\n The detection leverages Security Event as well as MDE data to identify when specific security services registry permissions are modified.\\n Only some portions of this detection are related to Solorigate, it also includes coverage for some common tools that perform this activity.\\n Reference on guidance for enabling registry auditing:\\n - https://docs.microsoft.com/windows/security/threat-protection/auditing/advanced-security-auditing-faq\\n - https://docs.microsoft.com/windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events\\n - https://docs.microsoft.com/windows/security/threat-protection/auditing/audit-registry\\n - https://docs.microsoft.com/windows/security/threat-protection/auditing/event-4670\\n - For the event 4670 to be created the audit policy for the registry must have auditing enabled for Write DAC and/or Write Owner\\n - https://github.com/OTRF/Set-AuditRule\\n - https://docs.microsoft.com/dotnet/api/system.security.accesscontrol.registryrights?view=dotnet-plat-ext-5.0\",\"lastUpdatedDateUTC\":\"2024-06-14T00:00:00Z\",\"createdDateUTC\":\"2021-01-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/02f6c2e5-219d-4426-a0bf-ad67abc63d53\",\"name\":\"02f6c2e5-219d-4426-a0bf-ad67abc63d53\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Medium\",\"query\":\"let lookback_start = 7d;\\nlet lookback_end = 1d;\\nlet timedelta = 5s;\\n// Get a list of previously seen DLLs being loaded\\nlet known_dlls = (Event\\n| where TimeGenerated between(ago(lookback_start)..ago(lookback_end))\\n| where EventID == 7\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend LoadedItems = parse_json(tostring(parse_json(tostring(EvData.DataItem)).EventData)).[\\\"Data\\\"]\\n| mv-expand LoadedItems\\n| where tostring(LoadedItems.[\\\"@Name\\\"]) =~ \\\"ImageLoaded\\\"\\n| extend DLL = tostring(LoadedItems.[\\\"#text\\\"])\\n| summarize by DLL);\\n// Get Image Load events related to svchost.exe\\nEvent\\n| where Source =~ \\\"Microsoft-Windows-Sysmon\\\"\\n// Image Load Event in Sysmon\\n| where EventID == 7\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Images = parse_json(tostring(parse_json(tostring(EvData.DataItem)).EventData)).[\\\"Data\\\"]\\n| mv-expand Images\\n// Parse out executing process\\n| where tostring(Images.[\\\"@Name\\\"]) =~ \\\"Image\\\"\\n| extend Image = tostring(Images.[\\\"#text\\\"])\\n| where Image endswith \\\"\\\\\\\\svchost.exe\\\"\\n// Parse out loaded DLLs\\n| extend LoadedItems = parse_json(tostring(parse_json(tostring(EvData.DataItem)).EventData)).[\\\"Data\\\"]\\n| mv-expand LoadedItems\\n| where tostring(LoadedItems.[\\\"@Name\\\"]) =~ \\\"ImageLoaded\\\"\\n| extend DLL = tostring(LoadedItems.[\\\"#text\\\"])\\n| extend Image = tostring(Image)\\n| extend ImageLoadTime = TimeGenerated\\n// Join with processes with a command line related to COM Event System\\n| join kind = inner(Event\\n| where Source =~ \\\"Microsoft-Windows-Sysmon\\\"\\n// Sysmon process execution events\\n| where EventID == 1\\n| extend RenderedDescription = tostring(split(RenderedDescription, \\\":\\\")[0])\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| extend ParentImage = tostring(column_ifexists(\\\"ParentImage\\\", \\\"NotAvailable\\\"))\\n// Command line related to COM Event System\\n| where ParentImage endswith \\\"\\\\\\\\svchost.exe\\\"\\n//| where ParentCommandLine has_all (\\\" -k LocalService\\\",\\\" -p\\\",\\\" -s EventSystem\\\")\\n| extend ProcessExecutionTime = TimeGenerated) on $left.Image == $right.ParentImage\\n// Check timespan between DLL load and process creation\\n| extend delta = ProcessExecutionTime - ImageLoadTime\\n| where ImageLoadTime \u003c= ProcessExecutionTime and delta \u003c= timedelta\\n// Filter to only newly seen DLLs\\n| where DLL !in (known_dlls)\\n| extend ParentCommandLine = tostring(column_ifexists(\\\"ParentCommandLine\\\", \\\"NotAvailable\\\"))\\n| project-reorder ImageLoadTime, ProcessExecutionTime , Image, ParentCommandLine, DLL\\n| extend Hashes = tostring(column_ifexists(\\\"Hashes\\\", \\\"NotAvailable, NotAvailable\\\"))\\n| extend Hashes = split(Hashes, \\\",\\\")\\n| mv-apply Hashes on (summarize FileHashes = make_bag(pack(tostring(split(Hashes, \\\"=\\\")[0]), tostring(split(Hashes, \\\"=\\\")[1]))))\\n| extend SHA1 = tostring(FileHashes.SHA1)\\n| extend HashAlgo = \\\"SHA1\\\"\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| extend Name = tostring(split(UserName, \\\"\\\\\\\\\\\")[1]), NTDomain = tostring(split(UserName, \\\"\\\\\\\\\\\")[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"NTDomain\",\"columnName\":\"NTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Value\",\"columnName\":\"SHA1\"},{\"identifier\":\"Algorithm\",\"columnName\":\"HashAlgo\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"COM Event System Loading New DLL\",\"description\":\"This query uses Sysmon Image Load (Event ID 7) and Process Create (Event ID 1) data to look for COM Event System being used to load a newly seen DLL.\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2022-10-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d57c33a9-76b9-40e0-9dfa-ff0404546410\",\"name\":\"d57c33a9-76b9-40e0-9dfa-ff0404546410\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"// Adjust this to use a longer timeframe to identify ADFS servers\\n//let lookback = 0d;\\n// Adjust this to adjust detection timeframe\\n//let timeframe = 1d;\\n// Filter out other servers in the AD FS farm\\nlet ADFSServersList = dynamic([\\\"ADFS02.domain.com\\\",\\\"ADFS03.domain.com\\\"]);\\n// Start by identifying ADFS servers to reduce FP chance\\nlet ADFS_Servers = (\\nEvent\\n//| where TimeGenerated \u003e ago(timeframe+lookback)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 18\\n| where Computer !in (ADFSServersList)\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, MG, ManagementGroupName, _ResourceId)\\n| extend Image = column_ifexists(\\\"Image\\\", \\\"\\\")\\n| extend process = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n| where process =~ \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| summarize by Computer\\n);\\n// Look for ADFS servers receiving connections over port 80\\nEvent\\n//| where TimeGenerated \u003e ago(timeframe)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where Computer in~ (ADFS_Servers)\\n| extend RenderedDescription = tostring(split(RenderedDescription, \\\":\\\")[0])\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, RenderedDescription, MG, ManagementGroupName, _ResourceId)\\n| extend RuleName = column_ifexists(\\\"RuleName\\\", \\\"\\\"), TechniqueId = column_ifexists(\\\"TechniqueId\\\", \\\"\\\"), TechniqueName = column_ifexists(\\\"TechniqueName\\\", \\\"\\\")\\n| parse RuleName with * \u0027technique_id=\u0027 TechniqueId \u0027,\u0027 * \u0027technique_name=\u0027 TechniqueName\\n| where EventID == 3\\n// Look for endpoints connecting to the AD FS server over port 80\\n| extend DestinationPort = column_ifexists(\\\"DestinationPort\\\", \\\"\\\"), Image = column_ifexists(\\\"Image\\\", \\\"\\\"), Initiated = column_ifexists(\\\"Initiated\\\", \\\"\\\"), SourceIp = column_ifexists(\\\"DestinationIp\\\", \\\"\\\"), DestinationIp = column_ifexists(\\\"DestinationIp\\\", \\\"\\\")\\n| where DestinationPort == 80\\n| extend process = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n// Look for the System process receiving connections\\n| where process == \u0027System\u0027 and Initiated == \u0027false\u0027\\n| where DestinationIp !in (\u0027::1\u0027,\u00270:0:0:0:0:0:0:1\u0027)\\n| extend Operation = RenderedDescription\\n| project-reorder TimeGenerated, Operation, Image, Computer, UserName\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| extend AccountName = tostring(split(UserName, @\u0027\\\\\u0027)[1]), AccountNTDomain = tostring(split(UserName, @\u0027\\\\\u0027)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserName\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIp\"}]}],\"tactics\":[\"Collection\"],\"displayName\":\"AD FS Remote HTTP Network Connection\",\"description\":\"This detection uses Sysmon events (NetworkConnect events) to detect incoming network traffic on port 80 on AD FS servers. This could be a sign of a threat actor trying to use replication services on the AD FS server to get its configuration settings and extract sensitive information such as AD FS certificates.\\nIn order to use this query you need to enable Sysmon telemetry on the AD FS Server.\\nReference: https://twitter.com/OTR_Community/status/1387038995016732672\\n\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5f171045-88ab-4634-baae-a7b6509f483b\",\"name\":\"5f171045-88ab-4634-baae-a7b6509f483b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"High\",\"query\":\"let Dev0530_threats = dynamic([\\\"Trojan:Win32/SiennaPurple.A\\\", \\\"Ransom:Win32/SiennaBlue.A\\\", \\\"Ransom:Win32/SiennaBlue.B\\\"]);\\nSecurityAlert\\n| where ProviderName == \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)\\n| where ThreatName in~ (Dev0530_threats) or ThreatFamilyName in~ (Dev0530_threats)\\n| extend CompromisedEntity = tolower(CompromisedEntity)\\n| join kind=inner (DeviceInfo\\n | extend DeviceName = tolower(DeviceName)\\n) on $left.CompromisedEntity == $right.DeviceName\\n| summarize by bin(TimeGenerated, 1d), DisplayName, ThreatName, ThreatFamilyName, PublicIP, AlertSeverity, Description, tostring(LoggedOnUsers), DeviceId, TenantId, CompromisedEntity, tostring(LoggedOnUsers), ProductName, Entities\\n| extend HostName = tostring(split(CompromisedEntity, \\\".\\\")[0]), DomainIndex = toint(indexof(CompromisedEntity, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(CompromisedEntity, DomainIndex + 1), CompromisedEntity)\\n| project-away DomainIndex\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CompromisedEntity\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"PublicIP\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"AV detections related to Dev-0530 actors\",\"description\":\"This query looks for Microsoft Defender AV detections related to Dev-0530 actors.\\nIn Microsoft Sentinel the SecurityAlerts table includes only the Device Name of the affected device, this query joins the DeviceInfo table to clearly connect other information such as Device group, ip, logged on users etc. This would allow the Microsoft Sentinel analyst to have more context related to the alert, if available.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-04-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f9949656-473f-4503-bf43-a9d9890f7d08\",\"name\":\"f9949656-473f-4503-bf43-a9d9890f7d08\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.5.2\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h; // Look back 1 hour for AppServiceHTTPLogs\\nlet ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators\\n// Fetch threat intelligence indicators related to IP addresses\\nlet IP_Indicators = ThreatIntelligenceIndicator\\n // Filter out indicators without relevant IP address fields\\n | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n | where TimeGenerated \u003e= ago(ioc_lookBack)\\n // Filtering out rows where the Confidence Score is less than 50 as they would not have an Alert Priority label. \\n | where ConfidenceScore \u003e 50\\n // Select the IP entity based on availability of different IP fields\\n | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n // Determine AlertPriority based on ConfidenceScore\\n | extend AlertPriority = case(ConfidenceScore \u003e 82, \\\"High\\\",\\n ConfidenceScore \u003e 74, \\\"Medium\\\",\\n \\\"Low\\\")\\n // Exclude local addresses using the ipv4_is_private operator and filtering out specific address prefixes\\n | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \\\"fe80\\\" and TI_ipEntity !startswith \\\"::\\\" and TI_ipEntity !startswith \\\"127.\\\"\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n | where Active == true and ExpirationDateTime \u003e now();\\n// Perform a join between IP indicators and AppServiceHTTPLogs to identify potential malicious activity\\nIP_Indicators\\n // Use innerunique to keep performance fast and result set low, as we only need one match to indicate potential malicious activity that needs investigation\\n | join kind=innerunique (\\n AppServiceHTTPLogs | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(CIp)\\n | extend WebApp = split(_ResourceId, \u0027/\u0027)[8]\\n | extend AppService_TimeGenerated = TimeGenerated // Rename time column for clarity\\n )\\n on $left.TI_ipEntity == $right.CIp\\n // Filter out logs that occurred after the expiration of the corresponding indicator\\n | where AppService_TimeGenerated \u003c ExpirationDateTime\\n // Group the results by IndicatorId and CIp, and keep the log entry with the latest timestamp\\n | summarize AppService_TimeGenerated = arg_max(AppService_TimeGenerated, *) by IndicatorId, CIp\\n // Select the desired output fields\\n | project AppService_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, CsUsername, WebApp = split(_ResourceId, \u0027/\u0027)[8], CIp, CsHost, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, _ResourceId, Type\\n // Extract hostname and DNS domain from the CsHost field\\n | extend HostName = tostring(split(CsHost, \u0027.\u0027, 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(CsHost, \u0027.\u0027), 1, -1), \u0027.\u0027))\\n // Rename the timestamp field\\n | extend timestamp = AppService_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"CsUsername\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"CIp\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"_ResourceId\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":null,\"alertDescriptionFormat\":null,\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":\"AlertPriority\"},\"tactics\":[\"CommandAndControl\"],\"displayName\":\"TI map IP entity to AppServiceHTTPLogs\",\"description\":\"Identifies a match in AppServiceHTTPLogs from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2024-07-09T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9a7f6651-801b-491c-a548-8b454b356eaa\",\"name\":\"9a7f6651-801b-491c-a548-8b454b356eaa\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZincOctober2022IOCs.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet file_path = (iocs | where Type =~ \\\"filepath\\\" | project IoC);\\nlet commandline = (iocs | where Type =~ \\\"commandline\\\" | project IoC);\\n(union isfuzzy=true \\n(DeviceNetworkEvents\\n| where InitiatingProcessFolderPath has_any (file_path) or InitiatingProcessCommandLine has_any (commandline)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, LocalIP, Type\\n| extend timestamp = TimeGenerated, HostEntity = DeviceName\\n),\\n(Event\\n| where Source =~ \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Image = EventDetail.[4].[\\\"#text\\\"], CommandLine = EventDetail.[10].[\\\"#text\\\"]\\n| where Image has_any (file_path) or CommandLine has_any (commandline)\\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, CommandLine, Image\\n| extend Type = strcat(Type, \\\": \\\", Source)\\n| extend timestamp = TimeGenerated, HostEntity = Computer , AccountEntity = UserName, ProcessEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1])\\n), \\n(DeviceProcessEvents\\n| where ( InitiatingProcessCommandLine has_any (file_path)) or ( InitiatingProcessCommandLine has_any (commandline)) or (InitiatingProcessFolderPath has_any (file_path)) or (InitiatingProcessFolderPath has_any (commandline)) or (FolderPath has_any (file_path)) or (FolderPath has_any (commandline))\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, FolderPath, Type\\n| extend timestamp = TimeGenerated, HostEntity = DeviceName , AccountEntity = InitiatingProcessAccountName, ProcessEntity = InitiatingProcessFileName\\n),\\n(DeviceFileEvents\\n| where (InitiatingProcessFolderPath has_any (file_path)) or (InitiatingProcessFolderPath has_any (commandline)) or (FolderPath has_any (file_path)) or (FolderPath has_any (commandline)) or ( InitiatingProcessCommandLine has_any (commandline)) or ( InitiatingProcessCommandLine has_any (file_path))\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RequestAccountName, RequestSourceIP, InitiatingProcessSHA256, FolderPath, Type\\n| extend timestamp = TimeGenerated, HostEntity = DeviceName , AccountEntity = RequestAccountName, ProcessEntity = InitiatingProcessFileName, AlgorithmEntity = \\\"SHA256\\\", FileHashEntity = InitiatingProcessSHA256\\n),\\n(DeviceEvents\\n| where ( InitiatingProcessCommandLine has_any (file_path)) or ( InitiatingProcessCommandLine has_any (commandline)) or (InitiatingProcessFolderPath has_any (file_path)) or (InitiatingProcessFolderPath has_any (commandline)) or (FolderPath has_any (file_path)) or (FolderPath has_any (commandline))\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, FolderPath, Type\\n| extend CommandLine = InitiatingProcessCommandLine\\n| extend timestamp = TimeGenerated, HostEntity = DeviceName , AccountEntity = InitiatingProcessAccountName, ProcessEntity = InitiatingProcessFileName\\n),\\n(SecurityEvent\\n| where EventID == 4688\\n| where ( CommandLine has_any (file_path)) or ( CommandLine has_any (commandline)) or (NewProcessName has_any (file_path)) or (NewProcessName has_any (commandline)) or (ParentProcessName has_any (file_path)) or (ParentProcessName has_any (commandline))\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type\\n| extend timestamp = TimeGenerated, HostEntity = Computer , AccountEntity = Account, ProcessEntity = NewProcessName\\n)\\n)\\n| extend HostName = tostring(split(HostEntity, \u0027.\u0027, 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(HostEntity, \u0027.\u0027), 1, -1), \u0027.\u0027))\\n| extend Name = tostring(split(AccountEntity, \u0027@\u0027, 0)[0]), UPNSuffix = tostring(split(AccountEntity, \u0027@\u0027, 1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"RemoteIP\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Zinc Actor IOCs files - October 2022\",\"description\":\"Identifies a match across filename and commandline IOC\u0027s related to an actor tracked by Microsoft as Zinc.\\nReference: https://www.microsoft.com/security/blog/2022/09/29/zinc-weaponizing-open-source-software/\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2022-09-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceFileEvents\",\"DeviceEvents\",\"DeviceProcessEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4b93c5af-d20b-4236-b696-a28b8c51407f\",\"name\":\"4b93c5af-d20b-4236-b696-a28b8c51407f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1DT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.2\",\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\nlet spanoftime = 10m;\\nlet threshold = 0;\\n(union isfuzzy=true\\n (SecurityEvent\\n | where TimeGenerated \u003e ago(timeframe+spanoftime)\\n // A user account was created\\n | where EventID == 4720\\n | where AccountType =~ \\\"User\\\"\\n | project creationTime = TimeGenerated, CreateEventID = EventID, CreateActivity = Activity, Computer = toupper(Computer), \\n TargetAccount = tolower(TargetAccount), TargetUserName, TargetDomainName, TargetSid, \\n AccountUsedToCreate = SubjectAccount, CreatedBySubjectUserName = SubjectUserName, CreatedBySubjectDomainName = SubjectDomainName, SIDofAccountUsedToCreate = SubjectUserSid, UserPrincipalName\\n ),\\n (\\n WindowsEvent\\n | where TimeGenerated \u003e ago(timeframe+spanoftime)\\n // A user account was created\\n | where EventID == 4720\\n | extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n | extend AccountType=case(EventData.SubjectUserName endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n | where AccountType =~ \\\"User\\\"\\n | extend SubjectAccount = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n | extend SubjectDomainName = tostring(EventData.SubjectDomainName), SubjectUserName = tostring(EventData.SubjectUserName)\\n | extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n | extend TargetSid = tostring(EventData.TargetSid)\\n | extend UserPrincipalName = tostring(EventData.UserPrincipalName)\\n | extend Activity = \\\"4720 - A user account was created.\\\"\\n | extend TargetUserName = tostring(EventData.TargetUserName), TargetDomainName = tostring(EventData.TargetDomainName) \\n | project creationTime = TimeGenerated, CreateEventID = EventID, CreateActivity = Activity, Computer = toupper(Computer), \\n TargetAccount = tolower(TargetAccount), TargetUserName, TargetDomainName, TargetSid, \\n AccountUsedToCreate = SubjectAccount, CreatedBySubjectUserName = SubjectUserName, CreatedBySubjectDomainName = SubjectDomainName, SIDofAccountUsedToCreate = SubjectUserSid, UserPrincipalName\\n )\\n )\\n| join kind = inner \\n(\\n (union isfuzzy=true\\n (SecurityEvent\\n | where TimeGenerated \u003e ago(timeframe)\\n // A user account was deleted\\n | where EventID == 4726\\n | where AccountType == \\\"User\\\"\\n | project deletionTime = TimeGenerated, DeleteEventID = EventID, DeleteActivity = Activity, Computer = toupper(Computer), \\n TargetAccount = tolower(TargetAccount), TargetUserName, TargetDomainName, TargetSid, \\n AccountUsedToDelete = SubjectAccount, DeletedBySubjectUserName = SubjectUserName, DeletedBySubjectDomainName = SubjectDomainName, SIDofAccountUsedToDelete = SubjectUserSid, UserPrincipalName\\n ),\\n (WindowsEvent\\n | where TimeGenerated \u003e ago(timeframe)\\n // A user account was deleted\\n | where EventID == 4726\\n | extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n | extend SubjectAccount = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n | extend AccountType=case(SubjectAccount endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n | where AccountType == \\\"User\\\"\\n | extend SubjectDomainName = tostring(EventData.SubjectDomainName), SubjectUserName = tostring(EventData.SubjectUserName)\\n | extend TargetSid = tostring(EventData.TargetSid)\\n | extend UserPrincipalName = tostring(EventData.UserPrincipalName)\\n | extend Activity = \\\"4726 - A user account was deleted.\\\"\\n | extend TargetUserName = tostring(EventData.TargetUserName), TargetDomainName = tostring(EventData.TargetDomainName) \\n | extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n | project deletionTime = TimeGenerated, DeleteEventID = EventID, DeleteActivity = Activity, Computer = toupper(Computer), \\n TargetAccount = tolower(TargetAccount), TargetUserName, TargetDomainName, TargetSid, \\n AccountUsedToDelete = SubjectAccount, DeletedBySubjectUserName = SubjectUserName, DeletedBySubjectDomainName = SubjectDomainName, SIDofAccountUsedToDelete = SubjectUserSid, UserPrincipalName\\n )\\n )\\n) on Computer, TargetAccount\\n| where deletionTime - creationTime \u003c spanoftime\\n| extend TimeDelta = deletionTime - creationTime\\n| where tolong(TimeDelta) \u003e= threshold\\n| project TimeDelta, creationTime, CreateEventID, CreateActivity, Computer, TargetAccount, TargetSid, UserPrincipalName, AccountUsedToCreate, SIDofAccountUsedToCreate,\\ndeletionTime, DeleteEventID, DeleteActivity, AccountUsedToDelete, SIDofAccountUsedToDelete, TargetUserName, TargetDomainName, \\nCreatedBySubjectUserName, CreatedBySubjectDomainName, DeletedBySubjectUserName, DeletedBySubjectDomainName\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| project-away DomainIndex\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountUsedToCreate\"},{\"identifier\":\"Name\",\"columnName\":\"CreatedBySubjectUserName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"CreatedBySubjectDomainName\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountUsedToDelete\"},{\"identifier\":\"Name\",\"columnName\":\"DeletedBySubjectUserName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"DeletedBySubjectDomainName\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetAccount\"},{\"identifier\":\"Name\",\"columnName\":\"TargetUserName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"TargetDomainName\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Sid\",\"columnName\":\"TargetSid\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"User account created and deleted within 10 mins\",\"description\":\"Identifies when a user account is created and then deleted within 10 minutes. This can be an indication of compromise and an adversary attempting to hide in the noise.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a172107d-794c-48c0-bc26-d3349fe10b4d\",\"name\":\"a172107d-794c-48c0-bc26-d3349fe10b4d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT12H\",\"queryPeriod\":\"PT12H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Dev-0530_July2022.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\nlet IPList = (iocs | where Type =~ \\\"ip\\\"| project IoC);\\n(union isfuzzy=true \\n(DeviceProcessEvents\\n| where InitiatingProcessSHA256 in (sha256Hashes) or SHA256 in (sha256Hashes) or ( InitiatingProcessCommandLine has (\u0027cmd.exe /Q /c schtasks /create /tn lockertask /tr\u0027) \\nand InitiatingProcessCommandLine has (\u0027sc minute /mo 1 /F /ru system\u0027))\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type, AccountName, SHA256\\n| extend Account = AccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = case(InitiatingProcessSHA256 in (sha256Hashes), \\\"InitiatingProcessSHA256\\\", SHA256 in (sha256Hashes), \\\"SHA256\\\", \\\"No Match\\\")\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = case(FileHash == \\\"InitiatingProcessSHA256\\\", InitiatingProcessSHA256, FileHash == \\\"SHA256\\\", SHA256, \\\"No Match\\\")\\n),\\n( SecurityEvent\\n| where EventID == 4688\\n| where ( CommandLine has (\u0027cmd.exe /Q /c schtasks /create /tn lockertask /tr\u0027) and CommandLine has (\u0027/sc minute /mo 1 /F /ru system\u0027))\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type, EventID, CommandLine\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName\\n),\\n( imFileEvent\\n| where Hash in~ (sha256Hashes) or ( ActingProcessCommandLine has (\u0027cmd.exe /Q /c schtasks /create /tn lockertask /tr\u0027) and ActingProcessCommandLine has (\u0027/sc minute /mo 1 /F /ru system\u0027))\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, FileHashCustomEntity = FileHash\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Image = EventDetail.[4].[\\\"#text\\\"], CommandLine = EventDetail.[10].[\\\"#text\\\"], Hashes = tostring(EventDetail.[17].[\\\"#text\\\"])\\n| extend Hashes = extract_all(@\\\"(?P\u003ckey\u003e\\\\w+)=(?P\u003cvalue\u003e[a-zA-Z0-9]+)\\\", dynamic([\\\"key\\\",\\\"value\\\"]), Hashes)\\n| extend Hashes = column_ifexists(\\\"Hashes\\\", \\\"\\\"), CommandLine = column_ifexists(\\\"CommandLine\\\", \\\"\\\")\\n| extend Hashes = todynamic(Hashes) | mv-expand Hashes\\n| where Hashes[0] =~ \\\"SHA256\\\"\\n| where (Hashes[1] has_any (sha256Hashes)) or ( CommandLine has (\u0027cmd.exe /Q /c schtasks /create /tn lockertask /tr\u0027) and CommandLine has (\u0027/sc minute /mo 1 /F /ru system\u0027)) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, Hashes, CommandLine, Image\\n| extend Type = strcat(Type, \\\": \\\", Source)\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), FileHashCustomEntity = tostring(Hashes[1])\\n),\\n(DeviceFileEvents\\n| where SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n),\\n(EmailEvents\\n| where SenderFromAddress == \u0027H0lyGh0st@mail2tor.com\u0027\\n| extend timestamp = TimeGenerated, IPCustomEntity = SenderIPv4, AccountCustomEntity = SenderFromAddress \\n),\\n(CommonSecurityLog \\n| where isnotempty(SourceIP) or isnotempty(DestinationIP) \\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList) or FileHash in (sha256Hashes)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"Message\\\") \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch , FileHash\\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\"), FileHashCustomEntity = FileHash\\n), \\n(OfficeActivity \\n|extend SourceIPAddress = ClientIP, Account = UserId \\n| where SourceIPAddress in (IPList) \\n| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account \\n),\\n(SigninLogs \\n| where isnotempty(IPAddress) \\n| where IPAddress in (IPList) \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \\n),\\n(AADNonInteractiveUserSignInLogs \\n| where isnotempty(IPAddress) \\n| where IPAddress in (IPList) \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \\n), \\n(W3CIISLog \\n| where isnotempty(cIP) \\n| where cIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName \\n), \\n(AzureActivity \\n| where isnotempty(CallerIpAddress) \\n| where CallerIpAddress in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller \\n), \\n( \\nAWSCloudTrail \\n| where isnotempty(SourceIpAddress) \\n| where SourceIpAddress in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName \\n), \\n( \\nDeviceNetworkEvents \\n| where isnotempty(RemoteIP) \\n| where RemoteIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName \\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallNetworkRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n),\\n(\\nAZFWApplicationRule\\n| where Fqdn has_any (IPList)\\n| extend IPCustomEntity = SourceIp\\n),\\n(\\nAZFWNetworkRule\\n| where DestinationIp has_any (IPList)\\n| extend IPCustomEntity = SourceIp\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"[Deprecated] - Dev-0530 IOC - July 2022\",\"description\":\"This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft\u0027s Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2022-07-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\",\"DeviceProcessEvents\",\"DeviceNetworkEvents\",\"EmailEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\",\"AZFWApplicationRule\",\"AZFWNetworkRule\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2bc7b4ae-eeaa-4538-ba15-ef298ec1ffae\",\"name\":\"2bc7b4ae-eeaa-4538-ba15-ef298ec1ffae\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n| where EventID == 4656\\n| extend EventData = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, TargetAccount, Computer, EventSourceName, Channel, Task, Level, EventID, Activity, TargetLogonId, SourceComputerId, EventOriginId, Type, _ResourceId, TenantId, SourceSystem, ManagementGroupName, IpAddress, Account)\\n| extend ObjectServer = column_ifexists(\u0027ObjectServer\u0027, \\\"\\\"), ObjectType = column_ifexists(\u0027ObjectType\u0027, \\\"\\\"), ObjectName = column_ifexists(\u0027ObjectName\u0027, \\\"\\\")\\n| where isnotempty(ObjectServer) and isnotempty(ObjectType) and isnotempty(ObjectName)\\n| where ObjectServer =~ \\\"SC Manager\\\" and ObjectType =~ \\\"SERVICE OBJECT\\\" and ObjectName =~ \\\"HealthService\\\"\\n// Comment out the join below if the SACL only audits users that are part of the Network logon users, i.e. with user/group target pointing to \\\"NU.\\\"\\n| join kind=leftouter (\\n SecurityEvent\\n | where EventID == 4624\\n) on TargetLogonId\\n| project TimeGenerated, Computer, Account, TargetAccount, IpAddress,TargetLogonId, ObjectServer, ObjectType, ObjectName\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| extend AccountName = tostring(split(TargetAccount, @\u0027\\\\\u0027)[1]), AccountNTDomain = tostring(split(TargetAccount, @\u0027\\\\\u0027)[0])\\n| extend timestamp = TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetAccount\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Starting or Stopping HealthService to Avoid Detection\",\"description\":\"This query detects events where an actor is stopping or starting HealthService to disable telemetry collection/detection from the agent.\\n The query requires a SACL to audit for access request to the service.\",\"lastUpdatedDateUTC\":\"2024-03-13T00:00:00Z\",\"createdDateUTC\":\"2021-03-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c87fb346-ea3a-4c64-ba92-3dd383e0f0b5\",\"name\":\"c87fb346-ea3a-4c64-ba92-3dd383e0f0b5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"High\",\"query\":\"let DomainNames = \\\"miniodaum.ml\\\";\\nlet SHA256Hash = dynamic ([\\\"53f5773bbfbfbee660989d135c042c9f6f69024b9a4b65bdc0dfd44771762257\\\", \\\"0897c80df8b80b4c49bf1ccf876f5f782849608b830c3b5cb3ad212dc3e19eff\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where isnotempty(FileHash)\\n| where FileHash in (SHA256Hash) or DNSName =~ DomainNames\\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n),\\n (_Im_Dns (domain_has_any=DomainNames)\\n| extend DNSName = DnsQuery \\n| extend IPAddress = SrcIpAddr, Computer = Dvc\\n), \\n(_Im_WebSession(url_has_any=DomainNames) \\n| extend DNSName = tostring(parse_url(Url)[\\\"Host\\\"])\\n| extend IPAddress = SrcIpAddr, Account=User\\n),\\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where isnotempty(DNSName)\\n| where DNSName =~ DomainNames\\n| extend IPAddress = RemoteIp\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallNetworkRule\\\"\\n| where msg_s has_any (DomainNames)\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePortInt:int \\\" to \\\" TargetIP \\\":\\\" TargetPortInt:int *\\n| parse kind=regex flags=U msg_s with * \\\". Action\\\\\\\\: \\\" Action1a \\\"\\\\\\\\.\\\"\\n| parse msg_s with * \\\". Policy: \\\" Policy \\\". Rule Collection Group: \\\" RuleCollectionGroup \\\".\\\" *\\n| parse msg_s with * \\\" Rule Collection: \\\" RuleCollection \\\". Rule: \\\" Rule \\n| extend IPCustomEntity = SourceIP\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| where msg_s has_any (DomainNames)\\n| parse msg_s with \\\"DNS Request: \\\" SourceIP \\\":\\\" SourcePortInt:int \\\" - \\\" QueryID:int \\\" \\\" RequestType \\\" \\\" RequestClass \\\" \\\" hostname \\\". \\\" protocol \\\" \\\" details\\n| extend\\n ResponseDuration = extract(\\\"[0-9]*.?[0-9]+s$\\\", 0, msg_s),\\n SourcePort = tostring(SourcePortInt),\\n QueryID = tostring(QueryID)\\n| project TimeGenerated,SourceIP,hostname,RequestType,ResponseDuration,details,msg_s\\n| order by TimeGenerated\\n| extend IPCustomEntity = SourceIP\\n),\\n(AZFWApplicationRule\\n| where Fqdn has_any (DomainNames)\\n| extend IPCustomEntity = SourceIp\\n),\\n(AZFWDnsQuery\\n| where isnotempty(QueryName)\\n| where QueryName has_any (DomainNames)\\n| extend DNSName = QueryName\\n| extend IPCustomEntity = SourceIp\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"CredentialAccess\"],\"displayName\":\"[Deprecated] - Known Ruby Sleet domains and hashes\",\"description\":\"This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft\u0027s Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2020-10-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\",\"AZFWApplicationRule\",\"AZFWDnsQuery\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d5b32cd4-2328-43da-ab47-cd289c1f5efc\",\"name\":\"d5b32cd4-2328-43da-ab47-cd289c1f5efc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.2\",\"severity\":\"Low\",\"query\":\"DnsEvents\\n| where Name contains \\\".\\\"\\n| where Name has_any (\\\"monerohash.com\\\", \\\"do-dear.com\\\", \\\"xmrminerpro.com\\\", \\\"secumine.net\\\", \\\"xmrpool.com\\\", \\\"minexmr.org\\\", \\\"hashanywhere.com\\\",\\n\\\"xmrget.com\\\", \\\"mininglottery.eu\\\", \\\"minergate.com\\\", \\\"moriaxmr.com\\\", \\\"multipooler.com\\\", \\\"moneropools.com\\\", \\\"xmrpool.eu\\\", \\\"coolmining.club\\\",\\n\\\"supportxmr.com\\\", \\\"minexmr.com\\\", \\\"hashvault.pro\\\", \\\"xmrpool.net\\\", \\\"crypto-pool.fr\\\", \\\"xmr.pt\\\", \\\"miner.rocks\\\", \\\"walpool.com\\\", \\\"herominers.com\\\",\\n\\\"gntl.co.uk\\\", \\\"semipool.com\\\", \\\"coinfoundry.org\\\", \\\"cryptoknight.cc\\\", \\\"fairhash.org\\\", \\\"baikalmine.com\\\", \\\"tubepool.xyz\\\", \\\"fairpool.xyz\\\", \\\"asiapool.io\\\",\\n\\\"coinpoolit.webhop.me\\\", \\\"nanopool.org\\\", \\\"moneropool.com\\\", \\\"miner.center\\\", \\\"prohash.net\\\", \\\"poolto.be\\\", \\\"cryptoescrow.eu\\\", \\\"monerominers.net\\\", \\\"cryptonotepool.org\\\",\\n\\\"extrmepool.org\\\", \\\"webcoin.me\\\", \\\"kippo.eu\\\", \\\"hashinvest.ws\\\", \\\"monero.farm\\\", \\\"supportxmr.com\\\", \\\"xmrpool.eu\\\", \\\"linux-repository-updates.com\\\", \\\"1gh.com\\\",\\n\\\"dwarfpool.com\\\", \\\"hash-to-coins.com\\\", \\\"hashvault.pro\\\", \\\"pool-proxy.com\\\", \\\"hashfor.cash\\\", \\\"fairpool.cloud\\\", \\\"litecoinpool.org\\\", \\\"mineshaft.ml\\\", \\\"abcxyz.stream\\\",\\n\\\"moneropool.ru\\\", \\\"cryptonotepool.org.uk\\\", \\\"extremepool.org\\\", \\\"extremehash.com\\\", \\\"hashinvest.net\\\", \\\"unipool.pro\\\", \\\"crypto-pools.org\\\", \\\"monero.net\\\",\\n\\\"backup-pool.com\\\", \\\"mooo.com\\\", \\\"freeyy.me\\\", \\\"cryptonight.net\\\", \\\"shscrypto.net\\\")\\n| extend HostName = iff(Computer has \u0027.\u0027, substring(Computer,0,indexof(Computer,\u0027.\u0027)),Computer)\\n| extend DnsDomain = iff(Computer has \u0027.\u0027, substring(Computer,indexof(Computer,\u0027.\u0027)+1),\\\"\\\")\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"NRT DNS events related to mining pools\",\"description\":\"Identifies IP addresses that may be performing DNS lookups associated with common currency mining pools.\",\"lastUpdatedDateUTC\":\"2024-03-13T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0dd422ee-e6af-4204-b219-f59ac172e4c6\",\"name\":\"0dd422ee-e6af-4204-b219-f59ac172e4c6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"ThreatIntelligence\",\"properties\":{\"severity\":\"Medium\",\"tactics\":[\"Persistence\",\"LateralMovement\"],\"displayName\":\"(Preview) Microsoft Defender Threat Intelligence Analytics\",\"description\":\"This rule generates an alert when a Microsoft Defender Threat Intelligence Indicator gets matched with your event logs. The alerts are very high fidelity.\",\"lastUpdatedDateUTC\":\"2023-03-15T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a35f2c18-1b97-458f-ad26-e033af18eb99\",\"name\":\"a35f2c18-1b97-458f-ad26-e033af18eb99\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.8\",\"severity\":\"Low\",\"query\":\"// For AD SID mappings - https://docs.microsoft.com/windows/security/identity-protection/access-control/active-directory-security-groups\\nlet WellKnownLocalSID = \\\"S-1-5-32-5[0-9][0-9]$\\\";\\nlet WellKnownGroupSID = \\\"S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\\\";\\nunion isfuzzy=true\\n(\\nSecurityEvent\\n// 4728 - A member was added to a security-enabled global group\\n// 4732 - A member was added to a security-enabled local group\\n// 4756 - A member was added to a security-enabled universal group\\n| where EventID in (4728, 4732, 4756)\\n| where AccountType == \\\"User\\\"\\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID\\n// Exclude Remote Desktop Users group: S-1-5-32-555\\n| where TargetSid !in (\\\"S-1-5-32-555\\\")\\n| extend SimpleMemberName = iff(MemberName == \\\"-\\\", MemberName, substring(MemberName, 3, indexof_regex(MemberName, @\\\",OU|,CN\\\") - 3))\\n| project TimeGenerated, EventID, Activity, Computer, SimpleMemberName, MemberName, MemberSid, TargetAccount, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, \\nSubjectAccount, SubjectUserName, SubjectDomainName, SubjectUserSid\\n),\\n(\\nWindowsEvent\\n// 4728 - A member was added to a security-enabled global group\\n// 4732 - A member was added to a security-enabled local group\\n// 4756 - A member was added to a security-enabled universal group\\n| where EventID in (4728, 4732, 4756) and not(EventData has \\\"S-1-5-32-555\\\")\\n| extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend AccountType=case(Account endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n| extend MemberName = tostring(EventData.MemberName)\\n| where AccountType == \\\"User\\\"\\n| extend TargetSid = tostring(EventData.TargetSid)\\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID\\n// Exclude Remote Desktop Users group: S-1-5-32-555\\n| where TargetSid !in (\\\"S-1-5-32-555\\\")\\n| extend SimpleMemberName = iff(MemberName == \\\"-\\\", MemberName, substring(MemberName, 3, indexof_regex(MemberName, @\\\",OU|,CN\\\") - 3))\\n| extend MemberSid = tostring(EventData.MemberSid)\\n| extend TargetUserName = tostring(EventData.TargetUserName), TargetDomainName = tostring(EventData.TargetDomainName), \\nTargetAccount = strcat(tostring(EventData.TargetDomainName),\\\"\\\\\\\\\\\", tostring(EventData.TargetUserName))\\n| extend UserPrincipalName = tostring(EventData.UserPrincipalName)\\n| extend SubjectUserName = tostring(EventData.SubjectUserName), SubjectDomainName = tostring(EventData.SubjectDomainName), \\nSubjectAccount = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| project TimeGenerated, EventID, Computer, SimpleMemberName, MemberName, MemberSid, TargetAccount, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, \\nSubjectAccount, SubjectUserName, SubjectDomainName, SubjectUserSid\\n)\\n| extend GroupAddedMemberTo = TargetAccount, AddedByAccount = SubjectAccount, AddedByAccountName = SubjectUserName, AddedByAccountDomainName = SubjectDomainName, \\nAddedByAccountSid = SubjectUserSid, AddedMemberName = SimpleMemberName, AddedMemberSid = MemberSid\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| project-away DomainIndex\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SubjectAccount\"},{\"identifier\":\"Name\",\"columnName\":\"SubjectUserName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"SubjectDomainName\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Sid\",\"columnName\":\"SubjectUserSid\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"AddedMemberName\"},{\"identifier\":\"Sid\",\"columnName\":\"AddedMemberSid\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"User account added to built in domain local or global group\",\"description\":\"Identifies when a user account has been added to a privileged built in domain local group or global group such as the Enterprise Admins, Cert Publishers or DnsAdmins. Be sure to verify this is an expected addition.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1ff56009-db01-4615-8211-d4fda21da02d\",\"name\":\"1ff56009-db01-4615-8211-d4fda21da02d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"High\",\"query\":\"AuditLogs\\n| where Category =~ \\\"ApplicationManagement\\\" and LoggedByService =~ \\\"Core Directory\\\" and OperationName in~ (\\\"Add delegated permission grant\\\", \\\"Add app role assignment to service principal\\\")\\n| mv-apply TargetResource = TargetResources on\\n (\\n where TargetResource.type =~ \\\"ServicePrincipal\\\" and array_length(TargetResource.modifiedProperties) \u003e 0 and isnotnull(TargetResource.displayName)\\n | extend props = TargetResource.modifiedProperties\\n )\\n| mv-apply Property = props on\\n (\\n where Property.displayName in~ (\\\"AppRole.Value\\\",\\\"DelegatedPermissionGrant.Scope\\\")\\n | extend DisplayName = tostring(Property.displayName), PermissionGrant = trim(\u0027\\\"\u0027,tostring(Property.newValue))\\n )\\n| where PermissionGrant has \\\"RoleManagement.ReadWrite.Directory\\\"\\n| mv-apply Property = props on\\n (\\n where Property.displayName =~ \\\"ServicePrincipal.DisplayName\\\"\\n | extend TargetAppDisplayName = trim(\u0027\\\"\u0027,tostring(Property.newValue))\\n )\\n| mv-apply Property = props on\\n (\\n where Property.displayName =~ \\\"ServicePrincipal.ObjectID\\\"\\n | extend TargetAppServicePrincipalId = trim(\u0027\\\"\u0027,tostring(Property.newValue))\\n )\\n| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n| extend InitiatingIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\\n| project TimeGenerated, OperationName, Result, PermissionGrant, TargetAppDisplayName, TargetAppServicePrincipalId, InitiatingAppName, InitiatingAppServicePrincipalId,\\nInitiatingUserPrincipalName, InitiatingAadUserId, InitiatingIpAddress, TargetResources, AdditionalDetails, CorrelationId\\n| extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"TargetAppDisplayName\"},{\"identifier\":\"AadUserId\",\"columnName\":\"TargetAppServicePrincipalId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"InitiatingAppName\"},{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAppServicePrincipalId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatingAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatingAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIpAddress\"}]}],\"tactics\":[\"Persistence\",\"Impact\"],\"displayName\":\"Microsoft Entra ID Role Management Permission Grant\",\"description\":\"Identifies when the Microsoft Graph RoleManagement.ReadWrite.Directory (Delegated or Application) permission is granted to a service principal.\\nThis permission allows an application to read and manage the role-based access control (RBAC) settings for your company\u0027s directory.\\nAn adversary could use this permission to add an Microsoft Entra ID object to an Admin directory role and escalate privileges.\\nRef : https://docs.microsoft.com/graph/permissions-reference#role-management-permissions\\nRef : https://docs.microsoft.com/graph/api/directoryrole-post-members?view=graph-rest-1.0\u0026tabs=http\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2021-11-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/66276b14-32c5-4226-88e3-080dacc31ce1\",\"name\":\"66276b14-32c5-4226-88e3-080dacc31ce1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.3\",\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\nlet AccountAllowList = dynamic([\u0027SYSTEM\u0027]);\\nlet SubCategoryList = dynamic([\\\"Logoff\\\", \\\"Account Lockout\\\", \\\"User Account Management\\\", \\\"Authorization Policy Change\\\"]); // Add any Category in the list to be allowed or disallowed\\nlet tokens = dynamic([\\\"clear\\\", \\\"remove\\\", \\\"success:disable\\\",\\\"failure:disable\\\"]); \\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(timeframe)\\n//| where Process =~ \\\"auditpol.exe\\\" \\n| where CommandLine has_any (tokens)\\n| where AccountType !~ \\\"Machine\\\" and Account !in~ (AccountAllowList)\\n| parse CommandLine with * \\\"/subcategory:\\\" subcategorytoken\\n| extend SubCategory = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[1]) , Toggle = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[2])\\n| where SubCategory in~ (SubCategoryList) //use in~ for inclusion or !in~ for exclusion\\n| where Toggle !in~ (\\\"/failure:disable\\\", \\\" /success:enable /failure:disable\\\") // use this filter if required to exclude certain toggles\\n| project TimeGenerated, Computer, Account, SubjectDomainName, SubjectUserName, Process, ParentProcessName, CommandLine, SubCategory, Toggle\\n| extend timestamp = TimeGenerated, AccountName = SubjectUserName, AccountDomain = SubjectDomainName, DeviceName = Computer\\n),\\n(\\nDeviceProcessEvents\\n| where TimeGenerated \u003e= ago(timeframe)\\n// | where InitiatingProcessFileName =~ \\\"auditpol.exe\\\" \\n| where InitiatingProcessCommandLine has_any (tokens)\\n| where AccountName !in~ (AccountAllowList)\\n| parse InitiatingProcessCommandLine with * \\\"/subcategory:\\\" subcategorytoken\\n| extend SubCategory = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[1]) , Toggle = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[2])\\n| where SubCategory in~ (SubCategoryList) //use in~ for inclusion or !in~ for exclusion\\n| where Toggle !in~ (\\\"/failure:disable\\\", \\\" /success:enable /failure:disable\\\") // use this filter if required to exclude certain toggles\\n| project TimeGenerated, DeviceName, AccountName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessParentFileName, InitiatingProcessCommandLine, SubCategory, Toggle\\n| extend timestamp = TimeGenerated, AccountName = InitiatingProcessAccountName, AccountDomain = InitiatingProcessAccountDomain\\n),\\n(\\nEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key=tostring([\u0027@Name\u0027]), Value=[\u0027#text\u0027]\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n// | where OriginalFileName =~ \\\"auditpol.exe\\\"\\n| where CommandLine has_any (tokens)\\n| where User !in~ (AccountAllowList)\\n| parse CommandLine with * \\\"/subcategory:\\\" subcategorytoken\\n| extend SubCategory = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[1]) , Toggle = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[2])\\n| where SubCategory in~ (SubCategoryList) //use in~ for inclusion or !in~ for exclusion\\n| where Toggle !in~ (\\\"/failure:disable\\\", \\\" /success:enable /failure:disable\\\") // use this filter if required to exclude certain toggles\\n| project TimeGenerated, Computer, User, Process, ParentImage, CommandLine, SubCategory, Toggle\\n| extend timestamp = TimeGenerated, AccountName = tostring(split(User, @\u0027\\\\\u0027)[1]), AccountUPNSuffix = tostring(split(User, @\u0027\\\\\u0027)[0]), DeviceName = Computer\\n)\\n)\\n| extend Account = strcat(AccountDomain, \\\"\\\\\\\\\\\", AccountName)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"DeviceName\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"Audit policy manipulation using auditpol utility\",\"description\":\"This detects attempts to manipulate audit policies using auditpol command.\\nThis technique was seen in relation to Solorigate attack but the results can indicate potential malicious activity used in different attacks.\\nThe process name in each data source is commented out as an adversary could rename it. It is advisable to keep process name commented but if the results show unrelated false positives, users may want to uncomment it.\\nRefer to auditpol syntax: https://docs.microsoft.com/windows-server/administration/windows-commands/auditpol \\nRefer to our M365 blog for details on use during the Solorigate attack:\\nhttps://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6116dc19-475a-4148-84b2-efe89c073e27\",\"name\":\"6116dc19-475a-4148-84b2-efe89c073e27\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let threshold = 10;\\nQualysHostDetectionV2_CL\\n| extend Status = tostring(Status_s), Vulnerability = tostring(QID_s), Severity = tostring(Severity_s)\\n| where Status =~ \\\"New\\\" and Severity == \\\"5\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), dcount(NetBios_s) by tostring(QID_s)\\n| where dcount_NetBios_s \u003e= threshold\\n| extend timestamp = StartTime\",\"entityMappings\":[],\"tactics\":[\"InitialAccess\"],\"displayName\":\"New High Severity Vulnerability Detected Across Multiple Hosts\",\"description\":\"This creates an incident when a new high severity vulnerability is detected across multilple hosts\",\"lastUpdatedDateUTC\":\"2022-12-28T00:00:00Z\",\"createdDateUTC\":\"2020-06-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"QualysVulnerabilityManagement\",\"dataTypes\":[\"QualysHostDetection_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/39198934-62a0-4781-8416-a81265c03fd6\",\"name\":\"39198934-62a0-4781-8416-a81265c03fd6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"let detectionTime = 1d;\\nlet joinLookback = 14d;\\nAuditLogs\\n| where TimeGenerated \u003e ago(detectionTime)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Consent to application\\\"\\n| where TargetResources has \\\"offline\\\"\\n| mv-apply TargetResource = TargetResources on \\n (\\n where TargetResource.type =~ \\\"ServicePrincipal\\\"\\n | extend AppDisplayName = tostring(TargetResource.displayName),\\n AppClientId = tostring(TargetResource.id),\\n props = TargetResource.modifiedProperties\\n )\\n| where AppClientId !in ((externaldata(knownAppClientId:string, knownAppDisplayName:string)[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.OAuth.KnownApplications.csv\\\"] with (format=\\\"csv\\\")))\\n| mv-apply ConsentFull = props on \\n (\\n where ConsentFull.displayName =~ \\\"ConsentAction.Permissions\\\"\\n )\\n| parse ConsentFull with * \\\"ConsentType: \\\" GrantConsentType \\\", Scope: \\\" GrantScope1 \\\"]\\\" *\\n| where ConsentFull has_all (\\\"user.read\\\", \\\"offline_access\\\", \\\"mail.readwrite\\\", \\\"mail.send\\\", \\\"files.read.all\\\")\\n| where GrantConsentType != \\\"AllPrincipals\\\" // NOTE: we are ignoring if OAuth application was granted to all users via an admin - but admin due diligence should be audited occasionally\\n| extend GrantInitiatedByAppName = tostring(InitiatedBy.app.displayName)\\n| extend GrantInitiatedByAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n| extend GrantInitiatedByUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n| extend GrantInitiatedByAadUserId = tostring(InitiatedBy.user.id)\\n| extend GrantIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n| extend GrantInitiatedBy = iff(isnotempty(GrantInitiatedByUserPrincipalName), GrantInitiatedByUserPrincipalName, GrantInitiatedByAppName)\\n| mv-apply AdditionalDetail = AdditionalDetails on \\n (\\n where AdditionalDetail.key =~ \\\"User-Agent\\\"\\n | extend GrantUserAgent = AdditionalDetail.value\\n )\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, GrantInitiatedByUserPrincipalName, GrantInitiatedByAadUserId, GrantInitiatedByAppName, GrantInitiatedByAppServicePrincipalId, GrantIpAddress, GrantUserAgent, AppClientId, OperationName, ConsentFull, CorrelationId\\n| join kind = leftouter (AuditLogs\\n| where TimeGenerated \u003e ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add service principal\\\"\\n | mv-apply TargetResource = TargetResources on \\n (\\n where TargetResource.type =~ \\\"ServicePrincipal\\\"\\n | extend props = TargetResource.modifiedProperties,\\n AppClientId = tostring(TargetResource.id)\\n )\\n | mv-apply Property = props on \\n (\\n where Property.displayName =~ \\\"AppAddress\\\" and Property.newValue has \\\"AddressType\\\"\\n | extend AppReplyURLs = trim(\u0027\\\"\u0027,tostring(Property.newValue))\\n )\\n| distinct AppClientId, tostring(AppReplyURLs)\\n)\\non AppClientId\\n| join kind = innerunique (AuditLogs\\n| where TimeGenerated \u003e ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add OAuth2PermissionGrant\\\" or OperationName =~ \\\"Add delegated permission grant\\\"\\n | mv-apply TargetResource = TargetResources on \\n (\\n where TargetResource.type =~ \\\"ServicePrincipal\\\" and array_length(TargetResource.modifiedProperties) \u003e 0 and isnotnull(TargetResource.displayName)\\n | extend GrantAuthentication = tostring(TargetResource.displayName)\\n )\\n| extend GrantOperation = OperationName\\n| project GrantAuthentication, GrantOperation, CorrelationId\\n) on CorrelationId\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantInitiatedByUserPrincipalName, GrantInitiatedByAadUserId, GrantInitiatedByAppName, GrantInitiatedByAppServicePrincipalId, GrantIpAddress, GrantUserAgent, AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull\\n| extend timestamp = TimeGenerated, Name = tostring(split(GrantInitiatedByUserPrincipalName,\u0027@\u0027,0)[0]), UPNSuffix = tostring(split(GrantInitiatedByUserPrincipalName,\u0027@\u0027,1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"GrantInitiatedByUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"GrantInitiatedByAadUserId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"GrantInitiatedByAppServicePrincipalId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"GrantIpAddress\"}]}],\"tactics\":[\"CredentialAccess\",\"DefenseEvasion\"],\"displayName\":\"Suspicious application consent similar to PwnAuth\",\"description\":\"This will alert when a user consents to provide a previously-unknown Azure application with the same OAuth permissions used by the FireEye PwnAuth toolkit (https://github.com/fireeye/PwnAuth).\\nThe default permissions/scope for the PwnAuth toolkit are user.read, offline_access, mail.readwrite, mail.send, and files.read.all.\\nConsent to applications with these permissions should be rare, especially as the knownApplications list is expanded. Public contributions to expand this filter are welcome!\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2024-01-08T00:00:00Z\",\"createdDateUTC\":\"2020-06-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/29a29e5d-354e-4f5e-8321-8b39d25047bf\",\"name\":\"29a29e5d-354e-4f5e-8321-8b39d25047bf\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.3\",\"severity\":\"High\",\"query\":\"let files1 = dynamic([\\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\lsa.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\pa.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\pc.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\Rar.exe\\\"]);\\nlet files2 = dynamic([\\\"svchost.exe\\\",\\\"wdmsvc.exe\\\"]);\\nlet FileHash1 = dynamic([\\\"43109fbe8b752f7a9076eaafa417d9ae5c6e827cd5374b866672263fdebd5ec3\\\", \\\"ab50d8d707b97712178a92bbac74ccc2a5699eb41c17aa77f713ff3e568dcedb\\\", \\\"010e32be0f86545e116a8bc3381a8428933eb8789f32c261c81fd5e7857d4a77\\\", \\\"56cd102b9fc7f3523dad01d632525ff673259dbc9a091be0feff333c931574f7\\\"]);\\nlet FileHash2 = dynamic([\\\"2a1044e9e6e87a032f80c6d9ea6ae61bbbb053c0a21b186ecb3b812b49eb03b7\\\", \\\"9ab7e99ed84f94a7b6409b87e56dc6e1143b05034a5e4455e8c555dbbcd0d2dd\\\", \\\"18a072ccfab239e140d8f682e2874e8ff19d94311fc8bb9564043d3e0deda54b\\\"]);\\nimProcessCreate\\n| where ((Process has_any (files1)) and (ActingProcessSHA256 has_any (FileHash1))) or ((Process has_any (files2)) and (ActingProcessSHA256 has_any (FileHash2)))\\n// Increase risk score if recent alerts for the host\\n| join kind=leftouter (\\n SecurityAlert\\n | where ProviderName =~ \\\"MDATP\\\"\\n | extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n | mv-expand todynamic(Entities)\\n | extend DvcId = tostring(parse_json(Entities).MdatpDeviceId)\\n | where isnotempty(DvcId)\\n // Higher risk score are for Defender alerts related to threat actor\\n | extend AlertRiskScore = iif(ThreatName has_any (\\\"Backdoor:MSIL/ShellClient.A\\\", \\\"Backdoor:MSIL/ShellClient.A!dll\\\", \\\"Trojan:MSIL/Mimikatz.BA!MTB\\\"), 1.0, 0.5)\\n | project DvcId, AlertRiskScore) \\n on DvcId\\n| extend AlertRiskScore = iif(isempty(AlertRiskScore), 0.0, AlertRiskScore)\\n| extend AccountName = tostring(split(ActorUsername, @\u0027\\\\\u0027)[1]), AccountNTDomain = tostring(split(ActorUsername, @\u0027\\\\\u0027)[0])\\n| extend HostName = tostring(split(Dvc, \\\".\\\")[0]), DomainIndex = toint(indexof(Dvc, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Dvc, DomainIndex + 1), Dvc)\\n| project-away DomainIndex\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ActorUsername\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Dvc\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"ActingProcessFilename\"}]}],\"tactics\":[\"CredentialAccess\",\"Execution\"],\"displayName\":\"Dev-0228 File Path Hashes November 2021 (ASIM Version)\",\"description\":\"This hunting query looks for file paths/hashes related to observed activity by Dev-0228. The actor is known to use custom version of popular tool like PsExec, Procdump etc. to carry its activity.\\n The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first.\\n This query uses the Microsoft Sentinel Information Model - https://docs.microsoft.com/azure/sentinel/normalization\",\"lastUpdatedDateUTC\":\"2024-03-04T00:00:00Z\",\"createdDateUTC\":\"2021-11-18T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0a3f4f4f-46ad-4562-acd6-f17730a5aef4\",\"name\":\"0a3f4f4f-46ad-4562-acd6-f17730a5aef4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT12H\",\"queryPeriod\":\"PT12H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"High\",\"query\":\"(union isfuzzy=true\\n(SecurityEvent\\n| where EventID==4688\\n| where CommandLine has_any (\\\"New-Mailbox\\\",\\\"Update-RoleGroupMember\\\") and CommandLine has \\\"HealthMailbox55x2yq\\\"\\n| project TimeGenerated, DeviceName = Computer, AccountName = SubjectUserName, AccountDomain = SubjectDomainName, ProcessName, ProcessNameFullPath = NewProcessName, EventID, Activity, CommandLine, EventSourceName, Type\\n| extend InitiatingProcessAccount = strcat(AccountDomain, \\\"\\\\\\\\\\\", AccountName)\\n),\\n(DeviceProcessEvents\\n| where ProcessCommandLine has_any (\\\"New-Mailbox\\\",\\\"Update-RoleGroupMember\\\") and ProcessCommandLine has \\\"HealthMailbox55x2yq\\\"\\n| extend timestamp = TimeGenerated, AccountDomain = InitiatingProcessAccountDomain, AccountName = InitiatingProcessAccountName\\n| extend InitiatingProcessAccount = strcat(AccountDomain, \\\"\\\\\\\\\\\", AccountName)\\n)\\n)\\n| extend HostName = tostring(split(DeviceName, \\\".\\\")[0]), DomainIndex = toint(indexof(DeviceName, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(DeviceName, DomainIndex + 1), DeviceName)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingProcessAccount\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DeviceName\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Unusual identity creation using exchange powershell\",\"description\":\" The query below identifies creation of unusual identity by the Europium actor to mimic Microsoft Exchange Health Manager Service account using Exchange PowerShell commands\\n Reference: https://www.microsoft.com/security/blog/2022/09/08/microsoft-investigates-iranian-attacks-against-the-albanian-government/\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2022-09-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f71aba3d-28fb-450b-b192-4e76a83015c8\",\"name\":\"f71aba3d-28fb-450b-b192-4e76a83015c8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Fusion\",\"properties\":{\"severity\":\"High\",\"tactics\":[\"Collection\",\"CommandAndControl\",\"CredentialAccess\",\"DefenseEvasion\",\"Discovery\",\"Execution\",\"Exfiltration\",\"Impact\",\"InitialAccess\",\"LateralMovement\",\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Advanced Multistage Attack Detection\",\"description\":\"Microsoft Sentinel uses Fusion, a correlation engine based on scalable machine learning algorithms, to automatically detect multistage attacks by identifying combinations of anomalous behaviors and suspicious activities that are observed at various stages of the kill chain. On the basis of these discoveries, Azure Sentinel generates incidents that would otherwise be very difficult to catch. By design, these incidents are low-volume, high-fidelity, and high-severity, which is why this detection is turned ON by default.\\n\\nSince Fusion correlates multiple signals from various products to detect advanced multistage attacks, successful Fusion detections are presented as Fusion incidents on the Microsoft Sentinel Incidents page. This rule covers the following detections:\\n- Fusion for emerging threats\\n- Fusion for ransomware\\n- Scenario-based Fusion detections (122 scenarios)\\n\\nTo enable these detections, we recommend you configure the following data connectors for best results:\\n- Out-of-the-box anomaly detections\\n- Microsoft Entra ID Protection\\n- Azure Defender\\n- Azure Defender for IoT\\n- Microsoft 365 Defender\\n- Microsoft Cloud App Security \\n- Microsoft Defender for Endpoint\\n- Microsoft Defender for Identity\\n- Microsoft Defender for Office 365\\n- Scheduled analytics rules, both built-in and those created by your security analysts. Analytics rules must contain kill-chain (tactics) and entity mapping information in order to be used by Fusion.\\n\\nFor the full description of each detection that is supported by Fusion, go to https://aka.ms/SentinelFusion.\",\"lastUpdatedDateUTC\":\"2023-11-02T00:00:00Z\",\"createdDateUTC\":\"2019-07-25T00:00:00Z\",\"status\":\"Installed\",\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/757e6a79-6d23-4ae6-9845-4dac170656b5\",\"name\":\"757e6a79-6d23-4ae6-9845-4dac170656b5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P2D\",\"queryPeriod\":\"P2D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"// Tenants IDs can be found by navigating to Azure Active Directory then from menu on the left, select External Identities, then from menu on the left, select Cross-tenant access settings and from the list shown of Tenants\\nlet ExpectedTenantIDs = dynamic([\\\"List of expected tenant IDs\\\",\\\"Tenant ID 2\\\"]);\\nAuditLogs\\n| where OperationName has \\\"Add a partner to cross-tenant access setting\\\"\\n| mv-apply TargetResource = TargetResources on\\n (\\n where TargetResource.type =~ \\\"Policy\\\"\\n | extend Properties = TargetResource.modifiedProperties\\n )\\n| mv-apply Property = Properties on\\n (\\n where Property.displayName =~ \\\"tenantId\\\"\\n | extend ExtTenantIDAdded = trim(\u0027\\\"\u0027,tostring(Property.newValue))\\n )\\n| where ExtTenantIDAdded !in (ExpectedTenantIDs)\\n| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n| extend InitiatingIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\\n| extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"InitiatingAppName\"},{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAppServicePrincipalId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatingAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatingAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIpAddress\"}]}],\"tactics\":[\"InitialAccess\",\"Persistence\",\"Discovery\"],\"displayName\":\"Cross-tenant Access Settings Organization Added\",\"description\":\"Organizations are added in the Cross-tenant Access Settings to control communication inbound or outbound for users and applications. This detection notifies when an Organization is added other than the list that is supposed to exist from the Microsoft Entra ID Cross-tenant Access Settings.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-10-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/45b903c5-6f56-4969-af10-ae62ac709718\",\"name\":\"45b903c5-6f56-4969-af10-ae62ac709718\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.5\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4624 and LogonType == 10\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), ConnectionCount = count()\\nby Account = tolower(Account), Computer = toupper(Computer), IpAddress, AccountType, Activity, LogonTypeName, ProcessName\\n// use left anti to exclude anything from the previous 14 days that is not rare\\n),\\n(WindowsEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4624 and EventData has (\\\"10\\\")\\n| extend LogonType = tostring(EventData.LogonType)\\n| where LogonType == 10\\n| extend Account = strcat(tostring(EventData.TargetDomainName),\\\"\\\\\\\\\\\", tostring(EventData.TargetUserName))\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| extend TargetUserSid = tostring(EventData.TargetUserSid)\\n| extend AccountType=case(Account endswith \\\"$\\\" or TargetUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(TargetUserSid), \\\"\\\", \\\"User\\\")\\n| extend Activity=\\\"4624 - An account was successfully logged on.\\\"\\n| extend LogonTypeName=\\\"10 - RemoteInteractive\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), ConnectionCount = count()\\nby Account = tolower(Account), Computer = toupper(Computer), IpAddress, AccountType, Activity, LogonTypeName, ProcessName\\n))\\n| join kind=leftanti (\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated between (ago(starttime) .. ago(endtime))\\n| where EventID == 4624\\n| summarize by Computer = toupper(Computer), IpAddress, Account = tolower(Account)\\n),\\n( WindowsEvent\\n| where TimeGenerated between (ago(starttime) .. ago(endtime))\\n| where EventID == 4624\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| extend Account = strcat(tostring(EventData.TargetDomainName),\\\"\\\\\\\\\\\", tostring(EventData.TargetUserName))\\n| summarize by Computer = toupper(Computer), IpAddress, Account = tolower(Account)\\n))\\n) on Account, Computer\\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), ConnectionCount = sum(ConnectionCount)\\nby Account, Computer, IpAddress, AccountType, Activity, LogonTypeName, ProcessName\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| extend AccountName = tostring(split(Account, @\\\"\\\\\\\")[1]), AccountNTDomain = tostring(split(Account, @\\\"\\\\\\\")[0])\\n| project-away DomainIndex\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]}],\"tactics\":[\"LateralMovement\"],\"displayName\":\"Rare RDP Connections\",\"description\":\"Identifies when an RDP connection is new or rare related to any logon type by a given account today compared with the previous 14 days.\\nRDP connections are indicated by the EventID 4624 with LogonType = 10\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2020-01-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a6c435a2-b1a0-466d-b730-9f8af69262e8\",\"name\":\"a6c435a2-b1a0-466d-b730-9f8af69262e8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT20M\",\"queryPeriod\":\"PT20M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.5\",\"severity\":\"Medium\",\"query\":\"let failureCountThreshold = 10;\\nlet successCountThreshold = 1;\\n// let authenticationWindow = 20m; // Implicit in the analytic rule query period \\nimAuthentication\\n| where TargetUserType != \\\"NonInteractive\\\"\\n| summarize \\n StartTime = min(TimeGenerated), \\n EndTime = max(TimeGenerated), \\n IpAddresses = make_set (SrcDvcIpAddr, 100),\\n ReportedBy = make_set (strcat (EventVendor, \\\"/\\\", EventProduct), 100),\\n FailureCount = countif(EventResult==\u0027Failure\u0027),\\n SuccessCount = countif(EventResult==\u0027Success\u0027)\\n by \\n TargetUserId, TargetUsername, TargetUserType \\n| where FailureCount \u003e= failureCountThreshold and SuccessCount \u003e= successCountThreshold\\n| extend\\n IpAddresses = strcat_array(IpAddresses, \\\", \\\"), \\n ReportedBy = strcat_array(ReportedBy, \\\", \\\")\\n| extend\\n Name = iif(\\n TargetUsername contains \\\"@\\\"\\n , tostring(split(TargetUsername, \u0027@\u0027, 0)[0])\\n , TargetUsername\\n ),\\n UPNSuffix = iif(\\n TargetUsername contains \\\"@\\\"\\n , tostring(split(TargetUsername, \u0027@\u0027, 1)[0])\\n , \\\"\\\"\\n )\",\"customDetails\":{\"IpAddresses\":\"IpAddresses\",\"ReportedBy\":\"ReportedBy\"},\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUserName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Brute force attack against user credentials (Uses Authentication Normalization)\",\"description\":\"Identifies evidence of brute force activity against a user based on multiple authentication failures and at least one successful authentication within a given time window.\\nNote that the query does not enforce any sequence, and does not require the successful authentication to occur last.\\nThe default failure threshold is 10, success threshold is 1, and the default time window is 20 minutes.\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimAuthentication)\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2021-06-14T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0914adab-90b5-47a3-a79f-7cdcac843aa7\",\"name\":\"0914adab-90b5-47a3-a79f-7cdcac843aa7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.6\",\"severity\":\"Low\",\"query\":\"let starttime = 14d;\\nlet timeframe = 1d;\\nlet scorethreshold = 3;\\nlet baselinethreshold = 25;\\n// To avoid any False Positives, filtering using AppId is recommended. For example the AppId 509e4652-da8d-478d-a730-e9d4a1996ca4 has been added in the query as it corresponds\\n// to Azure Resource Graph performing VaultGet operations for indexing and syncing all tracked resources across Azure.\\nlet Allowedappid = dynamic([\\\"509e4652-da8d-478d-a730-e9d4a1996ca4\\\"]);\\nlet OperationList = dynamic(\\n[\\\"SecretGet\\\", \\\"KeyGet\\\", \\\"VaultGet\\\"]);\\nlet TimeSeriesData = AzureDiagnostics\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(now()))\\n| where not((identity_claim_appid_g in (Allowedappid)) and OperationName == \u0027VaultGet\u0027)\\n | where ResourceType =~ \\\"VAULTS\\\" and ResultType =~ \\\"Success\\\"\\n| where OperationName in (OperationList)\\n| extend ResultType = column_ifexists(\\\"ResultType\\\", \\\"None\\\"), CallerIPAddress = column_ifexists(\\\"CallerIPAddress\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where CallerIPAddress !~ \\\"None\\\" and isnotempty(CallerIPAddress)\\n| project TimeGenerated, OperationName, Resource, CallerIPAddress\\n| make-series HourlyCount=count() on TimeGenerated from startofday(ago(starttime)) to startofday(now()) step timeframe by CallerIPAddress;\\n//Filter anomolies against TimeSeriesData\\nlet TimeSeriesAlerts = TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(HourlyCount, scorethreshold, -1, \u0027linefit\u0027)\\n| mv-expand HourlyCount to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double),score to typeof(double), baseline to typeof(long)\\n| where anomalies \u003e 0 | extend AnomalyHour = TimeGenerated\\n| where baseline \u003e baselinethreshold // Filtering low count events per baselinethreshold\\n| project CallerIPAddress, AnomalyHour, TimeGenerated, HourlyCount, baseline, anomalies, score;\\nlet AnomalyHours = TimeSeriesAlerts | where TimeGenerated \u003e ago(2d) | project TimeGenerated;\\n// Filter the alerts since specified timeframe\\nTimeSeriesAlerts\\n| where TimeGenerated \u003e ago(2d)\\n// Join against base logs since specified timeframe to retrive records associated with the hour of anomoly\\n| join kind = innerunique (\\nAzureDiagnostics\\n| where TimeGenerated \u003e ago(2d)\\n| where not((identity_claim_appid_g in (Allowedappid)) and OperationName == \u0027VaultGet\u0027)\\n| where ResourceType =~ \\\"VAULTS\\\" and ResultType =~ \\\"Success\\\"\\n| where OperationName in (OperationList)\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n| extend ResultType = column_ifexists(\\\"ResultType\\\", \\\"NoResultType\\\")\\n| extend requestUri_s = column_ifexists(\\\"requestUri_s\\\", \\\"None\\\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = column_ifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"None\\\"),identity_claim_oid_g = column_ifexists(\\\"identity_claim_oid_g\\\", \\\"\\\"),\\n identity_claim_upn_s = column_ifexists(\\\"identity_claim_upn_s\\\", \\\"\\\")\\n| extend\\n CallerObjectId = iff(isempty(identity_claim_oid_g), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, identity_claim_oid_g),\\n CallerObjectUPN = iff(isempty(identity_claim_upn_s), identity_claim_http_schemas_xmlsoap_org_ws_2005_05_identity_claims_upn_s, identity_claim_upn_s)\\n| extend id_s = column_ifexists(\\\"id_s\\\", \\\"None\\\"), CallerIPAddress = column_ifexists(\\\"CallerIPAddress\\\", \\\"None\\\"), clientInfo_s = column_ifexists(\\\"clientInfo_s\\\", \\\"None\\\")\\n| summarize PerOperationCount=count(), LatestAnomalyTime = arg_max(TimeGenerated,*) by bin(TimeGenerated,1h), Resource, OperationName, id_s, CallerIPAddress, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, identity_claim_oid_g, requestUri_s, clientInfo_s\\n) on CallerIPAddress\\n| extend\\n CallerObjectId = iff(isempty(identity_claim_oid_g), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, identity_claim_oid_g),\\n CallerObjectUPN = iff(isempty(identity_claim_upn_s), identity_claim_http_schemas_xmlsoap_org_ws_2005_05_identity_claims_upn_s, identity_claim_upn_s)\\n| summarize EventCount=count(), OperationNameList = make_set(OperationName,1000), RequestURLList = make_set(requestUri_s, 100), AccountList = make_set(CallerObjectId, 100), AccountMax = arg_max(CallerObjectId,*) by Resource, id_s, clientInfo_s, LatestAnomalyTime\\n| extend timestamp = LatestAnomalyTime\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"AccountMax\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"CallerIPAddress\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Azure Key Vault access TimeSeries anomaly\",\"description\":\"Identifies a sudden increase in count of Azure Key Vault secret or vault access operations by CallerIPAddress. The query leverages a built-in KQL anomaly detection algorithm to find large deviations from baseline Azure Key Vault access patterns.\\nAny sudden increase in the count of Azure Key Vault accesses can be an indication of adversary dumping credentials via automated methods. If you are seeing any noise, try filtering known source(IP/Account) and user-agent combinations.\\nTimeSeries Reference Blog: https://techcommunity.microsoft.com/t5/azure-sentinel/looking-for-unknown-anomalies-what-is-normal-time-series/ba-p/555052\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2019-07-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureKeyVault\",\"dataTypes\":[\"KeyVaultData\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/009b9bae-23dd-43c4-bcb9-11c4ba7c784a\",\"name\":\"009b9bae-23dd-43c4-bcb9-11c4ba7c784a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n | where OperationName has \\\"Consent to application\\\"\\n | where Result =~ \\\"failure\\\"\\n | extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n | extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n | extend InitiatingIPAddress = tostring(InitiatedBy.user.ipAddress)\\n | extend userAgent = iif(AdditionalDetails[0].key == \\\"User-Agent\\\", tostring(AdditionalDetails[0].value), tostring(AdditionalDetails[1].value))\\n | where isnotempty(TargetResources)\\n | extend TargetAppName = tostring(TargetResources[0].displayName)\\n | extend TargetAppId = tostring(TargetResources[0].id)\\n | mv-expand TargetResources[0].modifiedProperties\\n | extend TargetResources_0_modifiedProperties = columnifexists(\\\"TargetResources_0_modifiedProperties\\\", \u0027\u0027)\\n | where isnotempty(TargetResources_0_modifiedProperties)\\n | where TargetResources_0_modifiedProperties.displayName =~ \\\"MethodExecutionResult.\\\"\\n | extend TargetPropertyDisplayName = tostring(TargetResources_0_modifiedProperties.displayName)\\n | extend FailureReason = tostring(parse_json(tostring(TargetResources_0_modifiedProperties.newValue)))\\n | where FailureReason contains \\\"Risky\\\"\\n | extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[1])\\n | project-reorder TimeGenerated, OperationName, Result, TargetAppName, TargetAppId, FailureReason, InitiatingUserPrincipalName, InitiatingAadUserId, InitiatingIPAddress, userAgent\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatingAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatingAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIPAddress\"}]},{\"entityType\":\"CloudApplication\",\"fieldMappings\":[{\"identifier\":\"AppId\",\"columnName\":\"TargetAppId\"},{\"identifier\":\"Name\",\"columnName\":\"TargetAppName\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"End-user consent stopped due to risk-based consent\",\"description\":\"Detects a user\u0027s consent to an OAuth application being blocked due to it being too risky.\\n These events should be investigated to understand why the user attempted to consent to the applicaiton and what other applicaitons they may have consented to.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-applications#end-user-stopped-due-to-risk-based-consent\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/95002681-4ecb-4da3-9ece-26d7e5feaa33\",\"name\":\"95002681-4ecb-4da3-9ece-26d7e5feaa33\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"imAuthentication\\n| where EventResult ==\u0027Failure\u0027\\n| where EventResultDetails == \u0027User disabled\u0027\\n| summarize StartTime=min(EventStartTime), EndTime=max(EventEndTime), disabledAccountLoginAttempts = count()\\n , disabledAccountsTargeted = dcount(TargetUsername), disabledAccountSet = make_set(TargetUsername)\\n , applicationsTargeted = dcount(TargetAppName)\\n , applicationSet = make_set(TargetAppName) \\n by SrcDvcIpAddr, Type\\n| order by disabledAccountLoginAttempts desc\\n| join kind=leftouter \\n (\\n // Consider these IPs suspicious - and alert any related successful sign-ins\\n imAuthentication\\n | where EventResult==\u0027Success\u0027\\n | summarize successfulAccountSigninCount = dcount(TargetUsername), successfulAccountSigninSet = makeset(TargetUsername, 15) by SrcDvcIpAddr, Type\\n // Assume IPs associated with sign-ins from 100+ distinct user accounts are safe\\n | where successfulAccountSigninCount \u003c 100\\n )\\n on SrcDvcIpAddr\\n| where isnotempty(successfulAccountSigninCount)\\n| project StartTime, EndTime, SrcDvcIpAddr, disabledAccountLoginAttempts, disabledAccountsTargeted, disabledAccountSet, applicationSet, \\nsuccessfulAccountSigninCount, successfulAccountSigninSet, Type\\n| order by disabledAccountLoginAttempts\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcDvcIpAddr\"}]}],\"tactics\":[\"InitialAccess\",\"Persistence\"],\"displayName\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts (Uses Authentication Normalization)\",\"description\":\"Identifies IPs with failed attempts to sign in to one or more disabled accounts signed in successfully to another account.\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimAuthentication)\",\"lastUpdatedDateUTC\":\"2023-12-12T00:00:00Z\",\"createdDateUTC\":\"2021-07-27T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3bd33158-3f0b-47e3-a50f-7c20a1b88038\",\"name\":\"3bd33158-3f0b-47e3-a50f-7c20a1b88038\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"High\",\"query\":\"let SpringShell_threats = dynamic([\\\"Trojan:Python/SpringShellExpl\\\", \\\"Exploit:Python/SpringShell\\\", \\\"Backdoor:PHP/Remoteshell.V\\\", \\\"SpringShell\\\"]);\\nDeviceInfo\\n| extend DeviceName = tolower(DeviceName)\\n| join kind=inner ( SecurityAlert\\n| where ProviderName =~ \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)\\n| where ThreatName in~ (SpringShell_threats) or ThreatFamilyName in~ (SpringShell_threats)\\n| extend CompromisedEntity = tolower(CompromisedEntity)\\n) on $left.DeviceName == $right.CompromisedEntity\\n| summarize by DisplayName, ThreatName, ThreatFamilyName, PublicIP, AlertSeverity, Description, tostring(LoggedOnUsers), DeviceId, TenantId , bin(TimeGenerated, 1d), CompromisedEntity, tostring(LoggedOnUsers), ProductName, Entities\\n| extend HostName = tostring(split(CompromisedEntity, \\\".\\\")[0]), DomainIndex = toint(indexof(CompromisedEntity, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(CompromisedEntity, DomainIndex + 1), CompromisedEntity)\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CompromisedEntity\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"PublicIP\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"AV detections related to SpringShell Vulnerability\",\"description\":\"This query looks for Microsoft Defender AV detections related to the SpringShell vulnerability. In Microsoft Sentinel, the SecurityAlerts table includes only the Device Name of the affected device.\\n This query joins the DeviceInfo table to clearly connect other information such as device group, IP, logged-on users, etc. This would allow the Microsoft Sentinel analyst to have more context related to the alert, if available.\\n Reference: https://www.microsoft.com/security/blog/2022/04/04/springshell-rce-vulnerability-guidance-for-protecting-against-and-detecting-cve-2022-22965/\",\"lastUpdatedDateUTC\":\"2024-04-04T00:00:00Z\",\"createdDateUTC\":\"2022-04-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a333d8bf-22a3-4c55-a1e9-5f0a135c0253\",\"name\":\"a333d8bf-22a3-4c55-a1e9-5f0a135c0253\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.6\",\"severity\":\"High\",\"query\":\"let mde_threats = dynamic([\\\"Behavior:Win32/SuspAzureRequest.A\\\", \\\"Behavior:Win32/SuspAzureRequest.B\\\", \\\"Behavior:Win32/SuspAzureRequest.C\\\", \\\"Behavior:Win32/LaunchingSuspCMD.B\\\"]);\\nDeviceInfo\\n| extend DeviceName = tolower(DeviceName)\\n| join kind=inner ( SecurityAlert\\n| where ProviderName == \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)\\n| where ThreatName in~ (mde_threats) or ThreatFamilyName in~ (mde_threats)\\n| extend CompromisedEntity = tolower(CompromisedEntity)\\n) on $left.DeviceName == $right.CompromisedEntity\\n| summarize by bin(TimeGenerated, 1d), DisplayName, ThreatName, ThreatFamilyName, PublicIP, AlertSeverity, Description, tostring(LoggedOnUsers), DeviceId, TenantId, CompromisedEntity, tostring(LoggedOnUsers), ProductName, Entities\\n| extend HostName = tostring(split(CompromisedEntity, \\\".\\\")[0]), DomainIndex = toint(indexof(CompromisedEntity, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(CompromisedEntity, DomainIndex + 1), CompromisedEntity)\\n| project-away DomainIndex\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CompromisedEntity\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"PublicIP\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Microsoft Defender for Endpoint (MDE) signatures for Azure Synapse pipelines and Azure Data Factory\",\"description\":\"This query looks for Microsoft Defender for Endpoint detections related to the remote command execution attempts on Azure IR with Managed VNet or SHIR. \\nIn Microsoft Sentinel, the SecurityAlerts table includes the name of the impacted device. Additionally, this query joins the DeviceInfo table to connect other information such as device group, IP address, signed in users, and others allowing analysts using Microsoft Sentinel to have more context related to the alert. \\nReference: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-29972 , \\nhttps://msrc-blog.microsoft.com/2022/05/09/vulnerability-mitigated-in-the-third-party-data-connector-used-in-azure-synapse-pipelines-and-azure-data-factory-cve-2022-29972\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-04-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4759ddb4-2daf-43cb-b34e-d85b85b4e4a5\",\"name\":\"4759ddb4-2daf-43cb-b34e-d85b85b4e4a5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/DEV-0322_SolarWinds_Serv-U_IoC.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet process = (iocs | where Type =~ \\\"process\\\" | project IoC);\\nlet parentprocess = (iocs | where Type =~ \\\"parentprocess\\\" | project IoC);\\nlet IPList = (iocs | where Type =~ \\\"ip\\\"| project IoC);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or RequestURL has_any (IPList) or Message has_any (IPList)\\n| project TimeGenerated, SourceIP, DestinationIP, Message, SourceUserID, RequestURL, Type\\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", RequestURL in (IPList), \\\"RequestUrl\\\",\\\"NoMatch\\\"), AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, IPMatch == \\\"RequestUrl\\\", RequestURL, \\\"NoMatch\\\"), AccountCustomEntity = SourceUserID\\n),\\n(DnsEvents\\n| where IPAddresses in (IPList) \\n| project TimeGenerated, Computer, IPAddresses, Name, ClientIP, Type\\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Host = Computer , AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n),\\n(VMConnection\\n| where SourceIp in (IPList) or DestinationIp in (IPList)\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| project TimeGenerated, Computer, Direction, ProcessName, SourceIp, DestinationIp, DestinationPort, RemoteDnsQuestions, DNSName,BytesSent, BytesReceived, RemoteCountry, Type\\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", \\\"None\\\") , AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"NoMatch\\\"), HostCustomEntity = Computer, ProcessCustomEntity = ProcessName\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = EventDetail.[9].[\\\"#text\\\"], DestinationIP = EventDetail.[14].[\\\"#text\\\"], Image = EventDetail.[4].[\\\"#text\\\"]\\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| project TimeGenerated, SourceIP, DestinationIP, Image, UserName, Computer, Type\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\") , AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n), \\n(OfficeActivity\\n| where ClientIP in (IPList) \\n| project TimeGenerated, UserAgent, Operation, RecordType, UserId, ClientIP, AlertDetail = \u0027Dev-0322 IOC match\u0027, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = UserId\\n),\\n(DeviceNetworkEvents\\n| where RemoteIP in (IPList)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort, LocalIP, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName, AlertDetail = \u0027Dev-0322 IOC match\u0027, UrlCustomEntity =RemoteUrl, ProcessCustomEntity = InitiatingProcessFileName\\n),\\n(WindowsFirewall\\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| project TimeGenerated, Computer, CommunicationDirection, SourceIP, DestinationIP, SourcePort, DestinationPort, Type\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\"), AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallNetworkRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = DestinationHost\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| project TimeGenerated,Resource, msg_s\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost in (IPList)\\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = DestinationHost, AlertDetail = \u0027Dev-0322 IOC match\u0027\\n),\\n(\\nAZFWApplicationRule\\n| where Fqdn has_any (IPList)\\n| extend IPCustomEntity = SourceIp\\n),\\n(\\nAZFWNetworkRule\\n| where DestinationIp has_any (IPList)\\n| extend IPCustomEntity = SourceIp\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend ParentImage = EventDetail.[20].[\\\"#text\\\"], Image = EventDetail.[4].[\\\"#text\\\"]\\n| where ( ParentImage has_any (parentprocess) and Image has_any (process))\\n| parse EventDetail with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256,Image, ParentImage \\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = SHA256, AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(DeviceFileEvents\\n| extend CommandLineIP = extract(IPRegex, 0,InitiatingProcessCommandLine)\\n| where (InitiatingProcessFileName in (process) and InitiatingProcessParentFileName in (parentprocess)) or CommandLineIP in (IPList)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RequestAccountName, RequestSourceIP, InitiatingProcessSHA256, Type, CommandLineIP\\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash, IPCustomEntity = CommandLineIP\\n),\\n(DeviceEvents\\n| extend CommandLineIP = extract(IPRegex, 0,InitiatingProcessCommandLine)\\n| where (InitiatingProcessFileName in (process) and InitiatingProcessParentFileName in (parentprocess)) or CommandLineIP in (IPList)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type, CommandLineIP\\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath, AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash, IPCustomEntity = CommandLineIP\\n),\\n(DeviceProcessEvents\\n| extend CommandLineIP = extract(IPRegex, 0,InitiatingProcessCommandLine)\\n| where (InitiatingProcessFileName in (process) and InitiatingProcessParentFileName in (parentprocess)) or CommandLineIP in (IPList)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type, CommandLineIP, AccountName\\n| extend Account = AccountName, Computer = DeviceName, IPAddress = CommandLineIP, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash, IPCustomEntity = IPAddress\\n),\\n( SecurityEvent\\n| where EventID == 4688\\n| extend CommandLineIP = extract(IPRegex, 0, CommandLine)\\n| where CommandLineIP in (IPList) or (NewProcessName has_any (process) and ParentProcessName has_any (parentprocess))\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type, CommandLine, CommandLineIP\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, AlertDetail = \u0027Dev-0322 IOC match\u0027, IPCustomEntity = CommandLineIP\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"[Deprecated] - DEV-0322 Serv-U related IOCs - July 2021\",\"description\":\"This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft\u0027s Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2021-06-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceFileEvents\",\"DeviceEvents\",\"DeviceProcessEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\",\"AZFWApplicationRule\",\"AZFWNetworkRule\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f819c592-c5f9-4d5c-a79f-1e6819863533\",\"name\":\"f819c592-c5f9-4d5c-a79f-1e6819863533\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.6\",\"severity\":\"Medium\",\"query\":\"// ADHealth Monitoring Agent Registry Key\\nlet aadHealthMonAgentRegKey = \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Microsoft Online\\\\\\\\Reporting\\\\\\\\MonitoringAgent\\\";\\n// Filter out known processes\\nlet aadConnectHealthProcs = dynamic ([\\n \u0027Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe\u0027,\\n \u0027Microsoft.Identity.Health.Adfs.InsightsService.exe\u0027,\\n \u0027Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe\u0027,\\n \u0027Microsoft.Identity.Health.Adfs.PshSurrogate.exe\u0027,\\n \u0027Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe\u0027,\\n \u0027Microsoft.Identity.Health.AadSync.MonitoringAgent.Startup.exe\u0027,\\n \u0027Microsoft.Identity.AadConnect.Health.AadSync.Host.exe\u0027,\\n \u0027Microsoft.Azure.ActiveDirectory.Synchronization.Upgrader.exe\u0027,\\n \u0027miiserver.exe\u0027\\n]);\\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where EventID == \u00274656\u0027\\n| where EventData has aadHealthMonAgentRegKey\\n| extend EventData = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Computer, EventID)\\n| extend ObjectName = column_ifexists(\\\"ObjectName\\\", \\\"\\\"),\\n ObjectType = column_ifexists(\\\"ObjectType\\\", \\\"\\\")\\n| where ObjectType == \u0027Key\u0027\\n| where ObjectName == aadHealthMonAgentRegKey\\n| extend SubjectUserName = column_ifexists(\\\"SubjectUserName\\\", \\\"\\\"),\\n SubjectDomainName = column_ifexists(\\\"SubjectDomainName\\\", \\\"\\\"),\\n ProcessName = column_ifexists(\\\"ProcessName\\\", \\\"\\\")\\n| extend Process = split(ProcessName, \u0027\\\\\\\\\u0027, -1)[-1],\\n Account = strcat(SubjectDomainName, \\\"\\\\\\\\\\\", SubjectUserName)\\n| where Process !in (aadConnectHealthProcs)\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by EventID, Account, Computer, Process, SubjectUserName, SubjectDomainName, ObjectName, ObjectType, ProcessName\\n),\\n(\\nWindowsEvent\\n| where EventID == \u00274656\u0027 and EventData has aadHealthMonAgentRegKey\\n| extend ObjectType = tostring(EventData.ObjectType)\\n| where ObjectType == \u0027Key\u0027\\n| extend ObjectName = tostring(EventData.ObjectName)\\n| where ObjectName == aadHealthMonAgentRegKey\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| extend Process = tostring(split(ProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where Process !in (aadConnectHealthProcs)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName)\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by EventID, Account, Computer, Process, SubjectUserName, SubjectDomainName, ObjectName, ObjectType, ProcessName\\n),\\n(\\nSecurityEvent\\n| where EventID == \u00274663\u0027\\n| where ObjectType == \u0027Key\u0027\\n| where ObjectName == aadHealthMonAgentRegKey\\n| extend Process = tostring(split(ProcessName, \u0027\\\\\\\\\u0027, -1)[-1])\\n| where Process !in (aadConnectHealthProcs)\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by EventID, Account, Computer, Process, SubjectUserName, SubjectDomainName, ObjectName, ObjectType, ProcessName\\n),\\n (\\nWindowsEvent\\n| where EventID == \u00274663\u0027 and EventData has aadHealthMonAgentRegKey\\n| extend ObjectType = tostring(EventData.ObjectType)\\n| where ObjectType == \u0027Key\u0027\\n| extend ObjectName = tostring(EventData.ObjectName)\\n| where ObjectName == aadHealthMonAgentRegKey\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| extend Process = tostring(split(ProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where Process !in (aadConnectHealthProcs)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName)\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by EventID, Account, Computer, Process, SubjectUserName, SubjectDomainName, ObjectName, ObjectType, ProcessName\\n)\\n)\\n// You can filter out potential machine accounts\\n//| where AccountType != \u0027Machine\u0027\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| extend Name = tostring(split(Account, \\\"\\\\\\\\\\\")[1]), NTDomain = tostring(split(Account, \\\"\\\\\\\\\\\")[0])\\n| project-away DomainIndex\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"NTDomain\",\"columnName\":\"NTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"Collection\"],\"displayName\":\"Microsoft Entra ID Health Monitoring Agent Registry Keys Access\",\"description\":\"This detection uses Windows security events to detect suspicious access attempts to the registry key of Microsoft Entra ID Health monitoring agent.\\nThis detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object HKLM\\\\SOFTWARE\\\\Microsoft\\\\Microsoft Online\\\\Reporting\\\\MonitoringAgent.\\nYou can find more information in here https://github.com/OTRF/Set-AuditRule/blob/master/rules/registry/aad_connect_health_monitoring_agent.yml\\n\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2021-08-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7249500f-3038-4b83-8549-9cd8dfa2d498\",\"name\":\"7249500f-3038-4b83-8549-9cd8dfa2d498\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"de-ma.online\\\", \\\"g20saudi.000webhostapp.com\\\", \\\"ksat20.000webhostapp.com\\\"]);\\nlet EmailAddresses = dynamic([\\\"munichconference1962@gmail.com\\\",\\\"munichconference@outlook.de\\\", \\\"munichconference@outlook.com\\\", \\\"t20saudiarabia@gmail.com\\\", \\\"t20saudiarabia@hotmail.com\\\", \\\"t20saudiarabia@outlook.sa\\\"]);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 *\\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend RequestURLIP = extract(IPRegex, 0, Message)\\n| where (isnotempty(DNSName) and DNSName has_any (DomainNames))\\n or (isnotempty(DestinationHostName) and DestinationHostName has_any (DomainNames))\\n or (isnotempty(RequestURL) and (RequestURL has_any (DomainNames)))\\n| extend timestamp = TimeGenerated , AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName, IPCustomEntity = DestinationIP\\n),\\n(DnsEvents\\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Host = Computer\\n| where DNSName has_any (DomainNames)\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host),\\n(VMConnection\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where isnotempty(DNSName)\\n| where DNSName has_any (DomainNames)\\n| extend timestamp = TimeGenerated , HostCustomEntity = Computer),\\n(SecurityAlert\\n| where ProviderName =~ \u0027OATP\u0027\\n| extend UPN = case(isnotempty(parse_json(Entities)[0].Upn), parse_json(Entities)[0].Upn,\\n isnotempty(parse_json(Entities)[1].Upn), parse_json(Entities)[1].Upn,\\n isnotempty(parse_json(Entities)[2].Upn), parse_json(Entities)[2].Upn,\\n isnotempty(parse_json(Entities)[3].Upn), parse_json(Entities)[3].Upn,\\n isnotempty(parse_json(Entities)[4].Upn), parse_json(Entities)[4].Upn,\\n isnotempty(parse_json(Entities)[5].Upn), parse_json(Entities)[5].Upn,\\n isnotempty(parse_json(Entities)[6].Upn), parse_json(Entities)[6].Upn,\\n isnotempty(parse_json(Entities)[7].Upn), parse_json(Entities)[7].Upn,\\n isnotempty(parse_json(Entities)[8].Upn), parse_json(Entities)[8].Upn,\\n parse_json(Entities)[9].Upn)\\n| where Entities has_any (EmailAddresses)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = tostring(UPN)),\\n(AzureDiagnostics\\n| where ResourceType =~ \\\"AZUREFIREWALLS\\\"\\n| where msg_s has_any (DomainNames)\\n| extend timestamp = TimeGenerated),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| where msg_s has_any (DomainNames)\\n| extend timestamp = TimeGenerated),\\n(AZFWApplicationRule\\n| where isnotempty(Fqdn)\\n| where Fqdn has_any (DomainNames) \\n| extend timestamp = TimeGenerated),\\n(AZFWDnsQuery\\n| where isnotempty(QueryName)\\n| where QueryName has_any (DomainNames)\\n| extend timestamp = TimeGenerated))\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"InitialAccess\"],\"displayName\":\"[Deprecated] - Known Mint Sandstorm group domains/IP - October 2020\",\"description\":\"This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft\u0027s Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2020-10-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog (Cisco)\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog (Zscaler)\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog (Fortinet)\"]},{\"connectorId\":\"OfficeATP\",\"dataTypes\":[\"SecurityAlert (OATP)\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics (Azure Firewall)\",\"AZFWApplicationRule\",\"AZFWDnsQuery\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2790795b-7dba-483e-853f-44aa0bc9c985\",\"name\":\"2790795b-7dba-483e-853f-44aa0bc9c985\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Low\",\"query\":\"CommonSecurityLog\\n| where DeviceProduct =~ \\\"Wazuh\\\"\\n| where Activity has \\\"Web server 400 error code.\\\"\\n| where Message has \\\"403\\\"\\n| extend HostName=substring(split(DeviceCustomString1,\\\")\\\")[0],1)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), NumberOfErrors = dcount(SourceIP) by HostName, SourceIP\\n| where NumberOfErrors \u003e 400\\n| sort by NumberOfErrors desc\\n| extend timestamp = StartTime\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Wazuh - Large Number of Web errors from an IP\",\"description\":\"Identifies instances where Wazuh logged over 400 \u0027403\u0027 Web Errors from one IP Address. To onboard Wazuh data into Sentinel please view: https://github.com/wazuh/wazuh-documentation/blob/master/source/azure/monitoring%20activity.rst\",\"lastUpdatedDateUTC\":\"2024-07-15T00:00:00Z\",\"createdDateUTC\":\"2020-04-21T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/11b4c19d-2a79-4da3-af38-b067e1273dee\",\"name\":\"11b4c19d-2a79-4da3-af38-b067e1273dee\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.5\",\"severity\":\"High\",\"query\":\"(union isfuzzy=true\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID in (17,18)\\n| where EventData has \u0027583da945-62af-10e8-4902-a8f205c72b2e\u0027\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, MG, ManagementGroupName, _ResourceId)\\n| extend PipeName = column_ifexists(\\\"PipeName\\\", \\\"\\\")\\n| extend Account = User\\n| extend AccountName = tostring(split(User, @\\\"\\\\\\\")[1]), AccountNTDomain = tostring(split(User, @\\\"\\\\\\\")[0])\\n),\\n(\\nSecurityEvent\\n| where EventID == \u00275145\u0027\\n// %%4418 looks for presence of CreatePipeInstance value\\n| where AccessList has \u0027%%4418\u0027\\n| where RelativeTargetName has \u0027583da945-62af-10e8-4902-a8f205c72b2e\u0027\\n| extend AccountName = SubjectUserName, AccountNTDomain = SubjectDomainName\\n),\\n(\\nWindowsEvent\\n| where EventID == \u00275145\u0027 and EventData has \u0027%%4418\u0027 and EventData has \u0027583da945-62af-10e8-4902-a8f205c72b2e\u0027\\n// %%4418 looks for presence of CreatePipeInstance value\\n| extend AccessList= tostring(EventData.AccessList)\\n| where AccessList has \u0027%%4418\u0027\\n| extend RelativeTargetName= tostring(EventData.RelativeTargetName)\\n| where RelativeTargetName has \u0027583da945-62af-10e8-4902-a8f205c72b2e\u0027\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend AccountName = tostring(EventData.SubjectUserName), AccountNTDomain = tostring(EventData.SubjectDomainName)\\n)\\n)\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| project-away DomainIndex\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"DefenseEvasion\",\"PrivilegeEscalation\"],\"displayName\":\"Solorigate Named Pipe\",\"description\":\"Identifies a match across various data feeds for named pipe IOCs related to the Solorigate incident.\\n For the sysmon events required for this detection, logging for Named Pipe Events needs to be configured in Sysmon config (Event ID 17 and Event ID 18)\\n Reference: https://techcommunity.microsoft.com/t5/azure-sentinel/solarwinds-post-compromise-hunting-with-azure-sentinel/ba-p/1995095\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2020-12-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f6a51e2c-2d6a-4f92-a090-cfb002ca611f\",\"name\":\"f6a51e2c-2d6a-4f92-a090-cfb002ca611f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"let lbtime = 10m;\\nlet disallowed_ext = dynamic([\u0027ps1\u0027, \u0027exe\u0027, \u0027vbs\u0027, \u0027js\u0027, \u0027scr\u0027]);\\nProofpointPOD\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027inbound\u0027\\n| where FilterDisposition !in (\u0027reject\u0027, \u0027discard\u0027)\\n| extend attachedExt = todynamic(MsgParts)[0][\u0027detectedExt\u0027]\\n| where tolower(attachedExt) in (disallowed_ext)\\n| project SrcUserUpn, AccountCustomEntity = parse_json(DstUserUpn)[0], attachedExt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"ProofpointPOD - Suspicious attachment\",\"description\":\"Detects when email contains suspicious attachment (file type).\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ef88eb96-861c-43a0-ab16-f3835a97c928\",\"name\":\"ef88eb96-861c-43a0-ab16-f3835a97c928\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT12H\",\"queryPeriod\":\"PT12H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.1\",\"severity\":\"Medium\",\"query\":\"let regexEmpire = tostring(toscalar(externaldata(cmdlets:string)[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/EmpireCommandString.txt\\\"] with (format=\\\"txt\\\")));\\n(union isfuzzy=true\\n (SecurityEvent\\n| where EventID == 4688\\n//consider filtering on filename if perf issues occur\\n//where FileName in~ (\\\"powershell.exe\\\",\\\"powershell_ise.exe\\\",\\\"pwsh.exe\\\")\\n| where not(ParentProcessName has_any (\u0027gc_worker.exe\u0027, \u0027gc_service.exe\u0027))\\n| where CommandLine has \\\"-encodedCommand\\\"\\n| parse kind=regex flags=i CommandLine with * \\\"-EncodedCommand \\\" encodedCommand\\n| extend encodedCommand = iff(encodedCommand has \\\" \\\", tostring(split(encodedCommand, \\\" \\\")[0]), encodedCommand)\\n// Note: currently the base64_decode_tostring function is limited to supporting UTF8\\n| extend decodedCommand = translate(\u0027\\\\0\u0027,\u0027\u0027, base64_decode_tostring(substring(encodedCommand, 0, strlen(encodedCommand) - (strlen(encodedCommand) %8)))), encodedCommand, CommandLine , strlen(encodedCommand)\\n| extend EfectiveCommand = iff(isnotempty(encodedCommand), decodedCommand, CommandLine)\\n| where EfectiveCommand matches regex regexEmpire\\n| project timestamp = TimeGenerated, Computer, SubjectUserName, SubjectDomainName, FileName = Process, EfectiveCommand, decodedCommand, encodedCommand, CommandLine, ParentProcessName\\n| extend HostName = split(Computer, \u0027.\u0027, 0)[0], DnsDomain = strcat_array(array_slice(split(Computer, \u0027.\u0027), 1, -1), \u0027.\u0027)\\n),\\n(WindowsEvent\\n| where EventID == 4688\\n| where EventData has_any (\\\"-encodedCommand\\\", \\\"powershell.exe\\\",\\\"powershell_ise.exe\\\",\\\"pwsh.exe\\\")\\n| where not(EventData has_any (\u0027gc_worker.exe\u0027, \u0027gc_service.exe\u0027))\\n//consider filtering on filename if perf issues occur\\n//extend NewProcessName = tostring(EventData.NewProcessName)\\n//extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n//FileName = Process\\n//where FileName in~ (\\\"powershell.exe\\\",\\\"powershell_ise.exe\\\",\\\"pwsh.exe\\\")\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| where not(ParentProcessName has_any (\u0027gc_worker.exe\u0027, \u0027gc_service.exe\u0027))\\n| extend CommandLine = tostring(EventData.CommandLine)\\n| where CommandLine has \\\"-encodedCommand\\\"\\n| parse kind=regex flags=i CommandLine with * \\\"-EncodedCommand \\\" encodedCommand\\n| extend encodedCommand = iff(encodedCommand has \\\" \\\", tostring(split(encodedCommand, \\\" \\\")[0]), encodedCommand)\\n// Note: currently the base64_decode_tostring function is limited to supporting UTF8\\n| extend decodedCommand = translate(\u0027\\\\0\u0027,\u0027\u0027, base64_decode_tostring(substring(encodedCommand, 0, strlen(encodedCommand) - (strlen(encodedCommand) %8)))), encodedCommand, CommandLine , strlen(encodedCommand)\\n| extend EfectiveCommand = iff(isnotempty(encodedCommand), decodedCommand, CommandLine)\\n| where EfectiveCommand matches regex regexEmpire\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| project timestamp = TimeGenerated, Computer, SubjectUserName, SubjectDomainName, FileName = Process, EfectiveCommand, decodedCommand, encodedCommand, CommandLine, ParentProcessName\\n| extend HostName = split(Computer, \u0027.\u0027, 0)[0], DnsDomain = strcat_array(array_slice(split(Computer, \u0027.\u0027), 1, -1), \u0027.\u0027)\\n))\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"SubjectUserName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"SubjectDomainName\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]}],\"tactics\":[\"Collection\",\"CommandAndControl\",\"CredentialAccess\",\"DefenseEvasion\",\"Discovery\",\"Execution\",\"Exfiltration\",\"LateralMovement\",\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Powershell Empire Cmdlets Executed in Command Line\",\"description\":\"This query identifies use of PowerShell Empire\u0027s cmdlets within the command line data of the PowerShell process, indicating potential use of the post-exploitation tool.\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2019-01-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/61988db3-0565-49b5-b8e3-747195baac6e\",\"name\":\"61988db3-0565-49b5-b8e3-747195baac6e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.5\",\"severity\":\"Medium\",\"query\":\"let procList = dynamic([\\\"cmd.exe\\\",\\\"ftp.exe\\\",\\\"schtasks.exe\\\",\\\"powershell.exe\\\",\\\"rundll32.exe\\\",\\\"regsvr32.exe\\\",\\\"msiexec.exe\\\"]); \\nimProcessCreate\\n| where CommandLine has \\\"recycler\\\"\\n| where Process has_any (procList)\\n| extend FileName = tostring(split(Process, \u0027\\\\\\\\\u0027)[-1])\\n| where FileName in~ (procList)\\n| project TimeGenerated, Dvc, User, Process, FileName, CommandLine, ActingProcessName, EventVendor, EventProduct\\n| extend AccountName = tostring(split(User, @\u0027\\\\\u0027)[1]), AccountNTDomain = tostring(split(User, @\u0027\\\\\u0027)[0])\\n| extend HostName = tostring(split(Dvc, \\\".\\\")[0]), DomainIndex = toint(indexof(Dvc, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Dvc, DomainIndex + 1), Dvc)\\n| project-away DomainIndex\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"User\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Dvc\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Malware in the recycle bin (Normalized Process Events)\",\"description\":\"Identifies malware that has been hidden in the recycle bin.\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimProcessEvent)\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2021-06-13T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cecdbd4c-4902-403c-8d4b-32eb1efe460b\",\"name\":\"cecdbd4c-4902-403c-8d4b-32eb1efe460b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"High\",\"query\":\"let domains = dynamic([\\\"incomeupdate.com\\\",\\\"zupertech.com\\\",\\\"databasegalore.com\\\",\\\"panhardware.com\\\",\\\"avsvmcloud.com\\\",\\\"digitalcollege.org\\\",\\\"freescanonline.com\\\",\\\"deftsecurity.com\\\",\\\"thedoccloud.com\\\",\\\"virtualdataserver.com\\\",\\\"lcomputers.com\\\",\\\"webcodez.com\\\",\\\"globalnetworkissues.com\\\",\\\"kubecloud.com\\\",\\\"seobundlekit.com\\\",\\\"solartrackingsystem.net\\\",\\\"virtualwebdata.com\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n | parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n | where DNSName in~ (domains) or DestinationHostName has_any (domains) or RequestURL has_any(domains)\\n | extend AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName, IPCustomEntity = SourceIP\\n ),\\n(_Im_Dns (domain_has_any=domains)\\n | extend DNSName = DnsQuery\\n | extend IPCustomEntity = SrcIpAddr\\n ),\\n(VMConnection \\n | parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n | where isnotempty(DNSName)\\n | where DNSName in~ (domains)\\n | extend IPCustomEntity = RemoteIp\\n ),\\n(DeviceNetworkEvents \\n | where isnotempty(RemoteUrl) \\n | where RemoteUrl has_any (domains) \\n | extend DNSName = RemoteUrl\\n | extend IPCustomEntity = RemoteIP \\n | extend HostCustomEntity = DeviceName \\n ),\\n(AzureDiagnostics \\n | where ResourceType == \\\"AZUREFIREWALLS\\\"\\n | where Category == \\\"AzureFirewallApplicationRule\\\"\\n | parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n | where isnotempty(DestinationHost)\\n | where DestinationHost has_any (domains) \\n | extend DNSName = DestinationHost \\n | extend IPCustomEntity = SourceHost\\n ),\\n(AzureDiagnostics\\n | where ResourceType == \\\"AZUREFIREWALLS\\\"\\n | where Category == \\\"AzureFirewallNetworkRule\\\"\\n | where msg_s has_any (domains)\\n | parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePortInt:int \\\" to \\\" TargetIP \\\":\\\" TargetPortInt:int *\\n | parse kind=regex flags=U msg_s with * \\\". Action\\\\\\\\: \\\" Action1a \\\"\\\\\\\\.\\\"\\n | parse msg_s with * \\\". Policy: \\\" Policy \\\". Rule Collection Group: \\\" RuleCollectionGroup \\\".\\\" *\\n | parse msg_s with * \\\" Rule Collection: \\\" RuleCollection \\\". Rule: \\\" Rule \\n | extend DNSName = TargetIP \\n | extend IPCustomEntity = SourceIP\\n ),\\n(AzureDiagnostics\\n | where ResourceType == \\\"AZUREFIREWALLS\\\"\\n | where Category == \\\"AzureFirewallDnsProxy\\\"\\n | where msg_s has_any (domains)\\n | parse msg_s with \\\"DNS Request: \\\" SourceIP \\\":\\\" SourcePortInt:int \\\" - \\\" QueryID:int \\\" \\\" RequestType \\\" \\\" RequestClass \\\" \\\" hostname \\\". \\\" protocol \\\" \\\" details\\n | extend\\n ResponseDuration = extract(\\\"[0-9]*.?[0-9]+s$\\\", 0, msg_s),\\n SourcePort = tostring(SourcePortInt),\\n QueryID = tostring(QueryID)\\n | extend DNSName = hostname\\n | extend IPCustomEntity = SourceIP\\n | project TimeGenerated,SourceIP,hostname,RequestType,ResponseDuration,details,msg_s\\n | order by TimeGenerated\\n ),\\n(AZFWApplicationRule\\n | where Fqdn has_any (domains)\\n | extend DNSName = Fqdn\\n | extend IPCustomEntity = SourceIp\\n ),\\n(AZFWDnsQuery\\n | where isnotempty(QueryName)\\n | where QueryName has_any (domains)\\n | extend DNSName = QueryName\\n | extend IPCustomEntity = SourceIp\\n )\\n )\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"DNSName\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"[Deprecated] - Solorigate Network Beacon\",\"description\":\"This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft\u0027s Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2020-12-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\",\"AZFWApplicationRule\",\"AZFWDnsQuery\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4a3073ac-7383-48a9-90a8-eb6716183a54\",\"name\":\"4a3073ac-7383-48a9-90a8-eb6716183a54\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Medium\",\"query\":\"let excludeProcs = dynamic([@\\\"\\\\SolarWinds\\\\Orion\\\\APM\\\\APMServiceControl.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\ExportToPDFCmd.Exe\\\", @\\\"\\\\SolarWinds.Credentials\\\\SolarWinds.Credentials.Orion.WebApi.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\Topology\\\\SolarWinds.Orion.Topology.Calculator.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\Database-Maint.exe\\\", @\\\"\\\\SolarWinds.Orion.ApiPoller.Service\\\\SolarWinds.Orion.ApiPoller.Service.exe\\\", @\\\"\\\\Windows\\\\SysWOW64\\\\WerFault.exe\\\"]);\\nDeviceProcessEvents\\n| where InitiatingProcessFileName =~ \\\"solarwinds.businesslayerhost.exe\\\"\\n| where not(FolderPath has_any (excludeProcs))\\n| extend\\n timestamp = TimeGenerated,\\n InitiatingProcessAccountUPNSuffix = tostring(split(InitiatingProcessAccountUpn, \\\"@\\\")[1]),\\n Algorithm = \\\"MD5\\\"\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"InitiatingProcessAccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"InitiatingProcessAccountDomain\"},{\"identifier\":\"Sid\",\"columnName\":\"InitiatingProcessAccountSid\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"DeviceName\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"Algorithm\"},{\"identifier\":\"Value\",\"columnName\":\"MD5\"}]}],\"tactics\":[\"Execution\",\"Persistence\"],\"displayName\":\"SUNBURST suspicious SolarWinds child processes\",\"description\":\"Identifies suspicious child processes of SolarWinds.Orion.Core.BusinessLayer.dll that may be evidence of the SUNBURST backdoor\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2020-12-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4ebbb5c2-8802-11ec-a8a3-0242ac120002\",\"name\":\"4ebbb5c2-8802-11ec-a8a3-0242ac120002\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"High\",\"query\":\"// Enter a reference list of decoy users (usernames) \\\"Case Sensitive\\\"\\nlet MaliciousServiceArtifacts = dynamic ([\\\"fgexec\\\",\\\"cachedump\\\",\\\"mimikatz\\\",\\\"mimidrv\\\",\\\"wceservice\\\",\\\"pwdump\\\"]);\\nEvent\\n| where Source == \\\"Service Control Manager\\\" and EventID == 7045\\n| parse EventData with * \u0027ServiceName\\\"\u003e\u0027 ServiceName \\\"\u003c\\\" * \u0027ImagePath\\\"\u003e\u0027 ImagePath \\\"\u003c\\\" *\\n| where ServiceName has_any (MaliciousServiceArtifacts) or ImagePath has_any (MaliciousServiceArtifacts)\\n| parse EventData with * \u0027AccountName\\\"\u003e\u0027 AccountName \\\"\u003c\\\" *\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, ServiceName, ImagePath, AccountName\\n| extend HostName = split(Computer, \u0027.\u0027, 0)[0], DnsDomain = strcat_array(array_slice(split(Computer, \u0027.\u0027), 1, -1), \u0027.\u0027)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"AccountName\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"ImagePath\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Credential Dumping Tools - Service Installation\",\"description\":\"This query detects the installation of a Windows service that contains artifacts from credential dumping tools such as Mimikatz.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"Event\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"Event\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2b328487-162d-4034-b472-59f1d53684a1\",\"name\":\"2b328487-162d-4034-b472-59f1d53684a1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Medium\",\"query\":\"let timeframe = 15m;\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(timeframe)\\n| where HttpUserAgentOriginal == \u0027\u0027\\n| extend Message = \\\"Empty User Agent\\\"\\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlOriginal\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - Empty User Agent Detected\",\"description\":\"Rule helps to detect empty and unusual user agent indicating web browsing activity by an unusual process other than a web browser.\",\"lastUpdatedDateUTC\":\"2023-12-29T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8d537f3c-094f-430c-a588-8a87da36ee3a\",\"name\":\"8d537f3c-094f-430c-a588-8a87da36ee3a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Medium\",\"query\":\"let timeframe = 15m;\\nlet user_agents=dynamic([\\n \u0027(hydra)\u0027,\\n \u0027 arachni/\u0027,\\n \u0027 BFAC \u0027,\\n \u0027 brutus \u0027,\\n \u0027 cgichk \u0027,\\n \u0027core-project/1.0\u0027,\\n \u0027 crimscanner/\u0027,\\n \u0027datacha0s\u0027,\\n \u0027dirbuster\u0027,\\n \u0027domino hunter\u0027,\\n \u0027dotdotpwn\u0027,\\n \u0027FHScan Core\u0027,\\n \u0027floodgate\u0027,\\n \u0027get-minimal\u0027,\\n \u0027gootkit auto-rooter scanner\u0027,\\n \u0027grendel-scan\u0027,\\n \u0027 inspath \u0027,\\n \u0027internet ninja\u0027,\\n \u0027jaascois\u0027,\\n \u0027 zmeu \u0027,\\n \u0027masscan\u0027,\\n \u0027 metis \u0027,\\n \u0027morfeus fucking scanner\u0027,\\n \u0027n-stealth\u0027,\\n \u0027nsauditor\u0027,\\n \u0027pmafind\u0027,\\n \u0027security scan\u0027,\\n \u0027springenwerk\u0027,\\n \u0027teh forest lobster\u0027,\\n \u0027toata dragostea\u0027,\\n \u0027 vega/\u0027,\\n \u0027voideye\u0027,\\n \u0027webshag\u0027,\\n \u0027webvulnscan\u0027,\\n \u0027 whcc/\u0027,\\n \u0027 Havij\u0027,\\n \u0027absinthe\u0027,\\n \u0027bsqlbf\u0027,\\n \u0027mysqloit\u0027,\\n \u0027pangolin\u0027,\\n \u0027sql power injector\u0027,\\n \u0027sqlmap\u0027,\\n \u0027sqlninja\u0027,\\n \u0027uil2pn\u0027,\\n \u0027ruler\u0027,\\n \u0027Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-PT; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)\u0027\\n ]);\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(timeframe)\\n| where HttpUserAgentOriginal has_any (user_agents)\\n| extend Message = \\\"Hack Tool User Agent\\\"\\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated, HttpUserAgentOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlOriginal\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - Hack Tool User-Agent Detected\",\"description\":\"Detects suspicious user agent strings used by known hack tools\",\"lastUpdatedDateUTC\":\"2023-12-29T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a0907abe-6925-4d90-af2b-c7e89dc201a6\",\"name\":\"a0907abe-6925-4d90-af2b-c7e89dc201a6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P10D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"let starttime = 10d;\\nlet endtime = 1d;\\nlet threshold = 100;\\nlet nxDomainDnsEvents = DnsEvents\\n// ResultCode 3 =\u003e \u0027NXDOMAIN\u0027\\n| where ResultCode == 3\\n| where QueryType in~ (\\\"A\\\", \\\"AAAA\\\")\\n| where ipv4_is_match(\\\"127.0.0.1\\\", ClientIP) == False\\n| where Name !has \\\"/\\\"\\n| where Name has \\\".\\\";\\nnxDomainDnsEvents\\n| where TimeGenerated \u003e ago(endtime)\\n// sld = Second Level Domain\\n| extend sld = tostring(split(Name, \\\".\\\")[-2])\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), dcount(sld), sampleNXDomainList=make_set(Name, 100) by ClientIP\\n| where dcount_sld \u003e threshold\\n// Filter out previously seen IPs\\n// Returns all the records from the left side that don\u0027t have matches from the right\\n| join kind=leftanti (nxDomainDnsEvents\\n | where TimeGenerated between(ago(starttime)..ago(endtime))\\n | extend sld = tostring(split(Name, \\\".\\\")[-2])\\n | summarize dcount(sld) by ClientIP, bin(TimeGenerated,1d)\\n | where dcount_sld \u003e threshold\\n ) on ClientIP\\n | order by dcount_sld desc\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Potential DGA detected\",\"description\":\"Identifies clients with a high NXDomain count, which could be indicative of a DGA (cycling through possible C2 domains where most C2s are not live).\\nAlerts are generated when a new IP address is seen (based on not being associated with NXDomain records in the prior 10-day baseline period).\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/492fbe35-cbac-4a8c-9059-826782e6915a\",\"name\":\"492fbe35-cbac-4a8c-9059-826782e6915a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Low\",\"query\":\"AuditLogs\\n | where Category =~ \\\"ApplicationManagement\\\"\\n | where OperationName has_any (\\\"Update Application\\\", \\\"Update Service principal\\\")\\n | extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n | extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n | extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n | extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n | extend InitiatingIPAddress = tostring(InitiatedBy.user.ipAddress)\\n | extend TargetAppName = tostring(TargetResources[0].displayName)\\n | extend mod_props = TargetResources[0].modifiedProperties\\n | mv-expand mod_props\\n | extend Action = tostring(mod_props.displayName)\\n | where Action contains \\\"Url\\\"\\n | extend UpdatedBy = iif(isnotempty(InitiatingAppName), InitiatingAppName, InitiatingUserPrincipalName)\\n | extend OldURL = tostring(mod_props.oldValue)\\n | extend NewURL = tostring(mod_props.newValue)\\n | extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[1])\\n | project-reorder TimeGenerated, InitiatingAppName, InitiatingAppServicePrincipalId, InitiatingAadUserId, InitiatingUserPrincipalName, InitiatingIPAddress, UpdatedBy\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatingAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatingAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"OldURL\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"NewURL\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIPAddress\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Changes to Application Logout URL\",\"description\":\"Detects changes to an applications sign out URL.\\n Look for any modifications to a sign out URL. Blank entries or entries to non-existent locations would stop a user from terminating a session.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-applications#logout-url-modified-or-removed\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/122fbc6a-57ab-4aa7-b9a9-51ac4970cac1\",\"name\":\"122fbc6a-57ab-4aa7-b9a9-51ac4970cac1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"// Define variable \u0027AwsAlert\u0027 to collect AWS GuardDuty CredentialAccess alerts related to Amazon Relational Database Service (RDS) activity\\nlet AwsAlert = materialize (\\n AWSGuardDuty\\n | where ActivityType has_any (\\n \\\"CredentialAccess:RDS/TorIPCaller.SuccessfulLogin\\\",\\n \\\"CredentialAccess:RDS/TorIPCaller.FailedLogin\\\",\\n \\\"CredentialAccess:RDS/AnomalousBehavior.SuccessfulBruteForce\\\",\\n \\\"CredentialAccess:RDS/AnomalousBehavior.SuccessfulLogin\\\",\\n \\\"CredentialAccess:RDS/MaliciousIPCaller.SuccessfulLogin\\\",\\n \\\"CredentialAccess:RDS/MaliciousIPCaller.FailedLogin\\\"\\n )\\n | extend\\n AWSAlertId = Id, \\n AWSAlertTitle = Title,\\n AWSAlertDescription = Description,\\n AWSresourceType = tostring(parse_json(ResourceDetails).resourceType),\\n AWSNetworkEntity = tostring(parse_json(ServiceDetails).action.rdsLoginAttemptAction.remoteIpDetails.ipAddressV4),\\n RDSInstanceId = tostring(parse_json(ResourceDetails).rdsDbInstanceDetails.dbInstanceIdentifier),\\n RDSUser = tostring(parse_json(ResourceDetails).rdsDbUserDetails.user),\\n RDSApplication = tostring(parse_json(ResourceDetails).rdsDbUserDetails.application),\\n RDSactionType = tostring(parse_json(ServiceDetails).action.actionType),\\n AWSAlertTime = TimeCreated,\\n AWSAlertLink= tostring(strcat(\u0027https://us-east-1.console.aws.amazon.com/guardduty/home?region=us-east-1#/findings?macros=current\u0026fId=\u0027,Id)),\\n Severity = \\n case (\\n Severity \u003e= 7.0, \\\"High\\\",\\n Severity between (4.0 .. 6.9), \\\"Medium\\\",\\n Severity between (1.0 .. 3.9), \\\"Low\\\",\\n \\\"Unknown\\\")\\n | distinct\\n AWSAlertTime,\\n ActivityType,\\n AWSAlertId,\\n AWSAlertLink,\\n AWSAlertTitle,\\n AWSAlertDescription,\\n AWSresourceType,\\n Arn,\\n Severity,\\n RDSactionType,\\n RDSApplication,\\n RDSInstanceId,\\n RDSUser,\\n AWSNetworkEntity\\n );\\n // Define variable \u0027Azure_sigin\u0027 to collect Azure portal sign-in activities\\n let Azure_sigin = materialize (\\n SigninLogs\\n | where AppDisplayName == \\\"Azure Portal\\\"\\n | where isnotempty(OriginalRequestId)\\n | summarize \\n AzureSuccessfulEvent = countif(ResultType == 0), \\n AzureFailedEvent = countif(ResultType != 0), \\n totalAzureLoginEventId = dcount(OriginalRequestId), \\n AzureFailedEventsCount = dcountif(OriginalRequestId, ResultType != 0), \\n AzureSuccessfuleventsCount = dcountif(OriginalRequestId, ResultType == 0),\\n AzureSetOfFailedevents = makeset(iff(ResultType != 0, OriginalRequestId, \\\"\\\"), 5), \\n AzureSetOfSuccessfulEvents = makeset(iff(ResultType == 0, OriginalRequestId, \\\"\\\"), 5) \\n by \\n IPAddress, \\n UserPrincipalName, \\n bin(TimeGenerated, 1min), \\n UserAgent,\\n ConditionalAccessStatus,\\n OperationName,\\n RiskDetail,\\n AuthenticationRequirement,\\n ClientAppUsed\\n // Extracting the name and UPN suffix from UserPrincipalName\\n | extend\\n Name = tostring(split(UserPrincipalName, \u0027@\u0027)[0]),\\n UPNSuffix = tostring(split(UserPrincipalName, \u0027@\u0027)[1])\\n );\\n // Join \u0027AwsAlert\u0027 and \u0027Azure_sigin\u0027 on the AWS Network Entity and Azure IP Address\\n AwsAlert\\n | join kind=inner Azure_sigin on $left.AWSNetworkEntity == $right.IPAddress\",\"customDetails\":{\"AWSAlertUserName\":\"RDSUser\",\"AWSArn\":\"Arn\",\"AWSresourceType\":\"AWSresourceType\",\"AWSInstanceType\":\"RDSactionType\",\"AWSAplicationName\":\"RDSApplication\",\"AWSInstanceId\":\"RDSInstanceId\",\"AzureUserAgent\":\"UserAgent\",\"AzureUser\":\"UserPrincipalName\",\"AzureClientAppUsed\":\"ClientAppUsed\",\"AzConditionalAccess\":\"ConditionalAccessStatus\",\"AzureOperationName\":\"OperationName\",\"AzureRiskDetail\":\"RiskDetail\",\"AzAuthRequirement\":\"AuthenticationRequirement\",\"alertSeverity\":\"Severity\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"IP address {{IPAddress}} in {{AWSAlertTitle}} seen in Azure Signin Logs with {{UserPrincipalName}}\",\"alertDescriptionFormat\":\"This detection correlates AWS GuardDuty Credential Access alert described \u0027{{AWSAlertDescription}}\u0027 related to Amazon Relational Database Service (RDS) activity with Azure portal sign-in activities. It identifies successful and failed logins, anomalous behavior, and malicious IP access. By joining these datasets on network entities and IP addresses, it detects unauthorized credential access attempts across AWS and Azure resources, enhancing cross-cloud security monitoring. \\n\\n AWS ALert Link : \u0027{{AWSAlertLink}}\u0027 \\n\\n Find More Details :https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-active.html\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":\"Severity\"},\"tactics\":[\"CredentialAccess\",\"InitialAccess\"],\"displayName\":\"Cross-Cloud Unauthorized Credential Access Detection From AWS RDS Login\",\"description\":\"\\nThis detection correlates AWS GuardDuty Credential Access alerts related to Amazon Relational Database Service (RDS) activity with Azure portal sign-in activities. It identifies successful and failed logins, anomalous behavior, and malicious IP access. By joining these datasets on network entities and IP addresses, it detects unauthorized credential access attempts across AWS and Azure resources, enhancing cross-cloud security monitoring.\\n\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2023-09-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSGuardDuty\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2c55fe7a-b06f-4029-a5b9-c54a2320d7b8\",\"name\":\"2c55fe7a-b06f-4029-a5b9-c54a2320d7b8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.6\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet TotalEventsThreshold = 5;\\n// Configure the list with sensitive process names \\nlet ExeList = dynamic([\\\"powershell.exe\\\",\\\"cmd.exe\\\",\\\"wmic.exe\\\",\\\"psexec.exe\\\",\\\"cacls.exe\\\",\\\"rundll32.exe\\\"]);\\nlet TimeSeriesData =\\nSecurityEvent\\n| where EventID == 4688 | extend Process = tolower(Process)\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where Process in~ (ExeList)\\n| project TimeGenerated, Computer, AccountType, Account, Process\\n| make-series Total=count() on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by Process;\\nlet TimeSeriesAlerts = materialize(TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(Total, 1.5, -1, \u0027linefit\u0027)\\n| mv-expand Total to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to typeof(double), baseline to typeof(long)\\n| where anomalies \u003e 0\\n| project Process, TimeGenerated, Total, baseline, anomalies, score\\n| where Total \u003e TotalEventsThreshold);\\nlet AnomalyHours = materialize(TimeSeriesAlerts | where TimeGenerated \u003e ago(2d) | project TimeGenerated);\\nTimeSeriesAlerts\\n| where TimeGenerated \u003e ago(2d)\\n| join (\\nSecurityEvent\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n| where EventID == 4688 | extend Process = tolower(Process)\\n| summarize CommandlineCount = count() by bin(TimeGenerated, 1h), Process, CommandLine, Computer, Account\\n) on Process, TimeGenerated\\n| project AnomalyHour = TimeGenerated, Computer, Account, Process, CommandLine, CommandlineCount, Total, baseline, anomalies, score\\n| extend timestamp = AnomalyHour, NTDomain = split(Account, \u0027\\\\\\\\\u0027, 0)[0], Name = split(Account, \u0027\\\\\\\\\u0027, 1)[0], HostName = tostring(split(Computer, \u0027.\u0027, 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Computer, \u0027.\u0027), 1, -1), \u0027.\u0027))\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"NTDomain\",\"columnName\":\"NTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"Process Execution Frequency Anomaly\",\"description\":\"This detection identifies anomalous spike in frequency of executions of sensitive processes which are often leveraged as attack vectors.\\nThe query leverages KQL\u0027s built-in anomaly detection algorithms to find large deviations from baseline patterns.\\nSudden increases in execution frequency of sensitive processes should be further investigated for malicious activity.\\nTune the values from 1.5 to 3 in series_decompose_anomalies for further outliers or based on custom threshold values for score.\",\"lastUpdatedDateUTC\":\"2024-03-13T00:00:00Z\",\"createdDateUTC\":\"2019-05-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/961b6a81-5c53-40b6-9800-4f661a8faea7\",\"name\":\"961b6a81-5c53-40b6-9800-4f661a8faea7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.1\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/DEV-0586.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\nlet Command_Line = (iocs | where Type =~ \\\"CommandLine\\\" | project IoC);\\n(union isfuzzy=true\\n(DeviceProcessEvents\\n| where InitiatingProcessSHA256 in (sha256Hashes) or SHA256 in (sha256Hashes) or ( InitiatingProcessCommandLine has (\u0027127.0.0.1\\\\\\\\ADMIN$\u0027) and InitiatingProcessCommandLine has_any (Command_Line))\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type, AccountName, SHA256\\n| extend Account = AccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = case(InitiatingProcessSHA256 in (sha256Hashes), \\\"InitiatingProcessSHA256\\\", SHA256 in (sha256Hashes), \\\"SHA256\\\", \\\"No Match\\\")\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = case(FileHash == \\\"InitiatingProcessSHA256\\\", InitiatingProcessSHA256, FileHash == \\\"SHA256\\\", SHA256, \\\"No Match\\\"), AlgorithmCustomEntity = \\\"SHA256\\\"\\n),\\n( SecurityEvent\\n| where EventID == 4688\\n| where ( CommandLine has (@\u0027127.0.0.1\\\\\\\\ADMIN$\u0027) and CommandLine has_any (Command_Line))\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type, EventID\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName\\n),\\n( CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, SourceUserID, FileHash, Type\\n| extend timestamp = TimeGenerated, FileHashCustomEntity = FileHash, Account = SourceUserID, AlgorithmCustomEntity = \\\"SHA256\\\"\\n),\\n( imFileEvent\\n| where Hash in~ (sha256Hashes) or ( ActingProcessCommandLine has (\u0027127.0.0.1\\\\\\\\ADMIN$\u0027) and ActingProcessCommandLine has_any (Command_Line))\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, FileHashCustomEntity = FileHash, AlgorithmCustomEntity = \\\"SHA256\\\"\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Image = EventDetail.[4].[\\\"#text\\\"], CommandLine = EventDetail.[10].[\\\"#text\\\"], Hashes = tostring(EventDetail.[17].[\\\"#text\\\"])\\n| extend Hashes = extract_all(@\\\"(?P\u003ckey\u003e\\\\w+)=(?P\u003cvalue\u003e[a-zA-Z0-9]+)\\\", dynamic([\\\"key\\\",\\\"value\\\"]), Hashes)\\n| extend Hashes = column_ifexists(\\\"Hashes\\\", \\\"\\\"), CommandLine = column_ifexists(\\\"CommandLine\\\", \\\"\\\")\\n| extend Hashes = todynamic(Hashes) | mv-expand Hashes\\n| where (Hashes[0] =~ \\\"SHA256\\\" and Hashes[1] has_any (sha256Hashes)) or ( CommandLine has (\u0027127.0.0.1\\\\\\\\ADMIN$\u0027) and CommandLine has_any (Command_Line)) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, Hashes, CommandLine, Image\\n| extend Type = strcat(Type, \\\": \\\", Source)\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), FileHashCustomEntity = tostring(Hashes[1]), AlgorithmCustomEntity = \\\"SHA256\\\"\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"[Deprecated] - Cadet Blizzard Actor IOC - January 2022\",\"description\":\"This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft\u0027s Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2022-01-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6ab1f7b2-61b8-442f-bc81-96afe7ad8c53\",\"name\":\"6ab1f7b2-61b8-442f-bc81-96afe7ad8c53\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"High\",\"query\":\"// OBJECT ID of AAD Groups can be found by navigating to Azure Active Directory then from menu on the left, select Groups and from the list shown of AAD Groups, the Second Column shows the ObjectID of each\\nlet GroupIDs = dynamic([\\\"List with Custom AAD GROUP OBJECT ID 1\\\",\\\"Custom AAD GROUP OBJECT ID 2\\\"]);\\nAuditLogs\\n| where OperationName in (\u0027Add member to group\u0027, \u0027Add owner to group\u0027)\\n| extend InitiatedByActionUserInformation = iff(isnotempty(InitiatedBy.user.userPrincipalName), InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName)\\n| extend InitiatedByIPAdress = InitiatedBy.user.ipAddress \\n// Uncomment the following line to filter events where the inviting user was a guest user\\n//| where InitiatedBy has_any (\\\"CUSTOM DOMAIN NAME#\\\", \\\"#EXT#\\\")\\n| mv-apply TargetResource = TargetResources on \\n (\\n where TargetResource.type =~ \\\"User\\\"\\n | extend InvitedUser = trim(@\u0027\\\"\u0027,tostring(TargetResource.userPrincipalName)),\\n Properties = TargetResource.modifiedProperties\\n )\\n| mv-apply Property = Properties on \\n (\\n where Property.displayName =~ \\\"Group.DisplayName\\\"\\n | extend AADGroup = trim(\u0027\\\"\u0027,tostring(Property.newValue))\\n )\\n| where InvitedUser has_any (\\\"CUSTOM DOMAIN NAME#\\\", \\\"#EXT#\\\")\\n| mv-apply Property = Properties on\\n (\\n where Property.displayName =~ \\\"Group.ObjectID\\\"\\n | extend AADGroupId = trim(\u0027\\\"\u0027,tostring(Property.newValue))\\n )\\n| where AADGroupId !in (GroupIDs)\\n| extend Name = tostring(split(InitiatedByActionUserInformation,\u0027@\u0027,0)[0]), UPNSuffix = tostring(split(InitiatedByActionUserInformation,\u0027@\u0027,1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"InvitedUser\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatedByIPAdress\"}]}],\"tactics\":[\"InitialAccess\",\"Persistence\",\"Discovery\"],\"displayName\":\"Guest accounts added in AAD Groups other than the ones specified\",\"description\":\"Guest Accounts are added in the Organization Tenants to perform various tasks i.e projects execution, support etc.. This detection notifies when guest users are added to Azure AD Groups other than the ones specified and poses a risk to gain access to sensitive apps or data.\",\"lastUpdatedDateUTC\":\"2023-10-27T00:00:00Z\",\"createdDateUTC\":\"2022-10-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e7ec9fa6-e7f7-41ed-a34b-b956837a3ee6\",\"name\":\"e7ec9fa6-e7f7-41ed-a34b-b956837a3ee6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"Medium\",\"query\":\"let threshold = 15;\\n// Below pulls messages from syslog-authpriv logs where there was an authentication failure with an unknown user.\\n// IP address of system attempting logon is also extracted from the SyslogMessage field. Some of these messages\\n// are aggregated.\\nSyslog\\n| where Facility =~ \\\"authpriv\\\"\\n| where SyslogMessage has \\\"authentication failure\\\" and SyslogMessage has \\\" uid=0\\\"\\n| extend RemoteIP = extract(@\\\".*?rhost=([\\\\d.]+).*?\\\", 1,SyslogMessage)\\n| project TimeGenerated, Computer, ProcessName, HostIP, RemoteIP, ProcessID\\n| join kind=innerunique (\\n // Below pulls messages from syslog-authpriv logs that show each instance an unknown user tried to logon. \\n Syslog \\n | where Facility =~ \\\"authpriv\\\"\\n | where SyslogMessage has \\\"user unknown\\\"\\n | project Computer, HostIP, ProcessID\\n ) on Computer, HostIP, ProcessID\\n// Count the number of failed logon attempts by External IP and internal machine\\n| summarize FirstLogonAttempt = min(TimeGenerated), LatestLogonAttempt = max(TimeGenerated), TotalLogonAttempts = count() by Computer, HostIP, RemoteIP\\n// Calculate the time between first and last logon attempt (AttemptPeriodLength)\\n| extend TimeBetweenLogonAttempts = LatestLogonAttempt - FirstLogonAttempt\\n| where TotalLogonAttempts \u003e= threshold\\n| project FirstLogonAttempt, LatestLogonAttempt, TimeBetweenLogonAttempts, TotalLogonAttempts, SourceAddress = RemoteIP, Computer, HostIP\\n| sort by Computer asc nulls last\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"HostIP\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Failed logon attempts in authpriv\",\"description\":\"Identifies failed logon attempts from unknown users in Syslog authpriv logs. The unknown user means the account that tried to log in isn\u0027t provisioned on the machine. A few hits could indicate someone attempting to access a machine they aren\u0027t authorized to access. \\nIf there are many of hits, especially from outside your network, it could indicate a brute force attack. \\nDefault threshold for logon attempts is 15.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"SyslogAma\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/57c7e832-64eb-411f-8928-4133f01f4a25\",\"name\":\"57c7e832-64eb-411f-8928-4133f01f4a25\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.4\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h; // Look back 1 hour for AzureDiagnostics logs\\nlet ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators\\n// Fetch threat intelligence indicators related to IP addresses\\nlet IP_Indicators = ThreatIntelligenceIndicator\\n | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n | where TimeGenerated \u003e= ago(ioc_lookBack)\\n | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \\\"fe80\\\" and TI_ipEntity !startswith \\\"::\\\" and TI_ipEntity !startswith \\\"127.\\\"\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n | where Active == true and ExpirationDateTime \u003e now();\\n// Perform a join between IP indicators and AzureDiagnostics logs for Key Vault events\\nIP_Indicators\\n // Use innerunique to keep performance fast and result set low, as we only need one match to indicate potential malicious activity that needs investigation\\n | join kind=innerunique (\\n AzureDiagnostics\\n | where ResourceType =~ \\\"VAULTS\\\"\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | extend KeyVaultEvents_TimeGenerated = TimeGenerated, ClientIP = CallerIPAddress\\n )\\n on $left.TI_ipEntity == $right.ClientIP\\n // Filter out logs that occurred after the expiration of the corresponding indicator\\n | where KeyVaultEvents_TimeGenerated \u003c ExpirationDateTime\\n // Group the results by IndicatorId and ClientIP, and keep the log entry with the latest timestamp\\n | summarize KeyVaultEvents_TimeGenerated = arg_max(KeyVaultEvents_TimeGenerated, *) by IndicatorId, ClientIP\\n // Select the desired output fields\\n | project KeyVaultEvents_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\n TI_ipEntity, ClientIP, ResourceId, SubscriptionId, OperationName, ResultType, CorrelationId, id_s, clientInfo_s, httpStatusCode_d,\\n identity_claim_appid_g, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, Type\\n // Rename the timestamp field\\n | extend timestamp = KeyVaultEvents_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceId\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"TI map IP entity to Azure Key Vault logs\",\"description\":\"Identifies a match in Azure Key Vault logs from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2024-07-09T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureKeyVault\",\"dataTypes\":[\"KeyVaultData\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/050b9b3d-53d0-4364-a3da-1b678b8211ec\",\"name\":\"050b9b3d-53d0-4364-a3da-1b678b8211ec\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"High\",\"query\":\"// Define the start and end times based on input values\\nlet starttime = now()-1h;\\nlet endtime = now();\\n// Set a lookback period of 14 days\\nlet lookback = starttime - 14d;\\n// Define a reusable function to query audit logs\\nlet awsFunc = (start:datetime, end:datetime) {\\n AuditLogs\\n | where TimeGenerated between (start..end)\\n | where Category =~ \\\"RoleManagement\\\"\\n | where AADOperationType in (\\\"Assign\\\", \\\"AssignEligibleRole\\\")\\n | where ActivityDisplayName has_any (\\\"Add eligible member to role\\\", \\\"Add member to role\\\")\\n | mv-apply TargetResource = TargetResources on\\n (\\n where TargetResource.type in~ (\\\"User\\\", \\\"ServicePrincipal\\\")\\n | extend Target = iff(TargetResource.type =~ \\\"ServicePrincipal\\\", tostring(TargetResource.displayName), tostring(TargetResource.userPrincipalName)),\\n props = TargetResource.modifiedProperties\\n )\\n | mv-apply Property = props on\\n (\\n where Property.displayName =~ \\\"Role.DisplayName\\\"\\n | extend RoleName = trim(\u0027\\\"\u0027, tostring(Property.newValue))\\n )\\n | where RoleName contains \\\"Admin\\\" and Result == \\\"success\\\"\\n};\\n// Query for audit events in the current day\\nlet EventInfo_CurrentDay = awsFunc(starttime, endtime);\\n// Query for audit events in the historical period (lookback)\\nlet EventInfo_historical = awsFunc(lookback, starttime);\\n// Find unseen events by performing a left anti-join\\nlet EventInfo_Unseen = (EventInfo_CurrentDay\\n | join kind=leftanti(EventInfo_historical) on Target, RoleName, OperationName\\n);\\n// Extend and clean up the results\\nEventInfo_Unseen\\n| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n| extend InitiatingIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\\n| extend Initiator = iif(isnotempty(InitiatingAppName), InitiatingAppName, InitiatingUserPrincipalName)\\n// You can uncomment the lines below to filter out PIM activations\\n// | where Initiator != \\\"MS-PIM\\\"\\n// | summarize StartTime=min(TimeGenerated), EndTime=min(TimeGenerated) by OperationName, RoleName, Target, Initiator, Result\\n// Project specific columns and split them for further analysis\\n| project TimeGenerated, OperationName, RoleName, Target, Initiator, InitiatingUserPrincipalName, InitiatingAadUserId, InitiatingAppName, InitiatingAppServicePrincipalId, InitiatingIpAddress, Result\\n| extend TargetName = tostring(split(Target,\u0027@\u0027,0)[0]), TargetUPNSuffix = tostring(split(Target,\u0027@\u0027,1)[0]), InitiatorName = tostring(split(InitiatingUserPrincipalName,\u0027@\u0027,0)[0]), InitiatorUPNSuffix = tostring(split(InitiatingUserPrincipalName,\u0027@\u0027,1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Target\"},{\"identifier\":\"Name\",\"columnName\":\"TargetName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"TargetUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatorName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatorUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAppServicePrincipalId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIpAddress\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"New User Assigned to Privileged Role\",\"description\":\"Identifies when a privileged role is assigned to a new user. Any account eligible for a role is now being given privileged access. If the assignment is unexpected or into a role that isn\u0027t the responsibility of the account holder, investigate.\",\"lastUpdatedDateUTC\":\"2024-02-08T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/968358d6-6af8-49bb-aaa4-187b3067fb95\",\"name\":\"968358d6-6af8-49bb-aaa4-187b3067fb95\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT12H\",\"queryPeriod\":\"PT12H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"High\",\"query\":\"let successCodes = dynamic([200, 302, 401]);\\nW3CIISLog\\n| where scStatus has_any (successCodes)\\n| where ipv4_is_private(cIP) == False\\n| where csUriStem hasprefix \\\"/autodiscover/autodiscover.json\\\"\\n| project TimeGenerated, cIP, sIP, sSiteName, csUriStem, csUriQuery, Computer, csUserName, _ResourceId, FileUri\\n| where (csUriQuery !has \\\"Protocol\\\" and isnotempty(csUriQuery))\\nor (csUriQuery has_any(\\\"/mapi/\\\", \\\"powershell\\\"))\\nor (csUriQuery contains \\\"@\\\" and csUriQuery matches regex @\\\"\\\\.[a-zA-Z]{2,4}?(?:[a-zA-Z]{2,4}\\\\/)\\\")\\nor (csUriQuery contains \\\":\\\" and csUriQuery matches regex @\\\"\\\\:[0-9]{2,4}\\\\/\\\")\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| extend AccountName = tostring(split(csUserName, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(csUserName, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"csUserName\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"cIP\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"_ResourceId\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Exchange SSRF Autodiscover ProxyShell - Detection\",\"description\":\"This query looks for suspicious request patterns to Exchange servers that fit patterns recently blogged about by PeterJson. This exploitation chain utilises an SSRF vulnerability in Exchange which eventually allows the attacker to execute arbitrary Powershell on the server.\\nIn the example powershell can be used to write an email to disk with an encoded attachment containing a shell.\\nReference: https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2021-08-09T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5e45930c-09b1-4430-b2d1-cc75ada0dc0f\",\"name\":\"5e45930c-09b1-4430-b2d1-cc75ada0dc0f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.4.2\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h; // Look back 1 hour for W3CIISLog events\\nlet ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators\\n// Fetch threat intelligence indicators related to IP addresses\\nlet IP_Indicators = ThreatIntelligenceIndicator\\n | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n | where TimeGenerated \u003e= ago(ioc_lookBack)\\n | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \\\"fe80\\\" and TI_ipEntity !startswith \\\"::\\\" and TI_ipEntity !startswith \\\"127.\\\"\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n | where Active == true and ExpirationDateTime \u003e now();\\n// Perform a join between IP indicators and W3CIISLog events\\nIP_Indicators\\n // Use innerunique to keep performance fast and result set low, as we only need one match to indicate potential malicious activity that needs investigation\\n | join kind=innerunique (\\n W3CIISLog\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(cIP)\\n | where ipv4_is_private(cIP) == false and cIP !startswith \\\"fe80\\\" and cIP !startswith \\\"::\\\" and cIP !startswith \\\"127.\\\"\\n | extend W3CIISLog_TimeGenerated = TimeGenerated\\n )\\n on $left.TI_ipEntity == $right.cIP\\n // Filter out W3CIISLog events that occurred after the expiration of the corresponding indicator\\n | where W3CIISLog_TimeGenerated \u003c ExpirationDateTime\\n // Group the results by IndicatorId and keep the W3CIISLog event with the latest timestamp\\n | summarize W3CIISLog_TimeGenerated = arg_max(W3CIISLog_TimeGenerated, *) by IndicatorId, cIP\\n // Select the desired output fields\\n | project timestamp = W3CIISLog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\n TI_ipEntity, Computer, sSiteName, cIP, sIP, sPort, csMethod, csUserName, scStatus, scSubStatus, scWin32Status,\\n NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, Type\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"csUserName\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"cIP\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"TI Map IP Entity to W3CIISLog\",\"description\":\"This query maps any IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in W3CIISLog.\",\"lastUpdatedDateUTC\":\"2024-07-09T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cbf6ad48-fa5c-4bf7-b205-28dbadb91255\",\"name\":\"cbf6ad48-fa5c-4bf7-b205-28dbadb91255\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"let procList = externaldata(Process:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Microsoft_Lolbas_Execution_Binaries.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nEvent\\n| where EventLog =~ \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID==1\\n| parse EventData with * \u0027Image\\\"\u003e\u0027 Image \\\"\u003c\\\" * \u0027OriginalFileName\\\"\u003e\u0027 OriginalFileName \\\"\u003c\\\" *\\n| where OriginalFileName has_any (procList) and not (Image has_any (procList))\\n| parse EventData with * \u0027ProcessGuid\\\"\u003e\u0027 ProcessGuid \\\"\u003c\\\" * \u0027Description\\\"\u003e\u0027 Description \\\"\u003c\\\" * \u0027CommandLine\\\"\u003e\u0027 CommandLine \\\"\u003c\\\" * \u0027CurrentDirectory\\\"\u003e\u0027 CurrentDirectory \\\"\u003c\\\" * \u0027User\\\"\u003e\u0027 User \\\"\u003c\\\" * \u0027LogonGuid\\\"\u003e\u0027 LogonGuid \\\"\u003c\\\" * \u0027Hashes\\\"\u003e\u0027 Hashes \\\"\u003c\\\" * \u0027ParentProcessGuid\\\"\u003e\u0027 ParentProcessGuid \\\"\u003c\\\" * \u0027ParentImage\\\"\u003e\u0027 ParentImage \\\"\u003c\\\" * \u0027ParentCommandLine\\\"\u003e\u0027 ParentCommandLine \\\"\u003c\\\" * \u0027ParentUser\\\"\u003e\u0027 ParentUser \\\"\u003c\\\" *\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, User, ParentImage, ParentProcessGuid, ParentCommandLine, ParentUser, Image, ProcessGuid, CommandLine, Description, OriginalFileName, CurrentDirectory, Hashes\\n| extend HostName = iif(Computer has \u0027.\u0027,substring(Computer,0,indexof(Computer,\u0027.\u0027)),Computer) , DnsDomain = iif(Computer has \u0027.\u0027,substring(Computer,indexof(Computer,\u0027.\u0027)+1),\u0027\u0027)\",\"entityMappings\":[{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLine\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"User\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"Windows Binaries Lolbins Renamed\",\"description\":\"This query detects the execution of renamed Windows binaries (Lolbins). This is a common technique used by adversaries to evade detection. \\nRef: https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-analytics-alert-reference/cortex-xdr-analytics-alert-reference/execution-of-renamed-lolbin.html\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-03-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a2e36ce0-da4d-4b6e-88c6-4e40161c5bfc\",\"name\":\"a2e36ce0-da4d-4b6e-88c6-4e40161c5bfc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.8\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @\u0027^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$\u0027;\\nThreatIntelligenceIndicator\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n| where TimeGenerated \u003e= ago(ioc_lookBack)\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true and ExpirationDateTime \u003e now()\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n SecurityAlert\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | extend MSTI = case(AlertName has \\\"TI map\\\" and VendorName == \\\"Microsoft\\\" and ProductName == \u0027Azure Sentinel\u0027, true, false)\\n | where MSTI == false\\n // Converting Entities into dynamic data type and use mv-expand to unpack the array\\n | extend EntitiesDynamicArray = parse_json(Entities) | mv-expand EntitiesDynamicArray\\n // Parsing relevant entity column to filter type account and creating new column by combining account and UPNSuffix\\n | extend Entitytype = tostring(parse_json(EntitiesDynamicArray).Type), EntityName = tostring(parse_json(EntitiesDynamicArray).Name),\\n EntityUPNSuffix = tostring(parse_json(EntitiesDynamicArray).UPNSuffix)\\n | where Entitytype =~ \\\"account\\\"\\n | extend EntityEmail = tolower(strcat(EntityName, \\\"@\\\", EntityUPNSuffix))\\n | where EntityEmail matches regex emailregex\\n | extend Alert_TimeGenerated = TimeGenerated\\n)\\non $left.EmailSenderAddress == $right.EntityEmail\\n| where Alert_TimeGenerated \u003c ExpirationDateTime\\n| summarize Alert_TimeGenerated = arg_max(Alert_TimeGenerated, *) by IndicatorId, AlertName\\n| project Alert_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, EntityEmail, AlertName, AlertType,\\nAlertSeverity, Entities, ProviderName, VendorName\\n| extend Name = tostring(split(EntityEmail, \u0027@\u0027, 0)[0]), UPNSuffix = tostring(split(EntityEmail, \u0027@\u0027, 1)[0])\\n| extend timestamp = Alert_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"EntityEmail\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"TI map Email entity to SecurityAlert\",\"description\":\"Identifies a match in SecurityAlert table from any Email IOC from TI which will extend coverage to datatypes such as MCAS, StorageThreatProtection and many others\",\"lastUpdatedDateUTC\":\"2024-07-10T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fb7ca1c9-e14c-40a3-856e-28f3c14ea1ba\",\"name\":\"fb7ca1c9-e14c-40a3-856e-28f3c14ea1ba\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Medium\",\"query\":\"let account_threshold = 5;\\nAADNonInteractiveUserSignInLogs\\n//| where ResultType == \\\"81016\\\"\\n| where ResultType startswith \\\"81\\\"\\n| summarize DistinctAccounts = dcount(UserPrincipalName), DistinctAddresses = make_set(IPAddress,100) by ResultType\\n| where DistinctAccounts \u003e account_threshold\\n| mv-expand IPAddress = DistinctAddresses\\n| extend IPAddress = tostring(IPAddress)\\n| join kind=leftouter (union isfuzzy=true SigninLogs, AADNonInteractiveUserSignInLogs) on IPAddress\\n| summarize\\n StartTime = min(TimeGenerated),\\n EndTime = max(TimeGenerated),\\n UserPrincipalName = make_set(UserPrincipalName,100),\\n UserAgent = make_set(UserAgent,100),\\n ResultDescription = take_any(ResultDescription),\\n ResultSignature = take_any(ResultSignature)\\n by IPAddress, Type, ResultType\\n| project Type, StartTime, EndTime, IPAddress, ResultType, ResultDescription, ResultSignature, UserPrincipalName, UserAgent = iff(array_length(UserAgent) == 1, UserAgent[0], UserAgent)\\n| extend Name = tostring(split(UserPrincipalName[0],\u0027@\u0027,0)[0]), UPNSuffix = tostring(split(UserPrincipalName[0],\u0027@\u0027,1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Password spray attack against Microsoft Entra ID Seamless SSO\",\"description\":\"This query detects when there is a spike in Microsoft Entra ID Seamless SSO errors. They may not be caused by a Password Spray attack, but the cause of the errors might need to be investigated.\\nMicrosoft Entra ID only logs the requests that matched existing accounts, thus there might have been unlogged requests for non-existing accounts.\",\"lastUpdatedDateUTC\":\"2024-01-04T00:00:00Z\",\"createdDateUTC\":\"2022-03-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/361dd1e3-1c11-491e-82a3-bb2e44ac36ba\",\"name\":\"361dd1e3-1c11-491e-82a3-bb2e44ac36ba\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.4\",\"severity\":\"Medium\",\"query\":\"let szOperationNames = dynamic([\\\"microsoft.compute/virtualMachines/write\\\", \\\"microsoft.resources/deployments/write\\\"]);\\nlet starttime = 7d;\\nlet endtime = 1d;\\nlet timeframe = 1d;\\nlet TimeSeriesData =\\nAzureActivity\\n| where TimeGenerated between (startofday(ago(starttime)) .. startofday(now()))\\n| where OperationNameValue in~ (szOperationNames)\\n| project TimeGenerated, Caller \\n| make-series Total = count() on TimeGenerated from startofday(ago(starttime)) to startofday(now()) step timeframe by Caller; \\nTimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(Total, 3, -1, \u0027linefit\u0027)\\n| mv-expand Total to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to typeof(double), baseline to typeof(long) \\n| where TimeGenerated \u003e= startofday(ago(endtime))\\n| where anomalies \u003e 0 and baseline \u003e 0\\n| project Caller, TimeGenerated, Total, baseline, anomalies, score\\n| join (AzureActivity\\n| where TimeGenerated \u003e startofday(ago(endtime)) \\n| where OperationNameValue in~ (szOperationNames)\\n| summarize make_set(OperationNameValue,100), make_set(_ResourceId,100), make_set(CallerIpAddress,100) by bin(TimeGenerated, timeframe), Caller\\n) on TimeGenerated, Caller\\n| mv-expand CallerIpAddress=set_CallerIpAddress\\n| project-away Caller1\\n| extend Name = iif(Caller has \u0027@\u0027,tostring(split(Caller,\u0027@\u0027,0)[0]),\\\"\\\")\\n| extend UPNSuffix = iif(Caller has \u0027@\u0027,tostring(split(Caller,\u0027@\u0027,1)[0]),\\\"\\\")\\n| extend AadUserId = iif(Caller !has \u0027@\u0027,Caller,\\\"\\\")\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Caller\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"AadUserId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"CallerIpAddress\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Suspicious number of resource creation or deployment activities\",\"description\":\"Indicates when an anomalous number of VM creations or deployment activities occur in Azure via the AzureActivity log. This query generates the baseline pattern of cloud resource creation by an individual and generates an anomaly when any unusual spike is detected. These anomalies from unusual or privileged users could be an indication of a cloud infrastructure takedown by an adversary.\",\"lastUpdatedDateUTC\":\"2024-03-04T00:00:00Z\",\"createdDateUTC\":\"2019-02-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/baedfdf4-7cc8-45a1-81a9-065821628b83\",\"name\":\"baedfdf4-7cc8-45a1-81a9-065821628b83\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"let runningRAT_parameters = dynamic([\u0027/ui/chk\u0027, \u0027mactok=\u0027, \u0027UsRnMe=\u0027, \u0027IlocalP=\u0027, \u0027kMnD=\u0027]);\\nCommonSecurityLog\\n| where RequestMethod == \\\"GET\\\"\\n| project TimeGenerated, DeviceVendor, DeviceProduct, DeviceAction, DestinationDnsDomain, DestinationIP, RequestURL, SourceIP, SourceHostName, RequestClientApplication\\n| where RequestURL has_any (runningRAT_parameters)\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DestinationIP\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"SourceHostName\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"RequestURL\"}]}],\"tactics\":[\"Exfiltration\",\"CommandAndControl\"],\"displayName\":\"RunningRAT request parameters\",\"description\":\"This detection will alert when RunningRAT URI parameters or paths are detect in an HTTP request.\\nId the device blocked this communication presence of this alert means the RunningRAT implant is likely still executing on the source host.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-05-31T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/42436753-9944-4d70-801c-daaa4d19ddd2\",\"name\":\"42436753-9944-4d70-801c-daaa4d19ddd2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"AlertPerResult\"},\"version\":\"1.1.4\",\"severity\":\"Medium\",\"query\":\"let threatCategory=\\\"Powershell\\\";\\nlet knownUserAgentsIndicators = materialize(externaldata(UserAgent:string, Category:string)\\n [ @\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/UnusualUserAgents.csv\\\"]\\n with(format=\\\"csv\\\", ignoreFirstRecord=True));\\nlet knownUserAgents=toscalar(knownUserAgentsIndicators | where Category==threatCategory | where isnotempty(UserAgent) | summarize make_list(UserAgent));\\nlet customUserAgents=toscalar(_GetWatchlist(\\\"UnusualUserAgents\\\") | where SearchKey==threatCategory | extend UserAgent=column_ifexists(\\\"UserAgent\\\",\\\"\\\") | where isnotempty(UserAgent) | summarize make_list(UserAgent));\\nlet fullUAList = array_concat(knownUserAgents,customUserAgents);\\n_Im_WebSession(httpuseragent_has_any=fullUAList)\\n| project SrcIpAddr, Url, TimeGenerated, HttpUserAgent, SrcUsername\\n| extend AccountName = tostring(split(SrcUsername, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(SrcUsername, \\\"@\\\")[1])\",\"customDetails\":{\"UserAgent\":\"HttpUserAgent\"},\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SrcUsername\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Host {{SrcIpAddr}} is potentially running PowerShell\",\"alertDescriptionFormat\":\"The host at address {{SrcIpAddr}} sent an HTTP request to the URL {{Url}} with the HTTP user agent header {{HttpUserAgent}}. This user agent is known to be used by PoerShell and indicates suspicious activity on the host.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"CommandAndControl\",\"DefenseEvasion\",\"Execution\"],\"displayName\":\"A host is potentially running PowerShell to send HTTP(S) requests (ASIM Web Session schema)\",\"description\":\"This rule identifies a web request with a user agent header known to belong PowerShell. \u003cbr\u003eYou can add custom Powershell indicating User-Agent headers using a watchlist, for more information refer to the [UnusualUserAgents Watchlist](https://aka.ms/ASimUnusualUserAgentsWatchlist).\u003cbr\u003e\u003cbr\u003e\\n This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema)\",\"lastUpdatedDateUTC\":\"2024-07-15T00:00:00Z\",\"createdDateUTC\":\"2021-12-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/631d02df-ab51-46c1-8d72-32d0cfec0720\",\"name\":\"631d02df-ab51-46c1-8d72-32d0cfec0720\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.6\",\"severity\":\"Medium\",\"query\":\"let excludeProcs = dynamic([@\\\"\\\\SolarWinds\\\\Orion\\\\APM\\\\APMServiceControl.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\ExportToPDFCmd.Exe\\\", @\\\"\\\\SolarWinds.Credentials\\\\SolarWinds.Credentials.Orion.WebApi.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\Topology\\\\SolarWinds.Orion.Topology.Calculator.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\Database-Maint.exe\\\", @\\\"\\\\SolarWinds.Orion.ApiPoller.Service\\\\SolarWinds.Orion.ApiPoller.Service.exe\\\", @\\\"\\\\Windows\\\\SysWOW64\\\\WerFault.exe\\\"]);\\nimProcessCreate\\n| where Process hassuffix \u0027solarwinds.businesslayerhost.exe\u0027\\n| where not(Process has_any (excludeProcs))\\n| extend AccountName = tostring(split(ActorUsername, @\u0027\\\\\u0027)[1]), AccountNTDomain = tostring(split(ActorUsername, @\u0027\\\\\u0027)[0])\\n| extend HostName = tostring(split(Dvc, \\\".\\\")[0]), DomainIndex = toint(indexof(Dvc, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Dvc, DomainIndex + 1), Dvc)\\n| project-away DomainIndex\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ActorUsername\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Dvc\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmType\"},{\"identifier\":\"Value\",\"columnName\":\"TargetFileMD5\"}]}],\"tactics\":[\"Execution\",\"Persistence\"],\"displayName\":\"SUNBURST suspicious SolarWinds child processes (Normalized Process Events)\",\"description\":\"Identifies suspicious child processes of SolarWinds.Orion.Core.BusinessLayer.dll that may be evidence of the SUNBURST backdoor\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimProcessEvent)\",\"lastUpdatedDateUTC\":\"2024-07-15T00:00:00Z\",\"createdDateUTC\":\"2020-12-15T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/48602a24-67cf-4362-b258-3f4249e55def\",\"name\":\"48602a24-67cf-4362-b258-3f4249e55def\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Medium\",\"query\":\"let query_frequency = 1h;\\nlet query_period = 14d;\\nIdentityInfo\\n| where TimeGenerated \u003e ago(query_period)\\n| where set_has_element(AssignedRoles, \\\"Global Administrator\\\")\\n| distinct AccountUPN, AccountObjectId\\n| join kind=inner (\\n AuditLogs\\n | where TimeGenerated \u003e ago(query_frequency)\\n | where OperationName=~ \\\"Update user\\\" and Result =~ \\\"success\\\"\\n // | where isnotempty(InitiatedBy[\\\"user\\\"])\\n | mv-expand TargetResource = TargetResources\\n | where TargetResource[\\\"type\\\"] == \\\"User\\\"\\n | extend AccountObjectId = tostring(TargetResource[\\\"id\\\"])\\n | where tostring(TargetResource[\\\"modifiedProperties\\\"]) != \\\"[]\\\"\\n | mv-apply modifiedProperty = TargetResource[\\\"modifiedProperties\\\"] on (\\n summarize modifiedProperties = make_bag(\\n bag_pack(tostring(modifiedProperty[\\\"displayName\\\"]),\\n bag_pack(\\\"oldValue\\\", trim(@\u0027[\\\\\\\"\\\\s]+\u0027, tostring(modifiedProperty[\\\"oldValue\\\"])),\\n \\\"newValue\\\", trim(@\u0027[\\\\\\\"\\\\s]+\u0027, tostring(modifiedProperty[\\\"newValue\\\"])))))\\n )\\n | where not(tostring(modifiedProperties[\\\"Included Updated Properties\\\"][\\\"newValue\\\"]) in (\\\"LastDirSyncTime\\\", \\\"\\\"))\\n | where not(tostring(modifiedProperties[\\\"Included Updated Properties\\\"][\\\"newValue\\\"]) == \\\"StrongAuthenticationPhoneAppDetail\\\" and isnotempty(modifiedProperties[\\\"StrongAuthenticationPhoneAppDetail\\\"]) and tostring(array_sort_asc(extract_all(@\u0027\\\\\\\"Id\\\\\\\"\\\\:\\\\\\\"([^\\\\\\\"]+)\\\\\\\"\u0027, tostring(modifiedProperties[\\\"StrongAuthenticationPhoneAppDetail\\\"][\\\"newValue\\\"])))) == tostring(array_sort_asc(extract_all(@\u0027\\\\\\\"Id\\\\\\\"\\\\:\\\\\\\"([^\\\\\\\"]+)\\\\\\\"\u0027, tostring(modifiedProperties[\\\"StrongAuthenticationPhoneAppDetail\\\"][\\\"oldValue\\\"])))))\\n | extend\\n Initiator = iif(isnotempty(InitiatedBy[\\\"app\\\"]), tostring(InitiatedBy[\\\"app\\\"][\\\"displayName\\\"]), tostring(InitiatedBy[\\\"user\\\"][\\\"userPrincipalName\\\"])),\\n InitiatorId = iif(isnotempty(InitiatedBy[\\\"app\\\"]), tostring(InitiatedBy[\\\"app\\\"][\\\"servicePrincipalId\\\"]), tostring(InitiatedBy[\\\"user\\\"][\\\"id\\\"])),\\n IPAddress = tostring(InitiatedBy[tostring(bag_keys(InitiatedBy)[0])][\\\"ipAddress\\\"])\\n) on AccountObjectId\\n| project TimeGenerated, Category, Identity, Initiator, IPAddress, OperationName, Result, AccountUPN, InitiatedBy, AdditionalDetails, TargetResources, AccountObjectId, InitiatorId, CorrelationId\\n| extend\\n InitiatorName = tostring(split(Initiator, \\\"@\\\")[0]),\\n InitiatorUPNSuffix = tostring(split(Initiator, \\\"@\\\")[1]),\\n AccountName = tostring(split(AccountUPN, \\\"@\\\")[0]),\\n AccountUPNSuffix = tostring(split(AccountUPN, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Initiator\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatorName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatorUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountUPN\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Suspicious modification of Global Administrator user properties\",\"description\":\"This query will detect if user properties of Global Administrator are updated by an existing user. Usually only user administrator or other global administrator can update such properties.\\nInvestigate if such user change is an attempt to elevate an existing low privileged identity or rogue administrator activity\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-08-09T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"IdentityInfo\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/30c8b802-ace1-4408-bc29-4c5c5afb49e1\",\"name\":\"30c8b802-ace1-4408-bc29-4c5c5afb49e1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"Medium\",\"query\":\"imProcess\\n| where EventType =~ \\\"ProcessCreated\\\"\\n| where Process endswith \\\"svchost.exe\\\"\\n| where CommandLine has \\\"-k GPSvcGroup\\\" or CommandLine has \\\"-s gpsvc\\\"\\n| extend timekey = bin(TimeGenerated, 1m)\\n| project timekey, ActingProcessId, Dvc\\n| join kind=inner (\\n imProcess\\n | where EventType =~ \\\"ProcessCreated\\\"\\n | where Process =~ \\\"sdelete.exe\\\" or CommandLine has \\\"sdelete\\\"\\n | where ActingProcessName endswith \\\"svchost.exe\\\"\\n | where CommandLine has_all (\\\"-s\\\", \\\"-r\\\")\\n | extend timekey = bin(TimeGenerated, 1m)\\n ) \\n on $left.ActingProcessId == $right.ParentProcessId, timekey, Dvc\\n| extend AccountName = tostring(split(ActorUsername, @\u0027\\\\\u0027)[1]), AccountNTDomain = tostring(split(ActorUsername, @\u0027\\\\\u0027)[0])\\n| extend HostName = tostring(split(Dvc, \\\".\\\")[0]), DomainIndex = toint(indexof(Dvc, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Dvc, DomainIndex + 1), Dvc)\\n| project-away DomainIndex\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ActorUsername\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Dvc\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DvcIpAddr\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Sdelete deployed via GPO and run recursively (ASIM Version)\",\"description\":\"This query looks for the Sdelete process being run recursively after being deployed to a host via GPO. Attackers could use this technique to deploy Sdelete to multiple host and delete data on them.\\n This query uses the Advanced Security Information Model. Parsers will need to be deployed before use: https://docs.microsoft.com/azure/sentinel/normalization\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2022-03-01T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3d023f64-8225-41a2-9570-2bd7c2c4535e\",\"name\":\"3d023f64-8225-41a2-9570-2bd7c2c4535e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1DT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.3\",\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\nlet spanoftime = 10m;\\nlet threshold = 0;\\n (union isfuzzy=true\\n (SecurityEvent\\n | where TimeGenerated \u003e ago(timeframe+spanoftime)\\n // A user account was enabled\\n | where EventID == 4722\\n | where AccountType =~ \\\"User\\\"\\n | where TargetAccount !endswith \\\"$\\\"\\n | project EnableTime = TimeGenerated, EnableEventID = EventID, EnableActivity = Activity, Computer = toupper(Computer), \\n TargetAccount = tolower(TargetAccount), TargetUserName, TargetDomainName, TargetSid, \\n AccountUsedToEnable = SubjectAccount, EnabledBySubjectUserName = SubjectUserName, EnabledBySubjectDomainName = SubjectDomainName, SIDofAccountUsedToEnable = SubjectUserSid, UserPrincipalName\\n ),\\n (\\n WindowsEvent\\n | where TimeGenerated \u003e ago(timeframe+spanoftime)\\n // A user account was enabled\\n | where EventID == 4722\\n | extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n | extend AccountType=case(EventData.SubjectUserName endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n | where AccountType =~ \\\"User\\\"\\n | extend SubjectAccount = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n | extend SubjectDomainName = tostring(EventData.SubjectDomainName), SubjectUserName = tostring(EventData.SubjectUserName)\\n | extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n | where TargetAccount !endswith \\\"$\\\"\\n | extend Activity=\\\"4722 - A user account was enabled.\\\"\\n | extend TargetUserName = tostring(EventData.TargetUserName), TargetDomainName = tostring(EventData.TargetDomainName) \\n | extend TargetSid = tostring(EventData.TargetSid)\\n | extend UserPrincipalName = tostring(EventData.UserPrincipalName)\\n | project EnableTime = TimeGenerated, EnableEventID = EventID, EnableActivity = Activity, Computer = toupper(Computer), \\n TargetAccount = tolower(TargetAccount), TargetUserName, TargetDomainName, TargetSid, \\n AccountUsedToEnable = SubjectAccount, EnabledBySubjectUserName = SubjectUserName, EnabledBySubjectDomainName = SubjectDomainName, SIDofAccountUsedToEnable = SubjectUserSid, UserPrincipalName\\n )\\n )\\n| join kind= inner (\\n (union isfuzzy=true\\n (SecurityEvent\\n | where TimeGenerated \u003e ago(timeframe)\\n // A user account was disabled\\n | where EventID == 4725\\n | where AccountType =~ \\\"User\\\"\\n | project DisableTime = TimeGenerated, DisableEventID = EventID, DisableActivity = Activity, Computer = toupper(Computer), \\n TargetAccount = tolower(TargetAccount), TargetUserName, TargetDomainName, TargetSid, \\n AccountUsedToDisable = SubjectAccount, DisabledBySubjectUserName = SubjectUserName, DisabledBySubjectDomainName = SubjectDomainName, SIDofAccountUsedToDisable = SubjectUserSid, UserPrincipalName\\n ),\\n (WindowsEvent\\n | where TimeGenerated \u003e ago(timeframe)\\n // A user account was disabled\\n | where EventID == 4725\\n | extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n | extend AccountType=case(EventData.SubjectUserName endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n | where AccountType =~ \\\"User\\\"\\n | extend SubjectAccount = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n | extend SubjectDomainName = tostring(EventData.SubjectDomainName), SubjectUserName = tostring(EventData.SubjectUserName)\\n | extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n | extend TargetUserName = tostring(EventData.TargetUserName), TargetDomainName = tostring(EventData.TargetDomainName) \\n | extend TargetSid = tostring(EventData.TargetSid)\\n | extend UserPrincipalName = tostring(EventData.UserPrincipalName)\\n | extend Activity = \\\"4725 - A user account was disabled.\\\"\\n | project DisableTime = TimeGenerated, DisableEventID = EventID, DisableActivity = Activity, Computer = toupper(Computer), \\n TargetAccount = tolower(TargetAccount), TargetUserName, TargetDomainName, TargetSid, \\n AccountUsedToDisable = SubjectAccount, DisabledBySubjectUserName = SubjectUserName, DisabledBySubjectDomainName = SubjectDomainName, SIDofAccountUsedToDisable = SubjectUserSid, UserPrincipalName\\n )\\n )\\n) on Computer, TargetAccount\\n| where DisableTime - EnableTime \u003c spanoftime\\n| extend TimeDelta = DisableTime - EnableTime\\n| where tolong(TimeDelta) \u003e= threshold\\n| project TimeDelta, EnableTime, EnableEventID, EnableActivity, Computer, TargetAccount, TargetSid, TargetUserName, TargetDomainName, UserPrincipalName, \\nAccountUsedToEnable, SIDofAccountUsedToEnable, DisableTime, DisableEventID, DisableActivity, AccountUsedToDisable, SIDofAccountUsedToDisable, \\nEnabledBySubjectUserName, EnabledBySubjectDomainName, DisabledBySubjectUserName, DisabledBySubjectDomainName\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| project-away DomainIndex\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountUsedToEnable\"},{\"identifier\":\"Name\",\"columnName\":\"EnabledBySubjectUserName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"EnabledBySubjectDomainName\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountUsedToDisable\"},{\"identifier\":\"Name\",\"columnName\":\"DisabledBySubjectUserName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"DisabledBySubjectDomainName\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetAccount\"},{\"identifier\":\"Name\",\"columnName\":\"TargetUserName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"TargetDomainName\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Sid\",\"columnName\":\"TargetSid\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"User account enabled and disabled within 10 mins\",\"description\":\"Identifies when a user account is enabled and then disabled within 10 minutes. This can be an indication of compromise and an adversary attempting to hide in the noise.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/779731f7-8ba0-4198-8524-5701b7defddc\",\"name\":\"779731f7-8ba0-4198-8524-5701b7defddc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"Medium\",\"query\":\"let Alert_List= dynamic([\\n\\\"Phishing link click observed in Network Traffic\\\",\\n\\\"Phish delivered due to an IP allow policy\\\",\\n\\\"A potentially malicious URL click was detected\\\",\\n\\\"High Risk Sign-in Observed in Network Traffic\\\",\\n\\\"A user clicked through to a potentially malicious URL\\\",\\n\\\"Suspicious network connection to AitM phishing site\\\",\\n\\\"Messages containing malicious entity not removed after delivery\\\",\\n\\\"Email messages containing malicious URL removed after delivery\\\",\\n\\\"Email reported by user as malware or phish\\\",\\n\\\"Phish delivered due to an ETR override\\\",\\n\\\"Phish not zapped because ZAP is disabled\\\"]);\\nSecurityAlert\\n| where AlertName in~ (Alert_List)\\n//Findling Alerts which has the URL\\n| where Entities has \\\"url\\\"\\n//extracting Entities\\n| extend Entities = parse_json(Entities)\\n| mv-apply Entity = Entities on\\n (\\n where Entity.Type == \u0027url\u0027\\n | extend EntityUrl = tostring(Entity.Url)\\n )\\n| summarize\\n Url=tostring(tolower(take_any(EntityUrl))),\\n AlertTime= min(TimeGenerated),\\n make_set(SystemAlertId, 100)\\n by ProductName, AlertName\\n// matching with 3rd party network logs and 3p Alerts\\n| join kind= inner (CommonSecurityLog\\n | where DeviceVendor has_any (\\\"Palo Alto Networks\\\", \\\"Fortinet\\\", \\\"Check Point\\\", \\\"Zscaler\\\")\\n | where DeviceProduct startswith \\\"FortiGate\\\" or DeviceProduct startswith \\\"PAN\\\" or DeviceProduct startswith \\\"VPN\\\" or DeviceProduct startswith \\\"FireWall\\\" or DeviceProduct startswith \\\"NSSWeblog\\\" or DeviceProduct startswith \\\"URL\\\"\\n | where DeviceAction != \\\"Block\\\"\\n | where isnotempty(RequestURL)\\n | project\\n 3plogTime=TimeGenerated,\\n DeviceVendor,\\n DeviceProduct,\\n Activity,\\n DestinationHostName,\\n DestinationIP,\\n RequestURL=tostring(tolower(RequestURL)),\\n MaliciousIP,\\n SourceUserName=tostring(tolower(SourceUserName)),\\n IndicatorThreatType,\\n ThreatSeverity,\\n ThreatConfidence,\\n SourceUserID,\\n SourceHostName)\\n on $left.Url == $right.RequestURL\\n// matching successful Login from suspicious IP\\n| join kind=inner (SigninLogs\\n //filtering the Successful Login\\n | where ResultType == 0\\n | project\\n IPAddress,\\n SourceSystem,\\n SigniningTime= TimeGenerated,\\n OperationName,\\n ResultType,\\n ResultDescription,\\n AlternateSignInName,\\n AppDisplayName,\\n AuthenticationRequirement,\\n ClientAppUsed,\\n RiskState,\\n RiskLevelDuringSignIn,\\n UserPrincipalName=tostring(tolower(UserPrincipalName)),\\n Name = tostring(split(UserPrincipalName, \\\"@\\\")[0]),\\n UPNSuffix =tostring(split(UserPrincipalName, \\\"@\\\")[1]))\\n on $left.DestinationIP == $right.IPAddress and $left.SourceUserName == $right.UserPrincipalName\\n| where SigniningTime between ((AlertTime - 6h) .. (AlertTime + 6h)) and 3plogTime between ((AlertTime - 6h) .. (AlertTime + 6h))\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DestinationIP\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"DestinationHostName\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SourceSystem\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"RequestURL\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"M365D Alerts Correlation to non-Microsoft Network device network activity involved in successful sign-in Activity\",\"description\":\"This content is employed to correlate with Microsoft Defender XDR phishing-related alerts. It focuses on instances where a user successfully connects to a phishing URL from a non-Microsoft network device and subsequently makes successful sign-in attempts from the phishing IP address.\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2023-05-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"OfficeATP\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog (Fortinet)\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog (CheckPoint)\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog (Zscaler)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2a09f8cb-deb7-4c40-b08b-9137667f1c0b\",\"name\":\"2a09f8cb-deb7-4c40-b08b-9137667f1c0b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Low\",\"query\":\"AuditLogs\\n | where OperationName in (\\\"Add eligible member (permanent)\\\", \\\"Add eligible member (eligible)\\\", \\\"Add member to role\\\")\\n | mv-apply TargetResource = TargetResources on \\n (\\n where TargetResource.type =~ \\\"User\\\"\\n | extend Target = tostring(TargetResource.userPrincipalName),\\n props = TargetResource.modifiedProperties\\n )\\n | mv-apply Property = props on \\n (\\n where Property.displayName =~ \\\"Role.DisplayName\\\"\\n | extend RoleName = trim(\u0027\\\"\u0027,tostring(Property.newValue))\\n )\\n | where RoleName contains \\\"admin\\\"\\n | extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n | extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n | extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n | extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n | extend InitiatingIPAddress = tostring(InitiatedBy.user.ipAddress)\\n | extend InitiatedBy = iif(isnotempty(InitiatingAppName), InitiatingAppName, InitiatingUserPrincipalName)\\n | extend TargetUserPrincipalName = iff(OperationName==\\\"Add member to role\\\",tostring(TargetResources[0].userPrincipalName),tostring(TargetResources[2].userPrincipalName))\\n | extend TargetAadUserId = iff(OperationName==\\\"Add member to role\\\", tostring(TargetResources[0].id), tostring(TargetResources[2].id))\\n | extend AddedUser = TargetUserPrincipalName\\n | extend TargetAccountName = tostring(split(TargetUserPrincipalName, \\\"@\\\")[0]), TargetAccountUPNSuffix = tostring(split(TargetUserPrincipalName, \\\"@\\\")[1])\\n | extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[1])\\n | project-reorder TimeGenerated, AddedUser, RoleName, InitiatedBy\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"TargetAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"TargetAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"TargetAadUserId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatingAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatingAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"User Added to Admin Role\",\"description\":\"Detects a user being added to a new privileged role. Monitor these additions to ensure the users are made eligible for these roles are intended to have these levels of access.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts\",\"lastUpdatedDateUTC\":\"2024-03-27T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/979c42dd-533e-4ede-b18b-31a84ba8b3d6\",\"name\":\"979c42dd-533e-4ede-b18b-31a84ba8b3d6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"High\",\"query\":\"Event\\n| where EventLog == \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID in (13)\\n| parse EventData with * \u0027ProcessId\\\"\u003e\u0027 ProcessId \\\"\u003c\\\"* \u0027Image\\\"\u003e\u0027 Image \\\"\u003c\\\" * \u0027TargetObject\\\"\u003e\u0027 TargetObject \\\"\u003c\\\" * \u0027Details\\\"\u003e\u0027 Details \\\"\u003c\\\" * \u0027User\\\"\u003e\u0027 User \\\"\u003c\\\" * \\n| where TargetObject has (\\\"HKLM\\\\\\\\System\\\\\\\\CurrentControlSet\\\\\\\\Control\\\\\\\\Lsa\\\\\\\\DsrmAdminLogonBehavior\\\") and Details == \\\"DWORD (0x00000002)\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, User, ProcessId, Image, TargetObject, Details, _ResourceId\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| extend AccountName = tostring(split(User, \\\"\\\\\\\\\\\")[1]), AccountNTDomain = tostring(split(User, \\\"\\\\\\\\\\\")[0])\\n| extend ImageFileName = tostring(split(Image, \\\"\\\\\\\\\\\")[-1])\\n| extend ImageDirectory = replace_string(Image, ImageFileName, \\\"\\\")\\n| project-away DomainIndex\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"User\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessId\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"ImageFileName\"},{\"identifier\":\"Directory\",\"columnName\":\"ImageDirectory\"}]},{\"entityType\":\"RegistryKey\",\"fieldMappings\":[{\"identifier\":\"Key\",\"columnName\":\"TargetObject\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"DSRM Account Abuse\",\"description\":\"This query detects an abuse of the DSRM account in order to maintain persistence and access to the organization\u0027s Active Directory.\\nRef: https://adsecurity.org/?p=1785\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2022-03-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6c360107-f3ee-4b91-9f43-f4cfd90441cf\",\"name\":\"6c360107-f3ee-4b91-9f43-f4cfd90441cf\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.2\",\"severity\":\"Low\",\"query\":\"union isfuzzy=true\\n(\\n SecurityEvent\\n | where EventID == 4738\\n // 2089 value indicates the Don\u0027t Expire Password value has been set\\n | where UserAccountControl has \\\"%%2089\\\"\\n | extend Value_2089 = iff(UserAccountControl has \\\"%%2089\\\",\\\"\u0027Don\u0027t Expire Password\u0027 - Enabled\\\", \\\"Not Changed\\\")\\n // 2050 indicates that the Password Not Required value is NOT set, this often shows up at the same time as a 2089 and is the recommended value. This value may not be in the event.\\n | extend Value_2050 = iff(UserAccountControl has \\\"%%2050\\\",\\\"\u0027Password Not Required\u0027 - Disabled\\\", \\\"Not Changed\\\")\\n // If value %%2082 is present in the 4738 event, this indicates the account has been configured to logon WITHOUT a password. Generally you should only see this value when an account is created and only in Event 4720: Account Creation Event.\\n | extend Value_2082 = iff(UserAccountControl has \\\"%%2082\\\",\\\"\u0027Password Not Required\u0027 - Enabled\\\", \\\"Not Changed\\\")\\n | project StartTime = TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, \\n AccountType, UserAccountControl, Value_2089, Value_2050, Value_2082, SubjectAccount, SubjectUserName, SubjectDomainName, SubjectUserSid\\n ),\\n (\\n WindowsEvent\\n | where EventID == 4738 and EventData has \u00272089\u0027\\n // 2089 value indicates the Don\u0027t Expire Password value has been set\\n | extend UserAccountControl = tostring(EventData.UserAccountControl)\\n | where UserAccountControl has \\\"%%2089\\\"\\n | extend Value_2089 = iff(UserAccountControl has \\\"%%2089\\\",\\\"\u0027Don\u0027t Expire Password\u0027 - Enabled\\\", \\\"Not Changed\\\")\\n // 2050 indicates that the Password Not Required value is NOT set, this often shows up at the same time as a 2089 and is the recommended value. This value may not be in the event.\\n | extend Value_2050 = iff(UserAccountControl has \\\"%%2050\\\",\\\"\u0027Password Not Required\u0027 - Disabled\\\", \\\"Not Changed\\\")\\n // If value %%2082 is present in the 4738 event, this indicates the account has been configured to logon WITHOUT a password. Generally you should only see this value when an account is created and only in Event 4720: Account Creation Event.\\n | extend Value_2082 = iff(UserAccountControl has \\\"%%2082\\\",\\\"\u0027Password Not Required\u0027 - Enabled\\\", \\\"Not Changed\\\")\\n | extend Activity=\\\"4738 - A user account was changed.\\\"\\n | extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n | extend TargetSid = tostring(EventData.TargetSid)\\n | extend SubjectAccount = strcat(EventData.SubjectDomainName,\\\"\\\\\\\\\\\", EventData.SubjectUserName)\\n | extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n | extend AccountType=case(SubjectAccount endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n | project StartTime = TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetUserName = tostring(EventData.TargetUserName), TargetDomainName = tostring(EventData.TargetDomainName), TargetSid, \\n AccountType, UserAccountControl, Value_2089, Value_2050, Value_2082, SubjectAccount, SubjectDomainName = tostring(EventData.SubjectDomainName), SubjectUserName = tostring(EventData.SubjectUserName), SubjectUserSid = tostring(EventData.SubjectUserSid)\\n )\\n | extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n | extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n | project-away DomainIndex\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetAccount\"},{\"identifier\":\"Name\",\"columnName\":\"TargetUserName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"TargetDomainName\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Sid\",\"columnName\":\"TargetSid\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SubjectAccount\"},{\"identifier\":\"Name\",\"columnName\":\"SubjectUserName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"SubjectDomainName\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Sid\",\"columnName\":\"SubjectUserSid\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"AD account with Don\u0027t Expire Password\",\"description\":\"Identifies whenever a user account has the setting \\\"Password Never Expires\\\" in the user account properties selected.\\nThis is indicated in Security event 4738 in the EventData item labeled UserAccountControl with an included value of %%2089.\\n%%2089 resolves to \\\"Don\u0027t Expire Password - Enabled\\\".\",\"lastUpdatedDateUTC\":\"2024-01-22T00:00:00Z\",\"createdDateUTC\":\"2019-01-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6267ce44-1e9d-471b-9f1e-ae76a6b7aa84\",\"name\":\"6267ce44-1e9d-471b-9f1e-ae76a6b7aa84\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Medium\",\"query\":\"let Alerts = SecurityAlert\\n| where AlertName =~ \\\"mass download by a single user\\\"\\n| where Status != \u0027Resolved\u0027\\n| extend ipEnt = parse_json(Entities), accountEnt = parse_json(Entities)\\n| mv-apply tempParams = ipEnt on (\\nmv-expand ipEnt\\n| where ipEnt.Type == \\\"ip\\\" \\n| extend IpAddress = tostring(ipEnt.Address)\\n)\\n| mv-apply tempParams = accountEnt on (\\nmv-expand accountEnt\\n| where accountEnt.Type == \\\"account\\\"\\n| extend AADUserId = tostring(accountEnt.AadUserId)\\n)\\n| extend Alert_TimeGenerated = TimeGenerated\\n| distinct Alert_TimeGenerated, IpAddress, AADUserId, DisplayName, Description, ProductName, ExtendedProperties, Entities, Status, CompromisedEntity\\n;\\nlet CA_Events = CloudAppEvents\\n| where ActionType == \\\"FileDownloaded\\\"\\n| extend parsed = parse_json(RawEventData)\\n| extend UserId = tostring(parsed.UserId)\\n| extend FileName = tostring(parsed.SourceFileName)\\n| extend FileExtension = tostring(parsed.SourceFileExtension)\\n| summarize CloudAppEvent_StartTime = min(TimeGenerated), CloudAppEvent_EndTime = max(TimeGenerated), CloudAppEvent_Files = make_set(FileName), FileCount = dcount(FileName) by Application, AccountObjectId, UserId, IPAddress, City, CountryCode\\n| extend CloudAppEvents_Details = pack_all();\\nlet CA_Alerts_Events = Alerts | join kind=inner (CA_Events)\\non $left.AADUserId == $right.AccountObjectId and $left.IpAddress == $right.IPAddress\\n// Cloud app event comes before Alert\\n| where CloudAppEvent_EndTime \u003c= Alert_TimeGenerated\\n| project Alert_TimeGenerated, UserId, AADUserId, IPAddress, CloudAppEvents_Details, CloudAppEvent_Files\\n;\\n// setup list to filter DeviceFileEvents for only files downloaded as indicated by CloudAppEvents\\nlet CA_FileList = CA_Alerts_Events | project CloudAppEvent_Files;\\nCA_Alerts_Events\\n| join kind=inner ( DeviceFileEvents\\n| where ActionType in (\\\"FileCreated\\\", \\\"FileRenamed\\\")\\n| where FileName in~ (CA_FileList)\\n| summarize DeviceFileEvent_StartTime = min(TimeGenerated), DeviceFileEvent_EndTime = max(TimeGenerated), DeviceFileEvent_Files = make_set(FolderPath), DeviceFileEvent_FileCount = dcount(FolderPath) by InitiatingProcessAccountUpn, DeviceId, DeviceName, InitiatingProcessFolderPath, InitiatingProcessParentFileName//, InitiatingProcessCommandLine\\n| extend DeviceFileEvents_Details = pack_all()\\n) on $left.UserId == $right.InitiatingProcessAccountUpn\\n| where DeviceFileEvent_StartTime \u003e= Alert_TimeGenerated\\n| join kind=inner (\\n// get device events where a USB drive was mounted\\nDeviceEvents\\n| where ActionType == \\\"UsbDriveMounted\\\"\\n| extend parsed = parse_json(AdditionalFields)\\n| extend USB_DriveLetter = tostring(AdditionalFields.DriveLetter), USB_ProductName = tostring(AdditionalFields.ProductName), USB_Volume = tostring(AdditionalFields.Volume)\\n| where isnotempty(USB_DriveLetter)\\n| project USB_TimeGenerated = TimeGenerated, DeviceId, USB_DriveLetter, USB_ProductName, USB_Volume\\n| extend USB_Details = pack_all()\\n) \\non DeviceId\\n// USB event occurs after the Alert\\n| where USB_TimeGenerated \u003e= Alert_TimeGenerated\\n| mv-expand DeviceFileEvent_Files\\n| extend DeviceFileEvent_Files = tostring(DeviceFileEvent_Files)\\n// make sure that we only pickup the files that have the USB drive letter\\n| where DeviceFileEvent_Files startswith USB_DriveLetter\\n| summarize USB_Drive_MatchedFiles = make_set_if(DeviceFileEvent_Files, DeviceFileEvent_Files startswith USB_DriveLetter) by Alert_TimeGenerated, USB_TimeGenerated, UserId, AADUserId, DeviceId, DeviceName, IPAddress, CloudAppEvents_Details = tostring(CloudAppEvents_Details), DeviceFileEvents_Details = tostring(DeviceFileEvents_Details), USB_Details = tostring(USB_Details)\\n| extend InitiatingProcessFileName = tostring(split(todynamic(DeviceFileEvents_Details).InitiatingProcessFolderPath, \\\"\\\\\\\\\\\")[-1]), InitiatingProcessFolderPath = tostring(todynamic(DeviceFileEvents_Details).InitiatingProcessFolderPath)\\n| extend HostName = tostring(split(DeviceName, \\\".\\\")[0]), DomainIndex = toint(indexof(DeviceName, \u0027.\u0027))\\n| extend HostNameDomain = iff(DeviceName != -1, substring(DeviceName, DomainIndex + 1), DeviceName)\\n| extend AccountName = tostring(split(UserId, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(UserId, \\\"@\\\")[1])\\n| project-away DomainIndex\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserId\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"AADUserId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DeviceName\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"InitiatingProcessFileName\"},{\"identifier\":\"Directory\",\"columnName\":\"InitiatingProcessFolderPath\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"Mass Download \u0026 copy to USB device by single user\",\"description\":\"This query looks for any mass download by a single user with possible file copy activity to a new USB drive. Malicious insiders may perform such activities that may cause harm to the organization. \\nThis query could also reveal unintentional insider that had no intention of malicious activity but their actions may impact an organizations security posture.\\nReference:https://docs.microsoft.com/defender-cloud-apps/policy-template-reference\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2022-04-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftCloudAppSecurity\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"CloudAppEvents\",\"DeviceEvents\",\"DeviceFileEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ce74dc9a-cb3c-4081-8c2f-7d39f6b7bae1\",\"name\":\"ce74dc9a-cb3c-4081-8c2f-7d39f6b7bae1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"High\",\"query\":\"(union isfuzzy=true\\n(SecurityEvent\\n| where EventID == 4688\\n| where Process has_any (\\\"powershell.exe\\\",\\\"powershell_ise.exe\\\",\\\"pwsh.exe\\\") and CommandLine has_cs \\\"-exec bypass -w 1 -enc\\\"\\n| where CommandLine contains_cs \\\"UwB0AGEAcgB0AC0ASgBvAGIAIAAtAFMAYwByAGkAcAB0AEIAbABvAGMAawAgAHsAKABzAGEAcABzACAAKAAiAHAA\\\"\\n| extend DvcHostname = Computer, ProcessId = tostring(ProcessId), ActorUsername = Account\\n),\\n(DeviceProcessEvents\\n| where FileName =~ \\\"powershell.exe\\\" and ProcessCommandLine has_cs \\\"-exec bypass -w 1 -enc\\\"\\n| where ProcessCommandLine contains_cs \\\"UwB0AGEAcgB0AC0ASgBvAGIAIAAtAFMAYwByAGkAcAB0AEIAbABvAGMAawAgAHsAKABzAGEAcABzACAAKAAiAHAA\\\"\\n| extend DvcHostname = DeviceName, ProcessId = tostring(InitiatingProcessId), ActorUsername = strcat(AccountDomain, @\\\"\\\\\\\", AccountName)\\n),\\n(imProcessCreate\\n| where Process has_any (\\\"powershell.exe\\\",\\\"powershell_ise.exe\\\",\\\"pwsh.exe\\\") and CommandLine has_cs \\\"-exec bypass -w 1 -enc\\\"\\n| where CommandLine contains_cs \\\"UwB0AGEAcgB0AC0ASgBvAGIAIAAtAFMAYwByAGkAcAB0AEIAbABvAGMAawAgAHsAKABzAGEAcABzACAAKAAiAHAA\\\"\\n| extend ProcessId = tostring(TargetProcessId)\\n)\\n)\\n| extend AccountName = tostring(split(ActorUsername, \\\"\\\\\\\\\\\")[0]), AccountNTDomain = tostring(split(ActorUsername, \\\"\\\\\\\\\\\")[1])\\n| extend HostName = tostring(split(DvcHostname, \\\".\\\")[0]), DomainIndex = toint(indexof(DvcHostname, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(DvcHostname, DomainIndex + 1), DvcHostname)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ActorUsername\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DvcHostname\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessId\"}]}],\"tactics\":[\"LateralMovement\"],\"displayName\":\"Identify Mango Sandstorm powershell commands\",\"description\":\"The query below identifies powershell commands used by the threat actor Mango Sandstorm.\\nReference: https://www.microsoft.com/security/blog/2022/08/25/mercury-leveraging-log4j-2-vulnerabilities-in-unpatched-systems-to-target-israeli-organizations/\",\"lastUpdatedDateUTC\":\"2024-11-25T00:00:00Z\",\"createdDateUTC\":\"2022-08-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/58fc0170-0877-4ea8-a9ff-d805e361cfae\",\"name\":\"58fc0170-0877-4ea8-a9ff-d805e361cfae\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Low\",\"query\":\"let schedule_lookback = 14d;\\nlet join_lookback = 1d;\\n// If you want to whitelist specific timezones include them in a list here\\nlet tz_whitelist = dynamic([]);\\nlet meetings = (\\nZoomLogs\\n| where TimeGenerated \u003e= ago(schedule_lookback)\\n| where Event =~ \\\"meeting.created\\\"\\n| extend MeetingId = tostring(parse_json(MeetingEvents).MeetingId)\\n| extend SchedTimezone = tostring(parse_json(MeetingEvents).Timezone));\\nZoomLogs\\n| where TimeGenerated \u003e= ago(join_lookback)\\n| where Event =~ \\\"meeting.participant_joined\\\"\\n| extend JoinedTimeZone = tostring(parse_json(MeetingEvents).Timezone)\\n| extend MeetingName = tostring(parse_json(MeetingEvents).MeetingName)\\n| extend MeetingId = tostring(parse_json(MeetingEvents).MeetingId)\\n| where JoinedTimeZone !in (tz_whitelist)\\n| join (meetings) on MeetingId\\n| where SchedTimezone != JoinedTimeZone\\n| project TimeGenerated, MeetingName, JoiningUser=payload_object_participant_user_name_s, JoinedTimeZone, SchedTimezone, MeetingScheduler=User1\\n| extend AccountName = tostring(split(JoiningUser, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(JoiningUser, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"JoiningUser\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]}],\"tactics\":[\"InitialAccess\",\"PrivilegeEscalation\"],\"displayName\":\"User joining Zoom meeting from suspicious timezone\",\"description\":\"The alert shows users that join a Zoom meeting from a time zone other than the one the meeting was created in.\\nYou can also whitelist known good time zones in the tz_whitelist value using the tz database name format https://en.wikipedia.org/wiki/List_of_tz_database_time_zones\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2020-04-24T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ffcd575b-3d54-482a-a6d8-d0de13b6ac63\",\"name\":\"ffcd575b-3d54-482a-a6d8-d0de13b6ac63\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.6\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @\u0027^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$\u0027;\\nThreatIntelligenceIndicator\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n| where TimeGenerated \u003e= ago(ioc_lookBack)\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true and ExpirationDateTime \u003e now()\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n CommonSecurityLog | where TimeGenerated \u003e= ago(dt_lookBack) and isnotempty(DestinationUserID)\\n // Filtering PAN Logs for specific event type to match relevant email entities\\n | where DeviceVendor == \\\"Palo Alto Networks\\\" and DeviceEventClassID == \\\"wildfire\\\" and ApplicationProtocol in (\\\"smtp\\\",\\\"pop3\\\")\\n | extend DestinationUserID = tolower(DestinationUserID)\\n | where DestinationUserID matches regex emailregex\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n)\\non $left.EmailSenderAddress == $right.DestinationUserID\\n| where CommonSecurityLog_TimeGenerated \u003c ExpirationDateTime\\n| summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, DestinationUserID\\n| project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, EmailSenderName, EmailRecipient,\\nEmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, DestinationUserID, DeviceEventClassID, LogSeverity, DeviceAction, SourceIP, SourcePort,\\nDestinationIP, DestinationPort, Protocol, ApplicationProtocol\\n| extend timestamp = CommonSecurityLog_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"DestinationUserID\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"TI map Email entity to PaloAlto CommonSecurityLog\",\"description\":\"Identifies a match in CommonSecurityLog table from any Email IOC from TI\",\"lastUpdatedDateUTC\":\"2024-07-10T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8ee967a2-a645-4832-85f4-72b635bcb3a6\",\"name\":\"8ee967a2-a645-4832-85f4-72b635bcb3a6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.2\",\"severity\":\"Medium\",\"query\":\"//Adjust this threshold to fit the environment\\nlet signin_threshold = 5;\\n//Make a list of all IPs with failed signins to AAD above our threshold\\nlet aadFunc = (tableName:string){\\nlet suspicious_signins =\\ntable(tableName)\\n| where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n| where IPAddress !in (\u0027127.0.0.1\u0027, \u0027::1\u0027, \u0027\u0027)\\n| summarize count() by IPAddress\\n| where count_ \u003e signin_threshold\\n| summarize make_set(IPAddress);\\n//See if any of these IPs have sucessfully logged into *nix hosts\\nlet linux_logons =\\nSyslog\\n| where Facility contains \\\"auth\\\" and ProcessName != \\\"sudo\\\"\\n| where SyslogMessage has \\\"Accepted\\\"\\n| extend SourceIP = extract(\\\"(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.(([0-9]{1,3})))\\\",1,SyslogMessage)\\n| where SourceIP in (suspicious_signins)\\n| extend Reason = \\\"Multiple failed AAD logins from IP address\\\"\\n| project TimeGenerated, Computer, HostIP, IpAddress = SourceIP, SyslogMessage, Facility, ProcessName, Reason;\\n//See if any of these IPs have sucessfully logged into Windows hosts\\nlet win_logons = (union isfuzzy=true\\n(SecurityEvent\\n| where EventID == 4624\\n| where LogonType in (10, 7, 3)\\n| where IpAddress != \\\"-\\\"\\n| where IpAddress in (suspicious_signins)\\n| extend Reason = \\\"Multiple failed AAD logins from IP address\\\"\\n| project TimeGenerated, Account, AccountType, Computer, Activity, EventID, LogonProcessName, IpAddress, LogonTypeName, TargetUserSid, TargetUserName, TargetDomainName, _ResourceId, Reason\\n),\\n(WindowsEvent\\n| where EventID == 4624 and has_any_ipv4(EventData, toscalar(suspicious_signins))\\n| extend LogonType = tostring(EventData.LogonType)\\n| where LogonType in (10, 7, 3)\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| where IpAddress != \\\"-\\\"\\n| where IpAddress in (suspicious_signins)\\n| extend Reason = \\\"Multiple failed AAD logins from IP address\\\"\\n| extend Activity = \\\"4624 - An account was successfully logged on.\\\"\\n| extend TargetUserName = tostring(EventData.TargetUserName), TargetDomainName = tostring(EventData.TargetDomainName)\\n| extend Account = strcat(TargetDomainName,\\\"\\\\\\\\\\\", TargetUserName)\\n| extend TargetUserSid = tostring(EventData.TargetUserSid)\\n| extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| extend AccountType =case(Account endswith \\\"$\\\" or TargetUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(TargetUserSid), \\\"\\\", \\\"User\\\")\\n| extend LogonProcessName = tostring(EventData.LogonProcessName)\\n| project TimeGenerated, Account, AccountType, Computer, Activity, EventID, LogonProcessName, IpAddress, TargetUserSid, TargetUserName, TargetDomainName, _ResourceId, Reason\\n)\\n);\\nunion isfuzzy=true linux_logons,win_logons\\n| extend timestamp = TimeGenerated\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex+1), Computer)\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"},{\"identifier\":\"Name\",\"columnName\":\"TargetUserName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"TargetDomainName\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"AzureID\",\"columnName\":\"_ResourceId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]}],\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"Failed AzureAD logons but success logon to host\",\"description\":\"Identifies a list of IP addresses with a minimum number (default of 5) of failed logon attempts to Microsoft Entra ID.\\nUses that list to identify any successful remote logons to hosts from these IPs within the same timeframe.\",\"lastUpdatedDateUTC\":\"2024-10-17T00:00:00Z\",\"createdDateUTC\":\"2019-08-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a09a0b8e-30fe-4ebf-94a0-cffe50f579cd\",\"name\":\"a09a0b8e-30fe-4ebf-94a0-cffe50f579cd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n | where OperationName =~ \\\"Update user\\\"\\n | where Result =~ \\\"success\\\"\\n | mv-expand TargetResources\\n | mv-expand TargetResources.modifiedProperties\\n | where TargetResources_modifiedProperties.displayName =~ \\\"TargetId.UserType\\\"\\n | extend UpdatingAppName = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n | extend UpdatingServicePrincipalId = tostring(parse_json(tostring(InitiatedBy.app)).servicePrincipalId)\\n | extend UpdatingUserPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend UpdatingUserAadUserId = tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend UpdatingUserIPAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n | extend UpdatingUser = iif(isnotempty(UpdatingServicePrincipalId), UpdatingServicePrincipalId, UpdatingUserPrincipalName)\\n | extend UpdatedUserPrincipalName = tostring(TargetResources.userPrincipalName)\\n | project-reorder TimeGenerated, UpdatedUserPrincipalName, UpdatingUser\\n | where parse_json(tostring(TargetResources_modifiedProperties.newValue)) =~ \\\"\\\\\\\"Member\\\\\\\"\\\" and parse_json(tostring(TargetResources_modifiedProperties.oldValue)) =~ \\\"\\\\\\\"Guest\\\\\\\"\\\"\\n | extend InitiatingAccountName = tostring(split(UpdatingUserPrincipalName, \\\"@\\\")[0]), InitiatingAccountUPNSuffix = tostring(split(UpdatingUserPrincipalName, \\\"@\\\")[1])\\n | extend TargetAccountName = tostring(split(UpdatedUserPrincipalName, \\\"@\\\")[0]), TargetAccountUPNSuffix = tostring(split(UpdatedUserPrincipalName, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"UpdatingAppName\"},{\"identifier\":\"AadUserId\",\"columnName\":\"UpdatingServicePrincipalId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UpdatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatingAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatingAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"UpdatingUserAadUserId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UpdatedUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"TargetAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"TargetAccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"UpdatingUserIPAddress\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"User State changed from Guest to Member\",\"description\":\"Detects when a guest account in a tenant is converted to a member of the tenant.\\n Monitoring guest accounts and the access they are provided is important to detect potential account abuse.\\n Accounts converted to members should be investigated to ensure the activity was legitimate.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\",\"lastUpdatedDateUTC\":\"2023-12-30T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/dc99e38c-f4e9-4837-94d7-353ac0b01a77\",\"name\":\"dc99e38c-f4e9-4837-94d7-353ac0b01a77\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Low\",\"query\":\"let threshold = 10;\\nlet default_ad_attributes = dynamic([\\\"LastDirSyncTime\\\", \\\"StsRefreshTokensValidFrom\\\", \\\"Included Updated Properties\\\", \\\"AccountEnabled\\\", \\\"Action Client Name\\\", \\\"SourceAnchor\\\"]);\\nlet addUsers = AuditLogs\\n| where OperationName =~ \\\"Add user\\\"\\n| where Result =~ \\\"success\\\"\\n| extend AccountProperties = TargetResources[0].modifiedProperties\\n| mv-expand AccountProperties\\n;\\naddUsers\\n| evaluate bag_unpack(AccountProperties) : (displayName:string, oldValue: string, newValue: string , TenantId : string, SourceSystem : string, TimeGenerated : datetime, ResourceId : string, OperationName : string, OperationVersion : string, Category : string, ResultType : string, ResultSignature : string, ResultDescription : string, DurationMs : long, CorrelationId : string, Resource : string, ResourceGroup : string, ResourceProvider : string, Identity : string, Level : string, Location : string, AdditionalDetails : dynamic, Id : string, InitiatedBy : dynamic, LoggedByService : string, Result : string, ResultReason : string, TargetResources : dynamic, AADTenantId : string, ActivityDisplayName : string, ActivityDateTime : datetime, AADOperationType : string, Type : string)\\n| extend displayName = column_ifexists(\\\"displayName\\\", \\\"Unknown Value\\\")\\n| summarize count() by displayName, TenantId\\n| where displayName !in (default_ad_attributes)\\n| top threshold by count_ desc\\n| summarize make_set(displayName) by TenantId\\n| join kind=inner (\\naddUsers\\n| extend CreatingUserPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n| extend CreatingAadUserId = tostring(InitiatedBy.user.id)\\n| extend CreatingUserIPAddress = tostring(InitiatedBy.user.ipAddress)\\n| extend CreatedUserPrincipalName = tostring(TargetResources[0].userPrincipalName)\\n| extend PropName = tostring(AccountProperties.displayName)) \\non TenantId\\n| summarize makeset(PropName) by TimeGenerated, CorrelationId, CreatedUserPrincipalName, CreatingUserPrincipalName, CreatingAadUserId, CreatingUserIPAddress, tostring(set_displayName)\\n| extend missing_props = set_difference(todynamic(set_displayName), set_PropName)\\n| where array_length(missing_props) \u003e 0\\n| join kind=innerunique (\\nAuditLogs\\n| where Result =~ \\\"success\\\"\\n| where OperationName =~ \\\"Add user\\\"\\n| extend CreatedUserPrincipalName = tostring(TargetResources[0].userPrincipalName)) \\non CorrelationId, CreatedUserPrincipalName\\n| extend ExpectedProperties = set_displayName\\n| project-away set_displayName, set_PropName\\n| extend InitiatingAccountName = tostring(split(CreatingUserPrincipalName, \\\"@\\\")[0]), InitiatingAccountUPNSuffix = tostring(split(CreatingUserPrincipalName, \\\"@\\\")[1])\\n| extend TargetAccountName = tostring(split(CreatedUserPrincipalName, \\\"@\\\")[0]), TargetAccountUPNSuffix = tostring(split(CreatedUserPrincipalName, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CreatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatingAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatingAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"CreatingAadUserId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CreatedUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"TargetAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"TargetAccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"CreatingUserIPAddress\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"User account created without expected attributes defined\",\"description\":\"This query looks for accounts being created that do not have attributes populated that are commonly populated in the tenant.\\n Attackers may attempt to add accounts as a means of establishing persistant access to an environment, looking for anomalies in created accounts may help identify illegitimately created accounts.\\n Created accounts should be investigated to ensure they were legitimated created.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#accounts-not-following-naming-policies\",\"lastUpdatedDateUTC\":\"2023-12-30T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d9938c3b-16f9-444d-bc22-ea9a9110e0fd\",\"name\":\"d9938c3b-16f9-444d-bc22-ea9a9110e0fd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.3\",\"severity\":\"Medium\",\"query\":\"// Microsoft Entra ID Connect Health Agent - cf6d7e68-f018-4e0a-a7b3-126e053fb88d\\n// Microsoft Entra ID Connect - cb1056e2-e479-49de-ae31-7812af012ed8\\nlet appList = dynamic([\u0027cf6d7e68-f018-4e0a-a7b3-126e053fb88d\u0027,\u0027cb1056e2-e479-49de-ae31-7812af012ed8\u0027]);\\nlet operationNamesList = dynamic([\u0027Microsoft.ADHybridHealthService/services/servicemembers/action\u0027,\u0027Microsoft.ADHybridHealthService/services/delete\u0027]);\\nAzureActivity\\n| where CategoryValue =~ \u0027Administrative\u0027\\n| where ResourceProviderValue =~ \u0027Microsoft.ADHybridHealthService\u0027\\n| where _ResourceId has \u0027AdFederationService\u0027\\n| where OperationNameValue in~ (operationNamesList)\\n| extend claimsJson = parse_json(Claims)\\n| extend AppId = tostring(claimsJson.appid), AccountName = tostring(claimsJson.name), Name = tostring(split(Caller,\u0027@\u0027,0)[0]), UPNSuffix = tostring(split(Caller,\u0027@\u0027,1)[0])\\n| where AppId !in (appList)\\n| project-away claimsJson\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Caller\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"CallerIpAddress\"}]}],\"tactics\":[\"CredentialAccess\",\"DefenseEvasion\"],\"displayName\":\"Microsoft Entra ID Hybrid Health AD FS Suspicious Application\",\"description\":\"This detection uses AzureActivity logs (Administrative category) to identify a suspicious application adding a server instance to an Microsoft Entra ID Hybrid Health AD FS service or deleting the AD FS service instance.\\nUsually the Microsoft Entra ID Connect Health Agent application with ID cf6d7e68-f018-4e0a-a7b3-126e053fb88d and ID cb1056e2-e479-49de-ae31-7812af012ed8 is used to perform those operations.\",\"lastUpdatedDateUTC\":\"2024-03-04T00:00:00Z\",\"createdDateUTC\":\"2021-08-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/218f60de-c269-457a-b882-9966632b9dc6\",\"name\":\"218f60de-c269-457a-b882-9966632b9dc6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.7\",\"severity\":\"High\",\"query\":\"let AdminRecords = AuditLogs\\n| where Category =~ \\\"RoleManagement\\\"\\n| where ActivityDisplayName has_any (\\\"Add eligible member to role\\\", \\\"Add member to role\\\")\\n| mv-apply TargetResource = TargetResources on \\n (\\n where TargetResource.type =~ \\\"User\\\"\\n | extend TargetUserPrincipalName = tostring(TargetResource.userPrincipalName),\\n props = TargetResource.modifiedProperties\\n )\\n| mv-apply Property = props on \\n (\\n where Property.displayName =~ \\\"Role.DisplayName\\\"\\n | extend RoleName = trim(\u0027\\\"\u0027,tostring(Property.newValue))\\n )\\n| where RoleName contains \\\"Admin\\\";\\nAdminRecords\\n| summarize dcount(TargetUserPrincipalName) by bin(TimeGenerated, 1h)\\n| where dcount_TargetUserPrincipalName \u003e 9\\n| join kind=rightsemi (\\n AdminRecords\\n | extend TimeWindow = bin(TimeGenerated, 1h)\\n) on $left.TimeGenerated == $right.TimeWindow\\n| extend InitiatedByUser = iff(isnotempty(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.user.userPrincipalName), \\\"\\\")\\n| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n| extend InitiatingIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\\n| extend TargetName = tostring(split(TargetUserPrincipalName,\u0027@\u0027,0)[0]), TargetUPNSuffix = tostring(split(TargetUserPrincipalName,\u0027@\u0027,1)[0])\\n| extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[1])\",\"customDetails\":{\"InitiatedByUser\":\"InitiatedByUser\",\"TargetUser\":\"TargetUserPrincipalName\"},\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"InitiatingAppName\"},{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAppServicePrincipalId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"TargetName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"TargetUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatingAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatingAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIpAddress\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Bulk Changes to Privileged Account Permissions\",\"description\":\"Identifies when changes to multiple users permissions are changed at once. Investigate immediately if not a planned change. This setting could enable an attacker access to Azure subscriptions in your environment.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-identity-management\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c7bfadd4-34a6-4fa5-82f8-3691a32261e8\",\"name\":\"c7bfadd4-34a6-4fa5-82f8-3691a32261e8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Low\",\"query\":\"let EventNameList = dynamic([\\\"ApplySecurityGroupsToLoadBalancer\\\", \\\"SetSecurityGroups\\\"]);\\nAWSCloudTrail\\n| where EventName in~ (EventNameList)\\n| extend UserIdentityArn = iif(isempty(UserIdentityArn), tostring(parse_json(Resources)[0].ARN), UserIdentityArn)\\n| extend UserName = tostring(split(UserIdentityArn, \u0027/\u0027)[-1])\\n| extend AccountName = case( UserIdentityPrincipalid == \\\"Anonymous\\\", \\\"Anonymous\\\", isempty(UserIdentityUserName), UserName, UserIdentityUserName)\\n| extend AccountName = iif(AccountName contains \\\"@\\\", tostring(split(AccountName, \u0027@\u0027, 0)[0]), AccountName),\\n AccountUPNSuffix = iif(AccountName contains \\\"@\\\", tostring(split(AccountName, \u0027@\u0027, 1)[0]), \\\"\\\")\\n| summarize EventCount=count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated)\\nby EventSource, EventName, UserIdentityType, SourceIpAddress, UserAgent, SessionMfaAuthenticated, AWSRegion,\\nAdditionalEventData, RecipientAccountId, AccountName, AccountUPNSuffix, UserIdentityAccountId, UserIdentityPrincipalid, ResponseElements\\n| extend timestamp = StartTimeUtc\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"},{\"identifier\":\"CloudAppAccountId\",\"columnName\":\"RecipientAccountId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIpAddress\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Changes to AWS Elastic Load Balancer security groups\",\"description\":\"Elastic Load Balancer distributes incoming traffic across multiple instances in multiple availability Zones. This increases the fault tolerance of your applications.\\n Unwanted changes to Elastic Load Balancer specific security groups could open your environment to attack and hence needs monitoring.\\n More information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255 \\n and https://aws.amazon.com/elasticloadbalancing/. \",\"lastUpdatedDateUTC\":\"2024-03-27T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bff093b2-500e-4ae5-bb49-a5b1423cbd5b\",\"name\":\"bff093b2-500e-4ae5-bb49-a5b1423cbd5b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.1.3\",\"severity\":\"Low\",\"query\":\"let TeamsAddDel = (Op:string){\\nOfficeActivity\\n| where OfficeWorkload =~ \\\"MicrosoftTeams\\\"\\n| where Operation == Op\\n| where Members has (\\\"#EXT#\\\")\\n| mv-expand Members\\n| extend UPN = tostring(Members.UPN)\\n| where UPN has (\\\"#EXT#\\\")\\n| project TimeGenerated, Operation, UPN, UserId, TeamName, ClientIP\\n};\\nlet TeamsAdd = TeamsAddDel(\\\"MemberAdded\\\")\\n| project TimeAdded=TimeGenerated, Operation, MemberAdded = UPN, UserWhoAdded = UserId, TeamName, ClientIP;\\nlet TeamsDel = TeamsAddDel(\\\"MemberRemoved\\\")\\n| project TimeDeleted=TimeGenerated, Operation, MemberRemoved = UPN, UserWhoDeleted = UserId, TeamName, ClientIP;\\nTeamsAdd\\n| join kind=inner (TeamsDel) on $left.MemberAdded == $right.MemberRemoved\\n| where TimeDeleted \u003e TimeAdded\\n| project TimeAdded, TimeDeleted, MemberAdded_Removed = MemberAdded, UserWhoAdded, UserWhoDeleted, TeamName, ClientIP\\n| extend MemberAdded_RemovedAccountName = tostring(split(MemberAdded_Removed, \\\"@\\\")[0]), MemberAdded_RemovedAccountUPNSuffix = tostring(split(MemberAdded_Removed, \\\"@\\\")[1])\\n| extend UserWhoAddedAccountName = tostring(split(UserWhoAdded, \\\"@\\\")[0]), UserWhoAddedAccountUPNSuffix = tostring(split(UserWhoAdded, \\\"@\\\")[1])\\n| extend UserWhoDeletedAccountName = tostring(split(UserWhoDeleted, \\\"@\\\")[0]), UserWhoDeletedAccountUPNSuffix = tostring(split(UserWhoDeleted, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"MemberAdded_Removed\"},{\"identifier\":\"Name\",\"columnName\":\"MemberAdded_RemovedAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"MemberAdded_RemovedAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserWhoAdded\"},{\"identifier\":\"Name\",\"columnName\":\"UserWhoAddedAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UserWhoAddedAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserWhoDeleted\"},{\"identifier\":\"Name\",\"columnName\":\"UserWhoDeletedAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UserWhoDeletedAccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"External user added and removed in short timeframe\",\"description\":\"This detection flags the occurrences of external user accounts that are added to a Team and then removed within one hour.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2020-09-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity (Teams)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b31037ea-6f68-4fbd-bab2-d0d0f44c2fcf\",\"name\":\"b31037ea-6f68-4fbd-bab2-d0d0f44c2fcf\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.6\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(Url)\\n| where TimeGenerated \u003e= ago(ioc_lookBack)\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true and ExpirationDateTime \u003e now()\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n Syslog\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n // Extract URL from the Syslog message but only take messages that include URLs\\n | extend Url = extract(\\\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.\u0026+]|[!*\\\\\\\\(\\\\\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+)\\\", 1,SyslogMessage)\\n | where isnotempty(Url)\\n | extend Syslog_TimeGenerated = TimeGenerated\\n) on Url\\n| where Syslog_TimeGenerated \u003c ExpirationDateTime\\n| summarize Syslog_TimeGenerated = arg_max(Syslog_TimeGenerated , *) by IndicatorId, Url\\n| project timestamp = Syslog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, SyslogMessage, Computer, ProcessName, Url, HostIP\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"HostIP\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"TI Map URL Entity to Syslog Data\",\"description\":\"This query identifies any URL indicators of compromise (IOCs) from threat intelligence (TI) by searching for matches in Syslog data.\",\"lastUpdatedDateUTC\":\"2024-07-09T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/dcdf9bfc-c239-4764-a9f9-3612e6dff49c\",\"name\":\"dcdf9bfc-c239-4764-a9f9-3612e6dff49c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"// Adjust this to use a longer timeframe to identify ADFS servers\\n//let lookback = 6d;\\n// Adjust this to adjust the key export detection timeframe\\n//let timeframe = 1d;\\n// Start be identifying ADFS servers to reduce FP chance\\nlet ADFS_Servers = (\\nEvent\\n//| where TimeGenerated \u003e ago(timeframe+lookback)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 18\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, MG, ManagementGroupName, _ResourceId)\\n| extend Image = column_ifexists(\\\"Image\\\", \\\"\\\")\\n| extend process = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n| where process =~ \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| summarize by Computer);\\n// Look for ADFS servers where Named Pipes event are present\\nEvent\\n//| where TimeGenerated \u003e ago(timeframe)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 18\\n| where Computer in~ (ADFS_Servers)\\n| extend RenderedDescription = tostring(split(RenderedDescription, \\\":\\\")[0])\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| extend RuleName = column_ifexists(\\\"RuleName\\\", \\\"\\\"),\\n TechniqueId = column_ifexists(\\\"TechniqueId\\\", \\\"\\\"),\\n TechniqueName = column_ifexists(\\\"TechniqueName\\\", \\\"\\\"),\\n Image = column_ifexists(\\\"Image\\\", \\\"\\\"),\\n PipeName = column_ifexists(\\\"PipeName\\\", \\\"\\\"),\\n EventType = column_ifexists(\\\"EventType\\\", \\\"\\\")\\n| parse RuleName with * \u0027technique_id=\u0027 TechniqueId \u0027,\u0027 * \u0027technique_name=\u0027 TechniqueName\\n// Look for Pipe related to querying the WID\\n| where PipeName == \\\"\\\\\\\\MICROSOFT##WID\\\\\\\\tsql\\\\\\\\query\\\"\\n| extend process = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n// Exclude expected processes\\n| where process !in (\\\"Microsoft.IdentityServer.ServiceHost.exe\\\", \\\"Microsoft.Identity.Health.Adfs.PshSurrogate.exe\\\", \\\"AzureADConnect.exe\\\", \\\"Microsoft.Tri.Sensor.exe\\\", \\\"wsmprovhost.exe\\\",\\\"mmc.exe\\\", \\\"sqlservr.exe\\\")\\n| extend Operation = RenderedDescription\\n| project-reorder TimeGenerated, EventType, Operation, process, Image, Computer, UserName\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| extend AccountName = tostring(split(UserName, @\u0027\\\\\u0027)[1]), AccountNTDomain = tostring(split(UserName, @\u0027\\\\\u0027)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserName\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"Collection\"],\"displayName\":\"ADFS Database Named Pipe Connection\",\"description\":\"This detection uses Sysmon telemetry to detect suspicious local connections via a named pipe to the AD FS configuration database (Windows Internal Database).\\nIn order to use this query you need to be collecting Sysmon EventIdD 18 (Pipe Connected).\\nIf you do not have Sysmon data in your workspace this query will raise an error stating:\\nFailed to resolve scalar expression named \\\"[@Name]\",\"lastUpdatedDateUTC\":\"2024-03-13T00:00:00Z\",\"createdDateUTC\":\"2020-12-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f110287e-1358-490d-8147-ed804b328514\",\"name\":\"f110287e-1358-490d-8147-ed804b328514\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.4.2\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h; // Look back 1 hour for AWSCloudTrail logs\\nlet ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators\\n// Fetch threat intelligence indicators related to IP addresses\\nlet IP_Indicators = ThreatIntelligenceIndicator\\n // Filter out indicators without relevant IP address fields\\n | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n | where TimeGenerated \u003e= ago(ioc_lookBack)\\n // Select the IP entity based on availability of different IP fields\\n | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n // Exclude local addresses using the ipv4_is_private operator and filtering out specific address prefixes\\n | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \\\"fe80\\\" and TI_ipEntity !startswith \\\"::\\\" and TI_ipEntity !startswith \\\"127.\\\"\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n | where Active == true and ExpirationDateTime \u003e now();\\n// Perform a join between IP indicators and AWSCloudTrail logs to identify potential malicious activity\\nIP_Indicators\\n // Use innerunique to keep performance fast and result set low, as we only need one match to indicate potential malicious activity that needs investigation\\n | join kind=innerunique (\\n AWSCloudTrail\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | extend AWSCloudTrail_TimeGenerated = TimeGenerated // Rename time column for clarity\\n )\\n on $left.TI_ipEntity == $right.SourceIpAddress\\n // Filter out logs that occurred after the expiration of the corresponding indicator\\n | where AWSCloudTrail_TimeGenerated \u003c ExpirationDateTime\\n // Group the results by IndicatorId and SourceIpAddress, and keep the log entry with the latest timestamp\\n | summarize AWSCloudTrail_TimeGenerated = arg_max(AWSCloudTrail_TimeGenerated, *) by IndicatorId, SourceIpAddress\\n // Select the desired output fields\\n | project AWSCloudTrail_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\n TI_ipEntity, EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserIdentityUserName, SourceIpAddress,\\n NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, Type\\n // Rename the timestamp field\\n | extend timestamp = AWSCloudTrail_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"ObjectGuid\",\"columnName\":\"UserIdentityUserName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIpAddress\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"TI map IP entity to AWSCloudTrail\",\"description\":\"Identifies a match in AWSCloudTrail from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2024-07-09T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4f19d4e3-ec5f-4abc-9e61-819eb131758c\",\"name\":\"4f19d4e3-ec5f-4abc-9e61-819eb131758c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Low\",\"query\":\"let EventNameList = dynamic([ \\\"AuthorizeSecurityGroupEgress\\\", \\\"AuthorizeSecurityGroupIngress\\\", \\\"RevokeSecurityGroupEgress\\\", \\\"RevokeSecurityGroupIngress\\\"]);\\nAWSCloudTrail\\n| where EventName in~ (EventNameList)\\n| extend UserIdentityArn = iif(isempty(UserIdentityArn), tostring(parse_json(Resources)[0].ARN), UserIdentityArn)\\n| extend UserName = tostring(split(UserIdentityArn, \u0027/\u0027)[-1])\\n| extend AccountName = case( UserIdentityPrincipalid == \\\"Anonymous\\\", \\\"Anonymous\\\", isempty(UserIdentityUserName), UserName, UserIdentityUserName)\\n| extend AccountName = iif(AccountName contains \\\"@\\\", tostring(split(AccountName, \u0027@\u0027, 0)[0]), AccountName),\\n AccountUPNSuffix = iif(AccountName contains \\\"@\\\", tostring(split(AccountName, \u0027@\u0027, 1)[0]), \\\"\\\")\\n| summarize EventCount=count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated)\\nby EventSource, EventName, UserIdentityType, RecipientAccountId, AccountName, AccountUPNSuffix, SourceIpAddress, UserAgent, SessionMfaAuthenticated, AWSRegion,\\nAdditionalEventData, UserIdentityAccountId, UserIdentityPrincipalid, ResponseElements\\n| extend timestamp = StartTimeUtc\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"},{\"identifier\":\"CloudAppAccountId\",\"columnName\":\"RecipientAccountId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIpAddress\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Changes to AWS Security Group ingress and egress settings\",\"description\":\"A Security Group acts as a virtual firewall of an instance to control inbound and outbound traffic.\\n Hence, ingress and egress settings changes to AWS Security Group should be monitored as these can expose the enviornment to new attack vectors.\\nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255. \",\"lastUpdatedDateUTC\":\"2024-03-27T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3d71fc38-f249-454e-8479-0a358382ef9a\",\"name\":\"3d71fc38-f249-454e-8479-0a358382ef9a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"High\",\"query\":\"SecurityNestedRecommendation\\n| where RemediationDescription has \u0027CVE-2021-44228\u0027\\n| parse ResourceDetails with * \u0027virtualMachines/\u0027 VirtualMachine \u0027\\\"\u0027 *\\n| summarize arg_min(TimeGenerated, *) by TenantId, RecommendationSubscriptionId, VirtualMachine, RecommendationName,Description,RemediationDescription, tostring(AdditionalData),VulnerabilityId\\n| extend Timestamp = TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"VirtualMachine\"}]}],\"tactics\":[\"InitialAccess\",\"Execution\"],\"displayName\":\"Vulnerable Machines related to log4j CVE-2021-44228\",\"description\":\"This query uses the Azure Defender Security Nested Recommendations data to find machines vulnerable to log4j CVE-2021-44228.\\nLog4j is an open-source Apache logging library that is used in many Java-based applications. Security Nested Recommendations data is sent to Microsoft Sentinel using the continuous export feature of Azure Defender(refrence link below).\\n Reference: https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/\\n Reference: https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal\\n Reference: https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/how-defender-for-cloud-displays-machines-affected-by-log4j/ba-p/3037271\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2021-09-17T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bca9c877-2afc-4246-a26d-087ab1cdcd5f\",\"name\":\"bca9c877-2afc-4246-a26d-087ab1cdcd5f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"High\",\"query\":\"let sha256Hashes = dynamic([\\\"5dd1ca0d471dee41eb3ea0b6ea117810f228354fc3b7b47400a812573d40d91d\\\", \\\"5fc44c7342b84f50f24758e39c8848b2f0991e8817ef5465844f5f2ff6085a57\\\", \\\"6cff0bbd62efe99f381e5cc0c4182b0fb7a9a34e4be9ce68ee6b0d0ea3eee39c\\\"]);\\nlet signames = dynamic([\\\"Ransom:Win32/Prestige\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, SourceUserID, FileHash, Type\\n| extend timestamp = TimeGenerated, Algorithm = \\\"SHA256\\\", AccountNTName = SourceUserID\\n),\\n(imFileEvent\\n| where TargetFileSHA256 has_any (sha256Hashes)\\n| extend AccountNT = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, AccountNT, IPAddress, CommandLine, FileHash, Algorithm = \\\"SHA256\\\"\\n),\\n(Event\\n| where Source =~ \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend ProcessId = tolong(EventDetail.[3].[\\\"#text\\\"]), Image = tostring(EventDetail.[4].[\\\"#text\\\"]), CommandLine = tostring(EventDetail.[10].[\\\"#text\\\"]), Hashes = tostring(EventDetail.[17].[\\\"#text\\\"])\\n| extend Hashes = extract_all(@\\\"(?P\u003ckey\u003e\\\\w+)=(?P\u003cvalue\u003e[a-zA-Z0-9]+)\\\", dynamic([\\\"key\\\",\\\"value\\\"]), Hashes)\\n| extend Hashes = column_ifexists(\\\"Hashes\\\", dynamic([\\\"\\\", \\\"\\\"])), CommandLine = column_ifexists(\\\"CommandLine\\\", \\\"\\\")\\n| mv-expand Hashes\\n| where Hashes[0] =~ \\\"SHA256\\\" and Hashes[1] has_any (sha256Hashes) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, ProcessId, Hashes, CommandLine, Image\\n| extend Type = strcat(Type, \\\": \\\", Source)\\n| extend AccountNT = UserName, InitiatingProcessId = ProcessId\\n| extend Process = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), Algorithm = \\\"SHA256\\\", FileHash = tostring(Hashes[1]) \\n),\\n(DeviceEvents\\n| where InitiatingProcessSHA256 has_any (sha256Hashes) or SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend AccountNT = InitiatingProcessAccountName, Computer = DeviceName\\n| extend Algorithm = \\\"SHA256\\\", FileHash = tostring(InitiatingProcessSHA256), CommandLine = InitiatingProcessCommandLine, Image = InitiatingProcessFolderPath\\n),\\n(DeviceFileEvents\\n| where SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend AccountNT = InitiatingProcessAccountName, Computer = DeviceName\\n| extend Algorithm = \\\"SHA256\\\", FileHash = tostring(InitiatingProcessSHA256), CommandLine = InitiatingProcessCommandLine, Image = InitiatingProcessFolderPath\\n),\\n(DeviceImageLoadEvents\\n| where SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend AccountNT = InitiatingProcessAccountName, Computer = DeviceName\\n| extend Algorithm = \\\"SHA256\\\", FileHash = tostring(InitiatingProcessSHA256), CommandLine = InitiatingProcessCommandLine, Image = InitiatingProcessFolderPath\\n),\\n(SecurityAlert\\n| where ProductName == \\\"Microsoft Defender Advanced Threat Protection\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| where isnotempty(ThreatName)\\n| where ThreatName has_any (signames)\\n| extend Computer = tostring(parse_json(Entities)[0].HostName)\\n)\\n)\\n| extend AccountNTName = tostring(split(AccountNT, \\\"\\\\\\\\\\\")[0]), AccountNTDomain = tostring(split(AccountNT, \\\"\\\\\\\\\\\")[1])\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| project-away DomainIndex\",\"entityMappings\":[{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"Algorithm\"},{\"identifier\":\"Value\",\"columnName\":\"FileHash\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"InitiatingProcessId\"},{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLine\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountNT\"},{\"identifier\":\"Name\",\"columnName\":\"AccountNTName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"Prestige ransomware IOCs Oct 2022\",\"description\":\"This query looks for file hashes and AV signatures associated with Prestige ransomware payload.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-07-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceEvents\",\"DeviceFileEvents\",\"DeviceImageLoadEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f8b3c49c-4087-499b-920f-0dcfaff0cbca\",\"name\":\"f8b3c49c-4087-499b-920f-0dcfaff0cbca\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.4\",\"severity\":\"Medium\",\"query\":\"imProcessCreate\\n| where CommandLine contains \\\"TVqQAAMAAAAEAAA\\\"\\n| where isnotempty(Process)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by Dvc, ActorUsername, Process, CommandLine, ActingProcessName, EventVendor, EventProduct\\n| extend AccountName = tostring(split(ActorUsername, @\u0027\\\\\u0027)[1]), AccountNTDomain = tostring(split(ActorUsername, @\u0027\\\\\u0027)[0])\\n| extend HostName = tostring(split(Dvc, \\\".\\\")[0]), DomainIndex = toint(indexof(Dvc, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Dvc, DomainIndex + 1), Dvc)\\n| project-away DomainIndex\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ActorUsername\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Dvc\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"Execution\",\"DefenseEvasion\"],\"displayName\":\"Base64 encoded Windows process command-lines (Normalized Process Events)\",\"description\":\"Identifies instances of a base64 encoded PE file header seen in the process command line parameter.\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimProcessEvent)\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2018-09-13T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d564ff12-8f53-41b8-8649-44f76b37b99f\",\"name\":\"d564ff12-8f53-41b8-8649-44f76b37b99f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"Medium\",\"query\":\"// How many greater than Service Connections you want to view per build/release\\nlet ServiceConnectionThreshold = 4;\\nlet BypassDefIds = datatable(DefId:string, Type:string, ProjectName:string)\\n[\\n//\\\"103\\\", \\\"Release\\\", \\\"ProjectA\\\",\\n//\\\"42\\\", \\\"Release\\\", \\\"ProjectB\\\",\\n//\\\"122\\\", \\\"Build\\\", \\\"ProjectB\\\"\\n];\\nAzureDevOpsAuditing\\n| where OperationName == \\\"Library.ServiceConnectionExecuted\\\"\\n| extend DefId = tostring(Data.DefinitionId), Type = tostring(Data.PlanType), ConnectionId = tostring(Data.ConnectionId)\\n| parse ScopeDisplayName with OrganizationName \u0027 (Organization)\u0027\\n| summarize CurrentCount = dcount(tostring(ConnectionId)), ConnectionNames = make_set(tostring(Data.ConnectionName)), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated)\\n by OrganizationName, tostring(DefId), tostring(Type), ProjectId, ProjectName, ActorUPN, IpAddress\\n| where CurrentCount \u003e ServiceConnectionThreshold\\n| join kind=anti BypassDefIds on $left.DefId==$right.DefId and $left.Type == $right.Type and $left.ProjectName == $right.ProjectName\\n| extend link = iif(\\n Type == \\\"Build\\\", strcat(\u0027https://dev.azure.com/\u0027, OrganizationName, \u0027/\u0027, ProjectName, \u0027/_build?definitionId=\u0027, DefId),\\n strcat(\u0027https://dev.azure.com/\u0027, OrganizationName, \u0027/\u0027, ProjectName, \u0027/_release?_a=releases\u0026view=mine\u0026definitionId=\u0027, DefId))\\n| extend timestamp = StartTime\\n| extend AccountName = tostring(split(ActorUPN, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(ActorUPN, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ActorUPN\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]}],\"tactics\":[\"Persistence\",\"Impact\"],\"displayName\":\"Azure DevOps Service Connection Abuse\",\"description\":\"Flags builds/releases that use a large number of service connections if they aren\u0027t manually in the allow list.\\nThis is to determine if someone is hijacking a build/release and adding many service connections in order to abuse or dump credentials from service connections.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-04T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cd8d946d-10a4-40a9-bac1-6d0a6c847d65\",\"name\":\"cd8d946d-10a4-40a9-bac1-6d0a6c847d65\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"version\":\"1.0.4\",\"severity\":\"Medium\",\"query\":\"let BEC_Keywords = dynamic([ \u0027invoice\u0027,\u0027payment\u0027,\u0027paycheck\u0027,\u0027transfer\u0027,\u0027bank statement\u0027,\u0027bank details\u0027,\u0027closing\u0027,\u0027funds\u0027,\u0027bank account\u0027,\u0027account details\u0027,\u0027remittance\u0027,\u0027purchase\u0027,\u0027deposit\u0027,\\\"PO#\\\",\\\"Zahlung\\\",\\\"Rechnung\\\",\\\"Paiement\\\", \\\"virement bancaire\\\",\\\"Bankuberweisung\\\",\u0027hacked\u0027,\u0027phishing\u0027]);\\n// Adjust this threshold based on your environment\\nlet sensitivity = 2.5;\\nlet Events = materialize(imFileEvent\\n| where TimeGenerated between(startofday(ago(14d))..endofday(ago(0d)))\\n| where User !~ \\\"app@sharepoint\\\"\\n| where EventType =~ \\\"FileAccessed\\\"\\n| extend OriginalEvent = column_ifexists(\\\"EventOriginalType\\\",\\\"Unknown\\\")\\n| where OriginalEvent !~ \\\"FileSyncDownloadedFull\\\"\\n| where EventProduct in (\\\"SharePoint 365\\\", \\\"Azure File Storage\\\", \\\"OneDrive\\\" , \\\"SharePoint\\\")\\n| where FilePath has_any(BEC_Keywords)\\n| extend _AuthDetails = column_ifexists(\\\"AuthorizationDetails\\\", \\\"None\\\")\\n| extend SPuser = case(gettype(_AuthDetails) == \\\"array\\\", tostring(todynamic(_AuthDetails)[0].principals[0].id), \\\"Unknown\\\")\\n| extend User = case(isnotempty(User), User, SPuser)\\n| where isnotempty(User));\\nEvents\\n| summarize dcount(FileName) by User, bin(startofday(TimeGenerated), 1d)\\n| summarize CountOfDocs = make_list(dcount_FileName, 10000), TimeStamp = make_list(TimeGenerated, 10000) by User\\n| extend (Anomalies, Score, Baseline) = series_decompose_anomalies(CountOfDocs, sensitivity, -1, \u0027linefit\u0027)\\n| mv-expand CountOfDocs to typeof(double), TimeStamp to typeof(datetime), Anomalies to typeof(double), Score to typeof(double), Baseline to typeof(long)\\n| where Anomalies \u003e 0\\n| project TimeStamp, CountOfDocs, Baseline, Score, Anomalies, User\\n| join kind=inner(Events | extend TimeStamp = startofday(TimeGenerated)) on TimeStamp, User\\n| extend IpAddr = column_ifexists(\\\"IpAddr\\\", SrcIpAddr)\\n| extend Name = iif(User contains \\\"@\\\", split(User, \\\"@\\\")[0], split(User, \\\"\\\\\\\\\\\")[1])\\n| extend UPNSuffix = iif(User contains \\\"@\\\", split(User, \\\"@\\\")[1], \\\"\\\")\\n| extend NTDomain = iif(User contains \\\"@\\\", split(User, \\\"\\\\\\\\\\\")[0], \\\"\\\")\\n| project-reorder TimeGenerated, User, EventType, EventResult, EventProduct, FilePath, HttpUserAgent, IpAddr, CountOfDocs, Baseline, Score\",\"customDetails\":{\"Type\":\"EventType\",\"Result\":\"EventResult\",\"Product\":\"EventProduct\",\"UserAgent\":\"HttpUserAgent\"},\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"User\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"User\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"NTDomain\",\"columnName\":\"NTDomain\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"User\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddr\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"FilePath\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Suspicious access of {{number_of_files_accessed}} BEC related documents by {{User}}\",\"alertDescriptionFormat\":\"This query looks for users (in this case {{User}}) with suspicious spikes in the number of files accessed (in this case {{number_of_files_accessed}} events) that relate to topics commonly accessed as part of Business Email Compromise (BEC) attacks. The query looks for access to files in storage that relate to topics such as invoices or payments, and then looks for users accessing these files in significantly higher numbers than in the previous 14 days. Incidents raised by this analytic should be investigated to see if the user accessing these files should be accessing them, and if the volume they accessed them at was related to a legitimate business need. \\nThis query contains thresholds to reduce the chance of false positives, these can be adjusted to suit individual environments. In addition false positives could be generated by legitimate, scheduled actions that occur less often than every 14 days, additional exclusions can be added for these actions on username or IP address entities. This query uses the imFileEvent schema from ASIM, you will first need to ensure you have ASIM deployed in your environment. Ref https://learn.microsoft.com/azure/sentinel/normalization-about-parsers\\n\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"Collection\"],\"displayName\":\"Suspicious access of BEC related documents\",\"description\":\"This query looks for users with suspicious spikes in the number of files accessed that relate to topics commonly accessed as part of Business Email Compromise (BEC) attacks.\\nThe query looks for access to files in storage that relate to topics such as invoices or payments, and then looks for users accessing these files in significantly higher numbers than in the previous 14 days. Incidents raised by this analytic should be investigated to see if the user accessing these files should be accessing them, and if the volume they accessed them at was related to a legitimate business need. \\nThis query contains thresholds to reduce the chance of false positives, these can be adjusted to suit individual environments. In addition false positives could be generated by legitimate, scheduled actions that occur less often than every 14 days, additional exclusions can be added for these actions on username or IP address entities. This query uses the imFileEvent schema from ASIM, you will first need to ensure you have ASIM deployed in your environment. Ref https://learn.microsoft.com/azure/sentinel/normalization-about-parsers\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2023-02-24T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/87210ca1-49a4-4a7d-bb4a-4988752f978c\",\"name\":\"87210ca1-49a4-4a7d-bb4a-4988752f978c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.3\",\"severity\":\"Medium\",\"query\":\"// Get details of current Azure Ranges (note this URL updates regularly so will need to be manually updated over time)\\n// You may find the name of the new JSON here: https://www.microsoft.com/download/details.aspx?id=56519\\n// On the downloads page, click the \u0027details\u0027 button, and then replace just the filename in the URL below\\nlet azure_ranges = externaldata(changeNumber: string, cloud: string, values: dynamic)\\n[\\\"https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/MSFTIPRanges/ServiceTags_Public.json\\\"] with(format=\u0027multijson\u0027)\\n| mv-expand values\\n| mv-expand values.properties.addressPrefixes\\n| mv-expand values_properties_addressPrefixes\\n| summarize by tostring(values_properties_addressPrefixes)\\n| extend isipv4 = parse_ipv4(values_properties_addressPrefixes)\\n| extend isipv6 = parse_ipv6(values_properties_addressPrefixes)\\n| extend ip_type = case(isnotnull(isipv4), \\\"v4\\\", \\\"v6\\\")\\n| summarize make_list(values_properties_addressPrefixes) by ip_type\\n;\\nSigninLogs\\n// Limiting to Azure Portal really reduces false positives and helps focus on potential admin activity\\n| where ResultType == 0\\n| where AppDisplayName =~ \\\"Azure Portal\\\"\\n| extend isipv4 = parse_ipv4(IPAddress)\\n| extend ip_type = case(isnotnull(isipv4), \\\"v4\\\", \\\"v6\\\")\\n // Only get logons where the IP address is in an Azure range\\n| join kind=fullouter (azure_ranges) on ip_type\\n| extend ipv6_match = ipv6_is_in_any_range(IPAddress, list_values_properties_addressPrefixes)\\n| extend ipv4_match = ipv4_is_in_any_range(IPAddress, list_values_properties_addressPrefixes)\\n| where ipv4_match or ipv6_match \\n// Limit to where the user is external to the tenant\\n| where HomeTenantId != ResourceTenantId\\n// Further limit it to just access to the current tenant (you can drop this if you wanted to look elsewhere as well but it helps reduce FPs)\\n| where ResourceTenantId == AADTenantId\\n| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), make_set(ResourceDisplayName) by UserPrincipalName, IPAddress, UserAgent, Location, HomeTenantId, ResourceTenantId, UserId\\n| extend AccountName = split(UserPrincipalName, \\\"@\\\")[0]\\n| extend UPNSuffix = split(UserPrincipalName, \\\"@\\\")[1]\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"UserId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Azure Portal sign in by {{UserPrincipalName}} from another Azure Tenant with IP Address {{IPAddress}}\",\"alertDescriptionFormat\":\"This query looks for successful sign in attempts to the Azure Portal where the user who is signing in from another Azure tenant,\\nand the IP address the login attempt is from is an Azure IP. A threat actor who compromises an Azure tenant may look\\nto pivot to other tenants leveraging cross-tenant delegated access in this manner.\\nIn this instance {{UserPrincipalName}} logged in at {{FirstSeen}} from IP Address {{IPAddress}}.\\n\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"InitialAccess\"],\"displayName\":\"Azure Portal sign in from another Azure Tenant\",\"description\":\"This query looks for successful sign in attempts to the Azure Portal where the user who is signing in from another Azure tenant, and the IP address the login attempt is from is an Azure IP. A threat actor who compromises an Azure tenant may look to pivot to other tenants leveraging cross-tenant delegated access in this manner.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2021-10-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6ee72a9e-2e54-459c-bc9a-9c09a6502a63\",\"name\":\"6ee72a9e-2e54-459c-bc9a-9c09a6502a63\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"High\",\"query\":\"let IPList = dynamic([\\\"216.24.185.74\\\", \\\"107.175.189.159\\\", \\\"192.210.132.102\\\", \\\"67.230.163.214\\\", \\n \\\"199.19.110.240\\\", \\\"107.148.130.176\\\", \\\"154.212.129.218\\\", \\\"172.86.75.54\\\", \\\"45.61.136.199\\\", \\n \\\"149.28.150.195\\\", \\\"108.61.214.194\\\", \\\"144.202.98.198\\\", \\\"149.28.84.98\\\", \\\"103.99.209.78\\\", \\n \\\"45.61.136.2\\\", \\\"176.122.162.149\\\", \\\"192.3.80.245\\\", \\\"149.28.23.32\\\", \\\"107.182.18.149\\\", \\\"107.174.45.134\\\", \\n \\\"149.248.18.104\\\", \\\"65.49.192.74\\\", \\\"156.255.2.154\\\", \\\"45.76.6.149\\\", \\\"8.9.11.130\\\", \\\"140.238.27.255\\\", \\n \\\"107.182.24.70\\\", \\\"176.122.188.254\\\", \\\"192.161.161.108\\\", \\\"64.64.234.24\\\", \\\"104.224.185.36\\\", \\n \\\"104.233.224.227\\\", \\\"104.36.69.105\\\", \\\"119.28.139.120\\\", \\\"161.117.39.130\\\", \\\"66.42.100.42\\\", \\\"45.76.31.159\\\", \\n \\\"149.248.8.134\\\", \\\"216.24.182.48\\\", \\\"66.42.103.222\\\", \\\"218.89.236.11\\\", \\\"180.150.227.249\\\", \\\"47.75.80.23\\\",\\n \\\"124.156.164.19\\\", \\\"149.248.62.83\\\", \\\"150.109.76.174\\\", \\\"222.209.187.207\\\", \\\"218.38.191.38\\\", \\n \\\"119.28.226.59\\\", \\\"66.42.98.220\\\", \\\"74.82.201.8\\\", \\\"173.242.122.198\\\", \\\"45.32.130.72\\\", \\\"89.35.178.10\\\", \\n \\\"89.43.60.113\\\"]); \\n(union isfuzzy=true \\n(CommonSecurityLog \\n| where isnotempty(SourceIP) or isnotempty(DestinationIP) \\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList) \\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"Message\\\") \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch \\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\") \\n), \\n(OfficeActivity \\n|extend SourceIPAddress = ClientIP, Account = UserId \\n| where SourceIPAddress in (IPList) \\n| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account \\n),\\n(_Im_Dns (response_has_any_prefix=IPList)\\n| extend DestinationIPAddress = ResponseName, Host = SrcIpAddr \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host \\n), \\n(_Im_NetworkSession (srcipaddr_has_any_prefix=IPList)\\n | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Hostname, AccountCustomEntity=User\\n), \\n(_Im_NetworkSession (dstipaddr_has_any_prefix=IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = DstIpAddr, HostCustomEntity = Hostname , AccountCustomEntity = User\\n), \\n(WireData \\n| where isnotempty(RemoteIP) \\n| where RemoteIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer \\n), \\n(SigninLogs \\n| where isnotempty(IPAddress) \\n| where IPAddress in (IPList) \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \\n),\\n(AADNonInteractiveUserSignInLogs \\n| where isnotempty(IPAddress) \\n| where IPAddress in (IPList) \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \\n), \\n(W3CIISLog \\n| where isnotempty(cIP) \\n| where cIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName \\n), \\n(AzureActivity \\n| where isnotempty(CallerIpAddress) \\n| where CallerIpAddress in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller \\n), \\n( \\nAWSCloudTrail \\n| where isnotempty(SourceIpAddress) \\n| where SourceIpAddress in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName \\n), \\n( \\nDeviceNetworkEvents \\n| where isnotempty(RemoteIP) \\n| where RemoteIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName \\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallNetworkRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n),\\n(\\nAZFWApplicationRule\\n| where Fqdn has_any (IPList)\\n| extend IPCustomEntity = SourceIp\\n),\\n(\\nAZFWNetworkRule\\n| where DestinationIp has_any (IPList)\\n| extend IPCustomEntity = SourceIp\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"[Deprecated] -Known Barium IP\",\"description\":\"This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft\u0027s Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2020-11-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AzureMonitor(WireData)\",\"dataTypes\":[\"WireData\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\",\"AZFWApplicationRule\",\"AZFWNetworkRule\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3174a9ec-d0ad-4152-8307-94ed04fa450a\",\"name\":\"3174a9ec-d0ad-4152-8307-94ed04fa450a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"High\",\"query\":\"let SHA256Hash = \\\"1174fd03271f80f5e2a6435c72bdd0272a6e3a37049f6190abf125b216a83471\\\" ;\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where isnotempty(FileHash)\\n| where FileHash in (SHA256Hash) \\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updataing\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Hashes = EventDetail.[16].[\\\"#text\\\"]\\n| parse Hashes with * \u0027SHA256=\u0027 SHA265 \u0027,\u0027 * \\n| where isnotempty(Hashes)\\n| where Hashes in (SHA256Hash) \\n| extend Account = UserName\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"CredentialAccess\"],\"displayName\":\"[Deprecated] - Known Diamond Sleet related maldoc hash\",\"description\":\"This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft\u0027s Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2020-10-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f15370f4-c6fa-42c5-9be4-1d308f40284e\",\"name\":\"f15370f4-c6fa-42c5-9be4-1d308f40284e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.4.3\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h; // Look back 1 hour for OfficeActivity events\\nlet ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators\\nlet OfficeActivity_ = materialize(OfficeActivity\\n | where isnotempty(ClientIP)\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | extend ClientIPValues = extract_all(@\u0027\\\\[?(::ffff:)?(?P\u003cIPAddress\u003e(\\\\d+\\\\.\\\\d+\\\\.\\\\d+\\\\.\\\\d+)|[^\\\\]%]+)(%\\\\d+)?\\\\]?([-:](?P\u003cPort\u003e\\\\d+))?\u0027, dynamic([\\\"IPAddress\\\", \\\"Port\\\"]), ClientIP)[0]\\n | extend IPAddress = iff(array_length(ClientIPValues) \u003e 0, tostring(ClientIPValues[0]), \u0027\u0027)\\n | project-rename OfficeActivity_TimeGenerated = TimeGenerated);\\nlet ActivityIPs = OfficeActivity_ | summarize IPs = make_list(IPAddress);\\n// Fetch threat intelligence indicators related to IP addresses\\nlet IP_Indicators = materialize(ThreatIntelligenceIndicator\\n | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n | where TimeGenerated \u003e= ago(ioc_lookBack)\\n | extend TI_ipEntity = coalesce(NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress)\\n | where TI_ipEntity in (ActivityIPs)\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n | where Active == true and ExpirationDateTime \u003e now()\\n | where Description !contains_cs \\\"State: inactive;\\\" and Description !contains_cs \\\"State: falsepos;\\\");\\nIP_Indicators\\n// Use innerunique to keep performance fast and result set low, as we only need one match to indicate potential malicious activity that needs investigation\\n| join kind=innerunique (OfficeActivity_)\\n on $left.TI_ipEntity == $right.IPAddress\\n// Filter out OfficeActivity events that occurred after the expiration of the corresponding indicator\\n| where OfficeActivity_TimeGenerated \u003c ExpirationDateTime\\n// Group the results by IndicatorId and keep the OfficeActivity event with the latest timestamp\\n| summarize OfficeActivity_TimeGenerated = arg_max(OfficeActivity_TimeGenerated, *) by IndicatorId\\n// Select the desired output fields\\n| project OfficeActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, ClientIP, UserId, Operation, ResultStatus, RecordType, OfficeObjectId, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, Type\\n| extend timestamp = OfficeActivity_TimeGenerated, Name = tostring(split(UserId, \u0027@\u0027, 0)[0]), UPNSuffix = tostring(split(UserId, \u0027@\u0027, 1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserId\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"TI_ipEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"TI map IP entity to OfficeActivity\",\"description\":\"This query maps any IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in OfficeActivity.\",\"lastUpdatedDateUTC\":\"2024-07-09T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/32555639-b639-4c2b-afda-c0ae0abefa55\",\"name\":\"32555639-b639-4c2b-afda-c0ae0abefa55\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Low\",\"query\":\"AWSCloudTrail\\n| where EventName =~ \\\"GetCallerIdentity\\\" and UserIdentityType =~ \\\"AssumedRole\\\"\\n| extend UserIdentityArn = iif(isempty(UserIdentityArn), tostring(parse_json(Resources)[0].ARN), UserIdentityArn)\\n| extend UserName = tostring(split(UserIdentityArn, \u0027/\u0027)[-1])\\n| extend AccountName = case( UserIdentityPrincipalid == \\\"Anonymous\\\", \\\"Anonymous\\\", isempty(UserIdentityUserName), UserName, UserIdentityUserName)\\n| extend AccountName = iif(AccountName contains \\\"@\\\", tostring(split(AccountName, \u0027@\u0027, 0)[0]), AccountName),\\n AccountUPNSuffix = iif(AccountName contains \\\"@\\\", tostring(split(AccountName, \u0027@\u0027, 1)[0]), \\\"\\\")\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by SourceIpAddress, EventName, EventTypeName, UserIdentityType, RecipientAccountId, AccountName, AccountUPNSuffix, UserIdentityAccountId, UserIdentityPrincipalid,\\nUserAgent, UserIdentityUserName, SessionMfaAuthenticated,AWSRegion, EventSource, AdditionalEventData, ResponseElements\\n| extend timestamp = StartTime\\n| sort by EndTime desc nulls last\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"},{\"identifier\":\"CloudAppAccountId\",\"columnName\":\"RecipientAccountId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIpAddress\"}]}],\"tactics\":[\"Discovery\"],\"displayName\":\"Monitor AWS Credential abuse or hijacking\",\"description\":\"Looking for GetCallerIdentity Events where the UserID Type is AssumedRole\\nAn attacker who has assumed the role of a legitimate account can call the GetCallerIdentity function to determine what account they are using.\\nA legitimate user using legitimate credentials would not need to call GetCallerIdentity since they should already know what account they are using.\\nMore Information: https://duo.com/decipher/trailblazer-hunts-compromised-credentials-in-aws \\nAWS STS GetCallerIdentity API: https://docs.aws.amazon.com/STS/latest/APIReference/API_GetCallerIdentity.html \",\"lastUpdatedDateUTC\":\"2024-03-27T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/229f71ba-d83b-42a5-b83b-11a641049ed1\",\"name\":\"229f71ba-d83b-42a5-b83b-11a641049ed1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P2D\",\"queryPeriod\":\"P2D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"// In User \u0026 Groups and in Applications, the following \\\"AccessType\\\" values in columns PremodifiedOutboundSettings and ModifiedOutboundSettings are interpreted accordingly\\n// When Access Type in premodified outbound settings value was 1 that means that the initial access was allowed. When Access Type in premodified outbound settings value was 2 that means that the initial access was blocked.\\n// When Access Type in modified outbound settings value is 1 that means that now access is allowed. When Access Type in modified outbound settings value is 2 that means that now access is blocked.\\nAuditLogs\\n| where OperationName has \\\"Update a partner cross-tenant access setting\\\"\\n| mv-apply TargetResource = TargetResources on\\n (\\n where TargetResource.type =~ \\\"Policy\\\"\\n | extend Properties = TargetResource.modifiedProperties\\n )\\n| mv-apply Property = Properties on\\n (\\n where Property.displayName =~ \\\"b2bCollaborationOutbound\\\"\\n | extend PremodifiedOutboundSettings = trim(\u0027\\\"\u0027,tostring(Property.oldValue)),\\n ModifiedOutboundSettings = trim(@\u0027\\\"\u0027,tostring(Property.newValue))\\n )\\n| where PremodifiedOutboundSettings != ModifiedOutboundSettings\\n| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n| extend InitiatingIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\\n| extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"InitiatingAppName\"},{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAppServicePrincipalId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatingAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatingAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIpAddress\"}]}],\"tactics\":[\"InitialAccess\",\"Persistence\",\"Discovery\"],\"displayName\":\"Cross-tenant Access Settings Organization Outbound Collaboration Settings Changed\",\"description\":\"Organizations are added in the Cross-tenant Access Settings to control communication inbound or outbound for users and applications. This detection notifies when Organization Outbound Collaboration Settings are changed for \\\"Users \u0026 Groups\\\" and for \\\"Applications\\\".\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-10-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/01f64465-b1ef-41ea-a7f5-31553a11ad43\",\"name\":\"01f64465-b1ef-41ea-a7f5-31553a11ad43\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.6\",\"severity\":\"Medium\",\"query\":\"let endpointData = \\n(union isfuzzy=true\\n(SecurityEvent\\n | where EventID == 4688\\n | extend shortFileName = tolower(tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1]))\\n ),\\n (WindowsEvent\\n | where EventID == 4688\\n | extend NewProcessName = tostring(EventData.NewProcessName)\\n | extend shortFileName = tolower(tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1]))\\n | extend TargetUserName = tostring(EventData.TargetUserName)\\n ));\\n// Correlate suspect executables seen in TrendMicro rule updates with similar activity on endpoints\\nCommonSecurityLog\\n| where DeviceVendor =~ \\\"Trend Micro\\\"\\n| where Activity =~ \\\"Deny List updated\\\" \\n| where RequestURL endswith \\\".exe\\\"\\n| project TimeGenerated, Activity , RequestURL , SourceIP, DestinationIP\\n| extend suspectExeName = tolower(tostring(split(RequestURL, \u0027/\u0027)[-1]))\\n| join kind=innerunique (endpointData) on $left.suspectExeName == $right.shortFileName \\n| extend HostName = tostring(split(Computer, \u0027.\u0027, 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Computer, \u0027.\u0027), 1, -1), \u0027.\u0027))\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"TargetUserName\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DestinationIP\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"RequestURL\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"Network endpoint to host executable correlation\",\"description\":\"Correlates blocked URLs hosting [malicious] executables with host endpoint data to identify potential instances of executables of the same name having been recently run.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2019-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"TrendMicro\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/95dc4ae3-e0f2-48bd-b996-cdd22b90f9af\",\"name\":\"95dc4ae3-e0f2-48bd-b996-cdd22b90f9af\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"High\",\"query\":\"(union isfuzzy=true\\n(\\nAuditLogs\\n| where OperationName =~ \\\"Set federation settings on domain\\\"\\n//| where Result =~ \\\"success\\\" // commenting out, as it may be interesting to capture failed attempts\\n| mv-expand TargetResources\\n| extend modifiedProperties = parse_json(TargetResources).modifiedProperties\\n| mv-expand modifiedProperties\\n| extend targetDisplayName = tostring(parse_json(modifiedProperties).displayName)\\n),\\n(\\nAuditLogs\\n| where OperationName =~ \\\"Set domain authentication\\\"\\n//| where Result =~ \\\"success\\\" // commenting out, as it may be interesting to capture failed attempts\\n| mv-expand TargetResources\\n| extend modifiedProperties = parse_json(TargetResources).modifiedProperties\\n| mv-expand modifiedProperties\\n| mv-apply Property = modifiedProperties on\\n (\\n where Property.displayName =~ \\\"LiveType\\\"\\n | extend targetDisplayName = tostring(Property.displayName),\\n NewDomainValue = tostring(Property.newValue)\\n )\\n| where NewDomainValue has \\\"Federated\\\"\\n)\\n)\\n| mv-apply AdditionalDetail = AdditionalDetails on\\n (\\n where AdditionalDetail.key =~ \\\"User-Agent\\\"\\n | extend UserAgent = tostring(AdditionalDetail.value)\\n )\\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n| extend InitiatingIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\\n| extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[1])\\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, AADOperationType, targetDisplayName, Result, InitiatingIpAddress, UserAgent, CorrelationId, TenantId, AADTenantId\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"InitiatingAppName\"},{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAppServicePrincipalId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatingAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatingAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIpAddress\"}]}],\"tactics\":[\"CredentialAccess\",\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Modified domain federation trust settings\",\"description\":\"This will alert when a user or application modifies the federation settings on the domain or Update domain authentication from Managed to Federated.\\nFor example, this alert will trigger when a new Active Directory Federated Service (ADFS) TrustedRealm object, such as a signing certificate, is added to the domain.\\nModification to domain federation settings should be rare. Confirm the added or modified target domain/URL is legitimate administrator behavior.\\nTo understand why an authorized user may update settings for a federated domain in Office 365, Azure, or Intune, see: https://docs.microsoft.com/office365/troubleshoot/active-directory/update-federated-domain-office-365.\\nFor details on security realms that accept security tokens, see the ADFS Proxy Protocol (MS-ADFSPP) specification: https://docs.microsoft.com/openspecs/windows_protocols/ms-adfspp/e7b9ea73-1980-4318-96a6-da559486664b.\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2024-07-15T00:00:00Z\",\"createdDateUTC\":\"2020-12-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2566e99f-ad0f-472a-b9ac-d3899c9283e6\",\"name\":\"2566e99f-ad0f-472a-b9ac-d3899c9283e6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"High\",\"query\":\"(union isfuzzy=true\\n(SecurityEvent\\n| where EventID == 4688\\n| where (CommandLine has_all (\u0027reg\u0027, \u0027add\u0027, \u0027HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\\u0027, \u0027/v\u0027,\u0027/t\u0027, \u0027REG_DWORD\u0027, \u0027/d\u0027, \u0027/f\u0027) and CommandLine has_any(\u0027DisableRealtimeMonitoring\u0027, \u0027UseTPMKey\u0027, \u0027UseTPMKeyPIN\u0027, \u0027UseAdvancedStartup\u0027, \u0027EnableBDEWithNoTPM\u0027, \u0027RecoveryKeyMessageSource\u0027))\\n or CommandLine has_all (\u0027reg\u0027, \u0027add\u0027, \u0027HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\\u0027, \u0027/v\u0027,\u0027/t\u0027, \u0027REG_DWORD\u0027, \u0027/d\u0027, \u0027/f\u0027, \u0027RecoveryKeyMessage\u0027, \u0027Your drives are Encrypted!\u0027, \u0027@\u0027)\\n| project TimeGenerated, Computer, Account, AccountDomain, ProcessName, ProcessNameFullPath = NewProcessName, EventID, Activity, CommandLine, EventSourceName, Type\\n),\\n(DeviceProcessEvents \\n| where (InitiatingProcessCommandLine has_all(@\u0027\\\"reg\\\"\u0027, \u0027add\u0027, @\u0027\\\"HKLM\\\\SOFTWARE\\\\Policies\\\\\u0027, \u0027/v\u0027,\u0027/t\u0027, \u0027REG_DWORD\u0027, \u0027/d\u0027, \u0027/f\u0027) \\n and InitiatingProcessCommandLine has_any(\u0027DisableRealtimeMonitoring\u0027, \u0027UseTPMKey\u0027, \u0027UseTPMKeyPIN\u0027, \u0027UseAdvancedStartup\u0027, \u0027EnableBDEWithNoTPM\u0027, \u0027RecoveryKeyMessageSource\u0027) ) \\n or InitiatingProcessCommandLine has_all(\u0027\\\"reg\\\"\u0027, \u0027add\u0027, @\u0027\\\"HKLM\\\\SOFTWARE\\\\Policies\\\\\u0027, \u0027/v\u0027,\u0027/t\u0027, \u0027REG_DWORD\u0027, \u0027/d\u0027, \u0027/f\u0027, \u0027RecoveryKeyMessage\u0027, \u0027Your drives are Encrypted!\u0027, \u0027@\u0027)\\n| extend Account = strcat(InitiatingProcessAccountDomain, @\u0027\\\\\u0027, InitiatingProcessAccountName), Computer = DeviceName\\n )\\n )\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| extend AccountName = tostring(split(Account, @\u0027\\\\\u0027)[1]), AccountNTDomain = tostring(split(Account, @\u0027\\\\\u0027)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Dev-0270 Registry IOC - September 2022\",\"description\":\"The query below identifies modification of registry by Dev-0270 actor to disable security feature as well as to add ransom notes\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-09-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d2bc08fa-030a-4eea-931a-762d27c6a042\",\"name\":\"d2bc08fa-030a-4eea-931a-762d27c6a042\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"let Threshold = 1; \\n AzureDiagnostics\\n | where Category == \\\"ApplicationGatewayFirewallLog\\\"\\n | where action_s == \\\"Matched\\\"\\n | project transactionId_g, hostname_s, requestUri_s, TimeGenerated, clientIp_s, Message, details_message_s, details_data_s\\n | join kind = inner(\\n AzureDiagnostics\\n | where Category == \\\"ApplicationGatewayFirewallLog\\\"\\n | where action_s == \\\"Blocked\\\"\\n | parse Message with MessageText \u0027Total Inbound Score: \u0027 TotalInboundScore \u0027 - SQLI=\u0027 SQLI_Score \u0027,XSS=\u0027 XSS_Score \u0027,RFI=\u0027 RFI_Score \u0027,LFI=\u0027 LFI_Score \u0027,RCE=\u0027 RCE_Score \u0027,PHPI=\u0027 PHPI_Score \u0027,HTTP=\u0027 HTTP_Score \u0027,SESS=\u0027 SESS_Score \u0027): \u0027 Blocked_Reason \u0027; individual paranoia level scores:\u0027 Paranoia_Score\\n | where Blocked_Reason contains \\\"XSS\\\" and toint(TotalInboundScore) \u003e=15 and toint(XSS_Score) \u003e= 10 and toint(SQLI_Score) \u003c= 5) on transactionId_g\\n | extend Uri = strcat(hostname_s,requestUri_s)\\n | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), TransactionID = make_set(transactionId_g), Message = make_set(Message), Detail_Message = make_set(details_message_s), Detail_Data = make_set(details_data_s), Total_TransactionId = dcount(transactionId_g) by clientIp_s, Uri, action_s, SQLI_Score, XSS_Score, TotalInboundScore\\n | where Total_TransactionId \u003e= Threshold\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Uri\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"clientIp_s\"}]}],\"tactics\":[\"InitialAccess\",\"Execution\"],\"displayName\":\"Application Gateway WAF - XSS Detection\",\"description\":\"Identifies a match for XSS attack in the Application gateway WAF logs. The Threshold value in the query can be changed as per your infrastructure\u0027s requirement.\\n References: https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS)\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2022-07-21T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"WAF\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/aa1eff90-29d4-49dc-a3ea-b65199f516db\",\"name\":\"aa1eff90-29d4-49dc-a3ea-b65199f516db\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Low\",\"query\":\"(union isfuzzy=true\\n (SecurityEvent\\n | where EventID == 4720\\n | where AccountType == \\\"User\\\"\\n | project CreatedUserTime = TimeGenerated, CreatedUserEventID = EventID, CreatedUserActivity = Activity, Computer = toupper(Computer), \\n CreatedUser = tolower(TargetAccount), CreatedUserAccountName = TargetUserName, CreatedUserDomainName = TargetDomainName, CreatedUserSid = TargetSid, \\n AccountUsedToCreateUser = SubjectAccount, CreatedByAccountName = SubjectUserName, CreatedByDomainName = SubjectDomainName, SidofAccountUsedToCreateUser = SubjectUserSid\\n ),\\n (WindowsEvent\\n | where EventID == 4720\\n | extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n | extend AccountType=case(EventData.SubjectUserName endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n | where AccountType == \\\"User\\\"\\n | extend SubjectAccount = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n | extend SubjectDomainName = tostring(EventData.SubjectDomainName), SubjectUserName = tostring(EventData.SubjectUserName)\\n | extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n | extend TargetUserName = tostring(EventData.TargetUserName), TargetDomainName = tostring(EventData.TargetDomainName) \\n | extend Activity=\\\"4720 - A user account was created.\\\"\\n | extend TargetSid = tostring(EventData.TargetSid)\\n | project CreatedUserTime = TimeGenerated, CreatedUserEventID = EventID, CreatedUserActivity = Activity, Computer = toupper(Computer), \\n CreatedUser = tolower(TargetAccount), CreatedUserAccountName = TargetUserName, CreatedUserDomainName = TargetDomainName, CreatedUserSid = TargetSid, \\n AccountUsedToCreateUser = SubjectAccount, CreatedByAccountName = SubjectUserName, CreatedByDomainName = SubjectDomainName, SidofAccountUsedToCreateUser = SubjectUserSid\\n )\\n )\\n| join kind=inner\\n(\\n (union isfuzzy=true\\n (SecurityEvent \\n | where AccountType == \\\"User\\\"\\n // 4732 - A member was added to a security-enabled local group\\n | where EventID == 4732\\n // TargetSid is the builin Admins group: S-1-5-32-544\\n | where TargetSid == \\\"S-1-5-32-544\\\"\\n | project GroupAddTime = TimeGenerated, GroupAddEventID = EventID, GroupAddActivity = Activity, Computer = toupper(Computer), GroupName = tolower(TargetAccount), \\n GroupSid = TargetSid, AccountThatAddedUser = SubjectAccount, SIDofAccountThatAddedUser = SubjectUserSid, AddedByAccountName = SubjectUserName, AddedByDomainName = SubjectDomainName,\\n CreatedUserSid = MemberSid\\n ),\\n ( WindowsEvent \\n // 4732 - A member was added to a security-enabled local group\\n | where EventID == 4732 and EventData has \\\"S-1-5-32-544\\\"\\n //TargetSid is the builin Admins group: S-1-5-32-544\\n | extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n | extend AccountType=case(EventData.SubjectUserName endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n | where AccountType == \\\"User\\\"\\n | extend TargetSid = tostring(EventData.TargetSid)\\n | where TargetSid == \\\"S-1-5-32-544\\\"\\n | extend SubjectAccount = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n | extend SubjectDomainName = tostring(EventData.SubjectDomainName), SubjectUserName = tostring(EventData.SubjectUserName)\\n | extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n | extend Activity=\\\"4732 - A member was added to a security-enabled local group.\\\"\\n | extend MemberSid = tostring(EventData.MemberSid)\\n | project GroupAddTime = TimeGenerated, GroupAddEventID = EventID, GroupAddActivity = Activity, Computer = toupper(Computer), GroupName = tolower(TargetAccount), \\n GroupSid = TargetSid, AccountThatAddedUser = SubjectAccount, SIDofAccountThatAddedUser = SubjectUserSid, AddedByAccountName = SubjectUserName, AddedByDomainName = SubjectDomainName,\\n CreatedUserSid = MemberSid\\n )\\n )\\n)\\non CreatedUserSid\\n//Create User first, then the add to the group.\\n| project Computer, CreatedUserTime, CreatedUserEventID, CreatedUserActivity, CreatedUser, CreatedUserSid, CreatedUserAccountName, CreatedUserDomainName,\\nGroupAddTime, GroupAddEventID, GroupAddActivity, GroupName, GroupSid,\\nAccountUsedToCreateUser, SidofAccountUsedToCreateUser, CreatedByAccountName, CreatedByDomainName, \\nAccountThatAddedUser, SIDofAccountThatAddedUser, AddedByAccountName, AddedByDomainName\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| project-away DomainIndex\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountUsedToCreateUser\"},{\"identifier\":\"Name\",\"columnName\":\"CreatedByAccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"CreatedByDomainName\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountThatAddedUser\"},{\"identifier\":\"Name\",\"columnName\":\"AddedByAccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AddedByDomainName\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CreatedUser\"},{\"identifier\":\"Name\",\"columnName\":\"CreatedUserAccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"CreatedUserDomainName\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Sid\",\"columnName\":\"CreatedUserSid\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"New user created and added to the built-in administrators group\",\"description\":\"Identifies when a user account was created and then added to the builtin Administrators group in the same day.\\nThis should be monitored closely and all additions reviewed.\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2019-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/56fe0db0-6779-46fa-b3c5-006082a53064\",\"name\":\"56fe0db0-6779-46fa-b3c5-006082a53064\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"2.0.3\",\"severity\":\"Medium\",\"query\":\"let tokens = dynamic([\\\"416\\\",\\\"208\\\",\\\"192\\\",\\\"128\\\",\\\"120\\\",\\\"96\\\",\\\"80\\\",\\\"72\\\",\\\"64\\\",\\\"48\\\",\\\"44\\\",\\\"40\\\",\\\"nc12\\\",\\\"nc24\\\",\\\"nv24\\\"]);\\nlet operationList = dynamic([\\\"microsoft.compute/virtualmachines/write\\\", \\\"microsoft.resources/deployments/write\\\"]);\\nAzureActivity\\n| where OperationNameValue in~ (operationList)\\n| where ActivityStatusValue startswith \\\"Accept\\\"\\n| where Properties has \u0027vmSize\u0027\\n| extend parsed_property= parse_json(tostring((parse_json(Properties).responseBody))).properties\\n| extend vmSize = tostring((parsed_property.hardwareProfile).vmSize)\\n| mv-apply token=tokens to typeof(string) on (where vmSize contains token)\\n| extend ComputerName = tostring((parsed_property.osProfile).computerName)\\n| project TimeGenerated, OperationNameValue, ActivityStatusValue, Caller, CallerIpAddress, ComputerName, vmSize\\n| extend Name = tostring(split(Caller,\u0027@\u0027,0)[0]), UPNSuffix = tostring(split(Caller,\u0027@\u0027,1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Caller\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"ComputerName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"CallerIpAddress\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"NRT Creation of expensive computes in Azure\",\"description\":\"Identifies the creation of large size or expensive VMs (with GPUs or with a large number of virtual CPUs) in Azure.\\nAn adversary may create new or update existing virtual machines to evade defenses or use them for cryptomining purposes.\\nFor Windows/Linux Vm Sizes, see https://docs.microsoft.com/azure/virtual-machines/windows/sizes \\nAzure VM Naming Conventions, see https://docs.microsoft.com/azure/virtual-machines/vm-naming-conventions\",\"lastUpdatedDateUTC\":\"2024-01-08T00:00:00Z\",\"createdDateUTC\":\"2020-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b79f6190-d104-4691-b7db-823e05980895\",\"name\":\"b79f6190-d104-4691-b7db-823e05980895\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"let Keywords = dynamic([\\\"helpdesk\\\", \\\" alert\\\", \\\" suspicious\\\", \\\"fake\\\", \\\"malicious\\\", \\\"phishing\\\", \\\"spam\\\", \\\"do not click\\\", \\\"do not open\\\", \\\"hijacked\\\", \\\"Fatal\\\"]);\\nOfficeActivity\\n| where OfficeWorkload =~ \\\"Exchange\\\"\\n| where Parameters has \\\"Deleted Items\\\" or Parameters has \\\"Junk Email\\\" or Parameters has \\\"DeleteMessage\\\"\\n| extend Events=todynamic(Parameters)\\n| parse Events with * \\\"SubjectContainsWords\\\" SubjectContainsWords \u0027}\u0027*\\n| parse Events with * \\\"BodyContainsWords\\\" BodyContainsWords \u0027}\u0027*\\n| parse Events with * \\\"SubjectOrBodyContainsWords\\\" SubjectOrBodyContainsWords \u0027}\u0027*\\n| where SubjectContainsWords has_any (Keywords)\\n or BodyContainsWords has_any (Keywords)\\n or SubjectOrBodyContainsWords has_any (Keywords)\\n| extend ClientIPAddress = case( ClientIP has \\\".\\\", tostring(split(ClientIP,\\\":\\\")[0]), ClientIP has \\\"[\\\", tostring(trim_start(@\u0027[[]\u0027,tostring(split(ClientIP,\\\"]\\\")[0]))), ClientIP )\\n| extend Keyword = iff(isnotempty(SubjectContainsWords), SubjectContainsWords, (iff(isnotempty(BodyContainsWords),BodyContainsWords,SubjectOrBodyContainsWords )))\\n| extend RuleDetail = case(OfficeObjectId contains \u0027/\u0027 , tostring(split(OfficeObjectId, \u0027/\u0027)[-1]) , tostring(split(OfficeObjectId, \u0027\\\\\\\\\u0027)[-1]))\\n| summarize count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by UserId, ClientIPAddress, ResultStatus, Keyword, OriginatingServer, OfficeObjectId, RuleDetail\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserId\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"OriginatingServer\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIPAddress\"}]}],\"tactics\":[\"Persistence\",\"DefenseEvasion\"],\"displayName\":\"NRT Malicious Inbox Rule\",\"description\":\"Often times after the initial compromise the attackers create inbox rules to delete emails that contain certain keywords.\\n This is done so as to limit ability to warn compromised users that they\u0027ve been compromised. Below is a sample query that tries to detect this.\\nReference: https://www.reddit.com/r/sysadmin/comments/7kyp0a/recent_phishing_attempts_my_experience_and_what/\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2020-03-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/639aa695-9de9-4921-aa6b-6fdc35cb1eee\",\"name\":\"639aa695-9de9-4921-aa6b-6fdc35cb1eee\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs \\n| where OperationName contains \\\"Update user\\\"\\n| where TargetResources[0].modifiedProperties[0].oldValue contains \\\"Guest\\\"\\n| extend InvitedUser = TargetResources[0].userPrincipalName\\n// Uncomment the below line if you want to get alerts for changed usertype from specific domains or users\\n//| where InvitedUser has_any (\\\"CUSTOM DOMAIN NAME#\\\", \\\"#EXT#\\\")\\n| extend InitiatedByActionUserInformation = iff(isnotempty(InitiatedBy.user.userPrincipalName), InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName)\\n| extend InitiatedByIPAdress = InitiatedBy.user.ipAddress \\n| extend OldUserType = TargetResources[0].modifiedProperties[0].oldValue contains \\\"Guest\\\"\\n| extend NewUserType = TargetResources[0].modifiedProperties[0].newValue contains \\\"Member\\\"\\n| mv-expand OldUserType = TargetResources[0].modifiedProperties[0].oldValue to typeof(string)\\n| mv-expand NewUserType = TargetResources[0].modifiedProperties[0].newValue to typeof(string)\\n| where OldUserType != NewUserType\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InvitedUser\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"InitiatedByActionUserInformation\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatedByIPAdress\"}]}],\"tactics\":[\"InitialAccess\",\"Persistence\",\"Discovery\"],\"displayName\":\"Guest accounts changed user type from guest to members in AzureAD\",\"description\":\"Guest Accounts are added in the Organization Tenants to perform various tasks i.e projects execution, support etc.. This detection notifies when guest users are changed from user type as should be in AzureAD to member and gain other rights in the tenant.\",\"lastUpdatedDateUTC\":\"2022-10-23T00:00:00Z\",\"createdDateUTC\":\"2022-10-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/29283b22-a1c0-4d16-b0a9-3460b655a46a\",\"name\":\"29283b22-a1c0-4d16-b0a9-3460b655a46a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.8\",\"severity\":\"High\",\"query\":\"let UserAgentString = dynamic ([\\\"${jndi:ldap:/\\\", \\\"${jndi:rmi:/\\\", \\\"${jndi:ldaps:/\\\", \\\"${jndi:dns:/\\\", \\\"${jndi:iiop:/\\\",\\\"${jndi:\\\",\\\"${jndi:nds:/\\\",\\\"${jndi:corba/\\\"]);\\nlet UARegexMinimalString=dynamic([\u0027{\u0027,\u0027%7b\u0027, \u0027%7B\u0027]);\\nlet UARegex = @\u0027(\\\\\\\\$|%24)(\\\\\\\\{|%7B)([^jJ]*[jJ])([^nN]*[nN])([^dD]*[dD])([^iI]*[iI])(:|%3A|\\\\\\\\$|%24|}|%7D)\u0027;\\n(union isfuzzy=true\\n(OfficeActivity\\n| where UserAgent has_any (UserAgentString) or UserAgent matches regex UARegex\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = ClientIP, Account = UserId, Type, Operation\\n),\\n(AzureDiagnostics\\n| where Category in (\\\"FrontdoorWebApplicationFirewallLog\\\", \\\"FrontdoorAccessLog\\\", \\\"ApplicationGatewayFirewallLog\\\", \\\"ApplicationGatewayAccessLog\\\")\\n| where userAgent_s has_any (UserAgentString) or userAgent_s matches regex UARegex\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent = userAgent_s, SourceIP = column_ifexists(\\\"clientIp_s\\\",clientIP_s), Type, column_ifexists(\\\"originalHost_s\\\",host_s), Url = requestUri_s, HttpStatus = column_ifexists(\\\"httpStatusDetails_s\\\",httpStatus_d), column_ifexists(\\\"transactionId_g\\\",trackingReference_s), ruleName_s, ResourceType, ResourceId\\n),\\n(\\nW3CIISLog\\n| where csUserAgent has_any (UserAgentString) or csUserAgent matches regex UARegex\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent = csUserAgent, SourceIP = cIP, Account = csUserName, Type, sSiteName, csMethod, Url = csUriStem\\n),\\n(\\nAWSCloudTrail\\n| where UserAgent has_any (UserAgentString) or UserAgent matches regex UARegex\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = SourceIpAddress, Account = UserIdentityUserName, Type, EventName\\n),\\n(SigninLogs\\n| where UserAgent has_any (UserAgentString) or UserAgent matches regex UARegex\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = IPAddress, Account = UserPrincipalName, Type, Operation = OperationName, tostring(LocationDetails), tostring(DeviceDetail), AppDisplayName, ClientAppUsed\\n),\\n(AADNonInteractiveUserSignInLogs \\n| where UserAgent has_any (UserAgentString) or UserAgent matches regex UARegex\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = IPAddress, Account = UserPrincipalName, Type, Operation = OperationName, tostring(LocationDetails), tostring(DeviceDetail), AppDisplayName, ClientAppUsed\\n),\\n(_Im_WebSession (httpuseragent_has_any=array_concat(UserAgentString,UARegexMinimalString))\\n| where HttpUserAgent has_any (UserAgentString) or HttpUserAgent matches regex UARegex\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by HttpUserAgent, SourceIP = SrcIpAddr, DstIpAddr, Account = SrcUsername, Url, Type\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"Account\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"User agent search for log4j exploitation attempt\",\"description\":\"This query uses various log sources having user agent data to look for log4j CVE-2021-44228 exploitation attempt based on user agent pattern.\\nLog4j is an open-source Apache logging library that is used in many Java-based applications. The regex and the string matching look for the most common attacks. This might not be comprehensive to detect every possible user agent variation.\\n Reference: https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2021-12-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"WAF\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/89e6adbd-612c-4fbe-bc3d-32f81baf3b6c\",\"name\":\"89e6adbd-612c-4fbe-bc3d-32f81baf3b6c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT4H\",\"queryPeriod\":\"PT4H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Medium\",\"query\":\"// Change to true to monitor for Project Administrator adds to *any* project\\nlet MonitorAllProjects = false;\\n// If MonitorAllProjects is false, trigger only on Project Administrator add for the following projects\\nlet ProjectsToMonitor = dynamic([\u0027\u003cproject_X\u003e\u0027,\u0027\u003cproject_Y\u003e\u0027]);\\nAzureDevOpsAuditing\\n| where Area == \\\"Group\\\" and OperationName == \\\"Group.UpdateGroupMembership.Add\\\"\\n| where Details has \u0027Administrators\u0027\\n| where Details has \\\"was added as a member of group\\\" and (Details endswith \u0027\\\\\\\\Project Administrators\u0027 or Details endswith \u0027\\\\\\\\Project Collection Administrators\u0027)\\n| parse Details with AddedIdentity \u0027 was added as a member of group [\u0027 EntityName \u0027]\\\\\\\\\u0027 GroupName\\n| extend Level = iif(GroupName == \u0027Project Collection Administrators\u0027, \u0027Organization\u0027, \u0027Project\u0027), AddedIdentityId = Data.MemberId\\n| extend Severity = iif(Level == \u0027Organization\u0027, \u0027High\u0027, \u0027Medium\u0027), AlertDetails = strcat(\u0027At \u0027, TimeGenerated, \u0027 UTC \u0027, ActorUPN, \u0027/\u0027, ActorDisplayName, \u0027 added \u0027, AddedIdentity, \u0027 to the \u0027, EntityName, \u0027 \u0027, Level)\\n| where MonitorAllProjects == true or EntityName in (ProjectsToMonitor) or Level == \u0027Organization\u0027\\n| project TimeGenerated, Severity, Adder = ActorUPN, AddedIdentity, AddedIdentityId, AlertDetails, Level, EntityName, GroupName, ActorAuthType = AuthenticationMechanism,\\n ActorIpAddress = IpAddress, ActorUserAgent = UserAgent, RawDetails = Details\\n| extend timestamp = TimeGenerated\\n| extend AccountName = tostring(split(Adder, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(Adder, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Adder\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ActorIpAddress\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Azure DevOps Administrator Group Monitoring\",\"description\":\"This detection monitors for additions to projects or project collection administration groups in an Azure DevOps Organization.\",\"lastUpdatedDateUTC\":\"2024-03-13T00:00:00Z\",\"createdDateUTC\":\"2020-06-04T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/875d0eb1-883a-4191-bd0e-dbfdeb95a464\",\"name\":\"875d0eb1-883a-4191-bd0e-dbfdeb95a464\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n| where EventID == 5136 \\n| parse EventData with * \u0027AttributeLDAPDisplayName\\\"\u003e\u0027 AttributeLDAPDisplayName \\\"\u003c\\\" *\\n| parse EventData with * \u0027ObjectClass\\\"\u003e\u0027 ObjectClass \\\"\u003c\\\" *\\n| where AttributeLDAPDisplayName == \\\"servicePrincipalName\\\" and ObjectClass == \\\"user\\\"\\n| parse EventData with * \u0027ObjectDN\\\"\u003e\u0027 ObjectDN \\\"\u003c\\\" *\\n| parse EventData with * \u0027AttributeValue\\\"\u003e\u0027 AttributeValue \\\"\u003c\\\" *\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Computer, SubjectAccount, ObjectDN, AttributeValue, SubjectUserName, SubjectDomainName, SubjectUserSid\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| project-away DomainIndex\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SubjectAccount\"},{\"identifier\":\"Name\",\"columnName\":\"SubjectUserName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"SubjectDomainName\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Sid\",\"columnName\":\"SubjectUserSid\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Service Principal Name (SPN) Assigned to User Account\",\"description\":\"This query identifies whether an Active Directory user object was assigned a service principal name which could indicate that an adversary is preparing for performing Kerberoasting. \\nThis query checks for event id 5136, that the Object Class field is \\\"user\\\" and the LDAP Display Name is \\\"servicePrincipalName\\\".\\nRef: https://thevivi.net/assets/docs/2019/theVIVI-AD-Security-Workshop_AfricaHackon2019.pdf\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2022-01-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bb8a3481-dd14-4e76-8dcc-bbec8776d695\",\"name\":\"bb8a3481-dd14-4e76-8dcc-bbec8776d695\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"Medium\",\"query\":\"let DomainNames = dynamic([\u0027onetechcompany.com\u0027, \u0027reyweb.com\u0027, \u0027srfnetwork.org\u0027, \u0027sense4baby.fr\u0027, \u0027nikeoutletinc.org\u0027, \u0027megatoolkit.com\u0027]);\\nlet IPList = dynamic([\u0027185.225.69.69\u0027]);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or DestinationHostName in~ (DomainNames) or RequestURL has_any (DomainNames) or Message has_any (IPList)\\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", RequestURL in (DomainNames), \\\"RequestUrl\\\", \\\"NoMatch\\\") \\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, \\\"NoMatch\\\"), AccountCustomEntity = SourceUserID\\n),\\n(_Im_Dns (domain_has_any=DomainNames)\\n| extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n),\\n(_Im_Dns (response_has_any_prefix=IPList)\\n| extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n),\\n(_Im_WebSession(url_has_any=DomainNames)\\n| extend DestinationIPAddress = DstIpAddr, DNSName = tostring(parse_url(Url)[\\\"Host\\\"]), Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n),\\n(VMConnection\\n| where SourceIp in (IPList) or DestinationIp in (IPList) or RemoteDnsCanonicalNames has_any (DomainNames)\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"NoMatch\\\"), HostCustomEntity = Computer\\n),\\n(OfficeActivity\\n| where ClientIP in (IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = UserId\\n),\\n(DeviceNetworkEvents\\n| where RemoteUrl has_any (DomainNames) or RemoteIP in (IPList)\\n| extend timestamp = TimeGenerated, DNSName = RemoteUrl, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost\\n),\\n(AZFWApplicationRule\\n| where isnotempty(Fqdn)\\n| where Fqdn has_any (DomainNames)\\n| extend timestamp = TimeGenerated\\n| extend DNSName = Fqdn\\n| extend IPCustomEntity = SourceIp\\n),\\n(AZFWDnsQuery\\n| where isnotempty(QueryName)\\n| where QueryName has_any (DomainNames)\\n| extend timestamp = TimeGenerated\\n| extend DNSName = QueryName\\n| extend IPCustomEntity = SourceIp\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"DNSName\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"[Deprecated] - Midnight Blizzard - Domain and IP IOCs - March 2021\",\"description\":\"This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft\u0027s Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2021-03-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\",\"AZFWApplicationRule\",\"AZFWDnsQuery\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8c8de3fa-6425-4623-9cd9-45de1dd0569a\",\"name\":\"8c8de3fa-6425-4623-9cd9-45de1dd0569a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Medium\",\"query\":\"let lookBack = 14d;\\nlet timeframe = 1d;\\nlet user_agents_list = Cisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(lookBack) and TimeGenerated \u003c ago(timeframe)\\n| summarize count() by HttpUserAgentOriginal\\n| summarize make_list(HttpUserAgentOriginal);\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(timeframe)\\n| where HttpUserAgentOriginal !in (user_agents_list)\\n| extend Message = \\\"Rare User Agent\\\"\\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated, HttpUserAgentOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlOriginal\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - Rare User Agent Detected\",\"description\":\"Rule helps to detect a rare user-agents indicating web browsing activity by an unusual process other than a web browser.\",\"lastUpdatedDateUTC\":\"2023-12-29T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bdf04f58-242b-4729-b376-577c4bdf5d3a\",\"name\":\"bdf04f58-242b-4729-b376-577c4bdf5d3a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.6\",\"severity\":\"Medium\",\"query\":\"imProcessCreate\\n| where Process hassuffix \u0027rundll32.exe\u0027\\n| where CommandLine has_any (\u0027Execute\u0027,\u0027RegRead\u0027,\u0027window.close\u0027)\\n| project TimeGenerated, Dvc, User, Process, CommandLine, ActingProcessName, EventVendor, EventProduct\\n| extend AccountName = tostring(split(User, @\u0027\\\\\u0027)[1]), AccountNTDomain = tostring(split(User, @\u0027\\\\\u0027)[0])\\n| extend HostName = tostring(split(Dvc, \\\".\\\")[0]), DomainIndex = toint(indexof(Dvc, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Dvc, DomainIndex + 1), Dvc)\\n| project-away DomainIndex\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"User\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Dvc\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Midnight Blizzard - suspicious rundll32.exe execution of vbscript (Normalized Process Events)\",\"description\":\"This query idenifies when rundll32.exe executes a specific set of inline VBScript commands\\nReferences: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimProcessEvent)\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2021-03-03T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7d7e20f8-3384-4b71-811c-f5e950e8306c\",\"name\":\"7d7e20f8-3384-4b71-811c-f5e950e8306c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.8\",\"severity\":\"High\",\"query\":\"AuditLogs\\n| where ActivityDisplayName =~\u0027Add member to role request denied (PIM activation)\u0027\\n| mv-apply ResourceItem = TargetResources on \\n (\\n where ResourceItem.type =~ \\\"Role\\\"\\n | extend Role = trim(@\u0027\\\"\u0027,tostring(ResourceItem.displayName))\\n )\\n| mv-apply ResourceItem = TargetResources on \\n (\\n where ResourceItem.type =~ \\\"User\\\"\\n | extend TargetUserPrincipalName = trim(@\u0027\\\"\u0027,tostring(ResourceItem.userPrincipalName))\\n )\\n| where isnotempty(InitiatedBy.user)\\n| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n| extend InitiatingIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\\n| extend TargetName = tostring(split(TargetUserPrincipalName,\u0027@\u0027,0)[0]), TargetUPNSuffix = tostring(split(TargetUserPrincipalName,\u0027@\u0027,1)[0])\\n| extend InitiatedByName = tostring(split(InitiatingUserPrincipalName,\u0027@\u0027,0)[0]), InitiatedByUPNSuffix = tostring(split(InitiatingUserPrincipalName,\u0027@\u0027,1)[0])\\n| project-reorder TimeGenerated, TargetUserPrincipalName, Role, OperationName, Result, ResultDescription\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatedByName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatedByUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"TargetName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"TargetUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAppServicePrincipalId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIpAddress\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"PIM Elevation Request Rejected\",\"description\":\"Identifies when a user is rejected for a privileged role elevation via PIM. Monitor rejections for indicators of attacker compromise of the requesting account.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-identity-management\",\"lastUpdatedDateUTC\":\"2024-01-09T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c895c5b9-0fc6-40ce-9830-e8818862f2d5\",\"name\":\"c895c5b9-0fc6-40ce-9830-e8818862f2d5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P2D\",\"queryPeriod\":\"P2D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"// In User \u0026 Groups and in Applications, the following \\\"AccessType\\\" values in columns PremodifiedInboundSettings and ModifiedInboundSettings are interpreted accordingly\\n// When Access Type in premodified inbound settings value was 1 that means that the initial access was allowed. When Access Type in premodified inbound settings value was 2 that means that the initial access was blocked.\\n// When Access Type in modified inbound settings value is 1 that means that now access is allowed. When Access Type in modified inbound settings value is 2 that means that now access is blocked.\\nAuditLogs\\n| where OperationName has \\\"Update a partner cross-tenant access setting\\\"\\n| mv-apply TargetResource = TargetResources on\\n (\\n where TargetResource.type =~ \\\"Policy\\\"\\n | extend Properties = TargetResource.modifiedProperties\\n )\\n| mv-apply Property = Properties on\\n (\\n where Property.displayName =~ \\\"b2bCollaborationInbound\\\"\\n | extend PremodifiedInboundSettings = trim(\u0027\\\"\u0027,tostring(Property.oldValue)),\\n ModifiedInboundSettings = trim(@\u0027\\\"\u0027,tostring(Property.newValue))\\n )\\n| where PremodifiedInboundSettings != ModifiedInboundSettings\\n| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n| extend InitiatingIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\\n| extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"InitiatingAppName\"},{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAppServicePrincipalId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatingAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatingAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIpAddress\"}]}],\"tactics\":[\"InitialAccess\",\"Persistence\",\"Discovery\"],\"displayName\":\"Cross-tenant Access Settings Organization Inbound Collaboration Settings Changed\",\"description\":\"Organizations are added in the Cross-tenant Access Settings to control communication inbound or outbound for users and applications. This detection notifies when Organization Inbound Collaboration Settings are changed for \\\"Users \u0026 Groups\\\" and for \\\"Applications\\\".\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-10-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0433c8a3-9aa6-4577-beef-2ea23be41137\",\"name\":\"0433c8a3-9aa6-4577-beef-2ea23be41137\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P2D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.7\",\"severity\":\"Medium\",\"query\":\"let admin_users = (IdentityInfo\\n | where TimeGenerated \u003e ago(2d)\\n | summarize arg_max(TimeGenerated, *) by AccountUPN\\n | where AssignedRoles contains \\\"admin\\\" or GroupMembership has \\\"Admin\\\"\\n | summarize by tolower(AccountUPN));\\n AuditLogs\\n | where Category =~ \\\"RoleManagement\\\"\\n | where OperationName has \\\"Add eligible member\\\"\\n | extend TargetUserPrincipalName = tostring(TargetResources[0].userPrincipalName)\\n | where tolower(TargetUserPrincipalName) in (admin_users)\\n | extend TargetAadUserId = tostring(TargetResources[0].id)\\n | extend Group = tostring(TargetResources[0].displayName)\\n | extend RoleAddedTo = iif(isnotempty(TargetUserPrincipalName), TargetUserPrincipalName, Group)\\n | extend mod_props = TargetResources[0].modifiedProperties\\n | extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n | extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n | extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n | extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n | extend InitiatingIPAddress = tostring(InitiatedBy.user.ipAddress)\\n | extend RoleAddedBy = iif(isnotempty(InitiatingAppName), InitiatingAppName, InitiatingUserPrincipalName)\\n | mv-expand mod_props\\n | where mod_props.displayName == \\\"Role.DisplayName\\\"\\n | extend UserAgent = tostring(AdditionalDetails[0].value)\\n | extend RoleAdded = tostring(parse_json(tostring(mod_props.newValue)))\\n | extend TargetAccountName = tostring(split(TargetUserPrincipalName, \\\"@\\\")[0]), TargetAccountUPNSuffix = tostring(split(TargetUserPrincipalName, \\\"@\\\")[1])\\n | extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[1])\\n | project-reorder TimeGenerated, OperationName, TargetUserPrincipalName, RoleAddedTo, RoleAdded, RoleAddedBy, InitiatingUserPrincipalName, InitiatingAppName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"TargetAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"TargetAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"TargetAadUserId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatingAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatingAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Privileged Account Permissions Changed\",\"description\":\"Detects changes to permissions assigned to admin users. Threat actors may try and increase permission scope by adding additional roles to already privileged accounts.\\nReview any modifications to ensure they were made legitimately.\\nRef: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts\",\"lastUpdatedDateUTC\":\"2024-04-05T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"IdentityInfo\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/884c4957-70ea-4f57-80b9-1bca3890315b\",\"name\":\"884c4957-70ea-4f57-80b9-1bca3890315b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"let timeBin = 10m;\\nlet failedThreshold = 100;\\nW3CIISLog\\n| where scStatus in (\\\"401\\\",\\\"403\\\")\\n| where csUserName != \\\"-\\\"\\n// Handling Exchange specific items in IIS logs to remove the unique log identifier in the URI\\n| extend csUriQuery = iff(csUriQuery startswith \\\"MailboxId=\\\", tostring(split(csUriQuery, \\\"\u0026\\\")[0]) , csUriQuery )\\n| extend csUriQuery = iff(csUriQuery startswith \\\"X-ARR-CACHE-HIT=\\\", strcat(tostring(split(csUriQuery, \\\"\u0026\\\")[0]),tostring(split(csUriQuery, \\\"\u0026\\\")[1])) , csUriQuery )\\n| extend scStatusFull = strcat(scStatus, \\\".\\\",scSubStatus)\\n// Map common IIS codes\\n| extend scStatusFull_Friendly = case(\\nscStatusFull == \\\"401.0\\\", \\\"Access denied.\\\",\\nscStatusFull == \\\"401.1\\\", \\\"Logon failed.\\\",\\nscStatusFull == \\\"401.2\\\", \\\"Logon failed due to server configuration.\\\",\\nscStatusFull == \\\"401.3\\\", \\\"Unauthorized due to ACL on resource.\\\",\\nscStatusFull == \\\"401.4\\\", \\\"Authorization failed by filter.\\\",\\nscStatusFull == \\\"401.5\\\", \\\"Authorization failed by ISAPI/CGI application.\\\",\\nscStatusFull == \\\"403.0\\\", \\\"Forbidden.\\\",\\nscStatusFull == \\\"403.4\\\", \\\"SSL required.\\\",\\n\\\"See - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\\")\\n// Mapping to Hex so can be mapped using website in comments above\\n| extend scWin32Status_Hex = tohex(tolong(scWin32Status))\\n// Map common win32 codes\\n| extend scWin32Status_Friendly = case(\\nscWin32Status_Hex =~ \\\"775\\\", \\\"The referenced account is currently locked out and cannot be logged on to.\\\",\\nscWin32Status_Hex =~ \\\"52e\\\", \\\"Logon failure: Unknown user name or bad password.\\\",\\nscWin32Status_Hex =~ \\\"532\\\", \\\"Logon failure: The specified account password has expired.\\\",\\nscWin32Status_Hex =~ \\\"533\\\", \\\"Logon failure: Account currently disabled.\\\",\\nscWin32Status_Hex =~ \\\"2ee2\\\", \\\"The request has timed out.\\\",\\nscWin32Status_Hex =~ \\\"0\\\", \\\"The operation completed successfully.\\\",\\nscWin32Status_Hex =~ \\\"1\\\", \\\"Incorrect function.\\\",\\nscWin32Status_Hex =~ \\\"2\\\", \\\"The system cannot find the file specified.\\\",\\nscWin32Status_Hex =~ \\\"3\\\", \\\"The system cannot find the path specified.\\\",\\nscWin32Status_Hex =~ \\\"4\\\", \\\"The system cannot open the file.\\\",\\nscWin32Status_Hex =~ \\\"5\\\", \\\"Access is denied.\\\",\\nscWin32Status_Hex =~ \\\"8009030e\\\", \\\"SEC_E_NO_CREDENTIALS\\\",\\nscWin32Status_Hex =~ \\\"8009030C\\\", \\\"SEC_E_LOGON_DENIED\\\",\\n\\\"See - https://msdn.microsoft.com/library/cc231199.aspx\\\")\\n// decode URI when available\\n| extend decodedUriQuery = url_decode(csUriQuery)\\n// Count of failed logons by a user\\n| summarize makeset(decodedUriQuery), makeset(cIP), makeset(sSiteName), makeset(sPort), makeset(csUserAgent), makeset(csMethod), makeset(csUriQuery), makeset(scStatusFull), makeset(scStatusFull_Friendly), makeset(scWin32Status_Hex), makeset(scWin32Status_Friendly), FailedConnectionsCount = count() by bin(TimeGenerated, timeBin), csUserName, Computer, sIP\\n| where FailedConnectionsCount \u003e= failedThreshold\\n| project TimeGenerated, csUserName, set_decodedUriQuery, Computer, set_sSiteName, sIP, set_cIP, set_sPort, set_csUserAgent, set_csMethod, set_scStatusFull, set_scStatusFull_Friendly, set_scWin32Status_Hex, set_scWin32Status_Friendly, FailedConnectionsCount\\n| order by FailedConnectionsCount\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| extend AccountName = tostring(split(csUserName, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(csUserName, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"csUserName\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"High count of failed logons by a user\",\"description\":\"Identifies when 100 or more failed attempts by a given user in 10 minutes occur on the IIS Server.\\nThis could be indicative of attempted brute force based on known account information.\\nThis could also simply indicate a misconfigured service or device.\\nReferences:\\nIIS status code mapping - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\nWin32 Status code mapping - https://msdn.microsoft.com/library/cc231199.aspx\",\"lastUpdatedDateUTC\":\"2023-12-28T00:00:00Z\",\"createdDateUTC\":\"2019-03-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3fbc20a4-04c4-464e-8fcb-6667f53e4987\",\"name\":\"3fbc20a4-04c4-464e-8fcb-6667f53e4987\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.1\",\"severity\":\"Medium\",\"query\":\"let authenticationWindow = 20m;\\nlet sensitivity = 2.5;\\nSigninLogs\\n| where AppDisplayName =~ \\\"Windows Sign In\\\"\\n| extend FailureOrSuccess = iff(ResultType in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\", \\\"70043\\\", \\\"70044\\\"), \\\"Success\\\", \\\"Failure\\\")\\n| summarize FailureCount = countif(FailureOrSuccess==\\\"Failure\\\"), SuccessCount = countif(FailureOrSuccess==\\\"Success\\\"), IPAddresses = make_set(IPAddress,1000)\\n by bin(TimeGenerated, authenticationWindow), UserDisplayName, UserPrincipalName\\n| extend FailureSuccessDiff = FailureCount - SuccessCount\\n| where FailureSuccessDiff \u003e 0\\n| summarize Diff = make_list(FailureSuccessDiff, 10000), TimeStamp = make_list(TimeGenerated, 10000) by UserDisplayName, UserPrincipalName//, tostring(IPAddresses)\\n| extend (Anomalies, Score, Baseline) = series_decompose_anomalies(Diff, sensitivity, -1, \u0027linefit\u0027) \\n| mv-expand Diff to typeof(double), TimeStamp to typeof(datetime), Anomalies to typeof(double), Score to typeof(double), Baseline to typeof(long)\\n| where Anomalies \u003e 0\\n| summarize by UserDisplayName, UserPrincipalName, Anomalies, Score, Baseline, FailureToSuccessDiff = Diff\\n| join kind=leftouter (\\n SigninLogs\\n | where AppDisplayName =~ \\\"Windows Sign In\\\"\\n | extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\\n | extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\n | extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city)\\n | summarize StartTime = min(TimeGenerated), \\n EndTime = max(TimeGenerated), \\n IPAddresses = make_set(IPAddress,100), \\n OS = make_set(OS,20), \\n Browser = make_set(Browser,20), \\n City = make_set(City,100), \\n ResultType = make_set(ResultType,100)\\n by UserDisplayName, UserPrincipalName, UserId, AppDisplayName\\n ) on UserDisplayName, UserPrincipalName\\n| project-away UserDisplayName1, UserPrincipalName1\\n| extend IPAddressFirst = tostring(IPAddresses[0])\\n| extend Name = tostring(split(UserPrincipalName,\u0027@\u0027,0)[0]), UPNSuffix = tostring(split(UserPrincipalName,\u0027@\u0027,1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"UserId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddressFirst\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Brute force attack against a Cloud PC\",\"description\":\"Identifies evidence of brute force activity against a Windows 365 Cloud PC by highlighting multiple authentication failures and by a successful authentication within a given time window.\",\"lastUpdatedDateUTC\":\"2024-04-05T00:00:00Z\",\"createdDateUTC\":\"2021-10-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/66c81ae2-1f89-4433-be00-2fbbd9ba5ebe\",\"name\":\"66c81ae2-1f89-4433-be00-2fbbd9ba5ebe\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.2\",\"severity\":\"Medium\",\"query\":\"let IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\nlet dt_lookBack = 1h; // Look back 1 hour for CommonSecurityLog events\\nlet ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators\\n// Fetch threat intelligence indicators related to IP addresses\\nlet IP_Indicators = ThreatIntelligenceIndicator\\n | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n | where TimeGenerated \u003e= ago(ioc_lookBack)\\n | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \\\"fe80\\\" and TI_ipEntity !startswith \\\"::\\\" and TI_ipEntity !startswith \\\"127.\\\"\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n | where Active == true and ExpirationDateTime \u003e now();\\n// Perform a join between IP indicators and CommonSecurityLog events\\nIP_Indicators\\n // Use innerunique to keep performance fast and result set low, as we only need one match to indicate potential malicious activity that needs investigation\\n | join kind=innerunique (\\n CommonSecurityLog\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | extend MessageIP = extract(IPRegex, 0, Message)\\n | extend CS_ipEntity = iff(isnotempty(SourceIP), SourceIP, DestinationIP)\\n | extend CS_ipEntity = iff(isempty(CS_ipEntity) and isnotempty(MessageIP), MessageIP, CS_ipEntity)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n )\\n on $left.TI_ipEntity == $right.CS_ipEntity\\n // Filter out logs that occurred after the expiration of the corresponding indicator\\n | where CommonSecurityLog_TimeGenerated \u003c ExpirationDateTime\\n // Group the results by IndicatorId and CS_ipEntity, and keep the log entry with the latest timestamp\\n | summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, CS_ipEntity\\n // Select the desired output fields\\n | project timestamp = CommonSecurityLog_TimeGenerated, SourceIP, DestinationIP, MessageIP, Message, DeviceVendor, DeviceProduct, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, TI_ipEntity, CS_ipEntity, LogSeverity, DeviceAction, Type\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"CS_ipEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"TI Map IP Entity to CommonSecurityLog\",\"description\":\"This query maps any IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in CommonSecurityLog.\",\"lastUpdatedDateUTC\":\"2024-07-09T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7cb8f77d-c52f-4e46-b82f-3cf2e106224a\",\"name\":\"7cb8f77d-c52f-4e46-b82f-3cf2e106224a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"version\":\"2.0.4\",\"severity\":\"Medium\",\"query\":\"// Adjust this figure to adjust how sensitive this detection is\\nlet sensitivity = 2.5;\\nlet AuthEvents = materialize(\\nunion isfuzzy=True SigninLogs, AADNonInteractiveUserSignInLogs\\n| where TimeGenerated \u003e ago(7d)\\n| where ResultType == 0\\n| extend LocationDetails = LocationDetails_dynamic\\n| extend Location = strcat(LocationDetails.countryOrRegion, \\\"-\\\", LocationDetails.state,\\\"-\\\", LocationDetails.city)\\n| where Location != \\\"--\\\");\\nAuthEvents\\n| summarize dcount(Location) by AppDisplayName, AppId, UserPrincipalName, UserId, bin(startofday(TimeGenerated), 1d)\\n| where dcount_Location \u003e 2\\n| make-series CountOfLocations = sum(dcount_Location) on TimeGenerated step 1d by AppId, UserId\\n| extend (Anomalies, Score, Baseline) = series_decompose_anomalies(CountOfLocations, sensitivity, -1, \u0027linefit\u0027)\\n| mv-expand CountOfLocations to typeof(double), TimeGenerated to typeof(datetime), Anomalies to typeof(double), Score to typeof(double), Baseline to typeof(long)\\n| where Anomalies \u003e 0 and Baseline \u003e 0\\n| join kind=inner( AuthEvents | extend TimeStamp = startofday(TimeGenerated)) on UserId, AppId\\n| extend SignInDetails = bag_pack(\\\"TimeGenerated\\\", TimeGenerated1, \\\"Location\\\", Location, \\\"Source\\\", IPAddress, \\\"Device\\\", DeviceDetail_dynamic)\\n| summarize SignInDetailsSet=make_set(SignInDetails, 1000) by UserId, UserPrincipalName, CountOfLocations, TimeGenerated, AppId, AppDisplayName\\n| extend Name = split(UserPrincipalName, \\\"@\\\")[0], UPNSuffix = split(UserPrincipalName, \\\"@\\\")[1]\",\"customDetails\":{\"Application\":\"AppDisplayName\"},\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"UserId\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Anomalous sign-in location by {{UserPrincipalName}} to {{AppDisplayName}}\",\"alertDescriptionFormat\":\"This query over Microsoft Entra ID sign-in considers all user sign-ins for each Microsoft Entra ID application and picks out the most anomalous change in location profile for a user within an\\nindividual application. This has detected {{UserPrincipalName}} signing into {{AppDisplayName}} from {{CountOfLocations}} \\ndifferent locations.\\n\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"InitialAccess\"],\"displayName\":\"Anomalous sign-in location by user account and authenticating application\",\"description\":\"This query over Microsoft Entra ID sign-in considers all user sign-ins for each Microsoft Entra ID application and picks out the most anomalous change in location profile for a user within an individual application.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/44a555d8-ecee-4a25-95ce-055879b4b14b\",\"name\":\"44a555d8-ecee-4a25-95ce-055879b4b14b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"let timeBin = 10m;\\nlet portThreshold = 30;\\nW3CIISLog\\n| extend scStatusFull = strcat(scStatus, \\\".\\\",scSubStatus)\\n// Map common IIS codes\\n| extend scStatusFull_Friendly = case(\\nscStatusFull == \\\"401.0\\\", \\\"Access denied.\\\",\\nscStatusFull == \\\"401.1\\\", \\\"Logon failed.\\\",\\nscStatusFull == \\\"401.2\\\", \\\"Logon failed due to server configuration.\\\",\\nscStatusFull == \\\"401.3\\\", \\\"Unauthorized due to ACL on resource.\\\",\\nscStatusFull == \\\"401.4\\\", \\\"Authorization failed by filter.\\\",\\nscStatusFull == \\\"401.5\\\", \\\"Authorization failed by ISAPI/CGI application.\\\",\\nscStatusFull == \\\"403.0\\\", \\\"Forbidden.\\\",\\nscStatusFull == \\\"403.4\\\", \\\"SSL required.\\\",\\n\\\"See - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\\")\\n// Mapping to Hex so can be mapped using website in comments above\\n| extend scWin32Status_Hex = tohex(tolong(scWin32Status))\\n// Map common win32 codes\\n| extend scWin32Status_Friendly = case(\\nscWin32Status_Hex =~ \\\"775\\\", \\\"The referenced account is currently locked out and cannot be logged on to.\\\",\\nscWin32Status_Hex =~ \\\"52e\\\", \\\"Logon failure: Unknown user name or bad password.\\\",\\nscWin32Status_Hex =~ \\\"532\\\", \\\"Logon failure: The specified account password has expired.\\\",\\nscWin32Status_Hex =~ \\\"533\\\", \\\"Logon failure: Account currently disabled.\\\",\\nscWin32Status_Hex =~ \\\"2ee2\\\", \\\"The request has timed out.\\\",\\nscWin32Status_Hex =~ \\\"0\\\", \\\"The operation completed successfully.\\\",\\nscWin32Status_Hex =~ \\\"1\\\", \\\"Incorrect function.\\\",\\nscWin32Status_Hex =~ \\\"2\\\", \\\"The system cannot find the file specified.\\\",\\nscWin32Status_Hex =~ \\\"3\\\", \\\"The system cannot find the path specified.\\\",\\nscWin32Status_Hex =~ \\\"4\\\", \\\"The system cannot open the file.\\\",\\nscWin32Status_Hex =~ \\\"5\\\", \\\"Access is denied.\\\",\\nscWin32Status_Hex =~ \\\"8009030e\\\", \\\"SEC_E_NO_CREDENTIALS\\\",\\nscWin32Status_Hex =~ \\\"8009030C\\\", \\\"SEC_E_LOGON_DENIED\\\",\\n\\\"See - https://msdn.microsoft.com/library/cc231199.aspx\\\")\\n// decode URI when available\\n| extend decodedUriQuery = url_decode(csUriQuery)\\n// Count of attempts by client IP on many ports\\n| summarize makeset(sPort), makeset(decodedUriQuery), makeset(csUserName), makeset(sSiteName), makeset(sPort), makeset(csUserAgent), makeset(csMethod), makeset(csUriQuery), makeset(scStatusFull), makeset(scStatusFull_Friendly), makeset(scWin32Status_Hex), makeset(scWin32Status_Friendly), ConnectionsCount = count() by bin(TimeGenerated, timeBin), cIP, Computer, sIP\\n| extend portCount = arraylength(set_sPort)\\n| where portCount \u003e= portThreshold\\n| project TimeGenerated, cIP, set_sPort, set_csUserName, set_decodedUriQuery, Computer, set_sSiteName, sIP, set_csUserAgent, set_csMethod, set_scStatusFull, set_scStatusFull_Friendly, set_scWin32Status_Hex, set_scWin32Status_Friendly, ConnectionsCount, portCount\\n| order by portCount\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"cIP\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"High count of connections by client IP on many ports\",\"description\":\"Identifies when 30 or more ports are used for a given client IP in 10 minutes occurring on the IIS server.\\nThis could be indicative of attempted port scanning or exploit attempt at internet facing web applications.\\nThis could also simply indicate a misconfigured service or device.\\nReferences:\\nIIS status code mapping - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\nWin32 Status code mapping - https://msdn.microsoft.com/library/cc231199.aspx\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2019-03-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/14f6da04-2f96-44ee-9210-9ccc1be6401e\",\"name\":\"14f6da04-2f96-44ee-9210-9ccc1be6401e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.2\",\"severity\":\"Low\",\"query\":\"AuditLogs\\n| where Category =~ \\\"RoleManagement\\\"\\n| where OperationName has \\\"Add member to role outside of PIM\\\"\\n or (LoggedByService =~ \\\"Core Directory\\\" and OperationName =~ \\\"Add member to role\\\" and Identity != \\\"MS-PIM\\\")\\n| mv-apply TargetResource = TargetResources on \\n (\\n where TargetResource.type =~ \\\"User\\\"\\n | extend TargetUserPrincipalName = tostring(TargetResource.userPrincipalName)\\n )\\n| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n| extend InitiatingIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\\n| extend TargetName = tostring(split(TargetUserPrincipalName,\u0027@\u0027,0)[0]), TargetUPNSuffix = tostring(split(TargetUserPrincipalName,\u0027@\u0027,1)[0])\\n| extend InitiatedByName = tostring(split(InitiatingUserPrincipalName,\u0027@\u0027,0)[0]), InitiatedByUPNSuffix = tostring(split(InitiatingUserPrincipalName,\u0027@\u0027,1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"TargetName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"TargetUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatedByName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatedByUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAppServicePrincipalId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIpAddress\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"NRT Privileged Role Assigned Outside PIM\",\"description\":\"Identifies a privileged role being assigned to a user outside of PIM\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1\",\"lastUpdatedDateUTC\":\"2024-01-09T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c9b6d281-b96b-4763-b728-9a04b9fe1246\",\"name\":\"c9b6d281-b96b-4763-b728-9a04b9fe1246\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let lbtime = 10m;\\nCisco_Umbrella\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027proxylogs\u0027\\n| where DvcAction =~ \u0027Allowed\u0027\\n| where UrlCategory has_any (\u0027Dynamic and Residential\u0027, \u0027Personal VPN\u0027)\\n| project TimeGenerated, SrcIpAddr, Identities\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Identities\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]}],\"tactics\":[\"CommandAndControl\",\"Exfiltration\"],\"displayName\":\"Cisco Umbrella - Connection to non-corporate private network\",\"description\":\"IP addresses of broadband links that usually indicates users attempting to access their home network, for example for a remote session to a home computer.\",\"lastUpdatedDateUTC\":\"2023-12-29T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d7feb859-f03e-4e8d-8b21-617be0213b13\",\"name\":\"d7feb859-f03e-4e8d-8b21-617be0213b13\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"High\",\"query\":\"let admin_users = (IdentityInfo\\n | summarize arg_max(TimeGenerated, *) by AccountUPN\\n | where AssignedRoles contains \\\"admin\\\"\\n | summarize by tolower(AccountUPN));\\n AuditLogs\\n | where OperationName =~ \\\"Admin registered security info\\\"\\n | where ResultReason =~ \\\"Admin registered temporary access pass method for user\\\"\\n | extend TargetUserPrincipalName = tostring(TargetResources[0].userPrincipalName)\\n | where tolower(TargetUserPrincipalName) in (admin_users)\\n | extend TargetAadUserId = tostring(TargetResources[0].id)\\n | extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n | extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n | extend InitiatingIPAddress = tostring(InitiatedBy.user.ipAddress)\\n | extend TargetAccountName = tostring(split(TargetUserPrincipalName, \\\"@\\\")[0]), TargetAccountUPNSuffix = tostring(split(TargetUserPrincipalName, \\\"@\\\")[1])\\n | extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"TargetAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"TargetAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatingAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatingAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"TargetAadUserId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIPAddress\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Addition of a Temporary Access Pass to a Privileged Account\",\"description\":\"Detects when a Temporary Access Pass (TAP) is created for a Privileged Account.\\n A Temporary Access Pass is a time-limited passcode issued by an admin that satisfies strong authentication requirements and can be used to onboard other authentication methods, including Passwordless ones such as Microsoft Authenticator or even Windows Hello.\\n A threat actor could use a TAP to register a new authentication method to maintain persistance to an account.\\n Review any TAP creations to ensure they were used legitimately.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"IdentityInfo\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5b6ae038-f66e-4f74-9315-df52fd492be4\",\"name\":\"5b6ae038-f66e-4f74-9315-df52fd492be4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.6\",\"severity\":\"Low\",\"query\":\"imProcess\\n| where CommandLine has_all (\\\"accepteula\\\", \\\"-s\\\", \\\"-r\\\", \\\"-q\\\")\\n| where Process !endswith \\\"sdelete.exe\\\"\\n| where CommandLine !has \\\"sdelete\\\"\\n| extend AccountName = tostring(split(ActorUsername, @\u0027\\\\\u0027)[1]), AccountNTDomain = tostring(split(ActorUsername, @\u0027\\\\\u0027)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ActorUsername\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Dvc\"},{\"identifier\":\"HostName\",\"columnName\":\"DvcHostname\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DvcDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DvcIpAddr\"}]}],\"tactics\":[\"DefenseEvasion\",\"Impact\"],\"displayName\":\"Potential re-named sdelete usage (ASIM Version)\",\"description\":\"This detection looks for command line parameters associated with the use of Sysinternals sdelete (https://docs.microsoft.com/sysinternals/downloads/sdelete) to delete multiple files on a host\u0027s C drive.\\nA threat actor may re-name the tool to avoid detection and then use it for destructive attacks on a host.\\nThis detection uses the ASIM imProcess parser, this will need to be deployed before use - https://docs.microsoft.com/azure/sentinel/normalization\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2022-02-25T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9fb2ee72-959f-4c2b-bc38-483affc539e4\",\"name\":\"9fb2ee72-959f-4c2b-bc38-483affc539e4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n | where Category == \\\"ApplicationManagement\\\"\\n | where OperationName has_any (\\\"Update Application\\\", \\\"Update Service principal\\\")\\n | where TargetResources has \\\"AppIdentifierUri\\\"\\n | extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n | extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n | extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n | extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n | extend InitiatingIPAddress = tostring(InitiatedBy.user.ipAddress)\\n | extend mod_props = TargetResources[0].modifiedProperties\\n | extend TargetAppName = tostring(TargetResources[0].displayName)\\n | mv-expand mod_props\\n | where mod_props.displayName has \\\"AppIdentifierUri\\\"\\n | extend OldURI = tostring(mod_props.oldValue)\\n | extend NewURI = tostring(mod_props.newValue)\\n | extend UpdatedBy = iif(isnotempty(InitiatingAppName), InitiatingAppName, InitiatingUserPrincipalName)\\n | extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[1])\\n | project-reorder TimeGenerated, InitiatingAppName, InitiatingAppServicePrincipalId, InitiatingAadUserId, InitiatingUserPrincipalName, InitiatingIPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatingAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatingAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"OldURI\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"NewURI\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIPAddress\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Application ID URI Changed\",\"description\":\"Detects changes to an Application ID URI.\\n Monitor these changes to make sure that they were authorized.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-applications#appid-uri-added-modified-or-removed\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2c701f94-783c-4cd4-bc9b-3b3334976090\",\"name\":\"2c701f94-783c-4cd4-bc9b-3b3334976090\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Medium\",\"query\":\"let suspiciousCmdLineKeywords = dynamic([\\\"http://\\\", \\\"https://\\\"]);\\n// Identify exchange servers based on known paths\\n// Summarize these to get a list of exchange server hostnames\\nlet exchangeServers = W3CIISLog\\n| where csUriStem has_any(\\\"/owa/\\\",\\\"/ews/\\\",\\\"/ecp/\\\",\\\"/autodiscover/\\\")\\n// Only where successful, rule out failed scanning\\n| where scStatus startswith \\\"2\\\"\\n| summarize by Computer;\\nDeviceProcessEvents\\n| where DeviceName in~ (exchangeServers)\\n// Where the IIS worker process initiated CMD or PowerShell\\n| where InitiatingProcessParentFileName == \\\"w3wp.exe\\\"\\n| where InitiatingProcessFileName has_any(\\\"cmd.exe\\\", \\\"powershell.exe\\\")\\n// Where CMD or PowerShell command line included parameters associated with CVE-2022-41040/CVE-2022-41082 exploitation\\n| where ProcessCommandLine has_any(suspiciousCmdLineKeywords)\\n| project TimeGenerated, DeviceId, DeviceName, InitiatingProcessFileName, ProcessCommandLine, AccountDomain = InitiatingProcessAccountDomain, AccountName = InitiatingProcessAccountName\\n| extend Account = strcat(AccountDomain, \\\"\\\\\\\\\\\", AccountName)\\n| extend HostName = tostring(split(DeviceName, \\\".\\\")[0]), DomainIndex = toint(indexof(DeviceName, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(DeviceName, DomainIndex + 1), DeviceName)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DeviceName\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"Exchange Worker Process Making Remote Call\",\"description\":\"This query dynamically identifies Exchange servers and then looks for instances where the IIS worker process initiates a call out to a remote URL using either cmd.exe or powershell.exe.\\nThis behaviour was described as post-compromise behaviour following exploitation of CVE-2022-41040 and CVE-2022-41082, this pattern of activity was use to download additional tools to the server. This suspicious activity is generic.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-09-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1f40ed57-f54b-462f-906a-ac3a89cc90d4\",\"name\":\"1f40ed57-f54b-462f-906a-ac3a89cc90d4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"// Materialize a table named \\\"Azure_Bruforce\\\" containing Azure Portal sign-in logs within the last 1 day\\nlet Azure_Bruforce = materialize (\\n SigninLogs\\n// Filter sign-in logs related to the Azure Portal\\n | where AppDisplayName == \\\"Azure Portal\\\"\\n// Exclude entries with empty OriginalRequestId\\n | where isnotempty(OriginalRequestId)\\n// Summarize various counts and sets based on brute force criteria\\n | summarize \\n AzureSuccessfulEvent = countif(ResultType == 0), \\n AzureFailedEvent = countif(ResultType != 0), \\n totalAzureLoginEventId = dcount(OriginalRequestId), \\n AzureFailedEventsCount = dcountif(OriginalRequestId, ResultType != 0), \\n AzureSuccessfuleventsCount = dcountif(OriginalRequestId, ResultType == 0),\\n AzureSetOfFailedevents = makeset(iff(ResultType != 0, OriginalRequestId, \\\"\\\"), 5), \\n AzureSetOfSuccessfulEvents = makeset(iff(ResultType == 0, OriginalRequestId, \\\"\\\"), 5) \\n by \\n IPAddress, \\n UserPrincipalName, \\n bin(TimeGenerated, 1min), \\n UserAgent,\\n ConditionalAccessStatus,\\n OperationName,\\n RiskDetail,\\n AuthenticationRequirement,\\n ClientAppUsed\\n// Extracting the name and UPN suffix from UserPrincipalName\\n | extend\\n Name = tostring(split(UserPrincipalName, \u0027@\u0027)[0]),\\n UPNSuffix = tostring(split(UserPrincipalName, \u0027@\u0027)[1]));\\n// Materialize a table named \\\"AWS_Bruforce\\\" containing AWS CloudTrail events related to ConsoleLogins within the last 1 day\\nlet AWS_Bruforce = materialize (\\n AWSCloudTrail \\n// Filter CloudTrail events related to ConsoleLogin\\n | where EventName == \\\"ConsoleLogin\\\" \\n// Extract ActionType from ResponseElements JSON\\n | extend ActionType = tostring(parse_json(ResponseElements).ConsoleLogin) \\n// Summarize various counts and sets based on brute force criteria \\n | summarize \\n AWSSuccessful=countif(ActionType == \\\"Success\\\"), \\n AWSFailed = countif(ActionType == \\\"Failure\\\"), \\n totalAwsEventId= dcount(AwsEventId), \\n AWSFailedEventsCount = dcountif(AwsEventId, ActionType == \\\"Failure\\\"), \\n AWSSuccessfuleventsCount = dcountif(AwsEventId, ActionType == \\\"Success\\\"), \\n AWSFailedevents = makeset(iff(ActionType == \\\"Failure\\\", AwsEventId, \\\"\\\"), 5), \\n AWSSuccessfulEvents = makeset(iff(ActionType == \\\"Success\\\", AwsEventId, \\\"\\\"), 5) \\n// Grouping by various attributes\\n by \\n SourceIpAddress, \\n UserIdentityUserName,\\n bin(TimeGenerated, 1min), \\n UserAgent );\\n// Joining the Azure_Bruforce and AWS_Bruforce tables on matching IP addresses and UserAgents\\nAzure_Bruforce\\n| join kind=inner AWS_Bruforce on $left.IPAddress == $right.SourceIpAddress and $left.UserAgent == $right.UserAgent\\n// Filtering based on conditions for failed and successful events\\n| where (AWSFailedEventsCount \u003e= 4 and AzureFailedEventsCount \u003e= 5) and ((AzureSuccessfuleventsCount \u003e= 1 and AzureFailedEvent \u003e AzureSuccessfulEvent) or (AWSSuccessfuleventsCount \u003e= 1 and AWSFailedEventsCount \u003e AWSSuccessfuleventsCount))\",\"customDetails\":{\"AwsUser\":\"UserIdentityUserName\",\"UserAgent\":\"UserAgent\",\"AzureUser\":\"UserPrincipalName\",\"AzureClientAppUsed\":\"ClientAppUsed\"},\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIpAddress\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Cross-Cloud Password Spray detection\",\"description\":\"This detection focuses on identifying potential cross-cloud brute force / Password Spray attempts involving Azure and AWS platforms. It monitors sign-in activities within the Azure Portal and AWS ConsoleLogins where brute force attempts are successful on both platforms in a synchronized manner.\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2023-08-18T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"IdentityInfo\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a83ef0f4-dace-4767-bce3-ebd32599d2a0\",\"name\":\"a83ef0f4-dace-4767-bce3-ebd32599d2a0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Low\",\"query\":\"DnsEvents\\n| where Name contains \\\".\\\"\\n| where Name has_any (\\\"tor2web.org\\\", \\\"tor2web.com\\\", \\\"torlink.co\\\", \\\"onion.to\\\", \\\"onion.ink\\\", \\\"onion.cab\\\", \\\"onion.nu\\\", \\\"onion.link\\\",\\n\\\"onion.it\\\", \\\"onion.city\\\", \\\"onion.direct\\\", \\\"onion.top\\\", \\\"onion.casa\\\", \\\"onion.plus\\\", \\\"onion.rip\\\", \\\"onion.dog\\\", \\\"tor2web.fi\\\",\\n\\\"tor2web.blutmagie.de\\\", \\\"onion.sh\\\", \\\"onion.lu\\\", \\\"onion.pet\\\", \\\"t2w.pw\\\", \\\"tor2web.ae.org\\\", \\\"tor2web.io\\\", \\\"tor2web.xyz\\\", \\\"onion.lt\\\",\\n\\\"s1.tor-gateways.de\\\", \\\"s2.tor-gateways.de\\\", \\\"s3.tor-gateways.de\\\", \\\"s4.tor-gateways.de\\\", \\\"s5.tor-gateways.de\\\", \\\"hiddenservice.net\\\")\\n| extend HostName = iff(Computer has \u0027.\u0027, substring(Computer,0,indexof(Computer,\u0027.\u0027)),Computer)\\n| extend DnsDomain = iff(Computer has \u0027.\u0027, substring(Computer,indexof(Computer,\u0027.\u0027)+1),\\\"\\\")\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"DNS events related to ToR proxies\",\"description\":\"Identifies IP addresses performing DNS lookups associated with common ToR proxies.\",\"lastUpdatedDateUTC\":\"2024-03-13T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d6bf1931-b1eb-448d-90b2-de118559c7ce\",\"name\":\"d6bf1931-b1eb-448d-90b2-de118559c7ce\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let lbtime = 10m;\\nCisco_Umbrella\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027proxylogs\u0027\\n| where DvcAction =~ \u0027Allowed\u0027\\n| where UrlCategory contains \u0027Adult Themes\u0027 or\\n UrlCategory contains \u0027Adware\u0027 or\\n UrlCategory contains \u0027Alcohol\u0027 or\\n UrlCategory contains \u0027Illegal Downloads\u0027 or\\n UrlCategory contains \u0027Drugs\u0027 or\\n UrlCategory contains \u0027Child Abuse Content\u0027 or\\n UrlCategory contains \u0027Hate/Discrimination\u0027 or\\n UrlCategory contains \u0027Nudity\u0027 or\\n UrlCategory contains \u0027Pornography\u0027 or\\n UrlCategory contains \u0027Proxy/Anonymizer\u0027 or\\n UrlCategory contains \u0027Sexuality\u0027 or\\n UrlCategory contains \u0027Tasteless\u0027 or\\n UrlCategory contains \u0027Terrorism\u0027 or\\n UrlCategory contains \u0027Web Spam\u0027 or\\n UrlCategory contains \u0027German Youth Protection\u0027 or\\n UrlCategory contains \u0027Illegal Activities\u0027 or\\n UrlCategory contains \u0027Lingerie/Bikini\u0027 or\\n UrlCategory contains \u0027Weapons\u0027\\n| project TimeGenerated, SrcIpAddr, Identities\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Identities\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]}],\"tactics\":[\"CommandAndControl\",\"InitialAccess\"],\"displayName\":\"Cisco Umbrella - Request Allowed to harmful/malicious URI category\",\"description\":\"It is reccomended that these Categories shoud be blocked by policies because they provide harmful/malicious content..\",\"lastUpdatedDateUTC\":\"2023-12-29T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/35a0792a-1269-431e-ac93-7ae2980d4dde\",\"name\":\"35a0792a-1269-431e-ac93-7ae2980d4dde\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| where Active == true\\n| where isnotempty(EmailSenderAddress)\\n| extend TI_emailEntity = EmailSenderAddress\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n ProofpointPOD\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(SrcUserUpn)\\n | extend ProofpointPOD_TimeGenerated = TimeGenerated, ClientEmail = SrcUserUpn\\n)\\non $left.TI_emailEntity == $right.ClientEmail\\n| where ProofpointPOD_TimeGenerated \u003c ExpirationDateTime\\n| summarize ProofpointPOD_TimeGenerated = arg_max(ProofpointPOD_TimeGenerated, *) by IndicatorId, ClientEmail\\n| project ProofpointPOD_TimeGenerated, Description, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, ClientEmail\\n| extend timestamp = ProofpointPOD_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ClientEmail\"}]}],\"tactics\":[\"Exfiltration\",\"InitialAccess\"],\"displayName\":\"ProofpointPOD - Email sender in TI list\",\"description\":\"Email sender in TI list.\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_maillog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6e715730-82c0-496c-983b-7a20c4590bd9\",\"name\":\"6e715730-82c0-496c-983b-7a20c4590bd9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let accountLookback = 3d;\\nlet requestLookback = 3d;\\nlet extraction_regex = @\\\"(?:\\\\?|\u0026)[a-zA-Z0-9\\\\%]*=([a-zA-Z0-9\\\\/\\\\+\\\\=]*)\\\";\\n// Collect account names and base64 encode them\\nDeviceEvents\\n| where TimeGenerated \u003e ago(accountLookback)\\n| summarize make_set(DeviceId), make_set(DeviceName) by InitiatingProcessAccountName\\n| where isnotempty(InitiatingProcessAccountName)\\n| extend base64_user = base64_encode_tostring(InitiatingProcessAccountName)\\n| join (\\n // Collect requests and extract base64 parameters\\n CommonSecurityLog\\n | where TimeGenerated \u003e ago(requestLookback)\\n | where isnotempty(RequestURL)\\n // Summarize early on the RequestURL\\n | summarize FirstRequest=min(TimeGenerated), LastRequest=max(TimeGenerated), NumberOfRequests=count() by RequestURL\\n | extend base64_candidate = extract_all(extraction_regex, RequestURL)\\n | mv-expand base64_candidate to typeof(string)\\n) on $left.base64_user == $right.base64_candidate\\n| project FirstRequest, LastRequest, NumberOfRequests, RequestURL, DeviceIds=set_DeviceId, DeviceNames=set_DeviceName, UserName=InitiatingProcessAccountName\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"DeviceNames\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"RequestURL\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"UserName\"}]}],\"tactics\":[\"Exfiltration\",\"CommandAndControl\"],\"displayName\":\"Windows host username encoded in base64 web request\",\"description\":\"This detection will identify network requests in HTTP proxy data that contains Base64 encoded usernames from machines in the DeviceEvents table.\\nThis technique was seen usee by POLONIUM in their RunningRAT tool.\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2022-05-31T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/871ba14c-88ef-48aa-ad38-810f26760ca3\",\"name\":\"871ba14c-88ef-48aa-ad38-810f26760ca3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.3\",\"severity\":\"Medium\",\"query\":\"let queryfrequency = 1d;\\nlet queryperiod = 7d;\\nOfficeActivity\\n| where TimeGenerated \u003e ago(queryperiod)\\n| where OfficeWorkload =~ \\\"Exchange\\\"\\n//| where Operation in (\\\"Set-Mailbox\\\", \\\"New-InboxRule\\\", \\\"Set-InboxRule\\\")\\n| where Parameters has_any (\\\"ForwardTo\\\", \\\"RedirectTo\\\", \\\"ForwardingSmtpAddress\\\")\\n| mv-apply DynamicParameters = todynamic(Parameters) on (summarize ParsedParameters = make_bag(bag_pack(tostring(DynamicParameters.Name), DynamicParameters.Value)))\\n| evaluate bag_unpack(ParsedParameters, columnsConflict=\u0027replace_source\u0027)\\n| extend DestinationMailAddress = tolower(case(\\n isnotempty(column_ifexists(\\\"ForwardTo\\\", \\\"\\\")), column_ifexists(\\\"ForwardTo\\\", \\\"\\\"),\\n isnotempty(column_ifexists(\\\"RedirectTo\\\", \\\"\\\")), column_ifexists(\\\"RedirectTo\\\", \\\"\\\"),\\n isnotempty(column_ifexists(\\\"ForwardingSmtpAddress\\\", \\\"\\\")), trim_start(@\\\"smtp:\\\", column_ifexists(\\\"ForwardingSmtpAddress\\\", \\\"\\\")),\\n \\\"\\\"))\\n| where isnotempty(DestinationMailAddress)\\n| mv-expand split(DestinationMailAddress, \\\";\\\")\\n| extend ClientIPValues = extract_all(@\u0027\\\\[?(::ffff:)?(?P\u003cIPAddress\u003e(\\\\d+\\\\.\\\\d+\\\\.\\\\d+\\\\.\\\\d+)|[^\\\\]]+)\\\\]?([-:](?P\u003cPort\u003e\\\\d+))?\u0027, dynamic([\\\"IPAddress\\\", \\\"Port\\\"]), ClientIP)[0]\\n| extend ClientIP = tostring(ClientIPValues[0]), Port = tostring(ClientIPValues[1])\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), DistinctUserCount = dcount(UserId), UserId = make_set(UserId, 250), Ports = make_set(Port, 250), EventCount = count() by tostring(DestinationMailAddress), ClientIP\\n| where DistinctUserCount \u003e 1 and EndTime \u003e ago(queryfrequency)\\n| mv-expand UserId to typeof(string)\\n| extend AccountName = tostring(split(UserId, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(UserId, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserId\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]}],\"tactics\":[\"Collection\",\"Exfiltration\"],\"displayName\":\"Multiple users email forwarded to same destination\",\"description\":\"Identifies when multiple (more than one) users mailboxes are configured to forward to the same destination. \\nThis could be an attacker-controlled destination mailbox configured to collect mail from multiple compromised user accounts.\",\"lastUpdatedDateUTC\":\"2024-03-14T00:00:00Z\",\"createdDateUTC\":\"2019-08-23T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity (Exchange)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2cd8b3d5-c9e0-4be3-80f7-0469d511c3f6\",\"name\":\"2cd8b3d5-c9e0-4be3-80f7-0469d511c3f6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"BehaviorAnalytics\\n// User modification is expected from this account so focus on logons\\n| where ActivityType =~ \\\"LogOn\\\"\\n| where UserName startswith \\\"Sync_\\\" and UsersInsights.AccountDisplayName =~ \\\"On-Premises Directory Synchronization Service Account\\\"\\n// Filter out this expected activity\\n| where ActivityInsights.App !~ \\\"Microsoft Azure Active Directory Connect\\\"\\n| where InvestigationPriority \u003e 0\\n| extend Name = split(UserPrincipalName, \\\"@\\\")[0], UPNSuffix = split(UserPrincipalName, \\\"@\\\")[1]\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIPAddress\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"DestinationDevice\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Suspicious Sign In by AAD Connect Sync Account {{UserPrincipalName}} from {{SourceIPAddress}}\",\"alertDescriptionFormat\":\"This query looks for sign ins by the Azure AD Connect Sync account to Azure where properties about the logon are anomalous.\\nThis query uses Microsoft Sentinel\u0027s UEBA features to detect these suspicious properties.\\nA threat actor may attempt to steal the Sync account credentials and use them to access Azure resources. This alert should be \\nreviewed to ensure that the log in came was from a legitimate source.\\nIn this case {{UserPrincipalName}} logged in from {{SourceIPAddress}}.\\n\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"InitialAccess\"],\"displayName\":\"Suspicious Sign In by Entra ID Connect Sync Account\",\"description\":\"This query looks for sign ins by the Microsoft Entra ID Connect Sync account to Azure where properties about the logon are anomalous.\\nThis query uses Microsoft Sentinel\u0027s UEBA features to detect these suspicious properties.\\nA threat actor may attempt to steal the Sync account credentials and use them to access Azure resources. This alert should be \\nreviewed to ensure that the log in came was from a legitimate source.\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2023-03-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"BehaviorAnalytics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/106813db-679e-4382-a51b-1bfc463befc3\",\"name\":\"106813db-679e-4382-a51b-1bfc463befc3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.5\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(Url)\\n| where TimeGenerated \u003e= ago(ioc_lookBack)\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true and ExpirationDateTime \u003e now()\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n CommonSecurityLog\\n | extend IngestionTime = ingestion_time()\\n | where IngestionTime \u003e ago(dt_lookBack)\\n // Select on Palo Alto logs\\n | where DeviceVendor =~ \\\"Palo Alto Networks\\\"\\n | where DeviceEventClassID =~ \u0027url\u0027\\n //Uncomment the line below to only alert on allowed connections\\n //| where DeviceAction !~ \\\"block-url\\\"\\n //Select logs where URL data is populated\\n | extend PA_Url = column_ifexists(\\\"RequestURL\\\", \\\"None\\\")\\n | extend PA_Url = iif(isempty(PA_Url), extract(\\\"([^\\\\\\\"]+)\\\", 1, tolower(AdditionalExtensions)), trim(\u0027\\\"\u0027, PA_Url))\\n | extend PA_Url = iif(PA_Url !startswith \\\"http://\\\" and ApplicationProtocol !~ \\\"ssl\\\", strcat(\u0027http://\u0027, PA_Url), iif(PA_Url !startswith \\\"https://\\\" and ApplicationProtocol =~ \\\"ssl\\\", strcat(\u0027https://\u0027, PA_Url), PA_Url))\\n | where isnotempty(PA_Url)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n) on $left.Url == $right.PA_Url\\n| where CommonSecurityLog_TimeGenerated \u003c ExpirationDateTime\\n| summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, PA_Url\\n| project timestamp = CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DeviceAction, SourceIP, PA_Url, DeviceName\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"DeviceName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"PA_Url\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"TI Map URL Entity to PaloAlto Data\",\"description\":\"This query identifies any URL indicators of compromise (IOCs) from threat intelligence (TI) by searching for matches in PaloAlto Data.\",\"lastUpdatedDateUTC\":\"2024-07-09T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0d76e9cf-788d-4a69-ac7d-f234826b5bed\",\"name\":\"0d76e9cf-788d-4a69-ac7d-f234826b5bed\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Low\",\"query\":\"DnsEvents\\n| where Name contains \\\".\\\"\\n| where Name has_any (\\\"monerohash.com\\\", \\\"do-dear.com\\\", \\\"xmrminerpro.com\\\", \\\"secumine.net\\\", \\\"xmrpool.com\\\", \\\"minexmr.org\\\", \\\"hashanywhere.com\\\",\\n\\\"xmrget.com\\\", \\\"mininglottery.eu\\\", \\\"minergate.com\\\", \\\"moriaxmr.com\\\", \\\"multipooler.com\\\", \\\"moneropools.com\\\", \\\"xmrpool.eu\\\", \\\"coolmining.club\\\",\\n\\\"supportxmr.com\\\", \\\"minexmr.com\\\", \\\"hashvault.pro\\\", \\\"xmrpool.net\\\", \\\"crypto-pool.fr\\\", \\\"xmr.pt\\\", \\\"miner.rocks\\\", \\\"walpool.com\\\", \\\"herominers.com\\\",\\n\\\"gntl.co.uk\\\", \\\"semipool.com\\\", \\\"coinfoundry.org\\\", \\\"cryptoknight.cc\\\", \\\"fairhash.org\\\", \\\"baikalmine.com\\\", \\\"tubepool.xyz\\\", \\\"fairpool.xyz\\\", \\\"asiapool.io\\\",\\n\\\"coinpoolit.webhop.me\\\", \\\"nanopool.org\\\", \\\"moneropool.com\\\", \\\"miner.center\\\", \\\"prohash.net\\\", \\\"poolto.be\\\", \\\"cryptoescrow.eu\\\", \\\"monerominers.net\\\", \\\"cryptonotepool.org\\\",\\n\\\"extrmepool.org\\\", \\\"webcoin.me\\\", \\\"kippo.eu\\\", \\\"hashinvest.ws\\\", \\\"monero.farm\\\", \\\"supportxmr.com\\\", \\\"xmrpool.eu\\\", \\\"linux-repository-updates.com\\\", \\\"1gh.com\\\",\\n\\\"dwarfpool.com\\\", \\\"hash-to-coins.com\\\", \\\"hashvault.pro\\\", \\\"pool-proxy.com\\\", \\\"hashfor.cash\\\", \\\"fairpool.cloud\\\", \\\"litecoinpool.org\\\", \\\"mineshaft.ml\\\", \\\"abcxyz.stream\\\",\\n\\\"moneropool.ru\\\", \\\"cryptonotepool.org.uk\\\", \\\"extremepool.org\\\", \\\"extremehash.com\\\", \\\"hashinvest.net\\\", \\\"unipool.pro\\\", \\\"crypto-pools.org\\\", \\\"monero.net\\\",\\n\\\"backup-pool.com\\\", \\\"mooo.com\\\", \\\"freeyy.me\\\", \\\"cryptonight.net\\\", \\\"shscrypto.net\\\")\\n| extend HostName = iff(Computer has \u0027.\u0027, substring(Computer,0,indexof(Computer,\u0027.\u0027)),Computer)\\n| extend DnsDomain = iff(Computer has \u0027.\u0027, substring(Computer,indexof(Computer,\u0027.\u0027)+1),\\\"\\\")\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"DNS events related to mining pools\",\"description\":\"Identifies IP addresses that may be performing DNS lookups associated with common currency mining pools.\",\"lastUpdatedDateUTC\":\"2024-03-13T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/30fa312c-31eb-43d8-b0cc-bcbdfb360822\",\"name\":\"30fa312c-31eb-43d8-b0cc-bcbdfb360822\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.7\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @\u0027^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$\u0027;\\nlet Signins = materialize(union isfuzzy=true\\n( SigninLogs | where TimeGenerated \u003e= ago(dt_lookBack)),\\n( AADNonInteractiveUserSignInLogs | where TimeGenerated \u003e= ago(dt_lookBack)\\n | extend Status = todynamic(Status), LocationDetails = todynamic(LocationDetails))\\n| where isnotempty(UserPrincipalName) and UserPrincipalName matches regex emailregex\\n| extend UserPrincipalName = tolower(UserPrincipalName)\\n| extend Status = todynamic(Status), LocationDetails = todynamic(LocationDetails)\\n| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\n| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion)\\n| extend SigninLogs_TimeGenerated = TimeGenerated);\\nlet SigninUPNs = Signins | distinct UserPrincipalName | summarize make_list(UserPrincipalName);\\nThreatIntelligenceIndicator\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n| where TimeGenerated \u003e= ago(ioc_lookBack)\\n| where EmailSenderAddress in (SigninUPNs)\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true and ExpirationDateTime \u003e now()\\n| where Description !contains_cs \\\"State: inactive;\\\" and Description !contains_cs \\\"State: falsepos;\\\"\\n| join kind=innerunique (Signins) on $left.EmailSenderAddress == $right.UserPrincipalName\\n| where SigninLogs_TimeGenerated \u003c ExpirationDateTime\\n| summarize SigninLogs_TimeGenerated = arg_max(SigninLogs_TimeGenerated, *) by IndicatorId, UserPrincipalName\\n| project SigninLogs_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, EmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, IPAddress, UserPrincipalName, AppDisplayName, StatusCode, StatusDetails, NetworkIP, NetworkDestinationIP, NetworkSourceIP, Type\\n| extend Name = tostring(split(UserPrincipalName, \u0027@\u0027, 0)[0]), UPNSuffix = tostring(split(UserPrincipalName, \u0027@\u0027, 1)[0])\\n| extend timestamp = SigninLogs_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"TI map Email entity to SigninLogs\",\"description\":\"Identifies a match in SigninLogs table from any Email IOC from TI\",\"lastUpdatedDateUTC\":\"2024-07-10T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3cc5ccd8-b416-4141-bb2d-4eba370e37a5\",\"name\":\"3cc5ccd8-b416-4141-bb2d-4eba370e37a5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.5\",\"severity\":\"Medium\",\"query\":\"let OMIVulnerabilityPatchVersion = \\\"OMIVulnerabilityPatchVersion:1.13.40-0\\\";\\nHeartbeat\\n| where Category == \\\"Direct Agent\\\"\\n| summarize arg_max(TimeGenerated,*) by Computer\\n| parse strcat(\\\"Version:\\\" , Version) with * \\\"Version:\\\" Major:long \\\".\\\"\\nMinor:long \\\".\\\" Patch:long \\\"-\\\" *\\n| parse OMIVulnerabilityPatchVersion with * \\\"OMIVulnerabilityPatchVersion:\\\"\\nOMIVersionMajor:long \\\".\\\" OMIVersionMinor:long \\\".\\\" OMIVersionPatch:long \\\"-\\\" *\\n| where Major \u003cOMIVersionMajor or (Major==OMIVersionMajor and Minor\\n\u003cOMIVersionMinor) or (Major==OMIVersionMajor and Minor==OMIVersionMinor and\\nPatch\u003cOMIVersionPatch) \\n| project Version, Major,Minor,Patch,\\nComputer,ComputerIP,OSType,OSName,ResourceId\",\"customDetails\":{\"HostIp\":\"ComputerIP\",\"OSType\":\"OSType\",\"OSName\":\"OSName\"},\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceId\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"OMI Vulnerability Exploitation\",\"description\":\"Following the September 14th, 2021 release of three Elevation of Privilege (EoP) vulnerabilities (CVE-2021-38645, CVE-2021-38649, CVE-2021-38648) and one unauthenticated Remote Code Execution (RCE) vulnerability (CVE-2021-38647) in the Open Management Infrastructure (OMI) Framework.\\nThis detection validates that any OMS-agent that is reporting to the Microsoft Sentinel workspace is updated with the patch. The detection will go over the heartbeats received from all agents over the last day and will create alert for those agents who are not updated.\",\"lastUpdatedDateUTC\":\"2024-07-15T00:00:00Z\",\"createdDateUTC\":\"2021-09-23T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4d173248-439b-4741-8b37-f63ad0c896ae\",\"name\":\"4d173248-439b-4741-8b37-f63ad0c896ae\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Low\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ChiaCryptoIOC.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet process = (iocs | where Type =~ \\\"process\\\" | project IoC);\\n//This query uses sysmon data, sections that have - | where Source == \\\"Microsoft-Windows-Sysmon\\\" - may need to be updated with latest\\nWindowsEvent\\n| where EventID == \u00274688\u0027 and EventData has_any (process)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| where NewProcessName has_any (process)\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n , Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n , NewProcessId = tostring(EventData.NewProcessId)\\n| extend timestamp = TimeGenerated, Computer, Account, File = tostring(split(NewProcessName, \u0027\\\\\\\\\u0027, -1)[-1]), AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend FilePath = replace_string(NewProcessName, File, \u0027\u0027)\\n| project TimeGenerated, timestamp, File, AlertDetail, FilePath,Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type\\n| extend AccountCustomEntity = Account, HostCustomEntity = Computer, FileCustomEntity = File, FilePathCustomEntity = FilePath\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"FileCustomEntity\"},{\"identifier\":\"Directory\",\"columnName\":\"FilePathCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Chia_Crypto_Mining IOC - June 2021\",\"description\":\"Identifies a match across IOC\u0027s related to Chia cryptocurrency farming/plotting activity\",\"lastUpdatedDateUTC\":\"2022-12-13T00:00:00Z\",\"createdDateUTC\":\"2022-02-21T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ce1e7025-866c-41f3-9b08-ec170e05e73e\",\"name\":\"ce1e7025-866c-41f3-9b08-ec170e05e73e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"Medium\",\"query\":\"let SunburstURL=dynamic([\\\"panhardware.com\\\",\\\"databasegalore.com\\\",\\\"avsvmcloud.com\\\",\\\"freescanonline.com\\\",\\\"thedoccloud.com\\\",\\\"deftsecurity.com\\\"]);\\nDeviceNetworkEvents\\n| where ActionType == \\\"ConnectionSuccess\\\"\\n| where RemoteUrl in(SunburstURL)\\n| extend HashAlgorithm = \u0027MD5\u0027\\n| extend HostName = tostring(split(DeviceName, \\\".\\\")[0]), DomainIndex = toint(indexof(DeviceName, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(DeviceName, DomainIndex + 1), DeviceName)\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DeviceName\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingProcessAccountUpn\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatingProcessAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatingProcessAccountDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"RemoteIP\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"RemoteUrl\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"HashAlgorithm\"},{\"identifier\":\"Value\",\"columnName\":\"InitiatingProcessMD5\"}]}],\"tactics\":[\"Execution\",\"Persistence\",\"InitialAccess\"],\"displayName\":\"SUNBURST network beacons\",\"description\":\"Identifies SolarWinds SUNBURST domain beacon IOCs in DeviceNetworkEvents\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\",\"lastUpdatedDateUTC\":\"2024-04-04T00:00:00Z\",\"createdDateUTC\":\"2022-04-12T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/999e9f5d-db4a-4b07-a206-29c4e667b7e8\",\"name\":\"999e9f5d-db4a-4b07-a206-29c4e667b7e8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.8\",\"severity\":\"Medium\",\"query\":\"let HAS_ANY_MAX = 10000;\\nlet dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet DomainTIs= ThreatIntelligenceIndicator\\n // Picking up only IOC\u0027s that contain the entities we want\\n | where isnotempty(DomainName)\\n | where TimeGenerated \u003e= ago(ioc_lookBack)\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n | where Active == true and ExpirationDateTime \u003e now();\\nlet Domains = DomainTIs | where isnotempty(DomainName) |summarize NDomains=dcount(DomainName), DomainsList=make_set(DomainName) \\n | project DomainList = iff(NDomains \u003e HAS_ANY_MAX, dynamic([]), DomainsList) ;\\nDomainTIs\\n | join (\\n _Im_Dns(starttime=ago(dt_lookBack), domain_has_any=toscalar(Domains))\\n | extend DNS_TimeGenerated = TimeGenerated\\n) on $left.DomainName==$right.DnsQuery\\n| where DNS_TimeGenerated \u003c ExpirationDateTime\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, DNS_TimeGenerated, Dvc, SrcIpAddr, Domain, DnsQuery, DnsQueryType\\n| extend HostName = tostring(split(Dvc, \\\".\\\")[0]), DomainIndex = toint(indexof(Dvc, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Dvc, DomainIndex + 1), Dvc)\",\"customDetails\":{\"LatestIndicatorTime\":\"LatestIndicatorTime\",\"Description\":\"Description\",\"ActivityGroupNames\":\"ActivityGroupNames\",\"IndicatorId\":\"IndicatorId\",\"ThreatType\":\"ThreatType\",\"ExpirationDateTime\":\"ExpirationDateTime\",\"ConfidenceScore\":\"ConfidenceScore\",\"DNSRequestTime\":\"DNS_TimeGenerated\",\"SourceIPAddress\":\"SrcIpAddr\",\"DnsQuery\":\"DnsQuery\",\"QueryType\":\"DnsQueryType\"},\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Dvc\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"Domain\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"TI map Domain entity to Dns Events (ASIM DNS Schema)\",\"description\":\"Identifies a match in DNS events from any Domain IOC from TI\\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema\",\"lastUpdatedDateUTC\":\"2024-10-10T00:00:00Z\",\"createdDateUTC\":\"2021-09-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/70b12a3b-4896-42cb-910c-5ffaf8d7987d\",\"name\":\"70b12a3b-4896-42cb-910c-5ffaf8d7987d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"seoulhobi.biz\\\", \\\"reader.cash\\\", \\\"pieceview.club\\\", \\\"app-wallet.com\\\", \\\"bigwnet.com\\\", \\\"bitwoll.com\\\", \\\"cexrout.com\\\", \\\"change-pw.com\\\", \\\"checkprofie.com\\\", \\\"cloudwebappservice.com\\\", \\\"ctquast.com\\\", \\\"dataviewering.com\\\", \\\"day-post.com\\\", \\\"dialy-post.com\\\", \\\"documentviewingcom.com\\\", \\\"dovvn-mail.com\\\", \\\"down-error.com\\\", \\\"drivecheckingcom.com\\\", \\\"drog-service.com\\\", \\\"encodingmail.com\\\", \\\"filinvestment.com\\\", \\\"foldershareing.com\\\", \\\"golangapis.com\\\", \\\"hotrnall.com\\\", \\\"lh-logins.com\\\", \\\"login-use.com\\\", \\\"mail-down.com\\\", \\\"matmiho.com\\\", \\\"mihomat.com\\\", \\\"natwpersonal-online.com\\\", \\\"nidlogin.com\\\", \\\"nid-login.com\\\", \\\"nidlogon.com\\\", \\\"pw-change.com\\\", \\\"rnaii.com\\\", \\\"rnailm.com\\\", \\\"sec-live.com\\\", \\\"secrityprocessing.com\\\", \\\"securitedmode.com\\\", \\\"securytingmail.com\\\", \\\"set-login.com\\\", \\\"usrchecking.com\\\", \\\"com-serviceround.info\\\", \\\"mai1.info\\\", \\\"reviewer.mobi\\\", \\\"files-download.net\\\", \\\"fixcool.net\\\", \\\"hanrnaii.net\\\", \\\"office356-us.org\\\", \\\"smtper.org\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where isnotempty(FileHash)\\n| where DNSName in~ (DomainNames)\\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n),\\n(_Im_Dns (domain_has_any=DomainNames)\\n| extend DNSName = DnsQuery\\n| extend IPAddress = SrcIpAddr\\n),\\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where isnotempty(DNSName)\\n| where DNSName in~ (DomainNames)\\n| extend IPAddress = RemoteIp\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPCustomEntity = SourceHost \\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallNetworkRule\\\"\\n| where msg_s has_any (DomainNames)\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePortInt:int \\\" to \\\" TargetIP \\\":\\\" TargetPortInt:int *\\n| parse kind=regex flags=U msg_s with * \\\". Action\\\\\\\\: \\\" Action1a \\\"\\\\\\\\.\\\"\\n| parse msg_s with * \\\". Policy: \\\" Policy \\\". Rule Collection Group: \\\" RuleCollectionGroup \\\".\\\" *\\n| parse msg_s with * \\\" Rule Collection: \\\" RuleCollection \\\". Rule: \\\" Rule\\n| extend IPCustomEntity = SourceIP\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| where msg_s has_any (DomainNames)\\n| parse msg_s with \\\"DNS Request: \\\" SourceIP \\\":\\\" SourcePortInt:int \\\" - \\\" QueryID:int \\\" \\\" RequestType \\\" \\\" RequestClass \\\" \\\" hostname \\\". \\\" protocol \\\" \\\" details\\n| extend\\n ResponseDuration = extract(\\\"[0-9]*.?[0-9]+s$\\\", 0, msg_s),\\n SourcePort = tostring(SourcePortInt),\\n QueryID = tostring(QueryID)\\n| extend IPCustomEntity = SourceIP\\n| project TimeGenerated,SourceIP,hostname,RequestType,ResponseDuration,details,msg_s\\n| order by TimeGenerated\\n),\\n(AZFWApplicationRule\\n| where Fqdn has_any (DomainNames)\\n| extend IPCustomEntity = SourceIp\\n),\\n(AZFWDnsQuery\\n| where isnotempty(QueryName)\\n| where QueryName has_any (DomainNames)\\n| extend DNSName = QueryName\\n| extend IPCustomEntity = SourceIp\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"CredentialAccess\"],\"displayName\":\"[Deprecated] - Emerald Sleet domains included in DCU takedown\",\"description\":\"This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft\u0027s Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2020-01-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\",\"AZFWApplicationRule\",\"AZFWDnsQuery\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9713e3c0-1410-468d-b79e-383448434b2d\",\"name\":\"9713e3c0-1410-468d-b79e-383448434b2d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.4.2\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h; // Look back 1 hour for VMConnection events\\nlet ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators\\n// Fetch threat intelligence indicators related to IP addresses\\nlet IP_Indicators = ThreatIntelligenceIndicator\\n | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n | where TimeGenerated \u003e= ago(ioc_lookBack)\\n | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \\\"fe80\\\" and TI_ipEntity !startswith \\\"::\\\" and TI_ipEntity !startswith \\\"127.\\\"\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n | where Active == true and ExpirationDateTime \u003e now();\\n// Perform a join between IP indicators and VMConnection events\\nIP_Indicators\\n // Use innerunique to keep performance fast and result set low, as we only need one match to indicate potential malicious activity that needs investigation\\n | join kind=innerunique (\\n VMConnection\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | extend VMConnection_TimeGenerated = TimeGenerated\\n )\\n on $left.TI_ipEntity == $right.RemoteIp\\n // Filter out VMConnection events that occurred after the expiration of the corresponding indicator\\n | where VMConnection_TimeGenerated \u003c ExpirationDateTime\\n // Group the results by IndicatorId and keep the VMConnection event with the latest timestamp\\n | summarize VMConnection_TimeGenerated = arg_max(VMConnection_TimeGenerated, *) by IndicatorId, RemoteIp\\n // Select the desired output fields\\n | project VMConnection_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\n TI_ipEntity, Computer, Direction, ProcessName, SourceIp, DestinationIp, RemoteIp, Protocol, DestinationPort, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, Type\\n | extend timestamp = VMConnection_TimeGenerated, HostName = tostring(split(Computer, \u0027.\u0027, 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Computer, \u0027.\u0027), 1, -1), \u0027.\u0027))\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"RemoteIp\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"TI Map IP Entity to VMConnection\",\"description\":\"This query maps any IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in VMConnection.\",\"lastUpdatedDateUTC\":\"2024-07-09T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/610d3850-c26f-4f20-8d86-f10fdf2425f5\",\"name\":\"610d3850-c26f-4f20-8d86-f10fdf2425f5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Low\",\"query\":\"let EventNameList = dynamic([\\\"UpdateTrail\\\",\\\"DeleteTrail\\\",\\\"StopLogging\\\",\\\"DeleteFlowLogs\\\",\\\"DeleteEventBus\\\"]);\\nAWSCloudTrail\\n| where EventName in~ (EventNameList)\\n| extend UserIdentityArn = iif(isempty(UserIdentityArn), tostring(parse_json(Resources)[0].ARN), UserIdentityArn)\\n| extend UserName = tostring(split(UserIdentityArn, \u0027/\u0027)[-1])\\n| extend AccountName = case( UserIdentityPrincipalid == \\\"Anonymous\\\", \\\"Anonymous\\\", isempty(UserIdentityUserName), UserName, UserIdentityUserName)\\n| extend AccountName = iif(AccountName contains \\\"@\\\", tostring(split(AccountName, \u0027@\u0027, 0)[0]), AccountName),\\n AccountUPNSuffix = iif(AccountName contains \\\"@\\\", tostring(split(AccountName, \u0027@\u0027, 1)[0]), \\\"\\\")\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, RecipientAccountId, AccountName, AccountUPNSuffix, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent,\\nUserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion, EventSource\\n| extend timestamp = StartTimeUtc\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"},{\"identifier\":\"CloudAppAccountId\",\"columnName\":\"RecipientAccountId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIpAddress\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Changes made to AWS CloudTrail logs\",\"description\":\"Attackers often try to hide their steps by deleting or stopping the collection of logs that could show their activity.\\nThis alert identifies any manipulation of AWS CloudTrail, Cloudwatch/EventBridge or VPC Flow logs.\\nMore Information: AWS CloudTrail API: https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_Operations.html \\nAWS Cloudwatch/Eventbridge API: https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_Operations.html \\nAWS DelteteFlowLogs API : https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteFlowLogs.html \u0027 \",\"lastUpdatedDateUTC\":\"2024-07-15T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ac9e233e-44d4-45eb-b522-6e47445f6582\",\"name\":\"ac9e233e-44d4-45eb-b522-6e47445f6582\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"Medium\",\"query\":\"imRegistry\\n | where EventType in (\\\"RegistryValueSet\\\", \\\"RegistryKeyCreated\\\")\\n | where RegistryKey has \\\"Software\\\\\\\\Classes\\\\\\\\ms-settings\\\\\\\\shell\\\\\\\\open\\\\\\\\command\\\"\\n | extend TimeKey = bin(TimeGenerated, 1h)\\n | join (imProcess\\n | where Process endswith \\\"fodhelper.exe\\\"\\n | where ParentProcessName endswith \\\"cmd.exe\\\" or ParentProcessName endswith \\\"powershell.exe\\\" or ParentProcessName endswith \\\"powershell_ise.exe\\\"\\n | extend TimeKey = bin(TimeGenerated, 1h)) on TimeKey, Dvc\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DvcHostname\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DvcIpAddr\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ActorUsername\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Potential Fodhelper UAC Bypass (ASIM Version)\",\"description\":\"This detection looks for the steps required to conduct a UAC bypass using Fodhelper.exe. By default this detection looks for the setting of the required registry keys and the invoking of the process within 1 hour - this can be tweaked as required.\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2022-02-25T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/84cf1d59-f620-4fee-b569-68daf7008b7b\",\"name\":\"84cf1d59-f620-4fee-b569-68daf7008b7b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"let threshold = 10;\\nQualysHostDetection_CL\\n| mv-expand todynamic(Detections_s)\\n| extend Status = tostring(Detections_s.Status), Vulnerability = tostring(Detections_s.Results), Severity = tostring(Detections_s.Severity)\\n| where Status =~ \\\"New\\\" and Severity == \\\"5\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), dcount(NetBios_s) by tostring(Detections_s.QID)\\n| where dcount_NetBios_s \u003e= threshold\\n| extend timestamp = StartTime\",\"entityMappings\":[],\"tactics\":[\"InitialAccess\"],\"displayName\":\"New High Severity Vulnerability Detected Across Multiple Hosts\",\"description\":\"This creates an incident when a new high severity vulnerability is detected across multilple hosts\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2020-06-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"QualysVulnerabilityManagement\",\"dataTypes\":[\"QualysHostDetection_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1ce5e766-26ab-4616-b7c8-3b33ae321e80\",\"name\":\"1ce5e766-26ab-4616-b7c8-3b33ae321e80\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.5\",\"severity\":\"Medium\",\"query\":\"//Adjust this threshold to fit environment\\nlet signin_threshold = 5; \\n//Make a list of IPs with failed Windows host logins above threshold\\nlet win_fails = \\nSecurityEvent\\n| where EventID == 4625\\n| where LogonType in (10, 7, 3)\\n| where IpAddress != \\\"-\\\"\\n| summarize count() by IpAddress\\n| where count_ \u003e signin_threshold\\n| summarize make_list(IpAddress);\\nlet wef_fails =\\nWindowsEvent\\n| where EventID == 4625\\n| extend LogonType = tostring(EventData.LogonType)\\n| where LogonType in (10, 7, 3)\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| where IpAddress != \\\"-\\\"\\n| summarize count() by IpAddress\\n| where count_ \u003e signin_threshold\\n| summarize make_list(IpAddress);\\n//Make a list of IPs with failed *nix host logins above threshold\\nlet nix_fails = \\nSyslog\\n| where Facility contains \u0027auth\u0027 and ProcessName != \u0027sudo\u0027 and SyslogMessage has \u0027from\u0027 and not(SyslogMessage has_any (\u0027Disconnecting\u0027, \u0027Disconnected\u0027, \u0027Accepted\u0027, \u0027disconnect\u0027, @\u0027[preauth]\u0027))\\n| extend SourceIP = extract(\\\"(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.(([0-9]{1,3})))\\\",1,SyslogMessage)\\n| where SourceIP != \\\"\\\" and SourceIP != \\\"127.0.0.1\\\"\\n| summarize count() by SourceIP\\n| where count_ \u003e signin_threshold\\n| summarize make_list(SourceIP);\\n//See if any of the IPs with failed host logins hve had a sucessful Azure AD login\\nlet aadFunc = (tableName:string){\\ntable(tableName)\\n| where ResultType in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n| where IPAddress in (win_fails) or IPAddress in (nix_fails) or IPAddress in (wef_fails)\\n| extend Reason= \\\"Multiple failed host logins from IP address with successful Azure AD login\\\"\\n| extend timestamp = TimeGenerated, Type = Type\\n| extend AccountName = tostring(split(UserPrincipalName, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(UserPrincipalName, \\\"@\\\")[1])\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]}],\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"Failed host logons but success logon to AzureAD\",\"description\":\"Identifies a list of IP addresses with a minimum number(default of 5) of failed logon attempts to remote hosts.\\nUses that list to identify any successful logons to Microsoft Entra ID from these IPs within the same timeframe.\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2019-08-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8c2ef238-67a0-497d-b1dd-5c8a0f533e25\",\"name\":\"8c2ef238-67a0-497d-b1dd-5c8a0f533e25\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Low\",\"query\":\"let EventNameList = dynamic([\\\"AuthorizeDBSecurityGroupIngress\\\",\\\"CreateDBSecurityGroup\\\",\\\"DeleteDBSecurityGroup\\\",\\\"RevokeDBSecurityGroupIngress\\\"]);\\nAWSCloudTrail\\n| where EventName in~ (EventNameList)\\n| extend UserIdentityArn = iif(isempty(UserIdentityArn), tostring(parse_json(Resources)[0].ARN), UserIdentityArn)\\n| extend UserName = tostring(split(UserIdentityArn, \u0027/\u0027)[-1])\\n| extend AccountName = case( UserIdentityPrincipalid == \\\"Anonymous\\\", \\\"Anonymous\\\", isempty(UserIdentityUserName), UserName, UserIdentityUserName)\\n| extend AccountName = iif(AccountName contains \\\"@\\\", tostring(split(AccountName, \u0027@\u0027, 0)[0]), AccountName),\\n AccountUPNSuffix = iif(AccountName contains \\\"@\\\", tostring(split(AccountName, \u0027@\u0027, 1)[0]), \\\"\\\")\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, RecipientAccountId, AccountName, AccountUPNSuffix, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, UserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion, EventSource, AdditionalEventData, ResponseElements\\n| extend timestamp = StartTimeUtc\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"},{\"identifier\":\"CloudAppAccountId\",\"columnName\":\"RecipientAccountId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIpAddress\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Changes to internet facing AWS RDS Database instances\",\"description\":\"Amazon Relational Database Service (RDS) is scalable relational database in the cloud.\\nIf your organization have one or more AWS RDS Databases running, monitoring changes to especially internet facing AWS RDS (Relational Database Service)\\nOnce alerts triggered, validate if changes observed are authorized and adhere to change control policy.\\nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255 \\nand RDS API Reference Docs: https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_Operations.html\",\"lastUpdatedDateUTC\":\"2024-03-27T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3b9a44d7-c651-45ed-816c-eae583a6f2f1\",\"name\":\"3b9a44d7-c651-45ed-816c-eae583a6f2f1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"Medium\",\"query\":\"let lookback = 14d;\\nlet timeframe = 1d;\\nlet historical_data =\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(lookback) and TimeGenerated \u003c ago(timeframe)\\n| where OperationName =~ \\\"Library.VariableGroupModified\\\"\\n| extend variables = Data.Variables\\n| extend VariableGroupId = tostring(Data.VariableGroupId)\\n| extend UserKey = strcat(VariableGroupId, \\\"-\\\", ActorUserId)\\n| project UserKey;\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeframe)\\n| where OperationName =~ \\\"Library.VariableGroupModified\\\"\\n| extend VariableGroupName = tostring(Data.VariableGroupName)\\n| extend VariableGroupId = tostring(Data.VariableGroupId)\\n| extend UserKey = strcat(VariableGroupId, \\\"-\\\", ActorUserId)\\n| where UserKey !in (historical_data)\\n| project-away UserKey\\n| project-reorder TimeGenerated, VariableGroupName, ActorUPN, IpAddress, UserAgent\\n| extend timestamp = TimeGenerated\\n| extend AccountName = tostring(split(ActorUPN, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(ActorUPN, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ActorUPN\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure DevOps Build Variable Modified by New User\",\"description\":\"Variables can be configured and used at any stage of the build process in Azure DevOps to inject values. An attacker with the required permissions could modify or add to these variables to conduct malicious activity such as changing paths or remote endpoints called during the build.\\nAs variables are often changed by users, just detecting these changes would have a high false positive rate. This detection looks for modifications to variable groups where that user has not been observed modifying them before.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/572f3951-5fa3-4e42-9640-fe194d859419\",\"name\":\"572f3951-5fa3-4e42-9640-fe194d859419\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"let timeframe = 1h;\\nlet lookback = 7d;\\nlet known_useragents = dynamic([]);\\nDynamics365Activity\\n| where TimeGenerated \u003e ago(timeframe)\\n| extend Message = tostring(split(OriginalObjectId, \u0027 \u0027)[0])\\n| where Message =~ \\\"UserSignIn\\\"\\n| extend IPAddress = tostring(split(ClientIP, \\\":\\\")[0])\\n| where isnotempty(UserAgent)\\n// Exclude user agents with a render agent to reduce noise\\n| where UserAgent has_any (\\\"Gecko\\\", \\\"WebKit\\\", \\\"Presto\\\", \\\"Trident\\\", \\\"EdgeHTML\\\", \\\"Blink\\\")\\n| join kind=leftanti(\\nOfficeActivity\\n| where TimeGenerated \u003e ago(lookback)\\n| where UserAgent !in~ (known_useragents))\\non UserAgent\\n| summarize MostRecentActivity=max(TimeGenerated), IPs=make_set(IPAddress), Users=make_set(UserId), Actions=make_set(OriginalObjectId) by UserAgent\\n| extend timestamp = MostRecentActivity\",\"entityMappings\":[],\"tactics\":[\"InitialAccess\"],\"displayName\":\"New Office User Agent in Dynamics 365\",\"description\":\"Detects users accessing Dynamics from a User Agent that has not been seen in any Office 365 workloads in the last 7 days. Has configurable filter for known good user agents such as PowerApps.\",\"lastUpdatedDateUTC\":\"2022-12-12T00:00:00Z\",\"createdDateUTC\":\"2021-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Dynamics365\",\"dataTypes\":[\"Dynamics365Activity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/269435e3-1db8-4423-9dfc-9bf59997da1c\",\"name\":\"269435e3-1db8-4423-9dfc-9bf59997da1c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.6\",\"severity\":\"Low\",\"query\":\"AuditLogs\\n| where Category =~ \\\"RoleManagement\\\"\\n| where OperationName has \\\"Add member to role outside of PIM\\\"\\n or (LoggedByService =~ \\\"Core Directory\\\" and OperationName =~ \\\"Add member to role\\\" and Identity != \\\"MS-PIM\\\" and Identity != \\\"MS-PIM-Fairfax\\\")\\n| mv-apply TargetResource = TargetResources on \\n (\\n where TargetResource.type =~ \\\"User\\\"\\n | extend TargetUserPrincipalName = tostring(TargetResource.userPrincipalName)\\n )\\n| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n| extend InitiatingIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\\n| extend TargetName = tostring(split(TargetUserPrincipalName,\u0027@\u0027,0)[0]), TargetUPNSuffix = tostring(split(TargetUserPrincipalName,\u0027@\u0027,1)[0])\\n| extend InitiatedByName = tostring(split(InitiatingUserPrincipalName,\u0027@\u0027,0)[0]), InitiatedByUPNSuffix = tostring(split(InitiatingUserPrincipalName,\u0027@\u0027,1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatedByName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatedByUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"TargetName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"TargetUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAppServicePrincipalId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIpAddress\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Privileged Role Assigned Outside PIM\",\"description\":\"Identifies a privileged role being assigned to a user outside of PIM\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1\",\"lastUpdatedDateUTC\":\"2024-10-18T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bff058b2-500e-4ae5-bb49-a5b1423cbd5b\",\"name\":\"bff058b2-500e-4ae5-bb49-a5b1423cbd5b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.1.1\",\"severity\":\"Low\",\"query\":\"let fileAccessThrehold = 10;\\nOfficeActivity\\n| where OfficeWorkload =~ \\\"MicrosoftTeams\\\"\\n| where Operation =~ \\\"MemberAdded\\\"\\n| extend MemberAdded = tostring(parse_json(Members)[0].UPN)\\n| where MemberAdded contains (\\\"#EXT#\\\")\\n| project TimeAdded=TimeGenerated, Operation, MemberAdded, UserWhoAdded = UserId, TeamName\\n| join kind = inner (\\n OfficeActivity\\n | where OfficeWorkload =~ \\\"MicrosoftTeams\\\"\\n | where Operation =~ \\\"MemberRemoved\\\"\\n | extend MemberAdded = tostring(parse_json(Members)[0].UPN)\\n | where MemberAdded contains (\\\"#EXT#\\\")\\n | project TimeDeleted=TimeGenerated, Operation, MemberAdded, UserWhoDeleted = UserId, TeamName\\n ) on MemberAdded\\n| where TimeDeleted \u003e TimeAdded\\n| join kind=inner (\\n OfficeActivity\\n | where RecordType == \\\"SharePointFileOperation\\\"\\n | where SourceRelativeUrl has \\\"Microsoft Teams Chat Files\\\"\\n | where Operation == \\\"FileUploaded\\\"\\n | extend MemberAdded = UserId\\n | join kind = inner (\\n OfficeActivity\\n | where RecordType == \\\"SharePointFileOperation\\\"\\n | where Operation == \\\"FileAccessed\\\"\\n | where SourceRelativeUrl has \\\"Microsoft Teams Chat Files\\\"\\n | summarize FileAccessCount = count() by OfficeObjectId\\n | where FileAccessCount \u003e fileAccessThrehold\\n ) on $left.OfficeObjectId == $right.OfficeObjectId\\n )on MemberAdded\\n| project-away MemberAdded1, MemberAdded2, OfficeObjectId1, Operation1, Operation2, TeamName1, TeamName2\\n| extend MemberAddedAccountName = tostring(split(MemberAdded, \\\"@\\\")[0]), MemberAddedAccountUPNSuffix = tostring(split(MemberAdded, \\\"@\\\")[1])\\n| extend UserWhoAddedAccountName = tostring(split(UserWhoAdded, \\\"@\\\")[0]), UserWhoAddedAccountUPNSuffix = tostring(split(UserWhoAdded, \\\"@\\\")[1])\\n| extend UserWhoDeletedAccountName = tostring(split(UserWhoDeleted, \\\"@\\\")[0]), UserWhoDeletedAccountUPNSuffix = tostring(split(UserWhoDeleted, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"MemberAdded\"},{\"identifier\":\"Name\",\"columnName\":\"MemberAddedAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"MemberAddedAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserWhoAdded\"},{\"identifier\":\"Name\",\"columnName\":\"UserWhoAddedAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UserWhoAddedAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserWhoDeleted\"},{\"identifier\":\"Name\",\"columnName\":\"UserWhoDeletedAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UserWhoDeletedAccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Accessed files shared by temporary external user\",\"description\":\"This detection identifies when an external user is added to a Team or Teams chat and shares a file which is accessed by many users (\u003e10) and the users is removed within short period of time. This might be an indicator of suspicious activity.\",\"lastUpdatedDateUTC\":\"2024-10-28T00:00:00Z\",\"createdDateUTC\":\"2020-08-18T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity (Teams)\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity (SharePoint)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c1faf5e8-6958-11ec-90d6-0242ac120003\",\"name\":\"c1faf5e8-6958-11ec-90d6-0242ac120003\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n| where EventID == 4720 and TargetUserName endswith \\\"$\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Computer, SubjectUserName, SubjectDomainName, SubjectAccount, SubjectUserSid, SubjectLogonId, \\nTargetUserName, TargetDomainName, TargetAccount, TargetSid, UserPrincipalName\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| project-away DomainIndex\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SubjectAccount\"},{\"identifier\":\"Name\",\"columnName\":\"SubjectUserName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"SubjectDomainName\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Sid\",\"columnName\":\"SubjectUserSid\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetAccount\"},{\"identifier\":\"Name\",\"columnName\":\"TargetUserName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"TargetDomainName\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Sid\",\"columnName\":\"TargetSid\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Fake computer account created\",\"description\":\"This query detects domain user accounts creation (event ID 4720) where the username ends with $. \\nAccounts that end with $ are normally domain computer accounts and when they are created the event ID 4741 is generated instead.\\nRef: https://blog.menasec.net/2019/02/threat-hunting-6-hiding-in-plain-sights.html\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2021-12-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b12b3dab-d973-45af-b07e-e29bb34d8db9\",\"name\":\"b12b3dab-d973-45af-b07e-e29bb34d8db9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Medium\",\"query\":\"let timeframe = 15m;\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(timeframe)\\n| where HttpUserAgentOriginal contains \\\"WindowsPowerShell\\\"\\n| extend Message = \\\"Windows PowerShell User Agent\\\"\\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated,HttpUserAgentOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlOriginal\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]}],\"tactics\":[\"CommandAndControl\",\"DefenseEvasion\"],\"displayName\":\"Cisco Umbrella - Windows PowerShell User-Agent Detected\",\"description\":\"Rule helps to detect Powershell user-agent activity by an unusual process other than a web browser.\",\"lastUpdatedDateUTC\":\"2023-12-29T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/68271db2-cbe9-4009-b1d3-bb3b5fe5713c\",\"name\":\"68271db2-cbe9-4009-b1d3-bb3b5fe5713c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"Low\",\"query\":\"let User_Agents = dynamic ([\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70\\\", \\n\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.1 Safari/605.1.15\\\", \\n\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0\\\", \\n\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36\\\", \\n\\\"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36\\\"]);\\nOfficeActivity\\n| where RecordType in (\\\"AzureActiveDirectoryAccountLogon\\\", \\\"AzureActiveDirectoryStsLogon\\\") \\n| where Operation != \u0027UserLoggedIn\u0027\\n| extend UserAgent = iff(parse_json(ExtendedProperties)[0].Name =~ \\\"UserAgent\\\", extractjson(\\\"$[0].Value\\\", ExtendedProperties, typeof(string)),\\\"\\\")\\n| mv-expand parse_json(ExtendedProperties)\\n| where ExtendedProperties.Name =~ \\\"RequestType\\\"\\n| extend RequestType = todynamic(ExtendedProperties).Value\\n| where UserAgent =~ \\\"ms-office\\\" or UserAgent has_any (User_Agents)\\n| summarize authAttempts=dcount(TimeGenerated), firstAttempt=min(TimeGenerated), lastAttempt=max(TimeGenerated), uniqueIPs=dcount(ClientIP), uniqueAccounts=dcount(UserId), attemptedAccounts=make_set(UserId) by UserAgent\\n| where authAttempts \u003e 500\\n| extend timestamp = firstAttempt\\n| sort by uniqueAccounts\",\"entityMappings\":[],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"[Deprecated] - Possible Forest Blizzard attempted credential harvesting - Oct 2020\",\"description\":\"This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft\u0027s Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2020-09-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4ca74dc0-8352-4ac5-893c-73571cc78331\",\"name\":\"4ca74dc0-8352-4ac5-893c-73571cc78331\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"let keywords = dynamic([\\\"secret\\\", \\\"secrets\\\", \\\"password\\\", \\\"PAT\\\", \\\"passwd\\\", \\\"pswd\\\", \\\"pwd\\\", \\\"cred\\\", \\\"creds\\\", \\\"credentials\\\", \\\"credential\\\", \\\"key\\\"]);\\nAzureDevOpsAuditing\\n| where OperationName =~ \\\"Library.VariableGroupModified\\\"\\n| extend Type = tostring(Data.Type)\\n| extend VariableGroupId = tostring(Data.VariableGroupId)\\n| extend VariableGroupName = tostring(Data.VariableGroupName)\\n| mv-expand Data.Variables\\n| where VariableGroupName has_any (keywords) or Data_Variables has_any (keywords)\\n| where Type != \\\"AzureKeyVault\\\"\\n| where Data_Variables !has \\\"IsSecret\\\"\\n| extend timestamp = TimeGenerated\\n| extend AccountName = tostring(split(ActorUPN, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(ActorUPN, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ActorUPN\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Azure DevOps Variable Secret Not Secured\",\"description\":\"Credentials used in the build process may be stored as Azure DevOps variables. To secure these variables they should be stored in KeyVault or marked as Secrets. \\nThis detection looks for new variables added with names that suggest they are credentials but where they are not set as Secrets or stored in KeyVault.\",\"lastUpdatedDateUTC\":\"2024-03-13T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3533f74c-9207-4047-96e2-0eb9383be587\",\"name\":\"3533f74c-9207-4047-96e2-0eb9383be587\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Low\",\"query\":\"let detectionTime = 1d;\\nlet joinLookback = 14d;\\nAuditLogs\\n| where TimeGenerated \u003e ago(detectionTime)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Consent to application\\\"\\n| where TargetResources has \\\"offline\\\"\\n| mv-apply TargetResource=TargetResources on \\n (\\n where TargetResource.type =~ \\\"ServicePrincipal\\\"\\n | extend ModifiedProperties = TargetResource.modifiedProperties,\\n AppDisplayName = tostring(TargetResource.displayName),\\n AppClientId = tolower(tostring(TargetResource.id))\\n )\\n| where AppClientId !in ((externaldata(knownAppClientId:string, knownAppDisplayName:string)[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.OAuth.KnownApplications.csv\\\"] with (format=\\\"csv\\\")))\\n| mv-apply Properties=ModifiedProperties on \\n (\\n where Properties.displayName =~ \\\"ConsentAction.Permissions\\\"\\n | extend ConsentFull = tostring(Properties.newValue)\\n | extend ConsentFull = trim(@\u0027\\\"\u0027,tostring(ConsentFull))\\n )\\n| parse ConsentFull with * \\\"ConsentType: \\\" GrantConsentType \\\", Scope: \\\" GrantScope1 \\\"]\\\" *\\n| where ConsentFull has \\\"offline_access\\\" and ConsentFull has_any (\\\"Files.Read\\\", \\\"Mail.Read\\\", \\\"Notes.Read\\\", \\\"ChannelMessage.Read\\\", \\\"Chat.Read\\\", \\\"TeamsActivity.Read\\\", \\\"Group.Read\\\", \\\"EWS.AccessAsUser.All\\\", \\\"EAS.AccessAsUser.All\\\")\\n| where GrantConsentType != \\\"AllPrincipals\\\" // NOTE: we are ignoring if OAuth application was granted to all users via an admin - but admin due diligence should be audited occasionally\\n| extend GrantInitiatedByAppName = tostring(InitiatedBy.app.displayName)\\n| extend GrantInitiatedByAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n| extend GrantInitiatedByUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n| extend GrantInitiatedByAadUserId = tostring(InitiatedBy.user.id)\\n| extend GrantIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n| extend GrantInitiatedBy = iff(isnotempty(GrantInitiatedByUserPrincipalName), GrantInitiatedByUserPrincipalName, GrantInitiatedByAppName)\\n| extend GrantUserAgent = tostring(iff(AdditionalDetails[0].key =~ \\\"User-Agent\\\", AdditionalDetails[0].value, \\\"\\\"))\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, GrantInitiatedByUserPrincipalName, GrantInitiatedByAadUserId, GrantInitiatedByAppName, GrantInitiatedByAppServicePrincipalId, GrantIpAddress, GrantUserAgent, AppClientId, OperationName, ConsentFull, CorrelationId\\n| join kind = leftouter (AuditLogs\\n| where TimeGenerated \u003e ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add service principal\\\"\\n| mv-apply TargetResource=TargetResources on \\n (\\n where TargetResource.type =~ \\\"ServicePrincipal\\\"\\n | extend ModifiedProperties = TargetResource.modifiedProperties,\\n AppClientId = tolower(TargetResource.id)\\n )\\n| mv-apply ModifiedProperties=TargetResource.modifiedProperties on \\n (\\n where ModifiedProperties.displayName =~ \\\"AppAddress\\\" and ModifiedProperties.newValue has \\\"AddressType\\\"\\n | extend AppReplyURLs = ModifiedProperties.newValue\\n )\\n | distinct AppClientId, tostring(AppReplyURLs)\\n)\\non AppClientId\\n| join kind = innerunique (AuditLogs\\n| where TimeGenerated \u003e ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add OAuth2PermissionGrant\\\" or OperationName =~ \\\"Add delegated permission grant\\\"\\n | mv-apply TargetResource=TargetResources on \\n (\\n where TargetResource.type =~ \\\"ServicePrincipal\\\" and array_length(TargetResource.modifiedProperties) \u003e 0 and isnotnull(TargetResource.displayName)\\n | extend GrantAuthentication = tostring(TargetResource.displayName)\\n )\\n| extend GrantOperation = OperationName\\n| project GrantAuthentication, GrantOperation, CorrelationId\\n) on CorrelationId\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantInitiatedByUserPrincipalName, GrantInitiatedByAadUserId, GrantInitiatedByAppName, GrantInitiatedByAppServicePrincipalId, GrantIpAddress, GrantUserAgent, AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull\\n| extend Name = tostring(split(GrantInitiatedByUserPrincipalName,\u0027@\u0027,0)[0]), UPNSuffix = tostring(split(GrantInitiatedByUserPrincipalName,\u0027@\u0027,1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"GrantInitiatedByUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"GrantInitiatedByAadUserId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"GrantInitiatedByAppServicePrincipalId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"GrantIpAddress\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Suspicious application consent for offline access\",\"description\":\"This will alert when a user consents to provide a previously-unknown Azure application with offline access via OAuth.\\nOffline access will provide the Azure App with access to the listed resources without requiring two-factor authentication.\\nConsent to applications with offline access and read capabilities should be rare, especially as the knownApplications list is expanded. Public contributions to expand this filter are welcome!\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2024-01-09T00:00:00Z\",\"createdDateUTC\":\"2020-06-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d0aa8969-1bbe-4da3-9e76-09e5f67c9d85\",\"name\":\"d0aa8969-1bbe-4da3-9e76-09e5f67c9d85\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.2\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h; // Look back 1 hour for AzureDiagnostics logs\\nlet ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators\\n// Fetch threat intelligence indicators related to IP addresses\\nlet IP_Indicators = ThreatIntelligenceIndicator\\n | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n | where TimeGenerated \u003e= ago(ioc_lookBack)\\n | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \\\"fe80\\\" and TI_ipEntity !startswith \\\"::\\\" and TI_ipEntity !startswith \\\"127.\\\"\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n | where Active == true and ExpirationDateTime \u003e now();\\n// Perform a join between IP indicators and AzureDiagnostics logs for SQL Security Audit events\\nIP_Indicators\\n // Use innerunique to keep performance fast and result set low, as we only need one match to indicate potential malicious activity that needs investigation\\n | join kind=innerunique (\\n AzureDiagnostics\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where ResourceProvider == \u0027MICROSOFT.SQL\u0027\\n | where Category == \u0027SQLSecurityAuditEvents\u0027\\n | extend SQLSecurityAuditEvents_TimeGenerated = TimeGenerated\\n | extend ClientIP = column_ifexists(\\\"client_ip_s\\\", \\\"Not Available\\\")\\n | extend Action = column_ifexists(\\\"action_name_s\\\", \\\"Not Available\\\")\\n | extend Application = column_ifexists(\\\"application_name_s\\\", \\\"Not Available\\\")\\n | extend HostName = column_ifexists(\\\"host_name_s\\\", \\\"Not Available\\\")\\n )\\n on $left.TI_ipEntity == $right.ClientIP\\n // Filter out logs that occurred after the expiration of the corresponding indicator\\n | where SQLSecurityAuditEvents_TimeGenerated \u003c ExpirationDateTime\\n // Group the results by IndicatorId and ClientIP, and keep the log entry with the latest timestamp\\n | summarize SQLSecurityAuditEvents_TimeGenerated = arg_max(SQLSecurityAuditEvents_TimeGenerated, *) by IndicatorId, ClientIP\\n // Select the desired output fields\\n | project SQLSecurityAuditEvents_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\n TI_ipEntity, ResourceId, ClientIP, Action, Application, HostName, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, Type\\n // Rename the timestamp field\\n | extend timestamp = SQLSecurityAuditEvents_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"TI Map IP Entity to Azure SQL Security Audit Events\",\"description\":\"This query maps any IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in SQL Security Audit Events.\",\"lastUpdatedDateUTC\":\"2024-07-09T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureSql\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6dd2629c-534b-4275-8201-d7968b4fa77e\",\"name\":\"6dd2629c-534b-4275-8201-d7968b4fa77e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"SecurityEvent\\n| where EventID == 4657\\n| extend EventData = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, TargetAccount, Computer, EventSourceName, Channel, Task, Level, EventID, Activity, TargetLogonId, SourceComputerId, EventOriginId, Type, _ResourceId, TenantId, SourceSystem, ManagementGroupName, IpAddress, Account)\\n| extend ObjectName = column_ifexists(\u0027ObjectName\u0027, \\\"\\\"), OperationType = column_ifexists(\u0027OperationType\u0027, \\\"\\\"), ObjectValueName = column_ifexists(\u0027ObjectValueName\u0027, \\\"\\\")\\n| where ObjectName has \u0027Schedule\\\\\\\\TaskCache\\\\\\\\Tree\u0027 and ObjectValueName == \\\"SD\\\" and OperationType == \\\"%%1906\\\" // %%1906 - Registry value deleted\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| extend AccountName = tostring(split(TargetAccount, @\u0027\\\\\u0027)[1]), AccountNTDomain = tostring(split(TargetAccount, @\u0027\\\\\u0027)[0])\\n| extend timestamp = TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetAccount\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Scheduled Task Hide\",\"description\":\"This query detects attempts by malware to hide the scheduled task by deleting the SD (Security Descriptor) value. Removal of SD value results in the scheduled task disappearing from schtasks /query and Task Scheduler.\\n The query requires auditing to be turned on for HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tree registry hive as well as audit policy for registry auditing to be turned on.\\n Reference: https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/\\n Reference: https://4sysops.com/archives/audit-changes-in-the-windows-registry/\",\"lastUpdatedDateUTC\":\"2024-03-13T00:00:00Z\",\"createdDateUTC\":\"2022-04-12T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b8b8ba09-1e89-45a1-8bd7-691cd23bfa32\",\"name\":\"b8b8ba09-1e89-45a1-8bd7-691cd23bfa32\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"High\",\"query\":\"let query_frequency = 15m;\\nlet missing_period = 1h;\\n//Enter a reference list of hostnames for your DC servers\\nlet DCServersList = dynamic ([\\\"DC01.simulandlabs.com\\\",\\\"DC02.simulandlabs.com\\\"]);\\n//Alternatively, a Watchlist can be used\\n//let DCServersList = _GetWatchlist(\u0027HostName-DomainControllers\u0027) | project HostName;\\nHeartbeat\\n| summarize arg_max(TimeGenerated, *) by Computer\\n| where Computer in (DCServersList)\\n//You may specify the OS type of your Domain Controllers\\n//| where OSType == \u0027Windows\u0027\\n| where TimeGenerated between (ago(query_frequency + missing_period) .. ago(missing_period))\\n| project TimeGenerated, Computer, OSType, Version, ComputerEnvironment, Type, Solutions\\n| sort by TimeGenerated asc\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"Impact\",\"DefenseEvasion\"],\"displayName\":\"Missing Domain Controller Heartbeat\",\"description\":\"This detection will go over the heartbeats received from the agents of Domain Controllers over the last hour, and will create alerts if the last heartbeats were received an hour ago.\",\"lastUpdatedDateUTC\":\"2024-07-15T00:00:00Z\",\"createdDateUTC\":\"2021-11-23T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/074ce265-f684-41cd-af07-613c5f3e6d0d\",\"name\":\"074ce265-f684-41cd-af07-613c5f3e6d0d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.6.1\",\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"irf.services\\\",\\\"microsoft-onthehub.com\\\",\\\"msofficelab.com\\\",\\\"com-mailbox.com\\\",\\\"my-sharefile.com\\\",\\\"my-sharepoints.com\\\",\\n\\\"accounts-web-mail.com\\\",\\\"customer-certificate.com\\\",\\\"session-users-activities.com\\\",\\\"user-profile-credentials.com\\\",\\\"verify-linke.com\\\",\\\"support-servics.net\\\",\\n\\\"onedrive-sharedfile.com\\\",\\\"onedrv-live.com\\\",\\\"transparencyinternational-my-sharepoint.com\\\",\\\"transparencyinternational-my-sharepoints.com\\\",\\\"soros-my-sharepoint.com\\\"]);\\n(union isfuzzy=true\\n (CommonSecurityLog\\n | where Message has_any (DomainNames)\\n | parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 *\\n | extend AccountName = SourceUserID, DeviceName, IPAddress = SourceIP\\n ),\\n (_Im_Dns(domain_has_any=DomainNames)\\n | where DnsQuery has_any (DomainNames)\\n | extend IPAddress = SrcIpAddr, DeviceName = Dvc\\n ),\\n (VMConnection\\n | where RemoteDnsCanonicalNames has_any (DomainNames)\\n | parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n | extend IPAddress = RemoteIp, DeviceName = Computer\\n ),\\n (AzureDiagnostics \\n | where ResourceType == \\\"AZUREFIREWALLS\\\"\\n | where Category == \\\"AzureFirewallApplicationRule\\\"\\n | parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n | where DestinationHost has_any (DomainNames)\\n | extend DNSName = DestinationHost \\n | extend IPAddress = SourceHost\\n ),\\n (AzureDiagnostics\\n | where ResourceType == \\\"AZUREFIREWALLS\\\"\\n | where Category == \\\"AzureFirewallDnsProxy\\\"\\n | project TimeGenerated,Resource, msg_s, Type\\n | parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n | where Request_Name has_any (DomainNames)\\n | extend DNSName = Request_Name\\n | extend IPAddress = ClientIP\\n ),\\n (AZFWApplicationRule\\n | where isnotempty(Fqdn)\\n | where Fqdn has_any (DomainNames) \\n | extend DNSName = Fqdn \\n | extend IPAddress = SourceIp\\n ),\\n (AZFWDnsQuery\\n | where isnotempty(QueryName)\\n | where QueryName has_any (DomainNames)\\n | extend DNSName = QueryName\\n | extend IPAddress = SourceIp\\n ),\\n (\\n _Im_WebSession(url_has_any=DomainNames)\\n | extend IPAddress=IpAddr, DeviceName=Hostname, AccountName = tostring(split(User, \\\"@\\\")[0]), AccountDomain = tostring(split(User, \\\"@\\\")[1])\\n )\\n)\\n| where DNSName has_any (DomainNames)\\n| extend timestamp = TimeGenerated\\n| extend HostName = tostring(split(DeviceName, \\\".\\\")[0]), DomainIndex = toint(indexof(DeviceName, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(DeviceName, DomainIndex + 1), DeviceName)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"User\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DeviceName\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Known Forest Blizzard group domains - July 2019\",\"description\":\"Matches domain name IOCs related to Forest Blizzard group activity published July 2019 with CommonSecurityLog, DnsEvents and VMConnection dataTypes.\\nReferences: https://blogs.microsoft.com/on-the-issues/2019/07/17/new-cyberthreats-require-new-ways-to-protect-democracy/.\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2019-07-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\",\"AZFWApplicationRule\",\"AZFWDnsQuery\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c805d9b1-97e7-4bc0-9172-67edb36273e4\",\"name\":\"c805d9b1-97e7-4bc0-9172-67edb36273e4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Microsoft 365 Insider Risk Management\",\"displayName\":\"(Private Preview) Create incidents based on Microsoft 365 Insider Risk Management\",\"description\":\"Create incidents based on all alerts generated in Microsoft 365 Insider Risk Management\",\"lastUpdatedDateUTC\":\"2021-05-13T00:00:00Z\",\"createdDateUTC\":\"2021-05-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"OfficeIRM\",\"dataTypes\":[\"SecurityAlert (OfficeIRM)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e70fa6e0-796a-4e85-9420-98b17b0bb749\",\"name\":\"e70fa6e0-796a-4e85-9420-98b17b0bb749\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"High\",\"query\":\"DeviceInfo\\n| extend DeviceName = tolower(DeviceName)\\n| join (SecurityAlert\\n| where ProviderName =~ \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| where ThreatName has \\\"Solorigate\\\"\\n) on $left.DeviceName == $right.CompromisedEntity\\n| project TimeGenerated, DisplayName, ThreatName, CompromisedEntity, PublicIP, MachineGroup, AlertSeverity, Description, LoggedOnUsers, DeviceId, TenantId\\n| extend HostName = tostring(split(CompromisedEntity, \\\".\\\")[0]), DomainIndex = toint(indexof(CompromisedEntity, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(CompromisedEntity, DomainIndex + 1), CompromisedEntity)\\n| project-away DomainIndex\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CompromisedEntity\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"PublicIP\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Solorigate Defender Detections\",\"description\":\"Surfaces any Defender Alert for Solorigate Events. In Microsoft Sentinel the SecurityAlerts table includes only the Device Name of the affected device, this query joins the DeviceInfo table to clearly connect other information such as\\n Device group, ip, logged on users etc. This way, the Microsoft Sentinel user can have all the pertinent device info in one view for all the the Solarigate Defender alerts.\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2020-12-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftDefenderAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert (MDATP)\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceInfo\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c61ad0ac-ad68-4ebb-b41a-74296d3e0044\",\"name\":\"c61ad0ac-ad68-4ebb-b41a-74296d3e0044\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"Event\\n| where EventLog =~ \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID in (13)\\n| parse EventData with * \u0027TargetObject\\\"\u003e\u0027 TargetObject \\\"\u003c\\\" * \u0027Details\\\"\u003e\u0027 Details \\\"\u003c\\\" * \\n| where TargetObject has (\\\"\\\\\\\\Control\\\\\\\\Session Manager\\\\\\\\AppCertDLLs\\\\\\\\\\\")\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventID, Computer, TargetObject, Details\\n| extend HostName = iif(Computer has \u0027.\u0027,substring(Computer,0,indexof(Computer,\u0027.\u0027)),Computer) , DnsDomain = iif(Computer has \u0027.\u0027,substring(Computer,indexof(Computer,\u0027.\u0027)+1),\u0027\u0027)\",\"entityMappings\":[{\"entityType\":\"RegistryKey\",\"fieldMappings\":[{\"identifier\":\"Key\",\"columnName\":\"TargetObject\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Registry Persistence via AppCert DLL Modification\",\"description\":\"Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppCert DLLs loaded into processes. \\nDynamic-link libraries (DLLs) that are specified in the AppCertDLLs Registry key under HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Control\\\\Session Manager\\\\ are loaded into every process that calls the ubiquitously used application programming interface (API) functions CreateProcess, CreateProcessAsUser, CreateProcessWithLoginW, CreateProcessWithTokenW, or WinExec.\\nRef: https://attack.mitre.org/techniques/T1546/009/\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-03-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4e5914a4-2ccd-429d-a845-fa597f0bd8c5\",\"name\":\"4e5914a4-2ccd-429d-a845-fa597f0bd8c5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"High\",\"query\":\"let Hive_threats = dynamic([\\\"Ransom:Win64/Hive\\\", \\\"Ransom:Win32/Hive\\\"]);\\nDeviceInfo\\n| extend DeviceName = tolower(DeviceName)\\n| join kind=inner ( SecurityAlert\\n| where ProviderName == \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)\\n| where ThreatName in~ (Hive_threats) or ThreatFamilyName in~ (Hive_threats)\\n| extend CompromisedEntity = tolower(CompromisedEntity)\\n) on $left.DeviceName == $right.CompromisedEntity\\n| summarize by bin(TimeGenerated, 1d), DisplayName, ThreatName, ThreatFamilyName, PublicIP, AlertSeverity, Description, tostring(LoggedOnUsers), DeviceId, TenantId , CompromisedEntity, tostring(LoggedOnUsers), ProductName, Entities\\n| extend HostName = tostring(split(CompromisedEntity, \\\".\\\")[0]), DomainIndex = toint(indexof(CompromisedEntity, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(CompromisedEntity, DomainIndex + 1), CompromisedEntity)\\n| project-away DomainIndex\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CompromisedEntity\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"PublicIP\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"AV detections related to Hive Ransomware\",\"description\":\"This query looks for Microsoft Defender AV detections related to Hive Ransomware.\\nIn Microsoft Sentinel the SecurityAlerts table includes only the Device Name of the affected device, this query joins the DeviceInfo table to clearly connect other information such as Device group, ip, logged on users etc. This would allow the Microsoft Sentinel analyst to have more context related to the alert, if available.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-04-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9adbd1c3-a4be-44ef-ac2f-503fd25692ee\",\"name\":\"9adbd1c3-a4be-44ef-ac2f-503fd25692ee\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P8D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let threshold = 100;\\nlet timeRange = ago(7d);\\nlet timeBuffer = 1;\\nSigninLogs \\n| where TimeGenerated \u003e timeRange\\n| where ResultType == \\\"50057\\\" \\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), disabledAccountLoginAttempts = count(), \\ndisabledAccountsTargeted = dcount(UserPrincipalName), applicationsTargeted = dcount(AppDisplayName), disabledAccountSet = make_set(UserPrincipalName), \\napplicationSet = make_set(AppDisplayName) by IPAddress, AppId\\n| order by disabledAccountLoginAttempts desc\\n| join kind=inner (\\n // IPs are considered suspicious - and any related successful sign-ins are detected\\n SigninLogs\\n | where TimeGenerated \u003e timeRange\\n | where ResultType == 0\\n | summarize successSigninStart = min(TimeGenerated), successSigninEnd = max(TimeGenerated), successfulAccountSigninCount = dcount(UserPrincipalName), successfulAccountSigninSet = make_set(UserPrincipalName, 15) by IPAddress\\n // Assume IPs associated with sign-ins from 100+ distinct user accounts are safe\\n | where successfulAccountSigninCount \u003c threshold\\n) on IPAddress \\n// IPs where attempts to authenticate as disabled user accounts originated, and had a non-zero success rate for some other account\\n| where successfulAccountSigninCount != 0\\n// Successful Account Signins occur within the same lookback period as the failed \\n| extend SuccessBeforeFailure = iff(successSigninStart \u003e= StartTime and successSigninEnd \u003c= EndTime, true, false) \\n| project StartTime, EndTime, IPAddress, disabledAccountLoginAttempts, disabledAccountsTargeted, disabledAccountSet, applicationSet, \\nsuccessfulAccountSigninCount, successfulAccountSigninSet, successSigninStart, successSigninEnd, AppId\\n| order by disabledAccountLoginAttempts\\n// Break up the string of Succesfully signed into accounts into individual events\\n| mvexpand successfulAccountSigninSet\\n| extend JoinedOnIp = IPAddress\\n| join kind = inner (\\n OfficeActivity\\n | where TimeGenerated \u003e timeRange\\n | where Operation in~ ( \\\"Add-MailboxPermission\\\", \\\"Add-MailboxFolderPermission\\\", \\\"Set-Mailbox\\\", \\\"New-ManagementRoleAssignment\\\", \\\"New-InboxRule\\\", \\\"Set-InboxRule\\\", \\\"Set-TransportRule\\\") and not(UserId has_any (\u0027NT AUTHORITY\\\\\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\u0027, \u0027NT AUTHORITY\\\\\\\\SYSTEM (w3wp)\u0027, \u0027devilfish-applicationaccount\u0027))\\n // Remove port from the end of the IP and/or square brackets around IP, if they exist \\n | extend JoinedOnIp = case(\\n ClientIP matches regex @\u0027\\\\[((25[0-5]2[0-4][0-9]|[01]?[0-9][0-9]?)\\\\.){3}(25[0-5]2[0-4][0-9]|[01]?[0-9][0-9]?)\\\\]-\\\\d{1,5}\u0027, tostring(extract(\u0027\\\\\\\\[([0-9]+\\\\\\\\.[0-9]+\\\\\\\\.[0-9]+)\\\\\\\\]-[0-9]+\u0027, 1, ClientIP)),\\n ClientIP matches regex @\u0027\\\\[((25[0-5]2[0-4][0-9]|[01]?[0-9][0-9]?)\\\\.){3}(25[0-5]2[0-4][0-9]|[01]?[0-9][0-9]?)\\\\]\u0027, tostring(extract(\u0027\\\\\\\\[([0-9]+\\\\\\\\.[0-9]+\\\\\\\\.[0-9]+)\\\\\\\\]\u0027, 1, ClientIP)), \\n ClientIP matches regex @\u0027(((25[0-5]2[0-4][0-9]|[01]?[0-9][0-9]?)\\\\.){3}(25[0-5]2[0-4][0-9]|[01]?[0-9][0-9]?))-\\\\d{1,5}\u0027, tostring(extract(\u0027([0-9]+\\\\\\\\.[0-9]+\\\\\\\\.[0-9]+)-[0-9]+\u0027, 1, ClientIP)),\\n ClientIP matches regex @\u0027((25[0-5]2[0-4][0-9]|[01]?[0-9][0-9]?)\\\\.){3}(25[0-5]2[0-4][0-9]|[01]?[0-9][0-9]?)\u0027, ClientIP, \\n ClientIP matches regex @\u0027\\\\[((?:[0-9a-fA-F]{1,4}::?){1,8}[0-9a-fA-F]{1,4}|\\\\d{1,3}(?:\\\\.\\\\d{1,3}){3})\\\\]-\\\\d{1,5}\u0027, tostring(extract(\u0027\\\\\\\\[((?:[0-9a-fA-F]{1,4}::?){1,8}[0-9a-fA-F]{1,4}|\\\\\\\\d{1,3}(?:\\\\\\\\.\\\\\\\\d{1,3}){3})\\\\\\\\]-[0-9]+\u0027, 1, ClientIP)),\\n ClientIP matches regex @\u0027\\\\[((?:[0-9a-fA-F]{1,4}::?){1,8}[0-9a-fA-F]{1,4}|\\\\d{1,3}(?:\\\\.\\\\d{1,3}){3})\\\\]\u0027, tostring(extract(\u0027\\\\\\\\[((?:[0-9a-fA-F]{1,4}::?){1,8}[0-9a-fA-F]{1,4}|\\\\\\\\d{1,3}(?:\\\\\\\\.\\\\\\\\d{1,3}){3})\\\\\\\\]\u0027, 1, ClientIP)), \\n ClientIP matches regex @\u0027((?:[0-9a-fA-F]{1,4}::?){1,8}[0-9a-fA-F]{1,4}|\\\\d{1,3}(?:\\\\.\\\\d{1,3}){3})-\\\\d{1,5}\u0027, tostring(extract(\u0027((?:[0-9a-fA-F]{1,4}::?){1,8}[0-9a-fA-F]{1,4}|\\\\\\\\d{1,3}(?:\\\\\\\\.\\\\\\\\d{1,3}){3})-[0-9]+\u0027, 1, ClientIP)),\\n ClientIP matches regex @\u0027((?:[0-9a-fA-F]{1,4}::?){1,8}[0-9a-fA-F]{1,4}|\\\\d{1,3}(?:\\\\.\\\\d{1,3}){3})\u0027, ClientIP,\\n \\\"\\\")\\n | where isnotempty(JoinedOnIp)\\n | extend OfficeTimeStamp = ElevationTime, UserPrincipalName = UserId\\n) on JoinedOnIp\\n// Rare and risky operations only happen within a certain time range of the successful sign-in\\n| where OfficeTimeStamp \u003e= successSigninStart and datetime_diff(\u0027day\u0027, OfficeTimeStamp, successSigninEnd) \u003c= timeBuffer\\n| extend AccountName = tostring(split(UserPrincipalName, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(UserPrincipalName, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"JoinedOnIp\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]},{\"entityType\":\"CloudApplication\",\"fieldMappings\":[{\"identifier\":\"AppId\",\"columnName\":\"ApplicationId\"}]}],\"tactics\":[\"InitialAccess\",\"Persistence\",\"Collection\"],\"displayName\":\"High risk Office operation conducted by IP Address that recently attempted to log into a disabled account\",\"description\":\"It is possible that a disabled user account is compromised and another account on the same IP is used to perform operations that are not typical for that user.\\n The query filters the SigninLogs for entries where ResultType is indicates a disabled account and the TimeGenerated is within a defined time range.\\n It then summarizes these entries by IPAddress and AppId, calculating various statistics such as number of login attempts, distinct UPNs, App IDs etc and joins these results with another set of results from SigninLogs, filtering for entries with less than normal number of successful sign-ins.\\n It then filters out entries where there were no successful sign-ins or where successful sign-ins did not occur within the same lookback period as the failed sign-ins, later projecting relevant fields by the count of login attempts, and expands the set of successful sign-ins into individual events.\\n Finally, it joins these results with entries from OfficeActivity where certain operations deemed rare and high risk have been performed, ensuring their occurrance within a certain time range of the successful sign-ins.\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2023-10-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d992b87b-eb49-4a9d-aa96-baacf9d26247\",\"name\":\"d992b87b-eb49-4a9d-aa96-baacf9d26247\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"Medium\",\"query\":\"let IPList = dynamic([\\\"185.63.90.137\\\"]); \\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\nlet sha256Hashes = \\ndynamic([\\\"53854c6d163bfd0c56d8b297ac43bd25c21f696de6063031241e792ee65df441\\\",\\n\\\"c297e545b8f150cc5ff56dbb68dc74fe30a421d9d40f38f4a53083192697c44c\\\",\\n\\\"17921368901f23e0cad0d2fe4ce5694aebaf4727699ed0358117500701914d1b\\\",\\n\\\"198a2d42df010d838b4207f478d885ef36e3db13b1744d673e221b828c28bf77\\\",\\n\\\"71d7b48c2fdc7b57b104a7858a35165bbed21d2fa7e34828d6c1d50b2b33a1d0\\\",\\n\\\"601227d52c6e367e11b80240183d07d38bc11a88e844e8401fce17eb25e92ba8\\\",\\n\\\"63ff04bed4fdb120a9cb9b1ea7fd88e83f12fb01ab6a057088f8016e663b48d4\\\",\\n\\\"a3037c3389b811bc1404f719af5c8b9034c5e24710cf3a0b457d28bf1b922cf7\\\",\\n\\\"e19b8be1b21c066d60725e550f8455f824065abbf1b43f7b2fe4fb338b241ffc\\\",\\n\\\"a3037c3389b811bc1404f719af5c8b9034c5e24710cf3a0b457d28bf1b922cf7\\\"\\n]);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList) \\n| project TimeGenerated, SourceIP, DestinationIP, Message, SourceUserID, RequestURL\\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", MessageIP in (IPList), \\\"Message\\\", \\\"NoMatch\\\")\\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, \\\"NoMatch\\\"), AccountCustomEntity = SourceUserID\\n),\\n(DeviceNetworkEvents\\n| where RemoteIP in (IPList) or InitiatingProcessSHA256 in (sha256Hashes) \\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort, LocalIP\\n| extend timestamp = TimeGenerated, DNSName = RemoteUrl, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName\\n),\\n(WindowsFirewall\\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| project TimeGenerated, Computer, CommunicationDirection, SourceIP, DestinationIP, SourcePort, DestinationPort\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\")\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| project TimeGenerated,Resource, msg_s\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost) \\n| where SourceHost in (IPList) or DestinationHost in (IPList)\\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost\\n),\\n(AZFWApplicationRule\\n| where isnotempty(Fqdn)\\n| where SourceIp in (IPList) or Fqdn in (IPList)\\n| extend timestamp = TimeGenerated\\n| extend DNSName = Fqdn\\n| extend IPCustomEntity = SourceIp\\n),\\n(AZFWDnsQuery\\n| where isnotempty(QueryName)\\n| where SourceIp in (IPList) or QueryName in (IPList)\\n| extend timestamp = TimeGenerated\\n| extend DNSName = QueryName\\n| extend IPCustomEntity = SourceIp\\n),\\n(DeviceFileEvents\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RequestAccountName, RequestSourceIP, InitiatingProcessSHA256\\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n| where FileHash in (sha256Hashes)\\n),\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, SourceUserID, FileHash\\n| extend timestamp = TimeGenerated, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(DeviceEvents\\n| where InitiatingProcessSHA256 in~ (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256\\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(SecurityEvent\\n| where EventID == \u00274688\u0027\\n| where CommandLine has_any (IPList) \\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName\\n),\\n(WindowsEvent\\n| where EventID == \u00274688\u0027 and has_any_ipv4(EventData, toscalar(IPList)) \\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| where NewProcessName in (IPList) \\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| extend Account = strcat(EventData.SubjectDomainName,\\\"\\\\\\\\\\\", EventData.SubjectUserName)\\n| extend NewProcessId = tostring(EventData.NewProcessId)\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"[Deprecated] - Alert for IOCs related to Windows/ELF malware - IP, Hash IOCs - September 2021\",\"description\":\"This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft\u0027s Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2021-09-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceFileEvents\",\"DeviceEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\",\"AZFWApplicationRule\",\"AZFWDnsQuery\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/18dbdc22-b69f-4109-9e39-723d9465f45f\",\"name\":\"18dbdc22-b69f-4109-9e39-723d9465f45f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ActiniumIOC.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet AVHits = (iocs | where Type =~ \\\"AVDetection\\\"| project IoC);\\nSecurityAlert\\n| where ProviderName == \u0027MDATP\u0027\\n| extend ThreatName_ = tostring(parse_json(ExtendedProperties).ThreatName)\\n| where ThreatName_ has_any (AVHits)\\n| extend Directory = tostring(parse_json(Entities)[0].Directory), SHA256 = tostring(parse_json(tostring(parse_json(Entities)[0].FileHashes))[2].Value), FileName = tostring(parse_json(Entities)[0].Name), Hostname = tostring(parse_json(Entities)[6].FQDN)| extend AccountName = tostring(parse_json(tostring(parse_json(Entities)[6].LoggedOnUsers))[0].AccountName)\\n| project TimeGenerated, AlertName, ThreatName_, ProviderName, AlertSeverity, Description, RemediationSteps, ExtendedProperties, Entities, FileName,SHA256, Directory, Hostname, AccountName\\n| extend timestamp = TimeGenerated, HostCustomEntity = Hostname , AccountCustomEntity = AccountName, FileHashCustomEntity = SHA256, FileHashType = \\\"SHA256\\\"\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashType\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Aqua Blizzard AV hits - Feb 2022\",\"description\":\"Identifies a match in the Security Alert table for MDATP hits related to the Aqua Blizzard actor\",\"lastUpdatedDateUTC\":\"2023-07-18T00:00:00Z\",\"createdDateUTC\":\"2022-02-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftDefenderAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert (MDATP)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b6d03b88-4d27-49a2-9c1c-29f1ad2842dc\",\"name\":\"b6d03b88-4d27-49a2-9c1c-29f1ad2842dc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"let oneDriveCalls = dynamic([\u0027graph.microsoft.com/v1.0/me/drive/root:/Documents/data.txt:/content\u0027,\u0027graph.microsoft.com/v1.0/me/drive/root:/Documents/response.json:/content\u0027]);\\nlet oneDriveCallsRegex = dynamic([@\u0027graph\\\\.microsoft\\\\.com\\\\/v1\\\\.0\\\\/me\\\\/drive\\\\/root\\\\:\\\\/Uploaded\\\\/.*\\\\:\\\\/content\u0027,@\u0027graph\\\\.microsoft\\\\.com\\\\/v1\\\\.0\\\\/me\\\\/drive\\\\/root\\\\:\\\\/Downloaded\\\\/.*\\\\:\\\\/content\u0027]);\\nCommonSecurityLog\\n| where RequestURL has_any (oneDriveCalls) or RequestURL matches regex tostring(oneDriveCallsRegex[0]) or RequestURL matches regex tostring(oneDriveCallsRegex[1])\\n| project TimeGenerated, DeviceVendor, DeviceProduct, DeviceAction, DestinationDnsDomain, DestinationIP, RequestURL, SourceIP, SourceHostName, RequestClientApplication\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"SourceHostName\"}]}],\"tactics\":[\"Exfiltration\",\"CommandAndControl\"],\"displayName\":\"CreepyDrive URLs\",\"description\":\"CreepyDrive uses OneDrive for command and control. This detection identifies URLs specific to CreepyDrive.\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2022-05-31T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/186970ee-5001-41c1-8c73-3178f75ce96a\",\"name\":\"186970ee-5001-41c1-8c73-3178f75ce96a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"High\",\"query\":\"let Europium_threats = dynamic([\\\"TrojanDropper:ASP/WebShell!MSR\\\", \\\"Trojan:Win32/BatRunGoXml\\\", \\\"DoS:Win64/WprJooblash\\\", \\\"Ransom:Win32/Eagle!MSR\\\", \\\"Trojan:Win32/Debitom.A\\\"]);\\nDeviceInfo\\n| extend DeviceName = tolower(DeviceName)\\n| join kind=inner ( SecurityAlert\\n| where ProviderName == \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)\\n| where ThreatName in~ (Europium_threats) or ThreatFamilyName in~ (Europium_threats)\\n| extend CompromisedEntity = tolower(CompromisedEntity)\\n) on $left.DeviceName == $right.CompromisedEntity\\n| summarize by DisplayName, ThreatName, ThreatFamilyName, PublicIP, AlertSeverity, Description, tostring(LoggedOnUsers), DeviceId, TenantId, bin(TimeGenerated, 1d), CompromisedEntity, tostring(LoggedOnUsers), ProductName, Entities\\n| extend HostName = tostring(split(CompromisedEntity, \\\".\\\")[0]), DomainIndex = toint(indexof(CompromisedEntity, \u0027.\u0027))\\n| extend HostNameDomain = iff(CompromisedEntity != -1, substring(CompromisedEntity, DomainIndex + 1), CompromisedEntity)\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CompromisedEntity\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"PublicIP\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"AV detections related to Europium actors\",\"description\":\"This query looks for Microsoft Defender AV detections related to Europium actor. \\nIn Microsoft Sentinel the SecurityAlerts table includes only the Device Name of the affected device, this query joins the DeviceInfo table to clearly connect other information such as Device group, ip, etc. This would allow the Microsoft Sentinel analyst to have more context related to the alert, if available.\\n Reference: https://www.microsoft.com/security/blog/2022/09/08/microsoft-investigates-iranian-attacks-against-the-albanian-government \",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-04-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"SecurityAlert\",\"DeviceInfo\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0ee2aafb-4500-4e36-bcb1-e90eec2f0b9b\",\"name\":\"0ee2aafb-4500-4e36-bcb1-e90eec2f0b9b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.3\",\"severity\":\"Low\",\"query\":\"AWSCloudTrail\\n| where EventName =~ \\\"ConsoleLogin\\\"\\n| extend MFAUsed = tostring(parse_json(AdditionalEventData).MFAUsed), LoginResult = tostring(parse_json(ResponseElements).ConsoleLogin)\\n| where MFAUsed !~ \\\"Yes\\\" and LoginResult !~ \\\"Failure\\\"\\n| where SessionIssuerUserName !contains \\\"AWSReservedSSO\\\"\\n| extend UserIdentityArn = iif(isempty(UserIdentityArn), tostring(parse_json(Resources)[0].ARN), UserIdentityArn)\\n| extend UserName = tostring(split(UserIdentityArn, \u0027/\u0027)[-1])\\n| extend AccountName = case( UserIdentityPrincipalid == \\\"Anonymous\\\", \\\"Anonymous\\\", isempty(UserIdentityUserName), UserName, UserIdentityUserName)\\n| extend AccountName = iif(AccountName contains \\\"@\\\", tostring(split(AccountName, \u0027@\u0027, 0)[0]), AccountName),\\n AccountUPNSuffix = iif(AccountName contains \\\"@\\\", tostring(split(AccountName, \u0027@\u0027, 1)[0]), \\\"\\\")\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, LoginResult, MFAUsed, RecipientAccountId, AccountName, AccountUPNSuffix, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent,\\n UserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"},{\"identifier\":\"CloudAppAccountId\",\"columnName\":\"RecipientAccountId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIpAddress\"}]}],\"tactics\":[\"DefenseEvasion\",\"PrivilegeEscalation\",\"Persistence\",\"InitialAccess\"],\"displayName\":\"NRT Login to AWS Management Console without MFA\",\"description\":\"Multi-Factor Authentication (MFA) helps you to prevent credential compromise. This alert identifies logins to the AWS Management Console without MFA.\\nYou can limit this detection to trigger for administrative accounts if you do not have MFA enabled on all accounts.\\nThis is done by looking at the eventName ConsoleLogin and if the AdditionalEventData field indicates MFA was NOT used and the ResponseElements field indicates NOT a Failure. Thereby indicating that a non-MFA login was successful.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/15049017-527f-4d3b-b011-b0e99e68ef45\",\"name\":\"15049017-527f-4d3b-b011-b0e99e68ef45\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Medium\",\"query\":\"let procList = externaldata(Process:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Microsoft_Lolbas_Execution_Binaries.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nSecurityEvent\\n| where EventID == 4688 and Process has_any (procList) and not (NewProcessName has (\\\"C:\\\\\\\\Windows\\\\\\\\\\\"))\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, SubjectUserName, NewProcessName, Process, CommandLine\\n| extend Name=tostring(split(SubjectUserName, \\\"@\\\")[0]), UPNSuffix=tostring(split(SubjectUserName, \\\"@\\\")[1])\\n| extend HostName = iif(Computer has \u0027.\u0027,substring(Computer,0,indexof(Computer,\u0027.\u0027)),Computer) , DnsDomain = iif(Computer has \u0027.\u0027,substring(Computer,indexof(Computer,\u0027.\u0027)+1),\u0027\u0027)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLine\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"Windows Binaries Executed from Non-Default Directory\",\"description\":\"The query detects Windows binaries, that can be executed from a non-default directory (e.g. C:\\\\Windows\\\\, C:\\\\Windows\\\\System32 etc.). \\nRef: https://lolbas-project.github.io/\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/595a10c9-91be-4abb-bbc7-ae9c57848bef\",\"name\":\"595a10c9-91be-4abb-bbc7-ae9c57848bef\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"Low\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ChiaCryptoIOC.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet process = (iocs | where Type =~ \\\"process\\\" | project IoC);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\nlet IPList = (iocs | where Type =~ \\\"ip\\\"| project IoC);\\nlet domains = (iocs | where Type =~ \\\"domainname\\\"| project IoC);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or DestinationHostName has_any (domains) or RequestURL has_any (domains) or Message has_any (IPList)\\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| project TimeGenerated, SourceIP, DestinationIP, Message, SourceUserID, RequestURL, DNSName, Type\\n| extend MessageIP = extract(IPRegex, 0, Message), RequestIP = extract(IPRegex, 0, RequestURL)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", RequestURL has_any (domains), \\\"RequestUrl\\\", \\\"NoMatch\\\"), AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, IPEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, \\\"NoMatch\\\"), Account = SourceUserID\\n),\\n(DnsEvents\\n| where IPAddresses in (IPList) or Name in~ (domains) \\n| project TimeGenerated, Computer, IPAddresses, Name, ClientIP, Type\\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Computer\\n| extend timestamp = TimeGenerated, IPEntity = DestinationIPAddress\\n),\\n(VMConnection\\n| where SourceIp in (IPList) or DestinationIp in (IPList) or RemoteDnsCanonicalNames has_any (domains)\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| project TimeGenerated, Computer, Direction, ProcessName, SourceIp, DestinationIp, DestinationPort, RemoteDnsQuestions, DNSName,BytesSent, BytesReceived, RemoteCountry, Type\\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated, IPEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"NoMatch\\\"), File = ProcessName\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = tostring(EventDetail.[9].[\\\"#text\\\"]), DestinationIP = tostring(EventDetail.[14].[\\\"#text\\\"]), Image = tostring(EventDetail.[4].[\\\"#text\\\"])\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Image has_any (process)\\n| project TimeGenerated, SourceIP, DestinationIP, Image, Account = UserName, Computer, Type\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated, File = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), IPEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n| extend FilePath = replace_string(Image, File, \u0027\u0027)\\n), \\n(OfficeActivity\\n| where ClientIP in (IPList) \\n| project TimeGenerated, UserAgent, Operation, RecordType, UserId, ClientIP, Type\\n| extend timestamp = TimeGenerated, IPEntity = ClientIP, Account = UserId\\n),\\n(DeviceNetworkEvents\\n| where RemoteUrl has_any (domains) or RemoteIP in (IPList) or InitiatingProcessSHA256 in (sha256Hashes) or InitiatingProcessFileName has_any (process)\\n| project TimeGenerated, ActionType, DeviceId, Computer = DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort, LocalIP, Type\\n| extend timestamp = TimeGenerated, IPEntity = RemoteIP\\n),\\n(WindowsFirewall\\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| project TimeGenerated, Computer, CommunicationDirection, SourceIP, DestinationIP, SourcePort, DestinationPort, Type\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\")\\n| extend timestamp = TimeGenerated, Computer, IPEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| project TimeGenerated,Resource, msg_s, Type\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where Request_Name has_any (domains) or ClientIP in (IPList)\\n| extend timestamp = TimeGenerated, DNSName = Request_Name, IPEntity = ClientIP\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| project TimeGenerated,Resource, msg_s, Type\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (domains) \\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPEntity = SourceHost\\n),\\n(AZFWApplicationRule\\n| where isnotempty (Fqdn)\\n| where Fqdn has_any (domains)\\n| extend timestamp = TimeGenerated\\n| extend DNSName = Fqdn\\n| extend IPEntity = SourceIp\\n),\\n(AZFWDnsQuery\\n| where isnotempty(QueryName)\\n| where QueryName has_any (domains) or SourceIp in (IPList)\\n| extend timestamp = TimeGenerated\\n| extend DNSName = QueryName\\n| extend IPEntity = SourceIp\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| where EventDetail has_any (sha256Hashes) \\n| parse EventDetail with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256\\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = SHA256, Image = tostring(EventDetail.[4].[\\\"#text\\\"])\\n| extend timestamp = TimeGenerated, Computer, Account, File = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), FileHashAlgo = \u0027SHA256\u0027\\n| extend FilePath = replace_string(Image, File, \u0027\u0027)\\n),\\n(DeviceFileEvents\\n| where InitiatingProcessFolderPath has_any (process)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RequestAccountName, RequestSourceIP, InitiatingProcessSHA256, Type\\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256\\n| extend timestamp = TimeGenerated, Computer, Account, File = InitiatingProcessFileName, FileHashAlgo = \u0027SHA256\u0027\\n| extend FilePath = replace_string(InitiatingProcessFolderPath, File, \u0027\u0027)\\n),\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, SourceUserID, FileHash, Type\\n| extend timestamp = TimeGenerated, FileHashAlgo = \u0027SHA256\u0027, Account = SourceUserID\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| project TimeGenerated, EventDetail, UserName, Computer, Type\\n| extend Image = tostring(EventDetail.[4].[\\\"#text\\\"]), CommandLine = tostring(EventDetail.[10].[\\\"#text\\\"]), Account = UserName, FileHash = tostring(EventDetail.[17].[\\\"#text\\\"])\\n| where Image has_any (process)\\n| extend timestamp = TimeGenerated, Computer, Account, File = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), FileHashAlgo = \u0027SHA256\u0027\\n| extend FilePath= replace_string(Image, File, \u0027\u0027)\\n),\\n(DeviceEvents\\n| where InitiatingProcessFileName has_any (process) or InitiatingProcessSHA256 in~ (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath\\n| extend timestamp = TimeGenerated, Computer, Account, File = InitiatingProcessFileName, FileHashAlgo = \u0027SHA256\u0027\\n| extend FilePath = replace_string(InitiatingProcessFolderPath, File, \u0027\u0027)\\n),\\n(SecurityEvent\\n| where EventID == \u00274688\u0027\\n| where NewProcessName has_any (process)\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type\\n| extend timestamp = TimeGenerated, Computer, Account, File = tostring(split(NewProcessName, \u0027\\\\\\\\\u0027, -1)[-1])\\n| extend FilePath = replace_string(NewProcessName, File, \u0027\u0027)\\n)\\n)\\n| extend AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPEntity, FileCustomEntity = File, FilePathCustomEntity = FilePath, FileHashCustomEntity = FileHash\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"FileCustomEntity\"},{\"identifier\":\"Directory\",\"columnName\":\"FilePathCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashAlgo\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"[Deprecated] - Chia_Crypto_Mining - Domain, Process, Hash and IP IOCs - June 2021\",\"description\":\"This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft\u0027s Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2021-06-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceFileEvents\",\"DeviceEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\",\"AZFWApplicationRule\",\"AZFWDnsQuery\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/93a25f10-593d-4c57-a752-a8a75f031425\",\"name\":\"93a25f10-593d-4c57-a752-a8a75f031425\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let baseline_time = 14d;\\nlet detection_time = 1d;\\nDynamics365Activity\\n| where TimeGenerated between(ago(baseline_time)..ago(detection_time-1d))\\n| extend Message = tostring(split(OriginalObjectId, \u0027 \u0027)[0])\\n| where Message =~ \\\"RetrieveMultiple\\\"\\n| extend numQueryCount = todouble(QueryResults)\\n| extend QueryCount = iif(QueryResults contains \\\",\\\", todouble(countof(tostring(QueryResults), \u0027,\u0027) + 1), numQueryCount)\\n| extend QueryCount = iif(isnotempty(QueryCount), QueryCount, double(1))\\n| summarize sum(QueryCount) by UserId\\n| extend HistoricalBaseline = sum_QueryCount\\n| join (Dynamics365Activity\\n| where TimeGenerated \u003e ago(detection_time)\\n| extend Message = tostring(split(OriginalObjectId, \u0027 \u0027)[0])\\n| where Message =~ \\\"RetrieveMultiple\\\"\\n| extend numQueryCount = todouble(QueryResults)\\n| extend QueryCount = iif(QueryResults contains \\\",\\\", todouble(countof(tostring(QueryResults), \u0027,\u0027) + 1), numQueryCount)\\n| extend QueryCount = iif(isnotempty(QueryCount), QueryCount, double(1))\\n| summarize sum(QueryCount) by UserId\\n| extend CurrentExportRate = sum_QueryCount) on UserId\\n| where CurrentExportRate \u003e HistoricalBaseline\\n| project UserId, HistoricalBaseline, CurrentExportRate\\n| join kind=inner(Dynamics365Activity\\n| where TimeGenerated \u003e ago(detection_time)\\n| extend Message = tostring(split(OriginalObjectId, \u0027 \u0027)[0])\\n| where Message =~ \\\"RetrieveMultiple\\\"\\n| extend numQueryCount = todouble(QueryResults)\\n| extend QueryCount = iif(QueryResults contains \\\",\\\", todouble(countof(tostring(QueryResults), \u0027,\u0027) + 1), numQueryCount)\\n| extend QueryCount = iif(isnotempty(QueryCount), QueryCount, double(1))) on UserId\\n| project TimeGenerated, UserId, QueryCount, UserAgent, Message, ClientIP, HistoricalBaseline, CurrentExportRate, CorrelationId, CrmOrganizationUniqueName, Query\\n| summarize QuerySizes = make_set(QueryCount), MostRecentQuery = max(TimeGenerated), IPs = make_set(ClientIP), UserAgents = make_set(UserAgent), make_set(Query) by UserId, CrmOrganizationUniqueName, HistoricalBaseline, CurrentExportRate\\n| extend timestamp = MostRecentQuery, AccountCustomEntity = UserId\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"Collection\"],\"displayName\":\"Dynamics 365 - User Bulk Retrieval Outside Normal Activity\",\"description\":\"This query detects users retrieving significantly more records from Dynamics 365 than they have in the past 2 weeks. This could indicate potentially unauthorized access to data within Dynamics 365.\",\"lastUpdatedDateUTC\":\"2022-12-12T00:00:00Z\",\"createdDateUTC\":\"2021-02-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Dynamics365\",\"dataTypes\":[\"Dynamics365Activity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ee1818ec-5f65-4991-b711-bcf2ab7e36c3\",\"name\":\"ee1818ec-5f65-4991-b711-bcf2ab7e36c3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let lbtime = 10m;\\nCisco_Umbrella\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027proxylogs\u0027\\n| where DvcAction =~ \u0027Allowed\u0027\\n| where UrlOriginal matches regex @\u0027\\\\Ahttp:\\\\/\\\\/\\\\d{1,3}\\\\.\\\\d{1,3}\\\\.\\\\d{1,3}\\\\.\\\\d{1,3}.*\u0027\\n| project TimeGenerated, SrcIpAddr, Identities\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Identities\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - URI contains IP address\",\"description\":\"Malware can use IP address to communicate with C2.\",\"lastUpdatedDateUTC\":\"2023-12-29T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3705158d-e008-49c9-92dd-e538e1549090\",\"name\":\"3705158d-e008-49c9-92dd-e538e1549090\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"let Zinc_threats = dynamic([\\\"Trojan:Win32/ZetaNile.A\\\", \\\"Trojan:Win32/EventHorizon.A\\\", \\\"Trojan:Win32/FoggyBrass.A\\\", \\\"Trojan:Win32/FoggyBrass.B\\\", \\\"Trojan:Win32/PhantomStar.A\\\",\\\"Trojan:Win32/PhantomStar.C\\\",\\\"TrojanDropper:Win32/PhantomStar.A\\\"]);\\nDeviceInfo\\n| extend DeviceName = tolower(DeviceName)\\n| join kind=inner ( SecurityAlert\\n| where ProviderName == \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)\\n| where ThreatName in~ (Zinc_threats) or ThreatFamilyName in~ (Zinc_threats)\\n| extend CompromisedEntity = tolower(CompromisedEntity)\\n) on $left.DeviceName == $right.CompromisedEntity\\n| summarize by DisplayName, ThreatName, ThreatFamilyName, PublicIP, AlertSeverity, Description, tostring(LoggedOnUsers), DeviceId, TenantId , bin(TimeGenerated, 1d), CompromisedEntity, tostring(LoggedOnUsers), ProductName, Entities\\n| extend HostName = tostring(split(CompromisedEntity, \u0027.\u0027, 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(CompromisedEntity, \u0027.\u0027), 1, -1), \u0027.\u0027))\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"PublicIP\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"AV detections related to Zinc actors\",\"description\":\"This query looks for Microsoft Defender AV detections related to Zinc threat actor. In Microsoft Sentinel the SecurityAlerts table includes only the Device Name of the affected device, this query joins the DeviceInfo table to clearly connect other information such as Device group, ip, etc. \\n This would allow the Microsoft Sentinel analyst to have more context related to the alert, if available.\\n Reference: https://www.microsoft.com/security/blog/2022/09/29/zinc-weaponizing-open-source-software/\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-04-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"SecurityAlert\",\"DeviceInfo\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/737a2ce1-70a3-4968-9e90-3e6aca836abf\",\"name\":\"737a2ce1-70a3-4968-9e90-3e6aca836abf\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MLBehaviorAnalytics\",\"properties\":{\"severity\":\"Medium\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Anomalous RDP Login Detections\",\"description\":\"This detection uses machine learning (ML) to identify anomalous Remote Desktop Protocol (RDP) login activity, based on Windows Security Event data. Scenarios include:\\n\\n*\\tUnusual IP - This IP address has not or has rarely been seen in last 30 days.\\n*\\tUnusual Geo - The IP address, city, country and ASN have not (or rarely) been seen in last 30 days.\\n*\\tNew user - A new user logs in from an IP address and geo location, both or either of which are not expected to be seen in the last 30 days.\\n\\nAllow 7 days after this alert is enabled for Microsoft Sentinel to build a profile of normal activity for your environment.\\t\\n\\nThis detection requires a specific configuration of the data source. [Learn more](https://docs.microsoft.com/en-us/azure/sentinel/connect-windows-security-events)\\n\\nBy enabling this rule, you give Microsoft permission to copy ingested data outside of your Microsoft Sentinel workspace\u0027s geography as necessary for processing by the machine learning engine.\",\"lastUpdatedDateUTC\":\"2021-03-26T00:00:00Z\",\"createdDateUTC\":\"2020-04-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0b9ae89d-8cad-461c-808f-0494f70ad5c4\",\"name\":\"0b9ae89d-8cad-461c-808f-0494f70ad5c4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.1.7\",\"severity\":\"Low\",\"query\":\"let selfServicePasswordReset = dynamic([\\\"Self-service password reset flow activity progress\\\", \\\"Change password (self-service)\\\", \\\"Reset password (self-service)\\\"]); \\n//Self-service password reset flow activity progress is typically caused by a password policy which requires users to rotate passwords. This operation already implies the user has signed in successfully and therefore the password reset is non-malicious.\\nlet PerUserThreshold = 5;\\nlet TotalThreshold = 100;\\nlet action = dynamic([\\\"change\\\", \\\"changed\\\", \\\"reset\\\"]);\\nlet pWord = dynamic([\\\"password\\\", \\\"credentials\\\"]);\\nlet PasswordResetMultiDataSource =\\n(union isfuzzy=true\\n(//Password reset events\\n//4723: An attempt was made to change an account\u0027s password\\n//4724: An attempt was made to reset an accounts password\\nSecurityEvent\\n| where EventID in (\\\"4723\\\",\\\"4724\\\")\\n| project TimeGenerated, Computer, AccountType, Account, Type, TargetUserName),\\n(//Password reset events\\n//4723: An attempt was made to change an account\u0027s password\\n//4724: An attempt was made to reset an accounts password\\nWindowsEvent\\n| where EventID in (\\\"4723\\\",\\\"4724\\\")\\n| extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| extend TargetUserName = tostring(EventData.TargetUserName)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend AccountType=case(Account endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n| project TimeGenerated, Computer, AccountType, Account, Type, TargetUserName),\\n(//Azure Active Directory Password reset events\\nAuditLogs\\n| where OperationName has_any (pWord) and OperationName has_any (action) and Result =~ \\\"success\\\"\\n| where OperationName !in (selfServicePasswordReset)\\n| mv-apply TargetResource = TargetResources on \\n (\\n where TargetResource.type =~ \\\"User\\\"\\n | extend AccountType = tostring(TargetResource.type),\\n Account = tostring(InitiatedBy.user.userPrincipalName),\\n TargetUserName = tolower(tostring(TargetResource.userPrincipalName))\\n )\\n| project TimeGenerated, AccountType, Account, TargetUserName, Computer = \\\"\\\", Type),\\n(//OfficeActive ActiveDirectory Password reset events\\nOfficeActivity\\n| where OfficeWorkload == \\\"AzureActiveDirectory\\\"\\n| where (ExtendedProperties has_any (pWord) or ModifiedProperties has_any (pWord)) and (ExtendedProperties has_any (action) or ModifiedProperties has_any (action))\\n| extend AccountType = UserType, Account = OfficeObjectId\\n| project TimeGenerated, AccountType, Account, Type, Computer = \\\"\\\"),\\n(// Unix syslog password reset events\\nSyslog\\n| where Facility in (\\\"auth\\\",\\\"authpriv\\\")\\n| where SyslogMessage has_any (pWord) and SyslogMessage has_any (action)\\n| extend AccountType = iif(SyslogMessage contains \\\"root\\\", \\\"Root\\\", \\\"Non-Root\\\")\\n| where SyslogMessage matches regex \\\".*password changed for.*\\\"\\n| parse SyslogMessage with * \\\"password changed for\\\" Account\\n| project TimeGenerated, AccountType, Account, Computer = HostName, Type)\\n);\\nlet pwrmd = PasswordResetMultiDataSource\\n| project TimeGenerated, Computer, AccountType, Account, Type, TargetUserName;\\n(union isfuzzy=true\\n(pwrmd\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), Computerlist = make_set(Computer, 25), AccountType = make_set(AccountType, 25), Computer = arg_max(Computer , TimeGenerated), TargetUserList = make_set(TargetUserName, 25), TargetUserName = arg_max(TargetUserName, TimeGenerated), Total=count() by Account, Type\\n| where Total \u003e PerUserThreshold\\n| extend ResetPivot = \\\"PerUserReset\\\"),\\n(pwrmd\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ComputerList = make_set(Computer, 25), AccountList = make_set(Account, 25), AccountType = make_set(AccountType, 25), Computer = arg_max(Computer , TimeGenerated), TargetUserList = make_set(TargetUserName, 25), TargetUserName = arg_max(TargetUserName, TimeGenerated), Total=count() by Type\\n| where Total \u003e TotalThreshold\\n| extend ResetPivot = \\\"TotalUserReset\\\")\\n)\\n| extend timestamp = StartTimeUtc, HostName = tostring(split(Computer, \u0027.\u0027, 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Computer, \u0027.\u0027), 1, -1), \u0027.\u0027)), Name = tostring(split(Account, \u0027@\u0027, 0)[0]), UPNSuffix = tostring(split(Account, \u0027@\u0027, 1)[0]), TargetName = tostring(split(TargetUserName,\u0027@\u0027,0)[0]), TargetUPNSuffix = tostring(split(TargetUserName,\u0027@\u0027,1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUserName\"},{\"identifier\":\"Name\",\"columnName\":\"TargetName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"TargetUPNSuffix\"}]}],\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"Multiple Password Reset by user\",\"description\":\"This query will determine multiple password resets by user across multiple data sources.\\nAccount manipulation including password reset may aid adversaries in maintaining access to credentials and certain permission levels within an environment.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2019-09-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/75bf9902-0789-47c1-a5d8-f57046aa72df\",\"name\":\"75bf9902-0789-47c1-a5d8-f57046aa72df\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.5\",\"severity\":\"Medium\",\"query\":\"let procList = externaldata(Process:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Microsoft_Lolbas_Execution_Binaries.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet recycle_bin_paths = dynamic([@\\\":\\\\RECYCLER\\\", @\\\":\\\\$RECYCLE.BIN\\\"]);\\nlet ProcessCreationEvents=(union isfuzzy=true\\n(SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, NewProcessName,\\nFileName = Process, CommandLine, ParentProcessName\\n),\\n(WindowsEvent\\n| where EventID==4688 and EventData has_any (procList) and EventData has_any (recycle_bin_paths)\\n| extend CommandLine = tostring(EventData.CommandLine)\\n| where isnotempty(CommandLine)\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName) \\n| extend NewProcessName = tostring(EventData.NewProcessName) \\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, NewProcessName,\\nFileName = Process, CommandLine, ParentProcessName\\n));\\nProcessCreationEvents \\n| where FileName in~ (procList)\\n| where CommandLine has_any (recycle_bin_paths)\\n| project StartTimeUtc = TimeGenerated, Computer, Account, NewProcessName, FileName, CommandLine, ParentProcessName\\n| extend HostName = iif(Computer has \u0027.\u0027,substring(Computer,0,indexof(Computer,\u0027.\u0027)),Computer) , DnsDomain = iif(Computer has \u0027.\u0027,substring(Computer,indexof(Computer,\u0027.\u0027)+1),\u0027\u0027)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"Account\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Malware in the recycle bin\",\"description\":\"The query detects Windows binaries that can be used for executing malware and have been hidden in the recycle bin.\\nThe list of these binaries is sourced from https://lolbas-project.github.io/\\nReferences: https://azure.microsoft.com/blog/how-azure-security-center-helps-reveal-a-cyberattack/.\",\"lastUpdatedDateUTC\":\"2024-07-16T00:00:00Z\",\"createdDateUTC\":\"2018-09-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4902eddb-34f7-44a8-ac94-8486366e9494\",\"name\":\"4902eddb-34f7-44a8-ac94-8486366e9494\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.7\",\"severity\":\"Medium\",\"query\":\"let threshold = 5000;\\n_Im_NetworkSession(eventresult=\u0027Failure\u0027)\\n| summarize Count=count() by SrcIpAddr, bin(TimeGenerated,5m)\\n| where Count \u003e threshold\\n| extend timestamp = TimeGenerated, threshold\",\"customDetails\":{\"NumberOfDenies\":\"Count\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Excessive number of failed connections from {{SrcIpAddr}}\",\"alertDescriptionFormat\":\"The client at address {{SrcIpAddr}} generated more than {{threshold}} failures over a 5 minutes time window, which may indicate malicious activity.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"Impact\"],\"displayName\":\"Excessive number of failed connections from a single source (ASIM Network Session schema)\",\"description\":\"This rule identifies a single source that generates an excessive amount of failed connections. Modify the threshold to change the sensitivity of the rule: the higher the threshold, the less sensitive is the rule and less incidents will be generated.\\n This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2021-12-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"AzureNSG\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoAsaAma\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]},{\"connectorId\":\"AIVectraStream\",\"dataTypes\":[\"VectraStream\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoMeraki\",\"dataTypes\":[\"Syslog\",\"CiscoMerakiNativePoller\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9736e5f1-7b6e-4bfb-a708-e53ff1d182c3\",\"name\":\"9736e5f1-7b6e-4bfb-a708-e53ff1d182c3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":1,\"version\":\"2.0.3\",\"severity\":\"Low\",\"query\":\"let tokens = dynamic([\\\"416\\\",\\\"208\\\",\\\"192\\\",\\\"128\\\",\\\"120\\\",\\\"96\\\",\\\"80\\\",\\\"72\\\",\\\"64\\\",\\\"48\\\",\\\"44\\\",\\\"40\\\",\\\"nc12\\\",\\\"nc24\\\",\\\"nv24\\\"]);\\nlet operationList = dynamic([\\\"microsoft.compute/virtualmachines/write\\\", \\\"microsoft.resources/deployments/write\\\"]);\\nAzureActivity\\n| where OperationNameValue in~ (operationList)\\n| where ActivityStatusValue startswith \\\"Accept\\\"\\n| where Properties has \u0027vmSize\u0027\\n| extend parsed_property= parse_json(tostring((parse_json(Properties).responseBody))).properties\\n| extend vmSize = tostring((parsed_property.hardwareProfile).vmSize)\\n| mv-apply token=tokens to typeof(string) on (where vmSize contains token)\\n| extend ComputerName = tostring((parsed_property.osProfile).computerName)\\n| project TimeGenerated, OperationNameValue, ActivityStatusValue, Caller, CallerIpAddress, ComputerName, vmSize\\n| extend Name = tostring(split(Caller,\u0027@\u0027,0)[0]), UPNSuffix = tostring(split(Caller,\u0027@\u0027,1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Caller\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"ComputerName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"CallerIpAddress\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Creation of expensive computes in Azure\",\"description\":\"Identifies the creation of large size or expensive VMs (with GPUs or with a large number of virtual CPUs) in Azure.\\nAn adversary may create new or update existing virtual machines to evade defenses or use them for cryptomining purposes.\\nFor Windows/Linux Vm Sizes, see https://docs.microsoft.com/azure/virtual-machines/windows/sizes \\nAzure VM Naming Conventions, see https://docs.microsoft.com/azure/virtual-machines/vm-naming-conventions\",\"lastUpdatedDateUTC\":\"2024-03-04T00:00:00Z\",\"createdDateUTC\":\"2020-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f8127962-7739-4211-a4a9-390a7a00e91f\",\"name\":\"f8127962-7739-4211-a4a9-390a7a00e91f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT30M\",\"queryPeriod\":\"PT30M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let lbtime = 30m;\\nlet lbperiod = 14d;\\nlet knownrecipients = ProofpointPOD\\n| where TimeGenerated \u003e ago(lbperiod)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027outbound\u0027\\n| where SrcUserUpn != \u0027\u0027\\n| where array_length(todynamic(DstUserUpn)) == 1\\n| summarize recipients = make_set(tostring(todynamic(DstUserUpn)[0])) by SrcUserUpn\\n| extend commcol = SrcUserUpn;\\nProofpointPOD\\n| where TimeGenerated between (ago(lbtime) .. now())\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027outbound\u0027\\n| extend isProtected = todynamic(MsgParts)[0][\u0027isProtected\u0027]\\n| extend mimePgp = todynamic(MsgParts)[0][\u0027detectedMime\u0027]\\n| where isProtected == \u0027true\u0027 or mimePgp == \u0027application/pgp-encrypted\u0027\\n| extend DstUserMail = tostring(todynamic(DstUserUpn)[0])\\n| extend commcol = tostring(todynamic(DstUserUpn)[0])\\n| join knownrecipients on commcol\\n| where recipients !contains DstUserMail\\n| project SrcUserUpn, DstUserMail\\n| extend AccountCustomEntity = SrcUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"ProofpointPOD - Multiple protected emails to unknown recipient\",\"description\":\"Detects when multiple protected messages where sent to early not seen recipient.\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d3980830-dd9d-40a5-911f-76b44dfdce16\",\"name\":\"d3980830-dd9d-40a5-911f-76b44dfdce16\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"let locationThreshold = 1;\\nlet aadFunc = (tableName:string){\\ntable(tableName)\\n| where AppDisplayName =~ \\\"GitHub.com\\\"\\n| where ResultType == 0\\n| summarize CountOfLocations = dcount(Location), Locations = make_set(Location,100), BurstStartTime = min(TimeGenerated), BurstEndTime = max(TimeGenerated) by UserPrincipalName, Type\\n| where CountOfLocations \u003e locationThreshold\\n| extend timestamp = BurstStartTime\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\\n| extend Name = tostring(split(UserPrincipalName,\u0027@\u0027,0)[0]), UPNSuffix = tostring(split(UserPrincipalName,\u0027@\u0027,1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"GitHub Signin Burst from Multiple Locations\",\"description\":\"This detection triggers when there is a Signin burst from multiple locations in GitHub (Entra ID SSO).\\n This detection is based on configurable threshold which can be prone to false positives. To view the anomaly based equivalent of thie detection, please see here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Entra%20ID/Analytic%20Rules/AnomalousUserAppSigninLocationIncrease-detection.yaml. \",\"lastUpdatedDateUTC\":\"2024-01-04T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bc5ffe2a-84d6-48fe-bc7b-1055100469bc\",\"name\":\"bc5ffe2a-84d6-48fe-bc7b-1055100469bc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.7\",\"severity\":\"High\",\"query\":\"let SunburstMD5=dynamic([\\\"b91ce2fa41029f6955bff20079468448\\\",\\\"02af7cec58b9a5da1c542b5a32151ba1\\\",\\\"2c4a910a1299cdae2a4e55988a2f102e\\\",\\\"846e27a652a5e1bfbd0ddd38a16dc865\\\",\\\"4f2eb62fa529c0283b28d05ddd311fae\\\"]);\\nlet SupernovaMD5=\\\"56ceb6d0011d87b6e4d7023d7ef85676\\\";\\nimFileEvent\\n| where TargetFileMD5 in (SunburstMD5) or TargetFileMD5 in (SupernovaMD5)\\n| extend AccountName = tostring(split(User, @\u0027\\\\\u0027)[1]), AccountNTDomain = tostring(split(User, @\u0027\\\\\u0027)[0])\\n| extend AlgorithmType = \\\"MD5\\\"\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"User\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Dvc\"},{\"identifier\":\"HostName\",\"columnName\":\"DvcHostname\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DvcDomain\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmType\"},{\"identifier\":\"Value\",\"columnName\":\"TargetFileMD5\"}]}],\"tactics\":[\"Execution\",\"Persistence\",\"InitialAccess\"],\"displayName\":\"SUNBURST and SUPERNOVA backdoor hashes (Normalized File Events)\",\"description\":\"Identifies SolarWinds SUNBURST and SUPERNOVA backdoor file hash IOCs in File Events\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimFileEvent)\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2020-12-15T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1baaaf00-655f-4de9-8ff8-312e902cda71\",\"name\":\"1baaaf00-655f-4de9-8ff8-312e902cda71\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let known_locations = (\\n AADServicePrincipalSignInLogs\\n | where TimeGenerated between(ago(14d)..ago(1d))\\n | where ResultType == 0\\n | summarize by Location);\\n AADServicePrincipalSignInLogs\\n | where TimeGenerated \u003e ago(1d)\\n | where ResultType != 50126\\n | where Location !in (known_locations)\\n | extend City = tostring(parse_json(LocationDetails).city)\\n | extend State = tostring(parse_json(LocationDetails).state)\\n | extend Place = strcat(City, \\\" - \\\", State)\\n | extend Result = strcat(tostring(ResultType), \\\" - \\\", ResultDescription)\\n | summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated), make_set(Result), make_set(IPAddress), make_set(Place) by ServicePrincipalName, Location\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"ServicePrincipalName\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Service Principal Authentication Attempt from New Country\",\"description\":\"Detects when there is a Service Principal login attempt from a country that has not seen a successful login in the previous 14 days.\\n Threat actors may attempt to authenticate with credentials from compromised accounts - monitoring attempts from anomalous locations may help identify these attempts.\\n Authentication attempts should be investigated to ensure the activity was legitimate and if there is other similar activity.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADServicePrincipalSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b2c15736-b9eb-4dae-8b02-3016b6a45a32\",\"name\":\"b2c15736-b9eb-4dae-8b02-3016b6a45a32\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.2\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\n// The number of operations above which an IP address is considered an unusual source of role assignment operations\\nlet alertOperationThreshold = 5;\\nlet AzureBuiltInRole = externaldata(Role:string,RoleDescription:string,ID:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/AzureBuiltInRole.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet createRoleAssignmentActivity = AzureActivity\\n| where OperationNameValue =~ \\\"microsoft.authorization/roleassignments/write\\\";\\nlet RoleAssignedActivity = createRoleAssignmentActivity \\n| where TimeGenerated between (ago(starttime) .. ago(endtime))\\n| summarize count() by CallerIpAddress, Caller, bin(TimeGenerated, 1d)\\n| where count_ \u003e= alertOperationThreshold\\n// Returns all the records from the right side that don\u0027t have matches from the left.\\n| join kind = rightanti ( \\ncreateRoleAssignmentActivity\\n| where TimeGenerated \u003e ago(endtime)\\n| extend parsed_property = tostring(parse_json(Properties).requestbody)\\n| extend PrincipalId = case(parsed_property has_cs \u0027PrincipalId\u0027,parse_json(parsed_property).Properties.PrincipalId, parsed_property has_cs \u0027principalId\u0027,parse_json(parsed_property).properties.principalId,\\\"\\\")\\n| extend PrincipalType = case(parsed_property has_cs \u0027PrincipalType\u0027,parse_json(parsed_property).Properties.PrincipalType, parsed_property has_cs \u0027principalType\u0027,parse_json(parsed_property).properties.principalType, \\\"\\\")\\n| extend Scope = case(parsed_property has_cs \u0027Scope\u0027,parse_json(parsed_property).Properties.Scope, parsed_property has_cs \u0027scope\u0027,parse_json(parsed_property).properties.scope,\\\"\\\")\\n| extend RoleAddedDetails = case(parsed_property has_cs \u0027RoleDefinitionId\u0027,parse_json(parsed_property).Properties.RoleDefinitionId,parsed_property has_cs \u0027roleDefinitionId\u0027,parse_json(parsed_property).properties.roleDefinitionId,\\\"\\\")\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = make_set(TimeGenerated), ActivityStatusValue = make_set(ActivityStatusValue), CorrelationId = make_set(CorrelationId), ActivityCountByCallerIPAddress = count() \\nby ResourceId, CallerIpAddress, Caller, OperationNameValue, Resource, ResourceGroup, PrincipalId, PrincipalType, Scope, RoleAddedDetails\\n) on CallerIpAddress, Caller\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress;\\nlet RoleAssignedActivitywithRoleDetails = RoleAssignedActivity\\n| extend RoleAssignedID = tostring(split(RoleAddedDetails, \\\"/\\\")[-1])\\n// Returns all matching records from left and right sides.\\n| join kind = inner (AzureBuiltInRole \\n) on $left.RoleAssignedID == $right.ID;\\nlet CallerIPCountSummary = RoleAssignedActivitywithRoleDetails | summarize AssignmentCountbyCaller = count() by Caller, CallerIpAddress;\\nlet RoleAssignedActivityWithCount = RoleAssignedActivitywithRoleDetails | join kind = inner (CallerIPCountSummary | project Caller, AssignmentCountbyCaller, CallerIpAddress) on Caller, CallerIpAddress;\\nRoleAssignedActivityWithCount\\n| summarize arg_max(StartTimeUtc, *) by PrincipalId, RoleAssignedID\\n// \\tReturns all the records from the left side and only matching records from the right side.\\n| join kind = leftouter( IdentityInfo\\n| summarize arg_max(TimeGenerated, *) by AccountObjectId\\n) on $left.PrincipalId == $right.AccountObjectId\\n// Check if assignment count is greater than the threshold.\\n| where AssignmentCountbyCaller \u003e= alertOperationThreshold\\n| project ActivityTimeStamp, OperationNameValue, Caller, CallerIpAddress, PrincipalId, RoleAssignedID, RoleAddedDetails, Role, RoleDescription, AccountUPN, AccountCreationTime, GroupMembership, UserType, ActivityStatusValue, ResourceGroup, PrincipalType, Scope, CorrelationId, timestamp, AccountCustomEntity, IPCustomEntity, AssignmentCountbyCaller\\n| extend Name = tostring(split(Caller,\u0027@\u0027,0)[0]), UPNSuffix = tostring(split(Caller,\u0027@\u0027,1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Caller\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"CallerIpAddress\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Suspicious granting of permissions to an account\",\"description\":\"Identifies IPs from which users grant access to other users on Azure resources and alerts when a previously unseen source IP address is used.\",\"lastUpdatedDateUTC\":\"2024-03-04T00:00:00Z\",\"createdDateUTC\":\"2019-02-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"IdentityInfo\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3fe3c520-04f1-44b8-8398-782ed21435f8\",\"name\":\"3fe3c520-04f1-44b8-8398-782ed21435f8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.4\",\"severity\":\"Low\",\"query\":\"let torProxies=dynamic([\\\"tor2web.org\\\", \\\"tor2web.com\\\", \\\"torlink.co\\\", \\\"onion.to\\\", \\\"onion.ink\\\", \\\"onion.cab\\\", \\\"onion.nu\\\", \\\"onion.link\\\", \\n\\\"onion.it\\\", \\\"onion.city\\\", \\\"onion.direct\\\", \\\"onion.top\\\", \\\"onion.casa\\\", \\\"onion.plus\\\", \\\"onion.rip\\\", \\\"onion.dog\\\", \\\"tor2web.fi\\\", \\n\\\"tor2web.blutmagie.de\\\", \\\"onion.sh\\\", \\\"onion.lu\\\", \\\"onion.pet\\\", \\\"t2w.pw\\\", \\\"tor2web.ae.org\\\", \\\"tor2web.io\\\", \\\"tor2web.xyz\\\", \\\"onion.lt\\\", \\n\\\"s1.tor-gateways.de\\\", \\\"s2.tor-gateways.de\\\", \\\"s3.tor-gateways.de\\\", \\\"s4.tor-gateways.de\\\", \\\"s5.tor-gateways.de\\\", \\\"hiddenservice.net\\\"]);\\n_Im_Dns(domain_has_any=torProxies)\\n| extend HostName = tostring(split(Dvc, \\\".\\\")[0]), DomainIndex = toint(indexof(Dvc, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Dvc, DomainIndex + 1), Dvc)\\n| project-away DomainIndex\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Dvc\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"DNS events related to ToR proxies (ASIM DNS Schema)\",\"description\":\"Identifies IP addresses performing DNS lookups associated with common ToR proxies.\\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a5b3429d-f1da-42b9-883c-327ecb7b91ff\",\"name\":\"a5b3429d-f1da-42b9-883c-327ecb7b91ff\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.8\",\"severity\":\"Medium\",\"query\":\"SecurityAlert\\n| where TimeGenerated \u003e ago(1d)\\n| where ProductName == \\\"Azure Active Directory Identity Protection\\\"\\n| where AlertName == \\\"Sign-in from an infected device\\\"\\n| mv-apply EntityAccount=todynamic(Entities) on\\n(\\nwhere EntityAccount.Type == \\\"account\\\"\\n| extend AadTenantId = tostring(EntityAccount.AadTenantId), AadUserId = tostring(EntityAccount.AadUserId)\\n)\\n| mv-apply EntityIp=todynamic(Entities) on\\n(\\nwhere EntityIp.Type == \\\"ip\\\"\\n| extend IpAddress = tostring(EntityIp.Address)\\n)\\n| join kind=inner (\\nIdentityInfo\\n| distinct AccountTenantId, AccountObjectId, AccountUPN, AccountDisplayName\\n| extend UserAccount = AccountUPN\\n| extend UserName = AccountDisplayName\\n| where isnotempty(AccountDisplayName) and isnotempty(UserAccount)\\n| project AccountTenantId, AccountObjectId, UserAccount, UserName\\n)\\non\\n$left.AadTenantId == $right.AccountTenantId,\\n$left.AadUserId == $right.AccountObjectId\\n| extend CompromisedEntity = iff(CompromisedEntity == \\\"N/A\\\" or isempty(CompromisedEntity), UserAccount, CompromisedEntity)\\n| project AlertName, AlertSeverity, CompromisedEntity, UserAccount, IpAddress, TimeGenerated, UserName\\n| join kind=inner \\n(\\nAzureActivity\\n| where OperationNameValue has_any (\\\"/workspaces/computes/delete\\\", \\\"workspaces/delete\\\") \\n| where ActivityStatusValue has_any (\\\"Succeeded\\\", \\\"Success\\\")\\n| project TimeGenerated, ResourceProviderValue, _ResourceId, SubscriptionId, UserAccount=Caller, IpAddress=CallerIpAddress, CorrelationId, OperationId, ResourceGroup, TenantId\\n) on IpAddress, UserAccount\\n| extend AccountName = tostring(split(UserAccount, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(UserAccount, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserAccount\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"_ResourceId\"}]}],\"tactics\":[\"InitialAccess\",\"Impact\"],\"displayName\":\"Workspace deletion activity from an infected device\",\"description\":\"This query will alert on any sign-ins from devices infected with malware in correlation with workspace deletion activity. \\nAttackers may attempt to delete workspaces containing compute instances after successful compromise to cause service unavailability to regular business operation.\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2022-04-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectoryIdentityProtection\",\"dataTypes\":[\"SecurityAlert (IPC)\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"IdentityInfo\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/45076281-35ae-45e0-b443-c32aa0baf965\",\"name\":\"45076281-35ae-45e0-b443-c32aa0baf965\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.6\",\"severity\":\"High\",\"query\":\"let args = dynamic([\\\"objectcategory\\\",\\\"domainlist\\\",\\\"dcmodes\\\",\\\"adinfo\\\",\\\"trustdmp\\\",\\\"computers_pwdnotreqd\\\",\\\"Domain Admins\\\", \\\"objectcategory=person\\\", \\\"objectcategory=computer\\\", \\\"objectcategory=*\\\",\\\"dclist\\\"]);\\nlet parentProcesses = dynamic([\\\"pwsh.exe\\\",\\\"powershell.exe\\\",\\\"cmd.exe\\\"]);\\nimProcessCreate\\n//looks for execution from a shell\\n| where ActingProcessName has_any (parentProcesses)\\n| extend ActingProcessFileName = tostring(split(ActingProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where ActingProcessFileName in~ (parentProcesses)\\n// main filter\\n| where Process hassuffix \\\"AdFind.exe\\\" or TargetProcessSHA256 == \\\"c92c158d7c37fea795114fa6491fe5f145ad2f8c08776b18ae79db811e8e36a3\\\"\\n// AdFind common Flags to check for from various threat actor TTPs\\nor CommandLine has_any (args)\\n| extend AlgorithmType = \\\"SHA256\\\"\\n| extend AccountName = tostring(split(User, @\u0027\\\\\u0027)[1]), AccountNTDomain = tostring(split(User, @\u0027\\\\\u0027)[0])\\n| extend HostName = tostring(split(Dvc, \\\".\\\")[0]), DomainIndex = toint(indexof(Dvc, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Dvc, DomainIndex + 1), Dvc)\\n| project-away DomainIndex\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"User\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Dvc\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ActingProcessName\"},{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLine\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmType\"},{\"identifier\":\"Value\",\"columnName\":\"TargetProcessSHA256\"}]}],\"tactics\":[\"Discovery\"],\"displayName\":\"Probable AdFind Recon Tool Usage (Normalized Process Events)\",\"description\":\"Identifies the host and account that executed AdFind by hash and filename in addition to common and unique flags that are used by many threat actors in discovery.\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimProcessEvent)\",\"lastUpdatedDateUTC\":\"2024-03-04T00:00:00Z\",\"createdDateUTC\":\"2021-06-09T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a2e0eb51-1f11-461a-999b-cd0ebe5c7a72\",\"name\":\"a2e0eb51-1f11-461a-999b-cd0ebe5c7a72\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Azure Security Center for IoT\",\"displayName\":\"Create incidents based on Microsoft Defender for IOT alerts\",\"description\":\"Create incidents based on all alerts generated in Microsoft Defender for IOT\",\"lastUpdatedDateUTC\":\"2019-12-24T00:00:00Z\",\"createdDateUTC\":\"2019-12-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"IoT\",\"dataTypes\":[\"SecurityAlert (ASC for IoT)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/884ead54-cb3f-4676-a1eb-b26532d6cbfd\",\"name\":\"884ead54-cb3f-4676-a1eb-b26532d6cbfd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.2\",\"severity\":\"Low\",\"query\":\"let SensitiveOperationList = dynamic(\\n[\\\"VaultDelete\\\", \\\"KeyDelete\\\", \\\"SecretDelete\\\", \\\"SecretPurge\\\", \\\"KeyPurge\\\", \\\"SecretBackup\\\", \\\"KeyBackup\\\"]);\\nAzureDiagnostics\\n| extend ResultType = column_ifexists(\\\"ResultType\\\", \\\"NoResultType\\\"), \\nrequestUri_s = column_ifexists(\\\"requestUri_s\\\", \\\"None\\\"), \\nidentity_claim_oid_g = column_ifexists(\\\"identity_claim_oid_g\\\", \\\"None\\\"), CallerIPAddress = column_ifexists(\\\"CallerIPAddress\\\", \\\"None\\\"), \\nclientInfo_s = column_ifexists(\\\"clientInfo_s\\\", \\\"None\\\"), \\nidentity_claim_upn_s = column_ifexists(\\\"identity_claim_upn_s\\\", \\\"None\\\"),\\nidentity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = column_ifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"None\\\")\\n| where ResourceType =~ \\\"VAULTS\\\" and ResultType =~ \\\"Success\\\"\\n| where OperationName in~ (SensitiveOperationList)\\n| summarize EventCount=count(), StartTimeUtc=min(TimeGenerated), EndTimeUtc=max(TimeGenerated), TimeTriggered=make_list(TimeGenerated),OperationNameList=make_set(OperationName), RequestURLList=make_set(requestUri_s), CallerIPList = make_set(CallerIPAddress), CallerIPMax= arg_max(CallerIPAddress,*) by ResourceType, ResultType, Resource, identity_claim_upn_s, clientInfo_s, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\n| extend timestamp = StartTimeUtc\\n| extend Name = tostring(split(identity_claim_upn_s,\u0027@\u0027,0)[0]), UPNSuffix = tostring(split(identity_claim_upn_s,\u0027@\u0027,1)[0]), AadUserId = identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"AadUserId\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"CallerIPMax\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"NRT Sensitive Azure Key Vault operations\",\"description\":\"Identifies when sensitive Azure Key Vault operations are used. This includes: VaultDelete, KeyDelete, SecretDelete, SecretPurge, KeyPurge, SecretBackup, KeyBackup.\\nAny Backup operations should match with expected scheduled backup activity.\",\"lastUpdatedDateUTC\":\"2024-03-04T00:00:00Z\",\"createdDateUTC\":\"2019-07-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureKeyVault\",\"dataTypes\":[\"KeyVaultData\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ec491363-5fe7-4eff-b68e-f42dcb76fcf6\",\"name\":\"ec491363-5fe7-4eff-b68e-f42dcb76fcf6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"2.0.3\",\"severity\":\"Medium\",\"query\":\"AzureActivity\\n| where CategoryValue =~ \u0027Administrative\u0027\\n| where ResourceProviderValue =~ \u0027Microsoft.ADHybridHealthService\u0027\\n| where _ResourceId has \u0027AdFederationService\u0027\\n| where OperationNameValue =~ \u0027Microsoft.ADHybridHealthService/services/servicemembers/action\u0027\\n| extend claimsJson = parse_json(Claims)\\n| extend AppId = tostring(claimsJson.appid), AccountName = tostring(claimsJson.name), Name = tostring(split(Caller,\u0027@\u0027,0)[0]), UPNSuffix = tostring(split(Caller,\u0027@\u0027,1)[0])\\n| project-away claimsJson\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Caller\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"CallerIpAddress\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"NRT Microsoft Entra ID Hybrid Health AD FS New Server\",\"description\":\"This detection uses AzureActivity logs (Administrative category) to identify the creation or update of a server instance in an Microsoft Entra ID Hybrid Health AD FS service.\\nA threat actor can create a new AD Health ADFS service and create a fake server instance to spoof AD FS signing logs. There is no need to compromise an on-premises AD FS server.\\nThis can be done programmatically via HTTP requests to Azure. More information in this blog: https://o365blog.com/post/hybridhealthagent/\",\"lastUpdatedDateUTC\":\"2024-01-08T00:00:00Z\",\"createdDateUTC\":\"2021-08-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/60f31001-018a-42bf-8045-a92e1f361b7b\",\"name\":\"60f31001-018a-42bf-8045-a92e1f361b7b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"// Define a variable \u0027AwsAlert\u0027 to collect Unauthorized user access alerts from AWS GuardDuty table\\nlet AwsAlert = materialize (\\n AWSGuardDuty\\n | where ActivityType has_any (\\\"UnauthorizedAccess:IAMUser/TorIPCaller\\\", \\\"UnauthorizedAccess:IAMUser/MaliciousIPCaller.Custom\\\", \\n \\\"UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS\\\", \\\"UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.InsideAWS\\\",\\n \\\"UnauthorizedAccess:IAMUser/ConsoleLoginSuccess.B\\\",\\\"UnauthorizedAccess:IAMUser/MaliciousIPCaller\\\")\\n | extend\\n AWSAlertId = Id, \\n AWSAlertTitle = Title,\\n AWSAlertDescription = Description,\\n AWSresourceType = tostring(parse_json(ResourceDetails).resourceType),\\n AWSNetworkEntity = tostring(parse_json(ServiceDetails).action.awsApiCallAction.remoteIpDetails.ipAddressV4),\\n AWSAlertUserNameEntity = tostring(parse_json(ResourceDetails).accessKeyDetails.userName),\\n InstanceType = tostring(parse_json(ResourceDetails).instanceDetails.instanceType),\\n AWSTargetingService = parse_json(ServiceDetails).additionalInfo.apiCalls,\\n AWSAlertTime = TimeCreated,\\n AWSAlertLink= tostring(strcat(\u0027https://us-east-1.console.aws.amazon.com/guardduty/home?region=us-east-1#/findings?macros=current\u0026fId=\u0027,Id)),\\n Severity = \\n case (\\n Severity \u003e= 7.0, \\\"High\\\",\\n Severity between (4.0 .. 6.9), \\\"Medium\\\",\\n Severity between (1.0 .. 3.9), \\\"Low\\\",\\n \\\"Unknown\\\")\\n | mv-apply AIPCall = AWSTargetingService on \\n ( \\n where AIPCall has \\\"name\\\" \\n | extend APICallName = tostring(AIPCall.name), APICallCount = tostring(AIPCall[\\\"count\\\"])\\n ) \\n | distinct\\n AWSAlertTime,\\n ActivityType,\\n Severity,\\n AWSAlertId,\\n AWSAlertTitle,\\n AWSAlertDescription,\\n AWSAlertLink,\\n Arn,\\n AWSresourceType,\\n AWSNetworkEntity,\\n AWSAlertUserNameEntity,\\n InstanceType,\\n APICallName,\\n APICallCount \\n );\\n // Define a variable \u0027Azure_sigin\u0027 to collect Azure portal Signing activity from SigninLogs Table\\n let Azure_sigin = materialize (SigninLogs\\n | where AppDisplayName == \\\"Azure Portal\\\"\\n | where isnotempty(OriginalRequestId)\\n | summarize \\n totalAzureLoginEventId = dcount(OriginalRequestId), \\n AzureFailedEventsCount = dcountif(OriginalRequestId, ResultType != 0), \\n AzureSuccessfulEventsCount = dcountif(OriginalRequestId, ResultType == 0),\\n AzureSetOfFailedEvents = makeset(iff(ResultType != 0, OriginalRequestId, \\\"\\\"), 5), \\n AzureSetOfSuccessfulEvents = makeset(iff(ResultType == 0, OriginalRequestId, \\\"\\\"), 5) \\n by \\n IPAddress, \\n UserPrincipalName, \\n bin(TimeGenerated, 1min), \\n UserAgent,\\n ConditionalAccessStatus,\\n OperationName,\\n RiskDetail,\\n AuthenticationRequirement,\\n ClientAppUsed \\n // Extracting the name and UPN suffix from UserPrincipalName\\n | extend\\n Name = tostring(split(UserPrincipalName, \\\"@\\\")[0]),\\n UPNSuffix = tostring(split(UserPrincipalName, \\\"@\\\")[1])\\n );\\n // Join \u0027AwsAlert\u0027 and \u0027Azure_sigin\u0027 on the AWS Network Entity and Azure IP Address\\n AwsAlert\\n | join kind=inner Azure_sigin on $left.AWSNetworkEntity == $right.IPAddress\",\"customDetails\":{\"AWSAlertUserName\":\"AWSAlertUserNameEntity\",\"AWSArn\":\"Arn\",\"AWSresourceType\":\"AWSresourceType\",\"AWSInstanceType\":\"InstanceType\",\"AWSAPICallName\":\"APICallName\",\"AWSAPICallCount\":\"APICallCount\",\"AzureUserAgent\":\"UserAgent\",\"AzureUser\":\"UserPrincipalName\",\"AzureClientAppUsed\":\"ClientAppUsed\",\"AzConditionalAccess\":\"ConditionalAccessStatus\",\"AzureOperationName\":\"OperationName\",\"AzureRiskDetail\":\"RiskDetail\",\"AzAuthRequirement\":\"AuthenticationRequirement\",\"alertSeverity\":\"Severity\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"{{AWSNetworkEntity}} from {{AWSAlertTitle}} observed in Azure Singins with {{UserPrincipalName}}\",\"alertDescriptionFormat\":\" This detection compiles and correlates unauthorized user access alerts originating from AWS GuardDuty With Alert Description \u0027{{AWSAlertDescription}}\u0027 with Azure portal sign-in activities. It focuses on AWS GuardDuty alerts related to unauthorized user access, specifically targeting network IP associations tied to activities such as logins from malicious IP addresses or instance credential exfiltration attempts. The detection leverages these common network IP advisories to detect and pinpoint unauthorized users attempting to access both AWS and Azure resources. \\n\\n AWS ALert Link : \u0027{{AWSAlertLink}}\u0027 \\n\\n Find More Details :https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-active.html\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":\"Severity\"},\"tactics\":[\"CredentialAccess\",\"Exfiltration\",\"Discovery\"],\"displayName\":\"Unauthorized user access across AWS and Azure\",\"description\":\"\\nThis detection compiles and correlates unauthorized user access alerts originating from AWS GuardDuty with Azure portal sign-in activities. It focuses on AWS GuardDuty alerts related to unauthorized user access, specifically targeting network IP associations tied to activities such as logins from malicious IP addresses or instance credential exfiltration attempts. The ditection leverages these common network IP advisories to detect and pinpoint unauthorized users attempting to access both AWS and Azure resources.\\n\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2023-09-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSGuardDuty\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/78979d32-e63f-4740-b206-cfb300c735e0\",\"name\":\"78979d32-e63f-4740-b206-cfb300c735e0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n ProofpointPOD \\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(SrcIpAddr)\\n | extend ProofpointPOD_TimeGenerated = TimeGenerated, ClientIP = SrcIpAddr\\n )\\non $left.TI_ipEntity == $right.ClientIP\\n| where ProofpointPOD_TimeGenerated \u003c ExpirationDateTime\\n| summarize ProofpointPOD_TimeGenerated = arg_max(ProofpointPOD_TimeGenerated, *) by IndicatorId, ClientIP\\n| project ProofpointPOD_TimeGenerated, SrcUserUpn, DstUserUpn, SrcIpAddr, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, ClientIP\\n| extend timestamp = ProofpointPOD_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SrcUserUpn\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]}],\"tactics\":[\"Exfiltration\",\"InitialAccess\"],\"displayName\":\"ProofpointPOD - Email sender IP in TI list\",\"description\":\"Email sender IP in TI list.\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_maillog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5c847e47-0a07-4c01-ab99-5817ad6cb11e\",\"name\":\"5c847e47-0a07-4c01-ab99-5817ad6cb11e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"// Materialize AWS GuardDuty findings\\nlet AwsAlert = materialize (\\n AWSGuardDuty\\n // Filter for specific activity types in AWS GuardDuty\\n | where ActivityType has_any (\\n \\\"Backdoor:EC2/DenialOfService.UnusualProtocol\\\",\\n \\\"CredentialAccess:Kubernetes/MaliciousIPCaller\\\",\\n \\\"CredentialAccess:Kubernetes/SuccessfulAnonymousAccess\\\",\\n \\\"CredentialAccess:Kubernetes/TorIPCaller\\\",\\n \\\"CredentialAccess:RDS/AnomalousBehavior.SuccessfulBruteForce\\\",\\n \\\"CredentialAccess:RDS/TorIPCaller.FailedLogin\\\",\\n \\\"CredentialAccess:RDS/TorIPCaller.SuccessfulLogin\\\",\\n \\\"Discovery:Kubernetes/MaliciousIPCaller\\\",\\n \\\"Recon:IAMUser/MaliciousIPCaller.Custom\\\",\\n \\\"UnauthorizedAccess:EC2/TorClient\\\",\\n \\\"UnauthorizedAccess:IAMUser/TorIPCaller\\\",\\n \\\"UnauthorizedAccess:IAMUser/MaliciousIPCaller.Custom\\\",\\n \\\"UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS\\\",\\n \\\"UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.InsideAWS\\\",\\n \\\"UnauthorizedAccess:IAMUser/ConsoleLoginSuccess.B\\\"\\n )\\n // Extract and transform AWS GuardDuty attributes\\n | extend\\n AWSAlertId = Id, \\n AWSAlertTitle = Title,\\n AWSAlertDescription = Description,\\n AWSresourceType = tostring(parse_json(ResourceDetails).resourceType),\\n AWSNetworkEntity = tostring(parse_json(ServiceDetails).action.awsApiCallAction.remoteIpDetails.ipAddressV4),\\n AWSAlertUserNameEntity = tostring(parse_json(ResourceDetails).accessKeyDetails.userName),\\n InstanceType = tostring(parse_json(ResourceDetails).instanceDetails.instanceType),\\n AWSTargetingService = parse_json(ServiceDetails).additionalInfo.apiCalls,\\n AWSAlertTime = TimeCreated,\\n AWSAlertLink= tostring(strcat(\u0027https://us-east-1.console.aws.amazon.com/guardduty/home?region=us-east-1#/findings?macros=current\u0026fId=\u0027, Id)),\\n Severity = \\n case (\\n Severity \u003e= 7.0,\\n \\\"High\\\",\\n Severity between (4.0 .. 6.9),\\n \\\"Medium\\\",\\n Severity between (1.0 .. 3.9),\\n \\\"Low\\\",\\n \\\"Unknown\\\"\\n)\\n // Extract API call details and count\\n | mv-apply AIPCall = AWSTargetingService on \\n ( \\n where AIPCall has \\\"name\\\" \\n | extend APICallName = tostring(AIPCall.name), APICallCount = tostring(AIPCall[\\\"count\\\"])\\n ) \\n // Select distinct attributes for further analysis\\n | distinct\\n AWSAlertTime,\\n ActivityType,\\n Severity,\\n AWSAlertId,\\n AWSAlertTitle,\\n AWSAlertDescription,\\n AWSAlertLink,\\n Arn,\\n AWSresourceType,\\n AWSNetworkEntity,\\n AWSAlertUserNameEntity,\\n InstanceType,\\n APICallName,\\n APICallCount \\n );\\n// Materialize GCP Audit Logs related to VM instance creation\\nlet GCPVMActivity= materialize(\\n GCPAuditLogs \\n // Filter for Compute Engine instances insertions\\n | where ServiceName == \\\"compute.googleapis.com\\\" and MethodName endswith \\\"instances.insert\\\"\\n // Extract and transform relevant GCP Audit Log attributes\\n | extend\\n GCPUserUPN= tostring(parse_json(AuthenticationInfo).principalEmail),\\n GCPUserIp = tostring(parse_json(RequestMetadata).callerIp),\\n GCPUserUA= tostring(parse_json(RequestMetadata).callerSuppliedUserAgent),\\n VMDetails= parse_json(AuthorizationInfo),\\n VMStatus = tostring(parse_json(Response).status),\\n VMOperation=tostring(parse_json(Response).operationType),\\n VMName= tostring(parse_json(Request).name),\\n VMDescription= tostring(parse_json(Request).description),\\n VMType = tostring(split(parse_json(Request).machineType, \\\"/\\\")[-1]),\\n Tags= tostring(parse_json(Request).tags),\\n RequestJS = parse_json(Request)\\n // Filter out service account-related activities and private IP addresses\\n | where GCPUserUPN !has \\\"gserviceaccount.com\\\"\\n | extend Name = tostring(split(GCPUserUPN, \\\"@\\\")[0]), UPNSuffix = tostring(split(GCPUserUPN, \\\"@\\\")[1])\\n | where VMOperation == \\\"insert\\\" and isnotempty(GCPUserIp) and GCPUserIp != \\\"private\\\"\\n // Select relevant attributes for further analysis\\n | project\\n GCPOperationTime=TimeGenerated,\\n VMName,\\n VMStatus,\\n MethodName,\\n GCPUserUPN,\\n ProjectId,\\n GCPUserIp,\\n GCPUserUA,\\n VMOperation,\\n VMType,\\n Name,\\n UPNSuffix\\n );\\n// Join AWS and GCP activities based on matching IP addresses\\nAwsAlert\\n| join kind= inner (GCPVMActivity)\\n on\\n $left.AWSNetworkEntity == $right.GCPUserIp\",\"customDetails\":{\"AWSAlertUserName\":\"AWSAlertUserNameEntity\",\"AWSArn\":\"Arn\",\"AWSresourceType\":\"AWSresourceType\",\"AWSInstanceType\":\"InstanceType\",\"AWSAPICallName\":\"APICallName\",\"AWSAPICallCount\":\"APICallCount\",\"GCPUserAgent\":\"GCPUserUA\",\"GCPVMName\":\"VMName\",\"GCPProjectId\":\"ProjectId\",\"GCPVMType\":\"VMType\",\"CorrelationWith\":\"GCPAuditLogs\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"GCPUserIp\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"{{AWSNetworkEntity}} from {{AWSAlertTitle}} observed in GCP compute activity with {{GCPUserUPN}}\",\"alertDescriptionFormat\":\" This detection compiles and correlates unauthorized user access alerts originating from AWS GuardDuty With Alert Description \u0027{{AWSAlertDescription}}\u0027 assocated with GCP compute activities. It focuses on AWS GuardDuty alerts related to unauthorized user access, specifically targeting network IP associations tied to activities such as logins from malicious IP addresses or instance credential exfiltration attempts. The detection leverages these common network IP advisories to detect and pinpoint unauthorized users attempting to access both AWS and Azure resources. \\n\\n AWS ALert Link : \u0027{{AWSAlertLink}}\u0027 \\n\\n Find More Details :https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-active.html\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":\"Severity\"},\"tactics\":[\"InitialAccess\",\"Execution\",\"Persistence\",\"PrivilegeEscalation\",\"CredentialAccess\",\"Discovery\",\"LateralMovement\"],\"displayName\":\"Cross-Cloud Suspicious Compute resource creation in GCP\",\"description\":\"\\nThis detection identifies potential suspicious activity across multi-cloud environments by combining AWS GuardDuty findings with GCP Audit Logs. It focuses on AWS activities related to unauthorized access, credential abuse, and unusual behaviors, as well as GCP instances creation with non-Google service account users. The query aims to provide a comprehensive view of cross-cloud security incidents for proactive threat detection and response.\\n\",\"lastUpdatedDateUTC\":\"2023-10-06T00:00:00Z\",\"createdDateUTC\":\"2023-10-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"GCPAuditLogsDefinition\",\"dataTypes\":[\"GCPAuditLogs\"]},{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSGuardDuty\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/50cbf34a-4cdd-45d7-b3f5-8b53a1d0d14f\",\"name\":\"50cbf34a-4cdd-45d7-b3f5-8b53a1d0d14f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"Event\\n| where EventLog =~ \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID==1\\n| parse EventData with * \u0027CommandLine\\\"\u003e\u0027 CommandLine \\\"\u003c\\\" * \u0027ParentCommandLine\\\"\u003e\u0027 ParentCommandLine \\\"\u003c\\\" *\\n| where ParentCommandLine =~ \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe -k DcomLaunch\\\" and CommandLine =~ \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\mmc.exe -Embedding\\\"\\n| parse EventData with * \u0027ProcessGuid\\\"\u003e\u0027 ProcessGuid \\\"\u003c\\\" * \u0027Image\\\"\u003e\u0027 Image \\\"\u003c\\\" * \u0027Description\\\"\u003e\u0027 Description \\\"\u003c\\\" * \u0027CurrentDirectory\\\"\u003e\u0027 CurrentDirectory \\\"\u003c\\\" * \u0027User\\\"\u003e\u0027 User \\\"\u003c\\\" * \u0027LogonGuid\\\"\u003e\u0027 LogonGuid \\\"\u003c\\\" * \u0027ParentProcessGuid\\\"\u003e\u0027 ParentProcessGuid \\\"\u003c\\\" * \u0027ParentImage\\\"\u003e\u0027 ParentImage \\\"\u003c\\\" * \u0027ParentCommandLine\\\"\u003e\u0027 ParentCommandLine \\\"\u003c\\\" * \u0027ParentUser\\\"\u003e\u0027 ParentUser \\\"\u003c\\\" *\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, User, ParentImage, ParentProcessGuid, ParentCommandLine, ParentUser, Image, ProcessGuid, CommandLine, Description\\n| extend HostName = iif(Computer has \u0027.\u0027,substring(Computer,0,indexof(Computer,\u0027.\u0027)),Computer) , DnsDomain = iif(Computer has \u0027.\u0027,substring(Computer,indexof(Computer,\u0027.\u0027)+1),\u0027\u0027)\",\"entityMappings\":[{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLine\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"User\"}]}],\"tactics\":[\"LateralMovement\"],\"displayName\":\"Lateral Movement via DCOM\",\"description\":\"This query detects a fairly uncommon attack technique using the Windows Distributed Component Object Model (DCOM) to make a remote execution call to another computer system and gain lateral movement throughout the network.\\nRef: http://thenegative.zone/incident%20response/2017/02/04/MMC20.Application-Lateral-Movement-Analysis.html\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-03-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/dd0a6029-ecef-4507-89c4-fc355ac52111\",\"name\":\"dd0a6029-ecef-4507-89c4-fc355ac52111\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.4.2\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h; // Look back 1 hour\\nlet ioc_lookBack = 14d; // Look back 14 days\\n// Create a list of top-level domains (TLDs) from the threat feed data for later validation\\nlet SecurityLog = materialize(\\n CommonSecurityLog\\n // Filter common security logs based on the specified time range\\n | extend IngestionTime = ingestion_time()\\n | where IngestionTime \u003e ago(dt_lookBack)\\n | where DeviceEventClassID =~ \u0027url\u0027\\n // Uncomment the line below to only alert on allowed connections\\n //| where DeviceAction !~ \\\"block-url\\\"\\n // Extract the domain from RequestURL, if not present, extract it from AdditionalExtensions\\n | extend PA_Url = column_ifexists(\\\"RequestURL\\\", \\\"None\\\")\\n | extend PA_Url = iif(isempty(PA_Url) and AdditionalExtensions !startswith \\\"PanOS\\\", extract(\\\"([^\\\\\\\\\\\\\\\"]+)\\\", 1, tolower(AdditionalExtensions)), trim(\u0027\\\"\u0027, PA_Url))\\n | extend PA_Url = iif(PA_Url !startswith \\\"http://\\\" and ApplicationProtocol !~ \\\"ssl\\\", strcat(\u0027http://\u0027, PA_Url), iif(PA_Url !startswith \\\"https://\\\" and ApplicationProtocol =~ \\\"ssl\\\", strcat(\u0027https://\u0027, PA_Url), PA_Url))\\n | extend Domain = trim(\u0027\\\"\u0027, tostring(parse_url(PA_Url).Host))\\n | where isnotempty(Domain)\\n | extend Domain = tolower(Domain)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n);\\nlet LogDomains = SecurityLog | distinct Domain | summarize make_list(Domain);\\n// Retrieve threat intelligence indicators within the specified time range\\nlet Domain_Indicators = materialize(\\n ThreatIntelligenceIndicator\\n | where isnotempty(DomainName)\\n | where TimeGenerated \u003e= ago(ioc_lookBack)\\n | extend TI_DomainEntity = tolower(DomainName)\\n | where TI_DomainEntity in (LogDomains)\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n | where Active == true and ExpirationDateTime \u003e now());\\n// Join threat intelligence indicators with common security logs\\nDomain_Indicators | join kind=innerunique (SecurityLog) on $left.TI_DomainEntity == $right.Domain\\n| where CommonSecurityLog_TimeGenerated \u003c ExpirationDateTime\\n| summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId\\n| project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, PA_Url, Domain, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DeviceAction, DestinationIP, DestinationPort, DeviceName, SourceIP, SourcePort, ApplicationProtocol, RequestMethod, Type, TI_DomainEntity\\n| extend timestamp = CommonSecurityLog_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"DeviceName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"PA_Url\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"TI map Domain entity to PaloAlto CommonSecurityLog\",\"description\":\"Identifies a match in PaloAlto CommonSecurityLog table from any Domain IOC from TI\",\"lastUpdatedDateUTC\":\"2024-07-09T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c7cd6073-6d2c-4284-a5c8-da27605bdfde\",\"name\":\"c7cd6073-6d2c-4284-a5c8-da27605bdfde\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"let lbtime = 10m;\\nProofpointPOD\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027inbound\u0027\\n| where FilterDisposition !in (\u0027reject\u0027, \u0027discard\u0027)\\n| where FilterModulesSpamScoresOverall == \u0027100\u0027\\n| project SrcUserUpn, DstUserUpn\\n| extend AccountCustomEntity = SrcUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"ProofpointPOD - High risk message not discarded\",\"description\":\"Detects when email with high risk score was not rejected or discarded by filters.\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8ec3a7f9-9f55-4be3-aeb6-9188f91b278e\",\"name\":\"8ec3a7f9-9f55-4be3-aeb6-9188f91b278e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"let lookback = 14d;\\nlet timeframe = 1d;\\nlet user_accounts = \\\"(([a-zA-Z]{1,})\\\\\\\\.([a-zA-Z]{1,}))@.*\\\";\\nlet known_useragents = dynamic([]);\\nDynamics365Activity\\n| where TimeGenerated between(ago(lookback)..ago(timeframe))\\n| where isnotempty(UserAgent)\\n| summarize by UserAgent, UserId\\n| join kind = rightanti (Dynamics365Activity\\n| where TimeGenerated \u003e ago(timeframe)\\n| where isnotempty(UserAgent)\\n| where UserAgent !in~ (known_useragents)\\n| where UserAgent !hasprefix \\\"azure-logic-apps\\\" and UserAgent !hasprefix \\\"PowerApps\\\"\\n| where UserId matches regex user_accounts)\\non UserAgent, UserId\\n// Uncomment this section to exclude user agents with a rendering engine, indicating browsers.\\n//| join kind = leftanti(\\n//Dynamics365Activity\\n//| where TimeGenerated between(ago(lookback)..ago(timeframe))\\n//| where UserAgent has_any (\\\"Gecko\\\", \\\"WebKit\\\", \\\"Presto\\\", \\\"Trident\\\", \\\"EdgeHTML\\\", \\\"Blink\\\")) on UserAgent\\n| summarize FirstSeen = min(TimeGenerated), IPs = make_set(ClientIP) by UserAgent, UserId\\n| extend timestamp = FirstSeen, AccountCustomEntity = UserId\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"New Dynamics 365 User Agent\",\"description\":\"Detects users accessing Dynamics from a User Agent that has not been seen the 14 days. Has configurable filter for known good user agents such as PowerApps. Also includes optional section to exclude User Agents to indicate a browser being used.\",\"lastUpdatedDateUTC\":\"2022-12-12T00:00:00Z\",\"createdDateUTC\":\"2021-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Dynamics365\",\"dataTypes\":[\"Dynamics365Activity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/29e99017-e28d-47be-8b9a-c8c711f8a903\",\"name\":\"29e99017-e28d-47be-8b9a-c8c711f8a903\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"let security_info_actions = dynamic([\\\"User registered security info\\\", \\\"User changed default security info\\\", \\\"User deleted security info\\\", \\\"Admin updated security info\\\", \\\"User reviewed security info\\\", \\\"Admin deleted security info\\\", \\\"Admin registered security info\\\"]);\\nlet VIPUsers = (_GetWatchlist(\u0027VIPUsers\u0027) | distinct \\\"User Principal Name\\\");\\nAuditLogs\\n| where Category =~ \\\"UserManagement\\\"\\n| where ActivityDisplayName in (security_info_actions)\\n| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n| extend InitiatingIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\\n| mv-apply TargetResource = TargetResources on \\n (\\n where TargetResource.type =~ \\\"User\\\"\\n | extend Target = trim(@\u0027\\\"\u0027,tolower(tostring(TargetResource.userPrincipalName)))\\n )\\n| where Target in~ (VIPUsers)\\n| summarize Start=min(TimeGenerated), End=max(TimeGenerated), Actions = make_set(ResultReason) by InitiatingUserPrincipalName, InitiatingAadUserId, InitiatingAppName, InitiatingAppServicePrincipalId, InitiatingIpAddress, Result, Target\\n| extend TargetName = tostring(split(Target,\u0027@\u0027,0)[0]), TargetUPNSuffix = tostring(split(Target,\u0027@\u0027,1)[0])\\n| extend InitiatedByName = tostring(split(InitiatingUserPrincipalName,\u0027@\u0027,0)[0]), InitiatedByUPNSuffix = tostring(split(InitiatingUserPrincipalName,\u0027@\u0027,1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Target\"},{\"identifier\":\"Name\",\"columnName\":\"TargetName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"TargetUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatedByName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatedByUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAppServicePrincipalId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIpAddress\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"NRT Authentication Methods Changed for VIP Users\",\"description\":\"Identifies authentication methods being changed for a list of VIP users watchlist. This could be an indication of an attacker adding an auth method to the account so they can have continued access.\",\"lastUpdatedDateUTC\":\"2024-01-09T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/67775878-7f8b-4380-ac54-115e1e828901\",\"name\":\"67775878-7f8b-4380-ac54-115e1e828901\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.4\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet IP_TI = \\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack)\\n| extend IoC = coalesce(NetworkIP, NetworkDestinationIP, NetworkSourceIP,EmailSourceIpAddress,\\\"NO_IP\\\")\\n| where IoC != \\\"NO_IP\\\"\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true and ExpirationDateTime \u003e now();\\nIP_TI\\n| join kind=innerunique // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n(\\n_Im_Dns(starttime=ago(dt_lookBack))\\n| where isnotempty(DnsResponseName)\\n| summarize imDns_mintime=min(TimeGenerated), imDns_maxtime=max(TimeGenerated) by SrcIpAddr, DnsQuery, DnsResponseName, Dvc, EventProduct, EventVendor\\n| extend addresses = extract_all (@\u0027(\\\\d+\\\\.\\\\d+\\\\.\\\\d+\\\\.\\\\d+)\u0027, DnsResponseName)\\n| mv-expand IoC = addresses to typeof(string)\\n)\\non IoC\\n| where imDns_mintime \u003c ExpirationDateTime\\n| project imDns_mintime, imDns_maxtime, Description, ActivityGroupNames, IndicatorId, ThreatType, LatestIndicatorTime, ExpirationDateTime, ConfidenceScore, SrcIpAddr, IoC, Dvc, EventVendor, EventProduct, DnsQuery, DnsResponseName\",\"customDetails\":{\"LatestIndicatorTime\":\"LatestIndicatorTime\",\"Description\":\"Description\",\"ActivityGroupNames\":\"ActivityGroupNames\",\"IndicatorId\":\"IndicatorId\",\"ThreatType\":\"ThreatType\",\"ExpirationDateTime\":\"ExpirationDateTime\",\"ConfidenceScore\":\"ConfidenceScore\",\"DNSRequestTime\":\"imDns_mintime\",\"SourceIPAddress\":\"SrcIpAddr\",\"DnsQuery\":\"DnsQuery\"},\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Dvc\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IoC\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"The response {{IoC}} to DNS query matched an IoC\",\"alertDescriptionFormat\":\"The response address {{IoC}} to a DNS query matched a known indicator of compromise of {{ThreatType}}. Consult the threat intelligence blade for more information on the indicator.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"CommandAndControl\"],\"displayName\":\"TI map IP entity to DNS Events (ASIM DNS schema)\",\"description\":\"This rule identifies DNS requests for which response IP address is a known IoC. This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema.\",\"lastUpdatedDateUTC\":\"2024-07-09T00:00:00Z\",\"createdDateUTC\":\"2021-09-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/48607a29-a26a-4abf-8078-a06dbdd174a4\",\"name\":\"48607a29-a26a-4abf-8078-a06dbdd174a4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.7\",\"severity\":\"Medium\",\"query\":\"let timeRange = 1d;\\nlet lookBack = 7d;\\nlet authenticationWindow = 20m;\\nlet authenticationThreshold = 5;\\nlet isGUID = \\\"[0-9a-z]{8}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{12}\\\";\\nlet failureCodes = dynamic([50053, 50126, 50055]); // invalid password, account is locked - too many sign ins, expired password\\nlet successCodes = dynamic([0, 50055, 50057, 50155, 50105, 50133, 50005, 50076, 50079, 50173, 50158, 50072, 50074, 53003, 53000, 53001, 50129]);\\n// Lookup up resolved identities from last 7 days\\nlet aadFunc = (tableName:string){\\nlet identityLookup = table(tableName)\\n| where TimeGenerated \u003e= ago(lookBack)\\n| where not(Identity matches regex isGUID)\\n| where isnotempty(UserId)\\n| summarize by UserId, lu_UserDisplayName = UserDisplayName, lu_UserPrincipalName = UserPrincipalName, Type;\\n// collect window threshold breaches\\ntable(tableName)\\n| where TimeGenerated \u003e ago(timeRange)\\n| where ResultType in(failureCodes)\\n| summarize FailedPrincipalCount = dcount(UserPrincipalName) by bin(TimeGenerated, authenticationWindow), IPAddress, AppDisplayName, Type\\n| where FailedPrincipalCount \u003e= authenticationThreshold\\n| summarize WindowThresholdBreaches = count() by IPAddress, Type\\n| join kind= inner (\\n// where we breached a threshold, join the details back on all failure data\\ntable(tableName)\\n| where TimeGenerated \u003e ago(timeRange)\\n| where ResultType in(failureCodes)\\n| extend LocationDetails = todynamic(LocationDetails)\\n| extend FullLocation = strcat(LocationDetails.countryOrRegion,\u0027|\u0027, LocationDetails.state, \u0027|\u0027, LocationDetails.city)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), make_set(ClientAppUsed,20), make_set(FullLocation,20), FailureCount = count() by IPAddress, AppDisplayName, UserPrincipalName, UserDisplayName, Identity, UserId, Type\\n// lookup any unresolved identities\\n| extend UnresolvedUserId = iff(Identity matches regex isGUID, UserId, \\\"\\\")\\n| join kind= leftouter (\\n identityLookup\\n) on $left.UnresolvedUserId==$right.UserId\\n| extend UserDisplayName=iff(isempty(lu_UserDisplayName), UserDisplayName, lu_UserDisplayName)\\n| extend UserPrincipalName=iff(isempty(lu_UserPrincipalName), UserPrincipalName, lu_UserPrincipalName)\\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), make_set(UserPrincipalName,20), make_set(UserDisplayName,20), make_set(set_ClientAppUsed,20), make_set(set_FullLocation,20), make_list(FailureCount,20) by IPAddress, AppDisplayName, Type\\n| extend FailedPrincipalCount = array_length(set_UserPrincipalName)\\n) on IPAddress\\n| project IPAddress, StartTime, EndTime, TargetedApplication=AppDisplayName, FailedPrincipalCount, UserPrincipalNames=set_UserPrincipalName, UserDisplayNames=set_UserDisplayName, ClientAppsUsed=set_set_ClientAppUsed, Locations=set_set_FullLocation, FailureCountByPrincipal=list_FailureCount, WindowThresholdBreaches, Type\\n| join kind= inner (\\ntable(tableName) // get data on success vs. failure history for each IP\\n| where TimeGenerated \u003e ago(timeRange)\\n| where ResultType in(successCodes) or ResultType in(failureCodes) // success or failure types\\n| summarize GlobalSuccessPrincipalCount = dcountif(UserPrincipalName, (ResultType in (successCodes))), ResultTypeSuccesses = make_set_if(ResultType, (ResultType in (successCodes))), GlobalFailPrincipalCount = dcountif(UserPrincipalName, (ResultType in (failureCodes))), ResultTypeFailures = make_set_if(ResultType, (ResultType in (failureCodes))) by IPAddress, Type\\n| where GlobalFailPrincipalCount \u003e GlobalSuccessPrincipalCount // where the number of failed principals is greater than success - eliminates FPs from IPs who authenticate successfully alot and as a side effect have alot of failures\\n) on IPAddress\\n| project-away IPAddress1\\n| extend timestamp=StartTime\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Password spray attack against Microsoft Entra ID application\",\"description\":\"Identifies evidence of password spray activity against Microsoft Entra ID applications by looking for failures from multiple accounts from the same IP address within a time window. If the number of accounts breaches the threshold just once, all failures from the IP address within the time range are bought into the result. Details on whether there were successful authentications by the IP address within the time window are also included.\\nThis can be an indicator that an attack was successful.\\nThe default failure acccount threshold is 5, Default time window for failures is 20m and default look back window is 1 day\\nNote: Due to the number of possible accounts involved in a password spray it is not possible to map identities to a custom entity.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2020-03-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4a3f5ed7-8da5-4ce2-af6f-c9ada45060f2\",\"name\":\"4a3f5ed7-8da5-4ce2-af6f-c9ada45060f2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.7\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @\u0027^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$\u0027;\\nlet OfficeEvents = materialize(\\n OfficeActivity\\n | where isnotempty(UserId)\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where UserId matches regex emailregex\\n | project-rename OfficeActivity_TimeGenerated = TimeGenerated);\\nlet OfficeActivityUPNs = OfficeEvents | distinct UserId = tolower(UserId) | summarize make_list(UserId);\\nThreatIntelligenceIndicator\\n| where isnotempty(EmailSenderAddress)\\n| where TimeGenerated \u003e= ago(ioc_lookBack)\\n| where tolower(EmailSenderAddress) in (OfficeActivityUPNs)\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true and ExpirationDateTime \u003e now()\\n| where Description !contains_cs \\\"State: inactive;\\\" and Description !contains_cs \\\"State: falsepos;\\\"\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (OfficeEvents) on $left.EmailSenderAddress == $right.UserId\\n| where OfficeActivity_TimeGenerated \u003c ExpirationDateTime\\n| summarize OfficeActivity_TimeGenerated = arg_max(OfficeActivity_TimeGenerated, *) by IndicatorId, UserId\\n| project OfficeActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, EmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, UserId, ClientIP, Operation, UserType, RecordType, OfficeWorkload, Parameters\\n| extend Name = tostring(split(UserId, \u0027@\u0027, 0)[0]), UPNSuffix = tostring(split(UserId, \u0027@\u0027, 1)[0])\\n| extend timestamp = OfficeActivity_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserId\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"TI map Email entity to OfficeActivity\",\"description\":\"Identifies a match in OfficeActivity table from any Email IOC from TI\",\"lastUpdatedDateUTC\":\"2024-07-10T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a04cf847-a832-4c60-b687-b0b6147da219\",\"name\":\"a04cf847-a832-4c60-b687-b0b6147da219\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"High\",\"query\":\"let IPList = dynamic([\\\"45.63.52.41\\\",\\\"140.82.17.161\\\",\\\"207.148.101.95\\\",\\\"45.32.87.51\\\",\\\"66.42.98.156\\\",\\\"45.76.144.105\\\",\\\"217.163.28.35\\\",\\\"45.32.141.174\\\",\\\"149.28.165.249\\\",\\\"209.250.225.247\\\",\\\"45.63.100.115\\\",\\\"95.179.229.230\\\",\\\"209.250.233.247\\\",\\\"45.77.121.232\\\",\\\"45.76.175.65\\\",\\\"104.238.160.237\\\",\\\"45.77.181.97\\\",\\\"95.179.192.125\\\",\\\"149.28.93.184\\\",\\\"140.82.16.81\\\",\\\"45.76.173.103\\\",\\\"45.77.255.22\\\",\\\"45.32.11.71\\\",\\\"149.28.77.26\\\",\\\"45.32.54.50\\\",\\\"104.156.233.156\\\",\\\"45.32.21.118\\\",\\\"45.63.62.109\\\",\\\"45.77.244.202\\\",\\\"149.248.11.205\\\",\\\"104.238.190.244\\\"]);\\nlet IOCTerms = \\\"\\\\\\\\?lang=[/..]*/dev/cmdb/sslvpn_websession|/dana-na/jam/[/..]*home/webserver/htdocs/dana/html5acc/guacamole[/..]*etc/passwd\\\\\\\\?\\\";\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where isnotempty(SourceIP) or isnotempty(DestinationIP)\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or has_any_ipv4 (Message, IPList)\\n| extend IPMatch = case(\\nSourceIP in (IPList), \\\"SourceIP\\\", \\nDestinationIP in (IPList), \\\"DestinationIP\\\",\\n\\\"Message\\\") \\n| where Message matches regex IOCTerms\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch\\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\") \\n),\\n(OfficeActivity\\n| where isnotempty(UserAgent) and ClientIP in (IPList)\\n| where UserAgent contains \\\"ExchangeServicesClient/0.0.0.0\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP = ClientIP, Account = UserId, Type, RecordType, OfficeWorkload, UserAgent, OfficeObjectId, IPMatch = \\\"ClientIP\\\"\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, IPCustomEntity = SourceIP\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"Collection\"],\"displayName\":\"[Deprecated] - Known Manganese IP and UserAgent activity\",\"description\":\"This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft\u0027s Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2019-10-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/78422ef2-62bf-48ca-9bab-72c69818a425\",\"name\":\"78422ef2-62bf-48ca-9bab-72c69818a425\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P8D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.6\",\"severity\":\"Low\",\"query\":\"let endtime = 1d;\\nlet starttime = 8d;\\nlet threshold = 2.0;\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4624 and LogonType == 10\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), ComputerCountToday = dcount(Computer), ComputerSet = makeset(Computer), ProcessSet = makeset(ProcessName)\\nby Account = tolower(Account), IpAddress, AccountType, Activity, LogonTypeName),\\n(WindowsEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4624\\n| extend LogonType = tostring(EventData.LogonType)\\n| where LogonType == 10\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| extend Account = strcat(tostring(EventData.TargetDomainName),\\\"\\\\\\\\\\\", tostring(EventData.TargetUserName))\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| extend TargetUserSid = tostring(EventData.TargetUserSid)\\n| extend AccountType=case(Account endswith \\\"$\\\" or TargetUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(TargetUserSid), \\\"\\\", \\\"User\\\")\\n| extend Activity=\\\"4624 - An account was successfully logged on.\\\"\\n| extend LogonTypeName=\\\"10 - RemoteInteractive\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), ComputerCountToday = dcount(Computer), ComputerSet = makeset(Computer), ProcessSet = makeset(ProcessName)\\nby Account = tolower(Account), IpAddress, AccountType, Activity, LogonTypeName)\\n)\\n| join kind=inner (\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e= ago(starttime) and TimeGenerated \u003c ago(endtime)\\n| where EventID == 4624 and LogonType == 10\\n| summarize ComputerCountPrev7Days = dcount(Computer) by Account = tolower(Account), IpAddress\\n),\\n( WindowsEvent\\n| where TimeGenerated \u003e= ago(starttime) and TimeGenerated \u003c ago(endtime)\\n| where EventID == 4624 and EventData has (\\\"10\\\")\\n| extend LogonType = toint(EventData.LogonType)\\n| where LogonType == 10\\n| extend Account = strcat(tostring(EventData.TargetDomainName),\\\"\\\\\\\\\\\", tostring(EventData.TargetUserName))\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| summarize ComputerCountPrev7Days = dcount(Computer) by Account = tolower(Account), IpAddress)\\n)\\n) on Account, IpAddress\\n| extend Ratio = iff(isempty(ComputerCountPrev7Days), toreal(ComputerCountToday), ComputerCountToday / (ComputerCountPrev7Days * 1.0))\\n// Where the ratio of today to previous 7 days is more than double.\\n| where Ratio \u003e threshold\\n| project StartTime, EndTime, Account, IpAddress, ComputerSet, ComputerCountToday, ComputerCountPrev7Days, Ratio, AccountType, Activity, LogonTypeName, ProcessSet\\n| extend AccountName = tostring(split(Account, @\\\"\\\\\\\")[1]), AccountNTDomain = tostring(split(Account, @\\\"\\\\\\\")[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]}],\"tactics\":[\"LateralMovement\"],\"displayName\":\"Multiple RDP connections from Single System\",\"description\":\"Identifies when an RDP connection is made to multiple systems and above the normal connection count for the previous 7 days.\\nConnections from the same system with the same account within the same day.\\nRDP connections are indicated by the EventID 4624 with LogonType = 10\",\"lastUpdatedDateUTC\":\"2023-12-29T00:00:00Z\",\"createdDateUTC\":\"2019-10-21T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/83ba3057-9ea3-4759-bf6a-933f2e5bc7ee\",\"name\":\"83ba3057-9ea3-4759-bf6a-933f2e5bc7ee\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":3,\"version\":\"1.1.5\",\"severity\":\"Medium\",\"query\":\"let current = 1d;\\nlet auditLookback = 7d;\\n// Setting threshold to 3 as a default, change as needed.\\n// Any operation that has been initiated by a user or app more than 3 times in the past 7 days will be excluded\\nlet threshold = 3;\\n// Gather initial data from lookback period, excluding current, adjust current to more than a single day if no results\\nlet AuditTrail = AuditLogs | where TimeGenerated \u003e= ago(auditLookback) and TimeGenerated \u003c ago(current)\\n// 2 other operations that can be part of malicious activity in this situation are\\n// \\\"Add OAuth2PermissionGrant\\\" and \\\"Add service principal\\\", extend the filter below to capture these too\\n| where OperationName has \\\"Consent to application\\\"\\n| extend InitiatedBy = iff(isnotempty(tostring(InitiatedBy.user.userPrincipalName)),\\n tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| mv-apply TargetResource = TargetResources on \\n (\\n where TargetResource.type =~ \\\"ServicePrincipal\\\"\\n | extend TargetResourceName = tolower(tostring(TargetResource.displayName))\\n )\\n| summarize max(TimeGenerated), OperationCount = count() by OperationName, InitiatedBy, TargetResourceName\\n// only including operations initiated by a user or app that is above the threshold so we produce only rare and has not occurred in last 7 days\\n| where OperationCount \u003e threshold;\\n// Gather current period of audit data\\nlet RecentConsent = AuditLogs | where TimeGenerated \u003e= ago(current)\\n| where OperationName has \\\"Consent to application\\\"\\n| extend IpAddress = case(\\n isnotempty(tostring(InitiatedBy.user.ipAddress)) and tostring(InitiatedBy.user.ipAddress) != \u0027null\u0027, tostring(InitiatedBy.user.ipAddress),\\n isnotempty(tostring(InitiatedBy.app.ipAddress)) and tostring(InitiatedBy.app.ipAddress) != \u0027null\u0027, tostring(InitiatedBy.app.ipAddress),\\n \u0027Not Available\u0027)\\n| extend InitiatedBy = iff(isnotempty(tostring(InitiatedBy.user.userPrincipalName)),\\n tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| mv-apply TargetResource = TargetResources on \\n (\\n where TargetResource.type =~ \\\"ServicePrincipal\\\"\\n | extend TargetResourceName = tolower(tostring(TargetResource.displayName)),\\n props = TargetResource.modifiedProperties\\n )\\n| parse props with * \\\"ConsentType: \\\" ConsentType \\\"]\\\" *\\n| mv-apply AdditionalDetail = AdditionalDetails on \\n (\\n where AdditionalDetail.key =~ \\\"User-Agent\\\"\\n | extend UserAgent = tostring(AdditionalDetail.value)\\n )\\n| project TimeGenerated, InitiatedBy, IpAddress, TargetResourceName, Category, OperationName, ConsentType, UserAgent, CorrelationId, Type;\\n// Exclude previously seen audit activity for \\\"Consent to application\\\" that was seen in the lookback period\\n// First for rare InitiatedBy\\nlet RareConsentBy = RecentConsent | join kind= leftanti AuditTrail on OperationName, InitiatedBy\\n| extend Reason = \\\"Previously unseen user consenting\\\";\\n// Second for rare TargetResourceName\\nlet RareConsentApp = RecentConsent | join kind= leftanti AuditTrail on OperationName, TargetResourceName\\n| extend Reason = \\\"Previously unseen app granted consent\\\";\\nRareConsentBy | union RareConsentApp\\n| summarize Reason = make_set(Reason,100) by TimeGenerated, InitiatedBy, IpAddress, TargetResourceName, Category, OperationName, ConsentType, UserAgent, CorrelationId, Type\\n| extend timestamp = TimeGenerated, Name = tolower(tostring(split(InitiatedBy,\u0027@\u0027,0)[0])), UPNSuffix = tolower(tostring(split(InitiatedBy,\u0027@\u0027,1)[0]))\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatedBy\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"CloudApplication\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"TargetResourceName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Rare application consent\",\"description\":\"This will alert when the \\\"Consent to application\\\" operation occurs by a user that has not done this operation before or rarely does this.\\nThis could indicate that permissions to access the listed Azure App were provided to a malicious actor.\\nConsent to application, Add service principal and Add OAuth2PermissionGrant should typically be rare events.\\nThis may help detect the Oauth2 attack that can be initiated by this publicly available tool - https://github.com/fireeye/PwnAuth\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2024-01-04T00:00:00Z\",\"createdDateUTC\":\"2019-07-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/06a9b845-6a95-4432-a78b-83919b28c375\",\"name\":\"06a9b845-6a95-4432-a78b-83919b28c375\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":3,\"version\":\"1.0.4\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet scorethreshold = 5;\\nlet percentotalthreshold = 50;\\nlet TimeSeriesData = CommonSecurityLog\\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| project TimeGenerated,SourceIP, DestinationIP, DeviceVendor\\n| make-series Total=count() on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by DeviceVendor;\\n// Filtering specific records associated with spikes as outliers\\nlet TimeSeriesAlerts=materialize(TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(Total, scorethreshold, -1, \u0027linefit\u0027)\\n| mv-expand Total to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double),score to typeof(double), baseline to typeof(long)\\n| where anomalies \u003e 0 | extend score = round(score,2), AnomalyHour = TimeGenerated\\n| project DeviceVendor,AnomalyHour, TimeGenerated, Total, baseline, anomalies, score);\\nlet AnomalyHours = materialize(TimeSeriesAlerts | where TimeGenerated \u003e ago(2d) | project TimeGenerated);\\n// Join anomalies with Base Data to popalate associated records for investigation - Results sorted by score in descending order\\nTimeSeriesAlerts\\n| where TimeGenerated \u003e ago(2d)\\n| join (\\n CommonSecurityLog\\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\\n| where TimeGenerated \u003e ago(2d)\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n| summarize HourlyCount = count(), TimeGeneratedMax = arg_max(TimeGenerated, *), DestinationIPlist = make_set(DestinationIP, 100), DestinationPortlist = make_set(DestinationPort, 100) by DeviceVendor, SourceIP, TimeGeneratedHour= bin(TimeGenerated, 1h)\\n| extend AnomalyHour = TimeGeneratedHour\\n) on AnomalyHour, DeviceVendor\\n| extend PercentTotal = round((HourlyCount / Total) * 100, 3)\\n| where PercentTotal \u003e percentotalthreshold\\n| project DeviceVendor , AnomalyHour, TimeGeneratedMax, SourceIP, DestinationIPlist, DestinationPortlist, HourlyCount, PercentTotal, Total, baseline, score, anomalies\\n| summarize HourlyCount=sum(HourlyCount), StartTimeUtc=min(TimeGeneratedMax), EndTimeUtc=max(TimeGeneratedMax), SourceIPlist = make_set(SourceIP, 100), SourceIPMax= arg_max(SourceIP, *), DestinationIPlist = make_set(DestinationIPlist, 100), DestinationPortlist = make_set(DestinationPortlist, 100) by DeviceVendor , AnomalyHour, Total, baseline, score, anomalies\\n| project DeviceVendor , AnomalyHour, EndTimeUtc, SourceIPMax ,SourceIPlist, DestinationIPlist, DestinationPortlist, HourlyCount, Total, baseline, score, anomalies\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIPMax\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"Time series anomaly detection for total volume of traffic\",\"description\":\"Identifies anamalous spikes in network traffic logs as compared to baseline or normal historical patterns.\\nThe query leverages a KQL built-in anomaly detection algorithm to find large deviations from baseline patterns.\\nSudden increases in network traffic volume may be an indication of data exfiltration attempts and should be investigated.\\nThe higher the score, the further it is from the baseline value.\\nThe output is aggregated to provide summary view of unique source IP to destination IP address and port traffic observed in the flagged anomaly hour.\\nThe source IP addresses which were sending less than percentotalthreshold of the total traffic have been exluded whose value can be adjusted as needed .\\nYou may have to run queries for individual source IP addresses from SourceIPlist to determine if anything looks suspicious\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2019-05-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Barracuda\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3f0c20d5-6228-48ef-92f3-9ff7822c1954\",\"name\":\"3f0c20d5-6228-48ef-92f3-9ff7822c1954\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"AlertPerResult\"},\"version\":\"1.1.5\",\"severity\":\"Medium\",\"query\":\"let threatCategory=\\\"Hacking Tool\\\";\\nlet knownUserAgentsIndicators = materialize(externaldata(UserAgent:string, Category:string)\\n [ @\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/UnusualUserAgents.csv\\\"] \\n with(format=\\\"csv\\\", ignoreFirstRecord=True));\\nlet knownUserAgents=toscalar(knownUserAgentsIndicators | where Category==threatCategory | where isnotempty(UserAgent) | summarize make_list(UserAgent));\\nlet customUserAgents=toscalar(_GetWatchlist(\\\"UnusualUserAgents\\\") | where SearchKey==threatCategory | extend UserAgent=column_ifexists(\\\"UserAgent\\\",\\\"\\\") | where isnotempty(UserAgent) | summarize make_list(UserAgent));\\nlet fullUAList = array_concat(knownUserAgents,customUserAgents);\\n_Im_WebSession(httpuseragent_has_any=fullUAList)\\n| project SrcIpAddr, Url, TimeGenerated, HttpUserAgent, SrcUsername\\n| extend AccountName = tostring(split(SrcUsername, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(SrcUsername, \\\"@\\\")[1])\",\"customDetails\":{\"UserAgent\":\"HttpUserAgent\"},\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SrcUsername\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Host {{SrcIpAddr}} is potentially running a hacking tool\",\"alertDescriptionFormat\":\"The host at address {{SrcIpAddr}} sent an HTTP request to the URL {{Url}} with the HTTP user agent header {{HttpUserAgent}}. This user agent is known to be used by a hacking tool and indicates suspicious activity on the host.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"Execution\",\"Discovery\",\"LateralMovement\",\"Collection\",\"CommandAndControl\",\"Exfiltration\"],\"displayName\":\"A host is potentially running a hacking tool (ASIM Web Session schema)\",\"description\":\"This rule identifies a web request with a user agent header known to belong to a hacking tool. This indicates a hacking tool is used on the host.\u003cbr\u003eYou can add custom hacking tool indicating User-Agent headers using a watchlist, for more information refer to the [UnusualUserAgents Watchlist](https://aka.ms/ASimUnusualUserAgentsWatchlist).\\n This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema)\",\"lastUpdatedDateUTC\":\"2024-07-15T00:00:00Z\",\"createdDateUTC\":\"2021-12-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/53e936c6-6c30-4d12-8343-b8a0456e8429\",\"name\":\"53e936c6-6c30-4d12-8343-b8a0456e8429\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"let SUNSPOT_Hashes = dynamic([\\\"c45c9bda8db1d470f1fd0dcc346dc449839eb5ce9a948c70369230af0b3ef168\\\", \\\"0819db19be479122c1d48743e644070a8dc9a1c852df9a8c0dc2343e904da389\\\"]);\\nunion isfuzzy=true(\\nDeviceEvents\\n| where InitiatingProcessSHA256 in (SUNSPOT_Hashes)),\\n(DeviceImageLoadEvents\\n| where InitiatingProcessSHA256 in (SUNSPOT_Hashes))\\n| extend timestamp=TimeGenerated\\n| extend HostName = tostring(split(DeviceName, \\\".\\\")[0]), DomainIndex = toint(indexof(DeviceName, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(DeviceName, DomainIndex + 1), DeviceName)\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DeviceName\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingProcessAccountUpn\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatingProcessAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatingProcessAccountDomain\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"SUNSPOT malware hashes\",\"description\":\"This query uses Microsoft Defender for Endpoint data to look for IoCs associated with the SUNSPOT malware shared by Crowdstrike.\\nMore details: \\n - https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/ \\n - https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-your-software-build-process-with-azure-sentinel/ba-p/2140807\",\"lastUpdatedDateUTC\":\"2024-04-04T00:00:00Z\",\"createdDateUTC\":\"2022-04-12T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceImageLoadEvents\",\"DeviceEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a7b9df32-1367-402d-b385-882daf6e3020\",\"name\":\"a7b9df32-1367-402d-b385-882daf6e3020\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"High\",\"query\":\"Event\\n| where EventLog =~ \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID==10\\n| parse EventData with * \u0027TargetImage\\\"\u003e\u0027 TargetImage \\\"\u003c\\\" * \u0027GrantedAccess\\\"\u003e\u0027 GrantedAccess \\\"\u003c\\\" * \u0027CallTrace\\\"\u003e\u0027 CallTrace \\\"\u003c\\\" * \\n| where GrantedAccess =~ \\\"0x1FFFFF\\\" and TargetImage =~ \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\lsass.exe\\\" and CallTrace has_any (\\\"dbghelp.dll\\\",\\\"dbgcore.dll\\\")\\n| parse EventData with * \u0027SourceProcessGUID\\\"\u003e\u0027 SourceProcessGUID \\\"\u003c\\\" * \u0027SourceImage\\\"\u003e\u0027 SourceImage \\\"\u003c\\\" *\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, SourceProcessGUID, SourceImage, GrantedAccess, TargetImage, CallTrace\\n| extend HostName = iif(Computer has \u0027.\u0027,substring(Computer,0,indexof(Computer,\u0027.\u0027)),Computer) , DnsDomain = iif(Computer has \u0027.\u0027,substring(Computer,indexof(Computer,\u0027.\u0027)+1),\u0027\u0027)\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"SourceImage\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Dumping LSASS Process Into a File\",\"description\":\"Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS).\\nAfter a user logs on, the system generates and stores a variety of credential materials in LSASS process memory.\\nThese credential materials can be harvested by an administrative user or system and used to conduct lateral movement using alternate authentication materials.\\nAs well as in-memory techniques, the LSASS process memory can be dumped from the target host and analyzed on a local system.\\nRef: https://attack.mitre.org/techniques/T1003/001/\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-03-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e2399891-383c-4caf-ae67-68a008b9f89e\",\"name\":\"e2399891-383c-4caf-ae67-68a008b9f89e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.6\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet IP_TI = materialize (\\n ThreatIntelligenceIndicator\\n | where TimeGenerated \u003e= ago(ioc_lookBack)\\n | extend TI_ipEntity = coalesce(NetworkIP, NetworkDestinationIP, NetworkSourceIP,EmailSourceIpAddress,\\\"NO_IP\\\")\\n | where TI_ipEntity != \\\"NO_IP\\\"\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n | where Active == true and ExpirationDateTime \u003e now()\\n);\\nIP_TI\\n // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique \\n(\\n _Im_NetworkSession (starttime=ago(dt_lookBack))\\n | where isnotempty(SrcIpAddr)\\n | summarize imNWS_mintime=min(TimeGenerated), imNWS_maxtime=max(TimeGenerated) by SrcIpAddr, DstIpAddr, Dvc, EventProduct, EventVendor \\n | lookup (IP_TI | project TI_ipEntity, Active) on $left.SrcIpAddr == $right.TI_ipEntity\\n | project-rename SrcMatch = Active\\n | lookup (IP_TI | project TI_ipEntity, Active) on $left.DstIpAddr == $right.TI_ipEntity\\n | project-rename DstMatch = Active\\n | where SrcMatch or DstMatch\\n | extend \\n IoCIP = iff(SrcMatch, SrcIpAddr, DstIpAddr),\\n IoCDirection = iff(SrcMatch, \\\"Source\\\", \\\"Destination\\\")\\n)on $left.TI_ipEntity == $right.IoCIP\\n| where imNWS_mintime \u003c ExpirationDateTime\\n| project imNWS_mintime, imNWS_maxtime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, SrcIpAddr, DstIpAddr, IoCDirection, IoCIP, Dvc, EventVendor, EventProduct\",\"customDetails\":{\"EventStartTime\":\"imNWS_mintime\",\"EventEndTime\":\"imNWS_maxtime\",\"IoCDescription\":\"Description\",\"ActivityGroupNames\":\"ActivityGroupNames\",\"IndicatorId\":\"IndicatorId\",\"ThreatType\":\"ThreatType\",\"IoCExpirationTime\":\"ExpirationDateTime\",\"IoCConfidenceScore\":\"ConfidenceScore\",\"IoCIPDirection\":\"IoCDirection\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IoCIP\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"A network session {{IoCDirection}} address {{IoCIP}} matched an IoC.\",\"alertDescriptionFormat\":\"The {{IoCDirection}} address {{IoCIP}} of a network session matched a known indicator of compromise of {{ThreatType}}. Consult the threat intelligence blead for more information on the indicator.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"CommandAndControl\"],\"displayName\":\"TI map IP entity to Network Session Events (ASIM Network Session schema)\",\"description\":\"This rule identifies a match Network Sessions for which the source or destination IP address is a known IoC. This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema\",\"lastUpdatedDateUTC\":\"2024-07-09T00:00:00Z\",\"createdDateUTC\":\"2022-03-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"AzureNSG\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]},{\"connectorId\":\"AIVectraStream\",\"dataTypes\":[\"VectraStream\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"CiscoMeraki\",\"dataTypes\":[\"Syslog\",\"CiscoMerakiNativePoller\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cca3b4d9-ac39-4109-8b93-65bb284003e6\",\"name\":\"cca3b4d9-ac39-4109-8b93-65bb284003e6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.7\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @\u0027^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$\u0027;\\nThreatIntelligenceIndicator\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n| where TimeGenerated \u003e= ago(ioc_lookBack)\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true and ExpirationDateTime \u003e now()\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n AzureActivity | where TimeGenerated \u003e= ago(dt_lookBack) and isnotempty(Caller)\\n | extend Caller = tolower(Caller)\\n | where Caller matches regex emailregex\\n | extend AzureActivity_TimeGenerated = TimeGenerated\\n)\\non $left.EmailSenderAddress == $right.Caller\\n| where AzureActivity_TimeGenerated \u003c ExpirationDateTime\\n| summarize AzureActivity_TimeGenerated = arg_max(AzureActivity_TimeGenerated, *) by IndicatorId, Caller\\n| project AzureActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, EmailSenderName, EmailRecipient,\\nEmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, Caller, Level, CallerIpAddress, CategoryValue, OperationNameValue, ActivityStatusValue,\\nResourceGroup, SubscriptionId\\n| extend Name = tostring(split(Caller, \u0027@\u0027, 0)[0]), UPNSuffix = tostring(split(Caller, \u0027@\u0027, 1)[0])\\n| extend timestamp = AzureActivity_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Caller\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"CallerIpAddress\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"TI map Email entity to AzureActivity\",\"description\":\"Identifies a match in AzureActivity table from any Email IOC from TI\",\"lastUpdatedDateUTC\":\"2024-07-10T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/40ba9493-4183-4eee-974f-87fe39c8f267\",\"name\":\"40ba9493-4183-4eee-974f-87fe39c8f267\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Azure Advanced Threat Protection\",\"displayName\":\"Create incidents based on Microsoft Defender for Identity alerts\",\"description\":\"Create incidents based on all alerts generated in Microsoft Defender for Identity\",\"lastUpdatedDateUTC\":\"2019-07-16T00:00:00Z\",\"createdDateUTC\":\"2019-07-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert (AATP)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d9f28fdf-abc8-4f1a-a7e7-1aaec87a2fc5\",\"name\":\"d9f28fdf-abc8-4f1a-a7e7-1aaec87a2fc5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n | where EventID == 4688\\n | where Process =~ \\\"svchost.exe\\\"\\n | where CommandLine has \\\"-k GPSvcGroup\\\" or CommandLine has \\\"-s gpsvc\\\"\\n | extend timekey = bin(TimeGenerated, 1m)\\n | project timekey, NewProcessId, Computer\\n | join kind=inner (SecurityEvent\\n | where EventID == 4688\\n | where Process =~ \\\"sdelete.exe\\\" or CommandLine has \\\"sdelete\\\"\\n | where ParentProcessName endswith \\\"svchost.exe\\\"\\n | where CommandLine has_all (\\\"-s\\\", \\\"-r\\\")\\n | extend newProcess = Process\\n | extend timekey = bin(TimeGenerated, 1m)\\n ) on $left.NewProcessId == $right.ProcessId, timekey, Computer\\n | extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n | extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n | extend AccountName = tostring(split(TargetAccount, @\u0027\\\\\u0027)[1]), AccountNTDomain = tostring(split(TargetAccount, @\u0027\\\\\u0027)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetAccount\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Sdelete deployed via GPO and run recursively\",\"description\":\"This query looks for the Sdelete process being run recursively after being deployed to a host via GPO. Attackers could use this technique to deploy Sdelete to multiple host and delete data on them.\",\"lastUpdatedDateUTC\":\"2024-03-13T00:00:00Z\",\"createdDateUTC\":\"2022-03-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/70fc7201-f28e-4ba7-b9ea-c04b96701f13\",\"name\":\"70fc7201-f28e-4ba7-b9ea-c04b96701f13\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.6\",\"severity\":\"Medium\",\"query\":\"let OperationList = dynamic([\\\"Add member to role\\\",\\\"Add member to role in PIM requested (permanent)\\\"]);\\nlet PrivilegedGroups = dynamic([\\\"UserAccountAdmins\\\",\\\"PrivilegedRoleAdmins\\\",\\\"TenantAdmins\\\"]);\\nAuditLogs\\n//| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"RoleManagement\\\"\\n| where OperationName in~ (OperationList)\\n| mv-apply TargetResource = TargetResources on \\n (\\n where TargetResource.type =~ \\\"User\\\"\\n | extend TargetUserPrincipalName = tostring(TargetResource.userPrincipalName),\\n modProps = TargetResource.modifiedProperties\\n )\\n| mv-apply Property = modProps on \\n (\\n where Property.displayName =~ \\\"Role.WellKnownObjectName\\\"\\n | extend DisplayName = trim(\u0027\\\"\u0027,tostring(Property.displayName)),\\n GroupName = trim(\u0027\\\"\u0027,tostring(Property.newValue))\\n )\\n| extend InitiatingAppId = tostring(InitiatedBy.app.appId)\\n| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n| extend InitiatingAppServicePrincipalName = tostring(InitiatedBy.app.servicePrincipalName)\\n| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n| extend InitiatingIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress)) \\n| extend InitiatingUserRoles = InitiatedBy.user.roles\\n| where GroupName in~ (PrivilegedGroups)\\n// If you don\u0027t want to alert for operations from PIM, remove below filtering for MS-PIM.\\n//| where InitiatingAppName != \\\"MS-PIM\\\"\\n| project TimeGenerated, AADOperationType, Category, OperationName, AADTenantId, InitiatingUserPrincipalName, InitiatingAadUserId, InitiatingAppName, InitiatingAppId, InitiatingAppServicePrincipalId, InitiatingIpAddress, InitiatingUserRoles, DisplayName, GroupName, TargetUserPrincipalName\\n| extend InitiatedByName = tostring(split(InitiatingUserPrincipalName,\u0027@\u0027,0)[0]), InitiatedByUPNSuffix = tostring(split(InitiatingUserPrincipalName,\u0027@\u0027,1)[0])\\n| extend TargetName = tostring(split(TargetUserPrincipalName,\u0027@\u0027,0)[0]), TargetUPNSuffix = tostring(split(TargetUserPrincipalName,\u0027@\u0027,1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatedByName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatedByUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"TargetName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"TargetUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAppServicePrincipalId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIpAddress\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"NRT User added to Microsoft Entra ID Privileged Groups\",\"description\":\"This will alert when a user is added to any of the Privileged Groups.\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\\nFor Administrator role permissions in Microsoft Entra ID please see https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles\",\"lastUpdatedDateUTC\":\"2024-03-04T00:00:00Z\",\"createdDateUTC\":\"2020-07-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7d6d8a8e-b08a-4082-8dbb-d7fd2cbbc35e\",\"name\":\"7d6d8a8e-b08a-4082-8dbb-d7fd2cbbc35e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"High\",\"query\":\"let scriptExtensions = dynamic([\\\".php\\\", \\\".jsp\\\", \\\".js\\\", \\\".aspx\\\", \\\".asmx\\\", \\\".asax\\\", \\\".cfm\\\", \\\".shtml\\\"]);\\nunion isfuzzy=true\\n(SecurityEvent\\n| where EventID == 4663\\n| where Process has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| where ObjectName has_any (scriptExtensions)\\n| where AccessMask in (\u00270x2\u0027,\u00270x100\u0027, \u00270x10\u0027, \u00270x4\u0027)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress\\n),\\n (WindowsEvent\\n| where EventID == 4663 and EventData has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\") and EventData has_any (scriptExtensions) \\n| where EventData has_any (\u00270x2\u0027,\u00270x100\u0027, \u00270x10\u0027, \u00270x4\u0027)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where Process has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| extend ObjectName = tostring(EventData.ObjectName)\\n| where ObjectName has_any (scriptExtensions)\\n| extend AccessMask = tostring(EventData.AccessMask)\\n| where AccessMask in (\u00270x2\u0027,\u00270x100\u0027, \u00270x10\u0027, \u00270x4\u0027)\\n| extend Account = strcat(EventData.SubjectDomainName,\\\"\\\\\\\\\\\", EventData.SubjectUserName)\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress\\n),\\n(imFileEvent\\n| where EventType == \\\"FileCreated\\\"\\n| where ActingProcessName has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n and\\n TargetFileName has_any (scriptExtensions)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUsername, HostCustomEntity = DvcHostname\\n),\\n(DeviceFileEvents\\n| where ActionType =~ \\\"FileCreated\\\"\\n| where InitiatingProcessFileName has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| where FileName has_any(scriptExtensions)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountUpn, HostCustomEntity = DeviceName, IPCustomEntity = RequestSourceIP)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingProcessAccountUpn\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DeviceName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"[Deprecated] - Silk Typhoon UM Service writing suspicious file\",\"description\":\"This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft\u0027s Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2021-03-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/04384937-e927-4595-8f3c-89ff58ed231f\",\"name\":\"04384937-e927-4595-8f3c-89ff58ed231f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.1\",\"severity\":\"Low\",\"query\":\"let IPs = dynamic ([\\\"199.249.230.\\\",\\\"185.220.101.\\\",\\\"23.129.64.\\\",\\\"109.70.100.\\\",\\\"185.220.102.\\\"]);\\nOfficeActivity\\n| where RecordType in (\\\"AzureActiveDirectoryAccountLogon\\\", \\\"AzureActiveDirectoryStsLogon\\\") \\n| where Operation != \u0027UserLoggedIn\u0027\\n| extend UserAgent = iff(parse_json(ExtendedProperties)[0].Name =~ \\\"UserAgent\\\", extractjson(\\\"$[0].Value\\\", ExtendedProperties, typeof(string)),\\\"\\\")\\n| mv-expand parse_json(ExtendedProperties)\\n| where ExtendedProperties.Name =~ \\\"RequestType\\\"\\n| extend RequestType = ExtendedProperties.Value\\n| where ClientIP has_any (IPs)\\n| summarize authAttempts=dcount(TimeGenerated), firstAttempt=min(TimeGenerated), lastAttempt=max(TimeGenerated), uniqueIPs=dcount(ClientIP), uniqueAccounts=dcount(UserId), attemptedAccounts=make_set(UserId) by UserAgent\\n| where authAttempts \u003e 2500\\n| extend timestamp = firstAttempt\\n| sort by uniqueAccounts\",\"entityMappings\":[],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Possible Forest Blizzard attempted credential harvesting - Sept 2020\",\"description\":\"Surfaces potential Forest Blizzard group Office365 credential harvesting attempts within OfficeActivity Logon events.\\nReferences: https://www.microsoft.com/security/blog/2020/09/10/strontium-detecting-new-patters-credential-harvesting/.\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2020-09-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7965f0be-c039-4d18-8ee8-9a6add8aecf3\",\"name\":\"7965f0be-c039-4d18-8ee8-9a6add8aecf3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"High\",\"query\":\"(union isfuzzy=true\\n(SecurityEvent\\n| where EventID == 4688\\n| where CommandLine has_all (\u0027net user\u0027, \u0027/add\u0027) \\n| parse CommandLine with * \\\"user \\\" username \\\" \\\"*\\n| extend password = extract(@\\\"\\\\buser\\\\s+[^\\\\s]+\\\\s+([^\\\\s]+)\\\", 1, CommandLine) \\n| where username in(\u0027DefaultAccount\u0027) or password in(\u0027P@ssw0rd1234\u0027, \u0027_AS_@1394\u0027) \\n| project TimeGenerated, Computer, Account, AccountDomain, ProcessName, ProcessNameFullPath = NewProcessName, EventID, Activity, CommandLine, EventSourceName, Type\\n),\\n(DeviceProcessEvents \\n| where InitiatingProcessCommandLine has_all(\u0027net user\u0027, \u0027/add\u0027) \\n| parse InitiatingProcessCommandLine with * \\\"user \\\" username \\\" \\\"* \\n| extend password = extract(@\\\"\\\\buser\\\\s+[^\\\\s]+\\\\s+([^\\\\s]+)\\\", 1, InitiatingProcessCommandLine) \\n| where username in(\u0027DefaultAccount\u0027) or password in(\u0027P@ssw0rd1234\u0027, \u0027_AS_@1394\u0027) \\n| extend Account = strcat(InitiatingProcessAccountDomain, @\u0027\\\\\u0027, InitiatingProcessAccountName), Computer = DeviceName\\n)\\n)\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| extend AccountName = tostring(split(Account, @\u0027\\\\\u0027)[1]), AccountNTDomain = tostring(split(Account, @\u0027\\\\\u0027)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"DEV-0270 New User Creation\",\"description\":\"The following query tries to detect creation of a new user using a known DEV-0270 username/password schema\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-09-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/042f2801-a375-4cfd-bd29-041fc7ed88a0\",\"name\":\"042f2801-a375-4cfd-bd29-041fc7ed88a0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.6\",\"severity\":\"Medium\",\"query\":\"SigninLogs\\n//Find risky Signin\\n| where RiskState == \\\"atRisk\\\" and ResultType == 0\\n| extend Signin_Time = TimeGenerated\\n| summarize\\n AppDisplayName=make_set(AppDisplayName),\\n ClientAppUsed=make_set(ClientAppUsed),\\n UserAgent=make_set(UserAgent),\\n CorrelationId=make_set(CorrelationId),\\n Signin_Time= min(Signin_Time),\\n RiskEventTypes=make_set(RiskEventTypes)\\n by\\n ConditionalAccessStatus,\\n IPAddress,\\n IsRisky,\\n ResourceDisplayName,\\n RiskDetail,\\n ResultType,\\n RiskLevelAggregated,\\n RiskLevelDuringSignIn,\\n RiskState,\\n UserPrincipalName=tostring(tolower(UserPrincipalName)),\\n SourceSystem\\n| join kind=inner (\\n CommonSecurityLog\\n | where DeviceVendor has_any (\\\"Palo Alto Networks\\\", \\\"Fortinet\\\", \\\"Check Point\\\", \\\"Zscaler\\\")\\n | where DeviceProduct startswith \\\"FortiGate\\\" or DeviceProduct startswith \\\"PAN\\\" or DeviceProduct startswith \\\"VPN\\\" or DeviceProduct startswith \\\"FireWall\\\" or DeviceProduct startswith \\\"NSSWeblog\\\" or DeviceProduct startswith \\\"URL\\\"\\n | where DeviceAction != \\\"Block\\\"\\n | where isnotempty(RequestURL)\\n | where isnotempty(SourceUserName)\\n | extend SourceUserName = tolower(SourceUserName)\\n | summarize\\n min(TimeGenerated),\\n max(TimeGenerated),\\n Activity=make_set(Activity)\\n by DestinationHostName, DestinationIP, RequestURL, SourceUserName=tostring(tolower(SourceUserName)),DeviceVendor,DeviceProduct\\n | extend 3p_observed_Time= min_TimeGenerated,Name = tostring(split(SourceUserName,\\\"@\\\")[0]),UPNSuffix =tostring(split(SourceUserName,\\\"@\\\")[1]))\\n on $left.IPAddress == $right.DestinationIP and $left.UserPrincipalName == $right.SourceUserName\\n| extend Timediff = datetime_diff(\u0027day\u0027, 3p_observed_Time, Signin_Time)\\n| where Timediff \u003c= 1 and Timediff \u003e= 0\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DestinationIP\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"DestinationHostName\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Risky user signin observed in non-Microsoft network device\",\"description\":\"This content is utilized to identify instances of successful login by risky users, who have been observed engaging in potentially suspicious network activity on non-Microsoft network devices.\",\"lastUpdatedDateUTC\":\"2024-06-14T00:00:00Z\",\"createdDateUTC\":\"2023-05-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog (Fortinet)\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog (CheckPoint)\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog (Zscaler)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/594c653d-719a-4c23-b028-36e3413e632e\",\"name\":\"594c653d-719a-4c23-b028-36e3413e632e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"GitHubAudit\\n| where Action == \\\"org.disable_two_factor_requirement\\\"\\n| project TimeGenerated, Action, Actor, Country, IPaddress, Repository\\n| extend Name = iif(Actor contains \\\"@\\\", split(Actor, \\\"@\\\")[0], Actor)\\n| extend UPNSuffix = iif(Actor contains \\\"@\\\", split(Actor, \\\"@\\\")[1], \\\"\\\")\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Actor\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPaddress\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"NRT GitHub Two Factor Auth Disable\",\"description\":\"Two-factor authentication is a process where a user is prompted during the sign-in process for an additional form of identification, such as to enter a code on their cellphone or to provide a fingerprint scan. Two factor authentication reduces the risk of account takeover. Attacker will want to disable such security tools in order to go undetected. \",\"lastUpdatedDateUTC\":\"2024-03-14T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/500415fb-bba7-4227-a08a-9857fb61b6a7\",\"name\":\"500415fb-bba7-4227-a08a-9857fb61b6a7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.4\",\"severity\":\"Medium\",\"query\":\"OfficeActivity\\n| where OfficeWorkload == \\\"Exchange\\\"\\n| where Operation in~ (\\\"New-TransportRule\\\", \\\"Set-TransportRule\\\")\\n| mv-apply DynamicParameters = todynamic(Parameters) on (summarize ParsedParameters = make_bag(pack(tostring(DynamicParameters.Name), DynamicParameters.Value)))\\n| extend RuleName = case(\\n Operation =~ \\\"Set-TransportRule\\\", OfficeObjectId,\\n Operation =~ \\\"New-TransportRule\\\", ParsedParameters.Name,\\n \\\"Unknown\\\")\\n| mv-expand ExpandedParameters = todynamic(Parameters)\\n| where ExpandedParameters.Name in~ (\\\"BlindCopyTo\\\", \\\"RedirectMessageTo\\\") and isnotempty(ExpandedParameters.Value)\\n| extend RedirectTo = ExpandedParameters.Value\\n| extend ClientIPValues = extract_all(@\u0027\\\\[?(::ffff:)?(?P\u003cIPAddress\u003e(\\\\d+\\\\.\\\\d+\\\\.\\\\d+\\\\.\\\\d+)|[^\\\\]]+)\\\\]?([-:](?P\u003cPort\u003e\\\\d+))?\u0027, dynamic([\\\"IPAddress\\\", \\\"Port\\\"]), ClientIP)[0]\\n| extend From = ParsedParameters.From\\n| project TimeGenerated, RedirectTo, IPAddress = tostring(ClientIPValues[0]), Port = tostring(ClientIPValues[1]), UserId, From, Operation, RuleName, Parameters\\n| extend AccountName = tostring(split(UserId, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(UserId, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserId\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]}],\"tactics\":[\"Collection\",\"Exfiltration\"],\"displayName\":\"Mail redirect via ExO transport rule\",\"description\":\"Identifies when Exchange Online transport rule configured to forward emails.\\nThis could be an adversary mailbox configured to collect mail from multiple user accounts.\",\"lastUpdatedDateUTC\":\"2024-04-04T00:00:00Z\",\"createdDateUTC\":\"2020-05-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity (Exchange)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2acc91c3-17c2-4388-938e-4eac2d5894e8\",\"name\":\"2acc91c3-17c2-4388-938e-4eac2d5894e8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"High\",\"query\":\"W3CIISLog\\n| where csMethod == \u0027GET\u0027\\n| where isnotempty(csUriStem) and isnotempty(csUriQuery)\\n| where csUriStem contains \\\"logoimagehandler.ashx\\\"\\n| where csUriQuery contains \\\"codes\\\" and csUriQuery contains \\\"clazz\\\" and csUriQuery contains \\\"method\\\" and csUriQuery contains \\\"args\\\"\\n| extend timestamp = TimeGenerated\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| extend AccountName = tostring(split(csUserName, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(csUserName, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"csUserName\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"cIP\"}]}],\"tactics\":[\"Persistence\",\"CommandAndControl\"],\"displayName\":\"SUPERNOVA webshell\",\"description\":\"Identifies SUPERNOVA webshell based on W3CIISLog data.\\n References:\\n - https://unit42.paloaltonetworks.com/solarstorm-supernova/\",\"lastUpdatedDateUTC\":\"2024-03-13T00:00:00Z\",\"createdDateUTC\":\"2021-01-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7ad4c32b-d0d2-411c-a0e8-b557afa12fce\",\"name\":\"7ad4c32b-d0d2-411c-a0e8-b557afa12fce\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| project TimeGenerated, Computer, AccountName = SubjectUserName, AccountNTDomain = SubjectDomainName, FileName = Process, CommandLine, ParentProcessName, SubjectAccount\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| where CommandLine contains \\\".decode(\u0027base64\u0027)\\\"\\n or CommandLine contains \\\"base64 --decode\\\"\\n or CommandLine contains \\\".decode64(\\\"\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SubjectAccount\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"Execution\",\"DefenseEvasion\"],\"displayName\":\"NRT Process executed from binary hidden in Base64 encoded file\",\"description\":\"Encoding malicious software is a technique used to obfuscate files from detection.\\nThe first CommandLine component is looking for Python decoding base64.\\nThe second CommandLine component is looking for Bash/sh command line base64 decoding.\\nThe third one is looking for Ruby decoding base64.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2019-01-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5efb0cfd-063d-417a-803b-562eae5b0301\",\"name\":\"5efb0cfd-063d-417a-803b-562eae5b0301\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 6h;\\n// Ignore Build/Releases with less/equal this number\\nlet ServiceConnectionThreshold = 3;\\n// New Connections need to exhibit execution of more \\\"new\\\" connections than this number.\\nlet NewConnectionThreshold = 1;\\n// List of Builds/Releases to ignore in your space\\nlet BypassDefIds = datatable(DefId:string, Type:string, ProjectName:string)\\n[\\n//\\\"103\\\", \\\"Release\\\", \\\"ProjectA\\\",\\n//\\\"42\\\", \\\"Release\\\", \\\"ProjectB\\\",\\n//\\\"122\\\", \\\"Build\\\", \\\"ProjectB\\\"\\n];\\nlet HistoricDefs = AzureDevOpsAuditing\\n| where TimeGenerated between (ago(starttime) .. ago(endtime))\\n| where OperationName == \\\"Library.ServiceConnectionExecuted\\\"\\n| extend DefId = tostring(Data.DefinitionId), Type = tostring(Data.PlanType), ConnectionId = tostring(Data.ConnectionId)\\n| summarize HistoricCount = dcount(tostring(ConnectionId)), ConnectionNames = make_set(tostring(Data.ConnectionName))\\n by DefId = tostring(DefId), Type = tostring(Type), ProjectId, ProjectName, ActorUPN;\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e= ago(endtime)\\n| where OperationName == \\\"Library.ServiceConnectionExecuted\\\"\\n| extend DefId = tostring(Data.DefinitionId), Type = tostring(Data.PlanType), ConnectionId = tostring(Data.ConnectionId)\\n| parse ScopeDisplayName with OrganizationName \u0027 (Organization)\u0027\\n| summarize CurrentCount = dcount(tostring(ConnectionId)), ConnectionNames = make_set(tostring(Data.ConnectionName)), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated)\\n by OrganizationName, DefId = tostring(DefId), Type = tostring(Type), ProjectId, ProjectName, ActorUPN\\n| where CurrentCount \u003e ServiceConnectionThreshold\\n| join (HistoricDefs) on ProjectId, DefId, Type, ActorUPN\\n| join kind=anti BypassDefIds on $left.DefId==$right.DefId and $left.Type == $right.Type and $left.ProjectName == $right.ProjectName\\n| extend link = iff(\\nType == \\\"Build\\\", strcat(\u0027https://dev.azure.com/\u0027, OrganizationName, \u0027/\u0027, ProjectName, \u0027/_build?definitionId=\u0027, DefId),\\nstrcat(\u0027https://dev.azure.com/\u0027, OrganizationName, \u0027/\u0027, ProjectName, \u0027/_release?_a=releases\u0026view=mine\u0026definitionId=\u0027, DefId))\\n| where CurrentCount \u003e= HistoricCount + NewConnectionThreshold\\n| project StartTime, OrganizationName, ProjectName, DefId, link, RecentDistinctServiceConnections = CurrentCount, HistoricDistinctServiceConnections = HistoricCount,\\n RecentConnections = ConnectionNames, HistoricConnections = ConnectionNames1, ActorUPN\\n| extend timestamp = StartTime\\n| extend AccountName = tostring(split(ActorUPN, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(ActorUPN, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ActorUPN\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]}],\"tactics\":[\"Persistence\",\"Impact\"],\"displayName\":\"Azure DevOps Service Connection Addition/Abuse - Historic allow list\",\"description\":\"This detection builds an allow list of historic service connection use by Builds and Releases and compares to recent history, flagging growth of service connection use which are not manually included in the allow list and not historically included in the allow list Build/Release runs.\\nThis is to determine if someone is hijacking a build/release and adding many service connections in order to abuse or dump credentials from service connections.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-04T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d6190dde-8fd2-456a-ac5b-0a32400b0464\",\"name\":\"d6190dde-8fd2-456a-ac5b-0a32400b0464\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.3\",\"severity\":\"Medium\",\"query\":\"let ProcessCreationEvents=(union isfuzzy=true\\n(SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, FileName = Process, CommandLine, ParentProcessName\\n),\\n(WindowsEvent\\n| where EventID==4688\\n| where EventData has_any (\\\".decode(\u0027base64\u0027)\\\", \\\"base64 --decode\\\", \\\".decode64(\\\" )\\n| extend CommandLine = tostring(EventData.CommandLine)\\n| where isnotempty(CommandLine)\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend FileName=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, CommandLine, ParentProcessName\\n));\\nProcessCreationEvents \\n| where CommandLine contains \\\".decode(\u0027base64\u0027)\\\"\\n or CommandLine contains \\\"base64 --decode\\\"\\n or CommandLine contains \\\".decode64(\\\" \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), CountToday = count() by Computer, Account, AccountDomain, FileName, CommandLine, ParentProcessName\\n| extend HostName = iif(Computer has \u0027.\u0027,substring(Computer,0,indexof(Computer,\u0027.\u0027)),Computer) , DnsDomain = iif(Computer has \u0027.\u0027,substring(Computer,indexof(Computer,\u0027.\u0027)+1),\u0027\u0027)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"Account\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]}],\"tactics\":[\"Execution\",\"DefenseEvasion\"],\"displayName\":\"Process executed from binary hidden in Base64 encoded file\",\"description\":\"Encoding malicious software is a technique used to obfuscate files from detection. \\nThe first CommandLine component is looking for Python decoding base64. \\nThe second CommandLine component is looking for Bash/sh command line base64 decoding.\\nThe third one is looking for Ruby decoding base64.\",\"lastUpdatedDateUTC\":\"2024-03-13T00:00:00Z\",\"createdDateUTC\":\"2019-01-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2be4ef67-a93f-4d8a-981a-88158cb73abd\",\"name\":\"2be4ef67-a93f-4d8a-981a-88158cb73abd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.6\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet covidIndicators = (externaldata(TimeGenerated:datetime, FileHashValue:string, FileHashType: string, TlpLevel: string, Product: string, ThreatType: string, Description: string )\\n[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.Covid19.Indicators.csv\\\"] with (format=\\\"csv\\\"));\\nlet fileHashIndicators = covidIndicators\\n| where isnotempty(FileHashValue);\\n// Handle matches against both lower case and uppercase versions of the hash:\\n(fileHashIndicators | extend FileHashValue = tolower(FileHashValue)\\n| union (fileHashIndicators | extend FileHashValue = toupper(FileHashValue)))\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n CommonSecurityLog | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(FileHash)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n )\\non $left.FileHashValue == $right.FileHash\\n| summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by FileHashValue\\n| project CommonSecurityLog_TimeGenerated, FileHashValue, FileHashType, Description, ThreatType,\\nSourceIP, SourcePort, DestinationIP, DestinationPort, SourceUserID, SourceUserName, DeviceName, DeviceAction,\\nRequestURL, DestinationUserName, DestinationUserID, ApplicationProtocol, Activity\\n| extend AccountName = tostring(split(SourceUserName, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(SourceUserName, \\\"@\\\")[1])\\n| extend HostName = tostring(split(DeviceName, \\\".\\\")[0]), DomainIndex = toint(indexof(DeviceName, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(DeviceName, DomainIndex + 1), DeviceName)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SourceUserName\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DeviceName\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Value\",\"columnName\":\"FileHashValue\"},{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashType\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"Microsoft COVID-19 file hash indicator matches\",\"description\":\"Identifies a match in CommonSecurityLog Event data from any FileHash published in the Microsoft COVID-19 Threat Intel Feed - as described at https://www.microsoft.com/security/blog/2020/05/14/open-sourcing-covid-threat-intelligence/\",\"lastUpdatedDateUTC\":\"2024-11-07T00:00:00Z\",\"createdDateUTC\":\"2019-08-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CefAma\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/572e75ef-5147-49d9-9d65-13f2ed1e3a86\",\"name\":\"572e75ef-5147-49d9-9d65-13f2ed1e3a86\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let inviting_users = (AuditLogs\\n | where TimeGenerated between(ago(14d)..ago(1d))\\n | where OperationName =~ \\\"Invite external user\\\"\\n | where Result =~ \\\"success\\\"\\n | extend InitiatingUserPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | where isnotempty(InitiatingUserPrincipalName)\\n | summarize by InitiatingUserPrincipalName);\\n AuditLogs\\n | where TimeGenerated \u003e ago(1d)\\n | where OperationName =~ \\\"Invite external user\\\"\\n | where Result =~ \\\"success\\\"\\n | extend InitiatingUserPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n | extend InitiatingIPAddress = tostring(InitiatedBy.user.ipAddress)\\n | where isnotempty(InitiatingUserPrincipalName) and InitiatingUserPrincipalName !in (inviting_users)\\n | extend TargetUserPrincipalName = tostring(TargetResources[0].userPrincipalName)\\n | extend TargetAadUserId = tostring(TargetResources[0].id)\\n | extend invitingUser = InitiatingUserPrincipalName, invitedUserPrincipalName = TargetUserPrincipalName\\n | extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[1])\\n | extend TargetAccountName = tostring(split(TargetUserPrincipalName, \\\"@\\\")[0]), TargetAccountUPNSuffix = tostring(split(TargetUserPrincipalName, \\\"@\\\")[1])\\n | project-reorder TimeGenerated, OperationName, Result, TargetUserPrincipalName, TargetAadUserId, InitiatingUserPrincipalName, InitiatingAadUserId, InitiatingIPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatingAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatingAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"TargetAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"TargetAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"TargetAadUserId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIPAddress\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Guest Users Invited to Tenant by New Inviters\",\"description\":\"Detects when a Guest User is added by a user account that has not been seen adding a guest in the previous 14 days.\\n Monitoring guest accounts and the access they are provided is important to detect potential account abuse.\\n Accounts added should be investigated to ensure the activity was legitimate.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d0255b5f-2a3c-4112-8744-e6757af3283a\",\"name\":\"d0255b5f-2a3c-4112-8744-e6757af3283a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P4D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"AlertPerResult\"},\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"// You can leave out Anomalies that are already monitored through other Analytics Rules\\n//let _MonitoredRules = dynamic([\\\"TestAlertName\\\"]);\\nlet query_frequency = 1h;\\nlet query_lookback = 3d;\\nAnomalies\\n| where TimeGenerated \u003e ago(query_frequency)\\n//| where not(RuleName has_any (_MonitoredRules))\\n| join kind = leftanti (\\n Anomalies\\n | where TimeGenerated between (ago(query_frequency + query_lookback)..ago(query_frequency))\\n | distinct RuleName\\n) on RuleName\\n| extend Name = tostring(split(UserPrincipalName, \\\"@\\\")[0]), UPNSuffix = tostring(split(UserPrincipalName, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Unusual Anomaly - {{RuleName}}\",\"alertDescriptionFormat\":null,\"alertTacticsColumnName\":\"Tactics\",\"alertSeverityColumnName\":null},\"displayName\":\"Unusual Anomaly\",\"description\":\"Anomaly Rules generate events in the Anomalies table. This scheduled rule tries to detect Anomalies that are not usual, they could be a type of Anomaly that has recently been activated, or an infrequent type. The detected Anomaly should be reviewed, if it is relevant enough, eventually a separate scheduled Analytics Rule could be created specifically for that Anomaly Type, so an alert and/or incident is generated everytime that type of Anomaly happens.\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2022-07-27T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/06bbf969-fcbe-43fa-bac2-b2fa131d113a\",\"name\":\"06bbf969-fcbe-43fa-bac2-b2fa131d113a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.5\",\"severity\":\"Medium\",\"query\":\"// ADHealth Monitoring Agent Registry Key\\nlet aadHealthMonAgentRegKey = \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\MicrosoftOnline\\\\\\\\Reporting\\\\\\\\MonitoringAgent\\\";\\n// Filter out known processes\\nlet aadConnectHealthProcs = dynamic ([\\n \u0027Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe\u0027,\\n \u0027Microsoft.Identity.Health.Adfs.InsightsService.exe\u0027,\\n \u0027Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe\u0027,\\n \u0027Microsoft.Identity.Health.Adfs.PshSurrogate.exe\u0027,\\n \u0027Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe\u0027,\\n \u0027Microsoft.Identity.Health.AadSync.MonitoringAgent.Startup.exe\u0027,\\n \u0027Microsoft.Identity.AadConnect.Health.AadSync.Host.exe\u0027,\\n \u0027Microsoft.Azure.ActiveDirectory.Synchronization.Upgrader.exe\u0027,\\n \u0027miiserver.exe\u0027\\n]);\\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where EventID == \u00274656\u0027\\n| where EventData has aadHealthMonAgentRegKey\\n| extend EventData = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Computer, EventID)\\n| extend ObjectName = column_ifexists(\\\"ObjectName\\\", \\\"\\\"),\\n ObjectType = column_ifexists(\\\"ObjectType\\\", \\\"\\\")\\n| where ObjectType == \u0027Key\u0027\\n| where ObjectName == aadHealthMonAgentRegKey\\n| extend SubjectUserName = column_ifexists(\\\"SubjectUserName\\\", \\\"\\\"),\\n SubjectDomainName = column_ifexists(\\\"SubjectDomainName\\\", \\\"\\\"),\\n ProcessName = column_ifexists(\\\"ProcessName\\\", \\\"\\\")\\n| extend Process = split(ProcessName, \u0027\\\\\\\\\u0027, -1)[-1],\\n Account = strcat(SubjectDomainName, \\\"\\\\\\\\\\\", SubjectUserName)\\n| where Process !in (aadConnectHealthProcs)\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by EventID, Account, Computer, Process, SubjectUserName, SubjectDomainName, ObjectName, ObjectType, ProcessName\\n),\\n ( WindowsEvent\\n| where EventID == \u00274656\u0027 and EventData has aadHealthMonAgentRegKey\\n| extend ObjectType = tostring(EventData.ObjectType)\\n| where ObjectType == \u0027Key\u0027\\n| extend ObjectName = tostring(EventData.ObjectName)\\n| where ObjectName == aadHealthMonAgentRegKey\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| extend Process = tostring(split(ProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where Process !in (aadConnectHealthProcs)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName)\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by EventID, Account, Computer, Process, SubjectUserName, SubjectDomainName, ObjectName, ObjectType, ProcessName\\n),\\n(\\nSecurityEvent\\n| where EventID == \u00274663\u0027\\n| where ObjectType == \u0027Key\u0027\\n| where ObjectName == aadHealthMonAgentRegKey\\n| extend Process = tostring(split(ProcessName, \u0027\\\\\\\\\u0027, -1)[-1])\\n| where Process !in (aadConnectHealthProcs)\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by EventID, Account, Computer, Process, SubjectUserName, SubjectDomainName, ObjectName, ObjectType, ProcessName\\n),\\n( WindowsEvent\\n| where EventID == \u00274663\u0027 and EventData has aadHealthMonAgentRegKey\\n| extend ObjectType = tostring(EventData.ObjectType)\\n| where ObjectType == \u0027Key\u0027\\n| extend ObjectName = tostring(EventData.ObjectName)\\n| where ObjectName == aadHealthMonAgentRegKey\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| extend Process = tostring(split(ProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where Process !in (aadConnectHealthProcs)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName)\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by EventID, Account, Computer, Process, SubjectUserName, SubjectDomainName, ObjectName, ObjectType, ProcessName\\n)\\n)\\n// You can filter out potential machine accounts\\n//| where AccountType != \u0027Machine\u0027\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| extend Name = tostring(split(Account, \\\"\\\\\\\\\\\")[1]), NTDomain = tostring(split(Account, \\\"\\\\\\\\\\\")[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"NTDomain\",\"columnName\":\"NTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"Collection\"],\"displayName\":\"Microsoft Entra ID Health Service Agents Registry Keys Access\",\"description\":\"This detection uses Windows security events to detect suspicious access attempts to the registry key values and sub-keys of Microsoft Entra ID Health service agents (e.g AD FS).\\nInformation from AD Health service agents can be used to potentially abuse some of the features provided by those services in the cloud (e.g. Federation).\\nThis detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object: HKLM:\\\\SOFTWARE\\\\Microsoft\\\\ADHealthAgent.\\nMake sure you set the SACL to propagate to its sub-keys. You can find more information in here https://github.com/OTRF/Set-AuditRule/blob/master/rules/registry/aad_connect_health_service_agent.yml\\n\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2021-08-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8ac77493-3cae-4840-8634-15fb23f8fb68\",\"name\":\"8ac77493-3cae-4840-8634-15fb23f8fb68\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"let BEC_Keywords = dynamic([ \u0027invoice\u0027,\u0027payment\u0027,\u0027paycheck\u0027,\u0027transfer\u0027,\u0027bank statement\u0027,\u0027bank details\u0027,\u0027closing\u0027,\u0027funds\u0027,\u0027bank account\u0027,\u0027account details\u0027,\u0027remittance\u0027,\u0027purchase\u0027,\u0027deposit\u0027,\\\"PO#\\\",\\\"Zahlung\\\",\\\"Rechnung\\\",\\\"Paiement\\\", \\\"virement bancaire\\\",\\\"Bankuberweisung\\\",\u0027hacked\u0027,\u0027phishing\u0027]);\\nOfficeActivity\\n| where Operation =~ \\\"New-InboxRule\\\"\\n| where Parameters has \\\"Deleted Items\\\" or Parameters has \\\"Junk Email\\\" or Parameters has \\\"DeleteMessage\\\"\\n| extend Events=todynamic(Parameters)\\n| parse Events with * \\\"SubjectContainsWords\\\" SubjectContainsWords \u0027}\u0027*\\n| parse Events with * \\\"BodyContainsWords\\\" BodyContainsWords \u0027}\u0027*\\n| parse Events with * \\\"SubjectOrBodyContainsWords\\\" SubjectOrBodyContainsWords \u0027}\u0027*\\n| where SubjectContainsWords has_any (BEC_Keywords)\\n or BodyContainsWords has_any (BEC_Keywords)\\n or SubjectOrBodyContainsWords has_any (BEC_Keywords)\\n| extend ClientIPAddress = case( ClientIP has \\\".\\\", tostring(split(ClientIP,\\\":\\\")[0]), ClientIP has \\\"[\\\", tostring(trim_start(@\u0027[[]\u0027,tostring(split(ClientIP,\\\"]\\\")[0]))), ClientIP )\\n| extend Keyword = iff(isnotempty(SubjectContainsWords), SubjectContainsWords, (iff(isnotempty(BodyContainsWords),BodyContainsWords,SubjectOrBodyContainsWords )))\\n| extend RuleDetail = case(OfficeObjectId contains \u0027/\u0027 , tostring(split(OfficeObjectId, \u0027/\u0027)[-1]) , tostring(split(OfficeObjectId, \u0027\\\\\\\\\u0027)[-1]))\\n| summarize count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by Operation, UserId, ClientIPAddress, ResultStatus, Keyword, OriginatingServer, OfficeObjectId, RuleDetail\\n| extend UserName = split(UserId, \u0027@\u0027)[0], DomainName = split(UserId, \u0027@\u0027)[1]\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserId\"},{\"identifier\":\"Name\",\"columnName\":\"UserName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"DomainName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIPAddress\"}]}],\"tactics\":[\"Persistence\",\"DefenseEvasion\"],\"displayName\":\"Malicious BEC Inbox Rule\",\"description\":\"Often times after the initial compromise in a BEC attack the attackers create inbox rules to delete emails that contain certain keywords related to their BEC attack.\\n This is done so as to limit ability to warn compromised users that they\u0027ve been compromised. \",\"lastUpdatedDateUTC\":\"2024-03-14T00:00:00Z\",\"createdDateUTC\":\"2020-03-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3b05727d-a8d1-477d-bbdd-d957da96ac7b\",\"name\":\"3b05727d-a8d1-477d-bbdd-d957da96ac7b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"OfficeActivity\\n| where OfficeWorkload =~ \\\"Exchange\\\"\\n| where Parameters has_any (\\\"ForwardTo\\\", \\\"RedirectTo\\\", \\\"ForwardingSmtpAddress\\\")\\n| mv-apply DynamicParameters = todynamic(Parameters) on (summarize ParsedParameters = make_bag(pack(tostring(DynamicParameters.Name), DynamicParameters.Value)))\\n| evaluate bag_unpack(ParsedParameters, columnsConflict=\u0027replace_source\u0027)\\n| extend DestinationMailAddress = tolower(case(\\n isnotempty(column_ifexists(\\\"ForwardTo\\\", \\\"\\\")), column_ifexists(\\\"ForwardTo\\\", \\\"\\\"),\\n isnotempty(column_ifexists(\\\"RedirectTo\\\", \\\"\\\")), column_ifexists(\\\"RedirectTo\\\", \\\"\\\"),\\n isnotempty(column_ifexists(\\\"ForwardingSmtpAddress\\\", \\\"\\\")), trim_start(@\\\"smtp:\\\", column_ifexists(\\\"ForwardingSmtpAddress\\\", \\\"\\\")),\\n \\\"\\\"))\\n| where isnotempty(DestinationMailAddress)\\n| mv-expand split(DestinationMailAddress, \\\";\\\")\\n| extend ClientIPValues = extract_all(@\u0027\\\\[?(::ffff:)?(?P\u003cIPAddress\u003e(\\\\d+\\\\.\\\\d+\\\\.\\\\d+\\\\.\\\\d+)|[^\\\\]]+)\\\\]?([-:](?P\u003cPort\u003e\\\\d+))?\u0027, dynamic([\\\"IPAddress\\\", \\\"Port\\\"]), ClientIP)[0]\\n| extend ClientIP = tostring(ClientIPValues[0]), Port = tostring(ClientIPValues[1])\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), DistinctUserCount = dcount(UserId), UserId = make_set(UserId, 250), Ports = make_set(Port, 250), EventCount = count() by tostring(DestinationMailAddress), ClientIP\\n| where DistinctUserCount \u003e 1\\n| mv-expand UserId to typeof(string)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]}],\"tactics\":[\"Collection\",\"Exfiltration\"],\"displayName\":\"NRT Multiple users email forwarded to same destination\",\"description\":\"Identifies when multiple (more than one) users mailboxes are configured to forward to the same destination.\\nThis could be an attacker-controlled destination mailbox configured to collect mail from multiple compromised user accounts.\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2019-08-23T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/36a9c9e5-3dc1-4ed9-afaa-1d13617bfc2b\",\"name\":\"36a9c9e5-3dc1-4ed9-afaa-1d13617bfc2b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.9\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\n// let ioc_lookBack = 14d;\\n// ThreatIntelligenceIndicator\\n// // Picking up only IOC\u0027s that contain the entities we want\\n// | where isnotempty(Url)\\n// | where TimeGenerated \u003e= ago(ioc_lookBack)\\n// | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n// | where Active == true and ExpirationDateTime \u003e now()\\n// // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n// | join kind=innerunique (\\n// OfficeActivity\\n// | where TimeGenerated \u003e= ago(dt_lookBack)\\n// //Extract the Url from a number of potential fields\\n// | extend Url = iif(OfficeWorkload == \\\"AzureActiveDirectory\\\",extract(\\\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.\u0026+]|[!*\\\\\\\\(\\\\\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+)\\\", 1,ModifiedProperties),tostring(parse_json(ModifiedProperties)[12].NewValue))\\n// | where isnotempty(Url)\\n// // Ensure we get a clean URL\\n// | extend Url = tostring(split(Url, \u0027;\u0027)[0])\\n// | extend OfficeActivity_TimeGenerated = TimeGenerated\\n// // Project a single user identity that we can use for entity mapping\\n// | extend User = iif(isnotempty(UserId), UserId, iif(isnotempty(Actor), tostring(parse_json(Actor)[0].ID), tostring(parse_json(Parameters)[0].Value)))\\n// ) on Url\\n// | where OfficeActivity_TimeGenerated \u003c ExpirationDateTime\\n// | summarize OfficeActivity_TimeGenerated = arg_max(OfficeActivity_TimeGenerated, *) by IndicatorId, Url\\n// | project OfficeActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Operation,\\n// UserType, OfficeWorkload, Parameters, Url, User\\n// | extend timestamp = OfficeActivity_TimeGenerated, Name = tostring(split(User, \u0027@\u0027, 0)[0]), UPNSuffix = tostring(split(User, \u0027@\u0027, 1)[0])\\ndatatable() []\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"User\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"TI Map URL Entity to OfficeActivity Data [Deprecated]\",\"description\":\"This query is Deprecated as its filter conditions will never yield results. This query identifies any URL indicators of compromise (IOCs) from threat intelligence (TI) by searching for matches in OfficeActivity data.\",\"lastUpdatedDateUTC\":\"2024-09-12T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9fb57e58-3ed8-4b89-afcf-c8e786508b1c\",\"name\":\"9fb57e58-3ed8-4b89-afcf-c8e786508b1c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.4\",\"severity\":\"Low\",\"query\":\"// Add or remove operation names below as per your requirements. For operations lists, please refer to https://learn.microsoft.com/en-us/Azure/role-based-access-control/resource-provider-operations#all\\nlet szOperationNames = dynamic([\\\"Microsoft.Compute/virtualMachines/write\\\", \\\"Microsoft.Resources/deployments/write\\\", \\\"Microsoft.Resources/subscriptions/resourceGroups/write\\\"]);\\nlet starttime = 14d;\\nlet endtime = 1d;\\nlet RareCaller = AzureActivity\\n| where TimeGenerated between (ago(starttime) .. ago(endtime))\\n| where OperationNameValue in~ (szOperationNames)\\n| summarize count() by CallerIpAddress, Caller, OperationNameValue, bin(TimeGenerated,1d)\\n// Returns all the records from the right side that don\u0027t have matches from the left.\\n| join kind=rightantisemi (\\nAzureActivity\\n| where TimeGenerated \u003e ago(endtime)\\n| where OperationNameValue in~ (szOperationNames)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = make_set(TimeGenerated,100), ActivityStatusValue = make_set(ActivityStatusValue,100), CorrelationIds = make_set(CorrelationId,100), ResourceGroups = make_set(ResourceGroup,100), ResourceIds = make_set(_ResourceId,100), ActivityCountByCallerIPAddress = count()\\nby CallerIpAddress, Caller, OperationNameValue) on CallerIpAddress, Caller, OperationNameValue;\\nRareCaller\\n| extend Name = iif(Caller has \u0027@\u0027,tostring(split(Caller,\u0027@\u0027,0)[0]),\\\"\\\")\\n| extend UPNSuffix = iif(Caller has \u0027@\u0027,tostring(split(Caller,\u0027@\u0027,1)[0]),\\\"\\\")\\n| extend AadUserId = iif(Caller !has \u0027@\u0027,Caller,\\\"\\\")\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Caller\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"AadUserId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"CallerIpAddress\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Suspicious Resource deployment\",\"description\":\"Identifies when a rare Resource and ResourceGroup deployment occurs by a previously unseen caller.\",\"lastUpdatedDateUTC\":\"2024-03-04T00:00:00Z\",\"createdDateUTC\":\"2019-02-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c3e5dbaa-a540-408c-8b36-68bdfb3df088\",\"name\":\"c3e5dbaa-a540-408c-8b36-68bdfb3df088\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n | where EventID == 4688\\n | where isnotempty(CommandLine)\\n | where CommandLine contains \\\"TVqQAAMAAAAEAAA\\\"\\n | extend HostName = tostring(split(Computer, \u0027.\u0027, 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Computer, \u0027.\u0027), 1, -1), \u0027.\u0027))\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SubjectAccount\"},{\"identifier\":\"Name\",\"columnName\":\"SubjectUserName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"SubjectDomainName\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]}],\"tactics\":[\"Execution\",\"DefenseEvasion\"],\"displayName\":\"NRT Base64 Encoded Windows Process Command-lines\",\"description\":\"This detection identifies instances of a base64 encoded PE file header seen in the process command line parameter.\",\"lastUpdatedDateUTC\":\"2024-03-13T00:00:00Z\",\"createdDateUTC\":\"2022-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b4ceb583-4c44-4555-8ecf-39f572e827ba\",\"name\":\"b4ceb583-4c44-4555-8ecf-39f572e827ba\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.5\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet scorethreshold = 1.5;\\nlet percentthreshold = 50;\\n// Preparing the time series data aggregated hourly count of MailItemsAccessd Operation in the form of multi-value array to use with time series anomaly function.\\nlet TimeSeriesData =\\nOfficeActivity\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where OfficeWorkload=~ \\\"Exchange\\\" and Operation =~ \\\"MailItemsAccessed\\\" and ResultStatus =~ \\\"Succeeded\\\"\\n| project TimeGenerated, Operation, MailboxOwnerUPN\\n| make-series Total=count() on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe;\\nlet TimeSeriesAlerts = TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(Total, scorethreshold, -1, \u0027linefit\u0027)\\n| mv-expand Total to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to typeof(double), baseline to typeof(long)\\n| where anomalies \u003e 0\\n| project TimeGenerated, Total, baseline, anomalies, score;\\n// Joining the flagged outlier from the previous step with the original dataset to present contextual information\\n// during the anomalyhour to analysts to conduct investigation or informed decisions.\\nTimeSeriesAlerts | where TimeGenerated \u003e ago(2d)\\n// Join against base logs since specified timeframe to retrive records associated with the hour of anomoly\\n| join kind=innerunique (\\n OfficeActivity\\n | where TimeGenerated \u003e ago(2d)\\n | extend DateHour = bin(TimeGenerated, 1h)\\n | where OfficeWorkload=~ \\\"Exchange\\\" and Operation =~ \\\"MailItemsAccessed\\\" and ResultStatus =~ \\\"Succeeded\\\"\\n | summarize HourlyCount=count(), TimeGeneratedMax = arg_max(TimeGenerated, *), IPAdressList = make_set(Client_IPAddress, 1000), SourceIPMax= arg_max(Client_IPAddress, *), ClientInfoStringList= make_set(ClientInfoString, 1000) by MailboxOwnerUPN, Logon_Type, TenantId, UserType, TimeGenerated = bin(TimeGenerated, 1h)\\n | where HourlyCount \u003e 25 // Only considering operations with more than 25 hourly count to reduce False Positivies\\n | order by HourlyCount desc\\n) on TimeGenerated\\n| extend PercentofTotal = round(HourlyCount/Total, 2) * 100\\n| where PercentofTotal \u003e percentthreshold // Filter Users with count of less than 5 percent of TotalEvents per Hour to remove FPs/ users with very low count of MailItemsAccessed events\\n| order by PercentofTotal desc\\n| project-reorder TimeGeneratedMax, Type, OfficeWorkload, Operation, UserId, SourceIPMax, IPAdressList, ClientInfoStringList, HourlyCount, PercentofTotal, Total, baseline, score, anomalies\\n| extend AccountName = tostring(split(UserId, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(UserId, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserId\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"Client_IPAddress\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIPMax\"}]}],\"tactics\":[\"Collection\"],\"displayName\":\"Exchange workflow MailItemsAccessed operation anomaly\",\"description\":\"Identifies anomalous increases in Exchange mail items accessed operations.\\nThe query leverages KQL built-in anomaly detection algorithms to find large deviations from baseline patterns.\\nSudden increases in execution frequency of sensitive actions should be further investigated for malicious activity.\\nManually change scorethreshold from 1.5 to 3 or higher to reduce the noise based on outliers flagged from the query criteria.\\nRead more about MailItemsAccessed- https://docs.microsoft.com/microsoft-365/compliance/advanced-audit?view=o365-worldwide#mailitemsaccessed\",\"lastUpdatedDateUTC\":\"2024-03-13T00:00:00Z\",\"createdDateUTC\":\"2020-12-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity (Exchange)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/69b7723c-2889-469f-8b55-a2d355ed9c87\",\"name\":\"69b7723c-2889-469f-8b55-a2d355ed9c87\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.4.3\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h; // Look back 1 hour for DNS events\\nlet ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators\\n// Fetch threat intelligence indicators related to IP addresses\\nlet IP_Indicators = ThreatIntelligenceIndicator\\n | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n | where TimeGenerated \u003e= ago(ioc_lookBack)\\n | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \\\"fe80\\\" and TI_ipEntity !startswith \\\"::\\\" and TI_ipEntity !startswith \\\"127.\\\"\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n | where Active == true and ExpirationDateTime \u003e now();\\n// Perform a join between IP indicators and DNS events\\nIP_Indicators\\n // Use innerunique to keep performance fast and result set low, as we only need one match to indicate potential malicious activity that needs investigation\\n | join kind=innerunique (\\n DnsEvents\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where SubType =~ \\\"LookupQuery\\\" and isnotempty(IPAddresses)\\n | mv-expand SingleIP = split(IPAddresses, \\\", \\\") to typeof(string)\\n | extend DNS_TimeGenerated = TimeGenerated\\n )\\n on $left.TI_ipEntity == $right.SingleIP\\n // Filter out DNS events that occurred after the expiration of the corresponding indicator\\n | where DNS_TimeGenerated \u003c ExpirationDateTime\\n // Group the results by IndicatorId and SingleIP, and keep the DNS event with the latest timestamp\\n | summarize DNS_TimeGenerated = arg_max(DNS_TimeGenerated, *) by IndicatorId, SingleIP\\n // Select the desired output fields\\n | project DNS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, DomainName, ExpirationDateTime, ConfidenceScore,\\n TI_ipEntity, Computer, EventId, SubType, ClientIP, Name, IPAddresses, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, Type\\n | extend timestamp = DNS_TimeGenerated, HostName = tostring(split(Computer, \u0027.\u0027, 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Computer, \u0027.\u0027), 1, -1), \u0027.\u0027))\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"TI Map IP Entity to DnsEvents\",\"description\":\"This query maps any IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in DnsEvents.\",\"lastUpdatedDateUTC\":\"2024-07-09T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f4a28082-2808-4783-9736-33c1ae117475\",\"name\":\"f4a28082-2808-4783-9736-33c1ae117475\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"// Retrieve Azure AD SigninLogs within the last day\\nSigninLogs \\n// Filter for specific AppDisplayNames, ResultType, and Risk Levels\\n| where AppDisplayName in (\\\"Azure Portal\\\", \\\"ADFS Trust\\\", \\\"Microsoft Azure PowerShell\\\")\\n and RiskLevelAggregated == \\\"high\\\"\\n and RiskLevelDuringSignIn == \\\"high\\\"\\n// Summarize AppDisplayNames by relevant attributes\\n| extend Result = iff(ResultType == 0, \\\"Successful Signin\\\", \\\"Failed Signin\\\")\\n| summarize make_set(AppDisplayName)\\n by\\n IPAddress,\\n signInTime=TimeGenerated,\\n UserPrincipalName,\\n RiskEventTypes,\\n RiskEventTypes_V2\\n// Inner join with AWS CloudTrail events\\n| join kind=inner (\\n AWSCloudTrail\\n | where isempty(ErrorMessage)\\n | where EventSource in (\\\"iam.amazonaws.com\\\", \\\"identitystore.amazonaws.com\\\", \\\"workmail.amazonaws.com\\\", \\\"workdocs.amazonaws.com\\\")\\n // List of AWS event names\\n | where EventName in~ (\\\"CreateRole\\\", \\\"DeleteRole\\\", \\\"CreateUser\\\", \\\"CreateAccessKey\\\", \\\"DeleteAccessKey\\\", \\\"CreateGroup\\\", \\\"AddUserToGroup\\\", \\\"ChangePassword\\\", \\\"DeleteGroup\\\", \\\"DeleteUser\\\", \\\"RemoveUserFromGroup\\\", \\\"CreateVirtualMFADevice\\\", \\\"DeleteLoginProfile\\\", \\\"CreateOrganization\\\", \\\"SetDefaultMailDomain\\\", \\\"SetMailUserDetails\\\", \\\"CreateMailUser\\\", \\\"ResetPassword\\\", \\\"RegisterToWorkMail\\\", \\\"DisableMailUsers\\\", \\\"EnableMailUsers\\\", \\\"DeleteServiceSpecificCredential\\\", \\\"CreateServiceSpecificCredential\\\", \\\"UpdateAccountEmailAddress\\\", \\\"DeleteGroupPolicy\\\", \\\"UploadServerCertificate\\\") \\n // Summarize relevant attributes\\n | summarize make_set(RequestParameters), make_set(ResponseElements)\\n by\\n SourceIpAddress,\\n UserIdentityArn,\\n UserIdentityType,\\n EventName,\\n EventTime=TimeGenerated,\\n EventSource\\n )\\n on $left.IPAddress == $right.SourceIpAddress \\n// Calculate time difference in hours between AWS event and Azure sign-in\\n| extend timedef = datetime_diff(\\\"hour\\\", EventTime, signInTime)\\n// Filter for time differences within a certain range\\n| where timedef between (0 .. 8)\",\"customDetails\":{\"AwsUser\":\"UserIdentityArn\",\"RiskEventTypes\":\"RiskEventTypes\",\"AzureUser\":\"UserPrincipalName\",\"AWSEventName\":\"EventName\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIpAddress\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"High-Risk Cross-Cloud User Impersonation\",\"description\":\"This detection focuses on identifying high-risk cross-cloud activities and sign-in anomalies that may indicate potential security threats. The query starts by analyzing Microsoft Entra ID Signin Logs to pinpoint instances where specific applications, risk levels, and result types align. It then correlates this information with relevant AWS CloudTrail events to identify activities across Azure and AWS environments.\",\"lastUpdatedDateUTC\":\"2023-11-12T00:00:00Z\",\"createdDateUTC\":\"2023-08-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/155f40c6-610d-497d-85fc-3cf06ec13256\",\"name\":\"155f40c6-610d-497d-85fc-3cf06ec13256\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"yahoo-verification.org\\\",\\\"support-servics.com\\\",\\\"verification-live.com\\\",\\\"com-mailbox.com\\\",\\\"com-myaccuants.com\\\",\\\"notification-accountservice.com\\\",\\n\\\"accounts-web-mail.com\\\",\\\"customer-certificate.com\\\",\\\"session-users-activities.com\\\",\\\"user-profile-credentials.com\\\",\\\"verify-linke.com\\\",\\\"support-servics.net\\\",\\\"verify-linkedin.net\\\",\\n\\\"yahoo-verification.net\\\",\\\"yahoo-verify.net\\\",\\\"outlook-verify.net\\\",\\\"com-users.net\\\",\\\"verifiy-account.net\\\",\\\"te1egram.net\\\",\\\"account-verifiy.net\\\",\\\"myaccount-services.net\\\",\\n\\\"com-identifier-servicelog.name\\\",\\\"microsoft-update.bid\\\",\\\"outlook-livecom.bid\\\",\\\"update-microsoft.bid\\\",\\\"documentsfilesharing.cloud\\\",\\\"com-microsoftonline.club\\\",\\n\\\"confirm-session-identifier.info\\\",\\\"session-management.info\\\",\\\"confirmation-service.info\\\",\\\"document-share.info\\\",\\\"broadcast-news.info\\\",\\\"customize-identity.info\\\",\\\"webemail.info\\\",\\n\\\"com-identifier-servicelog.info\\\",\\\"documentsharing.info\\\",\\\"notification-accountservice.info\\\",\\\"identifier-activities.info\\\",\\\"documentofficupdate.info\\\",\\\"recoveryusercustomer.info\\\",\\n\\\"serverbroadcast.info\\\",\\\"account-profile-users.info\\\",\\\"account-service-management.info\\\",\\\"accounts-manager.info\\\",\\\"activity-confirmation-service.info\\\",\\\"com-accountidentifier.info\\\",\\n\\\"com-privacy-help.info\\\",\\\"com-sessionidentifier.info\\\",\\\"com-useraccount.info\\\",\\\"confirmation-users-service.info\\\",\\\"confirm-identity.info\\\",\\\"confirm-session-identification.info\\\",\\n\\\"continue-session-identifier.info\\\",\\\"customer-recovery.info\\\",\\\"customers-activities.info\\\",\\\"elitemaildelivery.info\\\",\\\"email-delivery.info\\\",\\\"identify-user-session.info\\\",\\n\\\"message-serviceprovider.info\\\",\\\"notificationapp.info\\\",\\\"notification-manager.info\\\",\\\"recognized-activity.info\\\",\\\"recover-customers-service.info\\\",\\\"recovery-session-change.info\\\",\\n\\\"service-recovery-session.info\\\",\\\"service-session-continue.info\\\",\\\"session-mail-customers.info\\\",\\\"session-managment.info\\\",\\\"session-verify-user.info\\\",\\\"shop-sellwear.info\\\",\\n\\\"supportmailservice.info\\\",\\\"terms-service-notification.info\\\",\\\"user-activity-issues.info\\\",\\\"useridentity-confirm.info\\\",\\\"users-issue-services.info\\\",\\\"verify-user-session.info\\\",\\n\\\"login-gov.info\\\",\\\"notification-signal-agnecy.info\\\",\\\"notifications-center.info\\\",\\\"identifier-services-sessions.info\\\",\\\"customers-manager.info\\\",\\\"session-manager.info\\\",\\n\\\"customer-managers.info\\\",\\\"confirmation-recovery-options.info\\\",\\\"service-session-confirm.info\\\",\\\"session-recovery-options.info\\\",\\\"services-session-confirmation.info\\\",\\n\\\"notification-managers.info\\\",\\\"activities-services-notification.info\\\",\\\"activities-recovery-options.info\\\",\\\"activity-session-recovery.info\\\",\\\"customers-services.info\\\",\\n\\\"sessions-notification.info\\\",\\\"download-teamspeak.info\\\",\\\"services-issue-notification.info\\\",\\\"microsoft-upgrade.mobi\\\",\\\"broadcastnews.pro\\\",\\\"mobile-messengerplus.network\\\"]);\\nlet IPList = dynamic([\\\"51.91.200.147\\\"]);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 *\\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend RequestURLIP = extract(IPRegex, 0, Message)\\n| where (isnotempty(SourceIP) and SourceIP in (IPList)) or (isnotempty(DestinationIP) and DestinationIP in (IPList))\\nor (isnotempty(DNSName) and DNSName in~ (DomainNames)) or (isnotempty(DestinationHostName) and DestinationHostName in~ (DomainNames)) or (isnotempty(RequestURL) and (RequestURL has_any (DomainNames) or RequestURLIP in (IPList)))\\nor (isnotempty(Message) and MessageIP in (IPList))\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", RequestURLIP in (IPList), \\\"RequestUrl\\\", \\\"NoMatch\\\")\\n| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP,IPMatch == \\\"Message\\\", MessageIP,\\nIPMatch == \\\"RequestUrl\\\", RequestURLIP,\\\"NoMatch\\\"), Account = SourceUserID, Host = DeviceName\\n),\\n(_Im_Dns (domain_has_any=DomainNames)\\n| extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host),\\n(_Im_Dns (response_has_any_prefix=IPList)\\n| extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host),\\n(_Im_WebSession(url_has_any=DomainNames)\\n| extend DestinationIPAddress = DstIpAddr, DNSName = tostring(parse_url(Url)[\\\"Host\\\"]), Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host),\\n(VMConnection\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where isnotempty(SourceIp) or isnotempty(DestinationIp) or isnotempty(DNSName)\\n| where SourceIp in (IPList) or DestinationIp in (IPList) or DNSName in~ (DomainNames)\\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", \\\"None\\\")\\n| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"None\\\"), Host = Computer),\\n(OfficeActivity\\n| extend SourceIPAddress = ClientIP, Account = UserId\\n| where SourceIPAddress in (IPList)\\n| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPCustomEntity = SourceHost \\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| project TimeGenerated,Resource, msg_s, Type\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where Request_Name has_any (DomainNames)\\n| extend DNSName = Request_Name \\n| extend IPCustomEntity = ClientIP\\n),\\n(AZFWApplicationRule\\n| where isnotempty(Fqdn)\\n| where Fqdn has_any (DomainNames) \\n| extend DNSName = Fqdn \\n| extend IPCustomEntity = SourceIp\\n),\\n(AZFWDnsQuery\\n| where isnotempty(QueryName)\\n| where QueryName has_any (DomainNames)\\n| extend DNSName = QueryName\\n| extend IPCustomEntity = SourceIp\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"[Deprecated] - Known Phosphorus group domains/IP\",\"description\":\"This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft\u0027s Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2020-10-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\",\"AZFWApplicationRule\",\"AZFWDnsQuery\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5dd76a87-9f87-4576-bab3-268b0e2b338b\",\"name\":\"5dd76a87-9f87-4576-bab3-268b0e2b338b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.2.4\",\"severity\":\"Medium\",\"query\":\"// Set threshold for the number of downloads/uploads from a new user agent\\nlet threshold = 5;\\n// Define constants for SharePoint file operations\\nlet szSharePointFileOperation = \\\"SharePointFileOperation\\\";\\nlet szOperations = dynamic([\\\"FileDownloaded\\\", \\\"FileUploaded\\\"]);\\n// Define the historical activity for analysis\\nlet starttime = 14d; // Define the start time for historical data (14 days ago)\\nlet endtime = 1d; // Define the end time for historical data (1 day ago)\\n// Extract the base events for analysis\\nlet Baseevents =\\n OfficeActivity\\n | where TimeGenerated between (ago(starttime) .. ago(endtime))\\n | where RecordType =~ szSharePointFileOperation\\n | where Operation in~ (szOperations)\\n | where isnotempty(UserAgent);\\n// Identify frequently occurring user agents\\nlet FrequentUA = Baseevents\\n | summarize FUACount = count() by UserAgent, RecordType, Operation\\n | where FUACount \u003e= threshold\\n | distinct UserAgent;\\n// Calculate a user baseline for further analysis\\nlet UserBaseLine = Baseevents\\n | summarize Count = count() by UserId, Operation, Site_Url\\n | summarize AvgCount = avg(Count) by UserId, Operation, Site_Url;\\n// Extract recent activity for analysis\\nlet RecentActivity = OfficeActivity\\n | where TimeGenerated \u003e ago(endtime)\\n | where RecordType =~ szSharePointFileOperation\\n | where Operation in~ (szOperations)\\n | where isnotempty(UserAgent)\\n | where UserAgent in~ (FrequentUA)\\n | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), OfficeObjectIdCount = dcount(OfficeObjectId), OfficeObjectIdList = make_set(OfficeObjectId), UserAgentSeenCount = count() \\n by RecordType, Operation, UserAgent, UserType, UserId, ClientIP, OfficeWorkload, Site_Url;\\n// Analyze user behavior based on baseline and recent activity\\nlet UserBehaviorAnalysis = UserBaseLine\\n | join kind=inner (RecentActivity) on UserId, Operation, Site_Url\\n | extend Deviation = abs(UserAgentSeenCount - AvgCount) / AvgCount;\\n// Filter and format results for specific user behavior analysis\\nUserBehaviorAnalysis\\n | where Deviation \u003e 25\\n | extend UserIdName = tostring(split(UserId, \u0027@\u0027)[0]), UserIdUPNSuffix = tostring(split(UserId, \u0027@\u0027)[1])\\n | project-reorder StartTime, EndTime, UserAgent, UserAgentSeenCount, UserId, ClientIP, Site_Url\\n | project-away Site_Url1, UserId1, Operation1\\n | order by UserAgentSeenCount desc, UserAgent asc, UserId asc, Site_Url asc\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserId\"},{\"identifier\":\"Name\",\"columnName\":\"UserIdName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UserIdUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Site_Url\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"SharePointFileOperation via devices with previously unseen user agents\",\"description\":\"Identifies anomalies if the number of documents uploaded or downloaded from device(s) associated with a previously unseen user agent exceeds a threshold (default is 5) and deviation (default is 25).\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-23T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0101e08d-99cd-4a97-a9e0-27649c4369ad\",\"name\":\"0101e08d-99cd-4a97-a9e0-27649c4369ad\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P2D\",\"queryPeriod\":\"P2D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"// In User \u0026 Groups and in Applications, the following \\\"AccessType\\\" values in columns PremodifiedOutboundSettings and ModifiedOutboundSettings are interpreted accordingly\\n// When Access Type in premodified outbound settings value was 1 that means that the initial access was allowed. When Access Type in premodified outbound settings value was 2 that means that the initial access was blocked.\\n// When Access Type in modified outbound settings value is 1 that means that now access is allowed. When Access Type in modified outbound settings value is 2 that means that now access is blocked.\\nAuditLogs\\n| where OperationName has \\\"Update a partner cross-tenant access setting\\\"\\n| mv-apply TargetResource = TargetResources on\\n (\\n where TargetResource.type =~ \\\"Policy\\\"\\n | extend Properties = TargetResource.modifiedProperties\\n )\\n| mv-apply Property = Properties on\\n (\\n where Property.displayName =~ \\\"b2bDirectConnectOutbound\\\"\\n | extend PremodifiedOutboundSettings = trim(\u0027\\\"\u0027,tostring(Property.oldValue)),\\n ModifiedOutboundSettings = trim(@\u0027\\\"\u0027,tostring(Property.newValue))\\n )\\n| where PremodifiedOutboundSettings != ModifiedOutboundSettings\\n| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n| extend InitiatingIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\\n| extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"InitiatingAppName\"},{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAppServicePrincipalId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatingAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatingAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIpAddress\"}]}],\"tactics\":[\"InitialAccess\",\"Persistence\",\"Discovery\"],\"displayName\":\"Cross-tenant Access Settings Organization Outbound Direct Settings Changed\",\"description\":\"Organizations are added in the Cross-tenant Access Settings to control communication inbound or outbound for users and applications. This detection notifies when Organization Outbound Direct Settings are changed for \\\"Users \u0026 Groups\\\" and for \\\"Applications\\\".\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-10-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8955c0fb-3408-47b0-a3b9-a1faec41e427\",\"name\":\"8955c0fb-3408-47b0-a3b9-a1faec41e427\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"let scriptExtensions = dynamic([\\\".php\\\", \\\".jsp\\\", \\\".js\\\", \\\".aspx\\\", \\\".asmx\\\", \\\".asax\\\", \\\".cfm\\\", \\\".shtml\\\"]);\\nhttp_proxy_oab_CL\\n| where RawData contains \\\"Download failed and temporary file\\\"\\n| extend File = extract(\\\"([^\\\\\\\\\\\\\\\\]*)(\\\\\\\\\\\\\\\\[^\u0027]*)\\\",2,RawData)\\n| extend Extension = strcat(\\\".\\\",split(File, \\\".\\\")[-1])\\n| extend InteractiveFile = iif(Extension in (scriptExtensions), \\\"Yes\\\", \\\"No\\\")\\n// Uncomment the following line to alert only on interactive file download type\\n//| where InteractiveFile =~ \\\"Yes\\\"\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Exchange Server Suspicious File Downloads.\",\"description\":\"This query looks for messages related to file downloads of suspicious file types on an Exchange Server. This could indicate attempted deployment of webshells. \\nThis query uses the Exchange HttpProxy AOBGeneratorLog, you will need to onboard this log as a custom log under the table http_proxy_oab_CL before using this query. \\nThis log is commonly found at C:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\V15\\\\Logging\\\\OABGeneratorLog on the Exchange server. Details on collecting custom logs into Sentinel\\ncan be found here: https://learn.microsoft.com/azure/sentinel/connect-custom-logs\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-02T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/85aca4d1-5d15-4001-abd9-acb86ca1786a\",\"name\":\"85aca4d1-5d15-4001-abd9-acb86ca1786a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.4.3\",\"severity\":\"Medium\",\"query\":\"// Define the lookback periods for time-based filters\\nlet dt_lookBack = 1h; // Look back 1 hour for DNS events\\nlet ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators\\n// Fetch threat intelligence indicators related to domains\\nlet Domain_Indicators = ThreatIntelligenceIndicator\\n // Filter out indicators without domain names\\n | where isnotempty(DomainName)\\n | where TimeGenerated \u003e= ago(ioc_lookBack)\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n | where Active == true and ExpirationDateTime \u003e now()\\n | extend TI_DomainEntity = DomainName;\\n// Create a list of TLDs in our threat feed for later validation\\nlet maxListSize = 100000; // Define the maximum allowed size for each list\\nlet list_tlds = Domain_Indicators\\n | extend parts = split(DomainName, \u0027.\u0027)\\n | extend tld = parts[(array_length(parts)-1)]\\n | summarize count() by tostring(tld)\\n | project tld\\n | summarize make_list(tld, maxListSize);\\n// Perform a join between domain indicators and DNS events to identify potential malicious activity\\nDomain_Indicators\\n // Use innerunique to keep performance fast and result set low, as we only need one match to indicate potential malicious activity that needs investigation\\n | join kind=innerunique (\\n DnsEvents\\n | where TimeGenerated \u003e ago(dt_lookBack)\\n // Extract domain patterns from syslog message\\n | where isnotempty(Name)\\n | extend parts = split(Name, \u0027.\u0027)\\n | extend tld = parts[(array_length(parts)-1)]\\n // Validate parsed domain by checking if the TLD is in the list of TLDs in our threat feed\\n | where tld in~ (list_tlds)\\n | extend DNS_TimeGenerated = TimeGenerated\\n ) on $left.TI_DomainEntity==$right.Name\\n // Filter out DNS events that occurred after the expiration of the corresponding indicator\\n | where DNS_TimeGenerated \u003c ExpirationDateTime\\n // Group the results by IndicatorId and Name, and keep the DNS event with the latest timestamp\\n | summarize DNS_TimeGenerated = arg_max(DNS_TimeGenerated, *) by IndicatorId, Name\\n // Select the desired output fields\\n | project DNS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, Computer, ClientIP, Name, QueryType, Type, TI_DomainEntity\\n // Extract hostname and DNS domain from the Computer field\\n | extend HostName = tostring(split(Computer, \u0027.\u0027, 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Computer, \u0027.\u0027), 1, -1), \u0027.\u0027))\\n // Rename the timestamp field\\n | extend timestamp = DNS_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"TI map Domain entity to DnsEvents\",\"description\":\"Identifies a match in DnsEvents from any Domain IOC from TI\",\"lastUpdatedDateUTC\":\"2024-07-09T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a1080fc1-13d1-479b-8340-255f0290d96c\",\"name\":\"a1080fc1-13d1-479b-8340-255f0290d96c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n | where Category =~ \\\"ApplicationManagement\\\"\\n | where Result =~ \\\"success\\\"\\n | where OperationName =~ \u0027Update Application\u0027\\n | where TargetResources has \\\"AppAddress\\\"\\n | mv-expand TargetResources\\n | mv-expand TargetResources.modifiedProperties\\n | where TargetResources_modifiedProperties.displayName =~ \\\"AppAddress\\\"\\n | extend Key = tostring(TargetResources_modifiedProperties.displayName)\\n | extend NewValue = TargetResources_modifiedProperties.newValue\\n | extend OldValue = TargetResources_modifiedProperties.oldValue\\n | where isnotempty(Key) and isnotempty(NewValue)\\n | project-reorder Key, NewValue, OldValue\\n | extend NewUrls = extract_all(\u0027\\\"Address\\\":([^,]*)\u0027, tostring(NewValue))\\n | extend OldUrls = extract_all(\u0027\\\"Address\\\":([^,]*)\u0027, tostring(OldValue))\\n | extend AddedUrls = set_difference(NewUrls, OldUrls)\\n | where array_length(AddedUrls) \u003e 0\\n | extend UserAgent = iif(tostring(AdditionalDetails[0].key) == \\\"User-Agent\\\", tostring(AdditionalDetails[0].value), \\\"\\\")\\n | extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n | extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n | extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n | extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n | extend InitiatingIPAddress = tostring(InitiatedBy.user.ipAddress)\\n | extend AddedBy = iif(isnotempty(InitiatingUserPrincipalName), InitiatingUserPrincipalName, InitiatingAppName)\\n | extend TargetAppName = tostring(TargetResources.displayName)\\n | extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[1])\\n | project-reorder TimeGenerated, TargetAppName, InitiatingAppName, InitiatingAppServicePrincipalId, InitiatingUserPrincipalName, InitiatingAadUserId, InitiatingIPAddress, AddedUrls, AddedBy, UserAgent\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"AddedUrls\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatingAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatingAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAppServicePrincipalId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIPAddress\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Application Redirect URL Update\",\"description\":\"Detects the redirect URL of an app being changed.\\n Applications associated with URLs not controlled by the organization can pose a security risk.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-applications#application-configuration-changes\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a7427ed7-04b4-4e3b-b323-08b981b9b4bf\",\"name\":\"a7427ed7-04b4-4e3b-b323-08b981b9b4bf\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.4.6\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where isnotempty(FileHashValue)\\n| where TimeGenerated \u003e= ago(ioc_lookBack)\\n| extend FileHashValue = toupper(FileHashValue)\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true and ExpirationDateTime \u003e now()\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique ( union isfuzzy=true\\n (SecurityEvent | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where EventID in (\\\"8003\\\",\\\"8002\\\",\\\"8005\\\")\\n | where isnotempty(FileHash)\\n | extend SecurityEvent_TimeGenerated = TimeGenerated, Event = EventID, FileHash = toupper(FileHash)\\n ),\\n (WindowsEvent | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where EventID in (\\\"8003\\\",\\\"8002\\\",\\\"8005\\\")\\n | where isnotempty(EventData.FileHash)\\n | extend SecurityEvent_TimeGenerated = TimeGenerated, Event = EventID, FileHash = toupper(EventData.FileHash)\\n )\\n)\\non $left.FileHashValue == $right.FileHash\\n| where SecurityEvent_TimeGenerated \u003c ExpirationDateTime\\n| summarize SecurityEvent_TimeGenerated = arg_max(SecurityEvent_TimeGenerated, *) by IndicatorId, FileHash\\n| project SecurityEvent_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nProcess, FileHash, Computer, Account, Event, FileHashValue, FileHashType\\n| extend NTDomain = tostring(split(Account, \u0027\\\\\\\\\u0027, 0)[0]), Name = tostring(split(Account, \u0027\\\\\\\\\u0027, 1)[0])\\n| extend HostName = tostring(split(Computer, \u0027.\u0027, 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Computer, \u0027.\u0027), 1, -1), \u0027.\u0027)) \\n| extend timestamp = SecurityEvent_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"NTDomain\",\"columnName\":\"NTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Value\",\"columnName\":\"FileHashValue\"},{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashType\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"TI map File Hash to Security Event\",\"description\":\"Identifies a match in Security Event data from any File Hash IOC from TI\",\"lastUpdatedDateUTC\":\"2024-07-09T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a4ce20ae-a2e4-4d50-b40d-d49f1353b6cc\",\"name\":\"a4ce20ae-a2e4-4d50-b40d-d49f1353b6cc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"// Extracts plaintext IPv4 addresses\\nlet ipv4_plaintext_extraction_regex = @\\\"((?:(?:[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])(?:\\\\.)){3}(?:[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]){1,3})\\\";\\n// Identified base64 encoded IPv4 addresses\\nlet ipv4_encoded_identification_regex = @\\\"\\\\=([a-zA-Z0-9\\\\/\\\\+]*(?:(?:MC|Au|wL|MS|Eu|xL|Mi|Iu|yL|My|Mu|zL|NC|Qu|0L|NS|Uu|1L|Ni|Yu|2L|Ny|cu|3L|OC|gu|4L|OS|ku|5L){1}[a-zA-Z0-9\\\\/\\\\+]{2,4}){3}[a-zA-Z0-9\\\\/\\\\+\\\\=]*)\\\";\\n// Extractes IPv4 addresses as hex values\\nlet ipv4_decoded_hex_extract = @\\\"((?:(?:61|62|63|64|65|66|67|68|69|6a|6b|6c|6d|6e|6f|70|71|72|73|74|75|76|77|78|79|7a|41|42|43|44|45|46|47|48|49|4a|4b|4c|4d|4e|4f|50|51|52|53|54|55|56|57|58|59|5a|2f|2b|3d),){7,15})\\\";\\nCommonSecurityLog\\n| where isnotempty(RequestURL)\\n// Identify requests with encoded IPv4 addresses\\n| where RequestURL matches regex ipv4_encoded_identification_regex\\n| project TimeGenerated, RequestURL\\n// Extract IP candidates in their base64 encoded format, significantly reducing the dataset\\n| extend extracted_encoded_ip_candidate = extract_all(ipv4_encoded_identification_regex, RequestURL)\\n// We could have more than one candidate, expand them out\\n| mv-expand extracted_encoded_ip_candidate to typeof(string)\\n| summarize Start=min(TimeGenerated), End=max(TimeGenerated), make_set(RequestURL) by extracted_encoded_ip_candidate\\n// Pad if we need to\\n| extend extracted_encoded_ip_candidate = iff(strlen(extracted_encoded_ip_candidate) % 2 == 0, extracted_encoded_ip_candidate, strcat(extracted_encoded_ip_candidate, \\\"=\\\"))\\n// Now decode the candidate to a long array, we cannot go straight to string as it cannot handle non-UTF8, we need to strip that first\\n| extend extracted_encoded_ip_candidate = tostring(base64_decode_toarray(extracted_encoded_ip_candidate))\\n// Extract the IP candidates from the array\\n| extend hex_extracted = extract_all(ipv4_decoded_hex_extract, extracted_encoded_ip_candidate)\\n// Expand, it\u0027s still possible that we might have more than 1 IP\\n| mv-expand hex_extracted\\n// Now we should have a clean string. We need to put it back into a dynamic array to convert back to a string.\\n| extend hex_extracted = trim_end(\\\",\\\", tostring(hex_extracted))\\n| extend hex_extracted = strcat(\\\"[\\\",hex_extracted,\\\"]\\\")\\n| extend hex_extracted = todynamic(hex_extracted)\\n| extend extracted_encoded_ip_candidate = todynamic(extracted_encoded_ip_candidate)\\n// Convert the array back into a string\\n| extend decoded_ip_candidate = make_string(hex_extracted)\\n| summarize by decoded_ip_candidate, tostring(set_RequestURL), Start, End\\n// Now the IP candidates will be in plaintext, extract the IPs using a regex\\n| extend ipmatch = extract_all(ipv4_plaintext_extraction_regex, decoded_ip_candidate)\\n// If it\u0027s not an IP, throw it out\\n| where isnotnull(ipmatch)\\n| mv-expand ipmatch to typeof(string)\\n// Join with DeviceNetworkEvents to find instances where an IP of a machine in our MDE estate sent it\u0027s IP in a base64 encoded string\\n| join (\\n DeviceNetworkEvents\\n | summarize make_set(DeviceId), make_set(DeviceName) by RemoteIP\\n) on $left.ipmatch == $right.RemoteIP\\n| project Start, End, IPmatch=ipmatch, RequestURL=set_RequestURL, DeviceNames=set_DeviceName, DeviceIds=set_DeviceId, RemoteIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPmatch\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"DeviceNames\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"RequestURL\"}]}],\"tactics\":[\"Exfiltration\",\"CommandAndControl\"],\"displayName\":\"IP address of Windows host encoded in web request\",\"description\":\"This detection will identify network requests in HTTP proxy data that contains Base64 encoded IP addresses. After identifying candidates the query joins with DeviceNetworkEvents to idnetify any machine within the network using that IP address. Alerts indicate that the IP address of a machine within your network was seen with it\u0027s IP address base64 encoded in an outbound web request. This method of egressing the IP was seen used in POLONIUM\u0027s RunningRAT tool, however the detection is generic.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-05-31T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1bf6e165-5e32-420e-ab4f-0da8558a8be2\",\"name\":\"1bf6e165-5e32-420e-ab4f-0da8558a8be2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"// How far back to look for events from\\nlet timeframe = 1d;\\n// How close together build events and file modifications should occur to alert (make this smaller to reduce FPs)\\nlet time_window = 5m;\\n// Edit this to include build processes used\\nlet build_processes = dynamic([\\\"MSBuild.exe\\\", \\\"dotnet.exe\\\", \\\"VBCSCompiler.exe\\\"]);\\n// Include any processes that you want to allow to edit files during/around the build process\\nlet allow_list = dynamic([]);\\nDeviceProcessEvents\\n| where TimeGenerated \u003e ago(timeframe)\\n// Look for build process starts\\n| where FileName has_any (build_processes)\\n| summarize by BuildParentProcess=InitiatingProcessFileName, BuildProcess=FileName, BuildAccount = AccountName, DeviceName, BuildCommand=ProcessCommandLine, \\ntimekey= bin(TimeGenerated, time_window), BuildProcessTime=TimeGenerated\\n| join kind=inner(\\nDeviceFileEvents\\n| where TimeGenerated \u003e ago(timeframe)\\n| where InitiatingProcessFileName !in (allow_list)\\n| where ActionType == \\\"FileCreated\\\" or ActionType == \\\"FileModified\\\"\\n// Look for code files, edit this to include file extensions used in build.\\n| where FileName endswith \\\".cs\\\" or FileName endswith \\\".cpp\\\"\\n| summarize by FileEditParentProcess=InitiatingProcessParentFileName, FileEditAccount = InitiatingProcessAccountName, FileEditDomain = InitiatingProcessAccountDomain, FileEditUpn = InitiatingProcessAccountUpn, \\nDeviceName, FileEdited=FileName, FileEditProcess=InitiatingProcessFileName, timekey= bin(TimeGenerated, time_window), FileEditTime=TimeGenerated)\\n// join where build processes and file modifications seen at same time on same host\\non timekey, DeviceName\\n// Limit to only where the file edit happens after the build process starts\\n| where BuildProcessTime \u003c= FileEditTime\\n| summarize make_set(FileEdited), make_set(FileEditProcess) by timekey, DeviceName, BuildParentProcess, BuildProcess, FileEditAccount, FileEditDomain, FileEditUpn\\n| extend HostName = tostring(split(DeviceName, \\\".\\\")[0]), DomainIndex = toint(indexof(DeviceName, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(DeviceName, DomainIndex + 1), DeviceName)\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"FileEditUpn\"},{\"identifier\":\"Name\",\"columnName\":\"FileEditAccount\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"FileEditDomain\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Potential Build Process Compromise - MDE\",\"description\":\"The query looks for source code files being modified immediately after a build process is started. The purpose of this is to look for malicious code injection during the build process. This query uses Microsoft Defender for Endpoint telemetry.\\nMore details: https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-the-software-supply-chain-with-azure-sentinel/ba-p/2176463\",\"lastUpdatedDateUTC\":\"2024-04-04T00:00:00Z\",\"createdDateUTC\":\"2022-04-12T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\",\"DeviceFileEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2560515c-07d1-434e-87fb-ebe3af267760\",\"name\":\"2560515c-07d1-434e-87fb-ebe3af267760\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where ActivityDisplayName has_any (\\\"Add delegated permission grant\\\",\\\"Add app role assignment to service principal\\\") \\n| where Result =~ \\\"success\\\"\\n| where tostring(InitiatedBy.user.userPrincipalName) has \\\"@\\\" or tostring(InitiatedBy.app.displayName) has \\\"@\\\"\\n| mv-apply TargetResource = TargetResources on \\n (\\n where TargetResource.type =~ \\\"ServicePrincipal\\\" and array_length(TargetResource.modifiedProperties) \u003e 0 and isnotnull(TargetResource.displayName)\\n | extend props = TargetResource.modifiedProperties,\\n Type = tostring(TargetResource.type),\\n PermissionsAddedTo = tostring(TargetResource.displayName)\\n )\\n| mv-apply Property = props on \\n (\\n where Property.displayName =~ \\\"DelegatedPermissionGrant.Scope\\\"\\n | extend DisplayName = tostring(Property.displayName), Permissions = trim(\u0027\\\"\u0027,tostring(Property.newValue))\\n )\\n| where Permissions has_any (\\\"Mail.Read\\\", \\\"Mail.ReadWrite\\\")\\n| mv-apply AdditionalDetail = AdditionalDetails on \\n (\\n where AdditionalDetail.key =~ \\\"User-Agent\\\"\\n | extend InitiatingUserAgent = tostring(AdditionalDetail.value)\\n )\\n| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n| extend InitiatingIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\\n| project-away props, TargetResource, AdditionalDetail, Property\\n| join kind=leftouter(\\n AuditLogs\\n | where ActivityDisplayName has \\\"Consent to application\\\"\\n | mv-apply TargetResource = TargetResources on \\n (\\n where TargetResource.type =~ \\\"ServicePrincipal\\\"\\n | extend AppName = tostring(TargetResource.displayName),\\n AppId = tostring(TargetResource.id)\\n )\\n| project AppName, AppId, CorrelationId) on CorrelationId\\n| project-away CorrelationId1\\n| project-reorder TimeGenerated, OperationName, InitiatingUserPrincipalName, InitiatingAadUserId, InitiatingAppName, InitiatingAppServicePrincipalId, InitiatingIpAddress, InitiatingUserAgent, PermissionsAddedTo, Permissions, AppName, AppId, CorrelationId\\n| extend Name = tostring(split(InitiatingUserPrincipalName,\u0027@\u0027,0)[0]), UPNSuffix = tostring(split(InitiatingUserPrincipalName,\u0027@\u0027,1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAppServicePrincipalId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIpAddress\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Mail.Read Permissions Granted to Application\",\"description\":\"This query look for applications that have been granted (Delegated or App/Role) permissions to Read Mail (Permissions field has Mail.Read) and subsequently has been consented to. This can help identify applications that have been abused to gain access to mailboxes.\",\"lastUpdatedDateUTC\":\"2024-01-06T00:00:00Z\",\"createdDateUTC\":\"2020-12-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4d94d4a9-dc96-410a-8dea-4d4d4584188b\",\"name\":\"4d94d4a9-dc96-410a-8dea-4d4d4584188b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.6\",\"severity\":\"Medium\",\"query\":\"let OperationList = dynamic([\\\"Add member to role\\\",\\\"Add member to role in PIM requested (permanent)\\\"]);\\nlet PrivilegedGroups = dynamic([\\\"UserAccountAdmins\\\",\\\"PrivilegedRoleAdmins\\\",\\\"TenantAdmins\\\"]);\\nAuditLogs\\n//| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"RoleManagement\\\"\\n| where OperationName in~ (OperationList)\\n| mv-apply TargetResource = TargetResources on \\n (\\n where TargetResource.type =~ \\\"User\\\"\\n | extend TargetUserPrincipalName = tostring(TargetResource.userPrincipalName),\\n modProps = TargetResource.modifiedProperties\\n )\\n| mv-apply Property = modProps on \\n (\\n where Property.displayName =~ \\\"Role.WellKnownObjectName\\\"\\n | extend DisplayName = trim(\u0027\\\"\u0027,tostring(Property.displayName)),\\n GroupName = trim(\u0027\\\"\u0027,tostring(Property.newValue))\\n )\\n| extend InitiatingAppId = InitiatedBy.app.appId\\n| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n| extend InitiatingAppServicePrincipalName = tostring(InitiatedBy.app.servicePrincipalName)\\n| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n| extend InitiatingIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\\n| extend InitiatingUserRoles = InitiatedBy.user.roles\\n| where GroupName in~ (PrivilegedGroups)\\n// If you don\u0027t want to alert for operations from PIM, remove below filtering for MS-PIM.\\n//| where InitiatingAppName != \\\"MS-PIM\\\"\\n| project TimeGenerated, AADOperationType, Category, OperationName, AADTenantId, InitiatingUserPrincipalName, InitiatingAadUserId, InitiatingAppId, InitiatingAppName, InitiatingAppServicePrincipalName, InitiatingAppServicePrincipalId, InitiatingIpAddress, DisplayName, GroupName, InitiatingUserRoles, TargetUserPrincipalName\\n| extend AccountName = tostring(split(InitiatingUserPrincipalName,\u0027@\u0027,0)[0]), AccountUPNSuffix = tostring(split(InitiatingUserPrincipalName,\u0027@\u0027,1)[0])\\n| extend TargetName = tostring(split(TargetUserPrincipalName,\u0027@\u0027,0)[0]), TargetUPNSuffix = tostring(split(TargetUserPrincipalName,\u0027@\u0027,1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"TargetName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"TargetUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAppServicePrincipalId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIpAddress\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"User added to Microsoft Entra ID Privileged Groups\",\"description\":\"This will alert when a user is added to any of the Privileged Groups.\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\\nFor Administrator role permissions in Microsoft Entra ID please see https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles\",\"lastUpdatedDateUTC\":\"2024-01-09T00:00:00Z\",\"createdDateUTC\":\"2020-07-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a779e2d5-9109-4f0a-a75e-f3d4f3c58560\",\"name\":\"a779e2d5-9109-4f0a-a75e-f3d4f3c58560\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"High\",\"query\":\"let sha256Hashes = dynamic([\\\"78c255a98003a101fa5ba3f49c50c6922b52ede601edac5db036ab72efc57629\\\", \\\"0588f61dc7e4b24554cffe4ea56d043d8f6139d2569bc180d4a77cf75b68792f\\\", \\\"441a3810b9e89bae12eea285a63f92e98181e9fb9efd6c57ef6d265435484964\\\", \\\"cbae79f66f724e0fe1705d6b5db3cc8a4e89f6bdf4c37004aa1d45eeab26e84b\\\", \\\"fd6515a71530b8329e2c0104d0866c5c6f87546d4b44cc17bbb03e64663b11fc\\\", \\\"5d169e083faa73f2920c8593fb95f599dad93d34a6aa2b0f794be978e44c8206\\\", \\\"7f29b69eb1af1cc6c1998bad980640bfe779525fd5bb775bc36a0ce3789a8bfc\\\", \\\"02a59fe2c94151a08d75a692b550e66a8738eb47f0001234c600b562bf8c227d\\\", \\\"7f84bf6a016ca15e654fb5ebc36fd7407cb32c69a0335a32bfc36cb91e36184d\\\", \\\"afab2e77dc14831f1719e746042063a8ec107de0e9730249d5681d07f598e5ec\\\", \\\"894138dfeee756e366c65a197b4dbef8816406bc32697fac6621601debe17d53\\\", \\\"4611340fdade4e36f074f75294194b64dcf2ec0db00f3d958956b4b0d6586431\\\", \\\"c96ae21b4cf2e28eec222cfe6ca903c4767a068630a73eca58424f9a975c6b7d\\\", \\\"fa30be45c5c5a8f679b42ae85410f6099f66fe2b38eb7aa460bcc022babb41ca\\\", \\\"e64bea4032cf2694e85ede1745811e7585d3580821a00ae1b9123bb3d2d442d6\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, SourceUserID, FileHash, Type\\n| extend timestamp = TimeGenerated, FileHashCustomEntity = \u0027SHA256\u0027, Account = SourceUserID\\n),\\n(imFileEvent\\n| where TargetFileSHA256 has_any (sha256Hashes)\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(Event\\n| where Source =~ \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Image = EventDetail.[4].[\\\"#text\\\"], CommandLine = EventDetail.[10].[\\\"#text\\\"], Hashes = tostring(EventDetail.[17].[\\\"#text\\\"])\\n| extend Hashes = extract_all(@\\\"(?P\u003ckey\u003e\\\\w+)=(?P\u003cvalue\u003e[a-zA-Z0-9]+)\\\", dynamic([\\\"key\\\",\\\"value\\\"]), Hashes)\\n| extend Hashes = column_ifexists(\\\"Hashes\\\", \\\"\\\"), CommandLine = column_ifexists(\\\"CommandLine\\\", \\\"\\\")\\n| extend Hashes = todynamic(Hashes) | mv-expand Hashes\\n| where (Hashes[0] =~ \\\"SHA256\\\" and Hashes[1] has_any (sha256Hashes)) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, Hashes, CommandLine, Image\\n| extend Type = strcat(Type, \\\": \\\", Source)\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), FileHashCustomEntity = tostring(Hashes[1])\\n),\\n(DeviceEvents\\n| where InitiatingProcessSHA256 has_any (sha256Hashes) or SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n),\\n(DeviceFileEvents\\n| where SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n),\\n(DeviceImageLoadEvents\\n| where SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"FileHashCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"[Deprecated] - Denim Tsunami File Hashes July 2022\",\"description\":\"This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft\u0027s Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2022-07-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceEvents\",\"DeviceFileEvents\",\"DeviceImageLoadEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7b907bf7-77d4-41d0-a208-5643ff75bf9a\",\"name\":\"7b907bf7-77d4-41d0-a208-5643ff75bf9a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.4\",\"severity\":\"Medium\",\"query\":\"let Keywords = dynamic([\\\"helpdesk\\\", \\\" alert\\\", \\\" suspicious\\\", \\\"fake\\\", \\\"malicious\\\", \\\"phishing\\\", \\\"spam\\\", \\\"do not click\\\", \\\"do not open\\\", \\\"hijacked\\\", \\\"Fatal\\\"]);\\nOfficeActivity\\n| where OfficeWorkload =~ \\\"Exchange\\\" \\n| where Operation =~ \\\"New-InboxRule\\\" and (ResultStatus =~ \\\"True\\\" or ResultStatus =~ \\\"Succeeded\\\")\\n| where Parameters has \\\"Deleted Items\\\" or Parameters has \\\"Junk Email\\\" or Parameters has \\\"DeleteMessage\\\"\\n| extend Events=todynamic(Parameters)\\n| parse Events with * \\\"SubjectContainsWords\\\" SubjectContainsWords \u0027}\u0027*\\n| parse Events with * \\\"BodyContainsWords\\\" BodyContainsWords \u0027}\u0027*\\n| parse Events with * \\\"SubjectOrBodyContainsWords\\\" SubjectOrBodyContainsWords \u0027}\u0027*\\n| where SubjectContainsWords has_any (Keywords)\\n or BodyContainsWords has_any (Keywords)\\n or SubjectOrBodyContainsWords has_any (Keywords)\\n| extend ClientIPAddress = case( ClientIP has \\\".\\\", tostring(split(ClientIP,\\\":\\\")[0]), ClientIP has \\\"[\\\", tostring(trim_start(@\u0027[[]\u0027,tostring(split(ClientIP,\\\"]\\\")[0]))), ClientIP )\\n| extend Keyword = iff(isnotempty(SubjectContainsWords), SubjectContainsWords, (iff(isnotempty(BodyContainsWords),BodyContainsWords,SubjectOrBodyContainsWords )))\\n| extend RuleDetail = case(OfficeObjectId contains \u0027/\u0027 , tostring(split(OfficeObjectId, \u0027/\u0027)[-1]) , tostring(split(OfficeObjectId, \u0027\\\\\\\\\u0027)[-1]))\\n| summarize count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by Operation, UserId, ClientIPAddress, ResultStatus, Keyword, OriginatingServer, OfficeObjectId, RuleDetail\\n| extend AccountName = tostring(split(UserId, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(UserId, \\\"@\\\")[1])\\n| extend OriginatingServerName = tostring(split(OriginatingServer, \\\" \\\")[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserId\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"OriginatingServerName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIPAddress\"}]}],\"tactics\":[\"Persistence\",\"DefenseEvasion\"],\"displayName\":\"Malicious Inbox Rule\",\"description\":\"Often times after the initial compromise the attackers create inbox rules to delete emails that contain certain keywords.\\n This is done so as to limit ability to warn compromised users that they\u0027ve been compromised. Below is a sample query that tries to detect this.\\nReference: https://www.reddit.com/r/sysadmin/comments/7kyp0a/recent_phishing_attempts_my_experience_and_what/\",\"lastUpdatedDateUTC\":\"2024-03-13T00:00:00Z\",\"createdDateUTC\":\"2020-03-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity (Exchange)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bf07ca9c-e408-443a-8939-6860a45a929e\",\"name\":\"bf07ca9c-e408-443a-8939-6860a45a929e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Low\",\"query\":\"let allowed_publishers = dynamic([]);\\nAzureDevOpsAuditing\\n| where OperationName =~ \\\"Extension.Installed\\\"\\n| extend ExtensionName = tostring(Data.ExtensionName)\\n| extend PublisherName = tostring(Data.PublisherName)\\n| where PublisherName !in (allowed_publishers)\\n| project-reorder TimeGenerated, OperationName, ExtensionName, PublisherName, ActorUPN, IpAddress, UserAgent, ScopeDisplayName, Data\\n| extend timestamp = TimeGenerated\\n| extend AccountName = tostring(split(ActorUPN, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(ActorUPN, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ActorUPN\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Azure DevOps New Extension Added\",\"description\":\"Extensions add additional features to Azure DevOps. An attacker could use a malicious extension to conduct malicious activity. \\nThis query looks for new extensions that are not from a configurable list of approved publishers.\",\"lastUpdatedDateUTC\":\"2024-03-13T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/80da0a8f-cfe1-4cd0-a895-8bc1771a720e\",\"name\":\"80da0a8f-cfe1-4cd0-a895-8bc1771a720e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.5\",\"severity\":\"Medium\",\"query\":\"(union isfuzzy=true\\n(\\nSecurityEvent\\n| where EventID == 1102 and EventSourceName =~ \\\"Microsoft-Windows-Eventlog\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), EventCount = count() by Computer, Account, EventID, Activity\\n),\\n(\\nWindowsEvent\\n| where EventID == 1102 and Provider =~ \\\"Microsoft-Windows-Eventlog\\\"\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend Activity= \\\"1102 - The audit log was cleared.\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), EventCount = count() by Computer, Account, EventID, Activity\\n)\\n)\\n| extend Name=tostring(split(Account, \\\"@\\\")[0]), UPNSuffix=tostring(split(Account, \\\"@\\\")[1])\\n| extend HostName = iif(Computer has \u0027.\u0027,substring(Computer,0,indexof(Computer,\u0027.\u0027)),Computer) , DnsDomain = iif(Computer has \u0027.\u0027,substring(Computer,indexof(Computer,\u0027.\u0027)+1),\u0027\u0027)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Security Event log cleared\",\"description\":\"Checks for event id 1102 which indicates the security event log was cleared.\\nIt uses Event Source Name \\\"Microsoft-Windows-Eventlog\\\" to avoid generating false positives from other sources, like AD FS servers for instance.\",\"lastUpdatedDateUTC\":\"2024-03-13T00:00:00Z\",\"createdDateUTC\":\"2019-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d23ed927-5be3-4902-a9c1-85f841eb4fa1\",\"name\":\"d23ed927-5be3-4902-a9c1-85f841eb4fa1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.6\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n| where TimeGenerated \u003e= ago(ioc_lookBack)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true and ExpirationDateTime \u003e now()\\n| join (\\n DuoSecurityAuthentication_CL\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(access_device_ip_s)\\n // renaming time column so it is clear the log this came from\\n | extend Duo_TimeGenerated = isotimestamp_t\\n)\\non $left.TI_ipEntity == $right.access_device_ip_s\\n| where TimeGenerated \u003e= ago(ioc_lookBack)\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true and ExpirationDateTime \u003e now()\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, Duo_TimeGenerated,\\nTI_ipEntity, user_name_s, factor_s, result_s, application_name_s, event_type_s, txid_g, user_key_s, access_device_ip_s, access_device_location_city_s, access_device_location_state_s, access_device_location_country_s\\n| extend timestamp = Duo_TimeGenerated, Name = tostring(split(user_name_s, \u0027@\u0027, 0)[0]), UPNSuffix = tostring(split(user_name_s, \u0027@\u0027, 1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"user_name_s\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"access_device_ip_s\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"TI Map IP Entity to Duo Security\",\"description\":\"This query maps any IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in DuoSecurity.\",\"lastUpdatedDateUTC\":\"2024-07-09T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"CiscoDuoSecurity\",\"dataTypes\":[\"CiscoDuo\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/00cb180c-08a8-4e55-a276-63fb1442d5b5\",\"name\":\"00cb180c-08a8-4e55-a276-63fb1442d5b5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.5\",\"severity\":\"Medium\",\"query\":\"let cmdTokens0 = dynamic([\u0027vbscript\u0027,\u0027jscript\u0027]);\\nlet cmdTokens1 = dynamic([\u0027mshtml\u0027,\u0027RunHTMLApplication\u0027]);\\nlet cmdTokens2 = dynamic([\u0027Execute\u0027,\u0027CreateObject\u0027,\u0027RegRead\u0027,\u0027window.close\u0027]);\\n(union isfuzzy=true \\n(SecurityEvent\\n| where TimeGenerated \u003e= ago(14d)\\n| where EventID == 4688\\n| where CommandLine has @\u0027\\\\Microsoft\\\\Windows\\\\CurrentVersion\u0027\\n| where not(CommandLine has_any (@\u0027\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\u0027, @\u0027\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\u0027))\\n// If you are receiving false positives, then it may help to make the query more strict by uncommenting one or both of the lines below to refine the matches\\n//| where CommandLine has_any (cmdTokens0)\\n//| where CommandLine has_all (cmdTokens1)\\n| where CommandLine has_all (cmdTokens2)\\n| project TimeGenerated, Computer, Account, Process, NewProcessName, CommandLine, ParentProcessName, _ResourceId\\n),\\n(WindowsEvent\\n| where TimeGenerated \u003e= ago(14d)\\n| where EventID == 4688 and EventData has_all(cmdTokens2) and EventData has @\u0027\\\\Microsoft\\\\Windows\\\\CurrentVersion\u0027\\n| where not(EventData has_any (@\u0027\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\u0027, @\u0027\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\u0027))\\n| extend CommandLine = tostring(EventData.CommandLine)\\n| where CommandLine has @\u0027\\\\Microsoft\\\\Windows\\\\CurrentVersion\u0027\\n| where not(CommandLine has_any (@\u0027\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\u0027, @\u0027\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\u0027))\\n// If you are receiving false positives, then it may help to make the query more strict by uncommenting one or both of the lines below to refine the matches\\n//| where CommandLine has_any (cmdTokens0)\\n//| where CommandLine has_all (cmdTokens1)\\n| where CommandLine has_all (cmdTokens2)\\n| extend Account = strcat(EventData.SubjectDomainName,\\\"\\\\\\\\\\\", EventData.SubjectUserName)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| extend ParentProcessName = tostring(EventData.ParentProcessName) \\n| project TimeGenerated, Computer, Account, Process, NewProcessName, CommandLine, ParentProcessName, _ResourceId)\\n| extend Name = tostring(split(Account, \\\"\\\\\\\\\\\")[1]), NTDomain = tostring(split(Account, \\\"\\\\\\\\\\\")[0])\\n| extend DnsDomain = tostring(strcat_array(array_slice(split(Computer, \u0027.\u0027), 1, -1), \u0027.\u0027)), HostName = tostring(split(Computer, \u0027.\u0027, 0)[0]))\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"NTDomain\",\"columnName\":\"NTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"Midnight Blizzard - Script payload stored in Registry\",\"description\":\"This query identifies when a process execution command-line indicates that a registry value is written to allow for later execution a malicious script\\n References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2021-03-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/15ae38a2-2e29-48f7-883f-863fb25a5a06\",\"name\":\"15ae38a2-2e29-48f7-883f-863fb25a5a06\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P8D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"let starttime = 8d;\\nlet endtime = 1d;\\nlet threshold = 10;\\nDnsEvents\\n| where TimeGenerated \u003e ago(endtime)\\n| where Name has \\\"in-addr.arpa\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), dcount(Name), ReverseDNSLookup_List = make_set(Name,100) by ClientIP\\n| where dcount_Name \u003e threshold\\n| project StartTimeUtc, EndTimeUtc, ClientIP , dcount_Name, ReverseDNSLookup_List\\n// Filter out previously seen IPs\\n// Returns all the records from the left side that don\u0027t have matches from the right\\n| join kind=leftanti (DnsEvents\\n | where TimeGenerated between(ago(starttime)..ago(endtime))\\n | where Name has \\\"in-addr.arpa\\\"\\n | summarize dcount(Name) by ClientIP, bin(TimeGenerated, 1d)\\n | where dcount_Name \u003e threshold\\n | project ClientIP , dcount_Name\\n) on ClientIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]}],\"tactics\":[\"Discovery\"],\"displayName\":\"Rare client observed with high reverse DNS lookup count\",\"description\":\"Identifies clients with a high reverse DNS counts that could be carrying out reconnaissance or discovery activity.\\nAlerts are generated if the IP performing such reverse DNS lookups was not seen doing so in the preceding 7-day period.\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/46ac55ae-47b8-414a-8f94-89ccd1962178\",\"name\":\"46ac55ae-47b8-414a-8f94-89ccd1962178\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"Medium\",\"query\":\"let queryperiod = 1d;\\nlet mode = dynamic([\u0027Blocked\u0027, \u0027Detected\u0027]);\\nlet successCode = dynamic([\u0027200\u0027, \u0027101\u0027,\u0027204\u0027, \u0027400\u0027,\u0027504\u0027,\u0027304\u0027,\u0027401\u0027,\u0027500\u0027]);\\nlet sessionBin = 30m;\\nAzureDiagnostics\\n| where TimeGenerated \u003e ago(queryperiod)\\n| where ResourceProvider == \u0027MICROSOFT.NETWORK\u0027 and Category =~ \u0027ApplicationGatewayFirewallLog\u0027 and action_s in (mode)\\n| sort by hostname_s asc, clientIp_s asc, TimeGenerated asc\\n| extend SessionBlockedStarted = row_window_session(TimeGenerated, queryperiod, 10m, ((clientIp_s != prev(clientIp_s)) or (hostname_s != prev(hostname_s))))\\n| summarize SessionBlockedEnded = max(TimeGenerated), SessionBlockedCount = count() by hostname_s, clientIp_s, SessionBlockedStarted\\n| extend TimeKey = range(bin(SessionBlockedStarted, sessionBin), bin(SessionBlockedEnded, sessionBin), sessionBin)\\n| mv-expand TimeKey to typeof(datetime)\\n| join kind = inner(\\n AzureDiagnostics\\n | where TimeGenerated \u003e ago(queryperiod)\\n | where Category =~ \u0027ApplicationGatewayAccessLog\u0027 and (isempty(httpStatus_d) or httpStatus_d in (successCode))\\n | extend TimeKey = bin(TimeGenerated, sessionBin)\\n | extend hostname_s = coalesce(hostname_s,host_s), clientIp_s = coalesce(clientIp_s,clientIP_s)\\n) on TimeKey, hostname_s , clientIp_s\\n| where TimeGenerated between (SessionBlockedStarted..SessionBlockedEnded)\\n| extend\\n originalRequestUriWithArgs_s = column_ifexists(\\\"originalRequestUriWithArgs_s\\\", \\\"\\\"),\\n serverStatus_s = column_ifexists(\\\"serverStatus_s\\\", \\\"\\\")\\n| summarize\\n SuccessfulAccessCount = count(),\\n UserAgents = make_set(userAgent_s, 250),\\n RequestURIs = make_set(requestUri_s, 250),\\n OriginalRequestURIs = make_set(originalRequestUriWithArgs_s, 250),\\n SuccessCodes = make_set(httpStatus_d, 250),\\n SuccessCodes_BackendServer = make_set(serverStatus_s, 250),\\n take_any(SessionBlockedEnded, SessionBlockedCount)\\n by hostname_s, clientIp_s, SessionBlockedStarted\\n| where SessionBlockedCount \u003e SuccessfulAccessCount\\n| extend BlockvsSuccessRatio = SessionBlockedCount/toreal(SuccessfulAccessCount)\\n| sort by BlockvsSuccessRatio desc, SessionBlockedStarted asc\\n| project-reorder SessionBlockedStarted, SessionBlockedEnded, hostname_s, clientIp_s, SessionBlockedCount, SuccessfulAccessCount, BlockvsSuccessRatio, SuccessCodes, RequestURIs, OriginalRequestURIs, UserAgents\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"clientIp_s\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"A potentially malicious web request was executed against a web server\",\"description\":\"Detects unobstructed Web Application Firewall (WAF) activity in sessions where the WAF blocked incoming requests by computing the ratio between blocked requests and unobstructed WAF requests in these sessions (BlockvsSuccessRatio metric).\\nA high ratio value for a given client IP and hostname calls for further investigation of the WAF data in that session, due to the significantly high number of blocked requests and a few unobstructed logs that may be malicious but have passed undetected through the WAF. The successCode variable defines what the detection thinks is a successful status code and should be altered to fit the environment.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2020-11-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"WAF\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6e575295-a7e6-464c-8192-3e1d8fd6a990\",\"name\":\"6e575295-a7e6-464c-8192-3e1d8fd6a990\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.6\",\"severity\":\"High\",\"query\":\"let IPList = externaldata(IPAddress:string)[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Log4j_IOC_List.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\n//Network logs\\nlet CSlogSourceIP = CommonSecurityLog | summarize by IPAddress = SourceIP, Type;\\nlet CSlogDestIP = CommonSecurityLog | summarize by IPAddress = DestinationIP, Type;\\nlet CSlogMsgIP = CommonSecurityLog | extend MessageIP = extract(IPRegex, 0, Message) | summarize by IPAddress = MessageIP, Type;\\nlet DnsIP = DnsEvents | summarize by IPAddress = IPAddresses, Type;\\n// If you have enabled the _Im_Dns and/or imNetworkSession normalization in your workspace, you can uncomment one or both below. Reference - https://docs.microsoft.com/azure/sentinel/normalization\\n//let imDnsIP = _Im_Dns (response_has_any_prefix=IPList) | summarize by IPAddress = ResponseName, Type;\\n//let imNetSessIP = imNetworkSession (dstipaddr_has_any_prefix=IPList) | summarize by IPAddress = DstIpAddr, Type;\\n//Cloud service logs\\nlet officeIP = OfficeActivity | summarize by IPAddress = ClientIP, Type;\\nlet signinIP = SigninLogs | summarize by IPAddress, Type;\\nlet nonintSigninIP = AADNonInteractiveUserSignInLogs | summarize by IPAddress, Type;\\nlet azureActIP = AzureActivity | summarize by IPAddress = CallerIpAddress, Type;\\nlet awsCtIP = AWSCloudTrail | summarize by IPAddress = SourceIpAddress, Type;\\n//Device logs\\nlet vmConnSourceIP = VMConnection | summarize by IPAddress = SourceIp, Type;\\nlet vmConnDestIP = VMConnection | summarize by IPAddress = DestinationIp, Type;\\nlet iisLogIP = W3CIISLog | summarize by IPAddress = cIP, Type;\\nlet devNetIP = DeviceNetworkEvents | summarize by IPAddress = RemoteIP, Type;\\n//need to parse to get IP\\nlet azureDiagIP = AzureDiagnostics | where ResourceType == \\\"AZUREFIREWALLS\\\" | where Category in (\\\"AzureFirewallApplicationRule\\\", \\\"AzureFirewallNetworkRule\\\")\\n| where msg_s has_any (IPList) | parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action | summarize by IPAddress = DestinationHost, Type;\\nlet sysEvtIP = Event | where Source == \\\"Microsoft-Windows-Sysmon\\\" | where EventID == 3 | where EventData has_any (IPList) | extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = tostring(EventDetail.[9].[\\\"#text\\\"]), DestinationIP = tostring(EventDetail.[14].[\\\"#text\\\"])\\n| where SourceIP in (IPList) or DestinationIP in (IPList) | extend IPAddress = iff(SourceIP in (IPList), SourceIP, DestinationIP) | summarize by IPAddress, Type;\\n// If you have enabled the _Im_DNS and/or imNetworkSession normalization in your workdspace, you can uncomment below and include. Reference - https://docs.microsoft.com/azure/sentinel/normalization\\n//let ipsort = union isfuzzy=true CSlogDestIP, CSlogMsgIP, CSlogSourceIP, DnsIP, officeIP, signinIP, nonintSigninIP, azureActIP, awsCtIP, vmConnDestIP, vmConnSourceIP, azureDiagIP, sysEvtIP, imDnsIP, imNetSessIP\\n// If you uncomment above, then comment out the line below\\nlet ipsort = union isfuzzy=true CSlogDestIP, CSlogMsgIP, CSlogSourceIP, DnsIP, officeIP, signinIP, nonintSigninIP, azureActIP, awsCtIP, vmConnDestIP, vmConnSourceIP, azureDiagIP, sysEvtIP\\n| summarize by IPAddress\\n| where isnotempty(IPAddress) | where not(ipv4_is_private(IPAddress)) and IPAddress !in (\u00270.0.0.0\u0027,\u0027127.0.0.1\u0027);\\nlet ipMatch = ipsort | where IPAddress in (IPList);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (ipMatch) or DestinationIP in (ipMatch) or Message has_any (ipMatch)\\n| project TimeGenerated, SourceIP, DestinationIP, Message, SourceUserID, RequestURL, Type\\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend IPMatch = case(SourceIP in (ipMatch), \\\"SourceIP\\\", DestinationIP in (ipMatch), \\\"DestinationIP\\\", MessageIP in (ipMatch), \\\"Message\\\", \\\"No Match\\\")\\n| extend timestamp = TimeGenerated, IPEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, \\\"No Match\\\")\\n),\\n(OfficeActivity\\n| where ClientIP in (ipMatch)\\n| project TimeGenerated, UserAgent, Operation, RecordType, UserId, ClientIP, Type\\n| extend SourceIPAddress = ClientIP, Account = UserId\\n| extend timestamp = TimeGenerated , IPEntity = SourceIPAddress , AccountEntity = Account\\n),\\n(DnsEvents\\n| where IPAddresses has_any (ipMatch)\\n| project TimeGenerated, Computer, IPAddresses, Name, ClientIP, Type\\n| extend DestinationIPAddress = IPAddresses, Host = Computer\\n| extend timestamp = TimeGenerated, IPEntity = DestinationIPAddress, HostEntity = Host\\n),\\n(VMConnection\\n| where SourceIp in (ipMatch) or DestinationIp in (ipMatch)\\n| project TimeGenerated, Computer, SourceIp, DestinationIp, Type\\n| extend IPMatch = case( SourceIp in (ipMatch), \\\"SourceIP\\\", DestinationIp in (ipMatch), \\\"DestinationIP\\\", \\\"None\\\")\\n| extend timestamp = TimeGenerated , IPEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"None\\\"), Host = Computer\\n),\\n(Event\\n| where Source =~ \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| where EventData has_any (ipMatch)\\n| project TimeGenerated, EventData, UserName, Computer, Type\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = tostring(EventDetail.[9].[\\\"#text\\\"]), DestinationIP = tostring(EventDetail.[14].[\\\"#text\\\"])\\n| where SourceIP in (ipMatch) or DestinationIP in (ipMatch)\\n| extend IPMatch = case( SourceIP in (ipMatch), \\\"SourceIP\\\", DestinationIP in (ipMatch), \\\"DestinationIP\\\", \\\"None\\\")\\n| extend timestamp = TimeGenerated, AccountEntity = UserName, HostEntity = Computer , IPEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n),\\n(SigninLogs\\n| where IPAddress in (ipMatch)\\n| project TimeGenerated, UserPrincipalName, IPAddress, Type\\n| extend timestamp = TimeGenerated, AccountEntity = UserPrincipalName, IPEntity = IPAddress\\n),\\n(AADNonInteractiveUserSignInLogs\\n| where IPAddress in (ipMatch)\\n| project TimeGenerated, UserPrincipalName, IPAddress, Type\\n| extend timestamp = TimeGenerated, AccountEntity = UserPrincipalName, IPEntity = IPAddress\\n),\\n(W3CIISLog\\n| where cIP in (ipMatch)\\n| project TimeGenerated, Computer, cIP, csUserName, Type\\n| extend timestamp = TimeGenerated, IPEntity = cIP, HostEntity = Computer, AccountEntity = csUserName\\n),\\n(AzureActivity\\n| where CallerIpAddress in (ipMatch)\\n| project TimeGenerated, CallerIpAddress, Caller, Type\\n| extend timestamp = TimeGenerated, IPEntity = CallerIpAddress, AccountEntity = Caller\\n),\\n(\\nAWSCloudTrail\\n| where SourceIpAddress in (ipMatch)\\n| project TimeGenerated, SourceIpAddress, UserIdentityUserName, Type\\n| extend timestamp = TimeGenerated, IPEntity = SourceIpAddress, AccountEntity = UserIdentityUserName\\n),\\n(\\nDeviceNetworkEvents\\n| where RemoteIP in (ipMatch)\\n| where ActionType =~ \\\"InboundConnectionAccepted\\\"\\n| project TimeGenerated, RemoteIP, DeviceName, Type\\n| extend timestamp = TimeGenerated, IPEntity = RemoteIP, HostEntity = DeviceName\\n),\\n(\\nAzureDiagnostics\\n| where ResourceType =~ \\\"AZUREFIREWALLS\\\"\\n| where Category in (\\\"AzureFirewallApplicationRule\\\", \\\"AzureFirewallNetworkRule\\\")\\n| where msg_s has_any (ipMatch)\\n| project TimeGenerated, msg_s, Type\\n| parse msg_s with Protocol \u0027request from \u0027 SourceIP \u0027:\u0027 SourcePort \u0027to \u0027 DestinationIP \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where DestinationIP has_any (ipMatch)\\n| extend timestamp = TimeGenerated, IPEntity = DestinationIP\\n)\\n// If you have enabled the _Im_Dns and/or imNetworkSession normalization in your workdspace, you can uncomment below and include. Reference - https://docs.microsoft.com/azure/sentinel/normalization\\n//,\\n//(_Im_Dns (response_has_any_prefix=IPList)\\n//| project TimeGenerated, ResponseName, SrcIpAddr, Type\\n//| extend DestinationIPAddress = ResponseName, Host = SrcIpAddr\\n//| extend timestamp = TimeGenerated, IPEntity = DestinationIPAddress, HostEntity = Host\\n//),\\n//(imNetworkSession (dstipaddr_has_any_prefix=IPList)\\n//| project TimeGenerated, DstIpAddr, SrcIpAddr, Type\\n//| extend timestamp = TimeGenerated, IPEntity = DstIpAddr, HostEntity = SrcIpAddr\\n//)\\n)\\n| extend Name = tostring(split(AccountEntity, \u0027@\u0027, 0)[0]), UPNSuffix = tostring(split(AccountEntity, \u0027@\u0027, 1)[0])\\n| extend HostName = tostring(split(HostEntity, \u0027.\u0027, 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(HostEntity, \u0027.\u0027), 1, -1), \u0027.\u0027))\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Log4j vulnerability exploit aka Log4Shell IP IOC\",\"description\":\"Identifies a match across various data feeds for IP IOCs related to the Log4j vulnerability exploit aka Log4Shell described in CVE-2021-44228.\\n References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44228\",\"lastUpdatedDateUTC\":\"2024-07-16T00:00:00Z\",\"createdDateUTC\":\"2019-12-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoAsaAma\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AzureMonitor(WireData)\",\"dataTypes\":[\"WireData\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/32ffb19e-8ed8-40ed-87a0-1adb4746b7c4\",\"name\":\"32ffb19e-8ed8-40ed-87a0-1adb4746b7c4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"High\",\"query\":\"// Enter a reference list of malicious file artifacts\\nlet MaliciousFileArtifacts = dynamic ([\\\"lsass.dmp\\\",\\\"test.pwd\\\",\\\"lsremora.dll\\\",\\\"lsremora64.dll\\\",\\\"fgexec.exe\\\",\\\"pwdump\\\",\\\"kirbi\\\",\\\"wce_ccache\\\",\\\"wce_krbtkts\\\",\\\"wceaux.dll\\\",\\\"PwHashes\\\",\\\"SAM.out\\\",\\\"SECURITY.out\\\",\\\"SYSTEM.out\\\",\\\"NTDS.out\\\" \\\"DumpExt.dll\\\",\\\"DumpSvc.exe\\\",\\\"cachedump64.exe\\\",\\\"cachedump.exe\\\",\\\"pstgdump.exe\\\",\\\"servpw64.exe\\\",\\\"servpw.exe\\\",\\\"pwdump.exe\\\",\\\"fgdump-log\\\"]);\\nEvent\\n| where EventLog == \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID==11\\n| parse EventData with * \u0027TargetFilename\\\"\u003e\u0027 TargetFilename \\\"\u003c\\\" *\\n| where TargetFilename has_any (MaliciousFileArtifacts)\\n| parse EventData with * \u0027ProcessGuid\\\"\u003e\u0027 ProcessGuid \\\"\u003c\\\" * \u0027Image\\\"\u003e\u0027 Image \\\"\u003c\\\" *\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, Image, ProcessGuid, TargetFilename\\n| extend HostName = split(Computer, \u0027.\u0027, 0)[0], DnsDomain = strcat_array(array_slice(split(Computer, \u0027.\u0027), 1, -1), \u0027.\u0027)\",\"entityMappings\":[{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"TargetFilename\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"Image\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Credential Dumping Tools - File Artifacts\",\"description\":\"This query detects the creation of credential dumping tools files. Several credential dumping tools export files with hardcoded file names.\\nRef: https://jpcertcc.github.io/ToolAnalysisResultSheet/\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-02-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"Event\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"Event\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fbd72eb8-087e-466b-bd54-1ca6ea08c6d3\",\"name\":\"fbd72eb8-087e-466b-bd54-1ca6ea08c6d3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.3\",\"severity\":\"Medium\",\"query\":\"let opList = OfficeActivity \\n| summarize by Operation\\n//| where Operation startswith \\\"Remove-\\\" or Operation startswith \\\"Disable-\\\"\\n| where Operation has_any (\\\"Remove\\\", \\\"Disable\\\")\\n| where Operation contains \\\"AntiPhish\\\" or Operation contains \\\"SafeAttachment\\\" or Operation contains \\\"SafeLinks\\\" or Operation contains \\\"Dlp\\\" or Operation contains \\\"Audit\\\"\\n| summarize make_set(Operation, 500);\\nOfficeActivity\\n// Only admin or global-admin can disable/remove policy\\n| where RecordType =~ \\\"ExchangeAdmin\\\"\\n| where UserType in~ (\\\"Admin\\\",\\\"DcAdmin\\\")\\n// Pass in interesting Operation list\\n| where Operation in~ (opList)\\n| extend ClientIPOnly = case( \\nClientIP has \\\".\\\", tostring(split(ClientIP,\\\":\\\")[0]), \\nClientIP has \\\"[\\\", tostring(trim_start(@\u0027[[]\u0027,tostring(split(ClientIP,\\\"]\\\")[0]))),\\nClientIP\\n) \\n| extend Port = case(\\nClientIP has \\\".\\\", (split(ClientIP,\\\":\\\")[1]),\\nClientIP has \\\"[\\\", tostring(split(ClientIP,\\\"]:\\\")[1]),\\nClientIP\\n)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), OperationCount = count() by Operation, UserType, UserId, ClientIP = ClientIPOnly, Port, ResultStatus, Parameters\\n| extend AccountName = tostring(split(UserId, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(UserId, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserId\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]}],\"tactics\":[\"Persistence\",\"DefenseEvasion\"],\"displayName\":\"Office Policy Tampering\",\"description\":\"Identifies if any tampering is done to either auditlog, ATP Safelink, SafeAttachment, AntiPhish or Dlp policy. \\nAn adversary may use this technique to evade detection or avoid other policy based defenses.\\nReferences: https://docs.microsoft.com/powershell/module/exchange/advanced-threat-protection/remove-antiphishrule?view=exchange-ps.\",\"lastUpdatedDateUTC\":\"2024-03-14T00:00:00Z\",\"createdDateUTC\":\"2019-04-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity (Exchange)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/75297f62-10a8-4fc1-9b2a-12f25c6f05a7\",\"name\":\"75297f62-10a8-4fc1-9b2a-12f25c6f05a7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Medium\",\"query\":\"let domain_lookBack= 14d;\\nlet timeframe = 1d;\\nlet top_million_list = Cisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(domain_lookBack) and TimeGenerated \u003c ago(timeframe)\\n| extend Hostname = parse_url(UrlOriginal)[\\\"Host\\\"]\\n| summarize count() by tostring(Hostname)\\n| top 1000000 by count_\\n| summarize make_list(Hostname);\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(timeframe)\\n| extend Hostname = parse_url(UrlOriginal)[\\\"Host\\\"]\\n| where Hostname !in (top_million_list)\\n| extend Message = \\\"Connect to unpopular website (possible malicious payload delivery)\\\"\\n| project Message, SrcIpAddr, DstIpAddr,UrlOriginal, TimeGenerated\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlOriginal\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - Connection to Unpopular Website Detected\",\"description\":\"Detects first connection to an unpopular website (possible malicious payload delivery).\",\"lastUpdatedDateUTC\":\"2023-12-29T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a3df4a32-4805-4c6d-8699-f3c888af2f67\",\"name\":\"a3df4a32-4805-4c6d-8699-f3c888af2f67\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.6\",\"severity\":\"High\",\"query\":\"// We can use this configuration TimeDeltaInMinutes if you want to chnage the time window that we try to match the alerts\\nlet TimeDeltaInMinutes = 10;\\nlet Alert_UnfamiliarSignInProps = \\nSecurityAlert\\n| where TimeGenerated \u003e ago(1d)\\n| where ProductName =~ \\\"Azure Active Directory Identity Protection\\\"\\n| where AlertName =~ \\\"Unfamiliar sign-in properties\\\"\\n| mv-expand Entity = todynamic(Entities)\\n| where Entity.Type =~ \\\"account\\\"\\n| extend AadTenantId = tostring(Entity.AadTenantId)\\n| extend AadUserId = tostring(Entity.AadUserId)\\n| join kind=inner (\\nIdentityInfo\\n| distinct AccountTenantId, AccountObjectId, AccountUPN, AccountDisplayName\\n| extend UserName = AccountDisplayName\\n| extend UserAccount = AccountUPN\\n| where isnotempty(AccountDisplayName) and isnotempty(UserAccount)\\n| project AccountTenantId, AccountObjectId, UserAccount, UserName\\n)\\non\\n$left.AadTenantId == $right.AccountTenantId,\\n$left.AadUserId == $right.AccountObjectId\\n| extend CompromisedEntity = iff(CompromisedEntity == \\\"N/A\\\" or isempty(CompromisedEntity), UserAccount, CompromisedEntity)\\n| extend Alert_UnfamiliarSignInProps_Time = TimeGenerated\\n| extend Alert_UnfamiliarSignInProps_Name = AlertName\\n| extend Alert_UnfamiliarSignInProps_Severity = AlertSeverity\\n| project AadTenantId, AadUserId, AccountTenantId, AccountObjectId, Alert_UnfamiliarSignInProps_Name, Alert_UnfamiliarSignInProps_Severity, Alert_UnfamiliarSignInProps_Time, UserAccount, UserName\\n;\\nlet Alert_AtypicalTravels = \\nSecurityAlert\\n| where TimeGenerated \u003e ago(1d)\\n| where ProductName =~ \\\"Azure Active Directory Identity Protection\\\"\\n| where AlertName =~ \\\"Atypical travel\\\"\\n| mv-expand Entity = todynamic(Entities)\\n| where Entity.Type =~ \\\"account\\\"\\n| extend AadTenantId = tostring(Entity.AadTenantId)\\n| extend AadUserId = tostring(Entity.AadUserId)\\n| join kind=inner (\\nIdentityInfo\\n| distinct AccountTenantId, AccountObjectId, AccountUPN, AccountDisplayName\\n| extend UserName = AccountDisplayName\\n| extend UserAccount = AccountUPN\\n| where isnotempty(AccountDisplayName) and isnotempty(UserAccount)\\n| project AccountTenantId, AccountObjectId, UserAccount, UserName\\n)\\non\\n$left.AadTenantId == $right.AccountTenantId,\\n$left.AadUserId == $right.AccountObjectId\\n| extend CompromisedEntity = iff(CompromisedEntity == \\\"N/A\\\" or isempty(CompromisedEntity), UserAccount, CompromisedEntity)\\n| extend Alert_AtypicalTravels_Time = TimeGenerated\\n| extend Alert_AtypicalTravels_Name = AlertName\\n| extend Alert_AtypicalTravels_Severity = AlertSeverity\\n| extend ExtendedProperties_json= parse_json(ExtendedProperties)\\n| extend CurrentLocation = tostring(ExtendedProperties_json.[\\\"Current Location\\\"])\\n| extend PreviousLocation = tostring(ExtendedProperties_json.[\\\"Previous Location\\\"])\\n| extend CurrentIPAddress = tostring(ExtendedProperties_json.[\\\"Current IP Address\\\"])\\n| extend PreviousIPAddress = tostring(ExtendedProperties_json.[\\\"Previous IP Address\\\"])\\n| project AadTenantId, AadUserId, AccountTenantId, AccountObjectId, Alert_AtypicalTravels_Name, Alert_AtypicalTravels_Severity, Alert_AtypicalTravels_Time, CurrentIPAddress, PreviousIPAddress, CurrentLocation, PreviousLocation, UserAccount, UserName, CompromisedEntity\\n;\\nAlert_UnfamiliarSignInProps\\n| join kind=inner Alert_AtypicalTravels on UserAccount\\n| where abs(datetime_diff(\u0027minute\u0027, Alert_UnfamiliarSignInProps_Time, Alert_AtypicalTravels_Time)) \u003c= TimeDeltaInMinutes\\n| extend TimeDelta = Alert_UnfamiliarSignInProps_Time - Alert_AtypicalTravels_Time\\n| project UserAccount, Alert_UnfamiliarSignInProps_Name, Alert_UnfamiliarSignInProps_Severity, Alert_UnfamiliarSignInProps_Time, Alert_AtypicalTravels_Name, Alert_AtypicalTravels_Severity, Alert_AtypicalTravels_Time, TimeDelta, CurrentLocation, PreviousLocation, CurrentIPAddress, PreviousIPAddress, UserName\\n| extend UserEmailName = split(UserAccount,\u0027@\u0027)[0], UPNSuffix = split(UserAccount,\u0027@\u0027)[1]\",\"customDetails\":{\"Alert1_Name\":\"Alert_UnfamiliarSignInProps_Name\",\"Alert1_Time\":\"Alert_UnfamiliarSignInProps_Time\",\"Alert1_Severity\":\"Alert_UnfamiliarSignInProps_Severity\",\"Alert2_Name\":\"Alert_AtypicalTravels_Name\",\"Alert2_Time\":\"Alert_AtypicalTravels_Time\",\"Alert2_Severity\":\"Alert_AtypicalTravels_Severity\",\"TimeDelta\":\"TimeDelta\",\"CurrentLocation\":\"CurrentLocation\",\"PreviousLocation\":\"PreviousLocation\",\"CurrentIPAddress\":\"CurrentIPAddress\",\"PreviousIPAddress\":\"PreviousIPAddress\"},\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"},{\"identifier\":\"Name\",\"columnName\":\"UserEmailName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"CurrentIPAddress\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"PreviousIPAddress\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Correlate Unfamiliar sign-in properties \u0026 atypical travel alerts\",\"description\":\"The combination of an Unfamiliar sign-in properties alert and an Atypical travel alert about the same user within a +10m or -10m window is considered a high severity incident.\",\"lastUpdatedDateUTC\":\"2023-04-19T00:00:00Z\",\"createdDateUTC\":\"2020-09-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectoryIdentityProtection\",\"dataTypes\":[\"SecurityAlert (IPC)\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"IdentityInfo\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/05eca115-c4b5-48e4-ba6e-07db57695be2\",\"name\":\"05eca115-c4b5-48e4-ba6e-07db57695be2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let baseline_time = 7d;\\nlet detection_time = 1d;\\nDynamics365Activity\\n| where TimeGenerated between(ago(baseline_time)..ago(detection_time-1d))\\n| where OriginalObjectId contains \u0027ExportToExcel\u0027\\n| extend numQueryCount = todouble(QueryResults)\\n| extend QueryCount = iif(QueryResults contains \\\",\\\", todouble(countof(tostring(QueryResults), \u0027,\u0027) + 1), numQueryCount)\\n| extend QueryCount = iif(isnotempty(QueryCount), QueryCount, double(1))\\n| summarize sum(QueryCount) by UserId\\n| extend HistoricalBaseline = sum_QueryCount\\n| join (Dynamics365Activity\\n| where TimeGenerated \u003e ago(detection_time)\\n| where OriginalObjectId contains \u0027ExportToExcel\u0027\\n| extend numQueryCount = todouble(QueryResults)\\n| extend QueryCount = iif(QueryResults contains \\\",\\\", todouble(countof(tostring(QueryResults), \u0027,\u0027) + 1), numQueryCount)\\n| extend QueryCount = iif(isnotempty(QueryCount), QueryCount, double(1))\\n| summarize sum(QueryCount) by UserId\\n| extend CurrentExportRate = sum_QueryCount) on UserId\\n| where CurrentExportRate \u003e HistoricalBaseline\\n| project UserId, HistoricalBaseline, CurrentExportRate\\n| join kind=inner(Dynamics365Activity\\n| where TimeGenerated \u003e ago(detection_time)\\n| where OriginalObjectId contains \u0027ExportToExcel\u0027\\n| extend numQueryCount = todouble(QueryResults)\\n| extend QueryCount = iif(QueryResults contains \\\",\\\", todouble(countof(tostring(QueryResults), \u0027,\u0027) + 1), numQueryCount)\\n| extend QueryCount = iif(isnotempty(QueryCount), QueryCount, double(1))) on UserId\\n| project TimeGenerated, UserId, QueryCount, UserAgent, OriginalObjectId, ClientIP, HistoricalBaseline, CurrentExportRate, CorrelationId, CrmOrganizationUniqueName\\n| summarize QuerySizes = make_set(QueryCount), MostRecentQuery = max(TimeGenerated), IPs = make_set(ClientIP), UserAgents = make_set(UserAgent) by UserId, CrmOrganizationUniqueName, HistoricalBaseline, CurrentExportRate\\n| extend timestamp = MostRecentQuery, AccountCustomEntity = UserId\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"Collection\"],\"displayName\":\"Mass Export of Dynamics 365 Records to Excel\",\"description\":\"The query detects user exporting a large amount of records from Dynamics 365 to Excel, significantly more records exported than any other recent activity by that user.\",\"lastUpdatedDateUTC\":\"2022-12-12T00:00:00Z\",\"createdDateUTC\":\"2021-02-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Dynamics365\",\"dataTypes\":[\"Dynamics365Activity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/327cd4ed-ca42-454b-887c-54e1c91363c6\",\"name\":\"327cd4ed-ca42-454b-887c-54e1c91363c6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Microsoft Defender Advanced Threat Protection\",\"displayName\":\"Create incidents based on Microsoft Defender for Endpoint alerts\",\"description\":\"Create incidents based on all alerts generated in Microsoft Defender for Endpoint\",\"lastUpdatedDateUTC\":\"2019-10-24T00:00:00Z\",\"createdDateUTC\":\"2019-10-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftDefenderAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert (MDATP)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0dd2a343-4bf9-4c93-a547-adf3658ddaec\",\"name\":\"0dd2a343-4bf9-4c93-a547-adf3658ddaec\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"High\",\"query\":\"let known_processes = (\\n imProcess\\n // Change these values if adjusting Query Frequency or Query Period\\n | where TimeGenerated between(ago(14d)..ago(1d))\\n | where Process has_any (\\\"Policies\\\\\\\\{6AC1786C-016F-11D2-945F-00C04fB984F9}\\\", \\\"Policies\\\\\\\\{31B2F340-016D-11D2-945F-00C04FB984F9}\\\")\\n | summarize by Process);\\n imProcess\\n // Change these values if adjusting Query Frequency or Query Period\\n | where TimeGenerated \u003e ago(1d)\\n | where Process has_any (\\\"Policies\\\\\\\\{6AC1786C-016F-11D2-945F-00C04fB984F9}\\\", \\\"Policies\\\\\\\\{31B2F340-016D-11D2-945F-00C04FB984F9}\\\")\\n | where Process !in (known_processes)\\n | summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated) by Process, CommandLine, DvcHostname\\n | extend HostName = tostring(split(DvcHostname, \\\".\\\")[0]), DomainIndex = toint(indexof(DvcHostname, \u0027.\u0027))\\n | extend HostNameDomain = iff(DomainIndex != -1, substring(DvcHostname, DomainIndex + 1), DvcHostname)\\n | project-away DomainIndex\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DvcHostname\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"Execution\",\"LateralMovement\"],\"displayName\":\"New EXE deployed via Default Domain or Default Domain Controller Policies (ASIM Version)\",\"description\":\"This detection highlights executables deployed to hosts via either the Default Domain or Default Domain Controller Policies. These policies apply to all hosts or Domain Controllers and best practice is that these policies should not be used for deployment of files.\\n A threat actor may use these policies to deploy files or scripts to all hosts in a domain.\\n This query uses the ASIM parsers and will need them deployed before usage - https://docs.microsoft.com/azure/sentinel/normalization\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2022-02-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/066395ac-ef91-4993-8bf6-25c61ab0ca5a\",\"name\":\"066395ac-ef91-4993-8bf6-25c61ab0ca5a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/SOURGUM.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet file_path1 = (iocs | where Type =~ \\\"filepath1\\\" | project IoC);\\nlet file_path2 = (iocs | where Type =~ \\\"filepath2\\\" | project IoC);\\nlet file_path3 = (iocs | where Type =~ \\\"filepath3\\\" | project IoC);\\nlet reg_key = (iocs | where Type =~ \\\"regkey\\\" | project IoC);\\nWindowsEvent\\n| where EventID == 4688 and (EventData has_any (file_path1) or EventData has_any (file_path2) or EventData has_any (file_path3) or EventData has_any (\u0027reg add\u0027) or EventData has_any (reg_key) )\\n| extend CommandLine = tostring(EventData.CommandLine)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| where (CommandLine has_any (file_path1)) or\\n (CommandLine has_any (file_path3)) or\\n (CommandLine has \u0027reg add\u0027 and CommandLine has_any (reg_key) and CommandLine has_any (file_path2)) or \\n (NewProcessName has_any (file_path1)) or\\n (NewProcessName has_any (file_path3)) or\\n (ParentProcessName has_any (file_path1)) or \\n (ParentProcessName has_any (file_path3)) \\n| extend Account = strcat(EventData.SubjectDomainName,\\\"\\\\\\\\\\\", EventData.SubjectUserName)\\n| extend NewProcessId = tostring(EventData.NewProcessId)\\n| extend IPCustomEntity = tostring(EventData.IpAddress)\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type, IPCustomEntity\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, Alert = \u0027SOURGUM IOC detected\u0027\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Caramel Tsunami Actor IOC - July 2021\",\"description\":\"Identifies a match across IOC\u0027s related to an actor tracked by Microsoft as Caramel Tsunami\",\"lastUpdatedDateUTC\":\"2023-07-18T00:00:00Z\",\"createdDateUTC\":\"2022-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1da9853f-3dea-4ea9-b7e5-26730da3d537\",\"name\":\"1da9853f-3dea-4ea9-b7e5-26730da3d537\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.6\",\"severity\":\"Medium\",\"query\":\"let PortScanThreshold = 50;\\n_Im_NetworkSession\\n| where ipv4_is_private(SrcIpAddr) == False\\n| where SrcIpAddr !in (\\\"127.0.0.1\\\", \\\"::1\\\")\\n| summarize AttemptedPortsCount=dcount(DstPortNumber), AttemptedPorts=make_set(DstPortNumber, 100), ReportedBy=make_set(strcat(EventVendor, \\\"/\\\", EventProduct), 20) by SrcIpAddr, bin(TimeGenerated, 5m)\\n| where AttemptedPortsCount \u003e PortScanThreshold\",\"customDetails\":{\"AttemptedPortsCount\":\"AttemptedPortsCount\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Potential port scan from {{SrcIpAddr}}\",\"alertDescriptionFormat\":\"A port scan has been performed from address {{SrcIpAddr}} over {{AttemptedPortsCount}} ports within 5 minutes. This may indicate that a [port scanner](https://en.wikipedia.org/wiki/Port_scanner) is trying to identify open ports in order to penetrate a system.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"Discovery\"],\"displayName\":\"Port scan detected (ASIM Network Session schema)\",\"description\":\"This rule identifies a possible port scan, in which a single source tries to access a large number of different ports is a short time frame. This may indicate that a [port scanner](https://en.wikipedia.org/wiki/Port_scanner) is trying to identify open ports in order to penetrate a system.\\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-03-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"AzureNSG\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoAsaAma\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]},{\"connectorId\":\"AIVectraStream\",\"dataTypes\":[\"VectraStream\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoMeraki\",\"dataTypes\":[\"Syslog\",\"CiscoMerakiNativePoller\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2f561e20-d97b-4b13-b02d-18b34af6e87c\",\"name\":\"2f561e20-d97b-4b13-b02d-18b34af6e87c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\nlet cmdList = dynamic([\\\"Set-CASMailbox\\\",\\\"ActiveSyncAllowedDeviceIDs\\\",\\\"add\\\"]);\\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where EventID == 4688\\n| where CommandLine has_all (cmdList)\\n| project Type, TimeGenerated, Computer, Account, SubjectDomainName, SubjectUserName, Process, ParentProcessName, CommandLine\\n| extend timestamp = TimeGenerated, AccountEntity = Account, HostEntity = Computer\\n),\\n( WindowsEvent\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where EventID == 4688\\n| where EventData has_all (cmdList)\\n| extend CommandLine = tostring(EventData.CommandLine) \\n| where CommandLine has_all (cmdList)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| project Type, TimeGenerated, Computer, Account, SubjectDomainName, SubjectUserName, Process, ParentProcessName, CommandLine\\n| extend timestamp = TimeGenerated, AccountEntity = Account, HostEntity = Computer\\n),\\n(\\nDeviceProcessEvents\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where InitiatingProcessCommandLine has_all (cmdList)\\n| project Type, TimeGenerated, DeviceName, AccountName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessParentFileName, InitiatingProcessCommandLine\\n| extend timestamp = TimeGenerated, AccountDomain = InitiatingProcessAccountDomain, AccountName = InitiatingProcessAccountName, HostEntity = DeviceName\\n),\\n(\\nEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key=tostring([\u0027@Name\u0027]), Value=[\u0027#text\u0027]\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where CommandLine has_all (cmdList)\\n| extend Type = strcat(Type, \\\": \\\", Source)\\n| project Type, TimeGenerated, Computer, User, Process, ParentImage, CommandLine\\n| extend timestamp = TimeGenerated, AccountEntity = User, HostEntity = Computer\\n)\\n)\\n| extend HostName = tostring(split(HostEntity, \\\".\\\")[0]), DomainIndex = toint(indexof(HostEntity, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(HostEntity, DomainIndex + 1), HostEntity)\\n| extend AccountName = tostring(split(AccountEntity, @\u0027\\\\\u0027)[1]), AccountDomain = tostring(split(AccountEntity, @\u0027\\\\\u0027)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountEntity\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostEntity\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Email access via active sync\",\"description\":\"This query detects attempts to add attacker devices as allowed IDs for active sync using the Set-CASMailbox command.\\nThis technique was seen in relation to Solorigate attack but the results can indicate potential malicious activity used in different attacks.\\n- Note that this query can be changed to use the KQL \\\"has_all\\\" operator, which hasn\u0027t yet been documented officially, but will be soon.\\n In short, \\\"has_all\\\" will only match when the referenced field has all strings in the list.\\n- Refer to Set-CASMailbox syntax: https://docs.microsoft.com/powershell/module/exchange/set-casmailbox?view=exchange-ps \",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2021-02-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f041e01d-840d-43da-95c8-4188f6cef546\",\"name\":\"f041e01d-840d-43da-95c8-4188f6cef546\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let LearningPeriod = 7d;\\nlet RunTime = 1h;\\nlet StartTime = 1h;\\nlet EndRunTime = StartTime - RunTime;\\nlet EndLearningTime = StartTime + LearningPeriod;\\nlet GitHubCountryCodeLogs = (GitHubAudit\\n| where Country != \\\"\\\");\\n GitHubCountryCodeLogs\\n| where TimeGenerated between (ago(EndLearningTime) .. ago(StartTime))\\n| summarize makeset(Country) by Actor\\n| join kind=innerunique (\\n GitHubCountryCodeLogs\\n | where TimeGenerated between (ago(StartTime) .. ago(EndRunTime))\\n | distinct Country, Actor, TimeGenerated\\n) on Actor \\n| where set_Country !contains Country\\n| extend AccountCustomEntity = Actor , timestamp = TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"GitHub Activites from a New Country\",\"description\":\"Detect activities from a location that was not recently or was never visited by the user or by any user in your organization.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e4779bdc-397a-4b71-be28-59e6a1e1d16b\",\"name\":\"e4779bdc-397a-4b71-be28-59e6a1e1d16b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"ZoomLogs\\n| where Event =~ \\\"account.settings_updated\\\"\\n| extend NewE2ESetting = columnifexists(\\\"payload_object_settings_in_meeting_e2e_encryption_b\\\", \\\"\\\")\\n| extend OldE2ESetting = columnifexists(\\\"payload_old_object_settings_in_meeting_e2e_encryption_b\\\", \\\"\\\")\\n| where OldE2ESetting =~ \u0027false\u0027 and NewE2ESetting =~ \u0027true\u0027\\n| extend AccountName = tostring(split(User, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(User, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"User\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]}],\"tactics\":[\"CredentialAccess\",\"Discovery\"],\"displayName\":\"Zoom E2E Encryption Disabled\",\"description\":\"This alerts when end to end encryption is disabled for Zoom meetings.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2020-04-24T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b6685757-3ed1-4b05-a5bd-2cacadc86c2a\",\"name\":\"b6685757-3ed1-4b05-a5bd-2cacadc86c2a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.3\",\"severity\":\"High\",\"query\":\"let UA_threats = dynamic([\\\"FoxBlade\\\", \\\"WhisperGate\\\", \\\"Lasainraw\\\", \\\"SonicVote\\\", \\\"CaddyWiper\\\", \\\"AprilAxe\\\", \\\"FiberLake\\\", \\\"Industroyer\\\", \\\"DesertBlade\\\"]);\\nSecurityAlert\\n| where ProviderName =~ \\\"MDATP\\\"\\n| extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)\\n| where ThreatFamilyName in~ (UA_threats)\\n| extend HostName = tostring(split(CompromisedEntity, \\\".\\\")[0]), DomainIndex = toint(indexof(CompromisedEntity, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(CompromisedEntity, DomainIndex + 1), CompromisedEntity)\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CompromisedEntity\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"AV detections related to Ukraine threats\",\"description\":\"This query looks for Microsoft Defender AV detections for malware observed in relation to the war in Ukraine.\\n Ref: https://msrc-blog.microsoft.com/2022/02/28/analysis-resources-cyber-threat-activity-ukraine/ \",\"lastUpdatedDateUTC\":\"2024-04-04T00:00:00Z\",\"createdDateUTC\":\"2022-03-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ed43bdb7-eaab-4ea4-be52-6951fcfa7e3b\",\"name\":\"ed43bdb7-eaab-4ea4-be52-6951fcfa7e3b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.4\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nlet timeframe = 1d;\\nlet TotalEventsThreshold = 25;\\nlet TimeSeriesData = AzureActivity \\n| where TimeGenerated between (startofday(ago(starttime))..startofday(now())) \\n| where OperationNameValue endswith \\\"delete\\\" \\n| project TimeGenerated, Caller \\n| make-series Total = count() on TimeGenerated from startofday(ago(starttime)) to startofday(now()) step timeframe by Caller;\\nTimeSeriesData \\n| extend (anomalies, score, baseline) = series_decompose_anomalies(Total, 3, -1, \u0027linefit\u0027) \\n| mv-expand Total to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to typeof(double), baseline to typeof(long) \\n| where TimeGenerated \u003e= startofday(ago(endtime)) \\n| where anomalies \u003e 0 \\n| project Caller, TimeGenerated, Total, baseline, anomalies, score \\n| where Total \u003e TotalEventsThreshold and baseline \u003e 0 \\n| join (AzureActivity \\n| where TimeGenerated \u003e startofday(ago(endtime)) \\n| where OperationNameValue endswith \\\"delete\\\" \\n| summarize count(), make_set(OperationNameValue,100), make_set(_ResourceId,100) by bin(TimeGenerated, timeframe), Caller ) on TimeGenerated, Caller \\n| extend Name = iif(Caller has \u0027@\u0027,tostring(split(Caller,\u0027@\u0027,0)[0]),\\\"\\\")\\n| extend UPNSuffix = iif(Caller has \u0027@\u0027,tostring(split(Caller,\u0027@\u0027,1)[0]),\\\"\\\")\\n| extend AadUserId = iif(Caller !has \u0027@\u0027,Caller,\\\"\\\")\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Caller\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"AadUserId\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Mass Cloud resource deletions Time Series Anomaly\",\"description\":\"This query generates the baseline pattern of cloud resource deletions by an individual and generates an anomaly when any unusual spike is detected. These anomalies from unusual or privileged users could be an indication of a cloud infrastructure takedown by an adversary.\",\"lastUpdatedDateUTC\":\"2024-03-04T00:00:00Z\",\"createdDateUTC\":\"2022-03-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/11c3d541-5fa5-49df-8218-d1c98584473b\",\"name\":\"11c3d541-5fa5-49df-8218-d1c98584473b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"// Retrieve SecurityAlerts generated within the last day\\n SecurityAlert \\n // Filter alerts for Azure Active Directory Identity Protection and High severity\\n | where ProductName has \\\"Azure Active Directory Identity Protection\\\"\\n | where AlertSeverity == \\\"High\\\"\\n // Extract IP address entities from the \u0027Entities\u0027 field\\n | extend ipAddress = extract(@\u0027\\\\b(?:\\\\d{1,3}\\\\.){3}\\\\d{1,3}\\\\b\u0027, 0, Entities)\\n // Filter out alerts without IP address entities\\n | where isnotempty(ipAddress)\\n // Summarize entities per unique combination of attributes\\n | summarize make_set(Entities)\\n by\\n AlertTime = TimeGenerated,\\n ipAddress,\\n AlertName,\\n ProductName,\\n AlertSeverity\\n // Perform an inner join with AWS CloudTrail events\\n | join kind=inner (\\n AWSCloudTrail\\n | where isempty(ErrorMessage)\\n | extend UserType = tostring(parse_json(RequestParameters).userType) \\n | where EventName in~ (\\\"CreateRole\\\", \\\"DeleteRole\\\", \\\"CreateUser\\\", \\\"CreateAccessKey\\\", \\\"DeleteAccessKey\\\", \\\"CreateGroup\\\", \\\"AddUserToGroup\\\", \\\"ChangePassword\\\", \\\"DeleteGroup\\\", \\\"DeleteUser\\\", \\\"RemoveUserFromGroup\\\", \\\"CreateVirtualMFADevice\\\", \\\"DeleteLoginProfile\\\") \\n | summarize\\n make_set(RequestParameters),\\n make_set(ResponseElements)\\n by\\n SourceIpAddress,\\n UserIdentityArn,\\n UserIdentityType,\\n EventName,\\n EventTime = TimeGenerated\\n )\\n on $left.ipAddress == $right.SourceIpAddress \\n // Filter results based on temporal correlation\\n | where AlertTime between ((EventTime - 1h) .. (EventTime + 1h))\",\"customDetails\":{\"AWSUser\":\"UserIdentityArn\",\"AlertIp\":\"ipAddress\",\"AlertName\":\"AlertName\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIpAddress\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"User impersonation by Identity Protection alerts\",\"description\":\"This detection focuses on identifying user-related events involving IAM roles, groups, user access, and password changes. It examines instances where the user\u0027s IP address matches and alerts generated by Identity Protection share the same IP address. The analysis occurs within a time window of 1 hour, helping to flag potential cases of user impersonation.\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2023-08-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"AzureActiveDirectoryIdentityProtection\",\"dataTypes\":[\"SecurityAlert (IPC)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4d8de9e6-263e-4845-8618-cd23a4f58b70\",\"name\":\"4d8de9e6-263e-4845-8618-cd23a4f58b70\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT3H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 3h;\\n// Add full UPN (user@domain.com) to Authorized Bypassers to ignore policy bypasses by certain authorized users\\nlet AuthorizedBypassers = dynamic([\u0027foo@baz.com\u0027, \u0027test@foo.com\u0027]);\\nlet historicBypassers = AzureDevOpsAuditing\\n| where TimeGenerated between (ago(starttime) .. ago(endtime))\\n| where OperationName == \u0027Git.RefUpdatePoliciesBypassed\u0027\\n| distinct ActorUPN;\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e= ago(endtime)\\n| where OperationName == \u0027Git.RefUpdatePoliciesBypassed\u0027\\n| where ActorUPN !in (historicBypassers) and ActorUPN !in (AuthorizedBypassers)\\n| parse ScopeDisplayName with OrganizationName \u0027(Organization)\u0027\\n| project TimeGenerated, ActorUPN, IpAddress, UserAgent, OrganizationName, ProjectName, RepoName = Data.RepoName, AlertDetails = Details, Branch = Data.Name,\\n BypassReason = Data.BypassReason, PRLink = strcat(\u0027https://dev.azure.com/\u0027, OrganizationName, \u0027/\u0027, ProjectName, \u0027/_git/\u0027, Data.RepoName, \u0027/pullrequest/\u0027, Data.PullRequestId)\\n| extend timestamp = TimeGenerated\\n| extend AccountName = tostring(split(ActorUPN, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(ActorUPN, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ActorUPN\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"PRLink\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Azure DevOps Pull Request Policy Bypassing - Historic allow list\",\"description\":\"This detection builds an allow list of historic PR policy bypasses and compares to recent history, flagging pull request bypasses that are not manually in the allow list and not historically included in the allow list.\",\"lastUpdatedDateUTC\":\"2024-03-13T00:00:00Z\",\"createdDateUTC\":\"2020-06-04T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f2eb15bd-8a88-4b24-9281-e133edfba315\",\"name\":\"f2eb15bd-8a88-4b24-9281-e133edfba315\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.8\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet Signins = materialize(union isfuzzy=true\\n (SigninLogs\\n | where TimeGenerated \u003e= ago(dt_lookBack)),\\n (AADNonInteractiveUserSignInLogs\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | extend Status = todynamic(Status), LocationDetails = todynamic(LocationDetails)));\\nlet SigninIPs = Signins | summarize make_list(IPAddress);\\nlet TI = materialize(ThreatIntelligenceIndicator\\n | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n | where TimeGenerated \u003e= ago(ioc_lookBack)\\n | extend TI_ipEntity = coalesce(NetworkIP, EmailSourceIpAddress, NetworkDestinationIP, NetworkSourceIP)\\n | where TI_ipEntity in (SigninIPs)\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n | where Active == true and ExpirationDateTime \u003e now()\\n | where Description !contains_cs \\\"State: inactive;\\\" and Description !contains_cs \\\"State: falsepos;\\\");\\nTI\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (Signins) on $left.TI_ipEntity == $right.IPAddress\\n| project-rename SigninLogs_TimeGenerated = TimeGenerated\\n| where SigninLogs_TimeGenerated \u003c ExpirationDateTime\\n| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails), StatusReason = tostring(Status.failureReason)\\n| summarize SigninLogs_TimeGenerated = arg_max(SigninLogs_TimeGenerated, *) by IndicatorId, IPAddress\\n| project SigninLogs_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, IPAddress, UserPrincipalName, AppDisplayName, StatusCode, StatusDetails, StatusReason, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, Type\\n| extend timestamp = SigninLogs_TimeGenerated, Name = tostring(split(UserPrincipalName, \u0027@\u0027, 0)[0]), UPNSuffix = tostring(split(UserPrincipalName, \u0027@\u0027, 1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"TI Map IP Entity to SigninLogs\",\"description\":\"This query maps any IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in SigninLogs.\",\"lastUpdatedDateUTC\":\"2023-07-18T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8cbc3215-fa58-4bd6-aaaa-f0029c351730\",\"name\":\"8cbc3215-fa58-4bd6-aaaa-f0029c351730\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"AlertPerResult\"},\"version\":\"1.1.4\",\"severity\":\"Medium\",\"query\":\"let threatCategory=\\\"Cryptominer\\\";\\nlet knownUserAgentsIndicators = materialize(externaldata(UserAgent:string, Category:string)\\n [ @\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/UnusualUserAgents.csv\\\"] \\n with(format=\\\"csv\\\", ignoreFirstRecord=True));\\nlet knownUserAgents=toscalar(knownUserAgentsIndicators | where Category==threatCategory | where isnotempty(UserAgent) | summarize make_list(UserAgent));\\nlet customUserAgents=toscalar(_GetWatchlist(\\\"UnusualUserAgents\\\") | where SearchKey==threatCategory | extend UserAgent=column_ifexists(\\\"UserAgent\\\",\\\"\\\") | where isnotempty(UserAgent) | summarize make_list(UserAgent));\\nlet fullUAList = array_concat(knownUserAgents,customUserAgents);\\n_Im_WebSession(httpuseragent_has_any=fullUAList)\\n| summarize N_Events=count() by SrcIpAddr, Url, TimeGenerated, HttpUserAgent, SrcUsername\\n| extend AccountName = tostring(split(SrcUsername, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(SrcUsername, \\\"@\\\")[1])\",\"customDetails\":{\"UserAgent\":\"HttpUserAgent\"},\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SrcUsername\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"The host {{SrcIpAddr}} is potentially running a crypto miner\",\"alertDescriptionFormat\":\"The host at address {{SrcIpAddr}} sent an HTTP request to the URL {{Url}} with the HTTP user agent header {{HttpUserAgent}}. This user agent is known to be used by crypto miners and indicates crypto mining activity on the client.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"Impact\"],\"displayName\":\"A host is potentially running a crypto miner (ASIM Web Session schema)\",\"description\":\"This rule identifies a web request with a user agent header known to belong to a crypto miner. This indicates a crypto miner may have infected the client machine.\u003cbr\u003eYou can add custom crypto mining indicating User-Agent headers using a watchlist, for more information refer to the [UnusualUserAgents Watchlist](https://aka.ms/ASimUnusualUserAgentsWatchlist).\u003cbr\u003e\u003cbr\u003e This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema)\",\"lastUpdatedDateUTC\":\"2024-07-15T00:00:00Z\",\"createdDateUTC\":\"2021-12-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5db427b2-f406-4274-b413-e9fcb29412f8\",\"name\":\"5db427b2-f406-4274-b413-e9fcb29412f8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.4\",\"severity\":\"High\",\"query\":\"AuditLogs\\n| where ActivityDisplayName =~ \u0027Add member to role request denied (PIM activation)\u0027\\n| mv-apply ResourceItem = TargetResources on \\n (\\n where ResourceItem.type =~ \\\"Role\\\"\\n | extend Role = trim(@\u0027\\\"\u0027,tostring(ResourceItem.displayName))\\n )\\n| mv-apply ResourceItem = TargetResources on \\n (\\n where ResourceItem.type =~ \\\"User\\\"\\n | extend TargetUserPrincipalName = trim(@\u0027\\\"\u0027,tostring(ResourceItem.userPrincipalName))\\n )\\n| where ResultReason != \\\"RoleAssignmentExists\\\"\\n| where isnotempty(InitiatedBy.user)\\n| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n| extend InitiatingIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\\n| extend TargetName = tostring(split(TargetUserPrincipalName,\u0027@\u0027,0)[0]), TargetUPNSuffix = tostring(split(TargetUserPrincipalName,\u0027@\u0027,1)[0])\\n| extend InitiatedByName = tostring(split(InitiatingUserPrincipalName,\u0027@\u0027,0)[0]), InitiatedByUPNSuffix = tostring(split(InitiatingUserPrincipalName,\u0027@\u0027,1)[0])\\n| project-reorder TimeGenerated, TargetUserPrincipalName, Role, OperationName, Result, ResultDescription\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"TargetName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"TargetUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatedByName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatedByUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAppServicePrincipalId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIpAddress\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"NRT PIM Elevation Request Rejected\",\"description\":\"Identifies when a user is rejected for a privileged role elevation via PIM. Monitor rejections for indicators of attacker compromise of the requesting account.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-identity-management\",\"lastUpdatedDateUTC\":\"2024-08-19T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4d94d4a9-dc96-450a-9dea-4d4d4594199b\",\"name\":\"4d94d4a9-dc96-450a-9dea-4d4d4594199b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"High\",\"query\":\"SecurityNestedRecommendation\\n| where RemediationDescription has \u0027CVE-2021-38647\u0027\\n| parse ResourceDetails with * \u0027virtualMachines/\u0027 VirtualMAchine \u0027\\\"\u0027 *\\n| summarize arg_min(TimeGenerated, *) by TenantId, RecommendationSubscriptionId, VirtualMAchine, RecommendationName,Description,RemediationDescription, tostring(AdditionalData),VulnerabilityId\\n| extend HostName = tostring(split(VirtualMAchine, \\\".\\\")[0]), DomainIndex = toint(indexof(VirtualMAchine, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(VirtualMAchine, DomainIndex + 1), VirtualMAchine)\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"VirtualMAchine\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"InitialAccess\",\"Execution\"],\"displayName\":\"Vulnerable Machines related to OMIGOD CVE-2021-38647\",\"description\":\"This query uses the Azure Defender Security Nested Recommendations data to find machines vulnerable to OMIGOD CVE-2021-38647.\\nOMI is the Linux equivalent of Windows WMI and helps users manage configurations across remote and local environments. The query aims to find machines that have this OMI vulnerability (CVE-2021-38647).\\n Security Nested Recommendations data is sent to Microsoft Sentinel using the continuous export feature of Azure Defender(refrence link below).\\n Reference: https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure\\n Reference: https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2021-09-17T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3255ec41-6bd6-4f35-84b1-c032b18bbfcb\",\"name\":\"3255ec41-6bd6-4f35-84b1-c032b18bbfcb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"Low\",\"query\":\"let starttime = 1d;\\nlet TimeDeltaThresholdInSeconds = 60; // we ignore beacons diffs that fall below this threshold\\nlet TotalBeaconsThreshold = 4; // minimum number of beacons required in a session to surface a row\\nlet JitterTolerance = 0.2; // tolerance to jitter, e.g. - 0.2 = 20% jitter is tolerated either side of the periodicity\\nCommonSecurityLog\\n| where DeviceVendor == \\\"Fortinet\\\"\\n| where TimeGenerated \u003e ago(starttime)\\n// eliminate bad data\\n| where isnotempty(SourceIP) and isnotempty(DestinationIP) and SourceIP != \\\"0.0.0.0\\\"\\n// filter out deny, close, rst and SNMP to reduce data volume\\n| where DeviceAction !in (\\\"close\\\", \\\"client-rst\\\", \\\"server-rst\\\", \\\"deny\\\") and DestinationPort != 161\\n// map input fields\\n| project TimeGenerated , SourceIP, DestinationIP, DestinationPort, ReceivedBytes, SentBytes, DeviceAction\\n// where destination IPs are public\\n| where ipv4_is_private(DestinationIP) == false\\n// sort into source-\u003edestination \u0027sessions\u0027\\n| sort by SourceIP asc, DestinationIP asc, DestinationPort asc, TimeGenerated asc\\n| serialize\\n// time diff the contact times between source and destination to get a list of deltas\\n| extend nextTimeGenerated = next(TimeGenerated, 1), nextSourceIP = next(SourceIP, 1), nextDestIP = next(DestinationIP, 1), nextDestPort = next(DestinationPort, 1)\\n| extend TimeDeltainSeconds = datetime_diff(\\\"second\\\",nextTimeGenerated,TimeGenerated)\\n| where SourceIP == nextSourceIP and DestinationIP == nextDestIP and DestinationPort == nextDestPort\\n// remove small time deltas below the set threshold\\n| where TimeDeltainSeconds \u003e TimeDeltaThresholdInSeconds\\n// summarize the deltas by source-\u003edestination\\n| summarize count(), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), sum(ReceivedBytes), sum(SentBytes), makelist(TimeDeltainSeconds), makeset(DeviceAction) by SourceIP, DestinationIP, DestinationPort\\n// get some statistical properties of the delta distribution and smooth any outliers (e.g. laptop shut overnight, working hours)\\n| extend series_stats(list_TimeDeltainSeconds), outliers=series_outliers(list_TimeDeltainSeconds)\\n// expand the deltas and the outliers\\n| mvexpand list_TimeDeltainSeconds to typeof(double), outliers to typeof(double)\\n// replace outliers with the average of the distribution\\n| extend list_TimeDeltainSeconds_normalized=iff(outliers \u003e 1.5 or outliers \u003c -1.5, series_stats_list_TimeDeltainSeconds_avg , list_TimeDeltainSeconds)\\n// summarize with the smoothed distribution\\n| summarize BeaconCount=count(), makelist(list_TimeDeltainSeconds), list_TimeDeltainSeconds_normalized=makelist(list_TimeDeltainSeconds_normalized), makeset(set_DeviceAction) by StartTime, EndTime, SourceIP, DestinationIP, DestinationPort, sum_ReceivedBytes, sum_SentBytes\\n// get stats on the smoothed distribution\\n| extend series_stats(list_TimeDeltainSeconds_normalized)\\n// match jitter tolerance on smoothed distrib\\n| extend MaxJitter = (series_stats_list_TimeDeltainSeconds_normalized_avg*JitterTolerance)\\n| where series_stats_list_TimeDeltainSeconds_normalized_stdev \u003c MaxJitter\\n// where the minimum beacon threshold is satisfied and there was some data transfer\\n| where BeaconCount \u003e TotalBeaconsThreshold and (sum_SentBytes \u003e 0 or sum_ReceivedBytes \u003e 0)\\n// final projection\\n| project StartTime, EndTime, SourceIP, DestinationIP, DestinationPort, BeaconCount, TimeDeltasInSeconds=list_list_TimeDeltainSeconds, Periodicity=series_stats_list_TimeDeltainSeconds_normalized_avg, ReceivedBytes=sum_ReceivedBytes, SentBytes=sum_SentBytes, Actions=set_set_DeviceAction\\n// where periodicity is order of magnitude larger than time delta threshold (eliminates FPs whose periodicity is close to the values we ignored)\\n| where Periodicity \u003e= (10*TimeDeltaThresholdInSeconds)\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DestinationIP\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Fortinet - Beacon pattern detected\",\"description\":\"Identifies patterns in the time deltas of contacts between internal and external IPs in Fortinet network data that are consistent with beaconing.\\n Accounts for randomness (jitter) and seasonality such as working hours that may have been introduced into the beacon pattern.\\n The lookback is set to 1d, the minimum granularity in time deltas is set to 60 seconds and the minimum number of beacons required to emit a detection is set to 4.\\n Increase the lookback period to capture beacons with larger periodicities.\\n The jitter tolerance is set to 0.2 - This means we account for an overall 20% deviation from the infered beacon periodicity. Seasonality is dealt with automatically using series_outliers.\\n Note: In large environments it may be necessary to reduce the lookback period to get fast query times.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2020-03-31T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3a9d5ede-2b9d-43a2-acc4-d272321ff77c\",\"name\":\"3a9d5ede-2b9d-43a2-acc4-d272321ff77c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.5\",\"severity\":\"Medium\",\"query\":\"let riskScoreCutoff = 20; //Adjust this based on volume of results\\nlet starttime = 14d;\\nlet timeframe = 1d;\\nlet scorethreshold = 3;\\nlet baselinethreshold = 50;\\nlet aadFunc = (tableName:string){\\n // Failed Signins attempts with reasoning related to conditional access policies.\\n table(tableName)\\n | where TimeGenerated between (startofday(ago(starttime))..startofday(now()))\\n | where ResultDescription has_any (\\\"conditional access\\\", \\\"CA\\\") or ResultType in (50005, 50131, 53000, 53001, 53002, 52003, 70044)\\n | extend UserPrincipalName = tolower(UserPrincipalName)\\n | extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nlet allSignins = union isfuzzy=true aadSignin, aadNonInt;\\nlet TimeSeriesAlerts = \\nallSignins\\n| make-series DailyCount=count() on TimeGenerated from startofday(ago(starttime)) to startofday(now()) step 1d by UserPrincipalName\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(DailyCount, scorethreshold, -1, \u0027linefit\u0027)\\n| mv-expand DailyCount to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to typeof(double), baseline to typeof(long)\\n// Filtering low count events per baselinethreshold\\n| where anomalies \u003e 0 and baseline \u003e baselinethreshold\\n| extend AnomalyHour = TimeGenerated\\n| project UserPrincipalName, AnomalyHour, TimeGenerated, DailyCount, baseline, anomalies, score;\\n// Filter the alerts for specified timeframe\\nTimeSeriesAlerts\\n| where TimeGenerated \u003e startofday(ago(timeframe))\\n| join kind=inner ( \\n allSignins\\n | where TimeGenerated \u003e startofday(ago(timeframe))\\n // create a new column and round to hour\\n | extend DateHour = bin(TimeGenerated, 1h)\\n | summarize PartialFailedSignins = count(), LatestAnomalyTime = arg_max(TimeGenerated, *) by bin(TimeGenerated, 1h), OperationName, Category, ResultType, ResultDescription, UserPrincipalName, UserDisplayName, AppDisplayName, ClientAppUsed, IPAddress, ResourceDisplayName\\n) on UserPrincipalName, $left.AnomalyHour == $right.DateHour\\n| project LatestAnomalyTime, OperationName, Category, UserPrincipalName, UserDisplayName, ResultType, ResultDescription, AppDisplayName, ClientAppUsed, UserAgent, IPAddress, Location, AuthenticationRequirement, ConditionalAccessStatus, ResourceDisplayName, PartialFailedSignins, TotalFailedSignins = DailyCount, baseline, anomalies, score\\n| extend timestamp = LatestAnomalyTime, Name = tostring(split(UserPrincipalName,\u0027@\u0027,0)[0]), UPNSuffix = tostring(split(UserPrincipalName,\u0027@\u0027,1)[0])\\n| extend UserPrincipalName = tolower(UserPrincipalName)\\n| join kind=leftouter (\\n IdentityInfo\\n | summarize LatestReportTime = arg_max(TimeGenerated, *) by AccountUPN\\n | project AccountUPN, Tags, JobTitle, GroupMembership, AssignedRoles, UserType, IsAccountEnabled\\n | summarize\\n Tags = make_set(Tags, 1000),\\n GroupMembership = make_set(GroupMembership, 1000),\\n AssignedRoles = make_set(AssignedRoles, 1000),\\n UserType = make_set(UserType, 1000),\\n UserAccountControl = make_set(UserType, 1000)\\n by AccountUPN\\n | extend UserPrincipalName=tolower(AccountUPN)\\n) on UserPrincipalName\\n| join kind=leftouter (\\n BehaviorAnalytics\\n | where ActivityType in (\\\"FailedLogOn\\\", \\\"LogOn\\\")\\n | where isnotempty(SourceIPAddress)\\n | project UsersInsights, DevicesInsights, ActivityInsights, InvestigationPriority, SourceIPAddress\\n | project-rename IPAddress = SourceIPAddress\\n | summarize\\n UsersInsights = make_set(UsersInsights, 1000),\\n DevicesInsights = make_set(DevicesInsights, 1000),\\n IPInvestigationPriority = sum(InvestigationPriority)\\n by IPAddress)\\non IPAddress\\n| extend UEBARiskScore = IPInvestigationPriority\\n| where UEBARiskScore \u003e riskScoreCutoff\\n| sort by UEBARiskScore desc\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"User Accounts - Sign in Failure due to CA Spikes\",\"description\":\" Identifies spike in failed sign-ins from user accounts due to conditional access policied.\\nSpike is determined based on Time series anomaly which will look at historical baseline values.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\\nThis query has also been updated to include UEBA logs IdentityInfo and BehaviorAnalytics for contextual information around the results.\",\"lastUpdatedDateUTC\":\"2024-02-07T00:00:00Z\",\"createdDateUTC\":\"2021-10-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"BehaviorAnalytics\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"IdentityInfo\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cc5780ce-3245-4bba-8bc1-e9048c2257ce\",\"name\":\"cc5780ce-3245-4bba-8bc1-e9048c2257ce\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n | where Category =~ \\\"ApplicationManagement\\\"\\n | where OperationName =~ \\\"Add owner to application\\\"\\n | extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n | extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n | extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n | extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n | extend InitiatingIPAddress = tostring(InitiatedBy.user.ipAddress)\\n | extend TargetUserPrincipalName = TargetResources[0].userPrincipalName\\n | extend TargetAadUserId = tostring(TargetResources[0].id)\\n | extend mod_props = TargetResources[0].modifiedProperties\\n | mv-expand mod_props\\n | where mod_props.displayName =~ \\\"Application.DisplayName\\\"\\n | extend TargetAppName = tostring(parse_json(tostring(mod_props.newValue)))\\n | extend AddedUser = TargetUserPrincipalName\\n | extend UpdatedBy = iif(isnotempty(InitiatingAppName), InitiatingAppName, InitiatingUserPrincipalName)\\n | extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[1])\\n | extend TargetAccountName = tostring(split(TargetUserPrincipalName, \\\"@\\\")[0]), TargetAccountUPNSuffix = tostring(split(TargetUserPrincipalName, \\\"@\\\")[1])\\n | project-reorder TimeGenerated, InitiatingAppName, InitiatingAppServicePrincipalId, InitiatingAadUserId, InitiatingUserPrincipalName, InitiatingIPAddress, TargetAppName, AddedUser, UpdatedBy\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatingAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatingAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"TargetAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"TargetAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"TargetAadUserId\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Changes to Application Ownership\",\"description\":\"Detects changes to the ownership of an appplicaiton.\\n Monitor these changes to make sure that they were authorized.\\n Ref: https://learn.microsoft.com/en-gb/entra/architecture/security-operations-applications#new-owner\",\"lastUpdatedDateUTC\":\"2024-01-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ee1d718b-9ed9-4a71-90cd-a483a4f008df\",\"name\":\"ee1d718b-9ed9-4a71-90cd-a483a4f008df\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Office 365 Advanced Threat Protection\",\"displayName\":\"Create incidents based on Microsoft Defender for Office 365 alerts\",\"description\":\"Create incidents based on all alerts generated in Microsoft Defender for Office 365\",\"lastUpdatedDateUTC\":\"2020-09-01T00:00:00Z\",\"createdDateUTC\":\"2020-04-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"OfficeATP\",\"dataTypes\":[\"SecurityAlert (OATP)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/795edf2d-cf3e-45b5-8452-fe6c9e6a582e\",\"name\":\"795edf2d-cf3e-45b5-8452-fe6c9e6a582e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"CommonSecurityLog\\n| where isempty(CommunicationDirection)\\n| where DeviceEventClassID in (\\\"733101\\\",\\\"733102\\\",\\\"733103\\\",\\\"733104\\\",\\\"733105\\\")\\n| extend HostName = tostring(split(DeviceName, \\\".\\\")[0]), DomainIndex = toint(indexof(DeviceName, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(DeviceName, DomainIndex + 1), DeviceName)\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DeviceName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]}],\"tactics\":[\"Discovery\",\"Impact\"],\"displayName\":\"Cisco ASA - threat detection message fired\",\"description\":\"Identifies when the Cisco ASA Threat Detection engine fired an alert based on malicious activity occurring on the network inicated by DeviceEventClassID 733101-733105\\nResources: https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs9.html\\nDetails on how to further troubleshoot/investigate: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113685-asa-threat-detection.html\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/dd78a122-d377-415a-afe9-f22e08d2112c\",\"name\":\"dd78a122-d377-415a-afe9-f22e08d2112c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"Medium\",\"query\":\"// Add other permissions to this list as needed\\nlet permissions = dynamic([\\\".All\\\", \\\"ReadWrite\\\", \\\"Mail.\\\", \\\"offline_access\\\", \\\"Files.Read\\\", \\\"Notes.Read\\\", \\\"ChannelMessage.Read\\\", \\\"Chat.Read\\\", \\\"TeamsActivity.Read\\\",\\n\\\"Group.Read\\\", \\\"EWS.AccessAsUser.All\\\", \\\"EAS.AccessAsUser.All\\\"]);\\nlet auditList = \\nAuditLogs\\n| where OperationName =~ \\\"Add app role assignment to service principal\\\"\\n| mv-expand TargetResources[0].modifiedProperties\\n| extend TargetResources_0_modifiedProperties = column_ifexists(\\\"TargetResources_0_modifiedProperties\\\", \u0027\u0027)\\n| where isnotempty(TargetResources_0_modifiedProperties)\\n;\\nlet detailsList = auditList\\n| where TargetResources_0_modifiedProperties.displayName =~ \\\"AppRole.Value\\\" or TargetResources_0_modifiedProperties.displayName =~ \\\"DelegatedPermissionGrant.Scope\\\"\\n| extend Permissions = split((parse_json(tostring(TargetResources_0_modifiedProperties.newValue))), \\\" \\\")\\n| where Permissions has_any (permissions)\\n| summarize AddedPermissions=make_set(Permissions,200) by CorrelationId\\n| join kind=inner auditList on CorrelationId\\n| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n| extend InitiatingIPAddress = tostring(InitiatedBy.user.ipAddress)\\n| extend InitiatedBy = tostring(iff(isnotempty(InitiatingUserPrincipalName),InitiatingUserPrincipalName, InitiatingAppName))\\n| extend displayName = tostring(TargetResources_0_modifiedProperties.displayName), newValue = tostring(parse_json(tostring(TargetResources_0_modifiedProperties.newValue)))\\n| where displayName == \\\"ServicePrincipal.ObjectID\\\" or displayName == \\\"ServicePrincipal.DisplayName\\\"\\n| extend displayName = case(displayName == \\\"ServicePrincipal.ObjectID\\\", \\\"ServicePrincipalObjectID\\\", displayName == \\\"ServicePrincipal.DisplayName\\\", \\\"ServicePrincipalDisplayName\\\", displayName)\\n| project TimeGenerated, CorrelationId, Id, AddedPermissions = tostring(AddedPermissions), InitiatingAadUserId, InitiatingAppName, InitiatingAppServicePrincipalId, InitiatingIPAddress, InitiatingUserPrincipalName, InitiatedBy, displayName, newValue\\n;\\ndetailsList | project Id, displayName, newValue\\n| evaluate pivot(displayName, make_set(newValue))\\n| join kind=inner detailsList on Id\\n| extend ServicePrincipalObjectID = todynamic(column_ifexists(\\\"ServicePrincipalObjectID\\\", \\\"\\\")), ServicePrincipalDisplayName = todynamic(column_ifexists(\\\"ServicePrincipalDisplayName\\\", \\\"\\\"))\\n| mv-expand ServicePrincipalObjectID, ServicePrincipalDisplayName\\n| project-away Id1, displayName, newValue\\n| extend ServicePrincipalObjectID = tostring(ServicePrincipalObjectID), ServicePrincipalDisplayName = tostring(ServicePrincipalDisplayName)\\n| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), EventIds = make_set(Id,200) by CorrelationId, AddedPermissions, InitiatingAadUserId, InitiatingAppName, InitiatingAppServicePrincipalId, InitiatingIPAddress, InitiatingUserPrincipalName, InitiatedBy, ServicePrincipalDisplayName, ServicePrincipalObjectID\\n| extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatingAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatingAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAppServicePrincipalId\"},{\"identifier\":\"ObjectGuid\",\"columnName\":\"ServicePrincipalObjectID\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIPAddress\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Service Principal Assigned App Role With Sensitive Access\",\"description\":\"Detects a Service Principal being assigned an app role that has sensitive access such as Mail.Read.\\n A threat actor who compromises a Service Principal may assign it an app role to allow it to access sensitive data, or to perform other actions.\\n Ensure that any assignment to a Service Principal is valid and appropriate.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-applications#application-granted-highly-privileged-permissions\",\"lastUpdatedDateUTC\":\"2023-12-30T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/defe4855-0d33-4362-9557-009237623976\",\"name\":\"defe4855-0d33-4362-9557-009237623976\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"Medium\",\"query\":\"let query_frequency = 1h;\\nlet query_period = 1d;\\nAuditLogs\\n| where TimeGenerated \u003e ago(query_frequency)\\n| where Category =~ \\\"UserManagement\\\" and OperationName =~ \\\"Delete user\\\"\\n| mv-expand TargetResource = TargetResources\\n| where TargetResource[\\\"type\\\"] == \\\"User\\\" and TargetResource[\\\"userPrincipalName\\\"] has \\\"#EXT#\\\"\\n| extend ParsedDeletedUserPrincipalName = extract(@\\\"^[0-9a-f]{32}([^\\\\#]+)\\\\#EXT\\\\#\\\", 1, tostring(TargetResource[\\\"userPrincipalName\\\"]))\\n| extend\\n Initiator = iif(isnotempty(InitiatedBy[\\\"app\\\"]), tostring(InitiatedBy[\\\"app\\\"][\\\"displayName\\\"]), tostring(InitiatedBy[\\\"user\\\"][\\\"userPrincipalName\\\"])),\\n InitiatorId = iif(isnotempty(InitiatedBy[\\\"app\\\"]), tostring(InitiatedBy[\\\"app\\\"][\\\"servicePrincipalId\\\"]), tostring(InitiatedBy[\\\"user\\\"][\\\"id\\\"])),\\n Delete_IPAddress = tostring(InitiatedBy[tostring(bag_keys(InitiatedBy)[0])][\\\"ipAddress\\\"])\\n| project Delete_TimeGenerated = TimeGenerated, Category, Identity, Initiator, Delete_IPAddress, OperationName, Result, ParsedDeletedUserPrincipalName, InitiatedBy, AdditionalDetails, TargetResources, InitiatorId, CorrelationId\\n| join kind=inner (\\n SigninLogs\\n | where TimeGenerated \u003e ago(query_period)\\n | where ResultType == 0\\n | summarize take_any(*) by UserPrincipalName\\n | extend ParsedUserPrincipalName = translate(\\\"@\\\", \\\"_\\\", UserPrincipalName)\\n | project SigninLogs_TimeGenerated = TimeGenerated, UserPrincipalName, UserDisplayName, ResultType, ResultDescription, IPAddress, LocationDetails, AppDisplayName, ResourceDisplayName, ClientAppUsed, UserAgent, DeviceDetail, UserId, UserType, OriginalRequestId, ParsedUserPrincipalName\\n ) on $left.ParsedDeletedUserPrincipalName == $right.ParsedUserPrincipalName\\n| where SigninLogs_TimeGenerated \u003e Delete_TimeGenerated\\n| project-away ParsedDeletedUserPrincipalName, ParsedUserPrincipalName\\n| extend\\n AccountName = tostring(split(UserPrincipalName, \\\"@\\\")[0]),\\n AccountUPNSuffix = tostring(split(UserPrincipalName, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Suspicious Login from deleted guest account\",\"description\":\" This query will detect logins from guest account which was recently deleted. \\nFor any successful logins from deleted identities should be investigated further if any existing user accounts have been altered or linked to such identity prior deletion\",\"lastUpdatedDateUTC\":\"2024-01-03T00:00:00Z\",\"createdDateUTC\":\"2022-08-09T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/017e095a-94d8-430c-a047-e51a11fb737b\",\"name\":\"017e095a-94d8-430c-a047-e51a11fb737b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"High\",\"query\":\"let domains =\\n SigninLogs\\n | where ResultType == 0\\n | extend domain = split(UserPrincipalName, \\\"@\\\")[1]\\n | extend domain = tostring(split(UserPrincipalName, \\\"@\\\")[1])\\n | summarize by tolower(tostring(domain));\\n AuditLogs\\n | where Category =~ \\\"ApplicationManagement\\\"\\n | where Result =~ \\\"success\\\"\\n | where OperationName =~ \u0027Update Application\u0027\\n | mv-expand TargetResources\\n | mv-expand TargetResources.modifiedProperties\\n | where TargetResources_modifiedProperties.displayName =~ \\\"AppAddress\\\"\\n | extend Key = tostring(TargetResources_modifiedProperties.displayName)\\n | extend NewValue = TargetResources_modifiedProperties.newValue\\n | extend OldValue = TargetResources_modifiedProperties.oldValue\\n | where isnotempty(Key) and isnotempty(NewValue)\\n | project-reorder Key, NewValue, OldValue\\n | extend NewUrls = extract_all(\u0027\\\"Address\\\":([^,]*)\u0027, tostring(NewValue))\\n | extend OldUrls = extract_all(\u0027\\\"Address\\\":([^,]*)\u0027, tostring(OldValue))\\n | extend AddedUrls = set_difference(NewUrls, OldUrls)\\n | where array_length(AddedUrls) \u003e 0\\n | extend UserAgent = iif(tostring(AdditionalDetails[0].key) == \\\"User-Agent\\\", tostring(AdditionalDetails[0].value), \\\"\\\")\\n | extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n | extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n | extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n | extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n | extend InitiatingIPAddress = tostring(InitiatedBy.user.ipAddress)\\n | extend InitiatedBy = tostring(iff(isnotempty(InitiatingUserPrincipalName),InitiatingUserPrincipalName, InitiatingAppName))\\n | extend AppDisplayName = tostring(TargetResources.displayName)\\n | where isnotempty(AddedUrls)\\n | mv-expand AddedUrls\\n | extend AddedUrls = trim(@\u0027\\\"\u0027, tostring(AddedUrls))\\n | extend Domain = extract(\\\"^(?:https?:\\\\\\\\/\\\\\\\\/)?(?:[^@\\\\\\\\/\\\\\\\\n]+@)?(?:www\\\\\\\\.)?([^:\\\\\\\\/?\\\\\\\\n]+)/\\\", 1, replace_string(tolower(AddedUrls), \u0027\\\"\u0027, \\\"\\\"))\\n | where isnotempty(Domain)\\n | extend Domain = strcat(split(Domain, \\\".\\\")[-2], \\\".\\\", split(Domain, \\\".\\\")[-1])\\n | where Domain !in (domains)\\n | project-reorder TimeGenerated, AppDisplayName, AddedUrls, InitiatedBy, UserAgent, InitiatingIPAddress\\n | extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"AddedUrls\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"InitiatingAppName\"},{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAppServicePrincipalId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatingAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatingAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIPAddress\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"URL Added to Application from Unknown Domain\",\"description\":\"Detects a URL being added to an application where the domain is not one that is associated with the tenant.\\n The query uses domains seen in sign in logs to determine if the domain is associated with the tenant.\\n Applications associated with URLs not controlled by the organization can pose a security risk.\\n Ref: https://learn.microsoft.com/en-gb/entra/architecture/security-operations-applications#application-configuration-changes\",\"lastUpdatedDateUTC\":\"2024-01-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/16da3a2a-af29-48a0-8606-d467c180fe18\",\"name\":\"16da3a2a-af29-48a0-8606-d467c180fe18\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"let Threshold = 1;\\nAzureDiagnostics\\n| where Category =~ \\\"FrontDoorWebApplicationFirewallLog\\\"\\n| where action_s =~ \\\"AnomalyScoring\\\"\\n| where details_msg_s has \\\"SQL Injection\\\"\\n| parse details_data_s with MessageText \\\"Matched Data:\\\" MatchedData \\\"AND \\\" * \\\"table_name FROM \\\" TableName \\\" \\\" *\\n| project trackingReference_s, host_s, requestUri_s, TimeGenerated, clientIP_s, details_matches_s, details_msg_s, details_data_s, TableName, MatchedData\\n| join kind = inner(\\nAzureDiagnostics\\n| where Category =~ \\\"FrontDoorWebApplicationFirewallLog\\\"\\n| where action_s =~ \\\"Block\\\") on trackingReference_s\\n| summarize URI_s = make_set(requestUri_s,100), Table = make_set(TableName,100), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), TrackingReference = make_set(trackingReference_s,100), Matched_Data = make_set(MatchedData,100), Detail_Data = make_set(details_data_s,100), Detail_Message = make_set(details_msg_s,100), Total_TrackingReference = dcount(trackingReference_s) by clientIP_s, host_s, action_s\\n| where Total_TrackingReference \u003e= Threshold\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URI_s\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"clientIP_s\"}]}],\"tactics\":[\"DefenseEvasion\",\"Execution\",\"InitialAccess\",\"PrivilegeEscalation\"],\"displayName\":\"Front Door Premium WAF - SQLi Detection\",\"description\":\"Identifies a match for a SQL Injection attack in the Front Door Premium WAF logs. The threshold value in the query can be changed as per your infrastructure\u0027s requirements.\\nReferences: https://owasp.org/Top10/A03_2021-Injection/\",\"lastUpdatedDateUTC\":\"2023-12-20T00:00:00Z\",\"createdDateUTC\":\"2022-10-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"WAF\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7ee72a9e-2e54-459c-bc8a-8c08a6532a63\",\"name\":\"7ee72a9e-2e54-459c-bc8a-8c08a6532a63\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"High\",\"query\":\"let IPList = dynamic([\\\"154.223.45.38\\\",\\\"185.141.207.140\\\",\\\"185.234.73.19\\\",\\\"216.245.210.106\\\",\\\"51.91.48.210\\\",\\\"46.255.230.229\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where isnotempty(SourceIP) or isnotempty(DestinationIP)\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"Message\\\") \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch\\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\") \\n),\\n(OfficeActivity\\n|extend SourceIPAddress = ClientIP, Account = UserId\\n| where SourceIPAddress in (IPList)\\n| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account\\n),\\n(_Im_Dns (response_has_any_prefix=IPList)\\n| extend DestinationIPAddress = DnsResponseName, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host, AccountCustomEntity=User\\n),\\n(_Im_WebSession (srcipaddr_has_any_prefix=IPList)\\n| extend DestinationIPAddress = DstIpAddr, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host\\n),\\n(_Im_NetworkSession (srcipaddr_has_any_prefix=IPList)\\n| extend DestinationIPAddress = DstIpAddr, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host\\n),\\n(_Im_NetworkSession (dstipaddr_has_any_prefix=IPList)\\n| extend DestinationIPAddress = DstIpAddr, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host\\n),\\n(SigninLogs\\n| where isnotempty(IPAddress)\\n| where IPAddress in (IPList)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n),\\n(AADNonInteractiveUserSignInLogs\\n| where isnotempty(IPAddress)\\n| where IPAddress in (IPList)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n),\\n(W3CIISLog \\n| where isnotempty(cIP)\\n| where cIP in (IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName\\n),\\n(AzureActivity \\n| where isnotempty(CallerIpAddress)\\n| where CallerIpAddress in (IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller\\n),\\n(\\nAWSCloudTrail\\n| where isnotempty(SourceIpAddress)\\n| where SourceIpAddress in (IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName\\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n),\\n(\\nAZFWApplicationRule\\n| where isnotempty(Fqdn)\\n| where Fqdn has_any (IPList) \\n| extend DestinationIP = Fqdn \\n| extend IPCustomEntity = SourceIp\\n),\\n(AZFWNetworkRule\\n| where isnotempty(DestinationIp)\\n| where DestinationIp has_any (IPList) \\n| extend DestinationIP = DestinationIp \\n| extend IPCustomEntity = SourceIp\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = EventDetail.[9].[\\\"#text\\\"], DestinationIP = EventDetail.[14].[\\\"#text\\\"]\\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"[Deprecated] - Known Seashell Blizzard IP\",\"description\":\"This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft\u0027s Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2019-12-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\",\"AZFWApplicationRule\",\"AZFWNetworkRule\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a22740ec-fc1e-4c91-8de6-c29c6450ad00\",\"name\":\"a22740ec-fc1e-4c91-8de6-c29c6450ad00\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.7\",\"severity\":\"Medium\",\"query\":\"let aadFunc = (tableName: string) {\\n table(tableName)\\n | where ResultType == 500121\\n | where Status has \\\"MFA Denied; user declined the authentication\\\" or Status has \\\"MFA denied; Phone App Reported Fraud\\\"\\n | extend Type = Type, PublicIP = IPAddress\\n | extend\\n Name = tostring(split(UserPrincipalName, \u0027@\u0027, 0)[0]),\\n UPNSuffix = tostring(split(UserPrincipalName, \u0027@\u0027, 1)[0])\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet dvcInfo = DeviceInfo\\n | extend SensorHealthState = column_ifexists(\\\"SensorHealthState\\\", \\\"\\\")\\n | where OnboardingStatus == \\\"Onboarded\\\" and SensorHealthState == \\\"Active\\\"\\n | project PublicIP, AadDeviceId;\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\\n| join kind=leftouter dvcInfo on PublicIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"PublicIP\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceId\"}]},{\"entityType\":\"CloudApplication\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"AppDisplayName\"},{\"identifier\":\"AppId\",\"columnName\":\"AppId\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"[Deprecated] Explicit MFA Deny\",\"description\":\"User explicitly denies MFA push, indicating that login was not expected and the account\u0027s password may be compromised.\\nThis rule is deprecated as of July-2024. Alternative rule with similar logic and contex from more data source \\nis available at https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Entra%20ID/Analytic%20Rules/MFARejectedbyUser.yaml\",\"lastUpdatedDateUTC\":\"2024-07-25T00:00:00Z\",\"createdDateUTC\":\"2020-10-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceInfo\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2391ce61-8c8d-41ac-9723-d945b2e90720\",\"name\":\"2391ce61-8c8d-41ac-9723-d945b2e90720\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P8D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.3\",\"severity\":\"Low\",\"query\":\"let starttime = 8d;\\nlet endtime = 1d;\\nlet threshold = 0.333;\\nlet countlimit = 50;\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4625 and AccountType =~ \\\"User\\\"\\n| where IpAddress !in (\\\"127.0.0.1\\\", \\\"::1\\\")\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), CountToday = count() by EventID, Account, LogonTypeName, SubStatus, AccountType, Computer, WorkstationName, IpAddress, Process\\n| join kind=leftouter (\\n SecurityEvent\\n | where TimeGenerated between (ago(starttime) .. ago(endtime))\\n | where EventID == 4625 and AccountType =~ \\\"User\\\"\\n | where IpAddress !in (\\\"127.0.0.1\\\", \\\"::1\\\")\\n | summarize CountPrev7day = count() by EventID, Account, LogonTypeName, SubStatus, AccountType, Computer, WorkstationName, IpAddress\\n) on EventID, Account, LogonTypeName, SubStatus, AccountType, Computer, WorkstationName, IpAddress\\n| where CountToday \u003e= coalesce(CountPrev7day,0)*threshold and CountToday \u003e= countlimit\\n//SubStatus Codes are detailed here - https://docs.microsoft.com/windows/security/threat-protection/auditing/event-4625\\n| extend Reason = case(\\nSubStatus =~ \u00270xC000005E\u0027, \u0027There are currently no logon servers available to service the logon request.\u0027,\\nSubStatus =~ \u00270xC0000064\u0027, \u0027User logon with misspelled or bad user account\u0027,\\nSubStatus =~ \u00270xC000006A\u0027, \u0027User logon with misspelled or bad password\u0027,\\nSubStatus =~ \u00270xC000006D\u0027, \u0027Bad user name or password\u0027,\\nSubStatus =~ \u00270xC000006E\u0027, \u0027Unknown user name or bad password\u0027,\\nSubStatus =~ \u00270xC000006F\u0027, \u0027User logon outside authorized hours\u0027,\\nSubStatus =~ \u00270xC0000070\u0027, \u0027User logon from unauthorized workstation\u0027,\\nSubStatus =~ \u00270xC0000071\u0027, \u0027User logon with expired password\u0027,\\nSubStatus =~ \u00270xC0000072\u0027, \u0027User logon to account disabled by administrator\u0027,\\nSubStatus =~ \u00270xC00000DC\u0027, \u0027Indicates the Sam Server was in the wrong state to perform the desired operation\u0027,\\nSubStatus =~ \u00270xC0000133\u0027, \u0027Clocks between DC and other computer too far out of sync\u0027,\\nSubStatus =~ \u00270xC000015B\u0027, \u0027The user has not been granted the requested logon type (aka logon right) at this machine\u0027,\\nSubStatus =~ \u00270xC000018C\u0027, \u0027The logon request failed because the trust relationship between the primary domain and the trusted domain failed\u0027,\\nSubStatus =~ \u00270xC0000192\u0027, \u0027An attempt was made to logon, but the Netlogon service was not started\u0027,\\nSubStatus =~ \u00270xC0000193\u0027, \u0027User logon with expired account\u0027,\\nSubStatus =~ \u00270xC0000224\u0027, \u0027User is required to change password at next logon\u0027,\\nSubStatus =~ \u00270xC0000225\u0027, \u0027Evidently a bug in Windows and not a risk\u0027,\\nSubStatus =~ \u00270xC0000234\u0027, \u0027User logon with account locked\u0027,\\nSubStatus =~ \u00270xC00002EE\u0027, \u0027Failure Reason: An Error occurred during Logon\u0027,\\nSubStatus =~ \u00270xC0000413\u0027, \u0027Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine\u0027,\\nstrcat(\u0027Unknown reason substatus: \u0027, SubStatus))\\n| extend WorkstationName = iff(WorkstationName == \\\"-\\\" or isempty(WorkstationName), Computer , WorkstationName)\\n| project StartTime, EndTime, EventID, Account, LogonTypeName, SubStatus, Reason, AccountType, Computer, WorkstationName, IpAddress, CountToday, CountPrev7day, Avg7Day = round(CountPrev7day*1.00/7,2), Process\\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), Computer = make_set(Computer,128), IpAddressList = make_set(IpAddress,128), sum(CountToday), sum(CountPrev7day), avg(Avg7Day)\\nby EventID, Account, LogonTypeName, SubStatus, Reason, AccountType, WorkstationName, Process\\n| order by sum_CountToday desc nulls last\\n| extend timestamp = StartTime, NTDomain = tostring(split(Account, \u0027\\\\\\\\\u0027, 0)[0]), Name = tostring(split(Account, \u0027\\\\\\\\\u0027, 1)[0]), HostName = tostring(split(WorkstationName, \u0027.\u0027, 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(WorkstationName, \u0027.\u0027), 1, -1), \u0027.\u0027))\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"NTDomain\",\"columnName\":\"NTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"WorkstationName\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"Process\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Excessive Windows Logon Failures\",\"description\":\"This query identifies user accounts which has over 50 Windows logon failures today and at least 33% of the count of logon failures over the previous 7 days.\",\"lastUpdatedDateUTC\":\"2024-03-13T00:00:00Z\",\"createdDateUTC\":\"2019-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a3c144f9-8051-47d4-ac29-ffb0c312c910\",\"name\":\"a3c144f9-8051-47d4-ac29-ffb0c312c910\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.7\",\"severity\":\"High\",\"query\":\"let SunburstMD5=dynamic([\\\"b91ce2fa41029f6955bff20079468448\\\",\\\"02af7cec58b9a5da1c542b5a32151ba1\\\",\\\"2c4a910a1299cdae2a4e55988a2f102e\\\",\\\"846e27a652a5e1bfbd0ddd38a16dc865\\\",\\\"4f2eb62fa529c0283b28d05ddd311fae\\\"]);\\nlet SupernovaMD5=\\\"56ceb6d0011d87b6e4d7023d7ef85676\\\";\\nDeviceFileEvents\\n| where MD5 in(SunburstMD5) or MD5 in(SupernovaMD5)\\n| extend HashAlgorithm = \\\"MD5\\\"\\n| extend HostName = tostring(split(DeviceName, \\\".\\\")[0]), DomainIndex = toint(indexof(DeviceName, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(DeviceName, DomainIndex + 1), DeviceName)\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DeviceName\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingProcessAccountUpn\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatingProcessAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatingProcessAccountDomain\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"HashAlgorithm\"},{\"identifier\":\"Value\",\"columnName\":\"MD5\"}]}],\"tactics\":[\"Execution\",\"Persistence\",\"InitialAccess\"],\"displayName\":\"SUNBURST and SUPERNOVA backdoor hashes\",\"description\":\"Identifies SolarWinds SUNBURST and SUPERNOVA backdoor file hash IOCs in DeviceFileEvents\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\",\"lastUpdatedDateUTC\":\"2024-04-04T00:00:00Z\",\"createdDateUTC\":\"2022-04-12T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3af9285d-bb98-4a35-ad29-5ea39ba0c628\",\"name\":\"3af9285d-bb98-4a35-ad29-5ea39ba0c628\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.7\",\"severity\":\"Low\",\"query\":\"let threshold = 1; // Modify this threshold value to reduce false positives based on your environment\\nlet aadFunc = (tableName:string){\\ntable(tableName)\\n| where ConditionalAccessStatus == 1 or ConditionalAccessStatus =~ \\\"failure\\\"\\n| mv-apply CAP = parse_json(ConditionalAccessPolicies) on (\\n project ConditionalAccessPoliciesName = CAP.displayName, result = CAP.result\\n | where result =~ \\\"failure\\\"\\n)\\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(Status), LocationDetails = todynamic(LocationDetails)\\n| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\\n| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion)\\n| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\n| extend Status = strcat(StatusCode, \\\": \\\", ResultDescription)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), Status = make_list(Status,10), StatusDetails = make_list(StatusDetails,50), IPAddresses = make_list(IPAddress,100), IPAddressCount = dcount(IPAddress), CorrelationIds = make_list(CorrelationId,100), ConditionalAccessPoliciesName = make_list(ConditionalAccessPoliciesName,100)\\nby UserPrincipalName, UserId, AppDisplayName, tostring(Browser), tostring(OS), City, State, Region, Type\\n| where IPAddressCount \u003e threshold and StatusDetails !has \\\"MFA successfully completed\\\"\\n| mv-expand IPAddresses, Status, StatusDetails, CorrelationIds\\n| extend Status = strcat(Status, \\\" \\\", StatusDetails)\\n| summarize IPAddresses = make_set(IPAddresses,100), Status = make_set(Status,10), CorrelationIds = make_set(CorrelationIds,100), ConditionalAccessPoliciesName = make_set(ConditionalAccessPoliciesName,100)\\nby StartTime, EndTime, UserPrincipalName, UserId, AppDisplayName, tostring(Browser), tostring(OS), City, State, Region, IPAddressCount, Type\\n| extend IPAddressFirst = tostring(IPAddresses[0]), Name = tostring(split(UserPrincipalName, \\\"@\\\")[0]), UPNSuffix = tostring(split(UserPrincipalName, \\\"@\\\")[1])\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"UserId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddressFirst\"}]}],\"tactics\":[\"InitialAccess\",\"Persistence\"],\"displayName\":\"Attempt to bypass conditional access rule in Microsoft Entra ID\",\"description\":\"Identifies an attempt to Bypass conditional access rule(s) in Microsoft Entra ID.\\nThe ConditionalAccessStatus column value details if there was an attempt to bypass Conditional Access or if the Conditional access rule was not satisfied (ConditionalAccessStatus == 1).\\nReferences:\\nhttps://docs.microsoft.com/azure/active-directory/conditional-access/overview\\nhttps://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins\\nhttps://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\nConditionalAccessStatus == 0 // Success\\nConditionalAccessStatus == 1 // Failure\\nConditionalAccessStatus == 2 // Not Applied\\nConditionalAccessStatus == 3 // unknown\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/71d374e0-1cf8-4e50-aecd-ab6c519795c2\",\"name\":\"71d374e0-1cf8-4e50-aecd-ab6c519795c2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Low\",\"query\":\"AzureDevOpsAuditing\\n| where OperationName =~ \\\"Pipelines.PipelineRetentionSettingChanged\\\"\\n| where Data.SettingName in (\\\"PurgeArtifacts\\\", \\\"PurgeRuns\\\")\\n| where Data.NewValue == 1 or Data.NewValue \u003c Data.OldValue/2\\n| project-reorder TimeGenerated, OperationName, ActorUPN, IpAddress, UserAgent, Data\\n| extend timestamp = TimeGenerated\\n| extend AccountName = tostring(split(ActorUPN, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(ActorUPN, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ActorUPN\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure DevOps Retention Reduced\",\"description\":\"AzureDevOps retains items such as run records and produced artifacts for a configurable amount of time. An attacker looking to reduce the footprint left by their malicious activity may look to reduce the retention time for artifacts and runs.\\nThis query will look for where retention has been reduced to the minimum level - 1, or reduced by more than half.\",\"lastUpdatedDateUTC\":\"2024-03-13T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4acd3a04-2fad-4efc-8a4b-51476594cec4\",\"name\":\"4acd3a04-2fad-4efc-8a4b-51476594cec4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.6\",\"severity\":\"Medium\",\"query\":\"let triThreshold = 500;\\nlet startTime = 6h;\\nlet dgaLengthThreshold = 8;\\n// fetch the alexa top 1M domains\\nlet top1M = (externaldata (Position:int, Domain:string) [@\\\"http://s3-us-west-1.amazonaws.com/umbrella-static/top-1m.csv.zip\\\"] with (format=\\\"csv\\\", zipPattern=\\\"*.csv\\\"));\\n// extract tri grams that are above our threshold - i.e. are common\\nlet triBaseline = top1M\\n| extend Domain = tolower(extract(\\\"([^.]*).{0,7}$\\\", 1, Domain))\\n| extend AllTriGrams = array_concat(extract_all(\\\"(...)\\\", Domain), extract_all(\\\"(...)\\\", substring(Domain, 1)), extract_all(\\\"(...)\\\", substring(Domain, 2)))\\n| mvexpand Trigram=AllTriGrams\\n| summarize triCount=count() by tostring(Trigram)\\n| sort by triCount desc\\n| where triCount \u003e triThreshold\\n| distinct Trigram;\\n// collect domain information from common security log, filter and extract the DGA candidate and its trigrams\\nlet allDataSummarized = CommonSecurityLog\\n| where TimeGenerated \u003e ago(startTime)\\n| where isnotempty(DestinationHostName)\\n| extend Name = tolower(DestinationHostName)\\n| distinct Name\\n| where Name has \\\".\\\"\\n| where Name !endswith \\\".home\\\" and Name !endswith \\\".lan\\\"\\n// extract DGA candidate\\n| extend DGADomain = extract(\\\"([^.]*).{0,7}$\\\", 1, Name)\\n| where strlen(DGADomain) \u003e dgaLengthThreshold\\n// throw out domains with number in them\\n| where DGADomain matches regex \\\"^[A-Za-z]{0,}$\\\"\\n// extract the tri grams from summarized data\\n| extend AllTriGrams = array_concat(extract_all(\\\"(...)\\\", DGADomain), extract_all(\\\"(...)\\\", substring(DGADomain, 1)), extract_all(\\\"(...)\\\", substring(DGADomain, 2)));\\n// throw out domains that have repeating tri\u0027s and/or \u003e=3 repeating letters\\nlet nonRepeatingTris = allDataSummarized\\n| join kind=leftanti\\n(\\n allDataSummarized\\n | mvexpand AllTriGrams\\n | summarize count() by tostring(AllTriGrams), DGADomain\\n | where count_ \u003e 1\\n | distinct DGADomain\\n)\\non DGADomain;\\n// find domains that do not have a common tri in the baseline\\nlet dataWithRareTris = nonRepeatingTris\\n| join kind=leftanti\\n(\\n nonRepeatingTris\\n | mvexpand AllTriGrams\\n | extend Trigram = tostring(AllTriGrams)\\n | distinct Trigram, DGADomain\\n | join kind=inner\\n (\\n triBaseline\\n )\\n on Trigram\\n | distinct DGADomain\\n)\\non DGADomain;\\ndataWithRareTris\\n// join DGAs back on connection data\\n| join kind=inner\\n(\\n CommonSecurityLog\\n | where TimeGenerated \u003e ago(startTime)\\n | where isnotempty(DestinationHostName)\\n | extend DestinationHostName = tolower(DestinationHostName)\\n | project-rename Name=DestinationHostName, DataSource=DeviceVendor\\n | summarize StartTime=min(TimeGenerated), EndTime=max(TimeGenerated) by Name, SourceIP, DestinationIP, DataSource\\n)\\non Name\\n| project StartTime, EndTime, Name, DGADomain, SourceIP, DestinationIP, DataSource\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"Name\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Possible contact with a domain generated by a DGA\",\"description\":\"Identifies contacts with domains names in CommonSecurityLog that might have been generated by a Domain Generation Algorithm (DGA). DGAs can be used by malware to generate rendezvous points that are difficult to predict in advance.\\nThis detection uses the Alexa Top 1 million domain names to build a model of what normal domains look like. It uses this to identify domains that may have been randomly generated by an algorithm.\\nThe triThreshold is set to 500 - increase this to report on domains that are less likely to have been randomly generated, decrease it for more likely.\\nThe start time and end time look back over 6 hours of data and the dgaLengthThreshold is set to 8 - meaning domains whose length is 8 or more are reported.\\nNOTE - The top1M csv zip file used in the query is dynamic and may produce different results over various time periods. It\u0027s important to cross-check the events against the entities involved in the incident.\",\"lastUpdatedDateUTC\":\"2024-10-17T00:00:00Z\",\"createdDateUTC\":\"2020-03-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Barracuda\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d7424fd9-abb3-4ded-a723-eebe023aaa0b\",\"name\":\"d7424fd9-abb3-4ded-a723-eebe023aaa0b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"// Administrative roles to look for, default is all admin roles\\nlet roles = dynamic([\\\"Administrator\\\", \\\"Admin\\\"]);\\n// The maximum distances between and invite and acceptance\\nlet maxTimeBetweenInviteAccept = 30min;\\n// The delta (minutes) between the invite being sent and the account being escalated\\nlet deltaBetweenInviteEscalation = 60;\\n// Collect external user invitations\\nlet invite = AuditLogs\\n| where Category =~ \\\"UserManagement\\\"\\n| where OperationName =~ \\\"Invite external user\\\"\\n| extend Target = tostring(TargetResources[0].[\\\"userPrincipalName\\\"])\\n| extend InviteInitiator = tostring(InitiatedBy.[\\\"user\\\"].[\\\"userPrincipalName\\\"])\\n| where isnotempty(InviteInitiator);\\n// Collect redeem events\\nlet redeem = AuditLogs\\n| where Category =~ \\\"UserManagement\\\"\\n| where OperationName =~ \\\"Redeem external user invite\\\"\\n| where Result =~ \\\"success\\\"\\n| extend Target = tostring(TargetResources[0].[\\\"displayName\\\"]) | extend Target = tostring(extract(@\\\"UPN\\\\:\\\\s(.+)\\\\,\\\\sEmail\\\",1,Target))\\n| where isnotempty(Target);\\n// Union the inivtation and redeem data then run the sequence_detect kusto plugin\\ninvite\\n| union redeem\\n| order by TimeGenerated\\n| project TimeGenerated, Target, InviteInitiator, OperationName, TenantId\\n| evaluate sequence_detect(TimeGenerated, maxTimeBetweenInviteAccept, maxTimeBetweenInviteAccept, invite=(OperationName has \\\"Invite external user\\\"), redeem=(OperationName has \\\"Redeem external user invite\\\"), Target)\\n| join kind=innerunique (\\nAuditLogs\\n| where Category =~ \\\"RoleManagement\\\"\\n| where AADOperationType in~ (\\\"Assign\\\", \\\"AssignEligibleRole\\\")\\n| where ActivityDisplayName has_any (\\\"Add eligible member to role\\\", \\\"Add member to role\\\")\\n| mv-expand TargetResources\\n// Limit to external accounts\\n| where TargetResources.userPrincipalName has \\\"EXT\\\"\\n| mv-expand TargetResources.modifiedProperties\\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\\n| where displayName_ =~ \\\"Role.DisplayName\\\"\\n| extend RoleName = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\\n// Perform check for admin roles\\n| where RoleName has_any(roles)\\n| extend InitiatingApp = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n| extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName))\\n| where Initiator != \\\"MS-PIM\\\"\\n| extend Target = tostring(TargetResources.userPrincipalName)\\n| summarize by TimeGenerated, OperationName, RoleName, Target, Initiator, Result\\n) on Target\\n// Calculate delta between the invite and the account escalation\\n| extend delta = datetime_diff(\\\"minute\\\", TimeGenerated, invite_TimeGenerated)\\n| where delta \u003c= deltaBetweenInviteEscalation\\n| project InvitationTime=invite_TimeGenerated, RedeemTime=redeem_TimeGenerated, GrantTime=TimeGenerated, ExternalUser=Target, RoleGranted=RoleName, AdminInitiator=Initiator, MinsBetweenInviteAndEscalation=delta\\n| extend ExternalUserName = tostring(split(ExternalUser, \u0027@\u0027, 0)[0]), ExternalUserUPNSuffix = tostring(split(ExternalUser, \u0027@\u0027, 1)[0])\\n| extend AdminInitiatorName = tostring(split(AdminInitiator, \u0027@\u0027, 0)[0]), AdminInitiatorUPNSuffix = tostring(split(AdminInitiator, \u0027@\u0027, 1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"ExternalUserName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"ExternalUserUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"AdminInitiatorName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AdminInitiatorUPNSuffix\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"New External User Granted Admin Role\",\"description\":\"This query will detect instances where a newly invited external user is granted an administrative role.\\nBy default this query will alert on any granted administrative role, however this can be modified using the roles variable if false positives occur in your environment. The maximum delta between invite and escalation to admin is 60 minues, this can be configured using the deltaBetweenInviteEscalation variable.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-06-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/90586451-7ba8-4c1e-9904-7d1b7c3cc4d6\",\"name\":\"90586451-7ba8-4c1e-9904-7d1b7c3cc4d6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Azure Security Center\",\"severitiesFilter\":[\"Low\",\"Medium\",\"High\"],\"displayName\":\"Create incidents based on Microsoft Defender for Cloud\",\"description\":\"Create incidents based on all alerts generated in Microsoft Defender for Cloud\",\"lastUpdatedDateUTC\":\"2021-07-25T00:00:00Z\",\"createdDateUTC\":\"2019-07-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert (ASC)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/532c1811-79ee-4d9f-8d4d-6304c840daa1\",\"name\":\"532c1811-79ee-4d9f-8d4d-6304c840daa1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Azure Active Directory Identity Protection\",\"displayName\":\"Create incidents based on Azure Active Directory Identity Protection alerts\",\"description\":\"Create incidents based on all alerts generated in Azure Active Directory Identity Protection\",\"lastUpdatedDateUTC\":\"2019-07-16T00:00:00Z\",\"createdDateUTC\":\"2019-07-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectoryIdentityProtection\",\"dataTypes\":[\"SecurityAlert (IPC)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a357535e-f722-4afe-b375-cff362b2b376\",\"name\":\"a357535e-f722-4afe-b375-cff362b2b376\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.6\",\"severity\":\"Medium\",\"query\":\"(union isfuzzy=true\\n(OfficeActivity | where UserAgent != \\\"\\\"),\\n(OfficeActivity\\n| where RecordType in (\\\"AzureActiveDirectory\\\", \\\"AzureActiveDirectoryStsLogon\\\")\\n| extend OperationName = Operation\\n| parse ExtendedProperties with * \u0027User-Agent\\\\\\\\\\\":\\\\\\\\\\\"\u0027 UserAgent2 \u0027\\\\\\\\\u0027 *\\n| parse ExtendedProperties with * \u0027UserAgent\\\", \\\"Value\\\": \\\"\u0027 UserAgent1 \u0027\\\"\u0027 *\\n| where isnotempty(UserAgent1) or isnotempty(UserAgent2)\\n| extend UserAgent = iff( RecordType == \u0027AzureActiveDirectoryStsLogon\u0027, UserAgent1, UserAgent2)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = ClientIP, Account = UserId, Type, RecordType, Operation\\n),\\n(AzureDiagnostics\\n| where ResourceType =~ \\\"APPLICATIONGATEWAYS\\\"\\n| where OperationName =~ \\\"ApplicationGatewayAccess\\\"\\n| extend ClientIP = columnifexists(\\\"clientIP_s\\\", \\\"None\\\"), UserAgent = columnifexists(\\\"userAgent_s\\\", \\\"None\\\")\\n| where UserAgent != \u0027-\u0027\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = ClientIP, requestUri_s, httpMethod_s, host_s, requestQuery_s, Type\\n),\\n(\\nW3CIISLog\\n| where isnotempty(csUserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent = csUserAgent, SourceIP = cIP, Account = csUserName, Type, sSiteName, csMethod, csUriStem\\n),\\n(\\nAWSCloudTrail\\n| where isnotempty(UserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = SourceIpAddress, Account = UserIdentityUserName, Type, EventSource, EventName\\n),\\n(SigninLogs\\n| where isnotempty(UserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = IPAddress, Account = UserPrincipalName, Type, OperationName, tostring(LocationDetails), tostring(DeviceDetail), AppDisplayName, ClientAppUsed\\n),\\n(AADNonInteractiveUserSignInLogs\\n| where isnotempty(UserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = IPAddress, Account = UserPrincipalName, Type, OperationName, tostring(LocationDetails), tostring(DeviceDetail), AppDisplayName, ClientAppUsed\\n)\\n)\\n// Likely artefact of hardcoding\\n| where UserAgent startswith \\\"User\\\" or UserAgent startswith \u0027\\\\\\\"\u0027\\n// Incorrect casing\\nor (UserAgent startswith \\\"Mozilla\\\" and not(UserAgent contains_cs \\\"Mozilla\\\"))\\n// Incorrect casing\\nor UserAgent contains_cs \\\"(Compatible;\\\"\\n// Missing MSIE version\\nor UserAgent matches regex @\\\"MSIE\\\\s?;\\\"\\n// Incorrect spacing around MSIE version\\nor UserAgent matches regex @\\\"MSIE(?:\\\\d|.{1,5}?\\\\d\\\\s;)\\\"\\n| extend AccountName = split(Account, \\\"@\\\")[0], UPNSuffix = split(Account, \\\"@\\\")[1]\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]}],\"tactics\":[\"InitialAccess\",\"CommandAndControl\",\"Execution\"],\"displayName\":\"Malformed user agent\",\"description\":\"Malware authors will sometimes hardcode user agent string values when writing the network communication component of their malware. Malformed user agents can be an indication of such malware.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2019-01-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"WAF\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/56f3f35c-3aca-4437-a1fb-b7a84dc4af00\",\"name\":\"56f3f35c-3aca-4437-a1fb-b7a84dc4af00\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n | where EventID == 4657\\n | parse ObjectName with \\\"\\\\\\\\REGISTRY\\\\\\\\\\\" KeyPrefix \\\"\\\\\\\\\\\" RegistryKey\\n | project-reorder RegistryKey\\n | where RegistryKey has \\\"Software\\\\\\\\Classes\\\\\\\\ms-settings\\\\\\\\shell\\\\\\\\open\\\\\\\\command\\\"\\n | extend TimeKey = bin(TimeGenerated, 1h)\\n | join (\\n SecurityEvent\\n | where EventID == 4688\\n | where Process =~ \\\"fodhelper.exe\\\"\\n | where ParentProcessName endswith \\\"cmd.exe\\\" or ParentProcessName endswith \\\"powershell.exe\\\" or ParentProcessName endswith \\\"powershell_ise.exe\\\"\\n | extend TimeKey = bin(TimeGenerated, 1h)) on TimeKey, Computer\\n | extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n | extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n | extend AccountName = tostring(split(TargetAccount, @\u0027\\\\\u0027)[1]), AccountNTDomain = tostring(split(TargetAccount, @\u0027\\\\\u0027)[0])\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetAccount\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountNTDomain\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Potential Fodhelper UAC Bypass\",\"description\":\"This detection looks for the steps required to conduct a UAC bypass using Fodhelper.exe. By default this detection looks for the setting of the required registry keys and the invoking of the process within 1 hour - this can be tweaked as required.\",\"lastUpdatedDateUTC\":\"2024-03-13T00:00:00Z\",\"createdDateUTC\":\"2022-02-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1cc0ba27-c5ca-411a-a779-fbc89e26be83\",\"name\":\"1cc0ba27-c5ca-411a-a779-fbc89e26be83\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Medium\",\"query\":\"// Filter alerts from specific Microsoft security products with medium and high severity\\nSecurityAlert \\n| where ProductName in (\\\"Microsoft 365 Defender\\\", \\\"Azure Active Directory\\\", \\\"Microsoft Defender Advanced Threat Protection\\\", \\\"Microsoft Cloud App Security\\\", \\\"Azure Active Directory Identity Protection\\\", \\\"Microsoft Defender ATP\\\")\\n| where AlertSeverity has_any (\\\"Medium\\\", \\\"High\\\")\\n// Parse JSON entities and extend AlertTimeGenerated\\n| extend Entities = parse_json(Entities), AlertTimeGenerated=TimeGenerated\\n// Extract and process IP entities\\n| mv-apply Entity = Entities on \\n ( \\n where Entity.Type == \u0027ip\u0027 \\n | extend EntityIp = tostring(Entity.Address) \\n ) \\n// Extract and process account entities\\n| mv-apply Entity = Entities on \\n ( \\n where Entity.Type == \u0027account\u0027 \\n | extend AccountObjectId = tostring(Entity.AadUserId)\\n )\\n// Filter out records with empty EntityIp\\n| where isnotempty(EntityIp)\\n// Summarize data and create sets of entities and system alert IDs\\n| summarize Entitys=make_set(Entity), SystemAlertIds=make_set(SystemAlertId)\\n by \\n AlertName,\\n ProductName,\\n AlertSeverity,\\n EntityIp,\\n Tactics,\\n Techniques,\\n ProviderName,\\n AlertTime= bin(AlertTimeGenerated, 1d),\\n AccountObjectId\\n// Join with GCPAuditLogs for VM instance creation\\n| join kind=inner (\\n GCPAuditLogs\\n | where ServiceName == \\\"compute.googleapis.com\\\" and MethodName endswith \\\"instances.insert\\\"\\n | extend\\n GCPUserUPN= tostring(parse_json(AuthenticationInfo).principalEmail),\\n GCPUserIp = tostring(parse_json(RequestMetadata).callerIp),\\n GCPUserUA= tostring(parse_json(RequestMetadata).callerSuppliedUserAgent),\\n VMStatus = tostring(parse_json(Response).status),\\n VMOperation=tostring(parse_json(Response).operationType),\\n VMName= tostring(parse_json(Request).name),\\n VMType = tostring(split(parse_json(Request).machineType, \\\"/\\\")[-1])\\n | where GCPUserUPN !has \\\"gserviceaccount.com\\\"\\n | where VMOperation == \\\"insert\\\" and isnotempty(GCPUserIp) and GCPUserIp != \\\"private\\\"\\n | project\\n GCPOperationTime=TimeGenerated,\\n VMName,\\n VMStatus,\\n MethodName,\\n GCPUserUPN,\\n ProjectId,\\n GCPUserIp,\\n GCPUserUA,\\n VMOperation,\\n VMType\\n )\\n on $left.EntityIp == $right.GCPUserIp \\n// Join with IdentityInfo to enrich user identity details\\n| join kind=inner (IdentityInfo \\n | distinct AccountObjectId, AccountUPN, JobTitle\\n )\\n on AccountObjectId \\n// Calculate the time difference between the alert and VM creation for further analysis\\n| extend TimeDiff= datetime_diff(\u0027day\u0027, AlertTime, GCPOperationTime),Name = split(GCPUserUPN, \\\"@\\\")[0], UPNSuffix = split(GCPUserUPN, \\\"@\\\")[1]\",\"customDetails\":{\"AlertName\":\"AlertName\",\"AlertProDuctName\":\"ProductName\",\"AlertUserName\":\"AccountUPN\",\"AlertUserObjectId\":\"AccountObjectId\",\"AlertIds\":\"SystemAlertIds\",\"AlertIp\":\"EntityIp\",\"GCPUserAgent\":\"GCPUserUA\",\"GCPVMName\":\"VMName\",\"GCPProjectId\":\"ProjectId\",\"GCPVMType\":\"VMType\",\"CorrelationWith\":\"GCPAuditLogs\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"GCPUserIp\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"GCPUserUPN\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"IP address {{GCPUserIp}} Assocated with {{AlertName}} found in GCP VM creation event by {{GCPUserUPN}}\",\"alertDescriptionFormat\":\"This detection correlates \u0027{{ProductName}}\u0027 Alert IP addresse Entity found in VM instance creation in GCP {{ProjectId}}. It identifies successful compute instance creation, from suspicious IP addresse. By joining these datasets on network entities and IP addresses, it detects unauthorized Initial access attempts across GCP environments.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":\"AlertSeverity\"},\"tactics\":[\"InitialAccess\",\"Execution\",\"Discovery\"],\"displayName\":\"Suspicious VM Instance Creation Activity Detected\",\"description\":\"This detection identifies high-severity alerts across various Microsoft security products, including Microsoft Defender XDR and Microsoft Entra ID, and correlates them with instances of Google Cloud VM creation. It focuses on instances where VMs were created within a short timeframe of high-severity alerts, potentially indicating suspicious activity.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2023-10-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"GCPAuditLogsDefinition\",\"dataTypes\":[\"GCPAuditLogs\"]},{\"connectorId\":\"AzureActiveDirectoryIdentityProtection\",\"dataTypes\":[\"SecurityAlert (IPC)\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"MicrosoftDefenderAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert (MDATP)\"]},{\"connectorId\":\"MicrosoftCloudAppSecurity\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"IdentityInfo\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2441bce9-02e4-407b-8cc7-7d597f38b8b0\",\"name\":\"2441bce9-02e4-407b-8cc7-7d597f38b8b0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.4.3\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h; // Look back 1 hour for AzureActivity logs\\nlet ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators\\n// Fetch threat intelligence indicators related to IP addresses\\nlet IP_Indicators = ThreatIntelligenceIndicator\\n // Filter out indicators without relevant IP address fields\\n | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n | where TimeGenerated \u003e= ago(ioc_lookBack)\\n // Select the IP entity based on availability of different IP fields\\n | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n // Exclude local addresses using the ipv4_is_private operator and filtering out specific address prefixes\\n | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \\\"fe80\\\" and TI_ipEntity !startswith \\\"::\\\" and TI_ipEntity !startswith \\\"127.\\\"\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n | where Active == true and ExpirationDateTime \u003e now();\\n// Perform a join between IP indicators and AzureActivity logs to identify potential malicious activity\\nIP_Indicators\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n AzureActivity | where TimeGenerated \u003e= ago(dt_lookBack)\\n // renaming time column so it is clear the log this came from\\n | extend AzureActivity_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.CallerIpAddress\\n| where AzureActivity_TimeGenerated \u003c ExpirationDateTime\\n| summarize AzureActivity_TimeGenerated = arg_max(AzureActivity_TimeGenerated, *) by IndicatorId, CallerIpAddress\\n| project AzureActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, CallerIpAddress, \\nCaller, OperationNameValue, ActivityStatusValue, CategoryValue, ResourceId, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, Type\\n| extend timestamp = AzureActivity_TimeGenerated\\n| extend Name = iif(Caller has \u0027@\u0027, tostring(split(Caller,\u0027@\u0027,0)[0]), \\\"\\\")\\n| extend UPNSuffix = iif(Caller has \u0027@\u0027, tostring(split(Caller,\u0027@\u0027,1)[0]), \\\"\\\")\\n| extend AadUserId = iif(Caller !has \u0027@\u0027, tostring(Caller), \\\"\\\")\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Caller\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"AadUserId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"CallerIpAddress\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceId\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"TI Map IP Entity to AzureActivity\",\"description\":\"This query maps any IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in AzureActivity.\",\"lastUpdatedDateUTC\":\"2024-07-09T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bda5a2bd-979b-4828-a91f-27c2a5048f7f\",\"name\":\"bda5a2bd-979b-4828-a91f-27c2a5048f7f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT30M\",\"queryPeriod\":\"PT30M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"let lbtime = 30m;\\nlet msgthreshold = 3;\\nlet compressedTypes = dynamic([\u0027zip\u0027, \u0027rar\u0027, \u0027tar\u0027, \u0027x-7z-compressed\u0027]);\\nProofpointPOD\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027outbound\u0027\\n| extend attachedMimeType = todynamic(MsgParts)[0][\u0027detectedMime\u0027]\\n| where attachedMimeType has_any (compressedTypes)\\n| summarize count(), make_set(attachedMimeType) by SrcUserUpn, DstUserUpn\\n| where count_ \u003e msgthreshold\\n| extend AccountCustomEntity = SrcUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"ProofpointPOD - Multiple archived attachments to the same recipient\",\"description\":\"Detects when multiple emails where sent to the same recipient with large archived attachments.\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/adc32a33-1cd6-46f5-8801-e3ed8337885f\",\"name\":\"adc32a33-1cd6-46f5-8801-e3ed8337885f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"// Add any known allowed sources and source locations to the filter below (the NuGet Gallery has been added here as an example).\\nlet allowed_sources = dynamic([\\\"NuGet Gallery\\\"]);\\nlet allowed_locations = dynamic([\\\"https://api.nuget.org/v3/index.json\\\"]);\\nAzureDevOpsAuditing\\n// Look for feeds created or modified at either the organization or project level\\n| where OperationName matches regex \\\"Artifacts.Feed.(Org|Project).Modify\\\"\\n| where Details has \\\"UpstreamSources, added\\\"\\n| extend FeedName = tostring(Data.FeedName)\\n| extend FeedId = tostring(Data.FeedId)\\n| extend UpstreamsAdded = Data.UpstreamsAdded\\n// As multiple feeds may be added expand these out\\n| mv-expand UpstreamsAdded\\n// Only focus on external feeds\\n| where UpstreamsAdded.UpstreamSourceType !~ \\\"internal\\\"\\n| extend SourceLocation = tostring(UpstreamsAdded.Location)\\n| extend SourceName = tostring(UpstreamsAdded.Name)\\n// Exclude sources and locations in the allow list\\n| where SourceLocation !in (allowed_locations) and SourceName !in (allowed_sources)\\n| extend SourceProtocol = tostring(UpstreamsAdded.Protocol)\\n| extend SourceStatus = tostring(UpstreamsAdded.Status)\\n| project-reorder TimeGenerated, OperationName, ScopeDisplayName, ProjectName, FeedName, SourceName, SourceLocation, SourceProtocol, ActorUPN, UserAgent, IpAddress\\n| extend timestamp = TimeGenerated\\n| extend AccountName = tostring(split(ActorUPN, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(ActorUPN, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ActorUPN\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"External Upstream Source Added to Azure DevOps Feed\",\"description\":\"The detection looks for new external sources added to an Azure DevOps feed. An allow list can be customized to explicitly allow known good sources. \\nAn attacker could look to add a malicious feed in order to inject malicious packages into a build pipeline.\",\"lastUpdatedDateUTC\":\"2024-03-13T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ab4b6944-a20d-42ab-8b63-238426525801\",\"name\":\"ab4b6944-a20d-42ab-8b63-238426525801\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"High\",\"query\":\"let domains = dynamic([\\\"incomeupdate.com\\\",\\\"zupertech.com\\\",\\\"databasegalore.com\\\",\\\"panhardware.com\\\",\\\"avsvmcloud.com\\\",\\\"digitalcollege.org\\\",\\\"freescanonline.com\\\",\\\"deftsecurity.com\\\",\\\"thedoccloud.com\\\",\\\"virtualdataserver.com\\\",\\\"lcomputers.com\\\",\\\"webcodez.com\\\",\\\"globalnetworkissues.com\\\",\\\"kubecloud.com\\\",\\\"seobundlekit.com\\\",\\\"solartrackingsystem.net\\\",\\\"virtualwebdata.com\\\"]);\\nlet timeframe = 1h;\\nlet connections = VMConnection \\n | where TimeGenerated \u003e= ago(timeframe)\\n | extend DNSName = set_union(todynamic(RemoteDnsCanonicalNames),todynamic(RemoteDnsQuestions))\\n | mv-expand DNSName\\n | where isnotempty(DNSName)\\n | where DNSName has_any (domains)\\n | extend IPCustomEntity = RemoteIp\\n | summarize TimeGenerated = arg_min(TimeGenerated, *), requests = count() by IPCustomEntity, DNSName = tostring(DNSName), AgentId, Machine, Process;\\nlet processes = VMProcess\\n | where TimeGenerated \u003e= ago(timeframe)\\n | project AgentId, Machine, Process, UserName, UserDomain, ExecutablePath, CommandLine, FirstPid\\n | extend exePathArr = split(ExecutablePath, \\\"\\\\\\\\\\\")\\n | extend DirectoryName = array_strcat(array_slice(exePathArr, 0, array_length(exePathArr) - 2), \\\"\\\\\\\\\\\")\\n | extend Filename = array_strcat(array_slice(exePathArr, array_length(exePathArr) - 1, array_length(exePathArr)), \\\"\\\\\\\\\\\")\\n | project-away exePathArr;\\nlet computers = VMComputer\\n | where TimeGenerated \u003e= ago(timeframe)\\n | project HostCustomEntity = HostName, AzureResourceId = _ResourceId, AgentId, Machine;\\nconnections | join kind = inner (processes) on AgentId, Machine, Process\\n | join kind = inner (computers) on AgentId, Machine\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"DNSName\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"FirstPid\"},{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLine\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Directory\",\"columnName\":\"DirectoryName\"},{\"identifier\":\"Name\",\"columnName\":\"Filename\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"[Deprecated] - Solorigate Domains Found in VM Insights\",\"description\":\"This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft\u0027s Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMProcess\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMComputer\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9f9c1e51-4fb1-4510-a675-c7c2fb32f47e\",\"name\":\"9f9c1e51-4fb1-4510-a675-c7c2fb32f47e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"High\",\"query\":\"let knotweed_sigs = dynamic([\\\"JumplumpDropper\\\", \\\"Jumplump\\\", \\\"Corelump\\\", \\\"Medcerc\\\", \\\"SuspModuleLoad\\\", \\\"Mexlib\\\"]);\\n let mde_data = (DeviceInfo\\n | extend DeviceName = tolower(DeviceName)\\n | join kind=rightouter ( SecurityAlert\\n | where ProviderName =~ \\\"MDATP\\\"\\n | extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n | extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)\\n | where ThreatFamilyName in~ (knotweed_sigs)\\n | extend CompromisedEntity = tolower(CompromisedEntity)\\n ) on $left.DeviceName == $right.CompromisedEntity);\\n let event_data = ( Event\\n | where EventID in (1006, 1009, 1116, 1119)\\n | extend ThreatData = parse_json(tostring(parse_json(tostring(parse_json(tostring(parse_xml(EventData).DataItem)).EventData)).Data))\\n | mv-expand ThreatData\\n | where tostring(ThreatData.[\\\"@Name\\\"]) == \\\"Threat Name\\\"\\n | extend EventData = parse_xml(EventData)\\n | where tostring(ThreatData.[\\\"#text\\\"]) has_any (knotweed_sigs));\\n union mde_data, event_data\\n | extend ThreatName = iif(isnotempty(ThreatName), ThreatName, tostring(ThreatData.[\\\"#text\\\"]))\\n | extend ThreatFamilyName = iif(isnotempty(ThreatFamilyName), ThreatFamilyName, split(tostring(ThreatData.[\\\"#text\\\"]), \\\"/\\\")[-1])\\n | extend TimeGenerated = iif(isnotempty(TimeGenerated), TimeGenerated, TimeGenerated1)\\n | extend DeviceName = iif(isnotempty(DeviceName), DeviceName, Computer)\\n | project-reorder TimeGenerated, CompromisedEntity, ThreatName, ThreatFamilyName\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"DeviceName\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"[Deprecated] - Denim Tsunami AV Detection\",\"description\":\"This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft\u0027s Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2022-07-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceInfo\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c1c66f0b-5531-4a3e-a619-9d2f770ef730\",\"name\":\"c1c66f0b-5531-4a3e-a619-9d2f770ef730\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Medium\",\"query\":\"let auditList =\\nAuditLogs\\n| where TimeGenerated \u003e= ago(14d)\\n| where OperationName =~ \\\"Add member to role completed (PIM activation)\\\"\\n| where Result =~ \\\"success\\\"\\n| extend TargetUserPrincipalName = tostring(TargetResources[2].userPrincipalName)\\n| extend displayName = tostring(TargetResources[0].displayName)\\n| extend displayName2 = tostring(TargetResources[3].displayName)\\n| extend ElevatedRole = iif(displayName =~ \\\"Member\\\", displayName2, displayName)\\n;\\nlet lookbackList = auditList\\n| where TimeGenerated between(ago(14d)..ago(1d))\\n;\\nlet recentList = auditList\\n| where TimeGenerated \u003e ago(1d)\\n;\\nlet newlyElevated = recentList\\n| join kind = leftanti lookbackList on ElevatedRole, TargetUserPrincipalName\\n;\\nnewlyElevated | project Id, AdditionalDetails\\n| mv-expand bagexpansion=array AdditionalDetails\\n| evaluate bag_unpack(AdditionalDetails)\\n| extend key = column_ifexists(\\\"key\\\", \u0027\u0027), value = column_ifexists(\\\"value\\\", \u0027\u0027)\\n| evaluate pivot(key, make_set(value))\\n| extend ipaddr = todynamic(column_ifexists(\\\"ipaddr\\\", \\\"\\\"))\\n| mv-expand ipaddr\\n| project Id, InitiatingIPAddress = tostring(ipaddr)\\n| join kind=rightouter newlyElevated on Id\\n| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n| extend InitiatingIPAddress = iff(isnotempty(tostring(InitiatedBy.user.ipAddress)), tostring(InitiatedBy.user.ipAddress), InitiatingIPAddress)\\n| extend ElevatedBy = iff(isnotempty(InitiatingUserPrincipalName), InitiatingUserPrincipalName, InitiatingAppName)\\n| extend ElevatedUser = TargetUserPrincipalName\\n| extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[1])\\n| extend TargetAccountName = tostring(split(TargetUserPrincipalName, \\\"@\\\")[0]), TargetAccountUPNSuffix = tostring(split(TargetUserPrincipalName, \\\"@\\\")[1])\\n| project-reorder ElevatedUser, ElevatedRole, ResultReason, ElevatedBy, InitiatingUserPrincipalName, InitiatingAadUserId, InitiatingIPAddress, TargetUserPrincipalName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatingAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatingAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"TargetAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"TargetAccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIPAddress\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Account Elevated to New Role\",\"description\":\"Detects an account that is elevated to a new role where that account has not had that role in the last 14 days.\\n Role elevations are a key mechanism for gaining permissions, monitoring which users have which roles, and for anomalies in those roles is useful for finding suspicious activity.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts\",\"lastUpdatedDateUTC\":\"2024-03-14T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e1ce0eab-10d1-4aae-863f-9a383345ba88\",\"name\":\"e1ce0eab-10d1-4aae-863f-9a383345ba88\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.5\",\"severity\":\"Low\",\"query\":\"let threshold = 15;\\nSyslog\\n| where ProcessName =~ \\\"sshd\\\"\\n| where SyslogMessage contains \\\"Failed password for invalid user\\\"\\n| parse kind=relaxed SyslogMessage with * \\\"invalid user \\\" user \\\" from \\\" ip \\\" port\\\" port \\\" ssh2\\\" *\\n// using distinct below as it has been seen that Syslog can duplicate entries depending on implementation\\n| distinct TimeGenerated, Computer, user, ip, port, SyslogMessage, _ResourceId\\n| summarize EventTimes = make_list(TimeGenerated), PerHourCount = count() by bin(TimeGenerated,4h), ip, Computer, user, _ResourceId\\n| where PerHourCount \u003e threshold\\n| mvexpand EventTimes\\n| extend EventTimes = tostring(EventTimes)\\n| summarize StartTime = min(EventTimes), EndTime = max(EventTimes), UserList = make_set(user), ComputerList = make_set(Computer), ResourceIdList = make_set(_ResourceId), sum(PerHourCount) by IPAddress = ip\\n// bringing through single computer and user if array only has 1, otherwise, referencing the column and hashing the ComputerList or UserList so we don\u0027t get accidental entity matches when reviewing alerts\\n| extend HostName = iff(array_length(ComputerList) == 1, tostring(ComputerList[0]), strcat(\\\"SeeComputerListField\\\",\\\"_\\\", tostring(hash(tostring(ComputerList)))))\\n| extend Account = iff(array_length(ComputerList) == 1, tostring(UserList[0]), strcat(\\\"SeeUserListField\\\",\\\"_\\\", tostring(hash(tostring(UserList)))))\\n| extend ResourceId = iff(array_length(ResourceIdList) == 1, tostring(ResourceIdList[0]), strcat(\\\"SeeResourceIdListField\\\",\\\"_\\\", tostring(hash(tostring(ResourceIdList)))))\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"Account\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostName\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceId\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"SSH - Potential Brute Force\",\"description\":\"Identifies an IP address that had 15 failed attempts to sign in via SSH in a 4 hour block during a 24 hour time period.\\n Please note that entity mapping for arrays is not supported, so when there is a single value in an array, we will pull that value from the array as a single string to populate the entity to support entity mapping features within Sentinel. Additionally, if the array is multivalued, we will input a string to indicate this with a unique hash so that matching will not occur.\\n As an example - ComputerList is an array that we check for a single value and write that into the HostName field for use in the entity mapping within Sentinel.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"SyslogAma\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7efc75ce-e2a4-400f-a8b1-283d3b0f2c60\",\"name\":\"7efc75ce-e2a4-400f-a8b1-283d3b0f2c60\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.5\",\"severity\":\"Low\",\"query\":\"let WellKnownLocalSID = \\\"S-1-5-32-5[0-9][0-9]$\\\";\\nlet WellKnownGroupSID = \\\"S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\\\";\\nlet AC_Add =\\n(union isfuzzy=true\\n(SecurityEvent\\n// Event ID related to member addition.\\n| where EventID in (4728, 4732,4756)\\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID\\n| parse EventData with * \u0027\\\"MemberName\\\"\u003e\u0027 * \u0027=\u0027 AccountAdded \\\",OU\\\" *\\n| where isnotempty(AccountAdded)\\n| extend GroupAddedTo = TargetUserName, AddingAccount = Account\\n| extend AccountAdded_GroupAddedTo_AddingAccount = strcat(AccountAdded, \\\"||\\\", GroupAddedTo, \\\"||\\\", AddingAccount )\\n| project AccountAdded_GroupAddedTo_AddingAccount, AccountAddedTime = TimeGenerated\\n),\\n(WindowsEvent\\n// Event ID related to member addition.\\n| where EventID in (4728, 4732,4756)\\n| extend TargetSid = tostring(EventData.TargetSid)\\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID\\n| parse EventData.MemberName with * \u0027\\\"MemberName\\\"\u003e\u0027 * \u0027=\u0027 AccountAdded \\\",OU\\\" *\\n| where isnotempty(AccountAdded)\\n| extend TargetUserName = tostring(EventData.TargetUserName)\\n| extend AddingAccount = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend GroupAddedTo = TargetUserName\\n| extend AccountAdded_GroupAddedTo_AddingAccount = strcat(AccountAdded, \\\"||\\\", GroupAddedTo, \\\"||\\\", AddingAccount )\\n| project AccountAdded_GroupAddedTo_AddingAccount, AccountAddedTime = TimeGenerated\\n)\\n);\\nlet AC_Remove =\\n( union isfuzzy=true\\n(SecurityEvent\\n// Event IDs related to member removal.\\n| where EventID in (4729,4733,4757)\\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID\\n| parse EventData with * \u0027\\\"MemberName\\\"\u003e\u0027 * \u0027=\u0027 AccountRemoved \\\",OU\\\" *\\n| where isnotempty(AccountRemoved)\\n| extend GroupRemovedFrom = TargetUserName, RemovingAccount = Account\\n| extend AccountRemoved_GroupRemovedFrom_RemovingAccount = strcat(AccountRemoved, \\\"||\\\", GroupRemovedFrom, \\\"||\\\", RemovingAccount)\\n| project AccountRemoved_GroupRemovedFrom_RemovingAccount, AccountRemovedTime = TimeGenerated, Computer, AccountRemoved = tolower(AccountRemoved),\\nRemovingAccount, RemovingAccountLogonId = SubjectLogonId, GroupRemovedFrom = TargetUserName, TargetDomainName\\n),\\n(WindowsEvent\\n// Event IDs related to member removal.\\n| where EventID in (4729,4733,4757)\\n| extend TargetSid = tostring(EventData.TargetSid)\\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID\\n| parse EventData.MemberName with * \u0027\\\"MemberName\\\"\u003e\u0027 * \u0027=\u0027 AccountRemoved \\\",OU\\\" *\\n| where isnotempty(AccountRemoved)\\n| extend TargetUserName = tostring(EventData.TargetUserName)\\n| extend RemovingAccount = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend GroupRemovedFrom = TargetUserName\\n| extend AccountRemoved_GroupRemovedFrom_RemovingAccount = strcat(AccountRemoved, \\\"||\\\", GroupRemovedFrom, \\\"||\\\", RemovingAccount)\\n| extend RemovedAccountLogonId= tostring(EventData.SubjectLogonId)\\n| extend TargetDomainName = tostring(EventData.TargetDomainName)\\n| project AccountRemoved_GroupRemovedFrom_RemovingAccount, AccountRemovedTime = TimeGenerated, Computer, AccountRemoved = tolower(AccountRemoved),\\nRemovingAccount, RemovedAccountLogonId, GroupRemovedFrom = TargetUserName, TargetDomainName\\n));\\nAC_Add\\n| join kind = inner AC_Remove \\non $left.AccountAdded_GroupAddedTo_AddingAccount == $right.AccountRemoved_GroupRemovedFrom_RemovingAccount\\n| extend DurationinSecondAfter_Removed = datetime_diff (\u0027second\u0027, AccountRemovedTime, AccountAddedTime)\\n| where DurationinSecondAfter_Removed \u003e 0\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| extend RemovedAccountName = tostring(split(AccountRemoved, @\\\"\\\\\\\")[1]), RemovedAccountNTDomain = tostring(split(AccountRemoved, @\\\"\\\\\\\")[0])\\n| extend RemovingAccountName = tostring(split(RemovingAccount, @\\\"\\\\\\\")[1]), RemovingAccountNTDomain = tostring(split(RemovingAccount, @\\\"\\\\\\\")[0])\\n| project-away DomainIndex\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountRemoved\"},{\"identifier\":\"Name\",\"columnName\":\"RemovedAccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"RemovedAccountNTDomain\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"RemovingAccount\"},{\"identifier\":\"Name\",\"columnName\":\"RemovingAccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"RemovingAccountNTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Account added and removed from privileged groups\",\"description\":\"Identifies accounts that are added to a privileged group and then quickly removed, which could be a sign of compromise.\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2019-04-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/79566f41-df67-4e10-a703-c38a6213afd8\",\"name\":\"79566f41-df67-4e10-a703-c38a6213afd8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n| where OperationName has_any (\\\"Add service principal\\\", \\\"Certificates and secrets management\\\") // captures \\\"Add service principal\\\", \\\"Add service principal credentials\\\", and \\\"Update application - Certificates and secrets management\\\" events\\n| where Result =~ \\\"success\\\"\\n| where tostring(InitiatedBy.user.userPrincipalName) has \\\"@\\\" or tostring(InitiatedBy.app.displayName) has \\\"@\\\"\\n| mv-apply TargetResource = TargetResources on \\n (\\n where TargetResource.type =~ \\\"Application\\\"\\n | extend targetDisplayName = tostring(TargetResource.displayName),\\n targetId = tostring(TargetResource.id),\\n targetType = tostring(TargetResource.type),\\n keyEvents = TargetResource.modifiedProperties\\n )\\n| mv-apply Property = keyEvents on \\n (\\n where Property.displayName =~ \\\"KeyDescription\\\"\\n | extend new_value_set = parse_json(tostring(Property.newValue)),\\n old_value_set = parse_json(tostring(Property.oldValue))\\n )\\n| where old_value_set != \\\"[]\\\"\\n| extend diff = set_difference(new_value_set, old_value_set)\\n| where isnotempty(diff)\\n| parse diff with * \\\"KeyIdentifier=\\\" keyIdentifier:string \\\",KeyType=\\\" keyType:string \\\",KeyUsage=\\\" keyUsage:string \\\",DisplayName=\\\" keyDisplayName:string \\\"]\\\" *\\n| where keyUsage =~ \\\"Verify\\\"\\n| mv-apply AdditionalDetail = AdditionalDetails on \\n (\\n where AdditionalDetail.key =~ \\\"User-Agent\\\"\\n | extend UserAgent = tostring(AdditionalDetail.value)\\n )\\n| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n| extend InitiatingIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\\n// The below line is currently commented out but Microsoft Sentinel users can modify this query to show only Application or only Service Principal events in their environment\\n//| where targetType =~ \\\"Application\\\" // or targetType =~ \\\"ServicePrincipal\\\"\\n| project-away diff, new_value_set, old_value_set\\n| project-reorder TimeGenerated, OperationName, InitiatingAppName, InitiatingAppServicePrincipalId, InitiatingUserPrincipalName, InitiatingAadUserId, InitiatingIpAddress, UserAgent, targetDisplayName, targetId, targetType, keyDisplayName, keyType, keyUsage, keyIdentifier, CorrelationId, TenantId\\n| extend Name = tostring(split(InitiatingUserPrincipalName,\u0027@\u0027,0)[0]), UPNSuffix = tostring(split(InitiatingUserPrincipalName,\u0027@\u0027,1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIpAddress\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAppServicePrincipalId\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"New access credential added to Application or Service Principal\",\"description\":\"This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where a verify KeyCredential was already present for the app.\\nIf a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2024-01-08T00:00:00Z\",\"createdDateUTC\":\"2020-11-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5f0d80db-3415-4265-9d52-8466b7372e3a\",\"name\":\"5f0d80db-3415-4265-9d52-8466b7372e3a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"Medium\",\"query\":\"AzureDevOpsAuditing\\n| where AuthenticationMechanism startswith \\\"PAT\\\"\\n// Look for useragents that include a redenring engine\\n| where UserAgent has_any (\\\"Gecko\\\", \\\"WebKit\\\", \\\"Presto\\\", \\\"Trident\\\", \\\"EdgeHTML\\\", \\\"Blink\\\")\\n| extend AccountName = tostring(split(ActorUPN, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(ActorUPN, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ActorUPN\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Azure DevOps PAT used with Browser\",\"description\":\"Personal Access Tokens (PATs) are used as an alternate password to authenticate into Azure DevOps. PATs are intended for programmatic access use in code or applications. \\nThis can be prone to attacker theft if not adequately secured. This query looks for the use of a PAT in authentication but from a User Agent indicating a browser. \\nThis should not be normal activity and could be an indicator of an attacker using a stolen PAT.\",\"lastUpdatedDateUTC\":\"2024-07-15T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f30a47c1-65fb-42b1-a7f4-00941c12550b\",\"name\":\"f30a47c1-65fb-42b1-a7f4-00941c12550b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.8\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet URLRegex = \\\"((https?|ftp|ldap|wss?|file):\\\\\\\\/\\\\\\\\/(([\\\\\\\\:\\\\\\\\%\\\\\\\\w\\\\\\\\_\\\\\\\\-]+(\\\\\\\\.|@))*((xn--)?[a-zA-Z0-9\\\\\\\\-]+\\\\\\\\.)+(xn--[a-z0-9]+|[A-Za-z]+)|\\\\\\\\d{1,3}\\\\\\\\.\\\\\\\\d{1,3}\\\\\\\\.\\\\\\\\d{1,3}\\\\\\\\.\\\\\\\\d{0,3})[.,:\\\\\\\\w@?^=%\u0026\\\\\\\\/~+#-]*[\\\\\\\\w@?^=%\u0026\\\\\\\\/~+#-])\\\";\\nlet SecurityEvents = materialize(SecurityAlert\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | extend MSTI = case(AlertName has \\\"TI map\\\" and VendorName == \\\"Microsoft\\\" and ProductName == \u0027Azure Sentinel\u0027, true, false)\\n | where MSTI == false\\n // Extract URL from JSON data\\n | mv-expand parse_json(Entities)\\n | where isnotempty(Entities.Url) or isnotempty(Entities.Urls)\\n | extend Url = coalesce(Entities.Url, Entities.Urls)\\n | mv-expand Url\\n | extend Url = tolower(Url)\\n // Extract hostname from JSON data for entity mapping\\n | extend Compromised_Host = tostring(parse_json(ExtendedProperties).[\\\"Compromised Host\\\"])\\n | extend Alert_TimeGenerated = TimeGenerated);\\nlet EventUrls = materialize(SecurityEvents | distinct Url | summarize make_list(Url));\\nThreatIntelligenceIndicator\\n| where isnotempty(Url)\\n| where TimeGenerated \u003e= ago(ioc_lookBack)\\n| extend Url = tolower(Url)\\n| where tolower(Url) in (EventUrls)\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true and ExpirationDateTime \u003e now()\\n| where Description !contains_cs \\\"State: inactive;\\\" and Description !contains_cs \\\"State: falsepos;\\\" \\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (SecurityEvents) on Url\\n| where Alert_TimeGenerated \u003c ExpirationDateTime\\n| summarize Alert_TimeGenerated = arg_max(Alert_TimeGenerated, *) by IndicatorId, AlertName\\n| project timestamp = Alert_TimeGenerated, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, AlertName, AlertSeverity, Description, Url, Compromised_Host\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"Compromised_Host\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"TI Map URL Entity to SecurityAlert Data\",\"description\":\"This query identifies any URL indicators of compromise (IOCs) from threat intelligence (TI) by searching for matches in SecurityAlert data.\",\"lastUpdatedDateUTC\":\"2024-07-09T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftCloudAppSecurity\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4e8238bd-ff4f-4126-a9f6-09b3b6801b3d\",\"name\":\"4e8238bd-ff4f-4126-a9f6-09b3b6801b3d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"High\",\"query\":\"AzureDevOpsAuditing\\n| where OperationName =~ \\\"AuditLog.StreamDisabledByUser\\\"\\n| extend StreamType = tostring(Data.ConsumerType)\\n| project-reorder TimeGenerated, Details, ActorUPN, IpAddress, UserAgent, StreamType\\n| extend timestamp = TimeGenerated\\n| extend AccountName = tostring(split(ActorUPN, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(ActorUPN, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ActorUPN\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure DevOps Audit Stream Disabled\",\"description\":\"Azure DevOps allow for audit logs to be streamed to external storage solutions such as SIEM solutions. An attacker looking to hide malicious Azure DevOps activity from defenders may look to disable data streams before conducting activity and then re-enabling the stream after (so as not to raise data threshold-based alarms). Looking for disabled audit streams can identify this activity, and due to the nature of the action its unlikely to have a high false positive rate.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a1bddaf8-982b-4089-ba9e-6590dfcf80ea\",\"name\":\"a1bddaf8-982b-4089-ba9e-6590dfcf80ea\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"Low\",\"query\":\"let error403_count_threshold=200;\\n_Im_WebSession(eventresultdetails_in=dynamic([\\\"403\\\"]))\\n| extend ParsedUrl=parse_url(Url)\\n| extend UrlHost=tostring(ParsedUrl[\\\"Host\\\"]), UrlSchema=tostring(ParsedUrl[\\\"Schema\\\"])\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), NumberOfErrors = count(), Urls=makeset(Url) by UrlHost, SrcIpAddr\\n| where NumberOfErrors \u003e error403_count_threshold\\n| sort by NumberOfErrors desc\\n| extend Url=tostring(Urls[0])\",\"customDetails\":{\"NumberOfErrors\":\"NumberOfErrors\"},\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Excessive number of HTTP authentication failures from {{SrcIpAddr}\",\"alertDescriptionFormat\":\"A client with address {{SrcIpAddr}} generated a large number of failed authentication HTTP requests. This may indicate a [brute force](https://en.wikipedia.org/wiki/Brute-force_attack) or [credential stuffing](https://en.wikipedia.org/wiki/Credential_stuffing) attack.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"Persistence\",\"CredentialAccess\"],\"displayName\":\"Excessive number of HTTP authentication failures from a source (ASIM Web Session schema)\",\"description\":\"This rule identifies a source that repeatedly fails to authenticate to a web service (HTTP response code 403). This may indicate a [brute force](https://en.wikipedia.org/wiki/Brute-force_attack) or [credential stuffing](https://en.wikipedia.org/wiki/Credential_stuffing) attack.\\nThis rule uses the [Advanced Security Information Model (ASIM)](https://aka.ms/AboutSIM) and supports any web session source that complies with ASIM.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-03-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d714ef62-1a56-4779-804f-91c4158e528d\",\"name\":\"d714ef62-1a56-4779-804f-91c4158e528d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Medium\",\"query\":\"let ImagesList = dynamic ([\\\"sethc.exe\\\",\\\"utilman.exe\\\",\\\"osk.exe\\\",\\\"Magnify.exe\\\",\\\"Narrator.exe\\\",\\\"DisplaySwitch.exe\\\",\\\"AtBroker.exe\\\"]); \\nlet OriginalFileNameList = dynamic ([\\\"sethc.exe\\\",\\\"utilman.exe\\\",\\\"osk.exe\\\",\\\"Magnify.exe\\\",\\\"Narrator.exe\\\",\\\"DisplaySwitch.exe\\\",\\\"AtBroker.exe\\\",\\\"SR.exe\\\",\\\"utilman2.exe\\\",\\\"ScreenMagnifier.exe\\\"]); \\nEvent\\n| where EventLog == \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID==1\\n| parse EventData with * \u0027ProcessId\\\"\u003e\u0027 ProcessId \\\"\u003c\\\" * \u0027Image\\\"\u003e\u0027 Image \\\"\u003c\\\" * \u0027OriginalFileName\\\"\u003e\u0027 OriginalFileName \\\"\u003c\\\" *\\n| where Image has_any (ImagesList) and not (OriginalFileName has_any (OriginalFileNameList))\\n| parse EventData with * \u0027ProcessGuid\\\"\u003e\u0027 ProcessGuid \\\"\u003c\\\" * \u0027Description\\\"\u003e\u0027 Description \\\"\u003c\\\" * \u0027CommandLine\\\"\u003e\u0027 CommandLine \\\"\u003c\\\" * \u0027CurrentDirectory\\\"\u003e\u0027 CurrentDirectory \\\"\u003c\\\" * \u0027User\\\"\u003e\u0027 User \\\"\u003c\\\" * \u0027LogonGuid\\\"\u003e\u0027 LogonGuid \\\"\u003c\\\" * \u0027Hashes\\\"\u003e\u0027 Hashes \\\"\u003c\\\" * \u0027ParentProcessGuid\\\"\u003e\u0027 ParentProcessGuid \\\"\u003c\\\" * \u0027ParentImage\\\"\u003e\u0027 ParentImage \\\"\u003c\\\" * \u0027ParentCommandLine\\\"\u003e\u0027 ParentCommandLine \\\"\u003c\\\" * \u0027ParentUser\\\"\u003e\u0027 ParentUser \\\"\u003c\\\" *\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, User, ParentImage, ParentProcessGuid, ParentCommandLine, ParentUser, Image, ProcessId, ProcessGuid, CommandLine, Description, OriginalFileName, CurrentDirectory, Hashes\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| extend AccountName = tostring(split(User, \\\"\\\\\\\\\\\")[1]), AccountNTDomain = tostring(split(User, \\\"\\\\\\\\\\\")[0])\\n| extend ImageFileName = tostring(split(Image, \\\"\\\\\\\\\\\")[-1])\\n| extend ImageDirectory = replace_string(Image, ImageFileName, \\\"\\\")\\n| project-away DomainIndex\",\"entityMappings\":[{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLine\"},{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessId\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"User\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"ImageFileName\"},{\"identifier\":\"Directory\",\"columnName\":\"ImageDirectory\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Modification of Accessibility Features\",\"description\":\"Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Windows contains accessibility features that may be launched with a key combination before a user has logged in (ex: when the user is on the Windows logon screen). An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.\\nTwo common accessibility programs are C:\\\\Windows\\\\System32\\\\sethc.exe, launched when the shift key is pressed five times and C:\\\\Windows\\\\System32\\\\utilman.exe, launched when the Windows + U key combination is pressed. The sethc.exe program is often referred to as \\\"sticky keys\\\", and has been used by adversaries for unauthenticated access through a remote desktop login screen. [1]\\nRef: https://attack.mitre.org/techniques/T1546/008/\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-03-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f0be259a-34ac-4946-aa15-ca2b115d5feb\",\"name\":\"f0be259a-34ac-4946-aa15-ca2b115d5feb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P2D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"Low\",\"query\":\"let starttime = 2d;\\nlet endtime = 1d;\\nlet TimeDeltaThreshold = 25;\\nlet TotalEventsThreshold = 30;\\nlet MostFrequentTimeDeltaThreshold = 25;\\nlet PercentBeaconThreshold = 80;\\nCommonSecurityLog\\n| where DeviceVendor == \\\"Palo Alto Networks\\\" and Activity == \\\"TRAFFIC\\\"\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where ipv4_is_private(DestinationIP)== false\\n| project TimeGenerated, DeviceName, SourceUserID, SourceIP, SourcePort, DestinationIP, DestinationPort, ReceivedBytes, SentBytes\\n| sort by SourceIP asc,TimeGenerated asc, DestinationIP asc, DestinationPort asc\\n| serialize\\n| extend nextTimeGenerated = next(TimeGenerated, 1), nextSourceIP = next(SourceIP, 1)\\n| extend TimeDeltainSeconds = datetime_diff(\u0027second\u0027,nextTimeGenerated,TimeGenerated)\\n| where SourceIP == nextSourceIP\\n//Whitelisting criteria/ threshold criteria\\n| where TimeDeltainSeconds \u003e TimeDeltaThreshold\\n| summarize count(), sum(ReceivedBytes), sum(SentBytes)\\nby TimeDeltainSeconds, bin(TimeGenerated, 1h), DeviceName, SourceUserID, SourceIP, DestinationIP, DestinationPort\\n| summarize (MostFrequentTimeDeltaCount, MostFrequentTimeDeltainSeconds) = arg_max(count_, TimeDeltainSeconds), TotalEvents=sum(count_), TotalSentBytes = sum(sum_SentBytes), TotalReceivedBytes = sum(sum_ReceivedBytes)\\nby bin(TimeGenerated, 1h), DeviceName, SourceUserID, SourceIP, DestinationIP, DestinationPort\\n| where TotalEvents \u003e TotalEventsThreshold and MostFrequentTimeDeltaCount \u003e MostFrequentTimeDeltaThreshold\\n| extend BeaconPercent = MostFrequentTimeDeltaCount/toreal(TotalEvents) * 100\\n| where BeaconPercent \u003e PercentBeaconThreshold\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIP, AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Palo Alto - potential beaconing detected\",\"description\":\"Identifies beaconing patterns from Palo Alto Network traffic logs based on recurrent timedelta patterns.\\nThe query leverages various KQL functions to calculate time deltas and then compares it with total events observed in a day to find percentage of beaconing.\\nThis outbound beaconing pattern to untrusted public networks should be investigated for any malware callbacks or data exfiltration attempts.\\nReference Blog:\\nhttp://www.austintaylor.io/detect/beaconing/intrusion/detection/system/command/control/flare/elastic/stack/2017/06/10/detect-beaconing-with-flare-elasticsearch-and-intrusion-detection-systems/\\nhttps://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/detect-network-beaconing-via-intra-request-time-delta-patterns/ba-p/779586\",\"lastUpdatedDateUTC\":\"2024-11-07T00:00:00Z\",\"createdDateUTC\":\"2019-05-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CefAma\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6d7214d9-4a28-44df-aafb-0910b9e6ae3e\",\"name\":\"6d7214d9-4a28-44df-aafb-0910b9e6ae3e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.3\",\"severity\":\"Low\",\"query\":\"let match_window = 3m;\\nAzureActivity\\n| where ResourceGroup has \\\"cloud-shell\\\"\\n| where (OperationNameValue =~ \\\"Microsoft.Storage/storageAccounts/listKeys/action\\\")\\n| where ActivityStatusValue =~ \\\"Success\\\"\\n| extend TimeKey = bin(TimeGenerated, match_window), AzureIP = CallerIpAddress\\n| join kind = inner\\n(AzureActivity\\n| where ResourceGroup has \\\"cloud-shell\\\"\\n| where (OperationNameValue =~ \\\"Microsoft.Storage/storageAccounts/write\\\")\\n| extend TimeKey = bin(TimeGenerated, match_window), UserIP = CallerIpAddress\\n) on Caller, TimeKey\\n| summarize count() by TimeKey, Caller, ResourceGroup, SubscriptionId, TenantId, AzureIP, UserIP, HTTPRequest, Type, Properties, CategoryValue, OperationList = strcat(OperationNameValue, \u0027 , \u0027, OperationNameValue1)\\n| extend Name = tostring(split(Caller,\u0027@\u0027,0)[0]), UPNSuffix = tostring(split(Caller,\u0027@\u0027,1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Caller\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"UserIP\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"New CloudShell User\",\"description\":\"Identifies when a user creates an Azure CloudShell for the first time.\\nMonitor this activity to ensure only the expected users are using CloudShell.\",\"lastUpdatedDateUTC\":\"2024-01-08T00:00:00Z\",\"createdDateUTC\":\"2020-12-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/50eb4cbd-188f-44f4-b964-bab84dcdec10\",\"name\":\"50eb4cbd-188f-44f4-b964-bab84dcdec10\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"High\",\"query\":\"let timeframe = 1d;\\nlet time_window = 5m;\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where EventID == 4688\\n| where Process has_any (\\\"java.exe\\\", \\\"javaw.exe\\\") and CommandLine has \\\"SysAidServer\\\" \\n| summarize by ParentProcessName,Process, Account, Computer, CommandLine, timekey= bin(TimeGenerated, time_window), TimeGenerated, SubjectLogonId\\n| join kind=inner(\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where EventID == 4663\\n| where Process has_any (\\\"java.exe\\\", \\\"javaw.exe\\\")\\n| where AccessMask in (\u00270x2\u0027,\u00270x100\u0027, \u00270x10\u0027, \u00270x4\u0027)\\n| where ObjectName endswith \\\".jsp\\\" \\n| summarize by ParentProcessName, Account, Computer, ObjectName, ProcessName, timekey= bin(TimeGenerated, time_window), TimeGenerated, SubjectLogonId)\\n on timekey, Computer, SubjectLogonId\\n),\\n(DeviceFileEvents \\n| where InitiatingProcessFileName has_any (\\\"java.exe\\\", \\\"javaw.exe\\\") \\n| where InitiatingProcessCommandLine has \\\"SysAidServer\\\" \\n| where FileName endswith \\\".jsp\\\" \\n| extend Account = strcat(InitiatingProcessAccountDomain, @\u0027\\\\\u0027, InitiatingProcessAccountName), Computer = DeviceName\\n),\\n(imFileEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where EventType == \\\"FileCreated\\\"\\n| where ActingProcessName has_any (\\\"java.exe\\\", \\\"javaw.exe\\\") \\n| where ActingProcessCommandLine has \\\"SysAidServer\\\" \\n| where FilePath endswith \\\".jsp\\\" \\n| extend Account = ActorUsername, Computer = DvcHostname\\n)\\n)\\n| extend AccountName = tostring(split(Account, @\u0027\\\\\u0027)[1]), AccountNTDomain = tostring(split(Account, @\u0027\\\\\u0027)[0])\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Identify SysAid Server web shell creation\",\"description\":\"This query looks for potential webshell creation by the threat actor Mercury after the sucessful exploitation of SysAid server. \\nReference: https://www.microsoft.com/security/blog/2022/08/25/mercury-leveraging-log4j-2-vulnerabilities-in-unpatched-systems-to-target-israeli-organizations/\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-08-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bb616d82-108f-47d3-9dec-9652ea0d3bf6\",\"name\":\"bb616d82-108f-47d3-9dec-9652ea0d3bf6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"High\",\"query\":\"let queryfrequency = 1h;\\nlet queryperiod = 1d;\\nAuditLogs\\n| where TimeGenerated \u003e ago(queryfrequency)\\n| where OperationName =~ \\\"Delete user\\\"\\n//extend UserPrincipalName = tostring(TargetResources[0].userPrincipalName)\\n| mv-apply TargetResource = TargetResources on \\n (\\n where TargetResource.type == \\\"User\\\"\\n | extend UserPrincipalName = extract(@\u0027([a-f0-9]{32})?(.*)\u0027, 2, tostring(TargetResource.userPrincipalName))\\n )\\n| extend DeletedByUser = tostring(InitiatedBy.user.userPrincipalName), DeletedByIPAddress = tostring(InitiatedBy.user.ipAddress)\\n| extend DeletedByApp = tostring(InitiatedBy.app.displayName)\\n| project Deletion_TimeGenerated = TimeGenerated, UserPrincipalName, DeletedByUser, DeletedByIPAddress, DeletedByApp, Deletion_AdditionalDetails = AdditionalDetails, Deletion_InitiatedBy = InitiatedBy, Deletion_TargetResources = TargetResources\\n| join kind=inner (\\n AuditLogs\\n | where TimeGenerated \u003e ago(queryperiod)\\n | where OperationName =~ \\\"Add user\\\" \\n | mv-apply TargetResource = TargetResources on \\n (\\n where TargetResource.type == \\\"User\\\"\\n | extend UserPrincipalName = trim(@\u0027\\\"\u0027,tostring(TargetResource.userPrincipalName))\\n )\\n | project-rename Creation_TimeGenerated = TimeGenerated\\n) on UserPrincipalName\\n| extend TimeDelta = Deletion_TimeGenerated - Creation_TimeGenerated\\n| where TimeDelta between (time(0s) .. queryperiod)\\n| extend CreatedByUser = tostring(InitiatedBy.user.userPrincipalName), CreatedByIPAddress = tostring(InitiatedBy.user.ipAddress)\\n| extend CreatedByApp = tostring(InitiatedBy.app.displayName)\\n| project Creation_TimeGenerated, Deletion_TimeGenerated, TimeDelta, UserPrincipalName, DeletedByUser, DeletedByIPAddress, DeletedByApp, CreatedByUser, CreatedByIPAddress, CreatedByApp, Creation_AdditionalDetails = AdditionalDetails, Creation_InitiatedBy = InitiatedBy, Creation_TargetResources = TargetResources, Deletion_AdditionalDetails, Deletion_InitiatedBy, Deletion_TargetResources\\n| extend timestamp = Deletion_TimeGenerated, Name = tostring(split(UserPrincipalName,\u0027@\u0027,0)[0]), UPNSuffix = tostring(split(UserPrincipalName,\u0027@\u0027,1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DeletedByIPAddress\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Account Created and Deleted in Short Timeframe\",\"description\":\"Search for user principal name (UPN) events. Look for accounts created and then deleted in under 24 hours. Attackers may create an account for their use, and then remove the account when no longer needed.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#short-lived-account\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/95543d6d-f00d-4193-a63f-4edeefb7ec36\",\"name\":\"95543d6d-f00d-4193-a63f-4edeefb7ec36\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZincOctober2022IOCs.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet domains = (iocs | where Type =~ \\\"domainname\\\"| project IoC);\\nlet IPList = (iocs | where Type =~ \\\"ip\\\"| project IoC);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\nlet useragents = (iocs | where Type =~ \\\"useragent\\\" | project IoC);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where DestinationHostName has_any (domains) or RequestURL has_any (domains) or Message has_any (domains) or SourceIP has_any (IPList) or DestinationIP has_any (IPList)\\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 *\\n| project TimeGenerated, Message, SourceUserID, RequestURL, DestinationHostName, Type, SourceIP, DestinationIP, DNSName\\n| extend timestamp = TimeGenerated, AccountEntity = SourceUserID, UrlEntity = RequestURL , IPEntity = DestinationIP, DNSCustomEntity = DNSName\\n),\\n(DnsEvents\\n| where Name in~ (domains) or IPAddresses has_any (IPList)\\n| project TimeGenerated, Computer, IPAddresses, Name, ClientIP, Type\\n| extend DNSName = Name, Host = Computer\\n| extend timestamp = TimeGenerated, HostEntity = Host, DNSCustomEntity = DNSName, IPEntity = IPAddresses\\n),\\n(VMConnection\\n| where RemoteDnsCanonicalNames has_any (domains) or SourceIp has_any (IPList) or DestinationIp has_any (IPList)\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| project TimeGenerated, Computer, Direction, RemoteDnsCanonicalNames, ProcessName, SourceIp, DestinationIp, DestinationPort, DNSName,BytesSent, BytesReceived, RemoteCountry, Type\\n| extend timestamp = TimeGenerated, IPEntity = DestinationIp, HostEntity = Computer, ProcessEntity = ProcessName, DNSCustomEntity = DNSName\\n),\\n(Event\\n| where Source =~ \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = tostring(EventDetail.[9].[\\\"#text\\\"]), DestinationIP = tostring(EventDetail.[14].[\\\"#text\\\"]), Image = EventDetail.[4].[\\\"#text\\\"]\\n| where SourceIP has_any (IPList) or DestinationIP has_any (IPList)\\n| project TimeGenerated, SourceIP, DestinationIP, Image, UserName, Computer, EventDetail, Type\\n| extend timestamp = TimeGenerated, AccountEntity = UserName, ProcessEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), HostEntity = Computer , IPEntity = DestinationIP\\n), \\n(DeviceNetworkEvents\\n| where RemoteUrl has_any (domains) or RemoteIP has_any (IPList) or InitiatingProcessSHA256 in (sha256Hashes) \\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, LocalIP, Type\\n| extend timestamp = TimeGenerated, IPEntity = RemoteIP, HostEntity = DeviceName, UrlEntity =RemoteUrl\\n),\\n(AzureDiagnostics\\n| where ResourceType =~ \\\"AZUREFIREWALLS\\\"\\n| where Category =~ \\\"AzureFirewallDnsProxy\\\"\\n| project TimeGenerated,Resource, msg_s, Type\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where Request_Name has_any (domains) or ClientIP has_any (IPList)\\n| extend timestamp = TimeGenerated, DNSName = Request_Name, IPEntity = ClientIP\\n),\\n(AzureDiagnostics\\n| where ResourceType =~ \\\"AZUREFIREWALLS\\\"\\n| where Category =~ \\\"AzureFirewallApplicationRule\\\"\\n| project TimeGenerated,Resource, msg_s\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where DestinationHost has_any (domains) or SourceHost has_any (IPList)\\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPEntity = SourceHost\\n),\\n(Event\\n| where Source =~ \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| parse EventDetail with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| extend Image = EventDetail.[4].[\\\"#text\\\"], CommandLine = EventDetail.[10].[\\\"#text\\\"]\\n| where SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256, CommandLine, Image\\n| extend Type = strcat(Type, \\\": \\\", Source)\\n| extend timestamp = TimeGenerated, HostEntity = Computer , AccountEntity = UserName, ProcessEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), AlgorithmEntity = \\\"SHA256\\\", FileHashEntity = SHA256\\n), \\n(DeviceProcessEvents\\n| where InitiatingProcessSHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, FolderPath, Type\\n| extend timestamp = TimeGenerated, HostEntity = DeviceName , AccountEntity = InitiatingProcessAccountName, ProcessEntity = InitiatingProcessFileName, AlgorithmEntity = \\\"SHA256\\\", FileHashEntity = InitiatingProcessSHA256\\n),\\n(DeviceFileEvents\\n| where InitiatingProcessSHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RequestAccountName, RequestSourceIP, InitiatingProcessSHA256, FolderPath, Type\\n| extend timestamp = TimeGenerated, HostEntity = DeviceName , AccountEntity = RequestAccountName, ProcessEntity = InitiatingProcessFileName, AlgorithmEntity = \\\"SHA256\\\", FileHashEntity = InitiatingProcessSHA256\\n),\\n(DeviceEvents\\n| where InitiatingProcessSHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, FolderPath, Type\\n| extend CommandLine = InitiatingProcessCommandLine\\n| extend timestamp = TimeGenerated, HostEntity = DeviceName , AccountEntity = InitiatingProcessAccountName, ProcessEntity = InitiatingProcessFileName, AlgorithmEntity = \\\"SHA256\\\", FileHashEntity = InitiatingProcessSHA256\\n),\\n(OfficeActivity\\n| where ClientIP has_any (IPList) or UserAgent has_any (useragents)\\n| project TimeGenerated, UserAgent, Operation, RecordType, UserId, ClientIP, Type\\n| extend timestamp = TimeGenerated, IPEntity = ClientIP, AccountEntity = UserId\\n)\\n)\\n| extend HostName = tostring(split(HostEntity, \u0027.\u0027, 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(HostEntity, \u0027.\u0027), 1, -1), \u0027.\u0027))\\n| extend Name = tostring(split(AccountEntity, \u0027@\u0027, 0)[0]), UPNSuffix = tostring(split(AccountEntity, \u0027@\u0027, 1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"[Deprecated] - Zinc Actor IOCs domains hashes IPs and useragent - October 2022\",\"description\":\"Use Microsoft\u0027s up-to-date Threat Intelligence solution from the Content Hub to replace the deprecated query with outdated IoCs. Install it from: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2021-07-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoAsaAma\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CefAma\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceFileEvents\",\"DeviceEvents\",\"DeviceProcessEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]},{\"connectorId\":\"WindowsFirewallAma\",\"dataTypes\":[\"WindowsFirewall\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/223db5c1-1bf8-47d8-8806-bed401b356a4\",\"name\":\"223db5c1-1bf8-47d8-8806-bed401b356a4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.7\",\"severity\":\"Low\",\"query\":\"let timeRange = 1d;\\nlet lookBack = 7d;\\nlet threshold_Failed = 5;\\nlet threshold_FailedwithSingleIP = 20;\\nlet threshold_IPAddressCount = 2;\\nlet isGUID = \\\"[0-9a-z]{8}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{12}\\\";\\nlet aadFunc = (tableName:string){\\nlet azPortalSignins = materialize(table(tableName)\\n| where TimeGenerated \u003e= ago(lookBack)\\n// Azure Portal only\\n| where AppDisplayName =~ \\\"Azure Portal\\\")\\n;\\nlet successPortalSignins = azPortalSignins\\n| where TimeGenerated \u003e= ago(timeRange)\\n// Azure Portal only and exclude non-failure Result Types\\n| where ResultType in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n// Tagging identities not resolved to friendly names\\n//| extend Unresolved = iff(Identity matches regex isGUID, true, false)\\n| distinct TimeGenerated, UserPrincipalName\\n;\\nlet failPortalSignins = azPortalSignins\\n| where TimeGenerated \u003e= ago(timeRange)\\n// Azure Portal only and exclude non-failure Result Types\\n| where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\", \\\"70044\\\", \\\"70043\\\")\\n// Tagging identities not resolved to friendly names\\n| extend Unresolved = iff(Identity matches regex isGUID, true, false)\\n;\\n// Verify there is no success for the same connection attempt after the fail\\nlet failnoSuccess = failPortalSignins | join kind= leftouter (\\n successPortalSignins\\n) on UserPrincipalName\\n| where TimeGenerated \u003e TimeGenerated1 or isempty(TimeGenerated1)\\n| project-away TimeGenerated1, UserPrincipalName1\\n;\\n// Lookup up resolved identities from last 7 days\\nlet identityLookup = azPortalSignins\\n| where TimeGenerated \u003e= ago(lookBack)\\n| where not(Identity matches regex isGUID)\\n| summarize by UserId, lu_UserDisplayName = UserDisplayName, lu_UserPrincipalName = UserPrincipalName;\\n// Join resolved names to unresolved list from portal signins\\nlet unresolvedNames = failnoSuccess | where Unresolved == true | join kind= inner (\\n identityLookup\\n) on UserId\\n| extend UserDisplayName = lu_UserDisplayName, UserPrincipalName = lu_UserPrincipalName\\n| project-away lu_UserDisplayName, lu_UserPrincipalName;\\n// Join Signins that had resolved names with list of unresolved that now have a resolved name\\nlet u_azPortalSignins = failnoSuccess | where Unresolved == false | union unresolvedNames;\\nu_azPortalSignins\\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n| extend Status = strcat(ResultType, \\\": \\\", ResultDescription), OS = tostring(DeviceDetail.operatingSystem), Browser = tostring(DeviceDetail.browser)\\n| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion)\\n| extend FullLocation = strcat(Region,\u0027|\u0027, State, \u0027|\u0027, City) \\n| summarize TimeGenerated = make_list(TimeGenerated,100), Status = make_list(Status,100), IPAddresses = make_list(IPAddress,100), IPAddressCount = dcount(IPAddress), FailedLogonCount = count()\\nby UserPrincipalName, UserId, UserDisplayName, AppDisplayName, Browser, OS, FullLocation, Type\\n| mvexpand TimeGenerated, IPAddresses, Status\\n| extend TimeGenerated = todatetime(tostring(TimeGenerated)), IPAddress = tostring(IPAddresses), Status = tostring(Status)\\n| project-away IPAddresses\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserPrincipalName, UserId, UserDisplayName, Status, FailedLogonCount, IPAddress, IPAddressCount, AppDisplayName, Browser, OS, FullLocation, Type\\n| where (IPAddressCount \u003e= threshold_IPAddressCount and FailedLogonCount \u003e= threshold_Failed) or FailedLogonCount \u003e= threshold_FailedwithSingleIP\\n| extend Name = tostring(split(UserPrincipalName,\u0027@\u0027,0)[0]), UPNSuffix = tostring(split(UserPrincipalName,\u0027@\u0027,1)[0])\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Failed login attempts to Azure Portal\",\"description\":\"Identifies failed login attempts in the Microsoft Entra ID SigninLogs to the Azure Portal. Many failed logon attempts or some failed logon attempts from multiple IPs could indicate a potential brute force attack.\\nThe following are excluded due to success and non-failure results:\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n0 - successful logon\\n50125 - Sign-in was interrupted due to a password reset or password registration entry.\\n50140 - This error occurred due to \u0027Keep me signed in\u0027 interrupt when the user was signing-in.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6b652b4f-9810-4eec-9027-7aa88ce4db23\",\"name\":\"6b652b4f-9810-4eec-9027-7aa88ce4db23\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"High\",\"query\":\"(union isfuzzy=true\\n(SecurityEvent\\n| where EventID==4688\\n| where CommandLine has \\\"wmic computersystem get domain\\\" and ParentProcessName has \\\"dllhost.exe\\\"\\n| project TimeGenerated, Computer, Account, AccountDomain, ProcessName, ProcessNameFullPath = NewProcessName, EventID, Activity, CommandLine, EventSourceName, Type\\n),\\n(DeviceProcessEvents \\n| where ProcessCommandLine has \\\"wmic computersystem get domain\\\" and InitiatingProcessFileName =~ \\\"dllhost.exe\\\" and InitiatingProcessCommandLine has \\\"dllhost.exe\\\"\\n| extend Account = strcat(InitiatingProcessAccountDomain, @\u0027\\\\\u0027, InitiatingProcessAccountName), Computer = DeviceName\\n)\\n)\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| extend AccountName = tostring(split(Account, @\u0027\\\\\u0027)[1]), AccountNTDomain = tostring(split(Account, @\u0027\\\\\u0027)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"Discovery\"],\"displayName\":\"Dev-0270 WMIC Discovery\",\"description\":\"The query below identifies dllhost.exe using WMIC to discover additional hosts and associated domains in the environment.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-09-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/910124df-913c-47e3-a7cd-29e1643fa55e\",\"name\":\"910124df-913c-47e3-a7cd-29e1643fa55e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"//Adjust this threshold to fit environment\\nlet signin_threshold = 5;\\n//Make a list of IPs with failed AWS console logins\\nlet aws_fails = AWSCloudTrail\\n| where EventName == \\\"ConsoleLogin\\\"\\n| extend LoginResult = tostring(parse_json(ResponseElements).ConsoleLogin)\\n| where LoginResult != \\\"Success\\\"\\n| where SourceIpAddress != \\\"127.0.0.1\\\"\\n| summarize count() by SourceIpAddress\\n| where count_ \u003e signin_threshold\\n| summarize make_set(SourceIpAddress);\\n//See if any of those IPs have sucessfully logged into Azure AD.\\nSigninLogs\\n| where ResultType in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n| where IPAddress in (aws_fails)\\n| extend Reason = \\\"Multiple failed AWS Console logins from IP address\\\"\\n| extend timestamp = TimeGenerated, AccountName = tostring(split(UserPrincipalName, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(UserPrincipalName, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"UserId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]}],\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"Failed AWS Console logons but success logon to AzureAD\",\"description\":\"Identifies a list of IP addresses with a minimum number (default of 5) of failed logon attempts to AWS Console.\\nUses that list to identify any successful Microsoft Entra ID logons from these IPs within the same timeframe.\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2019-08-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/80733eb7-35b2-45b6-b2b8-3c51df258206\",\"name\":\"80733eb7-35b2-45b6-b2b8-3c51df258206\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Low\",\"query\":\"let DomainList = dynamic([\\\"monerohash.com\\\", \\\"do-dear.com\\\", \\\"xmrminerpro.com\\\", \\\"secumine.net\\\", \\\"xmrpool.com\\\", \\\"minexmr.org\\\", \\\"hashanywhere.com\\\", \\\"xmrget.com\\\",\\n\\\"mininglottery.eu\\\", \\\"minergate.com\\\", \\\"moriaxmr.com\\\", \\\"multipooler.com\\\", \\\"moneropools.com\\\", \\\"xmrpool.eu\\\", \\\"coolmining.club\\\", \\\"supportxmr.com\\\",\\n\\\"minexmr.com\\\", \\\"hashvault.pro\\\", \\\"xmrpool.net\\\", \\\"crypto-pool.fr\\\", \\\"xmr.pt\\\", \\\"miner.rocks\\\", \\\"walpool.com\\\", \\\"herominers.com\\\", \\\"gntl.co.uk\\\", \\\"semipool.com\\\",\\n\\\"coinfoundry.org\\\", \\\"cryptoknight.cc\\\", \\\"fairhash.org\\\", \\\"baikalmine.com\\\", \\\"tubepool.xyz\\\", \\\"fairpool.xyz\\\", \\\"asiapool.io\\\", \\\"coinpoolit.webhop.me\\\", \\\"nanopool.org\\\",\\n\\\"moneropool.com\\\", \\\"miner.center\\\", \\\"prohash.net\\\", \\\"poolto.be\\\", \\\"cryptoescrow.eu\\\", \\\"monerominers.net\\\", \\\"cryptonotepool.org\\\", \\\"extrmepool.org\\\", \\\"webcoin.me\\\",\\n\\\"kippo.eu\\\", \\\"hashinvest.ws\\\", \\\"monero.farm\\\", \\\"supportxmr.com\\\", \\\"xmrpool.eu\\\", \\\"linux-repository-updates.com\\\", \\\"1gh.com\\\", \\\"dwarfpool.com\\\", \\\"hash-to-coins.com\\\",\\n\\\"hashvault.pro\\\", \\\"pool-proxy.com\\\", \\\"hashfor.cash\\\", \\\"fairpool.cloud\\\", \\\"litecoinpool.org\\\", \\\"mineshaft.ml\\\", \\\"abcxyz.stream\\\", \\\"moneropool.ru\\\", \\\"cryptonotepool.org.uk\\\",\\n\\\"extremepool.org\\\", \\\"extremehash.com\\\", \\\"hashinvest.net\\\", \\\"unipool.pro\\\", \\\"crypto-pools.org\\\", \\\"monero.net\\\", \\\"backup-pool.com\\\", \\\"mooo.com\\\", \\\"freeyy.me\\\", \\\"cryptonight.net\\\",\\n\\\"shscrypto.net\\\"]);\\nSyslog\\n| where ProcessName contains \\\"squid\\\"\\n| extend URL = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :]*)\\\",3,SyslogMessage),\\n SourceIP = extract(\\\"([0-9]+ )(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3}))\\\",2,SyslogMessage),\\n Status = extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))\\\",1,SyslogMessage),\\n HTTP_Status_Code = extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))/([0-9]{3})\\\",8,SyslogMessage),\\n User = extract(\\\"(CONNECT |GET )([^ ]* )([^ ]+)\\\",3,SyslogMessage),\\n RemotePort = extract(\\\"(CONNECT |GET )([^ ]*)(:)([0-9]*)\\\",4,SyslogMessage),\\n Domain = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :\\\\\\\\/]*)\\\",3,SyslogMessage),\\n Bytes = toint(extract(\\\"([A-Z]+\\\\\\\\/[0-9]{3} )([0-9]+)\\\",2,SyslogMessage)),\\n contentType = extract(\\\"([a-z/]+$)\\\",1,SyslogMessage)\\n| extend TLD = extract(\\\"\\\\\\\\.[a-z]*$\\\",0,Domain)\\n| where HTTP_Status_Code == \u0027200\u0027\\n| where Domain contains \\\".\\\"\\n| where Domain has_any (DomainList)\\n| extend AccountName = tostring(split(User, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(User, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"User\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URL\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Squid proxy events related to mining pools\",\"description\":\"Checks for Squid proxy events in Syslog associated with common mining pools. This query presumes the default Squid log format is being used.\\n http://www.squid-cache.org/Doc/config/access_log/\",\"lastUpdatedDateUTC\":\"2024-07-25T00:00:00Z\",\"createdDateUTC\":\"2019-07-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"SyslogAma\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9176b18f-a946-42c6-a2f6-0f6d17cd6a8a\",\"name\":\"9176b18f-a946-42c6-a2f6-0f6d17cd6a8a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.5\",\"severity\":\"Medium\",\"query\":\"let triThreshold = 500;\\nlet querystarttime = 6h;\\nlet dgaLengthThreshold = 8;\\n// fetch the cisco umbrella top 1M domains\\nlet top1M = (externaldata (Position:int, Domain:string) [@\\\"http://s3-us-west-1.amazonaws.com/umbrella-static/top-1m.csv.zip\\\"] with (format=\\\"csv\\\", zipPattern=\\\"*.csv\\\"));\\n// extract tri grams that are above our threshold - i.e. are common\\nlet triBaseline = top1M\\n | extend Domain = tolower(extract(\\\"([^.]*).{0,7}$\\\", 1, Domain))\\n | extend AllTriGrams = array_concat(extract_all(\\\"(...)\\\", Domain), extract_all(\\\"(...)\\\", substring(Domain, 1)), extract_all(\\\"(...)\\\", substring(Domain, 2)))\\n | mvexpand Trigram=AllTriGrams to typeof(string)\\n | summarize triCount=count() by Trigram\\n | sort by triCount desc\\n | where triCount \u003e triThreshold\\n | distinct Trigram;\\n// collect domain information from common security log, filter and extract the DGA candidate and its trigrams\\nlet allDataSummarized = _Im_WebSession\\n| where isnotempty(Url)\\n| extend Name = tolower(tostring(parse_url(Url)[\\\"Host\\\"]))\\n| summarize NameCount=count() by Name\\n| where Name has \\\".\\\"\\n| where Name !endswith \\\".home\\\" and Name !endswith \\\".lan\\\"\\n// extract DGA candidate\\n| extend DGADomain = extract(\\\"([^.]*).{0,7}$\\\", 1, Name)\\n| where strlen(DGADomain) \u003e dgaLengthThreshold\\n// throw out domains with number in them\\n| where DGADomain matches regex \\\"^[A-Za-z]{0,}$\\\"\\n// extract the tri grams from summarized data\\n| extend AllTriGrams = array_concat(extract_all(\\\"(...)\\\", DGADomain), extract_all(\\\"(...)\\\", substring(DGADomain, 1)), extract_all(\\\"(...)\\\", substring(DGADomain, 2)));\\n// throw out domains that have repeating tri\u0027s and/or \u003e=3 repeating letters\\nlet nonRepeatingTris = allDataSummarized\\n| join kind=leftanti\\n(\\n allDataSummarized\\n | mvexpand AllTriGrams\\n | summarize count() by tostring(AllTriGrams), DGADomain\\n | where count_ \u003e 1\\n | distinct DGADomain\\n)\\non DGADomain;\\n// find domains that do not have a common tri in the baseline\\nlet dataWithRareTris = nonRepeatingTris\\n| join kind=leftanti\\n(\\n nonRepeatingTris\\n | mvexpand AllTriGrams\\n | extend Trigram = tostring(AllTriGrams)\\n | distinct Trigram, DGADomain\\n | join kind=inner\\n (\\n triBaseline\\n )\\n on Trigram\\n | distinct DGADomain\\n)\\non DGADomain;\\ndataWithRareTris\\n// join DGAs back on connection data\\n| join kind=inner\\n(\\n _Im_WebSession\\n | where isnotempty(Url)\\n | extend Url = tolower(Url)\\n | summarize arg_max(TimeGenerated, EventVendor, SrcIpAddr) by Url\\n | extend Name=tostring(parse_url(Url)[\\\"Host\\\"])\\n | summarize StartTime=min(TimeGenerated), EndTime=max(TimeGenerated) by Name, SrcIpAddr, Url\\n)\\non Name\\n| project StartTime, EndTime, Name, DGADomain, SrcIpAddr, Url, NameCount\",\"customDetails\":{\"DGAPattern\":\"DGADomain\",\"NameCount\":\"NameCount\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Potential communication from {{SrcIpAddr}} with a Domain Generation Algorithm (DGA) based host {{Name}}\",\"alertDescriptionFormat\":\"A client with address {{SrcIpAddr}} communicated with host {{Name}} that have a domain name that might have been generated by a Domain Generation Algorithm (DGA), identified by the pattern {{DGADomain}}. DGAs are used by malware to generate rendezvous points that are difficult to predict in advance. This detection uses the top 1 million domain names to build a model of what normal domains look like and uses the model to identify domains that may have been randomly generated by an algorithm.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Potential communication with a Domain Generation Algorithm (DGA) based hostname (ASIM Web Session schema)\",\"description\":\"This rule identifies communication with hosts that have a domain name that might have been generated by a Domain Generation Algorithm (DGA).\\nDGAs are used by malware to generate rendezvous points that are difficult to predict in advance. This detection uses the top 1 million domain names to build a model of what normal domains look like nad uses the model to identify domains that may have been randomly generated by an algorithm. You can modify the triThreshold and dgaLengthThreshold query parameters to change Analytic Rule sensitivity. The higher the numbers, the less noisy the rule is.\\n This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema)\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2021-12-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b725d62c-eb77-42ff-96f6-bdc6745fc6e0\",\"name\":\"b725d62c-eb77-42ff-96f6-bdc6745fc6e0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"Low\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nlet UserAgentAll =\\n(union isfuzzy=true\\n(OfficeActivity\\n| where TimeGenerated \u003e= ago(starttime)\\n| where isnotempty(UserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = ClientIP, Account = UserId, Type, RecordType, Operation\\n),\\n(\\nW3CIISLog\\n| where TimeGenerated \u003e= ago(starttime)\\n| where isnotempty(csUserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent = csUserAgent, SourceIP = cIP, Account = csUserName, Type, sSiteName, csMethod, csUriStem\\n),\\n(\\nAWSCloudTrail\\n| where TimeGenerated \u003e= ago(starttime)\\n| where isnotempty(UserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = SourceIpAddress, Account = UserIdentityUserName, Type, EventSource, EventName\\n))\\n// remove wordSize blocks of non-numeric hex characters prior to word extraction\\n| extend UserAgentNoHexAlphas = replace(\\\"([A-Fa-f]{4,})\\\", \\\"x\\\", UserAgent)\\n// once blocks of hex chars are removed, extract wordSize blocks of a-z\\n| extend Tokens = extract_all(\\\"([A-Za-z]{4,})\\\", UserAgentNoHexAlphas)\\n// concatenate extracted words to create a summarized user agent for baseline and comparison\\n| extend NormalizedUserAgent = strcat_array(Tokens, \\\"|\\\")\\n| project-away UserAgentNoHexAlphas, Tokens;\\nUserAgentAll\\n| where StartTime \u003e= ago(endtime)\\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), count() by UserAgent, NormalizedUserAgent, SourceIP, Account, Type, RecordType, Operation, EventSource, EventName, sSiteName, csMethod, csUriStem\\n| join kind=leftanti\\n(\\nUserAgentAll\\n| where StartTime \u003c ago(endtime)\\n| summarize by NormalizedUserAgent, SourceIP, Account, Type, RecordType, Operation, EventSource, EventName, sSiteName, csMethod, csUriStem\\n)\\non NormalizedUserAgent\\n| extend timestamp = StartTime\\n| extend Name = tostring(split(Account, \u0027@\u0027, 0)[0]), UPNSuffix = tostring(split(Account, \u0027@\u0027, 1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]}],\"tactics\":[\"InitialAccess\",\"CommandAndControl\",\"Execution\"],\"displayName\":\"New UserAgent observed in last 24 hours\",\"description\":\"Identifies new UserAgents observed in the last 24 hours versus the previous 14 days. This detection extracts words from user agents to build the baseline and determine rareity rather than perform a direct comparison. This avoids FPs caused by version numbers and other high entropy user agent components.\\nThese new UserAgents could be benign. However, in normally stable environments, these new UserAgents could provide a starting point for investigating malicious activity.\\nNote: W3CIISLog can be noisy depending on the environment, however OfficeActivity and AWSCloudTrail are usually stable with low numbers of detections.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2019-04-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6e95aef3-a1e0-4063-8e74-cd59aa59f245\",\"name\":\"6e95aef3-a1e0-4063-8e74-cd59aa59f245\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"AzureActivity\\n| where OperationNameValue =~ \\\"MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/DELETE\\\"\\n| summarize\\n TimeGenerated = arg_max(TimeGenerated, Properties),\\n ActivityStatusValue = make_set(ActivityStatusValue, 5),\\n take_any(Caller, CallerIpAddress, OperationName, ResourceGroup, Resource)\\n by CorrelationId, _ResourceId, OperationNameValue\\n| extend ResourceHierarchy = split(_ResourceId, \\\"/\\\")\\n| extend MonitoredResourcePath = strcat_array(array_slice(ResourceHierarchy, 0, array_length(ResourceHierarchy)-5), \\\"/\\\")\\n| join kind=leftanti (\\n AzureActivity\\n | where OperationNameValue !~ \\\"MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/DELETE\\\" and OperationNameValue endswith \\\"/DELETE\\\" and ActivityStatusValue has_any (\\\"Success\\\", \\\"Succeeded\\\")\\n | project _ResourceId\\n) on $left.MonitoredResourcePath == $right._ResourceId\\n| extend\\n Name = iif(Caller has \\\"@\\\", tostring(split(Caller, \\\"@\\\")[0]), \\\"\\\"),\\n UPNSuffix = iif(Caller has \\\"@\\\", tostring(split(Caller, \\\"@\\\")[1]), \\\"\\\"),\\n AadUserId = iif(Caller has \\\"@\\\", \\\"\\\", Caller)\\n| project TimeGenerated, Caller, CallerIpAddress, OperationNameValue, OperationName, ActivityStatusValue, ResourceGroup, MonitoredResourcePath, Resource, Properties, Name, UPNSuffix, AadUserId, _ResourceId, CorrelationId\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Caller\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"AadUserId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"CallerIpAddress\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure Diagnostic settings removed from a resource\",\"description\":\"This query looks for diagnostic settings that are removed from a resource.\\nThis could indicate an attacker or malicious internal trying to evade detection before malicious act is performed.\\nIf the diagnostic settings are being deleted as part of a parent resource deletion, the event is ignores.\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2022-06-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3ff0fffb-d963-40c0-b235-3404f915add7\",\"name\":\"3ff0fffb-d963-40c0-b235-3404f915add7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"GitHubAuditData\\n| where Action == \\\"org.disable_two_factor_requirement\\\"\\n| project TimeGenerated, Action, Actor, Country, Repository\\n| extend Name = iif(Actor contains \\\"@\\\", split(Actor, \\\"@\\\")[0], Actor)\\n| extend UPNSuffix = iif(Actor contains \\\"@\\\", split(Actor, \\\"@\\\")[1], \\\"\\\")\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Actor\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"GitHub Two Factor Auth Disable\",\"description\":\"Two-factor authentication is a process where a user is prompted during the sign-in process for an additional form of identification, such as to enter a code on their cellphone or to provide a fingerprint scan. Two factor authentication reduces the risk of account takeover. Attacker will want to disable such security tools in order to go undetected. \",\"lastUpdatedDateUTC\":\"2024-03-14T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/825991eb-ea39-4590-9de2-ee97ef42eb93\",\"name\":\"825991eb-ea39-4590-9de2-ee97ef42eb93\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ActiniumIOC.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet domains = (iocs | where Type =~ \\\"domainname\\\"| project IoC);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\n(union isfuzzy=true\\n(DeviceProcessEvents\\n| where InitiatingProcessSHA256 in (sha256Hashes) or SHA256 in (sha256Hashes) or (ProcessCommandLine has (\u0027schtasks.exe /CREATE /sc minute /mo 12 /tn\u0027) and ProcessCommandLine has (\u0027/tr \\\"wscript.exe\u0027) and ProcessCommandLine has (\u0027\\\"%PUBLIC%\\\\\\\\Pictures\\\\\\\\\u0027) and ProcessCommandLine has (\u0027//e:VBScript //b\\\" /F\u0027)) or (ProcessCommandLine has (\u0027wscript.exe C:\\\\\\\\Users\\\\\\\\\u0027) and ProcessCommandLine has (\u0027.wav\u0027) and ProcessCommandLine has (\u0027//e:VBScript //b\u0027) \\nor (ProcessCommandLine has_all (\\\"schtasks.exe\\\", \\\"create\\\", \\\"wscript\\\", \\\"e:vbscript\\\", \\\".wav\\\")))\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, ProcessCommandLine, InitiatingProcessAccountName, InitiatingProcessCommandLine, FolderPath, InitiatingProcessFolderPath, ProcessId, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type, AccountName, SHA256, FileName\\n| extend Account = AccountName, Computer = DeviceName, FileHash = case(InitiatingProcessSHA256 in (sha256Hashes), \\\"InitiatingProcessSHA256\\\", SHA256 in (sha256Hashes), \\\"SHA256\\\", \\\"No Match\\\")\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = FileName, FileHashCustomEntity = case(FileHash == \\\"InitiatingProcessSHA256\\\", InitiatingProcessSHA256, FileHash == \\\"SHA256\\\", SHA256, \\\"No Match\\\"), AlgorithmCustomEntity = \\\"SHA256\\\"\\n),\\n( SecurityEvent\\n| where EventID == 4688\\n| where (CommandLine has (\u0027schtasks.exe /CREATE /sc minute /mo 12 /tn\u0027) and CommandLine has (\u0027/tr \\\"wscript.exe\u0027) and CommandLine has (\u0027\\\"%PUBLIC%\\\\\\\\Pictures\\\\\\\\\u0027) and CommandLine has (\u0027//e:VBScript //b\\\" /F\u0027)) or (CommandLine has (\u0027wscript.exe C:\\\\\\\\Users\\\\\\\\\u0027) and CommandLine has (\u0027.wav\u0027) and CommandLine has (\u0027//e:VBScript //b\u0027))\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type, EventID\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName\\n),\\n( CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, SourceUserID, FileHash, Type\\n| extend timestamp = TimeGenerated, FileHashCustomEntity = FileHash, Account = SourceUserID, AlgorithmCustomEntity = \\\"SHA256\\\"\\n),\\n( imFileEvent\\n| where Hash in~ (sha256Hashes) or (ActingProcessCommandLine has (\u0027schtasks.exe /CREATE /sc minute /mo 12 /tn\u0027) and ActingProcessCommandLine has (\u0027/tr \\\"wscript.exe\u0027) and ActingProcessCommandLine has (\u0027\\\"%PUBLIC%\\\\\\\\Pictures\\\\\\\\\u0027) and ActingProcessCommandLine has (\u0027//e:VBScript //b\\\" /F\u0027)) or (ActingProcessCommandLine has (\u0027wscript.exe C:\\\\\\\\Users\\\\\\\\\u0027) and ActingProcessCommandLine has (\u0027.wav\u0027) and ActingProcessCommandLine has (\u0027//e:VBScript //b\u0027) \\n or (ActingProcessCommandLine has_all (\\\"schtasks.exe\\\", \\\"create\\\", \\\"wscript\\\", \\\"e:vbscript\\\", \\\".wav\\\")))\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = Hash\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, FileHashCustomEntity = FileHash, AlgorithmCustomEntity = \\\"SHA256\\\"\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Image = EventDetail.[4].[\\\"#text\\\"], CommandLine = EventDetail.[10].[\\\"#text\\\"], Hashes = tostring(EventDetail.[17].[\\\"#text\\\"])\\n| extend Hashes = extract_all(@\\\"(?P\u003ckey\u003e\\\\w+)=(?P\u003cvalue\u003e[a-zA-Z0-9]+)\\\", dynamic([\\\"key\\\",\\\"value\\\"]), Hashes)\\n| extend Hashes = column_ifexists(\\\"Hashes\\\", \\\"\\\"), CommandLine = column_ifexists(\\\"CommandLine\\\", \\\"\\\")\\n| extend Hashes = todynamic(Hashes) | mv-expand Hashes\\n| where (Hashes[0] =~ \\\"SHA256\\\" and Hashes[1] has_any (sha256Hashes)) or (CommandLine has (\u0027schtasks.exe /CREATE /sc minute /mo 12 /tn\u0027) and CommandLine has (\u0027/tr \\\"wscript.exe\u0027) and CommandLine has (\u0027\\\"%PUBLIC%\\\\\\\\Pictures\\\\\\\\\u0027) and CommandLine has (\u0027//e:VBScript //b\\\" /F\u0027)) or (CommandLine has (\u0027wscript.exe C:\\\\\\\\Users\\\\\\\\\u0027) and CommandLine has (\u0027.wav\u0027) and CommandLine has (\u0027//e:VBScript //b\u0027) or (CommandLine has_all (\\\"schtasks.exe\\\", \\\"create\\\", \\\"wscript\\\", \\\"e:vbscript\\\", \\\".wav\\\")))\\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, Hashes, CommandLine, Image\\n| extend Type = strcat(Type, \\\": \\\", Source)\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), FileHashCustomEntity = tostring(Hashes[1]), AlgorithmCustomEntity = \\\"SHA256\\\"\\n),\\n(DnsEvents\\n| where Name in~ (domains) \\n| project TimeGenerated, Computer, IPAddresses, Name, ClientIP, Type\\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Computer \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress\\n),\\n(VMConnection\\n| where RemoteDnsCanonicalNames has_any (domains)\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| project TimeGenerated, Computer, Direction, ProcessName, SourceIp, DestinationIp, DestinationPort, RemoteDnsQuestions, DNSName,BytesSent, BytesReceived, RemoteCountry, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIp, File = ProcessName\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| project TimeGenerated,Resource, msg_s, Type\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (domains) \\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| project TimeGenerated,Resource, msg_s, Type\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where Request_Name has_any (domains)\\n| extend timestamp = TimeGenerated, DNSName = Request_Name, IPCustomEntity = ClientIP\\n),\\n(AZFWApplicationRule\\n| where isnotempty(Fqdn)\\n| where Fqdn has_any (domains) \\n| extend timestamp = TimeGenerated, DNSName = Fqdn, IPCustomEntity = SourceIp\\n),\\n(AZFWDnsQuery\\n| where isnotempty(QueryName)\\n| where QueryName has_any (domains)\\n| extend timestamp = TimeGenerated, DNSName = QueryName, IPCustomEntity = SourceIp\\n),\\n(DeviceNetworkEvents \\n| where isnotempty(RemoteUrl) \\n| where RemoteUrl in~ (domains) \\n| project Type, TimeGenerated, DeviceName, RemoteIP, RemoteUrl, InitiatingProcessAccountName\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, DNSName = RemoteUrl, IPCustomEntity = RemoteIP\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"[Deprecated] - Aqua Blizzard Actor IOCs - Feb 2022\",\"description\":\"This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft\u0027s Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2022-02-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceProcessEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\",\"AZFWApplicationRule\",\"AZFWDnsQuery\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d0c82b7f-40b2-4180-a4d6-7aa0541b7599\",\"name\":\"d0c82b7f-40b2-4180-a4d6-7aa0541b7599\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"let threshold = 3;\\nPulseConnectSecure\\n| where Messages contains \\\"Unauthenticated request url /dana-na/\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by Source_IP\\n| where count_ \u003e threshold\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"Source_IP\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"PulseConnectSecure - CVE-2021-22893 Possible Pulse Connect Secure RCE Vulnerability Attack\",\"description\":\"This query identifies exploitation attempts using Pulse Connect Secure(PCS) vulnerability (CVE-2021-22893) to the VPN server\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-05-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PulseConnectSecure\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d99cf5c3-d660-436c-895b-8a8f8448da23\",\"name\":\"d99cf5c3-d660-436c-895b-8a8f8448da23\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.4\",\"severity\":\"Medium\",\"query\":\"let riskScoreCutoff = 3; //Adjust this score threshold based on volume of results. Activities identified as the most abnormal receive the highest scores (on a scale of 0-10)\\nSigninLogs\\n| where ResultType == 500121\\n| extend additionalDetails_ = tostring(Status.additionalDetails)\\n| extend UserPrincipalName = tolower(UserPrincipalName)\\n| where additionalDetails_ =~ \\\"MFA denied; user declined the authentication\\\" or additionalDetails_ has \\\"fraud\\\"\\n| summarize StartTime = min(TimeGenerated), EndTIme = max(TimeGenerated) by UserPrincipalName, UserId, AADTenantId, FailedIPAddress = IPAddress\\n| extend Name = tostring(split(UserPrincipalName,\u0027@\u0027,0)[0]), UPNSuffix = tostring(split(UserPrincipalName,\u0027@\u0027,1)[0])\\n| join kind=leftouter (\\n IdentityInfo\\n | summarize LatestReportTime = arg_max(TimeGenerated, *) by AccountUPN\\n | project AccountUPN, Tags, JobTitle, GroupMembership, AssignedRoles, UserType, IsAccountEnabled\\n | summarize\\n Tags = make_set(Tags, 1000),\\n GroupMembership = make_set(GroupMembership, 1000),\\n AssignedRoles = make_set(AssignedRoles, 1000),\\n UserType = make_set(UserType, 1000),\\n UserAccountControl = make_set(UserType, 1000)\\n by AccountUPN\\n | extend UserPrincipalName=tolower(AccountUPN)\\n) on UserPrincipalName\\n//Below it will be joined with BehaviorAnalytics table to the Failed IP Addresses\\n| join kind=leftouter (\\n BehaviorAnalytics\\n | where ActivityType in (\\\"FailedLogOn\\\", \\\"LogOn\\\")\\n | where isnotempty(SourceIPAddress)\\n | project UsersInsights, DevicesInsights, ActivityInsights, InvestigationPriority, SourceIPAddress, UserName\\n | project-rename FailedIPAddress = SourceIPAddress, Name = UserName\\n | summarize\\n MaxInvestigationScore = max(InvestigationPriority) // Only retrieve maximum Investigation Property score for both FailedIP and User\\n by FailedIPAddress, Name)\\non FailedIPAddress, Name // Joining on both IP and User so as to only return context associated with same user\\n| extend UEBARiskScore = MaxInvestigationScore\\n| project-away *1 // removing duplicate columns post outer join from output\\n| where UEBARiskScore \u003e riskScoreCutoff\\n| sort by UEBARiskScore desc\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"UserId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"FailedIPAddress\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"MFA Rejected by User\",\"description\":\"Identifies occurances where a user has rejected an MFA prompt. This could be an indicator that a threat actor has compromised the username and password of this user account and is using it to try and log into the account.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\\nThis query has also been updated to include UEBA logs IdentityInfo and BehaviorAnalytics for contextual information around the results. \\nPlease note, MFA Failed logons from known IP ranges can be benign depending on the conditional access policies. In case of noisy behavior, consider tuning the source IP ranges or location filter after careful consideration\",\"lastUpdatedDateUTC\":\"2024-12-17T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"BehaviorAnalytics\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"IdentityInfo\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/caf78b95-d886-4ac3-957a-a7a3691ff4ed\",\"name\":\"caf78b95-d886-4ac3-957a-a7a3691ff4ed\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT12H\",\"queryPeriod\":\"PT12H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Tarrask.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, SourceUserID, FileHash, Type\\n| extend timestamp = TimeGenerated, FileHashCustomEntity = FileHash, Account = SourceUserID\\n),\\n(imFileEvent\\n| where TargetFileSHA256 has_any (sha256Hashes)\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHashCustomEntity = FileHash\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Image = EventDetail.[4].[\\\"#text\\\"], CommandLine = EventDetail.[10].[\\\"#text\\\"], Hashes = tostring(EventDetail.[17].[\\\"#text\\\"])\\n| extend Hashes = extract_all(@\\\"(?P\u003ckey\u003e\\\\w+)=(?P\u003cvalue\u003e[a-zA-Z0-9]+)\\\", dynamic([\\\"key\\\",\\\"value\\\"]), Hashes)\\n| extend Hashes = column_ifexists(\\\"Hashes\\\", \\\"\\\"), CommandLine = column_ifexists(\\\"CommandLine\\\", \\\"\\\")\\n| extend Hashes = todynamic(Hashes) | mv-expand Hashes\\n| where Hashes[0] =~ \\\"SHA256\\\" and Hashes[1] has_any (sha256Hashes) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, Hashes, CommandLine, Image\\n| extend Type = strcat(Type, \\\": \\\", Source)\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), FileHashCustomEntity = tostring(Hashes[1])\\n),\\n(DeviceEvents\\n| where InitiatingProcessSHA256 has_any (sha256Hashes) or SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n),\\n(DeviceFileEvents\\n| where SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n),\\n(DeviceImageLoadEvents\\n| where SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"[Deprecated] - Tarrask malware IOC - April 2022\",\"description\":\"This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft\u0027s Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2022-01-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\",\"DeviceEvents\",\"DeviceImageLoadEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/155e9134-d5ad-4a6f-88f3-99c220040b66\",\"name\":\"155e9134-d5ad-4a6f-88f3-99c220040b66\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.7\",\"severity\":\"Medium\",\"query\":\"// Set the lookback to determine if user has created pipelines before\\nlet timeback = 14d;\\n// Set the period for detections\\nlet timeframe = 1d;\\n// Get a list of previous Release Pipeline creators to exclude\\nlet releaseusers = AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeback) and TimeGenerated \u003c ago(timeframe)\\n| where OperationName in (\\\"Release.ReleasePipelineCreated\\\", \\\"Release.ReleasePipelineModified\\\")\\n// We want to look for users performing actions in specific projects so we create this userscope object to match on\\n| extend UserScope = strcat(ActorUserId, \\\"-\\\", ProjectName)\\n| summarize by UserScope;\\n// Get Release Pipeline creations by new users\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeframe)\\n| where OperationName =~ \\\"Release.ReleasePipelineModified\\\"\\n| extend UserScope = strcat(ActorUserId, \\\"-\\\", ProjectName)\\n| where UserScope !in (releaseusers)\\n| extend ActorUPN = tolower(ActorUPN)\\n| project-away Id, ActivityId, ActorCUID, ScopeId, ProjectId, TenantId, SourceSystem, UserScope\\n// See if any of these users have Azure AD alerts associated with them in the same timeframe\\n| join kind = leftouter (\\nSecurityAlert\\n| where TimeGenerated \u003e ago(timeframe)\\n| where ProviderName == \\\"IPC\\\"\\n| extend AadUserId = tostring(parse_json(Entities)[0].AadUserId)\\n| summarize Alerts=count() by AadUserId) on $left.ActorUserId == $right.AadUserId\\n| extend Alerts = iif(isnotempty(Alerts), Alerts, 0)\\n// Uncomment the line below to only show results where the user as AADIdP alerts\\n//| where Alerts \u003e 0\\n| extend timestamp = TimeGenerated\\n| extend AccountName = tostring(split(ActorUPN, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(ActorUPN, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ActorUPN\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]}],\"tactics\":[\"Execution\",\"DefenseEvasion\"],\"displayName\":\"Azure DevOps Pipeline modified by a new user\",\"description\":\"There are several potential pipeline steps that could be modified by an attacker to inject malicious code into the build cycle. A likely attacker path is the modification to an existing pipeline that they have access to. \\nThis detection looks for users modifying a pipeline when they have not previously been observed modifying or creating that pipeline before. This query also joins events with data to Microsoft Entra ID Protection in order to show if the user conducting the action has any associated Microsoft Entra ID Protection alerts. You can also choose to filter this detection to only alert when the user also has Microsoft Entra ID Protection alerts associated with them.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b7643904-5081-4920-917e-a559ddc3448f\",\"name\":\"b7643904-5081-4920-917e-a559ddc3448f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"let Threshold = 1;\\nAzureDiagnostics\\n| where Category =~ \\\"FrontDoorWebApplicationFirewallLog\\\"\\n| where action_s =~ \\\"AnomalyScoring\\\"\\n| where details_msg_s has \\\"XSS\\\"\\n| parse details_data_s with MessageText \\\"Matched Data:\\\" MatchedData \\\"AND \\\" * \\\"table_name FROM \\\" TableName \\\" \\\" *\\n| project trackingReference_s, host_s, requestUri_s, TimeGenerated, clientIP_s, details_matches_s, details_msg_s, details_data_s, TableName, MatchedData\\n| join kind = inner(\\nAzureDiagnostics\\n| where Category =~ \\\"FrontDoorWebApplicationFirewallLog\\\"\\n| where action_s =~ \\\"Block\\\") on trackingReference_s\\n| summarize URI_s = make_set(requestUri_s,100), Table = make_set(TableName,100), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), TrackingReference = make_set(trackingReference_s,100), Matched_Data = make_set(MatchedData,100), Detail_Data = make_set(details_data_s,100), Detail_Message = make_set(details_msg_s,100), Total_TrackingReference = dcount(trackingReference_s) by clientIP_s, host_s, action_s\\n| where Total_TrackingReference \u003e= Threshold\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URI_s\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"clientIP_s\"}]}],\"tactics\":[\"InitialAccess\",\"Execution\"],\"displayName\":\"Front Door Premium WAF - XSS Detection\",\"description\":\"Identifies a match for an XSS attack in the Front Door Premium WAF logs. The threshold value in the query can be changed as per your infrastructure\u0027s requirements.\\n References: https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS)\",\"lastUpdatedDateUTC\":\"2023-12-20T00:00:00Z\",\"createdDateUTC\":\"2022-10-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"WAF\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9d0295ee-cb75-4f2c-9952-e5acfbb67036\",\"name\":\"9d0295ee-cb75-4f2c-9952-e5acfbb67036\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":1,\"version\":\"1.0.3\",\"severity\":\"Informational\",\"query\":\"let timeframe = ago(1d);\\nAppServiceAntivirusScanAuditLogs\\n| where NumberOfInfectedFiles \u003e 0\\n| extend timestamp = TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"AzureID\",\"columnName\":\"_ResourceId\"}]}],\"displayName\":\"AppServices AV Scan with Infected Files\",\"description\":\"Identifies if an AV scan finds infected files in Azure App Services.\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2020-12-11T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/422ca2bf-598b-4872-82bb-5f7e8fa731e7\",\"name\":\"422ca2bf-598b-4872-82bb-5f7e8fa731e7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"High\",\"query\":\"(union isfuzzy=true\\n(SecurityEvent\\n| where EventID==4688\\n| extend FileName=tostring(split(NewProcessName, @\u0027\\\\\u0027)[(-1)]), ProcessCommandLine = CommandLine, InitiatingProcessFileName=ParentProcessName\\n| where (FileName =~ \\\"powershell.exe\\\" and ProcessCommandLine has_all(\\\"try\\\", \\\"Add-MpPreference\\\", \\\"-ExclusionPath\\\", \\\"ProgramData\\\", \\\"catch\\\")) or (FileName =~ \u0027powershell.exe\u0027 and ProcessCommandLine has_all(\u0027Add-PSSnapin\u0027, \u0027Get-Recipient\u0027, \u0027-ExpandProperty\u0027, \u0027EmailAddresses\u0027, \u0027SmtpAddress\u0027, \u0027-hidetableheaders\u0027) )\\n| project TimeGenerated, Computer, Account, AccountDomain, ProcessName, ProcessNameFullPath = NewProcessName, InitiatingProcessFileName, EventID, Activity, CommandLine, EventSourceName, Type\\n),\\n(DeviceProcessEvents \\n| where (FileName =~ \\\"powershell.exe\\\" and ((ProcessCommandLine has_all(\\\"try\\\", \\\"Add-MpPreference\\\", \\\"-ExclusionPath\\\", \\\"ProgramData\\\", \\\"catch\\\")) or (ProcessCommandLine has_all(\u0027Add-PSSnapin\u0027, \u0027Get-Recipient\u0027, \u0027-ExpandProperty\u0027, \u0027EmailAddresses\u0027, \u0027SmtpAddress\u0027, \u0027-hidetableheaders\u0027))))\\nor ( InitiatingProcessFileName =~ \u0027powershell.exe\u0027 and (((InitiatingProcessCommandLine has_all(\u0027$file=\u0027, \u0027dllhost.exe\u0027, \u0027Invoke-WebRequest\u0027, \u0027-OutFile\u0027)) or ((InitiatingProcessCommandLine has_all(\u0027$admins=\u0027, \u0027System.Security.Principal.SecurityIdentifier\u0027, \u0027Translate\u0027, \u0027-split\u0027, \u0027localgroup\u0027, \u0027/add\u0027, \u0027$rdp=\u0027))))))\\n| extend Account = strcat(InitiatingProcessAccountDomain, @\u0027\\\\\u0027, InitiatingProcessAccountName), Computer = DeviceName\\n)\\n)\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| extend AccountName = tostring(split(Account, @\u0027\\\\\u0027)[1]), AccountNTDomain = tostring(split(Account, @\u0027\\\\\u0027)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"Exfiltration\",\"DefenseEvasion\"],\"displayName\":\"Dev-0270 Malicious Powershell usage\",\"description\":\"DEV-0270 heavily uses powershell to achieve their objective at various stages of their attack. To locate powershell related activity tied to the actor, Microsoft Sentinel customers can run the following query.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-09-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/eb8a9c1c-f532-4630-817c-1ecd8a60ed80\",\"name\":\"eb8a9c1c-f532-4630-817c-1ecd8a60ed80\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P2D\",\"queryPeriod\":\"P2D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n| where OperationName has \\\"Delete partner specific cross-tenant access setting\\\"\\n| mv-apply TargetResource = TargetResources on\\n (\\n where TargetResource.type =~ \\\"Policy\\\"\\n | extend Properties = TargetResource.modifiedProperties\\n )\\n| mv-apply Property = Properties on\\n (\\n where Property.displayName =~ \\\"tenantId\\\"\\n | extend ExtTenantDeleted = trim(\u0027\\\"\u0027,tostring(Property.oldValue))\\n )\\n| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n| extend InitiatingIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\\n| extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"InitiatingAppName\"},{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAppServicePrincipalId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatingAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatingAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIpAddress\"}]}],\"tactics\":[\"InitialAccess\",\"Persistence\",\"Discovery\"],\"displayName\":\"Cross-tenant Access Settings Organization Deleted\",\"description\":\"Organizations are added in the Cross-tenant Access Settings to control communication inbound or outbound for users and applications. This detection notifies when an Organization is deleted from the Microsoft Entra ID Cross-tenant Access Settings.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-10-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/acfdee3f-b794-404a-aeba-ef6a1fa08ad1\",\"name\":\"acfdee3f-b794-404a-aeba-ef6a1fa08ad1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"High\",\"query\":\"let lookback = 14d;\\nlet timewindow = 7d;\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(lookback)\\n| where OperationName =~ \\\"Library.AgentPoolCreated\\\"\\n| extend AgentCloudId = tostring(Data.AgentCloudId)\\n| extend PoolType = iif(isnotempty(AgentCloudId), \\\"Azure VMs\\\", \\\"Self Hosted\\\")\\n// Comment this line out to include cloud pools as well\\n| where PoolType == \\\"Self Hosted\\\"\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n| extend AgentPoolId = tostring(Data.AgentPoolId)\\n| extend IsHosted = tostring(Data.IsHosted)\\n| extend IsLegacy = tostring(Data.IsLegacy)\\n| extend timekey = bin(TimeGenerated, timewindow)\\n// Join only with pools deleted in the same window\\n| join (AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(lookback)\\n| where OperationName =~ \\\"Library.AgentPoolDeleted\\\"\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n| extend AgentPoolId = tostring(Data.AgentPoolId)\\n| extend timekey = bin(TimeGenerated, timewindow)) on AgentPoolId, timekey\\n| project-reorder TimeGenerated, ActorUPN, UserAgent, IpAddress, AuthenticationMechanism, OperationName, AgentPoolName, IsHosted, IsLegacy, Data\\n| extend timestamp = TimeGenerated\\n| extend AccountName = tostring(split(ActorUPN, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(ActorUPN, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ActorUPN\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure DevOps Agent Pool Created Then Deleted\",\"description\":\"As well as adding build agents to an existing pool to execute malicious activity within a pipeline, an attacker could create a complete new agent pool and use this for execution.\\nAzure DevOps allows for the creation of agent pools with Azure hosted infrastructure or self-hosted infrastructure. Given the additional customizability of self-hosted agents this detection focuses on the creation of new self-hosted pools.\\nTo further reduce false positive rates the detection looks for pools created and deleted relatively quickly (within 7 days by default), as an attacker is likely to remove a malicious pool once used in order to reduce/remove evidence of their activity.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b9e3b9f8-a406-4151-9891-e5ff1ddd8c1d\",\"name\":\"b9e3b9f8-a406-4151-9891-e5ff1ddd8c1d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"//Collect the alert events\\nlet alertData = SecurityAlert\\n| where DisplayName has \\\"Potential malware uploaded to\\\"\\n| extend Entities = parse_json(Entities)\\n| mv-expand Entities;\\n//Parse the IP address data\\nlet ipData = alertData\\n| where Entities[\u0027Type\u0027] =~ \\\"ip\\\"\\n| extend AttackerIP = tostring(Entities[\u0027Address\u0027]), AttackerCountry = tostring(Entities[\u0027Location\u0027][\u0027CountryName\u0027]);\\n//Parse the file data\\nlet FileData = alertData\\n| where Entities[\u0027Type\u0027] =~ \\\"file\\\"\\n| extend MaliciousFileDirectory = tostring(Entities[\u0027Directory\u0027]), MaliciousFileName = tostring(Entities[\u0027Name\u0027]), MaliciousFileHashes = tostring(Entities[\u0027FileHashes\u0027]);\\n//Combine the File and IP data together\\nipData\\n| join (FileData) on VendorOriginalId\\n| summarize by TimeGenerated, AttackerIP, AttackerCountry, DisplayName, ResourceId, AlertType, MaliciousFileDirectory, MaliciousFileName, MaliciousFileHashes\\n//Create a type column so we can track if it was a File storage or blobl storage upload\\n| extend type = iff(DisplayName has \\\"file\\\", \\\"File\\\", \\\"Blob\\\")\\n| join (\\n union\\n StorageFileLogs,\\n StorageBlobLogs\\n //File upload operations\\n | where OperationName =~ \\\"PutBlob\\\" or OperationName =~ \\\"PutRange\\\"\\n //Parse out the uploader IP\\n | extend ClientIP = tostring(split(CallerIpAddress, \\\":\\\", 0)[0])\\n //Extract the filename from the Uri\\n | extend FileName = extract(@\\\"\\\\/([\\\\w\\\\-. ]+)\\\\?\\\", 1, Uri)\\n //Base64 decode the MD5 filehash, we will encounter non-ascii hex so string operations don\u0027t work\\n //We can work around this by making it an array then converting it to hex from an int\\n | extend base64Char = base64_decode_toarray(ResponseMd5)\\n | mv-expand base64Char\\n | extend hexChar = tohex(toint(base64Char))\\n | extend hexChar = iff(strlen(hexChar) \u003c 2, strcat(\\\"0\\\", hexChar), hexChar)\\n | extend SourceTable = iff(OperationName has \\\"range\\\", \\\"StorageFileLogs\\\", \\\"StorageBlobLogs\\\")\\n | summarize make_list(hexChar, 1000) by CorrelationId, ResponseMd5, FileName, AccountName, TimeGenerated, RequestBodySize, ClientIP, SourceTable\\n | extend Md5Hash = strcat_array(list_hexChar, \\\"\\\")\\n //Pack the file information the summarise into a ClientIP row\\n | extend p = pack(\\\"FileName\\\", FileName, \\\"FileSize\\\", RequestBodySize, \\\"Md5Hash\\\", Md5Hash, \\\"Time\\\", TimeGenerated, \\\"SourceTable\\\", SourceTable)\\n | summarize UploadedFileInfo=make_list(p, 10000), FilesUploaded=count() by ClientIP\\n | join kind=leftouter (\\n union\\n StorageFileLogs,\\n StorageBlobLogs\\n | where OperationName =~ \\\"DeleteFile\\\" or OperationName =~ \\\"DeleteBlob\\\"\\n | extend ClientIP = tostring(split(CallerIpAddress, \\\":\\\", 0)[0])\\n | extend FileName = extract(@\\\"\\\\/([\\\\w\\\\-. ]+)\\\\?\\\", 1, Uri)\\n | extend SourceTable = iff(OperationName has \\\"range\\\", \\\"StorageFileLogs\\\", \\\"StorageBlobLogs\\\")\\n | extend p = pack(\\\"FileName\\\", FileName, \\\"Time\\\", TimeGenerated, \\\"SourceTable\\\", SourceTable)\\n | summarize DeletedFileInfo=make_list(p, 10000), FilesDeleted=count() by ClientIP\\n ) on ClientIP\\n ) on $left.AttackerIP == $right.ClientIP\\n| mvexpand UploadedFileInfo\\n| extend LinkedMaliciousFileName = tostring(UploadedFileInfo.FileName)\\n| extend LinkedMaliciousFileHash = tostring(UploadedFileInfo.Md5Hash)\\n| extend HashAlgorithm = \\\"MD5\\\"\\n| project AlertTimeGenerated = TimeGenerated, LinkedMaliciousFileName, LinkedMaliciousFileHash, HashAlgorithm, AlertType, AttackerIP, AttackerCountry, MaliciousFileDirectory, MaliciousFileName, FilesUploaded, UploadedFileInfo\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"AttackerIP\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"HashAlgorithm\"},{\"identifier\":\"Value\",\"columnName\":\"LinkedMaliciousFileHash\"}]}],\"tactics\":[\"CommandAndControl\",\"Exfiltration\"],\"displayName\":\"Linked Malicious Storage Artifacts\",\"description\":\"This query identifies the additional files uploaded by the same IP address which triggered a malware alert for malicious content upload on Azure Blob or File Storage Container.\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2021-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftCloudAppSecurity\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/94749332-1ad9-49dd-a5ab-5ff2170788fc\",\"name\":\"94749332-1ad9-49dd-a5ab-5ff2170788fc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/SOURGUM.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet domains = (iocs | where Type =~ \\\"domainname\\\"| project IoC);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\nlet file_path1 = (iocs | where Type =~ \\\"filepath1\\\" | project IoC);\\nlet file_path2 = (iocs | where Type =~ \\\"filepath2\\\" | project IoC);\\nlet file_path3 = (iocs | where Type =~ \\\"filepath3\\\" | project IoC);\\nlet reg_key = (iocs | where Type =~ \\\"regkey\\\" | project IoC);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where DestinationHostName has_any (domains) or RequestURL has_any (domains) or Message has_any (domains)\\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 *\\n| project TimeGenerated, Message, SourceUserID, RequestURL, DestinationHostName, Type, SourceIP, DestinationIP, DNSName\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SourceUserID, UrlCustomEntity = RequestURL , IPCustomEntity = DestinationIP, DNSCustomEntity = DNSName\\n),\\n(DnsEvents\\n| where Name in~ (domains)\\n| project TimeGenerated, Computer, IPAddresses, Name, ClientIP, Type\\n| extend DNSName = Name, Host = Computer\\n| extend timestamp = TimeGenerated, HostCustomEntity = Host, DNSCustomEntity = DNSName, IPCustomEntity = IPAddresses\\n),\\n(VMConnection\\n| where RemoteDnsCanonicalNames has_any (domains)\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| project TimeGenerated, Computer, Direction, RemoteDnsCanonicalNames, ProcessName, SourceIp, DestinationIp, DestinationPort, DNSName,BytesSent, BytesReceived, RemoteCountry, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIp, HostCustomEntity = Computer, ProcessCustomEntity = ProcessName, DNSCustomEntity = DNSName\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = tostring(EventDetail.[9].[\\\"#text\\\"]), DestinationIP = tostring(EventDetail.[14].[\\\"#text\\\"]), Image = EventDetail.[4].[\\\"#text\\\"]\\n| where Image has_any (file_path1) or Image has_any (file_path3)\\n| project TimeGenerated, SourceIP, DestinationIP, Image, UserName, Computer, EventDetail, Type\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), HostCustomEntity = Computer , IPCustomEntity = DestinationIP\\n), \\n(DeviceNetworkEvents\\n| where (RemoteUrl has_any (domains)) or (InitiatingProcessSHA256 in (sha256Hashes) and InitiatingProcessFolderPath has_any (file_path1)) or InitiatingProcessFolderPath has_any (file_path3)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, LocalIP, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName, UrlCustomEntity =RemoteUrl\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| project TimeGenerated,Resource, msg_s, Type\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where Request_Name has_any (domains)\\n| extend timestamp = TimeGenerated, DNSName = Request_Name, IPCustomEntity = ClientIP\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| project TimeGenerated,Resource, msg_s\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where DestinationHost has_any (domains) \\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost\\n),\\n(AZFWDnsQuery\\n| where QueryName has_any (domains)\\n| extend timestamp = TimeGenerated, DNSName = QueryName, IPCustomEntity = SourceIp\\n),\\n(AZFWApplicationRule\\n| where Fqdn has_any (domains)\\n| extend timestamp = TimeGenerated, DNSName = Fqdn, IPCustomEntity = SourceIp\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| parse EventDetail with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| extend Image = EventDetail.[4].[\\\"#text\\\"], CommandLine = EventDetail.[10].[\\\"#text\\\"]\\n| where (SHA256 has_any (sha256Hashes) and Image has_any (file_path1)) or (Image has_any (file_path3)) or ( CommandLine has_any (file_path3)) or ( CommandLine has_any (file_path1)) or ( CommandLine has \u0027reg add\u0027 and CommandLine has_any (reg_key) and CommandLine has_any (file_path2)) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256, CommandLine, Image\\n| extend Type = strcat(Type, \\\": \\\", Source)\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = SHA256\\n),\\n(DeviceRegistryEvents\\n| where RegistryKey has_any (reg_key) and RegistryValueData has_any (file_path2)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type \\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256\\n),\\n(DeviceProcessEvents\\n| where ( InitiatingProcessCommandLine has_any (file_path1)) or ( InitiatingProcessCommandLine has_any (file_path3)) or ( InitiatingProcessCommandLine has \u0027reg add\u0027 and InitiatingProcessCommandLine has_any (reg_key) and InitiatingProcessCommandLine has_any (file_path2)) or (InitiatingProcessFolderPath has_any (file_path1)) or (InitiatingProcessFolderPath has_any (file_path3)) or (FolderPath has_any (file_path1)) or (FolderPath has_any (file_path3))\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, FolderPath, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256\\n),\\n(DeviceFileEvents\\n| where (InitiatingProcessSHA256 has_any (sha256Hashes) and InitiatingProcessFolderPath has_any (file_path1)) or (InitiatingProcessFolderPath has_any (file_path3)) or (FolderPath has_any (file_path1)) or (FolderPath has_any (file_path3)) or ( InitiatingProcessCommandLine has_any (file_path1)) or ( InitiatingProcessCommandLine has_any (file_path3))\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RequestAccountName, RequestSourceIP, InitiatingProcessSHA256, FolderPath, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = RequestAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256\\n),\\n(DeviceEvents\\n| where ( InitiatingProcessCommandLine has_any (file_path1)) or ( InitiatingProcessCommandLine has_any (file_path3)) or ( InitiatingProcessCommandLine has \u0027reg add\u0027 and InitiatingProcessCommandLine has_any (reg_key) and InitiatingProcessCommandLine has_any (file_path2)) or (InitiatingProcessFolderPath has_any (file_path1)) or (InitiatingProcessFolderPath has_any (file_path3)) or (FolderPath has_any (file_path1)) or (FolderPath has_any (file_path3))\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, FolderPath, Type\\n| extend CommandLine = InitiatingProcessCommandLine\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256\\n),\\n( SecurityEvent\\n| where EventID == 4688\\n| where ( CommandLine has_any (file_path1)) or ( CommandLine has_any (file_path3)) or ( CommandLine has \u0027reg add\u0027 and CommandLine has_any (reg_key) and CommandLine has_any (file_path2)) or (NewProcessName has_any (file_path1)) or (NewProcessName has_any (file_path3)) or (ParentProcessName has_any (file_path1)) or (ParentProcessName has_any (file_path3))\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"[Deprecated] - Caramel Tsunami Actor IOC - July 2021\",\"description\":\"This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft\u0027s Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2021-07-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceRegistryEvents\",\"DeviceFileEvents\",\"DeviceEvents\",\"DeviceProcessEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\",\"AZFWApplicationRule\",\"AZFWDnsQuery\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f80d951a-eddc-4171-b9d0-d616bb83efdc\",\"name\":\"f80d951a-eddc-4171-b9d0-d616bb83efdc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"High\",\"query\":\"let query_frequency = 1h;\\nlet query_period = 2h;\\nAuditLogs\\n| where TimeGenerated \u003e ago(query_period)\\n| where Category =~ \\\"ApplicationManagement\\\" and LoggedByService =~ \\\"Core Directory\\\"\\n| where OperationName =~ \\\"Add app role assignment to service principal\\\"\\n| mv-expand TargetResource = TargetResources\\n| mv-expand modifiedProperty = TargetResource[\\\"modifiedProperties\\\"]\\n| where tostring(modifiedProperty[\\\"displayName\\\"]) == \\\"AppRole.Value\\\"\\n| extend PermissionGrant = tostring(modifiedProperty[\\\"newValue\\\"])\\n| where PermissionGrant has \\\"RoleManagement.ReadWrite.Directory\\\"\\n| mv-apply modifiedProperty = TargetResource[\\\"modifiedProperties\\\"] on (\\n summarize modifiedProperties = make_bag(\\n bag_pack(tostring(modifiedProperty[\\\"displayName\\\"]),\\n bag_pack(\\\"oldValue\\\", trim(@\u0027[\\\\\\\"\\\\s]+\u0027, tostring(modifiedProperty[\\\"oldValue\\\"])),\\n \\\"newValue\\\", trim(@\u0027[\\\\\\\"\\\\s]+\u0027, tostring(modifiedProperty[\\\"newValue\\\"])))), 100)\\n)\\n| project\\n PermissionGrant_TimeGenerated = TimeGenerated,\\n PermissionGrant_OperationName = OperationName,\\n PermissionGrant_Result = Result,\\n PermissionGrant,\\n AppDisplayName = tostring(modifiedProperties[\\\"ServicePrincipal.DisplayName\\\"][\\\"newValue\\\"]),\\n AppServicePrincipalId = tostring(modifiedProperties[\\\"ServicePrincipal.ObjectID\\\"][\\\"newValue\\\"]),\\n PermissionGrant_InitiatedBy = InitiatedBy,\\n PermissionGrant_TargetResources = TargetResources,\\n PermissionGrant_AdditionalDetails = AdditionalDetails,\\n PermissionGrant_CorrelationId = CorrelationId\\n| join kind=inner (\\n AuditLogs\\n | where TimeGenerated \u003e ago(query_frequency)\\n | where Category =~ \\\"RoleManagement\\\" and LoggedByService =~ \\\"Core Directory\\\" and AADOperationType =~ \\\"Assign\\\"\\n | where isnotempty(InitiatedBy[\\\"app\\\"])\\n | mv-expand TargetResource = TargetResources\\n | mv-expand modifiedProperty = TargetResource[\\\"modifiedProperties\\\"]\\n | where tostring(modifiedProperty[\\\"displayName\\\"]) in (\\\"Role.DisplayName\\\", \\\"RoleDefinition.DisplayName\\\")\\n | extend RoleAssignment = tostring(modifiedProperty[\\\"newValue\\\"])\\n | where RoleAssignment contains \\\"Admin\\\"\\n | project\\n RoleAssignment_TimeGenerated = TimeGenerated,\\n RoleAssignment_OperationName = OperationName,\\n RoleAssignment_Result = Result,\\n RoleAssignment,\\n TargetType = tostring(TargetResources[0][\\\"type\\\"]),\\n Target = iff(isnotempty(TargetResources[0][\\\"displayName\\\"]), tostring(TargetResources[0][\\\"displayName\\\"]), tolower(TargetResources[0][\\\"userPrincipalName\\\"])),\\n TargetId = tostring(TargetResources[0][\\\"id\\\"]),\\n RoleAssignment_InitiatedBy = InitiatedBy,\\n RoleAssignment_TargetResources = TargetResources,\\n RoleAssignment_AdditionalDetails = AdditionalDetails,\\n RoleAssignment_CorrelationId = CorrelationId,\\n AppServicePrincipalId = tostring(InitiatedBy[\\\"app\\\"][\\\"servicePrincipalId\\\"])\\n ) on AppServicePrincipalId\\n| where PermissionGrant_TimeGenerated \u003c RoleAssignment_TimeGenerated\\n| extend\\n TargetName = tostring(split(Target, \\\"@\\\")[0]),\\n TargetUPNSuffix = tostring(split(Target, \\\"@\\\")[1])\\n| project PermissionGrant_TimeGenerated, PermissionGrant_OperationName, PermissionGrant_Result, PermissionGrant, AppDisplayName, AppServicePrincipalId, PermissionGrant_InitiatedBy, PermissionGrant_TargetResources, PermissionGrant_AdditionalDetails, PermissionGrant_CorrelationId, RoleAssignment_TimeGenerated, RoleAssignment_OperationName, RoleAssignment_Result, RoleAssignment, TargetType, Target, TargetName, TargetUPNSuffix, TargetId, RoleAssignment_InitiatedBy, RoleAssignment_TargetResources, RoleAssignment_AdditionalDetails, RoleAssignment_CorrelationId\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"AppDisplayName\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"TargetName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"TargetUPNSuffix\"}]}],\"tactics\":[\"PrivilegeEscalation\",\"Persistence\"],\"displayName\":\"Admin promotion after Role Management Application Permission Grant\",\"description\":\"This rule looks for a service principal being granted the Microsoft Graph RoleManagement.ReadWrite.Directory (application) permission before being used to add an Azure AD object or user account to an Admin directory role (i.e. Global Administrators).\\nThis is a known attack path that is usually abused when a service principal already has the AppRoleAssignment.ReadWrite.All permission granted. This permission allows an app to manage permission grants for application permissions to any API.\\nA service principal can promote itself or other service principals to admin roles (i.e. Global Administrators). This would be considered a privilege escalation technique.\\nRef : https://docs.microsoft.com/graph/permissions-reference#role-management-permissions, https://docs.microsoft.com/graph/api/directoryrole-post-members?view=graph-rest-1.0\u0026tabs=http\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2021-11-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c37711a4-5f44-4472-8afc-0679bc0ef966\",\"name\":\"c37711a4-5f44-4472-8afc-0679bc0ef966\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"3.0.0\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/FoggyWebIOC.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet sha256Hashes = (iocs | where Type == \\\"sha256\\\" | project IoC);\\nlet FilePaths = (iocs | where Type =~ \\\"FilePath\\\" | project IoC);\\nlet POST_URI = (iocs | where Type =~ \\\"URI1\\\" | project IoC);\\nlet GET_URI = (iocs | where Type =~ \\\"URI2\\\" | project IoC);\\n//Include in the list below, the ADFS servers you know about in your environment. In the next part of the query, we will try to identify them for you if you have the telemetry.\\nlet ADFS_Servers1 = datatable(Computer:string)\\n[ \\\"\u003cADFS01\u003e.\u003cDOMAIN\u003e.\u003cCOM\u003e\\\",\\n\\\"\u003cADFS02\u003e.\u003cDOMAIN\u003e.\u003cCOM\u003e\\\"\\n];\\n// Automatically identify potential ADFS services in your environment by searching process event telemetry for \\\"Microsoft.IdentityServer.ServiceHost.exe\\\".\\nlet ADFS_Servers2 = \\n(union isfuzzy=true\\n(SecurityEvent\\n| where EventID == 4688 and SubjectLogonId != \\\"0x3e4\\\"\\n| where ProcessName has \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n),\\n( WindowsEvent\\n| where EventID == 4688 and EventData has \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"// and not(EventData has \\\"0x3e4\\\")\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| where ProcessName == \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| extend SubjectLogonId = tostring(EventData.SubjectLogonId)\\n| where SubjectLogonId != \\\"0x3e4\\\"\\n| distinct Computer\\n),\\n(DeviceProcessEvents\\n| where InitiatingProcessFileName == \u0027Microsoft.IdentityServer.ServiceHost.exe\u0027\\n| extend Computer = DeviceName\\n| distinct Computer\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key=tostring([\u0027@Name\u0027]), Value=[\u0027#text\u0027]\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| extend process = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n| where process =~ \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n)\\n);\\nlet ADFS_Servers =\\nADFS_Servers1\\n| union (ADFS_Servers2 | distinct Computer);\\n(union isfuzzy=true\\n(DeviceNetworkEvents\\n| where DeviceName in (ADFS_Servers)\\n| where isnotempty(InitiatingProcessSHA256) or isnotempty(InitiatingProcessFolderPath)\\n| where InitiatingProcessSHA256 has_any (sha256Hashes) or InitiatingProcessFolderPath has_any (FilePaths)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort, LocalIP, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\" and EventID == \u00277\u0027\\n| where Computer in (ADFS_Servers)\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend ImageLoaded = EventDetail.[5].[\\\"#text\\\"], Hashes = EventDetail.[11].[\\\"#text\\\"]\\n| parse Hashes with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| where ImageLoaded has_any (FilePaths) or SHA256 has_any (sha256Hashes) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256, ImageLoaded, EventID\\n| extend Type = strcat(Type,\\\":\\\",EventID, \\\": \\\", Source), Account = UserName, FileHash = SHA256, Image = EventDetail.[4].[\\\"#text\\\"] \\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, SourceUserID, FileHash, Type\\n| extend timestamp = TimeGenerated, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(DeviceEvents\\n| where DeviceName in (ADFS_Servers)\\n| extend FilePath = strcat(FolderPath, \u0027\\\\\\\\\u0027, FileName)\\n| where InitiatingProcessSHA256 has_any (sha256Hashes) or FilePath has_any (FilePaths)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(DeviceFileEvents\\n| where DeviceName in (ADFS_Servers)\\n| where FolderPath has_any (FilePaths) or SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(DeviceImageLoadEvents\\n| where DeviceName in (ADFS_Servers)\\n| where FolderPath has_any (FilePaths) or SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where Computer in (ADFS_Servers)\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| parse EventDetail with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| where EventDetail has_any (sha256Hashes) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256\\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = SHA256, Image = EventDetail.[4].[\\\"#text\\\"] \\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(W3CIISLog \\n| where ( csMethod == \u0027GET\u0027 and csUriStem has_any (GET_URI)) or (csMethod == \u0027POST\u0027 and csUriStem has_any (POST_URI))\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), cIP_MethodCount = count() \\nby cIP, cIP_MethodCountType = \\\"Count of repeated entries, this is to reduce rowsets returned\\\", csMethod, \\ncsHost, scStatus, sIP, csUriStem, csUriQuery, csUserName, csUserAgent, csCookie, csReferer\\n| extend timestamp = StartTime, IPCustomEntity = cIP, HostCustomEntity = csHost, AccountCustomEntity = csUserName\\n),\\n(imFileEvent\\n| where DvcHostname in (ADFS_Servers)\\n| where TargetFileSHA256 has_any (sha256Hashes) or FilePath has_any (FilePaths)\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]}],\"tactics\":[\"Collection\"],\"displayName\":\"[Deprecated] - Midnight Blizzard IOCs related to FoggyWeb backdoor\",\"description\":\"This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft\u0027s Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2021-09-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceFileEvents\",\"DeviceEvents\",\"DeviceImageLoadEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f3e2d35f-1202-4215-995c-4654ef07d1d8\",\"name\":\"f3e2d35f-1202-4215-995c-4654ef07d1d8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"version\":\"1.0.4\",\"severity\":\"Medium\",\"query\":\"let BEC_Keywords = dynamic([ \u0027invoice\u0027,\u0027payment\u0027,\u0027paycheck\u0027,\u0027transfer\u0027,\u0027bank statement\u0027,\u0027bank details\u0027,\u0027closing\u0027,\u0027funds\u0027,\u0027bank account\u0027,\u0027account details\u0027,\u0027remittance\u0027,\u0027purchase\u0027,\u0027deposit\u0027,\\\"PO#\\\",\\\"Zahlung\\\",\\\"Rechnung\\\",\\\"Paiement\\\", \\\"virement bancaire\\\",\\\"Bankuberweisung\\\",\u0027hacked\u0027,\u0027phishing\u0027]);\\n// Adjust this threshold based on your environment\\nlet sensitivity = 2.5;\\nlet Events = materialize(AWSCloudTrail\\n| where TimeGenerated between (ago(14d)..ago(0d))\\n| where UserIdentityAccountId != \\\"anonymous\\\"\\n| where EventSource startswith \\\"s3.\\\"\\n| where EventName =~ \\\"GetObject\\\"\\n| extend FilePath = tostring(parse_json(RequestParameters).key)\\n| where FilePath has_any(BEC_Keywords)\\n);\\nEvents\\n| summarize dcount(FilePath) by UserIdentityPrincipalid, bin(startofday(TimeGenerated), 1d)\\n| summarize CountOfDocs = make_list(dcount_FilePath, 10000), TimeStamp = make_list(TimeGenerated, 10000) by UserIdentityPrincipalid\\n| extend (Anomalies, Score, Baseline) = series_decompose_anomalies(CountOfDocs, sensitivity, -1, \u0027linefit\u0027)\\n| mv-expand CountOfDocs to typeof(double), TimeStamp to typeof(datetime), Anomalies to typeof(double),Score to typeof(double), Baseline to typeof(long)\\n| where Anomalies \u003e 0\\n| project TimeStamp, CountOfDocs, Baseline, Score, Anomalies, UserIdentityPrincipalid\\n| join kind=inner(Events | extend TimeStamp = startofday(TimeGenerated)) on TimeStamp, UserIdentityPrincipalid\\n| extend Name = iif(UserIdentityUserName contains \\\"@\\\", split(UserIdentityUserName, \\\"@\\\")[0], UserIdentityUserName)\\n| extend UPNSuffix = iif(UserIdentityUserName contains \\\"@\\\", split(UserIdentityUserName, \\\"@\\\")[1], \\\"\\\")\\n| project-reorder TimeGenerated, UserIdentityType, UserIdentityPrincipalid, UserIdentityUserName, FilePath, EventName, UserAgent, SourceIpAddress, CountOfDocs, Baseline, Score\",\"customDetails\":{\"UserType\":\"UserIdentityType\",\"Event\":\"EventName\",\"UserAgent\":\"UserAgent\"},\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserIdentityUserName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIpAddress\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"FilePath\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Suspicious access of {{CountOfDocs}} BEC related documents in AWS S3 buckets by {{UserIdentityUserName}}\",\"alertDescriptionFormat\":\"This query looks for users (in this case {{UserIdentityUserName}}) with suspicious spikes in the number of files accessed (in this case {{CountOfDocs}})that relate to topics commonly accessed as part of Business Email Compromise (BEC) attacks. The query looks for access to files in AWS S3 storage that relate to topics such as invoices or payments, and then looks for users accessing these files in significantly higher numbers than in the previous 14 days. Incidents raised by this analytic should be investigated to see if the user accessing these files should be accessing them, and if the volume they accessed them at was related to a legitimate business need. \\nThis query contains thresholds to reduce the chance of false positives, these can be adjusted to suit individual environments. In addition false positives could be generated by legitimate, scheduled actions that occur less often than every 14 days, additional exclusions can be added for these actions on username or IP address entities.\\n\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"Collection\"],\"displayName\":\"Suspicious access of BEC related documents in AWS S3 buckets\",\"description\":\"This query looks for users with suspicious spikes in the number of files accessed that relate to topics commonly accessed as part of Business Email Compromise (BEC) attacks.\\nThe query looks for access to files in AWS S3 storage that relate to topics such as invoices or payments, and then looks for users accessing these files in significantly higher numbers than in the previous 14 days. Incidents raised by this analytic should be investigated to see if the user accessing these files should be accessing them, and if the volume they accessed them at was related to a legitimate business need. \\nThis query contains thresholds to reduce the chance of false positives, these can be adjusted to suit individual environments. In addition false positives could be generated by legitimate, scheduled actions that occur less often than every 14 days, additional exclusions can be added for these actions on username or IP address entities.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2023-02-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9122a9cb-916b-4d98-a199-1b7b0af8d598\",\"name\":\"9122a9cb-916b-4d98-a199-1b7b0af8d598\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"beesweiserdog.com\\\", \\n \\\"bluehostfit.com\\\", \\n \\\"business-toys.com\\\", \\n \\\"cleanskycloud.com\\\", \\n \\\"cumberbat.com\\\", \\n \\\"czreadsecurity.com\\\", \\n \\\"dgtresorgouv.com\\\", \\n \\\"dimediamikedask.com\\\", \\n \\\"diresitioscon.com\\\", \\n \\\"elcolectador.com\\\", \\n \\\"elperuanos.org\\\", \\n \\\"eprotectioneu.com\\\", \\n \\\"fheacor.com\\\", \\n \\\"followthewaterdata.com\\\", \\n \\\"francevrteepress.com\\\", \\n \\\"futtuhy.com\\\", \\n \\\"gardienweb.com\\\", \\n \\\"heimflugaustr.com\\\", \\n \\\"ivpsers.com\\\", \\n \\\"jkeducation.org\\\", \\n \\\"micrlmb.com\\\", \\n \\\"muthesck.com\\\", \\n \\\"netscalertech.com\\\", \\n \\\"newgoldbalmap.com\\\", \\n \\\"news-laestrella.com\\\", \\n \\\"noticialif.com\\\", \\n \\\"opentanzanfoundation.com\\\", \\n \\\"optonlinepress.com\\\", \\n \\\"palazzochigi.com\\\", \\n \\\"pandemicacre.com\\\", \\n \\\"papa-ser.com\\\", \\n \\\"pekematclouds.com\\\", \\n \\\"pipcake.com\\\", \\n \\\"popularservicenter.com\\\", \\n \\\"projectsyndic.com\\\", \\n \\\"qsadtv.com\\\", \\n \\\"sankreal.com\\\", \\n \\\"scielope.com\\\", \\n \\\"seoamdcopywriting.com\\\", \\n \\\"slidenshare.com\\\", \\n \\\"somoswake.com\\\", \\n \\\"squarespacenow.com\\\", \\n \\\"subapostilla.com\\\", \\n \\\"suzukicycles.net\\\", \\n \\\"tatanotakeeps.com\\\", \\n \\\"tijuanazxc.com\\\", \\n \\\"transactioninfo.net\\\", \\n \\\"eurolabspro.com\\\", \\n \\\"adelluminate.com\\\", \\n \\\"headhunterblue.com\\\", \\n \\\"primenuesty.com\\\" \\n ]);\\nlet SHA256Hashes = dynamic ([\\\"02daf4544bcefb2de865d0b45fc406bee3630704be26a9d6da25c9abe906e7d2\\\", \\n \\\"0a45ec3da31838aa7f56e4cbe70d5b3b3809029f9159ff0235837e5b7a4cb34c\\\", \\n \\\"0d7965489810446ca7acc7a2160795b22e452a164261313c634a6529a0090a0c\\\", \\n \\\"10bb4e056fd19f2debe61d8fc5665434f56064a93ca0ec0bef946a4c3e098b95\\\", \\n \\\"12d914f24fe5501e09f5edf503820cc5fe8b763827a1c6d44cdb705e48651b21\\\", \\n \\\"1899f761123fedfeba0fee6a11f830a29cd3653bcdcf70380b72a05b921b4b49\\\", \\n \\\"22e68e366dd3323e5bb68161b0938da8e1331e4f1c1819c8e84a97e704d93844\\\", \\n \\\"259783405ec2cb37fdd8fd16304328edbb6a0703bc3d551eba252d9b450554ef\\\", \\n \\\"26debed09b1bbf24545e3b4501b799b66a0146d4020f882776465b5071e91822\\\", \\n \\\"35c5f22bb11f7dd7a2bb03808e0337cb7f9c0d96047b94c8afdab63efc0b9bb2\\\", \\n \\\"3ae2d9ffa4e53519e62cc0a75696f9023f9cce09b0a917f25699b48d0f7c4838\\\", \\n \\\"3bac2e459c69fcef8c1c93c18e5f4f3e3102d8d0f54a63e0650072aeb2a5fa65\\\", \\n \\\"3c0bf69f6faf85523d9e60d13218e77122b2adb0136ffebbad0f39f3e3eed4e6\\\", \\n \\\"3dc0001a11d54925d2591aec4ea296e64f1d4fdf17ff3343ddeea82e9bd5e4f1\\\", \\n \\\"3fd73af89e94af180b1fbf442bbfb7d7a6c4cf9043abd22ac0aa2f8149bafc90\\\", \\n \\\"6854df6aa0af46f7c77667c450796d5658b3058219158456e869ebd39a47d54b\\\", \\n \\\"6b79b807a66c786bd2e57d1c761fc7e69dd9f790ffab7ce74086c4115c9305ce\\\", \\n \\\"7944a86fbef6238d2a55c14c660c3a3d361c172f6b8fa490686cc8889b7a51a0\\\", \\n \\\"926904f7c0da13a6b8689c36dab9d20b3a2e6d32f212fca9e5f8cf2c6055333c\\\", \\n \\\"95e98c811ea9d212673d0e84046d6da94cbd9134284275195800278593594b5a\\\", \\n \\\"a142625512e5372a1728595be19dbee23eea50524b4827cb64ed5aaeaaa0270b\\\", \\n \\\"afe5e9145882e0b98a795468a4c0352f5b1ddb7b4a534783c9e8fc366914cf6a\\\", \\n \\\"b9027bad09a9f5c917cf0f811610438e46e42e5e984a8984b6d69206ceb74124\\\", \\n \\\"c132d59a3bf0099e0f9f5667daf7b65dba66780f4addd88f04eecae47d5d99fa\\\", \\n \\\"c9a5765561f52bbe34382ce06f4431f7ac65bafe786db5de89c29748cf371dda\\\", \\n \\\"ce0408f92635e42aadc99da3cc1cbc0044e63441129c597e7aa1d76bf2700c94\\\", \\n \\\"ce47bacc872516f91263f5e59441c54f14e9856cf213ca3128470217655fc5e6\\\", \\n \\\"d0fe4562970676e30a4be8cb4923dc9bfd1fca8178e8e7fea0f3f02e0c7435ce\\\", \\n \\\"d5b36648dc9828e69242b57aca91a0bb73296292bf987720c73fcd3d2becbae6\\\", \\n \\\"e72d142a2bc49572e2d99ed15827fc27c67fc0999e90d4bf1352b075f86a83ba\\\"\\n ]);\\nlet SigNames = dynamic([\\\"Backdoor:Win32/Leeson\\\", \\\"Trojan:Win32/Kechang\\\", \\\"Backdoor:Win32/Nightimp!dha\\\", \\\"Trojan:Win32/QuarkBandit.A!dha\\\", \\\"TrojanSpy:Win32/KeyLogger\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where isnotempty(FileHash)\\n| where FileHash in (SHA256Hashes) or DNSName in~ (DomainNames)\\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n),\\n(_Im_Dns(domain_has_any = DomainNames)\\n| extend DNSName = DnsQuery\\n| extend IPAddress = SrcIpAddr\\n),\\n(_Im_WebSession(url_has_any = DomainNames)\\n| extend DNSName = tostring(parse_url(Url)[\\\"Host\\\"])\\n| extend IPAddress = SrcIpAddr\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updataing\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Hashes = EventDetail.[16].[\\\"#text\\\"]\\n| parse Hashes with * \u0027SHA256=\u0027 SHA256 \u0027,\u0027 * \\n| where isnotempty(Hashes)\\n| where Hashes in (SHA256Hashes) \\n| extend Account = UserName\\n),\\n(DeviceFileEvents\\n| where SHA256 in~ (SHA256Hashes)\\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = SHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(imFileEvent\\n| where TargetFileSHA256 in~ (SHA256Hashes)\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(DeviceNetworkEvents\\n| where RemoteUrl in~ (DomainNames)\\n| extend Computer = DeviceName, IPAddress = LocalIP, Account = InitiatingProcessAccountName\\n| project Type, TimeGenerated, Computer, Account, IPAddress, RemoteUrl\\n),\\n(SecurityAlert\\n| where ProductName == \\\"Microsoft Defender Advanced Threat Protection\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| where isnotempty(ThreatName)\\n| where ThreatName has_any (SigNames)\\n| extend Computer = tostring(parse_json(Entities)[0].HostName)\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPAddress = SourceHost\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"[Deprecated] - Known Nylon Typhoon domains and hashes\",\"description\":\"This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft\u0027s Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2021-11-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c3b11fb2-9201-4844-b7b9-6b7bf6d9b851\",\"name\":\"c3b11fb2-9201-4844-b7b9-6b7bf6d9b851\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.4\",\"severity\":\"Medium\",\"query\":\"let threshold = 200;\\n_Im_Dns(responsecodename=\u0027NXDOMAIN\u0027)\\n| where isnotempty(DnsResponseCodeName)\\n//| where DnsResponseCodeName =~ \\\"NXDOMAIN\\\"\\n| summarize count() by SrcIpAddr, bin(TimeGenerated,15m)\\n| where count_ \u003e threshold\\n| join kind=inner (_Im_Dns(responsecodename=\u0027NXDOMAIN\u0027)\\n ) on SrcIpAddr\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Excessive NXDOMAIN DNS Queries (ASIM DNS Schema)\",\"description\":\"This creates an incident in the event a client generates excessive amounts of DNS queries for non-existent domains. \\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema\",\"lastUpdatedDateUTC\":\"2023-12-12T00:00:00Z\",\"createdDateUTC\":\"2021-06-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/09ec8fa2-b25f-4696-bfae-05a7b85d7b9e\",\"name\":\"09ec8fa2-b25f-4696-bfae-05a7b85d7b9e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT3H\",\"queryPeriod\":\"PT3H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.5\",\"severity\":\"High\",\"query\":\"let timeframe = ago(3h);\\nlet threshold = 2;\\nimAuthentication\\n| where TimeGenerated \u003e timeframe\\n| where EventType == \u0027Logon\u0027\\n and EventResult == \u0027Success\u0027\\n| where isnotempty(SrcGeoCountry)\\n| summarize\\n StartTime = min(TimeGenerated)\\n , EndTime = max(TimeGenerated)\\n , Vendors = make_set(EventVendor, 128)\\n , Products = make_set(EventProduct, 128)\\n , NumOfCountries = dcount(SrcGeoCountry)\\n , Countries = make_set(SrcGeoCountry, 128)\\n by TargetUserId, TargetUsername, TargetUserType\\n| where NumOfCountries \u003e= threshold\\n| where TargetUserType !in (\\\"Application\\\", \\\"Service\\\", \\\"System\\\", \\\"Other\\\", \\\"Machine\\\", \\\"ServicePrincipal\\\")\\n| extend\\n Name = iif(\\n TargetUsername contains \\\"@\\\"\\n , tostring(split(TargetUsername, \u0027@\u0027, 0)[0])\\n , TargetUsername\\n ),\\n UPNSuffix = iif(\\n TargetUsername contains \\\"@\\\"\\n , tostring(split(TargetUsername, \u0027@\u0027, 1)[0])\\n , \\\"\\\"\\n )\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUserName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"User login from different countries within 3 hours (Uses Authentication Normalization)\",\"description\":\"This query searches for successful user logins from different countries within 3 hours.\\n To use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimAuthentication)\",\"lastUpdatedDateUTC\":\"2024-06-28T00:00:00Z\",\"createdDateUTC\":\"2021-06-14T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ed8c9153-6f7a-4602-97b4-48c336b299e1\",\"name\":\"ed8c9153-6f7a-4602-97b4-48c336b299e1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let guids = dynamic([\\\"{ddc05a5a-351a-4e06-8eaf-54ec1bc2dcea}\\\",\\\"{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\\\",\\\"{4590f811-1d3a-11d0-891f-00aa004b2e24}\\\", \\\"{4de225bf-cf59-4cfc-85f7-68b90f185355}\\\", \\\"{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A}\\\"]);\\n let mde_data = DeviceRegistryEvents\\n | where ActionType =~ \\\"RegistryValueSet\\\"\\n | where RegistryKey contains \\\"HKEY_LOCAL_MACHINE\\\\\\\\SOFTWARE\\\\\\\\Classes\\\\\\\\CLSID\\\"\\n | where RegistryKey has_any (guids)\\n | where RegistryValueData has \\\"System32\\\\\\\\spool\\\\\\\\drivers\\\\\\\\color\\\";\\n let event_data = SecurityEvent\\n | where EventID == 4657\\n | where ObjectName contains \\\"HKEY_LOCAL_MACHINE\\\\\\\\SOFTWARE\\\\\\\\Classes\\\\\\\\CLSID\\\"\\n | where ObjectName has_any (guids)\\n | where NewValue has \\\"System32\\\\\\\\spool\\\\\\\\drivers\\\\\\\\color\\\"\\n | extend RegistryKey = ObjectName, RegistryValueData = NewValue, DeviceName=Computer, InitiatingProcessFileName = Process, InitiatingProcessAccountName=SubjectUserName, InitiatingProcessAccountDomain = SubjectDomainName;\\n union mde_data, event_data\\n | extend HostName = tostring(split(DeviceName, \\\".\\\")[0]), DomainIndex = toint(indexof(DeviceName, \u0027.\u0027))\\n | extend HostNameDomain = iff(DomainIndex != -1, substring(DeviceName, DomainIndex + 1), DeviceName)\",\"entityMappings\":[{\"entityType\":\"RegistryKey\",\"fieldMappings\":[{\"identifier\":\"Key\",\"columnName\":\"RegistryKey\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DeviceName\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"InitiatingProcessFileName\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"InitiatingProcessAccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"InitiatingProcessAccountName\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"COM Registry Key Modified to Point to File in Color Profile Folder\",\"description\":\"This query looks for changes to COM registry keys to point to files in C:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\color\\\\.\\n This can be used to enable COM hijacking for persistence.\\n Ref: https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2022-07-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceRegistryEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b619d1f1-7f39-4c7e-bf9e-afbb46457997\",\"name\":\"b619d1f1-7f39-4c7e-bf9e-afbb46457997\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Medium\",\"query\":\"let timeframe = 15m;\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(timeframe)\\n| where HttpUserAgentOriginal contains \\\"XMRig\\\" or HttpUserAgentOriginal contains \\\"ccminer\\\"\\n| extend Message = \\\"Crypto Miner User Agent\\\"\\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated,HttpUserAgentOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlOriginal\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - Crypto Miner User-Agent Detected\",\"description\":\"Detects suspicious user agent strings used by crypto miners in proxy logs.\",\"lastUpdatedDateUTC\":\"2023-12-29T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/677da133-e487-4108-a150-5b926591a92b\",\"name\":\"677da133-e487-4108-a150-5b926591a92b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"Medium\",\"query\":\"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string)\\n[@\\\"https://raw.githubusercontent.com/microsoft/mstic/master/Indicators/May21-NOBELIUM/May21NOBELIUMIoCs.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet sha256s = (iocs | where Type =~ \\\"SHA256\\\"| project IoC);\\nlet ips = (iocs | where Type =~ \\\"IP\\\"| project IoC);\\nlet IPList = dynamic([\\\"192.99.221.77\\\",\\\"83.171.237.173\\\"]);\\nlet ips_list=toscalar(ips | summarize makeset(IoC));\\nlet full_ip_list= array_concat(ips_list, IPList);\\nlet domains = (iocs | where Type =~ \\\"Domain\\\"| project IoC);\\nlet domain_list=toscalar(domains | summarize make_set(IoC));\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\nlet sha256Hashes = dynamic([\\\"2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9226c80b8b31252\\\",\\n\\\"d035d394a82ae1e44b25e273f99eae8e2369da828d6b6fdb95076fd3eb5de142\\\",\\n\\\"94786066a64c0eb260a28a2959fcd31d63d175ade8b05ae682d3f6f9b2a5a916\\\",\\n\\\"48b5fb3fa3ea67c2bc0086c41ec755c39d748a7100d71b81f618e82bf1c479f0\\\",\\n\\\"ee44c0692fd2ab2f01d17ca4b58ca6c7f79388cbc681f885bb17ec946514088c\\\",\\n\\\"ee42ddacbd202008bcc1312e548e1d9ac670dd3d86c999606a3a01d464a2a330\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or DestinationHostName in~ (domains) or RequestURL has_any (domains) or Message has_any (IPList)\\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", RequestURL in (domains), \\\"RequestUrl\\\", SourceIP in (ips), \\\"SourceIP\\\", DestinationIP in (ips), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", \\\"NoMatch\\\") \\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, \\\"NoMatch\\\"), AccountCustomEntity = SourceUserID\\n),\\n(_Im_Dns (domain_has_any=todynamic(domain_list))\\n| extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host\\n),\\n(_Im_Dns (response_has_any_prefix=todynamic(full_ip_list))\\n| extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host\\n),\\n(VMConnection\\n| where SourceIp in (IPList) or DestinationIp in (IPList) or SourceIp in (ips) or DestinationIp in (ips) or RemoteDnsCanonicalNames has_any (domains)\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", SourceIp in (ips), \\\"SourceIP\\\", DestinationIp in (ips), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"NoMatch\\\"), HostCustomEntity = Computer\\n),\\n(OfficeActivity\\n| where ClientIP in (IPList) or ClientIP in (ips)\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = UserId\\n),\\n(WindowsFirewall\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or SourceIP in (ips) or DestinationIP in (ips)\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", SourceIP in (ips), \\\"SourceIP\\\", DestinationIP in (ips), \\\"DestinationIP\\\", \\\"None\\\")\\n),\\n(_Im_NetworkSession(srcipaddr_has_any_prefix=full_ip_list)\\n | extend IPMatch = \\\"SourceIP\\\"\\n | extend timestamp = TimeGenerated, HostCustomEntity = Dvc , IPCustomEntity = SrcIpAddr //, AccountCustomEntity =User\\n),\\n(_Im_NetworkSession(dstipaddr_has_any_prefix=full_ip_list)\\n | extend IPMatch = \\\"DestinationIP\\\"\\n | extend timestamp = TimeGenerated, HostCustomEntity = Dvc , IPCustomEntity = DstIpAddr //, AccountCustomEntity =User\\n),\\n(_Im_WebSession(url_has_any=domains)\\n | extend timestamp=TimeGenerated, HostCustomEntity=Dvc , DNSName=tostring(parse_url(Url)[\\\"Host\\\"]), AccountCustomEntity=User\\n),\\n(_Im_WebSession(srcipaddr_has_any_prefix=full_ip_list)\\n | extend timestamp=TimeGenerated, HostCustomEntity=Dvc , DNSName=tostring(parse_url(Url)[\\\"Host\\\"]), AccountCustomEntity=User\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (domains) \\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost\\n),\\n(AZFWApplicationRule\\n| where isnotempty(Fqdn)\\n| where Fqdn has_any (domains)\\n| extend timestamp = TimeGenerated\\n| extend DNSName = Fqdn\\n| extend IPCustomEntity = SourceIp\\n),\\n(AZFWDnsQuery\\n| where isnotempty(QueryName)\\n| where QueryName has_any (domains)\\n| extend timestamp = TimeGenerated\\n| extend DNSName = QueryName\\n| extend IPCustomEntity = SourceIp\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updating\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| where EventDetail has_any (sha256Hashes) or EventDetail has_any (sha256s)\\n| parse EventDetail with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = SHA256\\n| project Type, TimeGenerated, Computer, Account, FileHash\\n),\\n(DeviceFileEvents\\n| where SHA256 in~ (sha256Hashes) or SHA256 in~ (sha256s)\\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = SHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(imFileEvent\\n| where TargetFileSHA256 in~ (sha256Hashes) or TargetFileSHA256 in~ (sha256s)\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes) or FileHash in (sha256s)\\n| extend timestamp = TimeGenerated\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"DNSName\"}]}],\"tactics\":[\"CommandAndControl\",\"Execution\"],\"displayName\":\"[Deprecated] - Midnight Blizzard - Domain, Hash and IP IOCs - May 2021\",\"description\":\"This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft\u0027s Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2021-03-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceFileEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\",\"AZFWApplicationRule\",\"AZFWDnsQuery\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9d8b5a18-b7db-4c23-84a6-95febaf7e1e4\",\"name\":\"9d8b5a18-b7db-4c23-84a6-95febaf7e1e4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT12H\",\"queryPeriod\":\"PT12H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Europium_September2022.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\nlet IPList = (iocs | where Type =~ \\\"ip\\\"| project IoC);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList)\\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| project TimeGenerated, SourceIP, DestinationIP, Message, SourceUserID, RequestURL, DNSName, Type\\n| extend MessageIP = extract(IPRegex, 0, Message), RequestIP = extract(IPRegex, 0, RequestURL)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", \\\"NoMatch\\\")\\n| extend timestamp = TimeGenerated, IPEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, \\\"NoMatch\\\")\\n),\\n(DnsEvents\\n| where IPAddresses in (IPList) \\n| project TimeGenerated, Computer, IPAddresses, Name, ClientIP, Type\\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Computer \\n| extend timestamp = TimeGenerated, IPEntity = DestinationIPAddress, HostEntity = Computer\\n),\\n(VMConnection\\n| where SourceIp in (IPList) or DestinationIp in (IPList)\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| project TimeGenerated, Computer, Direction, ProcessName, SourceIp, DestinationIp, DestinationPort, RemoteDnsQuestions, DNSName,BytesSent, BytesReceived, RemoteCountry, Type\\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated, IPEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"NoMatch\\\"), File = ProcessName, HostEntity = Computer\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = tostring(EventDetail.[9].[\\\"#text\\\"]), DestinationIP = tostring(EventDetail.[14].[\\\"#text\\\"]), Image = tostring(EventDetail.[4].[\\\"#text\\\"])\\n| where SourceIP in (IPList) or DestinationIP in (IPList)\\n| project TimeGenerated, SourceIP, DestinationIP, Image, UserName, Computer, Type\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\")\\n| extend timestamp = TimeGenerated, File = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), IPEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\"), \\nHostEntity = Computer, AccountName = tostring(split(UserName, @\u0027\\\\\u0027)[1]), AccountDomain = tostring(split(UserName, @\u0027\\\\\u0027)[0])\\n| extend InitiatingProcessAccount = UserName\\n), \\n(OfficeActivity\\n| where ClientIP in (IPList) \\n| project TimeGenerated, UserAgent, Operation, RecordType, UserId, ClientIP, Type\\n| extend timestamp = TimeGenerated, IPEntity = ClientIP, AccountName = tostring(split(UserId, \\\"@\\\")[0]), AccountDomain = tostring(split(UserId, \\\"@\\\")[1])\\n| extend InitiatingProcessAccount = UserId\\n),\\n(DeviceNetworkEvents\\n| where RemoteIP in (IPList) or InitiatingProcessSHA256 in (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, Computer = DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, \\nInitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort, LocalIP, Type\\n| extend timestamp = TimeGenerated, IPEntity = RemoteIP, HostEntity = Computer, AccountName = InitiatingProcessAccountName, AccountDomain = InitiatingProcessAccountDomain\\n| extend InitiatingProcessAccount = strcat(AccountDomain, \\\"\\\\\\\\\\\", AccountName)\\n),\\n(WindowsFirewall\\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| project TimeGenerated, Computer, CommunicationDirection, SourceIP, DestinationIP, SourcePort, DestinationPort, Type\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\")\\n| extend timestamp = TimeGenerated, HostEntity = Computer, IPEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n), \\n(imFileEvent\\n| where TargetFileSHA256 has_any (sha256Hashes)\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n| extend timestamp = TimeGenerated, IPEntity = IPAddress, HostEntity = Computer, Algorithm = \\\"SHA256\\\", FileHash = tostring(FileHash)\\n| extend AccountName = tostring(split(Account, @\u0027\\\\\u0027)[1]), AccountDomain = tostring(split(Account, @\u0027\\\\\u0027)[0])\\n| extend InitiatingProcessAccount = Account\\n),\\n(DeviceFileEvents\\n| where SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, \\nInitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostEntity = DeviceName, AccountName = InitiatingProcessAccountName, AccountDomain = InitiatingProcessAccountDomain, \\nAlgorithm = \\\"SHA256\\\", FileHash = tostring(InitiatingProcessSHA256), CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n| extend InitiatingProcessAccount = strcat(AccountDomain, \\\"\\\\\\\\\\\", AccountName)\\n),\\n(DeviceImageLoadEvents\\n| where SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, \\nInitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostEntity = DeviceName, AccountName = InitiatingProcessAccountName, AccountDomain = InitiatingProcessAccountDomain, \\nAlgorithm = \\\"SHA256\\\", FileHash = tostring(InitiatingProcessSHA256), CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n| extend InitiatingProcessAccount = strcat(AccountDomain, \\\"\\\\\\\\\\\", AccountName)\\n),\\n(Event\\n| where Source =~ \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Image = EventDetail.[4].[\\\"#text\\\"], CommandLine = EventDetail.[10].[\\\"#text\\\"], Hashes = tostring(EventDetail.[17].[\\\"#text\\\"])\\n| extend Hashes = extract_all(@\\\"(?P\u003ckey\u003e\\\\w+)=(?P\u003cvalue\u003e[a-zA-Z0-9]+)\\\", dynamic([\\\"key\\\",\\\"value\\\"]), Hashes)\\n| extend Hashes = column_ifexists(\\\"Hashes\\\", dynamic([\\\"\\\", \\\"\\\"])), CommandLine = column_ifexists(\\\"CommandLine\\\", \\\"\\\")\\n| mv-expand Hashes\\n| where Hashes[0] =~ \\\"SHA256\\\" and Hashes[1] has_any (sha256Hashes) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, Hashes, CommandLine, Image\\n| extend Type = strcat(Type, \\\": \\\", Source)\\n| extend timestamp = TimeGenerated, HostEntity = Computer, AccountName = tostring(split(UserName, @\u0027\\\\\u0027)[1]), AccountUPNSuffix = tostring(split(UserName, @\u0027\\\\\u0027)[0]), FileHash = tostring(Hashes[1])\\n| extend InitiatingProcessAccount = UserName\\n)\\n)\\n| extend HostName = tostring(split(HostEntity, \\\".\\\")[0]), DomainIndex = toint(indexof(HostEntity, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(HostEntity, DomainIndex + 1), HostEntity)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingProcessAccount\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostEntity\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"Algorithm\"},{\"identifier\":\"Value\",\"columnName\":\"FileHash\"}]}],\"tactics\":[\"CommandAndControl\",\"CredentialAccess\"],\"displayName\":\"Europium - Hash and IP IOCs - September 2022\",\"description\":\"Identifies a match across various data feeds for hashes and IP IOC related to Europium\\n Reference: https://www.microsoft.com/security/blog/2022/09/08/microsoft-investigates-iranian-attacks-against-the-albanian-government\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2022-08-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceFileEvents\",\"DeviceImageLoadEvents\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f7c3f5c8-71ea-49ff-b8b3-148f0e346291\",\"name\":\"f7c3f5c8-71ea-49ff-b8b3-148f0e346291\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Low\",\"query\":\"let known_locations = (SigninLogs\\n | where TimeGenerated between(ago(7d)..ago(1d))\\n | where ResultType == 0\\n | extend LocationDetail = strcat(Location, \\\"-\\\", LocationDetails.state)\\n | summarize by LocationDetail);\\nlet known_asn = (SigninLogs\\n | where TimeGenerated between(ago(7d)..ago(1d))\\n | where ResultType == 0\\n | summarize by AutonomousSystemNumber);\\nSigninLogs\\n| where TimeGenerated \u003e ago(1d)\\n| where ResultType == 0\\n| where isempty(DeviceDetail.deviceId)\\n| where AuthenticationRequirement == \\\"singleFactorAuthentication\\\"\\n| extend LocationParsed = parse_json(LocationDetails), DeviceParsed = parse_json(DeviceDetail)\\n| extend City = tostring(LocationParsed.city), State = tostring(LocationParsed.state)\\n| extend LocationDetail = strcat(Location, \\\"-\\\", State)\\n| extend DeviceId = tostring(DeviceParsed.deviceId), DeviceName=tostring(DeviceParsed.displayName), OS=tostring(DeviceParsed.operatingSystem), Browser=tostring(DeviceParsed.browser)\\n| where AutonomousSystemNumber !in (known_asn) and LocationDetail !in (known_locations)\\n| project TimeGenerated, Type, UserId, UserDisplayName, UserPrincipalName, IPAddress, Location, State, City, ResultType, ResultDescription, AppId, AppDisplayName, AuthenticationRequirement, ConditionalAccessStatus, ResourceDisplayName, ClientAppUsed, Identity, HomeTenantId, ResourceTenantId, Status, UserAgent, DeviceId, DeviceName, OS, Browser, MfaDetail\\n| extend Name = tostring(split(UserPrincipalName,\u0027@\u0027,0)[0]), UPNSuffix = tostring(split(UserPrincipalName,\u0027@\u0027,1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]},{\"entityType\":\"CloudApplication\",\"fieldMappings\":[{\"identifier\":\"AppId\",\"columnName\":\"AppId\"},{\"identifier\":\"Name\",\"columnName\":\"AppDisplayName\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Anomalous Single Factor Signin\",\"description\":\"Detects successful signins using single factor authentication where the device, location, and ASN are abnormal.\\n Single factor authentications pose an opportunity to access compromised accounts, investigate these for anomalous occurrencess.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-devices#non-compliant-device-sign-in\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2024-06-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cfc1ae62-db63-4a3e-b88b-dc04030c2257\",\"name\":\"cfc1ae62-db63-4a3e-b88b-dc04030c2257\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"High\",\"query\":\"// change the starttime value for a longer period of known OIDs\\nlet starttime = 1d;\\n// change the lookback value for a longer period of lookback for suspicious/abnormal\\nlet lookback = 1h;\\nlet OIDList = SecurityEvent\\n| where TimeGenerated \u003e= ago(starttime)\\n| where EventSourceName == \u0027AD FS Auditing\u0027\\n| where EventID == 501\\n| where EventData has \u0027/eku\u0027\\n| extend OIDs = extract_all(@\\\"\u003cData\u003e([\\\\d+\\\\.]+)\u003c/Data\u003e\\\", EventData)\\n| mv-expand OIDs\\n| extend OID = tostring(OIDs)\\n| extend OID_Length = strlen(OID)\\n| project TimeGenerated, Computer, EventSourceName, EventID, OID, OID_Length, EventData\\n;\\nOIDList\\n| where TimeGenerated \u003e= ago(lookback)\\n| join kind=leftanti (\\nOIDList\\n| where TimeGenerated between (ago(starttime) .. ago(lookback))\\n| summarize by OID\\n) on OID\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"AD FS Abnormal EKU object identifier attribute\",\"description\":\"This detection uses Security events from the \\\"AD FS Auditing\\\" provider to detect suspicious object identifiers (OIDs) as part EventID 501 and specifically part of the Enhanced Key Usage attributes.\\nThis query checks to see if you have any new OIDs in the last hour that have not been seen in the previous day. New OIDs should be validated and OIDs that are very long, as indicated\\nby the OID_Length field, could also be an indicator of malicious activity.\\nIn order to use this query you need to enable AD FS auditing on the AD FS Server.\\nReferences:\\nhttps://www.microsoft.com/security/blog/2022/08/24/magicweb-nobeliums-post-compromise-trick-to-authenticate-as-anyone/\\nhttps://docs.microsoft.com/windows-server/identity/ad-fs/troubleshooting/ad-fs-tshoot-logging\\n\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2022-08-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/19e01883-15d8-4eb6-a7a5-3276cd668388\",\"name\":\"19e01883-15d8-4eb6-a7a5-3276cd668388\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Medium\",\"query\":\"let timeBin = 1m;\\nlet failedThreshold = 20;\\nW3CIISLog\\n| where scStatus in (\\\"401\\\",\\\"403\\\")\\n| where csUserName != \\\"-\\\"\\n| extend scStatusFull = strcat(scStatus, \\\".\\\",scSubStatus)\\n// Map common IIS codes\\n| extend scStatusFull_Friendly = case(\\nscStatusFull == \\\"401.0\\\", \\\"Access denied.\\\",\\nscStatusFull == \\\"401.1\\\", \\\"Logon failed.\\\",\\nscStatusFull == \\\"401.2\\\", \\\"Logon failed due to server configuration.\\\",\\nscStatusFull == \\\"401.3\\\", \\\"Unauthorized due to ACL on resource.\\\",\\nscStatusFull == \\\"401.4\\\", \\\"Authorization failed by filter.\\\",\\nscStatusFull == \\\"401.5\\\", \\\"Authorization failed by ISAPI/CGI application.\\\",\\nscStatusFull == \\\"403.0\\\", \\\"Forbidden.\\\",\\nscStatusFull == \\\"403.4\\\", \\\"SSL required.\\\",\\n\\\"See - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\\")\\n// Mapping to Hex so can be mapped using website in comments above\\n| extend scWin32Status_Hex = tohex(tolong(scWin32Status))\\n// Map common win32 codes\\n| extend scWin32Status_Friendly = case(\\nscWin32Status_Hex =~ \\\"775\\\", \\\"The referenced account is currently locked out and cannot be logged on to.\\\",\\nscWin32Status_Hex =~ \\\"52e\\\", \\\"Logon failure: Unknown user name or bad password.\\\",\\nscWin32Status_Hex =~ \\\"532\\\", \\\"Logon failure: The specified account password has expired.\\\",\\nscWin32Status_Hex =~ \\\"533\\\", \\\"Logon failure: Account currently disabled.\\\",\\nscWin32Status_Hex =~ \\\"2ee2\\\", \\\"The request has timed out.\\\",\\nscWin32Status_Hex =~ \\\"0\\\", \\\"The operation completed successfully.\\\",\\nscWin32Status_Hex =~ \\\"1\\\", \\\"Incorrect function.\\\",\\nscWin32Status_Hex =~ \\\"2\\\", \\\"The system cannot find the file specified.\\\",\\nscWin32Status_Hex =~ \\\"3\\\", \\\"The system cannot find the path specified.\\\",\\nscWin32Status_Hex =~ \\\"4\\\", \\\"The system cannot open the file.\\\",\\nscWin32Status_Hex =~ \\\"5\\\", \\\"Access is denied.\\\",\\nscWin32Status_Hex =~ \\\"8009030e\\\", \\\"SEC_E_NO_CREDENTIALS\\\",\\nscWin32Status_Hex =~ \\\"8009030C\\\", \\\"SEC_E_LOGON_DENIED\\\",\\n\\\"See - https://msdn.microsoft.com/library/cc231199.aspx\\\")\\n// decode URI when available\\n| extend decodedUriQuery = url_decode(csUriQuery)\\n// Count of failed attempts from same client IP\\n| summarize makeset(decodedUriQuery), makeset(csUserName), makeset(sSiteName), makeset(sPort), makeset(csUserAgent), makeset(csMethod), makeset(csUriQuery), makeset(scStatusFull), makeset(scStatusFull_Friendly), makeset(scWin32Status_Hex), makeset(scWin32Status_Friendly), FailedConnectionsCount = count() by bin(TimeGenerated, timeBin), cIP, Computer, sIP\\n| where FailedConnectionsCount \u003e= failedThreshold\\n| project TimeGenerated, cIP, set_csUserName, set_decodedUriQuery, Computer, set_sSiteName, sIP, set_sPort, set_csUserAgent, set_csMethod, set_scStatusFull, set_scStatusFull_Friendly, set_scWin32Status_Hex, set_scWin32Status_Friendly, FailedConnectionsCount\\n| order by FailedConnectionsCount\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"cIP\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"High count of failed attempts from same client IP\",\"description\":\"Identifies when 20 or more failed attempts from a given client IP in 1 minute occur on the IIS server.\\nThis could be indicative of an attempted brute force. This could also simply indicate a misconfigured service or device.\\nRecommendations: Validate that these are expected connections from the given Client IP. If the client IP is not recognized, potentially block these connections at the edge device.\\nIf these are expected connections, verify the credentials are properly configured on the system, service, application or device that is associated with the client IP.\\nReferences:\\nIIS status code mapping: https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\nWin32 Status code mapping: https://msdn.microsoft.com/library/cc231199.aspx\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2019-03-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/35ce9aff-1708-45b8-a295-5e9a307f5f17\",\"name\":\"35ce9aff-1708-45b8-a295-5e9a307f5f17\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"Medium\",\"query\":\"AzureDevOpsAuditing\\n| where OperationName =~ \\\"Group.UpdateGroupMembership.Add\\\"\\n| where Details has_any (\\\"Project Administrators\\\", \\\"Project Collection Administrators\\\", \\\"Project Collection Service Accounts\\\", \\\"Build Administrator\\\")\\n| project-reorder TimeGenerated, Details, ActorUPN, IpAddress, UserAgent, AuthenticationMechanism, ScopeDisplayName\\n| extend timekey = bin(TimeGenerated, 1h)\\n| extend ActorUserId = tostring(Data.MemberId)\\n| project timekey, ActorUserId, AddingUser=ActorUPN, TimeAdded=TimeGenerated, PermissionGrantDetails = Details\\n// Get details of operations conducted by user soon after elevation of permissions\\n| join (AzureDevOpsAuditing\\n| extend ActorUserId = tostring(Data.MemberId)\\n| extend timekey = bin(TimeGenerated, 1h)) on timekey, ActorUserId\\n| summarize ActionsWhenAdded = make_set(OperationName) by ActorUPN, AddingUser, TimeAdded, PermissionGrantDetails, IpAddress, UserAgent\\n| extend AccountName = tostring(split(ActorUPN, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(ActorUPN, \\\"@\\\")[1])\\n| extend AddingUserAccountName = tostring(split(AddingUser, \\\"@\\\")[0]), AddingUserAccountUPNSuffix = tostring(split(AddingUser, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ActorUPN\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddingUser\"},{\"identifier\":\"Name\",\"columnName\":\"AddingUserAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AddingUserAccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"New PA, PCA, or PCAS added to Azure DevOps\",\"description\":\"In order for an attacker to be able to conduct many potential attacks against Azure DevOps they will need to gain elevated permissions. \\nThis detection looks for users being granted key administrative permissions. If the principal of least privilege is applied, the number of users granted these permissions should be small. Note that permissions can also be granted via Microsoft Entra ID Protection groups and monitoring of these should also be conducted.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5b72f527-e3f6-4a00-9908-8e4fee14da9f\",\"name\":\"5b72f527-e3f6-4a00-9908-8e4fee14da9f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.7\",\"severity\":\"Low\",\"query\":\"CommonSecurityLog\\n| where isnotempty(DestinationPort) and DeviceAction !in (\\\"reset-both\\\", \\\"deny\\\")\\n// filter out common usage ports. Add ports that are legitimate for your environment\\n| where DestinationPort !in (\\\"443\\\", \\\"53\\\", \\\"389\\\", \\\"80\\\", \\\"0\\\", \\\"880\\\", \\\"8888\\\", \\\"8080\\\")\\n| where ApplicationProtocol == \\\"incomplete\\\"\\n// filter out IANA ephemeral or negotiated ports as per https://en.wikipedia.org/wiki/Ephemeral_port\\n| where DestinationPort !between (toint(49512) .. toint(65535))\\n| where Computer != \\\"\\\"\\n| where ipv4_is_private(DestinationIP) == false\\n| extend Reason = coalesce(\\n column_ifexists(\\\"Reason\\\", \\\"\\\"),\\n extract(\\\"reason=(.+?)(;|$)\\\", 1, AdditionalExtensions),\\n \\\"\\\"\\n )\\n// Filter out any graceful reset reasons of AGED OUT which occurs when a TCP session closes with a FIN due to aging out.\\n| where Reason !has \\\"aged-out\\\"\\n// Filter out any TCP FIN which occurs when a TCP FIN is used to gracefully close half or both sides of a connection.\\n| where Reason !has \\\"tcp-fin\\\"\\n// Uncomment one of the following where clauses to trigger on specific TCP reset reasons\\n// See Palo Alto article for details - https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClUvCAK\\n// TCP RST-server - Occurs when the server sends a TCP reset to the client\\n// | where AdditionalExtensions has \\\"reason=tcp-rst-from-server\\\"\\n// TCP RST-client - Occurs when the client sends a TCP reset to the server\\n// | where AdditionalExtensions has \\\"reason=tcp-rst-from-client\\\"\\n// Already performed\\n//| extend reason = tostring(split(AdditionalExtensions, \\\";\\\")[3])\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by DeviceName, SourceUserID, SourceIP, ApplicationProtocol, Reason, DestinationPort, Protocol, DeviceVendor, DeviceProduct, DeviceAction, DestinationIP\\n| where count_ \u003e= 10\\n| summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), makeset(DestinationIP), totalcount = sum(count_) by DeviceName, SourceUserID, SourceIP, ApplicationProtocol, Reason, DestinationPort, Protocol, DeviceVendor, DeviceProduct, DeviceAction\\n| extend timestamp = StartTimeUtc, IPCustomEntity = SourceIP, AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Discovery\"],\"displayName\":\"Palo Alto - possible internal to external port scanning\",\"description\":\"Identifies a list of internal Source IPs (10.x.x.x Hosts) that have triggered 10 or more non-graceful tcp server resets from one or more Destination IPs which results in an \\\"ApplicationProtocol = incomplete\\\" designation. The server resets coupled with an \\\"Incomplete\\\" ApplicationProtocol designation can be an indication of internal to external port scanning or probing attack.\\nReferences: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClUvCAK and\\nhttps://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClTaCAK\",\"lastUpdatedDateUTC\":\"2024-11-07T00:00:00Z\",\"createdDateUTC\":\"2019-02-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CefAma\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/af435ca1-fb70-4de1-92c1-7435c48482a9\",\"name\":\"af435ca1-fb70-4de1-92c1-7435c48482a9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"let admin_users = (IdentityInfo\\n | summarize arg_max(TimeGenerated, *) by AccountUPN\\n | where AssignedRoles contains \\\"admin\\\"\\n | summarize by tolower(AccountUPN));\\n let admin_asn = (SigninLogs\\n | where TimeGenerated between (ago(7d)..ago(1d))\\n | where tolower(UserPrincipalName) in (admin_users)\\n | summarize by AutonomousSystemNumber);\\n let admin_locations = (SigninLogs\\n | where TimeGenerated between (ago(7d)..ago(1d))\\n | where tolower(UserPrincipalName) in (admin_users)\\n | summarize by Location);\\n let admin_devices = (SigninLogs\\n | where TimeGenerated between (ago(7d)..ago(1d))\\n | where tolower(UserPrincipalName) in (admin_users)\\n | extend deviceId = tostring(DeviceDetail.deviceId)\\n | where isnotempty(deviceId)\\n | summarize by deviceId);\\n SigninLogs\\n | where TimeGenerated \u003e ago(1d)\\n | where ResultType == 0\\n | where tolower(UserPrincipalName) in (admin_users)\\n | extend deviceId = tostring(DeviceDetail.deviceId)\\n | where AutonomousSystemNumber !in (admin_asn) and deviceId !in (admin_devices) and Location !in (admin_locations)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Authentications of Privileged Accounts Outside of Expected Controls\",\"description\":\"Detects when a privileged user account successfully authenticates from a location, device or ASN that another admin has not logged in from in the last 7 days.\\n Privileged accounts are a key target for threat actors, monitoring for logins from these accounts that deviate from normal activity can help identify compromised accounts.\\n Authentication attempts should be investigated to ensure the activity was legitimate and if there is other similar activity.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-successful-unusual-sign-ins\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"BehaviorAnalytics\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"IdentityInfo\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0777f138-e5d8-4eab-bec1-e11ddfbc2be2\",\"name\":\"0777f138-e5d8-4eab-bec1-e11ddfbc2be2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.5\",\"severity\":\"Low\",\"query\":\"let threshold = 20;\\nlet ReasontoSubStatus = datatable(SubStatus: string, Reason: string) [\\n \\\"0xc000005e\\\", \\\"There are currently no logon servers available to service the logon request.\\\",\\n \\\"0xc0000064\\\", \\\"User logon with misspelled or bad user account\\\",\\n \\\"0xc000006a\\\", \\\"User logon with misspelled or bad password\\\",\\n \\\"0xc000006d\\\", \\\"Bad user name or password\\\",\\n \\\"0xc000006e\\\", \\\"Unknown user name or bad password\\\",\\n \\\"0xc000006f\\\", \\\"User logon outside authorized hours\\\",\\n \\\"0xc0000070\\\", \\\"User logon from unauthorized workstation\\\",\\n \\\"0xc0000071\\\", \\\"User logon with expired password\\\",\\n \\\"0xc0000072\\\", \\\"User logon to account disabled by administrator\\\",\\n \\\"0xc00000dc\\\", \\\"Indicates the Sam Server was in the wrong state to perform the desired operation\\\",\\n \\\"0xc0000133\\\", \\\"Clocks between DC and other computer too far out of sync\\\",\\n \\\"0xc000015b\\\", \\\"The user has not been granted the requested logon type (aka logon right) at this machine\\\",\\n \\\"0xc000018c\\\", \\\"The logon request failed because the trust relationship between the primary domain and the trusted domain failed\\\",\\n \\\"0xc0000192\\\", \\\"An attempt was made to logon, but the Netlogon service was not started\\\",\\n \\\"0xc0000193\\\", \\\"User logon with expired account\\\",\\n \\\"0xc0000224\\\", \\\"User is required to change password at next logon\\\",\\n \\\"0xc0000225\\\", \\\"Evidently a bug in Windows and not a risk\\\",\\n \\\"0xc0000234\\\", \\\"User logon with account locked\\\",\\n \\\"0xc00002ee\\\", \\\"Failure Reason: An Error occurred during Logon\\\",\\n \\\"0xc0000413\\\", \\\"Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine\\\"\\n];\\n(union isfuzzy=true\\n (SecurityEvent\\n | where EventID == 4625\\n | where AccountType =~ \\\"User\\\"\\n | where SubStatus !~ \u00270xc0000064\u0027 and Account !in (\u0027\\\\\\\\\u0027, \u0027-\\\\\\\\-\u0027)\\n // SubStatus \u00270xc0000064\u0027 signifies \u0027Account name does not exist\u0027\\n | extend\\n ResourceId = column_ifexists(\\\"_ResourceId\\\", _ResourceId),\\n SourceComputerId = column_ifexists(\\\"SourceComputerId\\\", SourceComputerId),\\n SubStatus = tolower(SubStatus)\\n | lookup ReasontoSubStatus on SubStatus\\n | extend coalesce(Reason, strcat(\u0027Unknown reason substatus: \u0027, SubStatus))\\n | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), FailedLogonCount = count() by bin(TimeGenerated,10m), EventID,\\n Activity, Computer, Account, TargetAccount, TargetUserName, TargetDomainName,\\n LogonType, LogonTypeName, LogonProcessName, Status, SubStatus, Reason, ResourceId, SourceComputerId, WorkstationName, IpAddress\\n | where FailedLogonCount \u003e= threshold\\n ),\\n (\\n (WindowsEvent\\n | where EventID == 4625 and not(EventData has \u00270xc0000064\u0027)\\n | extend TargetAccount = strcat(tostring(EventData.TargetDomainName), \\\"\\\\\\\\\\\", tostring(EventData.TargetUserName))\\n | extend TargetUserSid = tostring(EventData.TargetUserSid)\\n | extend AccountType=case(EventData.TargetUserName endswith \\\"$\\\" or TargetUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(TargetUserSid), \\\"\\\", \\\"User\\\")\\n | where AccountType =~ \\\"User\\\"\\n | extend SubStatus = tostring(EventData.SubStatus)\\n | where SubStatus !~ \u00270xc0000064\u0027 and TargetAccount !in (\u0027\\\\\\\\\u0027, \u0027-\\\\\\\\-\u0027)\\n // SubStatus \u00270xc0000064\u0027 signifies \u0027Account name does not exist\u0027\\n | extend\\n ResourceId = column_ifexists(\\\"_ResourceId\\\", _ResourceId),\\n SourceComputerId = column_ifexists(\\\"SourceComputerId\\\", \\\"\\\"),\\n SubStatus = tolower(SubStatus)\\n | lookup ReasontoSubStatus on SubStatus\\n | extend coalesce(Reason, strcat(\u0027Unknown reason substatus: \u0027, SubStatus))\\n | extend Activity=\\\"4625 - An account failed to log on.\\\"\\n | extend TargetUserName = tostring(EventData.TargetUserName)\\n | extend TargetDomainName = tostring(EventData.TargetDomainName)\\n | extend LogonType = tostring(EventData.LogonType)\\n | extend Status= tostring(EventData.Status)\\n | extend LogonProcessName = tostring(EventData.LogonProcessName)\\n | extend WorkstationName = tostring(EventData.WorkstationName)\\n | extend IpAddress = tostring(EventData.IpAddress)\\n | extend LogonTypeName=case(\\n LogonType == 2, \\\"2 - Interactive\\\",\\n LogonType == 3, \\\"3 - Network\\\",\\n LogonType == 4, \\\"4 - Batch\\\",\\n LogonType == 5, \\\"5 - Service\\\",\\n LogonType == 7, \\\"7 - Unlock\\\",\\n LogonType == 8, \\\"8 - NetworkCleartext\\\",\\n LogonType == 9, \\\"9 - NewCredentials\\\",\\n LogonType == 10, \\\"10 - RemoteInteractive\\\",\\n LogonType == 11, \\\"11 - CachedInteractive\\\",\\n tostring(LogonType)\\n )\\n | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), FailedLogonCount = count() by bin(TimeGenerated,10m), EventID,\\n Activity, Computer, TargetAccount, TargetUserName, TargetDomainName,\\n LogonType, LogonTypeName, LogonProcessName, Status, SubStatus, Reason, ResourceId, SourceComputerId, WorkstationName, IpAddress\\n | where FailedLogonCount \u003e= threshold\\n )))\\n| summarize arg_max(TimeGenerated, *) by Computer, TargetAccount, TargetUserName, TargetDomainName\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetAccount\"},{\"identifier\":\"Name\",\"columnName\":\"TargetUserName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"TargetDomainName\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Failed logon attempts by valid accounts within 10 mins\",\"description\":\"Identifies when failed logon attempts are 20 or higher during a 10 minute period (2 failed logons per minute minimum) from valid account.\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2019-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2de8abd6-a613-450e-95ed-08e503369fb3\",\"name\":\"2de8abd6-a613-450e-95ed-08e503369fb3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"High\",\"query\":\"let log4jioc = dynamic([\\\"jndi\\\",\\\"ldap\\\",\\\"${::\\\"]);\\nAzureDiagnostics\\n| where ResourceProvider == \\\"MICROSOFT.NETWORK\\\" and Category in (\\\"ApplicationGatewayFirewallLog\\\", \\\"FrontdoorWebApplicationFirewallLog\\\")\\n| extend details_data_s = column_ifexists(\\\"details_data_s\\\", tostring(AdditionalFields.details_data))\\n|where requestUri_s has_any (log4jioc) or details_message_s has_any (log4jioc) or details_data_s has_any (log4jioc)\\n| extend Malicious = iff(isnotempty( details_data_s),details_data_s,iff(isnotempty( requestUri_s),requestUri_s,\\\"\\\"))\\n|parse Malicious with * \u0027${\u0027 MaliciousCommand \u0027}\u0027 * \\n| extend EncodeCmd = iff(MaliciousCommand has \u0027Base64/\u0027, split(split(MaliciousCommand, \\\"Base64/\\\",1)[0], \\\"}\\\", 0)[0], \\\"\\\")\\n| extend EncodeCmd1 = iff(MaliciousCommand has \u0027base64/\u0027, split(split(MaliciousCommand, \\\"base64/\\\",1)[0], \\\"}\\\", 0)[0], \\\"\\\")\\n| extend CmdLine = iff( isnotempty(EncodeCmd), EncodeCmd, EncodeCmd1)\\n| extend DecodedCmdLine = base64_decode_tostring(tostring(CmdLine))\\n| extend DecodedCmdLine = iff( isnotempty(DecodedCmdLine), DecodedCmdLine, \\\"Unable to decode/Doesn\u0027t need decoding\\\")\\n| project TimeGenerated, Target=column_ifexists(\\\"hostname_s\\\", tostring(AdditionalFields.hostname)), MaliciousHost = column_ifexists(\\\"clientIp_s\\\", tostring(AdditionalFields.clientIp)) , MaliciousCommand, details_data_s = column_ifexists(\\\"details_data_s\\\", tostring(AdditionalFields.details_data)), DecodedCmdLine, Message,\\nruleSetType_s = column_ifexists(\\\"ruleSetType_s\\\", tostring(AdditionalFields.ruleSetType)), OperationName, SubscriptionId, details_message_s = column_ifexists(\\\"details_message_s\\\", tostring(AdditionalFields.details_message)), \\ndetails_file_s = column_ifexists(\\\"details_message_s\\\", tostring(AdditionalFields.details_file))\\n| extend timestamp = TimeGenerated\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"MaliciousHost\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Azure WAF matching for Log4j vuln(CVE-2021-44228)\",\"description\":\"This query will alert on a positive pattern match by Azure WAF for CVE-2021-44228 log4j vulnerability exploitation attempt. If possible, it then decodes the malicious command for further analysis.\\n Reference: https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2021-12-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"WAF\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/97ad74c4-fdd9-4a3f-b6bf-5e28f4f71e06\",\"name\":\"97ad74c4-fdd9-4a3f-b6bf-5e28f4f71e06\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.2\",\"severity\":\"Medium\",\"query\":\"let LearningPeriod = 7d;\\nlet BinTime = 1h;\\nlet RunTime = 1h;\\nlet StartTime = 1h; \\nlet sensitivity = 2.5;\\nlet EndRunTime = StartTime - RunTime;\\nlet EndLearningTime = StartTime + LearningPeriod;\\nlet aadFunc = (tableName:string){\\ntable(tableName) \\n| where TimeGenerated between (ago(EndLearningTime) .. ago(EndRunTime))\\n| where AppDisplayName =~ \\\"GitHub.com\\\"\\n| where ResultType != 0\\n| make-series FailedLogins = count() on TimeGenerated from ago(LearningPeriod) to ago(EndRunTime) step BinTime by UserPrincipalName, Type\\n| extend (Anomalies, Score, Baseline) = series_decompose_anomalies(FailedLogins, sensitivity, -1, \u0027linefit\u0027)\\n| mv-expand FailedLogins to typeof(double), TimeGenerated to typeof(datetime), Anomalies to typeof(double), Score to typeof(double), Baseline to typeof(long) \\n| where TimeGenerated \u003e= ago(RunTime)\\n| where Anomalies \u003e 0 and Baseline \u003e 0\\n| join kind=inner (\\n table(tableName) \\n | where TimeGenerated between (ago(StartTime) .. ago(EndRunTime))\\n | where AppDisplayName =~ \\\"GitHub.com\\\"\\n | where ResultType != 0\\n | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), IPAddresses = make_set(IPAddress,100), Locations = make_set(LocationDetails,20), Devices = make_set(DeviceDetail,20) by UserPrincipalName, UserId, AppDisplayName\\n ) on UserPrincipalName\\n| project-away UserPrincipalName1\\n| extend Name = tostring(split(UserPrincipalName,\u0027@\u0027,0)[0]), UPNSuffix = tostring(split(UserPrincipalName,\u0027@\u0027,1)[0])\\n| extend IPAddressFirst = tostring(IPAddresses[0])\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"UserId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddressFirst\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Brute Force Attack against GitHub Account\",\"description\":\"Attackers who are trying to guess your users\u0027 passwords or use brute-force methods to get in. If your organization is using SSO with Microsoft Entra ID, authentication logs to GitHub.com will be generated. Using the following query can help you identify a sudden increase in failed logon attempt of users.\",\"lastUpdatedDateUTC\":\"2024-04-05T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/05b4bccd-dd12-423d-8de4-5a6fb526bb4f\",\"name\":\"05b4bccd-dd12-423d-8de4-5a6fb526bb4f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"let known_processes = (\\n SecurityEvent\\n // If adjusting Query Period or Frequency update these\\n | where TimeGenerated between(ago(14d)..ago(1d))\\n | where EventID == 4688\\n | where NewProcessName has_any (\\\"Policies\\\\\\\\{6AC1786C-016F-11D2-945F-00C04fB984F9}\\\", \\\"Policies\\\\\\\\{31B2F340-016D-11D2-945F-00C04FB984F9}\\\")\\n | summarize by Process);\\n SecurityEvent\\n // If adjusting Query Period or Frequency update these\\n | where TimeGenerated \u003e ago(1d)\\n | where EventID == 4688\\n | where NewProcessName has_any (\\\"Policies\\\\\\\\{6AC1786C-016F-11D2-945F-00C04fB984F9}\\\", \\\"Policies\\\\\\\\{31B2F340-016D-11D2-945F-00C04FB984F9}\\\")\\n | where Process !in (known_processes)\\n // This will likely apply to multiple hosts so summarize these data\\n | summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated) by Process, NewProcessName, CommandLine, Computer\\n | extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n | extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"Execution\",\"LateralMovement\"],\"displayName\":\"New EXE deployed via Default Domain or Default Domain Controller Policies\",\"description\":\"This detection highlights executables deployed to hosts via either the Default Domain or Default Domain Controller Policies. These policies apply to all hosts or Domain Controllers and best practice is that these policies should not be used for deployment of files.\\nA threat actor may use these policies to deploy files or scripts to all hosts in a domain.\",\"lastUpdatedDateUTC\":\"2024-03-13T00:00:00Z\",\"createdDateUTC\":\"2022-02-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/826bb2f8-7894-4785-9a6b-a8a855d8366f\",\"name\":\"826bb2f8-7894-4785-9a6b-a8a855d8366f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Medium\",\"query\":\"let EventNameList = dynamic([\\\"AttachUserPolicy\\\",\\\"AttachRolePolicy\\\",\\\"AttachGroupPolicy\\\"]);\\nlet createPolicy = dynamic([\\\"CreatePolicy\\\", \\\"CreatePolicyVersion\\\"]);\\nlet timeframe = 1d;\\nlet lookback = 14d;\\n// Creating Master table with all the events to use with materialize for better performance\\nlet EventInfo = AWSCloudTrail\\n| where TimeGenerated \u003e= ago(lookback)\\n| where EventName in (EventNameList) or EventName in (createPolicy)\\n| extend UserIdentityArn = iif(isempty(UserIdentityArn), tostring(parse_json(Resources)[0].ARN), UserIdentityArn)\\n| extend UserName = tostring(split(UserIdentityArn, \u0027/\u0027)[-1])\\n| extend AccountName = case( UserIdentityPrincipalid == \\\"Anonymous\\\", \\\"Anonymous\\\", isempty(UserIdentityUserName), UserName, UserIdentityUserName)\\n| extend AccountName = iif(AccountName contains \\\"@\\\", tostring(split(AccountName, \u0027@\u0027, 0)[0]), AccountName),\\n AccountUPNSuffix = iif(AccountName contains \\\"@\\\", tostring(split(AccountName, \u0027@\u0027, 1)[0]), \\\"\\\");\\n//Checking for Policy creation event with Full Admin Privileges since lookback period.\\nlet FullAdminPolicyEvents = materialize( EventInfo\\n| where TimeGenerated \u003e= ago(lookback)\\n| where EventName in (createPolicy)\\n| extend PolicyName = tostring(parse_json(RequestParameters).policyName)\\n| extend Statement = parse_json(tostring((parse_json(RequestParameters).policyDocument))).Statement\\n| mvexpand Statement\\n| extend Action = parse_json(Statement).Action , Effect = tostring(parse_json(Statement).Effect), Resource = tostring(parse_json(Statement).Resource)\\n| mvexpand Action\\n| extend Action = tostring(Action)\\n| where Effect =~ \\\"Allow\\\" and Action == \\\"*\\\" and Resource == \\\"*\\\"\\n| distinct TimeGenerated, EventName, PolicyName, SourceIpAddress, UserIdentityArn, UserIdentityUserName, RecipientAccountId, AccountName, AccountUPNSuffix\\n| extend UserIdentityUserName = iff(isnotempty(UserIdentityUserName), UserIdentityUserName, tostring(split(UserIdentityArn,\u0027/\u0027)[-1]))\\n| project-rename StartTime = TimeGenerated );\\nlet PolicyAttach = materialize( EventInfo\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where EventName in (EventNameList)\\n| extend PolicyName = tostring(split(tostring(parse_json(RequestParameters).policyArn),\\\"/\\\")[1])\\n| summarize AttachEventCount=count(), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventSource, EventName, UserIdentityType , UserIdentityArn, SourceIpAddress, RecipientAccountId, AccountName, AccountUPNSuffix, PolicyName\\n| extend AttachEvent = pack(\\\"StartTime\\\", StartTime, \\\"EndTime\\\", EndTime, \\\"EventName\\\", EventName, \\\"UserIdentityType\\\", UserIdentityType, \\\"AccountName\\\", AccountName, \\\"AccountUPNSuffix\\\", AccountUPNSuffix, \\\"RecipientAccountId\\\", RecipientAccountId, \\\"UserIdentityArn\\\", UserIdentityArn, \\\"SourceIpAddress\\\", SourceIpAddress)\\n| project EventSource, PolicyName, AttachEvent, RecipientAccountId, AccountName, AccountUPNSuffix, AttachEventCount\\n);\\n// Joining the list of PolicyNames and checking if it has been attached to any Roles/Users/Groups.\\n// These Roles/Users/Groups will be Privileged and can be used by adversaries as pivot point for privilege escalation via multiple ways.\\nFullAdminPolicyEvents\\n| join kind=leftouter\\n(\\n PolicyAttach\\n)\\non PolicyName\\n| project-away PolicyName1\\n| extend timestamp = StartTime\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"},{\"identifier\":\"CloudAppAccountId\",\"columnName\":\"RecipientAccountId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIpAddress\"}]}],\"tactics\":[\"PrivilegeEscalation\",\"DefenseEvasion\"],\"displayName\":\"Full Admin policy created and then attached to Roles, Users or Groups\",\"description\":\"Identity and Access Management (IAM) securely manages access to AWS services and resources. \\nIdentifies when a policy is created with Full Administrators Access (Allow-Action:*,Resource:*). \\nThis policy can be attached to role,user or group and may be used by an adversary to escalate a normal user privileges to an adminsitrative level.\\nAWS IAM Policy Grammar: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_grammar.html \\nand AWS IAM API at https://docs.aws.amazon.com/IAM/latest/APIReference/API_Operations.html\",\"lastUpdatedDateUTC\":\"2024-07-15T00:00:00Z\",\"createdDateUTC\":\"2020-04-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1785d372-b9fe-4283-96a6-3a1d83cabfd1\",\"name\":\"1785d372-b9fe-4283-96a6-3a1d83cabfd1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"High\",\"query\":\"let Tarrask_threats = dynamic([\\\"HackTool:Win64/Tarrask!MS\\\", \\\"HackTool:Win64/Ligolo!MSR\\\", \\\"Behavior:Win32/ScheduledTaskHide.A\\\", \\\"Tarrask\\\"]);\\nDeviceInfo\\n| extend DeviceName = tolower(DeviceName)\\n| join kind=rightouter ( SecurityAlert\\n| where ProviderName =~ \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)\\n| where ThreatName in~ (Tarrask_threats) or ThreatFamilyName in~ (Tarrask_threats)\\n| extend CompromisedEntity = tolower(CompromisedEntity)\\n) on $left.DeviceName == $right.CompromisedEntity\\n| summarize by DisplayName, ThreatName, ThreatFamilyName, PublicIP, AlertSeverity, Description, tostring(LoggedOnUsers), DeviceId, TenantId , bin(TimeGenerated, 1d), CompromisedEntity, tostring(LoggedOnUsers), ProductName, Entities\\n| extend HostName = tostring(split(CompromisedEntity, \\\".\\\")[0]), DomainIndex = toint(indexof(CompromisedEntity, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(CompromisedEntity, DomainIndex + 1), CompromisedEntity)\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CompromisedEntity\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"PublicIP\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"AV detections related to Tarrask malware\",\"description\":\"This query looks for Microsoft Defender AV detections related to Tarrask malware. In Microsoft Sentinel, the SecurityAlerts table includes only the Device Name of the affected device, this query joins the DeviceInfo table to clearly connect other information such as Device group, ip, logged-on users etc. \\n This would allow the Microsoft Sentinel analyst to have more context related to the alert, if available.\\n Reference: https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-04-12T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e2559891-383c-4caf-ae67-55a008b9f89e\",\"name\":\"e2559891-383c-4caf-ae67-55a008b9f89e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.5\",\"severity\":\"Medium\",\"query\":\"let HAS_ANY_MAX = 10000;\\nlet dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet IP_TI = ThreatIntelligenceIndicator\\n | where TimeGenerated \u003e= ago(ioc_lookBack)\\n // As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n // Taking the first non-empty value based on potential IOC match availability\\n | extend TI_ipEntity = coalesce(NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, \\\"NO_IP\\\")\\n // Picking up only IOC\u0027s that contain the entities we want\\n | where TI_ipEntity != \\\"NO_IP\\\"\\n // Exclude local addresses, using the ipv4_is_private operator\\n | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \\\"fe80\\\" and TI_ipEntity !startswith \\\"::\\\" and TI_ipEntity !startswith \\\"127.\\\"\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n | where Active == true and ExpirationDateTime \u003e now();\\nlet IP_TI_list = toscalar(IP_TI\\n | summarize NIoCs = dcount(TI_ipEntity), IoCs = make_set(TI_ipEntity)\\n | project IoCs = iff(NIoCs \u003e HAS_ANY_MAX, dynamic([]), IoCs));\\nIP_TI\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind = innerunique (\\n _Im_WebSession (starttime = ago(dt_lookBack), srcipaddr_has_any_prefix = IP_TI_list)\\n | where isnotempty(SrcIpAddr)\\n // renaming time column so it is clear the log this came from\\n | extend imNWS_TimeGenerated = TimeGenerated\\n )\\n on $left.TI_ipEntity == $right.SrcIpAddr\\n| where imNWS_TimeGenerated \u003c ExpirationDateTime\\n| summarize imNWS_TimeGenerated = arg_max(imNWS_TimeGenerated, *) by IndicatorId, DstIpAddr\\n| project imNWS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore,\\n TI_ipEntity, Dvc, SrcIpAddr, DstIpAddr, Url, Type\",\"customDetails\":{\"EventTime\":\"imNWS_TimeGenerated\",\"IoCDescription\":\"Description\",\"ActivityGroupNames\":\"ActivityGroupNames\",\"IndicatorId\":\"IndicatorId\",\"ThreatType\":\"ThreatType\",\"IoCExpirationTime\":\"ExpirationDateTime\",\"IoCConfidenceScore\":\"ConfidenceScore\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DstIpAddr\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"The IP {{SrcIpAddr}} of the web request matches an IP IoC\",\"alertDescriptionFormat\":\"The source address {{SrcIpAddr}} of the web request for the URL {{Url}} matches a known indicator of compromise of {{ThreatType}}. Consult the threat intelligence feed for more information about the indicator.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"CommandAndControl\"],\"displayName\":\"TI map IP entity to Web Session Events (ASIM Web Session schema)\",\"description\":\"This rule identifies Web Sessions for which the source IP address is a known IoC. This rule uses the [Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) and supports any web session source that complies with ASIM.\",\"lastUpdatedDateUTC\":\"2024-07-09T00:00:00Z\",\"createdDateUTC\":\"2022-03-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/99d589fa-7337-40d7-91a0-c96d0c4fa437\",\"name\":\"99d589fa-7337-40d7-91a0-c96d0c4fa437\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let core_domains = (SigninLogs\\n | where TimeGenerated \u003e ago(7d)\\n | where ResultType == 0\\n | extend domain = tolower(split(UserPrincipalName, \\\"@\\\")[1])\\n | summarize by tostring(domain));\\n let alternative_domains = (SigninLogs\\n | where TimeGenerated \u003e ago(7d)\\n | where isnotempty(AlternateSignInName)\\n | where ResultType == 0\\n | extend domain = tolower(split(AlternateSignInName, \\\"@\\\")[1])\\n | summarize by tostring(domain));\\n AuditLogs\\n | where TimeGenerated \u003e ago(1d)\\n | where OperationName =~ \\\"Add User\\\"\\n | extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n | extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n | extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n | extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n | extend InitiatingIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\\n | extend UserAdded = tostring(TargetResources[0].userPrincipalName)\\n | extend UserAddedDomain = case(\\n UserAdded has \\\"#EXT#\\\", tostring(split(tostring(split(UserAdded, \\\"#EXT#\\\")[0]), \\\"_\\\")[1]),\\n UserAdded !has \\\"#EXT#\\\", tostring(split(UserAdded, \\\"@\\\")[1]),\\n UserAdded)\\n | where UserAddedDomain !in (core_domains) and UserAddedDomain !in (alternative_domains)\\n | extend AddedByName = case(\\n InitiatingUserPrincipalName has \\\"#EXT#\\\", tostring(split(tostring(split(InitiatingUserPrincipalName, \\\"#EXT#\\\")[0]), \\\"_\\\")[0]),\\n InitiatingUserPrincipalName !has \\\"#EXT#\\\", tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[0]),\\n InitiatingUserPrincipalName)\\n | extend AddedByUPNSuffix = case(\\n InitiatingUserPrincipalName has \\\"#EXT#\\\", tostring(split(tostring(split(InitiatingUserPrincipalName, \\\"#EXT#\\\")[0]), \\\"_\\\")[1]),\\n InitiatingUserPrincipalName !has \\\"#EXT#\\\", tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[1]),\\n InitiatingUserPrincipalName)\\n | extend UserAddedName = case(\\n UserAdded has \\\"#EXT#\\\", tostring(split(tostring(split(UserAdded, \\\"#EXT#\\\")[0]), \\\"_\\\")[0]),\\n UserAdded !has \\\"#EXT#\\\", tostring(split(UserAdded, \\\"@\\\")[0]),\\n UserAdded)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"InitiatingAppName\"},{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAppServicePrincipalId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"AddedByName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AddedByUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIpAddress\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserAdded\"},{\"identifier\":\"Name\",\"columnName\":\"UserAddedName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UserAddedDomain\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Account created from non-approved sources\",\"description\":\"This query looks for an account being created from a domain that is not regularly seen in a tenant.\\n Attackers may attempt to add accounts from these sources as a means of establishing persistant access to an environment.\\n Created accounts should be investigated to confirm expected creation.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#short-lived-accounts\",\"lastUpdatedDateUTC\":\"2024-01-25T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\",\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/532f62c1-fba6-4baa-bbb6-4a32a4ef32fa\",\"name\":\"532f62c1-fba6-4baa-bbb6-4a32a4ef32fa\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.4.3\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h; // Define the time range to look back for syslog data (1 hour)\\nlet ioc_lookBack = 14d; // Define the time range to look back for threat intelligence indicators (14 days)\\n// Create a list of top-level domains (TLDs) from the threat feed for later validation\\nlet list_tlds = ThreatIntelligenceIndicator\\n | where isnotempty(DomainName)\\n | where TimeGenerated \u003e ago(ioc_lookBack)\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n | where Active == true and ExpirationDateTime \u003e now()\\n | extend parts = split(DomainName, \u0027.\u0027)\\n | extend tld = parts[(array_length(parts)-1)]\\n | summarize count() by tostring(tld)\\n | summarize make_list(tld);\\n// Fetch the latest active domain indicators from the threat intelligence data within the specified time range\\nlet Domain_Indicators = ThreatIntelligenceIndicator\\n | where isnotempty(DomainName)\\n | where TimeGenerated \u003e= ago(ioc_lookBack)\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n | where Active == true and ExpirationDateTime \u003e now()\\n | extend TI_DomainEntity = DomainName;\\n// Join the threat intelligence indicators with syslog data on matching domain entities\\nDomain_Indicators\\n | join kind=innerunique (\\n Syslog\\n | where TimeGenerated \u003e ago(dt_lookBack)\\n // Extract domain patterns from syslog messages\\n | extend domain = extract(\\\"(([a-z0-9]+(-[a-z0-9]+)*\\\\\\\\.)+[a-z]{2,})\\\",1, tolower(SyslogMessage))\\n | where isnotempty(domain)\\n | extend parts = split(domain, \u0027.\u0027)\\n // Split out the top-level domain (TLD)\\n | extend tld = parts[(array_length(parts)-1)]\\n // Validate parsed domain by checking if the TLD is in the list of TLDs in our threat feed\\n | where tld in~ (list_tlds)\\n | extend Syslog_TimeGenerated = TimeGenerated\\n ) on $left.TI_DomainEntity==$right.domain\\n | where Syslog_TimeGenerated \u003c ExpirationDateTime\\n // Retrieve the latest syslog timestamp for each indicator and domain combination\\n | summarize Syslog_TimeGenerated = arg_max(Syslog_TimeGenerated, *) by IndicatorId, domain\\n // Select the desired columns for the final result set\\n | project Syslog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, SyslogMessage, Computer, ProcessName, domain, HostIP, Url, Type, TI_DomainEntity\\n // Extract the hostname from the Computer field\\n | extend HostName = tostring(split(Computer, \u0027.\u0027, 0)[0])\\n // Extract the DNS domain from the Computer field\\n | extend DnsDomain = tostring(strcat_array(array_slice(split(Computer, \u0027.\u0027), 1, -1), \u0027.\u0027))\\n // Assign the Syslog_TimeGenerated value to the timestamp field\\n | extend timestamp = Syslog_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"HostIP\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"TI map Domain entity to Syslog\",\"description\":\"Identifies a match in Syslog table from any Domain IOC from TI\",\"lastUpdatedDateUTC\":\"2024-07-09T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/01e8ffff-dc0c-43fe-aa22-d459c4204553\",\"name\":\"01e8ffff-dc0c-43fe-aa22-d459c4204553\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.4\",\"severity\":\"Medium\",\"query\":\"let discord=dynamic([\\\"cdn.discordapp.com\\\", \\\"media.discordapp.com\\\"]);\\n _Im_WebSession(url_has_any=discord, eventresult=\u0027Success\u0027)\\n | where Url has \\\"attachments\\\"\\n | extend DiscordServerId = extract(@\\\"\\\\/attachments\\\\/([0-9]+)\\\\/\\\", 1, Url)\\n | summarize dcount(Url), make_set(SrcUsername), make_set(SrcIpAddr), make_set(Url), min(TimeGenerated), max(TimeGenerated), make_set(EventResult) by DiscordServerId\\n | mv-expand set_SrcUsername to typeof(string), set_Url to typeof(string), set_EventResult to typeof(string), set_SrcIpAddr to typeof(string)\\n | summarize by DiscordServerId, dcount_Url, set_SrcUsername, min_TimeGenerated, max_TimeGenerated, set_EventResult, set_SrcIpAddr, set_Url\\n | project StartTime=min_TimeGenerated, EndTime=max_TimeGenerated, Result=set_EventResult, SourceUser=set_SrcUsername, SourceIP=set_SrcIpAddr, RequestURL=set_Url\\n | where RequestURL has_any (\\\".bin\\\",\\\".exe\\\",\\\".dll\\\",\\\".bin\\\",\\\".msi\\\")\\n | extend AccountName = tostring(split(SourceUser, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(SourceUser, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SourceUser\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"RequestURL\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Discord CDN Risky File Download (ASIM Web Session Schema)\",\"description\":\"Identifies callouts to Discord CDN addresses for risky file extensions. This detection will trigger when a callout for a risky file is made to a discord server that has only been seen once in your environment. \\n Unique discord servers are identified using the server ID that is included in the request URL (DiscordServerId in query). Discord CDN has been used in multiple campaigns to download additional payloads.\\n This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema)\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2022-03-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/508cef41-2cd8-4d40-a519-b04826a9085f\",\"name\":\"508cef41-2cd8-4d40-a519-b04826a9085f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n| where EventID == 1102 and EventSourceName == \\\"Microsoft-Windows-Eventlog\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), EventCount = count() by Computer, Account, EventID, Activity\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| extend AccountName = tostring(split(Account, @\u0027\\\\\u0027)[1]), AccountNTDomain = tostring(split(Account, @\u0027\\\\\u0027)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"NRT Security Event log cleared\",\"description\":\"Checks for event id 1102 which indicates the security event log was cleared.\\nIt uses Event Source Name \\\"Microsoft-Windows-Eventlog\\\" to avoid generating false positives from other sources, like AD FS servers for instance.\",\"lastUpdatedDateUTC\":\"2024-03-13T00:00:00Z\",\"createdDateUTC\":\"2019-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b3cfc7c0-092c-481c-a55b-34a3979758cb\",\"name\":\"b3cfc7c0-092c-481c-a55b-34a3979758cb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Microsoft Cloud App Security\",\"displayName\":\"Create incidents based on Microsoft Cloud App Security alerts\",\"description\":\"Create incidents based on all alerts generated in Microsoft Defender for Cloud Apps\",\"lastUpdatedDateUTC\":\"2019-07-16T00:00:00Z\",\"createdDateUTC\":\"2019-07-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftCloudAppSecurity\",\"dataTypes\":[\"SecurityAlert (MCAS)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9367dff0-941d-44e2-8875-cb48570c7add\",\"name\":\"9367dff0-941d-44e2-8875-cb48570c7add\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"Event\\n| where EventLog =~ \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID in (13)\\n| parse EventData with * \u0027TargetObject\\\"\u003e\u0027 TargetObject \\\"\u003c\\\" * \u0027Details\\\"\u003e\u0027 Details \\\"\u003c\\\" * \\n| where TargetObject has \\\"\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Windows\\\\\\\\AppInit_DLLs\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventID, Computer, TargetObject, Details\\n| extend HostName = iif(Computer has \u0027.\u0027,substring(Computer,0,indexof(Computer,\u0027.\u0027)),Computer) , DnsDomain = iif(Computer has \u0027.\u0027,substring(Computer,indexof(Computer,\u0027.\u0027)+1),\u0027\u0027)\",\"entityMappings\":[{\"entityType\":\"RegistryKey\",\"fieldMappings\":[{\"identifier\":\"Key\",\"columnName\":\"TargetObject\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Registry Persistence via AppInit DLLs Modification\",\"description\":\"Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes. \\nDynamic-link libraries (DLLs) that are specified in the AppInit_DLLs value in the Registry keys HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows or HKEY_LOCAL_MACHINE\\\\Software\\\\Wow6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows are loaded by user32.dll into every process that loads user32.dll. In practice this is nearly every program, since user32.dll is a very common library.\\nRef: https://attack.mitre.org/techniques/T1546/010/\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-03-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/89a86f70-615f-4a79-9621-6f68c50f365f\",\"name\":\"89a86f70-615f-4a79-9621-6f68c50f365f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"let starttime = 7d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet HistThreshold = 25; \\nlet CurrThreshold = 10; \\nlet HistoricalThreats = CommonSecurityLog\\n| where isnotempty(SourceIP)\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where DeviceVendor =~ \\\"Palo Alto Networks\\\"\\n| where Activity =~ \\\"THREAT\\\" and SimplifiedDeviceAction =~ \\\"alert\\\" \\n| where DeviceEventClassID in (\u0027spyware\u0027, \u0027scan\u0027, \u0027file\u0027, \u0027vulnerability\u0027, \u0027flood\u0027, \u0027packet\u0027, \u0027virus\u0027,\u0027wildfire\u0027, \u0027wildfire-virus\u0027)\\n| summarize TotalEvents = count(), ThreatTypes = make_set(DeviceEventClassID), DestinationIpList = make_set(DestinationIP), FirstSeen = min(TimeGenerated) , LastSeen = max(TimeGenerated) by SourceIP, DeviceAction, DeviceVendor;\\nlet CurrentHourThreats = CommonSecurityLog\\n| where isnotempty(SourceIP)\\n| where TimeGenerated \u003e ago(timeframe)\\n| where DeviceVendor =~ \\\"Palo Alto Networks\\\"\\n| where Activity =~ \\\"THREAT\\\" and SimplifiedDeviceAction =~ \\\"alert\\\" \\n| where DeviceEventClassID in (\u0027spyware\u0027, \u0027scan\u0027, \u0027file\u0027, \u0027vulnerability\u0027, \u0027flood\u0027, \u0027packet\u0027, \u0027virus\u0027,\u0027wildfire\u0027, \u0027wildfire-virus\u0027)\\n| summarize TotalEvents = count(), ThreatTypes = make_set(DeviceEventClassID), DestinationIpList = make_set(DestinationIP), FirstSeen = min(TimeGenerated) , LastSeen = max(TimeGenerated) by SourceIP, DeviceAction, DeviceProduct, DeviceVendor;\\nCurrentHourThreats \\n| where TotalEvents \u003c CurrThreshold\\n| join kind = leftanti (HistoricalThreats \\n| where TotalEvents \u003e HistThreshold) on SourceIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]}],\"tactics\":[\"Discovery\",\"Exfiltration\",\"CommandAndControl\"],\"displayName\":\"Palo Alto Threat signatures from Unusual IP addresses\",\"description\":\"Identifies Palo Alto Threat signatures from unusual IP addresses which are not historically seen. \\nThis detection is also leveraged and required for MDE and PAN Fusion scenario\\nhttps://docs.microsoft.com/Azure/sentinel/fusion-scenario-reference#network-request-to-tor-anonymization-service-followed-by-anomalous-traffic-flagged-by-palo-alto-networks-firewall\",\"lastUpdatedDateUTC\":\"2024-11-07T00:00:00Z\",\"createdDateUTC\":\"2022-03-23T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CefAma\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/aac495a9-feb1-446d-b08e-a1164a539452\",\"name\":\"aac495a9-feb1-446d-b08e-a1164a539452\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h; // Look back 1 hour for VMConnection events\\nlet ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators\\nThreatIntelligenceIndicator\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n| where Action == true\\n| where TimeGenerated \u003e= ago(ioc_lookBack)\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true and ExpirationDateTime \u003e now()\\n| join (\\n GitHubAudit\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | extend GitHubAudit_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.IPaddress\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, GitHubAudit_TimeGenerated, TI_ipEntity, IPaddress, Actor, Action, Country, OperationType, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = GitHubAudit_TimeGenerated, IPCustomEntity = IPaddress, AccountCustomEntity = Actor\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"TI map IP entity to GitHub_CL\",\"description\":\"Identifies a match in GitHub_CL table from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2024-07-09T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/79f29feb-6a9d-4cdf-baaa-2daf480a5da1\",\"name\":\"79f29feb-6a9d-4cdf-baaa-2daf480a5da1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Low\",\"query\":\"let timeframe = 1h;\\nlet last1h = CommonSecurityLog\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where isempty(CommunicationDirection)\\n| where DeviceEventClassID == \\\"733100\\\"\\n| extend SourceOfDropRateCount = tostring(split(tostring(split(Message, \\\"]\\\")[0]),\\\"[ \\\")[1])\\n| extend splitMessage = split(Message, \\\".\\\")\\n| extend DropRate = tostring(split(tostring(splitMessage[0]),\\\"] \\\")[1])\\n| extend CurrentBurstRate = split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[0]),\\\"is \\\")\\n| extend CurrentBurstRatePerSec = toint(split(tostring(CurrentBurstRate[1]),\\\" \\\")[0])\\n| extend MaxConfiguredBurstRate = toint(CurrentBurstRate[2])\\n| extend CurrentAvgRate = split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[1]),\\\"is \\\")\\n| extend CurrentAvgRatePerSec = toint(split(tostring(CurrentAvgRate[1]),\\\" \\\")[0])\\n| extend MaxConfiguredAvgRate = toint(CurrentAvgRate[2])\\n| extend CumulativeTotal = toint(split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[2]),\\\"is \\\")[1])\\n| summarize last1hCumTotal = sum(CumulativeTotal), last1hAvgRatePerSec = avg(CurrentAvgRatePerSec), last1hAvgBurstRatePerSec = avg(CurrentBurstRatePerSec) by DeviceName, DeviceEventClassID, SourceIP, SourceOfDropRateCount, DropRate;\\nlet prev6h = CommonSecurityLog\\n| where TimeGenerated between (ago(6h) .. ago(1h))\\n| where isempty(CommunicationDirection)\\n| where DeviceEventClassID == \\\"733100\\\"\\n| extend SourceOfDropRateCount = tostring(split(tostring(split(Message, \\\"]\\\")[0]),\\\"[ \\\")[1])\\n| extend splitMessage = split(Message, \\\".\\\")\\n| extend DropRate = tostring(split(tostring(splitMessage[0]),\\\"] \\\")[1])\\n| extend CurrentBurstRate = split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[0]),\\\"is \\\")\\n| extend prevCurrentBurstRatePerSec = toint(split(tostring(CurrentBurstRate[1]),\\\" \\\")[0])\\n| extend prevMaxConfiguredBurstRate = toint(CurrentBurstRate[2])\\n| extend CurrentAvgRate = split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[1]),\\\"is \\\")\\n| extend prevCurrentAvgRatePerSec = toint(split(tostring(CurrentAvgRate[1]),\\\" \\\")[0])\\n| extend prevMaxConfiguredAvgRate = toint(CurrentAvgRate[2])\\n| extend prevCumulativeTotal = toint(split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[2]),\\\"is \\\")[1])\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), prev6hCumTotal = sum(prevCumulativeTotal), prev6hAvgRatePerSec = avg(prevCurrentAvgRatePerSec), prev6hAvgBurstRatePerSec = avg(prevCurrentBurstRatePerSec)\\nby DeviceName, DeviceEventClassID, SourceIP, SourceOfDropRateCount, DropRate;\\nlast1h | join (\\n prev6h\\n) on DeviceName, DeviceEventClassID, SourceIP, SourceOfDropRateCount, DropRate\\n| project StartTimeUtc, EndTimeUtc, DeviceName, DeviceEventClassID, SourceIP, SourceOfDropRateCount, DropRate, last1hCumTotal, prev6hCumTotal, prev6hAvgCumTotal = prev6hCumTotal/6, last1hAvgRatePerSec, prev6hAvgRatePerSec, last1hAvgBurstRatePerSec, prev6hAvgBurstRatePerSec\\n// Select only events that indicate a doubling of the expected rate in the last hour over the previous 6 hours\\n| where last1hCumTotal \u003e 2*prev6hAvgCumTotal or last1hAvgRatePerSec \u003e 2*prev6hAvgRatePerSec or last1hAvgBurstRatePerSec \u003e 2*prev6hAvgBurstRatePerSec\\n| extend HostName = tostring(split(DeviceName, \\\".\\\")[0]), DomainIndex = toint(indexof(DeviceName, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(DeviceName, DomainIndex + 1), DeviceName)\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DeviceName\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]}],\"tactics\":[\"Discovery\",\"Impact\"],\"displayName\":\"Cisco ASA - average attack detection rate increase\",\"description\":\"This will help you determine if Cisco ASA devices are under heavier attack than normal over the last hour versus the previous 6 hours based on DeviceEventClassID 733100\\nReferences: https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs9.html\\nDetails on how to further troubleshoot/investigate: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113685-asa-threat-detection.html\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/26a3b261-b997-4374-94ea-6c37f67f4f39\",\"name\":\"26a3b261-b997-4374-94ea-6c37f67f4f39\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"asyspy256.ddns.net\\\",\\\"hotkillmail9sddcc.ddns.net\\\",\\\"rosaf112.ddns.net\\\",\\\"cvdfhjh1231.myftp.biz\\\",\\\"sz2016rose.ddns.net\\\",\\\"dffwescwer4325.myftp.biz\\\",\\\"cvdfhjh1231.ddns.net\\\"]);\\nlet SHA1Hash = dynamic ([\\\"53a44c2396d15c3a03723fa5e5db54cafd527635\\\", \\\"9c5e496921e3bc882dc40694f1dcc3746a75db19\\\", \\\"aeb573accfd95758550cf30bf04f389a92922844\\\", \\\"79ef78a797403a4ed1a616c68e07fff868a8650a\\\", \\\"4f6f38b4cec35e895d91c052b1f5a83d665c2196\\\", \\\"1e8c2cac2e4ce7cbd33c3858eb2e24531cb8a84d\\\", \\\"e841a63e47361a572db9a7334af459ddca11347a\\\", \\\"c28f606df28a9bc8df75a4d5e5837fc5522dd34d\\\", \\\"2e94b305d6812a9f96e6781c888e48c7fb157b6b\\\", \\\"dd44133716b8a241957b912fa6a02efde3ce3025\\\", \\\"8793bf166cb89eb55f0593404e4e933ab605e803\\\", \\\"a39b57032dbb2335499a51e13470a7cd5d86b138\\\", \\\"41cc2b15c662bc001c0eb92f6cc222934f0beeea\\\", \\\"d209430d6af54792371174e70e27dd11d3def7a7\\\", \\\"1c6452026c56efd2c94cea7e0f671eb55515edb0\\\", \\\"c6b41d3afdcdcaf9f442bbe772f5da871801fd5a\\\", \\\"4923d460e22fbbf165bbbaba168e5a46b8157d9f\\\", \\\"f201504bd96e81d0d350c3a8332593ee1c9e09de\\\", \\\"ddd2db1127632a2a52943a2fe516a2e7d05d70d2\\\"]);\\nlet SHA256Hash = dynamic ([\\\"9ae7c4a4e1cfe9b505c3a47e66551eb1357affee65bfefb0109d02f4e97c06dd\\\", \\\"7772d624e1aed327abcd24ce2068063da0e31bb1d5d3bf2841fc977e198c6c5b\\\", \\\"657fc7e6447e0065d488a7db2caab13071e44741875044f9024ca843fe4e86b5\\\", \\\"2ef157a97e28574356e1d871abf75deca7d7a1ea662f38b577a06dd039dbae29\\\", \\\"52fd7b90d7144ac448af4008be639d4d45c252e51823f4311011af3207a5fc77\\\", \\\"a370e47cb97b35f1ae6590d14ada7561d22b4a73be0cb6df7e851d85054b1ac3\\\", \\\"5bf80b871278a29f356bd42af1e35428aead20cd90b0c7642247afcaaa95b022\\\", \\\"6f690ccfd54c2b02f0c3cb89c938162c10cbeee693286e809579c540b07ed883\\\", \\\"3c884f776fbd16597c072afd81029e8764dd57ee79d798829ca111f5e170bd8e\\\", \\\"1922a419f57afb351b58330ed456143cc8de8b3ebcbd236d26a219b03b3464d7\\\", \\\"fe0e4ef832b62d49b43433e10c47dc51072959af93963c790892efc20ec422f1\\\", \\\"7ce9e1c5562c8a5c93878629a47fe6071a35d604ed57a8f918f3eadf82c11a9c\\\", \\\"178d5ee8c04401d332af331087a80fb4e5e2937edfba7266f9be34a5029b6945\\\", \\\"51f70956fa8c487784fd21ab795f6ba2199b5c2d346acdeef1de0318a4c729d9\\\", \\\"889bca95f1a69e94aaade1e959ed0d3620531dc0fc563be9a8decf41899b4d79\\\", \\\"332ddaa00e2eb862742cb8d7e24ce52a5d38ffb22f6c8bd51162bd35e84d7ddf\\\", \\\"44bcf82fa536318622798504e8369e9dcdb32686b95fcb44579f0b4efa79df08\\\", \\\"63552772fdd8c947712a2cff00dfe25c7a34133716784b6d486227384f8cf3ef\\\", \\\"056744a3c371b5938d63c396fe094afce8fb153796a65afa5103e1bffd7ca070\\\"]);\\nlet SigNames = dynamic([\\\"TrojanDropper:Win32/BlackMould.A!dha\\\", \\\"Trojan:Win32/BlackMould.B!dha\\\", \\\"Trojan:Win32/QuarkBandit.A!dha\\\", \\\"Trojan:Win32/Sidelod.A!dha\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where isnotempty(FileHash)\\n| where FileHash in (SHA256Hash) or DNSName in~ (DomainNames)\\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n),\\n( _Im_Dns(domain_has_any=DomainNames)\\n| extend DNSName = DnsQuery\\n| extend IPAddress = SrcIpAddr\\n),\\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where isnotempty(DNSName)\\n| where DNSName in~ (DomainNames)\\n| extend IPAddress = RemoteIp\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updataing\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Hashes = EventDetail.[16].[\\\"#text\\\"]\\n| parse Hashes with * \u0027SHA1=\u0027 SHA1 \u0027,\u0027 * \\n| where isnotempty(Hashes)\\n| where Hashes in (SHA1Hash) \\n| extend Account = UserName\\n),\\n(SecurityAlert\\n| where ProductName == \\\"Microsoft Defender Advanced Threat Protection\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| where isnotempty(ThreatName)\\n| where ThreatName has_any (SigNames)\\n| extend Computer = tostring(parse_json(Entities)[0].HostName)\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPAddress = SourceHost\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| project TimeGenerated,Resource, msg_s, Type\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where Request_Name has_any (DomainNames)\\n| extend DNSName = Request_Name\\n| extend IPAddress = ClientIP\\n),\\n(AZFWApplicationRule\\n| where isnotempty(Fqdn)\\n| where Fqdn has_any (DomainNames) \\n| extend DNSName = Fqdn \\n| extend IPAddress = SourceIp\\n),\\n(AZFWDnsQuery\\n| where isnotempty(QueryName)\\n| where QueryName has_any (DomainNames)\\n| extend DNSName = QueryName\\n| extend IPAddress = SourceIp\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"CredentialAccess\"],\"displayName\":\"[Deprecated] - Known Granite Typhoon domains and hashes\",\"description\":\"This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft\u0027s Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2019-12-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\",\"AZFWApplicationRule\",\"AZFWDnsQuery\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a356c8bd-c81d-428b-aa36-83be706be034\",\"name\":\"a356c8bd-c81d-428b-aa36-83be706be034\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"Medium\",\"query\":\"// AADJoined or Register Device Registry Keys\\nlet aadJoinRoot = \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\ControlSet001\\\\\\\\Control\\\\\\\\CloudDomainJoin\\\\\\\\JoinInfo\\\\\\\\\\\";\\nlet aadRegisteredRoot = \\\"\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\WorkplaceJoin\\\";\\n// Transport Key Registry Key\\nlet keyTransportKey = \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\ControlSet001\\\\\\\\Control\\\\\\\\Cryptography\\\\\\\\Ngc\\\\\\\\KeyTransportKey\\\\\\\\\\\";\\n(union isfuzzy=true\\n(\\n// Access to Object Requested\\nSecurityEvent\\n| where EventID == \u00274656\u0027\\n| where EventData has aadJoinRoot or EventData has aadRegisteredRoot\\n| extend EventData = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Computer, EventID)\\n| where ObjectType == \u0027Key\u0027\\n| where ObjectName startswith aadJoinRoot and SubjectLogonId != \u00270x3e7\u0027 //Local System\\n| extend ProcessId = column_ifexists(\\\"ProcessId\\\", \\\"\\\"), Process = split(ProcessName, \u0027\\\\\\\\\u0027, -1)[-1],Account = strcat(SubjectDomainName, \\\"\\\\\\\\\\\", SubjectUserName)\\n| join kind=innerunique (\\n SecurityEvent\\n | where EventID == \u00274656\u0027\\n | where EventData has keyTransportKey\\n | extend EventData = parse_xml(EventData).EventData.Data\\n | mv-expand bagexpansion=array EventData\\n | evaluate bag_unpack(EventData)\\n | extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n | evaluate pivot(Key, any(Value), TimeGenerated, Computer, EventID)\\n | extend ObjectName = column_ifexists(\\\"ObjectName\\\", \\\"\\\"),ObjectType = column_ifexists(\\\"ObjectType\\\", \\\"\\\")\\n | where ObjectType == \u0027Key\u0027\\n | where ObjectName startswith keyTransportKey and SubjectLogonId != \u00270x3e7\u0027 //Local System\\n | extend ProcessId = column_ifexists(\\\"ProcessId\\\", \\\"\\\"), Process = split(ProcessName, \u0027\\\\\\\\\u0027, -1)[-1],Account = strcat(SubjectDomainName, \\\"\\\\\\\\\\\", SubjectUserName)\\n) on $left.Computer == $right.Computer and $left.SubjectLogonId == $right.SubjectLogonId and $left.ProcessId == $right.ProcessId\\n| project TimeGenerated, Computer, Account, SubjectDomainName, SubjectUserName, SubjectLogonId, ObjectName, tostring(Process), ProcessName, ProcessId, EventID\\n),\\n// Accessing Object\\n(\\nSecurityEvent\\n| where EventID == \u00274663\u0027\\n| where ObjectType == \u0027Key\u0027\\n| where (ObjectName startswith aadJoinRoot or ObjectName contains aadRegisteredRoot) and SubjectLogonId != \u00270x3e7\u0027 //Local System\\n| extend Account = SubjectAccount\\n| join kind=innerunique (\\n SecurityEvent\\n | where EventID == \u00274663\u0027\\n | where ObjectType == \u0027Key\u0027\\n | where ObjectName has keyTransportKey and SubjectLogonId != \u00270x3e7\u0027 //Local System\\n | extend Account = SubjectAccount\\n) on $left.Computer == $right.Computer and $left.SubjectLogonId == $right.SubjectLogonId and $left.ProcessId == $right.ProcessId\\n| project TimeGenerated, Computer, Account, SubjectDomainName, SubjectUserName, SubjectLogonId, ObjectName, Process, ProcessName, ProcessId, EventID\\n| extend HostName = tostring(split(Computer, \u0027.\u0027, 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Computer, \u0027.\u0027), 1, -1), \u0027.\u0027))\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"},{\"identifier\":\"Name\",\"columnName\":\"SubjectUserName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"SubjectDomainName\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]}],\"tactics\":[\"Discovery\"],\"displayName\":\"Microsoft Entra ID Local Device Join Information and Transport Key Registry Keys Access\",\"description\":\"This detection uses Windows security events to detect suspicious access attempts by the same process to registry keys that provide information about an Microsoft Entra ID joined or registered devices and Transport keys (tkpub / tkpriv).\\n This information can be used to export the Device Certificate (dkpub / dkpriv) and Transport key (tkpub/tkpriv).\\n These set of keys can be used to impersonate existing Microsoft Entra ID joined devices.\\n This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable objects:\\n HKLM:\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\CloudDomainJoin (Microsoft Entra ID joined devices)\\n HKCU:\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\WorkplaceJoin (Microsoft Entra ID registered devices)\\n HKLM:\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Cryptography\\\\Ngc\\\\KeyTransportKey (Transport Key)\\n Make sure you set the SACL to propagate to its sub-keys. You can find more information in here https://github.com/OTRF/Set-AuditRule/blob/master/rules/registry/aad_connect_health_service_agent.yml\\n Reference: https://o365blog.com/post/deviceidentity/\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-02-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e42e889a-caaf-4dbb-aec6-371b37d64298\",\"name\":\"e42e889a-caaf-4dbb-aec6-371b37d64298\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.5\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n| where OperationName has_any (\\\"Add service principal\\\", \\\"Certificates and secrets management\\\") // captures \\\"Add service principal\\\", \\\"Add service principal credentials\\\", and \\\"Update application - Certificates and secrets management\\\" events\\n| where Result =~ \\\"success\\\"\\n| where tostring(InitiatedBy.user.userPrincipalName) has \\\"@\\\" or tostring(InitiatedBy.app.displayName) has \\\"@\\\"\\n| mv-apply TargetResource = TargetResources on \\n (\\n where TargetResource.type =~ \\\"Application\\\"\\n | extend targetDisplayName = tostring(TargetResource.displayName),\\n targetId = tostring(TargetResource.id),\\n targetType = tostring(TargetResource.type),\\n keyEvents = TargetResource.modifiedProperties\\n )\\n| mv-apply Property = keyEvents on \\n (\\n where Property.displayName =~ \\\"KeyDescription\\\"\\n | extend new_value_set = parse_json(tostring(Property.newValue)),\\n old_value_set = parse_json(tostring(Property.oldValue))\\n )\\n| where old_value_set != \\\"[]\\\"\\n| extend diff = set_difference(new_value_set, old_value_set)\\n| where diff != \\\"[]\\\"\\n| parse diff with * \\\"KeyIdentifier=\\\" keyIdentifier:string \\\",KeyType=\\\" keyType:string \\\",KeyUsage=\\\" keyUsage:string \\\",DisplayName=\\\" keyDisplayName:string \\\"]\\\" *\\n| where keyUsage =~ \\\"Verify\\\"\\n| mv-apply AdditionalDetail = AdditionalDetails on \\n (\\n where AdditionalDetail.key =~ \\\"User-Agent\\\"\\n | extend UserAgent = tostring(AdditionalDetail.value)\\n )\\n| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n| extend InitiatingIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\\n// The below line is currently commented out but Microsoft Sentinel users can modify this query to show only Application or only Service Principal events in their environment\\n//| where targetType =~ \\\"Application\\\" // or targetType =~ \\\"ServicePrincipal\\\"\\n| project-away diff, new_value_set, old_value_set\\n| project-reorder TimeGenerated, OperationName, InitiatingUserPrincipalName, InitiatingAadUserId, InitiatingAppName, InitiatingAppServicePrincipalId, InitiatingIpAddress, UserAgent, targetDisplayName, targetId, targetType, keyDisplayName, keyType, keyUsage, keyIdentifier, CorrelationId, TenantId\\n| extend InitiatedByName = tostring(split(InitiatingUserPrincipalName,\u0027@\u0027,0)[0]), InitiatedByUPNSuffix = tostring(split(InitiatingUserPrincipalName,\u0027@\u0027,1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatedByName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatedByUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"InitiatingAppName\"},{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAppServicePrincipalId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIpAddress\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"NRT New access credential added to Application or Service Principal\",\"description\":\"This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where a verify KeyCredential was already present for the app.\\nIf a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2024-03-06T00:00:00Z\",\"createdDateUTC\":\"2020-11-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ae10c588-7ff7-486c-9920-ab8b0bdb6ede\",\"name\":\"ae10c588-7ff7-486c-9920-ab8b0bdb6ede\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT12H\",\"queryPeriod\":\"PT12H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Mercury_August2022.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\nlet IPList = (iocs | where Type =~ \\\"ip\\\"| project IoC);\\nlet domains = (iocs | where Type =~ \\\"domainname\\\"| project IoC);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or DestinationHostName has_any (domains) or RequestURL has_any (domains) or Message has_any (IPList)\\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| project TimeGenerated, SourceIP, DestinationIP, Message, SourceUserID, RequestURL, DNSName, Type\\n| extend MessageIP = extract(IPRegex, 0, Message), RequestIP = extract(IPRegex, 0, RequestURL)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", RequestURL has_any (domains), \\\"RequestUrl\\\", \\\"NoMatch\\\")\\n| extend IPAddress = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, \\\"NoMatch\\\")\\n| extend AccountName = tostring(split(SourceUserID, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(SourceUserID, \\\"@\\\")[1])\\n),\\n(DnsEvents\\n| where IPAddresses in (IPList) or Name in~ (domains)\\n| project TimeGenerated, Computer, IPAddresses, Name, ClientIP, Type\\n| extend IPAddress = IPAddresses, DNSName = Name, Computer\\n),\\n(VMConnection\\n| where SourceIp in (IPList) or DestinationIp in (IPList) or RemoteDnsCanonicalNames has_any (domains)\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| project TimeGenerated, Computer, Direction, ProcessName, SourceIp, DestinationIp, DestinationPort, RemoteDnsQuestions, DNSName,BytesSent, BytesReceived, RemoteCountry, Type\\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend IPAddress = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"NoMatch\\\"), File = ProcessName\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = tostring(EventDetail.[9].[\\\"#text\\\"]), DestinationIP = tostring(EventDetail.[14].[\\\"#text\\\"]), Image = tostring(EventDetail.[4].[\\\"#text\\\"])\\n| where SourceIP in (IPList) or DestinationIP in (IPList)\\n| project TimeGenerated, SourceIP, DestinationIP, Image, UserName, Computer, Type\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\")\\n| extend AccountNT = UserName, File = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), IPAddress = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n), \\n(OfficeActivity\\n| where ClientIP in (IPList) \\n| project TimeGenerated, UserAgent, Operation, RecordType, UserId, ClientIP, Type\\n| extend IPAddress = ClientIP, AccountUPN = UserId, AccountUPNName = tostring(split(UserId, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(UserId, \\\"@\\\")[1])\\n),\\n(DeviceNetworkEvents\\n| where RemoteUrl has_any (domains) or RemoteIP in (IPList) or InitiatingProcessSHA256 in (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, Computer = DeviceName, InitiatingProcessSHA256, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort, LocalIP, Type\\n| extend IPAddress = RemoteIP, FileHash = InitiatingProcessSHA256\\n| extend AccountUPN = InitiatingProcessAccountName, AccountUPNName = tostring(split(InitiatingProcessAccountName, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(InitiatingProcessAccountName, \\\"@\\\")[1])\\n),\\n(WindowsFirewall\\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| project TimeGenerated, Computer, CommunicationDirection, SourceIP, DestinationIP, SourcePort, DestinationPort, Type\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\")\\n| extend IPAddress = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) or DestinationHost has_any (domains) \\n| extend DNSName = DestinationHost, IPAddress = SourceHost\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallNetworkRule\\\"\\n| where msg_s has_any (IPList)\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePortInt:int \\\" to \\\" TargetIP \\\":\\\" TargetPortInt:int *\\n| parse kind=regex flags=U msg_s with * \\\". Action\\\\\\\\: \\\" Action1a \\\"\\\\\\\\.\\\"\\n| parse msg_s with * \\\". Policy: \\\" Policy \\\". Rule Collection Group: \\\" RuleCollectionGroup \\\".\\\" *\\n| parse msg_s with * \\\" Rule Collection: \\\" RuleCollection \\\". Rule: \\\" Rule \\n| extend IPAddress = SourceIP\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| where msg_s has_any (domains)\\n| parse msg_s with \\\"DNS Request: \\\" SourceIP \\\":\\\" SourcePortInt:int \\\" - \\\" QueryID:int \\\" \\\" RequestType \\\" \\\" RequestClass \\\" \\\" hostname \\\". \\\" protocol \\\" \\\" details\\n| extend\\n ResponseDuration = extract(\\\"[0-9]*.?[0-9]+s$\\\", 0, msg_s),\\n SourcePort = tostring(SourcePortInt),\\n QueryID = tostring(QueryID)\\n| project TimeGenerated,SourceIP,hostname,RequestType,ResponseDuration,details,msg_s\\n| extend IPAddress = SourceIP\\n),\\n(AZFWApplicationRule\\n| where Fqdn has_any (domains) or Fqdn has_any (IPList)\\n| extend IPAddress = SourceIp\\n),\\n(AZFWDnsQuery\\n| where isnotempty(QueryName)\\n| where QueryName has_any (domains)\\n| extend DNSName = QueryName, IPAddress = SourceIp\\n),\\n(AZFWNetworkRule\\n| where DestinationIp has_any (IPList)\\n| extend IPAddress = SourceIp\\n),\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, SourceUserID, FileHash, Type\\n| extend Algorithm = \\\"SHA256\\\", FileHash = tostring(FileHash), AccountUPN = SourceUserID, AccountUPNName = tostring(split(SourceUserID, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(SourceUserID, \\\"@\\\")[1])\\n),\\n(imFileEvent\\n| where TargetFileSHA256 has_any (sha256Hashes)\\n| extend AccountNT = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, AccountNT, IPAddress, CommandLine, FileHash, Algorithm = \\\"SHA256\\\"\\n),\\n(DeviceFileEvents\\n| where SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, Computer = DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend Algorithm = \\\"SHA256\\\", FileHash = tostring(InitiatingProcessSHA256), CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n| extend AccountUPN = InitiatingProcessAccountName, AccountUPNName = tostring(split(InitiatingProcessAccountName, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(InitiatingProcessAccountName, \\\"@\\\")[1])\\n),\\n(DeviceImageLoadEvents\\n| where SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, Computer = DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend Algorithm = \\\"SHA256\\\", FileHash = tostring(InitiatingProcessSHA256), CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n| extend AccountUPN = InitiatingProcessAccountName, AccountUPNName = tostring(split(InitiatingProcessAccountName, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(InitiatingProcessAccountName, \\\"@\\\")[1])\\n),\\n(Event\\n| where Source =~ \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Image = EventDetail.[4].[\\\"#text\\\"], CommandLine = EventDetail.[10].[\\\"#text\\\"], Hashes = tostring(EventDetail.[17].[\\\"#text\\\"])\\n| extend Hashes = extract_all(@\\\"(?P\u003ckey\u003e\\\\w+)=(?P\u003cvalue\u003e[a-zA-Z0-9]+)\\\", dynamic([\\\"key\\\",\\\"value\\\"]), Hashes)\\n| extend Hashes = column_ifexists(\\\"Hashes\\\", dynamic([\\\"\\\", \\\"\\\"])), CommandLine = column_ifexists(\\\"CommandLine\\\", \\\"\\\")\\n| mv-expand Hashes\\n| where Hashes[0] =~ \\\"SHA256\\\" and Hashes[1] has_any (sha256Hashes) \\n| project TimeGenerated, EventDetail, AccountNT = UserName, Computer, Type, Source, Hashes, CommandLine, Image\\n| extend Type = strcat(Type, \\\": \\\", Source), FileHash = tostring(Hashes[1]), Algorithm = tostring(Hashes[0])\\n)\\n)\\n| extend AccountNTName = tostring(split(AccountNT, \\\"\\\\\\\\\\\")[1]), AccountNTDomain = tostring(split(AccountNT, \\\"\\\\\\\\\\\")[0])\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| project-away DomainIndex\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountUPN\"},{\"identifier\":\"Name\",\"columnName\":\"AccountUPNName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountNT\"},{\"identifier\":\"Name\",\"columnName\":\"AccountNTName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"Algorithm\"},{\"identifier\":\"Value\",\"columnName\":\"FileHash\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Mercury - Domain, Hash and IP IOCs - August 2022\",\"description\":\"Identifies a match across various data feeds for domains, hashes and IP IOC related to Mercury\\n Reference: https://www.microsoft.com/security/blog/2022/08/25/mercury-leveraging-log4j-2-vulnerabilities-in-unpatched-systems-to-target-israeli-organizations/\",\"lastUpdatedDateUTC\":\"2023-12-28T00:00:00Z\",\"createdDateUTC\":\"2022-08-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceFileEvents\",\"DeviceImageLoadEvents\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\",\"AZFWApplicationRule\",\"AZFWDnsQuery\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7808c05a-3afd-4d13-998a-a59e2297693f\",\"name\":\"7808c05a-3afd-4d13-998a-a59e2297693f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"// Creating a list of successful sign-in by users in the last 7 days.\\nlet KnownUserCountry = (\\nSigninLogs\\n| where TimeGenerated between (ago(7d) .. ago(1d) ) \\n| where ResultType == 0\\n| summarize KnownCountry = make_set(Location,1048576) by UserPrincipalName\\n);\\n// Identify sign-ins that are no successful but have the auth details indicating a correct password.\\nSigninLogs\\n| where TimeGenerated \u003e= ago(1d)\\n| where ResultType != 0\\n| extend ParseAuth = parse_json(AuthenticationDetails)\\n| extend AuthMethod = tostring(ParseAuth.[0].authenticationMethod),\\n PasswordResult = tostring(ParseAuth.[0].authenticationStepResultDetail),\\n AuthSucceeded = tostring(ParseAuth.[0].succeeded)\\n| where PasswordResult == \\\"Correct Password\\\" or AuthSucceeded == \\\"true\\\"\\n| where AuthMethod == \\\"Password\\\"\\n| extend failureReason = tostring(Status.failureReason)\\n| summarize NewCountry = make_set(Location,1048576), LastObservedTime = max(TimeGenerated), AppName = make_set(AppDisplayName,1048576) by UserPrincipalName, PasswordResult, AuthSucceeded, failureReason\\n// Combining both tables by user\\n| join kind=inner KnownUserCountry on UserPrincipalName\\n// Compare both arrays and identify if the country has been observed in the past.\\n| extend CountryDiff = set_difference(NewCountry,KnownCountry)\\n| extend CountryDiffCount = array_length(CountryDiff)\\n// Count the new column to only alert if there is a difference between both arrays\\n| where CountryDiffCount != 0\\n| extend NewCountryEvent = CountryDiff\\n// Getting UserName and Domain\\n| extend Name = split(UserPrincipalName,\\\"@\\\",0),\\n Domain = split(UserPrincipalName,\\\"@\\\",1)\\n| mv-expand Name,Domain\",\"customDetails\":{\"LastObservedTime\":\"LastObservedTime\",\"AppName\":\"AppName\",\"NewCountryEvent\":\"NewCountryEvent\",\"PasswordResult\":\"PasswordResult\",\"AuthSucceeded\":\"AuthSucceeded\",\"failureReason\":\"failureReason\"},\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"NTDomain\",\"columnName\":\"Domain\"}]}],\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"New country signIn with correct password\",\"description\":\"Identifies an interrupted sign-in session from a country the user has not sign-in before in the last 7 days, where the password was correct. Although the session is interrupted by other controls such as multi factor authentication or conditional access policies, the user credentials should be reset due to logs indicating a correct password was observed during sign-in.\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2023-05-09T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0bd65651-1404-438b-8f63-eecddcec87b4\",\"name\":\"0bd65651-1404-438b-8f63-eecddcec87b4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.3\",\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\n// Adjust for a longer timeframe for identifying ADFS Servers\\nlet lookback = 6d;\\n// Identify ADFS Servers\\nlet ADFS_Servers = ( union isfuzzy=true\\n( Event\\n| where TimeGenerated \u003e ago(timeframe+lookback)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key=tostring([\u0027@Name\u0027]), Value=[\u0027#text\u0027]\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| extend process = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n| where process =~ \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n),\\n( SecurityEvent\\n| where TimeGenerated \u003e ago(timeframe+lookback)\\n| where EventID == 4688 and SubjectLogonId != \\\"0x3e4\\\"\\n| where ProcessName has \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n),\\n(WindowsEvent\\n| where TimeGenerated \u003e ago(timeframe+lookback)\\n| where EventID == 4688 and EventData has \\\"0x3e4\\\" and EventData has \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| extend SubjectLogonId = tostring(EventData.SubjectLogonId)\\n| where SubjectLogonId != \\\"0x3e4\\\"\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| where ProcessName has \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n)\\n| distinct Computer);\\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where EventID == 4688\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Computer in~ (ADFS_Servers)\\n| where ParentProcessName has \u0027wmiprvse.exe\u0027\\n// Looking for rundll32.exe is based on intel from the blog linked in the description\\n// This can be commented out or altered to filter out known internal uses\\n| where CommandLine has_any (\u0027rundll32\u0027) \\n| project TimeGenerated, TargetAccount, CommandLine, Computer, Account, TargetLogonId\\n| extend timestamp = TimeGenerated\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| extend AccountName = tostring(split(Account, \\\"\\\\\\\\\\\")[0]), AccountNTDomain = tostring(split(Account, \\\"\\\\\\\\\\\")[1])\\n// Search for recent logons to identify lateral movement\\n| join kind= inner\\n(SecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where EventID == 4624 and LogonType == 3\\n| where Account !endswith \\\"$\\\"\\n| project TargetLogonId\\n) on TargetLogonId\\n),\\n(\\nWindowsEvent\\n| where EventID == 4688\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Computer in~ (ADFS_Servers)\\n| where EventData has \u0027wmiprvse.exe\u0027 and EventData has_any (\u0027rundll32\u0027) \\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| where ParentProcessName has \u0027wmiprvse.exe\u0027\\n// Looking for rundll32.exe is based on intel from the blog linked in the description\\n// This can be commented out or altered to filter out known internal uses\\n| extend CommandLine = tostring(EventData.CommandLine)\\n| where CommandLine has_any (\u0027rundll32\u0027) \\n| extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| extend Account = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| extend TargetLogonId = tostring(EventData.TargetLogonId)\\n| project TimeGenerated, TargetAccount, CommandLine, Computer, Account, TargetLogonId\\n| extend timestamp = TimeGenerated\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| extend AccountName = tostring(split(Account, \\\"\\\\\\\\\\\")[0]), AccountNTDomain = tostring(split(Account, \\\"\\\\\\\\\\\")[1])\\n// Search for recent logons to identify lateral movement\\n| join kind= inner\\n(WindowsEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where EventID == 4624 \\n| extend LogonType = tostring(EventData.LogonType)\\n| where LogonType == 3\\n| extend Account = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| where Account !endswith \\\"$\\\"\\n| extend TargetLogonId = tostring(EventData.TargetLogonId)\\n| project TargetLogonId\\n) on TargetLogonId\\n),\\n(\\nEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n// Check for WMI Events\\n| where Computer in~ (ADFS_Servers) and EventID in (19, 20, 21)\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key=tostring([\u0027@Name\u0027]), Value=[\u0027#text\u0027]\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| project TimeGenerated, EventType, Image, Computer, UserName\\n| extend timestamp = TimeGenerated\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| extend AccountName = tostring(split(UserName, \\\"\\\\\\\\\\\")[0]), AccountNTDomain = tostring(split(UserName, \\\"\\\\\\\\\\\")[1])\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserName\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"LateralMovement\"],\"displayName\":\"Gain Code Execution on ADFS Server via Remote WMI Execution\",\"description\":\"This query detects instances where an attacker has gained the ability to execute code on an ADFS Server through remote WMI Execution.\\nIn order to use this query you need to be collecting Sysmon EventIDs 19, 20, and 21.\\nIf you do not have Sysmon data in your workspace this query will raise an error stating:\\n Failed to resolve scalar expression named \\\"[@Name]\\\"\\nFor more on how WMI was used in Solorigate see https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/.\\nThe query contains some features from the following detections to look for potentially malicious ADFS activity. See them for more details.\\n- ADFS Key Export (Sysmon): https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/ADFSKeyExportSysmon.yaml\\n- ADFS DKM Master Key Export: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ADFS-DKM-MasterKey-Export.yaml\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2021-02-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/22a320c2-e1e5-4c74-a35b-39fc9cdcf859\",\"name\":\"22a320c2-e1e5-4c74-a35b-39fc9cdcf859\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n| where OperationName=~ \\\"Update user\\\" \\n| where Result =~ \\\"success\\\" \\n| mv-expand TargetResources \\n| mv-expand TargetResources.modifiedProperties \\n| extend displayName = tostring(TargetResources_modifiedProperties.displayName), \\nTargetUPN_oldValue = tostring(parse_json(tostring(TargetResources_modifiedProperties.oldValue))[0]), \\nTargetUPN_newValue = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue))[0])\\n| where displayName == \\\"UserPrincipalName\\\" and TargetUPN_oldValue !has \\\"#EXT\\\" and TargetUPN_newValue has \\\"#EXT\\\"\\n| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n| extend InitiatingIPAddress = tostring(InitiatedBy.user.ipAddress)\\n| extend InitiatedBy = tostring(iff(isnotempty(InitiatingUserPrincipalName),InitiatingUserPrincipalName, InitiatingAppName))\\n| summarize arg_max(TimeGenerated, *) by CorrelationId\\n| project-reorder TimeGenerated, InitiatedBy, InitiatingAppName, InitiatingAppServicePrincipalId, InitiatingUserPrincipalName, InitiatingAadUserId, InitiatingIPAddress, TargetUPN_oldValue, TargetUPN_newValue\\n| extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[1])\\n| extend TargetAccountName = tostring(split(TargetUPN_oldValue, \\\"@\\\")[0]), TargetUPNSuffix = tostring(split(TargetUPN_oldValue, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"InitiatingAppName\"},{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAppServicePrincipalId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatingAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatingAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUPN_oldValue\"},{\"identifier\":\"Name\",\"columnName\":\"TargetAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"TargetUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIPAddress\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Suspicious linking of existing user to external User\",\"description\":\" This query will detect when an attempt is made to update an existing user and link it to an guest or external identity. These activities are unusual and such linking of external \\nidentities should be investigated. In some cases you may see internal Entra ID sync accounts (Sync_) do this which may be benign\",\"lastUpdatedDateUTC\":\"2023-12-30T00:00:00Z\",\"createdDateUTC\":\"2022-08-09T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/03e04c97-8cae-48b3-9d2f-4ab262e4ffff\",\"name\":\"03e04c97-8cae-48b3-9d2f-4ab262e4ffff\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"let scriptExtensions = dynamic([\\\".php\\\", \\\".jsp\\\", \\\".js\\\", \\\".aspx\\\", \\\".asmx\\\", \\\".asax\\\", \\\".cfm\\\", \\\".shtml\\\"]);\\nhttp_proxy_oab_CL\\n| where RawData contains \\\"Download failed and temporary file\\\"\\n| extend File = extract(\\\"([^\\\\\\\\\\\\\\\\]*)(\\\\\\\\\\\\\\\\[^\u0027]*)\\\",2,RawData)\\n| extend Extension = strcat(\\\".\\\",split(File, \\\".\\\")[-1])\\n| extend InteractiveFile = iif(Extension in (scriptExtensions), \\\"Yes\\\", \\\"No\\\")\\n// Uncomment the following line to alert only on interactive file download type\\n//| where InteractiveFile =~ \\\"Yes\\\"\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Silk Typhoon Suspicious File Downloads.\",\"description\":\"This query looks for messages related to file downloads of suspicious file types. This query uses the Exchange HttpProxy AOBGeneratorLog, you will need to onboard this log as a custom log under the table http_proxy_oab_CL before using this query. \\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-02T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/95407904-0131-4918-bc49-ebf282ce149a\",\"name\":\"95407904-0131-4918-bc49-ebf282ce149a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"High\",\"query\":\"let IPList = dynamic([\\\"135.125.147.170:80\\\",\\\"185.244.129.79:63047\\\",\\\"185.244.129.79:80\\\",\\\"45.80.149.108:63047\\\",\\\"45.80.149.108:80\\\",\\\"45.80.149.57:63047\\\",\\\"45.80.149.68:63047\\\",\\\"45.80.149.71:80\\\",\\\"185.244.129.109\\\",\\\"172.96.188.51\\\",\\\"51.83.246.73\\\"]); \\n(union isfuzzy=true \\n(CommonSecurityLog \\n| where isnotempty(SourceIP) or isnotempty(DestinationIP) \\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList) \\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"Message\\\") \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch \\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\") \\n), \\n(OfficeActivity \\n|extend SourceIPAddress = ClientIP, Account = UserId \\n| where SourceIPAddress in (IPList) \\n| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account \\n),\\n(_Im_Dns (response_has_any_prefix=IPList)\\n| extend DestinationIPAddress = ResponseName, Host = SrcIpAddr \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host \\n), \\n(_Im_NetworkSession (srcipaddr_has_any_prefix=IPList)\\n | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Hostname, AccountCustomEntity=User\\n), \\n(_Im_NetworkSession (dstipaddr_has_any_prefix=IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = DstIpAddr, HostCustomEntity = Hostname , AccountCustomEntity = User\\n), \\n(WireData \\n| where isnotempty(RemoteIP) \\n| where RemoteIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer \\n), \\n(SigninLogs \\n| where isnotempty(IPAddress) \\n| where IPAddress in (IPList) \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \\n),\\n(AADNonInteractiveUserSignInLogs \\n| where isnotempty(IPAddress) \\n| where IPAddress in (IPList) \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \\n), \\n(W3CIISLog \\n| where isnotempty(cIP) \\n| where cIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName \\n), \\n(AzureActivity \\n| where isnotempty(CallerIpAddress) \\n| where CallerIpAddress in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller \\n), \\n( \\nAWSCloudTrail \\n| where isnotempty(SourceIpAddress) \\n| where SourceIpAddress in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName \\n), \\n( \\nDeviceNetworkEvents \\n| where isnotempty(RemoteIP) \\n| where RemoteIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName \\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallNetworkRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n),\\n(AZFWNetworkRule\\n| where isnotempty(DestinationIp)\\n| where DestinationIp has_any (IPList) \\n| extend DestinationIP = DestinationIp \\n| extend IPCustomEntity = SourceIp\\n),\\n(AZFWApplicationRule\\n| where isnotempty(Fqdn)\\n| where Fqdn has_any (IPList) \\n| extend DestinationIP = Fqdn \\n| extend IPCustomEntity = SourceIp\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"[Deprecated] - Known Plaid Rain IP\",\"description\":\"This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft\u0027s Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2020-11-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AzureMonitor(WireData)\",\"dataTypes\":[\"WireData\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\",\"AZFWApplicationRule\",\"AZFWNetworkRule\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/acc4c247-aaf7-494b-b5da-17f18863878a\",\"name\":\"acc4c247-aaf7-494b-b5da-17f18863878a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"let queryfrequency = 1h;\\nlet queryperiod = 1d;\\nAuditLogs\\n| where TimeGenerated \u003e ago(queryperiod)\\n| where OperationName in (\\\"Invite external user\\\", \\\"Bulk invite users - started (bulk)\\\", \\\"Invite external user with reset invitation status\\\")\\n| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n| extend InitiatingIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\\n| extend InitiatedBy = iff(isnotempty(InitiatingUserPrincipalName), InitiatingUserPrincipalName, InitiatingAppName)\\n// Uncomment the following line to filter events where the inviting user was a guest user\\n//| where InitiatedBy has_any (\\\"live.com#\\\", \\\"#EXT#\\\")\\n| mv-apply TargetResource = TargetResources on \\n (\\n where TargetResource.type =~ \\\"User\\\"\\n | extend InvitedUser = tostring(TargetResource.userPrincipalName)\\n )\\n| mv-expand UserToCompare = pack_array(InitiatedBy, InvitedUser) to typeof(string)\\n| where UserToCompare has_any (\\\"live.com#\\\", \\\"#EXT#\\\")\\n| extend\\n parsedUser = replace_string(tolower(iff(UserToCompare startswith \\\"live.com#\\\", tostring(split(UserToCompare, \\\"#\\\")[1]), tostring(split(UserToCompare, \\\"#EXT#\\\")[0]))), \\\"@\\\", \\\"_\\\"),\\n InvitationTime = TimeGenerated\\n| join (\\n (union isfuzzy=true SigninLogs, AADNonInteractiveUserSignInLogs)\\n | where TimeGenerated \u003e ago(queryfrequency)\\n | where UserType != \\\"Member\\\"\\n | where AppId has_any // This web may contain a list of these apps: https://msshells.net/\\n (\\\"1b730954-1685-4b74-9bfd-dac224a7b894\\\",// Azure Active Directory PowerShell\\n \\\"04b07795-8ddb-461a-bbee-02f9e1bf7b46\\\",// Microsoft Azure CLI\\n \\\"1950a258-227b-4e31-a9cf-717495945fc2\\\",// Microsoft Azure PowerShell\\n \\\"a0c73c16-a7e3-4564-9a95-2bdf47383716\\\",// Microsoft Exchange Online Remote PowerShell\\n \\\"fb78d390-0c51-40cd-8e17-fdbfab77341b\\\",// Microsoft Exchange REST API Based Powershell\\n \\\"d1ddf0e4-d672-4dae-b554-9d5bdfd93547\\\",// Microsoft Intune PowerShell\\n \\\"9bc3ab49-b65d-410a-85ad-de819febfddc\\\",// Microsoft SharePoint Online Management Shell\\n \\\"12128f48-ec9e-42f0-b203-ea49fb6af367\\\",// MS Teams Powershell Cmdlets\\n \\\"23d8f6bd-1eb0-4cc2-a08c-7bf525c67bcd\\\",// Power BI PowerShell\\n \\\"31359c7f-bd7e-475c-86db-fdb8c937548e\\\",// PnP Management Shell\\n \\\"90f610bf-206d-4950-b61d-37fa6fd1b224\\\",// Aadrm Admin Powershell\\n \\\"14d82eec-204b-4c2f-b7e8-296a70dab67e\\\",// Microsoft Graph PowerShell\\n \\\"9cee029c-6210-4654-90bb-17e6e9d36617\\\" // Power Platform CLI - pac\\\"\\n )\\n | summarize arg_min(TimeGenerated, *) by UserPrincipalName\\n | extend\\n parsedUser = replace_string(UserPrincipalName, \\\"@\\\", \\\"_\\\"),\\n SigninTime = TimeGenerated\\n )\\n on parsedUser\\n| project InvitationTime, InitiatedBy, InitiatingUserPrincipalName, InitiatingAadUserId, InitiatingAppName, InitiatingAppServicePrincipalId, InitiatingIpAddress, OperationName, InvitedUser, SigninTime, SigninCategory = Category1, SigninUserPrincipalName = UserPrincipalName, AppDisplayName, ResourceDisplayName, UserAgent, InvitationAdditionalDetails = AdditionalDetails, InvitationTargetResources = TargetResources\\n| extend InvitedUserName = tostring(split(InvitedUser,\u0027@\u0027,0)[0]), InvitedUserUPNSuffix = tostring(split(InvitedUser,\u0027@\u0027,1)[0]), \\n InitiatedByName = tostring(split(InitiatingUserPrincipalName,\u0027@\u0027,0)[0]), InitiatedByUPNSuffix = tostring(split(InitiatingUserPrincipalName,\u0027@\u0027,1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InvitedUser\"},{\"identifier\":\"Name\",\"columnName\":\"InvitedUserName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InvitedUserUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatedByName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatedByUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAppServicePrincipalId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIpAddress\"}]}],\"tactics\":[\"InitialAccess\",\"Persistence\",\"Discovery\"],\"displayName\":\"External guest invitation followed by Microsoft Entra ID PowerShell signin\",\"description\":\"By default guests have capability to invite more external guest users, guests also can do suspicious Microsoft Entra ID enumeration. This detection look at guest users, who have been invited or have invited recently, who also are logging via various PowerShell CLI.\\nRef : \u0027https://danielchronlund.com/2021/11/18/scary-azure-ad-tenant-enumeration-using-regular-b2b-guest-accounts/\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2021-11-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c094384d-7ea7-4091-83be-18706ecca981\",\"name\":\"c094384d-7ea7-4091-83be-18706ecca981\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.5\",\"severity\":\"Low\",\"query\":\"let minersDomains=dynamic([\\\"monerohash.com\\\", \\\"do-dear.com\\\", \\\"xmrminerpro.com\\\", \\\"secumine.net\\\", \\\"xmrpool.com\\\", \\\"minexmr.org\\\", \\\"hashanywhere.com\\\", \\n\\\"xmrget.com\\\", \\\"mininglottery.eu\\\", \\\"minergate.com\\\", \\\"moriaxmr.com\\\", \\\"multipooler.com\\\", \\\"moneropools.com\\\", \\\"xmrpool.eu\\\", \\\"coolmining.club\\\", \\n\\\"supportxmr.com\\\", \\\"minexmr.com\\\", \\\"hashvault.pro\\\", \\\"xmrpool.net\\\", \\\"crypto-pool.fr\\\", \\\"xmr.pt\\\", \\\"miner.rocks\\\", \\\"walpool.com\\\", \\\"herominers.com\\\", \\n\\\"gntl.co.uk\\\", \\\"semipool.com\\\", \\\"coinfoundry.org\\\", \\\"cryptoknight.cc\\\", \\\"fairhash.org\\\", \\\"baikalmine.com\\\", \\\"tubepool.xyz\\\", \\\"fairpool.xyz\\\", \\\"asiapool.io\\\", \\n\\\"coinpoolit.webhop.me\\\", \\\"nanopool.org\\\", \\\"moneropool.com\\\", \\\"miner.center\\\", \\\"prohash.net\\\", \\\"poolto.be\\\", \\\"cryptoescrow.eu\\\", \\\"monerominers.net\\\", \\\"cryptonotepool.org\\\", \\n\\\"extrmepool.org\\\", \\\"webcoin.me\\\", \\\"kippo.eu\\\", \\\"hashinvest.ws\\\", \\\"monero.farm\\\", \\\"supportxmr.com\\\", \\\"xmrpool.eu\\\", \\\"linux-repository-updates.com\\\", \\\"1gh.com\\\", \\n\\\"dwarfpool.com\\\", \\\"hash-to-coins.com\\\", \\\"hashvault.pro\\\", \\\"pool-proxy.com\\\", \\\"hashfor.cash\\\", \\\"fairpool.cloud\\\", \\\"litecoinpool.org\\\", \\\"mineshaft.ml\\\", \\\"abcxyz.stream\\\", \\n\\\"moneropool.ru\\\", \\\"cryptonotepool.org.uk\\\", \\\"extremepool.org\\\", \\\"extremehash.com\\\", \\\"hashinvest.net\\\", \\\"unipool.pro\\\", \\\"crypto-pools.org\\\", \\\"monero.net\\\", \\n\\\"backup-pool.com\\\", \\\"mooo.com\\\", \\\"freeyy.me\\\", \\\"cryptonight.net\\\", \\\"shscrypto.net\\\"]);\\n_Im_Dns(domain_has_any=minersDomains)\\n| extend HostName = tostring(split(Dvc, \\\".\\\")[0]), DomainIndex = toint(indexof(Dvc, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Dvc, DomainIndex + 1), Dvc)\\n| project-away DomainIndex\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Dvc\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"_ResourceId\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"DNS events related to mining pools (ASIM DNS Schema)\",\"description\":\"Identifies IP addresses that may be performing DNS lookups associated with common currency mining pools.\\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema\",\"lastUpdatedDateUTC\":\"2024-01-03T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/25a7f951-54b7-4cf5-9862-ebc04306c590\",\"name\":\"25a7f951-54b7-4cf5-9862-ebc04306c590\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let known_users = (AuditLogs\\n | where TimeGenerated between(ago(14d)..ago(1d))\\n | where OperationName has \\\"conditional access policy\\\"\\n | where Result =~ \\\"success\\\"\\n | extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n | summarize by InitiatingUserPrincipalName);\\n AuditLogs\\n | where TimeGenerated \u003e ago(1d)\\n | where OperationName has \\\"conditional access policy\\\"\\n | where Result =~ \\\"success\\\"\\n | extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n | extend InitiatingAppId = tostring(InitiatedBy.app.appId)\\n | extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n | extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n | extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n | extend InitiatingIPAddress = tostring(InitiatedBy.user.ipAddress)\\n | extend CAPolicyName = tostring(TargetResources[0].displayName)\\n | where InitiatingUserPrincipalName !in (known_users)\\n | extend NewPolicyValues = TargetResources[0].modifiedProperties[0].newValue\\n | extend OldPolicyValues = TargetResources[0].modifiedProperties[0].oldValue\\n | extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[1])\\n | project-reorder TimeGenerated, OperationName, CAPolicyName, InitiatingAppId, InitiatingAppName, InitiatingAppServicePrincipalId, InitiatingUserPrincipalName, InitiatingAadUserId, InitiatingIPAddress, NewPolicyValues, OldPolicyValues\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatingAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatingAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIPAddress\"}]},{\"entityType\":\"CloudApplication\",\"fieldMappings\":[{\"identifier\":\"AppId\",\"columnName\":\"InitiatingAppId\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatingAppName\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Conditional Access Policy Modified by New User\",\"description\":\"Detects a Conditional Access Policy being modified by a user who has not modified a policy in the last 14 days.\\n A threat actor may try to modify policies to weaken the security controls in place.\\n Investigate any change to ensure they are approved.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-infrastructure#conditional-access\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/faf1a6ff-53b5-4f92-8c55-4b20e9957594\",\"name\":\"faf1a6ff-53b5-4f92-8c55-4b20e9957594\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"High\",\"query\":\"SecurityEvent\\n// Look for specific Directory Service Changes and parse data\\n| where EventID == 5136\\n| extend EventData = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion = array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value),TimeGenerated, EventID, Computer, Account, AccountType, EventSourceName, Activity, SubjectAccount)\\n// Where changes relate to Exchange OAB\\n| extend ObjectClass = column_ifexists(\\\"ObjectClass\\\", \\\"\\\")\\n| where ObjectClass =~ \\\"msExchOABVirtualDirectory\\\"\\n// Look for InternalHostName or ExternalHostName properties being changed\\n| extend AttributeLDAPDisplayName = column_ifexists(\\\"AttributeLDAPDisplayName\\\", \\\"\\\")\\n| where AttributeLDAPDisplayName in~ (\\\"msExchExternalHostName\\\", \\\"msExchInternalHostName\\\")\\n// Look for suspected webshell activity\\n| extend AttributeValue = column_ifexists(\\\"AttributeValue\\\", \\\"\\\")\\n| where AttributeValue has \\\"script\\\"\\n| project-rename LastSeen = TimeGenerated\\n| extend ObjectDN = column_ifexists(\\\"ObjectDN\\\", \\\"\\\")\\n| project-reorder LastSeen, Computer, Account, ObjectDN, AttributeLDAPDisplayName, AttributeValue\\n| extend timestamp = LastSeen\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| extend AccountName = tostring(split(Account, @\u0027\\\\\u0027)[1]), AccountNTDomain = tostring(split(Account, @\u0027\\\\\u0027)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Exchange OAB Virtual Directory Attribute Containing Potential Webshell\",\"description\":\"This query uses Windows Event ID 5136 in order to detect potential webshell deployment by exploitation of CVE-2021-27065.\\nThis query looks for changes to the InternalHostName or ExternalHostName properties of Exchange OAB Virtual Directory objects in AD Directory Services where the new objects contain potential webshell objects.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/17f23fbe-bb73-4324-8ecf-a18545a5dc26\",\"name\":\"17f23fbe-bb73-4324-8ecf-a18545a5dc26\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P3D\",\"queryPeriod\":\"P3D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"let timeframe = 3d;\\n// Get Release Pipeline Creation Events and group by day\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeframe)\\n| where OperationName =~ \\\"Release.ReleasePipelineCreated\\\"\\n// Group by day\\n| extend timekey = bin(TimeGenerated, 1d)\\n| extend PipelineId = tostring(Data.PipelineId)\\n| extend PipelineName = tostring(Data.PipelineName)\\n// Rename some columns to make output clearer\\n| project-rename TimeCreated = TimeGenerated, CreatingUser = ActorUPN, CreatingUserAgent = UserAgent, CreatingIP = IpAddress\\n// Join with Release Pipeline Deletions where Pipeline ID is the same and deletion occurred on same day as creation\\n| join (AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeframe)\\n| where OperationName =~ \\\"Release.ReleasePipelineDeleted\\\"\\n// Group by day\\n| extend timekey = bin(TimeGenerated, 1d)\\n| extend PipelineId = tostring(Data.PipelineId)\\n| extend PipelineName = tostring(Data.PipelineName)\\n// Rename some things to make the output clearer\\n| project-rename TimeDeleted = TimeGenerated,DeletingUser = ActorUPN, DeletingUserAgent = UserAgent, DeletingIP = IpAddress) on PipelineId, timekey\\n| project TimeCreated, TimeDeleted, PipelineName, PipelineId, CreatingUser, CreatingIP, CreatingUserAgent, DeletingUser, DeletingIP, DeletingUserAgent, ScopeDisplayName, ProjectName, Data, OperationName, OperationName1\\n| extend timestamp = TimeCreated\\n| extend CreatingUserAccountName = tostring(split(CreatingUser, \\\"@\\\")[0]), CreatingUserAccountUPNSuffix = tostring(split(CreatingUser, \\\"@\\\")[1])\\n| extend DeletingUserAccountName = tostring(split(DeletingUser, \\\"@\\\")[0]), DeletingUserAccountUPNSuffix = tostring(split(DeletingUser, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CreatingUser\"},{\"identifier\":\"Name\",\"columnName\":\"CreatingUserAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"CreatingUserAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DeletingUser\"},{\"identifier\":\"Name\",\"columnName\":\"DeletingUserAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"DeletingUserAccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"CreatingIP\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DeletingIP\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"Azure DevOps Pipeline Created and Deleted on the Same Day\",\"description\":\"An attacker with access to Azure DevOps could create a pipeline to inject artifacts used by other pipelines, or to create a malicious software build that looks legitimate by using a pipeline that incorporates legitimate elements. \\nAn attacker would also likely want to cover their tracks once conducting such activity. This query looks for Pipelines created and deleted within the same day, this is unlikely to be legitimate user activity in the majority of cases.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8e267e91-6bda-4b3c-bf68-9f5cbdd103a3\",\"name\":\"8e267e91-6bda-4b3c-bf68-9f5cbdd103a3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Low\",\"query\":\"ZoomLogs\\n| where Event =~ \\\"account.settings_updated\\\"\\n| extend EnforceLogin = columnifexists(\\\"payload_object_settings_schedule_meeting_enfore_login_b\\\", \\\"\\\")\\n| extend EnforceLoginDomain = columnifexists(\\\"payload_object_settings_schedule_meeting_enfore_login_b\\\", \\\"\\\")\\n| extend GuestAlerts = columnifexists(\\\"payload_object_settings_in_meeting_alert_guest_join_b\\\", \\\"\\\")\\n| where EnforceLogin == \u0027false\u0027 or EnforceLoginDomain == \u0027false\u0027 or GuestAlerts == \u0027false\u0027\\n| extend SettingChanged = case(EnforceLogin == \u0027false\u0027 and EnforceLoginDomain == \u0027false\u0027 and GuestAlerts == \u0027false\u0027, \\\"All settings changed\\\",\\n EnforceLogin == \u0027false\u0027 and EnforceLoginDomain == \u0027false\u0027, \\\"Enforced Logons and Restricted Domains Changed\\\",\\n EnforceLoginDomain == \u0027false\u0027 and GuestAlerts == \u0027false\u0027, \\\"Enforced Domains Changed\\\",\\n EnforceLoginDomain == \u0027false\u0027, \\\"Enfored Domains Changed\\\",\\n GuestAlerts == \u0027false\u0027, \\\"Guest Join Alerts Changed\\\",\\n EnforceLogin == \u0027false\u0027, \\\"Enforced Logins Changed\\\",\\n \\\"No Changes\\\")\\n| extend AccountName = tostring(split(User, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(User, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"User\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]}],\"tactics\":[\"CredentialAccess\",\"Persistence\"],\"displayName\":\"External User Access Enabled\",\"description\":\"This alerts when the account setting is changed to allow either external domain access or anonymous access to meetings.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2020-04-24T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/194dd92e-d6e7-4249-85a5-273350a7f5ce\",\"name\":\"194dd92e-d6e7-4249-85a5-273350a7f5ce\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.6\",\"severity\":\"Medium\",\"query\":\"OfficeActivity\\n| where OfficeWorkload =~ \\\"Exchange\\\" \\n| where UserType in~ (\\\"Admin\\\",\\\"DcAdmin\\\")\\n// Only admin or global-admin can disable audit logging\\n| where Operation =~ \\\"Set-AdminAuditLogConfig\\\"\\n| extend AdminAuditLogEnabledValue = tostring(parse_json(tostring(parse_json(tostring(array_slice(parse_json(Parameters),3,3)))[0])).Value)\\n| where AdminAuditLogEnabledValue =~ \\\"False\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), OperationCount = count() by Operation, UserType, UserId, ClientIP, ResultStatus, Parameters, AdminAuditLogEnabledValue\\n| extend AccountName = iff(UserId contains \u0027@\u0027, tostring(split(UserId, \u0027@\u0027)[0]), UserId)\\n| extend AccountUPNSuffix = iff(UserId contains \u0027@\u0027, tostring(split(UserId, \u0027@\u0027)[1]), \u0027\u0027)\\n| extend AccountName = iff(UserId contains \u0027\\\\\\\\\u0027, tostring(split(UserId, \u0027\\\\\\\\\u0027)[1]), AccountName)\\n| extend AccountNTDomain = iff(UserId contains \u0027\\\\\\\\\u0027, tostring(split(UserId, \u0027\\\\\\\\\u0027)[0]), \u0027\u0027)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserId\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Exchange AuditLog Disabled\",\"description\":\"Identifies when the exchange audit logging has been disabled which may be an adversary attempt to evade detection or avoid other defenses.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2019-04-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity (Exchange)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/eb68b129-5f17-4f56-bf6d-dde48d5e615a\",\"name\":\"eb68b129-5f17-4f56-bf6d-dde48d5e615a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"let lbtime = 10m;\\nlet binaryTypes = dynamic([\u0027zip\u0027, \u0027octet-stream\u0027, \u0027java-archive\u0027, \u0027rar\u0027, \u0027tar\u0027, \u0027x-7z-compressed\u0027, \u0027x-msdownload\u0027, \u0027portable-executable\u0027]);\\nProofpointPOD\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027inbound\u0027\\n| where FilterDisposition !in (\u0027reject\u0027, \u0027discard\u0027)\\n| extend attachedMimeType = tostring(todynamic(MsgParts)[0][\u0027detectedMime\u0027])\\n| where attachedMimeType has_any (binaryTypes)\\n| project SrcUserUpn, AccountCustomEntity = tostring(parse_json(DstUserUpn)[0]), attachedMimeType, MsgHeaderSubject\\n| extend Name = tostring(split(AccountCustomEntity, \\\"@\\\")[0]), UPNSuffix = tostring(split(AccountCustomEntity, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"ProofpointPOD - Binary file in attachment\",\"description\":\"Detects when email received with binary file as attachment.\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ee55dc85-d2da-48c1-a6c0-3eaee62a8d56\",\"name\":\"ee55dc85-d2da-48c1-a6c0-3eaee62a8d56\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Low\",\"query\":\"// Add the environments expected username format regex below before deploying\\nlet user_regex = \\\"\\\";\\nAuditLogs\\n| where OperationName =~ \\\"Add user\\\"\\n| where Result =~ \\\"success\\\"\\n| extend userAgent = tostring(AdditionalDetails[0].value)\\n| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n| extend InitiatingIPAddress = tostring(InitiatedBy.user.ipAddress)\\n| extend InitiatedBy = tostring(iff(isnotempty(InitiatingUserPrincipalName),InitiatingUserPrincipalName, InitiatingAppName))\\n| extend AddedUser = tostring(TargetResources[0].userPrincipalName)\\n| where AddedUser matches regex user_regex\\n| extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[1])\\n| extend TargetAccountName = tostring(split(AddedUser, \\\"@\\\")[0]), TargetAccountUPNSuffix = tostring(split(AddedUser, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"InitiatingAppName\"},{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAppServicePrincipalId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatingAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatingAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddedUser\"},{\"identifier\":\"Name\",\"columnName\":\"TargetAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"TargetAccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIPAddress\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"User Account Created Using Incorrect Naming Format\",\"description\":\"This query looks for accounts being created where the name does not match a defined pattern.\\n Attackers may attempt to add accounts as a means of establishing persistant access to an environment, looking for anomalies in created accounts may help identify illegitimately created accounts.\\n Created accounts should be investigated to ensure they were legitimated created.\\n The user_regex field in the query needs to be populated with the expected pattern for the environment before deployment.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#accounts-not-following-naming-policies\",\"lastUpdatedDateUTC\":\"2023-12-30T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/34c5aff9-a8c2-4601-9654-c7e46342d03b\",\"name\":\"34c5aff9-a8c2-4601-9654-c7e46342d03b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"High\",\"query\":\"let starttime = 14d;\\nlet timeframe = 1d;\\nlet scorethreshold = 3;\\nlet baselinethreshold = 5;\\nlet aadFunc = (tableName:string){\\n IdentityInfo\\n | where TimeGenerated \u003e ago(starttime)\\n | summarize arg_max(TimeGenerated, *) by AccountUPN\\n | mv-expand AssignedRoles\\n | where AssignedRoles contains \u0027Admin\u0027 or GroupMembership has \\\"Admin\\\"\\n | summarize Roles = make_list(AssignedRoles) by AccountUPN = tolower(AccountUPN)\\n | join kind=inner (\\n table(tableName)\\n | where TimeGenerated between (startofday(ago(starttime))..startofday(now()))\\n | where ResultType != 0\\n | extend UserPrincipalName = tolower(UserPrincipalName)\\n ) on $left.AccountUPN == $right.UserPrincipalName\\n | extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, Roles = tostring(Roles)\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nlet allSignins = union isfuzzy=true aadSignin, aadNonInt;\\nlet TimeSeriesAlerts = \\n allSignins\\n | make-series HourlyCount=count() on TimeGenerated from startofday(ago(starttime)) to startofday(now()) step 1h by UserPrincipalName, Roles\\n | extend (anomalies, score, baseline) = series_decompose_anomalies(HourlyCount, scorethreshold, -1, \u0027linefit\u0027)\\n | mv-expand HourlyCount to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to typeof(double), baseline to typeof(long)\\n // Filtering low count events per baselinethreshold\\n | where anomalies \u003e 0 and baseline \u003e baselinethreshold\\n | extend AnomalyHour = TimeGenerated\\n | project UserPrincipalName, Roles, AnomalyHour, TimeGenerated, HourlyCount, baseline, anomalies, score;\\n// Filter the alerts for specified timeframe\\nTimeSeriesAlerts\\n| where TimeGenerated \u003e startofday(ago(timeframe))\\n| join kind=inner ( \\n allSignins\\n | where TimeGenerated \u003e startofday(ago(timeframe))\\n // create a new column and round to hour\\n | extend DateHour = bin(TimeGenerated, 1h)\\n | summarize PartialFailedSignins = count(), LatestAnomalyTime = arg_max(TimeGenerated, *) by bin(TimeGenerated, 1h), OperationName, Category, ResultType, ResultDescription, UserPrincipalName, Roles, UserDisplayName, AppDisplayName, ClientAppUsed, IPAddress, ResourceDisplayName\\n) on UserPrincipalName, $left.AnomalyHour == $right.DateHour\\n| project LatestAnomalyTime, OperationName, Category, UserPrincipalName, Roles = todynamic(Roles), UserDisplayName, ResultType, ResultDescription, AppDisplayName, ClientAppUsed, UserAgent, IPAddress, Location, AuthenticationRequirement, ConditionalAccessStatus, ResourceDisplayName, PartialFailedSignins, TotalFailedSignins = HourlyCount, baseline, anomalies, score\\n| extend Name = tostring(split(UserPrincipalName,\u0027@\u0027,0)[0]), UPNSuffix = tostring(split(UserPrincipalName,\u0027@\u0027,1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Privileged Accounts - Sign in Failure Spikes\",\"description\":\" Identifies spike in failed sign-ins from Privileged accounts. Privileged accounts list can be based on IdentityInfo UEBA table.\\nSpike is determined based on Time series anomaly which will look at historical baseline values.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor\",\"lastUpdatedDateUTC\":\"2024-01-09T00:00:00Z\",\"createdDateUTC\":\"2021-10-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"IdentityInfo\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1399664f-9434-497c-9cde-42e4d74ae20e\",\"name\":\"1399664f-9434-497c-9cde-42e4d74ae20e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"SecurityAlert \\n| where AlertName == \\\"Impossible travel activity\\\"\\n| extend Extprop = parsejson(Entities)\\n| mv-expand Extprop\\n| extend Extprop = parsejson(Extprop)\\n| extend CmdLine = iff(Extprop[\u0027Type\u0027]==\\\"process\\\", Extprop[\u0027CommandLine\u0027], \u0027\u0027)\\n| extend File = iff(Extprop[\u0027Type\u0027]==\\\"file\\\", Extprop[\u0027Name\u0027], \u0027\u0027)\\n| extend Account = Extprop[\u0027Name\u0027]\\n| extend Domain = Extprop[\u0027UPNSuffix\u0027]\\n| extend Account = iif(isnotempty(Domain) and Extprop[\u0027Type\u0027]==\\\"account\\\", tolower(strcat(Account, \\\"@\\\", Domain)), iif(Extprop[\u0027Type\u0027]==\\\"account\\\", tolower(Account), \\\"\\\"))\\n| extend IpAddress = iff(Extprop[\\\"Type\\\"] == \\\"ip\\\",Extprop[\u0027Address\u0027], \u0027\u0027)\\n| extend Process = iff(isnotempty(CmdLine), CmdLine, File)\\n| project TimeGenerated,Account,IpAddress,CompromisedEntity,Description,ProviderName,ResourceId\\n| join kind=inner\\n(\\nOfficeActivity\\n| where Operation =~ \\\"Add-MailboxPermission\\\"\\n| extend value = tostring(parse_json(Parameters)[3].Value)\\n| where value contains \\\"FullAccess\\\"\\n| where ResultStatus == \\\"True\\\"\\n| project Parameters,TimeGenerated,value,RecordType,Operation,OrganizationId,UserType,UserKey,OfficeWorkload,ResultStatus,OfficeObjectId,UserId,ClientIP,ExternalAccess,OriginatingServer,OrganizationName,TenantId,ElevationTime,SourceSystem,OfficeId,OfficeTenantId,Type,SourceRecordId\\n) on $left.Account == $right.UserId\\n| join kind=inner\\n(\\nAuditLogs\\n| where ActivityDisplayName =~ \\\"Add eligible member to role in PIM requested (timebound)\\\"\\n| where AADOperationType =~ \\\"CreateRequestEligibleRole\\\"\\n| where TargetResources has_any (\\\"-PRIV\\\", \\\"Administrator\\\", \\\"Security\\\")\\n| extend BuiltinRole = tostring(parse_json(TargetResources[0].displayName))\\n| extend CustomGroup = tostring(parse_json(TargetResources[3].displayName))\\n| extend TargetAccount = tostring(parse_json(TargetResources[2].displayName))\\n| extend Initiatedby = Identity\\n| project TimeGenerated, ActivityDisplayName, AADOperationType, Initiatedby, TargetAccount, BuiltinRole, CustomGroup, LoggedByService, Result, ResourceId, Id\\n| sort by TimeGenerated desc\\n) on $left.UserId == $right.Initiatedby\\n| extend AccountName = tostring(split(Initiatedby, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(Initiatedby, \\\"@\\\")[1])\\n| project AADOperationType, ActivityDisplayName,AccountName, AccountUPNSuffix, Id,ResourceId,IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]}],\"tactics\":[\"InitialAccess\",\"PrivilegeEscalation\"],\"displayName\":\"Detecting Impossible travel with mailbox permission tampering \u0026 Privilege Escalation attempt\",\"description\":\"This hunting query will alert on any Impossible travel activity in correlation with mailbox permission tampering followed by account being added to a PIM managed privileged group.\\nEnsure this impossible travel incident with increase of privileges is legitimate in your environment.\",\"lastUpdatedDateUTC\":\"2024-11-20T00:00:00Z\",\"createdDateUTC\":\"2022-02-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert (ASC)\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/12dcea64-bec2-41c9-9df2-9f28461b1295\",\"name\":\"12dcea64-bec2-41c9-9df2-9f28461b1295\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\n// Adjust for a longer timeframe for identifying ADFS Servers\\nlet lookback = 6d;\\n// Identify ADFS Servers\\nlet ADFS_Servers = (\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeframe+lookback)\\n| where EventID == 4688 and SubjectLogonId != \\\"0x3e4\\\"\\n| where NewProcessName has \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n);\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Computer in~ (ADFS_Servers)\\n| where Account !endswith \\\"$\\\"\\n// Check for scheduled task events\\n| where EventID in (4697, 4698, 4699, 4700, 4701, 4702)\\n| extend EventDataParsed = parse_xml(EventData)\\n| extend SubjectLogonId = tostring(EventDataParsed.EventData.Data[3][\\\"#text\\\"])\\n// Check specifically for access to IPC$ share and PIPE\\\\svcctl and PIPE\\\\atsvc for Service Control Services and Schedule Control Services\\n| union (\\n SecurityEvent\\n | where TimeGenerated \u003e ago(timeframe)\\n | where Computer in~ (ADFS_Servers)\\n | where Account !endswith \\\"$\\\"\\n | where EventID == 5145\\n | where RelativeTargetName =~ \\\"svcctl\\\" or RelativeTargetName =~ \\\"atsvc\\\"\\n)\\n// Check for lateral movement\\n| join kind=inner\\n(SecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Account !endswith \\\"$\\\"\\n| where EventID == 4624 and LogonType == 3\\n) on $left.SubjectLogonId == $right.TargetLogonId\\n| project TimeGenerated, Account, Computer, EventID, RelativeTargetName\\n| extend timestamp = TimeGenerated\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| extend AccountName = tostring(split(Account, @\u0027\\\\\u0027)[1]), AccountNTDomain = tostring(split(Account, @\u0027\\\\\u0027)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"LateralMovement\"],\"displayName\":\"Gain Code Execution on ADFS Server via SMB + Remote Service or Scheduled Task\",\"description\":\"This query detects instances where an attacker has gained the ability to execute code on an ADFS Server through SMB and Remote Service or Scheduled Task.\",\"lastUpdatedDateUTC\":\"2024-03-13T00:00:00Z\",\"createdDateUTC\":\"2021-03-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/28b42356-45af-40a6-a0b4-a554cdfd5d8a\",\"name\":\"28b42356-45af-40a6-a0b4-a554cdfd5d8a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.1.4\",\"severity\":\"Medium\",\"query\":\"// Set threshold value for deviation\\nlet threshold = 25;\\n// Set the time range for the query\\nlet timeRange = 24h;\\n// Set the authentication window duration\\nlet authenticationWindow = 20m;\\n// Define a reusable function \u0027aadFunc\u0027 that takes a table name as input\\nlet aadFunc = (tableName: string) {\\n // Query the specified table\\n table(tableName)\\n // Filter data within the last 24 hours\\n | where TimeGenerated \u003e ago(1d)\\n // Filter records related to \\\"Azure Portal\\\" applications\\n | where AppDisplayName has \\\"Azure Portal\\\"\\n // Extract and transform some fields\\n | extend\\n DeviceDetail = todynamic(DeviceDetail),\\n LocationDetails = todynamic(LocationDetails)\\n | extend\\n OS = tostring(DeviceDetail.operatingSystem),\\n Browser = tostring(DeviceDetail.browser),\\n State = tostring(LocationDetails.state),\\n City = tostring(LocationDetails.city),\\n Region = tostring(LocationDetails.countryOrRegion)\\n // Categorize records as Success or Failure based on ResultType\\n | extend FailureOrSuccess = iff(ResultType in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\", \\\"70043\\\", \\\"70044\\\"), \\\"Success\\\", \\\"Failure\\\")\\n // Sort and identify sessions\\n | sort by UserPrincipalName asc, TimeGenerated asc\\n | extend SessionStartedUtc = row_window_session(TimeGenerated, timeRange, authenticationWindow, UserPrincipalName != prev(UserPrincipalName) or prev(FailureOrSuccess) == \\\"Success\\\")\\n // Summarize data\\n | summarize FailureOrSuccessCount = count() by FailureOrSuccess, UserId, UserDisplayName, AppDisplayName, IPAddress, Browser, OS, State, City, Region, Type, CorrelationId, bin(TimeGenerated, authenticationWindow), ResultType, UserPrincipalName, SessionStartedUtc\\n | summarize FailureCountBeforeSuccess = sumif(FailureOrSuccessCount, FailureOrSuccess == \\\"Failure\\\"), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), makelist(FailureOrSuccess), IPAddress = make_set(IPAddress, 15), make_set(Browser, 15), make_set(City, 15), make_set(State, 15), make_set(Region, 15), make_set(ResultType, 15) by SessionStartedUtc, UserPrincipalName, CorrelationId, AppDisplayName, UserId, Type\\n // Filter records where \\\"Success\\\" occurs in the middle of a session\\n | where array_index_of(list_FailureOrSuccess, \\\"Success\\\") != 0\\n | where array_index_of(list_FailureOrSuccess, \\\"Success\\\") == array_length(list_FailureOrSuccess) - 1\\n // Remove unnecessary columns from the output\\n | project-away SessionStartedUtc, list_FailureOrSuccess\\n // Join with another table and calculate deviation\\n | join kind=inner (\\n table(tableName)\\n | where TimeGenerated \u003e ago(7d)\\n | where AppDisplayName has \\\"Azure Portal\\\"\\n | extend FailureOrSuccess = iff(ResultType in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\", \\\"70043\\\", \\\"70044\\\"), \\\"Success\\\", \\\"Failure\\\")\\n | summarize avgFailures = avg(todouble(FailureOrSuccess == \\\"Failure\\\")) by UserPrincipalName\\n ) on UserPrincipalName\\n | extend Deviation = abs(FailureCountBeforeSuccess - avgFailures) / avgFailures\\n // Filter records based on deviation and failure count criteria\\n | where Deviation \u003e threshold and FailureCountBeforeSuccess \u003e= 10\\n // Expand the IPAddress array\\n | mv-expand IPAddress\\n | extend IPAddress = tostring(IPAddress)\\n | extend timestamp = StartTime\\n};\\n// Call \u0027aadFunc\u0027 with different table names and union the results\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\\n// Additional transformation - Split UserPrincipalName\\n| extend Name = tostring(split(UserPrincipalName,\u0027@\u0027,0)[0]), UPNSuffix = tostring(split(UserPrincipalName,\u0027@\u0027,1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"UserId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Brute force attack against Azure Portal\",\"description\":\"Detects Azure Portal brute force attacks by monitoring for multiple authentication failures and a successful login within a 20-minute window. Default settings: 10 failures, 25 deviations.\\nRef: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes.\",\"lastUpdatedDateUTC\":\"2024-01-09T00:00:00Z\",\"createdDateUTC\":\"2019-04-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2f4165a6-c4fb-4e94-861e-37f1b4d6c0e6\",\"name\":\"2f4165a6-c4fb-4e94-861e-37f1b4d6c0e6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Medium\",\"query\":\"// Adjust this to use a longer timeframe to identify ADFS servers\\n//let lookback = 0d;\\n// Adjust this to adjust detection timeframe\\n//let timeframe = 1d;\\n// SamAccountName of AD FS Service Account. Filter on the use of a specific AD FS user account\\n//let adfsuser = \u0027adfsadmin\u0027;\\n// Identify ADFS Servers\\nlet ADFS_Servers = (\\n SecurityEvent\\n //| where TimeGenerated \u003e ago(timeframe+lookback)\\n | where EventSourceName == \u0027AD FS Auditing\u0027\\n | distinct Computer\\n);\\nSecurityEvent\\n //| where TimeGenerated \u003e ago(timeframe)\\n | where Computer in~ (ADFS_Servers)\\n // A token of type \u0027http://schemas.microsoft.com/ws/2006/05/servicemodel/tokens/SecureConversation\u0027\\n // for relying party \u0027-\u0027 was successfully authenticated.\\n | where EventID == 412\\n | extend EventData = parse_xml(EventData).EventData.Data\\n | extend InstanceId = tostring(EventData[0])\\n| join kind=inner\\n(\\n SecurityEvent\\n //| where TimeGenerated \u003e ago(timeframe)\\n | where Computer in~ (ADFS_Servers)\\n // Events to identify caller identity from event 412\\n | where EventID == 501\\n | extend EventData = parse_xml(EventData).EventData.Data\\n | where tostring(EventData[1]) contains \u0027identity/claims/name\u0027\\n | extend InstanceId = tostring(EventData[0])\\n | extend ClaimsName = tostring(EventData[2])\\n // Filter on the use of a specific AD FS user account\\n //| where ClaimsName contains adfsuser\\n)\\non $left.InstanceId == $right.InstanceId\\n| join kind=inner\\n(\\n SecurityEvent\\n | where EventID == 5156\\n | where Computer in~ (ADFS_Servers)\\n | extend EventData = parse_xml(EventData).EventData.Data\\n | mv-expand bagexpansion=array EventData\\n | evaluate bag_unpack(EventData)\\n | extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n | evaluate pivot(Key, any(Value), TimeGenerated, Computer, EventID)\\n | extend DestPort = column_ifexists(\\\"DestPort\\\", \\\"\\\"),\\n Direction = column_ifexists(\\\"Direction\\\", \\\"\\\"),\\n Application = column_ifexists(\\\"Application\\\", \\\"\\\"),\\n DestAddress = column_ifexists(\\\"DestAddress\\\", \\\"\\\"),\\n SourceAddress = column_ifexists(\\\"SourceAddress\\\", \\\"\\\"),\\n SourcePort = column_ifexists(\\\"SourcePort\\\", \\\"\\\")\\n // Look for inbound connections from endpoints on port 80\\n | where DestPort == 80 and Direction == \u0027%%14592\u0027 and Application == \u0027System\u0027\\n | where DestAddress !in (\u0027::1\u0027,\u00270:0:0:0:0:0:0:1\u0027)\\n)\\non $left.Computer == $right.Computer\\n| project TimeGenerated, Computer, ClaimsName, SourceAddress, SourcePort\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| extend AccountName = tostring(split(ClaimsName, @\u0027\\\\\u0027)[1]), AccountNTDomain = tostring(split(ClaimsName, @\u0027\\\\\u0027)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ClaimsName\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceAddress\"}]}],\"tactics\":[\"Collection\"],\"displayName\":\"AD FS Remote Auth Sync Connection\",\"description\":\"This detection uses Security events from the \\\"AD FS Auditing\\\" provider to detect suspicious authentication events on an AD FS server. The results then get correlated with events from the Windows Filtering Platform (WFP) to detect suspicious incoming network traffic on port 80 on the AD FS server.\\nThis could be a sign of a threat actor trying to use replication services on the AD FS server to get its configuration settings and extract sensitive information such as AD FS certificates. In order to use this query you need to enable AD FS auditing on the AD FS Server.\\nReferences:\\nhttps://docs.microsoft.com/windows-server/identity/ad-fs/troubleshooting/ad-fs-tshoot-logging\\nhttps://twitter.com/OTR_Community/status/1387038995016732672\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2021-04-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/957cb240-f45d-4491-9ba5-93430a3c08be\",\"name\":\"957cb240-f45d-4491-9ba5-93430a3c08be\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.5\",\"severity\":\"Low\",\"query\":\"OfficeActivity\\n| where Operation in~ ( \\\"Add-MailboxPermission\\\", \\\"Add-MailboxFolderPermission\\\", \\\"Set-Mailbox\\\", \\\"New-ManagementRoleAssignment\\\", \\\"New-InboxRule\\\", \\\"Set-InboxRule\\\", \\\"Set-TransportRule\\\")\\nand not(UserId has_any (\u0027NT AUTHORITY\\\\\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\u0027, \u0027NT AUTHORITY\\\\\\\\SYSTEM (Microsoft.Exchange.AdminApi.NetCore)\u0027, \u0027NT AUTHORITY\\\\\\\\SYSTEM (w3wp)\u0027, \u0027devilfish-applicationaccount\u0027) and Operation in~ ( \\\"Add-MailboxPermission\\\", \\\"Set-Mailbox\\\"))\\n| extend ClientIPOnly = tostring(extract_all(@\u0027\\\\[?(::ffff:)?(?P\u003cIPAddress\u003e(\\\\d+\\\\.\\\\d+\\\\.\\\\d+\\\\.\\\\d+)|[^\\\\]]+)\\\\]?\u0027, dynamic([\\\"IPAddress\\\"]), ClientIP)[0])\\n| extend AccountName = tostring(split(UserId, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(UserId, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserId\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]},{\"entityType\":\"CloudApplication\",\"fieldMappings\":[{\"identifier\":\"AppId\",\"columnName\":\"AppId\"}]}],\"tactics\":[\"Persistence\",\"Collection\"],\"displayName\":\"Rare and potentially high-risk Office operations\",\"description\":\"Identifies Office operations that are typically rare and can provide capabilities useful to attackers.\",\"lastUpdatedDateUTC\":\"2024-03-18T00:00:00Z\",\"createdDateUTC\":\"2019-02-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2cfc3c6e-f424-4b88-9cc9-c89f482d016a\",\"name\":\"2cfc3c6e-f424-4b88-9cc9-c89f482d016a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.5\",\"severity\":\"High\",\"query\":\"AuditLogs\\n| where OperationName has (\\\"Certificates and secrets management\\\")\\n| where Result =~ \\\"success\\\"\\n| where tostring(InitiatedBy.user.userPrincipalName) has \\\"@\\\" or tostring(InitiatedBy.app.displayName) has \\\"@\\\"\\n| mv-apply TargetResource = TargetResources on \\n (\\n where TargetResource.type =~ \\\"Application\\\"\\n | extend targetDisplayName = tostring(TargetResource.displayName),\\n targetId = tostring(TargetResource.id),\\n targetType = tostring(TargetResource.type),\\n keyEvents = TargetResource.modifiedProperties\\n )\\n| mv-apply Property = keyEvents on \\n (\\n where Property.displayName =~ \\\"KeyDescription\\\"\\n | extend new_value_set = parse_json(tostring(Property.newValue)),\\n old_value_set = parse_json(tostring(Property.oldValue))\\n )\\n| where old_value_set == \\\"[]\\\"\\n| mv-expand new_value_set\\n| parse new_value_set with * \\\"KeyIdentifier=\\\" keyIdentifier:string \\\",KeyType=\\\" keyType:string \\\",KeyUsage=\\\" keyUsage:string \\\",DisplayName=\\\" keyDisplayName:string \\\"]\\\" *\\n| where keyUsage =~ \\\"Verify\\\"\\n| mv-apply AdditionalDetail = AdditionalDetails on \\n (\\n where AdditionalDetail.key =~ \\\"User-Agent\\\"\\n | extend InitiatingUserAgent = tostring(AdditionalDetail.value)\\n )\\n| project-away new_value_set, old_value_set, TargetResource, Property, AdditionalDetail\\n| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n| extend InitiatingIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\\n| project-reorder TimeGenerated, OperationName, InitiatingUserPrincipalName, InitiatingAadUserId, InitiatingAppName, InitiatingAppServicePrincipalId, InitiatingIpAddress, InitiatingUserAgent, \\ntargetDisplayName, targetId, targetType, keyDisplayName, keyType, keyUsage, keyIdentifier, CorrelationId, TenantId\\n| extend Name = split(InitiatingUserPrincipalName, \\\"@\\\")[0], UPNSuffix = split(InitiatingUserPrincipalName, \\\"@\\\")[1]\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAppServicePrincipalId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIpAddress\"}]},{\"entityType\":\"CloudApplication\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"targetDisplayName\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"First access credential added to Application or Service Principal where no credential was present\",\"description\":\"This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where there was no previous verify KeyCredential associated.\\nIf a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2024-01-06T00:00:00Z\",\"createdDateUTC\":\"2020-11-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/62085097-d113-459f-9ea7-30216f2ee6af\",\"name\":\"62085097-d113-459f-9ea7-30216f2ee6af\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P3D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Low\",\"query\":\"let starttime = 3d;\\nlet SecEvents = materialize ( SecurityEvent | where TimeGenerated \u003e= ago(starttime)\\n| where EventID in (4722,4723) | where TargetUserName !endswith \\\"$\\\"\\n| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetSid, SubjectAccount, SubjectUserSid);\\nlet userEnable = SecEvents\\n| extend EventID4722Time = TimeGenerated\\n// 4722: User Account Enabled\\n| where EventID == 4722\\n| project Time_Event4722 = TimeGenerated, TargetAccount, TargetSid, SubjectAccount_Event4722 = SubjectAccount, SubjectUserSid_Event4722 = SubjectUserSid, Activity_4722 = Activity, Computer_4722 = Computer;\\nlet userPwdSet = SecEvents\\n// 4723: Attempt made by user to set password\\n| where EventID == 4723\\n| project Time_Event4723 = TimeGenerated, TargetAccount, TargetSid, SubjectAccount_Event4723 = SubjectAccount, SubjectUserSid_Event4723 = SubjectUserSid, Activity_4723 = Activity, Computer_4723 = Computer;\\nuserEnable | join kind=leftouter userPwdSet on TargetAccount, TargetSid\\n| extend PasswordSetAttemptDelta_Min = datetime_diff(\u0027minute\u0027, Time_Event4723, Time_Event4722)\\n| where PasswordSetAttemptDelta_Min \u003e 2880 or isempty(PasswordSetAttemptDelta_Min)\\n| project-away TargetAccount1, TargetSid1\\n| extend Reason = @\\\"User either has not yet attempted to set the initial password after account was enabled or it occurred after 48 hours\\\"\\n| order by Time_Event4722 asc\\n| project-reorder Time_Event4722, Time_Event4723, PasswordSetAttemptDelta_Min, TargetAccount, TargetSid\\n| extend Computer = coalesce(Computer_4723, Computer_4722)\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| extend AccountName = tostring(split(TargetAccount, \\\"\\\\\\\\\\\")[1]), AccountNTDomain = tostring(split(TargetAccount, \\\"\\\\\\\\\\\")[0])\\n| project-away DomainIndex\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetAccount\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Sid\",\"columnName\":\"TargetSid\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"AD user enabled and password not set within 48 hours\",\"description\":\"Identifies when an account is enabled with a default password and the password is not set by the user within 48 hours.\\nEffectively, there is an event 4722 indicating an account was enabled and within 48 hours, no event 4723 occurs which\\nindicates there was no attempt by the user to set the password. This will show any attempts (success or fail) that occur\\nafter 48 hours, which can indicate too long of a time period in setting the password to something that only the user knows.\\nIt is recommended that this time period is adjusted per your internal company policy.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2019-01-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ce02935c-cc67-4b77-9b96-93d9947e119a\",\"name\":\"ce02935c-cc67-4b77-9b96-93d9947e119a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"acrobatrelay.com\\\", \\\"finconsult.cc\\\", \\\"realmetaldns.com\\\"]); \\n(union isfuzzy=true \\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where DNSName in~ (DomainNames) \\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = DestinationIP \\n), \\n(_Im_Dns (domain_has_any=DomainNames)\\n| extend DNSName = DnsQuery \\n| extend IPAddress = SrcIpAddr, Computer = Dvc\\n), \\n(_Im_WebSession (url_has_any=DomainNames)\\n| extend DNSName = tostring(parse_url(Url)[\\\"Host\\\"])\\n| extend IPAddress = SrcIpAddr, Computer = Dvc\\n), \\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 * \\n| where isnotempty(DNSName) \\n| where DNSName in~ (DomainNames) \\n| extend IPAddress = RemoteIp \\n), \\n( \\n DeviceNetworkEvents \\n| where isnotempty(RemoteUrl) \\n| where RemoteUrl has_any (DomainNames) \\n| extend IPAddress = RemoteIP \\n| extend Computer = DeviceName \\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPAddress = SourceHost\\n) \\n) \\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"[Deprecated] - Denim Tsunami C2 Domains July 2022\",\"description\":\"This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft\u0027s Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2022-07-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5436f471-b03d-41cb-b333-65891f887c43\",\"name\":\"5436f471-b03d-41cb-b333-65891f887c43\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Informational\",\"query\":\"GitHubRepo\\n| where Action == \\\"vulnerabilityAlert\\\"\\n| project TimeGenerated, DismmisedAt, Reason, vulnerableManifestFilename, Description, Link, PublishedAt, Severity, Summary\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Link\"}]}],\"tactics\":[\"InitialAccess\",\"Execution\",\"PrivilegeEscalation\",\"DefenseEvasion\",\"CredentialAccess\",\"LateralMovement\"],\"displayName\":\"GitHub Security Vulnerability in Repository\",\"description\":\"This alerts when there is a new security vulnerability in a GitHub repository.\",\"lastUpdatedDateUTC\":\"2024-07-24T00:00:00Z\",\"createdDateUTC\":\"2020-06-10T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2937bc6b-7cda-4fba-b452-ea43ba8e835f\",\"name\":\"2937bc6b-7cda-4fba-b452-ea43ba8e835f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n| where EventID == 5136 \\n| parse EventData with * \u0027ObjectClass\\\"\u003e\u0027 ObjectClass \\\"\u003c\\\" *\\n| parse EventData with * \u0027AttributeLDAPDisplayName\\\"\u003e\u0027 AttributeLDAPDisplayName \\\"\u003c\\\" *\\n| where ObjectClass == \\\"computer\\\" and AttributeLDAPDisplayName == \\\"msDS-AllowedToActOnBehalfOfOtherIdentity\\\"\\n| parse EventData with * \u0027ObjectDN\\\"\u003e\u0027 ObjectDN \\\"\u003c\\\" *\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Computer, SubjectAccount, SubjectUserName, SubjectDomainName, SubjectUserSid, SubjectLogonId, ObjectDN, AttributeLDAPDisplayName\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| project-away DomainIndex\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SubjectAccount\"},{\"identifier\":\"Name\",\"columnName\":\"SubjectUserName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"SubjectDomainName\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Sid\",\"columnName\":\"SubjectUserSid\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Possible Resource-Based Constrained Delegation Abuse\",\"description\":\"This query identifies Active Directory computer objects modifications that allow an adversary to abuse the Resource-based constrained delegation. \\nThis query checks for event id 5136 that the Object Class field is \\\"computer\\\" and the LDAP Display Name is \\\"msDS-AllowedToActOnBehalfOfOtherIdentity\\\" which is an indicator of Resource-based constrained delegation.\\nRef: https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2022-01-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8540c842-5bbc-4a24-9fb2-a836c0e55a51\",\"name\":\"8540c842-5bbc-4a24-9fb2-a836c0e55a51\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.3\",\"severity\":\"High\",\"query\":\"AuditLogs\\n| where OperationName =~ \\\"Set federation settings on domain\\\" or OperationName =~ \\\"Set domain authentication\\\"\\n//| where Result =~ \\\"success\\\" // commenting out, as it may be interesting to capture failed attempts\\n| mv-expand TargetResources\\n| extend modifiedProperties = parse_json(TargetResources).modifiedProperties\\n| mv-apply Property = modifiedProperties on \\n (\\n where Property.displayName =~ \\\"LiveType\\\"\\n | extend targetDisplayName = tostring(Property.displayName),\\n NewDomainValue = tostring(Property.newValue)\\n )\\n| extend Federated = iif(OperationName =~ \\\"Set domain authentication\\\", iif(NewDomainValue has \\\"Federated\\\", True, False), True)\\n| where Federated == True\\n| mv-expand AdditionalDetails\\n| mv-apply AdditionalDetail = AdditionalDetails on \\n (\\n where AdditionalDetail.key =~ \\\"User-Agent\\\"\\n | extend UserAgent = tostring(AdditionalDetail.value)\\n )\\n| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n| extend InitiatingIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\\n| project-reorder TimeGenerated, OperationName, InitiatingUserPrincipalName, InitiatingAadUserId, InitiatingAppName, InitiatingAppServicePrincipalId, InitiatingIpAddress, AADOperationType, targetDisplayName, Result, UserAgent, CorrelationId, TenantId, AADTenantId\\n| extend Name = tostring(split(InitiatingUserPrincipalName,\u0027@\u0027,0)[0]), UPNSuffix = tostring(split(InitiatingUserPrincipalName,\u0027@\u0027,1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAppServicePrincipalId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIpAddress\"}]}],\"tactics\":[\"CredentialAccess\",\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"NRT Modified domain federation trust settings\",\"description\":\"This will alert when a user or application modifies the federation settings on the domain or Update domain authentication from Managed to Federated.\\nFor example, this alert will trigger when a new Active Directory Federated Service (ADFS) TrustedRealm object, such as a signing certificate, is added to the domain.\\nModification to domain federation settings should be rare. Confirm the added or modified target domain/URL is legitimate administrator behavior.\\nTo understand why an authorized user may update settings for a federated domain in Office 365, Azure, or Intune, see: https://docs.microsoft.com/office365/troubleshoot/active-directory/update-federated-domain-office-365.\\nFor details on security realms that accept security tokens, see the ADFS Proxy Protocol (MS-ADFSPP) specification: https://docs.microsoft.com/openspecs/windows_protocols/ms-adfspp/e7b9ea73-1980-4318-96a6-da559486664b.\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2024-07-15T00:00:00Z\",\"createdDateUTC\":\"2020-12-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/dd03057e-4347-4853-bf1e-2b2d21eb4e59\",\"name\":\"dd03057e-4347-4853-bf1e-2b2d21eb4e59\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"let DomainList = dynamic([\\\"monerohash.com\\\", \\\"do-dear.com\\\", \\\"xmrminerpro.com\\\", \\\"secumine.net\\\", \\\"xmrpool.com\\\", \\\"minexmr.org\\\", \\\"hashanywhere.com\\\", \\\"xmrget.com\\\",\\n\\\"mininglottery.eu\\\", \\\"minergate.com\\\", \\\"moriaxmr.com\\\", \\\"multipooler.com\\\", \\\"moneropools.com\\\", \\\"xmrpool.eu\\\", \\\"coolmining.club\\\", \\\"supportxmr.com\\\",\\n\\\"minexmr.com\\\", \\\"hashvault.pro\\\", \\\"xmrpool.net\\\", \\\"crypto-pool.fr\\\", \\\"xmr.pt\\\", \\\"miner.rocks\\\", \\\"walpool.com\\\", \\\"herominers.com\\\", \\\"gntl.co.uk\\\", \\\"semipool.com\\\",\\n\\\"coinfoundry.org\\\", \\\"cryptoknight.cc\\\", \\\"fairhash.org\\\", \\\"baikalmine.com\\\", \\\"tubepool.xyz\\\", \\\"fairpool.xyz\\\", \\\"asiapool.io\\\", \\\"coinpoolit.webhop.me\\\", \\\"nanopool.org\\\",\\n\\\"moneropool.com\\\", \\\"miner.center\\\", \\\"prohash.net\\\", \\\"poolto.be\\\", \\\"cryptoescrow.eu\\\", \\\"monerominers.net\\\", \\\"cryptonotepool.org\\\", \\\"extrmepool.org\\\", \\\"webcoin.me\\\",\\n\\\"kippo.eu\\\", \\\"hashinvest.ws\\\", \\\"monero.farm\\\", \\\"supportxmr.com\\\", \\\"xmrpool.eu\\\", \\\"linux-repository-updates.com\\\", \\\"1gh.com\\\", \\\"dwarfpool.com\\\", \\\"hash-to-coins.com\\\",\\n\\\"hashvault.pro\\\", \\\"pool-proxy.com\\\", \\\"hashfor.cash\\\", \\\"fairpool.cloud\\\", \\\"litecoinpool.org\\\", \\\"mineshaft.ml\\\", \\\"abcxyz.stream\\\", \\\"moneropool.ru\\\", \\\"cryptonotepool.org.uk\\\",\\n\\\"extremepool.org\\\", \\\"extremehash.com\\\", \\\"hashinvest.net\\\", \\\"unipool.pro\\\", \\\"crypto-pools.org\\\", \\\"monero.net\\\", \\\"backup-pool.com\\\", \\\"mooo.com\\\", \\\"freeyy.me\\\", \\\"cryptonight.net\\\",\\n\\\"shscrypto.net\\\"]);\\nSyslog\\n| where ProcessName contains \\\"squid\\\"\\n| extend URL = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :]*)\\\",3,SyslogMessage),\\n SourceIP = extract(\\\"([0-9]+ )(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3}))\\\",2,SyslogMessage),\\n Status = extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))\\\",1,SyslogMessage),\\n HTTP_Status_Code = extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))/([0-9]{3})\\\",8,SyslogMessage),\\n User = extract(\\\"(CONNECT |GET )([^ ]* )([^ ]+)\\\",3,SyslogMessage),\\n RemotePort = extract(\\\"(CONNECT |GET )([^ ]*)(:)([0-9]*)\\\",4,SyslogMessage),\\n Domain = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :\\\\\\\\/]*)\\\",3,SyslogMessage),\\n Bytes = toint(extract(\\\"([A-Z]+\\\\\\\\/[0-9]{3} )([0-9]+)\\\",2,SyslogMessage)),\\n contentType = extract(\\\"([a-z/]+$)\\\",1,SyslogMessage)\\n| extend TLD = extract(\\\"\\\\\\\\.[a-z]*$\\\",0,Domain)\\n| where HTTP_Status_Code == \u0027200\u0027\\n| where Domain contains \\\".\\\"\\n| where Domain has_any (DomainList)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"User\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URL\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"NRT Squid proxy events related to mining pools\",\"description\":\"Checks for Squid proxy events in Syslog associated with common mining pools .This query presumes the default Squid log format is being used.\\n http://www.squid-cache.org/Doc/config/access_log/\",\"lastUpdatedDateUTC\":\"2024-03-04T00:00:00Z\",\"createdDateUTC\":\"2019-07-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"SyslogAma\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0b904747-1336-4363-8d84-df2710bfe5e7\",\"name\":\"0b904747-1336-4363-8d84-df2710bfe5e7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.2\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h; // Look back 1 hour for AzureDiagnostics logs\\nlet ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators\\n// Fetch threat intelligence indicators related to IP addresses\\nlet IP_Indicators = ThreatIntelligenceIndicator\\n // Filter out indicators without relevant IP address fields\\n | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n | where TimeGenerated \u003e= ago(ioc_lookBack)\\n // Select the IP entity based on availability of different IP fields\\n | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n // Exclude local addresses using the ipv4_is_private operator and filtering out specific address prefixes\\n | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \\\"fe80\\\" and TI_ipEntity !startswith \\\"::\\\" and TI_ipEntity !startswith \\\"127.\\\"\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n | where Active == true and ExpirationDateTime \u003e now();\\n// Perform a join between IP indicators and AzureDiagnostics logs to identify potential malicious activity\\nIP_Indicators\\n // Use innerunique to keep performance fast and result set low, as we only need one match to indicate potential malicious activity that needs investigation\\n | join kind=innerunique (\\n AzureDiagnostics\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where OperationName in (\\\"AzureFirewallApplicationRuleLog\\\", \\\"AzureFirewallNetworkRuleLog\\\")\\n | parse kind=regex flags=U msg_s with Protocol \u0027request from \u0027 SourceHost \u0027to \u0027 DestinationHost @\u0027\\\\.? Action: \u0027 Firewall_Action @\u0027\\\\.\u0027 Rest_msg\\n | extend SourceAddress = extract(@\u0027([\\\\.0-9]+)(:[\\\\.0-9]+)?\u0027, 1, SourceHost)\\n | extend DestinationAddress = extract(@\u0027([\\\\.0-9]+)(:[\\\\.0-9]+)?\u0027, 1, DestinationHost)\\n | extend RemoteIP = case(not(ipv4_is_private(DestinationAddress)), DestinationAddress, not(ipv4_is_private(SourceAddress)), SourceAddress, \\\"\\\")\\n | where isnotempty(RemoteIP) // Filter out traffic involving public addresses only\\n | project-rename AzureFirewall_TimeGenerated = TimeGenerated\\n )\\n on $left.TI_ipEntity == $right.RemoteIP\\n // Filter out logs that occurred after the expiration of the corresponding indicator\\n | where AzureFirewall_TimeGenerated \u003c ExpirationDateTime\\n // Group the results by IndicatorId and RemoteIP, and keep the log entry with the latest timestamp\\n | summarize AzureFirewall_TimeGenerated = arg_max(AzureFirewall_TimeGenerated, *) by IndicatorId, RemoteIP\\n // Select the desired output fields\\n | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, DomainName, ExpirationDateTime, ConfidenceScore,\\n AzureFirewall_TimeGenerated, TI_ipEntity, Resource, Category, msg_s, SourceAddress, DestinationAddress, Firewall_Action, Protocol,\\n NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, Type\\n // Rename the timestamp field\\n | extend timestamp = AzureFirewall_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"TI_ipEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"TI map IP entity to AzureFirewall\",\"description\":\"Identifies a match in AzureFirewall (NetworkRule \u0026 ApplicationRule Logs) from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2024-07-09T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b2199398-8942-4b8c-91a9-b0a707c5d147\",\"name\":\"b2199398-8942-4b8c-91a9-b0a707c5d147\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT12H\",\"queryPeriod\":\"PT12H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/HiveRansomwareJuly2022.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, SourceUserID, FileHash, Type\\n| extend timestamp = TimeGenerated, FileHashCustomEntity = FileHash, Account = SourceUserID\\n),\\n(imFileEvent\\n| where TargetFileSHA256 has_any (sha256Hashes)\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHashCustomEntity = FileHash\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Image = EventDetail.[4].[\\\"#text\\\"], CommandLine = EventDetail.[10].[\\\"#text\\\"], Hashes = tostring(EventDetail.[17].[\\\"#text\\\"])\\n| extend Hashes = extract_all(@\\\"(?P\u003ckey\u003e\\\\w+)=(?P\u003cvalue\u003e[a-zA-Z0-9]+)\\\", dynamic([\\\"key\\\",\\\"value\\\"]), Hashes)\\n| extend Hashes = column_ifexists(\\\"Hashes\\\", \\\"\\\"), CommandLine = column_ifexists(\\\"CommandLine\\\", \\\"\\\")\\n| extend Hashes = todynamic(Hashes) | mv-expand Hashes\\n| where Hashes[0] =~ \\\"SHA256\\\" and Hashes[1] has_any (sha256Hashes)\\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, Hashes, CommandLine, Image\\n| extend Type = strcat(Type, \\\": \\\", Source)\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), FileHashCustomEntity = tostring(Hashes[1])\\n),\\n(DeviceEvents\\n| where InitiatingProcessSHA256 has_any (sha256Hashes) or SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n),\\n(DeviceFileEvents\\n| where SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n),\\n(DeviceImageLoadEvents\\n| where SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"[Deprecated] - Hive Ransomware IOC - July 2022\",\"description\":\"This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft\u0027s Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2022-01-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\",\"DeviceEvents\",\"DeviceImageLoadEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/173f8699-6af5-484a-8b06-8c47ba89b380\",\"name\":\"173f8699-6af5-484a-8b06-8c47ba89b380\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.4\",\"severity\":\"Low\",\"query\":\"// Adjust this value to change how many Teams should be deleted before including\\nlet max_delete_count = 3;\\n// Adjust this value to change the timewindow the query runs over\\n OfficeActivity\\n| where OfficeWorkload =~ \\\"MicrosoftTeams\\\"\\n| where Operation =~ \\\"TeamDeleted\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), DeletedTeams = make_set(TeamName, 1000) by UserId\\n| where array_length(DeletedTeams) \u003e max_delete_count\\n| extend AccountName = tostring(split(UserId, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(UserId, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserId\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Multiple Teams deleted by a single user\",\"description\":\"This detection flags the occurrences of deleting multiple teams within an hour.\\nThis data is a part of Office 365 Connector in Microsoft Sentinel.\",\"lastUpdatedDateUTC\":\"2024-03-13T00:00:00Z\",\"createdDateUTC\":\"2020-09-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity (Teams)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/68c0b6bb-6bd9-4ef4-9011-08998c8ef90f\",\"name\":\"68c0b6bb-6bd9-4ef4-9011-08998c8ef90f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"let Threshold = 3;\\nAzureDiagnostics\\n| where Category == \\\"ApplicationGatewayFirewallLog\\\"\\n| where action_s == \\\"Matched\\\"\\n| project transactionId_g, hostname_s, requestUri_s, TimeGenerated, clientIp_s, Message, details_message_s, details_data_s\\n| join kind = inner(\\nAzureDiagnostics\\n| where Category == \\\"ApplicationGatewayFirewallLog\\\"\\n| where action_s == \\\"Blocked\\\"\\n| parse Message with MessageText \u0027Total Inbound Score: \u0027 TotalInboundScore \u0027 - SQLI=\u0027 SQLI_Score \u0027,XSS=\u0027 XSS_Score \u0027,RFI=\u0027 RFI_Score \u0027,LFI=\u0027 LFI_Score \u0027,RCE=\u0027 RCE_Score \u0027,PHPI=\u0027 PHPI_Score \u0027,HTTP=\u0027 HTTP_Score \u0027,SESS=\u0027 SESS_Score \u0027): \u0027 Blocked_Reason \u0027; individual paranoia level scores:\u0027 Paranoia_Score\\n| where Blocked_Reason contains \\\"SQL Injection Attack\\\" and toint(SQLI_Score) \u003e=10 and toint(TotalInboundScore) \u003e= 15) on transactionId_g\\n| extend Uri = strcat(hostname_s,requestUri_s)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), TransactionID = make_set(transactionId_g), Message = make_set(Message), Detail_Message = make_set(details_message_s), Detail_Data = make_set(details_data_s), Total_TransactionId = dcount(transactionId_g) by clientIp_s, Uri, action_s, SQLI_Score, TotalInboundScore\\n| where Total_TransactionId \u003e= Threshold\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Uri\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"clientIp_s\"}]}],\"tactics\":[\"DefenseEvasion\",\"Execution\",\"InitialAccess\",\"PrivilegeEscalation\"],\"displayName\":\"Application Gateway WAF - SQLi Detection\",\"description\":\"Identifies a match for SQL Injection attack in the Application gateway WAF logs. The Threshold value in the query can be changed as per your infrastructure\u0027s requirement.\\n References: https://owasp.org/Top10/A03_2021-Injection/\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2022-07-21T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"WAF\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/52aec824-96c1-4a03-8e44-bb70532e6cea\",\"name\":\"52aec824-96c1-4a03-8e44-bb70532e6cea\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"High\",\"query\":\"SecurityEvent\\n| where EventID == 5136 and EventData contains \\\"\u003cData Name=\\\\\\\"ObjectDN\\\\\\\"\u003eCN=AdminSDHolder,CN=System\\\"\\n| parse EventData with * \u0027ObjectDN\\\"\u003e\u0027 ObjectDN \\\"\u003c\\\" *\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Computer, SubjectAccount, SubjectUserSid, SubjectLogonId, ObjectDN\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| extend Name = tostring(split(SubjectAccount, \\\"\\\\\\\\\\\")[1]), NTDomain = tostring(split(SubjectAccount, \\\"\\\\\\\\\\\")[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SubjectAccount\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"NTDomain\",\"columnName\":\"NTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"AdminSDHolder Modifications\",\"description\":\"This query detects modification in the AdminSDHolder in the Active Directory which could indicate an attempt for persistence. \\nAdminSDHolder Modification is a persistence technique in which an attacker abuses the SDProp process in Active Directory to establish a persistent backdoor to Active Directory.\\nThis query searches for the event id 5136 where the Object DN is AdminSDHolder.\\nRef: https://attack.stealthbits.com/adminsdholder-modification-ad-persistence\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2021-12-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b1832f60-6c3d-4722-a0a5-3d564ee61a63\",\"name\":\"b1832f60-6c3d-4722-a0a5-3d564ee61a63\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.6\",\"severity\":\"Medium\",\"query\":\"let HAS_ANY_MAX = 10000;\\nlet dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation\\nlet DOMAIN_TI=ThreatIntelligenceIndicator\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(DomainName)\\n| where TimeGenerated \u003e= ago(ioc_lookBack)\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true and ExpirationDateTime \u003e now();\\nlet DOMAIN_TI_list= todynamic(toscalar(DOMAIN_TI | summarize NIoCs = dcount(DomainName), Domains = make_set(DomainName) \\n | project Domains=iff(NIoCs \u003e HAS_ANY_MAX, dynamic([]), Domains) ));\\nDOMAIN_TI\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n _Im_WebSession(starttime=ago(dt_lookBack), url_has_any= DOMAIN_TI_list )\\n //Extract domain patterns from syslog message\\n | extend domain = tostring(parse_url(Url)[\\\"Host\\\"])\\n | where isnotempty(domain)\\n | extend tld = tostring(split(domain, \u0027.\u0027)[-1])\\n | extend Event_TimeGenerated = TimeGenerated\\n) on $left.DomainName==$right.domain\\n| where Event_TimeGenerated \u003c ExpirationDateTime\\n| summarize Event_TimeGenerated = arg_max(Event_TimeGenerated , *) by IndicatorId, domain\\n| project Event_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, domain, SrcIpAddr, Url\",\"customDetails\":{\"EventTime\":\"Event_TimeGenerated\",\"IoCDescription\":\"Description\",\"ActivityGroupNames\":\"ActivityGroupNames\",\"IndicatorId\":\"IndicatorId\",\"ThreatType\":\"ThreatType\",\"IoCExpirationTime\":\"ExpirationDateTime\",\"IoCConfidenceScore\":\"ConfidenceScore\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"A web request from {{SrcIpAddr}} to hostname {{domain}} matched an IoC\",\"alertDescriptionFormat\":\"A client with address {{SrcIpAddr}} requested the URL {{Url}}, whose hostname is a known indicator of compromise of {{ThreatType}}. Consult the threat intelligence blade for more information on the indicator.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"CommandAndControl\"],\"displayName\":\"TI map Domain entity to Web Session Events (ASIM Web Session schema)\",\"description\":\"This rule identifies Web Sessions for which the target URL hostname is a known IoC. This rule uses the [Advanced Security Information Model (ASIM)](https:/aka.ms/AboutASIM) and supports any web session source that complies with ASIM.\",\"lastUpdatedDateUTC\":\"2024-07-09T00:00:00Z\",\"createdDateUTC\":\"2022-03-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5d33fc63-b83b-4913-b95e-94d13f0d379f\",\"name\":\"5d33fc63-b83b-4913-b95e-94d13f0d379f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.6\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet fileHashIndicators = ThreatIntelligenceIndicator\\n| where isnotempty(FileHashValue)\\n| where TimeGenerated \u003e= ago(ioc_lookBack)\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true and ExpirationDateTime \u003e now();\\n// Handle matches against both lower case and uppercase versions of the hash:\\n(fileHashIndicators | extend FileHashValue = tolower(FileHashValue)\\n| union (fileHashIndicators | extend FileHashValue = toupper(FileHashValue)))\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n CommonSecurityLog | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(FileHash)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n )\\non $left.FileHashValue == $right.FileHash\\n| where CommonSecurityLog_TimeGenerated \u003c ExpirationDateTime\\n| summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, FileHashValue\\n| project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nSourceIP, SourcePort, DestinationIP, DestinationPort, SourceUserID, SourceUserName, DeviceName, DeviceAction,\\nRequestURL, DestinationUserName, DestinationUserID, ApplicationProtocol, Activity, FileHashValue, FileHashType\\n| extend HostName = tostring(split(DeviceName, \u0027.\u0027, 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(DeviceName, \u0027.\u0027), 1, -1), \u0027.\u0027))\\n| extend Name = tostring(split(SourceUserName, \u0027@\u0027, 0)[0]), UPNSuffix = tostring(split(SourceUserName, \u0027@\u0027, 1)[0])\\n| extend timestamp = CommonSecurityLog_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SourceUserName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DeviceName\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Value\",\"columnName\":\"FileHashValue\"},{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashType\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"TI map File Hash to CommonSecurityLog Event\",\"description\":\"Identifies a match in CommonSecurityLog Event data from any FileHash IOC from TI\",\"lastUpdatedDateUTC\":\"2024-07-09T00:00:00Z\",\"createdDateUTC\":\"2019-08-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2fc5d810-c9cc-491a-b564-841427ae0e50\",\"name\":\"2fc5d810-c9cc-491a-b564-841427ae0e50\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.6\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @\u0027^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$\u0027;\\nThreatIntelligenceIndicator\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n| where TimeGenerated \u003e= ago(ioc_lookBack)\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true and ExpirationDateTime \u003e now()\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e= ago(dt_lookBack) and isnotempty(TargetUserName)\\n//Normalizing the column to lower case for exact match with EmailSenderAddress column\\n| extend TargetUserName = tolower(TargetUserName)\\n// renaming timestamp column so it is clear the log this came from SecurityEvent table\\n| extend SecurityEvent_TimeGenerated = TimeGenerated\\n),\\n(WindowsEvent\\n| where TimeGenerated \u003e= ago(dt_lookBack)\\n| extend TargetUserName = tostring(EventData.TargetUserName)\\n| where isnotempty(TargetUserName)\\n//Normalizing the column to lower case for exact match with EmailSenderAddress column\\n| extend TargetUserName = tolower(TargetUserName)\\n// renaming timestamp column so it is clear the log this came from SecurityEvent table\\n| extend SecurityEvent_TimeGenerated = TimeGenerated\\n))\\n)\\non $left.EmailSenderAddress == $right.TargetUserName\\n| where SecurityEvent_TimeGenerated \u003c ExpirationDateTime\\n| summarize SecurityEvent_TimeGenerated = arg_max(SecurityEvent_TimeGenerated, *) by IndicatorId, TargetUserName\\n| project SecurityEvent_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, Computer, EventID, TargetUserName, Activity, IpAddress, AccountType,\\nLogonTypeName, LogonProcessName, Status, SubStatus\\n| extend HostName = tostring(split(Computer, \u0027.\u0027, 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Computer, \u0027.\u0027), 1, -1), \u0027.\u0027))\\n| extend timestamp = SecurityEvent_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"TargetUserName\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"TI map Email entity to SecurityEvent\",\"description\":\"Identifies a match in SecurityEvent table from any Email IOC from TI\",\"lastUpdatedDateUTC\":\"2024-07-10T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3edb7215-250b-40c0-8b46-79093949242d\",\"name\":\"3edb7215-250b-40c0-8b46-79093949242d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let threshold = 10;\\nQualysHostDetectionV2_CL\\n| where Severity_s == \\\"5\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by NetBios_s, IPAddress\\n| where count_ \u003e= threshold\\n| extend timestamp = StartTime, HostCustomEntity = NetBios_s, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"High Number of Urgent Vulnerabilities Detected\",\"description\":\"This Creates an incident when a host has a high number of Urgent, severity 5, vulnerabilities detected.\",\"lastUpdatedDateUTC\":\"2022-12-28T00:00:00Z\",\"createdDateUTC\":\"2020-06-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"QualysVulnerabilityManagement\",\"dataTypes\":[\"QualysHostDetection_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6a2e2ff4-5568-475e-bef2-b95f12b9367b\",\"name\":\"6a2e2ff4-5568-475e-bef2-b95f12b9367b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.3\",\"severity\":\"Medium\",\"query\":\"let FailureThreshold = 15;\\nimAuthentication\\n| where EventType== \u0027Logon\u0027 and EventResult== \u0027Failure\u0027\\n// reason: creds \\n| where EventResultDetails in (\u0027No such user or password\u0027, \u0027Incorrect password\u0027)\\n| summarize UserCount=dcount(TargetUserId), Vendors=make_set(EventVendor), Products=make_set(EventVendor)\\n , Users = make_set(TargetUserId,100) \\n by SrcDvcIpAddr, SrcGeoCountry, bin(TimeGenerated, 5m)\\n| where UserCount \u003e FailureThreshold\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcDvcIpAddr\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Potential Password Spray Attack (Uses Authentication Normalization)\",\"description\":\"This query searches for failed attempts to log in from more than 15 various users within a 5 minute timeframe from the same source. This is a potential indication of a password spray attack\\n To use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimAuthentication)\",\"lastUpdatedDateUTC\":\"2023-12-12T00:00:00Z\",\"createdDateUTC\":\"2021-06-14T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b6988c32-4f3b-4a45-8313-b46b33061a74\",\"name\":\"b6988c32-4f3b-4a45-8313-b46b33061a74\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.6\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n| where OperationName has_any (\\\"Add service principal\\\", \\\"Certificates and secrets management\\\")\\n| where Result =~ \\\"success\\\"\\n| where tostring(InitiatedBy.user.userPrincipalName) has \\\"@\\\" or tostring(InitiatedBy.app.displayName) has \\\"@\\\"\\n| mv-apply TargetResource = TargetResources on \\n (\\n where TargetResource.type =~ \\\"Application\\\"\\n | extend targetDisplayName = tostring(TargetResource.displayName),\\n targetId = tostring(TargetResource.id),\\n targetType = tostring(TargetResource.type),\\n keyEvents = TargetResource.modifiedProperties\\n )\\n| mv-apply Property = keyEvents on \\n (\\n where Property.displayName =~ \\\"KeyDescription\\\"\\n | extend new_value_set = parse_json(tostring(Property.newValue)),\\n old_value_set = parse_json(tostring(Property.oldValue))\\n )\\n| where old_value_set == \\\"[]\\\"\\n| mv-expand new_value_set\\n| parse new_value_set with * \\\"KeyIdentifier=\\\" keyIdentifier:string \\\",KeyType=\\\" keyType:string \\\",KeyUsage=\\\" keyUsage:string \\\",DisplayName=\\\" keyDisplayName:string \\\"]\\\" *\\n| where keyUsage == \\\"Verify\\\"\\n | mv-apply AdditionalDetail = AdditionalDetails on \\n (\\n where AdditionalDetail.key =~ \\\"User-Agent\\\"\\n | extend UserAgent = tostring(AdditionalDetail.value)\\n )\\n| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n| extend InitiatingIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\\n//| where targetType =~ \\\"Application\\\" // or targetType =~ \\\"ServicePrincipal\\\"\\n| project-away new_value_set, old_value_set\\n| project-reorder TimeGenerated, OperationName, InitiatingUserPrincipalName, InitiatingAadUserId, InitiatingAppName, InitiatingAppServicePrincipalId, InitiatingIpAddress, UserAgent, targetDisplayName, targetId, targetType, keyDisplayName, keyType, keyUsage, keyIdentifier, CorrelationId, TenantId\\n| extend InitiatedByName = tostring(split(InitiatingUserPrincipalName,\u0027@\u0027,0)[0]), InitiatedByUPNSuffix = tostring(split(InitiatingUserPrincipalName,\u0027@\u0027,1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatedByName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatedByUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAppServicePrincipalId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIpAddress\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"NRT First access credential added to Application or Service Principal where no credential was present\",\"description\":\"This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where there was no previous verify KeyCredential associated.\\nIf a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2024-03-06T00:00:00Z\",\"createdDateUTC\":\"2020-11-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/55073036-bb86-47d3-a85a-b113ac3d9396\",\"name\":\"55073036-bb86-47d3-a85a-b113ac3d9396\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.6\",\"severity\":\"Medium\",\"query\":\"let admins=(IdentityInfo\\n | where AssignedRoles contains \\\"admin\\\" or GroupMembership has \\\"Admin\\\"\\n | summarize by tolower(AccountUPN));\\n let known_asns = (\\n SigninLogs\\n | where TimeGenerated between(ago(14d)..ago(1d))\\n | where ResultType == 0\\n | summarize by AutonomousSystemNumber);\\n SigninLogs\\n | where TimeGenerated \u003e ago(1d)\\n | where ResultType == 0\\n | where tolower(UserPrincipalName) in (admins)\\n | where AutonomousSystemNumber !in (known_asns)\\n | project-reorder TimeGenerated, UserPrincipalName, UserAgent, IPAddress, AutonomousSystemNumber\\n | extend AccountName = tostring(split(UserPrincipalName, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(UserPrincipalName, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Privileged User Logon from new ASN\",\"description\":\"Detects a successful logon by a privileged account from an ASN not logged in from in the last 14 days.\\n Monitor these logons to ensure they are legitimate and identify if there are any similar sign ins.\",\"lastUpdatedDateUTC\":\"2023-12-28T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"BehaviorAnalytics\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"IdentityInfo\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/23005e87-2d3a-482b-b03d-edbebd1ae151\",\"name\":\"23005e87-2d3a-482b-b03d-edbebd1ae151\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"let exchange_servers = (\\nW3CIISLog\\n| where TimeGenerated \u003e ago(14d)\\n| where sSiteName =~ \\\"Exchange Back End\\\"\\n| summarize by Computer);\\nW3CIISLog\\n| where TimeGenerated \u003e ago(1d)\\n| where Computer in (exchange_servers)\\n| where csUriQuery startswith \\\"t=\\\"\\n| project-reorder TimeGenerated, Computer, csUriStem, csUriQuery, csUserName, csUserAgent, cIP\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| extend AccountName = tostring(split(csUserName, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(csUserName, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"csUserName\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"cIP\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Silk Typhoon Suspicious Exchange Request\",\"description\":\"This query looks for suspicious request patterns to Exchange servers that fit a pattern observed by Silk Typhoon actors.\\nThe same query can be run on HTTPProxy logs from on-premise hosted Exchange servers.\\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\",\"lastUpdatedDateUTC\":\"2023-12-28T00:00:00Z\",\"createdDateUTC\":\"2021-03-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/712fab52-2a7d-401e-a08c-ff939cc7c25e\",\"name\":\"712fab52-2a7d-401e-a08c-ff939cc7c25e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.8\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet AuditEvents = materialize(AuditLogs\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n // Extract the URL that is contained within the JSON data\\n | extend Url = extract(\\\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.\u0026+]|[!*\\\\\\\\(\\\\\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+)\\\", 1,tostring(TargetResources))\\n | where isnotempty(Url)\\n | extend userPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend TargetResourceDisplayName = tostring(TargetResources[0].displayName)\\n | extend Audit_TimeGenerated = TimeGenerated);\\nlet AuditUrls = AuditEvents | distinct Url = tolower(Url) | summarize make_list(Url);\\nThreatIntelligenceIndicator\\n| where isnotempty(Url)\\n| where TimeGenerated \u003e= ago(ioc_lookBack)\\n| where tolower(Url) in (AuditUrls)\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true and ExpirationDateTime \u003e now()\\n| where Description !contains_cs \\\"State: inactive;\\\" and Description !contains_cs \\\"State: falsepos;\\\"\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (AuditEvents) on Url\\n| where Audit_TimeGenerated \u003c ExpirationDateTime\\n| summarize Audit_TimeGenerated = arg_max(Audit_TimeGenerated, *) by IndicatorId, Url\\n| project Audit_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore,\\nOperationName, Identity, userPrincipalName, TargetResourceDisplayName, Url\\n| extend AccountName = tostring(split(userPrincipalName, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(userPrincipalName, \\\"@\\\")[1])\\n| extend HostName = tostring(split(TargetResourceDisplayName, \\\".\\\")[0]), DomainIndex = toint(indexof(TargetResourceDisplayName, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(TargetResourceDisplayName, DomainIndex + 1), TargetResourceDisplayName)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"userPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetResourceDisplayName\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"TI Map URL Entity to AuditLogs\",\"description\":\"This query identifies any URL indicators of compromise (IOCs) from threat intelligence (TI) by searching for matches in AuditLogs.\",\"lastUpdatedDateUTC\":\"2024-09-12T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d2e8fd50-8d66-11ec-b909-0242ac120002\",\"name\":\"d2e8fd50-8d66-11ec-b909-0242ac120002\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n | where EventID in (4624,4625) and LogonType in (10) and IpAddress in (\\\"::1\\\",\\\"127.0.0.1\\\")\\n | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, TargetUserName, TargetLogonId, LogonType, IpAddress\\n | extend Name=tostring(split(TargetUserName, \\\"@\\\")[0]), UPNSuffix=tostring(split(TargetUserName, \\\"@\\\")[1])\\n | extend HostName = iif(Computer has \u0027.\u0027,substring(Computer,0,indexof(Computer,\u0027.\u0027)),Computer) , DnsDomain = iif(Computer has \u0027.\u0027,substring(Computer,indexof(Computer,\u0027.\u0027)+1),\u0027\u0027)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Potential Remote Desktop Tunneling\",\"description\":\"This query detects remote desktop authentication attempts with a localhost source address, which can indicate a tunneled login.\\nRef: https://www.mandiant.com/resources/bypassing-network-restrictions-through-rdp-tunneling\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/707494a5-8e44-486b-90f8-155d1797a8eb\",\"name\":\"707494a5-8e44-486b-90f8-155d1797a8eb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P2D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"let auditLookbackStart = 2d;\\nlet auditLookbackEnd = 1d;\\nAuditLogs\\n| where TimeGenerated \u003e= ago(auditLookbackStart)\\n| where OperationName =~ \\\"Consent to application\\\" \\n| where Result =~ \\\"success\\\"\\n| mv-apply TargetResource = TargetResources on \\n (\\n where TargetResource.type =~ \\\"ServicePrincipal\\\"\\n | extend targetResourceName = tostring(TargetResource.displayName),\\n targetResourceID = tostring(TargetResource.id),\\n targetResourceType = tostring(TargetResource.type),\\n targetModifiedProp = TargetResource.modifiedProperties\\n )\\n| mv-apply Property = targetModifiedProp on \\n (\\n where Property.displayName =~ \\\"ConsentContext.IsAdminConsent\\\"\\n | extend isAdminConsent = trim(@\u0027\\\"\u0027,tostring(Property.newValue))\\n )\\n| mv-apply Property = targetModifiedProp on \\n (\\n where Property.displayName =~ \\\"ConsentAction.Permissions\\\"\\n | extend Consent_Permissions = trim(@\u0027\\\"\u0027,tostring(Property.newValue))\\n )\\n| mv-apply Property = targetModifiedProp on \\n (\\n where Property.displayName =~ \\\"TargetId.ServicePrincipalNames\\\"\\n | extend Consent_ServicePrincipalNames = tostring(extract_all(@\\\"([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12})\\\",trim(@\u0027\\\"\u0027,tostring(Property.newValue)))[0])\\n )\\n| extend Consent_InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend Consent_InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n| join ( \\nAuditLogs\\n| where TimeGenerated \u003e= ago(auditLookbackEnd)\\n| where OperationName =~ \\\"Add service principal credentials\\\"\\n| where Result =~ \\\"success\\\"\\n| mv-apply TargetResource = TargetResources on \\n (\\n where TargetResource.type =~ \\\"ServicePrincipal\\\"\\n | extend targetResourceName = tostring(TargetResource.displayName),\\n targetResourceID = tostring(TargetResource.id),\\n targetModifiedProp = TargetResource.modifiedProperties\\n )\\n| mv-apply Property = targetModifiedProp on \\n (\\n where Property.displayName =~ \\\"KeyDescription\\\"\\n | extend Credential_KeyDescription = trim(@\u0027\\\"\u0027,tostring(Property.newValue))\\n )\\n| mv-apply Property = targetModifiedProp on \\n (\\n where Property.displayName =~ \\\"Included Updated Properties\\\"\\n | extend UpdatedProperties = trim(@\u0027\\\"\u0027,tostring(Property.newValue))\\n )\\n| mv-apply Property = targetModifiedProp on \\n (\\n where Property.displayName =~ \\\"TargetId.ServicePrincipalNames\\\"\\n | extend Credential_ServicePrincipalNames = tostring(extract_all(@\\\"([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12})\\\",trim(@\u0027\\\"\u0027,tostring(Property.newValue)))[0])\\n )\\n| extend Credential_InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend Credential_InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n) on targetResourceName, targetResourceID\\n| extend TimeConsent = TimeGenerated, TimeCred = TimeGenerated1\\n| where TimeConsent \u003c TimeCred \\n| project TimeConsent, TimeCred, Consent_InitiatingUserOrApp, Credential_InitiatingUserOrApp, targetResourceName, targetResourceType, isAdminConsent, Consent_ServicePrincipalNames, Credential_ServicePrincipalNames, Consent_Permissions, Credential_KeyDescription, Consent_InitiatingIpAddress, Credential_InitiatingIpAddress\\n| extend timestamp = TimeConsent, Name = tostring(split(Credential_InitiatingUserOrApp,\u0027@\u0027,0)[0]), UPNSuffix = tostring(split(Credential_InitiatingUserOrApp,\u0027@\u0027,1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"Consent_InitiatingIpAddress\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Credential added after admin consented to Application\",\"description\":\"This query will identify instances where Service Principal credentials were added to an application by one user after the application was granted admin consent rights by another user.\\n If a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\\n Additional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow.\\n For further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2021-02-12T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f68a5046-b7eb-4f69-9519-1e99708bb9e0\",\"name\":\"f68a5046-b7eb-4f69-9519-1e99708bb9e0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"DeviceFileEvents\\n | where ActionType =~ \\\"FileCreated\\\"\\n | where FolderPath has \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\spool\\\\\\\\drivers\\\\\\\\color\\\\\\\\\\\" \\n | where FileName endswith \\\".exe\\\" or FileName endswith \\\".dll\\\"\",\"entityMappings\":[{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"FileName\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"DeviceName\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"PE file dropped in Color Profile Folder\",\"description\":\"This query looks for writes of PE files to C:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\color\\\\.\\n This is a common directory used by malware, as well as some legitimate programs, and writes of PE files to the folder should be monitored.\\n Ref: https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2022-07-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/983a6922-894d-413c-9f04-d7add0ecc307\",\"name\":\"983a6922-894d-413c-9f04-d7add0ecc307\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P10D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.4\",\"severity\":\"Medium\",\"query\":\"let referencestarttime = 10d;\\nlet referenceendtime = 1d;\\nlet threshold = 100;\\nlet nxDomainDnsEvents = (stime:datetime, etime:datetime) \\n {_Im_Dns(responsecodename=\u0027NXDOMAIN\u0027, starttime=stime, endtime=etime)\\n | where DnsQueryTypeName in (\\\"A\\\", \\\"AAAA\\\")\\n | where ipv4_is_match(\\\"127.0.0.1\\\", SrcIpAddr) == False\\n | where DnsQuery !contains \\\"/\\\" and DnsQuery contains \\\".\\\"};\\nnxDomainDnsEvents (stime=ago(referenceendtime) ,etime=now())\\n | extend sld = tostring(split(DnsQuery, \\\".\\\")[-2])\\n | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), dcount(sld) by SrcIpAddr\\n | where dcount_sld \u003e threshold\\n // Filter out previously seen IPs\\n | join kind=leftanti (nxDomainDnsEvents (stime=ago(referencestarttime), etime=ago(referenceendtime))\\n | extend sld = tostring(split(DnsQuery, \\\".\\\")[-2])\\n | summarize dcount(sld) by SrcIpAddr\\n | where dcount_sld \u003e threshold ) on SrcIpAddr\\n// Pull out sample NXDomain responses for those remaining potentially infected IPs\\n| join kind = inner (nxDomainDnsEvents (stime=ago(referencestarttime), etime=now()) | summarize by DnsQuery, SrcIpAddr) on SrcIpAddr\\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), sampleNXDomainList=make_list(DnsQuery, 100) by SrcIpAddr, dcount_sld\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Potential DGA detected (ASIM DNS Schema)\",\"description\":\"Identifies clients with a high NXDomain count which could be indicative of a DGA (cycling through possible C2 domains where most C2s are not live). Alert is generated when a new IP address is seen (based on not being seen associated with \\nNXDomain records in prior 10-day baseline period).\\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2021-09-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/84cccc86-5c11-4b3a-aca6-7c8f738ed0f7\",\"name\":\"84cccc86-5c11-4b3a-aca6-7c8f738ed0f7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n | where OperationName has_all (\\\"member to role\\\", \\\"add\\\")\\n | where Result =~ \\\"Success\\\"\\n | extend type_ = tostring(TargetResources[0].type)\\n | where type_ =~ \\\"ServicePrincipal\\\"\\n | where isnotempty(TargetResources)\\n | extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n | extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n | extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n | extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n | extend InitiatingIPAddress = tostring(InitiatedBy.user.ipAddress)\\n | extend InitiatedBy = tostring(iff(isnotempty(InitiatingUserPrincipalName),InitiatingUserPrincipalName, InitiatingAppName))\\n | extend ServicePrincipalName = tostring(TargetResources[0].displayName)\\n | extend ServicePrincipalId = tostring(TargetResources[0].id)\\n | mv-expand TargetResources[0].modifiedProperties\\n | extend TargetResources_0_modifiedProperties = columnifexists(\\\"TargetResources_0_modifiedProperties\\\", \u0027\u0027)\\n | where isnotempty(TargetResources_0_modifiedProperties)\\n | extend displayName = tostring(TargetResources_0_modifiedProperties.displayName), newValue = tostring(parse_json(tostring(TargetResources_0_modifiedProperties.newValue)))\\n | where displayName == \\\"Role.DisplayName\\\" and newValue contains \\\"admin\\\"\\n | extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[1])\\n | extend TargetRole = newValue\\n | project-reorder TimeGenerated, ServicePrincipalName, ServicePrincipalId, InitiatedBy, TargetRole, InitiatingIPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"InitiatingAppName\"},{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAppServicePrincipalId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatingAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatingAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"ServicePrincipalName\"},{\"identifier\":\"AadUserId\",\"columnName\":\"ServicePrincipalId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIPAddress\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Service Principal Assigned Privileged Role\",\"description\":\"Detects a privileged role being added to a Service Principal.\\n Ensure that any assignment to a Service Principal is valid and appropriate - Service Principals should not be assigned to very highly privileged roles such as Global Admin.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts\",\"lastUpdatedDateUTC\":\"2024-03-04T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3b443f22-9be9-4c35-ac70-a94757748439\",\"name\":\"3b443f22-9be9-4c35-ac70-a94757748439\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"High\",\"query\":\"let files1 = dynamic([\\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\lsa.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\pa.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\pc.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\Rar.exe\\\"]);\\nlet files2 = dynamic([\\\"svchost.exe\\\",\\\"wdmsvc.exe\\\"]);\\nlet FileHash1 = dynamic([\\\"43109fbe8b752f7a9076eaafa417d9ae5c6e827cd5374b866672263fdebd5ec3\\\", \\\"ab50d8d707b97712178a92bbac74ccc2a5699eb41c17aa77f713ff3e568dcedb\\\", \\\"010e32be0f86545e116a8bc3381a8428933eb8789f32c261c81fd5e7857d4a77\\\", \\\"56cd102b9fc7f3523dad01d632525ff673259dbc9a091be0feff333c931574f7\\\"]);\\nlet FileHash2 = dynamic([\\\"2a1044e9e6e87a032f80c6d9ea6ae61bbbb053c0a21b186ecb3b812b49eb03b7\\\", \\\"9ab7e99ed84f94a7b6409b87e56dc6e1143b05034a5e4455e8c555dbbcd0d2dd\\\", \\\"18a072ccfab239e140d8f682e2874e8ff19d94311fc8bb9564043d3e0deda54b\\\"]);\\nDeviceProcessEvents\\n| where ( FolderPath has_any (files1) and SHA256 has_any (FileHash1)) or (FolderPath has_any (files2) and SHA256 has_any (FileHash2))\\n| extend DvcId = DeviceId\\n| join kind=leftouter (SecurityAlert\\n| where ProviderName =~ \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| mv-expand todynamic(Entities)\\n| extend DvcId = tostring(parse_json(Entities).MdatpDeviceId)\\n| where isnotempty(DvcId)\\n// Higher risk score are for Defender alerts related to threat actor\\n| extend AlertRiskScore = iif(ThreatName has_any (\\\"Backdoor:MSIL/ShellClient.A\\\", \\\"Backdoor:MSIL/ShellClient.A!dll\\\", \\\"Trojan:MSIL/Mimikatz.BA!MTB\\\"), 1.0, 0.5)\\n| project DvcId, AlertRiskScore) on DvcId\\n| extend AlertRiskScore = iif(isempty(AlertRiskScore), 0.0, AlertRiskScore)\\n| extend InitiatingProcessAccount = strcat(InitiatingProcessAccountDomain, \\\"\\\\\\\\\\\", InitiatingProcessAccountName)\\n| extend HostName = tostring(split(DeviceName, \\\".\\\")[0]), DomainIndex = toint(indexof(DeviceName, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(DeviceName, DomainIndex + 1), DeviceName)\\n| extend timestamp = TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DeviceName\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingProcessAccount\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatingProcessAccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"InitiatingProcessAccountDomain\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"FileName\"}]}],\"tactics\":[\"CredentialAccess\",\"Execution\"],\"displayName\":\"Dev-0228 File Path Hashes November 2021\",\"description\":\"This hunting query looks for file paths/hashes related to observed activity by Dev-0228. The actor is known to use custom version of popular tool like PsExec, Procdump etc. to carry its activity.\\n The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first.\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2021-11-18T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftDefenderAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert (MDATP)\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/50574fac-f8d1-4395-81c7-78a463ff0c52\",\"name\":\"50574fac-f8d1-4395-81c7-78a463ff0c52\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Low\",\"query\":\"let aadFunc = (tableName:string){\\ntable(tableName)\\n| where AppId =~ \\\"1b730954-1685-4b74-9bfd-dac224a7b894\\\" // AppDisplayName IS Azure Active Directory PowerShell\\n| where TokenIssuerType =~ \\\"AzureAD\\\"\\n| where ResourceIdentity !in (\\\"00000002-0000-0000-c000-000000000000\\\", \\\"00000003-0000-0000-c000-000000000000\\\") // ResourceDisplayName IS NOT Windows Azure Active Directory OR Microsoft Graph\\n| extend Status = todynamic(Status)\\n| where Status.errorCode == 0 // Success\\n| project-reorder IPAddress, UserAgent, ResourceDisplayName, UserDisplayName, UserId, UserPrincipalName, Type\\n| order by TimeGenerated desc\\n| extend Name = tostring(split(UserPrincipalName,\u0027@\u0027,0)[0]), UPNSuffix = tostring(split(UserPrincipalName,\u0027@\u0027,1)[0])\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"UserId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Microsoft Entra ID PowerShell accessing non-Entra ID resources\",\"description\":\"This will alert when a user or application signs in using Microsoft Entra ID PowerShell to access non-Active Directory resources, such as the Azure Key Vault, which may be undesired or unauthorized behavior.\\nFor capabilities and expected behavior of the Microsoft Entra ID PowerShell module, see: https://docs.microsoft.com/powershell/module/azuread/?view=azureadps-2.0.\\nFor further information on Microsoft Entra ID Signin activity reports, see: https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins.\",\"lastUpdatedDateUTC\":\"2024-04-05T00:00:00Z\",\"createdDateUTC\":\"2020-12-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9c1e9381-79dd-4ddf-9570-b73a1dc59fe0\",\"name\":\"9c1e9381-79dd-4ddf-9570-b73a1dc59fe0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let LookBack = 1h;\\nlet Data = (\\nSigninLogs\\n| where TimeGenerated \u003e= ago(LookBack)\\n| where parse_json(NetworkLocationDetails)[0].networkType != \\\"trustedNamedLocation\\\" // Excludes known tagged networks\\n// Counts the number of sign in events in the last hour every 15 minutes by IP\\n| make-series EventCounts = count() on TimeGenerated from ago(LookBack) to now() step 15m by IPAddress \\n);\\nlet AnomalyAlert = (\\nData\\n| extend (Anomalies, Score, Baseline) = series_decompose_anomalies(EventCounts,1.5,-1,\u0027linefit\u0027)\\n| mv-expand EventCounts,TimeGenerated,Anomalies to typeof(double),Baseline to typeof(long),Score to typeof(double)\\n| where Anomalies \u003e 0\\n);\\nAnomalyAlert\\n| join kind = inner (SigninLogs\\n| where TimeGenerated between (ago(LookBack) .. now())\\n| where parse_json(NetworkLocationDetails)[0].networkType != \\\"trustedNamedLocation\\\"\\n| extend PasswordResult = tostring(parse_json(AuthenticationDetails).authenticationStepResultDetail)\\n| summarize UserCount = dcount(UserPrincipalName), UserList = make_set(UserPrincipalName), AppName = make_set(AppDisplayName), PasswordResult = make_list(PasswordResult) by IPAddress) on IPAddress\\n| where PasswordResult has \\\"Correct Password\\\"\\n| where UserCount \u003e 1 // looks for events targeting more than one user.\",\"customDetails\":{\"Score\":\"Score\",\"Baseline\":\"Baseline\",\"UserCount\":\"UserCount\",\"AppName\":\"AppName\",\"PasswordResult\":\"PasswordResult\",\"UserList\":\"UserList\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Anomaly Sign In Event from an IP\",\"description\":\"Identifies sign-in anomalies from an IP in the last hour, targeting multiple users where the password is correct after multiple attempts\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2023-05-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1572e66b-20a7-4012-9ec4-77ec4b101bc8\",\"name\":\"1572e66b-20a7-4012-9ec4-77ec4b101bc8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.7\",\"severity\":\"Medium\",\"query\":\"let starttime = 1d;\\nlet endtime = 1h;\\nlet prev23hThreshold = 4;\\nlet prev1hThreshold = 15;\\nlet Kerbevent = (union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e= ago(starttime)\\n| where EventID == 4769\\n| parse EventData with * \u0027TicketEncryptionType\\\"\u003e\u0027 TicketEncryptionType \\\"\u003c\\\" *\\n| where TicketEncryptionType == \u00270x17\u0027\\n| parse EventData with * \u0027TicketOptions\\\"\u003e\u0027 TicketOptions \\\"\u003c\\\" *\\n| where TicketOptions == \u00270x40810000\u0027\\n| parse EventData with * \u0027Status\\\"\u003e\u0027 Status \\\"\u003c\\\" *\\n| where Status == \u00270x0\u0027\\n| parse EventData with * \u0027ServiceName\\\"\u003e\u0027 ServiceName \\\"\u003c\\\" *\\n| where ServiceName !contains \\\"$\\\" and ServiceName !contains \\\"krbtgt\\\"\\n| parse EventData with * \u0027TargetUserName\\\"\u003e\u0027 TargetUserName \\\"\u003c\\\" *\\n| where TargetUserName !contains \\\"$@\\\" and TargetUserName !contains ServiceName\\n| parse EventData with * \u0027IpAddress\\\"\u003e::ffff:\u0027 ClientIPAddress \\\"\u003c\\\" *\\n),\\n(\\nWindowsEvent\\n| where TimeGenerated \u003e= ago(starttime)\\n| where EventID == 4769 and EventData has \u00270x17\u0027 and EventData has \u00270x40810000\u0027 and EventData has \u0027krbtgt\u0027\\n| extend TicketEncryptionType = tostring(EventData.TicketEncryptionType)\\n| where TicketEncryptionType == \u00270x17\u0027\\n| extend TicketOptions = tostring(EventData.TicketOptions)\\n| where TicketOptions == \u00270x40810000\u0027\\n| extend Status = tostring(EventData.Status)\\n| where Status == \u00270x0\u0027\\n| extend ServiceName = tostring(EventData.ServiceName)\\n| where ServiceName !contains \\\"$\\\" and ServiceName !contains \\\"krbtgt\\\"\\n| extend TargetUserName = tostring(EventData.TargetUserName)\\n| where TargetUserName !contains \\\"$@\\\" and TargetUserName !contains ServiceName\\n| extend ClientIPAddress = tostring(EventData.IpAddress)\\n));\\nlet Kerbevent23h = Kerbevent\\n| where TimeGenerated \u003e= ago(starttime) and TimeGenerated \u003c ago(endtime)\\n| summarize ServiceNameCountPrev23h = dcount(ServiceName), ServiceNameSet23h = makeset(ServiceName)\\nby Computer, TargetUserName,TargetDomainName, ClientIPAddress, TicketOptions, TicketEncryptionType, Status\\n| where ServiceNameCountPrev23h \u003c prev23hThreshold;\\nlet Kerbevent1h =\\nKerbevent\\n| where TimeGenerated \u003e= ago(endtime)\\n| summarize min(TimeGenerated), max(TimeGenerated), ServiceNameCountPrev1h = dcount(ServiceName), ServiceNameSet1h = makeset(ServiceName)\\nby Computer, TargetUserName, TargetDomainName, ClientIPAddress, TicketOptions, TicketEncryptionType, Status;\\nKerbevent1h\\n| join kind=leftanti\\n(\\nKerbevent23h\\n) on TargetUserName, TargetDomainName\\n// Threshold value set above is based on testing, this value may need to be changed for your environment.\\n| where ServiceNameCountPrev1h \u003e prev1hThreshold\\n| project StartTime = min_TimeGenerated, EndTime = max_TimeGenerated, TargetUserName, Computer, ClientIPAddress, TicketOptions,\\nTicketEncryptionType, Status, ServiceNameCountPrev1h, ServiceNameSet1h, TargetDomainName\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| extend TargetAccount = strcat(TargetDomainName, \\\"\\\\\\\\\\\", TargetUserName)\\n| project-away DomainIndex\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetAccount\"},{\"identifier\":\"Name\",\"columnName\":\"TargetUserName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"TargetDomainName\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIPAddress\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Potential Kerberoasting\",\"description\":\"A service principal name (SPN) is used to uniquely identify a service instance in a Windows environment.\\nEach SPN is usually associated with a service account. Organizations may have used service accounts with weak passwords in their environment.\\nAn attacker can try requesting Kerberos ticket-granting service (TGS) service tickets for any SPN from a domain controller (DC) which contains a hash of the Service account. This can then be used for offline cracking.\\nThis hunting query looks for accounts that are generating excessive requests to different resources within the last hour compared with the previous 24 hours. Normal users would not make an unusually large number of request within a small time window. This is based on 4769 events which can be very noisy so environment based tweaking might be needed.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2019-04-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ac891683-53c3-4f86-86b4-c361708e2b2b\",\"name\":\"ac891683-53c3-4f86-86b4-c361708e2b2b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"High\",\"query\":\"// Allowlisted UPNs should likely stay empty\\nlet AllowlistedUpns = datatable(UPN:string)[\u0027foo@bar.com\u0027, \u0027test@foo.com\u0027];\\n// Operation Name parts that will alert\\nlet HasAnyBlocklist = datatable(OperationNamePart:string)[\u0027Security.\u0027,\u0027Project.\u0027,\u0027AuditLog.\u0027,\u0027Extension.\u0027];\\n// Distinct Operation Names that will flag\\nlet HasExactBlocklist = datatable(OperationName:string)[\u0027Group.UpdateGroupMembership.Add\u0027,\u0027Library.ServiceConnectionExecuted\u0027,\u0027Pipelines.PipelineModified\u0027,\\n\u0027Release.ReleasePipelineModified\u0027, \u0027Git.RefUpdatePoliciesBypassed\u0027];\\nAzureDevOpsAuditing\\n| where AuthenticationMechanism startswith \\\"PAT\\\" and (OperationName has_any (HasAnyBlocklist) or OperationName in (HasExactBlocklist))\\n and ActorUPN !in (AllowlistedUpns)\\n| project TimeGenerated, AuthenticationMechanism, ProjectName, ActorUPN, ActorDisplayName, IpAddress, UserAgent, OperationName, Details, Data\\n| extend timestamp = TimeGenerated\\n| extend AccountName = tostring(split(ActorUPN, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(ActorUPN, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ActorUPN\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]}],\"tactics\":[\"Execution\",\"Impact\"],\"displayName\":\"Azure DevOps Personal Access Token (PAT) misuse\",\"description\":\"This Alert detects whenever a PAT is used in ways that PATs are not normally used. May require an allow list and baselining.\\nReference - https://docs.microsoft.com/azure/devops/organizations/accounts/use-personal-access-tokens-to-authenticate?view=azure-devops\u0026tabs=preview-page\\nUse this query for baselining:\\nAzureDevOpsAuditing\\n| distinct OperationName\",\"lastUpdatedDateUTC\":\"2024-03-13T00:00:00Z\",\"createdDateUTC\":\"2020-06-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/02ef8d7e-fc3a-4d86-a457-650fa571d8d2\",\"name\":\"02ef8d7e-fc3a-4d86-a457-650fa571d8d2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.1.11\",\"severity\":\"Medium\",\"query\":\"let riskScoreCutoff = 3; //Adjust this score threshold based on volume of results. Activities identified as the most abnormal receive the highest scores (on a scale of 0-10)\\nlet logonDiff = 10m; \\nlet aadFunc = (tableName:string)\\n{ \\ntable(tableName)\\n| where ResultType == \\\"0\\\"\\n| where AppDisplayName !in (\\\"Office 365 Exchange Online\\\", \\\"Skype for Business Online\\\") // To remove false-positives, add more Apps to this array\\n// ---------- Fix for SuccessBlock to also consider IPv6\\n| extend SuccessIPv6Block = strcat(split(IPAddress, \\\":\\\")[0], \\\":\\\", split(IPAddress, \\\":\\\")[1], \\\":\\\", split(IPAddress, \\\":\\\")[2], \\\":\\\", split(IPAddress, \\\":\\\")[3])\\n| extend SuccessIPv4Block = strcat(split(IPAddress, \\\".\\\")[0], \\\".\\\", split(IPAddress, \\\".\\\")[1])\\n// ------------------\\n| project SuccessLogonTime = TimeGenerated, UserPrincipalName, SuccessIPAddress = IPAddress, SuccessLocation = Location, AppDisplayName, SuccessIPBlock = iff(IPAddress contains \\\":\\\", strcat(split(IPAddress, \\\":\\\")[0], \\\":\\\", split(IPAddress, \\\":\\\")[1]), strcat(split(IPAddress, \\\".\\\")[0], \\\".\\\", split(IPAddress, \\\".\\\")[1])), Type\\n| join kind= inner (\\n table(tableName)\\n | where ResultType !in (\\\"0\\\", \\\"50140\\\")\\n | where ResultDescription !~ \\\"Other\\\"\\n | where AppDisplayName !in (\\\"Office 365 Exchange Online\\\", \\\"Skype for Business Online\\\")\\n | project FailedLogonTime = TimeGenerated, UserPrincipalName, FailedIPAddress = IPAddress, FailedLocation = Location, AppDisplayName, ResultType, ResultDescription, Type \\n) on UserPrincipalName, AppDisplayName\\n| where SuccessLogonTime \u003c FailedLogonTime and FailedLogonTime - SuccessLogonTime \u003c= logonDiff and FailedIPAddress !startswith SuccessIPBlock\\n| summarize FailedLogonTime = max(FailedLogonTime), SuccessLogonTime = max(SuccessLogonTime) by UserPrincipalName, SuccessIPAddress, SuccessLocation, AppDisplayName, FailedIPAddress, FailedLocation, ResultType, ResultDescription, Type\\n| extend timestamp = SuccessLogonTime\\n| extend UserPrincipalName = tolower(UserPrincipalName)};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\\n| extend Name = tostring(split(UserPrincipalName,\u0027@\u0027,0)[0]), UPNSuffix = tostring(split(UserPrincipalName,\u0027@\u0027,1)[0])\\n// UEBA context below - make sure you have these 2 datatypes, otherwise the query will not work. If so, comment all that is below.\\n| join kind=leftouter (\\n IdentityInfo\\n | summarize LatestReportTime = arg_max(TimeGenerated, *) by AccountUPN\\n | project AccountUPN, Tags, JobTitle, GroupMembership, AssignedRoles, UserType, IsAccountEnabled\\n | summarize\\n Tags = make_set(Tags, 1000),\\n GroupMembership = make_set(GroupMembership, 1000),\\n AssignedRoles = make_set(AssignedRoles, 1000),\\n UserType = make_set(UserType, 1000),\\n UserAccountControl = make_set(UserType, 1000)\\n by AccountUPN\\n | extend UserPrincipalName=tolower(AccountUPN)\\n) on UserPrincipalName\\n//Below it will be joined with BehaviorAnalytics table to the Failed IP Addresses\\n| join kind=leftouter (\\n BehaviorAnalytics\\n | where ActivityType in (\\\"FailedLogOn\\\", \\\"LogOn\\\")\\n | where isnotempty(SourceIPAddress)\\n | project UsersInsights, DevicesInsights, ActivityInsights, InvestigationPriority, SourceIPAddress, UserName\\n | project-rename FailedIPAddress = SourceIPAddress, Name = UserName\\n | summarize\\n MaxInvestigationScore = max(InvestigationPriority) // Only retrieve maximum Investigation Property score for both FailedIP and User\\n by FailedIPAddress, Name)\\non FailedIPAddress, Name // Joining on both IP and User so as to only return context associated with same user\\n| extend UEBARiskScore = MaxInvestigationScore\\n| project-away *1 // removing duplicate columns post outer join from output\\n| where UEBARiskScore \u003e riskScoreCutoff\\n| sort by UEBARiskScore desc\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SuccessIPAddress\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"FailedIPAddress\"}]}],\"tactics\":[\"CredentialAccess\",\"InitialAccess\"],\"displayName\":\"Successful logon from IP and failure from a different IP\",\"description\":\"Identifies when a user account successfully logs onto an Azure App from one IP and within 10 mins failed to logon to the same App via a different IP (may indicate a malicious attempt at password guessing with known account). \\nUEBA added for context to gather all asoociated information assocaited with IP addressed initiating Faile Logon and affected user. \\nPlease note, Failed logons from known IP ranges can be benign depending on the conditional access policies. In case of noisy behavior, consider tuning the source IP ranges after careful consideration\",\"lastUpdatedDateUTC\":\"2024-08-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"BehaviorAnalytics\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"IdentityInfo\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fa118b98-de46-4e94-87f9-8e6d5060b60b\",\"name\":\"fa118b98-de46-4e94-87f9-8e6d5060b60b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MLBehaviorAnalytics\",\"properties\":{\"severity\":\"Medium\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Anomalous SSH Login Detection\",\"description\":\"This detection uses machine learning (ML) to identify anomalous Secure Shell (SSH) login activity, based on syslog data. Scenarios include:\\n\\n*\\tUnusual IP - This IP address has not or has rarely been seen in last 30 days.\\n*\\tUnusual Geo - The IP address, city, country and ASN have not (or rarely) been seen in last 30 days.\\n*\\tNew user - A new user logs in from an IP address and geo location, both or either of which are not expected to be seen in the last 30 days.\\n\\nAllow 7 days after this alert is enabled for Microsoft Sentinel to build a profile of normal activity for your environment.\\n\\nThis detection requires a specific configuration of the data source. [Learn more](https://docs.microsoft.com/en-us/azure/sentinel/connect-syslog#configure-the-syslog-connector-for-anomalous-ssh-login-detection)\\n\\nBy enabling this rule, you give Microsoft permission to copy ingested data outside of your Microsoft Sentinel workspace\u0027s geography as necessary for processing by the machine learning engine.\",\"lastUpdatedDateUTC\":\"2021-03-26T00:00:00Z\",\"createdDateUTC\":\"2019-08-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/188db479-d50a-4a9c-a041-644bae347d1f\",\"name\":\"188db479-d50a-4a9c-a041-644bae347d1f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"SecurityAlert \\n// Filtering alerts based on Microsoft product names and Relevent alert names\\n | where ProductName in ( \\\"Microsoft Cloud App Security\\\",\\\"Azure Active Directory Identity Protection\\\")\\n |where AlertName in (\\\"Multiple failed user log on attempts to an app\\\",\\\"Password Spray\\\")\\n// Parsing and extending the \u0027Entities\u0027 column as JSON objects\\n | extend Entities = parse_json(Entities) \\n// Exploring IP entities within the alert entities\\n | mv-apply Entity = Entities on \\n ( \\n where Entity.Type == \u0027ip\u0027 \\n | extend EntityIp = tostring(Entity.Address) \\n ) \\n// Exploring account entities within the alert entities\\n | mv-apply Entity = Entities on \\n ( \\n where Entity.Type == \u0027account\u0027 \\n | extend AccountObjectId = tostring(Entity.AadUserId)\\n )\\n// Filtering out alerts with missing IP or account information\\n | where isnotempty(EntityIp) and isnotempty(AccountObjectId)\\n// Summarizing relevant fields for further analysis\\n | summarize \\n by \\n AlertName,\\n ProductName,\\n ProviderName,\\n AlertSeverity,\\n EntityIp,\\n Tactics,\\n Techniques,\\n AlertTime= bin(TimeGenerated, 1min),\\n AccountObjectId,\\n AlertTimeGenerated=TimeGenerated\\n// Joining with IdentityInfo to obtain additional account details\\n | join kind=inner (\\n IdentityInfo\\n | where TimeGenerated \u003e= ago(1d)\\n | distinct AccountObjectId, AccountUPN=tolower(AccountUPN)\\n )\\n on AccountObjectId \\n |extend Name = tostring(split(AccountUPN,\u0027@\u0027)[0]), UPNSuffix =tostring(split(AccountUPN,\u0027@\u0027)[1])\\n// Joining with AWSCloudTrail data to correlate AWS console logins\\n | join kind=inner (\\n AWSCloudTrail\\n | where EventName == \\\"ConsoleLogin\\\"\\n | extend CTUPN= tolower(tostring(tolower(split(UserIdentityArn, \\\"/\\\", 2)[0])))\\n | extend ActionType= tostring(parse_json(ResponseElements).ConsoleLogin) \\n | where ActionType == \\\"Success\\\"\\n | extend AWSTime= bin(TimeGenerated, 1min)\\n | project\\n EventName,\\n EventSource,\\n EventTypeName,\\n RecipientAccountId,\\n ResponseElements,\\n SessionMfaAuthenticated,\\n SourceIpAddress,\\n TimeGenerated,\\n UserAgent,\\n UserIdentityArn,\\n UserIdentityType,\\n CTUPN,\\n AWSTime,\\n UserIdentityUserName\\n )\\n on $left.EntityIp == $right.SourceIpAddress \\n// Filtering login event after the Alert generation time\\n | where AlertTimeGenerated between ((AWSTime - 1h)..(AWSTime + 1h))\\n// Calculating the time difference between alert generation and AWS login\\n | extend timediff = datetime_diff(\u0027minute\u0027, AlertTimeGenerated, TimeGenerated) \\n// Filtering alerts with a time difference of up to 60 minutes\\n | where timediff \u003c= 60\",\"customDetails\":{\"AWSUser\":\"UserIdentityArn\",\"UserAgent\":\"UserAgent\",\"AWSUserUPN\":\"CTUPN\"},\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIpAddress\"}]}],\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"Successful AWS Console Login from IP Address Observed Conducting Password Spray\",\"description\":\"This query aims to detect instances of successful AWS console login events followed by multiple failed app logons alerts generated by Microsoft Cloud App Security or password spray alerts generated by Defender Products.\\n Specifically, it focuses on scenarios where the successful login takes place within a 60-minute timeframe of the high-severity alert. \\n The login is considered relevant if it originates from an IP address associated with potential attackers.\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2023-08-18T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"MicrosoftDefenderAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"AzureActiveDirectoryIdentityProtection\",\"dataTypes\":[\"SecurityAlert (IPC)\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"IdentityInfo\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b51fe620-62ad-4ed2-9d40-5c97c0a8231f\",\"name\":\"b51fe620-62ad-4ed2-9d40-5c97c0a8231f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"SecurityAlert \\n// Filtering alerts based on Microsoft product names\\n | where ProductName in (\\\"Microsoft 365 Defender\\\", \\\"Azure Active Directory\\\", \\\"Microsoft Defender Advanced Threat Protection\\\", \\\"Microsoft Cloud App Security\\\",\\\"Azure Active Directory Identity Protection\\\", \\\"Microsoft Defender ATP\\\")\\n// Narrowing down alerts to specific tactics\\n | where Tactics in(\\\"CredentialAccess\\\", \\\"InitialAccess\\\")\\n// Focusing on high-severity alerts\\n | where AlertSeverity == \\\"High\\\"\\n// Parsing and extending the \u0027Entities\u0027 column as JSON objects\\n | extend Entities = parse_json(Entities) \\n// Exploring IP entities within the alert entities\\n | mv-apply Entity = Entities on \\n ( \\n where Entity.Type == \u0027ip\u0027 \\n | extend EntityIp = tostring(Entity.Address) \\n ) \\n// Exploring account entities within the alert entities\\n | mv-apply Entity = Entities on \\n ( \\n where Entity.Type == \u0027account\u0027 \\n | extend AccountObjectId = tostring(Entity.AadUserId)\\n )\\n// Filtering out alerts with missing IP or account information\\n | where isnotempty(EntityIp) and isnotempty(AccountObjectId)\\n// Summarizing relevant fields for further analysis\\n | summarize \\n by \\n AlertName,\\n ProductName,\\n ProviderName,\\n AlertSeverity,\\n EntityIp,\\n Tactics,\\n Techniques,\\n AlertTime= bin(TimeGenerated, 1min),\\n AccountObjectId,\\n AlertTimeGenerated=TimeGenerated\\n// Joining with IdentityInfo to obtain additional account details\\n | join kind=inner (\\n IdentityInfo\\n | where TimeGenerated \u003e= ago(1d)\\n | distinct AccountObjectId, AccountUPN=tolower(AccountUPN)\\n )\\n on AccountObjectId \\n |extend Name = tostring(split(AccountUPN,\u0027@\u0027)[0]), UPNSuffix =tostring(split(AccountUPN,\u0027@\u0027)[1])\\n// Joining with AWSCloudTrail data to correlate AWS console logins\\n | join kind=inner (\\n AWSCloudTrail\\n | where EventName == \\\"ConsoleLogin\\\"\\n | extend CTUPN= tolower(tostring(tolower(split(UserIdentityArn, \\\"/\\\", 2)[0])))\\n | extend ActionType= tostring(parse_json(ResponseElements).ConsoleLogin) \\n | where ActionType == \\\"Success\\\"\\n | extend AWSTime= bin(TimeGenerated, 1min)\\n | project\\n EventName,\\n EventSource,\\n EventTypeName,\\n RecipientAccountId,\\n ResponseElements,\\n SessionMfaAuthenticated,\\n SourceIpAddress,\\n TimeGenerated,\\n UserAgent,\\n UserIdentityArn,\\n UserIdentityType,\\n CTUPN,\\n AWSTime,\\n UserIdentityUserName\\n )\\n on $left.EntityIp == $right.SourceIpAddress \\n// Filtering login event after the Alert generation time\\n | where AlertTimeGenerated \u003e= AWSTime\\n// Calculating the time difference between alert generation and AWS login\\n | extend timediff = datetime_diff(\u0027minute\u0027, AlertTimeGenerated, TimeGenerated) \\n// Filtering alerts with a time difference of up to 60 minutes\\n | where timediff between ((-60)..(60))\",\"customDetails\":{\"AWSUSerUPN\":\"CTUPN\",\"AzureUserUPN\":\"AccountUPN\",\"ComonIp\":\"SourceIpAddress\",\"UserAgent\":\"UserAgent\"},\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIpAddress\"}]}],\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"Suspicious AWS console logins by credential access alerts\",\"description\":\"This query aims to detect instances of successful AWS console logins that align with high-severity credential access or Initial Access alerts generated by Defender Products.\\n Specifically, it focuses on scenarios where the successful login takes place within a 60-minute timeframe of the high-severity alert. The login is considered relevant if it originates from an IP address associated with potential attackers.\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2023-08-18T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"OfficeATP\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"MicrosoftDefenderAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"AzureActiveDirectoryIdentityProtection\",\"dataTypes\":[\"SecurityAlert (IPC)\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"IdentityInfo\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cf3ede88-a429-493b-9108-3e46d3c741f7\",\"name\":\"cf3ede88-a429-493b-9108-3e46d3c741f7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.7\",\"severity\":\"Low\",\"query\":\"let timeRange = 2h;\\nlet authenticationWindow = 1h;\\nlet authenticationThreshold = 5;\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeRange)\\n| where EventID in (4624, 4625)\\n| where IpAddress != \\\"-\\\" and isnotempty(Account)\\n| extend Outcome = iff(EventID == 4624, \\\"Success\\\", \\\"Failure\\\")\\n// bin outcomes into 10 minute windows to reduce the volume of data\\n| summarize OutcomeCount=count() by bin(TimeGenerated, 10m), Account, IpAddress, Computer, Outcome\\n| project TimeGenerated, Account, IpAddress, Computer, Outcome, OutcomeCount\\n// sort ready for sessionizing - by account and time of the authentication outcome\\n| sort by TimeGenerated asc, Account, IpAddress, Computer, Outcome, OutcomeCount\\n| serialize\\n// sessionize into failure groupings until either the account changes or there is a success\\n| extend SessionStartedUtc = row_window_session(TimeGenerated, timeRange, authenticationWindow, Account != prev(Account) or prev(Outcome) == \\\"Success\\\")\\n// count the failures in each session\\n| summarize FailureCountBeforeSuccess=sumif(OutcomeCount, Outcome == \\\"Failure\\\"), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), make_list(Outcome, 128), make_set(Computer, 128), make_set(IpAddress, 128) by SessionStartedUtc, Account\\n// the session must not start with a success, and must end with one\\n| where array_index_of(list_Outcome, \\\"Success\\\") != 0\\n| where array_index_of(list_Outcome, \\\"Success\\\") == array_length(list_Outcome) - 1\\n| project-away SessionStartedUtc, list_Outcome\\n// where the number of failures before the success is above the threshold\\n| where FailureCountBeforeSuccess \u003e= authenticationThreshold\\n// expand out ip and computer for customer entity assignment\\n| mv-expand set_IpAddress, set_Computer\\n| extend IpAddress = tostring(set_IpAddress), Computer = tostring(set_Computer)\\n| extend timestamp=StartTime, NTDomain = split(Account, \u0027\\\\\\\\\u0027, 0)[0], Name = split(Account, \u0027\\\\\\\\\u0027, 1)[0], HostName = tostring(split(Computer, \u0027.\u0027, 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Computer, \u0027.\u0027), 1, -1), \u0027.\u0027))\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"NTDomain\",\"columnName\":\"NTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"SecurityEvent - Multiple authentication failures followed by a success\",\"description\":\"Identifies accounts who have failed to logon to the domain multiple times in a row, followed by a successful authentication within a short time frame. Multiple failed attempts followed by a success can be an indication of a brute force attempt or possible mis-configuration of a service account within an environment.\\nThe lookback is set to 2h and the authentication window and threshold are set to 1h and 5, meaning we need to see a minimum of 5 failures followed by a success for an account within 1 hour to surface an alert.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2020-04-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bf0cde21-0c41-48f6-a40c-6b5bd71fa106\",\"name\":\"bf0cde21-0c41-48f6-a40c-6b5bd71fa106\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.6\",\"severity\":\"Medium\",\"query\":\"// https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html \\nAWSGuardDuty \\n// Parse the finding\\n// https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-format.html \\n// Example: \\\"ThreatPurpose:ResourceTypeAffected/ThreatFamilyName.DetectionMechanism!Artifact\\\"\\n| extend findingTokens = split(ActivityType, \\\":\\\")\\n| extend ThreatPurpose=findingTokens[0], findingTokens=split(findingTokens[1], \\\"/\\\")\\n| extend ResourceTypeAffected=findingTokens[0], findingTokens= split(findingTokens[1], \\\".\\\")\\n| extend ThreatFamilyName=findingTokens[0], findingTokens=split(findingTokens[1], \\\"!\\\")\\n| extend DetectionMechanism=findingTokens[0], Artifact=findingTokens[1]\\n// Assign severity level\\n// https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html#guardduty_findings-severity\\n| extend Severity = \\n case (\\n Severity \u003e= 7.0, \\\"High\\\",\\n Severity between (4.0 .. 6.9), \\\"Medium\\\",\\n Severity between (1.0 .. 3.9), \\\"Low\\\",\\n \\\"Unknown\\\"\\n )\\n// Pull out any available resource details we can extract entities from. These may not exist in the alert.\\n// https://docs.aws.amazon.com/guardduty/latest/APIReference/API_Resource.html \\n// https://docs.aws.amazon.com/guardduty/latest/APIReference/API_AccessKeyDetails.html \\n// https://docs.aws.amazon.com/guardduty/latest/APIReference/API_RdsDbUserDetails.html \\n// https://docs.aws.amazon.com/guardduty/latest/APIReference/API_KubernetesDetails.html \\n| extend AccessKeyDetails=ResourceDetails.accessKeyDetails\\n| extend RdsDbUserDetails=ResourceDetails.rdsDbUserDetails\\n| extend KubernetesDetails=ResourceDetails.kubernetesDetails\\n// Pull out any available action details we can extract entities from. These may not exist in the alert.\\n// https://docs.aws.amazon.com/guardduty/latest/APIReference/API_Action.html \\n// https://docs.aws.amazon.com/guardduty/latest/APIReference/API_AwsApiCallAction.html \\n// https://docs.aws.amazon.com/guardduty/latest/APIReference/API_KubernetesApiCallAction.html \\n// https://docs.aws.amazon.com/guardduty/latest/APIReference/API_NetworkConnectionAction.html \\n// https://docs.aws.amazon.com/guardduty/latest/APIReference/API_RdsLoginAttemptAction.html \\n| extend ServiceAction = \\n case(\\n isnotempty(ServiceDetails.action.awsApiCallAction), ServiceDetails.action.awsApiCallAction,\\n isnotempty(ServiceDetails.action.kubernetesApiCallAction), ServiceDetails.action.kubernetesApiCallAction,\\n isnotempty(ServiceDetails.action.networkConnectionAction), ServiceDetails.action.networkConnectionAction,\\n isnotempty(ServiceDetails.action.rdsLoginAttemptAction), ServiceDetails.action.rdsLoginAttemptAction,\\n dynamic(null)\\n )\\n// The IPv4 remote address of the connection\\n// https://docs.aws.amazon.com/guardduty/latest/APIReference/API_RemoteIpDetails.html \\n// or\\n// The IP of the Kubernetes API caller and the IPs of any proxies or load balancers between the caller and the API endpoint \\n// https://docs.aws.amazon.com/guardduty/latest/APIReference/API_KubernetesApiCallAction.html \\n| extend RemoteIpAddress = \\n coalesce(\\n tostring(ServiceAction.remoteIpDetails.ipAddressV4),\\n tostring(parse_json(ServiceAction.sourceIPs)[0])\\n )\\n// The IPv4 local address of the connection\\n// https://docs.aws.amazon.com/guardduty/latest/APIReference/API_LocalIpDetails.html \\n| extend LocalIpAddress = ServiceAction.localIpDetails.ipAddressV4\\n// The AWS account ID of the remote API caller.\\n// https://docs.aws.amazon.com/guardduty/latest/APIReference/API_AwsApiCallAction.html \\n// https://docs.aws.amazon.com/guardduty/latest/APIReference/API_RemoteAccountDetails.html \\n| extend RemoteAWSAccountId = ServiceAction.remoteAccountDetails.accountId\\n// The IAM access key details (user information) of a user that engaged in the activity that prompted GuardDuty to generate a finding\\n// https://docs.aws.amazon.com/guardduty/latest/APIReference/API_AccessKeyDetails.html \\n| extend AccountUpn = \\n case(\\n AccessKeyDetails.userType == \\\"IAMUser\\\", AccessKeyDetails.userName,\\n AccessKeyDetails.userType == \\\"AssumedRole\\\", split(AccessKeyDetails.principalId, \\\":\\\", 1)[0],\\n isnotempty(RdsDbUserDetails.user), RdsDbUserDetails.user,\\n isnotempty(KubernetesDetails.kubernetesUserDetails.username), KubernetesDetails.kubernetesUserDetails.username,\\n \\\"\\\"\\n )\\n| extend AccountName = split(AccountUpn, \\\"@\\\", 0)[0]\\n| extend UPNSuffix = split(AccountUpn, \\\"@\\\", 1)[0]\\n// Clean up the output\\n| extend GuardDutyDetails =\\n bag_pack( \\n \\\"DetectorId\\\", ServiceDetails.detectorId,\\n \\\"Partition\\\", Partition,\\n \\\"Region\\\", Region\\n )\\n| extend FindingLink = \\n iff(\\n isnotempty(Region) and isnotempty(Id),\\n strcat(\\\"https://\\\", Region, \\\".console.aws.amazon.com/guardduty/home?region=\\\", Region, \\\"#/findings?fId=\\\", Id),\\n \\\"\\\"\\n )\\n| extend FindingLinkDescription = \\n iff(\\n isnotempty(FindingLink),\\n strcat(\\\"Link to GuardDuty finding (AWS): \\\", FindingLink),\\n \\\"\\\"\\n )\\n| project-rename \\n FindingArn=Arn,\\n FindingId=Id,\\n AWSAccountId=AccountId\\n| project-away \\n ActivityType, \\n findingTokens,\\n Partition,\\n Region, \\n SchemaVersion,\\n TimeGenerated,\\n Type\",\"customDetails\":{\"ThreatPurpose\":\"ThreatPurpose\",\"ResourceTypeAffected\":\"ResourceTypeAffected\",\"ThreatFamilyName\":\"ThreatFamilyName\",\"DetectionMechanism\":\"DetectionMechanism\",\"Artifact\":\"Artifact\"},\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"},{\"identifier\":\"ObjectGuid\",\"columnName\":\"RemoteAWSAccountId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"RemoteIpAddress\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"LocalIpAddress\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"FindingLink\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"{{Title}}\",\"alertDescriptionFormat\":\"{{Description}}\",\"alertTacticsColumnName\":\"ThreatPurpose\",\"alertSeverityColumnName\":\"Severity\"},\"displayName\":\"AWS Guard Duty Alert\",\"description\":\"Amazon GuardDuty is a threat detection service that continuously monitors your AWS accounts and workloads for malicious activity and delivers detailed security findings for visibility and remediation. This templates create an alert for each Amazon GuardDuty finding.\",\"lastUpdatedDateUTC\":\"2024-03-27T00:00:00Z\",\"createdDateUTC\":\"2021-11-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSGuardDuty\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/de58ee9e-b229-4252-8537-41a4c2f4045e\",\"name\":\"de58ee9e-b229-4252-8537-41a4c2f4045e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let file_ext_blocklist = dynamic([\u0027.ps1\u0027, \u0027.vbs\u0027, \u0027.bat\u0027, \u0027.scr\u0027]);\\nlet lbtime = 10m;\\nCisco_Umbrella\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027proxylogs\u0027\\n| where DvcAction =~ \u0027Allowed\u0027\\n| extend file_ext = extract(@\u0027.*(\\\\.\\\\w+)$\u0027, 1, UrlOriginal)\\n| extend Filename = extract(@\u0027.*\\\\/*\\\\/(.*\\\\.\\\\w+)$\u0027, 1, UrlOriginal)\\n| where file_ext in (file_ext_blocklist)\\n| project TimeGenerated, SrcIpAddr, Identities, Filename\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Identities\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Cisco Umbrella - Request to blocklisted file type\",\"description\":\"Detects request to potentially harmful file types (.ps1, .bat, .vbs, etc.).\",\"lastUpdatedDateUTC\":\"2023-12-29T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/88f453ff-7b9e-45bb-8c12-4058ca5e44ee\",\"name\":\"88f453ff-7b9e-45bb-8c12-4058ca5e44ee\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.3\",\"severity\":\"Medium\",\"query\":\"AzureActivity\\n| where CategoryValue =~ \u0027Administrative\u0027\\n| where ResourceProviderValue =~ \u0027Microsoft.ADHybridHealthService\u0027\\n| where _ResourceId has \u0027AdFederationService\u0027\\n| where OperationNameValue =~ \u0027Microsoft.ADHybridHealthService/services/servicemembers/action\u0027\\n| extend claimsJson = parse_json(Claims)\\n| extend AppId = tostring(claimsJson.appid), AccountName = tostring(claimsJson.name), Name = tostring(split(Caller,\u0027@\u0027,0)[0]), UPNSuffix = tostring(split(Caller,\u0027@\u0027,1)[0])\\n| project-away claimsJson\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Caller\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"CallerIpAddress\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Microsoft Entra ID Hybrid Health AD FS New Server\",\"description\":\"This detection uses AzureActivity logs (Administrative category) to identify the creation or update of a server instance in an Microsoft Entra ID Hybrid Health AD FS service.\\nA threat actor can create a new AD Health ADFS service and create a fake server instance to spoof AD FS signing logs. There is no need to compromise an on-premises AD FS server.\\nThis can be done programmatically via HTTP requests to Azure. More information in this blog: https://o365blog.com/post/hybridhealthagent/\",\"lastUpdatedDateUTC\":\"2024-03-04T00:00:00Z\",\"createdDateUTC\":\"2021-08-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/87890d78-3e05-43ec-9ab9-ba32f4e01250\",\"name\":\"87890d78-3e05-43ec-9ab9-ba32f4e01250\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.4.3\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet SecurityAlerts = SecurityAlert\\n| where TimeGenerated \u003e ago(dt_lookBack)\\n| extend domain = todynamic(dynamic_to_json(extract_all(@\\\"(((xn--)?[a-z0-9\\\\-]+\\\\.)+([a-z]+|(xn--[a-z0-9]+)))\\\", dynamic([1]), tolower(Entities))))\\n| where isnotempty(domain)\\n| mv-expand domain\\n| extend domain = tostring(domain)\\n| extend EntitiesDynamicArray = parse_json(Entities)\\n| mv-apply EntitiesDynamicArray on\\n (summarize\\n HostName = take_anyif(tostring(EntitiesDynamicArray.HostName), EntitiesDynamicArray.Type == \\\"host\\\"),\\n IP_addr = take_anyif(tostring(EntitiesDynamicArray.Address), EntitiesDynamicArray.Type == \\\"ip\\\")\\n )\\n| extend Alert_TimeGenerated = TimeGenerated\\n| extend Alert_Description = Description;\\nlet AlertDomains = SecurityAlerts\\n| distinct domain\\n| summarize make_list(domain);\\nlet Domain_Indicators = materialize(ThreatIntelligenceIndicator\\n| where isnotempty(DomainName)\\n| where TimeGenerated \u003e= ago(ioc_lookBack)\\n| extend TI_DomainEntity = tolower(DomainName)\\n| where TI_DomainEntity in (AlertDomains)\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true and ExpirationDateTime \u003e now()\\n| where Description !contains_cs \\\"State: inactive;\\\" and Description !contains_cs \\\"State: falsepos;\\\");\\nDomain_Indicators\\n// Using innerunique to keep performance fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (SecurityAlerts) on $left.TI_DomainEntity == $right.domain\\n| where Alert_TimeGenerated \u003c ExpirationDateTime\\n| summarize Alert_TimeGenerated = arg_max(Alert_TimeGenerated, *) by IndicatorId, AlertName\\n| project Alert_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DomainName, AlertName, Alert_Description, ProviderName, AlertSeverity, ConfidenceLevel, HostName, IP_addr, Url, Entities, Type, TI_DomainEntity\\n| extend timestamp = Alert_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IP_addr\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"TI map Domain entity to SecurityAlert\",\"description\":\"Identifies a match in SecurityAlert table from any Domain IOC from TI\",\"lastUpdatedDateUTC\":\"2024-07-09T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"MicrosoftCloudAppSecurity\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ca67c83e-7fff-4127-a3e3-1af66d6d4cad\",\"name\":\"ca67c83e-7fff-4127-a3e3-1af66d6d4cad\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.4\",\"severity\":\"Medium\",\"query\":\"let ProcessCreationEvents=(union isfuzzy=true\\n(SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName,\\nFileName = Process, CommandLine, ParentProcessName\\n),\\n(WindowsEvent\\n| where EventID==4688\\n| where EventData has \\\"TVqQAAMAAAAEAAA\\\"\\n| extend CommandLine = tostring(EventData.CommandLine)\\n| where isnotempty(CommandLine)\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName,\\nFileName = Process, CommandLine, ParentProcessName));\\nProcessCreationEvents\\n| where CommandLine contains \\\"TVqQAAMAAAAEAAA\\\"\\n| extend HostName = iif(Computer has \u0027.\u0027,substring(Computer,0,indexof(Computer,\u0027.\u0027)),Computer) , DnsDomain = iif(Computer has \u0027.\u0027,substring(Computer,indexof(Computer,\u0027.\u0027)+1),\u0027\u0027)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"Account\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]}],\"tactics\":[\"Execution\",\"DefenseEvasion\"],\"displayName\":\"Base64 encoded Windows process command-lines\",\"description\":\"Identifies instances of a base64-encoded PE file header seen in the process command line parameter.\",\"lastUpdatedDateUTC\":\"2024-03-13T00:00:00Z\",\"createdDateUTC\":\"2018-09-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4b11568b-3f5f-4ba1-80c8-7f1dc8390eb7\",\"name\":\"4b11568b-3f5f-4ba1-80c8-7f1dc8390eb7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.4\",\"severity\":\"Medium\",\"query\":\"// Define a threshold for significant deviations\\nlet threshold = 25;\\n// Define the name for the SharePoint File Operation record type\\nlet szSharePointFileOperation = \\\"SharePointFileOperation\\\";\\n// Define an array of SharePoint operations of interest\\nlet szOperations = dynamic([\\\"FileDownloaded\\\", \\\"FileUploaded\\\"]);\\n// Define the start and end time for the analysis period\\nlet starttime = 14d;\\nlet endtime = 1d;\\n// Define a baseline of normal user behavior\\nlet userBaseline = OfficeActivity\\n| where TimeGenerated between(ago(starttime)..ago(endtime))\\n| where RecordType =~ szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| where isnotempty(UserAgent)\\n| summarize Count = count() by UserId, Operation, Site_Url, ClientIP\\n| summarize AvgCount = avg(Count) by UserId, Operation, Site_Url, ClientIP;\\n// Get recent user activity\\nlet recentUserActivity = OfficeActivity\\n| where TimeGenerated \u003e ago(endtime)\\n| where RecordType =~ szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| where isnotempty(UserAgent)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), RecentCount = count() by UserId, UserType, Operation, Site_Url, ClientIP, OfficeObjectId, OfficeWorkload, UserAgent;\\n// Join the baseline and recent activity, and calculate the deviation\\nlet UserBehaviorAnalysis = userBaseline | join kind=inner (recentUserActivity) on UserId, Operation, Site_Url, ClientIP\\n| extend Deviation = abs(RecentCount - AvgCount) / AvgCount;\\n// Filter for significant deviations\\nUserBehaviorAnalysis\\n| where Deviation \u003e threshold\\n| project StartTimeUtc, EndTimeUtc, UserId, UserType, Operation, ClientIP, Site_Url, OfficeObjectId, OfficeWorkload, UserAgent, Deviation, Count=RecentCount\\n| order by Count desc, ClientIP asc, Operation asc, UserId asc\\n| extend AccountName = tostring(split(UserId, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(UserId, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserId\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Site_Url\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"SharePointFileOperation via previously unseen IPs\",\"description\":\"Identifies anomalies using user behavior by setting a threshold for significant changes in file upload/download activities from new IP addresses. It establishes a baseline of typical behavior, compares it to recent activity, and flags deviations exceeding a default threshold of 25.\",\"lastUpdatedDateUTC\":\"2024-03-14T00:00:00Z\",\"createdDateUTC\":\"2019-08-23T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/23de46ea-c425-4a77-b456-511ae4855d69\",\"name\":\"23de46ea-c425-4a77-b456-511ae4855d69\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.3\",\"severity\":\"Low\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\n// The number of operations above which an IP address is considered an unusual source of role assignment operations\\nlet alertOperationThreshold = 5;\\n// Add or remove operation names below as per your requirements. For operations lists, please refer to https://learn.microsoft.com/en-us/Azure/role-based-access-control/resource-provider-operations#all\\nlet SensitiveOperationList = dynamic([\\\"microsoft.compute/snapshots/write\\\", \\\"microsoft.network/networksecuritygroups/write\\\", \\\"microsoft.storage/storageaccounts/listkeys/action\\\"]);\\nlet SensitiveActivity = AzureActivity\\n| where OperationNameValue in~ (SensitiveOperationList) or OperationNameValue hassuffix \\\"listkeys/action\\\"\\n| where ActivityStatusValue =~ \\\"Success\\\";\\nSensitiveActivity\\n| where TimeGenerated between (ago(starttime) .. ago(endtime))\\n| summarize count() by CallerIpAddress, Caller, OperationNameValue, bin(TimeGenerated,1d)\\n| where count_ \u003e= alertOperationThreshold\\n// Returns all the records from the right side that don\u0027t have matches from the left\\n| join kind = rightanti (\\nSensitiveActivity\\n| where TimeGenerated \u003e= ago(endtime)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = make_list(TimeGenerated), ActivityStatusValue = make_list(ActivityStatusValue), CorrelationIds = make_list(CorrelationId), ResourceGroups = make_list(ResourceGroup), ResourceIds = make_list(_ResourceId), ActivityCountByCallerIPAddress = count()\\nby CallerIpAddress, Caller, OperationNameValue\\n| where ActivityCountByCallerIPAddress \u003e= alertOperationThreshold\\n) on CallerIpAddress, Caller, OperationNameValue\\n| extend Name = tostring(split(Caller,\u0027@\u0027,0)[0]), UPNSuffix = tostring(split(Caller,\u0027@\u0027,1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Caller\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"CallerIpAddress\"}]}],\"tactics\":[\"CredentialAccess\",\"Persistence\"],\"displayName\":\"Rare subscription-level operations in Azure\",\"description\":\"This query looks for a few sensitive subscription-level events based on Azure Activity Logs. For example, this monitors for the operation name \u0027Create or Update Snapshot\u0027, which is used for creating backups but could be misused by attackers to dump hashes or extract sensitive information from the disk.\",\"lastUpdatedDateUTC\":\"2024-01-08T00:00:00Z\",\"createdDateUTC\":\"2019-08-23T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1218175f-c534-421c-8070-5dcaabf28067\",\"name\":\"1218175f-c534-421c-8070-5dcaabf28067\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Low\",\"query\":\"let threshold = 3;\\nZoomLogs\\n| where Event =~ \\\"chat_message.sent\\\"\\n| extend Channel = tostring(parse_json(ChatEvents).Channel)\\n| extend Message = tostring(parse_json(ChatEvents).Message)\\n| where Message matches regex \\\"http(s?):\\\\\\\\/\\\\\\\\/\\\"\\n| summarize Channels = makeset(Channel), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Message, User, UserId\\n| extend ChannelCount = arraylength(Channels)\\n| where ChannelCount \u003e threshold\\n| extend AccountName = tostring(split(User, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(User, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"User\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]}],\"tactics\":[\"Reconnaissance\"],\"displayName\":\"Suspicious link sharing pattern\",\"description\":\"Alerts in links that have been shared across multiple Zoom chat channels by the same user in a short space if time.\\nAdjust the threshold figure to change the number of channels a message needs to be posted in before an alert is raised.\",\"lastUpdatedDateUTC\":\"2024-07-15T00:00:00Z\",\"createdDateUTC\":\"2020-04-24T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0ed0fe7c-af29-4990-af7f-bb5ccb231198\",\"name\":\"0ed0fe7c-af29-4990-af7f-bb5ccb231198\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"High\",\"query\":\"AuditLogs\\n | where Category =~ \\\"RoleManagement\\\"\\n | where OperationName =~ \\\"Update role setting in PIM\\\"\\n | extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n | extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n | extend InitiatingIPAddress = tostring(InitiatedBy.user.ipAddress)\\n | extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[1])\\n | project-reorder TimeGenerated, OperationName, ResultReason, InitiatingUserPrincipalName, InitiatingAadUserId, InitiatingIPAddress, InitiatingAccountName, InitiatingAccountUPNSuffix\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatingAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatingAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIPAddress\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Changes to PIM Settings\",\"description\":\"PIM provides a key mechanism for assigning privileges to accounts, this query detects changes to PIM role settings.\\n Monitor these changes to ensure they are being made legitimately and don\u0027t confer more privileges than expected or reduce the security of a PIM elevation.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d1aba9a3-5ab1-45ef-8ed4-da57dc3c0d32\",\"name\":\"d1aba9a3-5ab1-45ef-8ed4-da57dc3c0d32\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT30M\",\"queryPeriod\":\"PT30M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let lbtime = 30m;\\nlet msgthreshold = 3;\\nlet msgszthreshold = 3000000;\\nProofpointPOD\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027outbound\u0027\\n| where NetworkBytes \u003e msgszthreshold\\n| summarize count() by SrcUserUpn, DstUserUpn\\n| where count_ \u003e msgthreshold\\n| extend AccountCustomEntity = SrcUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"ProofpointPOD - Multiple large emails to the same recipient\",\"description\":\"Detects when multiple emails with large size where sent to the same recipient.\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0625fcce-6d52-491e-8c68-1d9b801d25b9\",\"name\":\"0625fcce-6d52-491e-8c68-1d9b801d25b9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Low\",\"query\":\"Event\\n| where EventLog =~ \\\"Application\\\"\\n| where Source startswith \\\"MSExchange\\\"\\n| where EventLevelName =~ \\\"error\\\"\\n| where (RenderedDescription startswith \\\"Watson report\\\" and RenderedDescription contains \\\"umworkerprocess\\\" and RenderedDescription contains \\\"TextFormattingRunProperties\\\") or RenderedDescription startswith \\\"An unhandled exception occurred in a UM worker process\\\" or RenderedDescription startswith \\\"The Microsoft Exchange Unified Messaging service\\\" or RenderedDescription contains \\\"MSExchange Unified Messaging\\\"\\n| where RenderedDescription !contains \\\"System.OutOfMemoryException\\\"\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| project-away DomainIndex\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Silk Typhoon Suspicious UM Service Error\",\"description\":\"This query looks for errors that may indicate that an attacker is attempting to exploit a vulnerability in the service. \\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2021-03-02T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/eda260eb-f4a1-4379-ad98-452604da9b3e\",\"name\":\"eda260eb-f4a1-4379-ad98-452604da9b3e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"let eventsThreshold = 20;\\nCommonSecurityLog\\n| where isnotempty(RequestURL)\\n| project TimeGenerated, RequestURL, RequestMethod, SourceIP, SourceHostName\\n| evaluate sequence_detect(TimeGenerated, 5s, 8s, login=(RequestURL has \\\"login.microsoftonline.com/consumers/oauth2/v2.0/token\\\"), graph=(RequestURL has \\\"graph.microsoft.com/v1.0/me/drive/\\\"), SourceIP, SourceHostName)\\n| summarize Events=count() by SourceIP, SourceHostName\\n| where Events \u003e= eventsThreshold\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"SourceHostName\"}]}],\"tactics\":[\"Exfiltration\",\"CommandAndControl\"],\"displayName\":\"CreepyDrive request URL sequence\",\"description\":\"CreepyDrive uses OneDrive for command and control, however, it makes regular requests to predicatable paths.\\nThis detecton will alert when over 20 sequences are observed in a single day.\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2022-05-31T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d722831e-88f5-4e25-b106-4ef6e29f8c13\",\"name\":\"d722831e-88f5-4e25-b106-4ef6e29f8c13\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P8D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.5\",\"severity\":\"Low\",\"query\":\"// a threshold can be enabled, see commented line below for PrevSeenCount\\nlet threshold = 2;\\nlet uploadOp = \u0027FileUploaded\u0027;\\n// Extensions that are interesting. Add/Remove to this list as you see fit\\nlet execExt = dynamic([\u0027exe\u0027, \u0027inf\u0027, \u0027gzip\u0027, \u0027cmd\u0027, \u0027bat\u0027]);\\nlet starttime = 8d;\\nlet endtime = 1d;\\nOfficeActivity | where TimeGenerated \u003e= ago(endtime)\\n// Limited to File Uploads due to potential noise, comment out the Operation statement below to include any operation type\\n// Additional, but potentially noisy operation types that include Uploads and Downloads can be included by adding the following - Operation contains \\\"upload\\\" or Operation contains \\\"download\\\"\\n| where Operation =~ uploadOp\\n| where SourceFileExtension has_any (execExt)\\n| project TimeGenerated, OfficeId, OfficeWorkload, RecordType, Operation, UserType, UserKey, UserId, ClientIP, UserAgent, Site_Url, SourceRelativeUrl, SourceFileName\\n| join kind= leftanti (\\nOfficeActivity | where TimeGenerated between (ago(starttime) .. ago(endtime))\\n| where Operation =~ uploadOp\\n| where SourceFileExtension has_any (execExt)\\n| summarize SourceRelativeUrl = make_set(SourceRelativeUrl, 100000), UserId = make_set(UserId, 100000) , PrevSeenCount = count() by SourceFileName\\n// To exclude previous matches when only above a specific count, change threshold above and uncomment the line below\\n//| where PrevSeenCount \u003e threshold\\n| mvexpand SourceRelativeUrl, UserId\\n| extend SourceRelativeUrl = tostring(SourceRelativeUrl), UserId = tostring(UserId)\\n) on SourceFileName, SourceRelativeUrl, UserId\\n| extend SiteUrlUserFolder = tolower(split(Site_Url, \u0027/\u0027)[-2])\\n| extend UserIdUserFolderFormat = tolower(replace_regex(UserId, \u0027@|\\\\\\\\.\u0027, \u0027_\u0027))\\n// identify when UserId is not a match to the specific site url personal folder reference\\n| extend UserIdDiffThanUserFolder = iff(Site_Url has \u0027/personal/\u0027 and SiteUrlUserFolder != UserIdUserFolderFormat, true , false )\\n| summarize TimeGenerated = make_list(TimeGenerated, 100000), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated),\\nUserAgents = make_list(UserAgent, 100000), OfficeIds = make_list(OfficeId, 100000), SourceRelativeUrls = make_list(SourceRelativeUrl, 100000), FileNames = make_list(SourceFileName, 100000)\\nby OfficeWorkload, RecordType, Operation, UserType, UserKey, UserId, ClientIP, Site_Url, SiteUrlUserFolder, UserIdUserFolderFormat, UserIdDiffThanUserFolder\\n| extend AccountName = tostring(split(UserId, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(UserId, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserId\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Site_Url\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"FileNames\"}]}],\"tactics\":[\"CommandAndControl\",\"LateralMovement\"],\"displayName\":\"New executable via Office FileUploaded Operation\",\"description\":\"Identifies when executable file types are uploaded to Office services such as SharePoint and OneDrive.\\nList currently includes \u0027exe\u0027, \u0027inf\u0027, \u0027gzip\u0027, \u0027cmd\u0027, \u0027bat\u0027 file extensions.\\nAdditionally, identifies when a given user is uploading these files to another users workspace.\\nThis may be indication of a staging location for malware or other malicious activity.\",\"lastUpdatedDateUTC\":\"2024-03-14T00:00:00Z\",\"createdDateUTC\":\"2020-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity (SharePoint)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/643c2025-9604-47c5-833f-7b4b9378a1f5\",\"name\":\"643c2025-9604-47c5-833f-7b4b9378a1f5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"Medium\",\"query\":\"//Adjust this threshold to fit your environment\\nlet signin_threshold = 5;\\n//Make a list of IPs with AAD signin failures above our threshold\\nlet aadFunc = (tableName:string){\\nlet Suspicious_signins =\\ntable(tableName)\\n| where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n| where IPAddress !in (\\\"127.0.0.1\\\", \\\"::1\\\")\\n| summarize count() by IPAddress\\n| where count_ \u003e signin_threshold\\n| summarize make_set(IPAddress);\\nSuspicious_signins\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nlet Suspicious_signins =\\nunion isfuzzy=true aadSignin, aadNonInt\\n| summarize make_set(set_IPAddress);\\n//See if any of those IPs have sucessfully logged into the AWS console\\nAWSCloudTrail\\n| where EventName =~ \\\"ConsoleLogin\\\"\\n| extend LoginResult = tostring(parse_json(ResponseElements).ConsoleLogin)\\n| where LoginResult =~ \\\"Success\\\"\\n| where SourceIpAddress in (Suspicious_signins)\\n| extend Reason = \\\"Multiple failed AAD logins from IP address\\\"\\n| extend MFAUsed = tostring(parse_json(AdditionalEventData).MFAUsed)\\n| extend UserIdentityArn = iif(isempty(UserIdentityArn), tostring(parse_json(Resources)[0].ARN), UserIdentityArn)\\n| extend UserName = tostring(split(UserIdentityArn, \u0027/\u0027)[-1])\\n| extend AccountName = case( UserIdentityPrincipalid == \\\"Anonymous\\\", \\\"Anonymous\\\", isempty(UserIdentityUserName), UserName, UserIdentityUserName)\\n| extend AccountName = iif(AccountName contains \\\"@\\\", tostring(split(AccountName, \u0027@\u0027, 0)[0]), AccountName),\\n AccountUPNSuffix = iif(AccountName contains \\\"@\\\", tostring(split(AccountName, \u0027@\u0027, 1)[0]), \\\"\\\")\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Reason, LoginResult, EventTypeName, UserIdentityType, RecipientAccountId, AccountName, AccountUPNSuffix, AWSRegion, SourceIpAddress, UserAgent, MFAUsed\\n| extend timestamp = StartTime\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"},{\"identifier\":\"CloudAppAccountId\",\"columnName\":\"RecipientAccountId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIpAddress\"}]}],\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"Failed AzureAD logons but success logon to AWS Console\",\"description\":\"Identifies a list of IP addresses with a minimum number (defualt of 5) of failed logon attempts to Microsoft Entra ID.\\nUses that list to identify any successful AWS Console logons from these IPs within the same timeframe.\",\"lastUpdatedDateUTC\":\"2023-11-24T00:00:00Z\",\"createdDateUTC\":\"2019-08-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/75ea5c39-93e5-489b-b1e1-68fa6c9d2d04\",\"name\":\"75ea5c39-93e5-489b-b1e1-68fa6c9d2d04\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"let threshold = 3;\\nlet aadFunc = (tableName:string){\\ntable(tableName)\\n| where ResultType == \\\"50057\\\"\\n| where ResultDescription =~ \\\"User account is disabled. The account has been disabled by an administrator.\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), applicationCount = dcount(AppDisplayName),\\napplicationSet = make_set(AppDisplayName), count() by UserPrincipalName, IPAddress, Type\\n| where applicationCount \u003e= threshold\\n| extend Name = tostring(split(UserPrincipalName,\u0027@\u0027,0)[0]), UPNSuffix = tostring(split(UserPrincipalName,\u0027@\u0027,1)[0])\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Attempts to sign in to disabled accounts\",\"description\":\"Identifies failed attempts to sign in to disabled accounts across multiple Azure Applications.\\nDefault threshold for Azure Applications attempted to sign in to is 3.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50057 - User account is disabled. The account has been disabled by an administrator.\",\"lastUpdatedDateUTC\":\"2024-01-06T00:00:00Z\",\"createdDateUTC\":\"2019-02-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/09551db0-e147-4a0c-9e7b-918f88847605\",\"name\":\"09551db0-e147-4a0c-9e7b-918f88847605\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"High\",\"query\":\"let tokens = dynamic([\\\"SSL_HandShaking\\\", \\\"ASN2_TYPE_new\\\", \\\"sql_blob_open\\\", \\\"cmsSetLogHandlerTHR\\\", \\\"ntSystemInfo\\\", \\\"SetWebFilterString\\\", \\\"CleanupBrokerString\\\", \\\"glInitSampler\\\", \\\"deflateSuffix\\\", \\\"ntWindowsProc\\\"]);\\nlet DomainNames = dynamic([\u0027codevexillium.org\u0027, \u0027angeldonationblog.com\u0027, \u0027investbooking.de\u0027, \u0027krakenfolio.com\u0027]);\\nlet SHA256Hash = dynamic([\u002758a74dceb2022cd8a358b92acd1b48a5e01c524c3b0195d7033e4bd55eff4495\u0027,\u0027e0e59bfc22876c170af65dcbf19f744ae560cc43b720b23b9d248f4505c02f3e\u0027,\u00273d3195697521973efe0097a320cbce0f0f98d29d50e044f4505e1fbc043e8cf9\u0027, \u00270a2d81164d524be7022ba8fd4e1e8e01bfd65407148569d172e2171b5cd76cd4\u0027, \u002796d7a93f6691303d39a9cc270b8814151dfec5683e12094537fd580afdf2e5fe\u0027,\u0027dc4cf164635db06b2a0b62d313dbd186350bca6fc88438617411a68df13ec83c\u0027, \u002746efd5179e43c9cbf07dcec22ce0d5527e2402655aee3afc016e5c260650284a\u0027, \u002795e42a94d4df1e7e472998f43b9879eb34aaa93f3705d7d3ef9e3b97349d7008\u0027, \u00279d5320e883264a80ea214077f44b1d4b22155446ad5083f4b27d2ab5bd127ef5\u0027, \u00279fd05063ad203581a126232ac68027ca731290d17bd43b5d3311e8153c893fe3\u0027, \u0027ada7e80c9d09f3efb39b729af238fcdf375383caaf0e9e0aed303931dc73b720\u0027, \u0027edb1597789c7ed784b85367a36440bf05267ac786efe5a4044ec23e490864cee\u0027, \u002733665ce1157ddb7cd7e905e3356b39245dfba17b7a658bdbf02b6968656b9998\u0027, \u00273ab770458577eb72bd6239fe97c35e7eb8816bce5a4b47da7bd0382622854f7c\u0027, \u0027b630ad8ffa11003693ce8431d2f1c6b8b126cd32b657a4bfa9c0dbe70b007d6c\u0027, \u002753f3e55c1217dafb8801af7087e7d68b605e2b6dde6368fceea14496c8a9f3e5\u0027, \u002799c95b5272c5b11093eed3ef2272e304b7a9311a22ff78caeb91632211fcb777\u0027, \u0027f21abadef52b4dbd01ad330efb28ef50f8205f57916a26daf5de02249c0f24ef\u0027, \u00272cbdea62e26d06080d114bbd922d6368807d7c6b950b1421d0aa030eca7e85da\u0027, \u0027079659fac6bd9a1ce28384e7e3a465be4380acade3b4a4a4f0e67fd0260e9447\u0027]);\\nlet SigNames = dynamic([\\\"Backdoor:Script/ComebackerCompile.A!dha\\\", \\\"Trojan:Win64/Comebacker.A!dha\\\", \\\"Trojan:Win64/Comebacker.A.gen!dha\\\", \\\"Trojan:Win64/Comebacker.B.gen!dha\\\", \\\"Trojan:Win32/Comebacker.C.gen!dha\\\", \\\"Trojan:Win32/Klackring.A!dha\\\", \\\"Trojan:Win32/Klackring.B!dha\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where isnotempty(FileHash)\\n| where FileHash in~ (SHA256Hash) or DNSName in~ (DomainNames)\\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n| project Type, TimeGenerated, Computer, Account, IPAddress, FileHash, DNSName\\n),\\n(_Im_Dns(domain_has_any=DomainNames)\\n| extend DNSName = DnsQuery\\n| extend Type = \\\"imDns\\\", IPAddress = SrcIpAddr, Computer=Dvc\\n| project Type, TimeGenerated, Computer, IPAddress, DNSName\\n),\\n(VMConnection\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where isnotempty(DNSName)\\n| where DNSName in~ (DomainNames)\\n| extend IPAddress = RemoteIp\\n| project Type, TimeGenerated, Computer, IPAddress, DNSName\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updataing\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Hashes = EventDetail.[16].[\\\"#text\\\"]\\n| where isnotempty(Hashes)\\n| parse Hashes with * \u0027SHA256=\u0027 SHA256 \u0027,\u0027 * \\n| where SHA256 in~ (SHA256Hash) \\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = Hashes\\n| project Type, TimeGenerated, Computer, Account, FileHash\\n),\\n(DeviceFileEvents\\n| where SHA256 in~ (SHA256Hash)\\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = SHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(imFileEvent\\n| where TargetFileSHA256 in~ (SHA256Hash)\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(DeviceNetworkEvents\\n| where RemoteUrl in~ (DomainNames)\\n| extend Computer = DeviceName, IPAddress = LocalIP, Account = InitiatingProcessAccountName\\n| project Type, TimeGenerated, Computer, Account, IPAddress, RemoteUrl\\n),\\n(SecurityAlert\\n| where ProductName == \\\"Microsoft Defender Advanced Threat Protection\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| where isnotempty(ThreatName)\\n| where ThreatName has_any (SigNames)\\n| extend Computer = tostring(parse_json(Entities)[0].HostName) \\n| project Type, TimeGenerated, Computer\\n),\\n(DeviceProcessEvents\\n| where FileName =~ \\\"powershell.exe\\\" or FileName =~ \\\"rundll32.exe\\\"\\n| where (ProcessCommandLine has \\\"is64bitoperatingsystem\\\" and ProcessCommandLine has \\\"Debug\\\\\\\\Browse\\\") or (ProcessCommandLine has_any (tokens))\\n| extend Computer = DeviceName, Account = AccountName, CommandLine = ProcessCommandLine\\n| project Type, TimeGenerated, Computer, Account, CommandLine, FileName\\n),\\n(SecurityEvent\\n| where EventID == 4688\\n| where ProcessName has_any (\\\"powershell.exe\\\", \\\"rundll32.exe\\\")\\n| where (CommandLine has \\\"is64bitoperatingsystem\\\" and CommandLine has \\\"Debug\\\\\\\\Browse\\\") or (CommandLine has_any (tokens))\\n| project Type, TimeGenerated, Computer, Account, ProcessName, CommandLine \\n),\\n( WindowsEvent\\n| where EventID == 4688\\n| where EventData has_any (\\\"powershell.exe\\\", \\\"rundll32.exe\\\") and EventData has_any (tokens, \\\"Debug\\\\\\\\Browse\\\",\\\"is64bitoperatingsystem\\\" ) \\n| extend ProcessName = tostring(EventData.ProcessName)\\n| where ProcessName has_any (\\\"powershell.exe\\\", \\\"rundll32.exe\\\")\\n| extend CommandLine = tostring(EventData.CommandLine) \\n| where (CommandLine has \\\"is64bitoperatingsystem\\\" and CommandLine has \\\"Debug\\\\\\\\Browse\\\") or (CommandLine has_any (tokens))\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| project Type, TimeGenerated, Computer, Account, ProcessName, CommandLine \\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPAddress = SourceHost\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| project TimeGenerated,Resource, msg_s, Type\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where Request_Name has_any (DomainNames)\\n| extend DNSName = Request_Name\\n| extend IPAddress = ClientIP\\n),\\n(AZFWApplicationRule\\n| where isnotempty(Fqdn)\\n| where Fqdn has_any (DomainNames)\\n| extend DNSName = Fqdn \\n| extend IPAddress = SourceIp\\n),\\n(AZFWDnsQuery\\n| where QueryName has_any (DomainNames)\\n| extend DNSName = QueryName\\n| extend IPAddress = SourceIp\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"Execution\"],\"displayName\":\"[Deprecated] - Known Diamond Sleet Comebacker and Klackring malware hashes\",\"description\":\"This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft\u0027s Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2021-01-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\",\"AZFWApplicationRule\",\"AZFWDnsQuery\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2149d9bb-8298-444c-8f99-f7bf0274dd05\",\"name\":\"2149d9bb-8298-444c-8f99-f7bf0274dd05\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/SEABORGIUMIOC.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet DomainNames = (iocs | where Type =~ \\\"domainname\\\"| project IoC);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 *\\n| where DNSName in~ (DomainNames)\\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = DestinationIP\\n),\\n(_Im_Dns (domain_has_any=DomainNames)\\n| extend DNSName = DnsQuery\\n| extend IPAddress = SrcIpAddr, Computer = Dvc\\n),\\n(_Im_WebSession (url_has_any=DomainNames)\\n| extend DNSName = tostring(parse_url(Url)[\\\"Host\\\"])\\n| extend IPAddress = SrcIpAddr, Computer = Dvc\\n),\\n(VMConnection\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where DNSName in~ (DomainNames)\\n| extend IPAddress = RemoteIp\\n),\\n(DeviceNetworkEvents\\n| where RemoteUrl has_any (DomainNames)\\n| extend IPAddress = RemoteIP\\n| extend Computer = DeviceName\\n),\\n(EmailUrlInfo\\n| where Url has_any (DomainNames)\\n| join (EmailEvents\\n| where EmailDirection == \\\"Inbound\\\" ) on NetworkMessageId\\n| extend IPAddress = SenderIPv4\\n| extend Account = RecipientEmailAddress\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames)\\n| extend DNSName = DestinationHost\\n| extend IPAddress = SourceHost\\n)\\n)\\n| extend AccountName = tostring(split(Account, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(Account, \\\"@\\\")[1])\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| extend AccountName = tostring(split(Account, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(Account, \\\"@\\\")[1])\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Star Blizzard C2 Domains August 2022\",\"description\":\"Identifies a match across various data feeds for domains related to an actor tracked by Microsoft as Star Blizzard.\",\"lastUpdatedDateUTC\":\"2024-06-25T00:00:00Z\",\"createdDateUTC\":\"2022-07-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"EmailUrlInfo\",\"EmailEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d82eb796-d1eb-43c8-a813-325ce3417cef\",\"name\":\"d82eb796-d1eb-43c8-a813-325ce3417cef\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"High\",\"query\":\"union isfuzzy=true\\n (DeviceFileEvents\\n | where ActionType == \\\"FileCreated\\\"\\n | where FileName endswith \\\".h0lyenc\\\" or FolderPath == \\\"C:\\\\\\\\FOR_DECRYPT.html\\\"\\n | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated)\\n by\\n AccountName = InitiatingProcessAccountName, AccountDomain = InitiatingProcessAccountDomain,\\n DeviceName,\\n Type,\\n InitiatingProcessId,\\n FileName,\\n FolderPath,\\n EventType = ActionType,\\n Commandline = InitiatingProcessCommandLine,\\n InitiatingProcessFileName,\\n InitiatingProcessSHA256,\\n FileHashCustomEntity = SHA256,\\n AlgorithmCustomEntity = \\\"SHA256\\\"\\n | extend HostName = tostring(split(DeviceName, \\\".\\\")[0]), DomainIndex = toint(indexof(DeviceName, \u0027.\u0027))\\n | extend HostNameDomain = iff(DomainIndex != -1, substring(DeviceName, DomainIndex + 1), DeviceName)\\n ),\\n (imFileEvent\\n | where EventType == \\\"FileCreated\\\"\\n | where TargetFilePath endswith \\\".h0lyenc\\\" or TargetFilePath == \\\"C:\\\\\\\\FOR_DECRYPT.html\\\"\\n | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated)\\n by\\n ActorUsername,\\n DvcHostname,\\n DvcDomain,\\n DvcId,\\n Type,\\n EventType,\\n FileHashCustomEntity = TargetFileSHA256,\\n Hash,\\n TargetFilePath,\\n Commandline = ActingProcessCommandLine,\\n AlgorithmCustomEntity = \\\"SHA256\\\"\\n | extend AccountName = tostring(split(ActorUsername, @\u0027\\\\\u0027)[1]), AccountDomain = tostring(split(ActorUsername, @\u0027\\\\\u0027)[0])\\n | extend HostName = DvcHostname, HostNameDomain = DvcDomain\\n | extend DeviceName = strcat(DvcHostname, \\\".\\\", DvcDomain )\\n )\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ActorUserName\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DeviceName\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Dev-0530 File Extension Rename\",\"description\":\"Dev-0530 actors are known to encrypt the contents of the victims device as well as renaming the file extensions. This query looks for the creation of files with .h0lyenc extension or presence of ransom note.\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2022-07-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cda5928c-2c1e-4575-9dfa-07568bc27a4f\",\"name\":\"cda5928c-2c1e-4575-9dfa-07568bc27a4f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"let lookback = 7d; \\nlet timeframe = 1h; \\nlet GlobalAdminsRemoved = AuditLogs \\n| where TimeGenerated \u003e ago(timeframe) \\n| where Category =~ \\\"RoleManagement\\\" \\n| where AADOperationType in (\\\"Unassign\\\", \\\"RemoveEligibleRole\\\") \\n| where ActivityDisplayName has_any (\\\"Remove member from role\\\", \\\"Remove eligible member from role\\\") \\n| mv-apply TargetResource = TargetResources on \\n (\\n where TargetResource.type =~ \\\"User\\\"\\n | extend Target = tostring(TargetResource.userPrincipalName),\\n props = TargetResource.modifiedProperties\\n )\\n| mv-apply Property = props on \\n (\\n where Property.displayName =~ \\\"Role.DisplayName\\\"\\n | extend RoleName = trim(\u0027\\\"\u0027,tostring(Property.oldValue))\\n )\\n| where RoleName =~ \\\"Global Administrator\\\" // Add other Privileged role if applicable\\n| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n| extend InitiatingIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\\n| extend Initiator = iif(isnotempty(InitiatingAppName), InitiatingAppName, InitiatingUserPrincipalName) \\n| where Initiator != \\\"MS-PIM\\\" // Filtering PIM events \\n| summarize RemovedGlobalAdminTime = max(TimeGenerated), TargetAdmins = make_set(Target,100) by OperationName, RoleName, Initiator, InitiatingAppName, InitiatingAppServicePrincipalId, InitiatingUserPrincipalName, InitiatingAadUserId, InitiatingIpAddress, Result; \\nlet GlobalAdminsAdded = AuditLogs \\n| where TimeGenerated \u003e ago(lookback) \\n| where Category =~ \\\"RoleManagement\\\" \\n| where AADOperationType in (\\\"Assign\\\", \\\"AssignEligibleRole\\\") \\n| where ActivityDisplayName has_any (\\\"Add eligible member to role\\\", \\\"Add member to role\\\") and Result == \\\"success\\\" \\n| mv-apply TargetResource = TargetResources on \\n (\\n where TargetResource.type =~ \\\"User\\\"\\n | extend Target = tostring(TargetResource.userPrincipalName),\\n props = TargetResource.modifiedProperties\\n )\\n| mv-apply Property = props on \\n (\\n where Property.displayName =~ \\\"Role.DisplayName\\\"\\n | extend RoleName = trim(\u0027\\\"\u0027,tostring(Property.newValue))\\n )\\n| where RoleName =~ \\\"Global Administrator\\\" // Add other Privileged role if applicable\\n| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n| extend Initiator = iif(isnotempty(InitiatingAppName), InitiatingAppName, tostring(InitiatedBy.user.userPrincipalName)) \\n| where Initiator != \\\"MS-PIM\\\" // Filtering PIM events \\n| summarize AddedGlobalAdminTime = max(TimeGenerated) by OperationName, RoleName, Target, Initiator, Result;\\nGlobalAdminsAdded \\n| join kind= inner GlobalAdminsRemoved on $left.Target == $right.Initiator \\n| where AddedGlobalAdminTime \u003c RemovedGlobalAdminTime \\n| extend NoofAdminsRemoved = array_length(TargetAdmins) \\n| where NoofAdminsRemoved \u003e 1\\n| project AddedGlobalAdminTime, Initiator, InitiatingAppName, InitiatingAppServicePrincipalId, InitiatingUserPrincipalName, InitiatingAadUserId, InitiatingIpAddress, Target, RemovedGlobalAdminTime, TargetAdmins, NoofAdminsRemoved\\n| extend TargetName = tostring(split(Target,\u0027@\u0027,0)[0]), TargetUPNSuffix = tostring(split(Target,\u0027@\u0027,1)[0])\\n| extend InitiatedByName = tostring(split(InitiatingUserPrincipalName,\u0027@\u0027,0)[0]), InitiatedByUPNSuffix = tostring(split(InitiatingUserPrincipalName,\u0027@\u0027,1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Target\"},{\"identifier\":\"Name\",\"columnName\":\"TargetName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"TargetUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatedByName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatedByUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAppServicePrincipalId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIpAddress\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Multiple admin membership removals from newly created admin.\",\"description\":\"This query detects when newly created Global admin removes multiple existing global admins which can be an attempt by adversaries to lock down organization and retain sole access. \\n Investigate reasoning and intention of multiple membership removal by new Global admins and take necessary actions accordingly.\",\"lastUpdatedDateUTC\":\"2024-01-08T00:00:00Z\",\"createdDateUTC\":\"2022-03-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/011c84d8-85f0-4370-b864-24c13455aa94\",\"name\":\"011c84d8-85f0-4370-b864-24c13455aa94\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"SecurityAlert\\n| extend Extprop = parse_json(ExtendedProperties)\\n| mv-expand todynamic(Entities)\\n| extend HostName = iff(isnotempty(tostring(Extprop[\\\"Compromised Host\\\"])), tolower(tostring(Extprop[\\\"Compromised Host\\\"])), tolower(tostring(parse_json(Entities).HostName)))\\n| where isnotempty(HostName)\\n| mv-expand todynamic(split(HostName, \u0027,\u0027))\\n| extend DnsDomain = iff(isnotempty(tostring(Extprop[\\\"Machine Domain\\\"])), tostring(Extprop[\\\"Machine Domain\\\"]), tostring(parse_json(Entities).DnsDomain))\\n| extend UserName = iff(isnotempty(tostring(Extprop[\\\"User Name\\\"])), tostring(Extprop[\\\"User Name\\\"]), iff(tostring(parse_json(Entities).Type) == \u0027account\u0027, tostring(parse_json(Entities).Name), \u0027\u0027))\\n| extend NTDomain = iff(isnotempty(tostring(Extprop[\\\"User Domain\\\"])), tostring(Extprop[\\\"User Domain\\\"]), tostring(parse_json(Entities).NTDomain))\\n| extend IpAddress = iff(tostring(parse_json(Entities).Type) == \u0027ip\u0027, tostring(parse_json(Entities).Address), tostring(parse_json(Extprop).[\\\"IpAddress\\\"]))\\n| summarize timestamp = arg_max(TimeGenerated, *) by AlertName, tostring(HostName)\\n| project timestamp, AlertName, UserName, NTDomain, tostring(HostName), DnsDomain, IpAddress\\n| join kind=inner\\n(\\nCoreAzureBackup\\n| where State =~ \\\"Deleted\\\"\\n| where OperationName =~ \\\"BackupItem\\\"\\n| extend data = split(BackupItemUniqueId, \\\";\\\")\\n| extend AzureLocation = data[0], VaultId=data[1], HostName=tolower(tostring(data[2])), DrivesBackedUp=data[3]\\n| project timestamp = TimeGenerated, AzureLocation, VaultId, HostName, DrivesBackedUp, State, BackupItemUniqueId, _ResourceId, OperationName, BackupItemFriendlyName\\n)\\non HostName\\n| project timestamp, AlertName, HostName, DnsDomain, UserName, NTDomain, _ResourceId, IpAddress, VaultId, AzureLocation, DrivesBackedUp, State, BackupItemUniqueId, OperationName, BackupItemFriendlyName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"UserName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"NTDomain\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"_ResourceId\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Detect CoreBackUp Deletion Activity from related Security Alerts\",\"description\":\"The query identifies any efforts by an attacker to delete backup containers, while also searching for any security alerts that may be linked to the same activity, in order to uncover additional information about the attacker\u0027s actions.\u0027 \\nThough such an activity could be legitimate as part of business operation, some ransomware actors may perform such operation to cause interruption to regular business services.\",\"lastUpdatedDateUTC\":\"2023-11-23T00:00:00Z\",\"createdDateUTC\":\"2021-11-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"MicrosoftDefenderForCloudTenantBased\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bfb1c90f-8006-4325-98be-c7fffbc254d6\",\"name\":\"bfb1c90f-8006-4325-98be-c7fffbc254d6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Medium\",\"query\":\"let s_threshold = 30;\\nlet l_threshold = 3;\\nlet aadFunc = (tableName:string){\\ntable(tableName)\\n| where OperationName =~ \\\"Sign-in activity\\\"\\n// Error codes that we want to look at as they are related to the use of incorrect password.\\n| where ResultType in (\\\"50126\\\", \\\"50053\\\" , \\\"50055\\\", \\\"50056\\\")\\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\\n| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\n| extend LocationString = strcat(tostring(LocationDetails.countryOrRegion), \\\"/\\\", tostring(LocationDetails.state), \\\"/\\\", tostring(LocationDetails.city))\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), LocationCount=dcount(LocationString), Location = make_set(LocationString,100),\\nIPAddress = make_set(IPAddress,100), IPAddressCount = dcount(IPAddress), AppDisplayName = make_set(AppDisplayName,100), ResultDescription = make_set(ResultDescription,50),\\nBrowser = make_set(Browser,20), OS = make_set(OS,20), SigninCount = count() by UserPrincipalName, Type\\n// Setting a generic threshold - Can be different for different environment\\n| where SigninCount \u003e s_threshold and LocationCount \u003e= l_threshold\\n| extend Location = tostring(Location), IPAddress = tostring(IPAddress), AppDisplayName = tostring(AppDisplayName), ResultDescription = tostring(ResultDescription), Browser = tostring(Browser), OS = tostring(OS)\\n| extend Name = tostring(split(UserPrincipalName,\u0027@\u0027,0)[0]), UPNSuffix = tostring(split(UserPrincipalName,\u0027@\u0027,1)[0])};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Distributed Password cracking attempts in Microsoft Entra ID\",\"description\":\"Identifies distributed password cracking attempts from the Microsoft Entra ID SigninLogs.\\nThe query looks for unusually high number of failed password attempts coming from multiple locations for a user account.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50053 Account is locked because the user tried to sign in too many times with an incorrect user ID or password.\\n50055 Invalid password, entered expired password.\\n50056 Invalid or null password - Password does not exist in store for this user.\\n50126 Invalid username or password, or invalid on-premises username or password.\",\"lastUpdatedDateUTC\":\"2024-01-06T00:00:00Z\",\"createdDateUTC\":\"2019-02-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f2dd4a3a-ebac-4994-9499-1a859938c947\",\"name\":\"f2dd4a3a-ebac-4994-9499-1a859938c947\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":1,\"version\":\"1.0.6\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet scorethreshold = 5;\\nlet bytessentperhourthreshold = 10;\\nlet TimeSeriesData = (union isfuzzy=true\\n(\\nVMConnection\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where isnotempty(DestinationIp) and isnotempty(SourceIp)\\n| extend SourceIP = SourceIp, DestinationIP = DestinationIp\\n| where ipv4_is_private(DestinationIP) == false\\n| extend DeviceVendor = \\\"VMConnection\\\"\\n| project TimeGenerated, BytesSent, DeviceVendor\\n| make-series TotalBytesSent=sum(BytesSent) on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by DeviceVendor\\n),\\n(\\nCommonSecurityLog\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\\n| where ipv4_is_private(DestinationIP) == false\\n| project TimeGenerated, SentBytes, DeviceVendor\\n| make-series TotalBytesSent=sum(SentBytes) on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by DeviceVendor\\n)\\n);\\n//Filter anomolies against TimeSeriesData\\nlet TimeSeriesAlerts = materialize(TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(TotalBytesSent, scorethreshold, -1, \u0027linefit\u0027)\\n| mv-expand TotalBytesSent to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double),score to typeof(double), baseline to typeof(long)\\n| where anomalies \u003e 0 | extend AnomalyHour = TimeGenerated\\n| extend TotalBytesSentinMBperHour = round(((TotalBytesSent / 1024)/1024),2), baselinebytessentperHour = round(((baseline / 1024)/1024),2), score = round(score,2)\\n| project DeviceVendor, AnomalyHour, TimeGenerated, TotalBytesSentinMBperHour, baselinebytessentperHour, anomalies, score);\\nlet AnomalyHours = materialize(TimeSeriesAlerts | where TimeGenerated \u003e ago(2d) | project TimeGenerated);\\n//Union of all BaseLogs aggregated per hour\\nlet BaseLogs = (union isfuzzy=true\\n(\\nCommonSecurityLog\\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\\n| where TimeGenerated \u003e ago(2d)\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n| where ipv4_is_private(DestinationIP) == false\\n| extend SentBytesinMB = ((SentBytes / 1024)/1024), ReceivedBytesinMB = ((ReceivedBytes / 1024)/1024)\\n| summarize HourlyCount = count(), TimeGeneratedMax=arg_max(TimeGenerated, *), DestinationIPList=make_set(DestinationIP, 100), DestinationPortList = make_set(DestinationPort,100), TotalSentBytesinMB = sum(SentBytesinMB), TotalReceivedBytesinMB = sum(ReceivedBytesinMB) by SourceIP, DeviceVendor, TimeGeneratedHour=bin(TimeGenerated,1h)\\n| where TotalSentBytesinMB \u003e bytessentperhourthreshold\\n| sort by TimeGeneratedHour asc, TotalSentBytesinMB desc\\n| extend Rank=row_number(1, prev(TimeGeneratedHour) != TimeGeneratedHour) // Ranking the dataset per Hourly Partition\\n| where Rank \u003c 10 // Selecting Top 10 records with Highest BytesSent in each Hour\\n| project DeviceVendor, TimeGeneratedHour, TimeGeneratedMax, SourceIP, DestinationIPList, DestinationPortList, TotalSentBytesinMB, TotalReceivedBytesinMB, Rank\\n),\\n(\\nVMConnection\\n| where isnotempty(DestinationIp) and isnotempty(SourceIp)\\n| where TimeGenerated \u003e ago(2d)\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n| extend SourceIP = SourceIp, DestinationIP = DestinationIp\\n| where ipv4_is_private(DestinationIP) == false | extend DeviceVendor = \\\"VMConnection\\\"\\n| extend SentBytesinMB = ((BytesSent / 1024)/1024), ReceivedBytesinMB = ((BytesReceived / 1024)/1024)\\n| summarize HourlyCount = count(),TimeGeneratedMax=arg_max(TimeGenerated, *), DestinationIPList=make_set(DestinationIP, 100), DestinationPortList = make_set(DestinationPort, 100), TotalSentBytesinMB = sum(SentBytesinMB),TotalReceivedBytesinMB = sum(ReceivedBytesinMB) by SourceIP, DeviceVendor, TimeGeneratedHour=bin(TimeGenerated,1h)\\n| where TotalSentBytesinMB \u003e bytessentperhourthreshold\\n| sort by TimeGeneratedHour asc, TotalSentBytesinMB desc\\n| extend Rank=row_number(1, prev(TimeGeneratedHour) != TimeGeneratedHour) // Ranking the dataset per Hourly Partition\\n| where Rank \u003c 10 // Selecting Top 10 records with Highest BytesSent in each Hour\\n| project DeviceVendor, TimeGeneratedHour, TimeGeneratedMax, SourceIP, DestinationIPList, DestinationPortList, TotalSentBytesinMB, TotalReceivedBytesinMB, Rank\\n)\\n);\\n// Join against base logs to retrive records associated with the hour of anomoly\\nTimeSeriesAlerts\\n| where TimeGenerated \u003e ago(2d)\\n| join (\\n BaseLogs | extend AnomalyHour = TimeGeneratedHour\\n) on DeviceVendor, AnomalyHour | sort by score desc\\n| project DeviceVendor, AnomalyHour,TimeGeneratedMax, SourceIP, DestinationIPList, DestinationPortList, TotalSentBytesinMB, TotalReceivedBytesinMB, TotalBytesSentinMBperHour, baselinebytessentperHour, score, anomalies\\n| summarize EventCount = count(), StartTimeUtc= min(TimeGeneratedMax), EndTimeUtc= max(TimeGeneratedMax), SourceIPMax= arg_max(SourceIP,*), TotalBytesSentinMB = sum(TotalSentBytesinMB), TotalBytesReceivedinMB = sum(TotalReceivedBytesinMB), SourceIPList = make_set(SourceIP, 100), DestinationIPList = make_set(DestinationIPList, 100) by AnomalyHour,TotalBytesSentinMBperHour, baselinebytessentperHour, score, anomalies\\n| project DeviceVendor, AnomalyHour, StartTimeUtc, EndTimeUtc, SourceIPMax, SourceIPList, DestinationIPList, DestinationPortList, TotalBytesSentinMB, TotalBytesReceivedinMB, TotalBytesSentinMBperHour, baselinebytessentperHour, score, anomalies, EventCount\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIPMax\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"Time series anomaly for data size transferred to public internet\",\"description\":\"Identifies anomalous data transfer to public networks. The query leverages built-in KQL anomaly detection algorithms that detects large deviations from a baseline pattern.\\nA sudden increase in data transferred to unknown public networks is an indication of data exfiltration attempts and should be investigated.\\nThe higher the score, the further it is from the baseline value.\\nThe output is aggregated to provide summary view of unique source IP to destination IP address and port bytes sent traffic observed in the flagged anomaly hour.\\nThe source IP addresses which were sending less than bytessentperhourthreshold have been exluded whose value can be adjusted as needed .\\nYou may have to run queries for individual source IP addresses from SourceIPlist to determine if anything looks suspicious\",\"lastUpdatedDateUTC\":\"2024-04-11T00:00:00Z\",\"createdDateUTC\":\"2019-05-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e7470b35-0128-4508-bfc9-e01cfb3c2eb7\",\"name\":\"e7470b35-0128-4508-bfc9-e01cfb3c2eb7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Medium\",\"query\":\"Event\\n | where EventLog =~ \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID==1\\n | parse EventData with * \u0027Image\\\"\u003e\u0027 Image \\\"\u003c\\\" * \u0027CommandLine\\\"\u003e\u0027 CommandLine \\\"\u003c\\\" * \u0027ParentImage\\\"\u003e\u0027 ParentImage \\\"\u003c\\\" *\\n | where ParentImage has \\\"svchost.exe\\\" and Image has \\\"rundll32.exe\\\" and CommandLine has \\\"{c08afd90-f2a1-11d1-8455-00a0c91f3880}\\\"\\n | parse EventData with * \u0027ProcessGuid\\\"\u003e\u0027 ProcessGuid \\\"\u003c\\\" * \u0027Description\\\"\u003e\u0027 Description \\\"\u003c\\\" * \u0027CurrentDirectory\\\"\u003e\u0027 CurrentDirectory \\\"\u003c\\\" * \u0027User\\\"\u003e\u0027 User \\\"\u003c\\\" * \u0027LogonGuid\\\"\u003e\u0027 LogonGuid \\\"\u003c\\\" * \u0027ParentProcessGuid\\\"\u003e\u0027 ParentProcessGuid \\\"\u003c\\\" * \u0027ParentImage\\\"\u003e\u0027 ParentImage \\\"\u003c\\\" * \u0027ParentCommandLine\\\"\u003e\u0027 ParentCommandLine \\\"\u003c\\\" * \u0027ParentUser\\\"\u003e\u0027 ParentUser \\\"\u003c\\\" *\\n | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, User, ParentImage, ParentProcessGuid, ParentCommandLine, ParentUser, Image, ProcessGuid, CommandLine, Description\\n | extend HostName = iif(Computer has \u0027.\u0027,substring(Computer,0,indexof(Computer,\u0027.\u0027)),Computer) , DnsDomain = iif(Computer has \u0027.\u0027,substring(Computer,indexof(Computer,\u0027.\u0027)+1),\u0027\u0027)\",\"entityMappings\":[{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLine\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"User\"}]}],\"tactics\":[\"LateralMovement\"],\"displayName\":\"Detecting Macro Invoking ShellBrowserWindow COM Objects\",\"description\":\"This query detects a macro invoking ShellBrowserWindow COM Objects evade naive parent/child Office detection rules.\",\"lastUpdatedDateUTC\":\"2024-11-18T00:00:00Z\",\"createdDateUTC\":\"2022-03-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/69a45b05-71f5-45ca-8944-2e038747fb39\",\"name\":\"69a45b05-71f5-45ca-8944-2e038747fb39\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P8D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.8\",\"severity\":\"Medium\",\"query\":\"let endtime = 1d;\\n// Function to resolve hostname to IP address using DNS logs or a lookup table (example syntax)\\nlet rdpConnections =\\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4624 and LogonType == 10\\n// Labeling the first RDP connection time, computer and ip\\n| extend\\nFirstHop = bin(TimeGenerated, 1m),\\nFirstComputer = toupper(Computer),\\nFirstRemoteIPAddress = IpAddress,\\nAccount = tolower(Account)\\n),\\n(\\nWindowsEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4624 and EventData has (\\\"10\\\")\\n| extend LogonType = tostring(EventData.LogonType)\\n| where LogonType == 10 // Labeling the first RDP connection time, computer and ip\\n| extend Account = strcat(tostring(EventData.TargetDomainName), \\\"\\\", tostring(EventData.TargetUserName))\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| extend\\nFirstHop = bin(TimeGenerated, 1m),\\nFirstComputer = toupper(Computer),\\nFirstRemoteIPAddress = IpAddress,\\nAccount = tolower(Account)\\n))\\n| join kind=inner (\\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4624 and LogonType == 10\\n// Labeling the second RDP connection time, computer and ip\\n| extend\\nSecondHop = bin(TimeGenerated, 1m),\\nSecondComputer = toupper(Computer),\\nSecondRemoteIPAddress = IpAddress,\\nAccount = tolower(Account)\\n),\\n(\\nWindowsEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4624 and EventData has (\\\"10\\\")\\n| extend LogonType = toint(EventData.LogonType)\\n| where LogonType == 10 // Labeling the second RDP connection time, computer and ip\\n| extend Account = strcat(tostring(EventData.TargetDomainName), \\\"\\\", tostring(EventData.TargetUserName))\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| extend\\nSecondHop = bin(TimeGenerated, 1m),\\nSecondComputer = toupper(Computer),\\nSecondRemoteIPAddress = IpAddress,\\nAccount = tolower(Account)\\n))\\n)\\non Account\\n| distinct\\nAccount,\\nFirstHop,\\nFirstComputer,\\nFirstRemoteIPAddress,\\nSecondHop,\\nSecondComputer,\\nSecondRemoteIPAddress,\\nAccountType,\\nActivity,\\nLogonTypeName,\\nProcessName;\\n// Resolve hostnames to IP addresses device network Ip\u0027s\\nlet listOfFirstComputer = rdpConnections | distinct FirstComputer;\\nlet listOfSecondComputer = rdpConnections | distinct SecondComputer;\\nlet resolvedIPs =\\nDeviceNetworkInfo\\n| where TimeGenerated \u003e= ago(endtime)\\n| where isnotempty(ConnectedNetworks) and NetworkAdapterStatus == \\\"Up\\\"\\n| extend ClientIP = tostring(parse_json(IPAddresses[0]).IPAddress)\\n| where isnotempty(ClientIP)\\n| where DeviceName in~ (listOfFirstComputer) or DeviceName in~ (listOfSecondComputer)\\n| summarize arg_max(TimeGenerated, ClientIP) by Computer= DeviceName\\n| project Computer=toupper(Computer), ResolvedIP = ClientIP;\\n// Join resolved IPs with the RDP connections\\nrdpConnections\\n| join kind=inner (resolvedIPs) on $left.FirstComputer == $right.Computer\\n| join kind=inner (resolvedIPs) on $left.SecondComputer == $right.Computer\\n// | where ResolvedIP != ResolvedIP1\\n| distinct\\nAccount,\\nFirstHop,\\nFirstComputer,\\nFirstComputerIP = ResolvedIP,\\nFirstRemoteIPAddress,\\nSecondHop,\\nSecondComputer,\\nSecondComputerIP = ResolvedIP1,\\nSecondRemoteIPAddress,\\nAccountType,\\nActivity,\\nLogonTypeName,\\nProcessName\\n// Ensure the first connection is before the second connection\\n// Identify only RDP to another computer from within the first RDP connection by only choosing matches where the Computer names do not match\\n// Ensure the IPAddresses do not match by excluding connections from the same computers with first hop RDP connections to multiple computers\\n| where FirstComputer != SecondComputer\\nand FirstRemoteIPAddress != SecondRemoteIPAddress\\nand SecondHop \u003e FirstHop\\n// Ensure the second hop occurs within 30 minutes of the first hop\\n| where SecondHop \u003c= FirstHop + 30m\\n| where SecondRemoteIPAddress == FirstComputerIP\\n| summarize FirstHopFirstSeen = min(FirstHop), FirstHopLastSeen = max(FirstHop)\\nby\\nAccount,\\nFirstComputer,\\nFirstComputerIP,\\nFirstRemoteIPAddress,\\nSecondHop,\\nSecondComputer,\\nSecondComputerIP,\\nSecondRemoteIPAddress,\\nAccountType,\\nActivity,\\nLogonTypeName,\\nProcessName\\n| extend\\nAccountName = tostring(split(Account, @\\\"\\\")[1]),\\nAccountNTDomain = tostring(split(Account, @\\\"\\\")[0])\\n| extend\\nHostName1 = tostring(split(FirstComputer, \\\".\\\")[0]),\\nDomainIndex = toint(indexof(FirstComputer, \u0027.\u0027))\\n| extend HostNameDomain1 = iff(DomainIndex != -1, substring(FirstComputer, DomainIndex + 1), FirstComputer)\\n| extend\\nHostName2 = tostring(split(SecondComputer, \\\".\\\")[0]),\\nDomainIndex = toint(indexof(SecondComputer, \u0027.\u0027))\\n| extend HostNameDomain2 = iff(DomainIndex != -1, substring(SecondComputer, DomainIndex + 1), SecondComputer)\\n| project-away DomainIndex\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"FirstComputer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName1\"},{\"identifier\":\"NTDomain\",\"columnName\":\"HostNameDomain1\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SecondComputer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName2\"},{\"identifier\":\"NTDomain\",\"columnName\":\"HostNameDomain2\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"FirstIPAddress\"}]}],\"tactics\":[\"LateralMovement\"],\"displayName\":\"RDP Nesting\",\"description\":\"Query detects potential lateral movement within a network by identifying when an RDP connection (EventID 4624, LogonType 10) is made to an initial system, followed by a subsequent RDP connection from that system to another, using the same account within a 60-minute window.\\n To reduce false positives, it excludes scenarios where the same account has made 5 or more connections to the same set of computers in the previous 7 days. This approach focuses on highlighting unusual RDP behaviour that suggests lateral movement, which is often associated with attacker tactics during a network breach.\",\"lastUpdatedDateUTC\":\"2024-09-27T00:00:00Z\",\"createdDateUTC\":\"2019-10-21T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/694c91ee-d606-4ba9-928e-405a2dd0ff0f\",\"name\":\"694c91ee-d606-4ba9-928e-405a2dd0ff0f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"High\",\"query\":\"let queryperiod = 14d;\\nlet queryfrequency = 2h;\\nlet security_info_actions = dynamic([\\\"User registered security info\\\", \\\"User changed default security info\\\", \\\"User deleted security info\\\", \\\"Admin updated security info\\\", \\\"User reviewed security info\\\", \\\"Admin deleted security info\\\", \\\"Admin registered security info\\\"]);\\nlet VIPUsers = (\\n IdentityInfo\\n | where TimeGenerated \u003e ago(queryperiod)\\n | mv-expand AssignedRoles\\n | where AssignedRoles contains \u0027Admin\u0027\\n | summarize by AccountUPN);\\nAuditLogs\\n| where TimeGenerated \u003e ago(queryfrequency)\\n| where Category =~ \\\"UserManagement\\\"\\n| where ActivityDisplayName in (security_info_actions)\\n| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n| extend InitiatingIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\\n| mv-apply TargetResource = TargetResources on \\n (\\n where TargetResource.type =~ \\\"User\\\"\\n | extend TargetUserPrincipalName = tostring(TargetResource.userPrincipalName)\\n )\\n| where TargetUserPrincipalName in~ (VIPUsers)\\n// Uncomment the line below if you are experiencing high volumes of Target entities. If this is uncommented, the Target column will not be mapped to an entity.\\n//| summarize Start=min(TimeGenerated), End=max(TimeGenerated), Actions = make_set(ResultReason, MaxSize=8), Targets=make_set(Target, MaxSize=256) by Initiator, IP, Result\\n// Comment out this line below, if line above is used.\\n| summarize Start=min(TimeGenerated), End=max(TimeGenerated), Actions = make_set(ResultReason, MaxSize=8) by InitiatingAppName, InitiatingAppServicePrincipalId, \\nInitiatingUserPrincipalName, InitiatingAadUserId, InitiatingIpAddress, TargetUserPrincipalName, Result\\n| extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[1]), \\nTargetName = iff(tostring(TargetUserPrincipalName) has \\\"[\\\", \\\"\\\", tostring(split(TargetUserPrincipalName,\u0027@\u0027,0)[0])), TargetUPNSuffix = iff(tostring(TargetUserPrincipalName) has \\\"[\\\", \\\"\\\", tostring(split(TargetUserPrincipalName,\u0027@\u0027,1)[0]))\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"InitiatingAppName\"},{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAppServicePrincipalId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatingAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatingAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIpAddress\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Authentication Methods Changed for Privileged Account\",\"description\":\"Identifies authentication methods being changed for a privileged account. This could be an indication of an attacker adding an auth method to the account so they can have continued access.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"IdentityInfo\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/be52662c-3b23-435a-a6fa-f39bdfc849e6\",\"name\":\"be52662c-3b23-435a-a6fa-f39bdfc849e6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"let threshold = 10;\\nQualysHostDetection_CL\\n| mv-expand todynamic(Detections_s)\\n| where Detections_s.Severity == \\\"5\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by NetBios_s, IPAddress\\n| where count_ \u003e= threshold\\n| extend timestamp = StartTime, HostCustomEntity = NetBios_s, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"High Number of Urgent Vulnerabilities Detected\",\"description\":\"This Creates an incident when a host has a high number of Urgent, severity 5, vulnerabilities detected.\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2020-06-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"QualysVulnerabilityManagement\",\"dataTypes\":[\"QualysHostDetection_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b185ac23-dc27-4573-8192-1134c7a95f4f\",\"name\":\"b185ac23-dc27-4573-8192-1134c7a95f4f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"Dynamics365Activity\\n| extend Message = tostring(split(OriginalObjectId, \u0027 \u0027)[0])\\n| where Message =~ \u0027IsDataEncryptionActive\u0027\\n| project-reorder TimeGenerated, Message, UserId, ClientIP, InstanceUrl, UserAgent\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = ClientIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Dynamics Encryption Settings Changed\",\"description\":\"This query looks for changes to the Data Encryption settings for Dynamics 365.\\nReference: https://docs.microsoft.com/microsoft-365/compliance/office-365-encryption-in-microsoft-dynamics-365\",\"lastUpdatedDateUTC\":\"2022-12-12T00:00:00Z\",\"createdDateUTC\":\"2021-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Dynamics365\",\"dataTypes\":[\"Dynamics365Activity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/65360bb0-8986-4ade-a89d-af3cf44d28aa\",\"name\":\"65360bb0-8986-4ade-a89d-af3cf44d28aa\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"Low\",\"query\":\"let EventNameList = dynamic([\\\"CreateNetworkAclEntry\\\",\\\"CreateRoute\\\",\\\"CreateRouteTable\\\",\\\"CreateInternetGateway\\\",\\\"CreateNatGateway\\\"]);\\nAWSCloudTrail\\n| where EventName in~ (EventNameList)\\n| extend UserIdentityArn = iif(isempty(UserIdentityArn), tostring(parse_json(Resources)[0].ARN), UserIdentityArn)\\n| extend UserName = tostring(split(UserIdentityArn, \u0027/\u0027)[-1])\\n| extend AccountName = case( UserIdentityPrincipalid == \\\"Anonymous\\\", \\\"Anonymous\\\", isempty(UserIdentityUserName), UserName, UserIdentityUserName)\\n| extend AccountName = iif(AccountName contains \\\"@\\\", tostring(split(AccountName, \u0027@\u0027, 0)[0]), AccountName),\\n AccountUPNSuffix = iif(AccountName contains \\\"@\\\", tostring(split(AccountName, \u0027@\u0027, 1)[0]), \\\"\\\")\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, RecipientAccountId, AccountName, AccountUPNSuffix, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent,\\nUserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion, EventSource, AdditionalEventData, ResponseElements\\n| extend timestamp = StartTimeUtc\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"},{\"identifier\":\"CloudAppAccountId\",\"columnName\":\"RecipientAccountId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIpAddress\"}]}],\"tactics\":[\"PrivilegeEscalation\",\"LateralMovement\"],\"displayName\":\"Changes to Amazon VPC settings\",\"description\":\"Amazon Virtual Private Cloud (Amazon VPC) lets you provision a logically isolated section of the AWS Cloud where you can launch AWS resources in a virtual network that you define.\\nThis identifies changes to Amazon VPC (Virtual Private Cloud) settings such as new ACL entries,routes, routetable or Gateways.\\nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255 \\nand AWS VPC API Docs: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/OperationList-query-vpc.html\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4ce177b3-56b1-4f0e-b83e-27eed4cb0b16\",\"name\":\"4ce177b3-56b1-4f0e-b83e-27eed4cb0b16\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"Medium\",\"query\":\"let lookback = 14d;\\nlet timeframe = 1d;\\n// exclude allowed users from query such as the ADO service\\nlet allowed_users = dynamic([\\\"Azure DevOps Service\\\"]);\\nunion\\n// Look for agents being added to a pool of a OS type not seen with that pool before\\n(AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(lookback) and TimeGenerated \u003c ago(timeframe)\\n| where OperationName =~ \\\"Library.AgentAdded\\\"\\n| where ActorUPN !in (allowed_users)\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n| extend OsDescription = tostring(Data.OsDescription)\\n| where isnotempty(OsDescription)\\n| extend OsDescription = tostring(split(OsDescription, \\\"#\\\", 0)[0])\\n| project AgentPoolName, OsDescription\\n| join kind=rightanti (AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeframe)\\n| where OperationName == \\\"Library.AgentAdded\\\"\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n| extend OsDescription = tostring(Data.OsDescription)\\n| where isnotempty(OsDescription)\\n| extend OsDescription = tostring(split(OsDescription, \\\"#\\\", 0)[0])) on AgentPoolName, OsDescription),\\n// Look for users addeing agents to a pool that they have not added agents to before.\\n(AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(lookback) and TimeGenerated \u003c ago(timeframe)\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n| where ActorUPN !in (allowed_users)\\n| project AgentPoolName, ActorUPN\\n| join kind=rightanti (AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeframe)\\n| where OperationName == \\\"Library.AgentAdded\\\"\\n| where ActorUPN !in (allowed_users)\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n) on AgentPoolName, ActorUPN)\\n| extend AgentName = tostring(Data.AgentName)\\n| extend OsDescription = tostring(Data.OsDescription)\\n| extend SystemDetails = Data.SystemCapabilities\\n| project-reorder TimeGenerated, OperationName, ScopeDisplayName, AgentPoolName, AgentName, ActorUPN, IpAddress, UserAgent, OsDescription, SystemDetails, Data\\n| extend timestamp = TimeGenerated\\n| extend AccountName = tostring(split(ActorUPN, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(ActorUPN, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ActorUPN\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"New Agent Added to Pool by New User or Added to a New OS Type\",\"description\":\"As seen in attacks such as SolarWinds attackers can look to subvert a build process by controlling build servers. Azure DevOps uses agent pools to execute pipeline tasks. \\nAn attacker could insert compromised agents that they control into the pools in order to execute malicious code. This query looks for users adding agents to pools they have not added agents to before, or adding agents to a pool of an OS that has not been added to that pool before. This detection has potential for false positives so has a configurable allow list to allow for certain users to be excluded from the logic.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f948a32f-226c-4116-bddd-d95e91d97eb9\",\"name\":\"f948a32f-226c-4116-bddd-d95e91d97eb9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"High\",\"query\":\"let detectionTime = 1d;\\nlet joinLookback = 14d;\\nlet threshold = 5;\\nlet o365_attack_regex = \\\"contacts.read|user.read|mail.read|notes.read.all|mailboxsettings.readwrite|Files.ReadWrite.All|mail.send|files.read|files.read.all\\\";\\nlet o365_attack = dynamic([\\\"contacts.read\\\", \\\"user.read\\\", \\\"mail.read\\\", \\\"notes.read.all\\\", \\\"mailboxsettings.readwrite\\\", \\\"Files.ReadWrite.All\\\", \\\"mail.send\\\", \\\"files.read\\\", \\\"files.read.all\\\"]);\\nAuditLogs\\n| where TimeGenerated \u003e ago(detectionTime)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Consent to application\\\"\\n| mv-apply TargetResource = TargetResources on \\n (\\n where TargetResource.type =~ \\\"ServicePrincipal\\\"\\n | extend AppDisplayName = tostring(TargetResource.displayName),\\n AppClientId = tostring(TargetResource.id),\\n props = TargetResource.modifiedProperties\\n )\\n| where AppClientId !in ((externaldata(knownAppClientId:string, knownAppDisplayName:string)[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.OAuth.KnownApplications.csv\\\"] with (format=\\\"csv\\\"))) // NOTE: a MATCH from this list will cause the alert to NOT fire - please modify for your environment!\\n| mv-apply ConsentFull = props on \\n (\\n where ConsentFull.displayName =~ \\\"ConsentAction.Permissions\\\"\\n )\\n| parse ConsentFull with * \\\"ConsentType: \\\" GrantConsentType \\\", Scope: \\\" GrantScope1 \\\", CreatedDateTime\\\" * \\\"]\\\" *\\n| where GrantConsentType != \\\"AllPrincipals\\\" // NOTE: we are ignoring if OAuth application was granted to all users via an admin - but admin due diligence should be audited occasionally\\n| where ConsentFull has_any (o365_attack) \\n| extend GrantScopeCount = countof(tolower(GrantScope1), o365_attack_regex, \u0027regex\u0027)\\n| where GrantScopeCount \u003e threshold\\n| extend GrantInitiatedByAppName = tostring(InitiatedBy.app.displayName)\\n| extend GrantInitiatedByAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n| extend GrantInitiatedByUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n| extend GrantInitiatedByAadUserId = tostring(InitiatedBy.user.id)\\n| extend GrantIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n| extend GrantInitiatedBy = iff(isnotempty(GrantInitiatedByUserPrincipalName), GrantInitiatedByUserPrincipalName, GrantInitiatedByAppName)\\n| mv-apply AdditionalDetail = AdditionalDetails on \\n (\\n where AdditionalDetail.key =~ \\\"User-Agent\\\"\\n | extend GrantUserAgent = AdditionalDetail.value\\n )\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, GrantInitiatedByUserPrincipalName, GrantInitiatedByAadUserId, GrantInitiatedByAppName, GrantInitiatedByAppServicePrincipalId, GrantIpAddress, GrantUserAgent, AppClientId, OperationName, ConsentFull, CorrelationId\\n| join kind = leftouter (AuditLogs\\n | where TimeGenerated \u003e ago(joinLookback)\\n | where LoggedByService =~ \\\"Core Directory\\\"\\n | where Category =~ \\\"ApplicationManagement\\\"\\n | where OperationName =~ \\\"Add service principal\\\"\\n | mv-apply TargetResource = TargetResources on \\n (\\n where TargetResource.type =~ \\\"ServicePrincipal\\\"\\n | extend props = TargetResource.modifiedProperties,\\n AppClientId = tostring(TargetResource.id)\\n )\\n | mv-apply Property = props on \\n (\\n where Property.displayName =~ \\\"AppAddress\\\" and Property.newValue has \\\"AddressType\\\"\\n | extend AppReplyURLs = trim(\u0027\\\"\u0027,tostring(Property.newValue))\\n )\\n | distinct AppClientId, tostring(AppReplyURLs)\\n) on AppClientId\\n| join kind = innerunique (AuditLogs\\n | where TimeGenerated \u003e ago(joinLookback)\\n | where LoggedByService =~ \\\"Core Directory\\\"\\n | where Category =~ \\\"ApplicationManagement\\\"\\n | where OperationName =~ \\\"Add OAuth2PermissionGrant\\\" or OperationName =~ \\\"Add delegated permission grant\\\"\\n | mv-apply TargetResource = TargetResources on \\n (\\n where TargetResource.type =~ \\\"ServicePrincipal\\\" and array_length(TargetResource.modifiedProperties) \u003e 0 and isnotnull(TargetResource.displayName)\\n | extend GrantAuthentication = tostring(TargetResource.displayName)\\n )\\n | extend GrantOperation = OperationName\\n | project GrantAuthentication, GrantOperation, CorrelationId\\n ) on CorrelationId\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantInitiatedByUserPrincipalName, GrantInitiatedByAadUserId, GrantInitiatedByAppName, GrantInitiatedByAppServicePrincipalId, GrantIpAddress, GrantUserAgent, AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull\\n| extend Name = tostring(split(GrantInitiatedByUserPrincipalName,\u0027@\u0027,0)[0]), UPNSuffix = tostring(split(GrantInitiatedByUserPrincipalName,\u0027@\u0027,1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"GrantInitiatedByUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"GrantInitiatedByAadUserId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"GrantInitiatedByAppServicePrincipalId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"GrantIpAddress\"}]},{\"entityType\":\"CloudApplication\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"AppDisplayName\"}]}],\"tactics\":[\"CredentialAccess\",\"DefenseEvasion\"],\"displayName\":\"Suspicious application consent similar to O365 Attack Toolkit\",\"description\":\"This will alert when a user consents to provide a previously-unknown Azure application with the same OAuth permissions used by the MDSec O365 Attack Toolkit (https://github.com/mdsecactivebreach/o365-attack-toolkit).\\nThe default permissions/scope for the MDSec O365 Attack toolkit change sometimes but often include contacts.read, user.read, mail.read, notes.read.all, mailboxsettings.readwrite, files.readwrite.all, mail.send, files.read, and files.read.all.\\nConsent to applications with these permissions should be rare, especially as the knownApplications list is expanded, especially as the knownApplications list is expanded. Public contributions to expand this filter are welcome!\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2024-01-08T00:00:00Z\",\"createdDateUTC\":\"2020-06-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/157c0cfc-d76d-463b-8755-c781608cdc1a\",\"name\":\"157c0cfc-d76d-463b-8755-c781608cdc1a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.6\",\"severity\":\"Medium\",\"query\":\"let aadFunc = (tableName:string){\\nCommonSecurityLog\\n| where DeviceVendor =~ \\\"Cisco\\\"\\n| where DeviceAction =~ \\\"denied\\\"\\n| where ipv4_is_private(SourceIP) == false\\n| summarize count() by SourceIP\\n| join (\\n // Successful signins from IPs blocked by the firewall solution are suspect\\n // Include fully successful sign-ins, but also ones that failed only at MFA stage\\n // as that supposes the password was sucessfully guessed.\\n table(tableName)\\n | where ResultType in (\\\"0\\\", \\\"50074\\\", \\\"50076\\\")\\n) on $left.SourceIP == $right.IPAddress\\n| extend AccountName = tostring(split(Account, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(Account, \\\"@\\\")[1])\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Cisco - firewall block but success logon to Microsoft Entra ID\",\"description\":\"Correlate IPs blocked by a Cisco firewall appliance with successful Microsoft Entra ID signins.\\nBecause the IP was blocked by the firewall, that same IP logging on successfully to Entra ID is potentially suspect and could indicate credential compromise for the user account.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2019-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6d63efa6-7c25-4bd4-a486-aa6bf50fde8a\",\"name\":\"6d63efa6-7c25-4bd4-a486-aa6bf50fde8a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"// Add non-approved user principal names or apps to the list below to search for their account creation/deletion activity\\n// ex: dynamic([\\\"UPN1\\\", \\\"upn123\\\"])\\nlet nonapproved_users = dynamic([]);\\nlet nonapproved_apps = dynamic([]);\\nAuditLogs\\n| where OperationName =~ \\\"Add user\\\" or OperationName =~ \\\"Delete user\\\"\\n| where Result =~ \\\"success\\\"\\n| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n| extend InitiatingIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\\n| where InitiatingUserPrincipalName has_any (nonapproved_users) or InitiatingAppName has_any (nonapproved_apps)\\n| extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"InitiatingAppName\"},{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAppServicePrincipalId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatingAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatingAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIpAddress\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Account created or deleted by non-approved user\",\"description\":\"Identifies accounts that were created or deleted by a defined list of non-approved user principal names. Add to this list before running the query for accurate results.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2021-10-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f845881e-2500-44dc-8ed7-b372af3e1e25\",\"name\":\"f845881e-2500-44dc-8ed7-b372af3e1e25\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Low\",\"query\":\"let short_uaLength = 5;\\nlet long_uaLength = 1000;\\nlet c_threshold = 100;\\nW3CIISLog\\n// Exclude local IPs as these create noise\\n| where cIP !startswith \\\"192.168.\\\" and cIP != \\\"::1\\\"\\n| where isnotempty(csUserAgent) and csUserAgent !in~ (\\\"-\\\", \\\"MSRPC\\\") and (string_size(csUserAgent) \u003c= short_uaLength or string_size(csUserAgent) \u003e= long_uaLength)\\n| extend csUserAgent_size = string_size(csUserAgent)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ConnectionCount = count() by Computer, sSiteName, sPort, csUserAgent, csUserAgent_size, csUserName , csMethod, csUriStem, sIP, cIP, scStatus, scSubStatus, scWin32Status\\n| where ConnectionCount \u003c c_threshold\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| extend AccountName = tostring(split(csUserName, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(csUserName, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"csUserName\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"cIP\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Anomalous User Agent connection attempt\",\"description\":\"Identifies connection attempts (success or fail) from clients with very short or very long User Agent strings and with less than 100 connection attempts.\",\"lastUpdatedDateUTC\":\"2023-12-28T00:00:00Z\",\"createdDateUTC\":\"2019-02-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d82e1987-4356-4a7b-bc5e-064f29b143c0\",\"name\":\"d82e1987-4356-4a7b-bc5e-064f29b143c0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.6\",\"severity\":\"Medium\",\"query\":\"(union isfuzzy=true \\n(SecurityEvent\\n| where EventID == 4688\\n| where Process =~ \u0027rundll32.exe\u0027 \\n| where CommandLine has_all (\u0027Execute\u0027,\u0027RegRead\u0027,\u0027window.close\u0027)\\n| project TimeGenerated, Computer, SubjectAccount = Account, SubjectUserName, SubjectDomainName, SubjectUserSid, Process, ProcessId, NewProcessName, CommandLine, ParentProcessName, _ResourceId\\n),\\n(WindowsEvent\\n| where EventID == 4688 and EventData has \u0027rundll32.exe\u0027 and EventData has_any (\u0027Execute\u0027,\u0027RegRead\u0027,\u0027window.close\u0027)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where Process =~ \u0027rundll32.exe\u0027 \\n| extend CommandLine = tostring(EventData.CommandLine)\\n| where CommandLine has_all (\u0027Execute\u0027,\u0027RegRead\u0027,\u0027window.close\u0027)\\n| extend SubjectAccount = strcat(EventData.SubjectDomainName,\\\"\\\\\\\\\\\", EventData.SubjectUserName)\\n| extend ParentProcessName = tostring(EventData.ParentProcessName) \\n| project TimeGenerated, Computer, SubjectAccount, SubjectUserName = tostring(EventData.SubjectUserName), SubjectDomainName = tostring(EventData.SubjectDomainName), SubjectUserSid = tostring(EventData.SubjectUserSid), Process, NewProcessName, CommandLine, ParentProcessName, _ResourceId\\n)\\n)\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| project-away DomainIndex\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SubjectAccount\"},{\"identifier\":\"Name\",\"columnName\":\"SubjectUserName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"SubjectDomainName\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Sid\",\"columnName\":\"SubjectUserSid\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Midnight Blizzard - suspicious rundll32.exe execution of vbscript\",\"description\":\"This query idenifies when rundll32.exe executes a specific set of inline VBScript commands\\n References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/\",\"lastUpdatedDateUTC\":\"2024-01-22T00:00:00Z\",\"createdDateUTC\":\"2021-03-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fcb9d75c-c3c1-4910-8697-f136bfef2363\",\"name\":\"fcb9d75c-c3c1-4910-8697-f136bfef2363\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P2D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.6\",\"severity\":\"Low\",\"query\":\"let querystarttime = 2d;\\nlet queryendtime = 1d;\\nlet TimeDeltaThreshold = 10;\\nlet TotalEventsThreshold = 15;\\nlet PercentBeaconThreshold = 80;\\nlet LocalNetworks=dynamic([\\\"169.254.0.0/16\\\",\\\"127.0.0.0/8\\\"]);\\n_Im_NetworkSession(starttime=ago(querystarttime), endtime=ago(queryendtime))\\n| where not(ipv4_is_private(DstIpAddr))\\n| where not (ipv4_is_in_any_range(DstIpAddr, LocalNetworks))\\n| project \\n TimeGenerated\\n , SrcIpAddr\\n , SrcPortNumber\\n , DstIpAddr\\n , DstPortNumber\\n , DstBytes\\n , SrcBytes\\n| sort by \\n SrcIpAddr asc\\n , TimeGenerated asc\\n , DstIpAddr asc\\n , DstPortNumber asc\\n| serialize\\n| extend \\n nextTimeGenerated = next(TimeGenerated, 1)\\n , nextSrcIpAddr = next(SrcIpAddr, 1)\\n| extend \\n TimeDeltainSeconds = datetime_diff(\u0027second\u0027, nextTimeGenerated, TimeGenerated)\\n| where SrcIpAddr == nextSrcIpAddr\\n//Whitelisting criteria/ threshold criteria\\n| where TimeDeltainSeconds \u003e TimeDeltaThreshold \\n| project\\n TimeGenerated\\n , TimeDeltainSeconds\\n , SrcIpAddr\\n , SrcPortNumber\\n , DstIpAddr\\n , DstPortNumber\\n , DstBytes\\n , SrcBytes\\n| summarize\\n count()\\n , sum(DstBytes)\\n , sum(SrcBytes)\\n , make_list(TimeDeltainSeconds) \\n by TimeDeltainSeconds\\n , bin(TimeGenerated, 1h)\\n , SrcIpAddr\\n , DstIpAddr\\n , DstPortNumber\\n| summarize\\n (MostFrequentTimeDeltaCount, MostFrequentTimeDeltainSeconds) = arg_max(count_, TimeDeltainSeconds)\\n , TotalEvents=sum(count_)\\n , TotalSrcBytes = sum(sum_SrcBytes)\\n , TotalDstBytes = sum(sum_DstBytes)\\n by bin(TimeGenerated, 1h)\\n , SrcIpAddr\\n , DstIpAddr\\n , DstPortNumber\\n| where TotalEvents \u003e TotalEventsThreshold \\n| extend BeaconPercent = MostFrequentTimeDeltaCount/toreal(TotalEvents) * 100\\n| where BeaconPercent \u003e PercentBeaconThreshold\",\"customDetails\":{\"DstPortNumber\":\"DstPortNumber\",\"FrequencyCount\":\"TotalSrcBytes\",\"FrequencyTime\":\"MostFrequentTimeDeltaCount\",\"TotalDstBytes\":\"TotalDstBytes\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DstIpAddr\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Potential beaconing from {{SrcIpAddr}} to {{DstIpAddr}}\",\"alertDescriptionFormat\":\"Potential beaconing pattern from a client at address {{SrcIpAddr}} to a server at address {{DstIpAddr}} over port {{DstPortNumber}} identified. Such potential outbound beaconing pattern to untrusted public networks should be investigated for any malware callbacks or data exfiltration attempts as discussed in this [Blog](http://www.austintaylor.io/detect/beaconing/intrusion/detection/system/command/control/flare/elastic/stack/2017/06/10/detect-beaconing-with-flare-elasticsearch-and-intrusion-detection-systems/). The recurring frequency, reported as FrequencyTime in the custom details, and the total transferred volume reported as TotalDstBytes in the custom details, can help to determine the significance of this incident.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Potential beaconing activity (ASIM Network Session schema)\",\"description\":\"This rule identifies beaconing patterns from Network traffic logs based on recurrent frequency patterns. \\nSuch potential outbound beaconing patterns to untrusted public networks should be investigated for any malware callbacks or data exfiltration attempts as discussed in this [Blog](https://medium.com/@HuntOperator/detect-beaconing-with-flare-elastic-stack-and-intrusion-detection-systems-110dc74e0c56).\\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2021-12-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"AzureNSG\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoAsaAma\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]},{\"connectorId\":\"AIVectraStream\",\"dataTypes\":[\"VectraStream\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoMeraki\",\"dataTypes\":[\"Syslog\",\"CiscoMerakiNativePoller\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2fed0668-6d43-4c78-87e6-510f96f12145\",\"name\":\"2fed0668-6d43-4c78-87e6-510f96f12145\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Medium\",\"query\":\"//Finding MDO Security alerts and extracting the Entities user, Domain, Ip, and URL.\\nlet Alert_List= dynamic([\\n\\\"Phishing link click observed in Network Traffic\\\",\\n\\\"Phish delivered due to an IP allow policy\\\",\\n\\\"A potentially malicious URL click was detected\\\",\\n\\\"High Risk Sign-in Observed in Network Traffic\\\",\\n\\\"A user clicked through to a potentially malicious URL\\\",\\n\\\"Suspicious network connection to AitM phishing site\\\",\\n\\\"Messages containing malicious entity not removed after delivery\\\",\\n\\\"Email messages containing malicious URL removed after delivery\\\",\\n\\\"Email reported by user as malware or phish\\\",\\n\\\"Phish delivered due to an ETR override\\\",\\n\\\"Phish not zapped because ZAP is disabled\\\"]);\\nSecurityAlert\\n|where ProviderName in~ (\\\"Office 365 Advanced Threat Protection\\\", \\\"OATP\\\")\\n| where AlertName in~ (Alert_List)\\n//extracting Alert Entities\\n | extend Entities = parse_json(Entities)\\n| mv-apply Entity = Entities on\\n(\\nwhere Entity.Type == \u0027account\u0027\\n| extend EntityUPN = iff(isempty(Entity.UserPrincipalName), tostring(strcat(Entity.Name, \\\"@\\\", tostring (Entity.UPNSuffix))), tostring(Entity.UserPrincipalName))\\n)\\n| mv-apply Entity = Entities on\\n(\\nwhere Entity.Type == \u0027url\u0027\\n| extend EntityUrl = tostring(Entity.Url)\\n)\\n| summarize AccountUpn=tolower(tostring(take_any(EntityUPN))),Url=tostring(tolower(take_any(EntityUrl))),AlertTime= min(TimeGenerated)by SystemAlertId, ProductName\\n// filtering 3pnetwork devices\\n| join kind= inner (CommonSecurityLog\\n| where DeviceVendor has_any (\\\"Palo Alto Networks\\\", \\\"Fortinet\\\", \\\"Check Point\\\", \\\"Zscaler\\\")\\n| where DeviceAction != \\\"Block\\\"\\n| where DeviceProduct startswith \\\"FortiGate\\\" or DeviceProduct startswith \\\"PAN\\\" or DeviceProduct startswith \\\"VPN\\\" or DeviceProduct startswith \\\"FireWall\\\" or DeviceProduct startswith \\\"NSSWeblog\\\" or DeviceProduct startswith \\\"URL\\\"\\n| where isnotempty(RequestURL)\\n| where isnotempty(SourceUserName)\\n| extend SourceUserName = tolower(SourceUserName)\\n| project\\n3plogTime=TimeGenerated,\\nDeviceVendor,\\nDeviceProduct,\\nActivity,\\nDestinationHostName,\\nDestinationIP,\\nRequestURL=tostring(tolower(RequestURL)),\\nMaliciousIP,\\nName = tostring(split(SourceUserName,\\\"@\\\")[0]),\\nUPNSuffix =tostring(split(SourceUserName,\\\"@\\\")[1]),\\nSourceUserName,\\nIndicatorThreatType,\\nThreatSeverity,AdditionalExtensions,\\nThreatConfidence)on $left.Url == $right.RequestURL and $left.AccountUpn == $right.SourceUserName\\n// Applied the condition where alert trigger 1st and then the 3p Network activity execution\\n| where AlertTime between ((3plogTime - 1h) .. (3plogTime + 1h))\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SourceUserName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DestinationIP\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"DestinationHostName\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Phishing link click observed in Network Traffic\",\"description\":\"The purpose of this content is to identify successful phishing links accessed by users. Once a user clicks on a phishing link, we observe successful network activity originating from non-Microsoft network devices. These devices may include Palo Alto Networks, Fortinet, Check Point, and Zscaler devices.\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2023-05-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"OfficeATP\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog (Fortinet)\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog (CheckPoint)\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog (Zscaler)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b9d2eebc-5dcb-4888-8165-900db44443ab\",\"name\":\"b9d2eebc-5dcb-4888-8165-900db44443ab\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"High\",\"query\":\"// Enter a reference list of hostnames for your DC servers\\n//let DCServersList = dynamic ([\\\"DC01.simulandlabs.com\\\",\\\"DC02.simulandlabs.com\\\"]);\\nSecurityEvent\\n//| where Computer in (DCServersList)\\n| where EventID == 4662 and ObjectServer == \u0027DS\u0027\\n| where AccountType != \u0027Machine\u0027\\n| where Properties has \u00271131f6aa-9c07-11d1-f79f-00c04fc2dcd2\u0027 //DS-Replication-Get-Changes\\n or Properties has \u00271131f6ad-9c07-11d1-f79f-00c04fc2dcd2\u0027 //DS-Replication-Get-Changes-All\\n or Properties has \u002789e95b76-444d-4c62-991a-0facbeda640c\u0027 //DS-Replication-Get-Changes-In-Filtered-Set\\n| project TimeGenerated, Account, Activity, Properties, SubjectLogonId, Computer\\n| join kind=leftouter\\n(\\n SecurityEvent\\n //| where Computer in (DCServersList)\\n | where EventID == 4624 and LogonType == 3\\n | where AccountType != \u0027Machine\u0027\\n | project TargetLogonId, IpAddress\\n)\\non $left.SubjectLogonId == $right.TargetLogonId\\n| project-reorder TimeGenerated, Computer, Account, IpAddress\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| extend AccountName = tostring(split(Account, \\\"\\\\\\\\\\\")[0]), AccountNTDomain = tostring(split(Account, \\\"\\\\\\\\\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Non Domain Controller Active Directory Replication\",\"description\":\"This query detects potential attempts by non-computer accounts (non domain controllers) to retrieve/synchronize an active directory object leveraging directory replication services (DRS).\\nA Domain Controller (computer account) would usually be performing these actions in a domain environment. Another detection rule can be created to cover domain controllers accounts doing at rare times.\\nA domain user with privileged permissions to use directory replication services is rare.\",\"lastUpdatedDateUTC\":\"2024-02-08T00:00:00Z\",\"createdDateUTC\":\"2021-05-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/276d5190-38de-4eb2-9933-b3b72f4a5737\",\"name\":\"276d5190-38de-4eb2-9933-b3b72f4a5737\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P2D\",\"queryPeriod\":\"P2D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"// In User \u0026 Groups and in Applications, the following \\\"AccessType\\\" values in columns PremodifiedInboundSettings and ModifiedInboundSettings are interpreted accordingly\\n// When Access Type in premodified inbound settings value was 1 that means that the initial access was allowed. When Access Type in premodified inbound settings value was 2 that means that the initial access was blocked.\\n// When Access Type in modified inbound settings value is 1 that means that now access is allowed. When Access Type in modified inbound settings value is 2 that means that now access is blocked.\\nAuditLogs\\n| where OperationName has \\\"Update a partner cross-tenant access setting\\\"\\n| mv-apply TargetResource = TargetResources on\\n (\\n where TargetResource.type =~ \\\"Policy\\\"\\n | extend Properties = TargetResource.modifiedProperties\\n )\\n| mv-apply Property = Properties on\\n (\\n where Property.displayName =~ \\\"b2bDirectConnectInbound\\\"\\n | extend PremodifiedInboundSettings = trim(\u0027\\\"\u0027,tostring(Property.oldValue)),\\n ModifiedInboundSettings = trim(@\u0027\\\"\u0027,tostring(Property.newValue))\\n )\\n| where PremodifiedInboundSettings != ModifiedInboundSettings\\n| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n| extend InitiatingIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\\n| extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"InitiatingAppName\"},{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAppServicePrincipalId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatingAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatingAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIpAddress\"}]}],\"tactics\":[\"InitialAccess\",\"Persistence\",\"Discovery\"],\"displayName\":\"Cross-tenant Access Settings Organization Inbound Direct Settings Changed\",\"description\":\"Organizations are added in the Cross-tenant Access Settings to control communication inbound or outbound for users and applications. This detection notifies when Organization Inbound Direct Settings are changed for \\\"Users \u0026 Groups\\\" and for \\\"Applications\\\".\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-10-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/86a036b2-3686-42eb-b417-909fc0867771\",\"name\":\"86a036b2-3686-42eb-b417-909fc0867771\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.3\",\"severity\":\"Medium\",\"query\":\"AzureActivity\\n| where CategoryValue =~ \u0027Administrative\u0027\\n| where ResourceProviderValue =~ \u0027Microsoft.ADHybridHealthService\u0027\\n| where _ResourceId has \u0027AdFederationService\u0027\\n| where OperationNameValue =~ \u0027Microsoft.ADHybridHealthService/services/delete\u0027\\n| extend claimsJson = parse_json(Claims)\\n| extend AppId = tostring(claimsJson.appid), AccountName = tostring(claimsJson.name), Name = tostring(split(Caller,\u0027@\u0027,0)[0]), UPNSuffix = tostring(split(Caller,\u0027@\u0027,1)[0])\\n| project-away claimsJson\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Caller\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"CallerIpAddress\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Microsoft Entra ID Hybrid Health AD FS Service Delete\",\"description\":\"This detection uses AzureActivity logs (Administrative category) to identify the deletion of an Microsoft Entra ID Hybrid Health AD FS service instance in a tenant.\\nA threat actor can create a new AD Health ADFS service and create a fake server to spoof AD FS signing logs.\\nThe health AD FS service can then be deleted after it is no longer needed via HTTP requests to Azure.\\nMore information is available in this blog https://o365blog.com/post/hybridhealthagent/\",\"lastUpdatedDateUTC\":\"2024-03-04T00:00:00Z\",\"createdDateUTC\":\"2021-08-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/feb0a2fb-ae75-4343-8cbc-ed545f1da289\",\"name\":\"feb0a2fb-ae75-4343-8cbc-ed545f1da289\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"High\",\"query\":\"let VIPUsers = (IdentityInfo\\n| where AssignedRoles contains \\\"Admin\\\"\\n| summarize by tolower(AccountUPN));\\nAuditLogs\\n| where TimeGenerated \u003e ago(2h)\\n| where Category =~ \\\"UserManagement\\\"\\n| where ActivityDisplayName =~ \\\"User registered security info\\\"\\n| where LoggedByService =~ \\\"Authentication Methods\\\"\\n| extend TargetUserPrincipalName = tostring(TargetResources[0].userPrincipalName)\\n| where tolower(TargetUserPrincipalName) in (VIPUsers)\\n| extend TargetAadUserId = tostring(TargetResources[0].id)\\n| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n| extend InitiatingIPAddress = tostring(InitiatedBy.user.ipAddress)\\n| extend TargetAccountName = tostring(split(TargetUserPrincipalName, \\\"@\\\")[0]), TargetAccountUPNSuffix = tostring(split(TargetUserPrincipalName, \\\"@\\\")[1])\\n| extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"TargetAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"TargetAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"TargetAadUserId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatingAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatingAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIPAddress\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Authentication Method Changed for Privileged Account\",\"description\":\"Identifies authentication methods being changed for a privileged account. This could be an indication of an attacker adding an auth method to the account so they can have continued access.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1\",\"lastUpdatedDateUTC\":\"2024-03-14T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"IdentityInfo\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/95a15f39-d9cc-4667-8cdd-58f3113691c9\",\"name\":\"95a15f39-d9cc-4667-8cdd-58f3113691c9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.5\",\"severity\":\"Medium\",\"query\":\"let lookback = 14d;\\nlet timeframe = 1d;\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e ago(lookback) and TimeGenerated \u003c ago(timeframe)\\n| where EventID == 4688\\n| where ParentProcessName has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| join kind=rightanti (\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where ParentProcessName has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| where EventID == 4688) on NewProcessName\\n),\\n(WindowsEvent\\n| where TimeGenerated \u003e ago(lookback) and TimeGenerated \u003c ago(timeframe)\\n| where EventID == 4688 and EventData has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| where ParentProcessName has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| join kind=rightanti (\\nWindowsEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where EventID == 4688 and EventData has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| where ParentProcessName has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend IpAddress = tostring(EventData.IpAddress)) on NewProcessName\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| extend SubjectUserName = tostring(EventData.SubjectUserName), SubjectDomainName = tostring(EventData.SubjectDomainName)\\n| project-away DomainIndex\\n))\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SubjectAccount\"},{\"identifier\":\"Name\",\"columnName\":\"SubjectUserName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"SubjectDomainName\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Silk Typhoon New UM Service Child Process\",\"description\":\"This query looks for new processes being spawned by the Exchange UM service where that process has not previously been observed before. \\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2021-03-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/09c49590-4e9d-4da9-a34d-17222d0c9e7e\",\"name\":\"09c49590-4e9d-4da9-a34d-17222d0c9e7e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"AlertPerResult\"},\"version\":\"1.1.3\",\"severity\":\"Medium\",\"query\":\"let default_file_ext_blocklist = dynamic([\u0027.ps1\u0027, \u0027.vbs\u0027, \u0027.bat\u0027, \u0027.scr\u0027]); // Update this list as per your requirement\\nlet custom_file_ext_blocklist=toscalar(_GetWatchlist(\u0027RiskyFileTypes\u0027)\\n | extend Extension=column_ifexists(\\\"Extension\\\", \\\"\\\")\\n | where isnotempty(Extension)\\n | summarize make_set(Extension)); // If you have an extensive list, you can also create a Watchlist that includes the file extensions you want to detect\\nlet file_ext_blocklist = array_concat(default_file_ext_blocklist, custom_file_ext_blocklist);\\n_Im_WebSession(starttime=ago(10min), url_has_any=file_ext_blocklist, eventresult=\u0027Success\u0027)\\n| extend requestedFileName=tostring(split(tostring(parse_url(Url)[\\\"Path\\\"]), \u0027/\u0027)[-1])\\n| extend requestedFileExtension=extract(@\u0027(\\\\.\\\\w+)$\u0027, 1, requestedFileName, typeof(string))\\n| where requestedFileExtension in (file_ext_blocklist)\\n| summarize\\n EventStartTime=min(TimeGenerated),\\n EventEndTime=max(TimeGenerated),\\n EventCount=count()\\n by SrcIpAddr, SrcUsername, SrcHostname, requestedFileName, Url\\n| extend\\n Name = iif(SrcUsername contains \\\"@\\\", tostring(split(SrcUsername, \u0027@\u0027, 0)[0]), SrcUsername),\\n UPNSuffix = iif(SrcUsername contains \\\"@\\\", tostring(split(SrcUsername, \u0027@\u0027, 1)[0]), \\\"\\\")\",\"customDetails\":{\"requestedFileExt\":\"requestedFileExtension\",\"Username\":\"SrcUsername\",\"SrcHostname\":\"SrcHostname\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"requestedFileName\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SrcUsername\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Client {{SrcIpAddr}} accessed a URL with potentially harmful extension {{requestedFileExtension}}\",\"alertDescriptionFormat\":\"The client at address {{SrcIpAddr}} accessed the URL {{Url}} that has the extension {{requestedFileExtension}}. Downloading a file with this extension may be harmful and may indicate malicious activity.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"InitialAccess\"],\"displayName\":\"A client made a web request to a potentially harmful file (ASIM Web Session schema)\",\"description\":\"This rule identifies a web request to a URL that holds a file type, including .ps1, .bat, .vbs, and .scr that can be harmful if downloaded. This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema)\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2021-12-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/74ed028d-e392-40b7-baef-e69627bf89d1\",\"name\":\"74ed028d-e392-40b7-baef-e69627bf89d1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.3\",\"severity\":\"High\",\"query\":\"AzureDevOpsAuditing\\n| where OperationName =~ \\\"AuditLog.StreamDisabledByUser\\\"\\n| extend StreamType = tostring(Data.ConsumerType)\\n| project-reorder TimeGenerated, Details, ActorUPN, IpAddress, UserAgent, StreamType\\n| extend timestamp = TimeGenerated\\n| extend AccountName = tostring(split(ActorUPN, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(ActorUPN, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ActorUPN\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"NRT Azure DevOps Audit Stream Disabled\",\"description\":\"Azure DevOps allow for audit logs to be streamed to external storage solutions such as SIEM solutions. An attacker looking to hide malicious Azure DevOps activity from defenders may look to disable data streams before conducting activity and then re-enabling the stream after (so as not to raise data threshold-based alarms). Looking for disabled audit streams can identify this activity, and due to the nature of the action its unlikely to have a high false positive rate.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/18e6a87e-9d06-4a4e-8b59-3469cd49552d\",\"name\":\"18e6a87e-9d06-4a4e-8b59-3469cd49552d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"(union isfuzzy=true \\n(SecurityEvent \\n| where EventID == 4662 // You need to create a SACL on the ADFS Policy Store DKM group for this event to be created. \\n| where ObjectServer == \u0027DS\u0027\\n| where OperationType == \u0027Object Access\u0027\\n//| where ObjectName contains \u0027\u003cGUID of ADFS Policy Store DKM Group object\u0027 This is unique to the domain. Check description for more details.\\n| where ObjectType contains \u00275cb41ed0-0e4c-11d0-a286-00aa003049e2\u0027 // Contact Class\\n| where Properties contains \u00278d3bca50-1d7e-11d0-a081-00aa006c33ed\u0027 // Picture Attribute - Ldap-Display-Name: thumbnailPhoto\\n| extend AccountName = SubjectUserName, AccountDomain = SubjectDomainName\\n| extend timestamp = TimeGenerated, DeviceName = Computer\\n),\\n( WindowsEvent \\n| where EventID == 4662 // You need to create a SACL on the ADFS Policy Store DKM group for this event to be created. \\n| where EventData has_all(\u0027Object Access\u0027, \u00275cb41ed0-0e4c-11d0-a286-00aa003049e2\u0027,\u00278d3bca50-1d7e-11d0-a081-00aa006c33ed\u0027) \\n| extend ObjectServer = tostring(EventData.ObjectServer)\\n| where ObjectServer == \u0027DS\u0027\\n| extend OperationType = tostring(EventData.OperationType)\\n| where OperationType == \u0027Object Access\u0027\\n//| where ObjectName contains \u0027\u003cGUID of ADFS Policy Store DKM Group object\u0027 This is unique to the domain. Check description for more details.\\n| extend ObjectType = tostring(EventData.ObjectType)\\n| where ObjectType contains \u00275cb41ed0-0e4c-11d0-a286-00aa003049e2\u0027 // Contact Class\\n| extend Properties = tostring(EventData.Properties)\\n| where Properties contains \u00278d3bca50-1d7e-11d0-a081-00aa006c33ed\u0027 // Picture Attribute - Ldap-Display-Name: thumbnailPhoto\\n| extend AccountName = tostring(EventData.SubjectUserName), AccountDomain = tostring(EventData.SubjectDomainName)\\n| extend timestamp = TimeGenerated, DeviceName = Computer\\n),\\n(DeviceEvents\\n| where ActionType =~ \\\"LdapSearch\\\"\\n| where AdditionalFields.AttributeList contains \\\"thumbnailPhoto\\\"\\n| where AdditionalFields.DistinguishedName contains \\\"CN=ADFS,CN=Microsoft,CN=Program Data\\\" // Filter results to show only hits related to the ADFS AD container\\n| extend timestamp = TimeGenerated, AccountName = InitiatingProcessAccountName, AccountDomain = InitiatingProcessAccountDomain\\n)\\n)\\n| extend Account = strcat(AccountDomain, \\\"\\\\\\\\\\\", AccountName)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"DeviceName\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"_ResourceId\"}]}],\"tactics\":[\"Collection\"],\"displayName\":\"ADFS DKM Master Key Export\",\"description\":\"Identifies an export of the ADFS DKM Master Key from Active Directory.\\nReferences: https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/, \\nhttps://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html?1\\nTo understand further the details behind this detection, please review the details in the original PR and subequent PR update to this:\\nhttps://github.com/Azure/Azure-Sentinel/pull/1562#issue-551542469\\nhttps://github.com/Azure/Azure-Sentinel/pull/1512#issue-543053339\\n\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2020-12-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceEvents\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}}]}", "isContentBase64": false } }, - "Get-AzSentinelAlertRuleTemplate+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRuleTemplates?api-version=2021-09-01-preview+1": { + "Get-AzSentinelAlertRuleTemplate+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/alertRuleTemplates?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRuleTemplates?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/alertRuleTemplates?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "167" ], - "x-ms-client-request-id": [ "50570555-a2dc-4673-82d4-63bb14c21c38" ], + "x-ms-unique-id": [ "10" ], + "x-ms-client-request-id": [ "a3e1eb68-6d6d-44ae-84b8-d80110a7c76f" ], "CommandName": [ "Get-AzSentinelAlertRuleTemplate" ], "FullCommandName": [ "Get-AzSentinelAlertRuleTemplate_List" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], + "User-Agent": [ "AzurePowershell/v15.4.0", "PSVersion/v7.6.0", "Az.SecurityInsights/3.2.1" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { @@ -63,37 +67,41 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11990" ], - "x-ms-request-id": [ "01b797f8-b581-4872-9e02-52a84481e967" ], - "x-ms-correlation-request-id": [ "01b797f8-b581-4872-9e02-52a84481e967" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160654Z:01b797f8-b581-4872-9e02-52a84481e967" ], + "Vary": [ "Accept-Encoding" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "1099" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/15f557e5-3f31-4cc9-ba8c-be0b626bb1de" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-ratelimit-remaining-subscription-global-reads": [ "16499" ], + "x-ms-request-id": [ "48360258-5d3d-475e-9673-2dd4e1b93e4d" ], + "x-ms-correlation-request-id": [ "48360258-5d3d-475e-9673-2dd4e1b93e4d" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074409Z:48360258-5d3d-475e-9673-2dd4e1b93e4d" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:06:54 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: 9CC95A722E3941BDB55A2C792808530C Ref B: AMS231020512027 Ref C: 2026-03-25T07:44:09Z" ], + "Date": [ "Wed, 25 Mar 2026 07:44:09 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "1435342" ], + "Content-Length": [ "1889450" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"value\":[{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f71aba3d-28fb-450b-b192-4e76a83015c8\",\"name\":\"f71aba3d-28fb-450b-b192-4e76a83015c8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Fusion\",\"properties\":{\"severity\":\"High\",\"tactics\":[\"Collection\",\"CommandAndControl\",\"CredentialAccess\",\"DefenseEvasion\",\"Discovery\",\"Execution\",\"Exfiltration\",\"Impact\",\"InitialAccess\",\"LateralMovement\",\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Advanced Multistage Attack Detection\",\"description\":\"Microsoft Sentinel uses Fusion, a correlation engine based on scalable machine learning algorithms, to automatically detect multistage attacks by identifying combinations of anomalous behaviors and suspicious activities that are observed at various stages of the kill chain. On the basis of these discoveries, Azure Sentinel generates incidents that would otherwise be very difficult to catch. By design, these incidents are low-volume, high-fidelity, and high-severity, which is why this detection is turned ON by default.\\n\\nSince Fusion correlates multiple signals from various products to detect advanced multistage attacks, successful Fusion detections are presented as Fusion incidents on the Microsoft Sentinel Incidents page. This rule covers the following detections:\\n- Fusion for emerging threats\\n- Fusion for ransomware\\n- Scenario-based Fusion detections (122 scenarios)\\n\\nTo enable these detections, we recommend you configure the following data connectors for best results:\\n- Out-of-the-box anomaly detections\\n- Azure Active Directory Identity Protection\\n- Azure Defender\\n- Azure Defender for IoT\\n- Microsoft 365 Defender\\n- Microsoft Cloud App Security \\n- Microsoft Defender for Endpoint\\n- Microsoft Defender for Identity\\n- Microsoft Defender for Office 365\\n- Scheduled analytics rules, both built-in and those created by your security analysts. Analytics rules must contain kill-chain (tactics) and entity mapping information in order to be used by Fusion.\\n\\nFor the full description of each detection that is supported by Fusion, go to https://aka.ms/SentinelFusion.\",\"lastUpdatedDateUTC\":\"2021-06-09T00:00:00Z\",\"createdDateUTC\":\"2019-07-25T00:00:00Z\",\"status\":\"Installed\",\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/57c7e832-64eb-411f-8928-4133f01f4a25\",\"name\":\"57c7e832-64eb-411f-8928-4133f01f4a25\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n AzureDiagnostics\\n | where ResourceType =~ \\\"VAULTS\\\"\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | extend KeyVaultEvents_TimeGenerated = TimeGenerated, ClientIP = CallerIPAddress\\n)\\non $left.TI_ipEntity == $right.ClientIP\\n| where KeyVaultEvents_TimeGenerated \u003c ExpirationDateTime\\n| summarize KeyVaultEvents_TimeGenerated = arg_max(KeyVaultEvents_TimeGenerated, *) by IndicatorId, ClientIP\\n| project KeyVaultEvents_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, ClientIP, ResourceId, SubscriptionId, OperationName, ResultType, CorrelationId, id_s, clientInfo_s, httpStatusCode_d, identity_claim_appid_g, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\n| extend timestamp = KeyVaultEvents_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceId\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to Azure Key Vault logs\",\"description\":\"Identifies a match in Azure Key Vault logsfrom any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureKeyVault\",\"dataTypes\":[\"KeyVaultData\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f948a32f-226c-4116-bddd-d95e91d97eb9\",\"name\":\"f948a32f-226c-4116-bddd-d95e91d97eb9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let detectionTime = 1d;\\nlet joinLookback = 14d;\\nAuditLogs\\n| where TimeGenerated \u003e ago(detectionTime)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Consent to application\\\"\\n| where TargetResources has \\\"mailboxsettings\\\"\\n| extend AppDisplayName = TargetResources.[0].displayName\\n| extend AppClientId = tolower(TargetResources.[0].id)\\n| where AppClientId !in ((externaldata(knownAppClientId:string, knownAppDisplayName:string)[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.OAuth.KnownApplications.csv\\\"] with (format=\\\"csv\\\")))\\n| extend ConsentFull = TargetResources[0].modifiedProperties[4].newValue\\n| parse ConsentFull with * \\\"ConsentType: \\\" GrantConsentType \\\", Scope: \\\" GrantScope1 \\\"]\\\" *\\n| where ConsentFull contains \\\"contacts.read\\\" and ConsentFull contains \\\"user.read\\\" and ConsentFull contains \\\"mail.read\\\" and ConsentFull contains \\\"notes.read.all\\\" and ConsentFull contains \\\"mailboxsettings.readwrite\\\" and ConsentFull contains \\\"Files.ReadWrite.All\\\"\\n| where GrantConsentType != \\\"AllPrincipals\\\" // NOTE: we are ignoring if OAuth application was granted to all users via an admin - but admin due diligence should be audited occasionally\\n| extend GrantIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n| extend GrantInitiatedBy = iff(isnotempty(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend GrantUserAgent = iff(AdditionalDetails[0].key =~ \\\"User-Agent\\\", tostring(AdditionalDetails[0].value), \\\"\\\")\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, GrantIpAddress, GrantUserAgent, AppClientId, OperationName, ConsentFull, CorrelationId\\n| join kind = leftouter (AuditLogs\\n| where TimeGenerated \u003e ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add service principal\\\"\\n| extend AppClientId = tolower(TargetResources[0].id)\\n| extend AppReplyURLs = iff(TargetResources[0].modifiedProperties[1].newValue has \\\"AddressType\\\", TargetResources[0].modifiedProperties[1].newValue, \\\"\\\")\\n| distinct AppClientId, tostring(AppReplyURLs)\\n)\\non AppClientId\\n| join kind = innerunique (AuditLogs\\n| where TimeGenerated \u003e ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add OAuth2PermissionGrant\\\" or OperationName =~ \\\"Add delegated permission grant\\\"\\n| extend GrantAuthentication = tostring(TargetResources[0].displayName)\\n| extend GrantOperation = OperationName\\n| project GrantAuthentication, GrantOperation, CorrelationId\\n) on CorrelationId\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantIpAddress, GrantUserAgent, AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull\\n| extend timestamp = TimeGenerated, AccountCustomEntity = GrantInitiatedBy, IPCustomEntity = GrantIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\",\"DefenseEvasion\"],\"displayName\":\"Suspicious application consent similar to O365 Attack Toolkit\",\"description\":\"This will alert when a user consents to provide a previously-unknown Azure application with the same OAuth permissions used by the MDSec O365 Attack Toolkit (https://github.com/mdsecactivebreach/o365-attack-toolkit).\\nThe default permissions/scope for the MDSec O365 Attack toolkit are contacts.read, user.read, mail.read, notes.read.all, mailboxsettings.readwrite, and files.readwrite.all.\\nConsent to applications with these permissions should be rare, especially as the knownApplications list is expanded, especially as the knownApplications list is expanded. Public contributions to expand this filter are welcome!\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a3c144f9-8051-47d4-ac29-ffb0c312c910\",\"name\":\"a3c144f9-8051-47d4-ac29-ffb0c312c910\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"High\",\"query\":\"let SunburstMD5=dynamic([\\\"b91ce2fa41029f6955bff20079468448\\\",\\\"02af7cec58b9a5da1c542b5a32151ba1\\\",\\\"2c4a910a1299cdae2a4e55988a2f102e\\\",\\\"846e27a652a5e1bfbd0ddd38a16dc865\\\",\\\"4f2eb62fa529c0283b28d05ddd311fae\\\"]);\\nlet SupernovaMD5=\\\"56ceb6d0011d87b6e4d7023d7ef85676\\\";\\nDeviceFileEvents\\n| where MD5 in(SunburstMD5) or MD5 in(SupernovaMD5)\\n| extend\\n timestamp = TimeGenerated,\\n AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName),\\n HostCustomEntity = DeviceName,\\n AlgorithmCustomEntity = \\\"MD5\\\",\\n FileHashCustomEntity = MD5\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Execution\",\"Persistence\",\"InitialAccess\"],\"displayName\":\"SUNBURST and SUPERNOVA backdoor hashes\",\"description\":\"Identifies SolarWinds SUNBURST and SUPERNOVA backdoor file hash IOCs in DeviceFileEvents\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2020-12-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/87210ca1-49a4-4a7d-bb4a-4988752f978c\",\"name\":\"87210ca1-49a4-4a7d-bb4a-4988752f978c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"// Get details of current Azure Ranges (note this URL updates regularly so will need to be manually updated over time)\\n// You may find the name of the new JSON here: https://www.microsoft.com/download/details.aspx?id=56519\\n// On the downloads page, click the \u0027details\u0027 button, and then replace just the filename in the URL below\\nlet azure_ranges = externaldata(changeNumber: string, cloud: string, values: dynamic)\\n[\\\"https://download.microsoft.com/download/7/1/D/71D86715-5596-4529-9B13-DA13A5DE5B63/ServiceTags_Public_20220321.json\\\"]\\nwith(format=\u0027multijson\u0027)\\n| mv-expand values\\n| mv-expand values.properties.addressPrefixes\\n| mv-expand values_properties_addressPrefixes\\n| summarize by tostring(values_properties_addressPrefixes);\\nSigninLogs\\n// Limiting to Azure Portal really reduces false positives and helps focus on potential admin activity\\n| where AppDisplayName =~ \\\"Azure Portal\\\"\\n// Only get logons where the IP address is in an Azure range\\n| evaluate ipv4_lookup(azure_ranges, IPAddress, values_properties_addressPrefixes)\\n// Limit to where the user is external to the tenant\\n| where HomeTenantId != ResourceTenantId\\n// Further limit it to just access to the current tenant (you can drop this if you wanted to look elsewhere as well but it helps reduce FPs)\\n| where ResourceTenantId == AADTenantId\\n| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), make_set(ResourceDisplayName) by UserPrincipalName, IPAddress, UserAgent, Location, HomeTenantId, ResourceTenantId\\n| extend AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Azure Portal Signin from another Azure Tenant\",\"description\":\"This query looks for sign in attempts to the Azure Portal where the user who is signing in from another Azure tenant,\\n and the IP address the login attempt is from is an Azure IP. A threat actor who compromises an Azure tenant may look\\n to pivot to other tenants leveraging cross-tenant delegated access in this manner.\",\"lastUpdatedDateUTC\":\"2022-03-30T00:00:00Z\",\"createdDateUTC\":\"2021-10-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/29a29e5d-354e-4f5e-8321-8b39d25047bf\",\"name\":\"29a29e5d-354e-4f5e-8321-8b39d25047bf\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"High\",\"query\":\"let files1 = dynamic([\\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\lsa.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\pa.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\pc.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\Rar.exe\\\"]);\\nlet files2 = dynamic([\\\"svchost.exe\\\",\\\"wdmsvc.exe\\\"]);\\nlet FileHash1 = dynamic([\\\"43109fbe8b752f7a9076eaafa417d9ae5c6e827cd5374b866672263fdebd5ec3\\\", \\\"ab50d8d707b97712178a92bbac74ccc2a5699eb41c17aa77f713ff3e568dcedb\\\", \\\"010e32be0f86545e116a8bc3381a8428933eb8789f32c261c81fd5e7857d4a77\\\", \\\"56cd102b9fc7f3523dad01d632525ff673259dbc9a091be0feff333c931574f7\\\"]);\\nlet FileHash2 = dynamic([\\\"2a1044e9e6e87a032f80c6d9ea6ae61bbbb053c0a21b186ecb3b812b49eb03b7\\\", \\\"9ab7e99ed84f94a7b6409b87e56dc6e1143b05034a5e4455e8c555dbbcd0d2dd\\\", \\\"18a072ccfab239e140d8f682e2874e8ff19d94311fc8bb9564043d3e0deda54b\\\"]);\\nimFileEvent\\n| where ((FilePath has_any (files1)) and (ActingProcessSHA256 has_any (FileHash1))) or ((FilePath has_any (files2)) and (ActingProcessSHA256 has_any (FileHash2)))\\n// Increase risk score if recent alerts for the host\\n| join kind=leftouter (SecurityAlert\\n| where ProviderName =~ \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| mv-expand todynamic(Entities)\\n| extend DvcId = tostring(parse_json(Entities).MdatpDeviceId)\\n| where isnotempty(DvcId)\\n// Higher risk score are for Defender alerts related to threat actor\\n| extend AlertRiskScore = iif(ThreatName has_any (\\\"Backdoor:MSIL/ShellClient.A\\\", \\\"Backdoor:MSIL/ShellClient.A!dll\\\", \\\"Trojan:MSIL/Mimikatz.BA!MTB\\\"), 1.0, 0.5)\\n| project DvcId, AlertRiskScore) on DvcId\\n| extend AlertRiskScore = iif(isempty(AlertRiskScore), 0.0, AlertRiskScore)\\n| extend timestamp = TimeGenerated, HostCustomEntity = Dvc, AccountCustomEntity = ActorUsername\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"FileName\"}]}],\"tactics\":[\"CredentialAccess\",\"Execution\"],\"displayName\":\"Dev-0228 File Path Hashes November 2021 (ASIM Version)\",\"description\":\"This hunting query looks for file paths/hashes related to observed activity by Dev-0228. The actor is known to use custom version of popular tool like PsExec, Procdump etc. to carry its activity.\\n The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first.\\n This query uses the Microsoft Sentinel Information Model - https://docs.microsoft.com/azure/sentinel/normalization\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2021-11-18T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0dd2a343-4bf9-4c93-a547-adf3658ddaec\",\"name\":\"0dd2a343-4bf9-4c93-a547-adf3658ddaec\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"let known_processes = (\\n imProcess\\n // Change these values if adjusting Query Frequency or Query Period\\n | where TimeGenerated between(ago(14d)..ago(1d))\\n | where Process has_any (\\\"Policies\\\\\\\\{6AC1786C-016F-11D2-945F-00C04fB984F9}\\\", \\\"Policies\\\\\\\\{31B2F340-016D-11D2-945F-00C04FB984F9}\\\")\\n | summarize by Process);\\n imProcess\\n // Change these values if adjusting Query Frequency or Query Period\\n | where TimeGenerated \u003e ago(1d)\\n | where Process has_any (\\\"Policies\\\\\\\\{6AC1786C-016F-11D2-945F-00C04fB984F9}\\\", \\\"Policies\\\\\\\\{31B2F340-016D-11D2-945F-00C04FB984F9}\\\")\\n | where Process !in (known_processes)\\n | summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated) by Process, CommandLine, DvcHostname\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"DvcHostname\"}]}],\"tactics\":[\"Execution\",\"LateralMovement\"],\"displayName\":\"New EXE deployed via Default Domain or Default Domain Controller Policies (ASIM Version)\",\"description\":\"This detection highlights executables deployed to hosts via either the Default Domain or Default Domain Controller Policies. These policies apply to all hosts or Domain Controllers and best practice is that these policies should not be used for deployment of files.\\n A threat actor may use these policies to deploy files or scripts to all hosts in a domain.\\n This query uses the ASIM parsers and will need them deployed before usage - https://docs.microsoft.com/azure/sentinel/normalization\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-02-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/871ba14c-88ef-48aa-ad38-810f26760ca3\",\"name\":\"871ba14c-88ef-48aa-ad38-810f26760ca3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let queryfrequency = 1d;\\nlet queryperiod = 7d;\\nOfficeActivity\\n| where TimeGenerated \u003e ago(queryperiod)\\n| where OfficeWorkload =~ \\\"Exchange\\\"\\n//| where Operation in (\\\"Set-Mailbox\\\", \\\"New-InboxRule\\\", \\\"Set-InboxRule\\\")\\n| where Parameters has_any (\\\"ForwardTo\\\", \\\"RedirectTo\\\", \\\"ForwardingSmtpAddress\\\")\\n| mv-apply DynamicParameters = todynamic(Parameters) on (summarize ParsedParameters = make_bag(pack(tostring(DynamicParameters.Name), DynamicParameters.Value)))\\n| evaluate bag_unpack(ParsedParameters, columnsConflict=\u0027replace_source\u0027)\\n| extend DestinationMailAddress = tolower(case(\\n isnotempty(column_ifexists(\\\"ForwardTo\\\", \\\"\\\")), column_ifexists(\\\"ForwardTo\\\", \\\"\\\"),\\n isnotempty(column_ifexists(\\\"RedirectTo\\\", \\\"\\\")), column_ifexists(\\\"RedirectTo\\\", \\\"\\\"),\\n isnotempty(column_ifexists(\\\"ForwardingSmtpAddress\\\", \\\"\\\")), trim_start(@\\\"smtp:\\\", column_ifexists(\\\"ForwardingSmtpAddress\\\", \\\"\\\")),\\n \\\"\\\"))\\n| where isnotempty(DestinationMailAddress)\\n| mv-expand split(DestinationMailAddress, \\\";\\\")\\n| extend ClientIPValues = extract_all(@\u0027\\\\[?(::ffff:)?(?P\u003cIPAddress\u003e(\\\\d+\\\\.\\\\d+\\\\.\\\\d+\\\\.\\\\d+)|[^\\\\]]+)\\\\]?([-:](?P\u003cPort\u003e\\\\d+))?\u0027, dynamic([\\\"IPAddress\\\", \\\"Port\\\"]), ClientIP)[0]\\n| extend ClientIP = tostring(ClientIPValues[0]), Port = tostring(ClientIPValues[1])\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), DistinctUserCount = dcount(UserId), UserId = make_set(UserId, 250), Ports = make_set(Port, 250), EventCount = count() by tostring(DestinationMailAddress), ClientIP\\n| where DistinctUserCount \u003e 1 and EndTime \u003e ago(queryfrequency)\\n| mv-expand UserId to typeof(string)\\n| extend timestamp = StartTime, AccountCustomEntity = UserId, IPCustomEntity = ClientIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Collection\",\"Exfiltration\"],\"displayName\":\"Multiple users email forwarded to same destination\",\"description\":\"Identifies when multiple (more than one) users mailboxes are configured to forward to the same destination. \\nThis could be an attacker-controlled destination mailbox configured to collect mail from multiple compromised user accounts.\",\"lastUpdatedDateUTC\":\"2022-06-24T00:00:00Z\",\"createdDateUTC\":\"2019-08-23T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a6c435a2-b1a0-466d-b730-9f8af69262e8\",\"name\":\"a6c435a2-b1a0-466d-b730-9f8af69262e8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT20M\",\"queryPeriod\":\"PT20M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.0\",\"severity\":\"Medium\",\"query\":\"let failureCountThreshold = 10;\\nlet successCountThreshold = 1;\\n// let authenticationWindow = 20m; // Implicit in the analytic rule query period \\nimAuthentication\\n| summarize \\n StartTime = min(TimeGenerated), \\n EndTime = max(TimeGenerated), \\n IpAddresses = make_set (SrcDvcIpAddr, 100),\\n ReportedBy = make_set (strcat (EventVendor, \\\"/\\\", EventProduct), 100),\\n FailureCount = countif(EventResult==\u0027Failure\u0027),\\n SuccessCount = countif(EventResult==\u0027Success\u0027)\\n by \\n TargetUserId, TargetUsername, TargetUserType \\n| where FailureCount \u003e= failureCountThreshold and SuccessCount \u003e= successCountThreshold\\n| extend\\n IpAddresses = strcat_array(IpAddresses, \\\", \\\"), \\n ReportedBy = strcat_array(ReportedBy, \\\", \\\")\",\"customDetails\":{\"IpAddresses\":\"IpAddresses\",\"ReportedBy\":\"ReportedBy\"},\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUsername\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Brute force attack against user credentials (Uses Authentication Normalization)\",\"description\":\"Identifies evidence of brute force activity against a user based on multiple authentication failures \\nand at least one successful authentication within a given time window. Note that the query does not enforce any sequence,\\nand does not require the successful authentication to occur last.\\nThe default failure threshold is 10, success threshold is 1, and the default time window is 20 minutes.\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimAuthentication)\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2021-06-14T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bb8a3481-dd14-4e76-8dcc-bbec8776d695\",\"name\":\"bb8a3481-dd14-4e76-8dcc-bbec8776d695\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.1\",\"severity\":\"Medium\",\"query\":\"let DomainNames = dynamic([\u0027onetechcompany.com\u0027, \u0027reyweb.com\u0027, \u0027srfnetwork.org\u0027, \u0027sense4baby.fr\u0027, \u0027nikeoutletinc.org\u0027, \u0027megatoolkit.com\u0027]);\\nlet IPList = dynamic([\u0027185.225.69.69\u0027]);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or DestinationHostName in~ (DomainNames) or RequestURL has_any (DomainNames) or Message has_any (IPList)\\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", RequestURL in (DomainNames), \\\"RequestUrl\\\", \\\"NoMatch\\\") \\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, \\\"NoMatch\\\"), AccountCustomEntity = SourceUserID\\n),\\n(_Im_Dns (domain_has_any=DomainNames)\\n| extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n),\\n(_Im_Dns (response_has_any_prefix=IPList)\\n| extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n),\\n(_Im_WebSession(url_has_any=DomainNames)\\n| extend DestinationIPAddress = DstIpAddr, DNSName = tostring(parse_url(Url)[\\\"Host\\\"]), Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n),\\n(VMConnection\\n| where SourceIp in (IPList) or DestinationIp in (IPList) or RemoteDnsCanonicalNames has_any (DomainNames)\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"NoMatch\\\"), HostCustomEntity = Computer\\n),\\n(OfficeActivity\\n| where ClientIP in (IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = UserId\\n),\\n(DeviceNetworkEvents\\n| where RemoteUrl has_any (DomainNames) or RemoteIP in (IPList)\\n| extend timestamp = TimeGenerated, DNSName = RemoteUrl, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"DNSName\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"NOBELIUM - Domain and IP IOCs - March 2021\",\"description\":\"Identifies a match across various data feeds for domains and IP IOCs related to NOBELIUM.\\n References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2021-03-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f7f4a77e-f68f-4b56-9aaf-a0c9d87d7a8e\",\"name\":\"f7f4a77e-f68f-4b56-9aaf-a0c9d87d7a8e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Low\",\"query\":\"// Replace these with the username or emails of your VIP users you wish to monitor for.\\nlet vips = dynamic([\u0027vip1@email.com\u0027,\u0027vip2@email.com\u0027]);\\n// Add users who are allowed to conduct these searches - this could be specific SOC team members\\nlet allowed_users = dynamic([]);\\nLAQueryLogs\\n| where QueryText has_any (vips) or QueryText has_any (\u0027_GetWatchlist(\\\"VIPUsers\\\")\u0027, \\\"_GetWatchlist(\u0027VIPUsers\u0027)\\\")\\n| where AADEmail !in (allowed_users)\\n| project TimeGenerated, AADEmail, RequestClientApp, QueryText, ResponseRowCount, RequestTarget\\n| extend timestamp = TimeGenerated, AccountCustomEntity = AADEmail\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"RequestTarget\"}]}],\"tactics\":[\"Collection\",\"Exfiltration\"],\"displayName\":\"Users searching for VIP user activity\",\"description\":\"This query monitors for users running Log Analytics queries that contain filters\\nfor specific, defined VIP user accounts or the VIPUser watchlist template.\\nUse this detection to alert for users specifically searching for activity of sensitive users.\",\"lastUpdatedDateUTC\":\"2021-11-11T00:00:00Z\",\"createdDateUTC\":\"2020-09-16T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/62085097-d113-459f-9ea7-30216f2ee6af\",\"name\":\"62085097-d113-459f-9ea7-30216f2ee6af\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P3D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let starttime = 3d;\\nlet SecEvents = materialize ( SecurityEvent | where TimeGenerated \u003e= ago(starttime)\\n| where EventID in (4722,4723) | where TargetUserName !endswith \\\"$\\\"\\n| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetSid, SubjectAccount, SubjectUserSid);\\nlet userEnable = SecEvents\\n| extend EventID4722Time = TimeGenerated\\n// 4722: User Account Enabled\\n| where EventID == 4722\\n| project Time_Event4722 = TimeGenerated, TargetAccount, TargetSid, SubjectAccount_Event4722 = SubjectAccount, SubjectUserSid_Event4722 = SubjectUserSid, Activity_4722 = Activity, Computer_4722 = Computer;\\nlet userPwdSet = SecEvents\\n// 4723: Attempt made by user to set password\\n| where EventID == 4723\\n| project Time_Event4723 = TimeGenerated, TargetAccount, TargetSid, SubjectAccount_Event4723 = SubjectAccount, SubjectUserSid_Event4723 = SubjectUserSid, Activity_4723 = Activity, Computer_4723 = Computer;\\nuserEnable | join kind=leftouter userPwdSet on TargetAccount, TargetSid\\n| extend PasswordSetAttemptDelta_Min = datetime_diff(\u0027minute\u0027, Time_Event4723, Time_Event4722)\\n| where PasswordSetAttemptDelta_Min \u003e 2880 or isempty(PasswordSetAttemptDelta_Min)\\n| project-away TargetAccount1, TargetSid1\\n| extend Reason = @\\\"User either has not yet attempted to set the initial password after account was enabled or it occurred after 48 hours\\\"\\n| order by Time_Event4722 asc \\n| extend timestamp = Time_Event4722, AccountCustomEntity = TargetAccount, HostCustomEntity = Computer_4722\\n| project-reorder Time_Event4722, Time_Event4723, PasswordSetAttemptDelta_Min, TargetAccount, TargetSid\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"Sid\",\"columnName\":\"TargetSid\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"AD user enabled and password not set within 48 hours\",\"description\":\"Identifies when an account is enabled with a default password and the password is not set by the user within 48 hours.\\nEffectively, there is an event 4722 indicating an account was enabled and within 48 hours, no event 4723 occurs which \\nindicates there was no attempt by the user to set the password. This will show any attempts (success or fail) that occur \\nafter 48 hours, which can indicate too long of a time period in setting the password to something that only the user knows.\\nIt is recommended that this time period is adjusted per your internal company policy.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-01-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f9949656-473f-4503-bf43-a9d9890f7d08\",\"name\":\"f9949656-473f-4503-bf43-a9d9890f7d08\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.3\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n//Exclude local addresses, using the ipv4_is_private operator\\n| where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \\\"fe80\\\" and TI_ipEntity !startswith \\\"::\\\" and TI_ipEntity !startswith \\\"127.\\\"\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n AppServiceHTTPLogs | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(CIp)\\n | extend WebApp = split(_ResourceId, \u0027/\u0027)[8]\\n // renaming time column so it is clear the log this came from\\n | extend AppService_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.CIp\\n| where AppService_TimeGenerated \u003c ExpirationDateTime\\n| summarize AppService_TimeGenerated = arg_max(AppService_TimeGenerated, *) by IndicatorId, CIp\\n| project AppService_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, CsUsername, \\nWebApp = split(_ResourceId, \u0027/\u0027)[8], CIp, CsHost, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, _ResourceId\\n| extend timestamp = AppService_TimeGenerated, AccountCustomEntity = CsUsername, IPCustomEntity = CIp, URLCustomEntity = Url, HostCustomEntity = CsHost\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"_ResourceId\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to AppServiceHTTPLogs\",\"description\":\"Identifies a match in AppServiceHTTPLogs from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2022-04-26T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f8b3c49c-4087-499b-920f-0dcfaff0cbca\",\"name\":\"f8b3c49c-4087-499b-920f-0dcfaff0cbca\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"imProcessCreate\\n | where CommandLine contains \\\"TVqQAAMAAAAEAAA\\\"\\n | where isnotempty(Process)\\n | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by Dvc, ActorUsername, Process, CommandLine, ActingProcessName, EventVendor, EventProduct\\n | extend timestamp = StartTimeUtc, AccountCustomEntity = ActorUsername, HostCustomEntity = Dvc\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Execution\",\"DefenseEvasion\"],\"displayName\":\"Base64 encoded Windows process command-lines (Normalized Process Events)\",\"description\":\"Identifies instances of a base64 encoded PE file header seen in the process command line parameter.\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimProcessEvent)\",\"lastUpdatedDateUTC\":\"2022-02-14T00:00:00Z\",\"createdDateUTC\":\"2018-09-13T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c3e5dbaa-a540-408c-8b36-68bdfb3df088\",\"name\":\"c3e5dbaa-a540-408c-8b36-68bdfb3df088\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n | where EventID==4688\\n | where isnotempty(CommandLine)\\n | where CommandLine contains \\\"TVqQAAMAAAAEAAA\\\"\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"Execution\",\"DefenseEvasion\"],\"displayName\":\"NRT Base64 encoded Windows process command-lines\",\"description\":\"Identifies instances of a base64 encoded PE file header seen in the process command line parameter.\",\"lastUpdatedDateUTC\":\"2022-02-07T00:00:00Z\",\"createdDateUTC\":\"2022-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0433c8a3-9aa6-4577-beef-2ea23be41137\",\"name\":\"0433c8a3-9aa6-4577-beef-2ea23be41137\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P2D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let admin_users = (IdentityInfo\\n | where TimeGenerated \u003e ago(2d)\\n | summarize arg_max(TimeGenerated, *) by AccountUPN\\n | where AssignedRoles contains \\\"admin\\\"\\n | summarize by tolower(AccountUPN));\\n AuditLogs\\n | where Category =~ \\\"RoleManagement\\\"\\n | where OperationName has \\\"Add eligible member\\\"\\n | extend userPrincipalName = tostring(TargetResources[0].userPrincipalName)\\n | where tolower(userPrincipalName) in (admin_users)\\n | extend Group = tostring(TargetResources[0].displayName)\\n | extend AddedTo = iif(isnotempty(userPrincipalName), userPrincipalName, Group)\\n | extend mod_props = TargetResources[0].modifiedProperties\\n | extend appName = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n | extend UPN = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend AddedBy = iif(isnotempty(appName), appName, UPN)\\n | mv-expand mod_props\\n | where mod_props.displayName == \\\"Role.DisplayName\\\"\\n | extend RoleAdded = tostring(parse_json(tostring(mod_props.newValue)))\\n | project-reorder TimeGenerated, OperationName, AddedTo, RoleAdded, AddedBy\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"userPrincipalName\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddedBy\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Privileged Account Permissions Changed\",\"description\":\"Detects changes to permissions assigned to admin users. Threat actors may try and increase permission scope by adding additional roles to already privileged accounts.\\nReview any modifications to ensure they were made legitimately.\\nRef: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts\",\"lastUpdatedDateUTC\":\"2022-07-09T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"BehaviorAnalytics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/79566f41-df67-4e10-a703-c38a6213afd8\",\"name\":\"79566f41-df67-4e10-a703-c38a6213afd8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n| where OperationName has_any (\\\"Add service principal\\\", \\\"Certificates and secrets management\\\") // captures \\\"Add service principal\\\", \\\"Add service principal credentials\\\", and \\\"Update application - Certificates and secrets management\\\" events\\n| where Result =~ \\\"success\\\"\\n| mv-expand target = TargetResources\\n| where tostring(InitiatedBy.user.userPrincipalName) has \\\"@\\\" or tostring(InitiatedBy.app.displayName) has \\\"@\\\"\\n| extend targetDisplayName = tostring(TargetResources[0].displayName)\\n| extend targetId = tostring(TargetResources[0].id)\\n| extend targetType = tostring(TargetResources[0].type)\\n| extend keyEvents = TargetResources[0].modifiedProperties\\n| mv-expand keyEvents\\n| where keyEvents.displayName =~ \\\"KeyDescription\\\"\\n| extend new_value_set = parse_json(tostring(keyEvents.newValue))\\n| extend old_value_set = parse_json(tostring(keyEvents.oldValue))\\n| where old_value_set != \\\"[]\\\"\\n| extend diff = set_difference(new_value_set, old_value_set)\\n| where isnotempty(diff)\\n| parse diff with * \\\"KeyIdentifier=\\\" keyIdentifier:string \\\",KeyType=\\\" keyType:string \\\",KeyUsage=\\\" keyUsage:string \\\",DisplayName=\\\" keyDisplayName:string \\\"]\\\" *\\n| where keyUsage == \\\"Verify\\\" or keyUsage == \\\"\\\"\\n| extend UserAgent = iff(AdditionalDetails[0].key == \\\"User-Agent\\\",tostring(AdditionalDetails[0].value),\\\"\\\")\\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n// The below line is currently commented out but Microsoft Sentinel users can modify this query to show only Application or only Service Principal events in their environment\\n//| where targetType =~ \\\"Application\\\" // or targetType =~ \\\"ServicePrincipal\\\"\\n| project-away diff, new_value_set, old_value_set\\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, InitiatingIpAddress, UserAgent, targetDisplayName, targetId, targetType, keyDisplayName, keyType, keyUsage, keyIdentifier, CorrelationId, TenantId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingUserOrApp, IPCustomEntity = InitiatingIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"New access credential added to Application or Service Principal\",\"description\":\"This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where a verify KeyCredential was already present for the app.\\nIf a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2022-01-17T00:00:00Z\",\"createdDateUTC\":\"2020-11-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/66276b14-32c5-4226-88e3-080dacc31ce1\",\"name\":\"66276b14-32c5-4226-88e3-080dacc31ce1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\nlet AccountAllowList = dynamic([\u0027SYSTEM\u0027]);\\nlet SubCategoryList = dynamic([\\\"Logoff\\\", \\\"Account Lockout\\\", \\\"User Account Management\\\", \\\"Authorization Policy Change\\\"]); // Add any Category in the list to be allowed or disallowed\\nlet tokens = dynamic([\\\"clear\\\", \\\"remove\\\", \\\"success:disable\\\",\\\"failure:disable\\\"]); \\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(timeframe)\\n//| where Process =~ \\\"auditpol.exe\\\" \\n| where CommandLine has_any (tokens)\\n| where AccountType !~ \\\"Machine\\\" and Account !in~ (AccountAllowList)\\n| parse CommandLine with * \\\"/subcategory:\\\" subcategorytoken\\n| extend SubCategory = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[1]) , Toggle = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[2])\\n| where SubCategory in~ (SubCategoryList) //use in~ for inclusion or !in~ for exclusion\\n| where Toggle !in~ (\\\"/failure:disable\\\", \\\" /success:enable /failure:disable\\\") // use this filter if required to exclude certain toggles\\n| project TimeGenerated, Computer, Account, SubjectDomainName, SubjectUserName, Process, ParentProcessName, CommandLine, SubCategory, Toggle\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(\\nDeviceProcessEvents\\n| where TimeGenerated \u003e= ago(timeframe)\\n// | where InitiatingProcessFileName =~ \\\"auditpol.exe\\\" \\n| where InitiatingProcessCommandLine has_any (tokens)\\n| where AccountName !in~ (AccountAllowList)\\n| parse InitiatingProcessCommandLine with * \\\"/subcategory:\\\" subcategorytoken\\n| extend SubCategory = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[1]) , Toggle = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[2])\\n| where SubCategory in~ (SubCategoryList) //use in~ for inclusion or !in~ for exclusion\\n| where Toggle !in~ (\\\"/failure:disable\\\", \\\" /success:enable /failure:disable\\\") // use this filter if required to exclude certain toggles\\n| project TimeGenerated, DeviceName, AccountName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessParentFileName, InitiatingProcessCommandLine, SubCategory, Toggle\\n| extend timestamp = TimeGenerated, AccountCustomEntity = AccountName, HostCustomEntity = DeviceName\\n),\\n(\\nEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key=tostring([\u0027@Name\u0027]), Value=[\u0027#text\u0027]\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n// | where OriginalFileName =~ \\\"auditpol.exe\\\"\\n| where CommandLine has_any (tokens)\\n| where User !in~ (AccountAllowList)\\n| parse CommandLine with * \\\"/subcategory:\\\" subcategorytoken\\n| extend SubCategory = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[1]) , Toggle = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[2])\\n| where SubCategory in~ (SubCategoryList) //use in~ for inclusion or !in~ for exclusion\\n| where Toggle !in~ (\\\"/failure:disable\\\", \\\" /success:enable /failure:disable\\\") // use this filter if required to exclude certain toggles\\n| project TimeGenerated, Computer, User, Process, ParentImage, CommandLine, SubCategory, Toggle\\n| extend timestamp = TimeGenerated, AccountCustomEntity = User, HostCustomEntity = Computer\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"Audit policy manipulation using auditpol utility\",\"description\":\"This detects attempt to manipulate audit policies using auditpol command.\\nThis technique was seen in relation to Solorigate attack but the results can indicate potential malicious activity used in different attacks.\\nThe process name in each data source is commented out as an adversary could rename it. It is advisable to keep process name commented but \\nif the results show unrelated false positives, users may want to uncomment it.\\nRefer to auditpol syntax: https://docs.microsoft.com/windows-server/administration/windows-commands/auditpol \\nRefer to our M365 blog for details on use during the Solorigate attack:\\nhttps://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/18e6a87e-9d06-4a4e-8b59-3469cd49552d\",\"name\":\"18e6a87e-9d06-4a4e-8b59-3469cd49552d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"(union isfuzzy=true \\n(SecurityEvent \\n| where EventID == 4662 // You need to create a SACL on the ADFS Policy Store DKM group for this event to be created. \\n| where ObjectServer == \u0027DS\u0027\\n| where OperationType == \u0027Object Access\u0027\\n//| where ObjectName contains \u0027\u003cGUID of ADFS Policy Store DKM Group object\u0027 This is unique to the domain. Check description for more details.\\n| where ObjectType contains \u00275cb41ed0-0e4c-11d0-a286-00aa003049e2\u0027 // Contact Class\\n| where Properties contains \u00278d3bca50-1d7e-11d0-a081-00aa006c33ed\u0027 // Picture Attribute - Ldap-Display-Name: thumbnailPhoto\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = SubjectAccount\\n),\\n( WindowsEvent \\n| where EventID == 4662 // You need to create a SACL on the ADFS Policy Store DKM group for this event to be created. \\n| where EventData has_all(\u0027Object Access\u0027, \u00275cb41ed0-0e4c-11d0-a286-00aa003049e2\u0027,\u00278d3bca50-1d7e-11d0-a081-00aa006c33ed\u0027) \\n| extend ObjectServer = tostring(EventData.ObjectServer)\\n| where ObjectServer == \u0027DS\u0027\\n| extend OperationType = tostring(EventData.OperationType)\\n| where OperationType == \u0027Object Access\u0027\\n//| where ObjectName contains \u0027\u003cGUID of ADFS Policy Store DKM Group object\u0027 This is unique to the domain. Check description for more details.\\n| extend ObjectType = tostring(EventData.ObjectType)\\n| where ObjectType contains \u00275cb41ed0-0e4c-11d0-a286-00aa003049e2\u0027 // Contact Class\\n| extend Properties = tostring(EventData.Properties)\\n| where Properties contains \u00278d3bca50-1d7e-11d0-a081-00aa006c33ed\u0027 // Picture Attribute - Ldap-Display-Name: thumbnailPhoto\\n| extend SubjectAccount = strcat(tostring(EventData.SubjectDomainName), \\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend \\n timestamp = TimeGenerated,\\n HostCustomEntity = Computer,\\n AccountCustomEntity = SubjectAccount\\n),\\n(DeviceEvents\\n| where ActionType =~ \\\"LdapSearch\\\"\\n| where AdditionalFields.AttributeList contains \\\"thumbnailPhoto\\\"\\n| where AdditionalFields.DistinguishedName contains \\\"CN=ADFS,CN=Microsoft,CN=Program Data\\\" // Filter results to show only hits related to the ADFS AD container\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName, AccountCustomEntity = InitiatingProcessAccountName\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Collection\"],\"displayName\":\"ADFS DKM Master Key Export\",\"description\":\"Identifies an export of the ADFS DKM Master Key from Active Directory.\\nReferences: https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/, \\nhttps://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html?1\\nTo understand further the details behind this detection, please review the details in the original PR and subequent PR update to this:\\nhttps://github.com/Azure/Azure-Sentinel/pull/1562#issue-551542469\\nhttps://github.com/Azure/Azure-Sentinel/pull/1512#issue-543053339\\n\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2020-12-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceEvents\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2391ce61-8c8d-41ac-9723-d945b2e90720\",\"name\":\"2391ce61-8c8d-41ac-9723-d945b2e90720\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P8D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"Low\",\"query\":\"let starttime = 8d;\\nlet endtime = 1d;\\nlet threshold = 0.333;\\nlet countlimit = 50;\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4625 and AccountType =~ \\\"User\\\"\\n| where IpAddress !in (\\\"127.0.0.1\\\", \\\"::1\\\")\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), CountToday = count() by EventID, Account, LogonTypeName, SubStatus, AccountType, Computer, WorkstationName, IpAddress, Process\\n| join kind=leftouter (\\n SecurityEvent \\n | where TimeGenerated between (ago(starttime) .. ago(endtime))\\n | where EventID == 4625 and AccountType =~ \\\"User\\\"\\n | where IpAddress !in (\\\"127.0.0.1\\\", \\\"::1\\\")\\n | summarize CountPrev7day = count() by EventID, Account, LogonTypeName, SubStatus, AccountType, Computer, WorkstationName, IpAddress\\n) on EventID, Account, LogonTypeName, SubStatus, AccountType, Computer, WorkstationName, IpAddress\\n| where CountToday \u003e= coalesce(CountPrev7day,0)*threshold and CountToday \u003e= countlimit\\n//SubStatus Codes are detailed here - https://docs.microsoft.com/windows/security/threat-protection/auditing/event-4625\\n| extend Reason = case(\\nSubStatus =~ \u00270xC000005E\u0027, \u0027There are currently no logon servers available to service the logon request.\u0027,\\nSubStatus =~ \u00270xC0000064\u0027, \u0027User logon with misspelled or bad user account\u0027,\\nSubStatus =~ \u00270xC000006A\u0027, \u0027User logon with misspelled or bad password\u0027, \\nSubStatus =~ \u00270xC000006D\u0027, \u0027Bad user name or password\u0027,\\nSubStatus =~ \u00270xC000006E\u0027, \u0027Unknown user name or bad password\u0027,\\nSubStatus =~ \u00270xC000006F\u0027, \u0027User logon outside authorized hours\u0027,\\nSubStatus =~ \u00270xC0000070\u0027, \u0027User logon from unauthorized workstation\u0027,\\nSubStatus =~ \u00270xC0000071\u0027, \u0027User logon with expired password\u0027,\\nSubStatus =~ \u00270xC0000072\u0027, \u0027User logon to account disabled by administrator\u0027,\\nSubStatus =~ \u00270xC00000DC\u0027, \u0027Indicates the Sam Server was in the wrong state to perform the desired operation\u0027, \\nSubStatus =~ \u00270xC0000133\u0027, \u0027Clocks between DC and other computer too far out of sync\u0027,\\nSubStatus =~ \u00270xC000015B\u0027, \u0027The user has not been granted the requested logon type (aka logon right) at this machine\u0027,\\nSubStatus =~ \u00270xC000018C\u0027, \u0027The logon request failed because the trust relationship between the primary domain and the trusted domain failed\u0027,\\nSubStatus =~ \u00270xC0000192\u0027, \u0027An attempt was made to logon, but the Netlogon service was not started\u0027,\\nSubStatus =~ \u00270xC0000193\u0027, \u0027User logon with expired account\u0027,\\nSubStatus =~ \u00270xC0000224\u0027, \u0027User is required to change password at next logon\u0027,\\nSubStatus =~ \u00270xC0000225\u0027, \u0027Evidently a bug in Windows and not a risk\u0027,\\nSubStatus =~ \u00270xC0000234\u0027, \u0027User logon with account locked\u0027,\\nSubStatus =~ \u00270xC00002EE\u0027, \u0027Failure Reason: An Error occurred during Logon\u0027,\\nSubStatus =~ \u00270xC0000413\u0027, \u0027Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine\u0027,\\nstrcat(\u0027Unknown reason substatus: \u0027, SubStatus))\\n| extend WorkstationName = iff(WorkstationName == \\\"-\\\" or isempty(WorkstationName), Computer , WorkstationName) \\n| project StartTime, EndTime, EventID, Account, LogonTypeName, SubStatus, Reason, AccountType, Computer, WorkstationName, IpAddress, CountToday, CountPrev7day, Avg7Day = round(CountPrev7day*1.00/7,2), Process\\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), Computer = make_set(Computer,128), IpAddressList = make_set(IpAddress,128), sum(CountToday), sum(CountPrev7day), avg(Avg7Day) \\nby EventID, Account, LogonTypeName, SubStatus, Reason, AccountType, WorkstationName, Process\\n| order by sum_CountToday desc nulls last \\n| extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity = WorkstationName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"Process\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Excessive Windows logon failures\",\"description\":\"User has over 50 Windows logon failures today and at least 33% of the count of logon failures over the previous 7 days.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/56f3f35c-3aca-4437-a1fb-b7a84dc4af00\",\"name\":\"56f3f35c-3aca-4437-a1fb-b7a84dc4af00\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n | where EventID == 4657\\n | parse ObjectName with \\\"\\\\\\\\REGISTRY\\\\\\\\\\\" KeyPrefix \\\"\\\\\\\\\\\" RegistryKey\\n | project-reorder RegistryKey\\n | where RegistryKey has \\\"Software\\\\\\\\Classes\\\\\\\\ms-settings\\\\\\\\shell\\\\\\\\open\\\\\\\\command\\\"\\n | extend TimeKey = bin(TimeGenerated, 1h)\\n | join (\\n SecurityEvent\\n | where EventID == 4688\\n | where Process =~ \\\"fodhelper.exe\\\"\\n | where ParentProcessName endswith \\\"cmd.exe\\\" or ParentProcessName endswith \\\"powershell.exe\\\" or ParentProcessName endswith \\\"powershell_ise.exe\\\"\\n | extend TimeKey = bin(TimeGenerated, 1h)) on TimeKey, Computer\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Potential Fodhelper UAC Bypass\",\"description\":\"This detection looks for the steps required to conduct a UAC bypass using Fodhelper.exe. By default this detection looks for the setting of the required registry keys and the invoking of the process within 1 hour - this can be tweaked as required.\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-02-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4b93c5af-d20b-4236-b696-a28b8c51407f\",\"name\":\"4b93c5af-d20b-4236-b696-a28b8c51407f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1DT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\nlet spanoftime = 10m;\\nlet threshold = 0;\\n (union isfuzzy=true\\n (SecurityEvent\\n| where TimeGenerated \u003e ago(timeframe+spanoftime)\\n// A user account was created\\n| where EventID == 4720\\n| where AccountType =~ \\\"User\\\"\\n| project creationTime = TimeGenerated, CreateEventID = EventID, CreateActivity = Activity, Computer, TargetUserName, UserPrincipalName, \\nAccountUsedToCreate = SubjectAccount, SIDofAccountUsedToCreate = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid\\n),\\n(\\nWindowsEvent\\n| where TimeGenerated \u003e ago(timeframe+spanoftime)\\n// A user account was created\\n| where EventID == 4720\\n| extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| extend AccountType=case(EventData.SubjectUserName endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n| where AccountType =~ \\\"User\\\"\\n| extend SubjectAccount = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| extend TargetSid = tostring(EventData.TargetSid)\\n| extend UserPrincipalName = tostring(EventData.UserPrincipalName)\\n| extend Activity = \\\"4720 - A user account was created.\\\"\\n| extend TargetUserName = tostring(EventData.TargetUserName) \\n| project creationTime = TimeGenerated, CreateEventID = EventID, CreateActivity = Activity, Computer, TargetUserName, UserPrincipalName, \\nAccountUsedToCreate = SubjectAccount, SIDofAccountUsedToCreate = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid \\n))\\n| join kind= inner (\\n (union isfuzzy=true\\n (SecurityEvent\\n | where TimeGenerated \u003e ago(timeframe)\\n // A user account was deleted\\n | where EventID == 4726\\n| where AccountType == \\\"User\\\"\\n| project deletionTime = TimeGenerated, DeleteEventID = EventID, DeleteActivity = Activity, Computer, TargetUserName, UserPrincipalName, \\nAccountUsedToDelete = SubjectAccount, SIDofAccountUsedToDelete = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid\\n),\\n(WindowsEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n // A user account was deleted\\n| where EventID == 4726\\n| extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| extend SubjectAccount = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend AccountType=case(SubjectAccount endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n| where AccountType == \\\"User\\\"\\n| extend TargetSid = tostring(EventData.TargetSid)\\n| extend UserPrincipalName = tostring(EventData.UserPrincipalName)\\n| extend Activity = \\\"4726 - A user account was deleted.\\\"\\n| extend TargetUserName = tostring(EventData.TargetUserName) \\n| extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| project deletionTime = TimeGenerated, DeleteEventID = EventID, DeleteActivity = Activity, Computer, TargetUserName, UserPrincipalName, AccountUsedToDelete = SubjectAccount, SIDofAccountUsedToDelete = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid))\\n) on Computer, TargetAccount\\n| where deletionTime - creationTime \u003c spanoftime\\n| extend TimeDelta = deletionTime - creationTime\\n| where tolong(TimeDelta) \u003e= threshold\\n| project TimeDelta, creationTime, CreateEventID, CreateActivity, Computer, TargetAccount, TargetSid, UserPrincipalName, AccountUsedToCreate, SIDofAccountUsedToCreate,\\ndeletionTime, DeleteEventID, DeleteActivity, AccountUsedToDelete, SIDofAccountUsedToDelete\\n| extend timestamp = creationTime, AccountCustomEntity = AccountUsedToCreate, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"Sid\",\"columnName\":\"SIDofAccountUsedToCreate\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"User account created and deleted within 10 mins\",\"description\":\"Identifies when a user account is created and then deleted within 10 minutes. This can be an indication of compromise and\\nan adversary attempting to hide in the noise.\",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2019-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d7feb859-f03e-4e8d-8b21-617be0213b13\",\"name\":\"d7feb859-f03e-4e8d-8b21-617be0213b13\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let admin_users = (IdentityInfo\\n | summarize arg_max(TimeGenerated, *) by AccountUPN\\n | where AssignedRoles contains \\\"admin\\\"\\n | summarize by tolower(AccountUPN));\\n AuditLogs\\n | where OperationName =~ \\\"Admin registered security info\\\"\\n | where ResultReason =~ \\\"Admin registered temporary access pass method for user\\\"\\n | extend userPrincipalName = tostring(TargetResources[0].userPrincipalName)\\n | where tolower(userPrincipalName) in (admin_users)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"userPrincipalName\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Addition of a Temporary Access Pass to a Privileged Account\",\"description\":\"Detects when a Temporary Access Pass (TAP) is created for a Privileged Account.\\n A Temporary Access Pass is a time-limited passcode issued by an admin that satisfies strong authentication requirements and can be used to onboard other authentication methods, including Passwordless ones such as Microsoft Authenticator or even Windows Hello.\\n A threat actor could use a TAP to register a new authentication method to maintain persistance to an account.\\n Review any TAP creations to ensure they were used legitimately.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"BehaviorAnalytics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1399664f-9434-497c-9cde-42e4d74ae20e\",\"name\":\"1399664f-9434-497c-9cde-42e4d74ae20e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"SecurityAlert \\n| where AlertName == \\\"Impossible travel activity\\\"\\n| extend Extprop = parsejson(Entities)\\n| mv-expand Extprop\\n| extend Extprop = parsejson(Extprop)\\n| extend CmdLine = iff(Extprop[\u0027Type\u0027]==\\\"process\\\", Extprop[\u0027CommandLine\u0027], \u0027\u0027)\\n| extend File = iff(Extprop[\u0027Type\u0027]==\\\"file\\\", Extprop[\u0027Name\u0027], \u0027\u0027)\\n| extend Account = Extprop[\u0027Name\u0027]\\n| extend Domain = Extprop[\u0027UPNSuffix\u0027]\\n| extend Account = iif(isnotempty(Domain) and Extprop[\u0027Type\u0027]==\\\"account\\\", tolower(strcat(Account, \\\"@\\\", Domain)), iif(Extprop[\u0027Type\u0027]==\\\"account\\\", tolower(Account), \\\"\\\"))\\n| extend IpAddress = iff(Extprop[\\\"Type\\\"] == \\\"ip\\\",Extprop[\u0027Address\u0027], \u0027\u0027)\\n| extend Process = iff(isnotempty(CmdLine), CmdLine, File)\\n| project TimeGenerated,Account,IpAddress,CompromisedEntity,Description,ProviderName,ResourceId\\n| join kind=inner\\n(\\nOfficeActivity\\n| where Operation =~ \\\"Add-MailboxPermission\\\"\\n| extend value = tostring(parse_json(Parameters)[3].Value)\\n| where value contains \\\"FullAccess\\\"\\n| where ResultStatus == \\\"True\\\"\\n| project Parameters,TimeGenerated,value,RecordType,Operation,OrganizationId,UserType,UserKey,OfficeWorkload,ResultStatus,OfficeObjectId,UserId,ClientIP,ExternalAccess,OriginatingServer,OrganizationName,TenantId,ElevationTime,SourceSystem,OfficeId,OfficeTenantId,Type,SourceRecordId\\n) on $left.Account == $right.UserId\\n| join kind=inner\\n(\\nAuditLogs\\n| where ActivityDisplayName =~ \\\"Add eligible member to role in PIM requested (timebound)\\\"\\n| where AADOperationType =~ \\\"CreateRequestEligibleRole\\\"\\n| where TargetResources has_any (\\\"-PRIV\\\", \\\"Administrator\\\", \\\"Security\\\")\\n| extend BuiltinRole = tostring(parse_json(TargetResources[0].displayName))\\n| extend CustomGroup = tostring(parse_json(TargetResources[3].displayName))\\n| extend TargetAccount = tostring(parse_json(TargetResources[2].displayName))\\n| extend Initiatedby = Identity\\n| project TimeGenerated, ActivityDisplayName, AADOperationType, Initiatedby, TargetAccount, BuiltinRole, CustomGroup, LoggedByService, Result, ResourceId, Id\\n| sort by TimeGenerated desc\\n) on $left.UserId == $right.Initiatedby\\n| project AADOperationType, ActivityDisplayName,AccountCustomEntity=Initiatedby, Id,ResourceId,IPCustomEntity=IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"PrivilegeEscalation\"],\"displayName\":\"Detecting Impossible travel with mailbox permission tampering \u0026 Privilege Escalation attempt\",\"description\":\"This hunting query will alert on any Impossible travel activity in correlation with mailbox permission tampering followed by account being added to a PIM managed privileged group.\\nEnsure this impossible travel incident with increase of privileges is legitimate in your environment.\",\"lastUpdatedDateUTC\":\"2022-02-09T00:00:00Z\",\"createdDateUTC\":\"2022-02-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert (ASC)\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4f19d4e3-ec5f-4abc-9e61-819eb131758c\",\"name\":\"4f19d4e3-ec5f-4abc-9e61-819eb131758c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let EventNameList = dynamic([ \\\"AuthorizeSecurityGroupEgress\\\", \\\"AuthorizeSecurityGroupIngress\\\", \\\"RevokeSecurityGroupEgress\\\", \\\"RevokeSecurityGroupIngress\\\"]);\\nAWSCloudTrail\\n| where EventName in~ (EventNameList)\\n| extend User = iif(isnotempty(UserIdentityUserName), UserIdentityUserName, SessionIssuerUserName)\\n| summarize EventCount=count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) \\nby EventSource, EventName, UserIdentityType, User, SourceIpAddress, UserAgent, SessionMfaAuthenticated, AWSRegion, \\nAdditionalEventData, UserIdentityAccountId, UserIdentityPrincipalid, ResponseElements\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User , IPCustomEntity = SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Changes to AWS Security Group ingress and egress settings\",\"description\":\"A Security Group acts as a virtual firewall of an instance to control inbound and outbound traffic. \\n Hence, ingress and egress settings changes to AWS Security Group should be monitored as these can expose the enviornment to new attack vectors.\\nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0914adab-90b5-47a3-a79f-7cdcac843aa7\",\"name\":\"0914adab-90b5-47a3-a79f-7cdcac843aa7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Low\",\"query\":\"let starttime = 14d;\\nlet timeframe = 1d;\\nlet scorethreshold = 3;\\nlet baselinethreshold = 5;\\n// To avoid any False Positives, filtering using AppId is recommended. For example the AppId 509e4652-da8d-478d-a730-e9d4a1996ca4 has been added in the query as it corresponds \\n// to Azure Resource Graph performing VaultGet operations for indexing and syncing all tracked resources across Azure.\\nlet Allowedappid = dynamic([\\\"509e4652-da8d-478d-a730-e9d4a1996ca4\\\"]);\\nlet OperationList = dynamic(\\n[\\\"SecretGet\\\", \\\"KeyGet\\\", \\\"VaultGet\\\"]);\\nlet TimeSeriesData = AzureDiagnostics\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(now()))\\n| where not((identity_claim_appid_g in (Allowedappid)) and OperationName == \u0027VaultGet\u0027)\\n| extend ResultType = columnifexists(\\\"ResultType\\\", \\\"None\\\"), CallerIPAddress = columnifexists(\\\"CallerIPAddress\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where CallerIPAddress !~ \\\"None\\\" and isnotempty(CallerIPAddress)\\n| where ResourceType =~ \\\"VAULTS\\\" and ResultType =~ \\\"Success\\\"\\n| where OperationName in (OperationList)\\n| project TimeGenerated, OperationName, Resource, CallerIPAddress\\n| make-series HourlyCount=count() on TimeGenerated from startofday(ago(starttime)) to startofday(now()) step timeframe by Resource;\\n//Filter anomolies against TimeSeriesData\\nlet TimeSeriesAlerts = TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(HourlyCount, scorethreshold, -1, \u0027linefit\u0027)\\n| mv-expand HourlyCount to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double),score to typeof(double), baseline to typeof(long)\\n| where anomalies \u003e 0 | extend AnomalyHour = TimeGenerated\\n| where baseline \u003e baselinethreshold // Filtering low count events per baselinethreshold\\n| project Resource, AnomalyHour, TimeGenerated, HourlyCount, baseline, anomalies, score;\\nlet AnomalyHours = TimeSeriesAlerts | where TimeGenerated \u003e ago(2d) | project TimeGenerated;\\n// Filter the alerts since specified timeframe\\nTimeSeriesAlerts\\n| where TimeGenerated \u003e ago(2d)\\n// Join against base logs since specified timeframe to retrive records associated with the hour of anomoly\\n| join (\\nAzureDiagnostics\\n| where TimeGenerated \u003e ago(timeframe)\\n| where not((identity_claim_appid_g in (Allowedappid)) and OperationName == \u0027VaultGet\u0027)\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n| extend ResultType = columnifexists(\\\"ResultType\\\", \\\"NoResultType\\\")\\n| extend requestUri_s = columnifexists(\\\"requestUri_s\\\", \\\"None\\\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"None\\\")\\n| extend id_s = columnifexists(\\\"id_s\\\", \\\"None\\\"), CallerIPAddress = columnifexists(\\\"CallerIPAddress\\\", \\\"None\\\"), clientInfo_s = columnifexists(\\\"clientInfo_s\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \\\"None\\\" and isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\\n| where id_s !~ \\\"None\\\" and isnotempty(id_s)\\n| where CallerIPAddress !~ \\\"None\\\" and isnotempty(CallerIPAddress)\\n| where clientInfo_s !~ \\\"None\\\" and isnotempty(clientInfo_s)\\n| where requestUri_s !~ \\\"None\\\" and isnotempty(requestUri_s)\\n| where ResourceType =~ \\\"VAULTS\\\" and ResultType =~ \\\"Success\\\"\\n| where OperationName in (OperationList)\\n| summarize PerOperationCount=count(), LatestAnomalyTime = arg_max(TimeGenerated,*) by bin(TimeGenerated,1h), Resource, OperationName, id_s, CallerIPAddress, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, requestUri_s, clientInfo_s\\n) on Resource, TimeGenerated\\n| summarize EventCount=count(), OperationNameList = make_set(OperationName), RequestURLList = make_set(requestUri_s, 100), AccountList = make_set(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, 100), AccountMax = arg_max(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g,*) by Resource, id_s, clientInfo_s, LatestAnomalyTime\\n| extend timestamp = LatestAnomalyTime, IPCustomEntity = CallerIPAddress, AccountCustomEntity = AccountMax\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Azure Key Vault access TimeSeries anomaly\",\"description\":\"Indentifies a sudden increase in count of Azure Key Vault secret or vault access operations by CallerIPAddress. The query leverages a built-in KQL anomaly detection algorithm\\nto find large deviations from baseline Azure Key Vault access patterns. Any sudden increase in the count of Azure Key Vault accesses can be an\\nindication of adversary dumping credentials via automated methods. If you are seeing any noise, try filtering known source(IP/Account) and user-agent combinations.\\nTimeSeries Reference Blog: https://techcommunity.microsoft.com/t5/azure-sentinel/looking-for-unknown-anomalies-what-is-normal-time-series/ba-p/555052\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2019-07-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureKeyVault\",\"dataTypes\":[\"KeyVaultData\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6a2e2ff4-5568-475e-bef2-b95f12b9367b\",\"name\":\"6a2e2ff4-5568-475e-bef2-b95f12b9367b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let FailureThreshold = 15;\\nimAuthentication\\n| where EventType== \u0027Logon\u0027 and EventResult== \u0027Failure\u0027\\n// reason: creds \\n| where EventResultDetails in (\u0027No such user or password\u0027, \u0027Incorrect password\u0027)\\n| summarize UserCount=dcount(TargetUserId), Vendors=make_set(EventVendor), Products=make_set(EventVendor)\\n , Users = make_set(TargetUserId,100) \\n by SrcDvcIpAddr, SrcGeoCountry, bin(TimeGenerated, 5m)\\n| where UserCount \u003e FailureThreshold\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcDvcIpAddr\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Potential Password Spray Attack (Uses Authentication Normalization)\",\"description\":\"This query searches for failed attempts to log in from more than 15 various users within a 5 minute timeframe from the same source. This is a potential indication of a password spray attack\\n To use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimAuthentication)\",\"lastUpdatedDateUTC\":\"2022-02-14T00:00:00Z\",\"createdDateUTC\":\"2021-06-14T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a5b3429d-f1da-42b9-883c-327ecb7b91ff\",\"name\":\"a5b3429d-f1da-42b9-883c-327ecb7b91ff\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"SecurityAlert \\n| where AlertName == \\\"Sign-in from an infected device\\\"\\n| extend Extprop = parsejson(Entities)\\n| mv-expand Extprop\\n| extend Extprop = parsejson(Extprop)\\n| extend CmdLine = iff(Extprop[\u0027Type\u0027]==\\\"process\\\", Extprop[\u0027CommandLine\u0027], \u0027\u0027)\\n| extend File = iff(Extprop[\u0027Type\u0027]==\\\"file\\\", Extprop[\u0027Name\u0027], \u0027\u0027)\\n| extend Account = Extprop[\u0027Name\u0027]\\n| extend Domain = Extprop[\u0027UPNSuffix\u0027]\\n| extend Account = iif(isnotempty(Domain) and Extprop[\u0027Type\u0027]==\\\"account\\\", tolower(strcat(Account, \\\"@\\\", Domain)), iif(Extprop[\u0027Type\u0027]==\\\"account\\\", tolower(Account), \\\"\\\"))\\n| extend IpAddress = iff(Extprop[\\\"Type\\\"] == \\\"ip\\\",Extprop[\u0027Address\u0027], \u0027\u0027)\\n| extend Process = iff(isnotempty(CmdLine), CmdLine, File)\\n| summarize count() by AlertName, AlertSeverity, CompromisedEntity, Account, IpAddress\\n| join kind=inner \\n(\\nAzureActivity\\n| where OperationNameValue hassuffix (\\\"/workspaces/computes/delete\\\")\\n| where ActivityStatusValue =~ \\\"Succeeded\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = makelist(TimeGenerated), ActivityStatusValue = makelist(ActivityStatusValue), OperationIds = makelist(OperationId), CorrelationIds = makelist(CorrelationId), Resources = makelist(Resource), ResourceGroups = makelist(ResourceGroup), ResourceIds = makelist(ResourceId), ActivityCountByCallerIPAddress = count() \\nby CallerIpAddress, Caller, OperationNameValue\\n) on $left. IpAddress == $right. CallerIpAddress\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"Impact\"],\"displayName\":\"Workspace deletion attempt from an infected device\",\"description\":\"This hunting query will alert on any sign-ins from devices infected with malware in correlation with potential workspace deletion activity. \\nAttackers may attempt to delete workspaces containing compute instances after successful compromise to cause service unavailability to regular business operation.\",\"lastUpdatedDateUTC\":\"2022-04-11T00:00:00Z\",\"createdDateUTC\":\"2022-04-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectoryIdentityProtection\",\"dataTypes\":[\"SecurityAlert (IPC)\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8e267e91-6bda-4b3c-bf68-9f5cbdd103a3\",\"name\":\"8e267e91-6bda-4b3c-bf68-9f5cbdd103a3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"ZoomLogs\\n| where Event =~ \\\"account.settings_updated\\\" \\n| extend EnforceLogin = columnifexists(\\\"payload_object_settings_schedule_meeting_enfore_login_b\\\", \\\"\\\") \\n| extend EnforceLoginDomain = columnifexists(\\\"payload_object_settings_schedule_meeting_enfore_login_b\\\", \\\"\\\") \\n| extend GuestAlerts = columnifexists(\\\"payload_object_settings_in_meeting_alert_guest_join_b\\\", \\\"\\\") \\n| where EnforceLogin == \u0027false\u0027 or EnforceLoginDomain == \u0027false\u0027 or GuestAlerts == \u0027false\u0027 \\n| extend SettingChanged = case(EnforceLogin == \u0027false\u0027 and EnforceLoginDomain == \u0027false\u0027 and GuestAlerts == \u0027false\u0027, \\\"All settings changed\\\", \\n EnforceLogin == \u0027false\u0027 and EnforceLoginDomain == \u0027false\u0027, \\\"Enforced Logons and Restricted Domains Changed\\\", \\n EnforceLoginDomain == \u0027false\u0027 and GuestAlerts == \u0027false\u0027, \\\"Enforced Domains Changed\\\", \\n EnforceLoginDomain == \u0027false\u0027, \\\"Enfored Domains Changed\\\", \\n GuestAlerts == \u0027false\u0027, \\\"Guest Join Alerts Changed\\\", \\n EnforceLogin == \u0027false\u0027, \\\"Enforced Logins Changed\\\", \\n \\\"No Changes\\\")\\n| extend timestamp = TimeGenerated, AccountCustomEntity = User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\",\"Persistence\"],\"displayName\":\"External User Access Enabled\",\"description\":\"This alerts when the account setting is changed to allow either external domain access or anonymous access to meetings.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2020-04-24T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/56b0a0cd-894e-4b38-a0a1-c41d9f96649a\",\"name\":\"56b0a0cd-894e-4b38-a0a1-c41d9f96649a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"let lbtime = 1h;\\nlet tls_ciphers = dynamic([\u0027RC4-SHA\u0027, \u0027DES-CBC3-SHA\u0027]);\\nProofpointPOD\\n| where EventType == \u0027message\u0027\\n| where TlsCipher in (tls_ciphers)\\n| extend IpCustomEntity = SrcIpAddr\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"ProofpointPOD - Weak ciphers\",\"description\":\"Detects when weak TLS ciphers are used.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/87890d78-3e05-43ec-9ab9-ba32f4e01250\",\"name\":\"87890d78-3e05-43ec-9ab9-ba32f4e01250\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.3\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation\\nlet list_tlds = ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e ago(ioc_lookBack)\\n| where isnotempty(DomainName)\\n| extend parts = split(DomainName, \u0027.\u0027)\\n| extend tld = parts[(array_length(parts)-1)]\\n| summarize count() by tostring(tld)\\n| summarize make_list(tld);\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(DomainName)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n SecurityAlert\\n | where TimeGenerated \u003e ago(dt_lookBack)\\n | extend MSTI = case(AlertName has \\\"TI map\\\" and VendorName == \\\"Microsoft\\\" and ProductName == \u0027Azure Sentinel\u0027, true, false)\\n | where MSTI == false\\n //Extract domain patterns from message\\n | extend domain = todynamic(dynamic_to_json(extract_all(@\\\"(((xn--)?[a-z0-9\\\\-]+\\\\.)+([a-z]+|(xn--[a-z0-9]+)))\\\", dynamic([1]), tolower(Entities))))\\n | mv-expand domain\\n | extend domain = tostring(domain[0])\\n | extend parts = split(domain, \u0027.\u0027)\\n //Split out the TLD\\n | extend tld = parts[(array_length(parts)-1)]\\n //Validate parsed domain by checking if the TLD is in the list of TLDs in our threat feed\\n | where tld in~ (list_tlds)\\n // Converting Entities into dynamic data type and use mv-expand to unpack the array\\n | extend EntitiesDynamicArray = parse_json(Entities)\\n | mv-apply EntitiesDynamicArray on\\n (summarize\\n HostName = take_anyif(tostring(EntitiesDynamicArray.HostName), EntitiesDynamicArray.Type == \\\"host\\\"),\\n IP_addr = take_anyif(tostring(EntitiesDynamicArray.Address), EntitiesDynamicArray.Type == \\\"ip\\\")\\n )\\n | extend Alert_TimeGenerated = TimeGenerated\\n | extend Alert_Description = Description\\n) on $left.DomainName==$right.domain\\n| where Alert_TimeGenerated \u003c ExpirationDateTime\\n| summarize Alert_TimeGenerated = arg_max(Alert_TimeGenerated, *) by IndicatorId, AlertName\\n| project Alert_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DomainName, AlertName, Alert_Description, ProviderName, AlertSeverity, ConfidenceLevel, HostName, IP_addr, Url, Entities\\n| extend timestamp = Alert_TimeGenerated, HostCustomEntity = HostName, IPCustomEntity = IP_addr, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map Domain entity to SecurityAlert\",\"description\":\"Identifies a match in SecurityAlert table from any Domain IOC from TI\",\"lastUpdatedDateUTC\":\"2022-01-17T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"MicrosoftCloudAppSecurity\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/88f453ff-7b9e-45bb-8c12-4058ca5e44ee\",\"name\":\"88f453ff-7b9e-45bb-8c12-4058ca5e44ee\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AzureActivity\\n| where CategoryValue == \u0027Administrative\u0027\\n| where ResourceProviderValue =~ \u0027Microsoft.ADHybridHealthService\u0027\\n| where _ResourceId contains \u0027AdFederationService\u0027\\n| where OperationNameValue =~ \u0027Microsoft.ADHybridHealthService/services/servicemembers/action\u0027\\n| extend claimsJson = parse_json(Claims)\\n| extend AppId = tostring(claimsJson.appid)\\n| extend AccountName = tostring(claimsJson.name)\\n| project-away claimsJson\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure Active Directory Hybrid Health AD FS New Server\",\"description\":\"This detection uses AzureActivity logs (Administrative category) to identify the creation or update of a server instance in an Azure AD Hybrid health AD FS service.\\nA threat actor can create a new AD Health ADFS service and create a fake server instance to spoof AD FS signing logs. There is no need to compromise an on-prem AD FS server.\\nThis can be done programmatically via HTTP requests to Azure. More information in this blog: https://o365blog.com/post/hybridhealthagent/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-08-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e1ce0eab-10d1-4aae-863f-9a383345ba88\",\"name\":\"e1ce0eab-10d1-4aae-863f-9a383345ba88\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let threshold = 15;\\nSyslog\\n| where SyslogMessage contains \\\"Failed password for invalid user\\\"\\n| where ProcessName =~ \\\"sshd\\\" \\n| parse kind=relaxed SyslogMessage with * \\\"invalid user\\\" user \\\" from \\\" ip \\\" port\\\" port \\\" ssh2\\\"\\n| project user, ip, port, SyslogMessage, EventTime\\n| summarize EventTimes = make_list(EventTime), PerHourCount = count() by ip, bin(EventTime, 4h), user\\n| where PerHourCount \u003e threshold\\n| mvexpand EventTimes\\n| extend EventTimes = tostring(EventTimes) \\n| summarize StartTimeUtc = min(EventTimes), EndTimeUtc = max(EventTimes), UserList = makeset(user), sum(PerHourCount) by IPAddress = ip\\n| extend UserList = tostring(UserList) \\n| extend timestamp = StartTimeUtc, IPCustomEntity = IPAddress, AccountCustomEntity = UserList\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"SSH - Potential Brute Force\",\"description\":\"Identifies an IP address that had 15 failed attempts to sign in via SSH in a 4 hour block during a 24 hour time period.\",\"lastUpdatedDateUTC\":\"2022-05-31T00:00:00Z\",\"createdDateUTC\":\"2019-02-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/55073036-bb86-47d3-a85a-b113ac3d9396\",\"name\":\"55073036-bb86-47d3-a85a-b113ac3d9396\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let admins=(IdentityInfo\\n | where AssignedRoles contains \\\"admin\\\"\\n | summarize by tolower(AccountUPN));\\n let known_asns = (\\n SigninLogs\\n | where TimeGenerated between(ago(14d)..ago(1d))\\n | where ResultType == 0\\n | summarize by AutonomousSystemNumber);\\n SigninLogs\\n | where TimeGenerated \u003e ago(1d)\\n | where ResultType == 0\\n | where tolower(UserPrincipalName) in (admins)\\n | where AutonomousSystemNumber !in (known_asns)\\n | project-reorder TimeGenerated, UserPrincipalName, UserAgent, IpAddress, AutonomousSystemNumber\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"UserPrincipalName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Privileged User Logon from new ASN\",\"description\":\"Detects a successful logon by a privileged account from an ASN not logged in from in the last 14 days.\\n Monitor these logons to ensure they are legitimate and identify if there are any similar sign ins.\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"BehaviorAnalytics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a7b9df32-1367-402d-b385-882daf6e3020\",\"name\":\"a7b9df32-1367-402d-b385-882daf6e3020\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"Event\\n| where EventLog == \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID==10\\n| parse EventData with * \u0027TargetImage\\\"\u003e\u0027 TargetImage \\\"\u003c\\\" * \u0027GrantedAccess\\\"\u003e\u0027 GrantedAccess \\\"\u003c\\\" * \u0027CallTrace\\\"\u003e\u0027 CallTrace \\\"\u003c\\\" * \\n| where GrantedAccess == \\\"0x1FFFFF\\\" and TargetImage == \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\lsass.exe\\\" and CallTrace has_any (\\\"dbghelp.dll\\\",\\\"dbgcore.dll\\\")\\n| parse EventData with * \u0027SourceProcessGUID\\\"\u003e\u0027 SourceProcessGUID \\\"\u003c\\\" * \u0027SourceImage\\\"\u003e\u0027 SourceImage \\\"\u003c\\\" *\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, SourceProcessGUID, SourceImage, GrantedAccess, TargetImage, CallTrace\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"SourceImage\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Dumping LSASS Process Into a File\",\"description\":\"Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). \\nAfter a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. \\nThese credential materials can be harvested by an administrative user or SYSTEM and used to conduct Lateral Movement using Use Alternate Authentication Material. \\nAs well as in-memory techniques, the LSASS process memory can be dumped from the target host and analyzed on a local system.\\nRef: https://attack.mitre.org/techniques/T1003/001/\",\"lastUpdatedDateUTC\":\"2022-03-11T00:00:00Z\",\"createdDateUTC\":\"2022-03-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/94749332-1ad9-49dd-a5ab-5ff2170788fc\",\"name\":\"94749332-1ad9-49dd-a5ab-5ff2170788fc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/SOURGUM.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet domains = (iocs | where Type =~ \\\"domainname\\\"| project IoC);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\nlet file_path1 = (iocs | where Type =~ \\\"filepath1\\\" | project IoC);\\nlet file_path2 = (iocs | where Type =~ \\\"filepath2\\\" | project IoC);\\nlet file_path3 = (iocs | where Type =~ \\\"filepath3\\\" | project IoC);\\nlet reg_key = (iocs | where Type =~ \\\"regkey\\\" | project IoC);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where DestinationHostName has_any (domains) or RequestURL has_any (domains) or Message has_any (domains)\\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 *\\n| project TimeGenerated, Message, SourceUserID, RequestURL, DestinationHostName, Type, SourceIP, DestinationIP, DNSName\\n| extend Alert = \u0027SOURGUM IOC detected\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SourceUserID, UrlCustomEntity = RequestURL , IPCustomEntity = DestinationIP, DNSCustomEntity = DNSName\\n),\\n(DnsEvents\\n| where Name in~ (domains)\\n| project TimeGenerated, Computer, IPAddresses, Name, ClientIP, Type\\n| extend DNSName = Name, Host = Computer , Alert = \u0027SOURGUM IOC detected\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Host, DNSCustomEntity = DNSName, IPCustomEntity = IPAddresses\\n),\\n(VMConnection\\n| where RemoteDnsCanonicalNames has_any (domains)\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| project TimeGenerated, Computer, Direction, RemoteDnsCanonicalNames, ProcessName, SourceIp, DestinationIp, DestinationPort, DNSName,BytesSent, BytesReceived, RemoteCountry, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIp, HostCustomEntity = Computer, ProcessCustomEntity = ProcessName, DNSCustomEntity = DNSName, Alert = \u0027SOURGUM IOC detected\u0027\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = tostring(EventDetail.[9].[\\\"#text\\\"]), DestinationIP = tostring(EventDetail.[14].[\\\"#text\\\"]), Image = EventDetail.[4].[\\\"#text\\\"]\\n| where Image has_any (file_path1) or Image has_any (file_path3)\\n| project TimeGenerated, SourceIP, DestinationIP, Image, UserName, Computer, EventDetail, Type\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), HostCustomEntity = Computer , IPCustomEntity = DestinationIP, Alert = \u0027SOURGUM IOC detected\u0027\\n), \\n(DeviceNetworkEvents\\n| where (RemoteUrl has_any (domains)) or (InitiatingProcessSHA256 in (sha256Hashes) and InitiatingProcessFolderPath has_any (file_path1)) or InitiatingProcessFolderPath has_any (file_path3)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, LocalIP, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName, Alert = \u0027SOURGUM IOC detected\u0027, UrlCustomEntity =RemoteUrl\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| project TimeGenerated,Resource, msg_s, Type\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where Request_Name has_any (domains)\\n| extend timestamp = TimeGenerated, DNSName = Request_Name, IPCustomEntity = ClientIP, Alert = \u0027SOURGUM IOC detected\u0027\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| project TimeGenerated,Resource, msg_s\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where DestinationHost has_any (domains) \\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost, Alert = \u0027SOURGUM IOC detected\u0027\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| parse EventDetail with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| extend Image = EventDetail.[4].[\\\"#text\\\"], CommandLine = EventDetail.[10].[\\\"#text\\\"]\\n| where (SHA256 has_any (sha256Hashes) and Image has_any (file_path1)) or (Image has_any (file_path3)) or ( CommandLine has_any (file_path3)) or ( CommandLine has_any (file_path1)) or ( CommandLine has \u0027reg add\u0027 and CommandLine has_any (reg_key) and CommandLine has_any (file_path2)) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256, CommandLine, Image\\n| extend Type = strcat(Type, \\\": \\\", Source), Alert = \u0027SOURGUM IOC detected\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = SHA256\\n),\\n(DeviceRegistryEvents\\n| where RegistryKey has_any (reg_key) and RegistryValueData has_any (file_path2)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type \\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, Alert = \u0027SOURGUM IOC detected\u0027\\n),\\n(DeviceProcessEvents\\n| where ( InitiatingProcessCommandLine has_any (file_path1)) or ( InitiatingProcessCommandLine has_any (file_path3)) or ( InitiatingProcessCommandLine has \u0027reg add\u0027 and InitiatingProcessCommandLine has_any (reg_key) and InitiatingProcessCommandLine has_any (file_path2)) or (InitiatingProcessFolderPath has_any (file_path1)) or (InitiatingProcessFolderPath has_any (file_path3)) or (FolderPath has_any (file_path1)) or (FolderPath has_any (file_path3))\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, FolderPath, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, Alert = \u0027SOURGUM IOC detected\u0027\\n),\\n(DeviceFileEvents\\n| where (InitiatingProcessSHA256 has_any (sha256Hashes) and InitiatingProcessFolderPath has_any (file_path1)) or (InitiatingProcessFolderPath has_any (file_path3)) or (FolderPath has_any (file_path1)) or (FolderPath has_any (file_path3)) or ( InitiatingProcessCommandLine has_any (file_path1)) or ( InitiatingProcessCommandLine has_any (file_path3))\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RequestAccountName, RequestSourceIP, InitiatingProcessSHA256, FolderPath, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = RequestAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, Alert = \u0027SOURGUM IOC detected\u0027\\n),\\n(DeviceEvents\\n| where ( InitiatingProcessCommandLine has_any (file_path1)) or ( InitiatingProcessCommandLine has_any (file_path3)) or ( InitiatingProcessCommandLine has \u0027reg add\u0027 and InitiatingProcessCommandLine has_any (reg_key) and InitiatingProcessCommandLine has_any (file_path2)) or (InitiatingProcessFolderPath has_any (file_path1)) or (InitiatingProcessFolderPath has_any (file_path3)) or (FolderPath has_any (file_path1)) or (FolderPath has_any (file_path3))\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, FolderPath, Type\\n| extend CommandLine = InitiatingProcessCommandLine, Alert = \u0027SOURGUM IOC detected\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256\\n),\\n( SecurityEvent\\n| where EventID == 4688\\n| where ( CommandLine has_any (file_path1)) or ( CommandLine has_any (file_path3)) or ( CommandLine has \u0027reg add\u0027 and CommandLine has_any (reg_key) and CommandLine has_any (file_path2)) or (NewProcessName has_any (file_path1)) or (NewProcessName has_any (file_path3)) or (ParentProcessName has_any (file_path1)) or (ParentProcessName has_any (file_path3))\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, Alert = \u0027SOURGUM IOC detected\u0027\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"SOURGUM Actor IOC - July 2021\",\"description\":\"Identifies a match across IOC\u0027s related to an actor tracked by Microsoft as SOURGUM\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-07-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceRegistryEvents\",\"DeviceFileEvents\",\"DeviceEvents\",\"DeviceProcessEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/95407904-0131-4918-bc49-ebf282ce149a\",\"name\":\"95407904-0131-4918-bc49-ebf282ce149a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let IPList = dynamic([\\\"135.125.147.170:80\\\",\\\"185.244.129.79:63047\\\",\\\"185.244.129.79:80\\\",\\\"45.80.149.108:63047\\\",\\\"45.80.149.108:80\\\",\\\"45.80.149.57:63047\\\",\\\"45.80.149.68:63047\\\",\\\"45.80.149.71:80\\\",\\\"185.244.129.109\\\",\\\"172.96.188.51\\\",\\\"51.83.246.73\\\"]); \\n(union isfuzzy=true \\n(CommonSecurityLog \\n| where isnotempty(SourceIP) or isnotempty(DestinationIP) \\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList) \\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"Message\\\") \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch \\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\") \\n), \\n(OfficeActivity \\n|extend SourceIPAddress = ClientIP, Account = UserId \\n| where SourceIPAddress in (IPList) \\n| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account \\n),\\n(_Im_Dns (response_has_any_prefix=IPList)\\n| extend DestinationIPAddress = ResponseName, Host = SrcIpAddr \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host \\n), \\n(_Im_NetworkSession (srcipaddr_has_any_prefix=IPList)\\n | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Hostname, AccountCustomEntity=User\\n), \\n(_Im_NetworkSession (dstipaddr_has_any_prefix=IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = DstIpAddr, HostCustomEntity = Hostname , AccountCustomEntity = User\\n), \\n(WireData \\n| where isnotempty(RemoteIP) \\n| where RemoteIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer \\n), \\n(SigninLogs \\n| where isnotempty(IPAddress) \\n| where IPAddress in (IPList) \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \\n),\\n(AADNonInteractiveUserSignInLogs \\n| where isnotempty(IPAddress) \\n| where IPAddress in (IPList) \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \\n), \\n(W3CIISLog \\n| where isnotempty(cIP) \\n| where cIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName \\n), \\n(AzureActivity \\n| where isnotempty(CallerIpAddress) \\n| where CallerIpAddress in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller \\n), \\n( \\nAWSCloudTrail \\n| where isnotempty(SourceIpAddress) \\n| where SourceIpAddress in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName \\n), \\n( \\nDeviceNetworkEvents \\n| where isnotempty(RemoteIP) \\n| where RemoteIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName \\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallNetworkRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Known POLONIUM IP\",\"description\":\"Identifies a match across various data feeds for IP IOCs related to the POLONIUM activity group. \\n References: BLOGURL\u0027 \",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2020-11-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AzureMonitor(WireData)\",\"dataTypes\":[\"WireData\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ed43bdb7-eaab-4ea4-be52-6951fcfa7e3b\",\"name\":\"ed43bdb7-eaab-4ea4-be52-6951fcfa7e3b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet TotalEventsThreshold = 25; \\nlet TimeSeriesData = \\nAzureActivity \\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where OperationNameValue endswith \\\"delete\\\" \\n| project TimeGenerated, Caller \\n| make-series Total = count() on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by Caller; \\nlet TimeSeriesAlerts = materialize(TimeSeriesData \\n| extend (anomalies, score, baseline) = series_decompose_anomalies(Total, 3, -1, \u0027linefit\u0027) \\n| mv-expand Total to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to typeof(double), baseline to typeof(long) \\n| where anomalies \u003e 0 \\n| project Caller, TimeGenerated, Total, baseline, anomalies, score \\n| where Total \u003e TotalEventsThreshold and baseline \u003e 0 ); \\nTimeSeriesAlerts \\n| where TimeGenerated \u003e (ago(endtime)) \\n| project TimeGenerated, Caller \\n| join (AzureActivity \\n| where TimeGenerated \u003e (ago(endtime)) \\n| where OperationNameValue endswith \\\"delete\\\" \\n| summarize count(), make_set(OperationNameValue), make_set(Resource) by bin(TimeGenerated, 1h), Caller) on TimeGenerated, Caller \\n| extend timestamp = TimeGenerated, AccountCustomEntity = Caller\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Mass Cloud resource deletions Time Series Anomaly\",\"description\":\"This query generates baseline pattern of cloud resource deletions by an user and generated anomaly \\nwhen any unusual spike is detected.\\nThese anomalies from unusual or privileged users could be an indication of cloud infrastructure \\ntake-down by an adversary \",\"lastUpdatedDateUTC\":\"2022-03-24T00:00:00Z\",\"createdDateUTC\":\"2022-03-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b6988c32-4f3b-4a45-8313-b46b33061a74\",\"name\":\"b6988c32-4f3b-4a45-8313-b46b33061a74\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n| where OperationName has_any (\\\"Add service principal\\\", \\\"Certificates and secrets management\\\") // captures \\\"Add service principal\\\", \\\"Add service principal credentials\\\", and \\\"Update application - Certificates and secrets management\\\" events\\n| where Result =~ \\\"success\\\"\\n| where tostring(InitiatedBy.user.userPrincipalName) has \\\"@\\\" or tostring(InitiatedBy.app.displayName) has \\\"@\\\"\\n| extend targetDisplayName = tostring(TargetResources[0].displayName)\\n| extend targetId = tostring(TargetResources[0].id)\\n| extend targetType = tostring(TargetResources[0].type)\\n| extend keyEvents = TargetResources[0].modifiedProperties\\n| mv-expand keyEvents\\n| where keyEvents.displayName =~ \\\"KeyDescription\\\"\\n| extend new_value_set = parse_json(tostring(keyEvents.newValue))\\n| extend old_value_set = parse_json(tostring(keyEvents.oldValue))\\n| where old_value_set == \\\"[]\\\"\\n| mv-expand new_value_set\\n| parse new_value_set with * \\\"KeyIdentifier=\\\" keyIdentifier:string \\\",KeyType=\\\" keyType:string \\\",KeyUsage=\\\" keyUsage:string \\\",DisplayName=\\\" keyDisplayName:string \\\"]\\\" *\\n| where keyUsage == \\\"Verify\\\" or keyUsage == \\\"\\\"\\n| extend UserAgent = iff(AdditionalDetails[0].key == \\\"User-Agent\\\",tostring(AdditionalDetails[0].value),\\\"\\\")\\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n// The below line is currently commented out but Microsoft Sentinel users can modify this query to show only Application or only Service Principal events in their environment\\n//| where targetType =~ \\\"Application\\\" // or targetType =~ \\\"ServicePrincipal\\\"\\n| project-away new_value_set, old_value_set\\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, InitiatingIpAddress, UserAgent, targetDisplayName, targetId, targetType, keyDisplayName, keyType, keyUsage, keyIdentifier, CorrelationId, TenantId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingUserOrApp, IPCustomEntity = InitiatingIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"NRT First access credential added to Application or Service Principal where no credential was present\",\"description\":\"This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where there was no previous verify KeyCredential associated.\\nIf a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2022-06-01T00:00:00Z\",\"createdDateUTC\":\"2020-11-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fb7ca1c9-e14c-40a3-856e-28f3c14ea1ba\",\"name\":\"fb7ca1c9-e14c-40a3-856e-28f3c14ea1ba\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let account_threshold = 5;\\nAADNonInteractiveUserSignInLogs\\n//| where ResultType == \\\"81016\\\"\\n| where ResultType startswith \\\"81\\\"\\n| summarize DistinctAccounts = dcount(UserPrincipalName), DistinctAddresses = make_set(IPAddress) by ResultType\\n| where DistinctAccounts \u003e account_threshold\\n| mv-expand IPAddress = DistinctAddresses\\n| extend IPAddress = tostring(IPAddress)\\n| join kind=leftouter (union isfuzzy=true SigninLogs, AADNonInteractiveUserSignInLogs) on IPAddress\\n| summarize\\n StartTime = min(TimeGenerated),\\n EndTime = max(TimeGenerated),\\n UserPrincipalName = make_set(UserPrincipalName),\\n UserAgent = make_set(UserAgent),\\n ResultDescription = take_any(ResultDescription),\\n ResultSignature = take_any(ResultSignature)\\n by IPAddress, Type, ResultType\\n| project Type, StartTime, EndTime, IPAddress, ResultType, ResultDescription, ResultSignature, UserPrincipalName, UserAgent = iff(array_length(UserAgent) == 1, UserAgent[0], UserAgent)\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Password spray attack against Azure AD Seamless SSO\",\"description\":\"This query detects when there is a spike in Azure AD Seamless SSO errors. They may not be caused by a Password Spray attack, but the cause of the errors might need to be investigated.\\nAzure AD only logs the requests that matched existing accounts, thus there might have been unlogged requests for non-existing accounts.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2022-03-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/825991eb-ea39-4590-9de2-ee97ef42eb93\",\"name\":\"825991eb-ea39-4590-9de2-ee97ef42eb93\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ActiniumIOC.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet domains = (iocs | where Type =~ \\\"domainname\\\"| project IoC);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\n(union isfuzzy=true\\n(DeviceProcessEvents\\n| where InitiatingProcessSHA256 in (sha256Hashes) or SHA256 in (sha256Hashes) or (ProcessCommandLine has (\u0027schtasks.exe /CREATE /sc minute /mo 12 /tn\u0027) and ProcessCommandLine has (\u0027/tr \\\"wscript.exe\u0027) and ProcessCommandLine has (\u0027\\\"%PUBLIC%\\\\\\\\Pictures\\\\\\\\\u0027) and ProcessCommandLine has (\u0027//e:VBScript //b\\\" /F\u0027)) or (ProcessCommandLine has (\u0027wscript.exe C:\\\\\\\\Users\\\\\\\\\u0027) and ProcessCommandLine has (\u0027.wav\u0027) and ProcessCommandLine has (\u0027//e:VBScript //b\u0027) \\nor (ProcessCommandLine has_all (\\\"schtasks.exe\\\", \\\"create\\\", \\\"wscript\\\", \\\"e:vbscript\\\", \\\".wav\\\")))\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, ProcessCommandLine, InitiatingProcessAccountName, InitiatingProcessCommandLine, FolderPath, InitiatingProcessFolderPath, ProcessId, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type, AccountName, SHA256, FileName\\n| extend Account = AccountName, Computer = DeviceName, FileHash = case(InitiatingProcessSHA256 in (sha256Hashes), \\\"InitiatingProcessSHA256\\\", SHA256 in (sha256Hashes), \\\"SHA256\\\", \\\"No Match\\\")\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = FileName, FileHashCustomEntity = case(FileHash == \\\"InitiatingProcessSHA256\\\", InitiatingProcessSHA256, FileHash == \\\"SHA256\\\", SHA256, \\\"No Match\\\")\\n),\\n( SecurityEvent\\n| where EventID == 4688\\n| where (CommandLine has (\u0027schtasks.exe /CREATE /sc minute /mo 12 /tn\u0027) and CommandLine has (\u0027/tr \\\"wscript.exe\u0027) and CommandLine has (\u0027\\\"%PUBLIC%\\\\\\\\Pictures\\\\\\\\\u0027) and CommandLine has (\u0027//e:VBScript //b\\\" /F\u0027)) or (CommandLine has (\u0027wscript.exe C:\\\\\\\\Users\\\\\\\\\u0027) and CommandLine has (\u0027.wav\u0027) and CommandLine has (\u0027//e:VBScript //b\u0027))\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type, EventID\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName\\n),\\n( CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, SourceUserID, FileHash, Type\\n| extend timestamp = TimeGenerated, FileHashCustomEntity = \u0027SHA256\u0027, Account = SourceUserID\\n),\\n( imFileEvent\\n| where Hash in~ (sha256Hashes) or (ActingProcessCommandLine has (\u0027schtasks.exe /CREATE /sc minute /mo 12 /tn\u0027) and ActingProcessCommandLine has (\u0027/tr \\\"wscript.exe\u0027) and ActingProcessCommandLine has (\u0027\\\"%PUBLIC%\\\\\\\\Pictures\\\\\\\\\u0027) and ActingProcessCommandLine has (\u0027//e:VBScript //b\\\" /F\u0027)) or (ActingProcessCommandLine has (\u0027wscript.exe C:\\\\\\\\Users\\\\\\\\\u0027) and ActingProcessCommandLine has (\u0027.wav\u0027) and ActingProcessCommandLine has (\u0027//e:VBScript //b\u0027) \\n or (ActingProcessCommandLine has_all (\\\"schtasks.exe\\\", \\\"create\\\", \\\"wscript\\\", \\\"e:vbscript\\\", \\\".wav\\\")))\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = Hash\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Image = EventDetail.[4].[\\\"#text\\\"], CommandLine = EventDetail.[10].[\\\"#text\\\"], Hashes = tostring(EventDetail.[17].[\\\"#text\\\"])\\n| extend Hashes = extract_all(@\\\"(?P\u003ckey\u003e\\\\w+)=(?P\u003cvalue\u003e[a-zA-Z0-9]+)\\\", dynamic([\\\"key\\\",\\\"value\\\"]), Hashes)\\n| extend Hashes = column_ifexists(\\\"Hashes\\\", \\\"\\\"), CommandLine = column_ifexists(\\\"CommandLine\\\", \\\"\\\")\\n| where (Hashes has_any (sha256Hashes) ) or (CommandLine has (\u0027schtasks.exe /CREATE /sc minute /mo 12 /tn\u0027) and CommandLine has (\u0027/tr \\\"wscript.exe\u0027) and CommandLine has (\u0027\\\"%PUBLIC%\\\\\\\\Pictures\\\\\\\\\u0027) and CommandLine has (\u0027//e:VBScript //b\\\" /F\u0027)) or (CommandLine has (\u0027wscript.exe C:\\\\\\\\Users\\\\\\\\\u0027) and CommandLine has (\u0027.wav\u0027) and CommandLine has (\u0027//e:VBScript //b\u0027) or (CommandLine has_all (\\\"schtasks.exe\\\", \\\"create\\\", \\\"wscript\\\", \\\"e:vbscript\\\", \\\".wav\\\")))\\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, Hashes, CommandLine, Image\\n| extend Type = strcat(Type, \\\": \\\", Source)\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), FileHashCustomEntity = Hashes\\n),\\n(DnsEvents\\n| where Name in~ (domains) \\n| project TimeGenerated, Computer, IPAddresses, Name, ClientIP, Type\\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Computer \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress\\n),\\n(VMConnection\\n| where RemoteDnsCanonicalNames has_any (domains)\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| project TimeGenerated, Computer, Direction, ProcessName, SourceIp, DestinationIp, DestinationPort, RemoteDnsQuestions, DNSName,BytesSent, BytesReceived, RemoteCountry, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIp, File = ProcessName\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| project TimeGenerated,Resource, msg_s, Type\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (domains) \\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost\\n),\\n(DeviceNetworkEvents \\n| where isnotempty(RemoteUrl) \\n| where RemoteUrl in~ (domains) \\n| project Type, TimeGenerated, DeviceName, RemoteIP, RemoteUrl, InitiatingProcessAccountName\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, DNSName = RemoteUrl, IPCustomEntity = RemoteIP\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashType\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"ACTINIUM Actor IOCs - Feb 2022\",\"description\":\"Identifies a match across various data feeds for domains, hashes and commands related to an actor tracked by Microsoft as Actinium.\",\"lastUpdatedDateUTC\":\"2022-03-09T00:00:00Z\",\"createdDateUTC\":\"2022-02-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceProcessEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/65360bb0-8986-4ade-a89d-af3cf44d28aa\",\"name\":\"65360bb0-8986-4ade-a89d-af3cf44d28aa\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"let EventNameList = dynamic([\\\"CreateNetworkAclEntry\\\",\\\"CreateRoute\\\",\\\"CreateRouteTable\\\",\\\"CreateInternetGateway\\\",\\\"CreateNatGateway\\\"]);\\nAWSCloudTrail\\n| where EventName in~ (EventNameList)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, \\nUserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion, EventSource, AdditionalEventData, ResponseElements\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"PrivilegeEscalation\",\"LateralMovement\"],\"displayName\":\"Changes to Amazon VPC settings\",\"description\":\"Amazon Virtual Private Cloud (Amazon VPC) lets you provision a logically isolated section of the AWS Cloud where you can launch AWS resources\\nin a virtual network that you define.\\nThis identifies changes to Amazon VPC (Virtual Private Cloud) settings such as new ACL entries,routes, routetable or Gateways.\\nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255 \\nand AWS VPC API Docs: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/OperationList-query-vpc.html\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f2eb15bd-8a88-4b24-9281-e133edfba315\",\"name\":\"f2eb15bd-8a88-4b24-9281-e133edfba315\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.2\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet aadFunc = (tableName:string){\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n table(tableName) | where TimeGenerated \u003e= ago(dt_lookBack)\\n | extend Status = todynamic(Status), LocationDetails = todynamic(LocationDetails)\\n | extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails), StatusReason = tostring(Status.failureReason)\\n | extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion)\\n // renaming time column so it is clear the log this came from\\n | extend SigninLogs_TimeGenerated = TimeGenerated, Type = Type\\n)\\non $left.TI_ipEntity == $right.IPAddress\\n| where SigninLogs_TimeGenerated \u003c ExpirationDateTime\\n| summarize SigninLogs_TimeGenerated = arg_max(SigninLogs_TimeGenerated, *) by IndicatorId, IPAddress\\n| project SigninLogs_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, IPAddress, UserPrincipalName, AppDisplayName, StatusCode, StatusDetails, StatusReason, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, Type\\n| extend timestamp = SigninLogs_TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress, URLCustomEntity = Url\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to SigninLogs\",\"description\":\"Identifies a match in SigninLogs from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6e715730-82c0-496c-983b-7a20c4590bd9\",\"name\":\"6e715730-82c0-496c-983b-7a20c4590bd9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let accountLookback = 3d;\\nlet requestLookback = 3d;\\nlet extraction_regex = @\\\"(?:\\\\?|\u0026)[a-zA-Z0-9\\\\%]*=([a-zA-Z0-9\\\\/\\\\+\\\\=]*)\\\";\\n// Collect account names and base64 encode them\\nDeviceEvents\\n| where TimeGenerated \u003e ago(accountLookback)\\n| summarize make_set(DeviceId), make_set(DeviceName) by InitiatingProcessAccountName\\n| where isnotempty(InitiatingProcessAccountName)\\n| extend base64_user = base64_encode_tostring(InitiatingProcessAccountName)\\n| join (\\n // Collect requests and extract base64 parameters\\n CommonSecurityLog\\n | where TimeGenerated \u003e ago(requestLookback)\\n | where isnotempty(RequestURL)\\n // Summarize early on the RequestURL\\n | summarize FirstRequest=min(TimeGenerated), LastRequest=max(TimeGenerated), NumberOfRequests=count() by RequestURL\\n | extend base64_candidate = extract_all(extraction_regex, RequestURL)\\n | mv-expand base64_candidate to typeof(string)\\n) on $left.base64_user == $right.base64_candidate\\n| project FirstRequest, LastRequest, NumberOfRequests, RequestURL, DeviceIds=set_DeviceId, DeviceNames=set_DeviceName, UserName=InitiatingProcessAccountName\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"DeviceNames\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"RequestURL\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"UserName\"}]}],\"tactics\":[\"Exfiltration\",\"CommandAndControl\"],\"displayName\":\"Windows host username encoded in base64 web request\",\"description\":\"This detection will identify network requests in HTTP proxy data that contains Base64 encoded usernames from machines in the DeviceEvents table.\\nThis technique was seen usee by POLONIUM in their RunningRAT tool.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2022-05-31T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e4779bdc-397a-4b71-be28-59e6a1e1d16b\",\"name\":\"e4779bdc-397a-4b71-be28-59e6a1e1d16b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"ZoomLogs\\n| where Event =~ \\\"account.settings_updated\\\"\\n| extend NewE2ESetting = columnifexists(\\\"payload_object_settings_in_meeting_e2e_encryption_b\\\", \\\"\\\")\\n| extend OldE2ESetting = columnifexists(\\\"payload_old_object_settings_in_meeting_e2e_encryption_b\\\", \\\"\\\")\\n| where OldE2ESetting =~ \u0027false\u0027 and NewE2ESetting =~ \u0027true\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\",\"Discovery\"],\"displayName\":\"Zoom E2E Encryption Disabled\",\"description\":\"This alerts when end to end encryption is disabled for Zoom meetings.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-04-24T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/194dd92e-d6e7-4249-85a5-273350a7f5ce\",\"name\":\"194dd92e-d6e7-4249-85a5-273350a7f5ce\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"OfficeActivity\\n| where UserType in~ (\\\"Admin\\\",\\\"DcAdmin\\\") \\n// Only admin or global-admin can disable audit logging\\n| where Operation =~ \\\"Set-AdminAuditLogConfig\\\" \\n| extend AdminAuditLogEnabledValue = tostring(parse_json(tostring(parse_json(tostring(array_slice(parse_json(Parameters),3,3)))[0])).Value)\\n| where AdminAuditLogEnabledValue =~ \\\"False\\\" \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), OperationCount = count() by Operation, UserType, UserId, ClientIP, ResultStatus, Parameters, AdminAuditLogEnabledValue\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Exchange AuditLog disabled\",\"description\":\"Identifies when the exchange audit logging has been disabled which may be an adversary attempt\\nto evade detection or avoid other defenses.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-04-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/218f60de-c269-457a-b882-9966632b9dc6\",\"name\":\"218f60de-c269-457a-b882-9966632b9dc6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"AuditLogs\\n| where Category =~ \\\"RoleManagement\\\"\\n| where ActivityDisplayName has_any (\\\"Add eligible member to role\\\", \\\"Add member to role\\\")\\n| mv-expand TargetResources\\n| mv-expand TargetResources.modifiedProperties\\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\\n| where displayName_ =~ \\\"Role.DisplayName\\\"\\n| extend RoleName = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\\n| where RoleName contains \\\"Admin\\\"\\n| extend Target = tostring(TargetResources.userPrincipalName)\\n| summarize dcount(Target) by bin(TimeGenerated, 1h)\\n| where dcount_Target \u003e 9\\n| join kind=rightsemi (AuditLogs\\n| where Category =~ \\\"RoleManagement\\\"\\n| where ActivityDisplayName has_any (\\\"Add eligible member to role\\\", \\\"Add member to role\\\")\\n| mv-expand TargetResources\\n| mv-expand TargetResources.modifiedProperties\\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\\n| where displayName_ =~ \\\"Role.DisplayName\\\"\\n| extend RoleName = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\\n| where RoleName contains \\\"Admin\\\"\\n| extend Target = tostring(TargetResources.userPrincipalName)\\n| extend TimeWindow = bin(TimeGenerated, 1h)) on $left.TimeGenerated == $right.TimeWindow\\n| extend AccountCustomEntity = Target\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Bulk Changes to Privileged Account Permissions\",\"description\":\"Identifies when changes to multiple users permissions are changed at once. Investigate immediately if not a planned change. This setting could enable an attacker access to Azure subscriptions in your environment.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-identity-management\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6e575295-a7e6-464c-8192-3e1d8fd6a990\",\"name\":\"6e575295-a7e6-464c-8192-3e1d8fd6a990\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.1\",\"severity\":\"High\",\"query\":\"let IPList = externaldata(IPAddress:string)[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Log4j_IOC_List.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\n//Network logs\\nlet CSlogSourceIP = CommonSecurityLog | summarize by IPAddress = SourceIP, Type;\\nlet CSlogDestIP = CommonSecurityLog | summarize by IPAddress = DestinationIP, Type;\\nlet CSlogMsgIP = CommonSecurityLog | extend MessageIP = extract(IPRegex, 0, Message) | summarize by IPAddress = MessageIP, Type;\\nlet DnsIP = DnsEvents | summarize by IPAddress = IPAddresses, Type;\\n// If you have enabled the imDNS and/or imNetworkSession normalization in your workspace, you can uncomment one or both below. Reference - https://docs.microsoft.com/azure/sentinel/normalization\\n//let imDnsIP = imDns (response_has_any_prefix=IPList) | summarize by IPAddress = ResponseName, Type;\\n//let imNetSessIP = imNetworkSession (dstipaddr_has_any_prefix=IPList) | summarize by IPAddress = DstIpAddr, Type;\\n//Cloud service logs\\nlet officeIP = OfficeActivity | summarize by IPAddress = ClientIP, Type;\\nlet signinIP = SigninLogs | summarize by IPAddress, Type;\\nlet nonintSigninIP = AADNonInteractiveUserSignInLogs | summarize by IPAddress, Type;\\nlet azureActIP = AzureActivity | summarize by IPAddress = CallerIpAddress, Type;\\nlet awsCtIP = AWSCloudTrail | summarize by IPAddress = SourceIpAddress, Type;\\n//Device logs\\nlet vmConnSourceIP = VMConnection | summarize by IPAddress = SourceIp, Type;\\nlet vmConnDestIP = VMConnection | summarize by IPAddress = DestinationIp, Type;\\nlet iisLogIP = W3CIISLog | summarize by IPAddress = cIP, Type;\\nlet devNetIP = DeviceNetworkEvents | summarize by IPAddress = RemoteIP, Type;\\n//need to parse to get IP\\nlet azureDiagIP = AzureDiagnostics | where ResourceType == \\\"AZUREFIREWALLS\\\" | where Category in (\\\"AzureFirewallApplicationRule\\\", \\\"AzureFirewallNetworkRule\\\") \\n| where msg_s has_any (IPList) | parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action | summarize by IPAddress = DestinationHost, Type;\\nlet sysEvtIP = Event | where Source == \\\"Microsoft-Windows-Sysmon\\\" | where EventID == 3 | where EventData has_any (IPList) | extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = tostring(EventDetail.[9].[\\\"#text\\\"]), DestinationIP = tostring(EventDetail.[14].[\\\"#text\\\"])\\n| where SourceIP in (IPList) or DestinationIP in (IPList) | extend IPAddress = iff(SourceIP in (IPList), SourceIP, DestinationIP) | summarize by IPAddress, Type;\\n// If you have enabled the imDNS and/or imNetworkSession normalization in your workdspace, you can uncomment below and include. Reference - https://docs.microsoft.com/azure/sentinel/normalization\\n//let ipsort = union isfuzzy=true CSlogDestIP, CSlogMsgIP, CSlogSourceIP, DnsIP, officeIP, signinIP, nonintSigninIP, azureActIP, awsCtIP, vmConnDestIP, vmConnSourceIP, azureDiagIP, sysEvtIP, imDnsIP, imNetSessIP\\n// If you uncomment above, then comment out the line below\\nlet ipsort = union isfuzzy=true CSlogDestIP, CSlogMsgIP, CSlogSourceIP, DnsIP, officeIP, signinIP, nonintSigninIP, azureActIP, awsCtIP, vmConnDestIP, vmConnSourceIP, azureDiagIP, sysEvtIP\\n| summarize by IPAddress\\n| where isnotempty(IPAddress) | where not(ipv4_is_private(IPAddress)) and IPAddress !in (\u00270.0.0.0\u0027,\u0027127.0.0.1\u0027);\\nlet ipMatch = ipsort | where IPAddress in (IPList);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (ipMatch) or DestinationIP in (ipMatch) or Message has_any (ipMatch)\\n| project TimeGenerated, SourceIP, DestinationIP, Message, SourceUserID, RequestURL, Type\\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend IPMatch = case(SourceIP in (ipMatch), \\\"SourceIP\\\", DestinationIP in (ipMatch), \\\"DestinationIP\\\", MessageIP in (ipMatch), \\\"Message\\\", \\\"No Match\\\")\\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, \\\"No Match\\\")\\n),\\n(OfficeActivity\\n| where ClientIP in (ipMatch)\\n| project TimeGenerated, UserAgent, Operation, RecordType, UserId, ClientIP, Type\\n| extend SourceIPAddress = ClientIP, Account = UserId\\n| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account\\n),\\n(DnsEvents\\n| where IPAddresses has_any (ipMatch)\\n| project TimeGenerated, Computer, IPAddresses, Name, ClientIP, Type\\n| extend DestinationIPAddress = IPAddresses, Host = Computer\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n),\\n(VMConnection\\n| where SourceIp in (ipMatch) or DestinationIp in (ipMatch)\\n| project TimeGenerated, Computer, SourceIp, DestinationIp, Type\\n| extend IPMatch = case( SourceIp in (ipMatch), \\\"SourceIP\\\", DestinationIp in (ipMatch), \\\"DestinationIP\\\", \\\"None\\\")\\n| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"None\\\"), Host = Computer\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| where EventData has_any (ipMatch)\\n| project TimeGenerated, EventData, UserName, Computer, Type\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = tostring(EventDetail.[9].[\\\"#text\\\"]), DestinationIP = tostring(EventDetail.[14].[\\\"#text\\\"])\\n| where SourceIP in (ipMatch) or DestinationIP in (ipMatch)\\n| extend IPMatch = case( SourceIP in (ipMatch), \\\"SourceIP\\\", DestinationIP in (ipMatch), \\\"DestinationIP\\\", \\\"None\\\")\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n),\\n(SigninLogs\\n| where IPAddress in (ipMatch)\\n| project TimeGenerated, UserPrincipalName, IPAddress, Type\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n),\\n(AADNonInteractiveUserSignInLogs\\n| where IPAddress in (ipMatch)\\n| project TimeGenerated, UserPrincipalName, IPAddress, Type\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n),\\n(W3CIISLog\\n| where cIP in (ipMatch)\\n| project TimeGenerated, Computer, cIP, csUserName, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName\\n),\\n(AzureActivity\\n| where CallerIpAddress in (ipMatch)\\n| project TimeGenerated, CallerIpAddress, Caller, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller\\n),\\n(\\nAWSCloudTrail\\n| where SourceIpAddress in (ipMatch)\\n| project TimeGenerated, SourceIpAddress, UserIdentityUserName, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName\\n), \\n( \\nDeviceNetworkEvents\\n| where RemoteIP in (ipMatch)\\n| where ActionType == \\\"InboundConnectionAccepted\\\"\\n| project TimeGenerated, RemoteIP, DeviceName, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName\\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category in (\\\"AzureFirewallApplicationRule\\\", \\\"AzureFirewallNetworkRule\\\")\\n| where msg_s has_any (ipMatch)\\n| project TimeGenerated, msg_s, Type\\n| parse msg_s with Protocol \u0027request from \u0027 SourceIP \u0027:\u0027 SourcePort \u0027to \u0027 DestinationIP \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where DestinationIP has_any (ipMatch)\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIP\\n)\\n// If you have enabled the imDNS and/or imNetworkSession normalization in your workdspace, you can uncomment below and include. Reference - https://docs.microsoft.com/azure/sentinel/normalization\\n//,\\n//(imDns (response_has_any_prefix=IPList)\\n//| project TimeGenerated, ResponseName, SrcIpAddr, Type\\n//| extend DestinationIPAddress = ResponseName, Host = SrcIpAddr\\n//| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n//),\\n//(imNetworkSession (dstipaddr_has_any_prefix=IPList)\\n//| project TimeGenerated, DstIpAddr, SrcIpAddr, Type\\n//| extend timestamp = TimeGenerated, IPCustomEntity = DstIpAddr, HostCustomEntity = SrcIpAddr\\n//)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Log4j vulnerability exploit aka Log4Shell IP IOC\",\"description\":\"Identifies a match across various data feeds for IP IOCs related to the Log4j vulnerability exploit aka Log4Shell described in CVE-2021-44228. \\n References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44228\u0027 \",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2019-12-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AzureMonitor(WireData)\",\"dataTypes\":[\"WireData\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bda5a2bd-979b-4828-a91f-27c2a5048f7f\",\"name\":\"bda5a2bd-979b-4828-a91f-27c2a5048f7f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT30M\",\"queryPeriod\":\"PT30M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let lbtime = 30m;\\nlet msgthreshold = 3;\\nProofpointPOD\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027outbound\u0027\\n| extend attachedMimeType = todynamic(MsgParts)[0][\u0027detectedMime\u0027]\\n| where attachedMimeType == \u0027application/zip\u0027\\n| summarize count() by SrcUserUpn, DstUserUpn\\n| where count_ \u003e msgthreshold\\n| extend AccountCustomEntity = SrcUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"ProofpointPOD - Multiple archived attachments to the same recipient\",\"description\":\"Detects when multiple emails where sent to the same recipient with large archived attachments.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1baaaf00-655f-4de9-8ff8-312e902cda71\",\"name\":\"1baaaf00-655f-4de9-8ff8-312e902cda71\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let known_locations = (\\n AADServicePrincipalSignInLogs\\n | where TimeGenerated between(ago(14d)..ago(1d))\\n | where ResultType == 0\\n | summarize by Location);\\n AADServicePrincipalSignInLogs\\n | where TimeGenerated \u003e ago(1d)\\n | where ResultType != 50126\\n | where Location !in (known_locations)\\n | extend City = tostring(parse_json(LocationDetails).city)\\n | extend State = tostring(parse_json(LocationDetails).state)\\n | extend Place = strcat(City, \\\" - \\\", State)\\n | extend Result = strcat(tostring(ResultType), \\\" - \\\", ResultDescription)\\n | summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated), make_set(Result), make_set(IPAddress), make_set(Place) by ServicePrincipalName, Location\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"ServicePrincipalName\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Service Principal Authentication Attempt from New Country\",\"description\":\"Detects when there is a Service Principal login attempt from a country that has not seen a successful login in the previous 14 days.\\n Threat actors may attempt to authenticate with credentials from compromised accounts - monitoring attempts from anomalous locations may help identify these attempts.\\n Authentication attempts should be investigated to ensure the activity was legitimate and if there is other similar activity.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADServicePrincipalSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/39198934-62a0-4781-8416-a81265c03fd6\",\"name\":\"39198934-62a0-4781-8416-a81265c03fd6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let detectionTime = 1d;\\nlet joinLookback = 14d;\\nAuditLogs\\n| where TimeGenerated \u003e ago(detectionTime)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Consent to application\\\"\\n| where TargetResources has \\\"offline\\\"\\n| extend AppDisplayName = TargetResources.[0].displayName\\n| extend AppClientId = tolower(TargetResources.[0].id)\\n| where AppClientId !in ((externaldata(knownAppClientId:string, knownAppDisplayName:string)[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.OAuth.KnownApplications.csv\\\"] with (format=\\\"csv\\\")))\\n| extend ConsentFull = TargetResources[0].modifiedProperties[4].newValue\\n| parse ConsentFull with * \\\"ConsentType: \\\" GrantConsentType \\\", Scope: \\\" GrantScope1 \\\"]\\\" *\\n| where ConsentFull contains \\\"user.read\\\" and ConsentFull contains \\\"offline_access\\\" and ConsentFull contains \\\"mail.readwrite\\\" and ConsentFull contains \\\"mail.send\\\" and ConsentFull contains \\\"files.read.all\\\"\\n| where GrantConsentType != \\\"AllPrincipals\\\" // NOTE: we are ignoring if OAuth application was granted to all users via an admin - but admin due diligence should be audited occasionally\\n| extend GrantIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n| extend GrantInitiatedBy = iff(isnotempty(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend GrantUserAgent = iff(AdditionalDetails[0].key =~ \\\"User-Agent\\\", AdditionalDetails[0].value, \\\"\\\")\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, GrantIpAddress, GrantUserAgent, AppClientId, OperationName, ConsentFull, CorrelationId\\n| join kind = leftouter (AuditLogs\\n| where TimeGenerated \u003e ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add service principal\\\"\\n| extend AppClientId = tolower(TargetResources[0].id)\\n| extend AppReplyURLs = iff(TargetResources[0].modifiedProperties[1].newValue has \\\"AddressType\\\", TargetResources[0].modifiedProperties[1].newValue, \\\"\\\")\\n| distinct AppClientId, tostring(AppReplyURLs)\\n)\\non AppClientId\\n| join kind = innerunique (AuditLogs\\n| where TimeGenerated \u003e ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add OAuth2PermissionGrant\\\" or OperationName =~ \\\"Add delegated permission grant\\\"\\n| extend GrantAuthentication = tostring(TargetResources[0].displayName)\\n| extend GrantOperation = OperationName\\n| project GrantAuthentication, GrantOperation, CorrelationId\\n) on CorrelationId\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantIpAddress, GrantUserAgent, AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull\\n| extend timestamp = TimeGenerated, AccountCustomEntity = GrantInitiatedBy, IPCustomEntity = GrantIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\",\"DefenseEvasion\"],\"displayName\":\"Suspicious application consent similar to PwnAuth\",\"description\":\"This will alert when a user consents to provide a previously-unknown Azure application with the same OAuth permissions used by the FireEye PwnAuth toolkit (https://github.com/fireeye/PwnAuth).\\nThe default permissions/scope for the PwnAuth toolkit are user.read, offline_access, mail.readwrite, mail.send, and files.read.all.\\nConsent to applications with these permissions should be rare, especially as the knownApplications list is expanded. Public contributions to expand this filter are welcome!\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fbd72eb8-087e-466b-bd54-1ca6ea08c6d3\",\"name\":\"fbd72eb8-087e-466b-bd54-1ca6ea08c6d3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let opList = OfficeActivity \\n| summarize by Operation\\n//| where Operation startswith \\\"Remove-\\\" or Operation startswith \\\"Disable-\\\"\\n| where Operation has_any (\\\"Remove\\\", \\\"Disable\\\")\\n| where Operation contains \\\"AntiPhish\\\" or Operation contains \\\"SafeAttachment\\\" or Operation contains \\\"SafeLinks\\\" or Operation contains \\\"Dlp\\\" or Operation contains \\\"Audit\\\"\\n| summarize make_set(Operation);\\nOfficeActivity\\n// Only admin or global-admin can disable/remove policy\\n| where RecordType =~ \\\"ExchangeAdmin\\\"\\n| where UserType in~ (\\\"Admin\\\",\\\"DcAdmin\\\")\\n// Pass in interesting Operation list\\n| where Operation in~ (opList)\\n| extend ClientIPOnly = case( \\nClientIP has \\\".\\\", tostring(split(ClientIP,\\\":\\\")[0]), \\nClientIP has \\\"[\\\", tostring(trim_start(@\u0027[[]\u0027,tostring(split(ClientIP,\\\"]\\\")[0]))),\\nClientIP\\n) \\n| extend Port = case(\\nClientIP has \\\".\\\", (split(ClientIP,\\\":\\\")[1]),\\nClientIP has \\\"[\\\", tostring(split(ClientIP,\\\"]:\\\")[1]),\\nClientIP\\n)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), OperationCount = count() by Operation, UserType, UserId, ClientIP = ClientIPOnly, Port, ResultStatus, Parameters\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"DefenseEvasion\"],\"displayName\":\"Office policy tampering\",\"description\":\"Identifies if any tampering is done to either auditlog, ATP Safelink, SafeAttachment, AntiPhish or Dlp policy. \\nAn adversary may use this technique to evade detection or avoid other policy based defenses.\\nReferences: https://learn.microsoft.com/powershell/module/exchange/advanced-threat-protection/remove-antiphishrule?view=exchange-ps.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-04-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/06a9b845-6a95-4432-a78b-83919b28c375\",\"name\":\"06a9b845-6a95-4432-a78b-83919b28c375\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":3,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet scorethreshold = 5;\\nlet percentotalthreshold = 50;\\nlet TimeSeriesData = CommonSecurityLog\\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| project TimeGenerated,SourceIP, DestinationIP, DeviceVendor\\n| make-series Total=count() on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by DeviceVendor;\\n// Filtering specific records associated with spikes as outliers\\nlet TimeSeriesAlerts=materialize(TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(Total, scorethreshold, -1, \u0027linefit\u0027)\\n| mv-expand Total to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double),score to typeof(double), baseline to typeof(long)\\n| where anomalies \u003e 0 | extend score = round(score,2), AnomalyHour = TimeGenerated\\n| project DeviceVendor,AnomalyHour, TimeGenerated, Total, baseline, anomalies, score);\\nlet AnomalyHours = materialize(TimeSeriesAlerts | where TimeGenerated \u003e ago(2d) | project TimeGenerated);\\n// Join anomalies with Base Data to popalate associated records for investigation - Results sorted by score in descending order\\nTimeSeriesAlerts\\n| where TimeGenerated \u003e ago(2d)\\n| join (\\n CommonSecurityLog\\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\\n| where TimeGenerated \u003e ago(2d)\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n| summarize HourlyCount = count(), TimeGeneratedMax = arg_max(TimeGenerated, *), DestinationIPlist = make_set(DestinationIP, 100), DestinationPortlist = make_set(DestinationPort, 100) by DeviceVendor, SourceIP, TimeGeneratedHour= bin(TimeGenerated, 1h)\\n| extend AnomalyHour = TimeGeneratedHour\\n) on AnomalyHour, DeviceVendor\\n| extend PercentTotal = round((HourlyCount / Total) * 100, 3)\\n| where PercentTotal \u003e percentotalthreshold\\n| project DeviceVendor , AnomalyHour, TimeGeneratedMax, SourceIP, DestinationIPlist, DestinationPortlist, HourlyCount, PercentTotal, Total, baseline, score, anomalies\\n| summarize HourlyCount=sum(HourlyCount), StartTimeUtc=min(TimeGeneratedMax), EndTimeUtc=max(TimeGeneratedMax), SourceIPlist = make_set(SourceIP, 100), SourceIPMax= arg_max(SourceIP, *), DestinationIPlist = make_set(DestinationIPlist, 100), DestinationPortlist = make_set(DestinationPortlist, 100) by DeviceVendor , AnomalyHour, Total, baseline, score, anomalies\\n| project DeviceVendor , AnomalyHour, EndTimeUtc, SourceIPMax ,SourceIPlist, DestinationIPlist, DestinationPortlist, HourlyCount, Total, baseline, score, anomalies\\n| extend timestamp= EndTimeUtc , IPCustomEntity = SourceIPMax\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"Time series anomaly detection for total volume of traffic\",\"description\":\"Identifies anamalous spikes in network traffic logs as compared to baseline or normal historical patterns.\\nThe query leverages a KQL built-in anomaly detection algorithm to find large deviations from baseline patterns.\\nSudden increases in network traffic volume may be an indication of data exfiltration attempts and should be investigated.\\nThe higher the score, the further it is from the baseline value.\\nThe output is aggregated to provide summary view of unique source IP to destination IP address and port traffic observed in the flagged anomaly hour.\\nThe source IP addresses which were sending less than percentotalthreshold of the total traffic have been exluded whose value can be adjusted as needed .\\nYou may have to run queries for individual source IP addresses from SourceIPlist to determine if anything looks suspicious\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2019-05-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Barracuda\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f110287e-1358-490d-8147-ed804b328514\",\"name\":\"f110287e-1358-490d-8147-ed804b328514\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n AWSCloudTrail | where TimeGenerated \u003e= ago(dt_lookBack)\\n // renaming time column so it is clear the log this came from\\n | extend AWSCloudTrail_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.SourceIpAddress\\n| where AWSCloudTrail_TimeGenerated \u003c ExpirationDateTime\\n| summarize AWSCloudTrail_TimeGenerated = arg_max(AWSCloudTrail_TimeGenerated, *) by IndicatorId, SourceIpAddress\\n| project AWSCloudTrail_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserIdentityUserName, SourceIpAddress,\\nNetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = AWSCloudTrail_TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to AWSCloudTrail\",\"description\":\"Identifies a match in AWSCloudTrail from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7249500f-3038-4b83-8549-9cd8dfa2d498\",\"name\":\"7249500f-3038-4b83-8549-9cd8dfa2d498\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"de-ma.online\\\", \\\"g20saudi.000webhostapp.com\\\", \\\"ksat20.000webhostapp.com\\\"]);\\nlet EmailAddresses = dynamic([\\\"munichconference1962@gmail.com\\\",\\\"munichconference@outlook.de\\\", \\\"munichconference@outlook.com\\\", \\\"t20saudiarabia@gmail.com\\\", \\\"t20saudiarabia@hotmail.com\\\", \\\"t20saudiarabia@outlook.sa\\\"]);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend RequestURLIP = extract(IPRegex, 0, Message)\\n| where (isnotempty(DNSName) and DNSName has_any (DomainNames)) \\n or (isnotempty(DestinationHostName) and DestinationHostName has_any (DomainNames)) \\n or (isnotempty(RequestURL) and (RequestURL has_any (DomainNames)))\\n| extend timestamp = TimeGenerated , AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName\\n),\\n(DnsEvents \\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Host = Computer\\n| where DNSName has_any (DomainNames) \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host),\\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where isnotempty(DNSName)\\n| where DNSName has_any (DomainNames)\\n| extend timestamp = TimeGenerated , HostCustomEntity = Computer),\\n(SecurityAlert\\n| where ProviderName =~ \u0027OATP\u0027\\n| extend UPN = case(isnotempty(parse_json(Entities)[0].Upn), parse_json(Entities)[0].Upn, \\n isnotempty(parse_json(Entities)[1].Upn), parse_json(Entities)[1].Upn,\\n isnotempty(parse_json(Entities)[2].Upn), parse_json(Entities)[2].Upn,\\n isnotempty(parse_json(Entities)[3].Upn), parse_json(Entities)[3].Upn,\\n isnotempty(parse_json(Entities)[4].Upn), parse_json(Entities)[4].Upn,\\n isnotempty(parse_json(Entities)[5].Upn), parse_json(Entities)[5].Upn,\\n isnotempty(parse_json(Entities)[6].Upn), parse_json(Entities)[6].Upn,\\n isnotempty(parse_json(Entities)[7].Upn), parse_json(Entities)[7].Upn,\\n isnotempty(parse_json(Entities)[8].Upn), parse_json(Entities)[8].Upn,\\n parse_json(Entities)[9].Upn)\\n| where Entities has_any (EmailAddresses)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = tostring(UPN)),\\n(AzureDiagnostics\\n| where ResourceType =~ \\\"AZUREFIREWALLS\\\"\\n| where msg_s has_any (DomainNames)\\n| extend timestamp = TimeGenerated))\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"InitialAccess\"],\"displayName\":\"Known PHOSPHORUS group domains/IP - October 2020\",\"description\":\"Matches IOCs related to PHOSPHORUS group activity published October 2020 with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes.\\nReferences: \",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-10-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog (Cisco)\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog (Zscaler)\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog (Fortinet)\"]},{\"connectorId\":\"OfficeATP\",\"dataTypes\":[\"SecurityAlert (OATP)\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics (Azure Firewall)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5ef06767-b37c-4818-b035-47de950d0046\",\"name\":\"5ef06767-b37c-4818-b035-47de950d0046\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"// How far back to look for events from\\nlet timeframe = 1d;\\n// How close together build events and file modifications should occur to alert (make this smaller to reduce FPs)\\nlet time_window = 5m;\\n// Edit this to include build processes used\\nlet build_processes = dynamic([\\\"MSBuild.exe\\\", \\\"dotnet.exe\\\", \\\"VBCSCompiler.exe\\\"]);\\n// Include any processes that you want to allow to edit files during/around the build process\\nlet allow_list = dynamic([\\\"\\\"]);\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n// Look for build process starts\\n| where EventID == 4688\\n| where Process has_any (build_processes)\\n| summarize by BuildParentProcess=ParentProcessName, BuildProcess=Process, BuildAccount = Account, Computer, BuildCommand=CommandLine, timekey= bin(TimeGenerated, time_window), BuildProcessTime=TimeGenerated\\n| join kind=inner(\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n// Look for file modifications to code file\\n| where EventID == 4663\\n| where Process !in (allow_list)\\n// Look for code files, edit this to include file extensions used in build.\\n| where ObjectName endswith \\\".cs\\\" or ObjectName endswith \\\".cpp\\\"\\n// 0x6 and 0x4 for file append, 0x100 for file replacements\\n| where AccessMask == \\\"0x6\\\" or AccessMask == \\\"0x4\\\" or AccessMask == \\\"0X100\\\"\\n| summarize by FileEditParentProcess=ParentProcessName, FileEditAccount = Account, Computer, FileEdited=ObjectName, FileEditProcess=ProcessName, timekey= bin(TimeGenerated, time_window), FileEditTime=TimeGenerated)\\n// join where build processes and file modifications seen at same time on same host\\non timekey, Computer\\n// Limit to only where the file edit happens after the build process starts\\n| where BuildProcessTime \u003c= FileEditTime\\n| summarize make_set(FileEdited), make_set(FileEditProcess), make_set(FileEditAccount) by timekey, Computer, BuildParentProcess, BuildProcess\\n| extend HostCustomEntity=Computer, timestamp=timekey\\n),\\n(WindowsEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n// Look for build process starts\\n| where EventID == 4688 and EventData has_any (build_processes)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where Process has_any (build_processes)\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend CommandLine = tostring(EventData.CommandLine) \\n| summarize by BuildParentProcess=ParentProcessName, BuildProcess=Process, BuildAccount = Account, Computer, BuildCommand=CommandLine, timekey= bin(TimeGenerated, time_window), BuildProcessTime=TimeGenerated\\n| join kind=inner(\\nWindowsEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n// Look for file modifications to code file\\n| where EventID == 4663 and EventData has_any (\\\"0x6\\\", \\\"0x4\\\", \\\"0X100\\\") and EventData has_any (\\\".cs\\\", \\\".cpp\\\")\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where Process !in (allow_list)\\n// Look for code files, edit this to include file extensions used in build.\\n| extend ObjectName = tostring(EventData.ObjectName)\\n| where ObjectName endswith \\\".cs\\\" or ObjectName endswith \\\".cpp\\\"\\n// 0x6 and 0x4 for file append, 0x100 for file replacements\\n| extend AccessMask = tostring(EventData.AccessMask) \\n| where AccessMask == \\\"0x6\\\" or AccessMask == \\\"0x4\\\" or AccessMask == \\\"0X100\\\"\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| summarize by FileEditParentProcess=ParentProcessName, FileEditAccount = Account, Computer, FileEdited=ObjectName, FileEditProcess=ProcessName, timekey= bin(TimeGenerated, time_window), FileEditTime=TimeGenerated)\\n// join where build processes and file modifications seen at same time on same host\\non timekey, Computer\\n// Limit to only where the file edit happens after the build process starts\\n| where BuildProcessTime \u003c= FileEditTime\\n| summarize make_set(FileEdited), make_set(FileEditProcess), make_set(FileEditAccount) by timekey, Computer, BuildParentProcess, BuildProcess\\n| extend HostCustomEntity=Computer, timestamp=timekey\\n))\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Potential Build Process Compromise\",\"description\":\"The query looks for source code files being modified immediately after a build process is started. The purpose of this is to look for malicious code injection during the build process.\\nMore details: https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-the-software-supply-chain-with-azure-sentinel/ba-p/2176463\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a83ef0f4-dace-4767-bce3-ebd32599d2a0\",\"name\":\"a83ef0f4-dace-4767-bce3-ebd32599d2a0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"DnsEvents\\n| where Name contains \\\".\\\"\\n| where Name has_any (\\\"tor2web.org\\\", \\\"tor2web.com\\\", \\\"torlink.co\\\", \\\"onion.to\\\", \\\"onion.ink\\\", \\\"onion.cab\\\", \\\"onion.nu\\\", \\\"onion.link\\\", \\n\\\"onion.it\\\", \\\"onion.city\\\", \\\"onion.direct\\\", \\\"onion.top\\\", \\\"onion.casa\\\", \\\"onion.plus\\\", \\\"onion.rip\\\", \\\"onion.dog\\\", \\\"tor2web.fi\\\", \\n\\\"tor2web.blutmagie.de\\\", \\\"onion.sh\\\", \\\"onion.lu\\\", \\\"onion.pet\\\", \\\"t2w.pw\\\", \\\"tor2web.ae.org\\\", \\\"tor2web.io\\\", \\\"tor2web.xyz\\\", \\\"onion.lt\\\", \\n\\\"s1.tor-gateways.de\\\", \\\"s2.tor-gateways.de\\\", \\\"s3.tor-gateways.de\\\", \\\"s4.tor-gateways.de\\\", \\\"s5.tor-gateways.de\\\", \\\"hiddenservice.net\\\")\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"DNS events related to ToR proxies\",\"description\":\"Identifies IP addresses performing DNS lookups associated with common ToR proxies.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/42436753-9944-4d70-801c-daaa4d19ddd2\",\"name\":\"42436753-9944-4d70-801c-daaa4d19ddd2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"AlertPerResult\"},\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let threatCategory=\\\"Powershell\\\";\\nlet knownUserAgentsIndicators = materialize(externaldata(UserAgent:string, Category:string)\\n [ @\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/UnusualUserAgents.csv\\\"]\\n with(format=\\\"csv\\\", ignoreFirstRecord=True));\\nlet knownUserAgents=toscalar(knownUserAgentsIndicators | where Category==threatCategory | where isnotempty(UserAgent) | summarize make_list(UserAgent));\\nlet customUserAgents=toscalar(_GetWatchlist(\\\"UnusualUserAgents\\\") | where SearchKey==threatCategory | extend UserAgent=column_ifexists(\\\"UserAgent\\\",\\\"\\\") | where isnotempty(UserAgent) | summarize make_list(UserAgent));\\nlet fullUAList = array_concat(knownUserAgents,customUserAgents);\\n_Im_WebSession(httpuseragent_has_any=fullUAList)\\n| project SrcIpAddr, Url, TimeGenerated,HttpUserAgent, SrcUsername\",\"customDetails\":{\"UserAgent\":\"HttpUserAgent\"},\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"SrcUsername\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Host {{SrcIpAddr}} is potentially running PowerShell\",\"alertDescriptionFormat\":\"The host at address {{SrcIpAddr}} sent an HTTP request to the URL {{Url}} with the HTTP user agent header {{HttpUserAgent}}. This user agent is known to be used by PoerShell and indicates suspicious activity on the host.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"CommandAndControl\",\"DefenseEvasion\"],\"displayName\":\"A host is potentially running PowerShell to send HTTP(S) requests (ASIM Web Session schema)\",\"description\":\"This rule identifies a web request with a user agent header known to belong PowerShell. \u003cbr\u003eYou can add custom Powershell indicating User-Agent headers using a watchlist, for more information refer to the [UnusualUserAgents Watchlist](https://aka.ms/ASimUnusualUserAgentsWatchlist).\u003cbr\u003e\u003cbr\u003e\\n This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema)\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2021-12-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/56fe0db0-6779-46fa-b3c5-006082a53064\",\"name\":\"56fe0db0-6779-46fa-b3c5-006082a53064\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let tokens = dynamic([\\\"416\\\",\\\"208\\\",\\\"128\\\",\\\"120\\\",\\\"96\\\",\\\"80\\\",\\\"72\\\",\\\"64\\\",\\\"48\\\",\\\"44\\\",\\\"40\\\",\\\"g5\\\",\\\"gs5\\\",\\\"g4\\\",\\\"gs4\\\",\\\"nc12\\\",\\\"nc24\\\",\\\"nv12\\\"]);\\nlet operationList = dynamic([\\\"microsoft.compute/virtualmachines/write\\\", \\\"microsoft.resources/deployments/write\\\"]);\\nAzureActivity\\n| where tolower(OperationNameValue) in (operationList)\\n| where ActivityStatusValue == \\\"Accepted\\\" \\n| where isnotempty(Properties)\\n| extend vmSize = tolower(tostring(parse_json(tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).responseBody)).properties)).hardwareProfile)).vmSize))\\n| where isnotempty(vmSize)\\n| where vmSize has_any (tokens) \\n| extend ComputerName = tostring(parse_json(tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).responseBody)).properties)).osProfile)).computerName)\\n| extend clientIpAddress = tostring(parse_json(HTTPRequest).clientIpAddress)\\n| project TimeGenerated, OperationNameValue, ActivityStatusValue, Caller, CallerIpAddress, ComputerName, vmSize\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"NRT Creation of expensive computes in Azure\",\"description\":\"Identifies the creation of large size/expensive VMs (GPU or with large no of virtual CPUs) in Azure.\\nAdversary may create new or update existing virtual machines sizes to evade defenses \\nor use it for cryptomining purposes.\\nFor Windows/Linux Vm Sizes - https://docs.microsoft.com/azure/virtual-machines/windows/sizes \\nAzure VM Naming Conventions - https://docs.microsoft.com/azure/virtual-machines/vm-naming-conventions\",\"lastUpdatedDateUTC\":\"2022-03-31T00:00:00Z\",\"createdDateUTC\":\"2020-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5d33fc63-b83b-4913-b95e-94d13f0d379f\",\"name\":\"5d33fc63-b83b-4913-b95e-94d13f0d379f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.0\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet fileHashIndicators = ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n| where isnotempty(FileHashValue);\\n// Handle matches against both lower case and uppercase versions of the hash:\\n(fileHashIndicators | extend FileHashValue = tolower(FileHashValue)\\n| union (fileHashIndicators | extend FileHashValue = toupper(FileHashValue)))\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n CommonSecurityLog | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(FileHash)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n )\\non $left.FileHashValue == $right.FileHash\\n| where CommonSecurityLog_TimeGenerated \u003c ExpirationDateTime\\n| summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, FileHashValue\\n| project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nSourceIP, SourcePort, DestinationIP, DestinationPort, SourceUserID, SourceUserName, DeviceName, DeviceAction,\\nRequestURL, DestinationUserName, DestinationUserID, ApplicationProtocol, Activity, FileHashValue, FileHashType\\n| extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, AccountCustomEntity = SourceUserName, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Value\",\"columnName\":\"FileHashValue\"},{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashType\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map File Hash to CommonSecurityLog Event\",\"description\":\"Identifies a match in CommonSecurityLog Event data from any FileHash IOC from TI\",\"lastUpdatedDateUTC\":\"2022-07-07T00:00:00Z\",\"createdDateUTC\":\"2019-08-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1f3b4dfd-21ff-4ed3-8e27-afc219e05c50\",\"name\":\"1f3b4dfd-21ff-4ed3-8e27-afc219e05c50\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n| where LoggedByService =~ \\\"PIM\\\"\\n| where Category =~ \\\"RoleManagement\\\"\\n| where ActivityDisplayName has \\\"Disable PIM Alert\\\"\\n| extend IpAddress = case(\\n isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)) and tostring(parse_json(tostring(InitiatedBy.user)).ipAddress) != \u0027null\u0027, tostring(parse_json(tostring(InitiatedBy.user)).ipAddress), \\n isnotempty(tostring(parse_json(tostring(InitiatedBy.app)).ipAddress)) and tostring(parse_json(tostring(InitiatedBy.app)).ipAddress) != \u0027null\u0027, tostring(parse_json(tostring(InitiatedBy.app)).ipAddress),\\n \u0027Not Available\u0027)\\n| extend InitiatedBy = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)), \\n tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName)), UserRoles = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n| project InitiatedBy, ActivityDateTime, ActivityDisplayName, IpAddress, AADOperationType, AADTenantId, ResourceId, CorrelationId, Identity\\n| extend timestamp = ActivityDateTime, IPCustomEntity = IpAddress, AccountCustomEntity = tolower(InitiatedBy), ResourceCustomEntity = ResourceId\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Detect PIM Alert Disabling activity\",\"description\":\"Privileged Identity Management (PIM) generates alerts when there is suspicious or unsafe activity in Azure Active Directory (Azure AD) organization. \\nThis query will help detect attackers attempts to disable in product PIM alerts which are associated with Azure MFA requirements and could indicate activation of privileged access\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-09-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d99cf5c3-d660-436c-895b-8a8f8448da23\",\"name\":\"d99cf5c3-d660-436c-895b-8a8f8448da23\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"SigninLogs\\n| where ResultType == 500121\\n| extend additionalDetails_ = tostring(Status.additionalDetails)\\n| where additionalDetails_ =~ \\\"MFA denied; user declined the authentication\\\"\\n| extend AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"AadUserId\",\"columnName\":\"UserId\"},{\"identifier\":\"AadTenantId\",\"columnName\":\"AADTenantId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"MFA Rejected by User\",\"description\":\"Identifies accurances where a user has rejected an MFA prompt. This could be an indicator that a threat actor has compromised the username and password of this user account and is using it to try and log into the account.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d0aa8969-1bbe-4da3-9e76-09e5f67c9d85\",\"name\":\"d0aa8969-1bbe-4da3-9e76-09e5f67c9d85\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n AzureDiagnostics\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where ResourceProvider == \u0027MICROSOFT.SQL\u0027\\n | where Category == \u0027SQLSecurityAuditEvents\u0027\\n | extend SQLSecurityAuditEvents_TimeGenerated = TimeGenerated\\n // projecting fields with column if exists as this is in AzureDiag and if the event is not in the table, then queries will fail due to event specific schemas\\n | extend ClientIP = column_ifexists(\\\"client_ip_s\\\", \\\"Not Available\\\"), Action = column_ifexists(\\\"action_name_s\\\", \\\"Not Available\\\"), \\n Application = column_ifexists(\\\"application_name_s\\\", \\\"Not Available\\\"), HostName = column_ifexists(\\\"host_name_s\\\", \\\"Not Available\\\")\\n)\\non $left.TI_ipEntity == $right.ClientIP\\n| where SQLSecurityAuditEvents_TimeGenerated \u003c ExpirationDateTime\\n| summarize SQLSecurityAuditEvents_TimeGenerated = arg_max(SQLSecurityAuditEvents_TimeGenerated, *) by IndicatorId, ClientIP\\n| project SQLSecurityAuditEvents_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, ResourceId, ClientIP, Action, Application, HostName, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = SQLSecurityAuditEvents_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to Azure SQL Security Audit Events\",\"description\":\"Identifies a match in SQLSecurityAuditEvents from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4a3f5ed7-8da5-4ce2-af6f-c9ada45060f2\",\"name\":\"4a3f5ed7-8da5-4ce2-af6f-c9ada45060f2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @\u0027^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$\u0027;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n OfficeActivity | where TimeGenerated \u003e= ago(dt_lookBack) and isnotempty(UserId)\\n | where UserId matches regex emailregex\\n | extend OfficeActivity_TimeGenerated = TimeGenerated\\n)\\non $left.EmailSenderAddress == $right.UserId\\n| where OfficeActivity_TimeGenerated \u003c ExpirationDateTime\\n| summarize OfficeActivity_TimeGenerated = arg_max(OfficeActivity_TimeGenerated, *) by IndicatorId, UserId\\n| project OfficeActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, UserId, ClientIP, Operation, UserType, RecordType, OfficeWorkload, Parameters\\n| extend timestamp = OfficeActivity_TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map Email entity to OfficeActivity\",\"description\":\"Identifies a match in OfficeActivity table from any Email IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/44a555d8-ecee-4a25-95ce-055879b4b14b\",\"name\":\"44a555d8-ecee-4a25-95ce-055879b4b14b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let timeBin = 10m;\\nlet portThreshold = 30;\\nW3CIISLog\\n| extend scStatusFull = strcat(scStatus, \\\".\\\",scSubStatus) \\n// Map common IIS codes\\n| extend scStatusFull_Friendly = case(\\nscStatusFull == \\\"401.0\\\", \\\"Access denied.\\\",\\nscStatusFull == \\\"401.1\\\", \\\"Logon failed.\\\",\\nscStatusFull == \\\"401.2\\\", \\\"Logon failed due to server configuration.\\\",\\nscStatusFull == \\\"401.3\\\", \\\"Unauthorized due to ACL on resource.\\\",\\nscStatusFull == \\\"401.4\\\", \\\"Authorization failed by filter.\\\",\\nscStatusFull == \\\"401.5\\\", \\\"Authorization failed by ISAPI/CGI application.\\\",\\nscStatusFull == \\\"403.0\\\", \\\"Forbidden.\\\",\\nscStatusFull == \\\"403.4\\\", \\\"SSL required.\\\",\\n\\\"See - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\\")\\n// Mapping to Hex so can be mapped using website in comments above\\n| extend scWin32Status_Hex = tohex(tolong(scWin32Status)) \\n// Map common win32 codes\\n| extend scWin32Status_Friendly = case(\\nscWin32Status_Hex =~ \\\"775\\\", \\\"The referenced account is currently locked out and cannot be logged on to.\\\",\\nscWin32Status_Hex =~ \\\"52e\\\", \\\"Logon failure: Unknown user name or bad password.\\\",\\nscWin32Status_Hex =~ \\\"532\\\", \\\"Logon failure: The specified account password has expired.\\\",\\nscWin32Status_Hex =~ \\\"533\\\", \\\"Logon failure: Account currently disabled.\\\", \\nscWin32Status_Hex =~ \\\"2ee2\\\", \\\"The request has timed out.\\\", \\nscWin32Status_Hex =~ \\\"0\\\", \\\"The operation completed successfully.\\\", \\nscWin32Status_Hex =~ \\\"1\\\", \\\"Incorrect function.\\\", \\nscWin32Status_Hex =~ \\\"2\\\", \\\"The system cannot find the file specified.\\\", \\nscWin32Status_Hex =~ \\\"3\\\", \\\"The system cannot find the path specified.\\\", \\nscWin32Status_Hex =~ \\\"4\\\", \\\"The system cannot open the file.\\\", \\nscWin32Status_Hex =~ \\\"5\\\", \\\"Access is denied.\\\", \\nscWin32Status_Hex =~ \\\"8009030e\\\", \\\"SEC_E_NO_CREDENTIALS\\\", \\nscWin32Status_Hex =~ \\\"8009030C\\\", \\\"SEC_E_LOGON_DENIED\\\", \\n\\\"See - https://msdn.microsoft.com/library/cc231199.aspx\\\")\\n// decode URI when available\\n| extend decodedUriQuery = url_decode(csUriQuery)\\n// Count of attempts by client IP on many ports\\n| summarize makeset(sPort), makeset(decodedUriQuery), makeset(csUserName), makeset(sSiteName), makeset(sPort), makeset(csUserAgent), makeset(csMethod), makeset(csUriQuery), makeset(scStatusFull), makeset(scStatusFull_Friendly), makeset(scWin32Status_Hex), makeset(scWin32Status_Friendly), ConnectionsCount = count() by bin(TimeGenerated, timeBin), cIP, Computer, sIP\\n| extend portCount = arraylength(set_sPort)\\n| where portCount \u003e= portThreshold\\n| project TimeGenerated, cIP, set_sPort, set_csUserName, set_decodedUriQuery, Computer, set_sSiteName, sIP, set_csUserAgent, set_csMethod, set_scStatusFull, set_scStatusFull_Friendly, set_scWin32Status_Hex, set_scWin32Status_Friendly, ConnectionsCount, portCount\\n| order by portCount\\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"High count of connections by client IP on many ports\",\"description\":\"Identifies when 30 or more ports are used for a given client IP in 10 minutes occurring on the IIS server.\\nThis could be indicative of attempted port scanning or exploit attempt at internet facing web applications. \\nThis could also simply indicate a misconfigured service or device.\\nReferences:\\nIIS status code mapping - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\nWin32 Status code mapping - https://msdn.microsoft.com/library/cc231199.aspx\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-03-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2de8abd6-a613-450e-95ed-08e503369fb3\",\"name\":\"2de8abd6-a613-450e-95ed-08e503369fb3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"AzureDiagnostics\\n| where details_data_s has \\\"jndi:\\\"\\n| parse details_data_s with * \u0027${\u0027 MaliciousCommand \u0027}\u0027 *\\n| extend EncodeCmd = iff(MaliciousCommand has \u0027Base64/\u0027, split(split(MaliciousCommand, \\\"Base64/\\\",1)[0], \\\"}\\\", 0)[0], \\\"\\\")\\n| extend EncodeCmd1 = iff(MaliciousCommand has \u0027base64/\u0027, split(split(MaliciousCommand, \\\"base64/\\\",1)[0], \\\"}\\\", 0)[0], \\\"\\\")\\n| extend CmdLine = iff( isnotempty(EncodeCmd), EncodeCmd, EncodeCmd1)\\n| extend DecodedCmdLine = base64_decode_tostring(tostring(CmdLine))\\n| extend DecodedCmdLine = iff( isnotempty(DecodedCmdLine), DecodedCmdLine, \\\"Unable to decode\\\")\\n| project TimeGenerated, Target=hostname_s, MaliciousHost = clientIp_s, MaliciousCommand, details_data_s, DecodedCmdLine, Message, ruleSetType_s, OperationName, SubscriptionId, details_message_s, details_file_s \\n| extend IPCustomEntity = MaliciousHost, timestamp = TimeGenerated\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Azure WAF matching for Log4j vuln(CVE-2021-44228)\",\"description\":\"This query will alert on a positive pattern match by Azure WAF for CVE-2021-44228 log4j vulnerability exploitation attempt. If possible, it then decodes the malicious command for further analysis.\\n Refrence: https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-12-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"WAF\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/972c89fa-c969-4d12-932f-04d55d145299\",\"name\":\"972c89fa-c969-4d12-932f-04d55d145299\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"( union isfuzzy=true\\n(SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| extend FileName = Process, ProcessCommandLine = CommandLine\\n| where (FileName in~(\u0027control.exe\u0027,\u0027rundll32.exe\u0027) and ProcessCommandLine has \u0027.cpl:\u0027)\\n or ProcessCommandLine matches regex @\u0027\\\\\\\".[a-zA-Z]{2,4}:\\\\.\\\\.\\\\/\\\\.\\\\.\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(DeviceProcessEvents\\n| where (FileName in~(\u0027control.exe\u0027,\u0027rundll32.exe\u0027) and ProcessCommandLine has \u0027.cpl:\u0027)\\nor ProcessCommandLine matches regex @\u0027\\\\\\\".[a-zA-Z]{2,4}:\\\\.\\\\.\\\\/\\\\.\\\\.\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountUpn, HostCustomEntity = DeviceName\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1 \\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| extend Image = column_ifexists(\\\"Image\\\", \\\"\\\"), ProcessCommandLine = column_ifexists(\\\"CommandLine\\\", \\\"\\\")\\n| extend FileName = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n| where (FileName in~(\u0027control.exe\u0027,\u0027rundll32.exe\u0027) and ProcessCommandLine has \u0027.cpl:\u0027)\\n or ProcessCommandLine matches regex @\u0027\\\\\\\".[a-zA-Z]{2,4}:\\\\.\\\\.\\\\/\\\\.\\\\.\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"MSHTML vulnerability CVE-2021-40444 attack\",\"description\":\"This query detects attacks that exploit the CVE-2021-40444 MSHTML vulnerability using specially crafted Microsoft Office documents. \\n The detection searches for relevant files used in the attack along with regex matches in commnadline to look for pattern similar to : \\\".cpl:../../msword.inf\\\"\\n Refrence: https://www.microsoft.com/security/blog/2021/09/15/analyzing-attacks-that-exploit-the-mshtml-cve-2021-40444-vulnerability/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-09-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4ca74dc0-8352-4ac5-893c-73571cc78331\",\"name\":\"4ca74dc0-8352-4ac5-893c-73571cc78331\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let keywords = dynamic([\\\"secret\\\", \\\"secrets\\\", \\\"password\\\", \\\"PAT\\\", \\\"passwd\\\", \\\"pswd\\\", \\\"pwd\\\", \\\"cred\\\", \\\"creds\\\", \\\"credentials\\\", \\\"credential\\\", \\\"key\\\"]);\\nAzureDevOpsAuditing\\n| where OperationName =~ \\\"Library.VariableGroupModified\\\"\\n| extend Type = tostring(Data.Type)\\n| extend VariableGroupId = tostring(Data.VariableGroupId)\\n| extend VariableGroupName = tostring(Data.VariableGroupName)\\n| mv-expand Data.Variables\\n| where VariableGroupName has_any (keywords) or Data_Variables has_any (keywords)\\n| where Type != \\\"AzureKeyVault\\\"\\n| where Data_Variables !has \\\"IsSecret\\\"\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Azure DevOps Variable Secret Not Secured\",\"description\":\"Credentials used in the build process may be stored as Azure DevOps variables. To secure these variables they should be stored in KeyVault or marked as Secrets. \\nThis detection looks for new variables added with names that suggest they are credentials but where they are not set as Secrets or stored in KeyVault.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cc5780ce-3245-4bba-8bc1-e9048c2257ce\",\"name\":\"cc5780ce-3245-4bba-8bc1-e9048c2257ce\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n | where Category =~ \\\"ApplicationManagement\\\"\\n | where OperationName =~ \\\"Add owner to application\\\"\\n | extend appName = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n | extend UPN = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend UpdatedBy = iif(isnotempty(appName), appName, UPN)\\n | extend mod_props = TargetResources[0].modifiedProperties\\n | extend AddedUser = TargetResources[0].userPrincipalName\\n | mv-expand mod_props\\n | where mod_props.displayName =~ \\\"Application.DisplayName\\\"\\n | extend AppName = tostring(parse_json(tostring(mod_props.newValue)))\\n | project-reorder TimeGenerated, OperationName, AppName, AddedUser, UpdatedBy\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UpdatedBy\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddedUser\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Changes to Application Ownership\",\"description\":\"Detects changes to the ownership of an appplicaiton.\\n Monitor these changes to make sure that they were authorized.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-applications#new-owner\",\"lastUpdatedDateUTC\":\"2022-07-09T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/15049017-527f-4d3b-b011-b0e99e68ef45\",\"name\":\"15049017-527f-4d3b-b011-b0e99e68ef45\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let procList = externaldata(Process:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Microsoft_Lolbas_Execution_Binaries.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nSecurityEvent\\n| where EventID == 4688 and Process has_any (procList) and not (NewProcessName has (\\\"C:\\\\\\\\Windows\\\\\\\\\\\"))\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, SubjectUserName, NewProcessName, Process, CommandLine\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SubjectUserName\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLine\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"Windows Binaries Executed from Non-Default Directory\",\"description\":\"The query detects Windows binaries, that can be executed from a non-default directory (e.g. C:\\\\Windows\\\\, C:\\\\Windows\\\\System32 etc.). \\nRef: https://lolbas-project.github.io/\",\"lastUpdatedDateUTC\":\"2022-02-15T00:00:00Z\",\"createdDateUTC\":\"2022-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2f4165a6-c4fb-4e94-861e-37f1b4d6c0e6\",\"name\":\"2f4165a6-c4fb-4e94-861e-37f1b4d6c0e6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"// Adjust this to use a longer timeframe to identify ADFS servers\\n//let lookback = 0d;\\n// Adjust this to adjust detection timeframe\\n//let timeframe = 1d;\\n// SamAccountName of AD FS Service Account. Filter on the use of a specific AD FS user account\\n//let adfsuser = \u0027adfsadmin\u0027;\\n// Identify ADFS Servers\\nlet ADFS_Servers = (\\n SecurityEvent\\n //| where TimeGenerated \u003e ago(timeframe+lookback)\\n | where EventSourceName == \u0027AD FS Auditing\u0027\\n | distinct Computer\\n);\\nSecurityEvent\\n //| where TimeGenerated \u003e ago(timeframe)\\n | where Computer in~ (ADFS_Servers)\\n // A token of type \u0027http://schemas.microsoft.com/ws/2006/05/servicemodel/tokens/SecureConversation\u0027\\n // for relying party \u0027-\u0027 was successfully authenticated.\\n | where EventID == 412\\n | extend EventData = parse_xml(EventData).EventData.Data\\n | extend InstanceId = tostring(EventData[0])\\n| join kind=inner\\n(\\n SecurityEvent\\n //| where TimeGenerated \u003e ago(timeframe)\\n | where Computer in~ (ADFS_Servers)\\n // Events to identify caller identity from event 412\\n | where EventID == 501\\n | extend EventData = parse_xml(EventData).EventData.Data\\n | where tostring(EventData[1]) contains \u0027identity/claims/name\u0027\\n | extend InstanceId = tostring(EventData[0])\\n | extend ClaimsName = tostring(EventData[2])\\n // Filter on the use of a specific AD FS user account\\n //| where ClaimsName contains adfsuser\\n)\\non $left.InstanceId == $right.InstanceId\\n| join kind=inner\\n(\\n SecurityEvent\\n | where EventID == 5156\\n | where Computer in~ (ADFS_Servers)\\n | extend EventData = parse_xml(EventData).EventData.Data\\n | mv-expand bagexpansion=array EventData\\n | evaluate bag_unpack(EventData)\\n | extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n | evaluate pivot(Key, any(Value), TimeGenerated, Computer, EventID)\\n | extend DestPort = column_ifexists(\\\"DestPort\\\", \\\"\\\"),\\n Direction = column_ifexists(\\\"Direction\\\", \\\"\\\"),\\n Application = column_ifexists(\\\"Application\\\", \\\"\\\"),\\n DestAddress = column_ifexists(\\\"DestAddress\\\", \\\"\\\"),\\n SourceAddress = column_ifexists(\\\"SourceAddress\\\", \\\"\\\"),\\n SourcePort = column_ifexists(\\\"SourcePort\\\", \\\"\\\")\\n // Look for inbound connections from endpoints on port 80\\n | where DestPort == 80 and Direction == \u0027%%14592\u0027 and Application == \u0027System\u0027\\n | where DestAddress !in (\u0027::1\u0027,\u00270:0:0:0:0:0:0:1\u0027) \\n)\\non $left.Computer == $right.Computer\\n| project TimeGenerated, Computer, ClaimsName, SourceAddress, SourcePort\\n| extend HostCustomEntity = Computer, AccountCustomEntity = ClaimsName, IPCustomEntity = SourceAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Collection\"],\"displayName\":\"AD FS Remote Auth Sync Connection\",\"description\":\"This detection uses Security events from the \\\"AD FS Auditing\\\" provider to detect suspicious authentication events on an AD FS server. The results then get\\ncorrelated with events from the Windows Filtering Platform (WFP) to detect suspicious incoming network traffic on port 80 on the AD FS server.\\nThis could be a sign of a threat actor trying to use replication services on the AD FS server to get its configuration settings and extract\\nsensitive information such as AD FS certificates.\\nIn order to use this query you need to enable AD FS auditing on the AD FS Server.\\nReference: https://twitter.com/OTR_Community/status/1387038995016732672\\n\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-04-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d992b87b-eb49-4a9d-aa96-baacf9d26247\",\"name\":\"d992b87b-eb49-4a9d-aa96-baacf9d26247\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let IPList = dynamic([\\\"185.63.90.137\\\"]); \\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\nlet sha256Hashes = \\ndynamic([\\\"53854c6d163bfd0c56d8b297ac43bd25c21f696de6063031241e792ee65df441\\\",\\n\\\"c297e545b8f150cc5ff56dbb68dc74fe30a421d9d40f38f4a53083192697c44c\\\",\\n\\\"17921368901f23e0cad0d2fe4ce5694aebaf4727699ed0358117500701914d1b\\\",\\n\\\"198a2d42df010d838b4207f478d885ef36e3db13b1744d673e221b828c28bf77\\\",\\n\\\"71d7b48c2fdc7b57b104a7858a35165bbed21d2fa7e34828d6c1d50b2b33a1d0\\\",\\n\\\"601227d52c6e367e11b80240183d07d38bc11a88e844e8401fce17eb25e92ba8\\\",\\n\\\"63ff04bed4fdb120a9cb9b1ea7fd88e83f12fb01ab6a057088f8016e663b48d4\\\",\\n\\\"a3037c3389b811bc1404f719af5c8b9034c5e24710cf3a0b457d28bf1b922cf7\\\",\\n\\\"e19b8be1b21c066d60725e550f8455f824065abbf1b43f7b2fe4fb338b241ffc\\\",\\n\\\"a3037c3389b811bc1404f719af5c8b9034c5e24710cf3a0b457d28bf1b922cf7\\\"\\n]);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList) \\n| project TimeGenerated, SourceIP, DestinationIP, Message, SourceUserID, RequestURL\\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", MessageIP in (IPList), \\\"Message\\\", \\\"NoMatch\\\")\\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, \\\"NoMatch\\\"), AccountCustomEntity = SourceUserID\\n),\\n(DeviceNetworkEvents\\n| where RemoteIP in (IPList) or InitiatingProcessSHA256 in (sha256Hashes) \\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort, LocalIP\\n| extend timestamp = TimeGenerated, DNSName = RemoteUrl, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName\\n),\\n(WindowsFirewall\\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| project TimeGenerated, Computer, CommunicationDirection, SourceIP, DestinationIP, SourcePort, DestinationPort\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\")\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| project TimeGenerated,Resource, msg_s\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost) \\n| where SourceHost in (IPList) or DestinationHost in (IPList)\\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost\\n),\\n(DeviceFileEvents\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RequestAccountName, RequestSourceIP, InitiatingProcessSHA256\\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n| where FileHash in (sha256Hashes)\\n),\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, SourceUserID, FileHash\\n| extend timestamp = TimeGenerated, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(DeviceEvents\\n| where InitiatingProcessSHA256 in~ (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256\\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(SecurityEvent\\n| where EventID == \u00274688\u0027\\n| where CommandLine has_any (IPList) \\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName\\n),\\n(WindowsEvent\\n| where EventID == \u00274688\u0027 and has_any_ipv4(EventData, toscalar(IPList)) \\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| where NewProcessName in (IPList) \\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| extend Account = strcat(EventData.SubjectDomainName,\\\"\\\\\\\\\\\", EventData.SubjectUserName)\\n| extend NewProcessId = tostring(EventData.NewProcessId)\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Alert for IOCs related to Windows/ELF malware - IP, Hash IOCs - September 2021\",\"description\":\"Identifies a match across various data feeds for IP,hashes and IOCs related to Windows/ELF malware published by Black Lotus Labs\\nReference: \\nhttps://blog.lumen.com/no-longer-just-theory-black-lotus-labs-uncovers-linux-executables-deployed-as-stealth-windows-loaders\\nhttps://github.com/ManuelBerrueta/YARA-rules/blob/master/BlackLotusLabs-WSLMalware/BLL_SneakyWSL.yar\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-09-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceFileEvents\",\"DeviceEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ce1e7025-866c-41f3-9b08-ec170e05e73e\",\"name\":\"ce1e7025-866c-41f3-9b08-ec170e05e73e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"let SunburstURL=dynamic([\\\"panhardware.com\\\",\\\"databasegalore.com\\\",\\\"avsvmcloud.com\\\",\\\"freescanonline.com\\\",\\\"thedoccloud.com\\\",\\\"deftsecurity.com\\\"]);\\nDeviceNetworkEvents\\n| where ActionType == \\\"ConnectionSuccess\\\"\\n| where RemoteUrl in(SunburstURL)\\n| extend\\n timestamp = TimeGenerated,\\n AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName),\\n HostCustomEntity = DeviceName,\\n FileHashCustomEntity = InitiatingProcessMD5, \\n HashAlgorithm = \u0027MD5\u0027,\\n URLCustomEntity = RemoteUrl,\\n IPCustomEntity = RemoteIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"HashAlgorithm\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Execution\",\"Persistence\",\"InitialAccess\"],\"displayName\":\"SUNBURST network beacons\",\"description\":\"Identifies SolarWinds SUNBURST domain beacon IOCs in DeviceNetworkEvents\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2020-12-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/baedfdf4-7cc8-45a1-81a9-065821628b83\",\"name\":\"baedfdf4-7cc8-45a1-81a9-065821628b83\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let runningRAT_parameters = dynamic([\u0027/ui/chk\u0027, \u0027mactok=\u0027, \u0027UsRnMe=\u0027, \u0027IlocalP=\u0027, \u0027kMnD=\u0027]);\\nCommonSecurityLog\\n| where RequestMethod == \\\"GET\\\"\\n| project TimeGenerated, DeviceVendor, DeviceProduct, DeviceAction, DestinationDnsDomain, DestinationIP, RequestURL, SourceIP, SourceHostName, RequestClientApplication\\n| where RequestURL has_any (runningRAT_parameters)\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DestinationIP\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"SourceHostName\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"RequestURL\"}]}],\"tactics\":[\"Exfiltration\",\"CommandAndControl\"],\"displayName\":\"RunningRAT request parameters\",\"description\":\"This detection will alert when RunningRAT URI parameters or paths are detect in an HTTP request. Id the device blocked this communication\\npresence of this alert means the RunningRAT implant is likely still executing on the source host.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2022-05-31T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4d8de9e6-263e-4845-8618-cd23a4f58b70\",\"name\":\"4d8de9e6-263e-4845-8618-cd23a4f58b70\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT3H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 3h;\\n// Add full UPN (user@domain.com) to Authorized Bypassers to ignore policy bypasses by certain authorized users\\nlet AuthorizedBypassers = dynamic([\u0027foo@baz.com\u0027, \u0027test@foo.com\u0027]);\\nlet historicBypassers = AzureDevOpsAuditing\\n| where TimeGenerated between (ago(starttime) .. ago(endtime))\\n| where OperationName == \u0027Git.RefUpdatePoliciesBypassed\u0027\\n| distinct ActorUPN;\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e= ago(endtime)\\n| where OperationName == \u0027Git.RefUpdatePoliciesBypassed\u0027\\n| where ActorUPN !in (historicBypassers) and ActorUPN !in (AuthorizedBypassers)\\n| parse ScopeDisplayName with OrganizationName \u0027(Organization)\u0027\\n| project TimeGenerated, ActorUPN, IpAddress, UserAgent, OrganizationName, ProjectName, RepoName = Data.RepoName, AlertDetails = Details, Branch = Data.Name, \\n BypassReason = Data.BypassReason, PRLink = strcat(\u0027https://dev.azure.com/\u0027, OrganizationName, \u0027/\u0027, ProjectName, \u0027/_git/\u0027, Data.RepoName, \u0027/pullrequest/\u0027, Data.PullRequestId)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Azure DevOps Pull Request Policy Bypassing - Historic allow list\",\"description\":\"This detection builds an allow list of historic PR policy bypasses and compares to recent history, flagging pull request bypasses that are not manually in the allow list and not historically included in the allow list.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2020-06-04T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/75bf9902-0789-47c1-a5d8-f57046aa72df\",\"name\":\"75bf9902-0789-47c1-a5d8-f57046aa72df\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let procList = externaldata(Process:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Microsoft_Lolbas_Execution_Binaries.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet ProcessCreationEvents=() {\\nlet processEvents=(union isfuzzy=true\\n(SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, NewProcessName,\\nFileName = Process, CommandLine, ParentProcessName\\n),\\n(WindowsEvent\\n| where EventID==4688 and EventData has_any (procList) and EventData has \\\":\\\\\\\\recycler\\\"\\n| extend CommandLine = tostring(EventData.CommandLine)\\n| where isnotempty(CommandLine)\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName) \\n| extend NewProcessName = tostring(EventData.NewProcessName) \\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, NewProcessName,\\nFileName = Process, CommandLine, ParentProcessName\\n));\\nprocessEvents};\\nProcessCreationEvents \\n| where FileName in~ (procList)\\n| where CommandLine contains \\\":\\\\\\\\recycler\\\"\\n| project StartTimeUtc = TimeGenerated, Computer, Account, NewProcessName, FileName, CommandLine, ParentProcessName\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Malware in the recycle bin\",\"description\":\"The query detects Windows binaries, that can be used for executing malware, that have been hidden in the recycle bin. \\n The list of these binaries are sourced from https://lolbas-project.github.io/\\n References: https://azure.microsoft.com/blog/how-azure-security-center-helps-reveal-a-cyberattack/.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2018-09-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e2399891-383c-4caf-ae67-68a008b9f89e\",\"name\":\"e2399891-383c-4caf-ae67-68a008b9f89e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let HAS_ANY_MAX = 10000;\\nlet dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet IP_TI=ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = coalesce(NetworkIP, NetworkDestinationIP, NetworkSourceIP,EmailSourceIpAddress,\\\"NO_IP\\\")\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where TI_ipEntity != \\\"NO_IP\\\";\\nlet IP_TI_list=toscalar(IP_TI | summarize NIoCs=dcount(TI_ipEntity), IoCs=make_set( TI_ipEntity)\\n | project IoCs=iff(NIoCs \u003e HAS_ANY_MAX, dynamic([]), IoCs));\\nIP_TI\\n // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n | join kind=innerunique \\n (\\n union \\n (\\n _Im_NetworkSession (starttime=ago(dt_lookBack), dstipaddr_has_any_prefix=IP_TI_list)\\n | where isnotempty(SrcIpAddr)\\n // renaming time column so it is clear the log this came from\\n | extend imNWS_TimeGenerated = TimeGenerated, IoCIP=DstIpAddr, IoCIPDirection=\u0027Destination\u0027\\n ),\\n (\\n _Im_NetworkSession (starttime=ago(dt_lookBack), srcipaddr_has_any_prefix=IP_TI_list)\\n | where isnotempty(DstIpAddr)\\n // renaming time column so it is clear the log this came from\\n | extend imNWS_TimeGenerated = TimeGenerated, IoCIP=SrcIpAddr, IoCIPDirection=\u0027Source\u0027\\n )\\n)on $left.TI_ipEntity == $right.IoCIP\\n| where imNWS_TimeGenerated \u003c ExpirationDateTime\\n| summarize imNWS_TimeGenerated = arg_max(imNWS_TimeGenerated , *) by IndicatorId, IoCIP, IoCIPDirection\\n| project imNWS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, Dvc, SrcIpAddr, DstIpAddr, IoCIPDirection, IoCIP\",\"customDetails\":{\"EventTime\":\"imNWS_TimeGenerated\",\"IoCDescription\":\"Description\",\"ActivityGroupNames\":\"ActivityGroupNames\",\"IndicatorId\":\"IndicatorId\",\"ThreatType\":\"ThreatType\",\"IoCExpirationTime\":\"ExpirationDateTime\",\"IoCConfidenceScore\":\"ConfidenceScore\",\"IoCIPDirection\":\"IoCIPDirection\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IoCIP\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"A network session {{IoCIPDirection}} address {{IoCIP}} matched an IoC.\",\"alertDescriptionFormat\":\"The {{IoCIPDirection}} address {{IoCIP}} of a network session matched a known indicator of compromise of {{ThreatType}}. Consult the threat intelligence blead for more information on the indicator.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"Impact\"],\"displayName\":\"(Preview) TI map IP entity to Network Session Events (ASIM Network Session schema)\",\"description\":\"This rule identifies a match Network Sessions for which the source of destination IP address is a known IoC. \u003cbr\u003e\u003cbr\u003e\\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema\",\"lastUpdatedDateUTC\":\"2022-04-27T00:00:00Z\",\"createdDateUTC\":\"2022-03-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8c2ef238-67a0-497d-b1dd-5c8a0f533e25\",\"name\":\"8c2ef238-67a0-497d-b1dd-5c8a0f533e25\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let EventNameList = dynamic([\\\"AuthorizeDBSecurityGroupIngress\\\",\\\"CreateDBSecurityGroup\\\",\\\"DeleteDBSecurityGroup\\\",\\\"RevokeDBSecurityGroupIngress\\\"]);\\nAWSCloudTrail\\n| where EventName in~ (EventNameList)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, UserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion, EventSource, AdditionalEventData, ResponseElements\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Changes to internet facing AWS RDS Database instances\",\"description\":\"Amazon Relational Database Service (RDS) is scalable relational database in the cloud. \\nIf your organization have one or more AWS RDS Databases running, monitoring changes to especially internet facing AWS RDS (Relational Database Service) \\nOnce alerts triggered, validate if changes observed are authorized and adhere to change control policy. \\nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255\\nand RDS API Reference Docs: https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_Operations.html\",\"lastUpdatedDateUTC\":\"2021-11-28T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6ee72a9e-2e54-459c-bc9a-9c09a6502a63\",\"name\":\"6ee72a9e-2e54-459c-bc9a-9c09a6502a63\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.1\",\"severity\":\"High\",\"query\":\"let IPList = dynamic([\\\"216.24.185.74\\\", \\\"107.175.189.159\\\", \\\"192.210.132.102\\\", \\\"67.230.163.214\\\", \\n \\\"199.19.110.240\\\", \\\"107.148.130.176\\\", \\\"154.212.129.218\\\", \\\"172.86.75.54\\\", \\\"45.61.136.199\\\", \\n \\\"149.28.150.195\\\", \\\"108.61.214.194\\\", \\\"144.202.98.198\\\", \\\"149.28.84.98\\\", \\\"103.99.209.78\\\", \\n \\\"45.61.136.2\\\", \\\"176.122.162.149\\\", \\\"192.3.80.245\\\", \\\"149.28.23.32\\\", \\\"107.182.18.149\\\", \\\"107.174.45.134\\\", \\n \\\"149.248.18.104\\\", \\\"65.49.192.74\\\", \\\"156.255.2.154\\\", \\\"45.76.6.149\\\", \\\"8.9.11.130\\\", \\\"140.238.27.255\\\", \\n \\\"107.182.24.70\\\", \\\"176.122.188.254\\\", \\\"192.161.161.108\\\", \\\"64.64.234.24\\\", \\\"104.224.185.36\\\", \\n \\\"104.233.224.227\\\", \\\"104.36.69.105\\\", \\\"119.28.139.120\\\", \\\"161.117.39.130\\\", \\\"66.42.100.42\\\", \\\"45.76.31.159\\\", \\n \\\"149.248.8.134\\\", \\\"216.24.182.48\\\", \\\"66.42.103.222\\\", \\\"218.89.236.11\\\", \\\"180.150.227.249\\\", \\\"47.75.80.23\\\",\\n \\\"124.156.164.19\\\", \\\"149.248.62.83\\\", \\\"150.109.76.174\\\", \\\"222.209.187.207\\\", \\\"218.38.191.38\\\", \\n \\\"119.28.226.59\\\", \\\"66.42.98.220\\\", \\\"74.82.201.8\\\", \\\"173.242.122.198\\\", \\\"45.32.130.72\\\", \\\"89.35.178.10\\\", \\n \\\"89.43.60.113\\\"]); \\n(union isfuzzy=true \\n(CommonSecurityLog \\n| where isnotempty(SourceIP) or isnotempty(DestinationIP) \\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList) \\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"Message\\\") \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch \\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\") \\n), \\n(OfficeActivity \\n|extend SourceIPAddress = ClientIP, Account = UserId \\n| where SourceIPAddress in (IPList) \\n| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account \\n),\\n(_Im_Dns (response_has_any_prefix=IPList)\\n| extend DestinationIPAddress = ResponseName, Host = SrcIpAddr \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host \\n), \\n(_Im_NetworkSession (srcipaddr_has_any_prefix=IPList)\\n | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Hostname, AccountCustomEntity=User\\n), \\n(_Im_NetworkSession (dstipaddr_has_any_prefix=IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = DstIpAddr, HostCustomEntity = Hostname , AccountCustomEntity = User\\n), \\n(WireData \\n| where isnotempty(RemoteIP) \\n| where RemoteIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer \\n), \\n(SigninLogs \\n| where isnotempty(IPAddress) \\n| where IPAddress in (IPList) \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \\n),\\n(AADNonInteractiveUserSignInLogs \\n| where isnotempty(IPAddress) \\n| where IPAddress in (IPList) \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \\n), \\n(W3CIISLog \\n| where isnotempty(cIP) \\n| where cIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName \\n), \\n(AzureActivity \\n| where isnotempty(CallerIpAddress) \\n| where CallerIpAddress in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller \\n), \\n( \\nAWSCloudTrail \\n| where isnotempty(SourceIpAddress) \\n| where SourceIpAddress in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName \\n), \\n( \\nDeviceNetworkEvents \\n| where isnotempty(RemoteIP) \\n| where RemoteIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName \\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallNetworkRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Known Barium IP\",\"description\":\"Identifies a match across various data feeds for IP IOCs related to the Barium activity group. \\n References: https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer\u0027 \",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2020-11-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AzureMonitor(WireData)\",\"dataTypes\":[\"WireData\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/595a10c9-91be-4abb-bbc7-ae9c57848bef\",\"name\":\"595a10c9-91be-4abb-bbc7-ae9c57848bef\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Low\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ChiaCryptoIOC.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet process = (iocs | where Type =~ \\\"process\\\" | project IoC);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\nlet IPList = (iocs | where Type =~ \\\"ip\\\"| project IoC);\\nlet domains = (iocs | where Type =~ \\\"domainname\\\"| project IoC);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\n//This query uses sysmon data, sections that have - | where Source == \\\"Microsoft-Windows-Sysmon\\\" - may need to be updated with latest\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or DestinationHostName has_any (domains) or RequestURL has_any (domains) or Message has_any (IPList)\\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| project TimeGenerated, SourceIP, DestinationIP, Message, SourceUserID, RequestURL, DNSName, Type\\n| extend MessageIP = extract(IPRegex, 0, Message), RequestIP = extract(IPRegex, 0, RequestURL)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", RequestURL has_any (domains), \\\"RequestUrl\\\", \\\"NoMatch\\\"), AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, IPEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, \\\"NoMatch\\\"), Account = SourceUserID\\n),\\n(DnsEvents\\n| where IPAddresses in (IPList) or Name in~ (domains) \\n| project TimeGenerated, Computer, IPAddresses, Name, ClientIP, Type\\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Computer , AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, IPEntity = DestinationIPAddress\\n),\\n(VMConnection\\n| where SourceIp in (IPList) or DestinationIp in (IPList) or RemoteDnsCanonicalNames has_any (domains)\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| project TimeGenerated, Computer, Direction, ProcessName, SourceIp, DestinationIp, DestinationPort, RemoteDnsQuestions, DNSName,BytesSent, BytesReceived, RemoteCountry, Type\\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", \\\"None\\\") , AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, IPEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"NoMatch\\\"), File = ProcessName\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = tostring(EventDetail.[9].[\\\"#text\\\"]), DestinationIP = tostring(EventDetail.[14].[\\\"#text\\\"]), Image = tostring(EventDetail.[4].[\\\"#text\\\"])\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Image has_any (process)\\n| project TimeGenerated, SourceIP, DestinationIP, Image, Account = UserName, Computer, Type\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\") , AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, File = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), IPEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n| extend FilePath = replace_string(Image, File, \u0027\u0027)\\n), \\n(OfficeActivity\\n| where ClientIP in (IPList) \\n| project TimeGenerated, UserAgent, Operation, RecordType, UserId, ClientIP, AlertDetail = \u0027Chia crypto IOC detected\u0027, Type\\n| extend timestamp = TimeGenerated, IPEntity = ClientIP, Account = UserId\\n),\\n(DeviceNetworkEvents\\n| where RemoteUrl has_any (domains) or RemoteIP in (IPList) or InitiatingProcessSHA256 in (sha256Hashes) or InitiatingProcessFileName has_any (process)\\n| project TimeGenerated, ActionType, DeviceId, Computer = DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort, LocalIP, Type\\n| extend timestamp = TimeGenerated, IPEntity = RemoteIP, AlertDetail = \u0027Chia crypto IOC detected\u0027\\n),\\n(WindowsFirewall\\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| project TimeGenerated, Computer, CommunicationDirection, SourceIP, DestinationIP, SourcePort, DestinationPort, Type\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\"), AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, Computer, IPEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| project TimeGenerated,Resource, msg_s, Type\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where Request_Name has_any (domains) or ClientIP in (IPList)\\n| extend timestamp = TimeGenerated, DNSName = Request_Name, IPEntity = ClientIP, AlertDetail = \u0027Chia crypto IOC detected\u0027\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| project TimeGenerated,Resource, msg_s, Type\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (domains) \\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPEntity = SourceHost, AlertDetail = \u0027Chia crypto IOC detected\u0027\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| where EventDetail has_any (sha256Hashes) \\n| parse EventDetail with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256\\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = SHA256, Image = tostring(EventDetail.[4].[\\\"#text\\\"]), AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, Computer, Account, File = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), FileHashAlgo = \u0027SHA256\u0027\\n| extend FilePath = replace_string(Image, File, \u0027\u0027)\\n),\\n(DeviceFileEvents\\n| where InitiatingProcessFolderPath has_any (process)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RequestAccountName, RequestSourceIP, InitiatingProcessSHA256, Type\\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, Computer, Account, File = InitiatingProcessFileName, FileHashAlgo = \u0027SHA256\u0027\\n| extend FilePath = replace_string(InitiatingProcessFolderPath, File, \u0027\u0027)\\n),\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, SourceUserID, FileHash, Type\\n| extend timestamp = TimeGenerated, AlertDetail = \u0027Chia crypto IOC detected\u0027, FileHashAlgo = \u0027SHA256\u0027, Account = SourceUserID\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| project TimeGenerated, EventDetail, UserName, Computer, Type\\n| extend Image = tostring(EventDetail.[4].[\\\"#text\\\"]), CommandLine = tostring(EventDetail.[10].[\\\"#text\\\"]), Account = UserName, FileHash = tostring(EventDetail.[17].[\\\"#text\\\"]), AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| where Image has_any (process)\\n| extend timestamp = TimeGenerated, Computer, Account, File = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), FileHashAlgo = \u0027SHA256\u0027\\n| extend FilePath= replace_string(Image, File, \u0027\u0027)\\n),\\n(DeviceEvents\\n| where InitiatingProcessFileName has_any (process) or InitiatingProcessSHA256 in~ (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath, AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, Computer, Account, File = InitiatingProcessFileName, FileHashAlgo = \u0027SHA256\u0027\\n| extend FilePath = replace_string(InitiatingProcessFolderPath, File, \u0027\u0027)\\n),\\n(SecurityEvent\\n| where EventID == \u00274688\u0027\\n| where NewProcessName has_any (process)\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type\\n| extend timestamp = TimeGenerated, Computer, Account, File = tostring(split(NewProcessName, \u0027\\\\\\\\\u0027, -1)[-1]), AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend FilePath = replace_string(NewProcessName, File, \u0027\u0027)\\n)\\n)\\n| extend AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPEntity, FileCustomEntity = File, FilePathCustomEntity = FilePath, FileHashCustomEntity = FileHash\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"FileCustomEntity\"},{\"identifier\":\"Directory\",\"columnName\":\"FilePathCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashAlgo\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Chia_Crypto_Mining - Domain, Process, Hash and IP IOCs - June 2021\",\"description\":\"Identifies a match across various data feeds for domains, process, hashes and IP IOC related to Chia cryptocurrency farming/plotting activity.\",\"lastUpdatedDateUTC\":\"2021-12-08T00:00:00Z\",\"createdDateUTC\":\"2021-06-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceFileEvents\",\"DeviceEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/dd0a6029-ecef-4507-89c4-fc355ac52111\",\"name\":\"dd0a6029-ecef-4507-89c4-fc355ac52111\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.0\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation of extracted domains\\nlet list_tlds = ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e ago(ioc_lookBack)\\n| where isnotempty(DomainName)\\n| extend DomainName = tolower(DomainName)\\n| extend parts = split(DomainName, \u0027.\u0027)\\n| extend tld = parts[(array_length(parts)-1)]\\n| summarize count() by tostring(tld)\\n| summarize make_list(tld);\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(DomainName)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n CommonSecurityLog\\n | extend IngestionTime = ingestion_time()\\n | where IngestionTime \u003e ago(dt_lookBack)\\n | where DeviceEventClassID =~ \u0027url\u0027\\n //Uncomment the line below to only alert on allowed connections\\n //| where DeviceAction !~ \\\"block-url\\\"\\n //Extract domain from RequestURL, if not present extarct it from AdditionalExtentions\\n | extend PA_Url = columnifexists(\\\"RequestURL\\\", \\\"None\\\")\\n | extend PA_Url = iif(isempty(PA_Url) and AdditionalExtensions !startswith \\\"PanOS\\\", extract(\\\"([^\\\\\\\"]+)\\\", 1, tolower(AdditionalExtensions)), trim(\u0027\\\"\u0027, PA_Url))\\n | extend PA_Url = iif(PA_Url !startswith \\\"http://\\\" and ApplicationProtocol !~ \\\"ssl\\\", strcat(\u0027http://\u0027, PA_Url), iif(PA_Url !startswith \\\"https://\\\" and ApplicationProtocol =~ \\\"ssl\\\", strcat(\u0027https://\u0027, PA_Url), PA_Url))\\n | extend Domain = trim(@\\\"\\\"\\\"\\\",tostring(parse_url(PA_Url).Host))\\n | where isnotempty(Domain)\\n | extend Domain = tolower(Domain)\\n | extend parts = split(Domain, \u0027.\u0027)\\n //Split out the TLD for the purpose of checking if we have any TI indicators with this TLD to match on\\n | extend tld = parts[(array_length(parts)-1)]\\n //Validate parsed domain by checking TLD against TLDs from threat feed and drop domains where there is no chance of a match\\n | where tld in~ (list_tlds)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n ) on $left.DomainName==$right.Domain\\n| where CommonSecurityLog_TimeGenerated \u003c ExpirationDateTime\\n| summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, FileHashValue\\n| project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, PA_Url, Domain, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DeviceAction, DestinationIP, DestinationPort, DeviceName, SourceIP, SourcePort, ApplicationProtocol, RequestMethod\\n| extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, URLCustomEntity = PA_Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map Domain entity to CommonSecurityLog\",\"description\":\"Identifies a match in CommonSecurityLog table from any Domain IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6c360107-f3ee-4b91-9f43-f4cfd90441cf\",\"name\":\"6c360107-f3ee-4b91-9f43-f4cfd90441cf\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Low\",\"query\":\"union isfuzzy=true \\n(\\n SecurityEvent\\n | where EventID == 4738\\n // 2089 value indicates the Don\u0027t Expire Password value has been set\\n | where UserAccountControl has \\\"%%2089\\\" \\n | extend Value_2089 = iff(UserAccountControl has \\\"%%2089\\\",\\\"\u0027Don\u0027t Expire Password\u0027 - Enabled\\\", \\\"Not Changed\\\")\\n // 2050 indicates that the Password Not Required value is NOT set, this often shows up at the same time as a 2089 and is the recommended value. This value may not be in the event. \\n | extend Value_2050 = iff(UserAccountControl has \\\"%%2050\\\",\\\"\u0027Password Not Required\u0027 - Disabled\\\", \\\"Not Changed\\\")\\n // If value %%2082 is present in the 4738 event, this indicates the account has been configured to logon WITHOUT a password. Generally you should only see this value when an account is created and only in Event 4720: Account Creation Event. \\n | extend Value_2082 = iff(UserAccountControl has \\\"%%2082\\\",\\\"\u0027Password Not Required\u0027 - Enabled\\\", \\\"Not Changed\\\")\\n | project StartTime = TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetSid, AccountType, UserAccountControl, Value_2089, Value_2050, Value_2082, SubjectAccount\\n | extend timestamp = StartTime, AccountCustomEntity = TargetAccount, HostCustomEntity = Computer\\n ),\\n (\\n WindowsEvent\\n | where EventID == 4738 and EventData has \u00272089\u0027\\n // 2089 value indicates the Don\u0027t Expire Password value has been set\\n | extend UserAccountControl = tostring(EventData.UserAccountControl)\\n | where UserAccountControl has \\\"%%2089\\\" \\n | extend Value_2089 = iff(UserAccountControl has \\\"%%2089\\\",\\\"\u0027Don\u0027t Expire Password\u0027 - Enabled\\\", \\\"Not Changed\\\")\\n // 2050 indicates that the Password Not Required value is NOT set, this often shows up at the same time as a 2089 and is the recommended value. This value may not be in the event. \\n | extend Value_2050 = iff(UserAccountControl has \\\"%%2050\\\",\\\"\u0027Password Not Required\u0027 - Disabled\\\", \\\"Not Changed\\\")\\n // If value %%2082 is present in the 4738 event, this indicates the account has been configured to logon WITHOUT a password. Generally you should only see this value when an account is created and only in Event 4720: Account Creation Event. \\n | extend Value_2082 = iff(UserAccountControl has \\\"%%2082\\\",\\\"\u0027Password Not Required\u0027 - Enabled\\\", \\\"Not Changed\\\")\\n | extend Activity=\\\"4738 - A user account was changed.\\\"\\n | extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n | extend TargetSid = tostring(EventData.TargetSid)\\n | extend SubjectAccount = strcat(EventData.SubjectDomainName,\\\"\\\\\\\\\\\", EventData.SubjectUserName)\\n | extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n | extend AccountType=case(SubjectAccount endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n | project StartTime = TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetSid, AccountType, UserAccountControl, Value_2089, Value_2050, Value_2082, SubjectAccount\\n | extend timestamp = StartTime, AccountCustomEntity = TargetAccount, HostCustomEntity = Computer\\n )\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"Sid\",\"columnName\":\"TargetSid\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"AD account with Don\u0027t Expire Password\",\"description\":\"Identifies whenever a user account has the setting \\\"Password Never Expires\\\" in the user account properties selected.\\nThis is indicated in Security event 4738 in the EventData item labeled UserAccountControl with an included value of %%2089.\\n%%2089 resolves to \\\"Don\u0027t Expire Password - Enabled\\\".\",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2019-01-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4e8238bd-ff4f-4126-a9f6-09b3b6801b3d\",\"name\":\"4e8238bd-ff4f-4126-a9f6-09b3b6801b3d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"AzureDevOpsAuditing\\n| where OperationName =~ \\\"AuditLog.StreamDisabledByUser\\\"\\n| extend StreamType = tostring(Data.ConsumerType)\\n| project-reorder TimeGenerated, Details, ActorUPN, IpAddress, UserAgent, StreamType\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure DevOps Audit Stream Disabled\",\"description\":\"Azure DevOps allow for audit logs to be streamed to external storage solutions such as SIEM solutions. An attacker looking to hide malicious Azure DevOps activity from defenders may look to disable data streams \\nbefore conducting activity and then re-enabling the stream after (so as not to raise data threshold-based alarms). Looking for disabled audit streams can identify this activity, and due to the nature of the action \\nits unlikely to have a high false positive rate.\",\"lastUpdatedDateUTC\":\"2022-01-17T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e2559891-383c-4caf-ae67-55a008b9f89e\",\"name\":\"e2559891-383c-4caf-ae67-55a008b9f89e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let HAS_ANY_MAX = 10000;\\nlet dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet IP_TI=ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = coalesce(NetworkIP, NetworkDestinationIP, NetworkSourceIP,EmailSourceIpAddress,\\\"NO_IP\\\")\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where TI_ipEntity != \\\"NO_IP\\\";\\nlet IP_TI_list=toscalar(IP_TI | summarize NIoCs= dcount(TI_ipEntity), IoCs=make_set(TI_ipEntity) \\n | project IoCs=iff(NIoCs \u003e HAS_ANY_MAX, dynamic([]), IoCs ) );\\nIP_TI\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n _Im_WebSession (starttime=ago(dt_lookBack), srcipaddr_has_any_prefix=IP_TI_list)\\n | where isnotempty(SrcIpAddr)\\n // renaming time column so it is clear the log this came from\\n | extend imNWS_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.SrcIpAddr\\n| where imNWS_TimeGenerated \u003c ExpirationDateTime\\n| summarize imNWS_TimeGenerated = arg_max(imNWS_TimeGenerated , *) by IndicatorId, DstIpAddr\\n| project imNWS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, Dvc, SrcIpAddr, DstIpAddr\",\"customDetails\":{\"EventTime\":\"imNWS_TimeGenerated\",\"IoCDescription\":\"Description\",\"ActivityGroupNames\":\"ActivityGroupNames\",\"IndicatorId\":\"IndicatorId\",\"ThreatType\":\"ThreatType\",\"IoCExpirationTime\":\"ExpirationDateTime\",\"IoCConfidenceScore\":\"ConfidenceScore\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DstIpAddr\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"The IP {{SrcIpAddr}} of a web request to hostname {{domain}} matched an IoC\",\"alertDescriptionFormat\":\"The source address {{SrcIpAddr}} of a web request for URL {{Url}} matched a known indicator of compromise of {{ThreatType}}. Consult the threat intelligence blead for more information on the indicator.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"Impact\"],\"displayName\":\"(Preview) TI map IP entity to Web Session Events (ASIM Web Session schema)\",\"description\":\"This rule identifies Web Sessions for which the source IP address is a known IoC. \u003cbr\u003e\u003cbr\u003eThis rule uses the [Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) and supports any web session source that complies with ASIM.\",\"lastUpdatedDateUTC\":\"2022-03-15T00:00:00Z\",\"createdDateUTC\":\"2022-03-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c7bfadd4-34a6-4fa5-82f8-3691a32261e8\",\"name\":\"c7bfadd4-34a6-4fa5-82f8-3691a32261e8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let EventNameList = dynamic([\\\"ApplySecurityGroupsToLoadBalancer\\\", \\\"SetSecurityGroups\\\"]);\\nAWSCloudTrail\\n| where EventName in~ (EventNameList)\\n| extend User = iif(isnotempty(UserIdentityUserName), UserIdentityUserName, SessionIssuerUserName)\\n| summarize EventCount=count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) \\nby EventSource, EventName, UserIdentityType, User, SourceIpAddress, UserAgent, SessionMfaAuthenticated, AWSRegion,\\nAdditionalEventData, UserIdentityAccountId, UserIdentityPrincipalid, ResponseElements\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User , IPCustomEntity = SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Changes to AWS Elastic Load Balancer security groups\",\"description\":\"Elastic Load Balancer distributes incoming traffic across multiple instances in multiple availability Zones. This increases the fault tolerance of your applications. \\n Unwanted changes to Elastic Load Balancer specific security groups could open your environment to attack and hence needs monitoring.\\n More information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255 \\n and https://aws.amazon.com/elasticloadbalancing/.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bdf04f58-242b-4729-b376-577c4bdf5d3a\",\"name\":\"bdf04f58-242b-4729-b376-577c4bdf5d3a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"imProcessCreate\\n| where Process hassuffix \u0027rundll32.exe\u0027\\n| where CommandLine has_any (\u0027Execute\u0027,\u0027RegRead\u0027,\u0027window.close\u0027)\\n| project TimeGenerated, Dvc, User, Process, CommandLine, ActingProcessName, EventVendor, EventProduct\\n| extend timestamp = TimeGenerated, HostCustomEntity = Dvc, AccountCustomEntity = User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"NOBELIUM - suspicious rundll32.exe execution of vbscript (Normalized Process Events)\",\"description\":\"This query idenifies when rundll32.exe executes a specific set of inline VBScript commands\\nReferences: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimProcessEvent)\",\"lastUpdatedDateUTC\":\"2022-02-14T00:00:00Z\",\"createdDateUTC\":\"2021-03-03T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f30a47c1-65fb-42b1-a7f4-00941c12550b\",\"name\":\"f30a47c1-65fb-42b1-a7f4-00941c12550b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.2\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(Url)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n SecurityAlert\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | extend MSTI = case(AlertName has \\\"TI map\\\" and VendorName == \\\"Microsoft\\\" and ProductName == \u0027Azure Sentinel\u0027, true, false)\\n | where MSTI == false\\n // Extract URL from JSON data\\n | extend Url = extract(\\\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.\u0026+]|[!*\\\\\\\\(\\\\\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+)\\\", 1,Entities)\\n // We only want alerts that actually contain URL data\\n | where isnotempty(Url)\\n // Extract hostname from JSON data for entity mapping\\n | extend Compromised_Host = tostring(parse_json(ExtendedProperties).[\\\"Compromised Host\\\"])\\n | extend Alert_TimeGenerated = TimeGenerated\\n) on Url\\n| where Alert_TimeGenerated \u003c ExpirationDateTime\\n| summarize Alert_TimeGenerated = arg_max(Alert_TimeGenerated, *) by IndicatorId, AlertName\\n| project Alert_TimeGenerated, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, AlertName, AlertSeverity, Description, Url, Compromised_Host\\n| extend timestamp = Alert_TimeGenerated, HostCustomEntity = Compromised_Host, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map URL entity to SecurityAlert data\",\"description\":\"Identifies a match in SecurityAlert data from any URL IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftCloudAppSecurity\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/80da0a8f-cfe1-4cd0-a895-8bc1771a720e\",\"name\":\"80da0a8f-cfe1-4cd0-a895-8bc1771a720e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"(union isfuzzy=true\\n(\\nSecurityEvent\\n| where EventID == 1102 and EventSourceName == \\\"Microsoft-Windows-Eventlog\\\" \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), EventCount = count() by Computer, Account, EventID, Activity\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(\\nWindowsEvent\\n| where EventID == 1102 and Provider == \\\"Microsoft-Windows-Eventlog\\\" \\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend Activity= \\\"1102 - The audit log was cleared.\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), EventCount = count() by Computer, Account, EventID, Activity\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Security Event log cleared\",\"description\":\"Checks for event id 1102 which indicates the security event log was cleared. \\nIt uses Event Source Name \\\"Microsoft-Windows-Eventlog\\\" to avoid generating false positives from other sources, like AD FS servers for instance.\",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2019-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/36a9c9e5-3dc1-4ed9-afaa-1d13617bfc2b\",\"name\":\"36a9c9e5-3dc1-4ed9-afaa-1d13617bfc2b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.2\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(Url)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n OfficeActivity\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n //Extract the Url from a number of potential fields\\n | extend Url = iif(OfficeWorkload == \\\"AzureActiveDirectory\\\",extract(\\\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.\u0026+]|[!*\\\\\\\\(\\\\\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+);\\\", 1,ModifiedProperties),tostring(parse_json(ModifiedProperties)[12].NewValue))\\n | where isnotempty(Url)\\n // Ensure we get a clean URL\\n | extend Url = tostring(split(Url, \u0027;\u0027)[0])\\n | extend OfficeActivity_TimeGenerated = TimeGenerated\\n // Project a single user identity that we can use for entity mapping\\n | extend User = iif(isnotempty(UserId), UserId, iif(isnotempty(Actor), tostring(parse_json(Actor)[0].ID), tostring(parse_json(Parameters)[0].Value)))\\n) on Url\\n| where OfficeActivity_TimeGenerated \u003c ExpirationDateTime\\n| summarize OfficeActivity_TimeGenerated = arg_max(OfficeActivity_TimeGenerated, *) by IndicatorId, Url\\n| project OfficeActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Operation, \\nUserType, OfficeWorkload, Parameters, Url, User\\n| extend timestamp = OfficeActivity_TimeGenerated, AccountCustomEntity = User, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map URL entity to OfficeActivity data\",\"description\":\"Identifies a match in OfficeActivity data from any URL IOC from TI\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f0be259a-34ac-4946-aa15-ca2b115d5feb\",\"name\":\"f0be259a-34ac-4946-aa15-ca2b115d5feb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P2D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"let starttime = 2d;\\nlet endtime = 1d;\\nlet TimeDeltaThreshold = 25;\\nlet TotalEventsThreshold = 30;\\nlet MostFrequentTimeDeltaThreshold = 25;\\nlet PercentBeaconThreshold = 80;\\nCommonSecurityLog\\n| where DeviceVendor == \\\"Palo Alto Networks\\\" and Activity == \\\"TRAFFIC\\\"\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where ipv4_is_private(DestinationIP)== false\\n| project TimeGenerated, DeviceName, SourceUserID, SourceIP, SourcePort, DestinationIP, DestinationPort, ReceivedBytes, SentBytes\\n| sort by SourceIP asc,TimeGenerated asc, DestinationIP asc, DestinationPort asc\\n| serialize\\n| extend nextTimeGenerated = next(TimeGenerated, 1), nextSourceIP = next(SourceIP, 1)\\n| extend TimeDeltainSeconds = datetime_diff(\u0027second\u0027,nextTimeGenerated,TimeGenerated)\\n| where SourceIP == nextSourceIP\\n//Whitelisting criteria/ threshold criteria\\n| where TimeDeltainSeconds \u003e TimeDeltaThreshold \\n| summarize count(), sum(ReceivedBytes), sum(SentBytes)\\nby TimeDeltainSeconds, bin(TimeGenerated, 1h), DeviceName, SourceUserID, SourceIP, DestinationIP, DestinationPort\\n| summarize (MostFrequentTimeDeltaCount, MostFrequentTimeDeltainSeconds) = arg_max(count_, TimeDeltainSeconds), TotalEvents=sum(count_), TotalSentBytes = sum(sum_SentBytes), TotalReceivedBytes = sum(sum_ReceivedBytes) \\nby bin(TimeGenerated, 1h), DeviceName, SourceUserID, SourceIP, DestinationIP, DestinationPort\\n| where TotalEvents \u003e TotalEventsThreshold and MostFrequentTimeDeltaCount \u003e MostFrequentTimeDeltaThreshold\\n| extend BeaconPercent = MostFrequentTimeDeltaCount/toreal(TotalEvents) * 100\\n| where BeaconPercent \u003e PercentBeaconThreshold\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIP, AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Palo Alto - potential beaconing detected\",\"description\":\"Identifies beaconing patterns from Palo Alto Network traffic logs based on recurrent timedelta patterns. \\nThe query leverages various KQL functions to calculate time deltas and then compares it with total events observed in a day to find percentage of beaconing. \\nThis outbound beaconing pattern to untrusted public networks should be investigated for any malware callbacks or data exfiltration attempts.\\nReference Blog:\\nhttp://www.austintaylor.io/detect/beaconing/intrusion/detection/system/command/control/flare/elastic/stack/2017/06/10/detect-beaconing-with-flare-elasticsearch-and-intrusion-detection-systems/\\nhttps://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/detect-network-beaconing-via-intra-request-time-delta-patterns/ba-p/779586\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2019-05-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/14f6da04-2f96-44ee-9210-9ccc1be6401e\",\"name\":\"14f6da04-2f96-44ee-9210-9ccc1be6401e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"AuditLogs\\n| where Category =~ \\\"RoleManagement\\\"\\n| where OperationName has \\\"Add member to role outside of PIM\\\"\\n or (LoggedByService == \\\"Core Directory\\\" and OperationName == \\\"Add member to role\\\" and Identity != \\\"MS-PIM\\\")\\n| extend AccountCustomEntity = tostring(TargetResources[0].userPrincipalName), IPCustomEntity = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"NRT Privileged Role Assigned Outside PIM\",\"description\":\"Identifies a privileged role being assigned to a user outside of PIM\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1\",\"lastUpdatedDateUTC\":\"2022-04-22T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f6502545-ae3a-4232-a8b0-79d87e5c98d7\",\"name\":\"f6502545-ae3a-4232-a8b0-79d87e5c98d7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"Event\\n| where EventLog == \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID in (13)\\n| parse EventData with * \u0027TargetObject\\\"\u003e\u0027 TargetObject \\\"\u003c\\\" * \u0027Details\\\"\u003e\u0027 Details \\\"\u003c\\\" * \\n| where TargetObject==\\\"HKLM\\\\\\\\System\\\\\\\\CurrentControlSet\\\\\\\\Control\\\\\\\\SecurityProviders\\\\\\\\WDigest\\\\\\\\UseLogonCredential\\\" and Details !=\\\"DWORD (0x00000000)\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventID, Computer, TargetObject, Details\",\"entityMappings\":[{\"entityType\":\"RegistryKey\",\"fieldMappings\":[{\"identifier\":\"Key\",\"columnName\":\"TargetObject\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"WDigest downgrade attack\",\"description\":\"When the WDigest Authentication protocol is enabled, plain text passwords are stored in the Local Security Authority Subsystem Service (LSASS) exposing them to theft. This setting will prevent WDigest from storing credentials in memory.\\nRef: https://www.stigviewer.com/stig/windows_7/2016-12-19/finding/V-72753\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2022-03-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b725d62c-eb77-42ff-96f6-bdc6745fc6e0\",\"name\":\"b725d62c-eb77-42ff-96f6-bdc6745fc6e0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nlet UserAgentAll =\\n(union isfuzzy=true\\n(OfficeActivity\\n| where TimeGenerated \u003e= ago(starttime)\\n| where isnotempty(UserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = ClientIP, Account = UserId, Type, RecordType, Operation\\n),\\n(\\nW3CIISLog\\n| where TimeGenerated \u003e= ago(starttime)\\n| where isnotempty(csUserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent = csUserAgent, SourceIP = cIP, Account = csUserName, Type, sSiteName, csMethod, csUriStem\\n),\\n(\\nAWSCloudTrail\\n| where TimeGenerated \u003e= ago(starttime)\\n| where isnotempty(UserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = SourceIpAddress, Account = UserIdentityUserName, Type, EventSource, EventName\\n))\\n// remove wordSize blocks of non-numeric hex characters prior to word extraction\\n| extend UserAgentNoHexAlphas = replace(\\\"([A-Fa-f]{4,})\\\", \\\"x\\\", UserAgent)\\n// once blocks of hex chars are removed, extract wordSize blocks of a-z\\n| extend Tokens = extract_all(\\\"([A-Za-z]{4,})\\\", UserAgentNoHexAlphas)\\n// concatenate extracted words to create a summarized user agent for baseline and comparison\\n| extend NormalizedUserAgent = strcat_array(Tokens, \\\"|\\\")\\n| project-away UserAgentNoHexAlphas, Tokens;\\nUserAgentAll\\n| where StartTime \u003e= ago(endtime)\\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), count() by UserAgent, NormalizedUserAgent, SourceIP, Account, Type, RecordType, Operation, EventSource, EventName, sSiteName, csMethod, csUriStem\\n| join kind=leftanti\\n(\\nUserAgentAll\\n| where StartTime \u003c ago(endtime)\\n| summarize by NormalizedUserAgent, SourceIP, Account, Type, RecordType, Operation, EventSource, EventName, sSiteName, csMethod, csUriStem\\n)\\non NormalizedUserAgent\\n| extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"CommandAndControl\",\"Execution\"],\"displayName\":\"New UserAgent observed in last 24 hours\",\"description\":\"Identifies new UserAgents observed in the last 24 hours versus the previous 14 days. This detection\\nextracts words from user agents to build the baseline and determine rareity rather than perform a\\ndirect comparison. This avoids FPs caused by version numbers and other high entropy user agent components.\\nThese new UserAgents could be benign. However, in normally stable environments,\\nthese new UserAgents could provide a starting point for investigating malicious activity.\\nNote: W3CIISLog can be noisy depending on the environment, however OfficeActivity and AWSCloudTrail are\\nusually stable with low numbers of detections.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-04-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/155e9134-d5ad-4a6f-88f3-99c220040b66\",\"name\":\"155e9134-d5ad-4a6f-88f3-99c220040b66\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"// Set the lookback to determine if user has created pipelines before\\nlet timeback = 14d;\\n// Set the period for detections\\nlet timeframe = 1d;\\n// Get a list of previous Release Pipeline creators to exclude\\nlet releaseusers = AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeback) and TimeGenerated \u003c ago(timeframe)\\n| where OperationName in (\\\"Release.ReleasePipelineCreated\\\", \\\"Release.ReleasePipelineModified\\\")\\n// We want to look for users performing actions in specific projects so we create this userscope object to match on\\n| extend UserScope = strcat(ActorUserId, \\\"-\\\", ProjectName)\\n| summarize by UserScope;\\n// Get Release Pipeline creations by new users\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeframe)\\n| where OperationName =~ \\\"Release.ReleasePipelineModified\\\"\\n| extend UserScope = strcat(ActorUserId, \\\"-\\\", ProjectName)\\n| where UserScope !in (releaseusers)\\n| extend ActorUPN = tolower(ActorUPN)\\n| project-away Id, ActivityId, ActorCUID, ScopeId, ProjectId, TenantId, SourceSystem, UserScope\\n// See if any of these users have Azure AD alerts associated with them in the same timeframe\\n| join kind = leftouter (\\nSecurityAlert\\n| where TimeGenerated \u003e ago(timeframe)\\n| where ProviderName == \\\"IPC\\\"\\n| extend AadUserId = tostring(parse_json(Entities)[0].AadUserId)\\n| summarize Alerts=count() by AadUserId) on $left.ActorUserId == $right.AadUserId\\n| extend Alerts = iif(isnotempty(Alerts), Alerts, 0)\\n// Uncomment the line below to only show results where the user as AADIdP alerts\\n//| where Alerts \u003e 0\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Execution\",\"DefenseEvasion\"],\"displayName\":\"Azure DevOps Pipeline modified by a new user.\",\"description\":\"There are several potential pipeline steps that could be modified by an attacker to inject malicious code into the build cycle. A likely attacker path is the modification to an existing pipeline that they have access to. \\nThis detection looks for users modifying a pipeline when they have not previously been observed modifying or creating that pipeline before. This query also joins events with data to Azure AD Identity Protection (AAD IdP) \\nin order to show if the user conducting the action has any associated AAD IdP alerts. You can also choose to filter this detection to only alert when the user also has AAD IdP alerts associated with them.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3d023f64-8225-41a2-9570-2bd7c2c4535e\",\"name\":\"3d023f64-8225-41a2-9570-2bd7c2c4535e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1DT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\nlet spanoftime = 10m;\\nlet threshold = 0;\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e ago(timeframe+spanoftime)\\n// A user account was enabled\\n| where EventID == 4722\\n| where AccountType =~ \\\"User\\\"\\n| where TargetAccount !endswith \\\"$\\\"\\n| project EnableTime = TimeGenerated, EnableEventID = EventID, EnableActivity = Activity, Computer, UserPrincipalName, \\nAccountUsedToEnable = SubjectAccount, SIDofAccountUsedToEnable = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid\\n),\\n(\\nWindowsEvent\\n| where TimeGenerated \u003e ago(timeframe+spanoftime)\\n// A user account was enabled\\n| where EventID == 4722\\n| extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| extend AccountType=case(EventData.SubjectUserName endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n| where AccountType =~ \\\"User\\\"\\n| extend SubjectAccount = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| where TargetAccount !endswith \\\"$\\\"\\n| extend Activity=\\\"4722 - A user account was enabled.\\\"\\n| extend TargetSid = tostring(EventData.TargetSid)\\n| extend UserPrincipalName = tostring(EventData.UserPrincipalName)\\n| project EnableTime = TimeGenerated, EnableEventID = EventID, EnableActivity = Activity, Computer, UserPrincipalName, \\nAccountUsedToEnable = SubjectAccount, SIDofAccountUsedToEnable = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid\\n))\\n| join kind= inner (\\n (union isfuzzy=true\\n (SecurityEvent\\n | where TimeGenerated \u003e ago(timeframe)\\n // A user account was disabled\\n | where EventID == 4725\\n| where AccountType =~ \\\"User\\\"\\n| project DisableTime = TimeGenerated, DisableEventID = EventID, DisableActivity = Activity, Computer, UserPrincipalName, \\nAccountUsedToDisable = SubjectAccount, SIDofAccountUsedToDisable = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid\\n),\\n(WindowsEvent\\n | where TimeGenerated \u003e ago(timeframe)\\n // A user account was disabled\\n | where EventID == 4725\\n| extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| extend AccountType=case(EventData.SubjectUserName endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n| where AccountType =~ \\\"User\\\"\\n| extend SubjectAccount = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| extend TargetSid = tostring(EventData.TargetSid)\\n| extend UserPrincipalName = tostring(EventData.UserPrincipalName)\\n| extend Activity = \\\"4725 - A user account was disabled.\\\"\\n| project DisableTime = TimeGenerated, DisableEventID = EventID, DisableActivity = Activity, Computer, UserPrincipalName, \\nAccountUsedToDisable = SubjectAccount, SIDofAccountUsedToDisable = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid))\\n) on Computer, TargetAccount\\n| where DisableTime - EnableTime \u003c spanoftime\\n| extend TimeDelta = DisableTime - EnableTime\\n| where tolong(TimeDelta) \u003e= threshold\\n| project TimeDelta, EnableTime, EnableEventID, EnableActivity, Computer, TargetAccount, TargetSid, UserPrincipalName, AccountUsedToEnable, SIDofAccountUsedToEnable, \\nDisableTime, DisableEventID, DisableActivity, AccountUsedToDisable, SIDofAccountUsedToDisable\\n| extend timestamp = EnableTime, AccountCustomEntity = AccountUsedToEnable, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"Sid\",\"columnName\":\"SIDofAccountUsedToEnable\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"User account enabled and disabled within 10 mins\",\"description\":\"Identifies when a user account is enabled and then disabled within 10 minutes. This can be an indication of compromise and\\nan adversary attempting to hide in the noise.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2019-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0625fcce-6d52-491e-8c68-1d9b801d25b9\",\"name\":\"0625fcce-6d52-491e-8c68-1d9b801d25b9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"Event\\n| where EventLog =~ \\\"Application\\\"\\n| where Source startswith \\\"MSExchange\\\"\\n| where EventLevelName =~ \\\"error\\\"\\n| where (RenderedDescription startswith \\\"Watson report\\\" and RenderedDescription contains \\\"umworkerprocess\\\" and RenderedDescription contains \\\"TextFormattingRunProperties\\\") or RenderedDescription startswith \\\"An unhandled exception occurred in a UM worker process\\\" or RenderedDescription startswith \\\"The Microsoft Exchange Unified Messaging service\\\" or RenderedDescription contains \\\"MSExchange Unified Messaging\\\"\\n| where RenderedDescription !contains \\\"System.OutOfMemoryException\\\"\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"HAFNIUM Suspicious UM Service Error\",\"description\":\"This query looks for errors that may indicate that an attacker is attempting to exploit a vulnerability in the service. \\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-02T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/09c49590-4e9d-4da9-a34d-17222d0c9e7e\",\"name\":\"09c49590-4e9d-4da9-a34d-17222d0c9e7e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"AlertPerResult\"},\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let default_file_ext_blocklist = dynamic([\u0027.ps1\u0027, \u0027.vbs\u0027, \u0027.bat\u0027, \u0027.scr\u0027]);\\nlet custom_file_ext_blocklist=toscalar(_GetWatchlist(\u0027RiskyFileTypes\u0027) | extend Extension=column_ifexists(\\\"Extension\\\",\\\"\\\") | where isnotempty(Extension) | summarize make_set(Extension));\\nlet file_ext_blocklist = array_concat(default_file_ext_blocklist, custom_file_ext_blocklist);\\n_Im_WebSession(url_has_any=file_ext_blocklist, eventresult=\u0027Success\u0027)\\n| extend requestedFileName=tostring(split(tostring(parse_url(Url)[\\\"Path\\\"]),\u0027/\u0027)[-1])\\n| extend requestedFileExt=extract(@(\\\\.\\\\w+)$,1,requestedFileName, typeof(string))\\n| where requestedFileExtension in (file_ext_blocklist)\\n| summarize LastAttemptTime=max(TimeGenerated), NumFailedAttempts=count() by SrcIpAddr, requestedFileName, Url\\n| extend IPCustomEntity = SrcIpAddr, UrlCustomEntity=Url\",\"customDetails\":{\"requestedFileName\":\"requestedFileName\",\"requestedFileExt\":\"requestedFileExt\",\"Username\":\"SrcUsername\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Client {{SrcIpAddr}} accessed a URL with potentially harmful extension {{requestedFileExt}}\",\"alertDescriptionFormat\":\"The client at address {{SrcIpAddr}} accessed the URL {{Url}} that has the extension {{requestedFileExt}}. Downloading a file with this extension may be harmful and may indicate malicious activity.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"InitialAccess\"],\"displayName\":\"A client made a web request to a potentially harmful file (ASIM Web Session schema)\",\"description\":\"This rule identifies a web request to a URL that holds a file type, including .ps1, .bat, .vbs, and .scr that can be harmful if downloaded. This rule uses the [Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) and supports any web session source that complies with ASIM. To use this Analytics Rule, deploy the Advanced Security Information Model (ASIM).\\n This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema)\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2021-12-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ffcd575b-3d54-482a-a6d8-d0de13b6ac63\",\"name\":\"ffcd575b-3d54-482a-a6d8-d0de13b6ac63\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @\u0027^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$\u0027;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n CommonSecurityLog | where TimeGenerated \u003e= ago(dt_lookBack) and isnotempty(DestinationUserID)\\n // Filtering PAN Logs for specific event type to match relevant email entities\\n | where DeviceVendor == \\\"Palo Alto Networks\\\" and DeviceEventClassID == \\\"wildfire\\\" and ApplicationProtocol in (\\\"smtp\\\",\\\"pop3\\\")\\n | extend DestinationUserID = tolower(DestinationUserID)\\n | where DestinationUserID matches regex emailregex\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n)\\non $left.EmailSenderAddress == $right.DestinationUserID\\n| where CommonSecurityLog_TimeGenerated \u003c ExpirationDateTime\\n| summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, DestinationUserID\\n| project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, EmailSenderName, EmailRecipient, \\nEmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, DestinationUserID, DeviceEventClassID, LogSeverity, DeviceAction, SourceIP, SourcePort, \\nDestinationIP, DestinationPort, Protocol, ApplicationProtocol\\n| extend timestamp = CommonSecurityLog_TimeGenerated, AccountCustomEntity = DestinationUserID, IPCustomEntity = SourceIP, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map Email entity to CommonSecurityLog\",\"description\":\"Identifies a match in CommonSecurityLog table from any Email IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7cb8f77d-c52f-4e46-b82f-3cf2e106224a\",\"name\":\"7cb8f77d-c52f-4e46-b82f-3cf2e106224a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let lookBack_long = 7d;\\nlet lookBack_med = 3d;\\nlet lookBack = 1d;\\nlet aadFunc = (tableName:string){\\ntable(tableName)\\n| where TimeGenerated \u003e= startofday(ago(lookBack_long))\\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n| extend locationString = strcat(tostring(LocationDetails.countryOrRegion), \\\"/\\\", tostring(LocationDetails.state), \\\"/\\\", tostring(LocationDetails.city), \\\";\\\") \\n| project TimeGenerated, AppDisplayName , UserPrincipalName, locationString \\n// Create time series \\n| make-series dLocationCount = dcount(locationString) on TimeGenerated in range(startofday(ago(lookBack_long)),now(), 1d) \\nby UserPrincipalName, AppDisplayName \\n// Compute best fit line for each entry \\n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dLocationCount) \\n// Chart the 3 most interesting lines \\n// A 0-value slope corresponds to an account being completely stable over time for a given Azure Active Directory application\\n| where Slope \u003e 0.3\\n| top 50 by Slope desc\\n| join kind = leftsemi (\\ntable(tableName)\\n| where TimeGenerated \u003e= startofday(ago(lookBack_med))\\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n| extend locationString = strcat(tostring(LocationDetails.countryOrRegion), \\\"/\\\", tostring(LocationDetails.state), \\\"/\\\", tostring(LocationDetails.city), \\\";\\\") \\n| project TimeGenerated, AppDisplayName , UserPrincipalName, locationString \\n| make-series dLocationCount = dcount(locationString) on TimeGenerated in range(startofday(ago(lookBack_med)) ,now(), 1d) \\nby UserPrincipalName, AppDisplayName \\n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dLocationCount)\\n| where Slope \u003e 0.3\\n| top 50 by Slope desc\\n) on UserPrincipalName, AppDisplayName\\n| join kind = leftsemi (\\ntable(tableName)\\n| where TimeGenerated \u003e= startofday(ago(lookBack))\\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n| extend locationString = strcat(tostring(LocationDetails.countryOrRegion), \\\"/\\\", tostring(LocationDetails.state), \\\"/\\\", tostring(LocationDetails.city), \\\";\\\") \\n| project TimeGenerated, AppDisplayName , UserPrincipalName, locationString \\n| make-series dLocationCount = dcount(locationString) on TimeGenerated in range(startofday(ago(lookBack)) ,now(), 1d) \\nby UserPrincipalName, AppDisplayName \\n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dLocationCount)\\n| where Slope \u003e 5\\n| top 50 by Slope desc\\n// Higher threshold requirement on last day anomaly\\n) on UserPrincipalName, AppDisplayName\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Anomalous sign-in location by user account and authenticating application\",\"description\":\"This query over Azure Active Directory sign-in considers all user sign-ins for each Azure Active \\nDirectory application and picks out the most anomalous change in location profile for a user within an \\nindividual application. An alert is generated for recent sign-ins that have location counts that are anomalous\\nover last day but also over the last 3-day and 7-day periods.\\nPlease note that on workspaces with larger volume of Signin data (~10M+ events a day) may timeout when using this default query time period.\\nIt is recommended that you test and tune this appropriately for the workspace.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1da9853f-3dea-4ea9-b7e5-26730da3d537\",\"name\":\"1da9853f-3dea-4ea9-b7e5-26730da3d537\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let PortScanThreshold = 50;\\n_Im_NetworkSession\\n| where ipv4_is_private(SrcIpAddr) == False\\n| summarize AttemptedPortsCount=dcount(DstPortNumber) by SrcIpAddr, bin(TimeGenerated, 5m)\\n| where AttemptedPortsCount \u003e PortScanThreshold\",\"customDetails\":{\"AttemptedPortsCount\":\"AttemptedPortsCount\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Potential port scan from {{SrcIpAddr}}\",\"alertDescriptionFormat\":\"A port scan has been performed from address {{SrcIpAddr}} over {{AttemptedPortsCount}} pots within 5 minutes. This may indicate that a [port scanner](https://en.wikipedia.org/wiki/Port_scanner) is trying to identify open ports in order to penetrate a system.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"Discovery\"],\"displayName\":\"Port scan detected (ASIM Network Session schema)\",\"description\":\"This rule identifies a possible port scan, in which a single source tries to access a large number of different ports is a short time frame. This may indicate that a [port scanner](https://en.wikipedia.org/wiki/Port_scanner) is trying to identify open ports in order to penetrate a system.\u003cbr\u003e\u003cbr\u003e\\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2022-03-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/eda260eb-f4a1-4379-ad98-452604da9b3e\",\"name\":\"eda260eb-f4a1-4379-ad98-452604da9b3e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let eventsThreshold = 20;\\nCommonSecurityLog\\n| where isnotempty(RequestURL)\\n| project TimeGenerated, RequestURL, RequestMethod, SourceIP, SourceHostName\\n| evaluate sequence_detect(TimeGenerated, 5s, 8s, login=(RequestURL has \\\"login.microsoftonline.com/consumers/oauth2/v2.0/token\\\"), graph=(RequestURL has \\\"graph.microsoft.com/v1.0/me/drive/\\\"), SourceIP, SourceHostName)\\n| summarize Events=count() by SourceIP, SourceHostName\\n| where Events \u003e= eventsThreshold\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"SourceHostName\"}]}],\"tactics\":[\"Exfiltration\",\"CommandAndControl\"],\"displayName\":\"CreepyDrive request URL sequence\",\"description\":\"CreepyDrive uses OneDrive for command and control, however, it makes regular requests to predicatable paths.\\nThis detecton will alert when over 20 sequences are observed in a single day.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2022-05-31T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3533f74c-9207-4047-96e2-0eb9383be587\",\"name\":\"3533f74c-9207-4047-96e2-0eb9383be587\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let detectionTime = 1d;\\nlet joinLookback = 14d;\\nAuditLogs\\n| where TimeGenerated \u003e ago(detectionTime)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Consent to application\\\"\\n| where TargetResources has \\\"offline\\\"\\n| extend AppDisplayName = TargetResources.[0].displayName\\n| extend AppClientId = tolower(TargetResources.[0].id)\\n| where AppClientId !in ((externaldata(knownAppClientId:string, knownAppDisplayName:string)[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.OAuth.KnownApplications.csv\\\"] with (format=\\\"csv\\\")))\\n| extend ConsentFull = TargetResources[0].modifiedProperties[4].newValue\\n| parse ConsentFull with * \\\"ConsentType: \\\" GrantConsentType \\\", Scope: \\\" GrantScope1 \\\"]\\\" *\\n| where ConsentFull contains \\\"offline_access\\\" and ConsentFull contains \\\"Files.Read\\\" or ConsentFull contains \\\"Mail.Read\\\" or ConsentFull contains \\\"Notes.Read\\\" or ConsentFull contains \\\"ChannelMessage.Read\\\" or ConsentFull contains \\\"Chat.Read\\\" or ConsentFull contains \\\"TeamsActivity.Read\\\" or ConsentFull contains \\\"Group.Read\\\" or ConsentFull contains \\\"EWS.AccessAsUser.All\\\" or ConsentFull contains \\\"EAS.AccessAsUser.All\\\"\\n| where GrantConsentType != \\\"AllPrincipals\\\" // NOTE: we are ignoring if OAuth application was granted to all users via an admin - but admin due diligence should be audited occasionally\\n| extend GrantIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\\n| extend GrantInitiatedBy = tostring(iff(isnotempty(InitiatedBy.user.userPrincipalName),InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName))\\n| extend GrantUserAgent = tostring(iff(AdditionalDetails[0].key =~ \\\"User-Agent\\\", AdditionalDetails[0].value, \\\"\\\"))\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, GrantIpAddress, GrantUserAgent, AppClientId, OperationName, ConsentFull, CorrelationId\\n| join kind = leftouter (AuditLogs\\n| where TimeGenerated \u003e ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add service principal\\\"\\n| extend AppClientId = tolower(TargetResources[0].id)\\n| extend AppReplyURLs = iff(TargetResources[0].modifiedProperties[1].newValue has \\\"AddressType\\\", TargetResources[0].modifiedProperties[1].newValue, \\\"\\\")\\n| distinct AppClientId, tostring(AppReplyURLs)\\n)\\non AppClientId\\n| join kind = innerunique (AuditLogs\\n| where TimeGenerated \u003e ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add OAuth2PermissionGrant\\\" or OperationName =~ \\\"Add delegated permission grant\\\"\\n| extend GrantAuthentication = tostring(TargetResources[0].displayName)\\n| extend GrantOperation = OperationName\\n| project GrantAuthentication, GrantOperation, CorrelationId\\n) on CorrelationId\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantIpAddress, GrantUserAgent, AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull\\n| extend timestamp = TimeGenerated, AccountCustomEntity = GrantInitiatedBy, IPCustomEntity = GrantIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Suspicious application consent for offline access\",\"description\":\"This will alert when a user consents to provide a previously-unknown Azure application with offline access via OAuth.\\nOffline access will provide the Azure App with access to the listed resources without requiring two-factor authentication.\\nConsent to applications with offline access and read capabilities should be rare, especially as the knownApplications list is expanded. Public contributions to expand this filter are welcome!\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0ee2aafb-4500-4e36-bcb1-e90eec2f0b9b\",\"name\":\"0ee2aafb-4500-4e36-bcb1-e90eec2f0b9b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"AWSCloudTrail\\n| where EventName =~ \\\"ConsoleLogin\\\"\\n| extend MFAUsed = tostring(parse_json(AdditionalEventData).MFAUsed), LoginResult = tostring(parse_json(ResponseElements).ConsoleLogin)\\n| where MFAUsed !~ \\\"Yes\\\" and LoginResult !~ \\\"Failure\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, LoginResult, MFAUsed, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent,\\nUserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserIdentityUserName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIpAddress\"}]}],\"tactics\":[\"DefenseEvasion\",\"PrivilegeEscalation\",\"Persistence\",\"InitialAccess\"],\"displayName\":\"NRT Login to AWS Management Console without MFA\",\"description\":\"Multi-Factor Authentication (MFA) helps you to prevent credential compromise. This alert identifies logins to the AWS Management Console without MFA.\\nYou can limit this detection to trigger for administrative accounts if you do not have MFA enabled on all accounts.\\nThis is done by looking at the eventName ConsoleLogin and if the AdditionalEventData field indicates MFA was NOT used\\nand the ResponseElements field indicates NOT a Failure. Thereby indicating that a non-MFA login was successful.\",\"lastUpdatedDateUTC\":\"2022-02-08T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/269435e3-1db8-4423-9dfc-9bf59997da1c\",\"name\":\"269435e3-1db8-4423-9dfc-9bf59997da1c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Low\",\"query\":\"AuditLogs\\n| where Category =~ \\\"RoleManagement\\\"\\n| where OperationName has \\\"Add member to role outside of PIM\\\"\\n or (LoggedByService == \\\"Core Directory\\\" and OperationName == \\\"Add member to role\\\" and Identity != \\\"MS-PIM\\\")\\n| extend AccountCustomEntity = tostring(TargetResources[0].userPrincipalName), IPCustomEntity = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Privileged Role Assigned Outside PIM\",\"description\":\"Identifies a privileged role being assigned to a user outside of PIM\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1\",\"lastUpdatedDateUTC\":\"2022-01-17T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2be4ef67-a93f-4d8a-981a-88158cb73abd\",\"name\":\"2be4ef67-a93f-4d8a-981a-88158cb73abd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.0\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet covidIndicators = (externaldata(TimeGenerated:datetime, FileHashValue:string, FileHashType: string, TlpLevel: string, Product: string, ThreatType: string, Description: string )\\n[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.Covid19.Indicators.csv\\\"] with (format=\\\"csv\\\"));\\nlet fileHashIndicators = covidIndicators\\n| where isnotempty(FileHashValue);\\n// Handle matches against both lower case and uppercase versions of the hash:\\n(fileHashIndicators | extend FileHashValue = tolower(FileHashValue)\\n| union (fileHashIndicators | extend FileHashValue = toupper(FileHashValue)))\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n CommonSecurityLog | where TimeGenerated \u003e= ago(dt_lookBack) \\n | where isnotempty(FileHash)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n )\\non $left.FileHashValue == $right.FileHash\\n| summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by FileHashValue\\n| project CommonSecurityLog_TimeGenerated, FileHashValue, FileHashType, Description, ThreatType, \\nSourceIP, SourcePort, DestinationIP, DestinationPort, SourceUserID, SourceUserName, DeviceName, DeviceAction, \\nRequestURL, DestinationUserName, DestinationUserID, ApplicationProtocol, Activity\\n| extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, AccountCustomEntity = SourceUserName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Value\",\"columnName\":\"FileHashValue\"},{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashType\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Microsoft COVID-19 file hash indicator matches\",\"description\":\"Identifies a match in CommonSecurityLog Event data from any FileHash published in the Microsoft COVID-19 Threat Intel Feed - as described at https://www.microsoft.com/security/blog/2020/05/14/open-sourcing-covid-threat-intelligence/\",\"lastUpdatedDateUTC\":\"2022-07-07T00:00:00Z\",\"createdDateUTC\":\"2019-08-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5b72f527-e3f6-4a00-9908-8e4fee14da9f\",\"name\":\"5b72f527-e3f6-4a00-9908-8e4fee14da9f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"CommonSecurityLog\\n| where isnotempty(DestinationPort) and DeviceAction !in (\\\"reset-both\\\", \\\"deny\\\") \\n// filter out common usage ports. Add ports that are legitimate for your environment\\n| where DestinationPort !in (\\\"443\\\", \\\"53\\\", \\\"389\\\", \\\"80\\\", \\\"0\\\", \\\"880\\\", \\\"8888\\\", \\\"8080\\\")\\n| where ApplicationProtocol == \\\"incomplete\\\" \\n// filter out IANA ephemeral or negotiated ports as per https://en.wikipedia.org/wiki/Ephemeral_port\\n| where DestinationPort !between (toint(49512) .. toint(65535)) \\n| where Computer != \\\"\\\" \\n| where DestinationIP !startswith \\\"10.\\\"\\n| extend Reason = coalesce(\\n column_ifexists(\\\"Reason\\\", \\\"\\\"), \\n extract(\\\"reason=(.+?)(;|$)\\\", 1, AdditionalExtensions),\\n \\\"\\\"\\n )\\n// Filter out any graceful reset reasons of AGED OUT which occurs when a TCP session closes with a FIN due to aging out. \\n| where Reason !has \\\"aged-out\\\" \\n// Filter out any TCP FIN which occurs when a TCP FIN is used to gracefully close half or both sides of a connection.\\n| where Reason !has \\\"tcp-fin\\\" \\n// Uncomment one of the following where clauses to trigger on specific TCP reset reasons\\n// See Palo Alto article for details - https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClUvCAK\\n// TCP RST-server - Occurs when the server sends a TCP reset to the client\\n// | where AdditionalExtensions has \\\"reason=tcp-rst-from-server\\\" \\n// TCP RST-client - Occurs when the client sends a TCP reset to the server\\n// | where AdditionalExtensions has \\\"reason=tcp-rst-from-client\\\" \\n// Already performed\\n//| extend reason = tostring(split(AdditionalExtensions, \\\";\\\")[3])\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by DeviceName, SourceUserID, SourceIP, ApplicationProtocol, Reason, DestinationPort, Protocol, DeviceVendor, DeviceProduct, DeviceAction, DestinationIP\\n| where count_ \u003e= 10\\n| summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), makeset(DestinationIP), totalcount = sum(count_) by DeviceName, SourceUserID, SourceIP, ApplicationProtocol, Reason, DestinationPort, Protocol, DeviceVendor, DeviceProduct, DeviceAction\\n| extend timestamp = StartTimeUtc, IPCustomEntity = SourceIP, AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Discovery\"],\"displayName\":\"Palo Alto - possible internal to external port scanning\",\"description\":\"Identifies a list of internal Source IPs (10.x.x.x Hosts) that have triggered 10 or more non-graceful tcp server resets from one or more Destination IPs which \\nresults in an \\\"ApplicationProtocol = incomplete\\\" designation. The server resets coupled with an \\\"Incomplete\\\" ApplicationProtocol designation can be an indication \\nof internal to external port scanning or probing attack. \\nReferences: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClUvCAK and\\nhttps://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClTaCAK\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2019-02-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/677da133-e487-4108-a150-5b926591a92b\",\"name\":\"677da133-e487-4108-a150-5b926591a92b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.5.1\",\"severity\":\"Medium\",\"query\":\"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string)\\n[@\\\"https://raw.githubusercontent.com/microsoft/mstic/master/Indicators/May21-NOBELIUM/May21NOBELIUMIoCs.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet sha256s = (iocs | where Type =~ \\\"SHA256\\\"| project IoC);\\nlet ips = (iocs | where Type =~ \\\"IP\\\"| project IoC);\\nlet IPList = dynamic([\\\"192.99.221.77\\\",\\\"83.171.237.173\\\"]);\\nlet ips_list=toscalar(ips | summarize makeset(IoC));\\nlet full_ip_list= array_concat(ips_list, IPList);\\nlet domains = (iocs | where Type =~ \\\"Domain\\\"| project IoC);\\nlet domain_list=toscalar(domains | summarize make_set(IoC));\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\nlet sha256Hashes = dynamic([\\\"2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9226c80b8b31252\\\",\\n\\\"d035d394a82ae1e44b25e273f99eae8e2369da828d6b6fdb95076fd3eb5de142\\\",\\n\\\"94786066a64c0eb260a28a2959fcd31d63d175ade8b05ae682d3f6f9b2a5a916\\\",\\n\\\"48b5fb3fa3ea67c2bc0086c41ec755c39d748a7100d71b81f618e82bf1c479f0\\\",\\n\\\"ee44c0692fd2ab2f01d17ca4b58ca6c7f79388cbc681f885bb17ec946514088c\\\",\\n\\\"ee42ddacbd202008bcc1312e548e1d9ac670dd3d86c999606a3a01d464a2a330\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or DestinationHostName in~ (domains) or RequestURL has_any (domains) or Message has_any (IPList)\\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", RequestURL in (domains), \\\"RequestUrl\\\", SourceIP in (ips), \\\"SourceIP\\\", DestinationIP in (ips), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", \\\"NoMatch\\\") \\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, \\\"NoMatch\\\"), AccountCustomEntity = SourceUserID\\n),\\n(_Im_Dns (domain_has_any=todynamic(domain_list))\\n| extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host\\n),\\n(_Im_Dns (response_has_any_prefix=todynamic(full_ip_list))\\n| extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host\\n),\\n(VMConnection\\n| where SourceIp in (IPList) or DestinationIp in (IPList) or SourceIp in (ips) or DestinationIp in (ips) or RemoteDnsCanonicalNames has_any (domains)\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", SourceIp in (ips), \\\"SourceIP\\\", DestinationIp in (ips), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"NoMatch\\\"), HostCustomEntity = Computer\\n),\\n(OfficeActivity\\n| where ClientIP in (IPList) or ClientIP in (ips)\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = UserId\\n),\\n(WindowsFirewall\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or SourceIP in (ips) or DestinationIP in (ips)\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", SourceIP in (ips), \\\"SourceIP\\\", DestinationIP in (ips), \\\"DestinationIP\\\", \\\"None\\\")\\n),\\n(_Im_NetworkSession(srcipaddr_has_any_prefix=full_ip_list)\\n | extend IPMatch = \\\"SourceIP\\\"\\n | extend timestamp = TimeGenerated, HostCustomEntity = Dvc , IPCustomEntity = SrcIpAddr //, AccountCustomEntity =User\\n),\\n(_Im_NetworkSession(dstipaddr_has_any_prefix=full_ip_list)\\n | extend IPMatch = \\\"DestinationIP\\\"\\n | extend timestamp = TimeGenerated, HostCustomEntity = Dvc , IPCustomEntity = DstIpAddr //, AccountCustomEntity =User\\n),\\n(_Im_WebSession(url_has_any=domains)\\n | extend timestamp=TimeGenerated, HostCustomEntity=Dvc , DNSName=tostring(parse_url(Url)[\\\"Host\\\"]), AccountCustomEntity=User\\n),\\n(_Im_WebSession(srcipaddr_has_any_prefix=full_ip_list)\\n | extend timestamp=TimeGenerated, HostCustomEntity=Dvc , DNSName=tostring(parse_url(Url)[\\\"Host\\\"]), AccountCustomEntity=User\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (domains) \\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updating\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| where EventDetail has_any (sha256Hashes) or EventDetail has_any (sha256s)\\n| parse EventDetail with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = SHA256\\n| project Type, TimeGenerated, Computer, Account, FileHash\\n),\\n(DeviceFileEvents\\n| where SHA256 in~ (sha256Hashes) or SHA256 in~ (sha256s)\\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = SHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(imFileEvent\\n| where TargetFileSHA256 in~ (sha256Hashes) or TargetFileSHA256 in~ (sha256s)\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes) or FileHash in (sha256s)\\n| extend timestamp = TimeGenerated\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"DNSName\"}]}],\"tactics\":[\"CommandAndControl\",\"Execution\"],\"displayName\":\"NOBELIUM - Domain, Hash and IP IOCs - May 2021\",\"description\":\"Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM.\\nRef: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2021-03-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceFileEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/35ce9aff-1708-45b8-a295-5e9a307f5f17\",\"name\":\"35ce9aff-1708-45b8-a295-5e9a307f5f17\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"AzureDevOpsAuditing\\n| where OperationName =~ \\\"Group.UpdateGroupMembership.Add\\\"\\n| where Details has_any (\\\"Project Administrators\\\", \\\"Project Collection Administrators\\\", \\\"Project Collection Service Accounts\\\", \\\"Build Administrator\\\")\\n| project-reorder TimeGenerated, Details, ActorUPN, IpAddress, UserAgent, AuthenticationMechanism, ScopeDisplayName\\n| extend timekey = bin(TimeGenerated, 1h)\\n| extend ActorUserId = tostring(Data.MemberId)\\n| project timekey, ActorUserId, AddingUser=ActorUPN, TimeAdded=TimeGenerated, PermissionGrantDetails = Details\\n// Get details of operations conducted by user soon after elevation of permissions\\n| join (AzureDevOpsAuditing\\n| extend ActorUserId = tostring(Data.MemberId)\\n| extend timekey = bin(TimeGenerated, 1h)) on timekey, ActorUserId\\n| summarize ActionsWhenAdded = make_set(OperationName) by ActorUPN, AddingUser, TimeAdded, PermissionGrantDetails, IpAddress, UserAgent\\n| extend timestamp = TimeAdded, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddingUser\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"New PA, PCA, or PCAS added to Azure DevOps\",\"description\":\"In order for an attacker to be able to conduct many potential attacks against Azure DevOps they will need to gain elevated permissions. \\nThis detection looks for users being granted key administrative permissions. If the principal of least privilege is applied, the number of \\nusers granted these permissions should be small. Note that permissions can also be granted via Azure AD groups and monitoring of these \\nshould also be conducted.\",\"lastUpdatedDateUTC\":\"2022-01-17T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bf07ca9c-e408-443a-8939-6860a45a929e\",\"name\":\"bf07ca9c-e408-443a-8939-6860a45a929e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"let allowed_publishers = dynamic([]);\\nAzureDevOpsAuditing\\n| where OperationName =~ \\\"Extension.Installed\\\"\\n| extend ExtensionName = tostring(Data.ExtensionName)\\n| extend PublisherName = tostring(Data.PublisherName)\\n| where PublisherName !in (allowed_publishers)\\n| project-reorder TimeGenerated, OperationName, ExtensionName, PublisherName, ActorUPN, IpAddress, UserAgent, ScopeDisplayName, Data\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Azure DevOps New Extension Added\",\"description\":\"Extensions add additional features to Azure DevOps. An attacker could use a malicious extension to conduct malicious activity. \\nThis query looks for new extensions that are not from a configurable list of approved publishers.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/65c78944-930b-4cae-bd79-c3664ae30ba7\",\"name\":\"65c78944-930b-4cae-bd79-c3664ae30ba7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"(union isfuzzy=true\\n(AuditLogs \\n| where OperationName =~ \\\"Disable Strong Authentication\\\"\\n| extend IPAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress) \\n| extend InitiatedByUser = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)), \\n tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName))\\n| extend Targetprop = todynamic(TargetResources)\\n| extend TargetUser = tostring(Targetprop[0].userPrincipalName) \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by User = TargetUser, InitiatedByUser , Operation = OperationName , CorrelationId, IPAddress, Category, Source = SourceSystem , AADTenantId, Type\\n),\\n(AWSCloudTrail\\n| where EventName in~ (\\\"DeactivateMFADevice\\\", \\\"DeleteVirtualMFADevice\\\") \\n| extend InstanceProfileName = tostring(parse_json(RequestParameters).InstanceProfileName)\\n| extend TargetUser = tostring(parse_json(RequestParameters).userName)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by User = TargetUser, Source = EventSource , Operation = EventName , TenantorInstance_Detail = InstanceProfileName, IPAddress = SourceIpAddress\\n)\\n)\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\",\"Persistence\"],\"displayName\":\"MFA disabled for a user\",\"description\":\"Multi-Factor Authentication (MFA) helps prevent credential compromise. This alert identifies when an attempt has been made to disable MFA for a user \",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2019-12-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4759ddb4-2daf-43cb-b34e-d85b85b4e4a5\",\"name\":\"4759ddb4-2daf-43cb-b34e-d85b85b4e4a5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/DEV-0322_SolarWinds_Serv-U_IoC.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet process = (iocs | where Type =~ \\\"process\\\" | project IoC);\\nlet parentprocess = (iocs | where Type =~ \\\"parentprocess\\\" | project IoC);\\nlet IPList = (iocs | where Type =~ \\\"ip\\\"| project IoC);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or RequestURL has_any (IPList) or Message has_any (IPList)\\n| project TimeGenerated, SourceIP, DestinationIP, Message, SourceUserID, RequestURL, Type\\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", RequestURL in (IPList), \\\"RequestUrl\\\",\\\"NoMatch\\\"), AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, IPMatch == \\\"RequestUrl\\\", RequestURL, \\\"NoMatch\\\"), AccountCustomEntity = SourceUserID\\n),\\n(DnsEvents\\n| where IPAddresses in (IPList) \\n| project TimeGenerated, Computer, IPAddresses, Name, ClientIP, Type\\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Host = Computer , AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n),\\n(VMConnection\\n| where SourceIp in (IPList) or DestinationIp in (IPList)\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| project TimeGenerated, Computer, Direction, ProcessName, SourceIp, DestinationIp, DestinationPort, RemoteDnsQuestions, DNSName,BytesSent, BytesReceived, RemoteCountry, Type\\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", \\\"None\\\") , AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"NoMatch\\\"), HostCustomEntity = Computer, ProcessCustomEntity = ProcessName\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = EventDetail.[9].[\\\"#text\\\"], DestinationIP = EventDetail.[14].[\\\"#text\\\"], Image = EventDetail.[4].[\\\"#text\\\"]\\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| project TimeGenerated, SourceIP, DestinationIP, Image, UserName, Computer, Type\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\") , AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n), \\n(OfficeActivity\\n| where ClientIP in (IPList) \\n| project TimeGenerated, UserAgent, Operation, RecordType, UserId, ClientIP, AlertDetail = \u0027Dev-0322 IOC match\u0027, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = UserId\\n),\\n(DeviceNetworkEvents\\n| where RemoteIP in (IPList)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort, LocalIP, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName, AlertDetail = \u0027Dev-0322 IOC match\u0027, UrlCustomEntity =RemoteUrl, ProcessCustomEntity = InitiatingProcessFileName\\n),\\n(WindowsFirewall\\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| project TimeGenerated, Computer, CommunicationDirection, SourceIP, DestinationIP, SourcePort, DestinationPort, Type\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\"), AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| project TimeGenerated,Resource, msg_s, Type\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where ClientIP in (IPList)\\n| extend timestamp = TimeGenerated, DNSName = Request_Name, IPCustomEntity = ClientIP, AlertDetail = \u0027Dev-0322 IOC match\u0027\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| project TimeGenerated,Resource, msg_s\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where SourceHost in (IPList)\\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost, AlertDetail = \u0027Dev-0322 IOC match\u0027\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend ParentImage = EventDetail.[20].[\\\"#text\\\"], Image = EventDetail.[4].[\\\"#text\\\"]\\n| where ( ParentImage has_any (parentprocess) and Image has_any (process))\\n| parse EventDetail with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256,Image, ParentImage \\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = SHA256, AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(DeviceFileEvents\\n| extend CommandLineIP = extract(IPRegex, 0,InitiatingProcessCommandLine)\\n| where (InitiatingProcessFileName in (process) and InitiatingProcessParentFileName in (parentprocess)) or CommandLineIP in (IPList)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RequestAccountName, RequestSourceIP, InitiatingProcessSHA256, Type, CommandLineIP\\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash, IPCustomEntity = CommandLineIP\\n),\\n(DeviceEvents\\n| extend CommandLineIP = extract(IPRegex, 0,InitiatingProcessCommandLine)\\n| where (InitiatingProcessFileName in (process) and InitiatingProcessParentFileName in (parentprocess)) or CommandLineIP in (IPList)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type, CommandLineIP\\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath, AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash, IPCustomEntity = CommandLineIP\\n),\\n(DeviceProcessEvents\\n| extend CommandLineIP = extract(IPRegex, 0,InitiatingProcessCommandLine)\\n| where (InitiatingProcessFileName in (process) and InitiatingProcessParentFileName in (parentprocess)) or CommandLineIP in (IPList)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type, CommandLineIP, AccountName\\n| extend Account = AccountName, Computer = DeviceName, IPAddress = CommandLineIP, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash, IPCustomEntity = IPAddress\\n),\\n( SecurityEvent\\n| where EventID == 4688\\n| extend CommandLineIP = extract(IPRegex, 0, CommandLine)\\n| where CommandLineIP in (IPList) or (NewProcessName has_any (process) and ParentProcessName has_any (parentprocess))\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type, CommandLine, CommandLineIP\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, AlertDetail = \u0027Dev-0322 IOC match\u0027, IPCustomEntity = CommandLineIP\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"DEV-0322 Serv-U related IOCs - July 2021\",\"description\":\"Identifies a match across IOC\u0027s related to DEV-0322 targeting SolarWinds Serv-U software.\",\"lastUpdatedDateUTC\":\"2021-11-30T00:00:00Z\",\"createdDateUTC\":\"2021-06-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceFileEvents\",\"DeviceEvents\",\"DeviceProcessEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d6491be0-ab2d-439d-95d6-ad8ea39277c5\",\"name\":\"d6491be0-ab2d-439d-95d6-ad8ea39277c5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"let SensitiveOperationList = dynamic(\\n[\\\"VaultDelete\\\", \\\"KeyDelete\\\", \\\"SecretDelete\\\", \\\"SecretPurge\\\", \\\"KeyPurge\\\", \\\"SecretBackup\\\", \\\"KeyBackup\\\"]);\\nAzureDiagnostics\\n| extend ResultType = columnifexists(\\\"ResultType\\\", \\\"NoResultType\\\")\\n| extend requestUri_s = columnifexists(\\\"requestUri_s\\\", \\\"None\\\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"None\\\")\\n| extend id_s = columnifexists(\\\"id_s\\\", \\\"None\\\"), CallerIPAddress = columnifexists(\\\"CallerIPAddress\\\", \\\"None\\\"), clientInfo_s = columnifexists(\\\"clientInfo_s\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \\\"None\\\" and isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\\n| where id_s !~ \\\"None\\\" and isnotempty(id_s)\\n| where CallerIPAddress !~ \\\"None\\\" and isnotempty(CallerIPAddress)\\n| where clientInfo_s !~ \\\"None\\\" and isnotempty(clientInfo_s)\\n| where requestUri_s !~ \\\"None\\\" and isnotempty(requestUri_s)\\n| where ResourceType =~ \\\"VAULTS\\\" and ResultType =~ \\\"Success\\\" \\n| where OperationName in~ (SensitiveOperationList) \\n| summarize EventCount=count(), StartTimeUtc=min(TimeGenerated), EndTimeUtc=max(TimeGenerated), TimeTriggered=makelist(TimeGenerated),OperationNameList=make_set(OperationName), RequestURLList=make_set(requestUri_s), CallerIPList = make_set(CallerIPAddress), CallerIPMax= arg_max(CallerIPAddress,*) by ResourceType, ResultType, Resource, id_s, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, clientInfo_s\\n| extend timestamp = StartTimeUtc, IPCustomEntity = CallerIPMax, AccountCustomEntity = identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Sensitive Azure Key Vault operations\",\"description\":\"Identifies when sensitive Azure Key Vault operations are used. This includes: VaultDelete, KeyDelete, SecretDelete, SecretPurge, KeyPurge, SecretBackup, KeyBackup. \\nAny Backup operations should match with expected scheduled backup activity.\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2019-07-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureKeyVault\",\"dataTypes\":[\"KeyVaultData\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/70b12a3b-4899-42cb-910c-5ffaf9d7997d\",\"name\":\"70b12a3b-4899-42cb-910c-5ffaf9d7997d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.6.1\",\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"0.ns1.dns-info.gq\\\", \\\"1.ns1.dns-info.gq\\\", \\\"10.ns1.dns-info.gq\\\", \\\"102.ns1.dns-info.gq\\\", \\n \\\"104.ns1.dns-info.gq\\\", \\\"11.ns1.dns-info.gq\\\", \\\"110.ns1.dns-info.gq\\\", \\\"115.ns1.dns-info.gq\\\", \\\"116.ns1.dns-info.gq\\\", \\n \\\"117.ns1.dns-info.gq\\\", \\\"118.ns1.dns-info.gq\\\", \\\"12.ns1.dns-info.gq\\\", \\\"120.ns1.dns-info.gq\\\", \\\"122.ns1.dns-info.gq\\\", \\n \\\"123.ns1.dns-info.gq\\\", \\\"128.ns1.dns-info.gq\\\", \\\"13.ns1.dns-info.gq\\\", \\\"134.ns1.dns-info.gq\\\", \\\"135.ns1.dns-info.gq\\\", \\n \\\"138.ns1.dns-info.gq\\\", \\\"14.ns1.dns-info.gq\\\", \\\"144.ns1.dns-info.gq\\\", \\\"15.ns1.dns-info.gq\\\", \\\"153.ns1.dns-info.gq\\\", \\n \\\"157.ns1.dns-info.gq\\\", \\\"16.ns1.dns-info.gq\\\", \\\"17.ns1.dns-info.gq\\\", \\\"18.ns1.dns-info.gq\\\", \\\"19.ns1.dns-info.gq\\\", \\n \\\"1a9604fa.ns1.feedsdns.com\\\", \\\"1c7606b6.ns1.steamappstore.com\\\", \\\"2.ns1.dns-info.gq\\\", \\\"20.ns1.dns-info.gq\\\", \\n \\\"201.ns1.dns-info.gq\\\", \\\"202.ns1.dns-info.gq\\\", \\\"204.ns1.dns-info.gq\\\", \\\"207.ns1.dns-info.gq\\\", \\\"21.ns1.dns-info.gq\\\", \\n \\\"210.ns1.dns-info.gq\\\", \\\"211.ns1.dns-info.gq\\\", \\\"216.ns1.dns-info.gq\\\", \\\"22.ns1.dns-info.gq\\\", \\\"220.ns1.dns-info.gq\\\", \\n \\\"223.ns1.dns-info.gq\\\", \\\"23.ns1.dns-info.gq\\\", \\\"24.ns1.dns-info.gq\\\", \\\"25.ns1.dns-info.gq\\\", \\\"26.ns1.dns-info.gq\\\", \\n \\\"27.ns1.dns-info.gq\\\", \\\"28.ns1.dns-info.gq\\\", \\\"29.ns1.dns-info.gq\\\", \\\"3.ns1.dns-info.gq\\\", \\\"30.ns1.dns-info.gq\\\", \\n \\\"31.ns1.dns-info.gq\\\", \\\"32.ns1.dns-info.gq\\\", \\\"33.ns1.dns-info.gq\\\", \\\"34.ns1.dns-info.gq\\\", \\\"35.ns1.dns-info.gq\\\", \\n \\\"36.ns1.dns-info.gq\\\", \\\"37.ns1.dns-info.gq\\\", \\\"39.ns1.dns-info.gq\\\", \\\"3d6fe4b2.ns1.steamappstore.com\\\", \\n \\\"4.ns1.dns-info.gq\\\", \\\"40.ns1.dns-info.gq\\\", \\\"42.ns1.dns-info.gq\\\", \\\"43.ns1.dns-info.gq\\\", \\\"44.ns1.dns-info.gq\\\", \\n \\\"45.ns1.dns-info.gq\\\", \\\"46.ns1.dns-info.gq\\\", \\\"48.ns1.dns-info.gq\\\", \\\"5.ns1.dns-info.gq\\\", \\\"50.ns1.dns-info.gq\\\", \\n \\\"50417.service.gstatic.dnset.com\\\", \\\"51.ns1.dns-info.gq\\\", \\\"52.ns1.dns-info.gq\\\", \\\"53.ns1.dns-info.gq\\\",\\n \\\"54.ns1.dns-info.gq\\\", \\\"55.ns1.dns-info.gq\\\", \\\"56.ns1.dns-info.gq\\\", \\\"57.ns1.dns-info.gq\\\", \\\"58.ns1.dns-info.gq\\\", \\n \\\"6.ns1.dns-info.gq\\\", \\\"60.ns1.dns-info.gq\\\", \\\"62.ns1.dns-info.gq\\\", \\\"63.ns1.dns-info.gq\\\", \\\"64.ns1.dns-info.gq\\\", \\n \\\"65.ns1.dns-info.gq\\\", \\\"67.ns1.dns-info.gq\\\", \\\"7.ns1.dns-info.gq\\\", \\\"70.ns1.dns-info.gq\\\", \\\"71.ns1.dns-info.gq\\\",\\n \\\"73.ns1.dns-info.gq\\\", \\\"77.ns1.dns-info.gq\\\", \\\"77075.service.gstatic.dnset.com\\\", \\\"7c1947fa.ns1.steamappstore.com\\\",\\n \\\"8.ns1.dns-info.gq\\\", \\\"81.ns1.dns-info.gq\\\", \\\"86.ns1.dns-info.gq\\\", \\\"87.ns1.dns-info.gq\\\", \\\"9.ns1.dns-info.gq\\\", \\n \\\"94343.service.gstatic.dnset.com\\\", \\\"9939.service.gstatic.dnset.com\\\", \\\"aa.ns.mircosoftdoc.com\\\", \\n \\\"aaa.feeds.api.ns1.feedsdns.com\\\", \\\"aaa.googlepublic.feeds.ns1.dns-info.gq\\\", \\n \\\"aaa.resolution.174547._get.cache.up.sourcedns.tk\\\", \\\"acc.microsoftonetravel.com\\\", \\n \\\"accounts.longmusic.com\\\", \\\"admin.dnstemplog.com\\\", \\\"agent.updatenai.com\\\", \\n \\\"alibaba.zzux.com\\\", \\\"api.feedsdns.com\\\", \\\"app.portomnail.com\\\", \\\"asia.updatenai.com\\\", \\n \\\"battllestategames.com\\\", \\\"bguha.serveuser.com\\\", \\\"binann-ce.com\\\", \\\"bing.dsmtp.com\\\", \\n \\\"blog.cdsend.xyz\\\", \\\"brives.minivineyapp.com\\\", \\\"bsbana.dynamic-dns.net\\\", \\n \\\"californiaforce.000webhostapp.com\\\", \\\"californiafroce.000webhostapp.com\\\", \\n \\\"cdn.freetcp.com\\\", \\\"cdsend.xyz\\\", \\\"cipla.zzux.com\\\", \\\"cloudfeeddns.com\\\", \\\"comcleanner.info\\\",\\n \\\"cs.microsoftsonline.net\\\", \\\"dns-info.gq\\\", \\\"dns05.cf\\\", \\\"dns22.ml\\\", \\\"dns224.com\\\", \\n \\\"dnsdist.org\\\", \\\"dnstemplog.com\\\", \\\"doc.mircosoftdoc.com\\\", \\\"dropdns.com\\\", \\n \\\"eshop.cdn.freetcp.com\\\", \\\"exchange.dumb1.com\\\", \\\"exchange.misecure.com\\\", \\\"exchange.mrbasic.com\\\",\\n \\\"facebookdocs.com\\\", \\\"facebookint.com\\\", \\\"facebookvi.com\\\", \\\"feed.ns1.dns-info.gq\\\", \\\"feedsdns.com\\\", \\n \\\"firejun.freeddns.com\\\", \\\"ftp.dns-info.dyndns.pro\\\", \\\"goallbandungtravel.com\\\", \\\"goodhk.azurewebsites.net\\\", \\n \\\"googlepublic.feed.ns1.dns-info.gq\\\", \\\"gp.spotifylite.cloud\\\", \\\"gskytop.com\\\", \\\"gstatic.dnset.com\\\", \\n \\\"gxxservice.com\\\", \\\"helpdesk.cdn.freetcp.com\\\", \\\"id.serveuser.com\\\", \\\"infestexe.com\\\", \\\"item.itemdb.com\\\",\\n \\\"m.mircosoftdoc.com\\\", \\\"mail.transferdkim.xyz\\\", \\\"mcafee.updatenai.com\\\", \\\"mecgjm.mircosoftdoc.com\\\",\\n \\\"microdocs.ga\\\", \\\"microsock.website\\\", \\\"microsocks.net\\\", \\\"microsoft.sendsmtp.com\\\", \\n \\\"microsoftbook.dns05.com\\\", \\\"microsoftcontactcenter.com\\\", \\\"microsoftdocs.dns05.com\\\", \\\"microsoftdocs.ml\\\", \\n \\\"microsoftonetravel.com\\\", \\\"microsoftonlines.net\\\", \\\"microsoftprod.com\\\", \\\"microsofts.dns1.us\\\", \\\"microsoftsonline.net\\\",\\n \\\"minivineyapp.com\\\", \\\"mircosoftdoc.com\\\", \\\"mircosoftdocs.com\\\", \\\"mlcrosoft.ninth.biz\\\", \\\"mlcrosoft.site\\\", \\n \\\"mm.portomnail.com\\\", \\\"msdnupdate.com\\\", \\\"msecdn.cloud\\\", \\\"mtnl1.dynamic-dns.net\\\", \\\"ns.gstatic.dnset.com\\\", \\n \\\"ns.microsoftprod.com\\\", \\\"ns.steamappstore.com\\\", \\\"ns1.cdn.freetcp.com\\\", \\\"ns1.comcleanner.info\\\", \\\"ns1.dns-info.gq\\\", \\n \\\"ns1.dns05.cf\\\", \\\"ns1.dnstemplog.com\\\", \\\"ns1.dropdns.com\\\", \\\"ns1.microsoftonetravel.com\\\", \\n \\\"ns1.microsoftonlines.net\\\", \\\"ns1.microsoftprod.com\\\", \\\"ns1.microsoftsonline.net\\\", \\\"ns1.mlcrosoft.site\\\", \\n \\\"ns1.teams.wikaba.com\\\", \\\"ns1.windowsdefende.com\\\", \\\"ns2.comcleanner.info\\\", \\\"ns2.dnstemplog.com\\\", \\n \\\"ns2.microsoftonetravel.com\\\", \\\"ns2.microsoftprod.com\\\", \\\"ns2.microsoftsonline.net\\\", \\\"ns2.mlcrosoft.site\\\", \\n \\\"ns2.windowsdefende.com\\\", \\\"ns3.microsoftprod.com\\\", \\\"ns3.mlcrosoft.site\\\", \\\"nutrition.mrbasic.com\\\", \\n \\\"nutrition.youdontcare.com\\\", \\\"online.mlcrosoft.site\\\", \\\"online.msdnupdate.com\\\", \\\"outlookservce.site\\\", \\n \\\"owa.jetos.com\\\", \\\"owa.otzo.com\\\", \\\"pornotime.co\\\", \\\"portomnail.com\\\", \\n \\\"post.1a0.066e063ac.7c1947fa.ns1.steamappstore.com\\\", \\\"pricingdmdk.com\\\", \\\"prod.microsoftprod.com\\\", \\n \\\"product.microsoftprod.com\\\", \\\"ptcl.yourtrap.com\\\", \\\"query.api.sourcedns.tk\\\", \\\"rb.itemdb.com\\\", \\\"redditcdn.com\\\", \\n \\\"rss.otzo.com\\\", \\\"secure.msdnupdate.com\\\", \\\"service.dns22.ml\\\", \\\"service.gstatic.dnset.com\\\", \\\"service04.dns04.com\\\", \\n \\\"settings.teams.wikaba.com\\\", \\\"sip.outlookservce.site\\\", \\\"sixindent.epizy.com\\\", \\\"soft.msdnupdate.com\\\", \\\"sourcedns.ml\\\", \\n \\\"sourcedns.tk\\\", \\\"sport.msdnupdate.com\\\", \\\"spotifylite.cloud\\\", \\\"static.misecure.com\\\", \\\"steamappstore.com\\\", \\n \\\"store.otzo.com\\\", \\\"survey.outlookservce.site\\\", \\\"team.itemdb.com\\\", \\\"temp221.com\\\", \\\"test.microsoftprod.com\\\", \\n \\\"thisisaaa.000webhostapp.com\\\", \\\"token.dns04.com\\\", \\\"token.dns05.com\\\", \\\"transferdkim.xyz\\\", \\n \\\"travelsanignacio.com\\\", \\\"update08.com\\\", \\\"updated08.com\\\", \\\"updatenai.com\\\", \\\"wantforspeed.com\\\",\\n \\\"web.mircosoftdoc.com\\\", \\\"webmail.pornotime.co\\\", \\\"webwhois.team.itemdb.com\\\", \\\"windowsdefende.com\\\", \\\"wnswindows.com\\\",\\n \\\"ashcrack.freetcp.com\\\", \\\"battllestategames.com\\\", \\\"binannce.com\\\", \\\"cdsend.xyz\\\", \\\"comcleanner.info\\\", \\\"microsock.website\\\", \\n \\\"microsocks.net\\\", \\\"microsoftsonline.net\\\", \\\"mlcrosoft.site\\\", \\\"notify.serveuser.com\\\", \\\"ns1.microsoftprod.com\\\", \\n \\\"ns2.microsoftprod.com\\\", \\\"pricingdmdk.com\\\", \\\"steamappstore.com\\\", \\\"update08.com\\\", \\\"wnswindows.com\\\", \\n \\\"youtube.dns05.com\\\", \\\"z1.zalofilescdn.com\\\", \\\"z2.zalofilescdn.com\\\", \\\"zalofilescdn.com\\\"]); \\n(union isfuzzy=true \\n (CommonSecurityLog \\n | parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n | where DNSName in~ (DomainNames) \\n | extend Account = SourceUserID, Computer = DeviceName, IPAddress = DestinationIP \\n ), \\n (_Im_Dns (domain_has_any=DomainNames)\\n | extend DNSName = DnsQuery \\n | extend IPAddress = SrcIpAddr, Computer = Dvc\\n ), \\n (_Im_WebSession (url_has_any=DomainNames)\\n | extend DNSName = tostring(parse_url(Url)[\\\"Host\\\"])\\n | extend IPAddress = SrcIpAddr, Computer = Dvc\\n ), \\n (VMConnection \\n | parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 * \\n | where isnotempty(DNSName) \\n | where DNSName in~ (DomainNames) \\n | extend IPAddress = RemoteIp \\n ), \\n ( \\n DeviceNetworkEvents \\n | where isnotempty(RemoteUrl) \\n | where RemoteUrl in~ (DomainNames) \\n | extend IPAddress = RemoteIP \\n | extend Computer = DeviceName \\n ),\\n (AzureDiagnostics \\n | where ResourceType == \\\"AZUREFIREWALLS\\\"\\n | where Category == \\\"AzureFirewallApplicationRule\\\"\\n | parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n | where isnotempty(DestinationHost)\\n | where DestinationHost has_any (DomainNames) \\n | extend DNSName = DestinationHost \\n | extend IPAddress = SourceHost\\n ) \\n ) \\n | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Known Barium domains\",\"description\":\"Identifies a match across various data feeds for domains IOCs related to the Barium activity group.\\n References: https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2020-11-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bff058b2-500e-4ae5-bb49-a5b1423cbd5b\",\"name\":\"bff058b2-500e-4ae5-bb49-a5b1423cbd5b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let fileAccessThrehold = 10;\\nOfficeActivity\\n | where OfficeWorkload =~ \\\"MicrosoftTeams\\\"\\n | where Operation =~ \\\"MemberAdded\\\"\\n | extend UPN = tostring(parse_json(Members)[0].UPN)\\n | where UPN contains (\\\"#EXT#\\\")\\n | project TimeAdded=TimeGenerated, Operation, UPN, UserWhoAdded = UserId, TeamName\\n | join kind = inner(\\n OfficeActivity\\n | where OfficeWorkload =~ \\\"MicrosoftTeams\\\"\\n | where Operation =~ \\\"MemberRemoved\\\"\\n | extend UPN = tostring(parse_json(Members)[0].UPN)\\n | where UPN contains (\\\"#EXT#\\\")\\n | project TimeDeleted=TimeGenerated, Operation, UPN, UserWhoDeleted = UserId, TeamName\\n ) on UPN\\n | where TimeDeleted \u003e TimeAdded\\n | join kind=inner \\n (\\n OfficeActivity\\n | where RecordType == \\\"SharePointFileOperation\\\"\\n | where SourceRelativeUrl has \\\"Microsoft Teams Chat Files\\\"\\n | where Operation == \\\"FileUploaded\\\"\\n | join kind = inner \\n (\\n OfficeActivity\\n | where RecordType == \\\"SharePointFileOperation\\\"\\n | where Operation == \\\"FileAccessed\\\"\\n | where SourceRelativeUrl has \\\"Microsoft Teams Chat Files\\\"\\n | summarize FileAccessCount = count() by OfficeObjectId\\n | where FileAccessCount \u003e fileAccessThrehold\\n ) on $left.OfficeObjectId == $right.OfficeObjectId\\n )on $left.UPN == $right.UserId\\n | extend timestamp=TimeGenerated, AccountCustomEntity = UserWhoAdded\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Accessed files shared by temporary external user\",\"description\":\"This detection identifies an external user is added to a Team or Teams chat\\nand shares a files which is accessed by many users (\u003e10) and the users is removed within short period of time. This might be\\nan indicator of suspicious activity.\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2020-08-18T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity (Teams)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/610d3850-c26f-4f20-8d86-f10fdf2425f5\",\"name\":\"610d3850-c26f-4f20-8d86-f10fdf2425f5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let EventNameList = dynamic([\\\"UpdateTrail\\\",\\\"DeleteTrail\\\",\\\"StopLogging\\\",\\\"DeleteFlowLogs\\\",\\\"DeleteEventBus\\\"]);\\nAWSCloudTrail\\n| where EventName in~ (EventNameList)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, \\nUserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion, EventSource\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Changes made to AWS CloudTrail logs\",\"description\":\"Attackers often try to hide their steps by deleting or stopping the collection of logs that could show their activity. \\nThis alert identifies any manipulation of AWS CloudTrail, Cloudwatch/EventBridge or VPC Flow logs.\\nMore Information: AWS CloudTrail API: https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_Operations.html\\nAWS Cloudwatch/Eventbridge API: https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_Operations.html\\nAWS DelteteFlowLogs API : https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteFlowLogs.html \",\"lastUpdatedDateUTC\":\"2022-01-11T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3fbc20a4-04c4-464e-8fcb-6667f53e4987\",\"name\":\"3fbc20a4-04c4-464e-8fcb-6667f53e4987\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let failureCountThreshold = 5;\\nlet successCountThreshold = 1;\\nlet authenticationWindow = 20m;\\nSigninLogs\\n| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\\n| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\n| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city)\\n| where AppDisplayName =~ \\\"Windows Sign In\\\"\\n// Split out failure versus non-failure types\\n| extend FailureOrSuccess = iff(ResultType in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\", \\\"70043\\\", \\\"70044\\\"), \\\"Success\\\", \\\"Failure\\\")\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), IPAddress = makeset(IPAddress), makeset(OS), makeset(Browser), makeset(City), \\nmakeset(ResultType), FailureCount = countif(FailureOrSuccess==\\\"Failure\\\"), SuccessCount = countif(FailureOrSuccess==\\\"Success\\\") \\nby bin(TimeGenerated, authenticationWindow), UserDisplayName, UserPrincipalName, AppDisplayName\\n| where FailureCount \u003e= failureCountThreshold and SuccessCount \u003e= successCountThreshold\\n| mvexpand IPAddress\\n| extend IPAddress = tostring(IPAddress)\\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Brute force attack against a Cloud PC\",\"description\":\"Identifies evidence of brute force activity against a Windows 365 Cloud PC by highlighting multiple authentication failures and by a successful authentication within a given time window.\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2021-10-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/173f8699-6af5-484a-8b06-8c47ba89b380\",\"name\":\"173f8699-6af5-484a-8b06-8c47ba89b380\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"// Adjust this value to change how many Teams should be deleted before including\\nlet max_delete_count = 3;\\n// Adjust this value to change the timewindow the query runs over\\n OfficeActivity\\n| where OfficeWorkload =~ \\\"MicrosoftTeams\\\" \\n| where Operation =~ \\\"TeamDeleted\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), DeletedTeams = make_set(TeamName) by UserId\\n| where array_length(DeletedTeams) \u003e max_delete_count\\n| extend timestamp = StartTime, AccountCustomEntity = UserId\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Multiple Teams deleted by a single user\",\"description\":\"This detection flags the occurrences of deleting multiple teams within an hour.\\nThis data is a part of Office 365 Connector in Microsoft Sentinel.\",\"lastUpdatedDateUTC\":\"2021-11-10T00:00:00Z\",\"createdDateUTC\":\"2020-09-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity (Teams)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9f9c1e51-4fb1-4510-a675-c7c2fb32f47e\",\"name\":\"9f9c1e51-4fb1-4510-a675-c7c2fb32f47e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let knotweed_sigs = dynamic([\\\"JumplumpDropper\\\", \\\"Jumplump\\\", \\\"Corelump\\\", \\\"Medcerc\\\", \\\"SuspModuleLoad\\\", \\\"Mexlib\\\"]);\\n let mde_data = (DeviceInfo\\n | extend DeviceName = tolower(DeviceName)\\n | join kind=rightouter ( SecurityAlert\\n | where ProviderName =~ \\\"MDATP\\\"\\n | extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n | extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)\\n | where ThreatFamilyName in~ (knotweed_sigs)\\n | extend CompromisedEntity = tolower(CompromisedEntity)\\n ) on $left.DeviceName == $right.CompromisedEntity);\\n let event_data = ( Event\\n | where EventID in (1006, 1009, 1116, 1119)\\n | extend ThreatData = parse_json(tostring(parse_json(tostring(parse_json(tostring(parse_xml(EventData).DataItem)).EventData)).Data))\\n | mv-expand ThreatData\\n | where tostring(ThreatData.[\\\"@Name\\\"]) == \\\"Threat Name\\\"\\n | extend EventData = parse_xml(EventData)\\n | where tostring(ThreatData.[\\\"#text\\\"]) has_any (knotweed_sigs));\\n union mde_data, event_data\\n | extend ThreatName = iif(isnotempty(ThreatName), ThreatName, tostring(ThreatData.[\\\"#text\\\"]))\\n | extend ThreatFamilyName = iif(isnotempty(ThreatFamilyName), ThreatFamilyName, split(tostring(ThreatData.[\\\"#text\\\"]), \\\"/\\\")[-1])\\n | extend TimeGenerated = iif(isnotempty(TimeGenerated), TimeGenerated, TimeGenerated1)\\n | extend DeviceName = iif(isnotempty(DeviceName), DeviceName, Computer)\\n | project-reorder TimeGenerated, CompromisedEntity, ThreatName, ThreatFamilyName\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"DeviceName\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"KNOTWEED AV Detection\",\"description\":\"This query looks for Microsoft Defender AV detections related to the KNOTWEED threat actor and the Corelump and Jumplump malware.\\n Ref: https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/\",\"lastUpdatedDateUTC\":\"2022-07-27T00:00:00Z\",\"createdDateUTC\":\"2022-07-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceInfo\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5f171045-88ab-4634-baae-a7b6509f483b\",\"name\":\"5f171045-88ab-4634-baae-a7b6509f483b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let Dev0530_threats = dynamic([\\\"Trojan:Win32/SiennaPurple.A\\\", \\\"Ransom:Win32/SiennaBlue.A\\\", \\\"Ransom:Win32/SiennaBlue.B\\\"]);\\nDeviceInfo\\n| extend DeviceName = tolower(DeviceName)\\n| join kind=inner ( SecurityAlert\\n| where ProviderName == \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)\\n| where ThreatName in~ (Dev0530_threats) or ThreatFamilyName in~ (Dev0530_threats)\\n| extend CompromisedEntity = tolower(CompromisedEntity)\\n) on $left.DeviceName == $right.CompromisedEntity\\n| summarize by DisplayName, ThreatName, ThreatFamilyName, PublicIP, AlertSeverity, Description, tostring(LoggedOnUsers), DeviceId, TenantId , bin(TimeGenerated, 1d), CompromisedEntity, tostring(LoggedOnUsers), ProductName, Entities\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CompromisedEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"PublicIP\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"AV detections related to Dev-0530 actors\",\"description\":\"This query looks for Microsoft Defender AV detections related to Dev-0530 actors. In Microsoft Sentinel the SecurityAlerts table includes only the Device Name of the affected device, \\n this query joins the DeviceInfo table to clearly connect other information such as Device group, ip, logged on users etc. This would allow the Microsoft Sentinel analyst to have more context related to the alert, if available.\",\"lastUpdatedDateUTC\":\"2022-07-14T00:00:00Z\",\"createdDateUTC\":\"2022-04-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fbfbf530-506b-49a4-81ad-4030885a195c\",\"name\":\"fbfbf530-506b-49a4-81ad-4030885a195c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let alertTimeWindow = 1h;\\nlet logTimeWindow = 7d;\\n// Define script extensions that suit your web application environment - a sample are provided below\\nlet scriptExtensions = dynamic([\\\".php\\\", \\\".jsp\\\", \\\".js\\\", \\\".aspx\\\", \\\".asmx\\\", \\\".asax\\\", \\\".cfm\\\", \\\".shtml\\\"]); \\nlet alertData = materialize(SecurityAlert \\n| where TimeGenerated \u003e ago(alertTimeWindow) \\n| where ProviderName == \\\"MDATP\\\" \\n// Parse and expand the alert JSON \\n| extend alertData = parse_json(Entities) \\n| mvexpand alertData);\\nlet fileData = alertData\\n// Extract web script files from MDATP alerts - our malicious web scripts - candidate webshells\\n| where alertData.Type =~ \\\"file\\\" \\n| where alertData.Name has_any(scriptExtensions) \\n| extend FileName = tostring(alertData.Name), Directory = tostring(alertData.Directory);\\nlet hostData = alertData\\n// Extract server details from alerts and map to alert id\\n| where alertData.Type =~ \\\"host\\\"\\n| project HostName = tostring(alertData.HostName), DnsDomain = tostring(alertData.DnsDomain), SystemAlertId\\n| distinct HostName, DnsDomain, SystemAlertId;\\n// Join the files on their impacted servers\\nlet webshellData = fileData\\n| join kind=inner (hostData) on SystemAlertId \\n| project TimeGenerated, FileName, Directory, HostName, DnsDomain;\\nwebshellData\\n| join ( \\n// Find requests that were made to this file on the impacted server in the W3CIISLog table \\nW3CIISLog \\n| where TimeGenerated \u003e ago(logTimeWindow) \\n// Restrict to accesses to script extensions \\n| where csUriStem has_any(scriptExtensions)\\n| extend splitUriStem = split(csUriStem, \\\"/\\\") \\n| extend FileName = splitUriStem[-1], HostName = sComputerName\\n// Summarize potential attacker activity\\n| summarize count(), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), RequestUserAgents=make_set(csUserAgent), ReqestMethods=make_set(csMethod), RequestStatusCodes=make_set(scStatus), RequestCookies=make_set(csCookie), RequestReferers=make_set(csReferer), RequestQueryStrings=make_set(csUriQuery) by AttackerIP=cIP, SiteName=sSiteName, ShellLocation=csUriStem, tostring(FileName), HostName \\n) on FileName, HostName\\n| project StartTime, EndTime, AttackerIP, RequestUserAgents, HostName, SiteName, ShellLocation, ReqestMethods, RequestStatusCodes, RequestCookies, RequestReferers, RequestQueryStrings, RequestCount = count_\\n// Expose the attacker ip address as a custom entity\\n| extend timestamp=StartTime, IPCustomEntity = AttackerIP, HostCustomEntity = HostName\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Malicious web application requests linked with Microsoft Defender for Endpoint (formerly Microsoft Defender ATP) alerts\",\"description\":\"Takes Microsoft Defender for Endpoint (formerly Microsoft Defender ATP) alerts where web scripts are present in the evidence and correlates with requests made to those scripts\\nin the WCSIISLog to surface new alerts for potentially malicious web request activity.\\nThe lookback for alerts is set to 1h and the lookback for W3CIISLogs is set to 7d. A sample set of popular web script extensions\\nhas been provided in scriptExtensions that should be tailored to your environment.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-05-21T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftDefenderAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5f0d80db-3415-4265-9d52-8466b7372e3a\",\"name\":\"5f0d80db-3415-4265-9d52-8466b7372e3a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"AzureDevOpsAuditing\\n| where AuthenticationMechanism startswith \\\"PAT\\\"\\n// Look for useragents that include a redenring engine\\n| where UserAgent has_any (\\\"Gecko\\\", \\\"WebKit\\\", \\\"Presto\\\", \\\"Trident\\\", \\\"EdgeHTML\\\", \\\"Blink\\\")\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Azure DevOps PAT used with Browser.\",\"description\":\"Personal Access Tokens (PATs) are used as an alternate password to authenticate into Azure DevOps. PATs are intended for programmatic access use in code or applications. \\nThis can be prone to attacker theft if not adequately secured. This query looks for the use of a PAT in authentication but from a User Agent indicating a browser. \\nThis should not be normal activity and could be an indicator of an attacker using a stolen PAT.\",\"lastUpdatedDateUTC\":\"2022-01-16T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/86a036b2-3686-42eb-b417-909fc0867771\",\"name\":\"86a036b2-3686-42eb-b417-909fc0867771\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AzureActivity\\n| where CategoryValue == \u0027Administrative\u0027\\n| where ResourceProviderValue =~ \u0027Microsoft.ADHybridHealthService\u0027\\n| where _ResourceId contains \u0027AdFederationService\u0027\\n| where OperationNameValue =~ \u0027Microsoft.ADHybridHealthService/services/delete\u0027\\n| extend claimsJson = parse_json(Claims)\\n| extend AppId = tostring(claimsJson.appid)\\n| extend AccountName = tostring(claimsJson.name)\\n| project-away claimsJson\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure Active Directory Hybrid Health AD FS Service Delete\",\"description\":\"This detection uses AzureActivity logs (Administrative category) to identify the deletion of an Azure AD Hybrid health AD FS service instance in a tenant.\\nA threat actor can create a new AD Health ADFS service and create a fake server to spoof AD FS signing logs.\\nThe health AD FS service can then be deleted after it is not longer needed via HTTP requests to Azure.\\nMore information in this blog https://o365blog.com/post/hybridhealthagent/\",\"lastUpdatedDateUTC\":\"2022-01-17T00:00:00Z\",\"createdDateUTC\":\"2021-08-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b2c15736-b9eb-4dae-8b02-3016b6a45a32\",\"name\":\"b2c15736-b9eb-4dae-8b02-3016b6a45a32\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\n// The number of operations below which an IP address is considered an unusual source of role assignment operations\\nlet alertOperationThreshold = 5;\\nlet createRoleAssignmentActivity = AzureActivity\\n| where OperationNameValue =~ \\\"microsoft.authorization/roleassignments/write\\\";\\ncreateRoleAssignmentActivity \\n| where TimeGenerated between (ago(starttime) .. ago(endtime))\\n| summarize count() by CallerIpAddress, Caller\\n| where count_ \u003e= alertOperationThreshold\\n| join kind = rightanti ( \\ncreateRoleAssignmentActivity\\n| where TimeGenerated \u003e ago(endtime)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = make_set(TimeGenerated), ActivityStatusValue = make_set(ActivityStatusValue), \\nOperationIds = make_set(OperationId), CorrelationId = make_set(CorrelationId), ActivityCountByCallerIPAddress = count() \\nby ResourceId, CallerIpAddress, Caller, OperationNameValue, Resource, ResourceGroup\\n) on CallerIpAddress, Caller\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Suspicious granting of permissions to an account\",\"description\":\"Identifies IPs from which users grant access to other users on azure resources and alerts when a previously unseen source IP address is used.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2019-02-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9fb57e58-3ed8-4b89-afcf-c8e786508b1c\",\"name\":\"9fb57e58-3ed8-4b89-afcf-c8e786508b1c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let szOperationNames = dynamic([\\\"Microsoft.Compute/virtualMachines/write\\\", \\\"Microsoft.Resources/deployments/write\\\"]);\\nlet starttime = 14d;\\nlet endtime = 1d;\\nlet RareCaller = AzureActivity\\n| where TimeGenerated between (ago(starttime) .. ago(endtime))\\n| where OperationNameValue in~ (szOperationNames)\\n| project ResourceGroup, Caller, OperationNameValue, CallerIpAddress\\n| join kind=rightantisemi (\\nAzureActivity\\n| where TimeGenerated \u003e ago(endtime)\\n| where OperationNameValue in~ (szOperationNames)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityStatusValue = makeset(ActivityStatusValue), OperationIds = makeset(OperationId), CallerIpAddress = makeset(CallerIpAddress) \\nby ResourceId, Caller, OperationNameValue, Resource, ResourceGroup\\n) on Caller, ResourceGroup \\n| mvexpand CallerIpAddress\\n| where isnotempty(CallerIpAddress);\\nlet Counts = RareCaller | summarize ActivityCountByCaller = count() by Caller;\\nRareCaller | join kind= inner (Counts) on Caller | project-away Caller1\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = tostring(CallerIpAddress)\\n| sort by ActivityCountByCaller desc nulls last\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Suspicious Resource deployment\",\"description\":\"Identifies when a rare Resource and ResourceGroup deployment occurs by a previously unseen Caller.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4902eddb-34f7-44a8-ac94-8486366e9494\",\"name\":\"4902eddb-34f7-44a8-ac94-8486366e9494\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.0\",\"severity\":\"Medium\",\"query\":\"let threshold = 5000;\\n_Im_NetworkSession(eventresult=\u0027Failure\u0027)\\n| summarize Count=count() by SrcIpAddr, bin(TimeGenerated,5m)\\n| where Count \u003e threshold\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr\",\"customDetails\":{\"NumberOfDenies\":\"Count\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Excessive number of failed connections from {{SrcIpAddr}}\",\"alertDescriptionFormat\":\"The client at address {{SrcIpAddr}} generated more than {{threshold}} failures over a 5 minutes time window, which may indicate malicious activity.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"Impact\"],\"displayName\":\"Excessive number of failed connections from a single source (ASIM Network Session schema)\",\"description\":\"This rule identifies that a single source generates an excessive amount of failed connections. Modify the threshold to change the sensitivity of the rule: the higher the threshold, the less sensitive is the rule and less incidents will be generated.\u003cbr\u003e\u003cbr\u003e\\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema\",\"lastUpdatedDateUTC\":\"2022-04-10T00:00:00Z\",\"createdDateUTC\":\"2021-12-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f7c3f5c8-71ea-49ff-b8b3-148f0e346291\",\"name\":\"f7c3f5c8-71ea-49ff-b8b3-148f0e346291\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let known_locations = (SigninLogs\\n | where TimeGenerated between(ago(7d)..ago(1d))\\n | where ResultType == 0\\n | extend LocationDetail = strcat(Location, \\\"-\\\", LocationDetails.state)\\n | summarize by LocationDetail);\\n let known_asn = (SigninLogs\\n | where TimeGenerated between(ago(7d)..ago(1d))\\n | where ResultType == 0\\n | summarize by AutonomousSystemNumber);\\n SigninLogs\\n | where TimeGenerated \u003e ago(1d)\\n | where ResultType == 0\\n | where isempty(DeviceDetail.deviceId)\\n | where AuthenticationRequirement == \\\"singleFactorAuthentication\\\"\\n | extend LocationDetail = strcat(Location, \\\"-\\\", LocationDetails.state)\\n | where AutonomousSystemNumber !in (known_asn) and LocationDetail !in (known_locations)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"UserPrincipalName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Anomolous Single Factor Signin\",\"description\":\"Detects successful signins using single factor authentication where the device, location, and ASN are abnormal.\\n Single factor authentications pose an opportunity to access compromised accounts, investigate these for anomalous occurrencess.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-devices#non-compliant-device-sign-in\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1572e66b-20a7-4012-9ec4-77ec4b101bc8\",\"name\":\"1572e66b-20a7-4012-9ec4-77ec4b101bc8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let starttime = 1d;\\nlet endtime = 1h;\\nlet prev23hThreshold = 4;\\nlet prev1hThreshold = 15;\\nlet Kerbevent = (union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e= ago(starttime)\\n| where EventID == 4769\\n| parse EventData with * \u0027TicketEncryptionType\\\"\u003e\u0027 TicketEncryptionType \\\"\u003c\\\" *\\n| where TicketEncryptionType == \u00270x17\u0027\\n| parse EventData with * \u0027TicketOptions\\\"\u003e\u0027 TicketOptions \\\"\u003c\\\" *\\n| where TicketOptions == \u00270x40810000\u0027\\n| parse EventData with * \u0027Status\\\"\u003e\u0027 Status \\\"\u003c\\\" *\\n| where Status == \u00270x0\u0027\\n| parse EventData with * \u0027ServiceName\\\"\u003e\u0027 ServiceName \\\"\u003c\\\" *\\n| where ServiceName !contains \\\"$\\\" and ServiceName !contains \\\"krbtgt\\\" \\n| parse EventData with * \u0027TargetUserName\\\"\u003e\u0027 TargetUserName \\\"\u003c\\\" *\\n| where TargetUserName !contains \\\"$@\\\" and TargetUserName !contains ServiceName\\n| parse EventData with * \u0027IpAddress\\\"\u003e::ffff:\u0027 ClientIPAddress \\\"\u003c\\\" *\\n),\\n(\\nWindowsEvent\\n| where TimeGenerated \u003e= ago(starttime)\\n| where EventID == 4769 and EventData has \u00270x17\u0027 and EventData has \u00270x40810000\u0027 and EventData has \u0027krbtgt\u0027\\n| extend TicketEncryptionType = tostring(EventData.TicketEncryptionType)\\n| where TicketEncryptionType == \u00270x17\u0027\\n| extend TicketOptions = tostring(EventData.TicketOptions)\\n| where TicketOptions == \u00270x40810000\u0027\\n| extend Status = tostring(EventData.Status)\\n| where Status == \u00270x0\u0027\\n| extend ServiceName = tostring(EventData.ServiceName)\\n| where ServiceName !contains \\\"$\\\" and ServiceName !contains \\\"krbtgt\\\"\\n| extend TargetUserName = tostring(EventData.TargetUserName) \\n| where TargetUserName !contains \\\"$@\\\" and TargetUserName !contains ServiceName\\n| extend ClientIPAddress = tostring(EventData.IpAddress) \\n));\\nlet Kerbevent23h = Kerbevent\\n| where TimeGenerated \u003e= ago(starttime) and TimeGenerated \u003c ago(endtime)\\n| summarize ServiceNameCountPrev23h = dcount(ServiceName), ServiceNameSet23h = makeset(ServiceName) \\nby Computer, TargetUserName,TargetDomainName, ClientIPAddress, TicketOptions, TicketEncryptionType, Status\\n| where ServiceNameCountPrev23h \u003c prev23hThreshold;\\nlet Kerbevent1h = \\nKerbevent\\n| where TimeGenerated \u003e= ago(endtime)\\n| summarize min(TimeGenerated), max(TimeGenerated), ServiceNameCountPrev1h = dcount(ServiceName), ServiceNameSet1h = makeset(ServiceName) \\nby Computer, TargetUserName,TargetDomainName, ClientIPAddress, TicketOptions, TicketEncryptionType, Status;\\nKerbevent1h \\n| join kind=leftanti\\n(\\nKerbevent23h\\n) on TargetUserName, TargetDomainName\\n// Threshold value set above is based on testing, this value may need to be changed for your environment.\\n| where ServiceNameCountPrev1h \u003e prev1hThreshold\\n| project StartTimeUtc = min_TimeGenerated, EndTimeUtc = max_TimeGenerated, TargetUserName, Computer, ClientIPAddress, TicketOptions, \\nTicketEncryptionType, Status, ServiceNameCountPrev1h, ServiceNameSet1h, TargetDomainName\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = strcat(TargetDomainName,\\\"\\\\\\\\\\\", TargetUserName), HostCustomEntity = Computer, IPCustomEntity = ClientIPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Potential Kerberoasting\",\"description\":\"A service principal name (SPN) is used to uniquely identify a service instance in a Windows environment. \\nEach SPN is usually associated with a service account. Organizations may have used service accounts with weak passwords in their environment. \\nAn attacker can try requesting Kerberos ticket-granting service (TGS) service tickets for any SPN from a domain controller (DC) which contains \\na hash of the Service account. This can then be used for offline cracking. This hunting query looks for accounts that are generating excessive \\nrequests to different resources within the last hour compared with the previous 24 hours. Normal users would not make an unusually large number \\nof request within a small time window. This is based on 4769 events which can be very noisy so environment based tweaking might be needed.\",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2019-04-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/508cef41-2cd8-4d40-a519-b04826a9085f\",\"name\":\"508cef41-2cd8-4d40-a519-b04826a9085f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n| where EventID == 1102 and EventSourceName == \\\"Microsoft-Windows-Eventlog\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), EventCount = count() by Computer, Account, EventID, Activity\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"NRT Security Event log cleared\",\"description\":\"Checks for event id 1102 which indicates the security event log was cleared.\\nIt uses Event Source Name \\\"Microsoft-Windows-Eventlog\\\" to avoid generating false positives from other sources, like AD FS servers for instance.\",\"lastUpdatedDateUTC\":\"2022-02-07T00:00:00Z\",\"createdDateUTC\":\"2019-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3ff0fffb-d963-40c0-b235-3404f915add7\",\"name\":\"3ff0fffb-d963-40c0-b235-3404f915add7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"GitHubAudit\\n| where Action == \\\"org.disable_two_factor_requirement\\\"\\n| project TimeGenerated, Action, Actor, Country, IPaddress, Repository\\n| extend AccountCustomEntity = Actor, IPCustomEntity = IPaddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"GitHub Two Factor Auth Disable\",\"description\":\"Two-factor authentication is a process where a user is prompted during the sign-in process for an additional form of identification, such as to enter a code on their cellphone or to provide a fingerprint scan. Two factor authentication reduces the risk of account takeover. Attacker will want to disable such security tools in order to go undetected. \",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ce02935c-cc67-4b77-9b96-93d9947e119a\",\"name\":\"ce02935c-cc67-4b77-9b96-93d9947e119a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"acrobatrelay.com\\\", \\\"finconsult.cc\\\", \\\"realmetaldns.com\\\"]); \\n(union isfuzzy=true \\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where DNSName in~ (DomainNames) \\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = DestinationIP \\n), \\n(_Im_Dns (domain_has_any=DomainNames)\\n| extend DNSName = DnsQuery \\n| extend IPAddress = SrcIpAddr, Computer = Dvc\\n), \\n(_Im_WebSession (url_has_any=DomainNames)\\n| extend DNSName = tostring(parse_url(Url)[\\\"Host\\\"])\\n| extend IPAddress = SrcIpAddr, Computer = Dvc\\n), \\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 * \\n| where isnotempty(DNSName) \\n| where DNSName in~ (DomainNames) \\n| extend IPAddress = RemoteIp \\n), \\n( \\n DeviceNetworkEvents \\n| where isnotempty(RemoteUrl) \\n| where RemoteUrl has_any (DomainNames) \\n| extend IPAddress = RemoteIP \\n| extend Computer = DeviceName \\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPAddress = SourceHost\\n) \\n) \\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"KNOTWEED C2 Domains July 2022\",\"description\":\"This query looks for references to known KNOTWEED Domains in network logs.\\n This query was published July 2022.\\n Ref: https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/\",\"lastUpdatedDateUTC\":\"2022-07-27T00:00:00Z\",\"createdDateUTC\":\"2022-07-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/594c653d-719a-4c23-b028-36e3413e632e\",\"name\":\"594c653d-719a-4c23-b028-36e3413e632e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"GitHubAudit\\n| where Action == \\\"org.disable_two_factor_requirement\\\"\\n| project TimeGenerated, Action, Actor, Country, IPaddress, Repository\\n| extend AccountCustomEntity = Actor, IPCustomEntity = IPaddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"NRT GitHub Two Factor Auth Disable\",\"description\":\"Two-factor authentication is a process where a user is prompted during the sign-in process for an additional form of identification, such as to enter a code on their cellphone or to provide a fingerprint scan. Two factor authentication reduces the risk of account takeover. Attacker will want to disable such security tools in order to go undetected. \",\"lastUpdatedDateUTC\":\"2022-05-22T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/50cbf34a-4cdd-45d7-b3f5-8b53a1d0d14f\",\"name\":\"50cbf34a-4cdd-45d7-b3f5-8b53a1d0d14f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"Event\\n| where EventLog == \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID==1\\n| parse EventData with * \u0027CommandLine\\\"\u003e\u0027 CommandLine \\\"\u003c\\\" * \u0027ParentCommandLine\\\"\u003e\u0027 ParentCommandLine \\\"\u003c\\\" *\\n| where ParentCommandLine == \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe -k DcomLaunch\\\" and CommandLine == \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\mmc.exe -Embedding\\\"\\n| parse EventData with * \u0027ProcessGuid\\\"\u003e\u0027 ProcessGuid \\\"\u003c\\\" * \u0027Image\\\"\u003e\u0027 Image \\\"\u003c\\\" * \u0027Description\\\"\u003e\u0027 Description \\\"\u003c\\\" * \u0027CurrentDirectory\\\"\u003e\u0027 CurrentDirectory \\\"\u003c\\\" * \u0027User\\\"\u003e\u0027 User \\\"\u003c\\\" * \u0027LogonGuid\\\"\u003e\u0027 LogonGuid \\\"\u003c\\\" * \u0027ParentProcessGuid\\\"\u003e\u0027 ParentProcessGuid \\\"\u003c\\\" * \u0027ParentImage\\\"\u003e\u0027 ParentImage \\\"\u003c\\\" * \u0027ParentCommandLine\\\"\u003e\u0027 ParentCommandLine \\\"\u003c\\\" * \u0027ParentUser\\\"\u003e\u0027 ParentUser \\\"\u003c\\\" *\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, User, ParentImage, ParentProcessGuid, ParentCommandLine, ParentUser, Image, ProcessGuid, CommandLine, Description\",\"entityMappings\":[{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLine\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"User\"}]}],\"tactics\":[\"LateralMovement\"],\"displayName\":\"Lateral Movement via DCOM\",\"description\":\"This query detects a fairly uncommon attack technique using the Windows Distributed Component Object Model (DCOM) to make a remote execution call to another computer system and gain lateral movement throughout the network.\\nRef: http://thenegative.zone/incident%20response/2017/02/04/MMC20.Application-Lateral-Movement-Analysis.html\",\"lastUpdatedDateUTC\":\"2022-03-11T00:00:00Z\",\"createdDateUTC\":\"2022-03-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b1832f60-6c3d-4722-a0a5-3d564ee61a63\",\"name\":\"b1832f60-6c3d-4722-a0a5-3d564ee61a63\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let HAS_ANY_MAX = 10000;\\nlet dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation\\nlet DOMAIN_TI=ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(DomainName);\\nlet DOMAIN_TI_list= todynamic(toscalar(DOMAIN_TI | summarize NIoCs = dcount(DomainName), Domains = make_set(DomainName) \\n | project Domains=iff(NIoCs \u003e HAS_ANY_MAX, dynamic([]), Domains) ));\\nDOMAIN_TI\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n _Im_WebSession(starttime=ago(dt_lookBack), url_has_any= DOMAIN_TI_list )\\n //Extract domain patterns from syslog message\\n | extend domain = tostring(parse_url(Url)[\\\"Host\\\"])\\n | where isnotempty(domain)\\n | extend tld = tostring(split(domain, \u0027.\u0027)[-1])\\n | extend Event_TimeGenerated = TimeGenerated\\n) on $left.DomainName==$right.domain\\n| where Event_TimeGenerated \u003c ExpirationDateTime\\n| summarize Event_TimeGenerated = arg_max(Event_TimeGenerated , *) by IndicatorId, domain\\n| project Event_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, domain, SrcIpAddr, Url\",\"customDetails\":{\"EventTime\":\"Event_TimeGenerated\",\"IoCDescription\":\"Description\",\"ActivityGroupNames\":\"ActivityGroupNames\",\"IndicatorId\":\"IndicatorId\",\"ThreatType\":\"ThreatType\",\"IoCExpirationTime\":\"ExpirationDateTime\",\"IoCConfidenceScore\":\"ConfidenceScore\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"A web request from {{SrcIpAddr}} to hostname {{domain}} matched an IoC\",\"alertDescriptionFormat\":\"A client with address {{SrcIpAddr}} requested the URL {{Url}}, whose hostname is a known indicator of compromise of {{ThreatType}}. Consult the threat intelligence blead for more information on the indicator.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"Impact\"],\"displayName\":\"(Preview) TI map Domain entity to Web Session Events (ASIM Web Session schema)\",\"description\":\"This rule identifies Web Sessions for which the target URL hostname is a known IoC. \u003cbr\u003e\u003cbr\u003eThis rule uses the [Advanced Security Information Model (ASIM)](https://aka.ms/AboutSIM) and supports any web session source that complies with ASIM.\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2022-03-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/643c2025-9604-47c5-833f-7b4b9378a1f5\",\"name\":\"643c2025-9604-47c5-833f-7b4b9378a1f5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"//Adjust this threshold to fit your environment\\nlet signin_threshold = 5; \\n//Make a list of IPs with AAD signin failures above our threshold\\nlet aadFunc = (tableName:string){\\nlet Suspicious_signins = \\ntable(tableName)\\n| where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n| where IPAddress !in (\\\"127.0.0.1\\\", \\\"::1\\\")\\n| summarize count() by IPAddress\\n| where count_ \u003e signin_threshold\\n| summarize make_set(IPAddress);\\nSuspicious_signins\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nlet Suspicious_signins = \\nunion isfuzzy=true aadSignin, aadNonInt\\n| summarize make_set(set_IPAddress);\\n//See if any of those IPs have sucessfully logged into the AWS console\\nAWSCloudTrail\\n| where EventName =~ \\\"ConsoleLogin\\\"\\n| extend LoginResult = tostring(parse_json(ResponseElements).ConsoleLogin) \\n| where LoginResult =~ \\\"Success\\\"\\n| where SourceIpAddress in (Suspicious_signins)\\n| extend Reason = \\\"Multiple failed AAD logins from IP address\\\"\\n| extend MFAUsed = tostring(parse_json(AdditionalEventData).MFAUsed)\\n| extend User = iif(isempty(UserIdentityUserName), UserIdentityType, UserIdentityUserName) \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by Reason, LoginResult, EventTypeName, UserIdentityType, User, AWSRegion, SourceIpAddress, UserAgent, MFAUsed\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User, IPCustomEntity = SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"Failed AzureAD logons but success logon to AWS Console\",\"description\":\"Identifies a list of IP addresses with a minimum number(defualt of 5) of failed logon attempts to Azure Active Directory.\\nUses that list to identify any successful AWS Console logons from these IPs within the same timeframe.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7d6d8a8e-b08a-4082-8dbb-d7fd2cbbc35e\",\"name\":\"7d6d8a8e-b08a-4082-8dbb-d7fd2cbbc35e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"High\",\"query\":\"let scriptExtensions = dynamic([\\\".php\\\", \\\".jsp\\\", \\\".js\\\", \\\".aspx\\\", \\\".asmx\\\", \\\".asax\\\", \\\".cfm\\\", \\\".shtml\\\"]);\\nunion isfuzzy=true\\n(SecurityEvent\\n| where EventID == 4663\\n| where Process has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| where ObjectName has_any (scriptExtensions)\\n| where AccessMask in (\u00270x2\u0027,\u00270x100\u0027, \u00270x10\u0027, \u00270x4\u0027)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress\\n),\\n (WindowsEvent\\n| where EventID == 4663 and EventData has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\") and EventData has_any (scriptExtensions) \\n| where EventData has_any (\u00270x2\u0027,\u00270x100\u0027, \u00270x10\u0027, \u00270x4\u0027)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where Process has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| extend ObjectName = tostring(EventData.ObjectName)\\n| where ObjectName has_any (scriptExtensions)\\n| extend AccessMask = tostring(EventData.AccessMask)\\n| where AccessMask in (\u00270x2\u0027,\u00270x100\u0027, \u00270x10\u0027, \u00270x4\u0027)\\n| extend Account = strcat(EventData.SubjectDomainName,\\\"\\\\\\\\\\\", EventData.SubjectUserName)\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress\\n),\\n(imFileEvent\\n| where EventType == \\\"FileCreated\\\"\\n| where ActingProcessName has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n and\\n TargetFileName has_any (scriptExtensions)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUsername, HostCustomEntity = DvcHostname\\n),\\n(DeviceFileEvents\\n| where ActionType =~ \\\"FileCreated\\\"\\n| where InitiatingProcessFileName has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| where FileName has_any(scriptExtensions)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountUpn, HostCustomEntity = DeviceName, IPCustomEntity = RequestSourceIP)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingProcessAccountUpn\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DeviceName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"HAFNIUM UM Service writing suspicious file\",\"description\":\"This query looks for the Exchange server UM process writing suspicious files that may be indicative of webshells.\\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-03-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d714ef62-1a56-4779-804f-91c4158e528d\",\"name\":\"d714ef62-1a56-4779-804f-91c4158e528d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let ImagesList = dynamic ([\\\"sethc.exe\\\",\\\"utilman.exe\\\",\\\"osk.exe\\\",\\\"Magnify.exe\\\",\\\"Narrator.exe\\\",\\\"DisplaySwitch.exe\\\",\\\"AtBroker.exe\\\"]); \\nlet OriginalFileNameList = dynamic ([\\\"sethc.exe\\\",\\\"utilman.exe\\\",\\\"osk.exe\\\",\\\"Magnify.exe\\\",\\\"Narrator.exe\\\",\\\"DisplaySwitch.exe\\\",\\\"AtBroker.exe\\\",\\\"SR.exe\\\",\\\"utilman2.exe\\\",\\\"ScreenMagnifier.exe\\\"]); \\nEvent\\n| where EventLog == \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID==1\\n| parse EventData with * \u0027Image\\\"\u003e\u0027 Image \\\"\u003c\\\" * \u0027OriginalFileName\\\"\u003e\u0027 OriginalFileName \\\"\u003c\\\" *\\n| where Image has_any (ImagesList) and not (OriginalFileName has_any (OriginalFileNameList))\\n| parse EventData with * \u0027ProcessGuid\\\"\u003e\u0027 ProcessGuid \\\"\u003c\\\" * \u0027Description\\\"\u003e\u0027 Description \\\"\u003c\\\" * \u0027CommandLine\\\"\u003e\u0027 CommandLine \\\"\u003c\\\" * \u0027CurrentDirectory\\\"\u003e\u0027 CurrentDirectory \\\"\u003c\\\" * \u0027User\\\"\u003e\u0027 User \\\"\u003c\\\" * \u0027LogonGuid\\\"\u003e\u0027 LogonGuid \\\"\u003c\\\" * \u0027Hashes\\\"\u003e\u0027 Hashes \\\"\u003c\\\" * \u0027ParentProcessGuid\\\"\u003e\u0027 ParentProcessGuid \\\"\u003c\\\" * \u0027ParentImage\\\"\u003e\u0027 ParentImage \\\"\u003c\\\" * \u0027ParentCommandLine\\\"\u003e\u0027 ParentCommandLine \\\"\u003c\\\" * \u0027ParentUser\\\"\u003e\u0027 ParentUser \\\"\u003c\\\" *\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, User, ParentImage, ParentProcessGuid, ParentCommandLine, ParentUser, Image, ProcessGuid, CommandLine, Description, OriginalFileName, CurrentDirectory, Hashes\",\"entityMappings\":[{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLine\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Modification of Accessibility Features\",\"description\":\"Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Windows contains accessibility features that may be launched with a key combination before a user has logged in (ex: when the user is on the Windows logon screen). An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.\\n Two common accessibility programs are C:\\\\Windows\\\\System32\\\\sethc.exe, launched when the shift key is pressed five times and C:\\\\Windows\\\\System32\\\\utilman.exe, launched when the Windows + U key combination is pressed. The sethc.exe program is often referred to as \\\"sticky keys\\\", and has been used by adversaries for unauthenticated access through a remote desktop login screen. [1]\\nRef: https://attack.mitre.org/techniques/T1546/008/\",\"lastUpdatedDateUTC\":\"2022-03-11T00:00:00Z\",\"createdDateUTC\":\"2022-03-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f8dad4e9-3f19-4d70-ab7f-8f19ccd43a3e\",\"name\":\"f8dad4e9-3f19-4d70-ab7f-8f19ccd43a3e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":1,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let threshold = 1;\\nAzureDiagnostics\\n | where OperationName in (\\\"AzureFirewallApplicationRuleLog\\\",\\\"AzureFirewallNetworkRuleLog\\\")\\n | extend msg_s_replaced0 = replace(@\\\"\\\\s\\\\s\\\",@\\\" \\\",msg_s)\\n | extend msg_s_replaced1 = replace(@\\\"\\\\.\\\\s\\\",@\\\" \\\",msg_s_replaced0)\\n | extend msg_a = split(msg_s_replaced1,\\\" \\\")\\n | extend srcAddr_a = split(msg_a[3],\\\":\\\") , destAddr_a = split(msg_a[5],\\\":\\\")\\n | extend protocol = tostring(msg_a[0]), srcIp = tostring(srcAddr_a[0]), srcPort = tostring(srcAddr_a[1]), destIp = tostring(destAddr_a[0]), destPort = tostring(destAddr_a[1]), action = tostring(msg_a[7])\\n | where action == \\\"Deny\\\"\\n | extend url = iff(destIp matches regex \\\"\\\\\\\\d+\\\\\\\\.\\\\\\\\d+\\\\\\\\.\\\\\\\\d+\\\\\\\\.\\\\\\\\d+\\\",\\\"\\\",destIp)\\n | summarize StartTime = min(TimeGenerated), count() by srcIp, destIp, url, action, protocol\\n | where count_ \u003e= [\\\"threshold\\\"]\\n | extend timestamp = StartTime, URLCustomEntity = url, IPCustomEntity = srcIp\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Discovery\",\"LateralMovement\",\"CommandAndControl\"],\"displayName\":\"Several deny actions registered\",\"description\":\"Identifies attack pattern when attacker tries to move, or scan, from resource to resource on the network and creates an incident when a source has more than 1 registered deny action in Azure Firewall.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2020-10-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b9d2eebc-5dcb-4888-8165-900db44443ab\",\"name\":\"b9d2eebc-5dcb-4888-8165-900db44443ab\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"// Enter a reference list of hostnames for your DC servers\\n//let DCServersList = dynamic ([\\\"DC01.simulandlabs.com\\\",\\\"DC02.simulandlabs.com\\\"]);\\nSecurityEvent\\n//| where Computer in (DCServersList)\\n| where EventID == 4662 and ObjectServer == \u0027DS\u0027\\n| where AccountType != \u0027Machine\u0027\\n| where Properties has \u00271131f6aa-9c07-11d1-f79f-00c04fc2dcd2\u0027 //DS-Replication-Get-Changes\\n or Properties has \u00271131f6ad-9c07-11d1-f79f-00c04fc2dcd2\u0027 //DS-Replication-Get-Changes-All\\n or Properties has \u002789e95b76-444d-4c62-991a-0facbeda640c\u0027 //DS-Replication-Get-Changes-In-Filtered-Set\\n| project TimeGenerated, Account, Activity, Properties, SubjectLogonId, Computer\\n| join kind=leftouter\\n(\\n SecurityEvent\\n //| where Computer in (DCServersList)\\n | where EventID == 4624 and LogonType == 3\\n | where AccountType != \u0027Machine\u0027\\n | project TargetLogonId, IpAddress\\n)\\non $left.SubjectLogonId == $right.TargetLogonId\\n| project-reorder TimeGenerated, Computer, Account, IpAddress\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, SourceAddress = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceAddress\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Non Domain Controller Active Directory Replication\",\"description\":\"This query detects potential attempts by non-computer accounts (non domain controllers) to retrieve/synchronize an active directory object leveraging directory replication services (DRS).\\nA Domain Controller (computer account) would usually be performing these actions in a domain environment. Another detection rule can be created to cover domain controllers accounts doing at rare times.\\nA domain user with privileged permissions to use directory replication services is rare. Ref: https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-180815210510.html\",\"lastUpdatedDateUTC\":\"2021-11-08T00:00:00Z\",\"createdDateUTC\":\"2021-05-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/75297f62-10a8-4fc1-9b2a-12f25c6f05a7\",\"name\":\"75297f62-10a8-4fc1-9b2a-12f25c6f05a7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let domain_lookBack= 14d;\\nlet timeframe = 1d;\\nlet top_million_list = Cisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(domain_lookBack) and TimeGenerated \u003c ago(timeframe)\\n| extend Hostname = parse_url(UrlOriginal)[\\\"Host\\\"]\\n| summarize count() by tostring(Hostname)\\n| top 1000000 by count_\\n| summarize make_list(Hostname);\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(timeframe)\\n| extend Hostname = parse_url(UrlOriginal)[\\\"Host\\\"]\\n| where Hostname !in (top_million_list)\\n| extend Message = \\\"Connect to unpopular website (possible malicious payload delivery)\\\"\\n| project Message, SrcIpAddr, DstIpAddr,UrlOriginal, TimeGenerated\\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - Connection to Unpopular Website Detected\",\"description\":\"Detects first connection to an unpopular website (possible malicious payload delivery).\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/89a86f70-615f-4a79-9621-6f68c50f365f\",\"name\":\"89a86f70-615f-4a79-9621-6f68c50f365f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let starttime = 7d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet HistThreshold = 25; \\nlet CurrThreshold = 10; \\nlet HistoricalThreats = CommonSecurityLog\\n| where isnotempty(SourceIP)\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where DeviceVendor =~ \\\"Palo Alto Networks\\\"\\n| where Activity =~ \\\"THREAT\\\" and SimplifiedDeviceAction =~ \\\"alert\\\" \\n| where DeviceEventClassID in (\u0027spyware\u0027, \u0027scan\u0027, \u0027file\u0027, \u0027vulnerability\u0027, \u0027flood\u0027, \u0027packet\u0027, \u0027virus\u0027,\u0027wildfire\u0027, \u0027wildfire-virus\u0027)\\n| summarize TotalEvents = count(), ThreatTypes = make_set(DeviceEventClassID), DestinationIpList = make_set(DestinationIP), FirstSeen = min(TimeGenerated) , LastSeen = max(TimeGenerated) by SourceIP, DeviceAction, DeviceVendor;\\nlet CurrentHourThreats = CommonSecurityLog\\n| where isnotempty(SourceIP)\\n| where TimeGenerated \u003e ago(timeframe)\\n| where DeviceVendor =~ \\\"Palo Alto Networks\\\"\\n| where Activity =~ \\\"THREAT\\\" and SimplifiedDeviceAction =~ \\\"alert\\\" \\n| where DeviceEventClassID in (\u0027spyware\u0027, \u0027scan\u0027, \u0027file\u0027, \u0027vulnerability\u0027, \u0027flood\u0027, \u0027packet\u0027, \u0027virus\u0027,\u0027wildfire\u0027, \u0027wildfire-virus\u0027)\\n| summarize TotalEvents = count(), ThreatTypes = make_set(DeviceEventClassID), DestinationIpList = make_set(DestinationIP), FirstSeen = min(TimeGenerated) , LastSeen = max(TimeGenerated) by SourceIP, DeviceAction, DeviceProduct, DeviceVendor;\\nCurrentHourThreats \\n| where TotalEvents \u003c CurrThreshold\\n| join kind = leftanti (HistoricalThreats \\n| where TotalEvents \u003e HistThreshold) on SourceIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]}],\"tactics\":[\"Discovery\",\"Exfiltration\",\"CommandAndControl\"],\"displayName\":\"Palo Alto Threat signatures from Unusual IP addresses\",\"description\":\"Identifies Palo Alto Threat signatures from unusual IP addresses which are not historically seen. \\nThis detection is also leveraged and required for MDE and PAN Fusion scenario\\nhttps://docs.microsoft.com/Azure/sentinel/fusion-scenario-reference#network-request-to-tor-anonymization-service-followed-by-anomalous-traffic-flagged-by-palo-alto-networks-firewall\",\"lastUpdatedDateUTC\":\"2022-04-20T00:00:00Z\",\"createdDateUTC\":\"2022-03-23T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/35a0792a-1269-431e-ac93-7ae2980d4dde\",\"name\":\"35a0792a-1269-431e-ac93-7ae2980d4dde\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now() \\n| where Active == true\\n| where isnotempty(EmailSenderAddress)\\n| extend TI_emailEntity = EmailSenderAddress\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n ProofpointPOD \\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(SrcUserUpn)\\n | extend ProofpointPOD_TimeGenerated = TimeGenerated, ClientEmail = SrcUserUpn\\n\\n)\\non $left.TI_emailEntity == $right.ClientEmail\\n| where ProofpointPOD_TimeGenerated \u003c ExpirationDateTime\\n| summarize ProofpointPOD_TimeGenerated = arg_max(ProofpointPOD_TimeGenerated, *) by IndicatorId, ClientEmail\\n| project ProofpointPOD_TimeGenerated, Description, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, ClientEmail\\n| extend timestamp = ProofpointPOD_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ClientEmail\"}]}],\"tactics\":[\"Exfiltration\",\"InitialAccess\"],\"displayName\":\"ProofpointPOD - Email sender in TI list\",\"description\":\"Email sender in TI list.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_maillog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c3b11fb2-9201-4844-b7b9-6b7bf6d9b851\",\"name\":\"c3b11fb2-9201-4844-b7b9-6b7bf6d9b851\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.1\",\"severity\":\"Medium\",\"query\":\"let threshold = 200;\\n_Im_Dns(responsecodename=\u0027NXDOMAIN\u0027)\\n| where isnotempty(DnsResponseCodeName)\\n//| where DnsResponseCodeName =~ \\\"NXDOMAIN\\\"\\n| summarize count() by SrcIpAddr, bin(TimeGenerated,15m)\\n| where count_ \u003e threshold\\n| join kind=inner (_Im_Dns(responsecodename=\u0027NXDOMAIN\u0027)\\n ) on SrcIpAddr\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Excessive NXDOMAIN DNS Queries (ASIM DNS Schema)\",\"description\":\"This creates an incident in the event a client generates excessive amounts of DNS queries for non-existent domains. \\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema\",\"lastUpdatedDateUTC\":\"2022-04-10T00:00:00Z\",\"createdDateUTC\":\"2021-06-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a172107d-794c-48c0-bc26-d3349fe10b4d\",\"name\":\"a172107d-794c-48c0-bc26-d3349fe10b4d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT12H\",\"queryPeriod\":\"PT12H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Dev-0530_July2022.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\nlet IPList = (iocs | where Type =~ \\\"ip\\\"| project IoC);\\n(union isfuzzy=true \\n(DeviceProcessEvents\\n| where InitiatingProcessSHA256 in (sha256Hashes) or SHA256 in (sha256Hashes) or ( InitiatingProcessCommandLine has (\u0027cmd.exe /Q /c schtasks /create /tn lockertask /tr\u0027) \\nand InitiatingProcessCommandLine has (\u0027sc minute /mo 1 /F /ru system\u0027))\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type, AccountName, SHA256\\n| extend Account = AccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = case(InitiatingProcessSHA256 in (sha256Hashes), \\\"InitiatingProcessSHA256\\\", SHA256 in (sha256Hashes), \\\"SHA256\\\", \\\"No Match\\\")\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = case(FileHash == \\\"InitiatingProcessSHA256\\\", InitiatingProcessSHA256, FileHash == \\\"SHA256\\\", SHA256, \\\"No Match\\\")\\n),\\n( SecurityEvent\\n| where EventID == 4688\\n| where ( CommandLine has (\u0027cmd.exe /Q /c schtasks /create /tn lockertask /tr\u0027) and CommandLine has (\u0027/sc minute /mo 1 /F /ru system\u0027))\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type, EventID, CommandLine\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName\\n),\\n( imFileEvent\\n| where Hash in~ (sha256Hashes) or ( ActingProcessCommandLine has (\u0027cmd.exe /Q /c schtasks /create /tn lockertask /tr\u0027) and ActingProcessCommandLine has (\u0027/sc minute /mo 1 /F /ru system\u0027))\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, FileHashCustomEntity = FileHash\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Image = EventDetail.[4].[\\\"#text\\\"], CommandLine = EventDetail.[10].[\\\"#text\\\"], Hashes = tostring(EventDetail.[17].[\\\"#text\\\"])\\n| extend Hashes = extract_all(@\\\"(?P\u003ckey\u003e\\\\w+)=(?P\u003cvalue\u003e[a-zA-Z0-9]+)\\\", dynamic([\\\"key\\\",\\\"value\\\"]), Hashes)\\n| extend Hashes = column_ifexists(\\\"Hashes\\\", \\\"\\\"), CommandLine = column_ifexists(\\\"CommandLine\\\", \\\"\\\")\\n| where (Hashes has_any (sha256Hashes) ) or ( CommandLine has (\u0027cmd.exe /Q /c schtasks /create /tn lockertask /tr\u0027) and CommandLine has (\u0027/sc minute /mo 1 /F /ru system\u0027)) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, Hashes, CommandLine, Image\\n| extend Type = strcat(Type, \\\": \\\", Source)\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), FileHashCustomEntity = Hashes\\n),\\n(DeviceFileEvents\\n| where SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n),\\n(EmailEvents\\n| where SenderFromAddress == \u0027H0lyGh0st@mail2tor.com\u0027\\n| extend timestamp = TimeGenerated, IPCustomEntity = SenderIPv4, AccountCustomEntity = SenderFromAddress \\n),\\n(CommonSecurityLog \\n| where isnotempty(SourceIP) or isnotempty(DestinationIP) \\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList) or FileHash in (sha256Hashes)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"Message\\\") \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch , FileHash\\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\") \\n), \\n(OfficeActivity \\n|extend SourceIPAddress = ClientIP, Account = UserId \\n| where SourceIPAddress in (IPList) \\n| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account \\n),\\n(SigninLogs \\n| where isnotempty(IPAddress) \\n| where IPAddress in (IPList) \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \\n),\\n(AADNonInteractiveUserSignInLogs \\n| where isnotempty(IPAddress) \\n| where IPAddress in (IPList) \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \\n), \\n(W3CIISLog \\n| where isnotempty(cIP) \\n| where cIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName \\n), \\n(AzureActivity \\n| where isnotempty(CallerIpAddress) \\n| where CallerIpAddress in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller \\n), \\n( \\nAWSCloudTrail \\n| where isnotempty(SourceIpAddress) \\n| where SourceIpAddress in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName \\n), \\n( \\nDeviceNetworkEvents \\n| where isnotempty(RemoteIP) \\n| where RemoteIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName \\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallNetworkRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Dev-0530 IOC - July 2022\",\"description\":\"Identifies a IOC match related to Dev-0530 actor across various data sources.\",\"lastUpdatedDateUTC\":\"2022-07-14T00:00:00Z\",\"createdDateUTC\":\"2022-07-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\",\"DeviceProcessEvents\",\"DeviceNetworkEvents\",\"EmailEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/572e75ef-5147-49d9-9d65-13f2ed1e3a86\",\"name\":\"572e75ef-5147-49d9-9d65-13f2ed1e3a86\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let inviting_users = (AuditLogs\\n | where TimeGenerated between(ago(14d)..ago(1d))\\n | where OperationName =~ \\\"Invite external user\\\"\\n | where Result =~ \\\"success\\\"\\n | extend invitingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | where isnotempty(invitingUser)\\n | summarize by invitingUser);\\n AuditLogs\\n | where TimeGenerated \u003e ago(1d)\\n | where OperationName =~ \\\"Invite external user\\\"\\n | where Result =~ \\\"success\\\"\\n | extend invitingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | where isnotempty(invitingUser) and invitingUser !in (inviting_users)\\n | extend invitedUserPrincipalName = tostring(TargetResources[0].userPrincipalName)\\n | extend ipAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"invitingUser\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"invitedUserPrincipalName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ipAddress\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Guest Users Invited to Tenant by New Inviters\",\"description\":\"Detects when a Guest User is added by a user account that has not been seen adding a guest in the previous 14 days.\\n Monitoring guest accounts and the access they are provided is important to detect potential account abuse.\\n Accounts added should be investigated to ensure the activity was legitimate.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/500415fb-bba7-4227-a08a-9857fb61b6a7\",\"name\":\"500415fb-bba7-4227-a08a-9857fb61b6a7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"OfficeActivity\\n| where OfficeWorkload == \\\"Exchange\\\"\\n| where Operation in~ (\\\"New-TransportRule\\\", \\\"Set-TransportRule\\\")\\n| mv-apply DynamicParameters = todynamic(Parameters) on (summarize ParsedParameters = make_bag(pack(tostring(DynamicParameters.Name), DynamicParameters.Value)))\\n| extend RuleName = case(\\n Operation =~ \\\"Set-TransportRule\\\", OfficeObjectId,\\n Operation =~ \\\"New-TransportRule\\\", ParsedParameters.Name,\\n \\\"Unknown\\\")\\n| mv-expand ExpandedParameters = todynamic(Parameters)\\n| where ExpandedParameters.Name in~ (\\\"BlindCopyTo\\\", \\\"RedirectMessageTo\\\") and isnotempty(ExpandedParameters.Value)\\n| extend RedirectTo = ExpandedParameters.Value\\n| extend ClientIPValues = extract_all(@\u0027\\\\[?(::ffff:)?(?P\u003cIPAddress\u003e(\\\\d+\\\\.\\\\d+\\\\.\\\\d+\\\\.\\\\d+)|[^\\\\]]+)\\\\]?([-:](?P\u003cPort\u003e\\\\d+))?\u0027, dynamic([\\\"IPAddress\\\", \\\"Port\\\"]), ClientIP)[0]\\n| project TimeGenerated, RedirectTo, IPAddress = tostring(ClientIPValues[0]), Port = tostring(ClientIPValues[1]), UserId, Operation, RuleName, Parameters\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Collection\",\"Exfiltration\"],\"displayName\":\"Mail redirect via ExO transport rule\",\"description\":\"Identifies when Exchange Online transport rule configured to forward emails.\\nThis could be an adversary mailbox configured to collect mail from multiple user accounts.\",\"lastUpdatedDateUTC\":\"2022-04-18T00:00:00Z\",\"createdDateUTC\":\"2020-05-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/500c103a-0319-4d56-8e99-3cec8d860757\",\"name\":\"500c103a-0319-4d56-8e99-3cec8d860757\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let aadFunc = (tableName:string){\\ntable(tableName)\\n| where ResultType == \\\"50057\\\" \\n| where ResultDescription == \\\"User account is disabled. The account has been disabled by an administrator.\\\" \\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), disabledAccountLoginAttempts = count(), \\ndisabledAccountsTargeted = dcount(UserPrincipalName), applicationsTargeted = dcount(AppDisplayName), disabledAccountSet = make_set(UserPrincipalName), \\napplicationSet = make_set(AppDisplayName) by IPAddress, Type\\n| order by disabledAccountLoginAttempts desc\\n| join kind= leftouter (\\n // Consider these IPs suspicious - and alert any related successful sign-ins\\n table(tableName)\\n | where ResultType == 0\\n | summarize successfulAccountSigninCount = dcount(UserPrincipalName), successfulAccountSigninSet = make_set(UserPrincipalName, 15) by IPAddress, Type\\n // Assume IPs associated with sign-ins from 100+ distinct user accounts are safe\\n | where successfulAccountSigninCount \u003c 100\\n) on IPAddress \\n// IPs from which attempts to authenticate as disabled user accounts originated, and had a non-zero success rate for some other account\\n| where isnotempty(successfulAccountSigninCount)\\n| project StartTime, EndTime, IPAddress, disabledAccountLoginAttempts, disabledAccountsTargeted, disabledAccountSet, applicationSet, \\nsuccessfulAccountSigninCount, successfulAccountSigninSet, Type\\n| order by disabledAccountLoginAttempts\\n| extend timestamp = StartTime, IPCustomEntity = IPAddress\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"Persistence\"],\"displayName\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts\",\"description\":\"Identifies IPs with failed attempts to sign in to one or more disabled accounts and where that same IP has had successful signins from other accounts.\\nThis could indicate an attacker who obtained credentials for a list of accounts and is attempting to login with those accounts, some of which may have already been disabled.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50057 - User account is disabled. The account has been disabled by an administrator.\",\"lastUpdatedDateUTC\":\"2021-10-22T00:00:00Z\",\"createdDateUTC\":\"2019-02-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e7470b35-0128-4508-bfc9-e01cfb3c2eb7\",\"name\":\"e7470b35-0128-4508-bfc9-e01cfb3c2eb7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"Event\\n | where EventLog == \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID==1\\n | parse EventData with * \u0027Image\\\"\u003e\u0027 Image \\\"\u003c\\\" * \u0027CommandLine\\\"\u003e\u0027 CommandLine \\\"\u003c\\\" * \u0027ParentImage\\\"\u003e\u0027 ParentImage \\\"\u003c\\\" *\\n | where ParentImage has \\\"svchost.exe\\\" and Image has \\\"rundll32.exe\\\" and CommandLine has \\\"{c08afd90-f2a1-11d1-8455-00a0c91f3880}\\\"\\n | parse EventData with * \u0027ProcessGuid\\\"\u003e\u0027 ProcessGuid \\\"\u003c\\\" * \u0027Description\\\"\u003e\u0027 Description \\\"\u003c\\\" * \u0027CurrentDirectory\\\"\u003e\u0027 CurrentDirectory \\\"\u003c\\\" * \u0027User\\\"\u003e\u0027 User \\\"\u003c\\\" * \u0027LogonGuid\\\"\u003e\u0027 LogonGuid \\\"\u003c\\\" * \u0027ParentProcessGuid\\\"\u003e\u0027 ParentProcessGuid \\\"\u003c\\\" * \u0027ParentImage\\\"\u003e\u0027 ParentImage \\\"\u003c\\\" * \u0027ParentCommandLine\\\"\u003e\u0027 ParentCommandLine \\\"\u003c\\\" * \u0027ParentUser\\\"\u003e\u0027 ParentUser \\\"\u003c\\\" *\\n | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, User, ParentImage, ParentProcessGuid, ParentCommandLine, ParentUser, Image, ProcessGuid, CommandLine, Description\",\"entityMappings\":[{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLine\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"User\"}]}],\"tactics\":[\"LateralMovement\"],\"displayName\":\"Detecting Macro Invoking ShellBrowserWindow COM Objects\",\"description\":\"This query detects a macro invoking ShellBrowserWindow COM Objects evade naive parent/child Office detection rules.\\nRef: https://blog.menasec.net/2019/02/threat-hunting-doc-with-macro-invoking.html\",\"lastUpdatedDateUTC\":\"2022-03-11T00:00:00Z\",\"createdDateUTC\":\"2022-03-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c2da1106-bfe4-4a63-bf14-5ab73130ccd5\",\"name\":\"c2da1106-bfe4-4a63-bf14-5ab73130ccd5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":1,\"version\":\"1.0.0\",\"severity\":\"Informational\",\"query\":\"let timeframe = ago(1d);\\nAppServiceAntivirusScanAuditLogs\\n| where ScanStatus == \\\"Failed\\\"\\n| extend HostCustomEntity = _ResourceId, timestamp = TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"displayName\":\"AppServices AV Scan Failure\",\"description\":\"Identifies if an AV scan fails in Azure App Services.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-11T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/68271db2-cbe9-4009-b1d3-bb3b5fe5713c\",\"name\":\"68271db2-cbe9-4009-b1d3-bb3b5fe5713c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let User_Agents = dynamic ([\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70\\\", \\n\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.1 Safari/605.1.15\\\", \\n\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0\\\", \\n\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36\\\", \\n\\\"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36\\\"]);\\nOfficeActivity\\n| where RecordType in (\\\"AzureActiveDirectoryAccountLogon\\\", \\\"AzureActiveDirectoryStsLogon\\\") \\n| where Operation != \u0027UserLoggedIn\u0027\\n| extend UserAgent = iff(parse_json(ExtendedProperties)[0].Name =~ \\\"UserAgent\\\", extractjson(\\\"$[0].Value\\\", ExtendedProperties, typeof(string)),\\\"\\\")\\n| mv-expand parse_json(ExtendedProperties)\\n| where ExtendedProperties.Name =~ \\\"RequestType\\\"\\n| extend RequestType = todynamic(ExtendedProperties).Value\\n| where UserAgent =~ \\\"ms-office\\\" or UserAgent has_any (User_Agents)\\n| summarize authAttempts=dcount(TimeGenerated), firstAttempt=min(TimeGenerated), lastAttempt=max(TimeGenerated), uniqueIPs=dcount(ClientIP), uniqueAccounts=dcount(UserId), attemptedAccounts=make_set(UserId) by UserAgent\\n| where authAttempts \u003e 500\\n| extend timestamp = firstAttempt\\n| sort by uniqueAccounts\",\"entityMappings\":[],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Possible STRONTIUM attempted credential harvesting - Oct 2020\",\"description\":\"Surfaces potential STRONTIUM group Office365 credential harvesting attempts within OfficeActivity Logon events.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-09-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e7ec9fa6-e7f7-41ed-a34b-b956837a3ee6\",\"name\":\"e7ec9fa6-e7f7-41ed-a34b-b956837a3ee6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let threshold = 15;\\n// Below pulls messages from syslog-authpriv logs where there was an authentication failure with an unknown user.\\n// IP address of system attempting logon is also extracted from the SyslogMessage field. Some of these messages\\n// are aggregated.\\nSyslog\\n| where Facility =~ \\\"authpriv\\\"\\n| where SyslogMessage has \\\"authentication failure\\\" and SyslogMessage has \\\" uid=0\\\"\\n| parse SyslogMessage with * \\\"rhost=\\\" RemoteIP\\n| project TimeGenerated, Computer, ProcessName, HostIP, RemoteIP, ProcessID\\n| join kind=innerunique (\\n // Below pulls messages from syslog-authpriv logs that show each instance an unknown user tried to logon. \\n Syslog \\n | where Facility =~ \\\"authpriv\\\"\\n | where SyslogMessage has \\\"user unknown\\\"\\n | project Computer, HostIP, ProcessID\\n ) on Computer, HostIP, ProcessID\\n// Count the number of failed logon attempts by External IP and internal machine\\n| summarize FirstLogonAttempt = min(TimeGenerated), LatestLogonAttempt = max(TimeGenerated), TotalLogonAttempts = count() by Computer, HostIP, RemoteIP\\n// Calculate the time between first and last logon attempt (AttemptPeriodLength)\\n| extend TimeBetweenLogonAttempts = LatestLogonAttempt - FirstLogonAttempt\\n| where TotalLogonAttempts \u003e= threshold\\n| project FirstLogonAttempt, LatestLogonAttempt, TimeBetweenLogonAttempts, TotalLogonAttempts, SourceAddress = RemoteIP, DestinationHost = Computer, DestinationAddress = HostIP\\n| sort by DestinationHost asc nulls last\\n| extend timestamp = FirstLogonAttempt, HostCustomEntity = DestinationHost, IPCustomEntity = DestinationAddress\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Failed logon attempts in authpriv\",\"description\":\"Identifies failed logon attempts from unknown users in Syslog authpriv logs. The unknown user means the account that tried to log in \\nisn\u0027t provisioned on the machine. A few hits could indicate someone attempting to access a machine they aren\u0027t authorized to access. \\nIf there are many of hits, especially from outside your network, it could indicate a brute force attack. \\nDefault threshold for logon attempts is 15.\",\"lastUpdatedDateUTC\":\"2022-05-31T00:00:00Z\",\"createdDateUTC\":\"2019-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f041e01d-840d-43da-95c8-4188f6cef546\",\"name\":\"f041e01d-840d-43da-95c8-4188f6cef546\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let LearningPeriod = 7d;\\nlet RunTime = 1h;\\nlet StartTime = 1h;\\nlet EndRunTime = StartTime - RunTime;\\nlet EndLearningTime = StartTime + LearningPeriod;\\nlet GitHubCountryCodeLogs = (GitHubAudit\\n| where Country != \\\"\\\");\\n GitHubCountryCodeLogs\\n| where TimeGenerated between (ago(EndLearningTime) .. ago(StartTime))\\n| summarize makeset(Country) by Actor\\n| join kind=innerunique (\\n GitHubCountryCodeLogs\\n | where TimeGenerated between (ago(StartTime) .. ago(EndRunTime))\\n | distinct Country, Actor, TimeGenerated\\n) on Actor \\n| where set_Country !contains Country\\n| extend AccountCustomEntity = Actor , timestamp = TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"GitHub Activites from a New Country\",\"description\":\"Detect activities from a location that was not recently or was never visited by the user or by any user in your organization.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/40ba9493-4183-4eee-974f-87fe39c8f267\",\"name\":\"40ba9493-4183-4eee-974f-87fe39c8f267\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Azure Advanced Threat Protection\",\"displayName\":\"Create incidents based on Microsoft Defender for Identity alerts\",\"description\":\"Create incidents based on all alerts generated in Microsoft Defender for Identity\",\"lastUpdatedDateUTC\":\"2019-07-16T00:00:00Z\",\"createdDateUTC\":\"2019-07-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert (AATP)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4b11568b-3f5f-4ba1-80c8-7f1dc8390eb7\",\"name\":\"4b11568b-3f5f-4ba1-80c8-7f1dc8390eb7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let threshold = 50;\\nlet szSharePointFileOperation = \\\"SharePointFileOperation\\\";\\nlet szOperations = dynamic([\\\"FileDownloaded\\\", \\\"FileUploaded\\\"]);\\nlet starttime = 14d;\\nlet endtime = 1d;\\nlet historicalActivity =\\nOfficeActivity\\n| where TimeGenerated between(ago(starttime)..ago(endtime))\\n| where RecordType =~ szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| summarize historicalCount = count() by ClientIP, RecordType, Operation;\\nlet recentActivity = OfficeActivity\\n| where TimeGenerated \u003e ago(endtime)\\n| where RecordType =~ szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| summarize min(Start_Time), max(Start_Time), recentCount = count() by ClientIP, RecordType, Operation;\\nlet RareIP = recentActivity | join kind= leftanti ( historicalActivity ) on ClientIP, RecordType, Operation\\n// More than 50 downloads/uploads from a new IP\\n| where recentCount \u003e threshold;\\nOfficeActivity \\n| where TimeGenerated \u003e= ago(endtime) \\n| where RecordType =~ szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| join kind= inner (RareIP) on ClientIP, RecordType, Operation\\n| where Start_Time between(min_Start_Time .. max_Start_Time)\\n| summarize StartTimeUtc = min(min_Start_Time), EndTimeUtc = max(max_Start_Time) by RecordType, Operation, UserType, UserId, ClientIP, OfficeWorkload, Site_Url, OfficeObjectId, UserAgent, IPSeenCount = recentCount\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Site_Url\\n| order by IPSeenCount desc, ClientIP asc, Operation asc, UserId asc\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"SharePointFileOperation via previously unseen IPs\",\"description\":\"Identifies when the volume of documents uploaded to or downloaded from Sharepoint by new IP addresses\\nexceeds a threshold (default is 50).\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-23T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4a3073ac-7383-48a9-90a8-eb6716183a54\",\"name\":\"4a3073ac-7383-48a9-90a8-eb6716183a54\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let excludeProcs = dynamic([@\\\"\\\\SolarWinds\\\\Orion\\\\APM\\\\APMServiceControl.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\ExportToPDFCmd.Exe\\\", @\\\"\\\\SolarWinds.Credentials\\\\SolarWinds.Credentials.Orion.WebApi.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\Topology\\\\SolarWinds.Orion.Topology.Calculator.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\Database-Maint.exe\\\", @\\\"\\\\SolarWinds.Orion.ApiPoller.Service\\\\SolarWinds.Orion.ApiPoller.Service.exe\\\", @\\\"\\\\Windows\\\\SysWOW64\\\\WerFault.exe\\\"]);\\nDeviceProcessEvents\\n| where InitiatingProcessFileName =~ \\\"solarwinds.businesslayerhost.exe\\\"\\n| where not(FolderPath has_any (excludeProcs))\\n| extend\\n timestamp = TimeGenerated,\\n AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName),\\n HostCustomEntity = DeviceName,\\n AlgorithmCustomEntity = \\\"MD5\\\",\\n FileHashCustomEntity = MD5\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Execution\",\"Persistence\"],\"displayName\":\"SUNBURST suspicious SolarWinds child processes\",\"description\":\"Identifies suspicious child processes of SolarWinds.Orion.Core.BusinessLayer.dll that may be evidence of the SUNBURST backdoor\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\",\"lastUpdatedDateUTC\":\"2022-02-01T00:00:00Z\",\"createdDateUTC\":\"2020-12-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d1aba9a3-5ab1-45ef-8ed4-da57dc3c0d32\",\"name\":\"d1aba9a3-5ab1-45ef-8ed4-da57dc3c0d32\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT30M\",\"queryPeriod\":\"PT30M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let lbtime = 30m;\\nlet msgthreshold = 3;\\nlet msgszthreshold = 3000000;\\nProofpointPOD\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027outbound\u0027\\n| where NetworkBytes \u003e msgszthreshold\\n| summarize count() by SrcUserUpn, DstUserUpn\\n| where count_ \u003e msgthreshold\\n| extend AccountCustomEntity = SrcUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"ProofpointPOD - Multiple large emails to the same recipient\",\"description\":\"Detects when multiple emails with large size where sent to the same recipient.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6dd2629c-534b-4275-8201-d7968b4fa77e\",\"name\":\"6dd2629c-534b-4275-8201-d7968b4fa77e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"SecurityEvent\\n| where EventID == 4657\\n| extend EventData = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, TargetAccount, Computer, EventSourceName, Channel, Task, Level, EventID, Activity, TargetLogonId, SourceComputerId, EventOriginId, Type, _ResourceId, TenantId, SourceSystem, ManagementGroupName, IpAddress, Account)\\n| extend ObjectName = column_ifexists(\u0027ObjectName\u0027, \\\"\\\"), OperationType = column_ifexists(\u0027OperationType\u0027, \\\"\\\"), ObjectValueName = column_ifexists(\u0027ObjectValueName\u0027, \\\"\\\")\\n| where ObjectName has \u0027Schedule\\\\\\\\TaskCache\\\\\\\\Tree\u0027 and ObjectValueName == \\\"SD\\\" and OperationType == \\\"%%1906\\\" // %%1906 - Registry value deleted\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Scheduled Task Hide\",\"description\":\"This query detects attempts by malware to hide the scheduled task by deleting the SD (Security Descriptor) value. Removal of SD value results in the scheduled task disappearing from schtasks /query and Task Scheduler.\\n The query requires auditing to be turned on for HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tree registry hive as well as audit policy for registry auditing to be turned on.\\n Reference: https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/\\n Reference: https://4sysops.com/archives/audit-changes-in-the-windows-registry/\",\"lastUpdatedDateUTC\":\"2022-04-12T00:00:00Z\",\"createdDateUTC\":\"2022-04-12T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3f0c20d5-6228-48ef-92f3-9ff7822c1954\",\"name\":\"3f0c20d5-6228-48ef-92f3-9ff7822c1954\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"AlertPerResult\"},\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let threatCategory=\\\"Hacking Tool\\\";\\nlet knownUserAgentsIndicators = materialize(externaldata(UserAgent:string, Category:string)\\n [ @\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/UnusualUserAgents.csv\\\"] \\n with(format=\\\"csv\\\", ignoreFirstRecord=True));\\nlet knownUserAgents=toscalar(knownUserAgentsIndicators | where Category==threatCategory | where isnotempty(UserAgent) | summarize make_list(UserAgent));\\nlet customUserAgents=toscalar(_GetWatchlist(\\\"UnusualUserAgents\\\") | where SearchKey==threatCategory | extend UserAgent=column_ifexists(\\\"UserAgent\\\",\\\"\\\") | where isnotempty(UserAgent) | summarize make_list(UserAgent));\\nlet fullUAList = array_concat(knownUserAgents,customUserAgents);\\n_Im_WebSession(httpuseragent_has_any=fullUAList)\\n| project SrcIpAddr, Url, TimeGenerated,HttpUserAgent, SrcUsername\",\"customDetails\":{\"UserAgent\":\"HttpUserAgent\"},\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"SrcUsername\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Host {{SrcIpAddr}} is potentially running a hacking tool\",\"alertDescriptionFormat\":\"The host at address {{SrcIpAddr}} sent an HTTP request to the URL {{Url}} with the HTTP user agent header {{HttpUserAgent}}. This user agent is known to be used by a hacking tool and indicates suspicious activity on the host.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"CommandAndControl\"],\"displayName\":\"A host is potentially running a hacking tool (ASIM Web Session schema)\",\"description\":\"This rule identifies a web request with a user agent header known to belong to a hacking tool. This indicates a hacking tool is used on the host.\u003cbr\u003eYou can add custom hacking tool indicating User-Agent headers using a watchlist, for more information refer to the [UnusualUserAgents Watchlist](https://aka.ms/ASimUnusualUserAgentsWatchlist).\u003cbr\u003e\u003cbr\u003e\\n This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema)\",\"lastUpdatedDateUTC\":\"2022-04-10T00:00:00Z\",\"createdDateUTC\":\"2021-12-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/738702fd-0a66-42c7-8586-e30f0583f8fe\",\"name\":\"738702fd-0a66-42c7-8586-e30f0583f8fe\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"High\",\"query\":\"DeviceEvents\\n| where ActionType has \\\"ExploitGuardNonMicrosoftSignedBlocked\\\"\\n| where InitiatingProcessFileName contains \\\"svchost.exe\\\" and FileName contains \\\"NetSetupSvc.dll\\\"\\n| extend timestamp = TimeGenerated, AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName),\\nHostCustomEntity = DeviceName, FileHashCustomEntity = InitiatingProcessSHA1, FileHashType = \\\"SHA1\\\"\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashType\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Execution\",\"Persistence\",\"DefenseEvasion\"],\"displayName\":\"TEARDROP memory-only dropper\",\"description\":\"Identifies SolarWinds TEARDROP memory-only dropper IOCs in Window\u0027s defender Exploit Guard activity\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2020-12-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a4025a76-6490-4e6b-bb69-d02be4b03f07\",\"name\":\"a4025a76-6490-4e6b-bb69-d02be4b03f07\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n AzureNetworkAnalytics_CL\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n // renaming time column so it is clear the log this came from\\n | extend AzureNetworkAnalytics_CL_TimeGenerated = TimeGenerated\\n // NSG Flow Logs have additional information concat with Public IP, removing onlp Public IP\\n | extend PIPs = split(PublicIPs_s, \u0027|\u0027, 0)\\n | extend PIP = tostring(PIPs[0])\\n)\\non $left.TI_ipEntity == $right.PIP\\n| where AzureNetworkAnalytics_CL_TimeGenerated \u003c ExpirationDateTime\\n| summarize AzureNetworkAnalytics_CL_TimeGenerated = arg_max(AzureNetworkAnalytics_CL_TimeGenerated, *) by IndicatorId, PIP\\n// Set to alert on Allowed NSG Flows from TI Public IP IOC\\n| where FlowStatus_s == \\\"A\\\"\\n| project AzureNetworkAnalytics_CL_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, Computer, FlowDirection_s, FlowStatus_s, FlowType_s, SrcPublicIPs_s, DestPublicIPs_s, PublicIPs_s, L7Protocol_s, DestPort_d, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = AzureNetworkAnalytics_CL_TimeGenerated, IPCustomEntity = TI_ipEntity, HostCustomEntity = Computer, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to AzureNetworkAnalytics_CL (NSG Flow Logs)\",\"description\":\"Identifies a match in AzureNetworkAnalytics_CL (NSG Flow Logs) from any IP IOC from TI that was Allowed\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/968358d6-6af8-49bb-aaa4-187b3067fb95\",\"name\":\"968358d6-6af8-49bb-aaa4-187b3067fb95\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT12H\",\"queryPeriod\":\"PT12H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let successCodes = dynamic([200, 302, 401]);\\nW3CIISLog\\n| where scStatus has_any (successCodes)\\n| where ipv4_is_private(cIP) == False\\n| where csUriStem hasprefix \\\"/autodiscover/autodiscover.json\\\"\\n| project TimeGenerated, cIP, sIP, sSiteName, csUriStem, csUriQuery, Computer, csUserName, _ResourceId, FileUri\\n| where (csUriQuery !has \\\"Protocol\\\" and isnotempty(csUriQuery))\\nor (csUriQuery has_any(\\\"/mapi/\\\", \\\"powershell\\\"))\\nor (csUriQuery contains \\\"@\\\" and csUriQuery matches regex @\\\"\\\\.[a-zA-Z]{2,4}?(?:[a-zA-Z]{2,4}\\\\/)\\\")\\nor (csUriQuery contains \\\":\\\" and csUriQuery matches regex @\\\"\\\\:[0-9]{2,4}\\\\/\\\")\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = cIP, AccountCustomEntity = csUserName, ResourceCustomEntity = _ResourceId, FileCustomEntity = FileUri\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Exchange SSRF Autodiscover ProxyShell - Detection\",\"description\":\"This query looks for suspicious request patterns to Exchange servers that fit patterns recently\\nblogged about by PeterJson. This exploitation chain utilises an SSRF vulnerability in Exchange\\nwhich eventually allows the attacker to execute arbitrary Powershell on the server. In the example\\npowershell can be used to write an email to disk with an encoded attachment containing a shell.\\nReference: https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-08-09T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/999e9f5d-db4a-4b07-a206-29c4e667b7e8\",\"name\":\"999e9f5d-db4a-4b07-a206-29c4e667b7e8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Medium\",\"query\":\"let HAS_ANY_MAX = 10000;\\nlet dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet DomainTIs= ThreatIntelligenceIndicator\\n | where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n // Picking up only IOC\u0027s that contain the entities we want\\n | where isnotempty(DomainName)\\n | where Active == true\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId;\\nlet Domains = DomainTIs | where isnotempty(DomainName) |summarize NDomains=dcount(DomainName), DomainsList=make_set(DomainName) \\n | project DomainList = iff(NDomains \u003e HAS_ANY_MAX, dynamic([]), DomainsList) ;\\nDomainTIs\\n | join (\\n _Im_Dns(starttime=ago(dt_lookBack), domain_has_any=toscalar(Domains))\\n | extend DNS_TimeGenerated = TimeGenerated\\n) on $left.DomainName==$right.DnsQuery\\n| where DNS_TimeGenerated \u003c ExpirationDateTime\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, DNS_TimeGenerated, Dvc, SrcIpAddr, DnsQuery, DnsQueryType\\n| extend timestamp = DNS_TimeGenerated, HostCustomEntity = Dvc, IPCustomEntity = SrcIpAddr, URLCustomEntity = Url\",\"customDetails\":{\"LatestIndicatorTime\":\"LatestIndicatorTime\",\"Description\":\"Description\",\"ActivityGroupNames\":\"ActivityGroupNames\",\"IndicatorId\":\"IndicatorId\",\"ThreatType\":\"ThreatType\",\"ExpirationDateTime\":\"ExpirationDateTime\",\"ConfidenceScore\":\"ConfidenceScore\",\"DNSRequestTime\":\"DNS_TimeGenerated\",\"SourceIPAddress\":\"SrcIpAddr\",\"DnsQuery\":\"DnsQuery\",\"QueryType\":\"DnsQueryType\"},\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"(Preview) TI map Domain entity to Dns Events (ASIM DNS Schema)\",\"description\":\"Identifies a match in DNS events from any Domain IOC from TI\\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema\",\"lastUpdatedDateUTC\":\"2022-04-27T00:00:00Z\",\"createdDateUTC\":\"2021-09-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f2dd4a3a-ebac-4994-9499-1a859938c947\",\"name\":\"f2dd4a3a-ebac-4994-9499-1a859938c947\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":1,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet scorethreshold = 5;\\nlet bytessentperhourthreshold = 10;\\nlet TimeSeriesData = (union isfuzzy=true\\n(\\nVMConnection\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where isnotempty(DestinationIp) and isnotempty(SourceIp)\\n| extend SourceIP = SourceIp, DestinationIP = DestinationIp\\n| where ipv4_is_private(DestinationIP) == false\\n| extend DeviceVendor = \\\"VMConnection\\\"\\n| project TimeGenerated, BytesSent, DeviceVendor\\n| make-series TotalBytesSent=sum(BytesSent) on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by DeviceVendor\\n),\\n(\\nCommonSecurityLog\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\\n| where ipv4_is_private(DestinationIP) == false\\n| project TimeGenerated, SentBytes, DeviceVendor\\n| make-series TotalBytesSent=sum(SentBytes) on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by DeviceVendor\\n)\\n);\\n//Filter anomolies against TimeSeriesData\\nlet TimeSeriesAlerts = materialize(TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(TotalBytesSent, scorethreshold, -1, \u0027linefit\u0027)\\n| mv-expand TotalBytesSent to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double),score to typeof(double), baseline to typeof(long)\\n| where anomalies \u003e 0 | extend AnomalyHour = TimeGenerated\\n| extend TotalBytesSentinMBperHour = round(((TotalBytesSent / 1024)/1024),2), baselinebytessentperHour = round(((baseline / 1024)/1024),2), score = round(score,2)\\n| project DeviceVendor, AnomalyHour, TimeGenerated, TotalBytesSentinMBperHour, baselinebytessentperHour, anomalies, score);\\nlet AnomalyHours = materialize(TimeSeriesAlerts | where TimeGenerated \u003e ago(2d) | project TimeGenerated);\\n//Union of all BaseLogs aggregated per hour\\nlet BaseLogs = (union isfuzzy=true\\n(\\nCommonSecurityLog\\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\\n| where TimeGenerated \u003e ago(2d)\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n| where ipv4_is_private(DestinationIP) == false\\n| extend SentBytesinMB = ((SentBytes / 1024)/1024), ReceivedBytesinMB = ((ReceivedBytes / 1024)/1024)\\n| summarize HourlyCount = count(), TimeGeneratedMax=arg_max(TimeGenerated, *), DestinationIPList=make_set(DestinationIP, 100), DestinationPortList = make_set(DestinationPort,100), TotalSentBytesinMB = sum(SentBytesinMB), TotalReceivedBytesinMB = sum(ReceivedBytesinMB) by SourceIP, DeviceVendor, TimeGeneratedHour=bin(TimeGenerated,1h)\\n| where TotalSentBytesinMB \u003e bytessentperhourthreshold\\n| sort by TimeGeneratedHour asc, TotalSentBytesinMB desc\\n| extend Rank=row_number(1, prev(TimeGeneratedHour) != TimeGeneratedHour) // Ranking the dataset per Hourly Partition\\n| where Rank \u003c 10 // Selecting Top 10 records with Highest BytesSent in each Hour\\n| project DeviceVendor, TimeGeneratedHour, TimeGeneratedMax, SourceIP, DestinationIPList, DestinationPortList, TotalSentBytesinMB, TotalReceivedBytesinMB, Rank\\n),\\n(\\nVMConnection\\n| where isnotempty(DestinationIp) and isnotempty(SourceIp)\\n| where TimeGenerated \u003e ago(2d)\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n| extend SourceIP = SourceIp, DestinationIP = DestinationIp\\n| where ipv4_is_private(DestinationIP) == false | extend DeviceVendor = \\\"VMConnection\\\"\\n| extend SentBytesinMB = ((BytesSent / 1024)/1024), ReceivedBytesinMB = ((BytesReceived / 1024)/1024)\\n| summarize HourlyCount = count(),TimeGeneratedMax=arg_max(TimeGenerated, *), DestinationIPList=make_set(DestinationIP, 100), DestinationPortList = make_set(DestinationPort, 100), TotalSentBytesinMB = sum(SentBytesinMB),TotalReceivedBytesinMB = sum(ReceivedBytesinMB) by SourceIP, DeviceVendor, TimeGeneratedHour=bin(TimeGenerated,1h)\\n| where TotalSentBytesinMB \u003e bytessentperhourthreshold\\n| sort by TimeGeneratedHour asc, TotalSentBytesinMB desc\\n| extend Rank=row_number(1, prev(TimeGeneratedHour) != TimeGeneratedHour) // Ranking the dataset per Hourly Partition\\n| where Rank \u003c 10 // Selecting Top 10 records with Highest BytesSent in each Hour\\n| project DeviceVendor, TimeGeneratedHour, TimeGeneratedMax, SourceIP, DestinationIPList, DestinationPortList, TotalSentBytesinMB, TotalReceivedBytesinMB, Rank\\n)\\n);\\n// Join against base logs to retrive records associated with the hour of anomoly\\nTimeSeriesAlerts\\n| where TimeGenerated \u003e ago(2d)\\n| join (\\n BaseLogs | extend AnomalyHour = TimeGeneratedHour\\n) on DeviceVendor, AnomalyHour | sort by score desc\\n| project DeviceVendor, AnomalyHour,TimeGeneratedMax, SourceIP, DestinationIPList, DestinationPortList, TotalSentBytesinMB, TotalReceivedBytesinMB, TotalBytesSentinMBperHour, baselinebytessentperHour, score, anomalies\\n| summarize EventCount = count(), StartTimeUtc= min(TimeGeneratedMax), EndTimeUtc= max(TimeGeneratedMax), SourceIPMax= arg_max(SourceIP,*), TotalBytesSentinMB = sum(TotalSentBytesinMB), TotalBytesReceivedinMB = sum(TotalReceivedBytesinMB), SourceIPList = make_set(SourceIP, 100), DestinationIPList = make_set(DestinationIPList, 100) by AnomalyHour,TotalBytesSentinMBperHour, baselinebytessentperHour, score, anomalies\\n| project DeviceVendor, AnomalyHour, StartTimeUtc, EndTimeUtc, SourceIPMax, SourceIPList, DestinationIPList, DestinationPortList, TotalBytesSentinMB, TotalBytesReceivedinMB, TotalBytesSentinMBperHour, baselinebytessentperHour, score, anomalies, EventCount\\n| extend timestamp =EndTimeUtc, IPCustomEntity = SourceIPMax\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"Time series anomaly for data size transferred to public internet\",\"description\":\"Identifies anomalous data transfer to public networks. The query leverages built-in KQL anomaly detection algorithms that detects large deviations from a baseline pattern.\\nA sudden increase in data transferred to unknown public networks is an indication of data exfiltration attempts and should be investigated.\\nThe higher the score, the further it is from the baseline value.\\nThe output is aggregated to provide summary view of unique source IP to destination IP address and port bytes sent traffic observed in the flagged anomaly hour.\\nThe source IP addresses which were sending less than bytessentperhourthreshold have been exluded whose value can be adjusted as needed .\\nYou may have to run queries for individual source IP addresses from SourceIPlist to determine if anything looks suspicious\",\"lastUpdatedDateUTC\":\"2022-03-24T00:00:00Z\",\"createdDateUTC\":\"2019-05-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/06bbf969-fcbe-43fa-bac2-b2fa131d113a\",\"name\":\"06bbf969-fcbe-43fa-bac2-b2fa131d113a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"// ADHealth Monitoring Agent Registry Key\\nlet aadHealthMonAgentRegKey = \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\MicrosoftOnline\\\\\\\\Reporting\\\\\\\\MonitoringAgent\\\";\\n// Filter out known processes\\nlet aadConnectHealthProcs = dynamic ([\\n \u0027Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe\u0027,\\n \u0027Microsoft.Identity.Health.Adfs.InsightsService.exe\u0027,\\n \u0027Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe\u0027,\\n \u0027Microsoft.Identity.Health.Adfs.PshSurrogate.exe\u0027,\\n \u0027Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe\u0027,\\n \u0027Microsoft.Identity.Health.AadSync.MonitoringAgent.Startup.exe\u0027,\\n \u0027Microsoft.Identity.AadConnect.Health.AadSync.Host.exe\u0027,\\n \u0027Microsoft.Azure.ActiveDirectory.Synchronization.Upgrader.exe\u0027,\\n \u0027miiserver.exe\u0027\\n]);\\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where EventID == \u00274656\u0027\\n| where EventData has aadHealthMonAgentRegKey\\n| extend EventData = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Computer, EventID)\\n| extend ObjectName = column_ifexists(\\\"ObjectName\\\", \\\"\\\"),\\n ObjectType = column_ifexists(\\\"ObjectType\\\", \\\"\\\")\\n| where ObjectType == \u0027Key\u0027\\n| where ObjectName == aadHealthMonAgentRegKey\\n| extend SubjectUserName = column_ifexists(\\\"SubjectUserName\\\", \\\"\\\"),\\n SubjectDomainName = column_ifexists(\\\"SubjectDomainName\\\", \\\"\\\"),\\n ProcessName = column_ifexists(\\\"ProcessName\\\", \\\"\\\")\\n| extend Process = split(ProcessName, \u0027\\\\\\\\\u0027, -1)[-1],\\n Account = strcat(SubjectDomainName, \\\"\\\\\\\\\\\", SubjectUserName)\\n| where Process !in (aadConnectHealthProcs)\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by EventID, Account, Computer, Process, SubjectUserName, SubjectDomainName, ObjectName, ObjectType, ProcessName\\n),\\n ( WindowsEvent\\n| where EventID == \u00274656\u0027 and EventData has aadHealthMonAgentRegKey\\n| extend ObjectType = tostring(EventData.ObjectType)\\n| where ObjectType == \u0027Key\u0027\\n| extend ObjectName = tostring(EventData.ObjectName)\\n| where ObjectName == aadHealthMonAgentRegKey\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| extend Process = tostring(split(ProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where Process !in (aadConnectHealthProcs)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName)\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by EventID, Account, Computer, Process, SubjectUserName, SubjectDomainName, ObjectName, ObjectType, ProcessName\\n),\\n(\\nSecurityEvent\\n| where EventID == \u00274663\u0027\\n| where ObjectType == \u0027Key\u0027\\n| where ObjectName == aadHealthMonAgentRegKey\\n| extend Process = tostring(split(ProcessName, \u0027\\\\\\\\\u0027, -1)[-1])\\n| where Process !in (aadConnectHealthProcs)\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by EventID, Account, Computer, Process, SubjectUserName, SubjectDomainName, ObjectName, ObjectType, ProcessName\\n),\\n( WindowsEvent\\n| where EventID == \u00274663\u0027 and EventData has aadHealthMonAgentRegKey\\n| extend ObjectType = tostring(EventData.ObjectType)\\n| where ObjectType == \u0027Key\u0027\\n| extend ObjectName = tostring(EventData.ObjectName)\\n| where ObjectName == aadHealthMonAgentRegKey\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| extend Process = tostring(split(ProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where Process !in (aadConnectHealthProcs)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName)\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by EventID, Account, Computer, Process, SubjectUserName, SubjectDomainName, ObjectName, ObjectType, ProcessName\\n)\\n)\\n// You can filter out potential machine accounts\\n//| where AccountType != \u0027Machine\u0027\\n| extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Collection\"],\"displayName\":\"Azure AD Health Service Agents Registry Keys Access\",\"description\":\"This detection uses Windows security events to detect suspicious access attempts to the registry key values and sub-keys of Azure AD Health service agents (e.g AD FS).\\nInformation from AD Health service agents can be used to potentially abuse some of the features provided by those services in the cloud (e.g. Federation).\\nThis detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object: HKLM:\\\\SOFTWARE\\\\Microsoft\\\\ADHealthAgent.\\nMake sure you set the SACL to propagate to its sub-keys. You can find more information in here https://github.com/OTRF/Set-AuditRule/blob/master/rules/registry/aad_connect_health_service_agent.yml\\n\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-08-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a35f2c18-1b97-458f-ad26-e033af18eb99\",\"name\":\"a35f2c18-1b97-458f-ad26-e033af18eb99\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.2\",\"severity\":\"Low\",\"query\":\"// For AD SID mappings - https://docs.microsoft.com/windows/security/identity-protection/access-control/active-directory-security-groups\\nlet WellKnownLocalSID = \\\"S-1-5-32-5[0-9][0-9]$\\\";\\nlet WellKnownGroupSID = \\\"S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\\\";\\nunion isfuzzy=true \\n(\\nSecurityEvent \\n// When MemberName contains \u0027-\u0027 this indicates addition of a group to a group\\n| where AccountType == \\\"User\\\" and MemberName != \\\"-\\\"\\n// 4728 - A member was added to a security-enabled global group\\n// 4732 - A member was added to a security-enabled local group\\n// 4756 - A member was added to a security-enabled universal group\\n| where EventID in (4728, 4732, 4756) \\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID\\n// Exclude Remote Desktop Users group: S-1-5-32-555\\n| where TargetSid !in (\\\"S-1-5-32-555\\\")\\n| extend SimpleMemberName = substring(MemberName, 3, indexof_regex(MemberName, @\\\",OU|,CN\\\") - 3)\\n| project TimeGenerated, EventID, Activity, Computer, SimpleMemberName, MemberName, MemberSid, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectUserName, SubjectUserSid\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SimpleMemberName, HostCustomEntity = Computer\\n),\\n(\\nWindowsEvent \\n// 4728 - A member was added to a security-enabled global group\\n// 4732 - A member was added to a security-enabled local group\\n// 4756 - A member was added to a security-enabled universal group\\n| where EventID in (4728, 4732, 4756) and not(EventData has \\\"S-1-5-32-555\\\")\\n| extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend AccountType=case(Account endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n| extend MemberName = tostring(EventData.MemberName)\\n// When MemberName contains \u0027-\u0027 this indicates addition of a group to a group\\n| where AccountType == \\\"User\\\" and MemberName != \\\"-\\\"\\n| extend TargetSid = tostring(EventData.TargetSid)\\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID\\n// Exclude Remote Desktop Users group: S-1-5-32-555\\n| where TargetSid !in (\\\"S-1-5-32-555\\\")\\n| extend SimpleMemberName = substring(MemberName, 3, indexof_regex(MemberName, @\\\",OU|,CN\\\") - 3)\\n| extend MemberSid = tostring(EventData.MemberSid)\\n| extend TargetUserName = tostring(EventData.TargetUserName)\\n| extend TargetDomainName = tostring(EventData.TargetDomainName)\\n| extend UserPrincipalName = tostring(EventData.UserPrincipalName)\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| project TimeGenerated, EventID, Computer, SimpleMemberName, MemberName, MemberSid, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectUserName, SubjectUserSid\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SimpleMemberName, HostCustomEntity = Computer\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"User account added to built in domain local or global group\",\"description\":\"Identifies when a user account has been added to a privileged built in domain local group or global group \\nsuch as the Enterprise Admins, Cert Publishers or DnsAdmins. Be sure to verify this is an expected addition.\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2019-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2acc91c3-17c2-4388-938e-4eac2d5894e8\",\"name\":\"2acc91c3-17c2-4388-938e-4eac2d5894e8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"W3CIISLog\\n| where csMethod == \u0027GET\u0027\\n| where isnotempty(csUriStem) and isnotempty(csUriQuery)\\n| where csUriStem contains \\\"logoimagehandler.ashx\\\"\\n| where csUriQuery contains \\\"codes\\\" and csUriQuery contains \\\"clazz\\\" and csUriQuery contains \\\"method\\\" and csUriQuery contains \\\"args\\\"\\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"CommandAndControl\"],\"displayName\":\"SUPERNOVA webshell\",\"description\":\"Identifies SUPERNOVA webshell based on W3CIISLog data.\\n References:\\n - https://unit42.paloaltonetworks.com/solarstorm-supernova/\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2021-01-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/223db5c1-1bf8-47d8-8806-bed401b356a4\",\"name\":\"223db5c1-1bf8-47d8-8806-bed401b356a4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Low\",\"query\":\"let timeRange = 1d;\\nlet lookBack = 7d;\\nlet threshold_Failed = 5;\\nlet threshold_FailedwithSingleIP = 20;\\nlet threshold_IPAddressCount = 2;\\nlet isGUID = \\\"[0-9a-z]{8}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{12}\\\";\\nlet aadFunc = (tableName:string){\\nlet azPortalSignins = materialize(table(tableName)\\n| where TimeGenerated \u003e= ago(lookBack)\\n// Azure Portal only\\n| where AppDisplayName =~ \\\"Azure Portal\\\")\\n;\\nlet successPortalSignins = azPortalSignins\\n| where TimeGenerated \u003e= ago(timeRange)\\n// Azure Portal only and exclude non-failure Result Types\\n| where ResultType in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n// Tagging identities not resolved to friendly names\\n//| extend Unresolved = iff(Identity matches regex isGUID, true, false)\\n| distinct TimeGenerated, UserPrincipalName\\n;\\nlet failPortalSignins = azPortalSignins\\n| where TimeGenerated \u003e= ago(timeRange)\\n// Azure Portal only and exclude non-failure Result Types\\n| where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\", \\\"70044\\\", \\\"70043\\\")\\n// Tagging identities not resolved to friendly names\\n| extend Unresolved = iff(Identity matches regex isGUID, true, false)\\n;\\n// Verify there is no success for the same connection attempt after the fail\\nlet failnoSuccess = failPortalSignins | join kind= leftouter (\\n successPortalSignins \\n) on UserPrincipalName\\n| where TimeGenerated \u003e TimeGenerated1 or isempty(TimeGenerated1)\\n| project-away TimeGenerated1, UserPrincipalName1\\n;\\n// Lookup up resolved identities from last 7 days\\nlet identityLookup = azPortalSignins\\n| where TimeGenerated \u003e= ago(lookBack)\\n| where not(Identity matches regex isGUID)\\n| summarize by UserId, lu_UserDisplayName = UserDisplayName, lu_UserPrincipalName = UserPrincipalName;\\n// Join resolved names to unresolved list from portal signins\\nlet unresolvedNames = failnoSuccess | where Unresolved == true | join kind= inner (\\n identityLookup \\n) on UserId\\n| extend UserDisplayName = lu_UserDisplayName, UserPrincipalName = lu_UserPrincipalName\\n| project-away lu_UserDisplayName, lu_UserPrincipalName;\\n// Join Signins that had resolved names with list of unresolved that now have a resolved name\\nlet u_azPortalSignins = failnoSuccess | where Unresolved == false | union unresolvedNames;\\nu_azPortalSignins\\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n| extend Status = strcat(ResultType, \\\": \\\", ResultDescription), OS = tostring(DeviceDetail.operatingSystem), Browser = tostring(DeviceDetail.browser)\\n| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion)\\n| extend FullLocation = strcat(Region,\u0027|\u0027, State, \u0027|\u0027, City)\\n| summarize TimeGenerated = makelist(TimeGenerated), Status = makelist(Status), IPAddresses = makelist(IPAddress), IPAddressCount = dcount(IPAddress), FailedLogonCount = count()\\nby UserPrincipalName, UserId, UserDisplayName, AppDisplayName, Browser, OS, FullLocation, Type\\n| mvexpand TimeGenerated, IPAddresses, Status\\n| extend TimeGenerated = todatetime(tostring(TimeGenerated)), IPAddress = tostring(IPAddresses), Status = tostring(Status)\\n| project-away IPAddresses\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserPrincipalName, UserId, UserDisplayName, Status, FailedLogonCount, IPAddress, IPAddressCount, AppDisplayName, Browser, OS, FullLocation, Type\\n| where (IPAddressCount \u003e= threshold_IPAddressCount and FailedLogonCount \u003e= threshold_Failed) or FailedLogonCount \u003e= threshold_FailedwithSingleIP\\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Failed login attempts to Azure Portal\",\"description\":\"Identifies failed login attempts in the Azure Active Directory SigninLogs to the Azure Portal. Many failed logon \\nattempts or some failed logon attempts from multiple IPs could indicate a potential brute force attack. \\nThe following are excluded due to success and non-failure results:\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n0 - successful logon\\n50125 - Sign-in was interrupted due to a password reset or password registration entry.\\n50140 - This error occurred due to \u0027Keep me signed in\u0027 interrupt when the user was signing-in.\",\"lastUpdatedDateUTC\":\"2022-04-21T00:00:00Z\",\"createdDateUTC\":\"2019-02-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/acc4c247-aaf7-494b-b5da-17f18863878a\",\"name\":\"acc4c247-aaf7-494b-b5da-17f18863878a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"Medium\",\"query\":\"let queryfrequency = 1h;\\nlet queryperiod = 1d;\\nAuditLogs\\n| where TimeGenerated \u003e ago(queryperiod)\\n| where OperationName in (\\\"Invite external user\\\", \\\"Bulk invite users - started (bulk)\\\", \\\"Invite external user with reset invitation status\\\")\\n| extend InitiatedBy = iff(isnotempty(InitiatedBy.user.userPrincipalName), InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName)\\n// Uncomment the following line to filter events where the inviting user was a guest user\\n//| where InitiatedBy has_any (\\\"live.com#\\\", \\\"#EXT#\\\")\\n| extend InvitedUser = TargetResources[0].userPrincipalName\\n| mv-expand UserToCompare = pack_array(InitiatedBy, InvitedUser) to typeof(string)\\n| where UserToCompare has_any (\\\"live.com#\\\", \\\"#EXT#\\\")\\n| extend\\n parsedUser = replace_string(tolower(iff(UserToCompare startswith \\\"live.com#\\\", tostring(split(UserToCompare, \\\"#\\\")[1]), tostring(split(UserToCompare, \\\"#EXT#\\\")[0]))), \\\"@\\\", \\\"_\\\"),\\n InvitationTime = TimeGenerated\\n| join (\\n (union isfuzzy=true SigninLogs, AADNonInteractiveUserSignInLogs)\\n | where TimeGenerated \u003e ago(queryfrequency)\\n | where UserType != \\\"Member\\\"\\n | where AppId has_any\\n (\\\"1b730954-1685-4b74-9bfd-dac224a7b894\\\",// Azure Active Directory PowerShell\\n \\\"04b07795-8ddb-461a-bbee-02f9e1bf7b46\\\",// Microsoft Azure CLI\\n \\\"1950a258-227b-4e31-a9cf-717495945fc2\\\",// Microsoft Azure PowerShell\\n \\\"a0c73c16-a7e3-4564-9a95-2bdf47383716\\\",// Microsoft Exchange Online Remote PowerShell\\n \\\"fb78d390-0c51-40cd-8e17-fdbfab77341b\\\",// Microsoft Exchange REST API Based Powershell\\n \\\"d1ddf0e4-d672-4dae-b554-9d5bdfd93547\\\",// Microsoft Intune PowerShell\\n \\\"9bc3ab49-b65d-410a-85ad-de819febfddc\\\",// Microsoft SharePoint Online Management Shell\\n \\\"12128f48-ec9e-42f0-b203-ea49fb6af367\\\",// MS Teams Powershell Cmdlets\\n \\\"23d8f6bd-1eb0-4cc2-a08c-7bf525c67bcd\\\",// Power BI PowerShell\\n \\\"31359c7f-bd7e-475c-86db-fdb8c937548e\\\",// PnP Management Shell\\n \\\"90f610bf-206d-4950-b61d-37fa6fd1b224\\\" // Aadrm Admin Powershell\\n )\\n | summarize arg_min(TimeGenerated, *) by UserPrincipalName\\n | extend\\n parsedUser = replace_string(UserPrincipalName, \\\"@\\\", \\\"_\\\"),\\n SigninTime = TimeGenerated\\n )\\n on parsedUser\\n| project InvitationTime, InitiatedBy, OperationName, InvitedUser, SigninTime, SigninCategory = Category1, SigninUserPrincipalName = UserPrincipalName, IPAddress, AppDisplayName, ResourceDisplayName, UserAgent, InvitationAdditionalDetails = AdditionalDetails, InvitationTargetResources = TargetResources\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InvitedUser\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatedBy\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]}],\"tactics\":[\"InitialAccess\",\"Persistence\",\"Discovery\"],\"displayName\":\"External guest invitation followed by Azure AD PowerShell signin\",\"description\":\"By default guests have capability to invite more external guest users, guests also can do suspicious Azure AD enumeration. This detection look at guests\\nusers, who have been invited or have invited recently, who also are logging via various PowerShell CLI.\\nRef : \u0027https://danielchronlund.com/2021/11/18/scary-azure-ad-tenant-enumeration-using-regular-b2b-guest-accounts/\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2021-11-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3af9285d-bb98-4a35-ad29-5ea39ba0c628\",\"name\":\"3af9285d-bb98-4a35-ad29-5ea39ba0c628\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let threshold = 1;\\nlet aadFunc = (tableName:string){\\ntable(tableName)\\n| where ConditionalAccessStatus == 1 or ConditionalAccessStatus =~ \\\"failure\\\"\\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\\n| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion) \\n| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\n| extend ConditionalAccessPolicies = todynamic(ConditionalAccessPolicies)\\n| extend ConditionalAccessPol0Name = tostring(ConditionalAccessPolicies[0].displayName)\\n| extend ConditionalAccessPol1Name = tostring(ConditionalAccessPolicies[1].displayName)\\n| extend ConditionalAccessPol2Name = tostring(ConditionalAccessPolicies[2].displayName)\\n| extend Status = strcat(StatusCode, \\\": \\\", ResultDescription) \\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), Status = make_list(Status), StatusDetails = make_list(StatusDetails), IPAddresses = make_list(IPAddress), IPAddressCount = dcount(IPAddress), CorrelationIds = make_list(CorrelationId) \\nby UserPrincipalName, AppDisplayName, tostring(Browser), tostring(OS), City, State, Region, ConditionalAccessPol0Name, ConditionalAccessPol1Name, ConditionalAccessPol2Name, Type\\n| where IPAddressCount \u003e threshold and StatusDetails !has \\\"MFA successfully completed\\\"\\n| mvexpand IPAddresses, Status, StatusDetails, CorrelationIds\\n| extend Status = strcat(Status, \\\" \\\", StatusDetails)\\n| summarize IPAddresses = make_set(IPAddresses), Status = make_set(Status), CorrelationIds = make_set(CorrelationIds) \\nby StartTime, EndTime, UserPrincipalName, AppDisplayName, tostring(Browser), tostring(OS), City, State, Region, ConditionalAccessPol0Name, ConditionalAccessPol1Name, ConditionalAccessPol2Name, IPAddressCount, Type\\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = tostring(IPAddresses)\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"Persistence\"],\"displayName\":\"Attempt to bypass conditional access rule in Azure AD\",\"description\":\"Identifies an attempt to Bypass conditional access rule(s) in Azure Active Directory.\\nThe ConditionalAccessStatus column value details if there was an attempt to bypass Conditional Access\\nor if the Conditional access rule was not satisfied (ConditionalAccessStatus == 1).\\nReferences: \\nhttps://docs.microsoft.com/azure/active-directory/conditional-access/overview\\nhttps://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins\\nhttps://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\nConditionalAccessStatus == 0 // Success\\nConditionalAccessStatus == 1 // Failure\\nConditionalAccessStatus == 2 // Not Applied\\nConditionalAccessStatus == 3 // unknown\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0b904747-1336-4363-8d84-df2710bfe5e7\",\"name\":\"0b904747-1336-4363-8d84-df2710bfe5e7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n AzureDiagnostics\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where OperationName in (\\\"AzureFirewallApplicationRuleLog\\\", \\\"AzureFirewallNetworkRuleLog\\\")\\n | parse kind=regex flags=U msg_s with Protocol \u0027request from \u0027 SourceHost \u0027to \u0027 DestinationHost @\u0027\\\\.? Action: \u0027 Firewall_Action @\u0027\\\\.\u0027 Rest_msg\\n | extend SourceAddress = extract(@\u0027([\\\\.0-9]+)(:[\\\\.0-9]+)?\u0027, 1, SourceHost)\\n | extend DestinationAddress = extract(@\u0027([\\\\.0-9]+)(:[\\\\.0-9]+)?\u0027, 1, DestinationHost)\\n | extend RemoteIP = case(not(ipv4_is_private(DestinationAddress)), DestinationAddress, not(ipv4_is_private(SourceAddress)), SourceAddress, \\\"\\\")\\n // Traffic that involves a public address, and in case this is the source address then the traffic was not denied\\n | where isnotempty(RemoteIP)\\n | project-rename AzureFirewall_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.RemoteIP\\n| where AzureFirewall_TimeGenerated \u003c ExpirationDateTime\\n| summarize AzureFirewall_TimeGenerated = arg_max(AzureFirewall_TimeGenerated, *) by IndicatorId, RemoteIP\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, DomainName, ExpirationDateTime, ConfidenceScore, AzureFirewall_TimeGenerated,\\nTI_ipEntity, Resource, Category, msg_s, SourceAddress, DestinationAddress, Firewall_Action, Protocol, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = AzureFirewall_TimeGenerated, IPCustomEntity = TI_ipEntity, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to AzureFirewall\",\"description\":\"Identifies a match in AzureFirewall (NetworkRule \u0026 ApplicationRule Logs) from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4ebbb5c2-8802-11ec-a8a3-0242ac120002\",\"name\":\"4ebbb5c2-8802-11ec-a8a3-0242ac120002\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"// Enter a reference list of decoy users (usernames) \\\"Case Sensitive\\\"\\nlet MaliciousServiceArtifacts = dynamic ([\\\"fgexec\\\",\\\"cachedump\\\",\\\"mimikatz\\\",\\\"mimidrv\\\",\\\"wceservice\\\",\\\"pwdump\\\"]);\\nEvent\\n| where Source == \\\"Service Control Manager\\\" and EventID == 7045\\n| parse EventData with * \u0027ServiceName\\\"\u003e\u0027 ServiceName \\\"\u003c\\\" * \u0027ImagePath\\\"\u003e\u0027 ImagePath \\\"\u003c\\\" *\\n| where ServiceName has_any (MaliciousServiceArtifacts) or ImagePath has_any (MaliciousServiceArtifacts)\\n| parse EventData with * \u0027AccountName\\\"\u003e\u0027 AccountName \\\"\u003c\\\" *\\n|summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, ServiceName, ImagePath, AccountName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountName\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"ImagePath\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Credential Dumping Tools - Service Installation\",\"description\":\"This query detects the installation of a Windows service that contains artifacts from credential dumping tools such as Mimikatz.\\nRef: https://blueteamblog.com/darkside-ransomware-operations-preventions-and-detections\",\"lastUpdatedDateUTC\":\"2022-04-22T00:00:00Z\",\"createdDateUTC\":\"2022-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"Event\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/adc32a33-1cd6-46f5-8801-e3ed8337885f\",\"name\":\"adc32a33-1cd6-46f5-8801-e3ed8337885f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"// Add any known allowed sources and source locations to the filter below (the NuGet Gallery has been added here as an example).\\nlet allowed_sources = dynamic([\\\"NuGet Gallery\\\"]);\\nlet allowed_locations = dynamic([\\\"https://api.nuget.org/v3/index.json\\\"]);\\nAzureDevOpsAuditing\\n// Look for feeds created or modified at either the organization or project level\\n| where OperationName matches regex \\\"Artifacts.Feed.(Org|Project).Modify\\\"\\n| where Details has \\\"UpstreamSources, added\\\"\\n| extend FeedName = tostring(Data.FeedName)\\n| extend FeedId = tostring(Data.FeedId)\\n| extend UpstreamsAdded = Data.UpstreamsAdded\\n// As multiple feeds may be added expand these out\\n| mv-expand UpstreamsAdded\\n// Only focus on external feeds\\n| where UpstreamsAdded.UpstreamSourceType !~ \\\"internal\\\"\\n| extend SourceLocation = tostring(UpstreamsAdded.Location)\\n| extend SourceName = tostring(UpstreamsAdded.Name)\\n// Exclude sources and locations in the allow list\\n| where SourceLocation !in (allowed_locations) and SourceName !in (allowed_sources)\\n| extend SourceProtocol = tostring(UpstreamsAdded.Protocol)\\n| extend SourceStatus = tostring(UpstreamsAdded.Status)\\n| project-reorder TimeGenerated, OperationName, ScopeDisplayName, ProjectName, FeedName, SourceName, SourceLocation, SourceProtocol, ActorUPN, UserAgent, IpAddress\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"External Upstream Source Added to Azure DevOps Feed\",\"description\":\"The detection looks for new external sources added to an Azure DevOps feed. An allow list can be customized to explicitly allow known good sources. \\nAn attacker could look to add a malicious feed in order to inject malicious packages into a build pipeline.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/feb0a2fb-ae75-4343-8cbc-ed545f1da289\",\"name\":\"feb0a2fb-ae75-4343-8cbc-ed545f1da289\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let VIPUsers = (IdentityInfo\\n| where AssignedRoles contains \\\"Admin\\\"\\n| summarize by tolower(AccountUPN));\\nAuditLogs\\n| where Category =~ \\\"UserManagement\\\"\\n| where ActivityDisplayName =~ \\\"User registered security info\\\"\\n| where LoggedByService =~ \\\"Authentication Methods\\\"\\n| extend AccountCustomEntity = tostring(TargetResources[0].userPrincipalName), IPCustomEntity = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n| where AccountCustomEntity in (VIPUsers)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Authentication Method Changed for Privileged Account\",\"description\":\"Identifies authentication methods being changed for a privileged account. This could be an indicated of an attacker adding an auth method to the account so they can have continued access.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"BehaviorAnalytics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2937bc6b-7cda-4fba-b452-ea43ba8e835f\",\"name\":\"2937bc6b-7cda-4fba-b452-ea43ba8e835f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n| where EventID == 5136 \\n| parse EventData with * \u0027ObjectClass\\\"\u003e\u0027 ObjectClass \\\"\u003c\\\" *\\n| parse EventData with * \u0027AttributeLDAPDisplayName\\\"\u003e\u0027 AttributeLDAPDisplayName \\\"\u003c\\\" *\\n| where ObjectClass == \\\"computer\\\" and AttributeLDAPDisplayName == \\\"msDS-AllowedToActOnBehalfOfOtherIdentity\\\"\\n| parse EventData with * \u0027ObjectDN\\\"\u003e\u0027 ObjectDN \\\"\u003c\\\" *\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Computer, SubjectAccount, SubjectUserSid, SubjectLogonId, ObjectDN, AttributeLDAPDisplayName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SubjectAccount\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Possible Resource-Based Constrained Delegation Abuse\",\"description\":\"This query identifies Active Directory computer objects modifications that allow an adversary to abuse the Resource-based constrained delegation. \\nThis query checks for event id 5136 that the Object Class field is \\\"computer\\\" and the LDAP Display Name is \\\"msDS-AllowedToActOnBehalfOfOtherIdentity\\\" which is an indicator of Resource-based constrained delegation.\\nRef: https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html\",\"lastUpdatedDateUTC\":\"2022-01-19T00:00:00Z\",\"createdDateUTC\":\"2022-01-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/89e6adbd-612c-4fbe-bc3d-32f81baf3b6c\",\"name\":\"89e6adbd-612c-4fbe-bc3d-32f81baf3b6c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT4H\",\"queryPeriod\":\"PT4H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"// Change to true to monitor for Project Administrator adds to *any* project\\nlet MonitorAllProjects = false;\\n// If MonitorAllProjects is false, trigger only on Project Administrator add for the following projects\\nlet ProjectsToMonitor = dynamic([\u0027\u003cproject_X\u003e\u0027,\u0027\u003cproject_Y\u003e\u0027]);\\nAzureDevOpsAuditing\\n| where Area == \\\"Group\\\" and OperationName == \\\"Group.UpdateGroupMembership.Add\\\"\\n| where Details has \u0027Administrators\u0027\\n| where Details has \\\"was added as a member of group\\\" and (Details endswith \u0027\\\\\\\\Project Administrators\u0027 or Details endswith \u0027\\\\\\\\Project Collection Administrators\u0027)\\n| parse Details with AddedIdentity \u0027 was added as a member of group [\u0027 EntityName \u0027]\\\\\\\\\u0027 GroupName\\n| extend Level = iif(GroupName == \u0027Project Collection Administrators\u0027, \u0027Organization\u0027, \u0027Project\u0027), AddedIdentityId = Data.MemberId\\n| extend Severity = iif(Level == \u0027Organization\u0027, \u0027High\u0027, \u0027Medium\u0027), AlertDetails = strcat(\u0027At \u0027, TimeGenerated, \u0027 UTC \u0027, ActorUPN, \u0027/\u0027, ActorDisplayName, \u0027 added \u0027, AddedIdentity, \u0027 to the \u0027, EntityName, \u0027 \u0027, Level)\\n| where MonitorAllProjects == true or EntityName in (ProjectsToMonitor) or Level == \u0027Organization\u0027\\n| project TimeGenerated, Severity, Adder = ActorUPN, AddedIdentity, AddedIdentityId, AlertDetails, Level, EntityName, GroupName, ActorAuthType = AuthenticationMechanism, \\n ActorIpAddress = IpAddress, ActorUserAgent = UserAgent, RawDetails = Details\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Adder, IPCustomEntity = ActorIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Azure DevOps Administrator Group Monitoring\",\"description\":\"This detection monitors for additions to projects or project collection administration groups in an Azure DevOps Organization.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2020-06-04T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/473d57e6-f787-435c-a16b-b38b51fa9a4b\",\"name\":\"473d57e6-f787-435c-a16b-b38b51fa9a4b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"High\",\"query\":\"let servicelist = dynamic([\u0027Services\\\\\\\\HealthService\u0027, \u0027Services\\\\\\\\Sense\u0027, \u0027Services\\\\\\\\WinDefend\u0027, \u0027Services\\\\\\\\MsSecFlt\u0027, \u0027Services\\\\\\\\DiagTrack\u0027, \u0027Services\\\\\\\\SgrmBroker\u0027, \u0027Services\\\\\\\\SgrmAgent\u0027, \u0027Services\\\\\\\\AATPSensorUpdater\u0027 , \u0027Services\\\\\\\\AATPSensor\u0027, \u0027Services\\\\\\\\mpssvc\u0027]);\\nlet filename = dynamic([\\\"subinacl.exe\\\",\u0027SetACL.exe\u0027]);\\nlet parameters = dynamic ([\u0027/deny=SYSTEM\u0027, \u0027/deny=S-1-5-18\u0027, \u0027/grant=SYSTEM=r\u0027, \u0027/grant=S-1-5-18=r\u0027, \u0027n:SYSTEM;p:READ\u0027, \u0027n1:SYSTEM;ta:remtrst;w:dacl\u0027]);\\nlet FullAccess = dynamic([\u0027A;CI;KA;;;SY\u0027, \u0027A;ID;KA;;;SY\u0027, \u0027A;CIID;KA;;;SY\u0027]);\\nlet ReadAccess = dynamic([\u0027A;CI;KR;;;SY\u0027, \u0027A;ID;KR;;;SY\u0027, \u0027A;CIID;KR;;;SY\u0027]);\\nlet DenyAccess = dynamic([\u0027D;CI;KR;;;SY\u0027, \u0027D;ID;KR;;;SY\u0027, \u0027D;CIID;KR;;;SY\u0027]);\\nlet timeframe = 1d;\\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where EventID == 4670\\n| where ObjectType == \u0027Key\u0027\\n| where ObjectName has_any (servicelist)\\n| parse EventData with * \u0027OldSd\\\"\u003e\u0027 OldSd \\\"\u003c\\\" *\\n| parse EventData with * \u0027NewSd\\\"\u003e\u0027 NewSd \\\"\u003c\\\" *\\n| extend Reason = case( (OldSd has \u0027;;;SY\u0027 and NewSd !has \u0027;;;SY\u0027), \u0027System Account is removed\u0027, (OldSd has_any (FullAccess) and NewSd has_any (ReadAccess)) , \u0027System permission has been changed to read from full access\u0027, (OldSd has_any (FullAccess) and NewSd has_any (DenyAccess)), \u0027System account has been given denied permission\u0027, \u0027None\u0027)\\n| project TimeGenerated, Computer, Account, ProcessName, ProcessId, ObjectName, EventData, Activity, HandleId, SubjectLogonId, OldSd, NewSd , Reason\\n),\\n(\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where EventID == 4688\\n| extend ProcessName = tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where ProcessName in~ (filename) \\n| where CommandLine has_any (servicelist) and CommandLine has_any (parameters)\\n| project TimeGenerated, Computer, Account, AccountDomain, ProcessName, ProcessNameFullPath = NewProcessName, EventID, Activity, CommandLine, EventSourceName, Type\\n),\\n(\\nWindowsEvent\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where EventID == 4670 and EventData has_any (servicelist) and EventData has \u0027Key\u0027\\n| extend ObjectType = tostring(EventData.ObjectType)\\n| where ObjectType == \u0027Key\u0027\\n| extend ObjectName = tostring(EventData.ObjectName)\\n| where ObjectName has_any (servicelist)\\n| extend OldSd = tostring(EventData.OldSd)\\n| extend NewSd = tostring(EventData.NewSd)\\n| extend Reason = case( (OldSd has \u0027;;;SY\u0027 and NewSd !has \u0027;;;SY\u0027), \u0027System Account is removed\u0027, (OldSd has_any (FullAccess) and NewSd has_any (ReadAccess)) , \u0027System permission has been changed to read from full access\u0027, (OldSd has_any (FullAccess) and NewSd has_any (DenyAccess)), \u0027System account has been given denied permission\u0027, \u0027None\u0027)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| extend ProcessId = tostring(EventData.ProcessId)\\n| extend Activity= \\\"4670 - Permissions on an object were changed.\\\"\\n| extend HandleId = tostring(EventData.HandleId)\\n| extend SubjectLogonId = tostring(EventData.SubjectLogonId)\\n| project TimeGenerated, Computer, Account, ProcessName, ProcessId, ObjectName, EventData, Activity, HandleId, SubjectLogonId, OldSd, NewSd , Reason\\n),\\n(\\nWindowsEvent\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where EventID == 4688 and EventData has_any (filename) and EventData has_any (servicelist) and EventData has_any (parameters)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend ProcessName = tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where ProcessName in~ (filename) \\n| extend CommandLine = tostring(EventData.CommandLine) \\n| where CommandLine has_any (servicelist) and CommandLine has_any (parameters)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend AccountDomain = tostring(EventData.AccountDomain)\\n| extend Activity=\\\"4688 - A new process has been created.\\\"\\n| extend EventSourceName=Provider\\n| project TimeGenerated, Computer, Account, AccountDomain, ProcessName, ProcessNameFullPath = NewProcessName, EventID, Activity, CommandLine, EventSourceName, Type\\n),\\n(\\nDeviceProcessEvents\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where InitiatingProcessFileName in~ (filename) \\n| where InitiatingProcessCommandLine has_any(servicelist) and InitiatingProcessCommandLine has_any (parameters)\\n| extend Account = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName), Computer = DeviceName\\n| project TimeGenerated, Computer, Account, AccountDomain, ProcessName = InitiatingProcessFileName, ProcessNameFullPath = FolderPath, Activity = ActionType, CommandLine = InitiatingProcessCommandLine, Type, InitiatingProcessParentFileName\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Security Service Registry ACL Modification\",\"description\":\"Identifies attempts to modify registry ACL to evade security solutions. In the Solorigate attack, the attackers were found modifying registry permissions so services.exe cannot access the relevant registry keys to start the service.\\n The detection leverages Security Event as well as MDE data to identify when specific security services registry permissions are modified. \\n Only some portions of this detection are related to Solorigate, it also includes coverage for some common tools that perform this activity. \\n Reference on guidance for enabling registry auditing:\\n - https://docs.microsoft.com/windows/security/threat-protection/auditing/advanced-security-auditing-faq\\n - https://docs.microsoft.com/windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events\\n - https://docs.microsoft.com/windows/security/threat-protection/auditing/audit-registry\\n - https://docs.microsoft.com/windows/security/threat-protection/auditing/event-4670\\n - For the event 4670 to be created the audit policy for the registry must have auditing enabled for Write DAC and/or Write Owner\\n - https://github.com/OTRF/Set-AuditRule \\n - https://docs.microsoft.com/dotnet/api/system.security.accesscontrol.registryrights?view=dotnet-plat-ext-5.0\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-01-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/29283b22-a1c0-4d16-b0a9-3460b655a46a\",\"name\":\"29283b22-a1c0-4d16-b0a9-3460b655a46a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"let UserAgentString = dynamic ([\\\"${jndi:ldap:/\\\", \\\"${jndi:rmi:/\\\", \\\"${jndi:ldaps:/\\\", \\\"${jndi:dns:/\\\", \\\"${jndi:iiop:/\\\",\\\"${jndi:\\\",\\\"${jndi:nds:/\\\",\\\"${jndi:corba/\\\"]);\\nlet UARegexMinimalString=dynamic([\u0027{\u0027,\u0027%7b\u0027, \u0027%7B\u0027]);\\nlet UARegex = @\u0027(\\\\\\\\$|%24)(\\\\\\\\{|%7B)([^jJ]*[jJ])([^nN]*[nN])([^dD]*[dD])([^iI]*[iI])(:|%3A|\\\\\\\\$|%24|}|%7D)\u0027;\\n(union isfuzzy=true\\n(OfficeActivity\\n| where UserAgent has_any (UserAgentString) or UserAgent matches regex UARegex\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = ClientIP, Account = UserId, Type, Operation\\n| extend timestamp = StartTime, AccountCustomEntity = Account, IPCustomEntity = SourceIP\\n),\\n(AzureDiagnostics\\n| where Category in (\\\"FrontdoorWebApplicationFirewallLog\\\", \\\"FrontdoorAccessLog\\\", \\\"ApplicationGatewayFirewallLog\\\", \\\"ApplicationGatewayAccessLog\\\")\\n| where userAgent_s has_any (UserAgentString) or userAgent_s matches regex UARegex\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent = userAgent_s, SourceIP = clientIP_s, Type, host_s, requestUri_s, httpStatus_d\\n| extend timestamp = StartTime, IPCustomEntity = SourceIP, UrlCustomEntity = requestUri_s\\n),\\n(\\nW3CIISLog\\n| where csUserAgent has_any (UserAgentString) or csUserAgent matches regex UARegex\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent = csUserAgent, SourceIP = cIP, Account = csUserName, Type, sSiteName, csMethod, csUriStem\\n| extend timestamp = StartTime, AccountCustomEntity = Account, IPCustomEntity = SourceIP, UrlCustomEntity = csUriStem\\n),\\n(\\nAWSCloudTrail\\n| where UserAgent has_any (UserAgentString) or UserAgent matches regex UARegex\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = SourceIpAddress, Account = UserIdentityUserName, Type, EventName\\n| extend timestamp = StartTime, AccountCustomEntity = Account, IPCustomEntity = SourceIP\\n),\\n(SigninLogs\\n| where UserAgent has_any (UserAgentString) or UserAgent matches regex UARegex\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = IPAddress, Account = UserPrincipalName, Type, Operation = OperationName, tostring(LocationDetails), tostring(DeviceDetail), AppDisplayName, ClientAppUsed\\n| extend timestamp = StartTime, AccountCustomEntity = Account, IPCustomEntity = SourceIP\\n),\\n(AADNonInteractiveUserSignInLogs \\n| where UserAgent has_any (UserAgentString) or UserAgent matches regex UARegex\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = IPAddress, Account = UserPrincipalName, Type, Operation = OperationName, tostring(LocationDetails), tostring(DeviceDetail), AppDisplayName, ClientAppUsed\\n| extend timestamp = StartTime, AccountCustomEntity = Account, IPCustomEntity = SourceIP\\n),\\n(_Im_WebSession (httpuseragent_has_any=array_concat(UserAgentString,UARegexMinimalString))\\n| where HttpUserAgent has_any (UserAgentString) or HttpUserAgent matches regex UARegex\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by HttpUserAgent, SourceIP = SrcIpAddr, DstIpAddr, Account = SrcUsername, Url, Type\\n| extend timestamp = StartTime, AccountCustomEntity = Account, IPCustomEntity = SourceIP, UrlCustomEntity = Url\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"User agent search for log4j exploitation attempt\",\"description\":\"This query uses various log sources having user agent data to look for log4j CVE-2021-44228 exploitation attempt based on user agent pattern. Log4j is an open-source Apache logging library that is used in \\n many Java-based applications. The regex and the string matching look for the most common attacks. This might not be comprehensive to detect every possible user agent variation.\\n Reference: https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2021-12-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"WAF\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3255ec41-6bd6-4f35-84b1-c032b18bbfcb\",\"name\":\"3255ec41-6bd6-4f35-84b1-c032b18bbfcb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"let starttime = 1d;\\nlet TimeDeltaThresholdInSeconds = 60; // we ignore beacons diffs that fall below this threshold \\nlet TotalBeaconsThreshold = 4; // minimum number of beacons required in a session to surface a row\\nlet JitterTolerance = 0.2; // tolerance to jitter, e.g. - 0.2 = 20% jitter is tolerated either side of the periodicity\\nCommonSecurityLog\\n| where DeviceVendor == \\\"Fortinet\\\"\\n| where TimeGenerated \u003e ago(starttime)\\n// eliminate bad data\\n| where isnotempty(SourceIP) and isnotempty(DestinationIP) and SourceIP != \\\"0.0.0.0\\\"\\n// filter out deny, close, rst and SNMP to reduce data volume\\n| where DeviceAction !in (\\\"close\\\", \\\"client-rst\\\", \\\"server-rst\\\", \\\"deny\\\") and DestinationPort != 161\\n// map input fields\\n| project TimeGenerated , SourceIP, DestinationIP, DestinationPort, ReceivedBytes, SentBytes, DeviceAction \\n// where destination IPs are public\\n| where ipv4_is_private(DestinationIP) == false\\n// sort into source-\u003edestination \u0027sessions\u0027\\n| sort by SourceIP asc, DestinationIP asc, DestinationPort asc, TimeGenerated asc\\n| serialize\\n// time diff the contact times between source and destination to get a list of deltas\\n| extend nextTimeGenerated = next(TimeGenerated, 1), nextSourceIP = next(SourceIP, 1), nextDestIP = next(DestinationIP, 1), nextDestPort = next(DestinationPort, 1)\\n| extend TimeDeltainSeconds = datetime_diff(\\\"second\\\",nextTimeGenerated,TimeGenerated)\\n| where SourceIP == nextSourceIP and DestinationIP == nextDestIP and DestinationPort == nextDestPort\\n// remove small time deltas below the set threshold\\n| where TimeDeltainSeconds \u003e TimeDeltaThresholdInSeconds\\n// summarize the deltas by source-\u003edestination\\n| summarize count(), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), sum(ReceivedBytes), sum(SentBytes), makelist(TimeDeltainSeconds), makeset(DeviceAction) by SourceIP, DestinationIP, DestinationPort\\n// get some statistical properties of the delta distribution and smooth any outliers (e.g. laptop shut overnight, working hours)\\n| extend series_stats(list_TimeDeltainSeconds), outliers=series_outliers(list_TimeDeltainSeconds)\\n// expand the deltas and the outliers\\n| mvexpand list_TimeDeltainSeconds to typeof(double), outliers to typeof(double)\\n// replace outliers with the average of the distribution\\n| extend list_TimeDeltainSeconds_normalized=iff(outliers \u003e 1.5 or outliers \u003c -1.5, series_stats_list_TimeDeltainSeconds_avg , list_TimeDeltainSeconds)\\n// summarize with the smoothed distribution\\n| summarize BeaconCount=count(), makelist(list_TimeDeltainSeconds), list_TimeDeltainSeconds_normalized=makelist(list_TimeDeltainSeconds_normalized), makeset(set_DeviceAction) by StartTime, EndTime, SourceIP, DestinationIP, DestinationPort, sum_ReceivedBytes, sum_SentBytes\\n// get stats on the smoothed distribution\\n| extend series_stats(list_TimeDeltainSeconds_normalized)\\n// match jitter tolerance on smoothed distrib\\n| extend MaxJitter = (series_stats_list_TimeDeltainSeconds_normalized_avg*JitterTolerance)\\n| where series_stats_list_TimeDeltainSeconds_normalized_stdev \u003c MaxJitter\\n// where the minimum beacon threshold is satisfied and there was some data transfer\\n| where BeaconCount \u003e TotalBeaconsThreshold and (sum_SentBytes \u003e 0 or sum_ReceivedBytes \u003e 0)\\n// final projection\\n| project StartTime, EndTime, SourceIP, DestinationIP, DestinationPort, BeaconCount, TimeDeltasInSeconds=list_list_TimeDeltainSeconds, Periodicity=series_stats_list_TimeDeltainSeconds_normalized_avg, ReceivedBytes=sum_ReceivedBytes, SentBytes=sum_SentBytes, Actions=set_set_DeviceAction\\n// where periodicity is order of magnitude larger than time delta threshold (eliminates FPs whose periodicity is close to the values we ignored)\\n| where Periodicity \u003e= (10*TimeDeltaThresholdInSeconds)\\n| extend timestamp = StartTime, IPCustomEntity = DestinationIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Fortinet - Beacon pattern detected\",\"description\":\"Identifies patterns in the time deltas of contacts between internal and external IPs in Fortinet network data that are consistent with beaconing.\\n Accounts for randomness (jitter) and seasonality such as working hours that may have been introduced into the beacon pattern.\\n The lookback is set to 1d, the minimum granularity in time deltas is set to 60 seconds and the minimum number of beacons required to emit a\\n detection is set to 4.\\n Increase the lookback period to capture beacons with larger periodicities.\\n The jitter tolerance is set to 0.2 - This means we account for an overall 20% deviation from the infered beacon periodicity. Seasonality is dealt with\\n automatically using series_outliers.\\n Note: In large environments it may be necessary to reduce the lookback period to get fast query times.\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2020-03-31T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/80733eb7-35b2-45b6-b2b8-3c51df258206\",\"name\":\"80733eb7-35b2-45b6-b2b8-3c51df258206\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let DomainList = dynamic([\\\"monerohash.com\\\", \\\"do-dear.com\\\", \\\"xmrminerpro.com\\\", \\\"secumine.net\\\", \\\"xmrpool.com\\\", \\\"minexmr.org\\\", \\\"hashanywhere.com\\\", \\\"xmrget.com\\\", \\n\\\"mininglottery.eu\\\", \\\"minergate.com\\\", \\\"moriaxmr.com\\\", \\\"multipooler.com\\\", \\\"moneropools.com\\\", \\\"xmrpool.eu\\\", \\\"coolmining.club\\\", \\\"supportxmr.com\\\",\\n\\\"minexmr.com\\\", \\\"hashvault.pro\\\", \\\"xmrpool.net\\\", \\\"crypto-pool.fr\\\", \\\"xmr.pt\\\", \\\"miner.rocks\\\", \\\"walpool.com\\\", \\\"herominers.com\\\", \\\"gntl.co.uk\\\", \\\"semipool.com\\\", \\n\\\"coinfoundry.org\\\", \\\"cryptoknight.cc\\\", \\\"fairhash.org\\\", \\\"baikalmine.com\\\", \\\"tubepool.xyz\\\", \\\"fairpool.xyz\\\", \\\"asiapool.io\\\", \\\"coinpoolit.webhop.me\\\", \\\"nanopool.org\\\", \\n\\\"moneropool.com\\\", \\\"miner.center\\\", \\\"prohash.net\\\", \\\"poolto.be\\\", \\\"cryptoescrow.eu\\\", \\\"monerominers.net\\\", \\\"cryptonotepool.org\\\", \\\"extrmepool.org\\\", \\\"webcoin.me\\\", \\n\\\"kippo.eu\\\", \\\"hashinvest.ws\\\", \\\"monero.farm\\\", \\\"supportxmr.com\\\", \\\"xmrpool.eu\\\", \\\"linux-repository-updates.com\\\", \\\"1gh.com\\\", \\\"dwarfpool.com\\\", \\\"hash-to-coins.com\\\", \\n\\\"hashvault.pro\\\", \\\"pool-proxy.com\\\", \\\"hashfor.cash\\\", \\\"fairpool.cloud\\\", \\\"litecoinpool.org\\\", \\\"mineshaft.ml\\\", \\\"abcxyz.stream\\\", \\\"moneropool.ru\\\", \\\"cryptonotepool.org.uk\\\",\\n\\\"extremepool.org\\\", \\\"extremehash.com\\\", \\\"hashinvest.net\\\", \\\"unipool.pro\\\", \\\"crypto-pools.org\\\", \\\"monero.net\\\", \\\"backup-pool.com\\\", \\\"mooo.com\\\", \\\"freeyy.me\\\", \\\"cryptonight.net\\\",\\n\\\"shscrypto.net\\\"]);\\nSyslog\\n| where ProcessName contains \\\"squid\\\"\\n| extend URL = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :]*)\\\",3,SyslogMessage), \\n SourceIP = extract(\\\"([0-9]+ )(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3}))\\\",2,SyslogMessage), \\n Status = extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))\\\",1,SyslogMessage), \\n HTTP_Status_Code = extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))/([0-9]{3})\\\",8,SyslogMessage),\\n User = extract(\\\"(CONNECT |GET )([^ ]* )([^ ]+)\\\",3,SyslogMessage),\\n RemotePort = extract(\\\"(CONNECT |GET )([^ ]*)(:)([0-9]*)\\\",4,SyslogMessage),\\n Domain = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :\\\\\\\\/]*)\\\",3,SyslogMessage),\\n Bytes = toint(extract(\\\"([A-Z]+\\\\\\\\/[0-9]{3} )([0-9]+)\\\",2,SyslogMessage)),\\n contentType = extract(\\\"([a-z/]+$)\\\",1,SyslogMessage)\\n| extend TLD = extract(\\\"\\\\\\\\.[a-z]*$\\\",0,Domain)\\n| where HTTP_Status_Code == \u0027200\u0027\\n| where Domain contains \\\".\\\"\\n| where Domain has_any (DomainList)\\n| extend timestamp = TimeGenerated, URLCustomEntity = URL, IPCustomEntity = SourceIP, AccountCustomEntity = User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Squid proxy events related to mining pools\",\"description\":\"Checks for Squid proxy events in Syslog associated with common mining pools .This query presumes the default Squid log format is being used. \\n http://www.squid-cache.org/Doc/config/access_log/\",\"lastUpdatedDateUTC\":\"2022-05-31T00:00:00Z\",\"createdDateUTC\":\"2019-07-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3b05727d-a8d1-477d-bbdd-d957da96ac7b\",\"name\":\"3b05727d-a8d1-477d-bbdd-d957da96ac7b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"OfficeActivity\\n| where OfficeWorkload =~ \\\"Exchange\\\"\\n| where Parameters has_any (\\\"ForwardTo\\\", \\\"RedirectTo\\\", \\\"ForwardingSmtpAddress\\\")\\n| mv-apply DynamicParameters = todynamic(Parameters) on (summarize ParsedParameters = make_bag(pack(tostring(DynamicParameters.Name), DynamicParameters.Value)))\\n| evaluate bag_unpack(ParsedParameters, columnsConflict=\u0027replace_source\u0027)\\n| extend DestinationMailAddress = tolower(case(\\n isnotempty(column_ifexists(\\\"ForwardTo\\\", \\\"\\\")), column_ifexists(\\\"ForwardTo\\\", \\\"\\\"),\\n isnotempty(column_ifexists(\\\"RedirectTo\\\", \\\"\\\")), column_ifexists(\\\"RedirectTo\\\", \\\"\\\"),\\n isnotempty(column_ifexists(\\\"ForwardingSmtpAddress\\\", \\\"\\\")), trim_start(@\\\"smtp:\\\", column_ifexists(\\\"ForwardingSmtpAddress\\\", \\\"\\\")),\\n \\\"\\\"))\\n| where isnotempty(DestinationMailAddress)\\n| mv-expand split(DestinationMailAddress, \\\";\\\")\\n| extend ClientIPValues = extract_all(@\u0027\\\\[?(::ffff:)?(?P\u003cIPAddress\u003e(\\\\d+\\\\.\\\\d+\\\\.\\\\d+\\\\.\\\\d+)|[^\\\\]]+)\\\\]?([-:](?P\u003cPort\u003e\\\\d+))?\u0027, dynamic([\\\"IPAddress\\\", \\\"Port\\\"]), ClientIP)[0]\\n| extend ClientIP = tostring(ClientIPValues[0]), Port = tostring(ClientIPValues[1])\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), DistinctUserCount = dcount(UserId), UserId = make_set(UserId, 250), Ports = make_set(Port, 250), EventCount = count() by tostring(DestinationMailAddress), ClientIP\\n| where DistinctUserCount \u003e 1\\n| mv-expand UserId to typeof(string)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]}],\"tactics\":[\"Collection\",\"Exfiltration\"],\"displayName\":\"NRT Multiple users email forwarded to same destination\",\"description\":\"Identifies when multiple (more than one) users mailboxes are configured to forward to the same destination.\\nThis could be an attacker-controlled destination mailbox configured to collect mail from multiple compromised user accounts.\",\"lastUpdatedDateUTC\":\"2022-06-24T00:00:00Z\",\"createdDateUTC\":\"2019-08-23T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/75ea5c39-93e5-489b-b1e1-68fa6c9d2d04\",\"name\":\"75ea5c39-93e5-489b-b1e1-68fa6c9d2d04\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let threshold = 3;\\nlet aadFunc = (tableName:string){\\ntable(tableName)\\n| where ResultType == \\\"50057\\\"\\n| where ResultDescription =~ \\\"User account is disabled. The account has been disabled by an administrator.\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), applicationCount = dcount(AppDisplayName), \\napplicationSet = make_set(AppDisplayName), count() by UserPrincipalName, IPAddress, Type\\n| where applicationCount \u003e= threshold\\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Attempts to sign in to disabled accounts\",\"description\":\"Identifies failed attempts to sign in to disabled accounts across multiple Azure Applications.\\nDefault threshold for Azure Applications attempted to sign in to is 3.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50057 - User account is disabled. The account has been disabled by an administrator.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bfb1c90f-8006-4325-98be-c7fffbc254d6\",\"name\":\"bfb1c90f-8006-4325-98be-c7fffbc254d6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let s_threshold = 30;\\nlet l_threshold = 3;\\nlet aadFunc = (tableName:string){\\ntable(tableName)\\n| where OperationName =~ \\\"Sign-in activity\\\"\\n// Error codes that we want to look at as they are related to the use of incorrect password.\\n| where ResultType in (\\\"50126\\\", \\\"50053\\\" , \\\"50055\\\", \\\"50056\\\")\\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\\n| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\n| extend LocationString = strcat(tostring(LocationDetails.countryOrRegion), \\\"/\\\", tostring(LocationDetails.state), \\\"/\\\", tostring(LocationDetails.city))\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), LocationCount=dcount(LocationString), Location = make_set(LocationString), \\nIPAddress = make_set(IPAddress), IPAddressCount = dcount(IPAddress), AppDisplayName = make_set(AppDisplayName), ResultDescription = make_set(ResultDescription), \\nBrowser = make_set(Browser), OS = make_set(OS), SigninCount = count() by UserPrincipalName, Type \\n// Setting a generic threshold - Can be different for different environment\\n| where SigninCount \u003e s_threshold and LocationCount \u003e= l_threshold\\n| extend tostring(Location), tostring(IPAddress), tostring(AppDisplayName), tostring(ResultDescription), tostring(Browser), tostring(OS)\\n| distinct *\\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Distributed Password cracking attempts in AzureAD\",\"description\":\"Identifies distributed password cracking attempts from the Azure Active Directory SigninLogs.\\nThe query looks for unusually high number of failed password attempts coming from multiple locations for a user account.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50053 Account is locked because the user tried to sign in too many times with an incorrect user ID or password.\\n50055 Invalid password, entered expired password.\\n50056 Invalid or null password - Password does not exist in store for this user.\\n50126 Invalid username or password, or invalid on-premises username or password.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7ad4c32b-d0d2-411c-a0e8-b557afa12fce\",\"name\":\"7ad4c32b-d0d2-411c-a0e8-b557afa12fce\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, FileName = Process, CommandLine, ParentProcessName\\n| where CommandLine contains \\\".decode(\u0027base64\u0027)\\\"\\n or CommandLine contains \\\"base64 --decode\\\"\\n or CommandLine contains \\\".decode64(\\\"\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"Execution\",\"DefenseEvasion\"],\"displayName\":\"NRT Process executed from binary hidden in Base64 encoded file\",\"description\":\"Encoding malicious software is a technique used to obfuscate files from detection.\\nThe first CommandLine component is looking for Python decoding base64.\\nThe second CommandLine component is looking for Bash/sh command line base64 decoding.\\nThe third one is looking for Ruby decoding base64.\",\"lastUpdatedDateUTC\":\"2022-02-08T00:00:00Z\",\"createdDateUTC\":\"2019-01-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/95002681-4ecb-4da3-9ece-26d7e5feaa33\",\"name\":\"95002681-4ecb-4da3-9ece-26d7e5feaa33\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"imAuthentication\\n| where EventResult ==\u0027Failure\u0027\\n| where EventResultDetails == \u0027User disabled\u0027\\n| summarize StartTime=min(EventStartTime), EndTime=max(EventEndTime), disabledAccountLoginAttempts = count()\\n , disabledAccountsTargeted = dcount(TargetUsername), disabledAccountSet = make_set(TargetUsername)\\n , applicationsTargeted = dcount(TargetAppName)\\n , applicationSet = make_set(TargetAppName) \\n by SrcDvcIpAddr, Type\\n| order by disabledAccountLoginAttempts desc\\n| join kind=leftouter \\n (\\n // Consider these IPs suspicious - and alert any related successful sign-ins\\n imAuthentication\\n | where EventResult==\u0027Success\u0027\\n | summarize successfulAccountSigninCount = dcount(TargetUsername), successfulAccountSigninSet = makeset(TargetUsername, 15) by SrcDvcIpAddr, Type\\n // Assume IPs associated with sign-ins from 100+ distinct user accounts are safe\\n | where successfulAccountSigninCount \u003c 100\\n )\\n on SrcDvcIpAddr\\n| where isnotempty(successfulAccountSigninCount)\\n| project StartTime, EndTime, SrcDvcIpAddr, disabledAccountLoginAttempts, disabledAccountsTargeted, disabledAccountSet, applicationSet, \\nsuccessfulAccountSigninCount, successfulAccountSigninSet, Type\\n| order by disabledAccountLoginAttempts\\n| extend timestamp = StartTime, IPCustomEntity = SrcDvcIpAddr\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"Persistence\"],\"displayName\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts (Uses Authentication Normalization)\",\"description\":\"Identifies IPs with failed attempts to sign in to one or more disabled accounts signed in successfully to another account.\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimAuthentication)\",\"lastUpdatedDateUTC\":\"2022-02-14T00:00:00Z\",\"createdDateUTC\":\"2021-07-27T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/795edf2d-cf3e-45b5-8452-fe6c9e6a582e\",\"name\":\"795edf2d-cf3e-45b5-8452-fe6c9e6a582e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"CommonSecurityLog \\n| where isempty(CommunicationDirection) \\n| where DeviceEventClassID in (\\\"733101\\\",\\\"733102\\\",\\\"733103\\\",\\\"733104\\\",\\\"733105\\\")\\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Discovery\",\"Impact\"],\"displayName\":\"Cisco ASA - threat detection message fired\",\"description\":\"Identifies when the Cisco ASA Threat Detection engine fired an alert based on malicious activity occurring on the network inicated by DeviceEventClassID 733101-733105\\nResources: https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs9.html\\nDetails on how to further troubleshoot/investigate: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113685-asa-threat-detection.html\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1785d372-b9fe-4283-96a6-3a1d83cabfd1\",\"name\":\"1785d372-b9fe-4283-96a6-3a1d83cabfd1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"let Tarrask_threats = dynamic([\\\"HackTool:Win64/Tarrask!MS\\\", \\\"HackTool:Win64/Ligolo!MSR\\\", \\\"Behavior:Win32/ScheduledTaskHide.A\\\", \\\"Tarrask\\\"]);\\nDeviceInfo\\n| extend DeviceName = tolower(DeviceName)\\n| join kind=rightouter ( SecurityAlert\\n| where ProviderName == \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)\\n| where ThreatName in~ (Tarrask_threats) or ThreatFamilyName in~ (Tarrask_threats)\\n| extend CompromisedEntity = tolower(CompromisedEntity)\\n) on $left.DeviceName == $right.CompromisedEntity\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CompromisedEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"PublicIP\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"AV detections related to Tarrask malware\",\"description\":\"This query looks for Microsoft Defender AV detections related to Tarrask malware. In Microsoft Sentinel the SecurityAlerts table \\n includes only the Device Name of the affected device, this query joins the DeviceInfo table to clearly connect other information such as Device group, ip, logged on users etc. \\n This would allow the Microsoft Sentinel analyst to have more context related to the alert, if available.\\n Reference: https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-04-12T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/157c0cfc-d76d-463b-8755-c781608cdc1a\",\"name\":\"157c0cfc-d76d-463b-8755-c781608cdc1a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let aadFunc = (tableName:string){\\nCommonSecurityLog\\n| where DeviceVendor =~ \\\"Cisco\\\"\\n| where DeviceAction =~ \\\"denied\\\"\\n| where ipv4_is_private(SourceIP) == false\\n| summarize count() by SourceIP\\n| join (\\n // Successful signins from IPs blocked by the firewall solution are suspect\\n // Include fully successful sign-ins, but also ones that failed only at MFA stage\\n // as that supposes the password was sucessfully guessed.\\n table(tableName)\\n | where ResultType in (\\\"0\\\", \\\"50074\\\", \\\"50076\\\") \\n) on $left.SourceIP == $right.IPAddress\\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIP, AccountCustomEntity = UserPrincipalName\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Cisco - firewall block but success logon to Azure AD\",\"description\":\"Correlate IPs blocked by a Cisco firewall appliance with successful Azure Active Directory signins. \\nBecause the IP was blocked by the firewall, that same IP logging on successfully to AAD is potentially suspect\\nand could indicate credential compromise for the user account.\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2019-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/875d0eb1-883a-4191-bd0e-dbfdeb95a464\",\"name\":\"875d0eb1-883a-4191-bd0e-dbfdeb95a464\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n| where EventID == 5136 \\n| parse EventData with * \u0027AttributeLDAPDisplayName\\\"\u003e\u0027 AttributeLDAPDisplayName \\\"\u003c\\\" *\\n| parse EventData with * \u0027ObjectClass\\\"\u003e\u0027 ObjectClass \\\"\u003c\\\" *\\n| where AttributeLDAPDisplayName == \\\"servicePrincipalName\\\" and ObjectClass == \\\"user\\\"\\n| parse EventData with * \u0027ObjectDN\\\"\u003e\u0027 ObjectDN \\\"\u003c\\\" *\\n| parse EventData with * \u0027AttributeValue\\\"\u003e\u0027 AttributeValue \\\"\u003c\\\" *\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Computer, SubjectAccount, ObjectDN, AttributeValue\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SubjectAccount\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Service Principal Name (SPN) Assigned to User Account\",\"description\":\"This query identifies whether a Active Directory user object was assigned a service principal name which could indicate that an adversary is preparing for performing Kerberoasting. \\nThis query checks for event id 5136 that the Object Class field is \\\"user\\\" and the LDAP Display Name is \\\"servicePrincipalName\\\".\\nRef: https://thevivi.net/assets/docs/2019/theVIVI-AD-Security-Workshop_AfricaHackon2019.pdf\",\"lastUpdatedDateUTC\":\"2022-02-02T00:00:00Z\",\"createdDateUTC\":\"2022-01-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/45076281-35ae-45e0-b443-c32aa0baf965\",\"name\":\"45076281-35ae-45e0-b443-c32aa0baf965\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"High\",\"query\":\"let args = dynamic([\\\"objectcategory\\\",\\\"domainlist\\\",\\\"dcmodes\\\",\\\"adinfo\\\",\\\"trustdmp\\\",\\\"computers_pwdnotreqd\\\",\\\"Domain Admins\\\", \\\"objectcategory=person\\\", \\\"objectcategory=computer\\\", \\\"objectcategory=*\\\",\\\"dclist\\\"]);\\nlet parentProcesses = dynamic([\\\"pwsh.exe\\\",\\\"powershell.exe\\\",\\\"cmd.exe\\\"]);\\nimProcessCreate\\n//looks for execution from a shell\\n| where ActingProcessName has_any (parentProcesses)\\n| extend ActingProcessFileName = tostring(split(ActingProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where ActingProcessFileName in~ (parentProcesses)\\n// main filter\\n| where Process hassuffix \\\"AdFind.exe\\\" or TargetProcessSHA256 == \\\"c92c158d7c37fea795114fa6491fe5f145ad2f8c08776b18ae79db811e8e36a3\\\"\\n // AdFind common Flags to check for from various threat actor TTPs\\n or CommandLine has_any (args)\\n| extend AccountCustomEntity = User, HostCustomEntity = Dvc, ProcessCustomEntity = ActingProcessName, CommandLineCustomEntity = CommandLine, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = TargetProcessSHA256\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"},{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLineCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Discovery\"],\"displayName\":\"Probable AdFind Recon Tool Usage (Normalized Process Events)\",\"description\":\"Identifies the host and account that executed AdFind by hash and filename in addition to common and unique flags that are used by many threat actors in discovery.\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimProcessEvent)\",\"lastUpdatedDateUTC\":\"2022-02-14T00:00:00Z\",\"createdDateUTC\":\"2021-06-09T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/910124df-913c-47e3-a7cd-29e1643fa55e\",\"name\":\"910124df-913c-47e3-a7cd-29e1643fa55e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"//Adjust this threshold to fit environment\\nlet signin_threshold = 5; \\n//Make a list of IPs with failed AWS console logins\\nlet aws_fails = AWSCloudTrail\\n| where EventName == \\\"ConsoleLogin\\\"\\n| extend LoginResult = tostring(parse_json(ResponseElements).ConsoleLogin) \\n| where LoginResult != \\\"Success\\\"\\n| where SourceIpAddress != \\\"127.0.0.1\\\"\\n| summarize count() by SourceIpAddress\\n| where count_ \u003e signin_threshold\\n| summarize make_set(SourceIpAddress);\\n//See if any of those IPs have sucessfully logged into Azure AD.\\nSigninLogs\\n| where ResultType in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n| where IPAddress in (aws_fails) \\n| extend Reason = \\\"Multiple failed AWS Console logins from IP address\\\"\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"Failed AWS Console logons but success logon to AzureAD\",\"description\":\"Identifies a list of IP addresses with a minimum numbe(default of 5) of failed logon attempts to AWS Console.\\nUses that list to identify any successful Azure Active Directory logons from these IPs within the same timeframe.\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2019-08-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a779e2d5-9109-4f0a-a75e-f3d4f3c58560\",\"name\":\"a779e2d5-9109-4f0a-a75e-f3d4f3c58560\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let sha256Hashes = dynamic([\\\"78c255a98003a101fa5ba3f49c50c6922b52ede601edac5db036ab72efc57629\\\", \\\"0588f61dc7e4b24554cffe4ea56d043d8f6139d2569bc180d4a77cf75b68792f\\\", \\\"441a3810b9e89bae12eea285a63f92e98181e9fb9efd6c57ef6d265435484964\\\", \\\"cbae79f66f724e0fe1705d6b5db3cc8a4e89f6bdf4c37004aa1d45eeab26e84b\\\", \\\"fd6515a71530b8329e2c0104d0866c5c6f87546d4b44cc17bbb03e64663b11fc\\\", \\\"5d169e083faa73f2920c8593fb95f599dad93d34a6aa2b0f794be978e44c8206\\\", \\\"7f29b69eb1af1cc6c1998bad980640bfe779525fd5bb775bc36a0ce3789a8bfc\\\", \\\"02a59fe2c94151a08d75a692b550e66a8738eb47f0001234c600b562bf8c227d\\\", \\\"7f84bf6a016ca15e654fb5ebc36fd7407cb32c69a0335a32bfc36cb91e36184d\\\", \\\"afab2e77dc14831f1719e746042063a8ec107de0e9730249d5681d07f598e5ec\\\", \\\"894138dfeee756e366c65a197b4dbef8816406bc32697fac6621601debe17d53\\\", \\\"4611340fdade4e36f074f75294194b64dcf2ec0db00f3d958956b4b0d6586431\\\", \\\"c96ae21b4cf2e28eec222cfe6ca903c4767a068630a73eca58424f9a975c6b7d\\\", \\\"fa30be45c5c5a8f679b42ae85410f6099f66fe2b38eb7aa460bcc022babb41ca\\\", \\\"e64bea4032cf2694e85ede1745811e7585d3580821a00ae1b9123bb3d2d442d6\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, SourceUserID, FileHash, Type\\n| extend timestamp = TimeGenerated, FileHashCustomEntity = \u0027SHA256\u0027, Account = SourceUserID\\n),\\n(imFileEvent\\n| where TargetFileSHA256 has_any (sha256Hashes)\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(Event\\n| where Source =~ \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Image = EventDetail.[4].[\\\"#text\\\"], CommandLine = EventDetail.[10].[\\\"#text\\\"], Hashes = tostring(EventDetail.[17].[\\\"#text\\\"])\\n| extend Hashes = extract_all(@\\\"(?P\u003ckey\u003e\\\\w+)=(?P\u003cvalue\u003e[a-zA-Z0-9]+)\\\", dynamic([\\\"key\\\",\\\"value\\\"]), Hashes)\\n| extend Hashes = column_ifexists(\\\"Hashes\\\", \\\"\\\"), CommandLine = column_ifexists(\\\"CommandLine\\\", \\\"\\\")\\n| where (Hashes has_any (sha256Hashes) ) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, Hashes, CommandLine, Image\\n| extend Type = strcat(Type, \\\": \\\", Source)\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), FileHashCustomEntity = Hashes\\n),\\n(DeviceEvents\\n| where InitiatingProcessSHA256 has_any (sha256Hashes) or SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n),\\n(DeviceFileEvents\\n| where SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n),\\n(DeviceImageLoadEvents\\n| where SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"FileHashCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"KNOTWEED File Hashes July 2022\",\"description\":\"This query looks for references to known KNOTWEED file hashes in various logs.\\n This query was published July 2022.\\n Ref: https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/\",\"lastUpdatedDateUTC\":\"2022-07-27T00:00:00Z\",\"createdDateUTC\":\"2022-07-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceEvents\",\"DeviceFileEvents\",\"DeviceImageLoadEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/aedc5b33-2d7c-42cb-a692-f25ef637cbb1\",\"name\":\"aedc5b33-2d7c-42cb-a692-f25ef637cbb1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let lbtime = 10m;\\nProofpointPOD\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027outbound\u0027\\n| where array_length(todynamic(DstUserUpn)) == 1\\n| extend sender = extract(@\u0027\\\\A(.*?)@\u0027, 1, SrcUserUpn)\\n| extend sender_domain = extract(@\u0027@(.*)$\u0027, 1, SrcUserUpn)\\n| extend recipient = extract(@\u0027\\\\A(.*?)@\u0027, 1, tostring(todynamic(DstUserUpn)[0]))\\n| extend recipient_domain = extract(@\u0027@(.*)$\u0027, 1, tostring(todynamic(DstUserUpn)[0]))\\n| where sender =~ recipient\\n| where sender_domain != recipient_domain\\n| project SrcUserUpn, DstUserUpn\\n| extend AccountCustomEntity = SrcUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"ProofpointPOD - Possible data exfiltration to private email\",\"description\":\"Detects when sender sent email to the non-corporate domain and recipient\u0027s username is the same as sender\u0027s username.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/30fa312c-31eb-43d8-b0cc-bcbdfb360822\",\"name\":\"30fa312c-31eb-43d8-b0cc-bcbdfb360822\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @\u0027^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$\u0027;\\nlet aadFunc = (tableName:string){\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n table(tableName) | where TimeGenerated \u003e= ago(dt_lookBack) and isnotempty(UserPrincipalName)\\n //Normalizing the column to lower case for exact match with EmailSenderAddress column\\n | extend UserPrincipalName = tolower(UserPrincipalName)\\n | where UserPrincipalName matches regex emailregex\\n | extend Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n | extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\n | extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion)\\n // renaming timestamp column so it is clear the log this came from SigninLogs table\\n | extend SigninLogs_TimeGenerated = TimeGenerated, Type = Type\\n)\\non $left.EmailSenderAddress == $right.UserPrincipalName\\n| where SigninLogs_TimeGenerated \u003c ExpirationDateTime\\n| summarize SigninLogs_TimeGenerated = arg_max(SigninLogs_TimeGenerated, *) by IndicatorId, UserPrincipalName\\n| project SigninLogs_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, IPAddress, UserPrincipalName, AppDisplayName,\\nStatusCode, StatusDetails, NetworkIP, NetworkDestinationIP, NetworkSourceIP, Type\\n| extend timestamp = SigninLogs_TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress, URLCustomEntity = Url\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map Email entity to SigninLogs\",\"description\":\"Identifies a match in SigninLogs table from any Email IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d6190dde-8fd2-456a-ac5b-0a32400b0464\",\"name\":\"d6190dde-8fd2-456a-ac5b-0a32400b0464\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let ProcessCreationEvents=() {\\nlet processEvents=(union isfuzzy=true\\n(SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, FileName = Process, CommandLine, ParentProcessName\\n),\\n(WindowsEvent\\n| where EventID==4688\\n| where EventData has_any (\\\".decode(\u0027base64\u0027)\\\", \\\"base64 --decode\\\", \\\".decode64(\\\" )\\n| extend CommandLine = tostring(EventData.CommandLine)\\n| where isnotempty(CommandLine)\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend FileName=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, CommandLine, ParentProcessName\\n));\\nprocessEvents;\\n};\\nProcessCreationEvents \\n| where CommandLine contains \\\".decode(\u0027base64\u0027)\\\"\\n or CommandLine contains \\\"base64 --decode\\\"\\n or CommandLine contains \\\".decode64(\\\" \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), CountToday = count() by Computer, Account, AccountDomain, FileName, CommandLine, ParentProcessName \\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Execution\",\"DefenseEvasion\"],\"displayName\":\"Process executed from binary hidden in Base64 encoded file\",\"description\":\"Encoding malicious software is a technique used to obfuscate files from detection. \\nThe first CommandLine component is looking for Python decoding base64. \\nThe second CommandLine component is looking for Bash/sh command line base64 decoding.\\nThe third one is looking for Ruby decoding base64.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2019-01-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a04cf847-a832-4c60-b687-b0b6147da219\",\"name\":\"a04cf847-a832-4c60-b687-b0b6147da219\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"High\",\"query\":\"let IPList = dynamic([\\\"45.63.52.41\\\",\\\"140.82.17.161\\\",\\\"207.148.101.95\\\",\\\"45.32.87.51\\\",\\\"66.42.98.156\\\",\\\"45.76.144.105\\\",\\\"217.163.28.35\\\",\\\"45.32.141.174\\\",\\\"149.28.165.249\\\",\\\"209.250.225.247\\\",\\\"45.63.100.115\\\",\\\"95.179.229.230\\\",\\\"209.250.233.247\\\",\\\"45.77.121.232\\\",\\\"45.76.175.65\\\",\\\"104.238.160.237\\\",\\\"45.77.181.97\\\",\\\"95.179.192.125\\\",\\\"149.28.93.184\\\",\\\"140.82.16.81\\\",\\\"45.76.173.103\\\",\\\"45.77.255.22\\\",\\\"45.32.11.71\\\",\\\"149.28.77.26\\\",\\\"45.32.54.50\\\",\\\"104.156.233.156\\\",\\\"45.32.21.118\\\",\\\"45.63.62.109\\\",\\\"45.77.244.202\\\",\\\"149.248.11.205\\\",\\\"104.238.190.244\\\"]);\\nlet IOCTerms = \\\"\\\\\\\\?lang=[/..]*/dev/cmdb/sslvpn_websession|/dana-na/jam/[/..]*home/webserver/htdocs/dana/html5acc/guacamole[/..]*etc/passwd\\\\\\\\?\\\";\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where isnotempty(SourceIP) or isnotempty(DestinationIP)\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or has_any_ipv4 (Message, IPList)\\n| extend IPMatch = case(\\nSourceIP in (IPList), \\\"SourceIP\\\", \\nDestinationIP in (IPList), \\\"DestinationIP\\\",\\n\\\"Message\\\") \\n| where Message matches regex IOCTerms\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch\\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\") \\n),\\n(OfficeActivity\\n| where isnotempty(UserAgent) and ClientIP in (IPList)\\n| where UserAgent contains \\\"ExchangeServicesClient/0.0.0.0\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP = ClientIP, Account = UserId, Type, RecordType, OfficeWorkload, UserAgent, OfficeObjectId, IPMatch = \\\"ClientIP\\\"\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, IPCustomEntity = SourceIP\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"Collection\"],\"displayName\":\"Known Manganese IP and UserAgent activity\",\"description\":\"Matches IP plus UserAgent IOCs in OfficeActivity data, along with IP plus Connection string information in the CommonSecurityLog data related to Manganese group activity.\\nReferences: \\nhttps://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/\\nhttps://fortiguard.com/psirt/FG-IR-18-384\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-10-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/74ed028d-e392-40b7-baef-e69627bf89d1\",\"name\":\"74ed028d-e392-40b7-baef-e69627bf89d1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"AzureDevOpsAuditing\\n| where OperationName =~ \\\"AuditLog.StreamDisabledByUser\\\"\\n| extend StreamType = tostring(Data.ConsumerType)\\n| project-reorder TimeGenerated, Details, ActorUPN, IpAddress, UserAgent, StreamType\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"NRT Azure DevOps Audit Stream Disabled\",\"description\":\"Azure DevOps allow for audit logs to be streamed to external storage solutions such as SIEM solutions. An attacker looking to hide malicious Azure DevOps activity from defenders may look to disable data streams \\n before conducting activity and then re-enabling the stream after (so as not to raise data threshold-based alarms). Looking for disabled audit streams can identify this activity, and due to the nature of the action \\n its unlikely to have a high false positive rate.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a356c8bd-c81d-428b-aa36-83be706be034\",\"name\":\"a356c8bd-c81d-428b-aa36-83be706be034\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"// AADJoined or Register Device Registry Keys\\nlet aadJoinRoot = \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\ControlSet001\\\\\\\\Control\\\\\\\\CloudDomainJoin\\\\\\\\JoinInfo\\\\\\\\\\\";\\nlet aadRegisteredRoot = \\\"\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\WorkplaceJoin\\\";\\n// Transport Key Registry Key\\nlet keyTransportKey = \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\ControlSet001\\\\\\\\Control\\\\\\\\Cryptography\\\\\\\\Ngc\\\\\\\\KeyTransportKey\\\\\\\\\\\";\\n(union isfuzzy=true\\n(\\n// Access to Object Requested\\nSecurityEvent\\n| where EventID == \u00274656\u0027\\n| where EventData contains aadJoinRoot or EventData contains aadRegisteredRoot\\n| extend EventData = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Computer, EventID)\\n| where ObjectType == \u0027Key\u0027\\n| where ObjectName startswith aadJoinRoot and SubjectLogonId != \u00270x3e7\u0027 //Local System\\n| extend ProcessId = column_ifexists(\\\"ProcessId\\\", \\\"\\\"), Process = split(ProcessName, \u0027\\\\\\\\\u0027, -1)[-1],Account = strcat(SubjectDomainName, \\\"\\\\\\\\\\\", SubjectUserName)\\n| join kind=innerunique (\\n SecurityEvent\\n | where EventID == \u00274656\u0027\\n | where EventData contains keyTransportKey\\n | extend EventData = parse_xml(EventData).EventData.Data\\n | mv-expand bagexpansion=array EventData\\n | evaluate bag_unpack(EventData)\\n | extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n | evaluate pivot(Key, any(Value), TimeGenerated, Computer, EventID)\\n | extend ObjectName = column_ifexists(\\\"ObjectName\\\", \\\"\\\"),ObjectType = column_ifexists(\\\"ObjectType\\\", \\\"\\\")\\n | where ObjectType == \u0027Key\u0027\\n | where ObjectName startswith keyTransportKey and SubjectLogonId != \u00270x3e7\u0027 //Local System\\n | extend ProcessId = column_ifexists(\\\"ProcessId\\\", \\\"\\\"), Process = split(ProcessName, \u0027\\\\\\\\\u0027, -1)[-1],Account = strcat(SubjectDomainName, \\\"\\\\\\\\\\\", SubjectUserName)\\n) on $left.Computer == $right.Computer and $left.SubjectLogonId == $right.SubjectLogonId and $left.ProcessId == $right.ProcessId\\n| project TimeGenerated, Computer, Account, SubjectDomainName, SubjectUserName, SubjectLogonId, ObjectName, tostring(Process), ProcessName, ProcessId, EventID\\n),\\n// Accessing Object\\n(\\nSecurityEvent\\n| where EventID == \u00274663\u0027\\n| where ObjectType == \u0027Key\u0027\\n| where (ObjectName startswith aadJoinRoot or ObjectName contains aadRegisteredRoot) and SubjectLogonId != \u00270x3e7\u0027 //Local System\\n| extend Account = SubjectAccount\\n| join kind=innerunique (\\n SecurityEvent\\n | where EventID == \u00274663\u0027\\n | where ObjectType == \u0027Key\u0027\\n | where ObjectName contains keyTransportKey and SubjectLogonId != \u00270x3e7\u0027 //Local System\\n | extend Account = SubjectAccount\\n) on $left.Computer == $right.Computer and $left.SubjectLogonId == $right.SubjectLogonId and $left.ProcessId == $right.ProcessId\\n| project TimeGenerated, Computer, Account, SubjectDomainName, SubjectUserName, SubjectLogonId, ObjectName, Process, ProcessName, ProcessId, EventID\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"Discovery\"],\"displayName\":\"AAD Local Device Join Information and Transport Key Registry Keys Access\",\"description\":\"This detection uses Windows security events to detect suspicious access attempts by the same process\\n to registry keys that provide information about an AAD joined or registered devices and Transport keys (tkpub / tkpriv).\\n This information can be used to export the Device Certificate (dkpub / dkpriv) and Transport key (tkpub/tkpriv).\\n These set of keys can be used to impersonate existing Azure AD joined devices.\\n This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable objects:\\n HKLM:\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\CloudDomainJoin (AAD joined devices)\\n HKCU:\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\WorkplaceJoin (AAD registered devices)\\n HKLM:\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Cryptography\\\\Ngc\\\\KeyTransportKey (Transport Key)\\n Make sure you set the SACL to propagate to its sub-keys. You can find more information in here https://github.com/OTRF/Set-AuditRule/blob/master/rules/registry/aad_connect_health_service_agent.yml\\n Reference: https://o365blog.com/post/deviceidentity/\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-02-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/58fc0170-0877-4ea8-a9ff-d805e361cfae\",\"name\":\"58fc0170-0877-4ea8-a9ff-d805e361cfae\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"let schedule_lookback = 14d; \\nlet join_lookback = 1d; \\n// If you want to whitelist specific timezones include them in a list here\\nlet tz_whitelist = dynamic([]);\\nlet meetings = ( \\nZoomLogs \\n| where TimeGenerated \u003e= ago(schedule_lookback) \\n| where Event =~ \\\"meeting.created\\\" \\n| extend MeetingId = tostring(parse_json(MeetingEvents).MeetingId) \\n| extend SchedTimezone = tostring(parse_json(MeetingEvents).Timezone)); \\nZoomLogs \\n| where TimeGenerated \u003e= ago(join_lookback) \\n| where Event =~ \\\"meeting.participant_joined\\\" \\n| extend JoinedTimeZone = tostring(parse_json(MeetingEvents).Timezone) \\n| extend MeetingName = tostring(parse_json(MeetingEvents).MeetingName) \\n| extend MeetingId = tostring(parse_json(MeetingEvents).MeetingId) \\n| where JoinedTimeZone !in (tz_whitelist)\\n| join (meetings) on MeetingId \\n| where SchedTimezone != JoinedTimeZone \\n| project TimeGenerated, MeetingName, JoiningUser=payload_object_participant_user_name_s, JoinedTimeZone, SchedTimezone, MeetingScheduler=User1 \\n| extend timestamp = TimeGenerated, AccountCustomEntity = JoiningUser\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"PrivilegeEscalation\"],\"displayName\":\"User joining Zoom meeting from suspicious timezone\",\"description\":\"The alert shows users that join a Zoom meeting from a time zone other than the one the meeting was created in.\\nYou can also whitelist known good time zones in the tz_whitelist value using the tz database name format https://en.wikipedia.org/wiki/List_of_tz_database_time_zones\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2020-04-24T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a09a0b8e-30fe-4ebf-94a0-cffe50f579cd\",\"name\":\"a09a0b8e-30fe-4ebf-94a0-cffe50f579cd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n | where OperationName =~ \\\"Update user\\\"\\n | where Result =~ \\\"success\\\"\\n | mv-expand TargetResources\\n | mv-expand TargetResources.modifiedProperties\\n | where TargetResources_modifiedProperties.displayName =~ \\\"TargetId.UserType\\\"\\n | extend UpdatingServicePrincipal = tostring(parse_json(tostring(InitiatedBy.app)).servicePrincipalId)\\n | extend UpdatingUserPrincipal = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend UpdatingUser = iif(isnotempty(UpdatingServicePrincipal), UpdatingServicePrincipal, UpdatingUserPrincipal)\\n | extend UpdatedUserPrincipalName = tostring(TargetResources.userPrincipalName)\\n | project-reorder TimeGenerated, UpdatedUserPrincipalName, UpdatingUser\\n | where parse_json(tostring(TargetResources_modifiedProperties.newValue)) =~ \\\"\\\\\\\"Member\\\\\\\"\\\" and parse_json(tostring(TargetResources_modifiedProperties.oldValue)) =~ \\\"\\\\\\\"Guest\\\\\\\"\\\"\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UpdatingUser\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UpdatedUserPrincipalName\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"User State changed from Guest to Member\",\"description\":\"Detects when a guest account in a tenant is converted to a member of the tenant.\\n Monitoring guest accounts and the access they are provided is important to detect potential account abuse.\\n Accounts converted to members should be investigated to ensure the activity was legitimate.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b12b3dab-d973-45af-b07e-e29bb34d8db9\",\"name\":\"b12b3dab-d973-45af-b07e-e29bb34d8db9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let timeframe = 15m;\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(timeframe)\\n| where HttpUserAgentOriginal contains \\\"WindowsPowerShell\\\"\\n| extend Message = \\\"Windows PowerShell User Agent\\\"\\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated,HttpUserAgentOriginal\\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"DefenseEvasion\"],\"displayName\":\"Cisco Umbrella - Windows PowerShell User-Agent Detected\",\"description\":\"Rule helps to detect Powershell user-agent activity by an unusual process other than a web browser.\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d722831e-88f5-4e25-b106-4ef6e29f8c13\",\"name\":\"d722831e-88f5-4e25-b106-4ef6e29f8c13\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P8D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"// a threshold can be enabled, see commented line below for PrevSeenCount\\nlet threshold = 2;\\nlet uploadOp = \u0027FileUploaded\u0027;\\n// Extensions that are interesting. Add/Remove to this list as you see fit\\nlet execExt = dynamic([\u0027exe\u0027, \u0027inf\u0027, \u0027gzip\u0027, \u0027cmd\u0027, \u0027bat\u0027]);\\nlet starttime = 8d;\\nlet endtime = 1d;\\nOfficeActivity | where TimeGenerated \u003e= ago(endtime)\\n// Limited to File Uploads due to potential noise, comment out the Operation statement below to include any operation type\\n// Additional, but potentially noisy operation types that include Uploads and Downloads can be included by adding the following - Operation contains \\\"upload\\\" or Operation contains \\\"download\\\"\\n| where Operation =~ uploadOp\\n| where SourceFileExtension has_any (execExt)\\n| project TimeGenerated, OfficeId, OfficeWorkload, RecordType, Operation, UserType, UserKey, UserId, ClientIP, UserAgent, Site_Url, SourceRelativeUrl, SourceFileName\\n| join kind= leftanti (\\nOfficeActivity | where TimeGenerated between (ago(starttime) .. ago(endtime))\\n| where Operation =~ uploadOp\\n| where SourceFileExtension has_any (execExt)\\n| summarize SourceRelativeUrl = make_set(SourceRelativeUrl), UserId = make_set(UserId) , PrevSeenCount = count() by SourceFileName\\n// To exclude previous matches when only above a specific count, change threshold above and uncomment the line below\\n//| where PrevSeenCount \u003e threshold\\n| mvexpand SourceRelativeUrl, UserId\\n| extend SourceRelativeUrl = tostring(SourceRelativeUrl), UserId = tostring(UserId)\\n) on SourceFileName, SourceRelativeUrl, UserId \\n| extend SiteUrlUserFolder = tolower(split(Site_Url, \u0027/\u0027)[-2])\\n| extend UserIdUserFolderFormat = tolower(replace(\u0027@|\\\\\\\\.\u0027, \u0027_\u0027,UserId))\\n// identify when UserId is not a match to the specific site url personal folder reference\\n| extend UserIdDiffThanUserFolder = iff(Site_Url has \u0027/personal/\u0027 and SiteUrlUserFolder != UserIdUserFolderFormat, true , false ) \\n| summarize TimeGenerated = make_list(TimeGenerated), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), \\nUserAgents = make_list(UserAgent), OfficeIds = make_list(OfficeId), SourceRelativeUrls = make_list(SourceRelativeUrl), FileNames = make_list(SourceFileName)\\nby OfficeWorkload, RecordType, Operation, UserType, UserKey, UserId, ClientIP, Site_Url, SiteUrlUserFolder, UserIdUserFolderFormat, UserIdDiffThanUserFolder\\n| extend timestamp = StartTime, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Site_Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"New executable via Office FileUploaded Operation\",\"description\":\"Identifies when executable file types are uploaded to Office services such as SharePoint and OneDrive.\\nList currently includes \u0027exe\u0027, \u0027inf\u0027, \u0027gzip\u0027, \u0027cmd\u0027, \u0027bat\u0027 file extensions.\\nAdditionally, identifies when a given user is uploading these files to another users workspace.\\nThis may be indication of a staging location for malware or other malicious activity.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/69a45b05-71f5-45ca-8944-2e038747fb39\",\"name\":\"69a45b05-71f5-45ca-8944-2e038747fb39\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P8D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let endtime = 1d;\\nlet starttime = 8d;\\n// The threshold below excludes matching on RDP connection computer counts of 5 or more by a given account and IP in a given day. Change the threshold as needed.\\nlet threshold = 5;\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4624 and LogonType == 10\\n// Labeling the first RDP connection time, computer and ip\\n| extend FirstHop = TimeGenerated, FirstComputer = toupper(Computer), FirstIPAddress = IpAddress, Account = tolower(Account)\\n),\\n( WindowsEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4624 and EventData has (\\\"10\\\")\\n| extend LogonType = tostring(EventData.LogonType)\\n| where LogonType == 10 // Labeling the first RDP connection time, computer and ip\\n| extend Account = strcat(tostring(EventData.TargetDomainName),\\\"\\\\\\\\\\\", tostring(EventData.TargetUserName))\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| extend FirstHop = TimeGenerated, FirstComputer = toupper(Computer), FirstIPAddress = IpAddress, Account = tolower(Account)\\n))\\n| join kind=inner (\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4624 and LogonType == 10\\n// Labeling the second RDP connection time, computer and ip\\n| extend SecondHop = TimeGenerated, SecondComputer = toupper(Computer), SecondIPAddress = IpAddress, Account = tolower(Account)\\n),\\n(WindowsEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4624 and EventData has (\\\"10\\\")\\n| extend LogonType = toint(EventData.LogonType)\\n| where LogonType == 10 // Labeling the second RDP connection time, computer and ip\\n| extend Account = strcat(tostring(EventData.TargetDomainName),\\\"\\\\\\\\\\\", tostring(EventData.TargetUserName))\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| extend SecondHop = TimeGenerated, SecondComputer = toupper(Computer), SecondIPAddress = IpAddress, Account = tolower(Account)\\n))\\n) on Account\\n// Make sure that the first connection is after the second connection --\u003e SecondHop \u003e FirstHop\\n// Then identify only RDP to another computer from within the first RDP connection by only choosing matches where the Computer names do not match --\u003e FirstComputer != SecondComputer\\n// Then make sure the IPAddresses do not match by excluding connections from the same computers with first hop RDP connections to multiple computers --\u003e FirstIPAddress != SecondIPAddress\\n| where FirstComputer != SecondComputer and FirstIPAddress != SecondIPAddress and SecondHop \u003e FirstHop\\n// where the second hop occurs within 30 minutes of the first hop\\n| where SecondHop \u003c= FirstHop+30m\\n| distinct Account, FirstHop, FirstComputer, FirstIPAddress, SecondHop, SecondComputer, SecondIPAddress, AccountType, Activity, LogonTypeName, ProcessName\\n// use left anti to exclude anything from the previous 7 days where the Account and IP has connected 5 or more computers.\\n| join kind=leftanti (\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e= ago(starttime) and TimeGenerated \u003c ago(endtime)\\n| where EventID == 4624 and LogonType == 10\\n| summarize makeset(Computer), ComputerCount = dcount(Computer) by bin(TimeGenerated, 1d), Account = tolower(Account), IpAddress\\n// Connection count to computer by same account and IP to exclude counts of 5 or more on a given day\\n| where ComputerCount \u003e= threshold\\n| mvexpand set_Computer\\n| extend Computer = toupper(set_Computer)\\n),\\n(WindowsEvent\\n| where TimeGenerated \u003e= ago(starttime) and TimeGenerated \u003c ago(endtime)\\n| where EventID == 4624 and EventData has (\\\"10\\\")\\n| extend LogonType = tostring(EventData.LogonType)\\n| where LogonType == 10 \\n| extend Account = strcat(tostring(EventData.TargetDomainName),\\\"\\\\\\\\\\\", tostring(EventData.TargetUserName))\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| summarize makeset(Computer), ComputerCount = dcount(Computer) by bin(TimeGenerated, 1d), Account = tolower(Account), IpAddress\\n// Connection count to computer by same account and IP to exclude counts of 5 or more on a given day\\n| where ComputerCount \u003e= threshold\\n| mvexpand set_Computer\\n| extend Computer = toupper(set_Computer)\\n))\\n) on Account, $left.SecondComputer == $right.Computer, $left.SecondIPAddress == $right.IpAddress\\n| summarize FirstHopFirstSeen = min(FirstHop), FirstHopLastSeen = max(FirstHop) by Account, FirstComputer, FirstIPAddress, SecondHop, SecondComputer, \\nSecondIPAddress, AccountType, Activity, LogonTypeName, ProcessName\\n| extend timestamp = FirstHopFirstSeen, AccountCustomEntity = Account, HostCustomEntity = FirstComputer, IPCustomEntity = FirstIPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"LateralMovement\"],\"displayName\":\"RDP Nesting\",\"description\":\"Identifies when an RDP connection is made to a first system and then an RDP connection is made from the first system\\nto another system with the same account within the 60 minutes. Additionally, if historically daily\\nRDP connections are indicated by the logged EventID 4624 with LogonType = 10\",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2019-10-21T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/884c4957-70ea-4f57-80b9-1bca3890315b\",\"name\":\"884c4957-70ea-4f57-80b9-1bca3890315b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let timeBin = 10m;\\nlet failedThreshold = 100;\\nW3CIISLog\\n| where scStatus in (\\\"401\\\",\\\"403\\\")\\n| where csUserName != \\\"-\\\"\\n// Handling Exchange specific items in IIS logs to remove the unique log identifier in the URI\\n| extend csUriQuery = iff(csUriQuery startswith \\\"MailboxId=\\\", tostring(split(csUriQuery, \\\"\u0026\\\")[0]) , csUriQuery )\\n| extend csUriQuery = iff(csUriQuery startswith \\\"X-ARR-CACHE-HIT=\\\", strcat(tostring(split(csUriQuery, \\\"\u0026\\\")[0]),tostring(split(csUriQuery, \\\"\u0026\\\")[1])) , csUriQuery )\\n| extend scStatusFull = strcat(scStatus, \\\".\\\",scSubStatus) \\n// Map common IIS codes\\n| extend scStatusFull_Friendly = case(\\nscStatusFull == \\\"401.0\\\", \\\"Access denied.\\\",\\nscStatusFull == \\\"401.1\\\", \\\"Logon failed.\\\",\\nscStatusFull == \\\"401.2\\\", \\\"Logon failed due to server configuration.\\\",\\nscStatusFull == \\\"401.3\\\", \\\"Unauthorized due to ACL on resource.\\\",\\nscStatusFull == \\\"401.4\\\", \\\"Authorization failed by filter.\\\",\\nscStatusFull == \\\"401.5\\\", \\\"Authorization failed by ISAPI/CGI application.\\\",\\nscStatusFull == \\\"403.0\\\", \\\"Forbidden.\\\",\\nscStatusFull == \\\"403.4\\\", \\\"SSL required.\\\",\\n\\\"See - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\\")\\n// Mapping to Hex so can be mapped using website in comments above\\n| extend scWin32Status_Hex = tohex(tolong(scWin32Status)) \\n// Map common win32 codes\\n| extend scWin32Status_Friendly = case(\\nscWin32Status_Hex =~ \\\"775\\\", \\\"The referenced account is currently locked out and cannot be logged on to.\\\",\\nscWin32Status_Hex =~ \\\"52e\\\", \\\"Logon failure: Unknown user name or bad password.\\\",\\nscWin32Status_Hex =~ \\\"532\\\", \\\"Logon failure: The specified account password has expired.\\\",\\nscWin32Status_Hex =~ \\\"533\\\", \\\"Logon failure: Account currently disabled.\\\", \\nscWin32Status_Hex =~ \\\"2ee2\\\", \\\"The request has timed out.\\\", \\nscWin32Status_Hex =~ \\\"0\\\", \\\"The operation completed successfully.\\\", \\nscWin32Status_Hex =~ \\\"1\\\", \\\"Incorrect function.\\\", \\nscWin32Status_Hex =~ \\\"2\\\", \\\"The system cannot find the file specified.\\\", \\nscWin32Status_Hex =~ \\\"3\\\", \\\"The system cannot find the path specified.\\\", \\nscWin32Status_Hex =~ \\\"4\\\", \\\"The system cannot open the file.\\\", \\nscWin32Status_Hex =~ \\\"5\\\", \\\"Access is denied.\\\", \\nscWin32Status_Hex =~ \\\"8009030e\\\", \\\"SEC_E_NO_CREDENTIALS\\\", \\nscWin32Status_Hex =~ \\\"8009030C\\\", \\\"SEC_E_LOGON_DENIED\\\", \\n\\\"See - https://msdn.microsoft.com/library/cc231199.aspx\\\")\\n// decode URI when available\\n| extend decodedUriQuery = url_decode(csUriQuery)\\n// Count of failed logons by a user\\n| summarize makeset(decodedUriQuery), makeset(cIP), makeset(sSiteName), makeset(sPort), makeset(csUserAgent), makeset(csMethod), makeset(csUriQuery), makeset(scStatusFull), makeset(scStatusFull_Friendly), makeset(scWin32Status_Hex), makeset(scWin32Status_Friendly), FailedConnectionsCount = count() by bin(TimeGenerated, timeBin), csUserName, Computer, sIP\\n| where FailedConnectionsCount \u003e= failedThreshold\\n| project TimeGenerated, csUserName, set_decodedUriQuery, Computer, set_sSiteName, sIP, set_cIP, set_sPort, set_csUserAgent, set_csMethod, set_scStatusFull, set_scStatusFull_Friendly, set_scWin32Status_Hex, set_scWin32Status_Friendly, FailedConnectionsCount\\n| order by FailedConnectionsCount\\n| extend timestamp = TimeGenerated, AccountCustomEntity = csUserName, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"High count of failed logons by a user\",\"description\":\"Identifies when 100 or more failed attempts by a given user in 10 minutes occur on the IIS Server.\\nThis could be indicative of attempted brute force based on known account information.\\nThis could also simply indicate a misconfigured service or device. \\nReferences:\\nIIS status code mapping - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\nWin32 Status code mapping - https://msdn.microsoft.com/library/cc231199.aspx\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-03-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7efc75ce-e2a4-400f-a8b1-283d3b0f2c60\",\"name\":\"7efc75ce-e2a4-400f-a8b1-283d3b0f2c60\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Low\",\"query\":\"let WellKnownLocalSID = \\\"S-1-5-32-5[0-9][0-9]$\\\";\\nlet WellKnownGroupSID = \\\"S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\\\";\\nlet AC_Add = \\n(union isfuzzy=true \\n(SecurityEvent\\n// Event ID related to member addition.\\n| where EventID in (4728, 4732,4756) \\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID \\n| parse EventData with * \u0027\\\"MemberName\\\"\u003e\u0027 * \u0027=\u0027 AccountAdded \\\",OU\\\" *\\n| where isnotempty(AccountAdded)\\n| extend GroupAddedTo = TargetUserName, AddingAccount = Account \\n| extend AccountAdded_GroupAddedTo_AddingAccount = strcat(AccountAdded, \\\"||\\\", GroupAddedTo, \\\"||\\\", AddingAccount )\\n| project AccountAdded_GroupAddedTo_AddingAccount, AccountAddedTime = TimeGenerated\\n),\\n(WindowsEvent\\n// Event ID related to member addition.\\n| where EventID in (4728, 4732,4756) \\n| extend TargetSid = tostring(EventData.TargetSid)\\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID \\n| parse EventData.MemberName with * \u0027\\\"MemberName\\\"\u003e\u0027 * \u0027=\u0027 AccountAdded \\\",OU\\\" *\\n| where isnotempty(AccountAdded)\\n| extend TargetUserName = tostring(EventData.TargetUserName)\\n| extend AddingAccount = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend GroupAddedTo = TargetUserName\\n| extend AccountAdded_GroupAddedTo_AddingAccount = strcat(AccountAdded, \\\"||\\\", GroupAddedTo, \\\"||\\\", AddingAccount )\\n| project AccountAdded_GroupAddedTo_AddingAccount, AccountAddedTime = TimeGenerated\\n)\\n);\\nlet AC_Remove = \\n( union isfuzzy=true \\n(SecurityEvent\\n// Event IDs related to member removal.\\n| where EventID in (4729,4733,4757)\\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID \\n| parse EventData with * \u0027\\\"MemberName\\\"\u003e\u0027 * \u0027=\u0027 AccountRemoved \\\",OU\\\" * \\n| where isnotempty(AccountRemoved)\\n| extend GroupRemovedFrom = TargetUserName, RemovingAccount = Account\\n| extend AccountRemoved_GroupRemovedFrom_RemovingAccount = strcat(AccountRemoved, \\\"||\\\", GroupRemovedFrom, \\\"||\\\", RemovingAccount)\\n| project AccountRemoved_GroupRemovedFrom_RemovingAccount, AccountRemovedTime = TimeGenerated, Computer, RemovedAccountId = tolower(AccountRemoved), \\nRemovedByUser = SubjectUserName, RemovedByUserLogonId = SubjectLogonId, GroupRemovedFrom = TargetUserName, TargetDomainName\\n),\\n(WindowsEvent\\n// Event IDs related to member removal.\\n| where EventID in (4729,4733,4757)\\n| extend TargetSid = tostring(EventData.TargetSid)\\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID \\n| parse EventData.MemberName with * \u0027\\\"MemberName\\\"\u003e\u0027 * \u0027=\u0027 AccountRemoved \\\",OU\\\" * \\n| where isnotempty(AccountRemoved)\\n| extend TargetUserName = tostring(EventData.TargetUserName)\\n| extend RemovingAccount = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend GroupRemovedFrom = TargetUserName\\n| extend AccountRemoved_GroupRemovedFrom_RemovingAccount = strcat(AccountRemoved, \\\"||\\\", GroupRemovedFrom, \\\"||\\\", RemovingAccount)\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| extend SubjectLogonId = tostring(EventData.SubjectLogonId)\\n| extend TargetDomainName = tostring(EventData.TargetDomainName)\\n| project AccountRemoved_GroupRemovedFrom_RemovingAccount, AccountRemovedTime = TimeGenerated, Computer, RemovedAccountId = tolower(AccountRemoved), \\nRemovedByUser = SubjectUserName, RemovedByUserLogonId = SubjectLogonId, GroupRemovedFrom = TargetUserName, TargetDomainName\\n)); \\nAC_Add \\n| join kind= inner AC_Remove on $left.AccountAdded_GroupAddedTo_AddingAccount == $right.AccountRemoved_GroupRemovedFrom_RemovingAccount \\n| extend DurationinSecondAfter_Removed = datetime_diff (\u0027second\u0027, AccountRemovedTime, AccountAddedTime)\\n| where DurationinSecondAfter_Removed \u003e 0\\n| project-away AccountRemoved_GroupRemovedFrom_RemovingAccount\\n| extend timestamp = AccountAddedTime, AccountCustomEntity = RemovedAccountId, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Account added and removed from privileged groups\",\"description\":\"Identifies accounts that are added to privileged group and then quickly removed, which could be a sign of compromise.\u0027 \",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2019-04-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f68a5046-b7eb-4f69-9519-1e99708bb9e0\",\"name\":\"f68a5046-b7eb-4f69-9519-1e99708bb9e0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"DeviceFileEvents\\n | where ActionType =~ \\\"FileCreated\\\"\\n | where FolderPath has \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\spool\\\\\\\\drivers\\\\\\\\color\\\\\\\\\\\" \\n | where FileName endswith \\\".exe\\\" or FileName endswith \\\".dll\\\"\",\"entityMappings\":[{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"FileName\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"DeviceName\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"PE file dropped in Color Profile Folder\",\"description\":\"This query looks for writes of PE files to C:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\color\\\\.\\n This is a common directory used by malware, as well as some legitimate programs, and writes of PE files to the folder should be monitored.\\n Ref: https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/\",\"lastUpdatedDateUTC\":\"2022-07-26T00:00:00Z\",\"createdDateUTC\":\"2022-07-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a3df4a32-4805-4c6d-8699-f3c888af2f67\",\"name\":\"a3df4a32-4805-4c6d-8699-f3c888af2f67\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"let Alert1 = \\nSecurityAlert\\n| where AlertName == \\\"Unfamiliar sign-in properties\\\"\\n| extend UserPrincipalName = tostring(parse_json(ExtendedProperties).[\\\"User Account\\\"])\\n| extend Alert1Time = TimeGenerated\\n| extend Alert1 = AlertName\\n| extend Alert1Severity = AlertSeverity\\n;\\nlet Alert2 = \\nSecurityAlert\\n| where AlertName == \\\"Atypical travel\\\"\\n| extend UserPrincipalName = tostring(parse_json(ExtendedProperties).[\\\"User Account\\\"])\\n| extend Alert2Time = TimeGenerated\\n| extend Alert2 = AlertName\\n| extend Alert2Severity = AlertSeverity\\n| extend CurrentLocation = strcat(tostring(parse_json(tostring(parse_json(Entities)[2].Location)).CountryCode), \\\"|\\\", tostring(parse_json(tostring(parse_json(Entities)[2].Location)).State), \\\"|\\\", tostring(parse_json(tostring(parse_json(Entities)[2].Location)).City))\\n| extend PreviousLocation = strcat(tostring(parse_json(tostring(parse_json(Entities)[3].Location)).CountryCode), \\\"|\\\", tostring(parse_json(tostring(parse_json(Entities)[3].Location)).State), \\\"|\\\", tostring(parse_json(tostring(parse_json(Entities)[3].Location)).City))\\n| extend CurrentIPAddress = tostring(parse_json(Entities)[2].Address)\\n| extend PreviousIPAddress = tostring(parse_json(Entities)[3].Address)\\n;\\nAlert1\\n| join kind=inner Alert2 on UserPrincipalName\\n| where abs(datetime_diff(\u0027minute\u0027, Alert1Time, Alert2Time)) \u003c=10\\n| extend TimeDelta = Alert1Time - Alert2Time\\n| project UserPrincipalName, Alert1, Alert1Time, Alert1Severity, Alert2, Alert2Time, Alert2Severity, TimeDelta, CurrentLocation, PreviousLocation, CurrentIPAddress, PreviousIPAddress\\n| extend AccountCustomEntity = UserPrincipalName\\n| extend IPCustomEntity = CurrentIPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Correlate Unfamiliar sign-in properties and atypical travel alerts\",\"description\":\"The combination of an Unfamiliar sign-in properties alert and an Atypical travel alert about the same user within a +10m or -10m window is considered a high severity incident.\",\"lastUpdatedDateUTC\":\"2021-12-07T00:00:00Z\",\"createdDateUTC\":\"2020-09-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectoryIdentityProtection\",\"dataTypes\":[\"SecurityAlert (IPC)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ed8c9153-6f7a-4602-97b4-48c336b299e1\",\"name\":\"ed8c9153-6f7a-4602-97b4-48c336b299e1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let guids = dynamic([\\\"{ddc05a5a-351a-4e06-8eaf-54ec1bc2dcea}\\\",\\\"{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\\\",\\\"{4590f811-1d3a-11d0-891f-00aa004b2e24}\\\", \\\"{4de225bf-cf59-4cfc-85f7-68b90f185355}\\\", \\\"{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A}\\\"]);\\n let mde_data = DeviceRegistryEvents\\n | where ActionType =~ \\\"RegistryValueSet\\\"\\n | where RegistryKey contains \\\"HKEY_LOCAL_MACHINE\\\\\\\\SOFTWARE\\\\\\\\Classes\\\\\\\\CLSID\\\"\\n | where RegistryKey has_any (guids)\\n | where RegistryValueData has \\\"System32\\\\\\\\spool\\\\\\\\drivers\\\\\\\\color\\\";\\n let event_data = SecurityEvent\\n | where EventID == 4657\\n | where ObjectName contains \\\"HKEY_LOCAL_MACHINE\\\\\\\\SOFTWARE\\\\\\\\Classes\\\\\\\\CLSID\\\"\\n | where ObjectName has_any (guids)\\n | where NewValue has \\\"System32\\\\\\\\spool\\\\\\\\drivers\\\\\\\\color\\\"\\n | extend RegistryKey = ObjectName, RegistryValueData = NewValue, DeviceName=Computer, InitiatingProcessFileName = Process, InitiatingProcessAccountName=SubjectAccount;\\n union mde_data, event_data\",\"entityMappings\":[{\"entityType\":\"RegistryKey\",\"fieldMappings\":[{\"identifier\":\"Key\",\"columnName\":\"RegistryKey\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"DeviceName\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"InitiatingProcessFileName\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingProcessAccountName\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"COM Registry Key Modified to Point to File in Color Profile Folder\",\"description\":\"This query looks for changes to COM registry keys to point to files in C:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\color\\\\.\\n This can be used to enable COM hijacking for persistence.\\n Ref: https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/\",\"lastUpdatedDateUTC\":\"2022-07-26T00:00:00Z\",\"createdDateUTC\":\"2022-07-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceRegistryEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a7564d76-ec6b-4519-a66b-fcc80c42332b\",\"name\":\"a7564d76-ec6b-4519-a66b-fcc80c42332b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let WellKnownLocalSID = \\\"S-1-5-32-5[0-9][0-9]$\\\";\\nlet WellKnownGroupSID = \\\"S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\\\";\\nlet GroupAddition = (union isfuzzy=true \\n(SecurityEvent \\n// 4728 - A member was added to a security-enabled global group\\n// 4732 - A member was added to a security-enabled local group\\n// 4756 - A member was added to a security-enabled universal group \\n| where EventID in (\\\"4728\\\", \\\"4732\\\", \\\"4756\\\") \\n| where AccountType =~ \\\"User\\\" and MemberName == \\\"-\\\"\\n// Exclude Remote Desktop Users group: S-1-5-32-555\\n| where TargetSid !in (\\\"S-1-5-32-555\\\")\\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID\\n| project GroupAddTime = TimeGenerated, GroupAddEventID = EventID, GroupAddActivity = Activity, GroupAddComputer = Computer, GroupAddTargetAccount = TargetAccount, \\nGroupAddTargetSid = TargetSid, GroupAddSubjectAccount = SubjectAccount, GroupAddSubjectUserSid = SubjectUserSid, GroupSid = MemberSid\\n),\\n(\\nWindowsEvent \\n// 4728 - A member was added to a security-enabled global group\\n// 4732 - A member was added to a security-enabled local group\\n// 4756 - A member was added to a security-enabled universal group \\n| where EventID in (\\\"4728\\\", \\\"4732\\\", \\\"4756\\\") and not(EventData has \\\"S-1-5-32-555\\\")\\n| extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend AccountType=case(Account endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n| extend MemberName = tostring(EventData.MemberName)\\n| where AccountType =~ \\\"User\\\" and MemberName == \\\"-\\\"\\n// Exclude Remote Desktop Users group: S-1-5-32-555\\n| extend TargetSid = tostring(EventData.TargetSid)\\n| where TargetSid !in (\\\"S-1-5-32-555\\\")\\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID\\n| extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| extend MemberSid = tostring(EventData.MemberSid)\\n| extend Activity= \\\"GroupAddActivity\\\"\\n| project GroupAddTime = TimeGenerated, GroupAddEventID = EventID, GroupAddActivity = Activity, GroupAddComputer = Computer, GroupAddTargetAccount = TargetAccount, \\nGroupAddTargetSid = TargetSid, GroupAddSubjectAccount = Account, GroupAddSubjectUserSid = SubjectUserSid, GroupSid = MemberSid\\n));\\nlet GroupCreated = (union isfuzzy=true \\n(SecurityEvent\\n// 4727 - A security-enabled global group was created\\n// 4731 - A security-enabled local group was created\\n// 4754 - A security-enabled universal group was created\\n| where EventID in (\\\"4727\\\", \\\"4731\\\", \\\"4754\\\")\\n| where AccountType =~ \\\"User\\\"\\n| project GroupCreateTime = TimeGenerated, GroupCreateEventID = EventID, GroupCreateActivity = Activity, GroupCreateComputer = Computer, GroupCreateTargetAccount = TargetAccount, \\nGroupCreateSubjectAccount = SubjectAccount, GroupCreateSubjectUserSid = SubjectUserSid, GroupSid = TargetSid\\n),\\n(WindowsEvent\\n// 4727 - A security-enabled global group was created\\n// 4731 - A security-enabled local group was created\\n// 4754 - A security-enabled universal group was created\\n| where EventID in (\\\"4727\\\", \\\"4731\\\", \\\"4754\\\")\\n| extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend AccountType=case(Account endswith \\\"$\\\", \\\"Machine\\\", iff(SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", iff(isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")))\\n| where AccountType =~ \\\"User\\\"\\n| extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| extend SubjectAccount = strcat(EventData.SubjectDomainName,\\\"\\\\\\\\\\\", EventData.SubjectUserName) \\n| extend TargetSid = tostring(EventData.TargetSid) \\n| extend Activity= \\\"GroupAddActivity\\\"\\n| project GroupCreateTime = TimeGenerated, GroupCreateEventID = EventID, GroupCreateActivity = Activity, GroupCreateComputer = Computer, GroupCreateTargetAccount = TargetAccount, \\nGroupCreateSubjectAccount = SubjectAccount, GroupCreateSubjectUserSid = SubjectUserSid, GroupSid = TargetSid\\n));\\nGroupCreated\\n| join (\\nGroupAddition\\n) on GroupSid \\n| extend timestamp = GroupCreateTime, AccountCustomEntity = GroupCreateSubjectAccount, HostCustomEntity = GroupCreateComputer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"Sid\",\"columnName\":\"GroupCreateSubjectUserSid\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Group created then added to built in domain local or global group\",\"description\":\"Identifies when a recently created Group was added to a privileged built in domain local group or global group such as the \\nEnterprise Admins, Cert Publishers or DnsAdmins. Be sure to verify this is an expected addition.\\nReferences: For AD SID mappings - https://docs.microsoft.com/windows/security/identity-protection/access-control/active-directory-security-groups.\",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3b443f22-9be9-4c35-ac70-a94757748439\",\"name\":\"3b443f22-9be9-4c35-ac70-a94757748439\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"let files1 = dynamic([\\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\lsa.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\pa.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\pc.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\Rar.exe\\\"]);\\nlet files2 = dynamic([\\\"svchost.exe\\\",\\\"wdmsvc.exe\\\"]);\\nlet FileHash1 = dynamic([\\\"43109fbe8b752f7a9076eaafa417d9ae5c6e827cd5374b866672263fdebd5ec3\\\", \\\"ab50d8d707b97712178a92bbac74ccc2a5699eb41c17aa77f713ff3e568dcedb\\\", \\\"010e32be0f86545e116a8bc3381a8428933eb8789f32c261c81fd5e7857d4a77\\\", \\\"56cd102b9fc7f3523dad01d632525ff673259dbc9a091be0feff333c931574f7\\\"]);\\nlet FileHash2 = dynamic([\\\"2a1044e9e6e87a032f80c6d9ea6ae61bbbb053c0a21b186ecb3b812b49eb03b7\\\", \\\"9ab7e99ed84f94a7b6409b87e56dc6e1143b05034a5e4455e8c555dbbcd0d2dd\\\", \\\"18a072ccfab239e140d8f682e2874e8ff19d94311fc8bb9564043d3e0deda54b\\\"]);\\nDeviceProcessEvents\\n| where ( FolderPath has_any (files1) and SHA256 has_any (FileHash1)) or (FolderPath has_any (files2) and SHA256 has_any (FileHash2))\\n| extend DvcId = DeviceId\\n| join kind=leftouter (SecurityAlert\\n| where ProviderName =~ \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| mv-expand todynamic(Entities)\\n| extend DvcId = tostring(parse_json(Entities).MdatpDeviceId)\\n| where isnotempty(DvcId)\\n// Higher risk score are for Defender alerts related to threat actor\\n| extend AlertRiskScore = iif(ThreatName has_any (\\\"Backdoor:MSIL/ShellClient.A\\\", \\\"Backdoor:MSIL/ShellClient.A!dll\\\", \\\"Trojan:MSIL/Mimikatz.BA!MTB\\\"), 1.0, 0.5)\\n| project DvcId, AlertRiskScore) on DvcId\\n| extend AlertRiskScore = iif(isempty(AlertRiskScore), 0.0, AlertRiskScore)\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName, AccountCustomEntity = AccountName\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"FileName\"}]}],\"tactics\":[\"CredentialAccess\",\"Execution\"],\"displayName\":\"Dev-0228 File Path Hashes November 2021\",\"description\":\"This hunting query looks for file paths/hashes related to observed activity by Dev-0228. The actor is known to use custom version of popular tool like PsExec, Procdump etc. to carry its activity.\\n The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2021-11-18T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftDefenderAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert (MDATP)\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2f561e20-d97b-4b13-b02d-18b34af6e87c\",\"name\":\"2f561e20-d97b-4b13-b02d-18b34af6e87c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\nlet cmdList = dynamic([\\\"Set-CASMailbox\\\",\\\"ActiveSyncAllowedDeviceIDs\\\",\\\"add\\\"]);\\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where EventID == 4688\\n| where CommandLine has_all (cmdList)\\n| project Type, TimeGenerated, Computer, Account, SubjectDomainName, SubjectUserName, Process, ParentProcessName, CommandLine\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n( WindowsEvent\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where EventID == 4688\\n| where EventData has_all (cmdList)\\n| extend CommandLine = tostring(EventData.CommandLine) \\n| where CommandLine has_all (cmdList)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| project Type, TimeGenerated, Computer, Account, SubjectDomainName, SubjectUserName, Process, ParentProcessName, CommandLine\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(\\nDeviceProcessEvents\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where InitiatingProcessCommandLine has_all (cmdList)\\n| project Type, TimeGenerated, DeviceName, AccountName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessParentFileName, InitiatingProcessCommandLine\\n| extend timestamp = TimeGenerated, AccountCustomEntity = AccountName, HostCustomEntity = DeviceName\\n),\\n(\\nEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key=tostring([\u0027@Name\u0027]), Value=[\u0027#text\u0027]\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where CommandLine has_all (cmdList)\\n| extend Type = strcat(Type, \\\": \\\", Source)\\n| project Type, TimeGenerated, Computer, User, Process, ParentImage, CommandLine\\n| extend timestamp = TimeGenerated, AccountCustomEntity = User, HostCustomEntity = Computer\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Email access via active sync\",\"description\":\"This query detects attempts to add attacker devices as allowed IDs for active sync using the Set-CASMailbox command.\\nThis technique was seen in relation to Solorigate attack but the results can indicate potential malicious activity used in different attacks.\\n- Note that this query can be changed to use the KQL \\\"has_all\\\" operator, which hasn\u0027t yet been documented officially, but will be soon.\\n In short, \\\"has_all\\\" will only match when the referenced field has all strings in the list.\\n- Refer to Set-CASMailbox syntax: https://learn.microsoft.com/powershell/module/exchange/set-casmailbox?view=exchange-ps \",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-02-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2c55fe7a-b06f-4029-a5b9-c54a2320d7b8\",\"name\":\"2c55fe7a-b06f-4029-a5b9-c54a2320d7b8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet TotalEventsThreshold = 5;\\nlet ExeList = dynamic([\\\"powershell.exe\\\",\\\"cmd.exe\\\",\\\"wmic.exe\\\",\\\"psexec.exe\\\",\\\"cacls.exe\\\",\\\"rundll.exe\\\"]);\\nlet TimeSeriesData =\\nSecurityEvent\\n| where EventID == 4688 | extend Process = tolower(Process)\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where Process in (ExeList)\\n| project TimeGenerated, Computer, AccountType, Account, Process\\n| make-series Total=count() on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by Process;\\nlet TimeSeriesAlerts = materialize(TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(Total, 1.5, -1, \u0027linefit\u0027)\\n| mv-expand Total to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to typeof(double), baseline to typeof(long)\\n| where anomalies \u003e 0\\n| project Process, TimeGenerated, Total, baseline, anomalies, score\\n| where Total \u003e TotalEventsThreshold);\\nlet AnomalyHours = materialize(TimeSeriesAlerts | where TimeGenerated \u003e ago(2d) | project TimeGenerated);\\nTimeSeriesAlerts\\n| where TimeGenerated \u003e ago(2d)\\n| join (\\nSecurityEvent\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n| where EventID == 4688 | extend Process = tolower(Process)\\n| summarize CommandlineCount = count() by bin(TimeGenerated, 1h), Process, CommandLine, Computer, Account\\n) on Process, TimeGenerated\\n| project AnomalyHour = TimeGenerated, Computer, Account, Process, CommandLine, CommandlineCount, Total, baseline, anomalies, score\\n| extend timestamp = AnomalyHour, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"Process execution frequency anomaly\",\"description\":\"Identifies anomalous spike in frequency of executions of sensitive processes which are often leveraged as attack vectors.\\nThe query leverages KQL built-in anomaly detection algorithms to find large deviations from baseline patterns.\\nSudden increases in execution frequency of sensitive processes should be further investigated for malicious activity.\\nTune the values from 1.5 to 3 in series_decompose_anomalies for further outliers or based on custom threshold values for score.\",\"lastUpdatedDateUTC\":\"2022-03-07T00:00:00Z\",\"createdDateUTC\":\"2019-05-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/694c91ee-d606-4ba9-928e-405a2dd0ff0f\",\"name\":\"694c91ee-d606-4ba9-928e-405a2dd0ff0f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.6\",\"severity\":\"High\",\"query\":\"let queryperiod = 14d;\\nlet queryfrequency = 2h;\\nlet security_info_actions = dynamic([\\\"User registered security info\\\", \\\"User changed default security info\\\", \\\"User deleted security info\\\", \\\"Admin updated security info\\\", \\\"User reviewed security info\\\", \\\"Admin deleted security info\\\", \\\"Admin registered security info\\\"]);\\nlet VIPUsers = (\\n IdentityInfo\\n | where TimeGenerated \u003e ago(queryperiod)\\n | mv-expand AssignedRoles\\n | where AssignedRoles matches regex \u0027Admin\u0027\\n | summarize by tolower(AccountUPN));\\nAuditLogs\\n| where TimeGenerated \u003e ago(queryfrequency)\\n| where Category =~ \\\"UserManagement\\\"\\n| where ActivityDisplayName in (security_info_actions)\\n| extend Initiator = tostring(InitiatedBy.user.userPrincipalName)\\n| extend IP = tostring(InitiatedBy.user.ipAddress)\\n| extend Target = tolower(tostring(TargetResources[0].userPrincipalName))\\n| where Target in (VIPUsers)\\n// Uncomment the line below if you are experiencing high volumes of Target entities. If this is uncommented, the Target column will not be mapped to an entity.\\n//| summarize Start=min(TimeGenerated), End=max(TimeGenerated), Actions = make_set(ResultReason, MaxSize=8), Targets=make_set(Target, MaxSize=256) by Initiator, IP, Result\\n// Comment out this line below, if line above is used.\\n| summarize Start=min(TimeGenerated), End=max(TimeGenerated), Actions = make_set(ResultReason, MaxSize=8) by Initiator, IP, Result, Targets = Target\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Targets\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Initiator\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IP\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Authentication Methods Changed for Privileged Account\",\"description\":\"Identifies authentication methods being changed for a privileged account. This could be an indication of an attacker adding an auth method to the account so they can have continued access.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6267ce44-1e9d-471b-9f1e-ae76a6b7aa84\",\"name\":\"6267ce44-1e9d-471b-9f1e-ae76a6b7aa84\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"SecurityAlert\\n| where AlertName =~ \\\"mass download by a single user\\\"\\n| extend Extprop = parse_json(ExtendedProperties)\\n| extend Computer = iff(isnotempty(toupper(tostring(Extprop[\\\"Compromised Host\\\"]))), toupper(tostring(Extprop[\\\"Compromised Host\\\"])), tostring(parse_json(Entities)[0].HostName))\\n| extend Account = iff(isnotempty(tolower(tostring(Extprop[\\\"User Name\\\"]))), tolower(tostring(Extprop[\\\"User Name\\\"])), tolower(tostring(Extprop[\\\"user name\\\"])))\\n| extend IpAddress = tostring(parse_json(ExtendedProperties).[\\\"IpAddress\\\"]) \\n| project timestamp=TimeGenerated, AlertName, Computer, Account, IpAddress, ExtendedProperties\\n| join kind=inner\\n( \\nDeviceEvents\\n| where ActionType == \\\"PnpDeviceConnected\\\"\\n| extend parsed = parse_json(AdditionalFields)\\n| project DeviceId, DriveClass = tostring(parsed.ClassName), UsbDeviceId = tostring(parsed.DeviceId), ClassId = tostring(parsed.DeviceId), DeviceDescription = tostring(parsed.DeviceDescription), VendorIds = tostring(parsed.VendorIds), AccountDomain,AccountName,TimeGenerated, ActionType, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, Type\\n| where DriveClass == \u0027USB\u0027 and DeviceDescription == \u0027USB Mass Storage Device\u0027\\n) on $left.Account == $right.AccountName\\n| join kind=inner \\n(\\nDeviceFileEvents\\n| where FolderPath !startswith \\\"c\\\" and FolderPath !startswith @\\\"\\\\\\\"\\n) on DeviceId\\n| project TimeGenerated, ActionType, Computer, FileName, FileSize, IpAddress, InitiatingProcessCommandLine, InitiatingProcessFileName, Account\\n| extend timestamp = TimeGenerated, CompromisedEntity = Computer, AccountCustomEntity=Account, ProcessCustomEntity = InitiatingProcessFileName, IPCustomEntity=IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CompromisedEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"Mass Download \u0026 copy to USB device by single user\",\"description\":\"This query looks for any mass download by a single user with possible file copy activity to a new USB drive. Malicious insiders may perform such activities that may cause harm to the organization. \\nThis query could also reveal unintentional insider that had no intention of malicious activity but their actions may impact an organizations security posture.\\nReference:https://docs.microsoft.com/defender-cloud-apps/policy-template-reference\",\"lastUpdatedDateUTC\":\"2022-05-04T00:00:00Z\",\"createdDateUTC\":\"2022-04-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftCloudAppSecurity\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceEvents\",\"DeviceFileEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3edb7215-250b-40c0-8b46-79093949242d\",\"name\":\"3edb7215-250b-40c0-8b46-79093949242d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let threshold = 10;\\nQualysHostDetectionV2_CL\\n| where Severity_s == \\\"5\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by NetBios_s, IPAddress\\n| where count_ \u003e= threshold\\n| extend timestamp = StartTime, HostCustomEntity = NetBios_s, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"High Number of Urgent Vulnerabilities Detected\",\"description\":\"This Creates an incident when a host has a high number of Urgent, severity 5, vulnerabilities detected.\",\"lastUpdatedDateUTC\":\"2021-12-08T00:00:00Z\",\"createdDateUTC\":\"2020-06-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"QualysVulnerabilityManagement\",\"dataTypes\":[\"QualysHostDetection_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/492fbe35-cbac-4a8c-9059-826782e6915a\",\"name\":\"492fbe35-cbac-4a8c-9059-826782e6915a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"AuditLogs\\n | where Category =~ \\\"ApplicationManagement\\\"\\n | where OperationName has_any (\\\"Update Application\\\", \\\"Update Service principal\\\")\\n | extend appName = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n | extend UPN = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend UpdatedBy = iif(isnotempty(appName), appName, UPN)\\n | extend mod_props = TargetResources[0].modifiedProperties\\n | extend AppName = tostring(TargetResources[0].displayName)\\n | mv-expand mod_props\\n | extend Action = tostring(mod_props.displayName)\\n | where Action contains \\\"Url\\\"\\n | extend OldURL = tostring(mod_props.oldValue)\\n | extend NewURL = tostring(mod_props.newValue)\\n | project-reorder TimeGenerated, OperationName, Action, AppName, OldURL, NewURL, UpdatedBy\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UpdatedBy\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"OldURL\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"NewURL\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Changes to Application Logout URL\",\"description\":\"Detects changes to an applications sign out URL.\\n Look for any modifications to a sign out URL. Blank entries or entries to non-existent locations would stop a user from terminating a session.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-applications#logout-url-modified-or-removed\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2441bce9-02e4-407b-8cc7-7d597f38b8b0\",\"name\":\"2441bce9-02e4-407b-8cc7-7d597f38b8b0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n AzureActivity | where TimeGenerated \u003e= ago(dt_lookBack)\\n // renaming time column so it is clear the log this came from\\n | extend AzureActivity_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.CallerIpAddress\\n| where AzureActivity_TimeGenerated \u003c ExpirationDateTime\\n| summarize AzureActivity_TimeGenerated = arg_max(AzureActivity_TimeGenerated, *) by IndicatorId, CallerIpAddress\\n| project AzureActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, CallerIpAddress, \\nCaller, OperationNameValue, ActivityStatusValue, CategoryValue, ResourceId, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = AzureActivity_TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceId\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to AzureActivity\",\"description\":\"Identifies a match in AzureActivity from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3174a9ec-d0ad-4152-8307-94ed04fa450a\",\"name\":\"3174a9ec-d0ad-4152-8307-94ed04fa450a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let SHA256Hash = \\\"1174fd03271f80f5e2a6435c72bdd0272a6e3a37049f6190abf125b216a83471\\\" ;\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where isnotempty(FileHash)\\n| where FileHash in (SHA256Hash) \\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updataing\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Hashes = EventDetail.[16].[\\\"#text\\\"]\\n| parse Hashes with * \u0027SHA256=\u0027 SHA265 \u0027,\u0027 * \\n| where isnotempty(Hashes)\\n| where Hashes in (SHA256Hash) \\n| extend Account = UserName\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"CredentialAccess\"],\"displayName\":\"Known ZINC related maldoc hash\",\"description\":\"Document hash used by ZINC in highly targeted spear phishing campaign.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-10-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d25b1998-a592-4bc5-8a3a-92b39eedb1bc\",\"name\":\"d25b1998-a592-4bc5-8a3a-92b39eedb1bc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"AWSCloudTrail\\n| where EventName =~ \\\"ConsoleLogin\\\" \\n| extend MFAUsed = tostring(parse_json(AdditionalEventData).MFAUsed), LoginResult = tostring(parse_json(ResponseElements).ConsoleLogin)\\n| where MFAUsed !~ \\\"Yes\\\" and LoginResult !~ \\\"Failure\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, LoginResult, MFAUsed, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, \\nUserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\",\"PrivilegeEscalation\",\"Persistence\",\"InitialAccess\"],\"displayName\":\"Login to AWS Management Console without MFA\",\"description\":\"Multi-Factor Authentication (MFA) helps you to prevent credential compromise. This alert identifies logins to the AWS Management Console without MFA.\\nYou can limit this detection to trigger for adminsitrative accounts if you do not have MFA enabled on all accounts.\\nThis is done by looking at the eventName ConsoleLogin and if the AdditionalEventData field indicates MFA was NOT used \\nand the ResponseElements field indicates NOT a Failure. Thereby indicating that a non-MFA login was successful.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0ed0fe7c-af29-4990-af7f-bb5ccb231198\",\"name\":\"0ed0fe7c-af29-4990-af7f-bb5ccb231198\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"AuditLogs\\n | where Category =~ \\\"RoleManagement\\\"\\n | where OperationName =~ \\\"Update role setting in PIM\\\"\\n | extend userPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend ipAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n | project-reorder TimeGenerated, OperationName, ResultReason, userPrincipalName, ipAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"userPrincipalName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ipAddress\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Changes to PIM Settings\",\"description\":\"PIM provides a key mechanism for assigning privileges to accounts, this query detects changes to PIM role settings.\\n Monitor these changes to ensure they are being made legitimately and don\u0027t confer more privileges than expected or reduce the security of a PIM elevation.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c805d9b1-97e7-4bc0-9172-67edb36273e4\",\"name\":\"c805d9b1-97e7-4bc0-9172-67edb36273e4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Microsoft 365 Insider Risk Management\",\"displayName\":\"(Private Preview) Create incidents based on Microsoft 365 Insider Risk Management\",\"description\":\"Create incidents based on all alerts generated in Microsoft 365 Insider Risk Management\",\"lastUpdatedDateUTC\":\"2021-05-13T00:00:00Z\",\"createdDateUTC\":\"2021-05-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"OfficeIRM\",\"dataTypes\":[\"SecurityAlert (OfficeIRM)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/09551db0-e147-4a0c-9e7b-918f88847605\",\"name\":\"09551db0-e147-4a0c-9e7b-918f88847605\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.6.2\",\"severity\":\"High\",\"query\":\"let tokens = dynamic([\\\"SSL_HandShaking\\\", \\\"ASN2_TYPE_new\\\", \\\"sql_blob_open\\\", \\\"cmsSetLogHandlerTHR\\\", \\\"ntSystemInfo\\\", \\\"SetWebFilterString\\\", \\\"CleanupBrokerString\\\", \\\"glInitSampler\\\", \\\"deflateSuffix\\\", \\\"ntWindowsProc\\\"]);\\nlet DomainNames = dynamic([\u0027codevexillium.org\u0027, \u0027angeldonationblog.com\u0027, \u0027investbooking.de\u0027, \u0027krakenfolio.com\u0027]);\\nlet SHA256Hash = dynamic([\u002758a74dceb2022cd8a358b92acd1b48a5e01c524c3b0195d7033e4bd55eff4495\u0027,\u0027e0e59bfc22876c170af65dcbf19f744ae560cc43b720b23b9d248f4505c02f3e\u0027,\u00273d3195697521973efe0097a320cbce0f0f98d29d50e044f4505e1fbc043e8cf9\u0027, \u00270a2d81164d524be7022ba8fd4e1e8e01bfd65407148569d172e2171b5cd76cd4\u0027, \u002796d7a93f6691303d39a9cc270b8814151dfec5683e12094537fd580afdf2e5fe\u0027,\u0027dc4cf164635db06b2a0b62d313dbd186350bca6fc88438617411a68df13ec83c\u0027, \u002746efd5179e43c9cbf07dcec22ce0d5527e2402655aee3afc016e5c260650284a\u0027, \u002795e42a94d4df1e7e472998f43b9879eb34aaa93f3705d7d3ef9e3b97349d7008\u0027, \u00279d5320e883264a80ea214077f44b1d4b22155446ad5083f4b27d2ab5bd127ef5\u0027, \u00279fd05063ad203581a126232ac68027ca731290d17bd43b5d3311e8153c893fe3\u0027, \u0027ada7e80c9d09f3efb39b729af238fcdf375383caaf0e9e0aed303931dc73b720\u0027, \u0027edb1597789c7ed784b85367a36440bf05267ac786efe5a4044ec23e490864cee\u0027, \u002733665ce1157ddb7cd7e905e3356b39245dfba17b7a658bdbf02b6968656b9998\u0027, \u00273ab770458577eb72bd6239fe97c35e7eb8816bce5a4b47da7bd0382622854f7c\u0027, \u0027b630ad8ffa11003693ce8431d2f1c6b8b126cd32b657a4bfa9c0dbe70b007d6c\u0027, \u002753f3e55c1217dafb8801af7087e7d68b605e2b6dde6368fceea14496c8a9f3e5\u0027, \u002799c95b5272c5b11093eed3ef2272e304b7a9311a22ff78caeb91632211fcb777\u0027, \u0027f21abadef52b4dbd01ad330efb28ef50f8205f57916a26daf5de02249c0f24ef\u0027, \u00272cbdea62e26d06080d114bbd922d6368807d7c6b950b1421d0aa030eca7e85da\u0027, \u0027079659fac6bd9a1ce28384e7e3a465be4380acade3b4a4a4f0e67fd0260e9447\u0027]);\\nlet SigNames = dynamic([\\\"Backdoor:Script/ComebackerCompile.A!dha\\\", \\\"Trojan:Win64/Comebacker.A!dha\\\", \\\"Trojan:Win64/Comebacker.A.gen!dha\\\", \\\"Trojan:Win64/Comebacker.B.gen!dha\\\", \\\"Trojan:Win32/Comebacker.C.gen!dha\\\", \\\"Trojan:Win32/Klackring.A!dha\\\", \\\"Trojan:Win32/Klackring.B!dha\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where isnotempty(FileHash)\\n| where FileHash in~ (SHA256Hash) or DNSName in~ (DomainNames)\\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n| project Type, TimeGenerated, Computer, Account, IPAddress, FileHash, DNSName\\n),\\n(_Im_Dns(domain_has_any=DomainNames)\\n| extend DNSName = DnsQuery\\n| extend Type = \\\"imDns\\\", IPAddress = SrcIpAddr, Computer=Dvc\\n| project Type, TimeGenerated, Computer, IPAddress, DNSName\\n),\\n(VMConnection\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where isnotempty(DNSName)\\n| where DNSName in~ (DomainNames)\\n| extend IPAddress = RemoteIp\\n| project Type, TimeGenerated, Computer, IPAddress, DNSName\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updataing\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Hashes = EventDetail.[16].[\\\"#text\\\"]\\n| where isnotempty(Hashes)\\n| parse Hashes with * \u0027SHA256=\u0027 SHA256 \u0027,\u0027 * \\n| where SHA256 in~ (SHA256Hash) \\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = Hashes\\n| project Type, TimeGenerated, Computer, Account, FileHash\\n),\\n(DeviceFileEvents\\n| where SHA256 in~ (SHA256Hash)\\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = SHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(imFileEvent\\n| where TargetFileSHA256 in~ (SHA256Hash)\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(DeviceNetworkEvents\\n| where RemoteUrl in~ (DomainNames)\\n| extend Computer = DeviceName, IPAddress = LocalIP, Account = InitiatingProcessAccountName\\n| project Type, TimeGenerated, Computer, Account, IPAddress, RemoteUrl\\n),\\n(SecurityAlert\\n| where ProductName == \\\"Microsoft Defender Advanced Threat Protection\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| where isnotempty(ThreatName)\\n| where ThreatName has_any (SigNames)\\n| extend Computer = tostring(parse_json(Entities)[0].HostName) \\n| project Type, TimeGenerated, Computer\\n),\\n(DeviceProcessEvents\\n| where FileName =~ \\\"powershell.exe\\\" or FileName =~ \\\"rundll32.exe\\\"\\n| where (ProcessCommandLine has \\\"is64bitoperatingsystem\\\" and ProcessCommandLine has \\\"Debug\\\\\\\\Browse\\\") or (ProcessCommandLine has_any (tokens))\\n| extend Computer = DeviceName, Account = AccountName, CommandLine = ProcessCommandLine\\n| project Type, TimeGenerated, Computer, Account, CommandLine, FileName\\n),\\n(SecurityEvent\\n| where EventID == 4688\\n| where ProcessName has_any (\\\"powershell.exe\\\", \\\"rundll32.exe\\\")\\n| where (CommandLine has \\\"is64bitoperatingsystem\\\" and CommandLine has \\\"Debug\\\\\\\\Browse\\\") or (CommandLine has_any (tokens))\\n| project Type, TimeGenerated, Computer, Account, ProcessName, CommandLine \\n),\\n( WindowsEvent\\n| where EventID == 4688\\n| where EventData has_any (\\\"powershell.exe\\\", \\\"rundll32.exe\\\") and EventData has_any (tokens, \\\"Debug\\\\\\\\Browse\\\",\\\"is64bitoperatingsystem\\\" ) \\n| extend ProcessName = tostring(EventData.ProcessName)\\n| where ProcessName has_any (\\\"powershell.exe\\\", \\\"rundll32.exe\\\")\\n| extend CommandLine = tostring(EventData.CommandLine) \\n| where (CommandLine has \\\"is64bitoperatingsystem\\\" and CommandLine has \\\"Debug\\\\\\\\Browse\\\") or (CommandLine has_any (tokens))\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| project Type, TimeGenerated, Computer, Account, ProcessName, CommandLine \\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPAddress = SourceHost\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"Execution\"],\"displayName\":\"Known ZINC Comebacker and Klackring malware hashes\",\"description\":\"ZINC attacks against security researcher campaign malware hashes.\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2021-01-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4ce177b3-56b1-4f0e-b83e-27eed4cb0b16\",\"name\":\"4ce177b3-56b1-4f0e-b83e-27eed4cb0b16\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let lookback = 14d;\\nlet timeframe = 1d;\\n// exclude allowed users from query such as the ADO service\\nlet allowed_users = dynamic([\\\"Azure DevOps Service\\\"]);\\nunion\\n// Look for agents being added to a pool of a OS type not seen with that pool before\\n(AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(lookback) and TimeGenerated \u003c ago(timeframe)\\n| where OperationName =~ \\\"Library.AgentAdded\\\"\\n| where ActorUPN !in (allowed_users)\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n| extend OsDescription = tostring(Data.OsDescription)\\n| where isnotempty(OsDescription)\\n| extend OsDescription = tostring(split(OsDescription, \\\"#\\\", 0)[0])\\n| project AgentPoolName, OsDescription\\n| join kind=rightanti (AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeframe)\\n| where OperationName == \\\"Library.AgentAdded\\\"\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n| extend OsDescription = tostring(Data.OsDescription)\\n| where isnotempty(OsDescription)\\n| extend OsDescription = tostring(split(OsDescription, \\\"#\\\", 0)[0])) on AgentPoolName, OsDescription),\\n// Look for users addeing agents to a pool that they have not added agents to before.\\n(AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(lookback) and TimeGenerated \u003c ago(timeframe)\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n| where ActorUPN !in (allowed_users)\\n| project AgentPoolName, ActorUPN\\n| join kind=rightanti (AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeframe)\\n| where OperationName == \\\"Library.AgentAdded\\\"\\n| where ActorUPN !in (allowed_users)\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n) on AgentPoolName, ActorUPN)\\n| extend AgentName = tostring(Data.AgentName)\\n| extend OsDescription = tostring(Data.OsDescription)\\n| extend SystemDetails = Data.SystemCapabilities\\n| project-reorder TimeGenerated, OperationName, ScopeDisplayName, AgentPoolName, AgentName, ActorUPN, IpAddress, UserAgent, OsDescription, SystemDetails, Data\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"New Agent Added to Pool by New User or Added to a New OS Type.\",\"description\":\"As seen in attacks such as SolarWinds attackers can look to subvert a build process by controlling build servers. Azure DevOps uses agent pools to execute pipeline tasks. \\nAn attacker could insert compromised agents that they control into the pools in order to execute malicious code. This query looks for users adding agents to pools they have \\nnot added agents to before, or adding agents to a pool of an OS that has not been added to that pool before. This detection has potential for false positives so has a \\nconfigurable allow list to allow for certain users to be excluded from the logic.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/05b4bccd-dd12-423d-8de4-5a6fb526bb4f\",\"name\":\"05b4bccd-dd12-423d-8de4-5a6fb526bb4f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"let known_processes = (\\n SecurityEvent\\n // If adjusting Query Period or Frequency update these\\n | where TimeGenerated between(ago(14d)..ago(1d))\\n | where EventID == 4688\\n | where NewProcessName has_any (\\\"Policies\\\\\\\\{6AC1786C-016F-11D2-945F-00C04fB984F9}\\\", \\\"Policies\\\\\\\\{31B2F340-016D-11D2-945F-00C04FB984F9}\\\")\\n | summarize by Process);\\n SecurityEvent\\n // If adjusting Query Period or Frequency update these\\n | where TimeGenerated \u003e ago(1d)\\n | where EventID == 4688\\n | where NewProcessName has_any (\\\"Policies\\\\\\\\{6AC1786C-016F-11D2-945F-00C04fB984F9}\\\", \\\"Policies\\\\\\\\{31B2F340-016D-11D2-945F-00C04FB984F9}\\\")\\n | where Process !in (known_processes)\\n // This will likely apply to multiple hosts so summarize these data\\n | summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated) by Process, NewProcessName, CommandLine, Computer\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"Execution\",\"LateralMovement\"],\"displayName\":\"New EXE deployed via Default Domain or Default Domain Controller Policies\",\"description\":\"This detection highlights executables deployed to hosts via either the Default Domain or Default Domain Controller Policies. These policies apply to all hosts or Domain Controllers and best practice is that these policies should not be used for deployment of files.\\nA threat actor may use these policies to deploy files or scripts to all hosts in a domain.\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-02-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c61ad0ac-ad68-4ebb-b41a-74296d3e0044\",\"name\":\"c61ad0ac-ad68-4ebb-b41a-74296d3e0044\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"Event\\n| where EventLog == \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID in (13)\\n| parse EventData with * \u0027TargetObject\\\"\u003e\u0027 TargetObject \\\"\u003c\\\" * \u0027Details\\\"\u003e\u0027 Details \\\"\u003c\\\" * \\n| where TargetObject has (\\\"\\\\\\\\Control\\\\\\\\Session Manager\\\\\\\\AppCertDLLs\\\\\\\\\\\")\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventID, Computer, TargetObject, Details\",\"entityMappings\":[{\"entityType\":\"RegistryKey\",\"fieldMappings\":[{\"identifier\":\"Key\",\"columnName\":\"TargetObject\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Registry Persistence via AppCert DLL Modification\",\"description\":\"Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppCert DLLs loaded into processes. \\nDynamic-link libraries (DLLs) that are specified in the AppCertDLLs Registry key under HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Control\\\\Session Manager\\\\ are loaded into every process that calls the ubiquitously used application programming interface (API) functions CreateProcess, CreateProcessAsUser, CreateProcessWithLoginW, CreateProcessWithTokenW, or WinExec.\\nRef: https://attack.mitre.org/techniques/T1546/009/\",\"lastUpdatedDateUTC\":\"2022-03-11T00:00:00Z\",\"createdDateUTC\":\"2022-03-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8ee967a2-a645-4832-85f4-72b635bcb3a6\",\"name\":\"8ee967a2-a645-4832-85f4-72b635bcb3a6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"//Adjust this threshold to fit the environment\\nlet signin_threshold = 5;\\n//Make a list of all IPs with failed signins to AAD above our threshold\\nlet aadFunc = (tableName:string){\\nlet suspicious_signins =\\ntable(tableName)\\n| where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n| where IPAddress !in (\u0027127.0.0.1\u0027, \u0027::1\u0027)\\n| summarize count() by IPAddress\\n| where count_ \u003e signin_threshold\\n| summarize make_set(IPAddress);\\n//See if any of these IPs have sucessfully logged into *nix hosts\\nlet linux_logons =\\nSyslog\\n| where Facility contains \\\"auth\\\" and ProcessName != \\\"sudo\\\"\\n| where SyslogMessage has \\\"Accepted\\\"\\n| extend SourceIP = extract(\\\"(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.(([0-9]{1,3})))\\\",1,SyslogMessage)\\n| where SourceIP in (suspicious_signins)\\n| extend Reason = \\\"Multiple failed AAD logins from IP address\\\"\\n| project TimeGenerated, Computer, HostIP, IpAddress = SourceIP, SyslogMessage, Facility, ProcessName, Reason;\\n//See if any of these IPs have sucessfully logged into Windows hosts\\nlet win_logons = (union isfuzzy=true\\n(SecurityEvent\\n| where EventID == 4624\\n| where LogonType in (10, 7, 3)\\n| where IpAddress != \\\"-\\\"\\n| where IpAddress in (suspicious_signins)\\n| extend Reason = \\\"Multiple failed AAD logins from IP address\\\"\\n| project TimeGenerated, Account, AccountType, Computer, Activity, EventID, LogonProcessName, IpAddress, LogonTypeName, TargetUserSid, Reason\\n),\\n(WindowsEvent\\n| where EventID == 4624 and has_any_ipv4(EventData, toscalar(suspicious_signins))\\n| extend LogonType = tostring(EventData.LogonType)\\n| where LogonType in (10, 7, 3)\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| where IpAddress != \\\"-\\\"\\n| where IpAddress in (suspicious_signins)\\n| extend Reason = \\\"Multiple failed AAD logins from IP address\\\"\\n| extend Activity = \\\"4624 - An account was successfully logged on.\\\"\\n| extend Account = strcat(tostring(EventData.TargetDomainName),\\\"\\\\\\\\\\\", tostring(EventData.TargetUserName))\\n| extend TargetUserSid = tostring(EventData.TargetUserSid)\\n| extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| extend AccountType =case(Account endswith \\\"$\\\" or TargetUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(TargetUserSid), \\\"\\\", \\\"User\\\")\\n| extend LogonProcessName = tostring(EventData.LogonProcessName)\\n| project TimeGenerated, Account, AccountType, Computer, Activity, EventID, LogonProcessName, IpAddress, TargetUserSid, Reason\\n)\\n);\\nunion isfuzzy=true linux_logons,win_logons\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, IPCustomEntity = IpAddress, HostCustomEntity = Computer\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"Failed AzureAD logons but success logon to host\",\"description\":\"Identifies a list of IP addresses with a minimum number (default of 5) of failed logon attempts to Azure Active Directory.\\nUses that list to identify any successful remote logons to hosts from these IPs within the same timeframe.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2019-08-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/46ac55ae-47b8-414a-8f94-89ccd1962178\",\"name\":\"46ac55ae-47b8-414a-8f94-89ccd1962178\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"let queryperiod = 1d;\\nlet mode = \u0027Blocked\u0027;\\nlet successCode = dynamic([\u0027200\u0027, \u0027101\u0027,\u0027204\u0027, \u0027400\u0027,\u0027504\u0027,\u0027304\u0027,\u0027401\u0027,\u0027500\u0027]);\\nlet sessionBin = 30m;\\nAzureDiagnostics\\n| where TimeGenerated \u003e ago(queryperiod)\\n| where Category == \u0027ApplicationGatewayFirewallLog\u0027 and action_s == mode\\n| sort by hostname_s asc, clientIp_s asc, TimeGenerated asc\\n| extend SessionBlockedStarted = row_window_session(TimeGenerated, queryperiod, 10m, ((clientIp_s != prev(clientIp_s)) or (hostname_s != prev(hostname_s))))\\n| summarize SessionBlockedEnded = max(TimeGenerated), SessionBlockedCount = count() by hostname_s, clientIp_s, SessionBlockedStarted\\n| extend TimeKey = range(bin(SessionBlockedStarted, sessionBin), bin(SessionBlockedEnded, sessionBin), sessionBin)\\n| mv-expand TimeKey to typeof(datetime)\\n| join kind = inner(\\n AzureDiagnostics\\n | where TimeGenerated \u003e ago(queryperiod)\\n | where Category == \u0027ApplicationGatewayAccessLog\u0027 and (isempty(httpStatus_d) or httpStatus_d in (successCode))\\n | extend TimeKey = bin(TimeGenerated, sessionBin)\\n) on TimeKey, $left.hostname_s == $right.host_s, $left.clientIp_s == $right.clientIP_s\\n| where TimeGenerated between (SessionBlockedStarted..SessionBlockedEnded)\\n| extend\\n originalRequestUriWithArgs_s = column_ifexists(\\\"originalRequestUriWithArgs_s\\\", \\\"\\\"),\\n serverStatus_s = column_ifexists(\\\"serverStatus_s\\\", \\\"\\\")\\n| summarize\\n SuccessfulAccessCount = count(),\\n UserAgents = make_set(userAgent_s, 250),\\n RequestURIs = make_set(requestUri_s, 250),\\n OriginalRequestURIs = make_set(originalRequestUriWithArgs_s, 250),\\n SuccessCodes = make_set(httpStatus_d, 250),\\n SuccessCodes_BackendServer = make_set(serverStatus_s, 250),\\n take_any(SessionBlockedEnded, SessionBlockedCount)\\n by hostname_s, clientIp_s, SessionBlockedStarted\\n| where SessionBlockedCount \u003e SuccessfulAccessCount\\n| extend timestamp = SessionBlockedStarted, IPCustomEntity = clientIp_s\\n| extend BlockvsSuccessRatio = SessionBlockedCount/toreal(SuccessfulAccessCount)\\n| sort by BlockvsSuccessRatio desc, timestamp asc\\n| project-reorder SessionBlockedStarted, SessionBlockedEnded, hostname_s, clientIp_s, SessionBlockedCount, SuccessfulAccessCount, BlockvsSuccessRatio, SuccessCodes, RequestURIs, OriginalRequestURIs, UserAgents\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"A potentially malicious web request was executed against a web server\",\"description\":\"Detects unobstructed Web Application Firewall (WAF) activity in sessions where the WAF blocked incoming requests by computing the \\nratio between blocked requests and unobstructed WAF requests in these sessions (BlockvsSuccessRatio metric). A high ratio value for \\na given client IP and hostname calls for further investigation of the WAF data in that session, due to the significantly high number \\nof blocked requests and a few unobstructed logs which may be malicious but have passed undetected through the WAF. The successCode \\nvariable defines what the detection thinks is a successful status code, and should be altered to fit the environment.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2020-11-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"WAF\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4d173248-439b-4741-8b37-f63ad0c896ae\",\"name\":\"4d173248-439b-4741-8b37-f63ad0c896ae\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Low\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ChiaCryptoIOC.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet process = (iocs | where Type =~ \\\"process\\\" | project IoC);\\n//This query uses sysmon data, sections that have - | where Source == \\\"Microsoft-Windows-Sysmon\\\" - may need to be updated with latest\\nWindowsEvent\\n| where EventID == \u00274688\u0027 and EventData has_any (process)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| where NewProcessName has_any (process)\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n , Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n , NewProcessId = tostring(EventData.NewProcessId)\\n| extend timestamp = TimeGenerated, Computer, Account, File = tostring(split(NewProcessName, \u0027\\\\\\\\\u0027, -1)[-1]), AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend FilePath = replace_string(NewProcessName, File, \u0027\u0027)\\n| project TimeGenerated, timestamp, File, AlertDetail, FilePath,Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"FileCustomEntity\"},{\"identifier\":\"Directory\",\"columnName\":\"FilePathCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashAlgo\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Chia_Crypto_Mining - Domain, Process, Hash and IP IOCs - June 2021\",\"description\":\"Identifies a match across various data feeds for domains, process, hashes and IP IOC related to Chia cryptocurrency farming/plotting activity.\",\"lastUpdatedDateUTC\":\"2022-05-19T00:00:00Z\",\"createdDateUTC\":\"2022-02-21T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7b907bf7-77d4-41d0-a208-5643ff75bf9a\",\"name\":\"7b907bf7-77d4-41d0-a208-5643ff75bf9a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let Keywords = dynamic([\\\"helpdesk\\\", \\\" alert\\\", \\\" suspicious\\\", \\\"fake\\\", \\\"malicious\\\", \\\"phishing\\\", \\\"spam\\\", \\\"do not click\\\", \\\"do not open\\\", \\\"hijacked\\\", \\\"Fatal\\\"]);\\nOfficeActivity\\n| where Operation =~ \\\"New-InboxRule\\\"\\n| where Parameters has \\\"Deleted Items\\\" or Parameters has \\\"Junk Email\\\" or Parameters has \\\"DeleteMessage\\\"\\n| extend Events=todynamic(Parameters)\\n| parse Events with * \\\"SubjectContainsWords\\\" SubjectContainsWords \u0027}\u0027*\\n| parse Events with * \\\"BodyContainsWords\\\" BodyContainsWords \u0027}\u0027*\\n| parse Events with * \\\"SubjectOrBodyContainsWords\\\" SubjectOrBodyContainsWords \u0027}\u0027*\\n| where SubjectContainsWords has_any (Keywords)\\n or BodyContainsWords has_any (Keywords)\\n or SubjectOrBodyContainsWords has_any (Keywords)\\n| extend ClientIPAddress = case( ClientIP has \\\".\\\", tostring(split(ClientIP,\\\":\\\")[0]), ClientIP has \\\"[\\\", tostring(trim_start(@\u0027[[]\u0027,tostring(split(ClientIP,\\\"]\\\")[0]))), ClientIP )\\n| extend Keyword = iff(isnotempty(SubjectContainsWords), SubjectContainsWords, (iff(isnotempty(BodyContainsWords),BodyContainsWords,SubjectOrBodyContainsWords )))\\n| extend RuleDetail = case(OfficeObjectId contains \u0027/\u0027 , tostring(split(OfficeObjectId, \u0027/\u0027)[-1]) , tostring(split(OfficeObjectId, \u0027\\\\\\\\\u0027)[-1]))\\n| summarize count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by Operation, UserId, ClientIPAddress, ResultStatus, Keyword, OriginatingServer, OfficeObjectId, RuleDetail\\n| extend timestamp = StartTimeUtc, IPCustomEntity = ClientIPAddress, AccountCustomEntity = UserId , HostCustomEntity = OriginatingServer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"DefenseEvasion\"],\"displayName\":\"Malicious Inbox Rule\",\"description\":\"Often times after the initial compromise the attackers create inbox rules to delete emails that contain certain keywords. \\n This is done so as to limit ability to warn compromised users that they\u0027ve been compromised. Below is a sample query that tries to detect this.\\nReference: https://www.reddit.com/r/sysadmin/comments/7kyp0a/recent_phishing_attempts_my_experience_and_what/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-03-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ef88eb96-861c-43a0-ab16-f3835a97c928\",\"name\":\"ef88eb96-861c-43a0-ab16-f3835a97c928\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT12H\",\"queryPeriod\":\"PT12H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let regexEmpire = @\\\"SetDelay|GetDelay|Set-LostLimit|Get-LostLimit|Set-Killdate|Get-Killdate|Set-WorkingHours|Get-WorkingHours|Get-Sysinfo|Add-Servers|Invoke-ShellCommand|Start-AgentJob|Update-Profile|Get-FilePart|Encrypt-Bytes|Decrypt-Bytes|Encode-Packet|Decode-Packet|Send-Message|Process-Packet|Process-Tasking|Get-Task|Start-Negotiate|Invoke-DllInjection|Invoke-ReflectivePEInjection|Invoke-Shellcode|Invoke-ShellcodeMSIL|Get-ChromeDump|Get-ClipboardContents|Get-IndexedItem|Get-Keystrokes|Invoke-Inveigh|Invoke-NetRipper|local:Invoke-PatchDll|Invoke-NinjaCopy|Get-Win32Types|Get-Win32Constants|Get-Win32Functions|Sub-SignedIntAsUnsigned|Add-SignedIntAsUnsigned|Compare-Val1GreaterThanVal2AsUInt|Convert-UIntToInt|Test-MemoryRangeValid|Write-BytesToMemory|Get-DelegateType|Get-ProcAddress|Enable-SeDebugPrivilege|Invoke-CreateRemoteThread|Get-ImageNtHeaders|Get-PEBasicInfo|Get-PEDetailedInfo|Import-DllInRemoteProcess|Get-RemoteProcAddress|Copy-Sections|Update-MemoryAddresses|Import-DllImports|Get-VirtualProtectValue|Update-MemoryProtectionFlags|Update-ExeFunctions|Copy-ArrayOfMemAddresses|Get-MemoryProcAddress|Invoke-MemoryLoadLibrary|Invoke-MemoryFreeLibrary|Out-Minidump|Get-VaultCredential|Invoke-DCSync|Translate-Name|Get-NetDomain|Get-NetForest|Get-NetForestDomain|Get-DomainSearcher|Get-NetComputer|Get-NetGroupMember|Get-NetUser|Invoke-Mimikatz|Invoke-PowerDump|Invoke-TokenManipulation|Exploit-JMXConsole|Exploit-JBoss|Invoke-Thunderstruck|Invoke-VoiceTroll|Set-WallPaper|Invoke-PsExec|Invoke-SSHCommand|Invoke-PSInject|Invoke-RunAs|Invoke-SendMail|Invoke-Rule|Get-OSVersion|Select-EmailItem|View-Email|Get-OutlookFolder|Get-EmailItems|Invoke-MailSearch|Get-SubFolders|Get-GlobalAddressList|Invoke-SearchGAL|Get-SMTPAddress|Disable-SecuritySettings|Reset-SecuritySettings|Get-OutlookInstance|New-HoneyHash|Set-MacAttribute|Invoke-PatchDll|Get-SecurityPackages|Install-SSP|Invoke-BackdoorLNK|New-ElevatedPersistenceOption|New-UserPersistenceOption|Add-Persistence|Invoke-CallbackIEX|Add-PSFirewallRules|Invoke-EventLoop|Invoke-PortBind|Invoke-DNSLoop|Invoke-PacketKnock|Invoke-CallbackLoop|Invoke-BypassUAC|Get-DecryptedCpassword|Get-GPPInnerFields|Invoke-WScriptBypassUAC|Get-ModifiableFile|Get-ServiceUnquoted|Get-ServiceFilePermission|Get-ServicePermission|Invoke-ServiceUserAdd|Invoke-ServiceCMD|Write-UserAddServiceBinary|Write-CMDServiceBinary|Write-ServiceEXE|Write-ServiceEXECMD|Restore-ServiceEXE|Invoke-ServiceStart|Invoke-ServiceStop|Invoke-ServiceEnable|Invoke-ServiceDisable|Get-ServiceDetail|Find-DLLHijack|Find-PathHijack|Write-HijackDll|Get-RegAlwaysInstallElevated|Get-RegAutoLogon|Get-VulnAutoRun|Get-VulnSchTask|Get-UnattendedInstallFile|Get-Webconfig|Get-ApplicationHost|Write-UserAddMSI|Invoke-AllChecks|Invoke-ThreadedFunction|Test-Login|Get-UserAgent|Test-Password|Get-ComputerDetails|Find-4648Logons|Find-4624Logons|Find-AppLockerLogs|Find-PSScriptsInPSAppLog|Find-RDPClientConnections|Get-SystemDNSServer|Invoke-Paranoia|Invoke-WinEnum{|Get-SPN|Invoke-ARPScan|Invoke-Portscan|Invoke-ReverseDNSLookup|Invoke-SMBScanner|New-InMemoryModule|Add-Win32Type|Export-PowerViewCSV|Get-MacAttribute|Copy-ClonedFile|Get-IPAddress|Convert-NameToSid|Convert-SidToName|Convert-NT4toCanonical|Get-Proxy|Get-PathAcl|Get-NameField|Convert-LDAPProperty|Get-NetDomainController|Add-NetUser|Add-NetGroupUser|Get-UserProperty|Find-UserField|Get-UserEvent|Get-ObjectAcl|Add-ObjectAcl|Invoke-ACLScanner|Get-GUIDMap|Get-ADObject|Set-ADObject|Get-ComputerProperty|Find-ComputerField|Get-NetOU|Get-NetSite|Get-NetSubnet|Get-DomainSID|Get-NetGroup|Get-NetFileServer|SplitPath|Get-DFSshare|Get-DFSshareV1|Get-DFSshareV2|Get-GptTmpl|Get-GroupsXML|Get-NetGPO|Get-NetGPOGroup|Find-GPOLocation|Find-GPOComputerAdmin|Get-DomainPolicy|Get-NetLocalGroup|Get-NetShare|Get-NetLoggedon|Get-NetSession|Get-NetRDPSession|Invoke-CheckLocalAdminAccess|Get-LastLoggedOn|Get-NetProcess|Find-InterestingFile|Invoke-CheckWrite|Invoke-UserHunter|Invoke-StealthUserHunter|Invoke-ProcessHunter|Invoke-EventHunter|Invoke-ShareFinder|Invoke-FileFinder|Find-LocalAdminAccess|Get-ExploitableSystem|Invoke-EnumerateLocalAdmin|Get-NetDomainTrust|Get-NetForestTrust|Find-ForeignUser|Find-ForeignGroup|Invoke-MapDomainTrust|Get-Hex|Create-RemoteThread|Get-FoxDump|Decrypt-CipherText|Get-Screenshot|Start-HTTP-Server|Local:Invoke-CreateRemoteThread|Local:Get-Win32Functions|Local:Inject-NetRipper|GetCommandLine|ElevatePrivs|Get-RegKeyClass|Get-BootKey|Get-HBootKey|Get-UserName|Get-UserHashes|DecryptHashes|DecryptSingleHash|Get-UserKeys|DumpHashes|Enable-SeAssignPrimaryTokenPrivilege|Enable-Privilege|Set-DesktopACLs|Set-DesktopACLToAllowEveryone|Get-PrimaryToken|Get-ThreadToken|Get-TokenInformation|Get-UniqueTokens|Find-GPOLocation|Find-GPOComputerAdmin|Get-DomainPolicy|Get-NetLocalGroup|Get-NetShare|Get-NetLoggedon|Get-NetSession|Get-NetRDPSession|Invoke-CheckLocalAdminAccess|Get-LastLoggedOn|Get-NetProcess|Find-InterestingFile|Invoke-CheckWrite|Invoke-UserHunter|Invoke-StealthUserHunter|Invoke-ProcessHunter|Invoke-EventHunter|Invoke-ShareFinder|Invoke-FileFinder|Find-LocalAdminAccess|Get-ExploitableSystem|Invoke-EnumerateLocalAdmin|Get-NetDomainTrust|Get-NetForestTrust|Find-ForeignUser|Find-ForeignGroup|Invoke-MapDomainTrust|Get-Hex|Create-RemoteThread|Get-FoxDump|Decrypt-CipherText|Get-Screenshot|Start-HTTP-Server|Local:Invoke-CreateRemoteThread|Local:Get-Win32Functions|Local:Inject-NetRipper|GetCommandLine|ElevatePrivs|Get-RegKeyClass|Get-BootKey|Get-HBootKey|Get-UserName|Get-UserHashes|DecryptHashes|DecryptSingleHash|Get-UserKeys|DumpHashes|Enable-SeAssignPrimaryTokenPrivilege|Enable-Privilege|Set-DesktopACLs|Set-DesktopACLToAllowEveryone|Get-PrimaryToken|Get-ThreadToken|Get-TokenInformation|Get-UniqueTokens|Invoke-ImpersonateUser|Create-ProcessWithToken|Free-AllTokens|Enum-AllTokens|Invoke-RevertToSelf|Set-Speaker\\\\(\\\\$Volume\\\\){\\\\$wshShell|Local:Get-RandomString|Local:Invoke-PsExecCmd|Get-GPPPassword|Local:Inject-BypassStuff|Local:Invoke-CopyFile\\\\(\\\\$sSource,|ind-Fruit|New-IPv4Range|New-IPv4RangeFromCIDR|Parse-Hosts|Parse-ILHosts|Exclude-Hosts|Get-TopPort|Parse-Ports|Parse-IpPorts|Remove-Ports|Write-PortscanOut|Convert-SwitchtoBool|Get-ForeignUser|Get-ForeignGroup\\\";\\n(union isfuzzy=true\\n (SecurityEvent\\n| where EventID == 4688\\n//consider filtering on filename if perf issues occur\\n//where FileName in~ (\\\"powershell.exe\\\",\\\"powershell_ise.exe\\\",\\\"pwsh.exe\\\")\\n| where not(ParentProcessName has_any (\u0027gc_worker.exe\u0027, \u0027gc_service.exe\u0027))\\n| where CommandLine has \\\"-encodedCommand\\\"\\n| parse kind=regex flags=i CommandLine with * \\\"-EncodedCommand \\\" encodedCommand\\n| extend encodedCommand = iff(encodedCommand has \\\" \\\", tostring(split(encodedCommand, \\\" \\\")[0]), encodedCommand)\\n// Note: currently the base64_decode_tostring function is limited to supporting UTF8\\n| extend decodedCommand = translate(\u0027\\\\0\u0027,\u0027\u0027, base64_decode_tostring(substring(encodedCommand, 0, strlen(encodedCommand) - (strlen(encodedCommand) %8)))), encodedCommand, CommandLine , strlen(encodedCommand)\\n| extend EfectiveCommand = iff(isnotempty(encodedCommand), decodedCommand, CommandLine)\\n| where EfectiveCommand matches regex regexEmpire\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, FileName = Process, EfectiveCommand, decodedCommand, encodedCommand, CommandLine, ParentProcessName\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(WindowsEvent\\n| where EventID == 4688 \\n| where EventData has_any (\\\"-encodedCommand\\\", \\\"powershell.exe\\\",\\\"powershell_ise.exe\\\",\\\"pwsh.exe\\\")\\n| where not(EventData has_any (\u0027gc_worker.exe\u0027, \u0027gc_service.exe\u0027))\\n//consider filtering on filename if perf issues occur\\n//extend NewProcessName = tostring(EventData.NewProcessName)\\n//extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n//FileName = Process\\n//where FileName in~ (\\\"powershell.exe\\\",\\\"powershell_ise.exe\\\",\\\"pwsh.exe\\\")\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| where not(ParentProcessName has_any (\u0027gc_worker.exe\u0027, \u0027gc_service.exe\u0027))\\n| extend CommandLine = tostring(EventData.CommandLine)\\n| where CommandLine has \\\"-encodedCommand\\\"\\n| parse kind=regex flags=i CommandLine with * \\\"-EncodedCommand \\\" encodedCommand\\n| extend encodedCommand = iff(encodedCommand has \\\" \\\", tostring(split(encodedCommand, \\\" \\\")[0]), encodedCommand)\\n// Note: currently the base64_decode_tostring function is limited to supporting UTF8\\n| extend decodedCommand = translate(\u0027\\\\0\u0027,\u0027\u0027, base64_decode_tostring(substring(encodedCommand, 0, strlen(encodedCommand) - (strlen(encodedCommand) %8)))), encodedCommand, CommandLine , strlen(encodedCommand)\\n| extend EfectiveCommand = iff(isnotempty(encodedCommand), decodedCommand, CommandLine)\\n| where EfectiveCommand matches regex regexEmpire\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, FileName = Process, EfectiveCommand, decodedCommand, encodedCommand, CommandLine, ParentProcessName\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n))\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Execution\",\"Persistence\"],\"displayName\":\"Powershell Empire cmdlets seen in command line\",\"description\":\"Identifies instances of PowerShell Empire cmdlets in powershell process command line data.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2019-01-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cda5928c-2c1e-4575-9dfa-07568bc27a4f\",\"name\":\"cda5928c-2c1e-4575-9dfa-07568bc27a4f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let lookback = 7d; \\nlet timeframe = 1h; \\nlet GlobalAdminsRemoved = AuditLogs \\n| where TimeGenerated \u003e ago(timeframe) \\n| where Category =~ \\\"RoleManagement\\\" \\n| where AADOperationType in (\\\"Unassign\\\", \\\"RemoveEligibleRole\\\") \\n| where ActivityDisplayName has_any (\\\"Remove member from role\\\", \\\"Remove eligible member from role\\\") \\n| mv-expand TargetResources \\n| mv-expand TargetResources.modifiedProperties \\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName) \\n| where displayName_ =~ \\\"Role.DisplayName\\\" \\n| extend RoleName = tostring(parse_json(tostring(TargetResources_modifiedProperties.oldValue))) \\n| where RoleName == \\\"Global Administrator\\\" // Add other Privileged role if applicable \\n| extend InitiatingApp = tostring(parse_json(tostring(InitiatedBy.app)).displayName) \\n| extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)) \\n| where Initiator != \\\"MS-PIM\\\" // Filtering PIM events \\n| extend Target = tostring(TargetResources.userPrincipalName) \\n| summarize RemovedGlobalAdminTime = max(TimeGenerated), TargetAdmins = make_set(Target) by OperationName, RoleName, Initiator, Result; \\nlet GlobalAdminsAdded = AuditLogs \\n| where TimeGenerated \u003e ago(lookback) \\n| where Category =~ \\\"RoleManagement\\\" \\n| where AADOperationType in (\\\"Assign\\\", \\\"AssignEligibleRole\\\") \\n| where ActivityDisplayName has_any (\\\"Add eligible member to role\\\", \\\"Add member to role\\\") and Result == \\\"success\\\" \\n| mv-expand TargetResources \\n| mv-expand TargetResources.modifiedProperties \\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName) \\n| where displayName_ =~ \\\"Role.DisplayName\\\" \\n| extend RoleName = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue))) \\n| where RoleName == \\\"Global Administrator\\\" // Add other Privileged role if applicable \\n| extend InitiatingApp = tostring(parse_json(tostring(InitiatedBy.app)).displayName) \\n| extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)) \\n| where Initiator != \\\"MS-PIM\\\" // Filtering PIM events \\n| extend Target = tostring(TargetResources.userPrincipalName) \\n| summarize AddedGlobalAdminTime = max(TimeGenerated) by OperationName, RoleName, Target, Initiator, Result \\n| extend AccountCustomEntity = Target; \\nGlobalAdminsAdded \\n| join kind= inner GlobalAdminsRemoved on $left.Target == $right.Initiator \\n| where AddedGlobalAdminTime \u003c RemovedGlobalAdminTime \\n| extend NoofAdminsRemoved = array_length(TargetAdmins) \\n| where NoofAdminsRemoved \u003e 1\\n| project AddedGlobalAdminTime, Initiator, Target, AccountCustomEntity, RemovedGlobalAdminTime, TargetAdmins, NoofAdminsRemoved\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Multiple admin membership removals from newly created admin.\",\"description\":\"This query detects when newly created Global admin removes multiple existing global admins which can be an attempt by adversaries to lock down organization and retain sole access. \\n Investigate reasoning and intention of multiple membership removal by new Global admins and take necessary actions accordingly.\",\"lastUpdatedDateUTC\":\"2022-03-24T00:00:00Z\",\"createdDateUTC\":\"2022-03-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/be52662c-3b23-435a-a6fa-f39bdfc849e6\",\"name\":\"be52662c-3b23-435a-a6fa-f39bdfc849e6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let threshold = 10;\\nQualysHostDetection_CL\\n| mv-expand todynamic(Detections_s)\\n| where Detections_s.Severity == \\\"5\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by NetBios_s, IPAddress\\n| where count_ \u003e= threshold\\n| extend timestamp = StartTime, HostCustomEntity = NetBios_s, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"High Number of Urgent Vulnerabilities Detected\",\"description\":\"This Creates an incident when a host has a high number of Urgent, severity 5, vulnerabilities detected.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"QualysVulnerabilityManagement\",\"dataTypes\":[\"QualysHostDetection_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/45b903c5-6f56-4969-af10-ae62ac709718\",\"name\":\"45b903c5-6f56-4969-af10-ae62ac709718\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4624 and LogonType == 10\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), ConnectionCount = count()\\nby Account = tolower(Account), Computer = toupper(Computer), IpAddress, AccountType, Activity, LogonTypeName, ProcessName\\n// use left anti to exclude anything from the previous 14 days that is not rare\\n),\\n(WindowsEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4624 and EventData has (\\\"10\\\")\\n| extend LogonType = tostring(EventData.LogonType)\\n| where LogonType == 10 \\n| extend Account = strcat(tostring(EventData.TargetDomainName),\\\"\\\\\\\\\\\", tostring(EventData.TargetUserName))\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| extend TargetUserSid = tostring(EventData.TargetUserSid)\\n| extend AccountType=case(Account endswith \\\"$\\\" or TargetUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(TargetUserSid), \\\"\\\", \\\"User\\\")\\n| extend Activity=\\\"4624 - An account was successfully logged on.\\\"\\n| extend LogonTypeName=\\\"10 - RemoteInteractive\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), ConnectionCount = count()\\nby Account = tolower(Account), Computer = toupper(Computer), IpAddress, AccountType, Activity, LogonTypeName, ProcessName\\n))\\n| join kind=leftanti (\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated between (ago(starttime) .. ago(endtime))\\n| where EventID == 4624\\n| summarize by Computer = toupper(Computer), IpAddress, Account = tolower(Account)\\n),\\n( WindowsEvent\\n| where TimeGenerated between (ago(starttime) .. ago(endtime))\\n| where EventID == 4624\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| extend Account = strcat(tostring(EventData.TargetDomainName),\\\"\\\\\\\\\\\", tostring(EventData.TargetUserName))\\n| summarize by Computer = toupper(Computer), IpAddress, Account = tolower(Account)\\n))\\n) on Account, Computer\\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), ConnectionCount = sum(ConnectionCount)\\nby Account, Computer, IpAddress, AccountType, Activity, LogonTypeName, ProcessName\\n| extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"LateralMovement\"],\"displayName\":\"Rare RDP Connections\",\"description\":\"Identifies when an RDP connection is new or rare related to any logon type by a given account today based on comparison with the previous 14 days.\\nRDP connections are indicated by the EventID 4624 with LogonType = 10\",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2020-01-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a1080fc1-13d1-479b-8340-255f0290d96c\",\"name\":\"a1080fc1-13d1-479b-8340-255f0290d96c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n | where Category =~ \\\"ApplicationManagement\\\"\\n | where Result =~ \\\"success\\\"\\n | where OperationName =~ \u0027Update Application\u0027\\n | mv-expand TargetResources\\n | mv-expand TargetResources.modifiedProperties\\n | where TargetResources_modifiedProperties.displayName =~ \\\"AppAddress\\\"\\n | extend Key = tostring(TargetResources_modifiedProperties.displayName)\\n | extend NewValue = TargetResources_modifiedProperties.newValue\\n | extend OldValue = TargetResources_modifiedProperties.oldValue\\n | where isnotempty(Key) and isnotempty(NewValue)\\n | project-reorder Key, NewValue, OldValue\\n | extend NewUrls = extract_all(\u0027\\\"Address\\\":([^,]*)\u0027, tostring(NewValue))\\n | extend OldUrls = extract_all(\u0027\\\"Address\\\":([^,]*)\u0027, tostring(OldValue))\\n | extend AddedUrls = set_difference(NewUrls, OldUrls)\\n | where array_length(AddedUrls) \u003e 0\\n | extend UserAgent = iif(tostring(AdditionalDetails[0].key) == \\\"User-Agent\\\", tostring(AdditionalDetails[0].value), \\\"\\\")\\n | extend AddingUser = iif(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)) , tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), \\\"\\\")\\n | extend AddingApp = iif(isnotempty(tostring(parse_json(tostring(InitiatedBy.app)).servicePrincipalName)) , tostring(parse_json(tostring(InitiatedBy.app)).servicePrincipalName), \\\"\\\")\\n | extend AddedBy = iif(isnotempty(AddingUser), AddingUser, AddingApp)\\n | project-away AddingApp, AddingUser\\n | extend AppDisplayName = tostring(TargetResources.displayName)\\n | extend ipAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n | project-reorder TimeGenerated, AppDisplayName, AddedUrls, AddedBy, UserAgent, ipAddress\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"AddedUrls\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddedBy\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ipAddress\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Application Redirect URL Update\",\"description\":\"Detects the redirect URL of an app being changed.\\n Applications associated with URLs not controlled by the organization can pose a security risk.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-applications#application-configuration-changes\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e42e889a-caaf-4dbb-aec6-371b37d64298\",\"name\":\"e42e889a-caaf-4dbb-aec6-371b37d64298\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n| where OperationName has_any (\\\"Add service principal\\\", \\\"Certificates and secrets management\\\")\\n| where Result =~ \\\"success\\\"\\n| mv-expand target = TargetResources\\n| where tostring(InitiatedBy.user.userPrincipalName) has \\\"@\\\" or tostring(InitiatedBy.app.displayName) has \\\"@\\\"\\n| extend targetDisplayName = tostring(TargetResources[0].displayName)\\n| extend targetId = tostring(TargetResources[0].id)\\n| extend targetType = tostring(TargetResources[0].type)\\n| extend keyEvents = TargetResources[0].modifiedProperties\\n| mv-expand keyEvents\\n| where keyEvents.displayName =~ \\\"KeyDescription\\\"\\n| extend new_value_set = parse_json(tostring(keyEvents.newValue))\\n| extend old_value_set = parse_json(tostring(keyEvents.oldValue))\\n| where old_value_set != \\\"[]\\\"\\n| extend diff = set_difference(new_value_set, old_value_set)\\n| where isnotempty(diff)\\n| parse diff with * \\\"KeyIdentifier=\\\" keyIdentifier:string \\\",KeyType=\\\" keyType:string \\\",KeyUsage=\\\" keyUsage:string \\\",DisplayName=\\\" keyDisplayName:string \\\"]\\\" *\\n| where keyUsage == \\\"Verify\\\" or keyUsage == \\\"\\\"\\n| extend UserAgent = iff(AdditionalDetails[0].key == \\\"User-Agent\\\",tostring(AdditionalDetails[0].value),\\\"\\\")\\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n// The below line is currently commented out but Microsoft Sentinel users can modify this query to show only Application or only Service Principal events in their environment\\n//| where targetType =~ \\\"Application\\\" // or targetType =~ \\\"ServicePrincipal\\\"\\n| project-away diff, new_value_set, old_value_set\\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, InitiatingIpAddress, UserAgent, targetDisplayName, targetId, targetType, keyDisplayName, keyType, keyUsage, keyIdentifier, CorrelationId, TenantId\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserOrApp\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIpAddress\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"NRT New access credential added to Application or Service Principal\",\"description\":\"This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where a verify KeyCredential was already present for the app.\\nIf a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2022-02-07T00:00:00Z\",\"createdDateUTC\":\"2020-11-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b79f6190-d104-4691-b7db-823e05980895\",\"name\":\"b79f6190-d104-4691-b7db-823e05980895\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let Keywords = dynamic([\\\"helpdesk\\\", \\\" alert\\\", \\\" suspicious\\\", \\\"fake\\\", \\\"malicious\\\", \\\"phishing\\\", \\\"spam\\\", \\\"do not click\\\", \\\"do not open\\\", \\\"hijacked\\\", \\\"Fatal\\\"]);\\nOfficeActivity\\n| where OfficeWorkload =~ \\\"Exchange\\\"\\n| where Parameters has \\\"Deleted Items\\\" or Parameters has \\\"Junk Email\\\" or Parameters has \\\"DeleteMessage\\\"\\n| extend Events=todynamic(Parameters)\\n| parse Events with * \\\"SubjectContainsWords\\\" SubjectContainsWords \u0027}\u0027*\\n| parse Events with * \\\"BodyContainsWords\\\" BodyContainsWords \u0027}\u0027*\\n| parse Events with * \\\"SubjectOrBodyContainsWords\\\" SubjectOrBodyContainsWords \u0027}\u0027*\\n| where SubjectContainsWords has_any (Keywords)\\n or BodyContainsWords has_any (Keywords)\\n or SubjectOrBodyContainsWords has_any (Keywords)\\n| extend ClientIPAddress = case( ClientIP has \\\".\\\", tostring(split(ClientIP,\\\":\\\")[0]), ClientIP has \\\"[\\\", tostring(trim_start(@\u0027[[]\u0027,tostring(split(ClientIP,\\\"]\\\")[0]))), ClientIP )\\n| extend Keyword = iff(isnotempty(SubjectContainsWords), SubjectContainsWords, (iff(isnotempty(BodyContainsWords),BodyContainsWords,SubjectOrBodyContainsWords )))\\n| extend RuleDetail = case(OfficeObjectId contains \u0027/\u0027 , tostring(split(OfficeObjectId, \u0027/\u0027)[-1]) , tostring(split(OfficeObjectId, \u0027\\\\\\\\\u0027)[-1]))\\n| summarize count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by UserId, ClientIPAddress, ResultStatus, Keyword, OriginatingServer, OfficeObjectId, RuleDetail\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserId\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"OriginatingServer\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIPAddress\"}]}],\"tactics\":[\"Persistence\",\"DefenseEvasion\"],\"displayName\":\"NRT Malicious Inbox Rule\",\"description\":\"Often times after the initial compromise the attackers create inbox rules to delete emails that contain certain keywords.\\n This is done so as to limit ability to warn compromised users that they\u0027ve been compromised. Below is a sample query that tries to detect this.\\nReference: https://www.reddit.com/r/sysadmin/comments/7kyp0a/recent_phishing_attempts_my_experience_and_what/\",\"lastUpdatedDateUTC\":\"2022-03-07T00:00:00Z\",\"createdDateUTC\":\"2020-03-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9fb2ee72-959f-4c2b-bc38-483affc539e4\",\"name\":\"9fb2ee72-959f-4c2b-bc38-483affc539e4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n | where Category == \\\"ApplicationManagement\\\"\\n | where OperationName has_any (\\\"Update Application\\\", \\\"Update Service principal\\\")\\n | extend appName = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n | extend UPN = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend UpdatedBy = iif(isnotempty(appName), appName, UPN)\\n | extend mod_props = TargetResources[0].modifiedProperties\\n | extend AppName = tostring(TargetResources[0].displayName)\\n | mv-expand mod_props\\n | where mod_props.displayName has \\\"AppIdentifierUri\\\"\\n | extend OldURI = tostring(mod_props.oldValue)\\n | extend NewURI = tostring(mod_props.newValue)\\n | project-reorder TimeGenerated, OperationName, AppName, OldURI, NewURI, UpdatedBy\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UpdatedBy\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"NewURI\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Application ID URI Changed\",\"description\":\"Detects changes to an Application ID URI.\\n Monitor these changes to make sure that they were authorized.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-applications#appid-uri-added-modified-or-removed\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/faf1a6ff-53b5-4f92-8c55-4b20e9957594\",\"name\":\"faf1a6ff-53b5-4f92-8c55-4b20e9957594\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"SecurityEvent\\n// Look for specific Directory Service Changes and parse data\\n| where EventID == 5136\\n| extend EventData = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion = array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value),TimeGenerated, EventID, Computer, Account, AccountType, EventSourceName, Activity, SubjectAccount)\\n// Where changes relate to Exchange OAB\\n| extend ObjectClass = column_ifexists(\\\"ObjectClass\\\", \\\"\\\")\\n| where ObjectClass =~ \\\"msExchOABVirtualDirectory\\\"\\n// Look for InternalHostName or ExternalHostName properties being changed\\n| extend AttributeLDAPDisplayName = column_ifexists(\\\"AttributeLDAPDisplayName\\\", \\\"\\\")\\n| where AttributeLDAPDisplayName in (\\\"msExchExternalHostName\\\", \\\"msExchInternalHostName\\\")\\n// Look for suspected webshell activity\\n| extend AttributeValue = column_ifexists(\\\"AttributeValue\\\", \\\"\\\")\\n| where AttributeValue has \\\"script\\\"\\n| project-rename LastSeen = TimeGenerated\\n| extend ObjectDN = column_ifexists(\\\"ObjectDN\\\", \\\"\\\")\\n| project-reorder LastSeen, Computer, Account, ObjectDN, AttributeLDAPDisplayName, AttributeValue\\n| extend timestamp = LastSeen, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Exchange OAB Virtual Directory Attribute Containing Potential Webshell\",\"description\":\"This query uses Windows Event ID 5136 in order to detect potential webshell deployment by exploitation of CVE-2021-27065.\\nThis query looks for changes to the InternalHostName or ExternalHostName properties of Exchange OAB Virtual Directory objects in AD Directory Services\\nwhere the new objects contain potential webshell objects. Ref: https://aka.ms/ExchangeVulns\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b3cfc7c0-092c-481c-a55b-34a3979758cb\",\"name\":\"b3cfc7c0-092c-481c-a55b-34a3979758cb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Microsoft Cloud App Security\",\"displayName\":\"Create incidents based on Microsoft Cloud App Security alerts\",\"description\":\"Create incidents based on all alerts generated in Microsoft Defender for Cloud Apps\",\"lastUpdatedDateUTC\":\"2019-07-16T00:00:00Z\",\"createdDateUTC\":\"2019-07-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftCloudAppSecurity\",\"dataTypes\":[\"SecurityAlert (MCAS)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/eb68b129-5f17-4f56-bf6d-dde48d5e615a\",\"name\":\"eb68b129-5f17-4f56-bf6d-dde48d5e615a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let lbtime = 10m;\\nProofpointPOD\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027inbound\u0027\\n| where FilterDisposition !in (\u0027reject\u0027, \u0027discard\u0027)\\n| extend attachedMimeType = todynamic(MsgParts)[0][\u0027detectedMime\u0027]\\n| where attachedMimeType == \u0027application/zip\u0027\\n| project SrcUserUpn, DstUserUpn\\n| extend AccountCustomEntity = DstUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"ProofpointPOD - Binary file in attachment\",\"description\":\"Detects when email received with binary file as attachment.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c0e84221-f240-4dd7-ab1e-37e034ea2a4e\",\"name\":\"c0e84221-f240-4dd7-ab1e-37e034ea2a4e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"union isfuzzy=true\\n(DeviceFileEvents\\n| where FolderPath endswith \\\"vmware-vmdmp.log\\\"\\n| extend HostCustomEntity = DeviceName, timestamp=TimeGenerated),\\n(WindowsEvent\\n| where EventID == 4663 and EventData has \\\"vmware-vmdmp.log\\\"\\n| extend ObjectName = tostring(EventData.ObjectName) \\n| where ObjectName endswith \\\"vmware-vmdmp.log\\\"\\n| extend HostCustomEntity = Computer, timestamp=TimeGenerated),\\n(SecurityEvent\\n| where EventID == 4663\\n| where ObjectName endswith \\\"vmware-vmdmp.log\\\"\\n| extend HostCustomEntity = Computer, timestamp=TimeGenerated),\\n(imFileEvent\\n| where TargetFileName endswith \\\"vmware-vmdmp.log\\\"\\n| extend HostCustomEntity = DvcHostname, timestamp=TimeGenerated\\n)\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"SUNSPOT log file creation\",\"description\":\"This query uses Microsoft Defender for Endpoint data and Windows Event Logs to look for IoCs associated with the SUNSPOT malware shared by Crowdstrike.\\nMore details: \\n - https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/ \\n - https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-your-software-build-process-with-azure-sentinel/ba-p/2140807\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5b6ae038-f66e-4f74-9315-df52fd492be4\",\"name\":\"5b6ae038-f66e-4f74-9315-df52fd492be4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Low\",\"query\":\"imProcess\\n | where CommandLine has_all (\\\"accepteula\\\", \\\"-s\\\", \\\"-r\\\", \\\"-q\\\")\\n | where Process !endswith \\\"sdelete.exe\\\"\\n | where CommandLine !has \\\"sdelete\\\"\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DvcHostname\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DvcIpAddr\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ActorUsername\"}]}],\"tactics\":[\"DefenseEvasion\",\"Impact\"],\"displayName\":\"Potential re-named sdelete usage (ASIM Version)\",\"description\":\"This detection looks for command line parameters associated with the use of Sysinternals sdelete (https://docs.microsoft.com/sysinternals/downloads/sdelete) to delete multiple files on a host\u0027s C drive.\\nA threat actor may re-name the tool to avoid detection and then use it for destructive attacks on a host.\\nThis detection uses the ASIM imProcess parser, this will need to be deployed before use - https://docs.microsoft.com/azure/sentinel/normalization\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-02-25T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8c8de3fa-6425-4623-9cd9-45de1dd0569a\",\"name\":\"8c8de3fa-6425-4623-9cd9-45de1dd0569a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let lookBack = 14d;\\nlet timeframe = 1d;\\nlet user_agents_list = Cisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(lookBack) and TimeGenerated \u003c ago(timeframe)\\n| summarize count() by HttpUserAgentOriginal\\n| summarize make_list(HttpUserAgentOriginal);\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(timeframe)\\n| where HttpUserAgentOriginal !in (user_agents_list)\\n| extend Message = \\\"Rare User Agent\\\"\\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated, HttpUserAgentOriginal\\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - Rare User Agent Detected\",\"description\":\"Rule helps to detect a rare user-agents indicating web browsing activity by an unusual process other than a web browser.\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/02ef8d7e-fc3a-4d86-a457-650fa571d8d2\",\"name\":\"02ef8d7e-fc3a-4d86-a457-650fa571d8d2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let logonDiff = 10m;\\nlet aadFunc = (tableName:string){\\ntable(tableName) \\n| where ResultType == \\\"0\\\" \\n| where AppDisplayName !in (\\\"Office 365 Exchange Online\\\", \\\"Skype for Business Online\\\")\\n| project SuccessLogonTime = TimeGenerated, UserPrincipalName, SuccessIPAddress = IPAddress, AppDisplayName, SuccessIPBlock = strcat(split(IPAddress, \\\".\\\")[0], \\\".\\\", split(IPAddress, \\\".\\\")[1]), Type\\n| join kind= inner (\\n table(tableName)\\n | where ResultType !in (\\\"0\\\", \\\"50140\\\") \\n | where ResultDescription !~ \\\"Other\\\" \\n | where AppDisplayName !in (\\\"Office 365 Exchange Online\\\", \\\"Skype for Business Online\\\")\\n | project FailedLogonTime = TimeGenerated, UserPrincipalName, FailedIPAddress = IPAddress, AppDisplayName, ResultType, ResultDescription, Type\\n) on UserPrincipalName, AppDisplayName \\n| where SuccessLogonTime \u003c FailedLogonTime and FailedLogonTime - SuccessLogonTime \u003c= logonDiff and FailedIPAddress !startswith SuccessIPBlock\\n| summarize FailedLogonTime = max(FailedLogonTime), SuccessLogonTime = max(SuccessLogonTime) by UserPrincipalName, SuccessIPAddress, AppDisplayName, FailedIPAddress, ResultType, ResultDescription, Type\\n| extend timestamp = SuccessLogonTime\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SuccessIPAddress\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"FailedIPAddress\"}]}],\"tactics\":[\"CredentialAccess\",\"InitialAccess\"],\"displayName\":\"Successful logon from IP and failure from a different IP\",\"description\":\"Identifies when a user account successfully logs onto an Azure App from one IP and within 10 mins failed to logon to the same App via a different IP.\\nThis may indicate a malicious attempt at password guessing based on knowledge of the users account.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9736e5f1-7b6e-4bfb-a708-e53ff1d182c3\",\"name\":\"9736e5f1-7b6e-4bfb-a708-e53ff1d182c3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":1,\"version\":\"1.1.0\",\"severity\":\"Low\",\"query\":\"let tokens = dynamic([\\\"416\\\",\\\"208\\\",\\\"128\\\",\\\"120\\\",\\\"96\\\",\\\"80\\\",\\\"72\\\",\\\"64\\\",\\\"48\\\",\\\"44\\\",\\\"40\\\",\\\"g5\\\",\\\"gs5\\\",\\\"g4\\\",\\\"gs4\\\",\\\"nc12\\\",\\\"nc24\\\",\\\"nv12\\\"]);\\nlet operationList = dynamic([\\\"microsoft.compute/virtualmachines/write\\\", \\\"microsoft.resources/deployments/write\\\"]);\\nAzureActivity\\n| where tolower(OperationNameValue) in (operationList)\\n| where ActivityStatusValue == \\\"Accepted\\\" \\n| where isnotempty(Properties)\\n| extend vmSize = tolower(tostring(parse_json(tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).responseBody)).properties)).hardwareProfile)).vmSize))\\n| where isnotempty(vmSize)\\n| where vmSize has_any (tokens) \\n| extend ComputerName = tostring(parse_json(tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).responseBody)).properties)).osProfile)).computerName)\\n| extend clientIpAddress = tostring(parse_json(HTTPRequest).clientIpAddress)\\n| project TimeGenerated, OperationNameValue, ActivityStatusValue, Caller, CallerIpAddress, ComputerName, vmSize\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Creation of expensive computes in Azure\",\"description\":\"Identifies the creation of large size/expensive VMs (GPU or with large no of virtual CPUs) in Azure.\\nAdversary may create new or update existing virtual machines sizes to evade defenses \\nor use it for cryptomining purposes.\\nFor Windows/Linux Vm Sizes - https://docs.microsoft.com/azure/virtual-machines/windows/sizes \\nAzure VM Naming Conventions - https://docs.microsoft.com/azure/virtual-machines/vm-naming-conventions\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/78422ef2-62bf-48ca-9bab-72c69818a425\",\"name\":\"78422ef2-62bf-48ca-9bab-72c69818a425\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P8D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Low\",\"query\":\"let endtime = 1d;\\nlet starttime = 8d;\\nlet threshold = 2.0;\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4624 and LogonType == 10\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ComputerCountToday = dcount(Computer), ComputerSet = makeset(Computer), ProcessSet = makeset(ProcessName)\\nby Account, IpAddress, AccountType, Activity, LogonTypeName),\\n(WindowsEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4624 \\n| extend LogonType = tostring(EventData.LogonType)\\n| where LogonType == 10\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| extend Account = strcat(tostring(EventData.TargetDomainName),\\\"\\\\\\\\\\\", tostring(EventData.TargetUserName))\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| extend TargetUserSid = tostring(EventData.TargetUserSid)\\n| extend AccountType=case(Account endswith \\\"$\\\" or TargetUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(TargetUserSid), \\\"\\\", \\\"User\\\")\\n| extend Activity=\\\"4624 - An account was successfully logged on.\\\"\\n| extend LogonTypeName=\\\"10 - RemoteInteractive\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ComputerCountToday = dcount(Computer), ComputerSet = makeset(Computer), ProcessSet = makeset(ProcessName)\\nby Account, IpAddress, AccountType, Activity, LogonTypeName)\\n)\\n| join kind=inner (\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e= ago(starttime) and TimeGenerated \u003c ago(endtime)\\n| where EventID == 4624 and LogonType == 10\\n| summarize ComputerCountPrev7Days = dcount(Computer) by Account = tolower(Account), IpAddress\\n),\\n( WindowsEvent\\n| where TimeGenerated \u003e= ago(starttime) and TimeGenerated \u003c ago(endtime)\\n| where EventID == 4624 and EventData has (\\\"10\\\")\\n| extend LogonType = toint(EventData.LogonType)\\n| where LogonType == 10\\n| extend Account = strcat(tostring(EventData.TargetDomainName),\\\"\\\\\\\\\\\", tostring(EventData.TargetUserName))\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| summarize ComputerCountPrev7Days = dcount(Computer) by Account = tolower(Account), IpAddress)\\n)\\n) on Account, IpAddress\\n| extend Ratio = iff(isempty(ComputerCountPrev7Days), toreal(ComputerCountToday), ComputerCountToday / (ComputerCountPrev7Days * 1.0))\\n// Where the ratio of today to previous 7 days is more than double.\\n| where Ratio \u003e threshold\\n| project StartTimeUtc, EndTimeUtc, Account, IpAddress, ComputerSet, ComputerCountToday, ComputerCountPrev7Days, Ratio, AccountType, Activity, LogonTypeName, ProcessSet\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"LateralMovement\"],\"displayName\":\"Multiple RDP connections from Single System\",\"description\":\"Identifies when an RDP connection is made to multiple systems and above the normal for the previous 7 days.\\nConnections from the same system with the same account within the same day.\\nRDP connections are indicated by the EventID 4624 with LogonType = 10\",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2019-10-21T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4d94d4a9-dc96-450a-9dea-4d4d4594199b\",\"name\":\"4d94d4a9-dc96-450a-9dea-4d4d4594199b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"SecurityNestedRecommendation\\n| where RemediationDescription has \u0027CVE-2021-38647\u0027\\n| parse ResourceDetails with * \u0027virtualMachines/\u0027 VirtualMAchine \u0027\\\"\u0027 *\\n| summarize arg_min(TimeGenerated, *) by TenantId, RecommendationSubscriptionId, VirtualMAchine, RecommendationName,Description,RemediationDescription, tostring(AdditionalData),VulnerabilityId\\n| extend Timestamp = TimeGenerated, HostCustomEntity = VirtualMAchine\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"Execution\"],\"displayName\":\"Vulnerable Machines related to OMIGOD CVE-2021-38647\",\"description\":\"This query uses the Azure Defender Security Nested Recommendations data to find machines vulnerable to OMIGOD CVE-2021-38647. OMI is the Linux equivalent of Windows WMI and \\n helps users manage configurations across remote and local environments. The query aims to find machines that have this OMI vulnerability (CVE-2021-38647).\\n Security Nested Recommendations data is sent to Microsoft Sentinel using the continuous export feature of Azure Defender(refrence link below).\\n Reference: https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure\\n Reference: https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal\",\"lastUpdatedDateUTC\":\"2021-11-10T00:00:00Z\",\"createdDateUTC\":\"2021-09-17T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d3980830-dd9d-40a5-911f-76b44dfdce16\",\"name\":\"d3980830-dd9d-40a5-911f-76b44dfdce16\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let aadFunc = (tableName:string){\\ntable(tableName)\\n| where AppDisplayName == \\\"GitHub.com\\\"\\n| where ResultType == 0\\n| summarize CountOfLocations = dcount(Location), Locations = make_set(Location), BurstStartTime = min(TimeGenerated), BurstEndTime = max(TimeGenerated) by UserPrincipalName, Type\\n| where CountOfLocations \u003e 1\\n| extend timestamp = BurstStartTime, AccountCustomEntity = UserPrincipalName\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"GitHub Signin Burst from Multiple Locations\",\"description\":\"This alerts when there Signin burst from multiple locations in GitHub (AAD SSO).\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/25a7f951-54b7-4cf5-9862-ebc04306c590\",\"name\":\"25a7f951-54b7-4cf5-9862-ebc04306c590\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let known_users = (AuditLogs\\n | where TimeGenerated between(ago(14d)..ago(1d))\\n | where OperationName has \\\"conditional access policy\\\"\\n | where Result =~ \\\"success\\\"\\n | extend userPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | summarize by userPrincipalName);\\n AuditLogs\\n | where TimeGenerated \u003e ago(1d)\\n | where OperationName has \\\"conditional access policy\\\"\\n | where Result =~ \\\"success\\\"\\n | extend userPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend CAPolicyName = tostring(TargetResources[0].displayName)\\n | extend ipAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n | where userPrincipalName !in (known_users)\\n | extend NewPolicyValues = TargetResources[0].modifiedProperties[0].newValue\\n | extend OldPolicyValues = TargetResources[0].modifiedProperties[0].oldValue\\n | project-reorder TimeGenerated, OperationName, CAPolicyName, userPrincipalName, ipAddress, NewPolicyValues, OldPolicyValues\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"userPrincipalName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ipAddress\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Conditional Access Policy Modified by New User\",\"description\":\"Detects a Conditional Access Policy being modified by a user who has not modified a policy in the last 14 days.\\n A threat actor may try to modify policies to weaken the security controls in place.\\n Investigate any change to ensure they are approved.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-infrastructure#conditional-access\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/70b12a3b-4896-42cb-910c-5ffaf8d7987d\",\"name\":\"70b12a3b-4896-42cb-910c-5ffaf8d7987d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.4.1\",\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"seoulhobi.biz\\\", \\\"reader.cash\\\", \\\"pieceview.club\\\", \\\"app-wallet.com\\\", \\\"bigwnet.com\\\", \\\"bitwoll.com\\\", \\\"cexrout.com\\\", \\\"change-pw.com\\\", \\\"checkprofie.com\\\", \\\"cloudwebappservice.com\\\", \\\"ctquast.com\\\", \\\"dataviewering.com\\\", \\\"day-post.com\\\", \\\"dialy-post.com\\\", \\\"documentviewingcom.com\\\", \\\"dovvn-mail.com\\\", \\\"down-error.com\\\", \\\"drivecheckingcom.com\\\", \\\"drog-service.com\\\", \\\"encodingmail.com\\\", \\\"filinvestment.com\\\", \\\"foldershareing.com\\\", \\\"golangapis.com\\\", \\\"hotrnall.com\\\", \\\"lh-logins.com\\\", \\\"login-use.com\\\", \\\"mail-down.com\\\", \\\"matmiho.com\\\", \\\"mihomat.com\\\", \\\"natwpersonal-online.com\\\", \\\"nidlogin.com\\\", \\\"nid-login.com\\\", \\\"nidlogon.com\\\", \\\"pw-change.com\\\", \\\"rnaii.com\\\", \\\"rnailm.com\\\", \\\"sec-live.com\\\", \\\"secrityprocessing.com\\\", \\\"securitedmode.com\\\", \\\"securytingmail.com\\\", \\\"set-login.com\\\", \\\"usrchecking.com\\\", \\\"com-serviceround.info\\\", \\\"mai1.info\\\", \\\"reviewer.mobi\\\", \\\"files-download.net\\\", \\\"fixcool.net\\\", \\\"hanrnaii.net\\\", \\\"office356-us.org\\\", \\\"smtper.org\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where isnotempty(FileHash)\\n| where DNSName in~ (DomainNames)\\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n),\\n(_Im_Dns (domain_has_any=DomainNames)\\n| extend DNSName = DnsQuery\\n| extend IPAddress = SrcIpAddr\\n),\\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where isnotempty(DNSName)\\n| where DNSName in~ (DomainNames)\\n| extend IPAddress = RemoteIp\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPAddress = SourceHost \\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"CredentialAccess\"],\"displayName\":\"THALLIUM domains included in DCU takedown\",\"description\":\"THALLIUM spearphishing and command and control domains included in December 2019 DCU/MSTIC takedown. \\n Matches domain name IOCs related to the THALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes.\\n References: https://blogs.microsoft.com/on-the-issues/2019/12/30/microsoft-court-action-against-nation-state-cybercrime/ \",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2020-01-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4d94d4a9-dc96-410a-8dea-4d4d4584188b\",\"name\":\"4d94d4a9-dc96-410a-8dea-4d4d4584188b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"let OperationList = dynamic([\\\"Add member to role\\\",\\\"Add member to role in PIM requested (permanent)\\\"]);\\nlet PrivilegedGroups = dynamic([\\\"UserAccountAdmins\\\",\\\"PrivilegedRoleAdmins\\\",\\\"TenantAdmins\\\"]);\\nAuditLogs\\n//| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"RoleManagement\\\"\\n| where OperationName in~ (OperationList)\\n| mv-expand TargetResources\\n| extend modProps = parse_json(TargetResources).modifiedProperties\\n| mv-expand bagexpansion=array modProps\\n| evaluate bag_unpack(modProps)\\n| extend displayName = column_ifexists(\\\"displayName\\\", \\\"NotAvailable\\\"), newValue = column_ifexists(\\\"newValue\\\", \\\"NotAvailable\\\")\\n| where displayName =~ \\\"Role.WellKnownObjectName\\\"\\n| extend DisplayName = displayName, GroupName = replace(\u0027\\\"\u0027,\u0027\u0027,newValue)\\n| extend initByApp = parse_json(InitiatedBy).app, initByUser = parse_json(InitiatedBy).user\\n| extend AppId = initByApp.appId, \\nInitiatedByDisplayName = case(isnotempty(initByApp.displayName), initByApp.displayName, isnotempty(initByUser.displayName), initByUser.displayName, \\\"not available\\\"),\\nServicePrincipalId = tostring(initByApp.servicePrincipalId),\\nServicePrincipalName = tostring(initByApp.servicePrincipalName),\\nUserId = initByUser.id,\\nUserIPAddress = initByUser.ipAddress,\\nUserRoles = initByUser.roles,\\nUserPrincipalName = tostring(initByUser.userPrincipalName),\\nTargetUserPrincipalName = tostring(TargetResources.userPrincipalName)\\n| where GroupName in~ (PrivilegedGroups)\\n// If you don\u0027t want to alert for operations from PIM, remove below filtering for MS-PIM.\\n//| where InitiatedByDisplayName != \\\"MS-PIM\\\"\\n| project TimeGenerated, AADOperationType, Category, OperationName, AADTenantId, AppId, InitiatedByDisplayName, ServicePrincipalId, ServicePrincipalName, DisplayName, GroupName, UserId, UserIPAddress, UserRoles, UserPrincipalName, TargetUserPrincipalName\\n| extend timestamp = TimeGenerated, AccountCustomEntity = case(isnotempty(ServicePrincipalName), ServicePrincipalName, isnotempty(ServicePrincipalId), ServicePrincipalId, isnotempty(UserPrincipalName), UserPrincipalName, \\\"not available\\\")\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUserPrincipalName\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"User added to Azure Active Directory Privileged Groups\",\"description\":\"This will alert when a user is added to any of the Privileged Groups.\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\\nFor Administrator role permissions in Azure Active Directory please see https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles\",\"lastUpdatedDateUTC\":\"2022-03-24T00:00:00Z\",\"createdDateUTC\":\"2020-07-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/50574fac-f8d1-4395-81c7-78a463ff0c52\",\"name\":\"50574fac-f8d1-4395-81c7-78a463ff0c52\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"let aadFunc = (tableName:string){\\ntable(tableName)\\n| where AppId =~ \\\"1b730954-1685-4b74-9bfd-dac224a7b894\\\" // AppDisplayName IS Azure Active Directory PowerShell\\n| where TokenIssuerType =~ \\\"AzureAD\\\"\\n| where ResourceIdentity !in (\\\"00000002-0000-0000-c000-000000000000\\\", \\\"00000003-0000-0000-c000-000000000000\\\") // ResourceDisplayName IS NOT Windows Azure Active Directory OR Microsoft Graph\\n| extend Status = todynamic(Status)\\n| where Status.errorCode == 0 // Success\\n| project-reorder IPAddress, UserAgent, ResourceDisplayName, UserDisplayName, UserId, UserPrincipalName, Type\\n| order by TimeGenerated desc\\n// New entity mapping\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Azure Active Directory PowerShell accessing non-AAD resources\",\"description\":\"This will alert when a user or application signs in using Azure Active Directory PowerShell to access non-Active Directory resources, such as the Azure Key Vault, which may be undesired or unauthorized behavior.\\nFor capabilities and expected behavior of the Azure Active Directory PowerShell module, see: https://learn.microsoft.com/powershell/module/azuread/?view=azureadps-2.0.\\nFor further information on Azure Active Directory Signin activity reports, see: https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins.\",\"lastUpdatedDateUTC\":\"2022-02-23T00:00:00Z\",\"createdDateUTC\":\"2020-12-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cca3b4d9-ac39-4109-8b93-65bb284003e6\",\"name\":\"cca3b4d9-ac39-4109-8b93-65bb284003e6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @\u0027^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$\u0027;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n AzureActivity | where TimeGenerated \u003e= ago(dt_lookBack) and isnotempty(Caller)\\n | extend Caller = tolower(Caller)\\n | where Caller matches regex emailregex\\n | extend AzureActivity_TimeGenerated = TimeGenerated\\n)\\non $left.EmailSenderAddress == $right.Caller\\n| where AzureActivity_TimeGenerated \u003c ExpirationDateTime\\n| summarize AzureActivity_TimeGenerated = arg_max(AzureActivity_TimeGenerated, *) by IndicatorId, Caller\\n| project AzureActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, EmailSenderName, EmailRecipient, \\nEmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, Caller, Level, CallerIpAddress, CategoryValue, OperationNameValue, ActivityStatusValue, \\nResourceGroup, SubscriptionId\\n| extend timestamp = AzureActivity_TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map Email entity to AzureActivity\",\"description\":\"Identifies a match in AzureActivity table from any Email IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9122a9cb-916b-4d98-a199-1b7b0af8d598\",\"name\":\"9122a9cb-916b-4d98-a199-1b7b0af8d598\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"beesweiserdog.com\\\", \\n \\\"bluehostfit.com\\\", \\n \\\"business-toys.com\\\", \\n \\\"cleanskycloud.com\\\", \\n \\\"cumberbat.com\\\", \\n \\\"czreadsecurity.com\\\", \\n \\\"dgtresorgouv.com\\\", \\n \\\"dimediamikedask.com\\\", \\n \\\"diresitioscon.com\\\", \\n \\\"elcolectador.com\\\", \\n \\\"elperuanos.org\\\", \\n \\\"eprotectioneu.com\\\", \\n \\\"fheacor.com\\\", \\n \\\"followthewaterdata.com\\\", \\n \\\"francevrteepress.com\\\", \\n \\\"futtuhy.com\\\", \\n \\\"gardienweb.com\\\", \\n \\\"heimflugaustr.com\\\", \\n \\\"ivpsers.com\\\", \\n \\\"jkeducation.org\\\", \\n \\\"micrlmb.com\\\", \\n \\\"muthesck.com\\\", \\n \\\"netscalertech.com\\\", \\n \\\"newgoldbalmap.com\\\", \\n \\\"news-laestrella.com\\\", \\n \\\"noticialif.com\\\", \\n \\\"opentanzanfoundation.com\\\", \\n \\\"optonlinepress.com\\\", \\n \\\"palazzochigi.com\\\", \\n \\\"pandemicacre.com\\\", \\n \\\"papa-ser.com\\\", \\n \\\"pekematclouds.com\\\", \\n \\\"pipcake.com\\\", \\n \\\"popularservicenter.com\\\", \\n \\\"projectsyndic.com\\\", \\n \\\"qsadtv.com\\\", \\n \\\"sankreal.com\\\", \\n \\\"scielope.com\\\", \\n \\\"seoamdcopywriting.com\\\", \\n \\\"slidenshare.com\\\", \\n \\\"somoswake.com\\\", \\n \\\"squarespacenow.com\\\", \\n \\\"subapostilla.com\\\", \\n \\\"suzukicycles.net\\\", \\n \\\"tatanotakeeps.com\\\", \\n \\\"tijuanazxc.com\\\", \\n \\\"transactioninfo.net\\\", \\n \\\"eurolabspro.com\\\", \\n \\\"adelluminate.com\\\", \\n \\\"headhunterblue.com\\\", \\n \\\"primenuesty.com\\\" \\n ]);\\nlet SHA256Hashes = dynamic ([\\\"02daf4544bcefb2de865d0b45fc406bee3630704be26a9d6da25c9abe906e7d2\\\", \\n \\\"0a45ec3da31838aa7f56e4cbe70d5b3b3809029f9159ff0235837e5b7a4cb34c\\\", \\n \\\"0d7965489810446ca7acc7a2160795b22e452a164261313c634a6529a0090a0c\\\", \\n \\\"10bb4e056fd19f2debe61d8fc5665434f56064a93ca0ec0bef946a4c3e098b95\\\", \\n \\\"12d914f24fe5501e09f5edf503820cc5fe8b763827a1c6d44cdb705e48651b21\\\", \\n \\\"1899f761123fedfeba0fee6a11f830a29cd3653bcdcf70380b72a05b921b4b49\\\", \\n \\\"22e68e366dd3323e5bb68161b0938da8e1331e4f1c1819c8e84a97e704d93844\\\", \\n \\\"259783405ec2cb37fdd8fd16304328edbb6a0703bc3d551eba252d9b450554ef\\\", \\n \\\"26debed09b1bbf24545e3b4501b799b66a0146d4020f882776465b5071e91822\\\", \\n \\\"35c5f22bb11f7dd7a2bb03808e0337cb7f9c0d96047b94c8afdab63efc0b9bb2\\\", \\n \\\"3ae2d9ffa4e53519e62cc0a75696f9023f9cce09b0a917f25699b48d0f7c4838\\\", \\n \\\"3bac2e459c69fcef8c1c93c18e5f4f3e3102d8d0f54a63e0650072aeb2a5fa65\\\", \\n \\\"3c0bf69f6faf85523d9e60d13218e77122b2adb0136ffebbad0f39f3e3eed4e6\\\", \\n \\\"3dc0001a11d54925d2591aec4ea296e64f1d4fdf17ff3343ddeea82e9bd5e4f1\\\", \\n \\\"3fd73af89e94af180b1fbf442bbfb7d7a6c4cf9043abd22ac0aa2f8149bafc90\\\", \\n \\\"6854df6aa0af46f7c77667c450796d5658b3058219158456e869ebd39a47d54b\\\", \\n \\\"6b79b807a66c786bd2e57d1c761fc7e69dd9f790ffab7ce74086c4115c9305ce\\\", \\n \\\"7944a86fbef6238d2a55c14c660c3a3d361c172f6b8fa490686cc8889b7a51a0\\\", \\n \\\"926904f7c0da13a6b8689c36dab9d20b3a2e6d32f212fca9e5f8cf2c6055333c\\\", \\n \\\"95e98c811ea9d212673d0e84046d6da94cbd9134284275195800278593594b5a\\\", \\n \\\"a142625512e5372a1728595be19dbee23eea50524b4827cb64ed5aaeaaa0270b\\\", \\n \\\"afe5e9145882e0b98a795468a4c0352f5b1ddb7b4a534783c9e8fc366914cf6a\\\", \\n \\\"b9027bad09a9f5c917cf0f811610438e46e42e5e984a8984b6d69206ceb74124\\\", \\n \\\"c132d59a3bf0099e0f9f5667daf7b65dba66780f4addd88f04eecae47d5d99fa\\\", \\n \\\"c9a5765561f52bbe34382ce06f4431f7ac65bafe786db5de89c29748cf371dda\\\", \\n \\\"ce0408f92635e42aadc99da3cc1cbc0044e63441129c597e7aa1d76bf2700c94\\\", \\n \\\"ce47bacc872516f91263f5e59441c54f14e9856cf213ca3128470217655fc5e6\\\", \\n \\\"d0fe4562970676e30a4be8cb4923dc9bfd1fca8178e8e7fea0f3f02e0c7435ce\\\", \\n \\\"d5b36648dc9828e69242b57aca91a0bb73296292bf987720c73fcd3d2becbae6\\\", \\n \\\"e72d142a2bc49572e2d99ed15827fc27c67fc0999e90d4bf1352b075f86a83ba\\\"\\n ]);\\nlet SigNames = dynamic([\\\"Backdoor:Win32/Leeson\\\", \\\"Trojan:Win32/Kechang\\\", \\\"Backdoor:Win32/Nightimp!dha\\\", \\\"Trojan:Win32/QuarkBandit.A!dha\\\", \\\"TrojanSpy:Win32/KeyLogger\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where isnotempty(FileHash)\\n| where FileHash in (SHA256Hashes) or DNSName in~ (DomainNames)\\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n),\\n(_Im_Dns(domain_has_any = DomainNames)\\n| extend DNSName = DnsQuery\\n| extend IPAddress = SrcIpAddr\\n),\\n(_Im_WebSession(url_has_any = DomainNames)\\n| extend DNSName = tostring(parse_url(Url)[\\\"Host\\\"])\\n| extend IPAddress = SrcIpAddr\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updataing\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Hashes = EventDetail.[16].[\\\"#text\\\"]\\n| parse Hashes with * \u0027SHA256=\u0027 SHA256 \u0027,\u0027 * \\n| where isnotempty(Hashes)\\n| where Hashes in (SHA256Hashes) \\n| extend Account = UserName\\n),\\n(DeviceFileEvents\\n| where SHA256 in~ (SHA256Hashes)\\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = SHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(imFileEvent\\n| where TargetFileSHA256 in~ (SHA256Hashes)\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(DeviceNetworkEvents\\n| where RemoteUrl in~ (DomainNames)\\n| extend Computer = DeviceName, IPAddress = LocalIP, Account = InitiatingProcessAccountName\\n| project Type, TimeGenerated, Computer, Account, IPAddress, RemoteUrl\\n),\\n(SecurityAlert\\n| where ProductName == \\\"Microsoft Defender Advanced Threat Protection\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| where isnotempty(ThreatName)\\n| where ThreatName has_any (SigNames)\\n| extend Computer = tostring(parse_json(Entities)[0].HostName)\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPAddress = SourceHost\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Known NICKEL domains and hashes\",\"description\":\"IOC domains and hash values for tools and malware used by NICKEL. \\n Matches domain name, hash IOCs and M365 Defender sigs related to the NICKEL activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes.\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2021-11-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/720d12c6-a08c-44c4-b18f-2236412d59b0\",\"name\":\"720d12c6-a08c-44c4-b18f-2236412d59b0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Low\",\"query\":\"SecurityEvent\\n | where EventID == 4688\\n | where Process !~ \\\"sdelete.exe\\\"\\n | where CommandLine has_all (\\\"accepteula\\\", \\\"-r\\\", \\\"-s\\\", \\\"-q\\\", \\\"c:/\\\")\\n | where CommandLine !has (\\\"sdelete\\\")\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"DefenseEvasion\",\"Impact\"],\"displayName\":\"Potential re-named sdelete usage\",\"description\":\"This detection looks for command line parameters associated with the use of Sysinternals sdelete (https://docs.microsoft.com/sysinternals/downloads/sdelete) to delete multiple files on a host\u0027s C drive.\\nA threat actor may re-name the tool to avoid detection and then use it for destructive attacks on a host.\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-02-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/009b9bae-23dd-43c4-bcb9-11c4ba7c784a\",\"name\":\"009b9bae-23dd-43c4-bcb9-11c4ba7c784a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n | where OperationName has \\\"Consent to application\\\"\\n | where Result =~ \\\"failure\\\"\\n | extend ipAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n | extend userPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend userAgent = iif(AdditionalDetails[0].key == \\\"User-Agent\\\", tostring(AdditionalDetails[0].value), tostring(AdditionalDetails[1].value))\\n | where isnotempty(TargetResources)\\n | extend AppName = tostring(TargetResources[0].displayName)\\n | mv-expand TargetResources[0].modifiedProperties\\n | extend TargetResources_0_modifiedProperties = columnifexists(\\\"TargetResources_0_modifiedProperties\\\", \u0027\u0027)\\n | where isnotempty(TargetResources_0_modifiedProperties)\\n | where TargetResources_0_modifiedProperties.displayName =~ \\\"MethodExecutionResult.\\\"\\n | extend FailureReason = tostring(parse_json(tostring(TargetResources_0_modifiedProperties.newValue)))\\n | where FailureReason contains \\\"Risky\\\"\\n | project-reorder TimeGenerated, OperationName, Result, AppName, FailureReason, userPrincipalName, userAgent, ipAddress\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ipAddress\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"userPrincipalName\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"End-user consent stopped due to risk-based consent\",\"description\":\"Detects a user\u0027s consent to an OAuth application being blocked due to it being too risky.\\n These events should be investigated to understand why the user attempted to consent to the applicaiton and what other applicaitons they may have consented to.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-applications#end-user-stopped-due-to-risk-based-consent\",\"lastUpdatedDateUTC\":\"2022-07-09T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e70fa6e0-796a-4e85-9420-98b17b0bb749\",\"name\":\"e70fa6e0-796a-4e85-9420-98b17b0bb749\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"DeviceInfo\\n| extend DeviceName = tolower(DeviceName)\\n| join (SecurityAlert\\n| where ProviderName =~ \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| where ThreatName has \\\"Solorigate\\\"\\n| extend HostCustomEntity = tolower(CompromisedEntity)\\n) on $left.DeviceName == $right.HostCustomEntity\\n| project TimeGenerated, DisplayName, ThreatName, CompromisedEntity, PublicIP, MachineGroup, AlertSeverity, Description, LoggedOnUsers, DeviceId, TenantId, HostCustomEntity\\n| extend timestamp = TimeGenerated, IPCustomEntity = PublicIP\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Solorigate Defender Detections\",\"description\":\"Surfaces any Defender Alert for Solorigate Events. In Microsoft Sentinel the SecurityAlerts table includes only the Device Name of the affected device, this query joins the DeviceInfo table to clearly connect other information such as \\n Device group, ip, logged on users etc. This way, the Microsoft Sentinel user can have all the pertinent device info in one view for all the the Solarigate Defender alerts.\",\"lastUpdatedDateUTC\":\"2021-11-10T00:00:00Z\",\"createdDateUTC\":\"2020-12-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftDefenderAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert (MDATP)\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceInfo\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9176b18f-a946-42c6-a2f6-0f6d17cd6a8a\",\"name\":\"9176b18f-a946-42c6-a2f6-0f6d17cd6a8a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let triThreshold = 500;\\nlet querystarttime = 6h;\\nlet dgaLengthThreshold = 8;\\n// fetch the cisco umbrella top 1M domains\\nlet top1M = (externaldata (Position:int, Domain:string) [@\\\"http://s3-us-west-1.amazonaws.com/umbrella-static/top-1m.csv.zip\\\"] with (format=\\\"csv\\\", zipPattern=\\\"*.csv\\\"));\\n// extract tri grams that are above our threshold - i.e. are common\\nlet triBaseline = top1M\\n | extend Domain = tolower(extract(\\\"([^.]*).{0,7}$\\\", 1, Domain))\\n | extend AllTriGrams = array_concat(extract_all(\\\"(...)\\\", Domain), extract_all(\\\"(...)\\\", substring(Domain, 1)), extract_all(\\\"(...)\\\", substring(Domain, 2)))\\n | mvexpand Trigram=AllTriGrams to typeof(string)\\n | summarize triCount=count() by Trigram\\n | sort by triCount desc\\n | where triCount \u003e triThreshold\\n | distinct Trigram;\\n// collect domain information from common security log, filter and extract the DGA candidate and its trigrams\\nlet allDataSummarized = _Im_WebSession \\n| where isnotempty(Url) \\n| extend Name = tolower(tostring(parse_url(Url)[\\\"Host\\\"]))\\n| summarize NameCount=count() by Name\\n| where Name has \\\".\\\"\\n| where Name !endswith \\\".home\\\" and Name !endswith \\\".lan\\\"\\n// extract DGA candidate\\n| extend DGADomain = extract(\\\"([^.]*).{0,7}$\\\", 1, Name)\\n| where strlen(DGADomain) \u003e dgaLengthThreshold\\n// throw out domains with number in them\\n| where DGADomain matches regex \\\"^[A-Za-z]{0,}$\\\"\\n// extract the tri grams from summarized data\\n| extend AllTriGrams = array_concat(extract_all(\\\"(...)\\\", DGADomain), extract_all(\\\"(...)\\\", substring(DGADomain, 1)), extract_all(\\\"(...)\\\", substring(DGADomain, 2)));\\n// throw out domains that have repeating tri\u0027s and/or \u003e=3 repeating letters\\nlet nonRepeatingTris = allDataSummarized\\n| join kind=leftanti\\n(\\n allDataSummarized\\n | mvexpand AllTriGrams\\n | summarize count() by tostring(AllTriGrams), DGADomain\\n | where count_ \u003e 1\\n | distinct DGADomain\\n)\\non DGADomain;\\n// find domains that do not have a common tri in the baseline\\nlet dataWithRareTris = nonRepeatingTris\\n| join kind=leftanti\\n(\\n nonRepeatingTris\\n | mvexpand AllTriGrams\\n | extend Trigram = tostring(AllTriGrams)\\n | distinct Trigram, DGADomain\\n | join kind=inner\\n (\\n triBaseline\\n )\\n on Trigram\\n | distinct DGADomain\\n)\\non DGADomain;\\ndataWithRareTris\\n// join DGAs back on connection data\\n| join kind=inner\\n(\\n _Im_WebSession\\n | where isnotempty(Url)\\n | extend Url = tolower(Url)\\n | summarize arg_max(TimeGenerated, EventVendor, SrcIpAddr) by Url\\n | extend Name=tostring(parse_url(Url)[\\\"Host\\\"])\\n | summarize StartTime=min(TimeGenerated), EndTime=max(TimeGenerated) by Name, SrcIpAddr, Url\\n)\\non Name\\n| project StartTime, EndTime, Name, DGADomain, SrcIpAddr, Url, NameCount\",\"customDetails\":{\"DGAPattern\":\"DGADomain\",\"NameCount\":\"NameCount\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URL\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Potential communication from {{SrcIpAddr} with a Domain Generation Algorithm (DGA) based host {{Name}}\",\"alertDescriptionFormat\":\"A client with address {{SrcIpAddr}} communicated with host {{Name}} that have a domain name that might have been generated by a Domain Generation Algorithm (DGA), identified by the pattern {{DGADomain}}. DGAs are used by malware to generate rendezvous points that are difficult to predict in advance. This detection uses the top 1 million domain names to build a model of what normal domains look like and uses the model to identify domains that may have been randomly generated by an algorithm.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Potential communication with a Domain Generation Algorithm (DGA) based hostname (ASIM Web Session schema)\",\"description\":\"This rule identifies communication with hosts that have a domain name that might have been generated by a Domain Generation Algorithm (DGA). DGAs are used by malware to generate rendezvous points that are difficult to predict in advance. This detection uses the top 1 million domain names to build a model of what normal domains look like nad uses the model to identify domains that may have been randomly generated by an algorithm. You can modify the triThreshold and dgaLengthThreshold query parameters to change Analytic Rule sensitivity. The higher the numbers, the less noisy the rule is. \u003cbr\u003e\\n This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema)\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-12-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f819c592-c5f9-4d5c-a79f-1e6819863533\",\"name\":\"f819c592-c5f9-4d5c-a79f-1e6819863533\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"// ADHealth Monitoring Agent Registry Key\\nlet aadHealthMonAgentRegKey = \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Microsoft Online\\\\\\\\Reporting\\\\\\\\MonitoringAgent\\\";\\n// Filter out known processes\\nlet aadConnectHealthProcs = dynamic ([\\n \u0027Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe\u0027,\\n \u0027Microsoft.Identity.Health.Adfs.InsightsService.exe\u0027,\\n \u0027Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe\u0027,\\n \u0027Microsoft.Identity.Health.Adfs.PshSurrogate.exe\u0027,\\n \u0027Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe\u0027,\\n \u0027Microsoft.Identity.Health.AadSync.MonitoringAgent.Startup.exe\u0027,\\n \u0027Microsoft.Identity.AadConnect.Health.AadSync.Host.exe\u0027,\\n \u0027Microsoft.Azure.ActiveDirectory.Synchronization.Upgrader.exe\u0027,\\n \u0027miiserver.exe\u0027\\n]);\\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where EventID == \u00274656\u0027\\n| where EventData has aadHealthMonAgentRegKey\\n| extend EventData = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Computer, EventID)\\n| extend ObjectName = column_ifexists(\\\"ObjectName\\\", \\\"\\\"),\\n ObjectType = column_ifexists(\\\"ObjectType\\\", \\\"\\\")\\n| where ObjectType == \u0027Key\u0027\\n| where ObjectName == aadHealthMonAgentRegKey\\n| extend SubjectUserName = column_ifexists(\\\"SubjectUserName\\\", \\\"\\\"),\\n SubjectDomainName = column_ifexists(\\\"SubjectDomainName\\\", \\\"\\\"),\\n ProcessName = column_ifexists(\\\"ProcessName\\\", \\\"\\\")\\n| extend Process = split(ProcessName, \u0027\\\\\\\\\u0027, -1)[-1],\\n Account = strcat(SubjectDomainName, \\\"\\\\\\\\\\\", SubjectUserName)\\n| where Process !in (aadConnectHealthProcs)\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by EventID, Account, Computer, Process, SubjectUserName, SubjectDomainName, ObjectName, ObjectType, ProcessName\\n),\\n(\\nWindowsEvent\\n| where EventID == \u00274656\u0027 and EventData has aadHealthMonAgentRegKey\\n| extend ObjectType = tostring(EventData.ObjectType)\\n| where ObjectType == \u0027Key\u0027\\n| extend ObjectName = tostring(EventData.ObjectName)\\n| where ObjectName == aadHealthMonAgentRegKey\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| extend Process = tostring(split(ProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where Process !in (aadConnectHealthProcs)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName)\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by EventID, Account, Computer, Process, SubjectUserName, SubjectDomainName, ObjectName, ObjectType, ProcessName\\n),\\n(\\nSecurityEvent\\n| where EventID == \u00274663\u0027\\n| where ObjectType == \u0027Key\u0027\\n| where ObjectName == aadHealthMonAgentRegKey\\n| extend Process = tostring(split(ProcessName, \u0027\\\\\\\\\u0027, -1)[-1])\\n| where Process !in (aadConnectHealthProcs)\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by EventID, Account, Computer, Process, SubjectUserName, SubjectDomainName, ObjectName, ObjectType, ProcessName\\n),\\n (\\nWindowsEvent\\n| where EventID == \u00274663\u0027 and EventData has aadHealthMonAgentRegKey\\n| extend ObjectType = tostring(EventData.ObjectType)\\n| where ObjectType == \u0027Key\u0027\\n| extend ObjectName = tostring(EventData.ObjectName)\\n| where ObjectName == aadHealthMonAgentRegKey\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| extend Process = tostring(split(ProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where Process !in (aadConnectHealthProcs)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName)\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by EventID, Account, Computer, Process, SubjectUserName, SubjectDomainName, ObjectName, ObjectType, ProcessName\\n)\\n)\\n// You can filter out potential machine accounts\\n//| where AccountType != \u0027Machine\u0027\\n| extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Collection\"],\"displayName\":\"Azure AD Health Monitoring Agent Registry Keys Access\",\"description\":\"This detection uses Windows security events to detect suspicious access attempts to the registry key of Azure AD Health monitoring agent.\\nThis detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object HKLM\\\\SOFTWARE\\\\Microsoft\\\\Microsoft Online\\\\Reporting\\\\MonitoringAgent.\\nYou can find more information in here https://github.com/OTRF/Set-AuditRule/blob/master/rules/registry/aad_connect_health_monitoring_agent.yml\\n\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-08-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/066395ac-ef91-4993-8bf6-25c61ab0ca5a\",\"name\":\"066395ac-ef91-4993-8bf6-25c61ab0ca5a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/SOURGUM.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet domains = (iocs | where Type =~ \\\"domainname\\\"| project IoC);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\nlet file_path1 = (iocs | where Type =~ \\\"filepath1\\\" | project IoC);\\nlet file_path2 = (iocs | where Type =~ \\\"filepath2\\\" | project IoC);\\nlet file_path3 = (iocs | where Type =~ \\\"filepath3\\\" | project IoC);\\nlet reg_key = (iocs | where Type =~ \\\"regkey\\\" | project IoC);\\nWindowsEvent\\n| where EventID == 4688 and (EventData has_any (file_path1) or EventData has_any (file_path2) or EventData has_any (file_path3) or EventData has_any (\u0027reg add\u0027) or EventData has_any (reg_key) )\\n| extend CommandLine = tostring(EventData.CommandLine)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| where (CommandLine has_any (file_path1)) or\\n (CommandLine has_any (file_path3)) or\\n (CommandLine has \u0027reg add\u0027 and CommandLine has_any (reg_key) and CommandLine has_any (file_path2)) or \\n (NewProcessName has_any (file_path1)) or\\n (NewProcessName has_any (file_path3)) or\\n (ParentProcessName has_any (file_path1)) or \\n (ParentProcessName has_any (file_path3)) \\n| extend Account = strcat(EventData.SubjectDomainName,\\\"\\\\\\\\\\\", EventData.SubjectUserName)\\n| extend NewProcessId = tostring(EventData.NewProcessId)\\n| extend IPCustomEntity = tostring(EventData.IpAddress)\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type, IPCustomEntity\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, Alert = \u0027SOURGUM IOC detected\u0027\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"SOURGUM Actor IOC - July 2021\",\"description\":\"Identifies a match across IOC\u0027s related to an actor tracked by Microsoft as SOURGUM\",\"lastUpdatedDateUTC\":\"2022-05-19T00:00:00Z\",\"createdDateUTC\":\"2022-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6116dc19-475a-4148-84b2-efe89c073e27\",\"name\":\"6116dc19-475a-4148-84b2-efe89c073e27\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let threshold = 10;\\nQualysHostDetectionV2_CL\\n| extend Status = tostring(Status_s), Vulnerability = tostring(QID_s), Severity = tostring(Severity_s)\\n| where Status =~ \\\"New\\\" and Severity == \\\"5\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), dcount(NetBios_s) by tostring(QID_s)\\n| where dcount_NetBios_s \u003e= threshold\\n| extend timestamp = StartTime\",\"entityMappings\":[],\"tactics\":[\"InitialAccess\"],\"displayName\":\"New High Severity Vulnerability Detected Across Multiple Hosts\",\"description\":\"This creates an incident when a new high severity vulnerability is detected across multilple hosts\",\"lastUpdatedDateUTC\":\"2021-12-08T00:00:00Z\",\"createdDateUTC\":\"2020-06-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"QualysVulnerabilityManagement\",\"dataTypes\":[\"QualysHostDetection_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/90d3f6ec-80fb-48e0-9937-2c70c9df9bad\",\"name\":\"90d3f6ec-80fb-48e0-9937-2c70c9df9bad\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let DomainList = dynamic([\\\"tor2web.org\\\", \\\"tor2web.com\\\", \\\"torlink.co\\\", \\\"onion.to\\\", \\\"onion.ink\\\", \\\"onion.cab\\\", \\\"onion.nu\\\", \\\"onion.link\\\", \\n\\\"onion.it\\\", \\\"onion.city\\\", \\\"onion.direct\\\", \\\"onion.top\\\", \\\"onion.casa\\\", \\\"onion.plus\\\", \\\"onion.rip\\\", \\\"onion.dog\\\", \\\"tor2web.fi\\\", \\n\\\"tor2web.blutmagie.de\\\", \\\"onion.sh\\\", \\\"onion.lu\\\", \\\"onion.pet\\\", \\\"t2w.pw\\\", \\\"tor2web.ae.org\\\", \\\"tor2web.io\\\", \\\"tor2web.xyz\\\", \\\"onion.lt\\\", \\n\\\"s1.tor-gateways.de\\\", \\\"s2.tor-gateways.de\\\", \\\"s3.tor-gateways.de\\\", \\\"s4.tor-gateways.de\\\", \\\"s5.tor-gateways.de\\\", \\\"hiddenservice.net\\\"]);\\nSyslog\\n| where ProcessName contains \\\"squid\\\"\\n| extend URL = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :]*)\\\",3,SyslogMessage), \\n SourceIP = extract(\\\"([0-9]+ )(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3}))\\\",2,SyslogMessage), \\n Status = extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))\\\",1,SyslogMessage), \\n HTTP_Status_Code = extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))/([0-9]{3})\\\",8,SyslogMessage),\\n User = extract(\\\"(CONNECT |GET )([^ ]* )([^ ]+)\\\",3,SyslogMessage),\\n RemotePort = extract(\\\"(CONNECT |GET )([^ ]*)(:)([0-9]*)\\\",4,SyslogMessage),\\n Domain = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :\\\\\\\\/]*)\\\",3,SyslogMessage),\\n Bytes = toint(extract(\\\"([A-Z]+\\\\\\\\/[0-9]{3} )([0-9]+)\\\",2,SyslogMessage)),\\n contentType = extract(\\\"([a-z/]+$)\\\",1,SyslogMessage)\\n| extend TLD = extract(\\\"\\\\\\\\.[a-z]*$\\\",0,Domain)\\n| where HTTP_Status_Code == \\\"200\\\"\\n| where Domain contains \\\".\\\"\\n| where Domain has_any (DomainList)\\n| extend timestamp = TimeGenerated, URLCustomEntity = URL, IPCustomEntity = SourceIP, AccountCustomEntity = User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Squid proxy events for ToR proxies\",\"description\":\"Check for Squid proxy events associated with common ToR proxies. This query presumes the default squid log format is being used.\\nhttp://www.squid-cache.org/Doc/config/access_log/\",\"lastUpdatedDateUTC\":\"2022-05-31T00:00:00Z\",\"createdDateUTC\":\"2019-07-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/70fc7201-f28e-4ba7-b9ea-c04b96701f13\",\"name\":\"70fc7201-f28e-4ba7-b9ea-c04b96701f13\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let OperationList = dynamic([\\\"Add member to role\\\",\\\"Add member to role in PIM requested (permanent)\\\"]);\\nlet PrivilegedGroups = dynamic([\\\"UserAccountAdmins\\\",\\\"PrivilegedRoleAdmins\\\",\\\"TenantAdmins\\\"]);\\nAuditLogs\\n//| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"RoleManagement\\\"\\n| where OperationName in~ (OperationList)\\n| mv-expand TargetResources\\n| extend modProps = parse_json(TargetResources).modifiedProperties\\n| mv-expand bagexpansion=array modProps\\n| evaluate bag_unpack(modProps)\\n| extend displayName = column_ifexists(\\\"displayName\\\", \\\"NotAvailable\\\"), newValue = column_ifexists(\\\"newValue\\\", \\\"NotAvailable\\\")\\n| where displayName =~ \\\"Role.WellKnownObjectName\\\"\\n| extend DisplayName = displayName, GroupName = replace(\u0027\\\"\u0027,\u0027\u0027,newValue)\\n| extend initByApp = parse_json(InitiatedBy).app, initByUser = parse_json(InitiatedBy).user\\n| extend AppId = initByApp.appId,\\nInitiatedByDisplayName = case(isnotempty(initByApp.displayName), initByApp.displayName, isnotempty(initByUser.displayName), initByUser.displayName, \\\"not available\\\"),\\nServicePrincipalId = tostring(initByApp.servicePrincipalId),\\nServicePrincipalName = tostring(initByApp.servicePrincipalName),\\nUserId = initByUser.id,\\nUserIPAddress = initByUser.ipAddress,\\nUserRoles = initByUser.roles,\\nUserPrincipalName = tostring(initByUser.userPrincipalName),\\nTargetUserPrincipalName = tostring(TargetResources.userPrincipalName)\\n| where GroupName in~ (PrivilegedGroups)\\n// If you don\u0027t want to alert for operations from PIM, remove below filtering for MS-PIM.\\n//| where InitiatedByDisplayName != \\\"MS-PIM\\\"\\n| project TimeGenerated, AADOperationType, Category, OperationName, AADTenantId, AppId, InitiatedByDisplayName, ServicePrincipalId, ServicePrincipalName, DisplayName, GroupName, UserId, UserIPAddress, UserRoles, UserPrincipalName, TargetUserPrincipalName\\n| extend AccountCustomEntity = case(isnotempty(ServicePrincipalName), ServicePrincipalName, isnotempty(ServicePrincipalId), ServicePrincipalId, isnotempty(UserPrincipalName), UserPrincipalName, \\\"not available\\\")\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUserPrincipalName\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"NRT User added to Azure Active Directory Privileged Groups\",\"description\":\"This will alert when a user is added to any of the Privileged Groups.\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\\nFor Administrator role permissions in Azure Active Directory please see https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles\",\"lastUpdatedDateUTC\":\"2022-03-24T00:00:00Z\",\"createdDateUTC\":\"2020-07-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5239248b-abfb-4c6a-8177-b104ade5db56\",\"name\":\"5239248b-abfb-4c6a-8177-b104ade5db56\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"let RunCommandData = materialize ( AzureActivity\\n// Isolate run command actions\\n| where OperationNameValue == \\\"MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION\\\"\\n// Confirm that the operation impacted a virtual machine\\n| where Authorization has \\\"virtualMachines\\\"\\n// Each runcommand operation consists of three events when successful, StartTimeed, Accepted (or Rejected), Successful (or Failed).\\n| summarize StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), max(CallerIpAddress), make_list(ActivityStatusValue) by CorrelationId, Authorization, Caller\\n// Limit to Run Command executions that Succeeded\\n| where list_ActivityStatusValue has \\\"Success\\\"\\n// Extract data from the Authorization field, allowing us to later extract the Caller (UPN) and CallerIpAddress\\n| extend Authorization_d = parse_json(Authorization)\\n| extend Scope = Authorization_d.scope\\n| extend Scope_s = split(Scope, \\\"/\\\")\\n| extend Subscription = tostring(Scope_s[2])\\n| extend VirtualMachineName = tostring(Scope_s[-1])\\n| project StartTime, EndTime, Subscription, VirtualMachineName, CorrelationId, Caller, CallerIpAddress=max_CallerIpAddress\\n| join kind=leftouter (\\n DeviceFileEvents\\n | where InitiatingProcessFileName == \\\"RunCommandExtension.exe\\\"\\n | extend VirtualMachineName = tostring(split(DeviceName, \\\".\\\")[0])\\n | project VirtualMachineName, PowershellFileCreatedTimestamp=TimeGenerated, FileName, FileSize, InitiatingProcessAccountName, InitiatingProcessAccountDomain, InitiatingProcessFolderPath, InitiatingProcessId\\n) on VirtualMachineName\\n// We need to filter by time sadly, this is the only way to link events\\n| where PowershellFileCreatedTimestamp between (StartTime .. EndTime)\\n| project StartTime, EndTime, PowershellFileCreatedTimestamp, VirtualMachineName, Caller, CallerIpAddress, FileName, FileSize, InitiatingProcessId, InitiatingProcessAccountDomain, InitiatingProcessFolderPath\\n| join kind=inner(\\n DeviceEvents\\n | extend VirtualMachineName = tostring(split(DeviceName, \\\".\\\")[0])\\n | where InitiatingProcessCommandLine has \\\"-File\\\"\\n // Extract the script name based on the structure used by the RunCommand extension\\n | extend PowershellFileName = extract(@\\\"\\\\-File\\\\s(script[0-9]{1,9}\\\\.ps1)\\\", 1, InitiatingProcessCommandLine)\\n // Discard results that didn\u0027t successfully extract, these are not run command related\\n | where isnotempty(PowershellFileName)\\n | extend PSCommand = tostring(parse_json(AdditionalFields).Command)\\n // The first execution of PowerShell will be the RunCommand script itself, we can discard this as it will break our hash later\\n | where PSCommand != PowershellFileName \\n // Now we normalise the cmdlets, we\u0027re aiming to hash them to find scripts using rare combinations\\n | extend PSCommand = toupper(PSCommand)\\n | order by PSCommand asc\\n | summarize PowershellExecStartTime=min(TimeGenerated), PowershellExecEnd=max(TimeGenerated), make_list(PSCommand) by PowershellFileName, InitiatingProcessCommandLine\\n) on $left.FileName == $right.PowershellFileName\\n| project StartTime, EndTime, PowershellFileCreatedTimestamp, PowershellExecStartTime, PowershellExecEnd, PowershellFileName, PowershellScriptCommands=list_PSCommand, Caller, CallerIpAddress, InitiatingProcessCommandLine, PowershellFileSize=FileSize, VirtualMachineName\\n| order by StartTime asc \\n// We generate the hash based on the cmdlets called and the size of the powershell script\\n| extend TempFingerprintString = strcat(PowershellScriptCommands, PowershellFileSize)\\n| extend ScriptFingerprintHash = hash_sha256(tostring(PowershellScriptCommands)));\\nlet totals = toscalar (RunCommandData\\n| summarize count());\\nlet hashTotals = RunCommandData\\n| summarize HashCount=count() by ScriptFingerprintHash;\\nRunCommandData\\n| join kind=leftouter (\\nhashTotals\\n) on ScriptFingerprintHash\\n// Calculate prevalence, while we don\u0027t need this, it may be useful for responders to know how rare this script is in relation to normal activity\\n| extend Prevalence = toreal(HashCount) / toreal(totals) * 100\\n// Where the hash was only ever seen once.\\n| where HashCount == 1\\n| extend timestamp = StartTime, IPCustomEntity=CallerIpAddress, AccountCustomEntity=Caller, HostCustomEntity=VirtualMachineName\\n| project timestamp, StartTime, EndTime, PowershellFileName, VirtualMachineName, Caller, CallerIpAddress, PowershellScriptCommands, PowershellFileSize, ScriptFingerprintHash, Prevalence, IPCustomEntity, AccountCustomEntity, HostCustomEntity\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"LateralMovement\",\"Execution\"],\"displayName\":\"Azure VM Run Command operations executing a unique PowerShell script\",\"description\":\"Identifies when Azure Run command is used to execute a PowerShell script on a VM that is unique.\\nThe uniqueness of the PowerShell script is determined by taking a combined hash of the cmdLets it imports\\nand the file size of the PowerShell script. Alerts from this detection indicate a unique PowerShell was executed\\nin your environment.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-10-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\",\"DeviceEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f15370f4-c6fa-42c5-9be4-1d308f40284e\",\"name\":\"f15370f4-c6fa-42c5-9be4-1d308f40284e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.2\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n OfficeActivity\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(ClientIP)\\n | extend ClientIPValues = extract_all(@\u0027\\\\[?(::ffff:)?(?P\u003cIPAddress\u003e(\\\\d+\\\\.\\\\d+\\\\.\\\\d+\\\\.\\\\d+)|[^\\\\]%]+)(%\\\\d+)?\\\\]?([-:](?P\u003cPort\u003e\\\\d+))?\u0027, dynamic([\\\"IPAddress\\\", \\\"Port\\\"]), ClientIP)[0]\\n | extend IPAddress = tostring(ClientIPValues[0])\\n // renaming time column so it is clear the log this came from\\n | extend OfficeActivity_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.IPAddress\\n| where OfficeActivity_TimeGenerated \u003c ExpirationDateTime\\n| summarize OfficeActivity_TimeGenerated = arg_max(OfficeActivity_TimeGenerated, *) by IndicatorId\\n| project OfficeActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, ClientIP, UserId, Operation, ResultStatus, RecordType, OfficeObjectId, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = OfficeActivity_TimeGenerated, IPCustomEntity = TI_ipEntity, AccountCustomEntity = UserId, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to OfficeActivity\",\"description\":\"Identifies a match in OfficeActivity from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a4ce20ae-a2e4-4d50-b40d-d49f1353b6cc\",\"name\":\"a4ce20ae-a2e4-4d50-b40d-d49f1353b6cc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"// Extracts plaintext IPv4 addresses\\nlet ipv4_plaintext_extraction_regex = @\\\"((?:(?:[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])(?:\\\\.)){3}(?:[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]){1,3})\\\";\\n// Identified base64 encoded IPv4 addresses\\nlet ipv4_encoded_identification_regex = @\\\"\\\\=([a-zA-Z0-9\\\\/\\\\+]*(?:(?:MC|Au|wL|MS|Eu|xL|Mi|Iu|yL|My|Mu|zL|NC|Qu|0L|NS|Uu|1L|Ni|Yu|2L|Ny|cu|3L|OC|gu|4L|OS|ku|5L){1}[a-zA-Z0-9\\\\/\\\\+]{2,4}){3}[a-zA-Z0-9\\\\/\\\\+\\\\=]*)\\\";\\n// Extractes IPv4 addresses as hex values\\nlet ipv4_decoded_hex_extract = @\\\"((?:(?:61|62|63|64|65|66|67|68|69|6a|6b|6c|6d|6e|6f|70|71|72|73|74|75|76|77|78|79|7a|41|42|43|44|45|46|47|48|49|4a|4b|4c|4d|4e|4f|50|51|52|53|54|55|56|57|58|59|5a|2f|2b|3d),){7,15})\\\";\\nCommonSecurityLog\\n| where isnotempty(RequestURL)\\n// Identify requests with encoded IPv4 addresses\\n| where RequestURL matches regex ipv4_encoded_identification_regex\\n| project TimeGenerated, RequestURL\\n// Extract IP candidates in their base64 encoded format, significantly reducing the dataset\\n| extend extracted_encoded_ip_candidate = extract_all(ipv4_encoded_identification_regex, RequestURL)\\n// We could have more than one candidate, expand them out\\n| mv-expand extracted_encoded_ip_candidate to typeof(string)\\n| summarize Start=min(TimeGenerated), End=max(TimeGenerated), make_set(RequestURL) by extracted_encoded_ip_candidate\\n// Pad if we need to\\n| extend extracted_encoded_ip_candidate = iff(strlen(extracted_encoded_ip_candidate) % 2 == 0, extracted_encoded_ip_candidate, strcat(extracted_encoded_ip_candidate, \\\"=\\\"))\\n// Now decode the candidate to a long array, we cannot go straight to string as it cannot handle non-UTF8, we need to strip that first\\n| extend extracted_encoded_ip_candidate = tostring(base64_decode_toarray(extracted_encoded_ip_candidate))\\n// Extract the IP candidates from the array\\n| extend hex_extracted = extract_all(ipv4_decoded_hex_extract, extracted_encoded_ip_candidate)\\n// Expand, it\u0027s still possible that we might have more than 1 IP\\n| mv-expand hex_extracted\\n// Now we should have a clean string. We need to put it back into a dynamic array to convert back to a string.\\n| extend hex_extracted = trim_end(\\\",\\\", tostring(hex_extracted))\\n| extend hex_extracted = strcat(\\\"[\\\",hex_extracted,\\\"]\\\")\\n| extend hex_extracted = todynamic(hex_extracted)\\n| extend extracted_encoded_ip_candidate = todynamic(extracted_encoded_ip_candidate)\\n// Convert the array back into a string\\n| extend decoded_ip_candidate = make_string(hex_extracted)\\n| summarize by decoded_ip_candidate, tostring(set_RequestURL), Start, End\\n// Now the IP candidates will be in plaintext, extract the IPs using a regex\\n| extend ipmatch = extract_all(ipv4_plaintext_extraction_regex, decoded_ip_candidate)\\n// If it\u0027s not an IP, throw it out\\n| where isnotnull(ipmatch)\\n| mv-expand ipmatch to typeof(string)\\n// Join with DeviceNetworkEvents to find instances where an IP of a machine in our MDE estate sent it\u0027s IP in a base64 encoded string\\n| join (\\n DeviceNetworkEvents\\n | summarize make_set(DeviceId), make_set(DeviceName) by RemoteIP\\n) on $left.ipmatch == $right.RemoteIP\\n| project Start, End, IPmatch=ipmatch, RequestURL=set_RequestURL, DeviceNames=set_DeviceName, DeviceIds=set_DeviceId, RemoteIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPmatch\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"DeviceNames\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"RequestURL\"}]}],\"tactics\":[\"Exfiltration\",\"CommandAndControl\"],\"displayName\":\"IP address of Windows host encoded in web request\",\"description\":\"This detection will identify network requests in HTTP proxy data that contains Base64 encoded IP addresses. After identifying candidates the query\\njoins with DeviceNetworkEvents to idnetify any machine within the network using that IP address. Alerts indicate that the IP address of a machine\\nwithin your network was seen with it\u0027s IP address base64 encoded in an outbounf web request. This method of egressing the IP was seen used in POLONIUM\u0027s\\nRunningRAT tool, however the detection is generic.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2022-05-31T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cbf6ad48-fa5c-4bf7-b205-28dbadb91255\",\"name\":\"cbf6ad48-fa5c-4bf7-b205-28dbadb91255\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let procList = externaldata(Process:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Microsoft_Lolbas_Execution_Binaries.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nEvent\\n| where EventLog == \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID==1\\n| parse EventData with * \u0027Image\\\"\u003e\u0027 Image \\\"\u003c\\\" * \u0027OriginalFileName\\\"\u003e\u0027 OriginalFileName \\\"\u003c\\\" *\\n| where OriginalFileName has_any (procList) and not (Image has_any (procList))\\n| parse EventData with * \u0027ProcessGuid\\\"\u003e\u0027 ProcessGuid \\\"\u003c\\\" * \u0027Description\\\"\u003e\u0027 Description \\\"\u003c\\\" * \u0027CommandLine\\\"\u003e\u0027 CommandLine \\\"\u003c\\\" * \u0027CurrentDirectory\\\"\u003e\u0027 CurrentDirectory \\\"\u003c\\\" * \u0027User\\\"\u003e\u0027 User \\\"\u003c\\\" * \u0027LogonGuid\\\"\u003e\u0027 LogonGuid \\\"\u003c\\\" * \u0027Hashes\\\"\u003e\u0027 Hashes \\\"\u003c\\\" * \u0027ParentProcessGuid\\\"\u003e\u0027 ParentProcessGuid \\\"\u003c\\\" * \u0027ParentImage\\\"\u003e\u0027 ParentImage \\\"\u003c\\\" * \u0027ParentCommandLine\\\"\u003e\u0027 ParentCommandLine \\\"\u003c\\\" * \u0027ParentUser\\\"\u003e\u0027 ParentUser \\\"\u003c\\\" *\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, User, ParentImage, ParentProcessGuid, ParentCommandLine, ParentUser, Image, ProcessGuid, CommandLine, Description, OriginalFileName, CurrentDirectory, Hashes\",\"entityMappings\":[{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLine\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"User\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"Windows Binaries Lolbins Renamed\",\"description\":\"This query detects the execution of renamed Windows binaries (Lolbins). This is a common technique used by adversaries to evade detection. \\nRef: https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-analytics-alert-reference/cortex-xdr-analytics-alert-reference/execution-of-renamed-lolbin.html\",\"lastUpdatedDateUTC\":\"2022-03-11T00:00:00Z\",\"createdDateUTC\":\"2022-03-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3a9d5ede-2b9d-43a2-acc4-d272321ff77c\",\"name\":\"3a9d5ede-2b9d-43a2-acc4-d272321ff77c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet timeframe = 1d;\\nlet scorethreshold = 3;\\nlet baselinethreshold = 50;\\nlet aadFunc = (tableName:string){\\n // Failed Signins attempts with reasoning related to conditional access policies.\\n table(tableName)\\n | where TimeGenerated between (startofday(ago(starttime))..startofday(now()))\\n | where ResultDescription has_any (\\\"conditional access\\\", \\\"CA\\\") or ResultType in (50005, 50131, 53000, 53001, 53002, 52003, 70044)\\n | extend UserPrincipalName = tolower(UserPrincipalName)\\n | extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nlet allSignins = union isfuzzy=true aadSignin, aadNonInt;\\nlet TimeSeriesAlerts = \\nallSignins\\n| make-series DailyCount=count() on TimeGenerated from startofday(ago(starttime)) to startofday(now()) step 1d by UserPrincipalName\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(DailyCount, scorethreshold, -1, \u0027linefit\u0027)\\n| mv-expand DailyCount to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to typeof(double), baseline to typeof(long)\\n// Filtering low count events per baselinethreshold\\n| where anomalies \u003e 0 and baseline \u003e baselinethreshold\\n| extend AnomalyHour = TimeGenerated\\n| project UserPrincipalName, AnomalyHour, TimeGenerated, DailyCount, baseline, anomalies, score;\\n// Filter the alerts for specified timeframe\\nTimeSeriesAlerts\\n| where TimeGenerated \u003e startofday(ago(timeframe))\\n| join kind=inner ( \\n allSignins\\n | where TimeGenerated \u003e startofday(ago(timeframe))\\n // create a new column and round to hour\\n | extend DateHour = bin(TimeGenerated, 1h)\\n | summarize PartialFailedSignins = count(), LatestAnomalyTime = arg_max(TimeGenerated, *) by bin(TimeGenerated, 1h), OperationName, Category, ResultType, ResultDescription, UserPrincipalName, UserDisplayName, AppDisplayName, ClientAppUsed, IPAddress, ResourceDisplayName\\n) on UserPrincipalName, $left.AnomalyHour == $right.DateHour\\n| project LatestAnomalyTime, OperationName, Category, UserPrincipalName, UserDisplayName, ResultType, ResultDescription, AppDisplayName, ClientAppUsed, UserAgent, IPAddress, Location, AuthenticationRequirement, ConditionalAccessStatus, ResourceDisplayName, PartialFailedSignins, TotalFailedSignins = DailyCount, baseline, anomalies, score\\n| extend timestamp = LatestAnomalyTime, IPCustomEntity = IPAddress, AccountCustomEntity = UserPrincipalName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"User Accounts - Sign in Failure due to CA Spikes\",\"description\":\" Identifies spike in failed sign-ins from user accounts due to conditional access policied.\\nSpike is determined based on Time series anomaly which will look at historical baseline values.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-10-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b6d03b88-4d27-49a2-9c1c-29f1ad2842dc\",\"name\":\"b6d03b88-4d27-49a2-9c1c-29f1ad2842dc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let oneDriveCalls = dynamic([\u0027graph.microsoft.com/v1.0/me/drive/root:/Documents/data.txt:/content\u0027,\u0027graph.microsoft.com/v1.0/me/drive/root:/Documents/response.json:/content\u0027]);\\nlet oneDriveCallsRegex = dynamic([@\u0027graph\\\\.microsoft\\\\.com\\\\/v1\\\\.0\\\\/me\\\\/drive\\\\/root\\\\:\\\\/Uploaded\\\\/.*\\\\:\\\\/content\u0027,@\u0027graph\\\\.microsoft\\\\.com\\\\/v1\\\\.0\\\\/me\\\\/drive\\\\/root\\\\:\\\\/Downloaded\\\\/.*\\\\:\\\\/content\u0027]);\\nCommonSecurityLog\\n| where RequestURL has_any (oneDriveCalls) or RequestURL matches regex tostring(oneDriveCallsRegex[0]) or RequestURL matches regex tostring(oneDriveCallsRegex[1])\\n| project TimeGenerated, DeviceVendor, DeviceProduct, DeviceAction, DestinationDnsDomain, DestinationIP, RequestURL, SourceIP, SourceHostName, RequestClientApplication\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"SourceHostName\"}]}],\"tactics\":[\"Exfiltration\",\"CommandAndControl\"],\"displayName\":\"CreepyDrive URLs\",\"description\":\"CreepyDrive uses OneDrive for command and control. This detection identifies URLs specific to CreepyDrive.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2022-05-31T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/011c84d8-85f0-4370-b864-24c13455aa94\",\"name\":\"011c84d8-85f0-4370-b864-24c13455aa94\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"SecurityAlert\\n| extend Extprop = parse_json(ExtendedProperties)\\n| extend Computer = iff(isnotempty(toupper(tostring(Extprop[\\\"Compromised Host\\\"]))), toupper(tostring(Extprop[\\\"Compromised Host\\\"])), tostring(parse_json(Entities)[0].HostName))\\n| extend Account = iff(isnotempty(tolower(tostring(Extprop[\\\"User Name\\\"]))), tolower(tostring(Extprop[\\\"User Name\\\"])), tolower(tostring(Extprop[\\\"user name\\\"])))\\n| extend IpAddress = tostring(parse_json(ExtendedProperties).[\\\"IpAddress\\\"]) \\n| project TimeGenerated, AlertName, Computer, Account, IpAddress, ExtendedProperties\\n| extend timestamp = TimeGenerated, Account, MachineName = Computer, IpAddress\\n| join kind=inner\\n(\\nCoreAzureBackup\\n| where State =~ \\\"Deleted\\\"\\n| where OperationName =~ \\\"BackupItem\\\"\\n| extend data = split(BackupItemUniqueId, \\\";\\\")\\n| extend AzureLocation = data[0], VaultId=data[1], MachineName=data[2], DrivesBackedUp=data[3]\\n| project timestamp = TimeGenerated, AzureLocation, VaultId, tostring(MachineName), DrivesBackedUp, State, BackupItemUniqueId, _ResourceId, OperationName, BackupItemFriendlyName\\n)\\non MachineName\\n| project timestamp, AlertName, HostCustomEntity = MachineName, AccountCustomEntity = Account, ResourceCustomEntity = _ResourceId, IPCustomEntity = IpAddress, VaultId, AzureLocation, DrivesBackedUp, State, BackupItemUniqueId, OperationName, BackupItemFriendlyName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"CoreBackUp Deletion in correlation with other related security alerts\",\"description\":\"This query will help detect attackers attempt to delete backup containers in correlation with other alerts that could have triggered to help possibly reveal more details of attacker activity. \\nThough such an activity could be legitimate as part of business operation, some ransomware actors may perform such operation to cause interruption to regular business services.\",\"lastUpdatedDateUTC\":\"2021-11-05T00:00:00Z\",\"createdDateUTC\":\"2021-11-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1218175f-c534-421c-8070-5dcaabf28067\",\"name\":\"1218175f-c534-421c-8070-5dcaabf28067\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let threshold = 3; \\nZoomLogs \\n| where Event =~ \\\"chat_message.sent\\\" \\n| extend Channel = tostring(parse_json(ChatEvents).Channel) \\n| extend Message = tostring(parse_json(ChatEvents).Message) \\n| where Message matches regex \\\"http(s?):\\\\\\\\/\\\\\\\\/\\\" \\n| summarize Channels = makeset(Channel), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Message, User, UserId\\n| extend ChannelCount = arraylength(Channels) \\n| where ChannelCount \u003e threshold\\n| extend timestamp = StartTime, AccountCustomEntity = User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\",\"Persistence\"],\"displayName\":\"Suspicious link sharing pattern\",\"description\":\"Alerts in links that have been shared across multiple Zoom chat channels by the same user in a short space if time. \\nAdjust the threshold figure to change the number of channels a message needs to be posted in before an alert is raised.\",\"lastUpdatedDateUTC\":\"2022-01-16T00:00:00Z\",\"createdDateUTC\":\"2020-04-24T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0d76e9cf-788d-4a69-ac7d-f234826b5bed\",\"name\":\"0d76e9cf-788d-4a69-ac7d-f234826b5bed\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"DnsEvents\\n| where Name contains \\\".\\\"\\n| where Name has_any (\\\"monerohash.com\\\", \\\"do-dear.com\\\", \\\"xmrminerpro.com\\\", \\\"secumine.net\\\", \\\"xmrpool.com\\\", \\\"minexmr.org\\\", \\\"hashanywhere.com\\\", \\n\\\"xmrget.com\\\", \\\"mininglottery.eu\\\", \\\"minergate.com\\\", \\\"moriaxmr.com\\\", \\\"multipooler.com\\\", \\\"moneropools.com\\\", \\\"xmrpool.eu\\\", \\\"coolmining.club\\\", \\n\\\"supportxmr.com\\\", \\\"minexmr.com\\\", \\\"hashvault.pro\\\", \\\"xmrpool.net\\\", \\\"crypto-pool.fr\\\", \\\"xmr.pt\\\", \\\"miner.rocks\\\", \\\"walpool.com\\\", \\\"herominers.com\\\", \\n\\\"gntl.co.uk\\\", \\\"semipool.com\\\", \\\"coinfoundry.org\\\", \\\"cryptoknight.cc\\\", \\\"fairhash.org\\\", \\\"baikalmine.com\\\", \\\"tubepool.xyz\\\", \\\"fairpool.xyz\\\", \\\"asiapool.io\\\", \\n\\\"coinpoolit.webhop.me\\\", \\\"nanopool.org\\\", \\\"moneropool.com\\\", \\\"miner.center\\\", \\\"prohash.net\\\", \\\"poolto.be\\\", \\\"cryptoescrow.eu\\\", \\\"monerominers.net\\\", \\\"cryptonotepool.org\\\", \\n\\\"extrmepool.org\\\", \\\"webcoin.me\\\", \\\"kippo.eu\\\", \\\"hashinvest.ws\\\", \\\"monero.farm\\\", \\\"supportxmr.com\\\", \\\"xmrpool.eu\\\", \\\"linux-repository-updates.com\\\", \\\"1gh.com\\\", \\n\\\"dwarfpool.com\\\", \\\"hash-to-coins.com\\\", \\\"hashvault.pro\\\", \\\"pool-proxy.com\\\", \\\"hashfor.cash\\\", \\\"fairpool.cloud\\\", \\\"litecoinpool.org\\\", \\\"mineshaft.ml\\\", \\\"abcxyz.stream\\\", \\n\\\"moneropool.ru\\\", \\\"cryptonotepool.org.uk\\\", \\\"extremepool.org\\\", \\\"extremehash.com\\\", \\\"hashinvest.net\\\", \\\"unipool.pro\\\", \\\"crypto-pools.org\\\", \\\"monero.net\\\", \\n\\\"backup-pool.com\\\", \\\"mooo.com\\\", \\\"freeyy.me\\\", \\\"cryptonight.net\\\", \\\"shscrypto.net\\\")\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"DNS events related to mining pools\",\"description\":\"Identifies IP addresses that may be performing DNS lookups associated with common currency mining pools.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/95a15f39-d9cc-4667-8cdd-58f3113691c9\",\"name\":\"95a15f39-d9cc-4667-8cdd-58f3113691c9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let lookback = 14d;\\nlet timeframe = 1d;\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e ago(lookback) and TimeGenerated \u003c ago(timeframe)\\n| where EventID == 4688\\n| where ParentProcessName has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| join kind=rightanti (\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where ParentProcessName has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| where EventID == 4688) on NewProcessName\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress\\n),\\n(WindowsEvent\\n| where TimeGenerated \u003e ago(lookback) and TimeGenerated \u003c ago(timeframe)\\n| where EventID == 4688 and EventData has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| where ParentProcessName has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| join kind=rightanti (\\nWindowsEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where EventID == 4688 and EventData has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| where ParentProcessName has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend IpAddress = tostring(EventData.IpAddress)) on NewProcessName\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress\\n))\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"HAFNIUM New UM Service Child Process\",\"description\":\"This query looks for new processes being spawned by the Exchange UM service where that process has not previously been observed before. \\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-03-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f845881e-2500-44dc-8ed7-b372af3e1e25\",\"name\":\"f845881e-2500-44dc-8ed7-b372af3e1e25\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let short_uaLength = 5;\\nlet long_uaLength = 1000;\\nlet c_threshold = 100;\\nW3CIISLog \\n// Exclude local IPs as these create noise\\n| where cIP !startswith \\\"192.168.\\\" and cIP != \\\"::1\\\"\\n| where isnotempty(csUserAgent) and csUserAgent !in~ (\\\"-\\\", \\\"MSRPC\\\") and (string_size(csUserAgent) \u003c= short_uaLength or string_size(csUserAgent) \u003e= long_uaLength)\\n| extend csUserAgent_size = string_size(csUserAgent)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ConnectionCount = count() by Computer, sSiteName, sPort, csUserAgent, csUserAgent_size, csUserName , csMethod, csUriStem, sIP, cIP, scStatus, scSubStatus, scWin32Status\\n| where ConnectionCount \u003c c_threshold\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = csUserName, HostCustomEntity = Computer, IPCustomEntity = cIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Anomalous User Agent connection attempt\",\"description\":\"Identifies connection attempts (success or fail) from clients with very short or very long User Agent strings and with less than 100 connection attempts.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a2e36ce0-da4d-4b6e-88c6-4e40161c5bfc\",\"name\":\"a2e36ce0-da4d-4b6e-88c6-4e40161c5bfc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.2\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @\u0027^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$\u0027;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n SecurityAlert \\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | extend MSTI = case(AlertName has \\\"TI map\\\" and VendorName == \\\"Microsoft\\\" and ProductName == \u0027Azure Sentinel\u0027, true, false)\\n | where MSTI == false\\n // Converting Entities into dynamic data type and use mv-expand to unpack the array\\n | extend EntitiesDynamicArray = parse_json(Entities) | mv-expand EntitiesDynamicArray\\n // Parsing relevant entity column to filter type account and creating new column by combining account and UPNSuffix\\n | extend Entitytype = tostring(parse_json(EntitiesDynamicArray).Type), EntityName = tostring(parse_json(EntitiesDynamicArray).Name),\\n EntityUPNSuffix = tostring(parse_json(EntitiesDynamicArray).UPNSuffix)\\n | where Entitytype =~ \\\"account\\\"\\n | extend EntityEmail = tolower(strcat(EntityName, \\\"@\\\", EntityUPNSuffix))\\n | where EntityEmail matches regex emailregex\\n | extend Alert_TimeGenerated = TimeGenerated\\n)\\non $left.EmailSenderAddress == $right.EntityEmail\\n| where Alert_TimeGenerated \u003c ExpirationDateTime\\n| summarize Alert_TimeGenerated = arg_max(Alert_TimeGenerated, *) by IndicatorId, AlertName\\n| project Alert_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, \\nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, EntityEmail, AlertName, AlertType,\\nAlertSeverity, Entities, ProviderName, VendorName\\n| extend timestamp = Alert_TimeGenerated, AccountCustomEntity = EntityEmail, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map Email entity to SecurityAlert\",\"description\":\"Identifies a match in SecurityAlert table from any Email IOC from TI which will extend coverage to datatypes such as MCAS, StorageThreatProtection and many others\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c9b6d281-b96b-4763-b728-9a04b9fe1246\",\"name\":\"c9b6d281-b96b-4763-b728-9a04b9fe1246\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let lbtime = 10m;\\nCisco_Umbrella\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027proxylogs\u0027\\n| where DvcAction =~ \u0027Allowed\u0027\\n| where UrlCategory has_any (\u0027Dynamic and Residential\u0027, \u0027Personal VPN\u0027)\\n| project TimeGenerated, SrcIpAddr, Identities\\n| extend IPCustomEntity = SrcIpAddr\\n| extend AccountCustomEntity = Identities\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"Exfiltration\"],\"displayName\":\"Cisco Umbrella - Connection to non-corporate private network\",\"description\":\"IP addresses of broadband links that usually indicates users attempting to access their home network, for example for a remote session to a home computer.\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/631d02df-ab51-46c1-8d72-32d0cfec0720\",\"name\":\"631d02df-ab51-46c1-8d72-32d0cfec0720\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Medium\",\"query\":\"let excludeProcs = dynamic([@\\\"\\\\SolarWinds\\\\Orion\\\\APM\\\\APMServiceControl.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\ExportToPDFCmd.Exe\\\", @\\\"\\\\SolarWinds.Credentials\\\\SolarWinds.Credentials.Orion.WebApi.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\Topology\\\\SolarWinds.Orion.Topology.Calculator.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\Database-Maint.exe\\\", @\\\"\\\\SolarWinds.Orion.ApiPoller.Service\\\\SolarWinds.Orion.ApiPoller.Service.exe\\\", @\\\"\\\\Windows\\\\SysWOW64\\\\WerFault.exe\\\"]);\\nimProcessCreate\\n| where Process hassuffix \u0027solarwinds.businesslayerhost.exe\u0027\\n| where not(Process has_any (excludeProcs))\\n| extend\\n timestamp = TimeGenerated,\\n AccountCustomEntity = ActorUsername,\\n HostCustomEntity = User,\\n AlgorithmCustomEntity = \\\"MD5\\\",\\n FileHashCustomEntity = TargetProcessMD5 // Change to *hash* once implemented\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Execution\",\"Persistence\"],\"displayName\":\"SUNBURST suspicious SolarWinds child processes (Normalized Process Events)\",\"description\":\"Identifies suspicious child processes of SolarWinds.Orion.Core.BusinessLayer.dll that may be evidence of the SUNBURST backdoor\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimProcessEvent)\",\"lastUpdatedDateUTC\":\"2022-02-14T00:00:00Z\",\"createdDateUTC\":\"2020-12-15T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0bd65651-1404-438b-8f63-eecddcec87b4\",\"name\":\"0bd65651-1404-438b-8f63-eecddcec87b4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\n// Adjust for a longer timeframe for identifying ADFS Servers\\nlet lookback = 6d;\\n// Identify ADFS Servers\\nlet ADFS_Servers = ( union isfuzzy=true\\n( Event\\n| where TimeGenerated \u003e ago(timeframe+lookback)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key=tostring([\u0027@Name\u0027]), Value=[\u0027#text\u0027]\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| extend process = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n| where process =~ \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n),\\n( SecurityEvent\\n| where TimeGenerated \u003e ago(timeframe+lookback)\\n| where EventID == 4688 and SubjectLogonId != \\\"0x3e4\\\"\\n| where ProcessName has \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n),\\n(WindowsEvent\\n| where TimeGenerated \u003e ago(timeframe+lookback)\\n| where EventID == 4688 and EventData has \\\"0x3e4\\\" and EventData has \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| extend SubjectLogonId = tostring(EventData.SubjectLogonId)\\n| where SubjectLogonId != \\\"0x3e4\\\"\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| where ProcessName has \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n)\\n| distinct Computer);\\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where EventID == 4688\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Computer in~ (ADFS_Servers)\\n| where ParentProcessName has \u0027wmiprvse.exe\u0027\\n// Looking for rundll32.exe is based on intel from the blog linked in the description\\n// This can be commented out or altered to filter out known internal uses\\n| where CommandLine has_any (\u0027rundll32\u0027) \\n| project TimeGenerated, TargetAccount, CommandLine, Computer, Account, TargetLogonId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account\\n// Search for recent logons to identify lateral movement\\n| join kind= inner\\n(SecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where EventID == 4624 and LogonType == 3\\n| where Account !endswith \\\"$\\\"\\n| project TargetLogonId\\n) on TargetLogonId\\n),\\n(\\nWindowsEvent\\n| where EventID == 4688\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Computer in~ (ADFS_Servers)\\n| where EventData has \u0027wmiprvse.exe\u0027 and EventData has_any (\u0027rundll32\u0027) \\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| where ParentProcessName has \u0027wmiprvse.exe\u0027\\n// Looking for rundll32.exe is based on intel from the blog linked in the description\\n// This can be commented out or altered to filter out known internal uses\\n| extend CommandLine = tostring(EventData.CommandLine)\\n| where CommandLine has_any (\u0027rundll32\u0027) \\n| extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| extend Account = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| extend TargetLogonId = tostring(EventData.TargetLogonId)\\n| project TimeGenerated, TargetAccount, CommandLine, Computer, Account, TargetLogonId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account\\n// Search for recent logons to identify lateral movement\\n| join kind= inner\\n(WindowsEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where EventID == 4624 \\n| extend LogonType = tostring(EventData.LogonType)\\n| where LogonType == 3\\n| extend Account = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| where Account !endswith \\\"$\\\"\\n| extend TargetLogonId = tostring(EventData.TargetLogonId)\\n| project TargetLogonId\\n) on TargetLogonId\\n),\\n(\\nEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n// Check for WMI Events\\n| where Computer in~ (ADFS_Servers) and EventID in (19, 20, 21)\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key=tostring([\u0027@Name\u0027]), Value=[\u0027#text\u0027]\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| project TimeGenerated, EventType, Image, Computer, UserName\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = UserName\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"LateralMovement\"],\"displayName\":\"Gain Code Execution on ADFS Server via Remote WMI Execution\",\"description\":\"This query detects instances where an attacker has gained the ability to execute code on an ADFS Server through remote WMI Execution.\\nIn order to use this query you need to be collecting Sysmon EventIDs 19, 20, and 21.\\nIf you do not have Sysmon data in your workspace this query will raise an error stating:\\n Failed to resolve scalar expression named \\\"[@Name]\\\"\\nFor more on how WMI was used in Solorigate see https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/.\\nThe query contains some features from the following detections to look for potentially malicious ADFS activity. See them for more details.\\n- ADFS Key Export (Sysmon): https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/ADFSKeyExportSysmon.yaml\\n- ADFS DKM Master Key Export: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ADFS-DKM-MasterKey-Export.yaml\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-02-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3d71fc38-f249-454e-8479-0a358382ef9a\",\"name\":\"3d71fc38-f249-454e-8479-0a358382ef9a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"SecurityNestedRecommendation\\n| where RemediationDescription has \u0027CVE-2021-44228\u0027\\n| parse ResourceDetails with * \u0027virtualMachines/\u0027 VirtualMAchine \u0027\\\"\u0027 *\\n| summarize arg_min(TimeGenerated, *) by TenantId, RecommendationSubscriptionId, VirtualMAchine, RecommendationName,Description,RemediationDescription, tostring(AdditionalData),VulnerabilityId\\n| extend Timestamp = TimeGenerated, HostCustomEntity = VirtualMAchine\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"Execution\"],\"displayName\":\"Vulnerable Machines related to log4j CVE-2021-44228\",\"description\":\"This query uses the Azure Defender Security Nested Recommendations data to find machines vulnerable to log4j CVE-2021-44228. Log4j is an open-source Apache logging library that is used in \\n many Java-based applications. Security Nested Recommendations data is sent to Microsoft Sentinel using the continuous export feature of Azure Defender(refrence link below).\\n Reference: https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/\\n Reference: https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal\\n Reference: https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/how-defender-for-cloud-displays-machines-affected-by-log4j/ba-p/3037271\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-09-17T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a2e0eb51-1f11-461a-999b-cd0ebe5c7a72\",\"name\":\"a2e0eb51-1f11-461a-999b-cd0ebe5c7a72\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Azure Security Center for IoT\",\"displayName\":\"Create incidents based on Microsoft Defender for IOT alerts\",\"description\":\"Create incidents based on all alerts generated in Microsoft Defender for IOT\",\"lastUpdatedDateUTC\":\"2019-12-24T00:00:00Z\",\"createdDateUTC\":\"2019-12-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"IoT\",\"dataTypes\":[\"SecurityAlert (ASC for IoT)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d2e8fd50-8d66-11ec-b909-0242ac120002\",\"name\":\"d2e8fd50-8d66-11ec-b909-0242ac120002\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n | where EventID in (4624,4625) and LogonType in (10) and IpAddress in (\\\"::1\\\",\\\"127.0.0.1\\\")\\n | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, TargetUserName, TargetLogonId, LogonType, IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUserName\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Potential Remote Desktop Tunneling\",\"description\":\"This query detects remote desktop authentication attempts with a localhost source address which can indicate a tunneled login.\\nRef: https://www.mandiant.com/resources/bypassing-network-restrictions-through-rdp-tunneling\",\"lastUpdatedDateUTC\":\"2022-02-15T00:00:00Z\",\"createdDateUTC\":\"2022-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c37711a4-5f44-4472-8afc-0679bc0ef966\",\"name\":\"c37711a4-5f44-4472-8afc-0679bc0ef966\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.1.1\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/FoggyWebIOC.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet sha256Hashes = (iocs | where Type == \\\"sha256\\\" | project IoC);\\nlet FilePaths = (iocs | where Type =~ \\\"FilePath\\\" | project IoC);\\nlet POST_URI = (iocs | where Type =~ \\\"URI1\\\" | project IoC);\\nlet GET_URI = (iocs | where Type =~ \\\"URI2\\\" | project IoC);\\n//Include in the list below, the ADFS servers you know about in your environment. In the next part of the query, we will try to identify them for you if you have the telemetry.\\nlet ADFS_Servers1 = datatable(Computer:string)\\n[ \\\"\u003cADFS01\u003e.\u003cDOMAIN\u003e.\u003cCOM\u003e\\\",\\n\\\"\u003cADFS02\u003e.\u003cDOMAIN\u003e.\u003cCOM\u003e\\\"\\n];\\n// Automatically identify potential ADFS services in your environment by searching process event telemetry for \\\"Microsoft.IdentityServer.ServiceHost.exe\\\".\\nlet ADFS_Servers2 = \\n(union isfuzzy=true\\n(SecurityEvent\\n| where EventID == 4688 and SubjectLogonId != \\\"0x3e4\\\"\\n| where ProcessName has \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n),\\n( WindowsEvent\\n| where EventID == 4688 and EventData has \\\"Microsoft.IdentityServer.ServiceHost.exe\\\" and EventData has \\\"0x3e4\\\"\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| where ProcessName == \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| extend SubjectLogonId = tostring(EventData.SubjectLogonId)\\n| where SubjectLogonId != \\\"0x3e4\\\"\\n| distinct Computer\\n),\\n(DeviceProcessEvents\\n| where InitiatingProcessFileName == \u0027Microsoft.IdentityServer.ServiceHost.exe\u0027\\n| extend Computer = DeviceName\\n| distinct Computer\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key=tostring([\u0027@Name\u0027]), Value=[\u0027#text\u0027]\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| extend process = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n| where process =~ \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n)\\n);\\nlet ADFS_Servers =\\nADFS_Servers1\\n| union (ADFS_Servers2 | distinct Computer);\\n(union isfuzzy=true\\n(DeviceNetworkEvents\\n| where DeviceName in (ADFS_Servers)\\n| where isnotempty(InitiatingProcessSHA256) or isnotempty(InitiatingProcessFolderPath)\\n| where InitiatingProcessSHA256 has_any (sha256Hashes) or InitiatingProcessFolderPath has_any (FilePaths)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort, LocalIP, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\" and EventID == \u00277\u0027\\n| where Computer in (ADFS_Servers)\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend ImageLoaded = EventDetail.[5].[\\\"#text\\\"], Hashes = EventDetail.[11].[\\\"#text\\\"]\\n| parse Hashes with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| where ImageLoaded has_any (FilePaths) or SHA256 has_any (sha256Hashes) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256, ImageLoaded, EventID\\n| extend Type = strcat(Type,\\\":\\\",EventID, \\\": \\\", Source), Account = UserName, FileHash = SHA256, Image = EventDetail.[4].[\\\"#text\\\"] \\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, SourceUserID, FileHash, Type\\n| extend timestamp = TimeGenerated, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(DeviceEvents\\n| where DeviceName in (ADFS_Servers)\\n| extend FilePath = strcat(FolderPath, \u0027\\\\\\\\\u0027, FileName)\\n| where InitiatingProcessSHA256 has_any (sha256Hashes) or FilePath has_any (FilePaths)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(DeviceFileEvents\\n| where DeviceName in (ADFS_Servers)\\n| where FolderPath has_any (FilePaths) or SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(DeviceImageLoadEvents\\n| where DeviceName in (ADFS_Servers)\\n| where FolderPath has_any (FilePaths) or SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where Computer in (ADFS_Servers)\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| parse EventDetail with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| where EventDetail has_any (sha256Hashes) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256\\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = SHA256, Image = EventDetail.[4].[\\\"#text\\\"] \\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(W3CIISLog \\n| where ( csMethod == \u0027GET\u0027 and csUriStem has_any (GET_URI)) or (csMethod == \u0027POST\u0027 and csUriStem has_any (POST_URI))\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), cIP_MethodCount = count() \\nby cIP, cIP_MethodCountType = \\\"Count of repeated entries, this is to reduce rowsets returned\\\", csMethod, \\ncsHost, scStatus, sIP, csUriStem, csUriQuery, csUserName, csUserAgent, csCookie, csReferer\\n| extend timestamp = StartTime, IPCustomEntity = cIP, HostCustomEntity = csHost, AccountCustomEntity = csUserName\\n),\\n(imFileEvent\\n| where DvcHostname in (ADFS_Servers)\\n| where TargetFileSHA256 has_any (sha256Hashes) or FilePath has_any (FilePaths)\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]}],\"tactics\":[\"Collection\"],\"displayName\":\"NOBELIUM IOCs related to FoggyWeb backdoor\",\"description\":\"Identifies a match across various data feeds for IOCs related to FoggyWeb backdoor by the threat actor NOBELIUM.\\n FoggyWeb is a passive and highly targeted backdoor capable of remotely exfiltrating sensitive information from a compromised AD FS server.\\n It can also receive additional malicious components from a command-and-control (C2) server and execute them on the compromised server.\\n Reference: https://aka.ms/nobelium-foggy-web\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-09-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceFileEvents\",\"DeviceEvents\",\"DeviceImageLoadEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/61988db3-0565-49b5-b8e3-747195baac6e\",\"name\":\"61988db3-0565-49b5-b8e3-747195baac6e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.2\",\"severity\":\"Medium\",\"query\":\"let procList = dynamic([\\\"cmd.exe\\\",\\\"ftp.exe\\\",\\\"schtasks.exe\\\",\\\"powershell.exe\\\",\\\"rundll32.exe\\\",\\\"regsvr32.exe\\\",\\\"msiexec.exe\\\"]); \\nimProcessCreate\\n| where CommandLine has \\\"recycler\\\"\\n| where Process has_any (procList)\\n| extend FileName = tostring(split(Process, \u0027\\\\\\\\\u0027)[-1])\\n| where FileName in~ (procList)\\n| project StartTimeUtc = TimeGenerated, Dvc, User, Process, FileName, CommandLine, ActingProcessName, EventVendor, EventProduct\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User, HostCustomEntity = Dvc\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Malware in the recycle bin (Normalized Process Events)\",\"description\":\"Identifies malware that has been hidden in the recycle bin.\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimProcessEvent)\",\"lastUpdatedDateUTC\":\"2022-02-23T00:00:00Z\",\"createdDateUTC\":\"2021-06-13T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ec491363-5fe7-4eff-b68e-f42dcb76fcf6\",\"name\":\"ec491363-5fe7-4eff-b68e-f42dcb76fcf6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AzureActivity\\n| where CategoryValue == \u0027Administrative\u0027\\n| where ResourceProviderValue =~ \u0027Microsoft.ADHybridHealthService\u0027\\n| where _ResourceId contains \u0027AdFederationService\u0027\\n| where OperationNameValue =~ \u0027Microsoft.ADHybridHealthService/services/servicemembers/action\u0027\\n| extend claimsJson = parse_json(Claims)\\n| extend AppId = tostring(claimsJson.appid)\\n| extend AccountName = tostring(claimsJson.name)\\n| project-away claimsJson\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Caller\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"CallerIpAddress\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"NRT Azure Active Directory Hybrid Health AD FS New Server\",\"description\":\"This detection uses AzureActivity logs (Administrative category) to identify the creation or update of a server instance in an Azure AD Hybrid health AD FS service.\\nA threat actor can create a new AD Health ADFS service and create a fake server instance to spoof AD FS signing logs. There is no need to compromise an on-prem AD FS server.\\nThis can be done programmatically via HTTP requests to Azure. More information in this blog: https://o365blog.com/post/hybridhealthagent/\",\"lastUpdatedDateUTC\":\"2022-02-07T00:00:00Z\",\"createdDateUTC\":\"2021-08-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/32ffb19e-8ed8-40ed-87a0-1adb4746b7c4\",\"name\":\"32ffb19e-8ed8-40ed-87a0-1adb4746b7c4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"// Enter a reference list of malicious file artifacts\\nlet MaliciousFileArtifacts = dynamic ([\\\"lsass.dmp\\\",\\\"test.pwd\\\",\\\"lsremora.dll\\\",\\\"lsremora64.dll\\\",\\\"fgexec.exe\\\",\\\"pwdump\\\",\\\"kirbi\\\",\\\"wce_ccache\\\",\\\"wce_krbtkts\\\",\\\"wceaux.dll\\\",\\\"PwHashes\\\",\\\"SAM.out\\\",\\\"SECURITY.out\\\",\\\"SYSTEM.out\\\",\\\"NTDS.out\\\" \\\"DumpExt.dll\\\",\\\"DumpSvc.exe\\\",\\\"cachedump64.exe\\\",\\\"cachedump.exe\\\",\\\"pstgdump.exe\\\",\\\"servpw64.exe\\\",\\\"servpw.exe\\\",\\\"pwdump.exe\\\",\\\"fgdump-log\\\"]);\\nEvent\\n| where EventLog == \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID==11\\n| parse EventData with * \u0027TargetFilename\\\"\u003e\u0027 TargetFilename \\\"\u003c\\\" *\\n| where TargetFilename has_any (MaliciousFileArtifacts)\\n| parse EventData with * \u0027ProcessGuid\\\"\u003e\u0027 ProcessGuid \\\"\u003c\\\" * \u0027Image\\\"\u003e\u0027 Image \\\"\u003c\\\" *\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, Image, ProcessGuid, TargetFilename\",\"entityMappings\":[{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"TargetFilename\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"Image\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Credential Dumping Tools - File Artifacts\",\"description\":\"This query detects the creation of credential dumping tools files. Several credential dumping tools export files with hardcoded file names.\\nRef: https://jpcertcc.github.io/ToolAnalysisResultSheet/\",\"lastUpdatedDateUTC\":\"2022-04-22T00:00:00Z\",\"createdDateUTC\":\"2022-02-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"Event\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/983a6922-894d-413c-9f04-d7add0ecc307\",\"name\":\"983a6922-894d-413c-9f04-d7add0ecc307\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P10D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.1\",\"severity\":\"Medium\",\"query\":\"let referencestarttime = 10d;\\nlet referenceendtime = 1d;\\nlet threshold = 100;\\nlet nxDomainDnsEvents = (stime:datetime, etime:datetime) \\n {_Im_Dns(responsecodename=\u0027NXDOMAIN\u0027, starttime=stime, endtime=etime)\\n | where DnsQueryTypeName in (\\\"A\\\", \\\"AAAA\\\")\\n | where ipv4_is_match(\\\"127.0.0.1\\\", SrcIpAddr) == False\\n | where DnsQuery !contains \\\"/\\\" and DnsQuery contains \\\".\\\"};\\nnxDomainDnsEvents (stime=ago(referenceendtime) ,etime=now())\\n | extend sld = tostring(split(DnsQuery, \\\".\\\")[-2])\\n | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), dcount(sld) by SrcIpAddr\\n | where dcount_sld \u003e threshold\\n // Filter out previously seen IPs\\n | join kind=leftanti (nxDomainDnsEvents (stime=ago(referencestarttime), etime=ago(referenceendtime))\\n | extend sld = tostring(split(DnsQuery, \\\".\\\")[-2])\\n | summarize dcount(sld) by SrcIpAddr\\n | where dcount_sld \u003e threshold ) on SrcIpAddr\\n// Pull out sample NXDomain responses for those remaining potentially infected IPs\\n| join kind = inner (nxDomainDnsEvents (stime=ago(referencestarttime), etime=now()) | summarize by DnsQuery, SrcIpAddr) on SrcIpAddr\\n| summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), sampleNXDomainList=make_list(DnsQuery, 100) by SrcIpAddr, dcount_sld\\n| extend timestamp = StartTimeUtc, IPCustomEntity = SrcIpAddr\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Potential DGA detected (ASIM DNS Schema)\",\"description\":\"Identifies clients with a high NXDomain count which could be indicative of a DGA (cycling through possible C2 domains\\nwhere most C2s are not live). Alert is generated when a new IP address is seen (based on not being seen associated with \\nNXDomain records in prior 10-day baseline period).\\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema\",\"lastUpdatedDateUTC\":\"2022-04-10T00:00:00Z\",\"createdDateUTC\":\"2021-09-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/18dbdc22-b69f-4109-9e39-723d9465f45f\",\"name\":\"18dbdc22-b69f-4109-9e39-723d9465f45f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ActiniumIOC.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet AVHits = (iocs | where Type =~ \\\"AVDetection\\\"| project IoC);\\nSecurityAlert\\n| where ProviderName == \u0027MDATP\u0027\\n| extend ThreatName_ = tostring(parse_json(ExtendedProperties).ThreatName)\\n| where ThreatName_ has_any (AVHits)\\n| extend Directory = tostring(parse_json(Entities)[0].Directory), SHA256 = tostring(parse_json(tostring(parse_json(Entities)[0].FileHashes))[2].Value), FileName = tostring(parse_json(Entities)[0].Name), Hostname = tostring(parse_json(Entities)[6].FQDN)| extend AccountName = tostring(parse_json(tostring(parse_json(Entities)[6].LoggedOnUsers))[0].AccountName)\\n| project TimeGenerated, AlertName, ThreatName_, ProviderName, AlertSeverity, Description, RemediationSteps, ExtendedProperties, Entities, FileName,SHA256, Directory, Hostname, AccountName\\n| extend timestamp = TimeGenerated, HostCustomEntity = Hostname , AccountCustomEntity = AccountName, FileHashCustomEntity = SHA256\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashType\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"ACTINIUM AV hits - Feb 2022\",\"description\":\"Identifies a match in the Security Alert table for MDATP hits related to the ACTINIUM actor\",\"lastUpdatedDateUTC\":\"2022-02-04T00:00:00Z\",\"createdDateUTC\":\"2022-02-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftDefenderAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert (MDATP)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f6a51e2c-2d6a-4f92-a090-cfb002ca611f\",\"name\":\"f6a51e2c-2d6a-4f92-a090-cfb002ca611f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let lbtime = 10m;\\nlet disallowed_ext = dynamic([\u0027ps1\u0027, \u0027exe\u0027, \u0027vbs\u0027, \u0027js\u0027, \u0027scr\u0027]);\\nProofpointPOD\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027inbound\u0027\\n| where FilterDisposition !in (\u0027reject\u0027, \u0027discard\u0027)\\n| extend attachedExt = todynamic(MsgParts)[0][\u0027detectedExt\u0027]\\n| where attachedExt in (disallowed_ext)\\n| project SrcUserUpn, DstUserUpn\\n| extend AccountCustomEntity = DstUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"ProofpointPOD - Suspicious attachment\",\"description\":\"Detects when email contains suspicious attachment (file type).\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/707494a5-8e44-486b-90f8-155d1797a8eb\",\"name\":\"707494a5-8e44-486b-90f8-155d1797a8eb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P2D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let auditLookbackStart = 2d;\\nlet auditLookbackEnd = 1d;\\nAuditLogs\\n| where TimeGenerated \u003e= ago(auditLookbackStart)\\n| where OperationName =~ \\\"Consent to application\\\" \\n| where Result =~ \\\"success\\\"\\n| mv-expand target = TargetResources\\n| extend targetResourceName = tostring(target.displayName)\\n| extend targetResourceID = tostring(target.id)\\n| extend targetResourceType = tostring(target.type)\\n| extend targetModifiedProp = TargetResources[0].modifiedProperties\\n| extend isAdminConsent = targetModifiedProp[0].newValue\\n| extend Consent_ServicePrincipalNames = targetModifiedProp[5].newValue\\n| extend Consent_Permissions = targetModifiedProp[4].newValue\\n| extend Consent_InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend Consent_InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n| join ( \\nAuditLogs\\n| where TimeGenerated \u003e= ago(auditLookbackEnd)\\n| where OperationName =~ \\\"Add service principal credentials\\\"\\n| where Result =~ \\\"success\\\"\\n| mv-expand target = TargetResources\\n| extend targetResourceName = tostring(target.displayName)\\n| extend targetResourceID = tostring(target.id)\\n| extend targetModifiedProp = TargetResources[0].modifiedProperties\\n| extend Credential_KeyDescription = targetModifiedProp[0].newValue\\n| extend UpdatedProperties = targetModifiedProp[1].newValue\\n| extend Credential_ServicePrincipalNames = targetModifiedProp[2].newValue\\n| extend Credential_InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend Credential_InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n) on targetResourceName, targetResourceID\\n| extend TimeConsent = TimeGenerated, TimeCred = TimeGenerated1\\n| where TimeConsent \u003e TimeCred \\n| project TimeConsent, TimeCred, Consent_InitiatingUserOrApp, Credential_InitiatingUserOrApp, targetResourceName, targetResourceType, isAdminConsent, Consent_ServicePrincipalNames, Credential_ServicePrincipalNames, Consent_Permissions, Credential_KeyDescription, Consent_InitiatingIpAddress, Credential_InitiatingIpAddress\\n| extend timestamp = TimeConsent, AccountCustomEntity = Consent_InitiatingUserOrApp, IPCustomEntity = Consent_InitiatingIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Credential added after admin consented to Application\",\"description\":\"This query will identify instances where Service Principal credentials were added to an application by one user after the application was granted admin consent rights by another user.\\n If a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\\n Additional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow.\\n For further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities\",\"lastUpdatedDateUTC\":\"2022-01-16T00:00:00Z\",\"createdDateUTC\":\"2021-02-12T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/11bda520-a965-4654-9a45-d09f372f71aa\",\"name\":\"11bda520-a965-4654-9a45-d09f372f71aa\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P2D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"High\",\"query\":\"AzureActivity\\n// Isolate run command actions\\n| where OperationNameValue == \\\"MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION\\\"\\n// Confirm that the operation impacted a virtual machine\\n| where Authorization has \\\"virtualMachines\\\"\\n// Each runcommand operation consists of three events when successful, Started, Accepted (or Rejected), Successful (or Failed).\\n| summarize StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), max(CallerIpAddress), make_list(ActivityStatusValue) by CorrelationId, Authorization, Caller\\n// Limit to Run Command executions that Succeeded\\n| where list_ActivityStatusValue has \\\"Success\\\"\\n// Extract data from the Authorization field\\n| extend Authorization_d = parse_json(Authorization)\\n| extend Scope = Authorization_d.scope\\n| extend Scope_s = split(Scope, \\\"/\\\")\\n| extend Subscription = tostring(Scope_s[2])\\n| extend VirtualMachineName = tostring(Scope_s[-1])\\n| project StartTime, EndTime, Subscription, VirtualMachineName, CorrelationId, Caller, CallerIpAddress=max_CallerIpAddress\\n// Create a join key using the Caller (UPN)\\n| extend joinkey = tolower(Caller)\\n// Join the Run Command actions to UEBA data\\n| join kind = inner (\\n BehaviorAnalytics\\n // We are specifically interested in unusual logins\\n | where EventSource == \\\"Azure AD\\\" and ActivityInsights.ActionUncommonlyPerformedByUser == \\\"True\\\"\\n | project UEBAEventTime=TimeGenerated, UEBAActionType=ActionType, UserPrincipalName, UEBASourceIPLocation=SourceIPLocation, UEBAActivityInsights=ActivityInsights, UEBAUsersInsights=UsersInsights\\n | where isnotempty(UserPrincipalName) and isnotempty(UEBASourceIPLocation)\\n | extend joinkey = tolower(UserPrincipalName)\\n) on joinkey\\n// Create a window around the UEBA event times, check to see if the Run Command action was performed within them\\n| extend UEBAWindowStart = UEBAEventTime - 1h, UEBAWindowEnd = UEBAEventTime + 6h\\n| where StartTime between (UEBAWindowStart .. UEBAWindowEnd)\\n| project StartTime, EndTime, Subscription, VirtualMachineName, Caller, CallerIpAddress, UEBAEventTime, UEBAActionType, UEBASourceIPLocation, UEBAActivityInsights, UEBAUsersInsights\\n| extend timestamp = StartTime, AccountCustomEntity=Caller, IPCustomEntity=CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"LateralMovement\",\"CredentialAccess\"],\"displayName\":\"Azure VM Run Command operation executed during suspicious login window\",\"description\":\"Identifies when the Azure Run Command operation is executed by a UserPrincipalName and IP Address \\nthat has resulted in a recent user entity behaviour alert.\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2021-10-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3fe3c520-04f1-44b8-8398-782ed21435f8\",\"name\":\"3fe3c520-04f1-44b8-8398-782ed21435f8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.1\",\"severity\":\"Low\",\"query\":\"let torProxies=dynamic([\\\"tor2web.org\\\", \\\"tor2web.com\\\", \\\"torlink.co\\\", \\\"onion.to\\\", \\\"onion.ink\\\", \\\"onion.cab\\\", \\\"onion.nu\\\", \\\"onion.link\\\", \\n\\\"onion.it\\\", \\\"onion.city\\\", \\\"onion.direct\\\", \\\"onion.top\\\", \\\"onion.casa\\\", \\\"onion.plus\\\", \\\"onion.rip\\\", \\\"onion.dog\\\", \\\"tor2web.fi\\\", \\n\\\"tor2web.blutmagie.de\\\", \\\"onion.sh\\\", \\\"onion.lu\\\", \\\"onion.pet\\\", \\\"t2w.pw\\\", \\\"tor2web.ae.org\\\", \\\"tor2web.io\\\", \\\"tor2web.xyz\\\", \\\"onion.lt\\\", \\n\\\"s1.tor-gateways.de\\\", \\\"s2.tor-gateways.de\\\", \\\"s3.tor-gateways.de\\\", \\\"s4.tor-gateways.de\\\", \\\"s5.tor-gateways.de\\\", \\\"hiddenservice.net\\\"]);\\n_Im_Dns(domain_has_any=torProxies)\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"DNS events related to ToR proxies (ASIM DNS Schema)\",\"description\":\"Identifies IP addresses performing DNS lookups associated with common ToR proxies.\\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema\",\"lastUpdatedDateUTC\":\"2022-04-10T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d9938c3b-16f9-444d-bc22-ea9a9110e0fd\",\"name\":\"d9938c3b-16f9-444d-bc22-ea9a9110e0fd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"// Azure AD Connect Health Agent - cf6d7e68-f018-4e0a-a7b3-126e053fb88d\\n// Azure Active Directory Connect - cb1056e2-e479-49de-ae31-7812af012ed8\\nlet appList = dynamic([\u0027cf6d7e68-f018-4e0a-a7b3-126e053fb88d\u0027,\u0027cb1056e2-e479-49de-ae31-7812af012ed8\u0027]);\\nlet operationNamesList = dynamic([\u0027Microsoft.ADHybridHealthService/services/servicemembers/action\u0027,\u0027Microsoft.ADHybridHealthService/services/delete\u0027]);\\nAzureActivity\\n| where CategoryValue == \u0027Administrative\u0027\\n| where ResourceProviderValue =~ \u0027Microsoft.ADHybridHealthService\u0027\\n| where _ResourceId contains \u0027AdFederationService\u0027\\n| where OperationNameValue in~ (operationNamesList)\\n| extend claimsJson = parse_json(Claims)\\n| extend AppId = tostring(claimsJson.appid)\\n| extend AccountName = tostring(claimsJson.name)\\n| where AppId !in (appList)\\n| project-away claimsJson\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\",\"DefenseEvasion\"],\"displayName\":\"Azure Active Directory Hybrid Health AD FS Suspicious Application\",\"description\":\"This detection uses AzureActivity logs (Administrative category) to a suspicious application adding a server instance to an Azure AD Hybrid health AD FS service or deleting the AD FS service instance.\\nUsually the Azure AD Connect Health Agent application with ID cf6d7e68-f018-4e0a-a7b3-126e053fb88d is used to perform those operations.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-08-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9d0295ee-cb75-4f2c-9952-e5acfbb67036\",\"name\":\"9d0295ee-cb75-4f2c-9952-e5acfbb67036\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":1,\"version\":\"1.0.0\",\"severity\":\"Informational\",\"query\":\"let timeframe = ago(1d);\\nAppServiceAntivirusScanAuditLogs\\n| where NumberOfInfectedFiles \u003e 0\\n| extend HostCustomEntity = _ResourceId, timestamp = TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"displayName\":\"AppServices AV Scan with Infected Files\",\"description\":\"Identifies if an AV scan finds infected files in Azure App Services.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-11T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b2199398-8942-4b8c-91a9-b0a707c5d147\",\"name\":\"b2199398-8942-4b8c-91a9-b0a707c5d147\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT12H\",\"queryPeriod\":\"PT12H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/HiveRansomwareJuly2022.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, SourceUserID, FileHash, Type\\n| extend timestamp = TimeGenerated, FileHashCustomEntity = \u0027SHA256\u0027, Account = SourceUserID\\n),\\n(imFileEvent\\n| where TargetFileSHA256 has_any (sha256Hashes)\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Image = EventDetail.[4].[\\\"#text\\\"], CommandLine = EventDetail.[10].[\\\"#text\\\"], Hashes = tostring(EventDetail.[17].[\\\"#text\\\"])\\n| extend Hashes = extract_all(@\\\"(?P\u003ckey\u003e\\\\w+)=(?P\u003cvalue\u003e[a-zA-Z0-9]+)\\\", dynamic([\\\"key\\\",\\\"value\\\"]), Hashes)\\n| extend Hashes = column_ifexists(\\\"Hashes\\\", \\\"\\\"), CommandLine = column_ifexists(\\\"CommandLine\\\", \\\"\\\")\\n| where (Hashes has_any (sha256Hashes) ) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, Hashes, CommandLine, Image\\n| extend Type = strcat(Type, \\\": \\\", Source)\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), FileHashCustomEntity = Hashes\\n),\\n(DeviceEvents\\n| where InitiatingProcessSHA256 has_any (sha256Hashes) or SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n),\\n(DeviceFileEvents\\n| where SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n),\\n(DeviceImageLoadEvents\\n| where SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Hive Ransomware IOC - July 2022\",\"description\":\"Identifies a hash match related to Hive Ransomware across various data sources.\",\"lastUpdatedDateUTC\":\"2022-07-05T00:00:00Z\",\"createdDateUTC\":\"2022-01-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\",\"DeviceEvents\",\"DeviceImageLoadEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1ff56009-db01-4615-8211-d4fda21da02d\",\"name\":\"1ff56009-db01-4615-8211-d4fda21da02d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"AuditLogs\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where AADOperationType =~ \\\"Assign\\\"\\n| where ActivityDisplayName has_any (\\\"Add delegated permission grant\\\",\\\"Add app role assignment to service principal\\\")\\n| mv-expand TargetResources\\n| mv-expand TargetResources.modifiedProperties\\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\\n| where displayName_ has_any (\\\"AppRole.Value\\\",\\\"DelegatedPermissionGrant.Scope\\\")\\n| extend Permission = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\\n| where Permission has \\\"RoleManagement.ReadWrite.Directory\\\"\\n| extend InitiatingApp = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n| extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName))\\n| extend Target = tostring(parse_json(tostring(TargetResources.modifiedProperties[4].newValue)))\\n| extend TargetId = iif(displayName_ =~ \u0027DelegatedPermissionGrant.Scope\u0027,\\n tostring(parse_json(tostring(TargetResources.modifiedProperties[2].newValue))),\\n tostring(parse_json(tostring(TargetResources.modifiedProperties[3].newValue))))\\n| summarize by bin(TimeGenerated, 1h), OperationName, Initiator, Target, TargetId, Result\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Initiator\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Target\"}]}],\"tactics\":[\"Persistence\",\"Impact\"],\"displayName\":\"Azure AD Role Management Permission Grant\",\"description\":\"Identifies when the Microsoft Graph RoleManagement.ReadWrite.Directory (Delegated or Application) permission is granted to a service principal.\\nThis permission allows an application to read and manage the role-based access control (RBAC) settings for your company\u0027s directory.\\nAn adversary could use this permission to add an Azure AD object to an Admin directory role and escalate privileges.\\nRef : https://docs.microsoft.com/graph/permissions-reference#role-management-permissions\\nRef : https://docs.microsoft.com/graph/api/directoryrole-post-members?view=graph-rest-1.0\u0026tabs=http\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2021-11-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/71d374e0-1cf8-4e50-aecd-ab6c519795c2\",\"name\":\"71d374e0-1cf8-4e50-aecd-ab6c519795c2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Low\",\"query\":\"AzureDevOpsAuditing\\n| where OperationName =~ \\\"Pipelines.PipelineRetentionSettingChanged\\\"\\n| where Data.SettingName in (\\\"PurgeArtifacts\\\", \\\"PurgeRuns\\\")\\n| where Data.NewValue == 1 or Data.NewValue \u003c Data.OldValue/2\\n| project-reorder TimeGenerated, OperationName, ActorUPN, IpAddress, UserAgent, Data\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure DevOps Retention Reduced\",\"description\":\"AzureDevOps retains items such as run records and produced artifacts for a configurable amount of time. An attacker looking to reduce the footprint left by their malicious activity may look to reduce the retention time for artifacts and runs.\\nThis query will look for where retention has been reduced to the minimum level - 1, or reduced by more than half.\",\"lastUpdatedDateUTC\":\"2021-11-02T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/979c42dd-533e-4ede-b18b-31a84ba8b3d6\",\"name\":\"979c42dd-533e-4ede-b18b-31a84ba8b3d6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"Event\\n| where EventLog == \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID in (13)\\n| parse EventData with * \u0027TargetObject\\\"\u003e\u0027 TargetObject \\\"\u003c\\\" * \u0027Details\\\"\u003e\u0027 Details \\\"\u003c\\\" * \\n| where TargetObject has (\\\"HKLM\\\\\\\\System\\\\\\\\CurrentControlSet\\\\\\\\Control\\\\\\\\Lsa\\\\\\\\DsrmAdminLogonBehavior\\\") and Details == \\\"DWORD (0x00000002)\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventID, Computer, TargetObject, Details\",\"entityMappings\":[{\"entityType\":\"RegistryKey\",\"fieldMappings\":[{\"identifier\":\"Key\",\"columnName\":\"TargetObject\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"DSRM Account Abuse\",\"description\":\"This query detects an abuse of the DSRM account in order to maintain persistence and access to the organization\u0027s Active Directory.\\nRef: https://adsecurity.org/?p=1785\",\"lastUpdatedDateUTC\":\"2022-03-11T00:00:00Z\",\"createdDateUTC\":\"2022-03-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d82eb796-d1eb-43c8-a813-325ce3417cef\",\"name\":\"d82eb796-d1eb-43c8-a813-325ce3417cef\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"(union isfuzzy=true\\n(DeviceFileEvents\\n| where ActionType == \\\"FileCreated\\\"\\n| where FileName endswith \\\".h0lyenc\\\" or FolderPath == \\\"C:\\\\\\\\FOR_DECRYPT.html\\\" \\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName), HostCustomEntity = DeviceName, Type, InitiatingProcessId, FileName, FolderPath, EventType = ActionType, Commandline = InitiatingProcessCommandLine, InitiatingProcessFileName, InitiatingProcessSHA256, FileHashCustomEntity = SHA256\\n),\\n(imFileEvent\\n| where EventType == \\\"FileCreated\\\" \\n| where TargetFilePath endswith \\\".h0lyenc\\\" or TargetFilePath == \\\"C:\\\\\\\\FOR_DECRYPT.html\\\" \\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by AccountCustomEntity = ActorUsername, HostCustomEntity = DvcHostname, DvcId, Type, EventType, FileHashCustomEntity = TargetFileSHA256, Hash, TargetFilePath, Commandline = ActingProcessCommandLine\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Dev-0530 File Extension Rename\",\"description\":\"Dev-0530 actors are known to encrypt the contents of the victims device as well as renaming the file extensions. This query looks for the creation of files with .h0lyenc extension or presence of ransom note.\",\"lastUpdatedDateUTC\":\"2022-07-14T00:00:00Z\",\"createdDateUTC\":\"2022-07-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ba144bf8-75b8-406f-9420-ed74397f9479\",\"name\":\"ba144bf8-75b8-406f-9420-ed74397f9479\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"//Set a threshold of failed AAD signins from an IP address within 1 day above which we want to deem those logins suspicious.\\nlet signin_threshold = 5; \\n//Make a list of IPs with AAD signin failures above our threshold.\\nlet aadFunc = (tableName:string){\\nlet suspicious_signins = \\n table(tableName)\\n //Looking for logon failure results\\n | where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n //Exclude localhost addresses to reduce the chance of FPs\\n | where IPAddress !in (\\\"127.0.0.1\\\", \\\"::1\\\")\\n | summarize count() by IPAddress\\n | where count_ \u003e signin_threshold\\n | summarize make_set(IPAddress);\\n suspicious_signins\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nlet suspicious_signins = \\nunion isfuzzy=true aadSignin, aadNonInt\\n| summarize make_set(set_IPAddress);\\n//See if any of those IPs have sucessfully logged into PA VPNs during the same timeperiod\\nCommonSecurityLog\\n //Select only PA VPN sucessful logons\\n | where DeviceVendor == \\\"Palo Alto Networks\\\" and DeviceEventClassID == \\\"globalprotect\\\"\\n | where Message has \\\"GlobalProtect gateway user authentication succeeded\\\"\\n //Parse out the logon source IP from the Message field to match on\\n | extend SourceIP = extract(\\\"Login from: ([^,]+)\\\", 1, Message) \\n | where SourceIP in (suspicious_signins)\\n | extend Reason = \\\"Multiple failed AAD logins from SourceIP\\\"\\n //Parse out other useful information from Message field\\n | extend User = extract(\u0027User name: ([^,]+)\u0027, 1, Message) \\n | extend ClientOS = extract(\u0027Client OS version: ([^,\\\\\\\"]+)\u0027, 1, Message)\\n | extend Location = extract(\u0027Source region: ([^,]{2})\u0027,1, Message)\\n | project TimeGenerated, Reason, SourceIP, User, ClientOS, Location, Message, DeviceName, ReceiptTime, DeviceVendor, DeviceEventClassID, Computer, FileName\\n | extend AccountCustomEntity = User, IPCustomEntity = SourceIP, timestamp = TimeGenerated, HostCustomEntity = DeviceName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"IP with multiple failed Azure AD logins successfully logs in to Palo Alto VPN\",\"description\":\"This query creates a list of IP addresses with a number failed login attempts to AAD \\nabove a set threshold. It then looks for any successful Palo Alto VPN logins from any\\nof these IPs within the same timeframe.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-09-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/32555639-b639-4c2b-afda-c0ae0abefa55\",\"name\":\"32555639-b639-4c2b-afda-c0ae0abefa55\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"AWSCloudTrail\\n| where EventName =~ \\\"GetCallerIdentity\\\" and UserIdentityType =~ \\\"AssumedRole\\\" \\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by SourceIpAddress, EventName, EventTypeName, UserIdentityType, UserIdentityAccountId, UserIdentityPrincipalid, \\nUserAgent, UserIdentityUserName, SessionMfaAuthenticated,AWSRegion, EventSource, AdditionalEventData, ResponseElements\\n| extend timestamp = StartTime, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress\\n| sort by EndTime desc nulls last\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Discovery\"],\"displayName\":\"Monitor AWS Credential abuse or hijacking\",\"description\":\"Looking for GetCallerIdentity Events where the UserID Type is AssumedRole \\nAn attacker who has assumed the role of a legitimate account can call the GetCallerIdentity function to determine what account they are using.\\nA legitimate user using legitimate credentials would not need to call GetCallerIdentity since they should already know what account they are using.\\nMore Information: https://duo.com/decipher/trailblazer-hunts-compromised-credentials-in-aws\\nAWS STS GetCallerIdentity API: https://docs.aws.amazon.com/STS/latest/APIReference/API_GetCallerIdentity.html \",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/53e936c6-6c30-4d12-8343-b8a0456e8429\",\"name\":\"53e936c6-6c30-4d12-8343-b8a0456e8429\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let SUNSPOT_Hashes = dynamic([\\\"c45c9bda8db1d470f1fd0dcc346dc449839eb5ce9a948c70369230af0b3ef168\\\", \\\"0819db19be479122c1d48743e644070a8dc9a1c852df9a8c0dc2343e904da389\\\"]);\\nunion isfuzzy=true(\\nDeviceEvents\\n| where InitiatingProcessSHA256 in (SUNSPOT_Hashes)),\\n(DeviceImageLoadEvents\\n| where InitiatingProcessSHA256 in (SUNSPOT_Hashes))\\n| extend HostCustomEntity = DeviceName, timestamp=TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"SUNSPOT malware hashes\",\"description\":\"This query uses Microsoft Defender for Endpoint data to look for IoCs associated with the SUNSPOT malware shared by Crowdstrike.\\nMore details: \\n - https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/ \\n - https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-your-software-build-process-with-azure-sentinel/ba-p/2140807\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceImageLoadEvents\",\"DeviceEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fcb9d75c-c3c1-4910-8697-f136bfef2363\",\"name\":\"fcb9d75c-c3c1-4910-8697-f136bfef2363\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P2D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Low\",\"query\":\"let querystarttime = 2d;\\nlet queryendtime = 1d;\\nlet TimeDeltaThreshold = 10;\\nlet TotalEventsThreshold = 15;\\nlet PercentBeaconThreshold = 80;\\n_Im_NetworkSession(starttime=querystarttime, endtime=queryendtime)\\n| where not(ipv4_is_private(DstIpAddr))\\n| project TimeGenerated, SrcIpAddr, SrcPortNumber, DstIpAddr, DstPortNumber, DstBytes, SrcBytes\\n| sort by SrcIpAddr asc,TimeGenerated asc, DstIpAddr asc, DstPortNumber asc\\n| serialize\\n| extend nextTimeGenerated = next(TimeGenerated, 1), nextSrcIpAddr = next(SrcIpAddr, 1)\\n| extend TimeDeltainSeconds = datetime_diff(\u0027second\u0027,nextTimeGenerated,TimeGenerated)\\n| where SrcIpAddr == nextSrcIpAddr\\n//Whitelisting criteria/ threshold criteria\\n| where TimeDeltainSeconds \u003e TimeDeltaThreshold \\n| project TimeGenerated, TimeDeltainSeconds, SrcIpAddr, SrcPortNumber, DstIpAddr, DstPortNumber, DstBytes, SrcBytes\\n| summarize count(), sum(DstBytes), sum(SrcBytes), make_list(TimeDeltainSeconds) \\nby TimeDeltainSeconds, bin(TimeGenerated, 1h), SrcIpAddr, DstIpAddr, DstPortNumber\\n| summarize (MostFrequentTimeDeltaCount, MostFrequentTimeDeltainSeconds) = arg_max(count_, TimeDeltainSeconds), TotalEvents=sum(count_), TotalSrcBytes = sum(sum_SrcBytes), TotalDstBytes = sum(sum_DstBytes) \\nby bin(TimeGenerated, 1h), SrcIpAddr, DstIpAddr, DstPortNumber\\n| where TotalEvents \u003e TotalEventsThreshold \\n| extend BeaconPercent = MostFrequentTimeDeltaCount/toreal(TotalEvents) * 100\\n| where BeaconPercent \u003e PercentBeaconThreshold\",\"customDetails\":{\"DstPortNumber\":\"DstPortNumber\",\"FrequencyCount\":\"TotalSrcBytes\",\"FrequencyTime\":\"MostFrequentTimeDeltaCount\",\"TotalDstBytes\":\"TotalDstBytes\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DstIpAddr\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Potential beaconing from {{SrcIpAddr}} to {{DstIpAddr}} over port {{DstPortNumber}}\",\"alertDescriptionFormat\":\"Potential beaconing pattern from a client at address {{SrcIpAddr}} to a server at address {{DstIpAddr}} over port {{DstPortNumber}} identified. Such potential outbound beaconing pattern to untrusted public networks should be investigated for any malware callbacks or data exfiltration attempts as discussed in this [Blog](http://www.austintaylor.io/detect/beaconing/intrusion/detection/system/command/control/flare/elastic/stack/2017/06/10/detect-beaconing-with-flare-elasticsearch-and-intrusion-detection-systems/). The recurring frequency, reported as FrequencyTime in the custom details, and the total transferred volume reported as TotalDstBytes in the custom details, can help to determine the significance of this incident.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Potential beaconing activity (ASIM Network Session schema)\",\"description\":\"This rule identifies beaconing patterns from Network traffic logs based on recurrent frequency patterns. Such potential outbound beaconing pattern to untrusted public networks should be investigated for any malware callbacks or data exfiltration attempts as discussed in this [Blog](http://www.austintaylor.io/detect/beaconing/intrusion/detection/system/command/control/flare/elastic/stack/2017/06/10/detect-beaconing-with-flare-elasticsearch-and-intrusion-detection-systems/).\\\\\u003cbr\u003e\u003cbr\u003e\\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2021-12-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b8b8ba09-1e89-45a1-8bd7-691cd23bfa32\",\"name\":\"b8b8ba09-1e89-45a1-8bd7-691cd23bfa32\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let query_frequency = 15m;\\nlet missing_period = 1h;\\n//Enter a reference list of hostnames for your DC servers\\nlet DCServersList = dynamic ([\\\"DC01.simulandlabs.com\\\",\\\"DC02.simulandlabs.com\\\"]);\\n//Alternatively, a Watchlist can be used\\n//let DCServersList = _GetWatchlist(\u0027HostName-DomainControllers\u0027) | project HostName;\\nHeartbeat\\n| summarize arg_max(TimeGenerated, *) by Computer\\n| where Computer in (DCServersList)\\n//You may specify the OS type of your Domain Controllers\\n//| where OSType == \u0027Windows\u0027\\n| where TimeGenerated between (ago(query_frequency + missing_period) .. ago(missing_period))\\n| project TimeGenerated, Computer, OSType, Version, ComputerEnvironment, Type, Solutions\\n| sort by TimeGenerated asc\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"Impact\",\"DefenseEvasion\"],\"displayName\":\"Missing Domain Controller Heartbeat\",\"description\":\"This detection will go over the heartbeats received from the agents of Domain Controllers over the last hour, and will create alerts if the last heartbeats were received an hour ago.\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-11-23T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/737a2ce1-70a3-4968-9e90-3e6aca836abf\",\"name\":\"737a2ce1-70a3-4968-9e90-3e6aca836abf\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MLBehaviorAnalytics\",\"properties\":{\"severity\":\"Medium\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Anomalous RDP Login Detections\",\"description\":\"This detection uses machine learning (ML) to identify anomalous Remote Desktop Protocol (RDP) login activity, based on Windows Security Event data. Scenarios include:\\n\\n*\\tUnusual IP - This IP address has not or has rarely been seen in last 30 days.\\n*\\tUnusual Geo - The IP address, city, country and ASN have not (or rarely) been seen in last 30 days.\\n*\\tNew user - A new user logs in from an IP address and geo location, both or either of which are not expected to be seen in the last 30 days.\\n\\nAllow 7 days after this alert is enabled for Microsoft Sentinel to build a profile of normal activity for your environment.\\t\\n\\nThis detection requires a specific configuration of the data source. [Learn more](https://docs.microsoft.com/en-us/azure/sentinel/connect-windows-security-events)\\n\\nBy enabling this rule, you give Microsoft permission to copy ingested data outside of your Microsoft Sentinel workspace\u0027s geography as necessary for processing by the machine learning engine.\",\"lastUpdatedDateUTC\":\"2021-03-26T00:00:00Z\",\"createdDateUTC\":\"2020-04-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/85aca4d1-5d15-4001-abd9-acb86ca1786a\",\"name\":\"85aca4d1-5d15-4001-abd9-acb86ca1786a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.2\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation\\nlet list_tlds = ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e ago(ioc_lookBack)\\n| where isnotempty(DomainName)\\n| extend parts = split(DomainName, \u0027.\u0027)\\n| extend tld = parts[(array_length(parts)-1)]\\n| summarize count() by tostring(tld)\\n| summarize make_list(tld);\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(DomainName)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n DnsEvents\\n | where TimeGenerated \u003e ago(dt_lookBack)\\n //Extract domain patterns from syslog message\\n | where isnotempty(Name)\\n | extend parts = split(Name, \u0027.\u0027)\\n //Split out the TLD\\n | extend tld = parts[(array_length(parts)-1)]\\n //Validate parsed domain by checking if the TLD is in the list of TLDs in our threat feed\\n | where tld in~ (list_tlds)\\n | extend DNS_TimeGenerated = TimeGenerated\\n) on $left.DomainName==$right.Name\\n| where DNS_TimeGenerated \u003c ExpirationDateTime\\n| summarize DNS_TimeGenerated = arg_max(DNS_TimeGenerated , *) by IndicatorId, Name\\n| project DNS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, Computer, ClientIP, Name, QueryType\\n| extend timestamp = DNS_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = ClientIP, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map Domain entity to DnsEvents\",\"description\":\"Identifies a match in DnsEvents from any Domain IOC from TI\",\"lastUpdatedDateUTC\":\"2022-02-15T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5e45930c-09b1-4430-b2d1-cc75ada0dc0f\",\"name\":\"5e45930c-09b1-4430-b2d1-cc75ada0dc0f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.2\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n//Exclude local addresses, using the ipv4_is_private operator\\n| where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \\\"fe80\\\" and TI_ipEntity !startswith \\\"::\\\" and TI_ipEntity !startswith \\\"127.\\\"\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n W3CIISLog\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(cIP)\\n //Exclude local addresses, using the ipv4_is_private operator\\n | where ipv4_is_private(cIP) == false and cIP !startswith \\\"fe80\\\" and cIP !startswith \\\"::\\\" and cIP !startswith \\\"127.\\\"\\n // renaming time column so it is clear the log this came from\\n | extend W3CIISLog_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.cIP\\n| where W3CIISLog_TimeGenerated \u003c ExpirationDateTime\\n| summarize W3CIISLog_TimeGenerated = arg_max(W3CIISLog_TimeGenerated, *) by IndicatorId, cIP\\n| project W3CIISLog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, Computer, sSiteName, cIP, sIP, sPort, csMethod, csUserName, scStatus, scSubStatus, scWin32Status,\\nNetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = W3CIISLog_TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to W3CIISLog\",\"description\":\"Identifies a match in W3CIISLog from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2022-04-26T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d564ff12-8f53-41b8-8649-44f76b37b99f\",\"name\":\"d564ff12-8f53-41b8-8649-44f76b37b99f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"// How many greater than Service Connections you want to view per build/release\\nlet ServiceConnectionThreshold = 4;\\nlet BypassDefIds = datatable(DefId:string, Type:string, ProjectName:string)\\n[\\n//\\\"103\\\", \\\"Release\\\", \\\"ProjectA\\\",\\n//\\\"42\\\", \\\"Release\\\", \\\"ProjectB\\\",\\n//\\\"122\\\", \\\"Build\\\", \\\"ProjectB\\\"\\n];\\nAzureDevOpsAuditing\\n| where OperationName == \\\"Library.ServiceConnectionExecuted\\\" \\n| extend DefId = tostring(Data.DefinitionId), Type = tostring(Data.PlanType), ConnectionId = tostring(Data.ConnectionId)\\n| parse ScopeDisplayName with OrganizationName \u0027 (Organization)\u0027\\n| summarize CurrentCount = dcount(tostring(ConnectionId)), ConnectionNames = make_set(tostring(Data.ConnectionName)), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) \\n by OrganizationName, tostring(DefId), tostring(Type), ProjectId, ProjectName\\n| where CurrentCount \u003e ServiceConnectionThreshold\\n| join kind=anti BypassDefIds on $left.DefId==$right.DefId and $left.Type == $right.Type and $left.ProjectName == $right.ProjectName\\n| extend link = iif(\\n Type == \\\"Build\\\", strcat(\u0027https://dev.azure.com/\u0027, OrganizationName, \u0027/\u0027, ProjectName, \u0027/_build?definitionId=\u0027, DefId),\\n strcat(\u0027https://dev.azure.com/\u0027, OrganizationName, \u0027/\u0027, ProjectName, \u0027/_release?_a=releases\u0026view=mine\u0026definitionId=\u0027, DefId))\\n| extend timestamp = StartTime\",\"entityMappings\":[],\"tactics\":[\"Persistence\",\"Impact\"],\"displayName\":\"Azure DevOps Service Connection Abuse\",\"description\":\"Flags builds/releases that use a large number of service connections if they aren\u0027t manually in the allow list.\\nThis is to determine if someone is hijacking a build/release and adding many service connections in order to abuse \\nor dump credentials from service connections.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2020-06-04T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/01e8ffff-dc0c-43fe-aa22-d459c4204553\",\"name\":\"01e8ffff-dc0c-43fe-aa22-d459c4204553\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let discord=dynamic([\\\"cdn.discordapp.com\\\", \\\"media.discordapp.com\\\"]);\\n _Im_WebSession(url_has_any=discord, eventresult=\u0027Success\u0027)\\n | where Url has \\\"attachments\\\"\\n | extend DiscordServerId = extract(@\\\"\\\\/attachments\\\\/([0-9]+)\\\\/\\\", 1, Url)\\n | summarize dcount(Url), make_set(SrcUsername), make_set(SrcIpAddr), make_set(Url), min(TimeGenerated), max(TimeGenerated), make_set(EventResult) by DiscordServerId\\n | mv-expand set_SrcUsername to typeof(string), set_Url to typeof(string), set_EventResult to typeof(string), set_SrcIpAddr to typeof(string)\\n | summarize by DiscordServerId, dcount_Url, set_SrcUsername, min_TimeGenerated, max_TimeGenerated, set_EventResult, set_SrcIpAddr, set_Url\\n | project StartTime=min_TimeGenerated, EndTime=max_TimeGenerated, Result=set_EventResult, SourceUser=set_SrcUsername, SourceIP=set_SrcIpAddr, RequestURL=set_Url\\n | where RequestURL has_any (\\\".bin\\\",\\\".exe\\\",\\\".dll\\\",\\\".bin\\\",\\\".msi\\\")\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SourceUser\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"RequestURL\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Discord CDN Risky File Download (ASIM Web Session Schema)\",\"description\":\"Identifies callouts to Discord CDN addresses for risky file extensions. This detection will trigger when a callout for a risky file is made to a discord server that has only been seen once in your environment. Unique discord servers are identified using the server ID that is included in the request URL (DiscordServerId in query). Discord CDN has been used in multiple campaigns to download additional payloads.\\n This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema)\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-03-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4e5914a4-2ccd-429d-a845-fa597f0bd8c5\",\"name\":\"4e5914a4-2ccd-429d-a845-fa597f0bd8c5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"let Hive_threats = dynamic([\\\"Ransom:Win64/Hive\\\", \\\"Ransom:Win32/Hive\\\"]);\\nDeviceInfo\\n| extend DeviceName = tolower(DeviceName)\\n| join kind=inner ( SecurityAlert\\n| where ProviderName == \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)\\n| where ThreatName in~ (Hive_threats) or ThreatFamilyName in~ (Hive_threats)\\n| extend CompromisedEntity = tolower(CompromisedEntity)\\n) on $left.DeviceName == $right.CompromisedEntity\\n| summarize by DisplayName, ThreatName, ThreatFamilyName, PublicIP, AlertSeverity, Description, tostring(LoggedOnUsers), DeviceId, TenantId , bin(TimeGenerated, 1d), CompromisedEntity, tostring(LoggedOnUsers), ProductName, Entities\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CompromisedEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"PublicIP\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"AV detections related to Hive Ransomware\",\"description\":\"This query looks for Microsoft Defender AV detections related to Hive Ransomware . In Microsoft Sentinel the SecurityAlerts table includes only the Device Name of the affected device,\\n this query joins the DeviceInfo table to clearly connect other information such as Device group, ip, logged on users etc. This would allow the Microsoft Sentinel analyst to have more context related to the alert, if available.\",\"lastUpdatedDateUTC\":\"2022-07-11T00:00:00Z\",\"createdDateUTC\":\"2022-04-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/361dd1e3-1c11-491e-82a3-bb2e44ac36ba\",\"name\":\"361dd1e3-1c11-491e-82a3-bb2e44ac36ba\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let szOperationNames = dynamic([\\\"microsoft.compute/virtualMachines/write\\\", \\\"microsoft.resources/deployments/write\\\"]);\\nlet starttime = 7d;\\nlet endtime = 1d;\\nAzureActivity\\n| where TimeGenerated between (startofday(ago(starttime)) .. startofday(ago(endtime)))\\n| where OperationNameValue in~ (szOperationNames)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = makelist(TimeGenerated), ActivityStatusValue = makelist(ActivityStatusValue), \\nOperationIds = makelist(OperationId), CallerIpAddress = makelist(CallerIpAddress), CorrelationId = makelist(CorrelationId) \\nby ResourceId, Caller, OperationNameValue, Resource, ResourceGroup\\n| mvexpand CallerIpAddress\\n| where isnotempty(CallerIpAddress)\\n| make-series dResourceCount=dcount(ResourceId) default=0 on StartTimeUtc in range(startofday(ago(7d)), now(), 1d) \\nby Caller, tostring(ActivityTimeStamp), tostring(ActivityStatusValue), tostring(OperationIds), tostring(CallerIpAddress), tostring(CorrelationId), ResourceId, OperationNameValue , Resource, ResourceGroup\\n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dResourceCount)\\n| where Slope \u003e 0.2\\n| join kind=leftsemi (\\n// Last day\u0027s activity is anomalous\\nAzureActivity\\n| where TimeGenerated \u003e= startofday(ago(endtime))\\n| where OperationNameValue in~ (szOperationNames)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = makelist(TimeGenerated), ActivityStatusValue = makelist(ActivityStatusValue), \\nOperationIds = makelist(OperationId), CallerIpAddress = makelist(CallerIpAddress), CorrelationId = makelist(CorrelationId) \\nby ResourceId, Caller, OperationNameValue, Resource, ResourceGroup\\n| mvexpand CallerIpAddress\\n| where isnotempty(CallerIpAddress)\\n| make-series dResourceCount=dcount(ResourceId) default=0 on StartTimeUtc in range(startofday(ago(1d)), now(), 1d) \\nby Caller, tostring(ActivityTimeStamp), tostring(ActivityStatusValue), tostring(OperationIds), tostring(CallerIpAddress), tostring(CorrelationId), ResourceId, OperationNameValue , Resource, ResourceGroup\\n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dResourceCount)\\n| where Slope \u003e 0.2 \\n) on Caller, CallerIpAddress \\n| mvexpand todynamic(ActivityTimeStamp), todynamic(ActivityStatusValue), todynamic(OperationIds), todynamic(CorrelationId)\\n| extend timestamp = ActivityTimeStamp, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Suspicious number of resource creation or deployment activities\",\"description\":\"Indicates when an anomalous number of VM creations or deployment activities occur in Azure via the AzureActivity log.\\nThe anomaly detection identifies activities that have occurred both since the start of the day 1 day ago and the start of the day 7 days ago.\\nThe start of the day is considered 12am UTC time.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/050b9b3d-53d0-4364-a3da-1b678b8211ec\",\"name\":\"050b9b3d-53d0-4364-a3da-1b678b8211ec\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"High\",\"query\":\"AuditLogs\\n| where Category =~ \\\"RoleManagement\\\"\\n| where AADOperationType in (\\\"Assign\\\", \\\"AssignEligibleRole\\\")\\n| where ActivityDisplayName has_any (\\\"Add eligible member to role\\\", \\\"Add member to role\\\")\\n| mv-expand TargetResources\\n| mv-expand TargetResources.modifiedProperties\\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\\n| where displayName_ =~ \\\"Role.DisplayName\\\"\\n| extend RoleName = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\\n| where RoleName contains \\\"Admin\\\"\\n| extend InitiatingApp = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n| extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName))\\n// Uncomment below to not alert for PIM activations\\n//| where Initiator != \\\"MS-PIM\\\"\\n| extend Target = tostring(TargetResources.userPrincipalName)\\n| summarize by bin(TimeGenerated, 1h), OperationName, RoleName, Target, Initiator, Result\\n| extend AccountCustomEntity = Target\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Initiator\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"User Assigned Privileged Role\",\"description\":\"Identifies when a new privileged role is assigned to a user. Any account eligible for a role is now being given privileged access. If the assignment is unexpected or into a role that isn\u0027t the responsibility of the account holder, investigate.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/48607a29-a26a-4abf-8078-a06dbdd174a4\",\"name\":\"48607a29-a26a-4abf-8078-a06dbdd174a4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let timeRange = 3d;\\nlet lookBack = 7d;\\nlet authenticationWindow = 20m;\\nlet authenticationThreshold = 5;\\nlet isGUID = \\\"[0-9a-z]{8}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{12}\\\";\\nlet failureCodes = dynamic([50053, 50126, 50055]); // invalid password, account is locked - too many sign ins, expired password\\nlet successCodes = dynamic([0, 50055, 50057, 50155, 50105, 50133, 50005, 50076, 50079, 50173, 50158, 50072, 50074, 53003, 53000, 53001, 50129]);\\n// Lookup up resolved identities from last 7 days\\nlet aadFunc = (tableName:string){\\nlet identityLookup = table(tableName)\\n| where TimeGenerated \u003e= ago(lookBack)\\n| where not(Identity matches regex isGUID)\\n| where isnotempty(UserId)\\n| summarize by UserId, lu_UserDisplayName = UserDisplayName, lu_UserPrincipalName = UserPrincipalName, Type;\\n// collect window threshold breaches\\ntable(tableName)\\n| where TimeGenerated \u003e ago(timeRange)\\n| where ResultType in(failureCodes)\\n| summarize FailedPrincipalCount = dcount(UserPrincipalName) by bin(TimeGenerated, authenticationWindow), IPAddress, AppDisplayName, Type\\n| where FailedPrincipalCount \u003e= authenticationThreshold\\n| summarize WindowThresholdBreaches = count() by IPAddress, Type\\n| join kind= inner (\\n// where we breached a threshold, join the details back on all failure data\\ntable(tableName)\\n| where TimeGenerated \u003e ago(timeRange)\\n| where ResultType in(failureCodes)\\n| extend LocationDetails = todynamic(LocationDetails)\\n| extend FullLocation = strcat(LocationDetails.countryOrRegion,\u0027|\u0027, LocationDetails.state, \u0027|\u0027, LocationDetails.city)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), make_set(ClientAppUsed), make_set(FullLocation), FailureCount = count() by IPAddress, AppDisplayName, UserPrincipalName, UserDisplayName, Identity, UserId, Type\\n// lookup any unresolved identities\\n| extend UnresolvedUserId = iff(Identity matches regex isGUID, UserId, \\\"\\\")\\n| join kind= leftouter (\\n identityLookup \\n) on $left.UnresolvedUserId==$right.UserId\\n| extend UserDisplayName=iff(isempty(lu_UserDisplayName), UserDisplayName, lu_UserDisplayName)\\n| extend UserPrincipalName=iff(isempty(lu_UserPrincipalName), UserPrincipalName, lu_UserPrincipalName)\\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), make_set(UserPrincipalName), make_set(UserDisplayName), make_set(set_ClientAppUsed), make_set(set_FullLocation), make_list(FailureCount) by IPAddress, AppDisplayName, Type\\n| extend FailedPrincipalCount = arraylength(set_UserPrincipalName)\\n) on IPAddress\\n| project IPAddress, StartTime, EndTime, TargetedApplication=AppDisplayName, FailedPrincipalCount, UserPrincipalNames=set_UserPrincipalName, UserDisplayNames=set_UserDisplayName, ClientAppsUsed=set_set_ClientAppUsed, Locations=set_set_FullLocation, FailureCountByPrincipal=list_FailureCount, WindowThresholdBreaches, Type\\n| join kind= inner (\\ntable(tableName) // get data on success vs. failure history for each IP\\n| where TimeGenerated \u003e ago(timeRange)\\n| where ResultType in(successCodes) or ResultType in(failureCodes) // success or failure types\\n| summarize GlobalSuccessPrincipalCount = dcountif(UserPrincipalName, (ResultType in(successCodes))), ResultTypeSuccesses = make_set_if(ResultType, (ResultType in(successCodes))), GlobalFailPrincipalCount = dcountif(UserPrincipalName, (ResultType in(failureCodes))), ResultTypeFailures = make_set_if(ResultType, (ResultType in(failureCodes))) by IPAddress, Type\\n| where GlobalFailPrincipalCount \u003e GlobalSuccessPrincipalCount // where the number of failed principals is greater than success - eliminates FPs from IPs who authenticate successfully alot and as a side effect have alot of failures\\n) on IPAddress\\n| project-away IPAddress1\\n| extend timestamp=StartTime, IPCustomEntity = IPAddress\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Password spray attack against Azure AD application\",\"description\":\"Identifies evidence of password spray activity against Azure AD applications by looking for failures from multiple accounts from the same\\nIP address within a time window. If the number of accounts breaches the threshold just once, all failures from the IP address within the time range\\nare bought into the result. Details on whether there were successful authentications by the IP address within the time window are also included.\\nThis can be an indicator that an attack was successful.\\nThe default failure acccount threshold is 5, Default time window for failures is 20m and default look back window is 3 days\\nNote: Due to the number of possible accounts involved in a password spray it is not possible to map identities to a custom entity.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes.\",\"lastUpdatedDateUTC\":\"2022-02-16T00:00:00Z\",\"createdDateUTC\":\"2020-03-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7ee72a9e-2e54-459c-bc8a-8c08a6532a63\",\"name\":\"7ee72a9e-2e54-459c-bc8a-8c08a6532a63\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.4.1\",\"severity\":\"High\",\"query\":\"let IPList = dynamic([\\\"154.223.45.38\\\",\\\"185.141.207.140\\\",\\\"185.234.73.19\\\",\\\"216.245.210.106\\\",\\\"51.91.48.210\\\",\\\"46.255.230.229\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where isnotempty(SourceIP) or isnotempty(DestinationIP)\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"Message\\\") \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch\\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\") \\n),\\n(OfficeActivity\\n|extend SourceIPAddress = ClientIP, Account = UserId\\n| where SourceIPAddress in (IPList)\\n| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account\\n),\\n(_Im_Dns (response_has_any_prefix=IPList)\\n| extend DestinationIPAddress = DnsResponseName, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host, AccountCustomEntity=User\\n),\\n(_Im_WebSession (srcipaddr_has_any_prefix=IPList)\\n| extend DestinationIPAddress = DstIpAddr, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host\\n),\\n(_Im_NetworkSession (srcipaddr_has_any_prefix=IPList)\\n| extend DestinationIPAddress = DstIpAddr, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host\\n),\\n(_Im_NetworkSession (dstipaddr_has_any_prefix=IPList)\\n| extend DestinationIPAddress = DstIpAddr, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host\\n),\\n(SigninLogs\\n| where isnotempty(IPAddress)\\n| where IPAddress in (IPList)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n),\\n(AADNonInteractiveUserSignInLogs\\n| where isnotempty(IPAddress)\\n| where IPAddress in (IPList)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n),\\n(W3CIISLog \\n| where isnotempty(cIP)\\n| where cIP in (IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName\\n),\\n(AzureActivity \\n| where isnotempty(CallerIpAddress)\\n| where CallerIpAddress in (IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller\\n),\\n(\\nAWSCloudTrail\\n| where isnotempty(SourceIpAddress)\\n| where SourceIpAddress in (IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName\\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = EventDetail.[9].[\\\"#text\\\"], DestinationIP = EventDetail.[14].[\\\"#text\\\"]\\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Known IRIDIUM IP\",\"description\":\"IRIDIUM command and control IP. Identifies a match across various data feeds for IP IOCs related to the IRIDIUM activity group.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2019-12-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d7424fd9-abb3-4ded-a723-eebe023aaa0b\",\"name\":\"d7424fd9-abb3-4ded-a723-eebe023aaa0b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"// Administrative roles to look for, default is all admin roles\\nlet roles = dynamic([\\\"Administrator\\\", \\\"Admin\\\"]);\\n// The maximum distances between and invite and acceptance\\nlet maxTimeBetweenInviteAccept = 30min;\\n// The delta (minutes) between the invite being sent and the account being escalated\\nlet deltaBetweenInviteEscalation = 60;\\n// Collect external user invitations\\nlet invite = AuditLogs\\n| where Category =~ \\\"UserManagement\\\"\\n| where OperationName =~ \\\"Invite external user\\\"\\n| extend Target = tostring(TargetResources[0].[\\\"userPrincipalName\\\"])\\n| extend InviteInitiator = tostring(InitiatedBy.[\\\"user\\\"].[\\\"userPrincipalName\\\"])\\n| where isnotempty(InviteInitiator);\\n// Collect redeem events\\nlet redeem = AuditLogs\\n| where Category =~ \\\"UserManagement\\\"\\n| where OperationName =~ \\\"Redeem external user invite\\\"\\n| where Result =~ \\\"success\\\"\\n| extend Target = tostring(TargetResources[0].[\\\"displayName\\\"]) | extend Target = tostring(extract(@\\\"UPN\\\\:\\\\s(.+)\\\\,\\\\sEmail\\\",1,Target))\\n| where isnotempty(Target);\\n// Union the inivtation and redeem data then run the sequence_detect kusto plugin\\ninvite\\n| union redeem\\n| order by TimeGenerated\\n| project TimeGenerated, Target, InviteInitiator, OperationName, TenantId\\n| evaluate sequence_detect(TimeGenerated, maxTimeBetweenInviteAccept, maxTimeBetweenInviteAccept, invite=(OperationName has \\\"Invite external user\\\"), redeem=(OperationName has \\\"Redeem external user invite\\\"), Target)\\n| join (\\nAuditLogs\\n| where Category =~ \\\"RoleManagement\\\"\\n| where AADOperationType in (\\\"Assign\\\", \\\"AssignEligibleRole\\\")\\n| where ActivityDisplayName has_any (\\\"Add eligible member to role\\\", \\\"Add member to role\\\")\\n| mv-expand TargetResources\\n// Limit to external accounts\\n| where TargetResources.userPrincipalName has \\\"EXT\\\"\\n| mv-expand TargetResources.modifiedProperties\\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\\n| where displayName_ =~ \\\"Role.DisplayName\\\"\\n| extend RoleName = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\\n// Perform check for admin roles\\n| where RoleName has_any(roles)\\n| extend InitiatingApp = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n| extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName))\\n| where Initiator != \\\"MS-PIM\\\"\\n| extend Target = tostring(TargetResources.userPrincipalName)\\n| summarize by TimeGenerated, OperationName, RoleName, Target, Initiator, Result\\n) on Target\\n// Calculate delta between the invite and the account escalation\\n| extend delta = datetime_diff(\\\"minute\\\", TimeGenerated, invite_TimeGenerated)\\n| where delta \u003c= deltaBetweenInviteEscalation\\n| project InvitationTime=invite_TimeGenerated, RedeemTime=redeem_TimeGenerated, GrantTime=TimeGenerated, ExternalUser=Target, RoleGranted=RoleName, AdminInitiator=Initiator, MinsBetweenInviteAndEscalation=delta\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ExternalUser\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AdminInitiator\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"New External User Granted Admin\",\"description\":\"This query will detect instances where a newly invited external user is granted an administrative role. By default this query\\nwill alert on any granted administrative role, however this can be modified using the roles variable if false positives occur\\nin your environment. The maximum delta between invite and escalation to admin is 60 minues, this can be configured using the \\ndeltaBetweenInviteEscalation variable.\",\"lastUpdatedDateUTC\":\"2022-06-16T00:00:00Z\",\"createdDateUTC\":\"2022-06-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d6bf1931-b1eb-448d-90b2-de118559c7ce\",\"name\":\"d6bf1931-b1eb-448d-90b2-de118559c7ce\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let lbtime = 10m;\\nCisco_Umbrella\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027proxylogs\u0027\\n| where DvcAction =~ \u0027Allowed\u0027\\n| where UrlCategory contains \u0027Adult Themes\u0027 or\\n UrlCategory contains \u0027Adware\u0027 or\\n UrlCategory contains \u0027Alcohol\u0027 or\\n UrlCategory contains \u0027Illegal Downloads\u0027 or\\n UrlCategory contains \u0027Drugs\u0027 or\\n UrlCategory contains \u0027Child Abuse Content\u0027 or\\n UrlCategory contains \u0027Hate/Discrimination\u0027 or\\n UrlCategory contains \u0027Nudity\u0027 or\\n UrlCategory contains \u0027Pornography\u0027 or\\n UrlCategory contains \u0027Proxy/Anonymizer\u0027 or\\n UrlCategory contains \u0027Sexuality\u0027 or\\n UrlCategory contains \u0027Tasteless\u0027 or\\n UrlCategory contains \u0027Terrorism\u0027 or\\n UrlCategory contains \u0027Web Spam\u0027 or\\n UrlCategory contains \u0027German Youth Protection\u0027 or\\n UrlCategory contains \u0027Illegal Activities\u0027 or\\n UrlCategory contains \u0027Lingerie/Bikini\u0027 or\\n UrlCategory contains \u0027Weapons\u0027\\n| project TimeGenerated, SrcIpAddr, Identities\\n| extend IPCustomEntity = SrcIpAddr\\n| extend AccountCustomEntity = Identities\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"InitialAccess\"],\"displayName\":\"Cisco Umbrella - Request Allowed to harmful/malicious URI category\",\"description\":\"It is reccomended that these Categories shoud be blocked by policies because they provide harmful/malicious content..\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ee55dc85-d2da-48c1-a6c0-3eaee62a8d56\",\"name\":\"ee55dc85-d2da-48c1-a6c0-3eaee62a8d56\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"// Add the environments expected username format regex below before deploying\\n let user_regex = \\\"\\\";\\n AuditLogs\\n | where OperationName =~ \\\"Add user\\\"\\n | where Result =~ \\\"success\\\"\\n | extend userAgent = tostring(AdditionalDetails[0].value)\\n | extend addingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend addingApp = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n | extend AddedBy = iif(isnotempty(addingUser), addingUser, addingApp)\\n | extend ipAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n | extend AddedUser = tostring(TargetResources[0].userPrincipalName)\\n | where AddedUser matches regex user_regex\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddedBy\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddedUser\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"User Account Created Using Incorrect Naming Format\",\"description\":\"This query looks for accounts being created where the name does not match a defined pattern.\\n Attackers may attempt to add accounts as a means of establishing persistant access to an environment, looking for anomalies in created accounts may help identify illegitimately created accounts.\\n Created accounts should be investigated to ensure they were legitimated created.\\n The user_regex field in the query needs to be populated with the expected pattern for the environment before deployment.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#accounts-not-following-naming-policies\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0777f138-e5d8-4eab-bec1-e11ddfbc2be2\",\"name\":\"0777f138-e5d8-4eab-bec1-e11ddfbc2be2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Low\",\"query\":\"let threshold = 20;\\nlet ReasontoSubStatus = datatable(SubStatus:string,Reason:string) [\\n\\\"0xC000005E\\\", \\\"There are currently no logon servers available to service the logon request.\\\",\\n\\\"0xC0000064\\\", \\\"User logon with misspelled or bad user account\\\", \\n\\\"0xC000006A\\\", \\\"User logon with misspelled or bad password\\\",\\n\\\"0xC000006D\\\", \\\"Bad user name or password\\\",\\n\\\"0xC000006E\\\", \\\"Unknown user name or bad password\\\",\\n\\\"0xC000006F\\\", \\\"User logon outside authorized hours\\\",\\n\\\"0xC0000070\\\", \\\"User logon from unauthorized workstation\\\",\\n\\\"0xC0000071\\\", \\\"User logon with expired password\\\",\\n\\\"0xC0000072\\\", \\\"User logon to account disabled by administrator\\\",\\n\\\"0xC00000DC\\\", \\\"Indicates the Sam Server was in the wrong state to perform the desired operation\\\",\\n\\\"0xC0000133\\\", \\\"Clocks between DC and other computer too far out of sync\\\",\\n\\\"0xC000015B\\\", \\\"The user has not been granted the requested logon type (aka logon right) at this machine\\\",\\n\\\"0xC000018C\\\", \\\"The logon request failed because the trust relationship between the primary domain and the trusted domain failed\\\",\\n\\\"0xC0000192\\\", \\\"An attempt was made to logon, but the Netlogon service was not started\\\",\\n\\\"0xC0000193\\\", \\\"User logon with expired account\\\",\\n\\\"0xC0000224\\\", \\\"User is required to change password at next logon\\\",\\n\\\"0xC0000225\\\", \\\"Evidently a bug in Windows and not a risk\\\",\\n\\\"0xC0000234\\\", \\\"User logon with account locked\\\",\\n\\\"0xC00002EE\\\", \\\"Failure Reason: An Error occurred during Logon\\\",\\n\\\"0xC0000413\\\", \\\"Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine\\\"\\n];\\n(union isfuzzy=true\\n(SecurityEvent \\n| where EventID == 4625\\n| where AccountType =~ \\\"User\\\"\\n| where SubStatus !=\u00270xc0000064\u0027 and Account !in (\u0027\\\\\\\\\u0027, \u0027-\\\\\\\\-\u0027)\\n// SubStatus \u00270xc0000064\u0027 signifies \u0027Account name does not exist\u0027\\n| extend ResourceId = column_ifexists(\\\"_ResourceId\\\", _ResourceId), SourceComputerId = column_ifexists(\\\"SourceComputerId\\\", SourceComputerId)\\n| lookup ReasontoSubStatus on SubStatus\\n| extend coalesce(Reason, strcat(\u0027Unknown reason substatus: \u0027, SubStatus))\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), FailedLogonCount = count() by EventID, \\nActivity, Computer, Account, TargetAccount, TargetUserName, TargetDomainName, \\nLogonType, LogonTypeName, LogonProcessName, Status, SubStatus, Reason, ResourceId, SourceComputerId, WorkstationName, IpAddress\\n| where FailedLogonCount \u003e= threshold\\n| extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress\\n),\\n(\\n(WindowsEvent \\n| where EventID == 4625 and not(EventData has \u00270xc0000064\u0027)\\n| extend TargetAccount = strcat(tostring(EventData.TargetDomainName),\\\"\\\\\\\\\\\", tostring(EventData.TargetUserName))\\n| extend TargetUserSid = tostring(EventData.TargetUserSid)\\n| extend AccountType=case(EventData.TargetUserName endswith \\\"$\\\" or TargetUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(TargetUserSid), \\\"\\\", \\\"User\\\")\\n| where AccountType =~ \\\"User\\\"\\n| extend SubStatus = tostring(EventData.SubStatus)\\n| where SubStatus !=\u00270xc0000064\u0027 and TargetAccount !in (\u0027\\\\\\\\\u0027, \u0027-\\\\\\\\-\u0027)\\n// SubStatus \u00270xc0000064\u0027 signifies \u0027Account name does not exist\u0027\\n| extend ResourceId = column_ifexists(\\\"_ResourceId\\\", _ResourceId), SourceComputerId = column_ifexists(\\\"SourceComputerId\\\", \\\"\\\")\\n| lookup ReasontoSubStatus on SubStatus\\n| extend coalesce(Reason, strcat(\u0027Unknown reason substatus: \u0027, SubStatus))\\n| extend Activity=\\\"4625 - An account failed to log on.\\\"\\n| extend TargetUserName = tostring(EventData.TargetUserName)\\n| extend TargetDomainName = tostring(EventData.TargetDomainName)\\n| extend LogonType = tostring(EventData.LogonType)\\n| extend Status= tostring(EventData.Status)\\n| extend LogonProcessName = tostring(EventData.LogonProcessName)\\n| extend WorkstationName = tostring(EventData.WorkstationName)\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| extend LogonTypeName=case(LogonType==2,\\\"2 - Interactive\\\", LogonType==3,\\\"3 - Network\\\", LogonType==4, \\\"4 - Batch\\\",LogonType==5, \\\"5 - Service\\\", LogonType==7, \\\"7 - Unlock\\\", LogonType==8, \\\"8 - NetworkCleartext\\\", LogonType==9, \\\"9 - NewCredentials\\\", LogonType==10, \\\"10 - RemoteInteractive\\\", LogonType==11, \\\"11 - CachedInteractive\\\",tostring(LogonType))\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), FailedLogonCount = count() by EventID, \\nActivity, Computer, TargetAccount, TargetUserName, TargetDomainName, \\nLogonType, LogonTypeName, LogonProcessName, Status, SubStatus, Reason, ResourceId, SourceComputerId, WorkstationName, IpAddress\\n| where FailedLogonCount \u003e= threshold\\n| extend timestamp = StartTime, AccountCustomEntity = TargetAccount, HostCustomEntity = Computer, IPCustomEntity = IpAddress\\n)))\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Failed logon attempts by valid accounts within 10 mins\",\"description\":\"Identifies when failed logon attempts are 20 or higher during a 10 minute period (2 failed logons per minute minimum) from valid account.\",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2019-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3b9a44d7-c651-45ed-816c-eae583a6f2f1\",\"name\":\"3b9a44d7-c651-45ed-816c-eae583a6f2f1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let lookback = 14d;\\nlet timeframe = 1d;\\nlet historical_data =\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(lookback) and TimeGenerated \u003c ago(timeframe)\\n| where OperationName =~ \\\"Library.VariableGroupModified\\\"\\n| extend variables = Data.Variables\\n| extend VariableGroupId = tostring(Data.VariableGroupId)\\n| extend UserKey = strcat(VariableGroupId, \\\"-\\\", ActorUserId)\\n| project UserKey;\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeframe)\\n| where OperationName =~ \\\"Library.VariableGroupModified\\\"\\n| extend VariableGroupName = tostring(Data.VariableGroupName)\\n| extend VariableGroupId = tostring(Data.VariableGroupId)\\n| extend UserKey = strcat(VariableGroupId, \\\"-\\\", ActorUserId)\\n| where UserKey !in (historical_data)\\n| project-away UserKey\\n| project-reorder TimeGenerated, VariableGroupName, ActorUPN, IpAddress, UserAgent\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure DevOps Build Variable Modified by New User.\",\"description\":\"Variables can be configured and used at any stage of the build process in Azure DevOps to inject values. An attacker with the required permissions could modify \\nor add to these variables to conduct malicious activity such as changing paths or remote endpoints called during the build. As variables are often changed by users, \\njust detecting these changes would have a high false positive rate. This detection looks for modifications to variable groups where that user has not been observed \\nmodifying them before.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f8127962-7739-4211-a4a9-390a7a00e91f\",\"name\":\"f8127962-7739-4211-a4a9-390a7a00e91f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT30M\",\"queryPeriod\":\"PT30M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let lbtime = 30m;\\nlet lbperiod = 14d;\\nlet knownrecipients = ProofpointPOD\\n| where TimeGenerated \u003e ago(lbperiod)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027outbound\u0027\\n| where SrcUserUpn != \u0027\u0027\\n| where array_length(todynamic(DstUserUpn)) == 1\\n| summarize recipients = make_set(tostring(todynamic(DstUserUpn)[0])) by SrcUserUpn\\n| extend commcol = SrcUserUpn;\\nProofpointPOD\\n| where TimeGenerated between (ago(lbtime) .. now())\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027outbound\u0027\\n| extend isProtected = todynamic(MsgParts)[0][\u0027isProtected\u0027]\\n| extend mimePgp = todynamic(MsgParts)[0][\u0027detectedMime\u0027]\\n| where isProtected == \u0027true\u0027 or mimePgp == \u0027application/pgp-encrypted\u0027\\n| extend DstUserMail = tostring(todynamic(DstUserUpn)[0])\\n| extend commcol = tostring(todynamic(DstUserUpn)[0])\\n| join knownrecipients on commcol\\n| where recipients !contains DstUserMail\\n| project SrcUserUpn, DstUserMail\\n| extend AccountCustomEntity = SrcUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"ProofpointPOD - Multiple protected emails to unknown recipient\",\"description\":\"Detects when multiple protected messages where sent to early not seen recipient.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ee1818ec-5f65-4991-b711-bcf2ab7e36c3\",\"name\":\"ee1818ec-5f65-4991-b711-bcf2ab7e36c3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let lbtime = 10m;\\nCisco_Umbrella\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027proxylogs\u0027\\n| where DvcAction =~ \u0027Allowed\u0027\\n| where UrlOriginal matches regex @\u0027\\\\Ahttp:\\\\/\\\\/\\\\d{1,3}\\\\.\\\\d{1,3}\\\\.\\\\d{1,3}\\\\.\\\\d{1,3}.*\u0027\\n| project TimeGenerated, SrcIpAddr, Identities\\n| extend IPCustomEntity = SrcIpAddr\\n| extend AccountCustomEntity = Identities\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - URI contains IP address\",\"description\":\"Malware can use IP address to communicate with C2.\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/23005e87-2d3a-482b-b03d-edbebd1ae151\",\"name\":\"23005e87-2d3a-482b-b03d-edbebd1ae151\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let exchange_servers = (\\nW3CIISLog\\n| where TimeGenerated \u003e ago(14d)\\n| where sSiteName =~ \\\"Exchange Back End\\\"\\n| summarize by Computer);\\nW3CIISLog\\n| where TimeGenerated \u003e ago(1d)\\n| where Computer in (exchange_servers)\\n| where csUriQuery startswith \\\"t=\\\"\\n| project-reorder TimeGenerated, Computer, csUriStem, csUriQuery, csUserName, csUserAgent, cIP\\n| extend timestamp = TimeGenerated, AccountCustomEntity = csUserName, HostCustomEntity = Computer, IPCustomEntity = cIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"HAFNIUM Suspicious Exchange Request\",\"description\":\"This query looks for suspicious request patterns to Exchange servers that fit a pattern observed by HAFNIUM actors.\\nThe same query can be run on HTTPProxy logs from on-premise hosted Exchange servers.\\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ac9e233e-44d4-45eb-b522-6e47445f6582\",\"name\":\"ac9e233e-44d4-45eb-b522-6e47445f6582\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Medium\",\"query\":\"imRegistry\\n | where EventType in (\\\"RegistryValueSet\\\", \\\"RegistryKeyCreated\\\")\\n | where RegistryKey has \\\"Software\\\\\\\\Classes\\\\\\\\ms-settings\\\\\\\\shell\\\\\\\\open\\\\\\\\command\\\"\\n | extend TimeKey = bin(TimeGenerated, 1h)\\n | join (imProcess\\n | where Process endswith \\\"fodhelper.exe\\\"\\n | where ParentProcessName endswith \\\"cmd.exe\\\" or ParentProcessName endswith \\\"powershell.exe\\\" or ParentProcessName endswith \\\"powershell_ise.exe\\\"\\n | extend TimeKey = bin(TimeGenerated, 1h)) on TimeKey, Dvc\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DvcHostname\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DvcIpAddr\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ActorUsername\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Potential Fodhelper UAC Bypass (ASIM Version)\",\"description\":\"This detection looks for the steps required to conduct a UAC bypass using Fodhelper.exe. By default this detection looks for the setting of the required registry keys and the invoking of the process within 1 hour - this can be tweaked as required.\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-02-25T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ee1d718b-9ed9-4a71-90cd-a483a4f008df\",\"name\":\"ee1d718b-9ed9-4a71-90cd-a483a4f008df\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Office 365 Advanced Threat Protection\",\"displayName\":\"Create incidents based on Microsoft Defender for Office 365 alerts\",\"description\":\"Create incidents based on all alerts generated in Microsoft Defender for Office 365\",\"lastUpdatedDateUTC\":\"2020-09-01T00:00:00Z\",\"createdDateUTC\":\"2020-04-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"OfficeATP\",\"dataTypes\":[\"SecurityAlert (OATP)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a333d8bf-22a3-4c55-a1e9-5f0a135c0253\",\"name\":\"a333d8bf-22a3-4c55-a1e9-5f0a135c0253\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"let mde_threats = dynamic([\\\"Behavior:Win32/SuspAzureRequest.A\\\", \\\"Behavior:Win32/SuspAzureRequest.B\\\", \\\"Behavior:Win32/SuspAzureRequest.C\\\", \\\"Behavior:Win32/LaunchingSuspCMD.B\\\"]);\\nDeviceInfo\\n| extend DeviceName = tolower(DeviceName)\\n| join kind=inner ( SecurityAlert\\n| where ProviderName == \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)\\n| where ThreatName in~ (mde_threats) or ThreatFamilyName in~ (mde_threats)\\n| extend CompromisedEntity = tolower(CompromisedEntity)\\n) on $left.DeviceName == $right.CompromisedEntity\\n| summarize by DisplayName, ThreatName, ThreatFamilyName, PublicIP, AlertSeverity, Description, tostring(LoggedOnUsers), DeviceId, TenantId , bin(TimeGenerated, 1d), CompromisedEntity, tostring(LoggedOnUsers), ProductName, Entities\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CompromisedEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"PublicIP\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Microsoft Defender for Endpoint (MDE) signatures for Azure Synapse pipelines and Azure Data Factory\",\"description\":\"This query looks for Microsoft Defender for Endpoint detections related to the remote command execution attempts on Azure IR with Managed VNet or SHIR. \\nIn Microsoft Sentinel, the SecurityAlerts table includes the name of the impacted device. Additionally, this query joins the DeviceInfo table to connect other information such as device group, \\nIP address, signed in users, and others allowing analysts using Microsoft Sentinel to have more context related to the alert. \\nReference: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-29972 , \\nhttps://msrc-blog.microsoft.com/2022/05/09/vulnerability-mitigated-in-the-third-party-data-connector-used-in-azure-synapse-pipelines-and-azure-data-factory-cve-2022-29972\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-04-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5db427b2-f406-4274-b413-e9fcb29412f8\",\"name\":\"5db427b2-f406-4274-b413-e9fcb29412f8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"AuditLogs\\n| where ActivityDisplayName =~\u0027Add member to role completed (PIM activation)\u0027\\n| where Result == \\\"failure\\\"\\n| extend Role = tostring(TargetResources[3].displayName)\\n| extend User = tostring(TargetResources[2].displayName)\\n| project-reorder TimeGenerated, User, Role, OperationName, Result, ResultDescription\\n| extend InitiatingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n| extend IPCustomEntity = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUser\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"User\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"NRT PIM Elevation Request Rejected\",\"description\":\"Identifies when a user is rejected for a privileged role elevation via PIM. Monitor rejections for indicators of attacker compromise of the requesting account.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-identity-management\",\"lastUpdatedDateUTC\":\"2022-02-07T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/03e04c97-8cae-48b3-9d2f-4ab262e4ffff\",\"name\":\"03e04c97-8cae-48b3-9d2f-4ab262e4ffff\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let scriptExtensions = dynamic([\\\".php\\\", \\\".jsp\\\", \\\".js\\\", \\\".aspx\\\", \\\".asmx\\\", \\\".asax\\\", \\\".cfm\\\", \\\".shtml\\\"]);\\nhttp_proxy_oab_CL\\n| where RawData contains \\\"Download failed and temporary file\\\"\\n| extend File = extract(\\\"([^\\\\\\\\\\\\\\\\]*)(\\\\\\\\\\\\\\\\[^\u0027]*)\\\",2,RawData)\\n| extend Extension = strcat(\\\".\\\",split(File, \\\".\\\")[-1])\\n| extend InteractiveFile = iif(Extension in (scriptExtensions), \\\"Yes\\\", \\\"No\\\")\\n// Uncomment the following line to alert only on interactive file download type\\n//| where InteractiveFile =~ \\\"Yes\\\"\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"HAFNIUM Suspicious File Downloads.\",\"description\":\"This query looks for messages related to file downloads of suspicious file types. This query uses the Exchange HttpProxy AOBGeneratorLog, you will need to onboard this log as a custom log under the table http_proxy_oab_CL before using this query. \\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-02T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d5b32cd4-2328-43da-ab47-cd289c1f5efc\",\"name\":\"d5b32cd4-2328-43da-ab47-cd289c1f5efc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"DnsEvents\\n| where Name contains \\\".\\\"\\n| where Name has_any (\\\"monerohash.com\\\", \\\"do-dear.com\\\", \\\"xmrminerpro.com\\\", \\\"secumine.net\\\", \\\"xmrpool.com\\\", \\\"minexmr.org\\\", \\\"hashanywhere.com\\\",\\n\\\"xmrget.com\\\", \\\"mininglottery.eu\\\", \\\"minergate.com\\\", \\\"moriaxmr.com\\\", \\\"multipooler.com\\\", \\\"moneropools.com\\\", \\\"xmrpool.eu\\\", \\\"coolmining.club\\\",\\n\\\"supportxmr.com\\\", \\\"minexmr.com\\\", \\\"hashvault.pro\\\", \\\"xmrpool.net\\\", \\\"crypto-pool.fr\\\", \\\"xmr.pt\\\", \\\"miner.rocks\\\", \\\"walpool.com\\\", \\\"herominers.com\\\",\\n\\\"gntl.co.uk\\\", \\\"semipool.com\\\", \\\"coinfoundry.org\\\", \\\"cryptoknight.cc\\\", \\\"fairhash.org\\\", \\\"baikalmine.com\\\", \\\"tubepool.xyz\\\", \\\"fairpool.xyz\\\", \\\"asiapool.io\\\",\\n\\\"coinpoolit.webhop.me\\\", \\\"nanopool.org\\\", \\\"moneropool.com\\\", \\\"miner.center\\\", \\\"prohash.net\\\", \\\"poolto.be\\\", \\\"cryptoescrow.eu\\\", \\\"monerominers.net\\\", \\\"cryptonotepool.org\\\",\\n\\\"extrmepool.org\\\", \\\"webcoin.me\\\", \\\"kippo.eu\\\", \\\"hashinvest.ws\\\", \\\"monero.farm\\\", \\\"supportxmr.com\\\", \\\"xmrpool.eu\\\", \\\"linux-repository-updates.com\\\", \\\"1gh.com\\\",\\n\\\"dwarfpool.com\\\", \\\"hash-to-coins.com\\\", \\\"hashvault.pro\\\", \\\"pool-proxy.com\\\", \\\"hashfor.cash\\\", \\\"fairpool.cloud\\\", \\\"litecoinpool.org\\\", \\\"mineshaft.ml\\\", \\\"abcxyz.stream\\\",\\n\\\"moneropool.ru\\\", \\\"cryptonotepool.org.uk\\\", \\\"extremepool.org\\\", \\\"extremehash.com\\\", \\\"hashinvest.net\\\", \\\"unipool.pro\\\", \\\"crypto-pools.org\\\", \\\"monero.net\\\",\\n\\\"backup-pool.com\\\", \\\"mooo.com\\\", \\\"freeyy.me\\\", \\\"cryptonight.net\\\", \\\"shscrypto.net\\\")\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"NRT DNS events related to mining pools\",\"description\":\"Identifies IP addresses that may be performing DNS lookups associated with common currency mining pools.\",\"lastUpdatedDateUTC\":\"2022-02-07T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/de58ee9e-b229-4252-8537-41a4c2f4045e\",\"name\":\"de58ee9e-b229-4252-8537-41a4c2f4045e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let file_ext_blocklist = dynamic([\u0027.ps1\u0027, \u0027.vbs\u0027, \u0027.bat\u0027, \u0027.scr\u0027]);\\nlet lbtime = 10m;\\nCisco_Umbrella\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027proxylogs\u0027\\n| where DvcAction =~ \u0027Allowed\u0027\\n| extend file_ext = extract(@\u0027.*(\\\\.\\\\w+)$\u0027, 1, UrlOriginal)\\n| extend Filename = extract(@\u0027.*\\\\/*\\\\/(.*\\\\.\\\\w+)$\u0027, 1, UrlOriginal)\\n| where file_ext in (file_ext_blocklist)\\n| project TimeGenerated, SrcIpAddr, Identities, Filename\\n| extend IPCustomEntity = SrcIpAddr\\n| extend AccountCustomEntity = Identities\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Cisco Umbrella - Request to blocklisted file type\",\"description\":\"Detects request to potentially harmful file types (.ps1, .bat, .vbs, etc.).\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/97ad74c4-fdd9-4a3f-b6bf-5e28f4f71e06\",\"name\":\"97ad74c4-fdd9-4a3f-b6bf-5e28f4f71e06\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let LearningPeriod = 7d; \\nlet BinTime = 1h; \\nlet RunTime = 1h; \\nlet StartTime = 1h; \\nlet NumberOfStds = 3; \\nlet MinThreshold = 10.0; \\nlet EndRunTime = StartTime - RunTime; \\nlet EndLearningTime = StartTime + LearningPeriod;\\nlet aadFunc = (tableName:string){\\nlet GitHubFailedSSOLogins = (table(tableName) \\n| where AppDisplayName == \\\"GitHub.com\\\" \\n| where ResultType != 0); \\nGitHubFailedSSOLogins \\n| where TimeGenerated between (ago(EndLearningTime) .. ago(StartTime)) \\n| summarize FailedLoginsCountInBinTime = count() by UserPrincipalName, bin(TimeGenerated, BinTime), Type\\n| summarize AvgOfFailedLoginsInLearning = avg(FailedLoginsCountInBinTime), StdOfFailedLoginsInLearning = stdev(FailedLoginsCountInBinTime) by UserPrincipalName, Type\\n| extend LearningThreshold = max_of(AvgOfFailedLoginsInLearning + StdOfFailedLoginsInLearning * NumberOfStds, MinThreshold) \\n| join kind=innerunique ( \\n GitHubFailedSSOLogins \\n | where TimeGenerated between (ago(StartTime) .. ago(EndRunTime)) \\n | summarize FailedLoginsCountInRunTime = count() by User = Identity, UserPrincipalName, bin(TimeGenerated, BinTime), Type\\n) on UserPrincipalName \\n| where FailedLoginsCountInRunTime \u003e LearningThreshold\\n| extend AccountCustomEntity = UserPrincipalName , timestamp = TimeGenerated\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Brute Force Attack against GitHub Account\",\"description\":\"Attackers who are trying to guess your users\u0027 passwords or use brute-force methods to get in. If your organization is using SSO with Azure Active Directory, authentication logs to GitHub.com will be generated. Using the following query can help you identify a sudden increase in failed logon attempt of users.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/12dcea64-bec2-41c9-9df2-9f28461b1295\",\"name\":\"12dcea64-bec2-41c9-9df2-9f28461b1295\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.0\",\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\n// Adjust for a longer timeframe for identifying ADFS Servers\\nlet lookback = 6d;\\n// Identify ADFS Servers\\nlet ADFS_Servers = (\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeframe+lookback)\\n| where EventID == 4688 and SubjectLogonId != \\\"0x3e4\\\"\\n| where NewProcessName has \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n);\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Computer in~ (ADFS_Servers)\\n| where Account !endswith \\\"$\\\"\\n// Check for scheduled task events\\n| where EventID in (4697, 4698, 4699, 4700, 4701, 4702)\\n| extend EventDataParsed = parse_xml(EventData)\\n| extend SubjectLogonId = tostring(EventDataParsed.EventData.Data[3][\\\"#text\\\"])\\n// Check specifically for access to IPC$ share and PIPE\\\\svcctl and PIPE\\\\atsvc for Service Control Services and Schedule Control Services\\n| union (\\n SecurityEvent\\n | where TimeGenerated \u003e ago(timeframe)\\n | where Computer in~ (ADFS_Servers)\\n | where Account !endswith \\\"$\\\"\\n | where EventID == 5145\\n | where RelativeTargetName =~ \\\"svcctl\\\" or RelativeTargetName =~ \\\"atsvc\\\"\\n)\\n// Check for lateral movement\\n| join kind=inner\\n(SecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Account !endswith \\\"$\\\"\\n| where EventID == 4624 and LogonType == 3\\n) on $left.SubjectLogonId == $right.TargetLogonId\\n| project TimeGenerated, Account, Computer, EventID, RelativeTargetName\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"LateralMovement\"],\"displayName\":\"Gain Code Execution on ADFS Server via SMB + Remote Service or Scheduled Task\",\"description\":\"This query detects instances where an attacker has gained the ability to execute code on an ADFS Server through SMB and Remote Service or Scheduled Task.\",\"lastUpdatedDateUTC\":\"2022-01-30T00:00:00Z\",\"createdDateUTC\":\"2021-03-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/155f40c6-610d-497d-85fc-3cf06ec13256\",\"name\":\"155f40c6-610d-497d-85fc-3cf06ec13256\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.4.1\",\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"yahoo-verification.org\\\",\\\"support-servics.com\\\",\\\"verification-live.com\\\",\\\"com-mailbox.com\\\",\\\"com-myaccuants.com\\\",\\\"notification-accountservice.com\\\",\\n\\\"accounts-web-mail.com\\\",\\\"customer-certificate.com\\\",\\\"session-users-activities.com\\\",\\\"user-profile-credentials.com\\\",\\\"verify-linke.com\\\",\\\"support-servics.net\\\",\\\"verify-linkedin.net\\\", \\n\\\"yahoo-verification.net\\\",\\\"yahoo-verify.net\\\",\\\"outlook-verify.net\\\",\\\"com-users.net\\\",\\\"verifiy-account.net\\\",\\\"te1egram.net\\\",\\\"account-verifiy.net\\\",\\\"myaccount-services.net\\\",\\n\\\"com-identifier-servicelog.name\\\",\\\"microsoft-update.bid\\\",\\\"outlook-livecom.bid\\\",\\\"update-microsoft.bid\\\",\\\"documentsfilesharing.cloud\\\",\\\"com-microsoftonline.club\\\",\\n\\\"confirm-session-identifier.info\\\",\\\"session-management.info\\\",\\\"confirmation-service.info\\\",\\\"document-share.info\\\",\\\"broadcast-news.info\\\",\\\"customize-identity.info\\\",\\\"webemail.info\\\",\\n\\\"com-identifier-servicelog.info\\\",\\\"documentsharing.info\\\",\\\"notification-accountservice.info\\\",\\\"identifier-activities.info\\\",\\\"documentofficupdate.info\\\",\\\"recoveryusercustomer.info\\\",\\n\\\"serverbroadcast.info\\\",\\\"account-profile-users.info\\\",\\\"account-service-management.info\\\",\\\"accounts-manager.info\\\",\\\"activity-confirmation-service.info\\\",\\\"com-accountidentifier.info\\\",\\n\\\"com-privacy-help.info\\\",\\\"com-sessionidentifier.info\\\",\\\"com-useraccount.info\\\",\\\"confirmation-users-service.info\\\",\\\"confirm-identity.info\\\",\\\"confirm-session-identification.info\\\",\\n\\\"continue-session-identifier.info\\\",\\\"customer-recovery.info\\\",\\\"customers-activities.info\\\",\\\"elitemaildelivery.info\\\",\\\"email-delivery.info\\\",\\\"identify-user-session.info\\\",\\n\\\"message-serviceprovider.info\\\",\\\"notificationapp.info\\\",\\\"notification-manager.info\\\",\\\"recognized-activity.info\\\",\\\"recover-customers-service.info\\\",\\\"recovery-session-change.info\\\",\\n\\\"service-recovery-session.info\\\",\\\"service-session-continue.info\\\",\\\"session-mail-customers.info\\\",\\\"session-managment.info\\\",\\\"session-verify-user.info\\\",\\\"shop-sellwear.info\\\",\\n\\\"supportmailservice.info\\\",\\\"terms-service-notification.info\\\",\\\"user-activity-issues.info\\\",\\\"useridentity-confirm.info\\\",\\\"users-issue-services.info\\\",\\\"verify-user-session.info\\\",\\n\\\"login-gov.info\\\",\\\"notification-signal-agnecy.info\\\",\\\"notifications-center.info\\\",\\\"identifier-services-sessions.info\\\",\\\"customers-manager.info\\\",\\\"session-manager.info\\\",\\n\\\"customer-managers.info\\\",\\\"confirmation-recovery-options.info\\\",\\\"service-session-confirm.info\\\",\\\"session-recovery-options.info\\\",\\\"services-session-confirmation.info\\\",\\n\\\"notification-managers.info\\\",\\\"activities-services-notification.info\\\",\\\"activities-recovery-options.info\\\",\\\"activity-session-recovery.info\\\",\\\"customers-services.info\\\",\\n\\\"sessions-notification.info\\\",\\\"download-teamspeak.info\\\",\\\"services-issue-notification.info\\\",\\\"microsoft-upgrade.mobi\\\",\\\"broadcastnews.pro\\\",\\\"mobile-messengerplus.network\\\"]);\\nlet IPList = dynamic([\\\"51.91.200.147\\\"]);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend RequestURLIP = extract(IPRegex, 0, Message)\\n| where (isnotempty(SourceIP) and SourceIP in (IPList)) or (isnotempty(DestinationIP) and DestinationIP in (IPList)) \\nor (isnotempty(DNSName) and DNSName in~ (DomainNames)) or (isnotempty(DestinationHostName) and DestinationHostName in~ (DomainNames)) or (isnotempty(RequestURL) and (RequestURL has_any (DomainNames) or RequestURLIP in (IPList))) \\nor (isnotempty(Message) and MessageIP in (IPList))\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", RequestURLIP in (IPList), \\\"RequestUrl\\\", \\\"NoMatch\\\") \\n| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP,IPMatch == \\\"Message\\\", MessageIP,\\nIPMatch == \\\"RequestUrl\\\", RequestURLIP,\\\"NoMatch\\\"), Account = SourceUserID, Host = DeviceName\\n),\\n(_Im_Dns (domain_has_any=DomainNames)\\n| extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host),\\n(_Im_Dns (response_has_any_prefix=IPList)\\n| extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host),\\n(_Im_WebSession(url_has_any=DomainNames)\\n| extend DestinationIPAddress = DstIpAddr, DNSName = tostring(parse_url(Url)[\\\"Host\\\"]), Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host),\\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where isnotempty(SourceIp) or isnotempty(DestinationIp) or isnotempty(DNSName)\\n| where SourceIp in (IPList) or DestinationIp in (IPList) or DNSName in~ (DomainNames)\\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"None\\\"), Host = Computer),\\n(OfficeActivity\\n| extend SourceIPAddress = ClientIP, Account = UserId\\n| where SourceIPAddress in (IPList)\\n| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPCustomEntity = SourceHost \\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Known Phosphorus group domains/IP\",\"description\":\"Matches domain name IOCs related to Phosphorus group activity with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes.\\nReferences: https://blogs.microsoft.com/on-the-issues/2019/03/27/new-steps-to-protect-customers-from-hacking/.\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2020-10-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a1bddaf8-982b-4089-ba9e-6590dfcf80ea\",\"name\":\"a1bddaf8-982b-4089-ba9e-6590dfcf80ea\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"let error403_count_threshold=200;\\n_Im_WebSession(eventresultdetails_in=\\\"403\\\")\\n| extend ParsedUrl=parse_url(Url)\\n| extend UrlHost=tostring(ParsedUrl[\\\"Host\\\"]), UrlSchema=tostring(ParsedUrl[\\\"Schema\\\"])\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), NumberOfErrors = count(), Urls=makeset(Url) by UrlHost, SrcIpAddr\\n| where NumberOfErrors \u003e error403_count_threshold\\n| sort by NumberOfErrors desc\\n| extend Url=tostring(Urls[0])\",\"customDetails\":{\"NumberOfErrors\":\"NumberOfErrors\"},\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URL\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Excessive number of HTTP authentication failures from {{SrcIpAddr}\",\"alertDescriptionFormat\":\"A client with address {{SrcIpAddr}} generated a large number of failed authentication HTTP requests. This may indicate a [brute force](https://en.wikipedia.org/wiki/Brute-force_attack) or [credential stuffing](https://en.wikipedia.org/wiki/Credential_stuffing) attack.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"Persistence\",\"CredentialAccess\"],\"displayName\":\"Excessive number of HTTP authentication failures from a source (ASIM Web Session schema)\",\"description\":\"This rule identifies a source that repeatedly fails to authenticate to a web service (HTTP response code 403). This may indicate a [brute force](https://en.wikipedia.org/wiki/Brute-force_attack) or [credential stuffing](https://en.wikipedia.org/wiki/Credential_stuffing) attack.\u003cbr\u003e\u003cbr\u003e\\nThis rule uses the [Advanced Security Information Model (ASIM)](https://aka.ms/AboutSIM) and supports any web session source that complies with ASIM. \",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2022-03-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2a09f8cb-deb7-4c40-b08b-9137667f1c0b\",\"name\":\"2a09f8cb-deb7-4c40-b08b-9137667f1c0b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"AuditLogs\\n | where OperationName in (\\\"Add eligible member (permanent)\\\", \\\"Add eligible member (eligible)\\\")\\n | extend Role = tostring(TargetResources[0].displayName)\\n | where Role contains \\\"admin\\\"\\n | extend AddedBy = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend AddedUser = tostring(TargetResources[2].userPrincipalName)\\n | project-reorder TimeGenerated, AddedUser, Role, AddedBy\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddedBy\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddedUser\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"User Added to Admin Role\",\"description\":\"Detects a user being added to a new privileged role. Monitor these additions to ensure the users are made eligible for these roles are intended to have these levels of access.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/dc99e38c-f4e9-4837-94d7-353ac0b01a77\",\"name\":\"dc99e38c-f4e9-4837-94d7-353ac0b01a77\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let threshold = 10;\\n let default_ad_attributes = dynamic([\\\"LastDirSyncTime\\\", \\\"StsRefreshTokensValidFrom\\\", \\\"Included Updated Properties\\\", \\\"AccountEnabled\\\", \\\"Action Client Name\\\", \\\"SourceAnchor\\\"]);\\n AuditLogs\\n | where OperationName =~ \\\"Add user\\\"\\n | where Result =~ \\\"success\\\"\\n | extend properties = TargetResources[0].modifiedProperties\\n | mv-expand properties\\n | evaluate bag_unpack(properties)\\n | summarize count() by displayName, TenantId\\n | where displayName !in (default_ad_attributes)\\n | top threshold by count_ desc\\n | summarize make_set(displayName) by TenantId\\n | join kind=inner (AuditLogs\\n | where Result =~ \\\"success\\\"\\n | where OperationName =~ \\\"Add user\\\"\\n | extend CreatingUserPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend CreatedUserPrincipalName = tostring(TargetResources[0].userPrincipalName)\\n | extend AccountProperties = TargetResources[0].modifiedProperties\\n | mv-expand AccountProperties\\n | extend PropName = tostring(AccountProperties.displayName)) on TenantId\\n | summarize makeset(PropName) by TimeGenerated, CorrelationId, CreatedUserPrincipalName, CreatingUserPrincipalName, tostring(set_displayName)\\n | extend missing_props = set_difference(todynamic(set_displayName), set_PropName)\\n | where array_length(missing_props) \u003e 0\\n | join kind=innerunique (AuditLogs\\n | where Result =~ \\\"success\\\"\\n | where OperationName =~ \\\"Add user\\\"\\n | extend CreatedUserPrincipalName = tostring(TargetResources[0].userPrincipalName)) on CorrelationId, CreatedUserPrincipalName\\n | extend ExpectedProperties = set_displayName\\n | project-away set_displayName, set_PropName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CreatingUserPrincipalName\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CreatedUserPrincipalName\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"User account created without expected attributes defined\",\"description\":\"This query looks for accounts being created that do not have attributes populated that are commonly populated in the tenant.\\n Attackers may attempt to add accounts as a means of establishing persistant access to an environment, looking for anomalies in created accounts may help identify illegitimately created accounts.\\n Created accounts should be investigated to ensure they were legitimated created.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#accounts-not-following-naming-policies\",\"lastUpdatedDateUTC\":\"2022-07-09T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/aa1eff90-29d4-49dc-a3ea-b65199f516db\",\"name\":\"aa1eff90-29d4-49dc-a3ea-b65199f516db\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Low\",\"query\":\"(union isfuzzy=true\\n(SecurityEvent\\n| where EventID == 4720\\n| where AccountType == \\\"User\\\"\\n| project CreatedUserTime = TimeGenerated, CreatedUserEventID = EventID, CreatedUserActivity = Activity, Computer = toupper(Computer), \\nCreatedUser = tolower(TargetAccount), CreatedUserSid = TargetSid, AccountUsedToCreateUser = strcat(SubjectAccount), SidofAccountUsedToCreateUser = SubjectUserSid\\n),\\n(WindowsEvent\\n| where EventID == 4720\\n| extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| extend AccountType=case(EventData.SubjectUserName endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n| where AccountType == \\\"User\\\"\\n| extend SubjectAccount = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| extend Activity=\\\"4720 - A user account was created.\\\"\\n| extend TargetSid = tostring(EventData.TargetSid)\\n| project CreatedUserTime = TimeGenerated, CreatedUserEventID = EventID, CreatedUserActivity = Activity, Computer = toupper(Computer), \\nCreatedUser = tolower(TargetAccount), CreatedUserSid = TargetSid, AccountUsedToCreateUser = strcat(SubjectAccount), SidofAccountUsedToCreateUser = SubjectUserSid\\n))\\n| join ((union isfuzzy=true\\n(SecurityEvent \\n| where AccountType == \\\"User\\\"\\n// 4732 - A member was added to a security-enabled local group\\n| where EventID == 4732\\n// TargetSid is the builin Admins group: S-1-5-32-544\\n| where TargetSid == \\\"S-1-5-32-544\\\"\\n| project GroupAddTime = TimeGenerated, GroupAddEventID = EventID, GroupAddActivity = Activity, Computer = toupper(Computer), GroupName = tolower(TargetAccount), \\nGroupSid = TargetSid, AccountThatAddedUser = SubjectAccount, SIDofAccountThatAddedUser = SubjectUserSid, CreatedUserSid = MemberSid\\n),\\n( WindowsEvent \\n// 4732 - A member was added to a security-enabled local group\\n| where EventID == 4732 and EventData has \\\"S-1-5-32-544\\\"\\n//TargetSid is the builin Admins group: S-1-5-32-544\\n| extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| extend AccountType=case(EventData.SubjectUserName endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n| where AccountType == \\\"User\\\"\\n| extend TargetSid = tostring(EventData.TargetSid)\\n| where TargetSid == \\\"S-1-5-32-544\\\"\\n| extend SubjectAccount = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| extend Activity=\\\"4732 - A member was added to a security-enabled local group.\\\"\\n| extend MemberSid = tostring(EventData.MemberSid)\\n| project GroupAddTime = TimeGenerated, GroupAddEventID = EventID, GroupAddActivity = Activity, Computer = toupper(Computer), GroupName = tolower(TargetAccount), \\nGroupSid = TargetSid, AccountThatAddedUser = SubjectAccount, SIDofAccountThatAddedUser = SubjectUserSid, CreatedUserSid = MemberSid)\\n))\\non CreatedUserSid\\n//Create User first, then the add to the group.\\n| project Computer, CreatedUserTime, CreatedUserEventID, CreatedUserActivity, CreatedUser, CreatedUserSid, GroupAddTime, GroupAddEventID, \\nGroupAddActivity, AccountUsedToCreateUser, GroupName, GroupSid, AccountThatAddedUser, SIDofAccountThatAddedUser \\n| extend timestamp = CreatedUserTime, AccountCustomEntity = CreatedUser, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"Sid\",\"columnName\":\"CreatedUserSid\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"New user created and added to the built-in administrators group\",\"description\":\"Identifies when a user account was created and then added to the builtin Administrators group in the same day.\\nThis should be monitored closely and all additions reviewed.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2019-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d23ed927-5be3-4902-a9c1-85f841eb4fa1\",\"name\":\"d23ed927-5be3-4902-a9c1-85f841eb4fa1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n DuoSecurityAuthentication_CL\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(access_device_ip_s)\\n // renaming time column so it is clear the log this came from\\n | extend Duo_TimeGenerated = isotimestamp_t\\n)\\non $left.TI_ipEntity == $right.access_device_ip_s\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, Duo_TimeGenerated,\\nTI_ipEntity, user_name_s, factor_s, result_s, application_name_s, event_type_s, txid_g, user_key_s, access_device_ip_s, access_device_location_city_s, access_device_location_state_s, access_device_location_country_s\\n| extend timestamp = Duo_TimeGenerated, IPCustomEntity = access_device_ip_s, AccountCustomEntity = user_name_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to Duo Security\",\"description\":\"Identifies a match in DuoSecurity from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2bc7b4ae-eeaa-4538-ba15-ef298ec1ffae\",\"name\":\"2bc7b4ae-eeaa-4538-ba15-ef298ec1ffae\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n| where EventID == 4656\\n| extend EventData = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, TargetAccount, Computer, EventSourceName, Channel, Task, Level, EventID, Activity, TargetLogonId, SourceComputerId, EventOriginId, Type, _ResourceId, TenantId, SourceSystem, ManagementGroupName, IpAddress, Account)\\n| extend ObjectServer = column_ifexists(\u0027ObjectServer\u0027, \\\"\\\"), ObjectType = column_ifexists(\u0027ObjectType\u0027, \\\"\\\"), ObjectName = column_ifexists(\u0027ObjectName\u0027, \\\"\\\")\\n| where isnotempty(ObjectServer) and isnotempty(ObjectType) and isnotempty(ObjectName)\\n| where ObjectServer =~ \\\"SC Manager\\\" and ObjectType =~ \\\"SERVICE OBJECT\\\" and ObjectName =~ \\\"HealthService\\\"\\n// Comment out the join below if the SACL only audits users that are part of the Network logon users, i.e. with user/group target pointing to \\\"NU.\\\"\\n| join kind=leftouter (\\n SecurityEvent\\n | where EventID == 4624\\n) on TargetLogonId\\n| project TimeGenerated, Computer, Account, TargetAccount, IpAddress,TargetLogonId, ObjectServer, ObjectType, ObjectName\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Starting or Stopping HealthService to Avoid Detection\",\"description\":\"This query detects events where an actor is stopping or starting HealthService to disable telemetry collection/detection from the agent.\\n The query requires a SACL to audit for access request to the service.\",\"lastUpdatedDateUTC\":\"2022-01-17T00:00:00Z\",\"createdDateUTC\":\"2021-03-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bff093b2-500e-4ae5-bb49-a5b1423cbd5b\",\"name\":\"bff093b2-500e-4ae5-bb49-a5b1423cbd5b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"OfficeActivity\\n| where OfficeWorkload =~ \\\"MicrosoftTeams\\\"\\n| where Operation =~ \\\"MemberAdded\\\"\\n| extend UPN = tostring(parse_json(Members)[0].UPN)\\n| where UPN contains (\\\"#EXT#\\\")\\n| project TimeAdded=TimeGenerated, Operation, UPN, UserWhoAdded = UserId, TeamName\\n| join (\\n OfficeActivity\\n| where OfficeWorkload =~ \\\"MicrosoftTeams\\\"\\n| where Operation =~ \\\"MemberRemoved\\\"\\n| extend UPN = tostring(parse_json(Members)[0].UPN)\\n| where UPN contains (\\\"#EXT#\\\")\\n| project TimeDeleted=TimeGenerated, Operation, UPN, UserWhoDeleted = UserId, TeamName\\n) on UPN\\n| where TimeDeleted \u003e TimeAdded\\n| project TimeAdded, TimeDeleted, UPN, UserWhoAdded, UserWhoDeleted, TeamName\\n| extend timestamp = TimeAdded, AccountCustomEntity = UPN\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"External user added and removed in short timeframe\",\"description\":\"This detection flags the occurances of external user accounts that are added to a Team and then removed within\\none hour.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-09-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity (Teams)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9367dff0-941d-44e2-8875-cb48570c7add\",\"name\":\"9367dff0-941d-44e2-8875-cb48570c7add\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"Event\\n| where EventLog == \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID in (13)\\n| parse EventData with * \u0027TargetObject\\\"\u003e\u0027 TargetObject \\\"\u003c\\\" * \u0027Details\\\"\u003e\u0027 Details \\\"\u003c\\\" * \\n| where TargetObject has \\\"\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Windows\\\\\\\\AppInit_DLLs\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventID, Computer, TargetObject, Details\",\"entityMappings\":[{\"entityType\":\"RegistryKey\",\"fieldMappings\":[{\"identifier\":\"Key\",\"columnName\":\"TargetObject\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Registry Persistence via AppInit DLLs Modification\",\"description\":\"Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes. \\nDynamic-link libraries (DLLs) that are specified in the AppInit_DLLs value in the Registry keys HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows or HKEY_LOCAL_MACHINE\\\\Software\\\\Wow6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows are loaded by user32.dll into every process that loads user32.dll. In practice this is nearly every program, since user32.dll is a very common library.\\nRef: https://attack.mitre.org/techniques/T1546/010/\",\"lastUpdatedDateUTC\":\"2022-03-21T00:00:00Z\",\"createdDateUTC\":\"2022-03-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8d537f3c-094f-430c-a588-8a87da36ee3a\",\"name\":\"8d537f3c-094f-430c-a588-8a87da36ee3a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let timeframe = 15m;\\nlet user_agents=dynamic([\\n \u0027(hydra)\u0027,\\n \u0027 arachni/\u0027,\\n \u0027 BFAC \u0027,\\n \u0027 brutus \u0027,\\n \u0027 cgichk \u0027,\\n \u0027core-project/1.0\u0027,\\n \u0027 crimscanner/\u0027,\\n \u0027datacha0s\u0027,\\n \u0027dirbuster\u0027,\\n \u0027domino hunter\u0027,\\n \u0027dotdotpwn\u0027,\\n \u0027FHScan Core\u0027,\\n \u0027floodgate\u0027,\\n \u0027get-minimal\u0027,\\n \u0027gootkit auto-rooter scanner\u0027,\\n \u0027grendel-scan\u0027,\\n \u0027 inspath \u0027,\\n \u0027internet ninja\u0027,\\n \u0027jaascois\u0027,\\n \u0027 zmeu \u0027,\\n \u0027masscan\u0027,\\n \u0027 metis \u0027,\\n \u0027morfeus fucking scanner\u0027,\\n \u0027n-stealth\u0027,\\n \u0027nsauditor\u0027,\\n \u0027pmafind\u0027,\\n \u0027security scan\u0027,\\n \u0027springenwerk\u0027,\\n \u0027teh forest lobster\u0027,\\n \u0027toata dragostea\u0027,\\n \u0027 vega/\u0027,\\n \u0027voideye\u0027,\\n \u0027webshag\u0027,\\n \u0027webvulnscan\u0027,\\n \u0027 whcc/\u0027,\\n \u0027 Havij\u0027,\\n \u0027absinthe\u0027,\\n \u0027bsqlbf\u0027,\\n \u0027mysqloit\u0027,\\n \u0027pangolin\u0027,\\n \u0027sql power injector\u0027,\\n \u0027sqlmap\u0027,\\n \u0027sqlninja\u0027,\\n \u0027uil2pn\u0027,\\n \u0027ruler\u0027,\\n \u0027Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-PT; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)\u0027\\n ]);\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(timeframe)\\n| where HttpUserAgentOriginal has_any (user_agents)\\n| extend Message = \\\"Hack Tool User Agent\\\"\\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated, HttpUserAgentOriginal\\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - Hack Tool User-Agent Detected\",\"description\":\"Detects suspicious user agent strings used by known hack tools\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/30c8b802-ace1-4408-bc29-4c5c5afb49e1\",\"name\":\"30c8b802-ace1-4408-bc29-4c5c5afb49e1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"imProcess\\n | where EventType =~ \\\"ProcessCreated\\\"\\n | where Process endswith \\\"svchost.exe\\\"\\n | where CommandLine has \\\"-k GPSvcGroup\\\" or CommandLine has \\\"-s gpsvc\\\"\\n | extend timekey = bin(TimeGenerated, 1m)\\n | project timekey, ActingProcessId, Dvc\\n | join kind=inner (imProcess\\n | where EventType =~ \\\"ProcessCreated\\\"\\n | where Process =~ \\\"sdelete.exe\\\" or CommandLine has \\\"sdelete\\\"\\n | where ActingProcessName endswith \\\"svchost.exe\\\"\\n | where CommandLine has_all (\\\"-s\\\", \\\"-r\\\")\\n | extend timekey = bin(TimeGenerated, 1m)\\n ) on $left.ActingProcessId == $right.ParentProcessId, timekey, Dvc\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ActorUsername\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DvcIpAddr\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Dvc\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Sdelete deployed via GPO and run recursively (ASIM Version)\",\"description\":\"This query looks for the Sdelete process being run recursively after being deployed to a host via GPO. Attackers could use this technique to deploy Sdelete to multiple host and delete data on them.\\n This query uses the Advanced Security Information Model. Parsers will need to be deployed before use: https://docs.microsoft.com/azure/sentinel/normalization\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-03-01T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/84cccc86-5c11-4b3a-aca6-7c8f738ed0f7\",\"name\":\"84cccc86-5c11-4b3a-aca6-7c8f738ed0f7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n | where OperationName has_all (\\\"member to role\\\", \\\"add\\\")\\n | where Result =~ \\\"Success\\\"\\n | extend type_ = tostring(TargetResources[0].type)\\n | where type_ =~ \\\"ServicePrincipal\\\"\\n | where isnotempty(TargetResources)\\n | extend ServicePrincipal = tostring(TargetResources[0].displayName)\\n | extend SPID = tostring(TargetResources[0].id)\\n | mv-expand TargetResources[0].modifiedProperties\\n | extend TargetResources_0_modifiedProperties = columnifexists(\\\"TargetResources_0_modifiedProperties\\\", \u0027\u0027)\\n | where isnotempty(TargetResources_0_modifiedProperties)\\n | where TargetResources_0_modifiedProperties.displayName =~ \\\"Role.DisplayName\\\"\\n | extend TargetRole = parse_json(tostring(TargetResources_0_modifiedProperties.newValue))\\n | where TargetRole contains \\\"admin\\\"\\n | extend AddedByApp = iif(\\n isnotempty(tostring(parse_json(tostring(InitiatedBy.app)).servicePrincipalName)),\\n tostring(parse_json(tostring(InitiatedBy.app)).servicePrincipalName),\\n tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n )\\n | extend AddedByUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend AddedBy = iif(isnotempty(AddedByApp), AddedByApp, AddedByUser)\\n | extend IpAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n | project-reorder TimeGenerated, ServicePrincipal, SPID, TargetRole, AddedBy, IpAddress\\n | project-away AddedByApp, AddedByUser\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"SPID\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddedBy\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Service Principal Assigned Privileged Role\",\"description\":\"Detects a privileged role being added to a Service Principal.\\n Ensure that any assignment to a Service Principal is valid and appropriate - Service Principals should not be assigned to very highly privileged roles such as Global Admin.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts\",\"lastUpdatedDateUTC\":\"2022-07-09T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8dcf7238-a7d0-4cfd-8d0c-b230e3cd9182\",\"name\":\"8dcf7238-a7d0-4cfd-8d0c-b230e3cd9182\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5M\",\"queryPeriod\":\"PT5M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let timeframe = ago(5m);\\nDuoSecurityTrustMonitor_CL\\n| where TimeGenerated \u003e= timeframe\\n| extend AccountCustomEntity = surfaced_auth_user_name_s, IPCustomEntity = surfaced_auth_access_device_ip_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Trust Monitor Event\",\"description\":\"This query identifies when a new trust monitor event is detected.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-13T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/dcdf9bfc-c239-4764-a9f9-3612e6dff49c\",\"name\":\"dcdf9bfc-c239-4764-a9f9-3612e6dff49c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"// Adjust this to use a longer timeframe to identify ADFS servers\\n//let lookback = 6d;\\n// Adjust this to adjust the key export detection timeframe\\n//let timeframe = 1d;\\n// Start be identifying ADFS servers to reduce FP chance\\nlet ADFS_Servers = (\\nEvent\\n//| where TimeGenerated \u003e ago(timeframe+lookback)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 18\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, MG, ManagementGroupName, _ResourceId)\\n| extend Image = column_ifexists(\\\"Image\\\", \\\"\\\")\\n| extend process = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n| where process =~ \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| summarize by Computer);\\n// Look for ADFS servers where Named Pipes event are present\\nEvent\\n//| where TimeGenerated \u003e ago(timeframe)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 18\\n| where Computer in~ (ADFS_Servers)\\n| extend RenderedDescription = tostring(split(RenderedDescription, \\\":\\\")[0])\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| extend RuleName = column_ifexists(\\\"RuleName\\\", \\\"\\\"),\\n TechniqueId = column_ifexists(\\\"TechniqueId\\\", \\\"\\\"),\\n TechniqueName = column_ifexists(\\\"TechniqueName\\\", \\\"\\\"),\\n Image = column_ifexists(\\\"Image\\\", \\\"\\\"),\\n PipeName = column_ifexists(\\\"PipeName\\\", \\\"\\\"),\\n EventType = column_ifexists(\\\"EventType\\\", \\\"\\\")\\n| parse RuleName with * \u0027technique_id=\u0027 TechniqueId \u0027,\u0027 * \u0027technique_name=\u0027 TechniqueName\\n// Look for Pipe related to querying the WID\\n| where PipeName == \\\"\\\\\\\\MICROSOFT##WID\\\\\\\\tsql\\\\\\\\query\\\"\\n| extend process = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n// Exclude expected processes\\n| where process !in (\\\"Microsoft.IdentityServer.ServiceHost.exe\\\", \\\"Microsoft.Identity.Health.Adfs.PshSurrogate.exe\\\", \\\"AzureADConnect.exe\\\", \\\"Microsoft.Tri.Sensor.exe\\\", \\\"wsmprovhost.exe\\\",\\\"mmc.exe\\\", \\\"sqlservr.exe\\\")\\n| extend Operation = RenderedDescription\\n| project-reorder TimeGenerated, EventType, Operation, process, Image, Computer, UserName\\n| extend HostCustomEntity = Computer, AccountCustomEntity = UserName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Collection\"],\"displayName\":\"ADFS Database Named Pipe Connection\",\"description\":\"This detection uses Sysmon telemetry to detect suspicious local connections via a named pipe to the AD FS configuration database (Windows Internal Database).\\nIn order to use this query you need to be collecting Sysmon EventIdD 18 (Pipe Connected).\\nIf you do not have Sysmon data in your workspace this query will raise an error stating:\\nFailed to resolve scalar expression named \\\"[@Name]\",\"lastUpdatedDateUTC\":\"2021-11-23T00:00:00Z\",\"createdDateUTC\":\"2020-12-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3617d76d-b15e-4c6f-985e-a1dac73c592d\",\"name\":\"3617d76d-b15e-4c6f-985e-a1dac73c592d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"SigninLogs\\n| where ResultType == 500121\\n| extend additionalDetails_ = tostring(Status.additionalDetails)\\n| where additionalDetails_ =~ \\\"MFA denied; user declined the authentication\\\"\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"NRT MFA Rejected by User\",\"description\":\"Identifies occurrences where a user has rejected an MFA prompt. This could be an indicator that a threat actor has compromised the username and password of this user account and is using it to try and log into the account.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\",\"lastUpdatedDateUTC\":\"2022-02-08T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5436f471-b03d-41cb-b333-65891f887c43\",\"name\":\"5436f471-b03d-41cb-b333-65891f887c43\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Informational\",\"query\":\"GitHubRepo\\n| where Action == \\\"vulnerabilityAlert\\\"\\n| project TimeGenerated, DismmisedAt, Reason, vulnerableManifestFilename, Description, Link, PublishedAt, Severity, Summary\",\"entityMappings\":[],\"displayName\":\"GitHub Security Vulnerability in Repository\",\"description\":\"This alerts when there is a new security vulnerability in a GitHub repository.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-10T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d82e1987-4356-4a7b-bc5e-064f29b143c0\",\"name\":\"d82e1987-4356-4a7b-bc5e-064f29b143c0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"(union isfuzzy=true \\n(SecurityEvent\\n| where EventID == 4688\\n| where Process =~ \u0027rundll32.exe\u0027 \\n| where CommandLine has_all (\u0027Execute\u0027,\u0027RegRead\u0027,\u0027window.close\u0027)\\n| project TimeGenerated, Computer, Account, Process, NewProcessName, CommandLine, ParentProcessName, _ResourceId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account\\n),\\n(WindowsEvent\\n| where EventID == 4688 and EventData has \u0027rundll32.exe\u0027 and EventData has_any (\u0027Execute\u0027,\u0027RegRead\u0027,\u0027window.close\u0027)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where Process =~ \u0027rundll32.exe\u0027 \\n| extend CommandLine = tostring(EventData.CommandLine)\\n| where CommandLine has_all (\u0027Execute\u0027,\u0027RegRead\u0027,\u0027window.close\u0027)\\n| extend Account = strcat(EventData.SubjectDomainName,\\\"\\\\\\\\\\\", EventData.SubjectUserName)\\n| extend ParentProcessName = tostring(EventData.ParentProcessName) \\n| project TimeGenerated, Computer, Account, Process, NewProcessName, CommandLine, ParentProcessName, _ResourceId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account\\n) )\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"NOBELIUM - suspicious rundll32.exe execution of vbscript\",\"description\":\"This query idenifies when rundll32.exe executes a specific set of inline VBScript commands\\n References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-03-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/961b6a81-5c53-40b6-9800-4f661a8faea7\",\"name\":\"961b6a81-5c53-40b6-9800-4f661a8faea7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/DEV-0586.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\nlet Command_Line = (iocs | where Type =~ \\\"CommandLine\\\" | project IoC);\\n(union isfuzzy=true\\n(DeviceProcessEvents\\n| where InitiatingProcessSHA256 in (sha256Hashes) or SHA256 in (sha256Hashes) or ( InitiatingProcessCommandLine has (\u0027127.0.0.1\\\\\\\\ADMIN$\u0027) and InitiatingProcessCommandLine has_any (Command_Line))\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type, AccountName, SHA256\\n| extend Account = AccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = case(InitiatingProcessSHA256 in (sha256Hashes), \\\"InitiatingProcessSHA256\\\", SHA256 in (sha256Hashes), \\\"SHA256\\\", \\\"No Match\\\")\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = case(FileHash == \\\"InitiatingProcessSHA256\\\", InitiatingProcessSHA256, FileHash == \\\"SHA256\\\", SHA256, \\\"No Match\\\")\\n),\\n( SecurityEvent\\n| where EventID == 4688\\n| where ( CommandLine has (@\u0027127.0.0.1\\\\\\\\ADMIN$\u0027) and CommandLine has_any (Command_Line))\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type, EventID\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName\\n),\\n( CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, SourceUserID, FileHash, Type\\n| extend timestamp = TimeGenerated, FileHashCustomEntity = \u0027SHA256\u0027, Account = SourceUserID\\n),\\n( imFileEvent\\n| where Hash in~ (sha256Hashes) or ( ActingProcessCommandLine has (\u0027127.0.0.1\\\\\\\\ADMIN$\u0027) and ActingProcessCommandLine has_any (Command_Line))\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Image = EventDetail.[4].[\\\"#text\\\"], CommandLine = EventDetail.[10].[\\\"#text\\\"], Hashes = tostring(EventDetail.[17].[\\\"#text\\\"])\\n| extend Hashes = extract_all(@\\\"(?P\u003ckey\u003e\\\\w+)=(?P\u003cvalue\u003e[a-zA-Z0-9]+)\\\", dynamic([\\\"key\\\",\\\"value\\\"]), Hashes)\\n| extend Hashes = column_ifexists(\\\"Hashes\\\", \\\"\\\"), CommandLine = column_ifexists(\\\"CommandLine\\\", \\\"\\\")\\n| where (Hashes has_any (sha256Hashes) ) or ( CommandLine has (\u0027127.0.0.1\\\\\\\\ADMIN$\u0027) and CommandLine has_any (Command_Line)) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, Hashes, CommandLine, Image\\n| extend Type = strcat(Type, \\\": \\\", Source)\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), FileHashCustomEntity = Hashes\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashAlgo\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"DEV-0586 Actor IOC - January 2022\",\"description\":\"Identifies a match across IOC\u0027s related to an actor tracked by Microsoft as DEV-0586\\n Refrence: https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/\",\"lastUpdatedDateUTC\":\"2022-01-16T00:00:00Z\",\"createdDateUTC\":\"2022-01-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/66c81ae2-1f89-4433-be00-2fbbd9ba5ebe\",\"name\":\"66c81ae2-1f89-4433-be00-2fbbd9ba5ebe\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\nlet dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n CommonSecurityLog\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | extend MessageIP = extract(IPRegex, 0, Message)\\n | extend CS_ipEntity = iff(isnotempty(SourceIP), SourceIP, DestinationIP)\\n | extend CS_ipEntity = iff(isempty(CS_ipEntity) and isnotempty(MessageIP), MessageIP, CS_ipEntity)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.CS_ipEntity\\n| where CommonSecurityLog_TimeGenerated \u003c ExpirationDateTime\\n| summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, CS_ipEntity\\n| project CommonSecurityLog_TimeGenerated, SourceIP, DestinationIP, MessageIP, Message, DeviceVendor, DeviceProduct, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, TI_ipEntity, CS_ipEntity, LogSeverity, DeviceAction\\n| extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = CS_ipEntity\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to CommonSecurityLog\",\"description\":\"Identifies a match in CommonSecurityLog from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/17f23fbe-bb73-4324-8ecf-a18545a5dc26\",\"name\":\"17f23fbe-bb73-4324-8ecf-a18545a5dc26\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P3D\",\"queryPeriod\":\"P3D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let timeframe = 3d;\\n// Get Release Pipeline Creation Events and group by day\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeframe)\\n| where OperationName =~ \\\"Release.ReleasePipelineCreated\\\"\\n// Group by day\\n| extend timekey = bin(TimeGenerated, 1d)\\n| extend PipelineId = tostring(Data.PipelineId)\\n| extend PipelineName = tostring(Data.PipelineName)\\n// Rename some columns to make output clearer\\n| project-rename TimeCreated = TimeGenerated, CreatingUser = ActorUPN, CreatingUserAgent = UserAgent, CreatingIP = IpAddress\\n// Join with Release Pipeline Deletions where Pipeline ID is the same and deletion occurred on same day as creation\\n| join (AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeframe)\\n| where OperationName =~ \\\"Release.ReleasePipelineDeleted\\\"\\n// Group by day\\n| extend timekey = bin(TimeGenerated, 1d)\\n| extend PipelineId = tostring(Data.PipelineId)\\n| extend PipelineName = tostring(Data.PipelineName)\\n// Rename some things to make the output clearer\\n| project-rename TimeDeleted = TimeGenerated, DeletingUser = ActorUPN, DeletingUserAgent = UserAgent, DeletingIP = IpAddress) on PipelineId, timekey\\n| project TimeCreated, TimeDeleted, PipelineName, PipelineId, CreatingUser, CreatingIP, CreatingUserAgent, DeletingUser, DeletingIP, DeletingUserAgent, ScopeDisplayName, ProjectName, Data, OperationName, OperationName1\\n| extend timestamp = TimeCreated, AccountCustomEntity = CreatingUser, IPCustomEntity = CreatingIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DeletingUser\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DeletingIP\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"Azure DevOps Pipeline Created and Deleted on the Same Day\",\"description\":\"An attacker with access to Azure DevOps could create a pipeline to inject artifacts used by other pipelines, \\nor to create a malicious software build that looks legitimate by using a pipeline that incorporates legitimate elements. \\nAn attacker would also likely want to cover their tracks once conducting such activity. This query looks for Pipelines \\ncreated and deleted within the same day, this is unlikely to be legitimate user activity in the majority of cases.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/83ba3057-9ea3-4759-bf6a-933f2e5bc7ee\",\"name\":\"83ba3057-9ea3-4759-bf6a-933f2e5bc7ee\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":3,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let current = 1d;\\nlet auditLookback = 7d;\\n// Setting threshold to 3 as a default, change as needed. \\n// Any operation that has been initiated by a user or app more than 3 times in the past 7 days will be excluded\\nlet threshold = 3;\\n// Gather initial data from lookback period, excluding current, adjust current to more than a single day if no results\\nlet AuditTrail = AuditLogs | where TimeGenerated \u003e= ago(auditLookback) and TimeGenerated \u003c ago(current)\\n// 2 other operations that can be part of malicious activity in this situation are \\n// \\\"Add OAuth2PermissionGrant\\\" and \\\"Add service principal\\\", extend the filter below to capture these too\\n| where OperationName has \\\"Consent to application\\\"\\n| extend InitiatedBy = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)), \\ntostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName))\\n| extend TargetResourceName = tolower(tostring(TargetResources.[0].displayName))\\n| summarize max(TimeGenerated), OperationCount = count() by OperationName, InitiatedBy, TargetResourceName\\n// only including operations by initiated by a user or app that is above the threshold so we produce only rare and has not occurred in last 7 days\\n| where OperationCount \u003e threshold\\n;\\n// Gather current period of audit data\\nlet RecentConsent = AuditLogs | where TimeGenerated \u003e= ago(current)\\n| where OperationName has \\\"Consent to application\\\"\\n| extend IpAddress = case(\\nisnotempty(tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)) and tostring(parse_json(tostring(InitiatedBy.user)).ipAddress) != \u0027null\u0027, tostring(parse_json(tostring(InitiatedBy.user)).ipAddress), \\nisnotempty(tostring(parse_json(tostring(InitiatedBy.app)).ipAddress)) and tostring(parse_json(tostring(InitiatedBy.app)).ipAddress) != \u0027null\u0027, tostring(parse_json(tostring(InitiatedBy.app)).ipAddress),\\n\u0027Not Available\u0027)\\n| extend InitiatedBy = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)), \\ntostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName))\\n| extend TargetResourceName = tolower(tostring(TargetResources.[0].displayName))\\n| parse TargetResources.[0].modifiedProperties with * \\\"ConsentType: \\\" ConsentType \\\"]\\\" *\\n| mv-expand AdditionalDetails\\n| extend UserAgent = iff(AdditionalDetails.key == \\\"User-Agent\\\",tostring(AdditionalDetails.value),\\\"\\\")\\n| project TimeGenerated, InitiatedBy, IpAddress, TargetResourceName, Category, OperationName, ConsentType, UserAgent, CorrelationId, Type;\\n// Exclude previously seen audit activity for \\\"Consent to application\\\" that was seen in the lookback period\\n// First for rare InitiatedBy\\nlet RareConsentBy = RecentConsent | join kind= leftanti AuditTrail on OperationName, InitiatedBy \\n| extend Reason = \\\"Previously unseen user consenting\\\";\\n// Second for rare TargetResourceName\\nlet RareConsentApp = RecentConsent | join kind= leftanti AuditTrail on OperationName, TargetResourceName\\n| extend Reason = \\\"Previously unseen app granted consent\\\";\\nRareConsentBy | union RareConsentApp\\n| summarize Reason = makeset(Reason) by TimeGenerated, InitiatedBy, IpAddress, TargetResourceName, Category, OperationName, ConsentType, UserAgent, CorrelationId, Type\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatedBy, HostCustomEntity = TargetResourceName, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Rare application consent\",\"description\":\"This will alert when the \\\"Consent to application\\\" operation occurs by a user that has not done this operation before or rarely does this.\\nThis could indicate that permissions to access the listed Azure App were provided to a malicious actor. \\nConsent to application, Add service principal and Add OAuth2PermissionGrant should typically be rare events. \\nThis may help detect the Oauth2 attack that can be initiated by this publicly available tool - https://github.com/fireeye/PwnAuth\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2019-07-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/69b7723c-2889-469f-8b55-a2d355ed9c87\",\"name\":\"69b7723c-2889-469f-8b55-a2d355ed9c87\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.3\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n DnsEvents\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where SubType =~ \\\"LookupQuery\\\" and isnotempty(IPAddresses)\\n | mv-expand SingleIP = split(IPAddresses, \\\", \\\") to typeof(string)\\n // renaming time column so it is clear the log this came from\\n | extend DNS_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.SingleIP\\n| where DNS_TimeGenerated \u003c ExpirationDateTime\\n| summarize DNS_TimeGenerated = arg_max(DNS_TimeGenerated , *) by IndicatorId, SingleIP\\n| project DNS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, DomainName, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, Computer, EventId, SubType, ClientIP, Name, IPAddresses, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = DNS_TimeGenerated, IPCustomEntity = ClientIP, HostCustomEntity = Computer, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to DnsEvents\",\"description\":\"Identifies a match in DnsEvents from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2022-06-27T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c63ae777-d5e0-4113-8c9a-c2c9d3d09fcd\",\"name\":\"c63ae777-d5e0-4113-8c9a-c2c9d3d09fcd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"let args = dynamic([\\\"objectcategory\\\",\\\"domainlist\\\",\\\"dcmodes\\\",\\\"adinfo\\\",\\\"trustdmp\\\",\\\"computers_pwdnotreqd\\\",\\\"Domain Admins\\\", \\\"objectcategory=person\\\", \\\"objectcategory=computer\\\", \\\"objectcategory=*\\\",\\\"dclist\\\"]);\\nlet parentProcesses = dynamic([\\\"pwsh.exe\\\",\\\"powershell.exe\\\",\\\"cmd.exe\\\"]);\\nDeviceProcessEvents\\n//looks for execution from a shell\\n| where InitiatingProcessFileName in (parentProcesses)\\n// main filter\\n| where FileName =~ \\\"AdFind.exe\\\" or SHA256 == \\\"c92c158d7c37fea795114fa6491fe5f145ad2f8c08776b18ae79db811e8e36a3\\\"\\n // AdFind common Flags to check for from various threat actor TTPs\\n or ProcessCommandLine has_any (args)\\n| extend AccountCustomEntity = AccountName, HostCustomEntity = DeviceName, ProcessCustomEntity = InitiatingProcessFileName, CommandLineCustomEntity = ProcessCommandLine, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = SHA256\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"},{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLineCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Discovery\"],\"displayName\":\"Probable AdFind Recon Tool Usage\",\"description\":\"Identifies the host and account that executed AdFind by hash and filename in addition to common and unique flags that are used by many threat actors in discovery.\",\"lastUpdatedDateUTC\":\"2021-11-30T00:00:00Z\",\"createdDateUTC\":\"2021-04-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b31037ea-6f68-4fbd-bab2-d0d0f44c2fcf\",\"name\":\"b31037ea-6f68-4fbd-bab2-d0d0f44c2fcf\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(Url)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n Syslog\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n // Extract URL from the Syslog message but only take messages that include URLs\\n | extend Url = extract(\\\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.\u0026+]|[!*\\\\\\\\(\\\\\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+)\\\", 1,SyslogMessage)\\n | where isnotempty(Url)\\n | extend Syslog_TimeGenerated = TimeGenerated\\n) on Url\\n| where Syslog_TimeGenerated \u003c ExpirationDateTime\\n| summarize Syslog_TimeGenerated = arg_max(Syslog_TimeGenerated , *) by IndicatorId, Url\\n| project Syslog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, SyslogMessage, Computer, ProcessName, Url, HostIP\\n| extend timestamp = Syslog_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map URL entity to Syslog data\",\"description\":\"Identifies a match in Syslog data from any URL IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/af435ca1-fb70-4de1-92c1-7435c48482a9\",\"name\":\"af435ca1-fb70-4de1-92c1-7435c48482a9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let admin_users = (IdentityInfo\\n | summarize arg_max(TimeGenerated, *) by AccountUPN\\n | where AssignedRoles contains \\\"admin\\\"\\n | summarize by tolower(AccountUPN));\\n let admin_asn = (SigninLogs\\n | where TimeGenerated between (ago(7d)..ago(1d))\\n | where tolower(UserPrincipalName) in (admin_users)\\n | summarize by AutonomousSystemNumber);\\n let admin_locations = (SigninLogs\\n | where TimeGenerated between (ago(7d)..ago(1d))\\n | where tolower(UserPrincipalName) in (admin_users)\\n | summarize by Location);\\n let admin_devices = (SigninLogs\\n | where TimeGenerated between (ago(7d)..ago(1d))\\n | where tolower(UserPrincipalName) in (admin_users)\\n | extend deviceId = tostring(DeviceDetail.deviceId)\\n | where isnotempty(deviceId)\\n | summarize by deviceId);\\n SigninLogs\\n | where TimeGenerated \u003e ago(1d)\\n | where ResultType == 0\\n | where tolower(UserPrincipalName) in (admin_users)\\n | extend deviceId = tostring(DeviceDetail.deviceId)\\n | where AutonomousSystemNumber !in (admin_asn) and deviceId !in (admin_devices) and Location !in (admin_locations)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Authentications of Privileged Accounts Outside of Expected Controls\",\"description\":\"Detects when a privileged user account successfully authenticates from a location, device or ASN that another admin has not logged in from in the last 7 days.\\n Privileged accounts are a key target for threat actors, monitoring for logins from these accounts that deviate from normal activity can help identify compromised accounts.\\n Authentication attempts should be investigated to ensure the activity was legitimate and if there is other similar activity.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-successful-unusual-sign-ins\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"BehaviorAnalytics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a357535e-f722-4afe-b375-cff362b2b376\",\"name\":\"a357535e-f722-4afe-b375-cff362b2b376\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"(union isfuzzy=true\\n(OfficeActivity | where UserAgent != \\\"\\\"),\\n(OfficeActivity\\n| where RecordType in (\\\"AzureActiveDirectory\\\", \\\"AzureActiveDirectoryStsLogon\\\")\\n| extend OperationName = Operation\\n| parse ExtendedProperties with * \u0027User-Agent\\\\\\\\\\\":\\\\\\\\\\\"\u0027 UserAgent2 \u0027\\\\\\\\\u0027 *\\n| parse ExtendedProperties with * \u0027UserAgent\\\", \\\"Value\\\": \\\"\u0027 UserAgent1 \u0027\\\"\u0027 *\\n| where isnotempty(UserAgent1) or isnotempty(UserAgent2)\\n| extend UserAgent = iff( RecordType == \u0027AzureActiveDirectoryStsLogon\u0027, UserAgent1, UserAgent2)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = ClientIP, Account = UserId, Type, RecordType, Operation\\n),\\n(AzureDiagnostics\\n| where ResourceType =~ \\\"APPLICATIONGATEWAYS\\\" \\n| where OperationName =~ \\\"ApplicationGatewayAccess\\\" \\n| extend ClientIP = columnifexists(\\\"clientIP_s\\\", \\\"None\\\"), UserAgent = columnifexists(\\\"userAgent_s\\\", \\\"None\\\")\\n| where UserAgent != \u0027-\u0027\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = ClientIP, requestUri_s, httpMethod_s, host_s, requestQuery_s, Type\\n),\\n(\\nW3CIISLog\\n| where isnotempty(csUserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent = csUserAgent, SourceIP = cIP, Account = csUserName, Type, sSiteName, csMethod, csUriStem\\n),\\n(\\nAWSCloudTrail\\n| where isnotempty(UserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = SourceIpAddress, Account = UserIdentityUserName, Type, EventSource, EventName\\n),\\n(SigninLogs\\n| where isnotempty(UserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = IPAddress, Account = UserPrincipalName, Type, OperationName, tostring(LocationDetails), tostring(DeviceDetail), AppDisplayName, ClientAppUsed\\n),\\n(AADNonInteractiveUserSignInLogs \\n| where isnotempty(UserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = IPAddress, Account = UserPrincipalName, Type, OperationName, tostring(LocationDetails), tostring(DeviceDetail), AppDisplayName, ClientAppUsed\\n)\\n)\\n// Likely artefact of hardcoding\\n| where UserAgent startswith \\\"User\\\" or UserAgent startswith \u0027\\\\\\\"\u0027\\n// Incorrect casing\\nor (UserAgent startswith \\\"Mozilla\\\" and not(UserAgent containscs \\\"Mozilla\\\"))\\n// Incorrect casing\\nor UserAgent containscs \\\"(Compatible;\\\"\\n// Missing MSIE version\\nor UserAgent matches regex @\\\"MSIE\\\\s?;\\\"\\n// Incorrect spacing around MSIE version\\nor UserAgent matches regex @\\\"MSIE(?:\\\\d|.{1,5}?\\\\d\\\\s;)\\\"\\n| extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"CommandAndControl\",\"Execution\"],\"displayName\":\"Malformed user agent\",\"description\":\"Malware authors will sometimes hardcode user agent string values when writing the network communication component of their malware.\\nMalformed user agents can be an indication of such malware.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-01-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"WAF\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4acd3a04-2fad-4efc-8a4b-51476594cec4\",\"name\":\"4acd3a04-2fad-4efc-8a4b-51476594cec4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let triThreshold = 500;\\nlet startTime = 6h;\\nlet dgaLengthThreshold = 8;\\n// fetch the alexa top 1M domains\\nlet top1M = (externaldata (Position:int, Domain:string) [@\\\"http://s3-us-west-1.amazonaws.com/umbrella-static/top-1m.csv.zip\\\"] with (format=\\\"csv\\\", zipPattern=\\\"*.csv\\\"));\\n// extract tri grams that are above our threshold - i.e. are common\\nlet triBaseline = top1M\\n| extend Domain = tolower(extract(\\\"([^.]*).{0,7}$\\\", 1, Domain))\\n| extend AllTriGrams = array_concat(extract_all(\\\"(...)\\\", Domain), extract_all(\\\"(...)\\\", substring(Domain, 1)), extract_all(\\\"(...)\\\", substring(Domain, 2)))\\n| mvexpand Trigram=AllTriGrams\\n| summarize triCount=count() by tostring(Trigram)\\n| sort by triCount desc\\n| where triCount \u003e triThreshold\\n| distinct Trigram;\\n// collect domain information from common security log, filter and extract the DGA candidate and its trigrams\\nlet allDataSummarized = CommonSecurityLog\\n| where TimeGenerated \u003e ago(startTime)\\n| where isnotempty(DestinationHostName)\\n| extend Name = tolower(DestinationHostName)\\n| distinct Name\\n| where Name has \\\".\\\"\\n| where Name !endswith \\\".home\\\" and Name !endswith \\\".lan\\\"\\n// extract DGA candidate\\n| extend DGADomain = extract(\\\"([^.]*).{0,7}$\\\", 1, Name)\\n| where strlen(DGADomain) \u003e dgaLengthThreshold\\n// throw out domains with number in them\\n| where DGADomain matches regex \\\"^[A-Za-z]{0,}$\\\"\\n// extract the tri grams from summarized data\\n| extend AllTriGrams = array_concat(extract_all(\\\"(...)\\\", DGADomain), extract_all(\\\"(...)\\\", substring(DGADomain, 1)), extract_all(\\\"(...)\\\", substring(DGADomain, 2)));\\n// throw out domains that have repeating tri\u0027s and/or \u003e=3 repeating letters\\nlet nonRepeatingTris = allDataSummarized\\n| join kind=leftanti\\n(\\n allDataSummarized\\n | mvexpand AllTriGrams\\n | summarize count() by tostring(AllTriGrams), DGADomain\\n | where count_ \u003e 1\\n | distinct DGADomain\\n)\\non DGADomain;\\n// find domains that do not have a common tri in the baseline\\nlet dataWithRareTris = nonRepeatingTris\\n| join kind=leftanti\\n(\\n nonRepeatingTris\\n | mvexpand AllTriGrams\\n | extend Trigram = tostring(AllTriGrams)\\n | distinct Trigram, DGADomain\\n | join kind=inner\\n (\\n triBaseline\\n )\\n on Trigram\\n | distinct DGADomain\\n)\\non DGADomain;\\ndataWithRareTris\\n// join DGAs back on connection data\\n| join kind=inner\\n(\\n CommonSecurityLog\\n | where TimeGenerated \u003e ago(startTime)\\n | where isnotempty(DestinationHostName)\\n | extend DestinationHostName = tolower(DestinationHostName)\\n | project-rename Name=DestinationHostName, DataSource=DeviceVendor\\n | summarize StartTime=min(TimeGenerated), EndTime=max(TimeGenerated) by Name, SourceIP, DestinationIP, DataSource\\n)\\non Name\\n| project StartTime, EndTime, Name, DGADomain, SourceIP, DestinationIP, DataSource\\n| extend timestamp=StartTime, IPCustomEntity=SourceIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"Name\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Possible contact with a domain generated by a DGA\",\"description\":\"Identifies contacts with domains names in CommonSecurityLog that might have been generated by a Domain Generation Algorithm (DGA). DGAs can be used\\nby malware to generate rendezvous points that are difficult to predict in advance. This detection uses the Alexa Top 1 million domain names to build a model\\nof what normal domains look like. It uses this to identify domains that may have been randomly generated by an algorithm.\\nThe triThreshold is set to 500 - increase this to report on domains that are less likely to have been randomly generated, decrease it for more likely.\\nThe start time and end time look back over 6 hours of data and the dgaLengthThreshold is set to 8 - meaning domains whose length is 8 or more are reported.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-03-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Barracuda\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/aac495a9-feb1-446d-b08e-a1164a539452\",\"name\":\"aac495a9-feb1-446d-b08e-a1164a539452\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"ThreatIntelligenceIndicator\\n| where Action == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n GitHubAudit\\n | extend GitHubAudit_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.IPaddress\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, GitHubAudit_TimeGenerated, TI_ipEntity, IPaddress, Actor, Action, Country, OperationType, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = GitHubAudit_TimeGenerated, IPCustomEntity = IPaddress, AccountCustomEntity = Actor\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to GitHub_CL\",\"description\":\"Identifies a match in GitHub_CL table from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2cfc3c6e-f424-4b88-9cc9-c89f482d016a\",\"name\":\"2cfc3c6e-f424-4b88-9cc9-c89f482d016a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"High\",\"query\":\"AuditLogs\\n| where OperationName has_any (\\\"Add service principal\\\", \\\"Certificates and secrets management\\\") // captures \\\"Add service principal\\\", \\\"Add service principal credentials\\\", and \\\"Update application - Certificates and secrets management\\\" events\\n| where Result =~ \\\"success\\\"\\n| where tostring(InitiatedBy.user.userPrincipalName) has \\\"@\\\" or tostring(InitiatedBy.app.displayName) has \\\"@\\\"\\n| extend targetDisplayName = tostring(TargetResources[0].displayName)\\n| extend targetId = tostring(TargetResources[0].id)\\n| extend targetType = tostring(TargetResources[0].type)\\n| extend keyEvents = TargetResources[0].modifiedProperties\\n| mv-expand keyEvents\\n| where keyEvents.displayName =~ \\\"KeyDescription\\\"\\n| extend new_value_set = parse_json(tostring(keyEvents.newValue))\\n| extend old_value_set = parse_json(tostring(keyEvents.oldValue))\\n| where old_value_set == \\\"[]\\\"\\n| mv-expand new_value_set\\n| parse new_value_set with * \\\"KeyIdentifier=\\\" keyIdentifier:string \\\",KeyType=\\\" keyType:string \\\",KeyUsage=\\\" keyUsage:string \\\",DisplayName=\\\" keyDisplayName:string \\\"]\\\" *\\n| where keyUsage == \\\"Verify\\\" or keyUsage == \\\"\\\"\\n| extend UserAgent = iff(AdditionalDetails[0].key == \\\"User-Agent\\\",tostring(AdditionalDetails[0].value),\\\"\\\")\\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n// The below line is currently commented out but Microsoft Sentinel users can modify this query to show only Application or only Service Principal events in their environment\\n//| where targetType =~ \\\"Application\\\" // or targetType =~ \\\"ServicePrincipal\\\"\\n| project-away new_value_set, old_value_set\\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, InitiatingIpAddress, UserAgent, targetDisplayName, targetId, targetType, keyDisplayName, keyType, keyUsage, keyIdentifier, CorrelationId, TenantId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingUserOrApp, IPCustomEntity = InitiatingIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"First access credential added to Application or Service Principal where no credential was present\",\"description\":\"This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where there was no previous verify KeyCredential associated.\\nIf a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2022-02-11T00:00:00Z\",\"createdDateUTC\":\"2020-11-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0dd422ee-e6af-4204-b219-f59ac172e4c6\",\"name\":\"0dd422ee-e6af-4204-b219-f59ac172e4c6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"ThreatIntelligence\",\"properties\":{\"severity\":\"Medium\",\"tactics\":[\"Persistence\",\"LateralMovement\"],\"displayName\":\"(Preview) Microsoft Threat Intelligence Analytics\",\"description\":\"This rule generates an alert when a Microsoft Threat Intelligence Indicator gets matched with your event logs. The alerts are very high fidelity.\\n\\nNote : It is advised to turn off any custom alert rules which match the threat intelligence indicators with the same event logs matched by this analytics to prevent duplicate alerts.\",\"lastUpdatedDateUTC\":\"2021-07-28T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/074ce265-f684-41cd-af07-613c5f3e6d0d\",\"name\":\"074ce265-f684-41cd-af07-613c5f3e6d0d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.4.1\",\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"irf.services\\\",\\\"microsoft-onthehub.com\\\",\\\"msofficelab.com\\\",\\\"com-mailbox.com\\\",\\\"my-sharefile.com\\\",\\\"my-sharepoints.com\\\",\\n\\\"accounts-web-mail.com\\\",\\\"customer-certificate.com\\\",\\\"session-users-activities.com\\\",\\\"user-profile-credentials.com\\\",\\\"verify-linke.com\\\",\\\"support-servics.net\\\",\\n\\\"onedrive-sharedfile.com\\\",\\\"onedrv-live.com\\\",\\\"transparencyinternational-my-sharepoint.com\\\",\\\"transparencyinternational-my-sharepoints.com\\\",\\\"soros-my-sharepoint.com\\\"]);\\n(union isfuzzy=true\\n (CommonSecurityLog \\n | parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n | extend Account = SourceUserID, Host = DeviceName, IPAddress = SourceIP\\n ),\\n (_Im_Dns(domain_has_any=DomainNames)\\n | extend IPAddress = SrcIpAddr, DNSName = DnsQuery, Host = Dvc),\\n (VMConnection \\n | parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n | extend IPAddress = RemoteIp, Host = Computer\\n ),\\n (AzureDiagnostics \\n | where ResourceType == \\\"AZUREFIREWALLS\\\"\\n | where Category == \\\"AzureFirewallApplicationRule\\\"\\n | parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n | extend DNSName = DestinationHost \\n | extend IPAddress = SourceHost\\n ),\\n (\\n _Im_WebSession(url_has_any=DomainNames)\\n | extend IPCustomEntity=IpAddr, HostCustomEntity=Hostname, AccoutCustomEntity=User\\n )\\n)\\n| where isnotempty(DNSName)\\n| where DNSName has_any (DomainNames)\\n| extend timestamp = TimeGenerated, IPCustomEntity = IPAddress, AccountCustomEntity = Account, HostCustomEntity = Host\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Known STRONTIUM group domains - July 2019\",\"description\":\"Matches domain name IOCs related to Strontium group activity published July 2019 with CommonSecurityLog, DnsEvents and VMConnection dataTypes.\\nReferences: https://blogs.microsoft.com/on-the-issues/2019/07/17/new-cyberthreats-require-new-ways-to-protect-democracy/.\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2019-07-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a50766a7-0674-4ccb-8845-15dc55a80ba1\",\"name\":\"a50766a7-0674-4ccb-8845-15dc55a80ba1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n WireData | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(RemoteIP)\\n // renaming time column so it is clear the log this came from\\n | extend WireData_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.RemoteIP\\n| where WireData_TimeGenerated \u003c ExpirationDateTime\\n| summarize WireData_TimeGenerated = arg_max(WireData_TimeGenerated, *) by IndicatorId, RemoteIP\\n| project WireData_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, Computer, LocalIP, RemoteIP, ProcessName, ApplicationProtocol, LocalPortNumber, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = WireData_TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to WireData\",\"description\":\"Identifies a match in WireData from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureMonitor(WireData)\",\"dataTypes\":[\"WireData\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6d7214d9-4a28-44df-aafb-0910b9e6ae3e\",\"name\":\"6d7214d9-4a28-44df-aafb-0910b9e6ae3e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Low\",\"query\":\"let match_window = 3m;\\nAzureActivity\\n| where ResourceGroup has \\\"cloud-shell\\\"\\n| where (OperationNameValue =~ \\\"Microsoft.Storage/storageAccounts/listKeys/action\\\") \\n| where ActivityStatusValue == \\\"Success\\\"\\n| extend TimeKey = bin(TimeGenerated, match_window), AzureIP = CallerIpAddress\\n| join kind = inner\\n(AzureActivity\\n| where ResourceGroup has \\\"cloud-shell\\\"\\n| where (OperationNameValue =~ \\\"Microsoft.Storage/storageAccounts/write\\\") \\n| extend TimeKey = bin(TimeGenerated, match_window), UserIP = CallerIpAddress\\n) on Caller, TimeKey\\n| summarize count() by TimeKey, Caller, ResourceGroup, SubscriptionId, TenantId, AzureIP, UserIP, HTTPRequest, Type, Properties, CategoryValue, OperationList = strcat(OperationNameValue, \u0027 , \u0027, OperationNameValue1)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Caller\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"UserIP\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"New CloudShell User\",\"description\":\"Identifies when a user creates an Azure CloudShell for the first time.\\nMonitor this activity to ensure only expected user are using CloudShell\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5170c3c4-b8c9-485c-910d-a21d965ee181\",\"name\":\"5170c3c4-b8c9-485c-910d-a21d965ee181\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT30M\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let queryfrequency = 30m;\\nlet accountthreshold = 10;\\nlet successCodes = dynamic([0, 50144]);\\nADFSSignInLogs\\n| extend IngestionTime = ingestion_time()\\n| where IngestionTime \u003e ago(queryfrequency)\\n| where not(todynamic(AuthenticationDetails)[0].authenticationMethod == \\\"Integrated Windows Authentication\\\")\\n| summarize\\n DistinctFailureCount = dcountif(UserPrincipalName, ResultType !in (successCodes)),\\n DistinctSuccessCount = dcountif(UserPrincipalName, ResultType in (successCodes)),\\n SuccessAccounts = make_set_if(UserPrincipalName, ResultType in (successCodes), 250),\\n arg_min(TimeGenerated, *)\\n by IPAddress\\n| where DistinctFailureCount \u003e DistinctSuccessCount and DistinctFailureCount \u003e= accountthreshold\\n//| extend SuccessAccounts = iff(array_length(SuccessAccounts) != 0, SuccessAccounts, dynamic([\\\"null\\\"]))\\n//| mv-expand SuccessAccounts\\n| project TimeGenerated, Category, OperationName, IPAddress, DistinctFailureCount, DistinctSuccessCount, SuccessAccounts, AuthenticationRequirement, ConditionalAccessStatus, IsInteractive, UserAgent, NetworkLocationDetails, DeviceDetail, TokenIssuerType, TokenIssuerName, ResourceIdentity\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Password spray attack against ADFSSignInLogs\",\"description\":\"Identifies evidence of password spray activity against Connect Health for AD FS sign-in events by looking for failures from multiple accounts from the same IP address within a time window.\\nReference: https://adfshelp.microsoft.com/References/ConnectHealthErrorCodeReference\",\"lastUpdatedDateUTC\":\"2022-05-04T00:00:00Z\",\"createdDateUTC\":\"2022-03-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"ADFSSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6d63efa6-7c25-4bd4-a486-aa6bf50fde8a\",\"name\":\"6d63efa6-7c25-4bd4-a486-aa6bf50fde8a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"// Add non-approved user principal names to the list below to search for their account creation/deletion activity\\n// ex: dynamic([\\\"UPN1\\\", \\\"upn123\\\"])\\nlet nonapproved_users = dynamic([]);\\nAuditLogs\\n| where OperationName == \\\"Add user\\\" or OperationName == \\\"Delete user\\\"\\n| where Result == \\\"success\\\"\\n| extend InitiatingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n| where InitiatingUser has_any (nonapproved_users)\\n| project-reorder TimeGenerated, ResourceId, OperationName, InitiatingUser, TargetResources\\n| extend AccountCustomEntity = InitiatingUser, IPCustomEntity = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Account created or deleted by non-approved user\",\"description\":\"Identifies accounts that were created or deleted by a defined list of non-approved user principal names. Add to this list before running the query for accurate results.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2021-10-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/11b4c19d-2a79-4da3-af38-b067e1273dee\",\"name\":\"11b4c19d-2a79-4da3-af38-b067e1273dee\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"High\",\"query\":\"(union isfuzzy=true\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID in (17,18)\\n| where EventData has \u0027583da945-62af-10e8-4902-a8f205c72b2e\u0027\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, MG, ManagementGroupName, _ResourceId)\\n| extend PipeName = column_ifexists(\\\"PipeName\\\", \\\"\\\")\\n| extend Account = UserName\\n),\\n(\\nSecurityEvent\\n| where EventID == \u00275145\u0027\\n// %%4418 looks for presence of CreatePipeInstance value \\n| where AccessList has \u0027%%4418\u0027 \\n| where RelativeTargetName has \u0027583da945-62af-10e8-4902-a8f205c72b2e\u0027\\n),\\n(\\nWindowsEvent\\n| where EventID == \u00275145\u0027 and EventData has \u0027%%4418\u0027 and EventData has \u0027583da945-62af-10e8-4902-a8f205c72b2e\u0027 \\n// %%4418 looks for presence of CreatePipeInstance value \\n| extend AccessList= tostring(EventData.AccessList)\\n| where AccessList has \u0027%%4418\u0027 \\n| extend RelativeTargetName= tostring(EventData.RelativeTargetName)\\n| where RelativeTargetName has \u0027583da945-62af-10e8-4902-a8f205c72b2e\u0027\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\",\"PrivilegeEscalation\"],\"displayName\":\"Solorigate Named Pipe\",\"description\":\"Identifies a match across various data feeds for named pipe IOCs related to the Solorigate incident.\\n For the sysmon events required for this detection, logging for Named Pipe Events needs to be configured in Sysmon config (Event ID 17 and Event ID 18)\\n Reference: https://techcommunity.microsoft.com/t5/azure-sentinel/solarwinds-post-compromise-hunting-with-azure-sentinel/ba-p/1995095\",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2020-12-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/532f62c1-fba6-4baa-bbb6-4a32a4ef32fa\",\"name\":\"532f62c1-fba6-4baa-bbb6-4a32a4ef32fa\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation\\nlet list_tlds = ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e ago(ioc_lookBack)\\n| where isnotempty(DomainName)\\n| extend parts = split(DomainName, \u0027.\u0027)\\n| extend tld = parts[(array_length(parts)-1)]\\n| summarize count() by tostring(tld)\\n| summarize make_list(tld);\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(DomainName)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n Syslog\\n | where TimeGenerated \u003e ago(dt_lookBack)\\n //Extract domain patterns from syslog message\\n | extend domain = extract(\\\"(([a-z0-9]+(-[a-z0-9]+)*\\\\\\\\.)+[a-z]{2,})\\\",1, tolower(SyslogMessage))\\n | where isnotempty(domain)\\n | extend parts = split(domain, \u0027.\u0027)\\n //Split out the TLD\\n | extend tld = parts[(array_length(parts)-1)]\\n //Validate parsed domain by checking if the TLD is in the list of TLDs in our threat feed\\n | where tld in~ (list_tlds)\\n | extend Syslog_TimeGenerated = TimeGenerated\\n) on $left.DomainName==$right.domain\\n| where Syslog_TimeGenerated \u003c ExpirationDateTime\\n| summarize Syslog_TimeGenerated = arg_max(Syslog_TimeGenerated , *) by IndicatorId, domain\\n| project Syslog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, SyslogMessage, Computer, ProcessName, domain, HostIP, Url\\n| extend timestamp = Syslog_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map Domain entity to Syslog\",\"description\":\"Identifies a match in Syslog table from any Domain IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/19e01883-15d8-4eb6-a7a5-3276cd668388\",\"name\":\"19e01883-15d8-4eb6-a7a5-3276cd668388\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let timeBin = 1m;\\nlet failedThreshold = 20;\\nW3CIISLog\\n| where scStatus in (\\\"401\\\",\\\"403\\\")\\n| where csUserName != \\\"-\\\"\\n| extend scStatusFull = strcat(scStatus, \\\".\\\",scSubStatus) \\n// Map common IIS codes\\n| extend scStatusFull_Friendly = case(\\nscStatusFull == \\\"401.0\\\", \\\"Access denied.\\\",\\nscStatusFull == \\\"401.1\\\", \\\"Logon failed.\\\",\\nscStatusFull == \\\"401.2\\\", \\\"Logon failed due to server configuration.\\\",\\nscStatusFull == \\\"401.3\\\", \\\"Unauthorized due to ACL on resource.\\\",\\nscStatusFull == \\\"401.4\\\", \\\"Authorization failed by filter.\\\",\\nscStatusFull == \\\"401.5\\\", \\\"Authorization failed by ISAPI/CGI application.\\\",\\nscStatusFull == \\\"403.0\\\", \\\"Forbidden.\\\",\\nscStatusFull == \\\"403.4\\\", \\\"SSL required.\\\",\\n\\\"See - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\\")\\n// Mapping to Hex so can be mapped using website in comments above\\n| extend scWin32Status_Hex = tohex(tolong(scWin32Status)) \\n// Map common win32 codes\\n| extend scWin32Status_Friendly = case(\\nscWin32Status_Hex =~ \\\"775\\\", \\\"The referenced account is currently locked out and cannot be logged on to.\\\",\\nscWin32Status_Hex =~ \\\"52e\\\", \\\"Logon failure: Unknown user name or bad password.\\\",\\nscWin32Status_Hex =~ \\\"532\\\", \\\"Logon failure: The specified account password has expired.\\\",\\nscWin32Status_Hex =~ \\\"533\\\", \\\"Logon failure: Account currently disabled.\\\", \\nscWin32Status_Hex =~ \\\"2ee2\\\", \\\"The request has timed out.\\\", \\nscWin32Status_Hex =~ \\\"0\\\", \\\"The operation completed successfully.\\\", \\nscWin32Status_Hex =~ \\\"1\\\", \\\"Incorrect function.\\\", \\nscWin32Status_Hex =~ \\\"2\\\", \\\"The system cannot find the file specified.\\\", \\nscWin32Status_Hex =~ \\\"3\\\", \\\"The system cannot find the path specified.\\\", \\nscWin32Status_Hex =~ \\\"4\\\", \\\"The system cannot open the file.\\\", \\nscWin32Status_Hex =~ \\\"5\\\", \\\"Access is denied.\\\", \\nscWin32Status_Hex =~ \\\"8009030e\\\", \\\"SEC_E_NO_CREDENTIALS\\\", \\nscWin32Status_Hex =~ \\\"8009030C\\\", \\\"SEC_E_LOGON_DENIED\\\", \\n\\\"See - https://msdn.microsoft.com/library/cc231199.aspx\\\")\\n// decode URI when available\\n| extend decodedUriQuery = url_decode(csUriQuery)\\n// Count of failed attempts from same client IP\\n| summarize makeset(decodedUriQuery), makeset(csUserName), makeset(sSiteName), makeset(sPort), makeset(csUserAgent), makeset(csMethod), makeset(csUriQuery), makeset(scStatusFull), makeset(scStatusFull_Friendly), makeset(scWin32Status_Hex), makeset(scWin32Status_Friendly), FailedConnectionsCount = count() by bin(TimeGenerated, timeBin), cIP, Computer, sIP\\n| where FailedConnectionsCount \u003e= failedThreshold\\n| project TimeGenerated, cIP, set_csUserName, set_decodedUriQuery, Computer, set_sSiteName, sIP, set_sPort, set_csUserAgent, set_csMethod, set_scStatusFull, set_scStatusFull_Friendly, set_scWin32Status_Hex, set_scWin32Status_Friendly, FailedConnectionsCount\\n| order by FailedConnectionsCount\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = cIP\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"High count of failed attempts from same client IP\",\"description\":\"Identifies when 20 or more failed attempts from a given client IP in 1 minute occur on the IIS server.\\nThis could be indicative of an attempted brute force. This could also simply indicate a misconfigured service or device.\\nRecommendations: Validate that these are expected connections from the given Client IP. If the client IP is not recognized, \\npotentially block these connections at the edge device.\\nIf these are expected connections, verify the credentials are properly configured on the system, service, application or device \\nthat is associated with the client IP.\\nReferences:\\nIIS status code mapping: https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\nWin32 Status code mapping: https://msdn.microsoft.com/library/cc231199.aspx\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-03-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/dd78a122-d377-415a-afe9-f22e08d2112c\",\"name\":\"dd78a122-d377-415a-afe9-f22e08d2112c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"// Add other permissions to this list as needed\\n let permissions = dynamic([\\\"Mail.Read\\\", \\\"offline_access\\\", \\\"Files.Read\\\", \\\"Notes.Read\\\", \\\"ChannelMessage.Read\\\", \\\"Chat.Read\\\", \\\"TeamsActivity.Read\\\",\\n \\\"Group.Read\\\", \\\"EWS.AccessAsUser.All\\\", \\\"EAS.AccessAsUser.All\\\"]);\\n AuditLogs\\n | where OperationName =~ \\\"Add app role assignment to service principal\\\"\\n | mv-expand TargetResources[0].modifiedProperties\\n | extend TargetResources_0_modifiedProperties = columnifexists(\\\"TargetResources_0_modifiedProperties\\\", \u0027\u0027)\\n | where isnotempty(TargetResources_0_modifiedProperties)\\n | where TargetResources_0_modifiedProperties.displayName =~ \\\"AppRole.Value\\\" or TargetResources_0_modifiedProperties.displayName =~ \\\"DelegatedPermissionGrant.Scope\\\"\\n | extend Permissions = split((parse_json(tostring(TargetResources_0_modifiedProperties.newValue))), \\\" \\\")\\n | where Permissions has_any (permissions)\\n | summarize AddedPermissions=make_set(Permissions) by CorrelationId\\n | join kind=inner (AuditLogs\\n | where OperationName =~ \\\"Add app role assignment to service principal\\\") on CorrelationId\\n | extend InitiatedBy = tostring(iff(isnotempty(InitiatedBy.user.userPrincipalName),InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName))\\n | extend ServicePrincipal = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[4].newValue)))\\n | extend SPID = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[6].newValue)))\\n | extend InitiatedBy = pack(\\\"User\\\", InitiatedBy, \\\"UA\\\", UserAgent, \\\"IPAddress\\\", IpAddress)\\n | mv-expand kind=array AddedPermissions\\n | summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), make_set(InitiatedBy), make_set(AddedPermissions) by SPID, ServicePrincipal\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"ServicePrincipal\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"SPID\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Service Principal Assigned App Role With Sensitive Access\",\"description\":\"Detects a Service Principal being assigned an app role that has sensitive access such as Mail.Read.\\n A threat actor who compromises a Service Principal may assign it an app role to allow it to access sensitive data, or to perform other actions.\\n Ensure that any assignment to a Service Principal is valid and appropriate.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-applications#application-granted-highly-privileged-permissions\",\"lastUpdatedDateUTC\":\"2022-07-09T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d9f28fdf-abc8-4f1a-a7e7-1aaec87a2fc5\",\"name\":\"d9f28fdf-abc8-4f1a-a7e7-1aaec87a2fc5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n | where EventID == 4688\\n | where Process =~ \\\"svchost.exe\\\"\\n | where CommandLine has \\\"-k GPSvcGroup\\\" or CommandLine has \\\"-s gpsvc\\\"\\n | extend timekey = bin(TimeGenerated, 1m)\\n | project timekey, NewProcessId, Computer\\n | join kind=inner (SecurityEvent\\n | where EventID == 4688\\n | where Process =~ \\\"sdelete.exe\\\" or CommandLine has \\\"sdelete\\\"\\n | where ParentProcessName endswith \\\"svchost.exe\\\"\\n | where CommandLine has_all (\\\"-s\\\", \\\"-r\\\")\\n | extend newProcess = Process\\n | extend timekey = bin(TimeGenerated, 1m)\\n ) on $left.NewProcessId == $right.ProcessId, timekey, Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Sdelete deployed via GPO and run recursively\",\"description\":\"This query looks for the Sdelete process being run recursively after being deployed to a host via GPO. Attackers could use this technique to deploy Sdelete to multiple host and delete data on them.\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-03-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5dd76a87-9f87-4576-bab3-268b0e2b338b\",\"name\":\"5dd76a87-9f87-4576-bab3-268b0e2b338b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let threshold = 5;\\nlet szSharePointFileOperation = \\\"SharePointFileOperation\\\";\\nlet szOperations = dynamic([\\\"FileDownloaded\\\", \\\"FileUploaded\\\"]);\\nlet starttime = 14d;\\nlet endtime = 1d;\\nlet historicalActivity =\\nOfficeActivity\\n| where TimeGenerated between(ago(starttime)..ago(endtime))\\n| where RecordType =~ szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| where isnotempty(UserAgent)\\n| summarize historicalCount = count() by UserAgent, RecordType, Operation;\\nlet recentActivity = OfficeActivity\\n| where RecordType =~ szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| where TimeGenerated \u003e ago(endtime)\\n| where isnotempty(UserAgent)\\n| summarize min(Start_Time), max(Start_Time), recentCount = count() by UserAgent, RecordType, Operation;\\nlet RareUserAgent = recentActivity | join kind = leftanti (historicalActivity) on UserAgent\\n| order by recentCount desc, UserAgent\\n// More than 5 downloads/uploads from a new user agent today\\n| where recentCount \u003e threshold;\\nOfficeActivity \\n| where TimeGenerated \u003e ago(endtime) \\n| where RecordType =~ szSharePointFileOperation \\n| where Operation in~ (szOperations)\\n| where isnotempty(UserAgent)\\n| join kind= inner (RareUserAgent)\\non UserAgent, RecordType, Operation \\n| where Start_Time between(min_Start_Time .. max_Start_Time)\\n| summarize StartTimeUtc = min(min_Start_Time), EndTimeUtc = max(max_Start_Time) by RecordType, Operation, UserAgent, UserType, UserId, ClientIP, OfficeWorkload, Site_Url, OfficeObjectId, UserAgentSeenCount = recentCount\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Site_Url\\n| order by UserAgentSeenCount desc, UserAgent asc, Operation asc, UserId asc\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"SharePointFileOperation via devices with previously unseen user agents\",\"description\":\"Identifies if the number of documents uploaded or downloaded from device(s) associated\\nwith a previously unseen user agent exceeds a threshold (default is 5).\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-23T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f80d951a-eddc-4171-b9d0-d616bb83efdc\",\"name\":\"f80d951a-eddc-4171-b9d0-d616bb83efdc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"AuditLogs\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where AADOperationType =~ \\\"Assign\\\"\\n| where ActivityDisplayName =~ \\\"Add app role assignment to service principal\\\"\\n| mv-expand TargetResources\\n| mv-expand TargetResources.modifiedProperties\\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\\n| where displayName_ =~ \\\"AppRole.Value\\\"\\n| extend AppRole = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\\n| where AppRole has \\\"RoleManagement.ReadWrite.Directory\\\"\\n| extend InitiatingApp = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n| extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName))\\n| extend Target = tostring(parse_json(tostring(TargetResources.modifiedProperties[4].newValue)))\\n| extend TargetId = tostring(parse_json(tostring(TargetResources.modifiedProperties[3].newValue)))\\n| project TimeGenerated, OperationName, Initiator, Target, TargetId, Result\\n| join kind=innerunique (\\n AuditLogs\\n | where LoggedByService =~ \\\"Core Directory\\\"\\n | where Category =~ \\\"RoleManagement\\\"\\n | where AADOperationType in (\\\"Assign\\\", \\\"AssignEligibleRole\\\")\\n | where ActivityDisplayName has_any (\\\"Add eligible member to role\\\", \\\"Add member to role\\\")\\n | mv-expand TargetResources\\n | mv-expand TargetResources.modifiedProperties\\n | extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\\n | where displayName_ =~ \\\"Role.DisplayName\\\"\\n | extend RoleName = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\\n | where RoleName contains \\\"Admin\\\"\\n | extend Initiator = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n | extend InitiatorId = tostring(parse_json(tostring(InitiatedBy.app)).servicePrincipalId)\\n | extend TargetUser = tostring(TargetResources.userPrincipalName)\\n | extend Target = iif(isnotempty(TargetUser), TargetUser, tostring(TargetResources.displayName))\\n | extend TargetType = tostring(TargetResources.type)\\n | extend TargetId = tostring(TargetResources.id)\\n | project TimeGenerated, OperationName, RoleName, Initiator, InitiatorId, Target, TargetId, TargetType, Result\\n) on $left.TargetId == $right.InitiatorId\\n| extend TimeRoleMgGrant = TimeGenerated, TimeAdminPromo = TimeGenerated1, ServicePrincipal = Initiator1, ServicePrincipalId = InitiatorId,\\n TargetObject = Target1, TargetObjectId = TargetId1, TargetObjectType = TargetType\\n| where TimeRoleMgGrant \u003c TimeAdminPromo\\n| project TimeRoleMgGrant, TimeAdminPromo, RoleName, ServicePrincipal, ServicePrincipalId, TargetObject, TargetObjectId, TargetObjectType\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ServicePrincipal\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetObject\"}]}],\"tactics\":[\"PrivilegeEscalation\",\"Persistence\"],\"displayName\":\"Admin promotion after Role Management Application Permission Grant\",\"description\":\"This rule looks for a service principal being granted the Microsoft Graph RoleManagement.ReadWrite.Directory (application) permission before being used to add an Azure AD object or user account to an Admin directory role (i.e. Global Administrators).\\nThis is a known attack path that is usually abused when a service principal already has the AppRoleAssignment.ReadWrite.All permission granted. This permission Allows an app to manage permission grants for application permissions to any API.\\nA service principal can promote itself or other service principals to admin roles (i.e. Global Administrators). This would be considered a privilege escalation technique.\\nRef : https://docs.microsoft.com/graph/permissions-reference#role-management-permissions, https://docs.microsoft.com/graph/api/directoryrole-post-members?view=graph-rest-1.0\u0026tabs=http\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2021-11-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/79f29feb-6a9d-4cdf-baaa-2daf480a5da1\",\"name\":\"79f29feb-6a9d-4cdf-baaa-2daf480a5da1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let timeframe = 1h;\\nlet last1h = CommonSecurityLog \\n| where TimeGenerated \u003e= ago(timeframe)\\n| where isempty(CommunicationDirection) \\n| where DeviceEventClassID == \\\"733100\\\"\\n| extend SourceOfDropRateCount = tostring(split(tostring(split(Message, \\\"]\\\")[0]),\\\"[ \\\")[1])\\n| extend splitMessage = split(Message, \\\".\\\")\\n| extend DropRate = tostring(split(tostring(splitMessage[0]),\\\"] \\\")[1])\\n| extend CurrentBurstRate = split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[0]),\\\"is \\\")\\n| extend CurrentBurstRatePerSec = toint(split(tostring(CurrentBurstRate[1]),\\\" \\\")[0])\\n| extend MaxConfiguredBurstRate = toint(CurrentBurstRate[2])\\n| extend CurrentAvgRate = split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[1]),\\\"is \\\")\\n| extend CurrentAvgRatePerSec = toint(split(tostring(CurrentAvgRate[1]),\\\" \\\")[0])\\n| extend MaxConfiguredAvgRate = toint(CurrentAvgRate[2])\\n| extend CumulativeTotal = toint(split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[2]),\\\"is \\\")[1])\\n| summarize last1hCumTotal = sum(CumulativeTotal), last1hAvgRatePerSec = avg(CurrentAvgRatePerSec), last1hAvgBurstRatePerSec = avg(CurrentBurstRatePerSec) by DeviceName, DeviceEventClassID, SourceIP, SourceOfDropRateCount, DropRate;\\nlet prev6h = CommonSecurityLog \\n| where TimeGenerated between (ago(6h) .. ago(1h))\\n| where isempty(CommunicationDirection) \\n| where DeviceEventClassID == \\\"733100\\\"\\n| extend SourceOfDropRateCount = tostring(split(tostring(split(Message, \\\"]\\\")[0]),\\\"[ \\\")[1])\\n| extend splitMessage = split(Message, \\\".\\\")\\n| extend DropRate = tostring(split(tostring(splitMessage[0]),\\\"] \\\")[1])\\n| extend CurrentBurstRate = split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[0]),\\\"is \\\")\\n| extend prevCurrentBurstRatePerSec = toint(split(tostring(CurrentBurstRate[1]),\\\" \\\")[0])\\n| extend prevMaxConfiguredBurstRate = toint(CurrentBurstRate[2])\\n| extend CurrentAvgRate = split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[1]),\\\"is \\\")\\n| extend prevCurrentAvgRatePerSec = toint(split(tostring(CurrentAvgRate[1]),\\\" \\\")[0])\\n| extend prevMaxConfiguredAvgRate = toint(CurrentAvgRate[2])\\n| extend prevCumulativeTotal = toint(split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[2]),\\\"is \\\")[1])\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), prev6hCumTotal = sum(prevCumulativeTotal), prev6hAvgRatePerSec = avg(prevCurrentAvgRatePerSec), prev6hAvgBurstRatePerSec = avg(prevCurrentBurstRatePerSec) \\nby DeviceName, DeviceEventClassID, SourceIP, SourceOfDropRateCount, DropRate;\\nlast1h | join (\\n prev6h \\n) on DeviceName, DeviceEventClassID, SourceIP, SourceOfDropRateCount, DropRate\\n| project StartTimeUtc, EndTimeUtc, DeviceName, DeviceEventClassID, SourceIP, SourceOfDropRateCount, DropRate, last1hCumTotal, prev6hCumTotal, prev6hAvgCumTotal = prev6hCumTotal/6, last1hAvgRatePerSec, prev6hAvgRatePerSec, last1hAvgBurstRatePerSec, prev6hAvgBurstRatePerSec\\n// Select only events that indicate a doubling of the expected rate in the last hour over the previous 6 hours\\n| where last1hCumTotal \u003e 2*prev6hAvgCumTotal or last1hAvgRatePerSec \u003e 2*prev6hAvgRatePerSec or last1hAvgBurstRatePerSec \u003e 2*prev6hAvgBurstRatePerSec\\n| extend timestamp = StartTimeUtc, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Discovery\",\"Impact\"],\"displayName\":\"Cisco ASA - average attack detection rate increase\",\"description\":\"This will help you determine if Cisco ASA devices are under heavier attack than normal over the last hour versus the previous 6 hours based on DeviceEventClassID 733100\\nReferences: https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs9.html\\nDetails on how to further troubleshoot/investigate: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113685-asa-threat-detection.html\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/826bb2f8-7894-4785-9a6b-a8a855d8366f\",\"name\":\"826bb2f8-7894-4785-9a6b-a8a855d8366f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let EventNameList = dynamic([\\\"AttachUserPolicy\\\",\\\"AttachRolePolicy\\\",\\\"AttachGroupPolicy\\\"]);\\nlet createPolicy = \\\"CreatePolicy\\\";\\nlet timeframe = 1d;\\nlet lookback = 14d;\\n// Creating Master table with all the events to use with materialize for better performance\\nlet EventInfo = AWSCloudTrail\\n| where TimeGenerated \u003e= ago(lookback)\\n| where EventName in (EventNameList) or EventName == createPolicy;\\n//Checking for Policy creation event with Full Admin Privileges since lookback period.\\nlet FullAdminPolicyEvents = materialize( EventInfo\\n| where TimeGenerated \u003e= ago(lookback)\\n| where EventName == createPolicy\\n| extend PolicyName = tostring(parse_json(RequestParameters).policyName)\\n| extend Statement = parse_json(tostring((parse_json(RequestParameters).policyDocument))).Statement\\n| mvexpand Statement\\n| extend Action = parse_json(Statement).Action , Effect = tostring(parse_json(Statement).Effect), Resource = tostring(parse_json(Statement).Resource)\\n| mvexpand Action\\n| extend Action = tostring(Action)\\n| where Effect =~ \\\"Allow\\\" and Action == \\\"*\\\" and Resource == \\\"*\\\"\\n| distinct TimeGenerated, EventName, PolicyName, SourceIpAddress, UserIdentityArn, UserIdentityUserName\\n| extend UserIdentityUserName = iff(isnotempty(UserIdentityUserName), UserIdentityUserName, tostring(split(UserIdentityArn,\u0027/\u0027)[-1]))\\n| project-rename StartTime = TimeGenerated );\\nlet PolicyAttach = materialize( EventInfo\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where EventName in (EventNameList)\\n| extend PolicyName = tostring(split(tostring(parse_json(RequestParameters).policyArn),\\\"/\\\")[1])\\n| summarize AttachEventCount=count(), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventSource, EventName, UserIdentityType , UserIdentityArn, SourceIpAddress, UserIdentityUserName = iff(isnotempty(UserIdentityUserName), UserIdentityUserName, tostring(split(UserIdentityArn,\u0027/\u0027)[-1])), PolicyName\\n| extend AttachEvent = pack(\\\"StartTime\\\", StartTime, \\\"EndTime\\\", EndTime, \\\"EventName\\\", EventName, \\\"UserIdentityType\\\", UserIdentityType, \\\"UserIdentityArn\\\", UserIdentityArn, \\\"SourceIpAddress\\\", SourceIpAddress, \\\"UserIdentityUserName\\\", UserIdentityUserName)\\n| project EventSource, PolicyName, AttachEvent, AttachEventCount\\n);\\n// Joining the list of PolicyNames and checking if it has been attached to any Roles/Users/Groups.\\n// These Roles/Users/Groups will be Privileged and can be used by adversaries as pivot point for privilege escalation via multiple ways.\\nFullAdminPolicyEvents\\n| join kind=leftouter\\n(\\n PolicyAttach\\n)\\non PolicyName\\n| project-away PolicyName1\\n| extend timestamp = StartTime, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Full Admin policy created and then attached to Roles, Users or Groups\",\"description\":\"Identity and Access Management (IAM) securely manages access to AWS services and resources. \\nIdentifies when a policy is created with Full Administrators Access (Allow-Action:*,Resource:*). \\nThis policy can be attached to role,user or group and may be used by an adversary to escalate a normal user privileges to an adminsitrative level.\\nAWS IAM Policy Grammar: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_grammar.html\\nand AWS IAM API at https://docs.aws.amazon.com/IAM/latest/APIReference/API_Operations.html\",\"lastUpdatedDateUTC\":\"2022-01-16T00:00:00Z\",\"createdDateUTC\":\"2020-04-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/34c5aff9-a8c2-4601-9654-c7e46342d03b\",\"name\":\"34c5aff9-a8c2-4601-9654-c7e46342d03b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"let starttime = 14d;\\nlet timeframe = 1d;\\nlet scorethreshold = 3;\\nlet baselinethreshold = 5;\\nlet aadFunc = (tableName:string){\\n IdentityInfo\\n | where TimeGenerated \u003e ago(starttime)\\n | summarize arg_max(TimeGenerated, *) by AccountUPN\\n | mv-expand AssignedRoles\\n | where AssignedRoles matches regex \u0027Admin\u0027\\n | summarize Roles = make_list(AssignedRoles) by AccountUPN = tolower(AccountUPN)\\n | join kind=inner (\\n table(tableName)\\n | where TimeGenerated between (startofday(ago(starttime))..startofday(now()))\\n | where ResultType != 0\\n | extend UserPrincipalName = tolower(UserPrincipalName)\\n ) on $left.AccountUPN == $right.UserPrincipalName\\n | extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, Roles = tostring(Roles)\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nlet allSignins = union isfuzzy=true aadSignin, aadNonInt;\\nlet TimeSeriesAlerts = \\n allSignins\\n | make-series HourlyCount=count() on TimeGenerated from startofday(ago(starttime)) to startofday(now()) step 1h by UserPrincipalName, Roles\\n | extend (anomalies, score, baseline) = series_decompose_anomalies(HourlyCount, scorethreshold, -1, \u0027linefit\u0027)\\n | mv-expand HourlyCount to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to typeof(double), baseline to typeof(long)\\n // Filtering low count events per baselinethreshold\\n | where anomalies \u003e 0 and baseline \u003e baselinethreshold\\n | extend AnomalyHour = TimeGenerated\\n | project UserPrincipalName, Roles, AnomalyHour, TimeGenerated, HourlyCount, baseline, anomalies, score;\\n// Filter the alerts for specified timeframe\\nTimeSeriesAlerts\\n| where TimeGenerated \u003e startofday(ago(timeframe))\\n| join kind=inner ( \\n allSignins\\n | where TimeGenerated \u003e startofday(ago(timeframe))\\n // create a new column and round to hour\\n | extend DateHour = bin(TimeGenerated, 1h)\\n | summarize PartialFailedSignins = count(), LatestAnomalyTime = arg_max(TimeGenerated, *) by bin(TimeGenerated, 1h), OperationName, Category, ResultType, ResultDescription, UserPrincipalName, Roles, UserDisplayName, AppDisplayName, ClientAppUsed, IPAddress, ResourceDisplayName\\n) on UserPrincipalName, $left.AnomalyHour == $right.DateHour\\n| project LatestAnomalyTime, OperationName, Category, UserPrincipalName, Roles = todynamic(Roles), UserDisplayName, ResultType, ResultDescription, AppDisplayName, ClientAppUsed, UserAgent, IPAddress, Location, AuthenticationRequirement, ConditionalAccessStatus, ResourceDisplayName, PartialFailedSignins, TotalFailedSignins = HourlyCount, baseline, anomalies, score\\n| extend timestamp = LatestAnomalyTime, IPCustomEntity = IPAddress, AccountCustomEntity = UserPrincipalName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Privileged Accounts - Sign in Failure Spikes\",\"description\":\" Identifies spike in failed sign-ins from Privileged accounts. Privileged accounts list can be based on IdentityInfo UEBA table or built-in watchlist.\\nSpike is determined based on Time series anomaly which will look at historical baseline values.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor\",\"lastUpdatedDateUTC\":\"2022-01-25T00:00:00Z\",\"createdDateUTC\":\"2021-10-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/106813db-679e-4382-a51b-1bfc463befc3\",\"name\":\"106813db-679e-4382-a51b-1bfc463befc3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.0\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(Url)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n CommonSecurityLog\\n | extend IngestionTime = ingestion_time()\\n | where IngestionTime \u003e ago(dt_lookBack)\\n // Select on Palo Alto logs\\n | where DeviceVendor =~ \\\"Palo Alto Networks\\\"\\n | where DeviceEventClassID =~ \u0027url\u0027\\n //Uncomment the line below to only alert on allowed connections\\n //| where DeviceAction !~ \\\"block-url\\\"\\n //Select logs where URL data is populated\\n | extend PA_Url = columnifexists(\\\"RequestURL\\\", \\\"None\\\")\\n | extend PA_Url = iif(isempty(PA_Url), extract(\\\"([^\\\\\\\"]+)\\\", 1, tolower(AdditionalExtensions)), trim(\u0027\\\"\u0027, PA_Url))\\n | extend PA_Url = iif(PA_Url !startswith \\\"http://\\\" and ApplicationProtocol !~ \\\"ssl\\\", strcat(\u0027http://\u0027, PA_Url), iif(PA_Url !startswith \\\"https://\\\" and ApplicationProtocol =~ \\\"ssl\\\", strcat(\u0027https://\u0027, PA_Url), PA_Url))\\n | where isnotempty(PA_Url)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n) on $left.Url == $right.PA_Url\\n| where CommonSecurityLog_TimeGenerated \u003c ExpirationDateTime\\n| summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, PA_Url\\n| project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DeviceAction, SourceIP, PA_Url, DeviceName\\n| extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, URLCustomEntity = PA_Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map URL entity to PaloAlto data\",\"description\":\"Identifies a match in PaloAlto data from any URL IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/884ead54-cb3f-4676-a1eb-b26532d6cbfd\",\"name\":\"884ead54-cb3f-4676-a1eb-b26532d6cbfd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let SensitiveOperationList = dynamic(\\n[\\\"VaultDelete\\\", \\\"KeyDelete\\\", \\\"SecretDelete\\\", \\\"SecretPurge\\\", \\\"KeyPurge\\\", \\\"SecretBackup\\\", \\\"KeyBackup\\\"]);\\nAzureDiagnostics\\n| extend ResultType = columnifexists(\\\"ResultType\\\", \\\"NoResultType\\\")\\n| extend requestUri_s = columnifexists(\\\"requestUri_s\\\", \\\"None\\\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"None\\\")\\n| extend id_s = columnifexists(\\\"id_s\\\", \\\"None\\\"), CallerIPAddress = columnifexists(\\\"CallerIPAddress\\\", \\\"None\\\"), clientInfo_s = columnifexists(\\\"clientInfo_s\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \\\"None\\\" and isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\\n| where id_s !~ \\\"None\\\" and isnotempty(id_s)\\n| where CallerIPAddress !~ \\\"None\\\" and isnotempty(CallerIPAddress)\\n| where clientInfo_s !~ \\\"None\\\" and isnotempty(clientInfo_s)\\n| where requestUri_s !~ \\\"None\\\" and isnotempty(requestUri_s)\\n| where ResourceType =~ \\\"VAULTS\\\" and ResultType =~ \\\"Success\\\"\\n| where OperationName in~ (SensitiveOperationList)\\n| summarize EventCount=count(), StartTimeUtc=min(TimeGenerated), EndTimeUtc=max(TimeGenerated), TimeTriggered=makelist(TimeGenerated),OperationNameList=make_set(OperationName), RequestURLList=make_set(requestUri_s), CallerIPList = make_set(CallerIPAddress), CallerIPMax= arg_max(CallerIPAddress,*) by ResourceType, ResultType, Resource, id_s, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, clientInfo_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"CallerIPMax\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"NRT Sensitive Azure Key Vault operations\",\"description\":\"Identifies when sensitive Azure Key Vault operations are used. This includes: VaultDelete, KeyDelete, SecretDelete, SecretPurge, KeyPurge, SecretBackup, KeyBackup.\\nAny Backup operations should match with expected scheduled backup activity.\",\"lastUpdatedDateUTC\":\"2022-02-07T00:00:00Z\",\"createdDateUTC\":\"2019-07-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureKeyVault\",\"dataTypes\":[\"KeyVaultData\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/95dc4ae3-e0f2-48bd-b996-cdd22b90f9af\",\"name\":\"95dc4ae3-e0f2-48bd-b996-cdd22b90f9af\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"(union isfuzzy=true\\n(\\nAuditLogs\\n| where OperationName =~ \\\"Set federation settings on domain\\\"\\n//| where Result =~ \\\"success\\\" // commenting out, as it may be interesting to capture failed attempts\\n| mv-expand TargetResources\\n| extend modifiedProperties = parse_json(TargetResources).modifiedProperties\\n| mv-expand modifiedProperties\\n| extend targetDisplayName = tostring(parse_json(modifiedProperties).displayName)\\n| mv-expand AdditionalDetails\\n),\\n(\\nAuditLogs\\n| where OperationName =~ \\\"Set domain authentication\\\"\\n//| where Result =~ \\\"success\\\" // commenting out, as it may be interesting to capture failed attempts\\n| mv-expand TargetResources\\n| extend modifiedProperties = parse_json(TargetResources).modifiedProperties\\n| mv-expand modifiedProperties\\n| extend targetDisplayName = tostring(parse_json(modifiedProperties).displayName), NewDomainValue=tostring(parse_json(modifiedProperties).newValue)\\n| where NewDomainValue has \\\"Federated\\\"\\n)\\n)\\n| extend UserAgent = iff(AdditionalDetails.key == \\\"User-Agent\\\",tostring(AdditionalDetails.value),\\\"\\\")\\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, AADOperationType, targetDisplayName, Result, InitiatingIpAddress, UserAgent, CorrelationId, TenantId, AADTenantId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingUserOrApp, IPCustomEntity = InitiatingIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Modified domain federation trust settings\",\"description\":\"This will alert when a user or application modifies the federation settings on the domain or Update domain authentication from Managed to Federated.\\nFor example, this alert will trigger when a new Active Directory Federated Service (ADFS) TrustedRealm object, such as a signing certificate, is added to the domain.\\nModification to domain federation settings should be rare. Confirm the added or modified target domain/URL is legitimate administrator behavior.\\nTo understand why an authorized user may update settings for a federated domain in Office 365, Azure, or Intune, see: https://docs.microsoft.com/office365/troubleshoot/active-directory/update-federated-domain-office-365.\\nFor details on security realms that accept security tokens, see the ADFS Proxy Protocol (MS-ADFSPP) specification: https://docs.microsoft.com/openspecs/windows_protocols/ms-adfspp/e7b9ea73-1980-4318-96a6-da559486664b.\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2022-01-16T00:00:00Z\",\"createdDateUTC\":\"2020-12-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ac891683-53c3-4f86-86b4-c361708e2b2b\",\"name\":\"ac891683-53c3-4f86-86b4-c361708e2b2b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"// Allowlisted UPNs should likely stay empty\\nlet AllowlistedUpns = datatable(UPN:string)[\u0027foo@bar.com\u0027, \u0027test@foo.com\u0027];\\n// Operation Name parts that will alert\\nlet HasAnyBlocklist = datatable(OperationNamePart:string)[\u0027Security.\u0027,\u0027Project.\u0027,\u0027AuditLog.\u0027,\u0027Extension.\u0027];\\n// Distinct Operation Names that will flag\\nlet HasExactBlocklist = datatable(OperationName:string)[\u0027Group.UpdateGroupMembership.Add\u0027,\u0027Library.ServiceConnectionExecuted\u0027,\u0027Pipelines.PipelineModified\u0027,\\n\u0027Release.ReleasePipelineModified\u0027, \u0027Git.RefUpdatePoliciesBypassed\u0027];\\nAzureDevOpsAuditing\\n| where AuthenticationMechanism startswith \\\"PAT\\\" and (OperationName has_any (HasAnyBlocklist) or OperationName in (HasExactBlocklist))\\n and ActorUPN !in (AllowlistedUpns)\\n| project TimeGenerated, AuthenticationMechanism, ProjectName, ActorUPN, ActorDisplayName, IpAddress, UserAgent, OperationName, Details, Data\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Execution\",\"Impact\"],\"displayName\":\"Azure DevOps Personal Access Token (PAT) misuse\",\"description\":\"This Alert detects whenever a PAT is used in ways that PATs are not normally used. May require an allow list and baselining.\\nReference - https://docs.microsoft.com/azure/devops/organizations/accounts/use-personal-access-tokens-to-authenticate?view=azure-devops\u0026tabs=preview-page\\nUse this query for baselining:\\nAzureDevOpsAuditing\\n| distinct OperationName\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2020-06-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/acfdee3f-b794-404a-aeba-ef6a1fa08ad1\",\"name\":\"acfdee3f-b794-404a-aeba-ef6a1fa08ad1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"let lookback = 14d;\\nlet timewindow = 7d;\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(lookback)\\n| where OperationName =~ \\\"Library.AgentPoolCreated\\\"\\n| extend AgentCloudId = tostring(Data.AgentCloudId)\\n| extend PoolType = iif(isnotempty(AgentCloudId), \\\"Azure VMs\\\", \\\"Self Hosted\\\")\\n// Comment this line out to include cloud pools as well\\n| where PoolType == \\\"Self Hosted\\\"\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n| extend AgentPoolId = tostring(Data.AgentPoolId)\\n| extend IsHosted = tostring(Data.IsHosted)\\n| extend IsLegacy = tostring(Data.IsLegacy)\\n| extend timekey = bin(TimeGenerated, timewindow)\\n// Join only with pools deleted in the same window\\n| join (AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(lookback)\\n| where OperationName =~ \\\"Library.AgentPoolDeleted\\\"\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n| extend AgentPoolId = tostring(Data.AgentPoolId)\\n| extend timekey = bin(TimeGenerated, timewindow)) on AgentPoolId, timekey\\n| project-reorder TimeGenerated, ActorUPN, UserAgent, IpAddress, AuthenticationMechanism, OperationName, AgentPoolName, IsHosted, IsLegacy, Data\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure DevOps Agent Pool Created Then Deleted\",\"description\":\"As well as adding build agents to an existing pool to execute malicious activity within a pipeline, an attacker could create a complete new agent pool and use this for execution.\\nAzure DevOps allows for the creation of agent pools with Azure hosted infrastructure or self-hosted infrastructure. Given the additional customizability of self-hosted agents this \\ndetection focuses on the creation of new self-hosted pools. To further reduce false positive rates the detection looks for pools created and deleted relatively quickly (within 7 days by default), \\nas an attacker is likely to remove a malicious pool once used in order to reduce/remove evidence of their activity.\",\"lastUpdatedDateUTC\":\"2022-01-17T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/26a3b261-b997-4374-94ea-6c37f67f4f39\",\"name\":\"26a3b261-b997-4374-94ea-6c37f67f4f39\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.5.1\",\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"asyspy256.ddns.net\\\",\\\"hotkillmail9sddcc.ddns.net\\\",\\\"rosaf112.ddns.net\\\",\\\"cvdfhjh1231.myftp.biz\\\",\\\"sz2016rose.ddns.net\\\",\\\"dffwescwer4325.myftp.biz\\\",\\\"cvdfhjh1231.ddns.net\\\"]);\\nlet SHA1Hash = dynamic ([\\\"53a44c2396d15c3a03723fa5e5db54cafd527635\\\", \\\"9c5e496921e3bc882dc40694f1dcc3746a75db19\\\", \\\"aeb573accfd95758550cf30bf04f389a92922844\\\", \\\"79ef78a797403a4ed1a616c68e07fff868a8650a\\\", \\\"4f6f38b4cec35e895d91c052b1f5a83d665c2196\\\", \\\"1e8c2cac2e4ce7cbd33c3858eb2e24531cb8a84d\\\", \\\"e841a63e47361a572db9a7334af459ddca11347a\\\", \\\"c28f606df28a9bc8df75a4d5e5837fc5522dd34d\\\", \\\"2e94b305d6812a9f96e6781c888e48c7fb157b6b\\\", \\\"dd44133716b8a241957b912fa6a02efde3ce3025\\\", \\\"8793bf166cb89eb55f0593404e4e933ab605e803\\\", \\\"a39b57032dbb2335499a51e13470a7cd5d86b138\\\", \\\"41cc2b15c662bc001c0eb92f6cc222934f0beeea\\\", \\\"d209430d6af54792371174e70e27dd11d3def7a7\\\", \\\"1c6452026c56efd2c94cea7e0f671eb55515edb0\\\", \\\"c6b41d3afdcdcaf9f442bbe772f5da871801fd5a\\\", \\\"4923d460e22fbbf165bbbaba168e5a46b8157d9f\\\", \\\"f201504bd96e81d0d350c3a8332593ee1c9e09de\\\", \\\"ddd2db1127632a2a52943a2fe516a2e7d05d70d2\\\"]);\\nlet SHA256Hash = dynamic ([\\\"9ae7c4a4e1cfe9b505c3a47e66551eb1357affee65bfefb0109d02f4e97c06dd\\\", \\\"7772d624e1aed327abcd24ce2068063da0e31bb1d5d3bf2841fc977e198c6c5b\\\", \\\"657fc7e6447e0065d488a7db2caab13071e44741875044f9024ca843fe4e86b5\\\", \\\"2ef157a97e28574356e1d871abf75deca7d7a1ea662f38b577a06dd039dbae29\\\", \\\"52fd7b90d7144ac448af4008be639d4d45c252e51823f4311011af3207a5fc77\\\", \\\"a370e47cb97b35f1ae6590d14ada7561d22b4a73be0cb6df7e851d85054b1ac3\\\", \\\"5bf80b871278a29f356bd42af1e35428aead20cd90b0c7642247afcaaa95b022\\\", \\\"6f690ccfd54c2b02f0c3cb89c938162c10cbeee693286e809579c540b07ed883\\\", \\\"3c884f776fbd16597c072afd81029e8764dd57ee79d798829ca111f5e170bd8e\\\", \\\"1922a419f57afb351b58330ed456143cc8de8b3ebcbd236d26a219b03b3464d7\\\", \\\"fe0e4ef832b62d49b43433e10c47dc51072959af93963c790892efc20ec422f1\\\", \\\"7ce9e1c5562c8a5c93878629a47fe6071a35d604ed57a8f918f3eadf82c11a9c\\\", \\\"178d5ee8c04401d332af331087a80fb4e5e2937edfba7266f9be34a5029b6945\\\", \\\"51f70956fa8c487784fd21ab795f6ba2199b5c2d346acdeef1de0318a4c729d9\\\", \\\"889bca95f1a69e94aaade1e959ed0d3620531dc0fc563be9a8decf41899b4d79\\\", \\\"332ddaa00e2eb862742cb8d7e24ce52a5d38ffb22f6c8bd51162bd35e84d7ddf\\\", \\\"44bcf82fa536318622798504e8369e9dcdb32686b95fcb44579f0b4efa79df08\\\", \\\"63552772fdd8c947712a2cff00dfe25c7a34133716784b6d486227384f8cf3ef\\\", \\\"056744a3c371b5938d63c396fe094afce8fb153796a65afa5103e1bffd7ca070\\\"]);\\nlet SigNames = dynamic([\\\"TrojanDropper:Win32/BlackMould.A!dha\\\", \\\"Trojan:Win32/BlackMould.B!dha\\\", \\\"Trojan:Win32/QuarkBandit.A!dha\\\", \\\"Trojan:Win32/Sidelod.A!dha\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where isnotempty(FileHash)\\n| where FileHash in (SHA256Hash) or DNSName in~ (DomainNames)\\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n),\\n( _Im_Dns(domain_has_any=DomainNames)\\n| extend DNSName = DnsQuery\\n| extend IPAddress = SrcIpAddr\\n),\\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where isnotempty(DNSName)\\n| where DNSName in~ (DomainNames)\\n| extend IPAddress = RemoteIp\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updataing\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Hashes = EventDetail.[16].[\\\"#text\\\"]\\n| parse Hashes with * \u0027SHA1=\u0027 SHA1 \u0027,\u0027 * \\n| where isnotempty(Hashes)\\n| where Hashes in (SHA1Hash) \\n| extend Account = UserName\\n),\\n(SecurityAlert\\n| where ProductName == \\\"Microsoft Defender Advanced Threat Protection\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| where isnotempty(ThreatName)\\n| where ThreatName has_any (SigNames)\\n| extend Computer = tostring(parse_json(Entities)[0].HostName)\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPAddress = SourceHost\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"CredentialAccess\"],\"displayName\":\"Known GALLIUM domains and hashes\",\"description\":\"GALLIUM command and control domains and hash values for tools and malware used by GALLIUM. \\n Matches domain name IOCs related to the GALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes.\\n References: https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/ \",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2019-12-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/52aec824-96c1-4a03-8e44-bb70532e6cea\",\"name\":\"52aec824-96c1-4a03-8e44-bb70532e6cea\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"SecurityEvent\\n| where EventID == 5136 and EventData contains \\\"\u003cData Name=\\\\\\\"ObjectDN\\\\\\\"\u003eCN=AdminSDHolder,CN=System\\\"\\n| parse EventData with * \u0027ObjectDN\\\"\u003e\u0027 ObjectDN \\\"\u003c\\\" *\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Computer, SubjectAccount, SubjectUserSid, SubjectLogonId, ObjectDN\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SubjectAccount\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"AdminSDHolder Modifications\",\"description\":\"This query detects modification in the AdminSDHolder in the Active Directory which could indicate an attempt for persistence. \\nAdminSDHolder Modification is a persistence technique in which an attacker abuses the SDProp process in Active Directory to establish a persistent backdoor to Active Directory.\\nThis query searches for the event id 5136 where the Object DN is AdminSDHolder.\\nRef: https://attack.stealthbits.com/adminsdholder-modification-ad-persistence\",\"lastUpdatedDateUTC\":\"2022-01-20T00:00:00Z\",\"createdDateUTC\":\"2021-12-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8540c842-5bbc-4a24-9fb2-a836c0e55a51\",\"name\":\"8540c842-5bbc-4a24-9fb2-a836c0e55a51\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"AuditLogs\\n| where OperationName =~ \\\"Set federation settings on domain\\\" or OperationName =~ \\\"Set domain authentication\\\"\\n//| where Result =~ \\\"success\\\" // commenting out, as it may be interesting to capture failed attempts\\n| mv-expand TargetResources\\n| extend modifiedProperties = parse_json(TargetResources).modifiedProperties\\n| mv-expand modifiedProperties\\n| extend targetDisplayName = tostring(parse_json(modifiedProperties).displayName), NewDomainValue=tostring(parse_json(modifiedProperties).newValue)\\n| extend Federated = iif(OperationName =~ \\\"Set domain authentication\\\", iif(NewDomainValue has \\\"Federated\\\", True, False), True)\\n| where Federated == True\\n| mv-expand AdditionalDetails\\n| extend UserAgent = iff(AdditionalDetails.key == \\\"User-Agent\\\",tostring(AdditionalDetails.value),\\\"\\\")\\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, AADOperationType, targetDisplayName, Result, InitiatingIpAddress, UserAgent, CorrelationId, TenantId, AADTenantId\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserOrApp\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIpAddress\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"NRT Modified domain federation trust settings\",\"description\":\"This will alert when a user or application modifies the federation settings on the domain or Update domain authentication from Managed to Federated.\\nFor example, this alert will trigger when a new Active Directory Federated Service (ADFS) TrustedRealm object, such as a signing certificate, is added to the domain.\\nModification to domain federation settings should be rare. Confirm the added or modified target domain/URL is legitimate administrator behavior.\\nTo understand why an authorized user may update settings for a federated domain in Office 365, Azure, or Intune, see: https://docs.microsoft.com/office365/troubleshoot/active-directory/update-federated-domain-office-365.\\nFor details on security realms that accept security tokens, see the ADFS Proxy Protocol (MS-ADFSPP) specification: https://docs.microsoft.com/openspecs/windows_protocols/ms-adfspp/e7b9ea73-1980-4318-96a6-da559486664b.\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2022-02-07T00:00:00Z\",\"createdDateUTC\":\"2020-12-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/327cd4ed-ca42-454b-887c-54e1c91363c6\",\"name\":\"327cd4ed-ca42-454b-887c-54e1c91363c6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Microsoft Defender Advanced Threat Protection\",\"displayName\":\"Create incidents based on Microsoft Defender for Endpoint alerts\",\"description\":\"Create incidents based on all alerts generated in Microsoft Defender for Endpoint\",\"lastUpdatedDateUTC\":\"2019-10-24T00:00:00Z\",\"createdDateUTC\":\"2019-10-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftDefenderAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert (MDATP)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0b9ae89d-8cad-461c-808f-0494f70ad5c4\",\"name\":\"0b9ae89d-8cad-461c-808f-0494f70ad5c4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.1.1\",\"severity\":\"Low\",\"query\":\"let PerUserThreshold = 5;\\nlet TotalThreshold = 100;\\nlet action = dynamic([\\\"change\\\", \\\"changed\\\", \\\"reset\\\"]);\\nlet pWord = dynamic([\\\"password\\\", \\\"credentials\\\"]);\\nlet PasswordResetMultiDataSource =\\n(union isfuzzy=true\\n(//Password reset events\\n//4723: An attempt was made to change an account\u0027s password\\n//4724: An attempt was made to reset an accounts password\\nSecurityEvent\\n| where EventID in (\\\"4723\\\",\\\"4724\\\")\\n| project TimeGenerated, Computer, AccountType, Account, Type, TargetUserName),\\n(//Password reset events\\n//4723: An attempt was made to change an account\u0027s password\\n//4724: An attempt was made to reset an accounts password\\nWindowsEvent\\n| where EventID in (\\\"4723\\\",\\\"4724\\\")\\n| extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| extend TargetUserName = tostring(EventData.TargetUserName)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend AccountType=case(Account endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n| project TimeGenerated, Computer, AccountType, Account, Type, TargetUserName),\\n(//Azure Active Directory Password reset events\\nAuditLogs\\n| where OperationName has_any (pWord) and OperationName has_any (action) and Result =~ \\\"success\\\"\\n| extend AccountType = tostring(TargetResources[0].type), Account = tostring(TargetResources[0].userPrincipalName), \\nTargetUserName = tolower(tostring(TargetResources[0].displayName))\\n| project TimeGenerated, AccountType, Account, Computer = \\\"\\\", Type),\\n(//OfficeActive ActiveDirectory Password reset events\\nOfficeActivity\\n| where OfficeWorkload == \\\"AzureActiveDirectory\\\" \\n| where (ExtendedProperties has_any (pWord) or ModifiedProperties has_any (pWord)) and (ExtendedProperties has_any (action) or ModifiedProperties has_any (action))\\n| extend AccountType = UserType, Account = OfficeObjectId \\n| project TimeGenerated, AccountType, Account, Type, Computer = \\\"\\\"),\\n(// Unix syslog password reset events\\nSyslog\\n| where Facility in (\\\"auth\\\",\\\"authpriv\\\")\\n| where SyslogMessage has_any (pWord) and SyslogMessage has_any (action)\\n| extend AccountType = iif(SyslogMessage contains \\\"root\\\", \\\"Root\\\", \\\"Non-Root\\\")\\n| where SyslogMessage matches regex \\\".*password changed for.*\\\"\\n| parse SyslogMessage with * \\\"password changed for\\\" Account\\n| project TimeGenerated, AccountType, Account, Computer = HostName, Type)\\n);\\nlet pwrmd = PasswordResetMultiDataSource\\n| project TimeGenerated, Computer, AccountType, Account, Type, TargetUserName;\\n(union isfuzzy=true \\n(pwrmd\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), Computerlist = make_set(Computer, 25), AccountType = make_set(AccountType, 25), Computer = arg_max(Computer , TimeGenerated), TargetUserList = make_set(TargetUserName, 25), TargetUserName = arg_max(TargetUserName, TimeGenerated), Total=count() by Account, Type\\n| where Total \u003e PerUserThreshold\\n| extend ResetPivot = \\\"PerUserReset\\\"), \\n(pwrmd\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ComputerList = make_set(Computer, 25), AccountList = make_set(Account, 25), AccountType = make_set(AccountType, 25), Computer = arg_max(Computer , TimeGenerated), TargetUserList = make_set(TargetUserName, 25), TargetUserName = arg_max(TargetUserName, TimeGenerated), Total=count() by Type\\n| where Total \u003e TotalThreshold\\n| extend ResetPivot = \\\"TotalUserReset\\\")\\n)\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUserName\"}]}],\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"Multiple Password Reset by user\",\"description\":\"This query will determine multiple password resets by user across multiple data sources. \\nAccount manipulation including password reset may aid adversaries in maintaining access to credentials \\nand certain permission levels within an environment.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2019-09-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d804b39c-03a4-417c-a949-bdbf21fa3305\",\"name\":\"d804b39c-03a4-417c-a949-bdbf21fa3305\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.7.2\",\"severity\":\"Medium\",\"query\":\"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string)\\n[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/MSTICIoCs-ExchangeServerVulnerabilitiesDisclosedMarch2021.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet file_paths = (iocs | where Type =~ \\\"filepath\\\" | project IoC);\\nlet sha256s = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\nlet ips = (iocs | where Type =~ \\\"ip\\\" | project IoC);\\nlet domains = (iocs | where Type =~ \\\"domainname\\\" | project IoC);\\nlet dyndomains = todynamic(toscalar((domains | summarize make_set(IoC))));\\nunion isfuzzy=true\\n(SecurityEvent\\n| where EventID == 4663\\n| where ObjectName in (file_paths)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(WindowsEvent\\n| where EventID == 4663 and EventData has_any (file_paths)\\n| extend ObjectName = tostring(EventData.ObjectName) \\n| where ObjectName in (file_paths)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName), \\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(imFileEvent\\n| where TargetFileName in (file_paths)\\n or\\n TargetFileSHA256 in (sha256s)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUsername, HostCustomEntity = DvcHostname\\n),\\n(DeviceFileEvents\\n| where FolderPath in (file_paths)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountName, HostCustomEntity = DeviceName\\n),\\n(DeviceEvents\\n| where InitiatingProcessSHA256 in (sha256s)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountName, HostCustomEntity = DeviceName\\n),\\n (CommonSecurityLog\\n| where FileHash in (sha256s)\\n| extend timestamp = TimeGenerated\\n),\\n(Event // File iocs\\n//This query uses sysmon data depending on table name used this may need updating\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Hashes = EventDetail.[16].[\\\"#text\\\"]\\n| where isnotempty(Hashes)\\n| parse Hashes with * \u0027SHA256=\u0027 SHA256 \u0027,\u0027 *\\n| where SHA256 in~ (sha256s)\\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = Hashes\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(CommonSecurityLog\\n| where isnotempty(SourceIP) or isnotempty(DestinationIP)\\n| where (SourceIP in (ips) or DestinationIP in (ips) or Message has_any (ips)) or (RequestURL has_any (domains))\\n| extend IPMatch = case(SourceIP in (ips), \\\"SourceIP\\\", DestinationIP in (ips), \\\"DestinationIP\\\", \\\"Message\\\")\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch\\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\")\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = EventDetail.[9].[\\\"#text\\\"], DestinationIP = EventDetail.[14].[\\\"#text\\\"]\\n| where SourceIP in (ips) or DestinationIP in (ips)\\n| extend IPMatch = case( SourceIP in (ips), \\\"SourceIP\\\", DestinationIP in (ips), \\\"DestinationIP\\\", \\\"None\\\")\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n),\\n(WireData\\n| where isnotempty(RemoteIP)\\n| where RemoteIP in (ips)\\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer\\n),\\n(W3CIISLog\\n| where isnotempty(cIP)\\n| where cIP in (ips)\\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName\\n),\\n(\\nWindowsFirewall\\n| where SourceIP in (ips) or DestinationIP in (ips)\\n| extend IPMatch = case( SourceIP in (ips), \\\"SourceIP\\\", DestinationIP in (ips), \\\"DestinationIP\\\", \\\"None\\\")\\n),\\n(\\n _Im_NetworkSession(srcipaddr_has_any_prefix=ips) \\n | extend IPCustomEntity = SrcIpAddr, AccountCustomEntity= User, HostCustomEntity=Hostname\\n),\\n (\\n _Im_NetworkSession(dstipaddr_has_any_prefix=ips) \\n | extend IPCustomEntity = DstIpAddr, AccountCustomEntity= User, HostCustomEntity=Hostname\\n),\\n(_Im_Dns(domain_has_any=dyndomains)\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc\\n)\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Exchange Server Vulnerabilities Disclosed March 2021 IoC Match\",\"description\":\"This detection look for IoCs shared by Microsoft relating to attacks exploiting the Exchange Server vulnerabilities disclosed in March 2021. It looks for SHA256 file hashes, IP addresses and file paths in a number of data sources. This query can also be customized with additional data sources that may include these elements.\\nRef: https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2021-03-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"AzureMonitor(WireData)\",\"dataTypes\":[\"WireData\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog (CheckPoint)\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog (Cisco)\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog (F5)\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog (Fortinet)\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/09ec8fa2-b25f-4696-bfae-05a7b85d7b9e\",\"name\":\"09ec8fa2-b25f-4696-bfae-05a7b85d7b9e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT3H\",\"queryPeriod\":\"PT3H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"High\",\"query\":\"let timeframe = ago(3h);\\nlet threshold = 2;\\nimAuthentication\\n| where TimeGenerated \u003e timeframe\\n| where EventType==\u0027Logon\u0027 and EventResult==\u0027Success\u0027\\n| where isnotempty(SrcGeoCountry)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), Vendors=make_set(EventVendor), Products=make_set(EventProduct)\\n , NumOfCountries = dcount(SrcGeoCountry)\\n by TargetUserId, TargetUsername, TargetUserType\\n| where NumOfCountries \u003e= threshold\\n| extend timestamp = StartTime, AccountCustomEntity = TargetUsername\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"User login from different countries within 3 hours (Uses Authentication Normalization)\",\"description\":\"This query searches for successful user logins from different countries within 3 hours.\\n To use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimAuthentication)\",\"lastUpdatedDateUTC\":\"2022-02-14T00:00:00Z\",\"createdDateUTC\":\"2021-06-14T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/67775878-7f8b-4380-ac54-115e1e828901\",\"name\":\"67775878-7f8b-4380-ac54-115e1e828901\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Medium\",\"query\":\"let HAS_ANY_MAX=10000;\\nlet dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet IP_TI = (ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = coalesce(NetworkIP, NetworkDestinationIP, NetworkSourceIP,EmailSourceIpAddress,\\\"\\\")\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true);\\nlet TI_IP_List=IP_TI | summarize NIPs=dcount(TI_ipEntity), IP_List=make_set( TI_ipEntity) \\n| project IP_List=iff(NIPs \u003e HAS_ANY_MAX, dynamic([]), IP_List);\\n_Im_Dns(starttime=ago(dt_lookBack), response_has_any_prefix=todynamic(toscalar(TI_IP_List)))\\n | extend tilist = toscalar(TI_IP_List)\\n | mv-expand tilist\\n | extend SingleIP=tostring(tilist)\\n | project-away tilist\\n | where has_ipv4(DnsResponseName, SingleIP)\\n | extend DNS_TimeGenerated = TimeGenerated\\n| join IP_TI\\n on $left.SingleIP == $right.TI_ipEntity\\n| where DNS_TimeGenerated \u003e= TimeGenerated and DNS_TimeGenerated \u003c ExpirationDateTime\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, DNS_TimeGenerated,\\nTI_ipEntity, Dvc, EventSubType, SrcIpAddr, DnsQuery, DnsResponseName, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = DNS_TimeGenerated, IPCustomEntity = TI_ipEntity, HostCustomEntity = Dvc, URLCustomEntity = Url\",\"customDetails\":{\"LatestIndicatorTime\":\"LatestIndicatorTime\",\"Description\":\"Description\",\"ActivityGroupNames\":\"ActivityGroupNames\",\"IndicatorId\":\"IndicatorId\",\"ThreatType\":\"ThreatType\",\"ExpirationDateTime\":\"ExpirationDateTime\",\"ConfidenceScore\":\"ConfidenceScore\",\"DNSRequestTime\":\"DNS_TimeGenerated\",\"SourceIPAddress\":\"SrcIpAddr\",\"SubType\":\"EventSubType\",\"DnsQuery\":\"DnsQuery\"},\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"(Preview) TI map IP entity to Dns Events (ASIM DNS Schema)\",\"description\":\"Identifies a match in DNS events from any IP IOC from TI\\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema\",\"lastUpdatedDateUTC\":\"2022-04-27T00:00:00Z\",\"createdDateUTC\":\"2021-09-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ca67c83e-7fff-4127-a3e3-1af66d6d4cad\",\"name\":\"ca67c83e-7fff-4127-a3e3-1af66d6d4cad\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let ProcessCreationEvents=() {\\nlet processEvents=(union isfuzzy=true\\n(SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName,\\nFileName = Process, CommandLine, ParentProcessName\\n),\\n(WindowsEvent\\n| where EventID==4688\\n| where EventData has \\\"TVqQAAMAAAAEAAA\\\"\\n| extend CommandLine = tostring(EventData.CommandLine)\\n| where isnotempty(CommandLine)\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName,\\nFileName = Process, CommandLine, ParentProcessName));\\nprocessEvents};\\nProcessCreationEvents\\n| where CommandLine contains \\\"TVqQAAMAAAAEAAA\\\"\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Execution\",\"DefenseEvasion\"],\"displayName\":\"Base64 encoded Windows process command-lines\",\"description\":\"Identifies instances of a base64 encoded PE file header seen in the process command line parameter.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2018-09-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/90586451-7ba8-4c1e-9904-7d1b7c3cc4d6\",\"name\":\"90586451-7ba8-4c1e-9904-7d1b7c3cc4d6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Azure Security Center\",\"severitiesFilter\":[\"Low\",\"Medium\",\"High\"],\"displayName\":\"Create incidents based on Microsoft Defender for Cloud\",\"description\":\"Create incidents based on all alerts generated in Microsoft Defender for Cloud\",\"lastUpdatedDateUTC\":\"2021-07-25T00:00:00Z\",\"createdDateUTC\":\"2019-07-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert (ASC)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d57c33a9-76b9-40e0-9dfa-ff0404546410\",\"name\":\"d57c33a9-76b9-40e0-9dfa-ff0404546410\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"// Adjust this to use a longer timeframe to identify ADFS servers\\n//let lookback = 0d;\\n// Adjust this to adjust detection timeframe\\n//let timeframe = 1d;\\n// Filter out other servers in the AD FS farm\\nlet ADFSServersList = dynamic([\\\"ADFS02.domain.com\\\",\\\"ADFS03.domain.com\\\"]);\\n// Start by identifying ADFS servers to reduce FP chance\\nlet ADFS_Servers = (\\nEvent\\n//| where TimeGenerated \u003e ago(timeframe+lookback)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 18\\n| where Computer !in (ADFSServersList)\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, MG, ManagementGroupName, _ResourceId)\\n| extend Image = column_ifexists(\\\"Image\\\", \\\"\\\")\\n| extend process = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n| where process =~ \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| summarize by Computer\\n);\\n// Look for ADFS servers receiving connections over port 80\\nEvent\\n//| where TimeGenerated \u003e ago(timeframe)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where Computer in~ (ADFS_Servers)\\n| extend RenderedDescription = tostring(split(RenderedDescription, \\\":\\\")[0])\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, RenderedDescription, MG, ManagementGroupName, _ResourceId)\\n| extend RuleName = column_ifexists(\\\"RuleName\\\", \\\"\\\"), TechniqueId = column_ifexists(\\\"TechniqueId\\\", \\\"\\\"), TechniqueName = column_ifexists(\\\"TechniqueName\\\", \\\"\\\")\\n| parse RuleName with * \u0027technique_id=\u0027 TechniqueId \u0027,\u0027 * \u0027technique_name=\u0027 TechniqueName\\n| where EventID == 3\\n// Look for endpoints connecting to the AD FS server over port 80\\n| extend DestinationPort = column_ifexists(\\\"DestinationPort\\\", \\\"\\\"), Image = column_ifexists(\\\"Image\\\", \\\"\\\"), Initiated = column_ifexists(\\\"Initiated\\\", \\\"\\\"), SourceIp = column_ifexists(\\\"DestinationIp\\\", \\\"\\\"), DestinationIp = column_ifexists(\\\"DestinationIp\\\", \\\"\\\")\\n| where DestinationPort == 80\\n| extend process = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n// Look for the System process receiving connections\\n| where process == \u0027System\u0027 and Initiated == \u0027false\u0027\\n| where DestinationIp !in (\u0027::1\u0027,\u00270:0:0:0:0:0:0:1\u0027)\\n| extend Operation = RenderedDescription\\n| project-reorder TimeGenerated, Operation, Image, Computer, UserName\\n| extend HostCustomEntity = Computer, AccountCustomEntity = UserName, IPCustomEntity = SourceIp\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Collection\"],\"displayName\":\"AD FS Remote HTTP Network Connection\",\"description\":\"This detection uses Sysmon events (NetworkConnect events) to detect incoming network traffic on port 80 on AD FS servers. This could be a sign of a threat actor\\ntrying to use replication services on the AD FS server to get its configuration settings and extract sensitive information such as AD FS certificates.\\nIn order to use this query you need to enable Sysmon telemetry on the AD FS Server.\\nReference: https://twitter.com/OTR_Community/status/1387038995016732672\\n\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c1faf5e8-6958-11ec-90d6-0242ac120003\",\"name\":\"c1faf5e8-6958-11ec-90d6-0242ac120003\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n| where EventID == 4720 and TargetUserName endswith \\\"$\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Computer, SubjectUserName, SubjectUserSid, SubjectLogonId, TargetUserName, TargetSid\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SubjectUserName\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Fake computer account created\",\"description\":\"This query detects domain user accounts creation (event ID 4720) where the username ends with $. \\nAccounts that end with $ are normally domain computer accounts and when they are created the event ID 4741 is generated instead.\\nRef: https://blog.menasec.net/2019/02/threat-hunting-6-hiding-in-plain-sights.html\",\"lastUpdatedDateUTC\":\"2022-01-19T00:00:00Z\",\"createdDateUTC\":\"2021-12-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/04384937-e927-4595-8f3c-89ff58ed231f\",\"name\":\"04384937-e927-4595-8f3c-89ff58ed231f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let IPs = dynamic ([\\\"199.249.230.\\\",\\\"185.220.101.\\\",\\\"23.129.64.\\\",\\\"109.70.100.\\\",\\\"185.220.102.\\\"]);\\nOfficeActivity\\n| where RecordType in (\\\"AzureActiveDirectoryAccountLogon\\\", \\\"AzureActiveDirectoryStsLogon\\\") \\n| where Operation != \u0027UserLoggedIn\u0027\\n| extend UserAgent = iff(parse_json(ExtendedProperties)[0].Name =~ \\\"UserAgent\\\", extractjson(\\\"$[0].Value\\\", ExtendedProperties, typeof(string)),\\\"\\\")\\n| mv-expand parse_json(ExtendedProperties)\\n| where ExtendedProperties.Name =~ \\\"RequestType\\\"\\n| extend RequestType = ExtendedProperties.Value\\n| where ClientIP has_any (IPs)\\n| summarize authAttempts=dcount(TimeGenerated), firstAttempt=min(TimeGenerated), lastAttempt=max(TimeGenerated), uniqueIPs=dcount(ClientIP), uniqueAccounts=dcount(UserId), attemptedAccounts=make_set(UserId) by UserAgent\\n| where authAttempts \u003e 2500\\n| extend timestamp = firstAttempt\\n| sort by uniqueAccounts\",\"entityMappings\":[],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Possible STRONTIUM attempted credential harvesting - Sept 2020\",\"description\":\"Surfaces potential STRONTIUM group Office365 credential harvesting attempts within OfficeActivity Logon events.\\nReferences: https://www.microsoft.com/security/blog/2020/09/10/strontium-detecting-new-patters-credential-harvesting/.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-09-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7d7e20f8-3384-4b71-811c-f5e950e8306c\",\"name\":\"7d7e20f8-3384-4b71-811c-f5e950e8306c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"AuditLogs\\n| where ActivityDisplayName =~\u0027Add member to role completed (PIM activation)\u0027\\n| where Result == \\\"failure\\\"\\n| extend Role = tostring(TargetResources[3].displayName)\\n| extend User = tostring(TargetResources[2].displayName)\\n| project-reorder TimeGenerated, User, Role, OperationName, Result, ResultDescription\\n| extend InitiatingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n| extend AccountCustomEntity = User, IPCustomEntity = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUser\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"PIM Elevation Request Rejected\",\"description\":\"Identifies when a user is rejected for a privileged role elevation via PIM. Monitor rejections for indicators of attacker compromise of the requesting account.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-identity-management\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6852d9da-8015-4b95-8ecf-d9572ee0395d\",\"name\":\"6852d9da-8015-4b95-8ecf-d9572ee0395d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Low\",\"query\":\"let queryfrequency = 1h;\\nlet wait_for_deletion = 10m;\\nlet account_created =\\n AuditLogs \\n | where ActivityDisplayName == \\\"Add service principal\\\"\\n | where Result == \\\"success\\\"\\n | extend AppID = tostring(AdditionalDetails[1].value)\\n | extend creationTime = ActivityDateTime\\n | extend userPrincipalName_creator = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend ipAddress_creator = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress);\\nlet account_activity =\\n AADServicePrincipalSignInLogs\\n | extend Activities = pack(\\\"ActivityTime\\\", TimeGenerated ,\\\"IpAddress\\\", IPAddress, \\\"ResourceDisplayName\\\", ResourceDisplayName)\\n | extend AppID = AppId\\n | summarize make_list(Activities) by AppID;\\nlet account_deleted =\\n AuditLogs \\n | where OperationName == \\\"Remove service principal\\\"\\n | where Result == \\\"success\\\"\\n | extend AppID = tostring(AdditionalDetails[1].value)\\n | extend deletionTime = ActivityDateTime\\n | extend userPrincipalName_deleter = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend ipAddress_deleter = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress);\\nlet account_credentials =\\n AuditLogs\\n | where OperationName has_all (\\\"Update application\\\", \\\"Certificates and secrets management\\\")\\n | where Result == \\\"success\\\"\\n | extend AppID = tostring(AdditionalDetails[1].value)\\n | extend credentialCreationTime = ActivityDateTime;\\nlet roles_assigned =\\n AuditLogs\\n | where ActivityDisplayName == \\\"Add app role assignment to service principal\\\"\\n | extend AppID = tostring(TargetResources[1].displayName)\\n | extend AssignedRole = iff(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].displayName)==\\\"AppRole.Value\\\", tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].newValue))),\\\"\\\")\\n | extend AssignedRoles = pack(\\\"Role\\\", AssignedRole)\\n | summarize make_list(AssignedRoles) by AppID;\\naccount_created\\n| where TimeGenerated between (ago(wait_for_deletion+queryfrequency)..ago(wait_for_deletion))\\n| join kind= inner (account_activity) on AppID\\n| join kind= inner (account_deleted) on AppID\\n| join kind= inner (account_credentials) on AppID\\n| join kind= inner (roles_assigned) on AppID\\n| where deletionTime - creationTime between (time(0s)..wait_for_deletion)\\n| extend AliveTime = deletionTime - creationTime\\n| project AADTenantId, AppID, creationTime, deletionTime, userPrincipalName_creator, userPrincipalName_deleter, ipAddress_creator, ipAddress_deleter, list_Activities, list_AssignedRoles, AliveTime\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"userPrincipalName_creator\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"userPrincipalName_deleter\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ipAddress_creator\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ipAddress_deleter\"}]}],\"tactics\":[\"CredentialAccess\",\"PrivilegeEscalation\",\"InitialAccess\"],\"displayName\":\"Suspicious Service Principal creation activity\",\"description\":\"This alert will detect creation of an SPN, permissions granted, credentials created, activity and deletion of the SPN in a time frame (default 10 minutes)\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2021-11-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\",\"AADServicePrincipalSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ec21493c-2684-4acd-9bc2-696dbad72426\",\"name\":\"ec21493c-2684-4acd-9bc2-696dbad72426\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.0\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation of extracted domains\\nlet list_tlds = ThreatIntelligenceIndicator\\n | where TimeGenerated \u003e ago(ioc_lookBack)\\n | where isnotempty(DomainName)\\n | extend DomainName = tolower(DomainName)\\n | extend parts = split(DomainName, \u0027.\u0027)\\n | extend tld = parts[(array_length(parts)-1)]\\n | summarize count() by tostring(tld)\\n | summarize make_list(tld);\\n ThreatIntelligenceIndicator\\n | where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n | where Active == true\\n // Picking up only IOC\u0027s that contain the entities we want\\n | where isnotempty(DomainName)\\n // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n | join kind=innerunique (\\n CommonSecurityLog\\n | extend IngestionTime = ingestion_time()\\n | where IngestionTime \u003e ago(dt_lookBack)\\n | where DeviceVendor =~ \u0027Palo Alto Networks\u0027\\n | where DeviceEventClassID =~ \u0027url\u0027\\n //Uncomment the line below to only alert on allowed connections\\n //| where DeviceAction !~ \\\"block-url\\\"\\n //Extract domain from RequestURL, if not present extarct it from AdditionalExtentions\\n | extend PA_Url = columnifexists(\\\"RequestURL\\\", \\\"None\\\")\\n | extend PA_Url = iif(isempty(PA_Url) and AdditionalExtensions !startswith \\\"PanOS\\\", extract(\\\"([^\\\\\\\"]+)\\\", 1, tolower(AdditionalExtensions)), trim(\u0027\\\"\u0027, PA_Url))\\n | extend PA_Url = iif(PA_Url !startswith \\\"http://\\\" and ApplicationProtocol !~ \\\"ssl\\\", strcat(\u0027http://\u0027, PA_Url), iif(PA_Url !startswith \\\"https://\\\" and ApplicationProtocol =~ \\\"ssl\\\", strcat(\u0027https://\u0027, PA_Url), PA_Url))\\n | extend Domain = trim(@\\\"\\\"\\\"\\\",tostring(parse_url(PA_Url).Host))\\n | where isnotempty(Domain)\\n | extend Domain = tolower(Domain)\\n | extend parts = split(Domain, \u0027.\u0027)\\n //Split out the TLD for the purpose of checking if we have any TI indicators with this TLD to match on\\n | extend tld = parts[(array_length(parts)-1)]\\n //Validate parsed domain by checking TLD against TLDs from threat feed and drop domains where there is no chance of a match\\n | where tld in~ (list_tlds)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n ) on $left.DomainName==$right.Domain\\n | where CommonSecurityLog_TimeGenerated \u003c ExpirationDateTime\\n | summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, Domain\\n | project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, PA_Url, Domain, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, \\n DeviceAction, DestinationIP, DestinationPort, DeviceName, SourceIP, SourcePort, ApplicationProtocol, RequestMethod\\n | extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, URLCustomEntity = PA_Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map Domain entity to PaloAlto\",\"description\":\"Identifies a match in Palo Alto data in CommonSecurityLog table from any Domain IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/caf78b95-d886-4ac3-957a-a7a3691ff4ed\",\"name\":\"caf78b95-d886-4ac3-957a-a7a3691ff4ed\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT12H\",\"queryPeriod\":\"PT12H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Tarrask.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, SourceUserID, FileHash, Type\\n| extend timestamp = TimeGenerated, FileHashCustomEntity = \u0027SHA256\u0027, Account = SourceUserID\\n),\\n(imFileEvent\\n| where TargetFileSHA256 has_any (sha256Hashes)\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Image = EventDetail.[4].[\\\"#text\\\"], CommandLine = EventDetail.[10].[\\\"#text\\\"], Hashes = tostring(EventDetail.[17].[\\\"#text\\\"])\\n| extend Hashes = extract_all(@\\\"(?P\u003ckey\u003e\\\\w+)=(?P\u003cvalue\u003e[a-zA-Z0-9]+)\\\", dynamic([\\\"key\\\",\\\"value\\\"]), Hashes)\\n| extend Hashes = column_ifexists(\\\"Hashes\\\", \\\"\\\"), CommandLine = column_ifexists(\\\"CommandLine\\\", \\\"\\\")\\n| where (Hashes has_any (sha256Hashes) ) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, Hashes, CommandLine, Image\\n| extend Type = strcat(Type, \\\": \\\", Source)\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), FileHashCustomEntity = Hashes\\n),\\n(DeviceEvents\\n| where InitiatingProcessSHA256 has_any (sha256Hashes) or SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n),\\n(DeviceFileEvents\\n| where SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n),\\n(DeviceImageLoadEvents\\n| where SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Tarrask malware IOC - April 2022\",\"description\":\"Identifies a hash match related to Tarrask malware across various data sources.\\n Reference: https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/\",\"lastUpdatedDateUTC\":\"2022-04-12T00:00:00Z\",\"createdDateUTC\":\"2022-01-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\",\"DeviceEvents\",\"DeviceImageLoadEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2560515c-07d1-434e-87fb-ebe3af267760\",\"name\":\"2560515c-07d1-434e-87fb-ebe3af267760\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where ActivityDisplayName has_any (\\\"Add delegated permission grant\\\",\\\"Add app role assignment to service principal\\\")\\n| where Result =~ \\\"success\\\"\\n| where tostring(InitiatedBy.user.userPrincipalName) has \\\"@\\\" or tostring(InitiatedBy.app.displayName) has \\\"@\\\"\\n| extend props = parse_json(tostring(TargetResources[0].modifiedProperties))\\n| mv-expand props\\n| extend UserAgent = tostring(AdditionalDetails[0].value)\\n| extend InitiatingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n| extend UserIPAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n| extend DisplayName = tostring(props.displayName)\\n| extend Permissions = tostring(parse_json(tostring(props.newValue)))\\n| where Permissions has_any (\\\"Mail.Read\\\", \\\"Mail.ReadWrite\\\")\\n| extend PermissionsAddedTo = tostring(TargetResources[0].displayName)\\n| extend Type = tostring(TargetResources[0].type)\\n| project-away props\\n| join kind=leftouter(\\n AuditLogs\\n | where ActivityDisplayName has \\\"Consent to application\\\"\\n | extend AppName = tostring(TargetResources[0].displayName)\\n | extend AppId = tostring(TargetResources[0].id)\\n | project AppName, AppId, CorrelationId) on CorrelationId\\n| project-reorder TimeGenerated, OperationName, InitiatingUser, UserIPAddress, UserAgent, PermissionsAddedTo, Permissions, AppName, AppId, CorrelationId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingUser, IPCustomEntity = UserIPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Mail.Read Permissions Granted to Application\",\"description\":\"This query look for applications that have been granted (Delegated or App/Role) permissions to Read Mail (Permissions field has Mail.Read) and subsequently has been consented to. This can help identify applications that have been abused to gain access to mailboxes.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/532c1811-79ee-4d9f-8d4d-6304c840daa1\",\"name\":\"532c1811-79ee-4d9f-8d4d-6304c840daa1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Azure Active Directory Identity Protection\",\"displayName\":\"Create incidents based on Azure Active Directory Identity Protection alerts\",\"description\":\"Create incidents based on all alerts generated in Azure Active Directory Identity Protection\",\"lastUpdatedDateUTC\":\"2019-07-16T00:00:00Z\",\"createdDateUTC\":\"2019-07-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectoryIdentityProtection\",\"dataTypes\":[\"SecurityAlert (IPC)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bb616d82-108f-47d3-9dec-9652ea0d3bf6\",\"name\":\"bb616d82-108f-47d3-9dec-9652ea0d3bf6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"let queryfrequency = 1h;\\nlet queryperiod = 1d;\\nAuditLogs\\n| where TimeGenerated \u003e ago(queryfrequency)\\n| where OperationName =~ \\\"Delete user\\\"\\n//extend UserPrincipalName = tostring(TargetResources[0].userPrincipalName)\\n| extend UserPrincipalName = extract(@\u0027([a-f0-9]{32})?(.*)\u0027, 2, tostring(TargetResources[0].userPrincipalName))\\n| extend DeletedByUser = tostring(InitiatedBy.user.userPrincipalName), DeletedByIPAddress = tostring(InitiatedBy.user.ipAddress)\\n| extend DeletedByApp = tostring(InitiatedBy.app.displayName)\\n| project Deletion_TimeGenerated = TimeGenerated, UserPrincipalName, DeletedByUser, DeletedByIPAddress, DeletedByApp, Deletion_AdditionalDetails = AdditionalDetails, Deletion_InitiatedBy = InitiatedBy, Deletion_TargetResources = TargetResources\\n| join kind=inner (\\n AuditLogs\\n | where TimeGenerated \u003e ago(queryperiod)\\n | where OperationName =~ \\\"Add user\\\"\\n | extend UserPrincipalName = tostring(TargetResources[0].userPrincipalName)\\n | project-rename Creation_TimeGenerated = TimeGenerated\\n) on UserPrincipalName\\n| extend TimeDelta = Deletion_TimeGenerated - Creation_TimeGenerated\\n| where TimeDelta between (time(0s) .. queryperiod)\\n| extend CreatedByUser = tostring(InitiatedBy.user.userPrincipalName), CreatedByIPAddress = tostring(InitiatedBy.user.ipAddress)\\n| extend CreatedByApp = tostring(InitiatedBy.app.displayName)\\n| project Creation_TimeGenerated, Deletion_TimeGenerated, TimeDelta, UserPrincipalName, DeletedByUser, DeletedByIPAddress, DeletedByApp, CreatedByUser, CreatedByIPAddress, CreatedByApp, Creation_AdditionalDetails = AdditionalDetails, Creation_InitiatedBy = InitiatedBy, Creation_TargetResources = TargetResources, Deletion_AdditionalDetails, Deletion_InitiatedBy, Deletion_TargetResources\\n| extend timestamp = Deletion_TimeGenerated, CustomAccountEntity = UserPrincipalName, IPCustomEntity = DeletedByIPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CustomAccountEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Account Created and Deleted in Short Timeframe\",\"description\":\"Search for user principal name (UPN) events. Look for accounts created and then deleted in under 24 hours. Attackers may create an account for their use, and then remove the account when no longer needed.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#short-lived-account\",\"lastUpdatedDateUTC\":\"2022-01-17T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a0907abe-6925-4d90-af2b-c7e89dc201a6\",\"name\":\"a0907abe-6925-4d90-af2b-c7e89dc201a6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P10D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let starttime = 10d;\\nlet endtime = 1d;\\nlet threshold = 100;\\nlet nxDomainDnsEvents = DnsEvents \\n| where ResultCode == 3 \\n| where QueryType in (\\\"A\\\", \\\"AAAA\\\")\\n| where ipv4_is_match(\\\"127.0.0.1\\\", ClientIP) == False\\n| where Name !contains \\\"/\\\"\\n| where Name contains \\\".\\\";\\nnxDomainDnsEvents\\n| where TimeGenerated \u003e ago(endtime)\\n| extend sld = tostring(split(Name, \\\".\\\")[-2])\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), dcount(sld) by ClientIP\\n| where dcount_sld \u003e threshold\\n// Filter out previously seen IPs\\n| join kind=leftanti (nxDomainDnsEvents\\n | where TimeGenerated between(ago(starttime)..ago(endtime))\\n | extend sld = tostring(split(Name, \\\".\\\")[-2])\\n | summarize dcount(sld) by ClientIP\\n | where dcount_sld \u003e threshold ) on ClientIP\\n// Pull out sample NXDomain responses for those remaining potentially infected IPs\\n| join kind = inner (nxDomainDnsEvents | summarize by Name, ClientIP) on ClientIP\\n| summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), sampleNXDomainList=make_list(Name, 100) by ClientIP, dcount_sld\\n| extend timestamp = StartTimeUtc, IPCustomEntity = ClientIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Potential DGA detected\",\"description\":\"Identifies clients with a high NXDomain count which could be indicative of a DGA (cycling through possible C2 domains\\nwhere most C2s are not live). Alert is generated when a new IP address is seen (based on not being seen associated with \\nNXDomain records in prior 10-day baseline period).\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ef895ada-e8e8-4cf0-9313-b1ab67fab69f\",\"name\":\"ef895ada-e8e8-4cf0-9313-b1ab67fab69f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let known_locations =\\n union isfuzzy=True AADNonInteractiveUserSignInLogs, SigninLogs\\n | where TimeGenerated between(ago(14d)..ago(1d))\\n | where ResultType == 0\\n | summarize by Location;\\n union isfuzzy=True AADNonInteractiveUserSignInLogs, SigninLogs\\n | where TimeGenerated \u003e ago(1d)\\n | where ResultType != 50126\\n | where Location !in (known_locations)\\n | extend LocationDetails_dynamic = column_ifexists(\\\"LocationDetails_dynamic\\\", \\\"\\\")\\n | extend DeviceDetail_dynamic = column_ifexists(\\\"DeviceDetail_dynamic\\\", \\\"\\\")\\n | extend LocationDetails = iif(isnotempty(LocationDetails_dynamic), LocationDetails_dynamic, parse_json(LocationDetails_string))\\n | extend DeviceDetail = iif(isnotempty(DeviceDetail_dynamic), DeviceDetail_dynamic, parse_json(DeviceDetail_string))\\n | extend City = tostring(LocationDetails.city)\\n | extend State = tostring(LocationDetails.state)\\n | extend Place = strcat(City, \\\" - \\\", State)\\n | extend DeviceId = tostring(DeviceDetail.deviceId)\\n | extend Result = strcat(tostring(ResultType), \\\" - \\\", ResultDescription)\\n | summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated), make_set(Result), make_set(IPAddress), make_set(UserAgent), make_set(Place), make_set(DeviceId) by UserPrincipalName, Location, Category\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Authentication Attempt from New Country\",\"description\":\"Detects when there is a log in attempt from a country that has not seen a successful login in the previous 14 days.\\n Threat actors may attempt to authenticate with credentials from compromised accounts - monitoring attempts from anomalous locations may help identify these attempts.\\n Authentication attempts should be investigated to ensure the activity was legitimate and if there is other similar activity.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\",\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9713e3c0-1410-468d-b79e-383448434b2d\",\"name\":\"9713e3c0-1410-468d-b79e-383448434b2d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n VMConnection\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n // renaming time column so it is clear the log this came from\\n | extend VMConnection_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.RemoteIp\\n| where VMConnection_TimeGenerated \u003c ExpirationDateTime\\n| summarize VMConnection_TimeGenerated = arg_max(VMConnection_TimeGenerated, *) by IndicatorId, RemoteIp\\n| project VMConnection_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, Computer, Direction, ProcessName, SourceIp, DestinationIp, RemoteIp, Protocol, DestinationPort, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = VMConnection_TimeGenerated, IPCustomEntity = RemoteIp, HostCustomEntity = Computer, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to VMConnection\",\"description\":\"Identifies a match in VMConnection from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/017e095a-94d8-430c-a047-e51a11fb737b\",\"name\":\"017e095a-94d8-430c-a047-e51a11fb737b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let domains =\\n SigninLogs\\n | where ResultType == 0\\n | extend domain = split(UserPrincipalName, \\\"@\\\")[1]\\n | extend domain = tostring(split(UserPrincipalName, \\\"@\\\")[1])\\n | summarize by tolower(tostring(domain));\\n AuditLogs\\n | where Category =~ \\\"ApplicationManagement\\\"\\n | where Result =~ \\\"success\\\"\\n | where OperationName =~ \u0027Update Application\u0027\\n | mv-expand TargetResources\\n | mv-expand TargetResources.modifiedProperties\\n | where TargetResources_modifiedProperties.displayName =~ \\\"AppAddress\\\"\\n | extend Key = tostring(TargetResources_modifiedProperties.displayName)\\n | extend NewValue = TargetResources_modifiedProperties.newValue\\n | extend OldValue = TargetResources_modifiedProperties.oldValue\\n | where isnotempty(Key) and isnotempty(NewValue)\\n | project-reorder Key, NewValue, OldValue\\n | extend NewUrls = extract_all(\u0027\\\"Address\\\":([^,]*)\u0027, tostring(NewValue))\\n | extend OldUrls = extract_all(\u0027\\\"Address\\\":([^,]*)\u0027, tostring(OldValue))\\n | extend AddedUrls = set_difference(NewUrls, OldUrls)\\n | where array_length(AddedUrls) \u003e 0\\n | extend UserAgent = iif(tostring(AdditionalDetails[0].key) == \\\"User-Agent\\\", tostring(AdditionalDetails[0].value), \\\"\\\")\\n | extend AddingUser = iif(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)) , tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), \\\"\\\")\\n | extend AddingApp = iif(isnotempty(tostring(parse_json(tostring(InitiatedBy.app)).servicePrincipalName)) , tostring(parse_json(tostring(InitiatedBy.app)).servicePrincipalName), \\\"\\\")\\n | extend AddedBy = iif(isnotempty(AddingUser), AddingUser, AddingApp)\\n | project-away AddingApp, AddingUser\\n | extend AppDisplayName = tostring(TargetResources.displayName)\\n | extend ipAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n | where isnotempty(AddedUrls)\\n | mv-expand AddedUrls\\n | extend Domain = extract(\\\"^(?:https?:\\\\\\\\/\\\\\\\\/)?(?:[^@\\\\\\\\/\\\\\\\\n]+@)?(?:www\\\\\\\\.)?([^:\\\\\\\\/?\\\\\\\\n]+)/\\\", 1, replace_string(tolower(tostring(AddedUrls)), \u0027\\\"\u0027, \\\"\\\"))\\n | where isnotempty(Domain)\\n | extend Domain = strcat(split(Domain, \\\".\\\")[-2], \\\".\\\", split(Domain, \\\".\\\")[-1])\\n | where Domain !in (domains)\\n | project-reorder TimeGenerated, AppDisplayName, AddedUrls, AddedBy, UserAgent, ipAddress\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"AddedUrls\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddedBy\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ipAddress\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"URL Added to Application from Unknown Domain\",\"description\":\"Detects a URL being added to an application where the domain is not one that is associated with the tenant.\\n The query uses domains seen in sign in logs to determine if the domain is associated with the tenant.\\n Applications associated with URLs not controlled by the organization can pose a security risk.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-applications#application-configuration-changes\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b9e3b9f8-a406-4151-9891-e5ff1ddd8c1d\",\"name\":\"b9e3b9f8-a406-4151-9891-e5ff1ddd8c1d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"//Collect the alert events\\nlet alertData = SecurityAlert \\n| where DisplayName has \\\"Potential malware uploaded to\\\" \\n| extend Entities = parse_json(Entities) \\n| mv-expand Entities;\\n//Parse the IP address data\\nlet ipData = alertData \\n| where Entities[\u0027Type\u0027] =~ \\\"ip\\\" \\n| extend AttackerIP = tostring(Entities[\u0027Address\u0027]), AttackerCountry = tostring(Entities[\u0027Location\u0027][\u0027CountryName\u0027]);\\n//Parse the file data\\nlet FileData = alertData \\n| where Entities[\u0027Type\u0027] =~ \\\"file\\\" \\n| extend MaliciousFileDirectory = tostring(Entities[\u0027Directory\u0027]), MaliciousFileName = tostring(Entities[\u0027Name\u0027]), MaliciousFileHashes = tostring(Entities[\u0027FileHashes\u0027]);\\n//Combine the File and IP data together\\nipData \\n| join (FileData) on VendorOriginalId \\n| summarize by TimeGenerated, AttackerIP, AttackerCountry, DisplayName, ResourceId, AlertType, MaliciousFileDirectory, MaliciousFileName, MaliciousFileHashes\\n//Create a type column so we can track if it was a File storage or blobl storage upload \\n| extend type = iff(DisplayName has \\\"file\\\", \\\"File\\\", \\\"Blob\\\") \\n| join (\\n union\\n StorageFileLogs, \\n StorageBlobLogs \\n //File upload operations \\n | where OperationName =~ \\\"PutBlob\\\" or OperationName =~ \\\"PutRange\\\"\\n //Parse out the uploader IP \\n | extend ClientIP = tostring(split(CallerIpAddress, \\\":\\\", 0)[0])\\n //Extract the filename from the Uri \\n | extend FileName = extract(@\\\"\\\\/([\\\\w\\\\-. ]+)\\\\?\\\", 1, Uri)\\n //Base64 decode the MD5 filehash, we will encounter non-ascii hex so string operations don\u0027t work\\n //We can work around this by making it an array then converting it to hex from an int \\n | extend base64Char = base64_decode_toarray(ResponseMd5) \\n | mv-expand base64Char \\n | extend hexChar = tohex(toint(base64Char))\\n | extend hexChar = iff(strlen(hexChar) \u003c 2, strcat(\\\"0\\\", hexChar), hexChar) \\n | extend SourceTable = iff(OperationName has \\\"range\\\", \\\"StorageFileLogs\\\", \\\"StorageBlobLogs\\\") \\n | summarize make_list(hexChar) by CorrelationId, ResponseMd5, FileName, AccountName, TimeGenerated, RequestBodySize, ClientIP, SourceTable \\n | extend Md5Hash = strcat_array(list_hexChar, \\\"\\\")\\n //Pack the file information the summarise into a ClientIP row \\n | extend p = pack(\\\"FileName\\\", FileName, \\\"FileSize\\\", RequestBodySize, \\\"Md5Hash\\\", Md5Hash, \\\"Time\\\", TimeGenerated, \\\"SourceTable\\\", SourceTable) \\n | summarize UploadedFileInfo=make_list(p), FilesUploaded=count() by ClientIP \\n | join kind=leftouter (\\n union\\n StorageFileLogs,\\n StorageBlobLogs \\n | where OperationName =~ \\\"DeleteFile\\\" or OperationName =~ \\\"DeleteBlob\\\" \\n | extend ClientIP = tostring(split(CallerIpAddress, \\\":\\\", 0)[0]) \\n | extend FileName = extract(@\\\"\\\\/([\\\\w\\\\-. ]+)\\\\?\\\", 1, Uri) \\n | extend SourceTable = iff(OperationName has \\\"range\\\", \\\"StorageFileLogs\\\", \\\"StorageBlobLogs\\\") \\n | extend p = pack(\\\"FileName\\\", FileName, \\\"Time\\\", TimeGenerated, \\\"SourceTable\\\", SourceTable) \\n | summarize DeletedFileInfo=make_list(p), FilesDeleted=count() by ClientIP\\n ) on ClientIP\\n ) on $left.AttackerIP == $right.ClientIP \\n| mvexpand UploadedFileInfo \\n| extend LinkedMaliciousFileName = UploadedFileInfo.FileName \\n| extend LinkedMaliciousFileHash = UploadedFileInfo.Md5Hash \\n| project AlertTimeGenerated = TimeGenerated, tostring(LinkedMaliciousFileName), tostring(LinkedMaliciousFileHash), AlertType, AttackerIP, AttackerCountry, MaliciousFileDirectory, MaliciousFileName, FilesUploaded, UploadedFileInfo \\n| extend FileHashCustomEntity = LinkedMaliciousFileName, HashAlgorithm = \\\"MD5\\\", IPCustomEntity = AttackerIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"HashAlgorithm\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"Exfiltration\"],\"displayName\":\"Linked Malicious Storage Artifacts\",\"description\":\"An IP address which uploaded malicious content to an Azure Blob or File Storage container (triggering a malware alert) also uploaded additional files.\",\"lastUpdatedDateUTC\":\"2022-01-16T00:00:00Z\",\"createdDateUTC\":\"2021-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftCloudAppSecurity\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c7cd6073-6d2c-4284-a5c8-da27605bdfde\",\"name\":\"c7cd6073-6d2c-4284-a5c8-da27605bdfde\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"let lbtime = 10m;\\nProofpointPOD\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027inbound\u0027\\n| where FilterDisposition !in (\u0027reject\u0027, \u0027discard\u0027)\\n| where FilterModulesSpamScoresOverall == \u0027100\u0027\\n| project SrcUserUpn, DstUserUpn\\n| extend AccountCustomEntity = SrcUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"ProofpointPOD - High risk message not discarded\",\"description\":\"Detects when email with high risk score was not rejected or discarded by filters.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c87fb346-ea3a-4c64-ba92-3dd383e0f0b5\",\"name\":\"c87fb346-ea3a-4c64-ba92-3dd383e0f0b5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"High\",\"query\":\"let DomainNames = \\\"miniodaum.ml\\\";\\nlet SHA256Hash = dynamic ([\\\"53f5773bbfbfbee660989d135c042c9f6f69024b9a4b65bdc0dfd44771762257\\\", \\\"0897c80df8b80b4c49bf1ccf876f5f782849608b830c3b5cb3ad212dc3e19eff\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where isnotempty(FileHash)\\n| where FileHash in (SHA256Hash) or DNSName =~ DomainNames\\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n),\\n (_Im_Dns (domain_has_any=DomainNames)\\n| extend DNSName = DnsQuery \\n| extend IPAddress = SrcIpAddr, Computer = Dvc\\n), \\n(_Im_WebSession(url_has_any=DomainNames) \\n| extend DNSName = tostring(parse_url(Url)[\\\"Host\\\"])\\n| extend IPAddress = SrcIpAddr, Account=User\\n),\\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where isnotempty(DNSName)\\n| where DNSName =~ DomainNames\\n| extend IPAddress = RemoteIp\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPAddress = SourceHost\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"CredentialAccess\"],\"displayName\":\"Known CERIUM domains and hashes\",\"description\":\"CERIUM malicious webserver and hash values for maldocs and malware. \\n Matches domain name IOCs related to the CERIUM activity group with CommonSecurityLog, DnsEvents, and VMConnection dataTypes.\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2020-10-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/712fab52-2a7d-401e-a08c-ff939cc7c25e\",\"name\":\"712fab52-2a7d-401e-a08c-ff939cc7c25e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(Url)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n AuditLogs\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n // Extract the URL that is contained within the JSON data\\n | extend Url = extract(\\\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.\u0026+]|[!*\\\\\\\\(\\\\\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+);\\\", 1,tostring(TargetResources))\\n | where isnotempty(Url)\\n | extend userPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend TargetResourceDisplayName = tostring(TargetResources[0].displayName)\\n | extend Audit_TimeGenerated = TimeGenerated\\n) on Url\\n| where Audit_TimeGenerated \u003c ExpirationDateTime\\n| summarize Audit_TimeGenerated = arg_max(Audit_TimeGenerated, *) by IndicatorId, Url\\n| project Audit_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore,\\nOperationName, Identity, userPrincipalName, TargetResourceDisplayName, Url\\n| extend timestamp = Audit_TimeGenerated, AccountCustomEntity = userPrincipalName, HostCustomEntity = TargetResourceDisplayName, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map URL entity to AuditLogs\",\"description\":\"Identifies a match in AuditLogs from any URL IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ab4b6944-a20d-42ab-8b63-238426525801\",\"name\":\"ab4b6944-a20d-42ab-8b63-238426525801\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let domains = dynamic([\\\"incomeupdate.com\\\",\\\"zupertech.com\\\",\\\"databasegalore.com\\\",\\\"panhardware.com\\\",\\\"avsvmcloud.com\\\",\\\"digitalcollege.org\\\",\\\"freescanonline.com\\\",\\\"deftsecurity.com\\\",\\\"thedoccloud.com\\\",\\\"virtualdataserver.com\\\",\\\"lcomputers.com\\\",\\\"webcodez.com\\\",\\\"globalnetworkissues.com\\\",\\\"kubecloud.com\\\",\\\"seobundlekit.com\\\",\\\"solartrackingsystem.net\\\",\\\"virtualwebdata.com\\\"]);\\nlet timeframe = 1h;\\nlet connections = VMConnection \\n | where TimeGenerated \u003e= ago(timeframe)\\n | extend DNSName = set_union(todynamic(RemoteDnsCanonicalNames),todynamic(RemoteDnsQuestions))\\n | mv-expand DNSName\\n | where isnotempty(DNSName)\\n | where DNSName has_any (domains)\\n | extend IPCustomEntity = RemoteIp\\n | summarize TimeGenerated = arg_min(TimeGenerated, *), requests = count() by IPCustomEntity, DNSName = tostring(DNSName), AgentId, Machine, Process;\\nlet processes = VMProcess\\n | where TimeGenerated \u003e= ago(timeframe)\\n | project AgentId, Machine, Process, UserName, UserDomain, ExecutablePath, CommandLine, FirstPid\\n | extend exePathArr = split(ExecutablePath, \\\"\\\\\\\\\\\")\\n | extend DirectoryName = array_strcat(array_slice(exePathArr, 0, array_length(exePathArr) - 2), \\\"\\\\\\\\\\\")\\n | extend Filename = array_strcat(array_slice(exePathArr, array_length(exePathArr) - 1, array_length(exePathArr)), \\\"\\\\\\\\\\\")\\n | project-away exePathArr;\\nlet computers = VMComputer\\n | where TimeGenerated \u003e= ago(timeframe)\\n | project HostCustomEntity = HostName, AzureResourceId = _ResourceId, AgentId, Machine;\\nconnections | join kind = inner (processes) on AgentId, Machine, Process\\n | join kind = inner (computers) on AgentId, Machine\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"DNSName\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"FirstPid\"},{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLine\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Directory\",\"columnName\":\"DirectoryName\"},{\"identifier\":\"Name\",\"columnName\":\"Filename\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Solorigate Domains Found in VM Insights\",\"description\":\"Identifies connections to Solorigate-related DNS records based on VM insights data\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMProcess\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMComputer\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1ce5e766-26ab-4616-b7c8-3b33ae321e80\",\"name\":\"1ce5e766-26ab-4616-b7c8-3b33ae321e80\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"//Adjust this threshold to fit environment\\nlet signin_threshold = 5; \\n//Make a list of IPs with failed Windows host logins above threshold\\nlet win_fails = \\nSecurityEvent\\n| where EventID == 4625\\n| where LogonType in (10, 7, 3)\\n| where IpAddress != \\\"-\\\"\\n| summarize count() by IpAddress\\n| where count_ \u003e signin_threshold\\n| summarize make_list(IpAddress);\\nlet wef_fails =\\nWindowsEvent\\n| where EventID == 4625\\n| extend LogonType = tostring(EventData.LogonType)\\n| where LogonType in (10, 7, 3)\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| where IpAddress != \\\"-\\\"\\n| summarize count() by IpAddress\\n| where count_ \u003e signin_threshold\\n| summarize make_list(IpAddress);\\n//Make a list of IPs with failed *nix host logins above threshold\\nlet nix_fails = \\nSyslog\\n| where Facility contains \u0027auth\u0027 and ProcessName != \u0027sudo\u0027\\n| extend SourceIP = extract(\\\"(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.(([0-9]{1,3})))\\\",1,SyslogMessage)\\n| where SourceIP != \\\"\\\" and SourceIP != \\\"127.0.0.1\\\"\\n| summarize count() by SourceIP\\n| where count_ \u003e signin_threshold\\n| summarize make_list(SourceIP);\\n//See if any of the IPs with failed host logins hve had a sucessful Azure AD login\\nlet aadFunc = (tableName:string){\\ntable(tableName)\\n| where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n| where IPAddress in (win_fails) or IPAddress in (nix_fails) or IPAddress in (wef_fails)\\n| extend Reason= \\\"Multiple failed host logins from IP address with successful Azure AD login\\\"\\n| extend timstamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress, Type = Type\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"Failed host logons but success logon to AzureAD\",\"description\":\"Identifies a list of IP addresses with a minimum number(default of 5) of failed logon attempts to remote hosts.\\nUses that list to identify any successful logons to Azure Active Directory from these IPs within the same timeframe.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2019-08-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/28b42356-45af-40a6-a0b4-a554cdfd5d8a\",\"name\":\"28b42356-45af-40a6-a0b4-a554cdfd5d8a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"Medium\",\"query\":\"let timeRange = 24h;\\nlet failureCountThreshold = 5;\\nlet authenticationWindow = 20m;\\nlet aadFunc = (tableName:string){\\n table(tableName)\\n| where AppDisplayName has \\\"Azure Portal\\\"\\n| extend\\n DeviceDetail = todynamic(DeviceDetail),\\n //Status = todynamic(Status),\\n LocationDetails = todynamic(LocationDetails)\\n| extend\\n OS = tostring(DeviceDetail.operatingSystem),\\n Browser = tostring(DeviceDetail.browser),\\n //StatusCode = tostring(Status.errorCode),\\n //StatusDetails = tostring(Status.additionalDetails),\\n State = tostring(LocationDetails.state),\\n City = tostring(LocationDetails.city),\\n Region = tostring(LocationDetails.countryOrRegion)\\n// Split out failure versus non-failure types\\n| extend FailureOrSuccess = iff(ResultType in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\", \\\"70043\\\", \\\"70044\\\"), \\\"Success\\\", \\\"Failure\\\") \\n// bin outcomes based on authenticationWindow\\n| summarize take_anyif(UserPrincipalName, not(UserPrincipalName matches regex @\\\"[a-f\\\\d]+\\\\-[a-f\\\\d]+\\\\-[a-f\\\\d]+\\\\-[a-f\\\\d]+\\\\-[a-f\\\\d]+\\\")),\\n take_anyif(UserDisplayName, isnotempty(UserDisplayName)), FailureOrSuccessCount = count() by FailureOrSuccess, UserId, UserDisplayName, AppDisplayName, IPAddress, Browser, OS, State, City, Region, Type, CorrelationId, bin(TimeGenerated, authenticationWindow), ResultType\\n// sort for sessionizing - by UserPrincipalName and time of the authentication outcome\\n| sort by UserPrincipalName asc, TimeGenerated asc\\n| serialize \\n// sessionize into failure groupings until either the account changes or there is a success\\n| extend SessionStartedUtc = row_window_session(TimeGenerated, timeRange, authenticationWindow, UserPrincipalName != prev(UserPrincipalName) or prev(FailureOrSuccess) == \\\"Success\\\")\\n// count the failures in each session\\n| summarize FailureCountBeforeSuccess=sumif(FailureOrSuccessCount, FailureOrSuccess == \\\"Failure\\\"), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), makelist(FailureOrSuccess), IPAddress = make_set(IPAddress), make_set(Browser), make_set(City), make_set(State), make_set(Region), make_set(ResultType) by SessionStartedUtc, UserPrincipalName, CorrelationId, AppDisplayName, UserId, Type\\n// the session must not start with a success, and must end with one\\n| where array_index_of(list_FailureOrSuccess, \\\"Success\\\") != 0\\n| where array_index_of(list_FailureOrSuccess, \\\"Success\\\") == array_length(list_FailureOrSuccess) - 1\\n| project-away SessionStartedUtc, list_FailureOrSuccess\\n// where the number of failures before the success is above the threshold \\n| where FailureCountBeforeSuccess \u003e= failureCountThreshold \\n// expand out ip for entity assignment\\n| mv-expand IPAddress\\n| extend IPAddress = tostring(IPAddress)\\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \\n};\\n let aadSignin = aadFunc(\\\"SigninLogs\\\");\\n let aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\n union isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Brute force attack against Azure Portal\",\"description\":\"Identifies evidence of brute force activity against Azure Portal by highlighting multiple authentication failures \\nand by a successful authentication within a given time window. \\nDefault Failure count is 5 and default Time Window is 20 minutes.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2019-04-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/23de46ea-c425-4a77-b456-511ae4855d69\",\"name\":\"23de46ea-c425-4a77-b456-511ae4855d69\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Low\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\n// The number of operations below which an IP address is considered an unusual source of role assignment operations\\nlet alertOperationThreshold = 5;\\nlet SensitiveOperationList = dynamic([\\\"microsoft.compute/snapshots/write\\\", \\\"microsoft.network/networksecuritygroups/write\\\", \\\"microsoft.storage/storageaccounts/listkeys/action\\\"]);\\nlet SensitiveActivity = AzureActivity\\n| where OperationNameValue in~ (SensitiveOperationList) or OperationNameValue hassuffix \\\"listkeys/action\\\"\\n| where ActivityStatusValue =~ \\\"Success\\\";\\nSensitiveActivity\\n| where TimeGenerated between (ago(starttime) .. ago(endtime))\\n| summarize count() by CallerIpAddress, Caller, OperationNameValue\\n| where count_ \u003e= alertOperationThreshold\\n| join kind = rightanti ( \\nSensitiveActivity\\n| where TimeGenerated \u003e= ago(endtime)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = makelist(TimeGenerated), ActivityStatusValue = makelist(ActivityStatusValue), \\nOperationIds = makelist(OperationId), CorrelationIds = makelist(CorrelationId), Resources = makelist(Resource), ResourceGroups = makelist(ResourceGroup), ResourceIds = makelist(ResourceId), ActivityCountByCallerIPAddress = count() \\nby CallerIpAddress, Caller, OperationNameValue\\n) on CallerIpAddress, Caller, OperationNameValue\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\",\"Persistence\"],\"displayName\":\"Rare subscription-level operations in Azure\",\"description\":\"This query looks for a few sensitive subscription-level events based on Azure Activity Logs. \\n For example this monitors for the operation name \u0027Create or Update Snapshot\u0027 which is used for creating backups but could be misused by attackers \\n to dump hashes or extract sensitive information from the disk.\",\"lastUpdatedDateUTC\":\"2022-03-15T00:00:00Z\",\"createdDateUTC\":\"2019-08-23T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/84cf1d59-f620-4fee-b569-68daf7008b7b\",\"name\":\"84cf1d59-f620-4fee-b569-68daf7008b7b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let threshold = 10;\\nQualysHostDetection_CL\\n| mv-expand todynamic(Detections_s)\\n| extend Status = tostring(Detections_s.Status), Vulnerability = tostring(Detections_s.Results), Severity = tostring(Detections_s.Severity)\\n| where Status =~ \\\"New\\\" and Severity == \\\"5\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), dcount(NetBios_s) by tostring(Detections_s.QID)\\n| where dcount_NetBios_s \u003e= threshold\\n| extend timestamp = StartTime\",\"entityMappings\":[],\"tactics\":[\"InitialAccess\"],\"displayName\":\"New High Severity Vulnerability Detected Across Multiple Hosts\",\"description\":\"This creates an incident when a new high severity vulnerability is detected across multilple hosts\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"QualysVulnerabilityManagement\",\"dataTypes\":[\"QualysHostDetection_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bc5ffe2a-84d6-48fe-bc7b-1055100469bc\",\"name\":\"bc5ffe2a-84d6-48fe-bc7b-1055100469bc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"High\",\"query\":\"let SunburstMD5=dynamic([\\\"b91ce2fa41029f6955bff20079468448\\\",\\\"02af7cec58b9a5da1c542b5a32151ba1\\\",\\\"2c4a910a1299cdae2a4e55988a2f102e\\\",\\\"846e27a652a5e1bfbd0ddd38a16dc865\\\",\\\"4f2eb62fa529c0283b28d05ddd311fae\\\"]);\\nlet SupernovaMD5=\\\"56ceb6d0011d87b6e4d7023d7ef85676\\\";\\nimFileEvent\\n| where TargetFileMD5 in(SunburstMD5) or TargetFileMD5 in(SupernovaMD5)\\n| extend\\n timestamp = TimeGenerated,\\n AccountCustomEntity = User, \\n HostCustomEntity = DvcHostname,\\n FileHashCustomEntity = TargetFileMD5,\\n AlgorithmCustomEntity = \\\"MD5\\\"\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Execution\",\"Persistence\",\"InitialAccess\"],\"displayName\":\"SUNBURST and SUPERNOVA backdoor hashes (Normalized File Events)\",\"description\":\"Identifies SolarWinds SUNBURST and SUPERNOVA backdoor file hash IOCs in File Events\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimFileEvent)\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2020-12-15T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8cbc3215-fa58-4bd6-aaaa-f0029c351730\",\"name\":\"8cbc3215-fa58-4bd6-aaaa-f0029c351730\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"AlertPerResult\"},\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let threatCategory=\\\"Cryptominer\\\";\\nlet knownUserAgentsIndicators = materialize(externaldata(UserAgent:string, Category:string)\\n [ @\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/UnusualUserAgents.csv\\\"] \\n with(format=\\\"csv\\\", ignoreFirstRecord=True));\\nlet knownUserAgents=toscalar(knownUserAgentsIndicators | where Category==threatCategory | where isnotempty(UserAgent) | summarize make_list(UserAgent));\\nlet customUserAgents=toscalar(_GetWatchlist(\\\"UnusualUserAgents\\\") | where SearchKey==threatCategory | extend UserAgent=column_ifexists(\\\"UserAgent\\\",\\\"\\\") | where isnotempty(UserAgent) | summarize make_list(UserAgent));\\nlet fullUAList = array_concat(knownUserAgents,customUserAgents);\\n_Im_WebSession(httpuseragent_has_any=fullUAList)\\n| summarize N_Events=count() by SrcIpAddr, Url, TimeGenerated,HttpUserAgent, SrcUsername\",\"customDetails\":{\"UserAgent\":\"HttpUserAgent\"},\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"SrcUsername\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"The host {{SrcIpAddr}} is potentially running a crypto miner\",\"alertDescriptionFormat\":\"The host at address {{SrcIpAddr}} sent an HTTP request to the URL {{Url}} with the HTTP user agent header {{HttpUserAgent}}. This user agent is known to be used by crypto miners and indicates crypto mining activity on the client.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"CommandAndControl\"],\"displayName\":\"A host is potentially running a crypto miner (ASIM Web Session schema)\",\"description\":\"This rule identifies a web request with a user agent header known to belong to a crypto miner. This indicates a crypto miner may have infected the client machine.\u003cbr\u003eYou can add custom crypto mining indicating User-Agent headers using a watchlist, for more information refer to the [UnusualUserAgents Watchlist](https://aka.ms/ASimUnusualUserAgentsWatchlist).\u003cbr\u003e\u003cbr\u003e This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema)\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2021-12-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/24f8c234-d1ff-40ec-8b73-96b17a3a9c1c\",\"name\":\"24f8c234-d1ff-40ec-8b73-96b17a3a9c1c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Low\",\"query\":\"let EventCountThreshold = 25;\\n// To avoid any False Positives, filtering using AppId is recommended.\\n// For example the AppId 509e4652-da8d-478d-a730-e9d4a1996ca4 has been added in the query as it corresponds \\n// to Azure Resource Graph performing VaultGet operations for indexing and syncing all tracked resources across Azure.\\n// The AppId 8cae6e77-e04e-42ce-b5cb-50d82bce26b1 has been added as it correspond to Microsoft Policy Insights Provider Data Plane performing VaultGet operations for policies checks.\\nlet Allowedappid = dynamic([\\\"509e4652-da8d-478d-a730-e9d4a1996ca4\\\",\\\"8cae6e77-e04e-42ce-b5cb-50d82bce26b1\\\"]);\\nlet OperationList = dynamic(\\n[\\\"SecretGet\\\", \\\"KeyGet\\\", \\\"VaultGet\\\"]);\\nAzureDiagnostics\\n| where not((identity_claim_appid_g in (Allowedappid)) and OperationName == \u0027VaultGet\u0027)\\n| extend ResultType = columnifexists(\\\"ResultType\\\", \\\"None\\\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \\\"None\\\" and isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\\n| where ResourceType =~ \\\"VAULTS\\\" and ResultType =~ \\\"Success\\\"\\n| where OperationName in (OperationList) \\n| summarize count() by identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, OperationName\\n| where count_ \u003e EventCountThreshold \\n| join (\\nAzureDiagnostics\\n| where not((identity_claim_appid_g in (Allowedappid)) and OperationName == \u0027VaultGet\u0027)\\n| extend ResultType = columnifexists(\\\"ResultType\\\", \\\"NoResultType\\\")\\n| extend requestUri_s = columnifexists(\\\"requestUri_s\\\", \\\"None\\\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"None\\\")\\n| extend id_s = columnifexists(\\\"id_s\\\", \\\"None\\\"), CallerIPAddress = columnifexists(\\\"CallerIPAddress\\\", \\\"None\\\"), clientInfo_s = columnifexists(\\\"clientInfo_s\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \\\"None\\\" and isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\\n| where id_s !~ \\\"None\\\" and isnotempty(id_s)\\n| where CallerIPAddress !~ \\\"None\\\" and isnotempty(CallerIPAddress)\\n| where clientInfo_s !~ \\\"None\\\" and isnotempty(clientInfo_s)\\n| where requestUri_s !~ \\\"None\\\" and isnotempty(requestUri_s)\\n| where OperationName in~ (OperationList) \\n) on identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g \\n| summarize EventCount=sum(count_), StartTimeUtc=min(TimeGenerated), EndTimeUtc=max(TimeGenerated), TimeTriggered=makelist(TimeGenerated),OperationNameList=make_set(OperationName), RequestURLList=make_set(requestUri_s), CallerIPList = make_set(CallerIPAddress), CallerIPMax= arg_max(CallerIPAddress,*) by ResourceType, ResultType, Resource, id_s, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, clientInfo_s\\n| extend timestamp = EndTimeUtc, IPCustomEntity = CallerIPMax, AccountCustomEntity = identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Mass secret retrieval from Azure Key Vault\",\"description\":\"Identifies mass secret retrieval from Azure Key Vault observed by a single user. \\nMass secret retrival crossing a certain threshold is an indication of credential dump operations or mis-configured applications. \\nYou can tweak the EventCountThreshold based on average count seen in your environment \\nand also filter any known sources (IP/Account) and useragent combinations based on historical analysis to further reduce noise\",\"lastUpdatedDateUTC\":\"2022-07-04T00:00:00Z\",\"createdDateUTC\":\"2019-07-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureKeyVault\",\"dataTypes\":[\"KeyVaultData\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b619d1f1-7f39-4c7e-bf9e-afbb46457997\",\"name\":\"b619d1f1-7f39-4c7e-bf9e-afbb46457997\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let timeframe = 15m;\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(timeframe)\\n| where HttpUserAgentOriginal contains \\\"XMRig\\\" or HttpUserAgentOriginal contains \\\"ccminer\\\"\\n| extend Message = \\\"Crypto Miner User Agent\\\"\\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated,HttpUserAgentOriginal\\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - Crypto Miner User-Agent Detected\",\"description\":\"Detects suspicious user agent strings used by crypto miners in proxy logs.\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/dd03057e-4347-4853-bf1e-2b2d21eb4e59\",\"name\":\"dd03057e-4347-4853-bf1e-2b2d21eb4e59\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let DomainList = dynamic([\\\"monerohash.com\\\", \\\"do-dear.com\\\", \\\"xmrminerpro.com\\\", \\\"secumine.net\\\", \\\"xmrpool.com\\\", \\\"minexmr.org\\\", \\\"hashanywhere.com\\\", \\\"xmrget.com\\\",\\n\\\"mininglottery.eu\\\", \\\"minergate.com\\\", \\\"moriaxmr.com\\\", \\\"multipooler.com\\\", \\\"moneropools.com\\\", \\\"xmrpool.eu\\\", \\\"coolmining.club\\\", \\\"supportxmr.com\\\",\\n\\\"minexmr.com\\\", \\\"hashvault.pro\\\", \\\"xmrpool.net\\\", \\\"crypto-pool.fr\\\", \\\"xmr.pt\\\", \\\"miner.rocks\\\", \\\"walpool.com\\\", \\\"herominers.com\\\", \\\"gntl.co.uk\\\", \\\"semipool.com\\\",\\n\\\"coinfoundry.org\\\", \\\"cryptoknight.cc\\\", \\\"fairhash.org\\\", \\\"baikalmine.com\\\", \\\"tubepool.xyz\\\", \\\"fairpool.xyz\\\", \\\"asiapool.io\\\", \\\"coinpoolit.webhop.me\\\", \\\"nanopool.org\\\",\\n\\\"moneropool.com\\\", \\\"miner.center\\\", \\\"prohash.net\\\", \\\"poolto.be\\\", \\\"cryptoescrow.eu\\\", \\\"monerominers.net\\\", \\\"cryptonotepool.org\\\", \\\"extrmepool.org\\\", \\\"webcoin.me\\\",\\n\\\"kippo.eu\\\", \\\"hashinvest.ws\\\", \\\"monero.farm\\\", \\\"supportxmr.com\\\", \\\"xmrpool.eu\\\", \\\"linux-repository-updates.com\\\", \\\"1gh.com\\\", \\\"dwarfpool.com\\\", \\\"hash-to-coins.com\\\",\\n\\\"hashvault.pro\\\", \\\"pool-proxy.com\\\", \\\"hashfor.cash\\\", \\\"fairpool.cloud\\\", \\\"litecoinpool.org\\\", \\\"mineshaft.ml\\\", \\\"abcxyz.stream\\\", \\\"moneropool.ru\\\", \\\"cryptonotepool.org.uk\\\",\\n\\\"extremepool.org\\\", \\\"extremehash.com\\\", \\\"hashinvest.net\\\", \\\"unipool.pro\\\", \\\"crypto-pools.org\\\", \\\"monero.net\\\", \\\"backup-pool.com\\\", \\\"mooo.com\\\", \\\"freeyy.me\\\", \\\"cryptonight.net\\\",\\n\\\"shscrypto.net\\\"]);\\nSyslog\\n| where ProcessName contains \\\"squid\\\"\\n| extend URL = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :]*)\\\",3,SyslogMessage),\\n SourceIP = extract(\\\"([0-9]+ )(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3}))\\\",2,SyslogMessage),\\n Status = extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))\\\",1,SyslogMessage),\\n HTTP_Status_Code = extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))/([0-9]{3})\\\",8,SyslogMessage),\\n User = extract(\\\"(CONNECT |GET )([^ ]* )([^ ]+)\\\",3,SyslogMessage),\\n RemotePort = extract(\\\"(CONNECT |GET )([^ ]*)(:)([0-9]*)\\\",4,SyslogMessage),\\n Domain = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :\\\\\\\\/]*)\\\",3,SyslogMessage),\\n Bytes = toint(extract(\\\"([A-Z]+\\\\\\\\/[0-9]{3} )([0-9]+)\\\",2,SyslogMessage)),\\n contentType = extract(\\\"([a-z/]+$)\\\",1,SyslogMessage)\\n| extend TLD = extract(\\\"\\\\\\\\.[a-z]*$\\\",0,Domain)\\n| where HTTP_Status_Code == \u0027200\u0027\\n| where Domain contains \\\".\\\"\\n| where Domain has_any (DomainList)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"User\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URL\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"NRT Squid proxy events related to mining pools\",\"description\":\"Checks for Squid proxy events in Syslog associated with common mining pools .This query presumes the default Squid log format is being used.\\n http://www.squid-cache.org/Doc/config/access_log/\",\"lastUpdatedDateUTC\":\"2022-05-31T00:00:00Z\",\"createdDateUTC\":\"2019-07-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2b701288-b428-4fb8-805e-e4372c574786\",\"name\":\"2b701288-b428-4fb8-805e-e4372c574786\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"//The bigger the window the better the data sample size, as we use IP prevalence, more sample data is better.\\n//The minimum number of countries that the account has been accessed from [default: 2]\\nlet minimumCountries = 2;\\n//The delta (%) between the largest in-use IP and the smallest [default: 95]\\nlet deltaThreshold = 95;\\n//The maximum (%) threshold that the country appears in login data [default: 10]\\nlet countryPrevalenceThreshold = 10;\\n//The time to project forward after the last login activity [default: 60min]\\nlet projectedEndTime = 60m;\\nlet queryfrequency = 1d;\\nlet queryperiod = 14d;\\nlet aadFunc = (tableName: string) {\\n // Get successful signins to Teams\\n let signinData =\\n table(tableName)\\n | where TimeGenerated \u003e ago(queryperiod)\\n | where AppDisplayName has \\\"Teams\\\" and ConditionalAccessStatus =~ \\\"success\\\"\\n | extend Country = tostring(todynamic(LocationDetails)[\u0027countryOrRegion\u0027])\\n | where isnotempty(Country) and isnotempty(IPAddress);\\n // Calculate prevalence of countries\\n let countryPrevalence =\\n signinData\\n | summarize CountCountrySignin = count() by Country\\n | extend TotalSignin = toscalar(signinData | summarize count())\\n | extend CountryPrevalence = toreal(CountCountrySignin) / toreal(TotalSignin) * 100;\\n // Count signins by user and IP address\\n let userIpSignin =\\n signinData\\n | summarize CountIPSignin = count(), Country = any(Country), ListSigninTimeGenerated = make_list(TimeGenerated) by IPAddress, UserPrincipalName;\\n // Calculate delta between the IP addresses with the most and minimum activity by user\\n let userIpDelta =\\n userIpSignin\\n | summarize MaxIPSignin = max(CountIPSignin), MinIPSignin = min(CountIPSignin), DistinctCountries = dcount(Country), make_set(Country) by UserPrincipalName\\n | extend UserIPDelta = toreal(MaxIPSignin - MinIPSignin) / toreal(MaxIPSignin) * 100;\\n // Collect Team operations the user account has performed within a time range of the suspicious signins\\n OfficeActivity\\n | where TimeGenerated \u003e ago(queryfrequency)\\n | where Operation in~ (\\\"TeamsAdminAction\\\", \\\"MemberAdded\\\", \\\"MemberRemoved\\\", \\\"MemberRoleChanged\\\", \\\"AppInstalled\\\", \\\"BotAddedToTeam\\\")\\n | project OperationTimeGenerated = TimeGenerated, UserId = tolower(UserId), Operation\\n | join kind = inner(\\n userIpDelta\\n // Check users with activity from distinct countries\\n | where DistinctCountries \u003e= minimumCountries\\n // Check users with high IP delta\\n | where UserIPDelta \u003e= deltaThreshold\\n // Add information about signins and countries\\n | join kind = leftouter userIpSignin on UserPrincipalName\\n | join kind = leftouter countryPrevalence on Country\\n // Check activity that comes from nonprevalent countries\\n | where CountryPrevalence \u003c countryPrevalenceThreshold\\n | project\\n UserPrincipalName,\\n SuspiciousIP = IPAddress,\\n UserIPDelta,\\n SuspiciousSigninCountry = Country,\\n SuspiciousCountryPrevalence = CountryPrevalence,\\n EventTimes = ListSigninTimeGenerated\\n ) on $left.UserId == $right.UserPrincipalName\\n // Check the signins occured 60 min before the Teams operations\\n | mv-expand SigninTimeGenerated = EventTimes\\n | extend SigninTimeGenerated = todatetime(SigninTimeGenerated)\\n | where OperationTimeGenerated between (SigninTimeGenerated .. (SigninTimeGenerated + projectedEndTime))\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\\n| summarize arg_max(SigninTimeGenerated, *) by UserPrincipalName, SuspiciousIP, OperationTimeGenerated\\n| summarize\\n ActivitySummary = make_bag(pack(tostring(SigninTimeGenerated), pack(\\\"Operation\\\", tostring(Operation), \\\"OperationTime\\\", OperationTimeGenerated)))\\n by UserPrincipalName, SuspiciousIP, SuspiciousSigninCountry, SuspiciousCountryPrevalence\\n| extend IPCustomEntity = SuspiciousIP, AccountCustomEntity = UserPrincipalName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"Persistence\"],\"displayName\":\"Anomalous login followed by Teams action\",\"description\":\"Detects anomalous IP address usage by user accounts and then checks to see if a suspicious Teams action is performed.\\nQuery calculates IP usage Delta for each user account and selects accounts where a delta \u003e= 90% is observed between the most and least used IP.\\nTo further reduce results the query performs a prevalence check on the lowest used IP\u0027s country, only keeping IP\u0027s where the country is unusual for the tenant (dynamic ranges)\\nFinally the user accounts activity within Teams logs is checked for suspicious commands (modifying user privileges or admin actions) during the period the suspicious IP was active.\",\"lastUpdatedDateUTC\":\"2022-03-21T00:00:00Z\",\"createdDateUTC\":\"2020-06-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fa118b98-de46-4e94-87f9-8e6d5060b60b\",\"name\":\"fa118b98-de46-4e94-87f9-8e6d5060b60b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MLBehaviorAnalytics\",\"properties\":{\"severity\":\"Medium\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Anomalous SSH Login Detection\",\"description\":\"This detection uses machine learning (ML) to identify anomalous Secure Shell (SSH) login activity, based on syslog data. Scenarios include:\\n\\n*\\tUnusual IP - This IP address has not or has rarely been seen in last 30 days.\\n*\\tUnusual Geo - The IP address, city, country and ASN have not (or rarely) been seen in last 30 days.\\n*\\tNew user - A new user logs in from an IP address and geo location, both or either of which are not expected to be seen in the last 30 days.\\n\\nAllow 7 days after this alert is enabled for Microsoft Sentinel to build a profile of normal activity for your environment.\\n\\nThis detection requires a specific configuration of the data source. [Learn more](https://docs.microsoft.com/en-us/azure/sentinel/connect-syslog#configure-the-syslog-connector-for-anomalous-ssh-login-detection)\\n\\nBy enabling this rule, you give Microsoft permission to copy ingested data outside of your Microsoft Sentinel workspace\u0027s geography as necessary for processing by the machine learning engine.\",\"lastUpdatedDateUTC\":\"2021-03-26T00:00:00Z\",\"createdDateUTC\":\"2019-08-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c094384d-7ea7-4091-83be-18706ecca981\",\"name\":\"c094384d-7ea7-4091-83be-18706ecca981\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.1\",\"severity\":\"Low\",\"query\":\"let minersDomains=dynamic([\\\"monerohash.com\\\", \\\"do-dear.com\\\", \\\"xmrminerpro.com\\\", \\\"secumine.net\\\", \\\"xmrpool.com\\\", \\\"minexmr.org\\\", \\\"hashanywhere.com\\\", \\n\\\"xmrget.com\\\", \\\"mininglottery.eu\\\", \\\"minergate.com\\\", \\\"moriaxmr.com\\\", \\\"multipooler.com\\\", \\\"moneropools.com\\\", \\\"xmrpool.eu\\\", \\\"coolmining.club\\\", \\n\\\"supportxmr.com\\\", \\\"minexmr.com\\\", \\\"hashvault.pro\\\", \\\"xmrpool.net\\\", \\\"crypto-pool.fr\\\", \\\"xmr.pt\\\", \\\"miner.rocks\\\", \\\"walpool.com\\\", \\\"herominers.com\\\", \\n\\\"gntl.co.uk\\\", \\\"semipool.com\\\", \\\"coinfoundry.org\\\", \\\"cryptoknight.cc\\\", \\\"fairhash.org\\\", \\\"baikalmine.com\\\", \\\"tubepool.xyz\\\", \\\"fairpool.xyz\\\", \\\"asiapool.io\\\", \\n\\\"coinpoolit.webhop.me\\\", \\\"nanopool.org\\\", \\\"moneropool.com\\\", \\\"miner.center\\\", \\\"prohash.net\\\", \\\"poolto.be\\\", \\\"cryptoescrow.eu\\\", \\\"monerominers.net\\\", \\\"cryptonotepool.org\\\", \\n\\\"extrmepool.org\\\", \\\"webcoin.me\\\", \\\"kippo.eu\\\", \\\"hashinvest.ws\\\", \\\"monero.farm\\\", \\\"supportxmr.com\\\", \\\"xmrpool.eu\\\", \\\"linux-repository-updates.com\\\", \\\"1gh.com\\\", \\n\\\"dwarfpool.com\\\", \\\"hash-to-coins.com\\\", \\\"hashvault.pro\\\", \\\"pool-proxy.com\\\", \\\"hashfor.cash\\\", \\\"fairpool.cloud\\\", \\\"litecoinpool.org\\\", \\\"mineshaft.ml\\\", \\\"abcxyz.stream\\\", \\n\\\"moneropool.ru\\\", \\\"cryptonotepool.org.uk\\\", \\\"extremepool.org\\\", \\\"extremehash.com\\\", \\\"hashinvest.net\\\", \\\"unipool.pro\\\", \\\"crypto-pools.org\\\", \\\"monero.net\\\", \\n\\\"backup-pool.com\\\", \\\"mooo.com\\\", \\\"freeyy.me\\\", \\\"cryptonight.net\\\", \\\"shscrypto.net\\\"]);\\n_Im_Dns(domain_has_any=minersDomains)\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"DNS events related to mining pools (ASIM DNS Schema)\",\"description\":\"Identifies IP addresses that may be performing DNS lookups associated with common currency mining pools.\\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema\",\"lastUpdatedDateUTC\":\"2022-04-10T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/99d589fa-7337-40d7-91a0-c96d0c4fa437\",\"name\":\"99d589fa-7337-40d7-91a0-c96d0c4fa437\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let core_domains = (SigninLogs\\n | where TimeGenerated \u003e ago(7d)\\n | where ResultType == 0\\n | extend domain = tolower(split(UserPrincipalName, \\\"@\\\")[1])\\n | summarize by tostring(domain));\\n let alternative_domains = (SigninLogs\\n | where TimeGenerated \u003e ago(7d)\\n | where isnotempty(AlternateSignInName)\\n | where ResultType == 0\\n | extend domain = tolower(split(AlternateSignInName, \\\"@\\\")[1])\\n | summarize by tostring(domain));\\n AuditLogs\\n | where TimeGenerated \u003e ago(1d)\\n | where OperationName =~ \\\"Add User\\\"\\n | extend AddingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend AddingSPN = tostring(parse_json(tostring(InitiatedBy.app)).servicePrincipalName)\\n | extend AddedBy = iif(isnotempty(AddingUser), AddingUser, AddingSPN)\\n | extend UserAdded = tostring(TargetResources[0].userPrincipalName)\\n | extend Domain = tolower(split(UserAdded, \\\"@\\\")[1])\\n | where Domain !in (core_domains) and Domain !in (alternative_domains)\\n | project-away AddingUser\\n | project-reorder TimeGenerated, UserAdded, Domain, AddedBy\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddedBy\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserAdded\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Account created from non-approved sources\",\"description\":\"This query looks for account being created from a domain that is not regularly seen in a tenant.\\n Attackers may attempt to add accounts from these sources as a means of establishing persistant access to an environment.\\n Created accounts should be investigated to ensure they were legitimated created.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#short-lived-accounts\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\",\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/15ae38a2-2e29-48f7-883f-863fb25a5a06\",\"name\":\"15ae38a2-2e29-48f7-883f-863fb25a5a06\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P8D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let starttime = 8d;\\nlet endtime = 1d;\\nlet threshold = 10;\\nDnsEvents \\n| where TimeGenerated \u003e ago(endtime)\\n| where Name contains \\\"in-addr.arpa\\\" \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), dcount(Name) by ClientIP\\n| where dcount_Name \u003e threshold\\n| project StartTimeUtc, EndTimeUtc, ClientIP , dcount_Name \\n| join kind=leftanti (DnsEvents \\n | where TimeGenerated between(ago(starttime)..ago(endtime))\\n | where Name contains \\\"in-addr.arpa\\\" \\n | summarize dcount(Name) by ClientIP, bin(TimeGenerated, 1d)\\n | where dcount_Name \u003e threshold\\n | project ClientIP , dcount_Name \\n) on ClientIP\\n| extend timestamp = StartTimeUtc, IPCustomEntity = ClientIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Discovery\"],\"displayName\":\"Rare client observed with high reverse DNS lookup count\",\"description\":\"Identifies clients with a high reverse DNS counts which could be carrying out reconnaissance or discovery activity.\\nAlert is generated if the IP performing such reverse DNS lookups was not seen doing so in the preceding 7-day period.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a7427ed7-04b4-4e3b-b323-08b981b9b4bf\",\"name\":\"a7427ed7-04b4-4e3b-b323-08b981b9b4bf\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.4.0\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\n let ioc_lookBack = 14d;\\n ThreatIntelligenceIndicator\\n | where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n | where Active == true\\n | where isnotempty(FileHashValue)\\n | extend FileHashValue = toupper(FileHashValue)\\n // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n | join kind=innerunique ( union isfuzzy=true \\n (SecurityEvent | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where EventID in (\\\"8003\\\",\\\"8002\\\",\\\"8005\\\")\\n | where isnotempty(FileHash)\\n | extend SecurityEvent_TimeGenerated = TimeGenerated, Event = EventID, FileHash = toupper(FileHash)\\n ),\\n (WindowsEvent | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where EventID in (\\\"8003\\\",\\\"8002\\\",\\\"8005\\\")\\n | where isnotempty(EventData.FileHash)\\n | extend SecurityEvent_TimeGenerated = TimeGenerated, Event = EventID, FileHash = toupper(EventData.FileHash)\\n )\\n )\\n on $left.FileHashValue == $right.FileHash\\n | where SecurityEvent_TimeGenerated \u003c ExpirationDateTime\\n | summarize SecurityEvent_TimeGenerated = arg_max(SecurityEvent_TimeGenerated, *) by IndicatorId, FileHash\\n | project SecurityEvent_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\n Process, FileHash, Computer, Account, Event, FileHashValue, FileHashType\\n | extend timestamp = SecurityEvent_TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Value\",\"columnName\":\"FileHashValue\"},{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashType\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map File Hash to Security Event\",\"description\":\"Identifies a match in Security Event data from any File Hash IOC from TI\",\"lastUpdatedDateUTC\":\"2022-07-07T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1bf6e165-5e32-420e-ab4f-0da8558a8be2\",\"name\":\"1bf6e165-5e32-420e-ab4f-0da8558a8be2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"// How far back to look for events from\\nlet timeframe = 1d;\\n// How close together build events and file modifications should occur to alert (make this smaller to reduce FPs)\\nlet time_window = 5m;\\n// Edit this to include build processes used\\nlet build_processes = dynamic([\\\"MSBuild.exe\\\", \\\"dotnet.exe\\\", \\\"VBCSCompiler.exe\\\"]);\\n// Include any processes that you want to allow to edit files during/around the build process\\nlet allow_list = dynamic([]);\\nDeviceProcessEvents\\n| where TimeGenerated \u003e ago(timeframe)\\n// Look for build process starts\\n| where FileName has_any (build_processes)\\n| summarize by BuildParentProcess=InitiatingProcessFileName, BuildProcess=FileName, BuildAccount = AccountName, DeviceName, BuildCommand=ProcessCommandLine, timekey= bin(TimeGenerated, time_window), BuildProcessTime=TimeGenerated\\n| join kind=inner(\\nDeviceFileEvents\\n| where TimeGenerated \u003e ago(timeframe)\\n| where InitiatingProcessFileName !in (allow_list)\\n| where ActionType == \\\"FileCreated\\\" or ActionType == \\\"FileModified\\\"\\n// Look for code files, edit this to include file extensions used in build.\\n| where FileName endswith \\\".cs\\\" or FileName endswith \\\".cpp\\\"\\n| summarize by FileEditParentProcess=InitiatingProcessParentFileName, FileEditAccount = InitiatingProcessAccountName, DeviceName, FileEdited=FileName, FileEditProcess=InitiatingProcessFileName, timekey= bin(TimeGenerated, time_window), FileEditTime=TimeGenerated)\\n// join where build processes and file modifications seen at same time on same host\\non timekey, DeviceName\\n// Limit to only where the file edit happens after the build process starts\\n| where BuildProcessTime \u003c= FileEditTime\\n| summarize make_set(FileEdited), make_set(FileEditProcess), make_set(FileEditAccount) by timekey, DeviceName, BuildParentProcess, BuildProcess\\n| extend HostCustomEntity=DeviceName, timestamp=timekey\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Potential Build Process Compromise - MDE\",\"description\":\"The query looks for source code files being modified immediately after a build process is started. The purpose of this is to look for malicious code injection during the build process. This query uses Microsoft Defender for Endpoint telemetry.\\nMore details: https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-the-software-supply-chain-with-azure-sentinel/ba-p/2176463\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\",\"DeviceFileEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/957cb240-f45d-4491-9ba5-93430a3c08be\",\"name\":\"957cb240-f45d-4491-9ba5-93430a3c08be\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Low\",\"query\":\"OfficeActivity\\n| where Operation in~ ( \\\"Add-MailboxPermission\\\", \\\"Add-MailboxFolderPermission\\\", \\\"Set-Mailbox\\\", \\\"New-ManagementRoleAssignment\\\", \\\"New-InboxRule\\\", \\\"Set-InboxRule\\\", \\\"Set-TransportRule\\\")\\nand not(UserId has_any (\u0027NT AUTHORITY\\\\\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\u0027, \u0027NT AUTHORITY\\\\\\\\SYSTEM (w3wp)\u0027, \u0027devilfish-applicationaccount\u0027) and Operation in~ ( \\\"Add-MailboxPermission\\\", \\\"Set-Mailbox\\\"))\\n| extend ClientIPOnly = tostring(extract_all(@\u0027\\\\[?(::ffff:)?(?P\u003cIPAddress\u003e(\\\\d+\\\\.\\\\d+\\\\.\\\\d+\\\\.\\\\d+)|[^\\\\]]+)\\\\]?\u0027, dynamic([\\\"IPAddress\\\"]), ClientIP)[0][0])\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = ClientIPOnly\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"Collection\"],\"displayName\":\"Rare and potentially high-risk Office operations\",\"description\":\"Identifies Office operations that are typically rare and can provide capabilities useful to attackers.\",\"lastUpdatedDateUTC\":\"2022-05-24T00:00:00Z\",\"createdDateUTC\":\"2019-02-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2fc5d810-c9cc-491a-b564-841427ae0e50\",\"name\":\"2fc5d810-c9cc-491a-b564-841427ae0e50\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @\u0027^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$\u0027;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique ( \\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e= ago(dt_lookBack) and isnotempty(TargetUserName)\\n//Normalizing the column to lower case for exact match with EmailSenderAddress column\\n| extend TargetUserName = tolower(TargetUserName)\\n// renaming timestamp column so it is clear the log this came from SecurityEvent table\\n| extend SecurityEvent_TimeGenerated = TimeGenerated\\n),\\n(WindowsEvent\\n| where TimeGenerated \u003e= ago(dt_lookBack) \\n| extend TargetUserName = tostring(EventData.TargetUserName) \\n| where isnotempty(TargetUserName)\\n//Normalizing the column to lower case for exact match with EmailSenderAddress column\\n| extend TargetUserName = tolower(TargetUserName)\\n// renaming timestamp column so it is clear the log this came from SecurityEvent table\\n| extend SecurityEvent_TimeGenerated = TimeGenerated\\n))\\n)\\non $left.EmailSenderAddress == $right.TargetUserName\\n| where SecurityEvent_TimeGenerated \u003c ExpirationDateTime\\n| summarize SecurityEvent_TimeGenerated = arg_max(SecurityEvent_TimeGenerated, *) by IndicatorId, TargetUserName\\n| project SecurityEvent_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, Computer, EventID, TargetUserName, Activity, IpAddress, AccountType,\\nLogonTypeName, LogonProcessName, Status, SubStatus\\n| extend\\ntimestamp = SecurityEvent_TimeGenerated,\\nAccountCustomEntity = TargetUserName,\\nIPCustomEntity = IpAddress,\\nHostCustomEntity = Computer,\\nURLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map Email entity to SecurityEvent\",\"description\":\"Identifies a match in SecurityEvent table from any Email IOC from TI\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/01f64465-b1ef-41ea-a7f5-31553a11ad43\",\"name\":\"01f64465-b1ef-41ea-a7f5-31553a11ad43\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Medium\",\"query\":\"let endpointData = \\n(union isfuzzy=true\\n(SecurityEvent\\n | where EventID == 4688\\n | extend shortFileName = tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n ),\\n (WindowsEvent\\n | where EventID == 4688\\n | extend NewProcessName = tostring(EventData.NewProcessName)\\n | extend shortFileName = tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n | extend TargetUserName = tostring(EventData.TargetUserName)\\n ));\\n// Correlate suspect executables seen in TrendMicro rule updates with similar activity on endpoints\\nCommonSecurityLog\\n| where DeviceVendor =~ \\\"Trend Micro\\\"\\n| where Activity =~ \\\"Deny List updated\\\" \\n| where RequestURL endswith \\\".exe\\\"\\n| project TimeGenerated, Activity , RequestURL , SourceIP, DestinationIP\\n| extend suspectExeName = tolower(tostring(split(RequestURL, \u0027/\u0027)[-1]))\\n| join (endpointData) on $left.suspectExeName == $right.shortFileName \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIP, AccountCustomEntity = TargetUserName, HostCustomEntity = Computer, URLCustomEntity = RequestURL\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"Network endpoint to host executable correlation\",\"description\":\"Correlates blocked URLs hosting [malicious] executables with host endpoint data\\nto identify potential instances of executables of the same name having been recently run.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2019-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"TrendMicro\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5efb0cfd-063d-417a-803b-562eae5b0301\",\"name\":\"5efb0cfd-063d-417a-803b-562eae5b0301\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 6h;\\n// Ignore Build/Releases with less/equal this number\\nlet ServiceConnectionThreshold = 3;\\n// New Connections need to exhibit execution of more \\\"new\\\" connections than this number.\\nlet NewConnectionThreshold = 1;\\n// List of Builds/Releases to ignore in your space\\nlet BypassDefIds = datatable(DefId:string, Type:string, ProjectName:string)\\n[\\n//\\\"103\\\", \\\"Release\\\", \\\"ProjectA\\\",\\n//\\\"42\\\", \\\"Release\\\", \\\"ProjectB\\\",\\n//\\\"122\\\", \\\"Build\\\", \\\"ProjectB\\\"\\n];\\nlet HistoricDefs = AzureDevOpsAuditing\\n| where TimeGenerated between (ago(starttime) .. ago(endtime))\\n| where OperationName == \\\"Library.ServiceConnectionExecuted\\\" \\n| extend DefId = tostring(Data.DefinitionId), Type = tostring(Data.PlanType), ConnectionId = tostring(Data.ConnectionId)\\n| summarize HistoricCount = dcount(tostring(ConnectionId)), ConnectionNames = make_set(tostring(Data.ConnectionName)) \\n by DefId = tostring(DefId), Type = tostring(Type), ProjectId, ProjectName, ActorUPN;\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e= ago(endtime)\\n| where OperationName == \\\"Library.ServiceConnectionExecuted\\\" \\n| extend DefId = tostring(Data.DefinitionId), Type = tostring(Data.PlanType), ConnectionId = tostring(Data.ConnectionId)\\n| parse ScopeDisplayName with OrganizationName \u0027 (Organization)\u0027\\n| summarize CurrentCount = dcount(tostring(ConnectionId)), ConnectionNames = make_set(tostring(Data.ConnectionName)), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) \\n by OrganizationName, DefId = tostring(DefId), Type = tostring(Type), ProjectId, ProjectName, ActorUPN\\n| where CurrentCount \u003e ServiceConnectionThreshold\\n| join (HistoricDefs) on ProjectId, DefId, Type, ActorUPN\\n| join kind=anti BypassDefIds on $left.DefId==$right.DefId and $left.Type == $right.Type and $left.ProjectName == $right.ProjectName\\n| extend link = iff(\\nType == \\\"Build\\\", strcat(\u0027https://dev.azure.com/\u0027, OrganizationName, \u0027/\u0027, ProjectName, \u0027/_build?definitionId=\u0027, DefId),\\nstrcat(\u0027https://dev.azure.com/\u0027, OrganizationName, \u0027/\u0027, ProjectName, \u0027/_release?_a=releases\u0026view=mine\u0026definitionId=\u0027, DefId))\\n| where CurrentCount \u003e= HistoricCount + NewConnectionThreshold\\n| project StartTime, OrganizationName, ProjectName, DefId, link, RecentDistinctServiceConnections = CurrentCount, HistoricDistinctServiceConnections = HistoricCount, \\n RecentConnections = ConnectionNames, HistoricConnections = ConnectionNames1, ActorUPN\\n| extend timestamp = StartTime, AccountCustomEntity = ActorUPN\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"Impact\"],\"displayName\":\"Azure DevOps Service Connection Addition/Abuse - Historic allow list\",\"description\":\"This detection builds an allow list of historic service connection use by Builds and Releases and compares to recent history, flagging growth of service connection use which are not manually included in the allow list and \\nnot historically included in the allow list Build/Release runs. This is to determine if someone is hijacking a build/release and adding many service connections in order to abuse or dump credentials from service connections.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2020-06-04T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3bd33158-3f0b-47e3-a50f-7c20a1b88038\",\"name\":\"3bd33158-3f0b-47e3-a50f-7c20a1b88038\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"let SpringShell_threats = dynamic([\\\"Trojan:Python/SpringShellExpl\\\", \\\"Exploit:Python/SpringShell\\\", \\\"Backdoor:PHP/Remoteshell.V\\\", \\\"SpringShell\\\"]);\\nDeviceInfo\\n| extend DeviceName = tolower(DeviceName)\\n| join kind=inner ( SecurityAlert\\n| where ProviderName == \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)\\n| where ThreatName in~ (SpringShell_threats) or ThreatFamilyName in~ (SpringShell_threats)\\n| extend CompromisedEntity = tolower(CompromisedEntity)\\n) on $left.DeviceName == $right.CompromisedEntity\\n| summarize by DisplayName, ThreatName, ThreatFamilyName, PublicIP, AlertSeverity, Description, tostring(LoggedOnUsers), DeviceId, TenantId , bin(TimeGenerated, 1d), CompromisedEntity, tostring(LoggedOnUsers), ProductName, Entities\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CompromisedEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"PublicIP\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"AV detections related to SpringShell Vulnerability\",\"description\":\"This query looks for Microsoft Defender AV detections related to SpringShell Vulnerability. In Microsoft Sentinel the SecurityAlerts table includes only the Device Name of the affected device, \\n this query joins the DeviceInfo table to clearly connect other information such as Device group, ip, logged on users etc. This would allow the Microsoft Sentinel analyst to have more context related to the alert, if available.\\n Reference: https://www.microsoft.com/security/blog/2022/04/04/springshell-rce-vulnerability-guidance-for-protecting-against-and-detecting-cve-2022-22965/\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-04-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b4ceb583-4c44-4555-8ecf-39f572e827ba\",\"name\":\"b4ceb583-4c44-4555-8ecf-39f572e827ba\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet scorethreshold = 1.5;\\nlet percentthreshold = 50;\\n// Preparing the time series data aggregated hourly count of MailItemsAccessd Operation in the form of multi-value array to use with time series anomaly function.\\nlet TimeSeriesData =\\nOfficeActivity\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where OfficeWorkload=~ \\\"Exchange\\\" and Operation =~ \\\"MailItemsAccessed\\\" and ResultStatus =~ \\\"Succeeded\\\"\\n| project TimeGenerated, Operation, MailboxOwnerUPN\\n| make-series Total=count() on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe;\\nlet TimeSeriesAlerts = TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(Total, scorethreshold, -1, \u0027linefit\u0027)\\n| mv-expand Total to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to typeof(double), baseline to typeof(long)\\n| where anomalies \u003e 0\\n| project TimeGenerated, Total, baseline, anomalies, score;\\n// Joining the flagged outlier from the previous step with the original dataset to present contextual information\\n// during the anomalyhour to analysts to conduct investigation or informed decisions.\\nTimeSeriesAlerts | where TimeGenerated \u003e ago(2d)\\n// Join against base logs since specified timeframe to retrive records associated with the hour of anomoly\\n| join (\\n OfficeActivity\\n | where TimeGenerated \u003e ago(2d)\\n | extend DateHour = bin(TimeGenerated, 1h)\\n | where OfficeWorkload=~ \\\"Exchange\\\" and Operation =~ \\\"MailItemsAccessed\\\" and ResultStatus =~ \\\"Succeeded\\\"\\n | summarize HourlyCount=count(), TimeGeneratedMax = arg_max(TimeGenerated, *), IPAdressList = make_set(Client_IPAddress), SourceIPMax= arg_max(Client_IPAddress, *), ClientInfoStringList= make_set(ClientInfoString) by MailboxOwnerUPN, Logon_Type, TenantId, UserType, TimeGenerated = bin(TimeGenerated, 1h) \\n | where HourlyCount \u003e 25 // Only considering operations with more than 25 hourly count to reduce False Positivies\\n | order by HourlyCount desc \\n) on TimeGenerated\\n| extend PercentofTotal = round(HourlyCount/Total, 2) * 100 \\n| where PercentofTotal \u003e percentthreshold // Filter Users with count of less than 5 percent of TotalEvents per Hour to remove FPs/ users with very low count of MailItemsAccessed events\\n| order by PercentofTotal desc \\n| project-reorder TimeGeneratedMax, Type, OfficeWorkload, Operation, UserId,SourceIPMax ,IPAdressList, ClientInfoStringList, HourlyCount, PercentofTotal, Total, baseline, score, anomalies\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserId\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"Collection\"],\"displayName\":\"Exchange workflow MailItemsAccessed operation anomaly\",\"description\":\"Identifies anomalous increases in Exchange mail items accessed operations.\\nThe query leverages KQL built-in anomaly detection algorithms to find large deviations from baseline patterns.\\nSudden increases in execution frequency of sensitive actions should be further investigated for malicious activity.\\nManually change scorethreshold from 1.5 to 3 or higher to reduce the noise based on outliers flagged from the query criteria.\\nRead more about MailItemsAccessed- https://docs.microsoft.com/microsoft-365/compliance/advanced-audit?view=o365-worldwide#mailitemsaccessed\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/00cb180c-08a8-4e55-a276-63fb1442d5b5\",\"name\":\"00cb180c-08a8-4e55-a276-63fb1442d5b5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let cmdTokens0 = dynamic([\u0027vbscript\u0027,\u0027jscript\u0027]);\\nlet cmdTokens1 = dynamic([\u0027mshtml\u0027,\u0027RunHTMLApplication\u0027]);\\nlet cmdTokens2 = dynamic([\u0027Execute\u0027,\u0027CreateObject\u0027,\u0027RegRead\u0027,\u0027window.close\u0027]);\\n(union isfuzzy=true \\n(SecurityEvent\\n| where TimeGenerated \u003e= ago(14d)\\n| where EventID == 4688\\n| where CommandLine has @\u0027\\\\Microsoft\\\\Windows\\\\CurrentVersion\u0027\\n| where not(CommandLine has_any (@\u0027\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\u0027, @\u0027\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\u0027))\\n// If you are receiving false positives, then it may help to make the query more strict by uncommenting one or both of the lines below to refine the matches\\n//| where CommandLine has_any (cmdTokens0)\\n//| where CommandLine has_all (cmdTokens1)\\n| where CommandLine has_all (cmdTokens2)\\n| project TimeGenerated, Computer, Account, Process, NewProcessName, CommandLine, ParentProcessName, _ResourceId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account\\n),\\n(WindowsEvent\\n| where TimeGenerated \u003e= ago(14d)\\n| where EventID == 4688 and EventData has_all(cmdTokens2) and EventData has @\u0027\\\\Microsoft\\\\Windows\\\\CurrentVersion\u0027\\n| where not(EventData has_any (@\u0027\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\u0027, @\u0027\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\u0027))\\n| extend CommandLine = tostring(EventData.CommandLine)\\n| where CommandLine has @\u0027\\\\Microsoft\\\\Windows\\\\CurrentVersion\u0027\\n| where not(CommandLine has_any (@\u0027\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\u0027, @\u0027\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\u0027))\\n// If you are receiving false positives, then it may help to make the query more strict by uncommenting one or both of the lines below to refine the matches\\n//| where CommandLine has_any (cmdTokens0)\\n//| where CommandLine has_all (cmdTokens1)\\n| where CommandLine has_all (cmdTokens2)\\n| extend Account = strcat(EventData.SubjectDomainName,\\\"\\\\\\\\\\\", EventData.SubjectUserName)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| extend ParentProcessName = tostring(EventData.ParentProcessName) \\n| project TimeGenerated, Computer, Account, Process, NewProcessName, CommandLine, ParentProcessName, _ResourceId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account))\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"NOBELIUM - Script payload stored in Registry\",\"description\":\"This query idenifies when a process execution commandline indicates that a registry value is written to allow for later execution a malicious script\\n References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-03-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3cc5ccd8-b416-4141-bb2d-4eba370e37a5\",\"name\":\"3cc5ccd8-b416-4141-bb2d-4eba370e37a5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Medium\",\"query\":\"let OMIVulnerabilityPatchVersion = \\\"OMIVulnerabilityPatchVersion:1.13.40-0\\\";\\nHeartbeat\\n| where Category == \\\"Direct Agent\\\"\\n| summarize arg_max(TimeGenerated,*) by Computer\\n| parse strcat(\\\"Version:\\\" , Version) with * \\\"Version:\\\" Major:long \\\".\\\"\\nMinor:long \\\".\\\" Patch:long \\\"-\\\" *\\n| parse OMIVulnerabilityPatchVersion with * \\\"OMIVulnerabilityPatchVersion:\\\"\\nOMIVersionMajor:long \\\".\\\" OMIVersionMinor:long \\\".\\\" OMIVersionPatch:long \\\"-\\\" *\\n| where Major \u003cOMIVersionMajor or (Major==OMIVersionMajor and Minor\\n\u003cOMIVersionMinor) or (Major==OMIVersionMajor and Minor==OMIVersionMinor and\\nPatch\u003cOMIVersionPatch) \\n| project Version, Major,Minor,Patch,\\nComputer,ComputerIP,OSType,OSName,ResourceId\",\"customDetails\":{\"HostIp\":\"ComputerIP\",\"OSType\":\"OSType\",\"OSName\":\"OSName\"},\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceId\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"OMI Vulnerability Exploitation\",\"description\":\"Following the September 14th, 2021 release of three Elevation of Privilege\\n(EoP) vulnerabilities (CVE-2021-38645, CVE-2021-38649, CVE-2021-38648) and one\\nunauthenticated Remote Code Execution (RCE) vulnerability (CVE-2021-38647) in\\nthe Open Management Infrastructure (OMI) Framework.\\nThis detection validates that any OMS-agent that is reporting to the Microsoft\\nSentinel workspace is updated with the patch. The detection will go over the\\nheartbeats received from all agents over the last day and will create alert\\nfor those agents who are not updated.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2021-09-23T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c1c66f0b-5531-4a3e-a619-9d2f770ef730\",\"name\":\"c1c66f0b-5531-4a3e-a619-9d2f770ef730\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n | where TimeGenerated between(ago(14d)..ago(1d))\\n | where OperationName =~ \\\"Add member to role completed (PIM activation)\\\"\\n | where Result =~ \\\"success\\\"\\n | extend ElevatedUser = tostring(TargetResources[2].userPrincipalName)\\n | extend displayName = tostring(TargetResources[0].displayName)\\n | extend displayName2 = tostring(TargetResources[3].displayName)\\n | extend ElevatedRole = iif(displayName =~ \\\"Member\\\", displayName2, displayName)\\n | join kind = rightanti (AuditLogs\\n | where TimeGenerated \u003e ago(1d)\\n | where OperationName =~ \\\"Add member to role completed (PIM activation)\\\"\\n | where Result =~ \\\"success\\\"\\n | extend ElevatedUser = tostring(TargetResources[2].userPrincipalName)\\n | extend displayName = tostring(TargetResources[0].displayName)\\n | extend displayName2 = tostring(TargetResources[3].displayName)\\n | extend ElevatedRole = iif(displayName =~ \\\"Member\\\", displayName2, displayName)\\n | extend ElevatedBy = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)) on ElevatedRole, ElevatedUser\\n | project-reorder ElevatedUser, ElevatedRole, ResultReason,ElevatedBy\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ElevatedUser\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ElevatedBy\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Account Elevated to New Role\",\"description\":\"Detects an account that is elevated to a new role where that account has not had that role in the last 14 days.\\n Role elevations are a key mechanism for gaining permissions, monitoring which users have which roles, and for anomalies in those roles is useful for finding suspicious activity.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d0c82b7f-40b2-4180-a4d6-7aa0541b7599\",\"name\":\"d0c82b7f-40b2-4180-a4d6-7aa0541b7599\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let threshold = 3;\\nPulseConnectSecure\\n| where Messages contains \\\"Unauthenticated request url /dana-na/\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by Source_IP\\n| where count_ \u003e threshold\\n| extend timestamp = StartTime, IPCustomEntity = Source_IP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"PulseConnectSecure - CVE-2021-22893 Possible Pulse Connect Secure RCE Vulnerability Attack\",\"description\":\"This query identifies exploitation attempts using Pulse Connect Secure(PCS) vulnerability (CVE-2021-22893) to the VPN server\",\"lastUpdatedDateUTC\":\"2022-05-11T00:00:00Z\",\"createdDateUTC\":\"2022-05-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PulseConnectSecure\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bf0cde21-0c41-48f6-a40c-6b5bd71fa106\",\"name\":\"bf0cde21-0c41-48f6-a40c-6b5bd71fa106\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"AWSGuardDuty | extend tokens = split(ActivityType,\\\":\\\") | extend ThreatPurpose = tokens[0], tokens= split(tokens[1],\\\"/\\\") | extend ResourceTypeAffected = tokens[0], ThreatFamilyName= tokens[1] | extend UniqueFindingId = Id | extend AWSAcoundId = AccountId | project-away tokens,ActivityType, Id, AccountId | project-away TimeGenerated, TenantId, SchemaVersion, Region, Partition | extend Severity= iff(Severity between (7.0..8.9),\\\"High\\\",iff(Severity between (4.0..6.9), \\\"Medium\\\", iff(Severity between (1.0..3.9),\\\"Low\\\",\\\"Unknown\\\")))\",\"customDetails\":{\"ThreatPurpose\":\"ThreatPurpose\",\"ResourceTypeAffected\":\"ResourceTypeAffected\",\"UniqueFindingId\":\"UniqueFindingId\"},\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"Arn\"},{\"identifier\":\"ObjectGuid\",\"columnName\":\"AWSAcoundId\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"{{Title}}\",\"alertDescriptionFormat\":\"{{Description}}\",\"alertTacticsColumnName\":\"ThreatPurpose\",\"alertSeverityColumnName\":\"Severity\"},\"displayName\":\"AWS Guard Duty Alert\",\"description\":\"Amazon GuardDuty is a threat detection service that continuously monitors your AWS accounts and workloads for malicious activity and delivers detailed security findings for visibility and remediation. This templates create an alert for each Amazon GuardDuty finding.\",\"lastUpdatedDateUTC\":\"2022-02-08T00:00:00Z\",\"createdDateUTC\":\"2021-11-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSGuardDuty\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b6685757-3ed1-4b05-a5bd-2cacadc86c2a\",\"name\":\"b6685757-3ed1-4b05-a5bd-2cacadc86c2a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"High\",\"query\":\"let UA_threats = dynamic([\\\"FoxBlade\\\", \\\"WhisperGate\\\", \\\"Lasainraw\\\", \\\"SonicVote\\\"]);\\n SecurityAlert\\n | where ProviderName == \\\"MDATP\\\"\\n | extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)\\n | where ThreatFamilyName in (UA_threats)\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CompromisedEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"AV detections related to Ukraine threats\",\"description\":\"This query looks for Microsoft Defender AV detections for malware observed in relation to the war in Ukraine.\\n Ref: https://msrc-blog.microsoft.com/2022/02/28/analysis-resources-cyber-threat-activity-ukraine/ \",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-03-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cf3ede88-a429-493b-9108-3e46d3c741f7\",\"name\":\"cf3ede88-a429-493b-9108-3e46d3c741f7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let timeRange = 6h;\\nlet authenticationWindow = 1h;\\nlet authenticationThreshold = 5;\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeRange)\\n| where EventID == 4624 or EventID == 4625\\n| where IpAddress != \\\"-\\\" and isnotempty(Account)\\n| extend Outcome = iff(EventID == 4624, \\\"Success\\\", \\\"Failure\\\")\\n// bin outcomes into 5 minute windows to reduce the volume of data\\n| summarize OutcomeCount=count() by Account, IpAddress, Computer, Outcome, bin(TimeGenerated, 5m)\\n| project TimeGenerated, Account, IpAddress, Computer, Outcome, OutcomeCount\\n// sort ready for sessionizing - by account and time of the authentication outcome\\n| sort by Account asc, TimeGenerated asc\\n| serialize \\n// sessionize into failure groupings until either the account changes or there is a success\\n| extend SessionStartedUtc = row_window_session(TimeGenerated, timeRange, authenticationWindow, Account != prev(Account) or prev(Outcome) == \\\"Success\\\")\\n// count the failures in each session\\n| summarize FailureCountBeforeSuccess=sumif(OutcomeCount, Outcome == \\\"Failure\\\"), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), makelist(Outcome), makeset(Computer), makeset(IpAddress) by SessionStartedUtc, Account\\n// the session must not start with a success, and must end with one\\n| where array_index_of(list_Outcome, \\\"Success\\\") != 0\\n| where array_index_of(list_Outcome, \\\"Success\\\") == array_length(list_Outcome) - 1\\n| project-away SessionStartedUtc, list_Outcome \\n// where the number of failures before the success is above the threshold \\n| where FailureCountBeforeSuccess \u003e= authenticationThreshold\\n// expand out ip and computer for customer entity assignment\\n| mvexpand set_IpAddress, set_Computer\\n| extend IpAddress = tostring(set_IpAddress), Computer = tostring(set_Computer)\\n| extend timestamp=StartTime, AccountCustomEntity=Account, HostCustomEntity=Computer, IPCustomEntity=IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"SecurityEvent - Multiple authentication failures followed by a success\",\"description\":\"Identifies accounts who have failed to logon to the domain multiple times in a row, followed by a successful authentication\\nwithin a short time frame. Multiple failed attempts followed by a success can be an indication of a brute force attempt or\\npossible mis-configuration of a service account within an environment.\\nThe lookback is set to 6h and the authentication window and threshold are set to 1h and 5, meaning we need to see a minimum\\nof 5 failures followed by a success for an account within 1 hour to surface an alert.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-04-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cecdbd4c-4902-403c-8d4b-32eb1efe460b\",\"name\":\"cecdbd4c-4902-403c-8d4b-32eb1efe460b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.4.1\",\"severity\":\"High\",\"query\":\"let domains = dynamic([\\\"incomeupdate.com\\\",\\\"zupertech.com\\\",\\\"databasegalore.com\\\",\\\"panhardware.com\\\",\\\"avsvmcloud.com\\\",\\\"digitalcollege.org\\\",\\\"freescanonline.com\\\",\\\"deftsecurity.com\\\",\\\"thedoccloud.com\\\",\\\"virtualdataserver.com\\\",\\\"lcomputers.com\\\",\\\"webcodez.com\\\",\\\"globalnetworkissues.com\\\",\\\"kubecloud.com\\\",\\\"seobundlekit.com\\\",\\\"solartrackingsystem.net\\\",\\\"virtualwebdata.com\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n | parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n | where DNSName in~ (domains) or DestinationHostName has_any (domains) or RequestURL has_any(domains)\\n | extend AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName, IPCustomEntity = SourceIP\\n ),\\n(_Im_Dns (domain_has_any=domains)\\n | extend DNSName = DnsQuery\\n | extend IPCustomEntity = SrcIpAddr\\n ),\\n(VMConnection \\n | parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n | where isnotempty(DNSName)\\n | where DNSName in~ (domains)\\n | extend IPCustomEntity = RemoteIp\\n ),\\n(DeviceNetworkEvents \\n | where isnotempty(RemoteUrl) \\n | where RemoteUrl has_any (domains) \\n | extend DNSName = RemoteUrl\\n | extend IPCustomEntity = RemoteIP \\n | extend HostCustomEntity = DeviceName \\n ),\\n(AzureDiagnostics \\n | where ResourceType == \\\"AZUREFIREWALLS\\\"\\n | where Category == \\\"AzureFirewallApplicationRule\\\"\\n | parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n | where isnotempty(DestinationHost)\\n | where DestinationHost has_any (domains) \\n | extend DNSName = DestinationHost \\n | extend IPCustomEntity = SourceHost\\n ) \\n )\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"DNSName\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Solorigate Network Beacon\",\"description\":\"Identifies a match across various data feeds for domains IOCs related to the Solorigate incident.\\n References: https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/, \\n https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html?1\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2020-12-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2790795b-7dba-483e-853f-44aa0bc9c985\",\"name\":\"2790795b-7dba-483e-853f-44aa0bc9c985\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"CommonSecurityLog\\n| where DeviceProduct =~ \\\"Wazuh\\\"\\n| where Activity has \\\"Web server 400 error code.\\\"\\n| where Message has \\\"403\\\"\\n| extend HostName=substring(split(DeviceCustomString1,\\\")\\\")[0],1)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), NumberOfErrors = dcount(SourceIP) by HostName, SourceIP\\n| where NumberOfErrors \u003e 400\\n| sort by NumberOfErrors desc\\n| extend timestamp = StartTime, HostCustomEntity = HostName, IPCustomEntity = SourceIP\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Wazuh - Large Number of Web errors from an IP\",\"description\":\"Identifies instances where Wazuh logged over 400 \u0027403\u0027 Web Errors from one IP Address. To onboard Wazuh data into Sentinel please view: https://github.com/wazuh/wazuh-documentation/blob/master/source/azure/monitoring%20activity.rst\",\"lastUpdatedDateUTC\":\"2022-01-16T00:00:00Z\",\"createdDateUTC\":\"2020-04-21T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/78979d32-e63f-4740-b206-cfb300c735e0\",\"name\":\"78979d32-e63f-4740-b206-cfb300c735e0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n ProofpointPOD \\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(SrcIpAddr)\\n | extend ProofpointPOD_TimeGenerated = TimeGenerated, ClientIP = SrcIpAddr\\n )\\non $left.TI_ipEntity == $right.ClientIP\\n| where ProofpointPOD_TimeGenerated \u003c ExpirationDateTime\\n| summarize ProofpointPOD_TimeGenerated = arg_max(ProofpointPOD_TimeGenerated, *) by IndicatorId, ClientIP\\n| project ProofpointPOD_TimeGenerated, SrcUserUpn, DstUserUpn, SrcIpAddr, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, ClientIP\\n| extend timestamp = ProofpointPOD_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SrcUserUpn\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]}],\"tactics\":[\"Exfiltration\",\"InitialAccess\"],\"displayName\":\"ProofpointPOD - Email sender IP in TI list\",\"description\":\"Email sender IP in TI list.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_maillog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2b328487-162d-4034-b472-59f1d53684a1\",\"name\":\"2b328487-162d-4034-b472-59f1d53684a1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let timeframe = 15m;\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(timeframe)\\n| where HttpUserAgentOriginal == \u0027\u0027\\n| extend Message = \\\"Empty User Agent\\\"\\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated\\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - Empty User Agent Detected\",\"description\":\"Rule helps to detect empty and unusual user agent indicating web browsing activity by an unusual process other than a web browser.\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a22740ec-fc1e-4c91-8de6-c29c6450ad00\",\"name\":\"a22740ec-fc1e-4c91-8de6-c29c6450ad00\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let aadFunc = (tableName:string){\\ntable(tableName)\\n| where ResultType == 500121\\n| where Status has \\\"MFA Denied; user declined the authentication\\\" or Status has \\\"MFA denied; Phone App Reported Fraud\\\"\\n| extend Type = Type\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress, URLCustomEntity = ClientAppUsed\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Explicit MFA Deny\",\"description\":\"User explicitly denies MFA push, indicating that login was not expected and the account\u0027s password may be compromised.\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2020-10-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}}]}", + "Content": "{\"value\":[{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/500c103a-0319-4d56-8e99-3cec8d860757\",\"name\":\"500c103a-0319-4d56-8e99-3cec8d860757\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.1.3\",\"severity\":\"Medium\",\"query\":\"let aadFunc = (tableName: string) {\\nlet failed_signins = table(tableName)\\n| where ResultType == \\\"50057\\\"\\n| where ResultDescription == \\\"User account is disabled. The account has been disabled by an administrator.\\\";\\nlet disabled_users = failed_signins | summarize by UserPrincipalName;\\ntable(tableName)\\n | where ResultType == 0\\n | where isnotempty(UserPrincipalName)\\n | where UserPrincipalName !in (disabled_users)\\n| summarize\\n successfulAccountsTargettedCount = dcount(UserPrincipalName),\\n successfulAccountSigninSet = make_set(UserPrincipalName, 100),\\n successfulApplicationSet = make_set(AppDisplayName, 100)\\n by IPAddress, Type\\n // Assume IPs associated with sign-ins from 100+ distinct user accounts are safe\\n | where successfulAccountsTargettedCount \u003c 50\\n | where isnotempty(successfulAccountsTargettedCount)\\n | join kind=inner (failed_signins\\n| summarize\\n StartTime = min(TimeGenerated),\\n EndTime = max(TimeGenerated),\\n totalDisabledAccountLoginAttempts = count(),\\n disabledAccountsTargettedCount = dcount(UserPrincipalName),\\n applicationsTargeted = dcount(AppDisplayName),\\n disabledAccountSet = make_set(UserPrincipalName, 100),\\n disabledApplicationSet = make_set(AppDisplayName, 100)\\nby IPAddress, Type\\n| order by totalDisabledAccountLoginAttempts desc) on IPAddress\\n| project StartTime, EndTime, IPAddress, totalDisabledAccountLoginAttempts, disabledAccountsTargettedCount, disabledAccountSet, disabledApplicationSet, successfulApplicationSet, successfulAccountsTargettedCount, successfulAccountSigninSet, Type\\n| order by totalDisabledAccountLoginAttempts};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\\n| join kind=leftouter (\\n BehaviorAnalytics\\n | where ActivityType in (\\\"FailedLogOn\\\", \\\"LogOn\\\")\\n | where EventSource =~ \\\"Azure AD\\\"\\n | project UsersInsights, DevicesInsights, ActivityInsights, InvestigationPriority, SourceIPAddress, UserPrincipalName\\n | project-rename IPAddress = SourceIPAddress\\n | summarize\\n Users = make_set(UserPrincipalName, 100),\\n UsersInsights = make_set(UsersInsights, 100),\\n DevicesInsights = make_set(DevicesInsights, 100),\\n IPInvestigationPriority = sum(InvestigationPriority)\\n by IPAddress\\n) on IPAddress\\n| extend SFRatio = toreal(toreal(disabledAccountsTargettedCount)/toreal(successfulAccountsTargettedCount))\\n| where SFRatio \u003e= 0.5\\n| sort by IPInvestigationPriority desc\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]}],\"tactics\":[\"InitialAccess\",\"Persistence\"],\"displayName\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts\",\"description\":\"Identifies IPs with failed attempts to sign in to one or more disabled accounts using the IP through which successful signins from other accounts have happened.\\nThis could indicate an attacker who obtained credentials for a list of accounts and is attempting to login with those accounts, some of which may have already been disabled.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50057 - User account is disabled. The account has been disabled by an administrator.\\nThis query has also been updated to include UEBA logs IdentityInfo and BehaviorAnalytics for contextual information around the results.\",\"lastUpdatedDateUTC\":\"2023-11-23T00:00:00Z\",\"createdDateUTC\":\"2019-02-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"BehaviorAnalytics\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e147e4dc-849c-49e9-9e8b-db4581951ff4\",\"name\":\"e147e4dc-849c-49e9-9e8b-db4581951ff4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"let baseline_time = 14d;\\nlet detection_time = 1h;\\nDynamics365Activity\\n| where TimeGenerated between(ago(baseline_time)..ago(detection_time))\\n| where UserType =~ \u0027admin\u0027\\n| extend Message = tostring(split(OriginalObjectId, \u0027 \u0027)[0])\\n| summarize by UserId\\n| join kind=rightanti\\n(Dynamics365Activity\\n| where TimeGenerated \u003e ago(detection_time)\\n| where UserType =~ \u0027admin\u0027)\\non UserId\\n| summarize Actions = make_set(Message), MostRecentAction = max(TimeGenerated), IPs=make_set(ClientIP), UserAgents = make_set(UserAgent) by UserId\\n| extend timestamp = MostRecentAction, AccountCustomEntity = UserId\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"New Dynamics 365 Admin Activity\",\"description\":\"Detects users conducting administrative activity in Dynamics 365 where they have not had admin rights before.\",\"lastUpdatedDateUTC\":\"2022-12-12T00:00:00Z\",\"createdDateUTC\":\"2021-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Dynamics365\",\"dataTypes\":[\"Dynamics365Activity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ba144bf8-75b8-406f-9420-ed74397f9479\",\"name\":\"ba144bf8-75b8-406f-9420-ed74397f9479\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Medium\",\"query\":\"//Set a threshold of failed AAD signins from an IP address within 1 day above which we want to deem those logins suspicious.\\nlet signin_threshold = 5; \\n//Make a list of IPs with AAD signin failures above our threshold.\\nlet aadFunc = (tableName:string){\\nlet suspicious_signins = \\n table(tableName)\\n //Looking for logon failure results\\n | where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n //Exclude localhost addresses to reduce the chance of FPs\\n | where IPAddress !in (\\\"127.0.0.1\\\", \\\"::1\\\")\\n | summarize count() by IPAddress\\n | where count_ \u003e signin_threshold\\n | summarize make_set(IPAddress);\\n suspicious_signins\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nlet suspicious_signins = \\nunion isfuzzy=true aadSignin, aadNonInt\\n| summarize make_set(set_IPAddress);\\n//See if any of those IPs have sucessfully logged into PA VPNs during the same timeperiod\\nCommonSecurityLog\\n //Select only PA VPN sucessful logons\\n | where DeviceVendor == \\\"Palo Alto Networks\\\" and DeviceEventClassID == \\\"globalprotect\\\"\\n | where Message has \\\"GlobalProtect gateway user authentication succeeded\\\"\\n //Parse out the logon source IP from the Message field to match on\\n | extend SourceIP = extract(\\\"Login from: ([^,]+)\\\", 1, Message) \\n | where SourceIP in (suspicious_signins)\\n | extend Reason = \\\"Multiple failed AAD logins from SourceIP\\\"\\n //Parse out other useful information from Message field\\n | extend User = extract(\u0027User name: ([^,]+)\u0027, 1, Message) \\n | extend ClientOS = extract(\u0027Client OS version: ([^,\\\\\\\"]+)\u0027, 1, Message)\\n | extend Location = extract(\u0027Source region: ([^,]{2})\u0027,1, Message)\\n | project TimeGenerated, Reason, SourceIP, User, ClientOS, Location, Message, DeviceName, ReceiptTime, DeviceVendor, DeviceEventClassID, Computer, FileName\\n | extend timestamp = TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"User\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"DeviceName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]}],\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"IP with multiple failed Microsoft Entra ID logins successfully logs in to Palo Alto VPN\",\"description\":\"This query creates a list of IP addresses with the number of failed login attempts to Entra ID \\nabove a set threshold ( default of 5 ). It then looks for any successful Palo Alto VPN logins from any of these IPs within the same timeframe.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2019-09-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/24f8c234-d1ff-40ec-8b73-96b17a3a9c1c\",\"name\":\"24f8c234-d1ff-40ec-8b73-96b17a3a9c1c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.8\",\"severity\":\"Low\",\"query\":\"let DistinctSecretsThreshold = 10;\\nlet EventCountThreshold = 50;\\n// To avoid any False Positives, filtering using AppId is recommended.\\n// The AppId 509e4652-da8d-478d-a730-e9d4a1996ca4 has been added in the query as it corresponds to Azure Resource Graph performing VaultGet operations for indexing and syncing all tracked resources across Azure.\\n// The AppId 8cae6e77-e04e-42ce-b5cb-50d82bce26b1 has been added as it correspond to Microsoft Policy Insights Provider Data Plane performing VaultGet operations for policies checks.\\nlet AllowedAppId = dynamic([\\\"509e4652-da8d-478d-a730-e9d4a1996ca4\\\",\\\"8cae6e77-e04e-42ce-b5cb-50d82bce26b1\\\"]);\\nlet OperationList = dynamic([\\\"SecretGet\\\", \\\"KeyGet\\\", \\\"VaultGet\\\"]);\\nAzureDiagnostics\\n| where OperationName in (OperationList) and ResourceType =~ \\\"VAULTS\\\"\\n| where not(identity_claim_appid_g in (AllowedAppId) and OperationName == \u0027VaultGet\u0027)\\n| extend\\n ResourceId,\\n ResultType = column_ifexists(\\\"ResultType\\\", \\\"\\\"),\\n identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = column_ifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"\\\"),\\n identity_claim_http_schemas_xmlsoap_org_ws_2005_05_identity_claims_upn_s = column_ifexists(\\\"identity_claim_http_schemas_xmlsoap_org_ws_2005_05_identity_claims_upn_s\\\", \\\"\\\"),\\n identity_claim_oid_g = column_ifexists(\\\"identity_claim_oid_g\\\", \\\"\\\"),\\n identity_claim_upn_s = column_ifexists(\\\"identity_claim_upn_s\\\", \\\"\\\")\\n| extend\\n CallerObjectId = iff(isempty(identity_claim_oid_g), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, identity_claim_oid_g),\\n CallerObjectUPN = iff(isempty(identity_claim_upn_s), identity_claim_http_schemas_xmlsoap_org_ws_2005_05_identity_claims_upn_s, identity_claim_upn_s)\\n| as _Retrievals\\n| where CallerObjectId in (toscalar(\\n _Retrievals\\n | where ResultType == \\\"Success\\\"\\n | summarize Count = dcount(requestUri_s) by OperationName, CallerObjectId\\n | where Count \u003e DistinctSecretsThreshold\\n | summarize make_set(CallerObjectId,10000)\\n))\\n| extend\\n requestUri_s = column_ifexists(\\\"requestUri_s\\\", \\\"\\\"),\\n id_s = column_ifexists(\\\"id_s\\\", \\\"\\\"),\\n CallerIPAddress = column_ifexists(\\\"CallerIPAddress\\\", \\\"\\\"),\\n clientInfo_s = column_ifexists(\\\"clientInfo_s\\\", \\\"\\\")\\n| summarize\\n EventCount = count(),\\n StartTime = min(TimeGenerated),\\n EndTime = max(TimeGenerated),\\n ResourceList = make_set(Resource, 50),\\n OperationNameList = make_set(OperationName, 50),\\n RequestURLList = make_set(requestUri_s, 50),\\n ResourceId = max(ResourceId),\\n CallerIPList = make_set(CallerIPAddress, 50),\\n clientInfo_sList = make_set(clientInfo_s, 50),\\n CallerIPMax = max(CallerIPAddress)\\n by ResourceType, ResultType, identity_claim_appid_g, CallerObjectId, CallerObjectUPN\\n | where EventCount \u003e EventCountThreshold\\n| project-reorder StartTime, EndTime, EventCount, ResourceId,ResourceType,identity_claim_appid_g, CallerObjectId, CallerObjectUPN, ResultType, ResourceList, OperationNameList, RequestURLList, CallerIPList, clientInfo_sList\\n| extend timestamp = EndTime\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"CallerObjectId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"CallerIPMax\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Mass secret retrieval from Azure Key Vault\",\"description\":\"Identifies mass secret retrieval from Azure Key Vault observed by a single user. \\nMass secret retrival crossing a certain threshold is an indication of credential dump operations or mis-configured applications. \\nYou can tweak the EventCountThreshold based on average count seen in your environment and also filter any known sources (IP/Account) and useragent combinations based on historical analysis to further reduce noise\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2019-07-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureKeyVault\",\"dataTypes\":[\"KeyVaultData\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a7564d76-ec6b-4519-a66b-fcc80c42332b\",\"name\":\"a7564d76-ec6b-4519-a66b-fcc80c42332b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.7\",\"severity\":\"Medium\",\"query\":\"let WellKnownLocalSID = \\\"S-1-5-32-5[0-9][0-9]$\\\";\\nlet WellKnownGroupSID = \\\"S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\\\";\\nlet GroupAddition = (union isfuzzy=true \\n(SecurityEvent \\n// 4728 - A member was added to a security-enabled global group\\n// 4732 - A member was added to a security-enabled local group\\n// 4756 - A member was added to a security-enabled universal group \\n| where EventID in (\\\"4728\\\", \\\"4732\\\", \\\"4756\\\")\\n| where AccountType =~ \\\"User\\\"\\n// Exclude Remote Desktop Users group: S-1-5-32-555\\n| where TargetSid !in (\\\"S-1-5-32-555\\\")\\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID\\n| project GroupAddTime = TimeGenerated, GroupAddEventID = EventID, GroupAddActivity = Activity, GroupAddComputer = Computer, \\nGroupAddTargetAccount = TargetAccount, GroupAddTargetUserName = TargetUserName, GroupAddTargetDomainName = TargetDomainName, GroupAddTargetSid = TargetSid, \\nGroupAddSubjectAccount = SubjectAccount, GroupAddSubjectUserName = SubjectUserName, GroupAddSubjectDomainName = SubjectDomainName, GroupAddSubjectUserSid = SubjectUserSid, \\nGroupSid = MemberSid\\n),\\n(\\nWindowsEvent \\n// 4728 - A member was added to a security-enabled global group\\n// 4732 - A member was added to a security-enabled local group\\n// 4756 - A member was added to a security-enabled universal group \\n| where EventID in (\\\"4728\\\", \\\"4732\\\", \\\"4756\\\") and not(EventData has \\\"S-1-5-32-555\\\")\\n| extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend AccountType=case(Account endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n| extend MemberName = tostring(EventData.MemberName)\\n| where AccountType =~ \\\"User\\\"\\n// Exclude Remote Desktop Users group: S-1-5-32-555\\n| extend TargetSid = tostring(EventData.TargetSid)\\n| where TargetSid !in (\\\"S-1-5-32-555\\\")\\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID\\n| extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| extend MemberSid = tostring(EventData.MemberSid)\\n| extend Activity= \\\"GroupAddActivity\\\"\\n| project GroupAddTime = TimeGenerated, GroupAddEventID = EventID, GroupAddActivity = Activity, GroupAddComputer = Computer, \\nGroupAddTargetAccount = TargetAccount, GroupAddTargetUserName = tostring(EventData.TargetUserName), GroupAddTargetDomainName = tostring(EventData.TargetDomainName), GroupAddTargetSid = TargetSid, \\nGroupAddSubjectAccount = Account, GroupAddSubjectUserName = tostring(EventData.SubjectUserName), GroupAddSubjectDomainName = tostring(EventData.SubjectDomainName), GroupAddSubjectUserSid = SubjectUserSid, \\nGroupSid = MemberSid\\n));\\nlet GroupCreated = (union isfuzzy=true \\n(SecurityEvent\\n// 4727 - A security-enabled global group was created\\n// 4731 - A security-enabled local group was created\\n// 4754 - A security-enabled universal group was created\\n| where EventID in (\\\"4727\\\", \\\"4731\\\", \\\"4754\\\")\\n| where AccountType =~ \\\"User\\\"\\n| project GroupCreateTime = TimeGenerated, GroupCreateEventID = EventID, GroupCreateActivity = Activity, GroupCreateComputer = Computer, \\nGroupCreateTargetAccount = TargetAccount, GroupCreateTargetUserName = TargetUserName, GroupCreateTargetDomainName = TargetDomainName,\\nGroupCreateSubjectAccount = SubjectAccount, GroupCreateSubjectUserName = SubjectUserName, GroupCreateSubjectDomainName = SubjectDomainName, GroupCreateSubjectUserSid = SubjectUserSid, \\nGroupSid = TargetSid\\n),\\n(WindowsEvent\\n// 4727 - A security-enabled global group was created\\n// 4731 - A security-enabled local group was created\\n// 4754 - A security-enabled universal group was created\\n| where EventID in (\\\"4727\\\", \\\"4731\\\", \\\"4754\\\")\\n| extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend AccountType=case(Account endswith \\\"$\\\", \\\"Machine\\\", iff(SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", iff(isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")))\\n| where AccountType =~ \\\"User\\\"\\n| extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| extend SubjectAccount = strcat(EventData.SubjectDomainName,\\\"\\\\\\\\\\\", EventData.SubjectUserName) \\n| extend TargetSid = tostring(EventData.TargetSid) \\n| extend Activity= \\\"GroupAddActivity\\\"\\n| project GroupCreateTime = TimeGenerated, GroupCreateEventID = EventID, GroupCreateActivity = Activity, GroupCreateComputer = Computer, \\nGroupCreateTargetAccount = TargetAccount, GroupCreateTargetUserName = tostring(EventData.TargetUserName), GroupCreateTargetDomainName = tostring(EventData.TargetDomainName), \\nGroupCreateSubjectAccount = SubjectAccount, GroupCreateSubjectUserName = tostring(EventData.SubjectUserName), GroupCreateSubjectDomainName = tostring(EventData.SubjectDomainName),GroupCreateSubjectUserSid = SubjectUserSid, \\nGroupSid = TargetSid\\n));\\nGroupCreated\\n| join (\\nGroupAddition\\n) on GroupSid\\n| extend GroupCreateHostName = tostring(split(GroupCreateComputer , \\\".\\\")[0]), DomainIndex = toint(indexof(GroupCreateComputer , \u0027.\u0027))\\n| extend GroupCreateHostNameDomain = iff(DomainIndex != -1, substring(GroupCreateComputer , DomainIndex + 1), GroupCreateComputer)\\n| extend GroupAddHostName = tostring(split(GroupAddComputer , \\\".\\\")[0]), DomainIndex = toint(indexof(GroupAddComputer , \u0027.\u0027))\\n| extend GroupAddHostNameDomain = iff(DomainIndex != -1, substring(GroupAddComputer , DomainIndex + 1), GroupAddComputer)\\n| project-away DomainIndex\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"GroupCreateSubjectAccount\"},{\"identifier\":\"Name\",\"columnName\":\"GroupCreateSubjectUserName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"GroupCreateSubjectDomainName\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"GroupCreateTargetAccount\"},{\"identifier\":\"Name\",\"columnName\":\"GroupAddSubjectUserName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"GroupAddSubjectDomainName\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"GroupCreateComputer\"},{\"identifier\":\"HostName\",\"columnName\":\"GroupCreateHostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"GroupCreateHostNameDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"GroupAddComputer\"},{\"identifier\":\"HostName\",\"columnName\":\"GroupAddHostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"GroupAddHostNameDomain\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Group created then added to built in domain local or global group\",\"description\":\"Identifies when a recently created Group was added to a privileged built in domain local group or global group such as the Enterprise Admins, Cert Publishers or DnsAdmins. Be sure to verify this is an expected addition.\\nReferences: For AD SID mappings - https://docs.microsoft.com/windows/security/identity-protection/access-control/active-directory-security-groups.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c0e84221-f240-4dd7-ab1e-37e034ea2a4e\",\"name\":\"c0e84221-f240-4dd7-ab1e-37e034ea2a4e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"Medium\",\"query\":\"union isfuzzy=true\\n(DeviceFileEvents\\n| where FolderPath endswith \\\"vmware-vmdmp.log\\\"\\n| extend HostCustomEntity = DeviceName, timestamp=TimeGenerated),\\n(WindowsEvent\\n| where EventID == 4663 and EventData has \\\"vmware-vmdmp.log\\\"\\n| extend ObjectName = tostring(EventData.ObjectName) \\n| where ObjectName endswith \\\"vmware-vmdmp.log\\\"\\n| extend HostCustomEntity = Computer, timestamp=TimeGenerated),\\n(SecurityEvent\\n| where EventID == 4663\\n| where ObjectName endswith \\\"vmware-vmdmp.log\\\"\\n| extend HostCustomEntity = Computer, timestamp=TimeGenerated),\\n(imFileEvent\\n| where TargetFileName endswith \\\"vmware-vmdmp.log\\\"\\n| extend HostCustomEntity = DvcHostname, timestamp=TimeGenerated\\n)\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"[Deprecated] - SUNSPOT log file creation\",\"description\":\"This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft\u0027s Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/972c89fa-c969-4d12-932f-04d55d145299\",\"name\":\"972c89fa-c969-4d12-932f-04d55d145299\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"High\",\"query\":\"( union isfuzzy=true\\n(SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| extend FileName = Process, ProcessCommandLine = CommandLine\\n| where (FileName in~(\u0027control.exe\u0027,\u0027rundll32.exe\u0027) and ProcessCommandLine has \u0027.cpl:\u0027)\\n or ProcessCommandLine matches regex @\u0027\\\\\\\".[a-zA-Z]{2,4}:\\\\.\\\\.\\\\/\\\\.\\\\.\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(DeviceProcessEvents\\n| where (FileName in~(\u0027control.exe\u0027,\u0027rundll32.exe\u0027) and ProcessCommandLine has \u0027.cpl:\u0027)\\nor ProcessCommandLine matches regex @\u0027\\\\\\\".[a-zA-Z]{2,4}:\\\\.\\\\.\\\\/\\\\.\\\\.\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountUpn, HostCustomEntity = DeviceName\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1 \\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| extend Image = column_ifexists(\\\"Image\\\", \\\"\\\"), ProcessCommandLine = column_ifexists(\\\"CommandLine\\\", \\\"\\\")\\n| extend FileName = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n| where (FileName in~(\u0027control.exe\u0027,\u0027rundll32.exe\u0027) and ProcessCommandLine has \u0027.cpl:\u0027)\\n or ProcessCommandLine matches regex @\u0027\\\\\\\".[a-zA-Z]{2,4}:\\\\.\\\\.\\\\/\\\\.\\\\.\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"[Deprecated] - MSHTML vulnerability CVE-2021-40444 attack\",\"description\":\"This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft\u0027s Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2021-09-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/56b0a0cd-894e-4b38-a0a1-c41d9f96649a\",\"name\":\"56b0a0cd-894e-4b38-a0a1-c41d9f96649a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Low\",\"query\":\"let lbtime = 1h;\\nlet tls_ciphers = dynamic([\u0027RC4-SHA\u0027, \u0027DES-CBC3-SHA\u0027]);\\nProofpointPOD\\n| where EventType == \u0027message\u0027\\n| where TlsCipher in (tls_ciphers)\\n| extend IPCustomEntity = SrcIpAddr\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"ProofpointPOD - Weak ciphers\",\"description\":\"Detects when weak TLS ciphers are used.\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5239248b-abfb-4c6a-8177-b104ade5db56\",\"name\":\"5239248b-abfb-4c6a-8177-b104ade5db56\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.8\",\"severity\":\"Medium\",\"query\":\"let RunCommandData = materialize ( AzureActivity\\n// Isolate run command actions\\n| where OperationNameValue =~ \\\"Microsoft.Compute/virtualMachines/runCommand/action\\\"\\n// Confirm that the operation impacted a virtual machine\\n| where Authorization has \\\"virtualMachines\\\"\\n// Each runcommand operation consists of three events when successful, StartTimeed, Accepted (or Rejected), Successful (or Failed).\\n| summarize StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), max(CallerIpAddress), make_list(ActivityStatusValue) by CorrelationId, Authorization, Caller\\n// Limit to Run Command executions that Succeeded\\n| where list_ActivityStatusValue has_any (\\\"Succeeded\\\", \\\"Success\\\")\\n// Extract data from the Authorization field, allowing us to later extract the Caller (UPN) and CallerIpAddress\\n| extend Authorization_d = parse_json(Authorization)\\n| extend Scope = Authorization_d.scope\\n| extend Scope_s = split(Scope, \\\"/\\\")\\n| extend Subscription = tostring(Scope_s[2])\\n| extend VirtualMachineName = tostring(Scope_s[-1])\\n| project StartTime, EndTime, Subscription, VirtualMachineName, CorrelationId, Caller, CallerIpAddress=max_CallerIpAddress, Scope\\n| join kind=leftouter (\\n DeviceFileEvents\\n | where InitiatingProcessFileName == \\\"RunCommandExtension.exe\\\"\\n | extend VirtualMachineName = tostring(split(DeviceName, \\\".\\\")[0])\\n | project VirtualMachineName, PowershellFileCreatedTimestamp=TimeGenerated, FileName, FileSize, InitiatingProcessAccountName, InitiatingProcessAccountDomain, InitiatingProcessFolderPath, InitiatingProcessId\\n) on VirtualMachineName\\n// We need to filter by time sadly, this is the only way to link events\\n| where PowershellFileCreatedTimestamp between (StartTime .. EndTime)\\n| project StartTime, EndTime, PowershellFileCreatedTimestamp, VirtualMachineName, Caller, CallerIpAddress, FileName, FileSize, InitiatingProcessId, InitiatingProcessAccountDomain, InitiatingProcessFolderPath, Scope\\n| join kind=inner(\\n DeviceEvents\\n | extend VirtualMachineName = tostring(split(DeviceName, \\\".\\\")[0])\\n | where InitiatingProcessCommandLine has \\\"-File\\\"\\n // Extract the script name based on the structure used by the RunCommand extension\\n | extend PowershellFileName = extract(@\\\"\\\\-File\\\\s(script[0-9]{1,9}\\\\.ps1)\\\", 1, InitiatingProcessCommandLine)\\n // Discard results that didn\u0027t successfully extract, these are not run command related\\n | where isnotempty(PowershellFileName)\\n | extend PSCommand = tostring(parse_json(AdditionalFields).Command)\\n // The first execution of PowerShell will be the RunCommand script itself, we can discard this as it will break our hash later\\n | where PSCommand != PowershellFileName \\n // Now we normalise the cmdlets, we\u0027re aiming to hash them to find scripts using rare combinations\\n | extend PSCommand = toupper(PSCommand)\\n | order by PSCommand asc\\n | summarize PowershellExecStartTime=min(TimeGenerated), PowershellExecEnd=max(TimeGenerated), make_list(PSCommand) by PowershellFileName, InitiatingProcessCommandLine\\n) on $left.FileName == $right.PowershellFileName\\n| project StartTime, EndTime, PowershellFileCreatedTimestamp, PowershellExecStartTime, PowershellExecEnd, PowershellFileName, PowershellScriptCommands=list_PSCommand, Caller, CallerIpAddress, InitiatingProcessCommandLine, PowershellFileSize=FileSize, VirtualMachineName, Scope\\n| order by StartTime asc \\n// We generate the hash based on the cmdlets called and the size of the powershell script\\n| extend TempFingerprintString = strcat(PowershellScriptCommands, PowershellFileSize)\\n| extend ScriptFingerprintHash = hash_sha256(tostring(PowershellScriptCommands)));\\nlet totals = toscalar (RunCommandData\\n| summarize count());\\nlet hashTotals = RunCommandData\\n| summarize HashCount=count() by ScriptFingerprintHash;\\nRunCommandData\\n| join kind=leftouter (\\nhashTotals\\n) on ScriptFingerprintHash\\n// Calculate prevalence, while we don\u0027t need this, it may be useful for responders to know how rare this script is in relation to normal activity\\n| extend Prevalence = toreal(HashCount) / toreal(totals) * 100\\n// Where the hash was only ever seen once.\\n| where HashCount == 1\\n| extend timestamp = StartTime\\n| extend CallerName = tostring(split(Caller, \\\"@\\\")[0]), CallerUPNSuffix = tostring(split(Caller, \\\"@\\\")[1])\\n| project timestamp, StartTime, EndTime, PowershellFileName, VirtualMachineName, Caller, CallerName, CallerUPNSuffix, CallerIpAddress, PowershellScriptCommands, PowershellFileSize, ScriptFingerprintHash, Prevalence, Scope\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Caller\"},{\"identifier\":\"Name\",\"columnName\":\"CallerName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"CallerUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"CallerIpAddress\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"VirtualMachineName\"},{\"identifier\":\"AzureID\",\"columnName\":\"Scope\"}]}],\"tactics\":[\"LateralMovement\",\"Execution\"],\"displayName\":\"Azure VM Run Command operations executing a unique PowerShell script\",\"description\":\"Identifies when Azure Run command is used to execute a PowerShell script on a VM that is unique.\\nThe uniqueness of the PowerShell script is determined by taking a combined hash of the cmdLets it imports and the file size of the PowerShell script. Alerts from this detection indicate a unique PowerShell was executed in your environment.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2021-10-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\",\"DeviceEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/70b12a3b-4899-42cb-910c-5ffaf9d7997d\",\"name\":\"70b12a3b-4899-42cb-910c-5ffaf9d7997d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"0.ns1.dns-info.gq\\\", \\\"1.ns1.dns-info.gq\\\", \\\"10.ns1.dns-info.gq\\\", \\\"102.ns1.dns-info.gq\\\", \\n \\\"104.ns1.dns-info.gq\\\", \\\"11.ns1.dns-info.gq\\\", \\\"110.ns1.dns-info.gq\\\", \\\"115.ns1.dns-info.gq\\\", \\\"116.ns1.dns-info.gq\\\", \\n \\\"117.ns1.dns-info.gq\\\", \\\"118.ns1.dns-info.gq\\\", \\\"12.ns1.dns-info.gq\\\", \\\"120.ns1.dns-info.gq\\\", \\\"122.ns1.dns-info.gq\\\", \\n \\\"123.ns1.dns-info.gq\\\", \\\"128.ns1.dns-info.gq\\\", \\\"13.ns1.dns-info.gq\\\", \\\"134.ns1.dns-info.gq\\\", \\\"135.ns1.dns-info.gq\\\", \\n \\\"138.ns1.dns-info.gq\\\", \\\"14.ns1.dns-info.gq\\\", \\\"144.ns1.dns-info.gq\\\", \\\"15.ns1.dns-info.gq\\\", \\\"153.ns1.dns-info.gq\\\", \\n \\\"157.ns1.dns-info.gq\\\", \\\"16.ns1.dns-info.gq\\\", \\\"17.ns1.dns-info.gq\\\", \\\"18.ns1.dns-info.gq\\\", \\\"19.ns1.dns-info.gq\\\", \\n \\\"1a9604fa.ns1.feedsdns.com\\\", \\\"1c7606b6.ns1.steamappstore.com\\\", \\\"2.ns1.dns-info.gq\\\", \\\"20.ns1.dns-info.gq\\\", \\n \\\"201.ns1.dns-info.gq\\\", \\\"202.ns1.dns-info.gq\\\", \\\"204.ns1.dns-info.gq\\\", \\\"207.ns1.dns-info.gq\\\", \\\"21.ns1.dns-info.gq\\\", \\n \\\"210.ns1.dns-info.gq\\\", \\\"211.ns1.dns-info.gq\\\", \\\"216.ns1.dns-info.gq\\\", \\\"22.ns1.dns-info.gq\\\", \\\"220.ns1.dns-info.gq\\\", \\n \\\"223.ns1.dns-info.gq\\\", \\\"23.ns1.dns-info.gq\\\", \\\"24.ns1.dns-info.gq\\\", \\\"25.ns1.dns-info.gq\\\", \\\"26.ns1.dns-info.gq\\\", \\n \\\"27.ns1.dns-info.gq\\\", \\\"28.ns1.dns-info.gq\\\", \\\"29.ns1.dns-info.gq\\\", \\\"3.ns1.dns-info.gq\\\", \\\"30.ns1.dns-info.gq\\\", \\n \\\"31.ns1.dns-info.gq\\\", \\\"32.ns1.dns-info.gq\\\", \\\"33.ns1.dns-info.gq\\\", \\\"34.ns1.dns-info.gq\\\", \\\"35.ns1.dns-info.gq\\\", \\n \\\"36.ns1.dns-info.gq\\\", \\\"37.ns1.dns-info.gq\\\", \\\"39.ns1.dns-info.gq\\\", \\\"3d6fe4b2.ns1.steamappstore.com\\\", \\n \\\"4.ns1.dns-info.gq\\\", \\\"40.ns1.dns-info.gq\\\", \\\"42.ns1.dns-info.gq\\\", \\\"43.ns1.dns-info.gq\\\", \\\"44.ns1.dns-info.gq\\\", \\n \\\"45.ns1.dns-info.gq\\\", \\\"46.ns1.dns-info.gq\\\", \\\"48.ns1.dns-info.gq\\\", \\\"5.ns1.dns-info.gq\\\", \\\"50.ns1.dns-info.gq\\\", \\n \\\"50417.service.gstatic.dnset.com\\\", \\\"51.ns1.dns-info.gq\\\", \\\"52.ns1.dns-info.gq\\\", \\\"53.ns1.dns-info.gq\\\",\\n \\\"54.ns1.dns-info.gq\\\", \\\"55.ns1.dns-info.gq\\\", \\\"56.ns1.dns-info.gq\\\", \\\"57.ns1.dns-info.gq\\\", \\\"58.ns1.dns-info.gq\\\", \\n \\\"6.ns1.dns-info.gq\\\", \\\"60.ns1.dns-info.gq\\\", \\\"62.ns1.dns-info.gq\\\", \\\"63.ns1.dns-info.gq\\\", \\\"64.ns1.dns-info.gq\\\", \\n \\\"65.ns1.dns-info.gq\\\", \\\"67.ns1.dns-info.gq\\\", \\\"7.ns1.dns-info.gq\\\", \\\"70.ns1.dns-info.gq\\\", \\\"71.ns1.dns-info.gq\\\",\\n \\\"73.ns1.dns-info.gq\\\", \\\"77.ns1.dns-info.gq\\\", \\\"77075.service.gstatic.dnset.com\\\", \\\"7c1947fa.ns1.steamappstore.com\\\",\\n \\\"8.ns1.dns-info.gq\\\", \\\"81.ns1.dns-info.gq\\\", \\\"86.ns1.dns-info.gq\\\", \\\"87.ns1.dns-info.gq\\\", \\\"9.ns1.dns-info.gq\\\", \\n \\\"94343.service.gstatic.dnset.com\\\", \\\"9939.service.gstatic.dnset.com\\\", \\\"aa.ns.mircosoftdoc.com\\\", \\n \\\"aaa.feeds.api.ns1.feedsdns.com\\\", \\\"aaa.googlepublic.feeds.ns1.dns-info.gq\\\", \\n \\\"aaa.resolution.174547._get.cache.up.sourcedns.tk\\\", \\\"acc.microsoftonetravel.com\\\", \\n \\\"accounts.longmusic.com\\\", \\\"admin.dnstemplog.com\\\", \\\"agent.updatenai.com\\\", \\n \\\"alibaba.zzux.com\\\", \\\"api.feedsdns.com\\\", \\\"app.portomnail.com\\\", \\\"asia.updatenai.com\\\", \\n \\\"battllestategames.com\\\", \\\"bguha.serveuser.com\\\", \\\"binann-ce.com\\\", \\\"bing.dsmtp.com\\\", \\n \\\"blog.cdsend.xyz\\\", \\\"brives.minivineyapp.com\\\", \\\"bsbana.dynamic-dns.net\\\", \\n \\\"californiaforce.000webhostapp.com\\\", \\\"californiafroce.000webhostapp.com\\\", \\n \\\"cdn.freetcp.com\\\", \\\"cdsend.xyz\\\", \\\"cipla.zzux.com\\\", \\\"cloudfeeddns.com\\\", \\\"comcleanner.info\\\",\\n \\\"cs.microsoftsonline.net\\\", \\\"dns-info.gq\\\", \\\"dns05.cf\\\", \\\"dns22.ml\\\", \\\"dns224.com\\\", \\n \\\"dnsdist.org\\\", \\\"dnstemplog.com\\\", \\\"doc.mircosoftdoc.com\\\", \\\"dropdns.com\\\", \\n \\\"eshop.cdn.freetcp.com\\\", \\\"exchange.dumb1.com\\\", \\\"exchange.misecure.com\\\", \\\"exchange.mrbasic.com\\\",\\n \\\"facebookdocs.com\\\", \\\"facebookint.com\\\", \\\"facebookvi.com\\\", \\\"feed.ns1.dns-info.gq\\\", \\\"feedsdns.com\\\", \\n \\\"firejun.freeddns.com\\\", \\\"ftp.dns-info.dyndns.pro\\\", \\\"goallbandungtravel.com\\\", \\\"goodhk.azurewebsites.net\\\", \\n \\\"googlepublic.feed.ns1.dns-info.gq\\\", \\\"gp.spotifylite.cloud\\\", \\\"gskytop.com\\\", \\\"gstatic.dnset.com\\\", \\n \\\"gxxservice.com\\\", \\\"helpdesk.cdn.freetcp.com\\\", \\\"id.serveuser.com\\\", \\\"infestexe.com\\\", \\\"item.itemdb.com\\\",\\n \\\"m.mircosoftdoc.com\\\", \\\"mail.transferdkim.xyz\\\", \\\"mcafee.updatenai.com\\\", \\\"mecgjm.mircosoftdoc.com\\\",\\n \\\"microdocs.ga\\\", \\\"microsock.website\\\", \\\"microsocks.net\\\", \\\"microsoft.sendsmtp.com\\\", \\n \\\"microsoftbook.dns05.com\\\", \\\"microsoftcontactcenter.com\\\", \\\"microsoftdocs.dns05.com\\\", \\\"microsoftdocs.ml\\\", \\n \\\"microsoftonetravel.com\\\", \\\"microsoftonlines.net\\\", \\\"microsoftprod.com\\\", \\\"microsofts.dns1.us\\\", \\\"microsoftsonline.net\\\",\\n \\\"minivineyapp.com\\\", \\\"mircosoftdoc.com\\\", \\\"mircosoftdocs.com\\\", \\\"mlcrosoft.ninth.biz\\\", \\\"mlcrosoft.site\\\", \\n \\\"mm.portomnail.com\\\", \\\"msdnupdate.com\\\", \\\"msecdn.cloud\\\", \\\"mtnl1.dynamic-dns.net\\\", \\\"ns.gstatic.dnset.com\\\", \\n \\\"ns.microsoftprod.com\\\", \\\"ns.steamappstore.com\\\", \\\"ns1.cdn.freetcp.com\\\", \\\"ns1.comcleanner.info\\\", \\\"ns1.dns-info.gq\\\", \\n \\\"ns1.dns05.cf\\\", \\\"ns1.dnstemplog.com\\\", \\\"ns1.dropdns.com\\\", \\\"ns1.microsoftonetravel.com\\\", \\n \\\"ns1.microsoftonlines.net\\\", \\\"ns1.microsoftprod.com\\\", \\\"ns1.microsoftsonline.net\\\", \\\"ns1.mlcrosoft.site\\\", \\n \\\"ns1.teams.wikaba.com\\\", \\\"ns1.windowsdefende.com\\\", \\\"ns2.comcleanner.info\\\", \\\"ns2.dnstemplog.com\\\", \\n \\\"ns2.microsoftonetravel.com\\\", \\\"ns2.microsoftprod.com\\\", \\\"ns2.microsoftsonline.net\\\", \\\"ns2.mlcrosoft.site\\\", \\n \\\"ns2.windowsdefende.com\\\", \\\"ns3.microsoftprod.com\\\", \\\"ns3.mlcrosoft.site\\\", \\\"nutrition.mrbasic.com\\\", \\n \\\"nutrition.youdontcare.com\\\", \\\"online.mlcrosoft.site\\\", \\\"online.msdnupdate.com\\\", \\\"outlookservce.site\\\", \\n \\\"owa.jetos.com\\\", \\\"owa.otzo.com\\\", \\\"pornotime.co\\\", \\\"portomnail.com\\\", \\n \\\"post.1a0.066e063ac.7c1947fa.ns1.steamappstore.com\\\", \\\"pricingdmdk.com\\\", \\\"prod.microsoftprod.com\\\", \\n \\\"product.microsoftprod.com\\\", \\\"ptcl.yourtrap.com\\\", \\\"query.api.sourcedns.tk\\\", \\\"rb.itemdb.com\\\", \\\"redditcdn.com\\\", \\n \\\"rss.otzo.com\\\", \\\"secure.msdnupdate.com\\\", \\\"service.dns22.ml\\\", \\\"service.gstatic.dnset.com\\\", \\\"service04.dns04.com\\\", \\n \\\"settings.teams.wikaba.com\\\", \\\"sip.outlookservce.site\\\", \\\"sixindent.epizy.com\\\", \\\"soft.msdnupdate.com\\\", \\\"sourcedns.ml\\\", \\n \\\"sourcedns.tk\\\", \\\"sport.msdnupdate.com\\\", \\\"spotifylite.cloud\\\", \\\"static.misecure.com\\\", \\\"steamappstore.com\\\", \\n \\\"store.otzo.com\\\", \\\"survey.outlookservce.site\\\", \\\"team.itemdb.com\\\", \\\"temp221.com\\\", \\\"test.microsoftprod.com\\\", \\n \\\"thisisaaa.000webhostapp.com\\\", \\\"token.dns04.com\\\", \\\"token.dns05.com\\\", \\\"transferdkim.xyz\\\", \\n \\\"travelsanignacio.com\\\", \\\"update08.com\\\", \\\"updated08.com\\\", \\\"updatenai.com\\\", \\\"wantforspeed.com\\\",\\n \\\"web.mircosoftdoc.com\\\", \\\"webmail.pornotime.co\\\", \\\"webwhois.team.itemdb.com\\\", \\\"windowsdefende.com\\\", \\\"wnswindows.com\\\",\\n \\\"ashcrack.freetcp.com\\\", \\\"battllestategames.com\\\", \\\"binannce.com\\\", \\\"cdsend.xyz\\\", \\\"comcleanner.info\\\", \\\"microsock.website\\\", \\n \\\"microsocks.net\\\", \\\"microsoftsonline.net\\\", \\\"mlcrosoft.site\\\", \\\"notify.serveuser.com\\\", \\\"ns1.microsoftprod.com\\\", \\n \\\"ns2.microsoftprod.com\\\", \\\"pricingdmdk.com\\\", \\\"steamappstore.com\\\", \\\"update08.com\\\", \\\"wnswindows.com\\\", \\n \\\"youtube.dns05.com\\\", \\\"z1.zalofilescdn.com\\\", \\\"z2.zalofilescdn.com\\\", \\\"zalofilescdn.com\\\"]); \\n(union isfuzzy=true \\n (CommonSecurityLog \\n | parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n | where DNSName in~ (DomainNames) \\n | extend Account = SourceUserID, Computer = DeviceName, IPAddress = DestinationIP \\n ), \\n (_Im_Dns (domain_has_any=DomainNames)\\n | extend DNSName = DnsQuery \\n | extend IPAddress = SrcIpAddr, Computer = Dvc\\n ), \\n (_Im_WebSession (url_has_any=DomainNames)\\n | extend DNSName = tostring(parse_url(Url)[\\\"Host\\\"])\\n | extend IPAddress = SrcIpAddr, Computer = Dvc\\n ), \\n (VMConnection \\n | parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 * \\n | where isnotempty(DNSName) \\n | where DNSName in~ (DomainNames) \\n | extend IPAddress = RemoteIp \\n ), \\n ( \\n DeviceNetworkEvents \\n | where isnotempty(RemoteUrl) \\n | where RemoteUrl in~ (DomainNames) \\n | extend IPAddress = RemoteIP \\n | extend Computer = DeviceName \\n ),\\n (AzureDiagnostics \\n | where ResourceType == \\\"AZUREFIREWALLS\\\"\\n | where Category == \\\"AzureFirewallApplicationRule\\\"\\n | parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n | where isnotempty(DestinationHost)\\n | where DestinationHost has_any (DomainNames) \\n | extend DNSName = DestinationHost \\n | extend IPCustomEntity = SourceHost\\n ),\\n (AzureDiagnostics\\n | where ResourceType == \\\"AZUREFIREWALLS\\\"\\n | where Category == \\\"AzureFirewallNetworkRule\\\"\\n | where msg_s has_any (DomainNames)\\n | parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePortInt:int \\\" to \\\" TargetIP \\\":\\\" TargetPortInt:int *\\n | parse kind=regex flags=U msg_s with * \\\". Action\\\\\\\\: \\\" Action1a \\\"\\\\\\\\.\\\"\\n | parse msg_s with * \\\". Policy: \\\" Policy \\\". Rule Collection Group: \\\" RuleCollectionGroup \\\".\\\" *\\n | parse msg_s with * \\\" Rule Collection: \\\" RuleCollection \\\". Rule: \\\" Rule \\n | extend IPCustomEntity = SourceIP\\n ),\\n (AzureDiagnostics\\n | where ResourceType == \\\"AZUREFIREWALLS\\\"\\n | where Category == \\\"AzureFirewallDnsProxy\\\"\\n | where msg_s has_any (DomainNames)\\n | parse msg_s with \\\"DNS Request: \\\" SourceIP \\\":\\\" SourcePortInt:int \\\" - \\\" QueryID:int \\\" \\\" RequestType \\\" \\\" RequestClass \\\" \\\" hostname \\\". \\\" protocol \\\" \\\" details\\n | extend\\n ResponseDuration = extract(\\\"[0-9]*.?[0-9]+s$\\\", 0, msg_s),\\n SourcePort = tostring(SourcePortInt),\\n QueryID = tostring(QueryID)\\n | project TimeGenerated,SourceIP,hostname,RequestType,ResponseDuration,details,msg_s\\n | order by TimeGenerated\\n | extend IPCustomEntity = SourceIP\\n ),\\n (AZFWApplicationRule\\n | where Fqdn has_any (DomainNames)\\n | extend IPCustomEntity = SourceIp\\n ),\\n (AZFWDnsQuery\\n | where isnotempty(QueryName)\\n | where QueryName has_any (DomainNames)\\n | extend DNSName = QueryName\\n | extend IPCustomEntity = SourceIp\\n )\\n ) \\n | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"[Deprecated] - Known Barium domains\",\"description\":\"This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft\u0027s Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2020-11-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\",\"AZFWApplicationRule\",\"AZFWDnsQuery\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c2da1106-bfe4-4a63-bf14-5ab73130ccd5\",\"name\":\"c2da1106-bfe4-4a63-bf14-5ab73130ccd5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":1,\"version\":\"1.0.3\",\"severity\":\"Informational\",\"query\":\"let timeframe = ago(1d);\\nAppServiceAntivirusScanAuditLogs\\n| where ScanStatus == \\\"Failed\\\"\\n| extend timestamp = TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"AzureID\",\"columnName\":\"_ResourceId\"}]}],\"displayName\":\"AppServices AV Scan Failure\",\"description\":\"Identifies if an AV scan fails in Azure App Services.\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2020-12-11T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/65c78944-930b-4cae-bd79-c3664ae30ba7\",\"name\":\"65c78944-930b-4cae-bd79-c3664ae30ba7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"Medium\",\"query\":\"(union isfuzzy=true\\n(AuditLogs\\n| where OperationName =~ \\\"Disable Strong Authentication\\\"\\n| extend _parsedIntiatedByUser = parse_json(tostring(InitiatedBy.user))\\n| extend _parsedIntiatedByApp = parse_json(tostring(InitiatedBy.app))\\n| extend IPAddress = tostring(_parsedIntiatedByUser.ipAddress)\\n| extend InitiatedByUser = iff(isnotempty(tostring(_parsedIntiatedByUser.userPrincipalName)),\\n tostring(_parsedIntiatedByUser.userPrincipalName), tostring(_parsedIntiatedByApp.displayName))\\n| extend Targetprop = todynamic(TargetResources)\\n| extend TargetUser = tostring(Targetprop[0].userPrincipalName)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by User = TargetUser, InitiatedByUser , Operation = OperationName , CorrelationId, IPAddress, Category, Source = SourceSystem , AADTenantId, Type\\n),\\n(AWSCloudTrail\\n| where EventName in~ (\\\"DeactivateMFADevice\\\", \\\"DeleteVirtualMFADevice\\\")\\n| extend _parsedRequestParameters = parse_json(RequestParameters)\\n| extend InstanceProfileName = tostring(_parsedRequestParameters.InstanceProfileName)\\n| extend TargetUser = tostring(_parsedRequestParameters.userName)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by User = TargetUser, Source = EventSource , Operation = EventName , TenantorInstance_Detail = InstanceProfileName, IPAddress = SourceIpAddress\\n)\\n)\\n| extend timestamp = StartTimeUtc, UserName = tostring(split(User, \u0027@\u0027, 0)[0]), UPNSuffix = tostring(split(User, \u0027@\u0027, 1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"UserName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]}],\"tactics\":[\"CredentialAccess\",\"Persistence\"],\"displayName\":\"Multi-Factor Authentication Disabled for a User\",\"description\":\"Multi-Factor Authentication (MFA) helps prevent credential compromise. This alert identifies when an attempt has been made to deactivate MFA for a user.\",\"lastUpdatedDateUTC\":\"2024-01-16T00:00:00Z\",\"createdDateUTC\":\"2019-12-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f6502545-ae3a-4232-a8b0-79d87e5c98d7\",\"name\":\"f6502545-ae3a-4232-a8b0-79d87e5c98d7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"Event\\n| where EventLog =~ \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID in (13)\\n| parse EventData with * \u0027TargetObject\\\"\u003e\u0027 TargetObject \\\"\u003c\\\" * \u0027Details\\\"\u003e\u0027 Details \\\"\u003c\\\" * \\n| where TargetObject=~\\\"HKLM\\\\\\\\System\\\\\\\\CurrentControlSet\\\\\\\\Control\\\\\\\\SecurityProviders\\\\\\\\WDigest\\\\\\\\UseLogonCredential\\\" and Details !=\\\"DWORD (0x00000000)\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventID, Computer, TargetObject, Details\\n| extend HostName = iif(Computer has \u0027.\u0027,substring(Computer,0,indexof(Computer,\u0027.\u0027)),Computer) , DnsDomain = iif(Computer has \u0027.\u0027,substring(Computer,indexof(Computer,\u0027.\u0027)+1),\u0027\u0027)\",\"entityMappings\":[{\"entityType\":\"RegistryKey\",\"fieldMappings\":[{\"identifier\":\"Key\",\"columnName\":\"TargetObject\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"WDigest downgrade attack\",\"description\":\"When the WDigest Authentication protocol is enabled, plain text passwords are stored in the Local Security Authority Subsystem Service (LSASS) exposing them to theft. This setting will prevent WDigest from storing credentials in memory.\\nRef: https://www.stigviewer.com/stig/windows_7/2016-12-19/finding/V-72753\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-03-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/aedc5b33-2d7c-42cb-a692-f25ef637cbb1\",\"name\":\"aedc5b33-2d7c-42cb-a692-f25ef637cbb1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let lbtime = 10m;\\nProofpointPOD\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027outbound\u0027\\n| where array_length(todynamic(DstUserUpn)) == 1\\n| extend sender = extract(@\u0027\\\\A(.*?)@\u0027, 1, SrcUserUpn)\\n| extend sender_domain = extract(@\u0027@(.*)$\u0027, 1, SrcUserUpn)\\n| extend recipient = extract(@\u0027\\\\A(.*?)@\u0027, 1, tostring(todynamic(DstUserUpn)[0]))\\n| extend recipient_domain = extract(@\u0027@(.*)$\u0027, 1, tostring(todynamic(DstUserUpn)[0]))\\n| where sender =~ recipient\\n| where sender_domain != recipient_domain\\n| project SrcUserUpn, DstUserUpn\\n| extend AccountCustomEntity = SrcUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"ProofpointPOD - Possible data exfiltration to private email\",\"description\":\"Detects when sender sent email to the non-corporate domain and recipient\u0027s username is the same as sender\u0027s username.\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d6491be0-ab2d-439d-95d6-ad8ea39277c5\",\"name\":\"d6491be0-ab2d-439d-95d6-ad8ea39277c5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Low\",\"query\":\"let SensitiveOperationList = dynamic(\\n[\\\"VaultDelete\\\", \\\"KeyDelete\\\", \\\"SecretDelete\\\", \\\"SecretPurge\\\", \\\"KeyPurge\\\", \\\"SecretBackup\\\", \\\"KeyBackup\\\"]);\\nAzureDiagnostics\\n| extend ResultType = column_ifexists(\\\"ResultType\\\", \\\"NoResultType\\\"), \\nrequestUri_s = column_ifexists(\\\"requestUri_s\\\", \\\"None\\\"), \\nidentity_claim_oid_g = column_ifexists(\\\"identity_claim_oid_g\\\", \\\"None\\\"), CallerIPAddress = column_ifexists(\\\"CallerIPAddress\\\", \\\"None\\\"), \\nclientInfo_s = column_ifexists(\\\"clientInfo_s\\\", \\\"None\\\"), \\nidentity_claim_upn_s = column_ifexists(\\\"identity_claim_upn_s\\\", \\\"None\\\"),\\nidentity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = column_ifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"None\\\")\\n| where ResourceType =~ \\\"VAULTS\\\" and ResultType =~ \\\"Success\\\"\\n| where OperationName in~ (SensitiveOperationList)\\n| summarize EventCount=count(), StartTimeUtc=min(TimeGenerated), EndTimeUtc=max(TimeGenerated), TimeTriggered=make_list(TimeGenerated),OperationNameList=make_set(OperationName), RequestURLList=make_set(requestUri_s), CallerIPList = make_set(CallerIPAddress), CallerIPMax= arg_max(CallerIPAddress,*) by ResourceType, ResultType, Resource, identity_claim_upn_s, clientInfo_s, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\n| extend timestamp = StartTimeUtc\\n| extend Name = tostring(split(identity_claim_upn_s,\u0027@\u0027,0)[0]), UPNSuffix = tostring(split(identity_claim_upn_s,\u0027@\u0027,1)[0]), AadUserId = identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"AadUserId\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"CallerIPMax\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Sensitive Azure Key Vault operations\",\"description\":\"Identifies when sensitive Azure Key Vault operations are used. This includes: VaultDelete, KeyDelete, SecretDelete, SecretPurge, KeyPurge, SecretBackup, KeyBackup.\\nAny Backup operations should match with expected scheduled backup activity.\",\"lastUpdatedDateUTC\":\"2024-03-04T00:00:00Z\",\"createdDateUTC\":\"2019-07-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureKeyVault\",\"dataTypes\":[\"KeyVaultData\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/58e306fe-1c49-4b8f-9b0e-15f25e8f0cd7\",\"name\":\"58e306fe-1c49-4b8f-9b0e-15f25e8f0cd7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"// Filter GCP Audit Logs to exclude service accounts\\nGCPAuditLogs \\n| where PrincipalEmail !endswith \\\"gserviceaccount.com\\\"\\n// Exclude system-related authentication information\\n| where AuthenticationInfo !has (\\\"system:\\\")\\n// Extract GCP request name and relevant attributes\\n| extend GCPRequestName= parse_json(Request).name\\n| extend\\n GCPAccoutType= tostring(split(GCPRequestName, \\\"/\\\")[2]),\\n GCPUserIdentity = iff(isempty(tostring(split(GCPRequestName, \\\"/\\\")[3])), tostring(parse_json(AuthenticationInfo).principalEmail), \\\"na\\\"), \\n GCPUserIp = tostring(parse_json(RequestMetadata).callerIp),\\n GCPCallerUA = tostring(parse_json(RequestMetadata).callerSuppliedUserAgent)\\n// Filter out empty or service account identities\\n| where isnotempty(GCPUserIdentity) and GCPUserIdentity !endswith \\\"gserviceaccount.com\\\"\\n// Select relevant attributes for further analysis\\n| project\\n PrincipalEmail,\\n GCPUserIdentity,\\n GCPAccoutType,\\n GCPRequestName,\\n GCPCallerUA,\\n Request,\\n RequestMetadata,\\n GCPUserIp,\\n MethodName,\\n ServiceName,\\n GCPEventTime= TimeGenerated,\\n ProjectId\\n// Join GCP Audit Logs with SecurityAlert data based on user identity and IP\\n| join kind=inner ( \\n SecurityAlert \\n // Exclude alerts from Azure Sentinel\\n | where ProductName !in (\\\"Azure Sentinel\\\")\\n // Extract IP entities from alert data\\n | extend AlertIPEntity= tostring(extract(@\\\"\\\\d{1,3}\\\\.\\\\d{1,3}\\\\.\\\\d{1,3}\\\\.\\\\d{1,3}\\\", 0, Entities))\\n | extend\\n AlertUserUPN = tostring(extract(@\u0027\\\\b[\\\\w\\\\.\\\\-]+@[\\\\w\\\\.\\\\-]+\\\\b\u0027, 0, Entities)),\\n AlertTime= TimeGenerated\\n // Filter out empty user identities and IP entities\\n | where isnotempty(AlertIPEntity) and isnotempty(AlertUserUPN)\\n )\\n on $left.GCPUserIdentity == $right.AlertUserUPN and $left.GCPUserIp == $right.AlertIPEntity\\n// Summarize the data, calculating time differences and aggregating attributes\\n| summarize\\n FirstAlert=min(AlertTime),\\n LastAlert=max(AlertTime),\\n TimeDiff=datetime_diff(\u0027minute\u0027, min(AlertTime), min(GCPEventTime)),\\n MethodName=make_set(MethodName),\\n ServiceName= make_set(ServiceName),\\n GCPProjctId=make_set(ProjectId),\\n Request=make_set(Request),\\n GCPCallerUA=make_set(GCPCallerUA)\\n by\\n AlertUserUPN,\\n AlertIPEntity,\\n GCPUserIp,\\n GCPUserIdentity,\\n AlertSeverity,\\n AlertName,\\n AlertLink,\\n Description,\\n Tactics,\\n ProductName,\\n SystemAlertId,\\n GCPAccoutType\\n// Extend the data with additional attributes\\n| extend\\n Name = tostring(split(GCPUserIdentity, \\\"@\\\")[0]),\\n UPNSuffix = tostring(split(GCPUserIdentity, \\\"@\\\")[1])\",\"customDetails\":{\"AlertName\":\"AlertName\",\"FirstAlert\":\"FirstAlert\",\"LastAlert\":\"LastAlert\",\"TimeDiff\":\"TimeDiff\",\"MethodName\":\"MethodName\",\"GCPProjctId\":\"GCPProjctId\",\"GCPCallerUA\":\"GCPCallerUA\",\"ServiceName\":\"ServiceName\",\"AlertUserUPN\":\"AlertUserUPN\",\"SystemAlertId\":\"SystemAlertId\",\"Tactics\":\"Tactics\",\"Request\":\"Request\",\"CorrelationWith\":\"GCPAuditLogs\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"GCPUserIp\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"A user {{GCPUserUPN}} has been linked to {{AlertName}}, and has potentially suspicious behavior within the GCP environment from, originating from the IP address {{GCPUserIp}}.\",\"alertDescriptionFormat\":\" This detection compiles and correlates unauthorized user access alerts originating from {{ProductName}} With Alert Description \u0027{{Description}}\u0027 observed activity in GCP environmeny. It focuses on Microsoft Security, specifically targeting user bhaviour and network IP associations tied to activities such as logins from malicious IP addresses or instance credential exfiltration attempts. The detection leverages these common network IP advisories to detect and pinpoint users suspicious activity to access both Azure and GCP resources. \\n\\n Microsoft Security ALert Link : \u0027{{AlertLink}}\u0027\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":\"AlertSeverity\"},\"tactics\":[\"InitialAccess\",\"Execution\",\"Persistence\",\"PrivilegeEscalation\",\"CredentialAccess\",\"Discovery\"],\"displayName\":\"Cross-Cloud Suspicious user activity observed in GCP Envourment\",\"description\":\"\\nThis detection query aims to correlate potentially suspicious user activities logged in Google Cloud Platform (GCP) Audit Logs with security alerts originating from Microsoft Security products. This correlation facilitates the identification of potential cross-cloud security incidents. By summarizing these findings, the query provides valuable insights into cross-cloud identity threats and their associated details, enabling organizations to respond promptly and mitigate potential risks effectively.\\n\",\"lastUpdatedDateUTC\":\"2023-10-06T00:00:00Z\",\"createdDateUTC\":\"2023-10-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"GCPAuditLogsDefinition\",\"dataTypes\":[\"GCPAuditLogs\"]},{\"connectorId\":\"AzureActiveDirectoryIdentityProtection\",\"dataTypes\":[\"SecurityAlert (IPC)\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"MicrosoftDefenderAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert (MDATP)\"]},{\"connectorId\":\"MicrosoftCloudAppSecurity\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8dcf7238-a7d0-4cfd-8d0c-b230e3cd9182\",\"name\":\"8dcf7238-a7d0-4cfd-8d0c-b230e3cd9182\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5M\",\"queryPeriod\":\"PT5M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Medium\",\"query\":\"let timeframe = ago(5m);\\nDuoSecurityTrustMonitor_CL\\n| where TimeGenerated \u003e= timeframe\\n| extend AccountName = tostring(split(surfaced_auth_user_name_s, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(surfaced_auth_user_name_s, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"surfaced_auth_user_name_s\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"surfaced_auth_access_device_ip_s\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Trust Monitor Event\",\"description\":\"This query identifies when a new trust monitor event is detected.\",\"lastUpdatedDateUTC\":\"2024-07-15T00:00:00Z\",\"createdDateUTC\":\"2021-02-13T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d804b39c-03a4-417c-a949-bdbf21fa3305\",\"name\":\"d804b39c-03a4-417c-a949-bdbf21fa3305\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"Medium\",\"query\":\"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string)\\n[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/MSTICIoCs-ExchangeServerVulnerabilitiesDisclosedMarch2021.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet file_paths = (iocs | where Type =~ \\\"filepath\\\" | project IoC);\\nlet sha256s = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\nlet ips = (iocs | where Type =~ \\\"ip\\\" | project IoC);\\nlet domains = (iocs | where Type =~ \\\"domainname\\\" | project IoC);\\nlet dyndomains = todynamic(toscalar((domains | summarize make_set(IoC))));\\nunion isfuzzy=true\\n(SecurityEvent\\n| where EventID == 4663\\n| where ObjectName in (file_paths)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(WindowsEvent\\n| where EventID == 4663 and EventData has_any (file_paths)\\n| extend ObjectName = tostring(EventData.ObjectName) \\n| where ObjectName in (file_paths)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName), \\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(imFileEvent\\n| where TargetFileName in (file_paths)\\n or\\n TargetFileSHA256 in (sha256s)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUsername, HostCustomEntity = DvcHostname\\n),\\n(DeviceFileEvents\\n| where FolderPath in (file_paths)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountName, HostCustomEntity = DeviceName\\n),\\n(DeviceEvents\\n| where InitiatingProcessSHA256 in (sha256s)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountName, HostCustomEntity = DeviceName\\n),\\n (CommonSecurityLog\\n| where FileHash in (sha256s)\\n| extend timestamp = TimeGenerated\\n),\\n(Event // File iocs\\n//This query uses sysmon data depending on table name used this may need updating\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Hashes = EventDetail.[16].[\\\"#text\\\"]\\n| where isnotempty(Hashes)\\n| parse Hashes with * \u0027SHA256=\u0027 SHA256 \u0027,\u0027 *\\n| where SHA256 in~ (sha256s)\\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = Hashes\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(CommonSecurityLog\\n| where isnotempty(SourceIP) or isnotempty(DestinationIP)\\n| where (SourceIP in (ips) or DestinationIP in (ips) or Message has_any (ips)) or (RequestURL has_any (domains))\\n| extend IPMatch = case(SourceIP in (ips), \\\"SourceIP\\\", DestinationIP in (ips), \\\"DestinationIP\\\", \\\"Message\\\")\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch\\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\")\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = EventDetail.[9].[\\\"#text\\\"], DestinationIP = EventDetail.[14].[\\\"#text\\\"]\\n| where SourceIP in (ips) or DestinationIP in (ips)\\n| extend IPMatch = case( SourceIP in (ips), \\\"SourceIP\\\", DestinationIP in (ips), \\\"DestinationIP\\\", \\\"None\\\")\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n),\\n(WireData\\n| where isnotempty(RemoteIP)\\n| where RemoteIP in (ips)\\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer\\n),\\n(W3CIISLog\\n| where isnotempty(cIP)\\n| where cIP in (ips)\\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName\\n),\\n(\\nWindowsFirewall\\n| where SourceIP in (ips) or DestinationIP in (ips)\\n| extend IPMatch = case( SourceIP in (ips), \\\"SourceIP\\\", DestinationIP in (ips), \\\"DestinationIP\\\", \\\"None\\\")\\n),\\n(\\n _Im_NetworkSession(srcipaddr_has_any_prefix=ips) \\n | extend IPCustomEntity = SrcIpAddr, AccountCustomEntity= User, HostCustomEntity=Hostname\\n),\\n (\\n _Im_NetworkSession(dstipaddr_has_any_prefix=ips) \\n | extend IPCustomEntity = DstIpAddr, AccountCustomEntity= User, HostCustomEntity=Hostname\\n),\\n(_Im_Dns(domain_has_any=dyndomains)\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc\\n)\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"[Deprecated] - Exchange Server Vulnerabilities Disclosed March 2021 IoC Match\",\"description\":\"This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft\u0027s Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2021-03-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"AzureMonitor(WireData)\",\"dataTypes\":[\"WireData\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog (CheckPoint)\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog (Cisco)\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog (F5)\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog (Fortinet)\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ef895ada-e8e8-4cf0-9313-b1ab67fab69f\",\"name\":\"ef895ada-e8e8-4cf0-9313-b1ab67fab69f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Medium\",\"query\":\"let CombinedSignInLogs = union isfuzzy=True AADNonInteractiveUserSignInLogs, SigninLogs;\\n // Combine AADNonInteractiveUserSignInLogs and SigninLogs into a single table\\n // Fetch Azure IP address ranges data from a JSON file hosted on GitHub\\n let AzureRanges = externaldata(changeNumber: string, cloud: string, values: dynamic)\\n [\\\"https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/MSFTIPRanges/ServiceTags_Public.json\\\"] with(format=\u0027multijson\u0027)\\n // Load Azure IP address ranges from the JSON file hosted on GitHub\\n | mv-expand values\\n // Expand the values column into separate rows\\n | extend Name = values.name, AddressPrefixes = tostring(values.properties.addressPrefixes);\\n // Create additional columns for the name and address prefixes\\n // Identify known locations to be excluded from analysis\\n let ExcludedKnownLocations = CombinedSignInLogs\\n // Filter the combined logs based on the specified time range\\n | where TimeGenerated between (ago(14d)..ago(1d))\\n // Filter by specific ResultType\\n | where ResultType == 0\\n // Summarize the logs by location\\n | summarize by Location;\\n // Find sign-in locations matching specific criteria\\n let MatchedLocations = materialize(CombinedSignInLogs\\n // Filter the combined logs based on the specified time range\\n | where TimeGenerated \u003e ago(1d)\\n // Exclude specific ResultTypes\\n | where ResultType !in (50126, 50053, 50074, 70044)\\n // Exclude known locations\\n | where Location !in (ExcludedKnownLocations));\\n // Match IP addresses of matched locations with Azure IP address ranges\\n let MatchedIPs = MatchedLocations\\n // Use the \u0027ipv4_lookup\u0027 function to match IP addresses with Azure IP address ranges\\n | evaluate ipv4_lookup(AzureRanges, IPAddress, AddressPrefixes)\\n // Project only the IPAddress column\\n | project IPAddress;\\n // Exclude IP addresses that are already matched with Azure IP address ranges\\n let MaxSetSize = 5; // Set the maximum size limit for make_set\\n let ExcludedIPs = MatchedLocations\\n // Filter out IP addresses that are already matched\\n | where not (IPAddress in (MatchedIPs))\\n // Exclude empty or null Location values\\n | where isnotempty(Location)\\n // Handle dynamic and string column values for LocationDetails and DeviceDetail\\n | extend LocationDetails_dynamic = column_ifexists(\\\"LocationDetails_dynamic\\\", \\\"\\\")\\n | extend DeviceDetail_dynamic = column_ifexists(\\\"DeviceDetail_dynamic\\\", \\\"\\\")\\n | extend LocationDetails = iif(isnotempty(LocationDetails_dynamic), LocationDetails_dynamic, parse_json(LocationDetails_string))\\n | extend DeviceDetail = iif(isnotempty(DeviceDetail_dynamic), DeviceDetail_dynamic, parse_json(DeviceDetail_string))\\n // Extract location details (city and state)\\n | extend City = tostring(LocationDetails.city)\\n | extend State = tostring(LocationDetails.state)\\n | extend Place = strcat(City, \\\" - \\\", State)\\n | extend DeviceId = tostring(DeviceDetail.deviceId)\\n | extend Result = strcat(tostring(ResultType), \\\" - \\\", ResultDescription)\\n // Summarize the data based on UserPrincipalName, Location, and Category\\n | summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated),\\n make_set(Result, MaxSetSize), make_set(IPAddress, MaxSetSize),\\n make_set(UserAgent, MaxSetSize), make_set(Place, MaxSetSize),\\n make_set(DeviceId, MaxSetSize) by UserPrincipalName, Location, Category\\n // Extract the username prefix and suffix from UserPrincipalName\\n | extend Name = tostring(split(UserPrincipalName,\u0027@\u0027,0)[0]), UPNSuffix = tostring(split(UserPrincipalName,\u0027@\u0027,1)[0]);\\n ExcludedIPs // Output the final result set\\n | extend IP = set_IPAddress[0]\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IP\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Authentication Attempt from New Country\",\"description\":\"Detects when there is a login attempt from a country that has not seen a successful login in the previous 14 days.\\nThreat actors may attempt to authenticate with credentials from compromised accounts - monitoring attempts from anomalous locations may help identify these attempts.\\nAuthentication attempts should be investigated to ensure the activity was legitimate and if there is other similar activity.\\nRef: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\",\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d25b1998-a592-4bc5-8a3a-92b39eedb1bc\",\"name\":\"d25b1998-a592-4bc5-8a3a-92b39eedb1bc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"Low\",\"query\":\"AWSCloudTrail\\n| where EventName =~ \\\"ConsoleLogin\\\"\\n| extend MFAUsed = tostring(parse_json(AdditionalEventData).MFAUsed), LoginResult = tostring(parse_json(ResponseElements).ConsoleLogin), indexId = indexof(tostring(UserIdentityPrincipalid),\\\":\\\")\\n| where MFAUsed !~ \\\"Yes\\\" and LoginResult !~ \\\"Failure\\\"\\n| where SessionIssuerUserName !contains \\\"AWSReservedSSO\\\"\\n| extend UserIdentityArn = iif(isempty(UserIdentityArn), tostring(parse_json(Resources)[0].ARN), UserIdentityArn)\\n| extend UserName = tostring(split(UserIdentityArn, \u0027/\u0027)[-1])\\n| extend AccountName = case( UserIdentityPrincipalid == \\\"Anonymous\\\", \\\"Anonymous\\\", isempty(UserIdentityUserName), UserName, UserIdentityUserName)\\n| extend AccountName = iif(AccountName contains \\\"@\\\", tostring(split(AccountName, \u0027@\u0027, 0)[0]), AccountName),\\n AccountUPNSuffix = iif(AccountName contains \\\"@\\\", tostring(split(AccountName, \u0027@\u0027, 1)[0]), \\\"\\\")\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, LoginResult, MFAUsed, RecipientAccountId, AccountName, AccountUPNSuffix, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent,\\nUserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion, indexId\\n| extend timestamp = StartTimeUtc\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"},{\"identifier\":\"CloudAppAccountId\",\"columnName\":\"RecipientAccountId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIpAddress\"}]}],\"tactics\":[\"DefenseEvasion\",\"PrivilegeEscalation\",\"Persistence\",\"InitialAccess\"],\"displayName\":\"Login to AWS Management Console without MFA\",\"description\":\"Multi-Factor Authentication (MFA) helps you to prevent credential compromise. This alert identifies logins to the AWS Management Console without MFA.\\nYou can limit this detection to trigger for adminsitrative accounts if you do not have MFA enabled on all accounts.\\nThis is done by looking at the eventName ConsoleLogin and if the AdditionalEventData field indicates MFA was NOT used and the ResponseElements field indicates NOT a Failure. Thereby indicating that a non-MFA login was successful.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6852d9da-8015-4b95-8ecf-d9572ee0395d\",\"name\":\"6852d9da-8015-4b95-8ecf-d9572ee0395d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Low\",\"query\":\"let queryfrequency = 1h;\\nlet wait_for_deletion = 10m;\\nlet account_created =\\n AuditLogs \\n | where ActivityDisplayName == \\\"Add service principal\\\"\\n | where Result == \\\"success\\\"\\n | extend AppID = tostring(AdditionalDetails[1].value)\\n | extend creationTime = ActivityDateTime\\n | extend CreatorUserPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend CreatorIPAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress);\\nlet account_activity =\\n AADServicePrincipalSignInLogs\\n | extend Activities = pack(\\\"ActivityTime\\\", TimeGenerated ,\\\"IpAddress\\\", IPAddress, \\\"ResourceDisplayName\\\", ResourceDisplayName)\\n | extend AppID = AppId\\n | summarize make_list(Activities) by AppID;\\nlet account_deleted =\\n AuditLogs \\n | where OperationName == \\\"Remove service principal\\\"\\n | where Result == \\\"success\\\"\\n | extend AppID = tostring(AdditionalDetails[1].value)\\n | extend deletionTime = ActivityDateTime\\n | extend DeleterUserPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend DeleterIPAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress);\\nlet account_credentials =\\n AuditLogs\\n | where OperationName has_all (\\\"Update application\\\", \\\"Certificates and secrets management\\\")\\n | where Result == \\\"success\\\"\\n | extend AppID = tostring(AdditionalDetails[1].value)\\n | extend credentialCreationTime = ActivityDateTime;\\nlet roles_assigned =\\n AuditLogs\\n | where ActivityDisplayName == \\\"Add app role assignment to service principal\\\"\\n | extend AppID = tostring(TargetResources[1].displayName)\\n | extend AssignedRole = iff(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].displayName)==\\\"AppRole.Value\\\", tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].newValue))),\\\"\\\")\\n | extend AssignedRoles = pack(\\\"Role\\\", AssignedRole)\\n | summarize make_list(AssignedRoles) by AppID;\\naccount_created\\n| where TimeGenerated between (ago(wait_for_deletion+queryfrequency)..ago(wait_for_deletion))\\n| join kind= inner (account_activity) on AppID\\n| join kind= inner (account_deleted) on AppID\\n| join kind= inner (account_credentials) on AppID\\n| join kind= inner (roles_assigned) on AppID\\n| where deletionTime - creationTime between (time(0s)..wait_for_deletion)\\n| extend AliveTime = deletionTime - creationTime\\n| project AADTenantId, AppID, creationTime, deletionTime, CreatorUserPrincipalName, DeleterUserPrincipalName, CreatorIPAddress, DeleterIPAddress, list_Activities, list_AssignedRoles, AliveTime\\n| extend CreatorName = tostring(split(CreatorUserPrincipalName, \\\"@\\\")[0]), CreatorUPNSuffix = tostring(split(CreatorUserPrincipalName, \\\"@\\\")[1])\\n| extend DeleterName = tostring(split(DeleterUserPrincipalName, \\\"@\\\")[0]), DeleterSuffix = tostring(split(DeleterUserPrincipalName, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CreatorUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"CreatorName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"CreatorUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DeleterUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"DeleterName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"DeleterSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"CreatorIPAddress\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DeleterIPAddress\"}]}],\"tactics\":[\"CredentialAccess\",\"PrivilegeEscalation\",\"InitialAccess\"],\"displayName\":\"Suspicious Service Principal creation activity\",\"description\":\"This alert will detect creation of an SPN, permissions granted, credentials created, activity and deletion of the SPN in a time frame (default 10 minutes)\",\"lastUpdatedDateUTC\":\"2024-01-09T00:00:00Z\",\"createdDateUTC\":\"2021-11-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\",\"AADServicePrincipalSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c63ae777-d5e0-4113-8c9a-c2c9d3d09fcd\",\"name\":\"c63ae777-d5e0-4113-8c9a-c2c9d3d09fcd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"High\",\"query\":\"let args = dynamic([\\\"objectcategory\\\",\\\"domainlist\\\",\\\"dcmodes\\\",\\\"adinfo\\\",\\\"trustdmp\\\",\\\"computers_pwdnotreqd\\\",\\\"Domain Admins\\\", \\\"objectcategory=person\\\", \\\"objectcategory=computer\\\", \\\"objectcategory=*\\\",\\\"dclist\\\"]);\\nlet parentProcesses = dynamic([\\\"pwsh.exe\\\",\\\"powershell.exe\\\",\\\"cmd.exe\\\"]);\\nDeviceProcessEvents\\n//looks for execution from a shell\\n| where InitiatingProcessFileName in~ (parentProcesses)\\n// main filter\\n| where FileName =~ \\\"AdFind.exe\\\" or SHA256 == \\\"c92c158d7c37fea795114fa6491fe5f145ad2f8c08776b18ae79db811e8e36a3\\\"\\n // AdFind common Flags to check for from various threat actor TTPs\\n or ProcessCommandLine has_any (args)\\n| extend HostName = split(DeviceName, \u0027.\u0027, 0)[0], DnsDomain = strcat_array(array_slice(split(DeviceName, \u0027.\u0027), 1, -1), \u0027.\u0027), FileHashAlgorithm = \\\"SHA256\\\"\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"InitiatingProcessFileName\"},{\"identifier\":\"CommandLine\",\"columnName\":\"ProcessCommandLine\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashAlgorithm\"},{\"identifier\":\"Value\",\"columnName\":\"SHA256\"}]}],\"tactics\":[\"Discovery\"],\"displayName\":\"Probable AdFind Recon Tool Usage\",\"description\":\"This query identifies the host and account that executed AdFind, by hash and filename, in addition to the flags commonly utilized by various threat actors during the reconnaissance phase.\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2021-04-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/11bda520-a965-4654-9a45-d09f372f71aa\",\"name\":\"11bda520-a965-4654-9a45-d09f372f71aa\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P2D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.10\",\"severity\":\"High\",\"query\":\"AzureActivity\\n// Isolate run command actions\\n| where OperationNameValue =~ \\\"MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION\\\"\\n// Confirm that the operation impacted a virtual machine\\n| where Authorization has \\\"virtualMachines\\\"\\n// Each runcommand operation consists of three events when successful, Started, Accepted (or Rejected), Successful (or Failed).\\n| summarize StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), max(CallerIpAddress), make_list(ActivityStatusValue) by CorrelationId, Authorization, Caller\\n// Limit to Run Command executions that Succeeded\\n| where list_ActivityStatusValue has_any (\\\"Success\\\", \\\"Succeeded\\\")\\n// Extract data from the Authorization field\\n| extend Authorization_d = parse_json(Authorization)\\n| extend Scope = Authorization_d.scope\\n| extend Scope_s = split(Scope, \\\"/\\\")\\n| extend Subscription = tostring(Scope_s[2])\\n| extend VirtualMachineName = tostring(Scope_s[-1])\\n| project StartTime, EndTime, Subscription, VirtualMachineName, CorrelationId, Caller, CallerIpAddress=max_CallerIpAddress\\n// Create a join key using the Caller (UPN)\\n| extend joinkey = tolower(Caller)\\n// Join the Run Command actions to UEBA data\\n| join kind = inner (\\n BehaviorAnalytics\\n // We are specifically interested in unusual logins\\n | where EventSource == \\\"Azure AD\\\" and ActivityInsights.ActionUncommonlyPerformedByUser == \\\"True\\\"\\n | project UEBAEventTime=TimeGenerated, UEBAActionType=ActionType, UserPrincipalName, UEBASourceIPLocation=SourceIPLocation, UEBAActivityInsights=ActivityInsights, UEBAUsersInsights=UsersInsights\\n | where isnotempty(UserPrincipalName) and isnotempty(UEBASourceIPLocation)\\n | extend joinkey = tolower(UserPrincipalName)\\n) on joinkey\\n// Create a window around the UEBA event times, check to see if the Run Command action was performed within them\\n| extend UEBAWindowStart = UEBAEventTime - 1h, UEBAWindowEnd = UEBAEventTime + 6h\\n| where StartTime between (UEBAWindowStart .. UEBAWindowEnd)\\n| project StartTime, EndTime, Subscription, VirtualMachineName, Caller, CallerIpAddress, UEBAEventTime, UEBAActionType, UEBASourceIPLocation, UEBAActivityInsights, UEBAUsersInsights\\n| extend AccountName = tostring(split(Caller, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(Caller, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Caller\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"CallerIpAddress\"}]}],\"tactics\":[\"LateralMovement\",\"CredentialAccess\"],\"displayName\":\"Azure VM Run Command operation executed during suspicious login window\",\"description\":\"Identifies when the Azure Run Command operation is executed by a UserPrincipalName and IP Address that has resulted in a recent user entity behaviour alert.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2021-10-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"BehaviorAnalytics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/738702fd-0a66-42c7-8586-e30f0583f8fe\",\"name\":\"738702fd-0a66-42c7-8586-e30f0583f8fe\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.6\",\"severity\":\"High\",\"query\":\"DeviceEvents\\n| where ActionType has \\\"ExploitGuardNonMicrosoftSignedBlocked\\\"\\n| where InitiatingProcessFileName has \\\"svchost.exe\\\" and FileName has \\\"NetSetupSvc.dll\\\"\\n| extend HashAlgorithm = \\\"SHA1\\\"\\n| extend HostName = tostring(split(DeviceName, \\\".\\\")[0]), DomainIndex = toint(indexof(DeviceName, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(DeviceName, DomainIndex + 1), DeviceName)\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DeviceName\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingProcessAccountUpn\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatingProcessAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatingProcessAccountDomain\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"HashAlgorithm\"},{\"identifier\":\"Value\",\"columnName\":\"InitiatingProcessSHA1\"}]}],\"tactics\":[\"Execution\",\"Persistence\",\"DefenseEvasion\"],\"displayName\":\"TEARDROP memory-only dropper\",\"description\":\"Identifies SolarWinds TEARDROP memory-only dropper IOCs in Window\u0027s defender Exploit Guard activity\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\",\"lastUpdatedDateUTC\":\"2024-04-04T00:00:00Z\",\"createdDateUTC\":\"2022-04-12T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5ef06767-b37c-4818-b035-47de950d0046\",\"name\":\"5ef06767-b37c-4818-b035-47de950d0046\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.4\",\"severity\":\"Medium\",\"query\":\"// How far back to look for events from\\nlet timeframe = 1d;\\n// How close together build events and file modifications should occur to alert (make this smaller to reduce FPs)\\nlet time_window = 5m;\\n// Edit this to include build processes used\\nlet build_processes = dynamic([\\\"MSBuild.exe\\\", \\\"dotnet.exe\\\", \\\"VBCSCompiler.exe\\\"]);\\n// Include any processes that you want to allow to edit files during/around the build process\\nlet allow_list = dynamic([\\\"\\\"]);\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n// Look for build process starts\\n| where EventID == 4688\\n| where Process has_any (build_processes)\\n| summarize by BuildParentProcess=ParentProcessName, BuildProcess=Process, BuildAccount = Account, Computer, BuildCommand=CommandLine, timekey= bin(TimeGenerated, time_window), BuildProcessTime=TimeGenerated\\n| join kind=inner(\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n// Look for file modifications to code file\\n| where EventID == 4663\\n| where Process !in (allow_list)\\n// Look for code files, edit this to include file extensions used in build.\\n| where ObjectName endswith \\\".cs\\\" or ObjectName endswith \\\".cpp\\\"\\n// 0x6 and 0x4 for file append, 0x100 for file replacements\\n| where AccessMask == \\\"0x6\\\" or AccessMask == \\\"0x4\\\" or AccessMask == \\\"0X100\\\"\\n| summarize by FileEditParentProcess=ParentProcessName, FileEditAccount = Account, Computer, FileEdited=ObjectName, FileEditProcess=ProcessName, timekey= bin(TimeGenerated, time_window), FileEditTime=TimeGenerated)\\n// join where build processes and file modifications seen at same time on same host\\non timekey, Computer\\n// Limit to only where the file edit happens after the build process starts\\n| where BuildProcessTime \u003c= FileEditTime\\n| summarize make_set(FileEdited), make_set(FileEditProcess), make_set(FileEditAccount) by timekey, Computer, BuildParentProcess, BuildProcess\\n),\\n(WindowsEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n// Look for build process starts\\n| where EventID == 4688 and EventData has_any (build_processes)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where Process has_any (build_processes)\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend CommandLine = tostring(EventData.CommandLine) \\n| summarize by BuildParentProcess=ParentProcessName, BuildProcess=Process, BuildAccount = Account, Computer, BuildCommand=CommandLine, timekey= bin(TimeGenerated, time_window), BuildProcessTime=TimeGenerated\\n| join kind=inner(\\nWindowsEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n// Look for file modifications to code file\\n| where EventID == 4663 and EventData has_any (\\\"0x6\\\", \\\"0x4\\\", \\\"0X100\\\") and EventData has_any (\\\".cs\\\", \\\".cpp\\\")\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where Process !in (allow_list)\\n// Look for code files, edit this to include file extensions used in build.\\n| extend ObjectName = tostring(EventData.ObjectName)\\n| where ObjectName endswith \\\".cs\\\" or ObjectName endswith \\\".cpp\\\"\\n// 0x6 and 0x4 for file append, 0x100 for file replacements\\n| extend AccessMask = tostring(EventData.AccessMask) \\n| where AccessMask == \\\"0x6\\\" or AccessMask == \\\"0x4\\\" or AccessMask == \\\"0X100\\\"\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| summarize by FileEditParentProcess=ParentProcessName, FileEditAccount = Account, Computer, FileEdited=ObjectName, FileEditProcess=ProcessName, timekey= bin(TimeGenerated, time_window), FileEditTime=TimeGenerated)\\n// join where build processes and file modifications seen at same time on same host\\non timekey, Computer\\n// Limit to only where the file edit happens after the build process starts\\n| where BuildProcessTime \u003c= FileEditTime\\n| summarize make_set(FileEdited), make_set(FileEditProcess), make_set(FileEditAccount) by timekey, Computer, BuildParentProcess, BuildProcess\\n))\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| project-away DomainIndex\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Potential Build Process Compromise\",\"description\":\"The query looks for source code files being modified immediately after a build process is started. The purpose of this is to look for malicious code injection during the build process.\\nMore details: https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-the-software-supply-chain-with-azure-sentinel/ba-p/2176463\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1f3b4dfd-21ff-4ed3-8e27-afc219e05c50\",\"name\":\"1f3b4dfd-21ff-4ed3-8e27-afc219e05c50\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n| where LoggedByService =~ \\\"PIM\\\"\\n| where Category =~ \\\"RoleManagement\\\"\\n| where ActivityDisplayName has \\\"Disable PIM Alert\\\"\\n| extend IpAddress = case(\\n isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)) and tostring(parse_json(tostring(InitiatedBy.user)).ipAddress) != \u0027null\u0027, tostring(parse_json(tostring(InitiatedBy.user)).ipAddress), \\n isnotempty(tostring(parse_json(tostring(InitiatedBy.app)).ipAddress)) and tostring(parse_json(tostring(InitiatedBy.app)).ipAddress) != \u0027null\u0027, tostring(parse_json(tostring(InitiatedBy.app)).ipAddress),\\n \u0027Not Available\u0027)\\n| extend InitiatedBy = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)), \\n tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName)), UserRoles = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n| project InitiatedBy, ActivityDateTime, ActivityDisplayName, IpAddress, AADOperationType, AADTenantId, ResourceId, CorrelationId, Identity\\n| extend AccountName = tostring(split(InitiatedBy, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(InitiatedBy, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatedBy\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceId\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Detect PIM Alert Disabling activity\",\"description\":\"Privileged Identity Management (PIM) generates alerts when there is suspicious or unsafe activity in Microsoft Entra ID (Azure AD) organization. \\nThis query will help detect attackers attempts to disable in product PIM alerts which are associated with Azure MFA requirements and could indicate activation of privileged access\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2021-09-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f8dad4e9-3f19-4d70-ab7f-8f19ccd43a3e\",\"name\":\"f8dad4e9-3f19-4d70-ab7f-8f19ccd43a3e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":1,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let threshold = 1;\\nunion isfuzzy=true(\\nAZFWApplicationRule\\n| where Action == \\\"Deny\\\"\\n| summarize StartTime = min(TimeGenerated), count() by SourceIp, Fqdn, Action, Protocol\\n| where count_ \u003e= [\\\"threshold\\\"]),\\n(AZFWNetworkRule\\n| where Action == \\\"Deny\\\"\\n| extend Fqdn = DestinationIp\\n| summarize StartTime = min(TimeGenerated), count() by SourceIp, Fqdn, Action, Protocol\\n| where count_ \u003e= [\\\"threshold\\\"]),\\n(AZFWFlowTrace\\n| where Action == \\\"Deny\\\"\\n| extend Fqdn = DestinationIp\\n| summarize StartTime = min(TimeGenerated), count() by SourceIp, Fqdn, Action, Protocol\\n| where count_ \u003e= [\\\"threshold\\\"]),\\n(AZFWIdpsSignature\\n| where Action == \\\"Deny\\\"\\n| extend Fqdn = DestinationIp\\n| summarize StartTime = min(TimeGenerated), count() by SourceIp, Fqdn, Action, Protocol\\n| where count_ \u003e= [\\\"threshold\\\"]),\\n(AzureDiagnostics\\n| where OperationName in (\\\"AzureFirewallApplicationRuleLog\\\",\\\"AzureFirewallNetworkRuleLog\\\")\\n| extend msg_s_replaced0 = replace(@\\\"\\\\s\\\\s\\\",@\\\" \\\",msg_s)\\n| extend msg_s_replaced1 = replace(@\\\"\\\\.\\\\s\\\",@\\\" \\\",msg_s_replaced0)\\n| extend msg_a = split(msg_s_replaced1,\\\" \\\")\\n| extend srcAddr_a = split(msg_a[3],\\\":\\\") , destAddr_a = split(msg_a[5],\\\":\\\")\\n| extend Protocol = tostring(msg_a[0]), SourceIp = tostring(srcAddr_a[0]), srcPort = tostring(srcAddr_a[1]), DestinationIp = tostring(destAddr_a[0]), destPort = tostring(destAddr_a[1]), Action = tostring(msg_a[7])\\n| where Action == \\\"Deny\\\"\\n| extend Fqdn = iff(DestinationIp matches regex \\\"\\\\\\\\d+\\\\\\\\.\\\\\\\\d+\\\\\\\\.\\\\\\\\d+\\\\\\\\.\\\\\\\\d+\\\",\\\"\\\",DestinationIp)\\n| summarize StartTime = min(TimeGenerated), count() by SourceIp, Fqdn, Action, Protocol\\n| where count_ \u003e= [\\\"threshold\\\"])\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIp\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Fqdn\"}]}],\"tactics\":[\"Discovery\",\"LateralMovement\",\"CommandAndControl\"],\"displayName\":\"Several deny actions registered\",\"description\":\"Identifies attack pattern when attacker tries to move, or scan, from resource to resource on the network and creates an incident when a source has more than 1 registered deny action in Azure Firewall.\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2020-10-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\",\"AZFWApplicationRule\",\"AZFWNetworkRule\",\"AZFWFlowTrace\",\"AZFWIdpsSignature\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ec21493c-2684-4acd-9bc2-696dbad72426\",\"name\":\"ec21493c-2684-4acd-9bc2-696dbad72426\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.4.2\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h; // Duration to look back for recent logs (1 hour)\\nlet ioc_lookBack = 14d; // Duration to look back for recent threat intelligence indicators (14 days)\\n// Create a list of top-level domains (TLDs) in our threat feed for later validation of extracted domains\\nlet list_tlds = \\n ThreatIntelligenceIndicator\\n | where isnotempty(DomainName)\\n | where TimeGenerated \u003e= ago(ioc_lookBack)\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n | where Active == true and ExpirationDateTime \u003e now()\\n | extend DomainName = tolower(DomainName)\\n | extend parts = split(DomainName, \u0027.\u0027)\\n | extend tld = parts[(array_length(parts)-1)]\\n | summarize count() by tostring(tld)\\n | summarize make_list(tld);\\nlet Domain_Indicators = \\n ThreatIntelligenceIndicator\\n // Filter to pick up only IOC\u0027s that contain the entities we want (in this case, DomainName)\\n | where isnotempty(DomainName)\\n | where TimeGenerated \u003e= ago(ioc_lookBack)\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n | where Active == true and ExpirationDateTime \u003e now()\\n | extend TI_DomainEntity = DomainName;\\nDomain_Indicators\\n // Join with CommonSecurityLog to find potential malicious activity\\n | join kind=innerunique (\\n CommonSecurityLog\\n | extend IngestionTime = ingestion_time()\\n | where IngestionTime \u003e ago(dt_lookBack)\\n | where DeviceVendor =~ \u0027Palo Alto Networks\u0027\\n | where DeviceEventClassID =~ \u0027url\u0027\\n // Uncomment the line below to only alert on allowed connections\\n // | where DeviceAction !~ \\\"block-url\\\"\\n // Extract domain from RequestURL, if not present, extract it from AdditionalExtensions\\n | extend PA_Url = coalesce(RequestURL, \\\"None\\\")\\n | extend PA_Url = iif(isempty(PA_Url) and AdditionalExtensions !startswith \\\"PanOS\\\", extract(\\\"([^\\\\\\\"]+)\\\", 1, tolower(AdditionalExtensions)), trim(\u0027\\\"\u0027, PA_Url))\\n | extend PA_Url = iif(PA_Url !in~ (\u0027None\u0027, \u0027http://None\u0027, \u0027https://None\u0027) and PA_Url !startswith \\\"http://\\\" and PA_Url !startswith \\\"https://\\\" and ApplicationProtocol !~ \\\"ssl\\\", strcat(\u0027http://\u0027, PA_Url), PA_Url)\\n | extend PA_Url = iif(PA_Url !in~ (\u0027None\u0027, \u0027http://None\u0027, \u0027https://None\u0027) and PA_Url !startswith \\\"https://\\\" and ApplicationProtocol =~ \\\"ssl\\\", strcat(\u0027https://\u0027, PA_Url), PA_Url)\\n | extend Domain = trim(@\\\"\\\"\\\"\\\", tostring(parse_url(PA_Url).Host))\\n | where isnotempty(Domain)\\n | extend Domain = tolower(Domain)\\n | extend parts = split(Domain, \u0027.\u0027)\\n // Split out the top-level domain (TLD) for the purpose of checking if we have any TI indicators with this TLD to match on\\n | extend tld = parts[(array_length(parts)-1)]\\n // Validate parsed domain by checking TLD against TLDs from the threat feed and drop domains where there is no chance of a match\\n | where tld in~ (list_tlds)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n ) on $left.TI_DomainEntity == $right.Domain\\n | where CommonSecurityLog_TimeGenerated \u003c ExpirationDateTime\\n // Group the results by IndicatorId and Domain and keep only the latest CommonSecurityLog_TimeGenerated\\n | summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, Domain\\n // Select the desired fields for the final result set\\n | project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, PA_Url, Domain, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DeviceAction, DestinationIP, DestinationPort, DeviceName, SourceIP, SourcePort, ApplicationProtocol, RequestMethod, Type, TI_DomainEntity\\n // Add a new field \u0027timestamp\u0027 for convenience, using the CommonSecurityLog_TimeGenerated as its value\\n | extend timestamp = CommonSecurityLog_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"DeviceName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"PA_Url\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"TI map Domain entity to PaloAlto\",\"description\":\"Identifies a match in Palo Alto data in CommonSecurityLog table from any Domain IOC from TI\",\"lastUpdatedDateUTC\":\"2024-07-09T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/90d3f6ec-80fb-48e0-9937-2c70c9df9bad\",\"name\":\"90d3f6ec-80fb-48e0-9937-2c70c9df9bad\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Low\",\"query\":\"let DomainList = dynamic([\\\"tor2web.org\\\", \\\"tor2web.com\\\", \\\"torlink.co\\\", \\\"onion.to\\\", \\\"onion.ink\\\", \\\"onion.cab\\\", \\\"onion.nu\\\", \\\"onion.link\\\",\\n\\\"onion.it\\\", \\\"onion.city\\\", \\\"onion.direct\\\", \\\"onion.top\\\", \\\"onion.casa\\\", \\\"onion.plus\\\", \\\"onion.rip\\\", \\\"onion.dog\\\", \\\"tor2web.fi\\\",\\n\\\"tor2web.blutmagie.de\\\", \\\"onion.sh\\\", \\\"onion.lu\\\", \\\"onion.pet\\\", \\\"t2w.pw\\\", \\\"tor2web.ae.org\\\", \\\"tor2web.io\\\", \\\"tor2web.xyz\\\", \\\"onion.lt\\\",\\n\\\"s1.tor-gateways.de\\\", \\\"s2.tor-gateways.de\\\", \\\"s3.tor-gateways.de\\\", \\\"s4.tor-gateways.de\\\", \\\"s5.tor-gateways.de\\\", \\\"hiddenservice.net\\\"]);\\nSyslog\\n| where ProcessName contains \\\"squid\\\"\\n| extend URL = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :]*)\\\",3,SyslogMessage),\\n SourceIP = extract(\\\"([0-9]+ )(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3}))\\\",2,SyslogMessage),\\n Status = extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))\\\",1,SyslogMessage),\\n HTTP_Status_Code = extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))/([0-9]{3})\\\",8,SyslogMessage),\\n User = extract(\\\"(CONNECT |GET )([^ ]* )([^ ]+)\\\",3,SyslogMessage),\\n RemotePort = extract(\\\"(CONNECT |GET )([^ ]*)(:)([0-9]*)\\\",4,SyslogMessage),\\n Domain = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :\\\\\\\\/]*)\\\",3,SyslogMessage),\\n Bytes = toint(extract(\\\"([A-Z]+\\\\\\\\/[0-9]{3} )([0-9]+)\\\",2,SyslogMessage)),\\n contentType = extract(\\\"([a-z/]+$)\\\",1,SyslogMessage)\\n| extend TLD = extract(\\\"\\\\\\\\.[a-z]*$\\\",0,Domain)\\n| where HTTP_Status_Code == \\\"200\\\"\\n| where Domain contains \\\".\\\"\\n| where Domain has_any (DomainList)\\n| extend AccountName = tostring(split(User, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(User, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"User\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URL\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Squid proxy events for ToR proxies\",\"description\":\"Check for Squid proxy events associated with common ToR proxies. This query presumes the default squid log format is being used.\\nhttp://www.squid-cache.org/Doc/config/access_log/\",\"lastUpdatedDateUTC\":\"2024-07-25T00:00:00Z\",\"createdDateUTC\":\"2019-07-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"SyslogAma\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f7f4a77e-f68f-4b56-9aaf-a0c9d87d7a8e\",\"name\":\"f7f4a77e-f68f-4b56-9aaf-a0c9d87d7a8e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.4\",\"severity\":\"Low\",\"query\":\"// Replace these with the username or emails of your VIP users you wish to monitor for.\\nlet vips = dynamic([\u0027vip1@email.com\u0027,\u0027vip2@email.com\u0027]);\\n// Add users who are allowed to conduct these searches - this could be specific SOC team members\\nlet allowed_users = dynamic([]);\\nLAQueryLogs\\n| where QueryText has_any (vips) or QueryText has_any (\u0027_GetWatchlist(\\\"VIPUsers\\\")\u0027, \\\"_GetWatchlist(\u0027VIPUsers\u0027)\\\")\\n| where AADEmail !in (allowed_users)\\n| project TimeGenerated, AADEmail, RequestClientApp, QueryText, ResponseRowCount, RequestTarget\\n| extend timestamp = TimeGenerated, AccountName = tostring(split(AADEmail, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(AADEmail, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"RequestTarget\"}]}],\"tactics\":[\"Collection\",\"Exfiltration\"],\"displayName\":\"Users searching for VIP user activity\",\"description\":\"This query monitors for users running Log Analytics queries that contain filters for specific, defined VIP user accounts or the VIPUser watchlist template.\\nUse this detection to alert for users specifically searching for activity of sensitive users.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2020-09-16T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2b701288-b428-4fb8-805e-e4372c574786\",\"name\":\"2b701288-b428-4fb8-805e-e4372c574786\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Medium\",\"query\":\"//The bigger the window the better the data sample size, as we use IP prevalence, more sample data is better.\\n//The minimum number of countries that the account has been accessed from [default: 2]\\nlet minimumCountries = 2;\\n//The delta (%) between the largest in-use IP and the smallest [default: 95]\\nlet deltaThreshold = 95;\\n//The maximum (%) threshold that the country appears in login data [default: 10]\\nlet countryPrevalenceThreshold = 10;\\n//The time to project forward after the last login activity [default: 60min]\\nlet projectedEndTime = 60m;\\nlet queryfrequency = 1d;\\nlet queryperiod = 14d;\\nlet aadFunc = (tableName: string) {\\n // Get successful signins to Teams\\n let signinData =\\n table(tableName)\\n | where TimeGenerated \u003e ago(queryperiod)\\n | where AppDisplayName has \\\"Teams\\\" and ConditionalAccessStatus =~ \\\"success\\\"\\n | extend Country = tostring(todynamic(LocationDetails)[\u0027countryOrRegion\u0027])\\n | where isnotempty(Country) and isnotempty(IPAddress);\\n // Calculate prevalence of countries\\n let countryPrevalence =\\n signinData\\n | summarize CountCountrySignin = count() by Country\\n | extend TotalSignin = toscalar(signinData | summarize count())\\n | extend CountryPrevalence = toreal(CountCountrySignin) / toreal(TotalSignin) * 100;\\n // Count signins by user and IP address\\n let userIpSignin =\\n signinData\\n | summarize CountIPSignin = count(), Country = any(Country), ListSigninTimeGenerated = make_list(TimeGenerated) by IPAddress, UserPrincipalName;\\n // Calculate delta between the IP addresses with the most and minimum activity by user\\n let userIpDelta =\\n userIpSignin\\n | summarize MaxIPSignin = max(CountIPSignin), MinIPSignin = min(CountIPSignin), DistinctCountries = dcount(Country), make_set(Country) by UserPrincipalName\\n | extend UserIPDelta = toreal(MaxIPSignin - MinIPSignin) / toreal(MaxIPSignin) * 100;\\n // Collect Team operations the user account has performed within a time range of the suspicious signins\\n OfficeActivity\\n | where TimeGenerated \u003e ago(queryfrequency)\\n | where Operation in~ (\\\"TeamsAdminAction\\\", \\\"MemberAdded\\\", \\\"MemberRemoved\\\", \\\"MemberRoleChanged\\\", \\\"AppInstalled\\\", \\\"BotAddedToTeam\\\")\\n | where not (Operation in~ (\\\"MemberAdded\\\", \\\"MemberRemoved\\\") and CommunicationType in~ (\\\"GroupChat\\\", \\\"OneonOne\\\")) // These events have been noisy and are related to initiaing chat conversation and not admin operations.\\n | project OperationTimeGenerated = TimeGenerated, UserId = tolower(UserId), Operation\\n | join kind = inner(\\n userIpDelta\\n // Check users with activity from distinct countries\\n | where DistinctCountries \u003e= minimumCountries\\n // Check users with high IP delta\\n | where UserIPDelta \u003e= deltaThreshold\\n // Add information about signins and countries\\n | join kind = leftouter userIpSignin on UserPrincipalName\\n | join kind = leftouter countryPrevalence on Country\\n // Check activity that comes from nonprevalent countries\\n | where CountryPrevalence \u003c countryPrevalenceThreshold\\n | project\\n UserPrincipalName,\\n SuspiciousIP = IPAddress,\\n UserIPDelta,\\n SuspiciousSigninCountry = Country,\\n SuspiciousCountryPrevalence = CountryPrevalence,\\n EventTimes = ListSigninTimeGenerated\\n ) on $left.UserId == $right.UserPrincipalName\\n // Check the signins occured 60 min before the Teams operations\\n | mv-expand SigninTimeGenerated = EventTimes\\n | extend SigninTimeGenerated = todatetime(SigninTimeGenerated)\\n | where OperationTimeGenerated between (SigninTimeGenerated .. (SigninTimeGenerated + projectedEndTime))\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\\n| summarize arg_max(SigninTimeGenerated, *) by UserPrincipalName, SuspiciousIP, OperationTimeGenerated\\n| summarize\\n ActivitySummary = make_bag(pack(tostring(SigninTimeGenerated), pack(\\\"Operation\\\", tostring(Operation), \\\"OperationTime\\\", OperationTimeGenerated)))\\n by UserPrincipalName, SuspiciousIP, SuspiciousSigninCountry, SuspiciousCountryPrevalence\\n| extend AccountName = tostring(split(UserPrincipalName, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(UserPrincipalName, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SuspiciousIP\"}]}],\"tactics\":[\"InitialAccess\",\"Persistence\"],\"displayName\":\"Anomalous login followed by Teams action\",\"description\":\"Detects anomalous IP address usage by user accounts and then checks to see if a suspicious Teams action is performed.\\nQuery calculates IP usage Delta for each user account and selects accounts where a delta \u003e= 90% is observed between the most and least used IP.\\nTo further reduce results the query performs a prevalence check on the lowest used IP\u0027s country, only keeping IP\u0027s where the country is unusual for the tenant (dynamic ranges). \\nPlease note, if the initial logic of prevalence to find suspicious logon activity is noisy then consider adding filtering based on Location. \\nFinally the user accounts activity within Teams logs is checked for suspicious commands (modifying user privileges or admin actions) during the period the suspicious IP was active.\",\"lastUpdatedDateUTC\":\"2024-12-17T00:00:00Z\",\"createdDateUTC\":\"2020-06-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a4025a76-6490-4e6b-bb69-d02be4b03f07\",\"name\":\"a4025a76-6490-4e6b-bb69-d02be4b03f07\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.4.3\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h; // Look back 1 hour for AzureNetworkAnalytics_CL logs\\nlet ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators\\n// Fetch threat intelligence indicators related to IP addresses\\nlet IP_Indicators = ThreatIntelligenceIndicator\\n | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n | where TimeGenerated \u003e= ago(ioc_lookBack)\\n | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \\\"fe80\\\" and TI_ipEntity !startswith \\\"::\\\" and TI_ipEntity !startswith \\\"127.\\\"\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n | where Active == true and ExpirationDateTime \u003e now();\\n// Perform a join between IP indicators and AzureNetworkAnalytics_CL logs for NSG Flow information\\nIP_Indicators\\n // Use innerunique to keep performance fast and result set low, as we only need one match to indicate potential malicious activity that needs investigation\\n | join kind=innerunique (\\n AzureNetworkAnalytics_CL\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | extend AzureNetworkAnalytics_CL_TimeGenerated = TimeGenerated\\n | extend PIPs = split(PublicIPs_s, \u0027|\u0027, 0)\\n | extend PIP = tostring(PIPs[0])\\n )\\n on $left.TI_ipEntity == $right.PIP\\n // Filter out logs that occurred after the expiration of the corresponding indicator\\n | where AzureNetworkAnalytics_CL_TimeGenerated \u003c ExpirationDateTime\\n // Filter out NSG Flow logs that are not allowed (FlowStatus_s == \\\"A\\\")\\n | where FlowStatus_s == \\\"A\\\"\\n // Group the results by IndicatorId and PIP (Public IP), and keep the log entry with the latest timestamp\\n | summarize AzureNetworkAnalytics_CL_TimeGenerated = arg_max(AzureNetworkAnalytics_CL_TimeGenerated, *) by IndicatorId, PIP\\n // Select the desired output fields\\n | project AzureNetworkAnalytics_CL_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\n TI_ipEntity, Computer, FlowDirection_s, FlowStatus_s, FlowType_s, SrcPublicIPs_s, DestPublicIPs_s, PublicIPs_s, L7Protocol_s, DestPort_d, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, Type\\n // Extract hostname and DNS domain from the Computer field\\n | extend HostName = tostring(split(Computer, \u0027.\u0027, 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Computer, \u0027.\u0027), 1, -1), \u0027.\u0027))\\n // Rename the timestamp field\\n | extend timestamp = AzureNetworkAnalytics_CL_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"TI_ipEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"TI map IP entity to AzureNetworkAnalytics_CL (NSG Flow Logs)\",\"description\":\"Identifies a match in AzureNetworkAnalytics_CL (NSG Flow Logs) from any IP IOC from TI that was Allowed\",\"lastUpdatedDateUTC\":\"2024-07-09T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/720d12c6-a08c-44c4-b18f-2236412d59b0\",\"name\":\"720d12c6-a08c-44c4-b18f-2236412d59b0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Low\",\"query\":\"SecurityEvent\\n | where EventID == 4688\\n | where Process !~ \\\"sdelete.exe\\\"\\n | where CommandLine has_all (\\\"accepteula\\\", \\\"-r\\\", \\\"-s\\\", \\\"-q\\\", \\\"c:/\\\")\\n | where CommandLine !has (\\\"sdelete\\\")\\n | extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n | extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n | extend AccountName = tostring(split(TargetAccount, @\u0027\\\\\u0027)[1]), AccountNTDomain = tostring(split(TargetAccount, @\u0027\\\\\u0027)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetAccount\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"DefenseEvasion\",\"Impact\"],\"displayName\":\"Potential re-named sdelete usage\",\"description\":\"This detection looks for command line parameters associated with the use of Sysinternals sdelete (https://docs.microsoft.com/sysinternals/downloads/sdelete) to delete multiple files on a host\u0027s C drive.\\nA threat actor may re-name the tool to avoid detection and then use it for destructive attacks on a host.\",\"lastUpdatedDateUTC\":\"2024-03-13T00:00:00Z\",\"createdDateUTC\":\"2022-02-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/473d57e6-f787-435c-a16b-b38b51fa9a4b\",\"name\":\"473d57e6-f787-435c-a16b-b38b51fa9a4b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.4\",\"severity\":\"High\",\"query\":\"let servicelist = dynamic([\u0027Services\\\\\\\\HealthService\u0027, \u0027Services\\\\\\\\Sense\u0027, \u0027Services\\\\\\\\WinDefend\u0027, \u0027Services\\\\\\\\MsSecFlt\u0027, \u0027Services\\\\\\\\DiagTrack\u0027, \u0027Services\\\\\\\\SgrmBroker\u0027, \u0027Services\\\\\\\\SgrmAgent\u0027, \u0027Services\\\\\\\\AATPSensorUpdater\u0027 , \u0027Services\\\\\\\\AATPSensor\u0027, \u0027Services\\\\\\\\mpssvc\u0027]);\\nlet filename = dynamic([\\\"subinacl.exe\\\",\u0027SetACL.exe\u0027]);\\nlet parameters = dynamic ([\u0027/deny=SYSTEM\u0027, \u0027/deny=S-1-5-18\u0027, \u0027/grant=SYSTEM=r\u0027, \u0027/grant=S-1-5-18=r\u0027, \u0027n:SYSTEM;p:READ\u0027, \u0027n1:SYSTEM;ta:remtrst;w:dacl\u0027]);\\nlet FullAccess = dynamic([\u0027A;CI;KA;;;SY\u0027, \u0027A;ID;KA;;;SY\u0027, \u0027A;CIID;KA;;;SY\u0027]);\\nlet ReadAccess = dynamic([\u0027A;CI;KR;;;SY\u0027, \u0027A;ID;KR;;;SY\u0027, \u0027A;CIID;KR;;;SY\u0027]);\\nlet DenyAccess = dynamic([\u0027D;CI;KR;;;SY\u0027, \u0027D;ID;KR;;;SY\u0027, \u0027D;CIID;KR;;;SY\u0027]);\\nlet timeframe = 1d;\\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where EventID == 4670\\n| where ObjectType == \u0027Key\u0027\\n| where ObjectName has_any (servicelist)\\n| parse EventData with * \u0027OldSd\\\"\u003e\u0027 OldSd \\\"\u003c\\\" *\\n| parse EventData with * \u0027NewSd\\\"\u003e\u0027 NewSd \\\"\u003c\\\" *\\n| extend Reason = case( (OldSd has \u0027;;;SY\u0027 and NewSd !has \u0027;;;SY\u0027), \u0027System Account is removed\u0027, (OldSd has_any (FullAccess) and NewSd has_any (ReadAccess)) , \u0027System permission has been changed to read from full access\u0027, (OldSd has_any (FullAccess) and NewSd has_any (DenyAccess)), \u0027System account has been given denied permission\u0027, \u0027None\u0027)\\n| project TimeGenerated, Computer, Account, ProcessName, ProcessId, ObjectName, EventData, Activity, HandleId, SubjectLogonId, OldSd, NewSd , Reason\\n),\\n(\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where EventID == 4688\\n| extend ProcessName = tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where ProcessName in~ (filename)\\n| where CommandLine has_any (servicelist) and CommandLine has_any (parameters)\\n| project TimeGenerated, Computer, Account, AccountDomain, ProcessName, ProcessNameFullPath = NewProcessName, EventID, Activity, CommandLine, EventSourceName, Type\\n),\\n(\\nWindowsEvent\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where EventID == 4670 and EventData has_any (servicelist) and EventData has \u0027Key\u0027\\n| extend ObjectType = tostring(EventData.ObjectType)\\n| where ObjectType == \u0027Key\u0027\\n| extend ObjectName = tostring(EventData.ObjectName)\\n| where ObjectName has_any (servicelist)\\n| extend OldSd = tostring(EventData.OldSd)\\n| extend NewSd = tostring(EventData.NewSd)\\n| extend Reason = case( (OldSd has \u0027;;;SY\u0027 and NewSd !has \u0027;;;SY\u0027), \u0027System Account is removed\u0027, (OldSd has_any (FullAccess) and NewSd has_any (ReadAccess)) , \u0027System permission has been changed to read from full access\u0027, (OldSd has_any (FullAccess) and NewSd has_any (DenyAccess)), \u0027System account has been given denied permission\u0027, \u0027None\u0027)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| extend ProcessId = tostring(EventData.ProcessId)\\n| extend Activity= \\\"4670 - Permissions on an object were changed.\\\"\\n| extend HandleId = tostring(EventData.HandleId)\\n| extend SubjectLogonId = tostring(EventData.SubjectLogonId)\\n| project TimeGenerated, Computer, Account, ProcessName, ProcessId, ObjectName, EventData, Activity, HandleId, SubjectLogonId, OldSd, NewSd , Reason\\n),\\n(\\nWindowsEvent\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where EventID == 4688 and EventData has_any (filename) and EventData has_any (servicelist) and EventData has_any (parameters)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend ProcessName = tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where ProcessName in~ (filename)\\n| extend CommandLine = tostring(EventData.CommandLine)\\n| where CommandLine has_any (servicelist) and CommandLine has_any (parameters)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend AccountDomain = tostring(EventData.AccountDomain)\\n| extend Activity=\\\"4688 - A new process has been created.\\\"\\n| extend EventSourceName=Provider\\n| project TimeGenerated, Computer, Account, AccountDomain, ProcessName, ProcessNameFullPath = NewProcessName, EventID, Activity, CommandLine, EventSourceName, Type\\n),\\n(\\nDeviceProcessEvents\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where InitiatingProcessFileName in~ (filename)\\n| where InitiatingProcessCommandLine has_any(servicelist) and InitiatingProcessCommandLine has_any (parameters)\\n| extend Account = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName), Computer = DeviceName\\n| project TimeGenerated, Computer, Account, AccountDomain, ProcessName = InitiatingProcessFileName, ProcessNameFullPath = FolderPath, Activity = ActionType, CommandLine = InitiatingProcessCommandLine, Type, InitiatingProcessParentFileName\\n)\\n)\\n| extend AccountName = tostring(split(Account, \\\"\\\\\\\\\\\")[0]), AccountNTDomain = tostring(split(Account, \\\"\\\\\\\\\\\")[1])\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Security Service Registry ACL Modification\",\"description\":\"Identifies attempts to modify registry ACL to evade security solutions. In the Solorigate attack, the attackers were found modifying registry permissions so services.exe cannot access the relevant registry keys to start the service.\\n The detection leverages Security Event as well as MDE data to identify when specific security services registry permissions are modified.\\n Only some portions of this detection are related to Solorigate, it also includes coverage for some common tools that perform this activity.\\n Reference on guidance for enabling registry auditing:\\n - https://docs.microsoft.com/windows/security/threat-protection/auditing/advanced-security-auditing-faq\\n - https://docs.microsoft.com/windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events\\n - https://docs.microsoft.com/windows/security/threat-protection/auditing/audit-registry\\n - https://docs.microsoft.com/windows/security/threat-protection/auditing/event-4670\\n - For the event 4670 to be created the audit policy for the registry must have auditing enabled for Write DAC and/or Write Owner\\n - https://github.com/OTRF/Set-AuditRule\\n - https://docs.microsoft.com/dotnet/api/system.security.accesscontrol.registryrights?view=dotnet-plat-ext-5.0\",\"lastUpdatedDateUTC\":\"2024-06-14T00:00:00Z\",\"createdDateUTC\":\"2021-01-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/02f6c2e5-219d-4426-a0bf-ad67abc63d53\",\"name\":\"02f6c2e5-219d-4426-a0bf-ad67abc63d53\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Medium\",\"query\":\"let lookback_start = 7d;\\nlet lookback_end = 1d;\\nlet timedelta = 5s;\\n// Get a list of previously seen DLLs being loaded\\nlet known_dlls = (Event\\n| where TimeGenerated between(ago(lookback_start)..ago(lookback_end))\\n| where EventID == 7\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend LoadedItems = parse_json(tostring(parse_json(tostring(EvData.DataItem)).EventData)).[\\\"Data\\\"]\\n| mv-expand LoadedItems\\n| where tostring(LoadedItems.[\\\"@Name\\\"]) =~ \\\"ImageLoaded\\\"\\n| extend DLL = tostring(LoadedItems.[\\\"#text\\\"])\\n| summarize by DLL);\\n// Get Image Load events related to svchost.exe\\nEvent\\n| where Source =~ \\\"Microsoft-Windows-Sysmon\\\"\\n// Image Load Event in Sysmon\\n| where EventID == 7\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Images = parse_json(tostring(parse_json(tostring(EvData.DataItem)).EventData)).[\\\"Data\\\"]\\n| mv-expand Images\\n// Parse out executing process\\n| where tostring(Images.[\\\"@Name\\\"]) =~ \\\"Image\\\"\\n| extend Image = tostring(Images.[\\\"#text\\\"])\\n| where Image endswith \\\"\\\\\\\\svchost.exe\\\"\\n// Parse out loaded DLLs\\n| extend LoadedItems = parse_json(tostring(parse_json(tostring(EvData.DataItem)).EventData)).[\\\"Data\\\"]\\n| mv-expand LoadedItems\\n| where tostring(LoadedItems.[\\\"@Name\\\"]) =~ \\\"ImageLoaded\\\"\\n| extend DLL = tostring(LoadedItems.[\\\"#text\\\"])\\n| extend Image = tostring(Image)\\n| extend ImageLoadTime = TimeGenerated\\n// Join with processes with a command line related to COM Event System\\n| join kind = inner(Event\\n| where Source =~ \\\"Microsoft-Windows-Sysmon\\\"\\n// Sysmon process execution events\\n| where EventID == 1\\n| extend RenderedDescription = tostring(split(RenderedDescription, \\\":\\\")[0])\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| extend ParentImage = tostring(column_ifexists(\\\"ParentImage\\\", \\\"NotAvailable\\\"))\\n// Command line related to COM Event System\\n| where ParentImage endswith \\\"\\\\\\\\svchost.exe\\\"\\n//| where ParentCommandLine has_all (\\\" -k LocalService\\\",\\\" -p\\\",\\\" -s EventSystem\\\")\\n| extend ProcessExecutionTime = TimeGenerated) on $left.Image == $right.ParentImage\\n// Check timespan between DLL load and process creation\\n| extend delta = ProcessExecutionTime - ImageLoadTime\\n| where ImageLoadTime \u003c= ProcessExecutionTime and delta \u003c= timedelta\\n// Filter to only newly seen DLLs\\n| where DLL !in (known_dlls)\\n| extend ParentCommandLine = tostring(column_ifexists(\\\"ParentCommandLine\\\", \\\"NotAvailable\\\"))\\n| project-reorder ImageLoadTime, ProcessExecutionTime , Image, ParentCommandLine, DLL\\n| extend Hashes = tostring(column_ifexists(\\\"Hashes\\\", \\\"NotAvailable, NotAvailable\\\"))\\n| extend Hashes = split(Hashes, \\\",\\\")\\n| mv-apply Hashes on (summarize FileHashes = make_bag(pack(tostring(split(Hashes, \\\"=\\\")[0]), tostring(split(Hashes, \\\"=\\\")[1]))))\\n| extend SHA1 = tostring(FileHashes.SHA1)\\n| extend HashAlgo = \\\"SHA1\\\"\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| extend Name = tostring(split(UserName, \\\"\\\\\\\\\\\")[1]), NTDomain = tostring(split(UserName, \\\"\\\\\\\\\\\")[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"NTDomain\",\"columnName\":\"NTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Value\",\"columnName\":\"SHA1\"},{\"identifier\":\"Algorithm\",\"columnName\":\"HashAlgo\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"COM Event System Loading New DLL\",\"description\":\"This query uses Sysmon Image Load (Event ID 7) and Process Create (Event ID 1) data to look for COM Event System being used to load a newly seen DLL.\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2022-10-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d57c33a9-76b9-40e0-9dfa-ff0404546410\",\"name\":\"d57c33a9-76b9-40e0-9dfa-ff0404546410\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"// Adjust this to use a longer timeframe to identify ADFS servers\\n//let lookback = 0d;\\n// Adjust this to adjust detection timeframe\\n//let timeframe = 1d;\\n// Filter out other servers in the AD FS farm\\nlet ADFSServersList = dynamic([\\\"ADFS02.domain.com\\\",\\\"ADFS03.domain.com\\\"]);\\n// Start by identifying ADFS servers to reduce FP chance\\nlet ADFS_Servers = (\\nEvent\\n//| where TimeGenerated \u003e ago(timeframe+lookback)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 18\\n| where Computer !in (ADFSServersList)\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, MG, ManagementGroupName, _ResourceId)\\n| extend Image = column_ifexists(\\\"Image\\\", \\\"\\\")\\n| extend process = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n| where process =~ \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| summarize by Computer\\n);\\n// Look for ADFS servers receiving connections over port 80\\nEvent\\n//| where TimeGenerated \u003e ago(timeframe)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where Computer in~ (ADFS_Servers)\\n| extend RenderedDescription = tostring(split(RenderedDescription, \\\":\\\")[0])\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, RenderedDescription, MG, ManagementGroupName, _ResourceId)\\n| extend RuleName = column_ifexists(\\\"RuleName\\\", \\\"\\\"), TechniqueId = column_ifexists(\\\"TechniqueId\\\", \\\"\\\"), TechniqueName = column_ifexists(\\\"TechniqueName\\\", \\\"\\\")\\n| parse RuleName with * \u0027technique_id=\u0027 TechniqueId \u0027,\u0027 * \u0027technique_name=\u0027 TechniqueName\\n| where EventID == 3\\n// Look for endpoints connecting to the AD FS server over port 80\\n| extend DestinationPort = column_ifexists(\\\"DestinationPort\\\", \\\"\\\"), Image = column_ifexists(\\\"Image\\\", \\\"\\\"), Initiated = column_ifexists(\\\"Initiated\\\", \\\"\\\"), SourceIp = column_ifexists(\\\"DestinationIp\\\", \\\"\\\"), DestinationIp = column_ifexists(\\\"DestinationIp\\\", \\\"\\\")\\n| where DestinationPort == 80\\n| extend process = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n// Look for the System process receiving connections\\n| where process == \u0027System\u0027 and Initiated == \u0027false\u0027\\n| where DestinationIp !in (\u0027::1\u0027,\u00270:0:0:0:0:0:0:1\u0027)\\n| extend Operation = RenderedDescription\\n| project-reorder TimeGenerated, Operation, Image, Computer, UserName\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| extend AccountName = tostring(split(UserName, @\u0027\\\\\u0027)[1]), AccountNTDomain = tostring(split(UserName, @\u0027\\\\\u0027)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserName\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIp\"}]}],\"tactics\":[\"Collection\"],\"displayName\":\"AD FS Remote HTTP Network Connection\",\"description\":\"This detection uses Sysmon events (NetworkConnect events) to detect incoming network traffic on port 80 on AD FS servers. This could be a sign of a threat actor trying to use replication services on the AD FS server to get its configuration settings and extract sensitive information such as AD FS certificates.\\nIn order to use this query you need to enable Sysmon telemetry on the AD FS Server.\\nReference: https://twitter.com/OTR_Community/status/1387038995016732672\\n\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5f171045-88ab-4634-baae-a7b6509f483b\",\"name\":\"5f171045-88ab-4634-baae-a7b6509f483b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"High\",\"query\":\"let Dev0530_threats = dynamic([\\\"Trojan:Win32/SiennaPurple.A\\\", \\\"Ransom:Win32/SiennaBlue.A\\\", \\\"Ransom:Win32/SiennaBlue.B\\\"]);\\nSecurityAlert\\n| where ProviderName == \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)\\n| where ThreatName in~ (Dev0530_threats) or ThreatFamilyName in~ (Dev0530_threats)\\n| extend CompromisedEntity = tolower(CompromisedEntity)\\n| join kind=inner (DeviceInfo\\n | extend DeviceName = tolower(DeviceName)\\n) on $left.CompromisedEntity == $right.DeviceName\\n| summarize by bin(TimeGenerated, 1d), DisplayName, ThreatName, ThreatFamilyName, PublicIP, AlertSeverity, Description, tostring(LoggedOnUsers), DeviceId, TenantId, CompromisedEntity, tostring(LoggedOnUsers), ProductName, Entities\\n| extend HostName = tostring(split(CompromisedEntity, \\\".\\\")[0]), DomainIndex = toint(indexof(CompromisedEntity, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(CompromisedEntity, DomainIndex + 1), CompromisedEntity)\\n| project-away DomainIndex\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CompromisedEntity\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"PublicIP\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"AV detections related to Dev-0530 actors\",\"description\":\"This query looks for Microsoft Defender AV detections related to Dev-0530 actors.\\nIn Microsoft Sentinel the SecurityAlerts table includes only the Device Name of the affected device, this query joins the DeviceInfo table to clearly connect other information such as Device group, ip, logged on users etc. This would allow the Microsoft Sentinel analyst to have more context related to the alert, if available.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-04-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f9949656-473f-4503-bf43-a9d9890f7d08\",\"name\":\"f9949656-473f-4503-bf43-a9d9890f7d08\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.5.2\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h; // Look back 1 hour for AppServiceHTTPLogs\\nlet ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators\\n// Fetch threat intelligence indicators related to IP addresses\\nlet IP_Indicators = ThreatIntelligenceIndicator\\n // Filter out indicators without relevant IP address fields\\n | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n | where TimeGenerated \u003e= ago(ioc_lookBack)\\n // Filtering out rows where the Confidence Score is less than 50 as they would not have an Alert Priority label. \\n | where ConfidenceScore \u003e 50\\n // Select the IP entity based on availability of different IP fields\\n | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n // Determine AlertPriority based on ConfidenceScore\\n | extend AlertPriority = case(ConfidenceScore \u003e 82, \\\"High\\\",\\n ConfidenceScore \u003e 74, \\\"Medium\\\",\\n \\\"Low\\\")\\n // Exclude local addresses using the ipv4_is_private operator and filtering out specific address prefixes\\n | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \\\"fe80\\\" and TI_ipEntity !startswith \\\"::\\\" and TI_ipEntity !startswith \\\"127.\\\"\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n | where Active == true and ExpirationDateTime \u003e now();\\n// Perform a join between IP indicators and AppServiceHTTPLogs to identify potential malicious activity\\nIP_Indicators\\n // Use innerunique to keep performance fast and result set low, as we only need one match to indicate potential malicious activity that needs investigation\\n | join kind=innerunique (\\n AppServiceHTTPLogs | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(CIp)\\n | extend WebApp = split(_ResourceId, \u0027/\u0027)[8]\\n | extend AppService_TimeGenerated = TimeGenerated // Rename time column for clarity\\n )\\n on $left.TI_ipEntity == $right.CIp\\n // Filter out logs that occurred after the expiration of the corresponding indicator\\n | where AppService_TimeGenerated \u003c ExpirationDateTime\\n // Group the results by IndicatorId and CIp, and keep the log entry with the latest timestamp\\n | summarize AppService_TimeGenerated = arg_max(AppService_TimeGenerated, *) by IndicatorId, CIp\\n // Select the desired output fields\\n | project AppService_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, CsUsername, WebApp = split(_ResourceId, \u0027/\u0027)[8], CIp, CsHost, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, _ResourceId, Type\\n // Extract hostname and DNS domain from the CsHost field\\n | extend HostName = tostring(split(CsHost, \u0027.\u0027, 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(CsHost, \u0027.\u0027), 1, -1), \u0027.\u0027))\\n // Rename the timestamp field\\n | extend timestamp = AppService_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"CsUsername\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"CIp\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"_ResourceId\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":null,\"alertDescriptionFormat\":null,\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":\"AlertPriority\"},\"tactics\":[\"CommandAndControl\"],\"displayName\":\"TI map IP entity to AppServiceHTTPLogs\",\"description\":\"Identifies a match in AppServiceHTTPLogs from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2024-07-09T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9a7f6651-801b-491c-a548-8b454b356eaa\",\"name\":\"9a7f6651-801b-491c-a548-8b454b356eaa\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZincOctober2022IOCs.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet file_path = (iocs | where Type =~ \\\"filepath\\\" | project IoC);\\nlet commandline = (iocs | where Type =~ \\\"commandline\\\" | project IoC);\\n(union isfuzzy=true \\n(DeviceNetworkEvents\\n| where InitiatingProcessFolderPath has_any (file_path) or InitiatingProcessCommandLine has_any (commandline)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, LocalIP, Type\\n| extend timestamp = TimeGenerated, HostEntity = DeviceName\\n),\\n(Event\\n| where Source =~ \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Image = EventDetail.[4].[\\\"#text\\\"], CommandLine = EventDetail.[10].[\\\"#text\\\"]\\n| where Image has_any (file_path) or CommandLine has_any (commandline)\\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, CommandLine, Image\\n| extend Type = strcat(Type, \\\": \\\", Source)\\n| extend timestamp = TimeGenerated, HostEntity = Computer , AccountEntity = UserName, ProcessEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1])\\n), \\n(DeviceProcessEvents\\n| where ( InitiatingProcessCommandLine has_any (file_path)) or ( InitiatingProcessCommandLine has_any (commandline)) or (InitiatingProcessFolderPath has_any (file_path)) or (InitiatingProcessFolderPath has_any (commandline)) or (FolderPath has_any (file_path)) or (FolderPath has_any (commandline))\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, FolderPath, Type\\n| extend timestamp = TimeGenerated, HostEntity = DeviceName , AccountEntity = InitiatingProcessAccountName, ProcessEntity = InitiatingProcessFileName\\n),\\n(DeviceFileEvents\\n| where (InitiatingProcessFolderPath has_any (file_path)) or (InitiatingProcessFolderPath has_any (commandline)) or (FolderPath has_any (file_path)) or (FolderPath has_any (commandline)) or ( InitiatingProcessCommandLine has_any (commandline)) or ( InitiatingProcessCommandLine has_any (file_path))\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RequestAccountName, RequestSourceIP, InitiatingProcessSHA256, FolderPath, Type\\n| extend timestamp = TimeGenerated, HostEntity = DeviceName , AccountEntity = RequestAccountName, ProcessEntity = InitiatingProcessFileName, AlgorithmEntity = \\\"SHA256\\\", FileHashEntity = InitiatingProcessSHA256\\n),\\n(DeviceEvents\\n| where ( InitiatingProcessCommandLine has_any (file_path)) or ( InitiatingProcessCommandLine has_any (commandline)) or (InitiatingProcessFolderPath has_any (file_path)) or (InitiatingProcessFolderPath has_any (commandline)) or (FolderPath has_any (file_path)) or (FolderPath has_any (commandline))\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, FolderPath, Type\\n| extend CommandLine = InitiatingProcessCommandLine\\n| extend timestamp = TimeGenerated, HostEntity = DeviceName , AccountEntity = InitiatingProcessAccountName, ProcessEntity = InitiatingProcessFileName\\n),\\n(SecurityEvent\\n| where EventID == 4688\\n| where ( CommandLine has_any (file_path)) or ( CommandLine has_any (commandline)) or (NewProcessName has_any (file_path)) or (NewProcessName has_any (commandline)) or (ParentProcessName has_any (file_path)) or (ParentProcessName has_any (commandline))\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type\\n| extend timestamp = TimeGenerated, HostEntity = Computer , AccountEntity = Account, ProcessEntity = NewProcessName\\n)\\n)\\n| extend HostName = tostring(split(HostEntity, \u0027.\u0027, 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(HostEntity, \u0027.\u0027), 1, -1), \u0027.\u0027))\\n| extend Name = tostring(split(AccountEntity, \u0027@\u0027, 0)[0]), UPNSuffix = tostring(split(AccountEntity, \u0027@\u0027, 1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"RemoteIP\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Zinc Actor IOCs files - October 2022\",\"description\":\"Identifies a match across filename and commandline IOC\u0027s related to an actor tracked by Microsoft as Zinc.\\nReference: https://www.microsoft.com/security/blog/2022/09/29/zinc-weaponizing-open-source-software/\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2022-09-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceFileEvents\",\"DeviceEvents\",\"DeviceProcessEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4b93c5af-d20b-4236-b696-a28b8c51407f\",\"name\":\"4b93c5af-d20b-4236-b696-a28b8c51407f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1DT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.2\",\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\nlet spanoftime = 10m;\\nlet threshold = 0;\\n(union isfuzzy=true\\n (SecurityEvent\\n | where TimeGenerated \u003e ago(timeframe+spanoftime)\\n // A user account was created\\n | where EventID == 4720\\n | where AccountType =~ \\\"User\\\"\\n | project creationTime = TimeGenerated, CreateEventID = EventID, CreateActivity = Activity, Computer = toupper(Computer), \\n TargetAccount = tolower(TargetAccount), TargetUserName, TargetDomainName, TargetSid, \\n AccountUsedToCreate = SubjectAccount, CreatedBySubjectUserName = SubjectUserName, CreatedBySubjectDomainName = SubjectDomainName, SIDofAccountUsedToCreate = SubjectUserSid, UserPrincipalName\\n ),\\n (\\n WindowsEvent\\n | where TimeGenerated \u003e ago(timeframe+spanoftime)\\n // A user account was created\\n | where EventID == 4720\\n | extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n | extend AccountType=case(EventData.SubjectUserName endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n | where AccountType =~ \\\"User\\\"\\n | extend SubjectAccount = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n | extend SubjectDomainName = tostring(EventData.SubjectDomainName), SubjectUserName = tostring(EventData.SubjectUserName)\\n | extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n | extend TargetSid = tostring(EventData.TargetSid)\\n | extend UserPrincipalName = tostring(EventData.UserPrincipalName)\\n | extend Activity = \\\"4720 - A user account was created.\\\"\\n | extend TargetUserName = tostring(EventData.TargetUserName), TargetDomainName = tostring(EventData.TargetDomainName) \\n | project creationTime = TimeGenerated, CreateEventID = EventID, CreateActivity = Activity, Computer = toupper(Computer), \\n TargetAccount = tolower(TargetAccount), TargetUserName, TargetDomainName, TargetSid, \\n AccountUsedToCreate = SubjectAccount, CreatedBySubjectUserName = SubjectUserName, CreatedBySubjectDomainName = SubjectDomainName, SIDofAccountUsedToCreate = SubjectUserSid, UserPrincipalName\\n )\\n )\\n| join kind = inner \\n(\\n (union isfuzzy=true\\n (SecurityEvent\\n | where TimeGenerated \u003e ago(timeframe)\\n // A user account was deleted\\n | where EventID == 4726\\n | where AccountType == \\\"User\\\"\\n | project deletionTime = TimeGenerated, DeleteEventID = EventID, DeleteActivity = Activity, Computer = toupper(Computer), \\n TargetAccount = tolower(TargetAccount), TargetUserName, TargetDomainName, TargetSid, \\n AccountUsedToDelete = SubjectAccount, DeletedBySubjectUserName = SubjectUserName, DeletedBySubjectDomainName = SubjectDomainName, SIDofAccountUsedToDelete = SubjectUserSid, UserPrincipalName\\n ),\\n (WindowsEvent\\n | where TimeGenerated \u003e ago(timeframe)\\n // A user account was deleted\\n | where EventID == 4726\\n | extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n | extend SubjectAccount = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n | extend AccountType=case(SubjectAccount endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n | where AccountType == \\\"User\\\"\\n | extend SubjectDomainName = tostring(EventData.SubjectDomainName), SubjectUserName = tostring(EventData.SubjectUserName)\\n | extend TargetSid = tostring(EventData.TargetSid)\\n | extend UserPrincipalName = tostring(EventData.UserPrincipalName)\\n | extend Activity = \\\"4726 - A user account was deleted.\\\"\\n | extend TargetUserName = tostring(EventData.TargetUserName), TargetDomainName = tostring(EventData.TargetDomainName) \\n | extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n | project deletionTime = TimeGenerated, DeleteEventID = EventID, DeleteActivity = Activity, Computer = toupper(Computer), \\n TargetAccount = tolower(TargetAccount), TargetUserName, TargetDomainName, TargetSid, \\n AccountUsedToDelete = SubjectAccount, DeletedBySubjectUserName = SubjectUserName, DeletedBySubjectDomainName = SubjectDomainName, SIDofAccountUsedToDelete = SubjectUserSid, UserPrincipalName\\n )\\n )\\n) on Computer, TargetAccount\\n| where deletionTime - creationTime \u003c spanoftime\\n| extend TimeDelta = deletionTime - creationTime\\n| where tolong(TimeDelta) \u003e= threshold\\n| project TimeDelta, creationTime, CreateEventID, CreateActivity, Computer, TargetAccount, TargetSid, UserPrincipalName, AccountUsedToCreate, SIDofAccountUsedToCreate,\\ndeletionTime, DeleteEventID, DeleteActivity, AccountUsedToDelete, SIDofAccountUsedToDelete, TargetUserName, TargetDomainName, \\nCreatedBySubjectUserName, CreatedBySubjectDomainName, DeletedBySubjectUserName, DeletedBySubjectDomainName\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| project-away DomainIndex\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountUsedToCreate\"},{\"identifier\":\"Name\",\"columnName\":\"CreatedBySubjectUserName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"CreatedBySubjectDomainName\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountUsedToDelete\"},{\"identifier\":\"Name\",\"columnName\":\"DeletedBySubjectUserName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"DeletedBySubjectDomainName\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetAccount\"},{\"identifier\":\"Name\",\"columnName\":\"TargetUserName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"TargetDomainName\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Sid\",\"columnName\":\"TargetSid\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"User account created and deleted within 10 mins\",\"description\":\"Identifies when a user account is created and then deleted within 10 minutes. This can be an indication of compromise and an adversary attempting to hide in the noise.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a172107d-794c-48c0-bc26-d3349fe10b4d\",\"name\":\"a172107d-794c-48c0-bc26-d3349fe10b4d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT12H\",\"queryPeriod\":\"PT12H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Dev-0530_July2022.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\nlet IPList = (iocs | where Type =~ \\\"ip\\\"| project IoC);\\n(union isfuzzy=true \\n(DeviceProcessEvents\\n| where InitiatingProcessSHA256 in (sha256Hashes) or SHA256 in (sha256Hashes) or ( InitiatingProcessCommandLine has (\u0027cmd.exe /Q /c schtasks /create /tn lockertask /tr\u0027) \\nand InitiatingProcessCommandLine has (\u0027sc minute /mo 1 /F /ru system\u0027))\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type, AccountName, SHA256\\n| extend Account = AccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = case(InitiatingProcessSHA256 in (sha256Hashes), \\\"InitiatingProcessSHA256\\\", SHA256 in (sha256Hashes), \\\"SHA256\\\", \\\"No Match\\\")\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = case(FileHash == \\\"InitiatingProcessSHA256\\\", InitiatingProcessSHA256, FileHash == \\\"SHA256\\\", SHA256, \\\"No Match\\\")\\n),\\n( SecurityEvent\\n| where EventID == 4688\\n| where ( CommandLine has (\u0027cmd.exe /Q /c schtasks /create /tn lockertask /tr\u0027) and CommandLine has (\u0027/sc minute /mo 1 /F /ru system\u0027))\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type, EventID, CommandLine\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName\\n),\\n( imFileEvent\\n| where Hash in~ (sha256Hashes) or ( ActingProcessCommandLine has (\u0027cmd.exe /Q /c schtasks /create /tn lockertask /tr\u0027) and ActingProcessCommandLine has (\u0027/sc minute /mo 1 /F /ru system\u0027))\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, FileHashCustomEntity = FileHash\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Image = EventDetail.[4].[\\\"#text\\\"], CommandLine = EventDetail.[10].[\\\"#text\\\"], Hashes = tostring(EventDetail.[17].[\\\"#text\\\"])\\n| extend Hashes = extract_all(@\\\"(?P\u003ckey\u003e\\\\w+)=(?P\u003cvalue\u003e[a-zA-Z0-9]+)\\\", dynamic([\\\"key\\\",\\\"value\\\"]), Hashes)\\n| extend Hashes = column_ifexists(\\\"Hashes\\\", \\\"\\\"), CommandLine = column_ifexists(\\\"CommandLine\\\", \\\"\\\")\\n| extend Hashes = todynamic(Hashes) | mv-expand Hashes\\n| where Hashes[0] =~ \\\"SHA256\\\"\\n| where (Hashes[1] has_any (sha256Hashes)) or ( CommandLine has (\u0027cmd.exe /Q /c schtasks /create /tn lockertask /tr\u0027) and CommandLine has (\u0027/sc minute /mo 1 /F /ru system\u0027)) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, Hashes, CommandLine, Image\\n| extend Type = strcat(Type, \\\": \\\", Source)\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), FileHashCustomEntity = tostring(Hashes[1])\\n),\\n(DeviceFileEvents\\n| where SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n),\\n(EmailEvents\\n| where SenderFromAddress == \u0027H0lyGh0st@mail2tor.com\u0027\\n| extend timestamp = TimeGenerated, IPCustomEntity = SenderIPv4, AccountCustomEntity = SenderFromAddress \\n),\\n(CommonSecurityLog \\n| where isnotempty(SourceIP) or isnotempty(DestinationIP) \\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList) or FileHash in (sha256Hashes)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"Message\\\") \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch , FileHash\\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\"), FileHashCustomEntity = FileHash\\n), \\n(OfficeActivity \\n|extend SourceIPAddress = ClientIP, Account = UserId \\n| where SourceIPAddress in (IPList) \\n| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account \\n),\\n(SigninLogs \\n| where isnotempty(IPAddress) \\n| where IPAddress in (IPList) \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \\n),\\n(AADNonInteractiveUserSignInLogs \\n| where isnotempty(IPAddress) \\n| where IPAddress in (IPList) \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \\n), \\n(W3CIISLog \\n| where isnotempty(cIP) \\n| where cIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName \\n), \\n(AzureActivity \\n| where isnotempty(CallerIpAddress) \\n| where CallerIpAddress in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller \\n), \\n( \\nAWSCloudTrail \\n| where isnotempty(SourceIpAddress) \\n| where SourceIpAddress in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName \\n), \\n( \\nDeviceNetworkEvents \\n| where isnotempty(RemoteIP) \\n| where RemoteIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName \\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallNetworkRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n),\\n(\\nAZFWApplicationRule\\n| where Fqdn has_any (IPList)\\n| extend IPCustomEntity = SourceIp\\n),\\n(\\nAZFWNetworkRule\\n| where DestinationIp has_any (IPList)\\n| extend IPCustomEntity = SourceIp\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"[Deprecated] - Dev-0530 IOC - July 2022\",\"description\":\"This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft\u0027s Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2022-07-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\",\"DeviceProcessEvents\",\"DeviceNetworkEvents\",\"EmailEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\",\"AZFWApplicationRule\",\"AZFWNetworkRule\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2bc7b4ae-eeaa-4538-ba15-ef298ec1ffae\",\"name\":\"2bc7b4ae-eeaa-4538-ba15-ef298ec1ffae\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n| where EventID == 4656\\n| extend EventData = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, TargetAccount, Computer, EventSourceName, Channel, Task, Level, EventID, Activity, TargetLogonId, SourceComputerId, EventOriginId, Type, _ResourceId, TenantId, SourceSystem, ManagementGroupName, IpAddress, Account)\\n| extend ObjectServer = column_ifexists(\u0027ObjectServer\u0027, \\\"\\\"), ObjectType = column_ifexists(\u0027ObjectType\u0027, \\\"\\\"), ObjectName = column_ifexists(\u0027ObjectName\u0027, \\\"\\\")\\n| where isnotempty(ObjectServer) and isnotempty(ObjectType) and isnotempty(ObjectName)\\n| where ObjectServer =~ \\\"SC Manager\\\" and ObjectType =~ \\\"SERVICE OBJECT\\\" and ObjectName =~ \\\"HealthService\\\"\\n// Comment out the join below if the SACL only audits users that are part of the Network logon users, i.e. with user/group target pointing to \\\"NU.\\\"\\n| join kind=leftouter (\\n SecurityEvent\\n | where EventID == 4624\\n) on TargetLogonId\\n| project TimeGenerated, Computer, Account, TargetAccount, IpAddress,TargetLogonId, ObjectServer, ObjectType, ObjectName\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| extend AccountName = tostring(split(TargetAccount, @\u0027\\\\\u0027)[1]), AccountNTDomain = tostring(split(TargetAccount, @\u0027\\\\\u0027)[0])\\n| extend timestamp = TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetAccount\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Starting or Stopping HealthService to Avoid Detection\",\"description\":\"This query detects events where an actor is stopping or starting HealthService to disable telemetry collection/detection from the agent.\\n The query requires a SACL to audit for access request to the service.\",\"lastUpdatedDateUTC\":\"2024-03-13T00:00:00Z\",\"createdDateUTC\":\"2021-03-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c87fb346-ea3a-4c64-ba92-3dd383e0f0b5\",\"name\":\"c87fb346-ea3a-4c64-ba92-3dd383e0f0b5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"High\",\"query\":\"let DomainNames = \\\"miniodaum.ml\\\";\\nlet SHA256Hash = dynamic ([\\\"53f5773bbfbfbee660989d135c042c9f6f69024b9a4b65bdc0dfd44771762257\\\", \\\"0897c80df8b80b4c49bf1ccf876f5f782849608b830c3b5cb3ad212dc3e19eff\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where isnotempty(FileHash)\\n| where FileHash in (SHA256Hash) or DNSName =~ DomainNames\\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n),\\n (_Im_Dns (domain_has_any=DomainNames)\\n| extend DNSName = DnsQuery \\n| extend IPAddress = SrcIpAddr, Computer = Dvc\\n), \\n(_Im_WebSession(url_has_any=DomainNames) \\n| extend DNSName = tostring(parse_url(Url)[\\\"Host\\\"])\\n| extend IPAddress = SrcIpAddr, Account=User\\n),\\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where isnotempty(DNSName)\\n| where DNSName =~ DomainNames\\n| extend IPAddress = RemoteIp\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallNetworkRule\\\"\\n| where msg_s has_any (DomainNames)\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePortInt:int \\\" to \\\" TargetIP \\\":\\\" TargetPortInt:int *\\n| parse kind=regex flags=U msg_s with * \\\". Action\\\\\\\\: \\\" Action1a \\\"\\\\\\\\.\\\"\\n| parse msg_s with * \\\". Policy: \\\" Policy \\\". Rule Collection Group: \\\" RuleCollectionGroup \\\".\\\" *\\n| parse msg_s with * \\\" Rule Collection: \\\" RuleCollection \\\". Rule: \\\" Rule \\n| extend IPCustomEntity = SourceIP\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| where msg_s has_any (DomainNames)\\n| parse msg_s with \\\"DNS Request: \\\" SourceIP \\\":\\\" SourcePortInt:int \\\" - \\\" QueryID:int \\\" \\\" RequestType \\\" \\\" RequestClass \\\" \\\" hostname \\\". \\\" protocol \\\" \\\" details\\n| extend\\n ResponseDuration = extract(\\\"[0-9]*.?[0-9]+s$\\\", 0, msg_s),\\n SourcePort = tostring(SourcePortInt),\\n QueryID = tostring(QueryID)\\n| project TimeGenerated,SourceIP,hostname,RequestType,ResponseDuration,details,msg_s\\n| order by TimeGenerated\\n| extend IPCustomEntity = SourceIP\\n),\\n(AZFWApplicationRule\\n| where Fqdn has_any (DomainNames)\\n| extend IPCustomEntity = SourceIp\\n),\\n(AZFWDnsQuery\\n| where isnotempty(QueryName)\\n| where QueryName has_any (DomainNames)\\n| extend DNSName = QueryName\\n| extend IPCustomEntity = SourceIp\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"CredentialAccess\"],\"displayName\":\"[Deprecated] - Known Ruby Sleet domains and hashes\",\"description\":\"This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft\u0027s Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2020-10-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\",\"AZFWApplicationRule\",\"AZFWDnsQuery\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d5b32cd4-2328-43da-ab47-cd289c1f5efc\",\"name\":\"d5b32cd4-2328-43da-ab47-cd289c1f5efc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.2\",\"severity\":\"Low\",\"query\":\"DnsEvents\\n| where Name contains \\\".\\\"\\n| where Name has_any (\\\"monerohash.com\\\", \\\"do-dear.com\\\", \\\"xmrminerpro.com\\\", \\\"secumine.net\\\", \\\"xmrpool.com\\\", \\\"minexmr.org\\\", \\\"hashanywhere.com\\\",\\n\\\"xmrget.com\\\", \\\"mininglottery.eu\\\", \\\"minergate.com\\\", \\\"moriaxmr.com\\\", \\\"multipooler.com\\\", \\\"moneropools.com\\\", \\\"xmrpool.eu\\\", \\\"coolmining.club\\\",\\n\\\"supportxmr.com\\\", \\\"minexmr.com\\\", \\\"hashvault.pro\\\", \\\"xmrpool.net\\\", \\\"crypto-pool.fr\\\", \\\"xmr.pt\\\", \\\"miner.rocks\\\", \\\"walpool.com\\\", \\\"herominers.com\\\",\\n\\\"gntl.co.uk\\\", \\\"semipool.com\\\", \\\"coinfoundry.org\\\", \\\"cryptoknight.cc\\\", \\\"fairhash.org\\\", \\\"baikalmine.com\\\", \\\"tubepool.xyz\\\", \\\"fairpool.xyz\\\", \\\"asiapool.io\\\",\\n\\\"coinpoolit.webhop.me\\\", \\\"nanopool.org\\\", \\\"moneropool.com\\\", \\\"miner.center\\\", \\\"prohash.net\\\", \\\"poolto.be\\\", \\\"cryptoescrow.eu\\\", \\\"monerominers.net\\\", \\\"cryptonotepool.org\\\",\\n\\\"extrmepool.org\\\", \\\"webcoin.me\\\", \\\"kippo.eu\\\", \\\"hashinvest.ws\\\", \\\"monero.farm\\\", \\\"supportxmr.com\\\", \\\"xmrpool.eu\\\", \\\"linux-repository-updates.com\\\", \\\"1gh.com\\\",\\n\\\"dwarfpool.com\\\", \\\"hash-to-coins.com\\\", \\\"hashvault.pro\\\", \\\"pool-proxy.com\\\", \\\"hashfor.cash\\\", \\\"fairpool.cloud\\\", \\\"litecoinpool.org\\\", \\\"mineshaft.ml\\\", \\\"abcxyz.stream\\\",\\n\\\"moneropool.ru\\\", \\\"cryptonotepool.org.uk\\\", \\\"extremepool.org\\\", \\\"extremehash.com\\\", \\\"hashinvest.net\\\", \\\"unipool.pro\\\", \\\"crypto-pools.org\\\", \\\"monero.net\\\",\\n\\\"backup-pool.com\\\", \\\"mooo.com\\\", \\\"freeyy.me\\\", \\\"cryptonight.net\\\", \\\"shscrypto.net\\\")\\n| extend HostName = iff(Computer has \u0027.\u0027, substring(Computer,0,indexof(Computer,\u0027.\u0027)),Computer)\\n| extend DnsDomain = iff(Computer has \u0027.\u0027, substring(Computer,indexof(Computer,\u0027.\u0027)+1),\\\"\\\")\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"NRT DNS events related to mining pools\",\"description\":\"Identifies IP addresses that may be performing DNS lookups associated with common currency mining pools.\",\"lastUpdatedDateUTC\":\"2024-03-13T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0dd422ee-e6af-4204-b219-f59ac172e4c6\",\"name\":\"0dd422ee-e6af-4204-b219-f59ac172e4c6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"ThreatIntelligence\",\"properties\":{\"severity\":\"Medium\",\"tactics\":[\"Persistence\",\"LateralMovement\"],\"displayName\":\"(Preview) Microsoft Defender Threat Intelligence Analytics\",\"description\":\"This rule generates an alert when a Microsoft Defender Threat Intelligence Indicator gets matched with your event logs. The alerts are very high fidelity.\",\"lastUpdatedDateUTC\":\"2023-03-15T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a35f2c18-1b97-458f-ad26-e033af18eb99\",\"name\":\"a35f2c18-1b97-458f-ad26-e033af18eb99\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.8\",\"severity\":\"Low\",\"query\":\"// For AD SID mappings - https://docs.microsoft.com/windows/security/identity-protection/access-control/active-directory-security-groups\\nlet WellKnownLocalSID = \\\"S-1-5-32-5[0-9][0-9]$\\\";\\nlet WellKnownGroupSID = \\\"S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\\\";\\nunion isfuzzy=true\\n(\\nSecurityEvent\\n// 4728 - A member was added to a security-enabled global group\\n// 4732 - A member was added to a security-enabled local group\\n// 4756 - A member was added to a security-enabled universal group\\n| where EventID in (4728, 4732, 4756)\\n| where AccountType == \\\"User\\\"\\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID\\n// Exclude Remote Desktop Users group: S-1-5-32-555\\n| where TargetSid !in (\\\"S-1-5-32-555\\\")\\n| extend SimpleMemberName = iff(MemberName == \\\"-\\\", MemberName, substring(MemberName, 3, indexof_regex(MemberName, @\\\",OU|,CN\\\") - 3))\\n| project TimeGenerated, EventID, Activity, Computer, SimpleMemberName, MemberName, MemberSid, TargetAccount, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, \\nSubjectAccount, SubjectUserName, SubjectDomainName, SubjectUserSid\\n),\\n(\\nWindowsEvent\\n// 4728 - A member was added to a security-enabled global group\\n// 4732 - A member was added to a security-enabled local group\\n// 4756 - A member was added to a security-enabled universal group\\n| where EventID in (4728, 4732, 4756) and not(EventData has \\\"S-1-5-32-555\\\")\\n| extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend AccountType=case(Account endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n| extend MemberName = tostring(EventData.MemberName)\\n| where AccountType == \\\"User\\\"\\n| extend TargetSid = tostring(EventData.TargetSid)\\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID\\n// Exclude Remote Desktop Users group: S-1-5-32-555\\n| where TargetSid !in (\\\"S-1-5-32-555\\\")\\n| extend SimpleMemberName = iff(MemberName == \\\"-\\\", MemberName, substring(MemberName, 3, indexof_regex(MemberName, @\\\",OU|,CN\\\") - 3))\\n| extend MemberSid = tostring(EventData.MemberSid)\\n| extend TargetUserName = tostring(EventData.TargetUserName), TargetDomainName = tostring(EventData.TargetDomainName), \\nTargetAccount = strcat(tostring(EventData.TargetDomainName),\\\"\\\\\\\\\\\", tostring(EventData.TargetUserName))\\n| extend UserPrincipalName = tostring(EventData.UserPrincipalName)\\n| extend SubjectUserName = tostring(EventData.SubjectUserName), SubjectDomainName = tostring(EventData.SubjectDomainName), \\nSubjectAccount = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| project TimeGenerated, EventID, Computer, SimpleMemberName, MemberName, MemberSid, TargetAccount, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, \\nSubjectAccount, SubjectUserName, SubjectDomainName, SubjectUserSid\\n)\\n| extend GroupAddedMemberTo = TargetAccount, AddedByAccount = SubjectAccount, AddedByAccountName = SubjectUserName, AddedByAccountDomainName = SubjectDomainName, \\nAddedByAccountSid = SubjectUserSid, AddedMemberName = SimpleMemberName, AddedMemberSid = MemberSid\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| project-away DomainIndex\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SubjectAccount\"},{\"identifier\":\"Name\",\"columnName\":\"SubjectUserName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"SubjectDomainName\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Sid\",\"columnName\":\"SubjectUserSid\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"AddedMemberName\"},{\"identifier\":\"Sid\",\"columnName\":\"AddedMemberSid\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"User account added to built in domain local or global group\",\"description\":\"Identifies when a user account has been added to a privileged built in domain local group or global group such as the Enterprise Admins, Cert Publishers or DnsAdmins. Be sure to verify this is an expected addition.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1ff56009-db01-4615-8211-d4fda21da02d\",\"name\":\"1ff56009-db01-4615-8211-d4fda21da02d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"High\",\"query\":\"AuditLogs\\n| where Category =~ \\\"ApplicationManagement\\\" and LoggedByService =~ \\\"Core Directory\\\" and OperationName in~ (\\\"Add delegated permission grant\\\", \\\"Add app role assignment to service principal\\\")\\n| mv-apply TargetResource = TargetResources on\\n (\\n where TargetResource.type =~ \\\"ServicePrincipal\\\" and array_length(TargetResource.modifiedProperties) \u003e 0 and isnotnull(TargetResource.displayName)\\n | extend props = TargetResource.modifiedProperties\\n )\\n| mv-apply Property = props on\\n (\\n where Property.displayName in~ (\\\"AppRole.Value\\\",\\\"DelegatedPermissionGrant.Scope\\\")\\n | extend DisplayName = tostring(Property.displayName), PermissionGrant = trim(\u0027\\\"\u0027,tostring(Property.newValue))\\n )\\n| where PermissionGrant has \\\"RoleManagement.ReadWrite.Directory\\\"\\n| mv-apply Property = props on\\n (\\n where Property.displayName =~ \\\"ServicePrincipal.DisplayName\\\"\\n | extend TargetAppDisplayName = trim(\u0027\\\"\u0027,tostring(Property.newValue))\\n )\\n| mv-apply Property = props on\\n (\\n where Property.displayName =~ \\\"ServicePrincipal.ObjectID\\\"\\n | extend TargetAppServicePrincipalId = trim(\u0027\\\"\u0027,tostring(Property.newValue))\\n )\\n| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n| extend InitiatingIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\\n| project TimeGenerated, OperationName, Result, PermissionGrant, TargetAppDisplayName, TargetAppServicePrincipalId, InitiatingAppName, InitiatingAppServicePrincipalId,\\nInitiatingUserPrincipalName, InitiatingAadUserId, InitiatingIpAddress, TargetResources, AdditionalDetails, CorrelationId\\n| extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"TargetAppDisplayName\"},{\"identifier\":\"AadUserId\",\"columnName\":\"TargetAppServicePrincipalId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"InitiatingAppName\"},{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAppServicePrincipalId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatingAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatingAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIpAddress\"}]}],\"tactics\":[\"Persistence\",\"Impact\"],\"displayName\":\"Microsoft Entra ID Role Management Permission Grant\",\"description\":\"Identifies when the Microsoft Graph RoleManagement.ReadWrite.Directory (Delegated or Application) permission is granted to a service principal.\\nThis permission allows an application to read and manage the role-based access control (RBAC) settings for your company\u0027s directory.\\nAn adversary could use this permission to add an Microsoft Entra ID object to an Admin directory role and escalate privileges.\\nRef : https://docs.microsoft.com/graph/permissions-reference#role-management-permissions\\nRef : https://docs.microsoft.com/graph/api/directoryrole-post-members?view=graph-rest-1.0\u0026tabs=http\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2021-11-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/66276b14-32c5-4226-88e3-080dacc31ce1\",\"name\":\"66276b14-32c5-4226-88e3-080dacc31ce1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.3\",\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\nlet AccountAllowList = dynamic([\u0027SYSTEM\u0027]);\\nlet SubCategoryList = dynamic([\\\"Logoff\\\", \\\"Account Lockout\\\", \\\"User Account Management\\\", \\\"Authorization Policy Change\\\"]); // Add any Category in the list to be allowed or disallowed\\nlet tokens = dynamic([\\\"clear\\\", \\\"remove\\\", \\\"success:disable\\\",\\\"failure:disable\\\"]); \\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(timeframe)\\n//| where Process =~ \\\"auditpol.exe\\\" \\n| where CommandLine has_any (tokens)\\n| where AccountType !~ \\\"Machine\\\" and Account !in~ (AccountAllowList)\\n| parse CommandLine with * \\\"/subcategory:\\\" subcategorytoken\\n| extend SubCategory = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[1]) , Toggle = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[2])\\n| where SubCategory in~ (SubCategoryList) //use in~ for inclusion or !in~ for exclusion\\n| where Toggle !in~ (\\\"/failure:disable\\\", \\\" /success:enable /failure:disable\\\") // use this filter if required to exclude certain toggles\\n| project TimeGenerated, Computer, Account, SubjectDomainName, SubjectUserName, Process, ParentProcessName, CommandLine, SubCategory, Toggle\\n| extend timestamp = TimeGenerated, AccountName = SubjectUserName, AccountDomain = SubjectDomainName, DeviceName = Computer\\n),\\n(\\nDeviceProcessEvents\\n| where TimeGenerated \u003e= ago(timeframe)\\n// | where InitiatingProcessFileName =~ \\\"auditpol.exe\\\" \\n| where InitiatingProcessCommandLine has_any (tokens)\\n| where AccountName !in~ (AccountAllowList)\\n| parse InitiatingProcessCommandLine with * \\\"/subcategory:\\\" subcategorytoken\\n| extend SubCategory = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[1]) , Toggle = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[2])\\n| where SubCategory in~ (SubCategoryList) //use in~ for inclusion or !in~ for exclusion\\n| where Toggle !in~ (\\\"/failure:disable\\\", \\\" /success:enable /failure:disable\\\") // use this filter if required to exclude certain toggles\\n| project TimeGenerated, DeviceName, AccountName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessParentFileName, InitiatingProcessCommandLine, SubCategory, Toggle\\n| extend timestamp = TimeGenerated, AccountName = InitiatingProcessAccountName, AccountDomain = InitiatingProcessAccountDomain\\n),\\n(\\nEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key=tostring([\u0027@Name\u0027]), Value=[\u0027#text\u0027]\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n// | where OriginalFileName =~ \\\"auditpol.exe\\\"\\n| where CommandLine has_any (tokens)\\n| where User !in~ (AccountAllowList)\\n| parse CommandLine with * \\\"/subcategory:\\\" subcategorytoken\\n| extend SubCategory = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[1]) , Toggle = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[2])\\n| where SubCategory in~ (SubCategoryList) //use in~ for inclusion or !in~ for exclusion\\n| where Toggle !in~ (\\\"/failure:disable\\\", \\\" /success:enable /failure:disable\\\") // use this filter if required to exclude certain toggles\\n| project TimeGenerated, Computer, User, Process, ParentImage, CommandLine, SubCategory, Toggle\\n| extend timestamp = TimeGenerated, AccountName = tostring(split(User, @\u0027\\\\\u0027)[1]), AccountUPNSuffix = tostring(split(User, @\u0027\\\\\u0027)[0]), DeviceName = Computer\\n)\\n)\\n| extend Account = strcat(AccountDomain, \\\"\\\\\\\\\\\", AccountName)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"DeviceName\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"Audit policy manipulation using auditpol utility\",\"description\":\"This detects attempts to manipulate audit policies using auditpol command.\\nThis technique was seen in relation to Solorigate attack but the results can indicate potential malicious activity used in different attacks.\\nThe process name in each data source is commented out as an adversary could rename it. It is advisable to keep process name commented but if the results show unrelated false positives, users may want to uncomment it.\\nRefer to auditpol syntax: https://docs.microsoft.com/windows-server/administration/windows-commands/auditpol \\nRefer to our M365 blog for details on use during the Solorigate attack:\\nhttps://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6116dc19-475a-4148-84b2-efe89c073e27\",\"name\":\"6116dc19-475a-4148-84b2-efe89c073e27\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let threshold = 10;\\nQualysHostDetectionV2_CL\\n| extend Status = tostring(Status_s), Vulnerability = tostring(QID_s), Severity = tostring(Severity_s)\\n| where Status =~ \\\"New\\\" and Severity == \\\"5\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), dcount(NetBios_s) by tostring(QID_s)\\n| where dcount_NetBios_s \u003e= threshold\\n| extend timestamp = StartTime\",\"entityMappings\":[],\"tactics\":[\"InitialAccess\"],\"displayName\":\"New High Severity Vulnerability Detected Across Multiple Hosts\",\"description\":\"This creates an incident when a new high severity vulnerability is detected across multilple hosts\",\"lastUpdatedDateUTC\":\"2022-12-28T00:00:00Z\",\"createdDateUTC\":\"2020-06-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"QualysVulnerabilityManagement\",\"dataTypes\":[\"QualysHostDetection_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/39198934-62a0-4781-8416-a81265c03fd6\",\"name\":\"39198934-62a0-4781-8416-a81265c03fd6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"let detectionTime = 1d;\\nlet joinLookback = 14d;\\nAuditLogs\\n| where TimeGenerated \u003e ago(detectionTime)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Consent to application\\\"\\n| where TargetResources has \\\"offline\\\"\\n| mv-apply TargetResource = TargetResources on \\n (\\n where TargetResource.type =~ \\\"ServicePrincipal\\\"\\n | extend AppDisplayName = tostring(TargetResource.displayName),\\n AppClientId = tostring(TargetResource.id),\\n props = TargetResource.modifiedProperties\\n )\\n| where AppClientId !in ((externaldata(knownAppClientId:string, knownAppDisplayName:string)[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.OAuth.KnownApplications.csv\\\"] with (format=\\\"csv\\\")))\\n| mv-apply ConsentFull = props on \\n (\\n where ConsentFull.displayName =~ \\\"ConsentAction.Permissions\\\"\\n )\\n| parse ConsentFull with * \\\"ConsentType: \\\" GrantConsentType \\\", Scope: \\\" GrantScope1 \\\"]\\\" *\\n| where ConsentFull has_all (\\\"user.read\\\", \\\"offline_access\\\", \\\"mail.readwrite\\\", \\\"mail.send\\\", \\\"files.read.all\\\")\\n| where GrantConsentType != \\\"AllPrincipals\\\" // NOTE: we are ignoring if OAuth application was granted to all users via an admin - but admin due diligence should be audited occasionally\\n| extend GrantInitiatedByAppName = tostring(InitiatedBy.app.displayName)\\n| extend GrantInitiatedByAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n| extend GrantInitiatedByUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n| extend GrantInitiatedByAadUserId = tostring(InitiatedBy.user.id)\\n| extend GrantIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n| extend GrantInitiatedBy = iff(isnotempty(GrantInitiatedByUserPrincipalName), GrantInitiatedByUserPrincipalName, GrantInitiatedByAppName)\\n| mv-apply AdditionalDetail = AdditionalDetails on \\n (\\n where AdditionalDetail.key =~ \\\"User-Agent\\\"\\n | extend GrantUserAgent = AdditionalDetail.value\\n )\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, GrantInitiatedByUserPrincipalName, GrantInitiatedByAadUserId, GrantInitiatedByAppName, GrantInitiatedByAppServicePrincipalId, GrantIpAddress, GrantUserAgent, AppClientId, OperationName, ConsentFull, CorrelationId\\n| join kind = leftouter (AuditLogs\\n| where TimeGenerated \u003e ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add service principal\\\"\\n | mv-apply TargetResource = TargetResources on \\n (\\n where TargetResource.type =~ \\\"ServicePrincipal\\\"\\n | extend props = TargetResource.modifiedProperties,\\n AppClientId = tostring(TargetResource.id)\\n )\\n | mv-apply Property = props on \\n (\\n where Property.displayName =~ \\\"AppAddress\\\" and Property.newValue has \\\"AddressType\\\"\\n | extend AppReplyURLs = trim(\u0027\\\"\u0027,tostring(Property.newValue))\\n )\\n| distinct AppClientId, tostring(AppReplyURLs)\\n)\\non AppClientId\\n| join kind = innerunique (AuditLogs\\n| where TimeGenerated \u003e ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add OAuth2PermissionGrant\\\" or OperationName =~ \\\"Add delegated permission grant\\\"\\n | mv-apply TargetResource = TargetResources on \\n (\\n where TargetResource.type =~ \\\"ServicePrincipal\\\" and array_length(TargetResource.modifiedProperties) \u003e 0 and isnotnull(TargetResource.displayName)\\n | extend GrantAuthentication = tostring(TargetResource.displayName)\\n )\\n| extend GrantOperation = OperationName\\n| project GrantAuthentication, GrantOperation, CorrelationId\\n) on CorrelationId\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantInitiatedByUserPrincipalName, GrantInitiatedByAadUserId, GrantInitiatedByAppName, GrantInitiatedByAppServicePrincipalId, GrantIpAddress, GrantUserAgent, AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull\\n| extend timestamp = TimeGenerated, Name = tostring(split(GrantInitiatedByUserPrincipalName,\u0027@\u0027,0)[0]), UPNSuffix = tostring(split(GrantInitiatedByUserPrincipalName,\u0027@\u0027,1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"GrantInitiatedByUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"GrantInitiatedByAadUserId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"GrantInitiatedByAppServicePrincipalId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"GrantIpAddress\"}]}],\"tactics\":[\"CredentialAccess\",\"DefenseEvasion\"],\"displayName\":\"Suspicious application consent similar to PwnAuth\",\"description\":\"This will alert when a user consents to provide a previously-unknown Azure application with the same OAuth permissions used by the FireEye PwnAuth toolkit (https://github.com/fireeye/PwnAuth).\\nThe default permissions/scope for the PwnAuth toolkit are user.read, offline_access, mail.readwrite, mail.send, and files.read.all.\\nConsent to applications with these permissions should be rare, especially as the knownApplications list is expanded. Public contributions to expand this filter are welcome!\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2024-01-08T00:00:00Z\",\"createdDateUTC\":\"2020-06-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/29a29e5d-354e-4f5e-8321-8b39d25047bf\",\"name\":\"29a29e5d-354e-4f5e-8321-8b39d25047bf\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.3\",\"severity\":\"High\",\"query\":\"let files1 = dynamic([\\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\lsa.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\pa.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\pc.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\Rar.exe\\\"]);\\nlet files2 = dynamic([\\\"svchost.exe\\\",\\\"wdmsvc.exe\\\"]);\\nlet FileHash1 = dynamic([\\\"43109fbe8b752f7a9076eaafa417d9ae5c6e827cd5374b866672263fdebd5ec3\\\", \\\"ab50d8d707b97712178a92bbac74ccc2a5699eb41c17aa77f713ff3e568dcedb\\\", \\\"010e32be0f86545e116a8bc3381a8428933eb8789f32c261c81fd5e7857d4a77\\\", \\\"56cd102b9fc7f3523dad01d632525ff673259dbc9a091be0feff333c931574f7\\\"]);\\nlet FileHash2 = dynamic([\\\"2a1044e9e6e87a032f80c6d9ea6ae61bbbb053c0a21b186ecb3b812b49eb03b7\\\", \\\"9ab7e99ed84f94a7b6409b87e56dc6e1143b05034a5e4455e8c555dbbcd0d2dd\\\", \\\"18a072ccfab239e140d8f682e2874e8ff19d94311fc8bb9564043d3e0deda54b\\\"]);\\nimProcessCreate\\n| where ((Process has_any (files1)) and (ActingProcessSHA256 has_any (FileHash1))) or ((Process has_any (files2)) and (ActingProcessSHA256 has_any (FileHash2)))\\n// Increase risk score if recent alerts for the host\\n| join kind=leftouter (\\n SecurityAlert\\n | where ProviderName =~ \\\"MDATP\\\"\\n | extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n | mv-expand todynamic(Entities)\\n | extend DvcId = tostring(parse_json(Entities).MdatpDeviceId)\\n | where isnotempty(DvcId)\\n // Higher risk score are for Defender alerts related to threat actor\\n | extend AlertRiskScore = iif(ThreatName has_any (\\\"Backdoor:MSIL/ShellClient.A\\\", \\\"Backdoor:MSIL/ShellClient.A!dll\\\", \\\"Trojan:MSIL/Mimikatz.BA!MTB\\\"), 1.0, 0.5)\\n | project DvcId, AlertRiskScore) \\n on DvcId\\n| extend AlertRiskScore = iif(isempty(AlertRiskScore), 0.0, AlertRiskScore)\\n| extend AccountName = tostring(split(ActorUsername, @\u0027\\\\\u0027)[1]), AccountNTDomain = tostring(split(ActorUsername, @\u0027\\\\\u0027)[0])\\n| extend HostName = tostring(split(Dvc, \\\".\\\")[0]), DomainIndex = toint(indexof(Dvc, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Dvc, DomainIndex + 1), Dvc)\\n| project-away DomainIndex\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ActorUsername\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Dvc\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"ActingProcessFilename\"}]}],\"tactics\":[\"CredentialAccess\",\"Execution\"],\"displayName\":\"Dev-0228 File Path Hashes November 2021 (ASIM Version)\",\"description\":\"This hunting query looks for file paths/hashes related to observed activity by Dev-0228. The actor is known to use custom version of popular tool like PsExec, Procdump etc. to carry its activity.\\n The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first.\\n This query uses the Microsoft Sentinel Information Model - https://docs.microsoft.com/azure/sentinel/normalization\",\"lastUpdatedDateUTC\":\"2024-03-04T00:00:00Z\",\"createdDateUTC\":\"2021-11-18T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0a3f4f4f-46ad-4562-acd6-f17730a5aef4\",\"name\":\"0a3f4f4f-46ad-4562-acd6-f17730a5aef4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT12H\",\"queryPeriod\":\"PT12H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"High\",\"query\":\"(union isfuzzy=true\\n(SecurityEvent\\n| where EventID==4688\\n| where CommandLine has_any (\\\"New-Mailbox\\\",\\\"Update-RoleGroupMember\\\") and CommandLine has \\\"HealthMailbox55x2yq\\\"\\n| project TimeGenerated, DeviceName = Computer, AccountName = SubjectUserName, AccountDomain = SubjectDomainName, ProcessName, ProcessNameFullPath = NewProcessName, EventID, Activity, CommandLine, EventSourceName, Type\\n| extend InitiatingProcessAccount = strcat(AccountDomain, \\\"\\\\\\\\\\\", AccountName)\\n),\\n(DeviceProcessEvents\\n| where ProcessCommandLine has_any (\\\"New-Mailbox\\\",\\\"Update-RoleGroupMember\\\") and ProcessCommandLine has \\\"HealthMailbox55x2yq\\\"\\n| extend timestamp = TimeGenerated, AccountDomain = InitiatingProcessAccountDomain, AccountName = InitiatingProcessAccountName\\n| extend InitiatingProcessAccount = strcat(AccountDomain, \\\"\\\\\\\\\\\", AccountName)\\n)\\n)\\n| extend HostName = tostring(split(DeviceName, \\\".\\\")[0]), DomainIndex = toint(indexof(DeviceName, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(DeviceName, DomainIndex + 1), DeviceName)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingProcessAccount\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DeviceName\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Unusual identity creation using exchange powershell\",\"description\":\" The query below identifies creation of unusual identity by the Europium actor to mimic Microsoft Exchange Health Manager Service account using Exchange PowerShell commands\\n Reference: https://www.microsoft.com/security/blog/2022/09/08/microsoft-investigates-iranian-attacks-against-the-albanian-government/\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2022-09-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f71aba3d-28fb-450b-b192-4e76a83015c8\",\"name\":\"f71aba3d-28fb-450b-b192-4e76a83015c8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Fusion\",\"properties\":{\"severity\":\"High\",\"tactics\":[\"Collection\",\"CommandAndControl\",\"CredentialAccess\",\"DefenseEvasion\",\"Discovery\",\"Execution\",\"Exfiltration\",\"Impact\",\"InitialAccess\",\"LateralMovement\",\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Advanced Multistage Attack Detection\",\"description\":\"Microsoft Sentinel uses Fusion, a correlation engine based on scalable machine learning algorithms, to automatically detect multistage attacks by identifying combinations of anomalous behaviors and suspicious activities that are observed at various stages of the kill chain. On the basis of these discoveries, Azure Sentinel generates incidents that would otherwise be very difficult to catch. By design, these incidents are low-volume, high-fidelity, and high-severity, which is why this detection is turned ON by default.\\n\\nSince Fusion correlates multiple signals from various products to detect advanced multistage attacks, successful Fusion detections are presented as Fusion incidents on the Microsoft Sentinel Incidents page. This rule covers the following detections:\\n- Fusion for emerging threats\\n- Fusion for ransomware\\n- Scenario-based Fusion detections (122 scenarios)\\n\\nTo enable these detections, we recommend you configure the following data connectors for best results:\\n- Out-of-the-box anomaly detections\\n- Microsoft Entra ID Protection\\n- Azure Defender\\n- Azure Defender for IoT\\n- Microsoft 365 Defender\\n- Microsoft Cloud App Security \\n- Microsoft Defender for Endpoint\\n- Microsoft Defender for Identity\\n- Microsoft Defender for Office 365\\n- Scheduled analytics rules, both built-in and those created by your security analysts. Analytics rules must contain kill-chain (tactics) and entity mapping information in order to be used by Fusion.\\n\\nFor the full description of each detection that is supported by Fusion, go to https://aka.ms/SentinelFusion.\",\"lastUpdatedDateUTC\":\"2023-11-02T00:00:00Z\",\"createdDateUTC\":\"2019-07-25T00:00:00Z\",\"status\":\"Installed\",\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/757e6a79-6d23-4ae6-9845-4dac170656b5\",\"name\":\"757e6a79-6d23-4ae6-9845-4dac170656b5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P2D\",\"queryPeriod\":\"P2D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"// Tenants IDs can be found by navigating to Azure Active Directory then from menu on the left, select External Identities, then from menu on the left, select Cross-tenant access settings and from the list shown of Tenants\\nlet ExpectedTenantIDs = dynamic([\\\"List of expected tenant IDs\\\",\\\"Tenant ID 2\\\"]);\\nAuditLogs\\n| where OperationName has \\\"Add a partner to cross-tenant access setting\\\"\\n| mv-apply TargetResource = TargetResources on\\n (\\n where TargetResource.type =~ \\\"Policy\\\"\\n | extend Properties = TargetResource.modifiedProperties\\n )\\n| mv-apply Property = Properties on\\n (\\n where Property.displayName =~ \\\"tenantId\\\"\\n | extend ExtTenantIDAdded = trim(\u0027\\\"\u0027,tostring(Property.newValue))\\n )\\n| where ExtTenantIDAdded !in (ExpectedTenantIDs)\\n| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n| extend InitiatingIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\\n| extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"InitiatingAppName\"},{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAppServicePrincipalId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatingAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatingAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIpAddress\"}]}],\"tactics\":[\"InitialAccess\",\"Persistence\",\"Discovery\"],\"displayName\":\"Cross-tenant Access Settings Organization Added\",\"description\":\"Organizations are added in the Cross-tenant Access Settings to control communication inbound or outbound for users and applications. This detection notifies when an Organization is added other than the list that is supposed to exist from the Microsoft Entra ID Cross-tenant Access Settings.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-10-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/45b903c5-6f56-4969-af10-ae62ac709718\",\"name\":\"45b903c5-6f56-4969-af10-ae62ac709718\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.5\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4624 and LogonType == 10\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), ConnectionCount = count()\\nby Account = tolower(Account), Computer = toupper(Computer), IpAddress, AccountType, Activity, LogonTypeName, ProcessName\\n// use left anti to exclude anything from the previous 14 days that is not rare\\n),\\n(WindowsEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4624 and EventData has (\\\"10\\\")\\n| extend LogonType = tostring(EventData.LogonType)\\n| where LogonType == 10\\n| extend Account = strcat(tostring(EventData.TargetDomainName),\\\"\\\\\\\\\\\", tostring(EventData.TargetUserName))\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| extend TargetUserSid = tostring(EventData.TargetUserSid)\\n| extend AccountType=case(Account endswith \\\"$\\\" or TargetUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(TargetUserSid), \\\"\\\", \\\"User\\\")\\n| extend Activity=\\\"4624 - An account was successfully logged on.\\\"\\n| extend LogonTypeName=\\\"10 - RemoteInteractive\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), ConnectionCount = count()\\nby Account = tolower(Account), Computer = toupper(Computer), IpAddress, AccountType, Activity, LogonTypeName, ProcessName\\n))\\n| join kind=leftanti (\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated between (ago(starttime) .. ago(endtime))\\n| where EventID == 4624\\n| summarize by Computer = toupper(Computer), IpAddress, Account = tolower(Account)\\n),\\n( WindowsEvent\\n| where TimeGenerated between (ago(starttime) .. ago(endtime))\\n| where EventID == 4624\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| extend Account = strcat(tostring(EventData.TargetDomainName),\\\"\\\\\\\\\\\", tostring(EventData.TargetUserName))\\n| summarize by Computer = toupper(Computer), IpAddress, Account = tolower(Account)\\n))\\n) on Account, Computer\\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), ConnectionCount = sum(ConnectionCount)\\nby Account, Computer, IpAddress, AccountType, Activity, LogonTypeName, ProcessName\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| extend AccountName = tostring(split(Account, @\\\"\\\\\\\")[1]), AccountNTDomain = tostring(split(Account, @\\\"\\\\\\\")[0])\\n| project-away DomainIndex\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]}],\"tactics\":[\"LateralMovement\"],\"displayName\":\"Rare RDP Connections\",\"description\":\"Identifies when an RDP connection is new or rare related to any logon type by a given account today compared with the previous 14 days.\\nRDP connections are indicated by the EventID 4624 with LogonType = 10\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2020-01-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a6c435a2-b1a0-466d-b730-9f8af69262e8\",\"name\":\"a6c435a2-b1a0-466d-b730-9f8af69262e8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT20M\",\"queryPeriod\":\"PT20M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.5\",\"severity\":\"Medium\",\"query\":\"let failureCountThreshold = 10;\\nlet successCountThreshold = 1;\\n// let authenticationWindow = 20m; // Implicit in the analytic rule query period \\nimAuthentication\\n| where TargetUserType != \\\"NonInteractive\\\"\\n| summarize \\n StartTime = min(TimeGenerated), \\n EndTime = max(TimeGenerated), \\n IpAddresses = make_set (SrcDvcIpAddr, 100),\\n ReportedBy = make_set (strcat (EventVendor, \\\"/\\\", EventProduct), 100),\\n FailureCount = countif(EventResult==\u0027Failure\u0027),\\n SuccessCount = countif(EventResult==\u0027Success\u0027)\\n by \\n TargetUserId, TargetUsername, TargetUserType \\n| where FailureCount \u003e= failureCountThreshold and SuccessCount \u003e= successCountThreshold\\n| extend\\n IpAddresses = strcat_array(IpAddresses, \\\", \\\"), \\n ReportedBy = strcat_array(ReportedBy, \\\", \\\")\\n| extend\\n Name = iif(\\n TargetUsername contains \\\"@\\\"\\n , tostring(split(TargetUsername, \u0027@\u0027, 0)[0])\\n , TargetUsername\\n ),\\n UPNSuffix = iif(\\n TargetUsername contains \\\"@\\\"\\n , tostring(split(TargetUsername, \u0027@\u0027, 1)[0])\\n , \\\"\\\"\\n )\",\"customDetails\":{\"IpAddresses\":\"IpAddresses\",\"ReportedBy\":\"ReportedBy\"},\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUserName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Brute force attack against user credentials (Uses Authentication Normalization)\",\"description\":\"Identifies evidence of brute force activity against a user based on multiple authentication failures and at least one successful authentication within a given time window.\\nNote that the query does not enforce any sequence, and does not require the successful authentication to occur last.\\nThe default failure threshold is 10, success threshold is 1, and the default time window is 20 minutes.\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimAuthentication)\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2021-06-14T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0914adab-90b5-47a3-a79f-7cdcac843aa7\",\"name\":\"0914adab-90b5-47a3-a79f-7cdcac843aa7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.6\",\"severity\":\"Low\",\"query\":\"let starttime = 14d;\\nlet timeframe = 1d;\\nlet scorethreshold = 3;\\nlet baselinethreshold = 25;\\n// To avoid any False Positives, filtering using AppId is recommended. For example the AppId 509e4652-da8d-478d-a730-e9d4a1996ca4 has been added in the query as it corresponds\\n// to Azure Resource Graph performing VaultGet operations for indexing and syncing all tracked resources across Azure.\\nlet Allowedappid = dynamic([\\\"509e4652-da8d-478d-a730-e9d4a1996ca4\\\"]);\\nlet OperationList = dynamic(\\n[\\\"SecretGet\\\", \\\"KeyGet\\\", \\\"VaultGet\\\"]);\\nlet TimeSeriesData = AzureDiagnostics\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(now()))\\n| where not((identity_claim_appid_g in (Allowedappid)) and OperationName == \u0027VaultGet\u0027)\\n | where ResourceType =~ \\\"VAULTS\\\" and ResultType =~ \\\"Success\\\"\\n| where OperationName in (OperationList)\\n| extend ResultType = column_ifexists(\\\"ResultType\\\", \\\"None\\\"), CallerIPAddress = column_ifexists(\\\"CallerIPAddress\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where CallerIPAddress !~ \\\"None\\\" and isnotempty(CallerIPAddress)\\n| project TimeGenerated, OperationName, Resource, CallerIPAddress\\n| make-series HourlyCount=count() on TimeGenerated from startofday(ago(starttime)) to startofday(now()) step timeframe by CallerIPAddress;\\n//Filter anomolies against TimeSeriesData\\nlet TimeSeriesAlerts = TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(HourlyCount, scorethreshold, -1, \u0027linefit\u0027)\\n| mv-expand HourlyCount to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double),score to typeof(double), baseline to typeof(long)\\n| where anomalies \u003e 0 | extend AnomalyHour = TimeGenerated\\n| where baseline \u003e baselinethreshold // Filtering low count events per baselinethreshold\\n| project CallerIPAddress, AnomalyHour, TimeGenerated, HourlyCount, baseline, anomalies, score;\\nlet AnomalyHours = TimeSeriesAlerts | where TimeGenerated \u003e ago(2d) | project TimeGenerated;\\n// Filter the alerts since specified timeframe\\nTimeSeriesAlerts\\n| where TimeGenerated \u003e ago(2d)\\n// Join against base logs since specified timeframe to retrive records associated with the hour of anomoly\\n| join kind = innerunique (\\nAzureDiagnostics\\n| where TimeGenerated \u003e ago(2d)\\n| where not((identity_claim_appid_g in (Allowedappid)) and OperationName == \u0027VaultGet\u0027)\\n| where ResourceType =~ \\\"VAULTS\\\" and ResultType =~ \\\"Success\\\"\\n| where OperationName in (OperationList)\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n| extend ResultType = column_ifexists(\\\"ResultType\\\", \\\"NoResultType\\\")\\n| extend requestUri_s = column_ifexists(\\\"requestUri_s\\\", \\\"None\\\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = column_ifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"None\\\"),identity_claim_oid_g = column_ifexists(\\\"identity_claim_oid_g\\\", \\\"\\\"),\\n identity_claim_upn_s = column_ifexists(\\\"identity_claim_upn_s\\\", \\\"\\\")\\n| extend\\n CallerObjectId = iff(isempty(identity_claim_oid_g), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, identity_claim_oid_g),\\n CallerObjectUPN = iff(isempty(identity_claim_upn_s), identity_claim_http_schemas_xmlsoap_org_ws_2005_05_identity_claims_upn_s, identity_claim_upn_s)\\n| extend id_s = column_ifexists(\\\"id_s\\\", \\\"None\\\"), CallerIPAddress = column_ifexists(\\\"CallerIPAddress\\\", \\\"None\\\"), clientInfo_s = column_ifexists(\\\"clientInfo_s\\\", \\\"None\\\")\\n| summarize PerOperationCount=count(), LatestAnomalyTime = arg_max(TimeGenerated,*) by bin(TimeGenerated,1h), Resource, OperationName, id_s, CallerIPAddress, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, identity_claim_oid_g, requestUri_s, clientInfo_s\\n) on CallerIPAddress\\n| extend\\n CallerObjectId = iff(isempty(identity_claim_oid_g), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, identity_claim_oid_g),\\n CallerObjectUPN = iff(isempty(identity_claim_upn_s), identity_claim_http_schemas_xmlsoap_org_ws_2005_05_identity_claims_upn_s, identity_claim_upn_s)\\n| summarize EventCount=count(), OperationNameList = make_set(OperationName,1000), RequestURLList = make_set(requestUri_s, 100), AccountList = make_set(CallerObjectId, 100), AccountMax = arg_max(CallerObjectId,*) by Resource, id_s, clientInfo_s, LatestAnomalyTime\\n| extend timestamp = LatestAnomalyTime\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"AccountMax\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"CallerIPAddress\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Azure Key Vault access TimeSeries anomaly\",\"description\":\"Identifies a sudden increase in count of Azure Key Vault secret or vault access operations by CallerIPAddress. The query leverages a built-in KQL anomaly detection algorithm to find large deviations from baseline Azure Key Vault access patterns.\\nAny sudden increase in the count of Azure Key Vault accesses can be an indication of adversary dumping credentials via automated methods. If you are seeing any noise, try filtering known source(IP/Account) and user-agent combinations.\\nTimeSeries Reference Blog: https://techcommunity.microsoft.com/t5/azure-sentinel/looking-for-unknown-anomalies-what-is-normal-time-series/ba-p/555052\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2019-07-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureKeyVault\",\"dataTypes\":[\"KeyVaultData\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/009b9bae-23dd-43c4-bcb9-11c4ba7c784a\",\"name\":\"009b9bae-23dd-43c4-bcb9-11c4ba7c784a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n | where OperationName has \\\"Consent to application\\\"\\n | where Result =~ \\\"failure\\\"\\n | extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n | extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n | extend InitiatingIPAddress = tostring(InitiatedBy.user.ipAddress)\\n | extend userAgent = iif(AdditionalDetails[0].key == \\\"User-Agent\\\", tostring(AdditionalDetails[0].value), tostring(AdditionalDetails[1].value))\\n | where isnotempty(TargetResources)\\n | extend TargetAppName = tostring(TargetResources[0].displayName)\\n | extend TargetAppId = tostring(TargetResources[0].id)\\n | mv-expand TargetResources[0].modifiedProperties\\n | extend TargetResources_0_modifiedProperties = columnifexists(\\\"TargetResources_0_modifiedProperties\\\", \u0027\u0027)\\n | where isnotempty(TargetResources_0_modifiedProperties)\\n | where TargetResources_0_modifiedProperties.displayName =~ \\\"MethodExecutionResult.\\\"\\n | extend TargetPropertyDisplayName = tostring(TargetResources_0_modifiedProperties.displayName)\\n | extend FailureReason = tostring(parse_json(tostring(TargetResources_0_modifiedProperties.newValue)))\\n | where FailureReason contains \\\"Risky\\\"\\n | extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[1])\\n | project-reorder TimeGenerated, OperationName, Result, TargetAppName, TargetAppId, FailureReason, InitiatingUserPrincipalName, InitiatingAadUserId, InitiatingIPAddress, userAgent\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatingAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatingAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIPAddress\"}]},{\"entityType\":\"CloudApplication\",\"fieldMappings\":[{\"identifier\":\"AppId\",\"columnName\":\"TargetAppId\"},{\"identifier\":\"Name\",\"columnName\":\"TargetAppName\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"End-user consent stopped due to risk-based consent\",\"description\":\"Detects a user\u0027s consent to an OAuth application being blocked due to it being too risky.\\n These events should be investigated to understand why the user attempted to consent to the applicaiton and what other applicaitons they may have consented to.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-applications#end-user-stopped-due-to-risk-based-consent\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/95002681-4ecb-4da3-9ece-26d7e5feaa33\",\"name\":\"95002681-4ecb-4da3-9ece-26d7e5feaa33\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"imAuthentication\\n| where EventResult ==\u0027Failure\u0027\\n| where EventResultDetails == \u0027User disabled\u0027\\n| summarize StartTime=min(EventStartTime), EndTime=max(EventEndTime), disabledAccountLoginAttempts = count()\\n , disabledAccountsTargeted = dcount(TargetUsername), disabledAccountSet = make_set(TargetUsername)\\n , applicationsTargeted = dcount(TargetAppName)\\n , applicationSet = make_set(TargetAppName) \\n by SrcDvcIpAddr, Type\\n| order by disabledAccountLoginAttempts desc\\n| join kind=leftouter \\n (\\n // Consider these IPs suspicious - and alert any related successful sign-ins\\n imAuthentication\\n | where EventResult==\u0027Success\u0027\\n | summarize successfulAccountSigninCount = dcount(TargetUsername), successfulAccountSigninSet = makeset(TargetUsername, 15) by SrcDvcIpAddr, Type\\n // Assume IPs associated with sign-ins from 100+ distinct user accounts are safe\\n | where successfulAccountSigninCount \u003c 100\\n )\\n on SrcDvcIpAddr\\n| where isnotempty(successfulAccountSigninCount)\\n| project StartTime, EndTime, SrcDvcIpAddr, disabledAccountLoginAttempts, disabledAccountsTargeted, disabledAccountSet, applicationSet, \\nsuccessfulAccountSigninCount, successfulAccountSigninSet, Type\\n| order by disabledAccountLoginAttempts\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcDvcIpAddr\"}]}],\"tactics\":[\"InitialAccess\",\"Persistence\"],\"displayName\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts (Uses Authentication Normalization)\",\"description\":\"Identifies IPs with failed attempts to sign in to one or more disabled accounts signed in successfully to another account.\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimAuthentication)\",\"lastUpdatedDateUTC\":\"2023-12-12T00:00:00Z\",\"createdDateUTC\":\"2021-07-27T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3bd33158-3f0b-47e3-a50f-7c20a1b88038\",\"name\":\"3bd33158-3f0b-47e3-a50f-7c20a1b88038\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"High\",\"query\":\"let SpringShell_threats = dynamic([\\\"Trojan:Python/SpringShellExpl\\\", \\\"Exploit:Python/SpringShell\\\", \\\"Backdoor:PHP/Remoteshell.V\\\", \\\"SpringShell\\\"]);\\nDeviceInfo\\n| extend DeviceName = tolower(DeviceName)\\n| join kind=inner ( SecurityAlert\\n| where ProviderName =~ \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)\\n| where ThreatName in~ (SpringShell_threats) or ThreatFamilyName in~ (SpringShell_threats)\\n| extend CompromisedEntity = tolower(CompromisedEntity)\\n) on $left.DeviceName == $right.CompromisedEntity\\n| summarize by DisplayName, ThreatName, ThreatFamilyName, PublicIP, AlertSeverity, Description, tostring(LoggedOnUsers), DeviceId, TenantId , bin(TimeGenerated, 1d), CompromisedEntity, tostring(LoggedOnUsers), ProductName, Entities\\n| extend HostName = tostring(split(CompromisedEntity, \\\".\\\")[0]), DomainIndex = toint(indexof(CompromisedEntity, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(CompromisedEntity, DomainIndex + 1), CompromisedEntity)\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CompromisedEntity\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"PublicIP\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"AV detections related to SpringShell Vulnerability\",\"description\":\"This query looks for Microsoft Defender AV detections related to the SpringShell vulnerability. In Microsoft Sentinel, the SecurityAlerts table includes only the Device Name of the affected device.\\n This query joins the DeviceInfo table to clearly connect other information such as device group, IP, logged-on users, etc. This would allow the Microsoft Sentinel analyst to have more context related to the alert, if available.\\n Reference: https://www.microsoft.com/security/blog/2022/04/04/springshell-rce-vulnerability-guidance-for-protecting-against-and-detecting-cve-2022-22965/\",\"lastUpdatedDateUTC\":\"2024-04-04T00:00:00Z\",\"createdDateUTC\":\"2022-04-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a333d8bf-22a3-4c55-a1e9-5f0a135c0253\",\"name\":\"a333d8bf-22a3-4c55-a1e9-5f0a135c0253\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.6\",\"severity\":\"High\",\"query\":\"let mde_threats = dynamic([\\\"Behavior:Win32/SuspAzureRequest.A\\\", \\\"Behavior:Win32/SuspAzureRequest.B\\\", \\\"Behavior:Win32/SuspAzureRequest.C\\\", \\\"Behavior:Win32/LaunchingSuspCMD.B\\\"]);\\nDeviceInfo\\n| extend DeviceName = tolower(DeviceName)\\n| join kind=inner ( SecurityAlert\\n| where ProviderName == \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)\\n| where ThreatName in~ (mde_threats) or ThreatFamilyName in~ (mde_threats)\\n| extend CompromisedEntity = tolower(CompromisedEntity)\\n) on $left.DeviceName == $right.CompromisedEntity\\n| summarize by bin(TimeGenerated, 1d), DisplayName, ThreatName, ThreatFamilyName, PublicIP, AlertSeverity, Description, tostring(LoggedOnUsers), DeviceId, TenantId, CompromisedEntity, tostring(LoggedOnUsers), ProductName, Entities\\n| extend HostName = tostring(split(CompromisedEntity, \\\".\\\")[0]), DomainIndex = toint(indexof(CompromisedEntity, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(CompromisedEntity, DomainIndex + 1), CompromisedEntity)\\n| project-away DomainIndex\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CompromisedEntity\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"PublicIP\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Microsoft Defender for Endpoint (MDE) signatures for Azure Synapse pipelines and Azure Data Factory\",\"description\":\"This query looks for Microsoft Defender for Endpoint detections related to the remote command execution attempts on Azure IR with Managed VNet or SHIR. \\nIn Microsoft Sentinel, the SecurityAlerts table includes the name of the impacted device. Additionally, this query joins the DeviceInfo table to connect other information such as device group, IP address, signed in users, and others allowing analysts using Microsoft Sentinel to have more context related to the alert. \\nReference: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-29972 , \\nhttps://msrc-blog.microsoft.com/2022/05/09/vulnerability-mitigated-in-the-third-party-data-connector-used-in-azure-synapse-pipelines-and-azure-data-factory-cve-2022-29972\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-04-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4759ddb4-2daf-43cb-b34e-d85b85b4e4a5\",\"name\":\"4759ddb4-2daf-43cb-b34e-d85b85b4e4a5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/DEV-0322_SolarWinds_Serv-U_IoC.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet process = (iocs | where Type =~ \\\"process\\\" | project IoC);\\nlet parentprocess = (iocs | where Type =~ \\\"parentprocess\\\" | project IoC);\\nlet IPList = (iocs | where Type =~ \\\"ip\\\"| project IoC);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or RequestURL has_any (IPList) or Message has_any (IPList)\\n| project TimeGenerated, SourceIP, DestinationIP, Message, SourceUserID, RequestURL, Type\\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", RequestURL in (IPList), \\\"RequestUrl\\\",\\\"NoMatch\\\"), AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, IPMatch == \\\"RequestUrl\\\", RequestURL, \\\"NoMatch\\\"), AccountCustomEntity = SourceUserID\\n),\\n(DnsEvents\\n| where IPAddresses in (IPList) \\n| project TimeGenerated, Computer, IPAddresses, Name, ClientIP, Type\\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Host = Computer , AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n),\\n(VMConnection\\n| where SourceIp in (IPList) or DestinationIp in (IPList)\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| project TimeGenerated, Computer, Direction, ProcessName, SourceIp, DestinationIp, DestinationPort, RemoteDnsQuestions, DNSName,BytesSent, BytesReceived, RemoteCountry, Type\\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", \\\"None\\\") , AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"NoMatch\\\"), HostCustomEntity = Computer, ProcessCustomEntity = ProcessName\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = EventDetail.[9].[\\\"#text\\\"], DestinationIP = EventDetail.[14].[\\\"#text\\\"], Image = EventDetail.[4].[\\\"#text\\\"]\\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| project TimeGenerated, SourceIP, DestinationIP, Image, UserName, Computer, Type\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\") , AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n), \\n(OfficeActivity\\n| where ClientIP in (IPList) \\n| project TimeGenerated, UserAgent, Operation, RecordType, UserId, ClientIP, AlertDetail = \u0027Dev-0322 IOC match\u0027, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = UserId\\n),\\n(DeviceNetworkEvents\\n| where RemoteIP in (IPList)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort, LocalIP, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName, AlertDetail = \u0027Dev-0322 IOC match\u0027, UrlCustomEntity =RemoteUrl, ProcessCustomEntity = InitiatingProcessFileName\\n),\\n(WindowsFirewall\\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| project TimeGenerated, Computer, CommunicationDirection, SourceIP, DestinationIP, SourcePort, DestinationPort, Type\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\"), AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallNetworkRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = DestinationHost\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| project TimeGenerated,Resource, msg_s\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost in (IPList)\\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = DestinationHost, AlertDetail = \u0027Dev-0322 IOC match\u0027\\n),\\n(\\nAZFWApplicationRule\\n| where Fqdn has_any (IPList)\\n| extend IPCustomEntity = SourceIp\\n),\\n(\\nAZFWNetworkRule\\n| where DestinationIp has_any (IPList)\\n| extend IPCustomEntity = SourceIp\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend ParentImage = EventDetail.[20].[\\\"#text\\\"], Image = EventDetail.[4].[\\\"#text\\\"]\\n| where ( ParentImage has_any (parentprocess) and Image has_any (process))\\n| parse EventDetail with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256,Image, ParentImage \\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = SHA256, AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(DeviceFileEvents\\n| extend CommandLineIP = extract(IPRegex, 0,InitiatingProcessCommandLine)\\n| where (InitiatingProcessFileName in (process) and InitiatingProcessParentFileName in (parentprocess)) or CommandLineIP in (IPList)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RequestAccountName, RequestSourceIP, InitiatingProcessSHA256, Type, CommandLineIP\\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash, IPCustomEntity = CommandLineIP\\n),\\n(DeviceEvents\\n| extend CommandLineIP = extract(IPRegex, 0,InitiatingProcessCommandLine)\\n| where (InitiatingProcessFileName in (process) and InitiatingProcessParentFileName in (parentprocess)) or CommandLineIP in (IPList)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type, CommandLineIP\\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath, AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash, IPCustomEntity = CommandLineIP\\n),\\n(DeviceProcessEvents\\n| extend CommandLineIP = extract(IPRegex, 0,InitiatingProcessCommandLine)\\n| where (InitiatingProcessFileName in (process) and InitiatingProcessParentFileName in (parentprocess)) or CommandLineIP in (IPList)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type, CommandLineIP, AccountName\\n| extend Account = AccountName, Computer = DeviceName, IPAddress = CommandLineIP, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash, IPCustomEntity = IPAddress\\n),\\n( SecurityEvent\\n| where EventID == 4688\\n| extend CommandLineIP = extract(IPRegex, 0, CommandLine)\\n| where CommandLineIP in (IPList) or (NewProcessName has_any (process) and ParentProcessName has_any (parentprocess))\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type, CommandLine, CommandLineIP\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, AlertDetail = \u0027Dev-0322 IOC match\u0027, IPCustomEntity = CommandLineIP\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"[Deprecated] - DEV-0322 Serv-U related IOCs - July 2021\",\"description\":\"This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft\u0027s Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2021-06-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceFileEvents\",\"DeviceEvents\",\"DeviceProcessEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\",\"AZFWApplicationRule\",\"AZFWNetworkRule\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f819c592-c5f9-4d5c-a79f-1e6819863533\",\"name\":\"f819c592-c5f9-4d5c-a79f-1e6819863533\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.6\",\"severity\":\"Medium\",\"query\":\"// ADHealth Monitoring Agent Registry Key\\nlet aadHealthMonAgentRegKey = \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Microsoft Online\\\\\\\\Reporting\\\\\\\\MonitoringAgent\\\";\\n// Filter out known processes\\nlet aadConnectHealthProcs = dynamic ([\\n \u0027Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe\u0027,\\n \u0027Microsoft.Identity.Health.Adfs.InsightsService.exe\u0027,\\n \u0027Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe\u0027,\\n \u0027Microsoft.Identity.Health.Adfs.PshSurrogate.exe\u0027,\\n \u0027Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe\u0027,\\n \u0027Microsoft.Identity.Health.AadSync.MonitoringAgent.Startup.exe\u0027,\\n \u0027Microsoft.Identity.AadConnect.Health.AadSync.Host.exe\u0027,\\n \u0027Microsoft.Azure.ActiveDirectory.Synchronization.Upgrader.exe\u0027,\\n \u0027miiserver.exe\u0027\\n]);\\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where EventID == \u00274656\u0027\\n| where EventData has aadHealthMonAgentRegKey\\n| extend EventData = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Computer, EventID)\\n| extend ObjectName = column_ifexists(\\\"ObjectName\\\", \\\"\\\"),\\n ObjectType = column_ifexists(\\\"ObjectType\\\", \\\"\\\")\\n| where ObjectType == \u0027Key\u0027\\n| where ObjectName == aadHealthMonAgentRegKey\\n| extend SubjectUserName = column_ifexists(\\\"SubjectUserName\\\", \\\"\\\"),\\n SubjectDomainName = column_ifexists(\\\"SubjectDomainName\\\", \\\"\\\"),\\n ProcessName = column_ifexists(\\\"ProcessName\\\", \\\"\\\")\\n| extend Process = split(ProcessName, \u0027\\\\\\\\\u0027, -1)[-1],\\n Account = strcat(SubjectDomainName, \\\"\\\\\\\\\\\", SubjectUserName)\\n| where Process !in (aadConnectHealthProcs)\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by EventID, Account, Computer, Process, SubjectUserName, SubjectDomainName, ObjectName, ObjectType, ProcessName\\n),\\n(\\nWindowsEvent\\n| where EventID == \u00274656\u0027 and EventData has aadHealthMonAgentRegKey\\n| extend ObjectType = tostring(EventData.ObjectType)\\n| where ObjectType == \u0027Key\u0027\\n| extend ObjectName = tostring(EventData.ObjectName)\\n| where ObjectName == aadHealthMonAgentRegKey\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| extend Process = tostring(split(ProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where Process !in (aadConnectHealthProcs)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName)\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by EventID, Account, Computer, Process, SubjectUserName, SubjectDomainName, ObjectName, ObjectType, ProcessName\\n),\\n(\\nSecurityEvent\\n| where EventID == \u00274663\u0027\\n| where ObjectType == \u0027Key\u0027\\n| where ObjectName == aadHealthMonAgentRegKey\\n| extend Process = tostring(split(ProcessName, \u0027\\\\\\\\\u0027, -1)[-1])\\n| where Process !in (aadConnectHealthProcs)\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by EventID, Account, Computer, Process, SubjectUserName, SubjectDomainName, ObjectName, ObjectType, ProcessName\\n),\\n (\\nWindowsEvent\\n| where EventID == \u00274663\u0027 and EventData has aadHealthMonAgentRegKey\\n| extend ObjectType = tostring(EventData.ObjectType)\\n| where ObjectType == \u0027Key\u0027\\n| extend ObjectName = tostring(EventData.ObjectName)\\n| where ObjectName == aadHealthMonAgentRegKey\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| extend Process = tostring(split(ProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where Process !in (aadConnectHealthProcs)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName)\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by EventID, Account, Computer, Process, SubjectUserName, SubjectDomainName, ObjectName, ObjectType, ProcessName\\n)\\n)\\n// You can filter out potential machine accounts\\n//| where AccountType != \u0027Machine\u0027\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| extend Name = tostring(split(Account, \\\"\\\\\\\\\\\")[1]), NTDomain = tostring(split(Account, \\\"\\\\\\\\\\\")[0])\\n| project-away DomainIndex\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"NTDomain\",\"columnName\":\"NTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"Collection\"],\"displayName\":\"Microsoft Entra ID Health Monitoring Agent Registry Keys Access\",\"description\":\"This detection uses Windows security events to detect suspicious access attempts to the registry key of Microsoft Entra ID Health monitoring agent.\\nThis detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object HKLM\\\\SOFTWARE\\\\Microsoft\\\\Microsoft Online\\\\Reporting\\\\MonitoringAgent.\\nYou can find more information in here https://github.com/OTRF/Set-AuditRule/blob/master/rules/registry/aad_connect_health_monitoring_agent.yml\\n\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2021-08-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7249500f-3038-4b83-8549-9cd8dfa2d498\",\"name\":\"7249500f-3038-4b83-8549-9cd8dfa2d498\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"de-ma.online\\\", \\\"g20saudi.000webhostapp.com\\\", \\\"ksat20.000webhostapp.com\\\"]);\\nlet EmailAddresses = dynamic([\\\"munichconference1962@gmail.com\\\",\\\"munichconference@outlook.de\\\", \\\"munichconference@outlook.com\\\", \\\"t20saudiarabia@gmail.com\\\", \\\"t20saudiarabia@hotmail.com\\\", \\\"t20saudiarabia@outlook.sa\\\"]);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 *\\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend RequestURLIP = extract(IPRegex, 0, Message)\\n| where (isnotempty(DNSName) and DNSName has_any (DomainNames))\\n or (isnotempty(DestinationHostName) and DestinationHostName has_any (DomainNames))\\n or (isnotempty(RequestURL) and (RequestURL has_any (DomainNames)))\\n| extend timestamp = TimeGenerated , AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName, IPCustomEntity = DestinationIP\\n),\\n(DnsEvents\\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Host = Computer\\n| where DNSName has_any (DomainNames)\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host),\\n(VMConnection\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where isnotempty(DNSName)\\n| where DNSName has_any (DomainNames)\\n| extend timestamp = TimeGenerated , HostCustomEntity = Computer),\\n(SecurityAlert\\n| where ProviderName =~ \u0027OATP\u0027\\n| extend UPN = case(isnotempty(parse_json(Entities)[0].Upn), parse_json(Entities)[0].Upn,\\n isnotempty(parse_json(Entities)[1].Upn), parse_json(Entities)[1].Upn,\\n isnotempty(parse_json(Entities)[2].Upn), parse_json(Entities)[2].Upn,\\n isnotempty(parse_json(Entities)[3].Upn), parse_json(Entities)[3].Upn,\\n isnotempty(parse_json(Entities)[4].Upn), parse_json(Entities)[4].Upn,\\n isnotempty(parse_json(Entities)[5].Upn), parse_json(Entities)[5].Upn,\\n isnotempty(parse_json(Entities)[6].Upn), parse_json(Entities)[6].Upn,\\n isnotempty(parse_json(Entities)[7].Upn), parse_json(Entities)[7].Upn,\\n isnotempty(parse_json(Entities)[8].Upn), parse_json(Entities)[8].Upn,\\n parse_json(Entities)[9].Upn)\\n| where Entities has_any (EmailAddresses)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = tostring(UPN)),\\n(AzureDiagnostics\\n| where ResourceType =~ \\\"AZUREFIREWALLS\\\"\\n| where msg_s has_any (DomainNames)\\n| extend timestamp = TimeGenerated),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| where msg_s has_any (DomainNames)\\n| extend timestamp = TimeGenerated),\\n(AZFWApplicationRule\\n| where isnotempty(Fqdn)\\n| where Fqdn has_any (DomainNames) \\n| extend timestamp = TimeGenerated),\\n(AZFWDnsQuery\\n| where isnotempty(QueryName)\\n| where QueryName has_any (DomainNames)\\n| extend timestamp = TimeGenerated))\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"InitialAccess\"],\"displayName\":\"[Deprecated] - Known Mint Sandstorm group domains/IP - October 2020\",\"description\":\"This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft\u0027s Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2020-10-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog (Cisco)\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog (Zscaler)\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog (Fortinet)\"]},{\"connectorId\":\"OfficeATP\",\"dataTypes\":[\"SecurityAlert (OATP)\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics (Azure Firewall)\",\"AZFWApplicationRule\",\"AZFWDnsQuery\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2790795b-7dba-483e-853f-44aa0bc9c985\",\"name\":\"2790795b-7dba-483e-853f-44aa0bc9c985\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Low\",\"query\":\"CommonSecurityLog\\n| where DeviceProduct =~ \\\"Wazuh\\\"\\n| where Activity has \\\"Web server 400 error code.\\\"\\n| where Message has \\\"403\\\"\\n| extend HostName=substring(split(DeviceCustomString1,\\\")\\\")[0],1)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), NumberOfErrors = dcount(SourceIP) by HostName, SourceIP\\n| where NumberOfErrors \u003e 400\\n| sort by NumberOfErrors desc\\n| extend timestamp = StartTime\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Wazuh - Large Number of Web errors from an IP\",\"description\":\"Identifies instances where Wazuh logged over 400 \u0027403\u0027 Web Errors from one IP Address. To onboard Wazuh data into Sentinel please view: https://github.com/wazuh/wazuh-documentation/blob/master/source/azure/monitoring%20activity.rst\",\"lastUpdatedDateUTC\":\"2024-07-15T00:00:00Z\",\"createdDateUTC\":\"2020-04-21T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/11b4c19d-2a79-4da3-af38-b067e1273dee\",\"name\":\"11b4c19d-2a79-4da3-af38-b067e1273dee\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.5\",\"severity\":\"High\",\"query\":\"(union isfuzzy=true\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID in (17,18)\\n| where EventData has \u0027583da945-62af-10e8-4902-a8f205c72b2e\u0027\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, MG, ManagementGroupName, _ResourceId)\\n| extend PipeName = column_ifexists(\\\"PipeName\\\", \\\"\\\")\\n| extend Account = User\\n| extend AccountName = tostring(split(User, @\\\"\\\\\\\")[1]), AccountNTDomain = tostring(split(User, @\\\"\\\\\\\")[0])\\n),\\n(\\nSecurityEvent\\n| where EventID == \u00275145\u0027\\n// %%4418 looks for presence of CreatePipeInstance value\\n| where AccessList has \u0027%%4418\u0027\\n| where RelativeTargetName has \u0027583da945-62af-10e8-4902-a8f205c72b2e\u0027\\n| extend AccountName = SubjectUserName, AccountNTDomain = SubjectDomainName\\n),\\n(\\nWindowsEvent\\n| where EventID == \u00275145\u0027 and EventData has \u0027%%4418\u0027 and EventData has \u0027583da945-62af-10e8-4902-a8f205c72b2e\u0027\\n// %%4418 looks for presence of CreatePipeInstance value\\n| extend AccessList= tostring(EventData.AccessList)\\n| where AccessList has \u0027%%4418\u0027\\n| extend RelativeTargetName= tostring(EventData.RelativeTargetName)\\n| where RelativeTargetName has \u0027583da945-62af-10e8-4902-a8f205c72b2e\u0027\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend AccountName = tostring(EventData.SubjectUserName), AccountNTDomain = tostring(EventData.SubjectDomainName)\\n)\\n)\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| project-away DomainIndex\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"DefenseEvasion\",\"PrivilegeEscalation\"],\"displayName\":\"Solorigate Named Pipe\",\"description\":\"Identifies a match across various data feeds for named pipe IOCs related to the Solorigate incident.\\n For the sysmon events required for this detection, logging for Named Pipe Events needs to be configured in Sysmon config (Event ID 17 and Event ID 18)\\n Reference: https://techcommunity.microsoft.com/t5/azure-sentinel/solarwinds-post-compromise-hunting-with-azure-sentinel/ba-p/1995095\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2020-12-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f6a51e2c-2d6a-4f92-a090-cfb002ca611f\",\"name\":\"f6a51e2c-2d6a-4f92-a090-cfb002ca611f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"let lbtime = 10m;\\nlet disallowed_ext = dynamic([\u0027ps1\u0027, \u0027exe\u0027, \u0027vbs\u0027, \u0027js\u0027, \u0027scr\u0027]);\\nProofpointPOD\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027inbound\u0027\\n| where FilterDisposition !in (\u0027reject\u0027, \u0027discard\u0027)\\n| extend attachedExt = todynamic(MsgParts)[0][\u0027detectedExt\u0027]\\n| where tolower(attachedExt) in (disallowed_ext)\\n| project SrcUserUpn, AccountCustomEntity = parse_json(DstUserUpn)[0], attachedExt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"ProofpointPOD - Suspicious attachment\",\"description\":\"Detects when email contains suspicious attachment (file type).\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ef88eb96-861c-43a0-ab16-f3835a97c928\",\"name\":\"ef88eb96-861c-43a0-ab16-f3835a97c928\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT12H\",\"queryPeriod\":\"PT12H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.1\",\"severity\":\"Medium\",\"query\":\"let regexEmpire = tostring(toscalar(externaldata(cmdlets:string)[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/EmpireCommandString.txt\\\"] with (format=\\\"txt\\\")));\\n(union isfuzzy=true\\n (SecurityEvent\\n| where EventID == 4688\\n//consider filtering on filename if perf issues occur\\n//where FileName in~ (\\\"powershell.exe\\\",\\\"powershell_ise.exe\\\",\\\"pwsh.exe\\\")\\n| where not(ParentProcessName has_any (\u0027gc_worker.exe\u0027, \u0027gc_service.exe\u0027))\\n| where CommandLine has \\\"-encodedCommand\\\"\\n| parse kind=regex flags=i CommandLine with * \\\"-EncodedCommand \\\" encodedCommand\\n| extend encodedCommand = iff(encodedCommand has \\\" \\\", tostring(split(encodedCommand, \\\" \\\")[0]), encodedCommand)\\n// Note: currently the base64_decode_tostring function is limited to supporting UTF8\\n| extend decodedCommand = translate(\u0027\\\\0\u0027,\u0027\u0027, base64_decode_tostring(substring(encodedCommand, 0, strlen(encodedCommand) - (strlen(encodedCommand) %8)))), encodedCommand, CommandLine , strlen(encodedCommand)\\n| extend EfectiveCommand = iff(isnotempty(encodedCommand), decodedCommand, CommandLine)\\n| where EfectiveCommand matches regex regexEmpire\\n| project timestamp = TimeGenerated, Computer, SubjectUserName, SubjectDomainName, FileName = Process, EfectiveCommand, decodedCommand, encodedCommand, CommandLine, ParentProcessName\\n| extend HostName = split(Computer, \u0027.\u0027, 0)[0], DnsDomain = strcat_array(array_slice(split(Computer, \u0027.\u0027), 1, -1), \u0027.\u0027)\\n),\\n(WindowsEvent\\n| where EventID == 4688\\n| where EventData has_any (\\\"-encodedCommand\\\", \\\"powershell.exe\\\",\\\"powershell_ise.exe\\\",\\\"pwsh.exe\\\")\\n| where not(EventData has_any (\u0027gc_worker.exe\u0027, \u0027gc_service.exe\u0027))\\n//consider filtering on filename if perf issues occur\\n//extend NewProcessName = tostring(EventData.NewProcessName)\\n//extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n//FileName = Process\\n//where FileName in~ (\\\"powershell.exe\\\",\\\"powershell_ise.exe\\\",\\\"pwsh.exe\\\")\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| where not(ParentProcessName has_any (\u0027gc_worker.exe\u0027, \u0027gc_service.exe\u0027))\\n| extend CommandLine = tostring(EventData.CommandLine)\\n| where CommandLine has \\\"-encodedCommand\\\"\\n| parse kind=regex flags=i CommandLine with * \\\"-EncodedCommand \\\" encodedCommand\\n| extend encodedCommand = iff(encodedCommand has \\\" \\\", tostring(split(encodedCommand, \\\" \\\")[0]), encodedCommand)\\n// Note: currently the base64_decode_tostring function is limited to supporting UTF8\\n| extend decodedCommand = translate(\u0027\\\\0\u0027,\u0027\u0027, base64_decode_tostring(substring(encodedCommand, 0, strlen(encodedCommand) - (strlen(encodedCommand) %8)))), encodedCommand, CommandLine , strlen(encodedCommand)\\n| extend EfectiveCommand = iff(isnotempty(encodedCommand), decodedCommand, CommandLine)\\n| where EfectiveCommand matches regex regexEmpire\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| project timestamp = TimeGenerated, Computer, SubjectUserName, SubjectDomainName, FileName = Process, EfectiveCommand, decodedCommand, encodedCommand, CommandLine, ParentProcessName\\n| extend HostName = split(Computer, \u0027.\u0027, 0)[0], DnsDomain = strcat_array(array_slice(split(Computer, \u0027.\u0027), 1, -1), \u0027.\u0027)\\n))\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"SubjectUserName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"SubjectDomainName\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]}],\"tactics\":[\"Collection\",\"CommandAndControl\",\"CredentialAccess\",\"DefenseEvasion\",\"Discovery\",\"Execution\",\"Exfiltration\",\"LateralMovement\",\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Powershell Empire Cmdlets Executed in Command Line\",\"description\":\"This query identifies use of PowerShell Empire\u0027s cmdlets within the command line data of the PowerShell process, indicating potential use of the post-exploitation tool.\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2019-01-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/61988db3-0565-49b5-b8e3-747195baac6e\",\"name\":\"61988db3-0565-49b5-b8e3-747195baac6e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.5\",\"severity\":\"Medium\",\"query\":\"let procList = dynamic([\\\"cmd.exe\\\",\\\"ftp.exe\\\",\\\"schtasks.exe\\\",\\\"powershell.exe\\\",\\\"rundll32.exe\\\",\\\"regsvr32.exe\\\",\\\"msiexec.exe\\\"]); \\nimProcessCreate\\n| where CommandLine has \\\"recycler\\\"\\n| where Process has_any (procList)\\n| extend FileName = tostring(split(Process, \u0027\\\\\\\\\u0027)[-1])\\n| where FileName in~ (procList)\\n| project TimeGenerated, Dvc, User, Process, FileName, CommandLine, ActingProcessName, EventVendor, EventProduct\\n| extend AccountName = tostring(split(User, @\u0027\\\\\u0027)[1]), AccountNTDomain = tostring(split(User, @\u0027\\\\\u0027)[0])\\n| extend HostName = tostring(split(Dvc, \\\".\\\")[0]), DomainIndex = toint(indexof(Dvc, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Dvc, DomainIndex + 1), Dvc)\\n| project-away DomainIndex\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"User\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Dvc\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Malware in the recycle bin (Normalized Process Events)\",\"description\":\"Identifies malware that has been hidden in the recycle bin.\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimProcessEvent)\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2021-06-13T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cecdbd4c-4902-403c-8d4b-32eb1efe460b\",\"name\":\"cecdbd4c-4902-403c-8d4b-32eb1efe460b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"High\",\"query\":\"let domains = dynamic([\\\"incomeupdate.com\\\",\\\"zupertech.com\\\",\\\"databasegalore.com\\\",\\\"panhardware.com\\\",\\\"avsvmcloud.com\\\",\\\"digitalcollege.org\\\",\\\"freescanonline.com\\\",\\\"deftsecurity.com\\\",\\\"thedoccloud.com\\\",\\\"virtualdataserver.com\\\",\\\"lcomputers.com\\\",\\\"webcodez.com\\\",\\\"globalnetworkissues.com\\\",\\\"kubecloud.com\\\",\\\"seobundlekit.com\\\",\\\"solartrackingsystem.net\\\",\\\"virtualwebdata.com\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n | parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n | where DNSName in~ (domains) or DestinationHostName has_any (domains) or RequestURL has_any(domains)\\n | extend AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName, IPCustomEntity = SourceIP\\n ),\\n(_Im_Dns (domain_has_any=domains)\\n | extend DNSName = DnsQuery\\n | extend IPCustomEntity = SrcIpAddr\\n ),\\n(VMConnection \\n | parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n | where isnotempty(DNSName)\\n | where DNSName in~ (domains)\\n | extend IPCustomEntity = RemoteIp\\n ),\\n(DeviceNetworkEvents \\n | where isnotempty(RemoteUrl) \\n | where RemoteUrl has_any (domains) \\n | extend DNSName = RemoteUrl\\n | extend IPCustomEntity = RemoteIP \\n | extend HostCustomEntity = DeviceName \\n ),\\n(AzureDiagnostics \\n | where ResourceType == \\\"AZUREFIREWALLS\\\"\\n | where Category == \\\"AzureFirewallApplicationRule\\\"\\n | parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n | where isnotempty(DestinationHost)\\n | where DestinationHost has_any (domains) \\n | extend DNSName = DestinationHost \\n | extend IPCustomEntity = SourceHost\\n ),\\n(AzureDiagnostics\\n | where ResourceType == \\\"AZUREFIREWALLS\\\"\\n | where Category == \\\"AzureFirewallNetworkRule\\\"\\n | where msg_s has_any (domains)\\n | parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePortInt:int \\\" to \\\" TargetIP \\\":\\\" TargetPortInt:int *\\n | parse kind=regex flags=U msg_s with * \\\". Action\\\\\\\\: \\\" Action1a \\\"\\\\\\\\.\\\"\\n | parse msg_s with * \\\". Policy: \\\" Policy \\\". Rule Collection Group: \\\" RuleCollectionGroup \\\".\\\" *\\n | parse msg_s with * \\\" Rule Collection: \\\" RuleCollection \\\". Rule: \\\" Rule \\n | extend DNSName = TargetIP \\n | extend IPCustomEntity = SourceIP\\n ),\\n(AzureDiagnostics\\n | where ResourceType == \\\"AZUREFIREWALLS\\\"\\n | where Category == \\\"AzureFirewallDnsProxy\\\"\\n | where msg_s has_any (domains)\\n | parse msg_s with \\\"DNS Request: \\\" SourceIP \\\":\\\" SourcePortInt:int \\\" - \\\" QueryID:int \\\" \\\" RequestType \\\" \\\" RequestClass \\\" \\\" hostname \\\". \\\" protocol \\\" \\\" details\\n | extend\\n ResponseDuration = extract(\\\"[0-9]*.?[0-9]+s$\\\", 0, msg_s),\\n SourcePort = tostring(SourcePortInt),\\n QueryID = tostring(QueryID)\\n | extend DNSName = hostname\\n | extend IPCustomEntity = SourceIP\\n | project TimeGenerated,SourceIP,hostname,RequestType,ResponseDuration,details,msg_s\\n | order by TimeGenerated\\n ),\\n(AZFWApplicationRule\\n | where Fqdn has_any (domains)\\n | extend DNSName = Fqdn\\n | extend IPCustomEntity = SourceIp\\n ),\\n(AZFWDnsQuery\\n | where isnotempty(QueryName)\\n | where QueryName has_any (domains)\\n | extend DNSName = QueryName\\n | extend IPCustomEntity = SourceIp\\n )\\n )\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"DNSName\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"[Deprecated] - Solorigate Network Beacon\",\"description\":\"This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft\u0027s Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2020-12-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\",\"AZFWApplicationRule\",\"AZFWDnsQuery\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4a3073ac-7383-48a9-90a8-eb6716183a54\",\"name\":\"4a3073ac-7383-48a9-90a8-eb6716183a54\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Medium\",\"query\":\"let excludeProcs = dynamic([@\\\"\\\\SolarWinds\\\\Orion\\\\APM\\\\APMServiceControl.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\ExportToPDFCmd.Exe\\\", @\\\"\\\\SolarWinds.Credentials\\\\SolarWinds.Credentials.Orion.WebApi.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\Topology\\\\SolarWinds.Orion.Topology.Calculator.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\Database-Maint.exe\\\", @\\\"\\\\SolarWinds.Orion.ApiPoller.Service\\\\SolarWinds.Orion.ApiPoller.Service.exe\\\", @\\\"\\\\Windows\\\\SysWOW64\\\\WerFault.exe\\\"]);\\nDeviceProcessEvents\\n| where InitiatingProcessFileName =~ \\\"solarwinds.businesslayerhost.exe\\\"\\n| where not(FolderPath has_any (excludeProcs))\\n| extend\\n timestamp = TimeGenerated,\\n InitiatingProcessAccountUPNSuffix = tostring(split(InitiatingProcessAccountUpn, \\\"@\\\")[1]),\\n Algorithm = \\\"MD5\\\"\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"InitiatingProcessAccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"InitiatingProcessAccountDomain\"},{\"identifier\":\"Sid\",\"columnName\":\"InitiatingProcessAccountSid\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"DeviceName\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"Algorithm\"},{\"identifier\":\"Value\",\"columnName\":\"MD5\"}]}],\"tactics\":[\"Execution\",\"Persistence\"],\"displayName\":\"SUNBURST suspicious SolarWinds child processes\",\"description\":\"Identifies suspicious child processes of SolarWinds.Orion.Core.BusinessLayer.dll that may be evidence of the SUNBURST backdoor\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2020-12-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4ebbb5c2-8802-11ec-a8a3-0242ac120002\",\"name\":\"4ebbb5c2-8802-11ec-a8a3-0242ac120002\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"High\",\"query\":\"// Enter a reference list of decoy users (usernames) \\\"Case Sensitive\\\"\\nlet MaliciousServiceArtifacts = dynamic ([\\\"fgexec\\\",\\\"cachedump\\\",\\\"mimikatz\\\",\\\"mimidrv\\\",\\\"wceservice\\\",\\\"pwdump\\\"]);\\nEvent\\n| where Source == \\\"Service Control Manager\\\" and EventID == 7045\\n| parse EventData with * \u0027ServiceName\\\"\u003e\u0027 ServiceName \\\"\u003c\\\" * \u0027ImagePath\\\"\u003e\u0027 ImagePath \\\"\u003c\\\" *\\n| where ServiceName has_any (MaliciousServiceArtifacts) or ImagePath has_any (MaliciousServiceArtifacts)\\n| parse EventData with * \u0027AccountName\\\"\u003e\u0027 AccountName \\\"\u003c\\\" *\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, ServiceName, ImagePath, AccountName\\n| extend HostName = split(Computer, \u0027.\u0027, 0)[0], DnsDomain = strcat_array(array_slice(split(Computer, \u0027.\u0027), 1, -1), \u0027.\u0027)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"AccountName\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"ImagePath\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Credential Dumping Tools - Service Installation\",\"description\":\"This query detects the installation of a Windows service that contains artifacts from credential dumping tools such as Mimikatz.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"Event\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"Event\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2b328487-162d-4034-b472-59f1d53684a1\",\"name\":\"2b328487-162d-4034-b472-59f1d53684a1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Medium\",\"query\":\"let timeframe = 15m;\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(timeframe)\\n| where HttpUserAgentOriginal == \u0027\u0027\\n| extend Message = \\\"Empty User Agent\\\"\\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlOriginal\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - Empty User Agent Detected\",\"description\":\"Rule helps to detect empty and unusual user agent indicating web browsing activity by an unusual process other than a web browser.\",\"lastUpdatedDateUTC\":\"2023-12-29T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8d537f3c-094f-430c-a588-8a87da36ee3a\",\"name\":\"8d537f3c-094f-430c-a588-8a87da36ee3a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Medium\",\"query\":\"let timeframe = 15m;\\nlet user_agents=dynamic([\\n \u0027(hydra)\u0027,\\n \u0027 arachni/\u0027,\\n \u0027 BFAC \u0027,\\n \u0027 brutus \u0027,\\n \u0027 cgichk \u0027,\\n \u0027core-project/1.0\u0027,\\n \u0027 crimscanner/\u0027,\\n \u0027datacha0s\u0027,\\n \u0027dirbuster\u0027,\\n \u0027domino hunter\u0027,\\n \u0027dotdotpwn\u0027,\\n \u0027FHScan Core\u0027,\\n \u0027floodgate\u0027,\\n \u0027get-minimal\u0027,\\n \u0027gootkit auto-rooter scanner\u0027,\\n \u0027grendel-scan\u0027,\\n \u0027 inspath \u0027,\\n \u0027internet ninja\u0027,\\n \u0027jaascois\u0027,\\n \u0027 zmeu \u0027,\\n \u0027masscan\u0027,\\n \u0027 metis \u0027,\\n \u0027morfeus fucking scanner\u0027,\\n \u0027n-stealth\u0027,\\n \u0027nsauditor\u0027,\\n \u0027pmafind\u0027,\\n \u0027security scan\u0027,\\n \u0027springenwerk\u0027,\\n \u0027teh forest lobster\u0027,\\n \u0027toata dragostea\u0027,\\n \u0027 vega/\u0027,\\n \u0027voideye\u0027,\\n \u0027webshag\u0027,\\n \u0027webvulnscan\u0027,\\n \u0027 whcc/\u0027,\\n \u0027 Havij\u0027,\\n \u0027absinthe\u0027,\\n \u0027bsqlbf\u0027,\\n \u0027mysqloit\u0027,\\n \u0027pangolin\u0027,\\n \u0027sql power injector\u0027,\\n \u0027sqlmap\u0027,\\n \u0027sqlninja\u0027,\\n \u0027uil2pn\u0027,\\n \u0027ruler\u0027,\\n \u0027Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-PT; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)\u0027\\n ]);\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(timeframe)\\n| where HttpUserAgentOriginal has_any (user_agents)\\n| extend Message = \\\"Hack Tool User Agent\\\"\\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated, HttpUserAgentOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlOriginal\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - Hack Tool User-Agent Detected\",\"description\":\"Detects suspicious user agent strings used by known hack tools\",\"lastUpdatedDateUTC\":\"2023-12-29T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a0907abe-6925-4d90-af2b-c7e89dc201a6\",\"name\":\"a0907abe-6925-4d90-af2b-c7e89dc201a6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P10D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"let starttime = 10d;\\nlet endtime = 1d;\\nlet threshold = 100;\\nlet nxDomainDnsEvents = DnsEvents\\n// ResultCode 3 =\u003e \u0027NXDOMAIN\u0027\\n| where ResultCode == 3\\n| where QueryType in~ (\\\"A\\\", \\\"AAAA\\\")\\n| where ipv4_is_match(\\\"127.0.0.1\\\", ClientIP) == False\\n| where Name !has \\\"/\\\"\\n| where Name has \\\".\\\";\\nnxDomainDnsEvents\\n| where TimeGenerated \u003e ago(endtime)\\n// sld = Second Level Domain\\n| extend sld = tostring(split(Name, \\\".\\\")[-2])\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), dcount(sld), sampleNXDomainList=make_set(Name, 100) by ClientIP\\n| where dcount_sld \u003e threshold\\n// Filter out previously seen IPs\\n// Returns all the records from the left side that don\u0027t have matches from the right\\n| join kind=leftanti (nxDomainDnsEvents\\n | where TimeGenerated between(ago(starttime)..ago(endtime))\\n | extend sld = tostring(split(Name, \\\".\\\")[-2])\\n | summarize dcount(sld) by ClientIP, bin(TimeGenerated,1d)\\n | where dcount_sld \u003e threshold\\n ) on ClientIP\\n | order by dcount_sld desc\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Potential DGA detected\",\"description\":\"Identifies clients with a high NXDomain count, which could be indicative of a DGA (cycling through possible C2 domains where most C2s are not live).\\nAlerts are generated when a new IP address is seen (based on not being associated with NXDomain records in the prior 10-day baseline period).\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/492fbe35-cbac-4a8c-9059-826782e6915a\",\"name\":\"492fbe35-cbac-4a8c-9059-826782e6915a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Low\",\"query\":\"AuditLogs\\n | where Category =~ \\\"ApplicationManagement\\\"\\n | where OperationName has_any (\\\"Update Application\\\", \\\"Update Service principal\\\")\\n | extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n | extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n | extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n | extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n | extend InitiatingIPAddress = tostring(InitiatedBy.user.ipAddress)\\n | extend TargetAppName = tostring(TargetResources[0].displayName)\\n | extend mod_props = TargetResources[0].modifiedProperties\\n | mv-expand mod_props\\n | extend Action = tostring(mod_props.displayName)\\n | where Action contains \\\"Url\\\"\\n | extend UpdatedBy = iif(isnotempty(InitiatingAppName), InitiatingAppName, InitiatingUserPrincipalName)\\n | extend OldURL = tostring(mod_props.oldValue)\\n | extend NewURL = tostring(mod_props.newValue)\\n | extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[1])\\n | project-reorder TimeGenerated, InitiatingAppName, InitiatingAppServicePrincipalId, InitiatingAadUserId, InitiatingUserPrincipalName, InitiatingIPAddress, UpdatedBy\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatingAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatingAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"OldURL\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"NewURL\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIPAddress\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Changes to Application Logout URL\",\"description\":\"Detects changes to an applications sign out URL.\\n Look for any modifications to a sign out URL. Blank entries or entries to non-existent locations would stop a user from terminating a session.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-applications#logout-url-modified-or-removed\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/122fbc6a-57ab-4aa7-b9a9-51ac4970cac1\",\"name\":\"122fbc6a-57ab-4aa7-b9a9-51ac4970cac1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"// Define variable \u0027AwsAlert\u0027 to collect AWS GuardDuty CredentialAccess alerts related to Amazon Relational Database Service (RDS) activity\\nlet AwsAlert = materialize (\\n AWSGuardDuty\\n | where ActivityType has_any (\\n \\\"CredentialAccess:RDS/TorIPCaller.SuccessfulLogin\\\",\\n \\\"CredentialAccess:RDS/TorIPCaller.FailedLogin\\\",\\n \\\"CredentialAccess:RDS/AnomalousBehavior.SuccessfulBruteForce\\\",\\n \\\"CredentialAccess:RDS/AnomalousBehavior.SuccessfulLogin\\\",\\n \\\"CredentialAccess:RDS/MaliciousIPCaller.SuccessfulLogin\\\",\\n \\\"CredentialAccess:RDS/MaliciousIPCaller.FailedLogin\\\"\\n )\\n | extend\\n AWSAlertId = Id, \\n AWSAlertTitle = Title,\\n AWSAlertDescription = Description,\\n AWSresourceType = tostring(parse_json(ResourceDetails).resourceType),\\n AWSNetworkEntity = tostring(parse_json(ServiceDetails).action.rdsLoginAttemptAction.remoteIpDetails.ipAddressV4),\\n RDSInstanceId = tostring(parse_json(ResourceDetails).rdsDbInstanceDetails.dbInstanceIdentifier),\\n RDSUser = tostring(parse_json(ResourceDetails).rdsDbUserDetails.user),\\n RDSApplication = tostring(parse_json(ResourceDetails).rdsDbUserDetails.application),\\n RDSactionType = tostring(parse_json(ServiceDetails).action.actionType),\\n AWSAlertTime = TimeCreated,\\n AWSAlertLink= tostring(strcat(\u0027https://us-east-1.console.aws.amazon.com/guardduty/home?region=us-east-1#/findings?macros=current\u0026fId=\u0027,Id)),\\n Severity = \\n case (\\n Severity \u003e= 7.0, \\\"High\\\",\\n Severity between (4.0 .. 6.9), \\\"Medium\\\",\\n Severity between (1.0 .. 3.9), \\\"Low\\\",\\n \\\"Unknown\\\")\\n | distinct\\n AWSAlertTime,\\n ActivityType,\\n AWSAlertId,\\n AWSAlertLink,\\n AWSAlertTitle,\\n AWSAlertDescription,\\n AWSresourceType,\\n Arn,\\n Severity,\\n RDSactionType,\\n RDSApplication,\\n RDSInstanceId,\\n RDSUser,\\n AWSNetworkEntity\\n );\\n // Define variable \u0027Azure_sigin\u0027 to collect Azure portal sign-in activities\\n let Azure_sigin = materialize (\\n SigninLogs\\n | where AppDisplayName == \\\"Azure Portal\\\"\\n | where isnotempty(OriginalRequestId)\\n | summarize \\n AzureSuccessfulEvent = countif(ResultType == 0), \\n AzureFailedEvent = countif(ResultType != 0), \\n totalAzureLoginEventId = dcount(OriginalRequestId), \\n AzureFailedEventsCount = dcountif(OriginalRequestId, ResultType != 0), \\n AzureSuccessfuleventsCount = dcountif(OriginalRequestId, ResultType == 0),\\n AzureSetOfFailedevents = makeset(iff(ResultType != 0, OriginalRequestId, \\\"\\\"), 5), \\n AzureSetOfSuccessfulEvents = makeset(iff(ResultType == 0, OriginalRequestId, \\\"\\\"), 5) \\n by \\n IPAddress, \\n UserPrincipalName, \\n bin(TimeGenerated, 1min), \\n UserAgent,\\n ConditionalAccessStatus,\\n OperationName,\\n RiskDetail,\\n AuthenticationRequirement,\\n ClientAppUsed\\n // Extracting the name and UPN suffix from UserPrincipalName\\n | extend\\n Name = tostring(split(UserPrincipalName, \u0027@\u0027)[0]),\\n UPNSuffix = tostring(split(UserPrincipalName, \u0027@\u0027)[1])\\n );\\n // Join \u0027AwsAlert\u0027 and \u0027Azure_sigin\u0027 on the AWS Network Entity and Azure IP Address\\n AwsAlert\\n | join kind=inner Azure_sigin on $left.AWSNetworkEntity == $right.IPAddress\",\"customDetails\":{\"AWSAlertUserName\":\"RDSUser\",\"AWSArn\":\"Arn\",\"AWSresourceType\":\"AWSresourceType\",\"AWSInstanceType\":\"RDSactionType\",\"AWSAplicationName\":\"RDSApplication\",\"AWSInstanceId\":\"RDSInstanceId\",\"AzureUserAgent\":\"UserAgent\",\"AzureUser\":\"UserPrincipalName\",\"AzureClientAppUsed\":\"ClientAppUsed\",\"AzConditionalAccess\":\"ConditionalAccessStatus\",\"AzureOperationName\":\"OperationName\",\"AzureRiskDetail\":\"RiskDetail\",\"AzAuthRequirement\":\"AuthenticationRequirement\",\"alertSeverity\":\"Severity\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"IP address {{IPAddress}} in {{AWSAlertTitle}} seen in Azure Signin Logs with {{UserPrincipalName}}\",\"alertDescriptionFormat\":\"This detection correlates AWS GuardDuty Credential Access alert described \u0027{{AWSAlertDescription}}\u0027 related to Amazon Relational Database Service (RDS) activity with Azure portal sign-in activities. It identifies successful and failed logins, anomalous behavior, and malicious IP access. By joining these datasets on network entities and IP addresses, it detects unauthorized credential access attempts across AWS and Azure resources, enhancing cross-cloud security monitoring. \\n\\n AWS ALert Link : \u0027{{AWSAlertLink}}\u0027 \\n\\n Find More Details :https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-active.html\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":\"Severity\"},\"tactics\":[\"CredentialAccess\",\"InitialAccess\"],\"displayName\":\"Cross-Cloud Unauthorized Credential Access Detection From AWS RDS Login\",\"description\":\"\\nThis detection correlates AWS GuardDuty Credential Access alerts related to Amazon Relational Database Service (RDS) activity with Azure portal sign-in activities. It identifies successful and failed logins, anomalous behavior, and malicious IP access. By joining these datasets on network entities and IP addresses, it detects unauthorized credential access attempts across AWS and Azure resources, enhancing cross-cloud security monitoring.\\n\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2023-09-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSGuardDuty\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2c55fe7a-b06f-4029-a5b9-c54a2320d7b8\",\"name\":\"2c55fe7a-b06f-4029-a5b9-c54a2320d7b8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.6\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet TotalEventsThreshold = 5;\\n// Configure the list with sensitive process names \\nlet ExeList = dynamic([\\\"powershell.exe\\\",\\\"cmd.exe\\\",\\\"wmic.exe\\\",\\\"psexec.exe\\\",\\\"cacls.exe\\\",\\\"rundll32.exe\\\"]);\\nlet TimeSeriesData =\\nSecurityEvent\\n| where EventID == 4688 | extend Process = tolower(Process)\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where Process in~ (ExeList)\\n| project TimeGenerated, Computer, AccountType, Account, Process\\n| make-series Total=count() on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by Process;\\nlet TimeSeriesAlerts = materialize(TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(Total, 1.5, -1, \u0027linefit\u0027)\\n| mv-expand Total to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to typeof(double), baseline to typeof(long)\\n| where anomalies \u003e 0\\n| project Process, TimeGenerated, Total, baseline, anomalies, score\\n| where Total \u003e TotalEventsThreshold);\\nlet AnomalyHours = materialize(TimeSeriesAlerts | where TimeGenerated \u003e ago(2d) | project TimeGenerated);\\nTimeSeriesAlerts\\n| where TimeGenerated \u003e ago(2d)\\n| join (\\nSecurityEvent\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n| where EventID == 4688 | extend Process = tolower(Process)\\n| summarize CommandlineCount = count() by bin(TimeGenerated, 1h), Process, CommandLine, Computer, Account\\n) on Process, TimeGenerated\\n| project AnomalyHour = TimeGenerated, Computer, Account, Process, CommandLine, CommandlineCount, Total, baseline, anomalies, score\\n| extend timestamp = AnomalyHour, NTDomain = split(Account, \u0027\\\\\\\\\u0027, 0)[0], Name = split(Account, \u0027\\\\\\\\\u0027, 1)[0], HostName = tostring(split(Computer, \u0027.\u0027, 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Computer, \u0027.\u0027), 1, -1), \u0027.\u0027))\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"NTDomain\",\"columnName\":\"NTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"Process Execution Frequency Anomaly\",\"description\":\"This detection identifies anomalous spike in frequency of executions of sensitive processes which are often leveraged as attack vectors.\\nThe query leverages KQL\u0027s built-in anomaly detection algorithms to find large deviations from baseline patterns.\\nSudden increases in execution frequency of sensitive processes should be further investigated for malicious activity.\\nTune the values from 1.5 to 3 in series_decompose_anomalies for further outliers or based on custom threshold values for score.\",\"lastUpdatedDateUTC\":\"2024-03-13T00:00:00Z\",\"createdDateUTC\":\"2019-05-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/961b6a81-5c53-40b6-9800-4f661a8faea7\",\"name\":\"961b6a81-5c53-40b6-9800-4f661a8faea7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.1\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/DEV-0586.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\nlet Command_Line = (iocs | where Type =~ \\\"CommandLine\\\" | project IoC);\\n(union isfuzzy=true\\n(DeviceProcessEvents\\n| where InitiatingProcessSHA256 in (sha256Hashes) or SHA256 in (sha256Hashes) or ( InitiatingProcessCommandLine has (\u0027127.0.0.1\\\\\\\\ADMIN$\u0027) and InitiatingProcessCommandLine has_any (Command_Line))\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type, AccountName, SHA256\\n| extend Account = AccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = case(InitiatingProcessSHA256 in (sha256Hashes), \\\"InitiatingProcessSHA256\\\", SHA256 in (sha256Hashes), \\\"SHA256\\\", \\\"No Match\\\")\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = case(FileHash == \\\"InitiatingProcessSHA256\\\", InitiatingProcessSHA256, FileHash == \\\"SHA256\\\", SHA256, \\\"No Match\\\"), AlgorithmCustomEntity = \\\"SHA256\\\"\\n),\\n( SecurityEvent\\n| where EventID == 4688\\n| where ( CommandLine has (@\u0027127.0.0.1\\\\\\\\ADMIN$\u0027) and CommandLine has_any (Command_Line))\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type, EventID\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName\\n),\\n( CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, SourceUserID, FileHash, Type\\n| extend timestamp = TimeGenerated, FileHashCustomEntity = FileHash, Account = SourceUserID, AlgorithmCustomEntity = \\\"SHA256\\\"\\n),\\n( imFileEvent\\n| where Hash in~ (sha256Hashes) or ( ActingProcessCommandLine has (\u0027127.0.0.1\\\\\\\\ADMIN$\u0027) and ActingProcessCommandLine has_any (Command_Line))\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, FileHashCustomEntity = FileHash, AlgorithmCustomEntity = \\\"SHA256\\\"\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Image = EventDetail.[4].[\\\"#text\\\"], CommandLine = EventDetail.[10].[\\\"#text\\\"], Hashes = tostring(EventDetail.[17].[\\\"#text\\\"])\\n| extend Hashes = extract_all(@\\\"(?P\u003ckey\u003e\\\\w+)=(?P\u003cvalue\u003e[a-zA-Z0-9]+)\\\", dynamic([\\\"key\\\",\\\"value\\\"]), Hashes)\\n| extend Hashes = column_ifexists(\\\"Hashes\\\", \\\"\\\"), CommandLine = column_ifexists(\\\"CommandLine\\\", \\\"\\\")\\n| extend Hashes = todynamic(Hashes) | mv-expand Hashes\\n| where (Hashes[0] =~ \\\"SHA256\\\" and Hashes[1] has_any (sha256Hashes)) or ( CommandLine has (\u0027127.0.0.1\\\\\\\\ADMIN$\u0027) and CommandLine has_any (Command_Line)) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, Hashes, CommandLine, Image\\n| extend Type = strcat(Type, \\\": \\\", Source)\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), FileHashCustomEntity = tostring(Hashes[1]), AlgorithmCustomEntity = \\\"SHA256\\\"\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"[Deprecated] - Cadet Blizzard Actor IOC - January 2022\",\"description\":\"This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft\u0027s Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2022-01-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6ab1f7b2-61b8-442f-bc81-96afe7ad8c53\",\"name\":\"6ab1f7b2-61b8-442f-bc81-96afe7ad8c53\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"High\",\"query\":\"// OBJECT ID of AAD Groups can be found by navigating to Azure Active Directory then from menu on the left, select Groups and from the list shown of AAD Groups, the Second Column shows the ObjectID of each\\nlet GroupIDs = dynamic([\\\"List with Custom AAD GROUP OBJECT ID 1\\\",\\\"Custom AAD GROUP OBJECT ID 2\\\"]);\\nAuditLogs\\n| where OperationName in (\u0027Add member to group\u0027, \u0027Add owner to group\u0027)\\n| extend InitiatedByActionUserInformation = iff(isnotempty(InitiatedBy.user.userPrincipalName), InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName)\\n| extend InitiatedByIPAdress = InitiatedBy.user.ipAddress \\n// Uncomment the following line to filter events where the inviting user was a guest user\\n//| where InitiatedBy has_any (\\\"CUSTOM DOMAIN NAME#\\\", \\\"#EXT#\\\")\\n| mv-apply TargetResource = TargetResources on \\n (\\n where TargetResource.type =~ \\\"User\\\"\\n | extend InvitedUser = trim(@\u0027\\\"\u0027,tostring(TargetResource.userPrincipalName)),\\n Properties = TargetResource.modifiedProperties\\n )\\n| mv-apply Property = Properties on \\n (\\n where Property.displayName =~ \\\"Group.DisplayName\\\"\\n | extend AADGroup = trim(\u0027\\\"\u0027,tostring(Property.newValue))\\n )\\n| where InvitedUser has_any (\\\"CUSTOM DOMAIN NAME#\\\", \\\"#EXT#\\\")\\n| mv-apply Property = Properties on\\n (\\n where Property.displayName =~ \\\"Group.ObjectID\\\"\\n | extend AADGroupId = trim(\u0027\\\"\u0027,tostring(Property.newValue))\\n )\\n| where AADGroupId !in (GroupIDs)\\n| extend Name = tostring(split(InitiatedByActionUserInformation,\u0027@\u0027,0)[0]), UPNSuffix = tostring(split(InitiatedByActionUserInformation,\u0027@\u0027,1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"InvitedUser\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatedByIPAdress\"}]}],\"tactics\":[\"InitialAccess\",\"Persistence\",\"Discovery\"],\"displayName\":\"Guest accounts added in AAD Groups other than the ones specified\",\"description\":\"Guest Accounts are added in the Organization Tenants to perform various tasks i.e projects execution, support etc.. This detection notifies when guest users are added to Azure AD Groups other than the ones specified and poses a risk to gain access to sensitive apps or data.\",\"lastUpdatedDateUTC\":\"2023-10-27T00:00:00Z\",\"createdDateUTC\":\"2022-10-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e7ec9fa6-e7f7-41ed-a34b-b956837a3ee6\",\"name\":\"e7ec9fa6-e7f7-41ed-a34b-b956837a3ee6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"Medium\",\"query\":\"let threshold = 15;\\n// Below pulls messages from syslog-authpriv logs where there was an authentication failure with an unknown user.\\n// IP address of system attempting logon is also extracted from the SyslogMessage field. Some of these messages\\n// are aggregated.\\nSyslog\\n| where Facility =~ \\\"authpriv\\\"\\n| where SyslogMessage has \\\"authentication failure\\\" and SyslogMessage has \\\" uid=0\\\"\\n| extend RemoteIP = extract(@\\\".*?rhost=([\\\\d.]+).*?\\\", 1,SyslogMessage)\\n| project TimeGenerated, Computer, ProcessName, HostIP, RemoteIP, ProcessID\\n| join kind=innerunique (\\n // Below pulls messages from syslog-authpriv logs that show each instance an unknown user tried to logon. \\n Syslog \\n | where Facility =~ \\\"authpriv\\\"\\n | where SyslogMessage has \\\"user unknown\\\"\\n | project Computer, HostIP, ProcessID\\n ) on Computer, HostIP, ProcessID\\n// Count the number of failed logon attempts by External IP and internal machine\\n| summarize FirstLogonAttempt = min(TimeGenerated), LatestLogonAttempt = max(TimeGenerated), TotalLogonAttempts = count() by Computer, HostIP, RemoteIP\\n// Calculate the time between first and last logon attempt (AttemptPeriodLength)\\n| extend TimeBetweenLogonAttempts = LatestLogonAttempt - FirstLogonAttempt\\n| where TotalLogonAttempts \u003e= threshold\\n| project FirstLogonAttempt, LatestLogonAttempt, TimeBetweenLogonAttempts, TotalLogonAttempts, SourceAddress = RemoteIP, Computer, HostIP\\n| sort by Computer asc nulls last\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"HostIP\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Failed logon attempts in authpriv\",\"description\":\"Identifies failed logon attempts from unknown users in Syslog authpriv logs. The unknown user means the account that tried to log in isn\u0027t provisioned on the machine. A few hits could indicate someone attempting to access a machine they aren\u0027t authorized to access. \\nIf there are many of hits, especially from outside your network, it could indicate a brute force attack. \\nDefault threshold for logon attempts is 15.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"SyslogAma\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/57c7e832-64eb-411f-8928-4133f01f4a25\",\"name\":\"57c7e832-64eb-411f-8928-4133f01f4a25\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.4\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h; // Look back 1 hour for AzureDiagnostics logs\\nlet ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators\\n// Fetch threat intelligence indicators related to IP addresses\\nlet IP_Indicators = ThreatIntelligenceIndicator\\n | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n | where TimeGenerated \u003e= ago(ioc_lookBack)\\n | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \\\"fe80\\\" and TI_ipEntity !startswith \\\"::\\\" and TI_ipEntity !startswith \\\"127.\\\"\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n | where Active == true and ExpirationDateTime \u003e now();\\n// Perform a join between IP indicators and AzureDiagnostics logs for Key Vault events\\nIP_Indicators\\n // Use innerunique to keep performance fast and result set low, as we only need one match to indicate potential malicious activity that needs investigation\\n | join kind=innerunique (\\n AzureDiagnostics\\n | where ResourceType =~ \\\"VAULTS\\\"\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | extend KeyVaultEvents_TimeGenerated = TimeGenerated, ClientIP = CallerIPAddress\\n )\\n on $left.TI_ipEntity == $right.ClientIP\\n // Filter out logs that occurred after the expiration of the corresponding indicator\\n | where KeyVaultEvents_TimeGenerated \u003c ExpirationDateTime\\n // Group the results by IndicatorId and ClientIP, and keep the log entry with the latest timestamp\\n | summarize KeyVaultEvents_TimeGenerated = arg_max(KeyVaultEvents_TimeGenerated, *) by IndicatorId, ClientIP\\n // Select the desired output fields\\n | project KeyVaultEvents_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\n TI_ipEntity, ClientIP, ResourceId, SubscriptionId, OperationName, ResultType, CorrelationId, id_s, clientInfo_s, httpStatusCode_d,\\n identity_claim_appid_g, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, Type\\n // Rename the timestamp field\\n | extend timestamp = KeyVaultEvents_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceId\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"TI map IP entity to Azure Key Vault logs\",\"description\":\"Identifies a match in Azure Key Vault logs from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2024-07-09T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureKeyVault\",\"dataTypes\":[\"KeyVaultData\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/050b9b3d-53d0-4364-a3da-1b678b8211ec\",\"name\":\"050b9b3d-53d0-4364-a3da-1b678b8211ec\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"High\",\"query\":\"// Define the start and end times based on input values\\nlet starttime = now()-1h;\\nlet endtime = now();\\n// Set a lookback period of 14 days\\nlet lookback = starttime - 14d;\\n// Define a reusable function to query audit logs\\nlet awsFunc = (start:datetime, end:datetime) {\\n AuditLogs\\n | where TimeGenerated between (start..end)\\n | where Category =~ \\\"RoleManagement\\\"\\n | where AADOperationType in (\\\"Assign\\\", \\\"AssignEligibleRole\\\")\\n | where ActivityDisplayName has_any (\\\"Add eligible member to role\\\", \\\"Add member to role\\\")\\n | mv-apply TargetResource = TargetResources on\\n (\\n where TargetResource.type in~ (\\\"User\\\", \\\"ServicePrincipal\\\")\\n | extend Target = iff(TargetResource.type =~ \\\"ServicePrincipal\\\", tostring(TargetResource.displayName), tostring(TargetResource.userPrincipalName)),\\n props = TargetResource.modifiedProperties\\n )\\n | mv-apply Property = props on\\n (\\n where Property.displayName =~ \\\"Role.DisplayName\\\"\\n | extend RoleName = trim(\u0027\\\"\u0027, tostring(Property.newValue))\\n )\\n | where RoleName contains \\\"Admin\\\" and Result == \\\"success\\\"\\n};\\n// Query for audit events in the current day\\nlet EventInfo_CurrentDay = awsFunc(starttime, endtime);\\n// Query for audit events in the historical period (lookback)\\nlet EventInfo_historical = awsFunc(lookback, starttime);\\n// Find unseen events by performing a left anti-join\\nlet EventInfo_Unseen = (EventInfo_CurrentDay\\n | join kind=leftanti(EventInfo_historical) on Target, RoleName, OperationName\\n);\\n// Extend and clean up the results\\nEventInfo_Unseen\\n| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n| extend InitiatingIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\\n| extend Initiator = iif(isnotempty(InitiatingAppName), InitiatingAppName, InitiatingUserPrincipalName)\\n// You can uncomment the lines below to filter out PIM activations\\n// | where Initiator != \\\"MS-PIM\\\"\\n// | summarize StartTime=min(TimeGenerated), EndTime=min(TimeGenerated) by OperationName, RoleName, Target, Initiator, Result\\n// Project specific columns and split them for further analysis\\n| project TimeGenerated, OperationName, RoleName, Target, Initiator, InitiatingUserPrincipalName, InitiatingAadUserId, InitiatingAppName, InitiatingAppServicePrincipalId, InitiatingIpAddress, Result\\n| extend TargetName = tostring(split(Target,\u0027@\u0027,0)[0]), TargetUPNSuffix = tostring(split(Target,\u0027@\u0027,1)[0]), InitiatorName = tostring(split(InitiatingUserPrincipalName,\u0027@\u0027,0)[0]), InitiatorUPNSuffix = tostring(split(InitiatingUserPrincipalName,\u0027@\u0027,1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Target\"},{\"identifier\":\"Name\",\"columnName\":\"TargetName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"TargetUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatorName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatorUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAppServicePrincipalId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIpAddress\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"New User Assigned to Privileged Role\",\"description\":\"Identifies when a privileged role is assigned to a new user. Any account eligible for a role is now being given privileged access. If the assignment is unexpected or into a role that isn\u0027t the responsibility of the account holder, investigate.\",\"lastUpdatedDateUTC\":\"2024-02-08T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/968358d6-6af8-49bb-aaa4-187b3067fb95\",\"name\":\"968358d6-6af8-49bb-aaa4-187b3067fb95\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT12H\",\"queryPeriod\":\"PT12H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"High\",\"query\":\"let successCodes = dynamic([200, 302, 401]);\\nW3CIISLog\\n| where scStatus has_any (successCodes)\\n| where ipv4_is_private(cIP) == False\\n| where csUriStem hasprefix \\\"/autodiscover/autodiscover.json\\\"\\n| project TimeGenerated, cIP, sIP, sSiteName, csUriStem, csUriQuery, Computer, csUserName, _ResourceId, FileUri\\n| where (csUriQuery !has \\\"Protocol\\\" and isnotempty(csUriQuery))\\nor (csUriQuery has_any(\\\"/mapi/\\\", \\\"powershell\\\"))\\nor (csUriQuery contains \\\"@\\\" and csUriQuery matches regex @\\\"\\\\.[a-zA-Z]{2,4}?(?:[a-zA-Z]{2,4}\\\\/)\\\")\\nor (csUriQuery contains \\\":\\\" and csUriQuery matches regex @\\\"\\\\:[0-9]{2,4}\\\\/\\\")\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| extend AccountName = tostring(split(csUserName, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(csUserName, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"csUserName\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"cIP\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"_ResourceId\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Exchange SSRF Autodiscover ProxyShell - Detection\",\"description\":\"This query looks for suspicious request patterns to Exchange servers that fit patterns recently blogged about by PeterJson. This exploitation chain utilises an SSRF vulnerability in Exchange which eventually allows the attacker to execute arbitrary Powershell on the server.\\nIn the example powershell can be used to write an email to disk with an encoded attachment containing a shell.\\nReference: https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2021-08-09T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5e45930c-09b1-4430-b2d1-cc75ada0dc0f\",\"name\":\"5e45930c-09b1-4430-b2d1-cc75ada0dc0f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.4.2\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h; // Look back 1 hour for W3CIISLog events\\nlet ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators\\n// Fetch threat intelligence indicators related to IP addresses\\nlet IP_Indicators = ThreatIntelligenceIndicator\\n | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n | where TimeGenerated \u003e= ago(ioc_lookBack)\\n | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \\\"fe80\\\" and TI_ipEntity !startswith \\\"::\\\" and TI_ipEntity !startswith \\\"127.\\\"\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n | where Active == true and ExpirationDateTime \u003e now();\\n// Perform a join between IP indicators and W3CIISLog events\\nIP_Indicators\\n // Use innerunique to keep performance fast and result set low, as we only need one match to indicate potential malicious activity that needs investigation\\n | join kind=innerunique (\\n W3CIISLog\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(cIP)\\n | where ipv4_is_private(cIP) == false and cIP !startswith \\\"fe80\\\" and cIP !startswith \\\"::\\\" and cIP !startswith \\\"127.\\\"\\n | extend W3CIISLog_TimeGenerated = TimeGenerated\\n )\\n on $left.TI_ipEntity == $right.cIP\\n // Filter out W3CIISLog events that occurred after the expiration of the corresponding indicator\\n | where W3CIISLog_TimeGenerated \u003c ExpirationDateTime\\n // Group the results by IndicatorId and keep the W3CIISLog event with the latest timestamp\\n | summarize W3CIISLog_TimeGenerated = arg_max(W3CIISLog_TimeGenerated, *) by IndicatorId, cIP\\n // Select the desired output fields\\n | project timestamp = W3CIISLog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\n TI_ipEntity, Computer, sSiteName, cIP, sIP, sPort, csMethod, csUserName, scStatus, scSubStatus, scWin32Status,\\n NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, Type\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"csUserName\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"cIP\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"TI Map IP Entity to W3CIISLog\",\"description\":\"This query maps any IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in W3CIISLog.\",\"lastUpdatedDateUTC\":\"2024-07-09T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cbf6ad48-fa5c-4bf7-b205-28dbadb91255\",\"name\":\"cbf6ad48-fa5c-4bf7-b205-28dbadb91255\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"let procList = externaldata(Process:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Microsoft_Lolbas_Execution_Binaries.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nEvent\\n| where EventLog =~ \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID==1\\n| parse EventData with * \u0027Image\\\"\u003e\u0027 Image \\\"\u003c\\\" * \u0027OriginalFileName\\\"\u003e\u0027 OriginalFileName \\\"\u003c\\\" *\\n| where OriginalFileName has_any (procList) and not (Image has_any (procList))\\n| parse EventData with * \u0027ProcessGuid\\\"\u003e\u0027 ProcessGuid \\\"\u003c\\\" * \u0027Description\\\"\u003e\u0027 Description \\\"\u003c\\\" * \u0027CommandLine\\\"\u003e\u0027 CommandLine \\\"\u003c\\\" * \u0027CurrentDirectory\\\"\u003e\u0027 CurrentDirectory \\\"\u003c\\\" * \u0027User\\\"\u003e\u0027 User \\\"\u003c\\\" * \u0027LogonGuid\\\"\u003e\u0027 LogonGuid \\\"\u003c\\\" * \u0027Hashes\\\"\u003e\u0027 Hashes \\\"\u003c\\\" * \u0027ParentProcessGuid\\\"\u003e\u0027 ParentProcessGuid \\\"\u003c\\\" * \u0027ParentImage\\\"\u003e\u0027 ParentImage \\\"\u003c\\\" * \u0027ParentCommandLine\\\"\u003e\u0027 ParentCommandLine \\\"\u003c\\\" * \u0027ParentUser\\\"\u003e\u0027 ParentUser \\\"\u003c\\\" *\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, User, ParentImage, ParentProcessGuid, ParentCommandLine, ParentUser, Image, ProcessGuid, CommandLine, Description, OriginalFileName, CurrentDirectory, Hashes\\n| extend HostName = iif(Computer has \u0027.\u0027,substring(Computer,0,indexof(Computer,\u0027.\u0027)),Computer) , DnsDomain = iif(Computer has \u0027.\u0027,substring(Computer,indexof(Computer,\u0027.\u0027)+1),\u0027\u0027)\",\"entityMappings\":[{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLine\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"User\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"Windows Binaries Lolbins Renamed\",\"description\":\"This query detects the execution of renamed Windows binaries (Lolbins). This is a common technique used by adversaries to evade detection. \\nRef: https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-analytics-alert-reference/cortex-xdr-analytics-alert-reference/execution-of-renamed-lolbin.html\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-03-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a2e36ce0-da4d-4b6e-88c6-4e40161c5bfc\",\"name\":\"a2e36ce0-da4d-4b6e-88c6-4e40161c5bfc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.8\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @\u0027^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$\u0027;\\nThreatIntelligenceIndicator\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n| where TimeGenerated \u003e= ago(ioc_lookBack)\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true and ExpirationDateTime \u003e now()\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n SecurityAlert\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | extend MSTI = case(AlertName has \\\"TI map\\\" and VendorName == \\\"Microsoft\\\" and ProductName == \u0027Azure Sentinel\u0027, true, false)\\n | where MSTI == false\\n // Converting Entities into dynamic data type and use mv-expand to unpack the array\\n | extend EntitiesDynamicArray = parse_json(Entities) | mv-expand EntitiesDynamicArray\\n // Parsing relevant entity column to filter type account and creating new column by combining account and UPNSuffix\\n | extend Entitytype = tostring(parse_json(EntitiesDynamicArray).Type), EntityName = tostring(parse_json(EntitiesDynamicArray).Name),\\n EntityUPNSuffix = tostring(parse_json(EntitiesDynamicArray).UPNSuffix)\\n | where Entitytype =~ \\\"account\\\"\\n | extend EntityEmail = tolower(strcat(EntityName, \\\"@\\\", EntityUPNSuffix))\\n | where EntityEmail matches regex emailregex\\n | extend Alert_TimeGenerated = TimeGenerated\\n)\\non $left.EmailSenderAddress == $right.EntityEmail\\n| where Alert_TimeGenerated \u003c ExpirationDateTime\\n| summarize Alert_TimeGenerated = arg_max(Alert_TimeGenerated, *) by IndicatorId, AlertName\\n| project Alert_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, EntityEmail, AlertName, AlertType,\\nAlertSeverity, Entities, ProviderName, VendorName\\n| extend Name = tostring(split(EntityEmail, \u0027@\u0027, 0)[0]), UPNSuffix = tostring(split(EntityEmail, \u0027@\u0027, 1)[0])\\n| extend timestamp = Alert_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"EntityEmail\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"TI map Email entity to SecurityAlert\",\"description\":\"Identifies a match in SecurityAlert table from any Email IOC from TI which will extend coverage to datatypes such as MCAS, StorageThreatProtection and many others\",\"lastUpdatedDateUTC\":\"2024-07-10T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fb7ca1c9-e14c-40a3-856e-28f3c14ea1ba\",\"name\":\"fb7ca1c9-e14c-40a3-856e-28f3c14ea1ba\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Medium\",\"query\":\"let account_threshold = 5;\\nAADNonInteractiveUserSignInLogs\\n//| where ResultType == \\\"81016\\\"\\n| where ResultType startswith \\\"81\\\"\\n| summarize DistinctAccounts = dcount(UserPrincipalName), DistinctAddresses = make_set(IPAddress,100) by ResultType\\n| where DistinctAccounts \u003e account_threshold\\n| mv-expand IPAddress = DistinctAddresses\\n| extend IPAddress = tostring(IPAddress)\\n| join kind=leftouter (union isfuzzy=true SigninLogs, AADNonInteractiveUserSignInLogs) on IPAddress\\n| summarize\\n StartTime = min(TimeGenerated),\\n EndTime = max(TimeGenerated),\\n UserPrincipalName = make_set(UserPrincipalName,100),\\n UserAgent = make_set(UserAgent,100),\\n ResultDescription = take_any(ResultDescription),\\n ResultSignature = take_any(ResultSignature)\\n by IPAddress, Type, ResultType\\n| project Type, StartTime, EndTime, IPAddress, ResultType, ResultDescription, ResultSignature, UserPrincipalName, UserAgent = iff(array_length(UserAgent) == 1, UserAgent[0], UserAgent)\\n| extend Name = tostring(split(UserPrincipalName[0],\u0027@\u0027,0)[0]), UPNSuffix = tostring(split(UserPrincipalName[0],\u0027@\u0027,1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Password spray attack against Microsoft Entra ID Seamless SSO\",\"description\":\"This query detects when there is a spike in Microsoft Entra ID Seamless SSO errors. They may not be caused by a Password Spray attack, but the cause of the errors might need to be investigated.\\nMicrosoft Entra ID only logs the requests that matched existing accounts, thus there might have been unlogged requests for non-existing accounts.\",\"lastUpdatedDateUTC\":\"2024-01-04T00:00:00Z\",\"createdDateUTC\":\"2022-03-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/361dd1e3-1c11-491e-82a3-bb2e44ac36ba\",\"name\":\"361dd1e3-1c11-491e-82a3-bb2e44ac36ba\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.4\",\"severity\":\"Medium\",\"query\":\"let szOperationNames = dynamic([\\\"microsoft.compute/virtualMachines/write\\\", \\\"microsoft.resources/deployments/write\\\"]);\\nlet starttime = 7d;\\nlet endtime = 1d;\\nlet timeframe = 1d;\\nlet TimeSeriesData =\\nAzureActivity\\n| where TimeGenerated between (startofday(ago(starttime)) .. startofday(now()))\\n| where OperationNameValue in~ (szOperationNames)\\n| project TimeGenerated, Caller \\n| make-series Total = count() on TimeGenerated from startofday(ago(starttime)) to startofday(now()) step timeframe by Caller; \\nTimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(Total, 3, -1, \u0027linefit\u0027)\\n| mv-expand Total to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to typeof(double), baseline to typeof(long) \\n| where TimeGenerated \u003e= startofday(ago(endtime))\\n| where anomalies \u003e 0 and baseline \u003e 0\\n| project Caller, TimeGenerated, Total, baseline, anomalies, score\\n| join (AzureActivity\\n| where TimeGenerated \u003e startofday(ago(endtime)) \\n| where OperationNameValue in~ (szOperationNames)\\n| summarize make_set(OperationNameValue,100), make_set(_ResourceId,100), make_set(CallerIpAddress,100) by bin(TimeGenerated, timeframe), Caller\\n) on TimeGenerated, Caller\\n| mv-expand CallerIpAddress=set_CallerIpAddress\\n| project-away Caller1\\n| extend Name = iif(Caller has \u0027@\u0027,tostring(split(Caller,\u0027@\u0027,0)[0]),\\\"\\\")\\n| extend UPNSuffix = iif(Caller has \u0027@\u0027,tostring(split(Caller,\u0027@\u0027,1)[0]),\\\"\\\")\\n| extend AadUserId = iif(Caller !has \u0027@\u0027,Caller,\\\"\\\")\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Caller\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"AadUserId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"CallerIpAddress\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Suspicious number of resource creation or deployment activities\",\"description\":\"Indicates when an anomalous number of VM creations or deployment activities occur in Azure via the AzureActivity log. This query generates the baseline pattern of cloud resource creation by an individual and generates an anomaly when any unusual spike is detected. These anomalies from unusual or privileged users could be an indication of a cloud infrastructure takedown by an adversary.\",\"lastUpdatedDateUTC\":\"2024-03-04T00:00:00Z\",\"createdDateUTC\":\"2019-02-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/baedfdf4-7cc8-45a1-81a9-065821628b83\",\"name\":\"baedfdf4-7cc8-45a1-81a9-065821628b83\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"let runningRAT_parameters = dynamic([\u0027/ui/chk\u0027, \u0027mactok=\u0027, \u0027UsRnMe=\u0027, \u0027IlocalP=\u0027, \u0027kMnD=\u0027]);\\nCommonSecurityLog\\n| where RequestMethod == \\\"GET\\\"\\n| project TimeGenerated, DeviceVendor, DeviceProduct, DeviceAction, DestinationDnsDomain, DestinationIP, RequestURL, SourceIP, SourceHostName, RequestClientApplication\\n| where RequestURL has_any (runningRAT_parameters)\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DestinationIP\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"SourceHostName\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"RequestURL\"}]}],\"tactics\":[\"Exfiltration\",\"CommandAndControl\"],\"displayName\":\"RunningRAT request parameters\",\"description\":\"This detection will alert when RunningRAT URI parameters or paths are detect in an HTTP request.\\nId the device blocked this communication presence of this alert means the RunningRAT implant is likely still executing on the source host.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-05-31T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/42436753-9944-4d70-801c-daaa4d19ddd2\",\"name\":\"42436753-9944-4d70-801c-daaa4d19ddd2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"AlertPerResult\"},\"version\":\"1.1.4\",\"severity\":\"Medium\",\"query\":\"let threatCategory=\\\"Powershell\\\";\\nlet knownUserAgentsIndicators = materialize(externaldata(UserAgent:string, Category:string)\\n [ @\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/UnusualUserAgents.csv\\\"]\\n with(format=\\\"csv\\\", ignoreFirstRecord=True));\\nlet knownUserAgents=toscalar(knownUserAgentsIndicators | where Category==threatCategory | where isnotempty(UserAgent) | summarize make_list(UserAgent));\\nlet customUserAgents=toscalar(_GetWatchlist(\\\"UnusualUserAgents\\\") | where SearchKey==threatCategory | extend UserAgent=column_ifexists(\\\"UserAgent\\\",\\\"\\\") | where isnotempty(UserAgent) | summarize make_list(UserAgent));\\nlet fullUAList = array_concat(knownUserAgents,customUserAgents);\\n_Im_WebSession(httpuseragent_has_any=fullUAList)\\n| project SrcIpAddr, Url, TimeGenerated, HttpUserAgent, SrcUsername\\n| extend AccountName = tostring(split(SrcUsername, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(SrcUsername, \\\"@\\\")[1])\",\"customDetails\":{\"UserAgent\":\"HttpUserAgent\"},\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SrcUsername\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Host {{SrcIpAddr}} is potentially running PowerShell\",\"alertDescriptionFormat\":\"The host at address {{SrcIpAddr}} sent an HTTP request to the URL {{Url}} with the HTTP user agent header {{HttpUserAgent}}. This user agent is known to be used by PoerShell and indicates suspicious activity on the host.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"CommandAndControl\",\"DefenseEvasion\",\"Execution\"],\"displayName\":\"A host is potentially running PowerShell to send HTTP(S) requests (ASIM Web Session schema)\",\"description\":\"This rule identifies a web request with a user agent header known to belong PowerShell. \u003cbr\u003eYou can add custom Powershell indicating User-Agent headers using a watchlist, for more information refer to the [UnusualUserAgents Watchlist](https://aka.ms/ASimUnusualUserAgentsWatchlist).\u003cbr\u003e\u003cbr\u003e\\n This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema)\",\"lastUpdatedDateUTC\":\"2024-07-15T00:00:00Z\",\"createdDateUTC\":\"2021-12-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/631d02df-ab51-46c1-8d72-32d0cfec0720\",\"name\":\"631d02df-ab51-46c1-8d72-32d0cfec0720\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.6\",\"severity\":\"Medium\",\"query\":\"let excludeProcs = dynamic([@\\\"\\\\SolarWinds\\\\Orion\\\\APM\\\\APMServiceControl.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\ExportToPDFCmd.Exe\\\", @\\\"\\\\SolarWinds.Credentials\\\\SolarWinds.Credentials.Orion.WebApi.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\Topology\\\\SolarWinds.Orion.Topology.Calculator.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\Database-Maint.exe\\\", @\\\"\\\\SolarWinds.Orion.ApiPoller.Service\\\\SolarWinds.Orion.ApiPoller.Service.exe\\\", @\\\"\\\\Windows\\\\SysWOW64\\\\WerFault.exe\\\"]);\\nimProcessCreate\\n| where Process hassuffix \u0027solarwinds.businesslayerhost.exe\u0027\\n| where not(Process has_any (excludeProcs))\\n| extend AccountName = tostring(split(ActorUsername, @\u0027\\\\\u0027)[1]), AccountNTDomain = tostring(split(ActorUsername, @\u0027\\\\\u0027)[0])\\n| extend HostName = tostring(split(Dvc, \\\".\\\")[0]), DomainIndex = toint(indexof(Dvc, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Dvc, DomainIndex + 1), Dvc)\\n| project-away DomainIndex\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ActorUsername\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Dvc\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmType\"},{\"identifier\":\"Value\",\"columnName\":\"TargetFileMD5\"}]}],\"tactics\":[\"Execution\",\"Persistence\"],\"displayName\":\"SUNBURST suspicious SolarWinds child processes (Normalized Process Events)\",\"description\":\"Identifies suspicious child processes of SolarWinds.Orion.Core.BusinessLayer.dll that may be evidence of the SUNBURST backdoor\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimProcessEvent)\",\"lastUpdatedDateUTC\":\"2024-07-15T00:00:00Z\",\"createdDateUTC\":\"2020-12-15T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/48602a24-67cf-4362-b258-3f4249e55def\",\"name\":\"48602a24-67cf-4362-b258-3f4249e55def\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Medium\",\"query\":\"let query_frequency = 1h;\\nlet query_period = 14d;\\nIdentityInfo\\n| where TimeGenerated \u003e ago(query_period)\\n| where set_has_element(AssignedRoles, \\\"Global Administrator\\\")\\n| distinct AccountUPN, AccountObjectId\\n| join kind=inner (\\n AuditLogs\\n | where TimeGenerated \u003e ago(query_frequency)\\n | where OperationName=~ \\\"Update user\\\" and Result =~ \\\"success\\\"\\n // | where isnotempty(InitiatedBy[\\\"user\\\"])\\n | mv-expand TargetResource = TargetResources\\n | where TargetResource[\\\"type\\\"] == \\\"User\\\"\\n | extend AccountObjectId = tostring(TargetResource[\\\"id\\\"])\\n | where tostring(TargetResource[\\\"modifiedProperties\\\"]) != \\\"[]\\\"\\n | mv-apply modifiedProperty = TargetResource[\\\"modifiedProperties\\\"] on (\\n summarize modifiedProperties = make_bag(\\n bag_pack(tostring(modifiedProperty[\\\"displayName\\\"]),\\n bag_pack(\\\"oldValue\\\", trim(@\u0027[\\\\\\\"\\\\s]+\u0027, tostring(modifiedProperty[\\\"oldValue\\\"])),\\n \\\"newValue\\\", trim(@\u0027[\\\\\\\"\\\\s]+\u0027, tostring(modifiedProperty[\\\"newValue\\\"])))))\\n )\\n | where not(tostring(modifiedProperties[\\\"Included Updated Properties\\\"][\\\"newValue\\\"]) in (\\\"LastDirSyncTime\\\", \\\"\\\"))\\n | where not(tostring(modifiedProperties[\\\"Included Updated Properties\\\"][\\\"newValue\\\"]) == \\\"StrongAuthenticationPhoneAppDetail\\\" and isnotempty(modifiedProperties[\\\"StrongAuthenticationPhoneAppDetail\\\"]) and tostring(array_sort_asc(extract_all(@\u0027\\\\\\\"Id\\\\\\\"\\\\:\\\\\\\"([^\\\\\\\"]+)\\\\\\\"\u0027, tostring(modifiedProperties[\\\"StrongAuthenticationPhoneAppDetail\\\"][\\\"newValue\\\"])))) == tostring(array_sort_asc(extract_all(@\u0027\\\\\\\"Id\\\\\\\"\\\\:\\\\\\\"([^\\\\\\\"]+)\\\\\\\"\u0027, tostring(modifiedProperties[\\\"StrongAuthenticationPhoneAppDetail\\\"][\\\"oldValue\\\"])))))\\n | extend\\n Initiator = iif(isnotempty(InitiatedBy[\\\"app\\\"]), tostring(InitiatedBy[\\\"app\\\"][\\\"displayName\\\"]), tostring(InitiatedBy[\\\"user\\\"][\\\"userPrincipalName\\\"])),\\n InitiatorId = iif(isnotempty(InitiatedBy[\\\"app\\\"]), tostring(InitiatedBy[\\\"app\\\"][\\\"servicePrincipalId\\\"]), tostring(InitiatedBy[\\\"user\\\"][\\\"id\\\"])),\\n IPAddress = tostring(InitiatedBy[tostring(bag_keys(InitiatedBy)[0])][\\\"ipAddress\\\"])\\n) on AccountObjectId\\n| project TimeGenerated, Category, Identity, Initiator, IPAddress, OperationName, Result, AccountUPN, InitiatedBy, AdditionalDetails, TargetResources, AccountObjectId, InitiatorId, CorrelationId\\n| extend\\n InitiatorName = tostring(split(Initiator, \\\"@\\\")[0]),\\n InitiatorUPNSuffix = tostring(split(Initiator, \\\"@\\\")[1]),\\n AccountName = tostring(split(AccountUPN, \\\"@\\\")[0]),\\n AccountUPNSuffix = tostring(split(AccountUPN, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Initiator\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatorName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatorUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountUPN\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Suspicious modification of Global Administrator user properties\",\"description\":\"This query will detect if user properties of Global Administrator are updated by an existing user. Usually only user administrator or other global administrator can update such properties.\\nInvestigate if such user change is an attempt to elevate an existing low privileged identity or rogue administrator activity\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-08-09T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"IdentityInfo\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/30c8b802-ace1-4408-bc29-4c5c5afb49e1\",\"name\":\"30c8b802-ace1-4408-bc29-4c5c5afb49e1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"Medium\",\"query\":\"imProcess\\n| where EventType =~ \\\"ProcessCreated\\\"\\n| where Process endswith \\\"svchost.exe\\\"\\n| where CommandLine has \\\"-k GPSvcGroup\\\" or CommandLine has \\\"-s gpsvc\\\"\\n| extend timekey = bin(TimeGenerated, 1m)\\n| project timekey, ActingProcessId, Dvc\\n| join kind=inner (\\n imProcess\\n | where EventType =~ \\\"ProcessCreated\\\"\\n | where Process =~ \\\"sdelete.exe\\\" or CommandLine has \\\"sdelete\\\"\\n | where ActingProcessName endswith \\\"svchost.exe\\\"\\n | where CommandLine has_all (\\\"-s\\\", \\\"-r\\\")\\n | extend timekey = bin(TimeGenerated, 1m)\\n ) \\n on $left.ActingProcessId == $right.ParentProcessId, timekey, Dvc\\n| extend AccountName = tostring(split(ActorUsername, @\u0027\\\\\u0027)[1]), AccountNTDomain = tostring(split(ActorUsername, @\u0027\\\\\u0027)[0])\\n| extend HostName = tostring(split(Dvc, \\\".\\\")[0]), DomainIndex = toint(indexof(Dvc, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Dvc, DomainIndex + 1), Dvc)\\n| project-away DomainIndex\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ActorUsername\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Dvc\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DvcIpAddr\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Sdelete deployed via GPO and run recursively (ASIM Version)\",\"description\":\"This query looks for the Sdelete process being run recursively after being deployed to a host via GPO. Attackers could use this technique to deploy Sdelete to multiple host and delete data on them.\\n This query uses the Advanced Security Information Model. Parsers will need to be deployed before use: https://docs.microsoft.com/azure/sentinel/normalization\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2022-03-01T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3d023f64-8225-41a2-9570-2bd7c2c4535e\",\"name\":\"3d023f64-8225-41a2-9570-2bd7c2c4535e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1DT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.3\",\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\nlet spanoftime = 10m;\\nlet threshold = 0;\\n (union isfuzzy=true\\n (SecurityEvent\\n | where TimeGenerated \u003e ago(timeframe+spanoftime)\\n // A user account was enabled\\n | where EventID == 4722\\n | where AccountType =~ \\\"User\\\"\\n | where TargetAccount !endswith \\\"$\\\"\\n | project EnableTime = TimeGenerated, EnableEventID = EventID, EnableActivity = Activity, Computer = toupper(Computer), \\n TargetAccount = tolower(TargetAccount), TargetUserName, TargetDomainName, TargetSid, \\n AccountUsedToEnable = SubjectAccount, EnabledBySubjectUserName = SubjectUserName, EnabledBySubjectDomainName = SubjectDomainName, SIDofAccountUsedToEnable = SubjectUserSid, UserPrincipalName\\n ),\\n (\\n WindowsEvent\\n | where TimeGenerated \u003e ago(timeframe+spanoftime)\\n // A user account was enabled\\n | where EventID == 4722\\n | extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n | extend AccountType=case(EventData.SubjectUserName endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n | where AccountType =~ \\\"User\\\"\\n | extend SubjectAccount = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n | extend SubjectDomainName = tostring(EventData.SubjectDomainName), SubjectUserName = tostring(EventData.SubjectUserName)\\n | extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n | where TargetAccount !endswith \\\"$\\\"\\n | extend Activity=\\\"4722 - A user account was enabled.\\\"\\n | extend TargetUserName = tostring(EventData.TargetUserName), TargetDomainName = tostring(EventData.TargetDomainName) \\n | extend TargetSid = tostring(EventData.TargetSid)\\n | extend UserPrincipalName = tostring(EventData.UserPrincipalName)\\n | project EnableTime = TimeGenerated, EnableEventID = EventID, EnableActivity = Activity, Computer = toupper(Computer), \\n TargetAccount = tolower(TargetAccount), TargetUserName, TargetDomainName, TargetSid, \\n AccountUsedToEnable = SubjectAccount, EnabledBySubjectUserName = SubjectUserName, EnabledBySubjectDomainName = SubjectDomainName, SIDofAccountUsedToEnable = SubjectUserSid, UserPrincipalName\\n )\\n )\\n| join kind= inner (\\n (union isfuzzy=true\\n (SecurityEvent\\n | where TimeGenerated \u003e ago(timeframe)\\n // A user account was disabled\\n | where EventID == 4725\\n | where AccountType =~ \\\"User\\\"\\n | project DisableTime = TimeGenerated, DisableEventID = EventID, DisableActivity = Activity, Computer = toupper(Computer), \\n TargetAccount = tolower(TargetAccount), TargetUserName, TargetDomainName, TargetSid, \\n AccountUsedToDisable = SubjectAccount, DisabledBySubjectUserName = SubjectUserName, DisabledBySubjectDomainName = SubjectDomainName, SIDofAccountUsedToDisable = SubjectUserSid, UserPrincipalName\\n ),\\n (WindowsEvent\\n | where TimeGenerated \u003e ago(timeframe)\\n // A user account was disabled\\n | where EventID == 4725\\n | extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n | extend AccountType=case(EventData.SubjectUserName endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n | where AccountType =~ \\\"User\\\"\\n | extend SubjectAccount = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n | extend SubjectDomainName = tostring(EventData.SubjectDomainName), SubjectUserName = tostring(EventData.SubjectUserName)\\n | extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n | extend TargetUserName = tostring(EventData.TargetUserName), TargetDomainName = tostring(EventData.TargetDomainName) \\n | extend TargetSid = tostring(EventData.TargetSid)\\n | extend UserPrincipalName = tostring(EventData.UserPrincipalName)\\n | extend Activity = \\\"4725 - A user account was disabled.\\\"\\n | project DisableTime = TimeGenerated, DisableEventID = EventID, DisableActivity = Activity, Computer = toupper(Computer), \\n TargetAccount = tolower(TargetAccount), TargetUserName, TargetDomainName, TargetSid, \\n AccountUsedToDisable = SubjectAccount, DisabledBySubjectUserName = SubjectUserName, DisabledBySubjectDomainName = SubjectDomainName, SIDofAccountUsedToDisable = SubjectUserSid, UserPrincipalName\\n )\\n )\\n) on Computer, TargetAccount\\n| where DisableTime - EnableTime \u003c spanoftime\\n| extend TimeDelta = DisableTime - EnableTime\\n| where tolong(TimeDelta) \u003e= threshold\\n| project TimeDelta, EnableTime, EnableEventID, EnableActivity, Computer, TargetAccount, TargetSid, TargetUserName, TargetDomainName, UserPrincipalName, \\nAccountUsedToEnable, SIDofAccountUsedToEnable, DisableTime, DisableEventID, DisableActivity, AccountUsedToDisable, SIDofAccountUsedToDisable, \\nEnabledBySubjectUserName, EnabledBySubjectDomainName, DisabledBySubjectUserName, DisabledBySubjectDomainName\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| project-away DomainIndex\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountUsedToEnable\"},{\"identifier\":\"Name\",\"columnName\":\"EnabledBySubjectUserName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"EnabledBySubjectDomainName\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountUsedToDisable\"},{\"identifier\":\"Name\",\"columnName\":\"DisabledBySubjectUserName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"DisabledBySubjectDomainName\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetAccount\"},{\"identifier\":\"Name\",\"columnName\":\"TargetUserName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"TargetDomainName\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Sid\",\"columnName\":\"TargetSid\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"User account enabled and disabled within 10 mins\",\"description\":\"Identifies when a user account is enabled and then disabled within 10 minutes. This can be an indication of compromise and an adversary attempting to hide in the noise.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/779731f7-8ba0-4198-8524-5701b7defddc\",\"name\":\"779731f7-8ba0-4198-8524-5701b7defddc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"Medium\",\"query\":\"let Alert_List= dynamic([\\n\\\"Phishing link click observed in Network Traffic\\\",\\n\\\"Phish delivered due to an IP allow policy\\\",\\n\\\"A potentially malicious URL click was detected\\\",\\n\\\"High Risk Sign-in Observed in Network Traffic\\\",\\n\\\"A user clicked through to a potentially malicious URL\\\",\\n\\\"Suspicious network connection to AitM phishing site\\\",\\n\\\"Messages containing malicious entity not removed after delivery\\\",\\n\\\"Email messages containing malicious URL removed after delivery\\\",\\n\\\"Email reported by user as malware or phish\\\",\\n\\\"Phish delivered due to an ETR override\\\",\\n\\\"Phish not zapped because ZAP is disabled\\\"]);\\nSecurityAlert\\n| where AlertName in~ (Alert_List)\\n//Findling Alerts which has the URL\\n| where Entities has \\\"url\\\"\\n//extracting Entities\\n| extend Entities = parse_json(Entities)\\n| mv-apply Entity = Entities on\\n (\\n where Entity.Type == \u0027url\u0027\\n | extend EntityUrl = tostring(Entity.Url)\\n )\\n| summarize\\n Url=tostring(tolower(take_any(EntityUrl))),\\n AlertTime= min(TimeGenerated),\\n make_set(SystemAlertId, 100)\\n by ProductName, AlertName\\n// matching with 3rd party network logs and 3p Alerts\\n| join kind= inner (CommonSecurityLog\\n | where DeviceVendor has_any (\\\"Palo Alto Networks\\\", \\\"Fortinet\\\", \\\"Check Point\\\", \\\"Zscaler\\\")\\n | where DeviceProduct startswith \\\"FortiGate\\\" or DeviceProduct startswith \\\"PAN\\\" or DeviceProduct startswith \\\"VPN\\\" or DeviceProduct startswith \\\"FireWall\\\" or DeviceProduct startswith \\\"NSSWeblog\\\" or DeviceProduct startswith \\\"URL\\\"\\n | where DeviceAction != \\\"Block\\\"\\n | where isnotempty(RequestURL)\\n | project\\n 3plogTime=TimeGenerated,\\n DeviceVendor,\\n DeviceProduct,\\n Activity,\\n DestinationHostName,\\n DestinationIP,\\n RequestURL=tostring(tolower(RequestURL)),\\n MaliciousIP,\\n SourceUserName=tostring(tolower(SourceUserName)),\\n IndicatorThreatType,\\n ThreatSeverity,\\n ThreatConfidence,\\n SourceUserID,\\n SourceHostName)\\n on $left.Url == $right.RequestURL\\n// matching successful Login from suspicious IP\\n| join kind=inner (SigninLogs\\n //filtering the Successful Login\\n | where ResultType == 0\\n | project\\n IPAddress,\\n SourceSystem,\\n SigniningTime= TimeGenerated,\\n OperationName,\\n ResultType,\\n ResultDescription,\\n AlternateSignInName,\\n AppDisplayName,\\n AuthenticationRequirement,\\n ClientAppUsed,\\n RiskState,\\n RiskLevelDuringSignIn,\\n UserPrincipalName=tostring(tolower(UserPrincipalName)),\\n Name = tostring(split(UserPrincipalName, \\\"@\\\")[0]),\\n UPNSuffix =tostring(split(UserPrincipalName, \\\"@\\\")[1]))\\n on $left.DestinationIP == $right.IPAddress and $left.SourceUserName == $right.UserPrincipalName\\n| where SigniningTime between ((AlertTime - 6h) .. (AlertTime + 6h)) and 3plogTime between ((AlertTime - 6h) .. (AlertTime + 6h))\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DestinationIP\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"DestinationHostName\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SourceSystem\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"RequestURL\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"M365D Alerts Correlation to non-Microsoft Network device network activity involved in successful sign-in Activity\",\"description\":\"This content is employed to correlate with Microsoft Defender XDR phishing-related alerts. It focuses on instances where a user successfully connects to a phishing URL from a non-Microsoft network device and subsequently makes successful sign-in attempts from the phishing IP address.\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2023-05-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"OfficeATP\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog (Fortinet)\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog (CheckPoint)\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog (Zscaler)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2a09f8cb-deb7-4c40-b08b-9137667f1c0b\",\"name\":\"2a09f8cb-deb7-4c40-b08b-9137667f1c0b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Low\",\"query\":\"AuditLogs\\n | where OperationName in (\\\"Add eligible member (permanent)\\\", \\\"Add eligible member (eligible)\\\", \\\"Add member to role\\\")\\n | mv-apply TargetResource = TargetResources on \\n (\\n where TargetResource.type =~ \\\"User\\\"\\n | extend Target = tostring(TargetResource.userPrincipalName),\\n props = TargetResource.modifiedProperties\\n )\\n | mv-apply Property = props on \\n (\\n where Property.displayName =~ \\\"Role.DisplayName\\\"\\n | extend RoleName = trim(\u0027\\\"\u0027,tostring(Property.newValue))\\n )\\n | where RoleName contains \\\"admin\\\"\\n | extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n | extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n | extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n | extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n | extend InitiatingIPAddress = tostring(InitiatedBy.user.ipAddress)\\n | extend InitiatedBy = iif(isnotempty(InitiatingAppName), InitiatingAppName, InitiatingUserPrincipalName)\\n | extend TargetUserPrincipalName = iff(OperationName==\\\"Add member to role\\\",tostring(TargetResources[0].userPrincipalName),tostring(TargetResources[2].userPrincipalName))\\n | extend TargetAadUserId = iff(OperationName==\\\"Add member to role\\\", tostring(TargetResources[0].id), tostring(TargetResources[2].id))\\n | extend AddedUser = TargetUserPrincipalName\\n | extend TargetAccountName = tostring(split(TargetUserPrincipalName, \\\"@\\\")[0]), TargetAccountUPNSuffix = tostring(split(TargetUserPrincipalName, \\\"@\\\")[1])\\n | extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[1])\\n | project-reorder TimeGenerated, AddedUser, RoleName, InitiatedBy\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"TargetAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"TargetAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"TargetAadUserId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatingAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatingAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"User Added to Admin Role\",\"description\":\"Detects a user being added to a new privileged role. Monitor these additions to ensure the users are made eligible for these roles are intended to have these levels of access.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts\",\"lastUpdatedDateUTC\":\"2024-03-27T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/979c42dd-533e-4ede-b18b-31a84ba8b3d6\",\"name\":\"979c42dd-533e-4ede-b18b-31a84ba8b3d6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"High\",\"query\":\"Event\\n| where EventLog == \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID in (13)\\n| parse EventData with * \u0027ProcessId\\\"\u003e\u0027 ProcessId \\\"\u003c\\\"* \u0027Image\\\"\u003e\u0027 Image \\\"\u003c\\\" * \u0027TargetObject\\\"\u003e\u0027 TargetObject \\\"\u003c\\\" * \u0027Details\\\"\u003e\u0027 Details \\\"\u003c\\\" * \u0027User\\\"\u003e\u0027 User \\\"\u003c\\\" * \\n| where TargetObject has (\\\"HKLM\\\\\\\\System\\\\\\\\CurrentControlSet\\\\\\\\Control\\\\\\\\Lsa\\\\\\\\DsrmAdminLogonBehavior\\\") and Details == \\\"DWORD (0x00000002)\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, User, ProcessId, Image, TargetObject, Details, _ResourceId\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| extend AccountName = tostring(split(User, \\\"\\\\\\\\\\\")[1]), AccountNTDomain = tostring(split(User, \\\"\\\\\\\\\\\")[0])\\n| extend ImageFileName = tostring(split(Image, \\\"\\\\\\\\\\\")[-1])\\n| extend ImageDirectory = replace_string(Image, ImageFileName, \\\"\\\")\\n| project-away DomainIndex\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"User\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessId\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"ImageFileName\"},{\"identifier\":\"Directory\",\"columnName\":\"ImageDirectory\"}]},{\"entityType\":\"RegistryKey\",\"fieldMappings\":[{\"identifier\":\"Key\",\"columnName\":\"TargetObject\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"DSRM Account Abuse\",\"description\":\"This query detects an abuse of the DSRM account in order to maintain persistence and access to the organization\u0027s Active Directory.\\nRef: https://adsecurity.org/?p=1785\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2022-03-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6c360107-f3ee-4b91-9f43-f4cfd90441cf\",\"name\":\"6c360107-f3ee-4b91-9f43-f4cfd90441cf\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.2\",\"severity\":\"Low\",\"query\":\"union isfuzzy=true\\n(\\n SecurityEvent\\n | where EventID == 4738\\n // 2089 value indicates the Don\u0027t Expire Password value has been set\\n | where UserAccountControl has \\\"%%2089\\\"\\n | extend Value_2089 = iff(UserAccountControl has \\\"%%2089\\\",\\\"\u0027Don\u0027t Expire Password\u0027 - Enabled\\\", \\\"Not Changed\\\")\\n // 2050 indicates that the Password Not Required value is NOT set, this often shows up at the same time as a 2089 and is the recommended value. This value may not be in the event.\\n | extend Value_2050 = iff(UserAccountControl has \\\"%%2050\\\",\\\"\u0027Password Not Required\u0027 - Disabled\\\", \\\"Not Changed\\\")\\n // If value %%2082 is present in the 4738 event, this indicates the account has been configured to logon WITHOUT a password. Generally you should only see this value when an account is created and only in Event 4720: Account Creation Event.\\n | extend Value_2082 = iff(UserAccountControl has \\\"%%2082\\\",\\\"\u0027Password Not Required\u0027 - Enabled\\\", \\\"Not Changed\\\")\\n | project StartTime = TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, \\n AccountType, UserAccountControl, Value_2089, Value_2050, Value_2082, SubjectAccount, SubjectUserName, SubjectDomainName, SubjectUserSid\\n ),\\n (\\n WindowsEvent\\n | where EventID == 4738 and EventData has \u00272089\u0027\\n // 2089 value indicates the Don\u0027t Expire Password value has been set\\n | extend UserAccountControl = tostring(EventData.UserAccountControl)\\n | where UserAccountControl has \\\"%%2089\\\"\\n | extend Value_2089 = iff(UserAccountControl has \\\"%%2089\\\",\\\"\u0027Don\u0027t Expire Password\u0027 - Enabled\\\", \\\"Not Changed\\\")\\n // 2050 indicates that the Password Not Required value is NOT set, this often shows up at the same time as a 2089 and is the recommended value. This value may not be in the event.\\n | extend Value_2050 = iff(UserAccountControl has \\\"%%2050\\\",\\\"\u0027Password Not Required\u0027 - Disabled\\\", \\\"Not Changed\\\")\\n // If value %%2082 is present in the 4738 event, this indicates the account has been configured to logon WITHOUT a password. Generally you should only see this value when an account is created and only in Event 4720: Account Creation Event.\\n | extend Value_2082 = iff(UserAccountControl has \\\"%%2082\\\",\\\"\u0027Password Not Required\u0027 - Enabled\\\", \\\"Not Changed\\\")\\n | extend Activity=\\\"4738 - A user account was changed.\\\"\\n | extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n | extend TargetSid = tostring(EventData.TargetSid)\\n | extend SubjectAccount = strcat(EventData.SubjectDomainName,\\\"\\\\\\\\\\\", EventData.SubjectUserName)\\n | extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n | extend AccountType=case(SubjectAccount endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n | project StartTime = TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetUserName = tostring(EventData.TargetUserName), TargetDomainName = tostring(EventData.TargetDomainName), TargetSid, \\n AccountType, UserAccountControl, Value_2089, Value_2050, Value_2082, SubjectAccount, SubjectDomainName = tostring(EventData.SubjectDomainName), SubjectUserName = tostring(EventData.SubjectUserName), SubjectUserSid = tostring(EventData.SubjectUserSid)\\n )\\n | extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n | extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n | project-away DomainIndex\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetAccount\"},{\"identifier\":\"Name\",\"columnName\":\"TargetUserName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"TargetDomainName\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Sid\",\"columnName\":\"TargetSid\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SubjectAccount\"},{\"identifier\":\"Name\",\"columnName\":\"SubjectUserName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"SubjectDomainName\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Sid\",\"columnName\":\"SubjectUserSid\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"AD account with Don\u0027t Expire Password\",\"description\":\"Identifies whenever a user account has the setting \\\"Password Never Expires\\\" in the user account properties selected.\\nThis is indicated in Security event 4738 in the EventData item labeled UserAccountControl with an included value of %%2089.\\n%%2089 resolves to \\\"Don\u0027t Expire Password - Enabled\\\".\",\"lastUpdatedDateUTC\":\"2024-01-22T00:00:00Z\",\"createdDateUTC\":\"2019-01-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6267ce44-1e9d-471b-9f1e-ae76a6b7aa84\",\"name\":\"6267ce44-1e9d-471b-9f1e-ae76a6b7aa84\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Medium\",\"query\":\"let Alerts = SecurityAlert\\n| where AlertName =~ \\\"mass download by a single user\\\"\\n| where Status != \u0027Resolved\u0027\\n| extend ipEnt = parse_json(Entities), accountEnt = parse_json(Entities)\\n| mv-apply tempParams = ipEnt on (\\nmv-expand ipEnt\\n| where ipEnt.Type == \\\"ip\\\" \\n| extend IpAddress = tostring(ipEnt.Address)\\n)\\n| mv-apply tempParams = accountEnt on (\\nmv-expand accountEnt\\n| where accountEnt.Type == \\\"account\\\"\\n| extend AADUserId = tostring(accountEnt.AadUserId)\\n)\\n| extend Alert_TimeGenerated = TimeGenerated\\n| distinct Alert_TimeGenerated, IpAddress, AADUserId, DisplayName, Description, ProductName, ExtendedProperties, Entities, Status, CompromisedEntity\\n;\\nlet CA_Events = CloudAppEvents\\n| where ActionType == \\\"FileDownloaded\\\"\\n| extend parsed = parse_json(RawEventData)\\n| extend UserId = tostring(parsed.UserId)\\n| extend FileName = tostring(parsed.SourceFileName)\\n| extend FileExtension = tostring(parsed.SourceFileExtension)\\n| summarize CloudAppEvent_StartTime = min(TimeGenerated), CloudAppEvent_EndTime = max(TimeGenerated), CloudAppEvent_Files = make_set(FileName), FileCount = dcount(FileName) by Application, AccountObjectId, UserId, IPAddress, City, CountryCode\\n| extend CloudAppEvents_Details = pack_all();\\nlet CA_Alerts_Events = Alerts | join kind=inner (CA_Events)\\non $left.AADUserId == $right.AccountObjectId and $left.IpAddress == $right.IPAddress\\n// Cloud app event comes before Alert\\n| where CloudAppEvent_EndTime \u003c= Alert_TimeGenerated\\n| project Alert_TimeGenerated, UserId, AADUserId, IPAddress, CloudAppEvents_Details, CloudAppEvent_Files\\n;\\n// setup list to filter DeviceFileEvents for only files downloaded as indicated by CloudAppEvents\\nlet CA_FileList = CA_Alerts_Events | project CloudAppEvent_Files;\\nCA_Alerts_Events\\n| join kind=inner ( DeviceFileEvents\\n| where ActionType in (\\\"FileCreated\\\", \\\"FileRenamed\\\")\\n| where FileName in~ (CA_FileList)\\n| summarize DeviceFileEvent_StartTime = min(TimeGenerated), DeviceFileEvent_EndTime = max(TimeGenerated), DeviceFileEvent_Files = make_set(FolderPath), DeviceFileEvent_FileCount = dcount(FolderPath) by InitiatingProcessAccountUpn, DeviceId, DeviceName, InitiatingProcessFolderPath, InitiatingProcessParentFileName//, InitiatingProcessCommandLine\\n| extend DeviceFileEvents_Details = pack_all()\\n) on $left.UserId == $right.InitiatingProcessAccountUpn\\n| where DeviceFileEvent_StartTime \u003e= Alert_TimeGenerated\\n| join kind=inner (\\n// get device events where a USB drive was mounted\\nDeviceEvents\\n| where ActionType == \\\"UsbDriveMounted\\\"\\n| extend parsed = parse_json(AdditionalFields)\\n| extend USB_DriveLetter = tostring(AdditionalFields.DriveLetter), USB_ProductName = tostring(AdditionalFields.ProductName), USB_Volume = tostring(AdditionalFields.Volume)\\n| where isnotempty(USB_DriveLetter)\\n| project USB_TimeGenerated = TimeGenerated, DeviceId, USB_DriveLetter, USB_ProductName, USB_Volume\\n| extend USB_Details = pack_all()\\n) \\non DeviceId\\n// USB event occurs after the Alert\\n| where USB_TimeGenerated \u003e= Alert_TimeGenerated\\n| mv-expand DeviceFileEvent_Files\\n| extend DeviceFileEvent_Files = tostring(DeviceFileEvent_Files)\\n// make sure that we only pickup the files that have the USB drive letter\\n| where DeviceFileEvent_Files startswith USB_DriveLetter\\n| summarize USB_Drive_MatchedFiles = make_set_if(DeviceFileEvent_Files, DeviceFileEvent_Files startswith USB_DriveLetter) by Alert_TimeGenerated, USB_TimeGenerated, UserId, AADUserId, DeviceId, DeviceName, IPAddress, CloudAppEvents_Details = tostring(CloudAppEvents_Details), DeviceFileEvents_Details = tostring(DeviceFileEvents_Details), USB_Details = tostring(USB_Details)\\n| extend InitiatingProcessFileName = tostring(split(todynamic(DeviceFileEvents_Details).InitiatingProcessFolderPath, \\\"\\\\\\\\\\\")[-1]), InitiatingProcessFolderPath = tostring(todynamic(DeviceFileEvents_Details).InitiatingProcessFolderPath)\\n| extend HostName = tostring(split(DeviceName, \\\".\\\")[0]), DomainIndex = toint(indexof(DeviceName, \u0027.\u0027))\\n| extend HostNameDomain = iff(DeviceName != -1, substring(DeviceName, DomainIndex + 1), DeviceName)\\n| extend AccountName = tostring(split(UserId, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(UserId, \\\"@\\\")[1])\\n| project-away DomainIndex\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserId\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"AADUserId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DeviceName\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"InitiatingProcessFileName\"},{\"identifier\":\"Directory\",\"columnName\":\"InitiatingProcessFolderPath\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"Mass Download \u0026 copy to USB device by single user\",\"description\":\"This query looks for any mass download by a single user with possible file copy activity to a new USB drive. Malicious insiders may perform such activities that may cause harm to the organization. \\nThis query could also reveal unintentional insider that had no intention of malicious activity but their actions may impact an organizations security posture.\\nReference:https://docs.microsoft.com/defender-cloud-apps/policy-template-reference\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2022-04-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftCloudAppSecurity\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"CloudAppEvents\",\"DeviceEvents\",\"DeviceFileEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ce74dc9a-cb3c-4081-8c2f-7d39f6b7bae1\",\"name\":\"ce74dc9a-cb3c-4081-8c2f-7d39f6b7bae1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"High\",\"query\":\"(union isfuzzy=true\\n(SecurityEvent\\n| where EventID == 4688\\n| where Process has_any (\\\"powershell.exe\\\",\\\"powershell_ise.exe\\\",\\\"pwsh.exe\\\") and CommandLine has_cs \\\"-exec bypass -w 1 -enc\\\"\\n| where CommandLine contains_cs \\\"UwB0AGEAcgB0AC0ASgBvAGIAIAAtAFMAYwByAGkAcAB0AEIAbABvAGMAawAgAHsAKABzAGEAcABzACAAKAAiAHAA\\\"\\n| extend DvcHostname = Computer, ProcessId = tostring(ProcessId), ActorUsername = Account\\n),\\n(DeviceProcessEvents\\n| where FileName =~ \\\"powershell.exe\\\" and ProcessCommandLine has_cs \\\"-exec bypass -w 1 -enc\\\"\\n| where ProcessCommandLine contains_cs \\\"UwB0AGEAcgB0AC0ASgBvAGIAIAAtAFMAYwByAGkAcAB0AEIAbABvAGMAawAgAHsAKABzAGEAcABzACAAKAAiAHAA\\\"\\n| extend DvcHostname = DeviceName, ProcessId = tostring(InitiatingProcessId), ActorUsername = strcat(AccountDomain, @\\\"\\\\\\\", AccountName)\\n),\\n(imProcessCreate\\n| where Process has_any (\\\"powershell.exe\\\",\\\"powershell_ise.exe\\\",\\\"pwsh.exe\\\") and CommandLine has_cs \\\"-exec bypass -w 1 -enc\\\"\\n| where CommandLine contains_cs \\\"UwB0AGEAcgB0AC0ASgBvAGIAIAAtAFMAYwByAGkAcAB0AEIAbABvAGMAawAgAHsAKABzAGEAcABzACAAKAAiAHAA\\\"\\n| extend ProcessId = tostring(TargetProcessId)\\n)\\n)\\n| extend AccountName = tostring(split(ActorUsername, \\\"\\\\\\\\\\\")[0]), AccountNTDomain = tostring(split(ActorUsername, \\\"\\\\\\\\\\\")[1])\\n| extend HostName = tostring(split(DvcHostname, \\\".\\\")[0]), DomainIndex = toint(indexof(DvcHostname, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(DvcHostname, DomainIndex + 1), DvcHostname)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ActorUsername\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DvcHostname\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessId\"}]}],\"tactics\":[\"LateralMovement\"],\"displayName\":\"Identify Mango Sandstorm powershell commands\",\"description\":\"The query below identifies powershell commands used by the threat actor Mango Sandstorm.\\nReference: https://www.microsoft.com/security/blog/2022/08/25/mercury-leveraging-log4j-2-vulnerabilities-in-unpatched-systems-to-target-israeli-organizations/\",\"lastUpdatedDateUTC\":\"2024-11-25T00:00:00Z\",\"createdDateUTC\":\"2022-08-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/58fc0170-0877-4ea8-a9ff-d805e361cfae\",\"name\":\"58fc0170-0877-4ea8-a9ff-d805e361cfae\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Low\",\"query\":\"let schedule_lookback = 14d;\\nlet join_lookback = 1d;\\n// If you want to whitelist specific timezones include them in a list here\\nlet tz_whitelist = dynamic([]);\\nlet meetings = (\\nZoomLogs\\n| where TimeGenerated \u003e= ago(schedule_lookback)\\n| where Event =~ \\\"meeting.created\\\"\\n| extend MeetingId = tostring(parse_json(MeetingEvents).MeetingId)\\n| extend SchedTimezone = tostring(parse_json(MeetingEvents).Timezone));\\nZoomLogs\\n| where TimeGenerated \u003e= ago(join_lookback)\\n| where Event =~ \\\"meeting.participant_joined\\\"\\n| extend JoinedTimeZone = tostring(parse_json(MeetingEvents).Timezone)\\n| extend MeetingName = tostring(parse_json(MeetingEvents).MeetingName)\\n| extend MeetingId = tostring(parse_json(MeetingEvents).MeetingId)\\n| where JoinedTimeZone !in (tz_whitelist)\\n| join (meetings) on MeetingId\\n| where SchedTimezone != JoinedTimeZone\\n| project TimeGenerated, MeetingName, JoiningUser=payload_object_participant_user_name_s, JoinedTimeZone, SchedTimezone, MeetingScheduler=User1\\n| extend AccountName = tostring(split(JoiningUser, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(JoiningUser, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"JoiningUser\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]}],\"tactics\":[\"InitialAccess\",\"PrivilegeEscalation\"],\"displayName\":\"User joining Zoom meeting from suspicious timezone\",\"description\":\"The alert shows users that join a Zoom meeting from a time zone other than the one the meeting was created in.\\nYou can also whitelist known good time zones in the tz_whitelist value using the tz database name format https://en.wikipedia.org/wiki/List_of_tz_database_time_zones\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2020-04-24T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ffcd575b-3d54-482a-a6d8-d0de13b6ac63\",\"name\":\"ffcd575b-3d54-482a-a6d8-d0de13b6ac63\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.6\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @\u0027^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$\u0027;\\nThreatIntelligenceIndicator\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n| where TimeGenerated \u003e= ago(ioc_lookBack)\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true and ExpirationDateTime \u003e now()\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n CommonSecurityLog | where TimeGenerated \u003e= ago(dt_lookBack) and isnotempty(DestinationUserID)\\n // Filtering PAN Logs for specific event type to match relevant email entities\\n | where DeviceVendor == \\\"Palo Alto Networks\\\" and DeviceEventClassID == \\\"wildfire\\\" and ApplicationProtocol in (\\\"smtp\\\",\\\"pop3\\\")\\n | extend DestinationUserID = tolower(DestinationUserID)\\n | where DestinationUserID matches regex emailregex\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n)\\non $left.EmailSenderAddress == $right.DestinationUserID\\n| where CommonSecurityLog_TimeGenerated \u003c ExpirationDateTime\\n| summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, DestinationUserID\\n| project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, EmailSenderName, EmailRecipient,\\nEmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, DestinationUserID, DeviceEventClassID, LogSeverity, DeviceAction, SourceIP, SourcePort,\\nDestinationIP, DestinationPort, Protocol, ApplicationProtocol\\n| extend timestamp = CommonSecurityLog_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"DestinationUserID\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"TI map Email entity to PaloAlto CommonSecurityLog\",\"description\":\"Identifies a match in CommonSecurityLog table from any Email IOC from TI\",\"lastUpdatedDateUTC\":\"2024-07-10T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8ee967a2-a645-4832-85f4-72b635bcb3a6\",\"name\":\"8ee967a2-a645-4832-85f4-72b635bcb3a6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.2\",\"severity\":\"Medium\",\"query\":\"//Adjust this threshold to fit the environment\\nlet signin_threshold = 5;\\n//Make a list of all IPs with failed signins to AAD above our threshold\\nlet aadFunc = (tableName:string){\\nlet suspicious_signins =\\ntable(tableName)\\n| where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n| where IPAddress !in (\u0027127.0.0.1\u0027, \u0027::1\u0027, \u0027\u0027)\\n| summarize count() by IPAddress\\n| where count_ \u003e signin_threshold\\n| summarize make_set(IPAddress);\\n//See if any of these IPs have sucessfully logged into *nix hosts\\nlet linux_logons =\\nSyslog\\n| where Facility contains \\\"auth\\\" and ProcessName != \\\"sudo\\\"\\n| where SyslogMessage has \\\"Accepted\\\"\\n| extend SourceIP = extract(\\\"(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.(([0-9]{1,3})))\\\",1,SyslogMessage)\\n| where SourceIP in (suspicious_signins)\\n| extend Reason = \\\"Multiple failed AAD logins from IP address\\\"\\n| project TimeGenerated, Computer, HostIP, IpAddress = SourceIP, SyslogMessage, Facility, ProcessName, Reason;\\n//See if any of these IPs have sucessfully logged into Windows hosts\\nlet win_logons = (union isfuzzy=true\\n(SecurityEvent\\n| where EventID == 4624\\n| where LogonType in (10, 7, 3)\\n| where IpAddress != \\\"-\\\"\\n| where IpAddress in (suspicious_signins)\\n| extend Reason = \\\"Multiple failed AAD logins from IP address\\\"\\n| project TimeGenerated, Account, AccountType, Computer, Activity, EventID, LogonProcessName, IpAddress, LogonTypeName, TargetUserSid, TargetUserName, TargetDomainName, _ResourceId, Reason\\n),\\n(WindowsEvent\\n| where EventID == 4624 and has_any_ipv4(EventData, toscalar(suspicious_signins))\\n| extend LogonType = tostring(EventData.LogonType)\\n| where LogonType in (10, 7, 3)\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| where IpAddress != \\\"-\\\"\\n| where IpAddress in (suspicious_signins)\\n| extend Reason = \\\"Multiple failed AAD logins from IP address\\\"\\n| extend Activity = \\\"4624 - An account was successfully logged on.\\\"\\n| extend TargetUserName = tostring(EventData.TargetUserName), TargetDomainName = tostring(EventData.TargetDomainName)\\n| extend Account = strcat(TargetDomainName,\\\"\\\\\\\\\\\", TargetUserName)\\n| extend TargetUserSid = tostring(EventData.TargetUserSid)\\n| extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| extend AccountType =case(Account endswith \\\"$\\\" or TargetUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(TargetUserSid), \\\"\\\", \\\"User\\\")\\n| extend LogonProcessName = tostring(EventData.LogonProcessName)\\n| project TimeGenerated, Account, AccountType, Computer, Activity, EventID, LogonProcessName, IpAddress, TargetUserSid, TargetUserName, TargetDomainName, _ResourceId, Reason\\n)\\n);\\nunion isfuzzy=true linux_logons,win_logons\\n| extend timestamp = TimeGenerated\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex+1), Computer)\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"},{\"identifier\":\"Name\",\"columnName\":\"TargetUserName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"TargetDomainName\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"AzureID\",\"columnName\":\"_ResourceId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]}],\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"Failed AzureAD logons but success logon to host\",\"description\":\"Identifies a list of IP addresses with a minimum number (default of 5) of failed logon attempts to Microsoft Entra ID.\\nUses that list to identify any successful remote logons to hosts from these IPs within the same timeframe.\",\"lastUpdatedDateUTC\":\"2024-10-17T00:00:00Z\",\"createdDateUTC\":\"2019-08-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a09a0b8e-30fe-4ebf-94a0-cffe50f579cd\",\"name\":\"a09a0b8e-30fe-4ebf-94a0-cffe50f579cd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n | where OperationName =~ \\\"Update user\\\"\\n | where Result =~ \\\"success\\\"\\n | mv-expand TargetResources\\n | mv-expand TargetResources.modifiedProperties\\n | where TargetResources_modifiedProperties.displayName =~ \\\"TargetId.UserType\\\"\\n | extend UpdatingAppName = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n | extend UpdatingServicePrincipalId = tostring(parse_json(tostring(InitiatedBy.app)).servicePrincipalId)\\n | extend UpdatingUserPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend UpdatingUserAadUserId = tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend UpdatingUserIPAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n | extend UpdatingUser = iif(isnotempty(UpdatingServicePrincipalId), UpdatingServicePrincipalId, UpdatingUserPrincipalName)\\n | extend UpdatedUserPrincipalName = tostring(TargetResources.userPrincipalName)\\n | project-reorder TimeGenerated, UpdatedUserPrincipalName, UpdatingUser\\n | where parse_json(tostring(TargetResources_modifiedProperties.newValue)) =~ \\\"\\\\\\\"Member\\\\\\\"\\\" and parse_json(tostring(TargetResources_modifiedProperties.oldValue)) =~ \\\"\\\\\\\"Guest\\\\\\\"\\\"\\n | extend InitiatingAccountName = tostring(split(UpdatingUserPrincipalName, \\\"@\\\")[0]), InitiatingAccountUPNSuffix = tostring(split(UpdatingUserPrincipalName, \\\"@\\\")[1])\\n | extend TargetAccountName = tostring(split(UpdatedUserPrincipalName, \\\"@\\\")[0]), TargetAccountUPNSuffix = tostring(split(UpdatedUserPrincipalName, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"UpdatingAppName\"},{\"identifier\":\"AadUserId\",\"columnName\":\"UpdatingServicePrincipalId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UpdatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatingAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatingAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"UpdatingUserAadUserId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UpdatedUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"TargetAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"TargetAccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"UpdatingUserIPAddress\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"User State changed from Guest to Member\",\"description\":\"Detects when a guest account in a tenant is converted to a member of the tenant.\\n Monitoring guest accounts and the access they are provided is important to detect potential account abuse.\\n Accounts converted to members should be investigated to ensure the activity was legitimate.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\",\"lastUpdatedDateUTC\":\"2023-12-30T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/dc99e38c-f4e9-4837-94d7-353ac0b01a77\",\"name\":\"dc99e38c-f4e9-4837-94d7-353ac0b01a77\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Low\",\"query\":\"let threshold = 10;\\nlet default_ad_attributes = dynamic([\\\"LastDirSyncTime\\\", \\\"StsRefreshTokensValidFrom\\\", \\\"Included Updated Properties\\\", \\\"AccountEnabled\\\", \\\"Action Client Name\\\", \\\"SourceAnchor\\\"]);\\nlet addUsers = AuditLogs\\n| where OperationName =~ \\\"Add user\\\"\\n| where Result =~ \\\"success\\\"\\n| extend AccountProperties = TargetResources[0].modifiedProperties\\n| mv-expand AccountProperties\\n;\\naddUsers\\n| evaluate bag_unpack(AccountProperties) : (displayName:string, oldValue: string, newValue: string , TenantId : string, SourceSystem : string, TimeGenerated : datetime, ResourceId : string, OperationName : string, OperationVersion : string, Category : string, ResultType : string, ResultSignature : string, ResultDescription : string, DurationMs : long, CorrelationId : string, Resource : string, ResourceGroup : string, ResourceProvider : string, Identity : string, Level : string, Location : string, AdditionalDetails : dynamic, Id : string, InitiatedBy : dynamic, LoggedByService : string, Result : string, ResultReason : string, TargetResources : dynamic, AADTenantId : string, ActivityDisplayName : string, ActivityDateTime : datetime, AADOperationType : string, Type : string)\\n| extend displayName = column_ifexists(\\\"displayName\\\", \\\"Unknown Value\\\")\\n| summarize count() by displayName, TenantId\\n| where displayName !in (default_ad_attributes)\\n| top threshold by count_ desc\\n| summarize make_set(displayName) by TenantId\\n| join kind=inner (\\naddUsers\\n| extend CreatingUserPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n| extend CreatingAadUserId = tostring(InitiatedBy.user.id)\\n| extend CreatingUserIPAddress = tostring(InitiatedBy.user.ipAddress)\\n| extend CreatedUserPrincipalName = tostring(TargetResources[0].userPrincipalName)\\n| extend PropName = tostring(AccountProperties.displayName)) \\non TenantId\\n| summarize makeset(PropName) by TimeGenerated, CorrelationId, CreatedUserPrincipalName, CreatingUserPrincipalName, CreatingAadUserId, CreatingUserIPAddress, tostring(set_displayName)\\n| extend missing_props = set_difference(todynamic(set_displayName), set_PropName)\\n| where array_length(missing_props) \u003e 0\\n| join kind=innerunique (\\nAuditLogs\\n| where Result =~ \\\"success\\\"\\n| where OperationName =~ \\\"Add user\\\"\\n| extend CreatedUserPrincipalName = tostring(TargetResources[0].userPrincipalName)) \\non CorrelationId, CreatedUserPrincipalName\\n| extend ExpectedProperties = set_displayName\\n| project-away set_displayName, set_PropName\\n| extend InitiatingAccountName = tostring(split(CreatingUserPrincipalName, \\\"@\\\")[0]), InitiatingAccountUPNSuffix = tostring(split(CreatingUserPrincipalName, \\\"@\\\")[1])\\n| extend TargetAccountName = tostring(split(CreatedUserPrincipalName, \\\"@\\\")[0]), TargetAccountUPNSuffix = tostring(split(CreatedUserPrincipalName, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CreatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatingAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatingAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"CreatingAadUserId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CreatedUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"TargetAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"TargetAccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"CreatingUserIPAddress\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"User account created without expected attributes defined\",\"description\":\"This query looks for accounts being created that do not have attributes populated that are commonly populated in the tenant.\\n Attackers may attempt to add accounts as a means of establishing persistant access to an environment, looking for anomalies in created accounts may help identify illegitimately created accounts.\\n Created accounts should be investigated to ensure they were legitimated created.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#accounts-not-following-naming-policies\",\"lastUpdatedDateUTC\":\"2023-12-30T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d9938c3b-16f9-444d-bc22-ea9a9110e0fd\",\"name\":\"d9938c3b-16f9-444d-bc22-ea9a9110e0fd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.3\",\"severity\":\"Medium\",\"query\":\"// Microsoft Entra ID Connect Health Agent - cf6d7e68-f018-4e0a-a7b3-126e053fb88d\\n// Microsoft Entra ID Connect - cb1056e2-e479-49de-ae31-7812af012ed8\\nlet appList = dynamic([\u0027cf6d7e68-f018-4e0a-a7b3-126e053fb88d\u0027,\u0027cb1056e2-e479-49de-ae31-7812af012ed8\u0027]);\\nlet operationNamesList = dynamic([\u0027Microsoft.ADHybridHealthService/services/servicemembers/action\u0027,\u0027Microsoft.ADHybridHealthService/services/delete\u0027]);\\nAzureActivity\\n| where CategoryValue =~ \u0027Administrative\u0027\\n| where ResourceProviderValue =~ \u0027Microsoft.ADHybridHealthService\u0027\\n| where _ResourceId has \u0027AdFederationService\u0027\\n| where OperationNameValue in~ (operationNamesList)\\n| extend claimsJson = parse_json(Claims)\\n| extend AppId = tostring(claimsJson.appid), AccountName = tostring(claimsJson.name), Name = tostring(split(Caller,\u0027@\u0027,0)[0]), UPNSuffix = tostring(split(Caller,\u0027@\u0027,1)[0])\\n| where AppId !in (appList)\\n| project-away claimsJson\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Caller\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"CallerIpAddress\"}]}],\"tactics\":[\"CredentialAccess\",\"DefenseEvasion\"],\"displayName\":\"Microsoft Entra ID Hybrid Health AD FS Suspicious Application\",\"description\":\"This detection uses AzureActivity logs (Administrative category) to identify a suspicious application adding a server instance to an Microsoft Entra ID Hybrid Health AD FS service or deleting the AD FS service instance.\\nUsually the Microsoft Entra ID Connect Health Agent application with ID cf6d7e68-f018-4e0a-a7b3-126e053fb88d and ID cb1056e2-e479-49de-ae31-7812af012ed8 is used to perform those operations.\",\"lastUpdatedDateUTC\":\"2024-03-04T00:00:00Z\",\"createdDateUTC\":\"2021-08-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/218f60de-c269-457a-b882-9966632b9dc6\",\"name\":\"218f60de-c269-457a-b882-9966632b9dc6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.7\",\"severity\":\"High\",\"query\":\"let AdminRecords = AuditLogs\\n| where Category =~ \\\"RoleManagement\\\"\\n| where ActivityDisplayName has_any (\\\"Add eligible member to role\\\", \\\"Add member to role\\\")\\n| mv-apply TargetResource = TargetResources on \\n (\\n where TargetResource.type =~ \\\"User\\\"\\n | extend TargetUserPrincipalName = tostring(TargetResource.userPrincipalName),\\n props = TargetResource.modifiedProperties\\n )\\n| mv-apply Property = props on \\n (\\n where Property.displayName =~ \\\"Role.DisplayName\\\"\\n | extend RoleName = trim(\u0027\\\"\u0027,tostring(Property.newValue))\\n )\\n| where RoleName contains \\\"Admin\\\";\\nAdminRecords\\n| summarize dcount(TargetUserPrincipalName) by bin(TimeGenerated, 1h)\\n| where dcount_TargetUserPrincipalName \u003e 9\\n| join kind=rightsemi (\\n AdminRecords\\n | extend TimeWindow = bin(TimeGenerated, 1h)\\n) on $left.TimeGenerated == $right.TimeWindow\\n| extend InitiatedByUser = iff(isnotempty(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.user.userPrincipalName), \\\"\\\")\\n| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n| extend InitiatingIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\\n| extend TargetName = tostring(split(TargetUserPrincipalName,\u0027@\u0027,0)[0]), TargetUPNSuffix = tostring(split(TargetUserPrincipalName,\u0027@\u0027,1)[0])\\n| extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[1])\",\"customDetails\":{\"InitiatedByUser\":\"InitiatedByUser\",\"TargetUser\":\"TargetUserPrincipalName\"},\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"InitiatingAppName\"},{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAppServicePrincipalId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"TargetName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"TargetUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatingAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatingAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIpAddress\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Bulk Changes to Privileged Account Permissions\",\"description\":\"Identifies when changes to multiple users permissions are changed at once. Investigate immediately if not a planned change. This setting could enable an attacker access to Azure subscriptions in your environment.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-identity-management\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c7bfadd4-34a6-4fa5-82f8-3691a32261e8\",\"name\":\"c7bfadd4-34a6-4fa5-82f8-3691a32261e8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Low\",\"query\":\"let EventNameList = dynamic([\\\"ApplySecurityGroupsToLoadBalancer\\\", \\\"SetSecurityGroups\\\"]);\\nAWSCloudTrail\\n| where EventName in~ (EventNameList)\\n| extend UserIdentityArn = iif(isempty(UserIdentityArn), tostring(parse_json(Resources)[0].ARN), UserIdentityArn)\\n| extend UserName = tostring(split(UserIdentityArn, \u0027/\u0027)[-1])\\n| extend AccountName = case( UserIdentityPrincipalid == \\\"Anonymous\\\", \\\"Anonymous\\\", isempty(UserIdentityUserName), UserName, UserIdentityUserName)\\n| extend AccountName = iif(AccountName contains \\\"@\\\", tostring(split(AccountName, \u0027@\u0027, 0)[0]), AccountName),\\n AccountUPNSuffix = iif(AccountName contains \\\"@\\\", tostring(split(AccountName, \u0027@\u0027, 1)[0]), \\\"\\\")\\n| summarize EventCount=count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated)\\nby EventSource, EventName, UserIdentityType, SourceIpAddress, UserAgent, SessionMfaAuthenticated, AWSRegion,\\nAdditionalEventData, RecipientAccountId, AccountName, AccountUPNSuffix, UserIdentityAccountId, UserIdentityPrincipalid, ResponseElements\\n| extend timestamp = StartTimeUtc\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"},{\"identifier\":\"CloudAppAccountId\",\"columnName\":\"RecipientAccountId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIpAddress\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Changes to AWS Elastic Load Balancer security groups\",\"description\":\"Elastic Load Balancer distributes incoming traffic across multiple instances in multiple availability Zones. This increases the fault tolerance of your applications.\\n Unwanted changes to Elastic Load Balancer specific security groups could open your environment to attack and hence needs monitoring.\\n More information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255 \\n and https://aws.amazon.com/elasticloadbalancing/. \",\"lastUpdatedDateUTC\":\"2024-03-27T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bff093b2-500e-4ae5-bb49-a5b1423cbd5b\",\"name\":\"bff093b2-500e-4ae5-bb49-a5b1423cbd5b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.1.3\",\"severity\":\"Low\",\"query\":\"let TeamsAddDel = (Op:string){\\nOfficeActivity\\n| where OfficeWorkload =~ \\\"MicrosoftTeams\\\"\\n| where Operation == Op\\n| where Members has (\\\"#EXT#\\\")\\n| mv-expand Members\\n| extend UPN = tostring(Members.UPN)\\n| where UPN has (\\\"#EXT#\\\")\\n| project TimeGenerated, Operation, UPN, UserId, TeamName, ClientIP\\n};\\nlet TeamsAdd = TeamsAddDel(\\\"MemberAdded\\\")\\n| project TimeAdded=TimeGenerated, Operation, MemberAdded = UPN, UserWhoAdded = UserId, TeamName, ClientIP;\\nlet TeamsDel = TeamsAddDel(\\\"MemberRemoved\\\")\\n| project TimeDeleted=TimeGenerated, Operation, MemberRemoved = UPN, UserWhoDeleted = UserId, TeamName, ClientIP;\\nTeamsAdd\\n| join kind=inner (TeamsDel) on $left.MemberAdded == $right.MemberRemoved\\n| where TimeDeleted \u003e TimeAdded\\n| project TimeAdded, TimeDeleted, MemberAdded_Removed = MemberAdded, UserWhoAdded, UserWhoDeleted, TeamName, ClientIP\\n| extend MemberAdded_RemovedAccountName = tostring(split(MemberAdded_Removed, \\\"@\\\")[0]), MemberAdded_RemovedAccountUPNSuffix = tostring(split(MemberAdded_Removed, \\\"@\\\")[1])\\n| extend UserWhoAddedAccountName = tostring(split(UserWhoAdded, \\\"@\\\")[0]), UserWhoAddedAccountUPNSuffix = tostring(split(UserWhoAdded, \\\"@\\\")[1])\\n| extend UserWhoDeletedAccountName = tostring(split(UserWhoDeleted, \\\"@\\\")[0]), UserWhoDeletedAccountUPNSuffix = tostring(split(UserWhoDeleted, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"MemberAdded_Removed\"},{\"identifier\":\"Name\",\"columnName\":\"MemberAdded_RemovedAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"MemberAdded_RemovedAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserWhoAdded\"},{\"identifier\":\"Name\",\"columnName\":\"UserWhoAddedAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UserWhoAddedAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserWhoDeleted\"},{\"identifier\":\"Name\",\"columnName\":\"UserWhoDeletedAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UserWhoDeletedAccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"External user added and removed in short timeframe\",\"description\":\"This detection flags the occurrences of external user accounts that are added to a Team and then removed within one hour.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2020-09-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity (Teams)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b31037ea-6f68-4fbd-bab2-d0d0f44c2fcf\",\"name\":\"b31037ea-6f68-4fbd-bab2-d0d0f44c2fcf\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.6\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(Url)\\n| where TimeGenerated \u003e= ago(ioc_lookBack)\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true and ExpirationDateTime \u003e now()\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n Syslog\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n // Extract URL from the Syslog message but only take messages that include URLs\\n | extend Url = extract(\\\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.\u0026+]|[!*\\\\\\\\(\\\\\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+)\\\", 1,SyslogMessage)\\n | where isnotempty(Url)\\n | extend Syslog_TimeGenerated = TimeGenerated\\n) on Url\\n| where Syslog_TimeGenerated \u003c ExpirationDateTime\\n| summarize Syslog_TimeGenerated = arg_max(Syslog_TimeGenerated , *) by IndicatorId, Url\\n| project timestamp = Syslog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, SyslogMessage, Computer, ProcessName, Url, HostIP\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"HostIP\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"TI Map URL Entity to Syslog Data\",\"description\":\"This query identifies any URL indicators of compromise (IOCs) from threat intelligence (TI) by searching for matches in Syslog data.\",\"lastUpdatedDateUTC\":\"2024-07-09T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/dcdf9bfc-c239-4764-a9f9-3612e6dff49c\",\"name\":\"dcdf9bfc-c239-4764-a9f9-3612e6dff49c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"// Adjust this to use a longer timeframe to identify ADFS servers\\n//let lookback = 6d;\\n// Adjust this to adjust the key export detection timeframe\\n//let timeframe = 1d;\\n// Start be identifying ADFS servers to reduce FP chance\\nlet ADFS_Servers = (\\nEvent\\n//| where TimeGenerated \u003e ago(timeframe+lookback)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 18\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, MG, ManagementGroupName, _ResourceId)\\n| extend Image = column_ifexists(\\\"Image\\\", \\\"\\\")\\n| extend process = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n| where process =~ \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| summarize by Computer);\\n// Look for ADFS servers where Named Pipes event are present\\nEvent\\n//| where TimeGenerated \u003e ago(timeframe)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 18\\n| where Computer in~ (ADFS_Servers)\\n| extend RenderedDescription = tostring(split(RenderedDescription, \\\":\\\")[0])\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| extend RuleName = column_ifexists(\\\"RuleName\\\", \\\"\\\"),\\n TechniqueId = column_ifexists(\\\"TechniqueId\\\", \\\"\\\"),\\n TechniqueName = column_ifexists(\\\"TechniqueName\\\", \\\"\\\"),\\n Image = column_ifexists(\\\"Image\\\", \\\"\\\"),\\n PipeName = column_ifexists(\\\"PipeName\\\", \\\"\\\"),\\n EventType = column_ifexists(\\\"EventType\\\", \\\"\\\")\\n| parse RuleName with * \u0027technique_id=\u0027 TechniqueId \u0027,\u0027 * \u0027technique_name=\u0027 TechniqueName\\n// Look for Pipe related to querying the WID\\n| where PipeName == \\\"\\\\\\\\MICROSOFT##WID\\\\\\\\tsql\\\\\\\\query\\\"\\n| extend process = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n// Exclude expected processes\\n| where process !in (\\\"Microsoft.IdentityServer.ServiceHost.exe\\\", \\\"Microsoft.Identity.Health.Adfs.PshSurrogate.exe\\\", \\\"AzureADConnect.exe\\\", \\\"Microsoft.Tri.Sensor.exe\\\", \\\"wsmprovhost.exe\\\",\\\"mmc.exe\\\", \\\"sqlservr.exe\\\")\\n| extend Operation = RenderedDescription\\n| project-reorder TimeGenerated, EventType, Operation, process, Image, Computer, UserName\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| extend AccountName = tostring(split(UserName, @\u0027\\\\\u0027)[1]), AccountNTDomain = tostring(split(UserName, @\u0027\\\\\u0027)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserName\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"Collection\"],\"displayName\":\"ADFS Database Named Pipe Connection\",\"description\":\"This detection uses Sysmon telemetry to detect suspicious local connections via a named pipe to the AD FS configuration database (Windows Internal Database).\\nIn order to use this query you need to be collecting Sysmon EventIdD 18 (Pipe Connected).\\nIf you do not have Sysmon data in your workspace this query will raise an error stating:\\nFailed to resolve scalar expression named \\\"[@Name]\",\"lastUpdatedDateUTC\":\"2024-03-13T00:00:00Z\",\"createdDateUTC\":\"2020-12-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f110287e-1358-490d-8147-ed804b328514\",\"name\":\"f110287e-1358-490d-8147-ed804b328514\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.4.2\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h; // Look back 1 hour for AWSCloudTrail logs\\nlet ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators\\n// Fetch threat intelligence indicators related to IP addresses\\nlet IP_Indicators = ThreatIntelligenceIndicator\\n // Filter out indicators without relevant IP address fields\\n | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n | where TimeGenerated \u003e= ago(ioc_lookBack)\\n // Select the IP entity based on availability of different IP fields\\n | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n // Exclude local addresses using the ipv4_is_private operator and filtering out specific address prefixes\\n | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \\\"fe80\\\" and TI_ipEntity !startswith \\\"::\\\" and TI_ipEntity !startswith \\\"127.\\\"\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n | where Active == true and ExpirationDateTime \u003e now();\\n// Perform a join between IP indicators and AWSCloudTrail logs to identify potential malicious activity\\nIP_Indicators\\n // Use innerunique to keep performance fast and result set low, as we only need one match to indicate potential malicious activity that needs investigation\\n | join kind=innerunique (\\n AWSCloudTrail\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | extend AWSCloudTrail_TimeGenerated = TimeGenerated // Rename time column for clarity\\n )\\n on $left.TI_ipEntity == $right.SourceIpAddress\\n // Filter out logs that occurred after the expiration of the corresponding indicator\\n | where AWSCloudTrail_TimeGenerated \u003c ExpirationDateTime\\n // Group the results by IndicatorId and SourceIpAddress, and keep the log entry with the latest timestamp\\n | summarize AWSCloudTrail_TimeGenerated = arg_max(AWSCloudTrail_TimeGenerated, *) by IndicatorId, SourceIpAddress\\n // Select the desired output fields\\n | project AWSCloudTrail_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\n TI_ipEntity, EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserIdentityUserName, SourceIpAddress,\\n NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, Type\\n // Rename the timestamp field\\n | extend timestamp = AWSCloudTrail_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"ObjectGuid\",\"columnName\":\"UserIdentityUserName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIpAddress\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"TI map IP entity to AWSCloudTrail\",\"description\":\"Identifies a match in AWSCloudTrail from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2024-07-09T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4f19d4e3-ec5f-4abc-9e61-819eb131758c\",\"name\":\"4f19d4e3-ec5f-4abc-9e61-819eb131758c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Low\",\"query\":\"let EventNameList = dynamic([ \\\"AuthorizeSecurityGroupEgress\\\", \\\"AuthorizeSecurityGroupIngress\\\", \\\"RevokeSecurityGroupEgress\\\", \\\"RevokeSecurityGroupIngress\\\"]);\\nAWSCloudTrail\\n| where EventName in~ (EventNameList)\\n| extend UserIdentityArn = iif(isempty(UserIdentityArn), tostring(parse_json(Resources)[0].ARN), UserIdentityArn)\\n| extend UserName = tostring(split(UserIdentityArn, \u0027/\u0027)[-1])\\n| extend AccountName = case( UserIdentityPrincipalid == \\\"Anonymous\\\", \\\"Anonymous\\\", isempty(UserIdentityUserName), UserName, UserIdentityUserName)\\n| extend AccountName = iif(AccountName contains \\\"@\\\", tostring(split(AccountName, \u0027@\u0027, 0)[0]), AccountName),\\n AccountUPNSuffix = iif(AccountName contains \\\"@\\\", tostring(split(AccountName, \u0027@\u0027, 1)[0]), \\\"\\\")\\n| summarize EventCount=count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated)\\nby EventSource, EventName, UserIdentityType, RecipientAccountId, AccountName, AccountUPNSuffix, SourceIpAddress, UserAgent, SessionMfaAuthenticated, AWSRegion,\\nAdditionalEventData, UserIdentityAccountId, UserIdentityPrincipalid, ResponseElements\\n| extend timestamp = StartTimeUtc\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"},{\"identifier\":\"CloudAppAccountId\",\"columnName\":\"RecipientAccountId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIpAddress\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Changes to AWS Security Group ingress and egress settings\",\"description\":\"A Security Group acts as a virtual firewall of an instance to control inbound and outbound traffic.\\n Hence, ingress and egress settings changes to AWS Security Group should be monitored as these can expose the enviornment to new attack vectors.\\nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255. \",\"lastUpdatedDateUTC\":\"2024-03-27T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3d71fc38-f249-454e-8479-0a358382ef9a\",\"name\":\"3d71fc38-f249-454e-8479-0a358382ef9a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"High\",\"query\":\"SecurityNestedRecommendation\\n| where RemediationDescription has \u0027CVE-2021-44228\u0027\\n| parse ResourceDetails with * \u0027virtualMachines/\u0027 VirtualMachine \u0027\\\"\u0027 *\\n| summarize arg_min(TimeGenerated, *) by TenantId, RecommendationSubscriptionId, VirtualMachine, RecommendationName,Description,RemediationDescription, tostring(AdditionalData),VulnerabilityId\\n| extend Timestamp = TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"VirtualMachine\"}]}],\"tactics\":[\"InitialAccess\",\"Execution\"],\"displayName\":\"Vulnerable Machines related to log4j CVE-2021-44228\",\"description\":\"This query uses the Azure Defender Security Nested Recommendations data to find machines vulnerable to log4j CVE-2021-44228.\\nLog4j is an open-source Apache logging library that is used in many Java-based applications. Security Nested Recommendations data is sent to Microsoft Sentinel using the continuous export feature of Azure Defender(refrence link below).\\n Reference: https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/\\n Reference: https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal\\n Reference: https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/how-defender-for-cloud-displays-machines-affected-by-log4j/ba-p/3037271\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2021-09-17T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bca9c877-2afc-4246-a26d-087ab1cdcd5f\",\"name\":\"bca9c877-2afc-4246-a26d-087ab1cdcd5f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"High\",\"query\":\"let sha256Hashes = dynamic([\\\"5dd1ca0d471dee41eb3ea0b6ea117810f228354fc3b7b47400a812573d40d91d\\\", \\\"5fc44c7342b84f50f24758e39c8848b2f0991e8817ef5465844f5f2ff6085a57\\\", \\\"6cff0bbd62efe99f381e5cc0c4182b0fb7a9a34e4be9ce68ee6b0d0ea3eee39c\\\"]);\\nlet signames = dynamic([\\\"Ransom:Win32/Prestige\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, SourceUserID, FileHash, Type\\n| extend timestamp = TimeGenerated, Algorithm = \\\"SHA256\\\", AccountNTName = SourceUserID\\n),\\n(imFileEvent\\n| where TargetFileSHA256 has_any (sha256Hashes)\\n| extend AccountNT = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, AccountNT, IPAddress, CommandLine, FileHash, Algorithm = \\\"SHA256\\\"\\n),\\n(Event\\n| where Source =~ \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend ProcessId = tolong(EventDetail.[3].[\\\"#text\\\"]), Image = tostring(EventDetail.[4].[\\\"#text\\\"]), CommandLine = tostring(EventDetail.[10].[\\\"#text\\\"]), Hashes = tostring(EventDetail.[17].[\\\"#text\\\"])\\n| extend Hashes = extract_all(@\\\"(?P\u003ckey\u003e\\\\w+)=(?P\u003cvalue\u003e[a-zA-Z0-9]+)\\\", dynamic([\\\"key\\\",\\\"value\\\"]), Hashes)\\n| extend Hashes = column_ifexists(\\\"Hashes\\\", dynamic([\\\"\\\", \\\"\\\"])), CommandLine = column_ifexists(\\\"CommandLine\\\", \\\"\\\")\\n| mv-expand Hashes\\n| where Hashes[0] =~ \\\"SHA256\\\" and Hashes[1] has_any (sha256Hashes) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, ProcessId, Hashes, CommandLine, Image\\n| extend Type = strcat(Type, \\\": \\\", Source)\\n| extend AccountNT = UserName, InitiatingProcessId = ProcessId\\n| extend Process = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), Algorithm = \\\"SHA256\\\", FileHash = tostring(Hashes[1]) \\n),\\n(DeviceEvents\\n| where InitiatingProcessSHA256 has_any (sha256Hashes) or SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend AccountNT = InitiatingProcessAccountName, Computer = DeviceName\\n| extend Algorithm = \\\"SHA256\\\", FileHash = tostring(InitiatingProcessSHA256), CommandLine = InitiatingProcessCommandLine, Image = InitiatingProcessFolderPath\\n),\\n(DeviceFileEvents\\n| where SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend AccountNT = InitiatingProcessAccountName, Computer = DeviceName\\n| extend Algorithm = \\\"SHA256\\\", FileHash = tostring(InitiatingProcessSHA256), CommandLine = InitiatingProcessCommandLine, Image = InitiatingProcessFolderPath\\n),\\n(DeviceImageLoadEvents\\n| where SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend AccountNT = InitiatingProcessAccountName, Computer = DeviceName\\n| extend Algorithm = \\\"SHA256\\\", FileHash = tostring(InitiatingProcessSHA256), CommandLine = InitiatingProcessCommandLine, Image = InitiatingProcessFolderPath\\n),\\n(SecurityAlert\\n| where ProductName == \\\"Microsoft Defender Advanced Threat Protection\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| where isnotempty(ThreatName)\\n| where ThreatName has_any (signames)\\n| extend Computer = tostring(parse_json(Entities)[0].HostName)\\n)\\n)\\n| extend AccountNTName = tostring(split(AccountNT, \\\"\\\\\\\\\\\")[0]), AccountNTDomain = tostring(split(AccountNT, \\\"\\\\\\\\\\\")[1])\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| project-away DomainIndex\",\"entityMappings\":[{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"Algorithm\"},{\"identifier\":\"Value\",\"columnName\":\"FileHash\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"InitiatingProcessId\"},{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLine\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountNT\"},{\"identifier\":\"Name\",\"columnName\":\"AccountNTName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"Prestige ransomware IOCs Oct 2022\",\"description\":\"This query looks for file hashes and AV signatures associated with Prestige ransomware payload.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-07-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceEvents\",\"DeviceFileEvents\",\"DeviceImageLoadEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f8b3c49c-4087-499b-920f-0dcfaff0cbca\",\"name\":\"f8b3c49c-4087-499b-920f-0dcfaff0cbca\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.4\",\"severity\":\"Medium\",\"query\":\"imProcessCreate\\n| where CommandLine contains \\\"TVqQAAMAAAAEAAA\\\"\\n| where isnotempty(Process)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by Dvc, ActorUsername, Process, CommandLine, ActingProcessName, EventVendor, EventProduct\\n| extend AccountName = tostring(split(ActorUsername, @\u0027\\\\\u0027)[1]), AccountNTDomain = tostring(split(ActorUsername, @\u0027\\\\\u0027)[0])\\n| extend HostName = tostring(split(Dvc, \\\".\\\")[0]), DomainIndex = toint(indexof(Dvc, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Dvc, DomainIndex + 1), Dvc)\\n| project-away DomainIndex\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ActorUsername\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Dvc\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"Execution\",\"DefenseEvasion\"],\"displayName\":\"Base64 encoded Windows process command-lines (Normalized Process Events)\",\"description\":\"Identifies instances of a base64 encoded PE file header seen in the process command line parameter.\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimProcessEvent)\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2018-09-13T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d564ff12-8f53-41b8-8649-44f76b37b99f\",\"name\":\"d564ff12-8f53-41b8-8649-44f76b37b99f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"Medium\",\"query\":\"// How many greater than Service Connections you want to view per build/release\\nlet ServiceConnectionThreshold = 4;\\nlet BypassDefIds = datatable(DefId:string, Type:string, ProjectName:string)\\n[\\n//\\\"103\\\", \\\"Release\\\", \\\"ProjectA\\\",\\n//\\\"42\\\", \\\"Release\\\", \\\"ProjectB\\\",\\n//\\\"122\\\", \\\"Build\\\", \\\"ProjectB\\\"\\n];\\nAzureDevOpsAuditing\\n| where OperationName == \\\"Library.ServiceConnectionExecuted\\\"\\n| extend DefId = tostring(Data.DefinitionId), Type = tostring(Data.PlanType), ConnectionId = tostring(Data.ConnectionId)\\n| parse ScopeDisplayName with OrganizationName \u0027 (Organization)\u0027\\n| summarize CurrentCount = dcount(tostring(ConnectionId)), ConnectionNames = make_set(tostring(Data.ConnectionName)), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated)\\n by OrganizationName, tostring(DefId), tostring(Type), ProjectId, ProjectName, ActorUPN, IpAddress\\n| where CurrentCount \u003e ServiceConnectionThreshold\\n| join kind=anti BypassDefIds on $left.DefId==$right.DefId and $left.Type == $right.Type and $left.ProjectName == $right.ProjectName\\n| extend link = iif(\\n Type == \\\"Build\\\", strcat(\u0027https://dev.azure.com/\u0027, OrganizationName, \u0027/\u0027, ProjectName, \u0027/_build?definitionId=\u0027, DefId),\\n strcat(\u0027https://dev.azure.com/\u0027, OrganizationName, \u0027/\u0027, ProjectName, \u0027/_release?_a=releases\u0026view=mine\u0026definitionId=\u0027, DefId))\\n| extend timestamp = StartTime\\n| extend AccountName = tostring(split(ActorUPN, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(ActorUPN, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ActorUPN\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]}],\"tactics\":[\"Persistence\",\"Impact\"],\"displayName\":\"Azure DevOps Service Connection Abuse\",\"description\":\"Flags builds/releases that use a large number of service connections if they aren\u0027t manually in the allow list.\\nThis is to determine if someone is hijacking a build/release and adding many service connections in order to abuse or dump credentials from service connections.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-04T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cd8d946d-10a4-40a9-bac1-6d0a6c847d65\",\"name\":\"cd8d946d-10a4-40a9-bac1-6d0a6c847d65\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"version\":\"1.0.4\",\"severity\":\"Medium\",\"query\":\"let BEC_Keywords = dynamic([ \u0027invoice\u0027,\u0027payment\u0027,\u0027paycheck\u0027,\u0027transfer\u0027,\u0027bank statement\u0027,\u0027bank details\u0027,\u0027closing\u0027,\u0027funds\u0027,\u0027bank account\u0027,\u0027account details\u0027,\u0027remittance\u0027,\u0027purchase\u0027,\u0027deposit\u0027,\\\"PO#\\\",\\\"Zahlung\\\",\\\"Rechnung\\\",\\\"Paiement\\\", \\\"virement bancaire\\\",\\\"Bankuberweisung\\\",\u0027hacked\u0027,\u0027phishing\u0027]);\\n// Adjust this threshold based on your environment\\nlet sensitivity = 2.5;\\nlet Events = materialize(imFileEvent\\n| where TimeGenerated between(startofday(ago(14d))..endofday(ago(0d)))\\n| where User !~ \\\"app@sharepoint\\\"\\n| where EventType =~ \\\"FileAccessed\\\"\\n| extend OriginalEvent = column_ifexists(\\\"EventOriginalType\\\",\\\"Unknown\\\")\\n| where OriginalEvent !~ \\\"FileSyncDownloadedFull\\\"\\n| where EventProduct in (\\\"SharePoint 365\\\", \\\"Azure File Storage\\\", \\\"OneDrive\\\" , \\\"SharePoint\\\")\\n| where FilePath has_any(BEC_Keywords)\\n| extend _AuthDetails = column_ifexists(\\\"AuthorizationDetails\\\", \\\"None\\\")\\n| extend SPuser = case(gettype(_AuthDetails) == \\\"array\\\", tostring(todynamic(_AuthDetails)[0].principals[0].id), \\\"Unknown\\\")\\n| extend User = case(isnotempty(User), User, SPuser)\\n| where isnotempty(User));\\nEvents\\n| summarize dcount(FileName) by User, bin(startofday(TimeGenerated), 1d)\\n| summarize CountOfDocs = make_list(dcount_FileName, 10000), TimeStamp = make_list(TimeGenerated, 10000) by User\\n| extend (Anomalies, Score, Baseline) = series_decompose_anomalies(CountOfDocs, sensitivity, -1, \u0027linefit\u0027)\\n| mv-expand CountOfDocs to typeof(double), TimeStamp to typeof(datetime), Anomalies to typeof(double), Score to typeof(double), Baseline to typeof(long)\\n| where Anomalies \u003e 0\\n| project TimeStamp, CountOfDocs, Baseline, Score, Anomalies, User\\n| join kind=inner(Events | extend TimeStamp = startofday(TimeGenerated)) on TimeStamp, User\\n| extend IpAddr = column_ifexists(\\\"IpAddr\\\", SrcIpAddr)\\n| extend Name = iif(User contains \\\"@\\\", split(User, \\\"@\\\")[0], split(User, \\\"\\\\\\\\\\\")[1])\\n| extend UPNSuffix = iif(User contains \\\"@\\\", split(User, \\\"@\\\")[1], \\\"\\\")\\n| extend NTDomain = iif(User contains \\\"@\\\", split(User, \\\"\\\\\\\\\\\")[0], \\\"\\\")\\n| project-reorder TimeGenerated, User, EventType, EventResult, EventProduct, FilePath, HttpUserAgent, IpAddr, CountOfDocs, Baseline, Score\",\"customDetails\":{\"Type\":\"EventType\",\"Result\":\"EventResult\",\"Product\":\"EventProduct\",\"UserAgent\":\"HttpUserAgent\"},\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"User\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"User\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"NTDomain\",\"columnName\":\"NTDomain\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"User\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddr\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"FilePath\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Suspicious access of {{number_of_files_accessed}} BEC related documents by {{User}}\",\"alertDescriptionFormat\":\"This query looks for users (in this case {{User}}) with suspicious spikes in the number of files accessed (in this case {{number_of_files_accessed}} events) that relate to topics commonly accessed as part of Business Email Compromise (BEC) attacks. The query looks for access to files in storage that relate to topics such as invoices or payments, and then looks for users accessing these files in significantly higher numbers than in the previous 14 days. Incidents raised by this analytic should be investigated to see if the user accessing these files should be accessing them, and if the volume they accessed them at was related to a legitimate business need. \\nThis query contains thresholds to reduce the chance of false positives, these can be adjusted to suit individual environments. In addition false positives could be generated by legitimate, scheduled actions that occur less often than every 14 days, additional exclusions can be added for these actions on username or IP address entities. This query uses the imFileEvent schema from ASIM, you will first need to ensure you have ASIM deployed in your environment. Ref https://learn.microsoft.com/azure/sentinel/normalization-about-parsers\\n\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"Collection\"],\"displayName\":\"Suspicious access of BEC related documents\",\"description\":\"This query looks for users with suspicious spikes in the number of files accessed that relate to topics commonly accessed as part of Business Email Compromise (BEC) attacks.\\nThe query looks for access to files in storage that relate to topics such as invoices or payments, and then looks for users accessing these files in significantly higher numbers than in the previous 14 days. Incidents raised by this analytic should be investigated to see if the user accessing these files should be accessing them, and if the volume they accessed them at was related to a legitimate business need. \\nThis query contains thresholds to reduce the chance of false positives, these can be adjusted to suit individual environments. In addition false positives could be generated by legitimate, scheduled actions that occur less often than every 14 days, additional exclusions can be added for these actions on username or IP address entities. This query uses the imFileEvent schema from ASIM, you will first need to ensure you have ASIM deployed in your environment. Ref https://learn.microsoft.com/azure/sentinel/normalization-about-parsers\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2023-02-24T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/87210ca1-49a4-4a7d-bb4a-4988752f978c\",\"name\":\"87210ca1-49a4-4a7d-bb4a-4988752f978c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.3\",\"severity\":\"Medium\",\"query\":\"// Get details of current Azure Ranges (note this URL updates regularly so will need to be manually updated over time)\\n// You may find the name of the new JSON here: https://www.microsoft.com/download/details.aspx?id=56519\\n// On the downloads page, click the \u0027details\u0027 button, and then replace just the filename in the URL below\\nlet azure_ranges = externaldata(changeNumber: string, cloud: string, values: dynamic)\\n[\\\"https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/MSFTIPRanges/ServiceTags_Public.json\\\"] with(format=\u0027multijson\u0027)\\n| mv-expand values\\n| mv-expand values.properties.addressPrefixes\\n| mv-expand values_properties_addressPrefixes\\n| summarize by tostring(values_properties_addressPrefixes)\\n| extend isipv4 = parse_ipv4(values_properties_addressPrefixes)\\n| extend isipv6 = parse_ipv6(values_properties_addressPrefixes)\\n| extend ip_type = case(isnotnull(isipv4), \\\"v4\\\", \\\"v6\\\")\\n| summarize make_list(values_properties_addressPrefixes) by ip_type\\n;\\nSigninLogs\\n// Limiting to Azure Portal really reduces false positives and helps focus on potential admin activity\\n| where ResultType == 0\\n| where AppDisplayName =~ \\\"Azure Portal\\\"\\n| extend isipv4 = parse_ipv4(IPAddress)\\n| extend ip_type = case(isnotnull(isipv4), \\\"v4\\\", \\\"v6\\\")\\n // Only get logons where the IP address is in an Azure range\\n| join kind=fullouter (azure_ranges) on ip_type\\n| extend ipv6_match = ipv6_is_in_any_range(IPAddress, list_values_properties_addressPrefixes)\\n| extend ipv4_match = ipv4_is_in_any_range(IPAddress, list_values_properties_addressPrefixes)\\n| where ipv4_match or ipv6_match \\n// Limit to where the user is external to the tenant\\n| where HomeTenantId != ResourceTenantId\\n// Further limit it to just access to the current tenant (you can drop this if you wanted to look elsewhere as well but it helps reduce FPs)\\n| where ResourceTenantId == AADTenantId\\n| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), make_set(ResourceDisplayName) by UserPrincipalName, IPAddress, UserAgent, Location, HomeTenantId, ResourceTenantId, UserId\\n| extend AccountName = split(UserPrincipalName, \\\"@\\\")[0]\\n| extend UPNSuffix = split(UserPrincipalName, \\\"@\\\")[1]\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"UserId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Azure Portal sign in by {{UserPrincipalName}} from another Azure Tenant with IP Address {{IPAddress}}\",\"alertDescriptionFormat\":\"This query looks for successful sign in attempts to the Azure Portal where the user who is signing in from another Azure tenant,\\nand the IP address the login attempt is from is an Azure IP. A threat actor who compromises an Azure tenant may look\\nto pivot to other tenants leveraging cross-tenant delegated access in this manner.\\nIn this instance {{UserPrincipalName}} logged in at {{FirstSeen}} from IP Address {{IPAddress}}.\\n\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"InitialAccess\"],\"displayName\":\"Azure Portal sign in from another Azure Tenant\",\"description\":\"This query looks for successful sign in attempts to the Azure Portal where the user who is signing in from another Azure tenant, and the IP address the login attempt is from is an Azure IP. A threat actor who compromises an Azure tenant may look to pivot to other tenants leveraging cross-tenant delegated access in this manner.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2021-10-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6ee72a9e-2e54-459c-bc9a-9c09a6502a63\",\"name\":\"6ee72a9e-2e54-459c-bc9a-9c09a6502a63\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"High\",\"query\":\"let IPList = dynamic([\\\"216.24.185.74\\\", \\\"107.175.189.159\\\", \\\"192.210.132.102\\\", \\\"67.230.163.214\\\", \\n \\\"199.19.110.240\\\", \\\"107.148.130.176\\\", \\\"154.212.129.218\\\", \\\"172.86.75.54\\\", \\\"45.61.136.199\\\", \\n \\\"149.28.150.195\\\", \\\"108.61.214.194\\\", \\\"144.202.98.198\\\", \\\"149.28.84.98\\\", \\\"103.99.209.78\\\", \\n \\\"45.61.136.2\\\", \\\"176.122.162.149\\\", \\\"192.3.80.245\\\", \\\"149.28.23.32\\\", \\\"107.182.18.149\\\", \\\"107.174.45.134\\\", \\n \\\"149.248.18.104\\\", \\\"65.49.192.74\\\", \\\"156.255.2.154\\\", \\\"45.76.6.149\\\", \\\"8.9.11.130\\\", \\\"140.238.27.255\\\", \\n \\\"107.182.24.70\\\", \\\"176.122.188.254\\\", \\\"192.161.161.108\\\", \\\"64.64.234.24\\\", \\\"104.224.185.36\\\", \\n \\\"104.233.224.227\\\", \\\"104.36.69.105\\\", \\\"119.28.139.120\\\", \\\"161.117.39.130\\\", \\\"66.42.100.42\\\", \\\"45.76.31.159\\\", \\n \\\"149.248.8.134\\\", \\\"216.24.182.48\\\", \\\"66.42.103.222\\\", \\\"218.89.236.11\\\", \\\"180.150.227.249\\\", \\\"47.75.80.23\\\",\\n \\\"124.156.164.19\\\", \\\"149.248.62.83\\\", \\\"150.109.76.174\\\", \\\"222.209.187.207\\\", \\\"218.38.191.38\\\", \\n \\\"119.28.226.59\\\", \\\"66.42.98.220\\\", \\\"74.82.201.8\\\", \\\"173.242.122.198\\\", \\\"45.32.130.72\\\", \\\"89.35.178.10\\\", \\n \\\"89.43.60.113\\\"]); \\n(union isfuzzy=true \\n(CommonSecurityLog \\n| where isnotempty(SourceIP) or isnotempty(DestinationIP) \\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList) \\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"Message\\\") \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch \\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\") \\n), \\n(OfficeActivity \\n|extend SourceIPAddress = ClientIP, Account = UserId \\n| where SourceIPAddress in (IPList) \\n| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account \\n),\\n(_Im_Dns (response_has_any_prefix=IPList)\\n| extend DestinationIPAddress = ResponseName, Host = SrcIpAddr \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host \\n), \\n(_Im_NetworkSession (srcipaddr_has_any_prefix=IPList)\\n | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Hostname, AccountCustomEntity=User\\n), \\n(_Im_NetworkSession (dstipaddr_has_any_prefix=IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = DstIpAddr, HostCustomEntity = Hostname , AccountCustomEntity = User\\n), \\n(WireData \\n| where isnotempty(RemoteIP) \\n| where RemoteIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer \\n), \\n(SigninLogs \\n| where isnotempty(IPAddress) \\n| where IPAddress in (IPList) \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \\n),\\n(AADNonInteractiveUserSignInLogs \\n| where isnotempty(IPAddress) \\n| where IPAddress in (IPList) \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \\n), \\n(W3CIISLog \\n| where isnotempty(cIP) \\n| where cIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName \\n), \\n(AzureActivity \\n| where isnotempty(CallerIpAddress) \\n| where CallerIpAddress in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller \\n), \\n( \\nAWSCloudTrail \\n| where isnotempty(SourceIpAddress) \\n| where SourceIpAddress in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName \\n), \\n( \\nDeviceNetworkEvents \\n| where isnotempty(RemoteIP) \\n| where RemoteIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName \\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallNetworkRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n),\\n(\\nAZFWApplicationRule\\n| where Fqdn has_any (IPList)\\n| extend IPCustomEntity = SourceIp\\n),\\n(\\nAZFWNetworkRule\\n| where DestinationIp has_any (IPList)\\n| extend IPCustomEntity = SourceIp\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"[Deprecated] -Known Barium IP\",\"description\":\"This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft\u0027s Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2020-11-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AzureMonitor(WireData)\",\"dataTypes\":[\"WireData\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\",\"AZFWApplicationRule\",\"AZFWNetworkRule\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3174a9ec-d0ad-4152-8307-94ed04fa450a\",\"name\":\"3174a9ec-d0ad-4152-8307-94ed04fa450a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"High\",\"query\":\"let SHA256Hash = \\\"1174fd03271f80f5e2a6435c72bdd0272a6e3a37049f6190abf125b216a83471\\\" ;\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where isnotempty(FileHash)\\n| where FileHash in (SHA256Hash) \\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updataing\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Hashes = EventDetail.[16].[\\\"#text\\\"]\\n| parse Hashes with * \u0027SHA256=\u0027 SHA265 \u0027,\u0027 * \\n| where isnotempty(Hashes)\\n| where Hashes in (SHA256Hash) \\n| extend Account = UserName\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"CredentialAccess\"],\"displayName\":\"[Deprecated] - Known Diamond Sleet related maldoc hash\",\"description\":\"This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft\u0027s Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2020-10-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f15370f4-c6fa-42c5-9be4-1d308f40284e\",\"name\":\"f15370f4-c6fa-42c5-9be4-1d308f40284e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.4.3\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h; // Look back 1 hour for OfficeActivity events\\nlet ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators\\nlet OfficeActivity_ = materialize(OfficeActivity\\n | where isnotempty(ClientIP)\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | extend ClientIPValues = extract_all(@\u0027\\\\[?(::ffff:)?(?P\u003cIPAddress\u003e(\\\\d+\\\\.\\\\d+\\\\.\\\\d+\\\\.\\\\d+)|[^\\\\]%]+)(%\\\\d+)?\\\\]?([-:](?P\u003cPort\u003e\\\\d+))?\u0027, dynamic([\\\"IPAddress\\\", \\\"Port\\\"]), ClientIP)[0]\\n | extend IPAddress = iff(array_length(ClientIPValues) \u003e 0, tostring(ClientIPValues[0]), \u0027\u0027)\\n | project-rename OfficeActivity_TimeGenerated = TimeGenerated);\\nlet ActivityIPs = OfficeActivity_ | summarize IPs = make_list(IPAddress);\\n// Fetch threat intelligence indicators related to IP addresses\\nlet IP_Indicators = materialize(ThreatIntelligenceIndicator\\n | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n | where TimeGenerated \u003e= ago(ioc_lookBack)\\n | extend TI_ipEntity = coalesce(NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress)\\n | where TI_ipEntity in (ActivityIPs)\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n | where Active == true and ExpirationDateTime \u003e now()\\n | where Description !contains_cs \\\"State: inactive;\\\" and Description !contains_cs \\\"State: falsepos;\\\");\\nIP_Indicators\\n// Use innerunique to keep performance fast and result set low, as we only need one match to indicate potential malicious activity that needs investigation\\n| join kind=innerunique (OfficeActivity_)\\n on $left.TI_ipEntity == $right.IPAddress\\n// Filter out OfficeActivity events that occurred after the expiration of the corresponding indicator\\n| where OfficeActivity_TimeGenerated \u003c ExpirationDateTime\\n// Group the results by IndicatorId and keep the OfficeActivity event with the latest timestamp\\n| summarize OfficeActivity_TimeGenerated = arg_max(OfficeActivity_TimeGenerated, *) by IndicatorId\\n// Select the desired output fields\\n| project OfficeActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, ClientIP, UserId, Operation, ResultStatus, RecordType, OfficeObjectId, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, Type\\n| extend timestamp = OfficeActivity_TimeGenerated, Name = tostring(split(UserId, \u0027@\u0027, 0)[0]), UPNSuffix = tostring(split(UserId, \u0027@\u0027, 1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserId\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"TI_ipEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"TI map IP entity to OfficeActivity\",\"description\":\"This query maps any IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in OfficeActivity.\",\"lastUpdatedDateUTC\":\"2024-07-09T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/32555639-b639-4c2b-afda-c0ae0abefa55\",\"name\":\"32555639-b639-4c2b-afda-c0ae0abefa55\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Low\",\"query\":\"AWSCloudTrail\\n| where EventName =~ \\\"GetCallerIdentity\\\" and UserIdentityType =~ \\\"AssumedRole\\\"\\n| extend UserIdentityArn = iif(isempty(UserIdentityArn), tostring(parse_json(Resources)[0].ARN), UserIdentityArn)\\n| extend UserName = tostring(split(UserIdentityArn, \u0027/\u0027)[-1])\\n| extend AccountName = case( UserIdentityPrincipalid == \\\"Anonymous\\\", \\\"Anonymous\\\", isempty(UserIdentityUserName), UserName, UserIdentityUserName)\\n| extend AccountName = iif(AccountName contains \\\"@\\\", tostring(split(AccountName, \u0027@\u0027, 0)[0]), AccountName),\\n AccountUPNSuffix = iif(AccountName contains \\\"@\\\", tostring(split(AccountName, \u0027@\u0027, 1)[0]), \\\"\\\")\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by SourceIpAddress, EventName, EventTypeName, UserIdentityType, RecipientAccountId, AccountName, AccountUPNSuffix, UserIdentityAccountId, UserIdentityPrincipalid,\\nUserAgent, UserIdentityUserName, SessionMfaAuthenticated,AWSRegion, EventSource, AdditionalEventData, ResponseElements\\n| extend timestamp = StartTime\\n| sort by EndTime desc nulls last\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"},{\"identifier\":\"CloudAppAccountId\",\"columnName\":\"RecipientAccountId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIpAddress\"}]}],\"tactics\":[\"Discovery\"],\"displayName\":\"Monitor AWS Credential abuse or hijacking\",\"description\":\"Looking for GetCallerIdentity Events where the UserID Type is AssumedRole\\nAn attacker who has assumed the role of a legitimate account can call the GetCallerIdentity function to determine what account they are using.\\nA legitimate user using legitimate credentials would not need to call GetCallerIdentity since they should already know what account they are using.\\nMore Information: https://duo.com/decipher/trailblazer-hunts-compromised-credentials-in-aws \\nAWS STS GetCallerIdentity API: https://docs.aws.amazon.com/STS/latest/APIReference/API_GetCallerIdentity.html \",\"lastUpdatedDateUTC\":\"2024-03-27T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/229f71ba-d83b-42a5-b83b-11a641049ed1\",\"name\":\"229f71ba-d83b-42a5-b83b-11a641049ed1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P2D\",\"queryPeriod\":\"P2D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"// In User \u0026 Groups and in Applications, the following \\\"AccessType\\\" values in columns PremodifiedOutboundSettings and ModifiedOutboundSettings are interpreted accordingly\\n// When Access Type in premodified outbound settings value was 1 that means that the initial access was allowed. When Access Type in premodified outbound settings value was 2 that means that the initial access was blocked.\\n// When Access Type in modified outbound settings value is 1 that means that now access is allowed. When Access Type in modified outbound settings value is 2 that means that now access is blocked.\\nAuditLogs\\n| where OperationName has \\\"Update a partner cross-tenant access setting\\\"\\n| mv-apply TargetResource = TargetResources on\\n (\\n where TargetResource.type =~ \\\"Policy\\\"\\n | extend Properties = TargetResource.modifiedProperties\\n )\\n| mv-apply Property = Properties on\\n (\\n where Property.displayName =~ \\\"b2bCollaborationOutbound\\\"\\n | extend PremodifiedOutboundSettings = trim(\u0027\\\"\u0027,tostring(Property.oldValue)),\\n ModifiedOutboundSettings = trim(@\u0027\\\"\u0027,tostring(Property.newValue))\\n )\\n| where PremodifiedOutboundSettings != ModifiedOutboundSettings\\n| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n| extend InitiatingIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\\n| extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"InitiatingAppName\"},{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAppServicePrincipalId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatingAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatingAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIpAddress\"}]}],\"tactics\":[\"InitialAccess\",\"Persistence\",\"Discovery\"],\"displayName\":\"Cross-tenant Access Settings Organization Outbound Collaboration Settings Changed\",\"description\":\"Organizations are added in the Cross-tenant Access Settings to control communication inbound or outbound for users and applications. This detection notifies when Organization Outbound Collaboration Settings are changed for \\\"Users \u0026 Groups\\\" and for \\\"Applications\\\".\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-10-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/01f64465-b1ef-41ea-a7f5-31553a11ad43\",\"name\":\"01f64465-b1ef-41ea-a7f5-31553a11ad43\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.6\",\"severity\":\"Medium\",\"query\":\"let endpointData = \\n(union isfuzzy=true\\n(SecurityEvent\\n | where EventID == 4688\\n | extend shortFileName = tolower(tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1]))\\n ),\\n (WindowsEvent\\n | where EventID == 4688\\n | extend NewProcessName = tostring(EventData.NewProcessName)\\n | extend shortFileName = tolower(tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1]))\\n | extend TargetUserName = tostring(EventData.TargetUserName)\\n ));\\n// Correlate suspect executables seen in TrendMicro rule updates with similar activity on endpoints\\nCommonSecurityLog\\n| where DeviceVendor =~ \\\"Trend Micro\\\"\\n| where Activity =~ \\\"Deny List updated\\\" \\n| where RequestURL endswith \\\".exe\\\"\\n| project TimeGenerated, Activity , RequestURL , SourceIP, DestinationIP\\n| extend suspectExeName = tolower(tostring(split(RequestURL, \u0027/\u0027)[-1]))\\n| join kind=innerunique (endpointData) on $left.suspectExeName == $right.shortFileName \\n| extend HostName = tostring(split(Computer, \u0027.\u0027, 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Computer, \u0027.\u0027), 1, -1), \u0027.\u0027))\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"TargetUserName\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DestinationIP\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"RequestURL\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"Network endpoint to host executable correlation\",\"description\":\"Correlates blocked URLs hosting [malicious] executables with host endpoint data to identify potential instances of executables of the same name having been recently run.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2019-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"TrendMicro\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/95dc4ae3-e0f2-48bd-b996-cdd22b90f9af\",\"name\":\"95dc4ae3-e0f2-48bd-b996-cdd22b90f9af\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"High\",\"query\":\"(union isfuzzy=true\\n(\\nAuditLogs\\n| where OperationName =~ \\\"Set federation settings on domain\\\"\\n//| where Result =~ \\\"success\\\" // commenting out, as it may be interesting to capture failed attempts\\n| mv-expand TargetResources\\n| extend modifiedProperties = parse_json(TargetResources).modifiedProperties\\n| mv-expand modifiedProperties\\n| extend targetDisplayName = tostring(parse_json(modifiedProperties).displayName)\\n),\\n(\\nAuditLogs\\n| where OperationName =~ \\\"Set domain authentication\\\"\\n//| where Result =~ \\\"success\\\" // commenting out, as it may be interesting to capture failed attempts\\n| mv-expand TargetResources\\n| extend modifiedProperties = parse_json(TargetResources).modifiedProperties\\n| mv-expand modifiedProperties\\n| mv-apply Property = modifiedProperties on\\n (\\n where Property.displayName =~ \\\"LiveType\\\"\\n | extend targetDisplayName = tostring(Property.displayName),\\n NewDomainValue = tostring(Property.newValue)\\n )\\n| where NewDomainValue has \\\"Federated\\\"\\n)\\n)\\n| mv-apply AdditionalDetail = AdditionalDetails on\\n (\\n where AdditionalDetail.key =~ \\\"User-Agent\\\"\\n | extend UserAgent = tostring(AdditionalDetail.value)\\n )\\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n| extend InitiatingIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\\n| extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[1])\\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, AADOperationType, targetDisplayName, Result, InitiatingIpAddress, UserAgent, CorrelationId, TenantId, AADTenantId\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"InitiatingAppName\"},{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAppServicePrincipalId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatingAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatingAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIpAddress\"}]}],\"tactics\":[\"CredentialAccess\",\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Modified domain federation trust settings\",\"description\":\"This will alert when a user or application modifies the federation settings on the domain or Update domain authentication from Managed to Federated.\\nFor example, this alert will trigger when a new Active Directory Federated Service (ADFS) TrustedRealm object, such as a signing certificate, is added to the domain.\\nModification to domain federation settings should be rare. Confirm the added or modified target domain/URL is legitimate administrator behavior.\\nTo understand why an authorized user may update settings for a federated domain in Office 365, Azure, or Intune, see: https://docs.microsoft.com/office365/troubleshoot/active-directory/update-federated-domain-office-365.\\nFor details on security realms that accept security tokens, see the ADFS Proxy Protocol (MS-ADFSPP) specification: https://docs.microsoft.com/openspecs/windows_protocols/ms-adfspp/e7b9ea73-1980-4318-96a6-da559486664b.\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2024-07-15T00:00:00Z\",\"createdDateUTC\":\"2020-12-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2566e99f-ad0f-472a-b9ac-d3899c9283e6\",\"name\":\"2566e99f-ad0f-472a-b9ac-d3899c9283e6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"High\",\"query\":\"(union isfuzzy=true\\n(SecurityEvent\\n| where EventID == 4688\\n| where (CommandLine has_all (\u0027reg\u0027, \u0027add\u0027, \u0027HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\\u0027, \u0027/v\u0027,\u0027/t\u0027, \u0027REG_DWORD\u0027, \u0027/d\u0027, \u0027/f\u0027) and CommandLine has_any(\u0027DisableRealtimeMonitoring\u0027, \u0027UseTPMKey\u0027, \u0027UseTPMKeyPIN\u0027, \u0027UseAdvancedStartup\u0027, \u0027EnableBDEWithNoTPM\u0027, \u0027RecoveryKeyMessageSource\u0027))\\n or CommandLine has_all (\u0027reg\u0027, \u0027add\u0027, \u0027HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\\u0027, \u0027/v\u0027,\u0027/t\u0027, \u0027REG_DWORD\u0027, \u0027/d\u0027, \u0027/f\u0027, \u0027RecoveryKeyMessage\u0027, \u0027Your drives are Encrypted!\u0027, \u0027@\u0027)\\n| project TimeGenerated, Computer, Account, AccountDomain, ProcessName, ProcessNameFullPath = NewProcessName, EventID, Activity, CommandLine, EventSourceName, Type\\n),\\n(DeviceProcessEvents \\n| where (InitiatingProcessCommandLine has_all(@\u0027\\\"reg\\\"\u0027, \u0027add\u0027, @\u0027\\\"HKLM\\\\SOFTWARE\\\\Policies\\\\\u0027, \u0027/v\u0027,\u0027/t\u0027, \u0027REG_DWORD\u0027, \u0027/d\u0027, \u0027/f\u0027) \\n and InitiatingProcessCommandLine has_any(\u0027DisableRealtimeMonitoring\u0027, \u0027UseTPMKey\u0027, \u0027UseTPMKeyPIN\u0027, \u0027UseAdvancedStartup\u0027, \u0027EnableBDEWithNoTPM\u0027, \u0027RecoveryKeyMessageSource\u0027) ) \\n or InitiatingProcessCommandLine has_all(\u0027\\\"reg\\\"\u0027, \u0027add\u0027, @\u0027\\\"HKLM\\\\SOFTWARE\\\\Policies\\\\\u0027, \u0027/v\u0027,\u0027/t\u0027, \u0027REG_DWORD\u0027, \u0027/d\u0027, \u0027/f\u0027, \u0027RecoveryKeyMessage\u0027, \u0027Your drives are Encrypted!\u0027, \u0027@\u0027)\\n| extend Account = strcat(InitiatingProcessAccountDomain, @\u0027\\\\\u0027, InitiatingProcessAccountName), Computer = DeviceName\\n )\\n )\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| extend AccountName = tostring(split(Account, @\u0027\\\\\u0027)[1]), AccountNTDomain = tostring(split(Account, @\u0027\\\\\u0027)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Dev-0270 Registry IOC - September 2022\",\"description\":\"The query below identifies modification of registry by Dev-0270 actor to disable security feature as well as to add ransom notes\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-09-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d2bc08fa-030a-4eea-931a-762d27c6a042\",\"name\":\"d2bc08fa-030a-4eea-931a-762d27c6a042\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"let Threshold = 1; \\n AzureDiagnostics\\n | where Category == \\\"ApplicationGatewayFirewallLog\\\"\\n | where action_s == \\\"Matched\\\"\\n | project transactionId_g, hostname_s, requestUri_s, TimeGenerated, clientIp_s, Message, details_message_s, details_data_s\\n | join kind = inner(\\n AzureDiagnostics\\n | where Category == \\\"ApplicationGatewayFirewallLog\\\"\\n | where action_s == \\\"Blocked\\\"\\n | parse Message with MessageText \u0027Total Inbound Score: \u0027 TotalInboundScore \u0027 - SQLI=\u0027 SQLI_Score \u0027,XSS=\u0027 XSS_Score \u0027,RFI=\u0027 RFI_Score \u0027,LFI=\u0027 LFI_Score \u0027,RCE=\u0027 RCE_Score \u0027,PHPI=\u0027 PHPI_Score \u0027,HTTP=\u0027 HTTP_Score \u0027,SESS=\u0027 SESS_Score \u0027): \u0027 Blocked_Reason \u0027; individual paranoia level scores:\u0027 Paranoia_Score\\n | where Blocked_Reason contains \\\"XSS\\\" and toint(TotalInboundScore) \u003e=15 and toint(XSS_Score) \u003e= 10 and toint(SQLI_Score) \u003c= 5) on transactionId_g\\n | extend Uri = strcat(hostname_s,requestUri_s)\\n | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), TransactionID = make_set(transactionId_g), Message = make_set(Message), Detail_Message = make_set(details_message_s), Detail_Data = make_set(details_data_s), Total_TransactionId = dcount(transactionId_g) by clientIp_s, Uri, action_s, SQLI_Score, XSS_Score, TotalInboundScore\\n | where Total_TransactionId \u003e= Threshold\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Uri\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"clientIp_s\"}]}],\"tactics\":[\"InitialAccess\",\"Execution\"],\"displayName\":\"Application Gateway WAF - XSS Detection\",\"description\":\"Identifies a match for XSS attack in the Application gateway WAF logs. The Threshold value in the query can be changed as per your infrastructure\u0027s requirement.\\n References: https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS)\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2022-07-21T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"WAF\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/aa1eff90-29d4-49dc-a3ea-b65199f516db\",\"name\":\"aa1eff90-29d4-49dc-a3ea-b65199f516db\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Low\",\"query\":\"(union isfuzzy=true\\n (SecurityEvent\\n | where EventID == 4720\\n | where AccountType == \\\"User\\\"\\n | project CreatedUserTime = TimeGenerated, CreatedUserEventID = EventID, CreatedUserActivity = Activity, Computer = toupper(Computer), \\n CreatedUser = tolower(TargetAccount), CreatedUserAccountName = TargetUserName, CreatedUserDomainName = TargetDomainName, CreatedUserSid = TargetSid, \\n AccountUsedToCreateUser = SubjectAccount, CreatedByAccountName = SubjectUserName, CreatedByDomainName = SubjectDomainName, SidofAccountUsedToCreateUser = SubjectUserSid\\n ),\\n (WindowsEvent\\n | where EventID == 4720\\n | extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n | extend AccountType=case(EventData.SubjectUserName endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n | where AccountType == \\\"User\\\"\\n | extend SubjectAccount = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n | extend SubjectDomainName = tostring(EventData.SubjectDomainName), SubjectUserName = tostring(EventData.SubjectUserName)\\n | extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n | extend TargetUserName = tostring(EventData.TargetUserName), TargetDomainName = tostring(EventData.TargetDomainName) \\n | extend Activity=\\\"4720 - A user account was created.\\\"\\n | extend TargetSid = tostring(EventData.TargetSid)\\n | project CreatedUserTime = TimeGenerated, CreatedUserEventID = EventID, CreatedUserActivity = Activity, Computer = toupper(Computer), \\n CreatedUser = tolower(TargetAccount), CreatedUserAccountName = TargetUserName, CreatedUserDomainName = TargetDomainName, CreatedUserSid = TargetSid, \\n AccountUsedToCreateUser = SubjectAccount, CreatedByAccountName = SubjectUserName, CreatedByDomainName = SubjectDomainName, SidofAccountUsedToCreateUser = SubjectUserSid\\n )\\n )\\n| join kind=inner\\n(\\n (union isfuzzy=true\\n (SecurityEvent \\n | where AccountType == \\\"User\\\"\\n // 4732 - A member was added to a security-enabled local group\\n | where EventID == 4732\\n // TargetSid is the builin Admins group: S-1-5-32-544\\n | where TargetSid == \\\"S-1-5-32-544\\\"\\n | project GroupAddTime = TimeGenerated, GroupAddEventID = EventID, GroupAddActivity = Activity, Computer = toupper(Computer), GroupName = tolower(TargetAccount), \\n GroupSid = TargetSid, AccountThatAddedUser = SubjectAccount, SIDofAccountThatAddedUser = SubjectUserSid, AddedByAccountName = SubjectUserName, AddedByDomainName = SubjectDomainName,\\n CreatedUserSid = MemberSid\\n ),\\n ( WindowsEvent \\n // 4732 - A member was added to a security-enabled local group\\n | where EventID == 4732 and EventData has \\\"S-1-5-32-544\\\"\\n //TargetSid is the builin Admins group: S-1-5-32-544\\n | extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n | extend AccountType=case(EventData.SubjectUserName endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n | where AccountType == \\\"User\\\"\\n | extend TargetSid = tostring(EventData.TargetSid)\\n | where TargetSid == \\\"S-1-5-32-544\\\"\\n | extend SubjectAccount = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n | extend SubjectDomainName = tostring(EventData.SubjectDomainName), SubjectUserName = tostring(EventData.SubjectUserName)\\n | extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n | extend Activity=\\\"4732 - A member was added to a security-enabled local group.\\\"\\n | extend MemberSid = tostring(EventData.MemberSid)\\n | project GroupAddTime = TimeGenerated, GroupAddEventID = EventID, GroupAddActivity = Activity, Computer = toupper(Computer), GroupName = tolower(TargetAccount), \\n GroupSid = TargetSid, AccountThatAddedUser = SubjectAccount, SIDofAccountThatAddedUser = SubjectUserSid, AddedByAccountName = SubjectUserName, AddedByDomainName = SubjectDomainName,\\n CreatedUserSid = MemberSid\\n )\\n )\\n)\\non CreatedUserSid\\n//Create User first, then the add to the group.\\n| project Computer, CreatedUserTime, CreatedUserEventID, CreatedUserActivity, CreatedUser, CreatedUserSid, CreatedUserAccountName, CreatedUserDomainName,\\nGroupAddTime, GroupAddEventID, GroupAddActivity, GroupName, GroupSid,\\nAccountUsedToCreateUser, SidofAccountUsedToCreateUser, CreatedByAccountName, CreatedByDomainName, \\nAccountThatAddedUser, SIDofAccountThatAddedUser, AddedByAccountName, AddedByDomainName\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| project-away DomainIndex\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountUsedToCreateUser\"},{\"identifier\":\"Name\",\"columnName\":\"CreatedByAccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"CreatedByDomainName\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountThatAddedUser\"},{\"identifier\":\"Name\",\"columnName\":\"AddedByAccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AddedByDomainName\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CreatedUser\"},{\"identifier\":\"Name\",\"columnName\":\"CreatedUserAccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"CreatedUserDomainName\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Sid\",\"columnName\":\"CreatedUserSid\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"New user created and added to the built-in administrators group\",\"description\":\"Identifies when a user account was created and then added to the builtin Administrators group in the same day.\\nThis should be monitored closely and all additions reviewed.\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2019-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/56fe0db0-6779-46fa-b3c5-006082a53064\",\"name\":\"56fe0db0-6779-46fa-b3c5-006082a53064\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"2.0.3\",\"severity\":\"Medium\",\"query\":\"let tokens = dynamic([\\\"416\\\",\\\"208\\\",\\\"192\\\",\\\"128\\\",\\\"120\\\",\\\"96\\\",\\\"80\\\",\\\"72\\\",\\\"64\\\",\\\"48\\\",\\\"44\\\",\\\"40\\\",\\\"nc12\\\",\\\"nc24\\\",\\\"nv24\\\"]);\\nlet operationList = dynamic([\\\"microsoft.compute/virtualmachines/write\\\", \\\"microsoft.resources/deployments/write\\\"]);\\nAzureActivity\\n| where OperationNameValue in~ (operationList)\\n| where ActivityStatusValue startswith \\\"Accept\\\"\\n| where Properties has \u0027vmSize\u0027\\n| extend parsed_property= parse_json(tostring((parse_json(Properties).responseBody))).properties\\n| extend vmSize = tostring((parsed_property.hardwareProfile).vmSize)\\n| mv-apply token=tokens to typeof(string) on (where vmSize contains token)\\n| extend ComputerName = tostring((parsed_property.osProfile).computerName)\\n| project TimeGenerated, OperationNameValue, ActivityStatusValue, Caller, CallerIpAddress, ComputerName, vmSize\\n| extend Name = tostring(split(Caller,\u0027@\u0027,0)[0]), UPNSuffix = tostring(split(Caller,\u0027@\u0027,1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Caller\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"ComputerName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"CallerIpAddress\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"NRT Creation of expensive computes in Azure\",\"description\":\"Identifies the creation of large size or expensive VMs (with GPUs or with a large number of virtual CPUs) in Azure.\\nAn adversary may create new or update existing virtual machines to evade defenses or use them for cryptomining purposes.\\nFor Windows/Linux Vm Sizes, see https://docs.microsoft.com/azure/virtual-machines/windows/sizes \\nAzure VM Naming Conventions, see https://docs.microsoft.com/azure/virtual-machines/vm-naming-conventions\",\"lastUpdatedDateUTC\":\"2024-01-08T00:00:00Z\",\"createdDateUTC\":\"2020-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b79f6190-d104-4691-b7db-823e05980895\",\"name\":\"b79f6190-d104-4691-b7db-823e05980895\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"let Keywords = dynamic([\\\"helpdesk\\\", \\\" alert\\\", \\\" suspicious\\\", \\\"fake\\\", \\\"malicious\\\", \\\"phishing\\\", \\\"spam\\\", \\\"do not click\\\", \\\"do not open\\\", \\\"hijacked\\\", \\\"Fatal\\\"]);\\nOfficeActivity\\n| where OfficeWorkload =~ \\\"Exchange\\\"\\n| where Parameters has \\\"Deleted Items\\\" or Parameters has \\\"Junk Email\\\" or Parameters has \\\"DeleteMessage\\\"\\n| extend Events=todynamic(Parameters)\\n| parse Events with * \\\"SubjectContainsWords\\\" SubjectContainsWords \u0027}\u0027*\\n| parse Events with * \\\"BodyContainsWords\\\" BodyContainsWords \u0027}\u0027*\\n| parse Events with * \\\"SubjectOrBodyContainsWords\\\" SubjectOrBodyContainsWords \u0027}\u0027*\\n| where SubjectContainsWords has_any (Keywords)\\n or BodyContainsWords has_any (Keywords)\\n or SubjectOrBodyContainsWords has_any (Keywords)\\n| extend ClientIPAddress = case( ClientIP has \\\".\\\", tostring(split(ClientIP,\\\":\\\")[0]), ClientIP has \\\"[\\\", tostring(trim_start(@\u0027[[]\u0027,tostring(split(ClientIP,\\\"]\\\")[0]))), ClientIP )\\n| extend Keyword = iff(isnotempty(SubjectContainsWords), SubjectContainsWords, (iff(isnotempty(BodyContainsWords),BodyContainsWords,SubjectOrBodyContainsWords )))\\n| extend RuleDetail = case(OfficeObjectId contains \u0027/\u0027 , tostring(split(OfficeObjectId, \u0027/\u0027)[-1]) , tostring(split(OfficeObjectId, \u0027\\\\\\\\\u0027)[-1]))\\n| summarize count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by UserId, ClientIPAddress, ResultStatus, Keyword, OriginatingServer, OfficeObjectId, RuleDetail\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserId\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"OriginatingServer\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIPAddress\"}]}],\"tactics\":[\"Persistence\",\"DefenseEvasion\"],\"displayName\":\"NRT Malicious Inbox Rule\",\"description\":\"Often times after the initial compromise the attackers create inbox rules to delete emails that contain certain keywords.\\n This is done so as to limit ability to warn compromised users that they\u0027ve been compromised. Below is a sample query that tries to detect this.\\nReference: https://www.reddit.com/r/sysadmin/comments/7kyp0a/recent_phishing_attempts_my_experience_and_what/\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2020-03-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/639aa695-9de9-4921-aa6b-6fdc35cb1eee\",\"name\":\"639aa695-9de9-4921-aa6b-6fdc35cb1eee\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs \\n| where OperationName contains \\\"Update user\\\"\\n| where TargetResources[0].modifiedProperties[0].oldValue contains \\\"Guest\\\"\\n| extend InvitedUser = TargetResources[0].userPrincipalName\\n// Uncomment the below line if you want to get alerts for changed usertype from specific domains or users\\n//| where InvitedUser has_any (\\\"CUSTOM DOMAIN NAME#\\\", \\\"#EXT#\\\")\\n| extend InitiatedByActionUserInformation = iff(isnotempty(InitiatedBy.user.userPrincipalName), InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName)\\n| extend InitiatedByIPAdress = InitiatedBy.user.ipAddress \\n| extend OldUserType = TargetResources[0].modifiedProperties[0].oldValue contains \\\"Guest\\\"\\n| extend NewUserType = TargetResources[0].modifiedProperties[0].newValue contains \\\"Member\\\"\\n| mv-expand OldUserType = TargetResources[0].modifiedProperties[0].oldValue to typeof(string)\\n| mv-expand NewUserType = TargetResources[0].modifiedProperties[0].newValue to typeof(string)\\n| where OldUserType != NewUserType\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InvitedUser\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"InitiatedByActionUserInformation\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatedByIPAdress\"}]}],\"tactics\":[\"InitialAccess\",\"Persistence\",\"Discovery\"],\"displayName\":\"Guest accounts changed user type from guest to members in AzureAD\",\"description\":\"Guest Accounts are added in the Organization Tenants to perform various tasks i.e projects execution, support etc.. This detection notifies when guest users are changed from user type as should be in AzureAD to member and gain other rights in the tenant.\",\"lastUpdatedDateUTC\":\"2022-10-23T00:00:00Z\",\"createdDateUTC\":\"2022-10-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/29283b22-a1c0-4d16-b0a9-3460b655a46a\",\"name\":\"29283b22-a1c0-4d16-b0a9-3460b655a46a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.8\",\"severity\":\"High\",\"query\":\"let UserAgentString = dynamic ([\\\"${jndi:ldap:/\\\", \\\"${jndi:rmi:/\\\", \\\"${jndi:ldaps:/\\\", \\\"${jndi:dns:/\\\", \\\"${jndi:iiop:/\\\",\\\"${jndi:\\\",\\\"${jndi:nds:/\\\",\\\"${jndi:corba/\\\"]);\\nlet UARegexMinimalString=dynamic([\u0027{\u0027,\u0027%7b\u0027, \u0027%7B\u0027]);\\nlet UARegex = @\u0027(\\\\\\\\$|%24)(\\\\\\\\{|%7B)([^jJ]*[jJ])([^nN]*[nN])([^dD]*[dD])([^iI]*[iI])(:|%3A|\\\\\\\\$|%24|}|%7D)\u0027;\\n(union isfuzzy=true\\n(OfficeActivity\\n| where UserAgent has_any (UserAgentString) or UserAgent matches regex UARegex\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = ClientIP, Account = UserId, Type, Operation\\n),\\n(AzureDiagnostics\\n| where Category in (\\\"FrontdoorWebApplicationFirewallLog\\\", \\\"FrontdoorAccessLog\\\", \\\"ApplicationGatewayFirewallLog\\\", \\\"ApplicationGatewayAccessLog\\\")\\n| where userAgent_s has_any (UserAgentString) or userAgent_s matches regex UARegex\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent = userAgent_s, SourceIP = column_ifexists(\\\"clientIp_s\\\",clientIP_s), Type, column_ifexists(\\\"originalHost_s\\\",host_s), Url = requestUri_s, HttpStatus = column_ifexists(\\\"httpStatusDetails_s\\\",httpStatus_d), column_ifexists(\\\"transactionId_g\\\",trackingReference_s), ruleName_s, ResourceType, ResourceId\\n),\\n(\\nW3CIISLog\\n| where csUserAgent has_any (UserAgentString) or csUserAgent matches regex UARegex\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent = csUserAgent, SourceIP = cIP, Account = csUserName, Type, sSiteName, csMethod, Url = csUriStem\\n),\\n(\\nAWSCloudTrail\\n| where UserAgent has_any (UserAgentString) or UserAgent matches regex UARegex\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = SourceIpAddress, Account = UserIdentityUserName, Type, EventName\\n),\\n(SigninLogs\\n| where UserAgent has_any (UserAgentString) or UserAgent matches regex UARegex\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = IPAddress, Account = UserPrincipalName, Type, Operation = OperationName, tostring(LocationDetails), tostring(DeviceDetail), AppDisplayName, ClientAppUsed\\n),\\n(AADNonInteractiveUserSignInLogs \\n| where UserAgent has_any (UserAgentString) or UserAgent matches regex UARegex\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = IPAddress, Account = UserPrincipalName, Type, Operation = OperationName, tostring(LocationDetails), tostring(DeviceDetail), AppDisplayName, ClientAppUsed\\n),\\n(_Im_WebSession (httpuseragent_has_any=array_concat(UserAgentString,UARegexMinimalString))\\n| where HttpUserAgent has_any (UserAgentString) or HttpUserAgent matches regex UARegex\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by HttpUserAgent, SourceIP = SrcIpAddr, DstIpAddr, Account = SrcUsername, Url, Type\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"Account\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"User agent search for log4j exploitation attempt\",\"description\":\"This query uses various log sources having user agent data to look for log4j CVE-2021-44228 exploitation attempt based on user agent pattern.\\nLog4j is an open-source Apache logging library that is used in many Java-based applications. The regex and the string matching look for the most common attacks. This might not be comprehensive to detect every possible user agent variation.\\n Reference: https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2021-12-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"WAF\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/89e6adbd-612c-4fbe-bc3d-32f81baf3b6c\",\"name\":\"89e6adbd-612c-4fbe-bc3d-32f81baf3b6c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT4H\",\"queryPeriod\":\"PT4H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Medium\",\"query\":\"// Change to true to monitor for Project Administrator adds to *any* project\\nlet MonitorAllProjects = false;\\n// If MonitorAllProjects is false, trigger only on Project Administrator add for the following projects\\nlet ProjectsToMonitor = dynamic([\u0027\u003cproject_X\u003e\u0027,\u0027\u003cproject_Y\u003e\u0027]);\\nAzureDevOpsAuditing\\n| where Area == \\\"Group\\\" and OperationName == \\\"Group.UpdateGroupMembership.Add\\\"\\n| where Details has \u0027Administrators\u0027\\n| where Details has \\\"was added as a member of group\\\" and (Details endswith \u0027\\\\\\\\Project Administrators\u0027 or Details endswith \u0027\\\\\\\\Project Collection Administrators\u0027)\\n| parse Details with AddedIdentity \u0027 was added as a member of group [\u0027 EntityName \u0027]\\\\\\\\\u0027 GroupName\\n| extend Level = iif(GroupName == \u0027Project Collection Administrators\u0027, \u0027Organization\u0027, \u0027Project\u0027), AddedIdentityId = Data.MemberId\\n| extend Severity = iif(Level == \u0027Organization\u0027, \u0027High\u0027, \u0027Medium\u0027), AlertDetails = strcat(\u0027At \u0027, TimeGenerated, \u0027 UTC \u0027, ActorUPN, \u0027/\u0027, ActorDisplayName, \u0027 added \u0027, AddedIdentity, \u0027 to the \u0027, EntityName, \u0027 \u0027, Level)\\n| where MonitorAllProjects == true or EntityName in (ProjectsToMonitor) or Level == \u0027Organization\u0027\\n| project TimeGenerated, Severity, Adder = ActorUPN, AddedIdentity, AddedIdentityId, AlertDetails, Level, EntityName, GroupName, ActorAuthType = AuthenticationMechanism,\\n ActorIpAddress = IpAddress, ActorUserAgent = UserAgent, RawDetails = Details\\n| extend timestamp = TimeGenerated\\n| extend AccountName = tostring(split(Adder, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(Adder, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Adder\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ActorIpAddress\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Azure DevOps Administrator Group Monitoring\",\"description\":\"This detection monitors for additions to projects or project collection administration groups in an Azure DevOps Organization.\",\"lastUpdatedDateUTC\":\"2024-03-13T00:00:00Z\",\"createdDateUTC\":\"2020-06-04T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/875d0eb1-883a-4191-bd0e-dbfdeb95a464\",\"name\":\"875d0eb1-883a-4191-bd0e-dbfdeb95a464\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n| where EventID == 5136 \\n| parse EventData with * \u0027AttributeLDAPDisplayName\\\"\u003e\u0027 AttributeLDAPDisplayName \\\"\u003c\\\" *\\n| parse EventData with * \u0027ObjectClass\\\"\u003e\u0027 ObjectClass \\\"\u003c\\\" *\\n| where AttributeLDAPDisplayName == \\\"servicePrincipalName\\\" and ObjectClass == \\\"user\\\"\\n| parse EventData with * \u0027ObjectDN\\\"\u003e\u0027 ObjectDN \\\"\u003c\\\" *\\n| parse EventData with * \u0027AttributeValue\\\"\u003e\u0027 AttributeValue \\\"\u003c\\\" *\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Computer, SubjectAccount, ObjectDN, AttributeValue, SubjectUserName, SubjectDomainName, SubjectUserSid\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| project-away DomainIndex\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SubjectAccount\"},{\"identifier\":\"Name\",\"columnName\":\"SubjectUserName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"SubjectDomainName\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Sid\",\"columnName\":\"SubjectUserSid\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Service Principal Name (SPN) Assigned to User Account\",\"description\":\"This query identifies whether an Active Directory user object was assigned a service principal name which could indicate that an adversary is preparing for performing Kerberoasting. \\nThis query checks for event id 5136, that the Object Class field is \\\"user\\\" and the LDAP Display Name is \\\"servicePrincipalName\\\".\\nRef: https://thevivi.net/assets/docs/2019/theVIVI-AD-Security-Workshop_AfricaHackon2019.pdf\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2022-01-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bb8a3481-dd14-4e76-8dcc-bbec8776d695\",\"name\":\"bb8a3481-dd14-4e76-8dcc-bbec8776d695\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"Medium\",\"query\":\"let DomainNames = dynamic([\u0027onetechcompany.com\u0027, \u0027reyweb.com\u0027, \u0027srfnetwork.org\u0027, \u0027sense4baby.fr\u0027, \u0027nikeoutletinc.org\u0027, \u0027megatoolkit.com\u0027]);\\nlet IPList = dynamic([\u0027185.225.69.69\u0027]);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or DestinationHostName in~ (DomainNames) or RequestURL has_any (DomainNames) or Message has_any (IPList)\\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", RequestURL in (DomainNames), \\\"RequestUrl\\\", \\\"NoMatch\\\") \\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, \\\"NoMatch\\\"), AccountCustomEntity = SourceUserID\\n),\\n(_Im_Dns (domain_has_any=DomainNames)\\n| extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n),\\n(_Im_Dns (response_has_any_prefix=IPList)\\n| extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n),\\n(_Im_WebSession(url_has_any=DomainNames)\\n| extend DestinationIPAddress = DstIpAddr, DNSName = tostring(parse_url(Url)[\\\"Host\\\"]), Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n),\\n(VMConnection\\n| where SourceIp in (IPList) or DestinationIp in (IPList) or RemoteDnsCanonicalNames has_any (DomainNames)\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"NoMatch\\\"), HostCustomEntity = Computer\\n),\\n(OfficeActivity\\n| where ClientIP in (IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = UserId\\n),\\n(DeviceNetworkEvents\\n| where RemoteUrl has_any (DomainNames) or RemoteIP in (IPList)\\n| extend timestamp = TimeGenerated, DNSName = RemoteUrl, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost\\n),\\n(AZFWApplicationRule\\n| where isnotempty(Fqdn)\\n| where Fqdn has_any (DomainNames)\\n| extend timestamp = TimeGenerated\\n| extend DNSName = Fqdn\\n| extend IPCustomEntity = SourceIp\\n),\\n(AZFWDnsQuery\\n| where isnotempty(QueryName)\\n| where QueryName has_any (DomainNames)\\n| extend timestamp = TimeGenerated\\n| extend DNSName = QueryName\\n| extend IPCustomEntity = SourceIp\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"DNSName\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"[Deprecated] - Midnight Blizzard - Domain and IP IOCs - March 2021\",\"description\":\"This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft\u0027s Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2021-03-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\",\"AZFWApplicationRule\",\"AZFWDnsQuery\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8c8de3fa-6425-4623-9cd9-45de1dd0569a\",\"name\":\"8c8de3fa-6425-4623-9cd9-45de1dd0569a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Medium\",\"query\":\"let lookBack = 14d;\\nlet timeframe = 1d;\\nlet user_agents_list = Cisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(lookBack) and TimeGenerated \u003c ago(timeframe)\\n| summarize count() by HttpUserAgentOriginal\\n| summarize make_list(HttpUserAgentOriginal);\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(timeframe)\\n| where HttpUserAgentOriginal !in (user_agents_list)\\n| extend Message = \\\"Rare User Agent\\\"\\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated, HttpUserAgentOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlOriginal\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - Rare User Agent Detected\",\"description\":\"Rule helps to detect a rare user-agents indicating web browsing activity by an unusual process other than a web browser.\",\"lastUpdatedDateUTC\":\"2023-12-29T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bdf04f58-242b-4729-b376-577c4bdf5d3a\",\"name\":\"bdf04f58-242b-4729-b376-577c4bdf5d3a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.6\",\"severity\":\"Medium\",\"query\":\"imProcessCreate\\n| where Process hassuffix \u0027rundll32.exe\u0027\\n| where CommandLine has_any (\u0027Execute\u0027,\u0027RegRead\u0027,\u0027window.close\u0027)\\n| project TimeGenerated, Dvc, User, Process, CommandLine, ActingProcessName, EventVendor, EventProduct\\n| extend AccountName = tostring(split(User, @\u0027\\\\\u0027)[1]), AccountNTDomain = tostring(split(User, @\u0027\\\\\u0027)[0])\\n| extend HostName = tostring(split(Dvc, \\\".\\\")[0]), DomainIndex = toint(indexof(Dvc, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Dvc, DomainIndex + 1), Dvc)\\n| project-away DomainIndex\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"User\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Dvc\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Midnight Blizzard - suspicious rundll32.exe execution of vbscript (Normalized Process Events)\",\"description\":\"This query idenifies when rundll32.exe executes a specific set of inline VBScript commands\\nReferences: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimProcessEvent)\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2021-03-03T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7d7e20f8-3384-4b71-811c-f5e950e8306c\",\"name\":\"7d7e20f8-3384-4b71-811c-f5e950e8306c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.8\",\"severity\":\"High\",\"query\":\"AuditLogs\\n| where ActivityDisplayName =~\u0027Add member to role request denied (PIM activation)\u0027\\n| mv-apply ResourceItem = TargetResources on \\n (\\n where ResourceItem.type =~ \\\"Role\\\"\\n | extend Role = trim(@\u0027\\\"\u0027,tostring(ResourceItem.displayName))\\n )\\n| mv-apply ResourceItem = TargetResources on \\n (\\n where ResourceItem.type =~ \\\"User\\\"\\n | extend TargetUserPrincipalName = trim(@\u0027\\\"\u0027,tostring(ResourceItem.userPrincipalName))\\n )\\n| where isnotempty(InitiatedBy.user)\\n| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n| extend InitiatingIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\\n| extend TargetName = tostring(split(TargetUserPrincipalName,\u0027@\u0027,0)[0]), TargetUPNSuffix = tostring(split(TargetUserPrincipalName,\u0027@\u0027,1)[0])\\n| extend InitiatedByName = tostring(split(InitiatingUserPrincipalName,\u0027@\u0027,0)[0]), InitiatedByUPNSuffix = tostring(split(InitiatingUserPrincipalName,\u0027@\u0027,1)[0])\\n| project-reorder TimeGenerated, TargetUserPrincipalName, Role, OperationName, Result, ResultDescription\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatedByName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatedByUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"TargetName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"TargetUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAppServicePrincipalId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIpAddress\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"PIM Elevation Request Rejected\",\"description\":\"Identifies when a user is rejected for a privileged role elevation via PIM. Monitor rejections for indicators of attacker compromise of the requesting account.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-identity-management\",\"lastUpdatedDateUTC\":\"2024-01-09T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c895c5b9-0fc6-40ce-9830-e8818862f2d5\",\"name\":\"c895c5b9-0fc6-40ce-9830-e8818862f2d5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P2D\",\"queryPeriod\":\"P2D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"// In User \u0026 Groups and in Applications, the following \\\"AccessType\\\" values in columns PremodifiedInboundSettings and ModifiedInboundSettings are interpreted accordingly\\n// When Access Type in premodified inbound settings value was 1 that means that the initial access was allowed. When Access Type in premodified inbound settings value was 2 that means that the initial access was blocked.\\n// When Access Type in modified inbound settings value is 1 that means that now access is allowed. When Access Type in modified inbound settings value is 2 that means that now access is blocked.\\nAuditLogs\\n| where OperationName has \\\"Update a partner cross-tenant access setting\\\"\\n| mv-apply TargetResource = TargetResources on\\n (\\n where TargetResource.type =~ \\\"Policy\\\"\\n | extend Properties = TargetResource.modifiedProperties\\n )\\n| mv-apply Property = Properties on\\n (\\n where Property.displayName =~ \\\"b2bCollaborationInbound\\\"\\n | extend PremodifiedInboundSettings = trim(\u0027\\\"\u0027,tostring(Property.oldValue)),\\n ModifiedInboundSettings = trim(@\u0027\\\"\u0027,tostring(Property.newValue))\\n )\\n| where PremodifiedInboundSettings != ModifiedInboundSettings\\n| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n| extend InitiatingIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\\n| extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"InitiatingAppName\"},{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAppServicePrincipalId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatingAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatingAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIpAddress\"}]}],\"tactics\":[\"InitialAccess\",\"Persistence\",\"Discovery\"],\"displayName\":\"Cross-tenant Access Settings Organization Inbound Collaboration Settings Changed\",\"description\":\"Organizations are added in the Cross-tenant Access Settings to control communication inbound or outbound for users and applications. This detection notifies when Organization Inbound Collaboration Settings are changed for \\\"Users \u0026 Groups\\\" and for \\\"Applications\\\".\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-10-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0433c8a3-9aa6-4577-beef-2ea23be41137\",\"name\":\"0433c8a3-9aa6-4577-beef-2ea23be41137\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P2D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.7\",\"severity\":\"Medium\",\"query\":\"let admin_users = (IdentityInfo\\n | where TimeGenerated \u003e ago(2d)\\n | summarize arg_max(TimeGenerated, *) by AccountUPN\\n | where AssignedRoles contains \\\"admin\\\" or GroupMembership has \\\"Admin\\\"\\n | summarize by tolower(AccountUPN));\\n AuditLogs\\n | where Category =~ \\\"RoleManagement\\\"\\n | where OperationName has \\\"Add eligible member\\\"\\n | extend TargetUserPrincipalName = tostring(TargetResources[0].userPrincipalName)\\n | where tolower(TargetUserPrincipalName) in (admin_users)\\n | extend TargetAadUserId = tostring(TargetResources[0].id)\\n | extend Group = tostring(TargetResources[0].displayName)\\n | extend RoleAddedTo = iif(isnotempty(TargetUserPrincipalName), TargetUserPrincipalName, Group)\\n | extend mod_props = TargetResources[0].modifiedProperties\\n | extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n | extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n | extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n | extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n | extend InitiatingIPAddress = tostring(InitiatedBy.user.ipAddress)\\n | extend RoleAddedBy = iif(isnotempty(InitiatingAppName), InitiatingAppName, InitiatingUserPrincipalName)\\n | mv-expand mod_props\\n | where mod_props.displayName == \\\"Role.DisplayName\\\"\\n | extend UserAgent = tostring(AdditionalDetails[0].value)\\n | extend RoleAdded = tostring(parse_json(tostring(mod_props.newValue)))\\n | extend TargetAccountName = tostring(split(TargetUserPrincipalName, \\\"@\\\")[0]), TargetAccountUPNSuffix = tostring(split(TargetUserPrincipalName, \\\"@\\\")[1])\\n | extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[1])\\n | project-reorder TimeGenerated, OperationName, TargetUserPrincipalName, RoleAddedTo, RoleAdded, RoleAddedBy, InitiatingUserPrincipalName, InitiatingAppName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"TargetAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"TargetAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"TargetAadUserId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatingAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatingAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Privileged Account Permissions Changed\",\"description\":\"Detects changes to permissions assigned to admin users. Threat actors may try and increase permission scope by adding additional roles to already privileged accounts.\\nReview any modifications to ensure they were made legitimately.\\nRef: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts\",\"lastUpdatedDateUTC\":\"2024-04-05T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"IdentityInfo\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/884c4957-70ea-4f57-80b9-1bca3890315b\",\"name\":\"884c4957-70ea-4f57-80b9-1bca3890315b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"let timeBin = 10m;\\nlet failedThreshold = 100;\\nW3CIISLog\\n| where scStatus in (\\\"401\\\",\\\"403\\\")\\n| where csUserName != \\\"-\\\"\\n// Handling Exchange specific items in IIS logs to remove the unique log identifier in the URI\\n| extend csUriQuery = iff(csUriQuery startswith \\\"MailboxId=\\\", tostring(split(csUriQuery, \\\"\u0026\\\")[0]) , csUriQuery )\\n| extend csUriQuery = iff(csUriQuery startswith \\\"X-ARR-CACHE-HIT=\\\", strcat(tostring(split(csUriQuery, \\\"\u0026\\\")[0]),tostring(split(csUriQuery, \\\"\u0026\\\")[1])) , csUriQuery )\\n| extend scStatusFull = strcat(scStatus, \\\".\\\",scSubStatus)\\n// Map common IIS codes\\n| extend scStatusFull_Friendly = case(\\nscStatusFull == \\\"401.0\\\", \\\"Access denied.\\\",\\nscStatusFull == \\\"401.1\\\", \\\"Logon failed.\\\",\\nscStatusFull == \\\"401.2\\\", \\\"Logon failed due to server configuration.\\\",\\nscStatusFull == \\\"401.3\\\", \\\"Unauthorized due to ACL on resource.\\\",\\nscStatusFull == \\\"401.4\\\", \\\"Authorization failed by filter.\\\",\\nscStatusFull == \\\"401.5\\\", \\\"Authorization failed by ISAPI/CGI application.\\\",\\nscStatusFull == \\\"403.0\\\", \\\"Forbidden.\\\",\\nscStatusFull == \\\"403.4\\\", \\\"SSL required.\\\",\\n\\\"See - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\\")\\n// Mapping to Hex so can be mapped using website in comments above\\n| extend scWin32Status_Hex = tohex(tolong(scWin32Status))\\n// Map common win32 codes\\n| extend scWin32Status_Friendly = case(\\nscWin32Status_Hex =~ \\\"775\\\", \\\"The referenced account is currently locked out and cannot be logged on to.\\\",\\nscWin32Status_Hex =~ \\\"52e\\\", \\\"Logon failure: Unknown user name or bad password.\\\",\\nscWin32Status_Hex =~ \\\"532\\\", \\\"Logon failure: The specified account password has expired.\\\",\\nscWin32Status_Hex =~ \\\"533\\\", \\\"Logon failure: Account currently disabled.\\\",\\nscWin32Status_Hex =~ \\\"2ee2\\\", \\\"The request has timed out.\\\",\\nscWin32Status_Hex =~ \\\"0\\\", \\\"The operation completed successfully.\\\",\\nscWin32Status_Hex =~ \\\"1\\\", \\\"Incorrect function.\\\",\\nscWin32Status_Hex =~ \\\"2\\\", \\\"The system cannot find the file specified.\\\",\\nscWin32Status_Hex =~ \\\"3\\\", \\\"The system cannot find the path specified.\\\",\\nscWin32Status_Hex =~ \\\"4\\\", \\\"The system cannot open the file.\\\",\\nscWin32Status_Hex =~ \\\"5\\\", \\\"Access is denied.\\\",\\nscWin32Status_Hex =~ \\\"8009030e\\\", \\\"SEC_E_NO_CREDENTIALS\\\",\\nscWin32Status_Hex =~ \\\"8009030C\\\", \\\"SEC_E_LOGON_DENIED\\\",\\n\\\"See - https://msdn.microsoft.com/library/cc231199.aspx\\\")\\n// decode URI when available\\n| extend decodedUriQuery = url_decode(csUriQuery)\\n// Count of failed logons by a user\\n| summarize makeset(decodedUriQuery), makeset(cIP), makeset(sSiteName), makeset(sPort), makeset(csUserAgent), makeset(csMethod), makeset(csUriQuery), makeset(scStatusFull), makeset(scStatusFull_Friendly), makeset(scWin32Status_Hex), makeset(scWin32Status_Friendly), FailedConnectionsCount = count() by bin(TimeGenerated, timeBin), csUserName, Computer, sIP\\n| where FailedConnectionsCount \u003e= failedThreshold\\n| project TimeGenerated, csUserName, set_decodedUriQuery, Computer, set_sSiteName, sIP, set_cIP, set_sPort, set_csUserAgent, set_csMethod, set_scStatusFull, set_scStatusFull_Friendly, set_scWin32Status_Hex, set_scWin32Status_Friendly, FailedConnectionsCount\\n| order by FailedConnectionsCount\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| extend AccountName = tostring(split(csUserName, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(csUserName, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"csUserName\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"High count of failed logons by a user\",\"description\":\"Identifies when 100 or more failed attempts by a given user in 10 minutes occur on the IIS Server.\\nThis could be indicative of attempted brute force based on known account information.\\nThis could also simply indicate a misconfigured service or device.\\nReferences:\\nIIS status code mapping - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\nWin32 Status code mapping - https://msdn.microsoft.com/library/cc231199.aspx\",\"lastUpdatedDateUTC\":\"2023-12-28T00:00:00Z\",\"createdDateUTC\":\"2019-03-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3fbc20a4-04c4-464e-8fcb-6667f53e4987\",\"name\":\"3fbc20a4-04c4-464e-8fcb-6667f53e4987\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.1\",\"severity\":\"Medium\",\"query\":\"let authenticationWindow = 20m;\\nlet sensitivity = 2.5;\\nSigninLogs\\n| where AppDisplayName =~ \\\"Windows Sign In\\\"\\n| extend FailureOrSuccess = iff(ResultType in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\", \\\"70043\\\", \\\"70044\\\"), \\\"Success\\\", \\\"Failure\\\")\\n| summarize FailureCount = countif(FailureOrSuccess==\\\"Failure\\\"), SuccessCount = countif(FailureOrSuccess==\\\"Success\\\"), IPAddresses = make_set(IPAddress,1000)\\n by bin(TimeGenerated, authenticationWindow), UserDisplayName, UserPrincipalName\\n| extend FailureSuccessDiff = FailureCount - SuccessCount\\n| where FailureSuccessDiff \u003e 0\\n| summarize Diff = make_list(FailureSuccessDiff, 10000), TimeStamp = make_list(TimeGenerated, 10000) by UserDisplayName, UserPrincipalName//, tostring(IPAddresses)\\n| extend (Anomalies, Score, Baseline) = series_decompose_anomalies(Diff, sensitivity, -1, \u0027linefit\u0027) \\n| mv-expand Diff to typeof(double), TimeStamp to typeof(datetime), Anomalies to typeof(double), Score to typeof(double), Baseline to typeof(long)\\n| where Anomalies \u003e 0\\n| summarize by UserDisplayName, UserPrincipalName, Anomalies, Score, Baseline, FailureToSuccessDiff = Diff\\n| join kind=leftouter (\\n SigninLogs\\n | where AppDisplayName =~ \\\"Windows Sign In\\\"\\n | extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\\n | extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\n | extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city)\\n | summarize StartTime = min(TimeGenerated), \\n EndTime = max(TimeGenerated), \\n IPAddresses = make_set(IPAddress,100), \\n OS = make_set(OS,20), \\n Browser = make_set(Browser,20), \\n City = make_set(City,100), \\n ResultType = make_set(ResultType,100)\\n by UserDisplayName, UserPrincipalName, UserId, AppDisplayName\\n ) on UserDisplayName, UserPrincipalName\\n| project-away UserDisplayName1, UserPrincipalName1\\n| extend IPAddressFirst = tostring(IPAddresses[0])\\n| extend Name = tostring(split(UserPrincipalName,\u0027@\u0027,0)[0]), UPNSuffix = tostring(split(UserPrincipalName,\u0027@\u0027,1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"UserId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddressFirst\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Brute force attack against a Cloud PC\",\"description\":\"Identifies evidence of brute force activity against a Windows 365 Cloud PC by highlighting multiple authentication failures and by a successful authentication within a given time window.\",\"lastUpdatedDateUTC\":\"2024-04-05T00:00:00Z\",\"createdDateUTC\":\"2021-10-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/66c81ae2-1f89-4433-be00-2fbbd9ba5ebe\",\"name\":\"66c81ae2-1f89-4433-be00-2fbbd9ba5ebe\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.2\",\"severity\":\"Medium\",\"query\":\"let IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\nlet dt_lookBack = 1h; // Look back 1 hour for CommonSecurityLog events\\nlet ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators\\n// Fetch threat intelligence indicators related to IP addresses\\nlet IP_Indicators = ThreatIntelligenceIndicator\\n | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n | where TimeGenerated \u003e= ago(ioc_lookBack)\\n | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \\\"fe80\\\" and TI_ipEntity !startswith \\\"::\\\" and TI_ipEntity !startswith \\\"127.\\\"\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n | where Active == true and ExpirationDateTime \u003e now();\\n// Perform a join between IP indicators and CommonSecurityLog events\\nIP_Indicators\\n // Use innerunique to keep performance fast and result set low, as we only need one match to indicate potential malicious activity that needs investigation\\n | join kind=innerunique (\\n CommonSecurityLog\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | extend MessageIP = extract(IPRegex, 0, Message)\\n | extend CS_ipEntity = iff(isnotempty(SourceIP), SourceIP, DestinationIP)\\n | extend CS_ipEntity = iff(isempty(CS_ipEntity) and isnotempty(MessageIP), MessageIP, CS_ipEntity)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n )\\n on $left.TI_ipEntity == $right.CS_ipEntity\\n // Filter out logs that occurred after the expiration of the corresponding indicator\\n | where CommonSecurityLog_TimeGenerated \u003c ExpirationDateTime\\n // Group the results by IndicatorId and CS_ipEntity, and keep the log entry with the latest timestamp\\n | summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, CS_ipEntity\\n // Select the desired output fields\\n | project timestamp = CommonSecurityLog_TimeGenerated, SourceIP, DestinationIP, MessageIP, Message, DeviceVendor, DeviceProduct, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, TI_ipEntity, CS_ipEntity, LogSeverity, DeviceAction, Type\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"CS_ipEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"TI Map IP Entity to CommonSecurityLog\",\"description\":\"This query maps any IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in CommonSecurityLog.\",\"lastUpdatedDateUTC\":\"2024-07-09T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7cb8f77d-c52f-4e46-b82f-3cf2e106224a\",\"name\":\"7cb8f77d-c52f-4e46-b82f-3cf2e106224a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"version\":\"2.0.4\",\"severity\":\"Medium\",\"query\":\"// Adjust this figure to adjust how sensitive this detection is\\nlet sensitivity = 2.5;\\nlet AuthEvents = materialize(\\nunion isfuzzy=True SigninLogs, AADNonInteractiveUserSignInLogs\\n| where TimeGenerated \u003e ago(7d)\\n| where ResultType == 0\\n| extend LocationDetails = LocationDetails_dynamic\\n| extend Location = strcat(LocationDetails.countryOrRegion, \\\"-\\\", LocationDetails.state,\\\"-\\\", LocationDetails.city)\\n| where Location != \\\"--\\\");\\nAuthEvents\\n| summarize dcount(Location) by AppDisplayName, AppId, UserPrincipalName, UserId, bin(startofday(TimeGenerated), 1d)\\n| where dcount_Location \u003e 2\\n| make-series CountOfLocations = sum(dcount_Location) on TimeGenerated step 1d by AppId, UserId\\n| extend (Anomalies, Score, Baseline) = series_decompose_anomalies(CountOfLocations, sensitivity, -1, \u0027linefit\u0027)\\n| mv-expand CountOfLocations to typeof(double), TimeGenerated to typeof(datetime), Anomalies to typeof(double), Score to typeof(double), Baseline to typeof(long)\\n| where Anomalies \u003e 0 and Baseline \u003e 0\\n| join kind=inner( AuthEvents | extend TimeStamp = startofday(TimeGenerated)) on UserId, AppId\\n| extend SignInDetails = bag_pack(\\\"TimeGenerated\\\", TimeGenerated1, \\\"Location\\\", Location, \\\"Source\\\", IPAddress, \\\"Device\\\", DeviceDetail_dynamic)\\n| summarize SignInDetailsSet=make_set(SignInDetails, 1000) by UserId, UserPrincipalName, CountOfLocations, TimeGenerated, AppId, AppDisplayName\\n| extend Name = split(UserPrincipalName, \\\"@\\\")[0], UPNSuffix = split(UserPrincipalName, \\\"@\\\")[1]\",\"customDetails\":{\"Application\":\"AppDisplayName\"},\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"UserId\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Anomalous sign-in location by {{UserPrincipalName}} to {{AppDisplayName}}\",\"alertDescriptionFormat\":\"This query over Microsoft Entra ID sign-in considers all user sign-ins for each Microsoft Entra ID application and picks out the most anomalous change in location profile for a user within an\\nindividual application. This has detected {{UserPrincipalName}} signing into {{AppDisplayName}} from {{CountOfLocations}} \\ndifferent locations.\\n\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"InitialAccess\"],\"displayName\":\"Anomalous sign-in location by user account and authenticating application\",\"description\":\"This query over Microsoft Entra ID sign-in considers all user sign-ins for each Microsoft Entra ID application and picks out the most anomalous change in location profile for a user within an individual application.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/44a555d8-ecee-4a25-95ce-055879b4b14b\",\"name\":\"44a555d8-ecee-4a25-95ce-055879b4b14b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"let timeBin = 10m;\\nlet portThreshold = 30;\\nW3CIISLog\\n| extend scStatusFull = strcat(scStatus, \\\".\\\",scSubStatus)\\n// Map common IIS codes\\n| extend scStatusFull_Friendly = case(\\nscStatusFull == \\\"401.0\\\", \\\"Access denied.\\\",\\nscStatusFull == \\\"401.1\\\", \\\"Logon failed.\\\",\\nscStatusFull == \\\"401.2\\\", \\\"Logon failed due to server configuration.\\\",\\nscStatusFull == \\\"401.3\\\", \\\"Unauthorized due to ACL on resource.\\\",\\nscStatusFull == \\\"401.4\\\", \\\"Authorization failed by filter.\\\",\\nscStatusFull == \\\"401.5\\\", \\\"Authorization failed by ISAPI/CGI application.\\\",\\nscStatusFull == \\\"403.0\\\", \\\"Forbidden.\\\",\\nscStatusFull == \\\"403.4\\\", \\\"SSL required.\\\",\\n\\\"See - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\\")\\n// Mapping to Hex so can be mapped using website in comments above\\n| extend scWin32Status_Hex = tohex(tolong(scWin32Status))\\n// Map common win32 codes\\n| extend scWin32Status_Friendly = case(\\nscWin32Status_Hex =~ \\\"775\\\", \\\"The referenced account is currently locked out and cannot be logged on to.\\\",\\nscWin32Status_Hex =~ \\\"52e\\\", \\\"Logon failure: Unknown user name or bad password.\\\",\\nscWin32Status_Hex =~ \\\"532\\\", \\\"Logon failure: The specified account password has expired.\\\",\\nscWin32Status_Hex =~ \\\"533\\\", \\\"Logon failure: Account currently disabled.\\\",\\nscWin32Status_Hex =~ \\\"2ee2\\\", \\\"The request has timed out.\\\",\\nscWin32Status_Hex =~ \\\"0\\\", \\\"The operation completed successfully.\\\",\\nscWin32Status_Hex =~ \\\"1\\\", \\\"Incorrect function.\\\",\\nscWin32Status_Hex =~ \\\"2\\\", \\\"The system cannot find the file specified.\\\",\\nscWin32Status_Hex =~ \\\"3\\\", \\\"The system cannot find the path specified.\\\",\\nscWin32Status_Hex =~ \\\"4\\\", \\\"The system cannot open the file.\\\",\\nscWin32Status_Hex =~ \\\"5\\\", \\\"Access is denied.\\\",\\nscWin32Status_Hex =~ \\\"8009030e\\\", \\\"SEC_E_NO_CREDENTIALS\\\",\\nscWin32Status_Hex =~ \\\"8009030C\\\", \\\"SEC_E_LOGON_DENIED\\\",\\n\\\"See - https://msdn.microsoft.com/library/cc231199.aspx\\\")\\n// decode URI when available\\n| extend decodedUriQuery = url_decode(csUriQuery)\\n// Count of attempts by client IP on many ports\\n| summarize makeset(sPort), makeset(decodedUriQuery), makeset(csUserName), makeset(sSiteName), makeset(sPort), makeset(csUserAgent), makeset(csMethod), makeset(csUriQuery), makeset(scStatusFull), makeset(scStatusFull_Friendly), makeset(scWin32Status_Hex), makeset(scWin32Status_Friendly), ConnectionsCount = count() by bin(TimeGenerated, timeBin), cIP, Computer, sIP\\n| extend portCount = arraylength(set_sPort)\\n| where portCount \u003e= portThreshold\\n| project TimeGenerated, cIP, set_sPort, set_csUserName, set_decodedUriQuery, Computer, set_sSiteName, sIP, set_csUserAgent, set_csMethod, set_scStatusFull, set_scStatusFull_Friendly, set_scWin32Status_Hex, set_scWin32Status_Friendly, ConnectionsCount, portCount\\n| order by portCount\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"cIP\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"High count of connections by client IP on many ports\",\"description\":\"Identifies when 30 or more ports are used for a given client IP in 10 minutes occurring on the IIS server.\\nThis could be indicative of attempted port scanning or exploit attempt at internet facing web applications.\\nThis could also simply indicate a misconfigured service or device.\\nReferences:\\nIIS status code mapping - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\nWin32 Status code mapping - https://msdn.microsoft.com/library/cc231199.aspx\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2019-03-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/14f6da04-2f96-44ee-9210-9ccc1be6401e\",\"name\":\"14f6da04-2f96-44ee-9210-9ccc1be6401e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.2\",\"severity\":\"Low\",\"query\":\"AuditLogs\\n| where Category =~ \\\"RoleManagement\\\"\\n| where OperationName has \\\"Add member to role outside of PIM\\\"\\n or (LoggedByService =~ \\\"Core Directory\\\" and OperationName =~ \\\"Add member to role\\\" and Identity != \\\"MS-PIM\\\")\\n| mv-apply TargetResource = TargetResources on \\n (\\n where TargetResource.type =~ \\\"User\\\"\\n | extend TargetUserPrincipalName = tostring(TargetResource.userPrincipalName)\\n )\\n| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n| extend InitiatingIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\\n| extend TargetName = tostring(split(TargetUserPrincipalName,\u0027@\u0027,0)[0]), TargetUPNSuffix = tostring(split(TargetUserPrincipalName,\u0027@\u0027,1)[0])\\n| extend InitiatedByName = tostring(split(InitiatingUserPrincipalName,\u0027@\u0027,0)[0]), InitiatedByUPNSuffix = tostring(split(InitiatingUserPrincipalName,\u0027@\u0027,1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"TargetName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"TargetUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatedByName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatedByUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAppServicePrincipalId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIpAddress\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"NRT Privileged Role Assigned Outside PIM\",\"description\":\"Identifies a privileged role being assigned to a user outside of PIM\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1\",\"lastUpdatedDateUTC\":\"2024-01-09T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c9b6d281-b96b-4763-b728-9a04b9fe1246\",\"name\":\"c9b6d281-b96b-4763-b728-9a04b9fe1246\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let lbtime = 10m;\\nCisco_Umbrella\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027proxylogs\u0027\\n| where DvcAction =~ \u0027Allowed\u0027\\n| where UrlCategory has_any (\u0027Dynamic and Residential\u0027, \u0027Personal VPN\u0027)\\n| project TimeGenerated, SrcIpAddr, Identities\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Identities\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]}],\"tactics\":[\"CommandAndControl\",\"Exfiltration\"],\"displayName\":\"Cisco Umbrella - Connection to non-corporate private network\",\"description\":\"IP addresses of broadband links that usually indicates users attempting to access their home network, for example for a remote session to a home computer.\",\"lastUpdatedDateUTC\":\"2023-12-29T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d7feb859-f03e-4e8d-8b21-617be0213b13\",\"name\":\"d7feb859-f03e-4e8d-8b21-617be0213b13\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"High\",\"query\":\"let admin_users = (IdentityInfo\\n | summarize arg_max(TimeGenerated, *) by AccountUPN\\n | where AssignedRoles contains \\\"admin\\\"\\n | summarize by tolower(AccountUPN));\\n AuditLogs\\n | where OperationName =~ \\\"Admin registered security info\\\"\\n | where ResultReason =~ \\\"Admin registered temporary access pass method for user\\\"\\n | extend TargetUserPrincipalName = tostring(TargetResources[0].userPrincipalName)\\n | where tolower(TargetUserPrincipalName) in (admin_users)\\n | extend TargetAadUserId = tostring(TargetResources[0].id)\\n | extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n | extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n | extend InitiatingIPAddress = tostring(InitiatedBy.user.ipAddress)\\n | extend TargetAccountName = tostring(split(TargetUserPrincipalName, \\\"@\\\")[0]), TargetAccountUPNSuffix = tostring(split(TargetUserPrincipalName, \\\"@\\\")[1])\\n | extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"TargetAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"TargetAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatingAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatingAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"TargetAadUserId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIPAddress\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Addition of a Temporary Access Pass to a Privileged Account\",\"description\":\"Detects when a Temporary Access Pass (TAP) is created for a Privileged Account.\\n A Temporary Access Pass is a time-limited passcode issued by an admin that satisfies strong authentication requirements and can be used to onboard other authentication methods, including Passwordless ones such as Microsoft Authenticator or even Windows Hello.\\n A threat actor could use a TAP to register a new authentication method to maintain persistance to an account.\\n Review any TAP creations to ensure they were used legitimately.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"IdentityInfo\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5b6ae038-f66e-4f74-9315-df52fd492be4\",\"name\":\"5b6ae038-f66e-4f74-9315-df52fd492be4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.6\",\"severity\":\"Low\",\"query\":\"imProcess\\n| where CommandLine has_all (\\\"accepteula\\\", \\\"-s\\\", \\\"-r\\\", \\\"-q\\\")\\n| where Process !endswith \\\"sdelete.exe\\\"\\n| where CommandLine !has \\\"sdelete\\\"\\n| extend AccountName = tostring(split(ActorUsername, @\u0027\\\\\u0027)[1]), AccountNTDomain = tostring(split(ActorUsername, @\u0027\\\\\u0027)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ActorUsername\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Dvc\"},{\"identifier\":\"HostName\",\"columnName\":\"DvcHostname\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DvcDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DvcIpAddr\"}]}],\"tactics\":[\"DefenseEvasion\",\"Impact\"],\"displayName\":\"Potential re-named sdelete usage (ASIM Version)\",\"description\":\"This detection looks for command line parameters associated with the use of Sysinternals sdelete (https://docs.microsoft.com/sysinternals/downloads/sdelete) to delete multiple files on a host\u0027s C drive.\\nA threat actor may re-name the tool to avoid detection and then use it for destructive attacks on a host.\\nThis detection uses the ASIM imProcess parser, this will need to be deployed before use - https://docs.microsoft.com/azure/sentinel/normalization\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2022-02-25T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9fb2ee72-959f-4c2b-bc38-483affc539e4\",\"name\":\"9fb2ee72-959f-4c2b-bc38-483affc539e4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n | where Category == \\\"ApplicationManagement\\\"\\n | where OperationName has_any (\\\"Update Application\\\", \\\"Update Service principal\\\")\\n | where TargetResources has \\\"AppIdentifierUri\\\"\\n | extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n | extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n | extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n | extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n | extend InitiatingIPAddress = tostring(InitiatedBy.user.ipAddress)\\n | extend mod_props = TargetResources[0].modifiedProperties\\n | extend TargetAppName = tostring(TargetResources[0].displayName)\\n | mv-expand mod_props\\n | where mod_props.displayName has \\\"AppIdentifierUri\\\"\\n | extend OldURI = tostring(mod_props.oldValue)\\n | extend NewURI = tostring(mod_props.newValue)\\n | extend UpdatedBy = iif(isnotempty(InitiatingAppName), InitiatingAppName, InitiatingUserPrincipalName)\\n | extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[1])\\n | project-reorder TimeGenerated, InitiatingAppName, InitiatingAppServicePrincipalId, InitiatingAadUserId, InitiatingUserPrincipalName, InitiatingIPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatingAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatingAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"OldURI\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"NewURI\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIPAddress\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Application ID URI Changed\",\"description\":\"Detects changes to an Application ID URI.\\n Monitor these changes to make sure that they were authorized.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-applications#appid-uri-added-modified-or-removed\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2c701f94-783c-4cd4-bc9b-3b3334976090\",\"name\":\"2c701f94-783c-4cd4-bc9b-3b3334976090\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Medium\",\"query\":\"let suspiciousCmdLineKeywords = dynamic([\\\"http://\\\", \\\"https://\\\"]);\\n// Identify exchange servers based on known paths\\n// Summarize these to get a list of exchange server hostnames\\nlet exchangeServers = W3CIISLog\\n| where csUriStem has_any(\\\"/owa/\\\",\\\"/ews/\\\",\\\"/ecp/\\\",\\\"/autodiscover/\\\")\\n// Only where successful, rule out failed scanning\\n| where scStatus startswith \\\"2\\\"\\n| summarize by Computer;\\nDeviceProcessEvents\\n| where DeviceName in~ (exchangeServers)\\n// Where the IIS worker process initiated CMD or PowerShell\\n| where InitiatingProcessParentFileName == \\\"w3wp.exe\\\"\\n| where InitiatingProcessFileName has_any(\\\"cmd.exe\\\", \\\"powershell.exe\\\")\\n// Where CMD or PowerShell command line included parameters associated with CVE-2022-41040/CVE-2022-41082 exploitation\\n| where ProcessCommandLine has_any(suspiciousCmdLineKeywords)\\n| project TimeGenerated, DeviceId, DeviceName, InitiatingProcessFileName, ProcessCommandLine, AccountDomain = InitiatingProcessAccountDomain, AccountName = InitiatingProcessAccountName\\n| extend Account = strcat(AccountDomain, \\\"\\\\\\\\\\\", AccountName)\\n| extend HostName = tostring(split(DeviceName, \\\".\\\")[0]), DomainIndex = toint(indexof(DeviceName, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(DeviceName, DomainIndex + 1), DeviceName)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DeviceName\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"Exchange Worker Process Making Remote Call\",\"description\":\"This query dynamically identifies Exchange servers and then looks for instances where the IIS worker process initiates a call out to a remote URL using either cmd.exe or powershell.exe.\\nThis behaviour was described as post-compromise behaviour following exploitation of CVE-2022-41040 and CVE-2022-41082, this pattern of activity was use to download additional tools to the server. This suspicious activity is generic.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-09-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1f40ed57-f54b-462f-906a-ac3a89cc90d4\",\"name\":\"1f40ed57-f54b-462f-906a-ac3a89cc90d4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"// Materialize a table named \\\"Azure_Bruforce\\\" containing Azure Portal sign-in logs within the last 1 day\\nlet Azure_Bruforce = materialize (\\n SigninLogs\\n// Filter sign-in logs related to the Azure Portal\\n | where AppDisplayName == \\\"Azure Portal\\\"\\n// Exclude entries with empty OriginalRequestId\\n | where isnotempty(OriginalRequestId)\\n// Summarize various counts and sets based on brute force criteria\\n | summarize \\n AzureSuccessfulEvent = countif(ResultType == 0), \\n AzureFailedEvent = countif(ResultType != 0), \\n totalAzureLoginEventId = dcount(OriginalRequestId), \\n AzureFailedEventsCount = dcountif(OriginalRequestId, ResultType != 0), \\n AzureSuccessfuleventsCount = dcountif(OriginalRequestId, ResultType == 0),\\n AzureSetOfFailedevents = makeset(iff(ResultType != 0, OriginalRequestId, \\\"\\\"), 5), \\n AzureSetOfSuccessfulEvents = makeset(iff(ResultType == 0, OriginalRequestId, \\\"\\\"), 5) \\n by \\n IPAddress, \\n UserPrincipalName, \\n bin(TimeGenerated, 1min), \\n UserAgent,\\n ConditionalAccessStatus,\\n OperationName,\\n RiskDetail,\\n AuthenticationRequirement,\\n ClientAppUsed\\n// Extracting the name and UPN suffix from UserPrincipalName\\n | extend\\n Name = tostring(split(UserPrincipalName, \u0027@\u0027)[0]),\\n UPNSuffix = tostring(split(UserPrincipalName, \u0027@\u0027)[1]));\\n// Materialize a table named \\\"AWS_Bruforce\\\" containing AWS CloudTrail events related to ConsoleLogins within the last 1 day\\nlet AWS_Bruforce = materialize (\\n AWSCloudTrail \\n// Filter CloudTrail events related to ConsoleLogin\\n | where EventName == \\\"ConsoleLogin\\\" \\n// Extract ActionType from ResponseElements JSON\\n | extend ActionType = tostring(parse_json(ResponseElements).ConsoleLogin) \\n// Summarize various counts and sets based on brute force criteria \\n | summarize \\n AWSSuccessful=countif(ActionType == \\\"Success\\\"), \\n AWSFailed = countif(ActionType == \\\"Failure\\\"), \\n totalAwsEventId= dcount(AwsEventId), \\n AWSFailedEventsCount = dcountif(AwsEventId, ActionType == \\\"Failure\\\"), \\n AWSSuccessfuleventsCount = dcountif(AwsEventId, ActionType == \\\"Success\\\"), \\n AWSFailedevents = makeset(iff(ActionType == \\\"Failure\\\", AwsEventId, \\\"\\\"), 5), \\n AWSSuccessfulEvents = makeset(iff(ActionType == \\\"Success\\\", AwsEventId, \\\"\\\"), 5) \\n// Grouping by various attributes\\n by \\n SourceIpAddress, \\n UserIdentityUserName,\\n bin(TimeGenerated, 1min), \\n UserAgent );\\n// Joining the Azure_Bruforce and AWS_Bruforce tables on matching IP addresses and UserAgents\\nAzure_Bruforce\\n| join kind=inner AWS_Bruforce on $left.IPAddress == $right.SourceIpAddress and $left.UserAgent == $right.UserAgent\\n// Filtering based on conditions for failed and successful events\\n| where (AWSFailedEventsCount \u003e= 4 and AzureFailedEventsCount \u003e= 5) and ((AzureSuccessfuleventsCount \u003e= 1 and AzureFailedEvent \u003e AzureSuccessfulEvent) or (AWSSuccessfuleventsCount \u003e= 1 and AWSFailedEventsCount \u003e AWSSuccessfuleventsCount))\",\"customDetails\":{\"AwsUser\":\"UserIdentityUserName\",\"UserAgent\":\"UserAgent\",\"AzureUser\":\"UserPrincipalName\",\"AzureClientAppUsed\":\"ClientAppUsed\"},\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIpAddress\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Cross-Cloud Password Spray detection\",\"description\":\"This detection focuses on identifying potential cross-cloud brute force / Password Spray attempts involving Azure and AWS platforms. It monitors sign-in activities within the Azure Portal and AWS ConsoleLogins where brute force attempts are successful on both platforms in a synchronized manner.\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2023-08-18T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"IdentityInfo\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a83ef0f4-dace-4767-bce3-ebd32599d2a0\",\"name\":\"a83ef0f4-dace-4767-bce3-ebd32599d2a0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Low\",\"query\":\"DnsEvents\\n| where Name contains \\\".\\\"\\n| where Name has_any (\\\"tor2web.org\\\", \\\"tor2web.com\\\", \\\"torlink.co\\\", \\\"onion.to\\\", \\\"onion.ink\\\", \\\"onion.cab\\\", \\\"onion.nu\\\", \\\"onion.link\\\",\\n\\\"onion.it\\\", \\\"onion.city\\\", \\\"onion.direct\\\", \\\"onion.top\\\", \\\"onion.casa\\\", \\\"onion.plus\\\", \\\"onion.rip\\\", \\\"onion.dog\\\", \\\"tor2web.fi\\\",\\n\\\"tor2web.blutmagie.de\\\", \\\"onion.sh\\\", \\\"onion.lu\\\", \\\"onion.pet\\\", \\\"t2w.pw\\\", \\\"tor2web.ae.org\\\", \\\"tor2web.io\\\", \\\"tor2web.xyz\\\", \\\"onion.lt\\\",\\n\\\"s1.tor-gateways.de\\\", \\\"s2.tor-gateways.de\\\", \\\"s3.tor-gateways.de\\\", \\\"s4.tor-gateways.de\\\", \\\"s5.tor-gateways.de\\\", \\\"hiddenservice.net\\\")\\n| extend HostName = iff(Computer has \u0027.\u0027, substring(Computer,0,indexof(Computer,\u0027.\u0027)),Computer)\\n| extend DnsDomain = iff(Computer has \u0027.\u0027, substring(Computer,indexof(Computer,\u0027.\u0027)+1),\\\"\\\")\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"DNS events related to ToR proxies\",\"description\":\"Identifies IP addresses performing DNS lookups associated with common ToR proxies.\",\"lastUpdatedDateUTC\":\"2024-03-13T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d6bf1931-b1eb-448d-90b2-de118559c7ce\",\"name\":\"d6bf1931-b1eb-448d-90b2-de118559c7ce\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let lbtime = 10m;\\nCisco_Umbrella\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027proxylogs\u0027\\n| where DvcAction =~ \u0027Allowed\u0027\\n| where UrlCategory contains \u0027Adult Themes\u0027 or\\n UrlCategory contains \u0027Adware\u0027 or\\n UrlCategory contains \u0027Alcohol\u0027 or\\n UrlCategory contains \u0027Illegal Downloads\u0027 or\\n UrlCategory contains \u0027Drugs\u0027 or\\n UrlCategory contains \u0027Child Abuse Content\u0027 or\\n UrlCategory contains \u0027Hate/Discrimination\u0027 or\\n UrlCategory contains \u0027Nudity\u0027 or\\n UrlCategory contains \u0027Pornography\u0027 or\\n UrlCategory contains \u0027Proxy/Anonymizer\u0027 or\\n UrlCategory contains \u0027Sexuality\u0027 or\\n UrlCategory contains \u0027Tasteless\u0027 or\\n UrlCategory contains \u0027Terrorism\u0027 or\\n UrlCategory contains \u0027Web Spam\u0027 or\\n UrlCategory contains \u0027German Youth Protection\u0027 or\\n UrlCategory contains \u0027Illegal Activities\u0027 or\\n UrlCategory contains \u0027Lingerie/Bikini\u0027 or\\n UrlCategory contains \u0027Weapons\u0027\\n| project TimeGenerated, SrcIpAddr, Identities\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Identities\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]}],\"tactics\":[\"CommandAndControl\",\"InitialAccess\"],\"displayName\":\"Cisco Umbrella - Request Allowed to harmful/malicious URI category\",\"description\":\"It is reccomended that these Categories shoud be blocked by policies because they provide harmful/malicious content..\",\"lastUpdatedDateUTC\":\"2023-12-29T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/35a0792a-1269-431e-ac93-7ae2980d4dde\",\"name\":\"35a0792a-1269-431e-ac93-7ae2980d4dde\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| where Active == true\\n| where isnotempty(EmailSenderAddress)\\n| extend TI_emailEntity = EmailSenderAddress\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n ProofpointPOD\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(SrcUserUpn)\\n | extend ProofpointPOD_TimeGenerated = TimeGenerated, ClientEmail = SrcUserUpn\\n)\\non $left.TI_emailEntity == $right.ClientEmail\\n| where ProofpointPOD_TimeGenerated \u003c ExpirationDateTime\\n| summarize ProofpointPOD_TimeGenerated = arg_max(ProofpointPOD_TimeGenerated, *) by IndicatorId, ClientEmail\\n| project ProofpointPOD_TimeGenerated, Description, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, ClientEmail\\n| extend timestamp = ProofpointPOD_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ClientEmail\"}]}],\"tactics\":[\"Exfiltration\",\"InitialAccess\"],\"displayName\":\"ProofpointPOD - Email sender in TI list\",\"description\":\"Email sender in TI list.\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_maillog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6e715730-82c0-496c-983b-7a20c4590bd9\",\"name\":\"6e715730-82c0-496c-983b-7a20c4590bd9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let accountLookback = 3d;\\nlet requestLookback = 3d;\\nlet extraction_regex = @\\\"(?:\\\\?|\u0026)[a-zA-Z0-9\\\\%]*=([a-zA-Z0-9\\\\/\\\\+\\\\=]*)\\\";\\n// Collect account names and base64 encode them\\nDeviceEvents\\n| where TimeGenerated \u003e ago(accountLookback)\\n| summarize make_set(DeviceId), make_set(DeviceName) by InitiatingProcessAccountName\\n| where isnotempty(InitiatingProcessAccountName)\\n| extend base64_user = base64_encode_tostring(InitiatingProcessAccountName)\\n| join (\\n // Collect requests and extract base64 parameters\\n CommonSecurityLog\\n | where TimeGenerated \u003e ago(requestLookback)\\n | where isnotempty(RequestURL)\\n // Summarize early on the RequestURL\\n | summarize FirstRequest=min(TimeGenerated), LastRequest=max(TimeGenerated), NumberOfRequests=count() by RequestURL\\n | extend base64_candidate = extract_all(extraction_regex, RequestURL)\\n | mv-expand base64_candidate to typeof(string)\\n) on $left.base64_user == $right.base64_candidate\\n| project FirstRequest, LastRequest, NumberOfRequests, RequestURL, DeviceIds=set_DeviceId, DeviceNames=set_DeviceName, UserName=InitiatingProcessAccountName\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"DeviceNames\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"RequestURL\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"UserName\"}]}],\"tactics\":[\"Exfiltration\",\"CommandAndControl\"],\"displayName\":\"Windows host username encoded in base64 web request\",\"description\":\"This detection will identify network requests in HTTP proxy data that contains Base64 encoded usernames from machines in the DeviceEvents table.\\nThis technique was seen usee by POLONIUM in their RunningRAT tool.\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2022-05-31T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/871ba14c-88ef-48aa-ad38-810f26760ca3\",\"name\":\"871ba14c-88ef-48aa-ad38-810f26760ca3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.3\",\"severity\":\"Medium\",\"query\":\"let queryfrequency = 1d;\\nlet queryperiod = 7d;\\nOfficeActivity\\n| where TimeGenerated \u003e ago(queryperiod)\\n| where OfficeWorkload =~ \\\"Exchange\\\"\\n//| where Operation in (\\\"Set-Mailbox\\\", \\\"New-InboxRule\\\", \\\"Set-InboxRule\\\")\\n| where Parameters has_any (\\\"ForwardTo\\\", \\\"RedirectTo\\\", \\\"ForwardingSmtpAddress\\\")\\n| mv-apply DynamicParameters = todynamic(Parameters) on (summarize ParsedParameters = make_bag(bag_pack(tostring(DynamicParameters.Name), DynamicParameters.Value)))\\n| evaluate bag_unpack(ParsedParameters, columnsConflict=\u0027replace_source\u0027)\\n| extend DestinationMailAddress = tolower(case(\\n isnotempty(column_ifexists(\\\"ForwardTo\\\", \\\"\\\")), column_ifexists(\\\"ForwardTo\\\", \\\"\\\"),\\n isnotempty(column_ifexists(\\\"RedirectTo\\\", \\\"\\\")), column_ifexists(\\\"RedirectTo\\\", \\\"\\\"),\\n isnotempty(column_ifexists(\\\"ForwardingSmtpAddress\\\", \\\"\\\")), trim_start(@\\\"smtp:\\\", column_ifexists(\\\"ForwardingSmtpAddress\\\", \\\"\\\")),\\n \\\"\\\"))\\n| where isnotempty(DestinationMailAddress)\\n| mv-expand split(DestinationMailAddress, \\\";\\\")\\n| extend ClientIPValues = extract_all(@\u0027\\\\[?(::ffff:)?(?P\u003cIPAddress\u003e(\\\\d+\\\\.\\\\d+\\\\.\\\\d+\\\\.\\\\d+)|[^\\\\]]+)\\\\]?([-:](?P\u003cPort\u003e\\\\d+))?\u0027, dynamic([\\\"IPAddress\\\", \\\"Port\\\"]), ClientIP)[0]\\n| extend ClientIP = tostring(ClientIPValues[0]), Port = tostring(ClientIPValues[1])\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), DistinctUserCount = dcount(UserId), UserId = make_set(UserId, 250), Ports = make_set(Port, 250), EventCount = count() by tostring(DestinationMailAddress), ClientIP\\n| where DistinctUserCount \u003e 1 and EndTime \u003e ago(queryfrequency)\\n| mv-expand UserId to typeof(string)\\n| extend AccountName = tostring(split(UserId, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(UserId, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserId\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]}],\"tactics\":[\"Collection\",\"Exfiltration\"],\"displayName\":\"Multiple users email forwarded to same destination\",\"description\":\"Identifies when multiple (more than one) users mailboxes are configured to forward to the same destination. \\nThis could be an attacker-controlled destination mailbox configured to collect mail from multiple compromised user accounts.\",\"lastUpdatedDateUTC\":\"2024-03-14T00:00:00Z\",\"createdDateUTC\":\"2019-08-23T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity (Exchange)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2cd8b3d5-c9e0-4be3-80f7-0469d511c3f6\",\"name\":\"2cd8b3d5-c9e0-4be3-80f7-0469d511c3f6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"BehaviorAnalytics\\n// User modification is expected from this account so focus on logons\\n| where ActivityType =~ \\\"LogOn\\\"\\n| where UserName startswith \\\"Sync_\\\" and UsersInsights.AccountDisplayName =~ \\\"On-Premises Directory Synchronization Service Account\\\"\\n// Filter out this expected activity\\n| where ActivityInsights.App !~ \\\"Microsoft Azure Active Directory Connect\\\"\\n| where InvestigationPriority \u003e 0\\n| extend Name = split(UserPrincipalName, \\\"@\\\")[0], UPNSuffix = split(UserPrincipalName, \\\"@\\\")[1]\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIPAddress\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"DestinationDevice\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Suspicious Sign In by AAD Connect Sync Account {{UserPrincipalName}} from {{SourceIPAddress}}\",\"alertDescriptionFormat\":\"This query looks for sign ins by the Azure AD Connect Sync account to Azure where properties about the logon are anomalous.\\nThis query uses Microsoft Sentinel\u0027s UEBA features to detect these suspicious properties.\\nA threat actor may attempt to steal the Sync account credentials and use them to access Azure resources. This alert should be \\nreviewed to ensure that the log in came was from a legitimate source.\\nIn this case {{UserPrincipalName}} logged in from {{SourceIPAddress}}.\\n\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"InitialAccess\"],\"displayName\":\"Suspicious Sign In by Entra ID Connect Sync Account\",\"description\":\"This query looks for sign ins by the Microsoft Entra ID Connect Sync account to Azure where properties about the logon are anomalous.\\nThis query uses Microsoft Sentinel\u0027s UEBA features to detect these suspicious properties.\\nA threat actor may attempt to steal the Sync account credentials and use them to access Azure resources. This alert should be \\nreviewed to ensure that the log in came was from a legitimate source.\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2023-03-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"BehaviorAnalytics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/106813db-679e-4382-a51b-1bfc463befc3\",\"name\":\"106813db-679e-4382-a51b-1bfc463befc3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.5\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(Url)\\n| where TimeGenerated \u003e= ago(ioc_lookBack)\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true and ExpirationDateTime \u003e now()\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n CommonSecurityLog\\n | extend IngestionTime = ingestion_time()\\n | where IngestionTime \u003e ago(dt_lookBack)\\n // Select on Palo Alto logs\\n | where DeviceVendor =~ \\\"Palo Alto Networks\\\"\\n | where DeviceEventClassID =~ \u0027url\u0027\\n //Uncomment the line below to only alert on allowed connections\\n //| where DeviceAction !~ \\\"block-url\\\"\\n //Select logs where URL data is populated\\n | extend PA_Url = column_ifexists(\\\"RequestURL\\\", \\\"None\\\")\\n | extend PA_Url = iif(isempty(PA_Url), extract(\\\"([^\\\\\\\"]+)\\\", 1, tolower(AdditionalExtensions)), trim(\u0027\\\"\u0027, PA_Url))\\n | extend PA_Url = iif(PA_Url !startswith \\\"http://\\\" and ApplicationProtocol !~ \\\"ssl\\\", strcat(\u0027http://\u0027, PA_Url), iif(PA_Url !startswith \\\"https://\\\" and ApplicationProtocol =~ \\\"ssl\\\", strcat(\u0027https://\u0027, PA_Url), PA_Url))\\n | where isnotempty(PA_Url)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n) on $left.Url == $right.PA_Url\\n| where CommonSecurityLog_TimeGenerated \u003c ExpirationDateTime\\n| summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, PA_Url\\n| project timestamp = CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DeviceAction, SourceIP, PA_Url, DeviceName\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"DeviceName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"PA_Url\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"TI Map URL Entity to PaloAlto Data\",\"description\":\"This query identifies any URL indicators of compromise (IOCs) from threat intelligence (TI) by searching for matches in PaloAlto Data.\",\"lastUpdatedDateUTC\":\"2024-07-09T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0d76e9cf-788d-4a69-ac7d-f234826b5bed\",\"name\":\"0d76e9cf-788d-4a69-ac7d-f234826b5bed\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Low\",\"query\":\"DnsEvents\\n| where Name contains \\\".\\\"\\n| where Name has_any (\\\"monerohash.com\\\", \\\"do-dear.com\\\", \\\"xmrminerpro.com\\\", \\\"secumine.net\\\", \\\"xmrpool.com\\\", \\\"minexmr.org\\\", \\\"hashanywhere.com\\\",\\n\\\"xmrget.com\\\", \\\"mininglottery.eu\\\", \\\"minergate.com\\\", \\\"moriaxmr.com\\\", \\\"multipooler.com\\\", \\\"moneropools.com\\\", \\\"xmrpool.eu\\\", \\\"coolmining.club\\\",\\n\\\"supportxmr.com\\\", \\\"minexmr.com\\\", \\\"hashvault.pro\\\", \\\"xmrpool.net\\\", \\\"crypto-pool.fr\\\", \\\"xmr.pt\\\", \\\"miner.rocks\\\", \\\"walpool.com\\\", \\\"herominers.com\\\",\\n\\\"gntl.co.uk\\\", \\\"semipool.com\\\", \\\"coinfoundry.org\\\", \\\"cryptoknight.cc\\\", \\\"fairhash.org\\\", \\\"baikalmine.com\\\", \\\"tubepool.xyz\\\", \\\"fairpool.xyz\\\", \\\"asiapool.io\\\",\\n\\\"coinpoolit.webhop.me\\\", \\\"nanopool.org\\\", \\\"moneropool.com\\\", \\\"miner.center\\\", \\\"prohash.net\\\", \\\"poolto.be\\\", \\\"cryptoescrow.eu\\\", \\\"monerominers.net\\\", \\\"cryptonotepool.org\\\",\\n\\\"extrmepool.org\\\", \\\"webcoin.me\\\", \\\"kippo.eu\\\", \\\"hashinvest.ws\\\", \\\"monero.farm\\\", \\\"supportxmr.com\\\", \\\"xmrpool.eu\\\", \\\"linux-repository-updates.com\\\", \\\"1gh.com\\\",\\n\\\"dwarfpool.com\\\", \\\"hash-to-coins.com\\\", \\\"hashvault.pro\\\", \\\"pool-proxy.com\\\", \\\"hashfor.cash\\\", \\\"fairpool.cloud\\\", \\\"litecoinpool.org\\\", \\\"mineshaft.ml\\\", \\\"abcxyz.stream\\\",\\n\\\"moneropool.ru\\\", \\\"cryptonotepool.org.uk\\\", \\\"extremepool.org\\\", \\\"extremehash.com\\\", \\\"hashinvest.net\\\", \\\"unipool.pro\\\", \\\"crypto-pools.org\\\", \\\"monero.net\\\",\\n\\\"backup-pool.com\\\", \\\"mooo.com\\\", \\\"freeyy.me\\\", \\\"cryptonight.net\\\", \\\"shscrypto.net\\\")\\n| extend HostName = iff(Computer has \u0027.\u0027, substring(Computer,0,indexof(Computer,\u0027.\u0027)),Computer)\\n| extend DnsDomain = iff(Computer has \u0027.\u0027, substring(Computer,indexof(Computer,\u0027.\u0027)+1),\\\"\\\")\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"DNS events related to mining pools\",\"description\":\"Identifies IP addresses that may be performing DNS lookups associated with common currency mining pools.\",\"lastUpdatedDateUTC\":\"2024-03-13T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/30fa312c-31eb-43d8-b0cc-bcbdfb360822\",\"name\":\"30fa312c-31eb-43d8-b0cc-bcbdfb360822\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.7\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @\u0027^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$\u0027;\\nlet Signins = materialize(union isfuzzy=true\\n( SigninLogs | where TimeGenerated \u003e= ago(dt_lookBack)),\\n( AADNonInteractiveUserSignInLogs | where TimeGenerated \u003e= ago(dt_lookBack)\\n | extend Status = todynamic(Status), LocationDetails = todynamic(LocationDetails))\\n| where isnotempty(UserPrincipalName) and UserPrincipalName matches regex emailregex\\n| extend UserPrincipalName = tolower(UserPrincipalName)\\n| extend Status = todynamic(Status), LocationDetails = todynamic(LocationDetails)\\n| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\n| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion)\\n| extend SigninLogs_TimeGenerated = TimeGenerated);\\nlet SigninUPNs = Signins | distinct UserPrincipalName | summarize make_list(UserPrincipalName);\\nThreatIntelligenceIndicator\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n| where TimeGenerated \u003e= ago(ioc_lookBack)\\n| where EmailSenderAddress in (SigninUPNs)\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true and ExpirationDateTime \u003e now()\\n| where Description !contains_cs \\\"State: inactive;\\\" and Description !contains_cs \\\"State: falsepos;\\\"\\n| join kind=innerunique (Signins) on $left.EmailSenderAddress == $right.UserPrincipalName\\n| where SigninLogs_TimeGenerated \u003c ExpirationDateTime\\n| summarize SigninLogs_TimeGenerated = arg_max(SigninLogs_TimeGenerated, *) by IndicatorId, UserPrincipalName\\n| project SigninLogs_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, EmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, IPAddress, UserPrincipalName, AppDisplayName, StatusCode, StatusDetails, NetworkIP, NetworkDestinationIP, NetworkSourceIP, Type\\n| extend Name = tostring(split(UserPrincipalName, \u0027@\u0027, 0)[0]), UPNSuffix = tostring(split(UserPrincipalName, \u0027@\u0027, 1)[0])\\n| extend timestamp = SigninLogs_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"TI map Email entity to SigninLogs\",\"description\":\"Identifies a match in SigninLogs table from any Email IOC from TI\",\"lastUpdatedDateUTC\":\"2024-07-10T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3cc5ccd8-b416-4141-bb2d-4eba370e37a5\",\"name\":\"3cc5ccd8-b416-4141-bb2d-4eba370e37a5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.5\",\"severity\":\"Medium\",\"query\":\"let OMIVulnerabilityPatchVersion = \\\"OMIVulnerabilityPatchVersion:1.13.40-0\\\";\\nHeartbeat\\n| where Category == \\\"Direct Agent\\\"\\n| summarize arg_max(TimeGenerated,*) by Computer\\n| parse strcat(\\\"Version:\\\" , Version) with * \\\"Version:\\\" Major:long \\\".\\\"\\nMinor:long \\\".\\\" Patch:long \\\"-\\\" *\\n| parse OMIVulnerabilityPatchVersion with * \\\"OMIVulnerabilityPatchVersion:\\\"\\nOMIVersionMajor:long \\\".\\\" OMIVersionMinor:long \\\".\\\" OMIVersionPatch:long \\\"-\\\" *\\n| where Major \u003cOMIVersionMajor or (Major==OMIVersionMajor and Minor\\n\u003cOMIVersionMinor) or (Major==OMIVersionMajor and Minor==OMIVersionMinor and\\nPatch\u003cOMIVersionPatch) \\n| project Version, Major,Minor,Patch,\\nComputer,ComputerIP,OSType,OSName,ResourceId\",\"customDetails\":{\"HostIp\":\"ComputerIP\",\"OSType\":\"OSType\",\"OSName\":\"OSName\"},\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceId\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"OMI Vulnerability Exploitation\",\"description\":\"Following the September 14th, 2021 release of three Elevation of Privilege (EoP) vulnerabilities (CVE-2021-38645, CVE-2021-38649, CVE-2021-38648) and one unauthenticated Remote Code Execution (RCE) vulnerability (CVE-2021-38647) in the Open Management Infrastructure (OMI) Framework.\\nThis detection validates that any OMS-agent that is reporting to the Microsoft Sentinel workspace is updated with the patch. The detection will go over the heartbeats received from all agents over the last day and will create alert for those agents who are not updated.\",\"lastUpdatedDateUTC\":\"2024-07-15T00:00:00Z\",\"createdDateUTC\":\"2021-09-23T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4d173248-439b-4741-8b37-f63ad0c896ae\",\"name\":\"4d173248-439b-4741-8b37-f63ad0c896ae\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Low\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ChiaCryptoIOC.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet process = (iocs | where Type =~ \\\"process\\\" | project IoC);\\n//This query uses sysmon data, sections that have - | where Source == \\\"Microsoft-Windows-Sysmon\\\" - may need to be updated with latest\\nWindowsEvent\\n| where EventID == \u00274688\u0027 and EventData has_any (process)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| where NewProcessName has_any (process)\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n , Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n , NewProcessId = tostring(EventData.NewProcessId)\\n| extend timestamp = TimeGenerated, Computer, Account, File = tostring(split(NewProcessName, \u0027\\\\\\\\\u0027, -1)[-1]), AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend FilePath = replace_string(NewProcessName, File, \u0027\u0027)\\n| project TimeGenerated, timestamp, File, AlertDetail, FilePath,Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type\\n| extend AccountCustomEntity = Account, HostCustomEntity = Computer, FileCustomEntity = File, FilePathCustomEntity = FilePath\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"FileCustomEntity\"},{\"identifier\":\"Directory\",\"columnName\":\"FilePathCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Chia_Crypto_Mining IOC - June 2021\",\"description\":\"Identifies a match across IOC\u0027s related to Chia cryptocurrency farming/plotting activity\",\"lastUpdatedDateUTC\":\"2022-12-13T00:00:00Z\",\"createdDateUTC\":\"2022-02-21T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ce1e7025-866c-41f3-9b08-ec170e05e73e\",\"name\":\"ce1e7025-866c-41f3-9b08-ec170e05e73e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"Medium\",\"query\":\"let SunburstURL=dynamic([\\\"panhardware.com\\\",\\\"databasegalore.com\\\",\\\"avsvmcloud.com\\\",\\\"freescanonline.com\\\",\\\"thedoccloud.com\\\",\\\"deftsecurity.com\\\"]);\\nDeviceNetworkEvents\\n| where ActionType == \\\"ConnectionSuccess\\\"\\n| where RemoteUrl in(SunburstURL)\\n| extend HashAlgorithm = \u0027MD5\u0027\\n| extend HostName = tostring(split(DeviceName, \\\".\\\")[0]), DomainIndex = toint(indexof(DeviceName, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(DeviceName, DomainIndex + 1), DeviceName)\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DeviceName\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingProcessAccountUpn\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatingProcessAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatingProcessAccountDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"RemoteIP\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"RemoteUrl\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"HashAlgorithm\"},{\"identifier\":\"Value\",\"columnName\":\"InitiatingProcessMD5\"}]}],\"tactics\":[\"Execution\",\"Persistence\",\"InitialAccess\"],\"displayName\":\"SUNBURST network beacons\",\"description\":\"Identifies SolarWinds SUNBURST domain beacon IOCs in DeviceNetworkEvents\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\",\"lastUpdatedDateUTC\":\"2024-04-04T00:00:00Z\",\"createdDateUTC\":\"2022-04-12T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/999e9f5d-db4a-4b07-a206-29c4e667b7e8\",\"name\":\"999e9f5d-db4a-4b07-a206-29c4e667b7e8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.8\",\"severity\":\"Medium\",\"query\":\"let HAS_ANY_MAX = 10000;\\nlet dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet DomainTIs= ThreatIntelligenceIndicator\\n // Picking up only IOC\u0027s that contain the entities we want\\n | where isnotempty(DomainName)\\n | where TimeGenerated \u003e= ago(ioc_lookBack)\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n | where Active == true and ExpirationDateTime \u003e now();\\nlet Domains = DomainTIs | where isnotempty(DomainName) |summarize NDomains=dcount(DomainName), DomainsList=make_set(DomainName) \\n | project DomainList = iff(NDomains \u003e HAS_ANY_MAX, dynamic([]), DomainsList) ;\\nDomainTIs\\n | join (\\n _Im_Dns(starttime=ago(dt_lookBack), domain_has_any=toscalar(Domains))\\n | extend DNS_TimeGenerated = TimeGenerated\\n) on $left.DomainName==$right.DnsQuery\\n| where DNS_TimeGenerated \u003c ExpirationDateTime\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, DNS_TimeGenerated, Dvc, SrcIpAddr, Domain, DnsQuery, DnsQueryType\\n| extend HostName = tostring(split(Dvc, \\\".\\\")[0]), DomainIndex = toint(indexof(Dvc, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Dvc, DomainIndex + 1), Dvc)\",\"customDetails\":{\"LatestIndicatorTime\":\"LatestIndicatorTime\",\"Description\":\"Description\",\"ActivityGroupNames\":\"ActivityGroupNames\",\"IndicatorId\":\"IndicatorId\",\"ThreatType\":\"ThreatType\",\"ExpirationDateTime\":\"ExpirationDateTime\",\"ConfidenceScore\":\"ConfidenceScore\",\"DNSRequestTime\":\"DNS_TimeGenerated\",\"SourceIPAddress\":\"SrcIpAddr\",\"DnsQuery\":\"DnsQuery\",\"QueryType\":\"DnsQueryType\"},\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Dvc\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"Domain\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"TI map Domain entity to Dns Events (ASIM DNS Schema)\",\"description\":\"Identifies a match in DNS events from any Domain IOC from TI\\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema\",\"lastUpdatedDateUTC\":\"2024-10-10T00:00:00Z\",\"createdDateUTC\":\"2021-09-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/70b12a3b-4896-42cb-910c-5ffaf8d7987d\",\"name\":\"70b12a3b-4896-42cb-910c-5ffaf8d7987d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"seoulhobi.biz\\\", \\\"reader.cash\\\", \\\"pieceview.club\\\", \\\"app-wallet.com\\\", \\\"bigwnet.com\\\", \\\"bitwoll.com\\\", \\\"cexrout.com\\\", \\\"change-pw.com\\\", \\\"checkprofie.com\\\", \\\"cloudwebappservice.com\\\", \\\"ctquast.com\\\", \\\"dataviewering.com\\\", \\\"day-post.com\\\", \\\"dialy-post.com\\\", \\\"documentviewingcom.com\\\", \\\"dovvn-mail.com\\\", \\\"down-error.com\\\", \\\"drivecheckingcom.com\\\", \\\"drog-service.com\\\", \\\"encodingmail.com\\\", \\\"filinvestment.com\\\", \\\"foldershareing.com\\\", \\\"golangapis.com\\\", \\\"hotrnall.com\\\", \\\"lh-logins.com\\\", \\\"login-use.com\\\", \\\"mail-down.com\\\", \\\"matmiho.com\\\", \\\"mihomat.com\\\", \\\"natwpersonal-online.com\\\", \\\"nidlogin.com\\\", \\\"nid-login.com\\\", \\\"nidlogon.com\\\", \\\"pw-change.com\\\", \\\"rnaii.com\\\", \\\"rnailm.com\\\", \\\"sec-live.com\\\", \\\"secrityprocessing.com\\\", \\\"securitedmode.com\\\", \\\"securytingmail.com\\\", \\\"set-login.com\\\", \\\"usrchecking.com\\\", \\\"com-serviceround.info\\\", \\\"mai1.info\\\", \\\"reviewer.mobi\\\", \\\"files-download.net\\\", \\\"fixcool.net\\\", \\\"hanrnaii.net\\\", \\\"office356-us.org\\\", \\\"smtper.org\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where isnotempty(FileHash)\\n| where DNSName in~ (DomainNames)\\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n),\\n(_Im_Dns (domain_has_any=DomainNames)\\n| extend DNSName = DnsQuery\\n| extend IPAddress = SrcIpAddr\\n),\\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where isnotempty(DNSName)\\n| where DNSName in~ (DomainNames)\\n| extend IPAddress = RemoteIp\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPCustomEntity = SourceHost \\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallNetworkRule\\\"\\n| where msg_s has_any (DomainNames)\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePortInt:int \\\" to \\\" TargetIP \\\":\\\" TargetPortInt:int *\\n| parse kind=regex flags=U msg_s with * \\\". Action\\\\\\\\: \\\" Action1a \\\"\\\\\\\\.\\\"\\n| parse msg_s with * \\\". Policy: \\\" Policy \\\". Rule Collection Group: \\\" RuleCollectionGroup \\\".\\\" *\\n| parse msg_s with * \\\" Rule Collection: \\\" RuleCollection \\\". Rule: \\\" Rule\\n| extend IPCustomEntity = SourceIP\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| where msg_s has_any (DomainNames)\\n| parse msg_s with \\\"DNS Request: \\\" SourceIP \\\":\\\" SourcePortInt:int \\\" - \\\" QueryID:int \\\" \\\" RequestType \\\" \\\" RequestClass \\\" \\\" hostname \\\". \\\" protocol \\\" \\\" details\\n| extend\\n ResponseDuration = extract(\\\"[0-9]*.?[0-9]+s$\\\", 0, msg_s),\\n SourcePort = tostring(SourcePortInt),\\n QueryID = tostring(QueryID)\\n| extend IPCustomEntity = SourceIP\\n| project TimeGenerated,SourceIP,hostname,RequestType,ResponseDuration,details,msg_s\\n| order by TimeGenerated\\n),\\n(AZFWApplicationRule\\n| where Fqdn has_any (DomainNames)\\n| extend IPCustomEntity = SourceIp\\n),\\n(AZFWDnsQuery\\n| where isnotempty(QueryName)\\n| where QueryName has_any (DomainNames)\\n| extend DNSName = QueryName\\n| extend IPCustomEntity = SourceIp\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"CredentialAccess\"],\"displayName\":\"[Deprecated] - Emerald Sleet domains included in DCU takedown\",\"description\":\"This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft\u0027s Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2020-01-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\",\"AZFWApplicationRule\",\"AZFWDnsQuery\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9713e3c0-1410-468d-b79e-383448434b2d\",\"name\":\"9713e3c0-1410-468d-b79e-383448434b2d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.4.2\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h; // Look back 1 hour for VMConnection events\\nlet ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators\\n// Fetch threat intelligence indicators related to IP addresses\\nlet IP_Indicators = ThreatIntelligenceIndicator\\n | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n | where TimeGenerated \u003e= ago(ioc_lookBack)\\n | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \\\"fe80\\\" and TI_ipEntity !startswith \\\"::\\\" and TI_ipEntity !startswith \\\"127.\\\"\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n | where Active == true and ExpirationDateTime \u003e now();\\n// Perform a join between IP indicators and VMConnection events\\nIP_Indicators\\n // Use innerunique to keep performance fast and result set low, as we only need one match to indicate potential malicious activity that needs investigation\\n | join kind=innerunique (\\n VMConnection\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | extend VMConnection_TimeGenerated = TimeGenerated\\n )\\n on $left.TI_ipEntity == $right.RemoteIp\\n // Filter out VMConnection events that occurred after the expiration of the corresponding indicator\\n | where VMConnection_TimeGenerated \u003c ExpirationDateTime\\n // Group the results by IndicatorId and keep the VMConnection event with the latest timestamp\\n | summarize VMConnection_TimeGenerated = arg_max(VMConnection_TimeGenerated, *) by IndicatorId, RemoteIp\\n // Select the desired output fields\\n | project VMConnection_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\n TI_ipEntity, Computer, Direction, ProcessName, SourceIp, DestinationIp, RemoteIp, Protocol, DestinationPort, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, Type\\n | extend timestamp = VMConnection_TimeGenerated, HostName = tostring(split(Computer, \u0027.\u0027, 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Computer, \u0027.\u0027), 1, -1), \u0027.\u0027))\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"RemoteIp\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"TI Map IP Entity to VMConnection\",\"description\":\"This query maps any IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in VMConnection.\",\"lastUpdatedDateUTC\":\"2024-07-09T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/610d3850-c26f-4f20-8d86-f10fdf2425f5\",\"name\":\"610d3850-c26f-4f20-8d86-f10fdf2425f5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Low\",\"query\":\"let EventNameList = dynamic([\\\"UpdateTrail\\\",\\\"DeleteTrail\\\",\\\"StopLogging\\\",\\\"DeleteFlowLogs\\\",\\\"DeleteEventBus\\\"]);\\nAWSCloudTrail\\n| where EventName in~ (EventNameList)\\n| extend UserIdentityArn = iif(isempty(UserIdentityArn), tostring(parse_json(Resources)[0].ARN), UserIdentityArn)\\n| extend UserName = tostring(split(UserIdentityArn, \u0027/\u0027)[-1])\\n| extend AccountName = case( UserIdentityPrincipalid == \\\"Anonymous\\\", \\\"Anonymous\\\", isempty(UserIdentityUserName), UserName, UserIdentityUserName)\\n| extend AccountName = iif(AccountName contains \\\"@\\\", tostring(split(AccountName, \u0027@\u0027, 0)[0]), AccountName),\\n AccountUPNSuffix = iif(AccountName contains \\\"@\\\", tostring(split(AccountName, \u0027@\u0027, 1)[0]), \\\"\\\")\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, RecipientAccountId, AccountName, AccountUPNSuffix, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent,\\nUserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion, EventSource\\n| extend timestamp = StartTimeUtc\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"},{\"identifier\":\"CloudAppAccountId\",\"columnName\":\"RecipientAccountId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIpAddress\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Changes made to AWS CloudTrail logs\",\"description\":\"Attackers often try to hide their steps by deleting or stopping the collection of logs that could show their activity.\\nThis alert identifies any manipulation of AWS CloudTrail, Cloudwatch/EventBridge or VPC Flow logs.\\nMore Information: AWS CloudTrail API: https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_Operations.html \\nAWS Cloudwatch/Eventbridge API: https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_Operations.html \\nAWS DelteteFlowLogs API : https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteFlowLogs.html \u0027 \",\"lastUpdatedDateUTC\":\"2024-07-15T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ac9e233e-44d4-45eb-b522-6e47445f6582\",\"name\":\"ac9e233e-44d4-45eb-b522-6e47445f6582\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"Medium\",\"query\":\"imRegistry\\n | where EventType in (\\\"RegistryValueSet\\\", \\\"RegistryKeyCreated\\\")\\n | where RegistryKey has \\\"Software\\\\\\\\Classes\\\\\\\\ms-settings\\\\\\\\shell\\\\\\\\open\\\\\\\\command\\\"\\n | extend TimeKey = bin(TimeGenerated, 1h)\\n | join (imProcess\\n | where Process endswith \\\"fodhelper.exe\\\"\\n | where ParentProcessName endswith \\\"cmd.exe\\\" or ParentProcessName endswith \\\"powershell.exe\\\" or ParentProcessName endswith \\\"powershell_ise.exe\\\"\\n | extend TimeKey = bin(TimeGenerated, 1h)) on TimeKey, Dvc\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DvcHostname\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DvcIpAddr\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ActorUsername\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Potential Fodhelper UAC Bypass (ASIM Version)\",\"description\":\"This detection looks for the steps required to conduct a UAC bypass using Fodhelper.exe. By default this detection looks for the setting of the required registry keys and the invoking of the process within 1 hour - this can be tweaked as required.\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2022-02-25T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/84cf1d59-f620-4fee-b569-68daf7008b7b\",\"name\":\"84cf1d59-f620-4fee-b569-68daf7008b7b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"let threshold = 10;\\nQualysHostDetection_CL\\n| mv-expand todynamic(Detections_s)\\n| extend Status = tostring(Detections_s.Status), Vulnerability = tostring(Detections_s.Results), Severity = tostring(Detections_s.Severity)\\n| where Status =~ \\\"New\\\" and Severity == \\\"5\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), dcount(NetBios_s) by tostring(Detections_s.QID)\\n| where dcount_NetBios_s \u003e= threshold\\n| extend timestamp = StartTime\",\"entityMappings\":[],\"tactics\":[\"InitialAccess\"],\"displayName\":\"New High Severity Vulnerability Detected Across Multiple Hosts\",\"description\":\"This creates an incident when a new high severity vulnerability is detected across multilple hosts\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2020-06-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"QualysVulnerabilityManagement\",\"dataTypes\":[\"QualysHostDetection_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1ce5e766-26ab-4616-b7c8-3b33ae321e80\",\"name\":\"1ce5e766-26ab-4616-b7c8-3b33ae321e80\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.5\",\"severity\":\"Medium\",\"query\":\"//Adjust this threshold to fit environment\\nlet signin_threshold = 5; \\n//Make a list of IPs with failed Windows host logins above threshold\\nlet win_fails = \\nSecurityEvent\\n| where EventID == 4625\\n| where LogonType in (10, 7, 3)\\n| where IpAddress != \\\"-\\\"\\n| summarize count() by IpAddress\\n| where count_ \u003e signin_threshold\\n| summarize make_list(IpAddress);\\nlet wef_fails =\\nWindowsEvent\\n| where EventID == 4625\\n| extend LogonType = tostring(EventData.LogonType)\\n| where LogonType in (10, 7, 3)\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| where IpAddress != \\\"-\\\"\\n| summarize count() by IpAddress\\n| where count_ \u003e signin_threshold\\n| summarize make_list(IpAddress);\\n//Make a list of IPs with failed *nix host logins above threshold\\nlet nix_fails = \\nSyslog\\n| where Facility contains \u0027auth\u0027 and ProcessName != \u0027sudo\u0027 and SyslogMessage has \u0027from\u0027 and not(SyslogMessage has_any (\u0027Disconnecting\u0027, \u0027Disconnected\u0027, \u0027Accepted\u0027, \u0027disconnect\u0027, @\u0027[preauth]\u0027))\\n| extend SourceIP = extract(\\\"(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.(([0-9]{1,3})))\\\",1,SyslogMessage)\\n| where SourceIP != \\\"\\\" and SourceIP != \\\"127.0.0.1\\\"\\n| summarize count() by SourceIP\\n| where count_ \u003e signin_threshold\\n| summarize make_list(SourceIP);\\n//See if any of the IPs with failed host logins hve had a sucessful Azure AD login\\nlet aadFunc = (tableName:string){\\ntable(tableName)\\n| where ResultType in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n| where IPAddress in (win_fails) or IPAddress in (nix_fails) or IPAddress in (wef_fails)\\n| extend Reason= \\\"Multiple failed host logins from IP address with successful Azure AD login\\\"\\n| extend timestamp = TimeGenerated, Type = Type\\n| extend AccountName = tostring(split(UserPrincipalName, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(UserPrincipalName, \\\"@\\\")[1])\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]}],\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"Failed host logons but success logon to AzureAD\",\"description\":\"Identifies a list of IP addresses with a minimum number(default of 5) of failed logon attempts to remote hosts.\\nUses that list to identify any successful logons to Microsoft Entra ID from these IPs within the same timeframe.\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2019-08-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8c2ef238-67a0-497d-b1dd-5c8a0f533e25\",\"name\":\"8c2ef238-67a0-497d-b1dd-5c8a0f533e25\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Low\",\"query\":\"let EventNameList = dynamic([\\\"AuthorizeDBSecurityGroupIngress\\\",\\\"CreateDBSecurityGroup\\\",\\\"DeleteDBSecurityGroup\\\",\\\"RevokeDBSecurityGroupIngress\\\"]);\\nAWSCloudTrail\\n| where EventName in~ (EventNameList)\\n| extend UserIdentityArn = iif(isempty(UserIdentityArn), tostring(parse_json(Resources)[0].ARN), UserIdentityArn)\\n| extend UserName = tostring(split(UserIdentityArn, \u0027/\u0027)[-1])\\n| extend AccountName = case( UserIdentityPrincipalid == \\\"Anonymous\\\", \\\"Anonymous\\\", isempty(UserIdentityUserName), UserName, UserIdentityUserName)\\n| extend AccountName = iif(AccountName contains \\\"@\\\", tostring(split(AccountName, \u0027@\u0027, 0)[0]), AccountName),\\n AccountUPNSuffix = iif(AccountName contains \\\"@\\\", tostring(split(AccountName, \u0027@\u0027, 1)[0]), \\\"\\\")\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, RecipientAccountId, AccountName, AccountUPNSuffix, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, UserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion, EventSource, AdditionalEventData, ResponseElements\\n| extend timestamp = StartTimeUtc\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"},{\"identifier\":\"CloudAppAccountId\",\"columnName\":\"RecipientAccountId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIpAddress\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Changes to internet facing AWS RDS Database instances\",\"description\":\"Amazon Relational Database Service (RDS) is scalable relational database in the cloud.\\nIf your organization have one or more AWS RDS Databases running, monitoring changes to especially internet facing AWS RDS (Relational Database Service)\\nOnce alerts triggered, validate if changes observed are authorized and adhere to change control policy.\\nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255 \\nand RDS API Reference Docs: https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_Operations.html\",\"lastUpdatedDateUTC\":\"2024-03-27T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3b9a44d7-c651-45ed-816c-eae583a6f2f1\",\"name\":\"3b9a44d7-c651-45ed-816c-eae583a6f2f1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"Medium\",\"query\":\"let lookback = 14d;\\nlet timeframe = 1d;\\nlet historical_data =\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(lookback) and TimeGenerated \u003c ago(timeframe)\\n| where OperationName =~ \\\"Library.VariableGroupModified\\\"\\n| extend variables = Data.Variables\\n| extend VariableGroupId = tostring(Data.VariableGroupId)\\n| extend UserKey = strcat(VariableGroupId, \\\"-\\\", ActorUserId)\\n| project UserKey;\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeframe)\\n| where OperationName =~ \\\"Library.VariableGroupModified\\\"\\n| extend VariableGroupName = tostring(Data.VariableGroupName)\\n| extend VariableGroupId = tostring(Data.VariableGroupId)\\n| extend UserKey = strcat(VariableGroupId, \\\"-\\\", ActorUserId)\\n| where UserKey !in (historical_data)\\n| project-away UserKey\\n| project-reorder TimeGenerated, VariableGroupName, ActorUPN, IpAddress, UserAgent\\n| extend timestamp = TimeGenerated\\n| extend AccountName = tostring(split(ActorUPN, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(ActorUPN, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ActorUPN\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure DevOps Build Variable Modified by New User\",\"description\":\"Variables can be configured and used at any stage of the build process in Azure DevOps to inject values. An attacker with the required permissions could modify or add to these variables to conduct malicious activity such as changing paths or remote endpoints called during the build.\\nAs variables are often changed by users, just detecting these changes would have a high false positive rate. This detection looks for modifications to variable groups where that user has not been observed modifying them before.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/572f3951-5fa3-4e42-9640-fe194d859419\",\"name\":\"572f3951-5fa3-4e42-9640-fe194d859419\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"let timeframe = 1h;\\nlet lookback = 7d;\\nlet known_useragents = dynamic([]);\\nDynamics365Activity\\n| where TimeGenerated \u003e ago(timeframe)\\n| extend Message = tostring(split(OriginalObjectId, \u0027 \u0027)[0])\\n| where Message =~ \\\"UserSignIn\\\"\\n| extend IPAddress = tostring(split(ClientIP, \\\":\\\")[0])\\n| where isnotempty(UserAgent)\\n// Exclude user agents with a render agent to reduce noise\\n| where UserAgent has_any (\\\"Gecko\\\", \\\"WebKit\\\", \\\"Presto\\\", \\\"Trident\\\", \\\"EdgeHTML\\\", \\\"Blink\\\")\\n| join kind=leftanti(\\nOfficeActivity\\n| where TimeGenerated \u003e ago(lookback)\\n| where UserAgent !in~ (known_useragents))\\non UserAgent\\n| summarize MostRecentActivity=max(TimeGenerated), IPs=make_set(IPAddress), Users=make_set(UserId), Actions=make_set(OriginalObjectId) by UserAgent\\n| extend timestamp = MostRecentActivity\",\"entityMappings\":[],\"tactics\":[\"InitialAccess\"],\"displayName\":\"New Office User Agent in Dynamics 365\",\"description\":\"Detects users accessing Dynamics from a User Agent that has not been seen in any Office 365 workloads in the last 7 days. Has configurable filter for known good user agents such as PowerApps.\",\"lastUpdatedDateUTC\":\"2022-12-12T00:00:00Z\",\"createdDateUTC\":\"2021-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Dynamics365\",\"dataTypes\":[\"Dynamics365Activity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/269435e3-1db8-4423-9dfc-9bf59997da1c\",\"name\":\"269435e3-1db8-4423-9dfc-9bf59997da1c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.6\",\"severity\":\"Low\",\"query\":\"AuditLogs\\n| where Category =~ \\\"RoleManagement\\\"\\n| where OperationName has \\\"Add member to role outside of PIM\\\"\\n or (LoggedByService =~ \\\"Core Directory\\\" and OperationName =~ \\\"Add member to role\\\" and Identity != \\\"MS-PIM\\\" and Identity != \\\"MS-PIM-Fairfax\\\")\\n| mv-apply TargetResource = TargetResources on \\n (\\n where TargetResource.type =~ \\\"User\\\"\\n | extend TargetUserPrincipalName = tostring(TargetResource.userPrincipalName)\\n )\\n| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n| extend InitiatingIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\\n| extend TargetName = tostring(split(TargetUserPrincipalName,\u0027@\u0027,0)[0]), TargetUPNSuffix = tostring(split(TargetUserPrincipalName,\u0027@\u0027,1)[0])\\n| extend InitiatedByName = tostring(split(InitiatingUserPrincipalName,\u0027@\u0027,0)[0]), InitiatedByUPNSuffix = tostring(split(InitiatingUserPrincipalName,\u0027@\u0027,1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatedByName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatedByUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"TargetName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"TargetUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAppServicePrincipalId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIpAddress\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Privileged Role Assigned Outside PIM\",\"description\":\"Identifies a privileged role being assigned to a user outside of PIM\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1\",\"lastUpdatedDateUTC\":\"2024-10-18T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bff058b2-500e-4ae5-bb49-a5b1423cbd5b\",\"name\":\"bff058b2-500e-4ae5-bb49-a5b1423cbd5b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.1.1\",\"severity\":\"Low\",\"query\":\"let fileAccessThrehold = 10;\\nOfficeActivity\\n| where OfficeWorkload =~ \\\"MicrosoftTeams\\\"\\n| where Operation =~ \\\"MemberAdded\\\"\\n| extend MemberAdded = tostring(parse_json(Members)[0].UPN)\\n| where MemberAdded contains (\\\"#EXT#\\\")\\n| project TimeAdded=TimeGenerated, Operation, MemberAdded, UserWhoAdded = UserId, TeamName\\n| join kind = inner (\\n OfficeActivity\\n | where OfficeWorkload =~ \\\"MicrosoftTeams\\\"\\n | where Operation =~ \\\"MemberRemoved\\\"\\n | extend MemberAdded = tostring(parse_json(Members)[0].UPN)\\n | where MemberAdded contains (\\\"#EXT#\\\")\\n | project TimeDeleted=TimeGenerated, Operation, MemberAdded, UserWhoDeleted = UserId, TeamName\\n ) on MemberAdded\\n| where TimeDeleted \u003e TimeAdded\\n| join kind=inner (\\n OfficeActivity\\n | where RecordType == \\\"SharePointFileOperation\\\"\\n | where SourceRelativeUrl has \\\"Microsoft Teams Chat Files\\\"\\n | where Operation == \\\"FileUploaded\\\"\\n | extend MemberAdded = UserId\\n | join kind = inner (\\n OfficeActivity\\n | where RecordType == \\\"SharePointFileOperation\\\"\\n | where Operation == \\\"FileAccessed\\\"\\n | where SourceRelativeUrl has \\\"Microsoft Teams Chat Files\\\"\\n | summarize FileAccessCount = count() by OfficeObjectId\\n | where FileAccessCount \u003e fileAccessThrehold\\n ) on $left.OfficeObjectId == $right.OfficeObjectId\\n )on MemberAdded\\n| project-away MemberAdded1, MemberAdded2, OfficeObjectId1, Operation1, Operation2, TeamName1, TeamName2\\n| extend MemberAddedAccountName = tostring(split(MemberAdded, \\\"@\\\")[0]), MemberAddedAccountUPNSuffix = tostring(split(MemberAdded, \\\"@\\\")[1])\\n| extend UserWhoAddedAccountName = tostring(split(UserWhoAdded, \\\"@\\\")[0]), UserWhoAddedAccountUPNSuffix = tostring(split(UserWhoAdded, \\\"@\\\")[1])\\n| extend UserWhoDeletedAccountName = tostring(split(UserWhoDeleted, \\\"@\\\")[0]), UserWhoDeletedAccountUPNSuffix = tostring(split(UserWhoDeleted, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"MemberAdded\"},{\"identifier\":\"Name\",\"columnName\":\"MemberAddedAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"MemberAddedAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserWhoAdded\"},{\"identifier\":\"Name\",\"columnName\":\"UserWhoAddedAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UserWhoAddedAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserWhoDeleted\"},{\"identifier\":\"Name\",\"columnName\":\"UserWhoDeletedAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UserWhoDeletedAccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Accessed files shared by temporary external user\",\"description\":\"This detection identifies when an external user is added to a Team or Teams chat and shares a file which is accessed by many users (\u003e10) and the users is removed within short period of time. This might be an indicator of suspicious activity.\",\"lastUpdatedDateUTC\":\"2024-10-28T00:00:00Z\",\"createdDateUTC\":\"2020-08-18T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity (Teams)\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity (SharePoint)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c1faf5e8-6958-11ec-90d6-0242ac120003\",\"name\":\"c1faf5e8-6958-11ec-90d6-0242ac120003\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n| where EventID == 4720 and TargetUserName endswith \\\"$\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Computer, SubjectUserName, SubjectDomainName, SubjectAccount, SubjectUserSid, SubjectLogonId, \\nTargetUserName, TargetDomainName, TargetAccount, TargetSid, UserPrincipalName\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| project-away DomainIndex\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SubjectAccount\"},{\"identifier\":\"Name\",\"columnName\":\"SubjectUserName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"SubjectDomainName\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Sid\",\"columnName\":\"SubjectUserSid\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetAccount\"},{\"identifier\":\"Name\",\"columnName\":\"TargetUserName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"TargetDomainName\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Sid\",\"columnName\":\"TargetSid\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Fake computer account created\",\"description\":\"This query detects domain user accounts creation (event ID 4720) where the username ends with $. \\nAccounts that end with $ are normally domain computer accounts and when they are created the event ID 4741 is generated instead.\\nRef: https://blog.menasec.net/2019/02/threat-hunting-6-hiding-in-plain-sights.html\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2021-12-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b12b3dab-d973-45af-b07e-e29bb34d8db9\",\"name\":\"b12b3dab-d973-45af-b07e-e29bb34d8db9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Medium\",\"query\":\"let timeframe = 15m;\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(timeframe)\\n| where HttpUserAgentOriginal contains \\\"WindowsPowerShell\\\"\\n| extend Message = \\\"Windows PowerShell User Agent\\\"\\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated,HttpUserAgentOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlOriginal\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]}],\"tactics\":[\"CommandAndControl\",\"DefenseEvasion\"],\"displayName\":\"Cisco Umbrella - Windows PowerShell User-Agent Detected\",\"description\":\"Rule helps to detect Powershell user-agent activity by an unusual process other than a web browser.\",\"lastUpdatedDateUTC\":\"2023-12-29T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/68271db2-cbe9-4009-b1d3-bb3b5fe5713c\",\"name\":\"68271db2-cbe9-4009-b1d3-bb3b5fe5713c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"Low\",\"query\":\"let User_Agents = dynamic ([\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70\\\", \\n\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.1 Safari/605.1.15\\\", \\n\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0\\\", \\n\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36\\\", \\n\\\"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36\\\"]);\\nOfficeActivity\\n| where RecordType in (\\\"AzureActiveDirectoryAccountLogon\\\", \\\"AzureActiveDirectoryStsLogon\\\") \\n| where Operation != \u0027UserLoggedIn\u0027\\n| extend UserAgent = iff(parse_json(ExtendedProperties)[0].Name =~ \\\"UserAgent\\\", extractjson(\\\"$[0].Value\\\", ExtendedProperties, typeof(string)),\\\"\\\")\\n| mv-expand parse_json(ExtendedProperties)\\n| where ExtendedProperties.Name =~ \\\"RequestType\\\"\\n| extend RequestType = todynamic(ExtendedProperties).Value\\n| where UserAgent =~ \\\"ms-office\\\" or UserAgent has_any (User_Agents)\\n| summarize authAttempts=dcount(TimeGenerated), firstAttempt=min(TimeGenerated), lastAttempt=max(TimeGenerated), uniqueIPs=dcount(ClientIP), uniqueAccounts=dcount(UserId), attemptedAccounts=make_set(UserId) by UserAgent\\n| where authAttempts \u003e 500\\n| extend timestamp = firstAttempt\\n| sort by uniqueAccounts\",\"entityMappings\":[],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"[Deprecated] - Possible Forest Blizzard attempted credential harvesting - Oct 2020\",\"description\":\"This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft\u0027s Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2020-09-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4ca74dc0-8352-4ac5-893c-73571cc78331\",\"name\":\"4ca74dc0-8352-4ac5-893c-73571cc78331\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"let keywords = dynamic([\\\"secret\\\", \\\"secrets\\\", \\\"password\\\", \\\"PAT\\\", \\\"passwd\\\", \\\"pswd\\\", \\\"pwd\\\", \\\"cred\\\", \\\"creds\\\", \\\"credentials\\\", \\\"credential\\\", \\\"key\\\"]);\\nAzureDevOpsAuditing\\n| where OperationName =~ \\\"Library.VariableGroupModified\\\"\\n| extend Type = tostring(Data.Type)\\n| extend VariableGroupId = tostring(Data.VariableGroupId)\\n| extend VariableGroupName = tostring(Data.VariableGroupName)\\n| mv-expand Data.Variables\\n| where VariableGroupName has_any (keywords) or Data_Variables has_any (keywords)\\n| where Type != \\\"AzureKeyVault\\\"\\n| where Data_Variables !has \\\"IsSecret\\\"\\n| extend timestamp = TimeGenerated\\n| extend AccountName = tostring(split(ActorUPN, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(ActorUPN, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ActorUPN\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Azure DevOps Variable Secret Not Secured\",\"description\":\"Credentials used in the build process may be stored as Azure DevOps variables. To secure these variables they should be stored in KeyVault or marked as Secrets. \\nThis detection looks for new variables added with names that suggest they are credentials but where they are not set as Secrets or stored in KeyVault.\",\"lastUpdatedDateUTC\":\"2024-03-13T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3533f74c-9207-4047-96e2-0eb9383be587\",\"name\":\"3533f74c-9207-4047-96e2-0eb9383be587\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Low\",\"query\":\"let detectionTime = 1d;\\nlet joinLookback = 14d;\\nAuditLogs\\n| where TimeGenerated \u003e ago(detectionTime)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Consent to application\\\"\\n| where TargetResources has \\\"offline\\\"\\n| mv-apply TargetResource=TargetResources on \\n (\\n where TargetResource.type =~ \\\"ServicePrincipal\\\"\\n | extend ModifiedProperties = TargetResource.modifiedProperties,\\n AppDisplayName = tostring(TargetResource.displayName),\\n AppClientId = tolower(tostring(TargetResource.id))\\n )\\n| where AppClientId !in ((externaldata(knownAppClientId:string, knownAppDisplayName:string)[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.OAuth.KnownApplications.csv\\\"] with (format=\\\"csv\\\")))\\n| mv-apply Properties=ModifiedProperties on \\n (\\n where Properties.displayName =~ \\\"ConsentAction.Permissions\\\"\\n | extend ConsentFull = tostring(Properties.newValue)\\n | extend ConsentFull = trim(@\u0027\\\"\u0027,tostring(ConsentFull))\\n )\\n| parse ConsentFull with * \\\"ConsentType: \\\" GrantConsentType \\\", Scope: \\\" GrantScope1 \\\"]\\\" *\\n| where ConsentFull has \\\"offline_access\\\" and ConsentFull has_any (\\\"Files.Read\\\", \\\"Mail.Read\\\", \\\"Notes.Read\\\", \\\"ChannelMessage.Read\\\", \\\"Chat.Read\\\", \\\"TeamsActivity.Read\\\", \\\"Group.Read\\\", \\\"EWS.AccessAsUser.All\\\", \\\"EAS.AccessAsUser.All\\\")\\n| where GrantConsentType != \\\"AllPrincipals\\\" // NOTE: we are ignoring if OAuth application was granted to all users via an admin - but admin due diligence should be audited occasionally\\n| extend GrantInitiatedByAppName = tostring(InitiatedBy.app.displayName)\\n| extend GrantInitiatedByAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n| extend GrantInitiatedByUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n| extend GrantInitiatedByAadUserId = tostring(InitiatedBy.user.id)\\n| extend GrantIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n| extend GrantInitiatedBy = iff(isnotempty(GrantInitiatedByUserPrincipalName), GrantInitiatedByUserPrincipalName, GrantInitiatedByAppName)\\n| extend GrantUserAgent = tostring(iff(AdditionalDetails[0].key =~ \\\"User-Agent\\\", AdditionalDetails[0].value, \\\"\\\"))\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, GrantInitiatedByUserPrincipalName, GrantInitiatedByAadUserId, GrantInitiatedByAppName, GrantInitiatedByAppServicePrincipalId, GrantIpAddress, GrantUserAgent, AppClientId, OperationName, ConsentFull, CorrelationId\\n| join kind = leftouter (AuditLogs\\n| where TimeGenerated \u003e ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add service principal\\\"\\n| mv-apply TargetResource=TargetResources on \\n (\\n where TargetResource.type =~ \\\"ServicePrincipal\\\"\\n | extend ModifiedProperties = TargetResource.modifiedProperties,\\n AppClientId = tolower(TargetResource.id)\\n )\\n| mv-apply ModifiedProperties=TargetResource.modifiedProperties on \\n (\\n where ModifiedProperties.displayName =~ \\\"AppAddress\\\" and ModifiedProperties.newValue has \\\"AddressType\\\"\\n | extend AppReplyURLs = ModifiedProperties.newValue\\n )\\n | distinct AppClientId, tostring(AppReplyURLs)\\n)\\non AppClientId\\n| join kind = innerunique (AuditLogs\\n| where TimeGenerated \u003e ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add OAuth2PermissionGrant\\\" or OperationName =~ \\\"Add delegated permission grant\\\"\\n | mv-apply TargetResource=TargetResources on \\n (\\n where TargetResource.type =~ \\\"ServicePrincipal\\\" and array_length(TargetResource.modifiedProperties) \u003e 0 and isnotnull(TargetResource.displayName)\\n | extend GrantAuthentication = tostring(TargetResource.displayName)\\n )\\n| extend GrantOperation = OperationName\\n| project GrantAuthentication, GrantOperation, CorrelationId\\n) on CorrelationId\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantInitiatedByUserPrincipalName, GrantInitiatedByAadUserId, GrantInitiatedByAppName, GrantInitiatedByAppServicePrincipalId, GrantIpAddress, GrantUserAgent, AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull\\n| extend Name = tostring(split(GrantInitiatedByUserPrincipalName,\u0027@\u0027,0)[0]), UPNSuffix = tostring(split(GrantInitiatedByUserPrincipalName,\u0027@\u0027,1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"GrantInitiatedByUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"GrantInitiatedByAadUserId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"GrantInitiatedByAppServicePrincipalId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"GrantIpAddress\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Suspicious application consent for offline access\",\"description\":\"This will alert when a user consents to provide a previously-unknown Azure application with offline access via OAuth.\\nOffline access will provide the Azure App with access to the listed resources without requiring two-factor authentication.\\nConsent to applications with offline access and read capabilities should be rare, especially as the knownApplications list is expanded. Public contributions to expand this filter are welcome!\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2024-01-09T00:00:00Z\",\"createdDateUTC\":\"2020-06-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d0aa8969-1bbe-4da3-9e76-09e5f67c9d85\",\"name\":\"d0aa8969-1bbe-4da3-9e76-09e5f67c9d85\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.2\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h; // Look back 1 hour for AzureDiagnostics logs\\nlet ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators\\n// Fetch threat intelligence indicators related to IP addresses\\nlet IP_Indicators = ThreatIntelligenceIndicator\\n | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n | where TimeGenerated \u003e= ago(ioc_lookBack)\\n | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \\\"fe80\\\" and TI_ipEntity !startswith \\\"::\\\" and TI_ipEntity !startswith \\\"127.\\\"\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n | where Active == true and ExpirationDateTime \u003e now();\\n// Perform a join between IP indicators and AzureDiagnostics logs for SQL Security Audit events\\nIP_Indicators\\n // Use innerunique to keep performance fast and result set low, as we only need one match to indicate potential malicious activity that needs investigation\\n | join kind=innerunique (\\n AzureDiagnostics\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where ResourceProvider == \u0027MICROSOFT.SQL\u0027\\n | where Category == \u0027SQLSecurityAuditEvents\u0027\\n | extend SQLSecurityAuditEvents_TimeGenerated = TimeGenerated\\n | extend ClientIP = column_ifexists(\\\"client_ip_s\\\", \\\"Not Available\\\")\\n | extend Action = column_ifexists(\\\"action_name_s\\\", \\\"Not Available\\\")\\n | extend Application = column_ifexists(\\\"application_name_s\\\", \\\"Not Available\\\")\\n | extend HostName = column_ifexists(\\\"host_name_s\\\", \\\"Not Available\\\")\\n )\\n on $left.TI_ipEntity == $right.ClientIP\\n // Filter out logs that occurred after the expiration of the corresponding indicator\\n | where SQLSecurityAuditEvents_TimeGenerated \u003c ExpirationDateTime\\n // Group the results by IndicatorId and ClientIP, and keep the log entry with the latest timestamp\\n | summarize SQLSecurityAuditEvents_TimeGenerated = arg_max(SQLSecurityAuditEvents_TimeGenerated, *) by IndicatorId, ClientIP\\n // Select the desired output fields\\n | project SQLSecurityAuditEvents_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\n TI_ipEntity, ResourceId, ClientIP, Action, Application, HostName, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, Type\\n // Rename the timestamp field\\n | extend timestamp = SQLSecurityAuditEvents_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"TI Map IP Entity to Azure SQL Security Audit Events\",\"description\":\"This query maps any IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in SQL Security Audit Events.\",\"lastUpdatedDateUTC\":\"2024-07-09T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureSql\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6dd2629c-534b-4275-8201-d7968b4fa77e\",\"name\":\"6dd2629c-534b-4275-8201-d7968b4fa77e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"SecurityEvent\\n| where EventID == 4657\\n| extend EventData = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, TargetAccount, Computer, EventSourceName, Channel, Task, Level, EventID, Activity, TargetLogonId, SourceComputerId, EventOriginId, Type, _ResourceId, TenantId, SourceSystem, ManagementGroupName, IpAddress, Account)\\n| extend ObjectName = column_ifexists(\u0027ObjectName\u0027, \\\"\\\"), OperationType = column_ifexists(\u0027OperationType\u0027, \\\"\\\"), ObjectValueName = column_ifexists(\u0027ObjectValueName\u0027, \\\"\\\")\\n| where ObjectName has \u0027Schedule\\\\\\\\TaskCache\\\\\\\\Tree\u0027 and ObjectValueName == \\\"SD\\\" and OperationType == \\\"%%1906\\\" // %%1906 - Registry value deleted\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| extend AccountName = tostring(split(TargetAccount, @\u0027\\\\\u0027)[1]), AccountNTDomain = tostring(split(TargetAccount, @\u0027\\\\\u0027)[0])\\n| extend timestamp = TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetAccount\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Scheduled Task Hide\",\"description\":\"This query detects attempts by malware to hide the scheduled task by deleting the SD (Security Descriptor) value. Removal of SD value results in the scheduled task disappearing from schtasks /query and Task Scheduler.\\n The query requires auditing to be turned on for HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tree registry hive as well as audit policy for registry auditing to be turned on.\\n Reference: https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/\\n Reference: https://4sysops.com/archives/audit-changes-in-the-windows-registry/\",\"lastUpdatedDateUTC\":\"2024-03-13T00:00:00Z\",\"createdDateUTC\":\"2022-04-12T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b8b8ba09-1e89-45a1-8bd7-691cd23bfa32\",\"name\":\"b8b8ba09-1e89-45a1-8bd7-691cd23bfa32\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"High\",\"query\":\"let query_frequency = 15m;\\nlet missing_period = 1h;\\n//Enter a reference list of hostnames for your DC servers\\nlet DCServersList = dynamic ([\\\"DC01.simulandlabs.com\\\",\\\"DC02.simulandlabs.com\\\"]);\\n//Alternatively, a Watchlist can be used\\n//let DCServersList = _GetWatchlist(\u0027HostName-DomainControllers\u0027) | project HostName;\\nHeartbeat\\n| summarize arg_max(TimeGenerated, *) by Computer\\n| where Computer in (DCServersList)\\n//You may specify the OS type of your Domain Controllers\\n//| where OSType == \u0027Windows\u0027\\n| where TimeGenerated between (ago(query_frequency + missing_period) .. ago(missing_period))\\n| project TimeGenerated, Computer, OSType, Version, ComputerEnvironment, Type, Solutions\\n| sort by TimeGenerated asc\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"Impact\",\"DefenseEvasion\"],\"displayName\":\"Missing Domain Controller Heartbeat\",\"description\":\"This detection will go over the heartbeats received from the agents of Domain Controllers over the last hour, and will create alerts if the last heartbeats were received an hour ago.\",\"lastUpdatedDateUTC\":\"2024-07-15T00:00:00Z\",\"createdDateUTC\":\"2021-11-23T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/074ce265-f684-41cd-af07-613c5f3e6d0d\",\"name\":\"074ce265-f684-41cd-af07-613c5f3e6d0d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.6.1\",\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"irf.services\\\",\\\"microsoft-onthehub.com\\\",\\\"msofficelab.com\\\",\\\"com-mailbox.com\\\",\\\"my-sharefile.com\\\",\\\"my-sharepoints.com\\\",\\n\\\"accounts-web-mail.com\\\",\\\"customer-certificate.com\\\",\\\"session-users-activities.com\\\",\\\"user-profile-credentials.com\\\",\\\"verify-linke.com\\\",\\\"support-servics.net\\\",\\n\\\"onedrive-sharedfile.com\\\",\\\"onedrv-live.com\\\",\\\"transparencyinternational-my-sharepoint.com\\\",\\\"transparencyinternational-my-sharepoints.com\\\",\\\"soros-my-sharepoint.com\\\"]);\\n(union isfuzzy=true\\n (CommonSecurityLog\\n | where Message has_any (DomainNames)\\n | parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 *\\n | extend AccountName = SourceUserID, DeviceName, IPAddress = SourceIP\\n ),\\n (_Im_Dns(domain_has_any=DomainNames)\\n | where DnsQuery has_any (DomainNames)\\n | extend IPAddress = SrcIpAddr, DeviceName = Dvc\\n ),\\n (VMConnection\\n | where RemoteDnsCanonicalNames has_any (DomainNames)\\n | parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n | extend IPAddress = RemoteIp, DeviceName = Computer\\n ),\\n (AzureDiagnostics \\n | where ResourceType == \\\"AZUREFIREWALLS\\\"\\n | where Category == \\\"AzureFirewallApplicationRule\\\"\\n | parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n | where DestinationHost has_any (DomainNames)\\n | extend DNSName = DestinationHost \\n | extend IPAddress = SourceHost\\n ),\\n (AzureDiagnostics\\n | where ResourceType == \\\"AZUREFIREWALLS\\\"\\n | where Category == \\\"AzureFirewallDnsProxy\\\"\\n | project TimeGenerated,Resource, msg_s, Type\\n | parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n | where Request_Name has_any (DomainNames)\\n | extend DNSName = Request_Name\\n | extend IPAddress = ClientIP\\n ),\\n (AZFWApplicationRule\\n | where isnotempty(Fqdn)\\n | where Fqdn has_any (DomainNames) \\n | extend DNSName = Fqdn \\n | extend IPAddress = SourceIp\\n ),\\n (AZFWDnsQuery\\n | where isnotempty(QueryName)\\n | where QueryName has_any (DomainNames)\\n | extend DNSName = QueryName\\n | extend IPAddress = SourceIp\\n ),\\n (\\n _Im_WebSession(url_has_any=DomainNames)\\n | extend IPAddress=IpAddr, DeviceName=Hostname, AccountName = tostring(split(User, \\\"@\\\")[0]), AccountDomain = tostring(split(User, \\\"@\\\")[1])\\n )\\n)\\n| where DNSName has_any (DomainNames)\\n| extend timestamp = TimeGenerated\\n| extend HostName = tostring(split(DeviceName, \\\".\\\")[0]), DomainIndex = toint(indexof(DeviceName, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(DeviceName, DomainIndex + 1), DeviceName)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"User\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DeviceName\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Known Forest Blizzard group domains - July 2019\",\"description\":\"Matches domain name IOCs related to Forest Blizzard group activity published July 2019 with CommonSecurityLog, DnsEvents and VMConnection dataTypes.\\nReferences: https://blogs.microsoft.com/on-the-issues/2019/07/17/new-cyberthreats-require-new-ways-to-protect-democracy/.\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2019-07-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\",\"AZFWApplicationRule\",\"AZFWDnsQuery\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c805d9b1-97e7-4bc0-9172-67edb36273e4\",\"name\":\"c805d9b1-97e7-4bc0-9172-67edb36273e4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Microsoft 365 Insider Risk Management\",\"displayName\":\"(Private Preview) Create incidents based on Microsoft 365 Insider Risk Management\",\"description\":\"Create incidents based on all alerts generated in Microsoft 365 Insider Risk Management\",\"lastUpdatedDateUTC\":\"2021-05-13T00:00:00Z\",\"createdDateUTC\":\"2021-05-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"OfficeIRM\",\"dataTypes\":[\"SecurityAlert (OfficeIRM)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e70fa6e0-796a-4e85-9420-98b17b0bb749\",\"name\":\"e70fa6e0-796a-4e85-9420-98b17b0bb749\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"High\",\"query\":\"DeviceInfo\\n| extend DeviceName = tolower(DeviceName)\\n| join (SecurityAlert\\n| where ProviderName =~ \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| where ThreatName has \\\"Solorigate\\\"\\n) on $left.DeviceName == $right.CompromisedEntity\\n| project TimeGenerated, DisplayName, ThreatName, CompromisedEntity, PublicIP, MachineGroup, AlertSeverity, Description, LoggedOnUsers, DeviceId, TenantId\\n| extend HostName = tostring(split(CompromisedEntity, \\\".\\\")[0]), DomainIndex = toint(indexof(CompromisedEntity, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(CompromisedEntity, DomainIndex + 1), CompromisedEntity)\\n| project-away DomainIndex\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CompromisedEntity\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"PublicIP\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Solorigate Defender Detections\",\"description\":\"Surfaces any Defender Alert for Solorigate Events. In Microsoft Sentinel the SecurityAlerts table includes only the Device Name of the affected device, this query joins the DeviceInfo table to clearly connect other information such as\\n Device group, ip, logged on users etc. This way, the Microsoft Sentinel user can have all the pertinent device info in one view for all the the Solarigate Defender alerts.\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2020-12-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftDefenderAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert (MDATP)\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceInfo\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c61ad0ac-ad68-4ebb-b41a-74296d3e0044\",\"name\":\"c61ad0ac-ad68-4ebb-b41a-74296d3e0044\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"Event\\n| where EventLog =~ \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID in (13)\\n| parse EventData with * \u0027TargetObject\\\"\u003e\u0027 TargetObject \\\"\u003c\\\" * \u0027Details\\\"\u003e\u0027 Details \\\"\u003c\\\" * \\n| where TargetObject has (\\\"\\\\\\\\Control\\\\\\\\Session Manager\\\\\\\\AppCertDLLs\\\\\\\\\\\")\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventID, Computer, TargetObject, Details\\n| extend HostName = iif(Computer has \u0027.\u0027,substring(Computer,0,indexof(Computer,\u0027.\u0027)),Computer) , DnsDomain = iif(Computer has \u0027.\u0027,substring(Computer,indexof(Computer,\u0027.\u0027)+1),\u0027\u0027)\",\"entityMappings\":[{\"entityType\":\"RegistryKey\",\"fieldMappings\":[{\"identifier\":\"Key\",\"columnName\":\"TargetObject\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Registry Persistence via AppCert DLL Modification\",\"description\":\"Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppCert DLLs loaded into processes. \\nDynamic-link libraries (DLLs) that are specified in the AppCertDLLs Registry key under HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Control\\\\Session Manager\\\\ are loaded into every process that calls the ubiquitously used application programming interface (API) functions CreateProcess, CreateProcessAsUser, CreateProcessWithLoginW, CreateProcessWithTokenW, or WinExec.\\nRef: https://attack.mitre.org/techniques/T1546/009/\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-03-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4e5914a4-2ccd-429d-a845-fa597f0bd8c5\",\"name\":\"4e5914a4-2ccd-429d-a845-fa597f0bd8c5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"High\",\"query\":\"let Hive_threats = dynamic([\\\"Ransom:Win64/Hive\\\", \\\"Ransom:Win32/Hive\\\"]);\\nDeviceInfo\\n| extend DeviceName = tolower(DeviceName)\\n| join kind=inner ( SecurityAlert\\n| where ProviderName == \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)\\n| where ThreatName in~ (Hive_threats) or ThreatFamilyName in~ (Hive_threats)\\n| extend CompromisedEntity = tolower(CompromisedEntity)\\n) on $left.DeviceName == $right.CompromisedEntity\\n| summarize by bin(TimeGenerated, 1d), DisplayName, ThreatName, ThreatFamilyName, PublicIP, AlertSeverity, Description, tostring(LoggedOnUsers), DeviceId, TenantId , CompromisedEntity, tostring(LoggedOnUsers), ProductName, Entities\\n| extend HostName = tostring(split(CompromisedEntity, \\\".\\\")[0]), DomainIndex = toint(indexof(CompromisedEntity, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(CompromisedEntity, DomainIndex + 1), CompromisedEntity)\\n| project-away DomainIndex\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CompromisedEntity\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"PublicIP\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"AV detections related to Hive Ransomware\",\"description\":\"This query looks for Microsoft Defender AV detections related to Hive Ransomware.\\nIn Microsoft Sentinel the SecurityAlerts table includes only the Device Name of the affected device, this query joins the DeviceInfo table to clearly connect other information such as Device group, ip, logged on users etc. This would allow the Microsoft Sentinel analyst to have more context related to the alert, if available.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-04-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9adbd1c3-a4be-44ef-ac2f-503fd25692ee\",\"name\":\"9adbd1c3-a4be-44ef-ac2f-503fd25692ee\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P8D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let threshold = 100;\\nlet timeRange = ago(7d);\\nlet timeBuffer = 1;\\nSigninLogs \\n| where TimeGenerated \u003e timeRange\\n| where ResultType == \\\"50057\\\" \\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), disabledAccountLoginAttempts = count(), \\ndisabledAccountsTargeted = dcount(UserPrincipalName), applicationsTargeted = dcount(AppDisplayName), disabledAccountSet = make_set(UserPrincipalName), \\napplicationSet = make_set(AppDisplayName) by IPAddress, AppId\\n| order by disabledAccountLoginAttempts desc\\n| join kind=inner (\\n // IPs are considered suspicious - and any related successful sign-ins are detected\\n SigninLogs\\n | where TimeGenerated \u003e timeRange\\n | where ResultType == 0\\n | summarize successSigninStart = min(TimeGenerated), successSigninEnd = max(TimeGenerated), successfulAccountSigninCount = dcount(UserPrincipalName), successfulAccountSigninSet = make_set(UserPrincipalName, 15) by IPAddress\\n // Assume IPs associated with sign-ins from 100+ distinct user accounts are safe\\n | where successfulAccountSigninCount \u003c threshold\\n) on IPAddress \\n// IPs where attempts to authenticate as disabled user accounts originated, and had a non-zero success rate for some other account\\n| where successfulAccountSigninCount != 0\\n// Successful Account Signins occur within the same lookback period as the failed \\n| extend SuccessBeforeFailure = iff(successSigninStart \u003e= StartTime and successSigninEnd \u003c= EndTime, true, false) \\n| project StartTime, EndTime, IPAddress, disabledAccountLoginAttempts, disabledAccountsTargeted, disabledAccountSet, applicationSet, \\nsuccessfulAccountSigninCount, successfulAccountSigninSet, successSigninStart, successSigninEnd, AppId\\n| order by disabledAccountLoginAttempts\\n// Break up the string of Succesfully signed into accounts into individual events\\n| mvexpand successfulAccountSigninSet\\n| extend JoinedOnIp = IPAddress\\n| join kind = inner (\\n OfficeActivity\\n | where TimeGenerated \u003e timeRange\\n | where Operation in~ ( \\\"Add-MailboxPermission\\\", \\\"Add-MailboxFolderPermission\\\", \\\"Set-Mailbox\\\", \\\"New-ManagementRoleAssignment\\\", \\\"New-InboxRule\\\", \\\"Set-InboxRule\\\", \\\"Set-TransportRule\\\") and not(UserId has_any (\u0027NT AUTHORITY\\\\\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\u0027, \u0027NT AUTHORITY\\\\\\\\SYSTEM (w3wp)\u0027, \u0027devilfish-applicationaccount\u0027))\\n // Remove port from the end of the IP and/or square brackets around IP, if they exist \\n | extend JoinedOnIp = case(\\n ClientIP matches regex @\u0027\\\\[((25[0-5]2[0-4][0-9]|[01]?[0-9][0-9]?)\\\\.){3}(25[0-5]2[0-4][0-9]|[01]?[0-9][0-9]?)\\\\]-\\\\d{1,5}\u0027, tostring(extract(\u0027\\\\\\\\[([0-9]+\\\\\\\\.[0-9]+\\\\\\\\.[0-9]+)\\\\\\\\]-[0-9]+\u0027, 1, ClientIP)),\\n ClientIP matches regex @\u0027\\\\[((25[0-5]2[0-4][0-9]|[01]?[0-9][0-9]?)\\\\.){3}(25[0-5]2[0-4][0-9]|[01]?[0-9][0-9]?)\\\\]\u0027, tostring(extract(\u0027\\\\\\\\[([0-9]+\\\\\\\\.[0-9]+\\\\\\\\.[0-9]+)\\\\\\\\]\u0027, 1, ClientIP)), \\n ClientIP matches regex @\u0027(((25[0-5]2[0-4][0-9]|[01]?[0-9][0-9]?)\\\\.){3}(25[0-5]2[0-4][0-9]|[01]?[0-9][0-9]?))-\\\\d{1,5}\u0027, tostring(extract(\u0027([0-9]+\\\\\\\\.[0-9]+\\\\\\\\.[0-9]+)-[0-9]+\u0027, 1, ClientIP)),\\n ClientIP matches regex @\u0027((25[0-5]2[0-4][0-9]|[01]?[0-9][0-9]?)\\\\.){3}(25[0-5]2[0-4][0-9]|[01]?[0-9][0-9]?)\u0027, ClientIP, \\n ClientIP matches regex @\u0027\\\\[((?:[0-9a-fA-F]{1,4}::?){1,8}[0-9a-fA-F]{1,4}|\\\\d{1,3}(?:\\\\.\\\\d{1,3}){3})\\\\]-\\\\d{1,5}\u0027, tostring(extract(\u0027\\\\\\\\[((?:[0-9a-fA-F]{1,4}::?){1,8}[0-9a-fA-F]{1,4}|\\\\\\\\d{1,3}(?:\\\\\\\\.\\\\\\\\d{1,3}){3})\\\\\\\\]-[0-9]+\u0027, 1, ClientIP)),\\n ClientIP matches regex @\u0027\\\\[((?:[0-9a-fA-F]{1,4}::?){1,8}[0-9a-fA-F]{1,4}|\\\\d{1,3}(?:\\\\.\\\\d{1,3}){3})\\\\]\u0027, tostring(extract(\u0027\\\\\\\\[((?:[0-9a-fA-F]{1,4}::?){1,8}[0-9a-fA-F]{1,4}|\\\\\\\\d{1,3}(?:\\\\\\\\.\\\\\\\\d{1,3}){3})\\\\\\\\]\u0027, 1, ClientIP)), \\n ClientIP matches regex @\u0027((?:[0-9a-fA-F]{1,4}::?){1,8}[0-9a-fA-F]{1,4}|\\\\d{1,3}(?:\\\\.\\\\d{1,3}){3})-\\\\d{1,5}\u0027, tostring(extract(\u0027((?:[0-9a-fA-F]{1,4}::?){1,8}[0-9a-fA-F]{1,4}|\\\\\\\\d{1,3}(?:\\\\\\\\.\\\\\\\\d{1,3}){3})-[0-9]+\u0027, 1, ClientIP)),\\n ClientIP matches regex @\u0027((?:[0-9a-fA-F]{1,4}::?){1,8}[0-9a-fA-F]{1,4}|\\\\d{1,3}(?:\\\\.\\\\d{1,3}){3})\u0027, ClientIP,\\n \\\"\\\")\\n | where isnotempty(JoinedOnIp)\\n | extend OfficeTimeStamp = ElevationTime, UserPrincipalName = UserId\\n) on JoinedOnIp\\n// Rare and risky operations only happen within a certain time range of the successful sign-in\\n| where OfficeTimeStamp \u003e= successSigninStart and datetime_diff(\u0027day\u0027, OfficeTimeStamp, successSigninEnd) \u003c= timeBuffer\\n| extend AccountName = tostring(split(UserPrincipalName, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(UserPrincipalName, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"JoinedOnIp\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]},{\"entityType\":\"CloudApplication\",\"fieldMappings\":[{\"identifier\":\"AppId\",\"columnName\":\"ApplicationId\"}]}],\"tactics\":[\"InitialAccess\",\"Persistence\",\"Collection\"],\"displayName\":\"High risk Office operation conducted by IP Address that recently attempted to log into a disabled account\",\"description\":\"It is possible that a disabled user account is compromised and another account on the same IP is used to perform operations that are not typical for that user.\\n The query filters the SigninLogs for entries where ResultType is indicates a disabled account and the TimeGenerated is within a defined time range.\\n It then summarizes these entries by IPAddress and AppId, calculating various statistics such as number of login attempts, distinct UPNs, App IDs etc and joins these results with another set of results from SigninLogs, filtering for entries with less than normal number of successful sign-ins.\\n It then filters out entries where there were no successful sign-ins or where successful sign-ins did not occur within the same lookback period as the failed sign-ins, later projecting relevant fields by the count of login attempts, and expands the set of successful sign-ins into individual events.\\n Finally, it joins these results with entries from OfficeActivity where certain operations deemed rare and high risk have been performed, ensuring their occurrance within a certain time range of the successful sign-ins.\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2023-10-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d992b87b-eb49-4a9d-aa96-baacf9d26247\",\"name\":\"d992b87b-eb49-4a9d-aa96-baacf9d26247\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"Medium\",\"query\":\"let IPList = dynamic([\\\"185.63.90.137\\\"]); \\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\nlet sha256Hashes = \\ndynamic([\\\"53854c6d163bfd0c56d8b297ac43bd25c21f696de6063031241e792ee65df441\\\",\\n\\\"c297e545b8f150cc5ff56dbb68dc74fe30a421d9d40f38f4a53083192697c44c\\\",\\n\\\"17921368901f23e0cad0d2fe4ce5694aebaf4727699ed0358117500701914d1b\\\",\\n\\\"198a2d42df010d838b4207f478d885ef36e3db13b1744d673e221b828c28bf77\\\",\\n\\\"71d7b48c2fdc7b57b104a7858a35165bbed21d2fa7e34828d6c1d50b2b33a1d0\\\",\\n\\\"601227d52c6e367e11b80240183d07d38bc11a88e844e8401fce17eb25e92ba8\\\",\\n\\\"63ff04bed4fdb120a9cb9b1ea7fd88e83f12fb01ab6a057088f8016e663b48d4\\\",\\n\\\"a3037c3389b811bc1404f719af5c8b9034c5e24710cf3a0b457d28bf1b922cf7\\\",\\n\\\"e19b8be1b21c066d60725e550f8455f824065abbf1b43f7b2fe4fb338b241ffc\\\",\\n\\\"a3037c3389b811bc1404f719af5c8b9034c5e24710cf3a0b457d28bf1b922cf7\\\"\\n]);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList) \\n| project TimeGenerated, SourceIP, DestinationIP, Message, SourceUserID, RequestURL\\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", MessageIP in (IPList), \\\"Message\\\", \\\"NoMatch\\\")\\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, \\\"NoMatch\\\"), AccountCustomEntity = SourceUserID\\n),\\n(DeviceNetworkEvents\\n| where RemoteIP in (IPList) or InitiatingProcessSHA256 in (sha256Hashes) \\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort, LocalIP\\n| extend timestamp = TimeGenerated, DNSName = RemoteUrl, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName\\n),\\n(WindowsFirewall\\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| project TimeGenerated, Computer, CommunicationDirection, SourceIP, DestinationIP, SourcePort, DestinationPort\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\")\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| project TimeGenerated,Resource, msg_s\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost) \\n| where SourceHost in (IPList) or DestinationHost in (IPList)\\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost\\n),\\n(AZFWApplicationRule\\n| where isnotempty(Fqdn)\\n| where SourceIp in (IPList) or Fqdn in (IPList)\\n| extend timestamp = TimeGenerated\\n| extend DNSName = Fqdn\\n| extend IPCustomEntity = SourceIp\\n),\\n(AZFWDnsQuery\\n| where isnotempty(QueryName)\\n| where SourceIp in (IPList) or QueryName in (IPList)\\n| extend timestamp = TimeGenerated\\n| extend DNSName = QueryName\\n| extend IPCustomEntity = SourceIp\\n),\\n(DeviceFileEvents\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RequestAccountName, RequestSourceIP, InitiatingProcessSHA256\\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n| where FileHash in (sha256Hashes)\\n),\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, SourceUserID, FileHash\\n| extend timestamp = TimeGenerated, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(DeviceEvents\\n| where InitiatingProcessSHA256 in~ (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256\\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(SecurityEvent\\n| where EventID == \u00274688\u0027\\n| where CommandLine has_any (IPList) \\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName\\n),\\n(WindowsEvent\\n| where EventID == \u00274688\u0027 and has_any_ipv4(EventData, toscalar(IPList)) \\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| where NewProcessName in (IPList) \\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| extend Account = strcat(EventData.SubjectDomainName,\\\"\\\\\\\\\\\", EventData.SubjectUserName)\\n| extend NewProcessId = tostring(EventData.NewProcessId)\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"[Deprecated] - Alert for IOCs related to Windows/ELF malware - IP, Hash IOCs - September 2021\",\"description\":\"This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft\u0027s Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2021-09-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceFileEvents\",\"DeviceEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\",\"AZFWApplicationRule\",\"AZFWDnsQuery\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/18dbdc22-b69f-4109-9e39-723d9465f45f\",\"name\":\"18dbdc22-b69f-4109-9e39-723d9465f45f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ActiniumIOC.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet AVHits = (iocs | where Type =~ \\\"AVDetection\\\"| project IoC);\\nSecurityAlert\\n| where ProviderName == \u0027MDATP\u0027\\n| extend ThreatName_ = tostring(parse_json(ExtendedProperties).ThreatName)\\n| where ThreatName_ has_any (AVHits)\\n| extend Directory = tostring(parse_json(Entities)[0].Directory), SHA256 = tostring(parse_json(tostring(parse_json(Entities)[0].FileHashes))[2].Value), FileName = tostring(parse_json(Entities)[0].Name), Hostname = tostring(parse_json(Entities)[6].FQDN)| extend AccountName = tostring(parse_json(tostring(parse_json(Entities)[6].LoggedOnUsers))[0].AccountName)\\n| project TimeGenerated, AlertName, ThreatName_, ProviderName, AlertSeverity, Description, RemediationSteps, ExtendedProperties, Entities, FileName,SHA256, Directory, Hostname, AccountName\\n| extend timestamp = TimeGenerated, HostCustomEntity = Hostname , AccountCustomEntity = AccountName, FileHashCustomEntity = SHA256, FileHashType = \\\"SHA256\\\"\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashType\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Aqua Blizzard AV hits - Feb 2022\",\"description\":\"Identifies a match in the Security Alert table for MDATP hits related to the Aqua Blizzard actor\",\"lastUpdatedDateUTC\":\"2023-07-18T00:00:00Z\",\"createdDateUTC\":\"2022-02-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftDefenderAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert (MDATP)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b6d03b88-4d27-49a2-9c1c-29f1ad2842dc\",\"name\":\"b6d03b88-4d27-49a2-9c1c-29f1ad2842dc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"let oneDriveCalls = dynamic([\u0027graph.microsoft.com/v1.0/me/drive/root:/Documents/data.txt:/content\u0027,\u0027graph.microsoft.com/v1.0/me/drive/root:/Documents/response.json:/content\u0027]);\\nlet oneDriveCallsRegex = dynamic([@\u0027graph\\\\.microsoft\\\\.com\\\\/v1\\\\.0\\\\/me\\\\/drive\\\\/root\\\\:\\\\/Uploaded\\\\/.*\\\\:\\\\/content\u0027,@\u0027graph\\\\.microsoft\\\\.com\\\\/v1\\\\.0\\\\/me\\\\/drive\\\\/root\\\\:\\\\/Downloaded\\\\/.*\\\\:\\\\/content\u0027]);\\nCommonSecurityLog\\n| where RequestURL has_any (oneDriveCalls) or RequestURL matches regex tostring(oneDriveCallsRegex[0]) or RequestURL matches regex tostring(oneDriveCallsRegex[1])\\n| project TimeGenerated, DeviceVendor, DeviceProduct, DeviceAction, DestinationDnsDomain, DestinationIP, RequestURL, SourceIP, SourceHostName, RequestClientApplication\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"SourceHostName\"}]}],\"tactics\":[\"Exfiltration\",\"CommandAndControl\"],\"displayName\":\"CreepyDrive URLs\",\"description\":\"CreepyDrive uses OneDrive for command and control. This detection identifies URLs specific to CreepyDrive.\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2022-05-31T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/186970ee-5001-41c1-8c73-3178f75ce96a\",\"name\":\"186970ee-5001-41c1-8c73-3178f75ce96a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"High\",\"query\":\"let Europium_threats = dynamic([\\\"TrojanDropper:ASP/WebShell!MSR\\\", \\\"Trojan:Win32/BatRunGoXml\\\", \\\"DoS:Win64/WprJooblash\\\", \\\"Ransom:Win32/Eagle!MSR\\\", \\\"Trojan:Win32/Debitom.A\\\"]);\\nDeviceInfo\\n| extend DeviceName = tolower(DeviceName)\\n| join kind=inner ( SecurityAlert\\n| where ProviderName == \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)\\n| where ThreatName in~ (Europium_threats) or ThreatFamilyName in~ (Europium_threats)\\n| extend CompromisedEntity = tolower(CompromisedEntity)\\n) on $left.DeviceName == $right.CompromisedEntity\\n| summarize by DisplayName, ThreatName, ThreatFamilyName, PublicIP, AlertSeverity, Description, tostring(LoggedOnUsers), DeviceId, TenantId, bin(TimeGenerated, 1d), CompromisedEntity, tostring(LoggedOnUsers), ProductName, Entities\\n| extend HostName = tostring(split(CompromisedEntity, \\\".\\\")[0]), DomainIndex = toint(indexof(CompromisedEntity, \u0027.\u0027))\\n| extend HostNameDomain = iff(CompromisedEntity != -1, substring(CompromisedEntity, DomainIndex + 1), CompromisedEntity)\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CompromisedEntity\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"PublicIP\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"AV detections related to Europium actors\",\"description\":\"This query looks for Microsoft Defender AV detections related to Europium actor. \\nIn Microsoft Sentinel the SecurityAlerts table includes only the Device Name of the affected device, this query joins the DeviceInfo table to clearly connect other information such as Device group, ip, etc. This would allow the Microsoft Sentinel analyst to have more context related to the alert, if available.\\n Reference: https://www.microsoft.com/security/blog/2022/09/08/microsoft-investigates-iranian-attacks-against-the-albanian-government \",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-04-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"SecurityAlert\",\"DeviceInfo\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0ee2aafb-4500-4e36-bcb1-e90eec2f0b9b\",\"name\":\"0ee2aafb-4500-4e36-bcb1-e90eec2f0b9b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.3\",\"severity\":\"Low\",\"query\":\"AWSCloudTrail\\n| where EventName =~ \\\"ConsoleLogin\\\"\\n| extend MFAUsed = tostring(parse_json(AdditionalEventData).MFAUsed), LoginResult = tostring(parse_json(ResponseElements).ConsoleLogin)\\n| where MFAUsed !~ \\\"Yes\\\" and LoginResult !~ \\\"Failure\\\"\\n| where SessionIssuerUserName !contains \\\"AWSReservedSSO\\\"\\n| extend UserIdentityArn = iif(isempty(UserIdentityArn), tostring(parse_json(Resources)[0].ARN), UserIdentityArn)\\n| extend UserName = tostring(split(UserIdentityArn, \u0027/\u0027)[-1])\\n| extend AccountName = case( UserIdentityPrincipalid == \\\"Anonymous\\\", \\\"Anonymous\\\", isempty(UserIdentityUserName), UserName, UserIdentityUserName)\\n| extend AccountName = iif(AccountName contains \\\"@\\\", tostring(split(AccountName, \u0027@\u0027, 0)[0]), AccountName),\\n AccountUPNSuffix = iif(AccountName contains \\\"@\\\", tostring(split(AccountName, \u0027@\u0027, 1)[0]), \\\"\\\")\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, LoginResult, MFAUsed, RecipientAccountId, AccountName, AccountUPNSuffix, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent,\\n UserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"},{\"identifier\":\"CloudAppAccountId\",\"columnName\":\"RecipientAccountId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIpAddress\"}]}],\"tactics\":[\"DefenseEvasion\",\"PrivilegeEscalation\",\"Persistence\",\"InitialAccess\"],\"displayName\":\"NRT Login to AWS Management Console without MFA\",\"description\":\"Multi-Factor Authentication (MFA) helps you to prevent credential compromise. This alert identifies logins to the AWS Management Console without MFA.\\nYou can limit this detection to trigger for administrative accounts if you do not have MFA enabled on all accounts.\\nThis is done by looking at the eventName ConsoleLogin and if the AdditionalEventData field indicates MFA was NOT used and the ResponseElements field indicates NOT a Failure. Thereby indicating that a non-MFA login was successful.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/15049017-527f-4d3b-b011-b0e99e68ef45\",\"name\":\"15049017-527f-4d3b-b011-b0e99e68ef45\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Medium\",\"query\":\"let procList = externaldata(Process:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Microsoft_Lolbas_Execution_Binaries.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nSecurityEvent\\n| where EventID == 4688 and Process has_any (procList) and not (NewProcessName has (\\\"C:\\\\\\\\Windows\\\\\\\\\\\"))\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, SubjectUserName, NewProcessName, Process, CommandLine\\n| extend Name=tostring(split(SubjectUserName, \\\"@\\\")[0]), UPNSuffix=tostring(split(SubjectUserName, \\\"@\\\")[1])\\n| extend HostName = iif(Computer has \u0027.\u0027,substring(Computer,0,indexof(Computer,\u0027.\u0027)),Computer) , DnsDomain = iif(Computer has \u0027.\u0027,substring(Computer,indexof(Computer,\u0027.\u0027)+1),\u0027\u0027)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLine\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"Windows Binaries Executed from Non-Default Directory\",\"description\":\"The query detects Windows binaries, that can be executed from a non-default directory (e.g. C:\\\\Windows\\\\, C:\\\\Windows\\\\System32 etc.). \\nRef: https://lolbas-project.github.io/\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/595a10c9-91be-4abb-bbc7-ae9c57848bef\",\"name\":\"595a10c9-91be-4abb-bbc7-ae9c57848bef\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"Low\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ChiaCryptoIOC.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet process = (iocs | where Type =~ \\\"process\\\" | project IoC);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\nlet IPList = (iocs | where Type =~ \\\"ip\\\"| project IoC);\\nlet domains = (iocs | where Type =~ \\\"domainname\\\"| project IoC);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or DestinationHostName has_any (domains) or RequestURL has_any (domains) or Message has_any (IPList)\\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| project TimeGenerated, SourceIP, DestinationIP, Message, SourceUserID, RequestURL, DNSName, Type\\n| extend MessageIP = extract(IPRegex, 0, Message), RequestIP = extract(IPRegex, 0, RequestURL)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", RequestURL has_any (domains), \\\"RequestUrl\\\", \\\"NoMatch\\\"), AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, IPEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, \\\"NoMatch\\\"), Account = SourceUserID\\n),\\n(DnsEvents\\n| where IPAddresses in (IPList) or Name in~ (domains) \\n| project TimeGenerated, Computer, IPAddresses, Name, ClientIP, Type\\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Computer\\n| extend timestamp = TimeGenerated, IPEntity = DestinationIPAddress\\n),\\n(VMConnection\\n| where SourceIp in (IPList) or DestinationIp in (IPList) or RemoteDnsCanonicalNames has_any (domains)\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| project TimeGenerated, Computer, Direction, ProcessName, SourceIp, DestinationIp, DestinationPort, RemoteDnsQuestions, DNSName,BytesSent, BytesReceived, RemoteCountry, Type\\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated, IPEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"NoMatch\\\"), File = ProcessName\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = tostring(EventDetail.[9].[\\\"#text\\\"]), DestinationIP = tostring(EventDetail.[14].[\\\"#text\\\"]), Image = tostring(EventDetail.[4].[\\\"#text\\\"])\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Image has_any (process)\\n| project TimeGenerated, SourceIP, DestinationIP, Image, Account = UserName, Computer, Type\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated, File = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), IPEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n| extend FilePath = replace_string(Image, File, \u0027\u0027)\\n), \\n(OfficeActivity\\n| where ClientIP in (IPList) \\n| project TimeGenerated, UserAgent, Operation, RecordType, UserId, ClientIP, Type\\n| extend timestamp = TimeGenerated, IPEntity = ClientIP, Account = UserId\\n),\\n(DeviceNetworkEvents\\n| where RemoteUrl has_any (domains) or RemoteIP in (IPList) or InitiatingProcessSHA256 in (sha256Hashes) or InitiatingProcessFileName has_any (process)\\n| project TimeGenerated, ActionType, DeviceId, Computer = DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort, LocalIP, Type\\n| extend timestamp = TimeGenerated, IPEntity = RemoteIP\\n),\\n(WindowsFirewall\\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| project TimeGenerated, Computer, CommunicationDirection, SourceIP, DestinationIP, SourcePort, DestinationPort, Type\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\")\\n| extend timestamp = TimeGenerated, Computer, IPEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| project TimeGenerated,Resource, msg_s, Type\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where Request_Name has_any (domains) or ClientIP in (IPList)\\n| extend timestamp = TimeGenerated, DNSName = Request_Name, IPEntity = ClientIP\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| project TimeGenerated,Resource, msg_s, Type\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (domains) \\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPEntity = SourceHost\\n),\\n(AZFWApplicationRule\\n| where isnotempty (Fqdn)\\n| where Fqdn has_any (domains)\\n| extend timestamp = TimeGenerated\\n| extend DNSName = Fqdn\\n| extend IPEntity = SourceIp\\n),\\n(AZFWDnsQuery\\n| where isnotempty(QueryName)\\n| where QueryName has_any (domains) or SourceIp in (IPList)\\n| extend timestamp = TimeGenerated\\n| extend DNSName = QueryName\\n| extend IPEntity = SourceIp\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| where EventDetail has_any (sha256Hashes) \\n| parse EventDetail with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256\\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = SHA256, Image = tostring(EventDetail.[4].[\\\"#text\\\"])\\n| extend timestamp = TimeGenerated, Computer, Account, File = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), FileHashAlgo = \u0027SHA256\u0027\\n| extend FilePath = replace_string(Image, File, \u0027\u0027)\\n),\\n(DeviceFileEvents\\n| where InitiatingProcessFolderPath has_any (process)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RequestAccountName, RequestSourceIP, InitiatingProcessSHA256, Type\\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256\\n| extend timestamp = TimeGenerated, Computer, Account, File = InitiatingProcessFileName, FileHashAlgo = \u0027SHA256\u0027\\n| extend FilePath = replace_string(InitiatingProcessFolderPath, File, \u0027\u0027)\\n),\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, SourceUserID, FileHash, Type\\n| extend timestamp = TimeGenerated, FileHashAlgo = \u0027SHA256\u0027, Account = SourceUserID\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| project TimeGenerated, EventDetail, UserName, Computer, Type\\n| extend Image = tostring(EventDetail.[4].[\\\"#text\\\"]), CommandLine = tostring(EventDetail.[10].[\\\"#text\\\"]), Account = UserName, FileHash = tostring(EventDetail.[17].[\\\"#text\\\"])\\n| where Image has_any (process)\\n| extend timestamp = TimeGenerated, Computer, Account, File = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), FileHashAlgo = \u0027SHA256\u0027\\n| extend FilePath= replace_string(Image, File, \u0027\u0027)\\n),\\n(DeviceEvents\\n| where InitiatingProcessFileName has_any (process) or InitiatingProcessSHA256 in~ (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath\\n| extend timestamp = TimeGenerated, Computer, Account, File = InitiatingProcessFileName, FileHashAlgo = \u0027SHA256\u0027\\n| extend FilePath = replace_string(InitiatingProcessFolderPath, File, \u0027\u0027)\\n),\\n(SecurityEvent\\n| where EventID == \u00274688\u0027\\n| where NewProcessName has_any (process)\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type\\n| extend timestamp = TimeGenerated, Computer, Account, File = tostring(split(NewProcessName, \u0027\\\\\\\\\u0027, -1)[-1])\\n| extend FilePath = replace_string(NewProcessName, File, \u0027\u0027)\\n)\\n)\\n| extend AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPEntity, FileCustomEntity = File, FilePathCustomEntity = FilePath, FileHashCustomEntity = FileHash\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"FileCustomEntity\"},{\"identifier\":\"Directory\",\"columnName\":\"FilePathCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashAlgo\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"[Deprecated] - Chia_Crypto_Mining - Domain, Process, Hash and IP IOCs - June 2021\",\"description\":\"This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft\u0027s Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2021-06-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceFileEvents\",\"DeviceEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\",\"AZFWApplicationRule\",\"AZFWDnsQuery\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/93a25f10-593d-4c57-a752-a8a75f031425\",\"name\":\"93a25f10-593d-4c57-a752-a8a75f031425\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let baseline_time = 14d;\\nlet detection_time = 1d;\\nDynamics365Activity\\n| where TimeGenerated between(ago(baseline_time)..ago(detection_time-1d))\\n| extend Message = tostring(split(OriginalObjectId, \u0027 \u0027)[0])\\n| where Message =~ \\\"RetrieveMultiple\\\"\\n| extend numQueryCount = todouble(QueryResults)\\n| extend QueryCount = iif(QueryResults contains \\\",\\\", todouble(countof(tostring(QueryResults), \u0027,\u0027) + 1), numQueryCount)\\n| extend QueryCount = iif(isnotempty(QueryCount), QueryCount, double(1))\\n| summarize sum(QueryCount) by UserId\\n| extend HistoricalBaseline = sum_QueryCount\\n| join (Dynamics365Activity\\n| where TimeGenerated \u003e ago(detection_time)\\n| extend Message = tostring(split(OriginalObjectId, \u0027 \u0027)[0])\\n| where Message =~ \\\"RetrieveMultiple\\\"\\n| extend numQueryCount = todouble(QueryResults)\\n| extend QueryCount = iif(QueryResults contains \\\",\\\", todouble(countof(tostring(QueryResults), \u0027,\u0027) + 1), numQueryCount)\\n| extend QueryCount = iif(isnotempty(QueryCount), QueryCount, double(1))\\n| summarize sum(QueryCount) by UserId\\n| extend CurrentExportRate = sum_QueryCount) on UserId\\n| where CurrentExportRate \u003e HistoricalBaseline\\n| project UserId, HistoricalBaseline, CurrentExportRate\\n| join kind=inner(Dynamics365Activity\\n| where TimeGenerated \u003e ago(detection_time)\\n| extend Message = tostring(split(OriginalObjectId, \u0027 \u0027)[0])\\n| where Message =~ \\\"RetrieveMultiple\\\"\\n| extend numQueryCount = todouble(QueryResults)\\n| extend QueryCount = iif(QueryResults contains \\\",\\\", todouble(countof(tostring(QueryResults), \u0027,\u0027) + 1), numQueryCount)\\n| extend QueryCount = iif(isnotempty(QueryCount), QueryCount, double(1))) on UserId\\n| project TimeGenerated, UserId, QueryCount, UserAgent, Message, ClientIP, HistoricalBaseline, CurrentExportRate, CorrelationId, CrmOrganizationUniqueName, Query\\n| summarize QuerySizes = make_set(QueryCount), MostRecentQuery = max(TimeGenerated), IPs = make_set(ClientIP), UserAgents = make_set(UserAgent), make_set(Query) by UserId, CrmOrganizationUniqueName, HistoricalBaseline, CurrentExportRate\\n| extend timestamp = MostRecentQuery, AccountCustomEntity = UserId\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"Collection\"],\"displayName\":\"Dynamics 365 - User Bulk Retrieval Outside Normal Activity\",\"description\":\"This query detects users retrieving significantly more records from Dynamics 365 than they have in the past 2 weeks. This could indicate potentially unauthorized access to data within Dynamics 365.\",\"lastUpdatedDateUTC\":\"2022-12-12T00:00:00Z\",\"createdDateUTC\":\"2021-02-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Dynamics365\",\"dataTypes\":[\"Dynamics365Activity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ee1818ec-5f65-4991-b711-bcf2ab7e36c3\",\"name\":\"ee1818ec-5f65-4991-b711-bcf2ab7e36c3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let lbtime = 10m;\\nCisco_Umbrella\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027proxylogs\u0027\\n| where DvcAction =~ \u0027Allowed\u0027\\n| where UrlOriginal matches regex @\u0027\\\\Ahttp:\\\\/\\\\/\\\\d{1,3}\\\\.\\\\d{1,3}\\\\.\\\\d{1,3}\\\\.\\\\d{1,3}.*\u0027\\n| project TimeGenerated, SrcIpAddr, Identities\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Identities\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - URI contains IP address\",\"description\":\"Malware can use IP address to communicate with C2.\",\"lastUpdatedDateUTC\":\"2023-12-29T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3705158d-e008-49c9-92dd-e538e1549090\",\"name\":\"3705158d-e008-49c9-92dd-e538e1549090\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"let Zinc_threats = dynamic([\\\"Trojan:Win32/ZetaNile.A\\\", \\\"Trojan:Win32/EventHorizon.A\\\", \\\"Trojan:Win32/FoggyBrass.A\\\", \\\"Trojan:Win32/FoggyBrass.B\\\", \\\"Trojan:Win32/PhantomStar.A\\\",\\\"Trojan:Win32/PhantomStar.C\\\",\\\"TrojanDropper:Win32/PhantomStar.A\\\"]);\\nDeviceInfo\\n| extend DeviceName = tolower(DeviceName)\\n| join kind=inner ( SecurityAlert\\n| where ProviderName == \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)\\n| where ThreatName in~ (Zinc_threats) or ThreatFamilyName in~ (Zinc_threats)\\n| extend CompromisedEntity = tolower(CompromisedEntity)\\n) on $left.DeviceName == $right.CompromisedEntity\\n| summarize by DisplayName, ThreatName, ThreatFamilyName, PublicIP, AlertSeverity, Description, tostring(LoggedOnUsers), DeviceId, TenantId , bin(TimeGenerated, 1d), CompromisedEntity, tostring(LoggedOnUsers), ProductName, Entities\\n| extend HostName = tostring(split(CompromisedEntity, \u0027.\u0027, 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(CompromisedEntity, \u0027.\u0027), 1, -1), \u0027.\u0027))\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"PublicIP\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"AV detections related to Zinc actors\",\"description\":\"This query looks for Microsoft Defender AV detections related to Zinc threat actor. In Microsoft Sentinel the SecurityAlerts table includes only the Device Name of the affected device, this query joins the DeviceInfo table to clearly connect other information such as Device group, ip, etc. \\n This would allow the Microsoft Sentinel analyst to have more context related to the alert, if available.\\n Reference: https://www.microsoft.com/security/blog/2022/09/29/zinc-weaponizing-open-source-software/\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-04-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"SecurityAlert\",\"DeviceInfo\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/737a2ce1-70a3-4968-9e90-3e6aca836abf\",\"name\":\"737a2ce1-70a3-4968-9e90-3e6aca836abf\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MLBehaviorAnalytics\",\"properties\":{\"severity\":\"Medium\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Anomalous RDP Login Detections\",\"description\":\"This detection uses machine learning (ML) to identify anomalous Remote Desktop Protocol (RDP) login activity, based on Windows Security Event data. Scenarios include:\\n\\n*\\tUnusual IP - This IP address has not or has rarely been seen in last 30 days.\\n*\\tUnusual Geo - The IP address, city, country and ASN have not (or rarely) been seen in last 30 days.\\n*\\tNew user - A new user logs in from an IP address and geo location, both or either of which are not expected to be seen in the last 30 days.\\n\\nAllow 7 days after this alert is enabled for Microsoft Sentinel to build a profile of normal activity for your environment.\\t\\n\\nThis detection requires a specific configuration of the data source. [Learn more](https://docs.microsoft.com/en-us/azure/sentinel/connect-windows-security-events)\\n\\nBy enabling this rule, you give Microsoft permission to copy ingested data outside of your Microsoft Sentinel workspace\u0027s geography as necessary for processing by the machine learning engine.\",\"lastUpdatedDateUTC\":\"2021-03-26T00:00:00Z\",\"createdDateUTC\":\"2020-04-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0b9ae89d-8cad-461c-808f-0494f70ad5c4\",\"name\":\"0b9ae89d-8cad-461c-808f-0494f70ad5c4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.1.7\",\"severity\":\"Low\",\"query\":\"let selfServicePasswordReset = dynamic([\\\"Self-service password reset flow activity progress\\\", \\\"Change password (self-service)\\\", \\\"Reset password (self-service)\\\"]); \\n//Self-service password reset flow activity progress is typically caused by a password policy which requires users to rotate passwords. This operation already implies the user has signed in successfully and therefore the password reset is non-malicious.\\nlet PerUserThreshold = 5;\\nlet TotalThreshold = 100;\\nlet action = dynamic([\\\"change\\\", \\\"changed\\\", \\\"reset\\\"]);\\nlet pWord = dynamic([\\\"password\\\", \\\"credentials\\\"]);\\nlet PasswordResetMultiDataSource =\\n(union isfuzzy=true\\n(//Password reset events\\n//4723: An attempt was made to change an account\u0027s password\\n//4724: An attempt was made to reset an accounts password\\nSecurityEvent\\n| where EventID in (\\\"4723\\\",\\\"4724\\\")\\n| project TimeGenerated, Computer, AccountType, Account, Type, TargetUserName),\\n(//Password reset events\\n//4723: An attempt was made to change an account\u0027s password\\n//4724: An attempt was made to reset an accounts password\\nWindowsEvent\\n| where EventID in (\\\"4723\\\",\\\"4724\\\")\\n| extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| extend TargetUserName = tostring(EventData.TargetUserName)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend AccountType=case(Account endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n| project TimeGenerated, Computer, AccountType, Account, Type, TargetUserName),\\n(//Azure Active Directory Password reset events\\nAuditLogs\\n| where OperationName has_any (pWord) and OperationName has_any (action) and Result =~ \\\"success\\\"\\n| where OperationName !in (selfServicePasswordReset)\\n| mv-apply TargetResource = TargetResources on \\n (\\n where TargetResource.type =~ \\\"User\\\"\\n | extend AccountType = tostring(TargetResource.type),\\n Account = tostring(InitiatedBy.user.userPrincipalName),\\n TargetUserName = tolower(tostring(TargetResource.userPrincipalName))\\n )\\n| project TimeGenerated, AccountType, Account, TargetUserName, Computer = \\\"\\\", Type),\\n(//OfficeActive ActiveDirectory Password reset events\\nOfficeActivity\\n| where OfficeWorkload == \\\"AzureActiveDirectory\\\"\\n| where (ExtendedProperties has_any (pWord) or ModifiedProperties has_any (pWord)) and (ExtendedProperties has_any (action) or ModifiedProperties has_any (action))\\n| extend AccountType = UserType, Account = OfficeObjectId\\n| project TimeGenerated, AccountType, Account, Type, Computer = \\\"\\\"),\\n(// Unix syslog password reset events\\nSyslog\\n| where Facility in (\\\"auth\\\",\\\"authpriv\\\")\\n| where SyslogMessage has_any (pWord) and SyslogMessage has_any (action)\\n| extend AccountType = iif(SyslogMessage contains \\\"root\\\", \\\"Root\\\", \\\"Non-Root\\\")\\n| where SyslogMessage matches regex \\\".*password changed for.*\\\"\\n| parse SyslogMessage with * \\\"password changed for\\\" Account\\n| project TimeGenerated, AccountType, Account, Computer = HostName, Type)\\n);\\nlet pwrmd = PasswordResetMultiDataSource\\n| project TimeGenerated, Computer, AccountType, Account, Type, TargetUserName;\\n(union isfuzzy=true\\n(pwrmd\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), Computerlist = make_set(Computer, 25), AccountType = make_set(AccountType, 25), Computer = arg_max(Computer , TimeGenerated), TargetUserList = make_set(TargetUserName, 25), TargetUserName = arg_max(TargetUserName, TimeGenerated), Total=count() by Account, Type\\n| where Total \u003e PerUserThreshold\\n| extend ResetPivot = \\\"PerUserReset\\\"),\\n(pwrmd\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ComputerList = make_set(Computer, 25), AccountList = make_set(Account, 25), AccountType = make_set(AccountType, 25), Computer = arg_max(Computer , TimeGenerated), TargetUserList = make_set(TargetUserName, 25), TargetUserName = arg_max(TargetUserName, TimeGenerated), Total=count() by Type\\n| where Total \u003e TotalThreshold\\n| extend ResetPivot = \\\"TotalUserReset\\\")\\n)\\n| extend timestamp = StartTimeUtc, HostName = tostring(split(Computer, \u0027.\u0027, 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Computer, \u0027.\u0027), 1, -1), \u0027.\u0027)), Name = tostring(split(Account, \u0027@\u0027, 0)[0]), UPNSuffix = tostring(split(Account, \u0027@\u0027, 1)[0]), TargetName = tostring(split(TargetUserName,\u0027@\u0027,0)[0]), TargetUPNSuffix = tostring(split(TargetUserName,\u0027@\u0027,1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUserName\"},{\"identifier\":\"Name\",\"columnName\":\"TargetName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"TargetUPNSuffix\"}]}],\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"Multiple Password Reset by user\",\"description\":\"This query will determine multiple password resets by user across multiple data sources.\\nAccount manipulation including password reset may aid adversaries in maintaining access to credentials and certain permission levels within an environment.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2019-09-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/75bf9902-0789-47c1-a5d8-f57046aa72df\",\"name\":\"75bf9902-0789-47c1-a5d8-f57046aa72df\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.5\",\"severity\":\"Medium\",\"query\":\"let procList = externaldata(Process:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Microsoft_Lolbas_Execution_Binaries.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet recycle_bin_paths = dynamic([@\\\":\\\\RECYCLER\\\", @\\\":\\\\$RECYCLE.BIN\\\"]);\\nlet ProcessCreationEvents=(union isfuzzy=true\\n(SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, NewProcessName,\\nFileName = Process, CommandLine, ParentProcessName\\n),\\n(WindowsEvent\\n| where EventID==4688 and EventData has_any (procList) and EventData has_any (recycle_bin_paths)\\n| extend CommandLine = tostring(EventData.CommandLine)\\n| where isnotempty(CommandLine)\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName) \\n| extend NewProcessName = tostring(EventData.NewProcessName) \\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, NewProcessName,\\nFileName = Process, CommandLine, ParentProcessName\\n));\\nProcessCreationEvents \\n| where FileName in~ (procList)\\n| where CommandLine has_any (recycle_bin_paths)\\n| project StartTimeUtc = TimeGenerated, Computer, Account, NewProcessName, FileName, CommandLine, ParentProcessName\\n| extend HostName = iif(Computer has \u0027.\u0027,substring(Computer,0,indexof(Computer,\u0027.\u0027)),Computer) , DnsDomain = iif(Computer has \u0027.\u0027,substring(Computer,indexof(Computer,\u0027.\u0027)+1),\u0027\u0027)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"Account\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Malware in the recycle bin\",\"description\":\"The query detects Windows binaries that can be used for executing malware and have been hidden in the recycle bin.\\nThe list of these binaries is sourced from https://lolbas-project.github.io/\\nReferences: https://azure.microsoft.com/blog/how-azure-security-center-helps-reveal-a-cyberattack/.\",\"lastUpdatedDateUTC\":\"2024-07-16T00:00:00Z\",\"createdDateUTC\":\"2018-09-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4902eddb-34f7-44a8-ac94-8486366e9494\",\"name\":\"4902eddb-34f7-44a8-ac94-8486366e9494\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.7\",\"severity\":\"Medium\",\"query\":\"let threshold = 5000;\\n_Im_NetworkSession(eventresult=\u0027Failure\u0027)\\n| summarize Count=count() by SrcIpAddr, bin(TimeGenerated,5m)\\n| where Count \u003e threshold\\n| extend timestamp = TimeGenerated, threshold\",\"customDetails\":{\"NumberOfDenies\":\"Count\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Excessive number of failed connections from {{SrcIpAddr}}\",\"alertDescriptionFormat\":\"The client at address {{SrcIpAddr}} generated more than {{threshold}} failures over a 5 minutes time window, which may indicate malicious activity.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"Impact\"],\"displayName\":\"Excessive number of failed connections from a single source (ASIM Network Session schema)\",\"description\":\"This rule identifies a single source that generates an excessive amount of failed connections. Modify the threshold to change the sensitivity of the rule: the higher the threshold, the less sensitive is the rule and less incidents will be generated.\\n This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2021-12-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"AzureNSG\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoAsaAma\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]},{\"connectorId\":\"AIVectraStream\",\"dataTypes\":[\"VectraStream\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoMeraki\",\"dataTypes\":[\"Syslog\",\"CiscoMerakiNativePoller\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9736e5f1-7b6e-4bfb-a708-e53ff1d182c3\",\"name\":\"9736e5f1-7b6e-4bfb-a708-e53ff1d182c3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":1,\"version\":\"2.0.3\",\"severity\":\"Low\",\"query\":\"let tokens = dynamic([\\\"416\\\",\\\"208\\\",\\\"192\\\",\\\"128\\\",\\\"120\\\",\\\"96\\\",\\\"80\\\",\\\"72\\\",\\\"64\\\",\\\"48\\\",\\\"44\\\",\\\"40\\\",\\\"nc12\\\",\\\"nc24\\\",\\\"nv24\\\"]);\\nlet operationList = dynamic([\\\"microsoft.compute/virtualmachines/write\\\", \\\"microsoft.resources/deployments/write\\\"]);\\nAzureActivity\\n| where OperationNameValue in~ (operationList)\\n| where ActivityStatusValue startswith \\\"Accept\\\"\\n| where Properties has \u0027vmSize\u0027\\n| extend parsed_property= parse_json(tostring((parse_json(Properties).responseBody))).properties\\n| extend vmSize = tostring((parsed_property.hardwareProfile).vmSize)\\n| mv-apply token=tokens to typeof(string) on (where vmSize contains token)\\n| extend ComputerName = tostring((parsed_property.osProfile).computerName)\\n| project TimeGenerated, OperationNameValue, ActivityStatusValue, Caller, CallerIpAddress, ComputerName, vmSize\\n| extend Name = tostring(split(Caller,\u0027@\u0027,0)[0]), UPNSuffix = tostring(split(Caller,\u0027@\u0027,1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Caller\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"ComputerName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"CallerIpAddress\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Creation of expensive computes in Azure\",\"description\":\"Identifies the creation of large size or expensive VMs (with GPUs or with a large number of virtual CPUs) in Azure.\\nAn adversary may create new or update existing virtual machines to evade defenses or use them for cryptomining purposes.\\nFor Windows/Linux Vm Sizes, see https://docs.microsoft.com/azure/virtual-machines/windows/sizes \\nAzure VM Naming Conventions, see https://docs.microsoft.com/azure/virtual-machines/vm-naming-conventions\",\"lastUpdatedDateUTC\":\"2024-03-04T00:00:00Z\",\"createdDateUTC\":\"2020-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f8127962-7739-4211-a4a9-390a7a00e91f\",\"name\":\"f8127962-7739-4211-a4a9-390a7a00e91f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT30M\",\"queryPeriod\":\"PT30M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let lbtime = 30m;\\nlet lbperiod = 14d;\\nlet knownrecipients = ProofpointPOD\\n| where TimeGenerated \u003e ago(lbperiod)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027outbound\u0027\\n| where SrcUserUpn != \u0027\u0027\\n| where array_length(todynamic(DstUserUpn)) == 1\\n| summarize recipients = make_set(tostring(todynamic(DstUserUpn)[0])) by SrcUserUpn\\n| extend commcol = SrcUserUpn;\\nProofpointPOD\\n| where TimeGenerated between (ago(lbtime) .. now())\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027outbound\u0027\\n| extend isProtected = todynamic(MsgParts)[0][\u0027isProtected\u0027]\\n| extend mimePgp = todynamic(MsgParts)[0][\u0027detectedMime\u0027]\\n| where isProtected == \u0027true\u0027 or mimePgp == \u0027application/pgp-encrypted\u0027\\n| extend DstUserMail = tostring(todynamic(DstUserUpn)[0])\\n| extend commcol = tostring(todynamic(DstUserUpn)[0])\\n| join knownrecipients on commcol\\n| where recipients !contains DstUserMail\\n| project SrcUserUpn, DstUserMail\\n| extend AccountCustomEntity = SrcUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"ProofpointPOD - Multiple protected emails to unknown recipient\",\"description\":\"Detects when multiple protected messages where sent to early not seen recipient.\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d3980830-dd9d-40a5-911f-76b44dfdce16\",\"name\":\"d3980830-dd9d-40a5-911f-76b44dfdce16\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"let locationThreshold = 1;\\nlet aadFunc = (tableName:string){\\ntable(tableName)\\n| where AppDisplayName =~ \\\"GitHub.com\\\"\\n| where ResultType == 0\\n| summarize CountOfLocations = dcount(Location), Locations = make_set(Location,100), BurstStartTime = min(TimeGenerated), BurstEndTime = max(TimeGenerated) by UserPrincipalName, Type\\n| where CountOfLocations \u003e locationThreshold\\n| extend timestamp = BurstStartTime\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\\n| extend Name = tostring(split(UserPrincipalName,\u0027@\u0027,0)[0]), UPNSuffix = tostring(split(UserPrincipalName,\u0027@\u0027,1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"GitHub Signin Burst from Multiple Locations\",\"description\":\"This detection triggers when there is a Signin burst from multiple locations in GitHub (Entra ID SSO).\\n This detection is based on configurable threshold which can be prone to false positives. To view the anomaly based equivalent of thie detection, please see here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Entra%20ID/Analytic%20Rules/AnomalousUserAppSigninLocationIncrease-detection.yaml. \",\"lastUpdatedDateUTC\":\"2024-01-04T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bc5ffe2a-84d6-48fe-bc7b-1055100469bc\",\"name\":\"bc5ffe2a-84d6-48fe-bc7b-1055100469bc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.7\",\"severity\":\"High\",\"query\":\"let SunburstMD5=dynamic([\\\"b91ce2fa41029f6955bff20079468448\\\",\\\"02af7cec58b9a5da1c542b5a32151ba1\\\",\\\"2c4a910a1299cdae2a4e55988a2f102e\\\",\\\"846e27a652a5e1bfbd0ddd38a16dc865\\\",\\\"4f2eb62fa529c0283b28d05ddd311fae\\\"]);\\nlet SupernovaMD5=\\\"56ceb6d0011d87b6e4d7023d7ef85676\\\";\\nimFileEvent\\n| where TargetFileMD5 in (SunburstMD5) or TargetFileMD5 in (SupernovaMD5)\\n| extend AccountName = tostring(split(User, @\u0027\\\\\u0027)[1]), AccountNTDomain = tostring(split(User, @\u0027\\\\\u0027)[0])\\n| extend AlgorithmType = \\\"MD5\\\"\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"User\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Dvc\"},{\"identifier\":\"HostName\",\"columnName\":\"DvcHostname\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DvcDomain\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmType\"},{\"identifier\":\"Value\",\"columnName\":\"TargetFileMD5\"}]}],\"tactics\":[\"Execution\",\"Persistence\",\"InitialAccess\"],\"displayName\":\"SUNBURST and SUPERNOVA backdoor hashes (Normalized File Events)\",\"description\":\"Identifies SolarWinds SUNBURST and SUPERNOVA backdoor file hash IOCs in File Events\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimFileEvent)\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2020-12-15T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1baaaf00-655f-4de9-8ff8-312e902cda71\",\"name\":\"1baaaf00-655f-4de9-8ff8-312e902cda71\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let known_locations = (\\n AADServicePrincipalSignInLogs\\n | where TimeGenerated between(ago(14d)..ago(1d))\\n | where ResultType == 0\\n | summarize by Location);\\n AADServicePrincipalSignInLogs\\n | where TimeGenerated \u003e ago(1d)\\n | where ResultType != 50126\\n | where Location !in (known_locations)\\n | extend City = tostring(parse_json(LocationDetails).city)\\n | extend State = tostring(parse_json(LocationDetails).state)\\n | extend Place = strcat(City, \\\" - \\\", State)\\n | extend Result = strcat(tostring(ResultType), \\\" - \\\", ResultDescription)\\n | summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated), make_set(Result), make_set(IPAddress), make_set(Place) by ServicePrincipalName, Location\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"ServicePrincipalName\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Service Principal Authentication Attempt from New Country\",\"description\":\"Detects when there is a Service Principal login attempt from a country that has not seen a successful login in the previous 14 days.\\n Threat actors may attempt to authenticate with credentials from compromised accounts - monitoring attempts from anomalous locations may help identify these attempts.\\n Authentication attempts should be investigated to ensure the activity was legitimate and if there is other similar activity.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADServicePrincipalSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b2c15736-b9eb-4dae-8b02-3016b6a45a32\",\"name\":\"b2c15736-b9eb-4dae-8b02-3016b6a45a32\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.2\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\n// The number of operations above which an IP address is considered an unusual source of role assignment operations\\nlet alertOperationThreshold = 5;\\nlet AzureBuiltInRole = externaldata(Role:string,RoleDescription:string,ID:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/AzureBuiltInRole.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet createRoleAssignmentActivity = AzureActivity\\n| where OperationNameValue =~ \\\"microsoft.authorization/roleassignments/write\\\";\\nlet RoleAssignedActivity = createRoleAssignmentActivity \\n| where TimeGenerated between (ago(starttime) .. ago(endtime))\\n| summarize count() by CallerIpAddress, Caller, bin(TimeGenerated, 1d)\\n| where count_ \u003e= alertOperationThreshold\\n// Returns all the records from the right side that don\u0027t have matches from the left.\\n| join kind = rightanti ( \\ncreateRoleAssignmentActivity\\n| where TimeGenerated \u003e ago(endtime)\\n| extend parsed_property = tostring(parse_json(Properties).requestbody)\\n| extend PrincipalId = case(parsed_property has_cs \u0027PrincipalId\u0027,parse_json(parsed_property).Properties.PrincipalId, parsed_property has_cs \u0027principalId\u0027,parse_json(parsed_property).properties.principalId,\\\"\\\")\\n| extend PrincipalType = case(parsed_property has_cs \u0027PrincipalType\u0027,parse_json(parsed_property).Properties.PrincipalType, parsed_property has_cs \u0027principalType\u0027,parse_json(parsed_property).properties.principalType, \\\"\\\")\\n| extend Scope = case(parsed_property has_cs \u0027Scope\u0027,parse_json(parsed_property).Properties.Scope, parsed_property has_cs \u0027scope\u0027,parse_json(parsed_property).properties.scope,\\\"\\\")\\n| extend RoleAddedDetails = case(parsed_property has_cs \u0027RoleDefinitionId\u0027,parse_json(parsed_property).Properties.RoleDefinitionId,parsed_property has_cs \u0027roleDefinitionId\u0027,parse_json(parsed_property).properties.roleDefinitionId,\\\"\\\")\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = make_set(TimeGenerated), ActivityStatusValue = make_set(ActivityStatusValue), CorrelationId = make_set(CorrelationId), ActivityCountByCallerIPAddress = count() \\nby ResourceId, CallerIpAddress, Caller, OperationNameValue, Resource, ResourceGroup, PrincipalId, PrincipalType, Scope, RoleAddedDetails\\n) on CallerIpAddress, Caller\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress;\\nlet RoleAssignedActivitywithRoleDetails = RoleAssignedActivity\\n| extend RoleAssignedID = tostring(split(RoleAddedDetails, \\\"/\\\")[-1])\\n// Returns all matching records from left and right sides.\\n| join kind = inner (AzureBuiltInRole \\n) on $left.RoleAssignedID == $right.ID;\\nlet CallerIPCountSummary = RoleAssignedActivitywithRoleDetails | summarize AssignmentCountbyCaller = count() by Caller, CallerIpAddress;\\nlet RoleAssignedActivityWithCount = RoleAssignedActivitywithRoleDetails | join kind = inner (CallerIPCountSummary | project Caller, AssignmentCountbyCaller, CallerIpAddress) on Caller, CallerIpAddress;\\nRoleAssignedActivityWithCount\\n| summarize arg_max(StartTimeUtc, *) by PrincipalId, RoleAssignedID\\n// \\tReturns all the records from the left side and only matching records from the right side.\\n| join kind = leftouter( IdentityInfo\\n| summarize arg_max(TimeGenerated, *) by AccountObjectId\\n) on $left.PrincipalId == $right.AccountObjectId\\n// Check if assignment count is greater than the threshold.\\n| where AssignmentCountbyCaller \u003e= alertOperationThreshold\\n| project ActivityTimeStamp, OperationNameValue, Caller, CallerIpAddress, PrincipalId, RoleAssignedID, RoleAddedDetails, Role, RoleDescription, AccountUPN, AccountCreationTime, GroupMembership, UserType, ActivityStatusValue, ResourceGroup, PrincipalType, Scope, CorrelationId, timestamp, AccountCustomEntity, IPCustomEntity, AssignmentCountbyCaller\\n| extend Name = tostring(split(Caller,\u0027@\u0027,0)[0]), UPNSuffix = tostring(split(Caller,\u0027@\u0027,1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Caller\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"CallerIpAddress\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Suspicious granting of permissions to an account\",\"description\":\"Identifies IPs from which users grant access to other users on Azure resources and alerts when a previously unseen source IP address is used.\",\"lastUpdatedDateUTC\":\"2024-03-04T00:00:00Z\",\"createdDateUTC\":\"2019-02-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"IdentityInfo\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3fe3c520-04f1-44b8-8398-782ed21435f8\",\"name\":\"3fe3c520-04f1-44b8-8398-782ed21435f8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.4\",\"severity\":\"Low\",\"query\":\"let torProxies=dynamic([\\\"tor2web.org\\\", \\\"tor2web.com\\\", \\\"torlink.co\\\", \\\"onion.to\\\", \\\"onion.ink\\\", \\\"onion.cab\\\", \\\"onion.nu\\\", \\\"onion.link\\\", \\n\\\"onion.it\\\", \\\"onion.city\\\", \\\"onion.direct\\\", \\\"onion.top\\\", \\\"onion.casa\\\", \\\"onion.plus\\\", \\\"onion.rip\\\", \\\"onion.dog\\\", \\\"tor2web.fi\\\", \\n\\\"tor2web.blutmagie.de\\\", \\\"onion.sh\\\", \\\"onion.lu\\\", \\\"onion.pet\\\", \\\"t2w.pw\\\", \\\"tor2web.ae.org\\\", \\\"tor2web.io\\\", \\\"tor2web.xyz\\\", \\\"onion.lt\\\", \\n\\\"s1.tor-gateways.de\\\", \\\"s2.tor-gateways.de\\\", \\\"s3.tor-gateways.de\\\", \\\"s4.tor-gateways.de\\\", \\\"s5.tor-gateways.de\\\", \\\"hiddenservice.net\\\"]);\\n_Im_Dns(domain_has_any=torProxies)\\n| extend HostName = tostring(split(Dvc, \\\".\\\")[0]), DomainIndex = toint(indexof(Dvc, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Dvc, DomainIndex + 1), Dvc)\\n| project-away DomainIndex\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Dvc\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"DNS events related to ToR proxies (ASIM DNS Schema)\",\"description\":\"Identifies IP addresses performing DNS lookups associated with common ToR proxies.\\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a5b3429d-f1da-42b9-883c-327ecb7b91ff\",\"name\":\"a5b3429d-f1da-42b9-883c-327ecb7b91ff\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.8\",\"severity\":\"Medium\",\"query\":\"SecurityAlert\\n| where TimeGenerated \u003e ago(1d)\\n| where ProductName == \\\"Azure Active Directory Identity Protection\\\"\\n| where AlertName == \\\"Sign-in from an infected device\\\"\\n| mv-apply EntityAccount=todynamic(Entities) on\\n(\\nwhere EntityAccount.Type == \\\"account\\\"\\n| extend AadTenantId = tostring(EntityAccount.AadTenantId), AadUserId = tostring(EntityAccount.AadUserId)\\n)\\n| mv-apply EntityIp=todynamic(Entities) on\\n(\\nwhere EntityIp.Type == \\\"ip\\\"\\n| extend IpAddress = tostring(EntityIp.Address)\\n)\\n| join kind=inner (\\nIdentityInfo\\n| distinct AccountTenantId, AccountObjectId, AccountUPN, AccountDisplayName\\n| extend UserAccount = AccountUPN\\n| extend UserName = AccountDisplayName\\n| where isnotempty(AccountDisplayName) and isnotempty(UserAccount)\\n| project AccountTenantId, AccountObjectId, UserAccount, UserName\\n)\\non\\n$left.AadTenantId == $right.AccountTenantId,\\n$left.AadUserId == $right.AccountObjectId\\n| extend CompromisedEntity = iff(CompromisedEntity == \\\"N/A\\\" or isempty(CompromisedEntity), UserAccount, CompromisedEntity)\\n| project AlertName, AlertSeverity, CompromisedEntity, UserAccount, IpAddress, TimeGenerated, UserName\\n| join kind=inner \\n(\\nAzureActivity\\n| where OperationNameValue has_any (\\\"/workspaces/computes/delete\\\", \\\"workspaces/delete\\\") \\n| where ActivityStatusValue has_any (\\\"Succeeded\\\", \\\"Success\\\")\\n| project TimeGenerated, ResourceProviderValue, _ResourceId, SubscriptionId, UserAccount=Caller, IpAddress=CallerIpAddress, CorrelationId, OperationId, ResourceGroup, TenantId\\n) on IpAddress, UserAccount\\n| extend AccountName = tostring(split(UserAccount, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(UserAccount, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserAccount\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"_ResourceId\"}]}],\"tactics\":[\"InitialAccess\",\"Impact\"],\"displayName\":\"Workspace deletion activity from an infected device\",\"description\":\"This query will alert on any sign-ins from devices infected with malware in correlation with workspace deletion activity. \\nAttackers may attempt to delete workspaces containing compute instances after successful compromise to cause service unavailability to regular business operation.\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2022-04-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectoryIdentityProtection\",\"dataTypes\":[\"SecurityAlert (IPC)\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"IdentityInfo\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/45076281-35ae-45e0-b443-c32aa0baf965\",\"name\":\"45076281-35ae-45e0-b443-c32aa0baf965\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.6\",\"severity\":\"High\",\"query\":\"let args = dynamic([\\\"objectcategory\\\",\\\"domainlist\\\",\\\"dcmodes\\\",\\\"adinfo\\\",\\\"trustdmp\\\",\\\"computers_pwdnotreqd\\\",\\\"Domain Admins\\\", \\\"objectcategory=person\\\", \\\"objectcategory=computer\\\", \\\"objectcategory=*\\\",\\\"dclist\\\"]);\\nlet parentProcesses = dynamic([\\\"pwsh.exe\\\",\\\"powershell.exe\\\",\\\"cmd.exe\\\"]);\\nimProcessCreate\\n//looks for execution from a shell\\n| where ActingProcessName has_any (parentProcesses)\\n| extend ActingProcessFileName = tostring(split(ActingProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where ActingProcessFileName in~ (parentProcesses)\\n// main filter\\n| where Process hassuffix \\\"AdFind.exe\\\" or TargetProcessSHA256 == \\\"c92c158d7c37fea795114fa6491fe5f145ad2f8c08776b18ae79db811e8e36a3\\\"\\n// AdFind common Flags to check for from various threat actor TTPs\\nor CommandLine has_any (args)\\n| extend AlgorithmType = \\\"SHA256\\\"\\n| extend AccountName = tostring(split(User, @\u0027\\\\\u0027)[1]), AccountNTDomain = tostring(split(User, @\u0027\\\\\u0027)[0])\\n| extend HostName = tostring(split(Dvc, \\\".\\\")[0]), DomainIndex = toint(indexof(Dvc, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Dvc, DomainIndex + 1), Dvc)\\n| project-away DomainIndex\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"User\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Dvc\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ActingProcessName\"},{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLine\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmType\"},{\"identifier\":\"Value\",\"columnName\":\"TargetProcessSHA256\"}]}],\"tactics\":[\"Discovery\"],\"displayName\":\"Probable AdFind Recon Tool Usage (Normalized Process Events)\",\"description\":\"Identifies the host and account that executed AdFind by hash and filename in addition to common and unique flags that are used by many threat actors in discovery.\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimProcessEvent)\",\"lastUpdatedDateUTC\":\"2024-03-04T00:00:00Z\",\"createdDateUTC\":\"2021-06-09T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a2e0eb51-1f11-461a-999b-cd0ebe5c7a72\",\"name\":\"a2e0eb51-1f11-461a-999b-cd0ebe5c7a72\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Azure Security Center for IoT\",\"displayName\":\"Create incidents based on Microsoft Defender for IOT alerts\",\"description\":\"Create incidents based on all alerts generated in Microsoft Defender for IOT\",\"lastUpdatedDateUTC\":\"2019-12-24T00:00:00Z\",\"createdDateUTC\":\"2019-12-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"IoT\",\"dataTypes\":[\"SecurityAlert (ASC for IoT)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/884ead54-cb3f-4676-a1eb-b26532d6cbfd\",\"name\":\"884ead54-cb3f-4676-a1eb-b26532d6cbfd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.2\",\"severity\":\"Low\",\"query\":\"let SensitiveOperationList = dynamic(\\n[\\\"VaultDelete\\\", \\\"KeyDelete\\\", \\\"SecretDelete\\\", \\\"SecretPurge\\\", \\\"KeyPurge\\\", \\\"SecretBackup\\\", \\\"KeyBackup\\\"]);\\nAzureDiagnostics\\n| extend ResultType = column_ifexists(\\\"ResultType\\\", \\\"NoResultType\\\"), \\nrequestUri_s = column_ifexists(\\\"requestUri_s\\\", \\\"None\\\"), \\nidentity_claim_oid_g = column_ifexists(\\\"identity_claim_oid_g\\\", \\\"None\\\"), CallerIPAddress = column_ifexists(\\\"CallerIPAddress\\\", \\\"None\\\"), \\nclientInfo_s = column_ifexists(\\\"clientInfo_s\\\", \\\"None\\\"), \\nidentity_claim_upn_s = column_ifexists(\\\"identity_claim_upn_s\\\", \\\"None\\\"),\\nidentity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = column_ifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"None\\\")\\n| where ResourceType =~ \\\"VAULTS\\\" and ResultType =~ \\\"Success\\\"\\n| where OperationName in~ (SensitiveOperationList)\\n| summarize EventCount=count(), StartTimeUtc=min(TimeGenerated), EndTimeUtc=max(TimeGenerated), TimeTriggered=make_list(TimeGenerated),OperationNameList=make_set(OperationName), RequestURLList=make_set(requestUri_s), CallerIPList = make_set(CallerIPAddress), CallerIPMax= arg_max(CallerIPAddress,*) by ResourceType, ResultType, Resource, identity_claim_upn_s, clientInfo_s, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\n| extend timestamp = StartTimeUtc\\n| extend Name = tostring(split(identity_claim_upn_s,\u0027@\u0027,0)[0]), UPNSuffix = tostring(split(identity_claim_upn_s,\u0027@\u0027,1)[0]), AadUserId = identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"AadUserId\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"CallerIPMax\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"NRT Sensitive Azure Key Vault operations\",\"description\":\"Identifies when sensitive Azure Key Vault operations are used. This includes: VaultDelete, KeyDelete, SecretDelete, SecretPurge, KeyPurge, SecretBackup, KeyBackup.\\nAny Backup operations should match with expected scheduled backup activity.\",\"lastUpdatedDateUTC\":\"2024-03-04T00:00:00Z\",\"createdDateUTC\":\"2019-07-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureKeyVault\",\"dataTypes\":[\"KeyVaultData\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ec491363-5fe7-4eff-b68e-f42dcb76fcf6\",\"name\":\"ec491363-5fe7-4eff-b68e-f42dcb76fcf6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"2.0.3\",\"severity\":\"Medium\",\"query\":\"AzureActivity\\n| where CategoryValue =~ \u0027Administrative\u0027\\n| where ResourceProviderValue =~ \u0027Microsoft.ADHybridHealthService\u0027\\n| where _ResourceId has \u0027AdFederationService\u0027\\n| where OperationNameValue =~ \u0027Microsoft.ADHybridHealthService/services/servicemembers/action\u0027\\n| extend claimsJson = parse_json(Claims)\\n| extend AppId = tostring(claimsJson.appid), AccountName = tostring(claimsJson.name), Name = tostring(split(Caller,\u0027@\u0027,0)[0]), UPNSuffix = tostring(split(Caller,\u0027@\u0027,1)[0])\\n| project-away claimsJson\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Caller\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"CallerIpAddress\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"NRT Microsoft Entra ID Hybrid Health AD FS New Server\",\"description\":\"This detection uses AzureActivity logs (Administrative category) to identify the creation or update of a server instance in an Microsoft Entra ID Hybrid Health AD FS service.\\nA threat actor can create a new AD Health ADFS service and create a fake server instance to spoof AD FS signing logs. There is no need to compromise an on-premises AD FS server.\\nThis can be done programmatically via HTTP requests to Azure. More information in this blog: https://o365blog.com/post/hybridhealthagent/\",\"lastUpdatedDateUTC\":\"2024-01-08T00:00:00Z\",\"createdDateUTC\":\"2021-08-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/60f31001-018a-42bf-8045-a92e1f361b7b\",\"name\":\"60f31001-018a-42bf-8045-a92e1f361b7b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"// Define a variable \u0027AwsAlert\u0027 to collect Unauthorized user access alerts from AWS GuardDuty table\\nlet AwsAlert = materialize (\\n AWSGuardDuty\\n | where ActivityType has_any (\\\"UnauthorizedAccess:IAMUser/TorIPCaller\\\", \\\"UnauthorizedAccess:IAMUser/MaliciousIPCaller.Custom\\\", \\n \\\"UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS\\\", \\\"UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.InsideAWS\\\",\\n \\\"UnauthorizedAccess:IAMUser/ConsoleLoginSuccess.B\\\",\\\"UnauthorizedAccess:IAMUser/MaliciousIPCaller\\\")\\n | extend\\n AWSAlertId = Id, \\n AWSAlertTitle = Title,\\n AWSAlertDescription = Description,\\n AWSresourceType = tostring(parse_json(ResourceDetails).resourceType),\\n AWSNetworkEntity = tostring(parse_json(ServiceDetails).action.awsApiCallAction.remoteIpDetails.ipAddressV4),\\n AWSAlertUserNameEntity = tostring(parse_json(ResourceDetails).accessKeyDetails.userName),\\n InstanceType = tostring(parse_json(ResourceDetails).instanceDetails.instanceType),\\n AWSTargetingService = parse_json(ServiceDetails).additionalInfo.apiCalls,\\n AWSAlertTime = TimeCreated,\\n AWSAlertLink= tostring(strcat(\u0027https://us-east-1.console.aws.amazon.com/guardduty/home?region=us-east-1#/findings?macros=current\u0026fId=\u0027,Id)),\\n Severity = \\n case (\\n Severity \u003e= 7.0, \\\"High\\\",\\n Severity between (4.0 .. 6.9), \\\"Medium\\\",\\n Severity between (1.0 .. 3.9), \\\"Low\\\",\\n \\\"Unknown\\\")\\n | mv-apply AIPCall = AWSTargetingService on \\n ( \\n where AIPCall has \\\"name\\\" \\n | extend APICallName = tostring(AIPCall.name), APICallCount = tostring(AIPCall[\\\"count\\\"])\\n ) \\n | distinct\\n AWSAlertTime,\\n ActivityType,\\n Severity,\\n AWSAlertId,\\n AWSAlertTitle,\\n AWSAlertDescription,\\n AWSAlertLink,\\n Arn,\\n AWSresourceType,\\n AWSNetworkEntity,\\n AWSAlertUserNameEntity,\\n InstanceType,\\n APICallName,\\n APICallCount \\n );\\n // Define a variable \u0027Azure_sigin\u0027 to collect Azure portal Signing activity from SigninLogs Table\\n let Azure_sigin = materialize (SigninLogs\\n | where AppDisplayName == \\\"Azure Portal\\\"\\n | where isnotempty(OriginalRequestId)\\n | summarize \\n totalAzureLoginEventId = dcount(OriginalRequestId), \\n AzureFailedEventsCount = dcountif(OriginalRequestId, ResultType != 0), \\n AzureSuccessfulEventsCount = dcountif(OriginalRequestId, ResultType == 0),\\n AzureSetOfFailedEvents = makeset(iff(ResultType != 0, OriginalRequestId, \\\"\\\"), 5), \\n AzureSetOfSuccessfulEvents = makeset(iff(ResultType == 0, OriginalRequestId, \\\"\\\"), 5) \\n by \\n IPAddress, \\n UserPrincipalName, \\n bin(TimeGenerated, 1min), \\n UserAgent,\\n ConditionalAccessStatus,\\n OperationName,\\n RiskDetail,\\n AuthenticationRequirement,\\n ClientAppUsed \\n // Extracting the name and UPN suffix from UserPrincipalName\\n | extend\\n Name = tostring(split(UserPrincipalName, \\\"@\\\")[0]),\\n UPNSuffix = tostring(split(UserPrincipalName, \\\"@\\\")[1])\\n );\\n // Join \u0027AwsAlert\u0027 and \u0027Azure_sigin\u0027 on the AWS Network Entity and Azure IP Address\\n AwsAlert\\n | join kind=inner Azure_sigin on $left.AWSNetworkEntity == $right.IPAddress\",\"customDetails\":{\"AWSAlertUserName\":\"AWSAlertUserNameEntity\",\"AWSArn\":\"Arn\",\"AWSresourceType\":\"AWSresourceType\",\"AWSInstanceType\":\"InstanceType\",\"AWSAPICallName\":\"APICallName\",\"AWSAPICallCount\":\"APICallCount\",\"AzureUserAgent\":\"UserAgent\",\"AzureUser\":\"UserPrincipalName\",\"AzureClientAppUsed\":\"ClientAppUsed\",\"AzConditionalAccess\":\"ConditionalAccessStatus\",\"AzureOperationName\":\"OperationName\",\"AzureRiskDetail\":\"RiskDetail\",\"AzAuthRequirement\":\"AuthenticationRequirement\",\"alertSeverity\":\"Severity\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"{{AWSNetworkEntity}} from {{AWSAlertTitle}} observed in Azure Singins with {{UserPrincipalName}}\",\"alertDescriptionFormat\":\" This detection compiles and correlates unauthorized user access alerts originating from AWS GuardDuty With Alert Description \u0027{{AWSAlertDescription}}\u0027 with Azure portal sign-in activities. It focuses on AWS GuardDuty alerts related to unauthorized user access, specifically targeting network IP associations tied to activities such as logins from malicious IP addresses or instance credential exfiltration attempts. The detection leverages these common network IP advisories to detect and pinpoint unauthorized users attempting to access both AWS and Azure resources. \\n\\n AWS ALert Link : \u0027{{AWSAlertLink}}\u0027 \\n\\n Find More Details :https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-active.html\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":\"Severity\"},\"tactics\":[\"CredentialAccess\",\"Exfiltration\",\"Discovery\"],\"displayName\":\"Unauthorized user access across AWS and Azure\",\"description\":\"\\nThis detection compiles and correlates unauthorized user access alerts originating from AWS GuardDuty with Azure portal sign-in activities. It focuses on AWS GuardDuty alerts related to unauthorized user access, specifically targeting network IP associations tied to activities such as logins from malicious IP addresses or instance credential exfiltration attempts. The ditection leverages these common network IP advisories to detect and pinpoint unauthorized users attempting to access both AWS and Azure resources.\\n\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2023-09-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSGuardDuty\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/78979d32-e63f-4740-b206-cfb300c735e0\",\"name\":\"78979d32-e63f-4740-b206-cfb300c735e0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n ProofpointPOD \\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(SrcIpAddr)\\n | extend ProofpointPOD_TimeGenerated = TimeGenerated, ClientIP = SrcIpAddr\\n )\\non $left.TI_ipEntity == $right.ClientIP\\n| where ProofpointPOD_TimeGenerated \u003c ExpirationDateTime\\n| summarize ProofpointPOD_TimeGenerated = arg_max(ProofpointPOD_TimeGenerated, *) by IndicatorId, ClientIP\\n| project ProofpointPOD_TimeGenerated, SrcUserUpn, DstUserUpn, SrcIpAddr, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, ClientIP\\n| extend timestamp = ProofpointPOD_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SrcUserUpn\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]}],\"tactics\":[\"Exfiltration\",\"InitialAccess\"],\"displayName\":\"ProofpointPOD - Email sender IP in TI list\",\"description\":\"Email sender IP in TI list.\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_maillog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5c847e47-0a07-4c01-ab99-5817ad6cb11e\",\"name\":\"5c847e47-0a07-4c01-ab99-5817ad6cb11e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"// Materialize AWS GuardDuty findings\\nlet AwsAlert = materialize (\\n AWSGuardDuty\\n // Filter for specific activity types in AWS GuardDuty\\n | where ActivityType has_any (\\n \\\"Backdoor:EC2/DenialOfService.UnusualProtocol\\\",\\n \\\"CredentialAccess:Kubernetes/MaliciousIPCaller\\\",\\n \\\"CredentialAccess:Kubernetes/SuccessfulAnonymousAccess\\\",\\n \\\"CredentialAccess:Kubernetes/TorIPCaller\\\",\\n \\\"CredentialAccess:RDS/AnomalousBehavior.SuccessfulBruteForce\\\",\\n \\\"CredentialAccess:RDS/TorIPCaller.FailedLogin\\\",\\n \\\"CredentialAccess:RDS/TorIPCaller.SuccessfulLogin\\\",\\n \\\"Discovery:Kubernetes/MaliciousIPCaller\\\",\\n \\\"Recon:IAMUser/MaliciousIPCaller.Custom\\\",\\n \\\"UnauthorizedAccess:EC2/TorClient\\\",\\n \\\"UnauthorizedAccess:IAMUser/TorIPCaller\\\",\\n \\\"UnauthorizedAccess:IAMUser/MaliciousIPCaller.Custom\\\",\\n \\\"UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS\\\",\\n \\\"UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.InsideAWS\\\",\\n \\\"UnauthorizedAccess:IAMUser/ConsoleLoginSuccess.B\\\"\\n )\\n // Extract and transform AWS GuardDuty attributes\\n | extend\\n AWSAlertId = Id, \\n AWSAlertTitle = Title,\\n AWSAlertDescription = Description,\\n AWSresourceType = tostring(parse_json(ResourceDetails).resourceType),\\n AWSNetworkEntity = tostring(parse_json(ServiceDetails).action.awsApiCallAction.remoteIpDetails.ipAddressV4),\\n AWSAlertUserNameEntity = tostring(parse_json(ResourceDetails).accessKeyDetails.userName),\\n InstanceType = tostring(parse_json(ResourceDetails).instanceDetails.instanceType),\\n AWSTargetingService = parse_json(ServiceDetails).additionalInfo.apiCalls,\\n AWSAlertTime = TimeCreated,\\n AWSAlertLink= tostring(strcat(\u0027https://us-east-1.console.aws.amazon.com/guardduty/home?region=us-east-1#/findings?macros=current\u0026fId=\u0027, Id)),\\n Severity = \\n case (\\n Severity \u003e= 7.0,\\n \\\"High\\\",\\n Severity between (4.0 .. 6.9),\\n \\\"Medium\\\",\\n Severity between (1.0 .. 3.9),\\n \\\"Low\\\",\\n \\\"Unknown\\\"\\n)\\n // Extract API call details and count\\n | mv-apply AIPCall = AWSTargetingService on \\n ( \\n where AIPCall has \\\"name\\\" \\n | extend APICallName = tostring(AIPCall.name), APICallCount = tostring(AIPCall[\\\"count\\\"])\\n ) \\n // Select distinct attributes for further analysis\\n | distinct\\n AWSAlertTime,\\n ActivityType,\\n Severity,\\n AWSAlertId,\\n AWSAlertTitle,\\n AWSAlertDescription,\\n AWSAlertLink,\\n Arn,\\n AWSresourceType,\\n AWSNetworkEntity,\\n AWSAlertUserNameEntity,\\n InstanceType,\\n APICallName,\\n APICallCount \\n );\\n// Materialize GCP Audit Logs related to VM instance creation\\nlet GCPVMActivity= materialize(\\n GCPAuditLogs \\n // Filter for Compute Engine instances insertions\\n | where ServiceName == \\\"compute.googleapis.com\\\" and MethodName endswith \\\"instances.insert\\\"\\n // Extract and transform relevant GCP Audit Log attributes\\n | extend\\n GCPUserUPN= tostring(parse_json(AuthenticationInfo).principalEmail),\\n GCPUserIp = tostring(parse_json(RequestMetadata).callerIp),\\n GCPUserUA= tostring(parse_json(RequestMetadata).callerSuppliedUserAgent),\\n VMDetails= parse_json(AuthorizationInfo),\\n VMStatus = tostring(parse_json(Response).status),\\n VMOperation=tostring(parse_json(Response).operationType),\\n VMName= tostring(parse_json(Request).name),\\n VMDescription= tostring(parse_json(Request).description),\\n VMType = tostring(split(parse_json(Request).machineType, \\\"/\\\")[-1]),\\n Tags= tostring(parse_json(Request).tags),\\n RequestJS = parse_json(Request)\\n // Filter out service account-related activities and private IP addresses\\n | where GCPUserUPN !has \\\"gserviceaccount.com\\\"\\n | extend Name = tostring(split(GCPUserUPN, \\\"@\\\")[0]), UPNSuffix = tostring(split(GCPUserUPN, \\\"@\\\")[1])\\n | where VMOperation == \\\"insert\\\" and isnotempty(GCPUserIp) and GCPUserIp != \\\"private\\\"\\n // Select relevant attributes for further analysis\\n | project\\n GCPOperationTime=TimeGenerated,\\n VMName,\\n VMStatus,\\n MethodName,\\n GCPUserUPN,\\n ProjectId,\\n GCPUserIp,\\n GCPUserUA,\\n VMOperation,\\n VMType,\\n Name,\\n UPNSuffix\\n );\\n// Join AWS and GCP activities based on matching IP addresses\\nAwsAlert\\n| join kind= inner (GCPVMActivity)\\n on\\n $left.AWSNetworkEntity == $right.GCPUserIp\",\"customDetails\":{\"AWSAlertUserName\":\"AWSAlertUserNameEntity\",\"AWSArn\":\"Arn\",\"AWSresourceType\":\"AWSresourceType\",\"AWSInstanceType\":\"InstanceType\",\"AWSAPICallName\":\"APICallName\",\"AWSAPICallCount\":\"APICallCount\",\"GCPUserAgent\":\"GCPUserUA\",\"GCPVMName\":\"VMName\",\"GCPProjectId\":\"ProjectId\",\"GCPVMType\":\"VMType\",\"CorrelationWith\":\"GCPAuditLogs\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"GCPUserIp\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"{{AWSNetworkEntity}} from {{AWSAlertTitle}} observed in GCP compute activity with {{GCPUserUPN}}\",\"alertDescriptionFormat\":\" This detection compiles and correlates unauthorized user access alerts originating from AWS GuardDuty With Alert Description \u0027{{AWSAlertDescription}}\u0027 assocated with GCP compute activities. It focuses on AWS GuardDuty alerts related to unauthorized user access, specifically targeting network IP associations tied to activities such as logins from malicious IP addresses or instance credential exfiltration attempts. The detection leverages these common network IP advisories to detect and pinpoint unauthorized users attempting to access both AWS and Azure resources. \\n\\n AWS ALert Link : \u0027{{AWSAlertLink}}\u0027 \\n\\n Find More Details :https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-active.html\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":\"Severity\"},\"tactics\":[\"InitialAccess\",\"Execution\",\"Persistence\",\"PrivilegeEscalation\",\"CredentialAccess\",\"Discovery\",\"LateralMovement\"],\"displayName\":\"Cross-Cloud Suspicious Compute resource creation in GCP\",\"description\":\"\\nThis detection identifies potential suspicious activity across multi-cloud environments by combining AWS GuardDuty findings with GCP Audit Logs. It focuses on AWS activities related to unauthorized access, credential abuse, and unusual behaviors, as well as GCP instances creation with non-Google service account users. The query aims to provide a comprehensive view of cross-cloud security incidents for proactive threat detection and response.\\n\",\"lastUpdatedDateUTC\":\"2023-10-06T00:00:00Z\",\"createdDateUTC\":\"2023-10-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"GCPAuditLogsDefinition\",\"dataTypes\":[\"GCPAuditLogs\"]},{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSGuardDuty\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/50cbf34a-4cdd-45d7-b3f5-8b53a1d0d14f\",\"name\":\"50cbf34a-4cdd-45d7-b3f5-8b53a1d0d14f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"Event\\n| where EventLog =~ \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID==1\\n| parse EventData with * \u0027CommandLine\\\"\u003e\u0027 CommandLine \\\"\u003c\\\" * \u0027ParentCommandLine\\\"\u003e\u0027 ParentCommandLine \\\"\u003c\\\" *\\n| where ParentCommandLine =~ \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe -k DcomLaunch\\\" and CommandLine =~ \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\mmc.exe -Embedding\\\"\\n| parse EventData with * \u0027ProcessGuid\\\"\u003e\u0027 ProcessGuid \\\"\u003c\\\" * \u0027Image\\\"\u003e\u0027 Image \\\"\u003c\\\" * \u0027Description\\\"\u003e\u0027 Description \\\"\u003c\\\" * \u0027CurrentDirectory\\\"\u003e\u0027 CurrentDirectory \\\"\u003c\\\" * \u0027User\\\"\u003e\u0027 User \\\"\u003c\\\" * \u0027LogonGuid\\\"\u003e\u0027 LogonGuid \\\"\u003c\\\" * \u0027ParentProcessGuid\\\"\u003e\u0027 ParentProcessGuid \\\"\u003c\\\" * \u0027ParentImage\\\"\u003e\u0027 ParentImage \\\"\u003c\\\" * \u0027ParentCommandLine\\\"\u003e\u0027 ParentCommandLine \\\"\u003c\\\" * \u0027ParentUser\\\"\u003e\u0027 ParentUser \\\"\u003c\\\" *\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, User, ParentImage, ParentProcessGuid, ParentCommandLine, ParentUser, Image, ProcessGuid, CommandLine, Description\\n| extend HostName = iif(Computer has \u0027.\u0027,substring(Computer,0,indexof(Computer,\u0027.\u0027)),Computer) , DnsDomain = iif(Computer has \u0027.\u0027,substring(Computer,indexof(Computer,\u0027.\u0027)+1),\u0027\u0027)\",\"entityMappings\":[{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLine\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"User\"}]}],\"tactics\":[\"LateralMovement\"],\"displayName\":\"Lateral Movement via DCOM\",\"description\":\"This query detects a fairly uncommon attack technique using the Windows Distributed Component Object Model (DCOM) to make a remote execution call to another computer system and gain lateral movement throughout the network.\\nRef: http://thenegative.zone/incident%20response/2017/02/04/MMC20.Application-Lateral-Movement-Analysis.html\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-03-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/dd0a6029-ecef-4507-89c4-fc355ac52111\",\"name\":\"dd0a6029-ecef-4507-89c4-fc355ac52111\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.4.2\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h; // Look back 1 hour\\nlet ioc_lookBack = 14d; // Look back 14 days\\n// Create a list of top-level domains (TLDs) from the threat feed data for later validation\\nlet SecurityLog = materialize(\\n CommonSecurityLog\\n // Filter common security logs based on the specified time range\\n | extend IngestionTime = ingestion_time()\\n | where IngestionTime \u003e ago(dt_lookBack)\\n | where DeviceEventClassID =~ \u0027url\u0027\\n // Uncomment the line below to only alert on allowed connections\\n //| where DeviceAction !~ \\\"block-url\\\"\\n // Extract the domain from RequestURL, if not present, extract it from AdditionalExtensions\\n | extend PA_Url = column_ifexists(\\\"RequestURL\\\", \\\"None\\\")\\n | extend PA_Url = iif(isempty(PA_Url) and AdditionalExtensions !startswith \\\"PanOS\\\", extract(\\\"([^\\\\\\\\\\\\\\\"]+)\\\", 1, tolower(AdditionalExtensions)), trim(\u0027\\\"\u0027, PA_Url))\\n | extend PA_Url = iif(PA_Url !startswith \\\"http://\\\" and ApplicationProtocol !~ \\\"ssl\\\", strcat(\u0027http://\u0027, PA_Url), iif(PA_Url !startswith \\\"https://\\\" and ApplicationProtocol =~ \\\"ssl\\\", strcat(\u0027https://\u0027, PA_Url), PA_Url))\\n | extend Domain = trim(\u0027\\\"\u0027, tostring(parse_url(PA_Url).Host))\\n | where isnotempty(Domain)\\n | extend Domain = tolower(Domain)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n);\\nlet LogDomains = SecurityLog | distinct Domain | summarize make_list(Domain);\\n// Retrieve threat intelligence indicators within the specified time range\\nlet Domain_Indicators = materialize(\\n ThreatIntelligenceIndicator\\n | where isnotempty(DomainName)\\n | where TimeGenerated \u003e= ago(ioc_lookBack)\\n | extend TI_DomainEntity = tolower(DomainName)\\n | where TI_DomainEntity in (LogDomains)\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n | where Active == true and ExpirationDateTime \u003e now());\\n// Join threat intelligence indicators with common security logs\\nDomain_Indicators | join kind=innerunique (SecurityLog) on $left.TI_DomainEntity == $right.Domain\\n| where CommonSecurityLog_TimeGenerated \u003c ExpirationDateTime\\n| summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId\\n| project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, PA_Url, Domain, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DeviceAction, DestinationIP, DestinationPort, DeviceName, SourceIP, SourcePort, ApplicationProtocol, RequestMethod, Type, TI_DomainEntity\\n| extend timestamp = CommonSecurityLog_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"DeviceName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"PA_Url\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"TI map Domain entity to PaloAlto CommonSecurityLog\",\"description\":\"Identifies a match in PaloAlto CommonSecurityLog table from any Domain IOC from TI\",\"lastUpdatedDateUTC\":\"2024-07-09T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c7cd6073-6d2c-4284-a5c8-da27605bdfde\",\"name\":\"c7cd6073-6d2c-4284-a5c8-da27605bdfde\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"let lbtime = 10m;\\nProofpointPOD\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027inbound\u0027\\n| where FilterDisposition !in (\u0027reject\u0027, \u0027discard\u0027)\\n| where FilterModulesSpamScoresOverall == \u0027100\u0027\\n| project SrcUserUpn, DstUserUpn\\n| extend AccountCustomEntity = SrcUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"ProofpointPOD - High risk message not discarded\",\"description\":\"Detects when email with high risk score was not rejected or discarded by filters.\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8ec3a7f9-9f55-4be3-aeb6-9188f91b278e\",\"name\":\"8ec3a7f9-9f55-4be3-aeb6-9188f91b278e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"let lookback = 14d;\\nlet timeframe = 1d;\\nlet user_accounts = \\\"(([a-zA-Z]{1,})\\\\\\\\.([a-zA-Z]{1,}))@.*\\\";\\nlet known_useragents = dynamic([]);\\nDynamics365Activity\\n| where TimeGenerated between(ago(lookback)..ago(timeframe))\\n| where isnotempty(UserAgent)\\n| summarize by UserAgent, UserId\\n| join kind = rightanti (Dynamics365Activity\\n| where TimeGenerated \u003e ago(timeframe)\\n| where isnotempty(UserAgent)\\n| where UserAgent !in~ (known_useragents)\\n| where UserAgent !hasprefix \\\"azure-logic-apps\\\" and UserAgent !hasprefix \\\"PowerApps\\\"\\n| where UserId matches regex user_accounts)\\non UserAgent, UserId\\n// Uncomment this section to exclude user agents with a rendering engine, indicating browsers.\\n//| join kind = leftanti(\\n//Dynamics365Activity\\n//| where TimeGenerated between(ago(lookback)..ago(timeframe))\\n//| where UserAgent has_any (\\\"Gecko\\\", \\\"WebKit\\\", \\\"Presto\\\", \\\"Trident\\\", \\\"EdgeHTML\\\", \\\"Blink\\\")) on UserAgent\\n| summarize FirstSeen = min(TimeGenerated), IPs = make_set(ClientIP) by UserAgent, UserId\\n| extend timestamp = FirstSeen, AccountCustomEntity = UserId\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"New Dynamics 365 User Agent\",\"description\":\"Detects users accessing Dynamics from a User Agent that has not been seen the 14 days. Has configurable filter for known good user agents such as PowerApps. Also includes optional section to exclude User Agents to indicate a browser being used.\",\"lastUpdatedDateUTC\":\"2022-12-12T00:00:00Z\",\"createdDateUTC\":\"2021-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Dynamics365\",\"dataTypes\":[\"Dynamics365Activity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/29e99017-e28d-47be-8b9a-c8c711f8a903\",\"name\":\"29e99017-e28d-47be-8b9a-c8c711f8a903\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"let security_info_actions = dynamic([\\\"User registered security info\\\", \\\"User changed default security info\\\", \\\"User deleted security info\\\", \\\"Admin updated security info\\\", \\\"User reviewed security info\\\", \\\"Admin deleted security info\\\", \\\"Admin registered security info\\\"]);\\nlet VIPUsers = (_GetWatchlist(\u0027VIPUsers\u0027) | distinct \\\"User Principal Name\\\");\\nAuditLogs\\n| where Category =~ \\\"UserManagement\\\"\\n| where ActivityDisplayName in (security_info_actions)\\n| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n| extend InitiatingIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\\n| mv-apply TargetResource = TargetResources on \\n (\\n where TargetResource.type =~ \\\"User\\\"\\n | extend Target = trim(@\u0027\\\"\u0027,tolower(tostring(TargetResource.userPrincipalName)))\\n )\\n| where Target in~ (VIPUsers)\\n| summarize Start=min(TimeGenerated), End=max(TimeGenerated), Actions = make_set(ResultReason) by InitiatingUserPrincipalName, InitiatingAadUserId, InitiatingAppName, InitiatingAppServicePrincipalId, InitiatingIpAddress, Result, Target\\n| extend TargetName = tostring(split(Target,\u0027@\u0027,0)[0]), TargetUPNSuffix = tostring(split(Target,\u0027@\u0027,1)[0])\\n| extend InitiatedByName = tostring(split(InitiatingUserPrincipalName,\u0027@\u0027,0)[0]), InitiatedByUPNSuffix = tostring(split(InitiatingUserPrincipalName,\u0027@\u0027,1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Target\"},{\"identifier\":\"Name\",\"columnName\":\"TargetName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"TargetUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatedByName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatedByUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAppServicePrincipalId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIpAddress\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"NRT Authentication Methods Changed for VIP Users\",\"description\":\"Identifies authentication methods being changed for a list of VIP users watchlist. This could be an indication of an attacker adding an auth method to the account so they can have continued access.\",\"lastUpdatedDateUTC\":\"2024-01-09T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/67775878-7f8b-4380-ac54-115e1e828901\",\"name\":\"67775878-7f8b-4380-ac54-115e1e828901\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.4\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet IP_TI = \\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack)\\n| extend IoC = coalesce(NetworkIP, NetworkDestinationIP, NetworkSourceIP,EmailSourceIpAddress,\\\"NO_IP\\\")\\n| where IoC != \\\"NO_IP\\\"\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true and ExpirationDateTime \u003e now();\\nIP_TI\\n| join kind=innerunique // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n(\\n_Im_Dns(starttime=ago(dt_lookBack))\\n| where isnotempty(DnsResponseName)\\n| summarize imDns_mintime=min(TimeGenerated), imDns_maxtime=max(TimeGenerated) by SrcIpAddr, DnsQuery, DnsResponseName, Dvc, EventProduct, EventVendor\\n| extend addresses = extract_all (@\u0027(\\\\d+\\\\.\\\\d+\\\\.\\\\d+\\\\.\\\\d+)\u0027, DnsResponseName)\\n| mv-expand IoC = addresses to typeof(string)\\n)\\non IoC\\n| where imDns_mintime \u003c ExpirationDateTime\\n| project imDns_mintime, imDns_maxtime, Description, ActivityGroupNames, IndicatorId, ThreatType, LatestIndicatorTime, ExpirationDateTime, ConfidenceScore, SrcIpAddr, IoC, Dvc, EventVendor, EventProduct, DnsQuery, DnsResponseName\",\"customDetails\":{\"LatestIndicatorTime\":\"LatestIndicatorTime\",\"Description\":\"Description\",\"ActivityGroupNames\":\"ActivityGroupNames\",\"IndicatorId\":\"IndicatorId\",\"ThreatType\":\"ThreatType\",\"ExpirationDateTime\":\"ExpirationDateTime\",\"ConfidenceScore\":\"ConfidenceScore\",\"DNSRequestTime\":\"imDns_mintime\",\"SourceIPAddress\":\"SrcIpAddr\",\"DnsQuery\":\"DnsQuery\"},\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Dvc\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IoC\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"The response {{IoC}} to DNS query matched an IoC\",\"alertDescriptionFormat\":\"The response address {{IoC}} to a DNS query matched a known indicator of compromise of {{ThreatType}}. Consult the threat intelligence blade for more information on the indicator.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"CommandAndControl\"],\"displayName\":\"TI map IP entity to DNS Events (ASIM DNS schema)\",\"description\":\"This rule identifies DNS requests for which response IP address is a known IoC. This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema.\",\"lastUpdatedDateUTC\":\"2024-07-09T00:00:00Z\",\"createdDateUTC\":\"2021-09-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/48607a29-a26a-4abf-8078-a06dbdd174a4\",\"name\":\"48607a29-a26a-4abf-8078-a06dbdd174a4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.7\",\"severity\":\"Medium\",\"query\":\"let timeRange = 1d;\\nlet lookBack = 7d;\\nlet authenticationWindow = 20m;\\nlet authenticationThreshold = 5;\\nlet isGUID = \\\"[0-9a-z]{8}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{12}\\\";\\nlet failureCodes = dynamic([50053, 50126, 50055]); // invalid password, account is locked - too many sign ins, expired password\\nlet successCodes = dynamic([0, 50055, 50057, 50155, 50105, 50133, 50005, 50076, 50079, 50173, 50158, 50072, 50074, 53003, 53000, 53001, 50129]);\\n// Lookup up resolved identities from last 7 days\\nlet aadFunc = (tableName:string){\\nlet identityLookup = table(tableName)\\n| where TimeGenerated \u003e= ago(lookBack)\\n| where not(Identity matches regex isGUID)\\n| where isnotempty(UserId)\\n| summarize by UserId, lu_UserDisplayName = UserDisplayName, lu_UserPrincipalName = UserPrincipalName, Type;\\n// collect window threshold breaches\\ntable(tableName)\\n| where TimeGenerated \u003e ago(timeRange)\\n| where ResultType in(failureCodes)\\n| summarize FailedPrincipalCount = dcount(UserPrincipalName) by bin(TimeGenerated, authenticationWindow), IPAddress, AppDisplayName, Type\\n| where FailedPrincipalCount \u003e= authenticationThreshold\\n| summarize WindowThresholdBreaches = count() by IPAddress, Type\\n| join kind= inner (\\n// where we breached a threshold, join the details back on all failure data\\ntable(tableName)\\n| where TimeGenerated \u003e ago(timeRange)\\n| where ResultType in(failureCodes)\\n| extend LocationDetails = todynamic(LocationDetails)\\n| extend FullLocation = strcat(LocationDetails.countryOrRegion,\u0027|\u0027, LocationDetails.state, \u0027|\u0027, LocationDetails.city)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), make_set(ClientAppUsed,20), make_set(FullLocation,20), FailureCount = count() by IPAddress, AppDisplayName, UserPrincipalName, UserDisplayName, Identity, UserId, Type\\n// lookup any unresolved identities\\n| extend UnresolvedUserId = iff(Identity matches regex isGUID, UserId, \\\"\\\")\\n| join kind= leftouter (\\n identityLookup\\n) on $left.UnresolvedUserId==$right.UserId\\n| extend UserDisplayName=iff(isempty(lu_UserDisplayName), UserDisplayName, lu_UserDisplayName)\\n| extend UserPrincipalName=iff(isempty(lu_UserPrincipalName), UserPrincipalName, lu_UserPrincipalName)\\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), make_set(UserPrincipalName,20), make_set(UserDisplayName,20), make_set(set_ClientAppUsed,20), make_set(set_FullLocation,20), make_list(FailureCount,20) by IPAddress, AppDisplayName, Type\\n| extend FailedPrincipalCount = array_length(set_UserPrincipalName)\\n) on IPAddress\\n| project IPAddress, StartTime, EndTime, TargetedApplication=AppDisplayName, FailedPrincipalCount, UserPrincipalNames=set_UserPrincipalName, UserDisplayNames=set_UserDisplayName, ClientAppsUsed=set_set_ClientAppUsed, Locations=set_set_FullLocation, FailureCountByPrincipal=list_FailureCount, WindowThresholdBreaches, Type\\n| join kind= inner (\\ntable(tableName) // get data on success vs. failure history for each IP\\n| where TimeGenerated \u003e ago(timeRange)\\n| where ResultType in(successCodes) or ResultType in(failureCodes) // success or failure types\\n| summarize GlobalSuccessPrincipalCount = dcountif(UserPrincipalName, (ResultType in (successCodes))), ResultTypeSuccesses = make_set_if(ResultType, (ResultType in (successCodes))), GlobalFailPrincipalCount = dcountif(UserPrincipalName, (ResultType in (failureCodes))), ResultTypeFailures = make_set_if(ResultType, (ResultType in (failureCodes))) by IPAddress, Type\\n| where GlobalFailPrincipalCount \u003e GlobalSuccessPrincipalCount // where the number of failed principals is greater than success - eliminates FPs from IPs who authenticate successfully alot and as a side effect have alot of failures\\n) on IPAddress\\n| project-away IPAddress1\\n| extend timestamp=StartTime\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Password spray attack against Microsoft Entra ID application\",\"description\":\"Identifies evidence of password spray activity against Microsoft Entra ID applications by looking for failures from multiple accounts from the same IP address within a time window. If the number of accounts breaches the threshold just once, all failures from the IP address within the time range are bought into the result. Details on whether there were successful authentications by the IP address within the time window are also included.\\nThis can be an indicator that an attack was successful.\\nThe default failure acccount threshold is 5, Default time window for failures is 20m and default look back window is 1 day\\nNote: Due to the number of possible accounts involved in a password spray it is not possible to map identities to a custom entity.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2020-03-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4a3f5ed7-8da5-4ce2-af6f-c9ada45060f2\",\"name\":\"4a3f5ed7-8da5-4ce2-af6f-c9ada45060f2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.7\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @\u0027^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$\u0027;\\nlet OfficeEvents = materialize(\\n OfficeActivity\\n | where isnotempty(UserId)\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where UserId matches regex emailregex\\n | project-rename OfficeActivity_TimeGenerated = TimeGenerated);\\nlet OfficeActivityUPNs = OfficeEvents | distinct UserId = tolower(UserId) | summarize make_list(UserId);\\nThreatIntelligenceIndicator\\n| where isnotempty(EmailSenderAddress)\\n| where TimeGenerated \u003e= ago(ioc_lookBack)\\n| where tolower(EmailSenderAddress) in (OfficeActivityUPNs)\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true and ExpirationDateTime \u003e now()\\n| where Description !contains_cs \\\"State: inactive;\\\" and Description !contains_cs \\\"State: falsepos;\\\"\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (OfficeEvents) on $left.EmailSenderAddress == $right.UserId\\n| where OfficeActivity_TimeGenerated \u003c ExpirationDateTime\\n| summarize OfficeActivity_TimeGenerated = arg_max(OfficeActivity_TimeGenerated, *) by IndicatorId, UserId\\n| project OfficeActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, EmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, UserId, ClientIP, Operation, UserType, RecordType, OfficeWorkload, Parameters\\n| extend Name = tostring(split(UserId, \u0027@\u0027, 0)[0]), UPNSuffix = tostring(split(UserId, \u0027@\u0027, 1)[0])\\n| extend timestamp = OfficeActivity_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserId\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"TI map Email entity to OfficeActivity\",\"description\":\"Identifies a match in OfficeActivity table from any Email IOC from TI\",\"lastUpdatedDateUTC\":\"2024-07-10T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a04cf847-a832-4c60-b687-b0b6147da219\",\"name\":\"a04cf847-a832-4c60-b687-b0b6147da219\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"High\",\"query\":\"let IPList = dynamic([\\\"45.63.52.41\\\",\\\"140.82.17.161\\\",\\\"207.148.101.95\\\",\\\"45.32.87.51\\\",\\\"66.42.98.156\\\",\\\"45.76.144.105\\\",\\\"217.163.28.35\\\",\\\"45.32.141.174\\\",\\\"149.28.165.249\\\",\\\"209.250.225.247\\\",\\\"45.63.100.115\\\",\\\"95.179.229.230\\\",\\\"209.250.233.247\\\",\\\"45.77.121.232\\\",\\\"45.76.175.65\\\",\\\"104.238.160.237\\\",\\\"45.77.181.97\\\",\\\"95.179.192.125\\\",\\\"149.28.93.184\\\",\\\"140.82.16.81\\\",\\\"45.76.173.103\\\",\\\"45.77.255.22\\\",\\\"45.32.11.71\\\",\\\"149.28.77.26\\\",\\\"45.32.54.50\\\",\\\"104.156.233.156\\\",\\\"45.32.21.118\\\",\\\"45.63.62.109\\\",\\\"45.77.244.202\\\",\\\"149.248.11.205\\\",\\\"104.238.190.244\\\"]);\\nlet IOCTerms = \\\"\\\\\\\\?lang=[/..]*/dev/cmdb/sslvpn_websession|/dana-na/jam/[/..]*home/webserver/htdocs/dana/html5acc/guacamole[/..]*etc/passwd\\\\\\\\?\\\";\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where isnotempty(SourceIP) or isnotempty(DestinationIP)\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or has_any_ipv4 (Message, IPList)\\n| extend IPMatch = case(\\nSourceIP in (IPList), \\\"SourceIP\\\", \\nDestinationIP in (IPList), \\\"DestinationIP\\\",\\n\\\"Message\\\") \\n| where Message matches regex IOCTerms\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch\\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\") \\n),\\n(OfficeActivity\\n| where isnotempty(UserAgent) and ClientIP in (IPList)\\n| where UserAgent contains \\\"ExchangeServicesClient/0.0.0.0\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP = ClientIP, Account = UserId, Type, RecordType, OfficeWorkload, UserAgent, OfficeObjectId, IPMatch = \\\"ClientIP\\\"\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, IPCustomEntity = SourceIP\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"Collection\"],\"displayName\":\"[Deprecated] - Known Manganese IP and UserAgent activity\",\"description\":\"This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft\u0027s Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2019-10-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/78422ef2-62bf-48ca-9bab-72c69818a425\",\"name\":\"78422ef2-62bf-48ca-9bab-72c69818a425\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P8D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.6\",\"severity\":\"Low\",\"query\":\"let endtime = 1d;\\nlet starttime = 8d;\\nlet threshold = 2.0;\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4624 and LogonType == 10\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), ComputerCountToday = dcount(Computer), ComputerSet = makeset(Computer), ProcessSet = makeset(ProcessName)\\nby Account = tolower(Account), IpAddress, AccountType, Activity, LogonTypeName),\\n(WindowsEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4624\\n| extend LogonType = tostring(EventData.LogonType)\\n| where LogonType == 10\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| extend Account = strcat(tostring(EventData.TargetDomainName),\\\"\\\\\\\\\\\", tostring(EventData.TargetUserName))\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| extend TargetUserSid = tostring(EventData.TargetUserSid)\\n| extend AccountType=case(Account endswith \\\"$\\\" or TargetUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(TargetUserSid), \\\"\\\", \\\"User\\\")\\n| extend Activity=\\\"4624 - An account was successfully logged on.\\\"\\n| extend LogonTypeName=\\\"10 - RemoteInteractive\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), ComputerCountToday = dcount(Computer), ComputerSet = makeset(Computer), ProcessSet = makeset(ProcessName)\\nby Account = tolower(Account), IpAddress, AccountType, Activity, LogonTypeName)\\n)\\n| join kind=inner (\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e= ago(starttime) and TimeGenerated \u003c ago(endtime)\\n| where EventID == 4624 and LogonType == 10\\n| summarize ComputerCountPrev7Days = dcount(Computer) by Account = tolower(Account), IpAddress\\n),\\n( WindowsEvent\\n| where TimeGenerated \u003e= ago(starttime) and TimeGenerated \u003c ago(endtime)\\n| where EventID == 4624 and EventData has (\\\"10\\\")\\n| extend LogonType = toint(EventData.LogonType)\\n| where LogonType == 10\\n| extend Account = strcat(tostring(EventData.TargetDomainName),\\\"\\\\\\\\\\\", tostring(EventData.TargetUserName))\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| summarize ComputerCountPrev7Days = dcount(Computer) by Account = tolower(Account), IpAddress)\\n)\\n) on Account, IpAddress\\n| extend Ratio = iff(isempty(ComputerCountPrev7Days), toreal(ComputerCountToday), ComputerCountToday / (ComputerCountPrev7Days * 1.0))\\n// Where the ratio of today to previous 7 days is more than double.\\n| where Ratio \u003e threshold\\n| project StartTime, EndTime, Account, IpAddress, ComputerSet, ComputerCountToday, ComputerCountPrev7Days, Ratio, AccountType, Activity, LogonTypeName, ProcessSet\\n| extend AccountName = tostring(split(Account, @\\\"\\\\\\\")[1]), AccountNTDomain = tostring(split(Account, @\\\"\\\\\\\")[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]}],\"tactics\":[\"LateralMovement\"],\"displayName\":\"Multiple RDP connections from Single System\",\"description\":\"Identifies when an RDP connection is made to multiple systems and above the normal connection count for the previous 7 days.\\nConnections from the same system with the same account within the same day.\\nRDP connections are indicated by the EventID 4624 with LogonType = 10\",\"lastUpdatedDateUTC\":\"2023-12-29T00:00:00Z\",\"createdDateUTC\":\"2019-10-21T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/83ba3057-9ea3-4759-bf6a-933f2e5bc7ee\",\"name\":\"83ba3057-9ea3-4759-bf6a-933f2e5bc7ee\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":3,\"version\":\"1.1.5\",\"severity\":\"Medium\",\"query\":\"let current = 1d;\\nlet auditLookback = 7d;\\n// Setting threshold to 3 as a default, change as needed.\\n// Any operation that has been initiated by a user or app more than 3 times in the past 7 days will be excluded\\nlet threshold = 3;\\n// Gather initial data from lookback period, excluding current, adjust current to more than a single day if no results\\nlet AuditTrail = AuditLogs | where TimeGenerated \u003e= ago(auditLookback) and TimeGenerated \u003c ago(current)\\n// 2 other operations that can be part of malicious activity in this situation are\\n// \\\"Add OAuth2PermissionGrant\\\" and \\\"Add service principal\\\", extend the filter below to capture these too\\n| where OperationName has \\\"Consent to application\\\"\\n| extend InitiatedBy = iff(isnotempty(tostring(InitiatedBy.user.userPrincipalName)),\\n tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| mv-apply TargetResource = TargetResources on \\n (\\n where TargetResource.type =~ \\\"ServicePrincipal\\\"\\n | extend TargetResourceName = tolower(tostring(TargetResource.displayName))\\n )\\n| summarize max(TimeGenerated), OperationCount = count() by OperationName, InitiatedBy, TargetResourceName\\n// only including operations initiated by a user or app that is above the threshold so we produce only rare and has not occurred in last 7 days\\n| where OperationCount \u003e threshold;\\n// Gather current period of audit data\\nlet RecentConsent = AuditLogs | where TimeGenerated \u003e= ago(current)\\n| where OperationName has \\\"Consent to application\\\"\\n| extend IpAddress = case(\\n isnotempty(tostring(InitiatedBy.user.ipAddress)) and tostring(InitiatedBy.user.ipAddress) != \u0027null\u0027, tostring(InitiatedBy.user.ipAddress),\\n isnotempty(tostring(InitiatedBy.app.ipAddress)) and tostring(InitiatedBy.app.ipAddress) != \u0027null\u0027, tostring(InitiatedBy.app.ipAddress),\\n \u0027Not Available\u0027)\\n| extend InitiatedBy = iff(isnotempty(tostring(InitiatedBy.user.userPrincipalName)),\\n tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| mv-apply TargetResource = TargetResources on \\n (\\n where TargetResource.type =~ \\\"ServicePrincipal\\\"\\n | extend TargetResourceName = tolower(tostring(TargetResource.displayName)),\\n props = TargetResource.modifiedProperties\\n )\\n| parse props with * \\\"ConsentType: \\\" ConsentType \\\"]\\\" *\\n| mv-apply AdditionalDetail = AdditionalDetails on \\n (\\n where AdditionalDetail.key =~ \\\"User-Agent\\\"\\n | extend UserAgent = tostring(AdditionalDetail.value)\\n )\\n| project TimeGenerated, InitiatedBy, IpAddress, TargetResourceName, Category, OperationName, ConsentType, UserAgent, CorrelationId, Type;\\n// Exclude previously seen audit activity for \\\"Consent to application\\\" that was seen in the lookback period\\n// First for rare InitiatedBy\\nlet RareConsentBy = RecentConsent | join kind= leftanti AuditTrail on OperationName, InitiatedBy\\n| extend Reason = \\\"Previously unseen user consenting\\\";\\n// Second for rare TargetResourceName\\nlet RareConsentApp = RecentConsent | join kind= leftanti AuditTrail on OperationName, TargetResourceName\\n| extend Reason = \\\"Previously unseen app granted consent\\\";\\nRareConsentBy | union RareConsentApp\\n| summarize Reason = make_set(Reason,100) by TimeGenerated, InitiatedBy, IpAddress, TargetResourceName, Category, OperationName, ConsentType, UserAgent, CorrelationId, Type\\n| extend timestamp = TimeGenerated, Name = tolower(tostring(split(InitiatedBy,\u0027@\u0027,0)[0])), UPNSuffix = tolower(tostring(split(InitiatedBy,\u0027@\u0027,1)[0]))\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatedBy\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"CloudApplication\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"TargetResourceName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Rare application consent\",\"description\":\"This will alert when the \\\"Consent to application\\\" operation occurs by a user that has not done this operation before or rarely does this.\\nThis could indicate that permissions to access the listed Azure App were provided to a malicious actor.\\nConsent to application, Add service principal and Add OAuth2PermissionGrant should typically be rare events.\\nThis may help detect the Oauth2 attack that can be initiated by this publicly available tool - https://github.com/fireeye/PwnAuth\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2024-01-04T00:00:00Z\",\"createdDateUTC\":\"2019-07-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/06a9b845-6a95-4432-a78b-83919b28c375\",\"name\":\"06a9b845-6a95-4432-a78b-83919b28c375\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":3,\"version\":\"1.0.4\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet scorethreshold = 5;\\nlet percentotalthreshold = 50;\\nlet TimeSeriesData = CommonSecurityLog\\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| project TimeGenerated,SourceIP, DestinationIP, DeviceVendor\\n| make-series Total=count() on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by DeviceVendor;\\n// Filtering specific records associated with spikes as outliers\\nlet TimeSeriesAlerts=materialize(TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(Total, scorethreshold, -1, \u0027linefit\u0027)\\n| mv-expand Total to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double),score to typeof(double), baseline to typeof(long)\\n| where anomalies \u003e 0 | extend score = round(score,2), AnomalyHour = TimeGenerated\\n| project DeviceVendor,AnomalyHour, TimeGenerated, Total, baseline, anomalies, score);\\nlet AnomalyHours = materialize(TimeSeriesAlerts | where TimeGenerated \u003e ago(2d) | project TimeGenerated);\\n// Join anomalies with Base Data to popalate associated records for investigation - Results sorted by score in descending order\\nTimeSeriesAlerts\\n| where TimeGenerated \u003e ago(2d)\\n| join (\\n CommonSecurityLog\\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\\n| where TimeGenerated \u003e ago(2d)\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n| summarize HourlyCount = count(), TimeGeneratedMax = arg_max(TimeGenerated, *), DestinationIPlist = make_set(DestinationIP, 100), DestinationPortlist = make_set(DestinationPort, 100) by DeviceVendor, SourceIP, TimeGeneratedHour= bin(TimeGenerated, 1h)\\n| extend AnomalyHour = TimeGeneratedHour\\n) on AnomalyHour, DeviceVendor\\n| extend PercentTotal = round((HourlyCount / Total) * 100, 3)\\n| where PercentTotal \u003e percentotalthreshold\\n| project DeviceVendor , AnomalyHour, TimeGeneratedMax, SourceIP, DestinationIPlist, DestinationPortlist, HourlyCount, PercentTotal, Total, baseline, score, anomalies\\n| summarize HourlyCount=sum(HourlyCount), StartTimeUtc=min(TimeGeneratedMax), EndTimeUtc=max(TimeGeneratedMax), SourceIPlist = make_set(SourceIP, 100), SourceIPMax= arg_max(SourceIP, *), DestinationIPlist = make_set(DestinationIPlist, 100), DestinationPortlist = make_set(DestinationPortlist, 100) by DeviceVendor , AnomalyHour, Total, baseline, score, anomalies\\n| project DeviceVendor , AnomalyHour, EndTimeUtc, SourceIPMax ,SourceIPlist, DestinationIPlist, DestinationPortlist, HourlyCount, Total, baseline, score, anomalies\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIPMax\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"Time series anomaly detection for total volume of traffic\",\"description\":\"Identifies anamalous spikes in network traffic logs as compared to baseline or normal historical patterns.\\nThe query leverages a KQL built-in anomaly detection algorithm to find large deviations from baseline patterns.\\nSudden increases in network traffic volume may be an indication of data exfiltration attempts and should be investigated.\\nThe higher the score, the further it is from the baseline value.\\nThe output is aggregated to provide summary view of unique source IP to destination IP address and port traffic observed in the flagged anomaly hour.\\nThe source IP addresses which were sending less than percentotalthreshold of the total traffic have been exluded whose value can be adjusted as needed .\\nYou may have to run queries for individual source IP addresses from SourceIPlist to determine if anything looks suspicious\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2019-05-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Barracuda\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3f0c20d5-6228-48ef-92f3-9ff7822c1954\",\"name\":\"3f0c20d5-6228-48ef-92f3-9ff7822c1954\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"AlertPerResult\"},\"version\":\"1.1.5\",\"severity\":\"Medium\",\"query\":\"let threatCategory=\\\"Hacking Tool\\\";\\nlet knownUserAgentsIndicators = materialize(externaldata(UserAgent:string, Category:string)\\n [ @\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/UnusualUserAgents.csv\\\"] \\n with(format=\\\"csv\\\", ignoreFirstRecord=True));\\nlet knownUserAgents=toscalar(knownUserAgentsIndicators | where Category==threatCategory | where isnotempty(UserAgent) | summarize make_list(UserAgent));\\nlet customUserAgents=toscalar(_GetWatchlist(\\\"UnusualUserAgents\\\") | where SearchKey==threatCategory | extend UserAgent=column_ifexists(\\\"UserAgent\\\",\\\"\\\") | where isnotempty(UserAgent) | summarize make_list(UserAgent));\\nlet fullUAList = array_concat(knownUserAgents,customUserAgents);\\n_Im_WebSession(httpuseragent_has_any=fullUAList)\\n| project SrcIpAddr, Url, TimeGenerated, HttpUserAgent, SrcUsername\\n| extend AccountName = tostring(split(SrcUsername, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(SrcUsername, \\\"@\\\")[1])\",\"customDetails\":{\"UserAgent\":\"HttpUserAgent\"},\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SrcUsername\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Host {{SrcIpAddr}} is potentially running a hacking tool\",\"alertDescriptionFormat\":\"The host at address {{SrcIpAddr}} sent an HTTP request to the URL {{Url}} with the HTTP user agent header {{HttpUserAgent}}. This user agent is known to be used by a hacking tool and indicates suspicious activity on the host.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"Execution\",\"Discovery\",\"LateralMovement\",\"Collection\",\"CommandAndControl\",\"Exfiltration\"],\"displayName\":\"A host is potentially running a hacking tool (ASIM Web Session schema)\",\"description\":\"This rule identifies a web request with a user agent header known to belong to a hacking tool. This indicates a hacking tool is used on the host.\u003cbr\u003eYou can add custom hacking tool indicating User-Agent headers using a watchlist, for more information refer to the [UnusualUserAgents Watchlist](https://aka.ms/ASimUnusualUserAgentsWatchlist).\\n This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema)\",\"lastUpdatedDateUTC\":\"2024-07-15T00:00:00Z\",\"createdDateUTC\":\"2021-12-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/53e936c6-6c30-4d12-8343-b8a0456e8429\",\"name\":\"53e936c6-6c30-4d12-8343-b8a0456e8429\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"let SUNSPOT_Hashes = dynamic([\\\"c45c9bda8db1d470f1fd0dcc346dc449839eb5ce9a948c70369230af0b3ef168\\\", \\\"0819db19be479122c1d48743e644070a8dc9a1c852df9a8c0dc2343e904da389\\\"]);\\nunion isfuzzy=true(\\nDeviceEvents\\n| where InitiatingProcessSHA256 in (SUNSPOT_Hashes)),\\n(DeviceImageLoadEvents\\n| where InitiatingProcessSHA256 in (SUNSPOT_Hashes))\\n| extend timestamp=TimeGenerated\\n| extend HostName = tostring(split(DeviceName, \\\".\\\")[0]), DomainIndex = toint(indexof(DeviceName, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(DeviceName, DomainIndex + 1), DeviceName)\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DeviceName\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingProcessAccountUpn\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatingProcessAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatingProcessAccountDomain\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"SUNSPOT malware hashes\",\"description\":\"This query uses Microsoft Defender for Endpoint data to look for IoCs associated with the SUNSPOT malware shared by Crowdstrike.\\nMore details: \\n - https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/ \\n - https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-your-software-build-process-with-azure-sentinel/ba-p/2140807\",\"lastUpdatedDateUTC\":\"2024-04-04T00:00:00Z\",\"createdDateUTC\":\"2022-04-12T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceImageLoadEvents\",\"DeviceEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a7b9df32-1367-402d-b385-882daf6e3020\",\"name\":\"a7b9df32-1367-402d-b385-882daf6e3020\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"High\",\"query\":\"Event\\n| where EventLog =~ \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID==10\\n| parse EventData with * \u0027TargetImage\\\"\u003e\u0027 TargetImage \\\"\u003c\\\" * \u0027GrantedAccess\\\"\u003e\u0027 GrantedAccess \\\"\u003c\\\" * \u0027CallTrace\\\"\u003e\u0027 CallTrace \\\"\u003c\\\" * \\n| where GrantedAccess =~ \\\"0x1FFFFF\\\" and TargetImage =~ \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\lsass.exe\\\" and CallTrace has_any (\\\"dbghelp.dll\\\",\\\"dbgcore.dll\\\")\\n| parse EventData with * \u0027SourceProcessGUID\\\"\u003e\u0027 SourceProcessGUID \\\"\u003c\\\" * \u0027SourceImage\\\"\u003e\u0027 SourceImage \\\"\u003c\\\" *\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, SourceProcessGUID, SourceImage, GrantedAccess, TargetImage, CallTrace\\n| extend HostName = iif(Computer has \u0027.\u0027,substring(Computer,0,indexof(Computer,\u0027.\u0027)),Computer) , DnsDomain = iif(Computer has \u0027.\u0027,substring(Computer,indexof(Computer,\u0027.\u0027)+1),\u0027\u0027)\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"SourceImage\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Dumping LSASS Process Into a File\",\"description\":\"Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS).\\nAfter a user logs on, the system generates and stores a variety of credential materials in LSASS process memory.\\nThese credential materials can be harvested by an administrative user or system and used to conduct lateral movement using alternate authentication materials.\\nAs well as in-memory techniques, the LSASS process memory can be dumped from the target host and analyzed on a local system.\\nRef: https://attack.mitre.org/techniques/T1003/001/\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-03-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e2399891-383c-4caf-ae67-68a008b9f89e\",\"name\":\"e2399891-383c-4caf-ae67-68a008b9f89e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.6\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet IP_TI = materialize (\\n ThreatIntelligenceIndicator\\n | where TimeGenerated \u003e= ago(ioc_lookBack)\\n | extend TI_ipEntity = coalesce(NetworkIP, NetworkDestinationIP, NetworkSourceIP,EmailSourceIpAddress,\\\"NO_IP\\\")\\n | where TI_ipEntity != \\\"NO_IP\\\"\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n | where Active == true and ExpirationDateTime \u003e now()\\n);\\nIP_TI\\n // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique \\n(\\n _Im_NetworkSession (starttime=ago(dt_lookBack))\\n | where isnotempty(SrcIpAddr)\\n | summarize imNWS_mintime=min(TimeGenerated), imNWS_maxtime=max(TimeGenerated) by SrcIpAddr, DstIpAddr, Dvc, EventProduct, EventVendor \\n | lookup (IP_TI | project TI_ipEntity, Active) on $left.SrcIpAddr == $right.TI_ipEntity\\n | project-rename SrcMatch = Active\\n | lookup (IP_TI | project TI_ipEntity, Active) on $left.DstIpAddr == $right.TI_ipEntity\\n | project-rename DstMatch = Active\\n | where SrcMatch or DstMatch\\n | extend \\n IoCIP = iff(SrcMatch, SrcIpAddr, DstIpAddr),\\n IoCDirection = iff(SrcMatch, \\\"Source\\\", \\\"Destination\\\")\\n)on $left.TI_ipEntity == $right.IoCIP\\n| where imNWS_mintime \u003c ExpirationDateTime\\n| project imNWS_mintime, imNWS_maxtime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, SrcIpAddr, DstIpAddr, IoCDirection, IoCIP, Dvc, EventVendor, EventProduct\",\"customDetails\":{\"EventStartTime\":\"imNWS_mintime\",\"EventEndTime\":\"imNWS_maxtime\",\"IoCDescription\":\"Description\",\"ActivityGroupNames\":\"ActivityGroupNames\",\"IndicatorId\":\"IndicatorId\",\"ThreatType\":\"ThreatType\",\"IoCExpirationTime\":\"ExpirationDateTime\",\"IoCConfidenceScore\":\"ConfidenceScore\",\"IoCIPDirection\":\"IoCDirection\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IoCIP\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"A network session {{IoCDirection}} address {{IoCIP}} matched an IoC.\",\"alertDescriptionFormat\":\"The {{IoCDirection}} address {{IoCIP}} of a network session matched a known indicator of compromise of {{ThreatType}}. Consult the threat intelligence blead for more information on the indicator.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"CommandAndControl\"],\"displayName\":\"TI map IP entity to Network Session Events (ASIM Network Session schema)\",\"description\":\"This rule identifies a match Network Sessions for which the source or destination IP address is a known IoC. This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema\",\"lastUpdatedDateUTC\":\"2024-07-09T00:00:00Z\",\"createdDateUTC\":\"2022-03-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"AzureNSG\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]},{\"connectorId\":\"AIVectraStream\",\"dataTypes\":[\"VectraStream\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"CiscoMeraki\",\"dataTypes\":[\"Syslog\",\"CiscoMerakiNativePoller\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cca3b4d9-ac39-4109-8b93-65bb284003e6\",\"name\":\"cca3b4d9-ac39-4109-8b93-65bb284003e6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.7\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @\u0027^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$\u0027;\\nThreatIntelligenceIndicator\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n| where TimeGenerated \u003e= ago(ioc_lookBack)\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true and ExpirationDateTime \u003e now()\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n AzureActivity | where TimeGenerated \u003e= ago(dt_lookBack) and isnotempty(Caller)\\n | extend Caller = tolower(Caller)\\n | where Caller matches regex emailregex\\n | extend AzureActivity_TimeGenerated = TimeGenerated\\n)\\non $left.EmailSenderAddress == $right.Caller\\n| where AzureActivity_TimeGenerated \u003c ExpirationDateTime\\n| summarize AzureActivity_TimeGenerated = arg_max(AzureActivity_TimeGenerated, *) by IndicatorId, Caller\\n| project AzureActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, EmailSenderName, EmailRecipient,\\nEmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, Caller, Level, CallerIpAddress, CategoryValue, OperationNameValue, ActivityStatusValue,\\nResourceGroup, SubscriptionId\\n| extend Name = tostring(split(Caller, \u0027@\u0027, 0)[0]), UPNSuffix = tostring(split(Caller, \u0027@\u0027, 1)[0])\\n| extend timestamp = AzureActivity_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Caller\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"CallerIpAddress\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"TI map Email entity to AzureActivity\",\"description\":\"Identifies a match in AzureActivity table from any Email IOC from TI\",\"lastUpdatedDateUTC\":\"2024-07-10T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/40ba9493-4183-4eee-974f-87fe39c8f267\",\"name\":\"40ba9493-4183-4eee-974f-87fe39c8f267\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Azure Advanced Threat Protection\",\"displayName\":\"Create incidents based on Microsoft Defender for Identity alerts\",\"description\":\"Create incidents based on all alerts generated in Microsoft Defender for Identity\",\"lastUpdatedDateUTC\":\"2019-07-16T00:00:00Z\",\"createdDateUTC\":\"2019-07-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert (AATP)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d9f28fdf-abc8-4f1a-a7e7-1aaec87a2fc5\",\"name\":\"d9f28fdf-abc8-4f1a-a7e7-1aaec87a2fc5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n | where EventID == 4688\\n | where Process =~ \\\"svchost.exe\\\"\\n | where CommandLine has \\\"-k GPSvcGroup\\\" or CommandLine has \\\"-s gpsvc\\\"\\n | extend timekey = bin(TimeGenerated, 1m)\\n | project timekey, NewProcessId, Computer\\n | join kind=inner (SecurityEvent\\n | where EventID == 4688\\n | where Process =~ \\\"sdelete.exe\\\" or CommandLine has \\\"sdelete\\\"\\n | where ParentProcessName endswith \\\"svchost.exe\\\"\\n | where CommandLine has_all (\\\"-s\\\", \\\"-r\\\")\\n | extend newProcess = Process\\n | extend timekey = bin(TimeGenerated, 1m)\\n ) on $left.NewProcessId == $right.ProcessId, timekey, Computer\\n | extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n | extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n | extend AccountName = tostring(split(TargetAccount, @\u0027\\\\\u0027)[1]), AccountNTDomain = tostring(split(TargetAccount, @\u0027\\\\\u0027)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetAccount\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Sdelete deployed via GPO and run recursively\",\"description\":\"This query looks for the Sdelete process being run recursively after being deployed to a host via GPO. Attackers could use this technique to deploy Sdelete to multiple host and delete data on them.\",\"lastUpdatedDateUTC\":\"2024-03-13T00:00:00Z\",\"createdDateUTC\":\"2022-03-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/70fc7201-f28e-4ba7-b9ea-c04b96701f13\",\"name\":\"70fc7201-f28e-4ba7-b9ea-c04b96701f13\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.6\",\"severity\":\"Medium\",\"query\":\"let OperationList = dynamic([\\\"Add member to role\\\",\\\"Add member to role in PIM requested (permanent)\\\"]);\\nlet PrivilegedGroups = dynamic([\\\"UserAccountAdmins\\\",\\\"PrivilegedRoleAdmins\\\",\\\"TenantAdmins\\\"]);\\nAuditLogs\\n//| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"RoleManagement\\\"\\n| where OperationName in~ (OperationList)\\n| mv-apply TargetResource = TargetResources on \\n (\\n where TargetResource.type =~ \\\"User\\\"\\n | extend TargetUserPrincipalName = tostring(TargetResource.userPrincipalName),\\n modProps = TargetResource.modifiedProperties\\n )\\n| mv-apply Property = modProps on \\n (\\n where Property.displayName =~ \\\"Role.WellKnownObjectName\\\"\\n | extend DisplayName = trim(\u0027\\\"\u0027,tostring(Property.displayName)),\\n GroupName = trim(\u0027\\\"\u0027,tostring(Property.newValue))\\n )\\n| extend InitiatingAppId = tostring(InitiatedBy.app.appId)\\n| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n| extend InitiatingAppServicePrincipalName = tostring(InitiatedBy.app.servicePrincipalName)\\n| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n| extend InitiatingIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress)) \\n| extend InitiatingUserRoles = InitiatedBy.user.roles\\n| where GroupName in~ (PrivilegedGroups)\\n// If you don\u0027t want to alert for operations from PIM, remove below filtering for MS-PIM.\\n//| where InitiatingAppName != \\\"MS-PIM\\\"\\n| project TimeGenerated, AADOperationType, Category, OperationName, AADTenantId, InitiatingUserPrincipalName, InitiatingAadUserId, InitiatingAppName, InitiatingAppId, InitiatingAppServicePrincipalId, InitiatingIpAddress, InitiatingUserRoles, DisplayName, GroupName, TargetUserPrincipalName\\n| extend InitiatedByName = tostring(split(InitiatingUserPrincipalName,\u0027@\u0027,0)[0]), InitiatedByUPNSuffix = tostring(split(InitiatingUserPrincipalName,\u0027@\u0027,1)[0])\\n| extend TargetName = tostring(split(TargetUserPrincipalName,\u0027@\u0027,0)[0]), TargetUPNSuffix = tostring(split(TargetUserPrincipalName,\u0027@\u0027,1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatedByName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatedByUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"TargetName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"TargetUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAppServicePrincipalId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIpAddress\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"NRT User added to Microsoft Entra ID Privileged Groups\",\"description\":\"This will alert when a user is added to any of the Privileged Groups.\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\\nFor Administrator role permissions in Microsoft Entra ID please see https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles\",\"lastUpdatedDateUTC\":\"2024-03-04T00:00:00Z\",\"createdDateUTC\":\"2020-07-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7d6d8a8e-b08a-4082-8dbb-d7fd2cbbc35e\",\"name\":\"7d6d8a8e-b08a-4082-8dbb-d7fd2cbbc35e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"High\",\"query\":\"let scriptExtensions = dynamic([\\\".php\\\", \\\".jsp\\\", \\\".js\\\", \\\".aspx\\\", \\\".asmx\\\", \\\".asax\\\", \\\".cfm\\\", \\\".shtml\\\"]);\\nunion isfuzzy=true\\n(SecurityEvent\\n| where EventID == 4663\\n| where Process has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| where ObjectName has_any (scriptExtensions)\\n| where AccessMask in (\u00270x2\u0027,\u00270x100\u0027, \u00270x10\u0027, \u00270x4\u0027)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress\\n),\\n (WindowsEvent\\n| where EventID == 4663 and EventData has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\") and EventData has_any (scriptExtensions) \\n| where EventData has_any (\u00270x2\u0027,\u00270x100\u0027, \u00270x10\u0027, \u00270x4\u0027)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where Process has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| extend ObjectName = tostring(EventData.ObjectName)\\n| where ObjectName has_any (scriptExtensions)\\n| extend AccessMask = tostring(EventData.AccessMask)\\n| where AccessMask in (\u00270x2\u0027,\u00270x100\u0027, \u00270x10\u0027, \u00270x4\u0027)\\n| extend Account = strcat(EventData.SubjectDomainName,\\\"\\\\\\\\\\\", EventData.SubjectUserName)\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress\\n),\\n(imFileEvent\\n| where EventType == \\\"FileCreated\\\"\\n| where ActingProcessName has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n and\\n TargetFileName has_any (scriptExtensions)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUsername, HostCustomEntity = DvcHostname\\n),\\n(DeviceFileEvents\\n| where ActionType =~ \\\"FileCreated\\\"\\n| where InitiatingProcessFileName has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| where FileName has_any(scriptExtensions)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountUpn, HostCustomEntity = DeviceName, IPCustomEntity = RequestSourceIP)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingProcessAccountUpn\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DeviceName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"[Deprecated] - Silk Typhoon UM Service writing suspicious file\",\"description\":\"This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft\u0027s Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2021-03-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/04384937-e927-4595-8f3c-89ff58ed231f\",\"name\":\"04384937-e927-4595-8f3c-89ff58ed231f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.1\",\"severity\":\"Low\",\"query\":\"let IPs = dynamic ([\\\"199.249.230.\\\",\\\"185.220.101.\\\",\\\"23.129.64.\\\",\\\"109.70.100.\\\",\\\"185.220.102.\\\"]);\\nOfficeActivity\\n| where RecordType in (\\\"AzureActiveDirectoryAccountLogon\\\", \\\"AzureActiveDirectoryStsLogon\\\") \\n| where Operation != \u0027UserLoggedIn\u0027\\n| extend UserAgent = iff(parse_json(ExtendedProperties)[0].Name =~ \\\"UserAgent\\\", extractjson(\\\"$[0].Value\\\", ExtendedProperties, typeof(string)),\\\"\\\")\\n| mv-expand parse_json(ExtendedProperties)\\n| where ExtendedProperties.Name =~ \\\"RequestType\\\"\\n| extend RequestType = ExtendedProperties.Value\\n| where ClientIP has_any (IPs)\\n| summarize authAttempts=dcount(TimeGenerated), firstAttempt=min(TimeGenerated), lastAttempt=max(TimeGenerated), uniqueIPs=dcount(ClientIP), uniqueAccounts=dcount(UserId), attemptedAccounts=make_set(UserId) by UserAgent\\n| where authAttempts \u003e 2500\\n| extend timestamp = firstAttempt\\n| sort by uniqueAccounts\",\"entityMappings\":[],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Possible Forest Blizzard attempted credential harvesting - Sept 2020\",\"description\":\"Surfaces potential Forest Blizzard group Office365 credential harvesting attempts within OfficeActivity Logon events.\\nReferences: https://www.microsoft.com/security/blog/2020/09/10/strontium-detecting-new-patters-credential-harvesting/.\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2020-09-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7965f0be-c039-4d18-8ee8-9a6add8aecf3\",\"name\":\"7965f0be-c039-4d18-8ee8-9a6add8aecf3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"High\",\"query\":\"(union isfuzzy=true\\n(SecurityEvent\\n| where EventID == 4688\\n| where CommandLine has_all (\u0027net user\u0027, \u0027/add\u0027) \\n| parse CommandLine with * \\\"user \\\" username \\\" \\\"*\\n| extend password = extract(@\\\"\\\\buser\\\\s+[^\\\\s]+\\\\s+([^\\\\s]+)\\\", 1, CommandLine) \\n| where username in(\u0027DefaultAccount\u0027) or password in(\u0027P@ssw0rd1234\u0027, \u0027_AS_@1394\u0027) \\n| project TimeGenerated, Computer, Account, AccountDomain, ProcessName, ProcessNameFullPath = NewProcessName, EventID, Activity, CommandLine, EventSourceName, Type\\n),\\n(DeviceProcessEvents \\n| where InitiatingProcessCommandLine has_all(\u0027net user\u0027, \u0027/add\u0027) \\n| parse InitiatingProcessCommandLine with * \\\"user \\\" username \\\" \\\"* \\n| extend password = extract(@\\\"\\\\buser\\\\s+[^\\\\s]+\\\\s+([^\\\\s]+)\\\", 1, InitiatingProcessCommandLine) \\n| where username in(\u0027DefaultAccount\u0027) or password in(\u0027P@ssw0rd1234\u0027, \u0027_AS_@1394\u0027) \\n| extend Account = strcat(InitiatingProcessAccountDomain, @\u0027\\\\\u0027, InitiatingProcessAccountName), Computer = DeviceName\\n)\\n)\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| extend AccountName = tostring(split(Account, @\u0027\\\\\u0027)[1]), AccountNTDomain = tostring(split(Account, @\u0027\\\\\u0027)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"DEV-0270 New User Creation\",\"description\":\"The following query tries to detect creation of a new user using a known DEV-0270 username/password schema\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-09-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/042f2801-a375-4cfd-bd29-041fc7ed88a0\",\"name\":\"042f2801-a375-4cfd-bd29-041fc7ed88a0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.6\",\"severity\":\"Medium\",\"query\":\"SigninLogs\\n//Find risky Signin\\n| where RiskState == \\\"atRisk\\\" and ResultType == 0\\n| extend Signin_Time = TimeGenerated\\n| summarize\\n AppDisplayName=make_set(AppDisplayName),\\n ClientAppUsed=make_set(ClientAppUsed),\\n UserAgent=make_set(UserAgent),\\n CorrelationId=make_set(CorrelationId),\\n Signin_Time= min(Signin_Time),\\n RiskEventTypes=make_set(RiskEventTypes)\\n by\\n ConditionalAccessStatus,\\n IPAddress,\\n IsRisky,\\n ResourceDisplayName,\\n RiskDetail,\\n ResultType,\\n RiskLevelAggregated,\\n RiskLevelDuringSignIn,\\n RiskState,\\n UserPrincipalName=tostring(tolower(UserPrincipalName)),\\n SourceSystem\\n| join kind=inner (\\n CommonSecurityLog\\n | where DeviceVendor has_any (\\\"Palo Alto Networks\\\", \\\"Fortinet\\\", \\\"Check Point\\\", \\\"Zscaler\\\")\\n | where DeviceProduct startswith \\\"FortiGate\\\" or DeviceProduct startswith \\\"PAN\\\" or DeviceProduct startswith \\\"VPN\\\" or DeviceProduct startswith \\\"FireWall\\\" or DeviceProduct startswith \\\"NSSWeblog\\\" or DeviceProduct startswith \\\"URL\\\"\\n | where DeviceAction != \\\"Block\\\"\\n | where isnotempty(RequestURL)\\n | where isnotempty(SourceUserName)\\n | extend SourceUserName = tolower(SourceUserName)\\n | summarize\\n min(TimeGenerated),\\n max(TimeGenerated),\\n Activity=make_set(Activity)\\n by DestinationHostName, DestinationIP, RequestURL, SourceUserName=tostring(tolower(SourceUserName)),DeviceVendor,DeviceProduct\\n | extend 3p_observed_Time= min_TimeGenerated,Name = tostring(split(SourceUserName,\\\"@\\\")[0]),UPNSuffix =tostring(split(SourceUserName,\\\"@\\\")[1]))\\n on $left.IPAddress == $right.DestinationIP and $left.UserPrincipalName == $right.SourceUserName\\n| extend Timediff = datetime_diff(\u0027day\u0027, 3p_observed_Time, Signin_Time)\\n| where Timediff \u003c= 1 and Timediff \u003e= 0\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DestinationIP\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"DestinationHostName\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Risky user signin observed in non-Microsoft network device\",\"description\":\"This content is utilized to identify instances of successful login by risky users, who have been observed engaging in potentially suspicious network activity on non-Microsoft network devices.\",\"lastUpdatedDateUTC\":\"2024-06-14T00:00:00Z\",\"createdDateUTC\":\"2023-05-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog (Fortinet)\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog (CheckPoint)\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog (Zscaler)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/594c653d-719a-4c23-b028-36e3413e632e\",\"name\":\"594c653d-719a-4c23-b028-36e3413e632e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"GitHubAudit\\n| where Action == \\\"org.disable_two_factor_requirement\\\"\\n| project TimeGenerated, Action, Actor, Country, IPaddress, Repository\\n| extend Name = iif(Actor contains \\\"@\\\", split(Actor, \\\"@\\\")[0], Actor)\\n| extend UPNSuffix = iif(Actor contains \\\"@\\\", split(Actor, \\\"@\\\")[1], \\\"\\\")\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Actor\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPaddress\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"NRT GitHub Two Factor Auth Disable\",\"description\":\"Two-factor authentication is a process where a user is prompted during the sign-in process for an additional form of identification, such as to enter a code on their cellphone or to provide a fingerprint scan. Two factor authentication reduces the risk of account takeover. Attacker will want to disable such security tools in order to go undetected. \",\"lastUpdatedDateUTC\":\"2024-03-14T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/500415fb-bba7-4227-a08a-9857fb61b6a7\",\"name\":\"500415fb-bba7-4227-a08a-9857fb61b6a7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.4\",\"severity\":\"Medium\",\"query\":\"OfficeActivity\\n| where OfficeWorkload == \\\"Exchange\\\"\\n| where Operation in~ (\\\"New-TransportRule\\\", \\\"Set-TransportRule\\\")\\n| mv-apply DynamicParameters = todynamic(Parameters) on (summarize ParsedParameters = make_bag(pack(tostring(DynamicParameters.Name), DynamicParameters.Value)))\\n| extend RuleName = case(\\n Operation =~ \\\"Set-TransportRule\\\", OfficeObjectId,\\n Operation =~ \\\"New-TransportRule\\\", ParsedParameters.Name,\\n \\\"Unknown\\\")\\n| mv-expand ExpandedParameters = todynamic(Parameters)\\n| where ExpandedParameters.Name in~ (\\\"BlindCopyTo\\\", \\\"RedirectMessageTo\\\") and isnotempty(ExpandedParameters.Value)\\n| extend RedirectTo = ExpandedParameters.Value\\n| extend ClientIPValues = extract_all(@\u0027\\\\[?(::ffff:)?(?P\u003cIPAddress\u003e(\\\\d+\\\\.\\\\d+\\\\.\\\\d+\\\\.\\\\d+)|[^\\\\]]+)\\\\]?([-:](?P\u003cPort\u003e\\\\d+))?\u0027, dynamic([\\\"IPAddress\\\", \\\"Port\\\"]), ClientIP)[0]\\n| extend From = ParsedParameters.From\\n| project TimeGenerated, RedirectTo, IPAddress = tostring(ClientIPValues[0]), Port = tostring(ClientIPValues[1]), UserId, From, Operation, RuleName, Parameters\\n| extend AccountName = tostring(split(UserId, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(UserId, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserId\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]}],\"tactics\":[\"Collection\",\"Exfiltration\"],\"displayName\":\"Mail redirect via ExO transport rule\",\"description\":\"Identifies when Exchange Online transport rule configured to forward emails.\\nThis could be an adversary mailbox configured to collect mail from multiple user accounts.\",\"lastUpdatedDateUTC\":\"2024-04-04T00:00:00Z\",\"createdDateUTC\":\"2020-05-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity (Exchange)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2acc91c3-17c2-4388-938e-4eac2d5894e8\",\"name\":\"2acc91c3-17c2-4388-938e-4eac2d5894e8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"High\",\"query\":\"W3CIISLog\\n| where csMethod == \u0027GET\u0027\\n| where isnotempty(csUriStem) and isnotempty(csUriQuery)\\n| where csUriStem contains \\\"logoimagehandler.ashx\\\"\\n| where csUriQuery contains \\\"codes\\\" and csUriQuery contains \\\"clazz\\\" and csUriQuery contains \\\"method\\\" and csUriQuery contains \\\"args\\\"\\n| extend timestamp = TimeGenerated\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| extend AccountName = tostring(split(csUserName, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(csUserName, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"csUserName\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"cIP\"}]}],\"tactics\":[\"Persistence\",\"CommandAndControl\"],\"displayName\":\"SUPERNOVA webshell\",\"description\":\"Identifies SUPERNOVA webshell based on W3CIISLog data.\\n References:\\n - https://unit42.paloaltonetworks.com/solarstorm-supernova/\",\"lastUpdatedDateUTC\":\"2024-03-13T00:00:00Z\",\"createdDateUTC\":\"2021-01-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7ad4c32b-d0d2-411c-a0e8-b557afa12fce\",\"name\":\"7ad4c32b-d0d2-411c-a0e8-b557afa12fce\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| project TimeGenerated, Computer, AccountName = SubjectUserName, AccountNTDomain = SubjectDomainName, FileName = Process, CommandLine, ParentProcessName, SubjectAccount\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| where CommandLine contains \\\".decode(\u0027base64\u0027)\\\"\\n or CommandLine contains \\\"base64 --decode\\\"\\n or CommandLine contains \\\".decode64(\\\"\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SubjectAccount\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"Execution\",\"DefenseEvasion\"],\"displayName\":\"NRT Process executed from binary hidden in Base64 encoded file\",\"description\":\"Encoding malicious software is a technique used to obfuscate files from detection.\\nThe first CommandLine component is looking for Python decoding base64.\\nThe second CommandLine component is looking for Bash/sh command line base64 decoding.\\nThe third one is looking for Ruby decoding base64.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2019-01-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5efb0cfd-063d-417a-803b-562eae5b0301\",\"name\":\"5efb0cfd-063d-417a-803b-562eae5b0301\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 6h;\\n// Ignore Build/Releases with less/equal this number\\nlet ServiceConnectionThreshold = 3;\\n// New Connections need to exhibit execution of more \\\"new\\\" connections than this number.\\nlet NewConnectionThreshold = 1;\\n// List of Builds/Releases to ignore in your space\\nlet BypassDefIds = datatable(DefId:string, Type:string, ProjectName:string)\\n[\\n//\\\"103\\\", \\\"Release\\\", \\\"ProjectA\\\",\\n//\\\"42\\\", \\\"Release\\\", \\\"ProjectB\\\",\\n//\\\"122\\\", \\\"Build\\\", \\\"ProjectB\\\"\\n];\\nlet HistoricDefs = AzureDevOpsAuditing\\n| where TimeGenerated between (ago(starttime) .. ago(endtime))\\n| where OperationName == \\\"Library.ServiceConnectionExecuted\\\"\\n| extend DefId = tostring(Data.DefinitionId), Type = tostring(Data.PlanType), ConnectionId = tostring(Data.ConnectionId)\\n| summarize HistoricCount = dcount(tostring(ConnectionId)), ConnectionNames = make_set(tostring(Data.ConnectionName))\\n by DefId = tostring(DefId), Type = tostring(Type), ProjectId, ProjectName, ActorUPN;\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e= ago(endtime)\\n| where OperationName == \\\"Library.ServiceConnectionExecuted\\\"\\n| extend DefId = tostring(Data.DefinitionId), Type = tostring(Data.PlanType), ConnectionId = tostring(Data.ConnectionId)\\n| parse ScopeDisplayName with OrganizationName \u0027 (Organization)\u0027\\n| summarize CurrentCount = dcount(tostring(ConnectionId)), ConnectionNames = make_set(tostring(Data.ConnectionName)), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated)\\n by OrganizationName, DefId = tostring(DefId), Type = tostring(Type), ProjectId, ProjectName, ActorUPN\\n| where CurrentCount \u003e ServiceConnectionThreshold\\n| join (HistoricDefs) on ProjectId, DefId, Type, ActorUPN\\n| join kind=anti BypassDefIds on $left.DefId==$right.DefId and $left.Type == $right.Type and $left.ProjectName == $right.ProjectName\\n| extend link = iff(\\nType == \\\"Build\\\", strcat(\u0027https://dev.azure.com/\u0027, OrganizationName, \u0027/\u0027, ProjectName, \u0027/_build?definitionId=\u0027, DefId),\\nstrcat(\u0027https://dev.azure.com/\u0027, OrganizationName, \u0027/\u0027, ProjectName, \u0027/_release?_a=releases\u0026view=mine\u0026definitionId=\u0027, DefId))\\n| where CurrentCount \u003e= HistoricCount + NewConnectionThreshold\\n| project StartTime, OrganizationName, ProjectName, DefId, link, RecentDistinctServiceConnections = CurrentCount, HistoricDistinctServiceConnections = HistoricCount,\\n RecentConnections = ConnectionNames, HistoricConnections = ConnectionNames1, ActorUPN\\n| extend timestamp = StartTime\\n| extend AccountName = tostring(split(ActorUPN, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(ActorUPN, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ActorUPN\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]}],\"tactics\":[\"Persistence\",\"Impact\"],\"displayName\":\"Azure DevOps Service Connection Addition/Abuse - Historic allow list\",\"description\":\"This detection builds an allow list of historic service connection use by Builds and Releases and compares to recent history, flagging growth of service connection use which are not manually included in the allow list and not historically included in the allow list Build/Release runs.\\nThis is to determine if someone is hijacking a build/release and adding many service connections in order to abuse or dump credentials from service connections.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-04T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d6190dde-8fd2-456a-ac5b-0a32400b0464\",\"name\":\"d6190dde-8fd2-456a-ac5b-0a32400b0464\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.3\",\"severity\":\"Medium\",\"query\":\"let ProcessCreationEvents=(union isfuzzy=true\\n(SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, FileName = Process, CommandLine, ParentProcessName\\n),\\n(WindowsEvent\\n| where EventID==4688\\n| where EventData has_any (\\\".decode(\u0027base64\u0027)\\\", \\\"base64 --decode\\\", \\\".decode64(\\\" )\\n| extend CommandLine = tostring(EventData.CommandLine)\\n| where isnotempty(CommandLine)\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend FileName=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, CommandLine, ParentProcessName\\n));\\nProcessCreationEvents \\n| where CommandLine contains \\\".decode(\u0027base64\u0027)\\\"\\n or CommandLine contains \\\"base64 --decode\\\"\\n or CommandLine contains \\\".decode64(\\\" \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), CountToday = count() by Computer, Account, AccountDomain, FileName, CommandLine, ParentProcessName\\n| extend HostName = iif(Computer has \u0027.\u0027,substring(Computer,0,indexof(Computer,\u0027.\u0027)),Computer) , DnsDomain = iif(Computer has \u0027.\u0027,substring(Computer,indexof(Computer,\u0027.\u0027)+1),\u0027\u0027)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"Account\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]}],\"tactics\":[\"Execution\",\"DefenseEvasion\"],\"displayName\":\"Process executed from binary hidden in Base64 encoded file\",\"description\":\"Encoding malicious software is a technique used to obfuscate files from detection. \\nThe first CommandLine component is looking for Python decoding base64. \\nThe second CommandLine component is looking for Bash/sh command line base64 decoding.\\nThe third one is looking for Ruby decoding base64.\",\"lastUpdatedDateUTC\":\"2024-03-13T00:00:00Z\",\"createdDateUTC\":\"2019-01-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2be4ef67-a93f-4d8a-981a-88158cb73abd\",\"name\":\"2be4ef67-a93f-4d8a-981a-88158cb73abd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.6\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet covidIndicators = (externaldata(TimeGenerated:datetime, FileHashValue:string, FileHashType: string, TlpLevel: string, Product: string, ThreatType: string, Description: string )\\n[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.Covid19.Indicators.csv\\\"] with (format=\\\"csv\\\"));\\nlet fileHashIndicators = covidIndicators\\n| where isnotempty(FileHashValue);\\n// Handle matches against both lower case and uppercase versions of the hash:\\n(fileHashIndicators | extend FileHashValue = tolower(FileHashValue)\\n| union (fileHashIndicators | extend FileHashValue = toupper(FileHashValue)))\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n CommonSecurityLog | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(FileHash)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n )\\non $left.FileHashValue == $right.FileHash\\n| summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by FileHashValue\\n| project CommonSecurityLog_TimeGenerated, FileHashValue, FileHashType, Description, ThreatType,\\nSourceIP, SourcePort, DestinationIP, DestinationPort, SourceUserID, SourceUserName, DeviceName, DeviceAction,\\nRequestURL, DestinationUserName, DestinationUserID, ApplicationProtocol, Activity\\n| extend AccountName = tostring(split(SourceUserName, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(SourceUserName, \\\"@\\\")[1])\\n| extend HostName = tostring(split(DeviceName, \\\".\\\")[0]), DomainIndex = toint(indexof(DeviceName, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(DeviceName, DomainIndex + 1), DeviceName)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SourceUserName\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DeviceName\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Value\",\"columnName\":\"FileHashValue\"},{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashType\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"Microsoft COVID-19 file hash indicator matches\",\"description\":\"Identifies a match in CommonSecurityLog Event data from any FileHash published in the Microsoft COVID-19 Threat Intel Feed - as described at https://www.microsoft.com/security/blog/2020/05/14/open-sourcing-covid-threat-intelligence/\",\"lastUpdatedDateUTC\":\"2024-11-07T00:00:00Z\",\"createdDateUTC\":\"2019-08-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CefAma\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/572e75ef-5147-49d9-9d65-13f2ed1e3a86\",\"name\":\"572e75ef-5147-49d9-9d65-13f2ed1e3a86\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let inviting_users = (AuditLogs\\n | where TimeGenerated between(ago(14d)..ago(1d))\\n | where OperationName =~ \\\"Invite external user\\\"\\n | where Result =~ \\\"success\\\"\\n | extend InitiatingUserPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | where isnotempty(InitiatingUserPrincipalName)\\n | summarize by InitiatingUserPrincipalName);\\n AuditLogs\\n | where TimeGenerated \u003e ago(1d)\\n | where OperationName =~ \\\"Invite external user\\\"\\n | where Result =~ \\\"success\\\"\\n | extend InitiatingUserPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n | extend InitiatingIPAddress = tostring(InitiatedBy.user.ipAddress)\\n | where isnotempty(InitiatingUserPrincipalName) and InitiatingUserPrincipalName !in (inviting_users)\\n | extend TargetUserPrincipalName = tostring(TargetResources[0].userPrincipalName)\\n | extend TargetAadUserId = tostring(TargetResources[0].id)\\n | extend invitingUser = InitiatingUserPrincipalName, invitedUserPrincipalName = TargetUserPrincipalName\\n | extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[1])\\n | extend TargetAccountName = tostring(split(TargetUserPrincipalName, \\\"@\\\")[0]), TargetAccountUPNSuffix = tostring(split(TargetUserPrincipalName, \\\"@\\\")[1])\\n | project-reorder TimeGenerated, OperationName, Result, TargetUserPrincipalName, TargetAadUserId, InitiatingUserPrincipalName, InitiatingAadUserId, InitiatingIPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatingAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatingAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"TargetAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"TargetAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"TargetAadUserId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIPAddress\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Guest Users Invited to Tenant by New Inviters\",\"description\":\"Detects when a Guest User is added by a user account that has not been seen adding a guest in the previous 14 days.\\n Monitoring guest accounts and the access they are provided is important to detect potential account abuse.\\n Accounts added should be investigated to ensure the activity was legitimate.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d0255b5f-2a3c-4112-8744-e6757af3283a\",\"name\":\"d0255b5f-2a3c-4112-8744-e6757af3283a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P4D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"AlertPerResult\"},\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"// You can leave out Anomalies that are already monitored through other Analytics Rules\\n//let _MonitoredRules = dynamic([\\\"TestAlertName\\\"]);\\nlet query_frequency = 1h;\\nlet query_lookback = 3d;\\nAnomalies\\n| where TimeGenerated \u003e ago(query_frequency)\\n//| where not(RuleName has_any (_MonitoredRules))\\n| join kind = leftanti (\\n Anomalies\\n | where TimeGenerated between (ago(query_frequency + query_lookback)..ago(query_frequency))\\n | distinct RuleName\\n) on RuleName\\n| extend Name = tostring(split(UserPrincipalName, \\\"@\\\")[0]), UPNSuffix = tostring(split(UserPrincipalName, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Unusual Anomaly - {{RuleName}}\",\"alertDescriptionFormat\":null,\"alertTacticsColumnName\":\"Tactics\",\"alertSeverityColumnName\":null},\"displayName\":\"Unusual Anomaly\",\"description\":\"Anomaly Rules generate events in the Anomalies table. This scheduled rule tries to detect Anomalies that are not usual, they could be a type of Anomaly that has recently been activated, or an infrequent type. The detected Anomaly should be reviewed, if it is relevant enough, eventually a separate scheduled Analytics Rule could be created specifically for that Anomaly Type, so an alert and/or incident is generated everytime that type of Anomaly happens.\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2022-07-27T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/06bbf969-fcbe-43fa-bac2-b2fa131d113a\",\"name\":\"06bbf969-fcbe-43fa-bac2-b2fa131d113a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.5\",\"severity\":\"Medium\",\"query\":\"// ADHealth Monitoring Agent Registry Key\\nlet aadHealthMonAgentRegKey = \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\MicrosoftOnline\\\\\\\\Reporting\\\\\\\\MonitoringAgent\\\";\\n// Filter out known processes\\nlet aadConnectHealthProcs = dynamic ([\\n \u0027Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe\u0027,\\n \u0027Microsoft.Identity.Health.Adfs.InsightsService.exe\u0027,\\n \u0027Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe\u0027,\\n \u0027Microsoft.Identity.Health.Adfs.PshSurrogate.exe\u0027,\\n \u0027Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe\u0027,\\n \u0027Microsoft.Identity.Health.AadSync.MonitoringAgent.Startup.exe\u0027,\\n \u0027Microsoft.Identity.AadConnect.Health.AadSync.Host.exe\u0027,\\n \u0027Microsoft.Azure.ActiveDirectory.Synchronization.Upgrader.exe\u0027,\\n \u0027miiserver.exe\u0027\\n]);\\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where EventID == \u00274656\u0027\\n| where EventData has aadHealthMonAgentRegKey\\n| extend EventData = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Computer, EventID)\\n| extend ObjectName = column_ifexists(\\\"ObjectName\\\", \\\"\\\"),\\n ObjectType = column_ifexists(\\\"ObjectType\\\", \\\"\\\")\\n| where ObjectType == \u0027Key\u0027\\n| where ObjectName == aadHealthMonAgentRegKey\\n| extend SubjectUserName = column_ifexists(\\\"SubjectUserName\\\", \\\"\\\"),\\n SubjectDomainName = column_ifexists(\\\"SubjectDomainName\\\", \\\"\\\"),\\n ProcessName = column_ifexists(\\\"ProcessName\\\", \\\"\\\")\\n| extend Process = split(ProcessName, \u0027\\\\\\\\\u0027, -1)[-1],\\n Account = strcat(SubjectDomainName, \\\"\\\\\\\\\\\", SubjectUserName)\\n| where Process !in (aadConnectHealthProcs)\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by EventID, Account, Computer, Process, SubjectUserName, SubjectDomainName, ObjectName, ObjectType, ProcessName\\n),\\n ( WindowsEvent\\n| where EventID == \u00274656\u0027 and EventData has aadHealthMonAgentRegKey\\n| extend ObjectType = tostring(EventData.ObjectType)\\n| where ObjectType == \u0027Key\u0027\\n| extend ObjectName = tostring(EventData.ObjectName)\\n| where ObjectName == aadHealthMonAgentRegKey\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| extend Process = tostring(split(ProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where Process !in (aadConnectHealthProcs)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName)\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by EventID, Account, Computer, Process, SubjectUserName, SubjectDomainName, ObjectName, ObjectType, ProcessName\\n),\\n(\\nSecurityEvent\\n| where EventID == \u00274663\u0027\\n| where ObjectType == \u0027Key\u0027\\n| where ObjectName == aadHealthMonAgentRegKey\\n| extend Process = tostring(split(ProcessName, \u0027\\\\\\\\\u0027, -1)[-1])\\n| where Process !in (aadConnectHealthProcs)\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by EventID, Account, Computer, Process, SubjectUserName, SubjectDomainName, ObjectName, ObjectType, ProcessName\\n),\\n( WindowsEvent\\n| where EventID == \u00274663\u0027 and EventData has aadHealthMonAgentRegKey\\n| extend ObjectType = tostring(EventData.ObjectType)\\n| where ObjectType == \u0027Key\u0027\\n| extend ObjectName = tostring(EventData.ObjectName)\\n| where ObjectName == aadHealthMonAgentRegKey\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| extend Process = tostring(split(ProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where Process !in (aadConnectHealthProcs)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName)\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by EventID, Account, Computer, Process, SubjectUserName, SubjectDomainName, ObjectName, ObjectType, ProcessName\\n)\\n)\\n// You can filter out potential machine accounts\\n//| where AccountType != \u0027Machine\u0027\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| extend Name = tostring(split(Account, \\\"\\\\\\\\\\\")[1]), NTDomain = tostring(split(Account, \\\"\\\\\\\\\\\")[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"NTDomain\",\"columnName\":\"NTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"Collection\"],\"displayName\":\"Microsoft Entra ID Health Service Agents Registry Keys Access\",\"description\":\"This detection uses Windows security events to detect suspicious access attempts to the registry key values and sub-keys of Microsoft Entra ID Health service agents (e.g AD FS).\\nInformation from AD Health service agents can be used to potentially abuse some of the features provided by those services in the cloud (e.g. Federation).\\nThis detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object: HKLM:\\\\SOFTWARE\\\\Microsoft\\\\ADHealthAgent.\\nMake sure you set the SACL to propagate to its sub-keys. You can find more information in here https://github.com/OTRF/Set-AuditRule/blob/master/rules/registry/aad_connect_health_service_agent.yml\\n\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2021-08-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8ac77493-3cae-4840-8634-15fb23f8fb68\",\"name\":\"8ac77493-3cae-4840-8634-15fb23f8fb68\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"let BEC_Keywords = dynamic([ \u0027invoice\u0027,\u0027payment\u0027,\u0027paycheck\u0027,\u0027transfer\u0027,\u0027bank statement\u0027,\u0027bank details\u0027,\u0027closing\u0027,\u0027funds\u0027,\u0027bank account\u0027,\u0027account details\u0027,\u0027remittance\u0027,\u0027purchase\u0027,\u0027deposit\u0027,\\\"PO#\\\",\\\"Zahlung\\\",\\\"Rechnung\\\",\\\"Paiement\\\", \\\"virement bancaire\\\",\\\"Bankuberweisung\\\",\u0027hacked\u0027,\u0027phishing\u0027]);\\nOfficeActivity\\n| where Operation =~ \\\"New-InboxRule\\\"\\n| where Parameters has \\\"Deleted Items\\\" or Parameters has \\\"Junk Email\\\" or Parameters has \\\"DeleteMessage\\\"\\n| extend Events=todynamic(Parameters)\\n| parse Events with * \\\"SubjectContainsWords\\\" SubjectContainsWords \u0027}\u0027*\\n| parse Events with * \\\"BodyContainsWords\\\" BodyContainsWords \u0027}\u0027*\\n| parse Events with * \\\"SubjectOrBodyContainsWords\\\" SubjectOrBodyContainsWords \u0027}\u0027*\\n| where SubjectContainsWords has_any (BEC_Keywords)\\n or BodyContainsWords has_any (BEC_Keywords)\\n or SubjectOrBodyContainsWords has_any (BEC_Keywords)\\n| extend ClientIPAddress = case( ClientIP has \\\".\\\", tostring(split(ClientIP,\\\":\\\")[0]), ClientIP has \\\"[\\\", tostring(trim_start(@\u0027[[]\u0027,tostring(split(ClientIP,\\\"]\\\")[0]))), ClientIP )\\n| extend Keyword = iff(isnotempty(SubjectContainsWords), SubjectContainsWords, (iff(isnotempty(BodyContainsWords),BodyContainsWords,SubjectOrBodyContainsWords )))\\n| extend RuleDetail = case(OfficeObjectId contains \u0027/\u0027 , tostring(split(OfficeObjectId, \u0027/\u0027)[-1]) , tostring(split(OfficeObjectId, \u0027\\\\\\\\\u0027)[-1]))\\n| summarize count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by Operation, UserId, ClientIPAddress, ResultStatus, Keyword, OriginatingServer, OfficeObjectId, RuleDetail\\n| extend UserName = split(UserId, \u0027@\u0027)[0], DomainName = split(UserId, \u0027@\u0027)[1]\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserId\"},{\"identifier\":\"Name\",\"columnName\":\"UserName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"DomainName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIPAddress\"}]}],\"tactics\":[\"Persistence\",\"DefenseEvasion\"],\"displayName\":\"Malicious BEC Inbox Rule\",\"description\":\"Often times after the initial compromise in a BEC attack the attackers create inbox rules to delete emails that contain certain keywords related to their BEC attack.\\n This is done so as to limit ability to warn compromised users that they\u0027ve been compromised. \",\"lastUpdatedDateUTC\":\"2024-03-14T00:00:00Z\",\"createdDateUTC\":\"2020-03-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3b05727d-a8d1-477d-bbdd-d957da96ac7b\",\"name\":\"3b05727d-a8d1-477d-bbdd-d957da96ac7b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"OfficeActivity\\n| where OfficeWorkload =~ \\\"Exchange\\\"\\n| where Parameters has_any (\\\"ForwardTo\\\", \\\"RedirectTo\\\", \\\"ForwardingSmtpAddress\\\")\\n| mv-apply DynamicParameters = todynamic(Parameters) on (summarize ParsedParameters = make_bag(pack(tostring(DynamicParameters.Name), DynamicParameters.Value)))\\n| evaluate bag_unpack(ParsedParameters, columnsConflict=\u0027replace_source\u0027)\\n| extend DestinationMailAddress = tolower(case(\\n isnotempty(column_ifexists(\\\"ForwardTo\\\", \\\"\\\")), column_ifexists(\\\"ForwardTo\\\", \\\"\\\"),\\n isnotempty(column_ifexists(\\\"RedirectTo\\\", \\\"\\\")), column_ifexists(\\\"RedirectTo\\\", \\\"\\\"),\\n isnotempty(column_ifexists(\\\"ForwardingSmtpAddress\\\", \\\"\\\")), trim_start(@\\\"smtp:\\\", column_ifexists(\\\"ForwardingSmtpAddress\\\", \\\"\\\")),\\n \\\"\\\"))\\n| where isnotempty(DestinationMailAddress)\\n| mv-expand split(DestinationMailAddress, \\\";\\\")\\n| extend ClientIPValues = extract_all(@\u0027\\\\[?(::ffff:)?(?P\u003cIPAddress\u003e(\\\\d+\\\\.\\\\d+\\\\.\\\\d+\\\\.\\\\d+)|[^\\\\]]+)\\\\]?([-:](?P\u003cPort\u003e\\\\d+))?\u0027, dynamic([\\\"IPAddress\\\", \\\"Port\\\"]), ClientIP)[0]\\n| extend ClientIP = tostring(ClientIPValues[0]), Port = tostring(ClientIPValues[1])\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), DistinctUserCount = dcount(UserId), UserId = make_set(UserId, 250), Ports = make_set(Port, 250), EventCount = count() by tostring(DestinationMailAddress), ClientIP\\n| where DistinctUserCount \u003e 1\\n| mv-expand UserId to typeof(string)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]}],\"tactics\":[\"Collection\",\"Exfiltration\"],\"displayName\":\"NRT Multiple users email forwarded to same destination\",\"description\":\"Identifies when multiple (more than one) users mailboxes are configured to forward to the same destination.\\nThis could be an attacker-controlled destination mailbox configured to collect mail from multiple compromised user accounts.\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2019-08-23T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/36a9c9e5-3dc1-4ed9-afaa-1d13617bfc2b\",\"name\":\"36a9c9e5-3dc1-4ed9-afaa-1d13617bfc2b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.9\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\n// let ioc_lookBack = 14d;\\n// ThreatIntelligenceIndicator\\n// // Picking up only IOC\u0027s that contain the entities we want\\n// | where isnotempty(Url)\\n// | where TimeGenerated \u003e= ago(ioc_lookBack)\\n// | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n// | where Active == true and ExpirationDateTime \u003e now()\\n// // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n// | join kind=innerunique (\\n// OfficeActivity\\n// | where TimeGenerated \u003e= ago(dt_lookBack)\\n// //Extract the Url from a number of potential fields\\n// | extend Url = iif(OfficeWorkload == \\\"AzureActiveDirectory\\\",extract(\\\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.\u0026+]|[!*\\\\\\\\(\\\\\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+)\\\", 1,ModifiedProperties),tostring(parse_json(ModifiedProperties)[12].NewValue))\\n// | where isnotempty(Url)\\n// // Ensure we get a clean URL\\n// | extend Url = tostring(split(Url, \u0027;\u0027)[0])\\n// | extend OfficeActivity_TimeGenerated = TimeGenerated\\n// // Project a single user identity that we can use for entity mapping\\n// | extend User = iif(isnotempty(UserId), UserId, iif(isnotempty(Actor), tostring(parse_json(Actor)[0].ID), tostring(parse_json(Parameters)[0].Value)))\\n// ) on Url\\n// | where OfficeActivity_TimeGenerated \u003c ExpirationDateTime\\n// | summarize OfficeActivity_TimeGenerated = arg_max(OfficeActivity_TimeGenerated, *) by IndicatorId, Url\\n// | project OfficeActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Operation,\\n// UserType, OfficeWorkload, Parameters, Url, User\\n// | extend timestamp = OfficeActivity_TimeGenerated, Name = tostring(split(User, \u0027@\u0027, 0)[0]), UPNSuffix = tostring(split(User, \u0027@\u0027, 1)[0])\\ndatatable() []\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"User\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"TI Map URL Entity to OfficeActivity Data [Deprecated]\",\"description\":\"This query is Deprecated as its filter conditions will never yield results. This query identifies any URL indicators of compromise (IOCs) from threat intelligence (TI) by searching for matches in OfficeActivity data.\",\"lastUpdatedDateUTC\":\"2024-09-12T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9fb57e58-3ed8-4b89-afcf-c8e786508b1c\",\"name\":\"9fb57e58-3ed8-4b89-afcf-c8e786508b1c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.4\",\"severity\":\"Low\",\"query\":\"// Add or remove operation names below as per your requirements. For operations lists, please refer to https://learn.microsoft.com/en-us/Azure/role-based-access-control/resource-provider-operations#all\\nlet szOperationNames = dynamic([\\\"Microsoft.Compute/virtualMachines/write\\\", \\\"Microsoft.Resources/deployments/write\\\", \\\"Microsoft.Resources/subscriptions/resourceGroups/write\\\"]);\\nlet starttime = 14d;\\nlet endtime = 1d;\\nlet RareCaller = AzureActivity\\n| where TimeGenerated between (ago(starttime) .. ago(endtime))\\n| where OperationNameValue in~ (szOperationNames)\\n| summarize count() by CallerIpAddress, Caller, OperationNameValue, bin(TimeGenerated,1d)\\n// Returns all the records from the right side that don\u0027t have matches from the left.\\n| join kind=rightantisemi (\\nAzureActivity\\n| where TimeGenerated \u003e ago(endtime)\\n| where OperationNameValue in~ (szOperationNames)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = make_set(TimeGenerated,100), ActivityStatusValue = make_set(ActivityStatusValue,100), CorrelationIds = make_set(CorrelationId,100), ResourceGroups = make_set(ResourceGroup,100), ResourceIds = make_set(_ResourceId,100), ActivityCountByCallerIPAddress = count()\\nby CallerIpAddress, Caller, OperationNameValue) on CallerIpAddress, Caller, OperationNameValue;\\nRareCaller\\n| extend Name = iif(Caller has \u0027@\u0027,tostring(split(Caller,\u0027@\u0027,0)[0]),\\\"\\\")\\n| extend UPNSuffix = iif(Caller has \u0027@\u0027,tostring(split(Caller,\u0027@\u0027,1)[0]),\\\"\\\")\\n| extend AadUserId = iif(Caller !has \u0027@\u0027,Caller,\\\"\\\")\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Caller\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"AadUserId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"CallerIpAddress\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Suspicious Resource deployment\",\"description\":\"Identifies when a rare Resource and ResourceGroup deployment occurs by a previously unseen caller.\",\"lastUpdatedDateUTC\":\"2024-03-04T00:00:00Z\",\"createdDateUTC\":\"2019-02-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c3e5dbaa-a540-408c-8b36-68bdfb3df088\",\"name\":\"c3e5dbaa-a540-408c-8b36-68bdfb3df088\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n | where EventID == 4688\\n | where isnotempty(CommandLine)\\n | where CommandLine contains \\\"TVqQAAMAAAAEAAA\\\"\\n | extend HostName = tostring(split(Computer, \u0027.\u0027, 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Computer, \u0027.\u0027), 1, -1), \u0027.\u0027))\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SubjectAccount\"},{\"identifier\":\"Name\",\"columnName\":\"SubjectUserName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"SubjectDomainName\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]}],\"tactics\":[\"Execution\",\"DefenseEvasion\"],\"displayName\":\"NRT Base64 Encoded Windows Process Command-lines\",\"description\":\"This detection identifies instances of a base64 encoded PE file header seen in the process command line parameter.\",\"lastUpdatedDateUTC\":\"2024-03-13T00:00:00Z\",\"createdDateUTC\":\"2022-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b4ceb583-4c44-4555-8ecf-39f572e827ba\",\"name\":\"b4ceb583-4c44-4555-8ecf-39f572e827ba\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.5\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet scorethreshold = 1.5;\\nlet percentthreshold = 50;\\n// Preparing the time series data aggregated hourly count of MailItemsAccessd Operation in the form of multi-value array to use with time series anomaly function.\\nlet TimeSeriesData =\\nOfficeActivity\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where OfficeWorkload=~ \\\"Exchange\\\" and Operation =~ \\\"MailItemsAccessed\\\" and ResultStatus =~ \\\"Succeeded\\\"\\n| project TimeGenerated, Operation, MailboxOwnerUPN\\n| make-series Total=count() on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe;\\nlet TimeSeriesAlerts = TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(Total, scorethreshold, -1, \u0027linefit\u0027)\\n| mv-expand Total to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to typeof(double), baseline to typeof(long)\\n| where anomalies \u003e 0\\n| project TimeGenerated, Total, baseline, anomalies, score;\\n// Joining the flagged outlier from the previous step with the original dataset to present contextual information\\n// during the anomalyhour to analysts to conduct investigation or informed decisions.\\nTimeSeriesAlerts | where TimeGenerated \u003e ago(2d)\\n// Join against base logs since specified timeframe to retrive records associated with the hour of anomoly\\n| join kind=innerunique (\\n OfficeActivity\\n | where TimeGenerated \u003e ago(2d)\\n | extend DateHour = bin(TimeGenerated, 1h)\\n | where OfficeWorkload=~ \\\"Exchange\\\" and Operation =~ \\\"MailItemsAccessed\\\" and ResultStatus =~ \\\"Succeeded\\\"\\n | summarize HourlyCount=count(), TimeGeneratedMax = arg_max(TimeGenerated, *), IPAdressList = make_set(Client_IPAddress, 1000), SourceIPMax= arg_max(Client_IPAddress, *), ClientInfoStringList= make_set(ClientInfoString, 1000) by MailboxOwnerUPN, Logon_Type, TenantId, UserType, TimeGenerated = bin(TimeGenerated, 1h)\\n | where HourlyCount \u003e 25 // Only considering operations with more than 25 hourly count to reduce False Positivies\\n | order by HourlyCount desc\\n) on TimeGenerated\\n| extend PercentofTotal = round(HourlyCount/Total, 2) * 100\\n| where PercentofTotal \u003e percentthreshold // Filter Users with count of less than 5 percent of TotalEvents per Hour to remove FPs/ users with very low count of MailItemsAccessed events\\n| order by PercentofTotal desc\\n| project-reorder TimeGeneratedMax, Type, OfficeWorkload, Operation, UserId, SourceIPMax, IPAdressList, ClientInfoStringList, HourlyCount, PercentofTotal, Total, baseline, score, anomalies\\n| extend AccountName = tostring(split(UserId, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(UserId, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserId\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"Client_IPAddress\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIPMax\"}]}],\"tactics\":[\"Collection\"],\"displayName\":\"Exchange workflow MailItemsAccessed operation anomaly\",\"description\":\"Identifies anomalous increases in Exchange mail items accessed operations.\\nThe query leverages KQL built-in anomaly detection algorithms to find large deviations from baseline patterns.\\nSudden increases in execution frequency of sensitive actions should be further investigated for malicious activity.\\nManually change scorethreshold from 1.5 to 3 or higher to reduce the noise based on outliers flagged from the query criteria.\\nRead more about MailItemsAccessed- https://docs.microsoft.com/microsoft-365/compliance/advanced-audit?view=o365-worldwide#mailitemsaccessed\",\"lastUpdatedDateUTC\":\"2024-03-13T00:00:00Z\",\"createdDateUTC\":\"2020-12-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity (Exchange)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/69b7723c-2889-469f-8b55-a2d355ed9c87\",\"name\":\"69b7723c-2889-469f-8b55-a2d355ed9c87\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.4.3\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h; // Look back 1 hour for DNS events\\nlet ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators\\n// Fetch threat intelligence indicators related to IP addresses\\nlet IP_Indicators = ThreatIntelligenceIndicator\\n | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n | where TimeGenerated \u003e= ago(ioc_lookBack)\\n | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \\\"fe80\\\" and TI_ipEntity !startswith \\\"::\\\" and TI_ipEntity !startswith \\\"127.\\\"\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n | where Active == true and ExpirationDateTime \u003e now();\\n// Perform a join between IP indicators and DNS events\\nIP_Indicators\\n // Use innerunique to keep performance fast and result set low, as we only need one match to indicate potential malicious activity that needs investigation\\n | join kind=innerunique (\\n DnsEvents\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where SubType =~ \\\"LookupQuery\\\" and isnotempty(IPAddresses)\\n | mv-expand SingleIP = split(IPAddresses, \\\", \\\") to typeof(string)\\n | extend DNS_TimeGenerated = TimeGenerated\\n )\\n on $left.TI_ipEntity == $right.SingleIP\\n // Filter out DNS events that occurred after the expiration of the corresponding indicator\\n | where DNS_TimeGenerated \u003c ExpirationDateTime\\n // Group the results by IndicatorId and SingleIP, and keep the DNS event with the latest timestamp\\n | summarize DNS_TimeGenerated = arg_max(DNS_TimeGenerated, *) by IndicatorId, SingleIP\\n // Select the desired output fields\\n | project DNS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, DomainName, ExpirationDateTime, ConfidenceScore,\\n TI_ipEntity, Computer, EventId, SubType, ClientIP, Name, IPAddresses, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, Type\\n | extend timestamp = DNS_TimeGenerated, HostName = tostring(split(Computer, \u0027.\u0027, 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Computer, \u0027.\u0027), 1, -1), \u0027.\u0027))\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"TI Map IP Entity to DnsEvents\",\"description\":\"This query maps any IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in DnsEvents.\",\"lastUpdatedDateUTC\":\"2024-07-09T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f4a28082-2808-4783-9736-33c1ae117475\",\"name\":\"f4a28082-2808-4783-9736-33c1ae117475\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"// Retrieve Azure AD SigninLogs within the last day\\nSigninLogs \\n// Filter for specific AppDisplayNames, ResultType, and Risk Levels\\n| where AppDisplayName in (\\\"Azure Portal\\\", \\\"ADFS Trust\\\", \\\"Microsoft Azure PowerShell\\\")\\n and RiskLevelAggregated == \\\"high\\\"\\n and RiskLevelDuringSignIn == \\\"high\\\"\\n// Summarize AppDisplayNames by relevant attributes\\n| extend Result = iff(ResultType == 0, \\\"Successful Signin\\\", \\\"Failed Signin\\\")\\n| summarize make_set(AppDisplayName)\\n by\\n IPAddress,\\n signInTime=TimeGenerated,\\n UserPrincipalName,\\n RiskEventTypes,\\n RiskEventTypes_V2\\n// Inner join with AWS CloudTrail events\\n| join kind=inner (\\n AWSCloudTrail\\n | where isempty(ErrorMessage)\\n | where EventSource in (\\\"iam.amazonaws.com\\\", \\\"identitystore.amazonaws.com\\\", \\\"workmail.amazonaws.com\\\", \\\"workdocs.amazonaws.com\\\")\\n // List of AWS event names\\n | where EventName in~ (\\\"CreateRole\\\", \\\"DeleteRole\\\", \\\"CreateUser\\\", \\\"CreateAccessKey\\\", \\\"DeleteAccessKey\\\", \\\"CreateGroup\\\", \\\"AddUserToGroup\\\", \\\"ChangePassword\\\", \\\"DeleteGroup\\\", \\\"DeleteUser\\\", \\\"RemoveUserFromGroup\\\", \\\"CreateVirtualMFADevice\\\", \\\"DeleteLoginProfile\\\", \\\"CreateOrganization\\\", \\\"SetDefaultMailDomain\\\", \\\"SetMailUserDetails\\\", \\\"CreateMailUser\\\", \\\"ResetPassword\\\", \\\"RegisterToWorkMail\\\", \\\"DisableMailUsers\\\", \\\"EnableMailUsers\\\", \\\"DeleteServiceSpecificCredential\\\", \\\"CreateServiceSpecificCredential\\\", \\\"UpdateAccountEmailAddress\\\", \\\"DeleteGroupPolicy\\\", \\\"UploadServerCertificate\\\") \\n // Summarize relevant attributes\\n | summarize make_set(RequestParameters), make_set(ResponseElements)\\n by\\n SourceIpAddress,\\n UserIdentityArn,\\n UserIdentityType,\\n EventName,\\n EventTime=TimeGenerated,\\n EventSource\\n )\\n on $left.IPAddress == $right.SourceIpAddress \\n// Calculate time difference in hours between AWS event and Azure sign-in\\n| extend timedef = datetime_diff(\\\"hour\\\", EventTime, signInTime)\\n// Filter for time differences within a certain range\\n| where timedef between (0 .. 8)\",\"customDetails\":{\"AwsUser\":\"UserIdentityArn\",\"RiskEventTypes\":\"RiskEventTypes\",\"AzureUser\":\"UserPrincipalName\",\"AWSEventName\":\"EventName\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIpAddress\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"High-Risk Cross-Cloud User Impersonation\",\"description\":\"This detection focuses on identifying high-risk cross-cloud activities and sign-in anomalies that may indicate potential security threats. The query starts by analyzing Microsoft Entra ID Signin Logs to pinpoint instances where specific applications, risk levels, and result types align. It then correlates this information with relevant AWS CloudTrail events to identify activities across Azure and AWS environments.\",\"lastUpdatedDateUTC\":\"2023-11-12T00:00:00Z\",\"createdDateUTC\":\"2023-08-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/155f40c6-610d-497d-85fc-3cf06ec13256\",\"name\":\"155f40c6-610d-497d-85fc-3cf06ec13256\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"yahoo-verification.org\\\",\\\"support-servics.com\\\",\\\"verification-live.com\\\",\\\"com-mailbox.com\\\",\\\"com-myaccuants.com\\\",\\\"notification-accountservice.com\\\",\\n\\\"accounts-web-mail.com\\\",\\\"customer-certificate.com\\\",\\\"session-users-activities.com\\\",\\\"user-profile-credentials.com\\\",\\\"verify-linke.com\\\",\\\"support-servics.net\\\",\\\"verify-linkedin.net\\\",\\n\\\"yahoo-verification.net\\\",\\\"yahoo-verify.net\\\",\\\"outlook-verify.net\\\",\\\"com-users.net\\\",\\\"verifiy-account.net\\\",\\\"te1egram.net\\\",\\\"account-verifiy.net\\\",\\\"myaccount-services.net\\\",\\n\\\"com-identifier-servicelog.name\\\",\\\"microsoft-update.bid\\\",\\\"outlook-livecom.bid\\\",\\\"update-microsoft.bid\\\",\\\"documentsfilesharing.cloud\\\",\\\"com-microsoftonline.club\\\",\\n\\\"confirm-session-identifier.info\\\",\\\"session-management.info\\\",\\\"confirmation-service.info\\\",\\\"document-share.info\\\",\\\"broadcast-news.info\\\",\\\"customize-identity.info\\\",\\\"webemail.info\\\",\\n\\\"com-identifier-servicelog.info\\\",\\\"documentsharing.info\\\",\\\"notification-accountservice.info\\\",\\\"identifier-activities.info\\\",\\\"documentofficupdate.info\\\",\\\"recoveryusercustomer.info\\\",\\n\\\"serverbroadcast.info\\\",\\\"account-profile-users.info\\\",\\\"account-service-management.info\\\",\\\"accounts-manager.info\\\",\\\"activity-confirmation-service.info\\\",\\\"com-accountidentifier.info\\\",\\n\\\"com-privacy-help.info\\\",\\\"com-sessionidentifier.info\\\",\\\"com-useraccount.info\\\",\\\"confirmation-users-service.info\\\",\\\"confirm-identity.info\\\",\\\"confirm-session-identification.info\\\",\\n\\\"continue-session-identifier.info\\\",\\\"customer-recovery.info\\\",\\\"customers-activities.info\\\",\\\"elitemaildelivery.info\\\",\\\"email-delivery.info\\\",\\\"identify-user-session.info\\\",\\n\\\"message-serviceprovider.info\\\",\\\"notificationapp.info\\\",\\\"notification-manager.info\\\",\\\"recognized-activity.info\\\",\\\"recover-customers-service.info\\\",\\\"recovery-session-change.info\\\",\\n\\\"service-recovery-session.info\\\",\\\"service-session-continue.info\\\",\\\"session-mail-customers.info\\\",\\\"session-managment.info\\\",\\\"session-verify-user.info\\\",\\\"shop-sellwear.info\\\",\\n\\\"supportmailservice.info\\\",\\\"terms-service-notification.info\\\",\\\"user-activity-issues.info\\\",\\\"useridentity-confirm.info\\\",\\\"users-issue-services.info\\\",\\\"verify-user-session.info\\\",\\n\\\"login-gov.info\\\",\\\"notification-signal-agnecy.info\\\",\\\"notifications-center.info\\\",\\\"identifier-services-sessions.info\\\",\\\"customers-manager.info\\\",\\\"session-manager.info\\\",\\n\\\"customer-managers.info\\\",\\\"confirmation-recovery-options.info\\\",\\\"service-session-confirm.info\\\",\\\"session-recovery-options.info\\\",\\\"services-session-confirmation.info\\\",\\n\\\"notification-managers.info\\\",\\\"activities-services-notification.info\\\",\\\"activities-recovery-options.info\\\",\\\"activity-session-recovery.info\\\",\\\"customers-services.info\\\",\\n\\\"sessions-notification.info\\\",\\\"download-teamspeak.info\\\",\\\"services-issue-notification.info\\\",\\\"microsoft-upgrade.mobi\\\",\\\"broadcastnews.pro\\\",\\\"mobile-messengerplus.network\\\"]);\\nlet IPList = dynamic([\\\"51.91.200.147\\\"]);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 *\\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend RequestURLIP = extract(IPRegex, 0, Message)\\n| where (isnotempty(SourceIP) and SourceIP in (IPList)) or (isnotempty(DestinationIP) and DestinationIP in (IPList))\\nor (isnotempty(DNSName) and DNSName in~ (DomainNames)) or (isnotempty(DestinationHostName) and DestinationHostName in~ (DomainNames)) or (isnotempty(RequestURL) and (RequestURL has_any (DomainNames) or RequestURLIP in (IPList)))\\nor (isnotempty(Message) and MessageIP in (IPList))\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", RequestURLIP in (IPList), \\\"RequestUrl\\\", \\\"NoMatch\\\")\\n| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP,IPMatch == \\\"Message\\\", MessageIP,\\nIPMatch == \\\"RequestUrl\\\", RequestURLIP,\\\"NoMatch\\\"), Account = SourceUserID, Host = DeviceName\\n),\\n(_Im_Dns (domain_has_any=DomainNames)\\n| extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host),\\n(_Im_Dns (response_has_any_prefix=IPList)\\n| extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host),\\n(_Im_WebSession(url_has_any=DomainNames)\\n| extend DestinationIPAddress = DstIpAddr, DNSName = tostring(parse_url(Url)[\\\"Host\\\"]), Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host),\\n(VMConnection\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where isnotempty(SourceIp) or isnotempty(DestinationIp) or isnotempty(DNSName)\\n| where SourceIp in (IPList) or DestinationIp in (IPList) or DNSName in~ (DomainNames)\\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", \\\"None\\\")\\n| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"None\\\"), Host = Computer),\\n(OfficeActivity\\n| extend SourceIPAddress = ClientIP, Account = UserId\\n| where SourceIPAddress in (IPList)\\n| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPCustomEntity = SourceHost \\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| project TimeGenerated,Resource, msg_s, Type\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where Request_Name has_any (DomainNames)\\n| extend DNSName = Request_Name \\n| extend IPCustomEntity = ClientIP\\n),\\n(AZFWApplicationRule\\n| where isnotempty(Fqdn)\\n| where Fqdn has_any (DomainNames) \\n| extend DNSName = Fqdn \\n| extend IPCustomEntity = SourceIp\\n),\\n(AZFWDnsQuery\\n| where isnotempty(QueryName)\\n| where QueryName has_any (DomainNames)\\n| extend DNSName = QueryName\\n| extend IPCustomEntity = SourceIp\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"[Deprecated] - Known Phosphorus group domains/IP\",\"description\":\"This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft\u0027s Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2020-10-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\",\"AZFWApplicationRule\",\"AZFWDnsQuery\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5dd76a87-9f87-4576-bab3-268b0e2b338b\",\"name\":\"5dd76a87-9f87-4576-bab3-268b0e2b338b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.2.4\",\"severity\":\"Medium\",\"query\":\"// Set threshold for the number of downloads/uploads from a new user agent\\nlet threshold = 5;\\n// Define constants for SharePoint file operations\\nlet szSharePointFileOperation = \\\"SharePointFileOperation\\\";\\nlet szOperations = dynamic([\\\"FileDownloaded\\\", \\\"FileUploaded\\\"]);\\n// Define the historical activity for analysis\\nlet starttime = 14d; // Define the start time for historical data (14 days ago)\\nlet endtime = 1d; // Define the end time for historical data (1 day ago)\\n// Extract the base events for analysis\\nlet Baseevents =\\n OfficeActivity\\n | where TimeGenerated between (ago(starttime) .. ago(endtime))\\n | where RecordType =~ szSharePointFileOperation\\n | where Operation in~ (szOperations)\\n | where isnotempty(UserAgent);\\n// Identify frequently occurring user agents\\nlet FrequentUA = Baseevents\\n | summarize FUACount = count() by UserAgent, RecordType, Operation\\n | where FUACount \u003e= threshold\\n | distinct UserAgent;\\n// Calculate a user baseline for further analysis\\nlet UserBaseLine = Baseevents\\n | summarize Count = count() by UserId, Operation, Site_Url\\n | summarize AvgCount = avg(Count) by UserId, Operation, Site_Url;\\n// Extract recent activity for analysis\\nlet RecentActivity = OfficeActivity\\n | where TimeGenerated \u003e ago(endtime)\\n | where RecordType =~ szSharePointFileOperation\\n | where Operation in~ (szOperations)\\n | where isnotempty(UserAgent)\\n | where UserAgent in~ (FrequentUA)\\n | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), OfficeObjectIdCount = dcount(OfficeObjectId), OfficeObjectIdList = make_set(OfficeObjectId), UserAgentSeenCount = count() \\n by RecordType, Operation, UserAgent, UserType, UserId, ClientIP, OfficeWorkload, Site_Url;\\n// Analyze user behavior based on baseline and recent activity\\nlet UserBehaviorAnalysis = UserBaseLine\\n | join kind=inner (RecentActivity) on UserId, Operation, Site_Url\\n | extend Deviation = abs(UserAgentSeenCount - AvgCount) / AvgCount;\\n// Filter and format results for specific user behavior analysis\\nUserBehaviorAnalysis\\n | where Deviation \u003e 25\\n | extend UserIdName = tostring(split(UserId, \u0027@\u0027)[0]), UserIdUPNSuffix = tostring(split(UserId, \u0027@\u0027)[1])\\n | project-reorder StartTime, EndTime, UserAgent, UserAgentSeenCount, UserId, ClientIP, Site_Url\\n | project-away Site_Url1, UserId1, Operation1\\n | order by UserAgentSeenCount desc, UserAgent asc, UserId asc, Site_Url asc\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserId\"},{\"identifier\":\"Name\",\"columnName\":\"UserIdName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UserIdUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Site_Url\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"SharePointFileOperation via devices with previously unseen user agents\",\"description\":\"Identifies anomalies if the number of documents uploaded or downloaded from device(s) associated with a previously unseen user agent exceeds a threshold (default is 5) and deviation (default is 25).\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-23T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0101e08d-99cd-4a97-a9e0-27649c4369ad\",\"name\":\"0101e08d-99cd-4a97-a9e0-27649c4369ad\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P2D\",\"queryPeriod\":\"P2D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"// In User \u0026 Groups and in Applications, the following \\\"AccessType\\\" values in columns PremodifiedOutboundSettings and ModifiedOutboundSettings are interpreted accordingly\\n// When Access Type in premodified outbound settings value was 1 that means that the initial access was allowed. When Access Type in premodified outbound settings value was 2 that means that the initial access was blocked.\\n// When Access Type in modified outbound settings value is 1 that means that now access is allowed. When Access Type in modified outbound settings value is 2 that means that now access is blocked.\\nAuditLogs\\n| where OperationName has \\\"Update a partner cross-tenant access setting\\\"\\n| mv-apply TargetResource = TargetResources on\\n (\\n where TargetResource.type =~ \\\"Policy\\\"\\n | extend Properties = TargetResource.modifiedProperties\\n )\\n| mv-apply Property = Properties on\\n (\\n where Property.displayName =~ \\\"b2bDirectConnectOutbound\\\"\\n | extend PremodifiedOutboundSettings = trim(\u0027\\\"\u0027,tostring(Property.oldValue)),\\n ModifiedOutboundSettings = trim(@\u0027\\\"\u0027,tostring(Property.newValue))\\n )\\n| where PremodifiedOutboundSettings != ModifiedOutboundSettings\\n| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n| extend InitiatingIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\\n| extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"InitiatingAppName\"},{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAppServicePrincipalId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatingAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatingAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIpAddress\"}]}],\"tactics\":[\"InitialAccess\",\"Persistence\",\"Discovery\"],\"displayName\":\"Cross-tenant Access Settings Organization Outbound Direct Settings Changed\",\"description\":\"Organizations are added in the Cross-tenant Access Settings to control communication inbound or outbound for users and applications. This detection notifies when Organization Outbound Direct Settings are changed for \\\"Users \u0026 Groups\\\" and for \\\"Applications\\\".\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-10-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8955c0fb-3408-47b0-a3b9-a1faec41e427\",\"name\":\"8955c0fb-3408-47b0-a3b9-a1faec41e427\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"let scriptExtensions = dynamic([\\\".php\\\", \\\".jsp\\\", \\\".js\\\", \\\".aspx\\\", \\\".asmx\\\", \\\".asax\\\", \\\".cfm\\\", \\\".shtml\\\"]);\\nhttp_proxy_oab_CL\\n| where RawData contains \\\"Download failed and temporary file\\\"\\n| extend File = extract(\\\"([^\\\\\\\\\\\\\\\\]*)(\\\\\\\\\\\\\\\\[^\u0027]*)\\\",2,RawData)\\n| extend Extension = strcat(\\\".\\\",split(File, \\\".\\\")[-1])\\n| extend InteractiveFile = iif(Extension in (scriptExtensions), \\\"Yes\\\", \\\"No\\\")\\n// Uncomment the following line to alert only on interactive file download type\\n//| where InteractiveFile =~ \\\"Yes\\\"\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Exchange Server Suspicious File Downloads.\",\"description\":\"This query looks for messages related to file downloads of suspicious file types on an Exchange Server. This could indicate attempted deployment of webshells. \\nThis query uses the Exchange HttpProxy AOBGeneratorLog, you will need to onboard this log as a custom log under the table http_proxy_oab_CL before using this query. \\nThis log is commonly found at C:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\V15\\\\Logging\\\\OABGeneratorLog on the Exchange server. Details on collecting custom logs into Sentinel\\ncan be found here: https://learn.microsoft.com/azure/sentinel/connect-custom-logs\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-02T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/85aca4d1-5d15-4001-abd9-acb86ca1786a\",\"name\":\"85aca4d1-5d15-4001-abd9-acb86ca1786a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.4.3\",\"severity\":\"Medium\",\"query\":\"// Define the lookback periods for time-based filters\\nlet dt_lookBack = 1h; // Look back 1 hour for DNS events\\nlet ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators\\n// Fetch threat intelligence indicators related to domains\\nlet Domain_Indicators = ThreatIntelligenceIndicator\\n // Filter out indicators without domain names\\n | where isnotempty(DomainName)\\n | where TimeGenerated \u003e= ago(ioc_lookBack)\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n | where Active == true and ExpirationDateTime \u003e now()\\n | extend TI_DomainEntity = DomainName;\\n// Create a list of TLDs in our threat feed for later validation\\nlet maxListSize = 100000; // Define the maximum allowed size for each list\\nlet list_tlds = Domain_Indicators\\n | extend parts = split(DomainName, \u0027.\u0027)\\n | extend tld = parts[(array_length(parts)-1)]\\n | summarize count() by tostring(tld)\\n | project tld\\n | summarize make_list(tld, maxListSize);\\n// Perform a join between domain indicators and DNS events to identify potential malicious activity\\nDomain_Indicators\\n // Use innerunique to keep performance fast and result set low, as we only need one match to indicate potential malicious activity that needs investigation\\n | join kind=innerunique (\\n DnsEvents\\n | where TimeGenerated \u003e ago(dt_lookBack)\\n // Extract domain patterns from syslog message\\n | where isnotempty(Name)\\n | extend parts = split(Name, \u0027.\u0027)\\n | extend tld = parts[(array_length(parts)-1)]\\n // Validate parsed domain by checking if the TLD is in the list of TLDs in our threat feed\\n | where tld in~ (list_tlds)\\n | extend DNS_TimeGenerated = TimeGenerated\\n ) on $left.TI_DomainEntity==$right.Name\\n // Filter out DNS events that occurred after the expiration of the corresponding indicator\\n | where DNS_TimeGenerated \u003c ExpirationDateTime\\n // Group the results by IndicatorId and Name, and keep the DNS event with the latest timestamp\\n | summarize DNS_TimeGenerated = arg_max(DNS_TimeGenerated, *) by IndicatorId, Name\\n // Select the desired output fields\\n | project DNS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, Computer, ClientIP, Name, QueryType, Type, TI_DomainEntity\\n // Extract hostname and DNS domain from the Computer field\\n | extend HostName = tostring(split(Computer, \u0027.\u0027, 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Computer, \u0027.\u0027), 1, -1), \u0027.\u0027))\\n // Rename the timestamp field\\n | extend timestamp = DNS_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"TI map Domain entity to DnsEvents\",\"description\":\"Identifies a match in DnsEvents from any Domain IOC from TI\",\"lastUpdatedDateUTC\":\"2024-07-09T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a1080fc1-13d1-479b-8340-255f0290d96c\",\"name\":\"a1080fc1-13d1-479b-8340-255f0290d96c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n | where Category =~ \\\"ApplicationManagement\\\"\\n | where Result =~ \\\"success\\\"\\n | where OperationName =~ \u0027Update Application\u0027\\n | where TargetResources has \\\"AppAddress\\\"\\n | mv-expand TargetResources\\n | mv-expand TargetResources.modifiedProperties\\n | where TargetResources_modifiedProperties.displayName =~ \\\"AppAddress\\\"\\n | extend Key = tostring(TargetResources_modifiedProperties.displayName)\\n | extend NewValue = TargetResources_modifiedProperties.newValue\\n | extend OldValue = TargetResources_modifiedProperties.oldValue\\n | where isnotempty(Key) and isnotempty(NewValue)\\n | project-reorder Key, NewValue, OldValue\\n | extend NewUrls = extract_all(\u0027\\\"Address\\\":([^,]*)\u0027, tostring(NewValue))\\n | extend OldUrls = extract_all(\u0027\\\"Address\\\":([^,]*)\u0027, tostring(OldValue))\\n | extend AddedUrls = set_difference(NewUrls, OldUrls)\\n | where array_length(AddedUrls) \u003e 0\\n | extend UserAgent = iif(tostring(AdditionalDetails[0].key) == \\\"User-Agent\\\", tostring(AdditionalDetails[0].value), \\\"\\\")\\n | extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n | extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n | extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n | extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n | extend InitiatingIPAddress = tostring(InitiatedBy.user.ipAddress)\\n | extend AddedBy = iif(isnotempty(InitiatingUserPrincipalName), InitiatingUserPrincipalName, InitiatingAppName)\\n | extend TargetAppName = tostring(TargetResources.displayName)\\n | extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[1])\\n | project-reorder TimeGenerated, TargetAppName, InitiatingAppName, InitiatingAppServicePrincipalId, InitiatingUserPrincipalName, InitiatingAadUserId, InitiatingIPAddress, AddedUrls, AddedBy, UserAgent\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"AddedUrls\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatingAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatingAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAppServicePrincipalId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIPAddress\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Application Redirect URL Update\",\"description\":\"Detects the redirect URL of an app being changed.\\n Applications associated with URLs not controlled by the organization can pose a security risk.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-applications#application-configuration-changes\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a7427ed7-04b4-4e3b-b323-08b981b9b4bf\",\"name\":\"a7427ed7-04b4-4e3b-b323-08b981b9b4bf\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.4.6\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where isnotempty(FileHashValue)\\n| where TimeGenerated \u003e= ago(ioc_lookBack)\\n| extend FileHashValue = toupper(FileHashValue)\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true and ExpirationDateTime \u003e now()\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique ( union isfuzzy=true\\n (SecurityEvent | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where EventID in (\\\"8003\\\",\\\"8002\\\",\\\"8005\\\")\\n | where isnotempty(FileHash)\\n | extend SecurityEvent_TimeGenerated = TimeGenerated, Event = EventID, FileHash = toupper(FileHash)\\n ),\\n (WindowsEvent | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where EventID in (\\\"8003\\\",\\\"8002\\\",\\\"8005\\\")\\n | where isnotempty(EventData.FileHash)\\n | extend SecurityEvent_TimeGenerated = TimeGenerated, Event = EventID, FileHash = toupper(EventData.FileHash)\\n )\\n)\\non $left.FileHashValue == $right.FileHash\\n| where SecurityEvent_TimeGenerated \u003c ExpirationDateTime\\n| summarize SecurityEvent_TimeGenerated = arg_max(SecurityEvent_TimeGenerated, *) by IndicatorId, FileHash\\n| project SecurityEvent_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nProcess, FileHash, Computer, Account, Event, FileHashValue, FileHashType\\n| extend NTDomain = tostring(split(Account, \u0027\\\\\\\\\u0027, 0)[0]), Name = tostring(split(Account, \u0027\\\\\\\\\u0027, 1)[0])\\n| extend HostName = tostring(split(Computer, \u0027.\u0027, 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Computer, \u0027.\u0027), 1, -1), \u0027.\u0027)) \\n| extend timestamp = SecurityEvent_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"NTDomain\",\"columnName\":\"NTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Value\",\"columnName\":\"FileHashValue\"},{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashType\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"TI map File Hash to Security Event\",\"description\":\"Identifies a match in Security Event data from any File Hash IOC from TI\",\"lastUpdatedDateUTC\":\"2024-07-09T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a4ce20ae-a2e4-4d50-b40d-d49f1353b6cc\",\"name\":\"a4ce20ae-a2e4-4d50-b40d-d49f1353b6cc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"// Extracts plaintext IPv4 addresses\\nlet ipv4_plaintext_extraction_regex = @\\\"((?:(?:[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])(?:\\\\.)){3}(?:[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]){1,3})\\\";\\n// Identified base64 encoded IPv4 addresses\\nlet ipv4_encoded_identification_regex = @\\\"\\\\=([a-zA-Z0-9\\\\/\\\\+]*(?:(?:MC|Au|wL|MS|Eu|xL|Mi|Iu|yL|My|Mu|zL|NC|Qu|0L|NS|Uu|1L|Ni|Yu|2L|Ny|cu|3L|OC|gu|4L|OS|ku|5L){1}[a-zA-Z0-9\\\\/\\\\+]{2,4}){3}[a-zA-Z0-9\\\\/\\\\+\\\\=]*)\\\";\\n// Extractes IPv4 addresses as hex values\\nlet ipv4_decoded_hex_extract = @\\\"((?:(?:61|62|63|64|65|66|67|68|69|6a|6b|6c|6d|6e|6f|70|71|72|73|74|75|76|77|78|79|7a|41|42|43|44|45|46|47|48|49|4a|4b|4c|4d|4e|4f|50|51|52|53|54|55|56|57|58|59|5a|2f|2b|3d),){7,15})\\\";\\nCommonSecurityLog\\n| where isnotempty(RequestURL)\\n// Identify requests with encoded IPv4 addresses\\n| where RequestURL matches regex ipv4_encoded_identification_regex\\n| project TimeGenerated, RequestURL\\n// Extract IP candidates in their base64 encoded format, significantly reducing the dataset\\n| extend extracted_encoded_ip_candidate = extract_all(ipv4_encoded_identification_regex, RequestURL)\\n// We could have more than one candidate, expand them out\\n| mv-expand extracted_encoded_ip_candidate to typeof(string)\\n| summarize Start=min(TimeGenerated), End=max(TimeGenerated), make_set(RequestURL) by extracted_encoded_ip_candidate\\n// Pad if we need to\\n| extend extracted_encoded_ip_candidate = iff(strlen(extracted_encoded_ip_candidate) % 2 == 0, extracted_encoded_ip_candidate, strcat(extracted_encoded_ip_candidate, \\\"=\\\"))\\n// Now decode the candidate to a long array, we cannot go straight to string as it cannot handle non-UTF8, we need to strip that first\\n| extend extracted_encoded_ip_candidate = tostring(base64_decode_toarray(extracted_encoded_ip_candidate))\\n// Extract the IP candidates from the array\\n| extend hex_extracted = extract_all(ipv4_decoded_hex_extract, extracted_encoded_ip_candidate)\\n// Expand, it\u0027s still possible that we might have more than 1 IP\\n| mv-expand hex_extracted\\n// Now we should have a clean string. We need to put it back into a dynamic array to convert back to a string.\\n| extend hex_extracted = trim_end(\\\",\\\", tostring(hex_extracted))\\n| extend hex_extracted = strcat(\\\"[\\\",hex_extracted,\\\"]\\\")\\n| extend hex_extracted = todynamic(hex_extracted)\\n| extend extracted_encoded_ip_candidate = todynamic(extracted_encoded_ip_candidate)\\n// Convert the array back into a string\\n| extend decoded_ip_candidate = make_string(hex_extracted)\\n| summarize by decoded_ip_candidate, tostring(set_RequestURL), Start, End\\n// Now the IP candidates will be in plaintext, extract the IPs using a regex\\n| extend ipmatch = extract_all(ipv4_plaintext_extraction_regex, decoded_ip_candidate)\\n// If it\u0027s not an IP, throw it out\\n| where isnotnull(ipmatch)\\n| mv-expand ipmatch to typeof(string)\\n// Join with DeviceNetworkEvents to find instances where an IP of a machine in our MDE estate sent it\u0027s IP in a base64 encoded string\\n| join (\\n DeviceNetworkEvents\\n | summarize make_set(DeviceId), make_set(DeviceName) by RemoteIP\\n) on $left.ipmatch == $right.RemoteIP\\n| project Start, End, IPmatch=ipmatch, RequestURL=set_RequestURL, DeviceNames=set_DeviceName, DeviceIds=set_DeviceId, RemoteIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPmatch\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"DeviceNames\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"RequestURL\"}]}],\"tactics\":[\"Exfiltration\",\"CommandAndControl\"],\"displayName\":\"IP address of Windows host encoded in web request\",\"description\":\"This detection will identify network requests in HTTP proxy data that contains Base64 encoded IP addresses. After identifying candidates the query joins with DeviceNetworkEvents to idnetify any machine within the network using that IP address. Alerts indicate that the IP address of a machine within your network was seen with it\u0027s IP address base64 encoded in an outbound web request. This method of egressing the IP was seen used in POLONIUM\u0027s RunningRAT tool, however the detection is generic.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-05-31T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1bf6e165-5e32-420e-ab4f-0da8558a8be2\",\"name\":\"1bf6e165-5e32-420e-ab4f-0da8558a8be2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"// How far back to look for events from\\nlet timeframe = 1d;\\n// How close together build events and file modifications should occur to alert (make this smaller to reduce FPs)\\nlet time_window = 5m;\\n// Edit this to include build processes used\\nlet build_processes = dynamic([\\\"MSBuild.exe\\\", \\\"dotnet.exe\\\", \\\"VBCSCompiler.exe\\\"]);\\n// Include any processes that you want to allow to edit files during/around the build process\\nlet allow_list = dynamic([]);\\nDeviceProcessEvents\\n| where TimeGenerated \u003e ago(timeframe)\\n// Look for build process starts\\n| where FileName has_any (build_processes)\\n| summarize by BuildParentProcess=InitiatingProcessFileName, BuildProcess=FileName, BuildAccount = AccountName, DeviceName, BuildCommand=ProcessCommandLine, \\ntimekey= bin(TimeGenerated, time_window), BuildProcessTime=TimeGenerated\\n| join kind=inner(\\nDeviceFileEvents\\n| where TimeGenerated \u003e ago(timeframe)\\n| where InitiatingProcessFileName !in (allow_list)\\n| where ActionType == \\\"FileCreated\\\" or ActionType == \\\"FileModified\\\"\\n// Look for code files, edit this to include file extensions used in build.\\n| where FileName endswith \\\".cs\\\" or FileName endswith \\\".cpp\\\"\\n| summarize by FileEditParentProcess=InitiatingProcessParentFileName, FileEditAccount = InitiatingProcessAccountName, FileEditDomain = InitiatingProcessAccountDomain, FileEditUpn = InitiatingProcessAccountUpn, \\nDeviceName, FileEdited=FileName, FileEditProcess=InitiatingProcessFileName, timekey= bin(TimeGenerated, time_window), FileEditTime=TimeGenerated)\\n// join where build processes and file modifications seen at same time on same host\\non timekey, DeviceName\\n// Limit to only where the file edit happens after the build process starts\\n| where BuildProcessTime \u003c= FileEditTime\\n| summarize make_set(FileEdited), make_set(FileEditProcess) by timekey, DeviceName, BuildParentProcess, BuildProcess, FileEditAccount, FileEditDomain, FileEditUpn\\n| extend HostName = tostring(split(DeviceName, \\\".\\\")[0]), DomainIndex = toint(indexof(DeviceName, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(DeviceName, DomainIndex + 1), DeviceName)\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"FileEditUpn\"},{\"identifier\":\"Name\",\"columnName\":\"FileEditAccount\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"FileEditDomain\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Potential Build Process Compromise - MDE\",\"description\":\"The query looks for source code files being modified immediately after a build process is started. The purpose of this is to look for malicious code injection during the build process. This query uses Microsoft Defender for Endpoint telemetry.\\nMore details: https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-the-software-supply-chain-with-azure-sentinel/ba-p/2176463\",\"lastUpdatedDateUTC\":\"2024-04-04T00:00:00Z\",\"createdDateUTC\":\"2022-04-12T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\",\"DeviceFileEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2560515c-07d1-434e-87fb-ebe3af267760\",\"name\":\"2560515c-07d1-434e-87fb-ebe3af267760\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where ActivityDisplayName has_any (\\\"Add delegated permission grant\\\",\\\"Add app role assignment to service principal\\\") \\n| where Result =~ \\\"success\\\"\\n| where tostring(InitiatedBy.user.userPrincipalName) has \\\"@\\\" or tostring(InitiatedBy.app.displayName) has \\\"@\\\"\\n| mv-apply TargetResource = TargetResources on \\n (\\n where TargetResource.type =~ \\\"ServicePrincipal\\\" and array_length(TargetResource.modifiedProperties) \u003e 0 and isnotnull(TargetResource.displayName)\\n | extend props = TargetResource.modifiedProperties,\\n Type = tostring(TargetResource.type),\\n PermissionsAddedTo = tostring(TargetResource.displayName)\\n )\\n| mv-apply Property = props on \\n (\\n where Property.displayName =~ \\\"DelegatedPermissionGrant.Scope\\\"\\n | extend DisplayName = tostring(Property.displayName), Permissions = trim(\u0027\\\"\u0027,tostring(Property.newValue))\\n )\\n| where Permissions has_any (\\\"Mail.Read\\\", \\\"Mail.ReadWrite\\\")\\n| mv-apply AdditionalDetail = AdditionalDetails on \\n (\\n where AdditionalDetail.key =~ \\\"User-Agent\\\"\\n | extend InitiatingUserAgent = tostring(AdditionalDetail.value)\\n )\\n| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n| extend InitiatingIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\\n| project-away props, TargetResource, AdditionalDetail, Property\\n| join kind=leftouter(\\n AuditLogs\\n | where ActivityDisplayName has \\\"Consent to application\\\"\\n | mv-apply TargetResource = TargetResources on \\n (\\n where TargetResource.type =~ \\\"ServicePrincipal\\\"\\n | extend AppName = tostring(TargetResource.displayName),\\n AppId = tostring(TargetResource.id)\\n )\\n| project AppName, AppId, CorrelationId) on CorrelationId\\n| project-away CorrelationId1\\n| project-reorder TimeGenerated, OperationName, InitiatingUserPrincipalName, InitiatingAadUserId, InitiatingAppName, InitiatingAppServicePrincipalId, InitiatingIpAddress, InitiatingUserAgent, PermissionsAddedTo, Permissions, AppName, AppId, CorrelationId\\n| extend Name = tostring(split(InitiatingUserPrincipalName,\u0027@\u0027,0)[0]), UPNSuffix = tostring(split(InitiatingUserPrincipalName,\u0027@\u0027,1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAppServicePrincipalId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIpAddress\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Mail.Read Permissions Granted to Application\",\"description\":\"This query look for applications that have been granted (Delegated or App/Role) permissions to Read Mail (Permissions field has Mail.Read) and subsequently has been consented to. This can help identify applications that have been abused to gain access to mailboxes.\",\"lastUpdatedDateUTC\":\"2024-01-06T00:00:00Z\",\"createdDateUTC\":\"2020-12-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4d94d4a9-dc96-410a-8dea-4d4d4584188b\",\"name\":\"4d94d4a9-dc96-410a-8dea-4d4d4584188b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.6\",\"severity\":\"Medium\",\"query\":\"let OperationList = dynamic([\\\"Add member to role\\\",\\\"Add member to role in PIM requested (permanent)\\\"]);\\nlet PrivilegedGroups = dynamic([\\\"UserAccountAdmins\\\",\\\"PrivilegedRoleAdmins\\\",\\\"TenantAdmins\\\"]);\\nAuditLogs\\n//| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"RoleManagement\\\"\\n| where OperationName in~ (OperationList)\\n| mv-apply TargetResource = TargetResources on \\n (\\n where TargetResource.type =~ \\\"User\\\"\\n | extend TargetUserPrincipalName = tostring(TargetResource.userPrincipalName),\\n modProps = TargetResource.modifiedProperties\\n )\\n| mv-apply Property = modProps on \\n (\\n where Property.displayName =~ \\\"Role.WellKnownObjectName\\\"\\n | extend DisplayName = trim(\u0027\\\"\u0027,tostring(Property.displayName)),\\n GroupName = trim(\u0027\\\"\u0027,tostring(Property.newValue))\\n )\\n| extend InitiatingAppId = InitiatedBy.app.appId\\n| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n| extend InitiatingAppServicePrincipalName = tostring(InitiatedBy.app.servicePrincipalName)\\n| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n| extend InitiatingIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\\n| extend InitiatingUserRoles = InitiatedBy.user.roles\\n| where GroupName in~ (PrivilegedGroups)\\n// If you don\u0027t want to alert for operations from PIM, remove below filtering for MS-PIM.\\n//| where InitiatingAppName != \\\"MS-PIM\\\"\\n| project TimeGenerated, AADOperationType, Category, OperationName, AADTenantId, InitiatingUserPrincipalName, InitiatingAadUserId, InitiatingAppId, InitiatingAppName, InitiatingAppServicePrincipalName, InitiatingAppServicePrincipalId, InitiatingIpAddress, DisplayName, GroupName, InitiatingUserRoles, TargetUserPrincipalName\\n| extend AccountName = tostring(split(InitiatingUserPrincipalName,\u0027@\u0027,0)[0]), AccountUPNSuffix = tostring(split(InitiatingUserPrincipalName,\u0027@\u0027,1)[0])\\n| extend TargetName = tostring(split(TargetUserPrincipalName,\u0027@\u0027,0)[0]), TargetUPNSuffix = tostring(split(TargetUserPrincipalName,\u0027@\u0027,1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"TargetName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"TargetUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAppServicePrincipalId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIpAddress\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"User added to Microsoft Entra ID Privileged Groups\",\"description\":\"This will alert when a user is added to any of the Privileged Groups.\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\\nFor Administrator role permissions in Microsoft Entra ID please see https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles\",\"lastUpdatedDateUTC\":\"2024-01-09T00:00:00Z\",\"createdDateUTC\":\"2020-07-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a779e2d5-9109-4f0a-a75e-f3d4f3c58560\",\"name\":\"a779e2d5-9109-4f0a-a75e-f3d4f3c58560\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"High\",\"query\":\"let sha256Hashes = dynamic([\\\"78c255a98003a101fa5ba3f49c50c6922b52ede601edac5db036ab72efc57629\\\", \\\"0588f61dc7e4b24554cffe4ea56d043d8f6139d2569bc180d4a77cf75b68792f\\\", \\\"441a3810b9e89bae12eea285a63f92e98181e9fb9efd6c57ef6d265435484964\\\", \\\"cbae79f66f724e0fe1705d6b5db3cc8a4e89f6bdf4c37004aa1d45eeab26e84b\\\", \\\"fd6515a71530b8329e2c0104d0866c5c6f87546d4b44cc17bbb03e64663b11fc\\\", \\\"5d169e083faa73f2920c8593fb95f599dad93d34a6aa2b0f794be978e44c8206\\\", \\\"7f29b69eb1af1cc6c1998bad980640bfe779525fd5bb775bc36a0ce3789a8bfc\\\", \\\"02a59fe2c94151a08d75a692b550e66a8738eb47f0001234c600b562bf8c227d\\\", \\\"7f84bf6a016ca15e654fb5ebc36fd7407cb32c69a0335a32bfc36cb91e36184d\\\", \\\"afab2e77dc14831f1719e746042063a8ec107de0e9730249d5681d07f598e5ec\\\", \\\"894138dfeee756e366c65a197b4dbef8816406bc32697fac6621601debe17d53\\\", \\\"4611340fdade4e36f074f75294194b64dcf2ec0db00f3d958956b4b0d6586431\\\", \\\"c96ae21b4cf2e28eec222cfe6ca903c4767a068630a73eca58424f9a975c6b7d\\\", \\\"fa30be45c5c5a8f679b42ae85410f6099f66fe2b38eb7aa460bcc022babb41ca\\\", \\\"e64bea4032cf2694e85ede1745811e7585d3580821a00ae1b9123bb3d2d442d6\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, SourceUserID, FileHash, Type\\n| extend timestamp = TimeGenerated, FileHashCustomEntity = \u0027SHA256\u0027, Account = SourceUserID\\n),\\n(imFileEvent\\n| where TargetFileSHA256 has_any (sha256Hashes)\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(Event\\n| where Source =~ \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Image = EventDetail.[4].[\\\"#text\\\"], CommandLine = EventDetail.[10].[\\\"#text\\\"], Hashes = tostring(EventDetail.[17].[\\\"#text\\\"])\\n| extend Hashes = extract_all(@\\\"(?P\u003ckey\u003e\\\\w+)=(?P\u003cvalue\u003e[a-zA-Z0-9]+)\\\", dynamic([\\\"key\\\",\\\"value\\\"]), Hashes)\\n| extend Hashes = column_ifexists(\\\"Hashes\\\", \\\"\\\"), CommandLine = column_ifexists(\\\"CommandLine\\\", \\\"\\\")\\n| extend Hashes = todynamic(Hashes) | mv-expand Hashes\\n| where (Hashes[0] =~ \\\"SHA256\\\" and Hashes[1] has_any (sha256Hashes)) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, Hashes, CommandLine, Image\\n| extend Type = strcat(Type, \\\": \\\", Source)\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), FileHashCustomEntity = tostring(Hashes[1])\\n),\\n(DeviceEvents\\n| where InitiatingProcessSHA256 has_any (sha256Hashes) or SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n),\\n(DeviceFileEvents\\n| where SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n),\\n(DeviceImageLoadEvents\\n| where SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"FileHashCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"[Deprecated] - Denim Tsunami File Hashes July 2022\",\"description\":\"This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft\u0027s Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2022-07-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceEvents\",\"DeviceFileEvents\",\"DeviceImageLoadEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7b907bf7-77d4-41d0-a208-5643ff75bf9a\",\"name\":\"7b907bf7-77d4-41d0-a208-5643ff75bf9a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.4\",\"severity\":\"Medium\",\"query\":\"let Keywords = dynamic([\\\"helpdesk\\\", \\\" alert\\\", \\\" suspicious\\\", \\\"fake\\\", \\\"malicious\\\", \\\"phishing\\\", \\\"spam\\\", \\\"do not click\\\", \\\"do not open\\\", \\\"hijacked\\\", \\\"Fatal\\\"]);\\nOfficeActivity\\n| where OfficeWorkload =~ \\\"Exchange\\\" \\n| where Operation =~ \\\"New-InboxRule\\\" and (ResultStatus =~ \\\"True\\\" or ResultStatus =~ \\\"Succeeded\\\")\\n| where Parameters has \\\"Deleted Items\\\" or Parameters has \\\"Junk Email\\\" or Parameters has \\\"DeleteMessage\\\"\\n| extend Events=todynamic(Parameters)\\n| parse Events with * \\\"SubjectContainsWords\\\" SubjectContainsWords \u0027}\u0027*\\n| parse Events with * \\\"BodyContainsWords\\\" BodyContainsWords \u0027}\u0027*\\n| parse Events with * \\\"SubjectOrBodyContainsWords\\\" SubjectOrBodyContainsWords \u0027}\u0027*\\n| where SubjectContainsWords has_any (Keywords)\\n or BodyContainsWords has_any (Keywords)\\n or SubjectOrBodyContainsWords has_any (Keywords)\\n| extend ClientIPAddress = case( ClientIP has \\\".\\\", tostring(split(ClientIP,\\\":\\\")[0]), ClientIP has \\\"[\\\", tostring(trim_start(@\u0027[[]\u0027,tostring(split(ClientIP,\\\"]\\\")[0]))), ClientIP )\\n| extend Keyword = iff(isnotempty(SubjectContainsWords), SubjectContainsWords, (iff(isnotempty(BodyContainsWords),BodyContainsWords,SubjectOrBodyContainsWords )))\\n| extend RuleDetail = case(OfficeObjectId contains \u0027/\u0027 , tostring(split(OfficeObjectId, \u0027/\u0027)[-1]) , tostring(split(OfficeObjectId, \u0027\\\\\\\\\u0027)[-1]))\\n| summarize count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by Operation, UserId, ClientIPAddress, ResultStatus, Keyword, OriginatingServer, OfficeObjectId, RuleDetail\\n| extend AccountName = tostring(split(UserId, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(UserId, \\\"@\\\")[1])\\n| extend OriginatingServerName = tostring(split(OriginatingServer, \\\" \\\")[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserId\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"OriginatingServerName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIPAddress\"}]}],\"tactics\":[\"Persistence\",\"DefenseEvasion\"],\"displayName\":\"Malicious Inbox Rule\",\"description\":\"Often times after the initial compromise the attackers create inbox rules to delete emails that contain certain keywords.\\n This is done so as to limit ability to warn compromised users that they\u0027ve been compromised. Below is a sample query that tries to detect this.\\nReference: https://www.reddit.com/r/sysadmin/comments/7kyp0a/recent_phishing_attempts_my_experience_and_what/\",\"lastUpdatedDateUTC\":\"2024-03-13T00:00:00Z\",\"createdDateUTC\":\"2020-03-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity (Exchange)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bf07ca9c-e408-443a-8939-6860a45a929e\",\"name\":\"bf07ca9c-e408-443a-8939-6860a45a929e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Low\",\"query\":\"let allowed_publishers = dynamic([]);\\nAzureDevOpsAuditing\\n| where OperationName =~ \\\"Extension.Installed\\\"\\n| extend ExtensionName = tostring(Data.ExtensionName)\\n| extend PublisherName = tostring(Data.PublisherName)\\n| where PublisherName !in (allowed_publishers)\\n| project-reorder TimeGenerated, OperationName, ExtensionName, PublisherName, ActorUPN, IpAddress, UserAgent, ScopeDisplayName, Data\\n| extend timestamp = TimeGenerated\\n| extend AccountName = tostring(split(ActorUPN, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(ActorUPN, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ActorUPN\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Azure DevOps New Extension Added\",\"description\":\"Extensions add additional features to Azure DevOps. An attacker could use a malicious extension to conduct malicious activity. \\nThis query looks for new extensions that are not from a configurable list of approved publishers.\",\"lastUpdatedDateUTC\":\"2024-03-13T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/80da0a8f-cfe1-4cd0-a895-8bc1771a720e\",\"name\":\"80da0a8f-cfe1-4cd0-a895-8bc1771a720e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.5\",\"severity\":\"Medium\",\"query\":\"(union isfuzzy=true\\n(\\nSecurityEvent\\n| where EventID == 1102 and EventSourceName =~ \\\"Microsoft-Windows-Eventlog\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), EventCount = count() by Computer, Account, EventID, Activity\\n),\\n(\\nWindowsEvent\\n| where EventID == 1102 and Provider =~ \\\"Microsoft-Windows-Eventlog\\\"\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend Activity= \\\"1102 - The audit log was cleared.\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), EventCount = count() by Computer, Account, EventID, Activity\\n)\\n)\\n| extend Name=tostring(split(Account, \\\"@\\\")[0]), UPNSuffix=tostring(split(Account, \\\"@\\\")[1])\\n| extend HostName = iif(Computer has \u0027.\u0027,substring(Computer,0,indexof(Computer,\u0027.\u0027)),Computer) , DnsDomain = iif(Computer has \u0027.\u0027,substring(Computer,indexof(Computer,\u0027.\u0027)+1),\u0027\u0027)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Security Event log cleared\",\"description\":\"Checks for event id 1102 which indicates the security event log was cleared.\\nIt uses Event Source Name \\\"Microsoft-Windows-Eventlog\\\" to avoid generating false positives from other sources, like AD FS servers for instance.\",\"lastUpdatedDateUTC\":\"2024-03-13T00:00:00Z\",\"createdDateUTC\":\"2019-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d23ed927-5be3-4902-a9c1-85f841eb4fa1\",\"name\":\"d23ed927-5be3-4902-a9c1-85f841eb4fa1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.6\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n| where TimeGenerated \u003e= ago(ioc_lookBack)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true and ExpirationDateTime \u003e now()\\n| join (\\n DuoSecurityAuthentication_CL\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(access_device_ip_s)\\n // renaming time column so it is clear the log this came from\\n | extend Duo_TimeGenerated = isotimestamp_t\\n)\\non $left.TI_ipEntity == $right.access_device_ip_s\\n| where TimeGenerated \u003e= ago(ioc_lookBack)\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true and ExpirationDateTime \u003e now()\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, Duo_TimeGenerated,\\nTI_ipEntity, user_name_s, factor_s, result_s, application_name_s, event_type_s, txid_g, user_key_s, access_device_ip_s, access_device_location_city_s, access_device_location_state_s, access_device_location_country_s\\n| extend timestamp = Duo_TimeGenerated, Name = tostring(split(user_name_s, \u0027@\u0027, 0)[0]), UPNSuffix = tostring(split(user_name_s, \u0027@\u0027, 1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"user_name_s\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"access_device_ip_s\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"TI Map IP Entity to Duo Security\",\"description\":\"This query maps any IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in DuoSecurity.\",\"lastUpdatedDateUTC\":\"2024-07-09T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"CiscoDuoSecurity\",\"dataTypes\":[\"CiscoDuo\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/00cb180c-08a8-4e55-a276-63fb1442d5b5\",\"name\":\"00cb180c-08a8-4e55-a276-63fb1442d5b5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.5\",\"severity\":\"Medium\",\"query\":\"let cmdTokens0 = dynamic([\u0027vbscript\u0027,\u0027jscript\u0027]);\\nlet cmdTokens1 = dynamic([\u0027mshtml\u0027,\u0027RunHTMLApplication\u0027]);\\nlet cmdTokens2 = dynamic([\u0027Execute\u0027,\u0027CreateObject\u0027,\u0027RegRead\u0027,\u0027window.close\u0027]);\\n(union isfuzzy=true \\n(SecurityEvent\\n| where TimeGenerated \u003e= ago(14d)\\n| where EventID == 4688\\n| where CommandLine has @\u0027\\\\Microsoft\\\\Windows\\\\CurrentVersion\u0027\\n| where not(CommandLine has_any (@\u0027\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\u0027, @\u0027\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\u0027))\\n// If you are receiving false positives, then it may help to make the query more strict by uncommenting one or both of the lines below to refine the matches\\n//| where CommandLine has_any (cmdTokens0)\\n//| where CommandLine has_all (cmdTokens1)\\n| where CommandLine has_all (cmdTokens2)\\n| project TimeGenerated, Computer, Account, Process, NewProcessName, CommandLine, ParentProcessName, _ResourceId\\n),\\n(WindowsEvent\\n| where TimeGenerated \u003e= ago(14d)\\n| where EventID == 4688 and EventData has_all(cmdTokens2) and EventData has @\u0027\\\\Microsoft\\\\Windows\\\\CurrentVersion\u0027\\n| where not(EventData has_any (@\u0027\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\u0027, @\u0027\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\u0027))\\n| extend CommandLine = tostring(EventData.CommandLine)\\n| where CommandLine has @\u0027\\\\Microsoft\\\\Windows\\\\CurrentVersion\u0027\\n| where not(CommandLine has_any (@\u0027\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\u0027, @\u0027\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\u0027))\\n// If you are receiving false positives, then it may help to make the query more strict by uncommenting one or both of the lines below to refine the matches\\n//| where CommandLine has_any (cmdTokens0)\\n//| where CommandLine has_all (cmdTokens1)\\n| where CommandLine has_all (cmdTokens2)\\n| extend Account = strcat(EventData.SubjectDomainName,\\\"\\\\\\\\\\\", EventData.SubjectUserName)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| extend ParentProcessName = tostring(EventData.ParentProcessName) \\n| project TimeGenerated, Computer, Account, Process, NewProcessName, CommandLine, ParentProcessName, _ResourceId)\\n| extend Name = tostring(split(Account, \\\"\\\\\\\\\\\")[1]), NTDomain = tostring(split(Account, \\\"\\\\\\\\\\\")[0])\\n| extend DnsDomain = tostring(strcat_array(array_slice(split(Computer, \u0027.\u0027), 1, -1), \u0027.\u0027)), HostName = tostring(split(Computer, \u0027.\u0027, 0)[0]))\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"NTDomain\",\"columnName\":\"NTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"Midnight Blizzard - Script payload stored in Registry\",\"description\":\"This query identifies when a process execution command-line indicates that a registry value is written to allow for later execution a malicious script\\n References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2021-03-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/15ae38a2-2e29-48f7-883f-863fb25a5a06\",\"name\":\"15ae38a2-2e29-48f7-883f-863fb25a5a06\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P8D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"let starttime = 8d;\\nlet endtime = 1d;\\nlet threshold = 10;\\nDnsEvents\\n| where TimeGenerated \u003e ago(endtime)\\n| where Name has \\\"in-addr.arpa\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), dcount(Name), ReverseDNSLookup_List = make_set(Name,100) by ClientIP\\n| where dcount_Name \u003e threshold\\n| project StartTimeUtc, EndTimeUtc, ClientIP , dcount_Name, ReverseDNSLookup_List\\n// Filter out previously seen IPs\\n// Returns all the records from the left side that don\u0027t have matches from the right\\n| join kind=leftanti (DnsEvents\\n | where TimeGenerated between(ago(starttime)..ago(endtime))\\n | where Name has \\\"in-addr.arpa\\\"\\n | summarize dcount(Name) by ClientIP, bin(TimeGenerated, 1d)\\n | where dcount_Name \u003e threshold\\n | project ClientIP , dcount_Name\\n) on ClientIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]}],\"tactics\":[\"Discovery\"],\"displayName\":\"Rare client observed with high reverse DNS lookup count\",\"description\":\"Identifies clients with a high reverse DNS counts that could be carrying out reconnaissance or discovery activity.\\nAlerts are generated if the IP performing such reverse DNS lookups was not seen doing so in the preceding 7-day period.\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/46ac55ae-47b8-414a-8f94-89ccd1962178\",\"name\":\"46ac55ae-47b8-414a-8f94-89ccd1962178\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"Medium\",\"query\":\"let queryperiod = 1d;\\nlet mode = dynamic([\u0027Blocked\u0027, \u0027Detected\u0027]);\\nlet successCode = dynamic([\u0027200\u0027, \u0027101\u0027,\u0027204\u0027, \u0027400\u0027,\u0027504\u0027,\u0027304\u0027,\u0027401\u0027,\u0027500\u0027]);\\nlet sessionBin = 30m;\\nAzureDiagnostics\\n| where TimeGenerated \u003e ago(queryperiod)\\n| where ResourceProvider == \u0027MICROSOFT.NETWORK\u0027 and Category =~ \u0027ApplicationGatewayFirewallLog\u0027 and action_s in (mode)\\n| sort by hostname_s asc, clientIp_s asc, TimeGenerated asc\\n| extend SessionBlockedStarted = row_window_session(TimeGenerated, queryperiod, 10m, ((clientIp_s != prev(clientIp_s)) or (hostname_s != prev(hostname_s))))\\n| summarize SessionBlockedEnded = max(TimeGenerated), SessionBlockedCount = count() by hostname_s, clientIp_s, SessionBlockedStarted\\n| extend TimeKey = range(bin(SessionBlockedStarted, sessionBin), bin(SessionBlockedEnded, sessionBin), sessionBin)\\n| mv-expand TimeKey to typeof(datetime)\\n| join kind = inner(\\n AzureDiagnostics\\n | where TimeGenerated \u003e ago(queryperiod)\\n | where Category =~ \u0027ApplicationGatewayAccessLog\u0027 and (isempty(httpStatus_d) or httpStatus_d in (successCode))\\n | extend TimeKey = bin(TimeGenerated, sessionBin)\\n | extend hostname_s = coalesce(hostname_s,host_s), clientIp_s = coalesce(clientIp_s,clientIP_s)\\n) on TimeKey, hostname_s , clientIp_s\\n| where TimeGenerated between (SessionBlockedStarted..SessionBlockedEnded)\\n| extend\\n originalRequestUriWithArgs_s = column_ifexists(\\\"originalRequestUriWithArgs_s\\\", \\\"\\\"),\\n serverStatus_s = column_ifexists(\\\"serverStatus_s\\\", \\\"\\\")\\n| summarize\\n SuccessfulAccessCount = count(),\\n UserAgents = make_set(userAgent_s, 250),\\n RequestURIs = make_set(requestUri_s, 250),\\n OriginalRequestURIs = make_set(originalRequestUriWithArgs_s, 250),\\n SuccessCodes = make_set(httpStatus_d, 250),\\n SuccessCodes_BackendServer = make_set(serverStatus_s, 250),\\n take_any(SessionBlockedEnded, SessionBlockedCount)\\n by hostname_s, clientIp_s, SessionBlockedStarted\\n| where SessionBlockedCount \u003e SuccessfulAccessCount\\n| extend BlockvsSuccessRatio = SessionBlockedCount/toreal(SuccessfulAccessCount)\\n| sort by BlockvsSuccessRatio desc, SessionBlockedStarted asc\\n| project-reorder SessionBlockedStarted, SessionBlockedEnded, hostname_s, clientIp_s, SessionBlockedCount, SuccessfulAccessCount, BlockvsSuccessRatio, SuccessCodes, RequestURIs, OriginalRequestURIs, UserAgents\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"clientIp_s\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"A potentially malicious web request was executed against a web server\",\"description\":\"Detects unobstructed Web Application Firewall (WAF) activity in sessions where the WAF blocked incoming requests by computing the ratio between blocked requests and unobstructed WAF requests in these sessions (BlockvsSuccessRatio metric).\\nA high ratio value for a given client IP and hostname calls for further investigation of the WAF data in that session, due to the significantly high number of blocked requests and a few unobstructed logs that may be malicious but have passed undetected through the WAF. The successCode variable defines what the detection thinks is a successful status code and should be altered to fit the environment.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2020-11-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"WAF\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6e575295-a7e6-464c-8192-3e1d8fd6a990\",\"name\":\"6e575295-a7e6-464c-8192-3e1d8fd6a990\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.6\",\"severity\":\"High\",\"query\":\"let IPList = externaldata(IPAddress:string)[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Log4j_IOC_List.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\n//Network logs\\nlet CSlogSourceIP = CommonSecurityLog | summarize by IPAddress = SourceIP, Type;\\nlet CSlogDestIP = CommonSecurityLog | summarize by IPAddress = DestinationIP, Type;\\nlet CSlogMsgIP = CommonSecurityLog | extend MessageIP = extract(IPRegex, 0, Message) | summarize by IPAddress = MessageIP, Type;\\nlet DnsIP = DnsEvents | summarize by IPAddress = IPAddresses, Type;\\n// If you have enabled the _Im_Dns and/or imNetworkSession normalization in your workspace, you can uncomment one or both below. Reference - https://docs.microsoft.com/azure/sentinel/normalization\\n//let imDnsIP = _Im_Dns (response_has_any_prefix=IPList) | summarize by IPAddress = ResponseName, Type;\\n//let imNetSessIP = imNetworkSession (dstipaddr_has_any_prefix=IPList) | summarize by IPAddress = DstIpAddr, Type;\\n//Cloud service logs\\nlet officeIP = OfficeActivity | summarize by IPAddress = ClientIP, Type;\\nlet signinIP = SigninLogs | summarize by IPAddress, Type;\\nlet nonintSigninIP = AADNonInteractiveUserSignInLogs | summarize by IPAddress, Type;\\nlet azureActIP = AzureActivity | summarize by IPAddress = CallerIpAddress, Type;\\nlet awsCtIP = AWSCloudTrail | summarize by IPAddress = SourceIpAddress, Type;\\n//Device logs\\nlet vmConnSourceIP = VMConnection | summarize by IPAddress = SourceIp, Type;\\nlet vmConnDestIP = VMConnection | summarize by IPAddress = DestinationIp, Type;\\nlet iisLogIP = W3CIISLog | summarize by IPAddress = cIP, Type;\\nlet devNetIP = DeviceNetworkEvents | summarize by IPAddress = RemoteIP, Type;\\n//need to parse to get IP\\nlet azureDiagIP = AzureDiagnostics | where ResourceType == \\\"AZUREFIREWALLS\\\" | where Category in (\\\"AzureFirewallApplicationRule\\\", \\\"AzureFirewallNetworkRule\\\")\\n| where msg_s has_any (IPList) | parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action | summarize by IPAddress = DestinationHost, Type;\\nlet sysEvtIP = Event | where Source == \\\"Microsoft-Windows-Sysmon\\\" | where EventID == 3 | where EventData has_any (IPList) | extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = tostring(EventDetail.[9].[\\\"#text\\\"]), DestinationIP = tostring(EventDetail.[14].[\\\"#text\\\"])\\n| where SourceIP in (IPList) or DestinationIP in (IPList) | extend IPAddress = iff(SourceIP in (IPList), SourceIP, DestinationIP) | summarize by IPAddress, Type;\\n// If you have enabled the _Im_DNS and/or imNetworkSession normalization in your workdspace, you can uncomment below and include. Reference - https://docs.microsoft.com/azure/sentinel/normalization\\n//let ipsort = union isfuzzy=true CSlogDestIP, CSlogMsgIP, CSlogSourceIP, DnsIP, officeIP, signinIP, nonintSigninIP, azureActIP, awsCtIP, vmConnDestIP, vmConnSourceIP, azureDiagIP, sysEvtIP, imDnsIP, imNetSessIP\\n// If you uncomment above, then comment out the line below\\nlet ipsort = union isfuzzy=true CSlogDestIP, CSlogMsgIP, CSlogSourceIP, DnsIP, officeIP, signinIP, nonintSigninIP, azureActIP, awsCtIP, vmConnDestIP, vmConnSourceIP, azureDiagIP, sysEvtIP\\n| summarize by IPAddress\\n| where isnotempty(IPAddress) | where not(ipv4_is_private(IPAddress)) and IPAddress !in (\u00270.0.0.0\u0027,\u0027127.0.0.1\u0027);\\nlet ipMatch = ipsort | where IPAddress in (IPList);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (ipMatch) or DestinationIP in (ipMatch) or Message has_any (ipMatch)\\n| project TimeGenerated, SourceIP, DestinationIP, Message, SourceUserID, RequestURL, Type\\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend IPMatch = case(SourceIP in (ipMatch), \\\"SourceIP\\\", DestinationIP in (ipMatch), \\\"DestinationIP\\\", MessageIP in (ipMatch), \\\"Message\\\", \\\"No Match\\\")\\n| extend timestamp = TimeGenerated, IPEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, \\\"No Match\\\")\\n),\\n(OfficeActivity\\n| where ClientIP in (ipMatch)\\n| project TimeGenerated, UserAgent, Operation, RecordType, UserId, ClientIP, Type\\n| extend SourceIPAddress = ClientIP, Account = UserId\\n| extend timestamp = TimeGenerated , IPEntity = SourceIPAddress , AccountEntity = Account\\n),\\n(DnsEvents\\n| where IPAddresses has_any (ipMatch)\\n| project TimeGenerated, Computer, IPAddresses, Name, ClientIP, Type\\n| extend DestinationIPAddress = IPAddresses, Host = Computer\\n| extend timestamp = TimeGenerated, IPEntity = DestinationIPAddress, HostEntity = Host\\n),\\n(VMConnection\\n| where SourceIp in (ipMatch) or DestinationIp in (ipMatch)\\n| project TimeGenerated, Computer, SourceIp, DestinationIp, Type\\n| extend IPMatch = case( SourceIp in (ipMatch), \\\"SourceIP\\\", DestinationIp in (ipMatch), \\\"DestinationIP\\\", \\\"None\\\")\\n| extend timestamp = TimeGenerated , IPEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"None\\\"), Host = Computer\\n),\\n(Event\\n| where Source =~ \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| where EventData has_any (ipMatch)\\n| project TimeGenerated, EventData, UserName, Computer, Type\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = tostring(EventDetail.[9].[\\\"#text\\\"]), DestinationIP = tostring(EventDetail.[14].[\\\"#text\\\"])\\n| where SourceIP in (ipMatch) or DestinationIP in (ipMatch)\\n| extend IPMatch = case( SourceIP in (ipMatch), \\\"SourceIP\\\", DestinationIP in (ipMatch), \\\"DestinationIP\\\", \\\"None\\\")\\n| extend timestamp = TimeGenerated, AccountEntity = UserName, HostEntity = Computer , IPEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n),\\n(SigninLogs\\n| where IPAddress in (ipMatch)\\n| project TimeGenerated, UserPrincipalName, IPAddress, Type\\n| extend timestamp = TimeGenerated, AccountEntity = UserPrincipalName, IPEntity = IPAddress\\n),\\n(AADNonInteractiveUserSignInLogs\\n| where IPAddress in (ipMatch)\\n| project TimeGenerated, UserPrincipalName, IPAddress, Type\\n| extend timestamp = TimeGenerated, AccountEntity = UserPrincipalName, IPEntity = IPAddress\\n),\\n(W3CIISLog\\n| where cIP in (ipMatch)\\n| project TimeGenerated, Computer, cIP, csUserName, Type\\n| extend timestamp = TimeGenerated, IPEntity = cIP, HostEntity = Computer, AccountEntity = csUserName\\n),\\n(AzureActivity\\n| where CallerIpAddress in (ipMatch)\\n| project TimeGenerated, CallerIpAddress, Caller, Type\\n| extend timestamp = TimeGenerated, IPEntity = CallerIpAddress, AccountEntity = Caller\\n),\\n(\\nAWSCloudTrail\\n| where SourceIpAddress in (ipMatch)\\n| project TimeGenerated, SourceIpAddress, UserIdentityUserName, Type\\n| extend timestamp = TimeGenerated, IPEntity = SourceIpAddress, AccountEntity = UserIdentityUserName\\n),\\n(\\nDeviceNetworkEvents\\n| where RemoteIP in (ipMatch)\\n| where ActionType =~ \\\"InboundConnectionAccepted\\\"\\n| project TimeGenerated, RemoteIP, DeviceName, Type\\n| extend timestamp = TimeGenerated, IPEntity = RemoteIP, HostEntity = DeviceName\\n),\\n(\\nAzureDiagnostics\\n| where ResourceType =~ \\\"AZUREFIREWALLS\\\"\\n| where Category in (\\\"AzureFirewallApplicationRule\\\", \\\"AzureFirewallNetworkRule\\\")\\n| where msg_s has_any (ipMatch)\\n| project TimeGenerated, msg_s, Type\\n| parse msg_s with Protocol \u0027request from \u0027 SourceIP \u0027:\u0027 SourcePort \u0027to \u0027 DestinationIP \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where DestinationIP has_any (ipMatch)\\n| extend timestamp = TimeGenerated, IPEntity = DestinationIP\\n)\\n// If you have enabled the _Im_Dns and/or imNetworkSession normalization in your workdspace, you can uncomment below and include. Reference - https://docs.microsoft.com/azure/sentinel/normalization\\n//,\\n//(_Im_Dns (response_has_any_prefix=IPList)\\n//| project TimeGenerated, ResponseName, SrcIpAddr, Type\\n//| extend DestinationIPAddress = ResponseName, Host = SrcIpAddr\\n//| extend timestamp = TimeGenerated, IPEntity = DestinationIPAddress, HostEntity = Host\\n//),\\n//(imNetworkSession (dstipaddr_has_any_prefix=IPList)\\n//| project TimeGenerated, DstIpAddr, SrcIpAddr, Type\\n//| extend timestamp = TimeGenerated, IPEntity = DstIpAddr, HostEntity = SrcIpAddr\\n//)\\n)\\n| extend Name = tostring(split(AccountEntity, \u0027@\u0027, 0)[0]), UPNSuffix = tostring(split(AccountEntity, \u0027@\u0027, 1)[0])\\n| extend HostName = tostring(split(HostEntity, \u0027.\u0027, 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(HostEntity, \u0027.\u0027), 1, -1), \u0027.\u0027))\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Log4j vulnerability exploit aka Log4Shell IP IOC\",\"description\":\"Identifies a match across various data feeds for IP IOCs related to the Log4j vulnerability exploit aka Log4Shell described in CVE-2021-44228.\\n References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44228\",\"lastUpdatedDateUTC\":\"2024-07-16T00:00:00Z\",\"createdDateUTC\":\"2019-12-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoAsaAma\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AzureMonitor(WireData)\",\"dataTypes\":[\"WireData\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/32ffb19e-8ed8-40ed-87a0-1adb4746b7c4\",\"name\":\"32ffb19e-8ed8-40ed-87a0-1adb4746b7c4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"High\",\"query\":\"// Enter a reference list of malicious file artifacts\\nlet MaliciousFileArtifacts = dynamic ([\\\"lsass.dmp\\\",\\\"test.pwd\\\",\\\"lsremora.dll\\\",\\\"lsremora64.dll\\\",\\\"fgexec.exe\\\",\\\"pwdump\\\",\\\"kirbi\\\",\\\"wce_ccache\\\",\\\"wce_krbtkts\\\",\\\"wceaux.dll\\\",\\\"PwHashes\\\",\\\"SAM.out\\\",\\\"SECURITY.out\\\",\\\"SYSTEM.out\\\",\\\"NTDS.out\\\" \\\"DumpExt.dll\\\",\\\"DumpSvc.exe\\\",\\\"cachedump64.exe\\\",\\\"cachedump.exe\\\",\\\"pstgdump.exe\\\",\\\"servpw64.exe\\\",\\\"servpw.exe\\\",\\\"pwdump.exe\\\",\\\"fgdump-log\\\"]);\\nEvent\\n| where EventLog == \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID==11\\n| parse EventData with * \u0027TargetFilename\\\"\u003e\u0027 TargetFilename \\\"\u003c\\\" *\\n| where TargetFilename has_any (MaliciousFileArtifacts)\\n| parse EventData with * \u0027ProcessGuid\\\"\u003e\u0027 ProcessGuid \\\"\u003c\\\" * \u0027Image\\\"\u003e\u0027 Image \\\"\u003c\\\" *\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, Image, ProcessGuid, TargetFilename\\n| extend HostName = split(Computer, \u0027.\u0027, 0)[0], DnsDomain = strcat_array(array_slice(split(Computer, \u0027.\u0027), 1, -1), \u0027.\u0027)\",\"entityMappings\":[{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"TargetFilename\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"Image\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Credential Dumping Tools - File Artifacts\",\"description\":\"This query detects the creation of credential dumping tools files. Several credential dumping tools export files with hardcoded file names.\\nRef: https://jpcertcc.github.io/ToolAnalysisResultSheet/\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-02-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"Event\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"Event\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fbd72eb8-087e-466b-bd54-1ca6ea08c6d3\",\"name\":\"fbd72eb8-087e-466b-bd54-1ca6ea08c6d3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.3\",\"severity\":\"Medium\",\"query\":\"let opList = OfficeActivity \\n| summarize by Operation\\n//| where Operation startswith \\\"Remove-\\\" or Operation startswith \\\"Disable-\\\"\\n| where Operation has_any (\\\"Remove\\\", \\\"Disable\\\")\\n| where Operation contains \\\"AntiPhish\\\" or Operation contains \\\"SafeAttachment\\\" or Operation contains \\\"SafeLinks\\\" or Operation contains \\\"Dlp\\\" or Operation contains \\\"Audit\\\"\\n| summarize make_set(Operation, 500);\\nOfficeActivity\\n// Only admin or global-admin can disable/remove policy\\n| where RecordType =~ \\\"ExchangeAdmin\\\"\\n| where UserType in~ (\\\"Admin\\\",\\\"DcAdmin\\\")\\n// Pass in interesting Operation list\\n| where Operation in~ (opList)\\n| extend ClientIPOnly = case( \\nClientIP has \\\".\\\", tostring(split(ClientIP,\\\":\\\")[0]), \\nClientIP has \\\"[\\\", tostring(trim_start(@\u0027[[]\u0027,tostring(split(ClientIP,\\\"]\\\")[0]))),\\nClientIP\\n) \\n| extend Port = case(\\nClientIP has \\\".\\\", (split(ClientIP,\\\":\\\")[1]),\\nClientIP has \\\"[\\\", tostring(split(ClientIP,\\\"]:\\\")[1]),\\nClientIP\\n)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), OperationCount = count() by Operation, UserType, UserId, ClientIP = ClientIPOnly, Port, ResultStatus, Parameters\\n| extend AccountName = tostring(split(UserId, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(UserId, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserId\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]}],\"tactics\":[\"Persistence\",\"DefenseEvasion\"],\"displayName\":\"Office Policy Tampering\",\"description\":\"Identifies if any tampering is done to either auditlog, ATP Safelink, SafeAttachment, AntiPhish or Dlp policy. \\nAn adversary may use this technique to evade detection or avoid other policy based defenses.\\nReferences: https://docs.microsoft.com/powershell/module/exchange/advanced-threat-protection/remove-antiphishrule?view=exchange-ps.\",\"lastUpdatedDateUTC\":\"2024-03-14T00:00:00Z\",\"createdDateUTC\":\"2019-04-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity (Exchange)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/75297f62-10a8-4fc1-9b2a-12f25c6f05a7\",\"name\":\"75297f62-10a8-4fc1-9b2a-12f25c6f05a7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Medium\",\"query\":\"let domain_lookBack= 14d;\\nlet timeframe = 1d;\\nlet top_million_list = Cisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(domain_lookBack) and TimeGenerated \u003c ago(timeframe)\\n| extend Hostname = parse_url(UrlOriginal)[\\\"Host\\\"]\\n| summarize count() by tostring(Hostname)\\n| top 1000000 by count_\\n| summarize make_list(Hostname);\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(timeframe)\\n| extend Hostname = parse_url(UrlOriginal)[\\\"Host\\\"]\\n| where Hostname !in (top_million_list)\\n| extend Message = \\\"Connect to unpopular website (possible malicious payload delivery)\\\"\\n| project Message, SrcIpAddr, DstIpAddr,UrlOriginal, TimeGenerated\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlOriginal\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - Connection to Unpopular Website Detected\",\"description\":\"Detects first connection to an unpopular website (possible malicious payload delivery).\",\"lastUpdatedDateUTC\":\"2023-12-29T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a3df4a32-4805-4c6d-8699-f3c888af2f67\",\"name\":\"a3df4a32-4805-4c6d-8699-f3c888af2f67\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.6\",\"severity\":\"High\",\"query\":\"// We can use this configuration TimeDeltaInMinutes if you want to chnage the time window that we try to match the alerts\\nlet TimeDeltaInMinutes = 10;\\nlet Alert_UnfamiliarSignInProps = \\nSecurityAlert\\n| where TimeGenerated \u003e ago(1d)\\n| where ProductName =~ \\\"Azure Active Directory Identity Protection\\\"\\n| where AlertName =~ \\\"Unfamiliar sign-in properties\\\"\\n| mv-expand Entity = todynamic(Entities)\\n| where Entity.Type =~ \\\"account\\\"\\n| extend AadTenantId = tostring(Entity.AadTenantId)\\n| extend AadUserId = tostring(Entity.AadUserId)\\n| join kind=inner (\\nIdentityInfo\\n| distinct AccountTenantId, AccountObjectId, AccountUPN, AccountDisplayName\\n| extend UserName = AccountDisplayName\\n| extend UserAccount = AccountUPN\\n| where isnotempty(AccountDisplayName) and isnotempty(UserAccount)\\n| project AccountTenantId, AccountObjectId, UserAccount, UserName\\n)\\non\\n$left.AadTenantId == $right.AccountTenantId,\\n$left.AadUserId == $right.AccountObjectId\\n| extend CompromisedEntity = iff(CompromisedEntity == \\\"N/A\\\" or isempty(CompromisedEntity), UserAccount, CompromisedEntity)\\n| extend Alert_UnfamiliarSignInProps_Time = TimeGenerated\\n| extend Alert_UnfamiliarSignInProps_Name = AlertName\\n| extend Alert_UnfamiliarSignInProps_Severity = AlertSeverity\\n| project AadTenantId, AadUserId, AccountTenantId, AccountObjectId, Alert_UnfamiliarSignInProps_Name, Alert_UnfamiliarSignInProps_Severity, Alert_UnfamiliarSignInProps_Time, UserAccount, UserName\\n;\\nlet Alert_AtypicalTravels = \\nSecurityAlert\\n| where TimeGenerated \u003e ago(1d)\\n| where ProductName =~ \\\"Azure Active Directory Identity Protection\\\"\\n| where AlertName =~ \\\"Atypical travel\\\"\\n| mv-expand Entity = todynamic(Entities)\\n| where Entity.Type =~ \\\"account\\\"\\n| extend AadTenantId = tostring(Entity.AadTenantId)\\n| extend AadUserId = tostring(Entity.AadUserId)\\n| join kind=inner (\\nIdentityInfo\\n| distinct AccountTenantId, AccountObjectId, AccountUPN, AccountDisplayName\\n| extend UserName = AccountDisplayName\\n| extend UserAccount = AccountUPN\\n| where isnotempty(AccountDisplayName) and isnotempty(UserAccount)\\n| project AccountTenantId, AccountObjectId, UserAccount, UserName\\n)\\non\\n$left.AadTenantId == $right.AccountTenantId,\\n$left.AadUserId == $right.AccountObjectId\\n| extend CompromisedEntity = iff(CompromisedEntity == \\\"N/A\\\" or isempty(CompromisedEntity), UserAccount, CompromisedEntity)\\n| extend Alert_AtypicalTravels_Time = TimeGenerated\\n| extend Alert_AtypicalTravels_Name = AlertName\\n| extend Alert_AtypicalTravels_Severity = AlertSeverity\\n| extend ExtendedProperties_json= parse_json(ExtendedProperties)\\n| extend CurrentLocation = tostring(ExtendedProperties_json.[\\\"Current Location\\\"])\\n| extend PreviousLocation = tostring(ExtendedProperties_json.[\\\"Previous Location\\\"])\\n| extend CurrentIPAddress = tostring(ExtendedProperties_json.[\\\"Current IP Address\\\"])\\n| extend PreviousIPAddress = tostring(ExtendedProperties_json.[\\\"Previous IP Address\\\"])\\n| project AadTenantId, AadUserId, AccountTenantId, AccountObjectId, Alert_AtypicalTravels_Name, Alert_AtypicalTravels_Severity, Alert_AtypicalTravels_Time, CurrentIPAddress, PreviousIPAddress, CurrentLocation, PreviousLocation, UserAccount, UserName, CompromisedEntity\\n;\\nAlert_UnfamiliarSignInProps\\n| join kind=inner Alert_AtypicalTravels on UserAccount\\n| where abs(datetime_diff(\u0027minute\u0027, Alert_UnfamiliarSignInProps_Time, Alert_AtypicalTravels_Time)) \u003c= TimeDeltaInMinutes\\n| extend TimeDelta = Alert_UnfamiliarSignInProps_Time - Alert_AtypicalTravels_Time\\n| project UserAccount, Alert_UnfamiliarSignInProps_Name, Alert_UnfamiliarSignInProps_Severity, Alert_UnfamiliarSignInProps_Time, Alert_AtypicalTravels_Name, Alert_AtypicalTravels_Severity, Alert_AtypicalTravels_Time, TimeDelta, CurrentLocation, PreviousLocation, CurrentIPAddress, PreviousIPAddress, UserName\\n| extend UserEmailName = split(UserAccount,\u0027@\u0027)[0], UPNSuffix = split(UserAccount,\u0027@\u0027)[1]\",\"customDetails\":{\"Alert1_Name\":\"Alert_UnfamiliarSignInProps_Name\",\"Alert1_Time\":\"Alert_UnfamiliarSignInProps_Time\",\"Alert1_Severity\":\"Alert_UnfamiliarSignInProps_Severity\",\"Alert2_Name\":\"Alert_AtypicalTravels_Name\",\"Alert2_Time\":\"Alert_AtypicalTravels_Time\",\"Alert2_Severity\":\"Alert_AtypicalTravels_Severity\",\"TimeDelta\":\"TimeDelta\",\"CurrentLocation\":\"CurrentLocation\",\"PreviousLocation\":\"PreviousLocation\",\"CurrentIPAddress\":\"CurrentIPAddress\",\"PreviousIPAddress\":\"PreviousIPAddress\"},\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"},{\"identifier\":\"Name\",\"columnName\":\"UserEmailName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"CurrentIPAddress\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"PreviousIPAddress\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Correlate Unfamiliar sign-in properties \u0026 atypical travel alerts\",\"description\":\"The combination of an Unfamiliar sign-in properties alert and an Atypical travel alert about the same user within a +10m or -10m window is considered a high severity incident.\",\"lastUpdatedDateUTC\":\"2023-04-19T00:00:00Z\",\"createdDateUTC\":\"2020-09-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectoryIdentityProtection\",\"dataTypes\":[\"SecurityAlert (IPC)\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"IdentityInfo\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/05eca115-c4b5-48e4-ba6e-07db57695be2\",\"name\":\"05eca115-c4b5-48e4-ba6e-07db57695be2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let baseline_time = 7d;\\nlet detection_time = 1d;\\nDynamics365Activity\\n| where TimeGenerated between(ago(baseline_time)..ago(detection_time-1d))\\n| where OriginalObjectId contains \u0027ExportToExcel\u0027\\n| extend numQueryCount = todouble(QueryResults)\\n| extend QueryCount = iif(QueryResults contains \\\",\\\", todouble(countof(tostring(QueryResults), \u0027,\u0027) + 1), numQueryCount)\\n| extend QueryCount = iif(isnotempty(QueryCount), QueryCount, double(1))\\n| summarize sum(QueryCount) by UserId\\n| extend HistoricalBaseline = sum_QueryCount\\n| join (Dynamics365Activity\\n| where TimeGenerated \u003e ago(detection_time)\\n| where OriginalObjectId contains \u0027ExportToExcel\u0027\\n| extend numQueryCount = todouble(QueryResults)\\n| extend QueryCount = iif(QueryResults contains \\\",\\\", todouble(countof(tostring(QueryResults), \u0027,\u0027) + 1), numQueryCount)\\n| extend QueryCount = iif(isnotempty(QueryCount), QueryCount, double(1))\\n| summarize sum(QueryCount) by UserId\\n| extend CurrentExportRate = sum_QueryCount) on UserId\\n| where CurrentExportRate \u003e HistoricalBaseline\\n| project UserId, HistoricalBaseline, CurrentExportRate\\n| join kind=inner(Dynamics365Activity\\n| where TimeGenerated \u003e ago(detection_time)\\n| where OriginalObjectId contains \u0027ExportToExcel\u0027\\n| extend numQueryCount = todouble(QueryResults)\\n| extend QueryCount = iif(QueryResults contains \\\",\\\", todouble(countof(tostring(QueryResults), \u0027,\u0027) + 1), numQueryCount)\\n| extend QueryCount = iif(isnotempty(QueryCount), QueryCount, double(1))) on UserId\\n| project TimeGenerated, UserId, QueryCount, UserAgent, OriginalObjectId, ClientIP, HistoricalBaseline, CurrentExportRate, CorrelationId, CrmOrganizationUniqueName\\n| summarize QuerySizes = make_set(QueryCount), MostRecentQuery = max(TimeGenerated), IPs = make_set(ClientIP), UserAgents = make_set(UserAgent) by UserId, CrmOrganizationUniqueName, HistoricalBaseline, CurrentExportRate\\n| extend timestamp = MostRecentQuery, AccountCustomEntity = UserId\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"Collection\"],\"displayName\":\"Mass Export of Dynamics 365 Records to Excel\",\"description\":\"The query detects user exporting a large amount of records from Dynamics 365 to Excel, significantly more records exported than any other recent activity by that user.\",\"lastUpdatedDateUTC\":\"2022-12-12T00:00:00Z\",\"createdDateUTC\":\"2021-02-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Dynamics365\",\"dataTypes\":[\"Dynamics365Activity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/327cd4ed-ca42-454b-887c-54e1c91363c6\",\"name\":\"327cd4ed-ca42-454b-887c-54e1c91363c6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Microsoft Defender Advanced Threat Protection\",\"displayName\":\"Create incidents based on Microsoft Defender for Endpoint alerts\",\"description\":\"Create incidents based on all alerts generated in Microsoft Defender for Endpoint\",\"lastUpdatedDateUTC\":\"2019-10-24T00:00:00Z\",\"createdDateUTC\":\"2019-10-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftDefenderAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert (MDATP)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0dd2a343-4bf9-4c93-a547-adf3658ddaec\",\"name\":\"0dd2a343-4bf9-4c93-a547-adf3658ddaec\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"High\",\"query\":\"let known_processes = (\\n imProcess\\n // Change these values if adjusting Query Frequency or Query Period\\n | where TimeGenerated between(ago(14d)..ago(1d))\\n | where Process has_any (\\\"Policies\\\\\\\\{6AC1786C-016F-11D2-945F-00C04fB984F9}\\\", \\\"Policies\\\\\\\\{31B2F340-016D-11D2-945F-00C04FB984F9}\\\")\\n | summarize by Process);\\n imProcess\\n // Change these values if adjusting Query Frequency or Query Period\\n | where TimeGenerated \u003e ago(1d)\\n | where Process has_any (\\\"Policies\\\\\\\\{6AC1786C-016F-11D2-945F-00C04fB984F9}\\\", \\\"Policies\\\\\\\\{31B2F340-016D-11D2-945F-00C04FB984F9}\\\")\\n | where Process !in (known_processes)\\n | summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated) by Process, CommandLine, DvcHostname\\n | extend HostName = tostring(split(DvcHostname, \\\".\\\")[0]), DomainIndex = toint(indexof(DvcHostname, \u0027.\u0027))\\n | extend HostNameDomain = iff(DomainIndex != -1, substring(DvcHostname, DomainIndex + 1), DvcHostname)\\n | project-away DomainIndex\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DvcHostname\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"Execution\",\"LateralMovement\"],\"displayName\":\"New EXE deployed via Default Domain or Default Domain Controller Policies (ASIM Version)\",\"description\":\"This detection highlights executables deployed to hosts via either the Default Domain or Default Domain Controller Policies. These policies apply to all hosts or Domain Controllers and best practice is that these policies should not be used for deployment of files.\\n A threat actor may use these policies to deploy files or scripts to all hosts in a domain.\\n This query uses the ASIM parsers and will need them deployed before usage - https://docs.microsoft.com/azure/sentinel/normalization\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2022-02-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/066395ac-ef91-4993-8bf6-25c61ab0ca5a\",\"name\":\"066395ac-ef91-4993-8bf6-25c61ab0ca5a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/SOURGUM.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet file_path1 = (iocs | where Type =~ \\\"filepath1\\\" | project IoC);\\nlet file_path2 = (iocs | where Type =~ \\\"filepath2\\\" | project IoC);\\nlet file_path3 = (iocs | where Type =~ \\\"filepath3\\\" | project IoC);\\nlet reg_key = (iocs | where Type =~ \\\"regkey\\\" | project IoC);\\nWindowsEvent\\n| where EventID == 4688 and (EventData has_any (file_path1) or EventData has_any (file_path2) or EventData has_any (file_path3) or EventData has_any (\u0027reg add\u0027) or EventData has_any (reg_key) )\\n| extend CommandLine = tostring(EventData.CommandLine)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| where (CommandLine has_any (file_path1)) or\\n (CommandLine has_any (file_path3)) or\\n (CommandLine has \u0027reg add\u0027 and CommandLine has_any (reg_key) and CommandLine has_any (file_path2)) or \\n (NewProcessName has_any (file_path1)) or\\n (NewProcessName has_any (file_path3)) or\\n (ParentProcessName has_any (file_path1)) or \\n (ParentProcessName has_any (file_path3)) \\n| extend Account = strcat(EventData.SubjectDomainName,\\\"\\\\\\\\\\\", EventData.SubjectUserName)\\n| extend NewProcessId = tostring(EventData.NewProcessId)\\n| extend IPCustomEntity = tostring(EventData.IpAddress)\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type, IPCustomEntity\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, Alert = \u0027SOURGUM IOC detected\u0027\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Caramel Tsunami Actor IOC - July 2021\",\"description\":\"Identifies a match across IOC\u0027s related to an actor tracked by Microsoft as Caramel Tsunami\",\"lastUpdatedDateUTC\":\"2023-07-18T00:00:00Z\",\"createdDateUTC\":\"2022-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1da9853f-3dea-4ea9-b7e5-26730da3d537\",\"name\":\"1da9853f-3dea-4ea9-b7e5-26730da3d537\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.6\",\"severity\":\"Medium\",\"query\":\"let PortScanThreshold = 50;\\n_Im_NetworkSession\\n| where ipv4_is_private(SrcIpAddr) == False\\n| where SrcIpAddr !in (\\\"127.0.0.1\\\", \\\"::1\\\")\\n| summarize AttemptedPortsCount=dcount(DstPortNumber), AttemptedPorts=make_set(DstPortNumber, 100), ReportedBy=make_set(strcat(EventVendor, \\\"/\\\", EventProduct), 20) by SrcIpAddr, bin(TimeGenerated, 5m)\\n| where AttemptedPortsCount \u003e PortScanThreshold\",\"customDetails\":{\"AttemptedPortsCount\":\"AttemptedPortsCount\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Potential port scan from {{SrcIpAddr}}\",\"alertDescriptionFormat\":\"A port scan has been performed from address {{SrcIpAddr}} over {{AttemptedPortsCount}} ports within 5 minutes. This may indicate that a [port scanner](https://en.wikipedia.org/wiki/Port_scanner) is trying to identify open ports in order to penetrate a system.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"Discovery\"],\"displayName\":\"Port scan detected (ASIM Network Session schema)\",\"description\":\"This rule identifies a possible port scan, in which a single source tries to access a large number of different ports is a short time frame. This may indicate that a [port scanner](https://en.wikipedia.org/wiki/Port_scanner) is trying to identify open ports in order to penetrate a system.\\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-03-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"AzureNSG\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoAsaAma\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]},{\"connectorId\":\"AIVectraStream\",\"dataTypes\":[\"VectraStream\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoMeraki\",\"dataTypes\":[\"Syslog\",\"CiscoMerakiNativePoller\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2f561e20-d97b-4b13-b02d-18b34af6e87c\",\"name\":\"2f561e20-d97b-4b13-b02d-18b34af6e87c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\nlet cmdList = dynamic([\\\"Set-CASMailbox\\\",\\\"ActiveSyncAllowedDeviceIDs\\\",\\\"add\\\"]);\\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where EventID == 4688\\n| where CommandLine has_all (cmdList)\\n| project Type, TimeGenerated, Computer, Account, SubjectDomainName, SubjectUserName, Process, ParentProcessName, CommandLine\\n| extend timestamp = TimeGenerated, AccountEntity = Account, HostEntity = Computer\\n),\\n( WindowsEvent\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where EventID == 4688\\n| where EventData has_all (cmdList)\\n| extend CommandLine = tostring(EventData.CommandLine) \\n| where CommandLine has_all (cmdList)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| project Type, TimeGenerated, Computer, Account, SubjectDomainName, SubjectUserName, Process, ParentProcessName, CommandLine\\n| extend timestamp = TimeGenerated, AccountEntity = Account, HostEntity = Computer\\n),\\n(\\nDeviceProcessEvents\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where InitiatingProcessCommandLine has_all (cmdList)\\n| project Type, TimeGenerated, DeviceName, AccountName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessParentFileName, InitiatingProcessCommandLine\\n| extend timestamp = TimeGenerated, AccountDomain = InitiatingProcessAccountDomain, AccountName = InitiatingProcessAccountName, HostEntity = DeviceName\\n),\\n(\\nEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key=tostring([\u0027@Name\u0027]), Value=[\u0027#text\u0027]\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where CommandLine has_all (cmdList)\\n| extend Type = strcat(Type, \\\": \\\", Source)\\n| project Type, TimeGenerated, Computer, User, Process, ParentImage, CommandLine\\n| extend timestamp = TimeGenerated, AccountEntity = User, HostEntity = Computer\\n)\\n)\\n| extend HostName = tostring(split(HostEntity, \\\".\\\")[0]), DomainIndex = toint(indexof(HostEntity, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(HostEntity, DomainIndex + 1), HostEntity)\\n| extend AccountName = tostring(split(AccountEntity, @\u0027\\\\\u0027)[1]), AccountDomain = tostring(split(AccountEntity, @\u0027\\\\\u0027)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountEntity\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostEntity\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Email access via active sync\",\"description\":\"This query detects attempts to add attacker devices as allowed IDs for active sync using the Set-CASMailbox command.\\nThis technique was seen in relation to Solorigate attack but the results can indicate potential malicious activity used in different attacks.\\n- Note that this query can be changed to use the KQL \\\"has_all\\\" operator, which hasn\u0027t yet been documented officially, but will be soon.\\n In short, \\\"has_all\\\" will only match when the referenced field has all strings in the list.\\n- Refer to Set-CASMailbox syntax: https://docs.microsoft.com/powershell/module/exchange/set-casmailbox?view=exchange-ps \",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2021-02-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f041e01d-840d-43da-95c8-4188f6cef546\",\"name\":\"f041e01d-840d-43da-95c8-4188f6cef546\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let LearningPeriod = 7d;\\nlet RunTime = 1h;\\nlet StartTime = 1h;\\nlet EndRunTime = StartTime - RunTime;\\nlet EndLearningTime = StartTime + LearningPeriod;\\nlet GitHubCountryCodeLogs = (GitHubAudit\\n| where Country != \\\"\\\");\\n GitHubCountryCodeLogs\\n| where TimeGenerated between (ago(EndLearningTime) .. ago(StartTime))\\n| summarize makeset(Country) by Actor\\n| join kind=innerunique (\\n GitHubCountryCodeLogs\\n | where TimeGenerated between (ago(StartTime) .. ago(EndRunTime))\\n | distinct Country, Actor, TimeGenerated\\n) on Actor \\n| where set_Country !contains Country\\n| extend AccountCustomEntity = Actor , timestamp = TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"GitHub Activites from a New Country\",\"description\":\"Detect activities from a location that was not recently or was never visited by the user or by any user in your organization.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e4779bdc-397a-4b71-be28-59e6a1e1d16b\",\"name\":\"e4779bdc-397a-4b71-be28-59e6a1e1d16b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"ZoomLogs\\n| where Event =~ \\\"account.settings_updated\\\"\\n| extend NewE2ESetting = columnifexists(\\\"payload_object_settings_in_meeting_e2e_encryption_b\\\", \\\"\\\")\\n| extend OldE2ESetting = columnifexists(\\\"payload_old_object_settings_in_meeting_e2e_encryption_b\\\", \\\"\\\")\\n| where OldE2ESetting =~ \u0027false\u0027 and NewE2ESetting =~ \u0027true\u0027\\n| extend AccountName = tostring(split(User, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(User, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"User\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]}],\"tactics\":[\"CredentialAccess\",\"Discovery\"],\"displayName\":\"Zoom E2E Encryption Disabled\",\"description\":\"This alerts when end to end encryption is disabled for Zoom meetings.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2020-04-24T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b6685757-3ed1-4b05-a5bd-2cacadc86c2a\",\"name\":\"b6685757-3ed1-4b05-a5bd-2cacadc86c2a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.3\",\"severity\":\"High\",\"query\":\"let UA_threats = dynamic([\\\"FoxBlade\\\", \\\"WhisperGate\\\", \\\"Lasainraw\\\", \\\"SonicVote\\\", \\\"CaddyWiper\\\", \\\"AprilAxe\\\", \\\"FiberLake\\\", \\\"Industroyer\\\", \\\"DesertBlade\\\"]);\\nSecurityAlert\\n| where ProviderName =~ \\\"MDATP\\\"\\n| extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)\\n| where ThreatFamilyName in~ (UA_threats)\\n| extend HostName = tostring(split(CompromisedEntity, \\\".\\\")[0]), DomainIndex = toint(indexof(CompromisedEntity, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(CompromisedEntity, DomainIndex + 1), CompromisedEntity)\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CompromisedEntity\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"AV detections related to Ukraine threats\",\"description\":\"This query looks for Microsoft Defender AV detections for malware observed in relation to the war in Ukraine.\\n Ref: https://msrc-blog.microsoft.com/2022/02/28/analysis-resources-cyber-threat-activity-ukraine/ \",\"lastUpdatedDateUTC\":\"2024-04-04T00:00:00Z\",\"createdDateUTC\":\"2022-03-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ed43bdb7-eaab-4ea4-be52-6951fcfa7e3b\",\"name\":\"ed43bdb7-eaab-4ea4-be52-6951fcfa7e3b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.4\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nlet timeframe = 1d;\\nlet TotalEventsThreshold = 25;\\nlet TimeSeriesData = AzureActivity \\n| where TimeGenerated between (startofday(ago(starttime))..startofday(now())) \\n| where OperationNameValue endswith \\\"delete\\\" \\n| project TimeGenerated, Caller \\n| make-series Total = count() on TimeGenerated from startofday(ago(starttime)) to startofday(now()) step timeframe by Caller;\\nTimeSeriesData \\n| extend (anomalies, score, baseline) = series_decompose_anomalies(Total, 3, -1, \u0027linefit\u0027) \\n| mv-expand Total to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to typeof(double), baseline to typeof(long) \\n| where TimeGenerated \u003e= startofday(ago(endtime)) \\n| where anomalies \u003e 0 \\n| project Caller, TimeGenerated, Total, baseline, anomalies, score \\n| where Total \u003e TotalEventsThreshold and baseline \u003e 0 \\n| join (AzureActivity \\n| where TimeGenerated \u003e startofday(ago(endtime)) \\n| where OperationNameValue endswith \\\"delete\\\" \\n| summarize count(), make_set(OperationNameValue,100), make_set(_ResourceId,100) by bin(TimeGenerated, timeframe), Caller ) on TimeGenerated, Caller \\n| extend Name = iif(Caller has \u0027@\u0027,tostring(split(Caller,\u0027@\u0027,0)[0]),\\\"\\\")\\n| extend UPNSuffix = iif(Caller has \u0027@\u0027,tostring(split(Caller,\u0027@\u0027,1)[0]),\\\"\\\")\\n| extend AadUserId = iif(Caller !has \u0027@\u0027,Caller,\\\"\\\")\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Caller\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"AadUserId\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Mass Cloud resource deletions Time Series Anomaly\",\"description\":\"This query generates the baseline pattern of cloud resource deletions by an individual and generates an anomaly when any unusual spike is detected. These anomalies from unusual or privileged users could be an indication of a cloud infrastructure takedown by an adversary.\",\"lastUpdatedDateUTC\":\"2024-03-04T00:00:00Z\",\"createdDateUTC\":\"2022-03-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/11c3d541-5fa5-49df-8218-d1c98584473b\",\"name\":\"11c3d541-5fa5-49df-8218-d1c98584473b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"// Retrieve SecurityAlerts generated within the last day\\n SecurityAlert \\n // Filter alerts for Azure Active Directory Identity Protection and High severity\\n | where ProductName has \\\"Azure Active Directory Identity Protection\\\"\\n | where AlertSeverity == \\\"High\\\"\\n // Extract IP address entities from the \u0027Entities\u0027 field\\n | extend ipAddress = extract(@\u0027\\\\b(?:\\\\d{1,3}\\\\.){3}\\\\d{1,3}\\\\b\u0027, 0, Entities)\\n // Filter out alerts without IP address entities\\n | where isnotempty(ipAddress)\\n // Summarize entities per unique combination of attributes\\n | summarize make_set(Entities)\\n by\\n AlertTime = TimeGenerated,\\n ipAddress,\\n AlertName,\\n ProductName,\\n AlertSeverity\\n // Perform an inner join with AWS CloudTrail events\\n | join kind=inner (\\n AWSCloudTrail\\n | where isempty(ErrorMessage)\\n | extend UserType = tostring(parse_json(RequestParameters).userType) \\n | where EventName in~ (\\\"CreateRole\\\", \\\"DeleteRole\\\", \\\"CreateUser\\\", \\\"CreateAccessKey\\\", \\\"DeleteAccessKey\\\", \\\"CreateGroup\\\", \\\"AddUserToGroup\\\", \\\"ChangePassword\\\", \\\"DeleteGroup\\\", \\\"DeleteUser\\\", \\\"RemoveUserFromGroup\\\", \\\"CreateVirtualMFADevice\\\", \\\"DeleteLoginProfile\\\") \\n | summarize\\n make_set(RequestParameters),\\n make_set(ResponseElements)\\n by\\n SourceIpAddress,\\n UserIdentityArn,\\n UserIdentityType,\\n EventName,\\n EventTime = TimeGenerated\\n )\\n on $left.ipAddress == $right.SourceIpAddress \\n // Filter results based on temporal correlation\\n | where AlertTime between ((EventTime - 1h) .. (EventTime + 1h))\",\"customDetails\":{\"AWSUser\":\"UserIdentityArn\",\"AlertIp\":\"ipAddress\",\"AlertName\":\"AlertName\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIpAddress\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"User impersonation by Identity Protection alerts\",\"description\":\"This detection focuses on identifying user-related events involving IAM roles, groups, user access, and password changes. It examines instances where the user\u0027s IP address matches and alerts generated by Identity Protection share the same IP address. The analysis occurs within a time window of 1 hour, helping to flag potential cases of user impersonation.\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2023-08-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"AzureActiveDirectoryIdentityProtection\",\"dataTypes\":[\"SecurityAlert (IPC)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4d8de9e6-263e-4845-8618-cd23a4f58b70\",\"name\":\"4d8de9e6-263e-4845-8618-cd23a4f58b70\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT3H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 3h;\\n// Add full UPN (user@domain.com) to Authorized Bypassers to ignore policy bypasses by certain authorized users\\nlet AuthorizedBypassers = dynamic([\u0027foo@baz.com\u0027, \u0027test@foo.com\u0027]);\\nlet historicBypassers = AzureDevOpsAuditing\\n| where TimeGenerated between (ago(starttime) .. ago(endtime))\\n| where OperationName == \u0027Git.RefUpdatePoliciesBypassed\u0027\\n| distinct ActorUPN;\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e= ago(endtime)\\n| where OperationName == \u0027Git.RefUpdatePoliciesBypassed\u0027\\n| where ActorUPN !in (historicBypassers) and ActorUPN !in (AuthorizedBypassers)\\n| parse ScopeDisplayName with OrganizationName \u0027(Organization)\u0027\\n| project TimeGenerated, ActorUPN, IpAddress, UserAgent, OrganizationName, ProjectName, RepoName = Data.RepoName, AlertDetails = Details, Branch = Data.Name,\\n BypassReason = Data.BypassReason, PRLink = strcat(\u0027https://dev.azure.com/\u0027, OrganizationName, \u0027/\u0027, ProjectName, \u0027/_git/\u0027, Data.RepoName, \u0027/pullrequest/\u0027, Data.PullRequestId)\\n| extend timestamp = TimeGenerated\\n| extend AccountName = tostring(split(ActorUPN, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(ActorUPN, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ActorUPN\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"PRLink\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Azure DevOps Pull Request Policy Bypassing - Historic allow list\",\"description\":\"This detection builds an allow list of historic PR policy bypasses and compares to recent history, flagging pull request bypasses that are not manually in the allow list and not historically included in the allow list.\",\"lastUpdatedDateUTC\":\"2024-03-13T00:00:00Z\",\"createdDateUTC\":\"2020-06-04T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f2eb15bd-8a88-4b24-9281-e133edfba315\",\"name\":\"f2eb15bd-8a88-4b24-9281-e133edfba315\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.8\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet Signins = materialize(union isfuzzy=true\\n (SigninLogs\\n | where TimeGenerated \u003e= ago(dt_lookBack)),\\n (AADNonInteractiveUserSignInLogs\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | extend Status = todynamic(Status), LocationDetails = todynamic(LocationDetails)));\\nlet SigninIPs = Signins | summarize make_list(IPAddress);\\nlet TI = materialize(ThreatIntelligenceIndicator\\n | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n | where TimeGenerated \u003e= ago(ioc_lookBack)\\n | extend TI_ipEntity = coalesce(NetworkIP, EmailSourceIpAddress, NetworkDestinationIP, NetworkSourceIP)\\n | where TI_ipEntity in (SigninIPs)\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n | where Active == true and ExpirationDateTime \u003e now()\\n | where Description !contains_cs \\\"State: inactive;\\\" and Description !contains_cs \\\"State: falsepos;\\\");\\nTI\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (Signins) on $left.TI_ipEntity == $right.IPAddress\\n| project-rename SigninLogs_TimeGenerated = TimeGenerated\\n| where SigninLogs_TimeGenerated \u003c ExpirationDateTime\\n| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails), StatusReason = tostring(Status.failureReason)\\n| summarize SigninLogs_TimeGenerated = arg_max(SigninLogs_TimeGenerated, *) by IndicatorId, IPAddress\\n| project SigninLogs_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, IPAddress, UserPrincipalName, AppDisplayName, StatusCode, StatusDetails, StatusReason, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, Type\\n| extend timestamp = SigninLogs_TimeGenerated, Name = tostring(split(UserPrincipalName, \u0027@\u0027, 0)[0]), UPNSuffix = tostring(split(UserPrincipalName, \u0027@\u0027, 1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"TI Map IP Entity to SigninLogs\",\"description\":\"This query maps any IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in SigninLogs.\",\"lastUpdatedDateUTC\":\"2023-07-18T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8cbc3215-fa58-4bd6-aaaa-f0029c351730\",\"name\":\"8cbc3215-fa58-4bd6-aaaa-f0029c351730\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"AlertPerResult\"},\"version\":\"1.1.4\",\"severity\":\"Medium\",\"query\":\"let threatCategory=\\\"Cryptominer\\\";\\nlet knownUserAgentsIndicators = materialize(externaldata(UserAgent:string, Category:string)\\n [ @\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/UnusualUserAgents.csv\\\"] \\n with(format=\\\"csv\\\", ignoreFirstRecord=True));\\nlet knownUserAgents=toscalar(knownUserAgentsIndicators | where Category==threatCategory | where isnotempty(UserAgent) | summarize make_list(UserAgent));\\nlet customUserAgents=toscalar(_GetWatchlist(\\\"UnusualUserAgents\\\") | where SearchKey==threatCategory | extend UserAgent=column_ifexists(\\\"UserAgent\\\",\\\"\\\") | where isnotempty(UserAgent) | summarize make_list(UserAgent));\\nlet fullUAList = array_concat(knownUserAgents,customUserAgents);\\n_Im_WebSession(httpuseragent_has_any=fullUAList)\\n| summarize N_Events=count() by SrcIpAddr, Url, TimeGenerated, HttpUserAgent, SrcUsername\\n| extend AccountName = tostring(split(SrcUsername, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(SrcUsername, \\\"@\\\")[1])\",\"customDetails\":{\"UserAgent\":\"HttpUserAgent\"},\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SrcUsername\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"The host {{SrcIpAddr}} is potentially running a crypto miner\",\"alertDescriptionFormat\":\"The host at address {{SrcIpAddr}} sent an HTTP request to the URL {{Url}} with the HTTP user agent header {{HttpUserAgent}}. This user agent is known to be used by crypto miners and indicates crypto mining activity on the client.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"Impact\"],\"displayName\":\"A host is potentially running a crypto miner (ASIM Web Session schema)\",\"description\":\"This rule identifies a web request with a user agent header known to belong to a crypto miner. This indicates a crypto miner may have infected the client machine.\u003cbr\u003eYou can add custom crypto mining indicating User-Agent headers using a watchlist, for more information refer to the [UnusualUserAgents Watchlist](https://aka.ms/ASimUnusualUserAgentsWatchlist).\u003cbr\u003e\u003cbr\u003e This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema)\",\"lastUpdatedDateUTC\":\"2024-07-15T00:00:00Z\",\"createdDateUTC\":\"2021-12-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5db427b2-f406-4274-b413-e9fcb29412f8\",\"name\":\"5db427b2-f406-4274-b413-e9fcb29412f8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.4\",\"severity\":\"High\",\"query\":\"AuditLogs\\n| where ActivityDisplayName =~ \u0027Add member to role request denied (PIM activation)\u0027\\n| mv-apply ResourceItem = TargetResources on \\n (\\n where ResourceItem.type =~ \\\"Role\\\"\\n | extend Role = trim(@\u0027\\\"\u0027,tostring(ResourceItem.displayName))\\n )\\n| mv-apply ResourceItem = TargetResources on \\n (\\n where ResourceItem.type =~ \\\"User\\\"\\n | extend TargetUserPrincipalName = trim(@\u0027\\\"\u0027,tostring(ResourceItem.userPrincipalName))\\n )\\n| where ResultReason != \\\"RoleAssignmentExists\\\"\\n| where isnotempty(InitiatedBy.user)\\n| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n| extend InitiatingIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\\n| extend TargetName = tostring(split(TargetUserPrincipalName,\u0027@\u0027,0)[0]), TargetUPNSuffix = tostring(split(TargetUserPrincipalName,\u0027@\u0027,1)[0])\\n| extend InitiatedByName = tostring(split(InitiatingUserPrincipalName,\u0027@\u0027,0)[0]), InitiatedByUPNSuffix = tostring(split(InitiatingUserPrincipalName,\u0027@\u0027,1)[0])\\n| project-reorder TimeGenerated, TargetUserPrincipalName, Role, OperationName, Result, ResultDescription\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"TargetName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"TargetUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatedByName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatedByUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAppServicePrincipalId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIpAddress\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"NRT PIM Elevation Request Rejected\",\"description\":\"Identifies when a user is rejected for a privileged role elevation via PIM. Monitor rejections for indicators of attacker compromise of the requesting account.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-identity-management\",\"lastUpdatedDateUTC\":\"2024-08-19T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4d94d4a9-dc96-450a-9dea-4d4d4594199b\",\"name\":\"4d94d4a9-dc96-450a-9dea-4d4d4594199b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"High\",\"query\":\"SecurityNestedRecommendation\\n| where RemediationDescription has \u0027CVE-2021-38647\u0027\\n| parse ResourceDetails with * \u0027virtualMachines/\u0027 VirtualMAchine \u0027\\\"\u0027 *\\n| summarize arg_min(TimeGenerated, *) by TenantId, RecommendationSubscriptionId, VirtualMAchine, RecommendationName,Description,RemediationDescription, tostring(AdditionalData),VulnerabilityId\\n| extend HostName = tostring(split(VirtualMAchine, \\\".\\\")[0]), DomainIndex = toint(indexof(VirtualMAchine, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(VirtualMAchine, DomainIndex + 1), VirtualMAchine)\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"VirtualMAchine\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"InitialAccess\",\"Execution\"],\"displayName\":\"Vulnerable Machines related to OMIGOD CVE-2021-38647\",\"description\":\"This query uses the Azure Defender Security Nested Recommendations data to find machines vulnerable to OMIGOD CVE-2021-38647.\\nOMI is the Linux equivalent of Windows WMI and helps users manage configurations across remote and local environments. The query aims to find machines that have this OMI vulnerability (CVE-2021-38647).\\n Security Nested Recommendations data is sent to Microsoft Sentinel using the continuous export feature of Azure Defender(refrence link below).\\n Reference: https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure\\n Reference: https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2021-09-17T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3255ec41-6bd6-4f35-84b1-c032b18bbfcb\",\"name\":\"3255ec41-6bd6-4f35-84b1-c032b18bbfcb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"Low\",\"query\":\"let starttime = 1d;\\nlet TimeDeltaThresholdInSeconds = 60; // we ignore beacons diffs that fall below this threshold\\nlet TotalBeaconsThreshold = 4; // minimum number of beacons required in a session to surface a row\\nlet JitterTolerance = 0.2; // tolerance to jitter, e.g. - 0.2 = 20% jitter is tolerated either side of the periodicity\\nCommonSecurityLog\\n| where DeviceVendor == \\\"Fortinet\\\"\\n| where TimeGenerated \u003e ago(starttime)\\n// eliminate bad data\\n| where isnotempty(SourceIP) and isnotempty(DestinationIP) and SourceIP != \\\"0.0.0.0\\\"\\n// filter out deny, close, rst and SNMP to reduce data volume\\n| where DeviceAction !in (\\\"close\\\", \\\"client-rst\\\", \\\"server-rst\\\", \\\"deny\\\") and DestinationPort != 161\\n// map input fields\\n| project TimeGenerated , SourceIP, DestinationIP, DestinationPort, ReceivedBytes, SentBytes, DeviceAction\\n// where destination IPs are public\\n| where ipv4_is_private(DestinationIP) == false\\n// sort into source-\u003edestination \u0027sessions\u0027\\n| sort by SourceIP asc, DestinationIP asc, DestinationPort asc, TimeGenerated asc\\n| serialize\\n// time diff the contact times between source and destination to get a list of deltas\\n| extend nextTimeGenerated = next(TimeGenerated, 1), nextSourceIP = next(SourceIP, 1), nextDestIP = next(DestinationIP, 1), nextDestPort = next(DestinationPort, 1)\\n| extend TimeDeltainSeconds = datetime_diff(\\\"second\\\",nextTimeGenerated,TimeGenerated)\\n| where SourceIP == nextSourceIP and DestinationIP == nextDestIP and DestinationPort == nextDestPort\\n// remove small time deltas below the set threshold\\n| where TimeDeltainSeconds \u003e TimeDeltaThresholdInSeconds\\n// summarize the deltas by source-\u003edestination\\n| summarize count(), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), sum(ReceivedBytes), sum(SentBytes), makelist(TimeDeltainSeconds), makeset(DeviceAction) by SourceIP, DestinationIP, DestinationPort\\n// get some statistical properties of the delta distribution and smooth any outliers (e.g. laptop shut overnight, working hours)\\n| extend series_stats(list_TimeDeltainSeconds), outliers=series_outliers(list_TimeDeltainSeconds)\\n// expand the deltas and the outliers\\n| mvexpand list_TimeDeltainSeconds to typeof(double), outliers to typeof(double)\\n// replace outliers with the average of the distribution\\n| extend list_TimeDeltainSeconds_normalized=iff(outliers \u003e 1.5 or outliers \u003c -1.5, series_stats_list_TimeDeltainSeconds_avg , list_TimeDeltainSeconds)\\n// summarize with the smoothed distribution\\n| summarize BeaconCount=count(), makelist(list_TimeDeltainSeconds), list_TimeDeltainSeconds_normalized=makelist(list_TimeDeltainSeconds_normalized), makeset(set_DeviceAction) by StartTime, EndTime, SourceIP, DestinationIP, DestinationPort, sum_ReceivedBytes, sum_SentBytes\\n// get stats on the smoothed distribution\\n| extend series_stats(list_TimeDeltainSeconds_normalized)\\n// match jitter tolerance on smoothed distrib\\n| extend MaxJitter = (series_stats_list_TimeDeltainSeconds_normalized_avg*JitterTolerance)\\n| where series_stats_list_TimeDeltainSeconds_normalized_stdev \u003c MaxJitter\\n// where the minimum beacon threshold is satisfied and there was some data transfer\\n| where BeaconCount \u003e TotalBeaconsThreshold and (sum_SentBytes \u003e 0 or sum_ReceivedBytes \u003e 0)\\n// final projection\\n| project StartTime, EndTime, SourceIP, DestinationIP, DestinationPort, BeaconCount, TimeDeltasInSeconds=list_list_TimeDeltainSeconds, Periodicity=series_stats_list_TimeDeltainSeconds_normalized_avg, ReceivedBytes=sum_ReceivedBytes, SentBytes=sum_SentBytes, Actions=set_set_DeviceAction\\n// where periodicity is order of magnitude larger than time delta threshold (eliminates FPs whose periodicity is close to the values we ignored)\\n| where Periodicity \u003e= (10*TimeDeltaThresholdInSeconds)\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DestinationIP\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Fortinet - Beacon pattern detected\",\"description\":\"Identifies patterns in the time deltas of contacts between internal and external IPs in Fortinet network data that are consistent with beaconing.\\n Accounts for randomness (jitter) and seasonality such as working hours that may have been introduced into the beacon pattern.\\n The lookback is set to 1d, the minimum granularity in time deltas is set to 60 seconds and the minimum number of beacons required to emit a detection is set to 4.\\n Increase the lookback period to capture beacons with larger periodicities.\\n The jitter tolerance is set to 0.2 - This means we account for an overall 20% deviation from the infered beacon periodicity. Seasonality is dealt with automatically using series_outliers.\\n Note: In large environments it may be necessary to reduce the lookback period to get fast query times.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2020-03-31T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3a9d5ede-2b9d-43a2-acc4-d272321ff77c\",\"name\":\"3a9d5ede-2b9d-43a2-acc4-d272321ff77c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.5\",\"severity\":\"Medium\",\"query\":\"let riskScoreCutoff = 20; //Adjust this based on volume of results\\nlet starttime = 14d;\\nlet timeframe = 1d;\\nlet scorethreshold = 3;\\nlet baselinethreshold = 50;\\nlet aadFunc = (tableName:string){\\n // Failed Signins attempts with reasoning related to conditional access policies.\\n table(tableName)\\n | where TimeGenerated between (startofday(ago(starttime))..startofday(now()))\\n | where ResultDescription has_any (\\\"conditional access\\\", \\\"CA\\\") or ResultType in (50005, 50131, 53000, 53001, 53002, 52003, 70044)\\n | extend UserPrincipalName = tolower(UserPrincipalName)\\n | extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nlet allSignins = union isfuzzy=true aadSignin, aadNonInt;\\nlet TimeSeriesAlerts = \\nallSignins\\n| make-series DailyCount=count() on TimeGenerated from startofday(ago(starttime)) to startofday(now()) step 1d by UserPrincipalName\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(DailyCount, scorethreshold, -1, \u0027linefit\u0027)\\n| mv-expand DailyCount to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to typeof(double), baseline to typeof(long)\\n// Filtering low count events per baselinethreshold\\n| where anomalies \u003e 0 and baseline \u003e baselinethreshold\\n| extend AnomalyHour = TimeGenerated\\n| project UserPrincipalName, AnomalyHour, TimeGenerated, DailyCount, baseline, anomalies, score;\\n// Filter the alerts for specified timeframe\\nTimeSeriesAlerts\\n| where TimeGenerated \u003e startofday(ago(timeframe))\\n| join kind=inner ( \\n allSignins\\n | where TimeGenerated \u003e startofday(ago(timeframe))\\n // create a new column and round to hour\\n | extend DateHour = bin(TimeGenerated, 1h)\\n | summarize PartialFailedSignins = count(), LatestAnomalyTime = arg_max(TimeGenerated, *) by bin(TimeGenerated, 1h), OperationName, Category, ResultType, ResultDescription, UserPrincipalName, UserDisplayName, AppDisplayName, ClientAppUsed, IPAddress, ResourceDisplayName\\n) on UserPrincipalName, $left.AnomalyHour == $right.DateHour\\n| project LatestAnomalyTime, OperationName, Category, UserPrincipalName, UserDisplayName, ResultType, ResultDescription, AppDisplayName, ClientAppUsed, UserAgent, IPAddress, Location, AuthenticationRequirement, ConditionalAccessStatus, ResourceDisplayName, PartialFailedSignins, TotalFailedSignins = DailyCount, baseline, anomalies, score\\n| extend timestamp = LatestAnomalyTime, Name = tostring(split(UserPrincipalName,\u0027@\u0027,0)[0]), UPNSuffix = tostring(split(UserPrincipalName,\u0027@\u0027,1)[0])\\n| extend UserPrincipalName = tolower(UserPrincipalName)\\n| join kind=leftouter (\\n IdentityInfo\\n | summarize LatestReportTime = arg_max(TimeGenerated, *) by AccountUPN\\n | project AccountUPN, Tags, JobTitle, GroupMembership, AssignedRoles, UserType, IsAccountEnabled\\n | summarize\\n Tags = make_set(Tags, 1000),\\n GroupMembership = make_set(GroupMembership, 1000),\\n AssignedRoles = make_set(AssignedRoles, 1000),\\n UserType = make_set(UserType, 1000),\\n UserAccountControl = make_set(UserType, 1000)\\n by AccountUPN\\n | extend UserPrincipalName=tolower(AccountUPN)\\n) on UserPrincipalName\\n| join kind=leftouter (\\n BehaviorAnalytics\\n | where ActivityType in (\\\"FailedLogOn\\\", \\\"LogOn\\\")\\n | where isnotempty(SourceIPAddress)\\n | project UsersInsights, DevicesInsights, ActivityInsights, InvestigationPriority, SourceIPAddress\\n | project-rename IPAddress = SourceIPAddress\\n | summarize\\n UsersInsights = make_set(UsersInsights, 1000),\\n DevicesInsights = make_set(DevicesInsights, 1000),\\n IPInvestigationPriority = sum(InvestigationPriority)\\n by IPAddress)\\non IPAddress\\n| extend UEBARiskScore = IPInvestigationPriority\\n| where UEBARiskScore \u003e riskScoreCutoff\\n| sort by UEBARiskScore desc\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"User Accounts - Sign in Failure due to CA Spikes\",\"description\":\" Identifies spike in failed sign-ins from user accounts due to conditional access policied.\\nSpike is determined based on Time series anomaly which will look at historical baseline values.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\\nThis query has also been updated to include UEBA logs IdentityInfo and BehaviorAnalytics for contextual information around the results.\",\"lastUpdatedDateUTC\":\"2024-02-07T00:00:00Z\",\"createdDateUTC\":\"2021-10-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"BehaviorAnalytics\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"IdentityInfo\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cc5780ce-3245-4bba-8bc1-e9048c2257ce\",\"name\":\"cc5780ce-3245-4bba-8bc1-e9048c2257ce\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n | where Category =~ \\\"ApplicationManagement\\\"\\n | where OperationName =~ \\\"Add owner to application\\\"\\n | extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n | extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n | extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n | extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n | extend InitiatingIPAddress = tostring(InitiatedBy.user.ipAddress)\\n | extend TargetUserPrincipalName = TargetResources[0].userPrincipalName\\n | extend TargetAadUserId = tostring(TargetResources[0].id)\\n | extend mod_props = TargetResources[0].modifiedProperties\\n | mv-expand mod_props\\n | where mod_props.displayName =~ \\\"Application.DisplayName\\\"\\n | extend TargetAppName = tostring(parse_json(tostring(mod_props.newValue)))\\n | extend AddedUser = TargetUserPrincipalName\\n | extend UpdatedBy = iif(isnotempty(InitiatingAppName), InitiatingAppName, InitiatingUserPrincipalName)\\n | extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[1])\\n | extend TargetAccountName = tostring(split(TargetUserPrincipalName, \\\"@\\\")[0]), TargetAccountUPNSuffix = tostring(split(TargetUserPrincipalName, \\\"@\\\")[1])\\n | project-reorder TimeGenerated, InitiatingAppName, InitiatingAppServicePrincipalId, InitiatingAadUserId, InitiatingUserPrincipalName, InitiatingIPAddress, TargetAppName, AddedUser, UpdatedBy\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatingAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatingAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"TargetAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"TargetAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"TargetAadUserId\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Changes to Application Ownership\",\"description\":\"Detects changes to the ownership of an appplicaiton.\\n Monitor these changes to make sure that they were authorized.\\n Ref: https://learn.microsoft.com/en-gb/entra/architecture/security-operations-applications#new-owner\",\"lastUpdatedDateUTC\":\"2024-01-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ee1d718b-9ed9-4a71-90cd-a483a4f008df\",\"name\":\"ee1d718b-9ed9-4a71-90cd-a483a4f008df\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Office 365 Advanced Threat Protection\",\"displayName\":\"Create incidents based on Microsoft Defender for Office 365 alerts\",\"description\":\"Create incidents based on all alerts generated in Microsoft Defender for Office 365\",\"lastUpdatedDateUTC\":\"2020-09-01T00:00:00Z\",\"createdDateUTC\":\"2020-04-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"OfficeATP\",\"dataTypes\":[\"SecurityAlert (OATP)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/795edf2d-cf3e-45b5-8452-fe6c9e6a582e\",\"name\":\"795edf2d-cf3e-45b5-8452-fe6c9e6a582e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"CommonSecurityLog\\n| where isempty(CommunicationDirection)\\n| where DeviceEventClassID in (\\\"733101\\\",\\\"733102\\\",\\\"733103\\\",\\\"733104\\\",\\\"733105\\\")\\n| extend HostName = tostring(split(DeviceName, \\\".\\\")[0]), DomainIndex = toint(indexof(DeviceName, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(DeviceName, DomainIndex + 1), DeviceName)\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DeviceName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]}],\"tactics\":[\"Discovery\",\"Impact\"],\"displayName\":\"Cisco ASA - threat detection message fired\",\"description\":\"Identifies when the Cisco ASA Threat Detection engine fired an alert based on malicious activity occurring on the network inicated by DeviceEventClassID 733101-733105\\nResources: https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs9.html\\nDetails on how to further troubleshoot/investigate: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113685-asa-threat-detection.html\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/dd78a122-d377-415a-afe9-f22e08d2112c\",\"name\":\"dd78a122-d377-415a-afe9-f22e08d2112c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"Medium\",\"query\":\"// Add other permissions to this list as needed\\nlet permissions = dynamic([\\\".All\\\", \\\"ReadWrite\\\", \\\"Mail.\\\", \\\"offline_access\\\", \\\"Files.Read\\\", \\\"Notes.Read\\\", \\\"ChannelMessage.Read\\\", \\\"Chat.Read\\\", \\\"TeamsActivity.Read\\\",\\n\\\"Group.Read\\\", \\\"EWS.AccessAsUser.All\\\", \\\"EAS.AccessAsUser.All\\\"]);\\nlet auditList = \\nAuditLogs\\n| where OperationName =~ \\\"Add app role assignment to service principal\\\"\\n| mv-expand TargetResources[0].modifiedProperties\\n| extend TargetResources_0_modifiedProperties = column_ifexists(\\\"TargetResources_0_modifiedProperties\\\", \u0027\u0027)\\n| where isnotempty(TargetResources_0_modifiedProperties)\\n;\\nlet detailsList = auditList\\n| where TargetResources_0_modifiedProperties.displayName =~ \\\"AppRole.Value\\\" or TargetResources_0_modifiedProperties.displayName =~ \\\"DelegatedPermissionGrant.Scope\\\"\\n| extend Permissions = split((parse_json(tostring(TargetResources_0_modifiedProperties.newValue))), \\\" \\\")\\n| where Permissions has_any (permissions)\\n| summarize AddedPermissions=make_set(Permissions,200) by CorrelationId\\n| join kind=inner auditList on CorrelationId\\n| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n| extend InitiatingIPAddress = tostring(InitiatedBy.user.ipAddress)\\n| extend InitiatedBy = tostring(iff(isnotempty(InitiatingUserPrincipalName),InitiatingUserPrincipalName, InitiatingAppName))\\n| extend displayName = tostring(TargetResources_0_modifiedProperties.displayName), newValue = tostring(parse_json(tostring(TargetResources_0_modifiedProperties.newValue)))\\n| where displayName == \\\"ServicePrincipal.ObjectID\\\" or displayName == \\\"ServicePrincipal.DisplayName\\\"\\n| extend displayName = case(displayName == \\\"ServicePrincipal.ObjectID\\\", \\\"ServicePrincipalObjectID\\\", displayName == \\\"ServicePrincipal.DisplayName\\\", \\\"ServicePrincipalDisplayName\\\", displayName)\\n| project TimeGenerated, CorrelationId, Id, AddedPermissions = tostring(AddedPermissions), InitiatingAadUserId, InitiatingAppName, InitiatingAppServicePrincipalId, InitiatingIPAddress, InitiatingUserPrincipalName, InitiatedBy, displayName, newValue\\n;\\ndetailsList | project Id, displayName, newValue\\n| evaluate pivot(displayName, make_set(newValue))\\n| join kind=inner detailsList on Id\\n| extend ServicePrincipalObjectID = todynamic(column_ifexists(\\\"ServicePrincipalObjectID\\\", \\\"\\\")), ServicePrincipalDisplayName = todynamic(column_ifexists(\\\"ServicePrincipalDisplayName\\\", \\\"\\\"))\\n| mv-expand ServicePrincipalObjectID, ServicePrincipalDisplayName\\n| project-away Id1, displayName, newValue\\n| extend ServicePrincipalObjectID = tostring(ServicePrincipalObjectID), ServicePrincipalDisplayName = tostring(ServicePrincipalDisplayName)\\n| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), EventIds = make_set(Id,200) by CorrelationId, AddedPermissions, InitiatingAadUserId, InitiatingAppName, InitiatingAppServicePrincipalId, InitiatingIPAddress, InitiatingUserPrincipalName, InitiatedBy, ServicePrincipalDisplayName, ServicePrincipalObjectID\\n| extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatingAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatingAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAppServicePrincipalId\"},{\"identifier\":\"ObjectGuid\",\"columnName\":\"ServicePrincipalObjectID\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIPAddress\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Service Principal Assigned App Role With Sensitive Access\",\"description\":\"Detects a Service Principal being assigned an app role that has sensitive access such as Mail.Read.\\n A threat actor who compromises a Service Principal may assign it an app role to allow it to access sensitive data, or to perform other actions.\\n Ensure that any assignment to a Service Principal is valid and appropriate.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-applications#application-granted-highly-privileged-permissions\",\"lastUpdatedDateUTC\":\"2023-12-30T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/defe4855-0d33-4362-9557-009237623976\",\"name\":\"defe4855-0d33-4362-9557-009237623976\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"Medium\",\"query\":\"let query_frequency = 1h;\\nlet query_period = 1d;\\nAuditLogs\\n| where TimeGenerated \u003e ago(query_frequency)\\n| where Category =~ \\\"UserManagement\\\" and OperationName =~ \\\"Delete user\\\"\\n| mv-expand TargetResource = TargetResources\\n| where TargetResource[\\\"type\\\"] == \\\"User\\\" and TargetResource[\\\"userPrincipalName\\\"] has \\\"#EXT#\\\"\\n| extend ParsedDeletedUserPrincipalName = extract(@\\\"^[0-9a-f]{32}([^\\\\#]+)\\\\#EXT\\\\#\\\", 1, tostring(TargetResource[\\\"userPrincipalName\\\"]))\\n| extend\\n Initiator = iif(isnotempty(InitiatedBy[\\\"app\\\"]), tostring(InitiatedBy[\\\"app\\\"][\\\"displayName\\\"]), tostring(InitiatedBy[\\\"user\\\"][\\\"userPrincipalName\\\"])),\\n InitiatorId = iif(isnotempty(InitiatedBy[\\\"app\\\"]), tostring(InitiatedBy[\\\"app\\\"][\\\"servicePrincipalId\\\"]), tostring(InitiatedBy[\\\"user\\\"][\\\"id\\\"])),\\n Delete_IPAddress = tostring(InitiatedBy[tostring(bag_keys(InitiatedBy)[0])][\\\"ipAddress\\\"])\\n| project Delete_TimeGenerated = TimeGenerated, Category, Identity, Initiator, Delete_IPAddress, OperationName, Result, ParsedDeletedUserPrincipalName, InitiatedBy, AdditionalDetails, TargetResources, InitiatorId, CorrelationId\\n| join kind=inner (\\n SigninLogs\\n | where TimeGenerated \u003e ago(query_period)\\n | where ResultType == 0\\n | summarize take_any(*) by UserPrincipalName\\n | extend ParsedUserPrincipalName = translate(\\\"@\\\", \\\"_\\\", UserPrincipalName)\\n | project SigninLogs_TimeGenerated = TimeGenerated, UserPrincipalName, UserDisplayName, ResultType, ResultDescription, IPAddress, LocationDetails, AppDisplayName, ResourceDisplayName, ClientAppUsed, UserAgent, DeviceDetail, UserId, UserType, OriginalRequestId, ParsedUserPrincipalName\\n ) on $left.ParsedDeletedUserPrincipalName == $right.ParsedUserPrincipalName\\n| where SigninLogs_TimeGenerated \u003e Delete_TimeGenerated\\n| project-away ParsedDeletedUserPrincipalName, ParsedUserPrincipalName\\n| extend\\n AccountName = tostring(split(UserPrincipalName, \\\"@\\\")[0]),\\n AccountUPNSuffix = tostring(split(UserPrincipalName, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Suspicious Login from deleted guest account\",\"description\":\" This query will detect logins from guest account which was recently deleted. \\nFor any successful logins from deleted identities should be investigated further if any existing user accounts have been altered or linked to such identity prior deletion\",\"lastUpdatedDateUTC\":\"2024-01-03T00:00:00Z\",\"createdDateUTC\":\"2022-08-09T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/017e095a-94d8-430c-a047-e51a11fb737b\",\"name\":\"017e095a-94d8-430c-a047-e51a11fb737b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"High\",\"query\":\"let domains =\\n SigninLogs\\n | where ResultType == 0\\n | extend domain = split(UserPrincipalName, \\\"@\\\")[1]\\n | extend domain = tostring(split(UserPrincipalName, \\\"@\\\")[1])\\n | summarize by tolower(tostring(domain));\\n AuditLogs\\n | where Category =~ \\\"ApplicationManagement\\\"\\n | where Result =~ \\\"success\\\"\\n | where OperationName =~ \u0027Update Application\u0027\\n | mv-expand TargetResources\\n | mv-expand TargetResources.modifiedProperties\\n | where TargetResources_modifiedProperties.displayName =~ \\\"AppAddress\\\"\\n | extend Key = tostring(TargetResources_modifiedProperties.displayName)\\n | extend NewValue = TargetResources_modifiedProperties.newValue\\n | extend OldValue = TargetResources_modifiedProperties.oldValue\\n | where isnotempty(Key) and isnotempty(NewValue)\\n | project-reorder Key, NewValue, OldValue\\n | extend NewUrls = extract_all(\u0027\\\"Address\\\":([^,]*)\u0027, tostring(NewValue))\\n | extend OldUrls = extract_all(\u0027\\\"Address\\\":([^,]*)\u0027, tostring(OldValue))\\n | extend AddedUrls = set_difference(NewUrls, OldUrls)\\n | where array_length(AddedUrls) \u003e 0\\n | extend UserAgent = iif(tostring(AdditionalDetails[0].key) == \\\"User-Agent\\\", tostring(AdditionalDetails[0].value), \\\"\\\")\\n | extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n | extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n | extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n | extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n | extend InitiatingIPAddress = tostring(InitiatedBy.user.ipAddress)\\n | extend InitiatedBy = tostring(iff(isnotempty(InitiatingUserPrincipalName),InitiatingUserPrincipalName, InitiatingAppName))\\n | extend AppDisplayName = tostring(TargetResources.displayName)\\n | where isnotempty(AddedUrls)\\n | mv-expand AddedUrls\\n | extend AddedUrls = trim(@\u0027\\\"\u0027, tostring(AddedUrls))\\n | extend Domain = extract(\\\"^(?:https?:\\\\\\\\/\\\\\\\\/)?(?:[^@\\\\\\\\/\\\\\\\\n]+@)?(?:www\\\\\\\\.)?([^:\\\\\\\\/?\\\\\\\\n]+)/\\\", 1, replace_string(tolower(AddedUrls), \u0027\\\"\u0027, \\\"\\\"))\\n | where isnotempty(Domain)\\n | extend Domain = strcat(split(Domain, \\\".\\\")[-2], \\\".\\\", split(Domain, \\\".\\\")[-1])\\n | where Domain !in (domains)\\n | project-reorder TimeGenerated, AppDisplayName, AddedUrls, InitiatedBy, UserAgent, InitiatingIPAddress\\n | extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"AddedUrls\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"InitiatingAppName\"},{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAppServicePrincipalId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatingAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatingAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIPAddress\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"URL Added to Application from Unknown Domain\",\"description\":\"Detects a URL being added to an application where the domain is not one that is associated with the tenant.\\n The query uses domains seen in sign in logs to determine if the domain is associated with the tenant.\\n Applications associated with URLs not controlled by the organization can pose a security risk.\\n Ref: https://learn.microsoft.com/en-gb/entra/architecture/security-operations-applications#application-configuration-changes\",\"lastUpdatedDateUTC\":\"2024-01-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/16da3a2a-af29-48a0-8606-d467c180fe18\",\"name\":\"16da3a2a-af29-48a0-8606-d467c180fe18\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"let Threshold = 1;\\nAzureDiagnostics\\n| where Category =~ \\\"FrontDoorWebApplicationFirewallLog\\\"\\n| where action_s =~ \\\"AnomalyScoring\\\"\\n| where details_msg_s has \\\"SQL Injection\\\"\\n| parse details_data_s with MessageText \\\"Matched Data:\\\" MatchedData \\\"AND \\\" * \\\"table_name FROM \\\" TableName \\\" \\\" *\\n| project trackingReference_s, host_s, requestUri_s, TimeGenerated, clientIP_s, details_matches_s, details_msg_s, details_data_s, TableName, MatchedData\\n| join kind = inner(\\nAzureDiagnostics\\n| where Category =~ \\\"FrontDoorWebApplicationFirewallLog\\\"\\n| where action_s =~ \\\"Block\\\") on trackingReference_s\\n| summarize URI_s = make_set(requestUri_s,100), Table = make_set(TableName,100), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), TrackingReference = make_set(trackingReference_s,100), Matched_Data = make_set(MatchedData,100), Detail_Data = make_set(details_data_s,100), Detail_Message = make_set(details_msg_s,100), Total_TrackingReference = dcount(trackingReference_s) by clientIP_s, host_s, action_s\\n| where Total_TrackingReference \u003e= Threshold\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URI_s\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"clientIP_s\"}]}],\"tactics\":[\"DefenseEvasion\",\"Execution\",\"InitialAccess\",\"PrivilegeEscalation\"],\"displayName\":\"Front Door Premium WAF - SQLi Detection\",\"description\":\"Identifies a match for a SQL Injection attack in the Front Door Premium WAF logs. The threshold value in the query can be changed as per your infrastructure\u0027s requirements.\\nReferences: https://owasp.org/Top10/A03_2021-Injection/\",\"lastUpdatedDateUTC\":\"2023-12-20T00:00:00Z\",\"createdDateUTC\":\"2022-10-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"WAF\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7ee72a9e-2e54-459c-bc8a-8c08a6532a63\",\"name\":\"7ee72a9e-2e54-459c-bc8a-8c08a6532a63\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"High\",\"query\":\"let IPList = dynamic([\\\"154.223.45.38\\\",\\\"185.141.207.140\\\",\\\"185.234.73.19\\\",\\\"216.245.210.106\\\",\\\"51.91.48.210\\\",\\\"46.255.230.229\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where isnotempty(SourceIP) or isnotempty(DestinationIP)\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"Message\\\") \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch\\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\") \\n),\\n(OfficeActivity\\n|extend SourceIPAddress = ClientIP, Account = UserId\\n| where SourceIPAddress in (IPList)\\n| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account\\n),\\n(_Im_Dns (response_has_any_prefix=IPList)\\n| extend DestinationIPAddress = DnsResponseName, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host, AccountCustomEntity=User\\n),\\n(_Im_WebSession (srcipaddr_has_any_prefix=IPList)\\n| extend DestinationIPAddress = DstIpAddr, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host\\n),\\n(_Im_NetworkSession (srcipaddr_has_any_prefix=IPList)\\n| extend DestinationIPAddress = DstIpAddr, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host\\n),\\n(_Im_NetworkSession (dstipaddr_has_any_prefix=IPList)\\n| extend DestinationIPAddress = DstIpAddr, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host\\n),\\n(SigninLogs\\n| where isnotempty(IPAddress)\\n| where IPAddress in (IPList)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n),\\n(AADNonInteractiveUserSignInLogs\\n| where isnotempty(IPAddress)\\n| where IPAddress in (IPList)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n),\\n(W3CIISLog \\n| where isnotempty(cIP)\\n| where cIP in (IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName\\n),\\n(AzureActivity \\n| where isnotempty(CallerIpAddress)\\n| where CallerIpAddress in (IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller\\n),\\n(\\nAWSCloudTrail\\n| where isnotempty(SourceIpAddress)\\n| where SourceIpAddress in (IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName\\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n),\\n(\\nAZFWApplicationRule\\n| where isnotempty(Fqdn)\\n| where Fqdn has_any (IPList) \\n| extend DestinationIP = Fqdn \\n| extend IPCustomEntity = SourceIp\\n),\\n(AZFWNetworkRule\\n| where isnotempty(DestinationIp)\\n| where DestinationIp has_any (IPList) \\n| extend DestinationIP = DestinationIp \\n| extend IPCustomEntity = SourceIp\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = EventDetail.[9].[\\\"#text\\\"], DestinationIP = EventDetail.[14].[\\\"#text\\\"]\\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"[Deprecated] - Known Seashell Blizzard IP\",\"description\":\"This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft\u0027s Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2019-12-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\",\"AZFWApplicationRule\",\"AZFWNetworkRule\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a22740ec-fc1e-4c91-8de6-c29c6450ad00\",\"name\":\"a22740ec-fc1e-4c91-8de6-c29c6450ad00\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.7\",\"severity\":\"Medium\",\"query\":\"let aadFunc = (tableName: string) {\\n table(tableName)\\n | where ResultType == 500121\\n | where Status has \\\"MFA Denied; user declined the authentication\\\" or Status has \\\"MFA denied; Phone App Reported Fraud\\\"\\n | extend Type = Type, PublicIP = IPAddress\\n | extend\\n Name = tostring(split(UserPrincipalName, \u0027@\u0027, 0)[0]),\\n UPNSuffix = tostring(split(UserPrincipalName, \u0027@\u0027, 1)[0])\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet dvcInfo = DeviceInfo\\n | extend SensorHealthState = column_ifexists(\\\"SensorHealthState\\\", \\\"\\\")\\n | where OnboardingStatus == \\\"Onboarded\\\" and SensorHealthState == \\\"Active\\\"\\n | project PublicIP, AadDeviceId;\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\\n| join kind=leftouter dvcInfo on PublicIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"PublicIP\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceId\"}]},{\"entityType\":\"CloudApplication\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"AppDisplayName\"},{\"identifier\":\"AppId\",\"columnName\":\"AppId\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"[Deprecated] Explicit MFA Deny\",\"description\":\"User explicitly denies MFA push, indicating that login was not expected and the account\u0027s password may be compromised.\\nThis rule is deprecated as of July-2024. Alternative rule with similar logic and contex from more data source \\nis available at https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Entra%20ID/Analytic%20Rules/MFARejectedbyUser.yaml\",\"lastUpdatedDateUTC\":\"2024-07-25T00:00:00Z\",\"createdDateUTC\":\"2020-10-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceInfo\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2391ce61-8c8d-41ac-9723-d945b2e90720\",\"name\":\"2391ce61-8c8d-41ac-9723-d945b2e90720\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P8D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.3\",\"severity\":\"Low\",\"query\":\"let starttime = 8d;\\nlet endtime = 1d;\\nlet threshold = 0.333;\\nlet countlimit = 50;\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4625 and AccountType =~ \\\"User\\\"\\n| where IpAddress !in (\\\"127.0.0.1\\\", \\\"::1\\\")\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), CountToday = count() by EventID, Account, LogonTypeName, SubStatus, AccountType, Computer, WorkstationName, IpAddress, Process\\n| join kind=leftouter (\\n SecurityEvent\\n | where TimeGenerated between (ago(starttime) .. ago(endtime))\\n | where EventID == 4625 and AccountType =~ \\\"User\\\"\\n | where IpAddress !in (\\\"127.0.0.1\\\", \\\"::1\\\")\\n | summarize CountPrev7day = count() by EventID, Account, LogonTypeName, SubStatus, AccountType, Computer, WorkstationName, IpAddress\\n) on EventID, Account, LogonTypeName, SubStatus, AccountType, Computer, WorkstationName, IpAddress\\n| where CountToday \u003e= coalesce(CountPrev7day,0)*threshold and CountToday \u003e= countlimit\\n//SubStatus Codes are detailed here - https://docs.microsoft.com/windows/security/threat-protection/auditing/event-4625\\n| extend Reason = case(\\nSubStatus =~ \u00270xC000005E\u0027, \u0027There are currently no logon servers available to service the logon request.\u0027,\\nSubStatus =~ \u00270xC0000064\u0027, \u0027User logon with misspelled or bad user account\u0027,\\nSubStatus =~ \u00270xC000006A\u0027, \u0027User logon with misspelled or bad password\u0027,\\nSubStatus =~ \u00270xC000006D\u0027, \u0027Bad user name or password\u0027,\\nSubStatus =~ \u00270xC000006E\u0027, \u0027Unknown user name or bad password\u0027,\\nSubStatus =~ \u00270xC000006F\u0027, \u0027User logon outside authorized hours\u0027,\\nSubStatus =~ \u00270xC0000070\u0027, \u0027User logon from unauthorized workstation\u0027,\\nSubStatus =~ \u00270xC0000071\u0027, \u0027User logon with expired password\u0027,\\nSubStatus =~ \u00270xC0000072\u0027, \u0027User logon to account disabled by administrator\u0027,\\nSubStatus =~ \u00270xC00000DC\u0027, \u0027Indicates the Sam Server was in the wrong state to perform the desired operation\u0027,\\nSubStatus =~ \u00270xC0000133\u0027, \u0027Clocks between DC and other computer too far out of sync\u0027,\\nSubStatus =~ \u00270xC000015B\u0027, \u0027The user has not been granted the requested logon type (aka logon right) at this machine\u0027,\\nSubStatus =~ \u00270xC000018C\u0027, \u0027The logon request failed because the trust relationship between the primary domain and the trusted domain failed\u0027,\\nSubStatus =~ \u00270xC0000192\u0027, \u0027An attempt was made to logon, but the Netlogon service was not started\u0027,\\nSubStatus =~ \u00270xC0000193\u0027, \u0027User logon with expired account\u0027,\\nSubStatus =~ \u00270xC0000224\u0027, \u0027User is required to change password at next logon\u0027,\\nSubStatus =~ \u00270xC0000225\u0027, \u0027Evidently a bug in Windows and not a risk\u0027,\\nSubStatus =~ \u00270xC0000234\u0027, \u0027User logon with account locked\u0027,\\nSubStatus =~ \u00270xC00002EE\u0027, \u0027Failure Reason: An Error occurred during Logon\u0027,\\nSubStatus =~ \u00270xC0000413\u0027, \u0027Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine\u0027,\\nstrcat(\u0027Unknown reason substatus: \u0027, SubStatus))\\n| extend WorkstationName = iff(WorkstationName == \\\"-\\\" or isempty(WorkstationName), Computer , WorkstationName)\\n| project StartTime, EndTime, EventID, Account, LogonTypeName, SubStatus, Reason, AccountType, Computer, WorkstationName, IpAddress, CountToday, CountPrev7day, Avg7Day = round(CountPrev7day*1.00/7,2), Process\\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), Computer = make_set(Computer,128), IpAddressList = make_set(IpAddress,128), sum(CountToday), sum(CountPrev7day), avg(Avg7Day)\\nby EventID, Account, LogonTypeName, SubStatus, Reason, AccountType, WorkstationName, Process\\n| order by sum_CountToday desc nulls last\\n| extend timestamp = StartTime, NTDomain = tostring(split(Account, \u0027\\\\\\\\\u0027, 0)[0]), Name = tostring(split(Account, \u0027\\\\\\\\\u0027, 1)[0]), HostName = tostring(split(WorkstationName, \u0027.\u0027, 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(WorkstationName, \u0027.\u0027), 1, -1), \u0027.\u0027))\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"NTDomain\",\"columnName\":\"NTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"WorkstationName\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"Process\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Excessive Windows Logon Failures\",\"description\":\"This query identifies user accounts which has over 50 Windows logon failures today and at least 33% of the count of logon failures over the previous 7 days.\",\"lastUpdatedDateUTC\":\"2024-03-13T00:00:00Z\",\"createdDateUTC\":\"2019-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a3c144f9-8051-47d4-ac29-ffb0c312c910\",\"name\":\"a3c144f9-8051-47d4-ac29-ffb0c312c910\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.7\",\"severity\":\"High\",\"query\":\"let SunburstMD5=dynamic([\\\"b91ce2fa41029f6955bff20079468448\\\",\\\"02af7cec58b9a5da1c542b5a32151ba1\\\",\\\"2c4a910a1299cdae2a4e55988a2f102e\\\",\\\"846e27a652a5e1bfbd0ddd38a16dc865\\\",\\\"4f2eb62fa529c0283b28d05ddd311fae\\\"]);\\nlet SupernovaMD5=\\\"56ceb6d0011d87b6e4d7023d7ef85676\\\";\\nDeviceFileEvents\\n| where MD5 in(SunburstMD5) or MD5 in(SupernovaMD5)\\n| extend HashAlgorithm = \\\"MD5\\\"\\n| extend HostName = tostring(split(DeviceName, \\\".\\\")[0]), DomainIndex = toint(indexof(DeviceName, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(DeviceName, DomainIndex + 1), DeviceName)\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DeviceName\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingProcessAccountUpn\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatingProcessAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatingProcessAccountDomain\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"HashAlgorithm\"},{\"identifier\":\"Value\",\"columnName\":\"MD5\"}]}],\"tactics\":[\"Execution\",\"Persistence\",\"InitialAccess\"],\"displayName\":\"SUNBURST and SUPERNOVA backdoor hashes\",\"description\":\"Identifies SolarWinds SUNBURST and SUPERNOVA backdoor file hash IOCs in DeviceFileEvents\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\",\"lastUpdatedDateUTC\":\"2024-04-04T00:00:00Z\",\"createdDateUTC\":\"2022-04-12T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3af9285d-bb98-4a35-ad29-5ea39ba0c628\",\"name\":\"3af9285d-bb98-4a35-ad29-5ea39ba0c628\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.7\",\"severity\":\"Low\",\"query\":\"let threshold = 1; // Modify this threshold value to reduce false positives based on your environment\\nlet aadFunc = (tableName:string){\\ntable(tableName)\\n| where ConditionalAccessStatus == 1 or ConditionalAccessStatus =~ \\\"failure\\\"\\n| mv-apply CAP = parse_json(ConditionalAccessPolicies) on (\\n project ConditionalAccessPoliciesName = CAP.displayName, result = CAP.result\\n | where result =~ \\\"failure\\\"\\n)\\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(Status), LocationDetails = todynamic(LocationDetails)\\n| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\\n| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion)\\n| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\n| extend Status = strcat(StatusCode, \\\": \\\", ResultDescription)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), Status = make_list(Status,10), StatusDetails = make_list(StatusDetails,50), IPAddresses = make_list(IPAddress,100), IPAddressCount = dcount(IPAddress), CorrelationIds = make_list(CorrelationId,100), ConditionalAccessPoliciesName = make_list(ConditionalAccessPoliciesName,100)\\nby UserPrincipalName, UserId, AppDisplayName, tostring(Browser), tostring(OS), City, State, Region, Type\\n| where IPAddressCount \u003e threshold and StatusDetails !has \\\"MFA successfully completed\\\"\\n| mv-expand IPAddresses, Status, StatusDetails, CorrelationIds\\n| extend Status = strcat(Status, \\\" \\\", StatusDetails)\\n| summarize IPAddresses = make_set(IPAddresses,100), Status = make_set(Status,10), CorrelationIds = make_set(CorrelationIds,100), ConditionalAccessPoliciesName = make_set(ConditionalAccessPoliciesName,100)\\nby StartTime, EndTime, UserPrincipalName, UserId, AppDisplayName, tostring(Browser), tostring(OS), City, State, Region, IPAddressCount, Type\\n| extend IPAddressFirst = tostring(IPAddresses[0]), Name = tostring(split(UserPrincipalName, \\\"@\\\")[0]), UPNSuffix = tostring(split(UserPrincipalName, \\\"@\\\")[1])\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"UserId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddressFirst\"}]}],\"tactics\":[\"InitialAccess\",\"Persistence\"],\"displayName\":\"Attempt to bypass conditional access rule in Microsoft Entra ID\",\"description\":\"Identifies an attempt to Bypass conditional access rule(s) in Microsoft Entra ID.\\nThe ConditionalAccessStatus column value details if there was an attempt to bypass Conditional Access or if the Conditional access rule was not satisfied (ConditionalAccessStatus == 1).\\nReferences:\\nhttps://docs.microsoft.com/azure/active-directory/conditional-access/overview\\nhttps://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins\\nhttps://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\nConditionalAccessStatus == 0 // Success\\nConditionalAccessStatus == 1 // Failure\\nConditionalAccessStatus == 2 // Not Applied\\nConditionalAccessStatus == 3 // unknown\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/71d374e0-1cf8-4e50-aecd-ab6c519795c2\",\"name\":\"71d374e0-1cf8-4e50-aecd-ab6c519795c2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Low\",\"query\":\"AzureDevOpsAuditing\\n| where OperationName =~ \\\"Pipelines.PipelineRetentionSettingChanged\\\"\\n| where Data.SettingName in (\\\"PurgeArtifacts\\\", \\\"PurgeRuns\\\")\\n| where Data.NewValue == 1 or Data.NewValue \u003c Data.OldValue/2\\n| project-reorder TimeGenerated, OperationName, ActorUPN, IpAddress, UserAgent, Data\\n| extend timestamp = TimeGenerated\\n| extend AccountName = tostring(split(ActorUPN, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(ActorUPN, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ActorUPN\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure DevOps Retention Reduced\",\"description\":\"AzureDevOps retains items such as run records and produced artifacts for a configurable amount of time. An attacker looking to reduce the footprint left by their malicious activity may look to reduce the retention time for artifacts and runs.\\nThis query will look for where retention has been reduced to the minimum level - 1, or reduced by more than half.\",\"lastUpdatedDateUTC\":\"2024-03-13T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4acd3a04-2fad-4efc-8a4b-51476594cec4\",\"name\":\"4acd3a04-2fad-4efc-8a4b-51476594cec4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.6\",\"severity\":\"Medium\",\"query\":\"let triThreshold = 500;\\nlet startTime = 6h;\\nlet dgaLengthThreshold = 8;\\n// fetch the alexa top 1M domains\\nlet top1M = (externaldata (Position:int, Domain:string) [@\\\"http://s3-us-west-1.amazonaws.com/umbrella-static/top-1m.csv.zip\\\"] with (format=\\\"csv\\\", zipPattern=\\\"*.csv\\\"));\\n// extract tri grams that are above our threshold - i.e. are common\\nlet triBaseline = top1M\\n| extend Domain = tolower(extract(\\\"([^.]*).{0,7}$\\\", 1, Domain))\\n| extend AllTriGrams = array_concat(extract_all(\\\"(...)\\\", Domain), extract_all(\\\"(...)\\\", substring(Domain, 1)), extract_all(\\\"(...)\\\", substring(Domain, 2)))\\n| mvexpand Trigram=AllTriGrams\\n| summarize triCount=count() by tostring(Trigram)\\n| sort by triCount desc\\n| where triCount \u003e triThreshold\\n| distinct Trigram;\\n// collect domain information from common security log, filter and extract the DGA candidate and its trigrams\\nlet allDataSummarized = CommonSecurityLog\\n| where TimeGenerated \u003e ago(startTime)\\n| where isnotempty(DestinationHostName)\\n| extend Name = tolower(DestinationHostName)\\n| distinct Name\\n| where Name has \\\".\\\"\\n| where Name !endswith \\\".home\\\" and Name !endswith \\\".lan\\\"\\n// extract DGA candidate\\n| extend DGADomain = extract(\\\"([^.]*).{0,7}$\\\", 1, Name)\\n| where strlen(DGADomain) \u003e dgaLengthThreshold\\n// throw out domains with number in them\\n| where DGADomain matches regex \\\"^[A-Za-z]{0,}$\\\"\\n// extract the tri grams from summarized data\\n| extend AllTriGrams = array_concat(extract_all(\\\"(...)\\\", DGADomain), extract_all(\\\"(...)\\\", substring(DGADomain, 1)), extract_all(\\\"(...)\\\", substring(DGADomain, 2)));\\n// throw out domains that have repeating tri\u0027s and/or \u003e=3 repeating letters\\nlet nonRepeatingTris = allDataSummarized\\n| join kind=leftanti\\n(\\n allDataSummarized\\n | mvexpand AllTriGrams\\n | summarize count() by tostring(AllTriGrams), DGADomain\\n | where count_ \u003e 1\\n | distinct DGADomain\\n)\\non DGADomain;\\n// find domains that do not have a common tri in the baseline\\nlet dataWithRareTris = nonRepeatingTris\\n| join kind=leftanti\\n(\\n nonRepeatingTris\\n | mvexpand AllTriGrams\\n | extend Trigram = tostring(AllTriGrams)\\n | distinct Trigram, DGADomain\\n | join kind=inner\\n (\\n triBaseline\\n )\\n on Trigram\\n | distinct DGADomain\\n)\\non DGADomain;\\ndataWithRareTris\\n// join DGAs back on connection data\\n| join kind=inner\\n(\\n CommonSecurityLog\\n | where TimeGenerated \u003e ago(startTime)\\n | where isnotempty(DestinationHostName)\\n | extend DestinationHostName = tolower(DestinationHostName)\\n | project-rename Name=DestinationHostName, DataSource=DeviceVendor\\n | summarize StartTime=min(TimeGenerated), EndTime=max(TimeGenerated) by Name, SourceIP, DestinationIP, DataSource\\n)\\non Name\\n| project StartTime, EndTime, Name, DGADomain, SourceIP, DestinationIP, DataSource\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"Name\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Possible contact with a domain generated by a DGA\",\"description\":\"Identifies contacts with domains names in CommonSecurityLog that might have been generated by a Domain Generation Algorithm (DGA). DGAs can be used by malware to generate rendezvous points that are difficult to predict in advance.\\nThis detection uses the Alexa Top 1 million domain names to build a model of what normal domains look like. It uses this to identify domains that may have been randomly generated by an algorithm.\\nThe triThreshold is set to 500 - increase this to report on domains that are less likely to have been randomly generated, decrease it for more likely.\\nThe start time and end time look back over 6 hours of data and the dgaLengthThreshold is set to 8 - meaning domains whose length is 8 or more are reported.\\nNOTE - The top1M csv zip file used in the query is dynamic and may produce different results over various time periods. It\u0027s important to cross-check the events against the entities involved in the incident.\",\"lastUpdatedDateUTC\":\"2024-10-17T00:00:00Z\",\"createdDateUTC\":\"2020-03-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Barracuda\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d7424fd9-abb3-4ded-a723-eebe023aaa0b\",\"name\":\"d7424fd9-abb3-4ded-a723-eebe023aaa0b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"// Administrative roles to look for, default is all admin roles\\nlet roles = dynamic([\\\"Administrator\\\", \\\"Admin\\\"]);\\n// The maximum distances between and invite and acceptance\\nlet maxTimeBetweenInviteAccept = 30min;\\n// The delta (minutes) between the invite being sent and the account being escalated\\nlet deltaBetweenInviteEscalation = 60;\\n// Collect external user invitations\\nlet invite = AuditLogs\\n| where Category =~ \\\"UserManagement\\\"\\n| where OperationName =~ \\\"Invite external user\\\"\\n| extend Target = tostring(TargetResources[0].[\\\"userPrincipalName\\\"])\\n| extend InviteInitiator = tostring(InitiatedBy.[\\\"user\\\"].[\\\"userPrincipalName\\\"])\\n| where isnotempty(InviteInitiator);\\n// Collect redeem events\\nlet redeem = AuditLogs\\n| where Category =~ \\\"UserManagement\\\"\\n| where OperationName =~ \\\"Redeem external user invite\\\"\\n| where Result =~ \\\"success\\\"\\n| extend Target = tostring(TargetResources[0].[\\\"displayName\\\"]) | extend Target = tostring(extract(@\\\"UPN\\\\:\\\\s(.+)\\\\,\\\\sEmail\\\",1,Target))\\n| where isnotempty(Target);\\n// Union the inivtation and redeem data then run the sequence_detect kusto plugin\\ninvite\\n| union redeem\\n| order by TimeGenerated\\n| project TimeGenerated, Target, InviteInitiator, OperationName, TenantId\\n| evaluate sequence_detect(TimeGenerated, maxTimeBetweenInviteAccept, maxTimeBetweenInviteAccept, invite=(OperationName has \\\"Invite external user\\\"), redeem=(OperationName has \\\"Redeem external user invite\\\"), Target)\\n| join kind=innerunique (\\nAuditLogs\\n| where Category =~ \\\"RoleManagement\\\"\\n| where AADOperationType in~ (\\\"Assign\\\", \\\"AssignEligibleRole\\\")\\n| where ActivityDisplayName has_any (\\\"Add eligible member to role\\\", \\\"Add member to role\\\")\\n| mv-expand TargetResources\\n// Limit to external accounts\\n| where TargetResources.userPrincipalName has \\\"EXT\\\"\\n| mv-expand TargetResources.modifiedProperties\\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\\n| where displayName_ =~ \\\"Role.DisplayName\\\"\\n| extend RoleName = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\\n// Perform check for admin roles\\n| where RoleName has_any(roles)\\n| extend InitiatingApp = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n| extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName))\\n| where Initiator != \\\"MS-PIM\\\"\\n| extend Target = tostring(TargetResources.userPrincipalName)\\n| summarize by TimeGenerated, OperationName, RoleName, Target, Initiator, Result\\n) on Target\\n// Calculate delta between the invite and the account escalation\\n| extend delta = datetime_diff(\\\"minute\\\", TimeGenerated, invite_TimeGenerated)\\n| where delta \u003c= deltaBetweenInviteEscalation\\n| project InvitationTime=invite_TimeGenerated, RedeemTime=redeem_TimeGenerated, GrantTime=TimeGenerated, ExternalUser=Target, RoleGranted=RoleName, AdminInitiator=Initiator, MinsBetweenInviteAndEscalation=delta\\n| extend ExternalUserName = tostring(split(ExternalUser, \u0027@\u0027, 0)[0]), ExternalUserUPNSuffix = tostring(split(ExternalUser, \u0027@\u0027, 1)[0])\\n| extend AdminInitiatorName = tostring(split(AdminInitiator, \u0027@\u0027, 0)[0]), AdminInitiatorUPNSuffix = tostring(split(AdminInitiator, \u0027@\u0027, 1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"ExternalUserName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"ExternalUserUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"AdminInitiatorName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AdminInitiatorUPNSuffix\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"New External User Granted Admin Role\",\"description\":\"This query will detect instances where a newly invited external user is granted an administrative role.\\nBy default this query will alert on any granted administrative role, however this can be modified using the roles variable if false positives occur in your environment. The maximum delta between invite and escalation to admin is 60 minues, this can be configured using the deltaBetweenInviteEscalation variable.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-06-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/90586451-7ba8-4c1e-9904-7d1b7c3cc4d6\",\"name\":\"90586451-7ba8-4c1e-9904-7d1b7c3cc4d6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Azure Security Center\",\"severitiesFilter\":[\"Low\",\"Medium\",\"High\"],\"displayName\":\"Create incidents based on Microsoft Defender for Cloud\",\"description\":\"Create incidents based on all alerts generated in Microsoft Defender for Cloud\",\"lastUpdatedDateUTC\":\"2021-07-25T00:00:00Z\",\"createdDateUTC\":\"2019-07-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert (ASC)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/532c1811-79ee-4d9f-8d4d-6304c840daa1\",\"name\":\"532c1811-79ee-4d9f-8d4d-6304c840daa1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Azure Active Directory Identity Protection\",\"displayName\":\"Create incidents based on Azure Active Directory Identity Protection alerts\",\"description\":\"Create incidents based on all alerts generated in Azure Active Directory Identity Protection\",\"lastUpdatedDateUTC\":\"2019-07-16T00:00:00Z\",\"createdDateUTC\":\"2019-07-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectoryIdentityProtection\",\"dataTypes\":[\"SecurityAlert (IPC)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a357535e-f722-4afe-b375-cff362b2b376\",\"name\":\"a357535e-f722-4afe-b375-cff362b2b376\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.6\",\"severity\":\"Medium\",\"query\":\"(union isfuzzy=true\\n(OfficeActivity | where UserAgent != \\\"\\\"),\\n(OfficeActivity\\n| where RecordType in (\\\"AzureActiveDirectory\\\", \\\"AzureActiveDirectoryStsLogon\\\")\\n| extend OperationName = Operation\\n| parse ExtendedProperties with * \u0027User-Agent\\\\\\\\\\\":\\\\\\\\\\\"\u0027 UserAgent2 \u0027\\\\\\\\\u0027 *\\n| parse ExtendedProperties with * \u0027UserAgent\\\", \\\"Value\\\": \\\"\u0027 UserAgent1 \u0027\\\"\u0027 *\\n| where isnotempty(UserAgent1) or isnotempty(UserAgent2)\\n| extend UserAgent = iff( RecordType == \u0027AzureActiveDirectoryStsLogon\u0027, UserAgent1, UserAgent2)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = ClientIP, Account = UserId, Type, RecordType, Operation\\n),\\n(AzureDiagnostics\\n| where ResourceType =~ \\\"APPLICATIONGATEWAYS\\\"\\n| where OperationName =~ \\\"ApplicationGatewayAccess\\\"\\n| extend ClientIP = columnifexists(\\\"clientIP_s\\\", \\\"None\\\"), UserAgent = columnifexists(\\\"userAgent_s\\\", \\\"None\\\")\\n| where UserAgent != \u0027-\u0027\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = ClientIP, requestUri_s, httpMethod_s, host_s, requestQuery_s, Type\\n),\\n(\\nW3CIISLog\\n| where isnotempty(csUserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent = csUserAgent, SourceIP = cIP, Account = csUserName, Type, sSiteName, csMethod, csUriStem\\n),\\n(\\nAWSCloudTrail\\n| where isnotempty(UserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = SourceIpAddress, Account = UserIdentityUserName, Type, EventSource, EventName\\n),\\n(SigninLogs\\n| where isnotempty(UserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = IPAddress, Account = UserPrincipalName, Type, OperationName, tostring(LocationDetails), tostring(DeviceDetail), AppDisplayName, ClientAppUsed\\n),\\n(AADNonInteractiveUserSignInLogs\\n| where isnotempty(UserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = IPAddress, Account = UserPrincipalName, Type, OperationName, tostring(LocationDetails), tostring(DeviceDetail), AppDisplayName, ClientAppUsed\\n)\\n)\\n// Likely artefact of hardcoding\\n| where UserAgent startswith \\\"User\\\" or UserAgent startswith \u0027\\\\\\\"\u0027\\n// Incorrect casing\\nor (UserAgent startswith \\\"Mozilla\\\" and not(UserAgent contains_cs \\\"Mozilla\\\"))\\n// Incorrect casing\\nor UserAgent contains_cs \\\"(Compatible;\\\"\\n// Missing MSIE version\\nor UserAgent matches regex @\\\"MSIE\\\\s?;\\\"\\n// Incorrect spacing around MSIE version\\nor UserAgent matches regex @\\\"MSIE(?:\\\\d|.{1,5}?\\\\d\\\\s;)\\\"\\n| extend AccountName = split(Account, \\\"@\\\")[0], UPNSuffix = split(Account, \\\"@\\\")[1]\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]}],\"tactics\":[\"InitialAccess\",\"CommandAndControl\",\"Execution\"],\"displayName\":\"Malformed user agent\",\"description\":\"Malware authors will sometimes hardcode user agent string values when writing the network communication component of their malware. Malformed user agents can be an indication of such malware.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2019-01-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"WAF\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/56f3f35c-3aca-4437-a1fb-b7a84dc4af00\",\"name\":\"56f3f35c-3aca-4437-a1fb-b7a84dc4af00\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n | where EventID == 4657\\n | parse ObjectName with \\\"\\\\\\\\REGISTRY\\\\\\\\\\\" KeyPrefix \\\"\\\\\\\\\\\" RegistryKey\\n | project-reorder RegistryKey\\n | where RegistryKey has \\\"Software\\\\\\\\Classes\\\\\\\\ms-settings\\\\\\\\shell\\\\\\\\open\\\\\\\\command\\\"\\n | extend TimeKey = bin(TimeGenerated, 1h)\\n | join (\\n SecurityEvent\\n | where EventID == 4688\\n | where Process =~ \\\"fodhelper.exe\\\"\\n | where ParentProcessName endswith \\\"cmd.exe\\\" or ParentProcessName endswith \\\"powershell.exe\\\" or ParentProcessName endswith \\\"powershell_ise.exe\\\"\\n | extend TimeKey = bin(TimeGenerated, 1h)) on TimeKey, Computer\\n | extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n | extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n | extend AccountName = tostring(split(TargetAccount, @\u0027\\\\\u0027)[1]), AccountNTDomain = tostring(split(TargetAccount, @\u0027\\\\\u0027)[0])\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetAccount\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountNTDomain\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Potential Fodhelper UAC Bypass\",\"description\":\"This detection looks for the steps required to conduct a UAC bypass using Fodhelper.exe. By default this detection looks for the setting of the required registry keys and the invoking of the process within 1 hour - this can be tweaked as required.\",\"lastUpdatedDateUTC\":\"2024-03-13T00:00:00Z\",\"createdDateUTC\":\"2022-02-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1cc0ba27-c5ca-411a-a779-fbc89e26be83\",\"name\":\"1cc0ba27-c5ca-411a-a779-fbc89e26be83\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Medium\",\"query\":\"// Filter alerts from specific Microsoft security products with medium and high severity\\nSecurityAlert \\n| where ProductName in (\\\"Microsoft 365 Defender\\\", \\\"Azure Active Directory\\\", \\\"Microsoft Defender Advanced Threat Protection\\\", \\\"Microsoft Cloud App Security\\\", \\\"Azure Active Directory Identity Protection\\\", \\\"Microsoft Defender ATP\\\")\\n| where AlertSeverity has_any (\\\"Medium\\\", \\\"High\\\")\\n// Parse JSON entities and extend AlertTimeGenerated\\n| extend Entities = parse_json(Entities), AlertTimeGenerated=TimeGenerated\\n// Extract and process IP entities\\n| mv-apply Entity = Entities on \\n ( \\n where Entity.Type == \u0027ip\u0027 \\n | extend EntityIp = tostring(Entity.Address) \\n ) \\n// Extract and process account entities\\n| mv-apply Entity = Entities on \\n ( \\n where Entity.Type == \u0027account\u0027 \\n | extend AccountObjectId = tostring(Entity.AadUserId)\\n )\\n// Filter out records with empty EntityIp\\n| where isnotempty(EntityIp)\\n// Summarize data and create sets of entities and system alert IDs\\n| summarize Entitys=make_set(Entity), SystemAlertIds=make_set(SystemAlertId)\\n by \\n AlertName,\\n ProductName,\\n AlertSeverity,\\n EntityIp,\\n Tactics,\\n Techniques,\\n ProviderName,\\n AlertTime= bin(AlertTimeGenerated, 1d),\\n AccountObjectId\\n// Join with GCPAuditLogs for VM instance creation\\n| join kind=inner (\\n GCPAuditLogs\\n | where ServiceName == \\\"compute.googleapis.com\\\" and MethodName endswith \\\"instances.insert\\\"\\n | extend\\n GCPUserUPN= tostring(parse_json(AuthenticationInfo).principalEmail),\\n GCPUserIp = tostring(parse_json(RequestMetadata).callerIp),\\n GCPUserUA= tostring(parse_json(RequestMetadata).callerSuppliedUserAgent),\\n VMStatus = tostring(parse_json(Response).status),\\n VMOperation=tostring(parse_json(Response).operationType),\\n VMName= tostring(parse_json(Request).name),\\n VMType = tostring(split(parse_json(Request).machineType, \\\"/\\\")[-1])\\n | where GCPUserUPN !has \\\"gserviceaccount.com\\\"\\n | where VMOperation == \\\"insert\\\" and isnotempty(GCPUserIp) and GCPUserIp != \\\"private\\\"\\n | project\\n GCPOperationTime=TimeGenerated,\\n VMName,\\n VMStatus,\\n MethodName,\\n GCPUserUPN,\\n ProjectId,\\n GCPUserIp,\\n GCPUserUA,\\n VMOperation,\\n VMType\\n )\\n on $left.EntityIp == $right.GCPUserIp \\n// Join with IdentityInfo to enrich user identity details\\n| join kind=inner (IdentityInfo \\n | distinct AccountObjectId, AccountUPN, JobTitle\\n )\\n on AccountObjectId \\n// Calculate the time difference between the alert and VM creation for further analysis\\n| extend TimeDiff= datetime_diff(\u0027day\u0027, AlertTime, GCPOperationTime),Name = split(GCPUserUPN, \\\"@\\\")[0], UPNSuffix = split(GCPUserUPN, \\\"@\\\")[1]\",\"customDetails\":{\"AlertName\":\"AlertName\",\"AlertProDuctName\":\"ProductName\",\"AlertUserName\":\"AccountUPN\",\"AlertUserObjectId\":\"AccountObjectId\",\"AlertIds\":\"SystemAlertIds\",\"AlertIp\":\"EntityIp\",\"GCPUserAgent\":\"GCPUserUA\",\"GCPVMName\":\"VMName\",\"GCPProjectId\":\"ProjectId\",\"GCPVMType\":\"VMType\",\"CorrelationWith\":\"GCPAuditLogs\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"GCPUserIp\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"GCPUserUPN\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"IP address {{GCPUserIp}} Assocated with {{AlertName}} found in GCP VM creation event by {{GCPUserUPN}}\",\"alertDescriptionFormat\":\"This detection correlates \u0027{{ProductName}}\u0027 Alert IP addresse Entity found in VM instance creation in GCP {{ProjectId}}. It identifies successful compute instance creation, from suspicious IP addresse. By joining these datasets on network entities and IP addresses, it detects unauthorized Initial access attempts across GCP environments.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":\"AlertSeverity\"},\"tactics\":[\"InitialAccess\",\"Execution\",\"Discovery\"],\"displayName\":\"Suspicious VM Instance Creation Activity Detected\",\"description\":\"This detection identifies high-severity alerts across various Microsoft security products, including Microsoft Defender XDR and Microsoft Entra ID, and correlates them with instances of Google Cloud VM creation. It focuses on instances where VMs were created within a short timeframe of high-severity alerts, potentially indicating suspicious activity.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2023-10-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"GCPAuditLogsDefinition\",\"dataTypes\":[\"GCPAuditLogs\"]},{\"connectorId\":\"AzureActiveDirectoryIdentityProtection\",\"dataTypes\":[\"SecurityAlert (IPC)\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"MicrosoftDefenderAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert (MDATP)\"]},{\"connectorId\":\"MicrosoftCloudAppSecurity\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"IdentityInfo\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2441bce9-02e4-407b-8cc7-7d597f38b8b0\",\"name\":\"2441bce9-02e4-407b-8cc7-7d597f38b8b0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.4.3\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h; // Look back 1 hour for AzureActivity logs\\nlet ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators\\n// Fetch threat intelligence indicators related to IP addresses\\nlet IP_Indicators = ThreatIntelligenceIndicator\\n // Filter out indicators without relevant IP address fields\\n | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n | where TimeGenerated \u003e= ago(ioc_lookBack)\\n // Select the IP entity based on availability of different IP fields\\n | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n // Exclude local addresses using the ipv4_is_private operator and filtering out specific address prefixes\\n | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \\\"fe80\\\" and TI_ipEntity !startswith \\\"::\\\" and TI_ipEntity !startswith \\\"127.\\\"\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n | where Active == true and ExpirationDateTime \u003e now();\\n// Perform a join between IP indicators and AzureActivity logs to identify potential malicious activity\\nIP_Indicators\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n AzureActivity | where TimeGenerated \u003e= ago(dt_lookBack)\\n // renaming time column so it is clear the log this came from\\n | extend AzureActivity_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.CallerIpAddress\\n| where AzureActivity_TimeGenerated \u003c ExpirationDateTime\\n| summarize AzureActivity_TimeGenerated = arg_max(AzureActivity_TimeGenerated, *) by IndicatorId, CallerIpAddress\\n| project AzureActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, CallerIpAddress, \\nCaller, OperationNameValue, ActivityStatusValue, CategoryValue, ResourceId, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, Type\\n| extend timestamp = AzureActivity_TimeGenerated\\n| extend Name = iif(Caller has \u0027@\u0027, tostring(split(Caller,\u0027@\u0027,0)[0]), \\\"\\\")\\n| extend UPNSuffix = iif(Caller has \u0027@\u0027, tostring(split(Caller,\u0027@\u0027,1)[0]), \\\"\\\")\\n| extend AadUserId = iif(Caller !has \u0027@\u0027, tostring(Caller), \\\"\\\")\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Caller\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"AadUserId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"CallerIpAddress\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceId\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"TI Map IP Entity to AzureActivity\",\"description\":\"This query maps any IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in AzureActivity.\",\"lastUpdatedDateUTC\":\"2024-07-09T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bda5a2bd-979b-4828-a91f-27c2a5048f7f\",\"name\":\"bda5a2bd-979b-4828-a91f-27c2a5048f7f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT30M\",\"queryPeriod\":\"PT30M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"let lbtime = 30m;\\nlet msgthreshold = 3;\\nlet compressedTypes = dynamic([\u0027zip\u0027, \u0027rar\u0027, \u0027tar\u0027, \u0027x-7z-compressed\u0027]);\\nProofpointPOD\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027outbound\u0027\\n| extend attachedMimeType = todynamic(MsgParts)[0][\u0027detectedMime\u0027]\\n| where attachedMimeType has_any (compressedTypes)\\n| summarize count(), make_set(attachedMimeType) by SrcUserUpn, DstUserUpn\\n| where count_ \u003e msgthreshold\\n| extend AccountCustomEntity = SrcUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"ProofpointPOD - Multiple archived attachments to the same recipient\",\"description\":\"Detects when multiple emails where sent to the same recipient with large archived attachments.\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/adc32a33-1cd6-46f5-8801-e3ed8337885f\",\"name\":\"adc32a33-1cd6-46f5-8801-e3ed8337885f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"// Add any known allowed sources and source locations to the filter below (the NuGet Gallery has been added here as an example).\\nlet allowed_sources = dynamic([\\\"NuGet Gallery\\\"]);\\nlet allowed_locations = dynamic([\\\"https://api.nuget.org/v3/index.json\\\"]);\\nAzureDevOpsAuditing\\n// Look for feeds created or modified at either the organization or project level\\n| where OperationName matches regex \\\"Artifacts.Feed.(Org|Project).Modify\\\"\\n| where Details has \\\"UpstreamSources, added\\\"\\n| extend FeedName = tostring(Data.FeedName)\\n| extend FeedId = tostring(Data.FeedId)\\n| extend UpstreamsAdded = Data.UpstreamsAdded\\n// As multiple feeds may be added expand these out\\n| mv-expand UpstreamsAdded\\n// Only focus on external feeds\\n| where UpstreamsAdded.UpstreamSourceType !~ \\\"internal\\\"\\n| extend SourceLocation = tostring(UpstreamsAdded.Location)\\n| extend SourceName = tostring(UpstreamsAdded.Name)\\n// Exclude sources and locations in the allow list\\n| where SourceLocation !in (allowed_locations) and SourceName !in (allowed_sources)\\n| extend SourceProtocol = tostring(UpstreamsAdded.Protocol)\\n| extend SourceStatus = tostring(UpstreamsAdded.Status)\\n| project-reorder TimeGenerated, OperationName, ScopeDisplayName, ProjectName, FeedName, SourceName, SourceLocation, SourceProtocol, ActorUPN, UserAgent, IpAddress\\n| extend timestamp = TimeGenerated\\n| extend AccountName = tostring(split(ActorUPN, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(ActorUPN, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ActorUPN\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"External Upstream Source Added to Azure DevOps Feed\",\"description\":\"The detection looks for new external sources added to an Azure DevOps feed. An allow list can be customized to explicitly allow known good sources. \\nAn attacker could look to add a malicious feed in order to inject malicious packages into a build pipeline.\",\"lastUpdatedDateUTC\":\"2024-03-13T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ab4b6944-a20d-42ab-8b63-238426525801\",\"name\":\"ab4b6944-a20d-42ab-8b63-238426525801\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"High\",\"query\":\"let domains = dynamic([\\\"incomeupdate.com\\\",\\\"zupertech.com\\\",\\\"databasegalore.com\\\",\\\"panhardware.com\\\",\\\"avsvmcloud.com\\\",\\\"digitalcollege.org\\\",\\\"freescanonline.com\\\",\\\"deftsecurity.com\\\",\\\"thedoccloud.com\\\",\\\"virtualdataserver.com\\\",\\\"lcomputers.com\\\",\\\"webcodez.com\\\",\\\"globalnetworkissues.com\\\",\\\"kubecloud.com\\\",\\\"seobundlekit.com\\\",\\\"solartrackingsystem.net\\\",\\\"virtualwebdata.com\\\"]);\\nlet timeframe = 1h;\\nlet connections = VMConnection \\n | where TimeGenerated \u003e= ago(timeframe)\\n | extend DNSName = set_union(todynamic(RemoteDnsCanonicalNames),todynamic(RemoteDnsQuestions))\\n | mv-expand DNSName\\n | where isnotempty(DNSName)\\n | where DNSName has_any (domains)\\n | extend IPCustomEntity = RemoteIp\\n | summarize TimeGenerated = arg_min(TimeGenerated, *), requests = count() by IPCustomEntity, DNSName = tostring(DNSName), AgentId, Machine, Process;\\nlet processes = VMProcess\\n | where TimeGenerated \u003e= ago(timeframe)\\n | project AgentId, Machine, Process, UserName, UserDomain, ExecutablePath, CommandLine, FirstPid\\n | extend exePathArr = split(ExecutablePath, \\\"\\\\\\\\\\\")\\n | extend DirectoryName = array_strcat(array_slice(exePathArr, 0, array_length(exePathArr) - 2), \\\"\\\\\\\\\\\")\\n | extend Filename = array_strcat(array_slice(exePathArr, array_length(exePathArr) - 1, array_length(exePathArr)), \\\"\\\\\\\\\\\")\\n | project-away exePathArr;\\nlet computers = VMComputer\\n | where TimeGenerated \u003e= ago(timeframe)\\n | project HostCustomEntity = HostName, AzureResourceId = _ResourceId, AgentId, Machine;\\nconnections | join kind = inner (processes) on AgentId, Machine, Process\\n | join kind = inner (computers) on AgentId, Machine\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"DNSName\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"FirstPid\"},{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLine\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Directory\",\"columnName\":\"DirectoryName\"},{\"identifier\":\"Name\",\"columnName\":\"Filename\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"[Deprecated] - Solorigate Domains Found in VM Insights\",\"description\":\"This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft\u0027s Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMProcess\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMComputer\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9f9c1e51-4fb1-4510-a675-c7c2fb32f47e\",\"name\":\"9f9c1e51-4fb1-4510-a675-c7c2fb32f47e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"High\",\"query\":\"let knotweed_sigs = dynamic([\\\"JumplumpDropper\\\", \\\"Jumplump\\\", \\\"Corelump\\\", \\\"Medcerc\\\", \\\"SuspModuleLoad\\\", \\\"Mexlib\\\"]);\\n let mde_data = (DeviceInfo\\n | extend DeviceName = tolower(DeviceName)\\n | join kind=rightouter ( SecurityAlert\\n | where ProviderName =~ \\\"MDATP\\\"\\n | extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n | extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)\\n | where ThreatFamilyName in~ (knotweed_sigs)\\n | extend CompromisedEntity = tolower(CompromisedEntity)\\n ) on $left.DeviceName == $right.CompromisedEntity);\\n let event_data = ( Event\\n | where EventID in (1006, 1009, 1116, 1119)\\n | extend ThreatData = parse_json(tostring(parse_json(tostring(parse_json(tostring(parse_xml(EventData).DataItem)).EventData)).Data))\\n | mv-expand ThreatData\\n | where tostring(ThreatData.[\\\"@Name\\\"]) == \\\"Threat Name\\\"\\n | extend EventData = parse_xml(EventData)\\n | where tostring(ThreatData.[\\\"#text\\\"]) has_any (knotweed_sigs));\\n union mde_data, event_data\\n | extend ThreatName = iif(isnotempty(ThreatName), ThreatName, tostring(ThreatData.[\\\"#text\\\"]))\\n | extend ThreatFamilyName = iif(isnotempty(ThreatFamilyName), ThreatFamilyName, split(tostring(ThreatData.[\\\"#text\\\"]), \\\"/\\\")[-1])\\n | extend TimeGenerated = iif(isnotempty(TimeGenerated), TimeGenerated, TimeGenerated1)\\n | extend DeviceName = iif(isnotempty(DeviceName), DeviceName, Computer)\\n | project-reorder TimeGenerated, CompromisedEntity, ThreatName, ThreatFamilyName\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"DeviceName\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"[Deprecated] - Denim Tsunami AV Detection\",\"description\":\"This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft\u0027s Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2022-07-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceInfo\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c1c66f0b-5531-4a3e-a619-9d2f770ef730\",\"name\":\"c1c66f0b-5531-4a3e-a619-9d2f770ef730\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Medium\",\"query\":\"let auditList =\\nAuditLogs\\n| where TimeGenerated \u003e= ago(14d)\\n| where OperationName =~ \\\"Add member to role completed (PIM activation)\\\"\\n| where Result =~ \\\"success\\\"\\n| extend TargetUserPrincipalName = tostring(TargetResources[2].userPrincipalName)\\n| extend displayName = tostring(TargetResources[0].displayName)\\n| extend displayName2 = tostring(TargetResources[3].displayName)\\n| extend ElevatedRole = iif(displayName =~ \\\"Member\\\", displayName2, displayName)\\n;\\nlet lookbackList = auditList\\n| where TimeGenerated between(ago(14d)..ago(1d))\\n;\\nlet recentList = auditList\\n| where TimeGenerated \u003e ago(1d)\\n;\\nlet newlyElevated = recentList\\n| join kind = leftanti lookbackList on ElevatedRole, TargetUserPrincipalName\\n;\\nnewlyElevated | project Id, AdditionalDetails\\n| mv-expand bagexpansion=array AdditionalDetails\\n| evaluate bag_unpack(AdditionalDetails)\\n| extend key = column_ifexists(\\\"key\\\", \u0027\u0027), value = column_ifexists(\\\"value\\\", \u0027\u0027)\\n| evaluate pivot(key, make_set(value))\\n| extend ipaddr = todynamic(column_ifexists(\\\"ipaddr\\\", \\\"\\\"))\\n| mv-expand ipaddr\\n| project Id, InitiatingIPAddress = tostring(ipaddr)\\n| join kind=rightouter newlyElevated on Id\\n| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n| extend InitiatingIPAddress = iff(isnotempty(tostring(InitiatedBy.user.ipAddress)), tostring(InitiatedBy.user.ipAddress), InitiatingIPAddress)\\n| extend ElevatedBy = iff(isnotempty(InitiatingUserPrincipalName), InitiatingUserPrincipalName, InitiatingAppName)\\n| extend ElevatedUser = TargetUserPrincipalName\\n| extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[1])\\n| extend TargetAccountName = tostring(split(TargetUserPrincipalName, \\\"@\\\")[0]), TargetAccountUPNSuffix = tostring(split(TargetUserPrincipalName, \\\"@\\\")[1])\\n| project-reorder ElevatedUser, ElevatedRole, ResultReason, ElevatedBy, InitiatingUserPrincipalName, InitiatingAadUserId, InitiatingIPAddress, TargetUserPrincipalName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatingAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatingAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"TargetAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"TargetAccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIPAddress\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Account Elevated to New Role\",\"description\":\"Detects an account that is elevated to a new role where that account has not had that role in the last 14 days.\\n Role elevations are a key mechanism for gaining permissions, monitoring which users have which roles, and for anomalies in those roles is useful for finding suspicious activity.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts\",\"lastUpdatedDateUTC\":\"2024-03-14T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e1ce0eab-10d1-4aae-863f-9a383345ba88\",\"name\":\"e1ce0eab-10d1-4aae-863f-9a383345ba88\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.5\",\"severity\":\"Low\",\"query\":\"let threshold = 15;\\nSyslog\\n| where ProcessName =~ \\\"sshd\\\"\\n| where SyslogMessage contains \\\"Failed password for invalid user\\\"\\n| parse kind=relaxed SyslogMessage with * \\\"invalid user \\\" user \\\" from \\\" ip \\\" port\\\" port \\\" ssh2\\\" *\\n// using distinct below as it has been seen that Syslog can duplicate entries depending on implementation\\n| distinct TimeGenerated, Computer, user, ip, port, SyslogMessage, _ResourceId\\n| summarize EventTimes = make_list(TimeGenerated), PerHourCount = count() by bin(TimeGenerated,4h), ip, Computer, user, _ResourceId\\n| where PerHourCount \u003e threshold\\n| mvexpand EventTimes\\n| extend EventTimes = tostring(EventTimes)\\n| summarize StartTime = min(EventTimes), EndTime = max(EventTimes), UserList = make_set(user), ComputerList = make_set(Computer), ResourceIdList = make_set(_ResourceId), sum(PerHourCount) by IPAddress = ip\\n// bringing through single computer and user if array only has 1, otherwise, referencing the column and hashing the ComputerList or UserList so we don\u0027t get accidental entity matches when reviewing alerts\\n| extend HostName = iff(array_length(ComputerList) == 1, tostring(ComputerList[0]), strcat(\\\"SeeComputerListField\\\",\\\"_\\\", tostring(hash(tostring(ComputerList)))))\\n| extend Account = iff(array_length(ComputerList) == 1, tostring(UserList[0]), strcat(\\\"SeeUserListField\\\",\\\"_\\\", tostring(hash(tostring(UserList)))))\\n| extend ResourceId = iff(array_length(ResourceIdList) == 1, tostring(ResourceIdList[0]), strcat(\\\"SeeResourceIdListField\\\",\\\"_\\\", tostring(hash(tostring(ResourceIdList)))))\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"Account\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostName\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceId\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"SSH - Potential Brute Force\",\"description\":\"Identifies an IP address that had 15 failed attempts to sign in via SSH in a 4 hour block during a 24 hour time period.\\n Please note that entity mapping for arrays is not supported, so when there is a single value in an array, we will pull that value from the array as a single string to populate the entity to support entity mapping features within Sentinel. Additionally, if the array is multivalued, we will input a string to indicate this with a unique hash so that matching will not occur.\\n As an example - ComputerList is an array that we check for a single value and write that into the HostName field for use in the entity mapping within Sentinel.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"SyslogAma\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7efc75ce-e2a4-400f-a8b1-283d3b0f2c60\",\"name\":\"7efc75ce-e2a4-400f-a8b1-283d3b0f2c60\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.5\",\"severity\":\"Low\",\"query\":\"let WellKnownLocalSID = \\\"S-1-5-32-5[0-9][0-9]$\\\";\\nlet WellKnownGroupSID = \\\"S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\\\";\\nlet AC_Add =\\n(union isfuzzy=true\\n(SecurityEvent\\n// Event ID related to member addition.\\n| where EventID in (4728, 4732,4756)\\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID\\n| parse EventData with * \u0027\\\"MemberName\\\"\u003e\u0027 * \u0027=\u0027 AccountAdded \\\",OU\\\" *\\n| where isnotempty(AccountAdded)\\n| extend GroupAddedTo = TargetUserName, AddingAccount = Account\\n| extend AccountAdded_GroupAddedTo_AddingAccount = strcat(AccountAdded, \\\"||\\\", GroupAddedTo, \\\"||\\\", AddingAccount )\\n| project AccountAdded_GroupAddedTo_AddingAccount, AccountAddedTime = TimeGenerated\\n),\\n(WindowsEvent\\n// Event ID related to member addition.\\n| where EventID in (4728, 4732,4756)\\n| extend TargetSid = tostring(EventData.TargetSid)\\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID\\n| parse EventData.MemberName with * \u0027\\\"MemberName\\\"\u003e\u0027 * \u0027=\u0027 AccountAdded \\\",OU\\\" *\\n| where isnotempty(AccountAdded)\\n| extend TargetUserName = tostring(EventData.TargetUserName)\\n| extend AddingAccount = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend GroupAddedTo = TargetUserName\\n| extend AccountAdded_GroupAddedTo_AddingAccount = strcat(AccountAdded, \\\"||\\\", GroupAddedTo, \\\"||\\\", AddingAccount )\\n| project AccountAdded_GroupAddedTo_AddingAccount, AccountAddedTime = TimeGenerated\\n)\\n);\\nlet AC_Remove =\\n( union isfuzzy=true\\n(SecurityEvent\\n// Event IDs related to member removal.\\n| where EventID in (4729,4733,4757)\\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID\\n| parse EventData with * \u0027\\\"MemberName\\\"\u003e\u0027 * \u0027=\u0027 AccountRemoved \\\",OU\\\" *\\n| where isnotempty(AccountRemoved)\\n| extend GroupRemovedFrom = TargetUserName, RemovingAccount = Account\\n| extend AccountRemoved_GroupRemovedFrom_RemovingAccount = strcat(AccountRemoved, \\\"||\\\", GroupRemovedFrom, \\\"||\\\", RemovingAccount)\\n| project AccountRemoved_GroupRemovedFrom_RemovingAccount, AccountRemovedTime = TimeGenerated, Computer, AccountRemoved = tolower(AccountRemoved),\\nRemovingAccount, RemovingAccountLogonId = SubjectLogonId, GroupRemovedFrom = TargetUserName, TargetDomainName\\n),\\n(WindowsEvent\\n// Event IDs related to member removal.\\n| where EventID in (4729,4733,4757)\\n| extend TargetSid = tostring(EventData.TargetSid)\\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID\\n| parse EventData.MemberName with * \u0027\\\"MemberName\\\"\u003e\u0027 * \u0027=\u0027 AccountRemoved \\\",OU\\\" *\\n| where isnotempty(AccountRemoved)\\n| extend TargetUserName = tostring(EventData.TargetUserName)\\n| extend RemovingAccount = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend GroupRemovedFrom = TargetUserName\\n| extend AccountRemoved_GroupRemovedFrom_RemovingAccount = strcat(AccountRemoved, \\\"||\\\", GroupRemovedFrom, \\\"||\\\", RemovingAccount)\\n| extend RemovedAccountLogonId= tostring(EventData.SubjectLogonId)\\n| extend TargetDomainName = tostring(EventData.TargetDomainName)\\n| project AccountRemoved_GroupRemovedFrom_RemovingAccount, AccountRemovedTime = TimeGenerated, Computer, AccountRemoved = tolower(AccountRemoved),\\nRemovingAccount, RemovedAccountLogonId, GroupRemovedFrom = TargetUserName, TargetDomainName\\n));\\nAC_Add\\n| join kind = inner AC_Remove \\non $left.AccountAdded_GroupAddedTo_AddingAccount == $right.AccountRemoved_GroupRemovedFrom_RemovingAccount\\n| extend DurationinSecondAfter_Removed = datetime_diff (\u0027second\u0027, AccountRemovedTime, AccountAddedTime)\\n| where DurationinSecondAfter_Removed \u003e 0\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| extend RemovedAccountName = tostring(split(AccountRemoved, @\\\"\\\\\\\")[1]), RemovedAccountNTDomain = tostring(split(AccountRemoved, @\\\"\\\\\\\")[0])\\n| extend RemovingAccountName = tostring(split(RemovingAccount, @\\\"\\\\\\\")[1]), RemovingAccountNTDomain = tostring(split(RemovingAccount, @\\\"\\\\\\\")[0])\\n| project-away DomainIndex\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountRemoved\"},{\"identifier\":\"Name\",\"columnName\":\"RemovedAccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"RemovedAccountNTDomain\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"RemovingAccount\"},{\"identifier\":\"Name\",\"columnName\":\"RemovingAccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"RemovingAccountNTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Account added and removed from privileged groups\",\"description\":\"Identifies accounts that are added to a privileged group and then quickly removed, which could be a sign of compromise.\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2019-04-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/79566f41-df67-4e10-a703-c38a6213afd8\",\"name\":\"79566f41-df67-4e10-a703-c38a6213afd8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n| where OperationName has_any (\\\"Add service principal\\\", \\\"Certificates and secrets management\\\") // captures \\\"Add service principal\\\", \\\"Add service principal credentials\\\", and \\\"Update application - Certificates and secrets management\\\" events\\n| where Result =~ \\\"success\\\"\\n| where tostring(InitiatedBy.user.userPrincipalName) has \\\"@\\\" or tostring(InitiatedBy.app.displayName) has \\\"@\\\"\\n| mv-apply TargetResource = TargetResources on \\n (\\n where TargetResource.type =~ \\\"Application\\\"\\n | extend targetDisplayName = tostring(TargetResource.displayName),\\n targetId = tostring(TargetResource.id),\\n targetType = tostring(TargetResource.type),\\n keyEvents = TargetResource.modifiedProperties\\n )\\n| mv-apply Property = keyEvents on \\n (\\n where Property.displayName =~ \\\"KeyDescription\\\"\\n | extend new_value_set = parse_json(tostring(Property.newValue)),\\n old_value_set = parse_json(tostring(Property.oldValue))\\n )\\n| where old_value_set != \\\"[]\\\"\\n| extend diff = set_difference(new_value_set, old_value_set)\\n| where isnotempty(diff)\\n| parse diff with * \\\"KeyIdentifier=\\\" keyIdentifier:string \\\",KeyType=\\\" keyType:string \\\",KeyUsage=\\\" keyUsage:string \\\",DisplayName=\\\" keyDisplayName:string \\\"]\\\" *\\n| where keyUsage =~ \\\"Verify\\\"\\n| mv-apply AdditionalDetail = AdditionalDetails on \\n (\\n where AdditionalDetail.key =~ \\\"User-Agent\\\"\\n | extend UserAgent = tostring(AdditionalDetail.value)\\n )\\n| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n| extend InitiatingIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\\n// The below line is currently commented out but Microsoft Sentinel users can modify this query to show only Application or only Service Principal events in their environment\\n//| where targetType =~ \\\"Application\\\" // or targetType =~ \\\"ServicePrincipal\\\"\\n| project-away diff, new_value_set, old_value_set\\n| project-reorder TimeGenerated, OperationName, InitiatingAppName, InitiatingAppServicePrincipalId, InitiatingUserPrincipalName, InitiatingAadUserId, InitiatingIpAddress, UserAgent, targetDisplayName, targetId, targetType, keyDisplayName, keyType, keyUsage, keyIdentifier, CorrelationId, TenantId\\n| extend Name = tostring(split(InitiatingUserPrincipalName,\u0027@\u0027,0)[0]), UPNSuffix = tostring(split(InitiatingUserPrincipalName,\u0027@\u0027,1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIpAddress\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAppServicePrincipalId\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"New access credential added to Application or Service Principal\",\"description\":\"This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where a verify KeyCredential was already present for the app.\\nIf a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2024-01-08T00:00:00Z\",\"createdDateUTC\":\"2020-11-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5f0d80db-3415-4265-9d52-8466b7372e3a\",\"name\":\"5f0d80db-3415-4265-9d52-8466b7372e3a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"Medium\",\"query\":\"AzureDevOpsAuditing\\n| where AuthenticationMechanism startswith \\\"PAT\\\"\\n// Look for useragents that include a redenring engine\\n| where UserAgent has_any (\\\"Gecko\\\", \\\"WebKit\\\", \\\"Presto\\\", \\\"Trident\\\", \\\"EdgeHTML\\\", \\\"Blink\\\")\\n| extend AccountName = tostring(split(ActorUPN, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(ActorUPN, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ActorUPN\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Azure DevOps PAT used with Browser\",\"description\":\"Personal Access Tokens (PATs) are used as an alternate password to authenticate into Azure DevOps. PATs are intended for programmatic access use in code or applications. \\nThis can be prone to attacker theft if not adequately secured. This query looks for the use of a PAT in authentication but from a User Agent indicating a browser. \\nThis should not be normal activity and could be an indicator of an attacker using a stolen PAT.\",\"lastUpdatedDateUTC\":\"2024-07-15T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f30a47c1-65fb-42b1-a7f4-00941c12550b\",\"name\":\"f30a47c1-65fb-42b1-a7f4-00941c12550b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.8\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet URLRegex = \\\"((https?|ftp|ldap|wss?|file):\\\\\\\\/\\\\\\\\/(([\\\\\\\\:\\\\\\\\%\\\\\\\\w\\\\\\\\_\\\\\\\\-]+(\\\\\\\\.|@))*((xn--)?[a-zA-Z0-9\\\\\\\\-]+\\\\\\\\.)+(xn--[a-z0-9]+|[A-Za-z]+)|\\\\\\\\d{1,3}\\\\\\\\.\\\\\\\\d{1,3}\\\\\\\\.\\\\\\\\d{1,3}\\\\\\\\.\\\\\\\\d{0,3})[.,:\\\\\\\\w@?^=%\u0026\\\\\\\\/~+#-]*[\\\\\\\\w@?^=%\u0026\\\\\\\\/~+#-])\\\";\\nlet SecurityEvents = materialize(SecurityAlert\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | extend MSTI = case(AlertName has \\\"TI map\\\" and VendorName == \\\"Microsoft\\\" and ProductName == \u0027Azure Sentinel\u0027, true, false)\\n | where MSTI == false\\n // Extract URL from JSON data\\n | mv-expand parse_json(Entities)\\n | where isnotempty(Entities.Url) or isnotempty(Entities.Urls)\\n | extend Url = coalesce(Entities.Url, Entities.Urls)\\n | mv-expand Url\\n | extend Url = tolower(Url)\\n // Extract hostname from JSON data for entity mapping\\n | extend Compromised_Host = tostring(parse_json(ExtendedProperties).[\\\"Compromised Host\\\"])\\n | extend Alert_TimeGenerated = TimeGenerated);\\nlet EventUrls = materialize(SecurityEvents | distinct Url | summarize make_list(Url));\\nThreatIntelligenceIndicator\\n| where isnotempty(Url)\\n| where TimeGenerated \u003e= ago(ioc_lookBack)\\n| extend Url = tolower(Url)\\n| where tolower(Url) in (EventUrls)\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true and ExpirationDateTime \u003e now()\\n| where Description !contains_cs \\\"State: inactive;\\\" and Description !contains_cs \\\"State: falsepos;\\\" \\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (SecurityEvents) on Url\\n| where Alert_TimeGenerated \u003c ExpirationDateTime\\n| summarize Alert_TimeGenerated = arg_max(Alert_TimeGenerated, *) by IndicatorId, AlertName\\n| project timestamp = Alert_TimeGenerated, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, AlertName, AlertSeverity, Description, Url, Compromised_Host\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"Compromised_Host\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"TI Map URL Entity to SecurityAlert Data\",\"description\":\"This query identifies any URL indicators of compromise (IOCs) from threat intelligence (TI) by searching for matches in SecurityAlert data.\",\"lastUpdatedDateUTC\":\"2024-07-09T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftCloudAppSecurity\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4e8238bd-ff4f-4126-a9f6-09b3b6801b3d\",\"name\":\"4e8238bd-ff4f-4126-a9f6-09b3b6801b3d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"High\",\"query\":\"AzureDevOpsAuditing\\n| where OperationName =~ \\\"AuditLog.StreamDisabledByUser\\\"\\n| extend StreamType = tostring(Data.ConsumerType)\\n| project-reorder TimeGenerated, Details, ActorUPN, IpAddress, UserAgent, StreamType\\n| extend timestamp = TimeGenerated\\n| extend AccountName = tostring(split(ActorUPN, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(ActorUPN, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ActorUPN\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure DevOps Audit Stream Disabled\",\"description\":\"Azure DevOps allow for audit logs to be streamed to external storage solutions such as SIEM solutions. An attacker looking to hide malicious Azure DevOps activity from defenders may look to disable data streams before conducting activity and then re-enabling the stream after (so as not to raise data threshold-based alarms). Looking for disabled audit streams can identify this activity, and due to the nature of the action its unlikely to have a high false positive rate.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a1bddaf8-982b-4089-ba9e-6590dfcf80ea\",\"name\":\"a1bddaf8-982b-4089-ba9e-6590dfcf80ea\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"Low\",\"query\":\"let error403_count_threshold=200;\\n_Im_WebSession(eventresultdetails_in=dynamic([\\\"403\\\"]))\\n| extend ParsedUrl=parse_url(Url)\\n| extend UrlHost=tostring(ParsedUrl[\\\"Host\\\"]), UrlSchema=tostring(ParsedUrl[\\\"Schema\\\"])\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), NumberOfErrors = count(), Urls=makeset(Url) by UrlHost, SrcIpAddr\\n| where NumberOfErrors \u003e error403_count_threshold\\n| sort by NumberOfErrors desc\\n| extend Url=tostring(Urls[0])\",\"customDetails\":{\"NumberOfErrors\":\"NumberOfErrors\"},\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Excessive number of HTTP authentication failures from {{SrcIpAddr}\",\"alertDescriptionFormat\":\"A client with address {{SrcIpAddr}} generated a large number of failed authentication HTTP requests. This may indicate a [brute force](https://en.wikipedia.org/wiki/Brute-force_attack) or [credential stuffing](https://en.wikipedia.org/wiki/Credential_stuffing) attack.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"Persistence\",\"CredentialAccess\"],\"displayName\":\"Excessive number of HTTP authentication failures from a source (ASIM Web Session schema)\",\"description\":\"This rule identifies a source that repeatedly fails to authenticate to a web service (HTTP response code 403). This may indicate a [brute force](https://en.wikipedia.org/wiki/Brute-force_attack) or [credential stuffing](https://en.wikipedia.org/wiki/Credential_stuffing) attack.\\nThis rule uses the [Advanced Security Information Model (ASIM)](https://aka.ms/AboutSIM) and supports any web session source that complies with ASIM.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-03-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d714ef62-1a56-4779-804f-91c4158e528d\",\"name\":\"d714ef62-1a56-4779-804f-91c4158e528d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Medium\",\"query\":\"let ImagesList = dynamic ([\\\"sethc.exe\\\",\\\"utilman.exe\\\",\\\"osk.exe\\\",\\\"Magnify.exe\\\",\\\"Narrator.exe\\\",\\\"DisplaySwitch.exe\\\",\\\"AtBroker.exe\\\"]); \\nlet OriginalFileNameList = dynamic ([\\\"sethc.exe\\\",\\\"utilman.exe\\\",\\\"osk.exe\\\",\\\"Magnify.exe\\\",\\\"Narrator.exe\\\",\\\"DisplaySwitch.exe\\\",\\\"AtBroker.exe\\\",\\\"SR.exe\\\",\\\"utilman2.exe\\\",\\\"ScreenMagnifier.exe\\\"]); \\nEvent\\n| where EventLog == \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID==1\\n| parse EventData with * \u0027ProcessId\\\"\u003e\u0027 ProcessId \\\"\u003c\\\" * \u0027Image\\\"\u003e\u0027 Image \\\"\u003c\\\" * \u0027OriginalFileName\\\"\u003e\u0027 OriginalFileName \\\"\u003c\\\" *\\n| where Image has_any (ImagesList) and not (OriginalFileName has_any (OriginalFileNameList))\\n| parse EventData with * \u0027ProcessGuid\\\"\u003e\u0027 ProcessGuid \\\"\u003c\\\" * \u0027Description\\\"\u003e\u0027 Description \\\"\u003c\\\" * \u0027CommandLine\\\"\u003e\u0027 CommandLine \\\"\u003c\\\" * \u0027CurrentDirectory\\\"\u003e\u0027 CurrentDirectory \\\"\u003c\\\" * \u0027User\\\"\u003e\u0027 User \\\"\u003c\\\" * \u0027LogonGuid\\\"\u003e\u0027 LogonGuid \\\"\u003c\\\" * \u0027Hashes\\\"\u003e\u0027 Hashes \\\"\u003c\\\" * \u0027ParentProcessGuid\\\"\u003e\u0027 ParentProcessGuid \\\"\u003c\\\" * \u0027ParentImage\\\"\u003e\u0027 ParentImage \\\"\u003c\\\" * \u0027ParentCommandLine\\\"\u003e\u0027 ParentCommandLine \\\"\u003c\\\" * \u0027ParentUser\\\"\u003e\u0027 ParentUser \\\"\u003c\\\" *\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, User, ParentImage, ParentProcessGuid, ParentCommandLine, ParentUser, Image, ProcessId, ProcessGuid, CommandLine, Description, OriginalFileName, CurrentDirectory, Hashes\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| extend AccountName = tostring(split(User, \\\"\\\\\\\\\\\")[1]), AccountNTDomain = tostring(split(User, \\\"\\\\\\\\\\\")[0])\\n| extend ImageFileName = tostring(split(Image, \\\"\\\\\\\\\\\")[-1])\\n| extend ImageDirectory = replace_string(Image, ImageFileName, \\\"\\\")\\n| project-away DomainIndex\",\"entityMappings\":[{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLine\"},{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessId\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"User\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"ImageFileName\"},{\"identifier\":\"Directory\",\"columnName\":\"ImageDirectory\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Modification of Accessibility Features\",\"description\":\"Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Windows contains accessibility features that may be launched with a key combination before a user has logged in (ex: when the user is on the Windows logon screen). An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.\\nTwo common accessibility programs are C:\\\\Windows\\\\System32\\\\sethc.exe, launched when the shift key is pressed five times and C:\\\\Windows\\\\System32\\\\utilman.exe, launched when the Windows + U key combination is pressed. The sethc.exe program is often referred to as \\\"sticky keys\\\", and has been used by adversaries for unauthenticated access through a remote desktop login screen. [1]\\nRef: https://attack.mitre.org/techniques/T1546/008/\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-03-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f0be259a-34ac-4946-aa15-ca2b115d5feb\",\"name\":\"f0be259a-34ac-4946-aa15-ca2b115d5feb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P2D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"Low\",\"query\":\"let starttime = 2d;\\nlet endtime = 1d;\\nlet TimeDeltaThreshold = 25;\\nlet TotalEventsThreshold = 30;\\nlet MostFrequentTimeDeltaThreshold = 25;\\nlet PercentBeaconThreshold = 80;\\nCommonSecurityLog\\n| where DeviceVendor == \\\"Palo Alto Networks\\\" and Activity == \\\"TRAFFIC\\\"\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where ipv4_is_private(DestinationIP)== false\\n| project TimeGenerated, DeviceName, SourceUserID, SourceIP, SourcePort, DestinationIP, DestinationPort, ReceivedBytes, SentBytes\\n| sort by SourceIP asc,TimeGenerated asc, DestinationIP asc, DestinationPort asc\\n| serialize\\n| extend nextTimeGenerated = next(TimeGenerated, 1), nextSourceIP = next(SourceIP, 1)\\n| extend TimeDeltainSeconds = datetime_diff(\u0027second\u0027,nextTimeGenerated,TimeGenerated)\\n| where SourceIP == nextSourceIP\\n//Whitelisting criteria/ threshold criteria\\n| where TimeDeltainSeconds \u003e TimeDeltaThreshold\\n| summarize count(), sum(ReceivedBytes), sum(SentBytes)\\nby TimeDeltainSeconds, bin(TimeGenerated, 1h), DeviceName, SourceUserID, SourceIP, DestinationIP, DestinationPort\\n| summarize (MostFrequentTimeDeltaCount, MostFrequentTimeDeltainSeconds) = arg_max(count_, TimeDeltainSeconds), TotalEvents=sum(count_), TotalSentBytes = sum(sum_SentBytes), TotalReceivedBytes = sum(sum_ReceivedBytes)\\nby bin(TimeGenerated, 1h), DeviceName, SourceUserID, SourceIP, DestinationIP, DestinationPort\\n| where TotalEvents \u003e TotalEventsThreshold and MostFrequentTimeDeltaCount \u003e MostFrequentTimeDeltaThreshold\\n| extend BeaconPercent = MostFrequentTimeDeltaCount/toreal(TotalEvents) * 100\\n| where BeaconPercent \u003e PercentBeaconThreshold\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIP, AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Palo Alto - potential beaconing detected\",\"description\":\"Identifies beaconing patterns from Palo Alto Network traffic logs based on recurrent timedelta patterns.\\nThe query leverages various KQL functions to calculate time deltas and then compares it with total events observed in a day to find percentage of beaconing.\\nThis outbound beaconing pattern to untrusted public networks should be investigated for any malware callbacks or data exfiltration attempts.\\nReference Blog:\\nhttp://www.austintaylor.io/detect/beaconing/intrusion/detection/system/command/control/flare/elastic/stack/2017/06/10/detect-beaconing-with-flare-elasticsearch-and-intrusion-detection-systems/\\nhttps://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/detect-network-beaconing-via-intra-request-time-delta-patterns/ba-p/779586\",\"lastUpdatedDateUTC\":\"2024-11-07T00:00:00Z\",\"createdDateUTC\":\"2019-05-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CefAma\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6d7214d9-4a28-44df-aafb-0910b9e6ae3e\",\"name\":\"6d7214d9-4a28-44df-aafb-0910b9e6ae3e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.3\",\"severity\":\"Low\",\"query\":\"let match_window = 3m;\\nAzureActivity\\n| where ResourceGroup has \\\"cloud-shell\\\"\\n| where (OperationNameValue =~ \\\"Microsoft.Storage/storageAccounts/listKeys/action\\\")\\n| where ActivityStatusValue =~ \\\"Success\\\"\\n| extend TimeKey = bin(TimeGenerated, match_window), AzureIP = CallerIpAddress\\n| join kind = inner\\n(AzureActivity\\n| where ResourceGroup has \\\"cloud-shell\\\"\\n| where (OperationNameValue =~ \\\"Microsoft.Storage/storageAccounts/write\\\")\\n| extend TimeKey = bin(TimeGenerated, match_window), UserIP = CallerIpAddress\\n) on Caller, TimeKey\\n| summarize count() by TimeKey, Caller, ResourceGroup, SubscriptionId, TenantId, AzureIP, UserIP, HTTPRequest, Type, Properties, CategoryValue, OperationList = strcat(OperationNameValue, \u0027 , \u0027, OperationNameValue1)\\n| extend Name = tostring(split(Caller,\u0027@\u0027,0)[0]), UPNSuffix = tostring(split(Caller,\u0027@\u0027,1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Caller\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"UserIP\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"New CloudShell User\",\"description\":\"Identifies when a user creates an Azure CloudShell for the first time.\\nMonitor this activity to ensure only the expected users are using CloudShell.\",\"lastUpdatedDateUTC\":\"2024-01-08T00:00:00Z\",\"createdDateUTC\":\"2020-12-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/50eb4cbd-188f-44f4-b964-bab84dcdec10\",\"name\":\"50eb4cbd-188f-44f4-b964-bab84dcdec10\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"High\",\"query\":\"let timeframe = 1d;\\nlet time_window = 5m;\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where EventID == 4688\\n| where Process has_any (\\\"java.exe\\\", \\\"javaw.exe\\\") and CommandLine has \\\"SysAidServer\\\" \\n| summarize by ParentProcessName,Process, Account, Computer, CommandLine, timekey= bin(TimeGenerated, time_window), TimeGenerated, SubjectLogonId\\n| join kind=inner(\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where EventID == 4663\\n| where Process has_any (\\\"java.exe\\\", \\\"javaw.exe\\\")\\n| where AccessMask in (\u00270x2\u0027,\u00270x100\u0027, \u00270x10\u0027, \u00270x4\u0027)\\n| where ObjectName endswith \\\".jsp\\\" \\n| summarize by ParentProcessName, Account, Computer, ObjectName, ProcessName, timekey= bin(TimeGenerated, time_window), TimeGenerated, SubjectLogonId)\\n on timekey, Computer, SubjectLogonId\\n),\\n(DeviceFileEvents \\n| where InitiatingProcessFileName has_any (\\\"java.exe\\\", \\\"javaw.exe\\\") \\n| where InitiatingProcessCommandLine has \\\"SysAidServer\\\" \\n| where FileName endswith \\\".jsp\\\" \\n| extend Account = strcat(InitiatingProcessAccountDomain, @\u0027\\\\\u0027, InitiatingProcessAccountName), Computer = DeviceName\\n),\\n(imFileEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where EventType == \\\"FileCreated\\\"\\n| where ActingProcessName has_any (\\\"java.exe\\\", \\\"javaw.exe\\\") \\n| where ActingProcessCommandLine has \\\"SysAidServer\\\" \\n| where FilePath endswith \\\".jsp\\\" \\n| extend Account = ActorUsername, Computer = DvcHostname\\n)\\n)\\n| extend AccountName = tostring(split(Account, @\u0027\\\\\u0027)[1]), AccountNTDomain = tostring(split(Account, @\u0027\\\\\u0027)[0])\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Identify SysAid Server web shell creation\",\"description\":\"This query looks for potential webshell creation by the threat actor Mercury after the sucessful exploitation of SysAid server. \\nReference: https://www.microsoft.com/security/blog/2022/08/25/mercury-leveraging-log4j-2-vulnerabilities-in-unpatched-systems-to-target-israeli-organizations/\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-08-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bb616d82-108f-47d3-9dec-9652ea0d3bf6\",\"name\":\"bb616d82-108f-47d3-9dec-9652ea0d3bf6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"High\",\"query\":\"let queryfrequency = 1h;\\nlet queryperiod = 1d;\\nAuditLogs\\n| where TimeGenerated \u003e ago(queryfrequency)\\n| where OperationName =~ \\\"Delete user\\\"\\n//extend UserPrincipalName = tostring(TargetResources[0].userPrincipalName)\\n| mv-apply TargetResource = TargetResources on \\n (\\n where TargetResource.type == \\\"User\\\"\\n | extend UserPrincipalName = extract(@\u0027([a-f0-9]{32})?(.*)\u0027, 2, tostring(TargetResource.userPrincipalName))\\n )\\n| extend DeletedByUser = tostring(InitiatedBy.user.userPrincipalName), DeletedByIPAddress = tostring(InitiatedBy.user.ipAddress)\\n| extend DeletedByApp = tostring(InitiatedBy.app.displayName)\\n| project Deletion_TimeGenerated = TimeGenerated, UserPrincipalName, DeletedByUser, DeletedByIPAddress, DeletedByApp, Deletion_AdditionalDetails = AdditionalDetails, Deletion_InitiatedBy = InitiatedBy, Deletion_TargetResources = TargetResources\\n| join kind=inner (\\n AuditLogs\\n | where TimeGenerated \u003e ago(queryperiod)\\n | where OperationName =~ \\\"Add user\\\" \\n | mv-apply TargetResource = TargetResources on \\n (\\n where TargetResource.type == \\\"User\\\"\\n | extend UserPrincipalName = trim(@\u0027\\\"\u0027,tostring(TargetResource.userPrincipalName))\\n )\\n | project-rename Creation_TimeGenerated = TimeGenerated\\n) on UserPrincipalName\\n| extend TimeDelta = Deletion_TimeGenerated - Creation_TimeGenerated\\n| where TimeDelta between (time(0s) .. queryperiod)\\n| extend CreatedByUser = tostring(InitiatedBy.user.userPrincipalName), CreatedByIPAddress = tostring(InitiatedBy.user.ipAddress)\\n| extend CreatedByApp = tostring(InitiatedBy.app.displayName)\\n| project Creation_TimeGenerated, Deletion_TimeGenerated, TimeDelta, UserPrincipalName, DeletedByUser, DeletedByIPAddress, DeletedByApp, CreatedByUser, CreatedByIPAddress, CreatedByApp, Creation_AdditionalDetails = AdditionalDetails, Creation_InitiatedBy = InitiatedBy, Creation_TargetResources = TargetResources, Deletion_AdditionalDetails, Deletion_InitiatedBy, Deletion_TargetResources\\n| extend timestamp = Deletion_TimeGenerated, Name = tostring(split(UserPrincipalName,\u0027@\u0027,0)[0]), UPNSuffix = tostring(split(UserPrincipalName,\u0027@\u0027,1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DeletedByIPAddress\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Account Created and Deleted in Short Timeframe\",\"description\":\"Search for user principal name (UPN) events. Look for accounts created and then deleted in under 24 hours. Attackers may create an account for their use, and then remove the account when no longer needed.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#short-lived-account\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/95543d6d-f00d-4193-a63f-4edeefb7ec36\",\"name\":\"95543d6d-f00d-4193-a63f-4edeefb7ec36\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZincOctober2022IOCs.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet domains = (iocs | where Type =~ \\\"domainname\\\"| project IoC);\\nlet IPList = (iocs | where Type =~ \\\"ip\\\"| project IoC);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\nlet useragents = (iocs | where Type =~ \\\"useragent\\\" | project IoC);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where DestinationHostName has_any (domains) or RequestURL has_any (domains) or Message has_any (domains) or SourceIP has_any (IPList) or DestinationIP has_any (IPList)\\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 *\\n| project TimeGenerated, Message, SourceUserID, RequestURL, DestinationHostName, Type, SourceIP, DestinationIP, DNSName\\n| extend timestamp = TimeGenerated, AccountEntity = SourceUserID, UrlEntity = RequestURL , IPEntity = DestinationIP, DNSCustomEntity = DNSName\\n),\\n(DnsEvents\\n| where Name in~ (domains) or IPAddresses has_any (IPList)\\n| project TimeGenerated, Computer, IPAddresses, Name, ClientIP, Type\\n| extend DNSName = Name, Host = Computer\\n| extend timestamp = TimeGenerated, HostEntity = Host, DNSCustomEntity = DNSName, IPEntity = IPAddresses\\n),\\n(VMConnection\\n| where RemoteDnsCanonicalNames has_any (domains) or SourceIp has_any (IPList) or DestinationIp has_any (IPList)\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| project TimeGenerated, Computer, Direction, RemoteDnsCanonicalNames, ProcessName, SourceIp, DestinationIp, DestinationPort, DNSName,BytesSent, BytesReceived, RemoteCountry, Type\\n| extend timestamp = TimeGenerated, IPEntity = DestinationIp, HostEntity = Computer, ProcessEntity = ProcessName, DNSCustomEntity = DNSName\\n),\\n(Event\\n| where Source =~ \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = tostring(EventDetail.[9].[\\\"#text\\\"]), DestinationIP = tostring(EventDetail.[14].[\\\"#text\\\"]), Image = EventDetail.[4].[\\\"#text\\\"]\\n| where SourceIP has_any (IPList) or DestinationIP has_any (IPList)\\n| project TimeGenerated, SourceIP, DestinationIP, Image, UserName, Computer, EventDetail, Type\\n| extend timestamp = TimeGenerated, AccountEntity = UserName, ProcessEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), HostEntity = Computer , IPEntity = DestinationIP\\n), \\n(DeviceNetworkEvents\\n| where RemoteUrl has_any (domains) or RemoteIP has_any (IPList) or InitiatingProcessSHA256 in (sha256Hashes) \\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, LocalIP, Type\\n| extend timestamp = TimeGenerated, IPEntity = RemoteIP, HostEntity = DeviceName, UrlEntity =RemoteUrl\\n),\\n(AzureDiagnostics\\n| where ResourceType =~ \\\"AZUREFIREWALLS\\\"\\n| where Category =~ \\\"AzureFirewallDnsProxy\\\"\\n| project TimeGenerated,Resource, msg_s, Type\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where Request_Name has_any (domains) or ClientIP has_any (IPList)\\n| extend timestamp = TimeGenerated, DNSName = Request_Name, IPEntity = ClientIP\\n),\\n(AzureDiagnostics\\n| where ResourceType =~ \\\"AZUREFIREWALLS\\\"\\n| where Category =~ \\\"AzureFirewallApplicationRule\\\"\\n| project TimeGenerated,Resource, msg_s\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where DestinationHost has_any (domains) or SourceHost has_any (IPList)\\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPEntity = SourceHost\\n),\\n(Event\\n| where Source =~ \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| parse EventDetail with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| extend Image = EventDetail.[4].[\\\"#text\\\"], CommandLine = EventDetail.[10].[\\\"#text\\\"]\\n| where SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256, CommandLine, Image\\n| extend Type = strcat(Type, \\\": \\\", Source)\\n| extend timestamp = TimeGenerated, HostEntity = Computer , AccountEntity = UserName, ProcessEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), AlgorithmEntity = \\\"SHA256\\\", FileHashEntity = SHA256\\n), \\n(DeviceProcessEvents\\n| where InitiatingProcessSHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, FolderPath, Type\\n| extend timestamp = TimeGenerated, HostEntity = DeviceName , AccountEntity = InitiatingProcessAccountName, ProcessEntity = InitiatingProcessFileName, AlgorithmEntity = \\\"SHA256\\\", FileHashEntity = InitiatingProcessSHA256\\n),\\n(DeviceFileEvents\\n| where InitiatingProcessSHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RequestAccountName, RequestSourceIP, InitiatingProcessSHA256, FolderPath, Type\\n| extend timestamp = TimeGenerated, HostEntity = DeviceName , AccountEntity = RequestAccountName, ProcessEntity = InitiatingProcessFileName, AlgorithmEntity = \\\"SHA256\\\", FileHashEntity = InitiatingProcessSHA256\\n),\\n(DeviceEvents\\n| where InitiatingProcessSHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, FolderPath, Type\\n| extend CommandLine = InitiatingProcessCommandLine\\n| extend timestamp = TimeGenerated, HostEntity = DeviceName , AccountEntity = InitiatingProcessAccountName, ProcessEntity = InitiatingProcessFileName, AlgorithmEntity = \\\"SHA256\\\", FileHashEntity = InitiatingProcessSHA256\\n),\\n(OfficeActivity\\n| where ClientIP has_any (IPList) or UserAgent has_any (useragents)\\n| project TimeGenerated, UserAgent, Operation, RecordType, UserId, ClientIP, Type\\n| extend timestamp = TimeGenerated, IPEntity = ClientIP, AccountEntity = UserId\\n)\\n)\\n| extend HostName = tostring(split(HostEntity, \u0027.\u0027, 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(HostEntity, \u0027.\u0027), 1, -1), \u0027.\u0027))\\n| extend Name = tostring(split(AccountEntity, \u0027@\u0027, 0)[0]), UPNSuffix = tostring(split(AccountEntity, \u0027@\u0027, 1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"[Deprecated] - Zinc Actor IOCs domains hashes IPs and useragent - October 2022\",\"description\":\"Use Microsoft\u0027s up-to-date Threat Intelligence solution from the Content Hub to replace the deprecated query with outdated IoCs. Install it from: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2021-07-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoAsaAma\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CefAma\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceFileEvents\",\"DeviceEvents\",\"DeviceProcessEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]},{\"connectorId\":\"WindowsFirewallAma\",\"dataTypes\":[\"WindowsFirewall\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/223db5c1-1bf8-47d8-8806-bed401b356a4\",\"name\":\"223db5c1-1bf8-47d8-8806-bed401b356a4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.7\",\"severity\":\"Low\",\"query\":\"let timeRange = 1d;\\nlet lookBack = 7d;\\nlet threshold_Failed = 5;\\nlet threshold_FailedwithSingleIP = 20;\\nlet threshold_IPAddressCount = 2;\\nlet isGUID = \\\"[0-9a-z]{8}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{12}\\\";\\nlet aadFunc = (tableName:string){\\nlet azPortalSignins = materialize(table(tableName)\\n| where TimeGenerated \u003e= ago(lookBack)\\n// Azure Portal only\\n| where AppDisplayName =~ \\\"Azure Portal\\\")\\n;\\nlet successPortalSignins = azPortalSignins\\n| where TimeGenerated \u003e= ago(timeRange)\\n// Azure Portal only and exclude non-failure Result Types\\n| where ResultType in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n// Tagging identities not resolved to friendly names\\n//| extend Unresolved = iff(Identity matches regex isGUID, true, false)\\n| distinct TimeGenerated, UserPrincipalName\\n;\\nlet failPortalSignins = azPortalSignins\\n| where TimeGenerated \u003e= ago(timeRange)\\n// Azure Portal only and exclude non-failure Result Types\\n| where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\", \\\"70044\\\", \\\"70043\\\")\\n// Tagging identities not resolved to friendly names\\n| extend Unresolved = iff(Identity matches regex isGUID, true, false)\\n;\\n// Verify there is no success for the same connection attempt after the fail\\nlet failnoSuccess = failPortalSignins | join kind= leftouter (\\n successPortalSignins\\n) on UserPrincipalName\\n| where TimeGenerated \u003e TimeGenerated1 or isempty(TimeGenerated1)\\n| project-away TimeGenerated1, UserPrincipalName1\\n;\\n// Lookup up resolved identities from last 7 days\\nlet identityLookup = azPortalSignins\\n| where TimeGenerated \u003e= ago(lookBack)\\n| where not(Identity matches regex isGUID)\\n| summarize by UserId, lu_UserDisplayName = UserDisplayName, lu_UserPrincipalName = UserPrincipalName;\\n// Join resolved names to unresolved list from portal signins\\nlet unresolvedNames = failnoSuccess | where Unresolved == true | join kind= inner (\\n identityLookup\\n) on UserId\\n| extend UserDisplayName = lu_UserDisplayName, UserPrincipalName = lu_UserPrincipalName\\n| project-away lu_UserDisplayName, lu_UserPrincipalName;\\n// Join Signins that had resolved names with list of unresolved that now have a resolved name\\nlet u_azPortalSignins = failnoSuccess | where Unresolved == false | union unresolvedNames;\\nu_azPortalSignins\\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n| extend Status = strcat(ResultType, \\\": \\\", ResultDescription), OS = tostring(DeviceDetail.operatingSystem), Browser = tostring(DeviceDetail.browser)\\n| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion)\\n| extend FullLocation = strcat(Region,\u0027|\u0027, State, \u0027|\u0027, City) \\n| summarize TimeGenerated = make_list(TimeGenerated,100), Status = make_list(Status,100), IPAddresses = make_list(IPAddress,100), IPAddressCount = dcount(IPAddress), FailedLogonCount = count()\\nby UserPrincipalName, UserId, UserDisplayName, AppDisplayName, Browser, OS, FullLocation, Type\\n| mvexpand TimeGenerated, IPAddresses, Status\\n| extend TimeGenerated = todatetime(tostring(TimeGenerated)), IPAddress = tostring(IPAddresses), Status = tostring(Status)\\n| project-away IPAddresses\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserPrincipalName, UserId, UserDisplayName, Status, FailedLogonCount, IPAddress, IPAddressCount, AppDisplayName, Browser, OS, FullLocation, Type\\n| where (IPAddressCount \u003e= threshold_IPAddressCount and FailedLogonCount \u003e= threshold_Failed) or FailedLogonCount \u003e= threshold_FailedwithSingleIP\\n| extend Name = tostring(split(UserPrincipalName,\u0027@\u0027,0)[0]), UPNSuffix = tostring(split(UserPrincipalName,\u0027@\u0027,1)[0])\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Failed login attempts to Azure Portal\",\"description\":\"Identifies failed login attempts in the Microsoft Entra ID SigninLogs to the Azure Portal. Many failed logon attempts or some failed logon attempts from multiple IPs could indicate a potential brute force attack.\\nThe following are excluded due to success and non-failure results:\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n0 - successful logon\\n50125 - Sign-in was interrupted due to a password reset or password registration entry.\\n50140 - This error occurred due to \u0027Keep me signed in\u0027 interrupt when the user was signing-in.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6b652b4f-9810-4eec-9027-7aa88ce4db23\",\"name\":\"6b652b4f-9810-4eec-9027-7aa88ce4db23\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"High\",\"query\":\"(union isfuzzy=true\\n(SecurityEvent\\n| where EventID==4688\\n| where CommandLine has \\\"wmic computersystem get domain\\\" and ParentProcessName has \\\"dllhost.exe\\\"\\n| project TimeGenerated, Computer, Account, AccountDomain, ProcessName, ProcessNameFullPath = NewProcessName, EventID, Activity, CommandLine, EventSourceName, Type\\n),\\n(DeviceProcessEvents \\n| where ProcessCommandLine has \\\"wmic computersystem get domain\\\" and InitiatingProcessFileName =~ \\\"dllhost.exe\\\" and InitiatingProcessCommandLine has \\\"dllhost.exe\\\"\\n| extend Account = strcat(InitiatingProcessAccountDomain, @\u0027\\\\\u0027, InitiatingProcessAccountName), Computer = DeviceName\\n)\\n)\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| extend AccountName = tostring(split(Account, @\u0027\\\\\u0027)[1]), AccountNTDomain = tostring(split(Account, @\u0027\\\\\u0027)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"Discovery\"],\"displayName\":\"Dev-0270 WMIC Discovery\",\"description\":\"The query below identifies dllhost.exe using WMIC to discover additional hosts and associated domains in the environment.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-09-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/910124df-913c-47e3-a7cd-29e1643fa55e\",\"name\":\"910124df-913c-47e3-a7cd-29e1643fa55e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"//Adjust this threshold to fit environment\\nlet signin_threshold = 5;\\n//Make a list of IPs with failed AWS console logins\\nlet aws_fails = AWSCloudTrail\\n| where EventName == \\\"ConsoleLogin\\\"\\n| extend LoginResult = tostring(parse_json(ResponseElements).ConsoleLogin)\\n| where LoginResult != \\\"Success\\\"\\n| where SourceIpAddress != \\\"127.0.0.1\\\"\\n| summarize count() by SourceIpAddress\\n| where count_ \u003e signin_threshold\\n| summarize make_set(SourceIpAddress);\\n//See if any of those IPs have sucessfully logged into Azure AD.\\nSigninLogs\\n| where ResultType in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n| where IPAddress in (aws_fails)\\n| extend Reason = \\\"Multiple failed AWS Console logins from IP address\\\"\\n| extend timestamp = TimeGenerated, AccountName = tostring(split(UserPrincipalName, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(UserPrincipalName, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"UserId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]}],\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"Failed AWS Console logons but success logon to AzureAD\",\"description\":\"Identifies a list of IP addresses with a minimum number (default of 5) of failed logon attempts to AWS Console.\\nUses that list to identify any successful Microsoft Entra ID logons from these IPs within the same timeframe.\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2019-08-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/80733eb7-35b2-45b6-b2b8-3c51df258206\",\"name\":\"80733eb7-35b2-45b6-b2b8-3c51df258206\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Low\",\"query\":\"let DomainList = dynamic([\\\"monerohash.com\\\", \\\"do-dear.com\\\", \\\"xmrminerpro.com\\\", \\\"secumine.net\\\", \\\"xmrpool.com\\\", \\\"minexmr.org\\\", \\\"hashanywhere.com\\\", \\\"xmrget.com\\\",\\n\\\"mininglottery.eu\\\", \\\"minergate.com\\\", \\\"moriaxmr.com\\\", \\\"multipooler.com\\\", \\\"moneropools.com\\\", \\\"xmrpool.eu\\\", \\\"coolmining.club\\\", \\\"supportxmr.com\\\",\\n\\\"minexmr.com\\\", \\\"hashvault.pro\\\", \\\"xmrpool.net\\\", \\\"crypto-pool.fr\\\", \\\"xmr.pt\\\", \\\"miner.rocks\\\", \\\"walpool.com\\\", \\\"herominers.com\\\", \\\"gntl.co.uk\\\", \\\"semipool.com\\\",\\n\\\"coinfoundry.org\\\", \\\"cryptoknight.cc\\\", \\\"fairhash.org\\\", \\\"baikalmine.com\\\", \\\"tubepool.xyz\\\", \\\"fairpool.xyz\\\", \\\"asiapool.io\\\", \\\"coinpoolit.webhop.me\\\", \\\"nanopool.org\\\",\\n\\\"moneropool.com\\\", \\\"miner.center\\\", \\\"prohash.net\\\", \\\"poolto.be\\\", \\\"cryptoescrow.eu\\\", \\\"monerominers.net\\\", \\\"cryptonotepool.org\\\", \\\"extrmepool.org\\\", \\\"webcoin.me\\\",\\n\\\"kippo.eu\\\", \\\"hashinvest.ws\\\", \\\"monero.farm\\\", \\\"supportxmr.com\\\", \\\"xmrpool.eu\\\", \\\"linux-repository-updates.com\\\", \\\"1gh.com\\\", \\\"dwarfpool.com\\\", \\\"hash-to-coins.com\\\",\\n\\\"hashvault.pro\\\", \\\"pool-proxy.com\\\", \\\"hashfor.cash\\\", \\\"fairpool.cloud\\\", \\\"litecoinpool.org\\\", \\\"mineshaft.ml\\\", \\\"abcxyz.stream\\\", \\\"moneropool.ru\\\", \\\"cryptonotepool.org.uk\\\",\\n\\\"extremepool.org\\\", \\\"extremehash.com\\\", \\\"hashinvest.net\\\", \\\"unipool.pro\\\", \\\"crypto-pools.org\\\", \\\"monero.net\\\", \\\"backup-pool.com\\\", \\\"mooo.com\\\", \\\"freeyy.me\\\", \\\"cryptonight.net\\\",\\n\\\"shscrypto.net\\\"]);\\nSyslog\\n| where ProcessName contains \\\"squid\\\"\\n| extend URL = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :]*)\\\",3,SyslogMessage),\\n SourceIP = extract(\\\"([0-9]+ )(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3}))\\\",2,SyslogMessage),\\n Status = extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))\\\",1,SyslogMessage),\\n HTTP_Status_Code = extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))/([0-9]{3})\\\",8,SyslogMessage),\\n User = extract(\\\"(CONNECT |GET )([^ ]* )([^ ]+)\\\",3,SyslogMessage),\\n RemotePort = extract(\\\"(CONNECT |GET )([^ ]*)(:)([0-9]*)\\\",4,SyslogMessage),\\n Domain = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :\\\\\\\\/]*)\\\",3,SyslogMessage),\\n Bytes = toint(extract(\\\"([A-Z]+\\\\\\\\/[0-9]{3} )([0-9]+)\\\",2,SyslogMessage)),\\n contentType = extract(\\\"([a-z/]+$)\\\",1,SyslogMessage)\\n| extend TLD = extract(\\\"\\\\\\\\.[a-z]*$\\\",0,Domain)\\n| where HTTP_Status_Code == \u0027200\u0027\\n| where Domain contains \\\".\\\"\\n| where Domain has_any (DomainList)\\n| extend AccountName = tostring(split(User, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(User, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"User\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URL\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Squid proxy events related to mining pools\",\"description\":\"Checks for Squid proxy events in Syslog associated with common mining pools. This query presumes the default Squid log format is being used.\\n http://www.squid-cache.org/Doc/config/access_log/\",\"lastUpdatedDateUTC\":\"2024-07-25T00:00:00Z\",\"createdDateUTC\":\"2019-07-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"SyslogAma\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9176b18f-a946-42c6-a2f6-0f6d17cd6a8a\",\"name\":\"9176b18f-a946-42c6-a2f6-0f6d17cd6a8a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.5\",\"severity\":\"Medium\",\"query\":\"let triThreshold = 500;\\nlet querystarttime = 6h;\\nlet dgaLengthThreshold = 8;\\n// fetch the cisco umbrella top 1M domains\\nlet top1M = (externaldata (Position:int, Domain:string) [@\\\"http://s3-us-west-1.amazonaws.com/umbrella-static/top-1m.csv.zip\\\"] with (format=\\\"csv\\\", zipPattern=\\\"*.csv\\\"));\\n// extract tri grams that are above our threshold - i.e. are common\\nlet triBaseline = top1M\\n | extend Domain = tolower(extract(\\\"([^.]*).{0,7}$\\\", 1, Domain))\\n | extend AllTriGrams = array_concat(extract_all(\\\"(...)\\\", Domain), extract_all(\\\"(...)\\\", substring(Domain, 1)), extract_all(\\\"(...)\\\", substring(Domain, 2)))\\n | mvexpand Trigram=AllTriGrams to typeof(string)\\n | summarize triCount=count() by Trigram\\n | sort by triCount desc\\n | where triCount \u003e triThreshold\\n | distinct Trigram;\\n// collect domain information from common security log, filter and extract the DGA candidate and its trigrams\\nlet allDataSummarized = _Im_WebSession\\n| where isnotempty(Url)\\n| extend Name = tolower(tostring(parse_url(Url)[\\\"Host\\\"]))\\n| summarize NameCount=count() by Name\\n| where Name has \\\".\\\"\\n| where Name !endswith \\\".home\\\" and Name !endswith \\\".lan\\\"\\n// extract DGA candidate\\n| extend DGADomain = extract(\\\"([^.]*).{0,7}$\\\", 1, Name)\\n| where strlen(DGADomain) \u003e dgaLengthThreshold\\n// throw out domains with number in them\\n| where DGADomain matches regex \\\"^[A-Za-z]{0,}$\\\"\\n// extract the tri grams from summarized data\\n| extend AllTriGrams = array_concat(extract_all(\\\"(...)\\\", DGADomain), extract_all(\\\"(...)\\\", substring(DGADomain, 1)), extract_all(\\\"(...)\\\", substring(DGADomain, 2)));\\n// throw out domains that have repeating tri\u0027s and/or \u003e=3 repeating letters\\nlet nonRepeatingTris = allDataSummarized\\n| join kind=leftanti\\n(\\n allDataSummarized\\n | mvexpand AllTriGrams\\n | summarize count() by tostring(AllTriGrams), DGADomain\\n | where count_ \u003e 1\\n | distinct DGADomain\\n)\\non DGADomain;\\n// find domains that do not have a common tri in the baseline\\nlet dataWithRareTris = nonRepeatingTris\\n| join kind=leftanti\\n(\\n nonRepeatingTris\\n | mvexpand AllTriGrams\\n | extend Trigram = tostring(AllTriGrams)\\n | distinct Trigram, DGADomain\\n | join kind=inner\\n (\\n triBaseline\\n )\\n on Trigram\\n | distinct DGADomain\\n)\\non DGADomain;\\ndataWithRareTris\\n// join DGAs back on connection data\\n| join kind=inner\\n(\\n _Im_WebSession\\n | where isnotempty(Url)\\n | extend Url = tolower(Url)\\n | summarize arg_max(TimeGenerated, EventVendor, SrcIpAddr) by Url\\n | extend Name=tostring(parse_url(Url)[\\\"Host\\\"])\\n | summarize StartTime=min(TimeGenerated), EndTime=max(TimeGenerated) by Name, SrcIpAddr, Url\\n)\\non Name\\n| project StartTime, EndTime, Name, DGADomain, SrcIpAddr, Url, NameCount\",\"customDetails\":{\"DGAPattern\":\"DGADomain\",\"NameCount\":\"NameCount\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Potential communication from {{SrcIpAddr}} with a Domain Generation Algorithm (DGA) based host {{Name}}\",\"alertDescriptionFormat\":\"A client with address {{SrcIpAddr}} communicated with host {{Name}} that have a domain name that might have been generated by a Domain Generation Algorithm (DGA), identified by the pattern {{DGADomain}}. DGAs are used by malware to generate rendezvous points that are difficult to predict in advance. This detection uses the top 1 million domain names to build a model of what normal domains look like and uses the model to identify domains that may have been randomly generated by an algorithm.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Potential communication with a Domain Generation Algorithm (DGA) based hostname (ASIM Web Session schema)\",\"description\":\"This rule identifies communication with hosts that have a domain name that might have been generated by a Domain Generation Algorithm (DGA).\\nDGAs are used by malware to generate rendezvous points that are difficult to predict in advance. This detection uses the top 1 million domain names to build a model of what normal domains look like nad uses the model to identify domains that may have been randomly generated by an algorithm. You can modify the triThreshold and dgaLengthThreshold query parameters to change Analytic Rule sensitivity. The higher the numbers, the less noisy the rule is.\\n This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema)\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2021-12-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b725d62c-eb77-42ff-96f6-bdc6745fc6e0\",\"name\":\"b725d62c-eb77-42ff-96f6-bdc6745fc6e0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"Low\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nlet UserAgentAll =\\n(union isfuzzy=true\\n(OfficeActivity\\n| where TimeGenerated \u003e= ago(starttime)\\n| where isnotempty(UserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = ClientIP, Account = UserId, Type, RecordType, Operation\\n),\\n(\\nW3CIISLog\\n| where TimeGenerated \u003e= ago(starttime)\\n| where isnotempty(csUserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent = csUserAgent, SourceIP = cIP, Account = csUserName, Type, sSiteName, csMethod, csUriStem\\n),\\n(\\nAWSCloudTrail\\n| where TimeGenerated \u003e= ago(starttime)\\n| where isnotempty(UserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = SourceIpAddress, Account = UserIdentityUserName, Type, EventSource, EventName\\n))\\n// remove wordSize blocks of non-numeric hex characters prior to word extraction\\n| extend UserAgentNoHexAlphas = replace(\\\"([A-Fa-f]{4,})\\\", \\\"x\\\", UserAgent)\\n// once blocks of hex chars are removed, extract wordSize blocks of a-z\\n| extend Tokens = extract_all(\\\"([A-Za-z]{4,})\\\", UserAgentNoHexAlphas)\\n// concatenate extracted words to create a summarized user agent for baseline and comparison\\n| extend NormalizedUserAgent = strcat_array(Tokens, \\\"|\\\")\\n| project-away UserAgentNoHexAlphas, Tokens;\\nUserAgentAll\\n| where StartTime \u003e= ago(endtime)\\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), count() by UserAgent, NormalizedUserAgent, SourceIP, Account, Type, RecordType, Operation, EventSource, EventName, sSiteName, csMethod, csUriStem\\n| join kind=leftanti\\n(\\nUserAgentAll\\n| where StartTime \u003c ago(endtime)\\n| summarize by NormalizedUserAgent, SourceIP, Account, Type, RecordType, Operation, EventSource, EventName, sSiteName, csMethod, csUriStem\\n)\\non NormalizedUserAgent\\n| extend timestamp = StartTime\\n| extend Name = tostring(split(Account, \u0027@\u0027, 0)[0]), UPNSuffix = tostring(split(Account, \u0027@\u0027, 1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]}],\"tactics\":[\"InitialAccess\",\"CommandAndControl\",\"Execution\"],\"displayName\":\"New UserAgent observed in last 24 hours\",\"description\":\"Identifies new UserAgents observed in the last 24 hours versus the previous 14 days. This detection extracts words from user agents to build the baseline and determine rareity rather than perform a direct comparison. This avoids FPs caused by version numbers and other high entropy user agent components.\\nThese new UserAgents could be benign. However, in normally stable environments, these new UserAgents could provide a starting point for investigating malicious activity.\\nNote: W3CIISLog can be noisy depending on the environment, however OfficeActivity and AWSCloudTrail are usually stable with low numbers of detections.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2019-04-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6e95aef3-a1e0-4063-8e74-cd59aa59f245\",\"name\":\"6e95aef3-a1e0-4063-8e74-cd59aa59f245\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"AzureActivity\\n| where OperationNameValue =~ \\\"MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/DELETE\\\"\\n| summarize\\n TimeGenerated = arg_max(TimeGenerated, Properties),\\n ActivityStatusValue = make_set(ActivityStatusValue, 5),\\n take_any(Caller, CallerIpAddress, OperationName, ResourceGroup, Resource)\\n by CorrelationId, _ResourceId, OperationNameValue\\n| extend ResourceHierarchy = split(_ResourceId, \\\"/\\\")\\n| extend MonitoredResourcePath = strcat_array(array_slice(ResourceHierarchy, 0, array_length(ResourceHierarchy)-5), \\\"/\\\")\\n| join kind=leftanti (\\n AzureActivity\\n | where OperationNameValue !~ \\\"MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/DELETE\\\" and OperationNameValue endswith \\\"/DELETE\\\" and ActivityStatusValue has_any (\\\"Success\\\", \\\"Succeeded\\\")\\n | project _ResourceId\\n) on $left.MonitoredResourcePath == $right._ResourceId\\n| extend\\n Name = iif(Caller has \\\"@\\\", tostring(split(Caller, \\\"@\\\")[0]), \\\"\\\"),\\n UPNSuffix = iif(Caller has \\\"@\\\", tostring(split(Caller, \\\"@\\\")[1]), \\\"\\\"),\\n AadUserId = iif(Caller has \\\"@\\\", \\\"\\\", Caller)\\n| project TimeGenerated, Caller, CallerIpAddress, OperationNameValue, OperationName, ActivityStatusValue, ResourceGroup, MonitoredResourcePath, Resource, Properties, Name, UPNSuffix, AadUserId, _ResourceId, CorrelationId\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Caller\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"AadUserId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"CallerIpAddress\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure Diagnostic settings removed from a resource\",\"description\":\"This query looks for diagnostic settings that are removed from a resource.\\nThis could indicate an attacker or malicious internal trying to evade detection before malicious act is performed.\\nIf the diagnostic settings are being deleted as part of a parent resource deletion, the event is ignores.\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2022-06-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3ff0fffb-d963-40c0-b235-3404f915add7\",\"name\":\"3ff0fffb-d963-40c0-b235-3404f915add7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"GitHubAuditData\\n| where Action == \\\"org.disable_two_factor_requirement\\\"\\n| project TimeGenerated, Action, Actor, Country, Repository\\n| extend Name = iif(Actor contains \\\"@\\\", split(Actor, \\\"@\\\")[0], Actor)\\n| extend UPNSuffix = iif(Actor contains \\\"@\\\", split(Actor, \\\"@\\\")[1], \\\"\\\")\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Actor\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"GitHub Two Factor Auth Disable\",\"description\":\"Two-factor authentication is a process where a user is prompted during the sign-in process for an additional form of identification, such as to enter a code on their cellphone or to provide a fingerprint scan. Two factor authentication reduces the risk of account takeover. Attacker will want to disable such security tools in order to go undetected. \",\"lastUpdatedDateUTC\":\"2024-03-14T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/825991eb-ea39-4590-9de2-ee97ef42eb93\",\"name\":\"825991eb-ea39-4590-9de2-ee97ef42eb93\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ActiniumIOC.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet domains = (iocs | where Type =~ \\\"domainname\\\"| project IoC);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\n(union isfuzzy=true\\n(DeviceProcessEvents\\n| where InitiatingProcessSHA256 in (sha256Hashes) or SHA256 in (sha256Hashes) or (ProcessCommandLine has (\u0027schtasks.exe /CREATE /sc minute /mo 12 /tn\u0027) and ProcessCommandLine has (\u0027/tr \\\"wscript.exe\u0027) and ProcessCommandLine has (\u0027\\\"%PUBLIC%\\\\\\\\Pictures\\\\\\\\\u0027) and ProcessCommandLine has (\u0027//e:VBScript //b\\\" /F\u0027)) or (ProcessCommandLine has (\u0027wscript.exe C:\\\\\\\\Users\\\\\\\\\u0027) and ProcessCommandLine has (\u0027.wav\u0027) and ProcessCommandLine has (\u0027//e:VBScript //b\u0027) \\nor (ProcessCommandLine has_all (\\\"schtasks.exe\\\", \\\"create\\\", \\\"wscript\\\", \\\"e:vbscript\\\", \\\".wav\\\")))\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, ProcessCommandLine, InitiatingProcessAccountName, InitiatingProcessCommandLine, FolderPath, InitiatingProcessFolderPath, ProcessId, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type, AccountName, SHA256, FileName\\n| extend Account = AccountName, Computer = DeviceName, FileHash = case(InitiatingProcessSHA256 in (sha256Hashes), \\\"InitiatingProcessSHA256\\\", SHA256 in (sha256Hashes), \\\"SHA256\\\", \\\"No Match\\\")\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = FileName, FileHashCustomEntity = case(FileHash == \\\"InitiatingProcessSHA256\\\", InitiatingProcessSHA256, FileHash == \\\"SHA256\\\", SHA256, \\\"No Match\\\"), AlgorithmCustomEntity = \\\"SHA256\\\"\\n),\\n( SecurityEvent\\n| where EventID == 4688\\n| where (CommandLine has (\u0027schtasks.exe /CREATE /sc minute /mo 12 /tn\u0027) and CommandLine has (\u0027/tr \\\"wscript.exe\u0027) and CommandLine has (\u0027\\\"%PUBLIC%\\\\\\\\Pictures\\\\\\\\\u0027) and CommandLine has (\u0027//e:VBScript //b\\\" /F\u0027)) or (CommandLine has (\u0027wscript.exe C:\\\\\\\\Users\\\\\\\\\u0027) and CommandLine has (\u0027.wav\u0027) and CommandLine has (\u0027//e:VBScript //b\u0027))\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type, EventID\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName\\n),\\n( CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, SourceUserID, FileHash, Type\\n| extend timestamp = TimeGenerated, FileHashCustomEntity = FileHash, Account = SourceUserID, AlgorithmCustomEntity = \\\"SHA256\\\"\\n),\\n( imFileEvent\\n| where Hash in~ (sha256Hashes) or (ActingProcessCommandLine has (\u0027schtasks.exe /CREATE /sc minute /mo 12 /tn\u0027) and ActingProcessCommandLine has (\u0027/tr \\\"wscript.exe\u0027) and ActingProcessCommandLine has (\u0027\\\"%PUBLIC%\\\\\\\\Pictures\\\\\\\\\u0027) and ActingProcessCommandLine has (\u0027//e:VBScript //b\\\" /F\u0027)) or (ActingProcessCommandLine has (\u0027wscript.exe C:\\\\\\\\Users\\\\\\\\\u0027) and ActingProcessCommandLine has (\u0027.wav\u0027) and ActingProcessCommandLine has (\u0027//e:VBScript //b\u0027) \\n or (ActingProcessCommandLine has_all (\\\"schtasks.exe\\\", \\\"create\\\", \\\"wscript\\\", \\\"e:vbscript\\\", \\\".wav\\\")))\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = Hash\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, FileHashCustomEntity = FileHash, AlgorithmCustomEntity = \\\"SHA256\\\"\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Image = EventDetail.[4].[\\\"#text\\\"], CommandLine = EventDetail.[10].[\\\"#text\\\"], Hashes = tostring(EventDetail.[17].[\\\"#text\\\"])\\n| extend Hashes = extract_all(@\\\"(?P\u003ckey\u003e\\\\w+)=(?P\u003cvalue\u003e[a-zA-Z0-9]+)\\\", dynamic([\\\"key\\\",\\\"value\\\"]), Hashes)\\n| extend Hashes = column_ifexists(\\\"Hashes\\\", \\\"\\\"), CommandLine = column_ifexists(\\\"CommandLine\\\", \\\"\\\")\\n| extend Hashes = todynamic(Hashes) | mv-expand Hashes\\n| where (Hashes[0] =~ \\\"SHA256\\\" and Hashes[1] has_any (sha256Hashes)) or (CommandLine has (\u0027schtasks.exe /CREATE /sc minute /mo 12 /tn\u0027) and CommandLine has (\u0027/tr \\\"wscript.exe\u0027) and CommandLine has (\u0027\\\"%PUBLIC%\\\\\\\\Pictures\\\\\\\\\u0027) and CommandLine has (\u0027//e:VBScript //b\\\" /F\u0027)) or (CommandLine has (\u0027wscript.exe C:\\\\\\\\Users\\\\\\\\\u0027) and CommandLine has (\u0027.wav\u0027) and CommandLine has (\u0027//e:VBScript //b\u0027) or (CommandLine has_all (\\\"schtasks.exe\\\", \\\"create\\\", \\\"wscript\\\", \\\"e:vbscript\\\", \\\".wav\\\")))\\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, Hashes, CommandLine, Image\\n| extend Type = strcat(Type, \\\": \\\", Source)\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), FileHashCustomEntity = tostring(Hashes[1]), AlgorithmCustomEntity = \\\"SHA256\\\"\\n),\\n(DnsEvents\\n| where Name in~ (domains) \\n| project TimeGenerated, Computer, IPAddresses, Name, ClientIP, Type\\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Computer \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress\\n),\\n(VMConnection\\n| where RemoteDnsCanonicalNames has_any (domains)\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| project TimeGenerated, Computer, Direction, ProcessName, SourceIp, DestinationIp, DestinationPort, RemoteDnsQuestions, DNSName,BytesSent, BytesReceived, RemoteCountry, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIp, File = ProcessName\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| project TimeGenerated,Resource, msg_s, Type\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (domains) \\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| project TimeGenerated,Resource, msg_s, Type\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where Request_Name has_any (domains)\\n| extend timestamp = TimeGenerated, DNSName = Request_Name, IPCustomEntity = ClientIP\\n),\\n(AZFWApplicationRule\\n| where isnotempty(Fqdn)\\n| where Fqdn has_any (domains) \\n| extend timestamp = TimeGenerated, DNSName = Fqdn, IPCustomEntity = SourceIp\\n),\\n(AZFWDnsQuery\\n| where isnotempty(QueryName)\\n| where QueryName has_any (domains)\\n| extend timestamp = TimeGenerated, DNSName = QueryName, IPCustomEntity = SourceIp\\n),\\n(DeviceNetworkEvents \\n| where isnotempty(RemoteUrl) \\n| where RemoteUrl in~ (domains) \\n| project Type, TimeGenerated, DeviceName, RemoteIP, RemoteUrl, InitiatingProcessAccountName\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, DNSName = RemoteUrl, IPCustomEntity = RemoteIP\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"[Deprecated] - Aqua Blizzard Actor IOCs - Feb 2022\",\"description\":\"This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft\u0027s Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2022-02-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceProcessEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\",\"AZFWApplicationRule\",\"AZFWDnsQuery\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d0c82b7f-40b2-4180-a4d6-7aa0541b7599\",\"name\":\"d0c82b7f-40b2-4180-a4d6-7aa0541b7599\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"let threshold = 3;\\nPulseConnectSecure\\n| where Messages contains \\\"Unauthenticated request url /dana-na/\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by Source_IP\\n| where count_ \u003e threshold\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"Source_IP\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"PulseConnectSecure - CVE-2021-22893 Possible Pulse Connect Secure RCE Vulnerability Attack\",\"description\":\"This query identifies exploitation attempts using Pulse Connect Secure(PCS) vulnerability (CVE-2021-22893) to the VPN server\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-05-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PulseConnectSecure\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d99cf5c3-d660-436c-895b-8a8f8448da23\",\"name\":\"d99cf5c3-d660-436c-895b-8a8f8448da23\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.4\",\"severity\":\"Medium\",\"query\":\"let riskScoreCutoff = 3; //Adjust this score threshold based on volume of results. Activities identified as the most abnormal receive the highest scores (on a scale of 0-10)\\nSigninLogs\\n| where ResultType == 500121\\n| extend additionalDetails_ = tostring(Status.additionalDetails)\\n| extend UserPrincipalName = tolower(UserPrincipalName)\\n| where additionalDetails_ =~ \\\"MFA denied; user declined the authentication\\\" or additionalDetails_ has \\\"fraud\\\"\\n| summarize StartTime = min(TimeGenerated), EndTIme = max(TimeGenerated) by UserPrincipalName, UserId, AADTenantId, FailedIPAddress = IPAddress\\n| extend Name = tostring(split(UserPrincipalName,\u0027@\u0027,0)[0]), UPNSuffix = tostring(split(UserPrincipalName,\u0027@\u0027,1)[0])\\n| join kind=leftouter (\\n IdentityInfo\\n | summarize LatestReportTime = arg_max(TimeGenerated, *) by AccountUPN\\n | project AccountUPN, Tags, JobTitle, GroupMembership, AssignedRoles, UserType, IsAccountEnabled\\n | summarize\\n Tags = make_set(Tags, 1000),\\n GroupMembership = make_set(GroupMembership, 1000),\\n AssignedRoles = make_set(AssignedRoles, 1000),\\n UserType = make_set(UserType, 1000),\\n UserAccountControl = make_set(UserType, 1000)\\n by AccountUPN\\n | extend UserPrincipalName=tolower(AccountUPN)\\n) on UserPrincipalName\\n//Below it will be joined with BehaviorAnalytics table to the Failed IP Addresses\\n| join kind=leftouter (\\n BehaviorAnalytics\\n | where ActivityType in (\\\"FailedLogOn\\\", \\\"LogOn\\\")\\n | where isnotempty(SourceIPAddress)\\n | project UsersInsights, DevicesInsights, ActivityInsights, InvestigationPriority, SourceIPAddress, UserName\\n | project-rename FailedIPAddress = SourceIPAddress, Name = UserName\\n | summarize\\n MaxInvestigationScore = max(InvestigationPriority) // Only retrieve maximum Investigation Property score for both FailedIP and User\\n by FailedIPAddress, Name)\\non FailedIPAddress, Name // Joining on both IP and User so as to only return context associated with same user\\n| extend UEBARiskScore = MaxInvestigationScore\\n| project-away *1 // removing duplicate columns post outer join from output\\n| where UEBARiskScore \u003e riskScoreCutoff\\n| sort by UEBARiskScore desc\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"UserId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"FailedIPAddress\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"MFA Rejected by User\",\"description\":\"Identifies occurances where a user has rejected an MFA prompt. This could be an indicator that a threat actor has compromised the username and password of this user account and is using it to try and log into the account.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\\nThis query has also been updated to include UEBA logs IdentityInfo and BehaviorAnalytics for contextual information around the results. \\nPlease note, MFA Failed logons from known IP ranges can be benign depending on the conditional access policies. In case of noisy behavior, consider tuning the source IP ranges or location filter after careful consideration\",\"lastUpdatedDateUTC\":\"2024-12-17T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"BehaviorAnalytics\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"IdentityInfo\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/caf78b95-d886-4ac3-957a-a7a3691ff4ed\",\"name\":\"caf78b95-d886-4ac3-957a-a7a3691ff4ed\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT12H\",\"queryPeriod\":\"PT12H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Tarrask.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, SourceUserID, FileHash, Type\\n| extend timestamp = TimeGenerated, FileHashCustomEntity = FileHash, Account = SourceUserID\\n),\\n(imFileEvent\\n| where TargetFileSHA256 has_any (sha256Hashes)\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHashCustomEntity = FileHash\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Image = EventDetail.[4].[\\\"#text\\\"], CommandLine = EventDetail.[10].[\\\"#text\\\"], Hashes = tostring(EventDetail.[17].[\\\"#text\\\"])\\n| extend Hashes = extract_all(@\\\"(?P\u003ckey\u003e\\\\w+)=(?P\u003cvalue\u003e[a-zA-Z0-9]+)\\\", dynamic([\\\"key\\\",\\\"value\\\"]), Hashes)\\n| extend Hashes = column_ifexists(\\\"Hashes\\\", \\\"\\\"), CommandLine = column_ifexists(\\\"CommandLine\\\", \\\"\\\")\\n| extend Hashes = todynamic(Hashes) | mv-expand Hashes\\n| where Hashes[0] =~ \\\"SHA256\\\" and Hashes[1] has_any (sha256Hashes) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, Hashes, CommandLine, Image\\n| extend Type = strcat(Type, \\\": \\\", Source)\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), FileHashCustomEntity = tostring(Hashes[1])\\n),\\n(DeviceEvents\\n| where InitiatingProcessSHA256 has_any (sha256Hashes) or SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n),\\n(DeviceFileEvents\\n| where SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n),\\n(DeviceImageLoadEvents\\n| where SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"[Deprecated] - Tarrask malware IOC - April 2022\",\"description\":\"This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft\u0027s Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2022-01-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\",\"DeviceEvents\",\"DeviceImageLoadEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/155e9134-d5ad-4a6f-88f3-99c220040b66\",\"name\":\"155e9134-d5ad-4a6f-88f3-99c220040b66\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.7\",\"severity\":\"Medium\",\"query\":\"// Set the lookback to determine if user has created pipelines before\\nlet timeback = 14d;\\n// Set the period for detections\\nlet timeframe = 1d;\\n// Get a list of previous Release Pipeline creators to exclude\\nlet releaseusers = AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeback) and TimeGenerated \u003c ago(timeframe)\\n| where OperationName in (\\\"Release.ReleasePipelineCreated\\\", \\\"Release.ReleasePipelineModified\\\")\\n// We want to look for users performing actions in specific projects so we create this userscope object to match on\\n| extend UserScope = strcat(ActorUserId, \\\"-\\\", ProjectName)\\n| summarize by UserScope;\\n// Get Release Pipeline creations by new users\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeframe)\\n| where OperationName =~ \\\"Release.ReleasePipelineModified\\\"\\n| extend UserScope = strcat(ActorUserId, \\\"-\\\", ProjectName)\\n| where UserScope !in (releaseusers)\\n| extend ActorUPN = tolower(ActorUPN)\\n| project-away Id, ActivityId, ActorCUID, ScopeId, ProjectId, TenantId, SourceSystem, UserScope\\n// See if any of these users have Azure AD alerts associated with them in the same timeframe\\n| join kind = leftouter (\\nSecurityAlert\\n| where TimeGenerated \u003e ago(timeframe)\\n| where ProviderName == \\\"IPC\\\"\\n| extend AadUserId = tostring(parse_json(Entities)[0].AadUserId)\\n| summarize Alerts=count() by AadUserId) on $left.ActorUserId == $right.AadUserId\\n| extend Alerts = iif(isnotempty(Alerts), Alerts, 0)\\n// Uncomment the line below to only show results where the user as AADIdP alerts\\n//| where Alerts \u003e 0\\n| extend timestamp = TimeGenerated\\n| extend AccountName = tostring(split(ActorUPN, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(ActorUPN, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ActorUPN\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]}],\"tactics\":[\"Execution\",\"DefenseEvasion\"],\"displayName\":\"Azure DevOps Pipeline modified by a new user\",\"description\":\"There are several potential pipeline steps that could be modified by an attacker to inject malicious code into the build cycle. A likely attacker path is the modification to an existing pipeline that they have access to. \\nThis detection looks for users modifying a pipeline when they have not previously been observed modifying or creating that pipeline before. This query also joins events with data to Microsoft Entra ID Protection in order to show if the user conducting the action has any associated Microsoft Entra ID Protection alerts. You can also choose to filter this detection to only alert when the user also has Microsoft Entra ID Protection alerts associated with them.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b7643904-5081-4920-917e-a559ddc3448f\",\"name\":\"b7643904-5081-4920-917e-a559ddc3448f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"let Threshold = 1;\\nAzureDiagnostics\\n| where Category =~ \\\"FrontDoorWebApplicationFirewallLog\\\"\\n| where action_s =~ \\\"AnomalyScoring\\\"\\n| where details_msg_s has \\\"XSS\\\"\\n| parse details_data_s with MessageText \\\"Matched Data:\\\" MatchedData \\\"AND \\\" * \\\"table_name FROM \\\" TableName \\\" \\\" *\\n| project trackingReference_s, host_s, requestUri_s, TimeGenerated, clientIP_s, details_matches_s, details_msg_s, details_data_s, TableName, MatchedData\\n| join kind = inner(\\nAzureDiagnostics\\n| where Category =~ \\\"FrontDoorWebApplicationFirewallLog\\\"\\n| where action_s =~ \\\"Block\\\") on trackingReference_s\\n| summarize URI_s = make_set(requestUri_s,100), Table = make_set(TableName,100), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), TrackingReference = make_set(trackingReference_s,100), Matched_Data = make_set(MatchedData,100), Detail_Data = make_set(details_data_s,100), Detail_Message = make_set(details_msg_s,100), Total_TrackingReference = dcount(trackingReference_s) by clientIP_s, host_s, action_s\\n| where Total_TrackingReference \u003e= Threshold\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URI_s\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"clientIP_s\"}]}],\"tactics\":[\"InitialAccess\",\"Execution\"],\"displayName\":\"Front Door Premium WAF - XSS Detection\",\"description\":\"Identifies a match for an XSS attack in the Front Door Premium WAF logs. The threshold value in the query can be changed as per your infrastructure\u0027s requirements.\\n References: https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS)\",\"lastUpdatedDateUTC\":\"2023-12-20T00:00:00Z\",\"createdDateUTC\":\"2022-10-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"WAF\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9d0295ee-cb75-4f2c-9952-e5acfbb67036\",\"name\":\"9d0295ee-cb75-4f2c-9952-e5acfbb67036\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":1,\"version\":\"1.0.3\",\"severity\":\"Informational\",\"query\":\"let timeframe = ago(1d);\\nAppServiceAntivirusScanAuditLogs\\n| where NumberOfInfectedFiles \u003e 0\\n| extend timestamp = TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"AzureID\",\"columnName\":\"_ResourceId\"}]}],\"displayName\":\"AppServices AV Scan with Infected Files\",\"description\":\"Identifies if an AV scan finds infected files in Azure App Services.\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2020-12-11T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/422ca2bf-598b-4872-82bb-5f7e8fa731e7\",\"name\":\"422ca2bf-598b-4872-82bb-5f7e8fa731e7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"High\",\"query\":\"(union isfuzzy=true\\n(SecurityEvent\\n| where EventID==4688\\n| extend FileName=tostring(split(NewProcessName, @\u0027\\\\\u0027)[(-1)]), ProcessCommandLine = CommandLine, InitiatingProcessFileName=ParentProcessName\\n| where (FileName =~ \\\"powershell.exe\\\" and ProcessCommandLine has_all(\\\"try\\\", \\\"Add-MpPreference\\\", \\\"-ExclusionPath\\\", \\\"ProgramData\\\", \\\"catch\\\")) or (FileName =~ \u0027powershell.exe\u0027 and ProcessCommandLine has_all(\u0027Add-PSSnapin\u0027, \u0027Get-Recipient\u0027, \u0027-ExpandProperty\u0027, \u0027EmailAddresses\u0027, \u0027SmtpAddress\u0027, \u0027-hidetableheaders\u0027) )\\n| project TimeGenerated, Computer, Account, AccountDomain, ProcessName, ProcessNameFullPath = NewProcessName, InitiatingProcessFileName, EventID, Activity, CommandLine, EventSourceName, Type\\n),\\n(DeviceProcessEvents \\n| where (FileName =~ \\\"powershell.exe\\\" and ((ProcessCommandLine has_all(\\\"try\\\", \\\"Add-MpPreference\\\", \\\"-ExclusionPath\\\", \\\"ProgramData\\\", \\\"catch\\\")) or (ProcessCommandLine has_all(\u0027Add-PSSnapin\u0027, \u0027Get-Recipient\u0027, \u0027-ExpandProperty\u0027, \u0027EmailAddresses\u0027, \u0027SmtpAddress\u0027, \u0027-hidetableheaders\u0027))))\\nor ( InitiatingProcessFileName =~ \u0027powershell.exe\u0027 and (((InitiatingProcessCommandLine has_all(\u0027$file=\u0027, \u0027dllhost.exe\u0027, \u0027Invoke-WebRequest\u0027, \u0027-OutFile\u0027)) or ((InitiatingProcessCommandLine has_all(\u0027$admins=\u0027, \u0027System.Security.Principal.SecurityIdentifier\u0027, \u0027Translate\u0027, \u0027-split\u0027, \u0027localgroup\u0027, \u0027/add\u0027, \u0027$rdp=\u0027))))))\\n| extend Account = strcat(InitiatingProcessAccountDomain, @\u0027\\\\\u0027, InitiatingProcessAccountName), Computer = DeviceName\\n)\\n)\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| extend AccountName = tostring(split(Account, @\u0027\\\\\u0027)[1]), AccountNTDomain = tostring(split(Account, @\u0027\\\\\u0027)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"Exfiltration\",\"DefenseEvasion\"],\"displayName\":\"Dev-0270 Malicious Powershell usage\",\"description\":\"DEV-0270 heavily uses powershell to achieve their objective at various stages of their attack. To locate powershell related activity tied to the actor, Microsoft Sentinel customers can run the following query.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-09-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/eb8a9c1c-f532-4630-817c-1ecd8a60ed80\",\"name\":\"eb8a9c1c-f532-4630-817c-1ecd8a60ed80\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P2D\",\"queryPeriod\":\"P2D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n| where OperationName has \\\"Delete partner specific cross-tenant access setting\\\"\\n| mv-apply TargetResource = TargetResources on\\n (\\n where TargetResource.type =~ \\\"Policy\\\"\\n | extend Properties = TargetResource.modifiedProperties\\n )\\n| mv-apply Property = Properties on\\n (\\n where Property.displayName =~ \\\"tenantId\\\"\\n | extend ExtTenantDeleted = trim(\u0027\\\"\u0027,tostring(Property.oldValue))\\n )\\n| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n| extend InitiatingIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\\n| extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"InitiatingAppName\"},{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAppServicePrincipalId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatingAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatingAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIpAddress\"}]}],\"tactics\":[\"InitialAccess\",\"Persistence\",\"Discovery\"],\"displayName\":\"Cross-tenant Access Settings Organization Deleted\",\"description\":\"Organizations are added in the Cross-tenant Access Settings to control communication inbound or outbound for users and applications. This detection notifies when an Organization is deleted from the Microsoft Entra ID Cross-tenant Access Settings.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-10-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/acfdee3f-b794-404a-aeba-ef6a1fa08ad1\",\"name\":\"acfdee3f-b794-404a-aeba-ef6a1fa08ad1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"High\",\"query\":\"let lookback = 14d;\\nlet timewindow = 7d;\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(lookback)\\n| where OperationName =~ \\\"Library.AgentPoolCreated\\\"\\n| extend AgentCloudId = tostring(Data.AgentCloudId)\\n| extend PoolType = iif(isnotempty(AgentCloudId), \\\"Azure VMs\\\", \\\"Self Hosted\\\")\\n// Comment this line out to include cloud pools as well\\n| where PoolType == \\\"Self Hosted\\\"\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n| extend AgentPoolId = tostring(Data.AgentPoolId)\\n| extend IsHosted = tostring(Data.IsHosted)\\n| extend IsLegacy = tostring(Data.IsLegacy)\\n| extend timekey = bin(TimeGenerated, timewindow)\\n// Join only with pools deleted in the same window\\n| join (AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(lookback)\\n| where OperationName =~ \\\"Library.AgentPoolDeleted\\\"\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n| extend AgentPoolId = tostring(Data.AgentPoolId)\\n| extend timekey = bin(TimeGenerated, timewindow)) on AgentPoolId, timekey\\n| project-reorder TimeGenerated, ActorUPN, UserAgent, IpAddress, AuthenticationMechanism, OperationName, AgentPoolName, IsHosted, IsLegacy, Data\\n| extend timestamp = TimeGenerated\\n| extend AccountName = tostring(split(ActorUPN, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(ActorUPN, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ActorUPN\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure DevOps Agent Pool Created Then Deleted\",\"description\":\"As well as adding build agents to an existing pool to execute malicious activity within a pipeline, an attacker could create a complete new agent pool and use this for execution.\\nAzure DevOps allows for the creation of agent pools with Azure hosted infrastructure or self-hosted infrastructure. Given the additional customizability of self-hosted agents this detection focuses on the creation of new self-hosted pools.\\nTo further reduce false positive rates the detection looks for pools created and deleted relatively quickly (within 7 days by default), as an attacker is likely to remove a malicious pool once used in order to reduce/remove evidence of their activity.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b9e3b9f8-a406-4151-9891-e5ff1ddd8c1d\",\"name\":\"b9e3b9f8-a406-4151-9891-e5ff1ddd8c1d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"//Collect the alert events\\nlet alertData = SecurityAlert\\n| where DisplayName has \\\"Potential malware uploaded to\\\"\\n| extend Entities = parse_json(Entities)\\n| mv-expand Entities;\\n//Parse the IP address data\\nlet ipData = alertData\\n| where Entities[\u0027Type\u0027] =~ \\\"ip\\\"\\n| extend AttackerIP = tostring(Entities[\u0027Address\u0027]), AttackerCountry = tostring(Entities[\u0027Location\u0027][\u0027CountryName\u0027]);\\n//Parse the file data\\nlet FileData = alertData\\n| where Entities[\u0027Type\u0027] =~ \\\"file\\\"\\n| extend MaliciousFileDirectory = tostring(Entities[\u0027Directory\u0027]), MaliciousFileName = tostring(Entities[\u0027Name\u0027]), MaliciousFileHashes = tostring(Entities[\u0027FileHashes\u0027]);\\n//Combine the File and IP data together\\nipData\\n| join (FileData) on VendorOriginalId\\n| summarize by TimeGenerated, AttackerIP, AttackerCountry, DisplayName, ResourceId, AlertType, MaliciousFileDirectory, MaliciousFileName, MaliciousFileHashes\\n//Create a type column so we can track if it was a File storage or blobl storage upload\\n| extend type = iff(DisplayName has \\\"file\\\", \\\"File\\\", \\\"Blob\\\")\\n| join (\\n union\\n StorageFileLogs,\\n StorageBlobLogs\\n //File upload operations\\n | where OperationName =~ \\\"PutBlob\\\" or OperationName =~ \\\"PutRange\\\"\\n //Parse out the uploader IP\\n | extend ClientIP = tostring(split(CallerIpAddress, \\\":\\\", 0)[0])\\n //Extract the filename from the Uri\\n | extend FileName = extract(@\\\"\\\\/([\\\\w\\\\-. ]+)\\\\?\\\", 1, Uri)\\n //Base64 decode the MD5 filehash, we will encounter non-ascii hex so string operations don\u0027t work\\n //We can work around this by making it an array then converting it to hex from an int\\n | extend base64Char = base64_decode_toarray(ResponseMd5)\\n | mv-expand base64Char\\n | extend hexChar = tohex(toint(base64Char))\\n | extend hexChar = iff(strlen(hexChar) \u003c 2, strcat(\\\"0\\\", hexChar), hexChar)\\n | extend SourceTable = iff(OperationName has \\\"range\\\", \\\"StorageFileLogs\\\", \\\"StorageBlobLogs\\\")\\n | summarize make_list(hexChar, 1000) by CorrelationId, ResponseMd5, FileName, AccountName, TimeGenerated, RequestBodySize, ClientIP, SourceTable\\n | extend Md5Hash = strcat_array(list_hexChar, \\\"\\\")\\n //Pack the file information the summarise into a ClientIP row\\n | extend p = pack(\\\"FileName\\\", FileName, \\\"FileSize\\\", RequestBodySize, \\\"Md5Hash\\\", Md5Hash, \\\"Time\\\", TimeGenerated, \\\"SourceTable\\\", SourceTable)\\n | summarize UploadedFileInfo=make_list(p, 10000), FilesUploaded=count() by ClientIP\\n | join kind=leftouter (\\n union\\n StorageFileLogs,\\n StorageBlobLogs\\n | where OperationName =~ \\\"DeleteFile\\\" or OperationName =~ \\\"DeleteBlob\\\"\\n | extend ClientIP = tostring(split(CallerIpAddress, \\\":\\\", 0)[0])\\n | extend FileName = extract(@\\\"\\\\/([\\\\w\\\\-. ]+)\\\\?\\\", 1, Uri)\\n | extend SourceTable = iff(OperationName has \\\"range\\\", \\\"StorageFileLogs\\\", \\\"StorageBlobLogs\\\")\\n | extend p = pack(\\\"FileName\\\", FileName, \\\"Time\\\", TimeGenerated, \\\"SourceTable\\\", SourceTable)\\n | summarize DeletedFileInfo=make_list(p, 10000), FilesDeleted=count() by ClientIP\\n ) on ClientIP\\n ) on $left.AttackerIP == $right.ClientIP\\n| mvexpand UploadedFileInfo\\n| extend LinkedMaliciousFileName = tostring(UploadedFileInfo.FileName)\\n| extend LinkedMaliciousFileHash = tostring(UploadedFileInfo.Md5Hash)\\n| extend HashAlgorithm = \\\"MD5\\\"\\n| project AlertTimeGenerated = TimeGenerated, LinkedMaliciousFileName, LinkedMaliciousFileHash, HashAlgorithm, AlertType, AttackerIP, AttackerCountry, MaliciousFileDirectory, MaliciousFileName, FilesUploaded, UploadedFileInfo\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"AttackerIP\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"HashAlgorithm\"},{\"identifier\":\"Value\",\"columnName\":\"LinkedMaliciousFileHash\"}]}],\"tactics\":[\"CommandAndControl\",\"Exfiltration\"],\"displayName\":\"Linked Malicious Storage Artifacts\",\"description\":\"This query identifies the additional files uploaded by the same IP address which triggered a malware alert for malicious content upload on Azure Blob or File Storage Container.\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2021-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftCloudAppSecurity\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/94749332-1ad9-49dd-a5ab-5ff2170788fc\",\"name\":\"94749332-1ad9-49dd-a5ab-5ff2170788fc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/SOURGUM.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet domains = (iocs | where Type =~ \\\"domainname\\\"| project IoC);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\nlet file_path1 = (iocs | where Type =~ \\\"filepath1\\\" | project IoC);\\nlet file_path2 = (iocs | where Type =~ \\\"filepath2\\\" | project IoC);\\nlet file_path3 = (iocs | where Type =~ \\\"filepath3\\\" | project IoC);\\nlet reg_key = (iocs | where Type =~ \\\"regkey\\\" | project IoC);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where DestinationHostName has_any (domains) or RequestURL has_any (domains) or Message has_any (domains)\\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 *\\n| project TimeGenerated, Message, SourceUserID, RequestURL, DestinationHostName, Type, SourceIP, DestinationIP, DNSName\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SourceUserID, UrlCustomEntity = RequestURL , IPCustomEntity = DestinationIP, DNSCustomEntity = DNSName\\n),\\n(DnsEvents\\n| where Name in~ (domains)\\n| project TimeGenerated, Computer, IPAddresses, Name, ClientIP, Type\\n| extend DNSName = Name, Host = Computer\\n| extend timestamp = TimeGenerated, HostCustomEntity = Host, DNSCustomEntity = DNSName, IPCustomEntity = IPAddresses\\n),\\n(VMConnection\\n| where RemoteDnsCanonicalNames has_any (domains)\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| project TimeGenerated, Computer, Direction, RemoteDnsCanonicalNames, ProcessName, SourceIp, DestinationIp, DestinationPort, DNSName,BytesSent, BytesReceived, RemoteCountry, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIp, HostCustomEntity = Computer, ProcessCustomEntity = ProcessName, DNSCustomEntity = DNSName\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = tostring(EventDetail.[9].[\\\"#text\\\"]), DestinationIP = tostring(EventDetail.[14].[\\\"#text\\\"]), Image = EventDetail.[4].[\\\"#text\\\"]\\n| where Image has_any (file_path1) or Image has_any (file_path3)\\n| project TimeGenerated, SourceIP, DestinationIP, Image, UserName, Computer, EventDetail, Type\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), HostCustomEntity = Computer , IPCustomEntity = DestinationIP\\n), \\n(DeviceNetworkEvents\\n| where (RemoteUrl has_any (domains)) or (InitiatingProcessSHA256 in (sha256Hashes) and InitiatingProcessFolderPath has_any (file_path1)) or InitiatingProcessFolderPath has_any (file_path3)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, LocalIP, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName, UrlCustomEntity =RemoteUrl\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| project TimeGenerated,Resource, msg_s, Type\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where Request_Name has_any (domains)\\n| extend timestamp = TimeGenerated, DNSName = Request_Name, IPCustomEntity = ClientIP\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| project TimeGenerated,Resource, msg_s\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where DestinationHost has_any (domains) \\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost\\n),\\n(AZFWDnsQuery\\n| where QueryName has_any (domains)\\n| extend timestamp = TimeGenerated, DNSName = QueryName, IPCustomEntity = SourceIp\\n),\\n(AZFWApplicationRule\\n| where Fqdn has_any (domains)\\n| extend timestamp = TimeGenerated, DNSName = Fqdn, IPCustomEntity = SourceIp\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| parse EventDetail with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| extend Image = EventDetail.[4].[\\\"#text\\\"], CommandLine = EventDetail.[10].[\\\"#text\\\"]\\n| where (SHA256 has_any (sha256Hashes) and Image has_any (file_path1)) or (Image has_any (file_path3)) or ( CommandLine has_any (file_path3)) or ( CommandLine has_any (file_path1)) or ( CommandLine has \u0027reg add\u0027 and CommandLine has_any (reg_key) and CommandLine has_any (file_path2)) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256, CommandLine, Image\\n| extend Type = strcat(Type, \\\": \\\", Source)\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = SHA256\\n),\\n(DeviceRegistryEvents\\n| where RegistryKey has_any (reg_key) and RegistryValueData has_any (file_path2)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type \\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256\\n),\\n(DeviceProcessEvents\\n| where ( InitiatingProcessCommandLine has_any (file_path1)) or ( InitiatingProcessCommandLine has_any (file_path3)) or ( InitiatingProcessCommandLine has \u0027reg add\u0027 and InitiatingProcessCommandLine has_any (reg_key) and InitiatingProcessCommandLine has_any (file_path2)) or (InitiatingProcessFolderPath has_any (file_path1)) or (InitiatingProcessFolderPath has_any (file_path3)) or (FolderPath has_any (file_path1)) or (FolderPath has_any (file_path3))\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, FolderPath, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256\\n),\\n(DeviceFileEvents\\n| where (InitiatingProcessSHA256 has_any (sha256Hashes) and InitiatingProcessFolderPath has_any (file_path1)) or (InitiatingProcessFolderPath has_any (file_path3)) or (FolderPath has_any (file_path1)) or (FolderPath has_any (file_path3)) or ( InitiatingProcessCommandLine has_any (file_path1)) or ( InitiatingProcessCommandLine has_any (file_path3))\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RequestAccountName, RequestSourceIP, InitiatingProcessSHA256, FolderPath, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = RequestAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256\\n),\\n(DeviceEvents\\n| where ( InitiatingProcessCommandLine has_any (file_path1)) or ( InitiatingProcessCommandLine has_any (file_path3)) or ( InitiatingProcessCommandLine has \u0027reg add\u0027 and InitiatingProcessCommandLine has_any (reg_key) and InitiatingProcessCommandLine has_any (file_path2)) or (InitiatingProcessFolderPath has_any (file_path1)) or (InitiatingProcessFolderPath has_any (file_path3)) or (FolderPath has_any (file_path1)) or (FolderPath has_any (file_path3))\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, FolderPath, Type\\n| extend CommandLine = InitiatingProcessCommandLine\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256\\n),\\n( SecurityEvent\\n| where EventID == 4688\\n| where ( CommandLine has_any (file_path1)) or ( CommandLine has_any (file_path3)) or ( CommandLine has \u0027reg add\u0027 and CommandLine has_any (reg_key) and CommandLine has_any (file_path2)) or (NewProcessName has_any (file_path1)) or (NewProcessName has_any (file_path3)) or (ParentProcessName has_any (file_path1)) or (ParentProcessName has_any (file_path3))\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"[Deprecated] - Caramel Tsunami Actor IOC - July 2021\",\"description\":\"This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft\u0027s Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2021-07-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceRegistryEvents\",\"DeviceFileEvents\",\"DeviceEvents\",\"DeviceProcessEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\",\"AZFWApplicationRule\",\"AZFWDnsQuery\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f80d951a-eddc-4171-b9d0-d616bb83efdc\",\"name\":\"f80d951a-eddc-4171-b9d0-d616bb83efdc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"High\",\"query\":\"let query_frequency = 1h;\\nlet query_period = 2h;\\nAuditLogs\\n| where TimeGenerated \u003e ago(query_period)\\n| where Category =~ \\\"ApplicationManagement\\\" and LoggedByService =~ \\\"Core Directory\\\"\\n| where OperationName =~ \\\"Add app role assignment to service principal\\\"\\n| mv-expand TargetResource = TargetResources\\n| mv-expand modifiedProperty = TargetResource[\\\"modifiedProperties\\\"]\\n| where tostring(modifiedProperty[\\\"displayName\\\"]) == \\\"AppRole.Value\\\"\\n| extend PermissionGrant = tostring(modifiedProperty[\\\"newValue\\\"])\\n| where PermissionGrant has \\\"RoleManagement.ReadWrite.Directory\\\"\\n| mv-apply modifiedProperty = TargetResource[\\\"modifiedProperties\\\"] on (\\n summarize modifiedProperties = make_bag(\\n bag_pack(tostring(modifiedProperty[\\\"displayName\\\"]),\\n bag_pack(\\\"oldValue\\\", trim(@\u0027[\\\\\\\"\\\\s]+\u0027, tostring(modifiedProperty[\\\"oldValue\\\"])),\\n \\\"newValue\\\", trim(@\u0027[\\\\\\\"\\\\s]+\u0027, tostring(modifiedProperty[\\\"newValue\\\"])))), 100)\\n)\\n| project\\n PermissionGrant_TimeGenerated = TimeGenerated,\\n PermissionGrant_OperationName = OperationName,\\n PermissionGrant_Result = Result,\\n PermissionGrant,\\n AppDisplayName = tostring(modifiedProperties[\\\"ServicePrincipal.DisplayName\\\"][\\\"newValue\\\"]),\\n AppServicePrincipalId = tostring(modifiedProperties[\\\"ServicePrincipal.ObjectID\\\"][\\\"newValue\\\"]),\\n PermissionGrant_InitiatedBy = InitiatedBy,\\n PermissionGrant_TargetResources = TargetResources,\\n PermissionGrant_AdditionalDetails = AdditionalDetails,\\n PermissionGrant_CorrelationId = CorrelationId\\n| join kind=inner (\\n AuditLogs\\n | where TimeGenerated \u003e ago(query_frequency)\\n | where Category =~ \\\"RoleManagement\\\" and LoggedByService =~ \\\"Core Directory\\\" and AADOperationType =~ \\\"Assign\\\"\\n | where isnotempty(InitiatedBy[\\\"app\\\"])\\n | mv-expand TargetResource = TargetResources\\n | mv-expand modifiedProperty = TargetResource[\\\"modifiedProperties\\\"]\\n | where tostring(modifiedProperty[\\\"displayName\\\"]) in (\\\"Role.DisplayName\\\", \\\"RoleDefinition.DisplayName\\\")\\n | extend RoleAssignment = tostring(modifiedProperty[\\\"newValue\\\"])\\n | where RoleAssignment contains \\\"Admin\\\"\\n | project\\n RoleAssignment_TimeGenerated = TimeGenerated,\\n RoleAssignment_OperationName = OperationName,\\n RoleAssignment_Result = Result,\\n RoleAssignment,\\n TargetType = tostring(TargetResources[0][\\\"type\\\"]),\\n Target = iff(isnotempty(TargetResources[0][\\\"displayName\\\"]), tostring(TargetResources[0][\\\"displayName\\\"]), tolower(TargetResources[0][\\\"userPrincipalName\\\"])),\\n TargetId = tostring(TargetResources[0][\\\"id\\\"]),\\n RoleAssignment_InitiatedBy = InitiatedBy,\\n RoleAssignment_TargetResources = TargetResources,\\n RoleAssignment_AdditionalDetails = AdditionalDetails,\\n RoleAssignment_CorrelationId = CorrelationId,\\n AppServicePrincipalId = tostring(InitiatedBy[\\\"app\\\"][\\\"servicePrincipalId\\\"])\\n ) on AppServicePrincipalId\\n| where PermissionGrant_TimeGenerated \u003c RoleAssignment_TimeGenerated\\n| extend\\n TargetName = tostring(split(Target, \\\"@\\\")[0]),\\n TargetUPNSuffix = tostring(split(Target, \\\"@\\\")[1])\\n| project PermissionGrant_TimeGenerated, PermissionGrant_OperationName, PermissionGrant_Result, PermissionGrant, AppDisplayName, AppServicePrincipalId, PermissionGrant_InitiatedBy, PermissionGrant_TargetResources, PermissionGrant_AdditionalDetails, PermissionGrant_CorrelationId, RoleAssignment_TimeGenerated, RoleAssignment_OperationName, RoleAssignment_Result, RoleAssignment, TargetType, Target, TargetName, TargetUPNSuffix, TargetId, RoleAssignment_InitiatedBy, RoleAssignment_TargetResources, RoleAssignment_AdditionalDetails, RoleAssignment_CorrelationId\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"AppDisplayName\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"TargetName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"TargetUPNSuffix\"}]}],\"tactics\":[\"PrivilegeEscalation\",\"Persistence\"],\"displayName\":\"Admin promotion after Role Management Application Permission Grant\",\"description\":\"This rule looks for a service principal being granted the Microsoft Graph RoleManagement.ReadWrite.Directory (application) permission before being used to add an Azure AD object or user account to an Admin directory role (i.e. Global Administrators).\\nThis is a known attack path that is usually abused when a service principal already has the AppRoleAssignment.ReadWrite.All permission granted. This permission allows an app to manage permission grants for application permissions to any API.\\nA service principal can promote itself or other service principals to admin roles (i.e. Global Administrators). This would be considered a privilege escalation technique.\\nRef : https://docs.microsoft.com/graph/permissions-reference#role-management-permissions, https://docs.microsoft.com/graph/api/directoryrole-post-members?view=graph-rest-1.0\u0026tabs=http\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2021-11-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c37711a4-5f44-4472-8afc-0679bc0ef966\",\"name\":\"c37711a4-5f44-4472-8afc-0679bc0ef966\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"3.0.0\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/FoggyWebIOC.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet sha256Hashes = (iocs | where Type == \\\"sha256\\\" | project IoC);\\nlet FilePaths = (iocs | where Type =~ \\\"FilePath\\\" | project IoC);\\nlet POST_URI = (iocs | where Type =~ \\\"URI1\\\" | project IoC);\\nlet GET_URI = (iocs | where Type =~ \\\"URI2\\\" | project IoC);\\n//Include in the list below, the ADFS servers you know about in your environment. In the next part of the query, we will try to identify them for you if you have the telemetry.\\nlet ADFS_Servers1 = datatable(Computer:string)\\n[ \\\"\u003cADFS01\u003e.\u003cDOMAIN\u003e.\u003cCOM\u003e\\\",\\n\\\"\u003cADFS02\u003e.\u003cDOMAIN\u003e.\u003cCOM\u003e\\\"\\n];\\n// Automatically identify potential ADFS services in your environment by searching process event telemetry for \\\"Microsoft.IdentityServer.ServiceHost.exe\\\".\\nlet ADFS_Servers2 = \\n(union isfuzzy=true\\n(SecurityEvent\\n| where EventID == 4688 and SubjectLogonId != \\\"0x3e4\\\"\\n| where ProcessName has \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n),\\n( WindowsEvent\\n| where EventID == 4688 and EventData has \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"// and not(EventData has \\\"0x3e4\\\")\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| where ProcessName == \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| extend SubjectLogonId = tostring(EventData.SubjectLogonId)\\n| where SubjectLogonId != \\\"0x3e4\\\"\\n| distinct Computer\\n),\\n(DeviceProcessEvents\\n| where InitiatingProcessFileName == \u0027Microsoft.IdentityServer.ServiceHost.exe\u0027\\n| extend Computer = DeviceName\\n| distinct Computer\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key=tostring([\u0027@Name\u0027]), Value=[\u0027#text\u0027]\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| extend process = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n| where process =~ \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n)\\n);\\nlet ADFS_Servers =\\nADFS_Servers1\\n| union (ADFS_Servers2 | distinct Computer);\\n(union isfuzzy=true\\n(DeviceNetworkEvents\\n| where DeviceName in (ADFS_Servers)\\n| where isnotempty(InitiatingProcessSHA256) or isnotempty(InitiatingProcessFolderPath)\\n| where InitiatingProcessSHA256 has_any (sha256Hashes) or InitiatingProcessFolderPath has_any (FilePaths)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort, LocalIP, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\" and EventID == \u00277\u0027\\n| where Computer in (ADFS_Servers)\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend ImageLoaded = EventDetail.[5].[\\\"#text\\\"], Hashes = EventDetail.[11].[\\\"#text\\\"]\\n| parse Hashes with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| where ImageLoaded has_any (FilePaths) or SHA256 has_any (sha256Hashes) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256, ImageLoaded, EventID\\n| extend Type = strcat(Type,\\\":\\\",EventID, \\\": \\\", Source), Account = UserName, FileHash = SHA256, Image = EventDetail.[4].[\\\"#text\\\"] \\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, SourceUserID, FileHash, Type\\n| extend timestamp = TimeGenerated, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(DeviceEvents\\n| where DeviceName in (ADFS_Servers)\\n| extend FilePath = strcat(FolderPath, \u0027\\\\\\\\\u0027, FileName)\\n| where InitiatingProcessSHA256 has_any (sha256Hashes) or FilePath has_any (FilePaths)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(DeviceFileEvents\\n| where DeviceName in (ADFS_Servers)\\n| where FolderPath has_any (FilePaths) or SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(DeviceImageLoadEvents\\n| where DeviceName in (ADFS_Servers)\\n| where FolderPath has_any (FilePaths) or SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where Computer in (ADFS_Servers)\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| parse EventDetail with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| where EventDetail has_any (sha256Hashes) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256\\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = SHA256, Image = EventDetail.[4].[\\\"#text\\\"] \\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(W3CIISLog \\n| where ( csMethod == \u0027GET\u0027 and csUriStem has_any (GET_URI)) or (csMethod == \u0027POST\u0027 and csUriStem has_any (POST_URI))\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), cIP_MethodCount = count() \\nby cIP, cIP_MethodCountType = \\\"Count of repeated entries, this is to reduce rowsets returned\\\", csMethod, \\ncsHost, scStatus, sIP, csUriStem, csUriQuery, csUserName, csUserAgent, csCookie, csReferer\\n| extend timestamp = StartTime, IPCustomEntity = cIP, HostCustomEntity = csHost, AccountCustomEntity = csUserName\\n),\\n(imFileEvent\\n| where DvcHostname in (ADFS_Servers)\\n| where TargetFileSHA256 has_any (sha256Hashes) or FilePath has_any (FilePaths)\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]}],\"tactics\":[\"Collection\"],\"displayName\":\"[Deprecated] - Midnight Blizzard IOCs related to FoggyWeb backdoor\",\"description\":\"This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft\u0027s Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2021-09-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceFileEvents\",\"DeviceEvents\",\"DeviceImageLoadEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f3e2d35f-1202-4215-995c-4654ef07d1d8\",\"name\":\"f3e2d35f-1202-4215-995c-4654ef07d1d8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"version\":\"1.0.4\",\"severity\":\"Medium\",\"query\":\"let BEC_Keywords = dynamic([ \u0027invoice\u0027,\u0027payment\u0027,\u0027paycheck\u0027,\u0027transfer\u0027,\u0027bank statement\u0027,\u0027bank details\u0027,\u0027closing\u0027,\u0027funds\u0027,\u0027bank account\u0027,\u0027account details\u0027,\u0027remittance\u0027,\u0027purchase\u0027,\u0027deposit\u0027,\\\"PO#\\\",\\\"Zahlung\\\",\\\"Rechnung\\\",\\\"Paiement\\\", \\\"virement bancaire\\\",\\\"Bankuberweisung\\\",\u0027hacked\u0027,\u0027phishing\u0027]);\\n// Adjust this threshold based on your environment\\nlet sensitivity = 2.5;\\nlet Events = materialize(AWSCloudTrail\\n| where TimeGenerated between (ago(14d)..ago(0d))\\n| where UserIdentityAccountId != \\\"anonymous\\\"\\n| where EventSource startswith \\\"s3.\\\"\\n| where EventName =~ \\\"GetObject\\\"\\n| extend FilePath = tostring(parse_json(RequestParameters).key)\\n| where FilePath has_any(BEC_Keywords)\\n);\\nEvents\\n| summarize dcount(FilePath) by UserIdentityPrincipalid, bin(startofday(TimeGenerated), 1d)\\n| summarize CountOfDocs = make_list(dcount_FilePath, 10000), TimeStamp = make_list(TimeGenerated, 10000) by UserIdentityPrincipalid\\n| extend (Anomalies, Score, Baseline) = series_decompose_anomalies(CountOfDocs, sensitivity, -1, \u0027linefit\u0027)\\n| mv-expand CountOfDocs to typeof(double), TimeStamp to typeof(datetime), Anomalies to typeof(double),Score to typeof(double), Baseline to typeof(long)\\n| where Anomalies \u003e 0\\n| project TimeStamp, CountOfDocs, Baseline, Score, Anomalies, UserIdentityPrincipalid\\n| join kind=inner(Events | extend TimeStamp = startofday(TimeGenerated)) on TimeStamp, UserIdentityPrincipalid\\n| extend Name = iif(UserIdentityUserName contains \\\"@\\\", split(UserIdentityUserName, \\\"@\\\")[0], UserIdentityUserName)\\n| extend UPNSuffix = iif(UserIdentityUserName contains \\\"@\\\", split(UserIdentityUserName, \\\"@\\\")[1], \\\"\\\")\\n| project-reorder TimeGenerated, UserIdentityType, UserIdentityPrincipalid, UserIdentityUserName, FilePath, EventName, UserAgent, SourceIpAddress, CountOfDocs, Baseline, Score\",\"customDetails\":{\"UserType\":\"UserIdentityType\",\"Event\":\"EventName\",\"UserAgent\":\"UserAgent\"},\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserIdentityUserName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIpAddress\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"FilePath\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Suspicious access of {{CountOfDocs}} BEC related documents in AWS S3 buckets by {{UserIdentityUserName}}\",\"alertDescriptionFormat\":\"This query looks for users (in this case {{UserIdentityUserName}}) with suspicious spikes in the number of files accessed (in this case {{CountOfDocs}})that relate to topics commonly accessed as part of Business Email Compromise (BEC) attacks. The query looks for access to files in AWS S3 storage that relate to topics such as invoices or payments, and then looks for users accessing these files in significantly higher numbers than in the previous 14 days. Incidents raised by this analytic should be investigated to see if the user accessing these files should be accessing them, and if the volume they accessed them at was related to a legitimate business need. \\nThis query contains thresholds to reduce the chance of false positives, these can be adjusted to suit individual environments. In addition false positives could be generated by legitimate, scheduled actions that occur less often than every 14 days, additional exclusions can be added for these actions on username or IP address entities.\\n\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"Collection\"],\"displayName\":\"Suspicious access of BEC related documents in AWS S3 buckets\",\"description\":\"This query looks for users with suspicious spikes in the number of files accessed that relate to topics commonly accessed as part of Business Email Compromise (BEC) attacks.\\nThe query looks for access to files in AWS S3 storage that relate to topics such as invoices or payments, and then looks for users accessing these files in significantly higher numbers than in the previous 14 days. Incidents raised by this analytic should be investigated to see if the user accessing these files should be accessing them, and if the volume they accessed them at was related to a legitimate business need. \\nThis query contains thresholds to reduce the chance of false positives, these can be adjusted to suit individual environments. In addition false positives could be generated by legitimate, scheduled actions that occur less often than every 14 days, additional exclusions can be added for these actions on username or IP address entities.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2023-02-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9122a9cb-916b-4d98-a199-1b7b0af8d598\",\"name\":\"9122a9cb-916b-4d98-a199-1b7b0af8d598\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"beesweiserdog.com\\\", \\n \\\"bluehostfit.com\\\", \\n \\\"business-toys.com\\\", \\n \\\"cleanskycloud.com\\\", \\n \\\"cumberbat.com\\\", \\n \\\"czreadsecurity.com\\\", \\n \\\"dgtresorgouv.com\\\", \\n \\\"dimediamikedask.com\\\", \\n \\\"diresitioscon.com\\\", \\n \\\"elcolectador.com\\\", \\n \\\"elperuanos.org\\\", \\n \\\"eprotectioneu.com\\\", \\n \\\"fheacor.com\\\", \\n \\\"followthewaterdata.com\\\", \\n \\\"francevrteepress.com\\\", \\n \\\"futtuhy.com\\\", \\n \\\"gardienweb.com\\\", \\n \\\"heimflugaustr.com\\\", \\n \\\"ivpsers.com\\\", \\n \\\"jkeducation.org\\\", \\n \\\"micrlmb.com\\\", \\n \\\"muthesck.com\\\", \\n \\\"netscalertech.com\\\", \\n \\\"newgoldbalmap.com\\\", \\n \\\"news-laestrella.com\\\", \\n \\\"noticialif.com\\\", \\n \\\"opentanzanfoundation.com\\\", \\n \\\"optonlinepress.com\\\", \\n \\\"palazzochigi.com\\\", \\n \\\"pandemicacre.com\\\", \\n \\\"papa-ser.com\\\", \\n \\\"pekematclouds.com\\\", \\n \\\"pipcake.com\\\", \\n \\\"popularservicenter.com\\\", \\n \\\"projectsyndic.com\\\", \\n \\\"qsadtv.com\\\", \\n \\\"sankreal.com\\\", \\n \\\"scielope.com\\\", \\n \\\"seoamdcopywriting.com\\\", \\n \\\"slidenshare.com\\\", \\n \\\"somoswake.com\\\", \\n \\\"squarespacenow.com\\\", \\n \\\"subapostilla.com\\\", \\n \\\"suzukicycles.net\\\", \\n \\\"tatanotakeeps.com\\\", \\n \\\"tijuanazxc.com\\\", \\n \\\"transactioninfo.net\\\", \\n \\\"eurolabspro.com\\\", \\n \\\"adelluminate.com\\\", \\n \\\"headhunterblue.com\\\", \\n \\\"primenuesty.com\\\" \\n ]);\\nlet SHA256Hashes = dynamic ([\\\"02daf4544bcefb2de865d0b45fc406bee3630704be26a9d6da25c9abe906e7d2\\\", \\n \\\"0a45ec3da31838aa7f56e4cbe70d5b3b3809029f9159ff0235837e5b7a4cb34c\\\", \\n \\\"0d7965489810446ca7acc7a2160795b22e452a164261313c634a6529a0090a0c\\\", \\n \\\"10bb4e056fd19f2debe61d8fc5665434f56064a93ca0ec0bef946a4c3e098b95\\\", \\n \\\"12d914f24fe5501e09f5edf503820cc5fe8b763827a1c6d44cdb705e48651b21\\\", \\n \\\"1899f761123fedfeba0fee6a11f830a29cd3653bcdcf70380b72a05b921b4b49\\\", \\n \\\"22e68e366dd3323e5bb68161b0938da8e1331e4f1c1819c8e84a97e704d93844\\\", \\n \\\"259783405ec2cb37fdd8fd16304328edbb6a0703bc3d551eba252d9b450554ef\\\", \\n \\\"26debed09b1bbf24545e3b4501b799b66a0146d4020f882776465b5071e91822\\\", \\n \\\"35c5f22bb11f7dd7a2bb03808e0337cb7f9c0d96047b94c8afdab63efc0b9bb2\\\", \\n \\\"3ae2d9ffa4e53519e62cc0a75696f9023f9cce09b0a917f25699b48d0f7c4838\\\", \\n \\\"3bac2e459c69fcef8c1c93c18e5f4f3e3102d8d0f54a63e0650072aeb2a5fa65\\\", \\n \\\"3c0bf69f6faf85523d9e60d13218e77122b2adb0136ffebbad0f39f3e3eed4e6\\\", \\n \\\"3dc0001a11d54925d2591aec4ea296e64f1d4fdf17ff3343ddeea82e9bd5e4f1\\\", \\n \\\"3fd73af89e94af180b1fbf442bbfb7d7a6c4cf9043abd22ac0aa2f8149bafc90\\\", \\n \\\"6854df6aa0af46f7c77667c450796d5658b3058219158456e869ebd39a47d54b\\\", \\n \\\"6b79b807a66c786bd2e57d1c761fc7e69dd9f790ffab7ce74086c4115c9305ce\\\", \\n \\\"7944a86fbef6238d2a55c14c660c3a3d361c172f6b8fa490686cc8889b7a51a0\\\", \\n \\\"926904f7c0da13a6b8689c36dab9d20b3a2e6d32f212fca9e5f8cf2c6055333c\\\", \\n \\\"95e98c811ea9d212673d0e84046d6da94cbd9134284275195800278593594b5a\\\", \\n \\\"a142625512e5372a1728595be19dbee23eea50524b4827cb64ed5aaeaaa0270b\\\", \\n \\\"afe5e9145882e0b98a795468a4c0352f5b1ddb7b4a534783c9e8fc366914cf6a\\\", \\n \\\"b9027bad09a9f5c917cf0f811610438e46e42e5e984a8984b6d69206ceb74124\\\", \\n \\\"c132d59a3bf0099e0f9f5667daf7b65dba66780f4addd88f04eecae47d5d99fa\\\", \\n \\\"c9a5765561f52bbe34382ce06f4431f7ac65bafe786db5de89c29748cf371dda\\\", \\n \\\"ce0408f92635e42aadc99da3cc1cbc0044e63441129c597e7aa1d76bf2700c94\\\", \\n \\\"ce47bacc872516f91263f5e59441c54f14e9856cf213ca3128470217655fc5e6\\\", \\n \\\"d0fe4562970676e30a4be8cb4923dc9bfd1fca8178e8e7fea0f3f02e0c7435ce\\\", \\n \\\"d5b36648dc9828e69242b57aca91a0bb73296292bf987720c73fcd3d2becbae6\\\", \\n \\\"e72d142a2bc49572e2d99ed15827fc27c67fc0999e90d4bf1352b075f86a83ba\\\"\\n ]);\\nlet SigNames = dynamic([\\\"Backdoor:Win32/Leeson\\\", \\\"Trojan:Win32/Kechang\\\", \\\"Backdoor:Win32/Nightimp!dha\\\", \\\"Trojan:Win32/QuarkBandit.A!dha\\\", \\\"TrojanSpy:Win32/KeyLogger\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where isnotempty(FileHash)\\n| where FileHash in (SHA256Hashes) or DNSName in~ (DomainNames)\\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n),\\n(_Im_Dns(domain_has_any = DomainNames)\\n| extend DNSName = DnsQuery\\n| extend IPAddress = SrcIpAddr\\n),\\n(_Im_WebSession(url_has_any = DomainNames)\\n| extend DNSName = tostring(parse_url(Url)[\\\"Host\\\"])\\n| extend IPAddress = SrcIpAddr\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updataing\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Hashes = EventDetail.[16].[\\\"#text\\\"]\\n| parse Hashes with * \u0027SHA256=\u0027 SHA256 \u0027,\u0027 * \\n| where isnotempty(Hashes)\\n| where Hashes in (SHA256Hashes) \\n| extend Account = UserName\\n),\\n(DeviceFileEvents\\n| where SHA256 in~ (SHA256Hashes)\\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = SHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(imFileEvent\\n| where TargetFileSHA256 in~ (SHA256Hashes)\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(DeviceNetworkEvents\\n| where RemoteUrl in~ (DomainNames)\\n| extend Computer = DeviceName, IPAddress = LocalIP, Account = InitiatingProcessAccountName\\n| project Type, TimeGenerated, Computer, Account, IPAddress, RemoteUrl\\n),\\n(SecurityAlert\\n| where ProductName == \\\"Microsoft Defender Advanced Threat Protection\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| where isnotempty(ThreatName)\\n| where ThreatName has_any (SigNames)\\n| extend Computer = tostring(parse_json(Entities)[0].HostName)\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPAddress = SourceHost\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"[Deprecated] - Known Nylon Typhoon domains and hashes\",\"description\":\"This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft\u0027s Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2021-11-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c3b11fb2-9201-4844-b7b9-6b7bf6d9b851\",\"name\":\"c3b11fb2-9201-4844-b7b9-6b7bf6d9b851\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.4\",\"severity\":\"Medium\",\"query\":\"let threshold = 200;\\n_Im_Dns(responsecodename=\u0027NXDOMAIN\u0027)\\n| where isnotempty(DnsResponseCodeName)\\n//| where DnsResponseCodeName =~ \\\"NXDOMAIN\\\"\\n| summarize count() by SrcIpAddr, bin(TimeGenerated,15m)\\n| where count_ \u003e threshold\\n| join kind=inner (_Im_Dns(responsecodename=\u0027NXDOMAIN\u0027)\\n ) on SrcIpAddr\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Excessive NXDOMAIN DNS Queries (ASIM DNS Schema)\",\"description\":\"This creates an incident in the event a client generates excessive amounts of DNS queries for non-existent domains. \\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema\",\"lastUpdatedDateUTC\":\"2023-12-12T00:00:00Z\",\"createdDateUTC\":\"2021-06-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/09ec8fa2-b25f-4696-bfae-05a7b85d7b9e\",\"name\":\"09ec8fa2-b25f-4696-bfae-05a7b85d7b9e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT3H\",\"queryPeriod\":\"PT3H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.5\",\"severity\":\"High\",\"query\":\"let timeframe = ago(3h);\\nlet threshold = 2;\\nimAuthentication\\n| where TimeGenerated \u003e timeframe\\n| where EventType == \u0027Logon\u0027\\n and EventResult == \u0027Success\u0027\\n| where isnotempty(SrcGeoCountry)\\n| summarize\\n StartTime = min(TimeGenerated)\\n , EndTime = max(TimeGenerated)\\n , Vendors = make_set(EventVendor, 128)\\n , Products = make_set(EventProduct, 128)\\n , NumOfCountries = dcount(SrcGeoCountry)\\n , Countries = make_set(SrcGeoCountry, 128)\\n by TargetUserId, TargetUsername, TargetUserType\\n| where NumOfCountries \u003e= threshold\\n| where TargetUserType !in (\\\"Application\\\", \\\"Service\\\", \\\"System\\\", \\\"Other\\\", \\\"Machine\\\", \\\"ServicePrincipal\\\")\\n| extend\\n Name = iif(\\n TargetUsername contains \\\"@\\\"\\n , tostring(split(TargetUsername, \u0027@\u0027, 0)[0])\\n , TargetUsername\\n ),\\n UPNSuffix = iif(\\n TargetUsername contains \\\"@\\\"\\n , tostring(split(TargetUsername, \u0027@\u0027, 1)[0])\\n , \\\"\\\"\\n )\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUserName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"User login from different countries within 3 hours (Uses Authentication Normalization)\",\"description\":\"This query searches for successful user logins from different countries within 3 hours.\\n To use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimAuthentication)\",\"lastUpdatedDateUTC\":\"2024-06-28T00:00:00Z\",\"createdDateUTC\":\"2021-06-14T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ed8c9153-6f7a-4602-97b4-48c336b299e1\",\"name\":\"ed8c9153-6f7a-4602-97b4-48c336b299e1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let guids = dynamic([\\\"{ddc05a5a-351a-4e06-8eaf-54ec1bc2dcea}\\\",\\\"{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\\\",\\\"{4590f811-1d3a-11d0-891f-00aa004b2e24}\\\", \\\"{4de225bf-cf59-4cfc-85f7-68b90f185355}\\\", \\\"{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A}\\\"]);\\n let mde_data = DeviceRegistryEvents\\n | where ActionType =~ \\\"RegistryValueSet\\\"\\n | where RegistryKey contains \\\"HKEY_LOCAL_MACHINE\\\\\\\\SOFTWARE\\\\\\\\Classes\\\\\\\\CLSID\\\"\\n | where RegistryKey has_any (guids)\\n | where RegistryValueData has \\\"System32\\\\\\\\spool\\\\\\\\drivers\\\\\\\\color\\\";\\n let event_data = SecurityEvent\\n | where EventID == 4657\\n | where ObjectName contains \\\"HKEY_LOCAL_MACHINE\\\\\\\\SOFTWARE\\\\\\\\Classes\\\\\\\\CLSID\\\"\\n | where ObjectName has_any (guids)\\n | where NewValue has \\\"System32\\\\\\\\spool\\\\\\\\drivers\\\\\\\\color\\\"\\n | extend RegistryKey = ObjectName, RegistryValueData = NewValue, DeviceName=Computer, InitiatingProcessFileName = Process, InitiatingProcessAccountName=SubjectUserName, InitiatingProcessAccountDomain = SubjectDomainName;\\n union mde_data, event_data\\n | extend HostName = tostring(split(DeviceName, \\\".\\\")[0]), DomainIndex = toint(indexof(DeviceName, \u0027.\u0027))\\n | extend HostNameDomain = iff(DomainIndex != -1, substring(DeviceName, DomainIndex + 1), DeviceName)\",\"entityMappings\":[{\"entityType\":\"RegistryKey\",\"fieldMappings\":[{\"identifier\":\"Key\",\"columnName\":\"RegistryKey\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DeviceName\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"InitiatingProcessFileName\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"InitiatingProcessAccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"InitiatingProcessAccountName\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"COM Registry Key Modified to Point to File in Color Profile Folder\",\"description\":\"This query looks for changes to COM registry keys to point to files in C:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\color\\\\.\\n This can be used to enable COM hijacking for persistence.\\n Ref: https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2022-07-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceRegistryEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b619d1f1-7f39-4c7e-bf9e-afbb46457997\",\"name\":\"b619d1f1-7f39-4c7e-bf9e-afbb46457997\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Medium\",\"query\":\"let timeframe = 15m;\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(timeframe)\\n| where HttpUserAgentOriginal contains \\\"XMRig\\\" or HttpUserAgentOriginal contains \\\"ccminer\\\"\\n| extend Message = \\\"Crypto Miner User Agent\\\"\\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated,HttpUserAgentOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlOriginal\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - Crypto Miner User-Agent Detected\",\"description\":\"Detects suspicious user agent strings used by crypto miners in proxy logs.\",\"lastUpdatedDateUTC\":\"2023-12-29T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/677da133-e487-4108-a150-5b926591a92b\",\"name\":\"677da133-e487-4108-a150-5b926591a92b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"Medium\",\"query\":\"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string)\\n[@\\\"https://raw.githubusercontent.com/microsoft/mstic/master/Indicators/May21-NOBELIUM/May21NOBELIUMIoCs.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet sha256s = (iocs | where Type =~ \\\"SHA256\\\"| project IoC);\\nlet ips = (iocs | where Type =~ \\\"IP\\\"| project IoC);\\nlet IPList = dynamic([\\\"192.99.221.77\\\",\\\"83.171.237.173\\\"]);\\nlet ips_list=toscalar(ips | summarize makeset(IoC));\\nlet full_ip_list= array_concat(ips_list, IPList);\\nlet domains = (iocs | where Type =~ \\\"Domain\\\"| project IoC);\\nlet domain_list=toscalar(domains | summarize make_set(IoC));\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\nlet sha256Hashes = dynamic([\\\"2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9226c80b8b31252\\\",\\n\\\"d035d394a82ae1e44b25e273f99eae8e2369da828d6b6fdb95076fd3eb5de142\\\",\\n\\\"94786066a64c0eb260a28a2959fcd31d63d175ade8b05ae682d3f6f9b2a5a916\\\",\\n\\\"48b5fb3fa3ea67c2bc0086c41ec755c39d748a7100d71b81f618e82bf1c479f0\\\",\\n\\\"ee44c0692fd2ab2f01d17ca4b58ca6c7f79388cbc681f885bb17ec946514088c\\\",\\n\\\"ee42ddacbd202008bcc1312e548e1d9ac670dd3d86c999606a3a01d464a2a330\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or DestinationHostName in~ (domains) or RequestURL has_any (domains) or Message has_any (IPList)\\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", RequestURL in (domains), \\\"RequestUrl\\\", SourceIP in (ips), \\\"SourceIP\\\", DestinationIP in (ips), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", \\\"NoMatch\\\") \\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, \\\"NoMatch\\\"), AccountCustomEntity = SourceUserID\\n),\\n(_Im_Dns (domain_has_any=todynamic(domain_list))\\n| extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host\\n),\\n(_Im_Dns (response_has_any_prefix=todynamic(full_ip_list))\\n| extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host\\n),\\n(VMConnection\\n| where SourceIp in (IPList) or DestinationIp in (IPList) or SourceIp in (ips) or DestinationIp in (ips) or RemoteDnsCanonicalNames has_any (domains)\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", SourceIp in (ips), \\\"SourceIP\\\", DestinationIp in (ips), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"NoMatch\\\"), HostCustomEntity = Computer\\n),\\n(OfficeActivity\\n| where ClientIP in (IPList) or ClientIP in (ips)\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = UserId\\n),\\n(WindowsFirewall\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or SourceIP in (ips) or DestinationIP in (ips)\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", SourceIP in (ips), \\\"SourceIP\\\", DestinationIP in (ips), \\\"DestinationIP\\\", \\\"None\\\")\\n),\\n(_Im_NetworkSession(srcipaddr_has_any_prefix=full_ip_list)\\n | extend IPMatch = \\\"SourceIP\\\"\\n | extend timestamp = TimeGenerated, HostCustomEntity = Dvc , IPCustomEntity = SrcIpAddr //, AccountCustomEntity =User\\n),\\n(_Im_NetworkSession(dstipaddr_has_any_prefix=full_ip_list)\\n | extend IPMatch = \\\"DestinationIP\\\"\\n | extend timestamp = TimeGenerated, HostCustomEntity = Dvc , IPCustomEntity = DstIpAddr //, AccountCustomEntity =User\\n),\\n(_Im_WebSession(url_has_any=domains)\\n | extend timestamp=TimeGenerated, HostCustomEntity=Dvc , DNSName=tostring(parse_url(Url)[\\\"Host\\\"]), AccountCustomEntity=User\\n),\\n(_Im_WebSession(srcipaddr_has_any_prefix=full_ip_list)\\n | extend timestamp=TimeGenerated, HostCustomEntity=Dvc , DNSName=tostring(parse_url(Url)[\\\"Host\\\"]), AccountCustomEntity=User\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (domains) \\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost\\n),\\n(AZFWApplicationRule\\n| where isnotempty(Fqdn)\\n| where Fqdn has_any (domains)\\n| extend timestamp = TimeGenerated\\n| extend DNSName = Fqdn\\n| extend IPCustomEntity = SourceIp\\n),\\n(AZFWDnsQuery\\n| where isnotempty(QueryName)\\n| where QueryName has_any (domains)\\n| extend timestamp = TimeGenerated\\n| extend DNSName = QueryName\\n| extend IPCustomEntity = SourceIp\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updating\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| where EventDetail has_any (sha256Hashes) or EventDetail has_any (sha256s)\\n| parse EventDetail with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = SHA256\\n| project Type, TimeGenerated, Computer, Account, FileHash\\n),\\n(DeviceFileEvents\\n| where SHA256 in~ (sha256Hashes) or SHA256 in~ (sha256s)\\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = SHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(imFileEvent\\n| where TargetFileSHA256 in~ (sha256Hashes) or TargetFileSHA256 in~ (sha256s)\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes) or FileHash in (sha256s)\\n| extend timestamp = TimeGenerated\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"DNSName\"}]}],\"tactics\":[\"CommandAndControl\",\"Execution\"],\"displayName\":\"[Deprecated] - Midnight Blizzard - Domain, Hash and IP IOCs - May 2021\",\"description\":\"This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft\u0027s Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2021-03-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceFileEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\",\"AZFWApplicationRule\",\"AZFWDnsQuery\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9d8b5a18-b7db-4c23-84a6-95febaf7e1e4\",\"name\":\"9d8b5a18-b7db-4c23-84a6-95febaf7e1e4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT12H\",\"queryPeriod\":\"PT12H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Europium_September2022.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\nlet IPList = (iocs | where Type =~ \\\"ip\\\"| project IoC);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList)\\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| project TimeGenerated, SourceIP, DestinationIP, Message, SourceUserID, RequestURL, DNSName, Type\\n| extend MessageIP = extract(IPRegex, 0, Message), RequestIP = extract(IPRegex, 0, RequestURL)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", \\\"NoMatch\\\")\\n| extend timestamp = TimeGenerated, IPEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, \\\"NoMatch\\\")\\n),\\n(DnsEvents\\n| where IPAddresses in (IPList) \\n| project TimeGenerated, Computer, IPAddresses, Name, ClientIP, Type\\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Computer \\n| extend timestamp = TimeGenerated, IPEntity = DestinationIPAddress, HostEntity = Computer\\n),\\n(VMConnection\\n| where SourceIp in (IPList) or DestinationIp in (IPList)\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| project TimeGenerated, Computer, Direction, ProcessName, SourceIp, DestinationIp, DestinationPort, RemoteDnsQuestions, DNSName,BytesSent, BytesReceived, RemoteCountry, Type\\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated, IPEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"NoMatch\\\"), File = ProcessName, HostEntity = Computer\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = tostring(EventDetail.[9].[\\\"#text\\\"]), DestinationIP = tostring(EventDetail.[14].[\\\"#text\\\"]), Image = tostring(EventDetail.[4].[\\\"#text\\\"])\\n| where SourceIP in (IPList) or DestinationIP in (IPList)\\n| project TimeGenerated, SourceIP, DestinationIP, Image, UserName, Computer, Type\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\")\\n| extend timestamp = TimeGenerated, File = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), IPEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\"), \\nHostEntity = Computer, AccountName = tostring(split(UserName, @\u0027\\\\\u0027)[1]), AccountDomain = tostring(split(UserName, @\u0027\\\\\u0027)[0])\\n| extend InitiatingProcessAccount = UserName\\n), \\n(OfficeActivity\\n| where ClientIP in (IPList) \\n| project TimeGenerated, UserAgent, Operation, RecordType, UserId, ClientIP, Type\\n| extend timestamp = TimeGenerated, IPEntity = ClientIP, AccountName = tostring(split(UserId, \\\"@\\\")[0]), AccountDomain = tostring(split(UserId, \\\"@\\\")[1])\\n| extend InitiatingProcessAccount = UserId\\n),\\n(DeviceNetworkEvents\\n| where RemoteIP in (IPList) or InitiatingProcessSHA256 in (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, Computer = DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, \\nInitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort, LocalIP, Type\\n| extend timestamp = TimeGenerated, IPEntity = RemoteIP, HostEntity = Computer, AccountName = InitiatingProcessAccountName, AccountDomain = InitiatingProcessAccountDomain\\n| extend InitiatingProcessAccount = strcat(AccountDomain, \\\"\\\\\\\\\\\", AccountName)\\n),\\n(WindowsFirewall\\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| project TimeGenerated, Computer, CommunicationDirection, SourceIP, DestinationIP, SourcePort, DestinationPort, Type\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\")\\n| extend timestamp = TimeGenerated, HostEntity = Computer, IPEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n), \\n(imFileEvent\\n| where TargetFileSHA256 has_any (sha256Hashes)\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n| extend timestamp = TimeGenerated, IPEntity = IPAddress, HostEntity = Computer, Algorithm = \\\"SHA256\\\", FileHash = tostring(FileHash)\\n| extend AccountName = tostring(split(Account, @\u0027\\\\\u0027)[1]), AccountDomain = tostring(split(Account, @\u0027\\\\\u0027)[0])\\n| extend InitiatingProcessAccount = Account\\n),\\n(DeviceFileEvents\\n| where SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, \\nInitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostEntity = DeviceName, AccountName = InitiatingProcessAccountName, AccountDomain = InitiatingProcessAccountDomain, \\nAlgorithm = \\\"SHA256\\\", FileHash = tostring(InitiatingProcessSHA256), CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n| extend InitiatingProcessAccount = strcat(AccountDomain, \\\"\\\\\\\\\\\", AccountName)\\n),\\n(DeviceImageLoadEvents\\n| where SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, \\nInitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostEntity = DeviceName, AccountName = InitiatingProcessAccountName, AccountDomain = InitiatingProcessAccountDomain, \\nAlgorithm = \\\"SHA256\\\", FileHash = tostring(InitiatingProcessSHA256), CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n| extend InitiatingProcessAccount = strcat(AccountDomain, \\\"\\\\\\\\\\\", AccountName)\\n),\\n(Event\\n| where Source =~ \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Image = EventDetail.[4].[\\\"#text\\\"], CommandLine = EventDetail.[10].[\\\"#text\\\"], Hashes = tostring(EventDetail.[17].[\\\"#text\\\"])\\n| extend Hashes = extract_all(@\\\"(?P\u003ckey\u003e\\\\w+)=(?P\u003cvalue\u003e[a-zA-Z0-9]+)\\\", dynamic([\\\"key\\\",\\\"value\\\"]), Hashes)\\n| extend Hashes = column_ifexists(\\\"Hashes\\\", dynamic([\\\"\\\", \\\"\\\"])), CommandLine = column_ifexists(\\\"CommandLine\\\", \\\"\\\")\\n| mv-expand Hashes\\n| where Hashes[0] =~ \\\"SHA256\\\" and Hashes[1] has_any (sha256Hashes) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, Hashes, CommandLine, Image\\n| extend Type = strcat(Type, \\\": \\\", Source)\\n| extend timestamp = TimeGenerated, HostEntity = Computer, AccountName = tostring(split(UserName, @\u0027\\\\\u0027)[1]), AccountUPNSuffix = tostring(split(UserName, @\u0027\\\\\u0027)[0]), FileHash = tostring(Hashes[1])\\n| extend InitiatingProcessAccount = UserName\\n)\\n)\\n| extend HostName = tostring(split(HostEntity, \\\".\\\")[0]), DomainIndex = toint(indexof(HostEntity, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(HostEntity, DomainIndex + 1), HostEntity)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingProcessAccount\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostEntity\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"Algorithm\"},{\"identifier\":\"Value\",\"columnName\":\"FileHash\"}]}],\"tactics\":[\"CommandAndControl\",\"CredentialAccess\"],\"displayName\":\"Europium - Hash and IP IOCs - September 2022\",\"description\":\"Identifies a match across various data feeds for hashes and IP IOC related to Europium\\n Reference: https://www.microsoft.com/security/blog/2022/09/08/microsoft-investigates-iranian-attacks-against-the-albanian-government\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2022-08-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceFileEvents\",\"DeviceImageLoadEvents\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f7c3f5c8-71ea-49ff-b8b3-148f0e346291\",\"name\":\"f7c3f5c8-71ea-49ff-b8b3-148f0e346291\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Low\",\"query\":\"let known_locations = (SigninLogs\\n | where TimeGenerated between(ago(7d)..ago(1d))\\n | where ResultType == 0\\n | extend LocationDetail = strcat(Location, \\\"-\\\", LocationDetails.state)\\n | summarize by LocationDetail);\\nlet known_asn = (SigninLogs\\n | where TimeGenerated between(ago(7d)..ago(1d))\\n | where ResultType == 0\\n | summarize by AutonomousSystemNumber);\\nSigninLogs\\n| where TimeGenerated \u003e ago(1d)\\n| where ResultType == 0\\n| where isempty(DeviceDetail.deviceId)\\n| where AuthenticationRequirement == \\\"singleFactorAuthentication\\\"\\n| extend LocationParsed = parse_json(LocationDetails), DeviceParsed = parse_json(DeviceDetail)\\n| extend City = tostring(LocationParsed.city), State = tostring(LocationParsed.state)\\n| extend LocationDetail = strcat(Location, \\\"-\\\", State)\\n| extend DeviceId = tostring(DeviceParsed.deviceId), DeviceName=tostring(DeviceParsed.displayName), OS=tostring(DeviceParsed.operatingSystem), Browser=tostring(DeviceParsed.browser)\\n| where AutonomousSystemNumber !in (known_asn) and LocationDetail !in (known_locations)\\n| project TimeGenerated, Type, UserId, UserDisplayName, UserPrincipalName, IPAddress, Location, State, City, ResultType, ResultDescription, AppId, AppDisplayName, AuthenticationRequirement, ConditionalAccessStatus, ResourceDisplayName, ClientAppUsed, Identity, HomeTenantId, ResourceTenantId, Status, UserAgent, DeviceId, DeviceName, OS, Browser, MfaDetail\\n| extend Name = tostring(split(UserPrincipalName,\u0027@\u0027,0)[0]), UPNSuffix = tostring(split(UserPrincipalName,\u0027@\u0027,1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]},{\"entityType\":\"CloudApplication\",\"fieldMappings\":[{\"identifier\":\"AppId\",\"columnName\":\"AppId\"},{\"identifier\":\"Name\",\"columnName\":\"AppDisplayName\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Anomalous Single Factor Signin\",\"description\":\"Detects successful signins using single factor authentication where the device, location, and ASN are abnormal.\\n Single factor authentications pose an opportunity to access compromised accounts, investigate these for anomalous occurrencess.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-devices#non-compliant-device-sign-in\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2024-06-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cfc1ae62-db63-4a3e-b88b-dc04030c2257\",\"name\":\"cfc1ae62-db63-4a3e-b88b-dc04030c2257\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"High\",\"query\":\"// change the starttime value for a longer period of known OIDs\\nlet starttime = 1d;\\n// change the lookback value for a longer period of lookback for suspicious/abnormal\\nlet lookback = 1h;\\nlet OIDList = SecurityEvent\\n| where TimeGenerated \u003e= ago(starttime)\\n| where EventSourceName == \u0027AD FS Auditing\u0027\\n| where EventID == 501\\n| where EventData has \u0027/eku\u0027\\n| extend OIDs = extract_all(@\\\"\u003cData\u003e([\\\\d+\\\\.]+)\u003c/Data\u003e\\\", EventData)\\n| mv-expand OIDs\\n| extend OID = tostring(OIDs)\\n| extend OID_Length = strlen(OID)\\n| project TimeGenerated, Computer, EventSourceName, EventID, OID, OID_Length, EventData\\n;\\nOIDList\\n| where TimeGenerated \u003e= ago(lookback)\\n| join kind=leftanti (\\nOIDList\\n| where TimeGenerated between (ago(starttime) .. ago(lookback))\\n| summarize by OID\\n) on OID\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"AD FS Abnormal EKU object identifier attribute\",\"description\":\"This detection uses Security events from the \\\"AD FS Auditing\\\" provider to detect suspicious object identifiers (OIDs) as part EventID 501 and specifically part of the Enhanced Key Usage attributes.\\nThis query checks to see if you have any new OIDs in the last hour that have not been seen in the previous day. New OIDs should be validated and OIDs that are very long, as indicated\\nby the OID_Length field, could also be an indicator of malicious activity.\\nIn order to use this query you need to enable AD FS auditing on the AD FS Server.\\nReferences:\\nhttps://www.microsoft.com/security/blog/2022/08/24/magicweb-nobeliums-post-compromise-trick-to-authenticate-as-anyone/\\nhttps://docs.microsoft.com/windows-server/identity/ad-fs/troubleshooting/ad-fs-tshoot-logging\\n\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2022-08-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/19e01883-15d8-4eb6-a7a5-3276cd668388\",\"name\":\"19e01883-15d8-4eb6-a7a5-3276cd668388\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Medium\",\"query\":\"let timeBin = 1m;\\nlet failedThreshold = 20;\\nW3CIISLog\\n| where scStatus in (\\\"401\\\",\\\"403\\\")\\n| where csUserName != \\\"-\\\"\\n| extend scStatusFull = strcat(scStatus, \\\".\\\",scSubStatus)\\n// Map common IIS codes\\n| extend scStatusFull_Friendly = case(\\nscStatusFull == \\\"401.0\\\", \\\"Access denied.\\\",\\nscStatusFull == \\\"401.1\\\", \\\"Logon failed.\\\",\\nscStatusFull == \\\"401.2\\\", \\\"Logon failed due to server configuration.\\\",\\nscStatusFull == \\\"401.3\\\", \\\"Unauthorized due to ACL on resource.\\\",\\nscStatusFull == \\\"401.4\\\", \\\"Authorization failed by filter.\\\",\\nscStatusFull == \\\"401.5\\\", \\\"Authorization failed by ISAPI/CGI application.\\\",\\nscStatusFull == \\\"403.0\\\", \\\"Forbidden.\\\",\\nscStatusFull == \\\"403.4\\\", \\\"SSL required.\\\",\\n\\\"See - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\\")\\n// Mapping to Hex so can be mapped using website in comments above\\n| extend scWin32Status_Hex = tohex(tolong(scWin32Status))\\n// Map common win32 codes\\n| extend scWin32Status_Friendly = case(\\nscWin32Status_Hex =~ \\\"775\\\", \\\"The referenced account is currently locked out and cannot be logged on to.\\\",\\nscWin32Status_Hex =~ \\\"52e\\\", \\\"Logon failure: Unknown user name or bad password.\\\",\\nscWin32Status_Hex =~ \\\"532\\\", \\\"Logon failure: The specified account password has expired.\\\",\\nscWin32Status_Hex =~ \\\"533\\\", \\\"Logon failure: Account currently disabled.\\\",\\nscWin32Status_Hex =~ \\\"2ee2\\\", \\\"The request has timed out.\\\",\\nscWin32Status_Hex =~ \\\"0\\\", \\\"The operation completed successfully.\\\",\\nscWin32Status_Hex =~ \\\"1\\\", \\\"Incorrect function.\\\",\\nscWin32Status_Hex =~ \\\"2\\\", \\\"The system cannot find the file specified.\\\",\\nscWin32Status_Hex =~ \\\"3\\\", \\\"The system cannot find the path specified.\\\",\\nscWin32Status_Hex =~ \\\"4\\\", \\\"The system cannot open the file.\\\",\\nscWin32Status_Hex =~ \\\"5\\\", \\\"Access is denied.\\\",\\nscWin32Status_Hex =~ \\\"8009030e\\\", \\\"SEC_E_NO_CREDENTIALS\\\",\\nscWin32Status_Hex =~ \\\"8009030C\\\", \\\"SEC_E_LOGON_DENIED\\\",\\n\\\"See - https://msdn.microsoft.com/library/cc231199.aspx\\\")\\n// decode URI when available\\n| extend decodedUriQuery = url_decode(csUriQuery)\\n// Count of failed attempts from same client IP\\n| summarize makeset(decodedUriQuery), makeset(csUserName), makeset(sSiteName), makeset(sPort), makeset(csUserAgent), makeset(csMethod), makeset(csUriQuery), makeset(scStatusFull), makeset(scStatusFull_Friendly), makeset(scWin32Status_Hex), makeset(scWin32Status_Friendly), FailedConnectionsCount = count() by bin(TimeGenerated, timeBin), cIP, Computer, sIP\\n| where FailedConnectionsCount \u003e= failedThreshold\\n| project TimeGenerated, cIP, set_csUserName, set_decodedUriQuery, Computer, set_sSiteName, sIP, set_sPort, set_csUserAgent, set_csMethod, set_scStatusFull, set_scStatusFull_Friendly, set_scWin32Status_Hex, set_scWin32Status_Friendly, FailedConnectionsCount\\n| order by FailedConnectionsCount\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"cIP\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"High count of failed attempts from same client IP\",\"description\":\"Identifies when 20 or more failed attempts from a given client IP in 1 minute occur on the IIS server.\\nThis could be indicative of an attempted brute force. This could also simply indicate a misconfigured service or device.\\nRecommendations: Validate that these are expected connections from the given Client IP. If the client IP is not recognized, potentially block these connections at the edge device.\\nIf these are expected connections, verify the credentials are properly configured on the system, service, application or device that is associated with the client IP.\\nReferences:\\nIIS status code mapping: https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\nWin32 Status code mapping: https://msdn.microsoft.com/library/cc231199.aspx\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2019-03-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/35ce9aff-1708-45b8-a295-5e9a307f5f17\",\"name\":\"35ce9aff-1708-45b8-a295-5e9a307f5f17\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"Medium\",\"query\":\"AzureDevOpsAuditing\\n| where OperationName =~ \\\"Group.UpdateGroupMembership.Add\\\"\\n| where Details has_any (\\\"Project Administrators\\\", \\\"Project Collection Administrators\\\", \\\"Project Collection Service Accounts\\\", \\\"Build Administrator\\\")\\n| project-reorder TimeGenerated, Details, ActorUPN, IpAddress, UserAgent, AuthenticationMechanism, ScopeDisplayName\\n| extend timekey = bin(TimeGenerated, 1h)\\n| extend ActorUserId = tostring(Data.MemberId)\\n| project timekey, ActorUserId, AddingUser=ActorUPN, TimeAdded=TimeGenerated, PermissionGrantDetails = Details\\n// Get details of operations conducted by user soon after elevation of permissions\\n| join (AzureDevOpsAuditing\\n| extend ActorUserId = tostring(Data.MemberId)\\n| extend timekey = bin(TimeGenerated, 1h)) on timekey, ActorUserId\\n| summarize ActionsWhenAdded = make_set(OperationName) by ActorUPN, AddingUser, TimeAdded, PermissionGrantDetails, IpAddress, UserAgent\\n| extend AccountName = tostring(split(ActorUPN, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(ActorUPN, \\\"@\\\")[1])\\n| extend AddingUserAccountName = tostring(split(AddingUser, \\\"@\\\")[0]), AddingUserAccountUPNSuffix = tostring(split(AddingUser, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ActorUPN\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddingUser\"},{\"identifier\":\"Name\",\"columnName\":\"AddingUserAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AddingUserAccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"New PA, PCA, or PCAS added to Azure DevOps\",\"description\":\"In order for an attacker to be able to conduct many potential attacks against Azure DevOps they will need to gain elevated permissions. \\nThis detection looks for users being granted key administrative permissions. If the principal of least privilege is applied, the number of users granted these permissions should be small. Note that permissions can also be granted via Microsoft Entra ID Protection groups and monitoring of these should also be conducted.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5b72f527-e3f6-4a00-9908-8e4fee14da9f\",\"name\":\"5b72f527-e3f6-4a00-9908-8e4fee14da9f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.7\",\"severity\":\"Low\",\"query\":\"CommonSecurityLog\\n| where isnotempty(DestinationPort) and DeviceAction !in (\\\"reset-both\\\", \\\"deny\\\")\\n// filter out common usage ports. Add ports that are legitimate for your environment\\n| where DestinationPort !in (\\\"443\\\", \\\"53\\\", \\\"389\\\", \\\"80\\\", \\\"0\\\", \\\"880\\\", \\\"8888\\\", \\\"8080\\\")\\n| where ApplicationProtocol == \\\"incomplete\\\"\\n// filter out IANA ephemeral or negotiated ports as per https://en.wikipedia.org/wiki/Ephemeral_port\\n| where DestinationPort !between (toint(49512) .. toint(65535))\\n| where Computer != \\\"\\\"\\n| where ipv4_is_private(DestinationIP) == false\\n| extend Reason = coalesce(\\n column_ifexists(\\\"Reason\\\", \\\"\\\"),\\n extract(\\\"reason=(.+?)(;|$)\\\", 1, AdditionalExtensions),\\n \\\"\\\"\\n )\\n// Filter out any graceful reset reasons of AGED OUT which occurs when a TCP session closes with a FIN due to aging out.\\n| where Reason !has \\\"aged-out\\\"\\n// Filter out any TCP FIN which occurs when a TCP FIN is used to gracefully close half or both sides of a connection.\\n| where Reason !has \\\"tcp-fin\\\"\\n// Uncomment one of the following where clauses to trigger on specific TCP reset reasons\\n// See Palo Alto article for details - https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClUvCAK\\n// TCP RST-server - Occurs when the server sends a TCP reset to the client\\n// | where AdditionalExtensions has \\\"reason=tcp-rst-from-server\\\"\\n// TCP RST-client - Occurs when the client sends a TCP reset to the server\\n// | where AdditionalExtensions has \\\"reason=tcp-rst-from-client\\\"\\n// Already performed\\n//| extend reason = tostring(split(AdditionalExtensions, \\\";\\\")[3])\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by DeviceName, SourceUserID, SourceIP, ApplicationProtocol, Reason, DestinationPort, Protocol, DeviceVendor, DeviceProduct, DeviceAction, DestinationIP\\n| where count_ \u003e= 10\\n| summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), makeset(DestinationIP), totalcount = sum(count_) by DeviceName, SourceUserID, SourceIP, ApplicationProtocol, Reason, DestinationPort, Protocol, DeviceVendor, DeviceProduct, DeviceAction\\n| extend timestamp = StartTimeUtc, IPCustomEntity = SourceIP, AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Discovery\"],\"displayName\":\"Palo Alto - possible internal to external port scanning\",\"description\":\"Identifies a list of internal Source IPs (10.x.x.x Hosts) that have triggered 10 or more non-graceful tcp server resets from one or more Destination IPs which results in an \\\"ApplicationProtocol = incomplete\\\" designation. The server resets coupled with an \\\"Incomplete\\\" ApplicationProtocol designation can be an indication of internal to external port scanning or probing attack.\\nReferences: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClUvCAK and\\nhttps://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClTaCAK\",\"lastUpdatedDateUTC\":\"2024-11-07T00:00:00Z\",\"createdDateUTC\":\"2019-02-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CefAma\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/af435ca1-fb70-4de1-92c1-7435c48482a9\",\"name\":\"af435ca1-fb70-4de1-92c1-7435c48482a9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"let admin_users = (IdentityInfo\\n | summarize arg_max(TimeGenerated, *) by AccountUPN\\n | where AssignedRoles contains \\\"admin\\\"\\n | summarize by tolower(AccountUPN));\\n let admin_asn = (SigninLogs\\n | where TimeGenerated between (ago(7d)..ago(1d))\\n | where tolower(UserPrincipalName) in (admin_users)\\n | summarize by AutonomousSystemNumber);\\n let admin_locations = (SigninLogs\\n | where TimeGenerated between (ago(7d)..ago(1d))\\n | where tolower(UserPrincipalName) in (admin_users)\\n | summarize by Location);\\n let admin_devices = (SigninLogs\\n | where TimeGenerated between (ago(7d)..ago(1d))\\n | where tolower(UserPrincipalName) in (admin_users)\\n | extend deviceId = tostring(DeviceDetail.deviceId)\\n | where isnotempty(deviceId)\\n | summarize by deviceId);\\n SigninLogs\\n | where TimeGenerated \u003e ago(1d)\\n | where ResultType == 0\\n | where tolower(UserPrincipalName) in (admin_users)\\n | extend deviceId = tostring(DeviceDetail.deviceId)\\n | where AutonomousSystemNumber !in (admin_asn) and deviceId !in (admin_devices) and Location !in (admin_locations)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Authentications of Privileged Accounts Outside of Expected Controls\",\"description\":\"Detects when a privileged user account successfully authenticates from a location, device or ASN that another admin has not logged in from in the last 7 days.\\n Privileged accounts are a key target for threat actors, monitoring for logins from these accounts that deviate from normal activity can help identify compromised accounts.\\n Authentication attempts should be investigated to ensure the activity was legitimate and if there is other similar activity.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-successful-unusual-sign-ins\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"BehaviorAnalytics\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"IdentityInfo\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0777f138-e5d8-4eab-bec1-e11ddfbc2be2\",\"name\":\"0777f138-e5d8-4eab-bec1-e11ddfbc2be2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.5\",\"severity\":\"Low\",\"query\":\"let threshold = 20;\\nlet ReasontoSubStatus = datatable(SubStatus: string, Reason: string) [\\n \\\"0xc000005e\\\", \\\"There are currently no logon servers available to service the logon request.\\\",\\n \\\"0xc0000064\\\", \\\"User logon with misspelled or bad user account\\\",\\n \\\"0xc000006a\\\", \\\"User logon with misspelled or bad password\\\",\\n \\\"0xc000006d\\\", \\\"Bad user name or password\\\",\\n \\\"0xc000006e\\\", \\\"Unknown user name or bad password\\\",\\n \\\"0xc000006f\\\", \\\"User logon outside authorized hours\\\",\\n \\\"0xc0000070\\\", \\\"User logon from unauthorized workstation\\\",\\n \\\"0xc0000071\\\", \\\"User logon with expired password\\\",\\n \\\"0xc0000072\\\", \\\"User logon to account disabled by administrator\\\",\\n \\\"0xc00000dc\\\", \\\"Indicates the Sam Server was in the wrong state to perform the desired operation\\\",\\n \\\"0xc0000133\\\", \\\"Clocks between DC and other computer too far out of sync\\\",\\n \\\"0xc000015b\\\", \\\"The user has not been granted the requested logon type (aka logon right) at this machine\\\",\\n \\\"0xc000018c\\\", \\\"The logon request failed because the trust relationship between the primary domain and the trusted domain failed\\\",\\n \\\"0xc0000192\\\", \\\"An attempt was made to logon, but the Netlogon service was not started\\\",\\n \\\"0xc0000193\\\", \\\"User logon with expired account\\\",\\n \\\"0xc0000224\\\", \\\"User is required to change password at next logon\\\",\\n \\\"0xc0000225\\\", \\\"Evidently a bug in Windows and not a risk\\\",\\n \\\"0xc0000234\\\", \\\"User logon with account locked\\\",\\n \\\"0xc00002ee\\\", \\\"Failure Reason: An Error occurred during Logon\\\",\\n \\\"0xc0000413\\\", \\\"Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine\\\"\\n];\\n(union isfuzzy=true\\n (SecurityEvent\\n | where EventID == 4625\\n | where AccountType =~ \\\"User\\\"\\n | where SubStatus !~ \u00270xc0000064\u0027 and Account !in (\u0027\\\\\\\\\u0027, \u0027-\\\\\\\\-\u0027)\\n // SubStatus \u00270xc0000064\u0027 signifies \u0027Account name does not exist\u0027\\n | extend\\n ResourceId = column_ifexists(\\\"_ResourceId\\\", _ResourceId),\\n SourceComputerId = column_ifexists(\\\"SourceComputerId\\\", SourceComputerId),\\n SubStatus = tolower(SubStatus)\\n | lookup ReasontoSubStatus on SubStatus\\n | extend coalesce(Reason, strcat(\u0027Unknown reason substatus: \u0027, SubStatus))\\n | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), FailedLogonCount = count() by bin(TimeGenerated,10m), EventID,\\n Activity, Computer, Account, TargetAccount, TargetUserName, TargetDomainName,\\n LogonType, LogonTypeName, LogonProcessName, Status, SubStatus, Reason, ResourceId, SourceComputerId, WorkstationName, IpAddress\\n | where FailedLogonCount \u003e= threshold\\n ),\\n (\\n (WindowsEvent\\n | where EventID == 4625 and not(EventData has \u00270xc0000064\u0027)\\n | extend TargetAccount = strcat(tostring(EventData.TargetDomainName), \\\"\\\\\\\\\\\", tostring(EventData.TargetUserName))\\n | extend TargetUserSid = tostring(EventData.TargetUserSid)\\n | extend AccountType=case(EventData.TargetUserName endswith \\\"$\\\" or TargetUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(TargetUserSid), \\\"\\\", \\\"User\\\")\\n | where AccountType =~ \\\"User\\\"\\n | extend SubStatus = tostring(EventData.SubStatus)\\n | where SubStatus !~ \u00270xc0000064\u0027 and TargetAccount !in (\u0027\\\\\\\\\u0027, \u0027-\\\\\\\\-\u0027)\\n // SubStatus \u00270xc0000064\u0027 signifies \u0027Account name does not exist\u0027\\n | extend\\n ResourceId = column_ifexists(\\\"_ResourceId\\\", _ResourceId),\\n SourceComputerId = column_ifexists(\\\"SourceComputerId\\\", \\\"\\\"),\\n SubStatus = tolower(SubStatus)\\n | lookup ReasontoSubStatus on SubStatus\\n | extend coalesce(Reason, strcat(\u0027Unknown reason substatus: \u0027, SubStatus))\\n | extend Activity=\\\"4625 - An account failed to log on.\\\"\\n | extend TargetUserName = tostring(EventData.TargetUserName)\\n | extend TargetDomainName = tostring(EventData.TargetDomainName)\\n | extend LogonType = tostring(EventData.LogonType)\\n | extend Status= tostring(EventData.Status)\\n | extend LogonProcessName = tostring(EventData.LogonProcessName)\\n | extend WorkstationName = tostring(EventData.WorkstationName)\\n | extend IpAddress = tostring(EventData.IpAddress)\\n | extend LogonTypeName=case(\\n LogonType == 2, \\\"2 - Interactive\\\",\\n LogonType == 3, \\\"3 - Network\\\",\\n LogonType == 4, \\\"4 - Batch\\\",\\n LogonType == 5, \\\"5 - Service\\\",\\n LogonType == 7, \\\"7 - Unlock\\\",\\n LogonType == 8, \\\"8 - NetworkCleartext\\\",\\n LogonType == 9, \\\"9 - NewCredentials\\\",\\n LogonType == 10, \\\"10 - RemoteInteractive\\\",\\n LogonType == 11, \\\"11 - CachedInteractive\\\",\\n tostring(LogonType)\\n )\\n | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), FailedLogonCount = count() by bin(TimeGenerated,10m), EventID,\\n Activity, Computer, TargetAccount, TargetUserName, TargetDomainName,\\n LogonType, LogonTypeName, LogonProcessName, Status, SubStatus, Reason, ResourceId, SourceComputerId, WorkstationName, IpAddress\\n | where FailedLogonCount \u003e= threshold\\n )))\\n| summarize arg_max(TimeGenerated, *) by Computer, TargetAccount, TargetUserName, TargetDomainName\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetAccount\"},{\"identifier\":\"Name\",\"columnName\":\"TargetUserName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"TargetDomainName\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Failed logon attempts by valid accounts within 10 mins\",\"description\":\"Identifies when failed logon attempts are 20 or higher during a 10 minute period (2 failed logons per minute minimum) from valid account.\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2019-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2de8abd6-a613-450e-95ed-08e503369fb3\",\"name\":\"2de8abd6-a613-450e-95ed-08e503369fb3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"High\",\"query\":\"let log4jioc = dynamic([\\\"jndi\\\",\\\"ldap\\\",\\\"${::\\\"]);\\nAzureDiagnostics\\n| where ResourceProvider == \\\"MICROSOFT.NETWORK\\\" and Category in (\\\"ApplicationGatewayFirewallLog\\\", \\\"FrontdoorWebApplicationFirewallLog\\\")\\n| extend details_data_s = column_ifexists(\\\"details_data_s\\\", tostring(AdditionalFields.details_data))\\n|where requestUri_s has_any (log4jioc) or details_message_s has_any (log4jioc) or details_data_s has_any (log4jioc)\\n| extend Malicious = iff(isnotempty( details_data_s),details_data_s,iff(isnotempty( requestUri_s),requestUri_s,\\\"\\\"))\\n|parse Malicious with * \u0027${\u0027 MaliciousCommand \u0027}\u0027 * \\n| extend EncodeCmd = iff(MaliciousCommand has \u0027Base64/\u0027, split(split(MaliciousCommand, \\\"Base64/\\\",1)[0], \\\"}\\\", 0)[0], \\\"\\\")\\n| extend EncodeCmd1 = iff(MaliciousCommand has \u0027base64/\u0027, split(split(MaliciousCommand, \\\"base64/\\\",1)[0], \\\"}\\\", 0)[0], \\\"\\\")\\n| extend CmdLine = iff( isnotempty(EncodeCmd), EncodeCmd, EncodeCmd1)\\n| extend DecodedCmdLine = base64_decode_tostring(tostring(CmdLine))\\n| extend DecodedCmdLine = iff( isnotempty(DecodedCmdLine), DecodedCmdLine, \\\"Unable to decode/Doesn\u0027t need decoding\\\")\\n| project TimeGenerated, Target=column_ifexists(\\\"hostname_s\\\", tostring(AdditionalFields.hostname)), MaliciousHost = column_ifexists(\\\"clientIp_s\\\", tostring(AdditionalFields.clientIp)) , MaliciousCommand, details_data_s = column_ifexists(\\\"details_data_s\\\", tostring(AdditionalFields.details_data)), DecodedCmdLine, Message,\\nruleSetType_s = column_ifexists(\\\"ruleSetType_s\\\", tostring(AdditionalFields.ruleSetType)), OperationName, SubscriptionId, details_message_s = column_ifexists(\\\"details_message_s\\\", tostring(AdditionalFields.details_message)), \\ndetails_file_s = column_ifexists(\\\"details_message_s\\\", tostring(AdditionalFields.details_file))\\n| extend timestamp = TimeGenerated\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"MaliciousHost\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Azure WAF matching for Log4j vuln(CVE-2021-44228)\",\"description\":\"This query will alert on a positive pattern match by Azure WAF for CVE-2021-44228 log4j vulnerability exploitation attempt. If possible, it then decodes the malicious command for further analysis.\\n Reference: https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2021-12-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"WAF\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/97ad74c4-fdd9-4a3f-b6bf-5e28f4f71e06\",\"name\":\"97ad74c4-fdd9-4a3f-b6bf-5e28f4f71e06\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.2\",\"severity\":\"Medium\",\"query\":\"let LearningPeriod = 7d;\\nlet BinTime = 1h;\\nlet RunTime = 1h;\\nlet StartTime = 1h; \\nlet sensitivity = 2.5;\\nlet EndRunTime = StartTime - RunTime;\\nlet EndLearningTime = StartTime + LearningPeriod;\\nlet aadFunc = (tableName:string){\\ntable(tableName) \\n| where TimeGenerated between (ago(EndLearningTime) .. ago(EndRunTime))\\n| where AppDisplayName =~ \\\"GitHub.com\\\"\\n| where ResultType != 0\\n| make-series FailedLogins = count() on TimeGenerated from ago(LearningPeriod) to ago(EndRunTime) step BinTime by UserPrincipalName, Type\\n| extend (Anomalies, Score, Baseline) = series_decompose_anomalies(FailedLogins, sensitivity, -1, \u0027linefit\u0027)\\n| mv-expand FailedLogins to typeof(double), TimeGenerated to typeof(datetime), Anomalies to typeof(double), Score to typeof(double), Baseline to typeof(long) \\n| where TimeGenerated \u003e= ago(RunTime)\\n| where Anomalies \u003e 0 and Baseline \u003e 0\\n| join kind=inner (\\n table(tableName) \\n | where TimeGenerated between (ago(StartTime) .. ago(EndRunTime))\\n | where AppDisplayName =~ \\\"GitHub.com\\\"\\n | where ResultType != 0\\n | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), IPAddresses = make_set(IPAddress,100), Locations = make_set(LocationDetails,20), Devices = make_set(DeviceDetail,20) by UserPrincipalName, UserId, AppDisplayName\\n ) on UserPrincipalName\\n| project-away UserPrincipalName1\\n| extend Name = tostring(split(UserPrincipalName,\u0027@\u0027,0)[0]), UPNSuffix = tostring(split(UserPrincipalName,\u0027@\u0027,1)[0])\\n| extend IPAddressFirst = tostring(IPAddresses[0])\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"UserId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddressFirst\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Brute Force Attack against GitHub Account\",\"description\":\"Attackers who are trying to guess your users\u0027 passwords or use brute-force methods to get in. If your organization is using SSO with Microsoft Entra ID, authentication logs to GitHub.com will be generated. Using the following query can help you identify a sudden increase in failed logon attempt of users.\",\"lastUpdatedDateUTC\":\"2024-04-05T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/05b4bccd-dd12-423d-8de4-5a6fb526bb4f\",\"name\":\"05b4bccd-dd12-423d-8de4-5a6fb526bb4f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"let known_processes = (\\n SecurityEvent\\n // If adjusting Query Period or Frequency update these\\n | where TimeGenerated between(ago(14d)..ago(1d))\\n | where EventID == 4688\\n | where NewProcessName has_any (\\\"Policies\\\\\\\\{6AC1786C-016F-11D2-945F-00C04fB984F9}\\\", \\\"Policies\\\\\\\\{31B2F340-016D-11D2-945F-00C04FB984F9}\\\")\\n | summarize by Process);\\n SecurityEvent\\n // If adjusting Query Period or Frequency update these\\n | where TimeGenerated \u003e ago(1d)\\n | where EventID == 4688\\n | where NewProcessName has_any (\\\"Policies\\\\\\\\{6AC1786C-016F-11D2-945F-00C04fB984F9}\\\", \\\"Policies\\\\\\\\{31B2F340-016D-11D2-945F-00C04FB984F9}\\\")\\n | where Process !in (known_processes)\\n // This will likely apply to multiple hosts so summarize these data\\n | summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated) by Process, NewProcessName, CommandLine, Computer\\n | extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n | extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"Execution\",\"LateralMovement\"],\"displayName\":\"New EXE deployed via Default Domain or Default Domain Controller Policies\",\"description\":\"This detection highlights executables deployed to hosts via either the Default Domain or Default Domain Controller Policies. These policies apply to all hosts or Domain Controllers and best practice is that these policies should not be used for deployment of files.\\nA threat actor may use these policies to deploy files or scripts to all hosts in a domain.\",\"lastUpdatedDateUTC\":\"2024-03-13T00:00:00Z\",\"createdDateUTC\":\"2022-02-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/826bb2f8-7894-4785-9a6b-a8a855d8366f\",\"name\":\"826bb2f8-7894-4785-9a6b-a8a855d8366f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Medium\",\"query\":\"let EventNameList = dynamic([\\\"AttachUserPolicy\\\",\\\"AttachRolePolicy\\\",\\\"AttachGroupPolicy\\\"]);\\nlet createPolicy = dynamic([\\\"CreatePolicy\\\", \\\"CreatePolicyVersion\\\"]);\\nlet timeframe = 1d;\\nlet lookback = 14d;\\n// Creating Master table with all the events to use with materialize for better performance\\nlet EventInfo = AWSCloudTrail\\n| where TimeGenerated \u003e= ago(lookback)\\n| where EventName in (EventNameList) or EventName in (createPolicy)\\n| extend UserIdentityArn = iif(isempty(UserIdentityArn), tostring(parse_json(Resources)[0].ARN), UserIdentityArn)\\n| extend UserName = tostring(split(UserIdentityArn, \u0027/\u0027)[-1])\\n| extend AccountName = case( UserIdentityPrincipalid == \\\"Anonymous\\\", \\\"Anonymous\\\", isempty(UserIdentityUserName), UserName, UserIdentityUserName)\\n| extend AccountName = iif(AccountName contains \\\"@\\\", tostring(split(AccountName, \u0027@\u0027, 0)[0]), AccountName),\\n AccountUPNSuffix = iif(AccountName contains \\\"@\\\", tostring(split(AccountName, \u0027@\u0027, 1)[0]), \\\"\\\");\\n//Checking for Policy creation event with Full Admin Privileges since lookback period.\\nlet FullAdminPolicyEvents = materialize( EventInfo\\n| where TimeGenerated \u003e= ago(lookback)\\n| where EventName in (createPolicy)\\n| extend PolicyName = tostring(parse_json(RequestParameters).policyName)\\n| extend Statement = parse_json(tostring((parse_json(RequestParameters).policyDocument))).Statement\\n| mvexpand Statement\\n| extend Action = parse_json(Statement).Action , Effect = tostring(parse_json(Statement).Effect), Resource = tostring(parse_json(Statement).Resource)\\n| mvexpand Action\\n| extend Action = tostring(Action)\\n| where Effect =~ \\\"Allow\\\" and Action == \\\"*\\\" and Resource == \\\"*\\\"\\n| distinct TimeGenerated, EventName, PolicyName, SourceIpAddress, UserIdentityArn, UserIdentityUserName, RecipientAccountId, AccountName, AccountUPNSuffix\\n| extend UserIdentityUserName = iff(isnotempty(UserIdentityUserName), UserIdentityUserName, tostring(split(UserIdentityArn,\u0027/\u0027)[-1]))\\n| project-rename StartTime = TimeGenerated );\\nlet PolicyAttach = materialize( EventInfo\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where EventName in (EventNameList)\\n| extend PolicyName = tostring(split(tostring(parse_json(RequestParameters).policyArn),\\\"/\\\")[1])\\n| summarize AttachEventCount=count(), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventSource, EventName, UserIdentityType , UserIdentityArn, SourceIpAddress, RecipientAccountId, AccountName, AccountUPNSuffix, PolicyName\\n| extend AttachEvent = pack(\\\"StartTime\\\", StartTime, \\\"EndTime\\\", EndTime, \\\"EventName\\\", EventName, \\\"UserIdentityType\\\", UserIdentityType, \\\"AccountName\\\", AccountName, \\\"AccountUPNSuffix\\\", AccountUPNSuffix, \\\"RecipientAccountId\\\", RecipientAccountId, \\\"UserIdentityArn\\\", UserIdentityArn, \\\"SourceIpAddress\\\", SourceIpAddress)\\n| project EventSource, PolicyName, AttachEvent, RecipientAccountId, AccountName, AccountUPNSuffix, AttachEventCount\\n);\\n// Joining the list of PolicyNames and checking if it has been attached to any Roles/Users/Groups.\\n// These Roles/Users/Groups will be Privileged and can be used by adversaries as pivot point for privilege escalation via multiple ways.\\nFullAdminPolicyEvents\\n| join kind=leftouter\\n(\\n PolicyAttach\\n)\\non PolicyName\\n| project-away PolicyName1\\n| extend timestamp = StartTime\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"},{\"identifier\":\"CloudAppAccountId\",\"columnName\":\"RecipientAccountId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIpAddress\"}]}],\"tactics\":[\"PrivilegeEscalation\",\"DefenseEvasion\"],\"displayName\":\"Full Admin policy created and then attached to Roles, Users or Groups\",\"description\":\"Identity and Access Management (IAM) securely manages access to AWS services and resources. \\nIdentifies when a policy is created with Full Administrators Access (Allow-Action:*,Resource:*). \\nThis policy can be attached to role,user or group and may be used by an adversary to escalate a normal user privileges to an adminsitrative level.\\nAWS IAM Policy Grammar: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_grammar.html \\nand AWS IAM API at https://docs.aws.amazon.com/IAM/latest/APIReference/API_Operations.html\",\"lastUpdatedDateUTC\":\"2024-07-15T00:00:00Z\",\"createdDateUTC\":\"2020-04-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1785d372-b9fe-4283-96a6-3a1d83cabfd1\",\"name\":\"1785d372-b9fe-4283-96a6-3a1d83cabfd1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"High\",\"query\":\"let Tarrask_threats = dynamic([\\\"HackTool:Win64/Tarrask!MS\\\", \\\"HackTool:Win64/Ligolo!MSR\\\", \\\"Behavior:Win32/ScheduledTaskHide.A\\\", \\\"Tarrask\\\"]);\\nDeviceInfo\\n| extend DeviceName = tolower(DeviceName)\\n| join kind=rightouter ( SecurityAlert\\n| where ProviderName =~ \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)\\n| where ThreatName in~ (Tarrask_threats) or ThreatFamilyName in~ (Tarrask_threats)\\n| extend CompromisedEntity = tolower(CompromisedEntity)\\n) on $left.DeviceName == $right.CompromisedEntity\\n| summarize by DisplayName, ThreatName, ThreatFamilyName, PublicIP, AlertSeverity, Description, tostring(LoggedOnUsers), DeviceId, TenantId , bin(TimeGenerated, 1d), CompromisedEntity, tostring(LoggedOnUsers), ProductName, Entities\\n| extend HostName = tostring(split(CompromisedEntity, \\\".\\\")[0]), DomainIndex = toint(indexof(CompromisedEntity, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(CompromisedEntity, DomainIndex + 1), CompromisedEntity)\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CompromisedEntity\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"PublicIP\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"AV detections related to Tarrask malware\",\"description\":\"This query looks for Microsoft Defender AV detections related to Tarrask malware. In Microsoft Sentinel, the SecurityAlerts table includes only the Device Name of the affected device, this query joins the DeviceInfo table to clearly connect other information such as Device group, ip, logged-on users etc. \\n This would allow the Microsoft Sentinel analyst to have more context related to the alert, if available.\\n Reference: https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-04-12T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e2559891-383c-4caf-ae67-55a008b9f89e\",\"name\":\"e2559891-383c-4caf-ae67-55a008b9f89e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.5\",\"severity\":\"Medium\",\"query\":\"let HAS_ANY_MAX = 10000;\\nlet dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet IP_TI = ThreatIntelligenceIndicator\\n | where TimeGenerated \u003e= ago(ioc_lookBack)\\n // As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n // Taking the first non-empty value based on potential IOC match availability\\n | extend TI_ipEntity = coalesce(NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, \\\"NO_IP\\\")\\n // Picking up only IOC\u0027s that contain the entities we want\\n | where TI_ipEntity != \\\"NO_IP\\\"\\n // Exclude local addresses, using the ipv4_is_private operator\\n | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \\\"fe80\\\" and TI_ipEntity !startswith \\\"::\\\" and TI_ipEntity !startswith \\\"127.\\\"\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n | where Active == true and ExpirationDateTime \u003e now();\\nlet IP_TI_list = toscalar(IP_TI\\n | summarize NIoCs = dcount(TI_ipEntity), IoCs = make_set(TI_ipEntity)\\n | project IoCs = iff(NIoCs \u003e HAS_ANY_MAX, dynamic([]), IoCs));\\nIP_TI\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind = innerunique (\\n _Im_WebSession (starttime = ago(dt_lookBack), srcipaddr_has_any_prefix = IP_TI_list)\\n | where isnotempty(SrcIpAddr)\\n // renaming time column so it is clear the log this came from\\n | extend imNWS_TimeGenerated = TimeGenerated\\n )\\n on $left.TI_ipEntity == $right.SrcIpAddr\\n| where imNWS_TimeGenerated \u003c ExpirationDateTime\\n| summarize imNWS_TimeGenerated = arg_max(imNWS_TimeGenerated, *) by IndicatorId, DstIpAddr\\n| project imNWS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore,\\n TI_ipEntity, Dvc, SrcIpAddr, DstIpAddr, Url, Type\",\"customDetails\":{\"EventTime\":\"imNWS_TimeGenerated\",\"IoCDescription\":\"Description\",\"ActivityGroupNames\":\"ActivityGroupNames\",\"IndicatorId\":\"IndicatorId\",\"ThreatType\":\"ThreatType\",\"IoCExpirationTime\":\"ExpirationDateTime\",\"IoCConfidenceScore\":\"ConfidenceScore\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DstIpAddr\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"The IP {{SrcIpAddr}} of the web request matches an IP IoC\",\"alertDescriptionFormat\":\"The source address {{SrcIpAddr}} of the web request for the URL {{Url}} matches a known indicator of compromise of {{ThreatType}}. Consult the threat intelligence feed for more information about the indicator.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"CommandAndControl\"],\"displayName\":\"TI map IP entity to Web Session Events (ASIM Web Session schema)\",\"description\":\"This rule identifies Web Sessions for which the source IP address is a known IoC. This rule uses the [Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) and supports any web session source that complies with ASIM.\",\"lastUpdatedDateUTC\":\"2024-07-09T00:00:00Z\",\"createdDateUTC\":\"2022-03-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/99d589fa-7337-40d7-91a0-c96d0c4fa437\",\"name\":\"99d589fa-7337-40d7-91a0-c96d0c4fa437\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let core_domains = (SigninLogs\\n | where TimeGenerated \u003e ago(7d)\\n | where ResultType == 0\\n | extend domain = tolower(split(UserPrincipalName, \\\"@\\\")[1])\\n | summarize by tostring(domain));\\n let alternative_domains = (SigninLogs\\n | where TimeGenerated \u003e ago(7d)\\n | where isnotempty(AlternateSignInName)\\n | where ResultType == 0\\n | extend domain = tolower(split(AlternateSignInName, \\\"@\\\")[1])\\n | summarize by tostring(domain));\\n AuditLogs\\n | where TimeGenerated \u003e ago(1d)\\n | where OperationName =~ \\\"Add User\\\"\\n | extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n | extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n | extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n | extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n | extend InitiatingIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\\n | extend UserAdded = tostring(TargetResources[0].userPrincipalName)\\n | extend UserAddedDomain = case(\\n UserAdded has \\\"#EXT#\\\", tostring(split(tostring(split(UserAdded, \\\"#EXT#\\\")[0]), \\\"_\\\")[1]),\\n UserAdded !has \\\"#EXT#\\\", tostring(split(UserAdded, \\\"@\\\")[1]),\\n UserAdded)\\n | where UserAddedDomain !in (core_domains) and UserAddedDomain !in (alternative_domains)\\n | extend AddedByName = case(\\n InitiatingUserPrincipalName has \\\"#EXT#\\\", tostring(split(tostring(split(InitiatingUserPrincipalName, \\\"#EXT#\\\")[0]), \\\"_\\\")[0]),\\n InitiatingUserPrincipalName !has \\\"#EXT#\\\", tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[0]),\\n InitiatingUserPrincipalName)\\n | extend AddedByUPNSuffix = case(\\n InitiatingUserPrincipalName has \\\"#EXT#\\\", tostring(split(tostring(split(InitiatingUserPrincipalName, \\\"#EXT#\\\")[0]), \\\"_\\\")[1]),\\n InitiatingUserPrincipalName !has \\\"#EXT#\\\", tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[1]),\\n InitiatingUserPrincipalName)\\n | extend UserAddedName = case(\\n UserAdded has \\\"#EXT#\\\", tostring(split(tostring(split(UserAdded, \\\"#EXT#\\\")[0]), \\\"_\\\")[0]),\\n UserAdded !has \\\"#EXT#\\\", tostring(split(UserAdded, \\\"@\\\")[0]),\\n UserAdded)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"InitiatingAppName\"},{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAppServicePrincipalId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"AddedByName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AddedByUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIpAddress\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserAdded\"},{\"identifier\":\"Name\",\"columnName\":\"UserAddedName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UserAddedDomain\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Account created from non-approved sources\",\"description\":\"This query looks for an account being created from a domain that is not regularly seen in a tenant.\\n Attackers may attempt to add accounts from these sources as a means of establishing persistant access to an environment.\\n Created accounts should be investigated to confirm expected creation.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#short-lived-accounts\",\"lastUpdatedDateUTC\":\"2024-01-25T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\",\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/532f62c1-fba6-4baa-bbb6-4a32a4ef32fa\",\"name\":\"532f62c1-fba6-4baa-bbb6-4a32a4ef32fa\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.4.3\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h; // Define the time range to look back for syslog data (1 hour)\\nlet ioc_lookBack = 14d; // Define the time range to look back for threat intelligence indicators (14 days)\\n// Create a list of top-level domains (TLDs) from the threat feed for later validation\\nlet list_tlds = ThreatIntelligenceIndicator\\n | where isnotempty(DomainName)\\n | where TimeGenerated \u003e ago(ioc_lookBack)\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n | where Active == true and ExpirationDateTime \u003e now()\\n | extend parts = split(DomainName, \u0027.\u0027)\\n | extend tld = parts[(array_length(parts)-1)]\\n | summarize count() by tostring(tld)\\n | summarize make_list(tld);\\n// Fetch the latest active domain indicators from the threat intelligence data within the specified time range\\nlet Domain_Indicators = ThreatIntelligenceIndicator\\n | where isnotempty(DomainName)\\n | where TimeGenerated \u003e= ago(ioc_lookBack)\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n | where Active == true and ExpirationDateTime \u003e now()\\n | extend TI_DomainEntity = DomainName;\\n// Join the threat intelligence indicators with syslog data on matching domain entities\\nDomain_Indicators\\n | join kind=innerunique (\\n Syslog\\n | where TimeGenerated \u003e ago(dt_lookBack)\\n // Extract domain patterns from syslog messages\\n | extend domain = extract(\\\"(([a-z0-9]+(-[a-z0-9]+)*\\\\\\\\.)+[a-z]{2,})\\\",1, tolower(SyslogMessage))\\n | where isnotempty(domain)\\n | extend parts = split(domain, \u0027.\u0027)\\n // Split out the top-level domain (TLD)\\n | extend tld = parts[(array_length(parts)-1)]\\n // Validate parsed domain by checking if the TLD is in the list of TLDs in our threat feed\\n | where tld in~ (list_tlds)\\n | extend Syslog_TimeGenerated = TimeGenerated\\n ) on $left.TI_DomainEntity==$right.domain\\n | where Syslog_TimeGenerated \u003c ExpirationDateTime\\n // Retrieve the latest syslog timestamp for each indicator and domain combination\\n | summarize Syslog_TimeGenerated = arg_max(Syslog_TimeGenerated, *) by IndicatorId, domain\\n // Select the desired columns for the final result set\\n | project Syslog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, SyslogMessage, Computer, ProcessName, domain, HostIP, Url, Type, TI_DomainEntity\\n // Extract the hostname from the Computer field\\n | extend HostName = tostring(split(Computer, \u0027.\u0027, 0)[0])\\n // Extract the DNS domain from the Computer field\\n | extend DnsDomain = tostring(strcat_array(array_slice(split(Computer, \u0027.\u0027), 1, -1), \u0027.\u0027))\\n // Assign the Syslog_TimeGenerated value to the timestamp field\\n | extend timestamp = Syslog_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"HostIP\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"TI map Domain entity to Syslog\",\"description\":\"Identifies a match in Syslog table from any Domain IOC from TI\",\"lastUpdatedDateUTC\":\"2024-07-09T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/01e8ffff-dc0c-43fe-aa22-d459c4204553\",\"name\":\"01e8ffff-dc0c-43fe-aa22-d459c4204553\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.4\",\"severity\":\"Medium\",\"query\":\"let discord=dynamic([\\\"cdn.discordapp.com\\\", \\\"media.discordapp.com\\\"]);\\n _Im_WebSession(url_has_any=discord, eventresult=\u0027Success\u0027)\\n | where Url has \\\"attachments\\\"\\n | extend DiscordServerId = extract(@\\\"\\\\/attachments\\\\/([0-9]+)\\\\/\\\", 1, Url)\\n | summarize dcount(Url), make_set(SrcUsername), make_set(SrcIpAddr), make_set(Url), min(TimeGenerated), max(TimeGenerated), make_set(EventResult) by DiscordServerId\\n | mv-expand set_SrcUsername to typeof(string), set_Url to typeof(string), set_EventResult to typeof(string), set_SrcIpAddr to typeof(string)\\n | summarize by DiscordServerId, dcount_Url, set_SrcUsername, min_TimeGenerated, max_TimeGenerated, set_EventResult, set_SrcIpAddr, set_Url\\n | project StartTime=min_TimeGenerated, EndTime=max_TimeGenerated, Result=set_EventResult, SourceUser=set_SrcUsername, SourceIP=set_SrcIpAddr, RequestURL=set_Url\\n | where RequestURL has_any (\\\".bin\\\",\\\".exe\\\",\\\".dll\\\",\\\".bin\\\",\\\".msi\\\")\\n | extend AccountName = tostring(split(SourceUser, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(SourceUser, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SourceUser\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"RequestURL\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Discord CDN Risky File Download (ASIM Web Session Schema)\",\"description\":\"Identifies callouts to Discord CDN addresses for risky file extensions. This detection will trigger when a callout for a risky file is made to a discord server that has only been seen once in your environment. \\n Unique discord servers are identified using the server ID that is included in the request URL (DiscordServerId in query). Discord CDN has been used in multiple campaigns to download additional payloads.\\n This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema)\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2022-03-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/508cef41-2cd8-4d40-a519-b04826a9085f\",\"name\":\"508cef41-2cd8-4d40-a519-b04826a9085f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n| where EventID == 1102 and EventSourceName == \\\"Microsoft-Windows-Eventlog\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), EventCount = count() by Computer, Account, EventID, Activity\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| extend AccountName = tostring(split(Account, @\u0027\\\\\u0027)[1]), AccountNTDomain = tostring(split(Account, @\u0027\\\\\u0027)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"NRT Security Event log cleared\",\"description\":\"Checks for event id 1102 which indicates the security event log was cleared.\\nIt uses Event Source Name \\\"Microsoft-Windows-Eventlog\\\" to avoid generating false positives from other sources, like AD FS servers for instance.\",\"lastUpdatedDateUTC\":\"2024-03-13T00:00:00Z\",\"createdDateUTC\":\"2019-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b3cfc7c0-092c-481c-a55b-34a3979758cb\",\"name\":\"b3cfc7c0-092c-481c-a55b-34a3979758cb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Microsoft Cloud App Security\",\"displayName\":\"Create incidents based on Microsoft Cloud App Security alerts\",\"description\":\"Create incidents based on all alerts generated in Microsoft Defender for Cloud Apps\",\"lastUpdatedDateUTC\":\"2019-07-16T00:00:00Z\",\"createdDateUTC\":\"2019-07-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftCloudAppSecurity\",\"dataTypes\":[\"SecurityAlert (MCAS)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9367dff0-941d-44e2-8875-cb48570c7add\",\"name\":\"9367dff0-941d-44e2-8875-cb48570c7add\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"Event\\n| where EventLog =~ \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID in (13)\\n| parse EventData with * \u0027TargetObject\\\"\u003e\u0027 TargetObject \\\"\u003c\\\" * \u0027Details\\\"\u003e\u0027 Details \\\"\u003c\\\" * \\n| where TargetObject has \\\"\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Windows\\\\\\\\AppInit_DLLs\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventID, Computer, TargetObject, Details\\n| extend HostName = iif(Computer has \u0027.\u0027,substring(Computer,0,indexof(Computer,\u0027.\u0027)),Computer) , DnsDomain = iif(Computer has \u0027.\u0027,substring(Computer,indexof(Computer,\u0027.\u0027)+1),\u0027\u0027)\",\"entityMappings\":[{\"entityType\":\"RegistryKey\",\"fieldMappings\":[{\"identifier\":\"Key\",\"columnName\":\"TargetObject\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Registry Persistence via AppInit DLLs Modification\",\"description\":\"Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes. \\nDynamic-link libraries (DLLs) that are specified in the AppInit_DLLs value in the Registry keys HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows or HKEY_LOCAL_MACHINE\\\\Software\\\\Wow6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows are loaded by user32.dll into every process that loads user32.dll. In practice this is nearly every program, since user32.dll is a very common library.\\nRef: https://attack.mitre.org/techniques/T1546/010/\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-03-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/89a86f70-615f-4a79-9621-6f68c50f365f\",\"name\":\"89a86f70-615f-4a79-9621-6f68c50f365f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"let starttime = 7d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet HistThreshold = 25; \\nlet CurrThreshold = 10; \\nlet HistoricalThreats = CommonSecurityLog\\n| where isnotempty(SourceIP)\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where DeviceVendor =~ \\\"Palo Alto Networks\\\"\\n| where Activity =~ \\\"THREAT\\\" and SimplifiedDeviceAction =~ \\\"alert\\\" \\n| where DeviceEventClassID in (\u0027spyware\u0027, \u0027scan\u0027, \u0027file\u0027, \u0027vulnerability\u0027, \u0027flood\u0027, \u0027packet\u0027, \u0027virus\u0027,\u0027wildfire\u0027, \u0027wildfire-virus\u0027)\\n| summarize TotalEvents = count(), ThreatTypes = make_set(DeviceEventClassID), DestinationIpList = make_set(DestinationIP), FirstSeen = min(TimeGenerated) , LastSeen = max(TimeGenerated) by SourceIP, DeviceAction, DeviceVendor;\\nlet CurrentHourThreats = CommonSecurityLog\\n| where isnotempty(SourceIP)\\n| where TimeGenerated \u003e ago(timeframe)\\n| where DeviceVendor =~ \\\"Palo Alto Networks\\\"\\n| where Activity =~ \\\"THREAT\\\" and SimplifiedDeviceAction =~ \\\"alert\\\" \\n| where DeviceEventClassID in (\u0027spyware\u0027, \u0027scan\u0027, \u0027file\u0027, \u0027vulnerability\u0027, \u0027flood\u0027, \u0027packet\u0027, \u0027virus\u0027,\u0027wildfire\u0027, \u0027wildfire-virus\u0027)\\n| summarize TotalEvents = count(), ThreatTypes = make_set(DeviceEventClassID), DestinationIpList = make_set(DestinationIP), FirstSeen = min(TimeGenerated) , LastSeen = max(TimeGenerated) by SourceIP, DeviceAction, DeviceProduct, DeviceVendor;\\nCurrentHourThreats \\n| where TotalEvents \u003c CurrThreshold\\n| join kind = leftanti (HistoricalThreats \\n| where TotalEvents \u003e HistThreshold) on SourceIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]}],\"tactics\":[\"Discovery\",\"Exfiltration\",\"CommandAndControl\"],\"displayName\":\"Palo Alto Threat signatures from Unusual IP addresses\",\"description\":\"Identifies Palo Alto Threat signatures from unusual IP addresses which are not historically seen. \\nThis detection is also leveraged and required for MDE and PAN Fusion scenario\\nhttps://docs.microsoft.com/Azure/sentinel/fusion-scenario-reference#network-request-to-tor-anonymization-service-followed-by-anomalous-traffic-flagged-by-palo-alto-networks-firewall\",\"lastUpdatedDateUTC\":\"2024-11-07T00:00:00Z\",\"createdDateUTC\":\"2022-03-23T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CefAma\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/aac495a9-feb1-446d-b08e-a1164a539452\",\"name\":\"aac495a9-feb1-446d-b08e-a1164a539452\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h; // Look back 1 hour for VMConnection events\\nlet ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators\\nThreatIntelligenceIndicator\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n| where Action == true\\n| where TimeGenerated \u003e= ago(ioc_lookBack)\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true and ExpirationDateTime \u003e now()\\n| join (\\n GitHubAudit\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | extend GitHubAudit_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.IPaddress\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, GitHubAudit_TimeGenerated, TI_ipEntity, IPaddress, Actor, Action, Country, OperationType, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = GitHubAudit_TimeGenerated, IPCustomEntity = IPaddress, AccountCustomEntity = Actor\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"TI map IP entity to GitHub_CL\",\"description\":\"Identifies a match in GitHub_CL table from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2024-07-09T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/79f29feb-6a9d-4cdf-baaa-2daf480a5da1\",\"name\":\"79f29feb-6a9d-4cdf-baaa-2daf480a5da1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Low\",\"query\":\"let timeframe = 1h;\\nlet last1h = CommonSecurityLog\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where isempty(CommunicationDirection)\\n| where DeviceEventClassID == \\\"733100\\\"\\n| extend SourceOfDropRateCount = tostring(split(tostring(split(Message, \\\"]\\\")[0]),\\\"[ \\\")[1])\\n| extend splitMessage = split(Message, \\\".\\\")\\n| extend DropRate = tostring(split(tostring(splitMessage[0]),\\\"] \\\")[1])\\n| extend CurrentBurstRate = split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[0]),\\\"is \\\")\\n| extend CurrentBurstRatePerSec = toint(split(tostring(CurrentBurstRate[1]),\\\" \\\")[0])\\n| extend MaxConfiguredBurstRate = toint(CurrentBurstRate[2])\\n| extend CurrentAvgRate = split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[1]),\\\"is \\\")\\n| extend CurrentAvgRatePerSec = toint(split(tostring(CurrentAvgRate[1]),\\\" \\\")[0])\\n| extend MaxConfiguredAvgRate = toint(CurrentAvgRate[2])\\n| extend CumulativeTotal = toint(split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[2]),\\\"is \\\")[1])\\n| summarize last1hCumTotal = sum(CumulativeTotal), last1hAvgRatePerSec = avg(CurrentAvgRatePerSec), last1hAvgBurstRatePerSec = avg(CurrentBurstRatePerSec) by DeviceName, DeviceEventClassID, SourceIP, SourceOfDropRateCount, DropRate;\\nlet prev6h = CommonSecurityLog\\n| where TimeGenerated between (ago(6h) .. ago(1h))\\n| where isempty(CommunicationDirection)\\n| where DeviceEventClassID == \\\"733100\\\"\\n| extend SourceOfDropRateCount = tostring(split(tostring(split(Message, \\\"]\\\")[0]),\\\"[ \\\")[1])\\n| extend splitMessage = split(Message, \\\".\\\")\\n| extend DropRate = tostring(split(tostring(splitMessage[0]),\\\"] \\\")[1])\\n| extend CurrentBurstRate = split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[0]),\\\"is \\\")\\n| extend prevCurrentBurstRatePerSec = toint(split(tostring(CurrentBurstRate[1]),\\\" \\\")[0])\\n| extend prevMaxConfiguredBurstRate = toint(CurrentBurstRate[2])\\n| extend CurrentAvgRate = split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[1]),\\\"is \\\")\\n| extend prevCurrentAvgRatePerSec = toint(split(tostring(CurrentAvgRate[1]),\\\" \\\")[0])\\n| extend prevMaxConfiguredAvgRate = toint(CurrentAvgRate[2])\\n| extend prevCumulativeTotal = toint(split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[2]),\\\"is \\\")[1])\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), prev6hCumTotal = sum(prevCumulativeTotal), prev6hAvgRatePerSec = avg(prevCurrentAvgRatePerSec), prev6hAvgBurstRatePerSec = avg(prevCurrentBurstRatePerSec)\\nby DeviceName, DeviceEventClassID, SourceIP, SourceOfDropRateCount, DropRate;\\nlast1h | join (\\n prev6h\\n) on DeviceName, DeviceEventClassID, SourceIP, SourceOfDropRateCount, DropRate\\n| project StartTimeUtc, EndTimeUtc, DeviceName, DeviceEventClassID, SourceIP, SourceOfDropRateCount, DropRate, last1hCumTotal, prev6hCumTotal, prev6hAvgCumTotal = prev6hCumTotal/6, last1hAvgRatePerSec, prev6hAvgRatePerSec, last1hAvgBurstRatePerSec, prev6hAvgBurstRatePerSec\\n// Select only events that indicate a doubling of the expected rate in the last hour over the previous 6 hours\\n| where last1hCumTotal \u003e 2*prev6hAvgCumTotal or last1hAvgRatePerSec \u003e 2*prev6hAvgRatePerSec or last1hAvgBurstRatePerSec \u003e 2*prev6hAvgBurstRatePerSec\\n| extend HostName = tostring(split(DeviceName, \\\".\\\")[0]), DomainIndex = toint(indexof(DeviceName, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(DeviceName, DomainIndex + 1), DeviceName)\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DeviceName\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]}],\"tactics\":[\"Discovery\",\"Impact\"],\"displayName\":\"Cisco ASA - average attack detection rate increase\",\"description\":\"This will help you determine if Cisco ASA devices are under heavier attack than normal over the last hour versus the previous 6 hours based on DeviceEventClassID 733100\\nReferences: https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs9.html\\nDetails on how to further troubleshoot/investigate: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113685-asa-threat-detection.html\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/26a3b261-b997-4374-94ea-6c37f67f4f39\",\"name\":\"26a3b261-b997-4374-94ea-6c37f67f4f39\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"asyspy256.ddns.net\\\",\\\"hotkillmail9sddcc.ddns.net\\\",\\\"rosaf112.ddns.net\\\",\\\"cvdfhjh1231.myftp.biz\\\",\\\"sz2016rose.ddns.net\\\",\\\"dffwescwer4325.myftp.biz\\\",\\\"cvdfhjh1231.ddns.net\\\"]);\\nlet SHA1Hash = dynamic ([\\\"53a44c2396d15c3a03723fa5e5db54cafd527635\\\", \\\"9c5e496921e3bc882dc40694f1dcc3746a75db19\\\", \\\"aeb573accfd95758550cf30bf04f389a92922844\\\", \\\"79ef78a797403a4ed1a616c68e07fff868a8650a\\\", \\\"4f6f38b4cec35e895d91c052b1f5a83d665c2196\\\", \\\"1e8c2cac2e4ce7cbd33c3858eb2e24531cb8a84d\\\", \\\"e841a63e47361a572db9a7334af459ddca11347a\\\", \\\"c28f606df28a9bc8df75a4d5e5837fc5522dd34d\\\", \\\"2e94b305d6812a9f96e6781c888e48c7fb157b6b\\\", \\\"dd44133716b8a241957b912fa6a02efde3ce3025\\\", \\\"8793bf166cb89eb55f0593404e4e933ab605e803\\\", \\\"a39b57032dbb2335499a51e13470a7cd5d86b138\\\", \\\"41cc2b15c662bc001c0eb92f6cc222934f0beeea\\\", \\\"d209430d6af54792371174e70e27dd11d3def7a7\\\", \\\"1c6452026c56efd2c94cea7e0f671eb55515edb0\\\", \\\"c6b41d3afdcdcaf9f442bbe772f5da871801fd5a\\\", \\\"4923d460e22fbbf165bbbaba168e5a46b8157d9f\\\", \\\"f201504bd96e81d0d350c3a8332593ee1c9e09de\\\", \\\"ddd2db1127632a2a52943a2fe516a2e7d05d70d2\\\"]);\\nlet SHA256Hash = dynamic ([\\\"9ae7c4a4e1cfe9b505c3a47e66551eb1357affee65bfefb0109d02f4e97c06dd\\\", \\\"7772d624e1aed327abcd24ce2068063da0e31bb1d5d3bf2841fc977e198c6c5b\\\", \\\"657fc7e6447e0065d488a7db2caab13071e44741875044f9024ca843fe4e86b5\\\", \\\"2ef157a97e28574356e1d871abf75deca7d7a1ea662f38b577a06dd039dbae29\\\", \\\"52fd7b90d7144ac448af4008be639d4d45c252e51823f4311011af3207a5fc77\\\", \\\"a370e47cb97b35f1ae6590d14ada7561d22b4a73be0cb6df7e851d85054b1ac3\\\", \\\"5bf80b871278a29f356bd42af1e35428aead20cd90b0c7642247afcaaa95b022\\\", \\\"6f690ccfd54c2b02f0c3cb89c938162c10cbeee693286e809579c540b07ed883\\\", \\\"3c884f776fbd16597c072afd81029e8764dd57ee79d798829ca111f5e170bd8e\\\", \\\"1922a419f57afb351b58330ed456143cc8de8b3ebcbd236d26a219b03b3464d7\\\", \\\"fe0e4ef832b62d49b43433e10c47dc51072959af93963c790892efc20ec422f1\\\", \\\"7ce9e1c5562c8a5c93878629a47fe6071a35d604ed57a8f918f3eadf82c11a9c\\\", \\\"178d5ee8c04401d332af331087a80fb4e5e2937edfba7266f9be34a5029b6945\\\", \\\"51f70956fa8c487784fd21ab795f6ba2199b5c2d346acdeef1de0318a4c729d9\\\", \\\"889bca95f1a69e94aaade1e959ed0d3620531dc0fc563be9a8decf41899b4d79\\\", \\\"332ddaa00e2eb862742cb8d7e24ce52a5d38ffb22f6c8bd51162bd35e84d7ddf\\\", \\\"44bcf82fa536318622798504e8369e9dcdb32686b95fcb44579f0b4efa79df08\\\", \\\"63552772fdd8c947712a2cff00dfe25c7a34133716784b6d486227384f8cf3ef\\\", \\\"056744a3c371b5938d63c396fe094afce8fb153796a65afa5103e1bffd7ca070\\\"]);\\nlet SigNames = dynamic([\\\"TrojanDropper:Win32/BlackMould.A!dha\\\", \\\"Trojan:Win32/BlackMould.B!dha\\\", \\\"Trojan:Win32/QuarkBandit.A!dha\\\", \\\"Trojan:Win32/Sidelod.A!dha\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where isnotempty(FileHash)\\n| where FileHash in (SHA256Hash) or DNSName in~ (DomainNames)\\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n),\\n( _Im_Dns(domain_has_any=DomainNames)\\n| extend DNSName = DnsQuery\\n| extend IPAddress = SrcIpAddr\\n),\\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where isnotempty(DNSName)\\n| where DNSName in~ (DomainNames)\\n| extend IPAddress = RemoteIp\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updataing\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Hashes = EventDetail.[16].[\\\"#text\\\"]\\n| parse Hashes with * \u0027SHA1=\u0027 SHA1 \u0027,\u0027 * \\n| where isnotempty(Hashes)\\n| where Hashes in (SHA1Hash) \\n| extend Account = UserName\\n),\\n(SecurityAlert\\n| where ProductName == \\\"Microsoft Defender Advanced Threat Protection\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| where isnotempty(ThreatName)\\n| where ThreatName has_any (SigNames)\\n| extend Computer = tostring(parse_json(Entities)[0].HostName)\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPAddress = SourceHost\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| project TimeGenerated,Resource, msg_s, Type\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where Request_Name has_any (DomainNames)\\n| extend DNSName = Request_Name\\n| extend IPAddress = ClientIP\\n),\\n(AZFWApplicationRule\\n| where isnotempty(Fqdn)\\n| where Fqdn has_any (DomainNames) \\n| extend DNSName = Fqdn \\n| extend IPAddress = SourceIp\\n),\\n(AZFWDnsQuery\\n| where isnotempty(QueryName)\\n| where QueryName has_any (DomainNames)\\n| extend DNSName = QueryName\\n| extend IPAddress = SourceIp\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"CredentialAccess\"],\"displayName\":\"[Deprecated] - Known Granite Typhoon domains and hashes\",\"description\":\"This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft\u0027s Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2019-12-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\",\"AZFWApplicationRule\",\"AZFWDnsQuery\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a356c8bd-c81d-428b-aa36-83be706be034\",\"name\":\"a356c8bd-c81d-428b-aa36-83be706be034\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"Medium\",\"query\":\"// AADJoined or Register Device Registry Keys\\nlet aadJoinRoot = \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\ControlSet001\\\\\\\\Control\\\\\\\\CloudDomainJoin\\\\\\\\JoinInfo\\\\\\\\\\\";\\nlet aadRegisteredRoot = \\\"\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\WorkplaceJoin\\\";\\n// Transport Key Registry Key\\nlet keyTransportKey = \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\ControlSet001\\\\\\\\Control\\\\\\\\Cryptography\\\\\\\\Ngc\\\\\\\\KeyTransportKey\\\\\\\\\\\";\\n(union isfuzzy=true\\n(\\n// Access to Object Requested\\nSecurityEvent\\n| where EventID == \u00274656\u0027\\n| where EventData has aadJoinRoot or EventData has aadRegisteredRoot\\n| extend EventData = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Computer, EventID)\\n| where ObjectType == \u0027Key\u0027\\n| where ObjectName startswith aadJoinRoot and SubjectLogonId != \u00270x3e7\u0027 //Local System\\n| extend ProcessId = column_ifexists(\\\"ProcessId\\\", \\\"\\\"), Process = split(ProcessName, \u0027\\\\\\\\\u0027, -1)[-1],Account = strcat(SubjectDomainName, \\\"\\\\\\\\\\\", SubjectUserName)\\n| join kind=innerunique (\\n SecurityEvent\\n | where EventID == \u00274656\u0027\\n | where EventData has keyTransportKey\\n | extend EventData = parse_xml(EventData).EventData.Data\\n | mv-expand bagexpansion=array EventData\\n | evaluate bag_unpack(EventData)\\n | extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n | evaluate pivot(Key, any(Value), TimeGenerated, Computer, EventID)\\n | extend ObjectName = column_ifexists(\\\"ObjectName\\\", \\\"\\\"),ObjectType = column_ifexists(\\\"ObjectType\\\", \\\"\\\")\\n | where ObjectType == \u0027Key\u0027\\n | where ObjectName startswith keyTransportKey and SubjectLogonId != \u00270x3e7\u0027 //Local System\\n | extend ProcessId = column_ifexists(\\\"ProcessId\\\", \\\"\\\"), Process = split(ProcessName, \u0027\\\\\\\\\u0027, -1)[-1],Account = strcat(SubjectDomainName, \\\"\\\\\\\\\\\", SubjectUserName)\\n) on $left.Computer == $right.Computer and $left.SubjectLogonId == $right.SubjectLogonId and $left.ProcessId == $right.ProcessId\\n| project TimeGenerated, Computer, Account, SubjectDomainName, SubjectUserName, SubjectLogonId, ObjectName, tostring(Process), ProcessName, ProcessId, EventID\\n),\\n// Accessing Object\\n(\\nSecurityEvent\\n| where EventID == \u00274663\u0027\\n| where ObjectType == \u0027Key\u0027\\n| where (ObjectName startswith aadJoinRoot or ObjectName contains aadRegisteredRoot) and SubjectLogonId != \u00270x3e7\u0027 //Local System\\n| extend Account = SubjectAccount\\n| join kind=innerunique (\\n SecurityEvent\\n | where EventID == \u00274663\u0027\\n | where ObjectType == \u0027Key\u0027\\n | where ObjectName has keyTransportKey and SubjectLogonId != \u00270x3e7\u0027 //Local System\\n | extend Account = SubjectAccount\\n) on $left.Computer == $right.Computer and $left.SubjectLogonId == $right.SubjectLogonId and $left.ProcessId == $right.ProcessId\\n| project TimeGenerated, Computer, Account, SubjectDomainName, SubjectUserName, SubjectLogonId, ObjectName, Process, ProcessName, ProcessId, EventID\\n| extend HostName = tostring(split(Computer, \u0027.\u0027, 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Computer, \u0027.\u0027), 1, -1), \u0027.\u0027))\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"},{\"identifier\":\"Name\",\"columnName\":\"SubjectUserName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"SubjectDomainName\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]}],\"tactics\":[\"Discovery\"],\"displayName\":\"Microsoft Entra ID Local Device Join Information and Transport Key Registry Keys Access\",\"description\":\"This detection uses Windows security events to detect suspicious access attempts by the same process to registry keys that provide information about an Microsoft Entra ID joined or registered devices and Transport keys (tkpub / tkpriv).\\n This information can be used to export the Device Certificate (dkpub / dkpriv) and Transport key (tkpub/tkpriv).\\n These set of keys can be used to impersonate existing Microsoft Entra ID joined devices.\\n This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable objects:\\n HKLM:\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\CloudDomainJoin (Microsoft Entra ID joined devices)\\n HKCU:\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\WorkplaceJoin (Microsoft Entra ID registered devices)\\n HKLM:\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Cryptography\\\\Ngc\\\\KeyTransportKey (Transport Key)\\n Make sure you set the SACL to propagate to its sub-keys. You can find more information in here https://github.com/OTRF/Set-AuditRule/blob/master/rules/registry/aad_connect_health_service_agent.yml\\n Reference: https://o365blog.com/post/deviceidentity/\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-02-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e42e889a-caaf-4dbb-aec6-371b37d64298\",\"name\":\"e42e889a-caaf-4dbb-aec6-371b37d64298\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.5\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n| where OperationName has_any (\\\"Add service principal\\\", \\\"Certificates and secrets management\\\") // captures \\\"Add service principal\\\", \\\"Add service principal credentials\\\", and \\\"Update application - Certificates and secrets management\\\" events\\n| where Result =~ \\\"success\\\"\\n| where tostring(InitiatedBy.user.userPrincipalName) has \\\"@\\\" or tostring(InitiatedBy.app.displayName) has \\\"@\\\"\\n| mv-apply TargetResource = TargetResources on \\n (\\n where TargetResource.type =~ \\\"Application\\\"\\n | extend targetDisplayName = tostring(TargetResource.displayName),\\n targetId = tostring(TargetResource.id),\\n targetType = tostring(TargetResource.type),\\n keyEvents = TargetResource.modifiedProperties\\n )\\n| mv-apply Property = keyEvents on \\n (\\n where Property.displayName =~ \\\"KeyDescription\\\"\\n | extend new_value_set = parse_json(tostring(Property.newValue)),\\n old_value_set = parse_json(tostring(Property.oldValue))\\n )\\n| where old_value_set != \\\"[]\\\"\\n| extend diff = set_difference(new_value_set, old_value_set)\\n| where diff != \\\"[]\\\"\\n| parse diff with * \\\"KeyIdentifier=\\\" keyIdentifier:string \\\",KeyType=\\\" keyType:string \\\",KeyUsage=\\\" keyUsage:string \\\",DisplayName=\\\" keyDisplayName:string \\\"]\\\" *\\n| where keyUsage =~ \\\"Verify\\\"\\n| mv-apply AdditionalDetail = AdditionalDetails on \\n (\\n where AdditionalDetail.key =~ \\\"User-Agent\\\"\\n | extend UserAgent = tostring(AdditionalDetail.value)\\n )\\n| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n| extend InitiatingIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\\n// The below line is currently commented out but Microsoft Sentinel users can modify this query to show only Application or only Service Principal events in their environment\\n//| where targetType =~ \\\"Application\\\" // or targetType =~ \\\"ServicePrincipal\\\"\\n| project-away diff, new_value_set, old_value_set\\n| project-reorder TimeGenerated, OperationName, InitiatingUserPrincipalName, InitiatingAadUserId, InitiatingAppName, InitiatingAppServicePrincipalId, InitiatingIpAddress, UserAgent, targetDisplayName, targetId, targetType, keyDisplayName, keyType, keyUsage, keyIdentifier, CorrelationId, TenantId\\n| extend InitiatedByName = tostring(split(InitiatingUserPrincipalName,\u0027@\u0027,0)[0]), InitiatedByUPNSuffix = tostring(split(InitiatingUserPrincipalName,\u0027@\u0027,1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatedByName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatedByUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"InitiatingAppName\"},{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAppServicePrincipalId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIpAddress\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"NRT New access credential added to Application or Service Principal\",\"description\":\"This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where a verify KeyCredential was already present for the app.\\nIf a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2024-03-06T00:00:00Z\",\"createdDateUTC\":\"2020-11-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ae10c588-7ff7-486c-9920-ab8b0bdb6ede\",\"name\":\"ae10c588-7ff7-486c-9920-ab8b0bdb6ede\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT12H\",\"queryPeriod\":\"PT12H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Mercury_August2022.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\nlet IPList = (iocs | where Type =~ \\\"ip\\\"| project IoC);\\nlet domains = (iocs | where Type =~ \\\"domainname\\\"| project IoC);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or DestinationHostName has_any (domains) or RequestURL has_any (domains) or Message has_any (IPList)\\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| project TimeGenerated, SourceIP, DestinationIP, Message, SourceUserID, RequestURL, DNSName, Type\\n| extend MessageIP = extract(IPRegex, 0, Message), RequestIP = extract(IPRegex, 0, RequestURL)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", RequestURL has_any (domains), \\\"RequestUrl\\\", \\\"NoMatch\\\")\\n| extend IPAddress = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, \\\"NoMatch\\\")\\n| extend AccountName = tostring(split(SourceUserID, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(SourceUserID, \\\"@\\\")[1])\\n),\\n(DnsEvents\\n| where IPAddresses in (IPList) or Name in~ (domains)\\n| project TimeGenerated, Computer, IPAddresses, Name, ClientIP, Type\\n| extend IPAddress = IPAddresses, DNSName = Name, Computer\\n),\\n(VMConnection\\n| where SourceIp in (IPList) or DestinationIp in (IPList) or RemoteDnsCanonicalNames has_any (domains)\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| project TimeGenerated, Computer, Direction, ProcessName, SourceIp, DestinationIp, DestinationPort, RemoteDnsQuestions, DNSName,BytesSent, BytesReceived, RemoteCountry, Type\\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend IPAddress = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"NoMatch\\\"), File = ProcessName\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = tostring(EventDetail.[9].[\\\"#text\\\"]), DestinationIP = tostring(EventDetail.[14].[\\\"#text\\\"]), Image = tostring(EventDetail.[4].[\\\"#text\\\"])\\n| where SourceIP in (IPList) or DestinationIP in (IPList)\\n| project TimeGenerated, SourceIP, DestinationIP, Image, UserName, Computer, Type\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\")\\n| extend AccountNT = UserName, File = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), IPAddress = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n), \\n(OfficeActivity\\n| where ClientIP in (IPList) \\n| project TimeGenerated, UserAgent, Operation, RecordType, UserId, ClientIP, Type\\n| extend IPAddress = ClientIP, AccountUPN = UserId, AccountUPNName = tostring(split(UserId, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(UserId, \\\"@\\\")[1])\\n),\\n(DeviceNetworkEvents\\n| where RemoteUrl has_any (domains) or RemoteIP in (IPList) or InitiatingProcessSHA256 in (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, Computer = DeviceName, InitiatingProcessSHA256, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort, LocalIP, Type\\n| extend IPAddress = RemoteIP, FileHash = InitiatingProcessSHA256\\n| extend AccountUPN = InitiatingProcessAccountName, AccountUPNName = tostring(split(InitiatingProcessAccountName, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(InitiatingProcessAccountName, \\\"@\\\")[1])\\n),\\n(WindowsFirewall\\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| project TimeGenerated, Computer, CommunicationDirection, SourceIP, DestinationIP, SourcePort, DestinationPort, Type\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\")\\n| extend IPAddress = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) or DestinationHost has_any (domains) \\n| extend DNSName = DestinationHost, IPAddress = SourceHost\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallNetworkRule\\\"\\n| where msg_s has_any (IPList)\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePortInt:int \\\" to \\\" TargetIP \\\":\\\" TargetPortInt:int *\\n| parse kind=regex flags=U msg_s with * \\\". Action\\\\\\\\: \\\" Action1a \\\"\\\\\\\\.\\\"\\n| parse msg_s with * \\\". Policy: \\\" Policy \\\". Rule Collection Group: \\\" RuleCollectionGroup \\\".\\\" *\\n| parse msg_s with * \\\" Rule Collection: \\\" RuleCollection \\\". Rule: \\\" Rule \\n| extend IPAddress = SourceIP\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| where msg_s has_any (domains)\\n| parse msg_s with \\\"DNS Request: \\\" SourceIP \\\":\\\" SourcePortInt:int \\\" - \\\" QueryID:int \\\" \\\" RequestType \\\" \\\" RequestClass \\\" \\\" hostname \\\". \\\" protocol \\\" \\\" details\\n| extend\\n ResponseDuration = extract(\\\"[0-9]*.?[0-9]+s$\\\", 0, msg_s),\\n SourcePort = tostring(SourcePortInt),\\n QueryID = tostring(QueryID)\\n| project TimeGenerated,SourceIP,hostname,RequestType,ResponseDuration,details,msg_s\\n| extend IPAddress = SourceIP\\n),\\n(AZFWApplicationRule\\n| where Fqdn has_any (domains) or Fqdn has_any (IPList)\\n| extend IPAddress = SourceIp\\n),\\n(AZFWDnsQuery\\n| where isnotempty(QueryName)\\n| where QueryName has_any (domains)\\n| extend DNSName = QueryName, IPAddress = SourceIp\\n),\\n(AZFWNetworkRule\\n| where DestinationIp has_any (IPList)\\n| extend IPAddress = SourceIp\\n),\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, SourceUserID, FileHash, Type\\n| extend Algorithm = \\\"SHA256\\\", FileHash = tostring(FileHash), AccountUPN = SourceUserID, AccountUPNName = tostring(split(SourceUserID, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(SourceUserID, \\\"@\\\")[1])\\n),\\n(imFileEvent\\n| where TargetFileSHA256 has_any (sha256Hashes)\\n| extend AccountNT = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, AccountNT, IPAddress, CommandLine, FileHash, Algorithm = \\\"SHA256\\\"\\n),\\n(DeviceFileEvents\\n| where SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, Computer = DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend Algorithm = \\\"SHA256\\\", FileHash = tostring(InitiatingProcessSHA256), CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n| extend AccountUPN = InitiatingProcessAccountName, AccountUPNName = tostring(split(InitiatingProcessAccountName, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(InitiatingProcessAccountName, \\\"@\\\")[1])\\n),\\n(DeviceImageLoadEvents\\n| where SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, Computer = DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend Algorithm = \\\"SHA256\\\", FileHash = tostring(InitiatingProcessSHA256), CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n| extend AccountUPN = InitiatingProcessAccountName, AccountUPNName = tostring(split(InitiatingProcessAccountName, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(InitiatingProcessAccountName, \\\"@\\\")[1])\\n),\\n(Event\\n| where Source =~ \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Image = EventDetail.[4].[\\\"#text\\\"], CommandLine = EventDetail.[10].[\\\"#text\\\"], Hashes = tostring(EventDetail.[17].[\\\"#text\\\"])\\n| extend Hashes = extract_all(@\\\"(?P\u003ckey\u003e\\\\w+)=(?P\u003cvalue\u003e[a-zA-Z0-9]+)\\\", dynamic([\\\"key\\\",\\\"value\\\"]), Hashes)\\n| extend Hashes = column_ifexists(\\\"Hashes\\\", dynamic([\\\"\\\", \\\"\\\"])), CommandLine = column_ifexists(\\\"CommandLine\\\", \\\"\\\")\\n| mv-expand Hashes\\n| where Hashes[0] =~ \\\"SHA256\\\" and Hashes[1] has_any (sha256Hashes) \\n| project TimeGenerated, EventDetail, AccountNT = UserName, Computer, Type, Source, Hashes, CommandLine, Image\\n| extend Type = strcat(Type, \\\": \\\", Source), FileHash = tostring(Hashes[1]), Algorithm = tostring(Hashes[0])\\n)\\n)\\n| extend AccountNTName = tostring(split(AccountNT, \\\"\\\\\\\\\\\")[1]), AccountNTDomain = tostring(split(AccountNT, \\\"\\\\\\\\\\\")[0])\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| project-away DomainIndex\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountUPN\"},{\"identifier\":\"Name\",\"columnName\":\"AccountUPNName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountNT\"},{\"identifier\":\"Name\",\"columnName\":\"AccountNTName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"Algorithm\"},{\"identifier\":\"Value\",\"columnName\":\"FileHash\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Mercury - Domain, Hash and IP IOCs - August 2022\",\"description\":\"Identifies a match across various data feeds for domains, hashes and IP IOC related to Mercury\\n Reference: https://www.microsoft.com/security/blog/2022/08/25/mercury-leveraging-log4j-2-vulnerabilities-in-unpatched-systems-to-target-israeli-organizations/\",\"lastUpdatedDateUTC\":\"2023-12-28T00:00:00Z\",\"createdDateUTC\":\"2022-08-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceFileEvents\",\"DeviceImageLoadEvents\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\",\"AZFWApplicationRule\",\"AZFWDnsQuery\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7808c05a-3afd-4d13-998a-a59e2297693f\",\"name\":\"7808c05a-3afd-4d13-998a-a59e2297693f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"// Creating a list of successful sign-in by users in the last 7 days.\\nlet KnownUserCountry = (\\nSigninLogs\\n| where TimeGenerated between (ago(7d) .. ago(1d) ) \\n| where ResultType == 0\\n| summarize KnownCountry = make_set(Location,1048576) by UserPrincipalName\\n);\\n// Identify sign-ins that are no successful but have the auth details indicating a correct password.\\nSigninLogs\\n| where TimeGenerated \u003e= ago(1d)\\n| where ResultType != 0\\n| extend ParseAuth = parse_json(AuthenticationDetails)\\n| extend AuthMethod = tostring(ParseAuth.[0].authenticationMethod),\\n PasswordResult = tostring(ParseAuth.[0].authenticationStepResultDetail),\\n AuthSucceeded = tostring(ParseAuth.[0].succeeded)\\n| where PasswordResult == \\\"Correct Password\\\" or AuthSucceeded == \\\"true\\\"\\n| where AuthMethod == \\\"Password\\\"\\n| extend failureReason = tostring(Status.failureReason)\\n| summarize NewCountry = make_set(Location,1048576), LastObservedTime = max(TimeGenerated), AppName = make_set(AppDisplayName,1048576) by UserPrincipalName, PasswordResult, AuthSucceeded, failureReason\\n// Combining both tables by user\\n| join kind=inner KnownUserCountry on UserPrincipalName\\n// Compare both arrays and identify if the country has been observed in the past.\\n| extend CountryDiff = set_difference(NewCountry,KnownCountry)\\n| extend CountryDiffCount = array_length(CountryDiff)\\n// Count the new column to only alert if there is a difference between both arrays\\n| where CountryDiffCount != 0\\n| extend NewCountryEvent = CountryDiff\\n// Getting UserName and Domain\\n| extend Name = split(UserPrincipalName,\\\"@\\\",0),\\n Domain = split(UserPrincipalName,\\\"@\\\",1)\\n| mv-expand Name,Domain\",\"customDetails\":{\"LastObservedTime\":\"LastObservedTime\",\"AppName\":\"AppName\",\"NewCountryEvent\":\"NewCountryEvent\",\"PasswordResult\":\"PasswordResult\",\"AuthSucceeded\":\"AuthSucceeded\",\"failureReason\":\"failureReason\"},\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"NTDomain\",\"columnName\":\"Domain\"}]}],\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"New country signIn with correct password\",\"description\":\"Identifies an interrupted sign-in session from a country the user has not sign-in before in the last 7 days, where the password was correct. Although the session is interrupted by other controls such as multi factor authentication or conditional access policies, the user credentials should be reset due to logs indicating a correct password was observed during sign-in.\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2023-05-09T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0bd65651-1404-438b-8f63-eecddcec87b4\",\"name\":\"0bd65651-1404-438b-8f63-eecddcec87b4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.3\",\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\n// Adjust for a longer timeframe for identifying ADFS Servers\\nlet lookback = 6d;\\n// Identify ADFS Servers\\nlet ADFS_Servers = ( union isfuzzy=true\\n( Event\\n| where TimeGenerated \u003e ago(timeframe+lookback)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key=tostring([\u0027@Name\u0027]), Value=[\u0027#text\u0027]\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| extend process = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n| where process =~ \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n),\\n( SecurityEvent\\n| where TimeGenerated \u003e ago(timeframe+lookback)\\n| where EventID == 4688 and SubjectLogonId != \\\"0x3e4\\\"\\n| where ProcessName has \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n),\\n(WindowsEvent\\n| where TimeGenerated \u003e ago(timeframe+lookback)\\n| where EventID == 4688 and EventData has \\\"0x3e4\\\" and EventData has \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| extend SubjectLogonId = tostring(EventData.SubjectLogonId)\\n| where SubjectLogonId != \\\"0x3e4\\\"\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| where ProcessName has \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n)\\n| distinct Computer);\\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where EventID == 4688\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Computer in~ (ADFS_Servers)\\n| where ParentProcessName has \u0027wmiprvse.exe\u0027\\n// Looking for rundll32.exe is based on intel from the blog linked in the description\\n// This can be commented out or altered to filter out known internal uses\\n| where CommandLine has_any (\u0027rundll32\u0027) \\n| project TimeGenerated, TargetAccount, CommandLine, Computer, Account, TargetLogonId\\n| extend timestamp = TimeGenerated\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| extend AccountName = tostring(split(Account, \\\"\\\\\\\\\\\")[0]), AccountNTDomain = tostring(split(Account, \\\"\\\\\\\\\\\")[1])\\n// Search for recent logons to identify lateral movement\\n| join kind= inner\\n(SecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where EventID == 4624 and LogonType == 3\\n| where Account !endswith \\\"$\\\"\\n| project TargetLogonId\\n) on TargetLogonId\\n),\\n(\\nWindowsEvent\\n| where EventID == 4688\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Computer in~ (ADFS_Servers)\\n| where EventData has \u0027wmiprvse.exe\u0027 and EventData has_any (\u0027rundll32\u0027) \\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| where ParentProcessName has \u0027wmiprvse.exe\u0027\\n// Looking for rundll32.exe is based on intel from the blog linked in the description\\n// This can be commented out or altered to filter out known internal uses\\n| extend CommandLine = tostring(EventData.CommandLine)\\n| where CommandLine has_any (\u0027rundll32\u0027) \\n| extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| extend Account = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| extend TargetLogonId = tostring(EventData.TargetLogonId)\\n| project TimeGenerated, TargetAccount, CommandLine, Computer, Account, TargetLogonId\\n| extend timestamp = TimeGenerated\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| extend AccountName = tostring(split(Account, \\\"\\\\\\\\\\\")[0]), AccountNTDomain = tostring(split(Account, \\\"\\\\\\\\\\\")[1])\\n// Search for recent logons to identify lateral movement\\n| join kind= inner\\n(WindowsEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where EventID == 4624 \\n| extend LogonType = tostring(EventData.LogonType)\\n| where LogonType == 3\\n| extend Account = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| where Account !endswith \\\"$\\\"\\n| extend TargetLogonId = tostring(EventData.TargetLogonId)\\n| project TargetLogonId\\n) on TargetLogonId\\n),\\n(\\nEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n// Check for WMI Events\\n| where Computer in~ (ADFS_Servers) and EventID in (19, 20, 21)\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key=tostring([\u0027@Name\u0027]), Value=[\u0027#text\u0027]\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| project TimeGenerated, EventType, Image, Computer, UserName\\n| extend timestamp = TimeGenerated\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| extend AccountName = tostring(split(UserName, \\\"\\\\\\\\\\\")[0]), AccountNTDomain = tostring(split(UserName, \\\"\\\\\\\\\\\")[1])\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserName\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"LateralMovement\"],\"displayName\":\"Gain Code Execution on ADFS Server via Remote WMI Execution\",\"description\":\"This query detects instances where an attacker has gained the ability to execute code on an ADFS Server through remote WMI Execution.\\nIn order to use this query you need to be collecting Sysmon EventIDs 19, 20, and 21.\\nIf you do not have Sysmon data in your workspace this query will raise an error stating:\\n Failed to resolve scalar expression named \\\"[@Name]\\\"\\nFor more on how WMI was used in Solorigate see https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/.\\nThe query contains some features from the following detections to look for potentially malicious ADFS activity. See them for more details.\\n- ADFS Key Export (Sysmon): https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/ADFSKeyExportSysmon.yaml\\n- ADFS DKM Master Key Export: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ADFS-DKM-MasterKey-Export.yaml\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2021-02-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/22a320c2-e1e5-4c74-a35b-39fc9cdcf859\",\"name\":\"22a320c2-e1e5-4c74-a35b-39fc9cdcf859\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n| where OperationName=~ \\\"Update user\\\" \\n| where Result =~ \\\"success\\\" \\n| mv-expand TargetResources \\n| mv-expand TargetResources.modifiedProperties \\n| extend displayName = tostring(TargetResources_modifiedProperties.displayName), \\nTargetUPN_oldValue = tostring(parse_json(tostring(TargetResources_modifiedProperties.oldValue))[0]), \\nTargetUPN_newValue = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue))[0])\\n| where displayName == \\\"UserPrincipalName\\\" and TargetUPN_oldValue !has \\\"#EXT\\\" and TargetUPN_newValue has \\\"#EXT\\\"\\n| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n| extend InitiatingIPAddress = tostring(InitiatedBy.user.ipAddress)\\n| extend InitiatedBy = tostring(iff(isnotempty(InitiatingUserPrincipalName),InitiatingUserPrincipalName, InitiatingAppName))\\n| summarize arg_max(TimeGenerated, *) by CorrelationId\\n| project-reorder TimeGenerated, InitiatedBy, InitiatingAppName, InitiatingAppServicePrincipalId, InitiatingUserPrincipalName, InitiatingAadUserId, InitiatingIPAddress, TargetUPN_oldValue, TargetUPN_newValue\\n| extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[1])\\n| extend TargetAccountName = tostring(split(TargetUPN_oldValue, \\\"@\\\")[0]), TargetUPNSuffix = tostring(split(TargetUPN_oldValue, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"InitiatingAppName\"},{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAppServicePrincipalId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatingAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatingAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUPN_oldValue\"},{\"identifier\":\"Name\",\"columnName\":\"TargetAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"TargetUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIPAddress\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Suspicious linking of existing user to external User\",\"description\":\" This query will detect when an attempt is made to update an existing user and link it to an guest or external identity. These activities are unusual and such linking of external \\nidentities should be investigated. In some cases you may see internal Entra ID sync accounts (Sync_) do this which may be benign\",\"lastUpdatedDateUTC\":\"2023-12-30T00:00:00Z\",\"createdDateUTC\":\"2022-08-09T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/03e04c97-8cae-48b3-9d2f-4ab262e4ffff\",\"name\":\"03e04c97-8cae-48b3-9d2f-4ab262e4ffff\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"let scriptExtensions = dynamic([\\\".php\\\", \\\".jsp\\\", \\\".js\\\", \\\".aspx\\\", \\\".asmx\\\", \\\".asax\\\", \\\".cfm\\\", \\\".shtml\\\"]);\\nhttp_proxy_oab_CL\\n| where RawData contains \\\"Download failed and temporary file\\\"\\n| extend File = extract(\\\"([^\\\\\\\\\\\\\\\\]*)(\\\\\\\\\\\\\\\\[^\u0027]*)\\\",2,RawData)\\n| extend Extension = strcat(\\\".\\\",split(File, \\\".\\\")[-1])\\n| extend InteractiveFile = iif(Extension in (scriptExtensions), \\\"Yes\\\", \\\"No\\\")\\n// Uncomment the following line to alert only on interactive file download type\\n//| where InteractiveFile =~ \\\"Yes\\\"\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Silk Typhoon Suspicious File Downloads.\",\"description\":\"This query looks for messages related to file downloads of suspicious file types. This query uses the Exchange HttpProxy AOBGeneratorLog, you will need to onboard this log as a custom log under the table http_proxy_oab_CL before using this query. \\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-02T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/95407904-0131-4918-bc49-ebf282ce149a\",\"name\":\"95407904-0131-4918-bc49-ebf282ce149a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"High\",\"query\":\"let IPList = dynamic([\\\"135.125.147.170:80\\\",\\\"185.244.129.79:63047\\\",\\\"185.244.129.79:80\\\",\\\"45.80.149.108:63047\\\",\\\"45.80.149.108:80\\\",\\\"45.80.149.57:63047\\\",\\\"45.80.149.68:63047\\\",\\\"45.80.149.71:80\\\",\\\"185.244.129.109\\\",\\\"172.96.188.51\\\",\\\"51.83.246.73\\\"]); \\n(union isfuzzy=true \\n(CommonSecurityLog \\n| where isnotempty(SourceIP) or isnotempty(DestinationIP) \\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList) \\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"Message\\\") \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch \\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\") \\n), \\n(OfficeActivity \\n|extend SourceIPAddress = ClientIP, Account = UserId \\n| where SourceIPAddress in (IPList) \\n| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account \\n),\\n(_Im_Dns (response_has_any_prefix=IPList)\\n| extend DestinationIPAddress = ResponseName, Host = SrcIpAddr \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host \\n), \\n(_Im_NetworkSession (srcipaddr_has_any_prefix=IPList)\\n | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Hostname, AccountCustomEntity=User\\n), \\n(_Im_NetworkSession (dstipaddr_has_any_prefix=IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = DstIpAddr, HostCustomEntity = Hostname , AccountCustomEntity = User\\n), \\n(WireData \\n| where isnotempty(RemoteIP) \\n| where RemoteIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer \\n), \\n(SigninLogs \\n| where isnotempty(IPAddress) \\n| where IPAddress in (IPList) \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \\n),\\n(AADNonInteractiveUserSignInLogs \\n| where isnotempty(IPAddress) \\n| where IPAddress in (IPList) \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \\n), \\n(W3CIISLog \\n| where isnotempty(cIP) \\n| where cIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName \\n), \\n(AzureActivity \\n| where isnotempty(CallerIpAddress) \\n| where CallerIpAddress in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller \\n), \\n( \\nAWSCloudTrail \\n| where isnotempty(SourceIpAddress) \\n| where SourceIpAddress in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName \\n), \\n( \\nDeviceNetworkEvents \\n| where isnotempty(RemoteIP) \\n| where RemoteIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName \\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallNetworkRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n),\\n(AZFWNetworkRule\\n| where isnotempty(DestinationIp)\\n| where DestinationIp has_any (IPList) \\n| extend DestinationIP = DestinationIp \\n| extend IPCustomEntity = SourceIp\\n),\\n(AZFWApplicationRule\\n| where isnotempty(Fqdn)\\n| where Fqdn has_any (IPList) \\n| extend DestinationIP = Fqdn \\n| extend IPCustomEntity = SourceIp\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"[Deprecated] - Known Plaid Rain IP\",\"description\":\"This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft\u0027s Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2020-11-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AzureMonitor(WireData)\",\"dataTypes\":[\"WireData\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\",\"AZFWApplicationRule\",\"AZFWNetworkRule\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/acc4c247-aaf7-494b-b5da-17f18863878a\",\"name\":\"acc4c247-aaf7-494b-b5da-17f18863878a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"let queryfrequency = 1h;\\nlet queryperiod = 1d;\\nAuditLogs\\n| where TimeGenerated \u003e ago(queryperiod)\\n| where OperationName in (\\\"Invite external user\\\", \\\"Bulk invite users - started (bulk)\\\", \\\"Invite external user with reset invitation status\\\")\\n| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n| extend InitiatingIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\\n| extend InitiatedBy = iff(isnotempty(InitiatingUserPrincipalName), InitiatingUserPrincipalName, InitiatingAppName)\\n// Uncomment the following line to filter events where the inviting user was a guest user\\n//| where InitiatedBy has_any (\\\"live.com#\\\", \\\"#EXT#\\\")\\n| mv-apply TargetResource = TargetResources on \\n (\\n where TargetResource.type =~ \\\"User\\\"\\n | extend InvitedUser = tostring(TargetResource.userPrincipalName)\\n )\\n| mv-expand UserToCompare = pack_array(InitiatedBy, InvitedUser) to typeof(string)\\n| where UserToCompare has_any (\\\"live.com#\\\", \\\"#EXT#\\\")\\n| extend\\n parsedUser = replace_string(tolower(iff(UserToCompare startswith \\\"live.com#\\\", tostring(split(UserToCompare, \\\"#\\\")[1]), tostring(split(UserToCompare, \\\"#EXT#\\\")[0]))), \\\"@\\\", \\\"_\\\"),\\n InvitationTime = TimeGenerated\\n| join (\\n (union isfuzzy=true SigninLogs, AADNonInteractiveUserSignInLogs)\\n | where TimeGenerated \u003e ago(queryfrequency)\\n | where UserType != \\\"Member\\\"\\n | where AppId has_any // This web may contain a list of these apps: https://msshells.net/\\n (\\\"1b730954-1685-4b74-9bfd-dac224a7b894\\\",// Azure Active Directory PowerShell\\n \\\"04b07795-8ddb-461a-bbee-02f9e1bf7b46\\\",// Microsoft Azure CLI\\n \\\"1950a258-227b-4e31-a9cf-717495945fc2\\\",// Microsoft Azure PowerShell\\n \\\"a0c73c16-a7e3-4564-9a95-2bdf47383716\\\",// Microsoft Exchange Online Remote PowerShell\\n \\\"fb78d390-0c51-40cd-8e17-fdbfab77341b\\\",// Microsoft Exchange REST API Based Powershell\\n \\\"d1ddf0e4-d672-4dae-b554-9d5bdfd93547\\\",// Microsoft Intune PowerShell\\n \\\"9bc3ab49-b65d-410a-85ad-de819febfddc\\\",// Microsoft SharePoint Online Management Shell\\n \\\"12128f48-ec9e-42f0-b203-ea49fb6af367\\\",// MS Teams Powershell Cmdlets\\n \\\"23d8f6bd-1eb0-4cc2-a08c-7bf525c67bcd\\\",// Power BI PowerShell\\n \\\"31359c7f-bd7e-475c-86db-fdb8c937548e\\\",// PnP Management Shell\\n \\\"90f610bf-206d-4950-b61d-37fa6fd1b224\\\",// Aadrm Admin Powershell\\n \\\"14d82eec-204b-4c2f-b7e8-296a70dab67e\\\",// Microsoft Graph PowerShell\\n \\\"9cee029c-6210-4654-90bb-17e6e9d36617\\\" // Power Platform CLI - pac\\\"\\n )\\n | summarize arg_min(TimeGenerated, *) by UserPrincipalName\\n | extend\\n parsedUser = replace_string(UserPrincipalName, \\\"@\\\", \\\"_\\\"),\\n SigninTime = TimeGenerated\\n )\\n on parsedUser\\n| project InvitationTime, InitiatedBy, InitiatingUserPrincipalName, InitiatingAadUserId, InitiatingAppName, InitiatingAppServicePrincipalId, InitiatingIpAddress, OperationName, InvitedUser, SigninTime, SigninCategory = Category1, SigninUserPrincipalName = UserPrincipalName, AppDisplayName, ResourceDisplayName, UserAgent, InvitationAdditionalDetails = AdditionalDetails, InvitationTargetResources = TargetResources\\n| extend InvitedUserName = tostring(split(InvitedUser,\u0027@\u0027,0)[0]), InvitedUserUPNSuffix = tostring(split(InvitedUser,\u0027@\u0027,1)[0]), \\n InitiatedByName = tostring(split(InitiatingUserPrincipalName,\u0027@\u0027,0)[0]), InitiatedByUPNSuffix = tostring(split(InitiatingUserPrincipalName,\u0027@\u0027,1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InvitedUser\"},{\"identifier\":\"Name\",\"columnName\":\"InvitedUserName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InvitedUserUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatedByName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatedByUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAppServicePrincipalId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIpAddress\"}]}],\"tactics\":[\"InitialAccess\",\"Persistence\",\"Discovery\"],\"displayName\":\"External guest invitation followed by Microsoft Entra ID PowerShell signin\",\"description\":\"By default guests have capability to invite more external guest users, guests also can do suspicious Microsoft Entra ID enumeration. This detection look at guest users, who have been invited or have invited recently, who also are logging via various PowerShell CLI.\\nRef : \u0027https://danielchronlund.com/2021/11/18/scary-azure-ad-tenant-enumeration-using-regular-b2b-guest-accounts/\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2021-11-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c094384d-7ea7-4091-83be-18706ecca981\",\"name\":\"c094384d-7ea7-4091-83be-18706ecca981\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.5\",\"severity\":\"Low\",\"query\":\"let minersDomains=dynamic([\\\"monerohash.com\\\", \\\"do-dear.com\\\", \\\"xmrminerpro.com\\\", \\\"secumine.net\\\", \\\"xmrpool.com\\\", \\\"minexmr.org\\\", \\\"hashanywhere.com\\\", \\n\\\"xmrget.com\\\", \\\"mininglottery.eu\\\", \\\"minergate.com\\\", \\\"moriaxmr.com\\\", \\\"multipooler.com\\\", \\\"moneropools.com\\\", \\\"xmrpool.eu\\\", \\\"coolmining.club\\\", \\n\\\"supportxmr.com\\\", \\\"minexmr.com\\\", \\\"hashvault.pro\\\", \\\"xmrpool.net\\\", \\\"crypto-pool.fr\\\", \\\"xmr.pt\\\", \\\"miner.rocks\\\", \\\"walpool.com\\\", \\\"herominers.com\\\", \\n\\\"gntl.co.uk\\\", \\\"semipool.com\\\", \\\"coinfoundry.org\\\", \\\"cryptoknight.cc\\\", \\\"fairhash.org\\\", \\\"baikalmine.com\\\", \\\"tubepool.xyz\\\", \\\"fairpool.xyz\\\", \\\"asiapool.io\\\", \\n\\\"coinpoolit.webhop.me\\\", \\\"nanopool.org\\\", \\\"moneropool.com\\\", \\\"miner.center\\\", \\\"prohash.net\\\", \\\"poolto.be\\\", \\\"cryptoescrow.eu\\\", \\\"monerominers.net\\\", \\\"cryptonotepool.org\\\", \\n\\\"extrmepool.org\\\", \\\"webcoin.me\\\", \\\"kippo.eu\\\", \\\"hashinvest.ws\\\", \\\"monero.farm\\\", \\\"supportxmr.com\\\", \\\"xmrpool.eu\\\", \\\"linux-repository-updates.com\\\", \\\"1gh.com\\\", \\n\\\"dwarfpool.com\\\", \\\"hash-to-coins.com\\\", \\\"hashvault.pro\\\", \\\"pool-proxy.com\\\", \\\"hashfor.cash\\\", \\\"fairpool.cloud\\\", \\\"litecoinpool.org\\\", \\\"mineshaft.ml\\\", \\\"abcxyz.stream\\\", \\n\\\"moneropool.ru\\\", \\\"cryptonotepool.org.uk\\\", \\\"extremepool.org\\\", \\\"extremehash.com\\\", \\\"hashinvest.net\\\", \\\"unipool.pro\\\", \\\"crypto-pools.org\\\", \\\"monero.net\\\", \\n\\\"backup-pool.com\\\", \\\"mooo.com\\\", \\\"freeyy.me\\\", \\\"cryptonight.net\\\", \\\"shscrypto.net\\\"]);\\n_Im_Dns(domain_has_any=minersDomains)\\n| extend HostName = tostring(split(Dvc, \\\".\\\")[0]), DomainIndex = toint(indexof(Dvc, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Dvc, DomainIndex + 1), Dvc)\\n| project-away DomainIndex\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Dvc\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"_ResourceId\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"DNS events related to mining pools (ASIM DNS Schema)\",\"description\":\"Identifies IP addresses that may be performing DNS lookups associated with common currency mining pools.\\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema\",\"lastUpdatedDateUTC\":\"2024-01-03T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/25a7f951-54b7-4cf5-9862-ebc04306c590\",\"name\":\"25a7f951-54b7-4cf5-9862-ebc04306c590\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let known_users = (AuditLogs\\n | where TimeGenerated between(ago(14d)..ago(1d))\\n | where OperationName has \\\"conditional access policy\\\"\\n | where Result =~ \\\"success\\\"\\n | extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n | summarize by InitiatingUserPrincipalName);\\n AuditLogs\\n | where TimeGenerated \u003e ago(1d)\\n | where OperationName has \\\"conditional access policy\\\"\\n | where Result =~ \\\"success\\\"\\n | extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n | extend InitiatingAppId = tostring(InitiatedBy.app.appId)\\n | extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n | extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n | extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n | extend InitiatingIPAddress = tostring(InitiatedBy.user.ipAddress)\\n | extend CAPolicyName = tostring(TargetResources[0].displayName)\\n | where InitiatingUserPrincipalName !in (known_users)\\n | extend NewPolicyValues = TargetResources[0].modifiedProperties[0].newValue\\n | extend OldPolicyValues = TargetResources[0].modifiedProperties[0].oldValue\\n | extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[1])\\n | project-reorder TimeGenerated, OperationName, CAPolicyName, InitiatingAppId, InitiatingAppName, InitiatingAppServicePrincipalId, InitiatingUserPrincipalName, InitiatingAadUserId, InitiatingIPAddress, NewPolicyValues, OldPolicyValues\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatingAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatingAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIPAddress\"}]},{\"entityType\":\"CloudApplication\",\"fieldMappings\":[{\"identifier\":\"AppId\",\"columnName\":\"InitiatingAppId\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatingAppName\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Conditional Access Policy Modified by New User\",\"description\":\"Detects a Conditional Access Policy being modified by a user who has not modified a policy in the last 14 days.\\n A threat actor may try to modify policies to weaken the security controls in place.\\n Investigate any change to ensure they are approved.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-infrastructure#conditional-access\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/faf1a6ff-53b5-4f92-8c55-4b20e9957594\",\"name\":\"faf1a6ff-53b5-4f92-8c55-4b20e9957594\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"High\",\"query\":\"SecurityEvent\\n// Look for specific Directory Service Changes and parse data\\n| where EventID == 5136\\n| extend EventData = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion = array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value),TimeGenerated, EventID, Computer, Account, AccountType, EventSourceName, Activity, SubjectAccount)\\n// Where changes relate to Exchange OAB\\n| extend ObjectClass = column_ifexists(\\\"ObjectClass\\\", \\\"\\\")\\n| where ObjectClass =~ \\\"msExchOABVirtualDirectory\\\"\\n// Look for InternalHostName or ExternalHostName properties being changed\\n| extend AttributeLDAPDisplayName = column_ifexists(\\\"AttributeLDAPDisplayName\\\", \\\"\\\")\\n| where AttributeLDAPDisplayName in~ (\\\"msExchExternalHostName\\\", \\\"msExchInternalHostName\\\")\\n// Look for suspected webshell activity\\n| extend AttributeValue = column_ifexists(\\\"AttributeValue\\\", \\\"\\\")\\n| where AttributeValue has \\\"script\\\"\\n| project-rename LastSeen = TimeGenerated\\n| extend ObjectDN = column_ifexists(\\\"ObjectDN\\\", \\\"\\\")\\n| project-reorder LastSeen, Computer, Account, ObjectDN, AttributeLDAPDisplayName, AttributeValue\\n| extend timestamp = LastSeen\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| extend AccountName = tostring(split(Account, @\u0027\\\\\u0027)[1]), AccountNTDomain = tostring(split(Account, @\u0027\\\\\u0027)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Exchange OAB Virtual Directory Attribute Containing Potential Webshell\",\"description\":\"This query uses Windows Event ID 5136 in order to detect potential webshell deployment by exploitation of CVE-2021-27065.\\nThis query looks for changes to the InternalHostName or ExternalHostName properties of Exchange OAB Virtual Directory objects in AD Directory Services where the new objects contain potential webshell objects.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/17f23fbe-bb73-4324-8ecf-a18545a5dc26\",\"name\":\"17f23fbe-bb73-4324-8ecf-a18545a5dc26\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P3D\",\"queryPeriod\":\"P3D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"let timeframe = 3d;\\n// Get Release Pipeline Creation Events and group by day\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeframe)\\n| where OperationName =~ \\\"Release.ReleasePipelineCreated\\\"\\n// Group by day\\n| extend timekey = bin(TimeGenerated, 1d)\\n| extend PipelineId = tostring(Data.PipelineId)\\n| extend PipelineName = tostring(Data.PipelineName)\\n// Rename some columns to make output clearer\\n| project-rename TimeCreated = TimeGenerated, CreatingUser = ActorUPN, CreatingUserAgent = UserAgent, CreatingIP = IpAddress\\n// Join with Release Pipeline Deletions where Pipeline ID is the same and deletion occurred on same day as creation\\n| join (AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeframe)\\n| where OperationName =~ \\\"Release.ReleasePipelineDeleted\\\"\\n// Group by day\\n| extend timekey = bin(TimeGenerated, 1d)\\n| extend PipelineId = tostring(Data.PipelineId)\\n| extend PipelineName = tostring(Data.PipelineName)\\n// Rename some things to make the output clearer\\n| project-rename TimeDeleted = TimeGenerated,DeletingUser = ActorUPN, DeletingUserAgent = UserAgent, DeletingIP = IpAddress) on PipelineId, timekey\\n| project TimeCreated, TimeDeleted, PipelineName, PipelineId, CreatingUser, CreatingIP, CreatingUserAgent, DeletingUser, DeletingIP, DeletingUserAgent, ScopeDisplayName, ProjectName, Data, OperationName, OperationName1\\n| extend timestamp = TimeCreated\\n| extend CreatingUserAccountName = tostring(split(CreatingUser, \\\"@\\\")[0]), CreatingUserAccountUPNSuffix = tostring(split(CreatingUser, \\\"@\\\")[1])\\n| extend DeletingUserAccountName = tostring(split(DeletingUser, \\\"@\\\")[0]), DeletingUserAccountUPNSuffix = tostring(split(DeletingUser, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CreatingUser\"},{\"identifier\":\"Name\",\"columnName\":\"CreatingUserAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"CreatingUserAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DeletingUser\"},{\"identifier\":\"Name\",\"columnName\":\"DeletingUserAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"DeletingUserAccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"CreatingIP\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DeletingIP\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"Azure DevOps Pipeline Created and Deleted on the Same Day\",\"description\":\"An attacker with access to Azure DevOps could create a pipeline to inject artifacts used by other pipelines, or to create a malicious software build that looks legitimate by using a pipeline that incorporates legitimate elements. \\nAn attacker would also likely want to cover their tracks once conducting such activity. This query looks for Pipelines created and deleted within the same day, this is unlikely to be legitimate user activity in the majority of cases.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8e267e91-6bda-4b3c-bf68-9f5cbdd103a3\",\"name\":\"8e267e91-6bda-4b3c-bf68-9f5cbdd103a3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Low\",\"query\":\"ZoomLogs\\n| where Event =~ \\\"account.settings_updated\\\"\\n| extend EnforceLogin = columnifexists(\\\"payload_object_settings_schedule_meeting_enfore_login_b\\\", \\\"\\\")\\n| extend EnforceLoginDomain = columnifexists(\\\"payload_object_settings_schedule_meeting_enfore_login_b\\\", \\\"\\\")\\n| extend GuestAlerts = columnifexists(\\\"payload_object_settings_in_meeting_alert_guest_join_b\\\", \\\"\\\")\\n| where EnforceLogin == \u0027false\u0027 or EnforceLoginDomain == \u0027false\u0027 or GuestAlerts == \u0027false\u0027\\n| extend SettingChanged = case(EnforceLogin == \u0027false\u0027 and EnforceLoginDomain == \u0027false\u0027 and GuestAlerts == \u0027false\u0027, \\\"All settings changed\\\",\\n EnforceLogin == \u0027false\u0027 and EnforceLoginDomain == \u0027false\u0027, \\\"Enforced Logons and Restricted Domains Changed\\\",\\n EnforceLoginDomain == \u0027false\u0027 and GuestAlerts == \u0027false\u0027, \\\"Enforced Domains Changed\\\",\\n EnforceLoginDomain == \u0027false\u0027, \\\"Enfored Domains Changed\\\",\\n GuestAlerts == \u0027false\u0027, \\\"Guest Join Alerts Changed\\\",\\n EnforceLogin == \u0027false\u0027, \\\"Enforced Logins Changed\\\",\\n \\\"No Changes\\\")\\n| extend AccountName = tostring(split(User, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(User, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"User\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]}],\"tactics\":[\"CredentialAccess\",\"Persistence\"],\"displayName\":\"External User Access Enabled\",\"description\":\"This alerts when the account setting is changed to allow either external domain access or anonymous access to meetings.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2020-04-24T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/194dd92e-d6e7-4249-85a5-273350a7f5ce\",\"name\":\"194dd92e-d6e7-4249-85a5-273350a7f5ce\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.6\",\"severity\":\"Medium\",\"query\":\"OfficeActivity\\n| where OfficeWorkload =~ \\\"Exchange\\\" \\n| where UserType in~ (\\\"Admin\\\",\\\"DcAdmin\\\")\\n// Only admin or global-admin can disable audit logging\\n| where Operation =~ \\\"Set-AdminAuditLogConfig\\\"\\n| extend AdminAuditLogEnabledValue = tostring(parse_json(tostring(parse_json(tostring(array_slice(parse_json(Parameters),3,3)))[0])).Value)\\n| where AdminAuditLogEnabledValue =~ \\\"False\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), OperationCount = count() by Operation, UserType, UserId, ClientIP, ResultStatus, Parameters, AdminAuditLogEnabledValue\\n| extend AccountName = iff(UserId contains \u0027@\u0027, tostring(split(UserId, \u0027@\u0027)[0]), UserId)\\n| extend AccountUPNSuffix = iff(UserId contains \u0027@\u0027, tostring(split(UserId, \u0027@\u0027)[1]), \u0027\u0027)\\n| extend AccountName = iff(UserId contains \u0027\\\\\\\\\u0027, tostring(split(UserId, \u0027\\\\\\\\\u0027)[1]), AccountName)\\n| extend AccountNTDomain = iff(UserId contains \u0027\\\\\\\\\u0027, tostring(split(UserId, \u0027\\\\\\\\\u0027)[0]), \u0027\u0027)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserId\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Exchange AuditLog Disabled\",\"description\":\"Identifies when the exchange audit logging has been disabled which may be an adversary attempt to evade detection or avoid other defenses.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2019-04-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity (Exchange)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/eb68b129-5f17-4f56-bf6d-dde48d5e615a\",\"name\":\"eb68b129-5f17-4f56-bf6d-dde48d5e615a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"let lbtime = 10m;\\nlet binaryTypes = dynamic([\u0027zip\u0027, \u0027octet-stream\u0027, \u0027java-archive\u0027, \u0027rar\u0027, \u0027tar\u0027, \u0027x-7z-compressed\u0027, \u0027x-msdownload\u0027, \u0027portable-executable\u0027]);\\nProofpointPOD\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027inbound\u0027\\n| where FilterDisposition !in (\u0027reject\u0027, \u0027discard\u0027)\\n| extend attachedMimeType = tostring(todynamic(MsgParts)[0][\u0027detectedMime\u0027])\\n| where attachedMimeType has_any (binaryTypes)\\n| project SrcUserUpn, AccountCustomEntity = tostring(parse_json(DstUserUpn)[0]), attachedMimeType, MsgHeaderSubject\\n| extend Name = tostring(split(AccountCustomEntity, \\\"@\\\")[0]), UPNSuffix = tostring(split(AccountCustomEntity, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"ProofpointPOD - Binary file in attachment\",\"description\":\"Detects when email received with binary file as attachment.\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ee55dc85-d2da-48c1-a6c0-3eaee62a8d56\",\"name\":\"ee55dc85-d2da-48c1-a6c0-3eaee62a8d56\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Low\",\"query\":\"// Add the environments expected username format regex below before deploying\\nlet user_regex = \\\"\\\";\\nAuditLogs\\n| where OperationName =~ \\\"Add user\\\"\\n| where Result =~ \\\"success\\\"\\n| extend userAgent = tostring(AdditionalDetails[0].value)\\n| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n| extend InitiatingIPAddress = tostring(InitiatedBy.user.ipAddress)\\n| extend InitiatedBy = tostring(iff(isnotempty(InitiatingUserPrincipalName),InitiatingUserPrincipalName, InitiatingAppName))\\n| extend AddedUser = tostring(TargetResources[0].userPrincipalName)\\n| where AddedUser matches regex user_regex\\n| extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[1])\\n| extend TargetAccountName = tostring(split(AddedUser, \\\"@\\\")[0]), TargetAccountUPNSuffix = tostring(split(AddedUser, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"InitiatingAppName\"},{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAppServicePrincipalId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatingAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatingAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddedUser\"},{\"identifier\":\"Name\",\"columnName\":\"TargetAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"TargetAccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIPAddress\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"User Account Created Using Incorrect Naming Format\",\"description\":\"This query looks for accounts being created where the name does not match a defined pattern.\\n Attackers may attempt to add accounts as a means of establishing persistant access to an environment, looking for anomalies in created accounts may help identify illegitimately created accounts.\\n Created accounts should be investigated to ensure they were legitimated created.\\n The user_regex field in the query needs to be populated with the expected pattern for the environment before deployment.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#accounts-not-following-naming-policies\",\"lastUpdatedDateUTC\":\"2023-12-30T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/34c5aff9-a8c2-4601-9654-c7e46342d03b\",\"name\":\"34c5aff9-a8c2-4601-9654-c7e46342d03b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"High\",\"query\":\"let starttime = 14d;\\nlet timeframe = 1d;\\nlet scorethreshold = 3;\\nlet baselinethreshold = 5;\\nlet aadFunc = (tableName:string){\\n IdentityInfo\\n | where TimeGenerated \u003e ago(starttime)\\n | summarize arg_max(TimeGenerated, *) by AccountUPN\\n | mv-expand AssignedRoles\\n | where AssignedRoles contains \u0027Admin\u0027 or GroupMembership has \\\"Admin\\\"\\n | summarize Roles = make_list(AssignedRoles) by AccountUPN = tolower(AccountUPN)\\n | join kind=inner (\\n table(tableName)\\n | where TimeGenerated between (startofday(ago(starttime))..startofday(now()))\\n | where ResultType != 0\\n | extend UserPrincipalName = tolower(UserPrincipalName)\\n ) on $left.AccountUPN == $right.UserPrincipalName\\n | extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, Roles = tostring(Roles)\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nlet allSignins = union isfuzzy=true aadSignin, aadNonInt;\\nlet TimeSeriesAlerts = \\n allSignins\\n | make-series HourlyCount=count() on TimeGenerated from startofday(ago(starttime)) to startofday(now()) step 1h by UserPrincipalName, Roles\\n | extend (anomalies, score, baseline) = series_decompose_anomalies(HourlyCount, scorethreshold, -1, \u0027linefit\u0027)\\n | mv-expand HourlyCount to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to typeof(double), baseline to typeof(long)\\n // Filtering low count events per baselinethreshold\\n | where anomalies \u003e 0 and baseline \u003e baselinethreshold\\n | extend AnomalyHour = TimeGenerated\\n | project UserPrincipalName, Roles, AnomalyHour, TimeGenerated, HourlyCount, baseline, anomalies, score;\\n// Filter the alerts for specified timeframe\\nTimeSeriesAlerts\\n| where TimeGenerated \u003e startofday(ago(timeframe))\\n| join kind=inner ( \\n allSignins\\n | where TimeGenerated \u003e startofday(ago(timeframe))\\n // create a new column and round to hour\\n | extend DateHour = bin(TimeGenerated, 1h)\\n | summarize PartialFailedSignins = count(), LatestAnomalyTime = arg_max(TimeGenerated, *) by bin(TimeGenerated, 1h), OperationName, Category, ResultType, ResultDescription, UserPrincipalName, Roles, UserDisplayName, AppDisplayName, ClientAppUsed, IPAddress, ResourceDisplayName\\n) on UserPrincipalName, $left.AnomalyHour == $right.DateHour\\n| project LatestAnomalyTime, OperationName, Category, UserPrincipalName, Roles = todynamic(Roles), UserDisplayName, ResultType, ResultDescription, AppDisplayName, ClientAppUsed, UserAgent, IPAddress, Location, AuthenticationRequirement, ConditionalAccessStatus, ResourceDisplayName, PartialFailedSignins, TotalFailedSignins = HourlyCount, baseline, anomalies, score\\n| extend Name = tostring(split(UserPrincipalName,\u0027@\u0027,0)[0]), UPNSuffix = tostring(split(UserPrincipalName,\u0027@\u0027,1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Privileged Accounts - Sign in Failure Spikes\",\"description\":\" Identifies spike in failed sign-ins from Privileged accounts. Privileged accounts list can be based on IdentityInfo UEBA table.\\nSpike is determined based on Time series anomaly which will look at historical baseline values.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor\",\"lastUpdatedDateUTC\":\"2024-01-09T00:00:00Z\",\"createdDateUTC\":\"2021-10-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"IdentityInfo\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1399664f-9434-497c-9cde-42e4d74ae20e\",\"name\":\"1399664f-9434-497c-9cde-42e4d74ae20e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"SecurityAlert \\n| where AlertName == \\\"Impossible travel activity\\\"\\n| extend Extprop = parsejson(Entities)\\n| mv-expand Extprop\\n| extend Extprop = parsejson(Extprop)\\n| extend CmdLine = iff(Extprop[\u0027Type\u0027]==\\\"process\\\", Extprop[\u0027CommandLine\u0027], \u0027\u0027)\\n| extend File = iff(Extprop[\u0027Type\u0027]==\\\"file\\\", Extprop[\u0027Name\u0027], \u0027\u0027)\\n| extend Account = Extprop[\u0027Name\u0027]\\n| extend Domain = Extprop[\u0027UPNSuffix\u0027]\\n| extend Account = iif(isnotempty(Domain) and Extprop[\u0027Type\u0027]==\\\"account\\\", tolower(strcat(Account, \\\"@\\\", Domain)), iif(Extprop[\u0027Type\u0027]==\\\"account\\\", tolower(Account), \\\"\\\"))\\n| extend IpAddress = iff(Extprop[\\\"Type\\\"] == \\\"ip\\\",Extprop[\u0027Address\u0027], \u0027\u0027)\\n| extend Process = iff(isnotempty(CmdLine), CmdLine, File)\\n| project TimeGenerated,Account,IpAddress,CompromisedEntity,Description,ProviderName,ResourceId\\n| join kind=inner\\n(\\nOfficeActivity\\n| where Operation =~ \\\"Add-MailboxPermission\\\"\\n| extend value = tostring(parse_json(Parameters)[3].Value)\\n| where value contains \\\"FullAccess\\\"\\n| where ResultStatus == \\\"True\\\"\\n| project Parameters,TimeGenerated,value,RecordType,Operation,OrganizationId,UserType,UserKey,OfficeWorkload,ResultStatus,OfficeObjectId,UserId,ClientIP,ExternalAccess,OriginatingServer,OrganizationName,TenantId,ElevationTime,SourceSystem,OfficeId,OfficeTenantId,Type,SourceRecordId\\n) on $left.Account == $right.UserId\\n| join kind=inner\\n(\\nAuditLogs\\n| where ActivityDisplayName =~ \\\"Add eligible member to role in PIM requested (timebound)\\\"\\n| where AADOperationType =~ \\\"CreateRequestEligibleRole\\\"\\n| where TargetResources has_any (\\\"-PRIV\\\", \\\"Administrator\\\", \\\"Security\\\")\\n| extend BuiltinRole = tostring(parse_json(TargetResources[0].displayName))\\n| extend CustomGroup = tostring(parse_json(TargetResources[3].displayName))\\n| extend TargetAccount = tostring(parse_json(TargetResources[2].displayName))\\n| extend Initiatedby = Identity\\n| project TimeGenerated, ActivityDisplayName, AADOperationType, Initiatedby, TargetAccount, BuiltinRole, CustomGroup, LoggedByService, Result, ResourceId, Id\\n| sort by TimeGenerated desc\\n) on $left.UserId == $right.Initiatedby\\n| extend AccountName = tostring(split(Initiatedby, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(Initiatedby, \\\"@\\\")[1])\\n| project AADOperationType, ActivityDisplayName,AccountName, AccountUPNSuffix, Id,ResourceId,IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]}],\"tactics\":[\"InitialAccess\",\"PrivilegeEscalation\"],\"displayName\":\"Detecting Impossible travel with mailbox permission tampering \u0026 Privilege Escalation attempt\",\"description\":\"This hunting query will alert on any Impossible travel activity in correlation with mailbox permission tampering followed by account being added to a PIM managed privileged group.\\nEnsure this impossible travel incident with increase of privileges is legitimate in your environment.\",\"lastUpdatedDateUTC\":\"2024-11-20T00:00:00Z\",\"createdDateUTC\":\"2022-02-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert (ASC)\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/12dcea64-bec2-41c9-9df2-9f28461b1295\",\"name\":\"12dcea64-bec2-41c9-9df2-9f28461b1295\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\n// Adjust for a longer timeframe for identifying ADFS Servers\\nlet lookback = 6d;\\n// Identify ADFS Servers\\nlet ADFS_Servers = (\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeframe+lookback)\\n| where EventID == 4688 and SubjectLogonId != \\\"0x3e4\\\"\\n| where NewProcessName has \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n);\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Computer in~ (ADFS_Servers)\\n| where Account !endswith \\\"$\\\"\\n// Check for scheduled task events\\n| where EventID in (4697, 4698, 4699, 4700, 4701, 4702)\\n| extend EventDataParsed = parse_xml(EventData)\\n| extend SubjectLogonId = tostring(EventDataParsed.EventData.Data[3][\\\"#text\\\"])\\n// Check specifically for access to IPC$ share and PIPE\\\\svcctl and PIPE\\\\atsvc for Service Control Services and Schedule Control Services\\n| union (\\n SecurityEvent\\n | where TimeGenerated \u003e ago(timeframe)\\n | where Computer in~ (ADFS_Servers)\\n | where Account !endswith \\\"$\\\"\\n | where EventID == 5145\\n | where RelativeTargetName =~ \\\"svcctl\\\" or RelativeTargetName =~ \\\"atsvc\\\"\\n)\\n// Check for lateral movement\\n| join kind=inner\\n(SecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Account !endswith \\\"$\\\"\\n| where EventID == 4624 and LogonType == 3\\n) on $left.SubjectLogonId == $right.TargetLogonId\\n| project TimeGenerated, Account, Computer, EventID, RelativeTargetName\\n| extend timestamp = TimeGenerated\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| extend AccountName = tostring(split(Account, @\u0027\\\\\u0027)[1]), AccountNTDomain = tostring(split(Account, @\u0027\\\\\u0027)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"LateralMovement\"],\"displayName\":\"Gain Code Execution on ADFS Server via SMB + Remote Service or Scheduled Task\",\"description\":\"This query detects instances where an attacker has gained the ability to execute code on an ADFS Server through SMB and Remote Service or Scheduled Task.\",\"lastUpdatedDateUTC\":\"2024-03-13T00:00:00Z\",\"createdDateUTC\":\"2021-03-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/28b42356-45af-40a6-a0b4-a554cdfd5d8a\",\"name\":\"28b42356-45af-40a6-a0b4-a554cdfd5d8a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.1.4\",\"severity\":\"Medium\",\"query\":\"// Set threshold value for deviation\\nlet threshold = 25;\\n// Set the time range for the query\\nlet timeRange = 24h;\\n// Set the authentication window duration\\nlet authenticationWindow = 20m;\\n// Define a reusable function \u0027aadFunc\u0027 that takes a table name as input\\nlet aadFunc = (tableName: string) {\\n // Query the specified table\\n table(tableName)\\n // Filter data within the last 24 hours\\n | where TimeGenerated \u003e ago(1d)\\n // Filter records related to \\\"Azure Portal\\\" applications\\n | where AppDisplayName has \\\"Azure Portal\\\"\\n // Extract and transform some fields\\n | extend\\n DeviceDetail = todynamic(DeviceDetail),\\n LocationDetails = todynamic(LocationDetails)\\n | extend\\n OS = tostring(DeviceDetail.operatingSystem),\\n Browser = tostring(DeviceDetail.browser),\\n State = tostring(LocationDetails.state),\\n City = tostring(LocationDetails.city),\\n Region = tostring(LocationDetails.countryOrRegion)\\n // Categorize records as Success or Failure based on ResultType\\n | extend FailureOrSuccess = iff(ResultType in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\", \\\"70043\\\", \\\"70044\\\"), \\\"Success\\\", \\\"Failure\\\")\\n // Sort and identify sessions\\n | sort by UserPrincipalName asc, TimeGenerated asc\\n | extend SessionStartedUtc = row_window_session(TimeGenerated, timeRange, authenticationWindow, UserPrincipalName != prev(UserPrincipalName) or prev(FailureOrSuccess) == \\\"Success\\\")\\n // Summarize data\\n | summarize FailureOrSuccessCount = count() by FailureOrSuccess, UserId, UserDisplayName, AppDisplayName, IPAddress, Browser, OS, State, City, Region, Type, CorrelationId, bin(TimeGenerated, authenticationWindow), ResultType, UserPrincipalName, SessionStartedUtc\\n | summarize FailureCountBeforeSuccess = sumif(FailureOrSuccessCount, FailureOrSuccess == \\\"Failure\\\"), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), makelist(FailureOrSuccess), IPAddress = make_set(IPAddress, 15), make_set(Browser, 15), make_set(City, 15), make_set(State, 15), make_set(Region, 15), make_set(ResultType, 15) by SessionStartedUtc, UserPrincipalName, CorrelationId, AppDisplayName, UserId, Type\\n // Filter records where \\\"Success\\\" occurs in the middle of a session\\n | where array_index_of(list_FailureOrSuccess, \\\"Success\\\") != 0\\n | where array_index_of(list_FailureOrSuccess, \\\"Success\\\") == array_length(list_FailureOrSuccess) - 1\\n // Remove unnecessary columns from the output\\n | project-away SessionStartedUtc, list_FailureOrSuccess\\n // Join with another table and calculate deviation\\n | join kind=inner (\\n table(tableName)\\n | where TimeGenerated \u003e ago(7d)\\n | where AppDisplayName has \\\"Azure Portal\\\"\\n | extend FailureOrSuccess = iff(ResultType in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\", \\\"70043\\\", \\\"70044\\\"), \\\"Success\\\", \\\"Failure\\\")\\n | summarize avgFailures = avg(todouble(FailureOrSuccess == \\\"Failure\\\")) by UserPrincipalName\\n ) on UserPrincipalName\\n | extend Deviation = abs(FailureCountBeforeSuccess - avgFailures) / avgFailures\\n // Filter records based on deviation and failure count criteria\\n | where Deviation \u003e threshold and FailureCountBeforeSuccess \u003e= 10\\n // Expand the IPAddress array\\n | mv-expand IPAddress\\n | extend IPAddress = tostring(IPAddress)\\n | extend timestamp = StartTime\\n};\\n// Call \u0027aadFunc\u0027 with different table names and union the results\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\\n// Additional transformation - Split UserPrincipalName\\n| extend Name = tostring(split(UserPrincipalName,\u0027@\u0027,0)[0]), UPNSuffix = tostring(split(UserPrincipalName,\u0027@\u0027,1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"UserId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Brute force attack against Azure Portal\",\"description\":\"Detects Azure Portal brute force attacks by monitoring for multiple authentication failures and a successful login within a 20-minute window. Default settings: 10 failures, 25 deviations.\\nRef: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes.\",\"lastUpdatedDateUTC\":\"2024-01-09T00:00:00Z\",\"createdDateUTC\":\"2019-04-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2f4165a6-c4fb-4e94-861e-37f1b4d6c0e6\",\"name\":\"2f4165a6-c4fb-4e94-861e-37f1b4d6c0e6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Medium\",\"query\":\"// Adjust this to use a longer timeframe to identify ADFS servers\\n//let lookback = 0d;\\n// Adjust this to adjust detection timeframe\\n//let timeframe = 1d;\\n// SamAccountName of AD FS Service Account. Filter on the use of a specific AD FS user account\\n//let adfsuser = \u0027adfsadmin\u0027;\\n// Identify ADFS Servers\\nlet ADFS_Servers = (\\n SecurityEvent\\n //| where TimeGenerated \u003e ago(timeframe+lookback)\\n | where EventSourceName == \u0027AD FS Auditing\u0027\\n | distinct Computer\\n);\\nSecurityEvent\\n //| where TimeGenerated \u003e ago(timeframe)\\n | where Computer in~ (ADFS_Servers)\\n // A token of type \u0027http://schemas.microsoft.com/ws/2006/05/servicemodel/tokens/SecureConversation\u0027\\n // for relying party \u0027-\u0027 was successfully authenticated.\\n | where EventID == 412\\n | extend EventData = parse_xml(EventData).EventData.Data\\n | extend InstanceId = tostring(EventData[0])\\n| join kind=inner\\n(\\n SecurityEvent\\n //| where TimeGenerated \u003e ago(timeframe)\\n | where Computer in~ (ADFS_Servers)\\n // Events to identify caller identity from event 412\\n | where EventID == 501\\n | extend EventData = parse_xml(EventData).EventData.Data\\n | where tostring(EventData[1]) contains \u0027identity/claims/name\u0027\\n | extend InstanceId = tostring(EventData[0])\\n | extend ClaimsName = tostring(EventData[2])\\n // Filter on the use of a specific AD FS user account\\n //| where ClaimsName contains adfsuser\\n)\\non $left.InstanceId == $right.InstanceId\\n| join kind=inner\\n(\\n SecurityEvent\\n | where EventID == 5156\\n | where Computer in~ (ADFS_Servers)\\n | extend EventData = parse_xml(EventData).EventData.Data\\n | mv-expand bagexpansion=array EventData\\n | evaluate bag_unpack(EventData)\\n | extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n | evaluate pivot(Key, any(Value), TimeGenerated, Computer, EventID)\\n | extend DestPort = column_ifexists(\\\"DestPort\\\", \\\"\\\"),\\n Direction = column_ifexists(\\\"Direction\\\", \\\"\\\"),\\n Application = column_ifexists(\\\"Application\\\", \\\"\\\"),\\n DestAddress = column_ifexists(\\\"DestAddress\\\", \\\"\\\"),\\n SourceAddress = column_ifexists(\\\"SourceAddress\\\", \\\"\\\"),\\n SourcePort = column_ifexists(\\\"SourcePort\\\", \\\"\\\")\\n // Look for inbound connections from endpoints on port 80\\n | where DestPort == 80 and Direction == \u0027%%14592\u0027 and Application == \u0027System\u0027\\n | where DestAddress !in (\u0027::1\u0027,\u00270:0:0:0:0:0:0:1\u0027)\\n)\\non $left.Computer == $right.Computer\\n| project TimeGenerated, Computer, ClaimsName, SourceAddress, SourcePort\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| extend AccountName = tostring(split(ClaimsName, @\u0027\\\\\u0027)[1]), AccountNTDomain = tostring(split(ClaimsName, @\u0027\\\\\u0027)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ClaimsName\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceAddress\"}]}],\"tactics\":[\"Collection\"],\"displayName\":\"AD FS Remote Auth Sync Connection\",\"description\":\"This detection uses Security events from the \\\"AD FS Auditing\\\" provider to detect suspicious authentication events on an AD FS server. The results then get correlated with events from the Windows Filtering Platform (WFP) to detect suspicious incoming network traffic on port 80 on the AD FS server.\\nThis could be a sign of a threat actor trying to use replication services on the AD FS server to get its configuration settings and extract sensitive information such as AD FS certificates. In order to use this query you need to enable AD FS auditing on the AD FS Server.\\nReferences:\\nhttps://docs.microsoft.com/windows-server/identity/ad-fs/troubleshooting/ad-fs-tshoot-logging\\nhttps://twitter.com/OTR_Community/status/1387038995016732672\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2021-04-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/957cb240-f45d-4491-9ba5-93430a3c08be\",\"name\":\"957cb240-f45d-4491-9ba5-93430a3c08be\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.5\",\"severity\":\"Low\",\"query\":\"OfficeActivity\\n| where Operation in~ ( \\\"Add-MailboxPermission\\\", \\\"Add-MailboxFolderPermission\\\", \\\"Set-Mailbox\\\", \\\"New-ManagementRoleAssignment\\\", \\\"New-InboxRule\\\", \\\"Set-InboxRule\\\", \\\"Set-TransportRule\\\")\\nand not(UserId has_any (\u0027NT AUTHORITY\\\\\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\u0027, \u0027NT AUTHORITY\\\\\\\\SYSTEM (Microsoft.Exchange.AdminApi.NetCore)\u0027, \u0027NT AUTHORITY\\\\\\\\SYSTEM (w3wp)\u0027, \u0027devilfish-applicationaccount\u0027) and Operation in~ ( \\\"Add-MailboxPermission\\\", \\\"Set-Mailbox\\\"))\\n| extend ClientIPOnly = tostring(extract_all(@\u0027\\\\[?(::ffff:)?(?P\u003cIPAddress\u003e(\\\\d+\\\\.\\\\d+\\\\.\\\\d+\\\\.\\\\d+)|[^\\\\]]+)\\\\]?\u0027, dynamic([\\\"IPAddress\\\"]), ClientIP)[0])\\n| extend AccountName = tostring(split(UserId, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(UserId, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserId\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]},{\"entityType\":\"CloudApplication\",\"fieldMappings\":[{\"identifier\":\"AppId\",\"columnName\":\"AppId\"}]}],\"tactics\":[\"Persistence\",\"Collection\"],\"displayName\":\"Rare and potentially high-risk Office operations\",\"description\":\"Identifies Office operations that are typically rare and can provide capabilities useful to attackers.\",\"lastUpdatedDateUTC\":\"2024-03-18T00:00:00Z\",\"createdDateUTC\":\"2019-02-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2cfc3c6e-f424-4b88-9cc9-c89f482d016a\",\"name\":\"2cfc3c6e-f424-4b88-9cc9-c89f482d016a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.5\",\"severity\":\"High\",\"query\":\"AuditLogs\\n| where OperationName has (\\\"Certificates and secrets management\\\")\\n| where Result =~ \\\"success\\\"\\n| where tostring(InitiatedBy.user.userPrincipalName) has \\\"@\\\" or tostring(InitiatedBy.app.displayName) has \\\"@\\\"\\n| mv-apply TargetResource = TargetResources on \\n (\\n where TargetResource.type =~ \\\"Application\\\"\\n | extend targetDisplayName = tostring(TargetResource.displayName),\\n targetId = tostring(TargetResource.id),\\n targetType = tostring(TargetResource.type),\\n keyEvents = TargetResource.modifiedProperties\\n )\\n| mv-apply Property = keyEvents on \\n (\\n where Property.displayName =~ \\\"KeyDescription\\\"\\n | extend new_value_set = parse_json(tostring(Property.newValue)),\\n old_value_set = parse_json(tostring(Property.oldValue))\\n )\\n| where old_value_set == \\\"[]\\\"\\n| mv-expand new_value_set\\n| parse new_value_set with * \\\"KeyIdentifier=\\\" keyIdentifier:string \\\",KeyType=\\\" keyType:string \\\",KeyUsage=\\\" keyUsage:string \\\",DisplayName=\\\" keyDisplayName:string \\\"]\\\" *\\n| where keyUsage =~ \\\"Verify\\\"\\n| mv-apply AdditionalDetail = AdditionalDetails on \\n (\\n where AdditionalDetail.key =~ \\\"User-Agent\\\"\\n | extend InitiatingUserAgent = tostring(AdditionalDetail.value)\\n )\\n| project-away new_value_set, old_value_set, TargetResource, Property, AdditionalDetail\\n| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n| extend InitiatingIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\\n| project-reorder TimeGenerated, OperationName, InitiatingUserPrincipalName, InitiatingAadUserId, InitiatingAppName, InitiatingAppServicePrincipalId, InitiatingIpAddress, InitiatingUserAgent, \\ntargetDisplayName, targetId, targetType, keyDisplayName, keyType, keyUsage, keyIdentifier, CorrelationId, TenantId\\n| extend Name = split(InitiatingUserPrincipalName, \\\"@\\\")[0], UPNSuffix = split(InitiatingUserPrincipalName, \\\"@\\\")[1]\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAppServicePrincipalId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIpAddress\"}]},{\"entityType\":\"CloudApplication\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"targetDisplayName\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"First access credential added to Application or Service Principal where no credential was present\",\"description\":\"This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where there was no previous verify KeyCredential associated.\\nIf a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2024-01-06T00:00:00Z\",\"createdDateUTC\":\"2020-11-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/62085097-d113-459f-9ea7-30216f2ee6af\",\"name\":\"62085097-d113-459f-9ea7-30216f2ee6af\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P3D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Low\",\"query\":\"let starttime = 3d;\\nlet SecEvents = materialize ( SecurityEvent | where TimeGenerated \u003e= ago(starttime)\\n| where EventID in (4722,4723) | where TargetUserName !endswith \\\"$\\\"\\n| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetSid, SubjectAccount, SubjectUserSid);\\nlet userEnable = SecEvents\\n| extend EventID4722Time = TimeGenerated\\n// 4722: User Account Enabled\\n| where EventID == 4722\\n| project Time_Event4722 = TimeGenerated, TargetAccount, TargetSid, SubjectAccount_Event4722 = SubjectAccount, SubjectUserSid_Event4722 = SubjectUserSid, Activity_4722 = Activity, Computer_4722 = Computer;\\nlet userPwdSet = SecEvents\\n// 4723: Attempt made by user to set password\\n| where EventID == 4723\\n| project Time_Event4723 = TimeGenerated, TargetAccount, TargetSid, SubjectAccount_Event4723 = SubjectAccount, SubjectUserSid_Event4723 = SubjectUserSid, Activity_4723 = Activity, Computer_4723 = Computer;\\nuserEnable | join kind=leftouter userPwdSet on TargetAccount, TargetSid\\n| extend PasswordSetAttemptDelta_Min = datetime_diff(\u0027minute\u0027, Time_Event4723, Time_Event4722)\\n| where PasswordSetAttemptDelta_Min \u003e 2880 or isempty(PasswordSetAttemptDelta_Min)\\n| project-away TargetAccount1, TargetSid1\\n| extend Reason = @\\\"User either has not yet attempted to set the initial password after account was enabled or it occurred after 48 hours\\\"\\n| order by Time_Event4722 asc\\n| project-reorder Time_Event4722, Time_Event4723, PasswordSetAttemptDelta_Min, TargetAccount, TargetSid\\n| extend Computer = coalesce(Computer_4723, Computer_4722)\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| extend AccountName = tostring(split(TargetAccount, \\\"\\\\\\\\\\\")[1]), AccountNTDomain = tostring(split(TargetAccount, \\\"\\\\\\\\\\\")[0])\\n| project-away DomainIndex\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetAccount\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Sid\",\"columnName\":\"TargetSid\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"AD user enabled and password not set within 48 hours\",\"description\":\"Identifies when an account is enabled with a default password and the password is not set by the user within 48 hours.\\nEffectively, there is an event 4722 indicating an account was enabled and within 48 hours, no event 4723 occurs which\\nindicates there was no attempt by the user to set the password. This will show any attempts (success or fail) that occur\\nafter 48 hours, which can indicate too long of a time period in setting the password to something that only the user knows.\\nIt is recommended that this time period is adjusted per your internal company policy.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2019-01-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ce02935c-cc67-4b77-9b96-93d9947e119a\",\"name\":\"ce02935c-cc67-4b77-9b96-93d9947e119a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"acrobatrelay.com\\\", \\\"finconsult.cc\\\", \\\"realmetaldns.com\\\"]); \\n(union isfuzzy=true \\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where DNSName in~ (DomainNames) \\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = DestinationIP \\n), \\n(_Im_Dns (domain_has_any=DomainNames)\\n| extend DNSName = DnsQuery \\n| extend IPAddress = SrcIpAddr, Computer = Dvc\\n), \\n(_Im_WebSession (url_has_any=DomainNames)\\n| extend DNSName = tostring(parse_url(Url)[\\\"Host\\\"])\\n| extend IPAddress = SrcIpAddr, Computer = Dvc\\n), \\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 * \\n| where isnotempty(DNSName) \\n| where DNSName in~ (DomainNames) \\n| extend IPAddress = RemoteIp \\n), \\n( \\n DeviceNetworkEvents \\n| where isnotempty(RemoteUrl) \\n| where RemoteUrl has_any (DomainNames) \\n| extend IPAddress = RemoteIP \\n| extend Computer = DeviceName \\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPAddress = SourceHost\\n) \\n) \\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"[Deprecated] - Denim Tsunami C2 Domains July 2022\",\"description\":\"This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft\u0027s Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2022-07-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5436f471-b03d-41cb-b333-65891f887c43\",\"name\":\"5436f471-b03d-41cb-b333-65891f887c43\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Informational\",\"query\":\"GitHubRepo\\n| where Action == \\\"vulnerabilityAlert\\\"\\n| project TimeGenerated, DismmisedAt, Reason, vulnerableManifestFilename, Description, Link, PublishedAt, Severity, Summary\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Link\"}]}],\"tactics\":[\"InitialAccess\",\"Execution\",\"PrivilegeEscalation\",\"DefenseEvasion\",\"CredentialAccess\",\"LateralMovement\"],\"displayName\":\"GitHub Security Vulnerability in Repository\",\"description\":\"This alerts when there is a new security vulnerability in a GitHub repository.\",\"lastUpdatedDateUTC\":\"2024-07-24T00:00:00Z\",\"createdDateUTC\":\"2020-06-10T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2937bc6b-7cda-4fba-b452-ea43ba8e835f\",\"name\":\"2937bc6b-7cda-4fba-b452-ea43ba8e835f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n| where EventID == 5136 \\n| parse EventData with * \u0027ObjectClass\\\"\u003e\u0027 ObjectClass \\\"\u003c\\\" *\\n| parse EventData with * \u0027AttributeLDAPDisplayName\\\"\u003e\u0027 AttributeLDAPDisplayName \\\"\u003c\\\" *\\n| where ObjectClass == \\\"computer\\\" and AttributeLDAPDisplayName == \\\"msDS-AllowedToActOnBehalfOfOtherIdentity\\\"\\n| parse EventData with * \u0027ObjectDN\\\"\u003e\u0027 ObjectDN \\\"\u003c\\\" *\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Computer, SubjectAccount, SubjectUserName, SubjectDomainName, SubjectUserSid, SubjectLogonId, ObjectDN, AttributeLDAPDisplayName\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| project-away DomainIndex\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SubjectAccount\"},{\"identifier\":\"Name\",\"columnName\":\"SubjectUserName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"SubjectDomainName\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Sid\",\"columnName\":\"SubjectUserSid\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Possible Resource-Based Constrained Delegation Abuse\",\"description\":\"This query identifies Active Directory computer objects modifications that allow an adversary to abuse the Resource-based constrained delegation. \\nThis query checks for event id 5136 that the Object Class field is \\\"computer\\\" and the LDAP Display Name is \\\"msDS-AllowedToActOnBehalfOfOtherIdentity\\\" which is an indicator of Resource-based constrained delegation.\\nRef: https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2022-01-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8540c842-5bbc-4a24-9fb2-a836c0e55a51\",\"name\":\"8540c842-5bbc-4a24-9fb2-a836c0e55a51\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.3\",\"severity\":\"High\",\"query\":\"AuditLogs\\n| where OperationName =~ \\\"Set federation settings on domain\\\" or OperationName =~ \\\"Set domain authentication\\\"\\n//| where Result =~ \\\"success\\\" // commenting out, as it may be interesting to capture failed attempts\\n| mv-expand TargetResources\\n| extend modifiedProperties = parse_json(TargetResources).modifiedProperties\\n| mv-apply Property = modifiedProperties on \\n (\\n where Property.displayName =~ \\\"LiveType\\\"\\n | extend targetDisplayName = tostring(Property.displayName),\\n NewDomainValue = tostring(Property.newValue)\\n )\\n| extend Federated = iif(OperationName =~ \\\"Set domain authentication\\\", iif(NewDomainValue has \\\"Federated\\\", True, False), True)\\n| where Federated == True\\n| mv-expand AdditionalDetails\\n| mv-apply AdditionalDetail = AdditionalDetails on \\n (\\n where AdditionalDetail.key =~ \\\"User-Agent\\\"\\n | extend UserAgent = tostring(AdditionalDetail.value)\\n )\\n| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n| extend InitiatingIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\\n| project-reorder TimeGenerated, OperationName, InitiatingUserPrincipalName, InitiatingAadUserId, InitiatingAppName, InitiatingAppServicePrincipalId, InitiatingIpAddress, AADOperationType, targetDisplayName, Result, UserAgent, CorrelationId, TenantId, AADTenantId\\n| extend Name = tostring(split(InitiatingUserPrincipalName,\u0027@\u0027,0)[0]), UPNSuffix = tostring(split(InitiatingUserPrincipalName,\u0027@\u0027,1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAppServicePrincipalId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIpAddress\"}]}],\"tactics\":[\"CredentialAccess\",\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"NRT Modified domain federation trust settings\",\"description\":\"This will alert when a user or application modifies the federation settings on the domain or Update domain authentication from Managed to Federated.\\nFor example, this alert will trigger when a new Active Directory Federated Service (ADFS) TrustedRealm object, such as a signing certificate, is added to the domain.\\nModification to domain federation settings should be rare. Confirm the added or modified target domain/URL is legitimate administrator behavior.\\nTo understand why an authorized user may update settings for a federated domain in Office 365, Azure, or Intune, see: https://docs.microsoft.com/office365/troubleshoot/active-directory/update-federated-domain-office-365.\\nFor details on security realms that accept security tokens, see the ADFS Proxy Protocol (MS-ADFSPP) specification: https://docs.microsoft.com/openspecs/windows_protocols/ms-adfspp/e7b9ea73-1980-4318-96a6-da559486664b.\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2024-07-15T00:00:00Z\",\"createdDateUTC\":\"2020-12-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/dd03057e-4347-4853-bf1e-2b2d21eb4e59\",\"name\":\"dd03057e-4347-4853-bf1e-2b2d21eb4e59\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"let DomainList = dynamic([\\\"monerohash.com\\\", \\\"do-dear.com\\\", \\\"xmrminerpro.com\\\", \\\"secumine.net\\\", \\\"xmrpool.com\\\", \\\"minexmr.org\\\", \\\"hashanywhere.com\\\", \\\"xmrget.com\\\",\\n\\\"mininglottery.eu\\\", \\\"minergate.com\\\", \\\"moriaxmr.com\\\", \\\"multipooler.com\\\", \\\"moneropools.com\\\", \\\"xmrpool.eu\\\", \\\"coolmining.club\\\", \\\"supportxmr.com\\\",\\n\\\"minexmr.com\\\", \\\"hashvault.pro\\\", \\\"xmrpool.net\\\", \\\"crypto-pool.fr\\\", \\\"xmr.pt\\\", \\\"miner.rocks\\\", \\\"walpool.com\\\", \\\"herominers.com\\\", \\\"gntl.co.uk\\\", \\\"semipool.com\\\",\\n\\\"coinfoundry.org\\\", \\\"cryptoknight.cc\\\", \\\"fairhash.org\\\", \\\"baikalmine.com\\\", \\\"tubepool.xyz\\\", \\\"fairpool.xyz\\\", \\\"asiapool.io\\\", \\\"coinpoolit.webhop.me\\\", \\\"nanopool.org\\\",\\n\\\"moneropool.com\\\", \\\"miner.center\\\", \\\"prohash.net\\\", \\\"poolto.be\\\", \\\"cryptoescrow.eu\\\", \\\"monerominers.net\\\", \\\"cryptonotepool.org\\\", \\\"extrmepool.org\\\", \\\"webcoin.me\\\",\\n\\\"kippo.eu\\\", \\\"hashinvest.ws\\\", \\\"monero.farm\\\", \\\"supportxmr.com\\\", \\\"xmrpool.eu\\\", \\\"linux-repository-updates.com\\\", \\\"1gh.com\\\", \\\"dwarfpool.com\\\", \\\"hash-to-coins.com\\\",\\n\\\"hashvault.pro\\\", \\\"pool-proxy.com\\\", \\\"hashfor.cash\\\", \\\"fairpool.cloud\\\", \\\"litecoinpool.org\\\", \\\"mineshaft.ml\\\", \\\"abcxyz.stream\\\", \\\"moneropool.ru\\\", \\\"cryptonotepool.org.uk\\\",\\n\\\"extremepool.org\\\", \\\"extremehash.com\\\", \\\"hashinvest.net\\\", \\\"unipool.pro\\\", \\\"crypto-pools.org\\\", \\\"monero.net\\\", \\\"backup-pool.com\\\", \\\"mooo.com\\\", \\\"freeyy.me\\\", \\\"cryptonight.net\\\",\\n\\\"shscrypto.net\\\"]);\\nSyslog\\n| where ProcessName contains \\\"squid\\\"\\n| extend URL = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :]*)\\\",3,SyslogMessage),\\n SourceIP = extract(\\\"([0-9]+ )(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3}))\\\",2,SyslogMessage),\\n Status = extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))\\\",1,SyslogMessage),\\n HTTP_Status_Code = extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))/([0-9]{3})\\\",8,SyslogMessage),\\n User = extract(\\\"(CONNECT |GET )([^ ]* )([^ ]+)\\\",3,SyslogMessage),\\n RemotePort = extract(\\\"(CONNECT |GET )([^ ]*)(:)([0-9]*)\\\",4,SyslogMessage),\\n Domain = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :\\\\\\\\/]*)\\\",3,SyslogMessage),\\n Bytes = toint(extract(\\\"([A-Z]+\\\\\\\\/[0-9]{3} )([0-9]+)\\\",2,SyslogMessage)),\\n contentType = extract(\\\"([a-z/]+$)\\\",1,SyslogMessage)\\n| extend TLD = extract(\\\"\\\\\\\\.[a-z]*$\\\",0,Domain)\\n| where HTTP_Status_Code == \u0027200\u0027\\n| where Domain contains \\\".\\\"\\n| where Domain has_any (DomainList)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"User\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URL\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"NRT Squid proxy events related to mining pools\",\"description\":\"Checks for Squid proxy events in Syslog associated with common mining pools .This query presumes the default Squid log format is being used.\\n http://www.squid-cache.org/Doc/config/access_log/\",\"lastUpdatedDateUTC\":\"2024-03-04T00:00:00Z\",\"createdDateUTC\":\"2019-07-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"SyslogAma\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0b904747-1336-4363-8d84-df2710bfe5e7\",\"name\":\"0b904747-1336-4363-8d84-df2710bfe5e7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.2\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h; // Look back 1 hour for AzureDiagnostics logs\\nlet ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators\\n// Fetch threat intelligence indicators related to IP addresses\\nlet IP_Indicators = ThreatIntelligenceIndicator\\n // Filter out indicators without relevant IP address fields\\n | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n | where TimeGenerated \u003e= ago(ioc_lookBack)\\n // Select the IP entity based on availability of different IP fields\\n | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n // Exclude local addresses using the ipv4_is_private operator and filtering out specific address prefixes\\n | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \\\"fe80\\\" and TI_ipEntity !startswith \\\"::\\\" and TI_ipEntity !startswith \\\"127.\\\"\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n | where Active == true and ExpirationDateTime \u003e now();\\n// Perform a join between IP indicators and AzureDiagnostics logs to identify potential malicious activity\\nIP_Indicators\\n // Use innerunique to keep performance fast and result set low, as we only need one match to indicate potential malicious activity that needs investigation\\n | join kind=innerunique (\\n AzureDiagnostics\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where OperationName in (\\\"AzureFirewallApplicationRuleLog\\\", \\\"AzureFirewallNetworkRuleLog\\\")\\n | parse kind=regex flags=U msg_s with Protocol \u0027request from \u0027 SourceHost \u0027to \u0027 DestinationHost @\u0027\\\\.? Action: \u0027 Firewall_Action @\u0027\\\\.\u0027 Rest_msg\\n | extend SourceAddress = extract(@\u0027([\\\\.0-9]+)(:[\\\\.0-9]+)?\u0027, 1, SourceHost)\\n | extend DestinationAddress = extract(@\u0027([\\\\.0-9]+)(:[\\\\.0-9]+)?\u0027, 1, DestinationHost)\\n | extend RemoteIP = case(not(ipv4_is_private(DestinationAddress)), DestinationAddress, not(ipv4_is_private(SourceAddress)), SourceAddress, \\\"\\\")\\n | where isnotempty(RemoteIP) // Filter out traffic involving public addresses only\\n | project-rename AzureFirewall_TimeGenerated = TimeGenerated\\n )\\n on $left.TI_ipEntity == $right.RemoteIP\\n // Filter out logs that occurred after the expiration of the corresponding indicator\\n | where AzureFirewall_TimeGenerated \u003c ExpirationDateTime\\n // Group the results by IndicatorId and RemoteIP, and keep the log entry with the latest timestamp\\n | summarize AzureFirewall_TimeGenerated = arg_max(AzureFirewall_TimeGenerated, *) by IndicatorId, RemoteIP\\n // Select the desired output fields\\n | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, DomainName, ExpirationDateTime, ConfidenceScore,\\n AzureFirewall_TimeGenerated, TI_ipEntity, Resource, Category, msg_s, SourceAddress, DestinationAddress, Firewall_Action, Protocol,\\n NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, Type\\n // Rename the timestamp field\\n | extend timestamp = AzureFirewall_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"TI_ipEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"TI map IP entity to AzureFirewall\",\"description\":\"Identifies a match in AzureFirewall (NetworkRule \u0026 ApplicationRule Logs) from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2024-07-09T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b2199398-8942-4b8c-91a9-b0a707c5d147\",\"name\":\"b2199398-8942-4b8c-91a9-b0a707c5d147\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT12H\",\"queryPeriod\":\"PT12H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/HiveRansomwareJuly2022.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, SourceUserID, FileHash, Type\\n| extend timestamp = TimeGenerated, FileHashCustomEntity = FileHash, Account = SourceUserID\\n),\\n(imFileEvent\\n| where TargetFileSHA256 has_any (sha256Hashes)\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHashCustomEntity = FileHash\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Image = EventDetail.[4].[\\\"#text\\\"], CommandLine = EventDetail.[10].[\\\"#text\\\"], Hashes = tostring(EventDetail.[17].[\\\"#text\\\"])\\n| extend Hashes = extract_all(@\\\"(?P\u003ckey\u003e\\\\w+)=(?P\u003cvalue\u003e[a-zA-Z0-9]+)\\\", dynamic([\\\"key\\\",\\\"value\\\"]), Hashes)\\n| extend Hashes = column_ifexists(\\\"Hashes\\\", \\\"\\\"), CommandLine = column_ifexists(\\\"CommandLine\\\", \\\"\\\")\\n| extend Hashes = todynamic(Hashes) | mv-expand Hashes\\n| where Hashes[0] =~ \\\"SHA256\\\" and Hashes[1] has_any (sha256Hashes)\\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, Hashes, CommandLine, Image\\n| extend Type = strcat(Type, \\\": \\\", Source)\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), FileHashCustomEntity = tostring(Hashes[1])\\n),\\n(DeviceEvents\\n| where InitiatingProcessSHA256 has_any (sha256Hashes) or SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n),\\n(DeviceFileEvents\\n| where SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n),\\n(DeviceImageLoadEvents\\n| where SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"[Deprecated] - Hive Ransomware IOC - July 2022\",\"description\":\"This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft\u0027s Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2022-01-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\",\"DeviceEvents\",\"DeviceImageLoadEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/173f8699-6af5-484a-8b06-8c47ba89b380\",\"name\":\"173f8699-6af5-484a-8b06-8c47ba89b380\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.4\",\"severity\":\"Low\",\"query\":\"// Adjust this value to change how many Teams should be deleted before including\\nlet max_delete_count = 3;\\n// Adjust this value to change the timewindow the query runs over\\n OfficeActivity\\n| where OfficeWorkload =~ \\\"MicrosoftTeams\\\"\\n| where Operation =~ \\\"TeamDeleted\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), DeletedTeams = make_set(TeamName, 1000) by UserId\\n| where array_length(DeletedTeams) \u003e max_delete_count\\n| extend AccountName = tostring(split(UserId, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(UserId, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserId\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Multiple Teams deleted by a single user\",\"description\":\"This detection flags the occurrences of deleting multiple teams within an hour.\\nThis data is a part of Office 365 Connector in Microsoft Sentinel.\",\"lastUpdatedDateUTC\":\"2024-03-13T00:00:00Z\",\"createdDateUTC\":\"2020-09-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity (Teams)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/68c0b6bb-6bd9-4ef4-9011-08998c8ef90f\",\"name\":\"68c0b6bb-6bd9-4ef4-9011-08998c8ef90f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"let Threshold = 3;\\nAzureDiagnostics\\n| where Category == \\\"ApplicationGatewayFirewallLog\\\"\\n| where action_s == \\\"Matched\\\"\\n| project transactionId_g, hostname_s, requestUri_s, TimeGenerated, clientIp_s, Message, details_message_s, details_data_s\\n| join kind = inner(\\nAzureDiagnostics\\n| where Category == \\\"ApplicationGatewayFirewallLog\\\"\\n| where action_s == \\\"Blocked\\\"\\n| parse Message with MessageText \u0027Total Inbound Score: \u0027 TotalInboundScore \u0027 - SQLI=\u0027 SQLI_Score \u0027,XSS=\u0027 XSS_Score \u0027,RFI=\u0027 RFI_Score \u0027,LFI=\u0027 LFI_Score \u0027,RCE=\u0027 RCE_Score \u0027,PHPI=\u0027 PHPI_Score \u0027,HTTP=\u0027 HTTP_Score \u0027,SESS=\u0027 SESS_Score \u0027): \u0027 Blocked_Reason \u0027; individual paranoia level scores:\u0027 Paranoia_Score\\n| where Blocked_Reason contains \\\"SQL Injection Attack\\\" and toint(SQLI_Score) \u003e=10 and toint(TotalInboundScore) \u003e= 15) on transactionId_g\\n| extend Uri = strcat(hostname_s,requestUri_s)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), TransactionID = make_set(transactionId_g), Message = make_set(Message), Detail_Message = make_set(details_message_s), Detail_Data = make_set(details_data_s), Total_TransactionId = dcount(transactionId_g) by clientIp_s, Uri, action_s, SQLI_Score, TotalInboundScore\\n| where Total_TransactionId \u003e= Threshold\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Uri\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"clientIp_s\"}]}],\"tactics\":[\"DefenseEvasion\",\"Execution\",\"InitialAccess\",\"PrivilegeEscalation\"],\"displayName\":\"Application Gateway WAF - SQLi Detection\",\"description\":\"Identifies a match for SQL Injection attack in the Application gateway WAF logs. The Threshold value in the query can be changed as per your infrastructure\u0027s requirement.\\n References: https://owasp.org/Top10/A03_2021-Injection/\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2022-07-21T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"WAF\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/52aec824-96c1-4a03-8e44-bb70532e6cea\",\"name\":\"52aec824-96c1-4a03-8e44-bb70532e6cea\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"High\",\"query\":\"SecurityEvent\\n| where EventID == 5136 and EventData contains \\\"\u003cData Name=\\\\\\\"ObjectDN\\\\\\\"\u003eCN=AdminSDHolder,CN=System\\\"\\n| parse EventData with * \u0027ObjectDN\\\"\u003e\u0027 ObjectDN \\\"\u003c\\\" *\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Computer, SubjectAccount, SubjectUserSid, SubjectLogonId, ObjectDN\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| extend Name = tostring(split(SubjectAccount, \\\"\\\\\\\\\\\")[1]), NTDomain = tostring(split(SubjectAccount, \\\"\\\\\\\\\\\")[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SubjectAccount\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"NTDomain\",\"columnName\":\"NTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"AdminSDHolder Modifications\",\"description\":\"This query detects modification in the AdminSDHolder in the Active Directory which could indicate an attempt for persistence. \\nAdminSDHolder Modification is a persistence technique in which an attacker abuses the SDProp process in Active Directory to establish a persistent backdoor to Active Directory.\\nThis query searches for the event id 5136 where the Object DN is AdminSDHolder.\\nRef: https://attack.stealthbits.com/adminsdholder-modification-ad-persistence\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2021-12-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b1832f60-6c3d-4722-a0a5-3d564ee61a63\",\"name\":\"b1832f60-6c3d-4722-a0a5-3d564ee61a63\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.6\",\"severity\":\"Medium\",\"query\":\"let HAS_ANY_MAX = 10000;\\nlet dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation\\nlet DOMAIN_TI=ThreatIntelligenceIndicator\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(DomainName)\\n| where TimeGenerated \u003e= ago(ioc_lookBack)\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true and ExpirationDateTime \u003e now();\\nlet DOMAIN_TI_list= todynamic(toscalar(DOMAIN_TI | summarize NIoCs = dcount(DomainName), Domains = make_set(DomainName) \\n | project Domains=iff(NIoCs \u003e HAS_ANY_MAX, dynamic([]), Domains) ));\\nDOMAIN_TI\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n _Im_WebSession(starttime=ago(dt_lookBack), url_has_any= DOMAIN_TI_list )\\n //Extract domain patterns from syslog message\\n | extend domain = tostring(parse_url(Url)[\\\"Host\\\"])\\n | where isnotempty(domain)\\n | extend tld = tostring(split(domain, \u0027.\u0027)[-1])\\n | extend Event_TimeGenerated = TimeGenerated\\n) on $left.DomainName==$right.domain\\n| where Event_TimeGenerated \u003c ExpirationDateTime\\n| summarize Event_TimeGenerated = arg_max(Event_TimeGenerated , *) by IndicatorId, domain\\n| project Event_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, domain, SrcIpAddr, Url\",\"customDetails\":{\"EventTime\":\"Event_TimeGenerated\",\"IoCDescription\":\"Description\",\"ActivityGroupNames\":\"ActivityGroupNames\",\"IndicatorId\":\"IndicatorId\",\"ThreatType\":\"ThreatType\",\"IoCExpirationTime\":\"ExpirationDateTime\",\"IoCConfidenceScore\":\"ConfidenceScore\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"A web request from {{SrcIpAddr}} to hostname {{domain}} matched an IoC\",\"alertDescriptionFormat\":\"A client with address {{SrcIpAddr}} requested the URL {{Url}}, whose hostname is a known indicator of compromise of {{ThreatType}}. Consult the threat intelligence blade for more information on the indicator.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"CommandAndControl\"],\"displayName\":\"TI map Domain entity to Web Session Events (ASIM Web Session schema)\",\"description\":\"This rule identifies Web Sessions for which the target URL hostname is a known IoC. This rule uses the [Advanced Security Information Model (ASIM)](https:/aka.ms/AboutASIM) and supports any web session source that complies with ASIM.\",\"lastUpdatedDateUTC\":\"2024-07-09T00:00:00Z\",\"createdDateUTC\":\"2022-03-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5d33fc63-b83b-4913-b95e-94d13f0d379f\",\"name\":\"5d33fc63-b83b-4913-b95e-94d13f0d379f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.6\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet fileHashIndicators = ThreatIntelligenceIndicator\\n| where isnotempty(FileHashValue)\\n| where TimeGenerated \u003e= ago(ioc_lookBack)\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true and ExpirationDateTime \u003e now();\\n// Handle matches against both lower case and uppercase versions of the hash:\\n(fileHashIndicators | extend FileHashValue = tolower(FileHashValue)\\n| union (fileHashIndicators | extend FileHashValue = toupper(FileHashValue)))\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n CommonSecurityLog | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(FileHash)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n )\\non $left.FileHashValue == $right.FileHash\\n| where CommonSecurityLog_TimeGenerated \u003c ExpirationDateTime\\n| summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, FileHashValue\\n| project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nSourceIP, SourcePort, DestinationIP, DestinationPort, SourceUserID, SourceUserName, DeviceName, DeviceAction,\\nRequestURL, DestinationUserName, DestinationUserID, ApplicationProtocol, Activity, FileHashValue, FileHashType\\n| extend HostName = tostring(split(DeviceName, \u0027.\u0027, 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(DeviceName, \u0027.\u0027), 1, -1), \u0027.\u0027))\\n| extend Name = tostring(split(SourceUserName, \u0027@\u0027, 0)[0]), UPNSuffix = tostring(split(SourceUserName, \u0027@\u0027, 1)[0])\\n| extend timestamp = CommonSecurityLog_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SourceUserName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DeviceName\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Value\",\"columnName\":\"FileHashValue\"},{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashType\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"TI map File Hash to CommonSecurityLog Event\",\"description\":\"Identifies a match in CommonSecurityLog Event data from any FileHash IOC from TI\",\"lastUpdatedDateUTC\":\"2024-07-09T00:00:00Z\",\"createdDateUTC\":\"2019-08-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2fc5d810-c9cc-491a-b564-841427ae0e50\",\"name\":\"2fc5d810-c9cc-491a-b564-841427ae0e50\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.6\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @\u0027^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$\u0027;\\nThreatIntelligenceIndicator\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n| where TimeGenerated \u003e= ago(ioc_lookBack)\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true and ExpirationDateTime \u003e now()\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e= ago(dt_lookBack) and isnotempty(TargetUserName)\\n//Normalizing the column to lower case for exact match with EmailSenderAddress column\\n| extend TargetUserName = tolower(TargetUserName)\\n// renaming timestamp column so it is clear the log this came from SecurityEvent table\\n| extend SecurityEvent_TimeGenerated = TimeGenerated\\n),\\n(WindowsEvent\\n| where TimeGenerated \u003e= ago(dt_lookBack)\\n| extend TargetUserName = tostring(EventData.TargetUserName)\\n| where isnotempty(TargetUserName)\\n//Normalizing the column to lower case for exact match with EmailSenderAddress column\\n| extend TargetUserName = tolower(TargetUserName)\\n// renaming timestamp column so it is clear the log this came from SecurityEvent table\\n| extend SecurityEvent_TimeGenerated = TimeGenerated\\n))\\n)\\non $left.EmailSenderAddress == $right.TargetUserName\\n| where SecurityEvent_TimeGenerated \u003c ExpirationDateTime\\n| summarize SecurityEvent_TimeGenerated = arg_max(SecurityEvent_TimeGenerated, *) by IndicatorId, TargetUserName\\n| project SecurityEvent_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, Computer, EventID, TargetUserName, Activity, IpAddress, AccountType,\\nLogonTypeName, LogonProcessName, Status, SubStatus\\n| extend HostName = tostring(split(Computer, \u0027.\u0027, 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Computer, \u0027.\u0027), 1, -1), \u0027.\u0027))\\n| extend timestamp = SecurityEvent_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"TargetUserName\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"TI map Email entity to SecurityEvent\",\"description\":\"Identifies a match in SecurityEvent table from any Email IOC from TI\",\"lastUpdatedDateUTC\":\"2024-07-10T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3edb7215-250b-40c0-8b46-79093949242d\",\"name\":\"3edb7215-250b-40c0-8b46-79093949242d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let threshold = 10;\\nQualysHostDetectionV2_CL\\n| where Severity_s == \\\"5\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by NetBios_s, IPAddress\\n| where count_ \u003e= threshold\\n| extend timestamp = StartTime, HostCustomEntity = NetBios_s, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"High Number of Urgent Vulnerabilities Detected\",\"description\":\"This Creates an incident when a host has a high number of Urgent, severity 5, vulnerabilities detected.\",\"lastUpdatedDateUTC\":\"2022-12-28T00:00:00Z\",\"createdDateUTC\":\"2020-06-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"QualysVulnerabilityManagement\",\"dataTypes\":[\"QualysHostDetection_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6a2e2ff4-5568-475e-bef2-b95f12b9367b\",\"name\":\"6a2e2ff4-5568-475e-bef2-b95f12b9367b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.3\",\"severity\":\"Medium\",\"query\":\"let FailureThreshold = 15;\\nimAuthentication\\n| where EventType== \u0027Logon\u0027 and EventResult== \u0027Failure\u0027\\n// reason: creds \\n| where EventResultDetails in (\u0027No such user or password\u0027, \u0027Incorrect password\u0027)\\n| summarize UserCount=dcount(TargetUserId), Vendors=make_set(EventVendor), Products=make_set(EventVendor)\\n , Users = make_set(TargetUserId,100) \\n by SrcDvcIpAddr, SrcGeoCountry, bin(TimeGenerated, 5m)\\n| where UserCount \u003e FailureThreshold\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcDvcIpAddr\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Potential Password Spray Attack (Uses Authentication Normalization)\",\"description\":\"This query searches for failed attempts to log in from more than 15 various users within a 5 minute timeframe from the same source. This is a potential indication of a password spray attack\\n To use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimAuthentication)\",\"lastUpdatedDateUTC\":\"2023-12-12T00:00:00Z\",\"createdDateUTC\":\"2021-06-14T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b6988c32-4f3b-4a45-8313-b46b33061a74\",\"name\":\"b6988c32-4f3b-4a45-8313-b46b33061a74\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.6\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n| where OperationName has_any (\\\"Add service principal\\\", \\\"Certificates and secrets management\\\")\\n| where Result =~ \\\"success\\\"\\n| where tostring(InitiatedBy.user.userPrincipalName) has \\\"@\\\" or tostring(InitiatedBy.app.displayName) has \\\"@\\\"\\n| mv-apply TargetResource = TargetResources on \\n (\\n where TargetResource.type =~ \\\"Application\\\"\\n | extend targetDisplayName = tostring(TargetResource.displayName),\\n targetId = tostring(TargetResource.id),\\n targetType = tostring(TargetResource.type),\\n keyEvents = TargetResource.modifiedProperties\\n )\\n| mv-apply Property = keyEvents on \\n (\\n where Property.displayName =~ \\\"KeyDescription\\\"\\n | extend new_value_set = parse_json(tostring(Property.newValue)),\\n old_value_set = parse_json(tostring(Property.oldValue))\\n )\\n| where old_value_set == \\\"[]\\\"\\n| mv-expand new_value_set\\n| parse new_value_set with * \\\"KeyIdentifier=\\\" keyIdentifier:string \\\",KeyType=\\\" keyType:string \\\",KeyUsage=\\\" keyUsage:string \\\",DisplayName=\\\" keyDisplayName:string \\\"]\\\" *\\n| where keyUsage == \\\"Verify\\\"\\n | mv-apply AdditionalDetail = AdditionalDetails on \\n (\\n where AdditionalDetail.key =~ \\\"User-Agent\\\"\\n | extend UserAgent = tostring(AdditionalDetail.value)\\n )\\n| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n| extend InitiatingIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\\n//| where targetType =~ \\\"Application\\\" // or targetType =~ \\\"ServicePrincipal\\\"\\n| project-away new_value_set, old_value_set\\n| project-reorder TimeGenerated, OperationName, InitiatingUserPrincipalName, InitiatingAadUserId, InitiatingAppName, InitiatingAppServicePrincipalId, InitiatingIpAddress, UserAgent, targetDisplayName, targetId, targetType, keyDisplayName, keyType, keyUsage, keyIdentifier, CorrelationId, TenantId\\n| extend InitiatedByName = tostring(split(InitiatingUserPrincipalName,\u0027@\u0027,0)[0]), InitiatedByUPNSuffix = tostring(split(InitiatingUserPrincipalName,\u0027@\u0027,1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatedByName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatedByUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAppServicePrincipalId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIpAddress\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"NRT First access credential added to Application or Service Principal where no credential was present\",\"description\":\"This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where there was no previous verify KeyCredential associated.\\nIf a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2024-03-06T00:00:00Z\",\"createdDateUTC\":\"2020-11-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/55073036-bb86-47d3-a85a-b113ac3d9396\",\"name\":\"55073036-bb86-47d3-a85a-b113ac3d9396\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.6\",\"severity\":\"Medium\",\"query\":\"let admins=(IdentityInfo\\n | where AssignedRoles contains \\\"admin\\\" or GroupMembership has \\\"Admin\\\"\\n | summarize by tolower(AccountUPN));\\n let known_asns = (\\n SigninLogs\\n | where TimeGenerated between(ago(14d)..ago(1d))\\n | where ResultType == 0\\n | summarize by AutonomousSystemNumber);\\n SigninLogs\\n | where TimeGenerated \u003e ago(1d)\\n | where ResultType == 0\\n | where tolower(UserPrincipalName) in (admins)\\n | where AutonomousSystemNumber !in (known_asns)\\n | project-reorder TimeGenerated, UserPrincipalName, UserAgent, IPAddress, AutonomousSystemNumber\\n | extend AccountName = tostring(split(UserPrincipalName, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(UserPrincipalName, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Privileged User Logon from new ASN\",\"description\":\"Detects a successful logon by a privileged account from an ASN not logged in from in the last 14 days.\\n Monitor these logons to ensure they are legitimate and identify if there are any similar sign ins.\",\"lastUpdatedDateUTC\":\"2023-12-28T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"BehaviorAnalytics\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"IdentityInfo\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/23005e87-2d3a-482b-b03d-edbebd1ae151\",\"name\":\"23005e87-2d3a-482b-b03d-edbebd1ae151\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"let exchange_servers = (\\nW3CIISLog\\n| where TimeGenerated \u003e ago(14d)\\n| where sSiteName =~ \\\"Exchange Back End\\\"\\n| summarize by Computer);\\nW3CIISLog\\n| where TimeGenerated \u003e ago(1d)\\n| where Computer in (exchange_servers)\\n| where csUriQuery startswith \\\"t=\\\"\\n| project-reorder TimeGenerated, Computer, csUriStem, csUriQuery, csUserName, csUserAgent, cIP\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| extend AccountName = tostring(split(csUserName, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(csUserName, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"csUserName\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"cIP\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Silk Typhoon Suspicious Exchange Request\",\"description\":\"This query looks for suspicious request patterns to Exchange servers that fit a pattern observed by Silk Typhoon actors.\\nThe same query can be run on HTTPProxy logs from on-premise hosted Exchange servers.\\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\",\"lastUpdatedDateUTC\":\"2023-12-28T00:00:00Z\",\"createdDateUTC\":\"2021-03-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/712fab52-2a7d-401e-a08c-ff939cc7c25e\",\"name\":\"712fab52-2a7d-401e-a08c-ff939cc7c25e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.8\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet AuditEvents = materialize(AuditLogs\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n // Extract the URL that is contained within the JSON data\\n | extend Url = extract(\\\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.\u0026+]|[!*\\\\\\\\(\\\\\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+)\\\", 1,tostring(TargetResources))\\n | where isnotempty(Url)\\n | extend userPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend TargetResourceDisplayName = tostring(TargetResources[0].displayName)\\n | extend Audit_TimeGenerated = TimeGenerated);\\nlet AuditUrls = AuditEvents | distinct Url = tolower(Url) | summarize make_list(Url);\\nThreatIntelligenceIndicator\\n| where isnotempty(Url)\\n| where TimeGenerated \u003e= ago(ioc_lookBack)\\n| where tolower(Url) in (AuditUrls)\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true and ExpirationDateTime \u003e now()\\n| where Description !contains_cs \\\"State: inactive;\\\" and Description !contains_cs \\\"State: falsepos;\\\"\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (AuditEvents) on Url\\n| where Audit_TimeGenerated \u003c ExpirationDateTime\\n| summarize Audit_TimeGenerated = arg_max(Audit_TimeGenerated, *) by IndicatorId, Url\\n| project Audit_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore,\\nOperationName, Identity, userPrincipalName, TargetResourceDisplayName, Url\\n| extend AccountName = tostring(split(userPrincipalName, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(userPrincipalName, \\\"@\\\")[1])\\n| extend HostName = tostring(split(TargetResourceDisplayName, \\\".\\\")[0]), DomainIndex = toint(indexof(TargetResourceDisplayName, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(TargetResourceDisplayName, DomainIndex + 1), TargetResourceDisplayName)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"userPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetResourceDisplayName\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"TI Map URL Entity to AuditLogs\",\"description\":\"This query identifies any URL indicators of compromise (IOCs) from threat intelligence (TI) by searching for matches in AuditLogs.\",\"lastUpdatedDateUTC\":\"2024-09-12T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d2e8fd50-8d66-11ec-b909-0242ac120002\",\"name\":\"d2e8fd50-8d66-11ec-b909-0242ac120002\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n | where EventID in (4624,4625) and LogonType in (10) and IpAddress in (\\\"::1\\\",\\\"127.0.0.1\\\")\\n | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, TargetUserName, TargetLogonId, LogonType, IpAddress\\n | extend Name=tostring(split(TargetUserName, \\\"@\\\")[0]), UPNSuffix=tostring(split(TargetUserName, \\\"@\\\")[1])\\n | extend HostName = iif(Computer has \u0027.\u0027,substring(Computer,0,indexof(Computer,\u0027.\u0027)),Computer) , DnsDomain = iif(Computer has \u0027.\u0027,substring(Computer,indexof(Computer,\u0027.\u0027)+1),\u0027\u0027)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Potential Remote Desktop Tunneling\",\"description\":\"This query detects remote desktop authentication attempts with a localhost source address, which can indicate a tunneled login.\\nRef: https://www.mandiant.com/resources/bypassing-network-restrictions-through-rdp-tunneling\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/707494a5-8e44-486b-90f8-155d1797a8eb\",\"name\":\"707494a5-8e44-486b-90f8-155d1797a8eb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P2D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"let auditLookbackStart = 2d;\\nlet auditLookbackEnd = 1d;\\nAuditLogs\\n| where TimeGenerated \u003e= ago(auditLookbackStart)\\n| where OperationName =~ \\\"Consent to application\\\" \\n| where Result =~ \\\"success\\\"\\n| mv-apply TargetResource = TargetResources on \\n (\\n where TargetResource.type =~ \\\"ServicePrincipal\\\"\\n | extend targetResourceName = tostring(TargetResource.displayName),\\n targetResourceID = tostring(TargetResource.id),\\n targetResourceType = tostring(TargetResource.type),\\n targetModifiedProp = TargetResource.modifiedProperties\\n )\\n| mv-apply Property = targetModifiedProp on \\n (\\n where Property.displayName =~ \\\"ConsentContext.IsAdminConsent\\\"\\n | extend isAdminConsent = trim(@\u0027\\\"\u0027,tostring(Property.newValue))\\n )\\n| mv-apply Property = targetModifiedProp on \\n (\\n where Property.displayName =~ \\\"ConsentAction.Permissions\\\"\\n | extend Consent_Permissions = trim(@\u0027\\\"\u0027,tostring(Property.newValue))\\n )\\n| mv-apply Property = targetModifiedProp on \\n (\\n where Property.displayName =~ \\\"TargetId.ServicePrincipalNames\\\"\\n | extend Consent_ServicePrincipalNames = tostring(extract_all(@\\\"([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12})\\\",trim(@\u0027\\\"\u0027,tostring(Property.newValue)))[0])\\n )\\n| extend Consent_InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend Consent_InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n| join ( \\nAuditLogs\\n| where TimeGenerated \u003e= ago(auditLookbackEnd)\\n| where OperationName =~ \\\"Add service principal credentials\\\"\\n| where Result =~ \\\"success\\\"\\n| mv-apply TargetResource = TargetResources on \\n (\\n where TargetResource.type =~ \\\"ServicePrincipal\\\"\\n | extend targetResourceName = tostring(TargetResource.displayName),\\n targetResourceID = tostring(TargetResource.id),\\n targetModifiedProp = TargetResource.modifiedProperties\\n )\\n| mv-apply Property = targetModifiedProp on \\n (\\n where Property.displayName =~ \\\"KeyDescription\\\"\\n | extend Credential_KeyDescription = trim(@\u0027\\\"\u0027,tostring(Property.newValue))\\n )\\n| mv-apply Property = targetModifiedProp on \\n (\\n where Property.displayName =~ \\\"Included Updated Properties\\\"\\n | extend UpdatedProperties = trim(@\u0027\\\"\u0027,tostring(Property.newValue))\\n )\\n| mv-apply Property = targetModifiedProp on \\n (\\n where Property.displayName =~ \\\"TargetId.ServicePrincipalNames\\\"\\n | extend Credential_ServicePrincipalNames = tostring(extract_all(@\\\"([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12})\\\",trim(@\u0027\\\"\u0027,tostring(Property.newValue)))[0])\\n )\\n| extend Credential_InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend Credential_InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n) on targetResourceName, targetResourceID\\n| extend TimeConsent = TimeGenerated, TimeCred = TimeGenerated1\\n| where TimeConsent \u003c TimeCred \\n| project TimeConsent, TimeCred, Consent_InitiatingUserOrApp, Credential_InitiatingUserOrApp, targetResourceName, targetResourceType, isAdminConsent, Consent_ServicePrincipalNames, Credential_ServicePrincipalNames, Consent_Permissions, Credential_KeyDescription, Consent_InitiatingIpAddress, Credential_InitiatingIpAddress\\n| extend timestamp = TimeConsent, Name = tostring(split(Credential_InitiatingUserOrApp,\u0027@\u0027,0)[0]), UPNSuffix = tostring(split(Credential_InitiatingUserOrApp,\u0027@\u0027,1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"Consent_InitiatingIpAddress\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Credential added after admin consented to Application\",\"description\":\"This query will identify instances where Service Principal credentials were added to an application by one user after the application was granted admin consent rights by another user.\\n If a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\\n Additional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow.\\n For further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2021-02-12T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f68a5046-b7eb-4f69-9519-1e99708bb9e0\",\"name\":\"f68a5046-b7eb-4f69-9519-1e99708bb9e0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"DeviceFileEvents\\n | where ActionType =~ \\\"FileCreated\\\"\\n | where FolderPath has \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\spool\\\\\\\\drivers\\\\\\\\color\\\\\\\\\\\" \\n | where FileName endswith \\\".exe\\\" or FileName endswith \\\".dll\\\"\",\"entityMappings\":[{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"FileName\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"DeviceName\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"PE file dropped in Color Profile Folder\",\"description\":\"This query looks for writes of PE files to C:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\color\\\\.\\n This is a common directory used by malware, as well as some legitimate programs, and writes of PE files to the folder should be monitored.\\n Ref: https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2022-07-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/983a6922-894d-413c-9f04-d7add0ecc307\",\"name\":\"983a6922-894d-413c-9f04-d7add0ecc307\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P10D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.4\",\"severity\":\"Medium\",\"query\":\"let referencestarttime = 10d;\\nlet referenceendtime = 1d;\\nlet threshold = 100;\\nlet nxDomainDnsEvents = (stime:datetime, etime:datetime) \\n {_Im_Dns(responsecodename=\u0027NXDOMAIN\u0027, starttime=stime, endtime=etime)\\n | where DnsQueryTypeName in (\\\"A\\\", \\\"AAAA\\\")\\n | where ipv4_is_match(\\\"127.0.0.1\\\", SrcIpAddr) == False\\n | where DnsQuery !contains \\\"/\\\" and DnsQuery contains \\\".\\\"};\\nnxDomainDnsEvents (stime=ago(referenceendtime) ,etime=now())\\n | extend sld = tostring(split(DnsQuery, \\\".\\\")[-2])\\n | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), dcount(sld) by SrcIpAddr\\n | where dcount_sld \u003e threshold\\n // Filter out previously seen IPs\\n | join kind=leftanti (nxDomainDnsEvents (stime=ago(referencestarttime), etime=ago(referenceendtime))\\n | extend sld = tostring(split(DnsQuery, \\\".\\\")[-2])\\n | summarize dcount(sld) by SrcIpAddr\\n | where dcount_sld \u003e threshold ) on SrcIpAddr\\n// Pull out sample NXDomain responses for those remaining potentially infected IPs\\n| join kind = inner (nxDomainDnsEvents (stime=ago(referencestarttime), etime=now()) | summarize by DnsQuery, SrcIpAddr) on SrcIpAddr\\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), sampleNXDomainList=make_list(DnsQuery, 100) by SrcIpAddr, dcount_sld\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Potential DGA detected (ASIM DNS Schema)\",\"description\":\"Identifies clients with a high NXDomain count which could be indicative of a DGA (cycling through possible C2 domains where most C2s are not live). Alert is generated when a new IP address is seen (based on not being seen associated with \\nNXDomain records in prior 10-day baseline period).\\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2021-09-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/84cccc86-5c11-4b3a-aca6-7c8f738ed0f7\",\"name\":\"84cccc86-5c11-4b3a-aca6-7c8f738ed0f7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n | where OperationName has_all (\\\"member to role\\\", \\\"add\\\")\\n | where Result =~ \\\"Success\\\"\\n | extend type_ = tostring(TargetResources[0].type)\\n | where type_ =~ \\\"ServicePrincipal\\\"\\n | where isnotempty(TargetResources)\\n | extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n | extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n | extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n | extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n | extend InitiatingIPAddress = tostring(InitiatedBy.user.ipAddress)\\n | extend InitiatedBy = tostring(iff(isnotempty(InitiatingUserPrincipalName),InitiatingUserPrincipalName, InitiatingAppName))\\n | extend ServicePrincipalName = tostring(TargetResources[0].displayName)\\n | extend ServicePrincipalId = tostring(TargetResources[0].id)\\n | mv-expand TargetResources[0].modifiedProperties\\n | extend TargetResources_0_modifiedProperties = columnifexists(\\\"TargetResources_0_modifiedProperties\\\", \u0027\u0027)\\n | where isnotempty(TargetResources_0_modifiedProperties)\\n | extend displayName = tostring(TargetResources_0_modifiedProperties.displayName), newValue = tostring(parse_json(tostring(TargetResources_0_modifiedProperties.newValue)))\\n | where displayName == \\\"Role.DisplayName\\\" and newValue contains \\\"admin\\\"\\n | extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[1])\\n | extend TargetRole = newValue\\n | project-reorder TimeGenerated, ServicePrincipalName, ServicePrincipalId, InitiatedBy, TargetRole, InitiatingIPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"InitiatingAppName\"},{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAppServicePrincipalId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatingAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatingAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"ServicePrincipalName\"},{\"identifier\":\"AadUserId\",\"columnName\":\"ServicePrincipalId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIPAddress\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Service Principal Assigned Privileged Role\",\"description\":\"Detects a privileged role being added to a Service Principal.\\n Ensure that any assignment to a Service Principal is valid and appropriate - Service Principals should not be assigned to very highly privileged roles such as Global Admin.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts\",\"lastUpdatedDateUTC\":\"2024-03-04T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3b443f22-9be9-4c35-ac70-a94757748439\",\"name\":\"3b443f22-9be9-4c35-ac70-a94757748439\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"High\",\"query\":\"let files1 = dynamic([\\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\lsa.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\pa.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\pc.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\Rar.exe\\\"]);\\nlet files2 = dynamic([\\\"svchost.exe\\\",\\\"wdmsvc.exe\\\"]);\\nlet FileHash1 = dynamic([\\\"43109fbe8b752f7a9076eaafa417d9ae5c6e827cd5374b866672263fdebd5ec3\\\", \\\"ab50d8d707b97712178a92bbac74ccc2a5699eb41c17aa77f713ff3e568dcedb\\\", \\\"010e32be0f86545e116a8bc3381a8428933eb8789f32c261c81fd5e7857d4a77\\\", \\\"56cd102b9fc7f3523dad01d632525ff673259dbc9a091be0feff333c931574f7\\\"]);\\nlet FileHash2 = dynamic([\\\"2a1044e9e6e87a032f80c6d9ea6ae61bbbb053c0a21b186ecb3b812b49eb03b7\\\", \\\"9ab7e99ed84f94a7b6409b87e56dc6e1143b05034a5e4455e8c555dbbcd0d2dd\\\", \\\"18a072ccfab239e140d8f682e2874e8ff19d94311fc8bb9564043d3e0deda54b\\\"]);\\nDeviceProcessEvents\\n| where ( FolderPath has_any (files1) and SHA256 has_any (FileHash1)) or (FolderPath has_any (files2) and SHA256 has_any (FileHash2))\\n| extend DvcId = DeviceId\\n| join kind=leftouter (SecurityAlert\\n| where ProviderName =~ \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| mv-expand todynamic(Entities)\\n| extend DvcId = tostring(parse_json(Entities).MdatpDeviceId)\\n| where isnotempty(DvcId)\\n// Higher risk score are for Defender alerts related to threat actor\\n| extend AlertRiskScore = iif(ThreatName has_any (\\\"Backdoor:MSIL/ShellClient.A\\\", \\\"Backdoor:MSIL/ShellClient.A!dll\\\", \\\"Trojan:MSIL/Mimikatz.BA!MTB\\\"), 1.0, 0.5)\\n| project DvcId, AlertRiskScore) on DvcId\\n| extend AlertRiskScore = iif(isempty(AlertRiskScore), 0.0, AlertRiskScore)\\n| extend InitiatingProcessAccount = strcat(InitiatingProcessAccountDomain, \\\"\\\\\\\\\\\", InitiatingProcessAccountName)\\n| extend HostName = tostring(split(DeviceName, \\\".\\\")[0]), DomainIndex = toint(indexof(DeviceName, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(DeviceName, DomainIndex + 1), DeviceName)\\n| extend timestamp = TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DeviceName\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingProcessAccount\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatingProcessAccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"InitiatingProcessAccountDomain\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"FileName\"}]}],\"tactics\":[\"CredentialAccess\",\"Execution\"],\"displayName\":\"Dev-0228 File Path Hashes November 2021\",\"description\":\"This hunting query looks for file paths/hashes related to observed activity by Dev-0228. The actor is known to use custom version of popular tool like PsExec, Procdump etc. to carry its activity.\\n The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first.\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2021-11-18T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftDefenderAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert (MDATP)\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/50574fac-f8d1-4395-81c7-78a463ff0c52\",\"name\":\"50574fac-f8d1-4395-81c7-78a463ff0c52\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Low\",\"query\":\"let aadFunc = (tableName:string){\\ntable(tableName)\\n| where AppId =~ \\\"1b730954-1685-4b74-9bfd-dac224a7b894\\\" // AppDisplayName IS Azure Active Directory PowerShell\\n| where TokenIssuerType =~ \\\"AzureAD\\\"\\n| where ResourceIdentity !in (\\\"00000002-0000-0000-c000-000000000000\\\", \\\"00000003-0000-0000-c000-000000000000\\\") // ResourceDisplayName IS NOT Windows Azure Active Directory OR Microsoft Graph\\n| extend Status = todynamic(Status)\\n| where Status.errorCode == 0 // Success\\n| project-reorder IPAddress, UserAgent, ResourceDisplayName, UserDisplayName, UserId, UserPrincipalName, Type\\n| order by TimeGenerated desc\\n| extend Name = tostring(split(UserPrincipalName,\u0027@\u0027,0)[0]), UPNSuffix = tostring(split(UserPrincipalName,\u0027@\u0027,1)[0])\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"UserId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Microsoft Entra ID PowerShell accessing non-Entra ID resources\",\"description\":\"This will alert when a user or application signs in using Microsoft Entra ID PowerShell to access non-Active Directory resources, such as the Azure Key Vault, which may be undesired or unauthorized behavior.\\nFor capabilities and expected behavior of the Microsoft Entra ID PowerShell module, see: https://docs.microsoft.com/powershell/module/azuread/?view=azureadps-2.0.\\nFor further information on Microsoft Entra ID Signin activity reports, see: https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins.\",\"lastUpdatedDateUTC\":\"2024-04-05T00:00:00Z\",\"createdDateUTC\":\"2020-12-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9c1e9381-79dd-4ddf-9570-b73a1dc59fe0\",\"name\":\"9c1e9381-79dd-4ddf-9570-b73a1dc59fe0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let LookBack = 1h;\\nlet Data = (\\nSigninLogs\\n| where TimeGenerated \u003e= ago(LookBack)\\n| where parse_json(NetworkLocationDetails)[0].networkType != \\\"trustedNamedLocation\\\" // Excludes known tagged networks\\n// Counts the number of sign in events in the last hour every 15 minutes by IP\\n| make-series EventCounts = count() on TimeGenerated from ago(LookBack) to now() step 15m by IPAddress \\n);\\nlet AnomalyAlert = (\\nData\\n| extend (Anomalies, Score, Baseline) = series_decompose_anomalies(EventCounts,1.5,-1,\u0027linefit\u0027)\\n| mv-expand EventCounts,TimeGenerated,Anomalies to typeof(double),Baseline to typeof(long),Score to typeof(double)\\n| where Anomalies \u003e 0\\n);\\nAnomalyAlert\\n| join kind = inner (SigninLogs\\n| where TimeGenerated between (ago(LookBack) .. now())\\n| where parse_json(NetworkLocationDetails)[0].networkType != \\\"trustedNamedLocation\\\"\\n| extend PasswordResult = tostring(parse_json(AuthenticationDetails).authenticationStepResultDetail)\\n| summarize UserCount = dcount(UserPrincipalName), UserList = make_set(UserPrincipalName), AppName = make_set(AppDisplayName), PasswordResult = make_list(PasswordResult) by IPAddress) on IPAddress\\n| where PasswordResult has \\\"Correct Password\\\"\\n| where UserCount \u003e 1 // looks for events targeting more than one user.\",\"customDetails\":{\"Score\":\"Score\",\"Baseline\":\"Baseline\",\"UserCount\":\"UserCount\",\"AppName\":\"AppName\",\"PasswordResult\":\"PasswordResult\",\"UserList\":\"UserList\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Anomaly Sign In Event from an IP\",\"description\":\"Identifies sign-in anomalies from an IP in the last hour, targeting multiple users where the password is correct after multiple attempts\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2023-05-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1572e66b-20a7-4012-9ec4-77ec4b101bc8\",\"name\":\"1572e66b-20a7-4012-9ec4-77ec4b101bc8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.7\",\"severity\":\"Medium\",\"query\":\"let starttime = 1d;\\nlet endtime = 1h;\\nlet prev23hThreshold = 4;\\nlet prev1hThreshold = 15;\\nlet Kerbevent = (union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e= ago(starttime)\\n| where EventID == 4769\\n| parse EventData with * \u0027TicketEncryptionType\\\"\u003e\u0027 TicketEncryptionType \\\"\u003c\\\" *\\n| where TicketEncryptionType == \u00270x17\u0027\\n| parse EventData with * \u0027TicketOptions\\\"\u003e\u0027 TicketOptions \\\"\u003c\\\" *\\n| where TicketOptions == \u00270x40810000\u0027\\n| parse EventData with * \u0027Status\\\"\u003e\u0027 Status \\\"\u003c\\\" *\\n| where Status == \u00270x0\u0027\\n| parse EventData with * \u0027ServiceName\\\"\u003e\u0027 ServiceName \\\"\u003c\\\" *\\n| where ServiceName !contains \\\"$\\\" and ServiceName !contains \\\"krbtgt\\\"\\n| parse EventData with * \u0027TargetUserName\\\"\u003e\u0027 TargetUserName \\\"\u003c\\\" *\\n| where TargetUserName !contains \\\"$@\\\" and TargetUserName !contains ServiceName\\n| parse EventData with * \u0027IpAddress\\\"\u003e::ffff:\u0027 ClientIPAddress \\\"\u003c\\\" *\\n),\\n(\\nWindowsEvent\\n| where TimeGenerated \u003e= ago(starttime)\\n| where EventID == 4769 and EventData has \u00270x17\u0027 and EventData has \u00270x40810000\u0027 and EventData has \u0027krbtgt\u0027\\n| extend TicketEncryptionType = tostring(EventData.TicketEncryptionType)\\n| where TicketEncryptionType == \u00270x17\u0027\\n| extend TicketOptions = tostring(EventData.TicketOptions)\\n| where TicketOptions == \u00270x40810000\u0027\\n| extend Status = tostring(EventData.Status)\\n| where Status == \u00270x0\u0027\\n| extend ServiceName = tostring(EventData.ServiceName)\\n| where ServiceName !contains \\\"$\\\" and ServiceName !contains \\\"krbtgt\\\"\\n| extend TargetUserName = tostring(EventData.TargetUserName)\\n| where TargetUserName !contains \\\"$@\\\" and TargetUserName !contains ServiceName\\n| extend ClientIPAddress = tostring(EventData.IpAddress)\\n));\\nlet Kerbevent23h = Kerbevent\\n| where TimeGenerated \u003e= ago(starttime) and TimeGenerated \u003c ago(endtime)\\n| summarize ServiceNameCountPrev23h = dcount(ServiceName), ServiceNameSet23h = makeset(ServiceName)\\nby Computer, TargetUserName,TargetDomainName, ClientIPAddress, TicketOptions, TicketEncryptionType, Status\\n| where ServiceNameCountPrev23h \u003c prev23hThreshold;\\nlet Kerbevent1h =\\nKerbevent\\n| where TimeGenerated \u003e= ago(endtime)\\n| summarize min(TimeGenerated), max(TimeGenerated), ServiceNameCountPrev1h = dcount(ServiceName), ServiceNameSet1h = makeset(ServiceName)\\nby Computer, TargetUserName, TargetDomainName, ClientIPAddress, TicketOptions, TicketEncryptionType, Status;\\nKerbevent1h\\n| join kind=leftanti\\n(\\nKerbevent23h\\n) on TargetUserName, TargetDomainName\\n// Threshold value set above is based on testing, this value may need to be changed for your environment.\\n| where ServiceNameCountPrev1h \u003e prev1hThreshold\\n| project StartTime = min_TimeGenerated, EndTime = max_TimeGenerated, TargetUserName, Computer, ClientIPAddress, TicketOptions,\\nTicketEncryptionType, Status, ServiceNameCountPrev1h, ServiceNameSet1h, TargetDomainName\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| extend TargetAccount = strcat(TargetDomainName, \\\"\\\\\\\\\\\", TargetUserName)\\n| project-away DomainIndex\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetAccount\"},{\"identifier\":\"Name\",\"columnName\":\"TargetUserName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"TargetDomainName\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIPAddress\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Potential Kerberoasting\",\"description\":\"A service principal name (SPN) is used to uniquely identify a service instance in a Windows environment.\\nEach SPN is usually associated with a service account. Organizations may have used service accounts with weak passwords in their environment.\\nAn attacker can try requesting Kerberos ticket-granting service (TGS) service tickets for any SPN from a domain controller (DC) which contains a hash of the Service account. This can then be used for offline cracking.\\nThis hunting query looks for accounts that are generating excessive requests to different resources within the last hour compared with the previous 24 hours. Normal users would not make an unusually large number of request within a small time window. This is based on 4769 events which can be very noisy so environment based tweaking might be needed.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2019-04-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ac891683-53c3-4f86-86b4-c361708e2b2b\",\"name\":\"ac891683-53c3-4f86-86b4-c361708e2b2b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"High\",\"query\":\"// Allowlisted UPNs should likely stay empty\\nlet AllowlistedUpns = datatable(UPN:string)[\u0027foo@bar.com\u0027, \u0027test@foo.com\u0027];\\n// Operation Name parts that will alert\\nlet HasAnyBlocklist = datatable(OperationNamePart:string)[\u0027Security.\u0027,\u0027Project.\u0027,\u0027AuditLog.\u0027,\u0027Extension.\u0027];\\n// Distinct Operation Names that will flag\\nlet HasExactBlocklist = datatable(OperationName:string)[\u0027Group.UpdateGroupMembership.Add\u0027,\u0027Library.ServiceConnectionExecuted\u0027,\u0027Pipelines.PipelineModified\u0027,\\n\u0027Release.ReleasePipelineModified\u0027, \u0027Git.RefUpdatePoliciesBypassed\u0027];\\nAzureDevOpsAuditing\\n| where AuthenticationMechanism startswith \\\"PAT\\\" and (OperationName has_any (HasAnyBlocklist) or OperationName in (HasExactBlocklist))\\n and ActorUPN !in (AllowlistedUpns)\\n| project TimeGenerated, AuthenticationMechanism, ProjectName, ActorUPN, ActorDisplayName, IpAddress, UserAgent, OperationName, Details, Data\\n| extend timestamp = TimeGenerated\\n| extend AccountName = tostring(split(ActorUPN, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(ActorUPN, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ActorUPN\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]}],\"tactics\":[\"Execution\",\"Impact\"],\"displayName\":\"Azure DevOps Personal Access Token (PAT) misuse\",\"description\":\"This Alert detects whenever a PAT is used in ways that PATs are not normally used. May require an allow list and baselining.\\nReference - https://docs.microsoft.com/azure/devops/organizations/accounts/use-personal-access-tokens-to-authenticate?view=azure-devops\u0026tabs=preview-page\\nUse this query for baselining:\\nAzureDevOpsAuditing\\n| distinct OperationName\",\"lastUpdatedDateUTC\":\"2024-03-13T00:00:00Z\",\"createdDateUTC\":\"2020-06-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/02ef8d7e-fc3a-4d86-a457-650fa571d8d2\",\"name\":\"02ef8d7e-fc3a-4d86-a457-650fa571d8d2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.1.11\",\"severity\":\"Medium\",\"query\":\"let riskScoreCutoff = 3; //Adjust this score threshold based on volume of results. Activities identified as the most abnormal receive the highest scores (on a scale of 0-10)\\nlet logonDiff = 10m; \\nlet aadFunc = (tableName:string)\\n{ \\ntable(tableName)\\n| where ResultType == \\\"0\\\"\\n| where AppDisplayName !in (\\\"Office 365 Exchange Online\\\", \\\"Skype for Business Online\\\") // To remove false-positives, add more Apps to this array\\n// ---------- Fix for SuccessBlock to also consider IPv6\\n| extend SuccessIPv6Block = strcat(split(IPAddress, \\\":\\\")[0], \\\":\\\", split(IPAddress, \\\":\\\")[1], \\\":\\\", split(IPAddress, \\\":\\\")[2], \\\":\\\", split(IPAddress, \\\":\\\")[3])\\n| extend SuccessIPv4Block = strcat(split(IPAddress, \\\".\\\")[0], \\\".\\\", split(IPAddress, \\\".\\\")[1])\\n// ------------------\\n| project SuccessLogonTime = TimeGenerated, UserPrincipalName, SuccessIPAddress = IPAddress, SuccessLocation = Location, AppDisplayName, SuccessIPBlock = iff(IPAddress contains \\\":\\\", strcat(split(IPAddress, \\\":\\\")[0], \\\":\\\", split(IPAddress, \\\":\\\")[1]), strcat(split(IPAddress, \\\".\\\")[0], \\\".\\\", split(IPAddress, \\\".\\\")[1])), Type\\n| join kind= inner (\\n table(tableName)\\n | where ResultType !in (\\\"0\\\", \\\"50140\\\")\\n | where ResultDescription !~ \\\"Other\\\"\\n | where AppDisplayName !in (\\\"Office 365 Exchange Online\\\", \\\"Skype for Business Online\\\")\\n | project FailedLogonTime = TimeGenerated, UserPrincipalName, FailedIPAddress = IPAddress, FailedLocation = Location, AppDisplayName, ResultType, ResultDescription, Type \\n) on UserPrincipalName, AppDisplayName\\n| where SuccessLogonTime \u003c FailedLogonTime and FailedLogonTime - SuccessLogonTime \u003c= logonDiff and FailedIPAddress !startswith SuccessIPBlock\\n| summarize FailedLogonTime = max(FailedLogonTime), SuccessLogonTime = max(SuccessLogonTime) by UserPrincipalName, SuccessIPAddress, SuccessLocation, AppDisplayName, FailedIPAddress, FailedLocation, ResultType, ResultDescription, Type\\n| extend timestamp = SuccessLogonTime\\n| extend UserPrincipalName = tolower(UserPrincipalName)};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\\n| extend Name = tostring(split(UserPrincipalName,\u0027@\u0027,0)[0]), UPNSuffix = tostring(split(UserPrincipalName,\u0027@\u0027,1)[0])\\n// UEBA context below - make sure you have these 2 datatypes, otherwise the query will not work. If so, comment all that is below.\\n| join kind=leftouter (\\n IdentityInfo\\n | summarize LatestReportTime = arg_max(TimeGenerated, *) by AccountUPN\\n | project AccountUPN, Tags, JobTitle, GroupMembership, AssignedRoles, UserType, IsAccountEnabled\\n | summarize\\n Tags = make_set(Tags, 1000),\\n GroupMembership = make_set(GroupMembership, 1000),\\n AssignedRoles = make_set(AssignedRoles, 1000),\\n UserType = make_set(UserType, 1000),\\n UserAccountControl = make_set(UserType, 1000)\\n by AccountUPN\\n | extend UserPrincipalName=tolower(AccountUPN)\\n) on UserPrincipalName\\n//Below it will be joined with BehaviorAnalytics table to the Failed IP Addresses\\n| join kind=leftouter (\\n BehaviorAnalytics\\n | where ActivityType in (\\\"FailedLogOn\\\", \\\"LogOn\\\")\\n | where isnotempty(SourceIPAddress)\\n | project UsersInsights, DevicesInsights, ActivityInsights, InvestigationPriority, SourceIPAddress, UserName\\n | project-rename FailedIPAddress = SourceIPAddress, Name = UserName\\n | summarize\\n MaxInvestigationScore = max(InvestigationPriority) // Only retrieve maximum Investigation Property score for both FailedIP and User\\n by FailedIPAddress, Name)\\non FailedIPAddress, Name // Joining on both IP and User so as to only return context associated with same user\\n| extend UEBARiskScore = MaxInvestigationScore\\n| project-away *1 // removing duplicate columns post outer join from output\\n| where UEBARiskScore \u003e riskScoreCutoff\\n| sort by UEBARiskScore desc\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SuccessIPAddress\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"FailedIPAddress\"}]}],\"tactics\":[\"CredentialAccess\",\"InitialAccess\"],\"displayName\":\"Successful logon from IP and failure from a different IP\",\"description\":\"Identifies when a user account successfully logs onto an Azure App from one IP and within 10 mins failed to logon to the same App via a different IP (may indicate a malicious attempt at password guessing with known account). \\nUEBA added for context to gather all asoociated information assocaited with IP addressed initiating Faile Logon and affected user. \\nPlease note, Failed logons from known IP ranges can be benign depending on the conditional access policies. In case of noisy behavior, consider tuning the source IP ranges after careful consideration\",\"lastUpdatedDateUTC\":\"2024-08-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"BehaviorAnalytics\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"IdentityInfo\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fa118b98-de46-4e94-87f9-8e6d5060b60b\",\"name\":\"fa118b98-de46-4e94-87f9-8e6d5060b60b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MLBehaviorAnalytics\",\"properties\":{\"severity\":\"Medium\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Anomalous SSH Login Detection\",\"description\":\"This detection uses machine learning (ML) to identify anomalous Secure Shell (SSH) login activity, based on syslog data. Scenarios include:\\n\\n*\\tUnusual IP - This IP address has not or has rarely been seen in last 30 days.\\n*\\tUnusual Geo - The IP address, city, country and ASN have not (or rarely) been seen in last 30 days.\\n*\\tNew user - A new user logs in from an IP address and geo location, both or either of which are not expected to be seen in the last 30 days.\\n\\nAllow 7 days after this alert is enabled for Microsoft Sentinel to build a profile of normal activity for your environment.\\n\\nThis detection requires a specific configuration of the data source. [Learn more](https://docs.microsoft.com/en-us/azure/sentinel/connect-syslog#configure-the-syslog-connector-for-anomalous-ssh-login-detection)\\n\\nBy enabling this rule, you give Microsoft permission to copy ingested data outside of your Microsoft Sentinel workspace\u0027s geography as necessary for processing by the machine learning engine.\",\"lastUpdatedDateUTC\":\"2021-03-26T00:00:00Z\",\"createdDateUTC\":\"2019-08-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/188db479-d50a-4a9c-a041-644bae347d1f\",\"name\":\"188db479-d50a-4a9c-a041-644bae347d1f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"SecurityAlert \\n// Filtering alerts based on Microsoft product names and Relevent alert names\\n | where ProductName in ( \\\"Microsoft Cloud App Security\\\",\\\"Azure Active Directory Identity Protection\\\")\\n |where AlertName in (\\\"Multiple failed user log on attempts to an app\\\",\\\"Password Spray\\\")\\n// Parsing and extending the \u0027Entities\u0027 column as JSON objects\\n | extend Entities = parse_json(Entities) \\n// Exploring IP entities within the alert entities\\n | mv-apply Entity = Entities on \\n ( \\n where Entity.Type == \u0027ip\u0027 \\n | extend EntityIp = tostring(Entity.Address) \\n ) \\n// Exploring account entities within the alert entities\\n | mv-apply Entity = Entities on \\n ( \\n where Entity.Type == \u0027account\u0027 \\n | extend AccountObjectId = tostring(Entity.AadUserId)\\n )\\n// Filtering out alerts with missing IP or account information\\n | where isnotempty(EntityIp) and isnotempty(AccountObjectId)\\n// Summarizing relevant fields for further analysis\\n | summarize \\n by \\n AlertName,\\n ProductName,\\n ProviderName,\\n AlertSeverity,\\n EntityIp,\\n Tactics,\\n Techniques,\\n AlertTime= bin(TimeGenerated, 1min),\\n AccountObjectId,\\n AlertTimeGenerated=TimeGenerated\\n// Joining with IdentityInfo to obtain additional account details\\n | join kind=inner (\\n IdentityInfo\\n | where TimeGenerated \u003e= ago(1d)\\n | distinct AccountObjectId, AccountUPN=tolower(AccountUPN)\\n )\\n on AccountObjectId \\n |extend Name = tostring(split(AccountUPN,\u0027@\u0027)[0]), UPNSuffix =tostring(split(AccountUPN,\u0027@\u0027)[1])\\n// Joining with AWSCloudTrail data to correlate AWS console logins\\n | join kind=inner (\\n AWSCloudTrail\\n | where EventName == \\\"ConsoleLogin\\\"\\n | extend CTUPN= tolower(tostring(tolower(split(UserIdentityArn, \\\"/\\\", 2)[0])))\\n | extend ActionType= tostring(parse_json(ResponseElements).ConsoleLogin) \\n | where ActionType == \\\"Success\\\"\\n | extend AWSTime= bin(TimeGenerated, 1min)\\n | project\\n EventName,\\n EventSource,\\n EventTypeName,\\n RecipientAccountId,\\n ResponseElements,\\n SessionMfaAuthenticated,\\n SourceIpAddress,\\n TimeGenerated,\\n UserAgent,\\n UserIdentityArn,\\n UserIdentityType,\\n CTUPN,\\n AWSTime,\\n UserIdentityUserName\\n )\\n on $left.EntityIp == $right.SourceIpAddress \\n// Filtering login event after the Alert generation time\\n | where AlertTimeGenerated between ((AWSTime - 1h)..(AWSTime + 1h))\\n// Calculating the time difference between alert generation and AWS login\\n | extend timediff = datetime_diff(\u0027minute\u0027, AlertTimeGenerated, TimeGenerated) \\n// Filtering alerts with a time difference of up to 60 minutes\\n | where timediff \u003c= 60\",\"customDetails\":{\"AWSUser\":\"UserIdentityArn\",\"UserAgent\":\"UserAgent\",\"AWSUserUPN\":\"CTUPN\"},\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIpAddress\"}]}],\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"Successful AWS Console Login from IP Address Observed Conducting Password Spray\",\"description\":\"This query aims to detect instances of successful AWS console login events followed by multiple failed app logons alerts generated by Microsoft Cloud App Security or password spray alerts generated by Defender Products.\\n Specifically, it focuses on scenarios where the successful login takes place within a 60-minute timeframe of the high-severity alert. \\n The login is considered relevant if it originates from an IP address associated with potential attackers.\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2023-08-18T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"MicrosoftDefenderAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"AzureActiveDirectoryIdentityProtection\",\"dataTypes\":[\"SecurityAlert (IPC)\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"IdentityInfo\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b51fe620-62ad-4ed2-9d40-5c97c0a8231f\",\"name\":\"b51fe620-62ad-4ed2-9d40-5c97c0a8231f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"SecurityAlert \\n// Filtering alerts based on Microsoft product names\\n | where ProductName in (\\\"Microsoft 365 Defender\\\", \\\"Azure Active Directory\\\", \\\"Microsoft Defender Advanced Threat Protection\\\", \\\"Microsoft Cloud App Security\\\",\\\"Azure Active Directory Identity Protection\\\", \\\"Microsoft Defender ATP\\\")\\n// Narrowing down alerts to specific tactics\\n | where Tactics in(\\\"CredentialAccess\\\", \\\"InitialAccess\\\")\\n// Focusing on high-severity alerts\\n | where AlertSeverity == \\\"High\\\"\\n// Parsing and extending the \u0027Entities\u0027 column as JSON objects\\n | extend Entities = parse_json(Entities) \\n// Exploring IP entities within the alert entities\\n | mv-apply Entity = Entities on \\n ( \\n where Entity.Type == \u0027ip\u0027 \\n | extend EntityIp = tostring(Entity.Address) \\n ) \\n// Exploring account entities within the alert entities\\n | mv-apply Entity = Entities on \\n ( \\n where Entity.Type == \u0027account\u0027 \\n | extend AccountObjectId = tostring(Entity.AadUserId)\\n )\\n// Filtering out alerts with missing IP or account information\\n | where isnotempty(EntityIp) and isnotempty(AccountObjectId)\\n// Summarizing relevant fields for further analysis\\n | summarize \\n by \\n AlertName,\\n ProductName,\\n ProviderName,\\n AlertSeverity,\\n EntityIp,\\n Tactics,\\n Techniques,\\n AlertTime= bin(TimeGenerated, 1min),\\n AccountObjectId,\\n AlertTimeGenerated=TimeGenerated\\n// Joining with IdentityInfo to obtain additional account details\\n | join kind=inner (\\n IdentityInfo\\n | where TimeGenerated \u003e= ago(1d)\\n | distinct AccountObjectId, AccountUPN=tolower(AccountUPN)\\n )\\n on AccountObjectId \\n |extend Name = tostring(split(AccountUPN,\u0027@\u0027)[0]), UPNSuffix =tostring(split(AccountUPN,\u0027@\u0027)[1])\\n// Joining with AWSCloudTrail data to correlate AWS console logins\\n | join kind=inner (\\n AWSCloudTrail\\n | where EventName == \\\"ConsoleLogin\\\"\\n | extend CTUPN= tolower(tostring(tolower(split(UserIdentityArn, \\\"/\\\", 2)[0])))\\n | extend ActionType= tostring(parse_json(ResponseElements).ConsoleLogin) \\n | where ActionType == \\\"Success\\\"\\n | extend AWSTime= bin(TimeGenerated, 1min)\\n | project\\n EventName,\\n EventSource,\\n EventTypeName,\\n RecipientAccountId,\\n ResponseElements,\\n SessionMfaAuthenticated,\\n SourceIpAddress,\\n TimeGenerated,\\n UserAgent,\\n UserIdentityArn,\\n UserIdentityType,\\n CTUPN,\\n AWSTime,\\n UserIdentityUserName\\n )\\n on $left.EntityIp == $right.SourceIpAddress \\n// Filtering login event after the Alert generation time\\n | where AlertTimeGenerated \u003e= AWSTime\\n// Calculating the time difference between alert generation and AWS login\\n | extend timediff = datetime_diff(\u0027minute\u0027, AlertTimeGenerated, TimeGenerated) \\n// Filtering alerts with a time difference of up to 60 minutes\\n | where timediff between ((-60)..(60))\",\"customDetails\":{\"AWSUSerUPN\":\"CTUPN\",\"AzureUserUPN\":\"AccountUPN\",\"ComonIp\":\"SourceIpAddress\",\"UserAgent\":\"UserAgent\"},\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIpAddress\"}]}],\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"Suspicious AWS console logins by credential access alerts\",\"description\":\"This query aims to detect instances of successful AWS console logins that align with high-severity credential access or Initial Access alerts generated by Defender Products.\\n Specifically, it focuses on scenarios where the successful login takes place within a 60-minute timeframe of the high-severity alert. The login is considered relevant if it originates from an IP address associated with potential attackers.\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2023-08-18T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"OfficeATP\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"MicrosoftDefenderAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"AzureActiveDirectoryIdentityProtection\",\"dataTypes\":[\"SecurityAlert (IPC)\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"IdentityInfo\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cf3ede88-a429-493b-9108-3e46d3c741f7\",\"name\":\"cf3ede88-a429-493b-9108-3e46d3c741f7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.7\",\"severity\":\"Low\",\"query\":\"let timeRange = 2h;\\nlet authenticationWindow = 1h;\\nlet authenticationThreshold = 5;\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeRange)\\n| where EventID in (4624, 4625)\\n| where IpAddress != \\\"-\\\" and isnotempty(Account)\\n| extend Outcome = iff(EventID == 4624, \\\"Success\\\", \\\"Failure\\\")\\n// bin outcomes into 10 minute windows to reduce the volume of data\\n| summarize OutcomeCount=count() by bin(TimeGenerated, 10m), Account, IpAddress, Computer, Outcome\\n| project TimeGenerated, Account, IpAddress, Computer, Outcome, OutcomeCount\\n// sort ready for sessionizing - by account and time of the authentication outcome\\n| sort by TimeGenerated asc, Account, IpAddress, Computer, Outcome, OutcomeCount\\n| serialize\\n// sessionize into failure groupings until either the account changes or there is a success\\n| extend SessionStartedUtc = row_window_session(TimeGenerated, timeRange, authenticationWindow, Account != prev(Account) or prev(Outcome) == \\\"Success\\\")\\n// count the failures in each session\\n| summarize FailureCountBeforeSuccess=sumif(OutcomeCount, Outcome == \\\"Failure\\\"), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), make_list(Outcome, 128), make_set(Computer, 128), make_set(IpAddress, 128) by SessionStartedUtc, Account\\n// the session must not start with a success, and must end with one\\n| where array_index_of(list_Outcome, \\\"Success\\\") != 0\\n| where array_index_of(list_Outcome, \\\"Success\\\") == array_length(list_Outcome) - 1\\n| project-away SessionStartedUtc, list_Outcome\\n// where the number of failures before the success is above the threshold\\n| where FailureCountBeforeSuccess \u003e= authenticationThreshold\\n// expand out ip and computer for customer entity assignment\\n| mv-expand set_IpAddress, set_Computer\\n| extend IpAddress = tostring(set_IpAddress), Computer = tostring(set_Computer)\\n| extend timestamp=StartTime, NTDomain = split(Account, \u0027\\\\\\\\\u0027, 0)[0], Name = split(Account, \u0027\\\\\\\\\u0027, 1)[0], HostName = tostring(split(Computer, \u0027.\u0027, 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Computer, \u0027.\u0027), 1, -1), \u0027.\u0027))\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"NTDomain\",\"columnName\":\"NTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"SecurityEvent - Multiple authentication failures followed by a success\",\"description\":\"Identifies accounts who have failed to logon to the domain multiple times in a row, followed by a successful authentication within a short time frame. Multiple failed attempts followed by a success can be an indication of a brute force attempt or possible mis-configuration of a service account within an environment.\\nThe lookback is set to 2h and the authentication window and threshold are set to 1h and 5, meaning we need to see a minimum of 5 failures followed by a success for an account within 1 hour to surface an alert.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2020-04-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bf0cde21-0c41-48f6-a40c-6b5bd71fa106\",\"name\":\"bf0cde21-0c41-48f6-a40c-6b5bd71fa106\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.6\",\"severity\":\"Medium\",\"query\":\"// https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html \\nAWSGuardDuty \\n// Parse the finding\\n// https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-format.html \\n// Example: \\\"ThreatPurpose:ResourceTypeAffected/ThreatFamilyName.DetectionMechanism!Artifact\\\"\\n| extend findingTokens = split(ActivityType, \\\":\\\")\\n| extend ThreatPurpose=findingTokens[0], findingTokens=split(findingTokens[1], \\\"/\\\")\\n| extend ResourceTypeAffected=findingTokens[0], findingTokens= split(findingTokens[1], \\\".\\\")\\n| extend ThreatFamilyName=findingTokens[0], findingTokens=split(findingTokens[1], \\\"!\\\")\\n| extend DetectionMechanism=findingTokens[0], Artifact=findingTokens[1]\\n// Assign severity level\\n// https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html#guardduty_findings-severity\\n| extend Severity = \\n case (\\n Severity \u003e= 7.0, \\\"High\\\",\\n Severity between (4.0 .. 6.9), \\\"Medium\\\",\\n Severity between (1.0 .. 3.9), \\\"Low\\\",\\n \\\"Unknown\\\"\\n )\\n// Pull out any available resource details we can extract entities from. These may not exist in the alert.\\n// https://docs.aws.amazon.com/guardduty/latest/APIReference/API_Resource.html \\n// https://docs.aws.amazon.com/guardduty/latest/APIReference/API_AccessKeyDetails.html \\n// https://docs.aws.amazon.com/guardduty/latest/APIReference/API_RdsDbUserDetails.html \\n// https://docs.aws.amazon.com/guardduty/latest/APIReference/API_KubernetesDetails.html \\n| extend AccessKeyDetails=ResourceDetails.accessKeyDetails\\n| extend RdsDbUserDetails=ResourceDetails.rdsDbUserDetails\\n| extend KubernetesDetails=ResourceDetails.kubernetesDetails\\n// Pull out any available action details we can extract entities from. These may not exist in the alert.\\n// https://docs.aws.amazon.com/guardduty/latest/APIReference/API_Action.html \\n// https://docs.aws.amazon.com/guardduty/latest/APIReference/API_AwsApiCallAction.html \\n// https://docs.aws.amazon.com/guardduty/latest/APIReference/API_KubernetesApiCallAction.html \\n// https://docs.aws.amazon.com/guardduty/latest/APIReference/API_NetworkConnectionAction.html \\n// https://docs.aws.amazon.com/guardduty/latest/APIReference/API_RdsLoginAttemptAction.html \\n| extend ServiceAction = \\n case(\\n isnotempty(ServiceDetails.action.awsApiCallAction), ServiceDetails.action.awsApiCallAction,\\n isnotempty(ServiceDetails.action.kubernetesApiCallAction), ServiceDetails.action.kubernetesApiCallAction,\\n isnotempty(ServiceDetails.action.networkConnectionAction), ServiceDetails.action.networkConnectionAction,\\n isnotempty(ServiceDetails.action.rdsLoginAttemptAction), ServiceDetails.action.rdsLoginAttemptAction,\\n dynamic(null)\\n )\\n// The IPv4 remote address of the connection\\n// https://docs.aws.amazon.com/guardduty/latest/APIReference/API_RemoteIpDetails.html \\n// or\\n// The IP of the Kubernetes API caller and the IPs of any proxies or load balancers between the caller and the API endpoint \\n// https://docs.aws.amazon.com/guardduty/latest/APIReference/API_KubernetesApiCallAction.html \\n| extend RemoteIpAddress = \\n coalesce(\\n tostring(ServiceAction.remoteIpDetails.ipAddressV4),\\n tostring(parse_json(ServiceAction.sourceIPs)[0])\\n )\\n// The IPv4 local address of the connection\\n// https://docs.aws.amazon.com/guardduty/latest/APIReference/API_LocalIpDetails.html \\n| extend LocalIpAddress = ServiceAction.localIpDetails.ipAddressV4\\n// The AWS account ID of the remote API caller.\\n// https://docs.aws.amazon.com/guardduty/latest/APIReference/API_AwsApiCallAction.html \\n// https://docs.aws.amazon.com/guardduty/latest/APIReference/API_RemoteAccountDetails.html \\n| extend RemoteAWSAccountId = ServiceAction.remoteAccountDetails.accountId\\n// The IAM access key details (user information) of a user that engaged in the activity that prompted GuardDuty to generate a finding\\n// https://docs.aws.amazon.com/guardduty/latest/APIReference/API_AccessKeyDetails.html \\n| extend AccountUpn = \\n case(\\n AccessKeyDetails.userType == \\\"IAMUser\\\", AccessKeyDetails.userName,\\n AccessKeyDetails.userType == \\\"AssumedRole\\\", split(AccessKeyDetails.principalId, \\\":\\\", 1)[0],\\n isnotempty(RdsDbUserDetails.user), RdsDbUserDetails.user,\\n isnotempty(KubernetesDetails.kubernetesUserDetails.username), KubernetesDetails.kubernetesUserDetails.username,\\n \\\"\\\"\\n )\\n| extend AccountName = split(AccountUpn, \\\"@\\\", 0)[0]\\n| extend UPNSuffix = split(AccountUpn, \\\"@\\\", 1)[0]\\n// Clean up the output\\n| extend GuardDutyDetails =\\n bag_pack( \\n \\\"DetectorId\\\", ServiceDetails.detectorId,\\n \\\"Partition\\\", Partition,\\n \\\"Region\\\", Region\\n )\\n| extend FindingLink = \\n iff(\\n isnotempty(Region) and isnotempty(Id),\\n strcat(\\\"https://\\\", Region, \\\".console.aws.amazon.com/guardduty/home?region=\\\", Region, \\\"#/findings?fId=\\\", Id),\\n \\\"\\\"\\n )\\n| extend FindingLinkDescription = \\n iff(\\n isnotempty(FindingLink),\\n strcat(\\\"Link to GuardDuty finding (AWS): \\\", FindingLink),\\n \\\"\\\"\\n )\\n| project-rename \\n FindingArn=Arn,\\n FindingId=Id,\\n AWSAccountId=AccountId\\n| project-away \\n ActivityType, \\n findingTokens,\\n Partition,\\n Region, \\n SchemaVersion,\\n TimeGenerated,\\n Type\",\"customDetails\":{\"ThreatPurpose\":\"ThreatPurpose\",\"ResourceTypeAffected\":\"ResourceTypeAffected\",\"ThreatFamilyName\":\"ThreatFamilyName\",\"DetectionMechanism\":\"DetectionMechanism\",\"Artifact\":\"Artifact\"},\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"},{\"identifier\":\"ObjectGuid\",\"columnName\":\"RemoteAWSAccountId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"RemoteIpAddress\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"LocalIpAddress\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"FindingLink\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"{{Title}}\",\"alertDescriptionFormat\":\"{{Description}}\",\"alertTacticsColumnName\":\"ThreatPurpose\",\"alertSeverityColumnName\":\"Severity\"},\"displayName\":\"AWS Guard Duty Alert\",\"description\":\"Amazon GuardDuty is a threat detection service that continuously monitors your AWS accounts and workloads for malicious activity and delivers detailed security findings for visibility and remediation. This templates create an alert for each Amazon GuardDuty finding.\",\"lastUpdatedDateUTC\":\"2024-03-27T00:00:00Z\",\"createdDateUTC\":\"2021-11-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSGuardDuty\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/de58ee9e-b229-4252-8537-41a4c2f4045e\",\"name\":\"de58ee9e-b229-4252-8537-41a4c2f4045e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let file_ext_blocklist = dynamic([\u0027.ps1\u0027, \u0027.vbs\u0027, \u0027.bat\u0027, \u0027.scr\u0027]);\\nlet lbtime = 10m;\\nCisco_Umbrella\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027proxylogs\u0027\\n| where DvcAction =~ \u0027Allowed\u0027\\n| extend file_ext = extract(@\u0027.*(\\\\.\\\\w+)$\u0027, 1, UrlOriginal)\\n| extend Filename = extract(@\u0027.*\\\\/*\\\\/(.*\\\\.\\\\w+)$\u0027, 1, UrlOriginal)\\n| where file_ext in (file_ext_blocklist)\\n| project TimeGenerated, SrcIpAddr, Identities, Filename\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Identities\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Cisco Umbrella - Request to blocklisted file type\",\"description\":\"Detects request to potentially harmful file types (.ps1, .bat, .vbs, etc.).\",\"lastUpdatedDateUTC\":\"2023-12-29T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/88f453ff-7b9e-45bb-8c12-4058ca5e44ee\",\"name\":\"88f453ff-7b9e-45bb-8c12-4058ca5e44ee\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.3\",\"severity\":\"Medium\",\"query\":\"AzureActivity\\n| where CategoryValue =~ \u0027Administrative\u0027\\n| where ResourceProviderValue =~ \u0027Microsoft.ADHybridHealthService\u0027\\n| where _ResourceId has \u0027AdFederationService\u0027\\n| where OperationNameValue =~ \u0027Microsoft.ADHybridHealthService/services/servicemembers/action\u0027\\n| extend claimsJson = parse_json(Claims)\\n| extend AppId = tostring(claimsJson.appid), AccountName = tostring(claimsJson.name), Name = tostring(split(Caller,\u0027@\u0027,0)[0]), UPNSuffix = tostring(split(Caller,\u0027@\u0027,1)[0])\\n| project-away claimsJson\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Caller\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"CallerIpAddress\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Microsoft Entra ID Hybrid Health AD FS New Server\",\"description\":\"This detection uses AzureActivity logs (Administrative category) to identify the creation or update of a server instance in an Microsoft Entra ID Hybrid Health AD FS service.\\nA threat actor can create a new AD Health ADFS service and create a fake server instance to spoof AD FS signing logs. There is no need to compromise an on-premises AD FS server.\\nThis can be done programmatically via HTTP requests to Azure. More information in this blog: https://o365blog.com/post/hybridhealthagent/\",\"lastUpdatedDateUTC\":\"2024-03-04T00:00:00Z\",\"createdDateUTC\":\"2021-08-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/87890d78-3e05-43ec-9ab9-ba32f4e01250\",\"name\":\"87890d78-3e05-43ec-9ab9-ba32f4e01250\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.4.3\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet SecurityAlerts = SecurityAlert\\n| where TimeGenerated \u003e ago(dt_lookBack)\\n| extend domain = todynamic(dynamic_to_json(extract_all(@\\\"(((xn--)?[a-z0-9\\\\-]+\\\\.)+([a-z]+|(xn--[a-z0-9]+)))\\\", dynamic([1]), tolower(Entities))))\\n| where isnotempty(domain)\\n| mv-expand domain\\n| extend domain = tostring(domain)\\n| extend EntitiesDynamicArray = parse_json(Entities)\\n| mv-apply EntitiesDynamicArray on\\n (summarize\\n HostName = take_anyif(tostring(EntitiesDynamicArray.HostName), EntitiesDynamicArray.Type == \\\"host\\\"),\\n IP_addr = take_anyif(tostring(EntitiesDynamicArray.Address), EntitiesDynamicArray.Type == \\\"ip\\\")\\n )\\n| extend Alert_TimeGenerated = TimeGenerated\\n| extend Alert_Description = Description;\\nlet AlertDomains = SecurityAlerts\\n| distinct domain\\n| summarize make_list(domain);\\nlet Domain_Indicators = materialize(ThreatIntelligenceIndicator\\n| where isnotempty(DomainName)\\n| where TimeGenerated \u003e= ago(ioc_lookBack)\\n| extend TI_DomainEntity = tolower(DomainName)\\n| where TI_DomainEntity in (AlertDomains)\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true and ExpirationDateTime \u003e now()\\n| where Description !contains_cs \\\"State: inactive;\\\" and Description !contains_cs \\\"State: falsepos;\\\");\\nDomain_Indicators\\n// Using innerunique to keep performance fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (SecurityAlerts) on $left.TI_DomainEntity == $right.domain\\n| where Alert_TimeGenerated \u003c ExpirationDateTime\\n| summarize Alert_TimeGenerated = arg_max(Alert_TimeGenerated, *) by IndicatorId, AlertName\\n| project Alert_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DomainName, AlertName, Alert_Description, ProviderName, AlertSeverity, ConfidenceLevel, HostName, IP_addr, Url, Entities, Type, TI_DomainEntity\\n| extend timestamp = Alert_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IP_addr\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"TI map Domain entity to SecurityAlert\",\"description\":\"Identifies a match in SecurityAlert table from any Domain IOC from TI\",\"lastUpdatedDateUTC\":\"2024-07-09T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"MicrosoftCloudAppSecurity\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ca67c83e-7fff-4127-a3e3-1af66d6d4cad\",\"name\":\"ca67c83e-7fff-4127-a3e3-1af66d6d4cad\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.4\",\"severity\":\"Medium\",\"query\":\"let ProcessCreationEvents=(union isfuzzy=true\\n(SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName,\\nFileName = Process, CommandLine, ParentProcessName\\n),\\n(WindowsEvent\\n| where EventID==4688\\n| where EventData has \\\"TVqQAAMAAAAEAAA\\\"\\n| extend CommandLine = tostring(EventData.CommandLine)\\n| where isnotempty(CommandLine)\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName,\\nFileName = Process, CommandLine, ParentProcessName));\\nProcessCreationEvents\\n| where CommandLine contains \\\"TVqQAAMAAAAEAAA\\\"\\n| extend HostName = iif(Computer has \u0027.\u0027,substring(Computer,0,indexof(Computer,\u0027.\u0027)),Computer) , DnsDomain = iif(Computer has \u0027.\u0027,substring(Computer,indexof(Computer,\u0027.\u0027)+1),\u0027\u0027)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"Account\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]}],\"tactics\":[\"Execution\",\"DefenseEvasion\"],\"displayName\":\"Base64 encoded Windows process command-lines\",\"description\":\"Identifies instances of a base64-encoded PE file header seen in the process command line parameter.\",\"lastUpdatedDateUTC\":\"2024-03-13T00:00:00Z\",\"createdDateUTC\":\"2018-09-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4b11568b-3f5f-4ba1-80c8-7f1dc8390eb7\",\"name\":\"4b11568b-3f5f-4ba1-80c8-7f1dc8390eb7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.4\",\"severity\":\"Medium\",\"query\":\"// Define a threshold for significant deviations\\nlet threshold = 25;\\n// Define the name for the SharePoint File Operation record type\\nlet szSharePointFileOperation = \\\"SharePointFileOperation\\\";\\n// Define an array of SharePoint operations of interest\\nlet szOperations = dynamic([\\\"FileDownloaded\\\", \\\"FileUploaded\\\"]);\\n// Define the start and end time for the analysis period\\nlet starttime = 14d;\\nlet endtime = 1d;\\n// Define a baseline of normal user behavior\\nlet userBaseline = OfficeActivity\\n| where TimeGenerated between(ago(starttime)..ago(endtime))\\n| where RecordType =~ szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| where isnotempty(UserAgent)\\n| summarize Count = count() by UserId, Operation, Site_Url, ClientIP\\n| summarize AvgCount = avg(Count) by UserId, Operation, Site_Url, ClientIP;\\n// Get recent user activity\\nlet recentUserActivity = OfficeActivity\\n| where TimeGenerated \u003e ago(endtime)\\n| where RecordType =~ szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| where isnotempty(UserAgent)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), RecentCount = count() by UserId, UserType, Operation, Site_Url, ClientIP, OfficeObjectId, OfficeWorkload, UserAgent;\\n// Join the baseline and recent activity, and calculate the deviation\\nlet UserBehaviorAnalysis = userBaseline | join kind=inner (recentUserActivity) on UserId, Operation, Site_Url, ClientIP\\n| extend Deviation = abs(RecentCount - AvgCount) / AvgCount;\\n// Filter for significant deviations\\nUserBehaviorAnalysis\\n| where Deviation \u003e threshold\\n| project StartTimeUtc, EndTimeUtc, UserId, UserType, Operation, ClientIP, Site_Url, OfficeObjectId, OfficeWorkload, UserAgent, Deviation, Count=RecentCount\\n| order by Count desc, ClientIP asc, Operation asc, UserId asc\\n| extend AccountName = tostring(split(UserId, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(UserId, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserId\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Site_Url\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"SharePointFileOperation via previously unseen IPs\",\"description\":\"Identifies anomalies using user behavior by setting a threshold for significant changes in file upload/download activities from new IP addresses. It establishes a baseline of typical behavior, compares it to recent activity, and flags deviations exceeding a default threshold of 25.\",\"lastUpdatedDateUTC\":\"2024-03-14T00:00:00Z\",\"createdDateUTC\":\"2019-08-23T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/23de46ea-c425-4a77-b456-511ae4855d69\",\"name\":\"23de46ea-c425-4a77-b456-511ae4855d69\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.3\",\"severity\":\"Low\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\n// The number of operations above which an IP address is considered an unusual source of role assignment operations\\nlet alertOperationThreshold = 5;\\n// Add or remove operation names below as per your requirements. For operations lists, please refer to https://learn.microsoft.com/en-us/Azure/role-based-access-control/resource-provider-operations#all\\nlet SensitiveOperationList = dynamic([\\\"microsoft.compute/snapshots/write\\\", \\\"microsoft.network/networksecuritygroups/write\\\", \\\"microsoft.storage/storageaccounts/listkeys/action\\\"]);\\nlet SensitiveActivity = AzureActivity\\n| where OperationNameValue in~ (SensitiveOperationList) or OperationNameValue hassuffix \\\"listkeys/action\\\"\\n| where ActivityStatusValue =~ \\\"Success\\\";\\nSensitiveActivity\\n| where TimeGenerated between (ago(starttime) .. ago(endtime))\\n| summarize count() by CallerIpAddress, Caller, OperationNameValue, bin(TimeGenerated,1d)\\n| where count_ \u003e= alertOperationThreshold\\n// Returns all the records from the right side that don\u0027t have matches from the left\\n| join kind = rightanti (\\nSensitiveActivity\\n| where TimeGenerated \u003e= ago(endtime)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = make_list(TimeGenerated), ActivityStatusValue = make_list(ActivityStatusValue), CorrelationIds = make_list(CorrelationId), ResourceGroups = make_list(ResourceGroup), ResourceIds = make_list(_ResourceId), ActivityCountByCallerIPAddress = count()\\nby CallerIpAddress, Caller, OperationNameValue\\n| where ActivityCountByCallerIPAddress \u003e= alertOperationThreshold\\n) on CallerIpAddress, Caller, OperationNameValue\\n| extend Name = tostring(split(Caller,\u0027@\u0027,0)[0]), UPNSuffix = tostring(split(Caller,\u0027@\u0027,1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Caller\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"CallerIpAddress\"}]}],\"tactics\":[\"CredentialAccess\",\"Persistence\"],\"displayName\":\"Rare subscription-level operations in Azure\",\"description\":\"This query looks for a few sensitive subscription-level events based on Azure Activity Logs. For example, this monitors for the operation name \u0027Create or Update Snapshot\u0027, which is used for creating backups but could be misused by attackers to dump hashes or extract sensitive information from the disk.\",\"lastUpdatedDateUTC\":\"2024-01-08T00:00:00Z\",\"createdDateUTC\":\"2019-08-23T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1218175f-c534-421c-8070-5dcaabf28067\",\"name\":\"1218175f-c534-421c-8070-5dcaabf28067\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Low\",\"query\":\"let threshold = 3;\\nZoomLogs\\n| where Event =~ \\\"chat_message.sent\\\"\\n| extend Channel = tostring(parse_json(ChatEvents).Channel)\\n| extend Message = tostring(parse_json(ChatEvents).Message)\\n| where Message matches regex \\\"http(s?):\\\\\\\\/\\\\\\\\/\\\"\\n| summarize Channels = makeset(Channel), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Message, User, UserId\\n| extend ChannelCount = arraylength(Channels)\\n| where ChannelCount \u003e threshold\\n| extend AccountName = tostring(split(User, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(User, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"User\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]}],\"tactics\":[\"Reconnaissance\"],\"displayName\":\"Suspicious link sharing pattern\",\"description\":\"Alerts in links that have been shared across multiple Zoom chat channels by the same user in a short space if time.\\nAdjust the threshold figure to change the number of channels a message needs to be posted in before an alert is raised.\",\"lastUpdatedDateUTC\":\"2024-07-15T00:00:00Z\",\"createdDateUTC\":\"2020-04-24T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0ed0fe7c-af29-4990-af7f-bb5ccb231198\",\"name\":\"0ed0fe7c-af29-4990-af7f-bb5ccb231198\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"High\",\"query\":\"AuditLogs\\n | where Category =~ \\\"RoleManagement\\\"\\n | where OperationName =~ \\\"Update role setting in PIM\\\"\\n | extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n | extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n | extend InitiatingIPAddress = tostring(InitiatedBy.user.ipAddress)\\n | extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[1])\\n | project-reorder TimeGenerated, OperationName, ResultReason, InitiatingUserPrincipalName, InitiatingAadUserId, InitiatingIPAddress, InitiatingAccountName, InitiatingAccountUPNSuffix\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatingAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatingAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIPAddress\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Changes to PIM Settings\",\"description\":\"PIM provides a key mechanism for assigning privileges to accounts, this query detects changes to PIM role settings.\\n Monitor these changes to ensure they are being made legitimately and don\u0027t confer more privileges than expected or reduce the security of a PIM elevation.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d1aba9a3-5ab1-45ef-8ed4-da57dc3c0d32\",\"name\":\"d1aba9a3-5ab1-45ef-8ed4-da57dc3c0d32\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT30M\",\"queryPeriod\":\"PT30M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let lbtime = 30m;\\nlet msgthreshold = 3;\\nlet msgszthreshold = 3000000;\\nProofpointPOD\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027outbound\u0027\\n| where NetworkBytes \u003e msgszthreshold\\n| summarize count() by SrcUserUpn, DstUserUpn\\n| where count_ \u003e msgthreshold\\n| extend AccountCustomEntity = SrcUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"ProofpointPOD - Multiple large emails to the same recipient\",\"description\":\"Detects when multiple emails with large size where sent to the same recipient.\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0625fcce-6d52-491e-8c68-1d9b801d25b9\",\"name\":\"0625fcce-6d52-491e-8c68-1d9b801d25b9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Low\",\"query\":\"Event\\n| where EventLog =~ \\\"Application\\\"\\n| where Source startswith \\\"MSExchange\\\"\\n| where EventLevelName =~ \\\"error\\\"\\n| where (RenderedDescription startswith \\\"Watson report\\\" and RenderedDescription contains \\\"umworkerprocess\\\" and RenderedDescription contains \\\"TextFormattingRunProperties\\\") or RenderedDescription startswith \\\"An unhandled exception occurred in a UM worker process\\\" or RenderedDescription startswith \\\"The Microsoft Exchange Unified Messaging service\\\" or RenderedDescription contains \\\"MSExchange Unified Messaging\\\"\\n| where RenderedDescription !contains \\\"System.OutOfMemoryException\\\"\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| project-away DomainIndex\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Silk Typhoon Suspicious UM Service Error\",\"description\":\"This query looks for errors that may indicate that an attacker is attempting to exploit a vulnerability in the service. \\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2021-03-02T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/eda260eb-f4a1-4379-ad98-452604da9b3e\",\"name\":\"eda260eb-f4a1-4379-ad98-452604da9b3e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"let eventsThreshold = 20;\\nCommonSecurityLog\\n| where isnotempty(RequestURL)\\n| project TimeGenerated, RequestURL, RequestMethod, SourceIP, SourceHostName\\n| evaluate sequence_detect(TimeGenerated, 5s, 8s, login=(RequestURL has \\\"login.microsoftonline.com/consumers/oauth2/v2.0/token\\\"), graph=(RequestURL has \\\"graph.microsoft.com/v1.0/me/drive/\\\"), SourceIP, SourceHostName)\\n| summarize Events=count() by SourceIP, SourceHostName\\n| where Events \u003e= eventsThreshold\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"SourceHostName\"}]}],\"tactics\":[\"Exfiltration\",\"CommandAndControl\"],\"displayName\":\"CreepyDrive request URL sequence\",\"description\":\"CreepyDrive uses OneDrive for command and control, however, it makes regular requests to predicatable paths.\\nThis detecton will alert when over 20 sequences are observed in a single day.\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2022-05-31T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d722831e-88f5-4e25-b106-4ef6e29f8c13\",\"name\":\"d722831e-88f5-4e25-b106-4ef6e29f8c13\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P8D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.5\",\"severity\":\"Low\",\"query\":\"// a threshold can be enabled, see commented line below for PrevSeenCount\\nlet threshold = 2;\\nlet uploadOp = \u0027FileUploaded\u0027;\\n// Extensions that are interesting. Add/Remove to this list as you see fit\\nlet execExt = dynamic([\u0027exe\u0027, \u0027inf\u0027, \u0027gzip\u0027, \u0027cmd\u0027, \u0027bat\u0027]);\\nlet starttime = 8d;\\nlet endtime = 1d;\\nOfficeActivity | where TimeGenerated \u003e= ago(endtime)\\n// Limited to File Uploads due to potential noise, comment out the Operation statement below to include any operation type\\n// Additional, but potentially noisy operation types that include Uploads and Downloads can be included by adding the following - Operation contains \\\"upload\\\" or Operation contains \\\"download\\\"\\n| where Operation =~ uploadOp\\n| where SourceFileExtension has_any (execExt)\\n| project TimeGenerated, OfficeId, OfficeWorkload, RecordType, Operation, UserType, UserKey, UserId, ClientIP, UserAgent, Site_Url, SourceRelativeUrl, SourceFileName\\n| join kind= leftanti (\\nOfficeActivity | where TimeGenerated between (ago(starttime) .. ago(endtime))\\n| where Operation =~ uploadOp\\n| where SourceFileExtension has_any (execExt)\\n| summarize SourceRelativeUrl = make_set(SourceRelativeUrl, 100000), UserId = make_set(UserId, 100000) , PrevSeenCount = count() by SourceFileName\\n// To exclude previous matches when only above a specific count, change threshold above and uncomment the line below\\n//| where PrevSeenCount \u003e threshold\\n| mvexpand SourceRelativeUrl, UserId\\n| extend SourceRelativeUrl = tostring(SourceRelativeUrl), UserId = tostring(UserId)\\n) on SourceFileName, SourceRelativeUrl, UserId\\n| extend SiteUrlUserFolder = tolower(split(Site_Url, \u0027/\u0027)[-2])\\n| extend UserIdUserFolderFormat = tolower(replace_regex(UserId, \u0027@|\\\\\\\\.\u0027, \u0027_\u0027))\\n// identify when UserId is not a match to the specific site url personal folder reference\\n| extend UserIdDiffThanUserFolder = iff(Site_Url has \u0027/personal/\u0027 and SiteUrlUserFolder != UserIdUserFolderFormat, true , false )\\n| summarize TimeGenerated = make_list(TimeGenerated, 100000), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated),\\nUserAgents = make_list(UserAgent, 100000), OfficeIds = make_list(OfficeId, 100000), SourceRelativeUrls = make_list(SourceRelativeUrl, 100000), FileNames = make_list(SourceFileName, 100000)\\nby OfficeWorkload, RecordType, Operation, UserType, UserKey, UserId, ClientIP, Site_Url, SiteUrlUserFolder, UserIdUserFolderFormat, UserIdDiffThanUserFolder\\n| extend AccountName = tostring(split(UserId, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(UserId, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserId\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Site_Url\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"FileNames\"}]}],\"tactics\":[\"CommandAndControl\",\"LateralMovement\"],\"displayName\":\"New executable via Office FileUploaded Operation\",\"description\":\"Identifies when executable file types are uploaded to Office services such as SharePoint and OneDrive.\\nList currently includes \u0027exe\u0027, \u0027inf\u0027, \u0027gzip\u0027, \u0027cmd\u0027, \u0027bat\u0027 file extensions.\\nAdditionally, identifies when a given user is uploading these files to another users workspace.\\nThis may be indication of a staging location for malware or other malicious activity.\",\"lastUpdatedDateUTC\":\"2024-03-14T00:00:00Z\",\"createdDateUTC\":\"2020-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity (SharePoint)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/643c2025-9604-47c5-833f-7b4b9378a1f5\",\"name\":\"643c2025-9604-47c5-833f-7b4b9378a1f5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"Medium\",\"query\":\"//Adjust this threshold to fit your environment\\nlet signin_threshold = 5;\\n//Make a list of IPs with AAD signin failures above our threshold\\nlet aadFunc = (tableName:string){\\nlet Suspicious_signins =\\ntable(tableName)\\n| where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n| where IPAddress !in (\\\"127.0.0.1\\\", \\\"::1\\\")\\n| summarize count() by IPAddress\\n| where count_ \u003e signin_threshold\\n| summarize make_set(IPAddress);\\nSuspicious_signins\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nlet Suspicious_signins =\\nunion isfuzzy=true aadSignin, aadNonInt\\n| summarize make_set(set_IPAddress);\\n//See if any of those IPs have sucessfully logged into the AWS console\\nAWSCloudTrail\\n| where EventName =~ \\\"ConsoleLogin\\\"\\n| extend LoginResult = tostring(parse_json(ResponseElements).ConsoleLogin)\\n| where LoginResult =~ \\\"Success\\\"\\n| where SourceIpAddress in (Suspicious_signins)\\n| extend Reason = \\\"Multiple failed AAD logins from IP address\\\"\\n| extend MFAUsed = tostring(parse_json(AdditionalEventData).MFAUsed)\\n| extend UserIdentityArn = iif(isempty(UserIdentityArn), tostring(parse_json(Resources)[0].ARN), UserIdentityArn)\\n| extend UserName = tostring(split(UserIdentityArn, \u0027/\u0027)[-1])\\n| extend AccountName = case( UserIdentityPrincipalid == \\\"Anonymous\\\", \\\"Anonymous\\\", isempty(UserIdentityUserName), UserName, UserIdentityUserName)\\n| extend AccountName = iif(AccountName contains \\\"@\\\", tostring(split(AccountName, \u0027@\u0027, 0)[0]), AccountName),\\n AccountUPNSuffix = iif(AccountName contains \\\"@\\\", tostring(split(AccountName, \u0027@\u0027, 1)[0]), \\\"\\\")\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Reason, LoginResult, EventTypeName, UserIdentityType, RecipientAccountId, AccountName, AccountUPNSuffix, AWSRegion, SourceIpAddress, UserAgent, MFAUsed\\n| extend timestamp = StartTime\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"},{\"identifier\":\"CloudAppAccountId\",\"columnName\":\"RecipientAccountId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIpAddress\"}]}],\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"Failed AzureAD logons but success logon to AWS Console\",\"description\":\"Identifies a list of IP addresses with a minimum number (defualt of 5) of failed logon attempts to Microsoft Entra ID.\\nUses that list to identify any successful AWS Console logons from these IPs within the same timeframe.\",\"lastUpdatedDateUTC\":\"2023-11-24T00:00:00Z\",\"createdDateUTC\":\"2019-08-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/75ea5c39-93e5-489b-b1e1-68fa6c9d2d04\",\"name\":\"75ea5c39-93e5-489b-b1e1-68fa6c9d2d04\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"let threshold = 3;\\nlet aadFunc = (tableName:string){\\ntable(tableName)\\n| where ResultType == \\\"50057\\\"\\n| where ResultDescription =~ \\\"User account is disabled. The account has been disabled by an administrator.\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), applicationCount = dcount(AppDisplayName),\\napplicationSet = make_set(AppDisplayName), count() by UserPrincipalName, IPAddress, Type\\n| where applicationCount \u003e= threshold\\n| extend Name = tostring(split(UserPrincipalName,\u0027@\u0027,0)[0]), UPNSuffix = tostring(split(UserPrincipalName,\u0027@\u0027,1)[0])\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Attempts to sign in to disabled accounts\",\"description\":\"Identifies failed attempts to sign in to disabled accounts across multiple Azure Applications.\\nDefault threshold for Azure Applications attempted to sign in to is 3.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50057 - User account is disabled. The account has been disabled by an administrator.\",\"lastUpdatedDateUTC\":\"2024-01-06T00:00:00Z\",\"createdDateUTC\":\"2019-02-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/09551db0-e147-4a0c-9e7b-918f88847605\",\"name\":\"09551db0-e147-4a0c-9e7b-918f88847605\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"High\",\"query\":\"let tokens = dynamic([\\\"SSL_HandShaking\\\", \\\"ASN2_TYPE_new\\\", \\\"sql_blob_open\\\", \\\"cmsSetLogHandlerTHR\\\", \\\"ntSystemInfo\\\", \\\"SetWebFilterString\\\", \\\"CleanupBrokerString\\\", \\\"glInitSampler\\\", \\\"deflateSuffix\\\", \\\"ntWindowsProc\\\"]);\\nlet DomainNames = dynamic([\u0027codevexillium.org\u0027, \u0027angeldonationblog.com\u0027, \u0027investbooking.de\u0027, \u0027krakenfolio.com\u0027]);\\nlet SHA256Hash = dynamic([\u002758a74dceb2022cd8a358b92acd1b48a5e01c524c3b0195d7033e4bd55eff4495\u0027,\u0027e0e59bfc22876c170af65dcbf19f744ae560cc43b720b23b9d248f4505c02f3e\u0027,\u00273d3195697521973efe0097a320cbce0f0f98d29d50e044f4505e1fbc043e8cf9\u0027, \u00270a2d81164d524be7022ba8fd4e1e8e01bfd65407148569d172e2171b5cd76cd4\u0027, \u002796d7a93f6691303d39a9cc270b8814151dfec5683e12094537fd580afdf2e5fe\u0027,\u0027dc4cf164635db06b2a0b62d313dbd186350bca6fc88438617411a68df13ec83c\u0027, \u002746efd5179e43c9cbf07dcec22ce0d5527e2402655aee3afc016e5c260650284a\u0027, \u002795e42a94d4df1e7e472998f43b9879eb34aaa93f3705d7d3ef9e3b97349d7008\u0027, \u00279d5320e883264a80ea214077f44b1d4b22155446ad5083f4b27d2ab5bd127ef5\u0027, \u00279fd05063ad203581a126232ac68027ca731290d17bd43b5d3311e8153c893fe3\u0027, \u0027ada7e80c9d09f3efb39b729af238fcdf375383caaf0e9e0aed303931dc73b720\u0027, \u0027edb1597789c7ed784b85367a36440bf05267ac786efe5a4044ec23e490864cee\u0027, \u002733665ce1157ddb7cd7e905e3356b39245dfba17b7a658bdbf02b6968656b9998\u0027, \u00273ab770458577eb72bd6239fe97c35e7eb8816bce5a4b47da7bd0382622854f7c\u0027, \u0027b630ad8ffa11003693ce8431d2f1c6b8b126cd32b657a4bfa9c0dbe70b007d6c\u0027, \u002753f3e55c1217dafb8801af7087e7d68b605e2b6dde6368fceea14496c8a9f3e5\u0027, \u002799c95b5272c5b11093eed3ef2272e304b7a9311a22ff78caeb91632211fcb777\u0027, \u0027f21abadef52b4dbd01ad330efb28ef50f8205f57916a26daf5de02249c0f24ef\u0027, \u00272cbdea62e26d06080d114bbd922d6368807d7c6b950b1421d0aa030eca7e85da\u0027, \u0027079659fac6bd9a1ce28384e7e3a465be4380acade3b4a4a4f0e67fd0260e9447\u0027]);\\nlet SigNames = dynamic([\\\"Backdoor:Script/ComebackerCompile.A!dha\\\", \\\"Trojan:Win64/Comebacker.A!dha\\\", \\\"Trojan:Win64/Comebacker.A.gen!dha\\\", \\\"Trojan:Win64/Comebacker.B.gen!dha\\\", \\\"Trojan:Win32/Comebacker.C.gen!dha\\\", \\\"Trojan:Win32/Klackring.A!dha\\\", \\\"Trojan:Win32/Klackring.B!dha\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where isnotempty(FileHash)\\n| where FileHash in~ (SHA256Hash) or DNSName in~ (DomainNames)\\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n| project Type, TimeGenerated, Computer, Account, IPAddress, FileHash, DNSName\\n),\\n(_Im_Dns(domain_has_any=DomainNames)\\n| extend DNSName = DnsQuery\\n| extend Type = \\\"imDns\\\", IPAddress = SrcIpAddr, Computer=Dvc\\n| project Type, TimeGenerated, Computer, IPAddress, DNSName\\n),\\n(VMConnection\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where isnotempty(DNSName)\\n| where DNSName in~ (DomainNames)\\n| extend IPAddress = RemoteIp\\n| project Type, TimeGenerated, Computer, IPAddress, DNSName\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updataing\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Hashes = EventDetail.[16].[\\\"#text\\\"]\\n| where isnotempty(Hashes)\\n| parse Hashes with * \u0027SHA256=\u0027 SHA256 \u0027,\u0027 * \\n| where SHA256 in~ (SHA256Hash) \\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = Hashes\\n| project Type, TimeGenerated, Computer, Account, FileHash\\n),\\n(DeviceFileEvents\\n| where SHA256 in~ (SHA256Hash)\\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = SHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(imFileEvent\\n| where TargetFileSHA256 in~ (SHA256Hash)\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(DeviceNetworkEvents\\n| where RemoteUrl in~ (DomainNames)\\n| extend Computer = DeviceName, IPAddress = LocalIP, Account = InitiatingProcessAccountName\\n| project Type, TimeGenerated, Computer, Account, IPAddress, RemoteUrl\\n),\\n(SecurityAlert\\n| where ProductName == \\\"Microsoft Defender Advanced Threat Protection\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| where isnotempty(ThreatName)\\n| where ThreatName has_any (SigNames)\\n| extend Computer = tostring(parse_json(Entities)[0].HostName) \\n| project Type, TimeGenerated, Computer\\n),\\n(DeviceProcessEvents\\n| where FileName =~ \\\"powershell.exe\\\" or FileName =~ \\\"rundll32.exe\\\"\\n| where (ProcessCommandLine has \\\"is64bitoperatingsystem\\\" and ProcessCommandLine has \\\"Debug\\\\\\\\Browse\\\") or (ProcessCommandLine has_any (tokens))\\n| extend Computer = DeviceName, Account = AccountName, CommandLine = ProcessCommandLine\\n| project Type, TimeGenerated, Computer, Account, CommandLine, FileName\\n),\\n(SecurityEvent\\n| where EventID == 4688\\n| where ProcessName has_any (\\\"powershell.exe\\\", \\\"rundll32.exe\\\")\\n| where (CommandLine has \\\"is64bitoperatingsystem\\\" and CommandLine has \\\"Debug\\\\\\\\Browse\\\") or (CommandLine has_any (tokens))\\n| project Type, TimeGenerated, Computer, Account, ProcessName, CommandLine \\n),\\n( WindowsEvent\\n| where EventID == 4688\\n| where EventData has_any (\\\"powershell.exe\\\", \\\"rundll32.exe\\\") and EventData has_any (tokens, \\\"Debug\\\\\\\\Browse\\\",\\\"is64bitoperatingsystem\\\" ) \\n| extend ProcessName = tostring(EventData.ProcessName)\\n| where ProcessName has_any (\\\"powershell.exe\\\", \\\"rundll32.exe\\\")\\n| extend CommandLine = tostring(EventData.CommandLine) \\n| where (CommandLine has \\\"is64bitoperatingsystem\\\" and CommandLine has \\\"Debug\\\\\\\\Browse\\\") or (CommandLine has_any (tokens))\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| project Type, TimeGenerated, Computer, Account, ProcessName, CommandLine \\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPAddress = SourceHost\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| project TimeGenerated,Resource, msg_s, Type\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where Request_Name has_any (DomainNames)\\n| extend DNSName = Request_Name\\n| extend IPAddress = ClientIP\\n),\\n(AZFWApplicationRule\\n| where isnotempty(Fqdn)\\n| where Fqdn has_any (DomainNames)\\n| extend DNSName = Fqdn \\n| extend IPAddress = SourceIp\\n),\\n(AZFWDnsQuery\\n| where QueryName has_any (DomainNames)\\n| extend DNSName = QueryName\\n| extend IPAddress = SourceIp\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"Execution\"],\"displayName\":\"[Deprecated] - Known Diamond Sleet Comebacker and Klackring malware hashes\",\"description\":\"This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft\u0027s Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2021-01-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\",\"AZFWApplicationRule\",\"AZFWDnsQuery\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2149d9bb-8298-444c-8f99-f7bf0274dd05\",\"name\":\"2149d9bb-8298-444c-8f99-f7bf0274dd05\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/SEABORGIUMIOC.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet DomainNames = (iocs | where Type =~ \\\"domainname\\\"| project IoC);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 *\\n| where DNSName in~ (DomainNames)\\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = DestinationIP\\n),\\n(_Im_Dns (domain_has_any=DomainNames)\\n| extend DNSName = DnsQuery\\n| extend IPAddress = SrcIpAddr, Computer = Dvc\\n),\\n(_Im_WebSession (url_has_any=DomainNames)\\n| extend DNSName = tostring(parse_url(Url)[\\\"Host\\\"])\\n| extend IPAddress = SrcIpAddr, Computer = Dvc\\n),\\n(VMConnection\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where DNSName in~ (DomainNames)\\n| extend IPAddress = RemoteIp\\n),\\n(DeviceNetworkEvents\\n| where RemoteUrl has_any (DomainNames)\\n| extend IPAddress = RemoteIP\\n| extend Computer = DeviceName\\n),\\n(EmailUrlInfo\\n| where Url has_any (DomainNames)\\n| join (EmailEvents\\n| where EmailDirection == \\\"Inbound\\\" ) on NetworkMessageId\\n| extend IPAddress = SenderIPv4\\n| extend Account = RecipientEmailAddress\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames)\\n| extend DNSName = DestinationHost\\n| extend IPAddress = SourceHost\\n)\\n)\\n| extend AccountName = tostring(split(Account, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(Account, \\\"@\\\")[1])\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| extend AccountName = tostring(split(Account, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(Account, \\\"@\\\")[1])\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Star Blizzard C2 Domains August 2022\",\"description\":\"Identifies a match across various data feeds for domains related to an actor tracked by Microsoft as Star Blizzard.\",\"lastUpdatedDateUTC\":\"2024-06-25T00:00:00Z\",\"createdDateUTC\":\"2022-07-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"EmailUrlInfo\",\"EmailEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d82eb796-d1eb-43c8-a813-325ce3417cef\",\"name\":\"d82eb796-d1eb-43c8-a813-325ce3417cef\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"High\",\"query\":\"union isfuzzy=true\\n (DeviceFileEvents\\n | where ActionType == \\\"FileCreated\\\"\\n | where FileName endswith \\\".h0lyenc\\\" or FolderPath == \\\"C:\\\\\\\\FOR_DECRYPT.html\\\"\\n | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated)\\n by\\n AccountName = InitiatingProcessAccountName, AccountDomain = InitiatingProcessAccountDomain,\\n DeviceName,\\n Type,\\n InitiatingProcessId,\\n FileName,\\n FolderPath,\\n EventType = ActionType,\\n Commandline = InitiatingProcessCommandLine,\\n InitiatingProcessFileName,\\n InitiatingProcessSHA256,\\n FileHashCustomEntity = SHA256,\\n AlgorithmCustomEntity = \\\"SHA256\\\"\\n | extend HostName = tostring(split(DeviceName, \\\".\\\")[0]), DomainIndex = toint(indexof(DeviceName, \u0027.\u0027))\\n | extend HostNameDomain = iff(DomainIndex != -1, substring(DeviceName, DomainIndex + 1), DeviceName)\\n ),\\n (imFileEvent\\n | where EventType == \\\"FileCreated\\\"\\n | where TargetFilePath endswith \\\".h0lyenc\\\" or TargetFilePath == \\\"C:\\\\\\\\FOR_DECRYPT.html\\\"\\n | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated)\\n by\\n ActorUsername,\\n DvcHostname,\\n DvcDomain,\\n DvcId,\\n Type,\\n EventType,\\n FileHashCustomEntity = TargetFileSHA256,\\n Hash,\\n TargetFilePath,\\n Commandline = ActingProcessCommandLine,\\n AlgorithmCustomEntity = \\\"SHA256\\\"\\n | extend AccountName = tostring(split(ActorUsername, @\u0027\\\\\u0027)[1]), AccountDomain = tostring(split(ActorUsername, @\u0027\\\\\u0027)[0])\\n | extend HostName = DvcHostname, HostNameDomain = DvcDomain\\n | extend DeviceName = strcat(DvcHostname, \\\".\\\", DvcDomain )\\n )\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ActorUserName\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DeviceName\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Dev-0530 File Extension Rename\",\"description\":\"Dev-0530 actors are known to encrypt the contents of the victims device as well as renaming the file extensions. This query looks for the creation of files with .h0lyenc extension or presence of ransom note.\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2022-07-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cda5928c-2c1e-4575-9dfa-07568bc27a4f\",\"name\":\"cda5928c-2c1e-4575-9dfa-07568bc27a4f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"let lookback = 7d; \\nlet timeframe = 1h; \\nlet GlobalAdminsRemoved = AuditLogs \\n| where TimeGenerated \u003e ago(timeframe) \\n| where Category =~ \\\"RoleManagement\\\" \\n| where AADOperationType in (\\\"Unassign\\\", \\\"RemoveEligibleRole\\\") \\n| where ActivityDisplayName has_any (\\\"Remove member from role\\\", \\\"Remove eligible member from role\\\") \\n| mv-apply TargetResource = TargetResources on \\n (\\n where TargetResource.type =~ \\\"User\\\"\\n | extend Target = tostring(TargetResource.userPrincipalName),\\n props = TargetResource.modifiedProperties\\n )\\n| mv-apply Property = props on \\n (\\n where Property.displayName =~ \\\"Role.DisplayName\\\"\\n | extend RoleName = trim(\u0027\\\"\u0027,tostring(Property.oldValue))\\n )\\n| where RoleName =~ \\\"Global Administrator\\\" // Add other Privileged role if applicable\\n| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n| extend InitiatingIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\\n| extend Initiator = iif(isnotempty(InitiatingAppName), InitiatingAppName, InitiatingUserPrincipalName) \\n| where Initiator != \\\"MS-PIM\\\" // Filtering PIM events \\n| summarize RemovedGlobalAdminTime = max(TimeGenerated), TargetAdmins = make_set(Target,100) by OperationName, RoleName, Initiator, InitiatingAppName, InitiatingAppServicePrincipalId, InitiatingUserPrincipalName, InitiatingAadUserId, InitiatingIpAddress, Result; \\nlet GlobalAdminsAdded = AuditLogs \\n| where TimeGenerated \u003e ago(lookback) \\n| where Category =~ \\\"RoleManagement\\\" \\n| where AADOperationType in (\\\"Assign\\\", \\\"AssignEligibleRole\\\") \\n| where ActivityDisplayName has_any (\\\"Add eligible member to role\\\", \\\"Add member to role\\\") and Result == \\\"success\\\" \\n| mv-apply TargetResource = TargetResources on \\n (\\n where TargetResource.type =~ \\\"User\\\"\\n | extend Target = tostring(TargetResource.userPrincipalName),\\n props = TargetResource.modifiedProperties\\n )\\n| mv-apply Property = props on \\n (\\n where Property.displayName =~ \\\"Role.DisplayName\\\"\\n | extend RoleName = trim(\u0027\\\"\u0027,tostring(Property.newValue))\\n )\\n| where RoleName =~ \\\"Global Administrator\\\" // Add other Privileged role if applicable\\n| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n| extend Initiator = iif(isnotempty(InitiatingAppName), InitiatingAppName, tostring(InitiatedBy.user.userPrincipalName)) \\n| where Initiator != \\\"MS-PIM\\\" // Filtering PIM events \\n| summarize AddedGlobalAdminTime = max(TimeGenerated) by OperationName, RoleName, Target, Initiator, Result;\\nGlobalAdminsAdded \\n| join kind= inner GlobalAdminsRemoved on $left.Target == $right.Initiator \\n| where AddedGlobalAdminTime \u003c RemovedGlobalAdminTime \\n| extend NoofAdminsRemoved = array_length(TargetAdmins) \\n| where NoofAdminsRemoved \u003e 1\\n| project AddedGlobalAdminTime, Initiator, InitiatingAppName, InitiatingAppServicePrincipalId, InitiatingUserPrincipalName, InitiatingAadUserId, InitiatingIpAddress, Target, RemovedGlobalAdminTime, TargetAdmins, NoofAdminsRemoved\\n| extend TargetName = tostring(split(Target,\u0027@\u0027,0)[0]), TargetUPNSuffix = tostring(split(Target,\u0027@\u0027,1)[0])\\n| extend InitiatedByName = tostring(split(InitiatingUserPrincipalName,\u0027@\u0027,0)[0]), InitiatedByUPNSuffix = tostring(split(InitiatingUserPrincipalName,\u0027@\u0027,1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Target\"},{\"identifier\":\"Name\",\"columnName\":\"TargetName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"TargetUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatedByName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatedByUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAppServicePrincipalId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIpAddress\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Multiple admin membership removals from newly created admin.\",\"description\":\"This query detects when newly created Global admin removes multiple existing global admins which can be an attempt by adversaries to lock down organization and retain sole access. \\n Investigate reasoning and intention of multiple membership removal by new Global admins and take necessary actions accordingly.\",\"lastUpdatedDateUTC\":\"2024-01-08T00:00:00Z\",\"createdDateUTC\":\"2022-03-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/011c84d8-85f0-4370-b864-24c13455aa94\",\"name\":\"011c84d8-85f0-4370-b864-24c13455aa94\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"SecurityAlert\\n| extend Extprop = parse_json(ExtendedProperties)\\n| mv-expand todynamic(Entities)\\n| extend HostName = iff(isnotempty(tostring(Extprop[\\\"Compromised Host\\\"])), tolower(tostring(Extprop[\\\"Compromised Host\\\"])), tolower(tostring(parse_json(Entities).HostName)))\\n| where isnotempty(HostName)\\n| mv-expand todynamic(split(HostName, \u0027,\u0027))\\n| extend DnsDomain = iff(isnotempty(tostring(Extprop[\\\"Machine Domain\\\"])), tostring(Extprop[\\\"Machine Domain\\\"]), tostring(parse_json(Entities).DnsDomain))\\n| extend UserName = iff(isnotempty(tostring(Extprop[\\\"User Name\\\"])), tostring(Extprop[\\\"User Name\\\"]), iff(tostring(parse_json(Entities).Type) == \u0027account\u0027, tostring(parse_json(Entities).Name), \u0027\u0027))\\n| extend NTDomain = iff(isnotempty(tostring(Extprop[\\\"User Domain\\\"])), tostring(Extprop[\\\"User Domain\\\"]), tostring(parse_json(Entities).NTDomain))\\n| extend IpAddress = iff(tostring(parse_json(Entities).Type) == \u0027ip\u0027, tostring(parse_json(Entities).Address), tostring(parse_json(Extprop).[\\\"IpAddress\\\"]))\\n| summarize timestamp = arg_max(TimeGenerated, *) by AlertName, tostring(HostName)\\n| project timestamp, AlertName, UserName, NTDomain, tostring(HostName), DnsDomain, IpAddress\\n| join kind=inner\\n(\\nCoreAzureBackup\\n| where State =~ \\\"Deleted\\\"\\n| where OperationName =~ \\\"BackupItem\\\"\\n| extend data = split(BackupItemUniqueId, \\\";\\\")\\n| extend AzureLocation = data[0], VaultId=data[1], HostName=tolower(tostring(data[2])), DrivesBackedUp=data[3]\\n| project timestamp = TimeGenerated, AzureLocation, VaultId, HostName, DrivesBackedUp, State, BackupItemUniqueId, _ResourceId, OperationName, BackupItemFriendlyName\\n)\\non HostName\\n| project timestamp, AlertName, HostName, DnsDomain, UserName, NTDomain, _ResourceId, IpAddress, VaultId, AzureLocation, DrivesBackedUp, State, BackupItemUniqueId, OperationName, BackupItemFriendlyName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"UserName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"NTDomain\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"_ResourceId\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Detect CoreBackUp Deletion Activity from related Security Alerts\",\"description\":\"The query identifies any efforts by an attacker to delete backup containers, while also searching for any security alerts that may be linked to the same activity, in order to uncover additional information about the attacker\u0027s actions.\u0027 \\nThough such an activity could be legitimate as part of business operation, some ransomware actors may perform such operation to cause interruption to regular business services.\",\"lastUpdatedDateUTC\":\"2023-11-23T00:00:00Z\",\"createdDateUTC\":\"2021-11-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"MicrosoftDefenderForCloudTenantBased\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bfb1c90f-8006-4325-98be-c7fffbc254d6\",\"name\":\"bfb1c90f-8006-4325-98be-c7fffbc254d6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Medium\",\"query\":\"let s_threshold = 30;\\nlet l_threshold = 3;\\nlet aadFunc = (tableName:string){\\ntable(tableName)\\n| where OperationName =~ \\\"Sign-in activity\\\"\\n// Error codes that we want to look at as they are related to the use of incorrect password.\\n| where ResultType in (\\\"50126\\\", \\\"50053\\\" , \\\"50055\\\", \\\"50056\\\")\\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\\n| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\n| extend LocationString = strcat(tostring(LocationDetails.countryOrRegion), \\\"/\\\", tostring(LocationDetails.state), \\\"/\\\", tostring(LocationDetails.city))\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), LocationCount=dcount(LocationString), Location = make_set(LocationString,100),\\nIPAddress = make_set(IPAddress,100), IPAddressCount = dcount(IPAddress), AppDisplayName = make_set(AppDisplayName,100), ResultDescription = make_set(ResultDescription,50),\\nBrowser = make_set(Browser,20), OS = make_set(OS,20), SigninCount = count() by UserPrincipalName, Type\\n// Setting a generic threshold - Can be different for different environment\\n| where SigninCount \u003e s_threshold and LocationCount \u003e= l_threshold\\n| extend Location = tostring(Location), IPAddress = tostring(IPAddress), AppDisplayName = tostring(AppDisplayName), ResultDescription = tostring(ResultDescription), Browser = tostring(Browser), OS = tostring(OS)\\n| extend Name = tostring(split(UserPrincipalName,\u0027@\u0027,0)[0]), UPNSuffix = tostring(split(UserPrincipalName,\u0027@\u0027,1)[0])};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Distributed Password cracking attempts in Microsoft Entra ID\",\"description\":\"Identifies distributed password cracking attempts from the Microsoft Entra ID SigninLogs.\\nThe query looks for unusually high number of failed password attempts coming from multiple locations for a user account.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50053 Account is locked because the user tried to sign in too many times with an incorrect user ID or password.\\n50055 Invalid password, entered expired password.\\n50056 Invalid or null password - Password does not exist in store for this user.\\n50126 Invalid username or password, or invalid on-premises username or password.\",\"lastUpdatedDateUTC\":\"2024-01-06T00:00:00Z\",\"createdDateUTC\":\"2019-02-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f2dd4a3a-ebac-4994-9499-1a859938c947\",\"name\":\"f2dd4a3a-ebac-4994-9499-1a859938c947\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":1,\"version\":\"1.0.6\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet scorethreshold = 5;\\nlet bytessentperhourthreshold = 10;\\nlet TimeSeriesData = (union isfuzzy=true\\n(\\nVMConnection\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where isnotempty(DestinationIp) and isnotempty(SourceIp)\\n| extend SourceIP = SourceIp, DestinationIP = DestinationIp\\n| where ipv4_is_private(DestinationIP) == false\\n| extend DeviceVendor = \\\"VMConnection\\\"\\n| project TimeGenerated, BytesSent, DeviceVendor\\n| make-series TotalBytesSent=sum(BytesSent) on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by DeviceVendor\\n),\\n(\\nCommonSecurityLog\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\\n| where ipv4_is_private(DestinationIP) == false\\n| project TimeGenerated, SentBytes, DeviceVendor\\n| make-series TotalBytesSent=sum(SentBytes) on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by DeviceVendor\\n)\\n);\\n//Filter anomolies against TimeSeriesData\\nlet TimeSeriesAlerts = materialize(TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(TotalBytesSent, scorethreshold, -1, \u0027linefit\u0027)\\n| mv-expand TotalBytesSent to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double),score to typeof(double), baseline to typeof(long)\\n| where anomalies \u003e 0 | extend AnomalyHour = TimeGenerated\\n| extend TotalBytesSentinMBperHour = round(((TotalBytesSent / 1024)/1024),2), baselinebytessentperHour = round(((baseline / 1024)/1024),2), score = round(score,2)\\n| project DeviceVendor, AnomalyHour, TimeGenerated, TotalBytesSentinMBperHour, baselinebytessentperHour, anomalies, score);\\nlet AnomalyHours = materialize(TimeSeriesAlerts | where TimeGenerated \u003e ago(2d) | project TimeGenerated);\\n//Union of all BaseLogs aggregated per hour\\nlet BaseLogs = (union isfuzzy=true\\n(\\nCommonSecurityLog\\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\\n| where TimeGenerated \u003e ago(2d)\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n| where ipv4_is_private(DestinationIP) == false\\n| extend SentBytesinMB = ((SentBytes / 1024)/1024), ReceivedBytesinMB = ((ReceivedBytes / 1024)/1024)\\n| summarize HourlyCount = count(), TimeGeneratedMax=arg_max(TimeGenerated, *), DestinationIPList=make_set(DestinationIP, 100), DestinationPortList = make_set(DestinationPort,100), TotalSentBytesinMB = sum(SentBytesinMB), TotalReceivedBytesinMB = sum(ReceivedBytesinMB) by SourceIP, DeviceVendor, TimeGeneratedHour=bin(TimeGenerated,1h)\\n| where TotalSentBytesinMB \u003e bytessentperhourthreshold\\n| sort by TimeGeneratedHour asc, TotalSentBytesinMB desc\\n| extend Rank=row_number(1, prev(TimeGeneratedHour) != TimeGeneratedHour) // Ranking the dataset per Hourly Partition\\n| where Rank \u003c 10 // Selecting Top 10 records with Highest BytesSent in each Hour\\n| project DeviceVendor, TimeGeneratedHour, TimeGeneratedMax, SourceIP, DestinationIPList, DestinationPortList, TotalSentBytesinMB, TotalReceivedBytesinMB, Rank\\n),\\n(\\nVMConnection\\n| where isnotempty(DestinationIp) and isnotempty(SourceIp)\\n| where TimeGenerated \u003e ago(2d)\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n| extend SourceIP = SourceIp, DestinationIP = DestinationIp\\n| where ipv4_is_private(DestinationIP) == false | extend DeviceVendor = \\\"VMConnection\\\"\\n| extend SentBytesinMB = ((BytesSent / 1024)/1024), ReceivedBytesinMB = ((BytesReceived / 1024)/1024)\\n| summarize HourlyCount = count(),TimeGeneratedMax=arg_max(TimeGenerated, *), DestinationIPList=make_set(DestinationIP, 100), DestinationPortList = make_set(DestinationPort, 100), TotalSentBytesinMB = sum(SentBytesinMB),TotalReceivedBytesinMB = sum(ReceivedBytesinMB) by SourceIP, DeviceVendor, TimeGeneratedHour=bin(TimeGenerated,1h)\\n| where TotalSentBytesinMB \u003e bytessentperhourthreshold\\n| sort by TimeGeneratedHour asc, TotalSentBytesinMB desc\\n| extend Rank=row_number(1, prev(TimeGeneratedHour) != TimeGeneratedHour) // Ranking the dataset per Hourly Partition\\n| where Rank \u003c 10 // Selecting Top 10 records with Highest BytesSent in each Hour\\n| project DeviceVendor, TimeGeneratedHour, TimeGeneratedMax, SourceIP, DestinationIPList, DestinationPortList, TotalSentBytesinMB, TotalReceivedBytesinMB, Rank\\n)\\n);\\n// Join against base logs to retrive records associated with the hour of anomoly\\nTimeSeriesAlerts\\n| where TimeGenerated \u003e ago(2d)\\n| join (\\n BaseLogs | extend AnomalyHour = TimeGeneratedHour\\n) on DeviceVendor, AnomalyHour | sort by score desc\\n| project DeviceVendor, AnomalyHour,TimeGeneratedMax, SourceIP, DestinationIPList, DestinationPortList, TotalSentBytesinMB, TotalReceivedBytesinMB, TotalBytesSentinMBperHour, baselinebytessentperHour, score, anomalies\\n| summarize EventCount = count(), StartTimeUtc= min(TimeGeneratedMax), EndTimeUtc= max(TimeGeneratedMax), SourceIPMax= arg_max(SourceIP,*), TotalBytesSentinMB = sum(TotalSentBytesinMB), TotalBytesReceivedinMB = sum(TotalReceivedBytesinMB), SourceIPList = make_set(SourceIP, 100), DestinationIPList = make_set(DestinationIPList, 100) by AnomalyHour,TotalBytesSentinMBperHour, baselinebytessentperHour, score, anomalies\\n| project DeviceVendor, AnomalyHour, StartTimeUtc, EndTimeUtc, SourceIPMax, SourceIPList, DestinationIPList, DestinationPortList, TotalBytesSentinMB, TotalBytesReceivedinMB, TotalBytesSentinMBperHour, baselinebytessentperHour, score, anomalies, EventCount\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIPMax\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"Time series anomaly for data size transferred to public internet\",\"description\":\"Identifies anomalous data transfer to public networks. The query leverages built-in KQL anomaly detection algorithms that detects large deviations from a baseline pattern.\\nA sudden increase in data transferred to unknown public networks is an indication of data exfiltration attempts and should be investigated.\\nThe higher the score, the further it is from the baseline value.\\nThe output is aggregated to provide summary view of unique source IP to destination IP address and port bytes sent traffic observed in the flagged anomaly hour.\\nThe source IP addresses which were sending less than bytessentperhourthreshold have been exluded whose value can be adjusted as needed .\\nYou may have to run queries for individual source IP addresses from SourceIPlist to determine if anything looks suspicious\",\"lastUpdatedDateUTC\":\"2024-04-11T00:00:00Z\",\"createdDateUTC\":\"2019-05-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e7470b35-0128-4508-bfc9-e01cfb3c2eb7\",\"name\":\"e7470b35-0128-4508-bfc9-e01cfb3c2eb7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Medium\",\"query\":\"Event\\n | where EventLog =~ \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID==1\\n | parse EventData with * \u0027Image\\\"\u003e\u0027 Image \\\"\u003c\\\" * \u0027CommandLine\\\"\u003e\u0027 CommandLine \\\"\u003c\\\" * \u0027ParentImage\\\"\u003e\u0027 ParentImage \\\"\u003c\\\" *\\n | where ParentImage has \\\"svchost.exe\\\" and Image has \\\"rundll32.exe\\\" and CommandLine has \\\"{c08afd90-f2a1-11d1-8455-00a0c91f3880}\\\"\\n | parse EventData with * \u0027ProcessGuid\\\"\u003e\u0027 ProcessGuid \\\"\u003c\\\" * \u0027Description\\\"\u003e\u0027 Description \\\"\u003c\\\" * \u0027CurrentDirectory\\\"\u003e\u0027 CurrentDirectory \\\"\u003c\\\" * \u0027User\\\"\u003e\u0027 User \\\"\u003c\\\" * \u0027LogonGuid\\\"\u003e\u0027 LogonGuid \\\"\u003c\\\" * \u0027ParentProcessGuid\\\"\u003e\u0027 ParentProcessGuid \\\"\u003c\\\" * \u0027ParentImage\\\"\u003e\u0027 ParentImage \\\"\u003c\\\" * \u0027ParentCommandLine\\\"\u003e\u0027 ParentCommandLine \\\"\u003c\\\" * \u0027ParentUser\\\"\u003e\u0027 ParentUser \\\"\u003c\\\" *\\n | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, User, ParentImage, ParentProcessGuid, ParentCommandLine, ParentUser, Image, ProcessGuid, CommandLine, Description\\n | extend HostName = iif(Computer has \u0027.\u0027,substring(Computer,0,indexof(Computer,\u0027.\u0027)),Computer) , DnsDomain = iif(Computer has \u0027.\u0027,substring(Computer,indexof(Computer,\u0027.\u0027)+1),\u0027\u0027)\",\"entityMappings\":[{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLine\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"User\"}]}],\"tactics\":[\"LateralMovement\"],\"displayName\":\"Detecting Macro Invoking ShellBrowserWindow COM Objects\",\"description\":\"This query detects a macro invoking ShellBrowserWindow COM Objects evade naive parent/child Office detection rules.\",\"lastUpdatedDateUTC\":\"2024-11-18T00:00:00Z\",\"createdDateUTC\":\"2022-03-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/69a45b05-71f5-45ca-8944-2e038747fb39\",\"name\":\"69a45b05-71f5-45ca-8944-2e038747fb39\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P8D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.8\",\"severity\":\"Medium\",\"query\":\"let endtime = 1d;\\n// Function to resolve hostname to IP address using DNS logs or a lookup table (example syntax)\\nlet rdpConnections =\\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4624 and LogonType == 10\\n// Labeling the first RDP connection time, computer and ip\\n| extend\\nFirstHop = bin(TimeGenerated, 1m),\\nFirstComputer = toupper(Computer),\\nFirstRemoteIPAddress = IpAddress,\\nAccount = tolower(Account)\\n),\\n(\\nWindowsEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4624 and EventData has (\\\"10\\\")\\n| extend LogonType = tostring(EventData.LogonType)\\n| where LogonType == 10 // Labeling the first RDP connection time, computer and ip\\n| extend Account = strcat(tostring(EventData.TargetDomainName), \\\"\\\", tostring(EventData.TargetUserName))\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| extend\\nFirstHop = bin(TimeGenerated, 1m),\\nFirstComputer = toupper(Computer),\\nFirstRemoteIPAddress = IpAddress,\\nAccount = tolower(Account)\\n))\\n| join kind=inner (\\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4624 and LogonType == 10\\n// Labeling the second RDP connection time, computer and ip\\n| extend\\nSecondHop = bin(TimeGenerated, 1m),\\nSecondComputer = toupper(Computer),\\nSecondRemoteIPAddress = IpAddress,\\nAccount = tolower(Account)\\n),\\n(\\nWindowsEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4624 and EventData has (\\\"10\\\")\\n| extend LogonType = toint(EventData.LogonType)\\n| where LogonType == 10 // Labeling the second RDP connection time, computer and ip\\n| extend Account = strcat(tostring(EventData.TargetDomainName), \\\"\\\", tostring(EventData.TargetUserName))\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| extend\\nSecondHop = bin(TimeGenerated, 1m),\\nSecondComputer = toupper(Computer),\\nSecondRemoteIPAddress = IpAddress,\\nAccount = tolower(Account)\\n))\\n)\\non Account\\n| distinct\\nAccount,\\nFirstHop,\\nFirstComputer,\\nFirstRemoteIPAddress,\\nSecondHop,\\nSecondComputer,\\nSecondRemoteIPAddress,\\nAccountType,\\nActivity,\\nLogonTypeName,\\nProcessName;\\n// Resolve hostnames to IP addresses device network Ip\u0027s\\nlet listOfFirstComputer = rdpConnections | distinct FirstComputer;\\nlet listOfSecondComputer = rdpConnections | distinct SecondComputer;\\nlet resolvedIPs =\\nDeviceNetworkInfo\\n| where TimeGenerated \u003e= ago(endtime)\\n| where isnotempty(ConnectedNetworks) and NetworkAdapterStatus == \\\"Up\\\"\\n| extend ClientIP = tostring(parse_json(IPAddresses[0]).IPAddress)\\n| where isnotempty(ClientIP)\\n| where DeviceName in~ (listOfFirstComputer) or DeviceName in~ (listOfSecondComputer)\\n| summarize arg_max(TimeGenerated, ClientIP) by Computer= DeviceName\\n| project Computer=toupper(Computer), ResolvedIP = ClientIP;\\n// Join resolved IPs with the RDP connections\\nrdpConnections\\n| join kind=inner (resolvedIPs) on $left.FirstComputer == $right.Computer\\n| join kind=inner (resolvedIPs) on $left.SecondComputer == $right.Computer\\n// | where ResolvedIP != ResolvedIP1\\n| distinct\\nAccount,\\nFirstHop,\\nFirstComputer,\\nFirstComputerIP = ResolvedIP,\\nFirstRemoteIPAddress,\\nSecondHop,\\nSecondComputer,\\nSecondComputerIP = ResolvedIP1,\\nSecondRemoteIPAddress,\\nAccountType,\\nActivity,\\nLogonTypeName,\\nProcessName\\n// Ensure the first connection is before the second connection\\n// Identify only RDP to another computer from within the first RDP connection by only choosing matches where the Computer names do not match\\n// Ensure the IPAddresses do not match by excluding connections from the same computers with first hop RDP connections to multiple computers\\n| where FirstComputer != SecondComputer\\nand FirstRemoteIPAddress != SecondRemoteIPAddress\\nand SecondHop \u003e FirstHop\\n// Ensure the second hop occurs within 30 minutes of the first hop\\n| where SecondHop \u003c= FirstHop + 30m\\n| where SecondRemoteIPAddress == FirstComputerIP\\n| summarize FirstHopFirstSeen = min(FirstHop), FirstHopLastSeen = max(FirstHop)\\nby\\nAccount,\\nFirstComputer,\\nFirstComputerIP,\\nFirstRemoteIPAddress,\\nSecondHop,\\nSecondComputer,\\nSecondComputerIP,\\nSecondRemoteIPAddress,\\nAccountType,\\nActivity,\\nLogonTypeName,\\nProcessName\\n| extend\\nAccountName = tostring(split(Account, @\\\"\\\")[1]),\\nAccountNTDomain = tostring(split(Account, @\\\"\\\")[0])\\n| extend\\nHostName1 = tostring(split(FirstComputer, \\\".\\\")[0]),\\nDomainIndex = toint(indexof(FirstComputer, \u0027.\u0027))\\n| extend HostNameDomain1 = iff(DomainIndex != -1, substring(FirstComputer, DomainIndex + 1), FirstComputer)\\n| extend\\nHostName2 = tostring(split(SecondComputer, \\\".\\\")[0]),\\nDomainIndex = toint(indexof(SecondComputer, \u0027.\u0027))\\n| extend HostNameDomain2 = iff(DomainIndex != -1, substring(SecondComputer, DomainIndex + 1), SecondComputer)\\n| project-away DomainIndex\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"FirstComputer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName1\"},{\"identifier\":\"NTDomain\",\"columnName\":\"HostNameDomain1\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SecondComputer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName2\"},{\"identifier\":\"NTDomain\",\"columnName\":\"HostNameDomain2\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"FirstIPAddress\"}]}],\"tactics\":[\"LateralMovement\"],\"displayName\":\"RDP Nesting\",\"description\":\"Query detects potential lateral movement within a network by identifying when an RDP connection (EventID 4624, LogonType 10) is made to an initial system, followed by a subsequent RDP connection from that system to another, using the same account within a 60-minute window.\\n To reduce false positives, it excludes scenarios where the same account has made 5 or more connections to the same set of computers in the previous 7 days. This approach focuses on highlighting unusual RDP behaviour that suggests lateral movement, which is often associated with attacker tactics during a network breach.\",\"lastUpdatedDateUTC\":\"2024-09-27T00:00:00Z\",\"createdDateUTC\":\"2019-10-21T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/694c91ee-d606-4ba9-928e-405a2dd0ff0f\",\"name\":\"694c91ee-d606-4ba9-928e-405a2dd0ff0f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"High\",\"query\":\"let queryperiod = 14d;\\nlet queryfrequency = 2h;\\nlet security_info_actions = dynamic([\\\"User registered security info\\\", \\\"User changed default security info\\\", \\\"User deleted security info\\\", \\\"Admin updated security info\\\", \\\"User reviewed security info\\\", \\\"Admin deleted security info\\\", \\\"Admin registered security info\\\"]);\\nlet VIPUsers = (\\n IdentityInfo\\n | where TimeGenerated \u003e ago(queryperiod)\\n | mv-expand AssignedRoles\\n | where AssignedRoles contains \u0027Admin\u0027\\n | summarize by AccountUPN);\\nAuditLogs\\n| where TimeGenerated \u003e ago(queryfrequency)\\n| where Category =~ \\\"UserManagement\\\"\\n| where ActivityDisplayName in (security_info_actions)\\n| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n| extend InitiatingIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\\n| mv-apply TargetResource = TargetResources on \\n (\\n where TargetResource.type =~ \\\"User\\\"\\n | extend TargetUserPrincipalName = tostring(TargetResource.userPrincipalName)\\n )\\n| where TargetUserPrincipalName in~ (VIPUsers)\\n// Uncomment the line below if you are experiencing high volumes of Target entities. If this is uncommented, the Target column will not be mapped to an entity.\\n//| summarize Start=min(TimeGenerated), End=max(TimeGenerated), Actions = make_set(ResultReason, MaxSize=8), Targets=make_set(Target, MaxSize=256) by Initiator, IP, Result\\n// Comment out this line below, if line above is used.\\n| summarize Start=min(TimeGenerated), End=max(TimeGenerated), Actions = make_set(ResultReason, MaxSize=8) by InitiatingAppName, InitiatingAppServicePrincipalId, \\nInitiatingUserPrincipalName, InitiatingAadUserId, InitiatingIpAddress, TargetUserPrincipalName, Result\\n| extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[1]), \\nTargetName = iff(tostring(TargetUserPrincipalName) has \\\"[\\\", \\\"\\\", tostring(split(TargetUserPrincipalName,\u0027@\u0027,0)[0])), TargetUPNSuffix = iff(tostring(TargetUserPrincipalName) has \\\"[\\\", \\\"\\\", tostring(split(TargetUserPrincipalName,\u0027@\u0027,1)[0]))\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"InitiatingAppName\"},{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAppServicePrincipalId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatingAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatingAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIpAddress\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Authentication Methods Changed for Privileged Account\",\"description\":\"Identifies authentication methods being changed for a privileged account. This could be an indication of an attacker adding an auth method to the account so they can have continued access.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"IdentityInfo\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/be52662c-3b23-435a-a6fa-f39bdfc849e6\",\"name\":\"be52662c-3b23-435a-a6fa-f39bdfc849e6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"let threshold = 10;\\nQualysHostDetection_CL\\n| mv-expand todynamic(Detections_s)\\n| where Detections_s.Severity == \\\"5\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by NetBios_s, IPAddress\\n| where count_ \u003e= threshold\\n| extend timestamp = StartTime, HostCustomEntity = NetBios_s, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"High Number of Urgent Vulnerabilities Detected\",\"description\":\"This Creates an incident when a host has a high number of Urgent, severity 5, vulnerabilities detected.\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2020-06-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"QualysVulnerabilityManagement\",\"dataTypes\":[\"QualysHostDetection_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b185ac23-dc27-4573-8192-1134c7a95f4f\",\"name\":\"b185ac23-dc27-4573-8192-1134c7a95f4f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"Dynamics365Activity\\n| extend Message = tostring(split(OriginalObjectId, \u0027 \u0027)[0])\\n| where Message =~ \u0027IsDataEncryptionActive\u0027\\n| project-reorder TimeGenerated, Message, UserId, ClientIP, InstanceUrl, UserAgent\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = ClientIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Dynamics Encryption Settings Changed\",\"description\":\"This query looks for changes to the Data Encryption settings for Dynamics 365.\\nReference: https://docs.microsoft.com/microsoft-365/compliance/office-365-encryption-in-microsoft-dynamics-365\",\"lastUpdatedDateUTC\":\"2022-12-12T00:00:00Z\",\"createdDateUTC\":\"2021-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Dynamics365\",\"dataTypes\":[\"Dynamics365Activity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/65360bb0-8986-4ade-a89d-af3cf44d28aa\",\"name\":\"65360bb0-8986-4ade-a89d-af3cf44d28aa\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"Low\",\"query\":\"let EventNameList = dynamic([\\\"CreateNetworkAclEntry\\\",\\\"CreateRoute\\\",\\\"CreateRouteTable\\\",\\\"CreateInternetGateway\\\",\\\"CreateNatGateway\\\"]);\\nAWSCloudTrail\\n| where EventName in~ (EventNameList)\\n| extend UserIdentityArn = iif(isempty(UserIdentityArn), tostring(parse_json(Resources)[0].ARN), UserIdentityArn)\\n| extend UserName = tostring(split(UserIdentityArn, \u0027/\u0027)[-1])\\n| extend AccountName = case( UserIdentityPrincipalid == \\\"Anonymous\\\", \\\"Anonymous\\\", isempty(UserIdentityUserName), UserName, UserIdentityUserName)\\n| extend AccountName = iif(AccountName contains \\\"@\\\", tostring(split(AccountName, \u0027@\u0027, 0)[0]), AccountName),\\n AccountUPNSuffix = iif(AccountName contains \\\"@\\\", tostring(split(AccountName, \u0027@\u0027, 1)[0]), \\\"\\\")\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, RecipientAccountId, AccountName, AccountUPNSuffix, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent,\\nUserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion, EventSource, AdditionalEventData, ResponseElements\\n| extend timestamp = StartTimeUtc\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"},{\"identifier\":\"CloudAppAccountId\",\"columnName\":\"RecipientAccountId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIpAddress\"}]}],\"tactics\":[\"PrivilegeEscalation\",\"LateralMovement\"],\"displayName\":\"Changes to Amazon VPC settings\",\"description\":\"Amazon Virtual Private Cloud (Amazon VPC) lets you provision a logically isolated section of the AWS Cloud where you can launch AWS resources in a virtual network that you define.\\nThis identifies changes to Amazon VPC (Virtual Private Cloud) settings such as new ACL entries,routes, routetable or Gateways.\\nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255 \\nand AWS VPC API Docs: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/OperationList-query-vpc.html\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4ce177b3-56b1-4f0e-b83e-27eed4cb0b16\",\"name\":\"4ce177b3-56b1-4f0e-b83e-27eed4cb0b16\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"Medium\",\"query\":\"let lookback = 14d;\\nlet timeframe = 1d;\\n// exclude allowed users from query such as the ADO service\\nlet allowed_users = dynamic([\\\"Azure DevOps Service\\\"]);\\nunion\\n// Look for agents being added to a pool of a OS type not seen with that pool before\\n(AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(lookback) and TimeGenerated \u003c ago(timeframe)\\n| where OperationName =~ \\\"Library.AgentAdded\\\"\\n| where ActorUPN !in (allowed_users)\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n| extend OsDescription = tostring(Data.OsDescription)\\n| where isnotempty(OsDescription)\\n| extend OsDescription = tostring(split(OsDescription, \\\"#\\\", 0)[0])\\n| project AgentPoolName, OsDescription\\n| join kind=rightanti (AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeframe)\\n| where OperationName == \\\"Library.AgentAdded\\\"\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n| extend OsDescription = tostring(Data.OsDescription)\\n| where isnotempty(OsDescription)\\n| extend OsDescription = tostring(split(OsDescription, \\\"#\\\", 0)[0])) on AgentPoolName, OsDescription),\\n// Look for users addeing agents to a pool that they have not added agents to before.\\n(AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(lookback) and TimeGenerated \u003c ago(timeframe)\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n| where ActorUPN !in (allowed_users)\\n| project AgentPoolName, ActorUPN\\n| join kind=rightanti (AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeframe)\\n| where OperationName == \\\"Library.AgentAdded\\\"\\n| where ActorUPN !in (allowed_users)\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n) on AgentPoolName, ActorUPN)\\n| extend AgentName = tostring(Data.AgentName)\\n| extend OsDescription = tostring(Data.OsDescription)\\n| extend SystemDetails = Data.SystemCapabilities\\n| project-reorder TimeGenerated, OperationName, ScopeDisplayName, AgentPoolName, AgentName, ActorUPN, IpAddress, UserAgent, OsDescription, SystemDetails, Data\\n| extend timestamp = TimeGenerated\\n| extend AccountName = tostring(split(ActorUPN, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(ActorUPN, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ActorUPN\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"New Agent Added to Pool by New User or Added to a New OS Type\",\"description\":\"As seen in attacks such as SolarWinds attackers can look to subvert a build process by controlling build servers. Azure DevOps uses agent pools to execute pipeline tasks. \\nAn attacker could insert compromised agents that they control into the pools in order to execute malicious code. This query looks for users adding agents to pools they have not added agents to before, or adding agents to a pool of an OS that has not been added to that pool before. This detection has potential for false positives so has a configurable allow list to allow for certain users to be excluded from the logic.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f948a32f-226c-4116-bddd-d95e91d97eb9\",\"name\":\"f948a32f-226c-4116-bddd-d95e91d97eb9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"High\",\"query\":\"let detectionTime = 1d;\\nlet joinLookback = 14d;\\nlet threshold = 5;\\nlet o365_attack_regex = \\\"contacts.read|user.read|mail.read|notes.read.all|mailboxsettings.readwrite|Files.ReadWrite.All|mail.send|files.read|files.read.all\\\";\\nlet o365_attack = dynamic([\\\"contacts.read\\\", \\\"user.read\\\", \\\"mail.read\\\", \\\"notes.read.all\\\", \\\"mailboxsettings.readwrite\\\", \\\"Files.ReadWrite.All\\\", \\\"mail.send\\\", \\\"files.read\\\", \\\"files.read.all\\\"]);\\nAuditLogs\\n| where TimeGenerated \u003e ago(detectionTime)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Consent to application\\\"\\n| mv-apply TargetResource = TargetResources on \\n (\\n where TargetResource.type =~ \\\"ServicePrincipal\\\"\\n | extend AppDisplayName = tostring(TargetResource.displayName),\\n AppClientId = tostring(TargetResource.id),\\n props = TargetResource.modifiedProperties\\n )\\n| where AppClientId !in ((externaldata(knownAppClientId:string, knownAppDisplayName:string)[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.OAuth.KnownApplications.csv\\\"] with (format=\\\"csv\\\"))) // NOTE: a MATCH from this list will cause the alert to NOT fire - please modify for your environment!\\n| mv-apply ConsentFull = props on \\n (\\n where ConsentFull.displayName =~ \\\"ConsentAction.Permissions\\\"\\n )\\n| parse ConsentFull with * \\\"ConsentType: \\\" GrantConsentType \\\", Scope: \\\" GrantScope1 \\\", CreatedDateTime\\\" * \\\"]\\\" *\\n| where GrantConsentType != \\\"AllPrincipals\\\" // NOTE: we are ignoring if OAuth application was granted to all users via an admin - but admin due diligence should be audited occasionally\\n| where ConsentFull has_any (o365_attack) \\n| extend GrantScopeCount = countof(tolower(GrantScope1), o365_attack_regex, \u0027regex\u0027)\\n| where GrantScopeCount \u003e threshold\\n| extend GrantInitiatedByAppName = tostring(InitiatedBy.app.displayName)\\n| extend GrantInitiatedByAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n| extend GrantInitiatedByUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n| extend GrantInitiatedByAadUserId = tostring(InitiatedBy.user.id)\\n| extend GrantIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n| extend GrantInitiatedBy = iff(isnotempty(GrantInitiatedByUserPrincipalName), GrantInitiatedByUserPrincipalName, GrantInitiatedByAppName)\\n| mv-apply AdditionalDetail = AdditionalDetails on \\n (\\n where AdditionalDetail.key =~ \\\"User-Agent\\\"\\n | extend GrantUserAgent = AdditionalDetail.value\\n )\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, GrantInitiatedByUserPrincipalName, GrantInitiatedByAadUserId, GrantInitiatedByAppName, GrantInitiatedByAppServicePrincipalId, GrantIpAddress, GrantUserAgent, AppClientId, OperationName, ConsentFull, CorrelationId\\n| join kind = leftouter (AuditLogs\\n | where TimeGenerated \u003e ago(joinLookback)\\n | where LoggedByService =~ \\\"Core Directory\\\"\\n | where Category =~ \\\"ApplicationManagement\\\"\\n | where OperationName =~ \\\"Add service principal\\\"\\n | mv-apply TargetResource = TargetResources on \\n (\\n where TargetResource.type =~ \\\"ServicePrincipal\\\"\\n | extend props = TargetResource.modifiedProperties,\\n AppClientId = tostring(TargetResource.id)\\n )\\n | mv-apply Property = props on \\n (\\n where Property.displayName =~ \\\"AppAddress\\\" and Property.newValue has \\\"AddressType\\\"\\n | extend AppReplyURLs = trim(\u0027\\\"\u0027,tostring(Property.newValue))\\n )\\n | distinct AppClientId, tostring(AppReplyURLs)\\n) on AppClientId\\n| join kind = innerunique (AuditLogs\\n | where TimeGenerated \u003e ago(joinLookback)\\n | where LoggedByService =~ \\\"Core Directory\\\"\\n | where Category =~ \\\"ApplicationManagement\\\"\\n | where OperationName =~ \\\"Add OAuth2PermissionGrant\\\" or OperationName =~ \\\"Add delegated permission grant\\\"\\n | mv-apply TargetResource = TargetResources on \\n (\\n where TargetResource.type =~ \\\"ServicePrincipal\\\" and array_length(TargetResource.modifiedProperties) \u003e 0 and isnotnull(TargetResource.displayName)\\n | extend GrantAuthentication = tostring(TargetResource.displayName)\\n )\\n | extend GrantOperation = OperationName\\n | project GrantAuthentication, GrantOperation, CorrelationId\\n ) on CorrelationId\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantInitiatedByUserPrincipalName, GrantInitiatedByAadUserId, GrantInitiatedByAppName, GrantInitiatedByAppServicePrincipalId, GrantIpAddress, GrantUserAgent, AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull\\n| extend Name = tostring(split(GrantInitiatedByUserPrincipalName,\u0027@\u0027,0)[0]), UPNSuffix = tostring(split(GrantInitiatedByUserPrincipalName,\u0027@\u0027,1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"GrantInitiatedByUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"GrantInitiatedByAadUserId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"GrantInitiatedByAppServicePrincipalId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"GrantIpAddress\"}]},{\"entityType\":\"CloudApplication\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"AppDisplayName\"}]}],\"tactics\":[\"CredentialAccess\",\"DefenseEvasion\"],\"displayName\":\"Suspicious application consent similar to O365 Attack Toolkit\",\"description\":\"This will alert when a user consents to provide a previously-unknown Azure application with the same OAuth permissions used by the MDSec O365 Attack Toolkit (https://github.com/mdsecactivebreach/o365-attack-toolkit).\\nThe default permissions/scope for the MDSec O365 Attack toolkit change sometimes but often include contacts.read, user.read, mail.read, notes.read.all, mailboxsettings.readwrite, files.readwrite.all, mail.send, files.read, and files.read.all.\\nConsent to applications with these permissions should be rare, especially as the knownApplications list is expanded, especially as the knownApplications list is expanded. Public contributions to expand this filter are welcome!\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2024-01-08T00:00:00Z\",\"createdDateUTC\":\"2020-06-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/157c0cfc-d76d-463b-8755-c781608cdc1a\",\"name\":\"157c0cfc-d76d-463b-8755-c781608cdc1a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.6\",\"severity\":\"Medium\",\"query\":\"let aadFunc = (tableName:string){\\nCommonSecurityLog\\n| where DeviceVendor =~ \\\"Cisco\\\"\\n| where DeviceAction =~ \\\"denied\\\"\\n| where ipv4_is_private(SourceIP) == false\\n| summarize count() by SourceIP\\n| join (\\n // Successful signins from IPs blocked by the firewall solution are suspect\\n // Include fully successful sign-ins, but also ones that failed only at MFA stage\\n // as that supposes the password was sucessfully guessed.\\n table(tableName)\\n | where ResultType in (\\\"0\\\", \\\"50074\\\", \\\"50076\\\")\\n) on $left.SourceIP == $right.IPAddress\\n| extend AccountName = tostring(split(Account, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(Account, \\\"@\\\")[1])\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Cisco - firewall block but success logon to Microsoft Entra ID\",\"description\":\"Correlate IPs blocked by a Cisco firewall appliance with successful Microsoft Entra ID signins.\\nBecause the IP was blocked by the firewall, that same IP logging on successfully to Entra ID is potentially suspect and could indicate credential compromise for the user account.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2019-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6d63efa6-7c25-4bd4-a486-aa6bf50fde8a\",\"name\":\"6d63efa6-7c25-4bd4-a486-aa6bf50fde8a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"// Add non-approved user principal names or apps to the list below to search for their account creation/deletion activity\\n// ex: dynamic([\\\"UPN1\\\", \\\"upn123\\\"])\\nlet nonapproved_users = dynamic([]);\\nlet nonapproved_apps = dynamic([]);\\nAuditLogs\\n| where OperationName =~ \\\"Add user\\\" or OperationName =~ \\\"Delete user\\\"\\n| where Result =~ \\\"success\\\"\\n| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n| extend InitiatingIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\\n| where InitiatingUserPrincipalName has_any (nonapproved_users) or InitiatingAppName has_any (nonapproved_apps)\\n| extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"InitiatingAppName\"},{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAppServicePrincipalId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatingAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatingAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIpAddress\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Account created or deleted by non-approved user\",\"description\":\"Identifies accounts that were created or deleted by a defined list of non-approved user principal names. Add to this list before running the query for accurate results.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2021-10-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f845881e-2500-44dc-8ed7-b372af3e1e25\",\"name\":\"f845881e-2500-44dc-8ed7-b372af3e1e25\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Low\",\"query\":\"let short_uaLength = 5;\\nlet long_uaLength = 1000;\\nlet c_threshold = 100;\\nW3CIISLog\\n// Exclude local IPs as these create noise\\n| where cIP !startswith \\\"192.168.\\\" and cIP != \\\"::1\\\"\\n| where isnotempty(csUserAgent) and csUserAgent !in~ (\\\"-\\\", \\\"MSRPC\\\") and (string_size(csUserAgent) \u003c= short_uaLength or string_size(csUserAgent) \u003e= long_uaLength)\\n| extend csUserAgent_size = string_size(csUserAgent)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ConnectionCount = count() by Computer, sSiteName, sPort, csUserAgent, csUserAgent_size, csUserName , csMethod, csUriStem, sIP, cIP, scStatus, scSubStatus, scWin32Status\\n| where ConnectionCount \u003c c_threshold\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| extend AccountName = tostring(split(csUserName, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(csUserName, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"csUserName\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"cIP\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Anomalous User Agent connection attempt\",\"description\":\"Identifies connection attempts (success or fail) from clients with very short or very long User Agent strings and with less than 100 connection attempts.\",\"lastUpdatedDateUTC\":\"2023-12-28T00:00:00Z\",\"createdDateUTC\":\"2019-02-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d82e1987-4356-4a7b-bc5e-064f29b143c0\",\"name\":\"d82e1987-4356-4a7b-bc5e-064f29b143c0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.6\",\"severity\":\"Medium\",\"query\":\"(union isfuzzy=true \\n(SecurityEvent\\n| where EventID == 4688\\n| where Process =~ \u0027rundll32.exe\u0027 \\n| where CommandLine has_all (\u0027Execute\u0027,\u0027RegRead\u0027,\u0027window.close\u0027)\\n| project TimeGenerated, Computer, SubjectAccount = Account, SubjectUserName, SubjectDomainName, SubjectUserSid, Process, ProcessId, NewProcessName, CommandLine, ParentProcessName, _ResourceId\\n),\\n(WindowsEvent\\n| where EventID == 4688 and EventData has \u0027rundll32.exe\u0027 and EventData has_any (\u0027Execute\u0027,\u0027RegRead\u0027,\u0027window.close\u0027)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where Process =~ \u0027rundll32.exe\u0027 \\n| extend CommandLine = tostring(EventData.CommandLine)\\n| where CommandLine has_all (\u0027Execute\u0027,\u0027RegRead\u0027,\u0027window.close\u0027)\\n| extend SubjectAccount = strcat(EventData.SubjectDomainName,\\\"\\\\\\\\\\\", EventData.SubjectUserName)\\n| extend ParentProcessName = tostring(EventData.ParentProcessName) \\n| project TimeGenerated, Computer, SubjectAccount, SubjectUserName = tostring(EventData.SubjectUserName), SubjectDomainName = tostring(EventData.SubjectDomainName), SubjectUserSid = tostring(EventData.SubjectUserSid), Process, NewProcessName, CommandLine, ParentProcessName, _ResourceId\\n)\\n)\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| project-away DomainIndex\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SubjectAccount\"},{\"identifier\":\"Name\",\"columnName\":\"SubjectUserName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"SubjectDomainName\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Sid\",\"columnName\":\"SubjectUserSid\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Midnight Blizzard - suspicious rundll32.exe execution of vbscript\",\"description\":\"This query idenifies when rundll32.exe executes a specific set of inline VBScript commands\\n References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/\",\"lastUpdatedDateUTC\":\"2024-01-22T00:00:00Z\",\"createdDateUTC\":\"2021-03-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fcb9d75c-c3c1-4910-8697-f136bfef2363\",\"name\":\"fcb9d75c-c3c1-4910-8697-f136bfef2363\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P2D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.6\",\"severity\":\"Low\",\"query\":\"let querystarttime = 2d;\\nlet queryendtime = 1d;\\nlet TimeDeltaThreshold = 10;\\nlet TotalEventsThreshold = 15;\\nlet PercentBeaconThreshold = 80;\\nlet LocalNetworks=dynamic([\\\"169.254.0.0/16\\\",\\\"127.0.0.0/8\\\"]);\\n_Im_NetworkSession(starttime=ago(querystarttime), endtime=ago(queryendtime))\\n| where not(ipv4_is_private(DstIpAddr))\\n| where not (ipv4_is_in_any_range(DstIpAddr, LocalNetworks))\\n| project \\n TimeGenerated\\n , SrcIpAddr\\n , SrcPortNumber\\n , DstIpAddr\\n , DstPortNumber\\n , DstBytes\\n , SrcBytes\\n| sort by \\n SrcIpAddr asc\\n , TimeGenerated asc\\n , DstIpAddr asc\\n , DstPortNumber asc\\n| serialize\\n| extend \\n nextTimeGenerated = next(TimeGenerated, 1)\\n , nextSrcIpAddr = next(SrcIpAddr, 1)\\n| extend \\n TimeDeltainSeconds = datetime_diff(\u0027second\u0027, nextTimeGenerated, TimeGenerated)\\n| where SrcIpAddr == nextSrcIpAddr\\n//Whitelisting criteria/ threshold criteria\\n| where TimeDeltainSeconds \u003e TimeDeltaThreshold \\n| project\\n TimeGenerated\\n , TimeDeltainSeconds\\n , SrcIpAddr\\n , SrcPortNumber\\n , DstIpAddr\\n , DstPortNumber\\n , DstBytes\\n , SrcBytes\\n| summarize\\n count()\\n , sum(DstBytes)\\n , sum(SrcBytes)\\n , make_list(TimeDeltainSeconds) \\n by TimeDeltainSeconds\\n , bin(TimeGenerated, 1h)\\n , SrcIpAddr\\n , DstIpAddr\\n , DstPortNumber\\n| summarize\\n (MostFrequentTimeDeltaCount, MostFrequentTimeDeltainSeconds) = arg_max(count_, TimeDeltainSeconds)\\n , TotalEvents=sum(count_)\\n , TotalSrcBytes = sum(sum_SrcBytes)\\n , TotalDstBytes = sum(sum_DstBytes)\\n by bin(TimeGenerated, 1h)\\n , SrcIpAddr\\n , DstIpAddr\\n , DstPortNumber\\n| where TotalEvents \u003e TotalEventsThreshold \\n| extend BeaconPercent = MostFrequentTimeDeltaCount/toreal(TotalEvents) * 100\\n| where BeaconPercent \u003e PercentBeaconThreshold\",\"customDetails\":{\"DstPortNumber\":\"DstPortNumber\",\"FrequencyCount\":\"TotalSrcBytes\",\"FrequencyTime\":\"MostFrequentTimeDeltaCount\",\"TotalDstBytes\":\"TotalDstBytes\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DstIpAddr\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Potential beaconing from {{SrcIpAddr}} to {{DstIpAddr}}\",\"alertDescriptionFormat\":\"Potential beaconing pattern from a client at address {{SrcIpAddr}} to a server at address {{DstIpAddr}} over port {{DstPortNumber}} identified. Such potential outbound beaconing pattern to untrusted public networks should be investigated for any malware callbacks or data exfiltration attempts as discussed in this [Blog](http://www.austintaylor.io/detect/beaconing/intrusion/detection/system/command/control/flare/elastic/stack/2017/06/10/detect-beaconing-with-flare-elasticsearch-and-intrusion-detection-systems/). The recurring frequency, reported as FrequencyTime in the custom details, and the total transferred volume reported as TotalDstBytes in the custom details, can help to determine the significance of this incident.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Potential beaconing activity (ASIM Network Session schema)\",\"description\":\"This rule identifies beaconing patterns from Network traffic logs based on recurrent frequency patterns. \\nSuch potential outbound beaconing patterns to untrusted public networks should be investigated for any malware callbacks or data exfiltration attempts as discussed in this [Blog](https://medium.com/@HuntOperator/detect-beaconing-with-flare-elastic-stack-and-intrusion-detection-systems-110dc74e0c56).\\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2021-12-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"AzureNSG\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoAsaAma\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]},{\"connectorId\":\"AIVectraStream\",\"dataTypes\":[\"VectraStream\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoMeraki\",\"dataTypes\":[\"Syslog\",\"CiscoMerakiNativePoller\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2fed0668-6d43-4c78-87e6-510f96f12145\",\"name\":\"2fed0668-6d43-4c78-87e6-510f96f12145\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Medium\",\"query\":\"//Finding MDO Security alerts and extracting the Entities user, Domain, Ip, and URL.\\nlet Alert_List= dynamic([\\n\\\"Phishing link click observed in Network Traffic\\\",\\n\\\"Phish delivered due to an IP allow policy\\\",\\n\\\"A potentially malicious URL click was detected\\\",\\n\\\"High Risk Sign-in Observed in Network Traffic\\\",\\n\\\"A user clicked through to a potentially malicious URL\\\",\\n\\\"Suspicious network connection to AitM phishing site\\\",\\n\\\"Messages containing malicious entity not removed after delivery\\\",\\n\\\"Email messages containing malicious URL removed after delivery\\\",\\n\\\"Email reported by user as malware or phish\\\",\\n\\\"Phish delivered due to an ETR override\\\",\\n\\\"Phish not zapped because ZAP is disabled\\\"]);\\nSecurityAlert\\n|where ProviderName in~ (\\\"Office 365 Advanced Threat Protection\\\", \\\"OATP\\\")\\n| where AlertName in~ (Alert_List)\\n//extracting Alert Entities\\n | extend Entities = parse_json(Entities)\\n| mv-apply Entity = Entities on\\n(\\nwhere Entity.Type == \u0027account\u0027\\n| extend EntityUPN = iff(isempty(Entity.UserPrincipalName), tostring(strcat(Entity.Name, \\\"@\\\", tostring (Entity.UPNSuffix))), tostring(Entity.UserPrincipalName))\\n)\\n| mv-apply Entity = Entities on\\n(\\nwhere Entity.Type == \u0027url\u0027\\n| extend EntityUrl = tostring(Entity.Url)\\n)\\n| summarize AccountUpn=tolower(tostring(take_any(EntityUPN))),Url=tostring(tolower(take_any(EntityUrl))),AlertTime= min(TimeGenerated)by SystemAlertId, ProductName\\n// filtering 3pnetwork devices\\n| join kind= inner (CommonSecurityLog\\n| where DeviceVendor has_any (\\\"Palo Alto Networks\\\", \\\"Fortinet\\\", \\\"Check Point\\\", \\\"Zscaler\\\")\\n| where DeviceAction != \\\"Block\\\"\\n| where DeviceProduct startswith \\\"FortiGate\\\" or DeviceProduct startswith \\\"PAN\\\" or DeviceProduct startswith \\\"VPN\\\" or DeviceProduct startswith \\\"FireWall\\\" or DeviceProduct startswith \\\"NSSWeblog\\\" or DeviceProduct startswith \\\"URL\\\"\\n| where isnotempty(RequestURL)\\n| where isnotempty(SourceUserName)\\n| extend SourceUserName = tolower(SourceUserName)\\n| project\\n3plogTime=TimeGenerated,\\nDeviceVendor,\\nDeviceProduct,\\nActivity,\\nDestinationHostName,\\nDestinationIP,\\nRequestURL=tostring(tolower(RequestURL)),\\nMaliciousIP,\\nName = tostring(split(SourceUserName,\\\"@\\\")[0]),\\nUPNSuffix =tostring(split(SourceUserName,\\\"@\\\")[1]),\\nSourceUserName,\\nIndicatorThreatType,\\nThreatSeverity,AdditionalExtensions,\\nThreatConfidence)on $left.Url == $right.RequestURL and $left.AccountUpn == $right.SourceUserName\\n// Applied the condition where alert trigger 1st and then the 3p Network activity execution\\n| where AlertTime between ((3plogTime - 1h) .. (3plogTime + 1h))\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SourceUserName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DestinationIP\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"DestinationHostName\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Phishing link click observed in Network Traffic\",\"description\":\"The purpose of this content is to identify successful phishing links accessed by users. Once a user clicks on a phishing link, we observe successful network activity originating from non-Microsoft network devices. These devices may include Palo Alto Networks, Fortinet, Check Point, and Zscaler devices.\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2023-05-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"OfficeATP\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog (Fortinet)\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog (CheckPoint)\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog (Zscaler)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b9d2eebc-5dcb-4888-8165-900db44443ab\",\"name\":\"b9d2eebc-5dcb-4888-8165-900db44443ab\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"High\",\"query\":\"// Enter a reference list of hostnames for your DC servers\\n//let DCServersList = dynamic ([\\\"DC01.simulandlabs.com\\\",\\\"DC02.simulandlabs.com\\\"]);\\nSecurityEvent\\n//| where Computer in (DCServersList)\\n| where EventID == 4662 and ObjectServer == \u0027DS\u0027\\n| where AccountType != \u0027Machine\u0027\\n| where Properties has \u00271131f6aa-9c07-11d1-f79f-00c04fc2dcd2\u0027 //DS-Replication-Get-Changes\\n or Properties has \u00271131f6ad-9c07-11d1-f79f-00c04fc2dcd2\u0027 //DS-Replication-Get-Changes-All\\n or Properties has \u002789e95b76-444d-4c62-991a-0facbeda640c\u0027 //DS-Replication-Get-Changes-In-Filtered-Set\\n| project TimeGenerated, Account, Activity, Properties, SubjectLogonId, Computer\\n| join kind=leftouter\\n(\\n SecurityEvent\\n //| where Computer in (DCServersList)\\n | where EventID == 4624 and LogonType == 3\\n | where AccountType != \u0027Machine\u0027\\n | project TargetLogonId, IpAddress\\n)\\non $left.SubjectLogonId == $right.TargetLogonId\\n| project-reorder TimeGenerated, Computer, Account, IpAddress\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| extend AccountName = tostring(split(Account, \\\"\\\\\\\\\\\")[0]), AccountNTDomain = tostring(split(Account, \\\"\\\\\\\\\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Non Domain Controller Active Directory Replication\",\"description\":\"This query detects potential attempts by non-computer accounts (non domain controllers) to retrieve/synchronize an active directory object leveraging directory replication services (DRS).\\nA Domain Controller (computer account) would usually be performing these actions in a domain environment. Another detection rule can be created to cover domain controllers accounts doing at rare times.\\nA domain user with privileged permissions to use directory replication services is rare.\",\"lastUpdatedDateUTC\":\"2024-02-08T00:00:00Z\",\"createdDateUTC\":\"2021-05-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/276d5190-38de-4eb2-9933-b3b72f4a5737\",\"name\":\"276d5190-38de-4eb2-9933-b3b72f4a5737\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P2D\",\"queryPeriod\":\"P2D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"// In User \u0026 Groups and in Applications, the following \\\"AccessType\\\" values in columns PremodifiedInboundSettings and ModifiedInboundSettings are interpreted accordingly\\n// When Access Type in premodified inbound settings value was 1 that means that the initial access was allowed. When Access Type in premodified inbound settings value was 2 that means that the initial access was blocked.\\n// When Access Type in modified inbound settings value is 1 that means that now access is allowed. When Access Type in modified inbound settings value is 2 that means that now access is blocked.\\nAuditLogs\\n| where OperationName has \\\"Update a partner cross-tenant access setting\\\"\\n| mv-apply TargetResource = TargetResources on\\n (\\n where TargetResource.type =~ \\\"Policy\\\"\\n | extend Properties = TargetResource.modifiedProperties\\n )\\n| mv-apply Property = Properties on\\n (\\n where Property.displayName =~ \\\"b2bDirectConnectInbound\\\"\\n | extend PremodifiedInboundSettings = trim(\u0027\\\"\u0027,tostring(Property.oldValue)),\\n ModifiedInboundSettings = trim(@\u0027\\\"\u0027,tostring(Property.newValue))\\n )\\n| where PremodifiedInboundSettings != ModifiedInboundSettings\\n| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n| extend InitiatingIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\\n| extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"InitiatingAppName\"},{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAppServicePrincipalId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatingAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatingAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIpAddress\"}]}],\"tactics\":[\"InitialAccess\",\"Persistence\",\"Discovery\"],\"displayName\":\"Cross-tenant Access Settings Organization Inbound Direct Settings Changed\",\"description\":\"Organizations are added in the Cross-tenant Access Settings to control communication inbound or outbound for users and applications. This detection notifies when Organization Inbound Direct Settings are changed for \\\"Users \u0026 Groups\\\" and for \\\"Applications\\\".\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-10-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/86a036b2-3686-42eb-b417-909fc0867771\",\"name\":\"86a036b2-3686-42eb-b417-909fc0867771\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.3\",\"severity\":\"Medium\",\"query\":\"AzureActivity\\n| where CategoryValue =~ \u0027Administrative\u0027\\n| where ResourceProviderValue =~ \u0027Microsoft.ADHybridHealthService\u0027\\n| where _ResourceId has \u0027AdFederationService\u0027\\n| where OperationNameValue =~ \u0027Microsoft.ADHybridHealthService/services/delete\u0027\\n| extend claimsJson = parse_json(Claims)\\n| extend AppId = tostring(claimsJson.appid), AccountName = tostring(claimsJson.name), Name = tostring(split(Caller,\u0027@\u0027,0)[0]), UPNSuffix = tostring(split(Caller,\u0027@\u0027,1)[0])\\n| project-away claimsJson\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Caller\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"CallerIpAddress\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Microsoft Entra ID Hybrid Health AD FS Service Delete\",\"description\":\"This detection uses AzureActivity logs (Administrative category) to identify the deletion of an Microsoft Entra ID Hybrid Health AD FS service instance in a tenant.\\nA threat actor can create a new AD Health ADFS service and create a fake server to spoof AD FS signing logs.\\nThe health AD FS service can then be deleted after it is no longer needed via HTTP requests to Azure.\\nMore information is available in this blog https://o365blog.com/post/hybridhealthagent/\",\"lastUpdatedDateUTC\":\"2024-03-04T00:00:00Z\",\"createdDateUTC\":\"2021-08-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/feb0a2fb-ae75-4343-8cbc-ed545f1da289\",\"name\":\"feb0a2fb-ae75-4343-8cbc-ed545f1da289\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"High\",\"query\":\"let VIPUsers = (IdentityInfo\\n| where AssignedRoles contains \\\"Admin\\\"\\n| summarize by tolower(AccountUPN));\\nAuditLogs\\n| where TimeGenerated \u003e ago(2h)\\n| where Category =~ \\\"UserManagement\\\"\\n| where ActivityDisplayName =~ \\\"User registered security info\\\"\\n| where LoggedByService =~ \\\"Authentication Methods\\\"\\n| extend TargetUserPrincipalName = tostring(TargetResources[0].userPrincipalName)\\n| where tolower(TargetUserPrincipalName) in (VIPUsers)\\n| extend TargetAadUserId = tostring(TargetResources[0].id)\\n| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n| extend InitiatingIPAddress = tostring(InitiatedBy.user.ipAddress)\\n| extend TargetAccountName = tostring(split(TargetUserPrincipalName, \\\"@\\\")[0]), TargetAccountUPNSuffix = tostring(split(TargetUserPrincipalName, \\\"@\\\")[1])\\n| extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"TargetAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"TargetAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"TargetAadUserId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatingAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatingAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIPAddress\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Authentication Method Changed for Privileged Account\",\"description\":\"Identifies authentication methods being changed for a privileged account. This could be an indication of an attacker adding an auth method to the account so they can have continued access.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1\",\"lastUpdatedDateUTC\":\"2024-03-14T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"IdentityInfo\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/95a15f39-d9cc-4667-8cdd-58f3113691c9\",\"name\":\"95a15f39-d9cc-4667-8cdd-58f3113691c9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.5\",\"severity\":\"Medium\",\"query\":\"let lookback = 14d;\\nlet timeframe = 1d;\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e ago(lookback) and TimeGenerated \u003c ago(timeframe)\\n| where EventID == 4688\\n| where ParentProcessName has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| join kind=rightanti (\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where ParentProcessName has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| where EventID == 4688) on NewProcessName\\n),\\n(WindowsEvent\\n| where TimeGenerated \u003e ago(lookback) and TimeGenerated \u003c ago(timeframe)\\n| where EventID == 4688 and EventData has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| where ParentProcessName has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| join kind=rightanti (\\nWindowsEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where EventID == 4688 and EventData has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| where ParentProcessName has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend IpAddress = tostring(EventData.IpAddress)) on NewProcessName\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| extend SubjectUserName = tostring(EventData.SubjectUserName), SubjectDomainName = tostring(EventData.SubjectDomainName)\\n| project-away DomainIndex\\n))\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SubjectAccount\"},{\"identifier\":\"Name\",\"columnName\":\"SubjectUserName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"SubjectDomainName\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Silk Typhoon New UM Service Child Process\",\"description\":\"This query looks for new processes being spawned by the Exchange UM service where that process has not previously been observed before. \\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2021-03-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/09c49590-4e9d-4da9-a34d-17222d0c9e7e\",\"name\":\"09c49590-4e9d-4da9-a34d-17222d0c9e7e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"AlertPerResult\"},\"version\":\"1.1.3\",\"severity\":\"Medium\",\"query\":\"let default_file_ext_blocklist = dynamic([\u0027.ps1\u0027, \u0027.vbs\u0027, \u0027.bat\u0027, \u0027.scr\u0027]); // Update this list as per your requirement\\nlet custom_file_ext_blocklist=toscalar(_GetWatchlist(\u0027RiskyFileTypes\u0027)\\n | extend Extension=column_ifexists(\\\"Extension\\\", \\\"\\\")\\n | where isnotempty(Extension)\\n | summarize make_set(Extension)); // If you have an extensive list, you can also create a Watchlist that includes the file extensions you want to detect\\nlet file_ext_blocklist = array_concat(default_file_ext_blocklist, custom_file_ext_blocklist);\\n_Im_WebSession(starttime=ago(10min), url_has_any=file_ext_blocklist, eventresult=\u0027Success\u0027)\\n| extend requestedFileName=tostring(split(tostring(parse_url(Url)[\\\"Path\\\"]), \u0027/\u0027)[-1])\\n| extend requestedFileExtension=extract(@\u0027(\\\\.\\\\w+)$\u0027, 1, requestedFileName, typeof(string))\\n| where requestedFileExtension in (file_ext_blocklist)\\n| summarize\\n EventStartTime=min(TimeGenerated),\\n EventEndTime=max(TimeGenerated),\\n EventCount=count()\\n by SrcIpAddr, SrcUsername, SrcHostname, requestedFileName, Url\\n| extend\\n Name = iif(SrcUsername contains \\\"@\\\", tostring(split(SrcUsername, \u0027@\u0027, 0)[0]), SrcUsername),\\n UPNSuffix = iif(SrcUsername contains \\\"@\\\", tostring(split(SrcUsername, \u0027@\u0027, 1)[0]), \\\"\\\")\",\"customDetails\":{\"requestedFileExt\":\"requestedFileExtension\",\"Username\":\"SrcUsername\",\"SrcHostname\":\"SrcHostname\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"requestedFileName\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SrcUsername\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Client {{SrcIpAddr}} accessed a URL with potentially harmful extension {{requestedFileExtension}}\",\"alertDescriptionFormat\":\"The client at address {{SrcIpAddr}} accessed the URL {{Url}} that has the extension {{requestedFileExtension}}. Downloading a file with this extension may be harmful and may indicate malicious activity.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"InitialAccess\"],\"displayName\":\"A client made a web request to a potentially harmful file (ASIM Web Session schema)\",\"description\":\"This rule identifies a web request to a URL that holds a file type, including .ps1, .bat, .vbs, and .scr that can be harmful if downloaded. This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema)\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2021-12-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/74ed028d-e392-40b7-baef-e69627bf89d1\",\"name\":\"74ed028d-e392-40b7-baef-e69627bf89d1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.3\",\"severity\":\"High\",\"query\":\"AzureDevOpsAuditing\\n| where OperationName =~ \\\"AuditLog.StreamDisabledByUser\\\"\\n| extend StreamType = tostring(Data.ConsumerType)\\n| project-reorder TimeGenerated, Details, ActorUPN, IpAddress, UserAgent, StreamType\\n| extend timestamp = TimeGenerated\\n| extend AccountName = tostring(split(ActorUPN, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(ActorUPN, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ActorUPN\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"NRT Azure DevOps Audit Stream Disabled\",\"description\":\"Azure DevOps allow for audit logs to be streamed to external storage solutions such as SIEM solutions. An attacker looking to hide malicious Azure DevOps activity from defenders may look to disable data streams before conducting activity and then re-enabling the stream after (so as not to raise data threshold-based alarms). Looking for disabled audit streams can identify this activity, and due to the nature of the action its unlikely to have a high false positive rate.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/18e6a87e-9d06-4a4e-8b59-3469cd49552d\",\"name\":\"18e6a87e-9d06-4a4e-8b59-3469cd49552d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"(union isfuzzy=true \\n(SecurityEvent \\n| where EventID == 4662 // You need to create a SACL on the ADFS Policy Store DKM group for this event to be created. \\n| where ObjectServer == \u0027DS\u0027\\n| where OperationType == \u0027Object Access\u0027\\n//| where ObjectName contains \u0027\u003cGUID of ADFS Policy Store DKM Group object\u0027 This is unique to the domain. Check description for more details.\\n| where ObjectType contains \u00275cb41ed0-0e4c-11d0-a286-00aa003049e2\u0027 // Contact Class\\n| where Properties contains \u00278d3bca50-1d7e-11d0-a081-00aa006c33ed\u0027 // Picture Attribute - Ldap-Display-Name: thumbnailPhoto\\n| extend AccountName = SubjectUserName, AccountDomain = SubjectDomainName\\n| extend timestamp = TimeGenerated, DeviceName = Computer\\n),\\n( WindowsEvent \\n| where EventID == 4662 // You need to create a SACL on the ADFS Policy Store DKM group for this event to be created. \\n| where EventData has_all(\u0027Object Access\u0027, \u00275cb41ed0-0e4c-11d0-a286-00aa003049e2\u0027,\u00278d3bca50-1d7e-11d0-a081-00aa006c33ed\u0027) \\n| extend ObjectServer = tostring(EventData.ObjectServer)\\n| where ObjectServer == \u0027DS\u0027\\n| extend OperationType = tostring(EventData.OperationType)\\n| where OperationType == \u0027Object Access\u0027\\n//| where ObjectName contains \u0027\u003cGUID of ADFS Policy Store DKM Group object\u0027 This is unique to the domain. Check description for more details.\\n| extend ObjectType = tostring(EventData.ObjectType)\\n| where ObjectType contains \u00275cb41ed0-0e4c-11d0-a286-00aa003049e2\u0027 // Contact Class\\n| extend Properties = tostring(EventData.Properties)\\n| where Properties contains \u00278d3bca50-1d7e-11d0-a081-00aa006c33ed\u0027 // Picture Attribute - Ldap-Display-Name: thumbnailPhoto\\n| extend AccountName = tostring(EventData.SubjectUserName), AccountDomain = tostring(EventData.SubjectDomainName)\\n| extend timestamp = TimeGenerated, DeviceName = Computer\\n),\\n(DeviceEvents\\n| where ActionType =~ \\\"LdapSearch\\\"\\n| where AdditionalFields.AttributeList contains \\\"thumbnailPhoto\\\"\\n| where AdditionalFields.DistinguishedName contains \\\"CN=ADFS,CN=Microsoft,CN=Program Data\\\" // Filter results to show only hits related to the ADFS AD container\\n| extend timestamp = TimeGenerated, AccountName = InitiatingProcessAccountName, AccountDomain = InitiatingProcessAccountDomain\\n)\\n)\\n| extend Account = strcat(AccountDomain, \\\"\\\\\\\\\\\", AccountName)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"DeviceName\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"_ResourceId\"}]}],\"tactics\":[\"Collection\"],\"displayName\":\"ADFS DKM Master Key Export\",\"description\":\"Identifies an export of the ADFS DKM Master Key from Active Directory.\\nReferences: https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/, \\nhttps://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html?1\\nTo understand further the details behind this detection, please review the details in the original PR and subequent PR update to this:\\nhttps://github.com/Azure/Azure-Sentinel/pull/1562#issue-551542469\\nhttps://github.com/Azure/Azure-Sentinel/pull/1512#issue-543053339\\n\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2020-12-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceEvents\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}}]}", "isContentBase64": false } }, - "Get-AzSentinelAlertRuleTemplate+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRuleTemplates?api-version=2021-09-01-preview+1": { + "Get-AzSentinelAlertRuleTemplate+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/alertRuleTemplates?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRuleTemplates?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/alertRuleTemplates?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "168" ], - "x-ms-client-request-id": [ "5609626e-44f8-485e-b5cd-a13100ca8b03" ], + "x-ms-unique-id": [ "11" ], + "x-ms-client-request-id": [ "7969ac88-d19c-4170-b79d-77dae59362a4" ], "CommandName": [ "Get-AzSentinelAlertRuleTemplate" ], "FullCommandName": [ "Get-AzSentinelAlertRuleTemplate_List" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], + "User-Agent": [ "AzurePowershell/v15.4.0", "PSVersion/v7.6.0", "Az.SecurityInsights/3.2.1" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { @@ -104,37 +112,41 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11989" ], - "x-ms-request-id": [ "320a13c5-e8eb-4f49-80f0-4a59a4eea2df" ], - "x-ms-correlation-request-id": [ "320a13c5-e8eb-4f49-80f0-4a59a4eea2df" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160656Z:320a13c5-e8eb-4f49-80f0-4a59a4eea2df" ], + "Vary": [ "Accept-Encoding" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "1099" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/dc7d1096-ff68-4c66-a7bc-2fde8261e8c7" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-ratelimit-remaining-subscription-global-reads": [ "16499" ], + "x-ms-request-id": [ "8da523e9-dfa3-416c-af39-5796ace89ab4" ], + "x-ms-correlation-request-id": [ "8da523e9-dfa3-416c-af39-5796ace89ab4" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074411Z:8da523e9-dfa3-416c-af39-5796ace89ab4" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:06:56 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: 7DC761CF3F444ADEADD0EAD186540670 Ref B: AMS231020512027 Ref C: 2026-03-25T07:44:10Z" ], + "Date": [ "Wed, 25 Mar 2026 07:44:10 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "1435342" ], + "Content-Length": [ "1889450" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"value\":[{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f71aba3d-28fb-450b-b192-4e76a83015c8\",\"name\":\"f71aba3d-28fb-450b-b192-4e76a83015c8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Fusion\",\"properties\":{\"severity\":\"High\",\"tactics\":[\"Collection\",\"CommandAndControl\",\"CredentialAccess\",\"DefenseEvasion\",\"Discovery\",\"Execution\",\"Exfiltration\",\"Impact\",\"InitialAccess\",\"LateralMovement\",\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Advanced Multistage Attack Detection\",\"description\":\"Microsoft Sentinel uses Fusion, a correlation engine based on scalable machine learning algorithms, to automatically detect multistage attacks by identifying combinations of anomalous behaviors and suspicious activities that are observed at various stages of the kill chain. On the basis of these discoveries, Azure Sentinel generates incidents that would otherwise be very difficult to catch. By design, these incidents are low-volume, high-fidelity, and high-severity, which is why this detection is turned ON by default.\\n\\nSince Fusion correlates multiple signals from various products to detect advanced multistage attacks, successful Fusion detections are presented as Fusion incidents on the Microsoft Sentinel Incidents page. This rule covers the following detections:\\n- Fusion for emerging threats\\n- Fusion for ransomware\\n- Scenario-based Fusion detections (122 scenarios)\\n\\nTo enable these detections, we recommend you configure the following data connectors for best results:\\n- Out-of-the-box anomaly detections\\n- Azure Active Directory Identity Protection\\n- Azure Defender\\n- Azure Defender for IoT\\n- Microsoft 365 Defender\\n- Microsoft Cloud App Security \\n- Microsoft Defender for Endpoint\\n- Microsoft Defender for Identity\\n- Microsoft Defender for Office 365\\n- Scheduled analytics rules, both built-in and those created by your security analysts. Analytics rules must contain kill-chain (tactics) and entity mapping information in order to be used by Fusion.\\n\\nFor the full description of each detection that is supported by Fusion, go to https://aka.ms/SentinelFusion.\",\"lastUpdatedDateUTC\":\"2021-06-09T00:00:00Z\",\"createdDateUTC\":\"2019-07-25T00:00:00Z\",\"status\":\"Installed\",\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/57c7e832-64eb-411f-8928-4133f01f4a25\",\"name\":\"57c7e832-64eb-411f-8928-4133f01f4a25\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n AzureDiagnostics\\n | where ResourceType =~ \\\"VAULTS\\\"\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | extend KeyVaultEvents_TimeGenerated = TimeGenerated, ClientIP = CallerIPAddress\\n)\\non $left.TI_ipEntity == $right.ClientIP\\n| where KeyVaultEvents_TimeGenerated \u003c ExpirationDateTime\\n| summarize KeyVaultEvents_TimeGenerated = arg_max(KeyVaultEvents_TimeGenerated, *) by IndicatorId, ClientIP\\n| project KeyVaultEvents_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, ClientIP, ResourceId, SubscriptionId, OperationName, ResultType, CorrelationId, id_s, clientInfo_s, httpStatusCode_d, identity_claim_appid_g, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\n| extend timestamp = KeyVaultEvents_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceId\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to Azure Key Vault logs\",\"description\":\"Identifies a match in Azure Key Vault logsfrom any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureKeyVault\",\"dataTypes\":[\"KeyVaultData\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f948a32f-226c-4116-bddd-d95e91d97eb9\",\"name\":\"f948a32f-226c-4116-bddd-d95e91d97eb9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let detectionTime = 1d;\\nlet joinLookback = 14d;\\nAuditLogs\\n| where TimeGenerated \u003e ago(detectionTime)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Consent to application\\\"\\n| where TargetResources has \\\"mailboxsettings\\\"\\n| extend AppDisplayName = TargetResources.[0].displayName\\n| extend AppClientId = tolower(TargetResources.[0].id)\\n| where AppClientId !in ((externaldata(knownAppClientId:string, knownAppDisplayName:string)[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.OAuth.KnownApplications.csv\\\"] with (format=\\\"csv\\\")))\\n| extend ConsentFull = TargetResources[0].modifiedProperties[4].newValue\\n| parse ConsentFull with * \\\"ConsentType: \\\" GrantConsentType \\\", Scope: \\\" GrantScope1 \\\"]\\\" *\\n| where ConsentFull contains \\\"contacts.read\\\" and ConsentFull contains \\\"user.read\\\" and ConsentFull contains \\\"mail.read\\\" and ConsentFull contains \\\"notes.read.all\\\" and ConsentFull contains \\\"mailboxsettings.readwrite\\\" and ConsentFull contains \\\"Files.ReadWrite.All\\\"\\n| where GrantConsentType != \\\"AllPrincipals\\\" // NOTE: we are ignoring if OAuth application was granted to all users via an admin - but admin due diligence should be audited occasionally\\n| extend GrantIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n| extend GrantInitiatedBy = iff(isnotempty(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend GrantUserAgent = iff(AdditionalDetails[0].key =~ \\\"User-Agent\\\", tostring(AdditionalDetails[0].value), \\\"\\\")\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, GrantIpAddress, GrantUserAgent, AppClientId, OperationName, ConsentFull, CorrelationId\\n| join kind = leftouter (AuditLogs\\n| where TimeGenerated \u003e ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add service principal\\\"\\n| extend AppClientId = tolower(TargetResources[0].id)\\n| extend AppReplyURLs = iff(TargetResources[0].modifiedProperties[1].newValue has \\\"AddressType\\\", TargetResources[0].modifiedProperties[1].newValue, \\\"\\\")\\n| distinct AppClientId, tostring(AppReplyURLs)\\n)\\non AppClientId\\n| join kind = innerunique (AuditLogs\\n| where TimeGenerated \u003e ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add OAuth2PermissionGrant\\\" or OperationName =~ \\\"Add delegated permission grant\\\"\\n| extend GrantAuthentication = tostring(TargetResources[0].displayName)\\n| extend GrantOperation = OperationName\\n| project GrantAuthentication, GrantOperation, CorrelationId\\n) on CorrelationId\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantIpAddress, GrantUserAgent, AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull\\n| extend timestamp = TimeGenerated, AccountCustomEntity = GrantInitiatedBy, IPCustomEntity = GrantIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\",\"DefenseEvasion\"],\"displayName\":\"Suspicious application consent similar to O365 Attack Toolkit\",\"description\":\"This will alert when a user consents to provide a previously-unknown Azure application with the same OAuth permissions used by the MDSec O365 Attack Toolkit (https://github.com/mdsecactivebreach/o365-attack-toolkit).\\nThe default permissions/scope for the MDSec O365 Attack toolkit are contacts.read, user.read, mail.read, notes.read.all, mailboxsettings.readwrite, and files.readwrite.all.\\nConsent to applications with these permissions should be rare, especially as the knownApplications list is expanded, especially as the knownApplications list is expanded. Public contributions to expand this filter are welcome!\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a3c144f9-8051-47d4-ac29-ffb0c312c910\",\"name\":\"a3c144f9-8051-47d4-ac29-ffb0c312c910\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"High\",\"query\":\"let SunburstMD5=dynamic([\\\"b91ce2fa41029f6955bff20079468448\\\",\\\"02af7cec58b9a5da1c542b5a32151ba1\\\",\\\"2c4a910a1299cdae2a4e55988a2f102e\\\",\\\"846e27a652a5e1bfbd0ddd38a16dc865\\\",\\\"4f2eb62fa529c0283b28d05ddd311fae\\\"]);\\nlet SupernovaMD5=\\\"56ceb6d0011d87b6e4d7023d7ef85676\\\";\\nDeviceFileEvents\\n| where MD5 in(SunburstMD5) or MD5 in(SupernovaMD5)\\n| extend\\n timestamp = TimeGenerated,\\n AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName),\\n HostCustomEntity = DeviceName,\\n AlgorithmCustomEntity = \\\"MD5\\\",\\n FileHashCustomEntity = MD5\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Execution\",\"Persistence\",\"InitialAccess\"],\"displayName\":\"SUNBURST and SUPERNOVA backdoor hashes\",\"description\":\"Identifies SolarWinds SUNBURST and SUPERNOVA backdoor file hash IOCs in DeviceFileEvents\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2020-12-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/87210ca1-49a4-4a7d-bb4a-4988752f978c\",\"name\":\"87210ca1-49a4-4a7d-bb4a-4988752f978c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"// Get details of current Azure Ranges (note this URL updates regularly so will need to be manually updated over time)\\n// You may find the name of the new JSON here: https://www.microsoft.com/download/details.aspx?id=56519\\n// On the downloads page, click the \u0027details\u0027 button, and then replace just the filename in the URL below\\nlet azure_ranges = externaldata(changeNumber: string, cloud: string, values: dynamic)\\n[\\\"https://download.microsoft.com/download/7/1/D/71D86715-5596-4529-9B13-DA13A5DE5B63/ServiceTags_Public_20220321.json\\\"]\\nwith(format=\u0027multijson\u0027)\\n| mv-expand values\\n| mv-expand values.properties.addressPrefixes\\n| mv-expand values_properties_addressPrefixes\\n| summarize by tostring(values_properties_addressPrefixes);\\nSigninLogs\\n// Limiting to Azure Portal really reduces false positives and helps focus on potential admin activity\\n| where AppDisplayName =~ \\\"Azure Portal\\\"\\n// Only get logons where the IP address is in an Azure range\\n| evaluate ipv4_lookup(azure_ranges, IPAddress, values_properties_addressPrefixes)\\n// Limit to where the user is external to the tenant\\n| where HomeTenantId != ResourceTenantId\\n// Further limit it to just access to the current tenant (you can drop this if you wanted to look elsewhere as well but it helps reduce FPs)\\n| where ResourceTenantId == AADTenantId\\n| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), make_set(ResourceDisplayName) by UserPrincipalName, IPAddress, UserAgent, Location, HomeTenantId, ResourceTenantId\\n| extend AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Azure Portal Signin from another Azure Tenant\",\"description\":\"This query looks for sign in attempts to the Azure Portal where the user who is signing in from another Azure tenant,\\n and the IP address the login attempt is from is an Azure IP. A threat actor who compromises an Azure tenant may look\\n to pivot to other tenants leveraging cross-tenant delegated access in this manner.\",\"lastUpdatedDateUTC\":\"2022-03-30T00:00:00Z\",\"createdDateUTC\":\"2021-10-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/29a29e5d-354e-4f5e-8321-8b39d25047bf\",\"name\":\"29a29e5d-354e-4f5e-8321-8b39d25047bf\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"High\",\"query\":\"let files1 = dynamic([\\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\lsa.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\pa.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\pc.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\Rar.exe\\\"]);\\nlet files2 = dynamic([\\\"svchost.exe\\\",\\\"wdmsvc.exe\\\"]);\\nlet FileHash1 = dynamic([\\\"43109fbe8b752f7a9076eaafa417d9ae5c6e827cd5374b866672263fdebd5ec3\\\", \\\"ab50d8d707b97712178a92bbac74ccc2a5699eb41c17aa77f713ff3e568dcedb\\\", \\\"010e32be0f86545e116a8bc3381a8428933eb8789f32c261c81fd5e7857d4a77\\\", \\\"56cd102b9fc7f3523dad01d632525ff673259dbc9a091be0feff333c931574f7\\\"]);\\nlet FileHash2 = dynamic([\\\"2a1044e9e6e87a032f80c6d9ea6ae61bbbb053c0a21b186ecb3b812b49eb03b7\\\", \\\"9ab7e99ed84f94a7b6409b87e56dc6e1143b05034a5e4455e8c555dbbcd0d2dd\\\", \\\"18a072ccfab239e140d8f682e2874e8ff19d94311fc8bb9564043d3e0deda54b\\\"]);\\nimFileEvent\\n| where ((FilePath has_any (files1)) and (ActingProcessSHA256 has_any (FileHash1))) or ((FilePath has_any (files2)) and (ActingProcessSHA256 has_any (FileHash2)))\\n// Increase risk score if recent alerts for the host\\n| join kind=leftouter (SecurityAlert\\n| where ProviderName =~ \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| mv-expand todynamic(Entities)\\n| extend DvcId = tostring(parse_json(Entities).MdatpDeviceId)\\n| where isnotempty(DvcId)\\n// Higher risk score are for Defender alerts related to threat actor\\n| extend AlertRiskScore = iif(ThreatName has_any (\\\"Backdoor:MSIL/ShellClient.A\\\", \\\"Backdoor:MSIL/ShellClient.A!dll\\\", \\\"Trojan:MSIL/Mimikatz.BA!MTB\\\"), 1.0, 0.5)\\n| project DvcId, AlertRiskScore) on DvcId\\n| extend AlertRiskScore = iif(isempty(AlertRiskScore), 0.0, AlertRiskScore)\\n| extend timestamp = TimeGenerated, HostCustomEntity = Dvc, AccountCustomEntity = ActorUsername\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"FileName\"}]}],\"tactics\":[\"CredentialAccess\",\"Execution\"],\"displayName\":\"Dev-0228 File Path Hashes November 2021 (ASIM Version)\",\"description\":\"This hunting query looks for file paths/hashes related to observed activity by Dev-0228. The actor is known to use custom version of popular tool like PsExec, Procdump etc. to carry its activity.\\n The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first.\\n This query uses the Microsoft Sentinel Information Model - https://docs.microsoft.com/azure/sentinel/normalization\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2021-11-18T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0dd2a343-4bf9-4c93-a547-adf3658ddaec\",\"name\":\"0dd2a343-4bf9-4c93-a547-adf3658ddaec\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"let known_processes = (\\n imProcess\\n // Change these values if adjusting Query Frequency or Query Period\\n | where TimeGenerated between(ago(14d)..ago(1d))\\n | where Process has_any (\\\"Policies\\\\\\\\{6AC1786C-016F-11D2-945F-00C04fB984F9}\\\", \\\"Policies\\\\\\\\{31B2F340-016D-11D2-945F-00C04FB984F9}\\\")\\n | summarize by Process);\\n imProcess\\n // Change these values if adjusting Query Frequency or Query Period\\n | where TimeGenerated \u003e ago(1d)\\n | where Process has_any (\\\"Policies\\\\\\\\{6AC1786C-016F-11D2-945F-00C04fB984F9}\\\", \\\"Policies\\\\\\\\{31B2F340-016D-11D2-945F-00C04FB984F9}\\\")\\n | where Process !in (known_processes)\\n | summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated) by Process, CommandLine, DvcHostname\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"DvcHostname\"}]}],\"tactics\":[\"Execution\",\"LateralMovement\"],\"displayName\":\"New EXE deployed via Default Domain or Default Domain Controller Policies (ASIM Version)\",\"description\":\"This detection highlights executables deployed to hosts via either the Default Domain or Default Domain Controller Policies. These policies apply to all hosts or Domain Controllers and best practice is that these policies should not be used for deployment of files.\\n A threat actor may use these policies to deploy files or scripts to all hosts in a domain.\\n This query uses the ASIM parsers and will need them deployed before usage - https://docs.microsoft.com/azure/sentinel/normalization\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-02-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/871ba14c-88ef-48aa-ad38-810f26760ca3\",\"name\":\"871ba14c-88ef-48aa-ad38-810f26760ca3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let queryfrequency = 1d;\\nlet queryperiod = 7d;\\nOfficeActivity\\n| where TimeGenerated \u003e ago(queryperiod)\\n| where OfficeWorkload =~ \\\"Exchange\\\"\\n//| where Operation in (\\\"Set-Mailbox\\\", \\\"New-InboxRule\\\", \\\"Set-InboxRule\\\")\\n| where Parameters has_any (\\\"ForwardTo\\\", \\\"RedirectTo\\\", \\\"ForwardingSmtpAddress\\\")\\n| mv-apply DynamicParameters = todynamic(Parameters) on (summarize ParsedParameters = make_bag(pack(tostring(DynamicParameters.Name), DynamicParameters.Value)))\\n| evaluate bag_unpack(ParsedParameters, columnsConflict=\u0027replace_source\u0027)\\n| extend DestinationMailAddress = tolower(case(\\n isnotempty(column_ifexists(\\\"ForwardTo\\\", \\\"\\\")), column_ifexists(\\\"ForwardTo\\\", \\\"\\\"),\\n isnotempty(column_ifexists(\\\"RedirectTo\\\", \\\"\\\")), column_ifexists(\\\"RedirectTo\\\", \\\"\\\"),\\n isnotempty(column_ifexists(\\\"ForwardingSmtpAddress\\\", \\\"\\\")), trim_start(@\\\"smtp:\\\", column_ifexists(\\\"ForwardingSmtpAddress\\\", \\\"\\\")),\\n \\\"\\\"))\\n| where isnotempty(DestinationMailAddress)\\n| mv-expand split(DestinationMailAddress, \\\";\\\")\\n| extend ClientIPValues = extract_all(@\u0027\\\\[?(::ffff:)?(?P\u003cIPAddress\u003e(\\\\d+\\\\.\\\\d+\\\\.\\\\d+\\\\.\\\\d+)|[^\\\\]]+)\\\\]?([-:](?P\u003cPort\u003e\\\\d+))?\u0027, dynamic([\\\"IPAddress\\\", \\\"Port\\\"]), ClientIP)[0]\\n| extend ClientIP = tostring(ClientIPValues[0]), Port = tostring(ClientIPValues[1])\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), DistinctUserCount = dcount(UserId), UserId = make_set(UserId, 250), Ports = make_set(Port, 250), EventCount = count() by tostring(DestinationMailAddress), ClientIP\\n| where DistinctUserCount \u003e 1 and EndTime \u003e ago(queryfrequency)\\n| mv-expand UserId to typeof(string)\\n| extend timestamp = StartTime, AccountCustomEntity = UserId, IPCustomEntity = ClientIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Collection\",\"Exfiltration\"],\"displayName\":\"Multiple users email forwarded to same destination\",\"description\":\"Identifies when multiple (more than one) users mailboxes are configured to forward to the same destination. \\nThis could be an attacker-controlled destination mailbox configured to collect mail from multiple compromised user accounts.\",\"lastUpdatedDateUTC\":\"2022-06-24T00:00:00Z\",\"createdDateUTC\":\"2019-08-23T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a6c435a2-b1a0-466d-b730-9f8af69262e8\",\"name\":\"a6c435a2-b1a0-466d-b730-9f8af69262e8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT20M\",\"queryPeriod\":\"PT20M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.0\",\"severity\":\"Medium\",\"query\":\"let failureCountThreshold = 10;\\nlet successCountThreshold = 1;\\n// let authenticationWindow = 20m; // Implicit in the analytic rule query period \\nimAuthentication\\n| summarize \\n StartTime = min(TimeGenerated), \\n EndTime = max(TimeGenerated), \\n IpAddresses = make_set (SrcDvcIpAddr, 100),\\n ReportedBy = make_set (strcat (EventVendor, \\\"/\\\", EventProduct), 100),\\n FailureCount = countif(EventResult==\u0027Failure\u0027),\\n SuccessCount = countif(EventResult==\u0027Success\u0027)\\n by \\n TargetUserId, TargetUsername, TargetUserType \\n| where FailureCount \u003e= failureCountThreshold and SuccessCount \u003e= successCountThreshold\\n| extend\\n IpAddresses = strcat_array(IpAddresses, \\\", \\\"), \\n ReportedBy = strcat_array(ReportedBy, \\\", \\\")\",\"customDetails\":{\"IpAddresses\":\"IpAddresses\",\"ReportedBy\":\"ReportedBy\"},\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUsername\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Brute force attack against user credentials (Uses Authentication Normalization)\",\"description\":\"Identifies evidence of brute force activity against a user based on multiple authentication failures \\nand at least one successful authentication within a given time window. Note that the query does not enforce any sequence,\\nand does not require the successful authentication to occur last.\\nThe default failure threshold is 10, success threshold is 1, and the default time window is 20 minutes.\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimAuthentication)\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2021-06-14T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bb8a3481-dd14-4e76-8dcc-bbec8776d695\",\"name\":\"bb8a3481-dd14-4e76-8dcc-bbec8776d695\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.1\",\"severity\":\"Medium\",\"query\":\"let DomainNames = dynamic([\u0027onetechcompany.com\u0027, \u0027reyweb.com\u0027, \u0027srfnetwork.org\u0027, \u0027sense4baby.fr\u0027, \u0027nikeoutletinc.org\u0027, \u0027megatoolkit.com\u0027]);\\nlet IPList = dynamic([\u0027185.225.69.69\u0027]);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or DestinationHostName in~ (DomainNames) or RequestURL has_any (DomainNames) or Message has_any (IPList)\\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", RequestURL in (DomainNames), \\\"RequestUrl\\\", \\\"NoMatch\\\") \\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, \\\"NoMatch\\\"), AccountCustomEntity = SourceUserID\\n),\\n(_Im_Dns (domain_has_any=DomainNames)\\n| extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n),\\n(_Im_Dns (response_has_any_prefix=IPList)\\n| extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n),\\n(_Im_WebSession(url_has_any=DomainNames)\\n| extend DestinationIPAddress = DstIpAddr, DNSName = tostring(parse_url(Url)[\\\"Host\\\"]), Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n),\\n(VMConnection\\n| where SourceIp in (IPList) or DestinationIp in (IPList) or RemoteDnsCanonicalNames has_any (DomainNames)\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"NoMatch\\\"), HostCustomEntity = Computer\\n),\\n(OfficeActivity\\n| where ClientIP in (IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = UserId\\n),\\n(DeviceNetworkEvents\\n| where RemoteUrl has_any (DomainNames) or RemoteIP in (IPList)\\n| extend timestamp = TimeGenerated, DNSName = RemoteUrl, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"DNSName\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"NOBELIUM - Domain and IP IOCs - March 2021\",\"description\":\"Identifies a match across various data feeds for domains and IP IOCs related to NOBELIUM.\\n References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2021-03-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f7f4a77e-f68f-4b56-9aaf-a0c9d87d7a8e\",\"name\":\"f7f4a77e-f68f-4b56-9aaf-a0c9d87d7a8e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Low\",\"query\":\"// Replace these with the username or emails of your VIP users you wish to monitor for.\\nlet vips = dynamic([\u0027vip1@email.com\u0027,\u0027vip2@email.com\u0027]);\\n// Add users who are allowed to conduct these searches - this could be specific SOC team members\\nlet allowed_users = dynamic([]);\\nLAQueryLogs\\n| where QueryText has_any (vips) or QueryText has_any (\u0027_GetWatchlist(\\\"VIPUsers\\\")\u0027, \\\"_GetWatchlist(\u0027VIPUsers\u0027)\\\")\\n| where AADEmail !in (allowed_users)\\n| project TimeGenerated, AADEmail, RequestClientApp, QueryText, ResponseRowCount, RequestTarget\\n| extend timestamp = TimeGenerated, AccountCustomEntity = AADEmail\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"RequestTarget\"}]}],\"tactics\":[\"Collection\",\"Exfiltration\"],\"displayName\":\"Users searching for VIP user activity\",\"description\":\"This query monitors for users running Log Analytics queries that contain filters\\nfor specific, defined VIP user accounts or the VIPUser watchlist template.\\nUse this detection to alert for users specifically searching for activity of sensitive users.\",\"lastUpdatedDateUTC\":\"2021-11-11T00:00:00Z\",\"createdDateUTC\":\"2020-09-16T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/62085097-d113-459f-9ea7-30216f2ee6af\",\"name\":\"62085097-d113-459f-9ea7-30216f2ee6af\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P3D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let starttime = 3d;\\nlet SecEvents = materialize ( SecurityEvent | where TimeGenerated \u003e= ago(starttime)\\n| where EventID in (4722,4723) | where TargetUserName !endswith \\\"$\\\"\\n| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetSid, SubjectAccount, SubjectUserSid);\\nlet userEnable = SecEvents\\n| extend EventID4722Time = TimeGenerated\\n// 4722: User Account Enabled\\n| where EventID == 4722\\n| project Time_Event4722 = TimeGenerated, TargetAccount, TargetSid, SubjectAccount_Event4722 = SubjectAccount, SubjectUserSid_Event4722 = SubjectUserSid, Activity_4722 = Activity, Computer_4722 = Computer;\\nlet userPwdSet = SecEvents\\n// 4723: Attempt made by user to set password\\n| where EventID == 4723\\n| project Time_Event4723 = TimeGenerated, TargetAccount, TargetSid, SubjectAccount_Event4723 = SubjectAccount, SubjectUserSid_Event4723 = SubjectUserSid, Activity_4723 = Activity, Computer_4723 = Computer;\\nuserEnable | join kind=leftouter userPwdSet on TargetAccount, TargetSid\\n| extend PasswordSetAttemptDelta_Min = datetime_diff(\u0027minute\u0027, Time_Event4723, Time_Event4722)\\n| where PasswordSetAttemptDelta_Min \u003e 2880 or isempty(PasswordSetAttemptDelta_Min)\\n| project-away TargetAccount1, TargetSid1\\n| extend Reason = @\\\"User either has not yet attempted to set the initial password after account was enabled or it occurred after 48 hours\\\"\\n| order by Time_Event4722 asc \\n| extend timestamp = Time_Event4722, AccountCustomEntity = TargetAccount, HostCustomEntity = Computer_4722\\n| project-reorder Time_Event4722, Time_Event4723, PasswordSetAttemptDelta_Min, TargetAccount, TargetSid\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"Sid\",\"columnName\":\"TargetSid\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"AD user enabled and password not set within 48 hours\",\"description\":\"Identifies when an account is enabled with a default password and the password is not set by the user within 48 hours.\\nEffectively, there is an event 4722 indicating an account was enabled and within 48 hours, no event 4723 occurs which \\nindicates there was no attempt by the user to set the password. This will show any attempts (success or fail) that occur \\nafter 48 hours, which can indicate too long of a time period in setting the password to something that only the user knows.\\nIt is recommended that this time period is adjusted per your internal company policy.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-01-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f9949656-473f-4503-bf43-a9d9890f7d08\",\"name\":\"f9949656-473f-4503-bf43-a9d9890f7d08\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.3\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n//Exclude local addresses, using the ipv4_is_private operator\\n| where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \\\"fe80\\\" and TI_ipEntity !startswith \\\"::\\\" and TI_ipEntity !startswith \\\"127.\\\"\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n AppServiceHTTPLogs | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(CIp)\\n | extend WebApp = split(_ResourceId, \u0027/\u0027)[8]\\n // renaming time column so it is clear the log this came from\\n | extend AppService_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.CIp\\n| where AppService_TimeGenerated \u003c ExpirationDateTime\\n| summarize AppService_TimeGenerated = arg_max(AppService_TimeGenerated, *) by IndicatorId, CIp\\n| project AppService_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, CsUsername, \\nWebApp = split(_ResourceId, \u0027/\u0027)[8], CIp, CsHost, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, _ResourceId\\n| extend timestamp = AppService_TimeGenerated, AccountCustomEntity = CsUsername, IPCustomEntity = CIp, URLCustomEntity = Url, HostCustomEntity = CsHost\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"_ResourceId\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to AppServiceHTTPLogs\",\"description\":\"Identifies a match in AppServiceHTTPLogs from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2022-04-26T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f8b3c49c-4087-499b-920f-0dcfaff0cbca\",\"name\":\"f8b3c49c-4087-499b-920f-0dcfaff0cbca\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"imProcessCreate\\n | where CommandLine contains \\\"TVqQAAMAAAAEAAA\\\"\\n | where isnotempty(Process)\\n | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by Dvc, ActorUsername, Process, CommandLine, ActingProcessName, EventVendor, EventProduct\\n | extend timestamp = StartTimeUtc, AccountCustomEntity = ActorUsername, HostCustomEntity = Dvc\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Execution\",\"DefenseEvasion\"],\"displayName\":\"Base64 encoded Windows process command-lines (Normalized Process Events)\",\"description\":\"Identifies instances of a base64 encoded PE file header seen in the process command line parameter.\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimProcessEvent)\",\"lastUpdatedDateUTC\":\"2022-02-14T00:00:00Z\",\"createdDateUTC\":\"2018-09-13T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c3e5dbaa-a540-408c-8b36-68bdfb3df088\",\"name\":\"c3e5dbaa-a540-408c-8b36-68bdfb3df088\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n | where EventID==4688\\n | where isnotempty(CommandLine)\\n | where CommandLine contains \\\"TVqQAAMAAAAEAAA\\\"\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"Execution\",\"DefenseEvasion\"],\"displayName\":\"NRT Base64 encoded Windows process command-lines\",\"description\":\"Identifies instances of a base64 encoded PE file header seen in the process command line parameter.\",\"lastUpdatedDateUTC\":\"2022-02-07T00:00:00Z\",\"createdDateUTC\":\"2022-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0433c8a3-9aa6-4577-beef-2ea23be41137\",\"name\":\"0433c8a3-9aa6-4577-beef-2ea23be41137\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P2D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let admin_users = (IdentityInfo\\n | where TimeGenerated \u003e ago(2d)\\n | summarize arg_max(TimeGenerated, *) by AccountUPN\\n | where AssignedRoles contains \\\"admin\\\"\\n | summarize by tolower(AccountUPN));\\n AuditLogs\\n | where Category =~ \\\"RoleManagement\\\"\\n | where OperationName has \\\"Add eligible member\\\"\\n | extend userPrincipalName = tostring(TargetResources[0].userPrincipalName)\\n | where tolower(userPrincipalName) in (admin_users)\\n | extend Group = tostring(TargetResources[0].displayName)\\n | extend AddedTo = iif(isnotempty(userPrincipalName), userPrincipalName, Group)\\n | extend mod_props = TargetResources[0].modifiedProperties\\n | extend appName = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n | extend UPN = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend AddedBy = iif(isnotempty(appName), appName, UPN)\\n | mv-expand mod_props\\n | where mod_props.displayName == \\\"Role.DisplayName\\\"\\n | extend RoleAdded = tostring(parse_json(tostring(mod_props.newValue)))\\n | project-reorder TimeGenerated, OperationName, AddedTo, RoleAdded, AddedBy\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"userPrincipalName\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddedBy\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Privileged Account Permissions Changed\",\"description\":\"Detects changes to permissions assigned to admin users. Threat actors may try and increase permission scope by adding additional roles to already privileged accounts.\\nReview any modifications to ensure they were made legitimately.\\nRef: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts\",\"lastUpdatedDateUTC\":\"2022-07-09T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"BehaviorAnalytics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/79566f41-df67-4e10-a703-c38a6213afd8\",\"name\":\"79566f41-df67-4e10-a703-c38a6213afd8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n| where OperationName has_any (\\\"Add service principal\\\", \\\"Certificates and secrets management\\\") // captures \\\"Add service principal\\\", \\\"Add service principal credentials\\\", and \\\"Update application - Certificates and secrets management\\\" events\\n| where Result =~ \\\"success\\\"\\n| mv-expand target = TargetResources\\n| where tostring(InitiatedBy.user.userPrincipalName) has \\\"@\\\" or tostring(InitiatedBy.app.displayName) has \\\"@\\\"\\n| extend targetDisplayName = tostring(TargetResources[0].displayName)\\n| extend targetId = tostring(TargetResources[0].id)\\n| extend targetType = tostring(TargetResources[0].type)\\n| extend keyEvents = TargetResources[0].modifiedProperties\\n| mv-expand keyEvents\\n| where keyEvents.displayName =~ \\\"KeyDescription\\\"\\n| extend new_value_set = parse_json(tostring(keyEvents.newValue))\\n| extend old_value_set = parse_json(tostring(keyEvents.oldValue))\\n| where old_value_set != \\\"[]\\\"\\n| extend diff = set_difference(new_value_set, old_value_set)\\n| where isnotempty(diff)\\n| parse diff with * \\\"KeyIdentifier=\\\" keyIdentifier:string \\\",KeyType=\\\" keyType:string \\\",KeyUsage=\\\" keyUsage:string \\\",DisplayName=\\\" keyDisplayName:string \\\"]\\\" *\\n| where keyUsage == \\\"Verify\\\" or keyUsage == \\\"\\\"\\n| extend UserAgent = iff(AdditionalDetails[0].key == \\\"User-Agent\\\",tostring(AdditionalDetails[0].value),\\\"\\\")\\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n// The below line is currently commented out but Microsoft Sentinel users can modify this query to show only Application or only Service Principal events in their environment\\n//| where targetType =~ \\\"Application\\\" // or targetType =~ \\\"ServicePrincipal\\\"\\n| project-away diff, new_value_set, old_value_set\\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, InitiatingIpAddress, UserAgent, targetDisplayName, targetId, targetType, keyDisplayName, keyType, keyUsage, keyIdentifier, CorrelationId, TenantId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingUserOrApp, IPCustomEntity = InitiatingIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"New access credential added to Application or Service Principal\",\"description\":\"This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where a verify KeyCredential was already present for the app.\\nIf a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2022-01-17T00:00:00Z\",\"createdDateUTC\":\"2020-11-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/66276b14-32c5-4226-88e3-080dacc31ce1\",\"name\":\"66276b14-32c5-4226-88e3-080dacc31ce1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\nlet AccountAllowList = dynamic([\u0027SYSTEM\u0027]);\\nlet SubCategoryList = dynamic([\\\"Logoff\\\", \\\"Account Lockout\\\", \\\"User Account Management\\\", \\\"Authorization Policy Change\\\"]); // Add any Category in the list to be allowed or disallowed\\nlet tokens = dynamic([\\\"clear\\\", \\\"remove\\\", \\\"success:disable\\\",\\\"failure:disable\\\"]); \\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(timeframe)\\n//| where Process =~ \\\"auditpol.exe\\\" \\n| where CommandLine has_any (tokens)\\n| where AccountType !~ \\\"Machine\\\" and Account !in~ (AccountAllowList)\\n| parse CommandLine with * \\\"/subcategory:\\\" subcategorytoken\\n| extend SubCategory = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[1]) , Toggle = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[2])\\n| where SubCategory in~ (SubCategoryList) //use in~ for inclusion or !in~ for exclusion\\n| where Toggle !in~ (\\\"/failure:disable\\\", \\\" /success:enable /failure:disable\\\") // use this filter if required to exclude certain toggles\\n| project TimeGenerated, Computer, Account, SubjectDomainName, SubjectUserName, Process, ParentProcessName, CommandLine, SubCategory, Toggle\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(\\nDeviceProcessEvents\\n| where TimeGenerated \u003e= ago(timeframe)\\n// | where InitiatingProcessFileName =~ \\\"auditpol.exe\\\" \\n| where InitiatingProcessCommandLine has_any (tokens)\\n| where AccountName !in~ (AccountAllowList)\\n| parse InitiatingProcessCommandLine with * \\\"/subcategory:\\\" subcategorytoken\\n| extend SubCategory = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[1]) , Toggle = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[2])\\n| where SubCategory in~ (SubCategoryList) //use in~ for inclusion or !in~ for exclusion\\n| where Toggle !in~ (\\\"/failure:disable\\\", \\\" /success:enable /failure:disable\\\") // use this filter if required to exclude certain toggles\\n| project TimeGenerated, DeviceName, AccountName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessParentFileName, InitiatingProcessCommandLine, SubCategory, Toggle\\n| extend timestamp = TimeGenerated, AccountCustomEntity = AccountName, HostCustomEntity = DeviceName\\n),\\n(\\nEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key=tostring([\u0027@Name\u0027]), Value=[\u0027#text\u0027]\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n// | where OriginalFileName =~ \\\"auditpol.exe\\\"\\n| where CommandLine has_any (tokens)\\n| where User !in~ (AccountAllowList)\\n| parse CommandLine with * \\\"/subcategory:\\\" subcategorytoken\\n| extend SubCategory = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[1]) , Toggle = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[2])\\n| where SubCategory in~ (SubCategoryList) //use in~ for inclusion or !in~ for exclusion\\n| where Toggle !in~ (\\\"/failure:disable\\\", \\\" /success:enable /failure:disable\\\") // use this filter if required to exclude certain toggles\\n| project TimeGenerated, Computer, User, Process, ParentImage, CommandLine, SubCategory, Toggle\\n| extend timestamp = TimeGenerated, AccountCustomEntity = User, HostCustomEntity = Computer\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"Audit policy manipulation using auditpol utility\",\"description\":\"This detects attempt to manipulate audit policies using auditpol command.\\nThis technique was seen in relation to Solorigate attack but the results can indicate potential malicious activity used in different attacks.\\nThe process name in each data source is commented out as an adversary could rename it. It is advisable to keep process name commented but \\nif the results show unrelated false positives, users may want to uncomment it.\\nRefer to auditpol syntax: https://docs.microsoft.com/windows-server/administration/windows-commands/auditpol \\nRefer to our M365 blog for details on use during the Solorigate attack:\\nhttps://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/18e6a87e-9d06-4a4e-8b59-3469cd49552d\",\"name\":\"18e6a87e-9d06-4a4e-8b59-3469cd49552d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"(union isfuzzy=true \\n(SecurityEvent \\n| where EventID == 4662 // You need to create a SACL on the ADFS Policy Store DKM group for this event to be created. \\n| where ObjectServer == \u0027DS\u0027\\n| where OperationType == \u0027Object Access\u0027\\n//| where ObjectName contains \u0027\u003cGUID of ADFS Policy Store DKM Group object\u0027 This is unique to the domain. Check description for more details.\\n| where ObjectType contains \u00275cb41ed0-0e4c-11d0-a286-00aa003049e2\u0027 // Contact Class\\n| where Properties contains \u00278d3bca50-1d7e-11d0-a081-00aa006c33ed\u0027 // Picture Attribute - Ldap-Display-Name: thumbnailPhoto\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = SubjectAccount\\n),\\n( WindowsEvent \\n| where EventID == 4662 // You need to create a SACL on the ADFS Policy Store DKM group for this event to be created. \\n| where EventData has_all(\u0027Object Access\u0027, \u00275cb41ed0-0e4c-11d0-a286-00aa003049e2\u0027,\u00278d3bca50-1d7e-11d0-a081-00aa006c33ed\u0027) \\n| extend ObjectServer = tostring(EventData.ObjectServer)\\n| where ObjectServer == \u0027DS\u0027\\n| extend OperationType = tostring(EventData.OperationType)\\n| where OperationType == \u0027Object Access\u0027\\n//| where ObjectName contains \u0027\u003cGUID of ADFS Policy Store DKM Group object\u0027 This is unique to the domain. Check description for more details.\\n| extend ObjectType = tostring(EventData.ObjectType)\\n| where ObjectType contains \u00275cb41ed0-0e4c-11d0-a286-00aa003049e2\u0027 // Contact Class\\n| extend Properties = tostring(EventData.Properties)\\n| where Properties contains \u00278d3bca50-1d7e-11d0-a081-00aa006c33ed\u0027 // Picture Attribute - Ldap-Display-Name: thumbnailPhoto\\n| extend SubjectAccount = strcat(tostring(EventData.SubjectDomainName), \\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend \\n timestamp = TimeGenerated,\\n HostCustomEntity = Computer,\\n AccountCustomEntity = SubjectAccount\\n),\\n(DeviceEvents\\n| where ActionType =~ \\\"LdapSearch\\\"\\n| where AdditionalFields.AttributeList contains \\\"thumbnailPhoto\\\"\\n| where AdditionalFields.DistinguishedName contains \\\"CN=ADFS,CN=Microsoft,CN=Program Data\\\" // Filter results to show only hits related to the ADFS AD container\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName, AccountCustomEntity = InitiatingProcessAccountName\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Collection\"],\"displayName\":\"ADFS DKM Master Key Export\",\"description\":\"Identifies an export of the ADFS DKM Master Key from Active Directory.\\nReferences: https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/, \\nhttps://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html?1\\nTo understand further the details behind this detection, please review the details in the original PR and subequent PR update to this:\\nhttps://github.com/Azure/Azure-Sentinel/pull/1562#issue-551542469\\nhttps://github.com/Azure/Azure-Sentinel/pull/1512#issue-543053339\\n\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2020-12-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceEvents\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2391ce61-8c8d-41ac-9723-d945b2e90720\",\"name\":\"2391ce61-8c8d-41ac-9723-d945b2e90720\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P8D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"Low\",\"query\":\"let starttime = 8d;\\nlet endtime = 1d;\\nlet threshold = 0.333;\\nlet countlimit = 50;\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4625 and AccountType =~ \\\"User\\\"\\n| where IpAddress !in (\\\"127.0.0.1\\\", \\\"::1\\\")\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), CountToday = count() by EventID, Account, LogonTypeName, SubStatus, AccountType, Computer, WorkstationName, IpAddress, Process\\n| join kind=leftouter (\\n SecurityEvent \\n | where TimeGenerated between (ago(starttime) .. ago(endtime))\\n | where EventID == 4625 and AccountType =~ \\\"User\\\"\\n | where IpAddress !in (\\\"127.0.0.1\\\", \\\"::1\\\")\\n | summarize CountPrev7day = count() by EventID, Account, LogonTypeName, SubStatus, AccountType, Computer, WorkstationName, IpAddress\\n) on EventID, Account, LogonTypeName, SubStatus, AccountType, Computer, WorkstationName, IpAddress\\n| where CountToday \u003e= coalesce(CountPrev7day,0)*threshold and CountToday \u003e= countlimit\\n//SubStatus Codes are detailed here - https://docs.microsoft.com/windows/security/threat-protection/auditing/event-4625\\n| extend Reason = case(\\nSubStatus =~ \u00270xC000005E\u0027, \u0027There are currently no logon servers available to service the logon request.\u0027,\\nSubStatus =~ \u00270xC0000064\u0027, \u0027User logon with misspelled or bad user account\u0027,\\nSubStatus =~ \u00270xC000006A\u0027, \u0027User logon with misspelled or bad password\u0027, \\nSubStatus =~ \u00270xC000006D\u0027, \u0027Bad user name or password\u0027,\\nSubStatus =~ \u00270xC000006E\u0027, \u0027Unknown user name or bad password\u0027,\\nSubStatus =~ \u00270xC000006F\u0027, \u0027User logon outside authorized hours\u0027,\\nSubStatus =~ \u00270xC0000070\u0027, \u0027User logon from unauthorized workstation\u0027,\\nSubStatus =~ \u00270xC0000071\u0027, \u0027User logon with expired password\u0027,\\nSubStatus =~ \u00270xC0000072\u0027, \u0027User logon to account disabled by administrator\u0027,\\nSubStatus =~ \u00270xC00000DC\u0027, \u0027Indicates the Sam Server was in the wrong state to perform the desired operation\u0027, \\nSubStatus =~ \u00270xC0000133\u0027, \u0027Clocks between DC and other computer too far out of sync\u0027,\\nSubStatus =~ \u00270xC000015B\u0027, \u0027The user has not been granted the requested logon type (aka logon right) at this machine\u0027,\\nSubStatus =~ \u00270xC000018C\u0027, \u0027The logon request failed because the trust relationship between the primary domain and the trusted domain failed\u0027,\\nSubStatus =~ \u00270xC0000192\u0027, \u0027An attempt was made to logon, but the Netlogon service was not started\u0027,\\nSubStatus =~ \u00270xC0000193\u0027, \u0027User logon with expired account\u0027,\\nSubStatus =~ \u00270xC0000224\u0027, \u0027User is required to change password at next logon\u0027,\\nSubStatus =~ \u00270xC0000225\u0027, \u0027Evidently a bug in Windows and not a risk\u0027,\\nSubStatus =~ \u00270xC0000234\u0027, \u0027User logon with account locked\u0027,\\nSubStatus =~ \u00270xC00002EE\u0027, \u0027Failure Reason: An Error occurred during Logon\u0027,\\nSubStatus =~ \u00270xC0000413\u0027, \u0027Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine\u0027,\\nstrcat(\u0027Unknown reason substatus: \u0027, SubStatus))\\n| extend WorkstationName = iff(WorkstationName == \\\"-\\\" or isempty(WorkstationName), Computer , WorkstationName) \\n| project StartTime, EndTime, EventID, Account, LogonTypeName, SubStatus, Reason, AccountType, Computer, WorkstationName, IpAddress, CountToday, CountPrev7day, Avg7Day = round(CountPrev7day*1.00/7,2), Process\\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), Computer = make_set(Computer,128), IpAddressList = make_set(IpAddress,128), sum(CountToday), sum(CountPrev7day), avg(Avg7Day) \\nby EventID, Account, LogonTypeName, SubStatus, Reason, AccountType, WorkstationName, Process\\n| order by sum_CountToday desc nulls last \\n| extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity = WorkstationName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"Process\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Excessive Windows logon failures\",\"description\":\"User has over 50 Windows logon failures today and at least 33% of the count of logon failures over the previous 7 days.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/56f3f35c-3aca-4437-a1fb-b7a84dc4af00\",\"name\":\"56f3f35c-3aca-4437-a1fb-b7a84dc4af00\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n | where EventID == 4657\\n | parse ObjectName with \\\"\\\\\\\\REGISTRY\\\\\\\\\\\" KeyPrefix \\\"\\\\\\\\\\\" RegistryKey\\n | project-reorder RegistryKey\\n | where RegistryKey has \\\"Software\\\\\\\\Classes\\\\\\\\ms-settings\\\\\\\\shell\\\\\\\\open\\\\\\\\command\\\"\\n | extend TimeKey = bin(TimeGenerated, 1h)\\n | join (\\n SecurityEvent\\n | where EventID == 4688\\n | where Process =~ \\\"fodhelper.exe\\\"\\n | where ParentProcessName endswith \\\"cmd.exe\\\" or ParentProcessName endswith \\\"powershell.exe\\\" or ParentProcessName endswith \\\"powershell_ise.exe\\\"\\n | extend TimeKey = bin(TimeGenerated, 1h)) on TimeKey, Computer\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Potential Fodhelper UAC Bypass\",\"description\":\"This detection looks for the steps required to conduct a UAC bypass using Fodhelper.exe. By default this detection looks for the setting of the required registry keys and the invoking of the process within 1 hour - this can be tweaked as required.\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-02-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4b93c5af-d20b-4236-b696-a28b8c51407f\",\"name\":\"4b93c5af-d20b-4236-b696-a28b8c51407f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1DT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\nlet spanoftime = 10m;\\nlet threshold = 0;\\n (union isfuzzy=true\\n (SecurityEvent\\n| where TimeGenerated \u003e ago(timeframe+spanoftime)\\n// A user account was created\\n| where EventID == 4720\\n| where AccountType =~ \\\"User\\\"\\n| project creationTime = TimeGenerated, CreateEventID = EventID, CreateActivity = Activity, Computer, TargetUserName, UserPrincipalName, \\nAccountUsedToCreate = SubjectAccount, SIDofAccountUsedToCreate = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid\\n),\\n(\\nWindowsEvent\\n| where TimeGenerated \u003e ago(timeframe+spanoftime)\\n// A user account was created\\n| where EventID == 4720\\n| extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| extend AccountType=case(EventData.SubjectUserName endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n| where AccountType =~ \\\"User\\\"\\n| extend SubjectAccount = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| extend TargetSid = tostring(EventData.TargetSid)\\n| extend UserPrincipalName = tostring(EventData.UserPrincipalName)\\n| extend Activity = \\\"4720 - A user account was created.\\\"\\n| extend TargetUserName = tostring(EventData.TargetUserName) \\n| project creationTime = TimeGenerated, CreateEventID = EventID, CreateActivity = Activity, Computer, TargetUserName, UserPrincipalName, \\nAccountUsedToCreate = SubjectAccount, SIDofAccountUsedToCreate = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid \\n))\\n| join kind= inner (\\n (union isfuzzy=true\\n (SecurityEvent\\n | where TimeGenerated \u003e ago(timeframe)\\n // A user account was deleted\\n | where EventID == 4726\\n| where AccountType == \\\"User\\\"\\n| project deletionTime = TimeGenerated, DeleteEventID = EventID, DeleteActivity = Activity, Computer, TargetUserName, UserPrincipalName, \\nAccountUsedToDelete = SubjectAccount, SIDofAccountUsedToDelete = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid\\n),\\n(WindowsEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n // A user account was deleted\\n| where EventID == 4726\\n| extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| extend SubjectAccount = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend AccountType=case(SubjectAccount endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n| where AccountType == \\\"User\\\"\\n| extend TargetSid = tostring(EventData.TargetSid)\\n| extend UserPrincipalName = tostring(EventData.UserPrincipalName)\\n| extend Activity = \\\"4726 - A user account was deleted.\\\"\\n| extend TargetUserName = tostring(EventData.TargetUserName) \\n| extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| project deletionTime = TimeGenerated, DeleteEventID = EventID, DeleteActivity = Activity, Computer, TargetUserName, UserPrincipalName, AccountUsedToDelete = SubjectAccount, SIDofAccountUsedToDelete = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid))\\n) on Computer, TargetAccount\\n| where deletionTime - creationTime \u003c spanoftime\\n| extend TimeDelta = deletionTime - creationTime\\n| where tolong(TimeDelta) \u003e= threshold\\n| project TimeDelta, creationTime, CreateEventID, CreateActivity, Computer, TargetAccount, TargetSid, UserPrincipalName, AccountUsedToCreate, SIDofAccountUsedToCreate,\\ndeletionTime, DeleteEventID, DeleteActivity, AccountUsedToDelete, SIDofAccountUsedToDelete\\n| extend timestamp = creationTime, AccountCustomEntity = AccountUsedToCreate, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"Sid\",\"columnName\":\"SIDofAccountUsedToCreate\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"User account created and deleted within 10 mins\",\"description\":\"Identifies when a user account is created and then deleted within 10 minutes. This can be an indication of compromise and\\nan adversary attempting to hide in the noise.\",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2019-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d7feb859-f03e-4e8d-8b21-617be0213b13\",\"name\":\"d7feb859-f03e-4e8d-8b21-617be0213b13\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let admin_users = (IdentityInfo\\n | summarize arg_max(TimeGenerated, *) by AccountUPN\\n | where AssignedRoles contains \\\"admin\\\"\\n | summarize by tolower(AccountUPN));\\n AuditLogs\\n | where OperationName =~ \\\"Admin registered security info\\\"\\n | where ResultReason =~ \\\"Admin registered temporary access pass method for user\\\"\\n | extend userPrincipalName = tostring(TargetResources[0].userPrincipalName)\\n | where tolower(userPrincipalName) in (admin_users)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"userPrincipalName\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Addition of a Temporary Access Pass to a Privileged Account\",\"description\":\"Detects when a Temporary Access Pass (TAP) is created for a Privileged Account.\\n A Temporary Access Pass is a time-limited passcode issued by an admin that satisfies strong authentication requirements and can be used to onboard other authentication methods, including Passwordless ones such as Microsoft Authenticator or even Windows Hello.\\n A threat actor could use a TAP to register a new authentication method to maintain persistance to an account.\\n Review any TAP creations to ensure they were used legitimately.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"BehaviorAnalytics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1399664f-9434-497c-9cde-42e4d74ae20e\",\"name\":\"1399664f-9434-497c-9cde-42e4d74ae20e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"SecurityAlert \\n| where AlertName == \\\"Impossible travel activity\\\"\\n| extend Extprop = parsejson(Entities)\\n| mv-expand Extprop\\n| extend Extprop = parsejson(Extprop)\\n| extend CmdLine = iff(Extprop[\u0027Type\u0027]==\\\"process\\\", Extprop[\u0027CommandLine\u0027], \u0027\u0027)\\n| extend File = iff(Extprop[\u0027Type\u0027]==\\\"file\\\", Extprop[\u0027Name\u0027], \u0027\u0027)\\n| extend Account = Extprop[\u0027Name\u0027]\\n| extend Domain = Extprop[\u0027UPNSuffix\u0027]\\n| extend Account = iif(isnotempty(Domain) and Extprop[\u0027Type\u0027]==\\\"account\\\", tolower(strcat(Account, \\\"@\\\", Domain)), iif(Extprop[\u0027Type\u0027]==\\\"account\\\", tolower(Account), \\\"\\\"))\\n| extend IpAddress = iff(Extprop[\\\"Type\\\"] == \\\"ip\\\",Extprop[\u0027Address\u0027], \u0027\u0027)\\n| extend Process = iff(isnotempty(CmdLine), CmdLine, File)\\n| project TimeGenerated,Account,IpAddress,CompromisedEntity,Description,ProviderName,ResourceId\\n| join kind=inner\\n(\\nOfficeActivity\\n| where Operation =~ \\\"Add-MailboxPermission\\\"\\n| extend value = tostring(parse_json(Parameters)[3].Value)\\n| where value contains \\\"FullAccess\\\"\\n| where ResultStatus == \\\"True\\\"\\n| project Parameters,TimeGenerated,value,RecordType,Operation,OrganizationId,UserType,UserKey,OfficeWorkload,ResultStatus,OfficeObjectId,UserId,ClientIP,ExternalAccess,OriginatingServer,OrganizationName,TenantId,ElevationTime,SourceSystem,OfficeId,OfficeTenantId,Type,SourceRecordId\\n) on $left.Account == $right.UserId\\n| join kind=inner\\n(\\nAuditLogs\\n| where ActivityDisplayName =~ \\\"Add eligible member to role in PIM requested (timebound)\\\"\\n| where AADOperationType =~ \\\"CreateRequestEligibleRole\\\"\\n| where TargetResources has_any (\\\"-PRIV\\\", \\\"Administrator\\\", \\\"Security\\\")\\n| extend BuiltinRole = tostring(parse_json(TargetResources[0].displayName))\\n| extend CustomGroup = tostring(parse_json(TargetResources[3].displayName))\\n| extend TargetAccount = tostring(parse_json(TargetResources[2].displayName))\\n| extend Initiatedby = Identity\\n| project TimeGenerated, ActivityDisplayName, AADOperationType, Initiatedby, TargetAccount, BuiltinRole, CustomGroup, LoggedByService, Result, ResourceId, Id\\n| sort by TimeGenerated desc\\n) on $left.UserId == $right.Initiatedby\\n| project AADOperationType, ActivityDisplayName,AccountCustomEntity=Initiatedby, Id,ResourceId,IPCustomEntity=IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"PrivilegeEscalation\"],\"displayName\":\"Detecting Impossible travel with mailbox permission tampering \u0026 Privilege Escalation attempt\",\"description\":\"This hunting query will alert on any Impossible travel activity in correlation with mailbox permission tampering followed by account being added to a PIM managed privileged group.\\nEnsure this impossible travel incident with increase of privileges is legitimate in your environment.\",\"lastUpdatedDateUTC\":\"2022-02-09T00:00:00Z\",\"createdDateUTC\":\"2022-02-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert (ASC)\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4f19d4e3-ec5f-4abc-9e61-819eb131758c\",\"name\":\"4f19d4e3-ec5f-4abc-9e61-819eb131758c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let EventNameList = dynamic([ \\\"AuthorizeSecurityGroupEgress\\\", \\\"AuthorizeSecurityGroupIngress\\\", \\\"RevokeSecurityGroupEgress\\\", \\\"RevokeSecurityGroupIngress\\\"]);\\nAWSCloudTrail\\n| where EventName in~ (EventNameList)\\n| extend User = iif(isnotempty(UserIdentityUserName), UserIdentityUserName, SessionIssuerUserName)\\n| summarize EventCount=count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) \\nby EventSource, EventName, UserIdentityType, User, SourceIpAddress, UserAgent, SessionMfaAuthenticated, AWSRegion, \\nAdditionalEventData, UserIdentityAccountId, UserIdentityPrincipalid, ResponseElements\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User , IPCustomEntity = SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Changes to AWS Security Group ingress and egress settings\",\"description\":\"A Security Group acts as a virtual firewall of an instance to control inbound and outbound traffic. \\n Hence, ingress and egress settings changes to AWS Security Group should be monitored as these can expose the enviornment to new attack vectors.\\nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0914adab-90b5-47a3-a79f-7cdcac843aa7\",\"name\":\"0914adab-90b5-47a3-a79f-7cdcac843aa7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Low\",\"query\":\"let starttime = 14d;\\nlet timeframe = 1d;\\nlet scorethreshold = 3;\\nlet baselinethreshold = 5;\\n// To avoid any False Positives, filtering using AppId is recommended. For example the AppId 509e4652-da8d-478d-a730-e9d4a1996ca4 has been added in the query as it corresponds \\n// to Azure Resource Graph performing VaultGet operations for indexing and syncing all tracked resources across Azure.\\nlet Allowedappid = dynamic([\\\"509e4652-da8d-478d-a730-e9d4a1996ca4\\\"]);\\nlet OperationList = dynamic(\\n[\\\"SecretGet\\\", \\\"KeyGet\\\", \\\"VaultGet\\\"]);\\nlet TimeSeriesData = AzureDiagnostics\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(now()))\\n| where not((identity_claim_appid_g in (Allowedappid)) and OperationName == \u0027VaultGet\u0027)\\n| extend ResultType = columnifexists(\\\"ResultType\\\", \\\"None\\\"), CallerIPAddress = columnifexists(\\\"CallerIPAddress\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where CallerIPAddress !~ \\\"None\\\" and isnotempty(CallerIPAddress)\\n| where ResourceType =~ \\\"VAULTS\\\" and ResultType =~ \\\"Success\\\"\\n| where OperationName in (OperationList)\\n| project TimeGenerated, OperationName, Resource, CallerIPAddress\\n| make-series HourlyCount=count() on TimeGenerated from startofday(ago(starttime)) to startofday(now()) step timeframe by Resource;\\n//Filter anomolies against TimeSeriesData\\nlet TimeSeriesAlerts = TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(HourlyCount, scorethreshold, -1, \u0027linefit\u0027)\\n| mv-expand HourlyCount to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double),score to typeof(double), baseline to typeof(long)\\n| where anomalies \u003e 0 | extend AnomalyHour = TimeGenerated\\n| where baseline \u003e baselinethreshold // Filtering low count events per baselinethreshold\\n| project Resource, AnomalyHour, TimeGenerated, HourlyCount, baseline, anomalies, score;\\nlet AnomalyHours = TimeSeriesAlerts | where TimeGenerated \u003e ago(2d) | project TimeGenerated;\\n// Filter the alerts since specified timeframe\\nTimeSeriesAlerts\\n| where TimeGenerated \u003e ago(2d)\\n// Join against base logs since specified timeframe to retrive records associated with the hour of anomoly\\n| join (\\nAzureDiagnostics\\n| where TimeGenerated \u003e ago(timeframe)\\n| where not((identity_claim_appid_g in (Allowedappid)) and OperationName == \u0027VaultGet\u0027)\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n| extend ResultType = columnifexists(\\\"ResultType\\\", \\\"NoResultType\\\")\\n| extend requestUri_s = columnifexists(\\\"requestUri_s\\\", \\\"None\\\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"None\\\")\\n| extend id_s = columnifexists(\\\"id_s\\\", \\\"None\\\"), CallerIPAddress = columnifexists(\\\"CallerIPAddress\\\", \\\"None\\\"), clientInfo_s = columnifexists(\\\"clientInfo_s\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \\\"None\\\" and isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\\n| where id_s !~ \\\"None\\\" and isnotempty(id_s)\\n| where CallerIPAddress !~ \\\"None\\\" and isnotempty(CallerIPAddress)\\n| where clientInfo_s !~ \\\"None\\\" and isnotempty(clientInfo_s)\\n| where requestUri_s !~ \\\"None\\\" and isnotempty(requestUri_s)\\n| where ResourceType =~ \\\"VAULTS\\\" and ResultType =~ \\\"Success\\\"\\n| where OperationName in (OperationList)\\n| summarize PerOperationCount=count(), LatestAnomalyTime = arg_max(TimeGenerated,*) by bin(TimeGenerated,1h), Resource, OperationName, id_s, CallerIPAddress, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, requestUri_s, clientInfo_s\\n) on Resource, TimeGenerated\\n| summarize EventCount=count(), OperationNameList = make_set(OperationName), RequestURLList = make_set(requestUri_s, 100), AccountList = make_set(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, 100), AccountMax = arg_max(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g,*) by Resource, id_s, clientInfo_s, LatestAnomalyTime\\n| extend timestamp = LatestAnomalyTime, IPCustomEntity = CallerIPAddress, AccountCustomEntity = AccountMax\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Azure Key Vault access TimeSeries anomaly\",\"description\":\"Indentifies a sudden increase in count of Azure Key Vault secret or vault access operations by CallerIPAddress. The query leverages a built-in KQL anomaly detection algorithm\\nto find large deviations from baseline Azure Key Vault access patterns. Any sudden increase in the count of Azure Key Vault accesses can be an\\nindication of adversary dumping credentials via automated methods. If you are seeing any noise, try filtering known source(IP/Account) and user-agent combinations.\\nTimeSeries Reference Blog: https://techcommunity.microsoft.com/t5/azure-sentinel/looking-for-unknown-anomalies-what-is-normal-time-series/ba-p/555052\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2019-07-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureKeyVault\",\"dataTypes\":[\"KeyVaultData\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6a2e2ff4-5568-475e-bef2-b95f12b9367b\",\"name\":\"6a2e2ff4-5568-475e-bef2-b95f12b9367b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let FailureThreshold = 15;\\nimAuthentication\\n| where EventType== \u0027Logon\u0027 and EventResult== \u0027Failure\u0027\\n// reason: creds \\n| where EventResultDetails in (\u0027No such user or password\u0027, \u0027Incorrect password\u0027)\\n| summarize UserCount=dcount(TargetUserId), Vendors=make_set(EventVendor), Products=make_set(EventVendor)\\n , Users = make_set(TargetUserId,100) \\n by SrcDvcIpAddr, SrcGeoCountry, bin(TimeGenerated, 5m)\\n| where UserCount \u003e FailureThreshold\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcDvcIpAddr\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Potential Password Spray Attack (Uses Authentication Normalization)\",\"description\":\"This query searches for failed attempts to log in from more than 15 various users within a 5 minute timeframe from the same source. This is a potential indication of a password spray attack\\n To use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimAuthentication)\",\"lastUpdatedDateUTC\":\"2022-02-14T00:00:00Z\",\"createdDateUTC\":\"2021-06-14T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a5b3429d-f1da-42b9-883c-327ecb7b91ff\",\"name\":\"a5b3429d-f1da-42b9-883c-327ecb7b91ff\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"SecurityAlert \\n| where AlertName == \\\"Sign-in from an infected device\\\"\\n| extend Extprop = parsejson(Entities)\\n| mv-expand Extprop\\n| extend Extprop = parsejson(Extprop)\\n| extend CmdLine = iff(Extprop[\u0027Type\u0027]==\\\"process\\\", Extprop[\u0027CommandLine\u0027], \u0027\u0027)\\n| extend File = iff(Extprop[\u0027Type\u0027]==\\\"file\\\", Extprop[\u0027Name\u0027], \u0027\u0027)\\n| extend Account = Extprop[\u0027Name\u0027]\\n| extend Domain = Extprop[\u0027UPNSuffix\u0027]\\n| extend Account = iif(isnotempty(Domain) and Extprop[\u0027Type\u0027]==\\\"account\\\", tolower(strcat(Account, \\\"@\\\", Domain)), iif(Extprop[\u0027Type\u0027]==\\\"account\\\", tolower(Account), \\\"\\\"))\\n| extend IpAddress = iff(Extprop[\\\"Type\\\"] == \\\"ip\\\",Extprop[\u0027Address\u0027], \u0027\u0027)\\n| extend Process = iff(isnotempty(CmdLine), CmdLine, File)\\n| summarize count() by AlertName, AlertSeverity, CompromisedEntity, Account, IpAddress\\n| join kind=inner \\n(\\nAzureActivity\\n| where OperationNameValue hassuffix (\\\"/workspaces/computes/delete\\\")\\n| where ActivityStatusValue =~ \\\"Succeeded\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = makelist(TimeGenerated), ActivityStatusValue = makelist(ActivityStatusValue), OperationIds = makelist(OperationId), CorrelationIds = makelist(CorrelationId), Resources = makelist(Resource), ResourceGroups = makelist(ResourceGroup), ResourceIds = makelist(ResourceId), ActivityCountByCallerIPAddress = count() \\nby CallerIpAddress, Caller, OperationNameValue\\n) on $left. IpAddress == $right. CallerIpAddress\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"Impact\"],\"displayName\":\"Workspace deletion attempt from an infected device\",\"description\":\"This hunting query will alert on any sign-ins from devices infected with malware in correlation with potential workspace deletion activity. \\nAttackers may attempt to delete workspaces containing compute instances after successful compromise to cause service unavailability to regular business operation.\",\"lastUpdatedDateUTC\":\"2022-04-11T00:00:00Z\",\"createdDateUTC\":\"2022-04-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectoryIdentityProtection\",\"dataTypes\":[\"SecurityAlert (IPC)\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8e267e91-6bda-4b3c-bf68-9f5cbdd103a3\",\"name\":\"8e267e91-6bda-4b3c-bf68-9f5cbdd103a3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"ZoomLogs\\n| where Event =~ \\\"account.settings_updated\\\" \\n| extend EnforceLogin = columnifexists(\\\"payload_object_settings_schedule_meeting_enfore_login_b\\\", \\\"\\\") \\n| extend EnforceLoginDomain = columnifexists(\\\"payload_object_settings_schedule_meeting_enfore_login_b\\\", \\\"\\\") \\n| extend GuestAlerts = columnifexists(\\\"payload_object_settings_in_meeting_alert_guest_join_b\\\", \\\"\\\") \\n| where EnforceLogin == \u0027false\u0027 or EnforceLoginDomain == \u0027false\u0027 or GuestAlerts == \u0027false\u0027 \\n| extend SettingChanged = case(EnforceLogin == \u0027false\u0027 and EnforceLoginDomain == \u0027false\u0027 and GuestAlerts == \u0027false\u0027, \\\"All settings changed\\\", \\n EnforceLogin == \u0027false\u0027 and EnforceLoginDomain == \u0027false\u0027, \\\"Enforced Logons and Restricted Domains Changed\\\", \\n EnforceLoginDomain == \u0027false\u0027 and GuestAlerts == \u0027false\u0027, \\\"Enforced Domains Changed\\\", \\n EnforceLoginDomain == \u0027false\u0027, \\\"Enfored Domains Changed\\\", \\n GuestAlerts == \u0027false\u0027, \\\"Guest Join Alerts Changed\\\", \\n EnforceLogin == \u0027false\u0027, \\\"Enforced Logins Changed\\\", \\n \\\"No Changes\\\")\\n| extend timestamp = TimeGenerated, AccountCustomEntity = User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\",\"Persistence\"],\"displayName\":\"External User Access Enabled\",\"description\":\"This alerts when the account setting is changed to allow either external domain access or anonymous access to meetings.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2020-04-24T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/56b0a0cd-894e-4b38-a0a1-c41d9f96649a\",\"name\":\"56b0a0cd-894e-4b38-a0a1-c41d9f96649a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"let lbtime = 1h;\\nlet tls_ciphers = dynamic([\u0027RC4-SHA\u0027, \u0027DES-CBC3-SHA\u0027]);\\nProofpointPOD\\n| where EventType == \u0027message\u0027\\n| where TlsCipher in (tls_ciphers)\\n| extend IpCustomEntity = SrcIpAddr\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"ProofpointPOD - Weak ciphers\",\"description\":\"Detects when weak TLS ciphers are used.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/87890d78-3e05-43ec-9ab9-ba32f4e01250\",\"name\":\"87890d78-3e05-43ec-9ab9-ba32f4e01250\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.3\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation\\nlet list_tlds = ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e ago(ioc_lookBack)\\n| where isnotempty(DomainName)\\n| extend parts = split(DomainName, \u0027.\u0027)\\n| extend tld = parts[(array_length(parts)-1)]\\n| summarize count() by tostring(tld)\\n| summarize make_list(tld);\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(DomainName)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n SecurityAlert\\n | where TimeGenerated \u003e ago(dt_lookBack)\\n | extend MSTI = case(AlertName has \\\"TI map\\\" and VendorName == \\\"Microsoft\\\" and ProductName == \u0027Azure Sentinel\u0027, true, false)\\n | where MSTI == false\\n //Extract domain patterns from message\\n | extend domain = todynamic(dynamic_to_json(extract_all(@\\\"(((xn--)?[a-z0-9\\\\-]+\\\\.)+([a-z]+|(xn--[a-z0-9]+)))\\\", dynamic([1]), tolower(Entities))))\\n | mv-expand domain\\n | extend domain = tostring(domain[0])\\n | extend parts = split(domain, \u0027.\u0027)\\n //Split out the TLD\\n | extend tld = parts[(array_length(parts)-1)]\\n //Validate parsed domain by checking if the TLD is in the list of TLDs in our threat feed\\n | where tld in~ (list_tlds)\\n // Converting Entities into dynamic data type and use mv-expand to unpack the array\\n | extend EntitiesDynamicArray = parse_json(Entities)\\n | mv-apply EntitiesDynamicArray on\\n (summarize\\n HostName = take_anyif(tostring(EntitiesDynamicArray.HostName), EntitiesDynamicArray.Type == \\\"host\\\"),\\n IP_addr = take_anyif(tostring(EntitiesDynamicArray.Address), EntitiesDynamicArray.Type == \\\"ip\\\")\\n )\\n | extend Alert_TimeGenerated = TimeGenerated\\n | extend Alert_Description = Description\\n) on $left.DomainName==$right.domain\\n| where Alert_TimeGenerated \u003c ExpirationDateTime\\n| summarize Alert_TimeGenerated = arg_max(Alert_TimeGenerated, *) by IndicatorId, AlertName\\n| project Alert_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DomainName, AlertName, Alert_Description, ProviderName, AlertSeverity, ConfidenceLevel, HostName, IP_addr, Url, Entities\\n| extend timestamp = Alert_TimeGenerated, HostCustomEntity = HostName, IPCustomEntity = IP_addr, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map Domain entity to SecurityAlert\",\"description\":\"Identifies a match in SecurityAlert table from any Domain IOC from TI\",\"lastUpdatedDateUTC\":\"2022-01-17T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"MicrosoftCloudAppSecurity\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/88f453ff-7b9e-45bb-8c12-4058ca5e44ee\",\"name\":\"88f453ff-7b9e-45bb-8c12-4058ca5e44ee\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AzureActivity\\n| where CategoryValue == \u0027Administrative\u0027\\n| where ResourceProviderValue =~ \u0027Microsoft.ADHybridHealthService\u0027\\n| where _ResourceId contains \u0027AdFederationService\u0027\\n| where OperationNameValue =~ \u0027Microsoft.ADHybridHealthService/services/servicemembers/action\u0027\\n| extend claimsJson = parse_json(Claims)\\n| extend AppId = tostring(claimsJson.appid)\\n| extend AccountName = tostring(claimsJson.name)\\n| project-away claimsJson\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure Active Directory Hybrid Health AD FS New Server\",\"description\":\"This detection uses AzureActivity logs (Administrative category) to identify the creation or update of a server instance in an Azure AD Hybrid health AD FS service.\\nA threat actor can create a new AD Health ADFS service and create a fake server instance to spoof AD FS signing logs. There is no need to compromise an on-prem AD FS server.\\nThis can be done programmatically via HTTP requests to Azure. More information in this blog: https://o365blog.com/post/hybridhealthagent/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-08-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e1ce0eab-10d1-4aae-863f-9a383345ba88\",\"name\":\"e1ce0eab-10d1-4aae-863f-9a383345ba88\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let threshold = 15;\\nSyslog\\n| where SyslogMessage contains \\\"Failed password for invalid user\\\"\\n| where ProcessName =~ \\\"sshd\\\" \\n| parse kind=relaxed SyslogMessage with * \\\"invalid user\\\" user \\\" from \\\" ip \\\" port\\\" port \\\" ssh2\\\"\\n| project user, ip, port, SyslogMessage, EventTime\\n| summarize EventTimes = make_list(EventTime), PerHourCount = count() by ip, bin(EventTime, 4h), user\\n| where PerHourCount \u003e threshold\\n| mvexpand EventTimes\\n| extend EventTimes = tostring(EventTimes) \\n| summarize StartTimeUtc = min(EventTimes), EndTimeUtc = max(EventTimes), UserList = makeset(user), sum(PerHourCount) by IPAddress = ip\\n| extend UserList = tostring(UserList) \\n| extend timestamp = StartTimeUtc, IPCustomEntity = IPAddress, AccountCustomEntity = UserList\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"SSH - Potential Brute Force\",\"description\":\"Identifies an IP address that had 15 failed attempts to sign in via SSH in a 4 hour block during a 24 hour time period.\",\"lastUpdatedDateUTC\":\"2022-05-31T00:00:00Z\",\"createdDateUTC\":\"2019-02-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/55073036-bb86-47d3-a85a-b113ac3d9396\",\"name\":\"55073036-bb86-47d3-a85a-b113ac3d9396\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let admins=(IdentityInfo\\n | where AssignedRoles contains \\\"admin\\\"\\n | summarize by tolower(AccountUPN));\\n let known_asns = (\\n SigninLogs\\n | where TimeGenerated between(ago(14d)..ago(1d))\\n | where ResultType == 0\\n | summarize by AutonomousSystemNumber);\\n SigninLogs\\n | where TimeGenerated \u003e ago(1d)\\n | where ResultType == 0\\n | where tolower(UserPrincipalName) in (admins)\\n | where AutonomousSystemNumber !in (known_asns)\\n | project-reorder TimeGenerated, UserPrincipalName, UserAgent, IpAddress, AutonomousSystemNumber\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"UserPrincipalName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Privileged User Logon from new ASN\",\"description\":\"Detects a successful logon by a privileged account from an ASN not logged in from in the last 14 days.\\n Monitor these logons to ensure they are legitimate and identify if there are any similar sign ins.\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"BehaviorAnalytics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a7b9df32-1367-402d-b385-882daf6e3020\",\"name\":\"a7b9df32-1367-402d-b385-882daf6e3020\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"Event\\n| where EventLog == \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID==10\\n| parse EventData with * \u0027TargetImage\\\"\u003e\u0027 TargetImage \\\"\u003c\\\" * \u0027GrantedAccess\\\"\u003e\u0027 GrantedAccess \\\"\u003c\\\" * \u0027CallTrace\\\"\u003e\u0027 CallTrace \\\"\u003c\\\" * \\n| where GrantedAccess == \\\"0x1FFFFF\\\" and TargetImage == \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\lsass.exe\\\" and CallTrace has_any (\\\"dbghelp.dll\\\",\\\"dbgcore.dll\\\")\\n| parse EventData with * \u0027SourceProcessGUID\\\"\u003e\u0027 SourceProcessGUID \\\"\u003c\\\" * \u0027SourceImage\\\"\u003e\u0027 SourceImage \\\"\u003c\\\" *\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, SourceProcessGUID, SourceImage, GrantedAccess, TargetImage, CallTrace\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"SourceImage\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Dumping LSASS Process Into a File\",\"description\":\"Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). \\nAfter a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. \\nThese credential materials can be harvested by an administrative user or SYSTEM and used to conduct Lateral Movement using Use Alternate Authentication Material. \\nAs well as in-memory techniques, the LSASS process memory can be dumped from the target host and analyzed on a local system.\\nRef: https://attack.mitre.org/techniques/T1003/001/\",\"lastUpdatedDateUTC\":\"2022-03-11T00:00:00Z\",\"createdDateUTC\":\"2022-03-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/94749332-1ad9-49dd-a5ab-5ff2170788fc\",\"name\":\"94749332-1ad9-49dd-a5ab-5ff2170788fc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/SOURGUM.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet domains = (iocs | where Type =~ \\\"domainname\\\"| project IoC);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\nlet file_path1 = (iocs | where Type =~ \\\"filepath1\\\" | project IoC);\\nlet file_path2 = (iocs | where Type =~ \\\"filepath2\\\" | project IoC);\\nlet file_path3 = (iocs | where Type =~ \\\"filepath3\\\" | project IoC);\\nlet reg_key = (iocs | where Type =~ \\\"regkey\\\" | project IoC);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where DestinationHostName has_any (domains) or RequestURL has_any (domains) or Message has_any (domains)\\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 *\\n| project TimeGenerated, Message, SourceUserID, RequestURL, DestinationHostName, Type, SourceIP, DestinationIP, DNSName\\n| extend Alert = \u0027SOURGUM IOC detected\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SourceUserID, UrlCustomEntity = RequestURL , IPCustomEntity = DestinationIP, DNSCustomEntity = DNSName\\n),\\n(DnsEvents\\n| where Name in~ (domains)\\n| project TimeGenerated, Computer, IPAddresses, Name, ClientIP, Type\\n| extend DNSName = Name, Host = Computer , Alert = \u0027SOURGUM IOC detected\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Host, DNSCustomEntity = DNSName, IPCustomEntity = IPAddresses\\n),\\n(VMConnection\\n| where RemoteDnsCanonicalNames has_any (domains)\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| project TimeGenerated, Computer, Direction, RemoteDnsCanonicalNames, ProcessName, SourceIp, DestinationIp, DestinationPort, DNSName,BytesSent, BytesReceived, RemoteCountry, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIp, HostCustomEntity = Computer, ProcessCustomEntity = ProcessName, DNSCustomEntity = DNSName, Alert = \u0027SOURGUM IOC detected\u0027\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = tostring(EventDetail.[9].[\\\"#text\\\"]), DestinationIP = tostring(EventDetail.[14].[\\\"#text\\\"]), Image = EventDetail.[4].[\\\"#text\\\"]\\n| where Image has_any (file_path1) or Image has_any (file_path3)\\n| project TimeGenerated, SourceIP, DestinationIP, Image, UserName, Computer, EventDetail, Type\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), HostCustomEntity = Computer , IPCustomEntity = DestinationIP, Alert = \u0027SOURGUM IOC detected\u0027\\n), \\n(DeviceNetworkEvents\\n| where (RemoteUrl has_any (domains)) or (InitiatingProcessSHA256 in (sha256Hashes) and InitiatingProcessFolderPath has_any (file_path1)) or InitiatingProcessFolderPath has_any (file_path3)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, LocalIP, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName, Alert = \u0027SOURGUM IOC detected\u0027, UrlCustomEntity =RemoteUrl\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| project TimeGenerated,Resource, msg_s, Type\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where Request_Name has_any (domains)\\n| extend timestamp = TimeGenerated, DNSName = Request_Name, IPCustomEntity = ClientIP, Alert = \u0027SOURGUM IOC detected\u0027\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| project TimeGenerated,Resource, msg_s\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where DestinationHost has_any (domains) \\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost, Alert = \u0027SOURGUM IOC detected\u0027\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| parse EventDetail with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| extend Image = EventDetail.[4].[\\\"#text\\\"], CommandLine = EventDetail.[10].[\\\"#text\\\"]\\n| where (SHA256 has_any (sha256Hashes) and Image has_any (file_path1)) or (Image has_any (file_path3)) or ( CommandLine has_any (file_path3)) or ( CommandLine has_any (file_path1)) or ( CommandLine has \u0027reg add\u0027 and CommandLine has_any (reg_key) and CommandLine has_any (file_path2)) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256, CommandLine, Image\\n| extend Type = strcat(Type, \\\": \\\", Source), Alert = \u0027SOURGUM IOC detected\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = SHA256\\n),\\n(DeviceRegistryEvents\\n| where RegistryKey has_any (reg_key) and RegistryValueData has_any (file_path2)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type \\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, Alert = \u0027SOURGUM IOC detected\u0027\\n),\\n(DeviceProcessEvents\\n| where ( InitiatingProcessCommandLine has_any (file_path1)) or ( InitiatingProcessCommandLine has_any (file_path3)) or ( InitiatingProcessCommandLine has \u0027reg add\u0027 and InitiatingProcessCommandLine has_any (reg_key) and InitiatingProcessCommandLine has_any (file_path2)) or (InitiatingProcessFolderPath has_any (file_path1)) or (InitiatingProcessFolderPath has_any (file_path3)) or (FolderPath has_any (file_path1)) or (FolderPath has_any (file_path3))\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, FolderPath, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, Alert = \u0027SOURGUM IOC detected\u0027\\n),\\n(DeviceFileEvents\\n| where (InitiatingProcessSHA256 has_any (sha256Hashes) and InitiatingProcessFolderPath has_any (file_path1)) or (InitiatingProcessFolderPath has_any (file_path3)) or (FolderPath has_any (file_path1)) or (FolderPath has_any (file_path3)) or ( InitiatingProcessCommandLine has_any (file_path1)) or ( InitiatingProcessCommandLine has_any (file_path3))\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RequestAccountName, RequestSourceIP, InitiatingProcessSHA256, FolderPath, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = RequestAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, Alert = \u0027SOURGUM IOC detected\u0027\\n),\\n(DeviceEvents\\n| where ( InitiatingProcessCommandLine has_any (file_path1)) or ( InitiatingProcessCommandLine has_any (file_path3)) or ( InitiatingProcessCommandLine has \u0027reg add\u0027 and InitiatingProcessCommandLine has_any (reg_key) and InitiatingProcessCommandLine has_any (file_path2)) or (InitiatingProcessFolderPath has_any (file_path1)) or (InitiatingProcessFolderPath has_any (file_path3)) or (FolderPath has_any (file_path1)) or (FolderPath has_any (file_path3))\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, FolderPath, Type\\n| extend CommandLine = InitiatingProcessCommandLine, Alert = \u0027SOURGUM IOC detected\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256\\n),\\n( SecurityEvent\\n| where EventID == 4688\\n| where ( CommandLine has_any (file_path1)) or ( CommandLine has_any (file_path3)) or ( CommandLine has \u0027reg add\u0027 and CommandLine has_any (reg_key) and CommandLine has_any (file_path2)) or (NewProcessName has_any (file_path1)) or (NewProcessName has_any (file_path3)) or (ParentProcessName has_any (file_path1)) or (ParentProcessName has_any (file_path3))\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, Alert = \u0027SOURGUM IOC detected\u0027\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"SOURGUM Actor IOC - July 2021\",\"description\":\"Identifies a match across IOC\u0027s related to an actor tracked by Microsoft as SOURGUM\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-07-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceRegistryEvents\",\"DeviceFileEvents\",\"DeviceEvents\",\"DeviceProcessEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/95407904-0131-4918-bc49-ebf282ce149a\",\"name\":\"95407904-0131-4918-bc49-ebf282ce149a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let IPList = dynamic([\\\"135.125.147.170:80\\\",\\\"185.244.129.79:63047\\\",\\\"185.244.129.79:80\\\",\\\"45.80.149.108:63047\\\",\\\"45.80.149.108:80\\\",\\\"45.80.149.57:63047\\\",\\\"45.80.149.68:63047\\\",\\\"45.80.149.71:80\\\",\\\"185.244.129.109\\\",\\\"172.96.188.51\\\",\\\"51.83.246.73\\\"]); \\n(union isfuzzy=true \\n(CommonSecurityLog \\n| where isnotempty(SourceIP) or isnotempty(DestinationIP) \\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList) \\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"Message\\\") \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch \\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\") \\n), \\n(OfficeActivity \\n|extend SourceIPAddress = ClientIP, Account = UserId \\n| where SourceIPAddress in (IPList) \\n| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account \\n),\\n(_Im_Dns (response_has_any_prefix=IPList)\\n| extend DestinationIPAddress = ResponseName, Host = SrcIpAddr \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host \\n), \\n(_Im_NetworkSession (srcipaddr_has_any_prefix=IPList)\\n | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Hostname, AccountCustomEntity=User\\n), \\n(_Im_NetworkSession (dstipaddr_has_any_prefix=IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = DstIpAddr, HostCustomEntity = Hostname , AccountCustomEntity = User\\n), \\n(WireData \\n| where isnotempty(RemoteIP) \\n| where RemoteIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer \\n), \\n(SigninLogs \\n| where isnotempty(IPAddress) \\n| where IPAddress in (IPList) \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \\n),\\n(AADNonInteractiveUserSignInLogs \\n| where isnotempty(IPAddress) \\n| where IPAddress in (IPList) \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \\n), \\n(W3CIISLog \\n| where isnotempty(cIP) \\n| where cIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName \\n), \\n(AzureActivity \\n| where isnotempty(CallerIpAddress) \\n| where CallerIpAddress in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller \\n), \\n( \\nAWSCloudTrail \\n| where isnotempty(SourceIpAddress) \\n| where SourceIpAddress in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName \\n), \\n( \\nDeviceNetworkEvents \\n| where isnotempty(RemoteIP) \\n| where RemoteIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName \\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallNetworkRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Known POLONIUM IP\",\"description\":\"Identifies a match across various data feeds for IP IOCs related to the POLONIUM activity group. \\n References: BLOGURL\u0027 \",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2020-11-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AzureMonitor(WireData)\",\"dataTypes\":[\"WireData\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ed43bdb7-eaab-4ea4-be52-6951fcfa7e3b\",\"name\":\"ed43bdb7-eaab-4ea4-be52-6951fcfa7e3b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet TotalEventsThreshold = 25; \\nlet TimeSeriesData = \\nAzureActivity \\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where OperationNameValue endswith \\\"delete\\\" \\n| project TimeGenerated, Caller \\n| make-series Total = count() on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by Caller; \\nlet TimeSeriesAlerts = materialize(TimeSeriesData \\n| extend (anomalies, score, baseline) = series_decompose_anomalies(Total, 3, -1, \u0027linefit\u0027) \\n| mv-expand Total to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to typeof(double), baseline to typeof(long) \\n| where anomalies \u003e 0 \\n| project Caller, TimeGenerated, Total, baseline, anomalies, score \\n| where Total \u003e TotalEventsThreshold and baseline \u003e 0 ); \\nTimeSeriesAlerts \\n| where TimeGenerated \u003e (ago(endtime)) \\n| project TimeGenerated, Caller \\n| join (AzureActivity \\n| where TimeGenerated \u003e (ago(endtime)) \\n| where OperationNameValue endswith \\\"delete\\\" \\n| summarize count(), make_set(OperationNameValue), make_set(Resource) by bin(TimeGenerated, 1h), Caller) on TimeGenerated, Caller \\n| extend timestamp = TimeGenerated, AccountCustomEntity = Caller\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Mass Cloud resource deletions Time Series Anomaly\",\"description\":\"This query generates baseline pattern of cloud resource deletions by an user and generated anomaly \\nwhen any unusual spike is detected.\\nThese anomalies from unusual or privileged users could be an indication of cloud infrastructure \\ntake-down by an adversary \",\"lastUpdatedDateUTC\":\"2022-03-24T00:00:00Z\",\"createdDateUTC\":\"2022-03-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b6988c32-4f3b-4a45-8313-b46b33061a74\",\"name\":\"b6988c32-4f3b-4a45-8313-b46b33061a74\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n| where OperationName has_any (\\\"Add service principal\\\", \\\"Certificates and secrets management\\\") // captures \\\"Add service principal\\\", \\\"Add service principal credentials\\\", and \\\"Update application - Certificates and secrets management\\\" events\\n| where Result =~ \\\"success\\\"\\n| where tostring(InitiatedBy.user.userPrincipalName) has \\\"@\\\" or tostring(InitiatedBy.app.displayName) has \\\"@\\\"\\n| extend targetDisplayName = tostring(TargetResources[0].displayName)\\n| extend targetId = tostring(TargetResources[0].id)\\n| extend targetType = tostring(TargetResources[0].type)\\n| extend keyEvents = TargetResources[0].modifiedProperties\\n| mv-expand keyEvents\\n| where keyEvents.displayName =~ \\\"KeyDescription\\\"\\n| extend new_value_set = parse_json(tostring(keyEvents.newValue))\\n| extend old_value_set = parse_json(tostring(keyEvents.oldValue))\\n| where old_value_set == \\\"[]\\\"\\n| mv-expand new_value_set\\n| parse new_value_set with * \\\"KeyIdentifier=\\\" keyIdentifier:string \\\",KeyType=\\\" keyType:string \\\",KeyUsage=\\\" keyUsage:string \\\",DisplayName=\\\" keyDisplayName:string \\\"]\\\" *\\n| where keyUsage == \\\"Verify\\\" or keyUsage == \\\"\\\"\\n| extend UserAgent = iff(AdditionalDetails[0].key == \\\"User-Agent\\\",tostring(AdditionalDetails[0].value),\\\"\\\")\\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n// The below line is currently commented out but Microsoft Sentinel users can modify this query to show only Application or only Service Principal events in their environment\\n//| where targetType =~ \\\"Application\\\" // or targetType =~ \\\"ServicePrincipal\\\"\\n| project-away new_value_set, old_value_set\\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, InitiatingIpAddress, UserAgent, targetDisplayName, targetId, targetType, keyDisplayName, keyType, keyUsage, keyIdentifier, CorrelationId, TenantId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingUserOrApp, IPCustomEntity = InitiatingIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"NRT First access credential added to Application or Service Principal where no credential was present\",\"description\":\"This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where there was no previous verify KeyCredential associated.\\nIf a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2022-06-01T00:00:00Z\",\"createdDateUTC\":\"2020-11-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fb7ca1c9-e14c-40a3-856e-28f3c14ea1ba\",\"name\":\"fb7ca1c9-e14c-40a3-856e-28f3c14ea1ba\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let account_threshold = 5;\\nAADNonInteractiveUserSignInLogs\\n//| where ResultType == \\\"81016\\\"\\n| where ResultType startswith \\\"81\\\"\\n| summarize DistinctAccounts = dcount(UserPrincipalName), DistinctAddresses = make_set(IPAddress) by ResultType\\n| where DistinctAccounts \u003e account_threshold\\n| mv-expand IPAddress = DistinctAddresses\\n| extend IPAddress = tostring(IPAddress)\\n| join kind=leftouter (union isfuzzy=true SigninLogs, AADNonInteractiveUserSignInLogs) on IPAddress\\n| summarize\\n StartTime = min(TimeGenerated),\\n EndTime = max(TimeGenerated),\\n UserPrincipalName = make_set(UserPrincipalName),\\n UserAgent = make_set(UserAgent),\\n ResultDescription = take_any(ResultDescription),\\n ResultSignature = take_any(ResultSignature)\\n by IPAddress, Type, ResultType\\n| project Type, StartTime, EndTime, IPAddress, ResultType, ResultDescription, ResultSignature, UserPrincipalName, UserAgent = iff(array_length(UserAgent) == 1, UserAgent[0], UserAgent)\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Password spray attack against Azure AD Seamless SSO\",\"description\":\"This query detects when there is a spike in Azure AD Seamless SSO errors. They may not be caused by a Password Spray attack, but the cause of the errors might need to be investigated.\\nAzure AD only logs the requests that matched existing accounts, thus there might have been unlogged requests for non-existing accounts.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2022-03-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/825991eb-ea39-4590-9de2-ee97ef42eb93\",\"name\":\"825991eb-ea39-4590-9de2-ee97ef42eb93\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ActiniumIOC.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet domains = (iocs | where Type =~ \\\"domainname\\\"| project IoC);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\n(union isfuzzy=true\\n(DeviceProcessEvents\\n| where InitiatingProcessSHA256 in (sha256Hashes) or SHA256 in (sha256Hashes) or (ProcessCommandLine has (\u0027schtasks.exe /CREATE /sc minute /mo 12 /tn\u0027) and ProcessCommandLine has (\u0027/tr \\\"wscript.exe\u0027) and ProcessCommandLine has (\u0027\\\"%PUBLIC%\\\\\\\\Pictures\\\\\\\\\u0027) and ProcessCommandLine has (\u0027//e:VBScript //b\\\" /F\u0027)) or (ProcessCommandLine has (\u0027wscript.exe C:\\\\\\\\Users\\\\\\\\\u0027) and ProcessCommandLine has (\u0027.wav\u0027) and ProcessCommandLine has (\u0027//e:VBScript //b\u0027) \\nor (ProcessCommandLine has_all (\\\"schtasks.exe\\\", \\\"create\\\", \\\"wscript\\\", \\\"e:vbscript\\\", \\\".wav\\\")))\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, ProcessCommandLine, InitiatingProcessAccountName, InitiatingProcessCommandLine, FolderPath, InitiatingProcessFolderPath, ProcessId, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type, AccountName, SHA256, FileName\\n| extend Account = AccountName, Computer = DeviceName, FileHash = case(InitiatingProcessSHA256 in (sha256Hashes), \\\"InitiatingProcessSHA256\\\", SHA256 in (sha256Hashes), \\\"SHA256\\\", \\\"No Match\\\")\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = FileName, FileHashCustomEntity = case(FileHash == \\\"InitiatingProcessSHA256\\\", InitiatingProcessSHA256, FileHash == \\\"SHA256\\\", SHA256, \\\"No Match\\\")\\n),\\n( SecurityEvent\\n| where EventID == 4688\\n| where (CommandLine has (\u0027schtasks.exe /CREATE /sc minute /mo 12 /tn\u0027) and CommandLine has (\u0027/tr \\\"wscript.exe\u0027) and CommandLine has (\u0027\\\"%PUBLIC%\\\\\\\\Pictures\\\\\\\\\u0027) and CommandLine has (\u0027//e:VBScript //b\\\" /F\u0027)) or (CommandLine has (\u0027wscript.exe C:\\\\\\\\Users\\\\\\\\\u0027) and CommandLine has (\u0027.wav\u0027) and CommandLine has (\u0027//e:VBScript //b\u0027))\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type, EventID\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName\\n),\\n( CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, SourceUserID, FileHash, Type\\n| extend timestamp = TimeGenerated, FileHashCustomEntity = \u0027SHA256\u0027, Account = SourceUserID\\n),\\n( imFileEvent\\n| where Hash in~ (sha256Hashes) or (ActingProcessCommandLine has (\u0027schtasks.exe /CREATE /sc minute /mo 12 /tn\u0027) and ActingProcessCommandLine has (\u0027/tr \\\"wscript.exe\u0027) and ActingProcessCommandLine has (\u0027\\\"%PUBLIC%\\\\\\\\Pictures\\\\\\\\\u0027) and ActingProcessCommandLine has (\u0027//e:VBScript //b\\\" /F\u0027)) or (ActingProcessCommandLine has (\u0027wscript.exe C:\\\\\\\\Users\\\\\\\\\u0027) and ActingProcessCommandLine has (\u0027.wav\u0027) and ActingProcessCommandLine has (\u0027//e:VBScript //b\u0027) \\n or (ActingProcessCommandLine has_all (\\\"schtasks.exe\\\", \\\"create\\\", \\\"wscript\\\", \\\"e:vbscript\\\", \\\".wav\\\")))\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = Hash\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Image = EventDetail.[4].[\\\"#text\\\"], CommandLine = EventDetail.[10].[\\\"#text\\\"], Hashes = tostring(EventDetail.[17].[\\\"#text\\\"])\\n| extend Hashes = extract_all(@\\\"(?P\u003ckey\u003e\\\\w+)=(?P\u003cvalue\u003e[a-zA-Z0-9]+)\\\", dynamic([\\\"key\\\",\\\"value\\\"]), Hashes)\\n| extend Hashes = column_ifexists(\\\"Hashes\\\", \\\"\\\"), CommandLine = column_ifexists(\\\"CommandLine\\\", \\\"\\\")\\n| where (Hashes has_any (sha256Hashes) ) or (CommandLine has (\u0027schtasks.exe /CREATE /sc minute /mo 12 /tn\u0027) and CommandLine has (\u0027/tr \\\"wscript.exe\u0027) and CommandLine has (\u0027\\\"%PUBLIC%\\\\\\\\Pictures\\\\\\\\\u0027) and CommandLine has (\u0027//e:VBScript //b\\\" /F\u0027)) or (CommandLine has (\u0027wscript.exe C:\\\\\\\\Users\\\\\\\\\u0027) and CommandLine has (\u0027.wav\u0027) and CommandLine has (\u0027//e:VBScript //b\u0027) or (CommandLine has_all (\\\"schtasks.exe\\\", \\\"create\\\", \\\"wscript\\\", \\\"e:vbscript\\\", \\\".wav\\\")))\\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, Hashes, CommandLine, Image\\n| extend Type = strcat(Type, \\\": \\\", Source)\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), FileHashCustomEntity = Hashes\\n),\\n(DnsEvents\\n| where Name in~ (domains) \\n| project TimeGenerated, Computer, IPAddresses, Name, ClientIP, Type\\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Computer \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress\\n),\\n(VMConnection\\n| where RemoteDnsCanonicalNames has_any (domains)\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| project TimeGenerated, Computer, Direction, ProcessName, SourceIp, DestinationIp, DestinationPort, RemoteDnsQuestions, DNSName,BytesSent, BytesReceived, RemoteCountry, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIp, File = ProcessName\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| project TimeGenerated,Resource, msg_s, Type\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (domains) \\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost\\n),\\n(DeviceNetworkEvents \\n| where isnotempty(RemoteUrl) \\n| where RemoteUrl in~ (domains) \\n| project Type, TimeGenerated, DeviceName, RemoteIP, RemoteUrl, InitiatingProcessAccountName\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, DNSName = RemoteUrl, IPCustomEntity = RemoteIP\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashType\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"ACTINIUM Actor IOCs - Feb 2022\",\"description\":\"Identifies a match across various data feeds for domains, hashes and commands related to an actor tracked by Microsoft as Actinium.\",\"lastUpdatedDateUTC\":\"2022-03-09T00:00:00Z\",\"createdDateUTC\":\"2022-02-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceProcessEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/65360bb0-8986-4ade-a89d-af3cf44d28aa\",\"name\":\"65360bb0-8986-4ade-a89d-af3cf44d28aa\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"let EventNameList = dynamic([\\\"CreateNetworkAclEntry\\\",\\\"CreateRoute\\\",\\\"CreateRouteTable\\\",\\\"CreateInternetGateway\\\",\\\"CreateNatGateway\\\"]);\\nAWSCloudTrail\\n| where EventName in~ (EventNameList)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, \\nUserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion, EventSource, AdditionalEventData, ResponseElements\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"PrivilegeEscalation\",\"LateralMovement\"],\"displayName\":\"Changes to Amazon VPC settings\",\"description\":\"Amazon Virtual Private Cloud (Amazon VPC) lets you provision a logically isolated section of the AWS Cloud where you can launch AWS resources\\nin a virtual network that you define.\\nThis identifies changes to Amazon VPC (Virtual Private Cloud) settings such as new ACL entries,routes, routetable or Gateways.\\nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255 \\nand AWS VPC API Docs: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/OperationList-query-vpc.html\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f2eb15bd-8a88-4b24-9281-e133edfba315\",\"name\":\"f2eb15bd-8a88-4b24-9281-e133edfba315\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.2\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet aadFunc = (tableName:string){\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n table(tableName) | where TimeGenerated \u003e= ago(dt_lookBack)\\n | extend Status = todynamic(Status), LocationDetails = todynamic(LocationDetails)\\n | extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails), StatusReason = tostring(Status.failureReason)\\n | extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion)\\n // renaming time column so it is clear the log this came from\\n | extend SigninLogs_TimeGenerated = TimeGenerated, Type = Type\\n)\\non $left.TI_ipEntity == $right.IPAddress\\n| where SigninLogs_TimeGenerated \u003c ExpirationDateTime\\n| summarize SigninLogs_TimeGenerated = arg_max(SigninLogs_TimeGenerated, *) by IndicatorId, IPAddress\\n| project SigninLogs_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, IPAddress, UserPrincipalName, AppDisplayName, StatusCode, StatusDetails, StatusReason, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, Type\\n| extend timestamp = SigninLogs_TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress, URLCustomEntity = Url\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to SigninLogs\",\"description\":\"Identifies a match in SigninLogs from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6e715730-82c0-496c-983b-7a20c4590bd9\",\"name\":\"6e715730-82c0-496c-983b-7a20c4590bd9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let accountLookback = 3d;\\nlet requestLookback = 3d;\\nlet extraction_regex = @\\\"(?:\\\\?|\u0026)[a-zA-Z0-9\\\\%]*=([a-zA-Z0-9\\\\/\\\\+\\\\=]*)\\\";\\n// Collect account names and base64 encode them\\nDeviceEvents\\n| where TimeGenerated \u003e ago(accountLookback)\\n| summarize make_set(DeviceId), make_set(DeviceName) by InitiatingProcessAccountName\\n| where isnotempty(InitiatingProcessAccountName)\\n| extend base64_user = base64_encode_tostring(InitiatingProcessAccountName)\\n| join (\\n // Collect requests and extract base64 parameters\\n CommonSecurityLog\\n | where TimeGenerated \u003e ago(requestLookback)\\n | where isnotempty(RequestURL)\\n // Summarize early on the RequestURL\\n | summarize FirstRequest=min(TimeGenerated), LastRequest=max(TimeGenerated), NumberOfRequests=count() by RequestURL\\n | extend base64_candidate = extract_all(extraction_regex, RequestURL)\\n | mv-expand base64_candidate to typeof(string)\\n) on $left.base64_user == $right.base64_candidate\\n| project FirstRequest, LastRequest, NumberOfRequests, RequestURL, DeviceIds=set_DeviceId, DeviceNames=set_DeviceName, UserName=InitiatingProcessAccountName\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"DeviceNames\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"RequestURL\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"UserName\"}]}],\"tactics\":[\"Exfiltration\",\"CommandAndControl\"],\"displayName\":\"Windows host username encoded in base64 web request\",\"description\":\"This detection will identify network requests in HTTP proxy data that contains Base64 encoded usernames from machines in the DeviceEvents table.\\nThis technique was seen usee by POLONIUM in their RunningRAT tool.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2022-05-31T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e4779bdc-397a-4b71-be28-59e6a1e1d16b\",\"name\":\"e4779bdc-397a-4b71-be28-59e6a1e1d16b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"ZoomLogs\\n| where Event =~ \\\"account.settings_updated\\\"\\n| extend NewE2ESetting = columnifexists(\\\"payload_object_settings_in_meeting_e2e_encryption_b\\\", \\\"\\\")\\n| extend OldE2ESetting = columnifexists(\\\"payload_old_object_settings_in_meeting_e2e_encryption_b\\\", \\\"\\\")\\n| where OldE2ESetting =~ \u0027false\u0027 and NewE2ESetting =~ \u0027true\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\",\"Discovery\"],\"displayName\":\"Zoom E2E Encryption Disabled\",\"description\":\"This alerts when end to end encryption is disabled for Zoom meetings.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-04-24T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/194dd92e-d6e7-4249-85a5-273350a7f5ce\",\"name\":\"194dd92e-d6e7-4249-85a5-273350a7f5ce\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"OfficeActivity\\n| where UserType in~ (\\\"Admin\\\",\\\"DcAdmin\\\") \\n// Only admin or global-admin can disable audit logging\\n| where Operation =~ \\\"Set-AdminAuditLogConfig\\\" \\n| extend AdminAuditLogEnabledValue = tostring(parse_json(tostring(parse_json(tostring(array_slice(parse_json(Parameters),3,3)))[0])).Value)\\n| where AdminAuditLogEnabledValue =~ \\\"False\\\" \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), OperationCount = count() by Operation, UserType, UserId, ClientIP, ResultStatus, Parameters, AdminAuditLogEnabledValue\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Exchange AuditLog disabled\",\"description\":\"Identifies when the exchange audit logging has been disabled which may be an adversary attempt\\nto evade detection or avoid other defenses.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-04-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/218f60de-c269-457a-b882-9966632b9dc6\",\"name\":\"218f60de-c269-457a-b882-9966632b9dc6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"AuditLogs\\n| where Category =~ \\\"RoleManagement\\\"\\n| where ActivityDisplayName has_any (\\\"Add eligible member to role\\\", \\\"Add member to role\\\")\\n| mv-expand TargetResources\\n| mv-expand TargetResources.modifiedProperties\\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\\n| where displayName_ =~ \\\"Role.DisplayName\\\"\\n| extend RoleName = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\\n| where RoleName contains \\\"Admin\\\"\\n| extend Target = tostring(TargetResources.userPrincipalName)\\n| summarize dcount(Target) by bin(TimeGenerated, 1h)\\n| where dcount_Target \u003e 9\\n| join kind=rightsemi (AuditLogs\\n| where Category =~ \\\"RoleManagement\\\"\\n| where ActivityDisplayName has_any (\\\"Add eligible member to role\\\", \\\"Add member to role\\\")\\n| mv-expand TargetResources\\n| mv-expand TargetResources.modifiedProperties\\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\\n| where displayName_ =~ \\\"Role.DisplayName\\\"\\n| extend RoleName = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\\n| where RoleName contains \\\"Admin\\\"\\n| extend Target = tostring(TargetResources.userPrincipalName)\\n| extend TimeWindow = bin(TimeGenerated, 1h)) on $left.TimeGenerated == $right.TimeWindow\\n| extend AccountCustomEntity = Target\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Bulk Changes to Privileged Account Permissions\",\"description\":\"Identifies when changes to multiple users permissions are changed at once. Investigate immediately if not a planned change. This setting could enable an attacker access to Azure subscriptions in your environment.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-identity-management\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6e575295-a7e6-464c-8192-3e1d8fd6a990\",\"name\":\"6e575295-a7e6-464c-8192-3e1d8fd6a990\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.1\",\"severity\":\"High\",\"query\":\"let IPList = externaldata(IPAddress:string)[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Log4j_IOC_List.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\n//Network logs\\nlet CSlogSourceIP = CommonSecurityLog | summarize by IPAddress = SourceIP, Type;\\nlet CSlogDestIP = CommonSecurityLog | summarize by IPAddress = DestinationIP, Type;\\nlet CSlogMsgIP = CommonSecurityLog | extend MessageIP = extract(IPRegex, 0, Message) | summarize by IPAddress = MessageIP, Type;\\nlet DnsIP = DnsEvents | summarize by IPAddress = IPAddresses, Type;\\n// If you have enabled the imDNS and/or imNetworkSession normalization in your workspace, you can uncomment one or both below. Reference - https://docs.microsoft.com/azure/sentinel/normalization\\n//let imDnsIP = imDns (response_has_any_prefix=IPList) | summarize by IPAddress = ResponseName, Type;\\n//let imNetSessIP = imNetworkSession (dstipaddr_has_any_prefix=IPList) | summarize by IPAddress = DstIpAddr, Type;\\n//Cloud service logs\\nlet officeIP = OfficeActivity | summarize by IPAddress = ClientIP, Type;\\nlet signinIP = SigninLogs | summarize by IPAddress, Type;\\nlet nonintSigninIP = AADNonInteractiveUserSignInLogs | summarize by IPAddress, Type;\\nlet azureActIP = AzureActivity | summarize by IPAddress = CallerIpAddress, Type;\\nlet awsCtIP = AWSCloudTrail | summarize by IPAddress = SourceIpAddress, Type;\\n//Device logs\\nlet vmConnSourceIP = VMConnection | summarize by IPAddress = SourceIp, Type;\\nlet vmConnDestIP = VMConnection | summarize by IPAddress = DestinationIp, Type;\\nlet iisLogIP = W3CIISLog | summarize by IPAddress = cIP, Type;\\nlet devNetIP = DeviceNetworkEvents | summarize by IPAddress = RemoteIP, Type;\\n//need to parse to get IP\\nlet azureDiagIP = AzureDiagnostics | where ResourceType == \\\"AZUREFIREWALLS\\\" | where Category in (\\\"AzureFirewallApplicationRule\\\", \\\"AzureFirewallNetworkRule\\\") \\n| where msg_s has_any (IPList) | parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action | summarize by IPAddress = DestinationHost, Type;\\nlet sysEvtIP = Event | where Source == \\\"Microsoft-Windows-Sysmon\\\" | where EventID == 3 | where EventData has_any (IPList) | extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = tostring(EventDetail.[9].[\\\"#text\\\"]), DestinationIP = tostring(EventDetail.[14].[\\\"#text\\\"])\\n| where SourceIP in (IPList) or DestinationIP in (IPList) | extend IPAddress = iff(SourceIP in (IPList), SourceIP, DestinationIP) | summarize by IPAddress, Type;\\n// If you have enabled the imDNS and/or imNetworkSession normalization in your workdspace, you can uncomment below and include. Reference - https://docs.microsoft.com/azure/sentinel/normalization\\n//let ipsort = union isfuzzy=true CSlogDestIP, CSlogMsgIP, CSlogSourceIP, DnsIP, officeIP, signinIP, nonintSigninIP, azureActIP, awsCtIP, vmConnDestIP, vmConnSourceIP, azureDiagIP, sysEvtIP, imDnsIP, imNetSessIP\\n// If you uncomment above, then comment out the line below\\nlet ipsort = union isfuzzy=true CSlogDestIP, CSlogMsgIP, CSlogSourceIP, DnsIP, officeIP, signinIP, nonintSigninIP, azureActIP, awsCtIP, vmConnDestIP, vmConnSourceIP, azureDiagIP, sysEvtIP\\n| summarize by IPAddress\\n| where isnotempty(IPAddress) | where not(ipv4_is_private(IPAddress)) and IPAddress !in (\u00270.0.0.0\u0027,\u0027127.0.0.1\u0027);\\nlet ipMatch = ipsort | where IPAddress in (IPList);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (ipMatch) or DestinationIP in (ipMatch) or Message has_any (ipMatch)\\n| project TimeGenerated, SourceIP, DestinationIP, Message, SourceUserID, RequestURL, Type\\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend IPMatch = case(SourceIP in (ipMatch), \\\"SourceIP\\\", DestinationIP in (ipMatch), \\\"DestinationIP\\\", MessageIP in (ipMatch), \\\"Message\\\", \\\"No Match\\\")\\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, \\\"No Match\\\")\\n),\\n(OfficeActivity\\n| where ClientIP in (ipMatch)\\n| project TimeGenerated, UserAgent, Operation, RecordType, UserId, ClientIP, Type\\n| extend SourceIPAddress = ClientIP, Account = UserId\\n| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account\\n),\\n(DnsEvents\\n| where IPAddresses has_any (ipMatch)\\n| project TimeGenerated, Computer, IPAddresses, Name, ClientIP, Type\\n| extend DestinationIPAddress = IPAddresses, Host = Computer\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n),\\n(VMConnection\\n| where SourceIp in (ipMatch) or DestinationIp in (ipMatch)\\n| project TimeGenerated, Computer, SourceIp, DestinationIp, Type\\n| extend IPMatch = case( SourceIp in (ipMatch), \\\"SourceIP\\\", DestinationIp in (ipMatch), \\\"DestinationIP\\\", \\\"None\\\")\\n| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"None\\\"), Host = Computer\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| where EventData has_any (ipMatch)\\n| project TimeGenerated, EventData, UserName, Computer, Type\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = tostring(EventDetail.[9].[\\\"#text\\\"]), DestinationIP = tostring(EventDetail.[14].[\\\"#text\\\"])\\n| where SourceIP in (ipMatch) or DestinationIP in (ipMatch)\\n| extend IPMatch = case( SourceIP in (ipMatch), \\\"SourceIP\\\", DestinationIP in (ipMatch), \\\"DestinationIP\\\", \\\"None\\\")\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n),\\n(SigninLogs\\n| where IPAddress in (ipMatch)\\n| project TimeGenerated, UserPrincipalName, IPAddress, Type\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n),\\n(AADNonInteractiveUserSignInLogs\\n| where IPAddress in (ipMatch)\\n| project TimeGenerated, UserPrincipalName, IPAddress, Type\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n),\\n(W3CIISLog\\n| where cIP in (ipMatch)\\n| project TimeGenerated, Computer, cIP, csUserName, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName\\n),\\n(AzureActivity\\n| where CallerIpAddress in (ipMatch)\\n| project TimeGenerated, CallerIpAddress, Caller, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller\\n),\\n(\\nAWSCloudTrail\\n| where SourceIpAddress in (ipMatch)\\n| project TimeGenerated, SourceIpAddress, UserIdentityUserName, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName\\n), \\n( \\nDeviceNetworkEvents\\n| where RemoteIP in (ipMatch)\\n| where ActionType == \\\"InboundConnectionAccepted\\\"\\n| project TimeGenerated, RemoteIP, DeviceName, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName\\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category in (\\\"AzureFirewallApplicationRule\\\", \\\"AzureFirewallNetworkRule\\\")\\n| where msg_s has_any (ipMatch)\\n| project TimeGenerated, msg_s, Type\\n| parse msg_s with Protocol \u0027request from \u0027 SourceIP \u0027:\u0027 SourcePort \u0027to \u0027 DestinationIP \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where DestinationIP has_any (ipMatch)\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIP\\n)\\n// If you have enabled the imDNS and/or imNetworkSession normalization in your workdspace, you can uncomment below and include. Reference - https://docs.microsoft.com/azure/sentinel/normalization\\n//,\\n//(imDns (response_has_any_prefix=IPList)\\n//| project TimeGenerated, ResponseName, SrcIpAddr, Type\\n//| extend DestinationIPAddress = ResponseName, Host = SrcIpAddr\\n//| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n//),\\n//(imNetworkSession (dstipaddr_has_any_prefix=IPList)\\n//| project TimeGenerated, DstIpAddr, SrcIpAddr, Type\\n//| extend timestamp = TimeGenerated, IPCustomEntity = DstIpAddr, HostCustomEntity = SrcIpAddr\\n//)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Log4j vulnerability exploit aka Log4Shell IP IOC\",\"description\":\"Identifies a match across various data feeds for IP IOCs related to the Log4j vulnerability exploit aka Log4Shell described in CVE-2021-44228. \\n References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44228\u0027 \",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2019-12-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AzureMonitor(WireData)\",\"dataTypes\":[\"WireData\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bda5a2bd-979b-4828-a91f-27c2a5048f7f\",\"name\":\"bda5a2bd-979b-4828-a91f-27c2a5048f7f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT30M\",\"queryPeriod\":\"PT30M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let lbtime = 30m;\\nlet msgthreshold = 3;\\nProofpointPOD\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027outbound\u0027\\n| extend attachedMimeType = todynamic(MsgParts)[0][\u0027detectedMime\u0027]\\n| where attachedMimeType == \u0027application/zip\u0027\\n| summarize count() by SrcUserUpn, DstUserUpn\\n| where count_ \u003e msgthreshold\\n| extend AccountCustomEntity = SrcUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"ProofpointPOD - Multiple archived attachments to the same recipient\",\"description\":\"Detects when multiple emails where sent to the same recipient with large archived attachments.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1baaaf00-655f-4de9-8ff8-312e902cda71\",\"name\":\"1baaaf00-655f-4de9-8ff8-312e902cda71\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let known_locations = (\\n AADServicePrincipalSignInLogs\\n | where TimeGenerated between(ago(14d)..ago(1d))\\n | where ResultType == 0\\n | summarize by Location);\\n AADServicePrincipalSignInLogs\\n | where TimeGenerated \u003e ago(1d)\\n | where ResultType != 50126\\n | where Location !in (known_locations)\\n | extend City = tostring(parse_json(LocationDetails).city)\\n | extend State = tostring(parse_json(LocationDetails).state)\\n | extend Place = strcat(City, \\\" - \\\", State)\\n | extend Result = strcat(tostring(ResultType), \\\" - \\\", ResultDescription)\\n | summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated), make_set(Result), make_set(IPAddress), make_set(Place) by ServicePrincipalName, Location\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"ServicePrincipalName\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Service Principal Authentication Attempt from New Country\",\"description\":\"Detects when there is a Service Principal login attempt from a country that has not seen a successful login in the previous 14 days.\\n Threat actors may attempt to authenticate with credentials from compromised accounts - monitoring attempts from anomalous locations may help identify these attempts.\\n Authentication attempts should be investigated to ensure the activity was legitimate and if there is other similar activity.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADServicePrincipalSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/39198934-62a0-4781-8416-a81265c03fd6\",\"name\":\"39198934-62a0-4781-8416-a81265c03fd6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let detectionTime = 1d;\\nlet joinLookback = 14d;\\nAuditLogs\\n| where TimeGenerated \u003e ago(detectionTime)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Consent to application\\\"\\n| where TargetResources has \\\"offline\\\"\\n| extend AppDisplayName = TargetResources.[0].displayName\\n| extend AppClientId = tolower(TargetResources.[0].id)\\n| where AppClientId !in ((externaldata(knownAppClientId:string, knownAppDisplayName:string)[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.OAuth.KnownApplications.csv\\\"] with (format=\\\"csv\\\")))\\n| extend ConsentFull = TargetResources[0].modifiedProperties[4].newValue\\n| parse ConsentFull with * \\\"ConsentType: \\\" GrantConsentType \\\", Scope: \\\" GrantScope1 \\\"]\\\" *\\n| where ConsentFull contains \\\"user.read\\\" and ConsentFull contains \\\"offline_access\\\" and ConsentFull contains \\\"mail.readwrite\\\" and ConsentFull contains \\\"mail.send\\\" and ConsentFull contains \\\"files.read.all\\\"\\n| where GrantConsentType != \\\"AllPrincipals\\\" // NOTE: we are ignoring if OAuth application was granted to all users via an admin - but admin due diligence should be audited occasionally\\n| extend GrantIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n| extend GrantInitiatedBy = iff(isnotempty(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend GrantUserAgent = iff(AdditionalDetails[0].key =~ \\\"User-Agent\\\", AdditionalDetails[0].value, \\\"\\\")\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, GrantIpAddress, GrantUserAgent, AppClientId, OperationName, ConsentFull, CorrelationId\\n| join kind = leftouter (AuditLogs\\n| where TimeGenerated \u003e ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add service principal\\\"\\n| extend AppClientId = tolower(TargetResources[0].id)\\n| extend AppReplyURLs = iff(TargetResources[0].modifiedProperties[1].newValue has \\\"AddressType\\\", TargetResources[0].modifiedProperties[1].newValue, \\\"\\\")\\n| distinct AppClientId, tostring(AppReplyURLs)\\n)\\non AppClientId\\n| join kind = innerunique (AuditLogs\\n| where TimeGenerated \u003e ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add OAuth2PermissionGrant\\\" or OperationName =~ \\\"Add delegated permission grant\\\"\\n| extend GrantAuthentication = tostring(TargetResources[0].displayName)\\n| extend GrantOperation = OperationName\\n| project GrantAuthentication, GrantOperation, CorrelationId\\n) on CorrelationId\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantIpAddress, GrantUserAgent, AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull\\n| extend timestamp = TimeGenerated, AccountCustomEntity = GrantInitiatedBy, IPCustomEntity = GrantIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\",\"DefenseEvasion\"],\"displayName\":\"Suspicious application consent similar to PwnAuth\",\"description\":\"This will alert when a user consents to provide a previously-unknown Azure application with the same OAuth permissions used by the FireEye PwnAuth toolkit (https://github.com/fireeye/PwnAuth).\\nThe default permissions/scope for the PwnAuth toolkit are user.read, offline_access, mail.readwrite, mail.send, and files.read.all.\\nConsent to applications with these permissions should be rare, especially as the knownApplications list is expanded. Public contributions to expand this filter are welcome!\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fbd72eb8-087e-466b-bd54-1ca6ea08c6d3\",\"name\":\"fbd72eb8-087e-466b-bd54-1ca6ea08c6d3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let opList = OfficeActivity \\n| summarize by Operation\\n//| where Operation startswith \\\"Remove-\\\" or Operation startswith \\\"Disable-\\\"\\n| where Operation has_any (\\\"Remove\\\", \\\"Disable\\\")\\n| where Operation contains \\\"AntiPhish\\\" or Operation contains \\\"SafeAttachment\\\" or Operation contains \\\"SafeLinks\\\" or Operation contains \\\"Dlp\\\" or Operation contains \\\"Audit\\\"\\n| summarize make_set(Operation);\\nOfficeActivity\\n// Only admin or global-admin can disable/remove policy\\n| where RecordType =~ \\\"ExchangeAdmin\\\"\\n| where UserType in~ (\\\"Admin\\\",\\\"DcAdmin\\\")\\n// Pass in interesting Operation list\\n| where Operation in~ (opList)\\n| extend ClientIPOnly = case( \\nClientIP has \\\".\\\", tostring(split(ClientIP,\\\":\\\")[0]), \\nClientIP has \\\"[\\\", tostring(trim_start(@\u0027[[]\u0027,tostring(split(ClientIP,\\\"]\\\")[0]))),\\nClientIP\\n) \\n| extend Port = case(\\nClientIP has \\\".\\\", (split(ClientIP,\\\":\\\")[1]),\\nClientIP has \\\"[\\\", tostring(split(ClientIP,\\\"]:\\\")[1]),\\nClientIP\\n)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), OperationCount = count() by Operation, UserType, UserId, ClientIP = ClientIPOnly, Port, ResultStatus, Parameters\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"DefenseEvasion\"],\"displayName\":\"Office policy tampering\",\"description\":\"Identifies if any tampering is done to either auditlog, ATP Safelink, SafeAttachment, AntiPhish or Dlp policy. \\nAn adversary may use this technique to evade detection or avoid other policy based defenses.\\nReferences: https://learn.microsoft.com/powershell/module/exchange/advanced-threat-protection/remove-antiphishrule?view=exchange-ps.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-04-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/06a9b845-6a95-4432-a78b-83919b28c375\",\"name\":\"06a9b845-6a95-4432-a78b-83919b28c375\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":3,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet scorethreshold = 5;\\nlet percentotalthreshold = 50;\\nlet TimeSeriesData = CommonSecurityLog\\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| project TimeGenerated,SourceIP, DestinationIP, DeviceVendor\\n| make-series Total=count() on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by DeviceVendor;\\n// Filtering specific records associated with spikes as outliers\\nlet TimeSeriesAlerts=materialize(TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(Total, scorethreshold, -1, \u0027linefit\u0027)\\n| mv-expand Total to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double),score to typeof(double), baseline to typeof(long)\\n| where anomalies \u003e 0 | extend score = round(score,2), AnomalyHour = TimeGenerated\\n| project DeviceVendor,AnomalyHour, TimeGenerated, Total, baseline, anomalies, score);\\nlet AnomalyHours = materialize(TimeSeriesAlerts | where TimeGenerated \u003e ago(2d) | project TimeGenerated);\\n// Join anomalies with Base Data to popalate associated records for investigation - Results sorted by score in descending order\\nTimeSeriesAlerts\\n| where TimeGenerated \u003e ago(2d)\\n| join (\\n CommonSecurityLog\\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\\n| where TimeGenerated \u003e ago(2d)\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n| summarize HourlyCount = count(), TimeGeneratedMax = arg_max(TimeGenerated, *), DestinationIPlist = make_set(DestinationIP, 100), DestinationPortlist = make_set(DestinationPort, 100) by DeviceVendor, SourceIP, TimeGeneratedHour= bin(TimeGenerated, 1h)\\n| extend AnomalyHour = TimeGeneratedHour\\n) on AnomalyHour, DeviceVendor\\n| extend PercentTotal = round((HourlyCount / Total) * 100, 3)\\n| where PercentTotal \u003e percentotalthreshold\\n| project DeviceVendor , AnomalyHour, TimeGeneratedMax, SourceIP, DestinationIPlist, DestinationPortlist, HourlyCount, PercentTotal, Total, baseline, score, anomalies\\n| summarize HourlyCount=sum(HourlyCount), StartTimeUtc=min(TimeGeneratedMax), EndTimeUtc=max(TimeGeneratedMax), SourceIPlist = make_set(SourceIP, 100), SourceIPMax= arg_max(SourceIP, *), DestinationIPlist = make_set(DestinationIPlist, 100), DestinationPortlist = make_set(DestinationPortlist, 100) by DeviceVendor , AnomalyHour, Total, baseline, score, anomalies\\n| project DeviceVendor , AnomalyHour, EndTimeUtc, SourceIPMax ,SourceIPlist, DestinationIPlist, DestinationPortlist, HourlyCount, Total, baseline, score, anomalies\\n| extend timestamp= EndTimeUtc , IPCustomEntity = SourceIPMax\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"Time series anomaly detection for total volume of traffic\",\"description\":\"Identifies anamalous spikes in network traffic logs as compared to baseline or normal historical patterns.\\nThe query leverages a KQL built-in anomaly detection algorithm to find large deviations from baseline patterns.\\nSudden increases in network traffic volume may be an indication of data exfiltration attempts and should be investigated.\\nThe higher the score, the further it is from the baseline value.\\nThe output is aggregated to provide summary view of unique source IP to destination IP address and port traffic observed in the flagged anomaly hour.\\nThe source IP addresses which were sending less than percentotalthreshold of the total traffic have been exluded whose value can be adjusted as needed .\\nYou may have to run queries for individual source IP addresses from SourceIPlist to determine if anything looks suspicious\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2019-05-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Barracuda\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f110287e-1358-490d-8147-ed804b328514\",\"name\":\"f110287e-1358-490d-8147-ed804b328514\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n AWSCloudTrail | where TimeGenerated \u003e= ago(dt_lookBack)\\n // renaming time column so it is clear the log this came from\\n | extend AWSCloudTrail_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.SourceIpAddress\\n| where AWSCloudTrail_TimeGenerated \u003c ExpirationDateTime\\n| summarize AWSCloudTrail_TimeGenerated = arg_max(AWSCloudTrail_TimeGenerated, *) by IndicatorId, SourceIpAddress\\n| project AWSCloudTrail_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserIdentityUserName, SourceIpAddress,\\nNetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = AWSCloudTrail_TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to AWSCloudTrail\",\"description\":\"Identifies a match in AWSCloudTrail from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7249500f-3038-4b83-8549-9cd8dfa2d498\",\"name\":\"7249500f-3038-4b83-8549-9cd8dfa2d498\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"de-ma.online\\\", \\\"g20saudi.000webhostapp.com\\\", \\\"ksat20.000webhostapp.com\\\"]);\\nlet EmailAddresses = dynamic([\\\"munichconference1962@gmail.com\\\",\\\"munichconference@outlook.de\\\", \\\"munichconference@outlook.com\\\", \\\"t20saudiarabia@gmail.com\\\", \\\"t20saudiarabia@hotmail.com\\\", \\\"t20saudiarabia@outlook.sa\\\"]);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend RequestURLIP = extract(IPRegex, 0, Message)\\n| where (isnotempty(DNSName) and DNSName has_any (DomainNames)) \\n or (isnotempty(DestinationHostName) and DestinationHostName has_any (DomainNames)) \\n or (isnotempty(RequestURL) and (RequestURL has_any (DomainNames)))\\n| extend timestamp = TimeGenerated , AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName\\n),\\n(DnsEvents \\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Host = Computer\\n| where DNSName has_any (DomainNames) \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host),\\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where isnotempty(DNSName)\\n| where DNSName has_any (DomainNames)\\n| extend timestamp = TimeGenerated , HostCustomEntity = Computer),\\n(SecurityAlert\\n| where ProviderName =~ \u0027OATP\u0027\\n| extend UPN = case(isnotempty(parse_json(Entities)[0].Upn), parse_json(Entities)[0].Upn, \\n isnotempty(parse_json(Entities)[1].Upn), parse_json(Entities)[1].Upn,\\n isnotempty(parse_json(Entities)[2].Upn), parse_json(Entities)[2].Upn,\\n isnotempty(parse_json(Entities)[3].Upn), parse_json(Entities)[3].Upn,\\n isnotempty(parse_json(Entities)[4].Upn), parse_json(Entities)[4].Upn,\\n isnotempty(parse_json(Entities)[5].Upn), parse_json(Entities)[5].Upn,\\n isnotempty(parse_json(Entities)[6].Upn), parse_json(Entities)[6].Upn,\\n isnotempty(parse_json(Entities)[7].Upn), parse_json(Entities)[7].Upn,\\n isnotempty(parse_json(Entities)[8].Upn), parse_json(Entities)[8].Upn,\\n parse_json(Entities)[9].Upn)\\n| where Entities has_any (EmailAddresses)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = tostring(UPN)),\\n(AzureDiagnostics\\n| where ResourceType =~ \\\"AZUREFIREWALLS\\\"\\n| where msg_s has_any (DomainNames)\\n| extend timestamp = TimeGenerated))\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"InitialAccess\"],\"displayName\":\"Known PHOSPHORUS group domains/IP - October 2020\",\"description\":\"Matches IOCs related to PHOSPHORUS group activity published October 2020 with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes.\\nReferences: \",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-10-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog (Cisco)\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog (Zscaler)\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog (Fortinet)\"]},{\"connectorId\":\"OfficeATP\",\"dataTypes\":[\"SecurityAlert (OATP)\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics (Azure Firewall)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5ef06767-b37c-4818-b035-47de950d0046\",\"name\":\"5ef06767-b37c-4818-b035-47de950d0046\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"// How far back to look for events from\\nlet timeframe = 1d;\\n// How close together build events and file modifications should occur to alert (make this smaller to reduce FPs)\\nlet time_window = 5m;\\n// Edit this to include build processes used\\nlet build_processes = dynamic([\\\"MSBuild.exe\\\", \\\"dotnet.exe\\\", \\\"VBCSCompiler.exe\\\"]);\\n// Include any processes that you want to allow to edit files during/around the build process\\nlet allow_list = dynamic([\\\"\\\"]);\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n// Look for build process starts\\n| where EventID == 4688\\n| where Process has_any (build_processes)\\n| summarize by BuildParentProcess=ParentProcessName, BuildProcess=Process, BuildAccount = Account, Computer, BuildCommand=CommandLine, timekey= bin(TimeGenerated, time_window), BuildProcessTime=TimeGenerated\\n| join kind=inner(\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n// Look for file modifications to code file\\n| where EventID == 4663\\n| where Process !in (allow_list)\\n// Look for code files, edit this to include file extensions used in build.\\n| where ObjectName endswith \\\".cs\\\" or ObjectName endswith \\\".cpp\\\"\\n// 0x6 and 0x4 for file append, 0x100 for file replacements\\n| where AccessMask == \\\"0x6\\\" or AccessMask == \\\"0x4\\\" or AccessMask == \\\"0X100\\\"\\n| summarize by FileEditParentProcess=ParentProcessName, FileEditAccount = Account, Computer, FileEdited=ObjectName, FileEditProcess=ProcessName, timekey= bin(TimeGenerated, time_window), FileEditTime=TimeGenerated)\\n// join where build processes and file modifications seen at same time on same host\\non timekey, Computer\\n// Limit to only where the file edit happens after the build process starts\\n| where BuildProcessTime \u003c= FileEditTime\\n| summarize make_set(FileEdited), make_set(FileEditProcess), make_set(FileEditAccount) by timekey, Computer, BuildParentProcess, BuildProcess\\n| extend HostCustomEntity=Computer, timestamp=timekey\\n),\\n(WindowsEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n// Look for build process starts\\n| where EventID == 4688 and EventData has_any (build_processes)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where Process has_any (build_processes)\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend CommandLine = tostring(EventData.CommandLine) \\n| summarize by BuildParentProcess=ParentProcessName, BuildProcess=Process, BuildAccount = Account, Computer, BuildCommand=CommandLine, timekey= bin(TimeGenerated, time_window), BuildProcessTime=TimeGenerated\\n| join kind=inner(\\nWindowsEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n// Look for file modifications to code file\\n| where EventID == 4663 and EventData has_any (\\\"0x6\\\", \\\"0x4\\\", \\\"0X100\\\") and EventData has_any (\\\".cs\\\", \\\".cpp\\\")\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where Process !in (allow_list)\\n// Look for code files, edit this to include file extensions used in build.\\n| extend ObjectName = tostring(EventData.ObjectName)\\n| where ObjectName endswith \\\".cs\\\" or ObjectName endswith \\\".cpp\\\"\\n// 0x6 and 0x4 for file append, 0x100 for file replacements\\n| extend AccessMask = tostring(EventData.AccessMask) \\n| where AccessMask == \\\"0x6\\\" or AccessMask == \\\"0x4\\\" or AccessMask == \\\"0X100\\\"\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| summarize by FileEditParentProcess=ParentProcessName, FileEditAccount = Account, Computer, FileEdited=ObjectName, FileEditProcess=ProcessName, timekey= bin(TimeGenerated, time_window), FileEditTime=TimeGenerated)\\n// join where build processes and file modifications seen at same time on same host\\non timekey, Computer\\n// Limit to only where the file edit happens after the build process starts\\n| where BuildProcessTime \u003c= FileEditTime\\n| summarize make_set(FileEdited), make_set(FileEditProcess), make_set(FileEditAccount) by timekey, Computer, BuildParentProcess, BuildProcess\\n| extend HostCustomEntity=Computer, timestamp=timekey\\n))\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Potential Build Process Compromise\",\"description\":\"The query looks for source code files being modified immediately after a build process is started. The purpose of this is to look for malicious code injection during the build process.\\nMore details: https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-the-software-supply-chain-with-azure-sentinel/ba-p/2176463\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a83ef0f4-dace-4767-bce3-ebd32599d2a0\",\"name\":\"a83ef0f4-dace-4767-bce3-ebd32599d2a0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"DnsEvents\\n| where Name contains \\\".\\\"\\n| where Name has_any (\\\"tor2web.org\\\", \\\"tor2web.com\\\", \\\"torlink.co\\\", \\\"onion.to\\\", \\\"onion.ink\\\", \\\"onion.cab\\\", \\\"onion.nu\\\", \\\"onion.link\\\", \\n\\\"onion.it\\\", \\\"onion.city\\\", \\\"onion.direct\\\", \\\"onion.top\\\", \\\"onion.casa\\\", \\\"onion.plus\\\", \\\"onion.rip\\\", \\\"onion.dog\\\", \\\"tor2web.fi\\\", \\n\\\"tor2web.blutmagie.de\\\", \\\"onion.sh\\\", \\\"onion.lu\\\", \\\"onion.pet\\\", \\\"t2w.pw\\\", \\\"tor2web.ae.org\\\", \\\"tor2web.io\\\", \\\"tor2web.xyz\\\", \\\"onion.lt\\\", \\n\\\"s1.tor-gateways.de\\\", \\\"s2.tor-gateways.de\\\", \\\"s3.tor-gateways.de\\\", \\\"s4.tor-gateways.de\\\", \\\"s5.tor-gateways.de\\\", \\\"hiddenservice.net\\\")\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"DNS events related to ToR proxies\",\"description\":\"Identifies IP addresses performing DNS lookups associated with common ToR proxies.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/42436753-9944-4d70-801c-daaa4d19ddd2\",\"name\":\"42436753-9944-4d70-801c-daaa4d19ddd2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"AlertPerResult\"},\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let threatCategory=\\\"Powershell\\\";\\nlet knownUserAgentsIndicators = materialize(externaldata(UserAgent:string, Category:string)\\n [ @\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/UnusualUserAgents.csv\\\"]\\n with(format=\\\"csv\\\", ignoreFirstRecord=True));\\nlet knownUserAgents=toscalar(knownUserAgentsIndicators | where Category==threatCategory | where isnotempty(UserAgent) | summarize make_list(UserAgent));\\nlet customUserAgents=toscalar(_GetWatchlist(\\\"UnusualUserAgents\\\") | where SearchKey==threatCategory | extend UserAgent=column_ifexists(\\\"UserAgent\\\",\\\"\\\") | where isnotempty(UserAgent) | summarize make_list(UserAgent));\\nlet fullUAList = array_concat(knownUserAgents,customUserAgents);\\n_Im_WebSession(httpuseragent_has_any=fullUAList)\\n| project SrcIpAddr, Url, TimeGenerated,HttpUserAgent, SrcUsername\",\"customDetails\":{\"UserAgent\":\"HttpUserAgent\"},\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"SrcUsername\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Host {{SrcIpAddr}} is potentially running PowerShell\",\"alertDescriptionFormat\":\"The host at address {{SrcIpAddr}} sent an HTTP request to the URL {{Url}} with the HTTP user agent header {{HttpUserAgent}}. This user agent is known to be used by PoerShell and indicates suspicious activity on the host.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"CommandAndControl\",\"DefenseEvasion\"],\"displayName\":\"A host is potentially running PowerShell to send HTTP(S) requests (ASIM Web Session schema)\",\"description\":\"This rule identifies a web request with a user agent header known to belong PowerShell. \u003cbr\u003eYou can add custom Powershell indicating User-Agent headers using a watchlist, for more information refer to the [UnusualUserAgents Watchlist](https://aka.ms/ASimUnusualUserAgentsWatchlist).\u003cbr\u003e\u003cbr\u003e\\n This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema)\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2021-12-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/56fe0db0-6779-46fa-b3c5-006082a53064\",\"name\":\"56fe0db0-6779-46fa-b3c5-006082a53064\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let tokens = dynamic([\\\"416\\\",\\\"208\\\",\\\"128\\\",\\\"120\\\",\\\"96\\\",\\\"80\\\",\\\"72\\\",\\\"64\\\",\\\"48\\\",\\\"44\\\",\\\"40\\\",\\\"g5\\\",\\\"gs5\\\",\\\"g4\\\",\\\"gs4\\\",\\\"nc12\\\",\\\"nc24\\\",\\\"nv12\\\"]);\\nlet operationList = dynamic([\\\"microsoft.compute/virtualmachines/write\\\", \\\"microsoft.resources/deployments/write\\\"]);\\nAzureActivity\\n| where tolower(OperationNameValue) in (operationList)\\n| where ActivityStatusValue == \\\"Accepted\\\" \\n| where isnotempty(Properties)\\n| extend vmSize = tolower(tostring(parse_json(tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).responseBody)).properties)).hardwareProfile)).vmSize))\\n| where isnotempty(vmSize)\\n| where vmSize has_any (tokens) \\n| extend ComputerName = tostring(parse_json(tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).responseBody)).properties)).osProfile)).computerName)\\n| extend clientIpAddress = tostring(parse_json(HTTPRequest).clientIpAddress)\\n| project TimeGenerated, OperationNameValue, ActivityStatusValue, Caller, CallerIpAddress, ComputerName, vmSize\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"NRT Creation of expensive computes in Azure\",\"description\":\"Identifies the creation of large size/expensive VMs (GPU or with large no of virtual CPUs) in Azure.\\nAdversary may create new or update existing virtual machines sizes to evade defenses \\nor use it for cryptomining purposes.\\nFor Windows/Linux Vm Sizes - https://docs.microsoft.com/azure/virtual-machines/windows/sizes \\nAzure VM Naming Conventions - https://docs.microsoft.com/azure/virtual-machines/vm-naming-conventions\",\"lastUpdatedDateUTC\":\"2022-03-31T00:00:00Z\",\"createdDateUTC\":\"2020-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5d33fc63-b83b-4913-b95e-94d13f0d379f\",\"name\":\"5d33fc63-b83b-4913-b95e-94d13f0d379f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.0\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet fileHashIndicators = ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n| where isnotempty(FileHashValue);\\n// Handle matches against both lower case and uppercase versions of the hash:\\n(fileHashIndicators | extend FileHashValue = tolower(FileHashValue)\\n| union (fileHashIndicators | extend FileHashValue = toupper(FileHashValue)))\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n CommonSecurityLog | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(FileHash)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n )\\non $left.FileHashValue == $right.FileHash\\n| where CommonSecurityLog_TimeGenerated \u003c ExpirationDateTime\\n| summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, FileHashValue\\n| project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nSourceIP, SourcePort, DestinationIP, DestinationPort, SourceUserID, SourceUserName, DeviceName, DeviceAction,\\nRequestURL, DestinationUserName, DestinationUserID, ApplicationProtocol, Activity, FileHashValue, FileHashType\\n| extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, AccountCustomEntity = SourceUserName, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Value\",\"columnName\":\"FileHashValue\"},{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashType\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map File Hash to CommonSecurityLog Event\",\"description\":\"Identifies a match in CommonSecurityLog Event data from any FileHash IOC from TI\",\"lastUpdatedDateUTC\":\"2022-07-07T00:00:00Z\",\"createdDateUTC\":\"2019-08-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1f3b4dfd-21ff-4ed3-8e27-afc219e05c50\",\"name\":\"1f3b4dfd-21ff-4ed3-8e27-afc219e05c50\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n| where LoggedByService =~ \\\"PIM\\\"\\n| where Category =~ \\\"RoleManagement\\\"\\n| where ActivityDisplayName has \\\"Disable PIM Alert\\\"\\n| extend IpAddress = case(\\n isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)) and tostring(parse_json(tostring(InitiatedBy.user)).ipAddress) != \u0027null\u0027, tostring(parse_json(tostring(InitiatedBy.user)).ipAddress), \\n isnotempty(tostring(parse_json(tostring(InitiatedBy.app)).ipAddress)) and tostring(parse_json(tostring(InitiatedBy.app)).ipAddress) != \u0027null\u0027, tostring(parse_json(tostring(InitiatedBy.app)).ipAddress),\\n \u0027Not Available\u0027)\\n| extend InitiatedBy = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)), \\n tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName)), UserRoles = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n| project InitiatedBy, ActivityDateTime, ActivityDisplayName, IpAddress, AADOperationType, AADTenantId, ResourceId, CorrelationId, Identity\\n| extend timestamp = ActivityDateTime, IPCustomEntity = IpAddress, AccountCustomEntity = tolower(InitiatedBy), ResourceCustomEntity = ResourceId\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Detect PIM Alert Disabling activity\",\"description\":\"Privileged Identity Management (PIM) generates alerts when there is suspicious or unsafe activity in Azure Active Directory (Azure AD) organization. \\nThis query will help detect attackers attempts to disable in product PIM alerts which are associated with Azure MFA requirements and could indicate activation of privileged access\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-09-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d99cf5c3-d660-436c-895b-8a8f8448da23\",\"name\":\"d99cf5c3-d660-436c-895b-8a8f8448da23\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"SigninLogs\\n| where ResultType == 500121\\n| extend additionalDetails_ = tostring(Status.additionalDetails)\\n| where additionalDetails_ =~ \\\"MFA denied; user declined the authentication\\\"\\n| extend AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"AadUserId\",\"columnName\":\"UserId\"},{\"identifier\":\"AadTenantId\",\"columnName\":\"AADTenantId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"MFA Rejected by User\",\"description\":\"Identifies accurances where a user has rejected an MFA prompt. This could be an indicator that a threat actor has compromised the username and password of this user account and is using it to try and log into the account.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d0aa8969-1bbe-4da3-9e76-09e5f67c9d85\",\"name\":\"d0aa8969-1bbe-4da3-9e76-09e5f67c9d85\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n AzureDiagnostics\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where ResourceProvider == \u0027MICROSOFT.SQL\u0027\\n | where Category == \u0027SQLSecurityAuditEvents\u0027\\n | extend SQLSecurityAuditEvents_TimeGenerated = TimeGenerated\\n // projecting fields with column if exists as this is in AzureDiag and if the event is not in the table, then queries will fail due to event specific schemas\\n | extend ClientIP = column_ifexists(\\\"client_ip_s\\\", \\\"Not Available\\\"), Action = column_ifexists(\\\"action_name_s\\\", \\\"Not Available\\\"), \\n Application = column_ifexists(\\\"application_name_s\\\", \\\"Not Available\\\"), HostName = column_ifexists(\\\"host_name_s\\\", \\\"Not Available\\\")\\n)\\non $left.TI_ipEntity == $right.ClientIP\\n| where SQLSecurityAuditEvents_TimeGenerated \u003c ExpirationDateTime\\n| summarize SQLSecurityAuditEvents_TimeGenerated = arg_max(SQLSecurityAuditEvents_TimeGenerated, *) by IndicatorId, ClientIP\\n| project SQLSecurityAuditEvents_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, ResourceId, ClientIP, Action, Application, HostName, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = SQLSecurityAuditEvents_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to Azure SQL Security Audit Events\",\"description\":\"Identifies a match in SQLSecurityAuditEvents from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4a3f5ed7-8da5-4ce2-af6f-c9ada45060f2\",\"name\":\"4a3f5ed7-8da5-4ce2-af6f-c9ada45060f2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @\u0027^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$\u0027;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n OfficeActivity | where TimeGenerated \u003e= ago(dt_lookBack) and isnotempty(UserId)\\n | where UserId matches regex emailregex\\n | extend OfficeActivity_TimeGenerated = TimeGenerated\\n)\\non $left.EmailSenderAddress == $right.UserId\\n| where OfficeActivity_TimeGenerated \u003c ExpirationDateTime\\n| summarize OfficeActivity_TimeGenerated = arg_max(OfficeActivity_TimeGenerated, *) by IndicatorId, UserId\\n| project OfficeActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, UserId, ClientIP, Operation, UserType, RecordType, OfficeWorkload, Parameters\\n| extend timestamp = OfficeActivity_TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map Email entity to OfficeActivity\",\"description\":\"Identifies a match in OfficeActivity table from any Email IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/44a555d8-ecee-4a25-95ce-055879b4b14b\",\"name\":\"44a555d8-ecee-4a25-95ce-055879b4b14b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let timeBin = 10m;\\nlet portThreshold = 30;\\nW3CIISLog\\n| extend scStatusFull = strcat(scStatus, \\\".\\\",scSubStatus) \\n// Map common IIS codes\\n| extend scStatusFull_Friendly = case(\\nscStatusFull == \\\"401.0\\\", \\\"Access denied.\\\",\\nscStatusFull == \\\"401.1\\\", \\\"Logon failed.\\\",\\nscStatusFull == \\\"401.2\\\", \\\"Logon failed due to server configuration.\\\",\\nscStatusFull == \\\"401.3\\\", \\\"Unauthorized due to ACL on resource.\\\",\\nscStatusFull == \\\"401.4\\\", \\\"Authorization failed by filter.\\\",\\nscStatusFull == \\\"401.5\\\", \\\"Authorization failed by ISAPI/CGI application.\\\",\\nscStatusFull == \\\"403.0\\\", \\\"Forbidden.\\\",\\nscStatusFull == \\\"403.4\\\", \\\"SSL required.\\\",\\n\\\"See - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\\")\\n// Mapping to Hex so can be mapped using website in comments above\\n| extend scWin32Status_Hex = tohex(tolong(scWin32Status)) \\n// Map common win32 codes\\n| extend scWin32Status_Friendly = case(\\nscWin32Status_Hex =~ \\\"775\\\", \\\"The referenced account is currently locked out and cannot be logged on to.\\\",\\nscWin32Status_Hex =~ \\\"52e\\\", \\\"Logon failure: Unknown user name or bad password.\\\",\\nscWin32Status_Hex =~ \\\"532\\\", \\\"Logon failure: The specified account password has expired.\\\",\\nscWin32Status_Hex =~ \\\"533\\\", \\\"Logon failure: Account currently disabled.\\\", \\nscWin32Status_Hex =~ \\\"2ee2\\\", \\\"The request has timed out.\\\", \\nscWin32Status_Hex =~ \\\"0\\\", \\\"The operation completed successfully.\\\", \\nscWin32Status_Hex =~ \\\"1\\\", \\\"Incorrect function.\\\", \\nscWin32Status_Hex =~ \\\"2\\\", \\\"The system cannot find the file specified.\\\", \\nscWin32Status_Hex =~ \\\"3\\\", \\\"The system cannot find the path specified.\\\", \\nscWin32Status_Hex =~ \\\"4\\\", \\\"The system cannot open the file.\\\", \\nscWin32Status_Hex =~ \\\"5\\\", \\\"Access is denied.\\\", \\nscWin32Status_Hex =~ \\\"8009030e\\\", \\\"SEC_E_NO_CREDENTIALS\\\", \\nscWin32Status_Hex =~ \\\"8009030C\\\", \\\"SEC_E_LOGON_DENIED\\\", \\n\\\"See - https://msdn.microsoft.com/library/cc231199.aspx\\\")\\n// decode URI when available\\n| extend decodedUriQuery = url_decode(csUriQuery)\\n// Count of attempts by client IP on many ports\\n| summarize makeset(sPort), makeset(decodedUriQuery), makeset(csUserName), makeset(sSiteName), makeset(sPort), makeset(csUserAgent), makeset(csMethod), makeset(csUriQuery), makeset(scStatusFull), makeset(scStatusFull_Friendly), makeset(scWin32Status_Hex), makeset(scWin32Status_Friendly), ConnectionsCount = count() by bin(TimeGenerated, timeBin), cIP, Computer, sIP\\n| extend portCount = arraylength(set_sPort)\\n| where portCount \u003e= portThreshold\\n| project TimeGenerated, cIP, set_sPort, set_csUserName, set_decodedUriQuery, Computer, set_sSiteName, sIP, set_csUserAgent, set_csMethod, set_scStatusFull, set_scStatusFull_Friendly, set_scWin32Status_Hex, set_scWin32Status_Friendly, ConnectionsCount, portCount\\n| order by portCount\\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"High count of connections by client IP on many ports\",\"description\":\"Identifies when 30 or more ports are used for a given client IP in 10 minutes occurring on the IIS server.\\nThis could be indicative of attempted port scanning or exploit attempt at internet facing web applications. \\nThis could also simply indicate a misconfigured service or device.\\nReferences:\\nIIS status code mapping - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\nWin32 Status code mapping - https://msdn.microsoft.com/library/cc231199.aspx\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-03-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2de8abd6-a613-450e-95ed-08e503369fb3\",\"name\":\"2de8abd6-a613-450e-95ed-08e503369fb3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"AzureDiagnostics\\n| where details_data_s has \\\"jndi:\\\"\\n| parse details_data_s with * \u0027${\u0027 MaliciousCommand \u0027}\u0027 *\\n| extend EncodeCmd = iff(MaliciousCommand has \u0027Base64/\u0027, split(split(MaliciousCommand, \\\"Base64/\\\",1)[0], \\\"}\\\", 0)[0], \\\"\\\")\\n| extend EncodeCmd1 = iff(MaliciousCommand has \u0027base64/\u0027, split(split(MaliciousCommand, \\\"base64/\\\",1)[0], \\\"}\\\", 0)[0], \\\"\\\")\\n| extend CmdLine = iff( isnotempty(EncodeCmd), EncodeCmd, EncodeCmd1)\\n| extend DecodedCmdLine = base64_decode_tostring(tostring(CmdLine))\\n| extend DecodedCmdLine = iff( isnotempty(DecodedCmdLine), DecodedCmdLine, \\\"Unable to decode\\\")\\n| project TimeGenerated, Target=hostname_s, MaliciousHost = clientIp_s, MaliciousCommand, details_data_s, DecodedCmdLine, Message, ruleSetType_s, OperationName, SubscriptionId, details_message_s, details_file_s \\n| extend IPCustomEntity = MaliciousHost, timestamp = TimeGenerated\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Azure WAF matching for Log4j vuln(CVE-2021-44228)\",\"description\":\"This query will alert on a positive pattern match by Azure WAF for CVE-2021-44228 log4j vulnerability exploitation attempt. If possible, it then decodes the malicious command for further analysis.\\n Refrence: https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-12-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"WAF\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/972c89fa-c969-4d12-932f-04d55d145299\",\"name\":\"972c89fa-c969-4d12-932f-04d55d145299\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"( union isfuzzy=true\\n(SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| extend FileName = Process, ProcessCommandLine = CommandLine\\n| where (FileName in~(\u0027control.exe\u0027,\u0027rundll32.exe\u0027) and ProcessCommandLine has \u0027.cpl:\u0027)\\n or ProcessCommandLine matches regex @\u0027\\\\\\\".[a-zA-Z]{2,4}:\\\\.\\\\.\\\\/\\\\.\\\\.\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(DeviceProcessEvents\\n| where (FileName in~(\u0027control.exe\u0027,\u0027rundll32.exe\u0027) and ProcessCommandLine has \u0027.cpl:\u0027)\\nor ProcessCommandLine matches regex @\u0027\\\\\\\".[a-zA-Z]{2,4}:\\\\.\\\\.\\\\/\\\\.\\\\.\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountUpn, HostCustomEntity = DeviceName\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1 \\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| extend Image = column_ifexists(\\\"Image\\\", \\\"\\\"), ProcessCommandLine = column_ifexists(\\\"CommandLine\\\", \\\"\\\")\\n| extend FileName = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n| where (FileName in~(\u0027control.exe\u0027,\u0027rundll32.exe\u0027) and ProcessCommandLine has \u0027.cpl:\u0027)\\n or ProcessCommandLine matches regex @\u0027\\\\\\\".[a-zA-Z]{2,4}:\\\\.\\\\.\\\\/\\\\.\\\\.\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"MSHTML vulnerability CVE-2021-40444 attack\",\"description\":\"This query detects attacks that exploit the CVE-2021-40444 MSHTML vulnerability using specially crafted Microsoft Office documents. \\n The detection searches for relevant files used in the attack along with regex matches in commnadline to look for pattern similar to : \\\".cpl:../../msword.inf\\\"\\n Refrence: https://www.microsoft.com/security/blog/2021/09/15/analyzing-attacks-that-exploit-the-mshtml-cve-2021-40444-vulnerability/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-09-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4ca74dc0-8352-4ac5-893c-73571cc78331\",\"name\":\"4ca74dc0-8352-4ac5-893c-73571cc78331\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let keywords = dynamic([\\\"secret\\\", \\\"secrets\\\", \\\"password\\\", \\\"PAT\\\", \\\"passwd\\\", \\\"pswd\\\", \\\"pwd\\\", \\\"cred\\\", \\\"creds\\\", \\\"credentials\\\", \\\"credential\\\", \\\"key\\\"]);\\nAzureDevOpsAuditing\\n| where OperationName =~ \\\"Library.VariableGroupModified\\\"\\n| extend Type = tostring(Data.Type)\\n| extend VariableGroupId = tostring(Data.VariableGroupId)\\n| extend VariableGroupName = tostring(Data.VariableGroupName)\\n| mv-expand Data.Variables\\n| where VariableGroupName has_any (keywords) or Data_Variables has_any (keywords)\\n| where Type != \\\"AzureKeyVault\\\"\\n| where Data_Variables !has \\\"IsSecret\\\"\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Azure DevOps Variable Secret Not Secured\",\"description\":\"Credentials used in the build process may be stored as Azure DevOps variables. To secure these variables they should be stored in KeyVault or marked as Secrets. \\nThis detection looks for new variables added with names that suggest they are credentials but where they are not set as Secrets or stored in KeyVault.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cc5780ce-3245-4bba-8bc1-e9048c2257ce\",\"name\":\"cc5780ce-3245-4bba-8bc1-e9048c2257ce\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n | where Category =~ \\\"ApplicationManagement\\\"\\n | where OperationName =~ \\\"Add owner to application\\\"\\n | extend appName = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n | extend UPN = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend UpdatedBy = iif(isnotempty(appName), appName, UPN)\\n | extend mod_props = TargetResources[0].modifiedProperties\\n | extend AddedUser = TargetResources[0].userPrincipalName\\n | mv-expand mod_props\\n | where mod_props.displayName =~ \\\"Application.DisplayName\\\"\\n | extend AppName = tostring(parse_json(tostring(mod_props.newValue)))\\n | project-reorder TimeGenerated, OperationName, AppName, AddedUser, UpdatedBy\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UpdatedBy\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddedUser\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Changes to Application Ownership\",\"description\":\"Detects changes to the ownership of an appplicaiton.\\n Monitor these changes to make sure that they were authorized.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-applications#new-owner\",\"lastUpdatedDateUTC\":\"2022-07-09T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/15049017-527f-4d3b-b011-b0e99e68ef45\",\"name\":\"15049017-527f-4d3b-b011-b0e99e68ef45\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let procList = externaldata(Process:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Microsoft_Lolbas_Execution_Binaries.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nSecurityEvent\\n| where EventID == 4688 and Process has_any (procList) and not (NewProcessName has (\\\"C:\\\\\\\\Windows\\\\\\\\\\\"))\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, SubjectUserName, NewProcessName, Process, CommandLine\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SubjectUserName\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLine\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"Windows Binaries Executed from Non-Default Directory\",\"description\":\"The query detects Windows binaries, that can be executed from a non-default directory (e.g. C:\\\\Windows\\\\, C:\\\\Windows\\\\System32 etc.). \\nRef: https://lolbas-project.github.io/\",\"lastUpdatedDateUTC\":\"2022-02-15T00:00:00Z\",\"createdDateUTC\":\"2022-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2f4165a6-c4fb-4e94-861e-37f1b4d6c0e6\",\"name\":\"2f4165a6-c4fb-4e94-861e-37f1b4d6c0e6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"// Adjust this to use a longer timeframe to identify ADFS servers\\n//let lookback = 0d;\\n// Adjust this to adjust detection timeframe\\n//let timeframe = 1d;\\n// SamAccountName of AD FS Service Account. Filter on the use of a specific AD FS user account\\n//let adfsuser = \u0027adfsadmin\u0027;\\n// Identify ADFS Servers\\nlet ADFS_Servers = (\\n SecurityEvent\\n //| where TimeGenerated \u003e ago(timeframe+lookback)\\n | where EventSourceName == \u0027AD FS Auditing\u0027\\n | distinct Computer\\n);\\nSecurityEvent\\n //| where TimeGenerated \u003e ago(timeframe)\\n | where Computer in~ (ADFS_Servers)\\n // A token of type \u0027http://schemas.microsoft.com/ws/2006/05/servicemodel/tokens/SecureConversation\u0027\\n // for relying party \u0027-\u0027 was successfully authenticated.\\n | where EventID == 412\\n | extend EventData = parse_xml(EventData).EventData.Data\\n | extend InstanceId = tostring(EventData[0])\\n| join kind=inner\\n(\\n SecurityEvent\\n //| where TimeGenerated \u003e ago(timeframe)\\n | where Computer in~ (ADFS_Servers)\\n // Events to identify caller identity from event 412\\n | where EventID == 501\\n | extend EventData = parse_xml(EventData).EventData.Data\\n | where tostring(EventData[1]) contains \u0027identity/claims/name\u0027\\n | extend InstanceId = tostring(EventData[0])\\n | extend ClaimsName = tostring(EventData[2])\\n // Filter on the use of a specific AD FS user account\\n //| where ClaimsName contains adfsuser\\n)\\non $left.InstanceId == $right.InstanceId\\n| join kind=inner\\n(\\n SecurityEvent\\n | where EventID == 5156\\n | where Computer in~ (ADFS_Servers)\\n | extend EventData = parse_xml(EventData).EventData.Data\\n | mv-expand bagexpansion=array EventData\\n | evaluate bag_unpack(EventData)\\n | extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n | evaluate pivot(Key, any(Value), TimeGenerated, Computer, EventID)\\n | extend DestPort = column_ifexists(\\\"DestPort\\\", \\\"\\\"),\\n Direction = column_ifexists(\\\"Direction\\\", \\\"\\\"),\\n Application = column_ifexists(\\\"Application\\\", \\\"\\\"),\\n DestAddress = column_ifexists(\\\"DestAddress\\\", \\\"\\\"),\\n SourceAddress = column_ifexists(\\\"SourceAddress\\\", \\\"\\\"),\\n SourcePort = column_ifexists(\\\"SourcePort\\\", \\\"\\\")\\n // Look for inbound connections from endpoints on port 80\\n | where DestPort == 80 and Direction == \u0027%%14592\u0027 and Application == \u0027System\u0027\\n | where DestAddress !in (\u0027::1\u0027,\u00270:0:0:0:0:0:0:1\u0027) \\n)\\non $left.Computer == $right.Computer\\n| project TimeGenerated, Computer, ClaimsName, SourceAddress, SourcePort\\n| extend HostCustomEntity = Computer, AccountCustomEntity = ClaimsName, IPCustomEntity = SourceAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Collection\"],\"displayName\":\"AD FS Remote Auth Sync Connection\",\"description\":\"This detection uses Security events from the \\\"AD FS Auditing\\\" provider to detect suspicious authentication events on an AD FS server. The results then get\\ncorrelated with events from the Windows Filtering Platform (WFP) to detect suspicious incoming network traffic on port 80 on the AD FS server.\\nThis could be a sign of a threat actor trying to use replication services on the AD FS server to get its configuration settings and extract\\nsensitive information such as AD FS certificates.\\nIn order to use this query you need to enable AD FS auditing on the AD FS Server.\\nReference: https://twitter.com/OTR_Community/status/1387038995016732672\\n\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-04-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d992b87b-eb49-4a9d-aa96-baacf9d26247\",\"name\":\"d992b87b-eb49-4a9d-aa96-baacf9d26247\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let IPList = dynamic([\\\"185.63.90.137\\\"]); \\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\nlet sha256Hashes = \\ndynamic([\\\"53854c6d163bfd0c56d8b297ac43bd25c21f696de6063031241e792ee65df441\\\",\\n\\\"c297e545b8f150cc5ff56dbb68dc74fe30a421d9d40f38f4a53083192697c44c\\\",\\n\\\"17921368901f23e0cad0d2fe4ce5694aebaf4727699ed0358117500701914d1b\\\",\\n\\\"198a2d42df010d838b4207f478d885ef36e3db13b1744d673e221b828c28bf77\\\",\\n\\\"71d7b48c2fdc7b57b104a7858a35165bbed21d2fa7e34828d6c1d50b2b33a1d0\\\",\\n\\\"601227d52c6e367e11b80240183d07d38bc11a88e844e8401fce17eb25e92ba8\\\",\\n\\\"63ff04bed4fdb120a9cb9b1ea7fd88e83f12fb01ab6a057088f8016e663b48d4\\\",\\n\\\"a3037c3389b811bc1404f719af5c8b9034c5e24710cf3a0b457d28bf1b922cf7\\\",\\n\\\"e19b8be1b21c066d60725e550f8455f824065abbf1b43f7b2fe4fb338b241ffc\\\",\\n\\\"a3037c3389b811bc1404f719af5c8b9034c5e24710cf3a0b457d28bf1b922cf7\\\"\\n]);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList) \\n| project TimeGenerated, SourceIP, DestinationIP, Message, SourceUserID, RequestURL\\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", MessageIP in (IPList), \\\"Message\\\", \\\"NoMatch\\\")\\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, \\\"NoMatch\\\"), AccountCustomEntity = SourceUserID\\n),\\n(DeviceNetworkEvents\\n| where RemoteIP in (IPList) or InitiatingProcessSHA256 in (sha256Hashes) \\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort, LocalIP\\n| extend timestamp = TimeGenerated, DNSName = RemoteUrl, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName\\n),\\n(WindowsFirewall\\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| project TimeGenerated, Computer, CommunicationDirection, SourceIP, DestinationIP, SourcePort, DestinationPort\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\")\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| project TimeGenerated,Resource, msg_s\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost) \\n| where SourceHost in (IPList) or DestinationHost in (IPList)\\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost\\n),\\n(DeviceFileEvents\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RequestAccountName, RequestSourceIP, InitiatingProcessSHA256\\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n| where FileHash in (sha256Hashes)\\n),\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, SourceUserID, FileHash\\n| extend timestamp = TimeGenerated, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(DeviceEvents\\n| where InitiatingProcessSHA256 in~ (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256\\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(SecurityEvent\\n| where EventID == \u00274688\u0027\\n| where CommandLine has_any (IPList) \\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName\\n),\\n(WindowsEvent\\n| where EventID == \u00274688\u0027 and has_any_ipv4(EventData, toscalar(IPList)) \\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| where NewProcessName in (IPList) \\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| extend Account = strcat(EventData.SubjectDomainName,\\\"\\\\\\\\\\\", EventData.SubjectUserName)\\n| extend NewProcessId = tostring(EventData.NewProcessId)\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Alert for IOCs related to Windows/ELF malware - IP, Hash IOCs - September 2021\",\"description\":\"Identifies a match across various data feeds for IP,hashes and IOCs related to Windows/ELF malware published by Black Lotus Labs\\nReference: \\nhttps://blog.lumen.com/no-longer-just-theory-black-lotus-labs-uncovers-linux-executables-deployed-as-stealth-windows-loaders\\nhttps://github.com/ManuelBerrueta/YARA-rules/blob/master/BlackLotusLabs-WSLMalware/BLL_SneakyWSL.yar\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-09-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceFileEvents\",\"DeviceEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ce1e7025-866c-41f3-9b08-ec170e05e73e\",\"name\":\"ce1e7025-866c-41f3-9b08-ec170e05e73e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"let SunburstURL=dynamic([\\\"panhardware.com\\\",\\\"databasegalore.com\\\",\\\"avsvmcloud.com\\\",\\\"freescanonline.com\\\",\\\"thedoccloud.com\\\",\\\"deftsecurity.com\\\"]);\\nDeviceNetworkEvents\\n| where ActionType == \\\"ConnectionSuccess\\\"\\n| where RemoteUrl in(SunburstURL)\\n| extend\\n timestamp = TimeGenerated,\\n AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName),\\n HostCustomEntity = DeviceName,\\n FileHashCustomEntity = InitiatingProcessMD5, \\n HashAlgorithm = \u0027MD5\u0027,\\n URLCustomEntity = RemoteUrl,\\n IPCustomEntity = RemoteIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"HashAlgorithm\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Execution\",\"Persistence\",\"InitialAccess\"],\"displayName\":\"SUNBURST network beacons\",\"description\":\"Identifies SolarWinds SUNBURST domain beacon IOCs in DeviceNetworkEvents\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2020-12-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/baedfdf4-7cc8-45a1-81a9-065821628b83\",\"name\":\"baedfdf4-7cc8-45a1-81a9-065821628b83\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let runningRAT_parameters = dynamic([\u0027/ui/chk\u0027, \u0027mactok=\u0027, \u0027UsRnMe=\u0027, \u0027IlocalP=\u0027, \u0027kMnD=\u0027]);\\nCommonSecurityLog\\n| where RequestMethod == \\\"GET\\\"\\n| project TimeGenerated, DeviceVendor, DeviceProduct, DeviceAction, DestinationDnsDomain, DestinationIP, RequestURL, SourceIP, SourceHostName, RequestClientApplication\\n| where RequestURL has_any (runningRAT_parameters)\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DestinationIP\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"SourceHostName\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"RequestURL\"}]}],\"tactics\":[\"Exfiltration\",\"CommandAndControl\"],\"displayName\":\"RunningRAT request parameters\",\"description\":\"This detection will alert when RunningRAT URI parameters or paths are detect in an HTTP request. Id the device blocked this communication\\npresence of this alert means the RunningRAT implant is likely still executing on the source host.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2022-05-31T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4d8de9e6-263e-4845-8618-cd23a4f58b70\",\"name\":\"4d8de9e6-263e-4845-8618-cd23a4f58b70\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT3H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 3h;\\n// Add full UPN (user@domain.com) to Authorized Bypassers to ignore policy bypasses by certain authorized users\\nlet AuthorizedBypassers = dynamic([\u0027foo@baz.com\u0027, \u0027test@foo.com\u0027]);\\nlet historicBypassers = AzureDevOpsAuditing\\n| where TimeGenerated between (ago(starttime) .. ago(endtime))\\n| where OperationName == \u0027Git.RefUpdatePoliciesBypassed\u0027\\n| distinct ActorUPN;\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e= ago(endtime)\\n| where OperationName == \u0027Git.RefUpdatePoliciesBypassed\u0027\\n| where ActorUPN !in (historicBypassers) and ActorUPN !in (AuthorizedBypassers)\\n| parse ScopeDisplayName with OrganizationName \u0027(Organization)\u0027\\n| project TimeGenerated, ActorUPN, IpAddress, UserAgent, OrganizationName, ProjectName, RepoName = Data.RepoName, AlertDetails = Details, Branch = Data.Name, \\n BypassReason = Data.BypassReason, PRLink = strcat(\u0027https://dev.azure.com/\u0027, OrganizationName, \u0027/\u0027, ProjectName, \u0027/_git/\u0027, Data.RepoName, \u0027/pullrequest/\u0027, Data.PullRequestId)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Azure DevOps Pull Request Policy Bypassing - Historic allow list\",\"description\":\"This detection builds an allow list of historic PR policy bypasses and compares to recent history, flagging pull request bypasses that are not manually in the allow list and not historically included in the allow list.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2020-06-04T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/75bf9902-0789-47c1-a5d8-f57046aa72df\",\"name\":\"75bf9902-0789-47c1-a5d8-f57046aa72df\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let procList = externaldata(Process:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Microsoft_Lolbas_Execution_Binaries.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet ProcessCreationEvents=() {\\nlet processEvents=(union isfuzzy=true\\n(SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, NewProcessName,\\nFileName = Process, CommandLine, ParentProcessName\\n),\\n(WindowsEvent\\n| where EventID==4688 and EventData has_any (procList) and EventData has \\\":\\\\\\\\recycler\\\"\\n| extend CommandLine = tostring(EventData.CommandLine)\\n| where isnotempty(CommandLine)\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName) \\n| extend NewProcessName = tostring(EventData.NewProcessName) \\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, NewProcessName,\\nFileName = Process, CommandLine, ParentProcessName\\n));\\nprocessEvents};\\nProcessCreationEvents \\n| where FileName in~ (procList)\\n| where CommandLine contains \\\":\\\\\\\\recycler\\\"\\n| project StartTimeUtc = TimeGenerated, Computer, Account, NewProcessName, FileName, CommandLine, ParentProcessName\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Malware in the recycle bin\",\"description\":\"The query detects Windows binaries, that can be used for executing malware, that have been hidden in the recycle bin. \\n The list of these binaries are sourced from https://lolbas-project.github.io/\\n References: https://azure.microsoft.com/blog/how-azure-security-center-helps-reveal-a-cyberattack/.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2018-09-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e2399891-383c-4caf-ae67-68a008b9f89e\",\"name\":\"e2399891-383c-4caf-ae67-68a008b9f89e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let HAS_ANY_MAX = 10000;\\nlet dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet IP_TI=ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = coalesce(NetworkIP, NetworkDestinationIP, NetworkSourceIP,EmailSourceIpAddress,\\\"NO_IP\\\")\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where TI_ipEntity != \\\"NO_IP\\\";\\nlet IP_TI_list=toscalar(IP_TI | summarize NIoCs=dcount(TI_ipEntity), IoCs=make_set( TI_ipEntity)\\n | project IoCs=iff(NIoCs \u003e HAS_ANY_MAX, dynamic([]), IoCs));\\nIP_TI\\n // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n | join kind=innerunique \\n (\\n union \\n (\\n _Im_NetworkSession (starttime=ago(dt_lookBack), dstipaddr_has_any_prefix=IP_TI_list)\\n | where isnotempty(SrcIpAddr)\\n // renaming time column so it is clear the log this came from\\n | extend imNWS_TimeGenerated = TimeGenerated, IoCIP=DstIpAddr, IoCIPDirection=\u0027Destination\u0027\\n ),\\n (\\n _Im_NetworkSession (starttime=ago(dt_lookBack), srcipaddr_has_any_prefix=IP_TI_list)\\n | where isnotempty(DstIpAddr)\\n // renaming time column so it is clear the log this came from\\n | extend imNWS_TimeGenerated = TimeGenerated, IoCIP=SrcIpAddr, IoCIPDirection=\u0027Source\u0027\\n )\\n)on $left.TI_ipEntity == $right.IoCIP\\n| where imNWS_TimeGenerated \u003c ExpirationDateTime\\n| summarize imNWS_TimeGenerated = arg_max(imNWS_TimeGenerated , *) by IndicatorId, IoCIP, IoCIPDirection\\n| project imNWS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, Dvc, SrcIpAddr, DstIpAddr, IoCIPDirection, IoCIP\",\"customDetails\":{\"EventTime\":\"imNWS_TimeGenerated\",\"IoCDescription\":\"Description\",\"ActivityGroupNames\":\"ActivityGroupNames\",\"IndicatorId\":\"IndicatorId\",\"ThreatType\":\"ThreatType\",\"IoCExpirationTime\":\"ExpirationDateTime\",\"IoCConfidenceScore\":\"ConfidenceScore\",\"IoCIPDirection\":\"IoCIPDirection\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IoCIP\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"A network session {{IoCIPDirection}} address {{IoCIP}} matched an IoC.\",\"alertDescriptionFormat\":\"The {{IoCIPDirection}} address {{IoCIP}} of a network session matched a known indicator of compromise of {{ThreatType}}. Consult the threat intelligence blead for more information on the indicator.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"Impact\"],\"displayName\":\"(Preview) TI map IP entity to Network Session Events (ASIM Network Session schema)\",\"description\":\"This rule identifies a match Network Sessions for which the source of destination IP address is a known IoC. \u003cbr\u003e\u003cbr\u003e\\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema\",\"lastUpdatedDateUTC\":\"2022-04-27T00:00:00Z\",\"createdDateUTC\":\"2022-03-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8c2ef238-67a0-497d-b1dd-5c8a0f533e25\",\"name\":\"8c2ef238-67a0-497d-b1dd-5c8a0f533e25\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let EventNameList = dynamic([\\\"AuthorizeDBSecurityGroupIngress\\\",\\\"CreateDBSecurityGroup\\\",\\\"DeleteDBSecurityGroup\\\",\\\"RevokeDBSecurityGroupIngress\\\"]);\\nAWSCloudTrail\\n| where EventName in~ (EventNameList)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, UserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion, EventSource, AdditionalEventData, ResponseElements\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Changes to internet facing AWS RDS Database instances\",\"description\":\"Amazon Relational Database Service (RDS) is scalable relational database in the cloud. \\nIf your organization have one or more AWS RDS Databases running, monitoring changes to especially internet facing AWS RDS (Relational Database Service) \\nOnce alerts triggered, validate if changes observed are authorized and adhere to change control policy. \\nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255\\nand RDS API Reference Docs: https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_Operations.html\",\"lastUpdatedDateUTC\":\"2021-11-28T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6ee72a9e-2e54-459c-bc9a-9c09a6502a63\",\"name\":\"6ee72a9e-2e54-459c-bc9a-9c09a6502a63\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.1\",\"severity\":\"High\",\"query\":\"let IPList = dynamic([\\\"216.24.185.74\\\", \\\"107.175.189.159\\\", \\\"192.210.132.102\\\", \\\"67.230.163.214\\\", \\n \\\"199.19.110.240\\\", \\\"107.148.130.176\\\", \\\"154.212.129.218\\\", \\\"172.86.75.54\\\", \\\"45.61.136.199\\\", \\n \\\"149.28.150.195\\\", \\\"108.61.214.194\\\", \\\"144.202.98.198\\\", \\\"149.28.84.98\\\", \\\"103.99.209.78\\\", \\n \\\"45.61.136.2\\\", \\\"176.122.162.149\\\", \\\"192.3.80.245\\\", \\\"149.28.23.32\\\", \\\"107.182.18.149\\\", \\\"107.174.45.134\\\", \\n \\\"149.248.18.104\\\", \\\"65.49.192.74\\\", \\\"156.255.2.154\\\", \\\"45.76.6.149\\\", \\\"8.9.11.130\\\", \\\"140.238.27.255\\\", \\n \\\"107.182.24.70\\\", \\\"176.122.188.254\\\", \\\"192.161.161.108\\\", \\\"64.64.234.24\\\", \\\"104.224.185.36\\\", \\n \\\"104.233.224.227\\\", \\\"104.36.69.105\\\", \\\"119.28.139.120\\\", \\\"161.117.39.130\\\", \\\"66.42.100.42\\\", \\\"45.76.31.159\\\", \\n \\\"149.248.8.134\\\", \\\"216.24.182.48\\\", \\\"66.42.103.222\\\", \\\"218.89.236.11\\\", \\\"180.150.227.249\\\", \\\"47.75.80.23\\\",\\n \\\"124.156.164.19\\\", \\\"149.248.62.83\\\", \\\"150.109.76.174\\\", \\\"222.209.187.207\\\", \\\"218.38.191.38\\\", \\n \\\"119.28.226.59\\\", \\\"66.42.98.220\\\", \\\"74.82.201.8\\\", \\\"173.242.122.198\\\", \\\"45.32.130.72\\\", \\\"89.35.178.10\\\", \\n \\\"89.43.60.113\\\"]); \\n(union isfuzzy=true \\n(CommonSecurityLog \\n| where isnotempty(SourceIP) or isnotempty(DestinationIP) \\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList) \\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"Message\\\") \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch \\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\") \\n), \\n(OfficeActivity \\n|extend SourceIPAddress = ClientIP, Account = UserId \\n| where SourceIPAddress in (IPList) \\n| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account \\n),\\n(_Im_Dns (response_has_any_prefix=IPList)\\n| extend DestinationIPAddress = ResponseName, Host = SrcIpAddr \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host \\n), \\n(_Im_NetworkSession (srcipaddr_has_any_prefix=IPList)\\n | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Hostname, AccountCustomEntity=User\\n), \\n(_Im_NetworkSession (dstipaddr_has_any_prefix=IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = DstIpAddr, HostCustomEntity = Hostname , AccountCustomEntity = User\\n), \\n(WireData \\n| where isnotempty(RemoteIP) \\n| where RemoteIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer \\n), \\n(SigninLogs \\n| where isnotempty(IPAddress) \\n| where IPAddress in (IPList) \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \\n),\\n(AADNonInteractiveUserSignInLogs \\n| where isnotempty(IPAddress) \\n| where IPAddress in (IPList) \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \\n), \\n(W3CIISLog \\n| where isnotempty(cIP) \\n| where cIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName \\n), \\n(AzureActivity \\n| where isnotempty(CallerIpAddress) \\n| where CallerIpAddress in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller \\n), \\n( \\nAWSCloudTrail \\n| where isnotempty(SourceIpAddress) \\n| where SourceIpAddress in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName \\n), \\n( \\nDeviceNetworkEvents \\n| where isnotempty(RemoteIP) \\n| where RemoteIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName \\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallNetworkRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Known Barium IP\",\"description\":\"Identifies a match across various data feeds for IP IOCs related to the Barium activity group. \\n References: https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer\u0027 \",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2020-11-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AzureMonitor(WireData)\",\"dataTypes\":[\"WireData\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/595a10c9-91be-4abb-bbc7-ae9c57848bef\",\"name\":\"595a10c9-91be-4abb-bbc7-ae9c57848bef\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Low\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ChiaCryptoIOC.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet process = (iocs | where Type =~ \\\"process\\\" | project IoC);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\nlet IPList = (iocs | where Type =~ \\\"ip\\\"| project IoC);\\nlet domains = (iocs | where Type =~ \\\"domainname\\\"| project IoC);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\n//This query uses sysmon data, sections that have - | where Source == \\\"Microsoft-Windows-Sysmon\\\" - may need to be updated with latest\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or DestinationHostName has_any (domains) or RequestURL has_any (domains) or Message has_any (IPList)\\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| project TimeGenerated, SourceIP, DestinationIP, Message, SourceUserID, RequestURL, DNSName, Type\\n| extend MessageIP = extract(IPRegex, 0, Message), RequestIP = extract(IPRegex, 0, RequestURL)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", RequestURL has_any (domains), \\\"RequestUrl\\\", \\\"NoMatch\\\"), AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, IPEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, \\\"NoMatch\\\"), Account = SourceUserID\\n),\\n(DnsEvents\\n| where IPAddresses in (IPList) or Name in~ (domains) \\n| project TimeGenerated, Computer, IPAddresses, Name, ClientIP, Type\\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Computer , AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, IPEntity = DestinationIPAddress\\n),\\n(VMConnection\\n| where SourceIp in (IPList) or DestinationIp in (IPList) or RemoteDnsCanonicalNames has_any (domains)\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| project TimeGenerated, Computer, Direction, ProcessName, SourceIp, DestinationIp, DestinationPort, RemoteDnsQuestions, DNSName,BytesSent, BytesReceived, RemoteCountry, Type\\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", \\\"None\\\") , AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, IPEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"NoMatch\\\"), File = ProcessName\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = tostring(EventDetail.[9].[\\\"#text\\\"]), DestinationIP = tostring(EventDetail.[14].[\\\"#text\\\"]), Image = tostring(EventDetail.[4].[\\\"#text\\\"])\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Image has_any (process)\\n| project TimeGenerated, SourceIP, DestinationIP, Image, Account = UserName, Computer, Type\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\") , AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, File = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), IPEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n| extend FilePath = replace_string(Image, File, \u0027\u0027)\\n), \\n(OfficeActivity\\n| where ClientIP in (IPList) \\n| project TimeGenerated, UserAgent, Operation, RecordType, UserId, ClientIP, AlertDetail = \u0027Chia crypto IOC detected\u0027, Type\\n| extend timestamp = TimeGenerated, IPEntity = ClientIP, Account = UserId\\n),\\n(DeviceNetworkEvents\\n| where RemoteUrl has_any (domains) or RemoteIP in (IPList) or InitiatingProcessSHA256 in (sha256Hashes) or InitiatingProcessFileName has_any (process)\\n| project TimeGenerated, ActionType, DeviceId, Computer = DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort, LocalIP, Type\\n| extend timestamp = TimeGenerated, IPEntity = RemoteIP, AlertDetail = \u0027Chia crypto IOC detected\u0027\\n),\\n(WindowsFirewall\\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| project TimeGenerated, Computer, CommunicationDirection, SourceIP, DestinationIP, SourcePort, DestinationPort, Type\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\"), AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, Computer, IPEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| project TimeGenerated,Resource, msg_s, Type\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where Request_Name has_any (domains) or ClientIP in (IPList)\\n| extend timestamp = TimeGenerated, DNSName = Request_Name, IPEntity = ClientIP, AlertDetail = \u0027Chia crypto IOC detected\u0027\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| project TimeGenerated,Resource, msg_s, Type\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (domains) \\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPEntity = SourceHost, AlertDetail = \u0027Chia crypto IOC detected\u0027\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| where EventDetail has_any (sha256Hashes) \\n| parse EventDetail with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256\\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = SHA256, Image = tostring(EventDetail.[4].[\\\"#text\\\"]), AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, Computer, Account, File = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), FileHashAlgo = \u0027SHA256\u0027\\n| extend FilePath = replace_string(Image, File, \u0027\u0027)\\n),\\n(DeviceFileEvents\\n| where InitiatingProcessFolderPath has_any (process)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RequestAccountName, RequestSourceIP, InitiatingProcessSHA256, Type\\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, Computer, Account, File = InitiatingProcessFileName, FileHashAlgo = \u0027SHA256\u0027\\n| extend FilePath = replace_string(InitiatingProcessFolderPath, File, \u0027\u0027)\\n),\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, SourceUserID, FileHash, Type\\n| extend timestamp = TimeGenerated, AlertDetail = \u0027Chia crypto IOC detected\u0027, FileHashAlgo = \u0027SHA256\u0027, Account = SourceUserID\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| project TimeGenerated, EventDetail, UserName, Computer, Type\\n| extend Image = tostring(EventDetail.[4].[\\\"#text\\\"]), CommandLine = tostring(EventDetail.[10].[\\\"#text\\\"]), Account = UserName, FileHash = tostring(EventDetail.[17].[\\\"#text\\\"]), AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| where Image has_any (process)\\n| extend timestamp = TimeGenerated, Computer, Account, File = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), FileHashAlgo = \u0027SHA256\u0027\\n| extend FilePath= replace_string(Image, File, \u0027\u0027)\\n),\\n(DeviceEvents\\n| where InitiatingProcessFileName has_any (process) or InitiatingProcessSHA256 in~ (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath, AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, Computer, Account, File = InitiatingProcessFileName, FileHashAlgo = \u0027SHA256\u0027\\n| extend FilePath = replace_string(InitiatingProcessFolderPath, File, \u0027\u0027)\\n),\\n(SecurityEvent\\n| where EventID == \u00274688\u0027\\n| where NewProcessName has_any (process)\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type\\n| extend timestamp = TimeGenerated, Computer, Account, File = tostring(split(NewProcessName, \u0027\\\\\\\\\u0027, -1)[-1]), AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend FilePath = replace_string(NewProcessName, File, \u0027\u0027)\\n)\\n)\\n| extend AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPEntity, FileCustomEntity = File, FilePathCustomEntity = FilePath, FileHashCustomEntity = FileHash\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"FileCustomEntity\"},{\"identifier\":\"Directory\",\"columnName\":\"FilePathCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashAlgo\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Chia_Crypto_Mining - Domain, Process, Hash and IP IOCs - June 2021\",\"description\":\"Identifies a match across various data feeds for domains, process, hashes and IP IOC related to Chia cryptocurrency farming/plotting activity.\",\"lastUpdatedDateUTC\":\"2021-12-08T00:00:00Z\",\"createdDateUTC\":\"2021-06-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceFileEvents\",\"DeviceEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/dd0a6029-ecef-4507-89c4-fc355ac52111\",\"name\":\"dd0a6029-ecef-4507-89c4-fc355ac52111\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.0\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation of extracted domains\\nlet list_tlds = ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e ago(ioc_lookBack)\\n| where isnotempty(DomainName)\\n| extend DomainName = tolower(DomainName)\\n| extend parts = split(DomainName, \u0027.\u0027)\\n| extend tld = parts[(array_length(parts)-1)]\\n| summarize count() by tostring(tld)\\n| summarize make_list(tld);\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(DomainName)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n CommonSecurityLog\\n | extend IngestionTime = ingestion_time()\\n | where IngestionTime \u003e ago(dt_lookBack)\\n | where DeviceEventClassID =~ \u0027url\u0027\\n //Uncomment the line below to only alert on allowed connections\\n //| where DeviceAction !~ \\\"block-url\\\"\\n //Extract domain from RequestURL, if not present extarct it from AdditionalExtentions\\n | extend PA_Url = columnifexists(\\\"RequestURL\\\", \\\"None\\\")\\n | extend PA_Url = iif(isempty(PA_Url) and AdditionalExtensions !startswith \\\"PanOS\\\", extract(\\\"([^\\\\\\\"]+)\\\", 1, tolower(AdditionalExtensions)), trim(\u0027\\\"\u0027, PA_Url))\\n | extend PA_Url = iif(PA_Url !startswith \\\"http://\\\" and ApplicationProtocol !~ \\\"ssl\\\", strcat(\u0027http://\u0027, PA_Url), iif(PA_Url !startswith \\\"https://\\\" and ApplicationProtocol =~ \\\"ssl\\\", strcat(\u0027https://\u0027, PA_Url), PA_Url))\\n | extend Domain = trim(@\\\"\\\"\\\"\\\",tostring(parse_url(PA_Url).Host))\\n | where isnotempty(Domain)\\n | extend Domain = tolower(Domain)\\n | extend parts = split(Domain, \u0027.\u0027)\\n //Split out the TLD for the purpose of checking if we have any TI indicators with this TLD to match on\\n | extend tld = parts[(array_length(parts)-1)]\\n //Validate parsed domain by checking TLD against TLDs from threat feed and drop domains where there is no chance of a match\\n | where tld in~ (list_tlds)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n ) on $left.DomainName==$right.Domain\\n| where CommonSecurityLog_TimeGenerated \u003c ExpirationDateTime\\n| summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, FileHashValue\\n| project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, PA_Url, Domain, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DeviceAction, DestinationIP, DestinationPort, DeviceName, SourceIP, SourcePort, ApplicationProtocol, RequestMethod\\n| extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, URLCustomEntity = PA_Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map Domain entity to CommonSecurityLog\",\"description\":\"Identifies a match in CommonSecurityLog table from any Domain IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6c360107-f3ee-4b91-9f43-f4cfd90441cf\",\"name\":\"6c360107-f3ee-4b91-9f43-f4cfd90441cf\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Low\",\"query\":\"union isfuzzy=true \\n(\\n SecurityEvent\\n | where EventID == 4738\\n // 2089 value indicates the Don\u0027t Expire Password value has been set\\n | where UserAccountControl has \\\"%%2089\\\" \\n | extend Value_2089 = iff(UserAccountControl has \\\"%%2089\\\",\\\"\u0027Don\u0027t Expire Password\u0027 - Enabled\\\", \\\"Not Changed\\\")\\n // 2050 indicates that the Password Not Required value is NOT set, this often shows up at the same time as a 2089 and is the recommended value. This value may not be in the event. \\n | extend Value_2050 = iff(UserAccountControl has \\\"%%2050\\\",\\\"\u0027Password Not Required\u0027 - Disabled\\\", \\\"Not Changed\\\")\\n // If value %%2082 is present in the 4738 event, this indicates the account has been configured to logon WITHOUT a password. Generally you should only see this value when an account is created and only in Event 4720: Account Creation Event. \\n | extend Value_2082 = iff(UserAccountControl has \\\"%%2082\\\",\\\"\u0027Password Not Required\u0027 - Enabled\\\", \\\"Not Changed\\\")\\n | project StartTime = TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetSid, AccountType, UserAccountControl, Value_2089, Value_2050, Value_2082, SubjectAccount\\n | extend timestamp = StartTime, AccountCustomEntity = TargetAccount, HostCustomEntity = Computer\\n ),\\n (\\n WindowsEvent\\n | where EventID == 4738 and EventData has \u00272089\u0027\\n // 2089 value indicates the Don\u0027t Expire Password value has been set\\n | extend UserAccountControl = tostring(EventData.UserAccountControl)\\n | where UserAccountControl has \\\"%%2089\\\" \\n | extend Value_2089 = iff(UserAccountControl has \\\"%%2089\\\",\\\"\u0027Don\u0027t Expire Password\u0027 - Enabled\\\", \\\"Not Changed\\\")\\n // 2050 indicates that the Password Not Required value is NOT set, this often shows up at the same time as a 2089 and is the recommended value. This value may not be in the event. \\n | extend Value_2050 = iff(UserAccountControl has \\\"%%2050\\\",\\\"\u0027Password Not Required\u0027 - Disabled\\\", \\\"Not Changed\\\")\\n // If value %%2082 is present in the 4738 event, this indicates the account has been configured to logon WITHOUT a password. Generally you should only see this value when an account is created and only in Event 4720: Account Creation Event. \\n | extend Value_2082 = iff(UserAccountControl has \\\"%%2082\\\",\\\"\u0027Password Not Required\u0027 - Enabled\\\", \\\"Not Changed\\\")\\n | extend Activity=\\\"4738 - A user account was changed.\\\"\\n | extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n | extend TargetSid = tostring(EventData.TargetSid)\\n | extend SubjectAccount = strcat(EventData.SubjectDomainName,\\\"\\\\\\\\\\\", EventData.SubjectUserName)\\n | extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n | extend AccountType=case(SubjectAccount endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n | project StartTime = TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetSid, AccountType, UserAccountControl, Value_2089, Value_2050, Value_2082, SubjectAccount\\n | extend timestamp = StartTime, AccountCustomEntity = TargetAccount, HostCustomEntity = Computer\\n )\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"Sid\",\"columnName\":\"TargetSid\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"AD account with Don\u0027t Expire Password\",\"description\":\"Identifies whenever a user account has the setting \\\"Password Never Expires\\\" in the user account properties selected.\\nThis is indicated in Security event 4738 in the EventData item labeled UserAccountControl with an included value of %%2089.\\n%%2089 resolves to \\\"Don\u0027t Expire Password - Enabled\\\".\",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2019-01-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4e8238bd-ff4f-4126-a9f6-09b3b6801b3d\",\"name\":\"4e8238bd-ff4f-4126-a9f6-09b3b6801b3d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"AzureDevOpsAuditing\\n| where OperationName =~ \\\"AuditLog.StreamDisabledByUser\\\"\\n| extend StreamType = tostring(Data.ConsumerType)\\n| project-reorder TimeGenerated, Details, ActorUPN, IpAddress, UserAgent, StreamType\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure DevOps Audit Stream Disabled\",\"description\":\"Azure DevOps allow for audit logs to be streamed to external storage solutions such as SIEM solutions. An attacker looking to hide malicious Azure DevOps activity from defenders may look to disable data streams \\nbefore conducting activity and then re-enabling the stream after (so as not to raise data threshold-based alarms). Looking for disabled audit streams can identify this activity, and due to the nature of the action \\nits unlikely to have a high false positive rate.\",\"lastUpdatedDateUTC\":\"2022-01-17T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e2559891-383c-4caf-ae67-55a008b9f89e\",\"name\":\"e2559891-383c-4caf-ae67-55a008b9f89e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let HAS_ANY_MAX = 10000;\\nlet dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet IP_TI=ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = coalesce(NetworkIP, NetworkDestinationIP, NetworkSourceIP,EmailSourceIpAddress,\\\"NO_IP\\\")\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where TI_ipEntity != \\\"NO_IP\\\";\\nlet IP_TI_list=toscalar(IP_TI | summarize NIoCs= dcount(TI_ipEntity), IoCs=make_set(TI_ipEntity) \\n | project IoCs=iff(NIoCs \u003e HAS_ANY_MAX, dynamic([]), IoCs ) );\\nIP_TI\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n _Im_WebSession (starttime=ago(dt_lookBack), srcipaddr_has_any_prefix=IP_TI_list)\\n | where isnotempty(SrcIpAddr)\\n // renaming time column so it is clear the log this came from\\n | extend imNWS_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.SrcIpAddr\\n| where imNWS_TimeGenerated \u003c ExpirationDateTime\\n| summarize imNWS_TimeGenerated = arg_max(imNWS_TimeGenerated , *) by IndicatorId, DstIpAddr\\n| project imNWS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, Dvc, SrcIpAddr, DstIpAddr\",\"customDetails\":{\"EventTime\":\"imNWS_TimeGenerated\",\"IoCDescription\":\"Description\",\"ActivityGroupNames\":\"ActivityGroupNames\",\"IndicatorId\":\"IndicatorId\",\"ThreatType\":\"ThreatType\",\"IoCExpirationTime\":\"ExpirationDateTime\",\"IoCConfidenceScore\":\"ConfidenceScore\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DstIpAddr\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"The IP {{SrcIpAddr}} of a web request to hostname {{domain}} matched an IoC\",\"alertDescriptionFormat\":\"The source address {{SrcIpAddr}} of a web request for URL {{Url}} matched a known indicator of compromise of {{ThreatType}}. Consult the threat intelligence blead for more information on the indicator.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"Impact\"],\"displayName\":\"(Preview) TI map IP entity to Web Session Events (ASIM Web Session schema)\",\"description\":\"This rule identifies Web Sessions for which the source IP address is a known IoC. \u003cbr\u003e\u003cbr\u003eThis rule uses the [Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) and supports any web session source that complies with ASIM.\",\"lastUpdatedDateUTC\":\"2022-03-15T00:00:00Z\",\"createdDateUTC\":\"2022-03-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c7bfadd4-34a6-4fa5-82f8-3691a32261e8\",\"name\":\"c7bfadd4-34a6-4fa5-82f8-3691a32261e8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let EventNameList = dynamic([\\\"ApplySecurityGroupsToLoadBalancer\\\", \\\"SetSecurityGroups\\\"]);\\nAWSCloudTrail\\n| where EventName in~ (EventNameList)\\n| extend User = iif(isnotempty(UserIdentityUserName), UserIdentityUserName, SessionIssuerUserName)\\n| summarize EventCount=count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) \\nby EventSource, EventName, UserIdentityType, User, SourceIpAddress, UserAgent, SessionMfaAuthenticated, AWSRegion,\\nAdditionalEventData, UserIdentityAccountId, UserIdentityPrincipalid, ResponseElements\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User , IPCustomEntity = SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Changes to AWS Elastic Load Balancer security groups\",\"description\":\"Elastic Load Balancer distributes incoming traffic across multiple instances in multiple availability Zones. This increases the fault tolerance of your applications. \\n Unwanted changes to Elastic Load Balancer specific security groups could open your environment to attack and hence needs monitoring.\\n More information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255 \\n and https://aws.amazon.com/elasticloadbalancing/.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bdf04f58-242b-4729-b376-577c4bdf5d3a\",\"name\":\"bdf04f58-242b-4729-b376-577c4bdf5d3a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"imProcessCreate\\n| where Process hassuffix \u0027rundll32.exe\u0027\\n| where CommandLine has_any (\u0027Execute\u0027,\u0027RegRead\u0027,\u0027window.close\u0027)\\n| project TimeGenerated, Dvc, User, Process, CommandLine, ActingProcessName, EventVendor, EventProduct\\n| extend timestamp = TimeGenerated, HostCustomEntity = Dvc, AccountCustomEntity = User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"NOBELIUM - suspicious rundll32.exe execution of vbscript (Normalized Process Events)\",\"description\":\"This query idenifies when rundll32.exe executes a specific set of inline VBScript commands\\nReferences: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimProcessEvent)\",\"lastUpdatedDateUTC\":\"2022-02-14T00:00:00Z\",\"createdDateUTC\":\"2021-03-03T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f30a47c1-65fb-42b1-a7f4-00941c12550b\",\"name\":\"f30a47c1-65fb-42b1-a7f4-00941c12550b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.2\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(Url)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n SecurityAlert\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | extend MSTI = case(AlertName has \\\"TI map\\\" and VendorName == \\\"Microsoft\\\" and ProductName == \u0027Azure Sentinel\u0027, true, false)\\n | where MSTI == false\\n // Extract URL from JSON data\\n | extend Url = extract(\\\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.\u0026+]|[!*\\\\\\\\(\\\\\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+)\\\", 1,Entities)\\n // We only want alerts that actually contain URL data\\n | where isnotempty(Url)\\n // Extract hostname from JSON data for entity mapping\\n | extend Compromised_Host = tostring(parse_json(ExtendedProperties).[\\\"Compromised Host\\\"])\\n | extend Alert_TimeGenerated = TimeGenerated\\n) on Url\\n| where Alert_TimeGenerated \u003c ExpirationDateTime\\n| summarize Alert_TimeGenerated = arg_max(Alert_TimeGenerated, *) by IndicatorId, AlertName\\n| project Alert_TimeGenerated, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, AlertName, AlertSeverity, Description, Url, Compromised_Host\\n| extend timestamp = Alert_TimeGenerated, HostCustomEntity = Compromised_Host, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map URL entity to SecurityAlert data\",\"description\":\"Identifies a match in SecurityAlert data from any URL IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftCloudAppSecurity\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/80da0a8f-cfe1-4cd0-a895-8bc1771a720e\",\"name\":\"80da0a8f-cfe1-4cd0-a895-8bc1771a720e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"(union isfuzzy=true\\n(\\nSecurityEvent\\n| where EventID == 1102 and EventSourceName == \\\"Microsoft-Windows-Eventlog\\\" \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), EventCount = count() by Computer, Account, EventID, Activity\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(\\nWindowsEvent\\n| where EventID == 1102 and Provider == \\\"Microsoft-Windows-Eventlog\\\" \\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend Activity= \\\"1102 - The audit log was cleared.\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), EventCount = count() by Computer, Account, EventID, Activity\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Security Event log cleared\",\"description\":\"Checks for event id 1102 which indicates the security event log was cleared. \\nIt uses Event Source Name \\\"Microsoft-Windows-Eventlog\\\" to avoid generating false positives from other sources, like AD FS servers for instance.\",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2019-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/36a9c9e5-3dc1-4ed9-afaa-1d13617bfc2b\",\"name\":\"36a9c9e5-3dc1-4ed9-afaa-1d13617bfc2b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.2\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(Url)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n OfficeActivity\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n //Extract the Url from a number of potential fields\\n | extend Url = iif(OfficeWorkload == \\\"AzureActiveDirectory\\\",extract(\\\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.\u0026+]|[!*\\\\\\\\(\\\\\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+);\\\", 1,ModifiedProperties),tostring(parse_json(ModifiedProperties)[12].NewValue))\\n | where isnotempty(Url)\\n // Ensure we get a clean URL\\n | extend Url = tostring(split(Url, \u0027;\u0027)[0])\\n | extend OfficeActivity_TimeGenerated = TimeGenerated\\n // Project a single user identity that we can use for entity mapping\\n | extend User = iif(isnotempty(UserId), UserId, iif(isnotempty(Actor), tostring(parse_json(Actor)[0].ID), tostring(parse_json(Parameters)[0].Value)))\\n) on Url\\n| where OfficeActivity_TimeGenerated \u003c ExpirationDateTime\\n| summarize OfficeActivity_TimeGenerated = arg_max(OfficeActivity_TimeGenerated, *) by IndicatorId, Url\\n| project OfficeActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Operation, \\nUserType, OfficeWorkload, Parameters, Url, User\\n| extend timestamp = OfficeActivity_TimeGenerated, AccountCustomEntity = User, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map URL entity to OfficeActivity data\",\"description\":\"Identifies a match in OfficeActivity data from any URL IOC from TI\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f0be259a-34ac-4946-aa15-ca2b115d5feb\",\"name\":\"f0be259a-34ac-4946-aa15-ca2b115d5feb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P2D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"let starttime = 2d;\\nlet endtime = 1d;\\nlet TimeDeltaThreshold = 25;\\nlet TotalEventsThreshold = 30;\\nlet MostFrequentTimeDeltaThreshold = 25;\\nlet PercentBeaconThreshold = 80;\\nCommonSecurityLog\\n| where DeviceVendor == \\\"Palo Alto Networks\\\" and Activity == \\\"TRAFFIC\\\"\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where ipv4_is_private(DestinationIP)== false\\n| project TimeGenerated, DeviceName, SourceUserID, SourceIP, SourcePort, DestinationIP, DestinationPort, ReceivedBytes, SentBytes\\n| sort by SourceIP asc,TimeGenerated asc, DestinationIP asc, DestinationPort asc\\n| serialize\\n| extend nextTimeGenerated = next(TimeGenerated, 1), nextSourceIP = next(SourceIP, 1)\\n| extend TimeDeltainSeconds = datetime_diff(\u0027second\u0027,nextTimeGenerated,TimeGenerated)\\n| where SourceIP == nextSourceIP\\n//Whitelisting criteria/ threshold criteria\\n| where TimeDeltainSeconds \u003e TimeDeltaThreshold \\n| summarize count(), sum(ReceivedBytes), sum(SentBytes)\\nby TimeDeltainSeconds, bin(TimeGenerated, 1h), DeviceName, SourceUserID, SourceIP, DestinationIP, DestinationPort\\n| summarize (MostFrequentTimeDeltaCount, MostFrequentTimeDeltainSeconds) = arg_max(count_, TimeDeltainSeconds), TotalEvents=sum(count_), TotalSentBytes = sum(sum_SentBytes), TotalReceivedBytes = sum(sum_ReceivedBytes) \\nby bin(TimeGenerated, 1h), DeviceName, SourceUserID, SourceIP, DestinationIP, DestinationPort\\n| where TotalEvents \u003e TotalEventsThreshold and MostFrequentTimeDeltaCount \u003e MostFrequentTimeDeltaThreshold\\n| extend BeaconPercent = MostFrequentTimeDeltaCount/toreal(TotalEvents) * 100\\n| where BeaconPercent \u003e PercentBeaconThreshold\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIP, AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Palo Alto - potential beaconing detected\",\"description\":\"Identifies beaconing patterns from Palo Alto Network traffic logs based on recurrent timedelta patterns. \\nThe query leverages various KQL functions to calculate time deltas and then compares it with total events observed in a day to find percentage of beaconing. \\nThis outbound beaconing pattern to untrusted public networks should be investigated for any malware callbacks or data exfiltration attempts.\\nReference Blog:\\nhttp://www.austintaylor.io/detect/beaconing/intrusion/detection/system/command/control/flare/elastic/stack/2017/06/10/detect-beaconing-with-flare-elasticsearch-and-intrusion-detection-systems/\\nhttps://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/detect-network-beaconing-via-intra-request-time-delta-patterns/ba-p/779586\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2019-05-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/14f6da04-2f96-44ee-9210-9ccc1be6401e\",\"name\":\"14f6da04-2f96-44ee-9210-9ccc1be6401e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"AuditLogs\\n| where Category =~ \\\"RoleManagement\\\"\\n| where OperationName has \\\"Add member to role outside of PIM\\\"\\n or (LoggedByService == \\\"Core Directory\\\" and OperationName == \\\"Add member to role\\\" and Identity != \\\"MS-PIM\\\")\\n| extend AccountCustomEntity = tostring(TargetResources[0].userPrincipalName), IPCustomEntity = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"NRT Privileged Role Assigned Outside PIM\",\"description\":\"Identifies a privileged role being assigned to a user outside of PIM\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1\",\"lastUpdatedDateUTC\":\"2022-04-22T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f6502545-ae3a-4232-a8b0-79d87e5c98d7\",\"name\":\"f6502545-ae3a-4232-a8b0-79d87e5c98d7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"Event\\n| where EventLog == \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID in (13)\\n| parse EventData with * \u0027TargetObject\\\"\u003e\u0027 TargetObject \\\"\u003c\\\" * \u0027Details\\\"\u003e\u0027 Details \\\"\u003c\\\" * \\n| where TargetObject==\\\"HKLM\\\\\\\\System\\\\\\\\CurrentControlSet\\\\\\\\Control\\\\\\\\SecurityProviders\\\\\\\\WDigest\\\\\\\\UseLogonCredential\\\" and Details !=\\\"DWORD (0x00000000)\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventID, Computer, TargetObject, Details\",\"entityMappings\":[{\"entityType\":\"RegistryKey\",\"fieldMappings\":[{\"identifier\":\"Key\",\"columnName\":\"TargetObject\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"WDigest downgrade attack\",\"description\":\"When the WDigest Authentication protocol is enabled, plain text passwords are stored in the Local Security Authority Subsystem Service (LSASS) exposing them to theft. This setting will prevent WDigest from storing credentials in memory.\\nRef: https://www.stigviewer.com/stig/windows_7/2016-12-19/finding/V-72753\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2022-03-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b725d62c-eb77-42ff-96f6-bdc6745fc6e0\",\"name\":\"b725d62c-eb77-42ff-96f6-bdc6745fc6e0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nlet UserAgentAll =\\n(union isfuzzy=true\\n(OfficeActivity\\n| where TimeGenerated \u003e= ago(starttime)\\n| where isnotempty(UserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = ClientIP, Account = UserId, Type, RecordType, Operation\\n),\\n(\\nW3CIISLog\\n| where TimeGenerated \u003e= ago(starttime)\\n| where isnotempty(csUserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent = csUserAgent, SourceIP = cIP, Account = csUserName, Type, sSiteName, csMethod, csUriStem\\n),\\n(\\nAWSCloudTrail\\n| where TimeGenerated \u003e= ago(starttime)\\n| where isnotempty(UserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = SourceIpAddress, Account = UserIdentityUserName, Type, EventSource, EventName\\n))\\n// remove wordSize blocks of non-numeric hex characters prior to word extraction\\n| extend UserAgentNoHexAlphas = replace(\\\"([A-Fa-f]{4,})\\\", \\\"x\\\", UserAgent)\\n// once blocks of hex chars are removed, extract wordSize blocks of a-z\\n| extend Tokens = extract_all(\\\"([A-Za-z]{4,})\\\", UserAgentNoHexAlphas)\\n// concatenate extracted words to create a summarized user agent for baseline and comparison\\n| extend NormalizedUserAgent = strcat_array(Tokens, \\\"|\\\")\\n| project-away UserAgentNoHexAlphas, Tokens;\\nUserAgentAll\\n| where StartTime \u003e= ago(endtime)\\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), count() by UserAgent, NormalizedUserAgent, SourceIP, Account, Type, RecordType, Operation, EventSource, EventName, sSiteName, csMethod, csUriStem\\n| join kind=leftanti\\n(\\nUserAgentAll\\n| where StartTime \u003c ago(endtime)\\n| summarize by NormalizedUserAgent, SourceIP, Account, Type, RecordType, Operation, EventSource, EventName, sSiteName, csMethod, csUriStem\\n)\\non NormalizedUserAgent\\n| extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"CommandAndControl\",\"Execution\"],\"displayName\":\"New UserAgent observed in last 24 hours\",\"description\":\"Identifies new UserAgents observed in the last 24 hours versus the previous 14 days. This detection\\nextracts words from user agents to build the baseline and determine rareity rather than perform a\\ndirect comparison. This avoids FPs caused by version numbers and other high entropy user agent components.\\nThese new UserAgents could be benign. However, in normally stable environments,\\nthese new UserAgents could provide a starting point for investigating malicious activity.\\nNote: W3CIISLog can be noisy depending on the environment, however OfficeActivity and AWSCloudTrail are\\nusually stable with low numbers of detections.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-04-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/155e9134-d5ad-4a6f-88f3-99c220040b66\",\"name\":\"155e9134-d5ad-4a6f-88f3-99c220040b66\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"// Set the lookback to determine if user has created pipelines before\\nlet timeback = 14d;\\n// Set the period for detections\\nlet timeframe = 1d;\\n// Get a list of previous Release Pipeline creators to exclude\\nlet releaseusers = AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeback) and TimeGenerated \u003c ago(timeframe)\\n| where OperationName in (\\\"Release.ReleasePipelineCreated\\\", \\\"Release.ReleasePipelineModified\\\")\\n// We want to look for users performing actions in specific projects so we create this userscope object to match on\\n| extend UserScope = strcat(ActorUserId, \\\"-\\\", ProjectName)\\n| summarize by UserScope;\\n// Get Release Pipeline creations by new users\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeframe)\\n| where OperationName =~ \\\"Release.ReleasePipelineModified\\\"\\n| extend UserScope = strcat(ActorUserId, \\\"-\\\", ProjectName)\\n| where UserScope !in (releaseusers)\\n| extend ActorUPN = tolower(ActorUPN)\\n| project-away Id, ActivityId, ActorCUID, ScopeId, ProjectId, TenantId, SourceSystem, UserScope\\n// See if any of these users have Azure AD alerts associated with them in the same timeframe\\n| join kind = leftouter (\\nSecurityAlert\\n| where TimeGenerated \u003e ago(timeframe)\\n| where ProviderName == \\\"IPC\\\"\\n| extend AadUserId = tostring(parse_json(Entities)[0].AadUserId)\\n| summarize Alerts=count() by AadUserId) on $left.ActorUserId == $right.AadUserId\\n| extend Alerts = iif(isnotempty(Alerts), Alerts, 0)\\n// Uncomment the line below to only show results where the user as AADIdP alerts\\n//| where Alerts \u003e 0\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Execution\",\"DefenseEvasion\"],\"displayName\":\"Azure DevOps Pipeline modified by a new user.\",\"description\":\"There are several potential pipeline steps that could be modified by an attacker to inject malicious code into the build cycle. A likely attacker path is the modification to an existing pipeline that they have access to. \\nThis detection looks for users modifying a pipeline when they have not previously been observed modifying or creating that pipeline before. This query also joins events with data to Azure AD Identity Protection (AAD IdP) \\nin order to show if the user conducting the action has any associated AAD IdP alerts. You can also choose to filter this detection to only alert when the user also has AAD IdP alerts associated with them.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3d023f64-8225-41a2-9570-2bd7c2c4535e\",\"name\":\"3d023f64-8225-41a2-9570-2bd7c2c4535e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1DT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\nlet spanoftime = 10m;\\nlet threshold = 0;\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e ago(timeframe+spanoftime)\\n// A user account was enabled\\n| where EventID == 4722\\n| where AccountType =~ \\\"User\\\"\\n| where TargetAccount !endswith \\\"$\\\"\\n| project EnableTime = TimeGenerated, EnableEventID = EventID, EnableActivity = Activity, Computer, UserPrincipalName, \\nAccountUsedToEnable = SubjectAccount, SIDofAccountUsedToEnable = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid\\n),\\n(\\nWindowsEvent\\n| where TimeGenerated \u003e ago(timeframe+spanoftime)\\n// A user account was enabled\\n| where EventID == 4722\\n| extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| extend AccountType=case(EventData.SubjectUserName endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n| where AccountType =~ \\\"User\\\"\\n| extend SubjectAccount = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| where TargetAccount !endswith \\\"$\\\"\\n| extend Activity=\\\"4722 - A user account was enabled.\\\"\\n| extend TargetSid = tostring(EventData.TargetSid)\\n| extend UserPrincipalName = tostring(EventData.UserPrincipalName)\\n| project EnableTime = TimeGenerated, EnableEventID = EventID, EnableActivity = Activity, Computer, UserPrincipalName, \\nAccountUsedToEnable = SubjectAccount, SIDofAccountUsedToEnable = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid\\n))\\n| join kind= inner (\\n (union isfuzzy=true\\n (SecurityEvent\\n | where TimeGenerated \u003e ago(timeframe)\\n // A user account was disabled\\n | where EventID == 4725\\n| where AccountType =~ \\\"User\\\"\\n| project DisableTime = TimeGenerated, DisableEventID = EventID, DisableActivity = Activity, Computer, UserPrincipalName, \\nAccountUsedToDisable = SubjectAccount, SIDofAccountUsedToDisable = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid\\n),\\n(WindowsEvent\\n | where TimeGenerated \u003e ago(timeframe)\\n // A user account was disabled\\n | where EventID == 4725\\n| extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| extend AccountType=case(EventData.SubjectUserName endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n| where AccountType =~ \\\"User\\\"\\n| extend SubjectAccount = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| extend TargetSid = tostring(EventData.TargetSid)\\n| extend UserPrincipalName = tostring(EventData.UserPrincipalName)\\n| extend Activity = \\\"4725 - A user account was disabled.\\\"\\n| project DisableTime = TimeGenerated, DisableEventID = EventID, DisableActivity = Activity, Computer, UserPrincipalName, \\nAccountUsedToDisable = SubjectAccount, SIDofAccountUsedToDisable = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid))\\n) on Computer, TargetAccount\\n| where DisableTime - EnableTime \u003c spanoftime\\n| extend TimeDelta = DisableTime - EnableTime\\n| where tolong(TimeDelta) \u003e= threshold\\n| project TimeDelta, EnableTime, EnableEventID, EnableActivity, Computer, TargetAccount, TargetSid, UserPrincipalName, AccountUsedToEnable, SIDofAccountUsedToEnable, \\nDisableTime, DisableEventID, DisableActivity, AccountUsedToDisable, SIDofAccountUsedToDisable\\n| extend timestamp = EnableTime, AccountCustomEntity = AccountUsedToEnable, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"Sid\",\"columnName\":\"SIDofAccountUsedToEnable\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"User account enabled and disabled within 10 mins\",\"description\":\"Identifies when a user account is enabled and then disabled within 10 minutes. This can be an indication of compromise and\\nan adversary attempting to hide in the noise.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2019-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0625fcce-6d52-491e-8c68-1d9b801d25b9\",\"name\":\"0625fcce-6d52-491e-8c68-1d9b801d25b9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"Event\\n| where EventLog =~ \\\"Application\\\"\\n| where Source startswith \\\"MSExchange\\\"\\n| where EventLevelName =~ \\\"error\\\"\\n| where (RenderedDescription startswith \\\"Watson report\\\" and RenderedDescription contains \\\"umworkerprocess\\\" and RenderedDescription contains \\\"TextFormattingRunProperties\\\") or RenderedDescription startswith \\\"An unhandled exception occurred in a UM worker process\\\" or RenderedDescription startswith \\\"The Microsoft Exchange Unified Messaging service\\\" or RenderedDescription contains \\\"MSExchange Unified Messaging\\\"\\n| where RenderedDescription !contains \\\"System.OutOfMemoryException\\\"\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"HAFNIUM Suspicious UM Service Error\",\"description\":\"This query looks for errors that may indicate that an attacker is attempting to exploit a vulnerability in the service. \\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-02T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/09c49590-4e9d-4da9-a34d-17222d0c9e7e\",\"name\":\"09c49590-4e9d-4da9-a34d-17222d0c9e7e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"AlertPerResult\"},\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let default_file_ext_blocklist = dynamic([\u0027.ps1\u0027, \u0027.vbs\u0027, \u0027.bat\u0027, \u0027.scr\u0027]);\\nlet custom_file_ext_blocklist=toscalar(_GetWatchlist(\u0027RiskyFileTypes\u0027) | extend Extension=column_ifexists(\\\"Extension\\\",\\\"\\\") | where isnotempty(Extension) | summarize make_set(Extension));\\nlet file_ext_blocklist = array_concat(default_file_ext_blocklist, custom_file_ext_blocklist);\\n_Im_WebSession(url_has_any=file_ext_blocklist, eventresult=\u0027Success\u0027)\\n| extend requestedFileName=tostring(split(tostring(parse_url(Url)[\\\"Path\\\"]),\u0027/\u0027)[-1])\\n| extend requestedFileExt=extract(@(\\\\.\\\\w+)$,1,requestedFileName, typeof(string))\\n| where requestedFileExtension in (file_ext_blocklist)\\n| summarize LastAttemptTime=max(TimeGenerated), NumFailedAttempts=count() by SrcIpAddr, requestedFileName, Url\\n| extend IPCustomEntity = SrcIpAddr, UrlCustomEntity=Url\",\"customDetails\":{\"requestedFileName\":\"requestedFileName\",\"requestedFileExt\":\"requestedFileExt\",\"Username\":\"SrcUsername\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Client {{SrcIpAddr}} accessed a URL with potentially harmful extension {{requestedFileExt}}\",\"alertDescriptionFormat\":\"The client at address {{SrcIpAddr}} accessed the URL {{Url}} that has the extension {{requestedFileExt}}. Downloading a file with this extension may be harmful and may indicate malicious activity.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"InitialAccess\"],\"displayName\":\"A client made a web request to a potentially harmful file (ASIM Web Session schema)\",\"description\":\"This rule identifies a web request to a URL that holds a file type, including .ps1, .bat, .vbs, and .scr that can be harmful if downloaded. This rule uses the [Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) and supports any web session source that complies with ASIM. To use this Analytics Rule, deploy the Advanced Security Information Model (ASIM).\\n This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema)\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2021-12-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ffcd575b-3d54-482a-a6d8-d0de13b6ac63\",\"name\":\"ffcd575b-3d54-482a-a6d8-d0de13b6ac63\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @\u0027^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$\u0027;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n CommonSecurityLog | where TimeGenerated \u003e= ago(dt_lookBack) and isnotempty(DestinationUserID)\\n // Filtering PAN Logs for specific event type to match relevant email entities\\n | where DeviceVendor == \\\"Palo Alto Networks\\\" and DeviceEventClassID == \\\"wildfire\\\" and ApplicationProtocol in (\\\"smtp\\\",\\\"pop3\\\")\\n | extend DestinationUserID = tolower(DestinationUserID)\\n | where DestinationUserID matches regex emailregex\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n)\\non $left.EmailSenderAddress == $right.DestinationUserID\\n| where CommonSecurityLog_TimeGenerated \u003c ExpirationDateTime\\n| summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, DestinationUserID\\n| project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, EmailSenderName, EmailRecipient, \\nEmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, DestinationUserID, DeviceEventClassID, LogSeverity, DeviceAction, SourceIP, SourcePort, \\nDestinationIP, DestinationPort, Protocol, ApplicationProtocol\\n| extend timestamp = CommonSecurityLog_TimeGenerated, AccountCustomEntity = DestinationUserID, IPCustomEntity = SourceIP, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map Email entity to CommonSecurityLog\",\"description\":\"Identifies a match in CommonSecurityLog table from any Email IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7cb8f77d-c52f-4e46-b82f-3cf2e106224a\",\"name\":\"7cb8f77d-c52f-4e46-b82f-3cf2e106224a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let lookBack_long = 7d;\\nlet lookBack_med = 3d;\\nlet lookBack = 1d;\\nlet aadFunc = (tableName:string){\\ntable(tableName)\\n| where TimeGenerated \u003e= startofday(ago(lookBack_long))\\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n| extend locationString = strcat(tostring(LocationDetails.countryOrRegion), \\\"/\\\", tostring(LocationDetails.state), \\\"/\\\", tostring(LocationDetails.city), \\\";\\\") \\n| project TimeGenerated, AppDisplayName , UserPrincipalName, locationString \\n// Create time series \\n| make-series dLocationCount = dcount(locationString) on TimeGenerated in range(startofday(ago(lookBack_long)),now(), 1d) \\nby UserPrincipalName, AppDisplayName \\n// Compute best fit line for each entry \\n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dLocationCount) \\n// Chart the 3 most interesting lines \\n// A 0-value slope corresponds to an account being completely stable over time for a given Azure Active Directory application\\n| where Slope \u003e 0.3\\n| top 50 by Slope desc\\n| join kind = leftsemi (\\ntable(tableName)\\n| where TimeGenerated \u003e= startofday(ago(lookBack_med))\\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n| extend locationString = strcat(tostring(LocationDetails.countryOrRegion), \\\"/\\\", tostring(LocationDetails.state), \\\"/\\\", tostring(LocationDetails.city), \\\";\\\") \\n| project TimeGenerated, AppDisplayName , UserPrincipalName, locationString \\n| make-series dLocationCount = dcount(locationString) on TimeGenerated in range(startofday(ago(lookBack_med)) ,now(), 1d) \\nby UserPrincipalName, AppDisplayName \\n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dLocationCount)\\n| where Slope \u003e 0.3\\n| top 50 by Slope desc\\n) on UserPrincipalName, AppDisplayName\\n| join kind = leftsemi (\\ntable(tableName)\\n| where TimeGenerated \u003e= startofday(ago(lookBack))\\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n| extend locationString = strcat(tostring(LocationDetails.countryOrRegion), \\\"/\\\", tostring(LocationDetails.state), \\\"/\\\", tostring(LocationDetails.city), \\\";\\\") \\n| project TimeGenerated, AppDisplayName , UserPrincipalName, locationString \\n| make-series dLocationCount = dcount(locationString) on TimeGenerated in range(startofday(ago(lookBack)) ,now(), 1d) \\nby UserPrincipalName, AppDisplayName \\n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dLocationCount)\\n| where Slope \u003e 5\\n| top 50 by Slope desc\\n// Higher threshold requirement on last day anomaly\\n) on UserPrincipalName, AppDisplayName\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Anomalous sign-in location by user account and authenticating application\",\"description\":\"This query over Azure Active Directory sign-in considers all user sign-ins for each Azure Active \\nDirectory application and picks out the most anomalous change in location profile for a user within an \\nindividual application. An alert is generated for recent sign-ins that have location counts that are anomalous\\nover last day but also over the last 3-day and 7-day periods.\\nPlease note that on workspaces with larger volume of Signin data (~10M+ events a day) may timeout when using this default query time period.\\nIt is recommended that you test and tune this appropriately for the workspace.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1da9853f-3dea-4ea9-b7e5-26730da3d537\",\"name\":\"1da9853f-3dea-4ea9-b7e5-26730da3d537\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let PortScanThreshold = 50;\\n_Im_NetworkSession\\n| where ipv4_is_private(SrcIpAddr) == False\\n| summarize AttemptedPortsCount=dcount(DstPortNumber) by SrcIpAddr, bin(TimeGenerated, 5m)\\n| where AttemptedPortsCount \u003e PortScanThreshold\",\"customDetails\":{\"AttemptedPortsCount\":\"AttemptedPortsCount\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Potential port scan from {{SrcIpAddr}}\",\"alertDescriptionFormat\":\"A port scan has been performed from address {{SrcIpAddr}} over {{AttemptedPortsCount}} pots within 5 minutes. This may indicate that a [port scanner](https://en.wikipedia.org/wiki/Port_scanner) is trying to identify open ports in order to penetrate a system.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"Discovery\"],\"displayName\":\"Port scan detected (ASIM Network Session schema)\",\"description\":\"This rule identifies a possible port scan, in which a single source tries to access a large number of different ports is a short time frame. This may indicate that a [port scanner](https://en.wikipedia.org/wiki/Port_scanner) is trying to identify open ports in order to penetrate a system.\u003cbr\u003e\u003cbr\u003e\\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2022-03-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/eda260eb-f4a1-4379-ad98-452604da9b3e\",\"name\":\"eda260eb-f4a1-4379-ad98-452604da9b3e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let eventsThreshold = 20;\\nCommonSecurityLog\\n| where isnotempty(RequestURL)\\n| project TimeGenerated, RequestURL, RequestMethod, SourceIP, SourceHostName\\n| evaluate sequence_detect(TimeGenerated, 5s, 8s, login=(RequestURL has \\\"login.microsoftonline.com/consumers/oauth2/v2.0/token\\\"), graph=(RequestURL has \\\"graph.microsoft.com/v1.0/me/drive/\\\"), SourceIP, SourceHostName)\\n| summarize Events=count() by SourceIP, SourceHostName\\n| where Events \u003e= eventsThreshold\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"SourceHostName\"}]}],\"tactics\":[\"Exfiltration\",\"CommandAndControl\"],\"displayName\":\"CreepyDrive request URL sequence\",\"description\":\"CreepyDrive uses OneDrive for command and control, however, it makes regular requests to predicatable paths.\\nThis detecton will alert when over 20 sequences are observed in a single day.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2022-05-31T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3533f74c-9207-4047-96e2-0eb9383be587\",\"name\":\"3533f74c-9207-4047-96e2-0eb9383be587\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let detectionTime = 1d;\\nlet joinLookback = 14d;\\nAuditLogs\\n| where TimeGenerated \u003e ago(detectionTime)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Consent to application\\\"\\n| where TargetResources has \\\"offline\\\"\\n| extend AppDisplayName = TargetResources.[0].displayName\\n| extend AppClientId = tolower(TargetResources.[0].id)\\n| where AppClientId !in ((externaldata(knownAppClientId:string, knownAppDisplayName:string)[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.OAuth.KnownApplications.csv\\\"] with (format=\\\"csv\\\")))\\n| extend ConsentFull = TargetResources[0].modifiedProperties[4].newValue\\n| parse ConsentFull with * \\\"ConsentType: \\\" GrantConsentType \\\", Scope: \\\" GrantScope1 \\\"]\\\" *\\n| where ConsentFull contains \\\"offline_access\\\" and ConsentFull contains \\\"Files.Read\\\" or ConsentFull contains \\\"Mail.Read\\\" or ConsentFull contains \\\"Notes.Read\\\" or ConsentFull contains \\\"ChannelMessage.Read\\\" or ConsentFull contains \\\"Chat.Read\\\" or ConsentFull contains \\\"TeamsActivity.Read\\\" or ConsentFull contains \\\"Group.Read\\\" or ConsentFull contains \\\"EWS.AccessAsUser.All\\\" or ConsentFull contains \\\"EAS.AccessAsUser.All\\\"\\n| where GrantConsentType != \\\"AllPrincipals\\\" // NOTE: we are ignoring if OAuth application was granted to all users via an admin - but admin due diligence should be audited occasionally\\n| extend GrantIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\\n| extend GrantInitiatedBy = tostring(iff(isnotempty(InitiatedBy.user.userPrincipalName),InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName))\\n| extend GrantUserAgent = tostring(iff(AdditionalDetails[0].key =~ \\\"User-Agent\\\", AdditionalDetails[0].value, \\\"\\\"))\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, GrantIpAddress, GrantUserAgent, AppClientId, OperationName, ConsentFull, CorrelationId\\n| join kind = leftouter (AuditLogs\\n| where TimeGenerated \u003e ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add service principal\\\"\\n| extend AppClientId = tolower(TargetResources[0].id)\\n| extend AppReplyURLs = iff(TargetResources[0].modifiedProperties[1].newValue has \\\"AddressType\\\", TargetResources[0].modifiedProperties[1].newValue, \\\"\\\")\\n| distinct AppClientId, tostring(AppReplyURLs)\\n)\\non AppClientId\\n| join kind = innerunique (AuditLogs\\n| where TimeGenerated \u003e ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add OAuth2PermissionGrant\\\" or OperationName =~ \\\"Add delegated permission grant\\\"\\n| extend GrantAuthentication = tostring(TargetResources[0].displayName)\\n| extend GrantOperation = OperationName\\n| project GrantAuthentication, GrantOperation, CorrelationId\\n) on CorrelationId\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantIpAddress, GrantUserAgent, AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull\\n| extend timestamp = TimeGenerated, AccountCustomEntity = GrantInitiatedBy, IPCustomEntity = GrantIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Suspicious application consent for offline access\",\"description\":\"This will alert when a user consents to provide a previously-unknown Azure application with offline access via OAuth.\\nOffline access will provide the Azure App with access to the listed resources without requiring two-factor authentication.\\nConsent to applications with offline access and read capabilities should be rare, especially as the knownApplications list is expanded. Public contributions to expand this filter are welcome!\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0ee2aafb-4500-4e36-bcb1-e90eec2f0b9b\",\"name\":\"0ee2aafb-4500-4e36-bcb1-e90eec2f0b9b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"AWSCloudTrail\\n| where EventName =~ \\\"ConsoleLogin\\\"\\n| extend MFAUsed = tostring(parse_json(AdditionalEventData).MFAUsed), LoginResult = tostring(parse_json(ResponseElements).ConsoleLogin)\\n| where MFAUsed !~ \\\"Yes\\\" and LoginResult !~ \\\"Failure\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, LoginResult, MFAUsed, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent,\\nUserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserIdentityUserName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIpAddress\"}]}],\"tactics\":[\"DefenseEvasion\",\"PrivilegeEscalation\",\"Persistence\",\"InitialAccess\"],\"displayName\":\"NRT Login to AWS Management Console without MFA\",\"description\":\"Multi-Factor Authentication (MFA) helps you to prevent credential compromise. This alert identifies logins to the AWS Management Console without MFA.\\nYou can limit this detection to trigger for administrative accounts if you do not have MFA enabled on all accounts.\\nThis is done by looking at the eventName ConsoleLogin and if the AdditionalEventData field indicates MFA was NOT used\\nand the ResponseElements field indicates NOT a Failure. Thereby indicating that a non-MFA login was successful.\",\"lastUpdatedDateUTC\":\"2022-02-08T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/269435e3-1db8-4423-9dfc-9bf59997da1c\",\"name\":\"269435e3-1db8-4423-9dfc-9bf59997da1c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Low\",\"query\":\"AuditLogs\\n| where Category =~ \\\"RoleManagement\\\"\\n| where OperationName has \\\"Add member to role outside of PIM\\\"\\n or (LoggedByService == \\\"Core Directory\\\" and OperationName == \\\"Add member to role\\\" and Identity != \\\"MS-PIM\\\")\\n| extend AccountCustomEntity = tostring(TargetResources[0].userPrincipalName), IPCustomEntity = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Privileged Role Assigned Outside PIM\",\"description\":\"Identifies a privileged role being assigned to a user outside of PIM\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1\",\"lastUpdatedDateUTC\":\"2022-01-17T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2be4ef67-a93f-4d8a-981a-88158cb73abd\",\"name\":\"2be4ef67-a93f-4d8a-981a-88158cb73abd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.0\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet covidIndicators = (externaldata(TimeGenerated:datetime, FileHashValue:string, FileHashType: string, TlpLevel: string, Product: string, ThreatType: string, Description: string )\\n[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.Covid19.Indicators.csv\\\"] with (format=\\\"csv\\\"));\\nlet fileHashIndicators = covidIndicators\\n| where isnotempty(FileHashValue);\\n// Handle matches against both lower case and uppercase versions of the hash:\\n(fileHashIndicators | extend FileHashValue = tolower(FileHashValue)\\n| union (fileHashIndicators | extend FileHashValue = toupper(FileHashValue)))\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n CommonSecurityLog | where TimeGenerated \u003e= ago(dt_lookBack) \\n | where isnotempty(FileHash)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n )\\non $left.FileHashValue == $right.FileHash\\n| summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by FileHashValue\\n| project CommonSecurityLog_TimeGenerated, FileHashValue, FileHashType, Description, ThreatType, \\nSourceIP, SourcePort, DestinationIP, DestinationPort, SourceUserID, SourceUserName, DeviceName, DeviceAction, \\nRequestURL, DestinationUserName, DestinationUserID, ApplicationProtocol, Activity\\n| extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, AccountCustomEntity = SourceUserName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Value\",\"columnName\":\"FileHashValue\"},{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashType\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Microsoft COVID-19 file hash indicator matches\",\"description\":\"Identifies a match in CommonSecurityLog Event data from any FileHash published in the Microsoft COVID-19 Threat Intel Feed - as described at https://www.microsoft.com/security/blog/2020/05/14/open-sourcing-covid-threat-intelligence/\",\"lastUpdatedDateUTC\":\"2022-07-07T00:00:00Z\",\"createdDateUTC\":\"2019-08-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5b72f527-e3f6-4a00-9908-8e4fee14da9f\",\"name\":\"5b72f527-e3f6-4a00-9908-8e4fee14da9f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"CommonSecurityLog\\n| where isnotempty(DestinationPort) and DeviceAction !in (\\\"reset-both\\\", \\\"deny\\\") \\n// filter out common usage ports. Add ports that are legitimate for your environment\\n| where DestinationPort !in (\\\"443\\\", \\\"53\\\", \\\"389\\\", \\\"80\\\", \\\"0\\\", \\\"880\\\", \\\"8888\\\", \\\"8080\\\")\\n| where ApplicationProtocol == \\\"incomplete\\\" \\n// filter out IANA ephemeral or negotiated ports as per https://en.wikipedia.org/wiki/Ephemeral_port\\n| where DestinationPort !between (toint(49512) .. toint(65535)) \\n| where Computer != \\\"\\\" \\n| where DestinationIP !startswith \\\"10.\\\"\\n| extend Reason = coalesce(\\n column_ifexists(\\\"Reason\\\", \\\"\\\"), \\n extract(\\\"reason=(.+?)(;|$)\\\", 1, AdditionalExtensions),\\n \\\"\\\"\\n )\\n// Filter out any graceful reset reasons of AGED OUT which occurs when a TCP session closes with a FIN due to aging out. \\n| where Reason !has \\\"aged-out\\\" \\n// Filter out any TCP FIN which occurs when a TCP FIN is used to gracefully close half or both sides of a connection.\\n| where Reason !has \\\"tcp-fin\\\" \\n// Uncomment one of the following where clauses to trigger on specific TCP reset reasons\\n// See Palo Alto article for details - https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClUvCAK\\n// TCP RST-server - Occurs when the server sends a TCP reset to the client\\n// | where AdditionalExtensions has \\\"reason=tcp-rst-from-server\\\" \\n// TCP RST-client - Occurs when the client sends a TCP reset to the server\\n// | where AdditionalExtensions has \\\"reason=tcp-rst-from-client\\\" \\n// Already performed\\n//| extend reason = tostring(split(AdditionalExtensions, \\\";\\\")[3])\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by DeviceName, SourceUserID, SourceIP, ApplicationProtocol, Reason, DestinationPort, Protocol, DeviceVendor, DeviceProduct, DeviceAction, DestinationIP\\n| where count_ \u003e= 10\\n| summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), makeset(DestinationIP), totalcount = sum(count_) by DeviceName, SourceUserID, SourceIP, ApplicationProtocol, Reason, DestinationPort, Protocol, DeviceVendor, DeviceProduct, DeviceAction\\n| extend timestamp = StartTimeUtc, IPCustomEntity = SourceIP, AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Discovery\"],\"displayName\":\"Palo Alto - possible internal to external port scanning\",\"description\":\"Identifies a list of internal Source IPs (10.x.x.x Hosts) that have triggered 10 or more non-graceful tcp server resets from one or more Destination IPs which \\nresults in an \\\"ApplicationProtocol = incomplete\\\" designation. The server resets coupled with an \\\"Incomplete\\\" ApplicationProtocol designation can be an indication \\nof internal to external port scanning or probing attack. \\nReferences: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClUvCAK and\\nhttps://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClTaCAK\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2019-02-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/677da133-e487-4108-a150-5b926591a92b\",\"name\":\"677da133-e487-4108-a150-5b926591a92b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.5.1\",\"severity\":\"Medium\",\"query\":\"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string)\\n[@\\\"https://raw.githubusercontent.com/microsoft/mstic/master/Indicators/May21-NOBELIUM/May21NOBELIUMIoCs.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet sha256s = (iocs | where Type =~ \\\"SHA256\\\"| project IoC);\\nlet ips = (iocs | where Type =~ \\\"IP\\\"| project IoC);\\nlet IPList = dynamic([\\\"192.99.221.77\\\",\\\"83.171.237.173\\\"]);\\nlet ips_list=toscalar(ips | summarize makeset(IoC));\\nlet full_ip_list= array_concat(ips_list, IPList);\\nlet domains = (iocs | where Type =~ \\\"Domain\\\"| project IoC);\\nlet domain_list=toscalar(domains | summarize make_set(IoC));\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\nlet sha256Hashes = dynamic([\\\"2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9226c80b8b31252\\\",\\n\\\"d035d394a82ae1e44b25e273f99eae8e2369da828d6b6fdb95076fd3eb5de142\\\",\\n\\\"94786066a64c0eb260a28a2959fcd31d63d175ade8b05ae682d3f6f9b2a5a916\\\",\\n\\\"48b5fb3fa3ea67c2bc0086c41ec755c39d748a7100d71b81f618e82bf1c479f0\\\",\\n\\\"ee44c0692fd2ab2f01d17ca4b58ca6c7f79388cbc681f885bb17ec946514088c\\\",\\n\\\"ee42ddacbd202008bcc1312e548e1d9ac670dd3d86c999606a3a01d464a2a330\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or DestinationHostName in~ (domains) or RequestURL has_any (domains) or Message has_any (IPList)\\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", RequestURL in (domains), \\\"RequestUrl\\\", SourceIP in (ips), \\\"SourceIP\\\", DestinationIP in (ips), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", \\\"NoMatch\\\") \\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, \\\"NoMatch\\\"), AccountCustomEntity = SourceUserID\\n),\\n(_Im_Dns (domain_has_any=todynamic(domain_list))\\n| extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host\\n),\\n(_Im_Dns (response_has_any_prefix=todynamic(full_ip_list))\\n| extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host\\n),\\n(VMConnection\\n| where SourceIp in (IPList) or DestinationIp in (IPList) or SourceIp in (ips) or DestinationIp in (ips) or RemoteDnsCanonicalNames has_any (domains)\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", SourceIp in (ips), \\\"SourceIP\\\", DestinationIp in (ips), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"NoMatch\\\"), HostCustomEntity = Computer\\n),\\n(OfficeActivity\\n| where ClientIP in (IPList) or ClientIP in (ips)\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = UserId\\n),\\n(WindowsFirewall\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or SourceIP in (ips) or DestinationIP in (ips)\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", SourceIP in (ips), \\\"SourceIP\\\", DestinationIP in (ips), \\\"DestinationIP\\\", \\\"None\\\")\\n),\\n(_Im_NetworkSession(srcipaddr_has_any_prefix=full_ip_list)\\n | extend IPMatch = \\\"SourceIP\\\"\\n | extend timestamp = TimeGenerated, HostCustomEntity = Dvc , IPCustomEntity = SrcIpAddr //, AccountCustomEntity =User\\n),\\n(_Im_NetworkSession(dstipaddr_has_any_prefix=full_ip_list)\\n | extend IPMatch = \\\"DestinationIP\\\"\\n | extend timestamp = TimeGenerated, HostCustomEntity = Dvc , IPCustomEntity = DstIpAddr //, AccountCustomEntity =User\\n),\\n(_Im_WebSession(url_has_any=domains)\\n | extend timestamp=TimeGenerated, HostCustomEntity=Dvc , DNSName=tostring(parse_url(Url)[\\\"Host\\\"]), AccountCustomEntity=User\\n),\\n(_Im_WebSession(srcipaddr_has_any_prefix=full_ip_list)\\n | extend timestamp=TimeGenerated, HostCustomEntity=Dvc , DNSName=tostring(parse_url(Url)[\\\"Host\\\"]), AccountCustomEntity=User\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (domains) \\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updating\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| where EventDetail has_any (sha256Hashes) or EventDetail has_any (sha256s)\\n| parse EventDetail with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = SHA256\\n| project Type, TimeGenerated, Computer, Account, FileHash\\n),\\n(DeviceFileEvents\\n| where SHA256 in~ (sha256Hashes) or SHA256 in~ (sha256s)\\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = SHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(imFileEvent\\n| where TargetFileSHA256 in~ (sha256Hashes) or TargetFileSHA256 in~ (sha256s)\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes) or FileHash in (sha256s)\\n| extend timestamp = TimeGenerated\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"DNSName\"}]}],\"tactics\":[\"CommandAndControl\",\"Execution\"],\"displayName\":\"NOBELIUM - Domain, Hash and IP IOCs - May 2021\",\"description\":\"Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM.\\nRef: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2021-03-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceFileEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/35ce9aff-1708-45b8-a295-5e9a307f5f17\",\"name\":\"35ce9aff-1708-45b8-a295-5e9a307f5f17\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"AzureDevOpsAuditing\\n| where OperationName =~ \\\"Group.UpdateGroupMembership.Add\\\"\\n| where Details has_any (\\\"Project Administrators\\\", \\\"Project Collection Administrators\\\", \\\"Project Collection Service Accounts\\\", \\\"Build Administrator\\\")\\n| project-reorder TimeGenerated, Details, ActorUPN, IpAddress, UserAgent, AuthenticationMechanism, ScopeDisplayName\\n| extend timekey = bin(TimeGenerated, 1h)\\n| extend ActorUserId = tostring(Data.MemberId)\\n| project timekey, ActorUserId, AddingUser=ActorUPN, TimeAdded=TimeGenerated, PermissionGrantDetails = Details\\n// Get details of operations conducted by user soon after elevation of permissions\\n| join (AzureDevOpsAuditing\\n| extend ActorUserId = tostring(Data.MemberId)\\n| extend timekey = bin(TimeGenerated, 1h)) on timekey, ActorUserId\\n| summarize ActionsWhenAdded = make_set(OperationName) by ActorUPN, AddingUser, TimeAdded, PermissionGrantDetails, IpAddress, UserAgent\\n| extend timestamp = TimeAdded, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddingUser\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"New PA, PCA, or PCAS added to Azure DevOps\",\"description\":\"In order for an attacker to be able to conduct many potential attacks against Azure DevOps they will need to gain elevated permissions. \\nThis detection looks for users being granted key administrative permissions. If the principal of least privilege is applied, the number of \\nusers granted these permissions should be small. Note that permissions can also be granted via Azure AD groups and monitoring of these \\nshould also be conducted.\",\"lastUpdatedDateUTC\":\"2022-01-17T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bf07ca9c-e408-443a-8939-6860a45a929e\",\"name\":\"bf07ca9c-e408-443a-8939-6860a45a929e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"let allowed_publishers = dynamic([]);\\nAzureDevOpsAuditing\\n| where OperationName =~ \\\"Extension.Installed\\\"\\n| extend ExtensionName = tostring(Data.ExtensionName)\\n| extend PublisherName = tostring(Data.PublisherName)\\n| where PublisherName !in (allowed_publishers)\\n| project-reorder TimeGenerated, OperationName, ExtensionName, PublisherName, ActorUPN, IpAddress, UserAgent, ScopeDisplayName, Data\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Azure DevOps New Extension Added\",\"description\":\"Extensions add additional features to Azure DevOps. An attacker could use a malicious extension to conduct malicious activity. \\nThis query looks for new extensions that are not from a configurable list of approved publishers.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/65c78944-930b-4cae-bd79-c3664ae30ba7\",\"name\":\"65c78944-930b-4cae-bd79-c3664ae30ba7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"(union isfuzzy=true\\n(AuditLogs \\n| where OperationName =~ \\\"Disable Strong Authentication\\\"\\n| extend IPAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress) \\n| extend InitiatedByUser = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)), \\n tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName))\\n| extend Targetprop = todynamic(TargetResources)\\n| extend TargetUser = tostring(Targetprop[0].userPrincipalName) \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by User = TargetUser, InitiatedByUser , Operation = OperationName , CorrelationId, IPAddress, Category, Source = SourceSystem , AADTenantId, Type\\n),\\n(AWSCloudTrail\\n| where EventName in~ (\\\"DeactivateMFADevice\\\", \\\"DeleteVirtualMFADevice\\\") \\n| extend InstanceProfileName = tostring(parse_json(RequestParameters).InstanceProfileName)\\n| extend TargetUser = tostring(parse_json(RequestParameters).userName)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by User = TargetUser, Source = EventSource , Operation = EventName , TenantorInstance_Detail = InstanceProfileName, IPAddress = SourceIpAddress\\n)\\n)\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\",\"Persistence\"],\"displayName\":\"MFA disabled for a user\",\"description\":\"Multi-Factor Authentication (MFA) helps prevent credential compromise. This alert identifies when an attempt has been made to disable MFA for a user \",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2019-12-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4759ddb4-2daf-43cb-b34e-d85b85b4e4a5\",\"name\":\"4759ddb4-2daf-43cb-b34e-d85b85b4e4a5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/DEV-0322_SolarWinds_Serv-U_IoC.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet process = (iocs | where Type =~ \\\"process\\\" | project IoC);\\nlet parentprocess = (iocs | where Type =~ \\\"parentprocess\\\" | project IoC);\\nlet IPList = (iocs | where Type =~ \\\"ip\\\"| project IoC);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or RequestURL has_any (IPList) or Message has_any (IPList)\\n| project TimeGenerated, SourceIP, DestinationIP, Message, SourceUserID, RequestURL, Type\\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", RequestURL in (IPList), \\\"RequestUrl\\\",\\\"NoMatch\\\"), AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, IPMatch == \\\"RequestUrl\\\", RequestURL, \\\"NoMatch\\\"), AccountCustomEntity = SourceUserID\\n),\\n(DnsEvents\\n| where IPAddresses in (IPList) \\n| project TimeGenerated, Computer, IPAddresses, Name, ClientIP, Type\\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Host = Computer , AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n),\\n(VMConnection\\n| where SourceIp in (IPList) or DestinationIp in (IPList)\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| project TimeGenerated, Computer, Direction, ProcessName, SourceIp, DestinationIp, DestinationPort, RemoteDnsQuestions, DNSName,BytesSent, BytesReceived, RemoteCountry, Type\\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", \\\"None\\\") , AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"NoMatch\\\"), HostCustomEntity = Computer, ProcessCustomEntity = ProcessName\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = EventDetail.[9].[\\\"#text\\\"], DestinationIP = EventDetail.[14].[\\\"#text\\\"], Image = EventDetail.[4].[\\\"#text\\\"]\\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| project TimeGenerated, SourceIP, DestinationIP, Image, UserName, Computer, Type\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\") , AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n), \\n(OfficeActivity\\n| where ClientIP in (IPList) \\n| project TimeGenerated, UserAgent, Operation, RecordType, UserId, ClientIP, AlertDetail = \u0027Dev-0322 IOC match\u0027, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = UserId\\n),\\n(DeviceNetworkEvents\\n| where RemoteIP in (IPList)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort, LocalIP, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName, AlertDetail = \u0027Dev-0322 IOC match\u0027, UrlCustomEntity =RemoteUrl, ProcessCustomEntity = InitiatingProcessFileName\\n),\\n(WindowsFirewall\\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| project TimeGenerated, Computer, CommunicationDirection, SourceIP, DestinationIP, SourcePort, DestinationPort, Type\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\"), AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| project TimeGenerated,Resource, msg_s, Type\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where ClientIP in (IPList)\\n| extend timestamp = TimeGenerated, DNSName = Request_Name, IPCustomEntity = ClientIP, AlertDetail = \u0027Dev-0322 IOC match\u0027\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| project TimeGenerated,Resource, msg_s\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where SourceHost in (IPList)\\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost, AlertDetail = \u0027Dev-0322 IOC match\u0027\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend ParentImage = EventDetail.[20].[\\\"#text\\\"], Image = EventDetail.[4].[\\\"#text\\\"]\\n| where ( ParentImage has_any (parentprocess) and Image has_any (process))\\n| parse EventDetail with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256,Image, ParentImage \\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = SHA256, AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(DeviceFileEvents\\n| extend CommandLineIP = extract(IPRegex, 0,InitiatingProcessCommandLine)\\n| where (InitiatingProcessFileName in (process) and InitiatingProcessParentFileName in (parentprocess)) or CommandLineIP in (IPList)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RequestAccountName, RequestSourceIP, InitiatingProcessSHA256, Type, CommandLineIP\\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash, IPCustomEntity = CommandLineIP\\n),\\n(DeviceEvents\\n| extend CommandLineIP = extract(IPRegex, 0,InitiatingProcessCommandLine)\\n| where (InitiatingProcessFileName in (process) and InitiatingProcessParentFileName in (parentprocess)) or CommandLineIP in (IPList)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type, CommandLineIP\\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath, AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash, IPCustomEntity = CommandLineIP\\n),\\n(DeviceProcessEvents\\n| extend CommandLineIP = extract(IPRegex, 0,InitiatingProcessCommandLine)\\n| where (InitiatingProcessFileName in (process) and InitiatingProcessParentFileName in (parentprocess)) or CommandLineIP in (IPList)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type, CommandLineIP, AccountName\\n| extend Account = AccountName, Computer = DeviceName, IPAddress = CommandLineIP, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash, IPCustomEntity = IPAddress\\n),\\n( SecurityEvent\\n| where EventID == 4688\\n| extend CommandLineIP = extract(IPRegex, 0, CommandLine)\\n| where CommandLineIP in (IPList) or (NewProcessName has_any (process) and ParentProcessName has_any (parentprocess))\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type, CommandLine, CommandLineIP\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, AlertDetail = \u0027Dev-0322 IOC match\u0027, IPCustomEntity = CommandLineIP\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"DEV-0322 Serv-U related IOCs - July 2021\",\"description\":\"Identifies a match across IOC\u0027s related to DEV-0322 targeting SolarWinds Serv-U software.\",\"lastUpdatedDateUTC\":\"2021-11-30T00:00:00Z\",\"createdDateUTC\":\"2021-06-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceFileEvents\",\"DeviceEvents\",\"DeviceProcessEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d6491be0-ab2d-439d-95d6-ad8ea39277c5\",\"name\":\"d6491be0-ab2d-439d-95d6-ad8ea39277c5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"let SensitiveOperationList = dynamic(\\n[\\\"VaultDelete\\\", \\\"KeyDelete\\\", \\\"SecretDelete\\\", \\\"SecretPurge\\\", \\\"KeyPurge\\\", \\\"SecretBackup\\\", \\\"KeyBackup\\\"]);\\nAzureDiagnostics\\n| extend ResultType = columnifexists(\\\"ResultType\\\", \\\"NoResultType\\\")\\n| extend requestUri_s = columnifexists(\\\"requestUri_s\\\", \\\"None\\\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"None\\\")\\n| extend id_s = columnifexists(\\\"id_s\\\", \\\"None\\\"), CallerIPAddress = columnifexists(\\\"CallerIPAddress\\\", \\\"None\\\"), clientInfo_s = columnifexists(\\\"clientInfo_s\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \\\"None\\\" and isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\\n| where id_s !~ \\\"None\\\" and isnotempty(id_s)\\n| where CallerIPAddress !~ \\\"None\\\" and isnotempty(CallerIPAddress)\\n| where clientInfo_s !~ \\\"None\\\" and isnotempty(clientInfo_s)\\n| where requestUri_s !~ \\\"None\\\" and isnotempty(requestUri_s)\\n| where ResourceType =~ \\\"VAULTS\\\" and ResultType =~ \\\"Success\\\" \\n| where OperationName in~ (SensitiveOperationList) \\n| summarize EventCount=count(), StartTimeUtc=min(TimeGenerated), EndTimeUtc=max(TimeGenerated), TimeTriggered=makelist(TimeGenerated),OperationNameList=make_set(OperationName), RequestURLList=make_set(requestUri_s), CallerIPList = make_set(CallerIPAddress), CallerIPMax= arg_max(CallerIPAddress,*) by ResourceType, ResultType, Resource, id_s, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, clientInfo_s\\n| extend timestamp = StartTimeUtc, IPCustomEntity = CallerIPMax, AccountCustomEntity = identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Sensitive Azure Key Vault operations\",\"description\":\"Identifies when sensitive Azure Key Vault operations are used. This includes: VaultDelete, KeyDelete, SecretDelete, SecretPurge, KeyPurge, SecretBackup, KeyBackup. \\nAny Backup operations should match with expected scheduled backup activity.\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2019-07-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureKeyVault\",\"dataTypes\":[\"KeyVaultData\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/70b12a3b-4899-42cb-910c-5ffaf9d7997d\",\"name\":\"70b12a3b-4899-42cb-910c-5ffaf9d7997d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.6.1\",\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"0.ns1.dns-info.gq\\\", \\\"1.ns1.dns-info.gq\\\", \\\"10.ns1.dns-info.gq\\\", \\\"102.ns1.dns-info.gq\\\", \\n \\\"104.ns1.dns-info.gq\\\", \\\"11.ns1.dns-info.gq\\\", \\\"110.ns1.dns-info.gq\\\", \\\"115.ns1.dns-info.gq\\\", \\\"116.ns1.dns-info.gq\\\", \\n \\\"117.ns1.dns-info.gq\\\", \\\"118.ns1.dns-info.gq\\\", \\\"12.ns1.dns-info.gq\\\", \\\"120.ns1.dns-info.gq\\\", \\\"122.ns1.dns-info.gq\\\", \\n \\\"123.ns1.dns-info.gq\\\", \\\"128.ns1.dns-info.gq\\\", \\\"13.ns1.dns-info.gq\\\", \\\"134.ns1.dns-info.gq\\\", \\\"135.ns1.dns-info.gq\\\", \\n \\\"138.ns1.dns-info.gq\\\", \\\"14.ns1.dns-info.gq\\\", \\\"144.ns1.dns-info.gq\\\", \\\"15.ns1.dns-info.gq\\\", \\\"153.ns1.dns-info.gq\\\", \\n \\\"157.ns1.dns-info.gq\\\", \\\"16.ns1.dns-info.gq\\\", \\\"17.ns1.dns-info.gq\\\", \\\"18.ns1.dns-info.gq\\\", \\\"19.ns1.dns-info.gq\\\", \\n \\\"1a9604fa.ns1.feedsdns.com\\\", \\\"1c7606b6.ns1.steamappstore.com\\\", \\\"2.ns1.dns-info.gq\\\", \\\"20.ns1.dns-info.gq\\\", \\n \\\"201.ns1.dns-info.gq\\\", \\\"202.ns1.dns-info.gq\\\", \\\"204.ns1.dns-info.gq\\\", \\\"207.ns1.dns-info.gq\\\", \\\"21.ns1.dns-info.gq\\\", \\n \\\"210.ns1.dns-info.gq\\\", \\\"211.ns1.dns-info.gq\\\", \\\"216.ns1.dns-info.gq\\\", \\\"22.ns1.dns-info.gq\\\", \\\"220.ns1.dns-info.gq\\\", \\n \\\"223.ns1.dns-info.gq\\\", \\\"23.ns1.dns-info.gq\\\", \\\"24.ns1.dns-info.gq\\\", \\\"25.ns1.dns-info.gq\\\", \\\"26.ns1.dns-info.gq\\\", \\n \\\"27.ns1.dns-info.gq\\\", \\\"28.ns1.dns-info.gq\\\", \\\"29.ns1.dns-info.gq\\\", \\\"3.ns1.dns-info.gq\\\", \\\"30.ns1.dns-info.gq\\\", \\n \\\"31.ns1.dns-info.gq\\\", \\\"32.ns1.dns-info.gq\\\", \\\"33.ns1.dns-info.gq\\\", \\\"34.ns1.dns-info.gq\\\", \\\"35.ns1.dns-info.gq\\\", \\n \\\"36.ns1.dns-info.gq\\\", \\\"37.ns1.dns-info.gq\\\", \\\"39.ns1.dns-info.gq\\\", \\\"3d6fe4b2.ns1.steamappstore.com\\\", \\n \\\"4.ns1.dns-info.gq\\\", \\\"40.ns1.dns-info.gq\\\", \\\"42.ns1.dns-info.gq\\\", \\\"43.ns1.dns-info.gq\\\", \\\"44.ns1.dns-info.gq\\\", \\n \\\"45.ns1.dns-info.gq\\\", \\\"46.ns1.dns-info.gq\\\", \\\"48.ns1.dns-info.gq\\\", \\\"5.ns1.dns-info.gq\\\", \\\"50.ns1.dns-info.gq\\\", \\n \\\"50417.service.gstatic.dnset.com\\\", \\\"51.ns1.dns-info.gq\\\", \\\"52.ns1.dns-info.gq\\\", \\\"53.ns1.dns-info.gq\\\",\\n \\\"54.ns1.dns-info.gq\\\", \\\"55.ns1.dns-info.gq\\\", \\\"56.ns1.dns-info.gq\\\", \\\"57.ns1.dns-info.gq\\\", \\\"58.ns1.dns-info.gq\\\", \\n \\\"6.ns1.dns-info.gq\\\", \\\"60.ns1.dns-info.gq\\\", \\\"62.ns1.dns-info.gq\\\", \\\"63.ns1.dns-info.gq\\\", \\\"64.ns1.dns-info.gq\\\", \\n \\\"65.ns1.dns-info.gq\\\", \\\"67.ns1.dns-info.gq\\\", \\\"7.ns1.dns-info.gq\\\", \\\"70.ns1.dns-info.gq\\\", \\\"71.ns1.dns-info.gq\\\",\\n \\\"73.ns1.dns-info.gq\\\", \\\"77.ns1.dns-info.gq\\\", \\\"77075.service.gstatic.dnset.com\\\", \\\"7c1947fa.ns1.steamappstore.com\\\",\\n \\\"8.ns1.dns-info.gq\\\", \\\"81.ns1.dns-info.gq\\\", \\\"86.ns1.dns-info.gq\\\", \\\"87.ns1.dns-info.gq\\\", \\\"9.ns1.dns-info.gq\\\", \\n \\\"94343.service.gstatic.dnset.com\\\", \\\"9939.service.gstatic.dnset.com\\\", \\\"aa.ns.mircosoftdoc.com\\\", \\n \\\"aaa.feeds.api.ns1.feedsdns.com\\\", \\\"aaa.googlepublic.feeds.ns1.dns-info.gq\\\", \\n \\\"aaa.resolution.174547._get.cache.up.sourcedns.tk\\\", \\\"acc.microsoftonetravel.com\\\", \\n \\\"accounts.longmusic.com\\\", \\\"admin.dnstemplog.com\\\", \\\"agent.updatenai.com\\\", \\n \\\"alibaba.zzux.com\\\", \\\"api.feedsdns.com\\\", \\\"app.portomnail.com\\\", \\\"asia.updatenai.com\\\", \\n \\\"battllestategames.com\\\", \\\"bguha.serveuser.com\\\", \\\"binann-ce.com\\\", \\\"bing.dsmtp.com\\\", \\n \\\"blog.cdsend.xyz\\\", \\\"brives.minivineyapp.com\\\", \\\"bsbana.dynamic-dns.net\\\", \\n \\\"californiaforce.000webhostapp.com\\\", \\\"californiafroce.000webhostapp.com\\\", \\n \\\"cdn.freetcp.com\\\", \\\"cdsend.xyz\\\", \\\"cipla.zzux.com\\\", \\\"cloudfeeddns.com\\\", \\\"comcleanner.info\\\",\\n \\\"cs.microsoftsonline.net\\\", \\\"dns-info.gq\\\", \\\"dns05.cf\\\", \\\"dns22.ml\\\", \\\"dns224.com\\\", \\n \\\"dnsdist.org\\\", \\\"dnstemplog.com\\\", \\\"doc.mircosoftdoc.com\\\", \\\"dropdns.com\\\", \\n \\\"eshop.cdn.freetcp.com\\\", \\\"exchange.dumb1.com\\\", \\\"exchange.misecure.com\\\", \\\"exchange.mrbasic.com\\\",\\n \\\"facebookdocs.com\\\", \\\"facebookint.com\\\", \\\"facebookvi.com\\\", \\\"feed.ns1.dns-info.gq\\\", \\\"feedsdns.com\\\", \\n \\\"firejun.freeddns.com\\\", \\\"ftp.dns-info.dyndns.pro\\\", \\\"goallbandungtravel.com\\\", \\\"goodhk.azurewebsites.net\\\", \\n \\\"googlepublic.feed.ns1.dns-info.gq\\\", \\\"gp.spotifylite.cloud\\\", \\\"gskytop.com\\\", \\\"gstatic.dnset.com\\\", \\n \\\"gxxservice.com\\\", \\\"helpdesk.cdn.freetcp.com\\\", \\\"id.serveuser.com\\\", \\\"infestexe.com\\\", \\\"item.itemdb.com\\\",\\n \\\"m.mircosoftdoc.com\\\", \\\"mail.transferdkim.xyz\\\", \\\"mcafee.updatenai.com\\\", \\\"mecgjm.mircosoftdoc.com\\\",\\n \\\"microdocs.ga\\\", \\\"microsock.website\\\", \\\"microsocks.net\\\", \\\"microsoft.sendsmtp.com\\\", \\n \\\"microsoftbook.dns05.com\\\", \\\"microsoftcontactcenter.com\\\", \\\"microsoftdocs.dns05.com\\\", \\\"microsoftdocs.ml\\\", \\n \\\"microsoftonetravel.com\\\", \\\"microsoftonlines.net\\\", \\\"microsoftprod.com\\\", \\\"microsofts.dns1.us\\\", \\\"microsoftsonline.net\\\",\\n \\\"minivineyapp.com\\\", \\\"mircosoftdoc.com\\\", \\\"mircosoftdocs.com\\\", \\\"mlcrosoft.ninth.biz\\\", \\\"mlcrosoft.site\\\", \\n \\\"mm.portomnail.com\\\", \\\"msdnupdate.com\\\", \\\"msecdn.cloud\\\", \\\"mtnl1.dynamic-dns.net\\\", \\\"ns.gstatic.dnset.com\\\", \\n \\\"ns.microsoftprod.com\\\", \\\"ns.steamappstore.com\\\", \\\"ns1.cdn.freetcp.com\\\", \\\"ns1.comcleanner.info\\\", \\\"ns1.dns-info.gq\\\", \\n \\\"ns1.dns05.cf\\\", \\\"ns1.dnstemplog.com\\\", \\\"ns1.dropdns.com\\\", \\\"ns1.microsoftonetravel.com\\\", \\n \\\"ns1.microsoftonlines.net\\\", \\\"ns1.microsoftprod.com\\\", \\\"ns1.microsoftsonline.net\\\", \\\"ns1.mlcrosoft.site\\\", \\n \\\"ns1.teams.wikaba.com\\\", \\\"ns1.windowsdefende.com\\\", \\\"ns2.comcleanner.info\\\", \\\"ns2.dnstemplog.com\\\", \\n \\\"ns2.microsoftonetravel.com\\\", \\\"ns2.microsoftprod.com\\\", \\\"ns2.microsoftsonline.net\\\", \\\"ns2.mlcrosoft.site\\\", \\n \\\"ns2.windowsdefende.com\\\", \\\"ns3.microsoftprod.com\\\", \\\"ns3.mlcrosoft.site\\\", \\\"nutrition.mrbasic.com\\\", \\n \\\"nutrition.youdontcare.com\\\", \\\"online.mlcrosoft.site\\\", \\\"online.msdnupdate.com\\\", \\\"outlookservce.site\\\", \\n \\\"owa.jetos.com\\\", \\\"owa.otzo.com\\\", \\\"pornotime.co\\\", \\\"portomnail.com\\\", \\n \\\"post.1a0.066e063ac.7c1947fa.ns1.steamappstore.com\\\", \\\"pricingdmdk.com\\\", \\\"prod.microsoftprod.com\\\", \\n \\\"product.microsoftprod.com\\\", \\\"ptcl.yourtrap.com\\\", \\\"query.api.sourcedns.tk\\\", \\\"rb.itemdb.com\\\", \\\"redditcdn.com\\\", \\n \\\"rss.otzo.com\\\", \\\"secure.msdnupdate.com\\\", \\\"service.dns22.ml\\\", \\\"service.gstatic.dnset.com\\\", \\\"service04.dns04.com\\\", \\n \\\"settings.teams.wikaba.com\\\", \\\"sip.outlookservce.site\\\", \\\"sixindent.epizy.com\\\", \\\"soft.msdnupdate.com\\\", \\\"sourcedns.ml\\\", \\n \\\"sourcedns.tk\\\", \\\"sport.msdnupdate.com\\\", \\\"spotifylite.cloud\\\", \\\"static.misecure.com\\\", \\\"steamappstore.com\\\", \\n \\\"store.otzo.com\\\", \\\"survey.outlookservce.site\\\", \\\"team.itemdb.com\\\", \\\"temp221.com\\\", \\\"test.microsoftprod.com\\\", \\n \\\"thisisaaa.000webhostapp.com\\\", \\\"token.dns04.com\\\", \\\"token.dns05.com\\\", \\\"transferdkim.xyz\\\", \\n \\\"travelsanignacio.com\\\", \\\"update08.com\\\", \\\"updated08.com\\\", \\\"updatenai.com\\\", \\\"wantforspeed.com\\\",\\n \\\"web.mircosoftdoc.com\\\", \\\"webmail.pornotime.co\\\", \\\"webwhois.team.itemdb.com\\\", \\\"windowsdefende.com\\\", \\\"wnswindows.com\\\",\\n \\\"ashcrack.freetcp.com\\\", \\\"battllestategames.com\\\", \\\"binannce.com\\\", \\\"cdsend.xyz\\\", \\\"comcleanner.info\\\", \\\"microsock.website\\\", \\n \\\"microsocks.net\\\", \\\"microsoftsonline.net\\\", \\\"mlcrosoft.site\\\", \\\"notify.serveuser.com\\\", \\\"ns1.microsoftprod.com\\\", \\n \\\"ns2.microsoftprod.com\\\", \\\"pricingdmdk.com\\\", \\\"steamappstore.com\\\", \\\"update08.com\\\", \\\"wnswindows.com\\\", \\n \\\"youtube.dns05.com\\\", \\\"z1.zalofilescdn.com\\\", \\\"z2.zalofilescdn.com\\\", \\\"zalofilescdn.com\\\"]); \\n(union isfuzzy=true \\n (CommonSecurityLog \\n | parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n | where DNSName in~ (DomainNames) \\n | extend Account = SourceUserID, Computer = DeviceName, IPAddress = DestinationIP \\n ), \\n (_Im_Dns (domain_has_any=DomainNames)\\n | extend DNSName = DnsQuery \\n | extend IPAddress = SrcIpAddr, Computer = Dvc\\n ), \\n (_Im_WebSession (url_has_any=DomainNames)\\n | extend DNSName = tostring(parse_url(Url)[\\\"Host\\\"])\\n | extend IPAddress = SrcIpAddr, Computer = Dvc\\n ), \\n (VMConnection \\n | parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 * \\n | where isnotempty(DNSName) \\n | where DNSName in~ (DomainNames) \\n | extend IPAddress = RemoteIp \\n ), \\n ( \\n DeviceNetworkEvents \\n | where isnotempty(RemoteUrl) \\n | where RemoteUrl in~ (DomainNames) \\n | extend IPAddress = RemoteIP \\n | extend Computer = DeviceName \\n ),\\n (AzureDiagnostics \\n | where ResourceType == \\\"AZUREFIREWALLS\\\"\\n | where Category == \\\"AzureFirewallApplicationRule\\\"\\n | parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n | where isnotempty(DestinationHost)\\n | where DestinationHost has_any (DomainNames) \\n | extend DNSName = DestinationHost \\n | extend IPAddress = SourceHost\\n ) \\n ) \\n | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Known Barium domains\",\"description\":\"Identifies a match across various data feeds for domains IOCs related to the Barium activity group.\\n References: https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2020-11-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bff058b2-500e-4ae5-bb49-a5b1423cbd5b\",\"name\":\"bff058b2-500e-4ae5-bb49-a5b1423cbd5b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let fileAccessThrehold = 10;\\nOfficeActivity\\n | where OfficeWorkload =~ \\\"MicrosoftTeams\\\"\\n | where Operation =~ \\\"MemberAdded\\\"\\n | extend UPN = tostring(parse_json(Members)[0].UPN)\\n | where UPN contains (\\\"#EXT#\\\")\\n | project TimeAdded=TimeGenerated, Operation, UPN, UserWhoAdded = UserId, TeamName\\n | join kind = inner(\\n OfficeActivity\\n | where OfficeWorkload =~ \\\"MicrosoftTeams\\\"\\n | where Operation =~ \\\"MemberRemoved\\\"\\n | extend UPN = tostring(parse_json(Members)[0].UPN)\\n | where UPN contains (\\\"#EXT#\\\")\\n | project TimeDeleted=TimeGenerated, Operation, UPN, UserWhoDeleted = UserId, TeamName\\n ) on UPN\\n | where TimeDeleted \u003e TimeAdded\\n | join kind=inner \\n (\\n OfficeActivity\\n | where RecordType == \\\"SharePointFileOperation\\\"\\n | where SourceRelativeUrl has \\\"Microsoft Teams Chat Files\\\"\\n | where Operation == \\\"FileUploaded\\\"\\n | join kind = inner \\n (\\n OfficeActivity\\n | where RecordType == \\\"SharePointFileOperation\\\"\\n | where Operation == \\\"FileAccessed\\\"\\n | where SourceRelativeUrl has \\\"Microsoft Teams Chat Files\\\"\\n | summarize FileAccessCount = count() by OfficeObjectId\\n | where FileAccessCount \u003e fileAccessThrehold\\n ) on $left.OfficeObjectId == $right.OfficeObjectId\\n )on $left.UPN == $right.UserId\\n | extend timestamp=TimeGenerated, AccountCustomEntity = UserWhoAdded\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Accessed files shared by temporary external user\",\"description\":\"This detection identifies an external user is added to a Team or Teams chat\\nand shares a files which is accessed by many users (\u003e10) and the users is removed within short period of time. This might be\\nan indicator of suspicious activity.\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2020-08-18T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity (Teams)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/610d3850-c26f-4f20-8d86-f10fdf2425f5\",\"name\":\"610d3850-c26f-4f20-8d86-f10fdf2425f5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let EventNameList = dynamic([\\\"UpdateTrail\\\",\\\"DeleteTrail\\\",\\\"StopLogging\\\",\\\"DeleteFlowLogs\\\",\\\"DeleteEventBus\\\"]);\\nAWSCloudTrail\\n| where EventName in~ (EventNameList)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, \\nUserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion, EventSource\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Changes made to AWS CloudTrail logs\",\"description\":\"Attackers often try to hide their steps by deleting or stopping the collection of logs that could show their activity. \\nThis alert identifies any manipulation of AWS CloudTrail, Cloudwatch/EventBridge or VPC Flow logs.\\nMore Information: AWS CloudTrail API: https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_Operations.html\\nAWS Cloudwatch/Eventbridge API: https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_Operations.html\\nAWS DelteteFlowLogs API : https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteFlowLogs.html \",\"lastUpdatedDateUTC\":\"2022-01-11T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3fbc20a4-04c4-464e-8fcb-6667f53e4987\",\"name\":\"3fbc20a4-04c4-464e-8fcb-6667f53e4987\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let failureCountThreshold = 5;\\nlet successCountThreshold = 1;\\nlet authenticationWindow = 20m;\\nSigninLogs\\n| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\\n| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\n| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city)\\n| where AppDisplayName =~ \\\"Windows Sign In\\\"\\n// Split out failure versus non-failure types\\n| extend FailureOrSuccess = iff(ResultType in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\", \\\"70043\\\", \\\"70044\\\"), \\\"Success\\\", \\\"Failure\\\")\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), IPAddress = makeset(IPAddress), makeset(OS), makeset(Browser), makeset(City), \\nmakeset(ResultType), FailureCount = countif(FailureOrSuccess==\\\"Failure\\\"), SuccessCount = countif(FailureOrSuccess==\\\"Success\\\") \\nby bin(TimeGenerated, authenticationWindow), UserDisplayName, UserPrincipalName, AppDisplayName\\n| where FailureCount \u003e= failureCountThreshold and SuccessCount \u003e= successCountThreshold\\n| mvexpand IPAddress\\n| extend IPAddress = tostring(IPAddress)\\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Brute force attack against a Cloud PC\",\"description\":\"Identifies evidence of brute force activity against a Windows 365 Cloud PC by highlighting multiple authentication failures and by a successful authentication within a given time window.\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2021-10-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/173f8699-6af5-484a-8b06-8c47ba89b380\",\"name\":\"173f8699-6af5-484a-8b06-8c47ba89b380\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"// Adjust this value to change how many Teams should be deleted before including\\nlet max_delete_count = 3;\\n// Adjust this value to change the timewindow the query runs over\\n OfficeActivity\\n| where OfficeWorkload =~ \\\"MicrosoftTeams\\\" \\n| where Operation =~ \\\"TeamDeleted\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), DeletedTeams = make_set(TeamName) by UserId\\n| where array_length(DeletedTeams) \u003e max_delete_count\\n| extend timestamp = StartTime, AccountCustomEntity = UserId\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Multiple Teams deleted by a single user\",\"description\":\"This detection flags the occurrences of deleting multiple teams within an hour.\\nThis data is a part of Office 365 Connector in Microsoft Sentinel.\",\"lastUpdatedDateUTC\":\"2021-11-10T00:00:00Z\",\"createdDateUTC\":\"2020-09-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity (Teams)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9f9c1e51-4fb1-4510-a675-c7c2fb32f47e\",\"name\":\"9f9c1e51-4fb1-4510-a675-c7c2fb32f47e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let knotweed_sigs = dynamic([\\\"JumplumpDropper\\\", \\\"Jumplump\\\", \\\"Corelump\\\", \\\"Medcerc\\\", \\\"SuspModuleLoad\\\", \\\"Mexlib\\\"]);\\n let mde_data = (DeviceInfo\\n | extend DeviceName = tolower(DeviceName)\\n | join kind=rightouter ( SecurityAlert\\n | where ProviderName =~ \\\"MDATP\\\"\\n | extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n | extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)\\n | where ThreatFamilyName in~ (knotweed_sigs)\\n | extend CompromisedEntity = tolower(CompromisedEntity)\\n ) on $left.DeviceName == $right.CompromisedEntity);\\n let event_data = ( Event\\n | where EventID in (1006, 1009, 1116, 1119)\\n | extend ThreatData = parse_json(tostring(parse_json(tostring(parse_json(tostring(parse_xml(EventData).DataItem)).EventData)).Data))\\n | mv-expand ThreatData\\n | where tostring(ThreatData.[\\\"@Name\\\"]) == \\\"Threat Name\\\"\\n | extend EventData = parse_xml(EventData)\\n | where tostring(ThreatData.[\\\"#text\\\"]) has_any (knotweed_sigs));\\n union mde_data, event_data\\n | extend ThreatName = iif(isnotempty(ThreatName), ThreatName, tostring(ThreatData.[\\\"#text\\\"]))\\n | extend ThreatFamilyName = iif(isnotempty(ThreatFamilyName), ThreatFamilyName, split(tostring(ThreatData.[\\\"#text\\\"]), \\\"/\\\")[-1])\\n | extend TimeGenerated = iif(isnotempty(TimeGenerated), TimeGenerated, TimeGenerated1)\\n | extend DeviceName = iif(isnotempty(DeviceName), DeviceName, Computer)\\n | project-reorder TimeGenerated, CompromisedEntity, ThreatName, ThreatFamilyName\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"DeviceName\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"KNOTWEED AV Detection\",\"description\":\"This query looks for Microsoft Defender AV detections related to the KNOTWEED threat actor and the Corelump and Jumplump malware.\\n Ref: https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/\",\"lastUpdatedDateUTC\":\"2022-07-27T00:00:00Z\",\"createdDateUTC\":\"2022-07-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceInfo\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5f171045-88ab-4634-baae-a7b6509f483b\",\"name\":\"5f171045-88ab-4634-baae-a7b6509f483b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let Dev0530_threats = dynamic([\\\"Trojan:Win32/SiennaPurple.A\\\", \\\"Ransom:Win32/SiennaBlue.A\\\", \\\"Ransom:Win32/SiennaBlue.B\\\"]);\\nDeviceInfo\\n| extend DeviceName = tolower(DeviceName)\\n| join kind=inner ( SecurityAlert\\n| where ProviderName == \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)\\n| where ThreatName in~ (Dev0530_threats) or ThreatFamilyName in~ (Dev0530_threats)\\n| extend CompromisedEntity = tolower(CompromisedEntity)\\n) on $left.DeviceName == $right.CompromisedEntity\\n| summarize by DisplayName, ThreatName, ThreatFamilyName, PublicIP, AlertSeverity, Description, tostring(LoggedOnUsers), DeviceId, TenantId , bin(TimeGenerated, 1d), CompromisedEntity, tostring(LoggedOnUsers), ProductName, Entities\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CompromisedEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"PublicIP\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"AV detections related to Dev-0530 actors\",\"description\":\"This query looks for Microsoft Defender AV detections related to Dev-0530 actors. In Microsoft Sentinel the SecurityAlerts table includes only the Device Name of the affected device, \\n this query joins the DeviceInfo table to clearly connect other information such as Device group, ip, logged on users etc. This would allow the Microsoft Sentinel analyst to have more context related to the alert, if available.\",\"lastUpdatedDateUTC\":\"2022-07-14T00:00:00Z\",\"createdDateUTC\":\"2022-04-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fbfbf530-506b-49a4-81ad-4030885a195c\",\"name\":\"fbfbf530-506b-49a4-81ad-4030885a195c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let alertTimeWindow = 1h;\\nlet logTimeWindow = 7d;\\n// Define script extensions that suit your web application environment - a sample are provided below\\nlet scriptExtensions = dynamic([\\\".php\\\", \\\".jsp\\\", \\\".js\\\", \\\".aspx\\\", \\\".asmx\\\", \\\".asax\\\", \\\".cfm\\\", \\\".shtml\\\"]); \\nlet alertData = materialize(SecurityAlert \\n| where TimeGenerated \u003e ago(alertTimeWindow) \\n| where ProviderName == \\\"MDATP\\\" \\n// Parse and expand the alert JSON \\n| extend alertData = parse_json(Entities) \\n| mvexpand alertData);\\nlet fileData = alertData\\n// Extract web script files from MDATP alerts - our malicious web scripts - candidate webshells\\n| where alertData.Type =~ \\\"file\\\" \\n| where alertData.Name has_any(scriptExtensions) \\n| extend FileName = tostring(alertData.Name), Directory = tostring(alertData.Directory);\\nlet hostData = alertData\\n// Extract server details from alerts and map to alert id\\n| where alertData.Type =~ \\\"host\\\"\\n| project HostName = tostring(alertData.HostName), DnsDomain = tostring(alertData.DnsDomain), SystemAlertId\\n| distinct HostName, DnsDomain, SystemAlertId;\\n// Join the files on their impacted servers\\nlet webshellData = fileData\\n| join kind=inner (hostData) on SystemAlertId \\n| project TimeGenerated, FileName, Directory, HostName, DnsDomain;\\nwebshellData\\n| join ( \\n// Find requests that were made to this file on the impacted server in the W3CIISLog table \\nW3CIISLog \\n| where TimeGenerated \u003e ago(logTimeWindow) \\n// Restrict to accesses to script extensions \\n| where csUriStem has_any(scriptExtensions)\\n| extend splitUriStem = split(csUriStem, \\\"/\\\") \\n| extend FileName = splitUriStem[-1], HostName = sComputerName\\n// Summarize potential attacker activity\\n| summarize count(), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), RequestUserAgents=make_set(csUserAgent), ReqestMethods=make_set(csMethod), RequestStatusCodes=make_set(scStatus), RequestCookies=make_set(csCookie), RequestReferers=make_set(csReferer), RequestQueryStrings=make_set(csUriQuery) by AttackerIP=cIP, SiteName=sSiteName, ShellLocation=csUriStem, tostring(FileName), HostName \\n) on FileName, HostName\\n| project StartTime, EndTime, AttackerIP, RequestUserAgents, HostName, SiteName, ShellLocation, ReqestMethods, RequestStatusCodes, RequestCookies, RequestReferers, RequestQueryStrings, RequestCount = count_\\n// Expose the attacker ip address as a custom entity\\n| extend timestamp=StartTime, IPCustomEntity = AttackerIP, HostCustomEntity = HostName\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Malicious web application requests linked with Microsoft Defender for Endpoint (formerly Microsoft Defender ATP) alerts\",\"description\":\"Takes Microsoft Defender for Endpoint (formerly Microsoft Defender ATP) alerts where web scripts are present in the evidence and correlates with requests made to those scripts\\nin the WCSIISLog to surface new alerts for potentially malicious web request activity.\\nThe lookback for alerts is set to 1h and the lookback for W3CIISLogs is set to 7d. A sample set of popular web script extensions\\nhas been provided in scriptExtensions that should be tailored to your environment.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-05-21T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftDefenderAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5f0d80db-3415-4265-9d52-8466b7372e3a\",\"name\":\"5f0d80db-3415-4265-9d52-8466b7372e3a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"AzureDevOpsAuditing\\n| where AuthenticationMechanism startswith \\\"PAT\\\"\\n// Look for useragents that include a redenring engine\\n| where UserAgent has_any (\\\"Gecko\\\", \\\"WebKit\\\", \\\"Presto\\\", \\\"Trident\\\", \\\"EdgeHTML\\\", \\\"Blink\\\")\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Azure DevOps PAT used with Browser.\",\"description\":\"Personal Access Tokens (PATs) are used as an alternate password to authenticate into Azure DevOps. PATs are intended for programmatic access use in code or applications. \\nThis can be prone to attacker theft if not adequately secured. This query looks for the use of a PAT in authentication but from a User Agent indicating a browser. \\nThis should not be normal activity and could be an indicator of an attacker using a stolen PAT.\",\"lastUpdatedDateUTC\":\"2022-01-16T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/86a036b2-3686-42eb-b417-909fc0867771\",\"name\":\"86a036b2-3686-42eb-b417-909fc0867771\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AzureActivity\\n| where CategoryValue == \u0027Administrative\u0027\\n| where ResourceProviderValue =~ \u0027Microsoft.ADHybridHealthService\u0027\\n| where _ResourceId contains \u0027AdFederationService\u0027\\n| where OperationNameValue =~ \u0027Microsoft.ADHybridHealthService/services/delete\u0027\\n| extend claimsJson = parse_json(Claims)\\n| extend AppId = tostring(claimsJson.appid)\\n| extend AccountName = tostring(claimsJson.name)\\n| project-away claimsJson\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure Active Directory Hybrid Health AD FS Service Delete\",\"description\":\"This detection uses AzureActivity logs (Administrative category) to identify the deletion of an Azure AD Hybrid health AD FS service instance in a tenant.\\nA threat actor can create a new AD Health ADFS service and create a fake server to spoof AD FS signing logs.\\nThe health AD FS service can then be deleted after it is not longer needed via HTTP requests to Azure.\\nMore information in this blog https://o365blog.com/post/hybridhealthagent/\",\"lastUpdatedDateUTC\":\"2022-01-17T00:00:00Z\",\"createdDateUTC\":\"2021-08-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b2c15736-b9eb-4dae-8b02-3016b6a45a32\",\"name\":\"b2c15736-b9eb-4dae-8b02-3016b6a45a32\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\n// The number of operations below which an IP address is considered an unusual source of role assignment operations\\nlet alertOperationThreshold = 5;\\nlet createRoleAssignmentActivity = AzureActivity\\n| where OperationNameValue =~ \\\"microsoft.authorization/roleassignments/write\\\";\\ncreateRoleAssignmentActivity \\n| where TimeGenerated between (ago(starttime) .. ago(endtime))\\n| summarize count() by CallerIpAddress, Caller\\n| where count_ \u003e= alertOperationThreshold\\n| join kind = rightanti ( \\ncreateRoleAssignmentActivity\\n| where TimeGenerated \u003e ago(endtime)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = make_set(TimeGenerated), ActivityStatusValue = make_set(ActivityStatusValue), \\nOperationIds = make_set(OperationId), CorrelationId = make_set(CorrelationId), ActivityCountByCallerIPAddress = count() \\nby ResourceId, CallerIpAddress, Caller, OperationNameValue, Resource, ResourceGroup\\n) on CallerIpAddress, Caller\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Suspicious granting of permissions to an account\",\"description\":\"Identifies IPs from which users grant access to other users on azure resources and alerts when a previously unseen source IP address is used.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2019-02-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9fb57e58-3ed8-4b89-afcf-c8e786508b1c\",\"name\":\"9fb57e58-3ed8-4b89-afcf-c8e786508b1c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let szOperationNames = dynamic([\\\"Microsoft.Compute/virtualMachines/write\\\", \\\"Microsoft.Resources/deployments/write\\\"]);\\nlet starttime = 14d;\\nlet endtime = 1d;\\nlet RareCaller = AzureActivity\\n| where TimeGenerated between (ago(starttime) .. ago(endtime))\\n| where OperationNameValue in~ (szOperationNames)\\n| project ResourceGroup, Caller, OperationNameValue, CallerIpAddress\\n| join kind=rightantisemi (\\nAzureActivity\\n| where TimeGenerated \u003e ago(endtime)\\n| where OperationNameValue in~ (szOperationNames)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityStatusValue = makeset(ActivityStatusValue), OperationIds = makeset(OperationId), CallerIpAddress = makeset(CallerIpAddress) \\nby ResourceId, Caller, OperationNameValue, Resource, ResourceGroup\\n) on Caller, ResourceGroup \\n| mvexpand CallerIpAddress\\n| where isnotempty(CallerIpAddress);\\nlet Counts = RareCaller | summarize ActivityCountByCaller = count() by Caller;\\nRareCaller | join kind= inner (Counts) on Caller | project-away Caller1\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = tostring(CallerIpAddress)\\n| sort by ActivityCountByCaller desc nulls last\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Suspicious Resource deployment\",\"description\":\"Identifies when a rare Resource and ResourceGroup deployment occurs by a previously unseen Caller.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4902eddb-34f7-44a8-ac94-8486366e9494\",\"name\":\"4902eddb-34f7-44a8-ac94-8486366e9494\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.0\",\"severity\":\"Medium\",\"query\":\"let threshold = 5000;\\n_Im_NetworkSession(eventresult=\u0027Failure\u0027)\\n| summarize Count=count() by SrcIpAddr, bin(TimeGenerated,5m)\\n| where Count \u003e threshold\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr\",\"customDetails\":{\"NumberOfDenies\":\"Count\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Excessive number of failed connections from {{SrcIpAddr}}\",\"alertDescriptionFormat\":\"The client at address {{SrcIpAddr}} generated more than {{threshold}} failures over a 5 minutes time window, which may indicate malicious activity.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"Impact\"],\"displayName\":\"Excessive number of failed connections from a single source (ASIM Network Session schema)\",\"description\":\"This rule identifies that a single source generates an excessive amount of failed connections. Modify the threshold to change the sensitivity of the rule: the higher the threshold, the less sensitive is the rule and less incidents will be generated.\u003cbr\u003e\u003cbr\u003e\\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema\",\"lastUpdatedDateUTC\":\"2022-04-10T00:00:00Z\",\"createdDateUTC\":\"2021-12-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f7c3f5c8-71ea-49ff-b8b3-148f0e346291\",\"name\":\"f7c3f5c8-71ea-49ff-b8b3-148f0e346291\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let known_locations = (SigninLogs\\n | where TimeGenerated between(ago(7d)..ago(1d))\\n | where ResultType == 0\\n | extend LocationDetail = strcat(Location, \\\"-\\\", LocationDetails.state)\\n | summarize by LocationDetail);\\n let known_asn = (SigninLogs\\n | where TimeGenerated between(ago(7d)..ago(1d))\\n | where ResultType == 0\\n | summarize by AutonomousSystemNumber);\\n SigninLogs\\n | where TimeGenerated \u003e ago(1d)\\n | where ResultType == 0\\n | where isempty(DeviceDetail.deviceId)\\n | where AuthenticationRequirement == \\\"singleFactorAuthentication\\\"\\n | extend LocationDetail = strcat(Location, \\\"-\\\", LocationDetails.state)\\n | where AutonomousSystemNumber !in (known_asn) and LocationDetail !in (known_locations)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"UserPrincipalName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Anomolous Single Factor Signin\",\"description\":\"Detects successful signins using single factor authentication where the device, location, and ASN are abnormal.\\n Single factor authentications pose an opportunity to access compromised accounts, investigate these for anomalous occurrencess.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-devices#non-compliant-device-sign-in\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1572e66b-20a7-4012-9ec4-77ec4b101bc8\",\"name\":\"1572e66b-20a7-4012-9ec4-77ec4b101bc8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let starttime = 1d;\\nlet endtime = 1h;\\nlet prev23hThreshold = 4;\\nlet prev1hThreshold = 15;\\nlet Kerbevent = (union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e= ago(starttime)\\n| where EventID == 4769\\n| parse EventData with * \u0027TicketEncryptionType\\\"\u003e\u0027 TicketEncryptionType \\\"\u003c\\\" *\\n| where TicketEncryptionType == \u00270x17\u0027\\n| parse EventData with * \u0027TicketOptions\\\"\u003e\u0027 TicketOptions \\\"\u003c\\\" *\\n| where TicketOptions == \u00270x40810000\u0027\\n| parse EventData with * \u0027Status\\\"\u003e\u0027 Status \\\"\u003c\\\" *\\n| where Status == \u00270x0\u0027\\n| parse EventData with * \u0027ServiceName\\\"\u003e\u0027 ServiceName \\\"\u003c\\\" *\\n| where ServiceName !contains \\\"$\\\" and ServiceName !contains \\\"krbtgt\\\" \\n| parse EventData with * \u0027TargetUserName\\\"\u003e\u0027 TargetUserName \\\"\u003c\\\" *\\n| where TargetUserName !contains \\\"$@\\\" and TargetUserName !contains ServiceName\\n| parse EventData with * \u0027IpAddress\\\"\u003e::ffff:\u0027 ClientIPAddress \\\"\u003c\\\" *\\n),\\n(\\nWindowsEvent\\n| where TimeGenerated \u003e= ago(starttime)\\n| where EventID == 4769 and EventData has \u00270x17\u0027 and EventData has \u00270x40810000\u0027 and EventData has \u0027krbtgt\u0027\\n| extend TicketEncryptionType = tostring(EventData.TicketEncryptionType)\\n| where TicketEncryptionType == \u00270x17\u0027\\n| extend TicketOptions = tostring(EventData.TicketOptions)\\n| where TicketOptions == \u00270x40810000\u0027\\n| extend Status = tostring(EventData.Status)\\n| where Status == \u00270x0\u0027\\n| extend ServiceName = tostring(EventData.ServiceName)\\n| where ServiceName !contains \\\"$\\\" and ServiceName !contains \\\"krbtgt\\\"\\n| extend TargetUserName = tostring(EventData.TargetUserName) \\n| where TargetUserName !contains \\\"$@\\\" and TargetUserName !contains ServiceName\\n| extend ClientIPAddress = tostring(EventData.IpAddress) \\n));\\nlet Kerbevent23h = Kerbevent\\n| where TimeGenerated \u003e= ago(starttime) and TimeGenerated \u003c ago(endtime)\\n| summarize ServiceNameCountPrev23h = dcount(ServiceName), ServiceNameSet23h = makeset(ServiceName) \\nby Computer, TargetUserName,TargetDomainName, ClientIPAddress, TicketOptions, TicketEncryptionType, Status\\n| where ServiceNameCountPrev23h \u003c prev23hThreshold;\\nlet Kerbevent1h = \\nKerbevent\\n| where TimeGenerated \u003e= ago(endtime)\\n| summarize min(TimeGenerated), max(TimeGenerated), ServiceNameCountPrev1h = dcount(ServiceName), ServiceNameSet1h = makeset(ServiceName) \\nby Computer, TargetUserName,TargetDomainName, ClientIPAddress, TicketOptions, TicketEncryptionType, Status;\\nKerbevent1h \\n| join kind=leftanti\\n(\\nKerbevent23h\\n) on TargetUserName, TargetDomainName\\n// Threshold value set above is based on testing, this value may need to be changed for your environment.\\n| where ServiceNameCountPrev1h \u003e prev1hThreshold\\n| project StartTimeUtc = min_TimeGenerated, EndTimeUtc = max_TimeGenerated, TargetUserName, Computer, ClientIPAddress, TicketOptions, \\nTicketEncryptionType, Status, ServiceNameCountPrev1h, ServiceNameSet1h, TargetDomainName\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = strcat(TargetDomainName,\\\"\\\\\\\\\\\", TargetUserName), HostCustomEntity = Computer, IPCustomEntity = ClientIPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Potential Kerberoasting\",\"description\":\"A service principal name (SPN) is used to uniquely identify a service instance in a Windows environment. \\nEach SPN is usually associated with a service account. Organizations may have used service accounts with weak passwords in their environment. \\nAn attacker can try requesting Kerberos ticket-granting service (TGS) service tickets for any SPN from a domain controller (DC) which contains \\na hash of the Service account. This can then be used for offline cracking. This hunting query looks for accounts that are generating excessive \\nrequests to different resources within the last hour compared with the previous 24 hours. Normal users would not make an unusually large number \\nof request within a small time window. This is based on 4769 events which can be very noisy so environment based tweaking might be needed.\",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2019-04-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/508cef41-2cd8-4d40-a519-b04826a9085f\",\"name\":\"508cef41-2cd8-4d40-a519-b04826a9085f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n| where EventID == 1102 and EventSourceName == \\\"Microsoft-Windows-Eventlog\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), EventCount = count() by Computer, Account, EventID, Activity\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"NRT Security Event log cleared\",\"description\":\"Checks for event id 1102 which indicates the security event log was cleared.\\nIt uses Event Source Name \\\"Microsoft-Windows-Eventlog\\\" to avoid generating false positives from other sources, like AD FS servers for instance.\",\"lastUpdatedDateUTC\":\"2022-02-07T00:00:00Z\",\"createdDateUTC\":\"2019-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3ff0fffb-d963-40c0-b235-3404f915add7\",\"name\":\"3ff0fffb-d963-40c0-b235-3404f915add7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"GitHubAudit\\n| where Action == \\\"org.disable_two_factor_requirement\\\"\\n| project TimeGenerated, Action, Actor, Country, IPaddress, Repository\\n| extend AccountCustomEntity = Actor, IPCustomEntity = IPaddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"GitHub Two Factor Auth Disable\",\"description\":\"Two-factor authentication is a process where a user is prompted during the sign-in process for an additional form of identification, such as to enter a code on their cellphone or to provide a fingerprint scan. Two factor authentication reduces the risk of account takeover. Attacker will want to disable such security tools in order to go undetected. \",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ce02935c-cc67-4b77-9b96-93d9947e119a\",\"name\":\"ce02935c-cc67-4b77-9b96-93d9947e119a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"acrobatrelay.com\\\", \\\"finconsult.cc\\\", \\\"realmetaldns.com\\\"]); \\n(union isfuzzy=true \\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where DNSName in~ (DomainNames) \\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = DestinationIP \\n), \\n(_Im_Dns (domain_has_any=DomainNames)\\n| extend DNSName = DnsQuery \\n| extend IPAddress = SrcIpAddr, Computer = Dvc\\n), \\n(_Im_WebSession (url_has_any=DomainNames)\\n| extend DNSName = tostring(parse_url(Url)[\\\"Host\\\"])\\n| extend IPAddress = SrcIpAddr, Computer = Dvc\\n), \\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 * \\n| where isnotempty(DNSName) \\n| where DNSName in~ (DomainNames) \\n| extend IPAddress = RemoteIp \\n), \\n( \\n DeviceNetworkEvents \\n| where isnotempty(RemoteUrl) \\n| where RemoteUrl has_any (DomainNames) \\n| extend IPAddress = RemoteIP \\n| extend Computer = DeviceName \\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPAddress = SourceHost\\n) \\n) \\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"KNOTWEED C2 Domains July 2022\",\"description\":\"This query looks for references to known KNOTWEED Domains in network logs.\\n This query was published July 2022.\\n Ref: https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/\",\"lastUpdatedDateUTC\":\"2022-07-27T00:00:00Z\",\"createdDateUTC\":\"2022-07-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/594c653d-719a-4c23-b028-36e3413e632e\",\"name\":\"594c653d-719a-4c23-b028-36e3413e632e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"GitHubAudit\\n| where Action == \\\"org.disable_two_factor_requirement\\\"\\n| project TimeGenerated, Action, Actor, Country, IPaddress, Repository\\n| extend AccountCustomEntity = Actor, IPCustomEntity = IPaddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"NRT GitHub Two Factor Auth Disable\",\"description\":\"Two-factor authentication is a process where a user is prompted during the sign-in process for an additional form of identification, such as to enter a code on their cellphone or to provide a fingerprint scan. Two factor authentication reduces the risk of account takeover. Attacker will want to disable such security tools in order to go undetected. \",\"lastUpdatedDateUTC\":\"2022-05-22T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/50cbf34a-4cdd-45d7-b3f5-8b53a1d0d14f\",\"name\":\"50cbf34a-4cdd-45d7-b3f5-8b53a1d0d14f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"Event\\n| where EventLog == \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID==1\\n| parse EventData with * \u0027CommandLine\\\"\u003e\u0027 CommandLine \\\"\u003c\\\" * \u0027ParentCommandLine\\\"\u003e\u0027 ParentCommandLine \\\"\u003c\\\" *\\n| where ParentCommandLine == \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe -k DcomLaunch\\\" and CommandLine == \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\mmc.exe -Embedding\\\"\\n| parse EventData with * \u0027ProcessGuid\\\"\u003e\u0027 ProcessGuid \\\"\u003c\\\" * \u0027Image\\\"\u003e\u0027 Image \\\"\u003c\\\" * \u0027Description\\\"\u003e\u0027 Description \\\"\u003c\\\" * \u0027CurrentDirectory\\\"\u003e\u0027 CurrentDirectory \\\"\u003c\\\" * \u0027User\\\"\u003e\u0027 User \\\"\u003c\\\" * \u0027LogonGuid\\\"\u003e\u0027 LogonGuid \\\"\u003c\\\" * \u0027ParentProcessGuid\\\"\u003e\u0027 ParentProcessGuid \\\"\u003c\\\" * \u0027ParentImage\\\"\u003e\u0027 ParentImage \\\"\u003c\\\" * \u0027ParentCommandLine\\\"\u003e\u0027 ParentCommandLine \\\"\u003c\\\" * \u0027ParentUser\\\"\u003e\u0027 ParentUser \\\"\u003c\\\" *\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, User, ParentImage, ParentProcessGuid, ParentCommandLine, ParentUser, Image, ProcessGuid, CommandLine, Description\",\"entityMappings\":[{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLine\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"User\"}]}],\"tactics\":[\"LateralMovement\"],\"displayName\":\"Lateral Movement via DCOM\",\"description\":\"This query detects a fairly uncommon attack technique using the Windows Distributed Component Object Model (DCOM) to make a remote execution call to another computer system and gain lateral movement throughout the network.\\nRef: http://thenegative.zone/incident%20response/2017/02/04/MMC20.Application-Lateral-Movement-Analysis.html\",\"lastUpdatedDateUTC\":\"2022-03-11T00:00:00Z\",\"createdDateUTC\":\"2022-03-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b1832f60-6c3d-4722-a0a5-3d564ee61a63\",\"name\":\"b1832f60-6c3d-4722-a0a5-3d564ee61a63\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let HAS_ANY_MAX = 10000;\\nlet dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation\\nlet DOMAIN_TI=ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(DomainName);\\nlet DOMAIN_TI_list= todynamic(toscalar(DOMAIN_TI | summarize NIoCs = dcount(DomainName), Domains = make_set(DomainName) \\n | project Domains=iff(NIoCs \u003e HAS_ANY_MAX, dynamic([]), Domains) ));\\nDOMAIN_TI\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n _Im_WebSession(starttime=ago(dt_lookBack), url_has_any= DOMAIN_TI_list )\\n //Extract domain patterns from syslog message\\n | extend domain = tostring(parse_url(Url)[\\\"Host\\\"])\\n | where isnotempty(domain)\\n | extend tld = tostring(split(domain, \u0027.\u0027)[-1])\\n | extend Event_TimeGenerated = TimeGenerated\\n) on $left.DomainName==$right.domain\\n| where Event_TimeGenerated \u003c ExpirationDateTime\\n| summarize Event_TimeGenerated = arg_max(Event_TimeGenerated , *) by IndicatorId, domain\\n| project Event_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, domain, SrcIpAddr, Url\",\"customDetails\":{\"EventTime\":\"Event_TimeGenerated\",\"IoCDescription\":\"Description\",\"ActivityGroupNames\":\"ActivityGroupNames\",\"IndicatorId\":\"IndicatorId\",\"ThreatType\":\"ThreatType\",\"IoCExpirationTime\":\"ExpirationDateTime\",\"IoCConfidenceScore\":\"ConfidenceScore\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"A web request from {{SrcIpAddr}} to hostname {{domain}} matched an IoC\",\"alertDescriptionFormat\":\"A client with address {{SrcIpAddr}} requested the URL {{Url}}, whose hostname is a known indicator of compromise of {{ThreatType}}. Consult the threat intelligence blead for more information on the indicator.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"Impact\"],\"displayName\":\"(Preview) TI map Domain entity to Web Session Events (ASIM Web Session schema)\",\"description\":\"This rule identifies Web Sessions for which the target URL hostname is a known IoC. \u003cbr\u003e\u003cbr\u003eThis rule uses the [Advanced Security Information Model (ASIM)](https://aka.ms/AboutSIM) and supports any web session source that complies with ASIM.\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2022-03-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/643c2025-9604-47c5-833f-7b4b9378a1f5\",\"name\":\"643c2025-9604-47c5-833f-7b4b9378a1f5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"//Adjust this threshold to fit your environment\\nlet signin_threshold = 5; \\n//Make a list of IPs with AAD signin failures above our threshold\\nlet aadFunc = (tableName:string){\\nlet Suspicious_signins = \\ntable(tableName)\\n| where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n| where IPAddress !in (\\\"127.0.0.1\\\", \\\"::1\\\")\\n| summarize count() by IPAddress\\n| where count_ \u003e signin_threshold\\n| summarize make_set(IPAddress);\\nSuspicious_signins\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nlet Suspicious_signins = \\nunion isfuzzy=true aadSignin, aadNonInt\\n| summarize make_set(set_IPAddress);\\n//See if any of those IPs have sucessfully logged into the AWS console\\nAWSCloudTrail\\n| where EventName =~ \\\"ConsoleLogin\\\"\\n| extend LoginResult = tostring(parse_json(ResponseElements).ConsoleLogin) \\n| where LoginResult =~ \\\"Success\\\"\\n| where SourceIpAddress in (Suspicious_signins)\\n| extend Reason = \\\"Multiple failed AAD logins from IP address\\\"\\n| extend MFAUsed = tostring(parse_json(AdditionalEventData).MFAUsed)\\n| extend User = iif(isempty(UserIdentityUserName), UserIdentityType, UserIdentityUserName) \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by Reason, LoginResult, EventTypeName, UserIdentityType, User, AWSRegion, SourceIpAddress, UserAgent, MFAUsed\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User, IPCustomEntity = SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"Failed AzureAD logons but success logon to AWS Console\",\"description\":\"Identifies a list of IP addresses with a minimum number(defualt of 5) of failed logon attempts to Azure Active Directory.\\nUses that list to identify any successful AWS Console logons from these IPs within the same timeframe.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7d6d8a8e-b08a-4082-8dbb-d7fd2cbbc35e\",\"name\":\"7d6d8a8e-b08a-4082-8dbb-d7fd2cbbc35e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"High\",\"query\":\"let scriptExtensions = dynamic([\\\".php\\\", \\\".jsp\\\", \\\".js\\\", \\\".aspx\\\", \\\".asmx\\\", \\\".asax\\\", \\\".cfm\\\", \\\".shtml\\\"]);\\nunion isfuzzy=true\\n(SecurityEvent\\n| where EventID == 4663\\n| where Process has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| where ObjectName has_any (scriptExtensions)\\n| where AccessMask in (\u00270x2\u0027,\u00270x100\u0027, \u00270x10\u0027, \u00270x4\u0027)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress\\n),\\n (WindowsEvent\\n| where EventID == 4663 and EventData has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\") and EventData has_any (scriptExtensions) \\n| where EventData has_any (\u00270x2\u0027,\u00270x100\u0027, \u00270x10\u0027, \u00270x4\u0027)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where Process has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| extend ObjectName = tostring(EventData.ObjectName)\\n| where ObjectName has_any (scriptExtensions)\\n| extend AccessMask = tostring(EventData.AccessMask)\\n| where AccessMask in (\u00270x2\u0027,\u00270x100\u0027, \u00270x10\u0027, \u00270x4\u0027)\\n| extend Account = strcat(EventData.SubjectDomainName,\\\"\\\\\\\\\\\", EventData.SubjectUserName)\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress\\n),\\n(imFileEvent\\n| where EventType == \\\"FileCreated\\\"\\n| where ActingProcessName has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n and\\n TargetFileName has_any (scriptExtensions)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUsername, HostCustomEntity = DvcHostname\\n),\\n(DeviceFileEvents\\n| where ActionType =~ \\\"FileCreated\\\"\\n| where InitiatingProcessFileName has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| where FileName has_any(scriptExtensions)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountUpn, HostCustomEntity = DeviceName, IPCustomEntity = RequestSourceIP)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingProcessAccountUpn\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DeviceName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"HAFNIUM UM Service writing suspicious file\",\"description\":\"This query looks for the Exchange server UM process writing suspicious files that may be indicative of webshells.\\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-03-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d714ef62-1a56-4779-804f-91c4158e528d\",\"name\":\"d714ef62-1a56-4779-804f-91c4158e528d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let ImagesList = dynamic ([\\\"sethc.exe\\\",\\\"utilman.exe\\\",\\\"osk.exe\\\",\\\"Magnify.exe\\\",\\\"Narrator.exe\\\",\\\"DisplaySwitch.exe\\\",\\\"AtBroker.exe\\\"]); \\nlet OriginalFileNameList = dynamic ([\\\"sethc.exe\\\",\\\"utilman.exe\\\",\\\"osk.exe\\\",\\\"Magnify.exe\\\",\\\"Narrator.exe\\\",\\\"DisplaySwitch.exe\\\",\\\"AtBroker.exe\\\",\\\"SR.exe\\\",\\\"utilman2.exe\\\",\\\"ScreenMagnifier.exe\\\"]); \\nEvent\\n| where EventLog == \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID==1\\n| parse EventData with * \u0027Image\\\"\u003e\u0027 Image \\\"\u003c\\\" * \u0027OriginalFileName\\\"\u003e\u0027 OriginalFileName \\\"\u003c\\\" *\\n| where Image has_any (ImagesList) and not (OriginalFileName has_any (OriginalFileNameList))\\n| parse EventData with * \u0027ProcessGuid\\\"\u003e\u0027 ProcessGuid \\\"\u003c\\\" * \u0027Description\\\"\u003e\u0027 Description \\\"\u003c\\\" * \u0027CommandLine\\\"\u003e\u0027 CommandLine \\\"\u003c\\\" * \u0027CurrentDirectory\\\"\u003e\u0027 CurrentDirectory \\\"\u003c\\\" * \u0027User\\\"\u003e\u0027 User \\\"\u003c\\\" * \u0027LogonGuid\\\"\u003e\u0027 LogonGuid \\\"\u003c\\\" * \u0027Hashes\\\"\u003e\u0027 Hashes \\\"\u003c\\\" * \u0027ParentProcessGuid\\\"\u003e\u0027 ParentProcessGuid \\\"\u003c\\\" * \u0027ParentImage\\\"\u003e\u0027 ParentImage \\\"\u003c\\\" * \u0027ParentCommandLine\\\"\u003e\u0027 ParentCommandLine \\\"\u003c\\\" * \u0027ParentUser\\\"\u003e\u0027 ParentUser \\\"\u003c\\\" *\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, User, ParentImage, ParentProcessGuid, ParentCommandLine, ParentUser, Image, ProcessGuid, CommandLine, Description, OriginalFileName, CurrentDirectory, Hashes\",\"entityMappings\":[{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLine\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Modification of Accessibility Features\",\"description\":\"Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Windows contains accessibility features that may be launched with a key combination before a user has logged in (ex: when the user is on the Windows logon screen). An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.\\n Two common accessibility programs are C:\\\\Windows\\\\System32\\\\sethc.exe, launched when the shift key is pressed five times and C:\\\\Windows\\\\System32\\\\utilman.exe, launched when the Windows + U key combination is pressed. The sethc.exe program is often referred to as \\\"sticky keys\\\", and has been used by adversaries for unauthenticated access through a remote desktop login screen. [1]\\nRef: https://attack.mitre.org/techniques/T1546/008/\",\"lastUpdatedDateUTC\":\"2022-03-11T00:00:00Z\",\"createdDateUTC\":\"2022-03-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f8dad4e9-3f19-4d70-ab7f-8f19ccd43a3e\",\"name\":\"f8dad4e9-3f19-4d70-ab7f-8f19ccd43a3e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":1,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let threshold = 1;\\nAzureDiagnostics\\n | where OperationName in (\\\"AzureFirewallApplicationRuleLog\\\",\\\"AzureFirewallNetworkRuleLog\\\")\\n | extend msg_s_replaced0 = replace(@\\\"\\\\s\\\\s\\\",@\\\" \\\",msg_s)\\n | extend msg_s_replaced1 = replace(@\\\"\\\\.\\\\s\\\",@\\\" \\\",msg_s_replaced0)\\n | extend msg_a = split(msg_s_replaced1,\\\" \\\")\\n | extend srcAddr_a = split(msg_a[3],\\\":\\\") , destAddr_a = split(msg_a[5],\\\":\\\")\\n | extend protocol = tostring(msg_a[0]), srcIp = tostring(srcAddr_a[0]), srcPort = tostring(srcAddr_a[1]), destIp = tostring(destAddr_a[0]), destPort = tostring(destAddr_a[1]), action = tostring(msg_a[7])\\n | where action == \\\"Deny\\\"\\n | extend url = iff(destIp matches regex \\\"\\\\\\\\d+\\\\\\\\.\\\\\\\\d+\\\\\\\\.\\\\\\\\d+\\\\\\\\.\\\\\\\\d+\\\",\\\"\\\",destIp)\\n | summarize StartTime = min(TimeGenerated), count() by srcIp, destIp, url, action, protocol\\n | where count_ \u003e= [\\\"threshold\\\"]\\n | extend timestamp = StartTime, URLCustomEntity = url, IPCustomEntity = srcIp\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Discovery\",\"LateralMovement\",\"CommandAndControl\"],\"displayName\":\"Several deny actions registered\",\"description\":\"Identifies attack pattern when attacker tries to move, or scan, from resource to resource on the network and creates an incident when a source has more than 1 registered deny action in Azure Firewall.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2020-10-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b9d2eebc-5dcb-4888-8165-900db44443ab\",\"name\":\"b9d2eebc-5dcb-4888-8165-900db44443ab\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"// Enter a reference list of hostnames for your DC servers\\n//let DCServersList = dynamic ([\\\"DC01.simulandlabs.com\\\",\\\"DC02.simulandlabs.com\\\"]);\\nSecurityEvent\\n//| where Computer in (DCServersList)\\n| where EventID == 4662 and ObjectServer == \u0027DS\u0027\\n| where AccountType != \u0027Machine\u0027\\n| where Properties has \u00271131f6aa-9c07-11d1-f79f-00c04fc2dcd2\u0027 //DS-Replication-Get-Changes\\n or Properties has \u00271131f6ad-9c07-11d1-f79f-00c04fc2dcd2\u0027 //DS-Replication-Get-Changes-All\\n or Properties has \u002789e95b76-444d-4c62-991a-0facbeda640c\u0027 //DS-Replication-Get-Changes-In-Filtered-Set\\n| project TimeGenerated, Account, Activity, Properties, SubjectLogonId, Computer\\n| join kind=leftouter\\n(\\n SecurityEvent\\n //| where Computer in (DCServersList)\\n | where EventID == 4624 and LogonType == 3\\n | where AccountType != \u0027Machine\u0027\\n | project TargetLogonId, IpAddress\\n)\\non $left.SubjectLogonId == $right.TargetLogonId\\n| project-reorder TimeGenerated, Computer, Account, IpAddress\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, SourceAddress = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceAddress\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Non Domain Controller Active Directory Replication\",\"description\":\"This query detects potential attempts by non-computer accounts (non domain controllers) to retrieve/synchronize an active directory object leveraging directory replication services (DRS).\\nA Domain Controller (computer account) would usually be performing these actions in a domain environment. Another detection rule can be created to cover domain controllers accounts doing at rare times.\\nA domain user with privileged permissions to use directory replication services is rare. Ref: https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-180815210510.html\",\"lastUpdatedDateUTC\":\"2021-11-08T00:00:00Z\",\"createdDateUTC\":\"2021-05-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/75297f62-10a8-4fc1-9b2a-12f25c6f05a7\",\"name\":\"75297f62-10a8-4fc1-9b2a-12f25c6f05a7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let domain_lookBack= 14d;\\nlet timeframe = 1d;\\nlet top_million_list = Cisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(domain_lookBack) and TimeGenerated \u003c ago(timeframe)\\n| extend Hostname = parse_url(UrlOriginal)[\\\"Host\\\"]\\n| summarize count() by tostring(Hostname)\\n| top 1000000 by count_\\n| summarize make_list(Hostname);\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(timeframe)\\n| extend Hostname = parse_url(UrlOriginal)[\\\"Host\\\"]\\n| where Hostname !in (top_million_list)\\n| extend Message = \\\"Connect to unpopular website (possible malicious payload delivery)\\\"\\n| project Message, SrcIpAddr, DstIpAddr,UrlOriginal, TimeGenerated\\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - Connection to Unpopular Website Detected\",\"description\":\"Detects first connection to an unpopular website (possible malicious payload delivery).\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/89a86f70-615f-4a79-9621-6f68c50f365f\",\"name\":\"89a86f70-615f-4a79-9621-6f68c50f365f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let starttime = 7d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet HistThreshold = 25; \\nlet CurrThreshold = 10; \\nlet HistoricalThreats = CommonSecurityLog\\n| where isnotempty(SourceIP)\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where DeviceVendor =~ \\\"Palo Alto Networks\\\"\\n| where Activity =~ \\\"THREAT\\\" and SimplifiedDeviceAction =~ \\\"alert\\\" \\n| where DeviceEventClassID in (\u0027spyware\u0027, \u0027scan\u0027, \u0027file\u0027, \u0027vulnerability\u0027, \u0027flood\u0027, \u0027packet\u0027, \u0027virus\u0027,\u0027wildfire\u0027, \u0027wildfire-virus\u0027)\\n| summarize TotalEvents = count(), ThreatTypes = make_set(DeviceEventClassID), DestinationIpList = make_set(DestinationIP), FirstSeen = min(TimeGenerated) , LastSeen = max(TimeGenerated) by SourceIP, DeviceAction, DeviceVendor;\\nlet CurrentHourThreats = CommonSecurityLog\\n| where isnotempty(SourceIP)\\n| where TimeGenerated \u003e ago(timeframe)\\n| where DeviceVendor =~ \\\"Palo Alto Networks\\\"\\n| where Activity =~ \\\"THREAT\\\" and SimplifiedDeviceAction =~ \\\"alert\\\" \\n| where DeviceEventClassID in (\u0027spyware\u0027, \u0027scan\u0027, \u0027file\u0027, \u0027vulnerability\u0027, \u0027flood\u0027, \u0027packet\u0027, \u0027virus\u0027,\u0027wildfire\u0027, \u0027wildfire-virus\u0027)\\n| summarize TotalEvents = count(), ThreatTypes = make_set(DeviceEventClassID), DestinationIpList = make_set(DestinationIP), FirstSeen = min(TimeGenerated) , LastSeen = max(TimeGenerated) by SourceIP, DeviceAction, DeviceProduct, DeviceVendor;\\nCurrentHourThreats \\n| where TotalEvents \u003c CurrThreshold\\n| join kind = leftanti (HistoricalThreats \\n| where TotalEvents \u003e HistThreshold) on SourceIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]}],\"tactics\":[\"Discovery\",\"Exfiltration\",\"CommandAndControl\"],\"displayName\":\"Palo Alto Threat signatures from Unusual IP addresses\",\"description\":\"Identifies Palo Alto Threat signatures from unusual IP addresses which are not historically seen. \\nThis detection is also leveraged and required for MDE and PAN Fusion scenario\\nhttps://docs.microsoft.com/Azure/sentinel/fusion-scenario-reference#network-request-to-tor-anonymization-service-followed-by-anomalous-traffic-flagged-by-palo-alto-networks-firewall\",\"lastUpdatedDateUTC\":\"2022-04-20T00:00:00Z\",\"createdDateUTC\":\"2022-03-23T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/35a0792a-1269-431e-ac93-7ae2980d4dde\",\"name\":\"35a0792a-1269-431e-ac93-7ae2980d4dde\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now() \\n| where Active == true\\n| where isnotempty(EmailSenderAddress)\\n| extend TI_emailEntity = EmailSenderAddress\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n ProofpointPOD \\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(SrcUserUpn)\\n | extend ProofpointPOD_TimeGenerated = TimeGenerated, ClientEmail = SrcUserUpn\\n\\n)\\non $left.TI_emailEntity == $right.ClientEmail\\n| where ProofpointPOD_TimeGenerated \u003c ExpirationDateTime\\n| summarize ProofpointPOD_TimeGenerated = arg_max(ProofpointPOD_TimeGenerated, *) by IndicatorId, ClientEmail\\n| project ProofpointPOD_TimeGenerated, Description, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, ClientEmail\\n| extend timestamp = ProofpointPOD_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ClientEmail\"}]}],\"tactics\":[\"Exfiltration\",\"InitialAccess\"],\"displayName\":\"ProofpointPOD - Email sender in TI list\",\"description\":\"Email sender in TI list.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_maillog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c3b11fb2-9201-4844-b7b9-6b7bf6d9b851\",\"name\":\"c3b11fb2-9201-4844-b7b9-6b7bf6d9b851\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.1\",\"severity\":\"Medium\",\"query\":\"let threshold = 200;\\n_Im_Dns(responsecodename=\u0027NXDOMAIN\u0027)\\n| where isnotempty(DnsResponseCodeName)\\n//| where DnsResponseCodeName =~ \\\"NXDOMAIN\\\"\\n| summarize count() by SrcIpAddr, bin(TimeGenerated,15m)\\n| where count_ \u003e threshold\\n| join kind=inner (_Im_Dns(responsecodename=\u0027NXDOMAIN\u0027)\\n ) on SrcIpAddr\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Excessive NXDOMAIN DNS Queries (ASIM DNS Schema)\",\"description\":\"This creates an incident in the event a client generates excessive amounts of DNS queries for non-existent domains. \\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema\",\"lastUpdatedDateUTC\":\"2022-04-10T00:00:00Z\",\"createdDateUTC\":\"2021-06-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a172107d-794c-48c0-bc26-d3349fe10b4d\",\"name\":\"a172107d-794c-48c0-bc26-d3349fe10b4d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT12H\",\"queryPeriod\":\"PT12H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Dev-0530_July2022.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\nlet IPList = (iocs | where Type =~ \\\"ip\\\"| project IoC);\\n(union isfuzzy=true \\n(DeviceProcessEvents\\n| where InitiatingProcessSHA256 in (sha256Hashes) or SHA256 in (sha256Hashes) or ( InitiatingProcessCommandLine has (\u0027cmd.exe /Q /c schtasks /create /tn lockertask /tr\u0027) \\nand InitiatingProcessCommandLine has (\u0027sc minute /mo 1 /F /ru system\u0027))\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type, AccountName, SHA256\\n| extend Account = AccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = case(InitiatingProcessSHA256 in (sha256Hashes), \\\"InitiatingProcessSHA256\\\", SHA256 in (sha256Hashes), \\\"SHA256\\\", \\\"No Match\\\")\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = case(FileHash == \\\"InitiatingProcessSHA256\\\", InitiatingProcessSHA256, FileHash == \\\"SHA256\\\", SHA256, \\\"No Match\\\")\\n),\\n( SecurityEvent\\n| where EventID == 4688\\n| where ( CommandLine has (\u0027cmd.exe /Q /c schtasks /create /tn lockertask /tr\u0027) and CommandLine has (\u0027/sc minute /mo 1 /F /ru system\u0027))\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type, EventID, CommandLine\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName\\n),\\n( imFileEvent\\n| where Hash in~ (sha256Hashes) or ( ActingProcessCommandLine has (\u0027cmd.exe /Q /c schtasks /create /tn lockertask /tr\u0027) and ActingProcessCommandLine has (\u0027/sc minute /mo 1 /F /ru system\u0027))\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, FileHashCustomEntity = FileHash\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Image = EventDetail.[4].[\\\"#text\\\"], CommandLine = EventDetail.[10].[\\\"#text\\\"], Hashes = tostring(EventDetail.[17].[\\\"#text\\\"])\\n| extend Hashes = extract_all(@\\\"(?P\u003ckey\u003e\\\\w+)=(?P\u003cvalue\u003e[a-zA-Z0-9]+)\\\", dynamic([\\\"key\\\",\\\"value\\\"]), Hashes)\\n| extend Hashes = column_ifexists(\\\"Hashes\\\", \\\"\\\"), CommandLine = column_ifexists(\\\"CommandLine\\\", \\\"\\\")\\n| where (Hashes has_any (sha256Hashes) ) or ( CommandLine has (\u0027cmd.exe /Q /c schtasks /create /tn lockertask /tr\u0027) and CommandLine has (\u0027/sc minute /mo 1 /F /ru system\u0027)) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, Hashes, CommandLine, Image\\n| extend Type = strcat(Type, \\\": \\\", Source)\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), FileHashCustomEntity = Hashes\\n),\\n(DeviceFileEvents\\n| where SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n),\\n(EmailEvents\\n| where SenderFromAddress == \u0027H0lyGh0st@mail2tor.com\u0027\\n| extend timestamp = TimeGenerated, IPCustomEntity = SenderIPv4, AccountCustomEntity = SenderFromAddress \\n),\\n(CommonSecurityLog \\n| where isnotempty(SourceIP) or isnotempty(DestinationIP) \\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList) or FileHash in (sha256Hashes)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"Message\\\") \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch , FileHash\\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\") \\n), \\n(OfficeActivity \\n|extend SourceIPAddress = ClientIP, Account = UserId \\n| where SourceIPAddress in (IPList) \\n| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account \\n),\\n(SigninLogs \\n| where isnotempty(IPAddress) \\n| where IPAddress in (IPList) \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \\n),\\n(AADNonInteractiveUserSignInLogs \\n| where isnotempty(IPAddress) \\n| where IPAddress in (IPList) \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \\n), \\n(W3CIISLog \\n| where isnotempty(cIP) \\n| where cIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName \\n), \\n(AzureActivity \\n| where isnotempty(CallerIpAddress) \\n| where CallerIpAddress in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller \\n), \\n( \\nAWSCloudTrail \\n| where isnotempty(SourceIpAddress) \\n| where SourceIpAddress in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName \\n), \\n( \\nDeviceNetworkEvents \\n| where isnotempty(RemoteIP) \\n| where RemoteIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName \\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallNetworkRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Dev-0530 IOC - July 2022\",\"description\":\"Identifies a IOC match related to Dev-0530 actor across various data sources.\",\"lastUpdatedDateUTC\":\"2022-07-14T00:00:00Z\",\"createdDateUTC\":\"2022-07-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\",\"DeviceProcessEvents\",\"DeviceNetworkEvents\",\"EmailEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/572e75ef-5147-49d9-9d65-13f2ed1e3a86\",\"name\":\"572e75ef-5147-49d9-9d65-13f2ed1e3a86\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let inviting_users = (AuditLogs\\n | where TimeGenerated between(ago(14d)..ago(1d))\\n | where OperationName =~ \\\"Invite external user\\\"\\n | where Result =~ \\\"success\\\"\\n | extend invitingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | where isnotempty(invitingUser)\\n | summarize by invitingUser);\\n AuditLogs\\n | where TimeGenerated \u003e ago(1d)\\n | where OperationName =~ \\\"Invite external user\\\"\\n | where Result =~ \\\"success\\\"\\n | extend invitingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | where isnotempty(invitingUser) and invitingUser !in (inviting_users)\\n | extend invitedUserPrincipalName = tostring(TargetResources[0].userPrincipalName)\\n | extend ipAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"invitingUser\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"invitedUserPrincipalName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ipAddress\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Guest Users Invited to Tenant by New Inviters\",\"description\":\"Detects when a Guest User is added by a user account that has not been seen adding a guest in the previous 14 days.\\n Monitoring guest accounts and the access they are provided is important to detect potential account abuse.\\n Accounts added should be investigated to ensure the activity was legitimate.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/500415fb-bba7-4227-a08a-9857fb61b6a7\",\"name\":\"500415fb-bba7-4227-a08a-9857fb61b6a7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"OfficeActivity\\n| where OfficeWorkload == \\\"Exchange\\\"\\n| where Operation in~ (\\\"New-TransportRule\\\", \\\"Set-TransportRule\\\")\\n| mv-apply DynamicParameters = todynamic(Parameters) on (summarize ParsedParameters = make_bag(pack(tostring(DynamicParameters.Name), DynamicParameters.Value)))\\n| extend RuleName = case(\\n Operation =~ \\\"Set-TransportRule\\\", OfficeObjectId,\\n Operation =~ \\\"New-TransportRule\\\", ParsedParameters.Name,\\n \\\"Unknown\\\")\\n| mv-expand ExpandedParameters = todynamic(Parameters)\\n| where ExpandedParameters.Name in~ (\\\"BlindCopyTo\\\", \\\"RedirectMessageTo\\\") and isnotempty(ExpandedParameters.Value)\\n| extend RedirectTo = ExpandedParameters.Value\\n| extend ClientIPValues = extract_all(@\u0027\\\\[?(::ffff:)?(?P\u003cIPAddress\u003e(\\\\d+\\\\.\\\\d+\\\\.\\\\d+\\\\.\\\\d+)|[^\\\\]]+)\\\\]?([-:](?P\u003cPort\u003e\\\\d+))?\u0027, dynamic([\\\"IPAddress\\\", \\\"Port\\\"]), ClientIP)[0]\\n| project TimeGenerated, RedirectTo, IPAddress = tostring(ClientIPValues[0]), Port = tostring(ClientIPValues[1]), UserId, Operation, RuleName, Parameters\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Collection\",\"Exfiltration\"],\"displayName\":\"Mail redirect via ExO transport rule\",\"description\":\"Identifies when Exchange Online transport rule configured to forward emails.\\nThis could be an adversary mailbox configured to collect mail from multiple user accounts.\",\"lastUpdatedDateUTC\":\"2022-04-18T00:00:00Z\",\"createdDateUTC\":\"2020-05-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/500c103a-0319-4d56-8e99-3cec8d860757\",\"name\":\"500c103a-0319-4d56-8e99-3cec8d860757\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let aadFunc = (tableName:string){\\ntable(tableName)\\n| where ResultType == \\\"50057\\\" \\n| where ResultDescription == \\\"User account is disabled. The account has been disabled by an administrator.\\\" \\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), disabledAccountLoginAttempts = count(), \\ndisabledAccountsTargeted = dcount(UserPrincipalName), applicationsTargeted = dcount(AppDisplayName), disabledAccountSet = make_set(UserPrincipalName), \\napplicationSet = make_set(AppDisplayName) by IPAddress, Type\\n| order by disabledAccountLoginAttempts desc\\n| join kind= leftouter (\\n // Consider these IPs suspicious - and alert any related successful sign-ins\\n table(tableName)\\n | where ResultType == 0\\n | summarize successfulAccountSigninCount = dcount(UserPrincipalName), successfulAccountSigninSet = make_set(UserPrincipalName, 15) by IPAddress, Type\\n // Assume IPs associated with sign-ins from 100+ distinct user accounts are safe\\n | where successfulAccountSigninCount \u003c 100\\n) on IPAddress \\n// IPs from which attempts to authenticate as disabled user accounts originated, and had a non-zero success rate for some other account\\n| where isnotempty(successfulAccountSigninCount)\\n| project StartTime, EndTime, IPAddress, disabledAccountLoginAttempts, disabledAccountsTargeted, disabledAccountSet, applicationSet, \\nsuccessfulAccountSigninCount, successfulAccountSigninSet, Type\\n| order by disabledAccountLoginAttempts\\n| extend timestamp = StartTime, IPCustomEntity = IPAddress\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"Persistence\"],\"displayName\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts\",\"description\":\"Identifies IPs with failed attempts to sign in to one or more disabled accounts and where that same IP has had successful signins from other accounts.\\nThis could indicate an attacker who obtained credentials for a list of accounts and is attempting to login with those accounts, some of which may have already been disabled.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50057 - User account is disabled. The account has been disabled by an administrator.\",\"lastUpdatedDateUTC\":\"2021-10-22T00:00:00Z\",\"createdDateUTC\":\"2019-02-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e7470b35-0128-4508-bfc9-e01cfb3c2eb7\",\"name\":\"e7470b35-0128-4508-bfc9-e01cfb3c2eb7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"Event\\n | where EventLog == \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID==1\\n | parse EventData with * \u0027Image\\\"\u003e\u0027 Image \\\"\u003c\\\" * \u0027CommandLine\\\"\u003e\u0027 CommandLine \\\"\u003c\\\" * \u0027ParentImage\\\"\u003e\u0027 ParentImage \\\"\u003c\\\" *\\n | where ParentImage has \\\"svchost.exe\\\" and Image has \\\"rundll32.exe\\\" and CommandLine has \\\"{c08afd90-f2a1-11d1-8455-00a0c91f3880}\\\"\\n | parse EventData with * \u0027ProcessGuid\\\"\u003e\u0027 ProcessGuid \\\"\u003c\\\" * \u0027Description\\\"\u003e\u0027 Description \\\"\u003c\\\" * \u0027CurrentDirectory\\\"\u003e\u0027 CurrentDirectory \\\"\u003c\\\" * \u0027User\\\"\u003e\u0027 User \\\"\u003c\\\" * \u0027LogonGuid\\\"\u003e\u0027 LogonGuid \\\"\u003c\\\" * \u0027ParentProcessGuid\\\"\u003e\u0027 ParentProcessGuid \\\"\u003c\\\" * \u0027ParentImage\\\"\u003e\u0027 ParentImage \\\"\u003c\\\" * \u0027ParentCommandLine\\\"\u003e\u0027 ParentCommandLine \\\"\u003c\\\" * \u0027ParentUser\\\"\u003e\u0027 ParentUser \\\"\u003c\\\" *\\n | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, User, ParentImage, ParentProcessGuid, ParentCommandLine, ParentUser, Image, ProcessGuid, CommandLine, Description\",\"entityMappings\":[{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLine\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"User\"}]}],\"tactics\":[\"LateralMovement\"],\"displayName\":\"Detecting Macro Invoking ShellBrowserWindow COM Objects\",\"description\":\"This query detects a macro invoking ShellBrowserWindow COM Objects evade naive parent/child Office detection rules.\\nRef: https://blog.menasec.net/2019/02/threat-hunting-doc-with-macro-invoking.html\",\"lastUpdatedDateUTC\":\"2022-03-11T00:00:00Z\",\"createdDateUTC\":\"2022-03-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c2da1106-bfe4-4a63-bf14-5ab73130ccd5\",\"name\":\"c2da1106-bfe4-4a63-bf14-5ab73130ccd5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":1,\"version\":\"1.0.0\",\"severity\":\"Informational\",\"query\":\"let timeframe = ago(1d);\\nAppServiceAntivirusScanAuditLogs\\n| where ScanStatus == \\\"Failed\\\"\\n| extend HostCustomEntity = _ResourceId, timestamp = TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"displayName\":\"AppServices AV Scan Failure\",\"description\":\"Identifies if an AV scan fails in Azure App Services.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-11T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/68271db2-cbe9-4009-b1d3-bb3b5fe5713c\",\"name\":\"68271db2-cbe9-4009-b1d3-bb3b5fe5713c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let User_Agents = dynamic ([\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70\\\", \\n\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.1 Safari/605.1.15\\\", \\n\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0\\\", \\n\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36\\\", \\n\\\"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36\\\"]);\\nOfficeActivity\\n| where RecordType in (\\\"AzureActiveDirectoryAccountLogon\\\", \\\"AzureActiveDirectoryStsLogon\\\") \\n| where Operation != \u0027UserLoggedIn\u0027\\n| extend UserAgent = iff(parse_json(ExtendedProperties)[0].Name =~ \\\"UserAgent\\\", extractjson(\\\"$[0].Value\\\", ExtendedProperties, typeof(string)),\\\"\\\")\\n| mv-expand parse_json(ExtendedProperties)\\n| where ExtendedProperties.Name =~ \\\"RequestType\\\"\\n| extend RequestType = todynamic(ExtendedProperties).Value\\n| where UserAgent =~ \\\"ms-office\\\" or UserAgent has_any (User_Agents)\\n| summarize authAttempts=dcount(TimeGenerated), firstAttempt=min(TimeGenerated), lastAttempt=max(TimeGenerated), uniqueIPs=dcount(ClientIP), uniqueAccounts=dcount(UserId), attemptedAccounts=make_set(UserId) by UserAgent\\n| where authAttempts \u003e 500\\n| extend timestamp = firstAttempt\\n| sort by uniqueAccounts\",\"entityMappings\":[],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Possible STRONTIUM attempted credential harvesting - Oct 2020\",\"description\":\"Surfaces potential STRONTIUM group Office365 credential harvesting attempts within OfficeActivity Logon events.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-09-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e7ec9fa6-e7f7-41ed-a34b-b956837a3ee6\",\"name\":\"e7ec9fa6-e7f7-41ed-a34b-b956837a3ee6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let threshold = 15;\\n// Below pulls messages from syslog-authpriv logs where there was an authentication failure with an unknown user.\\n// IP address of system attempting logon is also extracted from the SyslogMessage field. Some of these messages\\n// are aggregated.\\nSyslog\\n| where Facility =~ \\\"authpriv\\\"\\n| where SyslogMessage has \\\"authentication failure\\\" and SyslogMessage has \\\" uid=0\\\"\\n| parse SyslogMessage with * \\\"rhost=\\\" RemoteIP\\n| project TimeGenerated, Computer, ProcessName, HostIP, RemoteIP, ProcessID\\n| join kind=innerunique (\\n // Below pulls messages from syslog-authpriv logs that show each instance an unknown user tried to logon. \\n Syslog \\n | where Facility =~ \\\"authpriv\\\"\\n | where SyslogMessage has \\\"user unknown\\\"\\n | project Computer, HostIP, ProcessID\\n ) on Computer, HostIP, ProcessID\\n// Count the number of failed logon attempts by External IP and internal machine\\n| summarize FirstLogonAttempt = min(TimeGenerated), LatestLogonAttempt = max(TimeGenerated), TotalLogonAttempts = count() by Computer, HostIP, RemoteIP\\n// Calculate the time between first and last logon attempt (AttemptPeriodLength)\\n| extend TimeBetweenLogonAttempts = LatestLogonAttempt - FirstLogonAttempt\\n| where TotalLogonAttempts \u003e= threshold\\n| project FirstLogonAttempt, LatestLogonAttempt, TimeBetweenLogonAttempts, TotalLogonAttempts, SourceAddress = RemoteIP, DestinationHost = Computer, DestinationAddress = HostIP\\n| sort by DestinationHost asc nulls last\\n| extend timestamp = FirstLogonAttempt, HostCustomEntity = DestinationHost, IPCustomEntity = DestinationAddress\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Failed logon attempts in authpriv\",\"description\":\"Identifies failed logon attempts from unknown users in Syslog authpriv logs. The unknown user means the account that tried to log in \\nisn\u0027t provisioned on the machine. A few hits could indicate someone attempting to access a machine they aren\u0027t authorized to access. \\nIf there are many of hits, especially from outside your network, it could indicate a brute force attack. \\nDefault threshold for logon attempts is 15.\",\"lastUpdatedDateUTC\":\"2022-05-31T00:00:00Z\",\"createdDateUTC\":\"2019-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f041e01d-840d-43da-95c8-4188f6cef546\",\"name\":\"f041e01d-840d-43da-95c8-4188f6cef546\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let LearningPeriod = 7d;\\nlet RunTime = 1h;\\nlet StartTime = 1h;\\nlet EndRunTime = StartTime - RunTime;\\nlet EndLearningTime = StartTime + LearningPeriod;\\nlet GitHubCountryCodeLogs = (GitHubAudit\\n| where Country != \\\"\\\");\\n GitHubCountryCodeLogs\\n| where TimeGenerated between (ago(EndLearningTime) .. ago(StartTime))\\n| summarize makeset(Country) by Actor\\n| join kind=innerunique (\\n GitHubCountryCodeLogs\\n | where TimeGenerated between (ago(StartTime) .. ago(EndRunTime))\\n | distinct Country, Actor, TimeGenerated\\n) on Actor \\n| where set_Country !contains Country\\n| extend AccountCustomEntity = Actor , timestamp = TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"GitHub Activites from a New Country\",\"description\":\"Detect activities from a location that was not recently or was never visited by the user or by any user in your organization.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/40ba9493-4183-4eee-974f-87fe39c8f267\",\"name\":\"40ba9493-4183-4eee-974f-87fe39c8f267\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Azure Advanced Threat Protection\",\"displayName\":\"Create incidents based on Microsoft Defender for Identity alerts\",\"description\":\"Create incidents based on all alerts generated in Microsoft Defender for Identity\",\"lastUpdatedDateUTC\":\"2019-07-16T00:00:00Z\",\"createdDateUTC\":\"2019-07-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert (AATP)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4b11568b-3f5f-4ba1-80c8-7f1dc8390eb7\",\"name\":\"4b11568b-3f5f-4ba1-80c8-7f1dc8390eb7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let threshold = 50;\\nlet szSharePointFileOperation = \\\"SharePointFileOperation\\\";\\nlet szOperations = dynamic([\\\"FileDownloaded\\\", \\\"FileUploaded\\\"]);\\nlet starttime = 14d;\\nlet endtime = 1d;\\nlet historicalActivity =\\nOfficeActivity\\n| where TimeGenerated between(ago(starttime)..ago(endtime))\\n| where RecordType =~ szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| summarize historicalCount = count() by ClientIP, RecordType, Operation;\\nlet recentActivity = OfficeActivity\\n| where TimeGenerated \u003e ago(endtime)\\n| where RecordType =~ szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| summarize min(Start_Time), max(Start_Time), recentCount = count() by ClientIP, RecordType, Operation;\\nlet RareIP = recentActivity | join kind= leftanti ( historicalActivity ) on ClientIP, RecordType, Operation\\n// More than 50 downloads/uploads from a new IP\\n| where recentCount \u003e threshold;\\nOfficeActivity \\n| where TimeGenerated \u003e= ago(endtime) \\n| where RecordType =~ szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| join kind= inner (RareIP) on ClientIP, RecordType, Operation\\n| where Start_Time between(min_Start_Time .. max_Start_Time)\\n| summarize StartTimeUtc = min(min_Start_Time), EndTimeUtc = max(max_Start_Time) by RecordType, Operation, UserType, UserId, ClientIP, OfficeWorkload, Site_Url, OfficeObjectId, UserAgent, IPSeenCount = recentCount\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Site_Url\\n| order by IPSeenCount desc, ClientIP asc, Operation asc, UserId asc\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"SharePointFileOperation via previously unseen IPs\",\"description\":\"Identifies when the volume of documents uploaded to or downloaded from Sharepoint by new IP addresses\\nexceeds a threshold (default is 50).\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-23T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4a3073ac-7383-48a9-90a8-eb6716183a54\",\"name\":\"4a3073ac-7383-48a9-90a8-eb6716183a54\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let excludeProcs = dynamic([@\\\"\\\\SolarWinds\\\\Orion\\\\APM\\\\APMServiceControl.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\ExportToPDFCmd.Exe\\\", @\\\"\\\\SolarWinds.Credentials\\\\SolarWinds.Credentials.Orion.WebApi.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\Topology\\\\SolarWinds.Orion.Topology.Calculator.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\Database-Maint.exe\\\", @\\\"\\\\SolarWinds.Orion.ApiPoller.Service\\\\SolarWinds.Orion.ApiPoller.Service.exe\\\", @\\\"\\\\Windows\\\\SysWOW64\\\\WerFault.exe\\\"]);\\nDeviceProcessEvents\\n| where InitiatingProcessFileName =~ \\\"solarwinds.businesslayerhost.exe\\\"\\n| where not(FolderPath has_any (excludeProcs))\\n| extend\\n timestamp = TimeGenerated,\\n AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName),\\n HostCustomEntity = DeviceName,\\n AlgorithmCustomEntity = \\\"MD5\\\",\\n FileHashCustomEntity = MD5\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Execution\",\"Persistence\"],\"displayName\":\"SUNBURST suspicious SolarWinds child processes\",\"description\":\"Identifies suspicious child processes of SolarWinds.Orion.Core.BusinessLayer.dll that may be evidence of the SUNBURST backdoor\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\",\"lastUpdatedDateUTC\":\"2022-02-01T00:00:00Z\",\"createdDateUTC\":\"2020-12-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d1aba9a3-5ab1-45ef-8ed4-da57dc3c0d32\",\"name\":\"d1aba9a3-5ab1-45ef-8ed4-da57dc3c0d32\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT30M\",\"queryPeriod\":\"PT30M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let lbtime = 30m;\\nlet msgthreshold = 3;\\nlet msgszthreshold = 3000000;\\nProofpointPOD\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027outbound\u0027\\n| where NetworkBytes \u003e msgszthreshold\\n| summarize count() by SrcUserUpn, DstUserUpn\\n| where count_ \u003e msgthreshold\\n| extend AccountCustomEntity = SrcUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"ProofpointPOD - Multiple large emails to the same recipient\",\"description\":\"Detects when multiple emails with large size where sent to the same recipient.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6dd2629c-534b-4275-8201-d7968b4fa77e\",\"name\":\"6dd2629c-534b-4275-8201-d7968b4fa77e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"SecurityEvent\\n| where EventID == 4657\\n| extend EventData = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, TargetAccount, Computer, EventSourceName, Channel, Task, Level, EventID, Activity, TargetLogonId, SourceComputerId, EventOriginId, Type, _ResourceId, TenantId, SourceSystem, ManagementGroupName, IpAddress, Account)\\n| extend ObjectName = column_ifexists(\u0027ObjectName\u0027, \\\"\\\"), OperationType = column_ifexists(\u0027OperationType\u0027, \\\"\\\"), ObjectValueName = column_ifexists(\u0027ObjectValueName\u0027, \\\"\\\")\\n| where ObjectName has \u0027Schedule\\\\\\\\TaskCache\\\\\\\\Tree\u0027 and ObjectValueName == \\\"SD\\\" and OperationType == \\\"%%1906\\\" // %%1906 - Registry value deleted\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Scheduled Task Hide\",\"description\":\"This query detects attempts by malware to hide the scheduled task by deleting the SD (Security Descriptor) value. Removal of SD value results in the scheduled task disappearing from schtasks /query and Task Scheduler.\\n The query requires auditing to be turned on for HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tree registry hive as well as audit policy for registry auditing to be turned on.\\n Reference: https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/\\n Reference: https://4sysops.com/archives/audit-changes-in-the-windows-registry/\",\"lastUpdatedDateUTC\":\"2022-04-12T00:00:00Z\",\"createdDateUTC\":\"2022-04-12T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3f0c20d5-6228-48ef-92f3-9ff7822c1954\",\"name\":\"3f0c20d5-6228-48ef-92f3-9ff7822c1954\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"AlertPerResult\"},\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let threatCategory=\\\"Hacking Tool\\\";\\nlet knownUserAgentsIndicators = materialize(externaldata(UserAgent:string, Category:string)\\n [ @\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/UnusualUserAgents.csv\\\"] \\n with(format=\\\"csv\\\", ignoreFirstRecord=True));\\nlet knownUserAgents=toscalar(knownUserAgentsIndicators | where Category==threatCategory | where isnotempty(UserAgent) | summarize make_list(UserAgent));\\nlet customUserAgents=toscalar(_GetWatchlist(\\\"UnusualUserAgents\\\") | where SearchKey==threatCategory | extend UserAgent=column_ifexists(\\\"UserAgent\\\",\\\"\\\") | where isnotempty(UserAgent) | summarize make_list(UserAgent));\\nlet fullUAList = array_concat(knownUserAgents,customUserAgents);\\n_Im_WebSession(httpuseragent_has_any=fullUAList)\\n| project SrcIpAddr, Url, TimeGenerated,HttpUserAgent, SrcUsername\",\"customDetails\":{\"UserAgent\":\"HttpUserAgent\"},\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"SrcUsername\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Host {{SrcIpAddr}} is potentially running a hacking tool\",\"alertDescriptionFormat\":\"The host at address {{SrcIpAddr}} sent an HTTP request to the URL {{Url}} with the HTTP user agent header {{HttpUserAgent}}. This user agent is known to be used by a hacking tool and indicates suspicious activity on the host.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"CommandAndControl\"],\"displayName\":\"A host is potentially running a hacking tool (ASIM Web Session schema)\",\"description\":\"This rule identifies a web request with a user agent header known to belong to a hacking tool. This indicates a hacking tool is used on the host.\u003cbr\u003eYou can add custom hacking tool indicating User-Agent headers using a watchlist, for more information refer to the [UnusualUserAgents Watchlist](https://aka.ms/ASimUnusualUserAgentsWatchlist).\u003cbr\u003e\u003cbr\u003e\\n This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema)\",\"lastUpdatedDateUTC\":\"2022-04-10T00:00:00Z\",\"createdDateUTC\":\"2021-12-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/738702fd-0a66-42c7-8586-e30f0583f8fe\",\"name\":\"738702fd-0a66-42c7-8586-e30f0583f8fe\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"High\",\"query\":\"DeviceEvents\\n| where ActionType has \\\"ExploitGuardNonMicrosoftSignedBlocked\\\"\\n| where InitiatingProcessFileName contains \\\"svchost.exe\\\" and FileName contains \\\"NetSetupSvc.dll\\\"\\n| extend timestamp = TimeGenerated, AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName),\\nHostCustomEntity = DeviceName, FileHashCustomEntity = InitiatingProcessSHA1, FileHashType = \\\"SHA1\\\"\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashType\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Execution\",\"Persistence\",\"DefenseEvasion\"],\"displayName\":\"TEARDROP memory-only dropper\",\"description\":\"Identifies SolarWinds TEARDROP memory-only dropper IOCs in Window\u0027s defender Exploit Guard activity\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2020-12-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a4025a76-6490-4e6b-bb69-d02be4b03f07\",\"name\":\"a4025a76-6490-4e6b-bb69-d02be4b03f07\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n AzureNetworkAnalytics_CL\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n // renaming time column so it is clear the log this came from\\n | extend AzureNetworkAnalytics_CL_TimeGenerated = TimeGenerated\\n // NSG Flow Logs have additional information concat with Public IP, removing onlp Public IP\\n | extend PIPs = split(PublicIPs_s, \u0027|\u0027, 0)\\n | extend PIP = tostring(PIPs[0])\\n)\\non $left.TI_ipEntity == $right.PIP\\n| where AzureNetworkAnalytics_CL_TimeGenerated \u003c ExpirationDateTime\\n| summarize AzureNetworkAnalytics_CL_TimeGenerated = arg_max(AzureNetworkAnalytics_CL_TimeGenerated, *) by IndicatorId, PIP\\n// Set to alert on Allowed NSG Flows from TI Public IP IOC\\n| where FlowStatus_s == \\\"A\\\"\\n| project AzureNetworkAnalytics_CL_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, Computer, FlowDirection_s, FlowStatus_s, FlowType_s, SrcPublicIPs_s, DestPublicIPs_s, PublicIPs_s, L7Protocol_s, DestPort_d, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = AzureNetworkAnalytics_CL_TimeGenerated, IPCustomEntity = TI_ipEntity, HostCustomEntity = Computer, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to AzureNetworkAnalytics_CL (NSG Flow Logs)\",\"description\":\"Identifies a match in AzureNetworkAnalytics_CL (NSG Flow Logs) from any IP IOC from TI that was Allowed\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/968358d6-6af8-49bb-aaa4-187b3067fb95\",\"name\":\"968358d6-6af8-49bb-aaa4-187b3067fb95\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT12H\",\"queryPeriod\":\"PT12H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let successCodes = dynamic([200, 302, 401]);\\nW3CIISLog\\n| where scStatus has_any (successCodes)\\n| where ipv4_is_private(cIP) == False\\n| where csUriStem hasprefix \\\"/autodiscover/autodiscover.json\\\"\\n| project TimeGenerated, cIP, sIP, sSiteName, csUriStem, csUriQuery, Computer, csUserName, _ResourceId, FileUri\\n| where (csUriQuery !has \\\"Protocol\\\" and isnotempty(csUriQuery))\\nor (csUriQuery has_any(\\\"/mapi/\\\", \\\"powershell\\\"))\\nor (csUriQuery contains \\\"@\\\" and csUriQuery matches regex @\\\"\\\\.[a-zA-Z]{2,4}?(?:[a-zA-Z]{2,4}\\\\/)\\\")\\nor (csUriQuery contains \\\":\\\" and csUriQuery matches regex @\\\"\\\\:[0-9]{2,4}\\\\/\\\")\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = cIP, AccountCustomEntity = csUserName, ResourceCustomEntity = _ResourceId, FileCustomEntity = FileUri\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Exchange SSRF Autodiscover ProxyShell - Detection\",\"description\":\"This query looks for suspicious request patterns to Exchange servers that fit patterns recently\\nblogged about by PeterJson. This exploitation chain utilises an SSRF vulnerability in Exchange\\nwhich eventually allows the attacker to execute arbitrary Powershell on the server. In the example\\npowershell can be used to write an email to disk with an encoded attachment containing a shell.\\nReference: https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-08-09T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/999e9f5d-db4a-4b07-a206-29c4e667b7e8\",\"name\":\"999e9f5d-db4a-4b07-a206-29c4e667b7e8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Medium\",\"query\":\"let HAS_ANY_MAX = 10000;\\nlet dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet DomainTIs= ThreatIntelligenceIndicator\\n | where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n // Picking up only IOC\u0027s that contain the entities we want\\n | where isnotempty(DomainName)\\n | where Active == true\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId;\\nlet Domains = DomainTIs | where isnotempty(DomainName) |summarize NDomains=dcount(DomainName), DomainsList=make_set(DomainName) \\n | project DomainList = iff(NDomains \u003e HAS_ANY_MAX, dynamic([]), DomainsList) ;\\nDomainTIs\\n | join (\\n _Im_Dns(starttime=ago(dt_lookBack), domain_has_any=toscalar(Domains))\\n | extend DNS_TimeGenerated = TimeGenerated\\n) on $left.DomainName==$right.DnsQuery\\n| where DNS_TimeGenerated \u003c ExpirationDateTime\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, DNS_TimeGenerated, Dvc, SrcIpAddr, DnsQuery, DnsQueryType\\n| extend timestamp = DNS_TimeGenerated, HostCustomEntity = Dvc, IPCustomEntity = SrcIpAddr, URLCustomEntity = Url\",\"customDetails\":{\"LatestIndicatorTime\":\"LatestIndicatorTime\",\"Description\":\"Description\",\"ActivityGroupNames\":\"ActivityGroupNames\",\"IndicatorId\":\"IndicatorId\",\"ThreatType\":\"ThreatType\",\"ExpirationDateTime\":\"ExpirationDateTime\",\"ConfidenceScore\":\"ConfidenceScore\",\"DNSRequestTime\":\"DNS_TimeGenerated\",\"SourceIPAddress\":\"SrcIpAddr\",\"DnsQuery\":\"DnsQuery\",\"QueryType\":\"DnsQueryType\"},\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"(Preview) TI map Domain entity to Dns Events (ASIM DNS Schema)\",\"description\":\"Identifies a match in DNS events from any Domain IOC from TI\\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema\",\"lastUpdatedDateUTC\":\"2022-04-27T00:00:00Z\",\"createdDateUTC\":\"2021-09-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f2dd4a3a-ebac-4994-9499-1a859938c947\",\"name\":\"f2dd4a3a-ebac-4994-9499-1a859938c947\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":1,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet scorethreshold = 5;\\nlet bytessentperhourthreshold = 10;\\nlet TimeSeriesData = (union isfuzzy=true\\n(\\nVMConnection\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where isnotempty(DestinationIp) and isnotempty(SourceIp)\\n| extend SourceIP = SourceIp, DestinationIP = DestinationIp\\n| where ipv4_is_private(DestinationIP) == false\\n| extend DeviceVendor = \\\"VMConnection\\\"\\n| project TimeGenerated, BytesSent, DeviceVendor\\n| make-series TotalBytesSent=sum(BytesSent) on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by DeviceVendor\\n),\\n(\\nCommonSecurityLog\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\\n| where ipv4_is_private(DestinationIP) == false\\n| project TimeGenerated, SentBytes, DeviceVendor\\n| make-series TotalBytesSent=sum(SentBytes) on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by DeviceVendor\\n)\\n);\\n//Filter anomolies against TimeSeriesData\\nlet TimeSeriesAlerts = materialize(TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(TotalBytesSent, scorethreshold, -1, \u0027linefit\u0027)\\n| mv-expand TotalBytesSent to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double),score to typeof(double), baseline to typeof(long)\\n| where anomalies \u003e 0 | extend AnomalyHour = TimeGenerated\\n| extend TotalBytesSentinMBperHour = round(((TotalBytesSent / 1024)/1024),2), baselinebytessentperHour = round(((baseline / 1024)/1024),2), score = round(score,2)\\n| project DeviceVendor, AnomalyHour, TimeGenerated, TotalBytesSentinMBperHour, baselinebytessentperHour, anomalies, score);\\nlet AnomalyHours = materialize(TimeSeriesAlerts | where TimeGenerated \u003e ago(2d) | project TimeGenerated);\\n//Union of all BaseLogs aggregated per hour\\nlet BaseLogs = (union isfuzzy=true\\n(\\nCommonSecurityLog\\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\\n| where TimeGenerated \u003e ago(2d)\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n| where ipv4_is_private(DestinationIP) == false\\n| extend SentBytesinMB = ((SentBytes / 1024)/1024), ReceivedBytesinMB = ((ReceivedBytes / 1024)/1024)\\n| summarize HourlyCount = count(), TimeGeneratedMax=arg_max(TimeGenerated, *), DestinationIPList=make_set(DestinationIP, 100), DestinationPortList = make_set(DestinationPort,100), TotalSentBytesinMB = sum(SentBytesinMB), TotalReceivedBytesinMB = sum(ReceivedBytesinMB) by SourceIP, DeviceVendor, TimeGeneratedHour=bin(TimeGenerated,1h)\\n| where TotalSentBytesinMB \u003e bytessentperhourthreshold\\n| sort by TimeGeneratedHour asc, TotalSentBytesinMB desc\\n| extend Rank=row_number(1, prev(TimeGeneratedHour) != TimeGeneratedHour) // Ranking the dataset per Hourly Partition\\n| where Rank \u003c 10 // Selecting Top 10 records with Highest BytesSent in each Hour\\n| project DeviceVendor, TimeGeneratedHour, TimeGeneratedMax, SourceIP, DestinationIPList, DestinationPortList, TotalSentBytesinMB, TotalReceivedBytesinMB, Rank\\n),\\n(\\nVMConnection\\n| where isnotempty(DestinationIp) and isnotempty(SourceIp)\\n| where TimeGenerated \u003e ago(2d)\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n| extend SourceIP = SourceIp, DestinationIP = DestinationIp\\n| where ipv4_is_private(DestinationIP) == false | extend DeviceVendor = \\\"VMConnection\\\"\\n| extend SentBytesinMB = ((BytesSent / 1024)/1024), ReceivedBytesinMB = ((BytesReceived / 1024)/1024)\\n| summarize HourlyCount = count(),TimeGeneratedMax=arg_max(TimeGenerated, *), DestinationIPList=make_set(DestinationIP, 100), DestinationPortList = make_set(DestinationPort, 100), TotalSentBytesinMB = sum(SentBytesinMB),TotalReceivedBytesinMB = sum(ReceivedBytesinMB) by SourceIP, DeviceVendor, TimeGeneratedHour=bin(TimeGenerated,1h)\\n| where TotalSentBytesinMB \u003e bytessentperhourthreshold\\n| sort by TimeGeneratedHour asc, TotalSentBytesinMB desc\\n| extend Rank=row_number(1, prev(TimeGeneratedHour) != TimeGeneratedHour) // Ranking the dataset per Hourly Partition\\n| where Rank \u003c 10 // Selecting Top 10 records with Highest BytesSent in each Hour\\n| project DeviceVendor, TimeGeneratedHour, TimeGeneratedMax, SourceIP, DestinationIPList, DestinationPortList, TotalSentBytesinMB, TotalReceivedBytesinMB, Rank\\n)\\n);\\n// Join against base logs to retrive records associated with the hour of anomoly\\nTimeSeriesAlerts\\n| where TimeGenerated \u003e ago(2d)\\n| join (\\n BaseLogs | extend AnomalyHour = TimeGeneratedHour\\n) on DeviceVendor, AnomalyHour | sort by score desc\\n| project DeviceVendor, AnomalyHour,TimeGeneratedMax, SourceIP, DestinationIPList, DestinationPortList, TotalSentBytesinMB, TotalReceivedBytesinMB, TotalBytesSentinMBperHour, baselinebytessentperHour, score, anomalies\\n| summarize EventCount = count(), StartTimeUtc= min(TimeGeneratedMax), EndTimeUtc= max(TimeGeneratedMax), SourceIPMax= arg_max(SourceIP,*), TotalBytesSentinMB = sum(TotalSentBytesinMB), TotalBytesReceivedinMB = sum(TotalReceivedBytesinMB), SourceIPList = make_set(SourceIP, 100), DestinationIPList = make_set(DestinationIPList, 100) by AnomalyHour,TotalBytesSentinMBperHour, baselinebytessentperHour, score, anomalies\\n| project DeviceVendor, AnomalyHour, StartTimeUtc, EndTimeUtc, SourceIPMax, SourceIPList, DestinationIPList, DestinationPortList, TotalBytesSentinMB, TotalBytesReceivedinMB, TotalBytesSentinMBperHour, baselinebytessentperHour, score, anomalies, EventCount\\n| extend timestamp =EndTimeUtc, IPCustomEntity = SourceIPMax\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"Time series anomaly for data size transferred to public internet\",\"description\":\"Identifies anomalous data transfer to public networks. The query leverages built-in KQL anomaly detection algorithms that detects large deviations from a baseline pattern.\\nA sudden increase in data transferred to unknown public networks is an indication of data exfiltration attempts and should be investigated.\\nThe higher the score, the further it is from the baseline value.\\nThe output is aggregated to provide summary view of unique source IP to destination IP address and port bytes sent traffic observed in the flagged anomaly hour.\\nThe source IP addresses which were sending less than bytessentperhourthreshold have been exluded whose value can be adjusted as needed .\\nYou may have to run queries for individual source IP addresses from SourceIPlist to determine if anything looks suspicious\",\"lastUpdatedDateUTC\":\"2022-03-24T00:00:00Z\",\"createdDateUTC\":\"2019-05-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/06bbf969-fcbe-43fa-bac2-b2fa131d113a\",\"name\":\"06bbf969-fcbe-43fa-bac2-b2fa131d113a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"// ADHealth Monitoring Agent Registry Key\\nlet aadHealthMonAgentRegKey = \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\MicrosoftOnline\\\\\\\\Reporting\\\\\\\\MonitoringAgent\\\";\\n// Filter out known processes\\nlet aadConnectHealthProcs = dynamic ([\\n \u0027Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe\u0027,\\n \u0027Microsoft.Identity.Health.Adfs.InsightsService.exe\u0027,\\n \u0027Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe\u0027,\\n \u0027Microsoft.Identity.Health.Adfs.PshSurrogate.exe\u0027,\\n \u0027Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe\u0027,\\n \u0027Microsoft.Identity.Health.AadSync.MonitoringAgent.Startup.exe\u0027,\\n \u0027Microsoft.Identity.AadConnect.Health.AadSync.Host.exe\u0027,\\n \u0027Microsoft.Azure.ActiveDirectory.Synchronization.Upgrader.exe\u0027,\\n \u0027miiserver.exe\u0027\\n]);\\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where EventID == \u00274656\u0027\\n| where EventData has aadHealthMonAgentRegKey\\n| extend EventData = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Computer, EventID)\\n| extend ObjectName = column_ifexists(\\\"ObjectName\\\", \\\"\\\"),\\n ObjectType = column_ifexists(\\\"ObjectType\\\", \\\"\\\")\\n| where ObjectType == \u0027Key\u0027\\n| where ObjectName == aadHealthMonAgentRegKey\\n| extend SubjectUserName = column_ifexists(\\\"SubjectUserName\\\", \\\"\\\"),\\n SubjectDomainName = column_ifexists(\\\"SubjectDomainName\\\", \\\"\\\"),\\n ProcessName = column_ifexists(\\\"ProcessName\\\", \\\"\\\")\\n| extend Process = split(ProcessName, \u0027\\\\\\\\\u0027, -1)[-1],\\n Account = strcat(SubjectDomainName, \\\"\\\\\\\\\\\", SubjectUserName)\\n| where Process !in (aadConnectHealthProcs)\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by EventID, Account, Computer, Process, SubjectUserName, SubjectDomainName, ObjectName, ObjectType, ProcessName\\n),\\n ( WindowsEvent\\n| where EventID == \u00274656\u0027 and EventData has aadHealthMonAgentRegKey\\n| extend ObjectType = tostring(EventData.ObjectType)\\n| where ObjectType == \u0027Key\u0027\\n| extend ObjectName = tostring(EventData.ObjectName)\\n| where ObjectName == aadHealthMonAgentRegKey\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| extend Process = tostring(split(ProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where Process !in (aadConnectHealthProcs)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName)\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by EventID, Account, Computer, Process, SubjectUserName, SubjectDomainName, ObjectName, ObjectType, ProcessName\\n),\\n(\\nSecurityEvent\\n| where EventID == \u00274663\u0027\\n| where ObjectType == \u0027Key\u0027\\n| where ObjectName == aadHealthMonAgentRegKey\\n| extend Process = tostring(split(ProcessName, \u0027\\\\\\\\\u0027, -1)[-1])\\n| where Process !in (aadConnectHealthProcs)\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by EventID, Account, Computer, Process, SubjectUserName, SubjectDomainName, ObjectName, ObjectType, ProcessName\\n),\\n( WindowsEvent\\n| where EventID == \u00274663\u0027 and EventData has aadHealthMonAgentRegKey\\n| extend ObjectType = tostring(EventData.ObjectType)\\n| where ObjectType == \u0027Key\u0027\\n| extend ObjectName = tostring(EventData.ObjectName)\\n| where ObjectName == aadHealthMonAgentRegKey\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| extend Process = tostring(split(ProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where Process !in (aadConnectHealthProcs)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName)\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by EventID, Account, Computer, Process, SubjectUserName, SubjectDomainName, ObjectName, ObjectType, ProcessName\\n)\\n)\\n// You can filter out potential machine accounts\\n//| where AccountType != \u0027Machine\u0027\\n| extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Collection\"],\"displayName\":\"Azure AD Health Service Agents Registry Keys Access\",\"description\":\"This detection uses Windows security events to detect suspicious access attempts to the registry key values and sub-keys of Azure AD Health service agents (e.g AD FS).\\nInformation from AD Health service agents can be used to potentially abuse some of the features provided by those services in the cloud (e.g. Federation).\\nThis detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object: HKLM:\\\\SOFTWARE\\\\Microsoft\\\\ADHealthAgent.\\nMake sure you set the SACL to propagate to its sub-keys. You can find more information in here https://github.com/OTRF/Set-AuditRule/blob/master/rules/registry/aad_connect_health_service_agent.yml\\n\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-08-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a35f2c18-1b97-458f-ad26-e033af18eb99\",\"name\":\"a35f2c18-1b97-458f-ad26-e033af18eb99\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.2\",\"severity\":\"Low\",\"query\":\"// For AD SID mappings - https://docs.microsoft.com/windows/security/identity-protection/access-control/active-directory-security-groups\\nlet WellKnownLocalSID = \\\"S-1-5-32-5[0-9][0-9]$\\\";\\nlet WellKnownGroupSID = \\\"S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\\\";\\nunion isfuzzy=true \\n(\\nSecurityEvent \\n// When MemberName contains \u0027-\u0027 this indicates addition of a group to a group\\n| where AccountType == \\\"User\\\" and MemberName != \\\"-\\\"\\n// 4728 - A member was added to a security-enabled global group\\n// 4732 - A member was added to a security-enabled local group\\n// 4756 - A member was added to a security-enabled universal group\\n| where EventID in (4728, 4732, 4756) \\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID\\n// Exclude Remote Desktop Users group: S-1-5-32-555\\n| where TargetSid !in (\\\"S-1-5-32-555\\\")\\n| extend SimpleMemberName = substring(MemberName, 3, indexof_regex(MemberName, @\\\",OU|,CN\\\") - 3)\\n| project TimeGenerated, EventID, Activity, Computer, SimpleMemberName, MemberName, MemberSid, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectUserName, SubjectUserSid\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SimpleMemberName, HostCustomEntity = Computer\\n),\\n(\\nWindowsEvent \\n// 4728 - A member was added to a security-enabled global group\\n// 4732 - A member was added to a security-enabled local group\\n// 4756 - A member was added to a security-enabled universal group\\n| where EventID in (4728, 4732, 4756) and not(EventData has \\\"S-1-5-32-555\\\")\\n| extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend AccountType=case(Account endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n| extend MemberName = tostring(EventData.MemberName)\\n// When MemberName contains \u0027-\u0027 this indicates addition of a group to a group\\n| where AccountType == \\\"User\\\" and MemberName != \\\"-\\\"\\n| extend TargetSid = tostring(EventData.TargetSid)\\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID\\n// Exclude Remote Desktop Users group: S-1-5-32-555\\n| where TargetSid !in (\\\"S-1-5-32-555\\\")\\n| extend SimpleMemberName = substring(MemberName, 3, indexof_regex(MemberName, @\\\",OU|,CN\\\") - 3)\\n| extend MemberSid = tostring(EventData.MemberSid)\\n| extend TargetUserName = tostring(EventData.TargetUserName)\\n| extend TargetDomainName = tostring(EventData.TargetDomainName)\\n| extend UserPrincipalName = tostring(EventData.UserPrincipalName)\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| project TimeGenerated, EventID, Computer, SimpleMemberName, MemberName, MemberSid, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectUserName, SubjectUserSid\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SimpleMemberName, HostCustomEntity = Computer\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"User account added to built in domain local or global group\",\"description\":\"Identifies when a user account has been added to a privileged built in domain local group or global group \\nsuch as the Enterprise Admins, Cert Publishers or DnsAdmins. Be sure to verify this is an expected addition.\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2019-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2acc91c3-17c2-4388-938e-4eac2d5894e8\",\"name\":\"2acc91c3-17c2-4388-938e-4eac2d5894e8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"W3CIISLog\\n| where csMethod == \u0027GET\u0027\\n| where isnotempty(csUriStem) and isnotempty(csUriQuery)\\n| where csUriStem contains \\\"logoimagehandler.ashx\\\"\\n| where csUriQuery contains \\\"codes\\\" and csUriQuery contains \\\"clazz\\\" and csUriQuery contains \\\"method\\\" and csUriQuery contains \\\"args\\\"\\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"CommandAndControl\"],\"displayName\":\"SUPERNOVA webshell\",\"description\":\"Identifies SUPERNOVA webshell based on W3CIISLog data.\\n References:\\n - https://unit42.paloaltonetworks.com/solarstorm-supernova/\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2021-01-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/223db5c1-1bf8-47d8-8806-bed401b356a4\",\"name\":\"223db5c1-1bf8-47d8-8806-bed401b356a4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Low\",\"query\":\"let timeRange = 1d;\\nlet lookBack = 7d;\\nlet threshold_Failed = 5;\\nlet threshold_FailedwithSingleIP = 20;\\nlet threshold_IPAddressCount = 2;\\nlet isGUID = \\\"[0-9a-z]{8}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{12}\\\";\\nlet aadFunc = (tableName:string){\\nlet azPortalSignins = materialize(table(tableName)\\n| where TimeGenerated \u003e= ago(lookBack)\\n// Azure Portal only\\n| where AppDisplayName =~ \\\"Azure Portal\\\")\\n;\\nlet successPortalSignins = azPortalSignins\\n| where TimeGenerated \u003e= ago(timeRange)\\n// Azure Portal only and exclude non-failure Result Types\\n| where ResultType in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n// Tagging identities not resolved to friendly names\\n//| extend Unresolved = iff(Identity matches regex isGUID, true, false)\\n| distinct TimeGenerated, UserPrincipalName\\n;\\nlet failPortalSignins = azPortalSignins\\n| where TimeGenerated \u003e= ago(timeRange)\\n// Azure Portal only and exclude non-failure Result Types\\n| where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\", \\\"70044\\\", \\\"70043\\\")\\n// Tagging identities not resolved to friendly names\\n| extend Unresolved = iff(Identity matches regex isGUID, true, false)\\n;\\n// Verify there is no success for the same connection attempt after the fail\\nlet failnoSuccess = failPortalSignins | join kind= leftouter (\\n successPortalSignins \\n) on UserPrincipalName\\n| where TimeGenerated \u003e TimeGenerated1 or isempty(TimeGenerated1)\\n| project-away TimeGenerated1, UserPrincipalName1\\n;\\n// Lookup up resolved identities from last 7 days\\nlet identityLookup = azPortalSignins\\n| where TimeGenerated \u003e= ago(lookBack)\\n| where not(Identity matches regex isGUID)\\n| summarize by UserId, lu_UserDisplayName = UserDisplayName, lu_UserPrincipalName = UserPrincipalName;\\n// Join resolved names to unresolved list from portal signins\\nlet unresolvedNames = failnoSuccess | where Unresolved == true | join kind= inner (\\n identityLookup \\n) on UserId\\n| extend UserDisplayName = lu_UserDisplayName, UserPrincipalName = lu_UserPrincipalName\\n| project-away lu_UserDisplayName, lu_UserPrincipalName;\\n// Join Signins that had resolved names with list of unresolved that now have a resolved name\\nlet u_azPortalSignins = failnoSuccess | where Unresolved == false | union unresolvedNames;\\nu_azPortalSignins\\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n| extend Status = strcat(ResultType, \\\": \\\", ResultDescription), OS = tostring(DeviceDetail.operatingSystem), Browser = tostring(DeviceDetail.browser)\\n| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion)\\n| extend FullLocation = strcat(Region,\u0027|\u0027, State, \u0027|\u0027, City)\\n| summarize TimeGenerated = makelist(TimeGenerated), Status = makelist(Status), IPAddresses = makelist(IPAddress), IPAddressCount = dcount(IPAddress), FailedLogonCount = count()\\nby UserPrincipalName, UserId, UserDisplayName, AppDisplayName, Browser, OS, FullLocation, Type\\n| mvexpand TimeGenerated, IPAddresses, Status\\n| extend TimeGenerated = todatetime(tostring(TimeGenerated)), IPAddress = tostring(IPAddresses), Status = tostring(Status)\\n| project-away IPAddresses\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserPrincipalName, UserId, UserDisplayName, Status, FailedLogonCount, IPAddress, IPAddressCount, AppDisplayName, Browser, OS, FullLocation, Type\\n| where (IPAddressCount \u003e= threshold_IPAddressCount and FailedLogonCount \u003e= threshold_Failed) or FailedLogonCount \u003e= threshold_FailedwithSingleIP\\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Failed login attempts to Azure Portal\",\"description\":\"Identifies failed login attempts in the Azure Active Directory SigninLogs to the Azure Portal. Many failed logon \\nattempts or some failed logon attempts from multiple IPs could indicate a potential brute force attack. \\nThe following are excluded due to success and non-failure results:\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n0 - successful logon\\n50125 - Sign-in was interrupted due to a password reset or password registration entry.\\n50140 - This error occurred due to \u0027Keep me signed in\u0027 interrupt when the user was signing-in.\",\"lastUpdatedDateUTC\":\"2022-04-21T00:00:00Z\",\"createdDateUTC\":\"2019-02-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/acc4c247-aaf7-494b-b5da-17f18863878a\",\"name\":\"acc4c247-aaf7-494b-b5da-17f18863878a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"Medium\",\"query\":\"let queryfrequency = 1h;\\nlet queryperiod = 1d;\\nAuditLogs\\n| where TimeGenerated \u003e ago(queryperiod)\\n| where OperationName in (\\\"Invite external user\\\", \\\"Bulk invite users - started (bulk)\\\", \\\"Invite external user with reset invitation status\\\")\\n| extend InitiatedBy = iff(isnotempty(InitiatedBy.user.userPrincipalName), InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName)\\n// Uncomment the following line to filter events where the inviting user was a guest user\\n//| where InitiatedBy has_any (\\\"live.com#\\\", \\\"#EXT#\\\")\\n| extend InvitedUser = TargetResources[0].userPrincipalName\\n| mv-expand UserToCompare = pack_array(InitiatedBy, InvitedUser) to typeof(string)\\n| where UserToCompare has_any (\\\"live.com#\\\", \\\"#EXT#\\\")\\n| extend\\n parsedUser = replace_string(tolower(iff(UserToCompare startswith \\\"live.com#\\\", tostring(split(UserToCompare, \\\"#\\\")[1]), tostring(split(UserToCompare, \\\"#EXT#\\\")[0]))), \\\"@\\\", \\\"_\\\"),\\n InvitationTime = TimeGenerated\\n| join (\\n (union isfuzzy=true SigninLogs, AADNonInteractiveUserSignInLogs)\\n | where TimeGenerated \u003e ago(queryfrequency)\\n | where UserType != \\\"Member\\\"\\n | where AppId has_any\\n (\\\"1b730954-1685-4b74-9bfd-dac224a7b894\\\",// Azure Active Directory PowerShell\\n \\\"04b07795-8ddb-461a-bbee-02f9e1bf7b46\\\",// Microsoft Azure CLI\\n \\\"1950a258-227b-4e31-a9cf-717495945fc2\\\",// Microsoft Azure PowerShell\\n \\\"a0c73c16-a7e3-4564-9a95-2bdf47383716\\\",// Microsoft Exchange Online Remote PowerShell\\n \\\"fb78d390-0c51-40cd-8e17-fdbfab77341b\\\",// Microsoft Exchange REST API Based Powershell\\n \\\"d1ddf0e4-d672-4dae-b554-9d5bdfd93547\\\",// Microsoft Intune PowerShell\\n \\\"9bc3ab49-b65d-410a-85ad-de819febfddc\\\",// Microsoft SharePoint Online Management Shell\\n \\\"12128f48-ec9e-42f0-b203-ea49fb6af367\\\",// MS Teams Powershell Cmdlets\\n \\\"23d8f6bd-1eb0-4cc2-a08c-7bf525c67bcd\\\",// Power BI PowerShell\\n \\\"31359c7f-bd7e-475c-86db-fdb8c937548e\\\",// PnP Management Shell\\n \\\"90f610bf-206d-4950-b61d-37fa6fd1b224\\\" // Aadrm Admin Powershell\\n )\\n | summarize arg_min(TimeGenerated, *) by UserPrincipalName\\n | extend\\n parsedUser = replace_string(UserPrincipalName, \\\"@\\\", \\\"_\\\"),\\n SigninTime = TimeGenerated\\n )\\n on parsedUser\\n| project InvitationTime, InitiatedBy, OperationName, InvitedUser, SigninTime, SigninCategory = Category1, SigninUserPrincipalName = UserPrincipalName, IPAddress, AppDisplayName, ResourceDisplayName, UserAgent, InvitationAdditionalDetails = AdditionalDetails, InvitationTargetResources = TargetResources\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InvitedUser\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatedBy\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]}],\"tactics\":[\"InitialAccess\",\"Persistence\",\"Discovery\"],\"displayName\":\"External guest invitation followed by Azure AD PowerShell signin\",\"description\":\"By default guests have capability to invite more external guest users, guests also can do suspicious Azure AD enumeration. This detection look at guests\\nusers, who have been invited or have invited recently, who also are logging via various PowerShell CLI.\\nRef : \u0027https://danielchronlund.com/2021/11/18/scary-azure-ad-tenant-enumeration-using-regular-b2b-guest-accounts/\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2021-11-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3af9285d-bb98-4a35-ad29-5ea39ba0c628\",\"name\":\"3af9285d-bb98-4a35-ad29-5ea39ba0c628\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let threshold = 1;\\nlet aadFunc = (tableName:string){\\ntable(tableName)\\n| where ConditionalAccessStatus == 1 or ConditionalAccessStatus =~ \\\"failure\\\"\\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\\n| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion) \\n| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\n| extend ConditionalAccessPolicies = todynamic(ConditionalAccessPolicies)\\n| extend ConditionalAccessPol0Name = tostring(ConditionalAccessPolicies[0].displayName)\\n| extend ConditionalAccessPol1Name = tostring(ConditionalAccessPolicies[1].displayName)\\n| extend ConditionalAccessPol2Name = tostring(ConditionalAccessPolicies[2].displayName)\\n| extend Status = strcat(StatusCode, \\\": \\\", ResultDescription) \\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), Status = make_list(Status), StatusDetails = make_list(StatusDetails), IPAddresses = make_list(IPAddress), IPAddressCount = dcount(IPAddress), CorrelationIds = make_list(CorrelationId) \\nby UserPrincipalName, AppDisplayName, tostring(Browser), tostring(OS), City, State, Region, ConditionalAccessPol0Name, ConditionalAccessPol1Name, ConditionalAccessPol2Name, Type\\n| where IPAddressCount \u003e threshold and StatusDetails !has \\\"MFA successfully completed\\\"\\n| mvexpand IPAddresses, Status, StatusDetails, CorrelationIds\\n| extend Status = strcat(Status, \\\" \\\", StatusDetails)\\n| summarize IPAddresses = make_set(IPAddresses), Status = make_set(Status), CorrelationIds = make_set(CorrelationIds) \\nby StartTime, EndTime, UserPrincipalName, AppDisplayName, tostring(Browser), tostring(OS), City, State, Region, ConditionalAccessPol0Name, ConditionalAccessPol1Name, ConditionalAccessPol2Name, IPAddressCount, Type\\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = tostring(IPAddresses)\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"Persistence\"],\"displayName\":\"Attempt to bypass conditional access rule in Azure AD\",\"description\":\"Identifies an attempt to Bypass conditional access rule(s) in Azure Active Directory.\\nThe ConditionalAccessStatus column value details if there was an attempt to bypass Conditional Access\\nor if the Conditional access rule was not satisfied (ConditionalAccessStatus == 1).\\nReferences: \\nhttps://docs.microsoft.com/azure/active-directory/conditional-access/overview\\nhttps://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins\\nhttps://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\nConditionalAccessStatus == 0 // Success\\nConditionalAccessStatus == 1 // Failure\\nConditionalAccessStatus == 2 // Not Applied\\nConditionalAccessStatus == 3 // unknown\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0b904747-1336-4363-8d84-df2710bfe5e7\",\"name\":\"0b904747-1336-4363-8d84-df2710bfe5e7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n AzureDiagnostics\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where OperationName in (\\\"AzureFirewallApplicationRuleLog\\\", \\\"AzureFirewallNetworkRuleLog\\\")\\n | parse kind=regex flags=U msg_s with Protocol \u0027request from \u0027 SourceHost \u0027to \u0027 DestinationHost @\u0027\\\\.? Action: \u0027 Firewall_Action @\u0027\\\\.\u0027 Rest_msg\\n | extend SourceAddress = extract(@\u0027([\\\\.0-9]+)(:[\\\\.0-9]+)?\u0027, 1, SourceHost)\\n | extend DestinationAddress = extract(@\u0027([\\\\.0-9]+)(:[\\\\.0-9]+)?\u0027, 1, DestinationHost)\\n | extend RemoteIP = case(not(ipv4_is_private(DestinationAddress)), DestinationAddress, not(ipv4_is_private(SourceAddress)), SourceAddress, \\\"\\\")\\n // Traffic that involves a public address, and in case this is the source address then the traffic was not denied\\n | where isnotempty(RemoteIP)\\n | project-rename AzureFirewall_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.RemoteIP\\n| where AzureFirewall_TimeGenerated \u003c ExpirationDateTime\\n| summarize AzureFirewall_TimeGenerated = arg_max(AzureFirewall_TimeGenerated, *) by IndicatorId, RemoteIP\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, DomainName, ExpirationDateTime, ConfidenceScore, AzureFirewall_TimeGenerated,\\nTI_ipEntity, Resource, Category, msg_s, SourceAddress, DestinationAddress, Firewall_Action, Protocol, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = AzureFirewall_TimeGenerated, IPCustomEntity = TI_ipEntity, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to AzureFirewall\",\"description\":\"Identifies a match in AzureFirewall (NetworkRule \u0026 ApplicationRule Logs) from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4ebbb5c2-8802-11ec-a8a3-0242ac120002\",\"name\":\"4ebbb5c2-8802-11ec-a8a3-0242ac120002\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"// Enter a reference list of decoy users (usernames) \\\"Case Sensitive\\\"\\nlet MaliciousServiceArtifacts = dynamic ([\\\"fgexec\\\",\\\"cachedump\\\",\\\"mimikatz\\\",\\\"mimidrv\\\",\\\"wceservice\\\",\\\"pwdump\\\"]);\\nEvent\\n| where Source == \\\"Service Control Manager\\\" and EventID == 7045\\n| parse EventData with * \u0027ServiceName\\\"\u003e\u0027 ServiceName \\\"\u003c\\\" * \u0027ImagePath\\\"\u003e\u0027 ImagePath \\\"\u003c\\\" *\\n| where ServiceName has_any (MaliciousServiceArtifacts) or ImagePath has_any (MaliciousServiceArtifacts)\\n| parse EventData with * \u0027AccountName\\\"\u003e\u0027 AccountName \\\"\u003c\\\" *\\n|summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, ServiceName, ImagePath, AccountName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountName\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"ImagePath\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Credential Dumping Tools - Service Installation\",\"description\":\"This query detects the installation of a Windows service that contains artifacts from credential dumping tools such as Mimikatz.\\nRef: https://blueteamblog.com/darkside-ransomware-operations-preventions-and-detections\",\"lastUpdatedDateUTC\":\"2022-04-22T00:00:00Z\",\"createdDateUTC\":\"2022-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"Event\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/adc32a33-1cd6-46f5-8801-e3ed8337885f\",\"name\":\"adc32a33-1cd6-46f5-8801-e3ed8337885f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"// Add any known allowed sources and source locations to the filter below (the NuGet Gallery has been added here as an example).\\nlet allowed_sources = dynamic([\\\"NuGet Gallery\\\"]);\\nlet allowed_locations = dynamic([\\\"https://api.nuget.org/v3/index.json\\\"]);\\nAzureDevOpsAuditing\\n// Look for feeds created or modified at either the organization or project level\\n| where OperationName matches regex \\\"Artifacts.Feed.(Org|Project).Modify\\\"\\n| where Details has \\\"UpstreamSources, added\\\"\\n| extend FeedName = tostring(Data.FeedName)\\n| extend FeedId = tostring(Data.FeedId)\\n| extend UpstreamsAdded = Data.UpstreamsAdded\\n// As multiple feeds may be added expand these out\\n| mv-expand UpstreamsAdded\\n// Only focus on external feeds\\n| where UpstreamsAdded.UpstreamSourceType !~ \\\"internal\\\"\\n| extend SourceLocation = tostring(UpstreamsAdded.Location)\\n| extend SourceName = tostring(UpstreamsAdded.Name)\\n// Exclude sources and locations in the allow list\\n| where SourceLocation !in (allowed_locations) and SourceName !in (allowed_sources)\\n| extend SourceProtocol = tostring(UpstreamsAdded.Protocol)\\n| extend SourceStatus = tostring(UpstreamsAdded.Status)\\n| project-reorder TimeGenerated, OperationName, ScopeDisplayName, ProjectName, FeedName, SourceName, SourceLocation, SourceProtocol, ActorUPN, UserAgent, IpAddress\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"External Upstream Source Added to Azure DevOps Feed\",\"description\":\"The detection looks for new external sources added to an Azure DevOps feed. An allow list can be customized to explicitly allow known good sources. \\nAn attacker could look to add a malicious feed in order to inject malicious packages into a build pipeline.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/feb0a2fb-ae75-4343-8cbc-ed545f1da289\",\"name\":\"feb0a2fb-ae75-4343-8cbc-ed545f1da289\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let VIPUsers = (IdentityInfo\\n| where AssignedRoles contains \\\"Admin\\\"\\n| summarize by tolower(AccountUPN));\\nAuditLogs\\n| where Category =~ \\\"UserManagement\\\"\\n| where ActivityDisplayName =~ \\\"User registered security info\\\"\\n| where LoggedByService =~ \\\"Authentication Methods\\\"\\n| extend AccountCustomEntity = tostring(TargetResources[0].userPrincipalName), IPCustomEntity = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n| where AccountCustomEntity in (VIPUsers)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Authentication Method Changed for Privileged Account\",\"description\":\"Identifies authentication methods being changed for a privileged account. This could be an indicated of an attacker adding an auth method to the account so they can have continued access.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"BehaviorAnalytics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2937bc6b-7cda-4fba-b452-ea43ba8e835f\",\"name\":\"2937bc6b-7cda-4fba-b452-ea43ba8e835f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n| where EventID == 5136 \\n| parse EventData with * \u0027ObjectClass\\\"\u003e\u0027 ObjectClass \\\"\u003c\\\" *\\n| parse EventData with * \u0027AttributeLDAPDisplayName\\\"\u003e\u0027 AttributeLDAPDisplayName \\\"\u003c\\\" *\\n| where ObjectClass == \\\"computer\\\" and AttributeLDAPDisplayName == \\\"msDS-AllowedToActOnBehalfOfOtherIdentity\\\"\\n| parse EventData with * \u0027ObjectDN\\\"\u003e\u0027 ObjectDN \\\"\u003c\\\" *\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Computer, SubjectAccount, SubjectUserSid, SubjectLogonId, ObjectDN, AttributeLDAPDisplayName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SubjectAccount\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Possible Resource-Based Constrained Delegation Abuse\",\"description\":\"This query identifies Active Directory computer objects modifications that allow an adversary to abuse the Resource-based constrained delegation. \\nThis query checks for event id 5136 that the Object Class field is \\\"computer\\\" and the LDAP Display Name is \\\"msDS-AllowedToActOnBehalfOfOtherIdentity\\\" which is an indicator of Resource-based constrained delegation.\\nRef: https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html\",\"lastUpdatedDateUTC\":\"2022-01-19T00:00:00Z\",\"createdDateUTC\":\"2022-01-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/89e6adbd-612c-4fbe-bc3d-32f81baf3b6c\",\"name\":\"89e6adbd-612c-4fbe-bc3d-32f81baf3b6c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT4H\",\"queryPeriod\":\"PT4H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"// Change to true to monitor for Project Administrator adds to *any* project\\nlet MonitorAllProjects = false;\\n// If MonitorAllProjects is false, trigger only on Project Administrator add for the following projects\\nlet ProjectsToMonitor = dynamic([\u0027\u003cproject_X\u003e\u0027,\u0027\u003cproject_Y\u003e\u0027]);\\nAzureDevOpsAuditing\\n| where Area == \\\"Group\\\" and OperationName == \\\"Group.UpdateGroupMembership.Add\\\"\\n| where Details has \u0027Administrators\u0027\\n| where Details has \\\"was added as a member of group\\\" and (Details endswith \u0027\\\\\\\\Project Administrators\u0027 or Details endswith \u0027\\\\\\\\Project Collection Administrators\u0027)\\n| parse Details with AddedIdentity \u0027 was added as a member of group [\u0027 EntityName \u0027]\\\\\\\\\u0027 GroupName\\n| extend Level = iif(GroupName == \u0027Project Collection Administrators\u0027, \u0027Organization\u0027, \u0027Project\u0027), AddedIdentityId = Data.MemberId\\n| extend Severity = iif(Level == \u0027Organization\u0027, \u0027High\u0027, \u0027Medium\u0027), AlertDetails = strcat(\u0027At \u0027, TimeGenerated, \u0027 UTC \u0027, ActorUPN, \u0027/\u0027, ActorDisplayName, \u0027 added \u0027, AddedIdentity, \u0027 to the \u0027, EntityName, \u0027 \u0027, Level)\\n| where MonitorAllProjects == true or EntityName in (ProjectsToMonitor) or Level == \u0027Organization\u0027\\n| project TimeGenerated, Severity, Adder = ActorUPN, AddedIdentity, AddedIdentityId, AlertDetails, Level, EntityName, GroupName, ActorAuthType = AuthenticationMechanism, \\n ActorIpAddress = IpAddress, ActorUserAgent = UserAgent, RawDetails = Details\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Adder, IPCustomEntity = ActorIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Azure DevOps Administrator Group Monitoring\",\"description\":\"This detection monitors for additions to projects or project collection administration groups in an Azure DevOps Organization.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2020-06-04T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/473d57e6-f787-435c-a16b-b38b51fa9a4b\",\"name\":\"473d57e6-f787-435c-a16b-b38b51fa9a4b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"High\",\"query\":\"let servicelist = dynamic([\u0027Services\\\\\\\\HealthService\u0027, \u0027Services\\\\\\\\Sense\u0027, \u0027Services\\\\\\\\WinDefend\u0027, \u0027Services\\\\\\\\MsSecFlt\u0027, \u0027Services\\\\\\\\DiagTrack\u0027, \u0027Services\\\\\\\\SgrmBroker\u0027, \u0027Services\\\\\\\\SgrmAgent\u0027, \u0027Services\\\\\\\\AATPSensorUpdater\u0027 , \u0027Services\\\\\\\\AATPSensor\u0027, \u0027Services\\\\\\\\mpssvc\u0027]);\\nlet filename = dynamic([\\\"subinacl.exe\\\",\u0027SetACL.exe\u0027]);\\nlet parameters = dynamic ([\u0027/deny=SYSTEM\u0027, \u0027/deny=S-1-5-18\u0027, \u0027/grant=SYSTEM=r\u0027, \u0027/grant=S-1-5-18=r\u0027, \u0027n:SYSTEM;p:READ\u0027, \u0027n1:SYSTEM;ta:remtrst;w:dacl\u0027]);\\nlet FullAccess = dynamic([\u0027A;CI;KA;;;SY\u0027, \u0027A;ID;KA;;;SY\u0027, \u0027A;CIID;KA;;;SY\u0027]);\\nlet ReadAccess = dynamic([\u0027A;CI;KR;;;SY\u0027, \u0027A;ID;KR;;;SY\u0027, \u0027A;CIID;KR;;;SY\u0027]);\\nlet DenyAccess = dynamic([\u0027D;CI;KR;;;SY\u0027, \u0027D;ID;KR;;;SY\u0027, \u0027D;CIID;KR;;;SY\u0027]);\\nlet timeframe = 1d;\\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where EventID == 4670\\n| where ObjectType == \u0027Key\u0027\\n| where ObjectName has_any (servicelist)\\n| parse EventData with * \u0027OldSd\\\"\u003e\u0027 OldSd \\\"\u003c\\\" *\\n| parse EventData with * \u0027NewSd\\\"\u003e\u0027 NewSd \\\"\u003c\\\" *\\n| extend Reason = case( (OldSd has \u0027;;;SY\u0027 and NewSd !has \u0027;;;SY\u0027), \u0027System Account is removed\u0027, (OldSd has_any (FullAccess) and NewSd has_any (ReadAccess)) , \u0027System permission has been changed to read from full access\u0027, (OldSd has_any (FullAccess) and NewSd has_any (DenyAccess)), \u0027System account has been given denied permission\u0027, \u0027None\u0027)\\n| project TimeGenerated, Computer, Account, ProcessName, ProcessId, ObjectName, EventData, Activity, HandleId, SubjectLogonId, OldSd, NewSd , Reason\\n),\\n(\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where EventID == 4688\\n| extend ProcessName = tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where ProcessName in~ (filename) \\n| where CommandLine has_any (servicelist) and CommandLine has_any (parameters)\\n| project TimeGenerated, Computer, Account, AccountDomain, ProcessName, ProcessNameFullPath = NewProcessName, EventID, Activity, CommandLine, EventSourceName, Type\\n),\\n(\\nWindowsEvent\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where EventID == 4670 and EventData has_any (servicelist) and EventData has \u0027Key\u0027\\n| extend ObjectType = tostring(EventData.ObjectType)\\n| where ObjectType == \u0027Key\u0027\\n| extend ObjectName = tostring(EventData.ObjectName)\\n| where ObjectName has_any (servicelist)\\n| extend OldSd = tostring(EventData.OldSd)\\n| extend NewSd = tostring(EventData.NewSd)\\n| extend Reason = case( (OldSd has \u0027;;;SY\u0027 and NewSd !has \u0027;;;SY\u0027), \u0027System Account is removed\u0027, (OldSd has_any (FullAccess) and NewSd has_any (ReadAccess)) , \u0027System permission has been changed to read from full access\u0027, (OldSd has_any (FullAccess) and NewSd has_any (DenyAccess)), \u0027System account has been given denied permission\u0027, \u0027None\u0027)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| extend ProcessId = tostring(EventData.ProcessId)\\n| extend Activity= \\\"4670 - Permissions on an object were changed.\\\"\\n| extend HandleId = tostring(EventData.HandleId)\\n| extend SubjectLogonId = tostring(EventData.SubjectLogonId)\\n| project TimeGenerated, Computer, Account, ProcessName, ProcessId, ObjectName, EventData, Activity, HandleId, SubjectLogonId, OldSd, NewSd , Reason\\n),\\n(\\nWindowsEvent\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where EventID == 4688 and EventData has_any (filename) and EventData has_any (servicelist) and EventData has_any (parameters)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend ProcessName = tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where ProcessName in~ (filename) \\n| extend CommandLine = tostring(EventData.CommandLine) \\n| where CommandLine has_any (servicelist) and CommandLine has_any (parameters)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend AccountDomain = tostring(EventData.AccountDomain)\\n| extend Activity=\\\"4688 - A new process has been created.\\\"\\n| extend EventSourceName=Provider\\n| project TimeGenerated, Computer, Account, AccountDomain, ProcessName, ProcessNameFullPath = NewProcessName, EventID, Activity, CommandLine, EventSourceName, Type\\n),\\n(\\nDeviceProcessEvents\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where InitiatingProcessFileName in~ (filename) \\n| where InitiatingProcessCommandLine has_any(servicelist) and InitiatingProcessCommandLine has_any (parameters)\\n| extend Account = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName), Computer = DeviceName\\n| project TimeGenerated, Computer, Account, AccountDomain, ProcessName = InitiatingProcessFileName, ProcessNameFullPath = FolderPath, Activity = ActionType, CommandLine = InitiatingProcessCommandLine, Type, InitiatingProcessParentFileName\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Security Service Registry ACL Modification\",\"description\":\"Identifies attempts to modify registry ACL to evade security solutions. In the Solorigate attack, the attackers were found modifying registry permissions so services.exe cannot access the relevant registry keys to start the service.\\n The detection leverages Security Event as well as MDE data to identify when specific security services registry permissions are modified. \\n Only some portions of this detection are related to Solorigate, it also includes coverage for some common tools that perform this activity. \\n Reference on guidance for enabling registry auditing:\\n - https://docs.microsoft.com/windows/security/threat-protection/auditing/advanced-security-auditing-faq\\n - https://docs.microsoft.com/windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events\\n - https://docs.microsoft.com/windows/security/threat-protection/auditing/audit-registry\\n - https://docs.microsoft.com/windows/security/threat-protection/auditing/event-4670\\n - For the event 4670 to be created the audit policy for the registry must have auditing enabled for Write DAC and/or Write Owner\\n - https://github.com/OTRF/Set-AuditRule \\n - https://docs.microsoft.com/dotnet/api/system.security.accesscontrol.registryrights?view=dotnet-plat-ext-5.0\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-01-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/29283b22-a1c0-4d16-b0a9-3460b655a46a\",\"name\":\"29283b22-a1c0-4d16-b0a9-3460b655a46a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"let UserAgentString = dynamic ([\\\"${jndi:ldap:/\\\", \\\"${jndi:rmi:/\\\", \\\"${jndi:ldaps:/\\\", \\\"${jndi:dns:/\\\", \\\"${jndi:iiop:/\\\",\\\"${jndi:\\\",\\\"${jndi:nds:/\\\",\\\"${jndi:corba/\\\"]);\\nlet UARegexMinimalString=dynamic([\u0027{\u0027,\u0027%7b\u0027, \u0027%7B\u0027]);\\nlet UARegex = @\u0027(\\\\\\\\$|%24)(\\\\\\\\{|%7B)([^jJ]*[jJ])([^nN]*[nN])([^dD]*[dD])([^iI]*[iI])(:|%3A|\\\\\\\\$|%24|}|%7D)\u0027;\\n(union isfuzzy=true\\n(OfficeActivity\\n| where UserAgent has_any (UserAgentString) or UserAgent matches regex UARegex\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = ClientIP, Account = UserId, Type, Operation\\n| extend timestamp = StartTime, AccountCustomEntity = Account, IPCustomEntity = SourceIP\\n),\\n(AzureDiagnostics\\n| where Category in (\\\"FrontdoorWebApplicationFirewallLog\\\", \\\"FrontdoorAccessLog\\\", \\\"ApplicationGatewayFirewallLog\\\", \\\"ApplicationGatewayAccessLog\\\")\\n| where userAgent_s has_any (UserAgentString) or userAgent_s matches regex UARegex\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent = userAgent_s, SourceIP = clientIP_s, Type, host_s, requestUri_s, httpStatus_d\\n| extend timestamp = StartTime, IPCustomEntity = SourceIP, UrlCustomEntity = requestUri_s\\n),\\n(\\nW3CIISLog\\n| where csUserAgent has_any (UserAgentString) or csUserAgent matches regex UARegex\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent = csUserAgent, SourceIP = cIP, Account = csUserName, Type, sSiteName, csMethod, csUriStem\\n| extend timestamp = StartTime, AccountCustomEntity = Account, IPCustomEntity = SourceIP, UrlCustomEntity = csUriStem\\n),\\n(\\nAWSCloudTrail\\n| where UserAgent has_any (UserAgentString) or UserAgent matches regex UARegex\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = SourceIpAddress, Account = UserIdentityUserName, Type, EventName\\n| extend timestamp = StartTime, AccountCustomEntity = Account, IPCustomEntity = SourceIP\\n),\\n(SigninLogs\\n| where UserAgent has_any (UserAgentString) or UserAgent matches regex UARegex\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = IPAddress, Account = UserPrincipalName, Type, Operation = OperationName, tostring(LocationDetails), tostring(DeviceDetail), AppDisplayName, ClientAppUsed\\n| extend timestamp = StartTime, AccountCustomEntity = Account, IPCustomEntity = SourceIP\\n),\\n(AADNonInteractiveUserSignInLogs \\n| where UserAgent has_any (UserAgentString) or UserAgent matches regex UARegex\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = IPAddress, Account = UserPrincipalName, Type, Operation = OperationName, tostring(LocationDetails), tostring(DeviceDetail), AppDisplayName, ClientAppUsed\\n| extend timestamp = StartTime, AccountCustomEntity = Account, IPCustomEntity = SourceIP\\n),\\n(_Im_WebSession (httpuseragent_has_any=array_concat(UserAgentString,UARegexMinimalString))\\n| where HttpUserAgent has_any (UserAgentString) or HttpUserAgent matches regex UARegex\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by HttpUserAgent, SourceIP = SrcIpAddr, DstIpAddr, Account = SrcUsername, Url, Type\\n| extend timestamp = StartTime, AccountCustomEntity = Account, IPCustomEntity = SourceIP, UrlCustomEntity = Url\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"User agent search for log4j exploitation attempt\",\"description\":\"This query uses various log sources having user agent data to look for log4j CVE-2021-44228 exploitation attempt based on user agent pattern. Log4j is an open-source Apache logging library that is used in \\n many Java-based applications. The regex and the string matching look for the most common attacks. This might not be comprehensive to detect every possible user agent variation.\\n Reference: https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2021-12-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"WAF\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3255ec41-6bd6-4f35-84b1-c032b18bbfcb\",\"name\":\"3255ec41-6bd6-4f35-84b1-c032b18bbfcb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"let starttime = 1d;\\nlet TimeDeltaThresholdInSeconds = 60; // we ignore beacons diffs that fall below this threshold \\nlet TotalBeaconsThreshold = 4; // minimum number of beacons required in a session to surface a row\\nlet JitterTolerance = 0.2; // tolerance to jitter, e.g. - 0.2 = 20% jitter is tolerated either side of the periodicity\\nCommonSecurityLog\\n| where DeviceVendor == \\\"Fortinet\\\"\\n| where TimeGenerated \u003e ago(starttime)\\n// eliminate bad data\\n| where isnotempty(SourceIP) and isnotempty(DestinationIP) and SourceIP != \\\"0.0.0.0\\\"\\n// filter out deny, close, rst and SNMP to reduce data volume\\n| where DeviceAction !in (\\\"close\\\", \\\"client-rst\\\", \\\"server-rst\\\", \\\"deny\\\") and DestinationPort != 161\\n// map input fields\\n| project TimeGenerated , SourceIP, DestinationIP, DestinationPort, ReceivedBytes, SentBytes, DeviceAction \\n// where destination IPs are public\\n| where ipv4_is_private(DestinationIP) == false\\n// sort into source-\u003edestination \u0027sessions\u0027\\n| sort by SourceIP asc, DestinationIP asc, DestinationPort asc, TimeGenerated asc\\n| serialize\\n// time diff the contact times between source and destination to get a list of deltas\\n| extend nextTimeGenerated = next(TimeGenerated, 1), nextSourceIP = next(SourceIP, 1), nextDestIP = next(DestinationIP, 1), nextDestPort = next(DestinationPort, 1)\\n| extend TimeDeltainSeconds = datetime_diff(\\\"second\\\",nextTimeGenerated,TimeGenerated)\\n| where SourceIP == nextSourceIP and DestinationIP == nextDestIP and DestinationPort == nextDestPort\\n// remove small time deltas below the set threshold\\n| where TimeDeltainSeconds \u003e TimeDeltaThresholdInSeconds\\n// summarize the deltas by source-\u003edestination\\n| summarize count(), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), sum(ReceivedBytes), sum(SentBytes), makelist(TimeDeltainSeconds), makeset(DeviceAction) by SourceIP, DestinationIP, DestinationPort\\n// get some statistical properties of the delta distribution and smooth any outliers (e.g. laptop shut overnight, working hours)\\n| extend series_stats(list_TimeDeltainSeconds), outliers=series_outliers(list_TimeDeltainSeconds)\\n// expand the deltas and the outliers\\n| mvexpand list_TimeDeltainSeconds to typeof(double), outliers to typeof(double)\\n// replace outliers with the average of the distribution\\n| extend list_TimeDeltainSeconds_normalized=iff(outliers \u003e 1.5 or outliers \u003c -1.5, series_stats_list_TimeDeltainSeconds_avg , list_TimeDeltainSeconds)\\n// summarize with the smoothed distribution\\n| summarize BeaconCount=count(), makelist(list_TimeDeltainSeconds), list_TimeDeltainSeconds_normalized=makelist(list_TimeDeltainSeconds_normalized), makeset(set_DeviceAction) by StartTime, EndTime, SourceIP, DestinationIP, DestinationPort, sum_ReceivedBytes, sum_SentBytes\\n// get stats on the smoothed distribution\\n| extend series_stats(list_TimeDeltainSeconds_normalized)\\n// match jitter tolerance on smoothed distrib\\n| extend MaxJitter = (series_stats_list_TimeDeltainSeconds_normalized_avg*JitterTolerance)\\n| where series_stats_list_TimeDeltainSeconds_normalized_stdev \u003c MaxJitter\\n// where the minimum beacon threshold is satisfied and there was some data transfer\\n| where BeaconCount \u003e TotalBeaconsThreshold and (sum_SentBytes \u003e 0 or sum_ReceivedBytes \u003e 0)\\n// final projection\\n| project StartTime, EndTime, SourceIP, DestinationIP, DestinationPort, BeaconCount, TimeDeltasInSeconds=list_list_TimeDeltainSeconds, Periodicity=series_stats_list_TimeDeltainSeconds_normalized_avg, ReceivedBytes=sum_ReceivedBytes, SentBytes=sum_SentBytes, Actions=set_set_DeviceAction\\n// where periodicity is order of magnitude larger than time delta threshold (eliminates FPs whose periodicity is close to the values we ignored)\\n| where Periodicity \u003e= (10*TimeDeltaThresholdInSeconds)\\n| extend timestamp = StartTime, IPCustomEntity = DestinationIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Fortinet - Beacon pattern detected\",\"description\":\"Identifies patterns in the time deltas of contacts between internal and external IPs in Fortinet network data that are consistent with beaconing.\\n Accounts for randomness (jitter) and seasonality such as working hours that may have been introduced into the beacon pattern.\\n The lookback is set to 1d, the minimum granularity in time deltas is set to 60 seconds and the minimum number of beacons required to emit a\\n detection is set to 4.\\n Increase the lookback period to capture beacons with larger periodicities.\\n The jitter tolerance is set to 0.2 - This means we account for an overall 20% deviation from the infered beacon periodicity. Seasonality is dealt with\\n automatically using series_outliers.\\n Note: In large environments it may be necessary to reduce the lookback period to get fast query times.\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2020-03-31T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/80733eb7-35b2-45b6-b2b8-3c51df258206\",\"name\":\"80733eb7-35b2-45b6-b2b8-3c51df258206\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let DomainList = dynamic([\\\"monerohash.com\\\", \\\"do-dear.com\\\", \\\"xmrminerpro.com\\\", \\\"secumine.net\\\", \\\"xmrpool.com\\\", \\\"minexmr.org\\\", \\\"hashanywhere.com\\\", \\\"xmrget.com\\\", \\n\\\"mininglottery.eu\\\", \\\"minergate.com\\\", \\\"moriaxmr.com\\\", \\\"multipooler.com\\\", \\\"moneropools.com\\\", \\\"xmrpool.eu\\\", \\\"coolmining.club\\\", \\\"supportxmr.com\\\",\\n\\\"minexmr.com\\\", \\\"hashvault.pro\\\", \\\"xmrpool.net\\\", \\\"crypto-pool.fr\\\", \\\"xmr.pt\\\", \\\"miner.rocks\\\", \\\"walpool.com\\\", \\\"herominers.com\\\", \\\"gntl.co.uk\\\", \\\"semipool.com\\\", \\n\\\"coinfoundry.org\\\", \\\"cryptoknight.cc\\\", \\\"fairhash.org\\\", \\\"baikalmine.com\\\", \\\"tubepool.xyz\\\", \\\"fairpool.xyz\\\", \\\"asiapool.io\\\", \\\"coinpoolit.webhop.me\\\", \\\"nanopool.org\\\", \\n\\\"moneropool.com\\\", \\\"miner.center\\\", \\\"prohash.net\\\", \\\"poolto.be\\\", \\\"cryptoescrow.eu\\\", \\\"monerominers.net\\\", \\\"cryptonotepool.org\\\", \\\"extrmepool.org\\\", \\\"webcoin.me\\\", \\n\\\"kippo.eu\\\", \\\"hashinvest.ws\\\", \\\"monero.farm\\\", \\\"supportxmr.com\\\", \\\"xmrpool.eu\\\", \\\"linux-repository-updates.com\\\", \\\"1gh.com\\\", \\\"dwarfpool.com\\\", \\\"hash-to-coins.com\\\", \\n\\\"hashvault.pro\\\", \\\"pool-proxy.com\\\", \\\"hashfor.cash\\\", \\\"fairpool.cloud\\\", \\\"litecoinpool.org\\\", \\\"mineshaft.ml\\\", \\\"abcxyz.stream\\\", \\\"moneropool.ru\\\", \\\"cryptonotepool.org.uk\\\",\\n\\\"extremepool.org\\\", \\\"extremehash.com\\\", \\\"hashinvest.net\\\", \\\"unipool.pro\\\", \\\"crypto-pools.org\\\", \\\"monero.net\\\", \\\"backup-pool.com\\\", \\\"mooo.com\\\", \\\"freeyy.me\\\", \\\"cryptonight.net\\\",\\n\\\"shscrypto.net\\\"]);\\nSyslog\\n| where ProcessName contains \\\"squid\\\"\\n| extend URL = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :]*)\\\",3,SyslogMessage), \\n SourceIP = extract(\\\"([0-9]+ )(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3}))\\\",2,SyslogMessage), \\n Status = extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))\\\",1,SyslogMessage), \\n HTTP_Status_Code = extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))/([0-9]{3})\\\",8,SyslogMessage),\\n User = extract(\\\"(CONNECT |GET )([^ ]* )([^ ]+)\\\",3,SyslogMessage),\\n RemotePort = extract(\\\"(CONNECT |GET )([^ ]*)(:)([0-9]*)\\\",4,SyslogMessage),\\n Domain = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :\\\\\\\\/]*)\\\",3,SyslogMessage),\\n Bytes = toint(extract(\\\"([A-Z]+\\\\\\\\/[0-9]{3} )([0-9]+)\\\",2,SyslogMessage)),\\n contentType = extract(\\\"([a-z/]+$)\\\",1,SyslogMessage)\\n| extend TLD = extract(\\\"\\\\\\\\.[a-z]*$\\\",0,Domain)\\n| where HTTP_Status_Code == \u0027200\u0027\\n| where Domain contains \\\".\\\"\\n| where Domain has_any (DomainList)\\n| extend timestamp = TimeGenerated, URLCustomEntity = URL, IPCustomEntity = SourceIP, AccountCustomEntity = User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Squid proxy events related to mining pools\",\"description\":\"Checks for Squid proxy events in Syslog associated with common mining pools .This query presumes the default Squid log format is being used. \\n http://www.squid-cache.org/Doc/config/access_log/\",\"lastUpdatedDateUTC\":\"2022-05-31T00:00:00Z\",\"createdDateUTC\":\"2019-07-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3b05727d-a8d1-477d-bbdd-d957da96ac7b\",\"name\":\"3b05727d-a8d1-477d-bbdd-d957da96ac7b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"OfficeActivity\\n| where OfficeWorkload =~ \\\"Exchange\\\"\\n| where Parameters has_any (\\\"ForwardTo\\\", \\\"RedirectTo\\\", \\\"ForwardingSmtpAddress\\\")\\n| mv-apply DynamicParameters = todynamic(Parameters) on (summarize ParsedParameters = make_bag(pack(tostring(DynamicParameters.Name), DynamicParameters.Value)))\\n| evaluate bag_unpack(ParsedParameters, columnsConflict=\u0027replace_source\u0027)\\n| extend DestinationMailAddress = tolower(case(\\n isnotempty(column_ifexists(\\\"ForwardTo\\\", \\\"\\\")), column_ifexists(\\\"ForwardTo\\\", \\\"\\\"),\\n isnotempty(column_ifexists(\\\"RedirectTo\\\", \\\"\\\")), column_ifexists(\\\"RedirectTo\\\", \\\"\\\"),\\n isnotempty(column_ifexists(\\\"ForwardingSmtpAddress\\\", \\\"\\\")), trim_start(@\\\"smtp:\\\", column_ifexists(\\\"ForwardingSmtpAddress\\\", \\\"\\\")),\\n \\\"\\\"))\\n| where isnotempty(DestinationMailAddress)\\n| mv-expand split(DestinationMailAddress, \\\";\\\")\\n| extend ClientIPValues = extract_all(@\u0027\\\\[?(::ffff:)?(?P\u003cIPAddress\u003e(\\\\d+\\\\.\\\\d+\\\\.\\\\d+\\\\.\\\\d+)|[^\\\\]]+)\\\\]?([-:](?P\u003cPort\u003e\\\\d+))?\u0027, dynamic([\\\"IPAddress\\\", \\\"Port\\\"]), ClientIP)[0]\\n| extend ClientIP = tostring(ClientIPValues[0]), Port = tostring(ClientIPValues[1])\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), DistinctUserCount = dcount(UserId), UserId = make_set(UserId, 250), Ports = make_set(Port, 250), EventCount = count() by tostring(DestinationMailAddress), ClientIP\\n| where DistinctUserCount \u003e 1\\n| mv-expand UserId to typeof(string)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]}],\"tactics\":[\"Collection\",\"Exfiltration\"],\"displayName\":\"NRT Multiple users email forwarded to same destination\",\"description\":\"Identifies when multiple (more than one) users mailboxes are configured to forward to the same destination.\\nThis could be an attacker-controlled destination mailbox configured to collect mail from multiple compromised user accounts.\",\"lastUpdatedDateUTC\":\"2022-06-24T00:00:00Z\",\"createdDateUTC\":\"2019-08-23T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/75ea5c39-93e5-489b-b1e1-68fa6c9d2d04\",\"name\":\"75ea5c39-93e5-489b-b1e1-68fa6c9d2d04\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let threshold = 3;\\nlet aadFunc = (tableName:string){\\ntable(tableName)\\n| where ResultType == \\\"50057\\\"\\n| where ResultDescription =~ \\\"User account is disabled. The account has been disabled by an administrator.\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), applicationCount = dcount(AppDisplayName), \\napplicationSet = make_set(AppDisplayName), count() by UserPrincipalName, IPAddress, Type\\n| where applicationCount \u003e= threshold\\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Attempts to sign in to disabled accounts\",\"description\":\"Identifies failed attempts to sign in to disabled accounts across multiple Azure Applications.\\nDefault threshold for Azure Applications attempted to sign in to is 3.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50057 - User account is disabled. The account has been disabled by an administrator.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bfb1c90f-8006-4325-98be-c7fffbc254d6\",\"name\":\"bfb1c90f-8006-4325-98be-c7fffbc254d6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let s_threshold = 30;\\nlet l_threshold = 3;\\nlet aadFunc = (tableName:string){\\ntable(tableName)\\n| where OperationName =~ \\\"Sign-in activity\\\"\\n// Error codes that we want to look at as they are related to the use of incorrect password.\\n| where ResultType in (\\\"50126\\\", \\\"50053\\\" , \\\"50055\\\", \\\"50056\\\")\\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\\n| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\n| extend LocationString = strcat(tostring(LocationDetails.countryOrRegion), \\\"/\\\", tostring(LocationDetails.state), \\\"/\\\", tostring(LocationDetails.city))\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), LocationCount=dcount(LocationString), Location = make_set(LocationString), \\nIPAddress = make_set(IPAddress), IPAddressCount = dcount(IPAddress), AppDisplayName = make_set(AppDisplayName), ResultDescription = make_set(ResultDescription), \\nBrowser = make_set(Browser), OS = make_set(OS), SigninCount = count() by UserPrincipalName, Type \\n// Setting a generic threshold - Can be different for different environment\\n| where SigninCount \u003e s_threshold and LocationCount \u003e= l_threshold\\n| extend tostring(Location), tostring(IPAddress), tostring(AppDisplayName), tostring(ResultDescription), tostring(Browser), tostring(OS)\\n| distinct *\\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Distributed Password cracking attempts in AzureAD\",\"description\":\"Identifies distributed password cracking attempts from the Azure Active Directory SigninLogs.\\nThe query looks for unusually high number of failed password attempts coming from multiple locations for a user account.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50053 Account is locked because the user tried to sign in too many times with an incorrect user ID or password.\\n50055 Invalid password, entered expired password.\\n50056 Invalid or null password - Password does not exist in store for this user.\\n50126 Invalid username or password, or invalid on-premises username or password.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7ad4c32b-d0d2-411c-a0e8-b557afa12fce\",\"name\":\"7ad4c32b-d0d2-411c-a0e8-b557afa12fce\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, FileName = Process, CommandLine, ParentProcessName\\n| where CommandLine contains \\\".decode(\u0027base64\u0027)\\\"\\n or CommandLine contains \\\"base64 --decode\\\"\\n or CommandLine contains \\\".decode64(\\\"\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"Execution\",\"DefenseEvasion\"],\"displayName\":\"NRT Process executed from binary hidden in Base64 encoded file\",\"description\":\"Encoding malicious software is a technique used to obfuscate files from detection.\\nThe first CommandLine component is looking for Python decoding base64.\\nThe second CommandLine component is looking for Bash/sh command line base64 decoding.\\nThe third one is looking for Ruby decoding base64.\",\"lastUpdatedDateUTC\":\"2022-02-08T00:00:00Z\",\"createdDateUTC\":\"2019-01-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/95002681-4ecb-4da3-9ece-26d7e5feaa33\",\"name\":\"95002681-4ecb-4da3-9ece-26d7e5feaa33\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"imAuthentication\\n| where EventResult ==\u0027Failure\u0027\\n| where EventResultDetails == \u0027User disabled\u0027\\n| summarize StartTime=min(EventStartTime), EndTime=max(EventEndTime), disabledAccountLoginAttempts = count()\\n , disabledAccountsTargeted = dcount(TargetUsername), disabledAccountSet = make_set(TargetUsername)\\n , applicationsTargeted = dcount(TargetAppName)\\n , applicationSet = make_set(TargetAppName) \\n by SrcDvcIpAddr, Type\\n| order by disabledAccountLoginAttempts desc\\n| join kind=leftouter \\n (\\n // Consider these IPs suspicious - and alert any related successful sign-ins\\n imAuthentication\\n | where EventResult==\u0027Success\u0027\\n | summarize successfulAccountSigninCount = dcount(TargetUsername), successfulAccountSigninSet = makeset(TargetUsername, 15) by SrcDvcIpAddr, Type\\n // Assume IPs associated with sign-ins from 100+ distinct user accounts are safe\\n | where successfulAccountSigninCount \u003c 100\\n )\\n on SrcDvcIpAddr\\n| where isnotempty(successfulAccountSigninCount)\\n| project StartTime, EndTime, SrcDvcIpAddr, disabledAccountLoginAttempts, disabledAccountsTargeted, disabledAccountSet, applicationSet, \\nsuccessfulAccountSigninCount, successfulAccountSigninSet, Type\\n| order by disabledAccountLoginAttempts\\n| extend timestamp = StartTime, IPCustomEntity = SrcDvcIpAddr\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"Persistence\"],\"displayName\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts (Uses Authentication Normalization)\",\"description\":\"Identifies IPs with failed attempts to sign in to one or more disabled accounts signed in successfully to another account.\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimAuthentication)\",\"lastUpdatedDateUTC\":\"2022-02-14T00:00:00Z\",\"createdDateUTC\":\"2021-07-27T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/795edf2d-cf3e-45b5-8452-fe6c9e6a582e\",\"name\":\"795edf2d-cf3e-45b5-8452-fe6c9e6a582e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"CommonSecurityLog \\n| where isempty(CommunicationDirection) \\n| where DeviceEventClassID in (\\\"733101\\\",\\\"733102\\\",\\\"733103\\\",\\\"733104\\\",\\\"733105\\\")\\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Discovery\",\"Impact\"],\"displayName\":\"Cisco ASA - threat detection message fired\",\"description\":\"Identifies when the Cisco ASA Threat Detection engine fired an alert based on malicious activity occurring on the network inicated by DeviceEventClassID 733101-733105\\nResources: https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs9.html\\nDetails on how to further troubleshoot/investigate: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113685-asa-threat-detection.html\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1785d372-b9fe-4283-96a6-3a1d83cabfd1\",\"name\":\"1785d372-b9fe-4283-96a6-3a1d83cabfd1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"let Tarrask_threats = dynamic([\\\"HackTool:Win64/Tarrask!MS\\\", \\\"HackTool:Win64/Ligolo!MSR\\\", \\\"Behavior:Win32/ScheduledTaskHide.A\\\", \\\"Tarrask\\\"]);\\nDeviceInfo\\n| extend DeviceName = tolower(DeviceName)\\n| join kind=rightouter ( SecurityAlert\\n| where ProviderName == \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)\\n| where ThreatName in~ (Tarrask_threats) or ThreatFamilyName in~ (Tarrask_threats)\\n| extend CompromisedEntity = tolower(CompromisedEntity)\\n) on $left.DeviceName == $right.CompromisedEntity\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CompromisedEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"PublicIP\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"AV detections related to Tarrask malware\",\"description\":\"This query looks for Microsoft Defender AV detections related to Tarrask malware. In Microsoft Sentinel the SecurityAlerts table \\n includes only the Device Name of the affected device, this query joins the DeviceInfo table to clearly connect other information such as Device group, ip, logged on users etc. \\n This would allow the Microsoft Sentinel analyst to have more context related to the alert, if available.\\n Reference: https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-04-12T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/157c0cfc-d76d-463b-8755-c781608cdc1a\",\"name\":\"157c0cfc-d76d-463b-8755-c781608cdc1a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let aadFunc = (tableName:string){\\nCommonSecurityLog\\n| where DeviceVendor =~ \\\"Cisco\\\"\\n| where DeviceAction =~ \\\"denied\\\"\\n| where ipv4_is_private(SourceIP) == false\\n| summarize count() by SourceIP\\n| join (\\n // Successful signins from IPs blocked by the firewall solution are suspect\\n // Include fully successful sign-ins, but also ones that failed only at MFA stage\\n // as that supposes the password was sucessfully guessed.\\n table(tableName)\\n | where ResultType in (\\\"0\\\", \\\"50074\\\", \\\"50076\\\") \\n) on $left.SourceIP == $right.IPAddress\\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIP, AccountCustomEntity = UserPrincipalName\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Cisco - firewall block but success logon to Azure AD\",\"description\":\"Correlate IPs blocked by a Cisco firewall appliance with successful Azure Active Directory signins. \\nBecause the IP was blocked by the firewall, that same IP logging on successfully to AAD is potentially suspect\\nand could indicate credential compromise for the user account.\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2019-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/875d0eb1-883a-4191-bd0e-dbfdeb95a464\",\"name\":\"875d0eb1-883a-4191-bd0e-dbfdeb95a464\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n| where EventID == 5136 \\n| parse EventData with * \u0027AttributeLDAPDisplayName\\\"\u003e\u0027 AttributeLDAPDisplayName \\\"\u003c\\\" *\\n| parse EventData with * \u0027ObjectClass\\\"\u003e\u0027 ObjectClass \\\"\u003c\\\" *\\n| where AttributeLDAPDisplayName == \\\"servicePrincipalName\\\" and ObjectClass == \\\"user\\\"\\n| parse EventData with * \u0027ObjectDN\\\"\u003e\u0027 ObjectDN \\\"\u003c\\\" *\\n| parse EventData with * \u0027AttributeValue\\\"\u003e\u0027 AttributeValue \\\"\u003c\\\" *\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Computer, SubjectAccount, ObjectDN, AttributeValue\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SubjectAccount\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Service Principal Name (SPN) Assigned to User Account\",\"description\":\"This query identifies whether a Active Directory user object was assigned a service principal name which could indicate that an adversary is preparing for performing Kerberoasting. \\nThis query checks for event id 5136 that the Object Class field is \\\"user\\\" and the LDAP Display Name is \\\"servicePrincipalName\\\".\\nRef: https://thevivi.net/assets/docs/2019/theVIVI-AD-Security-Workshop_AfricaHackon2019.pdf\",\"lastUpdatedDateUTC\":\"2022-02-02T00:00:00Z\",\"createdDateUTC\":\"2022-01-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/45076281-35ae-45e0-b443-c32aa0baf965\",\"name\":\"45076281-35ae-45e0-b443-c32aa0baf965\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"High\",\"query\":\"let args = dynamic([\\\"objectcategory\\\",\\\"domainlist\\\",\\\"dcmodes\\\",\\\"adinfo\\\",\\\"trustdmp\\\",\\\"computers_pwdnotreqd\\\",\\\"Domain Admins\\\", \\\"objectcategory=person\\\", \\\"objectcategory=computer\\\", \\\"objectcategory=*\\\",\\\"dclist\\\"]);\\nlet parentProcesses = dynamic([\\\"pwsh.exe\\\",\\\"powershell.exe\\\",\\\"cmd.exe\\\"]);\\nimProcessCreate\\n//looks for execution from a shell\\n| where ActingProcessName has_any (parentProcesses)\\n| extend ActingProcessFileName = tostring(split(ActingProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where ActingProcessFileName in~ (parentProcesses)\\n// main filter\\n| where Process hassuffix \\\"AdFind.exe\\\" or TargetProcessSHA256 == \\\"c92c158d7c37fea795114fa6491fe5f145ad2f8c08776b18ae79db811e8e36a3\\\"\\n // AdFind common Flags to check for from various threat actor TTPs\\n or CommandLine has_any (args)\\n| extend AccountCustomEntity = User, HostCustomEntity = Dvc, ProcessCustomEntity = ActingProcessName, CommandLineCustomEntity = CommandLine, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = TargetProcessSHA256\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"},{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLineCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Discovery\"],\"displayName\":\"Probable AdFind Recon Tool Usage (Normalized Process Events)\",\"description\":\"Identifies the host and account that executed AdFind by hash and filename in addition to common and unique flags that are used by many threat actors in discovery.\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimProcessEvent)\",\"lastUpdatedDateUTC\":\"2022-02-14T00:00:00Z\",\"createdDateUTC\":\"2021-06-09T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/910124df-913c-47e3-a7cd-29e1643fa55e\",\"name\":\"910124df-913c-47e3-a7cd-29e1643fa55e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"//Adjust this threshold to fit environment\\nlet signin_threshold = 5; \\n//Make a list of IPs with failed AWS console logins\\nlet aws_fails = AWSCloudTrail\\n| where EventName == \\\"ConsoleLogin\\\"\\n| extend LoginResult = tostring(parse_json(ResponseElements).ConsoleLogin) \\n| where LoginResult != \\\"Success\\\"\\n| where SourceIpAddress != \\\"127.0.0.1\\\"\\n| summarize count() by SourceIpAddress\\n| where count_ \u003e signin_threshold\\n| summarize make_set(SourceIpAddress);\\n//See if any of those IPs have sucessfully logged into Azure AD.\\nSigninLogs\\n| where ResultType in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n| where IPAddress in (aws_fails) \\n| extend Reason = \\\"Multiple failed AWS Console logins from IP address\\\"\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"Failed AWS Console logons but success logon to AzureAD\",\"description\":\"Identifies a list of IP addresses with a minimum numbe(default of 5) of failed logon attempts to AWS Console.\\nUses that list to identify any successful Azure Active Directory logons from these IPs within the same timeframe.\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2019-08-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a779e2d5-9109-4f0a-a75e-f3d4f3c58560\",\"name\":\"a779e2d5-9109-4f0a-a75e-f3d4f3c58560\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let sha256Hashes = dynamic([\\\"78c255a98003a101fa5ba3f49c50c6922b52ede601edac5db036ab72efc57629\\\", \\\"0588f61dc7e4b24554cffe4ea56d043d8f6139d2569bc180d4a77cf75b68792f\\\", \\\"441a3810b9e89bae12eea285a63f92e98181e9fb9efd6c57ef6d265435484964\\\", \\\"cbae79f66f724e0fe1705d6b5db3cc8a4e89f6bdf4c37004aa1d45eeab26e84b\\\", \\\"fd6515a71530b8329e2c0104d0866c5c6f87546d4b44cc17bbb03e64663b11fc\\\", \\\"5d169e083faa73f2920c8593fb95f599dad93d34a6aa2b0f794be978e44c8206\\\", \\\"7f29b69eb1af1cc6c1998bad980640bfe779525fd5bb775bc36a0ce3789a8bfc\\\", \\\"02a59fe2c94151a08d75a692b550e66a8738eb47f0001234c600b562bf8c227d\\\", \\\"7f84bf6a016ca15e654fb5ebc36fd7407cb32c69a0335a32bfc36cb91e36184d\\\", \\\"afab2e77dc14831f1719e746042063a8ec107de0e9730249d5681d07f598e5ec\\\", \\\"894138dfeee756e366c65a197b4dbef8816406bc32697fac6621601debe17d53\\\", \\\"4611340fdade4e36f074f75294194b64dcf2ec0db00f3d958956b4b0d6586431\\\", \\\"c96ae21b4cf2e28eec222cfe6ca903c4767a068630a73eca58424f9a975c6b7d\\\", \\\"fa30be45c5c5a8f679b42ae85410f6099f66fe2b38eb7aa460bcc022babb41ca\\\", \\\"e64bea4032cf2694e85ede1745811e7585d3580821a00ae1b9123bb3d2d442d6\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, SourceUserID, FileHash, Type\\n| extend timestamp = TimeGenerated, FileHashCustomEntity = \u0027SHA256\u0027, Account = SourceUserID\\n),\\n(imFileEvent\\n| where TargetFileSHA256 has_any (sha256Hashes)\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(Event\\n| where Source =~ \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Image = EventDetail.[4].[\\\"#text\\\"], CommandLine = EventDetail.[10].[\\\"#text\\\"], Hashes = tostring(EventDetail.[17].[\\\"#text\\\"])\\n| extend Hashes = extract_all(@\\\"(?P\u003ckey\u003e\\\\w+)=(?P\u003cvalue\u003e[a-zA-Z0-9]+)\\\", dynamic([\\\"key\\\",\\\"value\\\"]), Hashes)\\n| extend Hashes = column_ifexists(\\\"Hashes\\\", \\\"\\\"), CommandLine = column_ifexists(\\\"CommandLine\\\", \\\"\\\")\\n| where (Hashes has_any (sha256Hashes) ) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, Hashes, CommandLine, Image\\n| extend Type = strcat(Type, \\\": \\\", Source)\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), FileHashCustomEntity = Hashes\\n),\\n(DeviceEvents\\n| where InitiatingProcessSHA256 has_any (sha256Hashes) or SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n),\\n(DeviceFileEvents\\n| where SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n),\\n(DeviceImageLoadEvents\\n| where SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"FileHashCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"KNOTWEED File Hashes July 2022\",\"description\":\"This query looks for references to known KNOTWEED file hashes in various logs.\\n This query was published July 2022.\\n Ref: https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/\",\"lastUpdatedDateUTC\":\"2022-07-27T00:00:00Z\",\"createdDateUTC\":\"2022-07-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceEvents\",\"DeviceFileEvents\",\"DeviceImageLoadEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/aedc5b33-2d7c-42cb-a692-f25ef637cbb1\",\"name\":\"aedc5b33-2d7c-42cb-a692-f25ef637cbb1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let lbtime = 10m;\\nProofpointPOD\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027outbound\u0027\\n| where array_length(todynamic(DstUserUpn)) == 1\\n| extend sender = extract(@\u0027\\\\A(.*?)@\u0027, 1, SrcUserUpn)\\n| extend sender_domain = extract(@\u0027@(.*)$\u0027, 1, SrcUserUpn)\\n| extend recipient = extract(@\u0027\\\\A(.*?)@\u0027, 1, tostring(todynamic(DstUserUpn)[0]))\\n| extend recipient_domain = extract(@\u0027@(.*)$\u0027, 1, tostring(todynamic(DstUserUpn)[0]))\\n| where sender =~ recipient\\n| where sender_domain != recipient_domain\\n| project SrcUserUpn, DstUserUpn\\n| extend AccountCustomEntity = SrcUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"ProofpointPOD - Possible data exfiltration to private email\",\"description\":\"Detects when sender sent email to the non-corporate domain and recipient\u0027s username is the same as sender\u0027s username.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/30fa312c-31eb-43d8-b0cc-bcbdfb360822\",\"name\":\"30fa312c-31eb-43d8-b0cc-bcbdfb360822\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @\u0027^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$\u0027;\\nlet aadFunc = (tableName:string){\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n table(tableName) | where TimeGenerated \u003e= ago(dt_lookBack) and isnotempty(UserPrincipalName)\\n //Normalizing the column to lower case for exact match with EmailSenderAddress column\\n | extend UserPrincipalName = tolower(UserPrincipalName)\\n | where UserPrincipalName matches regex emailregex\\n | extend Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n | extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\n | extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion)\\n // renaming timestamp column so it is clear the log this came from SigninLogs table\\n | extend SigninLogs_TimeGenerated = TimeGenerated, Type = Type\\n)\\non $left.EmailSenderAddress == $right.UserPrincipalName\\n| where SigninLogs_TimeGenerated \u003c ExpirationDateTime\\n| summarize SigninLogs_TimeGenerated = arg_max(SigninLogs_TimeGenerated, *) by IndicatorId, UserPrincipalName\\n| project SigninLogs_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, IPAddress, UserPrincipalName, AppDisplayName,\\nStatusCode, StatusDetails, NetworkIP, NetworkDestinationIP, NetworkSourceIP, Type\\n| extend timestamp = SigninLogs_TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress, URLCustomEntity = Url\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map Email entity to SigninLogs\",\"description\":\"Identifies a match in SigninLogs table from any Email IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d6190dde-8fd2-456a-ac5b-0a32400b0464\",\"name\":\"d6190dde-8fd2-456a-ac5b-0a32400b0464\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let ProcessCreationEvents=() {\\nlet processEvents=(union isfuzzy=true\\n(SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, FileName = Process, CommandLine, ParentProcessName\\n),\\n(WindowsEvent\\n| where EventID==4688\\n| where EventData has_any (\\\".decode(\u0027base64\u0027)\\\", \\\"base64 --decode\\\", \\\".decode64(\\\" )\\n| extend CommandLine = tostring(EventData.CommandLine)\\n| where isnotempty(CommandLine)\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend FileName=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, CommandLine, ParentProcessName\\n));\\nprocessEvents;\\n};\\nProcessCreationEvents \\n| where CommandLine contains \\\".decode(\u0027base64\u0027)\\\"\\n or CommandLine contains \\\"base64 --decode\\\"\\n or CommandLine contains \\\".decode64(\\\" \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), CountToday = count() by Computer, Account, AccountDomain, FileName, CommandLine, ParentProcessName \\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Execution\",\"DefenseEvasion\"],\"displayName\":\"Process executed from binary hidden in Base64 encoded file\",\"description\":\"Encoding malicious software is a technique used to obfuscate files from detection. \\nThe first CommandLine component is looking for Python decoding base64. \\nThe second CommandLine component is looking for Bash/sh command line base64 decoding.\\nThe third one is looking for Ruby decoding base64.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2019-01-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a04cf847-a832-4c60-b687-b0b6147da219\",\"name\":\"a04cf847-a832-4c60-b687-b0b6147da219\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"High\",\"query\":\"let IPList = dynamic([\\\"45.63.52.41\\\",\\\"140.82.17.161\\\",\\\"207.148.101.95\\\",\\\"45.32.87.51\\\",\\\"66.42.98.156\\\",\\\"45.76.144.105\\\",\\\"217.163.28.35\\\",\\\"45.32.141.174\\\",\\\"149.28.165.249\\\",\\\"209.250.225.247\\\",\\\"45.63.100.115\\\",\\\"95.179.229.230\\\",\\\"209.250.233.247\\\",\\\"45.77.121.232\\\",\\\"45.76.175.65\\\",\\\"104.238.160.237\\\",\\\"45.77.181.97\\\",\\\"95.179.192.125\\\",\\\"149.28.93.184\\\",\\\"140.82.16.81\\\",\\\"45.76.173.103\\\",\\\"45.77.255.22\\\",\\\"45.32.11.71\\\",\\\"149.28.77.26\\\",\\\"45.32.54.50\\\",\\\"104.156.233.156\\\",\\\"45.32.21.118\\\",\\\"45.63.62.109\\\",\\\"45.77.244.202\\\",\\\"149.248.11.205\\\",\\\"104.238.190.244\\\"]);\\nlet IOCTerms = \\\"\\\\\\\\?lang=[/..]*/dev/cmdb/sslvpn_websession|/dana-na/jam/[/..]*home/webserver/htdocs/dana/html5acc/guacamole[/..]*etc/passwd\\\\\\\\?\\\";\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where isnotempty(SourceIP) or isnotempty(DestinationIP)\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or has_any_ipv4 (Message, IPList)\\n| extend IPMatch = case(\\nSourceIP in (IPList), \\\"SourceIP\\\", \\nDestinationIP in (IPList), \\\"DestinationIP\\\",\\n\\\"Message\\\") \\n| where Message matches regex IOCTerms\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch\\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\") \\n),\\n(OfficeActivity\\n| where isnotempty(UserAgent) and ClientIP in (IPList)\\n| where UserAgent contains \\\"ExchangeServicesClient/0.0.0.0\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP = ClientIP, Account = UserId, Type, RecordType, OfficeWorkload, UserAgent, OfficeObjectId, IPMatch = \\\"ClientIP\\\"\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, IPCustomEntity = SourceIP\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"Collection\"],\"displayName\":\"Known Manganese IP and UserAgent activity\",\"description\":\"Matches IP plus UserAgent IOCs in OfficeActivity data, along with IP plus Connection string information in the CommonSecurityLog data related to Manganese group activity.\\nReferences: \\nhttps://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/\\nhttps://fortiguard.com/psirt/FG-IR-18-384\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-10-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/74ed028d-e392-40b7-baef-e69627bf89d1\",\"name\":\"74ed028d-e392-40b7-baef-e69627bf89d1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"AzureDevOpsAuditing\\n| where OperationName =~ \\\"AuditLog.StreamDisabledByUser\\\"\\n| extend StreamType = tostring(Data.ConsumerType)\\n| project-reorder TimeGenerated, Details, ActorUPN, IpAddress, UserAgent, StreamType\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"NRT Azure DevOps Audit Stream Disabled\",\"description\":\"Azure DevOps allow for audit logs to be streamed to external storage solutions such as SIEM solutions. An attacker looking to hide malicious Azure DevOps activity from defenders may look to disable data streams \\n before conducting activity and then re-enabling the stream after (so as not to raise data threshold-based alarms). Looking for disabled audit streams can identify this activity, and due to the nature of the action \\n its unlikely to have a high false positive rate.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a356c8bd-c81d-428b-aa36-83be706be034\",\"name\":\"a356c8bd-c81d-428b-aa36-83be706be034\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"// AADJoined or Register Device Registry Keys\\nlet aadJoinRoot = \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\ControlSet001\\\\\\\\Control\\\\\\\\CloudDomainJoin\\\\\\\\JoinInfo\\\\\\\\\\\";\\nlet aadRegisteredRoot = \\\"\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\WorkplaceJoin\\\";\\n// Transport Key Registry Key\\nlet keyTransportKey = \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\ControlSet001\\\\\\\\Control\\\\\\\\Cryptography\\\\\\\\Ngc\\\\\\\\KeyTransportKey\\\\\\\\\\\";\\n(union isfuzzy=true\\n(\\n// Access to Object Requested\\nSecurityEvent\\n| where EventID == \u00274656\u0027\\n| where EventData contains aadJoinRoot or EventData contains aadRegisteredRoot\\n| extend EventData = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Computer, EventID)\\n| where ObjectType == \u0027Key\u0027\\n| where ObjectName startswith aadJoinRoot and SubjectLogonId != \u00270x3e7\u0027 //Local System\\n| extend ProcessId = column_ifexists(\\\"ProcessId\\\", \\\"\\\"), Process = split(ProcessName, \u0027\\\\\\\\\u0027, -1)[-1],Account = strcat(SubjectDomainName, \\\"\\\\\\\\\\\", SubjectUserName)\\n| join kind=innerunique (\\n SecurityEvent\\n | where EventID == \u00274656\u0027\\n | where EventData contains keyTransportKey\\n | extend EventData = parse_xml(EventData).EventData.Data\\n | mv-expand bagexpansion=array EventData\\n | evaluate bag_unpack(EventData)\\n | extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n | evaluate pivot(Key, any(Value), TimeGenerated, Computer, EventID)\\n | extend ObjectName = column_ifexists(\\\"ObjectName\\\", \\\"\\\"),ObjectType = column_ifexists(\\\"ObjectType\\\", \\\"\\\")\\n | where ObjectType == \u0027Key\u0027\\n | where ObjectName startswith keyTransportKey and SubjectLogonId != \u00270x3e7\u0027 //Local System\\n | extend ProcessId = column_ifexists(\\\"ProcessId\\\", \\\"\\\"), Process = split(ProcessName, \u0027\\\\\\\\\u0027, -1)[-1],Account = strcat(SubjectDomainName, \\\"\\\\\\\\\\\", SubjectUserName)\\n) on $left.Computer == $right.Computer and $left.SubjectLogonId == $right.SubjectLogonId and $left.ProcessId == $right.ProcessId\\n| project TimeGenerated, Computer, Account, SubjectDomainName, SubjectUserName, SubjectLogonId, ObjectName, tostring(Process), ProcessName, ProcessId, EventID\\n),\\n// Accessing Object\\n(\\nSecurityEvent\\n| where EventID == \u00274663\u0027\\n| where ObjectType == \u0027Key\u0027\\n| where (ObjectName startswith aadJoinRoot or ObjectName contains aadRegisteredRoot) and SubjectLogonId != \u00270x3e7\u0027 //Local System\\n| extend Account = SubjectAccount\\n| join kind=innerunique (\\n SecurityEvent\\n | where EventID == \u00274663\u0027\\n | where ObjectType == \u0027Key\u0027\\n | where ObjectName contains keyTransportKey and SubjectLogonId != \u00270x3e7\u0027 //Local System\\n | extend Account = SubjectAccount\\n) on $left.Computer == $right.Computer and $left.SubjectLogonId == $right.SubjectLogonId and $left.ProcessId == $right.ProcessId\\n| project TimeGenerated, Computer, Account, SubjectDomainName, SubjectUserName, SubjectLogonId, ObjectName, Process, ProcessName, ProcessId, EventID\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"Discovery\"],\"displayName\":\"AAD Local Device Join Information and Transport Key Registry Keys Access\",\"description\":\"This detection uses Windows security events to detect suspicious access attempts by the same process\\n to registry keys that provide information about an AAD joined or registered devices and Transport keys (tkpub / tkpriv).\\n This information can be used to export the Device Certificate (dkpub / dkpriv) and Transport key (tkpub/tkpriv).\\n These set of keys can be used to impersonate existing Azure AD joined devices.\\n This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable objects:\\n HKLM:\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\CloudDomainJoin (AAD joined devices)\\n HKCU:\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\WorkplaceJoin (AAD registered devices)\\n HKLM:\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Cryptography\\\\Ngc\\\\KeyTransportKey (Transport Key)\\n Make sure you set the SACL to propagate to its sub-keys. You can find more information in here https://github.com/OTRF/Set-AuditRule/blob/master/rules/registry/aad_connect_health_service_agent.yml\\n Reference: https://o365blog.com/post/deviceidentity/\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-02-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/58fc0170-0877-4ea8-a9ff-d805e361cfae\",\"name\":\"58fc0170-0877-4ea8-a9ff-d805e361cfae\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"let schedule_lookback = 14d; \\nlet join_lookback = 1d; \\n// If you want to whitelist specific timezones include them in a list here\\nlet tz_whitelist = dynamic([]);\\nlet meetings = ( \\nZoomLogs \\n| where TimeGenerated \u003e= ago(schedule_lookback) \\n| where Event =~ \\\"meeting.created\\\" \\n| extend MeetingId = tostring(parse_json(MeetingEvents).MeetingId) \\n| extend SchedTimezone = tostring(parse_json(MeetingEvents).Timezone)); \\nZoomLogs \\n| where TimeGenerated \u003e= ago(join_lookback) \\n| where Event =~ \\\"meeting.participant_joined\\\" \\n| extend JoinedTimeZone = tostring(parse_json(MeetingEvents).Timezone) \\n| extend MeetingName = tostring(parse_json(MeetingEvents).MeetingName) \\n| extend MeetingId = tostring(parse_json(MeetingEvents).MeetingId) \\n| where JoinedTimeZone !in (tz_whitelist)\\n| join (meetings) on MeetingId \\n| where SchedTimezone != JoinedTimeZone \\n| project TimeGenerated, MeetingName, JoiningUser=payload_object_participant_user_name_s, JoinedTimeZone, SchedTimezone, MeetingScheduler=User1 \\n| extend timestamp = TimeGenerated, AccountCustomEntity = JoiningUser\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"PrivilegeEscalation\"],\"displayName\":\"User joining Zoom meeting from suspicious timezone\",\"description\":\"The alert shows users that join a Zoom meeting from a time zone other than the one the meeting was created in.\\nYou can also whitelist known good time zones in the tz_whitelist value using the tz database name format https://en.wikipedia.org/wiki/List_of_tz_database_time_zones\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2020-04-24T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a09a0b8e-30fe-4ebf-94a0-cffe50f579cd\",\"name\":\"a09a0b8e-30fe-4ebf-94a0-cffe50f579cd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n | where OperationName =~ \\\"Update user\\\"\\n | where Result =~ \\\"success\\\"\\n | mv-expand TargetResources\\n | mv-expand TargetResources.modifiedProperties\\n | where TargetResources_modifiedProperties.displayName =~ \\\"TargetId.UserType\\\"\\n | extend UpdatingServicePrincipal = tostring(parse_json(tostring(InitiatedBy.app)).servicePrincipalId)\\n | extend UpdatingUserPrincipal = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend UpdatingUser = iif(isnotempty(UpdatingServicePrincipal), UpdatingServicePrincipal, UpdatingUserPrincipal)\\n | extend UpdatedUserPrincipalName = tostring(TargetResources.userPrincipalName)\\n | project-reorder TimeGenerated, UpdatedUserPrincipalName, UpdatingUser\\n | where parse_json(tostring(TargetResources_modifiedProperties.newValue)) =~ \\\"\\\\\\\"Member\\\\\\\"\\\" and parse_json(tostring(TargetResources_modifiedProperties.oldValue)) =~ \\\"\\\\\\\"Guest\\\\\\\"\\\"\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UpdatingUser\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UpdatedUserPrincipalName\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"User State changed from Guest to Member\",\"description\":\"Detects when a guest account in a tenant is converted to a member of the tenant.\\n Monitoring guest accounts and the access they are provided is important to detect potential account abuse.\\n Accounts converted to members should be investigated to ensure the activity was legitimate.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b12b3dab-d973-45af-b07e-e29bb34d8db9\",\"name\":\"b12b3dab-d973-45af-b07e-e29bb34d8db9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let timeframe = 15m;\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(timeframe)\\n| where HttpUserAgentOriginal contains \\\"WindowsPowerShell\\\"\\n| extend Message = \\\"Windows PowerShell User Agent\\\"\\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated,HttpUserAgentOriginal\\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"DefenseEvasion\"],\"displayName\":\"Cisco Umbrella - Windows PowerShell User-Agent Detected\",\"description\":\"Rule helps to detect Powershell user-agent activity by an unusual process other than a web browser.\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d722831e-88f5-4e25-b106-4ef6e29f8c13\",\"name\":\"d722831e-88f5-4e25-b106-4ef6e29f8c13\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P8D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"// a threshold can be enabled, see commented line below for PrevSeenCount\\nlet threshold = 2;\\nlet uploadOp = \u0027FileUploaded\u0027;\\n// Extensions that are interesting. Add/Remove to this list as you see fit\\nlet execExt = dynamic([\u0027exe\u0027, \u0027inf\u0027, \u0027gzip\u0027, \u0027cmd\u0027, \u0027bat\u0027]);\\nlet starttime = 8d;\\nlet endtime = 1d;\\nOfficeActivity | where TimeGenerated \u003e= ago(endtime)\\n// Limited to File Uploads due to potential noise, comment out the Operation statement below to include any operation type\\n// Additional, but potentially noisy operation types that include Uploads and Downloads can be included by adding the following - Operation contains \\\"upload\\\" or Operation contains \\\"download\\\"\\n| where Operation =~ uploadOp\\n| where SourceFileExtension has_any (execExt)\\n| project TimeGenerated, OfficeId, OfficeWorkload, RecordType, Operation, UserType, UserKey, UserId, ClientIP, UserAgent, Site_Url, SourceRelativeUrl, SourceFileName\\n| join kind= leftanti (\\nOfficeActivity | where TimeGenerated between (ago(starttime) .. ago(endtime))\\n| where Operation =~ uploadOp\\n| where SourceFileExtension has_any (execExt)\\n| summarize SourceRelativeUrl = make_set(SourceRelativeUrl), UserId = make_set(UserId) , PrevSeenCount = count() by SourceFileName\\n// To exclude previous matches when only above a specific count, change threshold above and uncomment the line below\\n//| where PrevSeenCount \u003e threshold\\n| mvexpand SourceRelativeUrl, UserId\\n| extend SourceRelativeUrl = tostring(SourceRelativeUrl), UserId = tostring(UserId)\\n) on SourceFileName, SourceRelativeUrl, UserId \\n| extend SiteUrlUserFolder = tolower(split(Site_Url, \u0027/\u0027)[-2])\\n| extend UserIdUserFolderFormat = tolower(replace(\u0027@|\\\\\\\\.\u0027, \u0027_\u0027,UserId))\\n// identify when UserId is not a match to the specific site url personal folder reference\\n| extend UserIdDiffThanUserFolder = iff(Site_Url has \u0027/personal/\u0027 and SiteUrlUserFolder != UserIdUserFolderFormat, true , false ) \\n| summarize TimeGenerated = make_list(TimeGenerated), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), \\nUserAgents = make_list(UserAgent), OfficeIds = make_list(OfficeId), SourceRelativeUrls = make_list(SourceRelativeUrl), FileNames = make_list(SourceFileName)\\nby OfficeWorkload, RecordType, Operation, UserType, UserKey, UserId, ClientIP, Site_Url, SiteUrlUserFolder, UserIdUserFolderFormat, UserIdDiffThanUserFolder\\n| extend timestamp = StartTime, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Site_Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"New executable via Office FileUploaded Operation\",\"description\":\"Identifies when executable file types are uploaded to Office services such as SharePoint and OneDrive.\\nList currently includes \u0027exe\u0027, \u0027inf\u0027, \u0027gzip\u0027, \u0027cmd\u0027, \u0027bat\u0027 file extensions.\\nAdditionally, identifies when a given user is uploading these files to another users workspace.\\nThis may be indication of a staging location for malware or other malicious activity.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/69a45b05-71f5-45ca-8944-2e038747fb39\",\"name\":\"69a45b05-71f5-45ca-8944-2e038747fb39\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P8D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let endtime = 1d;\\nlet starttime = 8d;\\n// The threshold below excludes matching on RDP connection computer counts of 5 or more by a given account and IP in a given day. Change the threshold as needed.\\nlet threshold = 5;\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4624 and LogonType == 10\\n// Labeling the first RDP connection time, computer and ip\\n| extend FirstHop = TimeGenerated, FirstComputer = toupper(Computer), FirstIPAddress = IpAddress, Account = tolower(Account)\\n),\\n( WindowsEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4624 and EventData has (\\\"10\\\")\\n| extend LogonType = tostring(EventData.LogonType)\\n| where LogonType == 10 // Labeling the first RDP connection time, computer and ip\\n| extend Account = strcat(tostring(EventData.TargetDomainName),\\\"\\\\\\\\\\\", tostring(EventData.TargetUserName))\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| extend FirstHop = TimeGenerated, FirstComputer = toupper(Computer), FirstIPAddress = IpAddress, Account = tolower(Account)\\n))\\n| join kind=inner (\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4624 and LogonType == 10\\n// Labeling the second RDP connection time, computer and ip\\n| extend SecondHop = TimeGenerated, SecondComputer = toupper(Computer), SecondIPAddress = IpAddress, Account = tolower(Account)\\n),\\n(WindowsEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4624 and EventData has (\\\"10\\\")\\n| extend LogonType = toint(EventData.LogonType)\\n| where LogonType == 10 // Labeling the second RDP connection time, computer and ip\\n| extend Account = strcat(tostring(EventData.TargetDomainName),\\\"\\\\\\\\\\\", tostring(EventData.TargetUserName))\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| extend SecondHop = TimeGenerated, SecondComputer = toupper(Computer), SecondIPAddress = IpAddress, Account = tolower(Account)\\n))\\n) on Account\\n// Make sure that the first connection is after the second connection --\u003e SecondHop \u003e FirstHop\\n// Then identify only RDP to another computer from within the first RDP connection by only choosing matches where the Computer names do not match --\u003e FirstComputer != SecondComputer\\n// Then make sure the IPAddresses do not match by excluding connections from the same computers with first hop RDP connections to multiple computers --\u003e FirstIPAddress != SecondIPAddress\\n| where FirstComputer != SecondComputer and FirstIPAddress != SecondIPAddress and SecondHop \u003e FirstHop\\n// where the second hop occurs within 30 minutes of the first hop\\n| where SecondHop \u003c= FirstHop+30m\\n| distinct Account, FirstHop, FirstComputer, FirstIPAddress, SecondHop, SecondComputer, SecondIPAddress, AccountType, Activity, LogonTypeName, ProcessName\\n// use left anti to exclude anything from the previous 7 days where the Account and IP has connected 5 or more computers.\\n| join kind=leftanti (\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e= ago(starttime) and TimeGenerated \u003c ago(endtime)\\n| where EventID == 4624 and LogonType == 10\\n| summarize makeset(Computer), ComputerCount = dcount(Computer) by bin(TimeGenerated, 1d), Account = tolower(Account), IpAddress\\n// Connection count to computer by same account and IP to exclude counts of 5 or more on a given day\\n| where ComputerCount \u003e= threshold\\n| mvexpand set_Computer\\n| extend Computer = toupper(set_Computer)\\n),\\n(WindowsEvent\\n| where TimeGenerated \u003e= ago(starttime) and TimeGenerated \u003c ago(endtime)\\n| where EventID == 4624 and EventData has (\\\"10\\\")\\n| extend LogonType = tostring(EventData.LogonType)\\n| where LogonType == 10 \\n| extend Account = strcat(tostring(EventData.TargetDomainName),\\\"\\\\\\\\\\\", tostring(EventData.TargetUserName))\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| summarize makeset(Computer), ComputerCount = dcount(Computer) by bin(TimeGenerated, 1d), Account = tolower(Account), IpAddress\\n// Connection count to computer by same account and IP to exclude counts of 5 or more on a given day\\n| where ComputerCount \u003e= threshold\\n| mvexpand set_Computer\\n| extend Computer = toupper(set_Computer)\\n))\\n) on Account, $left.SecondComputer == $right.Computer, $left.SecondIPAddress == $right.IpAddress\\n| summarize FirstHopFirstSeen = min(FirstHop), FirstHopLastSeen = max(FirstHop) by Account, FirstComputer, FirstIPAddress, SecondHop, SecondComputer, \\nSecondIPAddress, AccountType, Activity, LogonTypeName, ProcessName\\n| extend timestamp = FirstHopFirstSeen, AccountCustomEntity = Account, HostCustomEntity = FirstComputer, IPCustomEntity = FirstIPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"LateralMovement\"],\"displayName\":\"RDP Nesting\",\"description\":\"Identifies when an RDP connection is made to a first system and then an RDP connection is made from the first system\\nto another system with the same account within the 60 minutes. Additionally, if historically daily\\nRDP connections are indicated by the logged EventID 4624 with LogonType = 10\",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2019-10-21T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/884c4957-70ea-4f57-80b9-1bca3890315b\",\"name\":\"884c4957-70ea-4f57-80b9-1bca3890315b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let timeBin = 10m;\\nlet failedThreshold = 100;\\nW3CIISLog\\n| where scStatus in (\\\"401\\\",\\\"403\\\")\\n| where csUserName != \\\"-\\\"\\n// Handling Exchange specific items in IIS logs to remove the unique log identifier in the URI\\n| extend csUriQuery = iff(csUriQuery startswith \\\"MailboxId=\\\", tostring(split(csUriQuery, \\\"\u0026\\\")[0]) , csUriQuery )\\n| extend csUriQuery = iff(csUriQuery startswith \\\"X-ARR-CACHE-HIT=\\\", strcat(tostring(split(csUriQuery, \\\"\u0026\\\")[0]),tostring(split(csUriQuery, \\\"\u0026\\\")[1])) , csUriQuery )\\n| extend scStatusFull = strcat(scStatus, \\\".\\\",scSubStatus) \\n// Map common IIS codes\\n| extend scStatusFull_Friendly = case(\\nscStatusFull == \\\"401.0\\\", \\\"Access denied.\\\",\\nscStatusFull == \\\"401.1\\\", \\\"Logon failed.\\\",\\nscStatusFull == \\\"401.2\\\", \\\"Logon failed due to server configuration.\\\",\\nscStatusFull == \\\"401.3\\\", \\\"Unauthorized due to ACL on resource.\\\",\\nscStatusFull == \\\"401.4\\\", \\\"Authorization failed by filter.\\\",\\nscStatusFull == \\\"401.5\\\", \\\"Authorization failed by ISAPI/CGI application.\\\",\\nscStatusFull == \\\"403.0\\\", \\\"Forbidden.\\\",\\nscStatusFull == \\\"403.4\\\", \\\"SSL required.\\\",\\n\\\"See - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\\")\\n// Mapping to Hex so can be mapped using website in comments above\\n| extend scWin32Status_Hex = tohex(tolong(scWin32Status)) \\n// Map common win32 codes\\n| extend scWin32Status_Friendly = case(\\nscWin32Status_Hex =~ \\\"775\\\", \\\"The referenced account is currently locked out and cannot be logged on to.\\\",\\nscWin32Status_Hex =~ \\\"52e\\\", \\\"Logon failure: Unknown user name or bad password.\\\",\\nscWin32Status_Hex =~ \\\"532\\\", \\\"Logon failure: The specified account password has expired.\\\",\\nscWin32Status_Hex =~ \\\"533\\\", \\\"Logon failure: Account currently disabled.\\\", \\nscWin32Status_Hex =~ \\\"2ee2\\\", \\\"The request has timed out.\\\", \\nscWin32Status_Hex =~ \\\"0\\\", \\\"The operation completed successfully.\\\", \\nscWin32Status_Hex =~ \\\"1\\\", \\\"Incorrect function.\\\", \\nscWin32Status_Hex =~ \\\"2\\\", \\\"The system cannot find the file specified.\\\", \\nscWin32Status_Hex =~ \\\"3\\\", \\\"The system cannot find the path specified.\\\", \\nscWin32Status_Hex =~ \\\"4\\\", \\\"The system cannot open the file.\\\", \\nscWin32Status_Hex =~ \\\"5\\\", \\\"Access is denied.\\\", \\nscWin32Status_Hex =~ \\\"8009030e\\\", \\\"SEC_E_NO_CREDENTIALS\\\", \\nscWin32Status_Hex =~ \\\"8009030C\\\", \\\"SEC_E_LOGON_DENIED\\\", \\n\\\"See - https://msdn.microsoft.com/library/cc231199.aspx\\\")\\n// decode URI when available\\n| extend decodedUriQuery = url_decode(csUriQuery)\\n// Count of failed logons by a user\\n| summarize makeset(decodedUriQuery), makeset(cIP), makeset(sSiteName), makeset(sPort), makeset(csUserAgent), makeset(csMethod), makeset(csUriQuery), makeset(scStatusFull), makeset(scStatusFull_Friendly), makeset(scWin32Status_Hex), makeset(scWin32Status_Friendly), FailedConnectionsCount = count() by bin(TimeGenerated, timeBin), csUserName, Computer, sIP\\n| where FailedConnectionsCount \u003e= failedThreshold\\n| project TimeGenerated, csUserName, set_decodedUriQuery, Computer, set_sSiteName, sIP, set_cIP, set_sPort, set_csUserAgent, set_csMethod, set_scStatusFull, set_scStatusFull_Friendly, set_scWin32Status_Hex, set_scWin32Status_Friendly, FailedConnectionsCount\\n| order by FailedConnectionsCount\\n| extend timestamp = TimeGenerated, AccountCustomEntity = csUserName, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"High count of failed logons by a user\",\"description\":\"Identifies when 100 or more failed attempts by a given user in 10 minutes occur on the IIS Server.\\nThis could be indicative of attempted brute force based on known account information.\\nThis could also simply indicate a misconfigured service or device. \\nReferences:\\nIIS status code mapping - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\nWin32 Status code mapping - https://msdn.microsoft.com/library/cc231199.aspx\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-03-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7efc75ce-e2a4-400f-a8b1-283d3b0f2c60\",\"name\":\"7efc75ce-e2a4-400f-a8b1-283d3b0f2c60\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Low\",\"query\":\"let WellKnownLocalSID = \\\"S-1-5-32-5[0-9][0-9]$\\\";\\nlet WellKnownGroupSID = \\\"S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\\\";\\nlet AC_Add = \\n(union isfuzzy=true \\n(SecurityEvent\\n// Event ID related to member addition.\\n| where EventID in (4728, 4732,4756) \\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID \\n| parse EventData with * \u0027\\\"MemberName\\\"\u003e\u0027 * \u0027=\u0027 AccountAdded \\\",OU\\\" *\\n| where isnotempty(AccountAdded)\\n| extend GroupAddedTo = TargetUserName, AddingAccount = Account \\n| extend AccountAdded_GroupAddedTo_AddingAccount = strcat(AccountAdded, \\\"||\\\", GroupAddedTo, \\\"||\\\", AddingAccount )\\n| project AccountAdded_GroupAddedTo_AddingAccount, AccountAddedTime = TimeGenerated\\n),\\n(WindowsEvent\\n// Event ID related to member addition.\\n| where EventID in (4728, 4732,4756) \\n| extend TargetSid = tostring(EventData.TargetSid)\\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID \\n| parse EventData.MemberName with * \u0027\\\"MemberName\\\"\u003e\u0027 * \u0027=\u0027 AccountAdded \\\",OU\\\" *\\n| where isnotempty(AccountAdded)\\n| extend TargetUserName = tostring(EventData.TargetUserName)\\n| extend AddingAccount = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend GroupAddedTo = TargetUserName\\n| extend AccountAdded_GroupAddedTo_AddingAccount = strcat(AccountAdded, \\\"||\\\", GroupAddedTo, \\\"||\\\", AddingAccount )\\n| project AccountAdded_GroupAddedTo_AddingAccount, AccountAddedTime = TimeGenerated\\n)\\n);\\nlet AC_Remove = \\n( union isfuzzy=true \\n(SecurityEvent\\n// Event IDs related to member removal.\\n| where EventID in (4729,4733,4757)\\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID \\n| parse EventData with * \u0027\\\"MemberName\\\"\u003e\u0027 * \u0027=\u0027 AccountRemoved \\\",OU\\\" * \\n| where isnotempty(AccountRemoved)\\n| extend GroupRemovedFrom = TargetUserName, RemovingAccount = Account\\n| extend AccountRemoved_GroupRemovedFrom_RemovingAccount = strcat(AccountRemoved, \\\"||\\\", GroupRemovedFrom, \\\"||\\\", RemovingAccount)\\n| project AccountRemoved_GroupRemovedFrom_RemovingAccount, AccountRemovedTime = TimeGenerated, Computer, RemovedAccountId = tolower(AccountRemoved), \\nRemovedByUser = SubjectUserName, RemovedByUserLogonId = SubjectLogonId, GroupRemovedFrom = TargetUserName, TargetDomainName\\n),\\n(WindowsEvent\\n// Event IDs related to member removal.\\n| where EventID in (4729,4733,4757)\\n| extend TargetSid = tostring(EventData.TargetSid)\\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID \\n| parse EventData.MemberName with * \u0027\\\"MemberName\\\"\u003e\u0027 * \u0027=\u0027 AccountRemoved \\\",OU\\\" * \\n| where isnotempty(AccountRemoved)\\n| extend TargetUserName = tostring(EventData.TargetUserName)\\n| extend RemovingAccount = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend GroupRemovedFrom = TargetUserName\\n| extend AccountRemoved_GroupRemovedFrom_RemovingAccount = strcat(AccountRemoved, \\\"||\\\", GroupRemovedFrom, \\\"||\\\", RemovingAccount)\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| extend SubjectLogonId = tostring(EventData.SubjectLogonId)\\n| extend TargetDomainName = tostring(EventData.TargetDomainName)\\n| project AccountRemoved_GroupRemovedFrom_RemovingAccount, AccountRemovedTime = TimeGenerated, Computer, RemovedAccountId = tolower(AccountRemoved), \\nRemovedByUser = SubjectUserName, RemovedByUserLogonId = SubjectLogonId, GroupRemovedFrom = TargetUserName, TargetDomainName\\n)); \\nAC_Add \\n| join kind= inner AC_Remove on $left.AccountAdded_GroupAddedTo_AddingAccount == $right.AccountRemoved_GroupRemovedFrom_RemovingAccount \\n| extend DurationinSecondAfter_Removed = datetime_diff (\u0027second\u0027, AccountRemovedTime, AccountAddedTime)\\n| where DurationinSecondAfter_Removed \u003e 0\\n| project-away AccountRemoved_GroupRemovedFrom_RemovingAccount\\n| extend timestamp = AccountAddedTime, AccountCustomEntity = RemovedAccountId, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Account added and removed from privileged groups\",\"description\":\"Identifies accounts that are added to privileged group and then quickly removed, which could be a sign of compromise.\u0027 \",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2019-04-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f68a5046-b7eb-4f69-9519-1e99708bb9e0\",\"name\":\"f68a5046-b7eb-4f69-9519-1e99708bb9e0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"DeviceFileEvents\\n | where ActionType =~ \\\"FileCreated\\\"\\n | where FolderPath has \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\spool\\\\\\\\drivers\\\\\\\\color\\\\\\\\\\\" \\n | where FileName endswith \\\".exe\\\" or FileName endswith \\\".dll\\\"\",\"entityMappings\":[{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"FileName\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"DeviceName\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"PE file dropped in Color Profile Folder\",\"description\":\"This query looks for writes of PE files to C:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\color\\\\.\\n This is a common directory used by malware, as well as some legitimate programs, and writes of PE files to the folder should be monitored.\\n Ref: https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/\",\"lastUpdatedDateUTC\":\"2022-07-26T00:00:00Z\",\"createdDateUTC\":\"2022-07-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a3df4a32-4805-4c6d-8699-f3c888af2f67\",\"name\":\"a3df4a32-4805-4c6d-8699-f3c888af2f67\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"let Alert1 = \\nSecurityAlert\\n| where AlertName == \\\"Unfamiliar sign-in properties\\\"\\n| extend UserPrincipalName = tostring(parse_json(ExtendedProperties).[\\\"User Account\\\"])\\n| extend Alert1Time = TimeGenerated\\n| extend Alert1 = AlertName\\n| extend Alert1Severity = AlertSeverity\\n;\\nlet Alert2 = \\nSecurityAlert\\n| where AlertName == \\\"Atypical travel\\\"\\n| extend UserPrincipalName = tostring(parse_json(ExtendedProperties).[\\\"User Account\\\"])\\n| extend Alert2Time = TimeGenerated\\n| extend Alert2 = AlertName\\n| extend Alert2Severity = AlertSeverity\\n| extend CurrentLocation = strcat(tostring(parse_json(tostring(parse_json(Entities)[2].Location)).CountryCode), \\\"|\\\", tostring(parse_json(tostring(parse_json(Entities)[2].Location)).State), \\\"|\\\", tostring(parse_json(tostring(parse_json(Entities)[2].Location)).City))\\n| extend PreviousLocation = strcat(tostring(parse_json(tostring(parse_json(Entities)[3].Location)).CountryCode), \\\"|\\\", tostring(parse_json(tostring(parse_json(Entities)[3].Location)).State), \\\"|\\\", tostring(parse_json(tostring(parse_json(Entities)[3].Location)).City))\\n| extend CurrentIPAddress = tostring(parse_json(Entities)[2].Address)\\n| extend PreviousIPAddress = tostring(parse_json(Entities)[3].Address)\\n;\\nAlert1\\n| join kind=inner Alert2 on UserPrincipalName\\n| where abs(datetime_diff(\u0027minute\u0027, Alert1Time, Alert2Time)) \u003c=10\\n| extend TimeDelta = Alert1Time - Alert2Time\\n| project UserPrincipalName, Alert1, Alert1Time, Alert1Severity, Alert2, Alert2Time, Alert2Severity, TimeDelta, CurrentLocation, PreviousLocation, CurrentIPAddress, PreviousIPAddress\\n| extend AccountCustomEntity = UserPrincipalName\\n| extend IPCustomEntity = CurrentIPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Correlate Unfamiliar sign-in properties and atypical travel alerts\",\"description\":\"The combination of an Unfamiliar sign-in properties alert and an Atypical travel alert about the same user within a +10m or -10m window is considered a high severity incident.\",\"lastUpdatedDateUTC\":\"2021-12-07T00:00:00Z\",\"createdDateUTC\":\"2020-09-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectoryIdentityProtection\",\"dataTypes\":[\"SecurityAlert (IPC)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ed8c9153-6f7a-4602-97b4-48c336b299e1\",\"name\":\"ed8c9153-6f7a-4602-97b4-48c336b299e1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let guids = dynamic([\\\"{ddc05a5a-351a-4e06-8eaf-54ec1bc2dcea}\\\",\\\"{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\\\",\\\"{4590f811-1d3a-11d0-891f-00aa004b2e24}\\\", \\\"{4de225bf-cf59-4cfc-85f7-68b90f185355}\\\", \\\"{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A}\\\"]);\\n let mde_data = DeviceRegistryEvents\\n | where ActionType =~ \\\"RegistryValueSet\\\"\\n | where RegistryKey contains \\\"HKEY_LOCAL_MACHINE\\\\\\\\SOFTWARE\\\\\\\\Classes\\\\\\\\CLSID\\\"\\n | where RegistryKey has_any (guids)\\n | where RegistryValueData has \\\"System32\\\\\\\\spool\\\\\\\\drivers\\\\\\\\color\\\";\\n let event_data = SecurityEvent\\n | where EventID == 4657\\n | where ObjectName contains \\\"HKEY_LOCAL_MACHINE\\\\\\\\SOFTWARE\\\\\\\\Classes\\\\\\\\CLSID\\\"\\n | where ObjectName has_any (guids)\\n | where NewValue has \\\"System32\\\\\\\\spool\\\\\\\\drivers\\\\\\\\color\\\"\\n | extend RegistryKey = ObjectName, RegistryValueData = NewValue, DeviceName=Computer, InitiatingProcessFileName = Process, InitiatingProcessAccountName=SubjectAccount;\\n union mde_data, event_data\",\"entityMappings\":[{\"entityType\":\"RegistryKey\",\"fieldMappings\":[{\"identifier\":\"Key\",\"columnName\":\"RegistryKey\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"DeviceName\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"InitiatingProcessFileName\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingProcessAccountName\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"COM Registry Key Modified to Point to File in Color Profile Folder\",\"description\":\"This query looks for changes to COM registry keys to point to files in C:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\color\\\\.\\n This can be used to enable COM hijacking for persistence.\\n Ref: https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/\",\"lastUpdatedDateUTC\":\"2022-07-26T00:00:00Z\",\"createdDateUTC\":\"2022-07-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceRegistryEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a7564d76-ec6b-4519-a66b-fcc80c42332b\",\"name\":\"a7564d76-ec6b-4519-a66b-fcc80c42332b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let WellKnownLocalSID = \\\"S-1-5-32-5[0-9][0-9]$\\\";\\nlet WellKnownGroupSID = \\\"S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\\\";\\nlet GroupAddition = (union isfuzzy=true \\n(SecurityEvent \\n// 4728 - A member was added to a security-enabled global group\\n// 4732 - A member was added to a security-enabled local group\\n// 4756 - A member was added to a security-enabled universal group \\n| where EventID in (\\\"4728\\\", \\\"4732\\\", \\\"4756\\\") \\n| where AccountType =~ \\\"User\\\" and MemberName == \\\"-\\\"\\n// Exclude Remote Desktop Users group: S-1-5-32-555\\n| where TargetSid !in (\\\"S-1-5-32-555\\\")\\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID\\n| project GroupAddTime = TimeGenerated, GroupAddEventID = EventID, GroupAddActivity = Activity, GroupAddComputer = Computer, GroupAddTargetAccount = TargetAccount, \\nGroupAddTargetSid = TargetSid, GroupAddSubjectAccount = SubjectAccount, GroupAddSubjectUserSid = SubjectUserSid, GroupSid = MemberSid\\n),\\n(\\nWindowsEvent \\n// 4728 - A member was added to a security-enabled global group\\n// 4732 - A member was added to a security-enabled local group\\n// 4756 - A member was added to a security-enabled universal group \\n| where EventID in (\\\"4728\\\", \\\"4732\\\", \\\"4756\\\") and not(EventData has \\\"S-1-5-32-555\\\")\\n| extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend AccountType=case(Account endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n| extend MemberName = tostring(EventData.MemberName)\\n| where AccountType =~ \\\"User\\\" and MemberName == \\\"-\\\"\\n// Exclude Remote Desktop Users group: S-1-5-32-555\\n| extend TargetSid = tostring(EventData.TargetSid)\\n| where TargetSid !in (\\\"S-1-5-32-555\\\")\\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID\\n| extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| extend MemberSid = tostring(EventData.MemberSid)\\n| extend Activity= \\\"GroupAddActivity\\\"\\n| project GroupAddTime = TimeGenerated, GroupAddEventID = EventID, GroupAddActivity = Activity, GroupAddComputer = Computer, GroupAddTargetAccount = TargetAccount, \\nGroupAddTargetSid = TargetSid, GroupAddSubjectAccount = Account, GroupAddSubjectUserSid = SubjectUserSid, GroupSid = MemberSid\\n));\\nlet GroupCreated = (union isfuzzy=true \\n(SecurityEvent\\n// 4727 - A security-enabled global group was created\\n// 4731 - A security-enabled local group was created\\n// 4754 - A security-enabled universal group was created\\n| where EventID in (\\\"4727\\\", \\\"4731\\\", \\\"4754\\\")\\n| where AccountType =~ \\\"User\\\"\\n| project GroupCreateTime = TimeGenerated, GroupCreateEventID = EventID, GroupCreateActivity = Activity, GroupCreateComputer = Computer, GroupCreateTargetAccount = TargetAccount, \\nGroupCreateSubjectAccount = SubjectAccount, GroupCreateSubjectUserSid = SubjectUserSid, GroupSid = TargetSid\\n),\\n(WindowsEvent\\n// 4727 - A security-enabled global group was created\\n// 4731 - A security-enabled local group was created\\n// 4754 - A security-enabled universal group was created\\n| where EventID in (\\\"4727\\\", \\\"4731\\\", \\\"4754\\\")\\n| extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend AccountType=case(Account endswith \\\"$\\\", \\\"Machine\\\", iff(SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", iff(isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")))\\n| where AccountType =~ \\\"User\\\"\\n| extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| extend SubjectAccount = strcat(EventData.SubjectDomainName,\\\"\\\\\\\\\\\", EventData.SubjectUserName) \\n| extend TargetSid = tostring(EventData.TargetSid) \\n| extend Activity= \\\"GroupAddActivity\\\"\\n| project GroupCreateTime = TimeGenerated, GroupCreateEventID = EventID, GroupCreateActivity = Activity, GroupCreateComputer = Computer, GroupCreateTargetAccount = TargetAccount, \\nGroupCreateSubjectAccount = SubjectAccount, GroupCreateSubjectUserSid = SubjectUserSid, GroupSid = TargetSid\\n));\\nGroupCreated\\n| join (\\nGroupAddition\\n) on GroupSid \\n| extend timestamp = GroupCreateTime, AccountCustomEntity = GroupCreateSubjectAccount, HostCustomEntity = GroupCreateComputer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"Sid\",\"columnName\":\"GroupCreateSubjectUserSid\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Group created then added to built in domain local or global group\",\"description\":\"Identifies when a recently created Group was added to a privileged built in domain local group or global group such as the \\nEnterprise Admins, Cert Publishers or DnsAdmins. Be sure to verify this is an expected addition.\\nReferences: For AD SID mappings - https://docs.microsoft.com/windows/security/identity-protection/access-control/active-directory-security-groups.\",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3b443f22-9be9-4c35-ac70-a94757748439\",\"name\":\"3b443f22-9be9-4c35-ac70-a94757748439\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"let files1 = dynamic([\\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\lsa.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\pa.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\pc.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\Rar.exe\\\"]);\\nlet files2 = dynamic([\\\"svchost.exe\\\",\\\"wdmsvc.exe\\\"]);\\nlet FileHash1 = dynamic([\\\"43109fbe8b752f7a9076eaafa417d9ae5c6e827cd5374b866672263fdebd5ec3\\\", \\\"ab50d8d707b97712178a92bbac74ccc2a5699eb41c17aa77f713ff3e568dcedb\\\", \\\"010e32be0f86545e116a8bc3381a8428933eb8789f32c261c81fd5e7857d4a77\\\", \\\"56cd102b9fc7f3523dad01d632525ff673259dbc9a091be0feff333c931574f7\\\"]);\\nlet FileHash2 = dynamic([\\\"2a1044e9e6e87a032f80c6d9ea6ae61bbbb053c0a21b186ecb3b812b49eb03b7\\\", \\\"9ab7e99ed84f94a7b6409b87e56dc6e1143b05034a5e4455e8c555dbbcd0d2dd\\\", \\\"18a072ccfab239e140d8f682e2874e8ff19d94311fc8bb9564043d3e0deda54b\\\"]);\\nDeviceProcessEvents\\n| where ( FolderPath has_any (files1) and SHA256 has_any (FileHash1)) or (FolderPath has_any (files2) and SHA256 has_any (FileHash2))\\n| extend DvcId = DeviceId\\n| join kind=leftouter (SecurityAlert\\n| where ProviderName =~ \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| mv-expand todynamic(Entities)\\n| extend DvcId = tostring(parse_json(Entities).MdatpDeviceId)\\n| where isnotempty(DvcId)\\n// Higher risk score are for Defender alerts related to threat actor\\n| extend AlertRiskScore = iif(ThreatName has_any (\\\"Backdoor:MSIL/ShellClient.A\\\", \\\"Backdoor:MSIL/ShellClient.A!dll\\\", \\\"Trojan:MSIL/Mimikatz.BA!MTB\\\"), 1.0, 0.5)\\n| project DvcId, AlertRiskScore) on DvcId\\n| extend AlertRiskScore = iif(isempty(AlertRiskScore), 0.0, AlertRiskScore)\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName, AccountCustomEntity = AccountName\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"FileName\"}]}],\"tactics\":[\"CredentialAccess\",\"Execution\"],\"displayName\":\"Dev-0228 File Path Hashes November 2021\",\"description\":\"This hunting query looks for file paths/hashes related to observed activity by Dev-0228. The actor is known to use custom version of popular tool like PsExec, Procdump etc. to carry its activity.\\n The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2021-11-18T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftDefenderAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert (MDATP)\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2f561e20-d97b-4b13-b02d-18b34af6e87c\",\"name\":\"2f561e20-d97b-4b13-b02d-18b34af6e87c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\nlet cmdList = dynamic([\\\"Set-CASMailbox\\\",\\\"ActiveSyncAllowedDeviceIDs\\\",\\\"add\\\"]);\\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where EventID == 4688\\n| where CommandLine has_all (cmdList)\\n| project Type, TimeGenerated, Computer, Account, SubjectDomainName, SubjectUserName, Process, ParentProcessName, CommandLine\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n( WindowsEvent\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where EventID == 4688\\n| where EventData has_all (cmdList)\\n| extend CommandLine = tostring(EventData.CommandLine) \\n| where CommandLine has_all (cmdList)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| project Type, TimeGenerated, Computer, Account, SubjectDomainName, SubjectUserName, Process, ParentProcessName, CommandLine\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(\\nDeviceProcessEvents\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where InitiatingProcessCommandLine has_all (cmdList)\\n| project Type, TimeGenerated, DeviceName, AccountName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessParentFileName, InitiatingProcessCommandLine\\n| extend timestamp = TimeGenerated, AccountCustomEntity = AccountName, HostCustomEntity = DeviceName\\n),\\n(\\nEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key=tostring([\u0027@Name\u0027]), Value=[\u0027#text\u0027]\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where CommandLine has_all (cmdList)\\n| extend Type = strcat(Type, \\\": \\\", Source)\\n| project Type, TimeGenerated, Computer, User, Process, ParentImage, CommandLine\\n| extend timestamp = TimeGenerated, AccountCustomEntity = User, HostCustomEntity = Computer\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Email access via active sync\",\"description\":\"This query detects attempts to add attacker devices as allowed IDs for active sync using the Set-CASMailbox command.\\nThis technique was seen in relation to Solorigate attack but the results can indicate potential malicious activity used in different attacks.\\n- Note that this query can be changed to use the KQL \\\"has_all\\\" operator, which hasn\u0027t yet been documented officially, but will be soon.\\n In short, \\\"has_all\\\" will only match when the referenced field has all strings in the list.\\n- Refer to Set-CASMailbox syntax: https://learn.microsoft.com/powershell/module/exchange/set-casmailbox?view=exchange-ps \",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-02-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2c55fe7a-b06f-4029-a5b9-c54a2320d7b8\",\"name\":\"2c55fe7a-b06f-4029-a5b9-c54a2320d7b8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet TotalEventsThreshold = 5;\\nlet ExeList = dynamic([\\\"powershell.exe\\\",\\\"cmd.exe\\\",\\\"wmic.exe\\\",\\\"psexec.exe\\\",\\\"cacls.exe\\\",\\\"rundll.exe\\\"]);\\nlet TimeSeriesData =\\nSecurityEvent\\n| where EventID == 4688 | extend Process = tolower(Process)\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where Process in (ExeList)\\n| project TimeGenerated, Computer, AccountType, Account, Process\\n| make-series Total=count() on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by Process;\\nlet TimeSeriesAlerts = materialize(TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(Total, 1.5, -1, \u0027linefit\u0027)\\n| mv-expand Total to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to typeof(double), baseline to typeof(long)\\n| where anomalies \u003e 0\\n| project Process, TimeGenerated, Total, baseline, anomalies, score\\n| where Total \u003e TotalEventsThreshold);\\nlet AnomalyHours = materialize(TimeSeriesAlerts | where TimeGenerated \u003e ago(2d) | project TimeGenerated);\\nTimeSeriesAlerts\\n| where TimeGenerated \u003e ago(2d)\\n| join (\\nSecurityEvent\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n| where EventID == 4688 | extend Process = tolower(Process)\\n| summarize CommandlineCount = count() by bin(TimeGenerated, 1h), Process, CommandLine, Computer, Account\\n) on Process, TimeGenerated\\n| project AnomalyHour = TimeGenerated, Computer, Account, Process, CommandLine, CommandlineCount, Total, baseline, anomalies, score\\n| extend timestamp = AnomalyHour, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"Process execution frequency anomaly\",\"description\":\"Identifies anomalous spike in frequency of executions of sensitive processes which are often leveraged as attack vectors.\\nThe query leverages KQL built-in anomaly detection algorithms to find large deviations from baseline patterns.\\nSudden increases in execution frequency of sensitive processes should be further investigated for malicious activity.\\nTune the values from 1.5 to 3 in series_decompose_anomalies for further outliers or based on custom threshold values for score.\",\"lastUpdatedDateUTC\":\"2022-03-07T00:00:00Z\",\"createdDateUTC\":\"2019-05-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/694c91ee-d606-4ba9-928e-405a2dd0ff0f\",\"name\":\"694c91ee-d606-4ba9-928e-405a2dd0ff0f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.6\",\"severity\":\"High\",\"query\":\"let queryperiod = 14d;\\nlet queryfrequency = 2h;\\nlet security_info_actions = dynamic([\\\"User registered security info\\\", \\\"User changed default security info\\\", \\\"User deleted security info\\\", \\\"Admin updated security info\\\", \\\"User reviewed security info\\\", \\\"Admin deleted security info\\\", \\\"Admin registered security info\\\"]);\\nlet VIPUsers = (\\n IdentityInfo\\n | where TimeGenerated \u003e ago(queryperiod)\\n | mv-expand AssignedRoles\\n | where AssignedRoles matches regex \u0027Admin\u0027\\n | summarize by tolower(AccountUPN));\\nAuditLogs\\n| where TimeGenerated \u003e ago(queryfrequency)\\n| where Category =~ \\\"UserManagement\\\"\\n| where ActivityDisplayName in (security_info_actions)\\n| extend Initiator = tostring(InitiatedBy.user.userPrincipalName)\\n| extend IP = tostring(InitiatedBy.user.ipAddress)\\n| extend Target = tolower(tostring(TargetResources[0].userPrincipalName))\\n| where Target in (VIPUsers)\\n// Uncomment the line below if you are experiencing high volumes of Target entities. If this is uncommented, the Target column will not be mapped to an entity.\\n//| summarize Start=min(TimeGenerated), End=max(TimeGenerated), Actions = make_set(ResultReason, MaxSize=8), Targets=make_set(Target, MaxSize=256) by Initiator, IP, Result\\n// Comment out this line below, if line above is used.\\n| summarize Start=min(TimeGenerated), End=max(TimeGenerated), Actions = make_set(ResultReason, MaxSize=8) by Initiator, IP, Result, Targets = Target\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Targets\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Initiator\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IP\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Authentication Methods Changed for Privileged Account\",\"description\":\"Identifies authentication methods being changed for a privileged account. This could be an indication of an attacker adding an auth method to the account so they can have continued access.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6267ce44-1e9d-471b-9f1e-ae76a6b7aa84\",\"name\":\"6267ce44-1e9d-471b-9f1e-ae76a6b7aa84\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"SecurityAlert\\n| where AlertName =~ \\\"mass download by a single user\\\"\\n| extend Extprop = parse_json(ExtendedProperties)\\n| extend Computer = iff(isnotempty(toupper(tostring(Extprop[\\\"Compromised Host\\\"]))), toupper(tostring(Extprop[\\\"Compromised Host\\\"])), tostring(parse_json(Entities)[0].HostName))\\n| extend Account = iff(isnotempty(tolower(tostring(Extprop[\\\"User Name\\\"]))), tolower(tostring(Extprop[\\\"User Name\\\"])), tolower(tostring(Extprop[\\\"user name\\\"])))\\n| extend IpAddress = tostring(parse_json(ExtendedProperties).[\\\"IpAddress\\\"]) \\n| project timestamp=TimeGenerated, AlertName, Computer, Account, IpAddress, ExtendedProperties\\n| join kind=inner\\n( \\nDeviceEvents\\n| where ActionType == \\\"PnpDeviceConnected\\\"\\n| extend parsed = parse_json(AdditionalFields)\\n| project DeviceId, DriveClass = tostring(parsed.ClassName), UsbDeviceId = tostring(parsed.DeviceId), ClassId = tostring(parsed.DeviceId), DeviceDescription = tostring(parsed.DeviceDescription), VendorIds = tostring(parsed.VendorIds), AccountDomain,AccountName,TimeGenerated, ActionType, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, Type\\n| where DriveClass == \u0027USB\u0027 and DeviceDescription == \u0027USB Mass Storage Device\u0027\\n) on $left.Account == $right.AccountName\\n| join kind=inner \\n(\\nDeviceFileEvents\\n| where FolderPath !startswith \\\"c\\\" and FolderPath !startswith @\\\"\\\\\\\"\\n) on DeviceId\\n| project TimeGenerated, ActionType, Computer, FileName, FileSize, IpAddress, InitiatingProcessCommandLine, InitiatingProcessFileName, Account\\n| extend timestamp = TimeGenerated, CompromisedEntity = Computer, AccountCustomEntity=Account, ProcessCustomEntity = InitiatingProcessFileName, IPCustomEntity=IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CompromisedEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"Mass Download \u0026 copy to USB device by single user\",\"description\":\"This query looks for any mass download by a single user with possible file copy activity to a new USB drive. Malicious insiders may perform such activities that may cause harm to the organization. \\nThis query could also reveal unintentional insider that had no intention of malicious activity but their actions may impact an organizations security posture.\\nReference:https://docs.microsoft.com/defender-cloud-apps/policy-template-reference\",\"lastUpdatedDateUTC\":\"2022-05-04T00:00:00Z\",\"createdDateUTC\":\"2022-04-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftCloudAppSecurity\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceEvents\",\"DeviceFileEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3edb7215-250b-40c0-8b46-79093949242d\",\"name\":\"3edb7215-250b-40c0-8b46-79093949242d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let threshold = 10;\\nQualysHostDetectionV2_CL\\n| where Severity_s == \\\"5\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by NetBios_s, IPAddress\\n| where count_ \u003e= threshold\\n| extend timestamp = StartTime, HostCustomEntity = NetBios_s, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"High Number of Urgent Vulnerabilities Detected\",\"description\":\"This Creates an incident when a host has a high number of Urgent, severity 5, vulnerabilities detected.\",\"lastUpdatedDateUTC\":\"2021-12-08T00:00:00Z\",\"createdDateUTC\":\"2020-06-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"QualysVulnerabilityManagement\",\"dataTypes\":[\"QualysHostDetection_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/492fbe35-cbac-4a8c-9059-826782e6915a\",\"name\":\"492fbe35-cbac-4a8c-9059-826782e6915a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"AuditLogs\\n | where Category =~ \\\"ApplicationManagement\\\"\\n | where OperationName has_any (\\\"Update Application\\\", \\\"Update Service principal\\\")\\n | extend appName = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n | extend UPN = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend UpdatedBy = iif(isnotempty(appName), appName, UPN)\\n | extend mod_props = TargetResources[0].modifiedProperties\\n | extend AppName = tostring(TargetResources[0].displayName)\\n | mv-expand mod_props\\n | extend Action = tostring(mod_props.displayName)\\n | where Action contains \\\"Url\\\"\\n | extend OldURL = tostring(mod_props.oldValue)\\n | extend NewURL = tostring(mod_props.newValue)\\n | project-reorder TimeGenerated, OperationName, Action, AppName, OldURL, NewURL, UpdatedBy\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UpdatedBy\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"OldURL\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"NewURL\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Changes to Application Logout URL\",\"description\":\"Detects changes to an applications sign out URL.\\n Look for any modifications to a sign out URL. Blank entries or entries to non-existent locations would stop a user from terminating a session.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-applications#logout-url-modified-or-removed\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2441bce9-02e4-407b-8cc7-7d597f38b8b0\",\"name\":\"2441bce9-02e4-407b-8cc7-7d597f38b8b0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n AzureActivity | where TimeGenerated \u003e= ago(dt_lookBack)\\n // renaming time column so it is clear the log this came from\\n | extend AzureActivity_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.CallerIpAddress\\n| where AzureActivity_TimeGenerated \u003c ExpirationDateTime\\n| summarize AzureActivity_TimeGenerated = arg_max(AzureActivity_TimeGenerated, *) by IndicatorId, CallerIpAddress\\n| project AzureActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, CallerIpAddress, \\nCaller, OperationNameValue, ActivityStatusValue, CategoryValue, ResourceId, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = AzureActivity_TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceId\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to AzureActivity\",\"description\":\"Identifies a match in AzureActivity from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3174a9ec-d0ad-4152-8307-94ed04fa450a\",\"name\":\"3174a9ec-d0ad-4152-8307-94ed04fa450a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let SHA256Hash = \\\"1174fd03271f80f5e2a6435c72bdd0272a6e3a37049f6190abf125b216a83471\\\" ;\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where isnotempty(FileHash)\\n| where FileHash in (SHA256Hash) \\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updataing\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Hashes = EventDetail.[16].[\\\"#text\\\"]\\n| parse Hashes with * \u0027SHA256=\u0027 SHA265 \u0027,\u0027 * \\n| where isnotempty(Hashes)\\n| where Hashes in (SHA256Hash) \\n| extend Account = UserName\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"CredentialAccess\"],\"displayName\":\"Known ZINC related maldoc hash\",\"description\":\"Document hash used by ZINC in highly targeted spear phishing campaign.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-10-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d25b1998-a592-4bc5-8a3a-92b39eedb1bc\",\"name\":\"d25b1998-a592-4bc5-8a3a-92b39eedb1bc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"AWSCloudTrail\\n| where EventName =~ \\\"ConsoleLogin\\\" \\n| extend MFAUsed = tostring(parse_json(AdditionalEventData).MFAUsed), LoginResult = tostring(parse_json(ResponseElements).ConsoleLogin)\\n| where MFAUsed !~ \\\"Yes\\\" and LoginResult !~ \\\"Failure\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, LoginResult, MFAUsed, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, \\nUserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\",\"PrivilegeEscalation\",\"Persistence\",\"InitialAccess\"],\"displayName\":\"Login to AWS Management Console without MFA\",\"description\":\"Multi-Factor Authentication (MFA) helps you to prevent credential compromise. This alert identifies logins to the AWS Management Console without MFA.\\nYou can limit this detection to trigger for adminsitrative accounts if you do not have MFA enabled on all accounts.\\nThis is done by looking at the eventName ConsoleLogin and if the AdditionalEventData field indicates MFA was NOT used \\nand the ResponseElements field indicates NOT a Failure. Thereby indicating that a non-MFA login was successful.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0ed0fe7c-af29-4990-af7f-bb5ccb231198\",\"name\":\"0ed0fe7c-af29-4990-af7f-bb5ccb231198\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"AuditLogs\\n | where Category =~ \\\"RoleManagement\\\"\\n | where OperationName =~ \\\"Update role setting in PIM\\\"\\n | extend userPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend ipAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n | project-reorder TimeGenerated, OperationName, ResultReason, userPrincipalName, ipAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"userPrincipalName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ipAddress\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Changes to PIM Settings\",\"description\":\"PIM provides a key mechanism for assigning privileges to accounts, this query detects changes to PIM role settings.\\n Monitor these changes to ensure they are being made legitimately and don\u0027t confer more privileges than expected or reduce the security of a PIM elevation.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c805d9b1-97e7-4bc0-9172-67edb36273e4\",\"name\":\"c805d9b1-97e7-4bc0-9172-67edb36273e4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Microsoft 365 Insider Risk Management\",\"displayName\":\"(Private Preview) Create incidents based on Microsoft 365 Insider Risk Management\",\"description\":\"Create incidents based on all alerts generated in Microsoft 365 Insider Risk Management\",\"lastUpdatedDateUTC\":\"2021-05-13T00:00:00Z\",\"createdDateUTC\":\"2021-05-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"OfficeIRM\",\"dataTypes\":[\"SecurityAlert (OfficeIRM)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/09551db0-e147-4a0c-9e7b-918f88847605\",\"name\":\"09551db0-e147-4a0c-9e7b-918f88847605\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.6.2\",\"severity\":\"High\",\"query\":\"let tokens = dynamic([\\\"SSL_HandShaking\\\", \\\"ASN2_TYPE_new\\\", \\\"sql_blob_open\\\", \\\"cmsSetLogHandlerTHR\\\", \\\"ntSystemInfo\\\", \\\"SetWebFilterString\\\", \\\"CleanupBrokerString\\\", \\\"glInitSampler\\\", \\\"deflateSuffix\\\", \\\"ntWindowsProc\\\"]);\\nlet DomainNames = dynamic([\u0027codevexillium.org\u0027, \u0027angeldonationblog.com\u0027, \u0027investbooking.de\u0027, \u0027krakenfolio.com\u0027]);\\nlet SHA256Hash = dynamic([\u002758a74dceb2022cd8a358b92acd1b48a5e01c524c3b0195d7033e4bd55eff4495\u0027,\u0027e0e59bfc22876c170af65dcbf19f744ae560cc43b720b23b9d248f4505c02f3e\u0027,\u00273d3195697521973efe0097a320cbce0f0f98d29d50e044f4505e1fbc043e8cf9\u0027, \u00270a2d81164d524be7022ba8fd4e1e8e01bfd65407148569d172e2171b5cd76cd4\u0027, \u002796d7a93f6691303d39a9cc270b8814151dfec5683e12094537fd580afdf2e5fe\u0027,\u0027dc4cf164635db06b2a0b62d313dbd186350bca6fc88438617411a68df13ec83c\u0027, \u002746efd5179e43c9cbf07dcec22ce0d5527e2402655aee3afc016e5c260650284a\u0027, \u002795e42a94d4df1e7e472998f43b9879eb34aaa93f3705d7d3ef9e3b97349d7008\u0027, \u00279d5320e883264a80ea214077f44b1d4b22155446ad5083f4b27d2ab5bd127ef5\u0027, \u00279fd05063ad203581a126232ac68027ca731290d17bd43b5d3311e8153c893fe3\u0027, \u0027ada7e80c9d09f3efb39b729af238fcdf375383caaf0e9e0aed303931dc73b720\u0027, \u0027edb1597789c7ed784b85367a36440bf05267ac786efe5a4044ec23e490864cee\u0027, \u002733665ce1157ddb7cd7e905e3356b39245dfba17b7a658bdbf02b6968656b9998\u0027, \u00273ab770458577eb72bd6239fe97c35e7eb8816bce5a4b47da7bd0382622854f7c\u0027, \u0027b630ad8ffa11003693ce8431d2f1c6b8b126cd32b657a4bfa9c0dbe70b007d6c\u0027, \u002753f3e55c1217dafb8801af7087e7d68b605e2b6dde6368fceea14496c8a9f3e5\u0027, \u002799c95b5272c5b11093eed3ef2272e304b7a9311a22ff78caeb91632211fcb777\u0027, \u0027f21abadef52b4dbd01ad330efb28ef50f8205f57916a26daf5de02249c0f24ef\u0027, \u00272cbdea62e26d06080d114bbd922d6368807d7c6b950b1421d0aa030eca7e85da\u0027, \u0027079659fac6bd9a1ce28384e7e3a465be4380acade3b4a4a4f0e67fd0260e9447\u0027]);\\nlet SigNames = dynamic([\\\"Backdoor:Script/ComebackerCompile.A!dha\\\", \\\"Trojan:Win64/Comebacker.A!dha\\\", \\\"Trojan:Win64/Comebacker.A.gen!dha\\\", \\\"Trojan:Win64/Comebacker.B.gen!dha\\\", \\\"Trojan:Win32/Comebacker.C.gen!dha\\\", \\\"Trojan:Win32/Klackring.A!dha\\\", \\\"Trojan:Win32/Klackring.B!dha\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where isnotempty(FileHash)\\n| where FileHash in~ (SHA256Hash) or DNSName in~ (DomainNames)\\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n| project Type, TimeGenerated, Computer, Account, IPAddress, FileHash, DNSName\\n),\\n(_Im_Dns(domain_has_any=DomainNames)\\n| extend DNSName = DnsQuery\\n| extend Type = \\\"imDns\\\", IPAddress = SrcIpAddr, Computer=Dvc\\n| project Type, TimeGenerated, Computer, IPAddress, DNSName\\n),\\n(VMConnection\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where isnotempty(DNSName)\\n| where DNSName in~ (DomainNames)\\n| extend IPAddress = RemoteIp\\n| project Type, TimeGenerated, Computer, IPAddress, DNSName\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updataing\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Hashes = EventDetail.[16].[\\\"#text\\\"]\\n| where isnotempty(Hashes)\\n| parse Hashes with * \u0027SHA256=\u0027 SHA256 \u0027,\u0027 * \\n| where SHA256 in~ (SHA256Hash) \\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = Hashes\\n| project Type, TimeGenerated, Computer, Account, FileHash\\n),\\n(DeviceFileEvents\\n| where SHA256 in~ (SHA256Hash)\\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = SHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(imFileEvent\\n| where TargetFileSHA256 in~ (SHA256Hash)\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(DeviceNetworkEvents\\n| where RemoteUrl in~ (DomainNames)\\n| extend Computer = DeviceName, IPAddress = LocalIP, Account = InitiatingProcessAccountName\\n| project Type, TimeGenerated, Computer, Account, IPAddress, RemoteUrl\\n),\\n(SecurityAlert\\n| where ProductName == \\\"Microsoft Defender Advanced Threat Protection\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| where isnotempty(ThreatName)\\n| where ThreatName has_any (SigNames)\\n| extend Computer = tostring(parse_json(Entities)[0].HostName) \\n| project Type, TimeGenerated, Computer\\n),\\n(DeviceProcessEvents\\n| where FileName =~ \\\"powershell.exe\\\" or FileName =~ \\\"rundll32.exe\\\"\\n| where (ProcessCommandLine has \\\"is64bitoperatingsystem\\\" and ProcessCommandLine has \\\"Debug\\\\\\\\Browse\\\") or (ProcessCommandLine has_any (tokens))\\n| extend Computer = DeviceName, Account = AccountName, CommandLine = ProcessCommandLine\\n| project Type, TimeGenerated, Computer, Account, CommandLine, FileName\\n),\\n(SecurityEvent\\n| where EventID == 4688\\n| where ProcessName has_any (\\\"powershell.exe\\\", \\\"rundll32.exe\\\")\\n| where (CommandLine has \\\"is64bitoperatingsystem\\\" and CommandLine has \\\"Debug\\\\\\\\Browse\\\") or (CommandLine has_any (tokens))\\n| project Type, TimeGenerated, Computer, Account, ProcessName, CommandLine \\n),\\n( WindowsEvent\\n| where EventID == 4688\\n| where EventData has_any (\\\"powershell.exe\\\", \\\"rundll32.exe\\\") and EventData has_any (tokens, \\\"Debug\\\\\\\\Browse\\\",\\\"is64bitoperatingsystem\\\" ) \\n| extend ProcessName = tostring(EventData.ProcessName)\\n| where ProcessName has_any (\\\"powershell.exe\\\", \\\"rundll32.exe\\\")\\n| extend CommandLine = tostring(EventData.CommandLine) \\n| where (CommandLine has \\\"is64bitoperatingsystem\\\" and CommandLine has \\\"Debug\\\\\\\\Browse\\\") or (CommandLine has_any (tokens))\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| project Type, TimeGenerated, Computer, Account, ProcessName, CommandLine \\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPAddress = SourceHost\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"Execution\"],\"displayName\":\"Known ZINC Comebacker and Klackring malware hashes\",\"description\":\"ZINC attacks against security researcher campaign malware hashes.\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2021-01-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4ce177b3-56b1-4f0e-b83e-27eed4cb0b16\",\"name\":\"4ce177b3-56b1-4f0e-b83e-27eed4cb0b16\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let lookback = 14d;\\nlet timeframe = 1d;\\n// exclude allowed users from query such as the ADO service\\nlet allowed_users = dynamic([\\\"Azure DevOps Service\\\"]);\\nunion\\n// Look for agents being added to a pool of a OS type not seen with that pool before\\n(AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(lookback) and TimeGenerated \u003c ago(timeframe)\\n| where OperationName =~ \\\"Library.AgentAdded\\\"\\n| where ActorUPN !in (allowed_users)\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n| extend OsDescription = tostring(Data.OsDescription)\\n| where isnotempty(OsDescription)\\n| extend OsDescription = tostring(split(OsDescription, \\\"#\\\", 0)[0])\\n| project AgentPoolName, OsDescription\\n| join kind=rightanti (AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeframe)\\n| where OperationName == \\\"Library.AgentAdded\\\"\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n| extend OsDescription = tostring(Data.OsDescription)\\n| where isnotempty(OsDescription)\\n| extend OsDescription = tostring(split(OsDescription, \\\"#\\\", 0)[0])) on AgentPoolName, OsDescription),\\n// Look for users addeing agents to a pool that they have not added agents to before.\\n(AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(lookback) and TimeGenerated \u003c ago(timeframe)\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n| where ActorUPN !in (allowed_users)\\n| project AgentPoolName, ActorUPN\\n| join kind=rightanti (AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeframe)\\n| where OperationName == \\\"Library.AgentAdded\\\"\\n| where ActorUPN !in (allowed_users)\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n) on AgentPoolName, ActorUPN)\\n| extend AgentName = tostring(Data.AgentName)\\n| extend OsDescription = tostring(Data.OsDescription)\\n| extend SystemDetails = Data.SystemCapabilities\\n| project-reorder TimeGenerated, OperationName, ScopeDisplayName, AgentPoolName, AgentName, ActorUPN, IpAddress, UserAgent, OsDescription, SystemDetails, Data\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"New Agent Added to Pool by New User or Added to a New OS Type.\",\"description\":\"As seen in attacks such as SolarWinds attackers can look to subvert a build process by controlling build servers. Azure DevOps uses agent pools to execute pipeline tasks. \\nAn attacker could insert compromised agents that they control into the pools in order to execute malicious code. This query looks for users adding agents to pools they have \\nnot added agents to before, or adding agents to a pool of an OS that has not been added to that pool before. This detection has potential for false positives so has a \\nconfigurable allow list to allow for certain users to be excluded from the logic.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/05b4bccd-dd12-423d-8de4-5a6fb526bb4f\",\"name\":\"05b4bccd-dd12-423d-8de4-5a6fb526bb4f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"let known_processes = (\\n SecurityEvent\\n // If adjusting Query Period or Frequency update these\\n | where TimeGenerated between(ago(14d)..ago(1d))\\n | where EventID == 4688\\n | where NewProcessName has_any (\\\"Policies\\\\\\\\{6AC1786C-016F-11D2-945F-00C04fB984F9}\\\", \\\"Policies\\\\\\\\{31B2F340-016D-11D2-945F-00C04FB984F9}\\\")\\n | summarize by Process);\\n SecurityEvent\\n // If adjusting Query Period or Frequency update these\\n | where TimeGenerated \u003e ago(1d)\\n | where EventID == 4688\\n | where NewProcessName has_any (\\\"Policies\\\\\\\\{6AC1786C-016F-11D2-945F-00C04fB984F9}\\\", \\\"Policies\\\\\\\\{31B2F340-016D-11D2-945F-00C04FB984F9}\\\")\\n | where Process !in (known_processes)\\n // This will likely apply to multiple hosts so summarize these data\\n | summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated) by Process, NewProcessName, CommandLine, Computer\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"Execution\",\"LateralMovement\"],\"displayName\":\"New EXE deployed via Default Domain or Default Domain Controller Policies\",\"description\":\"This detection highlights executables deployed to hosts via either the Default Domain or Default Domain Controller Policies. These policies apply to all hosts or Domain Controllers and best practice is that these policies should not be used for deployment of files.\\nA threat actor may use these policies to deploy files or scripts to all hosts in a domain.\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-02-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c61ad0ac-ad68-4ebb-b41a-74296d3e0044\",\"name\":\"c61ad0ac-ad68-4ebb-b41a-74296d3e0044\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"Event\\n| where EventLog == \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID in (13)\\n| parse EventData with * \u0027TargetObject\\\"\u003e\u0027 TargetObject \\\"\u003c\\\" * \u0027Details\\\"\u003e\u0027 Details \\\"\u003c\\\" * \\n| where TargetObject has (\\\"\\\\\\\\Control\\\\\\\\Session Manager\\\\\\\\AppCertDLLs\\\\\\\\\\\")\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventID, Computer, TargetObject, Details\",\"entityMappings\":[{\"entityType\":\"RegistryKey\",\"fieldMappings\":[{\"identifier\":\"Key\",\"columnName\":\"TargetObject\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Registry Persistence via AppCert DLL Modification\",\"description\":\"Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppCert DLLs loaded into processes. \\nDynamic-link libraries (DLLs) that are specified in the AppCertDLLs Registry key under HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Control\\\\Session Manager\\\\ are loaded into every process that calls the ubiquitously used application programming interface (API) functions CreateProcess, CreateProcessAsUser, CreateProcessWithLoginW, CreateProcessWithTokenW, or WinExec.\\nRef: https://attack.mitre.org/techniques/T1546/009/\",\"lastUpdatedDateUTC\":\"2022-03-11T00:00:00Z\",\"createdDateUTC\":\"2022-03-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8ee967a2-a645-4832-85f4-72b635bcb3a6\",\"name\":\"8ee967a2-a645-4832-85f4-72b635bcb3a6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"//Adjust this threshold to fit the environment\\nlet signin_threshold = 5;\\n//Make a list of all IPs with failed signins to AAD above our threshold\\nlet aadFunc = (tableName:string){\\nlet suspicious_signins =\\ntable(tableName)\\n| where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n| where IPAddress !in (\u0027127.0.0.1\u0027, \u0027::1\u0027)\\n| summarize count() by IPAddress\\n| where count_ \u003e signin_threshold\\n| summarize make_set(IPAddress);\\n//See if any of these IPs have sucessfully logged into *nix hosts\\nlet linux_logons =\\nSyslog\\n| where Facility contains \\\"auth\\\" and ProcessName != \\\"sudo\\\"\\n| where SyslogMessage has \\\"Accepted\\\"\\n| extend SourceIP = extract(\\\"(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.(([0-9]{1,3})))\\\",1,SyslogMessage)\\n| where SourceIP in (suspicious_signins)\\n| extend Reason = \\\"Multiple failed AAD logins from IP address\\\"\\n| project TimeGenerated, Computer, HostIP, IpAddress = SourceIP, SyslogMessage, Facility, ProcessName, Reason;\\n//See if any of these IPs have sucessfully logged into Windows hosts\\nlet win_logons = (union isfuzzy=true\\n(SecurityEvent\\n| where EventID == 4624\\n| where LogonType in (10, 7, 3)\\n| where IpAddress != \\\"-\\\"\\n| where IpAddress in (suspicious_signins)\\n| extend Reason = \\\"Multiple failed AAD logins from IP address\\\"\\n| project TimeGenerated, Account, AccountType, Computer, Activity, EventID, LogonProcessName, IpAddress, LogonTypeName, TargetUserSid, Reason\\n),\\n(WindowsEvent\\n| where EventID == 4624 and has_any_ipv4(EventData, toscalar(suspicious_signins))\\n| extend LogonType = tostring(EventData.LogonType)\\n| where LogonType in (10, 7, 3)\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| where IpAddress != \\\"-\\\"\\n| where IpAddress in (suspicious_signins)\\n| extend Reason = \\\"Multiple failed AAD logins from IP address\\\"\\n| extend Activity = \\\"4624 - An account was successfully logged on.\\\"\\n| extend Account = strcat(tostring(EventData.TargetDomainName),\\\"\\\\\\\\\\\", tostring(EventData.TargetUserName))\\n| extend TargetUserSid = tostring(EventData.TargetUserSid)\\n| extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| extend AccountType =case(Account endswith \\\"$\\\" or TargetUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(TargetUserSid), \\\"\\\", \\\"User\\\")\\n| extend LogonProcessName = tostring(EventData.LogonProcessName)\\n| project TimeGenerated, Account, AccountType, Computer, Activity, EventID, LogonProcessName, IpAddress, TargetUserSid, Reason\\n)\\n);\\nunion isfuzzy=true linux_logons,win_logons\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, IPCustomEntity = IpAddress, HostCustomEntity = Computer\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"Failed AzureAD logons but success logon to host\",\"description\":\"Identifies a list of IP addresses with a minimum number (default of 5) of failed logon attempts to Azure Active Directory.\\nUses that list to identify any successful remote logons to hosts from these IPs within the same timeframe.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2019-08-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/46ac55ae-47b8-414a-8f94-89ccd1962178\",\"name\":\"46ac55ae-47b8-414a-8f94-89ccd1962178\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"let queryperiod = 1d;\\nlet mode = \u0027Blocked\u0027;\\nlet successCode = dynamic([\u0027200\u0027, \u0027101\u0027,\u0027204\u0027, \u0027400\u0027,\u0027504\u0027,\u0027304\u0027,\u0027401\u0027,\u0027500\u0027]);\\nlet sessionBin = 30m;\\nAzureDiagnostics\\n| where TimeGenerated \u003e ago(queryperiod)\\n| where Category == \u0027ApplicationGatewayFirewallLog\u0027 and action_s == mode\\n| sort by hostname_s asc, clientIp_s asc, TimeGenerated asc\\n| extend SessionBlockedStarted = row_window_session(TimeGenerated, queryperiod, 10m, ((clientIp_s != prev(clientIp_s)) or (hostname_s != prev(hostname_s))))\\n| summarize SessionBlockedEnded = max(TimeGenerated), SessionBlockedCount = count() by hostname_s, clientIp_s, SessionBlockedStarted\\n| extend TimeKey = range(bin(SessionBlockedStarted, sessionBin), bin(SessionBlockedEnded, sessionBin), sessionBin)\\n| mv-expand TimeKey to typeof(datetime)\\n| join kind = inner(\\n AzureDiagnostics\\n | where TimeGenerated \u003e ago(queryperiod)\\n | where Category == \u0027ApplicationGatewayAccessLog\u0027 and (isempty(httpStatus_d) or httpStatus_d in (successCode))\\n | extend TimeKey = bin(TimeGenerated, sessionBin)\\n) on TimeKey, $left.hostname_s == $right.host_s, $left.clientIp_s == $right.clientIP_s\\n| where TimeGenerated between (SessionBlockedStarted..SessionBlockedEnded)\\n| extend\\n originalRequestUriWithArgs_s = column_ifexists(\\\"originalRequestUriWithArgs_s\\\", \\\"\\\"),\\n serverStatus_s = column_ifexists(\\\"serverStatus_s\\\", \\\"\\\")\\n| summarize\\n SuccessfulAccessCount = count(),\\n UserAgents = make_set(userAgent_s, 250),\\n RequestURIs = make_set(requestUri_s, 250),\\n OriginalRequestURIs = make_set(originalRequestUriWithArgs_s, 250),\\n SuccessCodes = make_set(httpStatus_d, 250),\\n SuccessCodes_BackendServer = make_set(serverStatus_s, 250),\\n take_any(SessionBlockedEnded, SessionBlockedCount)\\n by hostname_s, clientIp_s, SessionBlockedStarted\\n| where SessionBlockedCount \u003e SuccessfulAccessCount\\n| extend timestamp = SessionBlockedStarted, IPCustomEntity = clientIp_s\\n| extend BlockvsSuccessRatio = SessionBlockedCount/toreal(SuccessfulAccessCount)\\n| sort by BlockvsSuccessRatio desc, timestamp asc\\n| project-reorder SessionBlockedStarted, SessionBlockedEnded, hostname_s, clientIp_s, SessionBlockedCount, SuccessfulAccessCount, BlockvsSuccessRatio, SuccessCodes, RequestURIs, OriginalRequestURIs, UserAgents\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"A potentially malicious web request was executed against a web server\",\"description\":\"Detects unobstructed Web Application Firewall (WAF) activity in sessions where the WAF blocked incoming requests by computing the \\nratio between blocked requests and unobstructed WAF requests in these sessions (BlockvsSuccessRatio metric). A high ratio value for \\na given client IP and hostname calls for further investigation of the WAF data in that session, due to the significantly high number \\nof blocked requests and a few unobstructed logs which may be malicious but have passed undetected through the WAF. The successCode \\nvariable defines what the detection thinks is a successful status code, and should be altered to fit the environment.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2020-11-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"WAF\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4d173248-439b-4741-8b37-f63ad0c896ae\",\"name\":\"4d173248-439b-4741-8b37-f63ad0c896ae\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Low\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ChiaCryptoIOC.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet process = (iocs | where Type =~ \\\"process\\\" | project IoC);\\n//This query uses sysmon data, sections that have - | where Source == \\\"Microsoft-Windows-Sysmon\\\" - may need to be updated with latest\\nWindowsEvent\\n| where EventID == \u00274688\u0027 and EventData has_any (process)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| where NewProcessName has_any (process)\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n , Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n , NewProcessId = tostring(EventData.NewProcessId)\\n| extend timestamp = TimeGenerated, Computer, Account, File = tostring(split(NewProcessName, \u0027\\\\\\\\\u0027, -1)[-1]), AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend FilePath = replace_string(NewProcessName, File, \u0027\u0027)\\n| project TimeGenerated, timestamp, File, AlertDetail, FilePath,Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"FileCustomEntity\"},{\"identifier\":\"Directory\",\"columnName\":\"FilePathCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashAlgo\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Chia_Crypto_Mining - Domain, Process, Hash and IP IOCs - June 2021\",\"description\":\"Identifies a match across various data feeds for domains, process, hashes and IP IOC related to Chia cryptocurrency farming/plotting activity.\",\"lastUpdatedDateUTC\":\"2022-05-19T00:00:00Z\",\"createdDateUTC\":\"2022-02-21T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7b907bf7-77d4-41d0-a208-5643ff75bf9a\",\"name\":\"7b907bf7-77d4-41d0-a208-5643ff75bf9a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let Keywords = dynamic([\\\"helpdesk\\\", \\\" alert\\\", \\\" suspicious\\\", \\\"fake\\\", \\\"malicious\\\", \\\"phishing\\\", \\\"spam\\\", \\\"do not click\\\", \\\"do not open\\\", \\\"hijacked\\\", \\\"Fatal\\\"]);\\nOfficeActivity\\n| where Operation =~ \\\"New-InboxRule\\\"\\n| where Parameters has \\\"Deleted Items\\\" or Parameters has \\\"Junk Email\\\" or Parameters has \\\"DeleteMessage\\\"\\n| extend Events=todynamic(Parameters)\\n| parse Events with * \\\"SubjectContainsWords\\\" SubjectContainsWords \u0027}\u0027*\\n| parse Events with * \\\"BodyContainsWords\\\" BodyContainsWords \u0027}\u0027*\\n| parse Events with * \\\"SubjectOrBodyContainsWords\\\" SubjectOrBodyContainsWords \u0027}\u0027*\\n| where SubjectContainsWords has_any (Keywords)\\n or BodyContainsWords has_any (Keywords)\\n or SubjectOrBodyContainsWords has_any (Keywords)\\n| extend ClientIPAddress = case( ClientIP has \\\".\\\", tostring(split(ClientIP,\\\":\\\")[0]), ClientIP has \\\"[\\\", tostring(trim_start(@\u0027[[]\u0027,tostring(split(ClientIP,\\\"]\\\")[0]))), ClientIP )\\n| extend Keyword = iff(isnotempty(SubjectContainsWords), SubjectContainsWords, (iff(isnotempty(BodyContainsWords),BodyContainsWords,SubjectOrBodyContainsWords )))\\n| extend RuleDetail = case(OfficeObjectId contains \u0027/\u0027 , tostring(split(OfficeObjectId, \u0027/\u0027)[-1]) , tostring(split(OfficeObjectId, \u0027\\\\\\\\\u0027)[-1]))\\n| summarize count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by Operation, UserId, ClientIPAddress, ResultStatus, Keyword, OriginatingServer, OfficeObjectId, RuleDetail\\n| extend timestamp = StartTimeUtc, IPCustomEntity = ClientIPAddress, AccountCustomEntity = UserId , HostCustomEntity = OriginatingServer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"DefenseEvasion\"],\"displayName\":\"Malicious Inbox Rule\",\"description\":\"Often times after the initial compromise the attackers create inbox rules to delete emails that contain certain keywords. \\n This is done so as to limit ability to warn compromised users that they\u0027ve been compromised. Below is a sample query that tries to detect this.\\nReference: https://www.reddit.com/r/sysadmin/comments/7kyp0a/recent_phishing_attempts_my_experience_and_what/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-03-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ef88eb96-861c-43a0-ab16-f3835a97c928\",\"name\":\"ef88eb96-861c-43a0-ab16-f3835a97c928\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT12H\",\"queryPeriod\":\"PT12H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let regexEmpire = @\\\"SetDelay|GetDelay|Set-LostLimit|Get-LostLimit|Set-Killdate|Get-Killdate|Set-WorkingHours|Get-WorkingHours|Get-Sysinfo|Add-Servers|Invoke-ShellCommand|Start-AgentJob|Update-Profile|Get-FilePart|Encrypt-Bytes|Decrypt-Bytes|Encode-Packet|Decode-Packet|Send-Message|Process-Packet|Process-Tasking|Get-Task|Start-Negotiate|Invoke-DllInjection|Invoke-ReflectivePEInjection|Invoke-Shellcode|Invoke-ShellcodeMSIL|Get-ChromeDump|Get-ClipboardContents|Get-IndexedItem|Get-Keystrokes|Invoke-Inveigh|Invoke-NetRipper|local:Invoke-PatchDll|Invoke-NinjaCopy|Get-Win32Types|Get-Win32Constants|Get-Win32Functions|Sub-SignedIntAsUnsigned|Add-SignedIntAsUnsigned|Compare-Val1GreaterThanVal2AsUInt|Convert-UIntToInt|Test-MemoryRangeValid|Write-BytesToMemory|Get-DelegateType|Get-ProcAddress|Enable-SeDebugPrivilege|Invoke-CreateRemoteThread|Get-ImageNtHeaders|Get-PEBasicInfo|Get-PEDetailedInfo|Import-DllInRemoteProcess|Get-RemoteProcAddress|Copy-Sections|Update-MemoryAddresses|Import-DllImports|Get-VirtualProtectValue|Update-MemoryProtectionFlags|Update-ExeFunctions|Copy-ArrayOfMemAddresses|Get-MemoryProcAddress|Invoke-MemoryLoadLibrary|Invoke-MemoryFreeLibrary|Out-Minidump|Get-VaultCredential|Invoke-DCSync|Translate-Name|Get-NetDomain|Get-NetForest|Get-NetForestDomain|Get-DomainSearcher|Get-NetComputer|Get-NetGroupMember|Get-NetUser|Invoke-Mimikatz|Invoke-PowerDump|Invoke-TokenManipulation|Exploit-JMXConsole|Exploit-JBoss|Invoke-Thunderstruck|Invoke-VoiceTroll|Set-WallPaper|Invoke-PsExec|Invoke-SSHCommand|Invoke-PSInject|Invoke-RunAs|Invoke-SendMail|Invoke-Rule|Get-OSVersion|Select-EmailItem|View-Email|Get-OutlookFolder|Get-EmailItems|Invoke-MailSearch|Get-SubFolders|Get-GlobalAddressList|Invoke-SearchGAL|Get-SMTPAddress|Disable-SecuritySettings|Reset-SecuritySettings|Get-OutlookInstance|New-HoneyHash|Set-MacAttribute|Invoke-PatchDll|Get-SecurityPackages|Install-SSP|Invoke-BackdoorLNK|New-ElevatedPersistenceOption|New-UserPersistenceOption|Add-Persistence|Invoke-CallbackIEX|Add-PSFirewallRules|Invoke-EventLoop|Invoke-PortBind|Invoke-DNSLoop|Invoke-PacketKnock|Invoke-CallbackLoop|Invoke-BypassUAC|Get-DecryptedCpassword|Get-GPPInnerFields|Invoke-WScriptBypassUAC|Get-ModifiableFile|Get-ServiceUnquoted|Get-ServiceFilePermission|Get-ServicePermission|Invoke-ServiceUserAdd|Invoke-ServiceCMD|Write-UserAddServiceBinary|Write-CMDServiceBinary|Write-ServiceEXE|Write-ServiceEXECMD|Restore-ServiceEXE|Invoke-ServiceStart|Invoke-ServiceStop|Invoke-ServiceEnable|Invoke-ServiceDisable|Get-ServiceDetail|Find-DLLHijack|Find-PathHijack|Write-HijackDll|Get-RegAlwaysInstallElevated|Get-RegAutoLogon|Get-VulnAutoRun|Get-VulnSchTask|Get-UnattendedInstallFile|Get-Webconfig|Get-ApplicationHost|Write-UserAddMSI|Invoke-AllChecks|Invoke-ThreadedFunction|Test-Login|Get-UserAgent|Test-Password|Get-ComputerDetails|Find-4648Logons|Find-4624Logons|Find-AppLockerLogs|Find-PSScriptsInPSAppLog|Find-RDPClientConnections|Get-SystemDNSServer|Invoke-Paranoia|Invoke-WinEnum{|Get-SPN|Invoke-ARPScan|Invoke-Portscan|Invoke-ReverseDNSLookup|Invoke-SMBScanner|New-InMemoryModule|Add-Win32Type|Export-PowerViewCSV|Get-MacAttribute|Copy-ClonedFile|Get-IPAddress|Convert-NameToSid|Convert-SidToName|Convert-NT4toCanonical|Get-Proxy|Get-PathAcl|Get-NameField|Convert-LDAPProperty|Get-NetDomainController|Add-NetUser|Add-NetGroupUser|Get-UserProperty|Find-UserField|Get-UserEvent|Get-ObjectAcl|Add-ObjectAcl|Invoke-ACLScanner|Get-GUIDMap|Get-ADObject|Set-ADObject|Get-ComputerProperty|Find-ComputerField|Get-NetOU|Get-NetSite|Get-NetSubnet|Get-DomainSID|Get-NetGroup|Get-NetFileServer|SplitPath|Get-DFSshare|Get-DFSshareV1|Get-DFSshareV2|Get-GptTmpl|Get-GroupsXML|Get-NetGPO|Get-NetGPOGroup|Find-GPOLocation|Find-GPOComputerAdmin|Get-DomainPolicy|Get-NetLocalGroup|Get-NetShare|Get-NetLoggedon|Get-NetSession|Get-NetRDPSession|Invoke-CheckLocalAdminAccess|Get-LastLoggedOn|Get-NetProcess|Find-InterestingFile|Invoke-CheckWrite|Invoke-UserHunter|Invoke-StealthUserHunter|Invoke-ProcessHunter|Invoke-EventHunter|Invoke-ShareFinder|Invoke-FileFinder|Find-LocalAdminAccess|Get-ExploitableSystem|Invoke-EnumerateLocalAdmin|Get-NetDomainTrust|Get-NetForestTrust|Find-ForeignUser|Find-ForeignGroup|Invoke-MapDomainTrust|Get-Hex|Create-RemoteThread|Get-FoxDump|Decrypt-CipherText|Get-Screenshot|Start-HTTP-Server|Local:Invoke-CreateRemoteThread|Local:Get-Win32Functions|Local:Inject-NetRipper|GetCommandLine|ElevatePrivs|Get-RegKeyClass|Get-BootKey|Get-HBootKey|Get-UserName|Get-UserHashes|DecryptHashes|DecryptSingleHash|Get-UserKeys|DumpHashes|Enable-SeAssignPrimaryTokenPrivilege|Enable-Privilege|Set-DesktopACLs|Set-DesktopACLToAllowEveryone|Get-PrimaryToken|Get-ThreadToken|Get-TokenInformation|Get-UniqueTokens|Find-GPOLocation|Find-GPOComputerAdmin|Get-DomainPolicy|Get-NetLocalGroup|Get-NetShare|Get-NetLoggedon|Get-NetSession|Get-NetRDPSession|Invoke-CheckLocalAdminAccess|Get-LastLoggedOn|Get-NetProcess|Find-InterestingFile|Invoke-CheckWrite|Invoke-UserHunter|Invoke-StealthUserHunter|Invoke-ProcessHunter|Invoke-EventHunter|Invoke-ShareFinder|Invoke-FileFinder|Find-LocalAdminAccess|Get-ExploitableSystem|Invoke-EnumerateLocalAdmin|Get-NetDomainTrust|Get-NetForestTrust|Find-ForeignUser|Find-ForeignGroup|Invoke-MapDomainTrust|Get-Hex|Create-RemoteThread|Get-FoxDump|Decrypt-CipherText|Get-Screenshot|Start-HTTP-Server|Local:Invoke-CreateRemoteThread|Local:Get-Win32Functions|Local:Inject-NetRipper|GetCommandLine|ElevatePrivs|Get-RegKeyClass|Get-BootKey|Get-HBootKey|Get-UserName|Get-UserHashes|DecryptHashes|DecryptSingleHash|Get-UserKeys|DumpHashes|Enable-SeAssignPrimaryTokenPrivilege|Enable-Privilege|Set-DesktopACLs|Set-DesktopACLToAllowEveryone|Get-PrimaryToken|Get-ThreadToken|Get-TokenInformation|Get-UniqueTokens|Invoke-ImpersonateUser|Create-ProcessWithToken|Free-AllTokens|Enum-AllTokens|Invoke-RevertToSelf|Set-Speaker\\\\(\\\\$Volume\\\\){\\\\$wshShell|Local:Get-RandomString|Local:Invoke-PsExecCmd|Get-GPPPassword|Local:Inject-BypassStuff|Local:Invoke-CopyFile\\\\(\\\\$sSource,|ind-Fruit|New-IPv4Range|New-IPv4RangeFromCIDR|Parse-Hosts|Parse-ILHosts|Exclude-Hosts|Get-TopPort|Parse-Ports|Parse-IpPorts|Remove-Ports|Write-PortscanOut|Convert-SwitchtoBool|Get-ForeignUser|Get-ForeignGroup\\\";\\n(union isfuzzy=true\\n (SecurityEvent\\n| where EventID == 4688\\n//consider filtering on filename if perf issues occur\\n//where FileName in~ (\\\"powershell.exe\\\",\\\"powershell_ise.exe\\\",\\\"pwsh.exe\\\")\\n| where not(ParentProcessName has_any (\u0027gc_worker.exe\u0027, \u0027gc_service.exe\u0027))\\n| where CommandLine has \\\"-encodedCommand\\\"\\n| parse kind=regex flags=i CommandLine with * \\\"-EncodedCommand \\\" encodedCommand\\n| extend encodedCommand = iff(encodedCommand has \\\" \\\", tostring(split(encodedCommand, \\\" \\\")[0]), encodedCommand)\\n// Note: currently the base64_decode_tostring function is limited to supporting UTF8\\n| extend decodedCommand = translate(\u0027\\\\0\u0027,\u0027\u0027, base64_decode_tostring(substring(encodedCommand, 0, strlen(encodedCommand) - (strlen(encodedCommand) %8)))), encodedCommand, CommandLine , strlen(encodedCommand)\\n| extend EfectiveCommand = iff(isnotempty(encodedCommand), decodedCommand, CommandLine)\\n| where EfectiveCommand matches regex regexEmpire\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, FileName = Process, EfectiveCommand, decodedCommand, encodedCommand, CommandLine, ParentProcessName\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(WindowsEvent\\n| where EventID == 4688 \\n| where EventData has_any (\\\"-encodedCommand\\\", \\\"powershell.exe\\\",\\\"powershell_ise.exe\\\",\\\"pwsh.exe\\\")\\n| where not(EventData has_any (\u0027gc_worker.exe\u0027, \u0027gc_service.exe\u0027))\\n//consider filtering on filename if perf issues occur\\n//extend NewProcessName = tostring(EventData.NewProcessName)\\n//extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n//FileName = Process\\n//where FileName in~ (\\\"powershell.exe\\\",\\\"powershell_ise.exe\\\",\\\"pwsh.exe\\\")\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| where not(ParentProcessName has_any (\u0027gc_worker.exe\u0027, \u0027gc_service.exe\u0027))\\n| extend CommandLine = tostring(EventData.CommandLine)\\n| where CommandLine has \\\"-encodedCommand\\\"\\n| parse kind=regex flags=i CommandLine with * \\\"-EncodedCommand \\\" encodedCommand\\n| extend encodedCommand = iff(encodedCommand has \\\" \\\", tostring(split(encodedCommand, \\\" \\\")[0]), encodedCommand)\\n// Note: currently the base64_decode_tostring function is limited to supporting UTF8\\n| extend decodedCommand = translate(\u0027\\\\0\u0027,\u0027\u0027, base64_decode_tostring(substring(encodedCommand, 0, strlen(encodedCommand) - (strlen(encodedCommand) %8)))), encodedCommand, CommandLine , strlen(encodedCommand)\\n| extend EfectiveCommand = iff(isnotempty(encodedCommand), decodedCommand, CommandLine)\\n| where EfectiveCommand matches regex regexEmpire\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, FileName = Process, EfectiveCommand, decodedCommand, encodedCommand, CommandLine, ParentProcessName\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n))\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Execution\",\"Persistence\"],\"displayName\":\"Powershell Empire cmdlets seen in command line\",\"description\":\"Identifies instances of PowerShell Empire cmdlets in powershell process command line data.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2019-01-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cda5928c-2c1e-4575-9dfa-07568bc27a4f\",\"name\":\"cda5928c-2c1e-4575-9dfa-07568bc27a4f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let lookback = 7d; \\nlet timeframe = 1h; \\nlet GlobalAdminsRemoved = AuditLogs \\n| where TimeGenerated \u003e ago(timeframe) \\n| where Category =~ \\\"RoleManagement\\\" \\n| where AADOperationType in (\\\"Unassign\\\", \\\"RemoveEligibleRole\\\") \\n| where ActivityDisplayName has_any (\\\"Remove member from role\\\", \\\"Remove eligible member from role\\\") \\n| mv-expand TargetResources \\n| mv-expand TargetResources.modifiedProperties \\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName) \\n| where displayName_ =~ \\\"Role.DisplayName\\\" \\n| extend RoleName = tostring(parse_json(tostring(TargetResources_modifiedProperties.oldValue))) \\n| where RoleName == \\\"Global Administrator\\\" // Add other Privileged role if applicable \\n| extend InitiatingApp = tostring(parse_json(tostring(InitiatedBy.app)).displayName) \\n| extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)) \\n| where Initiator != \\\"MS-PIM\\\" // Filtering PIM events \\n| extend Target = tostring(TargetResources.userPrincipalName) \\n| summarize RemovedGlobalAdminTime = max(TimeGenerated), TargetAdmins = make_set(Target) by OperationName, RoleName, Initiator, Result; \\nlet GlobalAdminsAdded = AuditLogs \\n| where TimeGenerated \u003e ago(lookback) \\n| where Category =~ \\\"RoleManagement\\\" \\n| where AADOperationType in (\\\"Assign\\\", \\\"AssignEligibleRole\\\") \\n| where ActivityDisplayName has_any (\\\"Add eligible member to role\\\", \\\"Add member to role\\\") and Result == \\\"success\\\" \\n| mv-expand TargetResources \\n| mv-expand TargetResources.modifiedProperties \\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName) \\n| where displayName_ =~ \\\"Role.DisplayName\\\" \\n| extend RoleName = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue))) \\n| where RoleName == \\\"Global Administrator\\\" // Add other Privileged role if applicable \\n| extend InitiatingApp = tostring(parse_json(tostring(InitiatedBy.app)).displayName) \\n| extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)) \\n| where Initiator != \\\"MS-PIM\\\" // Filtering PIM events \\n| extend Target = tostring(TargetResources.userPrincipalName) \\n| summarize AddedGlobalAdminTime = max(TimeGenerated) by OperationName, RoleName, Target, Initiator, Result \\n| extend AccountCustomEntity = Target; \\nGlobalAdminsAdded \\n| join kind= inner GlobalAdminsRemoved on $left.Target == $right.Initiator \\n| where AddedGlobalAdminTime \u003c RemovedGlobalAdminTime \\n| extend NoofAdminsRemoved = array_length(TargetAdmins) \\n| where NoofAdminsRemoved \u003e 1\\n| project AddedGlobalAdminTime, Initiator, Target, AccountCustomEntity, RemovedGlobalAdminTime, TargetAdmins, NoofAdminsRemoved\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Multiple admin membership removals from newly created admin.\",\"description\":\"This query detects when newly created Global admin removes multiple existing global admins which can be an attempt by adversaries to lock down organization and retain sole access. \\n Investigate reasoning and intention of multiple membership removal by new Global admins and take necessary actions accordingly.\",\"lastUpdatedDateUTC\":\"2022-03-24T00:00:00Z\",\"createdDateUTC\":\"2022-03-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/be52662c-3b23-435a-a6fa-f39bdfc849e6\",\"name\":\"be52662c-3b23-435a-a6fa-f39bdfc849e6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let threshold = 10;\\nQualysHostDetection_CL\\n| mv-expand todynamic(Detections_s)\\n| where Detections_s.Severity == \\\"5\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by NetBios_s, IPAddress\\n| where count_ \u003e= threshold\\n| extend timestamp = StartTime, HostCustomEntity = NetBios_s, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"High Number of Urgent Vulnerabilities Detected\",\"description\":\"This Creates an incident when a host has a high number of Urgent, severity 5, vulnerabilities detected.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"QualysVulnerabilityManagement\",\"dataTypes\":[\"QualysHostDetection_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/45b903c5-6f56-4969-af10-ae62ac709718\",\"name\":\"45b903c5-6f56-4969-af10-ae62ac709718\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4624 and LogonType == 10\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), ConnectionCount = count()\\nby Account = tolower(Account), Computer = toupper(Computer), IpAddress, AccountType, Activity, LogonTypeName, ProcessName\\n// use left anti to exclude anything from the previous 14 days that is not rare\\n),\\n(WindowsEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4624 and EventData has (\\\"10\\\")\\n| extend LogonType = tostring(EventData.LogonType)\\n| where LogonType == 10 \\n| extend Account = strcat(tostring(EventData.TargetDomainName),\\\"\\\\\\\\\\\", tostring(EventData.TargetUserName))\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| extend TargetUserSid = tostring(EventData.TargetUserSid)\\n| extend AccountType=case(Account endswith \\\"$\\\" or TargetUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(TargetUserSid), \\\"\\\", \\\"User\\\")\\n| extend Activity=\\\"4624 - An account was successfully logged on.\\\"\\n| extend LogonTypeName=\\\"10 - RemoteInteractive\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), ConnectionCount = count()\\nby Account = tolower(Account), Computer = toupper(Computer), IpAddress, AccountType, Activity, LogonTypeName, ProcessName\\n))\\n| join kind=leftanti (\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated between (ago(starttime) .. ago(endtime))\\n| where EventID == 4624\\n| summarize by Computer = toupper(Computer), IpAddress, Account = tolower(Account)\\n),\\n( WindowsEvent\\n| where TimeGenerated between (ago(starttime) .. ago(endtime))\\n| where EventID == 4624\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| extend Account = strcat(tostring(EventData.TargetDomainName),\\\"\\\\\\\\\\\", tostring(EventData.TargetUserName))\\n| summarize by Computer = toupper(Computer), IpAddress, Account = tolower(Account)\\n))\\n) on Account, Computer\\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), ConnectionCount = sum(ConnectionCount)\\nby Account, Computer, IpAddress, AccountType, Activity, LogonTypeName, ProcessName\\n| extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"LateralMovement\"],\"displayName\":\"Rare RDP Connections\",\"description\":\"Identifies when an RDP connection is new or rare related to any logon type by a given account today based on comparison with the previous 14 days.\\nRDP connections are indicated by the EventID 4624 with LogonType = 10\",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2020-01-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a1080fc1-13d1-479b-8340-255f0290d96c\",\"name\":\"a1080fc1-13d1-479b-8340-255f0290d96c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n | where Category =~ \\\"ApplicationManagement\\\"\\n | where Result =~ \\\"success\\\"\\n | where OperationName =~ \u0027Update Application\u0027\\n | mv-expand TargetResources\\n | mv-expand TargetResources.modifiedProperties\\n | where TargetResources_modifiedProperties.displayName =~ \\\"AppAddress\\\"\\n | extend Key = tostring(TargetResources_modifiedProperties.displayName)\\n | extend NewValue = TargetResources_modifiedProperties.newValue\\n | extend OldValue = TargetResources_modifiedProperties.oldValue\\n | where isnotempty(Key) and isnotempty(NewValue)\\n | project-reorder Key, NewValue, OldValue\\n | extend NewUrls = extract_all(\u0027\\\"Address\\\":([^,]*)\u0027, tostring(NewValue))\\n | extend OldUrls = extract_all(\u0027\\\"Address\\\":([^,]*)\u0027, tostring(OldValue))\\n | extend AddedUrls = set_difference(NewUrls, OldUrls)\\n | where array_length(AddedUrls) \u003e 0\\n | extend UserAgent = iif(tostring(AdditionalDetails[0].key) == \\\"User-Agent\\\", tostring(AdditionalDetails[0].value), \\\"\\\")\\n | extend AddingUser = iif(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)) , tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), \\\"\\\")\\n | extend AddingApp = iif(isnotempty(tostring(parse_json(tostring(InitiatedBy.app)).servicePrincipalName)) , tostring(parse_json(tostring(InitiatedBy.app)).servicePrincipalName), \\\"\\\")\\n | extend AddedBy = iif(isnotempty(AddingUser), AddingUser, AddingApp)\\n | project-away AddingApp, AddingUser\\n | extend AppDisplayName = tostring(TargetResources.displayName)\\n | extend ipAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n | project-reorder TimeGenerated, AppDisplayName, AddedUrls, AddedBy, UserAgent, ipAddress\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"AddedUrls\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddedBy\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ipAddress\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Application Redirect URL Update\",\"description\":\"Detects the redirect URL of an app being changed.\\n Applications associated with URLs not controlled by the organization can pose a security risk.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-applications#application-configuration-changes\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e42e889a-caaf-4dbb-aec6-371b37d64298\",\"name\":\"e42e889a-caaf-4dbb-aec6-371b37d64298\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n| where OperationName has_any (\\\"Add service principal\\\", \\\"Certificates and secrets management\\\")\\n| where Result =~ \\\"success\\\"\\n| mv-expand target = TargetResources\\n| where tostring(InitiatedBy.user.userPrincipalName) has \\\"@\\\" or tostring(InitiatedBy.app.displayName) has \\\"@\\\"\\n| extend targetDisplayName = tostring(TargetResources[0].displayName)\\n| extend targetId = tostring(TargetResources[0].id)\\n| extend targetType = tostring(TargetResources[0].type)\\n| extend keyEvents = TargetResources[0].modifiedProperties\\n| mv-expand keyEvents\\n| where keyEvents.displayName =~ \\\"KeyDescription\\\"\\n| extend new_value_set = parse_json(tostring(keyEvents.newValue))\\n| extend old_value_set = parse_json(tostring(keyEvents.oldValue))\\n| where old_value_set != \\\"[]\\\"\\n| extend diff = set_difference(new_value_set, old_value_set)\\n| where isnotempty(diff)\\n| parse diff with * \\\"KeyIdentifier=\\\" keyIdentifier:string \\\",KeyType=\\\" keyType:string \\\",KeyUsage=\\\" keyUsage:string \\\",DisplayName=\\\" keyDisplayName:string \\\"]\\\" *\\n| where keyUsage == \\\"Verify\\\" or keyUsage == \\\"\\\"\\n| extend UserAgent = iff(AdditionalDetails[0].key == \\\"User-Agent\\\",tostring(AdditionalDetails[0].value),\\\"\\\")\\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n// The below line is currently commented out but Microsoft Sentinel users can modify this query to show only Application or only Service Principal events in their environment\\n//| where targetType =~ \\\"Application\\\" // or targetType =~ \\\"ServicePrincipal\\\"\\n| project-away diff, new_value_set, old_value_set\\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, InitiatingIpAddress, UserAgent, targetDisplayName, targetId, targetType, keyDisplayName, keyType, keyUsage, keyIdentifier, CorrelationId, TenantId\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserOrApp\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIpAddress\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"NRT New access credential added to Application or Service Principal\",\"description\":\"This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where a verify KeyCredential was already present for the app.\\nIf a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2022-02-07T00:00:00Z\",\"createdDateUTC\":\"2020-11-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b79f6190-d104-4691-b7db-823e05980895\",\"name\":\"b79f6190-d104-4691-b7db-823e05980895\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let Keywords = dynamic([\\\"helpdesk\\\", \\\" alert\\\", \\\" suspicious\\\", \\\"fake\\\", \\\"malicious\\\", \\\"phishing\\\", \\\"spam\\\", \\\"do not click\\\", \\\"do not open\\\", \\\"hijacked\\\", \\\"Fatal\\\"]);\\nOfficeActivity\\n| where OfficeWorkload =~ \\\"Exchange\\\"\\n| where Parameters has \\\"Deleted Items\\\" or Parameters has \\\"Junk Email\\\" or Parameters has \\\"DeleteMessage\\\"\\n| extend Events=todynamic(Parameters)\\n| parse Events with * \\\"SubjectContainsWords\\\" SubjectContainsWords \u0027}\u0027*\\n| parse Events with * \\\"BodyContainsWords\\\" BodyContainsWords \u0027}\u0027*\\n| parse Events with * \\\"SubjectOrBodyContainsWords\\\" SubjectOrBodyContainsWords \u0027}\u0027*\\n| where SubjectContainsWords has_any (Keywords)\\n or BodyContainsWords has_any (Keywords)\\n or SubjectOrBodyContainsWords has_any (Keywords)\\n| extend ClientIPAddress = case( ClientIP has \\\".\\\", tostring(split(ClientIP,\\\":\\\")[0]), ClientIP has \\\"[\\\", tostring(trim_start(@\u0027[[]\u0027,tostring(split(ClientIP,\\\"]\\\")[0]))), ClientIP )\\n| extend Keyword = iff(isnotempty(SubjectContainsWords), SubjectContainsWords, (iff(isnotempty(BodyContainsWords),BodyContainsWords,SubjectOrBodyContainsWords )))\\n| extend RuleDetail = case(OfficeObjectId contains \u0027/\u0027 , tostring(split(OfficeObjectId, \u0027/\u0027)[-1]) , tostring(split(OfficeObjectId, \u0027\\\\\\\\\u0027)[-1]))\\n| summarize count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by UserId, ClientIPAddress, ResultStatus, Keyword, OriginatingServer, OfficeObjectId, RuleDetail\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserId\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"OriginatingServer\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIPAddress\"}]}],\"tactics\":[\"Persistence\",\"DefenseEvasion\"],\"displayName\":\"NRT Malicious Inbox Rule\",\"description\":\"Often times after the initial compromise the attackers create inbox rules to delete emails that contain certain keywords.\\n This is done so as to limit ability to warn compromised users that they\u0027ve been compromised. Below is a sample query that tries to detect this.\\nReference: https://www.reddit.com/r/sysadmin/comments/7kyp0a/recent_phishing_attempts_my_experience_and_what/\",\"lastUpdatedDateUTC\":\"2022-03-07T00:00:00Z\",\"createdDateUTC\":\"2020-03-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9fb2ee72-959f-4c2b-bc38-483affc539e4\",\"name\":\"9fb2ee72-959f-4c2b-bc38-483affc539e4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n | where Category == \\\"ApplicationManagement\\\"\\n | where OperationName has_any (\\\"Update Application\\\", \\\"Update Service principal\\\")\\n | extend appName = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n | extend UPN = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend UpdatedBy = iif(isnotempty(appName), appName, UPN)\\n | extend mod_props = TargetResources[0].modifiedProperties\\n | extend AppName = tostring(TargetResources[0].displayName)\\n | mv-expand mod_props\\n | where mod_props.displayName has \\\"AppIdentifierUri\\\"\\n | extend OldURI = tostring(mod_props.oldValue)\\n | extend NewURI = tostring(mod_props.newValue)\\n | project-reorder TimeGenerated, OperationName, AppName, OldURI, NewURI, UpdatedBy\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UpdatedBy\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"NewURI\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Application ID URI Changed\",\"description\":\"Detects changes to an Application ID URI.\\n Monitor these changes to make sure that they were authorized.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-applications#appid-uri-added-modified-or-removed\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/faf1a6ff-53b5-4f92-8c55-4b20e9957594\",\"name\":\"faf1a6ff-53b5-4f92-8c55-4b20e9957594\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"SecurityEvent\\n// Look for specific Directory Service Changes and parse data\\n| where EventID == 5136\\n| extend EventData = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion = array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value),TimeGenerated, EventID, Computer, Account, AccountType, EventSourceName, Activity, SubjectAccount)\\n// Where changes relate to Exchange OAB\\n| extend ObjectClass = column_ifexists(\\\"ObjectClass\\\", \\\"\\\")\\n| where ObjectClass =~ \\\"msExchOABVirtualDirectory\\\"\\n// Look for InternalHostName or ExternalHostName properties being changed\\n| extend AttributeLDAPDisplayName = column_ifexists(\\\"AttributeLDAPDisplayName\\\", \\\"\\\")\\n| where AttributeLDAPDisplayName in (\\\"msExchExternalHostName\\\", \\\"msExchInternalHostName\\\")\\n// Look for suspected webshell activity\\n| extend AttributeValue = column_ifexists(\\\"AttributeValue\\\", \\\"\\\")\\n| where AttributeValue has \\\"script\\\"\\n| project-rename LastSeen = TimeGenerated\\n| extend ObjectDN = column_ifexists(\\\"ObjectDN\\\", \\\"\\\")\\n| project-reorder LastSeen, Computer, Account, ObjectDN, AttributeLDAPDisplayName, AttributeValue\\n| extend timestamp = LastSeen, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Exchange OAB Virtual Directory Attribute Containing Potential Webshell\",\"description\":\"This query uses Windows Event ID 5136 in order to detect potential webshell deployment by exploitation of CVE-2021-27065.\\nThis query looks for changes to the InternalHostName or ExternalHostName properties of Exchange OAB Virtual Directory objects in AD Directory Services\\nwhere the new objects contain potential webshell objects. Ref: https://aka.ms/ExchangeVulns\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b3cfc7c0-092c-481c-a55b-34a3979758cb\",\"name\":\"b3cfc7c0-092c-481c-a55b-34a3979758cb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Microsoft Cloud App Security\",\"displayName\":\"Create incidents based on Microsoft Cloud App Security alerts\",\"description\":\"Create incidents based on all alerts generated in Microsoft Defender for Cloud Apps\",\"lastUpdatedDateUTC\":\"2019-07-16T00:00:00Z\",\"createdDateUTC\":\"2019-07-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftCloudAppSecurity\",\"dataTypes\":[\"SecurityAlert (MCAS)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/eb68b129-5f17-4f56-bf6d-dde48d5e615a\",\"name\":\"eb68b129-5f17-4f56-bf6d-dde48d5e615a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let lbtime = 10m;\\nProofpointPOD\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027inbound\u0027\\n| where FilterDisposition !in (\u0027reject\u0027, \u0027discard\u0027)\\n| extend attachedMimeType = todynamic(MsgParts)[0][\u0027detectedMime\u0027]\\n| where attachedMimeType == \u0027application/zip\u0027\\n| project SrcUserUpn, DstUserUpn\\n| extend AccountCustomEntity = DstUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"ProofpointPOD - Binary file in attachment\",\"description\":\"Detects when email received with binary file as attachment.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c0e84221-f240-4dd7-ab1e-37e034ea2a4e\",\"name\":\"c0e84221-f240-4dd7-ab1e-37e034ea2a4e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"union isfuzzy=true\\n(DeviceFileEvents\\n| where FolderPath endswith \\\"vmware-vmdmp.log\\\"\\n| extend HostCustomEntity = DeviceName, timestamp=TimeGenerated),\\n(WindowsEvent\\n| where EventID == 4663 and EventData has \\\"vmware-vmdmp.log\\\"\\n| extend ObjectName = tostring(EventData.ObjectName) \\n| where ObjectName endswith \\\"vmware-vmdmp.log\\\"\\n| extend HostCustomEntity = Computer, timestamp=TimeGenerated),\\n(SecurityEvent\\n| where EventID == 4663\\n| where ObjectName endswith \\\"vmware-vmdmp.log\\\"\\n| extend HostCustomEntity = Computer, timestamp=TimeGenerated),\\n(imFileEvent\\n| where TargetFileName endswith \\\"vmware-vmdmp.log\\\"\\n| extend HostCustomEntity = DvcHostname, timestamp=TimeGenerated\\n)\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"SUNSPOT log file creation\",\"description\":\"This query uses Microsoft Defender for Endpoint data and Windows Event Logs to look for IoCs associated with the SUNSPOT malware shared by Crowdstrike.\\nMore details: \\n - https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/ \\n - https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-your-software-build-process-with-azure-sentinel/ba-p/2140807\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5b6ae038-f66e-4f74-9315-df52fd492be4\",\"name\":\"5b6ae038-f66e-4f74-9315-df52fd492be4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Low\",\"query\":\"imProcess\\n | where CommandLine has_all (\\\"accepteula\\\", \\\"-s\\\", \\\"-r\\\", \\\"-q\\\")\\n | where Process !endswith \\\"sdelete.exe\\\"\\n | where CommandLine !has \\\"sdelete\\\"\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DvcHostname\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DvcIpAddr\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ActorUsername\"}]}],\"tactics\":[\"DefenseEvasion\",\"Impact\"],\"displayName\":\"Potential re-named sdelete usage (ASIM Version)\",\"description\":\"This detection looks for command line parameters associated with the use of Sysinternals sdelete (https://docs.microsoft.com/sysinternals/downloads/sdelete) to delete multiple files on a host\u0027s C drive.\\nA threat actor may re-name the tool to avoid detection and then use it for destructive attacks on a host.\\nThis detection uses the ASIM imProcess parser, this will need to be deployed before use - https://docs.microsoft.com/azure/sentinel/normalization\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-02-25T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8c8de3fa-6425-4623-9cd9-45de1dd0569a\",\"name\":\"8c8de3fa-6425-4623-9cd9-45de1dd0569a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let lookBack = 14d;\\nlet timeframe = 1d;\\nlet user_agents_list = Cisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(lookBack) and TimeGenerated \u003c ago(timeframe)\\n| summarize count() by HttpUserAgentOriginal\\n| summarize make_list(HttpUserAgentOriginal);\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(timeframe)\\n| where HttpUserAgentOriginal !in (user_agents_list)\\n| extend Message = \\\"Rare User Agent\\\"\\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated, HttpUserAgentOriginal\\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - Rare User Agent Detected\",\"description\":\"Rule helps to detect a rare user-agents indicating web browsing activity by an unusual process other than a web browser.\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/02ef8d7e-fc3a-4d86-a457-650fa571d8d2\",\"name\":\"02ef8d7e-fc3a-4d86-a457-650fa571d8d2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let logonDiff = 10m;\\nlet aadFunc = (tableName:string){\\ntable(tableName) \\n| where ResultType == \\\"0\\\" \\n| where AppDisplayName !in (\\\"Office 365 Exchange Online\\\", \\\"Skype for Business Online\\\")\\n| project SuccessLogonTime = TimeGenerated, UserPrincipalName, SuccessIPAddress = IPAddress, AppDisplayName, SuccessIPBlock = strcat(split(IPAddress, \\\".\\\")[0], \\\".\\\", split(IPAddress, \\\".\\\")[1]), Type\\n| join kind= inner (\\n table(tableName)\\n | where ResultType !in (\\\"0\\\", \\\"50140\\\") \\n | where ResultDescription !~ \\\"Other\\\" \\n | where AppDisplayName !in (\\\"Office 365 Exchange Online\\\", \\\"Skype for Business Online\\\")\\n | project FailedLogonTime = TimeGenerated, UserPrincipalName, FailedIPAddress = IPAddress, AppDisplayName, ResultType, ResultDescription, Type\\n) on UserPrincipalName, AppDisplayName \\n| where SuccessLogonTime \u003c FailedLogonTime and FailedLogonTime - SuccessLogonTime \u003c= logonDiff and FailedIPAddress !startswith SuccessIPBlock\\n| summarize FailedLogonTime = max(FailedLogonTime), SuccessLogonTime = max(SuccessLogonTime) by UserPrincipalName, SuccessIPAddress, AppDisplayName, FailedIPAddress, ResultType, ResultDescription, Type\\n| extend timestamp = SuccessLogonTime\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SuccessIPAddress\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"FailedIPAddress\"}]}],\"tactics\":[\"CredentialAccess\",\"InitialAccess\"],\"displayName\":\"Successful logon from IP and failure from a different IP\",\"description\":\"Identifies when a user account successfully logs onto an Azure App from one IP and within 10 mins failed to logon to the same App via a different IP.\\nThis may indicate a malicious attempt at password guessing based on knowledge of the users account.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9736e5f1-7b6e-4bfb-a708-e53ff1d182c3\",\"name\":\"9736e5f1-7b6e-4bfb-a708-e53ff1d182c3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":1,\"version\":\"1.1.0\",\"severity\":\"Low\",\"query\":\"let tokens = dynamic([\\\"416\\\",\\\"208\\\",\\\"128\\\",\\\"120\\\",\\\"96\\\",\\\"80\\\",\\\"72\\\",\\\"64\\\",\\\"48\\\",\\\"44\\\",\\\"40\\\",\\\"g5\\\",\\\"gs5\\\",\\\"g4\\\",\\\"gs4\\\",\\\"nc12\\\",\\\"nc24\\\",\\\"nv12\\\"]);\\nlet operationList = dynamic([\\\"microsoft.compute/virtualmachines/write\\\", \\\"microsoft.resources/deployments/write\\\"]);\\nAzureActivity\\n| where tolower(OperationNameValue) in (operationList)\\n| where ActivityStatusValue == \\\"Accepted\\\" \\n| where isnotempty(Properties)\\n| extend vmSize = tolower(tostring(parse_json(tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).responseBody)).properties)).hardwareProfile)).vmSize))\\n| where isnotempty(vmSize)\\n| where vmSize has_any (tokens) \\n| extend ComputerName = tostring(parse_json(tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).responseBody)).properties)).osProfile)).computerName)\\n| extend clientIpAddress = tostring(parse_json(HTTPRequest).clientIpAddress)\\n| project TimeGenerated, OperationNameValue, ActivityStatusValue, Caller, CallerIpAddress, ComputerName, vmSize\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Creation of expensive computes in Azure\",\"description\":\"Identifies the creation of large size/expensive VMs (GPU or with large no of virtual CPUs) in Azure.\\nAdversary may create new or update existing virtual machines sizes to evade defenses \\nor use it for cryptomining purposes.\\nFor Windows/Linux Vm Sizes - https://docs.microsoft.com/azure/virtual-machines/windows/sizes \\nAzure VM Naming Conventions - https://docs.microsoft.com/azure/virtual-machines/vm-naming-conventions\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/78422ef2-62bf-48ca-9bab-72c69818a425\",\"name\":\"78422ef2-62bf-48ca-9bab-72c69818a425\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P8D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Low\",\"query\":\"let endtime = 1d;\\nlet starttime = 8d;\\nlet threshold = 2.0;\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4624 and LogonType == 10\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ComputerCountToday = dcount(Computer), ComputerSet = makeset(Computer), ProcessSet = makeset(ProcessName)\\nby Account, IpAddress, AccountType, Activity, LogonTypeName),\\n(WindowsEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4624 \\n| extend LogonType = tostring(EventData.LogonType)\\n| where LogonType == 10\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| extend Account = strcat(tostring(EventData.TargetDomainName),\\\"\\\\\\\\\\\", tostring(EventData.TargetUserName))\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| extend TargetUserSid = tostring(EventData.TargetUserSid)\\n| extend AccountType=case(Account endswith \\\"$\\\" or TargetUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(TargetUserSid), \\\"\\\", \\\"User\\\")\\n| extend Activity=\\\"4624 - An account was successfully logged on.\\\"\\n| extend LogonTypeName=\\\"10 - RemoteInteractive\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ComputerCountToday = dcount(Computer), ComputerSet = makeset(Computer), ProcessSet = makeset(ProcessName)\\nby Account, IpAddress, AccountType, Activity, LogonTypeName)\\n)\\n| join kind=inner (\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e= ago(starttime) and TimeGenerated \u003c ago(endtime)\\n| where EventID == 4624 and LogonType == 10\\n| summarize ComputerCountPrev7Days = dcount(Computer) by Account = tolower(Account), IpAddress\\n),\\n( WindowsEvent\\n| where TimeGenerated \u003e= ago(starttime) and TimeGenerated \u003c ago(endtime)\\n| where EventID == 4624 and EventData has (\\\"10\\\")\\n| extend LogonType = toint(EventData.LogonType)\\n| where LogonType == 10\\n| extend Account = strcat(tostring(EventData.TargetDomainName),\\\"\\\\\\\\\\\", tostring(EventData.TargetUserName))\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| summarize ComputerCountPrev7Days = dcount(Computer) by Account = tolower(Account), IpAddress)\\n)\\n) on Account, IpAddress\\n| extend Ratio = iff(isempty(ComputerCountPrev7Days), toreal(ComputerCountToday), ComputerCountToday / (ComputerCountPrev7Days * 1.0))\\n// Where the ratio of today to previous 7 days is more than double.\\n| where Ratio \u003e threshold\\n| project StartTimeUtc, EndTimeUtc, Account, IpAddress, ComputerSet, ComputerCountToday, ComputerCountPrev7Days, Ratio, AccountType, Activity, LogonTypeName, ProcessSet\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"LateralMovement\"],\"displayName\":\"Multiple RDP connections from Single System\",\"description\":\"Identifies when an RDP connection is made to multiple systems and above the normal for the previous 7 days.\\nConnections from the same system with the same account within the same day.\\nRDP connections are indicated by the EventID 4624 with LogonType = 10\",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2019-10-21T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4d94d4a9-dc96-450a-9dea-4d4d4594199b\",\"name\":\"4d94d4a9-dc96-450a-9dea-4d4d4594199b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"SecurityNestedRecommendation\\n| where RemediationDescription has \u0027CVE-2021-38647\u0027\\n| parse ResourceDetails with * \u0027virtualMachines/\u0027 VirtualMAchine \u0027\\\"\u0027 *\\n| summarize arg_min(TimeGenerated, *) by TenantId, RecommendationSubscriptionId, VirtualMAchine, RecommendationName,Description,RemediationDescription, tostring(AdditionalData),VulnerabilityId\\n| extend Timestamp = TimeGenerated, HostCustomEntity = VirtualMAchine\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"Execution\"],\"displayName\":\"Vulnerable Machines related to OMIGOD CVE-2021-38647\",\"description\":\"This query uses the Azure Defender Security Nested Recommendations data to find machines vulnerable to OMIGOD CVE-2021-38647. OMI is the Linux equivalent of Windows WMI and \\n helps users manage configurations across remote and local environments. The query aims to find machines that have this OMI vulnerability (CVE-2021-38647).\\n Security Nested Recommendations data is sent to Microsoft Sentinel using the continuous export feature of Azure Defender(refrence link below).\\n Reference: https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure\\n Reference: https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal\",\"lastUpdatedDateUTC\":\"2021-11-10T00:00:00Z\",\"createdDateUTC\":\"2021-09-17T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d3980830-dd9d-40a5-911f-76b44dfdce16\",\"name\":\"d3980830-dd9d-40a5-911f-76b44dfdce16\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let aadFunc = (tableName:string){\\ntable(tableName)\\n| where AppDisplayName == \\\"GitHub.com\\\"\\n| where ResultType == 0\\n| summarize CountOfLocations = dcount(Location), Locations = make_set(Location), BurstStartTime = min(TimeGenerated), BurstEndTime = max(TimeGenerated) by UserPrincipalName, Type\\n| where CountOfLocations \u003e 1\\n| extend timestamp = BurstStartTime, AccountCustomEntity = UserPrincipalName\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"GitHub Signin Burst from Multiple Locations\",\"description\":\"This alerts when there Signin burst from multiple locations in GitHub (AAD SSO).\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/25a7f951-54b7-4cf5-9862-ebc04306c590\",\"name\":\"25a7f951-54b7-4cf5-9862-ebc04306c590\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let known_users = (AuditLogs\\n | where TimeGenerated between(ago(14d)..ago(1d))\\n | where OperationName has \\\"conditional access policy\\\"\\n | where Result =~ \\\"success\\\"\\n | extend userPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | summarize by userPrincipalName);\\n AuditLogs\\n | where TimeGenerated \u003e ago(1d)\\n | where OperationName has \\\"conditional access policy\\\"\\n | where Result =~ \\\"success\\\"\\n | extend userPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend CAPolicyName = tostring(TargetResources[0].displayName)\\n | extend ipAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n | where userPrincipalName !in (known_users)\\n | extend NewPolicyValues = TargetResources[0].modifiedProperties[0].newValue\\n | extend OldPolicyValues = TargetResources[0].modifiedProperties[0].oldValue\\n | project-reorder TimeGenerated, OperationName, CAPolicyName, userPrincipalName, ipAddress, NewPolicyValues, OldPolicyValues\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"userPrincipalName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ipAddress\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Conditional Access Policy Modified by New User\",\"description\":\"Detects a Conditional Access Policy being modified by a user who has not modified a policy in the last 14 days.\\n A threat actor may try to modify policies to weaken the security controls in place.\\n Investigate any change to ensure they are approved.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-infrastructure#conditional-access\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/70b12a3b-4896-42cb-910c-5ffaf8d7987d\",\"name\":\"70b12a3b-4896-42cb-910c-5ffaf8d7987d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.4.1\",\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"seoulhobi.biz\\\", \\\"reader.cash\\\", \\\"pieceview.club\\\", \\\"app-wallet.com\\\", \\\"bigwnet.com\\\", \\\"bitwoll.com\\\", \\\"cexrout.com\\\", \\\"change-pw.com\\\", \\\"checkprofie.com\\\", \\\"cloudwebappservice.com\\\", \\\"ctquast.com\\\", \\\"dataviewering.com\\\", \\\"day-post.com\\\", \\\"dialy-post.com\\\", \\\"documentviewingcom.com\\\", \\\"dovvn-mail.com\\\", \\\"down-error.com\\\", \\\"drivecheckingcom.com\\\", \\\"drog-service.com\\\", \\\"encodingmail.com\\\", \\\"filinvestment.com\\\", \\\"foldershareing.com\\\", \\\"golangapis.com\\\", \\\"hotrnall.com\\\", \\\"lh-logins.com\\\", \\\"login-use.com\\\", \\\"mail-down.com\\\", \\\"matmiho.com\\\", \\\"mihomat.com\\\", \\\"natwpersonal-online.com\\\", \\\"nidlogin.com\\\", \\\"nid-login.com\\\", \\\"nidlogon.com\\\", \\\"pw-change.com\\\", \\\"rnaii.com\\\", \\\"rnailm.com\\\", \\\"sec-live.com\\\", \\\"secrityprocessing.com\\\", \\\"securitedmode.com\\\", \\\"securytingmail.com\\\", \\\"set-login.com\\\", \\\"usrchecking.com\\\", \\\"com-serviceround.info\\\", \\\"mai1.info\\\", \\\"reviewer.mobi\\\", \\\"files-download.net\\\", \\\"fixcool.net\\\", \\\"hanrnaii.net\\\", \\\"office356-us.org\\\", \\\"smtper.org\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where isnotempty(FileHash)\\n| where DNSName in~ (DomainNames)\\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n),\\n(_Im_Dns (domain_has_any=DomainNames)\\n| extend DNSName = DnsQuery\\n| extend IPAddress = SrcIpAddr\\n),\\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where isnotempty(DNSName)\\n| where DNSName in~ (DomainNames)\\n| extend IPAddress = RemoteIp\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPAddress = SourceHost \\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"CredentialAccess\"],\"displayName\":\"THALLIUM domains included in DCU takedown\",\"description\":\"THALLIUM spearphishing and command and control domains included in December 2019 DCU/MSTIC takedown. \\n Matches domain name IOCs related to the THALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes.\\n References: https://blogs.microsoft.com/on-the-issues/2019/12/30/microsoft-court-action-against-nation-state-cybercrime/ \",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2020-01-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4d94d4a9-dc96-410a-8dea-4d4d4584188b\",\"name\":\"4d94d4a9-dc96-410a-8dea-4d4d4584188b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"let OperationList = dynamic([\\\"Add member to role\\\",\\\"Add member to role in PIM requested (permanent)\\\"]);\\nlet PrivilegedGroups = dynamic([\\\"UserAccountAdmins\\\",\\\"PrivilegedRoleAdmins\\\",\\\"TenantAdmins\\\"]);\\nAuditLogs\\n//| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"RoleManagement\\\"\\n| where OperationName in~ (OperationList)\\n| mv-expand TargetResources\\n| extend modProps = parse_json(TargetResources).modifiedProperties\\n| mv-expand bagexpansion=array modProps\\n| evaluate bag_unpack(modProps)\\n| extend displayName = column_ifexists(\\\"displayName\\\", \\\"NotAvailable\\\"), newValue = column_ifexists(\\\"newValue\\\", \\\"NotAvailable\\\")\\n| where displayName =~ \\\"Role.WellKnownObjectName\\\"\\n| extend DisplayName = displayName, GroupName = replace(\u0027\\\"\u0027,\u0027\u0027,newValue)\\n| extend initByApp = parse_json(InitiatedBy).app, initByUser = parse_json(InitiatedBy).user\\n| extend AppId = initByApp.appId, \\nInitiatedByDisplayName = case(isnotempty(initByApp.displayName), initByApp.displayName, isnotempty(initByUser.displayName), initByUser.displayName, \\\"not available\\\"),\\nServicePrincipalId = tostring(initByApp.servicePrincipalId),\\nServicePrincipalName = tostring(initByApp.servicePrincipalName),\\nUserId = initByUser.id,\\nUserIPAddress = initByUser.ipAddress,\\nUserRoles = initByUser.roles,\\nUserPrincipalName = tostring(initByUser.userPrincipalName),\\nTargetUserPrincipalName = tostring(TargetResources.userPrincipalName)\\n| where GroupName in~ (PrivilegedGroups)\\n// If you don\u0027t want to alert for operations from PIM, remove below filtering for MS-PIM.\\n//| where InitiatedByDisplayName != \\\"MS-PIM\\\"\\n| project TimeGenerated, AADOperationType, Category, OperationName, AADTenantId, AppId, InitiatedByDisplayName, ServicePrincipalId, ServicePrincipalName, DisplayName, GroupName, UserId, UserIPAddress, UserRoles, UserPrincipalName, TargetUserPrincipalName\\n| extend timestamp = TimeGenerated, AccountCustomEntity = case(isnotempty(ServicePrincipalName), ServicePrincipalName, isnotempty(ServicePrincipalId), ServicePrincipalId, isnotempty(UserPrincipalName), UserPrincipalName, \\\"not available\\\")\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUserPrincipalName\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"User added to Azure Active Directory Privileged Groups\",\"description\":\"This will alert when a user is added to any of the Privileged Groups.\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\\nFor Administrator role permissions in Azure Active Directory please see https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles\",\"lastUpdatedDateUTC\":\"2022-03-24T00:00:00Z\",\"createdDateUTC\":\"2020-07-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/50574fac-f8d1-4395-81c7-78a463ff0c52\",\"name\":\"50574fac-f8d1-4395-81c7-78a463ff0c52\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"let aadFunc = (tableName:string){\\ntable(tableName)\\n| where AppId =~ \\\"1b730954-1685-4b74-9bfd-dac224a7b894\\\" // AppDisplayName IS Azure Active Directory PowerShell\\n| where TokenIssuerType =~ \\\"AzureAD\\\"\\n| where ResourceIdentity !in (\\\"00000002-0000-0000-c000-000000000000\\\", \\\"00000003-0000-0000-c000-000000000000\\\") // ResourceDisplayName IS NOT Windows Azure Active Directory OR Microsoft Graph\\n| extend Status = todynamic(Status)\\n| where Status.errorCode == 0 // Success\\n| project-reorder IPAddress, UserAgent, ResourceDisplayName, UserDisplayName, UserId, UserPrincipalName, Type\\n| order by TimeGenerated desc\\n// New entity mapping\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Azure Active Directory PowerShell accessing non-AAD resources\",\"description\":\"This will alert when a user or application signs in using Azure Active Directory PowerShell to access non-Active Directory resources, such as the Azure Key Vault, which may be undesired or unauthorized behavior.\\nFor capabilities and expected behavior of the Azure Active Directory PowerShell module, see: https://learn.microsoft.com/powershell/module/azuread/?view=azureadps-2.0.\\nFor further information on Azure Active Directory Signin activity reports, see: https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins.\",\"lastUpdatedDateUTC\":\"2022-02-23T00:00:00Z\",\"createdDateUTC\":\"2020-12-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cca3b4d9-ac39-4109-8b93-65bb284003e6\",\"name\":\"cca3b4d9-ac39-4109-8b93-65bb284003e6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @\u0027^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$\u0027;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n AzureActivity | where TimeGenerated \u003e= ago(dt_lookBack) and isnotempty(Caller)\\n | extend Caller = tolower(Caller)\\n | where Caller matches regex emailregex\\n | extend AzureActivity_TimeGenerated = TimeGenerated\\n)\\non $left.EmailSenderAddress == $right.Caller\\n| where AzureActivity_TimeGenerated \u003c ExpirationDateTime\\n| summarize AzureActivity_TimeGenerated = arg_max(AzureActivity_TimeGenerated, *) by IndicatorId, Caller\\n| project AzureActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, EmailSenderName, EmailRecipient, \\nEmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, Caller, Level, CallerIpAddress, CategoryValue, OperationNameValue, ActivityStatusValue, \\nResourceGroup, SubscriptionId\\n| extend timestamp = AzureActivity_TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map Email entity to AzureActivity\",\"description\":\"Identifies a match in AzureActivity table from any Email IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9122a9cb-916b-4d98-a199-1b7b0af8d598\",\"name\":\"9122a9cb-916b-4d98-a199-1b7b0af8d598\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"beesweiserdog.com\\\", \\n \\\"bluehostfit.com\\\", \\n \\\"business-toys.com\\\", \\n \\\"cleanskycloud.com\\\", \\n \\\"cumberbat.com\\\", \\n \\\"czreadsecurity.com\\\", \\n \\\"dgtresorgouv.com\\\", \\n \\\"dimediamikedask.com\\\", \\n \\\"diresitioscon.com\\\", \\n \\\"elcolectador.com\\\", \\n \\\"elperuanos.org\\\", \\n \\\"eprotectioneu.com\\\", \\n \\\"fheacor.com\\\", \\n \\\"followthewaterdata.com\\\", \\n \\\"francevrteepress.com\\\", \\n \\\"futtuhy.com\\\", \\n \\\"gardienweb.com\\\", \\n \\\"heimflugaustr.com\\\", \\n \\\"ivpsers.com\\\", \\n \\\"jkeducation.org\\\", \\n \\\"micrlmb.com\\\", \\n \\\"muthesck.com\\\", \\n \\\"netscalertech.com\\\", \\n \\\"newgoldbalmap.com\\\", \\n \\\"news-laestrella.com\\\", \\n \\\"noticialif.com\\\", \\n \\\"opentanzanfoundation.com\\\", \\n \\\"optonlinepress.com\\\", \\n \\\"palazzochigi.com\\\", \\n \\\"pandemicacre.com\\\", \\n \\\"papa-ser.com\\\", \\n \\\"pekematclouds.com\\\", \\n \\\"pipcake.com\\\", \\n \\\"popularservicenter.com\\\", \\n \\\"projectsyndic.com\\\", \\n \\\"qsadtv.com\\\", \\n \\\"sankreal.com\\\", \\n \\\"scielope.com\\\", \\n \\\"seoamdcopywriting.com\\\", \\n \\\"slidenshare.com\\\", \\n \\\"somoswake.com\\\", \\n \\\"squarespacenow.com\\\", \\n \\\"subapostilla.com\\\", \\n \\\"suzukicycles.net\\\", \\n \\\"tatanotakeeps.com\\\", \\n \\\"tijuanazxc.com\\\", \\n \\\"transactioninfo.net\\\", \\n \\\"eurolabspro.com\\\", \\n \\\"adelluminate.com\\\", \\n \\\"headhunterblue.com\\\", \\n \\\"primenuesty.com\\\" \\n ]);\\nlet SHA256Hashes = dynamic ([\\\"02daf4544bcefb2de865d0b45fc406bee3630704be26a9d6da25c9abe906e7d2\\\", \\n \\\"0a45ec3da31838aa7f56e4cbe70d5b3b3809029f9159ff0235837e5b7a4cb34c\\\", \\n \\\"0d7965489810446ca7acc7a2160795b22e452a164261313c634a6529a0090a0c\\\", \\n \\\"10bb4e056fd19f2debe61d8fc5665434f56064a93ca0ec0bef946a4c3e098b95\\\", \\n \\\"12d914f24fe5501e09f5edf503820cc5fe8b763827a1c6d44cdb705e48651b21\\\", \\n \\\"1899f761123fedfeba0fee6a11f830a29cd3653bcdcf70380b72a05b921b4b49\\\", \\n \\\"22e68e366dd3323e5bb68161b0938da8e1331e4f1c1819c8e84a97e704d93844\\\", \\n \\\"259783405ec2cb37fdd8fd16304328edbb6a0703bc3d551eba252d9b450554ef\\\", \\n \\\"26debed09b1bbf24545e3b4501b799b66a0146d4020f882776465b5071e91822\\\", \\n \\\"35c5f22bb11f7dd7a2bb03808e0337cb7f9c0d96047b94c8afdab63efc0b9bb2\\\", \\n \\\"3ae2d9ffa4e53519e62cc0a75696f9023f9cce09b0a917f25699b48d0f7c4838\\\", \\n \\\"3bac2e459c69fcef8c1c93c18e5f4f3e3102d8d0f54a63e0650072aeb2a5fa65\\\", \\n \\\"3c0bf69f6faf85523d9e60d13218e77122b2adb0136ffebbad0f39f3e3eed4e6\\\", \\n \\\"3dc0001a11d54925d2591aec4ea296e64f1d4fdf17ff3343ddeea82e9bd5e4f1\\\", \\n \\\"3fd73af89e94af180b1fbf442bbfb7d7a6c4cf9043abd22ac0aa2f8149bafc90\\\", \\n \\\"6854df6aa0af46f7c77667c450796d5658b3058219158456e869ebd39a47d54b\\\", \\n \\\"6b79b807a66c786bd2e57d1c761fc7e69dd9f790ffab7ce74086c4115c9305ce\\\", \\n \\\"7944a86fbef6238d2a55c14c660c3a3d361c172f6b8fa490686cc8889b7a51a0\\\", \\n \\\"926904f7c0da13a6b8689c36dab9d20b3a2e6d32f212fca9e5f8cf2c6055333c\\\", \\n \\\"95e98c811ea9d212673d0e84046d6da94cbd9134284275195800278593594b5a\\\", \\n \\\"a142625512e5372a1728595be19dbee23eea50524b4827cb64ed5aaeaaa0270b\\\", \\n \\\"afe5e9145882e0b98a795468a4c0352f5b1ddb7b4a534783c9e8fc366914cf6a\\\", \\n \\\"b9027bad09a9f5c917cf0f811610438e46e42e5e984a8984b6d69206ceb74124\\\", \\n \\\"c132d59a3bf0099e0f9f5667daf7b65dba66780f4addd88f04eecae47d5d99fa\\\", \\n \\\"c9a5765561f52bbe34382ce06f4431f7ac65bafe786db5de89c29748cf371dda\\\", \\n \\\"ce0408f92635e42aadc99da3cc1cbc0044e63441129c597e7aa1d76bf2700c94\\\", \\n \\\"ce47bacc872516f91263f5e59441c54f14e9856cf213ca3128470217655fc5e6\\\", \\n \\\"d0fe4562970676e30a4be8cb4923dc9bfd1fca8178e8e7fea0f3f02e0c7435ce\\\", \\n \\\"d5b36648dc9828e69242b57aca91a0bb73296292bf987720c73fcd3d2becbae6\\\", \\n \\\"e72d142a2bc49572e2d99ed15827fc27c67fc0999e90d4bf1352b075f86a83ba\\\"\\n ]);\\nlet SigNames = dynamic([\\\"Backdoor:Win32/Leeson\\\", \\\"Trojan:Win32/Kechang\\\", \\\"Backdoor:Win32/Nightimp!dha\\\", \\\"Trojan:Win32/QuarkBandit.A!dha\\\", \\\"TrojanSpy:Win32/KeyLogger\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where isnotempty(FileHash)\\n| where FileHash in (SHA256Hashes) or DNSName in~ (DomainNames)\\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n),\\n(_Im_Dns(domain_has_any = DomainNames)\\n| extend DNSName = DnsQuery\\n| extend IPAddress = SrcIpAddr\\n),\\n(_Im_WebSession(url_has_any = DomainNames)\\n| extend DNSName = tostring(parse_url(Url)[\\\"Host\\\"])\\n| extend IPAddress = SrcIpAddr\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updataing\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Hashes = EventDetail.[16].[\\\"#text\\\"]\\n| parse Hashes with * \u0027SHA256=\u0027 SHA256 \u0027,\u0027 * \\n| where isnotempty(Hashes)\\n| where Hashes in (SHA256Hashes) \\n| extend Account = UserName\\n),\\n(DeviceFileEvents\\n| where SHA256 in~ (SHA256Hashes)\\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = SHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(imFileEvent\\n| where TargetFileSHA256 in~ (SHA256Hashes)\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(DeviceNetworkEvents\\n| where RemoteUrl in~ (DomainNames)\\n| extend Computer = DeviceName, IPAddress = LocalIP, Account = InitiatingProcessAccountName\\n| project Type, TimeGenerated, Computer, Account, IPAddress, RemoteUrl\\n),\\n(SecurityAlert\\n| where ProductName == \\\"Microsoft Defender Advanced Threat Protection\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| where isnotempty(ThreatName)\\n| where ThreatName has_any (SigNames)\\n| extend Computer = tostring(parse_json(Entities)[0].HostName)\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPAddress = SourceHost\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Known NICKEL domains and hashes\",\"description\":\"IOC domains and hash values for tools and malware used by NICKEL. \\n Matches domain name, hash IOCs and M365 Defender sigs related to the NICKEL activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes.\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2021-11-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/720d12c6-a08c-44c4-b18f-2236412d59b0\",\"name\":\"720d12c6-a08c-44c4-b18f-2236412d59b0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Low\",\"query\":\"SecurityEvent\\n | where EventID == 4688\\n | where Process !~ \\\"sdelete.exe\\\"\\n | where CommandLine has_all (\\\"accepteula\\\", \\\"-r\\\", \\\"-s\\\", \\\"-q\\\", \\\"c:/\\\")\\n | where CommandLine !has (\\\"sdelete\\\")\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"DefenseEvasion\",\"Impact\"],\"displayName\":\"Potential re-named sdelete usage\",\"description\":\"This detection looks for command line parameters associated with the use of Sysinternals sdelete (https://docs.microsoft.com/sysinternals/downloads/sdelete) to delete multiple files on a host\u0027s C drive.\\nA threat actor may re-name the tool to avoid detection and then use it for destructive attacks on a host.\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-02-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/009b9bae-23dd-43c4-bcb9-11c4ba7c784a\",\"name\":\"009b9bae-23dd-43c4-bcb9-11c4ba7c784a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n | where OperationName has \\\"Consent to application\\\"\\n | where Result =~ \\\"failure\\\"\\n | extend ipAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n | extend userPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend userAgent = iif(AdditionalDetails[0].key == \\\"User-Agent\\\", tostring(AdditionalDetails[0].value), tostring(AdditionalDetails[1].value))\\n | where isnotempty(TargetResources)\\n | extend AppName = tostring(TargetResources[0].displayName)\\n | mv-expand TargetResources[0].modifiedProperties\\n | extend TargetResources_0_modifiedProperties = columnifexists(\\\"TargetResources_0_modifiedProperties\\\", \u0027\u0027)\\n | where isnotempty(TargetResources_0_modifiedProperties)\\n | where TargetResources_0_modifiedProperties.displayName =~ \\\"MethodExecutionResult.\\\"\\n | extend FailureReason = tostring(parse_json(tostring(TargetResources_0_modifiedProperties.newValue)))\\n | where FailureReason contains \\\"Risky\\\"\\n | project-reorder TimeGenerated, OperationName, Result, AppName, FailureReason, userPrincipalName, userAgent, ipAddress\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ipAddress\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"userPrincipalName\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"End-user consent stopped due to risk-based consent\",\"description\":\"Detects a user\u0027s consent to an OAuth application being blocked due to it being too risky.\\n These events should be investigated to understand why the user attempted to consent to the applicaiton and what other applicaitons they may have consented to.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-applications#end-user-stopped-due-to-risk-based-consent\",\"lastUpdatedDateUTC\":\"2022-07-09T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e70fa6e0-796a-4e85-9420-98b17b0bb749\",\"name\":\"e70fa6e0-796a-4e85-9420-98b17b0bb749\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"DeviceInfo\\n| extend DeviceName = tolower(DeviceName)\\n| join (SecurityAlert\\n| where ProviderName =~ \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| where ThreatName has \\\"Solorigate\\\"\\n| extend HostCustomEntity = tolower(CompromisedEntity)\\n) on $left.DeviceName == $right.HostCustomEntity\\n| project TimeGenerated, DisplayName, ThreatName, CompromisedEntity, PublicIP, MachineGroup, AlertSeverity, Description, LoggedOnUsers, DeviceId, TenantId, HostCustomEntity\\n| extend timestamp = TimeGenerated, IPCustomEntity = PublicIP\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Solorigate Defender Detections\",\"description\":\"Surfaces any Defender Alert for Solorigate Events. In Microsoft Sentinel the SecurityAlerts table includes only the Device Name of the affected device, this query joins the DeviceInfo table to clearly connect other information such as \\n Device group, ip, logged on users etc. This way, the Microsoft Sentinel user can have all the pertinent device info in one view for all the the Solarigate Defender alerts.\",\"lastUpdatedDateUTC\":\"2021-11-10T00:00:00Z\",\"createdDateUTC\":\"2020-12-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftDefenderAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert (MDATP)\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceInfo\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9176b18f-a946-42c6-a2f6-0f6d17cd6a8a\",\"name\":\"9176b18f-a946-42c6-a2f6-0f6d17cd6a8a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let triThreshold = 500;\\nlet querystarttime = 6h;\\nlet dgaLengthThreshold = 8;\\n// fetch the cisco umbrella top 1M domains\\nlet top1M = (externaldata (Position:int, Domain:string) [@\\\"http://s3-us-west-1.amazonaws.com/umbrella-static/top-1m.csv.zip\\\"] with (format=\\\"csv\\\", zipPattern=\\\"*.csv\\\"));\\n// extract tri grams that are above our threshold - i.e. are common\\nlet triBaseline = top1M\\n | extend Domain = tolower(extract(\\\"([^.]*).{0,7}$\\\", 1, Domain))\\n | extend AllTriGrams = array_concat(extract_all(\\\"(...)\\\", Domain), extract_all(\\\"(...)\\\", substring(Domain, 1)), extract_all(\\\"(...)\\\", substring(Domain, 2)))\\n | mvexpand Trigram=AllTriGrams to typeof(string)\\n | summarize triCount=count() by Trigram\\n | sort by triCount desc\\n | where triCount \u003e triThreshold\\n | distinct Trigram;\\n// collect domain information from common security log, filter and extract the DGA candidate and its trigrams\\nlet allDataSummarized = _Im_WebSession \\n| where isnotempty(Url) \\n| extend Name = tolower(tostring(parse_url(Url)[\\\"Host\\\"]))\\n| summarize NameCount=count() by Name\\n| where Name has \\\".\\\"\\n| where Name !endswith \\\".home\\\" and Name !endswith \\\".lan\\\"\\n// extract DGA candidate\\n| extend DGADomain = extract(\\\"([^.]*).{0,7}$\\\", 1, Name)\\n| where strlen(DGADomain) \u003e dgaLengthThreshold\\n// throw out domains with number in them\\n| where DGADomain matches regex \\\"^[A-Za-z]{0,}$\\\"\\n// extract the tri grams from summarized data\\n| extend AllTriGrams = array_concat(extract_all(\\\"(...)\\\", DGADomain), extract_all(\\\"(...)\\\", substring(DGADomain, 1)), extract_all(\\\"(...)\\\", substring(DGADomain, 2)));\\n// throw out domains that have repeating tri\u0027s and/or \u003e=3 repeating letters\\nlet nonRepeatingTris = allDataSummarized\\n| join kind=leftanti\\n(\\n allDataSummarized\\n | mvexpand AllTriGrams\\n | summarize count() by tostring(AllTriGrams), DGADomain\\n | where count_ \u003e 1\\n | distinct DGADomain\\n)\\non DGADomain;\\n// find domains that do not have a common tri in the baseline\\nlet dataWithRareTris = nonRepeatingTris\\n| join kind=leftanti\\n(\\n nonRepeatingTris\\n | mvexpand AllTriGrams\\n | extend Trigram = tostring(AllTriGrams)\\n | distinct Trigram, DGADomain\\n | join kind=inner\\n (\\n triBaseline\\n )\\n on Trigram\\n | distinct DGADomain\\n)\\non DGADomain;\\ndataWithRareTris\\n// join DGAs back on connection data\\n| join kind=inner\\n(\\n _Im_WebSession\\n | where isnotempty(Url)\\n | extend Url = tolower(Url)\\n | summarize arg_max(TimeGenerated, EventVendor, SrcIpAddr) by Url\\n | extend Name=tostring(parse_url(Url)[\\\"Host\\\"])\\n | summarize StartTime=min(TimeGenerated), EndTime=max(TimeGenerated) by Name, SrcIpAddr, Url\\n)\\non Name\\n| project StartTime, EndTime, Name, DGADomain, SrcIpAddr, Url, NameCount\",\"customDetails\":{\"DGAPattern\":\"DGADomain\",\"NameCount\":\"NameCount\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URL\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Potential communication from {{SrcIpAddr} with a Domain Generation Algorithm (DGA) based host {{Name}}\",\"alertDescriptionFormat\":\"A client with address {{SrcIpAddr}} communicated with host {{Name}} that have a domain name that might have been generated by a Domain Generation Algorithm (DGA), identified by the pattern {{DGADomain}}. DGAs are used by malware to generate rendezvous points that are difficult to predict in advance. This detection uses the top 1 million domain names to build a model of what normal domains look like and uses the model to identify domains that may have been randomly generated by an algorithm.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Potential communication with a Domain Generation Algorithm (DGA) based hostname (ASIM Web Session schema)\",\"description\":\"This rule identifies communication with hosts that have a domain name that might have been generated by a Domain Generation Algorithm (DGA). DGAs are used by malware to generate rendezvous points that are difficult to predict in advance. This detection uses the top 1 million domain names to build a model of what normal domains look like nad uses the model to identify domains that may have been randomly generated by an algorithm. You can modify the triThreshold and dgaLengthThreshold query parameters to change Analytic Rule sensitivity. The higher the numbers, the less noisy the rule is. \u003cbr\u003e\\n This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema)\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-12-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f819c592-c5f9-4d5c-a79f-1e6819863533\",\"name\":\"f819c592-c5f9-4d5c-a79f-1e6819863533\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"// ADHealth Monitoring Agent Registry Key\\nlet aadHealthMonAgentRegKey = \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Microsoft Online\\\\\\\\Reporting\\\\\\\\MonitoringAgent\\\";\\n// Filter out known processes\\nlet aadConnectHealthProcs = dynamic ([\\n \u0027Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe\u0027,\\n \u0027Microsoft.Identity.Health.Adfs.InsightsService.exe\u0027,\\n \u0027Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe\u0027,\\n \u0027Microsoft.Identity.Health.Adfs.PshSurrogate.exe\u0027,\\n \u0027Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe\u0027,\\n \u0027Microsoft.Identity.Health.AadSync.MonitoringAgent.Startup.exe\u0027,\\n \u0027Microsoft.Identity.AadConnect.Health.AadSync.Host.exe\u0027,\\n \u0027Microsoft.Azure.ActiveDirectory.Synchronization.Upgrader.exe\u0027,\\n \u0027miiserver.exe\u0027\\n]);\\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where EventID == \u00274656\u0027\\n| where EventData has aadHealthMonAgentRegKey\\n| extend EventData = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Computer, EventID)\\n| extend ObjectName = column_ifexists(\\\"ObjectName\\\", \\\"\\\"),\\n ObjectType = column_ifexists(\\\"ObjectType\\\", \\\"\\\")\\n| where ObjectType == \u0027Key\u0027\\n| where ObjectName == aadHealthMonAgentRegKey\\n| extend SubjectUserName = column_ifexists(\\\"SubjectUserName\\\", \\\"\\\"),\\n SubjectDomainName = column_ifexists(\\\"SubjectDomainName\\\", \\\"\\\"),\\n ProcessName = column_ifexists(\\\"ProcessName\\\", \\\"\\\")\\n| extend Process = split(ProcessName, \u0027\\\\\\\\\u0027, -1)[-1],\\n Account = strcat(SubjectDomainName, \\\"\\\\\\\\\\\", SubjectUserName)\\n| where Process !in (aadConnectHealthProcs)\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by EventID, Account, Computer, Process, SubjectUserName, SubjectDomainName, ObjectName, ObjectType, ProcessName\\n),\\n(\\nWindowsEvent\\n| where EventID == \u00274656\u0027 and EventData has aadHealthMonAgentRegKey\\n| extend ObjectType = tostring(EventData.ObjectType)\\n| where ObjectType == \u0027Key\u0027\\n| extend ObjectName = tostring(EventData.ObjectName)\\n| where ObjectName == aadHealthMonAgentRegKey\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| extend Process = tostring(split(ProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where Process !in (aadConnectHealthProcs)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName)\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by EventID, Account, Computer, Process, SubjectUserName, SubjectDomainName, ObjectName, ObjectType, ProcessName\\n),\\n(\\nSecurityEvent\\n| where EventID == \u00274663\u0027\\n| where ObjectType == \u0027Key\u0027\\n| where ObjectName == aadHealthMonAgentRegKey\\n| extend Process = tostring(split(ProcessName, \u0027\\\\\\\\\u0027, -1)[-1])\\n| where Process !in (aadConnectHealthProcs)\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by EventID, Account, Computer, Process, SubjectUserName, SubjectDomainName, ObjectName, ObjectType, ProcessName\\n),\\n (\\nWindowsEvent\\n| where EventID == \u00274663\u0027 and EventData has aadHealthMonAgentRegKey\\n| extend ObjectType = tostring(EventData.ObjectType)\\n| where ObjectType == \u0027Key\u0027\\n| extend ObjectName = tostring(EventData.ObjectName)\\n| where ObjectName == aadHealthMonAgentRegKey\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| extend Process = tostring(split(ProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where Process !in (aadConnectHealthProcs)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName)\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by EventID, Account, Computer, Process, SubjectUserName, SubjectDomainName, ObjectName, ObjectType, ProcessName\\n)\\n)\\n// You can filter out potential machine accounts\\n//| where AccountType != \u0027Machine\u0027\\n| extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Collection\"],\"displayName\":\"Azure AD Health Monitoring Agent Registry Keys Access\",\"description\":\"This detection uses Windows security events to detect suspicious access attempts to the registry key of Azure AD Health monitoring agent.\\nThis detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object HKLM\\\\SOFTWARE\\\\Microsoft\\\\Microsoft Online\\\\Reporting\\\\MonitoringAgent.\\nYou can find more information in here https://github.com/OTRF/Set-AuditRule/blob/master/rules/registry/aad_connect_health_monitoring_agent.yml\\n\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-08-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/066395ac-ef91-4993-8bf6-25c61ab0ca5a\",\"name\":\"066395ac-ef91-4993-8bf6-25c61ab0ca5a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/SOURGUM.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet domains = (iocs | where Type =~ \\\"domainname\\\"| project IoC);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\nlet file_path1 = (iocs | where Type =~ \\\"filepath1\\\" | project IoC);\\nlet file_path2 = (iocs | where Type =~ \\\"filepath2\\\" | project IoC);\\nlet file_path3 = (iocs | where Type =~ \\\"filepath3\\\" | project IoC);\\nlet reg_key = (iocs | where Type =~ \\\"regkey\\\" | project IoC);\\nWindowsEvent\\n| where EventID == 4688 and (EventData has_any (file_path1) or EventData has_any (file_path2) or EventData has_any (file_path3) or EventData has_any (\u0027reg add\u0027) or EventData has_any (reg_key) )\\n| extend CommandLine = tostring(EventData.CommandLine)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| where (CommandLine has_any (file_path1)) or\\n (CommandLine has_any (file_path3)) or\\n (CommandLine has \u0027reg add\u0027 and CommandLine has_any (reg_key) and CommandLine has_any (file_path2)) or \\n (NewProcessName has_any (file_path1)) or\\n (NewProcessName has_any (file_path3)) or\\n (ParentProcessName has_any (file_path1)) or \\n (ParentProcessName has_any (file_path3)) \\n| extend Account = strcat(EventData.SubjectDomainName,\\\"\\\\\\\\\\\", EventData.SubjectUserName)\\n| extend NewProcessId = tostring(EventData.NewProcessId)\\n| extend IPCustomEntity = tostring(EventData.IpAddress)\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type, IPCustomEntity\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, Alert = \u0027SOURGUM IOC detected\u0027\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"SOURGUM Actor IOC - July 2021\",\"description\":\"Identifies a match across IOC\u0027s related to an actor tracked by Microsoft as SOURGUM\",\"lastUpdatedDateUTC\":\"2022-05-19T00:00:00Z\",\"createdDateUTC\":\"2022-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6116dc19-475a-4148-84b2-efe89c073e27\",\"name\":\"6116dc19-475a-4148-84b2-efe89c073e27\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let threshold = 10;\\nQualysHostDetectionV2_CL\\n| extend Status = tostring(Status_s), Vulnerability = tostring(QID_s), Severity = tostring(Severity_s)\\n| where Status =~ \\\"New\\\" and Severity == \\\"5\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), dcount(NetBios_s) by tostring(QID_s)\\n| where dcount_NetBios_s \u003e= threshold\\n| extend timestamp = StartTime\",\"entityMappings\":[],\"tactics\":[\"InitialAccess\"],\"displayName\":\"New High Severity Vulnerability Detected Across Multiple Hosts\",\"description\":\"This creates an incident when a new high severity vulnerability is detected across multilple hosts\",\"lastUpdatedDateUTC\":\"2021-12-08T00:00:00Z\",\"createdDateUTC\":\"2020-06-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"QualysVulnerabilityManagement\",\"dataTypes\":[\"QualysHostDetection_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/90d3f6ec-80fb-48e0-9937-2c70c9df9bad\",\"name\":\"90d3f6ec-80fb-48e0-9937-2c70c9df9bad\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let DomainList = dynamic([\\\"tor2web.org\\\", \\\"tor2web.com\\\", \\\"torlink.co\\\", \\\"onion.to\\\", \\\"onion.ink\\\", \\\"onion.cab\\\", \\\"onion.nu\\\", \\\"onion.link\\\", \\n\\\"onion.it\\\", \\\"onion.city\\\", \\\"onion.direct\\\", \\\"onion.top\\\", \\\"onion.casa\\\", \\\"onion.plus\\\", \\\"onion.rip\\\", \\\"onion.dog\\\", \\\"tor2web.fi\\\", \\n\\\"tor2web.blutmagie.de\\\", \\\"onion.sh\\\", \\\"onion.lu\\\", \\\"onion.pet\\\", \\\"t2w.pw\\\", \\\"tor2web.ae.org\\\", \\\"tor2web.io\\\", \\\"tor2web.xyz\\\", \\\"onion.lt\\\", \\n\\\"s1.tor-gateways.de\\\", \\\"s2.tor-gateways.de\\\", \\\"s3.tor-gateways.de\\\", \\\"s4.tor-gateways.de\\\", \\\"s5.tor-gateways.de\\\", \\\"hiddenservice.net\\\"]);\\nSyslog\\n| where ProcessName contains \\\"squid\\\"\\n| extend URL = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :]*)\\\",3,SyslogMessage), \\n SourceIP = extract(\\\"([0-9]+ )(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3}))\\\",2,SyslogMessage), \\n Status = extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))\\\",1,SyslogMessage), \\n HTTP_Status_Code = extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))/([0-9]{3})\\\",8,SyslogMessage),\\n User = extract(\\\"(CONNECT |GET )([^ ]* )([^ ]+)\\\",3,SyslogMessage),\\n RemotePort = extract(\\\"(CONNECT |GET )([^ ]*)(:)([0-9]*)\\\",4,SyslogMessage),\\n Domain = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :\\\\\\\\/]*)\\\",3,SyslogMessage),\\n Bytes = toint(extract(\\\"([A-Z]+\\\\\\\\/[0-9]{3} )([0-9]+)\\\",2,SyslogMessage)),\\n contentType = extract(\\\"([a-z/]+$)\\\",1,SyslogMessage)\\n| extend TLD = extract(\\\"\\\\\\\\.[a-z]*$\\\",0,Domain)\\n| where HTTP_Status_Code == \\\"200\\\"\\n| where Domain contains \\\".\\\"\\n| where Domain has_any (DomainList)\\n| extend timestamp = TimeGenerated, URLCustomEntity = URL, IPCustomEntity = SourceIP, AccountCustomEntity = User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Squid proxy events for ToR proxies\",\"description\":\"Check for Squid proxy events associated with common ToR proxies. This query presumes the default squid log format is being used.\\nhttp://www.squid-cache.org/Doc/config/access_log/\",\"lastUpdatedDateUTC\":\"2022-05-31T00:00:00Z\",\"createdDateUTC\":\"2019-07-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/70fc7201-f28e-4ba7-b9ea-c04b96701f13\",\"name\":\"70fc7201-f28e-4ba7-b9ea-c04b96701f13\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let OperationList = dynamic([\\\"Add member to role\\\",\\\"Add member to role in PIM requested (permanent)\\\"]);\\nlet PrivilegedGroups = dynamic([\\\"UserAccountAdmins\\\",\\\"PrivilegedRoleAdmins\\\",\\\"TenantAdmins\\\"]);\\nAuditLogs\\n//| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"RoleManagement\\\"\\n| where OperationName in~ (OperationList)\\n| mv-expand TargetResources\\n| extend modProps = parse_json(TargetResources).modifiedProperties\\n| mv-expand bagexpansion=array modProps\\n| evaluate bag_unpack(modProps)\\n| extend displayName = column_ifexists(\\\"displayName\\\", \\\"NotAvailable\\\"), newValue = column_ifexists(\\\"newValue\\\", \\\"NotAvailable\\\")\\n| where displayName =~ \\\"Role.WellKnownObjectName\\\"\\n| extend DisplayName = displayName, GroupName = replace(\u0027\\\"\u0027,\u0027\u0027,newValue)\\n| extend initByApp = parse_json(InitiatedBy).app, initByUser = parse_json(InitiatedBy).user\\n| extend AppId = initByApp.appId,\\nInitiatedByDisplayName = case(isnotempty(initByApp.displayName), initByApp.displayName, isnotempty(initByUser.displayName), initByUser.displayName, \\\"not available\\\"),\\nServicePrincipalId = tostring(initByApp.servicePrincipalId),\\nServicePrincipalName = tostring(initByApp.servicePrincipalName),\\nUserId = initByUser.id,\\nUserIPAddress = initByUser.ipAddress,\\nUserRoles = initByUser.roles,\\nUserPrincipalName = tostring(initByUser.userPrincipalName),\\nTargetUserPrincipalName = tostring(TargetResources.userPrincipalName)\\n| where GroupName in~ (PrivilegedGroups)\\n// If you don\u0027t want to alert for operations from PIM, remove below filtering for MS-PIM.\\n//| where InitiatedByDisplayName != \\\"MS-PIM\\\"\\n| project TimeGenerated, AADOperationType, Category, OperationName, AADTenantId, AppId, InitiatedByDisplayName, ServicePrincipalId, ServicePrincipalName, DisplayName, GroupName, UserId, UserIPAddress, UserRoles, UserPrincipalName, TargetUserPrincipalName\\n| extend AccountCustomEntity = case(isnotempty(ServicePrincipalName), ServicePrincipalName, isnotempty(ServicePrincipalId), ServicePrincipalId, isnotempty(UserPrincipalName), UserPrincipalName, \\\"not available\\\")\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUserPrincipalName\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"NRT User added to Azure Active Directory Privileged Groups\",\"description\":\"This will alert when a user is added to any of the Privileged Groups.\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\\nFor Administrator role permissions in Azure Active Directory please see https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles\",\"lastUpdatedDateUTC\":\"2022-03-24T00:00:00Z\",\"createdDateUTC\":\"2020-07-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5239248b-abfb-4c6a-8177-b104ade5db56\",\"name\":\"5239248b-abfb-4c6a-8177-b104ade5db56\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"let RunCommandData = materialize ( AzureActivity\\n// Isolate run command actions\\n| where OperationNameValue == \\\"MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION\\\"\\n// Confirm that the operation impacted a virtual machine\\n| where Authorization has \\\"virtualMachines\\\"\\n// Each runcommand operation consists of three events when successful, StartTimeed, Accepted (or Rejected), Successful (or Failed).\\n| summarize StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), max(CallerIpAddress), make_list(ActivityStatusValue) by CorrelationId, Authorization, Caller\\n// Limit to Run Command executions that Succeeded\\n| where list_ActivityStatusValue has \\\"Success\\\"\\n// Extract data from the Authorization field, allowing us to later extract the Caller (UPN) and CallerIpAddress\\n| extend Authorization_d = parse_json(Authorization)\\n| extend Scope = Authorization_d.scope\\n| extend Scope_s = split(Scope, \\\"/\\\")\\n| extend Subscription = tostring(Scope_s[2])\\n| extend VirtualMachineName = tostring(Scope_s[-1])\\n| project StartTime, EndTime, Subscription, VirtualMachineName, CorrelationId, Caller, CallerIpAddress=max_CallerIpAddress\\n| join kind=leftouter (\\n DeviceFileEvents\\n | where InitiatingProcessFileName == \\\"RunCommandExtension.exe\\\"\\n | extend VirtualMachineName = tostring(split(DeviceName, \\\".\\\")[0])\\n | project VirtualMachineName, PowershellFileCreatedTimestamp=TimeGenerated, FileName, FileSize, InitiatingProcessAccountName, InitiatingProcessAccountDomain, InitiatingProcessFolderPath, InitiatingProcessId\\n) on VirtualMachineName\\n// We need to filter by time sadly, this is the only way to link events\\n| where PowershellFileCreatedTimestamp between (StartTime .. EndTime)\\n| project StartTime, EndTime, PowershellFileCreatedTimestamp, VirtualMachineName, Caller, CallerIpAddress, FileName, FileSize, InitiatingProcessId, InitiatingProcessAccountDomain, InitiatingProcessFolderPath\\n| join kind=inner(\\n DeviceEvents\\n | extend VirtualMachineName = tostring(split(DeviceName, \\\".\\\")[0])\\n | where InitiatingProcessCommandLine has \\\"-File\\\"\\n // Extract the script name based on the structure used by the RunCommand extension\\n | extend PowershellFileName = extract(@\\\"\\\\-File\\\\s(script[0-9]{1,9}\\\\.ps1)\\\", 1, InitiatingProcessCommandLine)\\n // Discard results that didn\u0027t successfully extract, these are not run command related\\n | where isnotempty(PowershellFileName)\\n | extend PSCommand = tostring(parse_json(AdditionalFields).Command)\\n // The first execution of PowerShell will be the RunCommand script itself, we can discard this as it will break our hash later\\n | where PSCommand != PowershellFileName \\n // Now we normalise the cmdlets, we\u0027re aiming to hash them to find scripts using rare combinations\\n | extend PSCommand = toupper(PSCommand)\\n | order by PSCommand asc\\n | summarize PowershellExecStartTime=min(TimeGenerated), PowershellExecEnd=max(TimeGenerated), make_list(PSCommand) by PowershellFileName, InitiatingProcessCommandLine\\n) on $left.FileName == $right.PowershellFileName\\n| project StartTime, EndTime, PowershellFileCreatedTimestamp, PowershellExecStartTime, PowershellExecEnd, PowershellFileName, PowershellScriptCommands=list_PSCommand, Caller, CallerIpAddress, InitiatingProcessCommandLine, PowershellFileSize=FileSize, VirtualMachineName\\n| order by StartTime asc \\n// We generate the hash based on the cmdlets called and the size of the powershell script\\n| extend TempFingerprintString = strcat(PowershellScriptCommands, PowershellFileSize)\\n| extend ScriptFingerprintHash = hash_sha256(tostring(PowershellScriptCommands)));\\nlet totals = toscalar (RunCommandData\\n| summarize count());\\nlet hashTotals = RunCommandData\\n| summarize HashCount=count() by ScriptFingerprintHash;\\nRunCommandData\\n| join kind=leftouter (\\nhashTotals\\n) on ScriptFingerprintHash\\n// Calculate prevalence, while we don\u0027t need this, it may be useful for responders to know how rare this script is in relation to normal activity\\n| extend Prevalence = toreal(HashCount) / toreal(totals) * 100\\n// Where the hash was only ever seen once.\\n| where HashCount == 1\\n| extend timestamp = StartTime, IPCustomEntity=CallerIpAddress, AccountCustomEntity=Caller, HostCustomEntity=VirtualMachineName\\n| project timestamp, StartTime, EndTime, PowershellFileName, VirtualMachineName, Caller, CallerIpAddress, PowershellScriptCommands, PowershellFileSize, ScriptFingerprintHash, Prevalence, IPCustomEntity, AccountCustomEntity, HostCustomEntity\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"LateralMovement\",\"Execution\"],\"displayName\":\"Azure VM Run Command operations executing a unique PowerShell script\",\"description\":\"Identifies when Azure Run command is used to execute a PowerShell script on a VM that is unique.\\nThe uniqueness of the PowerShell script is determined by taking a combined hash of the cmdLets it imports\\nand the file size of the PowerShell script. Alerts from this detection indicate a unique PowerShell was executed\\nin your environment.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-10-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\",\"DeviceEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f15370f4-c6fa-42c5-9be4-1d308f40284e\",\"name\":\"f15370f4-c6fa-42c5-9be4-1d308f40284e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.2\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n OfficeActivity\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(ClientIP)\\n | extend ClientIPValues = extract_all(@\u0027\\\\[?(::ffff:)?(?P\u003cIPAddress\u003e(\\\\d+\\\\.\\\\d+\\\\.\\\\d+\\\\.\\\\d+)|[^\\\\]%]+)(%\\\\d+)?\\\\]?([-:](?P\u003cPort\u003e\\\\d+))?\u0027, dynamic([\\\"IPAddress\\\", \\\"Port\\\"]), ClientIP)[0]\\n | extend IPAddress = tostring(ClientIPValues[0])\\n // renaming time column so it is clear the log this came from\\n | extend OfficeActivity_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.IPAddress\\n| where OfficeActivity_TimeGenerated \u003c ExpirationDateTime\\n| summarize OfficeActivity_TimeGenerated = arg_max(OfficeActivity_TimeGenerated, *) by IndicatorId\\n| project OfficeActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, ClientIP, UserId, Operation, ResultStatus, RecordType, OfficeObjectId, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = OfficeActivity_TimeGenerated, IPCustomEntity = TI_ipEntity, AccountCustomEntity = UserId, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to OfficeActivity\",\"description\":\"Identifies a match in OfficeActivity from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a4ce20ae-a2e4-4d50-b40d-d49f1353b6cc\",\"name\":\"a4ce20ae-a2e4-4d50-b40d-d49f1353b6cc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"// Extracts plaintext IPv4 addresses\\nlet ipv4_plaintext_extraction_regex = @\\\"((?:(?:[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])(?:\\\\.)){3}(?:[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]){1,3})\\\";\\n// Identified base64 encoded IPv4 addresses\\nlet ipv4_encoded_identification_regex = @\\\"\\\\=([a-zA-Z0-9\\\\/\\\\+]*(?:(?:MC|Au|wL|MS|Eu|xL|Mi|Iu|yL|My|Mu|zL|NC|Qu|0L|NS|Uu|1L|Ni|Yu|2L|Ny|cu|3L|OC|gu|4L|OS|ku|5L){1}[a-zA-Z0-9\\\\/\\\\+]{2,4}){3}[a-zA-Z0-9\\\\/\\\\+\\\\=]*)\\\";\\n// Extractes IPv4 addresses as hex values\\nlet ipv4_decoded_hex_extract = @\\\"((?:(?:61|62|63|64|65|66|67|68|69|6a|6b|6c|6d|6e|6f|70|71|72|73|74|75|76|77|78|79|7a|41|42|43|44|45|46|47|48|49|4a|4b|4c|4d|4e|4f|50|51|52|53|54|55|56|57|58|59|5a|2f|2b|3d),){7,15})\\\";\\nCommonSecurityLog\\n| where isnotempty(RequestURL)\\n// Identify requests with encoded IPv4 addresses\\n| where RequestURL matches regex ipv4_encoded_identification_regex\\n| project TimeGenerated, RequestURL\\n// Extract IP candidates in their base64 encoded format, significantly reducing the dataset\\n| extend extracted_encoded_ip_candidate = extract_all(ipv4_encoded_identification_regex, RequestURL)\\n// We could have more than one candidate, expand them out\\n| mv-expand extracted_encoded_ip_candidate to typeof(string)\\n| summarize Start=min(TimeGenerated), End=max(TimeGenerated), make_set(RequestURL) by extracted_encoded_ip_candidate\\n// Pad if we need to\\n| extend extracted_encoded_ip_candidate = iff(strlen(extracted_encoded_ip_candidate) % 2 == 0, extracted_encoded_ip_candidate, strcat(extracted_encoded_ip_candidate, \\\"=\\\"))\\n// Now decode the candidate to a long array, we cannot go straight to string as it cannot handle non-UTF8, we need to strip that first\\n| extend extracted_encoded_ip_candidate = tostring(base64_decode_toarray(extracted_encoded_ip_candidate))\\n// Extract the IP candidates from the array\\n| extend hex_extracted = extract_all(ipv4_decoded_hex_extract, extracted_encoded_ip_candidate)\\n// Expand, it\u0027s still possible that we might have more than 1 IP\\n| mv-expand hex_extracted\\n// Now we should have a clean string. We need to put it back into a dynamic array to convert back to a string.\\n| extend hex_extracted = trim_end(\\\",\\\", tostring(hex_extracted))\\n| extend hex_extracted = strcat(\\\"[\\\",hex_extracted,\\\"]\\\")\\n| extend hex_extracted = todynamic(hex_extracted)\\n| extend extracted_encoded_ip_candidate = todynamic(extracted_encoded_ip_candidate)\\n// Convert the array back into a string\\n| extend decoded_ip_candidate = make_string(hex_extracted)\\n| summarize by decoded_ip_candidate, tostring(set_RequestURL), Start, End\\n// Now the IP candidates will be in plaintext, extract the IPs using a regex\\n| extend ipmatch = extract_all(ipv4_plaintext_extraction_regex, decoded_ip_candidate)\\n// If it\u0027s not an IP, throw it out\\n| where isnotnull(ipmatch)\\n| mv-expand ipmatch to typeof(string)\\n// Join with DeviceNetworkEvents to find instances where an IP of a machine in our MDE estate sent it\u0027s IP in a base64 encoded string\\n| join (\\n DeviceNetworkEvents\\n | summarize make_set(DeviceId), make_set(DeviceName) by RemoteIP\\n) on $left.ipmatch == $right.RemoteIP\\n| project Start, End, IPmatch=ipmatch, RequestURL=set_RequestURL, DeviceNames=set_DeviceName, DeviceIds=set_DeviceId, RemoteIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPmatch\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"DeviceNames\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"RequestURL\"}]}],\"tactics\":[\"Exfiltration\",\"CommandAndControl\"],\"displayName\":\"IP address of Windows host encoded in web request\",\"description\":\"This detection will identify network requests in HTTP proxy data that contains Base64 encoded IP addresses. After identifying candidates the query\\njoins with DeviceNetworkEvents to idnetify any machine within the network using that IP address. Alerts indicate that the IP address of a machine\\nwithin your network was seen with it\u0027s IP address base64 encoded in an outbounf web request. This method of egressing the IP was seen used in POLONIUM\u0027s\\nRunningRAT tool, however the detection is generic.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2022-05-31T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cbf6ad48-fa5c-4bf7-b205-28dbadb91255\",\"name\":\"cbf6ad48-fa5c-4bf7-b205-28dbadb91255\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let procList = externaldata(Process:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Microsoft_Lolbas_Execution_Binaries.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nEvent\\n| where EventLog == \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID==1\\n| parse EventData with * \u0027Image\\\"\u003e\u0027 Image \\\"\u003c\\\" * \u0027OriginalFileName\\\"\u003e\u0027 OriginalFileName \\\"\u003c\\\" *\\n| where OriginalFileName has_any (procList) and not (Image has_any (procList))\\n| parse EventData with * \u0027ProcessGuid\\\"\u003e\u0027 ProcessGuid \\\"\u003c\\\" * \u0027Description\\\"\u003e\u0027 Description \\\"\u003c\\\" * \u0027CommandLine\\\"\u003e\u0027 CommandLine \\\"\u003c\\\" * \u0027CurrentDirectory\\\"\u003e\u0027 CurrentDirectory \\\"\u003c\\\" * \u0027User\\\"\u003e\u0027 User \\\"\u003c\\\" * \u0027LogonGuid\\\"\u003e\u0027 LogonGuid \\\"\u003c\\\" * \u0027Hashes\\\"\u003e\u0027 Hashes \\\"\u003c\\\" * \u0027ParentProcessGuid\\\"\u003e\u0027 ParentProcessGuid \\\"\u003c\\\" * \u0027ParentImage\\\"\u003e\u0027 ParentImage \\\"\u003c\\\" * \u0027ParentCommandLine\\\"\u003e\u0027 ParentCommandLine \\\"\u003c\\\" * \u0027ParentUser\\\"\u003e\u0027 ParentUser \\\"\u003c\\\" *\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, User, ParentImage, ParentProcessGuid, ParentCommandLine, ParentUser, Image, ProcessGuid, CommandLine, Description, OriginalFileName, CurrentDirectory, Hashes\",\"entityMappings\":[{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLine\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"User\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"Windows Binaries Lolbins Renamed\",\"description\":\"This query detects the execution of renamed Windows binaries (Lolbins). This is a common technique used by adversaries to evade detection. \\nRef: https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-analytics-alert-reference/cortex-xdr-analytics-alert-reference/execution-of-renamed-lolbin.html\",\"lastUpdatedDateUTC\":\"2022-03-11T00:00:00Z\",\"createdDateUTC\":\"2022-03-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3a9d5ede-2b9d-43a2-acc4-d272321ff77c\",\"name\":\"3a9d5ede-2b9d-43a2-acc4-d272321ff77c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet timeframe = 1d;\\nlet scorethreshold = 3;\\nlet baselinethreshold = 50;\\nlet aadFunc = (tableName:string){\\n // Failed Signins attempts with reasoning related to conditional access policies.\\n table(tableName)\\n | where TimeGenerated between (startofday(ago(starttime))..startofday(now()))\\n | where ResultDescription has_any (\\\"conditional access\\\", \\\"CA\\\") or ResultType in (50005, 50131, 53000, 53001, 53002, 52003, 70044)\\n | extend UserPrincipalName = tolower(UserPrincipalName)\\n | extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nlet allSignins = union isfuzzy=true aadSignin, aadNonInt;\\nlet TimeSeriesAlerts = \\nallSignins\\n| make-series DailyCount=count() on TimeGenerated from startofday(ago(starttime)) to startofday(now()) step 1d by UserPrincipalName\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(DailyCount, scorethreshold, -1, \u0027linefit\u0027)\\n| mv-expand DailyCount to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to typeof(double), baseline to typeof(long)\\n// Filtering low count events per baselinethreshold\\n| where anomalies \u003e 0 and baseline \u003e baselinethreshold\\n| extend AnomalyHour = TimeGenerated\\n| project UserPrincipalName, AnomalyHour, TimeGenerated, DailyCount, baseline, anomalies, score;\\n// Filter the alerts for specified timeframe\\nTimeSeriesAlerts\\n| where TimeGenerated \u003e startofday(ago(timeframe))\\n| join kind=inner ( \\n allSignins\\n | where TimeGenerated \u003e startofday(ago(timeframe))\\n // create a new column and round to hour\\n | extend DateHour = bin(TimeGenerated, 1h)\\n | summarize PartialFailedSignins = count(), LatestAnomalyTime = arg_max(TimeGenerated, *) by bin(TimeGenerated, 1h), OperationName, Category, ResultType, ResultDescription, UserPrincipalName, UserDisplayName, AppDisplayName, ClientAppUsed, IPAddress, ResourceDisplayName\\n) on UserPrincipalName, $left.AnomalyHour == $right.DateHour\\n| project LatestAnomalyTime, OperationName, Category, UserPrincipalName, UserDisplayName, ResultType, ResultDescription, AppDisplayName, ClientAppUsed, UserAgent, IPAddress, Location, AuthenticationRequirement, ConditionalAccessStatus, ResourceDisplayName, PartialFailedSignins, TotalFailedSignins = DailyCount, baseline, anomalies, score\\n| extend timestamp = LatestAnomalyTime, IPCustomEntity = IPAddress, AccountCustomEntity = UserPrincipalName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"User Accounts - Sign in Failure due to CA Spikes\",\"description\":\" Identifies spike in failed sign-ins from user accounts due to conditional access policied.\\nSpike is determined based on Time series anomaly which will look at historical baseline values.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-10-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b6d03b88-4d27-49a2-9c1c-29f1ad2842dc\",\"name\":\"b6d03b88-4d27-49a2-9c1c-29f1ad2842dc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let oneDriveCalls = dynamic([\u0027graph.microsoft.com/v1.0/me/drive/root:/Documents/data.txt:/content\u0027,\u0027graph.microsoft.com/v1.0/me/drive/root:/Documents/response.json:/content\u0027]);\\nlet oneDriveCallsRegex = dynamic([@\u0027graph\\\\.microsoft\\\\.com\\\\/v1\\\\.0\\\\/me\\\\/drive\\\\/root\\\\:\\\\/Uploaded\\\\/.*\\\\:\\\\/content\u0027,@\u0027graph\\\\.microsoft\\\\.com\\\\/v1\\\\.0\\\\/me\\\\/drive\\\\/root\\\\:\\\\/Downloaded\\\\/.*\\\\:\\\\/content\u0027]);\\nCommonSecurityLog\\n| where RequestURL has_any (oneDriveCalls) or RequestURL matches regex tostring(oneDriveCallsRegex[0]) or RequestURL matches regex tostring(oneDriveCallsRegex[1])\\n| project TimeGenerated, DeviceVendor, DeviceProduct, DeviceAction, DestinationDnsDomain, DestinationIP, RequestURL, SourceIP, SourceHostName, RequestClientApplication\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"SourceHostName\"}]}],\"tactics\":[\"Exfiltration\",\"CommandAndControl\"],\"displayName\":\"CreepyDrive URLs\",\"description\":\"CreepyDrive uses OneDrive for command and control. This detection identifies URLs specific to CreepyDrive.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2022-05-31T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/011c84d8-85f0-4370-b864-24c13455aa94\",\"name\":\"011c84d8-85f0-4370-b864-24c13455aa94\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"SecurityAlert\\n| extend Extprop = parse_json(ExtendedProperties)\\n| extend Computer = iff(isnotempty(toupper(tostring(Extprop[\\\"Compromised Host\\\"]))), toupper(tostring(Extprop[\\\"Compromised Host\\\"])), tostring(parse_json(Entities)[0].HostName))\\n| extend Account = iff(isnotempty(tolower(tostring(Extprop[\\\"User Name\\\"]))), tolower(tostring(Extprop[\\\"User Name\\\"])), tolower(tostring(Extprop[\\\"user name\\\"])))\\n| extend IpAddress = tostring(parse_json(ExtendedProperties).[\\\"IpAddress\\\"]) \\n| project TimeGenerated, AlertName, Computer, Account, IpAddress, ExtendedProperties\\n| extend timestamp = TimeGenerated, Account, MachineName = Computer, IpAddress\\n| join kind=inner\\n(\\nCoreAzureBackup\\n| where State =~ \\\"Deleted\\\"\\n| where OperationName =~ \\\"BackupItem\\\"\\n| extend data = split(BackupItemUniqueId, \\\";\\\")\\n| extend AzureLocation = data[0], VaultId=data[1], MachineName=data[2], DrivesBackedUp=data[3]\\n| project timestamp = TimeGenerated, AzureLocation, VaultId, tostring(MachineName), DrivesBackedUp, State, BackupItemUniqueId, _ResourceId, OperationName, BackupItemFriendlyName\\n)\\non MachineName\\n| project timestamp, AlertName, HostCustomEntity = MachineName, AccountCustomEntity = Account, ResourceCustomEntity = _ResourceId, IPCustomEntity = IpAddress, VaultId, AzureLocation, DrivesBackedUp, State, BackupItemUniqueId, OperationName, BackupItemFriendlyName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"CoreBackUp Deletion in correlation with other related security alerts\",\"description\":\"This query will help detect attackers attempt to delete backup containers in correlation with other alerts that could have triggered to help possibly reveal more details of attacker activity. \\nThough such an activity could be legitimate as part of business operation, some ransomware actors may perform such operation to cause interruption to regular business services.\",\"lastUpdatedDateUTC\":\"2021-11-05T00:00:00Z\",\"createdDateUTC\":\"2021-11-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1218175f-c534-421c-8070-5dcaabf28067\",\"name\":\"1218175f-c534-421c-8070-5dcaabf28067\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let threshold = 3; \\nZoomLogs \\n| where Event =~ \\\"chat_message.sent\\\" \\n| extend Channel = tostring(parse_json(ChatEvents).Channel) \\n| extend Message = tostring(parse_json(ChatEvents).Message) \\n| where Message matches regex \\\"http(s?):\\\\\\\\/\\\\\\\\/\\\" \\n| summarize Channels = makeset(Channel), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Message, User, UserId\\n| extend ChannelCount = arraylength(Channels) \\n| where ChannelCount \u003e threshold\\n| extend timestamp = StartTime, AccountCustomEntity = User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\",\"Persistence\"],\"displayName\":\"Suspicious link sharing pattern\",\"description\":\"Alerts in links that have been shared across multiple Zoom chat channels by the same user in a short space if time. \\nAdjust the threshold figure to change the number of channels a message needs to be posted in before an alert is raised.\",\"lastUpdatedDateUTC\":\"2022-01-16T00:00:00Z\",\"createdDateUTC\":\"2020-04-24T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0d76e9cf-788d-4a69-ac7d-f234826b5bed\",\"name\":\"0d76e9cf-788d-4a69-ac7d-f234826b5bed\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"DnsEvents\\n| where Name contains \\\".\\\"\\n| where Name has_any (\\\"monerohash.com\\\", \\\"do-dear.com\\\", \\\"xmrminerpro.com\\\", \\\"secumine.net\\\", \\\"xmrpool.com\\\", \\\"minexmr.org\\\", \\\"hashanywhere.com\\\", \\n\\\"xmrget.com\\\", \\\"mininglottery.eu\\\", \\\"minergate.com\\\", \\\"moriaxmr.com\\\", \\\"multipooler.com\\\", \\\"moneropools.com\\\", \\\"xmrpool.eu\\\", \\\"coolmining.club\\\", \\n\\\"supportxmr.com\\\", \\\"minexmr.com\\\", \\\"hashvault.pro\\\", \\\"xmrpool.net\\\", \\\"crypto-pool.fr\\\", \\\"xmr.pt\\\", \\\"miner.rocks\\\", \\\"walpool.com\\\", \\\"herominers.com\\\", \\n\\\"gntl.co.uk\\\", \\\"semipool.com\\\", \\\"coinfoundry.org\\\", \\\"cryptoknight.cc\\\", \\\"fairhash.org\\\", \\\"baikalmine.com\\\", \\\"tubepool.xyz\\\", \\\"fairpool.xyz\\\", \\\"asiapool.io\\\", \\n\\\"coinpoolit.webhop.me\\\", \\\"nanopool.org\\\", \\\"moneropool.com\\\", \\\"miner.center\\\", \\\"prohash.net\\\", \\\"poolto.be\\\", \\\"cryptoescrow.eu\\\", \\\"monerominers.net\\\", \\\"cryptonotepool.org\\\", \\n\\\"extrmepool.org\\\", \\\"webcoin.me\\\", \\\"kippo.eu\\\", \\\"hashinvest.ws\\\", \\\"monero.farm\\\", \\\"supportxmr.com\\\", \\\"xmrpool.eu\\\", \\\"linux-repository-updates.com\\\", \\\"1gh.com\\\", \\n\\\"dwarfpool.com\\\", \\\"hash-to-coins.com\\\", \\\"hashvault.pro\\\", \\\"pool-proxy.com\\\", \\\"hashfor.cash\\\", \\\"fairpool.cloud\\\", \\\"litecoinpool.org\\\", \\\"mineshaft.ml\\\", \\\"abcxyz.stream\\\", \\n\\\"moneropool.ru\\\", \\\"cryptonotepool.org.uk\\\", \\\"extremepool.org\\\", \\\"extremehash.com\\\", \\\"hashinvest.net\\\", \\\"unipool.pro\\\", \\\"crypto-pools.org\\\", \\\"monero.net\\\", \\n\\\"backup-pool.com\\\", \\\"mooo.com\\\", \\\"freeyy.me\\\", \\\"cryptonight.net\\\", \\\"shscrypto.net\\\")\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"DNS events related to mining pools\",\"description\":\"Identifies IP addresses that may be performing DNS lookups associated with common currency mining pools.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/95a15f39-d9cc-4667-8cdd-58f3113691c9\",\"name\":\"95a15f39-d9cc-4667-8cdd-58f3113691c9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let lookback = 14d;\\nlet timeframe = 1d;\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e ago(lookback) and TimeGenerated \u003c ago(timeframe)\\n| where EventID == 4688\\n| where ParentProcessName has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| join kind=rightanti (\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where ParentProcessName has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| where EventID == 4688) on NewProcessName\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress\\n),\\n(WindowsEvent\\n| where TimeGenerated \u003e ago(lookback) and TimeGenerated \u003c ago(timeframe)\\n| where EventID == 4688 and EventData has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| where ParentProcessName has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| join kind=rightanti (\\nWindowsEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where EventID == 4688 and EventData has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| where ParentProcessName has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend IpAddress = tostring(EventData.IpAddress)) on NewProcessName\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress\\n))\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"HAFNIUM New UM Service Child Process\",\"description\":\"This query looks for new processes being spawned by the Exchange UM service where that process has not previously been observed before. \\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-03-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f845881e-2500-44dc-8ed7-b372af3e1e25\",\"name\":\"f845881e-2500-44dc-8ed7-b372af3e1e25\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let short_uaLength = 5;\\nlet long_uaLength = 1000;\\nlet c_threshold = 100;\\nW3CIISLog \\n// Exclude local IPs as these create noise\\n| where cIP !startswith \\\"192.168.\\\" and cIP != \\\"::1\\\"\\n| where isnotempty(csUserAgent) and csUserAgent !in~ (\\\"-\\\", \\\"MSRPC\\\") and (string_size(csUserAgent) \u003c= short_uaLength or string_size(csUserAgent) \u003e= long_uaLength)\\n| extend csUserAgent_size = string_size(csUserAgent)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ConnectionCount = count() by Computer, sSiteName, sPort, csUserAgent, csUserAgent_size, csUserName , csMethod, csUriStem, sIP, cIP, scStatus, scSubStatus, scWin32Status\\n| where ConnectionCount \u003c c_threshold\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = csUserName, HostCustomEntity = Computer, IPCustomEntity = cIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Anomalous User Agent connection attempt\",\"description\":\"Identifies connection attempts (success or fail) from clients with very short or very long User Agent strings and with less than 100 connection attempts.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a2e36ce0-da4d-4b6e-88c6-4e40161c5bfc\",\"name\":\"a2e36ce0-da4d-4b6e-88c6-4e40161c5bfc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.2\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @\u0027^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$\u0027;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n SecurityAlert \\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | extend MSTI = case(AlertName has \\\"TI map\\\" and VendorName == \\\"Microsoft\\\" and ProductName == \u0027Azure Sentinel\u0027, true, false)\\n | where MSTI == false\\n // Converting Entities into dynamic data type and use mv-expand to unpack the array\\n | extend EntitiesDynamicArray = parse_json(Entities) | mv-expand EntitiesDynamicArray\\n // Parsing relevant entity column to filter type account and creating new column by combining account and UPNSuffix\\n | extend Entitytype = tostring(parse_json(EntitiesDynamicArray).Type), EntityName = tostring(parse_json(EntitiesDynamicArray).Name),\\n EntityUPNSuffix = tostring(parse_json(EntitiesDynamicArray).UPNSuffix)\\n | where Entitytype =~ \\\"account\\\"\\n | extend EntityEmail = tolower(strcat(EntityName, \\\"@\\\", EntityUPNSuffix))\\n | where EntityEmail matches regex emailregex\\n | extend Alert_TimeGenerated = TimeGenerated\\n)\\non $left.EmailSenderAddress == $right.EntityEmail\\n| where Alert_TimeGenerated \u003c ExpirationDateTime\\n| summarize Alert_TimeGenerated = arg_max(Alert_TimeGenerated, *) by IndicatorId, AlertName\\n| project Alert_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, \\nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, EntityEmail, AlertName, AlertType,\\nAlertSeverity, Entities, ProviderName, VendorName\\n| extend timestamp = Alert_TimeGenerated, AccountCustomEntity = EntityEmail, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map Email entity to SecurityAlert\",\"description\":\"Identifies a match in SecurityAlert table from any Email IOC from TI which will extend coverage to datatypes such as MCAS, StorageThreatProtection and many others\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c9b6d281-b96b-4763-b728-9a04b9fe1246\",\"name\":\"c9b6d281-b96b-4763-b728-9a04b9fe1246\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let lbtime = 10m;\\nCisco_Umbrella\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027proxylogs\u0027\\n| where DvcAction =~ \u0027Allowed\u0027\\n| where UrlCategory has_any (\u0027Dynamic and Residential\u0027, \u0027Personal VPN\u0027)\\n| project TimeGenerated, SrcIpAddr, Identities\\n| extend IPCustomEntity = SrcIpAddr\\n| extend AccountCustomEntity = Identities\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"Exfiltration\"],\"displayName\":\"Cisco Umbrella - Connection to non-corporate private network\",\"description\":\"IP addresses of broadband links that usually indicates users attempting to access their home network, for example for a remote session to a home computer.\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/631d02df-ab51-46c1-8d72-32d0cfec0720\",\"name\":\"631d02df-ab51-46c1-8d72-32d0cfec0720\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Medium\",\"query\":\"let excludeProcs = dynamic([@\\\"\\\\SolarWinds\\\\Orion\\\\APM\\\\APMServiceControl.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\ExportToPDFCmd.Exe\\\", @\\\"\\\\SolarWinds.Credentials\\\\SolarWinds.Credentials.Orion.WebApi.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\Topology\\\\SolarWinds.Orion.Topology.Calculator.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\Database-Maint.exe\\\", @\\\"\\\\SolarWinds.Orion.ApiPoller.Service\\\\SolarWinds.Orion.ApiPoller.Service.exe\\\", @\\\"\\\\Windows\\\\SysWOW64\\\\WerFault.exe\\\"]);\\nimProcessCreate\\n| where Process hassuffix \u0027solarwinds.businesslayerhost.exe\u0027\\n| where not(Process has_any (excludeProcs))\\n| extend\\n timestamp = TimeGenerated,\\n AccountCustomEntity = ActorUsername,\\n HostCustomEntity = User,\\n AlgorithmCustomEntity = \\\"MD5\\\",\\n FileHashCustomEntity = TargetProcessMD5 // Change to *hash* once implemented\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Execution\",\"Persistence\"],\"displayName\":\"SUNBURST suspicious SolarWinds child processes (Normalized Process Events)\",\"description\":\"Identifies suspicious child processes of SolarWinds.Orion.Core.BusinessLayer.dll that may be evidence of the SUNBURST backdoor\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimProcessEvent)\",\"lastUpdatedDateUTC\":\"2022-02-14T00:00:00Z\",\"createdDateUTC\":\"2020-12-15T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0bd65651-1404-438b-8f63-eecddcec87b4\",\"name\":\"0bd65651-1404-438b-8f63-eecddcec87b4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\n// Adjust for a longer timeframe for identifying ADFS Servers\\nlet lookback = 6d;\\n// Identify ADFS Servers\\nlet ADFS_Servers = ( union isfuzzy=true\\n( Event\\n| where TimeGenerated \u003e ago(timeframe+lookback)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key=tostring([\u0027@Name\u0027]), Value=[\u0027#text\u0027]\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| extend process = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n| where process =~ \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n),\\n( SecurityEvent\\n| where TimeGenerated \u003e ago(timeframe+lookback)\\n| where EventID == 4688 and SubjectLogonId != \\\"0x3e4\\\"\\n| where ProcessName has \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n),\\n(WindowsEvent\\n| where TimeGenerated \u003e ago(timeframe+lookback)\\n| where EventID == 4688 and EventData has \\\"0x3e4\\\" and EventData has \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| extend SubjectLogonId = tostring(EventData.SubjectLogonId)\\n| where SubjectLogonId != \\\"0x3e4\\\"\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| where ProcessName has \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n)\\n| distinct Computer);\\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where EventID == 4688\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Computer in~ (ADFS_Servers)\\n| where ParentProcessName has \u0027wmiprvse.exe\u0027\\n// Looking for rundll32.exe is based on intel from the blog linked in the description\\n// This can be commented out or altered to filter out known internal uses\\n| where CommandLine has_any (\u0027rundll32\u0027) \\n| project TimeGenerated, TargetAccount, CommandLine, Computer, Account, TargetLogonId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account\\n// Search for recent logons to identify lateral movement\\n| join kind= inner\\n(SecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where EventID == 4624 and LogonType == 3\\n| where Account !endswith \\\"$\\\"\\n| project TargetLogonId\\n) on TargetLogonId\\n),\\n(\\nWindowsEvent\\n| where EventID == 4688\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Computer in~ (ADFS_Servers)\\n| where EventData has \u0027wmiprvse.exe\u0027 and EventData has_any (\u0027rundll32\u0027) \\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| where ParentProcessName has \u0027wmiprvse.exe\u0027\\n// Looking for rundll32.exe is based on intel from the blog linked in the description\\n// This can be commented out or altered to filter out known internal uses\\n| extend CommandLine = tostring(EventData.CommandLine)\\n| where CommandLine has_any (\u0027rundll32\u0027) \\n| extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| extend Account = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| extend TargetLogonId = tostring(EventData.TargetLogonId)\\n| project TimeGenerated, TargetAccount, CommandLine, Computer, Account, TargetLogonId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account\\n// Search for recent logons to identify lateral movement\\n| join kind= inner\\n(WindowsEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where EventID == 4624 \\n| extend LogonType = tostring(EventData.LogonType)\\n| where LogonType == 3\\n| extend Account = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| where Account !endswith \\\"$\\\"\\n| extend TargetLogonId = tostring(EventData.TargetLogonId)\\n| project TargetLogonId\\n) on TargetLogonId\\n),\\n(\\nEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n// Check for WMI Events\\n| where Computer in~ (ADFS_Servers) and EventID in (19, 20, 21)\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key=tostring([\u0027@Name\u0027]), Value=[\u0027#text\u0027]\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| project TimeGenerated, EventType, Image, Computer, UserName\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = UserName\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"LateralMovement\"],\"displayName\":\"Gain Code Execution on ADFS Server via Remote WMI Execution\",\"description\":\"This query detects instances where an attacker has gained the ability to execute code on an ADFS Server through remote WMI Execution.\\nIn order to use this query you need to be collecting Sysmon EventIDs 19, 20, and 21.\\nIf you do not have Sysmon data in your workspace this query will raise an error stating:\\n Failed to resolve scalar expression named \\\"[@Name]\\\"\\nFor more on how WMI was used in Solorigate see https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/.\\nThe query contains some features from the following detections to look for potentially malicious ADFS activity. See them for more details.\\n- ADFS Key Export (Sysmon): https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/ADFSKeyExportSysmon.yaml\\n- ADFS DKM Master Key Export: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ADFS-DKM-MasterKey-Export.yaml\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-02-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3d71fc38-f249-454e-8479-0a358382ef9a\",\"name\":\"3d71fc38-f249-454e-8479-0a358382ef9a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"SecurityNestedRecommendation\\n| where RemediationDescription has \u0027CVE-2021-44228\u0027\\n| parse ResourceDetails with * \u0027virtualMachines/\u0027 VirtualMAchine \u0027\\\"\u0027 *\\n| summarize arg_min(TimeGenerated, *) by TenantId, RecommendationSubscriptionId, VirtualMAchine, RecommendationName,Description,RemediationDescription, tostring(AdditionalData),VulnerabilityId\\n| extend Timestamp = TimeGenerated, HostCustomEntity = VirtualMAchine\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"Execution\"],\"displayName\":\"Vulnerable Machines related to log4j CVE-2021-44228\",\"description\":\"This query uses the Azure Defender Security Nested Recommendations data to find machines vulnerable to log4j CVE-2021-44228. Log4j is an open-source Apache logging library that is used in \\n many Java-based applications. Security Nested Recommendations data is sent to Microsoft Sentinel using the continuous export feature of Azure Defender(refrence link below).\\n Reference: https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/\\n Reference: https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal\\n Reference: https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/how-defender-for-cloud-displays-machines-affected-by-log4j/ba-p/3037271\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-09-17T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a2e0eb51-1f11-461a-999b-cd0ebe5c7a72\",\"name\":\"a2e0eb51-1f11-461a-999b-cd0ebe5c7a72\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Azure Security Center for IoT\",\"displayName\":\"Create incidents based on Microsoft Defender for IOT alerts\",\"description\":\"Create incidents based on all alerts generated in Microsoft Defender for IOT\",\"lastUpdatedDateUTC\":\"2019-12-24T00:00:00Z\",\"createdDateUTC\":\"2019-12-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"IoT\",\"dataTypes\":[\"SecurityAlert (ASC for IoT)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d2e8fd50-8d66-11ec-b909-0242ac120002\",\"name\":\"d2e8fd50-8d66-11ec-b909-0242ac120002\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n | where EventID in (4624,4625) and LogonType in (10) and IpAddress in (\\\"::1\\\",\\\"127.0.0.1\\\")\\n | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, TargetUserName, TargetLogonId, LogonType, IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUserName\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Potential Remote Desktop Tunneling\",\"description\":\"This query detects remote desktop authentication attempts with a localhost source address which can indicate a tunneled login.\\nRef: https://www.mandiant.com/resources/bypassing-network-restrictions-through-rdp-tunneling\",\"lastUpdatedDateUTC\":\"2022-02-15T00:00:00Z\",\"createdDateUTC\":\"2022-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c37711a4-5f44-4472-8afc-0679bc0ef966\",\"name\":\"c37711a4-5f44-4472-8afc-0679bc0ef966\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.1.1\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/FoggyWebIOC.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet sha256Hashes = (iocs | where Type == \\\"sha256\\\" | project IoC);\\nlet FilePaths = (iocs | where Type =~ \\\"FilePath\\\" | project IoC);\\nlet POST_URI = (iocs | where Type =~ \\\"URI1\\\" | project IoC);\\nlet GET_URI = (iocs | where Type =~ \\\"URI2\\\" | project IoC);\\n//Include in the list below, the ADFS servers you know about in your environment. In the next part of the query, we will try to identify them for you if you have the telemetry.\\nlet ADFS_Servers1 = datatable(Computer:string)\\n[ \\\"\u003cADFS01\u003e.\u003cDOMAIN\u003e.\u003cCOM\u003e\\\",\\n\\\"\u003cADFS02\u003e.\u003cDOMAIN\u003e.\u003cCOM\u003e\\\"\\n];\\n// Automatically identify potential ADFS services in your environment by searching process event telemetry for \\\"Microsoft.IdentityServer.ServiceHost.exe\\\".\\nlet ADFS_Servers2 = \\n(union isfuzzy=true\\n(SecurityEvent\\n| where EventID == 4688 and SubjectLogonId != \\\"0x3e4\\\"\\n| where ProcessName has \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n),\\n( WindowsEvent\\n| where EventID == 4688 and EventData has \\\"Microsoft.IdentityServer.ServiceHost.exe\\\" and EventData has \\\"0x3e4\\\"\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| where ProcessName == \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| extend SubjectLogonId = tostring(EventData.SubjectLogonId)\\n| where SubjectLogonId != \\\"0x3e4\\\"\\n| distinct Computer\\n),\\n(DeviceProcessEvents\\n| where InitiatingProcessFileName == \u0027Microsoft.IdentityServer.ServiceHost.exe\u0027\\n| extend Computer = DeviceName\\n| distinct Computer\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key=tostring([\u0027@Name\u0027]), Value=[\u0027#text\u0027]\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| extend process = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n| where process =~ \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n)\\n);\\nlet ADFS_Servers =\\nADFS_Servers1\\n| union (ADFS_Servers2 | distinct Computer);\\n(union isfuzzy=true\\n(DeviceNetworkEvents\\n| where DeviceName in (ADFS_Servers)\\n| where isnotempty(InitiatingProcessSHA256) or isnotempty(InitiatingProcessFolderPath)\\n| where InitiatingProcessSHA256 has_any (sha256Hashes) or InitiatingProcessFolderPath has_any (FilePaths)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort, LocalIP, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\" and EventID == \u00277\u0027\\n| where Computer in (ADFS_Servers)\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend ImageLoaded = EventDetail.[5].[\\\"#text\\\"], Hashes = EventDetail.[11].[\\\"#text\\\"]\\n| parse Hashes with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| where ImageLoaded has_any (FilePaths) or SHA256 has_any (sha256Hashes) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256, ImageLoaded, EventID\\n| extend Type = strcat(Type,\\\":\\\",EventID, \\\": \\\", Source), Account = UserName, FileHash = SHA256, Image = EventDetail.[4].[\\\"#text\\\"] \\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, SourceUserID, FileHash, Type\\n| extend timestamp = TimeGenerated, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(DeviceEvents\\n| where DeviceName in (ADFS_Servers)\\n| extend FilePath = strcat(FolderPath, \u0027\\\\\\\\\u0027, FileName)\\n| where InitiatingProcessSHA256 has_any (sha256Hashes) or FilePath has_any (FilePaths)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(DeviceFileEvents\\n| where DeviceName in (ADFS_Servers)\\n| where FolderPath has_any (FilePaths) or SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(DeviceImageLoadEvents\\n| where DeviceName in (ADFS_Servers)\\n| where FolderPath has_any (FilePaths) or SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where Computer in (ADFS_Servers)\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| parse EventDetail with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| where EventDetail has_any (sha256Hashes) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256\\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = SHA256, Image = EventDetail.[4].[\\\"#text\\\"] \\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(W3CIISLog \\n| where ( csMethod == \u0027GET\u0027 and csUriStem has_any (GET_URI)) or (csMethod == \u0027POST\u0027 and csUriStem has_any (POST_URI))\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), cIP_MethodCount = count() \\nby cIP, cIP_MethodCountType = \\\"Count of repeated entries, this is to reduce rowsets returned\\\", csMethod, \\ncsHost, scStatus, sIP, csUriStem, csUriQuery, csUserName, csUserAgent, csCookie, csReferer\\n| extend timestamp = StartTime, IPCustomEntity = cIP, HostCustomEntity = csHost, AccountCustomEntity = csUserName\\n),\\n(imFileEvent\\n| where DvcHostname in (ADFS_Servers)\\n| where TargetFileSHA256 has_any (sha256Hashes) or FilePath has_any (FilePaths)\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]}],\"tactics\":[\"Collection\"],\"displayName\":\"NOBELIUM IOCs related to FoggyWeb backdoor\",\"description\":\"Identifies a match across various data feeds for IOCs related to FoggyWeb backdoor by the threat actor NOBELIUM.\\n FoggyWeb is a passive and highly targeted backdoor capable of remotely exfiltrating sensitive information from a compromised AD FS server.\\n It can also receive additional malicious components from a command-and-control (C2) server and execute them on the compromised server.\\n Reference: https://aka.ms/nobelium-foggy-web\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-09-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceFileEvents\",\"DeviceEvents\",\"DeviceImageLoadEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/61988db3-0565-49b5-b8e3-747195baac6e\",\"name\":\"61988db3-0565-49b5-b8e3-747195baac6e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.2\",\"severity\":\"Medium\",\"query\":\"let procList = dynamic([\\\"cmd.exe\\\",\\\"ftp.exe\\\",\\\"schtasks.exe\\\",\\\"powershell.exe\\\",\\\"rundll32.exe\\\",\\\"regsvr32.exe\\\",\\\"msiexec.exe\\\"]); \\nimProcessCreate\\n| where CommandLine has \\\"recycler\\\"\\n| where Process has_any (procList)\\n| extend FileName = tostring(split(Process, \u0027\\\\\\\\\u0027)[-1])\\n| where FileName in~ (procList)\\n| project StartTimeUtc = TimeGenerated, Dvc, User, Process, FileName, CommandLine, ActingProcessName, EventVendor, EventProduct\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User, HostCustomEntity = Dvc\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Malware in the recycle bin (Normalized Process Events)\",\"description\":\"Identifies malware that has been hidden in the recycle bin.\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimProcessEvent)\",\"lastUpdatedDateUTC\":\"2022-02-23T00:00:00Z\",\"createdDateUTC\":\"2021-06-13T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ec491363-5fe7-4eff-b68e-f42dcb76fcf6\",\"name\":\"ec491363-5fe7-4eff-b68e-f42dcb76fcf6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AzureActivity\\n| where CategoryValue == \u0027Administrative\u0027\\n| where ResourceProviderValue =~ \u0027Microsoft.ADHybridHealthService\u0027\\n| where _ResourceId contains \u0027AdFederationService\u0027\\n| where OperationNameValue =~ \u0027Microsoft.ADHybridHealthService/services/servicemembers/action\u0027\\n| extend claimsJson = parse_json(Claims)\\n| extend AppId = tostring(claimsJson.appid)\\n| extend AccountName = tostring(claimsJson.name)\\n| project-away claimsJson\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Caller\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"CallerIpAddress\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"NRT Azure Active Directory Hybrid Health AD FS New Server\",\"description\":\"This detection uses AzureActivity logs (Administrative category) to identify the creation or update of a server instance in an Azure AD Hybrid health AD FS service.\\nA threat actor can create a new AD Health ADFS service and create a fake server instance to spoof AD FS signing logs. There is no need to compromise an on-prem AD FS server.\\nThis can be done programmatically via HTTP requests to Azure. More information in this blog: https://o365blog.com/post/hybridhealthagent/\",\"lastUpdatedDateUTC\":\"2022-02-07T00:00:00Z\",\"createdDateUTC\":\"2021-08-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/32ffb19e-8ed8-40ed-87a0-1adb4746b7c4\",\"name\":\"32ffb19e-8ed8-40ed-87a0-1adb4746b7c4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"// Enter a reference list of malicious file artifacts\\nlet MaliciousFileArtifacts = dynamic ([\\\"lsass.dmp\\\",\\\"test.pwd\\\",\\\"lsremora.dll\\\",\\\"lsremora64.dll\\\",\\\"fgexec.exe\\\",\\\"pwdump\\\",\\\"kirbi\\\",\\\"wce_ccache\\\",\\\"wce_krbtkts\\\",\\\"wceaux.dll\\\",\\\"PwHashes\\\",\\\"SAM.out\\\",\\\"SECURITY.out\\\",\\\"SYSTEM.out\\\",\\\"NTDS.out\\\" \\\"DumpExt.dll\\\",\\\"DumpSvc.exe\\\",\\\"cachedump64.exe\\\",\\\"cachedump.exe\\\",\\\"pstgdump.exe\\\",\\\"servpw64.exe\\\",\\\"servpw.exe\\\",\\\"pwdump.exe\\\",\\\"fgdump-log\\\"]);\\nEvent\\n| where EventLog == \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID==11\\n| parse EventData with * \u0027TargetFilename\\\"\u003e\u0027 TargetFilename \\\"\u003c\\\" *\\n| where TargetFilename has_any (MaliciousFileArtifacts)\\n| parse EventData with * \u0027ProcessGuid\\\"\u003e\u0027 ProcessGuid \\\"\u003c\\\" * \u0027Image\\\"\u003e\u0027 Image \\\"\u003c\\\" *\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, Image, ProcessGuid, TargetFilename\",\"entityMappings\":[{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"TargetFilename\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"Image\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Credential Dumping Tools - File Artifacts\",\"description\":\"This query detects the creation of credential dumping tools files. Several credential dumping tools export files with hardcoded file names.\\nRef: https://jpcertcc.github.io/ToolAnalysisResultSheet/\",\"lastUpdatedDateUTC\":\"2022-04-22T00:00:00Z\",\"createdDateUTC\":\"2022-02-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"Event\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/983a6922-894d-413c-9f04-d7add0ecc307\",\"name\":\"983a6922-894d-413c-9f04-d7add0ecc307\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P10D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.1\",\"severity\":\"Medium\",\"query\":\"let referencestarttime = 10d;\\nlet referenceendtime = 1d;\\nlet threshold = 100;\\nlet nxDomainDnsEvents = (stime:datetime, etime:datetime) \\n {_Im_Dns(responsecodename=\u0027NXDOMAIN\u0027, starttime=stime, endtime=etime)\\n | where DnsQueryTypeName in (\\\"A\\\", \\\"AAAA\\\")\\n | where ipv4_is_match(\\\"127.0.0.1\\\", SrcIpAddr) == False\\n | where DnsQuery !contains \\\"/\\\" and DnsQuery contains \\\".\\\"};\\nnxDomainDnsEvents (stime=ago(referenceendtime) ,etime=now())\\n | extend sld = tostring(split(DnsQuery, \\\".\\\")[-2])\\n | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), dcount(sld) by SrcIpAddr\\n | where dcount_sld \u003e threshold\\n // Filter out previously seen IPs\\n | join kind=leftanti (nxDomainDnsEvents (stime=ago(referencestarttime), etime=ago(referenceendtime))\\n | extend sld = tostring(split(DnsQuery, \\\".\\\")[-2])\\n | summarize dcount(sld) by SrcIpAddr\\n | where dcount_sld \u003e threshold ) on SrcIpAddr\\n// Pull out sample NXDomain responses for those remaining potentially infected IPs\\n| join kind = inner (nxDomainDnsEvents (stime=ago(referencestarttime), etime=now()) | summarize by DnsQuery, SrcIpAddr) on SrcIpAddr\\n| summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), sampleNXDomainList=make_list(DnsQuery, 100) by SrcIpAddr, dcount_sld\\n| extend timestamp = StartTimeUtc, IPCustomEntity = SrcIpAddr\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Potential DGA detected (ASIM DNS Schema)\",\"description\":\"Identifies clients with a high NXDomain count which could be indicative of a DGA (cycling through possible C2 domains\\nwhere most C2s are not live). Alert is generated when a new IP address is seen (based on not being seen associated with \\nNXDomain records in prior 10-day baseline period).\\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema\",\"lastUpdatedDateUTC\":\"2022-04-10T00:00:00Z\",\"createdDateUTC\":\"2021-09-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/18dbdc22-b69f-4109-9e39-723d9465f45f\",\"name\":\"18dbdc22-b69f-4109-9e39-723d9465f45f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ActiniumIOC.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet AVHits = (iocs | where Type =~ \\\"AVDetection\\\"| project IoC);\\nSecurityAlert\\n| where ProviderName == \u0027MDATP\u0027\\n| extend ThreatName_ = tostring(parse_json(ExtendedProperties).ThreatName)\\n| where ThreatName_ has_any (AVHits)\\n| extend Directory = tostring(parse_json(Entities)[0].Directory), SHA256 = tostring(parse_json(tostring(parse_json(Entities)[0].FileHashes))[2].Value), FileName = tostring(parse_json(Entities)[0].Name), Hostname = tostring(parse_json(Entities)[6].FQDN)| extend AccountName = tostring(parse_json(tostring(parse_json(Entities)[6].LoggedOnUsers))[0].AccountName)\\n| project TimeGenerated, AlertName, ThreatName_, ProviderName, AlertSeverity, Description, RemediationSteps, ExtendedProperties, Entities, FileName,SHA256, Directory, Hostname, AccountName\\n| extend timestamp = TimeGenerated, HostCustomEntity = Hostname , AccountCustomEntity = AccountName, FileHashCustomEntity = SHA256\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashType\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"ACTINIUM AV hits - Feb 2022\",\"description\":\"Identifies a match in the Security Alert table for MDATP hits related to the ACTINIUM actor\",\"lastUpdatedDateUTC\":\"2022-02-04T00:00:00Z\",\"createdDateUTC\":\"2022-02-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftDefenderAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert (MDATP)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f6a51e2c-2d6a-4f92-a090-cfb002ca611f\",\"name\":\"f6a51e2c-2d6a-4f92-a090-cfb002ca611f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let lbtime = 10m;\\nlet disallowed_ext = dynamic([\u0027ps1\u0027, \u0027exe\u0027, \u0027vbs\u0027, \u0027js\u0027, \u0027scr\u0027]);\\nProofpointPOD\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027inbound\u0027\\n| where FilterDisposition !in (\u0027reject\u0027, \u0027discard\u0027)\\n| extend attachedExt = todynamic(MsgParts)[0][\u0027detectedExt\u0027]\\n| where attachedExt in (disallowed_ext)\\n| project SrcUserUpn, DstUserUpn\\n| extend AccountCustomEntity = DstUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"ProofpointPOD - Suspicious attachment\",\"description\":\"Detects when email contains suspicious attachment (file type).\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/707494a5-8e44-486b-90f8-155d1797a8eb\",\"name\":\"707494a5-8e44-486b-90f8-155d1797a8eb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P2D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let auditLookbackStart = 2d;\\nlet auditLookbackEnd = 1d;\\nAuditLogs\\n| where TimeGenerated \u003e= ago(auditLookbackStart)\\n| where OperationName =~ \\\"Consent to application\\\" \\n| where Result =~ \\\"success\\\"\\n| mv-expand target = TargetResources\\n| extend targetResourceName = tostring(target.displayName)\\n| extend targetResourceID = tostring(target.id)\\n| extend targetResourceType = tostring(target.type)\\n| extend targetModifiedProp = TargetResources[0].modifiedProperties\\n| extend isAdminConsent = targetModifiedProp[0].newValue\\n| extend Consent_ServicePrincipalNames = targetModifiedProp[5].newValue\\n| extend Consent_Permissions = targetModifiedProp[4].newValue\\n| extend Consent_InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend Consent_InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n| join ( \\nAuditLogs\\n| where TimeGenerated \u003e= ago(auditLookbackEnd)\\n| where OperationName =~ \\\"Add service principal credentials\\\"\\n| where Result =~ \\\"success\\\"\\n| mv-expand target = TargetResources\\n| extend targetResourceName = tostring(target.displayName)\\n| extend targetResourceID = tostring(target.id)\\n| extend targetModifiedProp = TargetResources[0].modifiedProperties\\n| extend Credential_KeyDescription = targetModifiedProp[0].newValue\\n| extend UpdatedProperties = targetModifiedProp[1].newValue\\n| extend Credential_ServicePrincipalNames = targetModifiedProp[2].newValue\\n| extend Credential_InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend Credential_InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n) on targetResourceName, targetResourceID\\n| extend TimeConsent = TimeGenerated, TimeCred = TimeGenerated1\\n| where TimeConsent \u003e TimeCred \\n| project TimeConsent, TimeCred, Consent_InitiatingUserOrApp, Credential_InitiatingUserOrApp, targetResourceName, targetResourceType, isAdminConsent, Consent_ServicePrincipalNames, Credential_ServicePrincipalNames, Consent_Permissions, Credential_KeyDescription, Consent_InitiatingIpAddress, Credential_InitiatingIpAddress\\n| extend timestamp = TimeConsent, AccountCustomEntity = Consent_InitiatingUserOrApp, IPCustomEntity = Consent_InitiatingIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Credential added after admin consented to Application\",\"description\":\"This query will identify instances where Service Principal credentials were added to an application by one user after the application was granted admin consent rights by another user.\\n If a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\\n Additional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow.\\n For further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities\",\"lastUpdatedDateUTC\":\"2022-01-16T00:00:00Z\",\"createdDateUTC\":\"2021-02-12T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/11bda520-a965-4654-9a45-d09f372f71aa\",\"name\":\"11bda520-a965-4654-9a45-d09f372f71aa\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P2D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"High\",\"query\":\"AzureActivity\\n// Isolate run command actions\\n| where OperationNameValue == \\\"MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION\\\"\\n// Confirm that the operation impacted a virtual machine\\n| where Authorization has \\\"virtualMachines\\\"\\n// Each runcommand operation consists of three events when successful, Started, Accepted (or Rejected), Successful (or Failed).\\n| summarize StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), max(CallerIpAddress), make_list(ActivityStatusValue) by CorrelationId, Authorization, Caller\\n// Limit to Run Command executions that Succeeded\\n| where list_ActivityStatusValue has \\\"Success\\\"\\n// Extract data from the Authorization field\\n| extend Authorization_d = parse_json(Authorization)\\n| extend Scope = Authorization_d.scope\\n| extend Scope_s = split(Scope, \\\"/\\\")\\n| extend Subscription = tostring(Scope_s[2])\\n| extend VirtualMachineName = tostring(Scope_s[-1])\\n| project StartTime, EndTime, Subscription, VirtualMachineName, CorrelationId, Caller, CallerIpAddress=max_CallerIpAddress\\n// Create a join key using the Caller (UPN)\\n| extend joinkey = tolower(Caller)\\n// Join the Run Command actions to UEBA data\\n| join kind = inner (\\n BehaviorAnalytics\\n // We are specifically interested in unusual logins\\n | where EventSource == \\\"Azure AD\\\" and ActivityInsights.ActionUncommonlyPerformedByUser == \\\"True\\\"\\n | project UEBAEventTime=TimeGenerated, UEBAActionType=ActionType, UserPrincipalName, UEBASourceIPLocation=SourceIPLocation, UEBAActivityInsights=ActivityInsights, UEBAUsersInsights=UsersInsights\\n | where isnotempty(UserPrincipalName) and isnotempty(UEBASourceIPLocation)\\n | extend joinkey = tolower(UserPrincipalName)\\n) on joinkey\\n// Create a window around the UEBA event times, check to see if the Run Command action was performed within them\\n| extend UEBAWindowStart = UEBAEventTime - 1h, UEBAWindowEnd = UEBAEventTime + 6h\\n| where StartTime between (UEBAWindowStart .. UEBAWindowEnd)\\n| project StartTime, EndTime, Subscription, VirtualMachineName, Caller, CallerIpAddress, UEBAEventTime, UEBAActionType, UEBASourceIPLocation, UEBAActivityInsights, UEBAUsersInsights\\n| extend timestamp = StartTime, AccountCustomEntity=Caller, IPCustomEntity=CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"LateralMovement\",\"CredentialAccess\"],\"displayName\":\"Azure VM Run Command operation executed during suspicious login window\",\"description\":\"Identifies when the Azure Run Command operation is executed by a UserPrincipalName and IP Address \\nthat has resulted in a recent user entity behaviour alert.\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2021-10-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3fe3c520-04f1-44b8-8398-782ed21435f8\",\"name\":\"3fe3c520-04f1-44b8-8398-782ed21435f8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.1\",\"severity\":\"Low\",\"query\":\"let torProxies=dynamic([\\\"tor2web.org\\\", \\\"tor2web.com\\\", \\\"torlink.co\\\", \\\"onion.to\\\", \\\"onion.ink\\\", \\\"onion.cab\\\", \\\"onion.nu\\\", \\\"onion.link\\\", \\n\\\"onion.it\\\", \\\"onion.city\\\", \\\"onion.direct\\\", \\\"onion.top\\\", \\\"onion.casa\\\", \\\"onion.plus\\\", \\\"onion.rip\\\", \\\"onion.dog\\\", \\\"tor2web.fi\\\", \\n\\\"tor2web.blutmagie.de\\\", \\\"onion.sh\\\", \\\"onion.lu\\\", \\\"onion.pet\\\", \\\"t2w.pw\\\", \\\"tor2web.ae.org\\\", \\\"tor2web.io\\\", \\\"tor2web.xyz\\\", \\\"onion.lt\\\", \\n\\\"s1.tor-gateways.de\\\", \\\"s2.tor-gateways.de\\\", \\\"s3.tor-gateways.de\\\", \\\"s4.tor-gateways.de\\\", \\\"s5.tor-gateways.de\\\", \\\"hiddenservice.net\\\"]);\\n_Im_Dns(domain_has_any=torProxies)\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"DNS events related to ToR proxies (ASIM DNS Schema)\",\"description\":\"Identifies IP addresses performing DNS lookups associated with common ToR proxies.\\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema\",\"lastUpdatedDateUTC\":\"2022-04-10T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d9938c3b-16f9-444d-bc22-ea9a9110e0fd\",\"name\":\"d9938c3b-16f9-444d-bc22-ea9a9110e0fd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"// Azure AD Connect Health Agent - cf6d7e68-f018-4e0a-a7b3-126e053fb88d\\n// Azure Active Directory Connect - cb1056e2-e479-49de-ae31-7812af012ed8\\nlet appList = dynamic([\u0027cf6d7e68-f018-4e0a-a7b3-126e053fb88d\u0027,\u0027cb1056e2-e479-49de-ae31-7812af012ed8\u0027]);\\nlet operationNamesList = dynamic([\u0027Microsoft.ADHybridHealthService/services/servicemembers/action\u0027,\u0027Microsoft.ADHybridHealthService/services/delete\u0027]);\\nAzureActivity\\n| where CategoryValue == \u0027Administrative\u0027\\n| where ResourceProviderValue =~ \u0027Microsoft.ADHybridHealthService\u0027\\n| where _ResourceId contains \u0027AdFederationService\u0027\\n| where OperationNameValue in~ (operationNamesList)\\n| extend claimsJson = parse_json(Claims)\\n| extend AppId = tostring(claimsJson.appid)\\n| extend AccountName = tostring(claimsJson.name)\\n| where AppId !in (appList)\\n| project-away claimsJson\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\",\"DefenseEvasion\"],\"displayName\":\"Azure Active Directory Hybrid Health AD FS Suspicious Application\",\"description\":\"This detection uses AzureActivity logs (Administrative category) to a suspicious application adding a server instance to an Azure AD Hybrid health AD FS service or deleting the AD FS service instance.\\nUsually the Azure AD Connect Health Agent application with ID cf6d7e68-f018-4e0a-a7b3-126e053fb88d is used to perform those operations.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-08-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9d0295ee-cb75-4f2c-9952-e5acfbb67036\",\"name\":\"9d0295ee-cb75-4f2c-9952-e5acfbb67036\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":1,\"version\":\"1.0.0\",\"severity\":\"Informational\",\"query\":\"let timeframe = ago(1d);\\nAppServiceAntivirusScanAuditLogs\\n| where NumberOfInfectedFiles \u003e 0\\n| extend HostCustomEntity = _ResourceId, timestamp = TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"displayName\":\"AppServices AV Scan with Infected Files\",\"description\":\"Identifies if an AV scan finds infected files in Azure App Services.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-11T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b2199398-8942-4b8c-91a9-b0a707c5d147\",\"name\":\"b2199398-8942-4b8c-91a9-b0a707c5d147\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT12H\",\"queryPeriod\":\"PT12H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/HiveRansomwareJuly2022.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, SourceUserID, FileHash, Type\\n| extend timestamp = TimeGenerated, FileHashCustomEntity = \u0027SHA256\u0027, Account = SourceUserID\\n),\\n(imFileEvent\\n| where TargetFileSHA256 has_any (sha256Hashes)\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Image = EventDetail.[4].[\\\"#text\\\"], CommandLine = EventDetail.[10].[\\\"#text\\\"], Hashes = tostring(EventDetail.[17].[\\\"#text\\\"])\\n| extend Hashes = extract_all(@\\\"(?P\u003ckey\u003e\\\\w+)=(?P\u003cvalue\u003e[a-zA-Z0-9]+)\\\", dynamic([\\\"key\\\",\\\"value\\\"]), Hashes)\\n| extend Hashes = column_ifexists(\\\"Hashes\\\", \\\"\\\"), CommandLine = column_ifexists(\\\"CommandLine\\\", \\\"\\\")\\n| where (Hashes has_any (sha256Hashes) ) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, Hashes, CommandLine, Image\\n| extend Type = strcat(Type, \\\": \\\", Source)\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), FileHashCustomEntity = Hashes\\n),\\n(DeviceEvents\\n| where InitiatingProcessSHA256 has_any (sha256Hashes) or SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n),\\n(DeviceFileEvents\\n| where SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n),\\n(DeviceImageLoadEvents\\n| where SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Hive Ransomware IOC - July 2022\",\"description\":\"Identifies a hash match related to Hive Ransomware across various data sources.\",\"lastUpdatedDateUTC\":\"2022-07-05T00:00:00Z\",\"createdDateUTC\":\"2022-01-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\",\"DeviceEvents\",\"DeviceImageLoadEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1ff56009-db01-4615-8211-d4fda21da02d\",\"name\":\"1ff56009-db01-4615-8211-d4fda21da02d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"AuditLogs\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where AADOperationType =~ \\\"Assign\\\"\\n| where ActivityDisplayName has_any (\\\"Add delegated permission grant\\\",\\\"Add app role assignment to service principal\\\")\\n| mv-expand TargetResources\\n| mv-expand TargetResources.modifiedProperties\\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\\n| where displayName_ has_any (\\\"AppRole.Value\\\",\\\"DelegatedPermissionGrant.Scope\\\")\\n| extend Permission = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\\n| where Permission has \\\"RoleManagement.ReadWrite.Directory\\\"\\n| extend InitiatingApp = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n| extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName))\\n| extend Target = tostring(parse_json(tostring(TargetResources.modifiedProperties[4].newValue)))\\n| extend TargetId = iif(displayName_ =~ \u0027DelegatedPermissionGrant.Scope\u0027,\\n tostring(parse_json(tostring(TargetResources.modifiedProperties[2].newValue))),\\n tostring(parse_json(tostring(TargetResources.modifiedProperties[3].newValue))))\\n| summarize by bin(TimeGenerated, 1h), OperationName, Initiator, Target, TargetId, Result\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Initiator\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Target\"}]}],\"tactics\":[\"Persistence\",\"Impact\"],\"displayName\":\"Azure AD Role Management Permission Grant\",\"description\":\"Identifies when the Microsoft Graph RoleManagement.ReadWrite.Directory (Delegated or Application) permission is granted to a service principal.\\nThis permission allows an application to read and manage the role-based access control (RBAC) settings for your company\u0027s directory.\\nAn adversary could use this permission to add an Azure AD object to an Admin directory role and escalate privileges.\\nRef : https://docs.microsoft.com/graph/permissions-reference#role-management-permissions\\nRef : https://docs.microsoft.com/graph/api/directoryrole-post-members?view=graph-rest-1.0\u0026tabs=http\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2021-11-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/71d374e0-1cf8-4e50-aecd-ab6c519795c2\",\"name\":\"71d374e0-1cf8-4e50-aecd-ab6c519795c2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Low\",\"query\":\"AzureDevOpsAuditing\\n| where OperationName =~ \\\"Pipelines.PipelineRetentionSettingChanged\\\"\\n| where Data.SettingName in (\\\"PurgeArtifacts\\\", \\\"PurgeRuns\\\")\\n| where Data.NewValue == 1 or Data.NewValue \u003c Data.OldValue/2\\n| project-reorder TimeGenerated, OperationName, ActorUPN, IpAddress, UserAgent, Data\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure DevOps Retention Reduced\",\"description\":\"AzureDevOps retains items such as run records and produced artifacts for a configurable amount of time. An attacker looking to reduce the footprint left by their malicious activity may look to reduce the retention time for artifacts and runs.\\nThis query will look for where retention has been reduced to the minimum level - 1, or reduced by more than half.\",\"lastUpdatedDateUTC\":\"2021-11-02T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/979c42dd-533e-4ede-b18b-31a84ba8b3d6\",\"name\":\"979c42dd-533e-4ede-b18b-31a84ba8b3d6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"Event\\n| where EventLog == \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID in (13)\\n| parse EventData with * \u0027TargetObject\\\"\u003e\u0027 TargetObject \\\"\u003c\\\" * \u0027Details\\\"\u003e\u0027 Details \\\"\u003c\\\" * \\n| where TargetObject has (\\\"HKLM\\\\\\\\System\\\\\\\\CurrentControlSet\\\\\\\\Control\\\\\\\\Lsa\\\\\\\\DsrmAdminLogonBehavior\\\") and Details == \\\"DWORD (0x00000002)\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventID, Computer, TargetObject, Details\",\"entityMappings\":[{\"entityType\":\"RegistryKey\",\"fieldMappings\":[{\"identifier\":\"Key\",\"columnName\":\"TargetObject\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"DSRM Account Abuse\",\"description\":\"This query detects an abuse of the DSRM account in order to maintain persistence and access to the organization\u0027s Active Directory.\\nRef: https://adsecurity.org/?p=1785\",\"lastUpdatedDateUTC\":\"2022-03-11T00:00:00Z\",\"createdDateUTC\":\"2022-03-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d82eb796-d1eb-43c8-a813-325ce3417cef\",\"name\":\"d82eb796-d1eb-43c8-a813-325ce3417cef\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"(union isfuzzy=true\\n(DeviceFileEvents\\n| where ActionType == \\\"FileCreated\\\"\\n| where FileName endswith \\\".h0lyenc\\\" or FolderPath == \\\"C:\\\\\\\\FOR_DECRYPT.html\\\" \\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName), HostCustomEntity = DeviceName, Type, InitiatingProcessId, FileName, FolderPath, EventType = ActionType, Commandline = InitiatingProcessCommandLine, InitiatingProcessFileName, InitiatingProcessSHA256, FileHashCustomEntity = SHA256\\n),\\n(imFileEvent\\n| where EventType == \\\"FileCreated\\\" \\n| where TargetFilePath endswith \\\".h0lyenc\\\" or TargetFilePath == \\\"C:\\\\\\\\FOR_DECRYPT.html\\\" \\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by AccountCustomEntity = ActorUsername, HostCustomEntity = DvcHostname, DvcId, Type, EventType, FileHashCustomEntity = TargetFileSHA256, Hash, TargetFilePath, Commandline = ActingProcessCommandLine\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Dev-0530 File Extension Rename\",\"description\":\"Dev-0530 actors are known to encrypt the contents of the victims device as well as renaming the file extensions. This query looks for the creation of files with .h0lyenc extension or presence of ransom note.\",\"lastUpdatedDateUTC\":\"2022-07-14T00:00:00Z\",\"createdDateUTC\":\"2022-07-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ba144bf8-75b8-406f-9420-ed74397f9479\",\"name\":\"ba144bf8-75b8-406f-9420-ed74397f9479\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"//Set a threshold of failed AAD signins from an IP address within 1 day above which we want to deem those logins suspicious.\\nlet signin_threshold = 5; \\n//Make a list of IPs with AAD signin failures above our threshold.\\nlet aadFunc = (tableName:string){\\nlet suspicious_signins = \\n table(tableName)\\n //Looking for logon failure results\\n | where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n //Exclude localhost addresses to reduce the chance of FPs\\n | where IPAddress !in (\\\"127.0.0.1\\\", \\\"::1\\\")\\n | summarize count() by IPAddress\\n | where count_ \u003e signin_threshold\\n | summarize make_set(IPAddress);\\n suspicious_signins\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nlet suspicious_signins = \\nunion isfuzzy=true aadSignin, aadNonInt\\n| summarize make_set(set_IPAddress);\\n//See if any of those IPs have sucessfully logged into PA VPNs during the same timeperiod\\nCommonSecurityLog\\n //Select only PA VPN sucessful logons\\n | where DeviceVendor == \\\"Palo Alto Networks\\\" and DeviceEventClassID == \\\"globalprotect\\\"\\n | where Message has \\\"GlobalProtect gateway user authentication succeeded\\\"\\n //Parse out the logon source IP from the Message field to match on\\n | extend SourceIP = extract(\\\"Login from: ([^,]+)\\\", 1, Message) \\n | where SourceIP in (suspicious_signins)\\n | extend Reason = \\\"Multiple failed AAD logins from SourceIP\\\"\\n //Parse out other useful information from Message field\\n | extend User = extract(\u0027User name: ([^,]+)\u0027, 1, Message) \\n | extend ClientOS = extract(\u0027Client OS version: ([^,\\\\\\\"]+)\u0027, 1, Message)\\n | extend Location = extract(\u0027Source region: ([^,]{2})\u0027,1, Message)\\n | project TimeGenerated, Reason, SourceIP, User, ClientOS, Location, Message, DeviceName, ReceiptTime, DeviceVendor, DeviceEventClassID, Computer, FileName\\n | extend AccountCustomEntity = User, IPCustomEntity = SourceIP, timestamp = TimeGenerated, HostCustomEntity = DeviceName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"IP with multiple failed Azure AD logins successfully logs in to Palo Alto VPN\",\"description\":\"This query creates a list of IP addresses with a number failed login attempts to AAD \\nabove a set threshold. It then looks for any successful Palo Alto VPN logins from any\\nof these IPs within the same timeframe.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-09-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/32555639-b639-4c2b-afda-c0ae0abefa55\",\"name\":\"32555639-b639-4c2b-afda-c0ae0abefa55\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"AWSCloudTrail\\n| where EventName =~ \\\"GetCallerIdentity\\\" and UserIdentityType =~ \\\"AssumedRole\\\" \\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by SourceIpAddress, EventName, EventTypeName, UserIdentityType, UserIdentityAccountId, UserIdentityPrincipalid, \\nUserAgent, UserIdentityUserName, SessionMfaAuthenticated,AWSRegion, EventSource, AdditionalEventData, ResponseElements\\n| extend timestamp = StartTime, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress\\n| sort by EndTime desc nulls last\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Discovery\"],\"displayName\":\"Monitor AWS Credential abuse or hijacking\",\"description\":\"Looking for GetCallerIdentity Events where the UserID Type is AssumedRole \\nAn attacker who has assumed the role of a legitimate account can call the GetCallerIdentity function to determine what account they are using.\\nA legitimate user using legitimate credentials would not need to call GetCallerIdentity since they should already know what account they are using.\\nMore Information: https://duo.com/decipher/trailblazer-hunts-compromised-credentials-in-aws\\nAWS STS GetCallerIdentity API: https://docs.aws.amazon.com/STS/latest/APIReference/API_GetCallerIdentity.html \",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/53e936c6-6c30-4d12-8343-b8a0456e8429\",\"name\":\"53e936c6-6c30-4d12-8343-b8a0456e8429\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let SUNSPOT_Hashes = dynamic([\\\"c45c9bda8db1d470f1fd0dcc346dc449839eb5ce9a948c70369230af0b3ef168\\\", \\\"0819db19be479122c1d48743e644070a8dc9a1c852df9a8c0dc2343e904da389\\\"]);\\nunion isfuzzy=true(\\nDeviceEvents\\n| where InitiatingProcessSHA256 in (SUNSPOT_Hashes)),\\n(DeviceImageLoadEvents\\n| where InitiatingProcessSHA256 in (SUNSPOT_Hashes))\\n| extend HostCustomEntity = DeviceName, timestamp=TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"SUNSPOT malware hashes\",\"description\":\"This query uses Microsoft Defender for Endpoint data to look for IoCs associated with the SUNSPOT malware shared by Crowdstrike.\\nMore details: \\n - https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/ \\n - https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-your-software-build-process-with-azure-sentinel/ba-p/2140807\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceImageLoadEvents\",\"DeviceEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fcb9d75c-c3c1-4910-8697-f136bfef2363\",\"name\":\"fcb9d75c-c3c1-4910-8697-f136bfef2363\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P2D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Low\",\"query\":\"let querystarttime = 2d;\\nlet queryendtime = 1d;\\nlet TimeDeltaThreshold = 10;\\nlet TotalEventsThreshold = 15;\\nlet PercentBeaconThreshold = 80;\\n_Im_NetworkSession(starttime=querystarttime, endtime=queryendtime)\\n| where not(ipv4_is_private(DstIpAddr))\\n| project TimeGenerated, SrcIpAddr, SrcPortNumber, DstIpAddr, DstPortNumber, DstBytes, SrcBytes\\n| sort by SrcIpAddr asc,TimeGenerated asc, DstIpAddr asc, DstPortNumber asc\\n| serialize\\n| extend nextTimeGenerated = next(TimeGenerated, 1), nextSrcIpAddr = next(SrcIpAddr, 1)\\n| extend TimeDeltainSeconds = datetime_diff(\u0027second\u0027,nextTimeGenerated,TimeGenerated)\\n| where SrcIpAddr == nextSrcIpAddr\\n//Whitelisting criteria/ threshold criteria\\n| where TimeDeltainSeconds \u003e TimeDeltaThreshold \\n| project TimeGenerated, TimeDeltainSeconds, SrcIpAddr, SrcPortNumber, DstIpAddr, DstPortNumber, DstBytes, SrcBytes\\n| summarize count(), sum(DstBytes), sum(SrcBytes), make_list(TimeDeltainSeconds) \\nby TimeDeltainSeconds, bin(TimeGenerated, 1h), SrcIpAddr, DstIpAddr, DstPortNumber\\n| summarize (MostFrequentTimeDeltaCount, MostFrequentTimeDeltainSeconds) = arg_max(count_, TimeDeltainSeconds), TotalEvents=sum(count_), TotalSrcBytes = sum(sum_SrcBytes), TotalDstBytes = sum(sum_DstBytes) \\nby bin(TimeGenerated, 1h), SrcIpAddr, DstIpAddr, DstPortNumber\\n| where TotalEvents \u003e TotalEventsThreshold \\n| extend BeaconPercent = MostFrequentTimeDeltaCount/toreal(TotalEvents) * 100\\n| where BeaconPercent \u003e PercentBeaconThreshold\",\"customDetails\":{\"DstPortNumber\":\"DstPortNumber\",\"FrequencyCount\":\"TotalSrcBytes\",\"FrequencyTime\":\"MostFrequentTimeDeltaCount\",\"TotalDstBytes\":\"TotalDstBytes\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DstIpAddr\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Potential beaconing from {{SrcIpAddr}} to {{DstIpAddr}} over port {{DstPortNumber}}\",\"alertDescriptionFormat\":\"Potential beaconing pattern from a client at address {{SrcIpAddr}} to a server at address {{DstIpAddr}} over port {{DstPortNumber}} identified. Such potential outbound beaconing pattern to untrusted public networks should be investigated for any malware callbacks or data exfiltration attempts as discussed in this [Blog](http://www.austintaylor.io/detect/beaconing/intrusion/detection/system/command/control/flare/elastic/stack/2017/06/10/detect-beaconing-with-flare-elasticsearch-and-intrusion-detection-systems/). The recurring frequency, reported as FrequencyTime in the custom details, and the total transferred volume reported as TotalDstBytes in the custom details, can help to determine the significance of this incident.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Potential beaconing activity (ASIM Network Session schema)\",\"description\":\"This rule identifies beaconing patterns from Network traffic logs based on recurrent frequency patterns. Such potential outbound beaconing pattern to untrusted public networks should be investigated for any malware callbacks or data exfiltration attempts as discussed in this [Blog](http://www.austintaylor.io/detect/beaconing/intrusion/detection/system/command/control/flare/elastic/stack/2017/06/10/detect-beaconing-with-flare-elasticsearch-and-intrusion-detection-systems/).\\\\\u003cbr\u003e\u003cbr\u003e\\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2021-12-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b8b8ba09-1e89-45a1-8bd7-691cd23bfa32\",\"name\":\"b8b8ba09-1e89-45a1-8bd7-691cd23bfa32\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let query_frequency = 15m;\\nlet missing_period = 1h;\\n//Enter a reference list of hostnames for your DC servers\\nlet DCServersList = dynamic ([\\\"DC01.simulandlabs.com\\\",\\\"DC02.simulandlabs.com\\\"]);\\n//Alternatively, a Watchlist can be used\\n//let DCServersList = _GetWatchlist(\u0027HostName-DomainControllers\u0027) | project HostName;\\nHeartbeat\\n| summarize arg_max(TimeGenerated, *) by Computer\\n| where Computer in (DCServersList)\\n//You may specify the OS type of your Domain Controllers\\n//| where OSType == \u0027Windows\u0027\\n| where TimeGenerated between (ago(query_frequency + missing_period) .. ago(missing_period))\\n| project TimeGenerated, Computer, OSType, Version, ComputerEnvironment, Type, Solutions\\n| sort by TimeGenerated asc\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"Impact\",\"DefenseEvasion\"],\"displayName\":\"Missing Domain Controller Heartbeat\",\"description\":\"This detection will go over the heartbeats received from the agents of Domain Controllers over the last hour, and will create alerts if the last heartbeats were received an hour ago.\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-11-23T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/737a2ce1-70a3-4968-9e90-3e6aca836abf\",\"name\":\"737a2ce1-70a3-4968-9e90-3e6aca836abf\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MLBehaviorAnalytics\",\"properties\":{\"severity\":\"Medium\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Anomalous RDP Login Detections\",\"description\":\"This detection uses machine learning (ML) to identify anomalous Remote Desktop Protocol (RDP) login activity, based on Windows Security Event data. Scenarios include:\\n\\n*\\tUnusual IP - This IP address has not or has rarely been seen in last 30 days.\\n*\\tUnusual Geo - The IP address, city, country and ASN have not (or rarely) been seen in last 30 days.\\n*\\tNew user - A new user logs in from an IP address and geo location, both or either of which are not expected to be seen in the last 30 days.\\n\\nAllow 7 days after this alert is enabled for Microsoft Sentinel to build a profile of normal activity for your environment.\\t\\n\\nThis detection requires a specific configuration of the data source. [Learn more](https://docs.microsoft.com/en-us/azure/sentinel/connect-windows-security-events)\\n\\nBy enabling this rule, you give Microsoft permission to copy ingested data outside of your Microsoft Sentinel workspace\u0027s geography as necessary for processing by the machine learning engine.\",\"lastUpdatedDateUTC\":\"2021-03-26T00:00:00Z\",\"createdDateUTC\":\"2020-04-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/85aca4d1-5d15-4001-abd9-acb86ca1786a\",\"name\":\"85aca4d1-5d15-4001-abd9-acb86ca1786a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.2\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation\\nlet list_tlds = ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e ago(ioc_lookBack)\\n| where isnotempty(DomainName)\\n| extend parts = split(DomainName, \u0027.\u0027)\\n| extend tld = parts[(array_length(parts)-1)]\\n| summarize count() by tostring(tld)\\n| summarize make_list(tld);\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(DomainName)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n DnsEvents\\n | where TimeGenerated \u003e ago(dt_lookBack)\\n //Extract domain patterns from syslog message\\n | where isnotempty(Name)\\n | extend parts = split(Name, \u0027.\u0027)\\n //Split out the TLD\\n | extend tld = parts[(array_length(parts)-1)]\\n //Validate parsed domain by checking if the TLD is in the list of TLDs in our threat feed\\n | where tld in~ (list_tlds)\\n | extend DNS_TimeGenerated = TimeGenerated\\n) on $left.DomainName==$right.Name\\n| where DNS_TimeGenerated \u003c ExpirationDateTime\\n| summarize DNS_TimeGenerated = arg_max(DNS_TimeGenerated , *) by IndicatorId, Name\\n| project DNS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, Computer, ClientIP, Name, QueryType\\n| extend timestamp = DNS_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = ClientIP, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map Domain entity to DnsEvents\",\"description\":\"Identifies a match in DnsEvents from any Domain IOC from TI\",\"lastUpdatedDateUTC\":\"2022-02-15T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5e45930c-09b1-4430-b2d1-cc75ada0dc0f\",\"name\":\"5e45930c-09b1-4430-b2d1-cc75ada0dc0f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.2\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n//Exclude local addresses, using the ipv4_is_private operator\\n| where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \\\"fe80\\\" and TI_ipEntity !startswith \\\"::\\\" and TI_ipEntity !startswith \\\"127.\\\"\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n W3CIISLog\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(cIP)\\n //Exclude local addresses, using the ipv4_is_private operator\\n | where ipv4_is_private(cIP) == false and cIP !startswith \\\"fe80\\\" and cIP !startswith \\\"::\\\" and cIP !startswith \\\"127.\\\"\\n // renaming time column so it is clear the log this came from\\n | extend W3CIISLog_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.cIP\\n| where W3CIISLog_TimeGenerated \u003c ExpirationDateTime\\n| summarize W3CIISLog_TimeGenerated = arg_max(W3CIISLog_TimeGenerated, *) by IndicatorId, cIP\\n| project W3CIISLog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, Computer, sSiteName, cIP, sIP, sPort, csMethod, csUserName, scStatus, scSubStatus, scWin32Status,\\nNetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = W3CIISLog_TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to W3CIISLog\",\"description\":\"Identifies a match in W3CIISLog from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2022-04-26T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d564ff12-8f53-41b8-8649-44f76b37b99f\",\"name\":\"d564ff12-8f53-41b8-8649-44f76b37b99f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"// How many greater than Service Connections you want to view per build/release\\nlet ServiceConnectionThreshold = 4;\\nlet BypassDefIds = datatable(DefId:string, Type:string, ProjectName:string)\\n[\\n//\\\"103\\\", \\\"Release\\\", \\\"ProjectA\\\",\\n//\\\"42\\\", \\\"Release\\\", \\\"ProjectB\\\",\\n//\\\"122\\\", \\\"Build\\\", \\\"ProjectB\\\"\\n];\\nAzureDevOpsAuditing\\n| where OperationName == \\\"Library.ServiceConnectionExecuted\\\" \\n| extend DefId = tostring(Data.DefinitionId), Type = tostring(Data.PlanType), ConnectionId = tostring(Data.ConnectionId)\\n| parse ScopeDisplayName with OrganizationName \u0027 (Organization)\u0027\\n| summarize CurrentCount = dcount(tostring(ConnectionId)), ConnectionNames = make_set(tostring(Data.ConnectionName)), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) \\n by OrganizationName, tostring(DefId), tostring(Type), ProjectId, ProjectName\\n| where CurrentCount \u003e ServiceConnectionThreshold\\n| join kind=anti BypassDefIds on $left.DefId==$right.DefId and $left.Type == $right.Type and $left.ProjectName == $right.ProjectName\\n| extend link = iif(\\n Type == \\\"Build\\\", strcat(\u0027https://dev.azure.com/\u0027, OrganizationName, \u0027/\u0027, ProjectName, \u0027/_build?definitionId=\u0027, DefId),\\n strcat(\u0027https://dev.azure.com/\u0027, OrganizationName, \u0027/\u0027, ProjectName, \u0027/_release?_a=releases\u0026view=mine\u0026definitionId=\u0027, DefId))\\n| extend timestamp = StartTime\",\"entityMappings\":[],\"tactics\":[\"Persistence\",\"Impact\"],\"displayName\":\"Azure DevOps Service Connection Abuse\",\"description\":\"Flags builds/releases that use a large number of service connections if they aren\u0027t manually in the allow list.\\nThis is to determine if someone is hijacking a build/release and adding many service connections in order to abuse \\nor dump credentials from service connections.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2020-06-04T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/01e8ffff-dc0c-43fe-aa22-d459c4204553\",\"name\":\"01e8ffff-dc0c-43fe-aa22-d459c4204553\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let discord=dynamic([\\\"cdn.discordapp.com\\\", \\\"media.discordapp.com\\\"]);\\n _Im_WebSession(url_has_any=discord, eventresult=\u0027Success\u0027)\\n | where Url has \\\"attachments\\\"\\n | extend DiscordServerId = extract(@\\\"\\\\/attachments\\\\/([0-9]+)\\\\/\\\", 1, Url)\\n | summarize dcount(Url), make_set(SrcUsername), make_set(SrcIpAddr), make_set(Url), min(TimeGenerated), max(TimeGenerated), make_set(EventResult) by DiscordServerId\\n | mv-expand set_SrcUsername to typeof(string), set_Url to typeof(string), set_EventResult to typeof(string), set_SrcIpAddr to typeof(string)\\n | summarize by DiscordServerId, dcount_Url, set_SrcUsername, min_TimeGenerated, max_TimeGenerated, set_EventResult, set_SrcIpAddr, set_Url\\n | project StartTime=min_TimeGenerated, EndTime=max_TimeGenerated, Result=set_EventResult, SourceUser=set_SrcUsername, SourceIP=set_SrcIpAddr, RequestURL=set_Url\\n | where RequestURL has_any (\\\".bin\\\",\\\".exe\\\",\\\".dll\\\",\\\".bin\\\",\\\".msi\\\")\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SourceUser\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"RequestURL\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Discord CDN Risky File Download (ASIM Web Session Schema)\",\"description\":\"Identifies callouts to Discord CDN addresses for risky file extensions. This detection will trigger when a callout for a risky file is made to a discord server that has only been seen once in your environment. Unique discord servers are identified using the server ID that is included in the request URL (DiscordServerId in query). Discord CDN has been used in multiple campaigns to download additional payloads.\\n This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema)\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-03-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4e5914a4-2ccd-429d-a845-fa597f0bd8c5\",\"name\":\"4e5914a4-2ccd-429d-a845-fa597f0bd8c5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"let Hive_threats = dynamic([\\\"Ransom:Win64/Hive\\\", \\\"Ransom:Win32/Hive\\\"]);\\nDeviceInfo\\n| extend DeviceName = tolower(DeviceName)\\n| join kind=inner ( SecurityAlert\\n| where ProviderName == \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)\\n| where ThreatName in~ (Hive_threats) or ThreatFamilyName in~ (Hive_threats)\\n| extend CompromisedEntity = tolower(CompromisedEntity)\\n) on $left.DeviceName == $right.CompromisedEntity\\n| summarize by DisplayName, ThreatName, ThreatFamilyName, PublicIP, AlertSeverity, Description, tostring(LoggedOnUsers), DeviceId, TenantId , bin(TimeGenerated, 1d), CompromisedEntity, tostring(LoggedOnUsers), ProductName, Entities\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CompromisedEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"PublicIP\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"AV detections related to Hive Ransomware\",\"description\":\"This query looks for Microsoft Defender AV detections related to Hive Ransomware . In Microsoft Sentinel the SecurityAlerts table includes only the Device Name of the affected device,\\n this query joins the DeviceInfo table to clearly connect other information such as Device group, ip, logged on users etc. This would allow the Microsoft Sentinel analyst to have more context related to the alert, if available.\",\"lastUpdatedDateUTC\":\"2022-07-11T00:00:00Z\",\"createdDateUTC\":\"2022-04-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/361dd1e3-1c11-491e-82a3-bb2e44ac36ba\",\"name\":\"361dd1e3-1c11-491e-82a3-bb2e44ac36ba\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let szOperationNames = dynamic([\\\"microsoft.compute/virtualMachines/write\\\", \\\"microsoft.resources/deployments/write\\\"]);\\nlet starttime = 7d;\\nlet endtime = 1d;\\nAzureActivity\\n| where TimeGenerated between (startofday(ago(starttime)) .. startofday(ago(endtime)))\\n| where OperationNameValue in~ (szOperationNames)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = makelist(TimeGenerated), ActivityStatusValue = makelist(ActivityStatusValue), \\nOperationIds = makelist(OperationId), CallerIpAddress = makelist(CallerIpAddress), CorrelationId = makelist(CorrelationId) \\nby ResourceId, Caller, OperationNameValue, Resource, ResourceGroup\\n| mvexpand CallerIpAddress\\n| where isnotempty(CallerIpAddress)\\n| make-series dResourceCount=dcount(ResourceId) default=0 on StartTimeUtc in range(startofday(ago(7d)), now(), 1d) \\nby Caller, tostring(ActivityTimeStamp), tostring(ActivityStatusValue), tostring(OperationIds), tostring(CallerIpAddress), tostring(CorrelationId), ResourceId, OperationNameValue , Resource, ResourceGroup\\n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dResourceCount)\\n| where Slope \u003e 0.2\\n| join kind=leftsemi (\\n// Last day\u0027s activity is anomalous\\nAzureActivity\\n| where TimeGenerated \u003e= startofday(ago(endtime))\\n| where OperationNameValue in~ (szOperationNames)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = makelist(TimeGenerated), ActivityStatusValue = makelist(ActivityStatusValue), \\nOperationIds = makelist(OperationId), CallerIpAddress = makelist(CallerIpAddress), CorrelationId = makelist(CorrelationId) \\nby ResourceId, Caller, OperationNameValue, Resource, ResourceGroup\\n| mvexpand CallerIpAddress\\n| where isnotempty(CallerIpAddress)\\n| make-series dResourceCount=dcount(ResourceId) default=0 on StartTimeUtc in range(startofday(ago(1d)), now(), 1d) \\nby Caller, tostring(ActivityTimeStamp), tostring(ActivityStatusValue), tostring(OperationIds), tostring(CallerIpAddress), tostring(CorrelationId), ResourceId, OperationNameValue , Resource, ResourceGroup\\n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dResourceCount)\\n| where Slope \u003e 0.2 \\n) on Caller, CallerIpAddress \\n| mvexpand todynamic(ActivityTimeStamp), todynamic(ActivityStatusValue), todynamic(OperationIds), todynamic(CorrelationId)\\n| extend timestamp = ActivityTimeStamp, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Suspicious number of resource creation or deployment activities\",\"description\":\"Indicates when an anomalous number of VM creations or deployment activities occur in Azure via the AzureActivity log.\\nThe anomaly detection identifies activities that have occurred both since the start of the day 1 day ago and the start of the day 7 days ago.\\nThe start of the day is considered 12am UTC time.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/050b9b3d-53d0-4364-a3da-1b678b8211ec\",\"name\":\"050b9b3d-53d0-4364-a3da-1b678b8211ec\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"High\",\"query\":\"AuditLogs\\n| where Category =~ \\\"RoleManagement\\\"\\n| where AADOperationType in (\\\"Assign\\\", \\\"AssignEligibleRole\\\")\\n| where ActivityDisplayName has_any (\\\"Add eligible member to role\\\", \\\"Add member to role\\\")\\n| mv-expand TargetResources\\n| mv-expand TargetResources.modifiedProperties\\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\\n| where displayName_ =~ \\\"Role.DisplayName\\\"\\n| extend RoleName = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\\n| where RoleName contains \\\"Admin\\\"\\n| extend InitiatingApp = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n| extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName))\\n// Uncomment below to not alert for PIM activations\\n//| where Initiator != \\\"MS-PIM\\\"\\n| extend Target = tostring(TargetResources.userPrincipalName)\\n| summarize by bin(TimeGenerated, 1h), OperationName, RoleName, Target, Initiator, Result\\n| extend AccountCustomEntity = Target\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Initiator\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"User Assigned Privileged Role\",\"description\":\"Identifies when a new privileged role is assigned to a user. Any account eligible for a role is now being given privileged access. If the assignment is unexpected or into a role that isn\u0027t the responsibility of the account holder, investigate.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/48607a29-a26a-4abf-8078-a06dbdd174a4\",\"name\":\"48607a29-a26a-4abf-8078-a06dbdd174a4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let timeRange = 3d;\\nlet lookBack = 7d;\\nlet authenticationWindow = 20m;\\nlet authenticationThreshold = 5;\\nlet isGUID = \\\"[0-9a-z]{8}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{12}\\\";\\nlet failureCodes = dynamic([50053, 50126, 50055]); // invalid password, account is locked - too many sign ins, expired password\\nlet successCodes = dynamic([0, 50055, 50057, 50155, 50105, 50133, 50005, 50076, 50079, 50173, 50158, 50072, 50074, 53003, 53000, 53001, 50129]);\\n// Lookup up resolved identities from last 7 days\\nlet aadFunc = (tableName:string){\\nlet identityLookup = table(tableName)\\n| where TimeGenerated \u003e= ago(lookBack)\\n| where not(Identity matches regex isGUID)\\n| where isnotempty(UserId)\\n| summarize by UserId, lu_UserDisplayName = UserDisplayName, lu_UserPrincipalName = UserPrincipalName, Type;\\n// collect window threshold breaches\\ntable(tableName)\\n| where TimeGenerated \u003e ago(timeRange)\\n| where ResultType in(failureCodes)\\n| summarize FailedPrincipalCount = dcount(UserPrincipalName) by bin(TimeGenerated, authenticationWindow), IPAddress, AppDisplayName, Type\\n| where FailedPrincipalCount \u003e= authenticationThreshold\\n| summarize WindowThresholdBreaches = count() by IPAddress, Type\\n| join kind= inner (\\n// where we breached a threshold, join the details back on all failure data\\ntable(tableName)\\n| where TimeGenerated \u003e ago(timeRange)\\n| where ResultType in(failureCodes)\\n| extend LocationDetails = todynamic(LocationDetails)\\n| extend FullLocation = strcat(LocationDetails.countryOrRegion,\u0027|\u0027, LocationDetails.state, \u0027|\u0027, LocationDetails.city)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), make_set(ClientAppUsed), make_set(FullLocation), FailureCount = count() by IPAddress, AppDisplayName, UserPrincipalName, UserDisplayName, Identity, UserId, Type\\n// lookup any unresolved identities\\n| extend UnresolvedUserId = iff(Identity matches regex isGUID, UserId, \\\"\\\")\\n| join kind= leftouter (\\n identityLookup \\n) on $left.UnresolvedUserId==$right.UserId\\n| extend UserDisplayName=iff(isempty(lu_UserDisplayName), UserDisplayName, lu_UserDisplayName)\\n| extend UserPrincipalName=iff(isempty(lu_UserPrincipalName), UserPrincipalName, lu_UserPrincipalName)\\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), make_set(UserPrincipalName), make_set(UserDisplayName), make_set(set_ClientAppUsed), make_set(set_FullLocation), make_list(FailureCount) by IPAddress, AppDisplayName, Type\\n| extend FailedPrincipalCount = arraylength(set_UserPrincipalName)\\n) on IPAddress\\n| project IPAddress, StartTime, EndTime, TargetedApplication=AppDisplayName, FailedPrincipalCount, UserPrincipalNames=set_UserPrincipalName, UserDisplayNames=set_UserDisplayName, ClientAppsUsed=set_set_ClientAppUsed, Locations=set_set_FullLocation, FailureCountByPrincipal=list_FailureCount, WindowThresholdBreaches, Type\\n| join kind= inner (\\ntable(tableName) // get data on success vs. failure history for each IP\\n| where TimeGenerated \u003e ago(timeRange)\\n| where ResultType in(successCodes) or ResultType in(failureCodes) // success or failure types\\n| summarize GlobalSuccessPrincipalCount = dcountif(UserPrincipalName, (ResultType in(successCodes))), ResultTypeSuccesses = make_set_if(ResultType, (ResultType in(successCodes))), GlobalFailPrincipalCount = dcountif(UserPrincipalName, (ResultType in(failureCodes))), ResultTypeFailures = make_set_if(ResultType, (ResultType in(failureCodes))) by IPAddress, Type\\n| where GlobalFailPrincipalCount \u003e GlobalSuccessPrincipalCount // where the number of failed principals is greater than success - eliminates FPs from IPs who authenticate successfully alot and as a side effect have alot of failures\\n) on IPAddress\\n| project-away IPAddress1\\n| extend timestamp=StartTime, IPCustomEntity = IPAddress\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Password spray attack against Azure AD application\",\"description\":\"Identifies evidence of password spray activity against Azure AD applications by looking for failures from multiple accounts from the same\\nIP address within a time window. If the number of accounts breaches the threshold just once, all failures from the IP address within the time range\\nare bought into the result. Details on whether there were successful authentications by the IP address within the time window are also included.\\nThis can be an indicator that an attack was successful.\\nThe default failure acccount threshold is 5, Default time window for failures is 20m and default look back window is 3 days\\nNote: Due to the number of possible accounts involved in a password spray it is not possible to map identities to a custom entity.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes.\",\"lastUpdatedDateUTC\":\"2022-02-16T00:00:00Z\",\"createdDateUTC\":\"2020-03-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7ee72a9e-2e54-459c-bc8a-8c08a6532a63\",\"name\":\"7ee72a9e-2e54-459c-bc8a-8c08a6532a63\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.4.1\",\"severity\":\"High\",\"query\":\"let IPList = dynamic([\\\"154.223.45.38\\\",\\\"185.141.207.140\\\",\\\"185.234.73.19\\\",\\\"216.245.210.106\\\",\\\"51.91.48.210\\\",\\\"46.255.230.229\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where isnotempty(SourceIP) or isnotempty(DestinationIP)\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"Message\\\") \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch\\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\") \\n),\\n(OfficeActivity\\n|extend SourceIPAddress = ClientIP, Account = UserId\\n| where SourceIPAddress in (IPList)\\n| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account\\n),\\n(_Im_Dns (response_has_any_prefix=IPList)\\n| extend DestinationIPAddress = DnsResponseName, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host, AccountCustomEntity=User\\n),\\n(_Im_WebSession (srcipaddr_has_any_prefix=IPList)\\n| extend DestinationIPAddress = DstIpAddr, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host\\n),\\n(_Im_NetworkSession (srcipaddr_has_any_prefix=IPList)\\n| extend DestinationIPAddress = DstIpAddr, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host\\n),\\n(_Im_NetworkSession (dstipaddr_has_any_prefix=IPList)\\n| extend DestinationIPAddress = DstIpAddr, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host\\n),\\n(SigninLogs\\n| where isnotempty(IPAddress)\\n| where IPAddress in (IPList)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n),\\n(AADNonInteractiveUserSignInLogs\\n| where isnotempty(IPAddress)\\n| where IPAddress in (IPList)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n),\\n(W3CIISLog \\n| where isnotempty(cIP)\\n| where cIP in (IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName\\n),\\n(AzureActivity \\n| where isnotempty(CallerIpAddress)\\n| where CallerIpAddress in (IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller\\n),\\n(\\nAWSCloudTrail\\n| where isnotempty(SourceIpAddress)\\n| where SourceIpAddress in (IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName\\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = EventDetail.[9].[\\\"#text\\\"], DestinationIP = EventDetail.[14].[\\\"#text\\\"]\\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Known IRIDIUM IP\",\"description\":\"IRIDIUM command and control IP. Identifies a match across various data feeds for IP IOCs related to the IRIDIUM activity group.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2019-12-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d7424fd9-abb3-4ded-a723-eebe023aaa0b\",\"name\":\"d7424fd9-abb3-4ded-a723-eebe023aaa0b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"// Administrative roles to look for, default is all admin roles\\nlet roles = dynamic([\\\"Administrator\\\", \\\"Admin\\\"]);\\n// The maximum distances between and invite and acceptance\\nlet maxTimeBetweenInviteAccept = 30min;\\n// The delta (minutes) between the invite being sent and the account being escalated\\nlet deltaBetweenInviteEscalation = 60;\\n// Collect external user invitations\\nlet invite = AuditLogs\\n| where Category =~ \\\"UserManagement\\\"\\n| where OperationName =~ \\\"Invite external user\\\"\\n| extend Target = tostring(TargetResources[0].[\\\"userPrincipalName\\\"])\\n| extend InviteInitiator = tostring(InitiatedBy.[\\\"user\\\"].[\\\"userPrincipalName\\\"])\\n| where isnotempty(InviteInitiator);\\n// Collect redeem events\\nlet redeem = AuditLogs\\n| where Category =~ \\\"UserManagement\\\"\\n| where OperationName =~ \\\"Redeem external user invite\\\"\\n| where Result =~ \\\"success\\\"\\n| extend Target = tostring(TargetResources[0].[\\\"displayName\\\"]) | extend Target = tostring(extract(@\\\"UPN\\\\:\\\\s(.+)\\\\,\\\\sEmail\\\",1,Target))\\n| where isnotempty(Target);\\n// Union the inivtation and redeem data then run the sequence_detect kusto plugin\\ninvite\\n| union redeem\\n| order by TimeGenerated\\n| project TimeGenerated, Target, InviteInitiator, OperationName, TenantId\\n| evaluate sequence_detect(TimeGenerated, maxTimeBetweenInviteAccept, maxTimeBetweenInviteAccept, invite=(OperationName has \\\"Invite external user\\\"), redeem=(OperationName has \\\"Redeem external user invite\\\"), Target)\\n| join (\\nAuditLogs\\n| where Category =~ \\\"RoleManagement\\\"\\n| where AADOperationType in (\\\"Assign\\\", \\\"AssignEligibleRole\\\")\\n| where ActivityDisplayName has_any (\\\"Add eligible member to role\\\", \\\"Add member to role\\\")\\n| mv-expand TargetResources\\n// Limit to external accounts\\n| where TargetResources.userPrincipalName has \\\"EXT\\\"\\n| mv-expand TargetResources.modifiedProperties\\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\\n| where displayName_ =~ \\\"Role.DisplayName\\\"\\n| extend RoleName = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\\n// Perform check for admin roles\\n| where RoleName has_any(roles)\\n| extend InitiatingApp = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n| extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName))\\n| where Initiator != \\\"MS-PIM\\\"\\n| extend Target = tostring(TargetResources.userPrincipalName)\\n| summarize by TimeGenerated, OperationName, RoleName, Target, Initiator, Result\\n) on Target\\n// Calculate delta between the invite and the account escalation\\n| extend delta = datetime_diff(\\\"minute\\\", TimeGenerated, invite_TimeGenerated)\\n| where delta \u003c= deltaBetweenInviteEscalation\\n| project InvitationTime=invite_TimeGenerated, RedeemTime=redeem_TimeGenerated, GrantTime=TimeGenerated, ExternalUser=Target, RoleGranted=RoleName, AdminInitiator=Initiator, MinsBetweenInviteAndEscalation=delta\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ExternalUser\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AdminInitiator\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"New External User Granted Admin\",\"description\":\"This query will detect instances where a newly invited external user is granted an administrative role. By default this query\\nwill alert on any granted administrative role, however this can be modified using the roles variable if false positives occur\\nin your environment. The maximum delta between invite and escalation to admin is 60 minues, this can be configured using the \\ndeltaBetweenInviteEscalation variable.\",\"lastUpdatedDateUTC\":\"2022-06-16T00:00:00Z\",\"createdDateUTC\":\"2022-06-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d6bf1931-b1eb-448d-90b2-de118559c7ce\",\"name\":\"d6bf1931-b1eb-448d-90b2-de118559c7ce\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let lbtime = 10m;\\nCisco_Umbrella\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027proxylogs\u0027\\n| where DvcAction =~ \u0027Allowed\u0027\\n| where UrlCategory contains \u0027Adult Themes\u0027 or\\n UrlCategory contains \u0027Adware\u0027 or\\n UrlCategory contains \u0027Alcohol\u0027 or\\n UrlCategory contains \u0027Illegal Downloads\u0027 or\\n UrlCategory contains \u0027Drugs\u0027 or\\n UrlCategory contains \u0027Child Abuse Content\u0027 or\\n UrlCategory contains \u0027Hate/Discrimination\u0027 or\\n UrlCategory contains \u0027Nudity\u0027 or\\n UrlCategory contains \u0027Pornography\u0027 or\\n UrlCategory contains \u0027Proxy/Anonymizer\u0027 or\\n UrlCategory contains \u0027Sexuality\u0027 or\\n UrlCategory contains \u0027Tasteless\u0027 or\\n UrlCategory contains \u0027Terrorism\u0027 or\\n UrlCategory contains \u0027Web Spam\u0027 or\\n UrlCategory contains \u0027German Youth Protection\u0027 or\\n UrlCategory contains \u0027Illegal Activities\u0027 or\\n UrlCategory contains \u0027Lingerie/Bikini\u0027 or\\n UrlCategory contains \u0027Weapons\u0027\\n| project TimeGenerated, SrcIpAddr, Identities\\n| extend IPCustomEntity = SrcIpAddr\\n| extend AccountCustomEntity = Identities\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"InitialAccess\"],\"displayName\":\"Cisco Umbrella - Request Allowed to harmful/malicious URI category\",\"description\":\"It is reccomended that these Categories shoud be blocked by policies because they provide harmful/malicious content..\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ee55dc85-d2da-48c1-a6c0-3eaee62a8d56\",\"name\":\"ee55dc85-d2da-48c1-a6c0-3eaee62a8d56\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"// Add the environments expected username format regex below before deploying\\n let user_regex = \\\"\\\";\\n AuditLogs\\n | where OperationName =~ \\\"Add user\\\"\\n | where Result =~ \\\"success\\\"\\n | extend userAgent = tostring(AdditionalDetails[0].value)\\n | extend addingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend addingApp = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n | extend AddedBy = iif(isnotempty(addingUser), addingUser, addingApp)\\n | extend ipAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n | extend AddedUser = tostring(TargetResources[0].userPrincipalName)\\n | where AddedUser matches regex user_regex\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddedBy\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddedUser\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"User Account Created Using Incorrect Naming Format\",\"description\":\"This query looks for accounts being created where the name does not match a defined pattern.\\n Attackers may attempt to add accounts as a means of establishing persistant access to an environment, looking for anomalies in created accounts may help identify illegitimately created accounts.\\n Created accounts should be investigated to ensure they were legitimated created.\\n The user_regex field in the query needs to be populated with the expected pattern for the environment before deployment.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#accounts-not-following-naming-policies\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0777f138-e5d8-4eab-bec1-e11ddfbc2be2\",\"name\":\"0777f138-e5d8-4eab-bec1-e11ddfbc2be2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Low\",\"query\":\"let threshold = 20;\\nlet ReasontoSubStatus = datatable(SubStatus:string,Reason:string) [\\n\\\"0xC000005E\\\", \\\"There are currently no logon servers available to service the logon request.\\\",\\n\\\"0xC0000064\\\", \\\"User logon with misspelled or bad user account\\\", \\n\\\"0xC000006A\\\", \\\"User logon with misspelled or bad password\\\",\\n\\\"0xC000006D\\\", \\\"Bad user name or password\\\",\\n\\\"0xC000006E\\\", \\\"Unknown user name or bad password\\\",\\n\\\"0xC000006F\\\", \\\"User logon outside authorized hours\\\",\\n\\\"0xC0000070\\\", \\\"User logon from unauthorized workstation\\\",\\n\\\"0xC0000071\\\", \\\"User logon with expired password\\\",\\n\\\"0xC0000072\\\", \\\"User logon to account disabled by administrator\\\",\\n\\\"0xC00000DC\\\", \\\"Indicates the Sam Server was in the wrong state to perform the desired operation\\\",\\n\\\"0xC0000133\\\", \\\"Clocks between DC and other computer too far out of sync\\\",\\n\\\"0xC000015B\\\", \\\"The user has not been granted the requested logon type (aka logon right) at this machine\\\",\\n\\\"0xC000018C\\\", \\\"The logon request failed because the trust relationship between the primary domain and the trusted domain failed\\\",\\n\\\"0xC0000192\\\", \\\"An attempt was made to logon, but the Netlogon service was not started\\\",\\n\\\"0xC0000193\\\", \\\"User logon with expired account\\\",\\n\\\"0xC0000224\\\", \\\"User is required to change password at next logon\\\",\\n\\\"0xC0000225\\\", \\\"Evidently a bug in Windows and not a risk\\\",\\n\\\"0xC0000234\\\", \\\"User logon with account locked\\\",\\n\\\"0xC00002EE\\\", \\\"Failure Reason: An Error occurred during Logon\\\",\\n\\\"0xC0000413\\\", \\\"Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine\\\"\\n];\\n(union isfuzzy=true\\n(SecurityEvent \\n| where EventID == 4625\\n| where AccountType =~ \\\"User\\\"\\n| where SubStatus !=\u00270xc0000064\u0027 and Account !in (\u0027\\\\\\\\\u0027, \u0027-\\\\\\\\-\u0027)\\n// SubStatus \u00270xc0000064\u0027 signifies \u0027Account name does not exist\u0027\\n| extend ResourceId = column_ifexists(\\\"_ResourceId\\\", _ResourceId), SourceComputerId = column_ifexists(\\\"SourceComputerId\\\", SourceComputerId)\\n| lookup ReasontoSubStatus on SubStatus\\n| extend coalesce(Reason, strcat(\u0027Unknown reason substatus: \u0027, SubStatus))\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), FailedLogonCount = count() by EventID, \\nActivity, Computer, Account, TargetAccount, TargetUserName, TargetDomainName, \\nLogonType, LogonTypeName, LogonProcessName, Status, SubStatus, Reason, ResourceId, SourceComputerId, WorkstationName, IpAddress\\n| where FailedLogonCount \u003e= threshold\\n| extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress\\n),\\n(\\n(WindowsEvent \\n| where EventID == 4625 and not(EventData has \u00270xc0000064\u0027)\\n| extend TargetAccount = strcat(tostring(EventData.TargetDomainName),\\\"\\\\\\\\\\\", tostring(EventData.TargetUserName))\\n| extend TargetUserSid = tostring(EventData.TargetUserSid)\\n| extend AccountType=case(EventData.TargetUserName endswith \\\"$\\\" or TargetUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(TargetUserSid), \\\"\\\", \\\"User\\\")\\n| where AccountType =~ \\\"User\\\"\\n| extend SubStatus = tostring(EventData.SubStatus)\\n| where SubStatus !=\u00270xc0000064\u0027 and TargetAccount !in (\u0027\\\\\\\\\u0027, \u0027-\\\\\\\\-\u0027)\\n// SubStatus \u00270xc0000064\u0027 signifies \u0027Account name does not exist\u0027\\n| extend ResourceId = column_ifexists(\\\"_ResourceId\\\", _ResourceId), SourceComputerId = column_ifexists(\\\"SourceComputerId\\\", \\\"\\\")\\n| lookup ReasontoSubStatus on SubStatus\\n| extend coalesce(Reason, strcat(\u0027Unknown reason substatus: \u0027, SubStatus))\\n| extend Activity=\\\"4625 - An account failed to log on.\\\"\\n| extend TargetUserName = tostring(EventData.TargetUserName)\\n| extend TargetDomainName = tostring(EventData.TargetDomainName)\\n| extend LogonType = tostring(EventData.LogonType)\\n| extend Status= tostring(EventData.Status)\\n| extend LogonProcessName = tostring(EventData.LogonProcessName)\\n| extend WorkstationName = tostring(EventData.WorkstationName)\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| extend LogonTypeName=case(LogonType==2,\\\"2 - Interactive\\\", LogonType==3,\\\"3 - Network\\\", LogonType==4, \\\"4 - Batch\\\",LogonType==5, \\\"5 - Service\\\", LogonType==7, \\\"7 - Unlock\\\", LogonType==8, \\\"8 - NetworkCleartext\\\", LogonType==9, \\\"9 - NewCredentials\\\", LogonType==10, \\\"10 - RemoteInteractive\\\", LogonType==11, \\\"11 - CachedInteractive\\\",tostring(LogonType))\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), FailedLogonCount = count() by EventID, \\nActivity, Computer, TargetAccount, TargetUserName, TargetDomainName, \\nLogonType, LogonTypeName, LogonProcessName, Status, SubStatus, Reason, ResourceId, SourceComputerId, WorkstationName, IpAddress\\n| where FailedLogonCount \u003e= threshold\\n| extend timestamp = StartTime, AccountCustomEntity = TargetAccount, HostCustomEntity = Computer, IPCustomEntity = IpAddress\\n)))\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Failed logon attempts by valid accounts within 10 mins\",\"description\":\"Identifies when failed logon attempts are 20 or higher during a 10 minute period (2 failed logons per minute minimum) from valid account.\",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2019-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3b9a44d7-c651-45ed-816c-eae583a6f2f1\",\"name\":\"3b9a44d7-c651-45ed-816c-eae583a6f2f1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let lookback = 14d;\\nlet timeframe = 1d;\\nlet historical_data =\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(lookback) and TimeGenerated \u003c ago(timeframe)\\n| where OperationName =~ \\\"Library.VariableGroupModified\\\"\\n| extend variables = Data.Variables\\n| extend VariableGroupId = tostring(Data.VariableGroupId)\\n| extend UserKey = strcat(VariableGroupId, \\\"-\\\", ActorUserId)\\n| project UserKey;\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeframe)\\n| where OperationName =~ \\\"Library.VariableGroupModified\\\"\\n| extend VariableGroupName = tostring(Data.VariableGroupName)\\n| extend VariableGroupId = tostring(Data.VariableGroupId)\\n| extend UserKey = strcat(VariableGroupId, \\\"-\\\", ActorUserId)\\n| where UserKey !in (historical_data)\\n| project-away UserKey\\n| project-reorder TimeGenerated, VariableGroupName, ActorUPN, IpAddress, UserAgent\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure DevOps Build Variable Modified by New User.\",\"description\":\"Variables can be configured and used at any stage of the build process in Azure DevOps to inject values. An attacker with the required permissions could modify \\nor add to these variables to conduct malicious activity such as changing paths or remote endpoints called during the build. As variables are often changed by users, \\njust detecting these changes would have a high false positive rate. This detection looks for modifications to variable groups where that user has not been observed \\nmodifying them before.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f8127962-7739-4211-a4a9-390a7a00e91f\",\"name\":\"f8127962-7739-4211-a4a9-390a7a00e91f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT30M\",\"queryPeriod\":\"PT30M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let lbtime = 30m;\\nlet lbperiod = 14d;\\nlet knownrecipients = ProofpointPOD\\n| where TimeGenerated \u003e ago(lbperiod)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027outbound\u0027\\n| where SrcUserUpn != \u0027\u0027\\n| where array_length(todynamic(DstUserUpn)) == 1\\n| summarize recipients = make_set(tostring(todynamic(DstUserUpn)[0])) by SrcUserUpn\\n| extend commcol = SrcUserUpn;\\nProofpointPOD\\n| where TimeGenerated between (ago(lbtime) .. now())\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027outbound\u0027\\n| extend isProtected = todynamic(MsgParts)[0][\u0027isProtected\u0027]\\n| extend mimePgp = todynamic(MsgParts)[0][\u0027detectedMime\u0027]\\n| where isProtected == \u0027true\u0027 or mimePgp == \u0027application/pgp-encrypted\u0027\\n| extend DstUserMail = tostring(todynamic(DstUserUpn)[0])\\n| extend commcol = tostring(todynamic(DstUserUpn)[0])\\n| join knownrecipients on commcol\\n| where recipients !contains DstUserMail\\n| project SrcUserUpn, DstUserMail\\n| extend AccountCustomEntity = SrcUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"ProofpointPOD - Multiple protected emails to unknown recipient\",\"description\":\"Detects when multiple protected messages where sent to early not seen recipient.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ee1818ec-5f65-4991-b711-bcf2ab7e36c3\",\"name\":\"ee1818ec-5f65-4991-b711-bcf2ab7e36c3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let lbtime = 10m;\\nCisco_Umbrella\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027proxylogs\u0027\\n| where DvcAction =~ \u0027Allowed\u0027\\n| where UrlOriginal matches regex @\u0027\\\\Ahttp:\\\\/\\\\/\\\\d{1,3}\\\\.\\\\d{1,3}\\\\.\\\\d{1,3}\\\\.\\\\d{1,3}.*\u0027\\n| project TimeGenerated, SrcIpAddr, Identities\\n| extend IPCustomEntity = SrcIpAddr\\n| extend AccountCustomEntity = Identities\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - URI contains IP address\",\"description\":\"Malware can use IP address to communicate with C2.\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/23005e87-2d3a-482b-b03d-edbebd1ae151\",\"name\":\"23005e87-2d3a-482b-b03d-edbebd1ae151\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let exchange_servers = (\\nW3CIISLog\\n| where TimeGenerated \u003e ago(14d)\\n| where sSiteName =~ \\\"Exchange Back End\\\"\\n| summarize by Computer);\\nW3CIISLog\\n| where TimeGenerated \u003e ago(1d)\\n| where Computer in (exchange_servers)\\n| where csUriQuery startswith \\\"t=\\\"\\n| project-reorder TimeGenerated, Computer, csUriStem, csUriQuery, csUserName, csUserAgent, cIP\\n| extend timestamp = TimeGenerated, AccountCustomEntity = csUserName, HostCustomEntity = Computer, IPCustomEntity = cIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"HAFNIUM Suspicious Exchange Request\",\"description\":\"This query looks for suspicious request patterns to Exchange servers that fit a pattern observed by HAFNIUM actors.\\nThe same query can be run on HTTPProxy logs from on-premise hosted Exchange servers.\\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ac9e233e-44d4-45eb-b522-6e47445f6582\",\"name\":\"ac9e233e-44d4-45eb-b522-6e47445f6582\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Medium\",\"query\":\"imRegistry\\n | where EventType in (\\\"RegistryValueSet\\\", \\\"RegistryKeyCreated\\\")\\n | where RegistryKey has \\\"Software\\\\\\\\Classes\\\\\\\\ms-settings\\\\\\\\shell\\\\\\\\open\\\\\\\\command\\\"\\n | extend TimeKey = bin(TimeGenerated, 1h)\\n | join (imProcess\\n | where Process endswith \\\"fodhelper.exe\\\"\\n | where ParentProcessName endswith \\\"cmd.exe\\\" or ParentProcessName endswith \\\"powershell.exe\\\" or ParentProcessName endswith \\\"powershell_ise.exe\\\"\\n | extend TimeKey = bin(TimeGenerated, 1h)) on TimeKey, Dvc\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DvcHostname\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DvcIpAddr\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ActorUsername\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Potential Fodhelper UAC Bypass (ASIM Version)\",\"description\":\"This detection looks for the steps required to conduct a UAC bypass using Fodhelper.exe. By default this detection looks for the setting of the required registry keys and the invoking of the process within 1 hour - this can be tweaked as required.\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-02-25T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ee1d718b-9ed9-4a71-90cd-a483a4f008df\",\"name\":\"ee1d718b-9ed9-4a71-90cd-a483a4f008df\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Office 365 Advanced Threat Protection\",\"displayName\":\"Create incidents based on Microsoft Defender for Office 365 alerts\",\"description\":\"Create incidents based on all alerts generated in Microsoft Defender for Office 365\",\"lastUpdatedDateUTC\":\"2020-09-01T00:00:00Z\",\"createdDateUTC\":\"2020-04-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"OfficeATP\",\"dataTypes\":[\"SecurityAlert (OATP)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a333d8bf-22a3-4c55-a1e9-5f0a135c0253\",\"name\":\"a333d8bf-22a3-4c55-a1e9-5f0a135c0253\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"let mde_threats = dynamic([\\\"Behavior:Win32/SuspAzureRequest.A\\\", \\\"Behavior:Win32/SuspAzureRequest.B\\\", \\\"Behavior:Win32/SuspAzureRequest.C\\\", \\\"Behavior:Win32/LaunchingSuspCMD.B\\\"]);\\nDeviceInfo\\n| extend DeviceName = tolower(DeviceName)\\n| join kind=inner ( SecurityAlert\\n| where ProviderName == \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)\\n| where ThreatName in~ (mde_threats) or ThreatFamilyName in~ (mde_threats)\\n| extend CompromisedEntity = tolower(CompromisedEntity)\\n) on $left.DeviceName == $right.CompromisedEntity\\n| summarize by DisplayName, ThreatName, ThreatFamilyName, PublicIP, AlertSeverity, Description, tostring(LoggedOnUsers), DeviceId, TenantId , bin(TimeGenerated, 1d), CompromisedEntity, tostring(LoggedOnUsers), ProductName, Entities\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CompromisedEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"PublicIP\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Microsoft Defender for Endpoint (MDE) signatures for Azure Synapse pipelines and Azure Data Factory\",\"description\":\"This query looks for Microsoft Defender for Endpoint detections related to the remote command execution attempts on Azure IR with Managed VNet or SHIR. \\nIn Microsoft Sentinel, the SecurityAlerts table includes the name of the impacted device. Additionally, this query joins the DeviceInfo table to connect other information such as device group, \\nIP address, signed in users, and others allowing analysts using Microsoft Sentinel to have more context related to the alert. \\nReference: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-29972 , \\nhttps://msrc-blog.microsoft.com/2022/05/09/vulnerability-mitigated-in-the-third-party-data-connector-used-in-azure-synapse-pipelines-and-azure-data-factory-cve-2022-29972\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-04-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5db427b2-f406-4274-b413-e9fcb29412f8\",\"name\":\"5db427b2-f406-4274-b413-e9fcb29412f8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"AuditLogs\\n| where ActivityDisplayName =~\u0027Add member to role completed (PIM activation)\u0027\\n| where Result == \\\"failure\\\"\\n| extend Role = tostring(TargetResources[3].displayName)\\n| extend User = tostring(TargetResources[2].displayName)\\n| project-reorder TimeGenerated, User, Role, OperationName, Result, ResultDescription\\n| extend InitiatingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n| extend IPCustomEntity = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUser\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"User\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"NRT PIM Elevation Request Rejected\",\"description\":\"Identifies when a user is rejected for a privileged role elevation via PIM. Monitor rejections for indicators of attacker compromise of the requesting account.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-identity-management\",\"lastUpdatedDateUTC\":\"2022-02-07T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/03e04c97-8cae-48b3-9d2f-4ab262e4ffff\",\"name\":\"03e04c97-8cae-48b3-9d2f-4ab262e4ffff\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let scriptExtensions = dynamic([\\\".php\\\", \\\".jsp\\\", \\\".js\\\", \\\".aspx\\\", \\\".asmx\\\", \\\".asax\\\", \\\".cfm\\\", \\\".shtml\\\"]);\\nhttp_proxy_oab_CL\\n| where RawData contains \\\"Download failed and temporary file\\\"\\n| extend File = extract(\\\"([^\\\\\\\\\\\\\\\\]*)(\\\\\\\\\\\\\\\\[^\u0027]*)\\\",2,RawData)\\n| extend Extension = strcat(\\\".\\\",split(File, \\\".\\\")[-1])\\n| extend InteractiveFile = iif(Extension in (scriptExtensions), \\\"Yes\\\", \\\"No\\\")\\n// Uncomment the following line to alert only on interactive file download type\\n//| where InteractiveFile =~ \\\"Yes\\\"\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"HAFNIUM Suspicious File Downloads.\",\"description\":\"This query looks for messages related to file downloads of suspicious file types. This query uses the Exchange HttpProxy AOBGeneratorLog, you will need to onboard this log as a custom log under the table http_proxy_oab_CL before using this query. \\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-02T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d5b32cd4-2328-43da-ab47-cd289c1f5efc\",\"name\":\"d5b32cd4-2328-43da-ab47-cd289c1f5efc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"DnsEvents\\n| where Name contains \\\".\\\"\\n| where Name has_any (\\\"monerohash.com\\\", \\\"do-dear.com\\\", \\\"xmrminerpro.com\\\", \\\"secumine.net\\\", \\\"xmrpool.com\\\", \\\"minexmr.org\\\", \\\"hashanywhere.com\\\",\\n\\\"xmrget.com\\\", \\\"mininglottery.eu\\\", \\\"minergate.com\\\", \\\"moriaxmr.com\\\", \\\"multipooler.com\\\", \\\"moneropools.com\\\", \\\"xmrpool.eu\\\", \\\"coolmining.club\\\",\\n\\\"supportxmr.com\\\", \\\"minexmr.com\\\", \\\"hashvault.pro\\\", \\\"xmrpool.net\\\", \\\"crypto-pool.fr\\\", \\\"xmr.pt\\\", \\\"miner.rocks\\\", \\\"walpool.com\\\", \\\"herominers.com\\\",\\n\\\"gntl.co.uk\\\", \\\"semipool.com\\\", \\\"coinfoundry.org\\\", \\\"cryptoknight.cc\\\", \\\"fairhash.org\\\", \\\"baikalmine.com\\\", \\\"tubepool.xyz\\\", \\\"fairpool.xyz\\\", \\\"asiapool.io\\\",\\n\\\"coinpoolit.webhop.me\\\", \\\"nanopool.org\\\", \\\"moneropool.com\\\", \\\"miner.center\\\", \\\"prohash.net\\\", \\\"poolto.be\\\", \\\"cryptoescrow.eu\\\", \\\"monerominers.net\\\", \\\"cryptonotepool.org\\\",\\n\\\"extrmepool.org\\\", \\\"webcoin.me\\\", \\\"kippo.eu\\\", \\\"hashinvest.ws\\\", \\\"monero.farm\\\", \\\"supportxmr.com\\\", \\\"xmrpool.eu\\\", \\\"linux-repository-updates.com\\\", \\\"1gh.com\\\",\\n\\\"dwarfpool.com\\\", \\\"hash-to-coins.com\\\", \\\"hashvault.pro\\\", \\\"pool-proxy.com\\\", \\\"hashfor.cash\\\", \\\"fairpool.cloud\\\", \\\"litecoinpool.org\\\", \\\"mineshaft.ml\\\", \\\"abcxyz.stream\\\",\\n\\\"moneropool.ru\\\", \\\"cryptonotepool.org.uk\\\", \\\"extremepool.org\\\", \\\"extremehash.com\\\", \\\"hashinvest.net\\\", \\\"unipool.pro\\\", \\\"crypto-pools.org\\\", \\\"monero.net\\\",\\n\\\"backup-pool.com\\\", \\\"mooo.com\\\", \\\"freeyy.me\\\", \\\"cryptonight.net\\\", \\\"shscrypto.net\\\")\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"NRT DNS events related to mining pools\",\"description\":\"Identifies IP addresses that may be performing DNS lookups associated with common currency mining pools.\",\"lastUpdatedDateUTC\":\"2022-02-07T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/de58ee9e-b229-4252-8537-41a4c2f4045e\",\"name\":\"de58ee9e-b229-4252-8537-41a4c2f4045e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let file_ext_blocklist = dynamic([\u0027.ps1\u0027, \u0027.vbs\u0027, \u0027.bat\u0027, \u0027.scr\u0027]);\\nlet lbtime = 10m;\\nCisco_Umbrella\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027proxylogs\u0027\\n| where DvcAction =~ \u0027Allowed\u0027\\n| extend file_ext = extract(@\u0027.*(\\\\.\\\\w+)$\u0027, 1, UrlOriginal)\\n| extend Filename = extract(@\u0027.*\\\\/*\\\\/(.*\\\\.\\\\w+)$\u0027, 1, UrlOriginal)\\n| where file_ext in (file_ext_blocklist)\\n| project TimeGenerated, SrcIpAddr, Identities, Filename\\n| extend IPCustomEntity = SrcIpAddr\\n| extend AccountCustomEntity = Identities\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Cisco Umbrella - Request to blocklisted file type\",\"description\":\"Detects request to potentially harmful file types (.ps1, .bat, .vbs, etc.).\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/97ad74c4-fdd9-4a3f-b6bf-5e28f4f71e06\",\"name\":\"97ad74c4-fdd9-4a3f-b6bf-5e28f4f71e06\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let LearningPeriod = 7d; \\nlet BinTime = 1h; \\nlet RunTime = 1h; \\nlet StartTime = 1h; \\nlet NumberOfStds = 3; \\nlet MinThreshold = 10.0; \\nlet EndRunTime = StartTime - RunTime; \\nlet EndLearningTime = StartTime + LearningPeriod;\\nlet aadFunc = (tableName:string){\\nlet GitHubFailedSSOLogins = (table(tableName) \\n| where AppDisplayName == \\\"GitHub.com\\\" \\n| where ResultType != 0); \\nGitHubFailedSSOLogins \\n| where TimeGenerated between (ago(EndLearningTime) .. ago(StartTime)) \\n| summarize FailedLoginsCountInBinTime = count() by UserPrincipalName, bin(TimeGenerated, BinTime), Type\\n| summarize AvgOfFailedLoginsInLearning = avg(FailedLoginsCountInBinTime), StdOfFailedLoginsInLearning = stdev(FailedLoginsCountInBinTime) by UserPrincipalName, Type\\n| extend LearningThreshold = max_of(AvgOfFailedLoginsInLearning + StdOfFailedLoginsInLearning * NumberOfStds, MinThreshold) \\n| join kind=innerunique ( \\n GitHubFailedSSOLogins \\n | where TimeGenerated between (ago(StartTime) .. ago(EndRunTime)) \\n | summarize FailedLoginsCountInRunTime = count() by User = Identity, UserPrincipalName, bin(TimeGenerated, BinTime), Type\\n) on UserPrincipalName \\n| where FailedLoginsCountInRunTime \u003e LearningThreshold\\n| extend AccountCustomEntity = UserPrincipalName , timestamp = TimeGenerated\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Brute Force Attack against GitHub Account\",\"description\":\"Attackers who are trying to guess your users\u0027 passwords or use brute-force methods to get in. If your organization is using SSO with Azure Active Directory, authentication logs to GitHub.com will be generated. Using the following query can help you identify a sudden increase in failed logon attempt of users.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/12dcea64-bec2-41c9-9df2-9f28461b1295\",\"name\":\"12dcea64-bec2-41c9-9df2-9f28461b1295\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.0\",\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\n// Adjust for a longer timeframe for identifying ADFS Servers\\nlet lookback = 6d;\\n// Identify ADFS Servers\\nlet ADFS_Servers = (\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeframe+lookback)\\n| where EventID == 4688 and SubjectLogonId != \\\"0x3e4\\\"\\n| where NewProcessName has \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n);\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Computer in~ (ADFS_Servers)\\n| where Account !endswith \\\"$\\\"\\n// Check for scheduled task events\\n| where EventID in (4697, 4698, 4699, 4700, 4701, 4702)\\n| extend EventDataParsed = parse_xml(EventData)\\n| extend SubjectLogonId = tostring(EventDataParsed.EventData.Data[3][\\\"#text\\\"])\\n// Check specifically for access to IPC$ share and PIPE\\\\svcctl and PIPE\\\\atsvc for Service Control Services and Schedule Control Services\\n| union (\\n SecurityEvent\\n | where TimeGenerated \u003e ago(timeframe)\\n | where Computer in~ (ADFS_Servers)\\n | where Account !endswith \\\"$\\\"\\n | where EventID == 5145\\n | where RelativeTargetName =~ \\\"svcctl\\\" or RelativeTargetName =~ \\\"atsvc\\\"\\n)\\n// Check for lateral movement\\n| join kind=inner\\n(SecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Account !endswith \\\"$\\\"\\n| where EventID == 4624 and LogonType == 3\\n) on $left.SubjectLogonId == $right.TargetLogonId\\n| project TimeGenerated, Account, Computer, EventID, RelativeTargetName\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"LateralMovement\"],\"displayName\":\"Gain Code Execution on ADFS Server via SMB + Remote Service or Scheduled Task\",\"description\":\"This query detects instances where an attacker has gained the ability to execute code on an ADFS Server through SMB and Remote Service or Scheduled Task.\",\"lastUpdatedDateUTC\":\"2022-01-30T00:00:00Z\",\"createdDateUTC\":\"2021-03-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/155f40c6-610d-497d-85fc-3cf06ec13256\",\"name\":\"155f40c6-610d-497d-85fc-3cf06ec13256\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.4.1\",\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"yahoo-verification.org\\\",\\\"support-servics.com\\\",\\\"verification-live.com\\\",\\\"com-mailbox.com\\\",\\\"com-myaccuants.com\\\",\\\"notification-accountservice.com\\\",\\n\\\"accounts-web-mail.com\\\",\\\"customer-certificate.com\\\",\\\"session-users-activities.com\\\",\\\"user-profile-credentials.com\\\",\\\"verify-linke.com\\\",\\\"support-servics.net\\\",\\\"verify-linkedin.net\\\", \\n\\\"yahoo-verification.net\\\",\\\"yahoo-verify.net\\\",\\\"outlook-verify.net\\\",\\\"com-users.net\\\",\\\"verifiy-account.net\\\",\\\"te1egram.net\\\",\\\"account-verifiy.net\\\",\\\"myaccount-services.net\\\",\\n\\\"com-identifier-servicelog.name\\\",\\\"microsoft-update.bid\\\",\\\"outlook-livecom.bid\\\",\\\"update-microsoft.bid\\\",\\\"documentsfilesharing.cloud\\\",\\\"com-microsoftonline.club\\\",\\n\\\"confirm-session-identifier.info\\\",\\\"session-management.info\\\",\\\"confirmation-service.info\\\",\\\"document-share.info\\\",\\\"broadcast-news.info\\\",\\\"customize-identity.info\\\",\\\"webemail.info\\\",\\n\\\"com-identifier-servicelog.info\\\",\\\"documentsharing.info\\\",\\\"notification-accountservice.info\\\",\\\"identifier-activities.info\\\",\\\"documentofficupdate.info\\\",\\\"recoveryusercustomer.info\\\",\\n\\\"serverbroadcast.info\\\",\\\"account-profile-users.info\\\",\\\"account-service-management.info\\\",\\\"accounts-manager.info\\\",\\\"activity-confirmation-service.info\\\",\\\"com-accountidentifier.info\\\",\\n\\\"com-privacy-help.info\\\",\\\"com-sessionidentifier.info\\\",\\\"com-useraccount.info\\\",\\\"confirmation-users-service.info\\\",\\\"confirm-identity.info\\\",\\\"confirm-session-identification.info\\\",\\n\\\"continue-session-identifier.info\\\",\\\"customer-recovery.info\\\",\\\"customers-activities.info\\\",\\\"elitemaildelivery.info\\\",\\\"email-delivery.info\\\",\\\"identify-user-session.info\\\",\\n\\\"message-serviceprovider.info\\\",\\\"notificationapp.info\\\",\\\"notification-manager.info\\\",\\\"recognized-activity.info\\\",\\\"recover-customers-service.info\\\",\\\"recovery-session-change.info\\\",\\n\\\"service-recovery-session.info\\\",\\\"service-session-continue.info\\\",\\\"session-mail-customers.info\\\",\\\"session-managment.info\\\",\\\"session-verify-user.info\\\",\\\"shop-sellwear.info\\\",\\n\\\"supportmailservice.info\\\",\\\"terms-service-notification.info\\\",\\\"user-activity-issues.info\\\",\\\"useridentity-confirm.info\\\",\\\"users-issue-services.info\\\",\\\"verify-user-session.info\\\",\\n\\\"login-gov.info\\\",\\\"notification-signal-agnecy.info\\\",\\\"notifications-center.info\\\",\\\"identifier-services-sessions.info\\\",\\\"customers-manager.info\\\",\\\"session-manager.info\\\",\\n\\\"customer-managers.info\\\",\\\"confirmation-recovery-options.info\\\",\\\"service-session-confirm.info\\\",\\\"session-recovery-options.info\\\",\\\"services-session-confirmation.info\\\",\\n\\\"notification-managers.info\\\",\\\"activities-services-notification.info\\\",\\\"activities-recovery-options.info\\\",\\\"activity-session-recovery.info\\\",\\\"customers-services.info\\\",\\n\\\"sessions-notification.info\\\",\\\"download-teamspeak.info\\\",\\\"services-issue-notification.info\\\",\\\"microsoft-upgrade.mobi\\\",\\\"broadcastnews.pro\\\",\\\"mobile-messengerplus.network\\\"]);\\nlet IPList = dynamic([\\\"51.91.200.147\\\"]);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend RequestURLIP = extract(IPRegex, 0, Message)\\n| where (isnotempty(SourceIP) and SourceIP in (IPList)) or (isnotempty(DestinationIP) and DestinationIP in (IPList)) \\nor (isnotempty(DNSName) and DNSName in~ (DomainNames)) or (isnotempty(DestinationHostName) and DestinationHostName in~ (DomainNames)) or (isnotempty(RequestURL) and (RequestURL has_any (DomainNames) or RequestURLIP in (IPList))) \\nor (isnotempty(Message) and MessageIP in (IPList))\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", RequestURLIP in (IPList), \\\"RequestUrl\\\", \\\"NoMatch\\\") \\n| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP,IPMatch == \\\"Message\\\", MessageIP,\\nIPMatch == \\\"RequestUrl\\\", RequestURLIP,\\\"NoMatch\\\"), Account = SourceUserID, Host = DeviceName\\n),\\n(_Im_Dns (domain_has_any=DomainNames)\\n| extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host),\\n(_Im_Dns (response_has_any_prefix=IPList)\\n| extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host),\\n(_Im_WebSession(url_has_any=DomainNames)\\n| extend DestinationIPAddress = DstIpAddr, DNSName = tostring(parse_url(Url)[\\\"Host\\\"]), Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host),\\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where isnotempty(SourceIp) or isnotempty(DestinationIp) or isnotempty(DNSName)\\n| where SourceIp in (IPList) or DestinationIp in (IPList) or DNSName in~ (DomainNames)\\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"None\\\"), Host = Computer),\\n(OfficeActivity\\n| extend SourceIPAddress = ClientIP, Account = UserId\\n| where SourceIPAddress in (IPList)\\n| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPCustomEntity = SourceHost \\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Known Phosphorus group domains/IP\",\"description\":\"Matches domain name IOCs related to Phosphorus group activity with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes.\\nReferences: https://blogs.microsoft.com/on-the-issues/2019/03/27/new-steps-to-protect-customers-from-hacking/.\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2020-10-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a1bddaf8-982b-4089-ba9e-6590dfcf80ea\",\"name\":\"a1bddaf8-982b-4089-ba9e-6590dfcf80ea\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"let error403_count_threshold=200;\\n_Im_WebSession(eventresultdetails_in=\\\"403\\\")\\n| extend ParsedUrl=parse_url(Url)\\n| extend UrlHost=tostring(ParsedUrl[\\\"Host\\\"]), UrlSchema=tostring(ParsedUrl[\\\"Schema\\\"])\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), NumberOfErrors = count(), Urls=makeset(Url) by UrlHost, SrcIpAddr\\n| where NumberOfErrors \u003e error403_count_threshold\\n| sort by NumberOfErrors desc\\n| extend Url=tostring(Urls[0])\",\"customDetails\":{\"NumberOfErrors\":\"NumberOfErrors\"},\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URL\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Excessive number of HTTP authentication failures from {{SrcIpAddr}\",\"alertDescriptionFormat\":\"A client with address {{SrcIpAddr}} generated a large number of failed authentication HTTP requests. This may indicate a [brute force](https://en.wikipedia.org/wiki/Brute-force_attack) or [credential stuffing](https://en.wikipedia.org/wiki/Credential_stuffing) attack.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"Persistence\",\"CredentialAccess\"],\"displayName\":\"Excessive number of HTTP authentication failures from a source (ASIM Web Session schema)\",\"description\":\"This rule identifies a source that repeatedly fails to authenticate to a web service (HTTP response code 403). This may indicate a [brute force](https://en.wikipedia.org/wiki/Brute-force_attack) or [credential stuffing](https://en.wikipedia.org/wiki/Credential_stuffing) attack.\u003cbr\u003e\u003cbr\u003e\\nThis rule uses the [Advanced Security Information Model (ASIM)](https://aka.ms/AboutSIM) and supports any web session source that complies with ASIM. \",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2022-03-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2a09f8cb-deb7-4c40-b08b-9137667f1c0b\",\"name\":\"2a09f8cb-deb7-4c40-b08b-9137667f1c0b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"AuditLogs\\n | where OperationName in (\\\"Add eligible member (permanent)\\\", \\\"Add eligible member (eligible)\\\")\\n | extend Role = tostring(TargetResources[0].displayName)\\n | where Role contains \\\"admin\\\"\\n | extend AddedBy = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend AddedUser = tostring(TargetResources[2].userPrincipalName)\\n | project-reorder TimeGenerated, AddedUser, Role, AddedBy\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddedBy\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddedUser\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"User Added to Admin Role\",\"description\":\"Detects a user being added to a new privileged role. Monitor these additions to ensure the users are made eligible for these roles are intended to have these levels of access.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/dc99e38c-f4e9-4837-94d7-353ac0b01a77\",\"name\":\"dc99e38c-f4e9-4837-94d7-353ac0b01a77\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let threshold = 10;\\n let default_ad_attributes = dynamic([\\\"LastDirSyncTime\\\", \\\"StsRefreshTokensValidFrom\\\", \\\"Included Updated Properties\\\", \\\"AccountEnabled\\\", \\\"Action Client Name\\\", \\\"SourceAnchor\\\"]);\\n AuditLogs\\n | where OperationName =~ \\\"Add user\\\"\\n | where Result =~ \\\"success\\\"\\n | extend properties = TargetResources[0].modifiedProperties\\n | mv-expand properties\\n | evaluate bag_unpack(properties)\\n | summarize count() by displayName, TenantId\\n | where displayName !in (default_ad_attributes)\\n | top threshold by count_ desc\\n | summarize make_set(displayName) by TenantId\\n | join kind=inner (AuditLogs\\n | where Result =~ \\\"success\\\"\\n | where OperationName =~ \\\"Add user\\\"\\n | extend CreatingUserPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend CreatedUserPrincipalName = tostring(TargetResources[0].userPrincipalName)\\n | extend AccountProperties = TargetResources[0].modifiedProperties\\n | mv-expand AccountProperties\\n | extend PropName = tostring(AccountProperties.displayName)) on TenantId\\n | summarize makeset(PropName) by TimeGenerated, CorrelationId, CreatedUserPrincipalName, CreatingUserPrincipalName, tostring(set_displayName)\\n | extend missing_props = set_difference(todynamic(set_displayName), set_PropName)\\n | where array_length(missing_props) \u003e 0\\n | join kind=innerunique (AuditLogs\\n | where Result =~ \\\"success\\\"\\n | where OperationName =~ \\\"Add user\\\"\\n | extend CreatedUserPrincipalName = tostring(TargetResources[0].userPrincipalName)) on CorrelationId, CreatedUserPrincipalName\\n | extend ExpectedProperties = set_displayName\\n | project-away set_displayName, set_PropName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CreatingUserPrincipalName\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CreatedUserPrincipalName\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"User account created without expected attributes defined\",\"description\":\"This query looks for accounts being created that do not have attributes populated that are commonly populated in the tenant.\\n Attackers may attempt to add accounts as a means of establishing persistant access to an environment, looking for anomalies in created accounts may help identify illegitimately created accounts.\\n Created accounts should be investigated to ensure they were legitimated created.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#accounts-not-following-naming-policies\",\"lastUpdatedDateUTC\":\"2022-07-09T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/aa1eff90-29d4-49dc-a3ea-b65199f516db\",\"name\":\"aa1eff90-29d4-49dc-a3ea-b65199f516db\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Low\",\"query\":\"(union isfuzzy=true\\n(SecurityEvent\\n| where EventID == 4720\\n| where AccountType == \\\"User\\\"\\n| project CreatedUserTime = TimeGenerated, CreatedUserEventID = EventID, CreatedUserActivity = Activity, Computer = toupper(Computer), \\nCreatedUser = tolower(TargetAccount), CreatedUserSid = TargetSid, AccountUsedToCreateUser = strcat(SubjectAccount), SidofAccountUsedToCreateUser = SubjectUserSid\\n),\\n(WindowsEvent\\n| where EventID == 4720\\n| extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| extend AccountType=case(EventData.SubjectUserName endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n| where AccountType == \\\"User\\\"\\n| extend SubjectAccount = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| extend Activity=\\\"4720 - A user account was created.\\\"\\n| extend TargetSid = tostring(EventData.TargetSid)\\n| project CreatedUserTime = TimeGenerated, CreatedUserEventID = EventID, CreatedUserActivity = Activity, Computer = toupper(Computer), \\nCreatedUser = tolower(TargetAccount), CreatedUserSid = TargetSid, AccountUsedToCreateUser = strcat(SubjectAccount), SidofAccountUsedToCreateUser = SubjectUserSid\\n))\\n| join ((union isfuzzy=true\\n(SecurityEvent \\n| where AccountType == \\\"User\\\"\\n// 4732 - A member was added to a security-enabled local group\\n| where EventID == 4732\\n// TargetSid is the builin Admins group: S-1-5-32-544\\n| where TargetSid == \\\"S-1-5-32-544\\\"\\n| project GroupAddTime = TimeGenerated, GroupAddEventID = EventID, GroupAddActivity = Activity, Computer = toupper(Computer), GroupName = tolower(TargetAccount), \\nGroupSid = TargetSid, AccountThatAddedUser = SubjectAccount, SIDofAccountThatAddedUser = SubjectUserSid, CreatedUserSid = MemberSid\\n),\\n( WindowsEvent \\n// 4732 - A member was added to a security-enabled local group\\n| where EventID == 4732 and EventData has \\\"S-1-5-32-544\\\"\\n//TargetSid is the builin Admins group: S-1-5-32-544\\n| extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| extend AccountType=case(EventData.SubjectUserName endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n| where AccountType == \\\"User\\\"\\n| extend TargetSid = tostring(EventData.TargetSid)\\n| where TargetSid == \\\"S-1-5-32-544\\\"\\n| extend SubjectAccount = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| extend Activity=\\\"4732 - A member was added to a security-enabled local group.\\\"\\n| extend MemberSid = tostring(EventData.MemberSid)\\n| project GroupAddTime = TimeGenerated, GroupAddEventID = EventID, GroupAddActivity = Activity, Computer = toupper(Computer), GroupName = tolower(TargetAccount), \\nGroupSid = TargetSid, AccountThatAddedUser = SubjectAccount, SIDofAccountThatAddedUser = SubjectUserSid, CreatedUserSid = MemberSid)\\n))\\non CreatedUserSid\\n//Create User first, then the add to the group.\\n| project Computer, CreatedUserTime, CreatedUserEventID, CreatedUserActivity, CreatedUser, CreatedUserSid, GroupAddTime, GroupAddEventID, \\nGroupAddActivity, AccountUsedToCreateUser, GroupName, GroupSid, AccountThatAddedUser, SIDofAccountThatAddedUser \\n| extend timestamp = CreatedUserTime, AccountCustomEntity = CreatedUser, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"Sid\",\"columnName\":\"CreatedUserSid\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"New user created and added to the built-in administrators group\",\"description\":\"Identifies when a user account was created and then added to the builtin Administrators group in the same day.\\nThis should be monitored closely and all additions reviewed.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2019-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d23ed927-5be3-4902-a9c1-85f841eb4fa1\",\"name\":\"d23ed927-5be3-4902-a9c1-85f841eb4fa1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n DuoSecurityAuthentication_CL\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(access_device_ip_s)\\n // renaming time column so it is clear the log this came from\\n | extend Duo_TimeGenerated = isotimestamp_t\\n)\\non $left.TI_ipEntity == $right.access_device_ip_s\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, Duo_TimeGenerated,\\nTI_ipEntity, user_name_s, factor_s, result_s, application_name_s, event_type_s, txid_g, user_key_s, access_device_ip_s, access_device_location_city_s, access_device_location_state_s, access_device_location_country_s\\n| extend timestamp = Duo_TimeGenerated, IPCustomEntity = access_device_ip_s, AccountCustomEntity = user_name_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to Duo Security\",\"description\":\"Identifies a match in DuoSecurity from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2bc7b4ae-eeaa-4538-ba15-ef298ec1ffae\",\"name\":\"2bc7b4ae-eeaa-4538-ba15-ef298ec1ffae\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n| where EventID == 4656\\n| extend EventData = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, TargetAccount, Computer, EventSourceName, Channel, Task, Level, EventID, Activity, TargetLogonId, SourceComputerId, EventOriginId, Type, _ResourceId, TenantId, SourceSystem, ManagementGroupName, IpAddress, Account)\\n| extend ObjectServer = column_ifexists(\u0027ObjectServer\u0027, \\\"\\\"), ObjectType = column_ifexists(\u0027ObjectType\u0027, \\\"\\\"), ObjectName = column_ifexists(\u0027ObjectName\u0027, \\\"\\\")\\n| where isnotempty(ObjectServer) and isnotempty(ObjectType) and isnotempty(ObjectName)\\n| where ObjectServer =~ \\\"SC Manager\\\" and ObjectType =~ \\\"SERVICE OBJECT\\\" and ObjectName =~ \\\"HealthService\\\"\\n// Comment out the join below if the SACL only audits users that are part of the Network logon users, i.e. with user/group target pointing to \\\"NU.\\\"\\n| join kind=leftouter (\\n SecurityEvent\\n | where EventID == 4624\\n) on TargetLogonId\\n| project TimeGenerated, Computer, Account, TargetAccount, IpAddress,TargetLogonId, ObjectServer, ObjectType, ObjectName\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Starting or Stopping HealthService to Avoid Detection\",\"description\":\"This query detects events where an actor is stopping or starting HealthService to disable telemetry collection/detection from the agent.\\n The query requires a SACL to audit for access request to the service.\",\"lastUpdatedDateUTC\":\"2022-01-17T00:00:00Z\",\"createdDateUTC\":\"2021-03-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bff093b2-500e-4ae5-bb49-a5b1423cbd5b\",\"name\":\"bff093b2-500e-4ae5-bb49-a5b1423cbd5b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"OfficeActivity\\n| where OfficeWorkload =~ \\\"MicrosoftTeams\\\"\\n| where Operation =~ \\\"MemberAdded\\\"\\n| extend UPN = tostring(parse_json(Members)[0].UPN)\\n| where UPN contains (\\\"#EXT#\\\")\\n| project TimeAdded=TimeGenerated, Operation, UPN, UserWhoAdded = UserId, TeamName\\n| join (\\n OfficeActivity\\n| where OfficeWorkload =~ \\\"MicrosoftTeams\\\"\\n| where Operation =~ \\\"MemberRemoved\\\"\\n| extend UPN = tostring(parse_json(Members)[0].UPN)\\n| where UPN contains (\\\"#EXT#\\\")\\n| project TimeDeleted=TimeGenerated, Operation, UPN, UserWhoDeleted = UserId, TeamName\\n) on UPN\\n| where TimeDeleted \u003e TimeAdded\\n| project TimeAdded, TimeDeleted, UPN, UserWhoAdded, UserWhoDeleted, TeamName\\n| extend timestamp = TimeAdded, AccountCustomEntity = UPN\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"External user added and removed in short timeframe\",\"description\":\"This detection flags the occurances of external user accounts that are added to a Team and then removed within\\none hour.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-09-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity (Teams)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9367dff0-941d-44e2-8875-cb48570c7add\",\"name\":\"9367dff0-941d-44e2-8875-cb48570c7add\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"Event\\n| where EventLog == \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID in (13)\\n| parse EventData with * \u0027TargetObject\\\"\u003e\u0027 TargetObject \\\"\u003c\\\" * \u0027Details\\\"\u003e\u0027 Details \\\"\u003c\\\" * \\n| where TargetObject has \\\"\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Windows\\\\\\\\AppInit_DLLs\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventID, Computer, TargetObject, Details\",\"entityMappings\":[{\"entityType\":\"RegistryKey\",\"fieldMappings\":[{\"identifier\":\"Key\",\"columnName\":\"TargetObject\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Registry Persistence via AppInit DLLs Modification\",\"description\":\"Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes. \\nDynamic-link libraries (DLLs) that are specified in the AppInit_DLLs value in the Registry keys HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows or HKEY_LOCAL_MACHINE\\\\Software\\\\Wow6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows are loaded by user32.dll into every process that loads user32.dll. In practice this is nearly every program, since user32.dll is a very common library.\\nRef: https://attack.mitre.org/techniques/T1546/010/\",\"lastUpdatedDateUTC\":\"2022-03-21T00:00:00Z\",\"createdDateUTC\":\"2022-03-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8d537f3c-094f-430c-a588-8a87da36ee3a\",\"name\":\"8d537f3c-094f-430c-a588-8a87da36ee3a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let timeframe = 15m;\\nlet user_agents=dynamic([\\n \u0027(hydra)\u0027,\\n \u0027 arachni/\u0027,\\n \u0027 BFAC \u0027,\\n \u0027 brutus \u0027,\\n \u0027 cgichk \u0027,\\n \u0027core-project/1.0\u0027,\\n \u0027 crimscanner/\u0027,\\n \u0027datacha0s\u0027,\\n \u0027dirbuster\u0027,\\n \u0027domino hunter\u0027,\\n \u0027dotdotpwn\u0027,\\n \u0027FHScan Core\u0027,\\n \u0027floodgate\u0027,\\n \u0027get-minimal\u0027,\\n \u0027gootkit auto-rooter scanner\u0027,\\n \u0027grendel-scan\u0027,\\n \u0027 inspath \u0027,\\n \u0027internet ninja\u0027,\\n \u0027jaascois\u0027,\\n \u0027 zmeu \u0027,\\n \u0027masscan\u0027,\\n \u0027 metis \u0027,\\n \u0027morfeus fucking scanner\u0027,\\n \u0027n-stealth\u0027,\\n \u0027nsauditor\u0027,\\n \u0027pmafind\u0027,\\n \u0027security scan\u0027,\\n \u0027springenwerk\u0027,\\n \u0027teh forest lobster\u0027,\\n \u0027toata dragostea\u0027,\\n \u0027 vega/\u0027,\\n \u0027voideye\u0027,\\n \u0027webshag\u0027,\\n \u0027webvulnscan\u0027,\\n \u0027 whcc/\u0027,\\n \u0027 Havij\u0027,\\n \u0027absinthe\u0027,\\n \u0027bsqlbf\u0027,\\n \u0027mysqloit\u0027,\\n \u0027pangolin\u0027,\\n \u0027sql power injector\u0027,\\n \u0027sqlmap\u0027,\\n \u0027sqlninja\u0027,\\n \u0027uil2pn\u0027,\\n \u0027ruler\u0027,\\n \u0027Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-PT; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)\u0027\\n ]);\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(timeframe)\\n| where HttpUserAgentOriginal has_any (user_agents)\\n| extend Message = \\\"Hack Tool User Agent\\\"\\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated, HttpUserAgentOriginal\\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - Hack Tool User-Agent Detected\",\"description\":\"Detects suspicious user agent strings used by known hack tools\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/30c8b802-ace1-4408-bc29-4c5c5afb49e1\",\"name\":\"30c8b802-ace1-4408-bc29-4c5c5afb49e1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"imProcess\\n | where EventType =~ \\\"ProcessCreated\\\"\\n | where Process endswith \\\"svchost.exe\\\"\\n | where CommandLine has \\\"-k GPSvcGroup\\\" or CommandLine has \\\"-s gpsvc\\\"\\n | extend timekey = bin(TimeGenerated, 1m)\\n | project timekey, ActingProcessId, Dvc\\n | join kind=inner (imProcess\\n | where EventType =~ \\\"ProcessCreated\\\"\\n | where Process =~ \\\"sdelete.exe\\\" or CommandLine has \\\"sdelete\\\"\\n | where ActingProcessName endswith \\\"svchost.exe\\\"\\n | where CommandLine has_all (\\\"-s\\\", \\\"-r\\\")\\n | extend timekey = bin(TimeGenerated, 1m)\\n ) on $left.ActingProcessId == $right.ParentProcessId, timekey, Dvc\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ActorUsername\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DvcIpAddr\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Dvc\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Sdelete deployed via GPO and run recursively (ASIM Version)\",\"description\":\"This query looks for the Sdelete process being run recursively after being deployed to a host via GPO. Attackers could use this technique to deploy Sdelete to multiple host and delete data on them.\\n This query uses the Advanced Security Information Model. Parsers will need to be deployed before use: https://docs.microsoft.com/azure/sentinel/normalization\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-03-01T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/84cccc86-5c11-4b3a-aca6-7c8f738ed0f7\",\"name\":\"84cccc86-5c11-4b3a-aca6-7c8f738ed0f7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n | where OperationName has_all (\\\"member to role\\\", \\\"add\\\")\\n | where Result =~ \\\"Success\\\"\\n | extend type_ = tostring(TargetResources[0].type)\\n | where type_ =~ \\\"ServicePrincipal\\\"\\n | where isnotempty(TargetResources)\\n | extend ServicePrincipal = tostring(TargetResources[0].displayName)\\n | extend SPID = tostring(TargetResources[0].id)\\n | mv-expand TargetResources[0].modifiedProperties\\n | extend TargetResources_0_modifiedProperties = columnifexists(\\\"TargetResources_0_modifiedProperties\\\", \u0027\u0027)\\n | where isnotempty(TargetResources_0_modifiedProperties)\\n | where TargetResources_0_modifiedProperties.displayName =~ \\\"Role.DisplayName\\\"\\n | extend TargetRole = parse_json(tostring(TargetResources_0_modifiedProperties.newValue))\\n | where TargetRole contains \\\"admin\\\"\\n | extend AddedByApp = iif(\\n isnotempty(tostring(parse_json(tostring(InitiatedBy.app)).servicePrincipalName)),\\n tostring(parse_json(tostring(InitiatedBy.app)).servicePrincipalName),\\n tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n )\\n | extend AddedByUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend AddedBy = iif(isnotempty(AddedByApp), AddedByApp, AddedByUser)\\n | extend IpAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n | project-reorder TimeGenerated, ServicePrincipal, SPID, TargetRole, AddedBy, IpAddress\\n | project-away AddedByApp, AddedByUser\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"SPID\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddedBy\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Service Principal Assigned Privileged Role\",\"description\":\"Detects a privileged role being added to a Service Principal.\\n Ensure that any assignment to a Service Principal is valid and appropriate - Service Principals should not be assigned to very highly privileged roles such as Global Admin.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts\",\"lastUpdatedDateUTC\":\"2022-07-09T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8dcf7238-a7d0-4cfd-8d0c-b230e3cd9182\",\"name\":\"8dcf7238-a7d0-4cfd-8d0c-b230e3cd9182\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5M\",\"queryPeriod\":\"PT5M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let timeframe = ago(5m);\\nDuoSecurityTrustMonitor_CL\\n| where TimeGenerated \u003e= timeframe\\n| extend AccountCustomEntity = surfaced_auth_user_name_s, IPCustomEntity = surfaced_auth_access_device_ip_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Trust Monitor Event\",\"description\":\"This query identifies when a new trust monitor event is detected.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-13T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/dcdf9bfc-c239-4764-a9f9-3612e6dff49c\",\"name\":\"dcdf9bfc-c239-4764-a9f9-3612e6dff49c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"// Adjust this to use a longer timeframe to identify ADFS servers\\n//let lookback = 6d;\\n// Adjust this to adjust the key export detection timeframe\\n//let timeframe = 1d;\\n// Start be identifying ADFS servers to reduce FP chance\\nlet ADFS_Servers = (\\nEvent\\n//| where TimeGenerated \u003e ago(timeframe+lookback)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 18\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, MG, ManagementGroupName, _ResourceId)\\n| extend Image = column_ifexists(\\\"Image\\\", \\\"\\\")\\n| extend process = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n| where process =~ \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| summarize by Computer);\\n// Look for ADFS servers where Named Pipes event are present\\nEvent\\n//| where TimeGenerated \u003e ago(timeframe)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 18\\n| where Computer in~ (ADFS_Servers)\\n| extend RenderedDescription = tostring(split(RenderedDescription, \\\":\\\")[0])\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| extend RuleName = column_ifexists(\\\"RuleName\\\", \\\"\\\"),\\n TechniqueId = column_ifexists(\\\"TechniqueId\\\", \\\"\\\"),\\n TechniqueName = column_ifexists(\\\"TechniqueName\\\", \\\"\\\"),\\n Image = column_ifexists(\\\"Image\\\", \\\"\\\"),\\n PipeName = column_ifexists(\\\"PipeName\\\", \\\"\\\"),\\n EventType = column_ifexists(\\\"EventType\\\", \\\"\\\")\\n| parse RuleName with * \u0027technique_id=\u0027 TechniqueId \u0027,\u0027 * \u0027technique_name=\u0027 TechniqueName\\n// Look for Pipe related to querying the WID\\n| where PipeName == \\\"\\\\\\\\MICROSOFT##WID\\\\\\\\tsql\\\\\\\\query\\\"\\n| extend process = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n// Exclude expected processes\\n| where process !in (\\\"Microsoft.IdentityServer.ServiceHost.exe\\\", \\\"Microsoft.Identity.Health.Adfs.PshSurrogate.exe\\\", \\\"AzureADConnect.exe\\\", \\\"Microsoft.Tri.Sensor.exe\\\", \\\"wsmprovhost.exe\\\",\\\"mmc.exe\\\", \\\"sqlservr.exe\\\")\\n| extend Operation = RenderedDescription\\n| project-reorder TimeGenerated, EventType, Operation, process, Image, Computer, UserName\\n| extend HostCustomEntity = Computer, AccountCustomEntity = UserName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Collection\"],\"displayName\":\"ADFS Database Named Pipe Connection\",\"description\":\"This detection uses Sysmon telemetry to detect suspicious local connections via a named pipe to the AD FS configuration database (Windows Internal Database).\\nIn order to use this query you need to be collecting Sysmon EventIdD 18 (Pipe Connected).\\nIf you do not have Sysmon data in your workspace this query will raise an error stating:\\nFailed to resolve scalar expression named \\\"[@Name]\",\"lastUpdatedDateUTC\":\"2021-11-23T00:00:00Z\",\"createdDateUTC\":\"2020-12-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3617d76d-b15e-4c6f-985e-a1dac73c592d\",\"name\":\"3617d76d-b15e-4c6f-985e-a1dac73c592d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"SigninLogs\\n| where ResultType == 500121\\n| extend additionalDetails_ = tostring(Status.additionalDetails)\\n| where additionalDetails_ =~ \\\"MFA denied; user declined the authentication\\\"\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"NRT MFA Rejected by User\",\"description\":\"Identifies occurrences where a user has rejected an MFA prompt. This could be an indicator that a threat actor has compromised the username and password of this user account and is using it to try and log into the account.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\",\"lastUpdatedDateUTC\":\"2022-02-08T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5436f471-b03d-41cb-b333-65891f887c43\",\"name\":\"5436f471-b03d-41cb-b333-65891f887c43\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Informational\",\"query\":\"GitHubRepo\\n| where Action == \\\"vulnerabilityAlert\\\"\\n| project TimeGenerated, DismmisedAt, Reason, vulnerableManifestFilename, Description, Link, PublishedAt, Severity, Summary\",\"entityMappings\":[],\"displayName\":\"GitHub Security Vulnerability in Repository\",\"description\":\"This alerts when there is a new security vulnerability in a GitHub repository.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-10T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d82e1987-4356-4a7b-bc5e-064f29b143c0\",\"name\":\"d82e1987-4356-4a7b-bc5e-064f29b143c0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"(union isfuzzy=true \\n(SecurityEvent\\n| where EventID == 4688\\n| where Process =~ \u0027rundll32.exe\u0027 \\n| where CommandLine has_all (\u0027Execute\u0027,\u0027RegRead\u0027,\u0027window.close\u0027)\\n| project TimeGenerated, Computer, Account, Process, NewProcessName, CommandLine, ParentProcessName, _ResourceId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account\\n),\\n(WindowsEvent\\n| where EventID == 4688 and EventData has \u0027rundll32.exe\u0027 and EventData has_any (\u0027Execute\u0027,\u0027RegRead\u0027,\u0027window.close\u0027)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where Process =~ \u0027rundll32.exe\u0027 \\n| extend CommandLine = tostring(EventData.CommandLine)\\n| where CommandLine has_all (\u0027Execute\u0027,\u0027RegRead\u0027,\u0027window.close\u0027)\\n| extend Account = strcat(EventData.SubjectDomainName,\\\"\\\\\\\\\\\", EventData.SubjectUserName)\\n| extend ParentProcessName = tostring(EventData.ParentProcessName) \\n| project TimeGenerated, Computer, Account, Process, NewProcessName, CommandLine, ParentProcessName, _ResourceId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account\\n) )\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"NOBELIUM - suspicious rundll32.exe execution of vbscript\",\"description\":\"This query idenifies when rundll32.exe executes a specific set of inline VBScript commands\\n References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-03-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/961b6a81-5c53-40b6-9800-4f661a8faea7\",\"name\":\"961b6a81-5c53-40b6-9800-4f661a8faea7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/DEV-0586.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\nlet Command_Line = (iocs | where Type =~ \\\"CommandLine\\\" | project IoC);\\n(union isfuzzy=true\\n(DeviceProcessEvents\\n| where InitiatingProcessSHA256 in (sha256Hashes) or SHA256 in (sha256Hashes) or ( InitiatingProcessCommandLine has (\u0027127.0.0.1\\\\\\\\ADMIN$\u0027) and InitiatingProcessCommandLine has_any (Command_Line))\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type, AccountName, SHA256\\n| extend Account = AccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = case(InitiatingProcessSHA256 in (sha256Hashes), \\\"InitiatingProcessSHA256\\\", SHA256 in (sha256Hashes), \\\"SHA256\\\", \\\"No Match\\\")\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = case(FileHash == \\\"InitiatingProcessSHA256\\\", InitiatingProcessSHA256, FileHash == \\\"SHA256\\\", SHA256, \\\"No Match\\\")\\n),\\n( SecurityEvent\\n| where EventID == 4688\\n| where ( CommandLine has (@\u0027127.0.0.1\\\\\\\\ADMIN$\u0027) and CommandLine has_any (Command_Line))\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type, EventID\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName\\n),\\n( CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, SourceUserID, FileHash, Type\\n| extend timestamp = TimeGenerated, FileHashCustomEntity = \u0027SHA256\u0027, Account = SourceUserID\\n),\\n( imFileEvent\\n| where Hash in~ (sha256Hashes) or ( ActingProcessCommandLine has (\u0027127.0.0.1\\\\\\\\ADMIN$\u0027) and ActingProcessCommandLine has_any (Command_Line))\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Image = EventDetail.[4].[\\\"#text\\\"], CommandLine = EventDetail.[10].[\\\"#text\\\"], Hashes = tostring(EventDetail.[17].[\\\"#text\\\"])\\n| extend Hashes = extract_all(@\\\"(?P\u003ckey\u003e\\\\w+)=(?P\u003cvalue\u003e[a-zA-Z0-9]+)\\\", dynamic([\\\"key\\\",\\\"value\\\"]), Hashes)\\n| extend Hashes = column_ifexists(\\\"Hashes\\\", \\\"\\\"), CommandLine = column_ifexists(\\\"CommandLine\\\", \\\"\\\")\\n| where (Hashes has_any (sha256Hashes) ) or ( CommandLine has (\u0027127.0.0.1\\\\\\\\ADMIN$\u0027) and CommandLine has_any (Command_Line)) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, Hashes, CommandLine, Image\\n| extend Type = strcat(Type, \\\": \\\", Source)\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), FileHashCustomEntity = Hashes\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashAlgo\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"DEV-0586 Actor IOC - January 2022\",\"description\":\"Identifies a match across IOC\u0027s related to an actor tracked by Microsoft as DEV-0586\\n Refrence: https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/\",\"lastUpdatedDateUTC\":\"2022-01-16T00:00:00Z\",\"createdDateUTC\":\"2022-01-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/66c81ae2-1f89-4433-be00-2fbbd9ba5ebe\",\"name\":\"66c81ae2-1f89-4433-be00-2fbbd9ba5ebe\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\nlet dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n CommonSecurityLog\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | extend MessageIP = extract(IPRegex, 0, Message)\\n | extend CS_ipEntity = iff(isnotempty(SourceIP), SourceIP, DestinationIP)\\n | extend CS_ipEntity = iff(isempty(CS_ipEntity) and isnotempty(MessageIP), MessageIP, CS_ipEntity)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.CS_ipEntity\\n| where CommonSecurityLog_TimeGenerated \u003c ExpirationDateTime\\n| summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, CS_ipEntity\\n| project CommonSecurityLog_TimeGenerated, SourceIP, DestinationIP, MessageIP, Message, DeviceVendor, DeviceProduct, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, TI_ipEntity, CS_ipEntity, LogSeverity, DeviceAction\\n| extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = CS_ipEntity\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to CommonSecurityLog\",\"description\":\"Identifies a match in CommonSecurityLog from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/17f23fbe-bb73-4324-8ecf-a18545a5dc26\",\"name\":\"17f23fbe-bb73-4324-8ecf-a18545a5dc26\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P3D\",\"queryPeriod\":\"P3D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let timeframe = 3d;\\n// Get Release Pipeline Creation Events and group by day\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeframe)\\n| where OperationName =~ \\\"Release.ReleasePipelineCreated\\\"\\n// Group by day\\n| extend timekey = bin(TimeGenerated, 1d)\\n| extend PipelineId = tostring(Data.PipelineId)\\n| extend PipelineName = tostring(Data.PipelineName)\\n// Rename some columns to make output clearer\\n| project-rename TimeCreated = TimeGenerated, CreatingUser = ActorUPN, CreatingUserAgent = UserAgent, CreatingIP = IpAddress\\n// Join with Release Pipeline Deletions where Pipeline ID is the same and deletion occurred on same day as creation\\n| join (AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeframe)\\n| where OperationName =~ \\\"Release.ReleasePipelineDeleted\\\"\\n// Group by day\\n| extend timekey = bin(TimeGenerated, 1d)\\n| extend PipelineId = tostring(Data.PipelineId)\\n| extend PipelineName = tostring(Data.PipelineName)\\n// Rename some things to make the output clearer\\n| project-rename TimeDeleted = TimeGenerated, DeletingUser = ActorUPN, DeletingUserAgent = UserAgent, DeletingIP = IpAddress) on PipelineId, timekey\\n| project TimeCreated, TimeDeleted, PipelineName, PipelineId, CreatingUser, CreatingIP, CreatingUserAgent, DeletingUser, DeletingIP, DeletingUserAgent, ScopeDisplayName, ProjectName, Data, OperationName, OperationName1\\n| extend timestamp = TimeCreated, AccountCustomEntity = CreatingUser, IPCustomEntity = CreatingIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DeletingUser\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DeletingIP\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"Azure DevOps Pipeline Created and Deleted on the Same Day\",\"description\":\"An attacker with access to Azure DevOps could create a pipeline to inject artifacts used by other pipelines, \\nor to create a malicious software build that looks legitimate by using a pipeline that incorporates legitimate elements. \\nAn attacker would also likely want to cover their tracks once conducting such activity. This query looks for Pipelines \\ncreated and deleted within the same day, this is unlikely to be legitimate user activity in the majority of cases.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/83ba3057-9ea3-4759-bf6a-933f2e5bc7ee\",\"name\":\"83ba3057-9ea3-4759-bf6a-933f2e5bc7ee\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":3,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let current = 1d;\\nlet auditLookback = 7d;\\n// Setting threshold to 3 as a default, change as needed. \\n// Any operation that has been initiated by a user or app more than 3 times in the past 7 days will be excluded\\nlet threshold = 3;\\n// Gather initial data from lookback period, excluding current, adjust current to more than a single day if no results\\nlet AuditTrail = AuditLogs | where TimeGenerated \u003e= ago(auditLookback) and TimeGenerated \u003c ago(current)\\n// 2 other operations that can be part of malicious activity in this situation are \\n// \\\"Add OAuth2PermissionGrant\\\" and \\\"Add service principal\\\", extend the filter below to capture these too\\n| where OperationName has \\\"Consent to application\\\"\\n| extend InitiatedBy = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)), \\ntostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName))\\n| extend TargetResourceName = tolower(tostring(TargetResources.[0].displayName))\\n| summarize max(TimeGenerated), OperationCount = count() by OperationName, InitiatedBy, TargetResourceName\\n// only including operations by initiated by a user or app that is above the threshold so we produce only rare and has not occurred in last 7 days\\n| where OperationCount \u003e threshold\\n;\\n// Gather current period of audit data\\nlet RecentConsent = AuditLogs | where TimeGenerated \u003e= ago(current)\\n| where OperationName has \\\"Consent to application\\\"\\n| extend IpAddress = case(\\nisnotempty(tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)) and tostring(parse_json(tostring(InitiatedBy.user)).ipAddress) != \u0027null\u0027, tostring(parse_json(tostring(InitiatedBy.user)).ipAddress), \\nisnotempty(tostring(parse_json(tostring(InitiatedBy.app)).ipAddress)) and tostring(parse_json(tostring(InitiatedBy.app)).ipAddress) != \u0027null\u0027, tostring(parse_json(tostring(InitiatedBy.app)).ipAddress),\\n\u0027Not Available\u0027)\\n| extend InitiatedBy = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)), \\ntostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName))\\n| extend TargetResourceName = tolower(tostring(TargetResources.[0].displayName))\\n| parse TargetResources.[0].modifiedProperties with * \\\"ConsentType: \\\" ConsentType \\\"]\\\" *\\n| mv-expand AdditionalDetails\\n| extend UserAgent = iff(AdditionalDetails.key == \\\"User-Agent\\\",tostring(AdditionalDetails.value),\\\"\\\")\\n| project TimeGenerated, InitiatedBy, IpAddress, TargetResourceName, Category, OperationName, ConsentType, UserAgent, CorrelationId, Type;\\n// Exclude previously seen audit activity for \\\"Consent to application\\\" that was seen in the lookback period\\n// First for rare InitiatedBy\\nlet RareConsentBy = RecentConsent | join kind= leftanti AuditTrail on OperationName, InitiatedBy \\n| extend Reason = \\\"Previously unseen user consenting\\\";\\n// Second for rare TargetResourceName\\nlet RareConsentApp = RecentConsent | join kind= leftanti AuditTrail on OperationName, TargetResourceName\\n| extend Reason = \\\"Previously unseen app granted consent\\\";\\nRareConsentBy | union RareConsentApp\\n| summarize Reason = makeset(Reason) by TimeGenerated, InitiatedBy, IpAddress, TargetResourceName, Category, OperationName, ConsentType, UserAgent, CorrelationId, Type\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatedBy, HostCustomEntity = TargetResourceName, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Rare application consent\",\"description\":\"This will alert when the \\\"Consent to application\\\" operation occurs by a user that has not done this operation before or rarely does this.\\nThis could indicate that permissions to access the listed Azure App were provided to a malicious actor. \\nConsent to application, Add service principal and Add OAuth2PermissionGrant should typically be rare events. \\nThis may help detect the Oauth2 attack that can be initiated by this publicly available tool - https://github.com/fireeye/PwnAuth\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2019-07-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/69b7723c-2889-469f-8b55-a2d355ed9c87\",\"name\":\"69b7723c-2889-469f-8b55-a2d355ed9c87\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.3\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n DnsEvents\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where SubType =~ \\\"LookupQuery\\\" and isnotempty(IPAddresses)\\n | mv-expand SingleIP = split(IPAddresses, \\\", \\\") to typeof(string)\\n // renaming time column so it is clear the log this came from\\n | extend DNS_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.SingleIP\\n| where DNS_TimeGenerated \u003c ExpirationDateTime\\n| summarize DNS_TimeGenerated = arg_max(DNS_TimeGenerated , *) by IndicatorId, SingleIP\\n| project DNS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, DomainName, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, Computer, EventId, SubType, ClientIP, Name, IPAddresses, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = DNS_TimeGenerated, IPCustomEntity = ClientIP, HostCustomEntity = Computer, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to DnsEvents\",\"description\":\"Identifies a match in DnsEvents from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2022-06-27T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c63ae777-d5e0-4113-8c9a-c2c9d3d09fcd\",\"name\":\"c63ae777-d5e0-4113-8c9a-c2c9d3d09fcd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"let args = dynamic([\\\"objectcategory\\\",\\\"domainlist\\\",\\\"dcmodes\\\",\\\"adinfo\\\",\\\"trustdmp\\\",\\\"computers_pwdnotreqd\\\",\\\"Domain Admins\\\", \\\"objectcategory=person\\\", \\\"objectcategory=computer\\\", \\\"objectcategory=*\\\",\\\"dclist\\\"]);\\nlet parentProcesses = dynamic([\\\"pwsh.exe\\\",\\\"powershell.exe\\\",\\\"cmd.exe\\\"]);\\nDeviceProcessEvents\\n//looks for execution from a shell\\n| where InitiatingProcessFileName in (parentProcesses)\\n// main filter\\n| where FileName =~ \\\"AdFind.exe\\\" or SHA256 == \\\"c92c158d7c37fea795114fa6491fe5f145ad2f8c08776b18ae79db811e8e36a3\\\"\\n // AdFind common Flags to check for from various threat actor TTPs\\n or ProcessCommandLine has_any (args)\\n| extend AccountCustomEntity = AccountName, HostCustomEntity = DeviceName, ProcessCustomEntity = InitiatingProcessFileName, CommandLineCustomEntity = ProcessCommandLine, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = SHA256\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"},{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLineCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Discovery\"],\"displayName\":\"Probable AdFind Recon Tool Usage\",\"description\":\"Identifies the host and account that executed AdFind by hash and filename in addition to common and unique flags that are used by many threat actors in discovery.\",\"lastUpdatedDateUTC\":\"2021-11-30T00:00:00Z\",\"createdDateUTC\":\"2021-04-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b31037ea-6f68-4fbd-bab2-d0d0f44c2fcf\",\"name\":\"b31037ea-6f68-4fbd-bab2-d0d0f44c2fcf\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(Url)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n Syslog\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n // Extract URL from the Syslog message but only take messages that include URLs\\n | extend Url = extract(\\\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.\u0026+]|[!*\\\\\\\\(\\\\\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+)\\\", 1,SyslogMessage)\\n | where isnotempty(Url)\\n | extend Syslog_TimeGenerated = TimeGenerated\\n) on Url\\n| where Syslog_TimeGenerated \u003c ExpirationDateTime\\n| summarize Syslog_TimeGenerated = arg_max(Syslog_TimeGenerated , *) by IndicatorId, Url\\n| project Syslog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, SyslogMessage, Computer, ProcessName, Url, HostIP\\n| extend timestamp = Syslog_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map URL entity to Syslog data\",\"description\":\"Identifies a match in Syslog data from any URL IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/af435ca1-fb70-4de1-92c1-7435c48482a9\",\"name\":\"af435ca1-fb70-4de1-92c1-7435c48482a9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let admin_users = (IdentityInfo\\n | summarize arg_max(TimeGenerated, *) by AccountUPN\\n | where AssignedRoles contains \\\"admin\\\"\\n | summarize by tolower(AccountUPN));\\n let admin_asn = (SigninLogs\\n | where TimeGenerated between (ago(7d)..ago(1d))\\n | where tolower(UserPrincipalName) in (admin_users)\\n | summarize by AutonomousSystemNumber);\\n let admin_locations = (SigninLogs\\n | where TimeGenerated between (ago(7d)..ago(1d))\\n | where tolower(UserPrincipalName) in (admin_users)\\n | summarize by Location);\\n let admin_devices = (SigninLogs\\n | where TimeGenerated between (ago(7d)..ago(1d))\\n | where tolower(UserPrincipalName) in (admin_users)\\n | extend deviceId = tostring(DeviceDetail.deviceId)\\n | where isnotempty(deviceId)\\n | summarize by deviceId);\\n SigninLogs\\n | where TimeGenerated \u003e ago(1d)\\n | where ResultType == 0\\n | where tolower(UserPrincipalName) in (admin_users)\\n | extend deviceId = tostring(DeviceDetail.deviceId)\\n | where AutonomousSystemNumber !in (admin_asn) and deviceId !in (admin_devices) and Location !in (admin_locations)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Authentications of Privileged Accounts Outside of Expected Controls\",\"description\":\"Detects when a privileged user account successfully authenticates from a location, device or ASN that another admin has not logged in from in the last 7 days.\\n Privileged accounts are a key target for threat actors, monitoring for logins from these accounts that deviate from normal activity can help identify compromised accounts.\\n Authentication attempts should be investigated to ensure the activity was legitimate and if there is other similar activity.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-successful-unusual-sign-ins\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"BehaviorAnalytics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a357535e-f722-4afe-b375-cff362b2b376\",\"name\":\"a357535e-f722-4afe-b375-cff362b2b376\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"(union isfuzzy=true\\n(OfficeActivity | where UserAgent != \\\"\\\"),\\n(OfficeActivity\\n| where RecordType in (\\\"AzureActiveDirectory\\\", \\\"AzureActiveDirectoryStsLogon\\\")\\n| extend OperationName = Operation\\n| parse ExtendedProperties with * \u0027User-Agent\\\\\\\\\\\":\\\\\\\\\\\"\u0027 UserAgent2 \u0027\\\\\\\\\u0027 *\\n| parse ExtendedProperties with * \u0027UserAgent\\\", \\\"Value\\\": \\\"\u0027 UserAgent1 \u0027\\\"\u0027 *\\n| where isnotempty(UserAgent1) or isnotempty(UserAgent2)\\n| extend UserAgent = iff( RecordType == \u0027AzureActiveDirectoryStsLogon\u0027, UserAgent1, UserAgent2)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = ClientIP, Account = UserId, Type, RecordType, Operation\\n),\\n(AzureDiagnostics\\n| where ResourceType =~ \\\"APPLICATIONGATEWAYS\\\" \\n| where OperationName =~ \\\"ApplicationGatewayAccess\\\" \\n| extend ClientIP = columnifexists(\\\"clientIP_s\\\", \\\"None\\\"), UserAgent = columnifexists(\\\"userAgent_s\\\", \\\"None\\\")\\n| where UserAgent != \u0027-\u0027\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = ClientIP, requestUri_s, httpMethod_s, host_s, requestQuery_s, Type\\n),\\n(\\nW3CIISLog\\n| where isnotempty(csUserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent = csUserAgent, SourceIP = cIP, Account = csUserName, Type, sSiteName, csMethod, csUriStem\\n),\\n(\\nAWSCloudTrail\\n| where isnotempty(UserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = SourceIpAddress, Account = UserIdentityUserName, Type, EventSource, EventName\\n),\\n(SigninLogs\\n| where isnotempty(UserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = IPAddress, Account = UserPrincipalName, Type, OperationName, tostring(LocationDetails), tostring(DeviceDetail), AppDisplayName, ClientAppUsed\\n),\\n(AADNonInteractiveUserSignInLogs \\n| where isnotempty(UserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = IPAddress, Account = UserPrincipalName, Type, OperationName, tostring(LocationDetails), tostring(DeviceDetail), AppDisplayName, ClientAppUsed\\n)\\n)\\n// Likely artefact of hardcoding\\n| where UserAgent startswith \\\"User\\\" or UserAgent startswith \u0027\\\\\\\"\u0027\\n// Incorrect casing\\nor (UserAgent startswith \\\"Mozilla\\\" and not(UserAgent containscs \\\"Mozilla\\\"))\\n// Incorrect casing\\nor UserAgent containscs \\\"(Compatible;\\\"\\n// Missing MSIE version\\nor UserAgent matches regex @\\\"MSIE\\\\s?;\\\"\\n// Incorrect spacing around MSIE version\\nor UserAgent matches regex @\\\"MSIE(?:\\\\d|.{1,5}?\\\\d\\\\s;)\\\"\\n| extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"CommandAndControl\",\"Execution\"],\"displayName\":\"Malformed user agent\",\"description\":\"Malware authors will sometimes hardcode user agent string values when writing the network communication component of their malware.\\nMalformed user agents can be an indication of such malware.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-01-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"WAF\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4acd3a04-2fad-4efc-8a4b-51476594cec4\",\"name\":\"4acd3a04-2fad-4efc-8a4b-51476594cec4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let triThreshold = 500;\\nlet startTime = 6h;\\nlet dgaLengthThreshold = 8;\\n// fetch the alexa top 1M domains\\nlet top1M = (externaldata (Position:int, Domain:string) [@\\\"http://s3-us-west-1.amazonaws.com/umbrella-static/top-1m.csv.zip\\\"] with (format=\\\"csv\\\", zipPattern=\\\"*.csv\\\"));\\n// extract tri grams that are above our threshold - i.e. are common\\nlet triBaseline = top1M\\n| extend Domain = tolower(extract(\\\"([^.]*).{0,7}$\\\", 1, Domain))\\n| extend AllTriGrams = array_concat(extract_all(\\\"(...)\\\", Domain), extract_all(\\\"(...)\\\", substring(Domain, 1)), extract_all(\\\"(...)\\\", substring(Domain, 2)))\\n| mvexpand Trigram=AllTriGrams\\n| summarize triCount=count() by tostring(Trigram)\\n| sort by triCount desc\\n| where triCount \u003e triThreshold\\n| distinct Trigram;\\n// collect domain information from common security log, filter and extract the DGA candidate and its trigrams\\nlet allDataSummarized = CommonSecurityLog\\n| where TimeGenerated \u003e ago(startTime)\\n| where isnotempty(DestinationHostName)\\n| extend Name = tolower(DestinationHostName)\\n| distinct Name\\n| where Name has \\\".\\\"\\n| where Name !endswith \\\".home\\\" and Name !endswith \\\".lan\\\"\\n// extract DGA candidate\\n| extend DGADomain = extract(\\\"([^.]*).{0,7}$\\\", 1, Name)\\n| where strlen(DGADomain) \u003e dgaLengthThreshold\\n// throw out domains with number in them\\n| where DGADomain matches regex \\\"^[A-Za-z]{0,}$\\\"\\n// extract the tri grams from summarized data\\n| extend AllTriGrams = array_concat(extract_all(\\\"(...)\\\", DGADomain), extract_all(\\\"(...)\\\", substring(DGADomain, 1)), extract_all(\\\"(...)\\\", substring(DGADomain, 2)));\\n// throw out domains that have repeating tri\u0027s and/or \u003e=3 repeating letters\\nlet nonRepeatingTris = allDataSummarized\\n| join kind=leftanti\\n(\\n allDataSummarized\\n | mvexpand AllTriGrams\\n | summarize count() by tostring(AllTriGrams), DGADomain\\n | where count_ \u003e 1\\n | distinct DGADomain\\n)\\non DGADomain;\\n// find domains that do not have a common tri in the baseline\\nlet dataWithRareTris = nonRepeatingTris\\n| join kind=leftanti\\n(\\n nonRepeatingTris\\n | mvexpand AllTriGrams\\n | extend Trigram = tostring(AllTriGrams)\\n | distinct Trigram, DGADomain\\n | join kind=inner\\n (\\n triBaseline\\n )\\n on Trigram\\n | distinct DGADomain\\n)\\non DGADomain;\\ndataWithRareTris\\n// join DGAs back on connection data\\n| join kind=inner\\n(\\n CommonSecurityLog\\n | where TimeGenerated \u003e ago(startTime)\\n | where isnotempty(DestinationHostName)\\n | extend DestinationHostName = tolower(DestinationHostName)\\n | project-rename Name=DestinationHostName, DataSource=DeviceVendor\\n | summarize StartTime=min(TimeGenerated), EndTime=max(TimeGenerated) by Name, SourceIP, DestinationIP, DataSource\\n)\\non Name\\n| project StartTime, EndTime, Name, DGADomain, SourceIP, DestinationIP, DataSource\\n| extend timestamp=StartTime, IPCustomEntity=SourceIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"Name\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Possible contact with a domain generated by a DGA\",\"description\":\"Identifies contacts with domains names in CommonSecurityLog that might have been generated by a Domain Generation Algorithm (DGA). DGAs can be used\\nby malware to generate rendezvous points that are difficult to predict in advance. This detection uses the Alexa Top 1 million domain names to build a model\\nof what normal domains look like. It uses this to identify domains that may have been randomly generated by an algorithm.\\nThe triThreshold is set to 500 - increase this to report on domains that are less likely to have been randomly generated, decrease it for more likely.\\nThe start time and end time look back over 6 hours of data and the dgaLengthThreshold is set to 8 - meaning domains whose length is 8 or more are reported.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-03-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Barracuda\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/aac495a9-feb1-446d-b08e-a1164a539452\",\"name\":\"aac495a9-feb1-446d-b08e-a1164a539452\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"ThreatIntelligenceIndicator\\n| where Action == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n GitHubAudit\\n | extend GitHubAudit_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.IPaddress\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, GitHubAudit_TimeGenerated, TI_ipEntity, IPaddress, Actor, Action, Country, OperationType, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = GitHubAudit_TimeGenerated, IPCustomEntity = IPaddress, AccountCustomEntity = Actor\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to GitHub_CL\",\"description\":\"Identifies a match in GitHub_CL table from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2cfc3c6e-f424-4b88-9cc9-c89f482d016a\",\"name\":\"2cfc3c6e-f424-4b88-9cc9-c89f482d016a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"High\",\"query\":\"AuditLogs\\n| where OperationName has_any (\\\"Add service principal\\\", \\\"Certificates and secrets management\\\") // captures \\\"Add service principal\\\", \\\"Add service principal credentials\\\", and \\\"Update application - Certificates and secrets management\\\" events\\n| where Result =~ \\\"success\\\"\\n| where tostring(InitiatedBy.user.userPrincipalName) has \\\"@\\\" or tostring(InitiatedBy.app.displayName) has \\\"@\\\"\\n| extend targetDisplayName = tostring(TargetResources[0].displayName)\\n| extend targetId = tostring(TargetResources[0].id)\\n| extend targetType = tostring(TargetResources[0].type)\\n| extend keyEvents = TargetResources[0].modifiedProperties\\n| mv-expand keyEvents\\n| where keyEvents.displayName =~ \\\"KeyDescription\\\"\\n| extend new_value_set = parse_json(tostring(keyEvents.newValue))\\n| extend old_value_set = parse_json(tostring(keyEvents.oldValue))\\n| where old_value_set == \\\"[]\\\"\\n| mv-expand new_value_set\\n| parse new_value_set with * \\\"KeyIdentifier=\\\" keyIdentifier:string \\\",KeyType=\\\" keyType:string \\\",KeyUsage=\\\" keyUsage:string \\\",DisplayName=\\\" keyDisplayName:string \\\"]\\\" *\\n| where keyUsage == \\\"Verify\\\" or keyUsage == \\\"\\\"\\n| extend UserAgent = iff(AdditionalDetails[0].key == \\\"User-Agent\\\",tostring(AdditionalDetails[0].value),\\\"\\\")\\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n// The below line is currently commented out but Microsoft Sentinel users can modify this query to show only Application or only Service Principal events in their environment\\n//| where targetType =~ \\\"Application\\\" // or targetType =~ \\\"ServicePrincipal\\\"\\n| project-away new_value_set, old_value_set\\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, InitiatingIpAddress, UserAgent, targetDisplayName, targetId, targetType, keyDisplayName, keyType, keyUsage, keyIdentifier, CorrelationId, TenantId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingUserOrApp, IPCustomEntity = InitiatingIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"First access credential added to Application or Service Principal where no credential was present\",\"description\":\"This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where there was no previous verify KeyCredential associated.\\nIf a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2022-02-11T00:00:00Z\",\"createdDateUTC\":\"2020-11-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0dd422ee-e6af-4204-b219-f59ac172e4c6\",\"name\":\"0dd422ee-e6af-4204-b219-f59ac172e4c6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"ThreatIntelligence\",\"properties\":{\"severity\":\"Medium\",\"tactics\":[\"Persistence\",\"LateralMovement\"],\"displayName\":\"(Preview) Microsoft Threat Intelligence Analytics\",\"description\":\"This rule generates an alert when a Microsoft Threat Intelligence Indicator gets matched with your event logs. The alerts are very high fidelity.\\n\\nNote : It is advised to turn off any custom alert rules which match the threat intelligence indicators with the same event logs matched by this analytics to prevent duplicate alerts.\",\"lastUpdatedDateUTC\":\"2021-07-28T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/074ce265-f684-41cd-af07-613c5f3e6d0d\",\"name\":\"074ce265-f684-41cd-af07-613c5f3e6d0d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.4.1\",\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"irf.services\\\",\\\"microsoft-onthehub.com\\\",\\\"msofficelab.com\\\",\\\"com-mailbox.com\\\",\\\"my-sharefile.com\\\",\\\"my-sharepoints.com\\\",\\n\\\"accounts-web-mail.com\\\",\\\"customer-certificate.com\\\",\\\"session-users-activities.com\\\",\\\"user-profile-credentials.com\\\",\\\"verify-linke.com\\\",\\\"support-servics.net\\\",\\n\\\"onedrive-sharedfile.com\\\",\\\"onedrv-live.com\\\",\\\"transparencyinternational-my-sharepoint.com\\\",\\\"transparencyinternational-my-sharepoints.com\\\",\\\"soros-my-sharepoint.com\\\"]);\\n(union isfuzzy=true\\n (CommonSecurityLog \\n | parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n | extend Account = SourceUserID, Host = DeviceName, IPAddress = SourceIP\\n ),\\n (_Im_Dns(domain_has_any=DomainNames)\\n | extend IPAddress = SrcIpAddr, DNSName = DnsQuery, Host = Dvc),\\n (VMConnection \\n | parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n | extend IPAddress = RemoteIp, Host = Computer\\n ),\\n (AzureDiagnostics \\n | where ResourceType == \\\"AZUREFIREWALLS\\\"\\n | where Category == \\\"AzureFirewallApplicationRule\\\"\\n | parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n | extend DNSName = DestinationHost \\n | extend IPAddress = SourceHost\\n ),\\n (\\n _Im_WebSession(url_has_any=DomainNames)\\n | extend IPCustomEntity=IpAddr, HostCustomEntity=Hostname, AccoutCustomEntity=User\\n )\\n)\\n| where isnotempty(DNSName)\\n| where DNSName has_any (DomainNames)\\n| extend timestamp = TimeGenerated, IPCustomEntity = IPAddress, AccountCustomEntity = Account, HostCustomEntity = Host\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Known STRONTIUM group domains - July 2019\",\"description\":\"Matches domain name IOCs related to Strontium group activity published July 2019 with CommonSecurityLog, DnsEvents and VMConnection dataTypes.\\nReferences: https://blogs.microsoft.com/on-the-issues/2019/07/17/new-cyberthreats-require-new-ways-to-protect-democracy/.\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2019-07-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a50766a7-0674-4ccb-8845-15dc55a80ba1\",\"name\":\"a50766a7-0674-4ccb-8845-15dc55a80ba1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n WireData | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(RemoteIP)\\n // renaming time column so it is clear the log this came from\\n | extend WireData_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.RemoteIP\\n| where WireData_TimeGenerated \u003c ExpirationDateTime\\n| summarize WireData_TimeGenerated = arg_max(WireData_TimeGenerated, *) by IndicatorId, RemoteIP\\n| project WireData_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, Computer, LocalIP, RemoteIP, ProcessName, ApplicationProtocol, LocalPortNumber, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = WireData_TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to WireData\",\"description\":\"Identifies a match in WireData from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureMonitor(WireData)\",\"dataTypes\":[\"WireData\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6d7214d9-4a28-44df-aafb-0910b9e6ae3e\",\"name\":\"6d7214d9-4a28-44df-aafb-0910b9e6ae3e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Low\",\"query\":\"let match_window = 3m;\\nAzureActivity\\n| where ResourceGroup has \\\"cloud-shell\\\"\\n| where (OperationNameValue =~ \\\"Microsoft.Storage/storageAccounts/listKeys/action\\\") \\n| where ActivityStatusValue == \\\"Success\\\"\\n| extend TimeKey = bin(TimeGenerated, match_window), AzureIP = CallerIpAddress\\n| join kind = inner\\n(AzureActivity\\n| where ResourceGroup has \\\"cloud-shell\\\"\\n| where (OperationNameValue =~ \\\"Microsoft.Storage/storageAccounts/write\\\") \\n| extend TimeKey = bin(TimeGenerated, match_window), UserIP = CallerIpAddress\\n) on Caller, TimeKey\\n| summarize count() by TimeKey, Caller, ResourceGroup, SubscriptionId, TenantId, AzureIP, UserIP, HTTPRequest, Type, Properties, CategoryValue, OperationList = strcat(OperationNameValue, \u0027 , \u0027, OperationNameValue1)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Caller\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"UserIP\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"New CloudShell User\",\"description\":\"Identifies when a user creates an Azure CloudShell for the first time.\\nMonitor this activity to ensure only expected user are using CloudShell\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5170c3c4-b8c9-485c-910d-a21d965ee181\",\"name\":\"5170c3c4-b8c9-485c-910d-a21d965ee181\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT30M\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let queryfrequency = 30m;\\nlet accountthreshold = 10;\\nlet successCodes = dynamic([0, 50144]);\\nADFSSignInLogs\\n| extend IngestionTime = ingestion_time()\\n| where IngestionTime \u003e ago(queryfrequency)\\n| where not(todynamic(AuthenticationDetails)[0].authenticationMethod == \\\"Integrated Windows Authentication\\\")\\n| summarize\\n DistinctFailureCount = dcountif(UserPrincipalName, ResultType !in (successCodes)),\\n DistinctSuccessCount = dcountif(UserPrincipalName, ResultType in (successCodes)),\\n SuccessAccounts = make_set_if(UserPrincipalName, ResultType in (successCodes), 250),\\n arg_min(TimeGenerated, *)\\n by IPAddress\\n| where DistinctFailureCount \u003e DistinctSuccessCount and DistinctFailureCount \u003e= accountthreshold\\n//| extend SuccessAccounts = iff(array_length(SuccessAccounts) != 0, SuccessAccounts, dynamic([\\\"null\\\"]))\\n//| mv-expand SuccessAccounts\\n| project TimeGenerated, Category, OperationName, IPAddress, DistinctFailureCount, DistinctSuccessCount, SuccessAccounts, AuthenticationRequirement, ConditionalAccessStatus, IsInteractive, UserAgent, NetworkLocationDetails, DeviceDetail, TokenIssuerType, TokenIssuerName, ResourceIdentity\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Password spray attack against ADFSSignInLogs\",\"description\":\"Identifies evidence of password spray activity against Connect Health for AD FS sign-in events by looking for failures from multiple accounts from the same IP address within a time window.\\nReference: https://adfshelp.microsoft.com/References/ConnectHealthErrorCodeReference\",\"lastUpdatedDateUTC\":\"2022-05-04T00:00:00Z\",\"createdDateUTC\":\"2022-03-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"ADFSSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6d63efa6-7c25-4bd4-a486-aa6bf50fde8a\",\"name\":\"6d63efa6-7c25-4bd4-a486-aa6bf50fde8a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"// Add non-approved user principal names to the list below to search for their account creation/deletion activity\\n// ex: dynamic([\\\"UPN1\\\", \\\"upn123\\\"])\\nlet nonapproved_users = dynamic([]);\\nAuditLogs\\n| where OperationName == \\\"Add user\\\" or OperationName == \\\"Delete user\\\"\\n| where Result == \\\"success\\\"\\n| extend InitiatingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n| where InitiatingUser has_any (nonapproved_users)\\n| project-reorder TimeGenerated, ResourceId, OperationName, InitiatingUser, TargetResources\\n| extend AccountCustomEntity = InitiatingUser, IPCustomEntity = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Account created or deleted by non-approved user\",\"description\":\"Identifies accounts that were created or deleted by a defined list of non-approved user principal names. Add to this list before running the query for accurate results.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2021-10-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/11b4c19d-2a79-4da3-af38-b067e1273dee\",\"name\":\"11b4c19d-2a79-4da3-af38-b067e1273dee\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"High\",\"query\":\"(union isfuzzy=true\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID in (17,18)\\n| where EventData has \u0027583da945-62af-10e8-4902-a8f205c72b2e\u0027\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, MG, ManagementGroupName, _ResourceId)\\n| extend PipeName = column_ifexists(\\\"PipeName\\\", \\\"\\\")\\n| extend Account = UserName\\n),\\n(\\nSecurityEvent\\n| where EventID == \u00275145\u0027\\n// %%4418 looks for presence of CreatePipeInstance value \\n| where AccessList has \u0027%%4418\u0027 \\n| where RelativeTargetName has \u0027583da945-62af-10e8-4902-a8f205c72b2e\u0027\\n),\\n(\\nWindowsEvent\\n| where EventID == \u00275145\u0027 and EventData has \u0027%%4418\u0027 and EventData has \u0027583da945-62af-10e8-4902-a8f205c72b2e\u0027 \\n// %%4418 looks for presence of CreatePipeInstance value \\n| extend AccessList= tostring(EventData.AccessList)\\n| where AccessList has \u0027%%4418\u0027 \\n| extend RelativeTargetName= tostring(EventData.RelativeTargetName)\\n| where RelativeTargetName has \u0027583da945-62af-10e8-4902-a8f205c72b2e\u0027\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\",\"PrivilegeEscalation\"],\"displayName\":\"Solorigate Named Pipe\",\"description\":\"Identifies a match across various data feeds for named pipe IOCs related to the Solorigate incident.\\n For the sysmon events required for this detection, logging for Named Pipe Events needs to be configured in Sysmon config (Event ID 17 and Event ID 18)\\n Reference: https://techcommunity.microsoft.com/t5/azure-sentinel/solarwinds-post-compromise-hunting-with-azure-sentinel/ba-p/1995095\",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2020-12-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/532f62c1-fba6-4baa-bbb6-4a32a4ef32fa\",\"name\":\"532f62c1-fba6-4baa-bbb6-4a32a4ef32fa\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation\\nlet list_tlds = ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e ago(ioc_lookBack)\\n| where isnotempty(DomainName)\\n| extend parts = split(DomainName, \u0027.\u0027)\\n| extend tld = parts[(array_length(parts)-1)]\\n| summarize count() by tostring(tld)\\n| summarize make_list(tld);\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(DomainName)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n Syslog\\n | where TimeGenerated \u003e ago(dt_lookBack)\\n //Extract domain patterns from syslog message\\n | extend domain = extract(\\\"(([a-z0-9]+(-[a-z0-9]+)*\\\\\\\\.)+[a-z]{2,})\\\",1, tolower(SyslogMessage))\\n | where isnotempty(domain)\\n | extend parts = split(domain, \u0027.\u0027)\\n //Split out the TLD\\n | extend tld = parts[(array_length(parts)-1)]\\n //Validate parsed domain by checking if the TLD is in the list of TLDs in our threat feed\\n | where tld in~ (list_tlds)\\n | extend Syslog_TimeGenerated = TimeGenerated\\n) on $left.DomainName==$right.domain\\n| where Syslog_TimeGenerated \u003c ExpirationDateTime\\n| summarize Syslog_TimeGenerated = arg_max(Syslog_TimeGenerated , *) by IndicatorId, domain\\n| project Syslog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, SyslogMessage, Computer, ProcessName, domain, HostIP, Url\\n| extend timestamp = Syslog_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map Domain entity to Syslog\",\"description\":\"Identifies a match in Syslog table from any Domain IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/19e01883-15d8-4eb6-a7a5-3276cd668388\",\"name\":\"19e01883-15d8-4eb6-a7a5-3276cd668388\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let timeBin = 1m;\\nlet failedThreshold = 20;\\nW3CIISLog\\n| where scStatus in (\\\"401\\\",\\\"403\\\")\\n| where csUserName != \\\"-\\\"\\n| extend scStatusFull = strcat(scStatus, \\\".\\\",scSubStatus) \\n// Map common IIS codes\\n| extend scStatusFull_Friendly = case(\\nscStatusFull == \\\"401.0\\\", \\\"Access denied.\\\",\\nscStatusFull == \\\"401.1\\\", \\\"Logon failed.\\\",\\nscStatusFull == \\\"401.2\\\", \\\"Logon failed due to server configuration.\\\",\\nscStatusFull == \\\"401.3\\\", \\\"Unauthorized due to ACL on resource.\\\",\\nscStatusFull == \\\"401.4\\\", \\\"Authorization failed by filter.\\\",\\nscStatusFull == \\\"401.5\\\", \\\"Authorization failed by ISAPI/CGI application.\\\",\\nscStatusFull == \\\"403.0\\\", \\\"Forbidden.\\\",\\nscStatusFull == \\\"403.4\\\", \\\"SSL required.\\\",\\n\\\"See - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\\")\\n// Mapping to Hex so can be mapped using website in comments above\\n| extend scWin32Status_Hex = tohex(tolong(scWin32Status)) \\n// Map common win32 codes\\n| extend scWin32Status_Friendly = case(\\nscWin32Status_Hex =~ \\\"775\\\", \\\"The referenced account is currently locked out and cannot be logged on to.\\\",\\nscWin32Status_Hex =~ \\\"52e\\\", \\\"Logon failure: Unknown user name or bad password.\\\",\\nscWin32Status_Hex =~ \\\"532\\\", \\\"Logon failure: The specified account password has expired.\\\",\\nscWin32Status_Hex =~ \\\"533\\\", \\\"Logon failure: Account currently disabled.\\\", \\nscWin32Status_Hex =~ \\\"2ee2\\\", \\\"The request has timed out.\\\", \\nscWin32Status_Hex =~ \\\"0\\\", \\\"The operation completed successfully.\\\", \\nscWin32Status_Hex =~ \\\"1\\\", \\\"Incorrect function.\\\", \\nscWin32Status_Hex =~ \\\"2\\\", \\\"The system cannot find the file specified.\\\", \\nscWin32Status_Hex =~ \\\"3\\\", \\\"The system cannot find the path specified.\\\", \\nscWin32Status_Hex =~ \\\"4\\\", \\\"The system cannot open the file.\\\", \\nscWin32Status_Hex =~ \\\"5\\\", \\\"Access is denied.\\\", \\nscWin32Status_Hex =~ \\\"8009030e\\\", \\\"SEC_E_NO_CREDENTIALS\\\", \\nscWin32Status_Hex =~ \\\"8009030C\\\", \\\"SEC_E_LOGON_DENIED\\\", \\n\\\"See - https://msdn.microsoft.com/library/cc231199.aspx\\\")\\n// decode URI when available\\n| extend decodedUriQuery = url_decode(csUriQuery)\\n// Count of failed attempts from same client IP\\n| summarize makeset(decodedUriQuery), makeset(csUserName), makeset(sSiteName), makeset(sPort), makeset(csUserAgent), makeset(csMethod), makeset(csUriQuery), makeset(scStatusFull), makeset(scStatusFull_Friendly), makeset(scWin32Status_Hex), makeset(scWin32Status_Friendly), FailedConnectionsCount = count() by bin(TimeGenerated, timeBin), cIP, Computer, sIP\\n| where FailedConnectionsCount \u003e= failedThreshold\\n| project TimeGenerated, cIP, set_csUserName, set_decodedUriQuery, Computer, set_sSiteName, sIP, set_sPort, set_csUserAgent, set_csMethod, set_scStatusFull, set_scStatusFull_Friendly, set_scWin32Status_Hex, set_scWin32Status_Friendly, FailedConnectionsCount\\n| order by FailedConnectionsCount\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = cIP\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"High count of failed attempts from same client IP\",\"description\":\"Identifies when 20 or more failed attempts from a given client IP in 1 minute occur on the IIS server.\\nThis could be indicative of an attempted brute force. This could also simply indicate a misconfigured service or device.\\nRecommendations: Validate that these are expected connections from the given Client IP. If the client IP is not recognized, \\npotentially block these connections at the edge device.\\nIf these are expected connections, verify the credentials are properly configured on the system, service, application or device \\nthat is associated with the client IP.\\nReferences:\\nIIS status code mapping: https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\nWin32 Status code mapping: https://msdn.microsoft.com/library/cc231199.aspx\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-03-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/dd78a122-d377-415a-afe9-f22e08d2112c\",\"name\":\"dd78a122-d377-415a-afe9-f22e08d2112c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"// Add other permissions to this list as needed\\n let permissions = dynamic([\\\"Mail.Read\\\", \\\"offline_access\\\", \\\"Files.Read\\\", \\\"Notes.Read\\\", \\\"ChannelMessage.Read\\\", \\\"Chat.Read\\\", \\\"TeamsActivity.Read\\\",\\n \\\"Group.Read\\\", \\\"EWS.AccessAsUser.All\\\", \\\"EAS.AccessAsUser.All\\\"]);\\n AuditLogs\\n | where OperationName =~ \\\"Add app role assignment to service principal\\\"\\n | mv-expand TargetResources[0].modifiedProperties\\n | extend TargetResources_0_modifiedProperties = columnifexists(\\\"TargetResources_0_modifiedProperties\\\", \u0027\u0027)\\n | where isnotempty(TargetResources_0_modifiedProperties)\\n | where TargetResources_0_modifiedProperties.displayName =~ \\\"AppRole.Value\\\" or TargetResources_0_modifiedProperties.displayName =~ \\\"DelegatedPermissionGrant.Scope\\\"\\n | extend Permissions = split((parse_json(tostring(TargetResources_0_modifiedProperties.newValue))), \\\" \\\")\\n | where Permissions has_any (permissions)\\n | summarize AddedPermissions=make_set(Permissions) by CorrelationId\\n | join kind=inner (AuditLogs\\n | where OperationName =~ \\\"Add app role assignment to service principal\\\") on CorrelationId\\n | extend InitiatedBy = tostring(iff(isnotempty(InitiatedBy.user.userPrincipalName),InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName))\\n | extend ServicePrincipal = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[4].newValue)))\\n | extend SPID = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[6].newValue)))\\n | extend InitiatedBy = pack(\\\"User\\\", InitiatedBy, \\\"UA\\\", UserAgent, \\\"IPAddress\\\", IpAddress)\\n | mv-expand kind=array AddedPermissions\\n | summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), make_set(InitiatedBy), make_set(AddedPermissions) by SPID, ServicePrincipal\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"ServicePrincipal\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"SPID\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Service Principal Assigned App Role With Sensitive Access\",\"description\":\"Detects a Service Principal being assigned an app role that has sensitive access such as Mail.Read.\\n A threat actor who compromises a Service Principal may assign it an app role to allow it to access sensitive data, or to perform other actions.\\n Ensure that any assignment to a Service Principal is valid and appropriate.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-applications#application-granted-highly-privileged-permissions\",\"lastUpdatedDateUTC\":\"2022-07-09T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d9f28fdf-abc8-4f1a-a7e7-1aaec87a2fc5\",\"name\":\"d9f28fdf-abc8-4f1a-a7e7-1aaec87a2fc5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n | where EventID == 4688\\n | where Process =~ \\\"svchost.exe\\\"\\n | where CommandLine has \\\"-k GPSvcGroup\\\" or CommandLine has \\\"-s gpsvc\\\"\\n | extend timekey = bin(TimeGenerated, 1m)\\n | project timekey, NewProcessId, Computer\\n | join kind=inner (SecurityEvent\\n | where EventID == 4688\\n | where Process =~ \\\"sdelete.exe\\\" or CommandLine has \\\"sdelete\\\"\\n | where ParentProcessName endswith \\\"svchost.exe\\\"\\n | where CommandLine has_all (\\\"-s\\\", \\\"-r\\\")\\n | extend newProcess = Process\\n | extend timekey = bin(TimeGenerated, 1m)\\n ) on $left.NewProcessId == $right.ProcessId, timekey, Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Sdelete deployed via GPO and run recursively\",\"description\":\"This query looks for the Sdelete process being run recursively after being deployed to a host via GPO. Attackers could use this technique to deploy Sdelete to multiple host and delete data on them.\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-03-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5dd76a87-9f87-4576-bab3-268b0e2b338b\",\"name\":\"5dd76a87-9f87-4576-bab3-268b0e2b338b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let threshold = 5;\\nlet szSharePointFileOperation = \\\"SharePointFileOperation\\\";\\nlet szOperations = dynamic([\\\"FileDownloaded\\\", \\\"FileUploaded\\\"]);\\nlet starttime = 14d;\\nlet endtime = 1d;\\nlet historicalActivity =\\nOfficeActivity\\n| where TimeGenerated between(ago(starttime)..ago(endtime))\\n| where RecordType =~ szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| where isnotempty(UserAgent)\\n| summarize historicalCount = count() by UserAgent, RecordType, Operation;\\nlet recentActivity = OfficeActivity\\n| where RecordType =~ szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| where TimeGenerated \u003e ago(endtime)\\n| where isnotempty(UserAgent)\\n| summarize min(Start_Time), max(Start_Time), recentCount = count() by UserAgent, RecordType, Operation;\\nlet RareUserAgent = recentActivity | join kind = leftanti (historicalActivity) on UserAgent\\n| order by recentCount desc, UserAgent\\n// More than 5 downloads/uploads from a new user agent today\\n| where recentCount \u003e threshold;\\nOfficeActivity \\n| where TimeGenerated \u003e ago(endtime) \\n| where RecordType =~ szSharePointFileOperation \\n| where Operation in~ (szOperations)\\n| where isnotempty(UserAgent)\\n| join kind= inner (RareUserAgent)\\non UserAgent, RecordType, Operation \\n| where Start_Time between(min_Start_Time .. max_Start_Time)\\n| summarize StartTimeUtc = min(min_Start_Time), EndTimeUtc = max(max_Start_Time) by RecordType, Operation, UserAgent, UserType, UserId, ClientIP, OfficeWorkload, Site_Url, OfficeObjectId, UserAgentSeenCount = recentCount\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Site_Url\\n| order by UserAgentSeenCount desc, UserAgent asc, Operation asc, UserId asc\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"SharePointFileOperation via devices with previously unseen user agents\",\"description\":\"Identifies if the number of documents uploaded or downloaded from device(s) associated\\nwith a previously unseen user agent exceeds a threshold (default is 5).\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-23T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f80d951a-eddc-4171-b9d0-d616bb83efdc\",\"name\":\"f80d951a-eddc-4171-b9d0-d616bb83efdc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"AuditLogs\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where AADOperationType =~ \\\"Assign\\\"\\n| where ActivityDisplayName =~ \\\"Add app role assignment to service principal\\\"\\n| mv-expand TargetResources\\n| mv-expand TargetResources.modifiedProperties\\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\\n| where displayName_ =~ \\\"AppRole.Value\\\"\\n| extend AppRole = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\\n| where AppRole has \\\"RoleManagement.ReadWrite.Directory\\\"\\n| extend InitiatingApp = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n| extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName))\\n| extend Target = tostring(parse_json(tostring(TargetResources.modifiedProperties[4].newValue)))\\n| extend TargetId = tostring(parse_json(tostring(TargetResources.modifiedProperties[3].newValue)))\\n| project TimeGenerated, OperationName, Initiator, Target, TargetId, Result\\n| join kind=innerunique (\\n AuditLogs\\n | where LoggedByService =~ \\\"Core Directory\\\"\\n | where Category =~ \\\"RoleManagement\\\"\\n | where AADOperationType in (\\\"Assign\\\", \\\"AssignEligibleRole\\\")\\n | where ActivityDisplayName has_any (\\\"Add eligible member to role\\\", \\\"Add member to role\\\")\\n | mv-expand TargetResources\\n | mv-expand TargetResources.modifiedProperties\\n | extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\\n | where displayName_ =~ \\\"Role.DisplayName\\\"\\n | extend RoleName = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\\n | where RoleName contains \\\"Admin\\\"\\n | extend Initiator = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n | extend InitiatorId = tostring(parse_json(tostring(InitiatedBy.app)).servicePrincipalId)\\n | extend TargetUser = tostring(TargetResources.userPrincipalName)\\n | extend Target = iif(isnotempty(TargetUser), TargetUser, tostring(TargetResources.displayName))\\n | extend TargetType = tostring(TargetResources.type)\\n | extend TargetId = tostring(TargetResources.id)\\n | project TimeGenerated, OperationName, RoleName, Initiator, InitiatorId, Target, TargetId, TargetType, Result\\n) on $left.TargetId == $right.InitiatorId\\n| extend TimeRoleMgGrant = TimeGenerated, TimeAdminPromo = TimeGenerated1, ServicePrincipal = Initiator1, ServicePrincipalId = InitiatorId,\\n TargetObject = Target1, TargetObjectId = TargetId1, TargetObjectType = TargetType\\n| where TimeRoleMgGrant \u003c TimeAdminPromo\\n| project TimeRoleMgGrant, TimeAdminPromo, RoleName, ServicePrincipal, ServicePrincipalId, TargetObject, TargetObjectId, TargetObjectType\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ServicePrincipal\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetObject\"}]}],\"tactics\":[\"PrivilegeEscalation\",\"Persistence\"],\"displayName\":\"Admin promotion after Role Management Application Permission Grant\",\"description\":\"This rule looks for a service principal being granted the Microsoft Graph RoleManagement.ReadWrite.Directory (application) permission before being used to add an Azure AD object or user account to an Admin directory role (i.e. Global Administrators).\\nThis is a known attack path that is usually abused when a service principal already has the AppRoleAssignment.ReadWrite.All permission granted. This permission Allows an app to manage permission grants for application permissions to any API.\\nA service principal can promote itself or other service principals to admin roles (i.e. Global Administrators). This would be considered a privilege escalation technique.\\nRef : https://docs.microsoft.com/graph/permissions-reference#role-management-permissions, https://docs.microsoft.com/graph/api/directoryrole-post-members?view=graph-rest-1.0\u0026tabs=http\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2021-11-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/79f29feb-6a9d-4cdf-baaa-2daf480a5da1\",\"name\":\"79f29feb-6a9d-4cdf-baaa-2daf480a5da1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let timeframe = 1h;\\nlet last1h = CommonSecurityLog \\n| where TimeGenerated \u003e= ago(timeframe)\\n| where isempty(CommunicationDirection) \\n| where DeviceEventClassID == \\\"733100\\\"\\n| extend SourceOfDropRateCount = tostring(split(tostring(split(Message, \\\"]\\\")[0]),\\\"[ \\\")[1])\\n| extend splitMessage = split(Message, \\\".\\\")\\n| extend DropRate = tostring(split(tostring(splitMessage[0]),\\\"] \\\")[1])\\n| extend CurrentBurstRate = split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[0]),\\\"is \\\")\\n| extend CurrentBurstRatePerSec = toint(split(tostring(CurrentBurstRate[1]),\\\" \\\")[0])\\n| extend MaxConfiguredBurstRate = toint(CurrentBurstRate[2])\\n| extend CurrentAvgRate = split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[1]),\\\"is \\\")\\n| extend CurrentAvgRatePerSec = toint(split(tostring(CurrentAvgRate[1]),\\\" \\\")[0])\\n| extend MaxConfiguredAvgRate = toint(CurrentAvgRate[2])\\n| extend CumulativeTotal = toint(split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[2]),\\\"is \\\")[1])\\n| summarize last1hCumTotal = sum(CumulativeTotal), last1hAvgRatePerSec = avg(CurrentAvgRatePerSec), last1hAvgBurstRatePerSec = avg(CurrentBurstRatePerSec) by DeviceName, DeviceEventClassID, SourceIP, SourceOfDropRateCount, DropRate;\\nlet prev6h = CommonSecurityLog \\n| where TimeGenerated between (ago(6h) .. ago(1h))\\n| where isempty(CommunicationDirection) \\n| where DeviceEventClassID == \\\"733100\\\"\\n| extend SourceOfDropRateCount = tostring(split(tostring(split(Message, \\\"]\\\")[0]),\\\"[ \\\")[1])\\n| extend splitMessage = split(Message, \\\".\\\")\\n| extend DropRate = tostring(split(tostring(splitMessage[0]),\\\"] \\\")[1])\\n| extend CurrentBurstRate = split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[0]),\\\"is \\\")\\n| extend prevCurrentBurstRatePerSec = toint(split(tostring(CurrentBurstRate[1]),\\\" \\\")[0])\\n| extend prevMaxConfiguredBurstRate = toint(CurrentBurstRate[2])\\n| extend CurrentAvgRate = split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[1]),\\\"is \\\")\\n| extend prevCurrentAvgRatePerSec = toint(split(tostring(CurrentAvgRate[1]),\\\" \\\")[0])\\n| extend prevMaxConfiguredAvgRate = toint(CurrentAvgRate[2])\\n| extend prevCumulativeTotal = toint(split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[2]),\\\"is \\\")[1])\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), prev6hCumTotal = sum(prevCumulativeTotal), prev6hAvgRatePerSec = avg(prevCurrentAvgRatePerSec), prev6hAvgBurstRatePerSec = avg(prevCurrentBurstRatePerSec) \\nby DeviceName, DeviceEventClassID, SourceIP, SourceOfDropRateCount, DropRate;\\nlast1h | join (\\n prev6h \\n) on DeviceName, DeviceEventClassID, SourceIP, SourceOfDropRateCount, DropRate\\n| project StartTimeUtc, EndTimeUtc, DeviceName, DeviceEventClassID, SourceIP, SourceOfDropRateCount, DropRate, last1hCumTotal, prev6hCumTotal, prev6hAvgCumTotal = prev6hCumTotal/6, last1hAvgRatePerSec, prev6hAvgRatePerSec, last1hAvgBurstRatePerSec, prev6hAvgBurstRatePerSec\\n// Select only events that indicate a doubling of the expected rate in the last hour over the previous 6 hours\\n| where last1hCumTotal \u003e 2*prev6hAvgCumTotal or last1hAvgRatePerSec \u003e 2*prev6hAvgRatePerSec or last1hAvgBurstRatePerSec \u003e 2*prev6hAvgBurstRatePerSec\\n| extend timestamp = StartTimeUtc, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Discovery\",\"Impact\"],\"displayName\":\"Cisco ASA - average attack detection rate increase\",\"description\":\"This will help you determine if Cisco ASA devices are under heavier attack than normal over the last hour versus the previous 6 hours based on DeviceEventClassID 733100\\nReferences: https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs9.html\\nDetails on how to further troubleshoot/investigate: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113685-asa-threat-detection.html\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/826bb2f8-7894-4785-9a6b-a8a855d8366f\",\"name\":\"826bb2f8-7894-4785-9a6b-a8a855d8366f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let EventNameList = dynamic([\\\"AttachUserPolicy\\\",\\\"AttachRolePolicy\\\",\\\"AttachGroupPolicy\\\"]);\\nlet createPolicy = \\\"CreatePolicy\\\";\\nlet timeframe = 1d;\\nlet lookback = 14d;\\n// Creating Master table with all the events to use with materialize for better performance\\nlet EventInfo = AWSCloudTrail\\n| where TimeGenerated \u003e= ago(lookback)\\n| where EventName in (EventNameList) or EventName == createPolicy;\\n//Checking for Policy creation event with Full Admin Privileges since lookback period.\\nlet FullAdminPolicyEvents = materialize( EventInfo\\n| where TimeGenerated \u003e= ago(lookback)\\n| where EventName == createPolicy\\n| extend PolicyName = tostring(parse_json(RequestParameters).policyName)\\n| extend Statement = parse_json(tostring((parse_json(RequestParameters).policyDocument))).Statement\\n| mvexpand Statement\\n| extend Action = parse_json(Statement).Action , Effect = tostring(parse_json(Statement).Effect), Resource = tostring(parse_json(Statement).Resource)\\n| mvexpand Action\\n| extend Action = tostring(Action)\\n| where Effect =~ \\\"Allow\\\" and Action == \\\"*\\\" and Resource == \\\"*\\\"\\n| distinct TimeGenerated, EventName, PolicyName, SourceIpAddress, UserIdentityArn, UserIdentityUserName\\n| extend UserIdentityUserName = iff(isnotempty(UserIdentityUserName), UserIdentityUserName, tostring(split(UserIdentityArn,\u0027/\u0027)[-1]))\\n| project-rename StartTime = TimeGenerated );\\nlet PolicyAttach = materialize( EventInfo\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where EventName in (EventNameList)\\n| extend PolicyName = tostring(split(tostring(parse_json(RequestParameters).policyArn),\\\"/\\\")[1])\\n| summarize AttachEventCount=count(), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventSource, EventName, UserIdentityType , UserIdentityArn, SourceIpAddress, UserIdentityUserName = iff(isnotempty(UserIdentityUserName), UserIdentityUserName, tostring(split(UserIdentityArn,\u0027/\u0027)[-1])), PolicyName\\n| extend AttachEvent = pack(\\\"StartTime\\\", StartTime, \\\"EndTime\\\", EndTime, \\\"EventName\\\", EventName, \\\"UserIdentityType\\\", UserIdentityType, \\\"UserIdentityArn\\\", UserIdentityArn, \\\"SourceIpAddress\\\", SourceIpAddress, \\\"UserIdentityUserName\\\", UserIdentityUserName)\\n| project EventSource, PolicyName, AttachEvent, AttachEventCount\\n);\\n// Joining the list of PolicyNames and checking if it has been attached to any Roles/Users/Groups.\\n// These Roles/Users/Groups will be Privileged and can be used by adversaries as pivot point for privilege escalation via multiple ways.\\nFullAdminPolicyEvents\\n| join kind=leftouter\\n(\\n PolicyAttach\\n)\\non PolicyName\\n| project-away PolicyName1\\n| extend timestamp = StartTime, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Full Admin policy created and then attached to Roles, Users or Groups\",\"description\":\"Identity and Access Management (IAM) securely manages access to AWS services and resources. \\nIdentifies when a policy is created with Full Administrators Access (Allow-Action:*,Resource:*). \\nThis policy can be attached to role,user or group and may be used by an adversary to escalate a normal user privileges to an adminsitrative level.\\nAWS IAM Policy Grammar: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_grammar.html\\nand AWS IAM API at https://docs.aws.amazon.com/IAM/latest/APIReference/API_Operations.html\",\"lastUpdatedDateUTC\":\"2022-01-16T00:00:00Z\",\"createdDateUTC\":\"2020-04-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/34c5aff9-a8c2-4601-9654-c7e46342d03b\",\"name\":\"34c5aff9-a8c2-4601-9654-c7e46342d03b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"let starttime = 14d;\\nlet timeframe = 1d;\\nlet scorethreshold = 3;\\nlet baselinethreshold = 5;\\nlet aadFunc = (tableName:string){\\n IdentityInfo\\n | where TimeGenerated \u003e ago(starttime)\\n | summarize arg_max(TimeGenerated, *) by AccountUPN\\n | mv-expand AssignedRoles\\n | where AssignedRoles matches regex \u0027Admin\u0027\\n | summarize Roles = make_list(AssignedRoles) by AccountUPN = tolower(AccountUPN)\\n | join kind=inner (\\n table(tableName)\\n | where TimeGenerated between (startofday(ago(starttime))..startofday(now()))\\n | where ResultType != 0\\n | extend UserPrincipalName = tolower(UserPrincipalName)\\n ) on $left.AccountUPN == $right.UserPrincipalName\\n | extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, Roles = tostring(Roles)\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nlet allSignins = union isfuzzy=true aadSignin, aadNonInt;\\nlet TimeSeriesAlerts = \\n allSignins\\n | make-series HourlyCount=count() on TimeGenerated from startofday(ago(starttime)) to startofday(now()) step 1h by UserPrincipalName, Roles\\n | extend (anomalies, score, baseline) = series_decompose_anomalies(HourlyCount, scorethreshold, -1, \u0027linefit\u0027)\\n | mv-expand HourlyCount to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to typeof(double), baseline to typeof(long)\\n // Filtering low count events per baselinethreshold\\n | where anomalies \u003e 0 and baseline \u003e baselinethreshold\\n | extend AnomalyHour = TimeGenerated\\n | project UserPrincipalName, Roles, AnomalyHour, TimeGenerated, HourlyCount, baseline, anomalies, score;\\n// Filter the alerts for specified timeframe\\nTimeSeriesAlerts\\n| where TimeGenerated \u003e startofday(ago(timeframe))\\n| join kind=inner ( \\n allSignins\\n | where TimeGenerated \u003e startofday(ago(timeframe))\\n // create a new column and round to hour\\n | extend DateHour = bin(TimeGenerated, 1h)\\n | summarize PartialFailedSignins = count(), LatestAnomalyTime = arg_max(TimeGenerated, *) by bin(TimeGenerated, 1h), OperationName, Category, ResultType, ResultDescription, UserPrincipalName, Roles, UserDisplayName, AppDisplayName, ClientAppUsed, IPAddress, ResourceDisplayName\\n) on UserPrincipalName, $left.AnomalyHour == $right.DateHour\\n| project LatestAnomalyTime, OperationName, Category, UserPrincipalName, Roles = todynamic(Roles), UserDisplayName, ResultType, ResultDescription, AppDisplayName, ClientAppUsed, UserAgent, IPAddress, Location, AuthenticationRequirement, ConditionalAccessStatus, ResourceDisplayName, PartialFailedSignins, TotalFailedSignins = HourlyCount, baseline, anomalies, score\\n| extend timestamp = LatestAnomalyTime, IPCustomEntity = IPAddress, AccountCustomEntity = UserPrincipalName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Privileged Accounts - Sign in Failure Spikes\",\"description\":\" Identifies spike in failed sign-ins from Privileged accounts. Privileged accounts list can be based on IdentityInfo UEBA table or built-in watchlist.\\nSpike is determined based on Time series anomaly which will look at historical baseline values.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor\",\"lastUpdatedDateUTC\":\"2022-01-25T00:00:00Z\",\"createdDateUTC\":\"2021-10-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/106813db-679e-4382-a51b-1bfc463befc3\",\"name\":\"106813db-679e-4382-a51b-1bfc463befc3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.0\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(Url)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n CommonSecurityLog\\n | extend IngestionTime = ingestion_time()\\n | where IngestionTime \u003e ago(dt_lookBack)\\n // Select on Palo Alto logs\\n | where DeviceVendor =~ \\\"Palo Alto Networks\\\"\\n | where DeviceEventClassID =~ \u0027url\u0027\\n //Uncomment the line below to only alert on allowed connections\\n //| where DeviceAction !~ \\\"block-url\\\"\\n //Select logs where URL data is populated\\n | extend PA_Url = columnifexists(\\\"RequestURL\\\", \\\"None\\\")\\n | extend PA_Url = iif(isempty(PA_Url), extract(\\\"([^\\\\\\\"]+)\\\", 1, tolower(AdditionalExtensions)), trim(\u0027\\\"\u0027, PA_Url))\\n | extend PA_Url = iif(PA_Url !startswith \\\"http://\\\" and ApplicationProtocol !~ \\\"ssl\\\", strcat(\u0027http://\u0027, PA_Url), iif(PA_Url !startswith \\\"https://\\\" and ApplicationProtocol =~ \\\"ssl\\\", strcat(\u0027https://\u0027, PA_Url), PA_Url))\\n | where isnotempty(PA_Url)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n) on $left.Url == $right.PA_Url\\n| where CommonSecurityLog_TimeGenerated \u003c ExpirationDateTime\\n| summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, PA_Url\\n| project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DeviceAction, SourceIP, PA_Url, DeviceName\\n| extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, URLCustomEntity = PA_Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map URL entity to PaloAlto data\",\"description\":\"Identifies a match in PaloAlto data from any URL IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/884ead54-cb3f-4676-a1eb-b26532d6cbfd\",\"name\":\"884ead54-cb3f-4676-a1eb-b26532d6cbfd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let SensitiveOperationList = dynamic(\\n[\\\"VaultDelete\\\", \\\"KeyDelete\\\", \\\"SecretDelete\\\", \\\"SecretPurge\\\", \\\"KeyPurge\\\", \\\"SecretBackup\\\", \\\"KeyBackup\\\"]);\\nAzureDiagnostics\\n| extend ResultType = columnifexists(\\\"ResultType\\\", \\\"NoResultType\\\")\\n| extend requestUri_s = columnifexists(\\\"requestUri_s\\\", \\\"None\\\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"None\\\")\\n| extend id_s = columnifexists(\\\"id_s\\\", \\\"None\\\"), CallerIPAddress = columnifexists(\\\"CallerIPAddress\\\", \\\"None\\\"), clientInfo_s = columnifexists(\\\"clientInfo_s\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \\\"None\\\" and isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\\n| where id_s !~ \\\"None\\\" and isnotempty(id_s)\\n| where CallerIPAddress !~ \\\"None\\\" and isnotempty(CallerIPAddress)\\n| where clientInfo_s !~ \\\"None\\\" and isnotempty(clientInfo_s)\\n| where requestUri_s !~ \\\"None\\\" and isnotempty(requestUri_s)\\n| where ResourceType =~ \\\"VAULTS\\\" and ResultType =~ \\\"Success\\\"\\n| where OperationName in~ (SensitiveOperationList)\\n| summarize EventCount=count(), StartTimeUtc=min(TimeGenerated), EndTimeUtc=max(TimeGenerated), TimeTriggered=makelist(TimeGenerated),OperationNameList=make_set(OperationName), RequestURLList=make_set(requestUri_s), CallerIPList = make_set(CallerIPAddress), CallerIPMax= arg_max(CallerIPAddress,*) by ResourceType, ResultType, Resource, id_s, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, clientInfo_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"CallerIPMax\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"NRT Sensitive Azure Key Vault operations\",\"description\":\"Identifies when sensitive Azure Key Vault operations are used. This includes: VaultDelete, KeyDelete, SecretDelete, SecretPurge, KeyPurge, SecretBackup, KeyBackup.\\nAny Backup operations should match with expected scheduled backup activity.\",\"lastUpdatedDateUTC\":\"2022-02-07T00:00:00Z\",\"createdDateUTC\":\"2019-07-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureKeyVault\",\"dataTypes\":[\"KeyVaultData\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/95dc4ae3-e0f2-48bd-b996-cdd22b90f9af\",\"name\":\"95dc4ae3-e0f2-48bd-b996-cdd22b90f9af\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"(union isfuzzy=true\\n(\\nAuditLogs\\n| where OperationName =~ \\\"Set federation settings on domain\\\"\\n//| where Result =~ \\\"success\\\" // commenting out, as it may be interesting to capture failed attempts\\n| mv-expand TargetResources\\n| extend modifiedProperties = parse_json(TargetResources).modifiedProperties\\n| mv-expand modifiedProperties\\n| extend targetDisplayName = tostring(parse_json(modifiedProperties).displayName)\\n| mv-expand AdditionalDetails\\n),\\n(\\nAuditLogs\\n| where OperationName =~ \\\"Set domain authentication\\\"\\n//| where Result =~ \\\"success\\\" // commenting out, as it may be interesting to capture failed attempts\\n| mv-expand TargetResources\\n| extend modifiedProperties = parse_json(TargetResources).modifiedProperties\\n| mv-expand modifiedProperties\\n| extend targetDisplayName = tostring(parse_json(modifiedProperties).displayName), NewDomainValue=tostring(parse_json(modifiedProperties).newValue)\\n| where NewDomainValue has \\\"Federated\\\"\\n)\\n)\\n| extend UserAgent = iff(AdditionalDetails.key == \\\"User-Agent\\\",tostring(AdditionalDetails.value),\\\"\\\")\\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, AADOperationType, targetDisplayName, Result, InitiatingIpAddress, UserAgent, CorrelationId, TenantId, AADTenantId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingUserOrApp, IPCustomEntity = InitiatingIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Modified domain federation trust settings\",\"description\":\"This will alert when a user or application modifies the federation settings on the domain or Update domain authentication from Managed to Federated.\\nFor example, this alert will trigger when a new Active Directory Federated Service (ADFS) TrustedRealm object, such as a signing certificate, is added to the domain.\\nModification to domain federation settings should be rare. Confirm the added or modified target domain/URL is legitimate administrator behavior.\\nTo understand why an authorized user may update settings for a federated domain in Office 365, Azure, or Intune, see: https://docs.microsoft.com/office365/troubleshoot/active-directory/update-federated-domain-office-365.\\nFor details on security realms that accept security tokens, see the ADFS Proxy Protocol (MS-ADFSPP) specification: https://docs.microsoft.com/openspecs/windows_protocols/ms-adfspp/e7b9ea73-1980-4318-96a6-da559486664b.\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2022-01-16T00:00:00Z\",\"createdDateUTC\":\"2020-12-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ac891683-53c3-4f86-86b4-c361708e2b2b\",\"name\":\"ac891683-53c3-4f86-86b4-c361708e2b2b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"// Allowlisted UPNs should likely stay empty\\nlet AllowlistedUpns = datatable(UPN:string)[\u0027foo@bar.com\u0027, \u0027test@foo.com\u0027];\\n// Operation Name parts that will alert\\nlet HasAnyBlocklist = datatable(OperationNamePart:string)[\u0027Security.\u0027,\u0027Project.\u0027,\u0027AuditLog.\u0027,\u0027Extension.\u0027];\\n// Distinct Operation Names that will flag\\nlet HasExactBlocklist = datatable(OperationName:string)[\u0027Group.UpdateGroupMembership.Add\u0027,\u0027Library.ServiceConnectionExecuted\u0027,\u0027Pipelines.PipelineModified\u0027,\\n\u0027Release.ReleasePipelineModified\u0027, \u0027Git.RefUpdatePoliciesBypassed\u0027];\\nAzureDevOpsAuditing\\n| where AuthenticationMechanism startswith \\\"PAT\\\" and (OperationName has_any (HasAnyBlocklist) or OperationName in (HasExactBlocklist))\\n and ActorUPN !in (AllowlistedUpns)\\n| project TimeGenerated, AuthenticationMechanism, ProjectName, ActorUPN, ActorDisplayName, IpAddress, UserAgent, OperationName, Details, Data\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Execution\",\"Impact\"],\"displayName\":\"Azure DevOps Personal Access Token (PAT) misuse\",\"description\":\"This Alert detects whenever a PAT is used in ways that PATs are not normally used. May require an allow list and baselining.\\nReference - https://docs.microsoft.com/azure/devops/organizations/accounts/use-personal-access-tokens-to-authenticate?view=azure-devops\u0026tabs=preview-page\\nUse this query for baselining:\\nAzureDevOpsAuditing\\n| distinct OperationName\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2020-06-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/acfdee3f-b794-404a-aeba-ef6a1fa08ad1\",\"name\":\"acfdee3f-b794-404a-aeba-ef6a1fa08ad1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"let lookback = 14d;\\nlet timewindow = 7d;\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(lookback)\\n| where OperationName =~ \\\"Library.AgentPoolCreated\\\"\\n| extend AgentCloudId = tostring(Data.AgentCloudId)\\n| extend PoolType = iif(isnotempty(AgentCloudId), \\\"Azure VMs\\\", \\\"Self Hosted\\\")\\n// Comment this line out to include cloud pools as well\\n| where PoolType == \\\"Self Hosted\\\"\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n| extend AgentPoolId = tostring(Data.AgentPoolId)\\n| extend IsHosted = tostring(Data.IsHosted)\\n| extend IsLegacy = tostring(Data.IsLegacy)\\n| extend timekey = bin(TimeGenerated, timewindow)\\n// Join only with pools deleted in the same window\\n| join (AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(lookback)\\n| where OperationName =~ \\\"Library.AgentPoolDeleted\\\"\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n| extend AgentPoolId = tostring(Data.AgentPoolId)\\n| extend timekey = bin(TimeGenerated, timewindow)) on AgentPoolId, timekey\\n| project-reorder TimeGenerated, ActorUPN, UserAgent, IpAddress, AuthenticationMechanism, OperationName, AgentPoolName, IsHosted, IsLegacy, Data\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure DevOps Agent Pool Created Then Deleted\",\"description\":\"As well as adding build agents to an existing pool to execute malicious activity within a pipeline, an attacker could create a complete new agent pool and use this for execution.\\nAzure DevOps allows for the creation of agent pools with Azure hosted infrastructure or self-hosted infrastructure. Given the additional customizability of self-hosted agents this \\ndetection focuses on the creation of new self-hosted pools. To further reduce false positive rates the detection looks for pools created and deleted relatively quickly (within 7 days by default), \\nas an attacker is likely to remove a malicious pool once used in order to reduce/remove evidence of their activity.\",\"lastUpdatedDateUTC\":\"2022-01-17T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/26a3b261-b997-4374-94ea-6c37f67f4f39\",\"name\":\"26a3b261-b997-4374-94ea-6c37f67f4f39\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.5.1\",\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"asyspy256.ddns.net\\\",\\\"hotkillmail9sddcc.ddns.net\\\",\\\"rosaf112.ddns.net\\\",\\\"cvdfhjh1231.myftp.biz\\\",\\\"sz2016rose.ddns.net\\\",\\\"dffwescwer4325.myftp.biz\\\",\\\"cvdfhjh1231.ddns.net\\\"]);\\nlet SHA1Hash = dynamic ([\\\"53a44c2396d15c3a03723fa5e5db54cafd527635\\\", \\\"9c5e496921e3bc882dc40694f1dcc3746a75db19\\\", \\\"aeb573accfd95758550cf30bf04f389a92922844\\\", \\\"79ef78a797403a4ed1a616c68e07fff868a8650a\\\", \\\"4f6f38b4cec35e895d91c052b1f5a83d665c2196\\\", \\\"1e8c2cac2e4ce7cbd33c3858eb2e24531cb8a84d\\\", \\\"e841a63e47361a572db9a7334af459ddca11347a\\\", \\\"c28f606df28a9bc8df75a4d5e5837fc5522dd34d\\\", \\\"2e94b305d6812a9f96e6781c888e48c7fb157b6b\\\", \\\"dd44133716b8a241957b912fa6a02efde3ce3025\\\", \\\"8793bf166cb89eb55f0593404e4e933ab605e803\\\", \\\"a39b57032dbb2335499a51e13470a7cd5d86b138\\\", \\\"41cc2b15c662bc001c0eb92f6cc222934f0beeea\\\", \\\"d209430d6af54792371174e70e27dd11d3def7a7\\\", \\\"1c6452026c56efd2c94cea7e0f671eb55515edb0\\\", \\\"c6b41d3afdcdcaf9f442bbe772f5da871801fd5a\\\", \\\"4923d460e22fbbf165bbbaba168e5a46b8157d9f\\\", \\\"f201504bd96e81d0d350c3a8332593ee1c9e09de\\\", \\\"ddd2db1127632a2a52943a2fe516a2e7d05d70d2\\\"]);\\nlet SHA256Hash = dynamic ([\\\"9ae7c4a4e1cfe9b505c3a47e66551eb1357affee65bfefb0109d02f4e97c06dd\\\", \\\"7772d624e1aed327abcd24ce2068063da0e31bb1d5d3bf2841fc977e198c6c5b\\\", \\\"657fc7e6447e0065d488a7db2caab13071e44741875044f9024ca843fe4e86b5\\\", \\\"2ef157a97e28574356e1d871abf75deca7d7a1ea662f38b577a06dd039dbae29\\\", \\\"52fd7b90d7144ac448af4008be639d4d45c252e51823f4311011af3207a5fc77\\\", \\\"a370e47cb97b35f1ae6590d14ada7561d22b4a73be0cb6df7e851d85054b1ac3\\\", \\\"5bf80b871278a29f356bd42af1e35428aead20cd90b0c7642247afcaaa95b022\\\", \\\"6f690ccfd54c2b02f0c3cb89c938162c10cbeee693286e809579c540b07ed883\\\", \\\"3c884f776fbd16597c072afd81029e8764dd57ee79d798829ca111f5e170bd8e\\\", \\\"1922a419f57afb351b58330ed456143cc8de8b3ebcbd236d26a219b03b3464d7\\\", \\\"fe0e4ef832b62d49b43433e10c47dc51072959af93963c790892efc20ec422f1\\\", \\\"7ce9e1c5562c8a5c93878629a47fe6071a35d604ed57a8f918f3eadf82c11a9c\\\", \\\"178d5ee8c04401d332af331087a80fb4e5e2937edfba7266f9be34a5029b6945\\\", \\\"51f70956fa8c487784fd21ab795f6ba2199b5c2d346acdeef1de0318a4c729d9\\\", \\\"889bca95f1a69e94aaade1e959ed0d3620531dc0fc563be9a8decf41899b4d79\\\", \\\"332ddaa00e2eb862742cb8d7e24ce52a5d38ffb22f6c8bd51162bd35e84d7ddf\\\", \\\"44bcf82fa536318622798504e8369e9dcdb32686b95fcb44579f0b4efa79df08\\\", \\\"63552772fdd8c947712a2cff00dfe25c7a34133716784b6d486227384f8cf3ef\\\", \\\"056744a3c371b5938d63c396fe094afce8fb153796a65afa5103e1bffd7ca070\\\"]);\\nlet SigNames = dynamic([\\\"TrojanDropper:Win32/BlackMould.A!dha\\\", \\\"Trojan:Win32/BlackMould.B!dha\\\", \\\"Trojan:Win32/QuarkBandit.A!dha\\\", \\\"Trojan:Win32/Sidelod.A!dha\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where isnotempty(FileHash)\\n| where FileHash in (SHA256Hash) or DNSName in~ (DomainNames)\\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n),\\n( _Im_Dns(domain_has_any=DomainNames)\\n| extend DNSName = DnsQuery\\n| extend IPAddress = SrcIpAddr\\n),\\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where isnotempty(DNSName)\\n| where DNSName in~ (DomainNames)\\n| extend IPAddress = RemoteIp\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updataing\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Hashes = EventDetail.[16].[\\\"#text\\\"]\\n| parse Hashes with * \u0027SHA1=\u0027 SHA1 \u0027,\u0027 * \\n| where isnotempty(Hashes)\\n| where Hashes in (SHA1Hash) \\n| extend Account = UserName\\n),\\n(SecurityAlert\\n| where ProductName == \\\"Microsoft Defender Advanced Threat Protection\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| where isnotempty(ThreatName)\\n| where ThreatName has_any (SigNames)\\n| extend Computer = tostring(parse_json(Entities)[0].HostName)\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPAddress = SourceHost\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"CredentialAccess\"],\"displayName\":\"Known GALLIUM domains and hashes\",\"description\":\"GALLIUM command and control domains and hash values for tools and malware used by GALLIUM. \\n Matches domain name IOCs related to the GALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes.\\n References: https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/ \",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2019-12-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/52aec824-96c1-4a03-8e44-bb70532e6cea\",\"name\":\"52aec824-96c1-4a03-8e44-bb70532e6cea\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"SecurityEvent\\n| where EventID == 5136 and EventData contains \\\"\u003cData Name=\\\\\\\"ObjectDN\\\\\\\"\u003eCN=AdminSDHolder,CN=System\\\"\\n| parse EventData with * \u0027ObjectDN\\\"\u003e\u0027 ObjectDN \\\"\u003c\\\" *\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Computer, SubjectAccount, SubjectUserSid, SubjectLogonId, ObjectDN\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SubjectAccount\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"AdminSDHolder Modifications\",\"description\":\"This query detects modification in the AdminSDHolder in the Active Directory which could indicate an attempt for persistence. \\nAdminSDHolder Modification is a persistence technique in which an attacker abuses the SDProp process in Active Directory to establish a persistent backdoor to Active Directory.\\nThis query searches for the event id 5136 where the Object DN is AdminSDHolder.\\nRef: https://attack.stealthbits.com/adminsdholder-modification-ad-persistence\",\"lastUpdatedDateUTC\":\"2022-01-20T00:00:00Z\",\"createdDateUTC\":\"2021-12-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8540c842-5bbc-4a24-9fb2-a836c0e55a51\",\"name\":\"8540c842-5bbc-4a24-9fb2-a836c0e55a51\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"AuditLogs\\n| where OperationName =~ \\\"Set federation settings on domain\\\" or OperationName =~ \\\"Set domain authentication\\\"\\n//| where Result =~ \\\"success\\\" // commenting out, as it may be interesting to capture failed attempts\\n| mv-expand TargetResources\\n| extend modifiedProperties = parse_json(TargetResources).modifiedProperties\\n| mv-expand modifiedProperties\\n| extend targetDisplayName = tostring(parse_json(modifiedProperties).displayName), NewDomainValue=tostring(parse_json(modifiedProperties).newValue)\\n| extend Federated = iif(OperationName =~ \\\"Set domain authentication\\\", iif(NewDomainValue has \\\"Federated\\\", True, False), True)\\n| where Federated == True\\n| mv-expand AdditionalDetails\\n| extend UserAgent = iff(AdditionalDetails.key == \\\"User-Agent\\\",tostring(AdditionalDetails.value),\\\"\\\")\\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, AADOperationType, targetDisplayName, Result, InitiatingIpAddress, UserAgent, CorrelationId, TenantId, AADTenantId\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserOrApp\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIpAddress\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"NRT Modified domain federation trust settings\",\"description\":\"This will alert when a user or application modifies the federation settings on the domain or Update domain authentication from Managed to Federated.\\nFor example, this alert will trigger when a new Active Directory Federated Service (ADFS) TrustedRealm object, such as a signing certificate, is added to the domain.\\nModification to domain federation settings should be rare. Confirm the added or modified target domain/URL is legitimate administrator behavior.\\nTo understand why an authorized user may update settings for a federated domain in Office 365, Azure, or Intune, see: https://docs.microsoft.com/office365/troubleshoot/active-directory/update-federated-domain-office-365.\\nFor details on security realms that accept security tokens, see the ADFS Proxy Protocol (MS-ADFSPP) specification: https://docs.microsoft.com/openspecs/windows_protocols/ms-adfspp/e7b9ea73-1980-4318-96a6-da559486664b.\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2022-02-07T00:00:00Z\",\"createdDateUTC\":\"2020-12-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/327cd4ed-ca42-454b-887c-54e1c91363c6\",\"name\":\"327cd4ed-ca42-454b-887c-54e1c91363c6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Microsoft Defender Advanced Threat Protection\",\"displayName\":\"Create incidents based on Microsoft Defender for Endpoint alerts\",\"description\":\"Create incidents based on all alerts generated in Microsoft Defender for Endpoint\",\"lastUpdatedDateUTC\":\"2019-10-24T00:00:00Z\",\"createdDateUTC\":\"2019-10-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftDefenderAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert (MDATP)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0b9ae89d-8cad-461c-808f-0494f70ad5c4\",\"name\":\"0b9ae89d-8cad-461c-808f-0494f70ad5c4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.1.1\",\"severity\":\"Low\",\"query\":\"let PerUserThreshold = 5;\\nlet TotalThreshold = 100;\\nlet action = dynamic([\\\"change\\\", \\\"changed\\\", \\\"reset\\\"]);\\nlet pWord = dynamic([\\\"password\\\", \\\"credentials\\\"]);\\nlet PasswordResetMultiDataSource =\\n(union isfuzzy=true\\n(//Password reset events\\n//4723: An attempt was made to change an account\u0027s password\\n//4724: An attempt was made to reset an accounts password\\nSecurityEvent\\n| where EventID in (\\\"4723\\\",\\\"4724\\\")\\n| project TimeGenerated, Computer, AccountType, Account, Type, TargetUserName),\\n(//Password reset events\\n//4723: An attempt was made to change an account\u0027s password\\n//4724: An attempt was made to reset an accounts password\\nWindowsEvent\\n| where EventID in (\\\"4723\\\",\\\"4724\\\")\\n| extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| extend TargetUserName = tostring(EventData.TargetUserName)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend AccountType=case(Account endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n| project TimeGenerated, Computer, AccountType, Account, Type, TargetUserName),\\n(//Azure Active Directory Password reset events\\nAuditLogs\\n| where OperationName has_any (pWord) and OperationName has_any (action) and Result =~ \\\"success\\\"\\n| extend AccountType = tostring(TargetResources[0].type), Account = tostring(TargetResources[0].userPrincipalName), \\nTargetUserName = tolower(tostring(TargetResources[0].displayName))\\n| project TimeGenerated, AccountType, Account, Computer = \\\"\\\", Type),\\n(//OfficeActive ActiveDirectory Password reset events\\nOfficeActivity\\n| where OfficeWorkload == \\\"AzureActiveDirectory\\\" \\n| where (ExtendedProperties has_any (pWord) or ModifiedProperties has_any (pWord)) and (ExtendedProperties has_any (action) or ModifiedProperties has_any (action))\\n| extend AccountType = UserType, Account = OfficeObjectId \\n| project TimeGenerated, AccountType, Account, Type, Computer = \\\"\\\"),\\n(// Unix syslog password reset events\\nSyslog\\n| where Facility in (\\\"auth\\\",\\\"authpriv\\\")\\n| where SyslogMessage has_any (pWord) and SyslogMessage has_any (action)\\n| extend AccountType = iif(SyslogMessage contains \\\"root\\\", \\\"Root\\\", \\\"Non-Root\\\")\\n| where SyslogMessage matches regex \\\".*password changed for.*\\\"\\n| parse SyslogMessage with * \\\"password changed for\\\" Account\\n| project TimeGenerated, AccountType, Account, Computer = HostName, Type)\\n);\\nlet pwrmd = PasswordResetMultiDataSource\\n| project TimeGenerated, Computer, AccountType, Account, Type, TargetUserName;\\n(union isfuzzy=true \\n(pwrmd\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), Computerlist = make_set(Computer, 25), AccountType = make_set(AccountType, 25), Computer = arg_max(Computer , TimeGenerated), TargetUserList = make_set(TargetUserName, 25), TargetUserName = arg_max(TargetUserName, TimeGenerated), Total=count() by Account, Type\\n| where Total \u003e PerUserThreshold\\n| extend ResetPivot = \\\"PerUserReset\\\"), \\n(pwrmd\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ComputerList = make_set(Computer, 25), AccountList = make_set(Account, 25), AccountType = make_set(AccountType, 25), Computer = arg_max(Computer , TimeGenerated), TargetUserList = make_set(TargetUserName, 25), TargetUserName = arg_max(TargetUserName, TimeGenerated), Total=count() by Type\\n| where Total \u003e TotalThreshold\\n| extend ResetPivot = \\\"TotalUserReset\\\")\\n)\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUserName\"}]}],\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"Multiple Password Reset by user\",\"description\":\"This query will determine multiple password resets by user across multiple data sources. \\nAccount manipulation including password reset may aid adversaries in maintaining access to credentials \\nand certain permission levels within an environment.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2019-09-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d804b39c-03a4-417c-a949-bdbf21fa3305\",\"name\":\"d804b39c-03a4-417c-a949-bdbf21fa3305\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.7.2\",\"severity\":\"Medium\",\"query\":\"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string)\\n[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/MSTICIoCs-ExchangeServerVulnerabilitiesDisclosedMarch2021.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet file_paths = (iocs | where Type =~ \\\"filepath\\\" | project IoC);\\nlet sha256s = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\nlet ips = (iocs | where Type =~ \\\"ip\\\" | project IoC);\\nlet domains = (iocs | where Type =~ \\\"domainname\\\" | project IoC);\\nlet dyndomains = todynamic(toscalar((domains | summarize make_set(IoC))));\\nunion isfuzzy=true\\n(SecurityEvent\\n| where EventID == 4663\\n| where ObjectName in (file_paths)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(WindowsEvent\\n| where EventID == 4663 and EventData has_any (file_paths)\\n| extend ObjectName = tostring(EventData.ObjectName) \\n| where ObjectName in (file_paths)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName), \\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(imFileEvent\\n| where TargetFileName in (file_paths)\\n or\\n TargetFileSHA256 in (sha256s)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUsername, HostCustomEntity = DvcHostname\\n),\\n(DeviceFileEvents\\n| where FolderPath in (file_paths)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountName, HostCustomEntity = DeviceName\\n),\\n(DeviceEvents\\n| where InitiatingProcessSHA256 in (sha256s)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountName, HostCustomEntity = DeviceName\\n),\\n (CommonSecurityLog\\n| where FileHash in (sha256s)\\n| extend timestamp = TimeGenerated\\n),\\n(Event // File iocs\\n//This query uses sysmon data depending on table name used this may need updating\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Hashes = EventDetail.[16].[\\\"#text\\\"]\\n| where isnotempty(Hashes)\\n| parse Hashes with * \u0027SHA256=\u0027 SHA256 \u0027,\u0027 *\\n| where SHA256 in~ (sha256s)\\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = Hashes\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(CommonSecurityLog\\n| where isnotempty(SourceIP) or isnotempty(DestinationIP)\\n| where (SourceIP in (ips) or DestinationIP in (ips) or Message has_any (ips)) or (RequestURL has_any (domains))\\n| extend IPMatch = case(SourceIP in (ips), \\\"SourceIP\\\", DestinationIP in (ips), \\\"DestinationIP\\\", \\\"Message\\\")\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch\\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\")\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = EventDetail.[9].[\\\"#text\\\"], DestinationIP = EventDetail.[14].[\\\"#text\\\"]\\n| where SourceIP in (ips) or DestinationIP in (ips)\\n| extend IPMatch = case( SourceIP in (ips), \\\"SourceIP\\\", DestinationIP in (ips), \\\"DestinationIP\\\", \\\"None\\\")\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n),\\n(WireData\\n| where isnotempty(RemoteIP)\\n| where RemoteIP in (ips)\\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer\\n),\\n(W3CIISLog\\n| where isnotempty(cIP)\\n| where cIP in (ips)\\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName\\n),\\n(\\nWindowsFirewall\\n| where SourceIP in (ips) or DestinationIP in (ips)\\n| extend IPMatch = case( SourceIP in (ips), \\\"SourceIP\\\", DestinationIP in (ips), \\\"DestinationIP\\\", \\\"None\\\")\\n),\\n(\\n _Im_NetworkSession(srcipaddr_has_any_prefix=ips) \\n | extend IPCustomEntity = SrcIpAddr, AccountCustomEntity= User, HostCustomEntity=Hostname\\n),\\n (\\n _Im_NetworkSession(dstipaddr_has_any_prefix=ips) \\n | extend IPCustomEntity = DstIpAddr, AccountCustomEntity= User, HostCustomEntity=Hostname\\n),\\n(_Im_Dns(domain_has_any=dyndomains)\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc\\n)\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Exchange Server Vulnerabilities Disclosed March 2021 IoC Match\",\"description\":\"This detection look for IoCs shared by Microsoft relating to attacks exploiting the Exchange Server vulnerabilities disclosed in March 2021. It looks for SHA256 file hashes, IP addresses and file paths in a number of data sources. This query can also be customized with additional data sources that may include these elements.\\nRef: https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2021-03-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"AzureMonitor(WireData)\",\"dataTypes\":[\"WireData\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog (CheckPoint)\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog (Cisco)\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog (F5)\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog (Fortinet)\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/09ec8fa2-b25f-4696-bfae-05a7b85d7b9e\",\"name\":\"09ec8fa2-b25f-4696-bfae-05a7b85d7b9e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT3H\",\"queryPeriod\":\"PT3H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"High\",\"query\":\"let timeframe = ago(3h);\\nlet threshold = 2;\\nimAuthentication\\n| where TimeGenerated \u003e timeframe\\n| where EventType==\u0027Logon\u0027 and EventResult==\u0027Success\u0027\\n| where isnotempty(SrcGeoCountry)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), Vendors=make_set(EventVendor), Products=make_set(EventProduct)\\n , NumOfCountries = dcount(SrcGeoCountry)\\n by TargetUserId, TargetUsername, TargetUserType\\n| where NumOfCountries \u003e= threshold\\n| extend timestamp = StartTime, AccountCustomEntity = TargetUsername\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"User login from different countries within 3 hours (Uses Authentication Normalization)\",\"description\":\"This query searches for successful user logins from different countries within 3 hours.\\n To use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimAuthentication)\",\"lastUpdatedDateUTC\":\"2022-02-14T00:00:00Z\",\"createdDateUTC\":\"2021-06-14T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/67775878-7f8b-4380-ac54-115e1e828901\",\"name\":\"67775878-7f8b-4380-ac54-115e1e828901\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Medium\",\"query\":\"let HAS_ANY_MAX=10000;\\nlet dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet IP_TI = (ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = coalesce(NetworkIP, NetworkDestinationIP, NetworkSourceIP,EmailSourceIpAddress,\\\"\\\")\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true);\\nlet TI_IP_List=IP_TI | summarize NIPs=dcount(TI_ipEntity), IP_List=make_set( TI_ipEntity) \\n| project IP_List=iff(NIPs \u003e HAS_ANY_MAX, dynamic([]), IP_List);\\n_Im_Dns(starttime=ago(dt_lookBack), response_has_any_prefix=todynamic(toscalar(TI_IP_List)))\\n | extend tilist = toscalar(TI_IP_List)\\n | mv-expand tilist\\n | extend SingleIP=tostring(tilist)\\n | project-away tilist\\n | where has_ipv4(DnsResponseName, SingleIP)\\n | extend DNS_TimeGenerated = TimeGenerated\\n| join IP_TI\\n on $left.SingleIP == $right.TI_ipEntity\\n| where DNS_TimeGenerated \u003e= TimeGenerated and DNS_TimeGenerated \u003c ExpirationDateTime\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, DNS_TimeGenerated,\\nTI_ipEntity, Dvc, EventSubType, SrcIpAddr, DnsQuery, DnsResponseName, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = DNS_TimeGenerated, IPCustomEntity = TI_ipEntity, HostCustomEntity = Dvc, URLCustomEntity = Url\",\"customDetails\":{\"LatestIndicatorTime\":\"LatestIndicatorTime\",\"Description\":\"Description\",\"ActivityGroupNames\":\"ActivityGroupNames\",\"IndicatorId\":\"IndicatorId\",\"ThreatType\":\"ThreatType\",\"ExpirationDateTime\":\"ExpirationDateTime\",\"ConfidenceScore\":\"ConfidenceScore\",\"DNSRequestTime\":\"DNS_TimeGenerated\",\"SourceIPAddress\":\"SrcIpAddr\",\"SubType\":\"EventSubType\",\"DnsQuery\":\"DnsQuery\"},\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"(Preview) TI map IP entity to Dns Events (ASIM DNS Schema)\",\"description\":\"Identifies a match in DNS events from any IP IOC from TI\\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema\",\"lastUpdatedDateUTC\":\"2022-04-27T00:00:00Z\",\"createdDateUTC\":\"2021-09-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ca67c83e-7fff-4127-a3e3-1af66d6d4cad\",\"name\":\"ca67c83e-7fff-4127-a3e3-1af66d6d4cad\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let ProcessCreationEvents=() {\\nlet processEvents=(union isfuzzy=true\\n(SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName,\\nFileName = Process, CommandLine, ParentProcessName\\n),\\n(WindowsEvent\\n| where EventID==4688\\n| where EventData has \\\"TVqQAAMAAAAEAAA\\\"\\n| extend CommandLine = tostring(EventData.CommandLine)\\n| where isnotempty(CommandLine)\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName,\\nFileName = Process, CommandLine, ParentProcessName));\\nprocessEvents};\\nProcessCreationEvents\\n| where CommandLine contains \\\"TVqQAAMAAAAEAAA\\\"\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Execution\",\"DefenseEvasion\"],\"displayName\":\"Base64 encoded Windows process command-lines\",\"description\":\"Identifies instances of a base64 encoded PE file header seen in the process command line parameter.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2018-09-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/90586451-7ba8-4c1e-9904-7d1b7c3cc4d6\",\"name\":\"90586451-7ba8-4c1e-9904-7d1b7c3cc4d6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Azure Security Center\",\"severitiesFilter\":[\"Low\",\"Medium\",\"High\"],\"displayName\":\"Create incidents based on Microsoft Defender for Cloud\",\"description\":\"Create incidents based on all alerts generated in Microsoft Defender for Cloud\",\"lastUpdatedDateUTC\":\"2021-07-25T00:00:00Z\",\"createdDateUTC\":\"2019-07-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert (ASC)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d57c33a9-76b9-40e0-9dfa-ff0404546410\",\"name\":\"d57c33a9-76b9-40e0-9dfa-ff0404546410\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"// Adjust this to use a longer timeframe to identify ADFS servers\\n//let lookback = 0d;\\n// Adjust this to adjust detection timeframe\\n//let timeframe = 1d;\\n// Filter out other servers in the AD FS farm\\nlet ADFSServersList = dynamic([\\\"ADFS02.domain.com\\\",\\\"ADFS03.domain.com\\\"]);\\n// Start by identifying ADFS servers to reduce FP chance\\nlet ADFS_Servers = (\\nEvent\\n//| where TimeGenerated \u003e ago(timeframe+lookback)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 18\\n| where Computer !in (ADFSServersList)\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, MG, ManagementGroupName, _ResourceId)\\n| extend Image = column_ifexists(\\\"Image\\\", \\\"\\\")\\n| extend process = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n| where process =~ \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| summarize by Computer\\n);\\n// Look for ADFS servers receiving connections over port 80\\nEvent\\n//| where TimeGenerated \u003e ago(timeframe)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where Computer in~ (ADFS_Servers)\\n| extend RenderedDescription = tostring(split(RenderedDescription, \\\":\\\")[0])\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, RenderedDescription, MG, ManagementGroupName, _ResourceId)\\n| extend RuleName = column_ifexists(\\\"RuleName\\\", \\\"\\\"), TechniqueId = column_ifexists(\\\"TechniqueId\\\", \\\"\\\"), TechniqueName = column_ifexists(\\\"TechniqueName\\\", \\\"\\\")\\n| parse RuleName with * \u0027technique_id=\u0027 TechniqueId \u0027,\u0027 * \u0027technique_name=\u0027 TechniqueName\\n| where EventID == 3\\n// Look for endpoints connecting to the AD FS server over port 80\\n| extend DestinationPort = column_ifexists(\\\"DestinationPort\\\", \\\"\\\"), Image = column_ifexists(\\\"Image\\\", \\\"\\\"), Initiated = column_ifexists(\\\"Initiated\\\", \\\"\\\"), SourceIp = column_ifexists(\\\"DestinationIp\\\", \\\"\\\"), DestinationIp = column_ifexists(\\\"DestinationIp\\\", \\\"\\\")\\n| where DestinationPort == 80\\n| extend process = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n// Look for the System process receiving connections\\n| where process == \u0027System\u0027 and Initiated == \u0027false\u0027\\n| where DestinationIp !in (\u0027::1\u0027,\u00270:0:0:0:0:0:0:1\u0027)\\n| extend Operation = RenderedDescription\\n| project-reorder TimeGenerated, Operation, Image, Computer, UserName\\n| extend HostCustomEntity = Computer, AccountCustomEntity = UserName, IPCustomEntity = SourceIp\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Collection\"],\"displayName\":\"AD FS Remote HTTP Network Connection\",\"description\":\"This detection uses Sysmon events (NetworkConnect events) to detect incoming network traffic on port 80 on AD FS servers. This could be a sign of a threat actor\\ntrying to use replication services on the AD FS server to get its configuration settings and extract sensitive information such as AD FS certificates.\\nIn order to use this query you need to enable Sysmon telemetry on the AD FS Server.\\nReference: https://twitter.com/OTR_Community/status/1387038995016732672\\n\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c1faf5e8-6958-11ec-90d6-0242ac120003\",\"name\":\"c1faf5e8-6958-11ec-90d6-0242ac120003\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n| where EventID == 4720 and TargetUserName endswith \\\"$\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Computer, SubjectUserName, SubjectUserSid, SubjectLogonId, TargetUserName, TargetSid\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SubjectUserName\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Fake computer account created\",\"description\":\"This query detects domain user accounts creation (event ID 4720) where the username ends with $. \\nAccounts that end with $ are normally domain computer accounts and when they are created the event ID 4741 is generated instead.\\nRef: https://blog.menasec.net/2019/02/threat-hunting-6-hiding-in-plain-sights.html\",\"lastUpdatedDateUTC\":\"2022-01-19T00:00:00Z\",\"createdDateUTC\":\"2021-12-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/04384937-e927-4595-8f3c-89ff58ed231f\",\"name\":\"04384937-e927-4595-8f3c-89ff58ed231f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let IPs = dynamic ([\\\"199.249.230.\\\",\\\"185.220.101.\\\",\\\"23.129.64.\\\",\\\"109.70.100.\\\",\\\"185.220.102.\\\"]);\\nOfficeActivity\\n| where RecordType in (\\\"AzureActiveDirectoryAccountLogon\\\", \\\"AzureActiveDirectoryStsLogon\\\") \\n| where Operation != \u0027UserLoggedIn\u0027\\n| extend UserAgent = iff(parse_json(ExtendedProperties)[0].Name =~ \\\"UserAgent\\\", extractjson(\\\"$[0].Value\\\", ExtendedProperties, typeof(string)),\\\"\\\")\\n| mv-expand parse_json(ExtendedProperties)\\n| where ExtendedProperties.Name =~ \\\"RequestType\\\"\\n| extend RequestType = ExtendedProperties.Value\\n| where ClientIP has_any (IPs)\\n| summarize authAttempts=dcount(TimeGenerated), firstAttempt=min(TimeGenerated), lastAttempt=max(TimeGenerated), uniqueIPs=dcount(ClientIP), uniqueAccounts=dcount(UserId), attemptedAccounts=make_set(UserId) by UserAgent\\n| where authAttempts \u003e 2500\\n| extend timestamp = firstAttempt\\n| sort by uniqueAccounts\",\"entityMappings\":[],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Possible STRONTIUM attempted credential harvesting - Sept 2020\",\"description\":\"Surfaces potential STRONTIUM group Office365 credential harvesting attempts within OfficeActivity Logon events.\\nReferences: https://www.microsoft.com/security/blog/2020/09/10/strontium-detecting-new-patters-credential-harvesting/.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-09-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7d7e20f8-3384-4b71-811c-f5e950e8306c\",\"name\":\"7d7e20f8-3384-4b71-811c-f5e950e8306c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"AuditLogs\\n| where ActivityDisplayName =~\u0027Add member to role completed (PIM activation)\u0027\\n| where Result == \\\"failure\\\"\\n| extend Role = tostring(TargetResources[3].displayName)\\n| extend User = tostring(TargetResources[2].displayName)\\n| project-reorder TimeGenerated, User, Role, OperationName, Result, ResultDescription\\n| extend InitiatingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n| extend AccountCustomEntity = User, IPCustomEntity = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUser\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"PIM Elevation Request Rejected\",\"description\":\"Identifies when a user is rejected for a privileged role elevation via PIM. Monitor rejections for indicators of attacker compromise of the requesting account.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-identity-management\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6852d9da-8015-4b95-8ecf-d9572ee0395d\",\"name\":\"6852d9da-8015-4b95-8ecf-d9572ee0395d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Low\",\"query\":\"let queryfrequency = 1h;\\nlet wait_for_deletion = 10m;\\nlet account_created =\\n AuditLogs \\n | where ActivityDisplayName == \\\"Add service principal\\\"\\n | where Result == \\\"success\\\"\\n | extend AppID = tostring(AdditionalDetails[1].value)\\n | extend creationTime = ActivityDateTime\\n | extend userPrincipalName_creator = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend ipAddress_creator = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress);\\nlet account_activity =\\n AADServicePrincipalSignInLogs\\n | extend Activities = pack(\\\"ActivityTime\\\", TimeGenerated ,\\\"IpAddress\\\", IPAddress, \\\"ResourceDisplayName\\\", ResourceDisplayName)\\n | extend AppID = AppId\\n | summarize make_list(Activities) by AppID;\\nlet account_deleted =\\n AuditLogs \\n | where OperationName == \\\"Remove service principal\\\"\\n | where Result == \\\"success\\\"\\n | extend AppID = tostring(AdditionalDetails[1].value)\\n | extend deletionTime = ActivityDateTime\\n | extend userPrincipalName_deleter = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend ipAddress_deleter = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress);\\nlet account_credentials =\\n AuditLogs\\n | where OperationName has_all (\\\"Update application\\\", \\\"Certificates and secrets management\\\")\\n | where Result == \\\"success\\\"\\n | extend AppID = tostring(AdditionalDetails[1].value)\\n | extend credentialCreationTime = ActivityDateTime;\\nlet roles_assigned =\\n AuditLogs\\n | where ActivityDisplayName == \\\"Add app role assignment to service principal\\\"\\n | extend AppID = tostring(TargetResources[1].displayName)\\n | extend AssignedRole = iff(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].displayName)==\\\"AppRole.Value\\\", tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].newValue))),\\\"\\\")\\n | extend AssignedRoles = pack(\\\"Role\\\", AssignedRole)\\n | summarize make_list(AssignedRoles) by AppID;\\naccount_created\\n| where TimeGenerated between (ago(wait_for_deletion+queryfrequency)..ago(wait_for_deletion))\\n| join kind= inner (account_activity) on AppID\\n| join kind= inner (account_deleted) on AppID\\n| join kind= inner (account_credentials) on AppID\\n| join kind= inner (roles_assigned) on AppID\\n| where deletionTime - creationTime between (time(0s)..wait_for_deletion)\\n| extend AliveTime = deletionTime - creationTime\\n| project AADTenantId, AppID, creationTime, deletionTime, userPrincipalName_creator, userPrincipalName_deleter, ipAddress_creator, ipAddress_deleter, list_Activities, list_AssignedRoles, AliveTime\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"userPrincipalName_creator\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"userPrincipalName_deleter\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ipAddress_creator\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ipAddress_deleter\"}]}],\"tactics\":[\"CredentialAccess\",\"PrivilegeEscalation\",\"InitialAccess\"],\"displayName\":\"Suspicious Service Principal creation activity\",\"description\":\"This alert will detect creation of an SPN, permissions granted, credentials created, activity and deletion of the SPN in a time frame (default 10 minutes)\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2021-11-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\",\"AADServicePrincipalSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ec21493c-2684-4acd-9bc2-696dbad72426\",\"name\":\"ec21493c-2684-4acd-9bc2-696dbad72426\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.0\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation of extracted domains\\nlet list_tlds = ThreatIntelligenceIndicator\\n | where TimeGenerated \u003e ago(ioc_lookBack)\\n | where isnotempty(DomainName)\\n | extend DomainName = tolower(DomainName)\\n | extend parts = split(DomainName, \u0027.\u0027)\\n | extend tld = parts[(array_length(parts)-1)]\\n | summarize count() by tostring(tld)\\n | summarize make_list(tld);\\n ThreatIntelligenceIndicator\\n | where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n | where Active == true\\n // Picking up only IOC\u0027s that contain the entities we want\\n | where isnotempty(DomainName)\\n // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n | join kind=innerunique (\\n CommonSecurityLog\\n | extend IngestionTime = ingestion_time()\\n | where IngestionTime \u003e ago(dt_lookBack)\\n | where DeviceVendor =~ \u0027Palo Alto Networks\u0027\\n | where DeviceEventClassID =~ \u0027url\u0027\\n //Uncomment the line below to only alert on allowed connections\\n //| where DeviceAction !~ \\\"block-url\\\"\\n //Extract domain from RequestURL, if not present extarct it from AdditionalExtentions\\n | extend PA_Url = columnifexists(\\\"RequestURL\\\", \\\"None\\\")\\n | extend PA_Url = iif(isempty(PA_Url) and AdditionalExtensions !startswith \\\"PanOS\\\", extract(\\\"([^\\\\\\\"]+)\\\", 1, tolower(AdditionalExtensions)), trim(\u0027\\\"\u0027, PA_Url))\\n | extend PA_Url = iif(PA_Url !startswith \\\"http://\\\" and ApplicationProtocol !~ \\\"ssl\\\", strcat(\u0027http://\u0027, PA_Url), iif(PA_Url !startswith \\\"https://\\\" and ApplicationProtocol =~ \\\"ssl\\\", strcat(\u0027https://\u0027, PA_Url), PA_Url))\\n | extend Domain = trim(@\\\"\\\"\\\"\\\",tostring(parse_url(PA_Url).Host))\\n | where isnotempty(Domain)\\n | extend Domain = tolower(Domain)\\n | extend parts = split(Domain, \u0027.\u0027)\\n //Split out the TLD for the purpose of checking if we have any TI indicators with this TLD to match on\\n | extend tld = parts[(array_length(parts)-1)]\\n //Validate parsed domain by checking TLD against TLDs from threat feed and drop domains where there is no chance of a match\\n | where tld in~ (list_tlds)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n ) on $left.DomainName==$right.Domain\\n | where CommonSecurityLog_TimeGenerated \u003c ExpirationDateTime\\n | summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, Domain\\n | project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, PA_Url, Domain, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, \\n DeviceAction, DestinationIP, DestinationPort, DeviceName, SourceIP, SourcePort, ApplicationProtocol, RequestMethod\\n | extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, URLCustomEntity = PA_Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map Domain entity to PaloAlto\",\"description\":\"Identifies a match in Palo Alto data in CommonSecurityLog table from any Domain IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/caf78b95-d886-4ac3-957a-a7a3691ff4ed\",\"name\":\"caf78b95-d886-4ac3-957a-a7a3691ff4ed\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT12H\",\"queryPeriod\":\"PT12H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Tarrask.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, SourceUserID, FileHash, Type\\n| extend timestamp = TimeGenerated, FileHashCustomEntity = \u0027SHA256\u0027, Account = SourceUserID\\n),\\n(imFileEvent\\n| where TargetFileSHA256 has_any (sha256Hashes)\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Image = EventDetail.[4].[\\\"#text\\\"], CommandLine = EventDetail.[10].[\\\"#text\\\"], Hashes = tostring(EventDetail.[17].[\\\"#text\\\"])\\n| extend Hashes = extract_all(@\\\"(?P\u003ckey\u003e\\\\w+)=(?P\u003cvalue\u003e[a-zA-Z0-9]+)\\\", dynamic([\\\"key\\\",\\\"value\\\"]), Hashes)\\n| extend Hashes = column_ifexists(\\\"Hashes\\\", \\\"\\\"), CommandLine = column_ifexists(\\\"CommandLine\\\", \\\"\\\")\\n| where (Hashes has_any (sha256Hashes) ) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, Hashes, CommandLine, Image\\n| extend Type = strcat(Type, \\\": \\\", Source)\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), FileHashCustomEntity = Hashes\\n),\\n(DeviceEvents\\n| where InitiatingProcessSHA256 has_any (sha256Hashes) or SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n),\\n(DeviceFileEvents\\n| where SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n),\\n(DeviceImageLoadEvents\\n| where SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Tarrask malware IOC - April 2022\",\"description\":\"Identifies a hash match related to Tarrask malware across various data sources.\\n Reference: https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/\",\"lastUpdatedDateUTC\":\"2022-04-12T00:00:00Z\",\"createdDateUTC\":\"2022-01-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\",\"DeviceEvents\",\"DeviceImageLoadEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2560515c-07d1-434e-87fb-ebe3af267760\",\"name\":\"2560515c-07d1-434e-87fb-ebe3af267760\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where ActivityDisplayName has_any (\\\"Add delegated permission grant\\\",\\\"Add app role assignment to service principal\\\")\\n| where Result =~ \\\"success\\\"\\n| where tostring(InitiatedBy.user.userPrincipalName) has \\\"@\\\" or tostring(InitiatedBy.app.displayName) has \\\"@\\\"\\n| extend props = parse_json(tostring(TargetResources[0].modifiedProperties))\\n| mv-expand props\\n| extend UserAgent = tostring(AdditionalDetails[0].value)\\n| extend InitiatingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n| extend UserIPAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n| extend DisplayName = tostring(props.displayName)\\n| extend Permissions = tostring(parse_json(tostring(props.newValue)))\\n| where Permissions has_any (\\\"Mail.Read\\\", \\\"Mail.ReadWrite\\\")\\n| extend PermissionsAddedTo = tostring(TargetResources[0].displayName)\\n| extend Type = tostring(TargetResources[0].type)\\n| project-away props\\n| join kind=leftouter(\\n AuditLogs\\n | where ActivityDisplayName has \\\"Consent to application\\\"\\n | extend AppName = tostring(TargetResources[0].displayName)\\n | extend AppId = tostring(TargetResources[0].id)\\n | project AppName, AppId, CorrelationId) on CorrelationId\\n| project-reorder TimeGenerated, OperationName, InitiatingUser, UserIPAddress, UserAgent, PermissionsAddedTo, Permissions, AppName, AppId, CorrelationId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingUser, IPCustomEntity = UserIPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Mail.Read Permissions Granted to Application\",\"description\":\"This query look for applications that have been granted (Delegated or App/Role) permissions to Read Mail (Permissions field has Mail.Read) and subsequently has been consented to. This can help identify applications that have been abused to gain access to mailboxes.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/532c1811-79ee-4d9f-8d4d-6304c840daa1\",\"name\":\"532c1811-79ee-4d9f-8d4d-6304c840daa1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Azure Active Directory Identity Protection\",\"displayName\":\"Create incidents based on Azure Active Directory Identity Protection alerts\",\"description\":\"Create incidents based on all alerts generated in Azure Active Directory Identity Protection\",\"lastUpdatedDateUTC\":\"2019-07-16T00:00:00Z\",\"createdDateUTC\":\"2019-07-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectoryIdentityProtection\",\"dataTypes\":[\"SecurityAlert (IPC)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bb616d82-108f-47d3-9dec-9652ea0d3bf6\",\"name\":\"bb616d82-108f-47d3-9dec-9652ea0d3bf6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"let queryfrequency = 1h;\\nlet queryperiod = 1d;\\nAuditLogs\\n| where TimeGenerated \u003e ago(queryfrequency)\\n| where OperationName =~ \\\"Delete user\\\"\\n//extend UserPrincipalName = tostring(TargetResources[0].userPrincipalName)\\n| extend UserPrincipalName = extract(@\u0027([a-f0-9]{32})?(.*)\u0027, 2, tostring(TargetResources[0].userPrincipalName))\\n| extend DeletedByUser = tostring(InitiatedBy.user.userPrincipalName), DeletedByIPAddress = tostring(InitiatedBy.user.ipAddress)\\n| extend DeletedByApp = tostring(InitiatedBy.app.displayName)\\n| project Deletion_TimeGenerated = TimeGenerated, UserPrincipalName, DeletedByUser, DeletedByIPAddress, DeletedByApp, Deletion_AdditionalDetails = AdditionalDetails, Deletion_InitiatedBy = InitiatedBy, Deletion_TargetResources = TargetResources\\n| join kind=inner (\\n AuditLogs\\n | where TimeGenerated \u003e ago(queryperiod)\\n | where OperationName =~ \\\"Add user\\\"\\n | extend UserPrincipalName = tostring(TargetResources[0].userPrincipalName)\\n | project-rename Creation_TimeGenerated = TimeGenerated\\n) on UserPrincipalName\\n| extend TimeDelta = Deletion_TimeGenerated - Creation_TimeGenerated\\n| where TimeDelta between (time(0s) .. queryperiod)\\n| extend CreatedByUser = tostring(InitiatedBy.user.userPrincipalName), CreatedByIPAddress = tostring(InitiatedBy.user.ipAddress)\\n| extend CreatedByApp = tostring(InitiatedBy.app.displayName)\\n| project Creation_TimeGenerated, Deletion_TimeGenerated, TimeDelta, UserPrincipalName, DeletedByUser, DeletedByIPAddress, DeletedByApp, CreatedByUser, CreatedByIPAddress, CreatedByApp, Creation_AdditionalDetails = AdditionalDetails, Creation_InitiatedBy = InitiatedBy, Creation_TargetResources = TargetResources, Deletion_AdditionalDetails, Deletion_InitiatedBy, Deletion_TargetResources\\n| extend timestamp = Deletion_TimeGenerated, CustomAccountEntity = UserPrincipalName, IPCustomEntity = DeletedByIPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CustomAccountEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Account Created and Deleted in Short Timeframe\",\"description\":\"Search for user principal name (UPN) events. Look for accounts created and then deleted in under 24 hours. Attackers may create an account for their use, and then remove the account when no longer needed.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#short-lived-account\",\"lastUpdatedDateUTC\":\"2022-01-17T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a0907abe-6925-4d90-af2b-c7e89dc201a6\",\"name\":\"a0907abe-6925-4d90-af2b-c7e89dc201a6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P10D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let starttime = 10d;\\nlet endtime = 1d;\\nlet threshold = 100;\\nlet nxDomainDnsEvents = DnsEvents \\n| where ResultCode == 3 \\n| where QueryType in (\\\"A\\\", \\\"AAAA\\\")\\n| where ipv4_is_match(\\\"127.0.0.1\\\", ClientIP) == False\\n| where Name !contains \\\"/\\\"\\n| where Name contains \\\".\\\";\\nnxDomainDnsEvents\\n| where TimeGenerated \u003e ago(endtime)\\n| extend sld = tostring(split(Name, \\\".\\\")[-2])\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), dcount(sld) by ClientIP\\n| where dcount_sld \u003e threshold\\n// Filter out previously seen IPs\\n| join kind=leftanti (nxDomainDnsEvents\\n | where TimeGenerated between(ago(starttime)..ago(endtime))\\n | extend sld = tostring(split(Name, \\\".\\\")[-2])\\n | summarize dcount(sld) by ClientIP\\n | where dcount_sld \u003e threshold ) on ClientIP\\n// Pull out sample NXDomain responses for those remaining potentially infected IPs\\n| join kind = inner (nxDomainDnsEvents | summarize by Name, ClientIP) on ClientIP\\n| summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), sampleNXDomainList=make_list(Name, 100) by ClientIP, dcount_sld\\n| extend timestamp = StartTimeUtc, IPCustomEntity = ClientIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Potential DGA detected\",\"description\":\"Identifies clients with a high NXDomain count which could be indicative of a DGA (cycling through possible C2 domains\\nwhere most C2s are not live). Alert is generated when a new IP address is seen (based on not being seen associated with \\nNXDomain records in prior 10-day baseline period).\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ef895ada-e8e8-4cf0-9313-b1ab67fab69f\",\"name\":\"ef895ada-e8e8-4cf0-9313-b1ab67fab69f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let known_locations =\\n union isfuzzy=True AADNonInteractiveUserSignInLogs, SigninLogs\\n | where TimeGenerated between(ago(14d)..ago(1d))\\n | where ResultType == 0\\n | summarize by Location;\\n union isfuzzy=True AADNonInteractiveUserSignInLogs, SigninLogs\\n | where TimeGenerated \u003e ago(1d)\\n | where ResultType != 50126\\n | where Location !in (known_locations)\\n | extend LocationDetails_dynamic = column_ifexists(\\\"LocationDetails_dynamic\\\", \\\"\\\")\\n | extend DeviceDetail_dynamic = column_ifexists(\\\"DeviceDetail_dynamic\\\", \\\"\\\")\\n | extend LocationDetails = iif(isnotempty(LocationDetails_dynamic), LocationDetails_dynamic, parse_json(LocationDetails_string))\\n | extend DeviceDetail = iif(isnotempty(DeviceDetail_dynamic), DeviceDetail_dynamic, parse_json(DeviceDetail_string))\\n | extend City = tostring(LocationDetails.city)\\n | extend State = tostring(LocationDetails.state)\\n | extend Place = strcat(City, \\\" - \\\", State)\\n | extend DeviceId = tostring(DeviceDetail.deviceId)\\n | extend Result = strcat(tostring(ResultType), \\\" - \\\", ResultDescription)\\n | summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated), make_set(Result), make_set(IPAddress), make_set(UserAgent), make_set(Place), make_set(DeviceId) by UserPrincipalName, Location, Category\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Authentication Attempt from New Country\",\"description\":\"Detects when there is a log in attempt from a country that has not seen a successful login in the previous 14 days.\\n Threat actors may attempt to authenticate with credentials from compromised accounts - monitoring attempts from anomalous locations may help identify these attempts.\\n Authentication attempts should be investigated to ensure the activity was legitimate and if there is other similar activity.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\",\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9713e3c0-1410-468d-b79e-383448434b2d\",\"name\":\"9713e3c0-1410-468d-b79e-383448434b2d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n VMConnection\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n // renaming time column so it is clear the log this came from\\n | extend VMConnection_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.RemoteIp\\n| where VMConnection_TimeGenerated \u003c ExpirationDateTime\\n| summarize VMConnection_TimeGenerated = arg_max(VMConnection_TimeGenerated, *) by IndicatorId, RemoteIp\\n| project VMConnection_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, Computer, Direction, ProcessName, SourceIp, DestinationIp, RemoteIp, Protocol, DestinationPort, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = VMConnection_TimeGenerated, IPCustomEntity = RemoteIp, HostCustomEntity = Computer, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to VMConnection\",\"description\":\"Identifies a match in VMConnection from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/017e095a-94d8-430c-a047-e51a11fb737b\",\"name\":\"017e095a-94d8-430c-a047-e51a11fb737b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let domains =\\n SigninLogs\\n | where ResultType == 0\\n | extend domain = split(UserPrincipalName, \\\"@\\\")[1]\\n | extend domain = tostring(split(UserPrincipalName, \\\"@\\\")[1])\\n | summarize by tolower(tostring(domain));\\n AuditLogs\\n | where Category =~ \\\"ApplicationManagement\\\"\\n | where Result =~ \\\"success\\\"\\n | where OperationName =~ \u0027Update Application\u0027\\n | mv-expand TargetResources\\n | mv-expand TargetResources.modifiedProperties\\n | where TargetResources_modifiedProperties.displayName =~ \\\"AppAddress\\\"\\n | extend Key = tostring(TargetResources_modifiedProperties.displayName)\\n | extend NewValue = TargetResources_modifiedProperties.newValue\\n | extend OldValue = TargetResources_modifiedProperties.oldValue\\n | where isnotempty(Key) and isnotempty(NewValue)\\n | project-reorder Key, NewValue, OldValue\\n | extend NewUrls = extract_all(\u0027\\\"Address\\\":([^,]*)\u0027, tostring(NewValue))\\n | extend OldUrls = extract_all(\u0027\\\"Address\\\":([^,]*)\u0027, tostring(OldValue))\\n | extend AddedUrls = set_difference(NewUrls, OldUrls)\\n | where array_length(AddedUrls) \u003e 0\\n | extend UserAgent = iif(tostring(AdditionalDetails[0].key) == \\\"User-Agent\\\", tostring(AdditionalDetails[0].value), \\\"\\\")\\n | extend AddingUser = iif(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)) , tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), \\\"\\\")\\n | extend AddingApp = iif(isnotempty(tostring(parse_json(tostring(InitiatedBy.app)).servicePrincipalName)) , tostring(parse_json(tostring(InitiatedBy.app)).servicePrincipalName), \\\"\\\")\\n | extend AddedBy = iif(isnotempty(AddingUser), AddingUser, AddingApp)\\n | project-away AddingApp, AddingUser\\n | extend AppDisplayName = tostring(TargetResources.displayName)\\n | extend ipAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n | where isnotempty(AddedUrls)\\n | mv-expand AddedUrls\\n | extend Domain = extract(\\\"^(?:https?:\\\\\\\\/\\\\\\\\/)?(?:[^@\\\\\\\\/\\\\\\\\n]+@)?(?:www\\\\\\\\.)?([^:\\\\\\\\/?\\\\\\\\n]+)/\\\", 1, replace_string(tolower(tostring(AddedUrls)), \u0027\\\"\u0027, \\\"\\\"))\\n | where isnotempty(Domain)\\n | extend Domain = strcat(split(Domain, \\\".\\\")[-2], \\\".\\\", split(Domain, \\\".\\\")[-1])\\n | where Domain !in (domains)\\n | project-reorder TimeGenerated, AppDisplayName, AddedUrls, AddedBy, UserAgent, ipAddress\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"AddedUrls\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddedBy\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ipAddress\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"URL Added to Application from Unknown Domain\",\"description\":\"Detects a URL being added to an application where the domain is not one that is associated with the tenant.\\n The query uses domains seen in sign in logs to determine if the domain is associated with the tenant.\\n Applications associated with URLs not controlled by the organization can pose a security risk.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-applications#application-configuration-changes\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b9e3b9f8-a406-4151-9891-e5ff1ddd8c1d\",\"name\":\"b9e3b9f8-a406-4151-9891-e5ff1ddd8c1d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"//Collect the alert events\\nlet alertData = SecurityAlert \\n| where DisplayName has \\\"Potential malware uploaded to\\\" \\n| extend Entities = parse_json(Entities) \\n| mv-expand Entities;\\n//Parse the IP address data\\nlet ipData = alertData \\n| where Entities[\u0027Type\u0027] =~ \\\"ip\\\" \\n| extend AttackerIP = tostring(Entities[\u0027Address\u0027]), AttackerCountry = tostring(Entities[\u0027Location\u0027][\u0027CountryName\u0027]);\\n//Parse the file data\\nlet FileData = alertData \\n| where Entities[\u0027Type\u0027] =~ \\\"file\\\" \\n| extend MaliciousFileDirectory = tostring(Entities[\u0027Directory\u0027]), MaliciousFileName = tostring(Entities[\u0027Name\u0027]), MaliciousFileHashes = tostring(Entities[\u0027FileHashes\u0027]);\\n//Combine the File and IP data together\\nipData \\n| join (FileData) on VendorOriginalId \\n| summarize by TimeGenerated, AttackerIP, AttackerCountry, DisplayName, ResourceId, AlertType, MaliciousFileDirectory, MaliciousFileName, MaliciousFileHashes\\n//Create a type column so we can track if it was a File storage or blobl storage upload \\n| extend type = iff(DisplayName has \\\"file\\\", \\\"File\\\", \\\"Blob\\\") \\n| join (\\n union\\n StorageFileLogs, \\n StorageBlobLogs \\n //File upload operations \\n | where OperationName =~ \\\"PutBlob\\\" or OperationName =~ \\\"PutRange\\\"\\n //Parse out the uploader IP \\n | extend ClientIP = tostring(split(CallerIpAddress, \\\":\\\", 0)[0])\\n //Extract the filename from the Uri \\n | extend FileName = extract(@\\\"\\\\/([\\\\w\\\\-. ]+)\\\\?\\\", 1, Uri)\\n //Base64 decode the MD5 filehash, we will encounter non-ascii hex so string operations don\u0027t work\\n //We can work around this by making it an array then converting it to hex from an int \\n | extend base64Char = base64_decode_toarray(ResponseMd5) \\n | mv-expand base64Char \\n | extend hexChar = tohex(toint(base64Char))\\n | extend hexChar = iff(strlen(hexChar) \u003c 2, strcat(\\\"0\\\", hexChar), hexChar) \\n | extend SourceTable = iff(OperationName has \\\"range\\\", \\\"StorageFileLogs\\\", \\\"StorageBlobLogs\\\") \\n | summarize make_list(hexChar) by CorrelationId, ResponseMd5, FileName, AccountName, TimeGenerated, RequestBodySize, ClientIP, SourceTable \\n | extend Md5Hash = strcat_array(list_hexChar, \\\"\\\")\\n //Pack the file information the summarise into a ClientIP row \\n | extend p = pack(\\\"FileName\\\", FileName, \\\"FileSize\\\", RequestBodySize, \\\"Md5Hash\\\", Md5Hash, \\\"Time\\\", TimeGenerated, \\\"SourceTable\\\", SourceTable) \\n | summarize UploadedFileInfo=make_list(p), FilesUploaded=count() by ClientIP \\n | join kind=leftouter (\\n union\\n StorageFileLogs,\\n StorageBlobLogs \\n | where OperationName =~ \\\"DeleteFile\\\" or OperationName =~ \\\"DeleteBlob\\\" \\n | extend ClientIP = tostring(split(CallerIpAddress, \\\":\\\", 0)[0]) \\n | extend FileName = extract(@\\\"\\\\/([\\\\w\\\\-. ]+)\\\\?\\\", 1, Uri) \\n | extend SourceTable = iff(OperationName has \\\"range\\\", \\\"StorageFileLogs\\\", \\\"StorageBlobLogs\\\") \\n | extend p = pack(\\\"FileName\\\", FileName, \\\"Time\\\", TimeGenerated, \\\"SourceTable\\\", SourceTable) \\n | summarize DeletedFileInfo=make_list(p), FilesDeleted=count() by ClientIP\\n ) on ClientIP\\n ) on $left.AttackerIP == $right.ClientIP \\n| mvexpand UploadedFileInfo \\n| extend LinkedMaliciousFileName = UploadedFileInfo.FileName \\n| extend LinkedMaliciousFileHash = UploadedFileInfo.Md5Hash \\n| project AlertTimeGenerated = TimeGenerated, tostring(LinkedMaliciousFileName), tostring(LinkedMaliciousFileHash), AlertType, AttackerIP, AttackerCountry, MaliciousFileDirectory, MaliciousFileName, FilesUploaded, UploadedFileInfo \\n| extend FileHashCustomEntity = LinkedMaliciousFileName, HashAlgorithm = \\\"MD5\\\", IPCustomEntity = AttackerIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"HashAlgorithm\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"Exfiltration\"],\"displayName\":\"Linked Malicious Storage Artifacts\",\"description\":\"An IP address which uploaded malicious content to an Azure Blob or File Storage container (triggering a malware alert) also uploaded additional files.\",\"lastUpdatedDateUTC\":\"2022-01-16T00:00:00Z\",\"createdDateUTC\":\"2021-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftCloudAppSecurity\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c7cd6073-6d2c-4284-a5c8-da27605bdfde\",\"name\":\"c7cd6073-6d2c-4284-a5c8-da27605bdfde\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"let lbtime = 10m;\\nProofpointPOD\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027inbound\u0027\\n| where FilterDisposition !in (\u0027reject\u0027, \u0027discard\u0027)\\n| where FilterModulesSpamScoresOverall == \u0027100\u0027\\n| project SrcUserUpn, DstUserUpn\\n| extend AccountCustomEntity = SrcUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"ProofpointPOD - High risk message not discarded\",\"description\":\"Detects when email with high risk score was not rejected or discarded by filters.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c87fb346-ea3a-4c64-ba92-3dd383e0f0b5\",\"name\":\"c87fb346-ea3a-4c64-ba92-3dd383e0f0b5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"High\",\"query\":\"let DomainNames = \\\"miniodaum.ml\\\";\\nlet SHA256Hash = dynamic ([\\\"53f5773bbfbfbee660989d135c042c9f6f69024b9a4b65bdc0dfd44771762257\\\", \\\"0897c80df8b80b4c49bf1ccf876f5f782849608b830c3b5cb3ad212dc3e19eff\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where isnotempty(FileHash)\\n| where FileHash in (SHA256Hash) or DNSName =~ DomainNames\\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n),\\n (_Im_Dns (domain_has_any=DomainNames)\\n| extend DNSName = DnsQuery \\n| extend IPAddress = SrcIpAddr, Computer = Dvc\\n), \\n(_Im_WebSession(url_has_any=DomainNames) \\n| extend DNSName = tostring(parse_url(Url)[\\\"Host\\\"])\\n| extend IPAddress = SrcIpAddr, Account=User\\n),\\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where isnotempty(DNSName)\\n| where DNSName =~ DomainNames\\n| extend IPAddress = RemoteIp\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPAddress = SourceHost\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"CredentialAccess\"],\"displayName\":\"Known CERIUM domains and hashes\",\"description\":\"CERIUM malicious webserver and hash values for maldocs and malware. \\n Matches domain name IOCs related to the CERIUM activity group with CommonSecurityLog, DnsEvents, and VMConnection dataTypes.\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2020-10-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/712fab52-2a7d-401e-a08c-ff939cc7c25e\",\"name\":\"712fab52-2a7d-401e-a08c-ff939cc7c25e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(Url)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n AuditLogs\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n // Extract the URL that is contained within the JSON data\\n | extend Url = extract(\\\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.\u0026+]|[!*\\\\\\\\(\\\\\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+);\\\", 1,tostring(TargetResources))\\n | where isnotempty(Url)\\n | extend userPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend TargetResourceDisplayName = tostring(TargetResources[0].displayName)\\n | extend Audit_TimeGenerated = TimeGenerated\\n) on Url\\n| where Audit_TimeGenerated \u003c ExpirationDateTime\\n| summarize Audit_TimeGenerated = arg_max(Audit_TimeGenerated, *) by IndicatorId, Url\\n| project Audit_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore,\\nOperationName, Identity, userPrincipalName, TargetResourceDisplayName, Url\\n| extend timestamp = Audit_TimeGenerated, AccountCustomEntity = userPrincipalName, HostCustomEntity = TargetResourceDisplayName, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map URL entity to AuditLogs\",\"description\":\"Identifies a match in AuditLogs from any URL IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ab4b6944-a20d-42ab-8b63-238426525801\",\"name\":\"ab4b6944-a20d-42ab-8b63-238426525801\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let domains = dynamic([\\\"incomeupdate.com\\\",\\\"zupertech.com\\\",\\\"databasegalore.com\\\",\\\"panhardware.com\\\",\\\"avsvmcloud.com\\\",\\\"digitalcollege.org\\\",\\\"freescanonline.com\\\",\\\"deftsecurity.com\\\",\\\"thedoccloud.com\\\",\\\"virtualdataserver.com\\\",\\\"lcomputers.com\\\",\\\"webcodez.com\\\",\\\"globalnetworkissues.com\\\",\\\"kubecloud.com\\\",\\\"seobundlekit.com\\\",\\\"solartrackingsystem.net\\\",\\\"virtualwebdata.com\\\"]);\\nlet timeframe = 1h;\\nlet connections = VMConnection \\n | where TimeGenerated \u003e= ago(timeframe)\\n | extend DNSName = set_union(todynamic(RemoteDnsCanonicalNames),todynamic(RemoteDnsQuestions))\\n | mv-expand DNSName\\n | where isnotempty(DNSName)\\n | where DNSName has_any (domains)\\n | extend IPCustomEntity = RemoteIp\\n | summarize TimeGenerated = arg_min(TimeGenerated, *), requests = count() by IPCustomEntity, DNSName = tostring(DNSName), AgentId, Machine, Process;\\nlet processes = VMProcess\\n | where TimeGenerated \u003e= ago(timeframe)\\n | project AgentId, Machine, Process, UserName, UserDomain, ExecutablePath, CommandLine, FirstPid\\n | extend exePathArr = split(ExecutablePath, \\\"\\\\\\\\\\\")\\n | extend DirectoryName = array_strcat(array_slice(exePathArr, 0, array_length(exePathArr) - 2), \\\"\\\\\\\\\\\")\\n | extend Filename = array_strcat(array_slice(exePathArr, array_length(exePathArr) - 1, array_length(exePathArr)), \\\"\\\\\\\\\\\")\\n | project-away exePathArr;\\nlet computers = VMComputer\\n | where TimeGenerated \u003e= ago(timeframe)\\n | project HostCustomEntity = HostName, AzureResourceId = _ResourceId, AgentId, Machine;\\nconnections | join kind = inner (processes) on AgentId, Machine, Process\\n | join kind = inner (computers) on AgentId, Machine\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"DNSName\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"FirstPid\"},{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLine\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Directory\",\"columnName\":\"DirectoryName\"},{\"identifier\":\"Name\",\"columnName\":\"Filename\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Solorigate Domains Found in VM Insights\",\"description\":\"Identifies connections to Solorigate-related DNS records based on VM insights data\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMProcess\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMComputer\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1ce5e766-26ab-4616-b7c8-3b33ae321e80\",\"name\":\"1ce5e766-26ab-4616-b7c8-3b33ae321e80\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"//Adjust this threshold to fit environment\\nlet signin_threshold = 5; \\n//Make a list of IPs with failed Windows host logins above threshold\\nlet win_fails = \\nSecurityEvent\\n| where EventID == 4625\\n| where LogonType in (10, 7, 3)\\n| where IpAddress != \\\"-\\\"\\n| summarize count() by IpAddress\\n| where count_ \u003e signin_threshold\\n| summarize make_list(IpAddress);\\nlet wef_fails =\\nWindowsEvent\\n| where EventID == 4625\\n| extend LogonType = tostring(EventData.LogonType)\\n| where LogonType in (10, 7, 3)\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| where IpAddress != \\\"-\\\"\\n| summarize count() by IpAddress\\n| where count_ \u003e signin_threshold\\n| summarize make_list(IpAddress);\\n//Make a list of IPs with failed *nix host logins above threshold\\nlet nix_fails = \\nSyslog\\n| where Facility contains \u0027auth\u0027 and ProcessName != \u0027sudo\u0027\\n| extend SourceIP = extract(\\\"(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.(([0-9]{1,3})))\\\",1,SyslogMessage)\\n| where SourceIP != \\\"\\\" and SourceIP != \\\"127.0.0.1\\\"\\n| summarize count() by SourceIP\\n| where count_ \u003e signin_threshold\\n| summarize make_list(SourceIP);\\n//See if any of the IPs with failed host logins hve had a sucessful Azure AD login\\nlet aadFunc = (tableName:string){\\ntable(tableName)\\n| where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n| where IPAddress in (win_fails) or IPAddress in (nix_fails) or IPAddress in (wef_fails)\\n| extend Reason= \\\"Multiple failed host logins from IP address with successful Azure AD login\\\"\\n| extend timstamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress, Type = Type\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"Failed host logons but success logon to AzureAD\",\"description\":\"Identifies a list of IP addresses with a minimum number(default of 5) of failed logon attempts to remote hosts.\\nUses that list to identify any successful logons to Azure Active Directory from these IPs within the same timeframe.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2019-08-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/28b42356-45af-40a6-a0b4-a554cdfd5d8a\",\"name\":\"28b42356-45af-40a6-a0b4-a554cdfd5d8a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"Medium\",\"query\":\"let timeRange = 24h;\\nlet failureCountThreshold = 5;\\nlet authenticationWindow = 20m;\\nlet aadFunc = (tableName:string){\\n table(tableName)\\n| where AppDisplayName has \\\"Azure Portal\\\"\\n| extend\\n DeviceDetail = todynamic(DeviceDetail),\\n //Status = todynamic(Status),\\n LocationDetails = todynamic(LocationDetails)\\n| extend\\n OS = tostring(DeviceDetail.operatingSystem),\\n Browser = tostring(DeviceDetail.browser),\\n //StatusCode = tostring(Status.errorCode),\\n //StatusDetails = tostring(Status.additionalDetails),\\n State = tostring(LocationDetails.state),\\n City = tostring(LocationDetails.city),\\n Region = tostring(LocationDetails.countryOrRegion)\\n// Split out failure versus non-failure types\\n| extend FailureOrSuccess = iff(ResultType in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\", \\\"70043\\\", \\\"70044\\\"), \\\"Success\\\", \\\"Failure\\\") \\n// bin outcomes based on authenticationWindow\\n| summarize take_anyif(UserPrincipalName, not(UserPrincipalName matches regex @\\\"[a-f\\\\d]+\\\\-[a-f\\\\d]+\\\\-[a-f\\\\d]+\\\\-[a-f\\\\d]+\\\\-[a-f\\\\d]+\\\")),\\n take_anyif(UserDisplayName, isnotempty(UserDisplayName)), FailureOrSuccessCount = count() by FailureOrSuccess, UserId, UserDisplayName, AppDisplayName, IPAddress, Browser, OS, State, City, Region, Type, CorrelationId, bin(TimeGenerated, authenticationWindow), ResultType\\n// sort for sessionizing - by UserPrincipalName and time of the authentication outcome\\n| sort by UserPrincipalName asc, TimeGenerated asc\\n| serialize \\n// sessionize into failure groupings until either the account changes or there is a success\\n| extend SessionStartedUtc = row_window_session(TimeGenerated, timeRange, authenticationWindow, UserPrincipalName != prev(UserPrincipalName) or prev(FailureOrSuccess) == \\\"Success\\\")\\n// count the failures in each session\\n| summarize FailureCountBeforeSuccess=sumif(FailureOrSuccessCount, FailureOrSuccess == \\\"Failure\\\"), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), makelist(FailureOrSuccess), IPAddress = make_set(IPAddress), make_set(Browser), make_set(City), make_set(State), make_set(Region), make_set(ResultType) by SessionStartedUtc, UserPrincipalName, CorrelationId, AppDisplayName, UserId, Type\\n// the session must not start with a success, and must end with one\\n| where array_index_of(list_FailureOrSuccess, \\\"Success\\\") != 0\\n| where array_index_of(list_FailureOrSuccess, \\\"Success\\\") == array_length(list_FailureOrSuccess) - 1\\n| project-away SessionStartedUtc, list_FailureOrSuccess\\n// where the number of failures before the success is above the threshold \\n| where FailureCountBeforeSuccess \u003e= failureCountThreshold \\n// expand out ip for entity assignment\\n| mv-expand IPAddress\\n| extend IPAddress = tostring(IPAddress)\\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \\n};\\n let aadSignin = aadFunc(\\\"SigninLogs\\\");\\n let aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\n union isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Brute force attack against Azure Portal\",\"description\":\"Identifies evidence of brute force activity against Azure Portal by highlighting multiple authentication failures \\nand by a successful authentication within a given time window. \\nDefault Failure count is 5 and default Time Window is 20 minutes.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2019-04-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/23de46ea-c425-4a77-b456-511ae4855d69\",\"name\":\"23de46ea-c425-4a77-b456-511ae4855d69\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Low\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\n// The number of operations below which an IP address is considered an unusual source of role assignment operations\\nlet alertOperationThreshold = 5;\\nlet SensitiveOperationList = dynamic([\\\"microsoft.compute/snapshots/write\\\", \\\"microsoft.network/networksecuritygroups/write\\\", \\\"microsoft.storage/storageaccounts/listkeys/action\\\"]);\\nlet SensitiveActivity = AzureActivity\\n| where OperationNameValue in~ (SensitiveOperationList) or OperationNameValue hassuffix \\\"listkeys/action\\\"\\n| where ActivityStatusValue =~ \\\"Success\\\";\\nSensitiveActivity\\n| where TimeGenerated between (ago(starttime) .. ago(endtime))\\n| summarize count() by CallerIpAddress, Caller, OperationNameValue\\n| where count_ \u003e= alertOperationThreshold\\n| join kind = rightanti ( \\nSensitiveActivity\\n| where TimeGenerated \u003e= ago(endtime)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = makelist(TimeGenerated), ActivityStatusValue = makelist(ActivityStatusValue), \\nOperationIds = makelist(OperationId), CorrelationIds = makelist(CorrelationId), Resources = makelist(Resource), ResourceGroups = makelist(ResourceGroup), ResourceIds = makelist(ResourceId), ActivityCountByCallerIPAddress = count() \\nby CallerIpAddress, Caller, OperationNameValue\\n) on CallerIpAddress, Caller, OperationNameValue\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\",\"Persistence\"],\"displayName\":\"Rare subscription-level operations in Azure\",\"description\":\"This query looks for a few sensitive subscription-level events based on Azure Activity Logs. \\n For example this monitors for the operation name \u0027Create or Update Snapshot\u0027 which is used for creating backups but could be misused by attackers \\n to dump hashes or extract sensitive information from the disk.\",\"lastUpdatedDateUTC\":\"2022-03-15T00:00:00Z\",\"createdDateUTC\":\"2019-08-23T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/84cf1d59-f620-4fee-b569-68daf7008b7b\",\"name\":\"84cf1d59-f620-4fee-b569-68daf7008b7b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let threshold = 10;\\nQualysHostDetection_CL\\n| mv-expand todynamic(Detections_s)\\n| extend Status = tostring(Detections_s.Status), Vulnerability = tostring(Detections_s.Results), Severity = tostring(Detections_s.Severity)\\n| where Status =~ \\\"New\\\" and Severity == \\\"5\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), dcount(NetBios_s) by tostring(Detections_s.QID)\\n| where dcount_NetBios_s \u003e= threshold\\n| extend timestamp = StartTime\",\"entityMappings\":[],\"tactics\":[\"InitialAccess\"],\"displayName\":\"New High Severity Vulnerability Detected Across Multiple Hosts\",\"description\":\"This creates an incident when a new high severity vulnerability is detected across multilple hosts\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"QualysVulnerabilityManagement\",\"dataTypes\":[\"QualysHostDetection_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bc5ffe2a-84d6-48fe-bc7b-1055100469bc\",\"name\":\"bc5ffe2a-84d6-48fe-bc7b-1055100469bc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"High\",\"query\":\"let SunburstMD5=dynamic([\\\"b91ce2fa41029f6955bff20079468448\\\",\\\"02af7cec58b9a5da1c542b5a32151ba1\\\",\\\"2c4a910a1299cdae2a4e55988a2f102e\\\",\\\"846e27a652a5e1bfbd0ddd38a16dc865\\\",\\\"4f2eb62fa529c0283b28d05ddd311fae\\\"]);\\nlet SupernovaMD5=\\\"56ceb6d0011d87b6e4d7023d7ef85676\\\";\\nimFileEvent\\n| where TargetFileMD5 in(SunburstMD5) or TargetFileMD5 in(SupernovaMD5)\\n| extend\\n timestamp = TimeGenerated,\\n AccountCustomEntity = User, \\n HostCustomEntity = DvcHostname,\\n FileHashCustomEntity = TargetFileMD5,\\n AlgorithmCustomEntity = \\\"MD5\\\"\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Execution\",\"Persistence\",\"InitialAccess\"],\"displayName\":\"SUNBURST and SUPERNOVA backdoor hashes (Normalized File Events)\",\"description\":\"Identifies SolarWinds SUNBURST and SUPERNOVA backdoor file hash IOCs in File Events\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimFileEvent)\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2020-12-15T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8cbc3215-fa58-4bd6-aaaa-f0029c351730\",\"name\":\"8cbc3215-fa58-4bd6-aaaa-f0029c351730\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"AlertPerResult\"},\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let threatCategory=\\\"Cryptominer\\\";\\nlet knownUserAgentsIndicators = materialize(externaldata(UserAgent:string, Category:string)\\n [ @\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/UnusualUserAgents.csv\\\"] \\n with(format=\\\"csv\\\", ignoreFirstRecord=True));\\nlet knownUserAgents=toscalar(knownUserAgentsIndicators | where Category==threatCategory | where isnotempty(UserAgent) | summarize make_list(UserAgent));\\nlet customUserAgents=toscalar(_GetWatchlist(\\\"UnusualUserAgents\\\") | where SearchKey==threatCategory | extend UserAgent=column_ifexists(\\\"UserAgent\\\",\\\"\\\") | where isnotempty(UserAgent) | summarize make_list(UserAgent));\\nlet fullUAList = array_concat(knownUserAgents,customUserAgents);\\n_Im_WebSession(httpuseragent_has_any=fullUAList)\\n| summarize N_Events=count() by SrcIpAddr, Url, TimeGenerated,HttpUserAgent, SrcUsername\",\"customDetails\":{\"UserAgent\":\"HttpUserAgent\"},\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"SrcUsername\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"The host {{SrcIpAddr}} is potentially running a crypto miner\",\"alertDescriptionFormat\":\"The host at address {{SrcIpAddr}} sent an HTTP request to the URL {{Url}} with the HTTP user agent header {{HttpUserAgent}}. This user agent is known to be used by crypto miners and indicates crypto mining activity on the client.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"CommandAndControl\"],\"displayName\":\"A host is potentially running a crypto miner (ASIM Web Session schema)\",\"description\":\"This rule identifies a web request with a user agent header known to belong to a crypto miner. This indicates a crypto miner may have infected the client machine.\u003cbr\u003eYou can add custom crypto mining indicating User-Agent headers using a watchlist, for more information refer to the [UnusualUserAgents Watchlist](https://aka.ms/ASimUnusualUserAgentsWatchlist).\u003cbr\u003e\u003cbr\u003e This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema)\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2021-12-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/24f8c234-d1ff-40ec-8b73-96b17a3a9c1c\",\"name\":\"24f8c234-d1ff-40ec-8b73-96b17a3a9c1c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Low\",\"query\":\"let EventCountThreshold = 25;\\n// To avoid any False Positives, filtering using AppId is recommended.\\n// For example the AppId 509e4652-da8d-478d-a730-e9d4a1996ca4 has been added in the query as it corresponds \\n// to Azure Resource Graph performing VaultGet operations for indexing and syncing all tracked resources across Azure.\\n// The AppId 8cae6e77-e04e-42ce-b5cb-50d82bce26b1 has been added as it correspond to Microsoft Policy Insights Provider Data Plane performing VaultGet operations for policies checks.\\nlet Allowedappid = dynamic([\\\"509e4652-da8d-478d-a730-e9d4a1996ca4\\\",\\\"8cae6e77-e04e-42ce-b5cb-50d82bce26b1\\\"]);\\nlet OperationList = dynamic(\\n[\\\"SecretGet\\\", \\\"KeyGet\\\", \\\"VaultGet\\\"]);\\nAzureDiagnostics\\n| where not((identity_claim_appid_g in (Allowedappid)) and OperationName == \u0027VaultGet\u0027)\\n| extend ResultType = columnifexists(\\\"ResultType\\\", \\\"None\\\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \\\"None\\\" and isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\\n| where ResourceType =~ \\\"VAULTS\\\" and ResultType =~ \\\"Success\\\"\\n| where OperationName in (OperationList) \\n| summarize count() by identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, OperationName\\n| where count_ \u003e EventCountThreshold \\n| join (\\nAzureDiagnostics\\n| where not((identity_claim_appid_g in (Allowedappid)) and OperationName == \u0027VaultGet\u0027)\\n| extend ResultType = columnifexists(\\\"ResultType\\\", \\\"NoResultType\\\")\\n| extend requestUri_s = columnifexists(\\\"requestUri_s\\\", \\\"None\\\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"None\\\")\\n| extend id_s = columnifexists(\\\"id_s\\\", \\\"None\\\"), CallerIPAddress = columnifexists(\\\"CallerIPAddress\\\", \\\"None\\\"), clientInfo_s = columnifexists(\\\"clientInfo_s\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \\\"None\\\" and isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\\n| where id_s !~ \\\"None\\\" and isnotempty(id_s)\\n| where CallerIPAddress !~ \\\"None\\\" and isnotempty(CallerIPAddress)\\n| where clientInfo_s !~ \\\"None\\\" and isnotempty(clientInfo_s)\\n| where requestUri_s !~ \\\"None\\\" and isnotempty(requestUri_s)\\n| where OperationName in~ (OperationList) \\n) on identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g \\n| summarize EventCount=sum(count_), StartTimeUtc=min(TimeGenerated), EndTimeUtc=max(TimeGenerated), TimeTriggered=makelist(TimeGenerated),OperationNameList=make_set(OperationName), RequestURLList=make_set(requestUri_s), CallerIPList = make_set(CallerIPAddress), CallerIPMax= arg_max(CallerIPAddress,*) by ResourceType, ResultType, Resource, id_s, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, clientInfo_s\\n| extend timestamp = EndTimeUtc, IPCustomEntity = CallerIPMax, AccountCustomEntity = identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Mass secret retrieval from Azure Key Vault\",\"description\":\"Identifies mass secret retrieval from Azure Key Vault observed by a single user. \\nMass secret retrival crossing a certain threshold is an indication of credential dump operations or mis-configured applications. \\nYou can tweak the EventCountThreshold based on average count seen in your environment \\nand also filter any known sources (IP/Account) and useragent combinations based on historical analysis to further reduce noise\",\"lastUpdatedDateUTC\":\"2022-07-04T00:00:00Z\",\"createdDateUTC\":\"2019-07-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureKeyVault\",\"dataTypes\":[\"KeyVaultData\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b619d1f1-7f39-4c7e-bf9e-afbb46457997\",\"name\":\"b619d1f1-7f39-4c7e-bf9e-afbb46457997\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let timeframe = 15m;\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(timeframe)\\n| where HttpUserAgentOriginal contains \\\"XMRig\\\" or HttpUserAgentOriginal contains \\\"ccminer\\\"\\n| extend Message = \\\"Crypto Miner User Agent\\\"\\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated,HttpUserAgentOriginal\\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - Crypto Miner User-Agent Detected\",\"description\":\"Detects suspicious user agent strings used by crypto miners in proxy logs.\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/dd03057e-4347-4853-bf1e-2b2d21eb4e59\",\"name\":\"dd03057e-4347-4853-bf1e-2b2d21eb4e59\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let DomainList = dynamic([\\\"monerohash.com\\\", \\\"do-dear.com\\\", \\\"xmrminerpro.com\\\", \\\"secumine.net\\\", \\\"xmrpool.com\\\", \\\"minexmr.org\\\", \\\"hashanywhere.com\\\", \\\"xmrget.com\\\",\\n\\\"mininglottery.eu\\\", \\\"minergate.com\\\", \\\"moriaxmr.com\\\", \\\"multipooler.com\\\", \\\"moneropools.com\\\", \\\"xmrpool.eu\\\", \\\"coolmining.club\\\", \\\"supportxmr.com\\\",\\n\\\"minexmr.com\\\", \\\"hashvault.pro\\\", \\\"xmrpool.net\\\", \\\"crypto-pool.fr\\\", \\\"xmr.pt\\\", \\\"miner.rocks\\\", \\\"walpool.com\\\", \\\"herominers.com\\\", \\\"gntl.co.uk\\\", \\\"semipool.com\\\",\\n\\\"coinfoundry.org\\\", \\\"cryptoknight.cc\\\", \\\"fairhash.org\\\", \\\"baikalmine.com\\\", \\\"tubepool.xyz\\\", \\\"fairpool.xyz\\\", \\\"asiapool.io\\\", \\\"coinpoolit.webhop.me\\\", \\\"nanopool.org\\\",\\n\\\"moneropool.com\\\", \\\"miner.center\\\", \\\"prohash.net\\\", \\\"poolto.be\\\", \\\"cryptoescrow.eu\\\", \\\"monerominers.net\\\", \\\"cryptonotepool.org\\\", \\\"extrmepool.org\\\", \\\"webcoin.me\\\",\\n\\\"kippo.eu\\\", \\\"hashinvest.ws\\\", \\\"monero.farm\\\", \\\"supportxmr.com\\\", \\\"xmrpool.eu\\\", \\\"linux-repository-updates.com\\\", \\\"1gh.com\\\", \\\"dwarfpool.com\\\", \\\"hash-to-coins.com\\\",\\n\\\"hashvault.pro\\\", \\\"pool-proxy.com\\\", \\\"hashfor.cash\\\", \\\"fairpool.cloud\\\", \\\"litecoinpool.org\\\", \\\"mineshaft.ml\\\", \\\"abcxyz.stream\\\", \\\"moneropool.ru\\\", \\\"cryptonotepool.org.uk\\\",\\n\\\"extremepool.org\\\", \\\"extremehash.com\\\", \\\"hashinvest.net\\\", \\\"unipool.pro\\\", \\\"crypto-pools.org\\\", \\\"monero.net\\\", \\\"backup-pool.com\\\", \\\"mooo.com\\\", \\\"freeyy.me\\\", \\\"cryptonight.net\\\",\\n\\\"shscrypto.net\\\"]);\\nSyslog\\n| where ProcessName contains \\\"squid\\\"\\n| extend URL = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :]*)\\\",3,SyslogMessage),\\n SourceIP = extract(\\\"([0-9]+ )(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3}))\\\",2,SyslogMessage),\\n Status = extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))\\\",1,SyslogMessage),\\n HTTP_Status_Code = extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))/([0-9]{3})\\\",8,SyslogMessage),\\n User = extract(\\\"(CONNECT |GET )([^ ]* )([^ ]+)\\\",3,SyslogMessage),\\n RemotePort = extract(\\\"(CONNECT |GET )([^ ]*)(:)([0-9]*)\\\",4,SyslogMessage),\\n Domain = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :\\\\\\\\/]*)\\\",3,SyslogMessage),\\n Bytes = toint(extract(\\\"([A-Z]+\\\\\\\\/[0-9]{3} )([0-9]+)\\\",2,SyslogMessage)),\\n contentType = extract(\\\"([a-z/]+$)\\\",1,SyslogMessage)\\n| extend TLD = extract(\\\"\\\\\\\\.[a-z]*$\\\",0,Domain)\\n| where HTTP_Status_Code == \u0027200\u0027\\n| where Domain contains \\\".\\\"\\n| where Domain has_any (DomainList)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"User\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URL\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"NRT Squid proxy events related to mining pools\",\"description\":\"Checks for Squid proxy events in Syslog associated with common mining pools .This query presumes the default Squid log format is being used.\\n http://www.squid-cache.org/Doc/config/access_log/\",\"lastUpdatedDateUTC\":\"2022-05-31T00:00:00Z\",\"createdDateUTC\":\"2019-07-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2b701288-b428-4fb8-805e-e4372c574786\",\"name\":\"2b701288-b428-4fb8-805e-e4372c574786\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"//The bigger the window the better the data sample size, as we use IP prevalence, more sample data is better.\\n//The minimum number of countries that the account has been accessed from [default: 2]\\nlet minimumCountries = 2;\\n//The delta (%) between the largest in-use IP and the smallest [default: 95]\\nlet deltaThreshold = 95;\\n//The maximum (%) threshold that the country appears in login data [default: 10]\\nlet countryPrevalenceThreshold = 10;\\n//The time to project forward after the last login activity [default: 60min]\\nlet projectedEndTime = 60m;\\nlet queryfrequency = 1d;\\nlet queryperiod = 14d;\\nlet aadFunc = (tableName: string) {\\n // Get successful signins to Teams\\n let signinData =\\n table(tableName)\\n | where TimeGenerated \u003e ago(queryperiod)\\n | where AppDisplayName has \\\"Teams\\\" and ConditionalAccessStatus =~ \\\"success\\\"\\n | extend Country = tostring(todynamic(LocationDetails)[\u0027countryOrRegion\u0027])\\n | where isnotempty(Country) and isnotempty(IPAddress);\\n // Calculate prevalence of countries\\n let countryPrevalence =\\n signinData\\n | summarize CountCountrySignin = count() by Country\\n | extend TotalSignin = toscalar(signinData | summarize count())\\n | extend CountryPrevalence = toreal(CountCountrySignin) / toreal(TotalSignin) * 100;\\n // Count signins by user and IP address\\n let userIpSignin =\\n signinData\\n | summarize CountIPSignin = count(), Country = any(Country), ListSigninTimeGenerated = make_list(TimeGenerated) by IPAddress, UserPrincipalName;\\n // Calculate delta between the IP addresses with the most and minimum activity by user\\n let userIpDelta =\\n userIpSignin\\n | summarize MaxIPSignin = max(CountIPSignin), MinIPSignin = min(CountIPSignin), DistinctCountries = dcount(Country), make_set(Country) by UserPrincipalName\\n | extend UserIPDelta = toreal(MaxIPSignin - MinIPSignin) / toreal(MaxIPSignin) * 100;\\n // Collect Team operations the user account has performed within a time range of the suspicious signins\\n OfficeActivity\\n | where TimeGenerated \u003e ago(queryfrequency)\\n | where Operation in~ (\\\"TeamsAdminAction\\\", \\\"MemberAdded\\\", \\\"MemberRemoved\\\", \\\"MemberRoleChanged\\\", \\\"AppInstalled\\\", \\\"BotAddedToTeam\\\")\\n | project OperationTimeGenerated = TimeGenerated, UserId = tolower(UserId), Operation\\n | join kind = inner(\\n userIpDelta\\n // Check users with activity from distinct countries\\n | where DistinctCountries \u003e= minimumCountries\\n // Check users with high IP delta\\n | where UserIPDelta \u003e= deltaThreshold\\n // Add information about signins and countries\\n | join kind = leftouter userIpSignin on UserPrincipalName\\n | join kind = leftouter countryPrevalence on Country\\n // Check activity that comes from nonprevalent countries\\n | where CountryPrevalence \u003c countryPrevalenceThreshold\\n | project\\n UserPrincipalName,\\n SuspiciousIP = IPAddress,\\n UserIPDelta,\\n SuspiciousSigninCountry = Country,\\n SuspiciousCountryPrevalence = CountryPrevalence,\\n EventTimes = ListSigninTimeGenerated\\n ) on $left.UserId == $right.UserPrincipalName\\n // Check the signins occured 60 min before the Teams operations\\n | mv-expand SigninTimeGenerated = EventTimes\\n | extend SigninTimeGenerated = todatetime(SigninTimeGenerated)\\n | where OperationTimeGenerated between (SigninTimeGenerated .. (SigninTimeGenerated + projectedEndTime))\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\\n| summarize arg_max(SigninTimeGenerated, *) by UserPrincipalName, SuspiciousIP, OperationTimeGenerated\\n| summarize\\n ActivitySummary = make_bag(pack(tostring(SigninTimeGenerated), pack(\\\"Operation\\\", tostring(Operation), \\\"OperationTime\\\", OperationTimeGenerated)))\\n by UserPrincipalName, SuspiciousIP, SuspiciousSigninCountry, SuspiciousCountryPrevalence\\n| extend IPCustomEntity = SuspiciousIP, AccountCustomEntity = UserPrincipalName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"Persistence\"],\"displayName\":\"Anomalous login followed by Teams action\",\"description\":\"Detects anomalous IP address usage by user accounts and then checks to see if a suspicious Teams action is performed.\\nQuery calculates IP usage Delta for each user account and selects accounts where a delta \u003e= 90% is observed between the most and least used IP.\\nTo further reduce results the query performs a prevalence check on the lowest used IP\u0027s country, only keeping IP\u0027s where the country is unusual for the tenant (dynamic ranges)\\nFinally the user accounts activity within Teams logs is checked for suspicious commands (modifying user privileges or admin actions) during the period the suspicious IP was active.\",\"lastUpdatedDateUTC\":\"2022-03-21T00:00:00Z\",\"createdDateUTC\":\"2020-06-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fa118b98-de46-4e94-87f9-8e6d5060b60b\",\"name\":\"fa118b98-de46-4e94-87f9-8e6d5060b60b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MLBehaviorAnalytics\",\"properties\":{\"severity\":\"Medium\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Anomalous SSH Login Detection\",\"description\":\"This detection uses machine learning (ML) to identify anomalous Secure Shell (SSH) login activity, based on syslog data. Scenarios include:\\n\\n*\\tUnusual IP - This IP address has not or has rarely been seen in last 30 days.\\n*\\tUnusual Geo - The IP address, city, country and ASN have not (or rarely) been seen in last 30 days.\\n*\\tNew user - A new user logs in from an IP address and geo location, both or either of which are not expected to be seen in the last 30 days.\\n\\nAllow 7 days after this alert is enabled for Microsoft Sentinel to build a profile of normal activity for your environment.\\n\\nThis detection requires a specific configuration of the data source. [Learn more](https://docs.microsoft.com/en-us/azure/sentinel/connect-syslog#configure-the-syslog-connector-for-anomalous-ssh-login-detection)\\n\\nBy enabling this rule, you give Microsoft permission to copy ingested data outside of your Microsoft Sentinel workspace\u0027s geography as necessary for processing by the machine learning engine.\",\"lastUpdatedDateUTC\":\"2021-03-26T00:00:00Z\",\"createdDateUTC\":\"2019-08-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c094384d-7ea7-4091-83be-18706ecca981\",\"name\":\"c094384d-7ea7-4091-83be-18706ecca981\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.1\",\"severity\":\"Low\",\"query\":\"let minersDomains=dynamic([\\\"monerohash.com\\\", \\\"do-dear.com\\\", \\\"xmrminerpro.com\\\", \\\"secumine.net\\\", \\\"xmrpool.com\\\", \\\"minexmr.org\\\", \\\"hashanywhere.com\\\", \\n\\\"xmrget.com\\\", \\\"mininglottery.eu\\\", \\\"minergate.com\\\", \\\"moriaxmr.com\\\", \\\"multipooler.com\\\", \\\"moneropools.com\\\", \\\"xmrpool.eu\\\", \\\"coolmining.club\\\", \\n\\\"supportxmr.com\\\", \\\"minexmr.com\\\", \\\"hashvault.pro\\\", \\\"xmrpool.net\\\", \\\"crypto-pool.fr\\\", \\\"xmr.pt\\\", \\\"miner.rocks\\\", \\\"walpool.com\\\", \\\"herominers.com\\\", \\n\\\"gntl.co.uk\\\", \\\"semipool.com\\\", \\\"coinfoundry.org\\\", \\\"cryptoknight.cc\\\", \\\"fairhash.org\\\", \\\"baikalmine.com\\\", \\\"tubepool.xyz\\\", \\\"fairpool.xyz\\\", \\\"asiapool.io\\\", \\n\\\"coinpoolit.webhop.me\\\", \\\"nanopool.org\\\", \\\"moneropool.com\\\", \\\"miner.center\\\", \\\"prohash.net\\\", \\\"poolto.be\\\", \\\"cryptoescrow.eu\\\", \\\"monerominers.net\\\", \\\"cryptonotepool.org\\\", \\n\\\"extrmepool.org\\\", \\\"webcoin.me\\\", \\\"kippo.eu\\\", \\\"hashinvest.ws\\\", \\\"monero.farm\\\", \\\"supportxmr.com\\\", \\\"xmrpool.eu\\\", \\\"linux-repository-updates.com\\\", \\\"1gh.com\\\", \\n\\\"dwarfpool.com\\\", \\\"hash-to-coins.com\\\", \\\"hashvault.pro\\\", \\\"pool-proxy.com\\\", \\\"hashfor.cash\\\", \\\"fairpool.cloud\\\", \\\"litecoinpool.org\\\", \\\"mineshaft.ml\\\", \\\"abcxyz.stream\\\", \\n\\\"moneropool.ru\\\", \\\"cryptonotepool.org.uk\\\", \\\"extremepool.org\\\", \\\"extremehash.com\\\", \\\"hashinvest.net\\\", \\\"unipool.pro\\\", \\\"crypto-pools.org\\\", \\\"monero.net\\\", \\n\\\"backup-pool.com\\\", \\\"mooo.com\\\", \\\"freeyy.me\\\", \\\"cryptonight.net\\\", \\\"shscrypto.net\\\"]);\\n_Im_Dns(domain_has_any=minersDomains)\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"DNS events related to mining pools (ASIM DNS Schema)\",\"description\":\"Identifies IP addresses that may be performing DNS lookups associated with common currency mining pools.\\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema\",\"lastUpdatedDateUTC\":\"2022-04-10T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/99d589fa-7337-40d7-91a0-c96d0c4fa437\",\"name\":\"99d589fa-7337-40d7-91a0-c96d0c4fa437\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let core_domains = (SigninLogs\\n | where TimeGenerated \u003e ago(7d)\\n | where ResultType == 0\\n | extend domain = tolower(split(UserPrincipalName, \\\"@\\\")[1])\\n | summarize by tostring(domain));\\n let alternative_domains = (SigninLogs\\n | where TimeGenerated \u003e ago(7d)\\n | where isnotempty(AlternateSignInName)\\n | where ResultType == 0\\n | extend domain = tolower(split(AlternateSignInName, \\\"@\\\")[1])\\n | summarize by tostring(domain));\\n AuditLogs\\n | where TimeGenerated \u003e ago(1d)\\n | where OperationName =~ \\\"Add User\\\"\\n | extend AddingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend AddingSPN = tostring(parse_json(tostring(InitiatedBy.app)).servicePrincipalName)\\n | extend AddedBy = iif(isnotempty(AddingUser), AddingUser, AddingSPN)\\n | extend UserAdded = tostring(TargetResources[0].userPrincipalName)\\n | extend Domain = tolower(split(UserAdded, \\\"@\\\")[1])\\n | where Domain !in (core_domains) and Domain !in (alternative_domains)\\n | project-away AddingUser\\n | project-reorder TimeGenerated, UserAdded, Domain, AddedBy\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddedBy\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserAdded\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Account created from non-approved sources\",\"description\":\"This query looks for account being created from a domain that is not regularly seen in a tenant.\\n Attackers may attempt to add accounts from these sources as a means of establishing persistant access to an environment.\\n Created accounts should be investigated to ensure they were legitimated created.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#short-lived-accounts\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\",\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/15ae38a2-2e29-48f7-883f-863fb25a5a06\",\"name\":\"15ae38a2-2e29-48f7-883f-863fb25a5a06\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P8D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let starttime = 8d;\\nlet endtime = 1d;\\nlet threshold = 10;\\nDnsEvents \\n| where TimeGenerated \u003e ago(endtime)\\n| where Name contains \\\"in-addr.arpa\\\" \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), dcount(Name) by ClientIP\\n| where dcount_Name \u003e threshold\\n| project StartTimeUtc, EndTimeUtc, ClientIP , dcount_Name \\n| join kind=leftanti (DnsEvents \\n | where TimeGenerated between(ago(starttime)..ago(endtime))\\n | where Name contains \\\"in-addr.arpa\\\" \\n | summarize dcount(Name) by ClientIP, bin(TimeGenerated, 1d)\\n | where dcount_Name \u003e threshold\\n | project ClientIP , dcount_Name \\n) on ClientIP\\n| extend timestamp = StartTimeUtc, IPCustomEntity = ClientIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Discovery\"],\"displayName\":\"Rare client observed with high reverse DNS lookup count\",\"description\":\"Identifies clients with a high reverse DNS counts which could be carrying out reconnaissance or discovery activity.\\nAlert is generated if the IP performing such reverse DNS lookups was not seen doing so in the preceding 7-day period.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a7427ed7-04b4-4e3b-b323-08b981b9b4bf\",\"name\":\"a7427ed7-04b4-4e3b-b323-08b981b9b4bf\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.4.0\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\n let ioc_lookBack = 14d;\\n ThreatIntelligenceIndicator\\n | where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n | where Active == true\\n | where isnotempty(FileHashValue)\\n | extend FileHashValue = toupper(FileHashValue)\\n // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n | join kind=innerunique ( union isfuzzy=true \\n (SecurityEvent | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where EventID in (\\\"8003\\\",\\\"8002\\\",\\\"8005\\\")\\n | where isnotempty(FileHash)\\n | extend SecurityEvent_TimeGenerated = TimeGenerated, Event = EventID, FileHash = toupper(FileHash)\\n ),\\n (WindowsEvent | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where EventID in (\\\"8003\\\",\\\"8002\\\",\\\"8005\\\")\\n | where isnotempty(EventData.FileHash)\\n | extend SecurityEvent_TimeGenerated = TimeGenerated, Event = EventID, FileHash = toupper(EventData.FileHash)\\n )\\n )\\n on $left.FileHashValue == $right.FileHash\\n | where SecurityEvent_TimeGenerated \u003c ExpirationDateTime\\n | summarize SecurityEvent_TimeGenerated = arg_max(SecurityEvent_TimeGenerated, *) by IndicatorId, FileHash\\n | project SecurityEvent_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\n Process, FileHash, Computer, Account, Event, FileHashValue, FileHashType\\n | extend timestamp = SecurityEvent_TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Value\",\"columnName\":\"FileHashValue\"},{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashType\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map File Hash to Security Event\",\"description\":\"Identifies a match in Security Event data from any File Hash IOC from TI\",\"lastUpdatedDateUTC\":\"2022-07-07T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1bf6e165-5e32-420e-ab4f-0da8558a8be2\",\"name\":\"1bf6e165-5e32-420e-ab4f-0da8558a8be2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"// How far back to look for events from\\nlet timeframe = 1d;\\n// How close together build events and file modifications should occur to alert (make this smaller to reduce FPs)\\nlet time_window = 5m;\\n// Edit this to include build processes used\\nlet build_processes = dynamic([\\\"MSBuild.exe\\\", \\\"dotnet.exe\\\", \\\"VBCSCompiler.exe\\\"]);\\n// Include any processes that you want to allow to edit files during/around the build process\\nlet allow_list = dynamic([]);\\nDeviceProcessEvents\\n| where TimeGenerated \u003e ago(timeframe)\\n// Look for build process starts\\n| where FileName has_any (build_processes)\\n| summarize by BuildParentProcess=InitiatingProcessFileName, BuildProcess=FileName, BuildAccount = AccountName, DeviceName, BuildCommand=ProcessCommandLine, timekey= bin(TimeGenerated, time_window), BuildProcessTime=TimeGenerated\\n| join kind=inner(\\nDeviceFileEvents\\n| where TimeGenerated \u003e ago(timeframe)\\n| where InitiatingProcessFileName !in (allow_list)\\n| where ActionType == \\\"FileCreated\\\" or ActionType == \\\"FileModified\\\"\\n// Look for code files, edit this to include file extensions used in build.\\n| where FileName endswith \\\".cs\\\" or FileName endswith \\\".cpp\\\"\\n| summarize by FileEditParentProcess=InitiatingProcessParentFileName, FileEditAccount = InitiatingProcessAccountName, DeviceName, FileEdited=FileName, FileEditProcess=InitiatingProcessFileName, timekey= bin(TimeGenerated, time_window), FileEditTime=TimeGenerated)\\n// join where build processes and file modifications seen at same time on same host\\non timekey, DeviceName\\n// Limit to only where the file edit happens after the build process starts\\n| where BuildProcessTime \u003c= FileEditTime\\n| summarize make_set(FileEdited), make_set(FileEditProcess), make_set(FileEditAccount) by timekey, DeviceName, BuildParentProcess, BuildProcess\\n| extend HostCustomEntity=DeviceName, timestamp=timekey\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Potential Build Process Compromise - MDE\",\"description\":\"The query looks for source code files being modified immediately after a build process is started. The purpose of this is to look for malicious code injection during the build process. This query uses Microsoft Defender for Endpoint telemetry.\\nMore details: https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-the-software-supply-chain-with-azure-sentinel/ba-p/2176463\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\",\"DeviceFileEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/957cb240-f45d-4491-9ba5-93430a3c08be\",\"name\":\"957cb240-f45d-4491-9ba5-93430a3c08be\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Low\",\"query\":\"OfficeActivity\\n| where Operation in~ ( \\\"Add-MailboxPermission\\\", \\\"Add-MailboxFolderPermission\\\", \\\"Set-Mailbox\\\", \\\"New-ManagementRoleAssignment\\\", \\\"New-InboxRule\\\", \\\"Set-InboxRule\\\", \\\"Set-TransportRule\\\")\\nand not(UserId has_any (\u0027NT AUTHORITY\\\\\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\u0027, \u0027NT AUTHORITY\\\\\\\\SYSTEM (w3wp)\u0027, \u0027devilfish-applicationaccount\u0027) and Operation in~ ( \\\"Add-MailboxPermission\\\", \\\"Set-Mailbox\\\"))\\n| extend ClientIPOnly = tostring(extract_all(@\u0027\\\\[?(::ffff:)?(?P\u003cIPAddress\u003e(\\\\d+\\\\.\\\\d+\\\\.\\\\d+\\\\.\\\\d+)|[^\\\\]]+)\\\\]?\u0027, dynamic([\\\"IPAddress\\\"]), ClientIP)[0][0])\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = ClientIPOnly\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"Collection\"],\"displayName\":\"Rare and potentially high-risk Office operations\",\"description\":\"Identifies Office operations that are typically rare and can provide capabilities useful to attackers.\",\"lastUpdatedDateUTC\":\"2022-05-24T00:00:00Z\",\"createdDateUTC\":\"2019-02-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2fc5d810-c9cc-491a-b564-841427ae0e50\",\"name\":\"2fc5d810-c9cc-491a-b564-841427ae0e50\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @\u0027^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$\u0027;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique ( \\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e= ago(dt_lookBack) and isnotempty(TargetUserName)\\n//Normalizing the column to lower case for exact match with EmailSenderAddress column\\n| extend TargetUserName = tolower(TargetUserName)\\n// renaming timestamp column so it is clear the log this came from SecurityEvent table\\n| extend SecurityEvent_TimeGenerated = TimeGenerated\\n),\\n(WindowsEvent\\n| where TimeGenerated \u003e= ago(dt_lookBack) \\n| extend TargetUserName = tostring(EventData.TargetUserName) \\n| where isnotempty(TargetUserName)\\n//Normalizing the column to lower case for exact match with EmailSenderAddress column\\n| extend TargetUserName = tolower(TargetUserName)\\n// renaming timestamp column so it is clear the log this came from SecurityEvent table\\n| extend SecurityEvent_TimeGenerated = TimeGenerated\\n))\\n)\\non $left.EmailSenderAddress == $right.TargetUserName\\n| where SecurityEvent_TimeGenerated \u003c ExpirationDateTime\\n| summarize SecurityEvent_TimeGenerated = arg_max(SecurityEvent_TimeGenerated, *) by IndicatorId, TargetUserName\\n| project SecurityEvent_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, Computer, EventID, TargetUserName, Activity, IpAddress, AccountType,\\nLogonTypeName, LogonProcessName, Status, SubStatus\\n| extend\\ntimestamp = SecurityEvent_TimeGenerated,\\nAccountCustomEntity = TargetUserName,\\nIPCustomEntity = IpAddress,\\nHostCustomEntity = Computer,\\nURLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map Email entity to SecurityEvent\",\"description\":\"Identifies a match in SecurityEvent table from any Email IOC from TI\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/01f64465-b1ef-41ea-a7f5-31553a11ad43\",\"name\":\"01f64465-b1ef-41ea-a7f5-31553a11ad43\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Medium\",\"query\":\"let endpointData = \\n(union isfuzzy=true\\n(SecurityEvent\\n | where EventID == 4688\\n | extend shortFileName = tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n ),\\n (WindowsEvent\\n | where EventID == 4688\\n | extend NewProcessName = tostring(EventData.NewProcessName)\\n | extend shortFileName = tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n | extend TargetUserName = tostring(EventData.TargetUserName)\\n ));\\n// Correlate suspect executables seen in TrendMicro rule updates with similar activity on endpoints\\nCommonSecurityLog\\n| where DeviceVendor =~ \\\"Trend Micro\\\"\\n| where Activity =~ \\\"Deny List updated\\\" \\n| where RequestURL endswith \\\".exe\\\"\\n| project TimeGenerated, Activity , RequestURL , SourceIP, DestinationIP\\n| extend suspectExeName = tolower(tostring(split(RequestURL, \u0027/\u0027)[-1]))\\n| join (endpointData) on $left.suspectExeName == $right.shortFileName \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIP, AccountCustomEntity = TargetUserName, HostCustomEntity = Computer, URLCustomEntity = RequestURL\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"Network endpoint to host executable correlation\",\"description\":\"Correlates blocked URLs hosting [malicious] executables with host endpoint data\\nto identify potential instances of executables of the same name having been recently run.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2019-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"TrendMicro\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5efb0cfd-063d-417a-803b-562eae5b0301\",\"name\":\"5efb0cfd-063d-417a-803b-562eae5b0301\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 6h;\\n// Ignore Build/Releases with less/equal this number\\nlet ServiceConnectionThreshold = 3;\\n// New Connections need to exhibit execution of more \\\"new\\\" connections than this number.\\nlet NewConnectionThreshold = 1;\\n// List of Builds/Releases to ignore in your space\\nlet BypassDefIds = datatable(DefId:string, Type:string, ProjectName:string)\\n[\\n//\\\"103\\\", \\\"Release\\\", \\\"ProjectA\\\",\\n//\\\"42\\\", \\\"Release\\\", \\\"ProjectB\\\",\\n//\\\"122\\\", \\\"Build\\\", \\\"ProjectB\\\"\\n];\\nlet HistoricDefs = AzureDevOpsAuditing\\n| where TimeGenerated between (ago(starttime) .. ago(endtime))\\n| where OperationName == \\\"Library.ServiceConnectionExecuted\\\" \\n| extend DefId = tostring(Data.DefinitionId), Type = tostring(Data.PlanType), ConnectionId = tostring(Data.ConnectionId)\\n| summarize HistoricCount = dcount(tostring(ConnectionId)), ConnectionNames = make_set(tostring(Data.ConnectionName)) \\n by DefId = tostring(DefId), Type = tostring(Type), ProjectId, ProjectName, ActorUPN;\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e= ago(endtime)\\n| where OperationName == \\\"Library.ServiceConnectionExecuted\\\" \\n| extend DefId = tostring(Data.DefinitionId), Type = tostring(Data.PlanType), ConnectionId = tostring(Data.ConnectionId)\\n| parse ScopeDisplayName with OrganizationName \u0027 (Organization)\u0027\\n| summarize CurrentCount = dcount(tostring(ConnectionId)), ConnectionNames = make_set(tostring(Data.ConnectionName)), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) \\n by OrganizationName, DefId = tostring(DefId), Type = tostring(Type), ProjectId, ProjectName, ActorUPN\\n| where CurrentCount \u003e ServiceConnectionThreshold\\n| join (HistoricDefs) on ProjectId, DefId, Type, ActorUPN\\n| join kind=anti BypassDefIds on $left.DefId==$right.DefId and $left.Type == $right.Type and $left.ProjectName == $right.ProjectName\\n| extend link = iff(\\nType == \\\"Build\\\", strcat(\u0027https://dev.azure.com/\u0027, OrganizationName, \u0027/\u0027, ProjectName, \u0027/_build?definitionId=\u0027, DefId),\\nstrcat(\u0027https://dev.azure.com/\u0027, OrganizationName, \u0027/\u0027, ProjectName, \u0027/_release?_a=releases\u0026view=mine\u0026definitionId=\u0027, DefId))\\n| where CurrentCount \u003e= HistoricCount + NewConnectionThreshold\\n| project StartTime, OrganizationName, ProjectName, DefId, link, RecentDistinctServiceConnections = CurrentCount, HistoricDistinctServiceConnections = HistoricCount, \\n RecentConnections = ConnectionNames, HistoricConnections = ConnectionNames1, ActorUPN\\n| extend timestamp = StartTime, AccountCustomEntity = ActorUPN\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"Impact\"],\"displayName\":\"Azure DevOps Service Connection Addition/Abuse - Historic allow list\",\"description\":\"This detection builds an allow list of historic service connection use by Builds and Releases and compares to recent history, flagging growth of service connection use which are not manually included in the allow list and \\nnot historically included in the allow list Build/Release runs. This is to determine if someone is hijacking a build/release and adding many service connections in order to abuse or dump credentials from service connections.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2020-06-04T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3bd33158-3f0b-47e3-a50f-7c20a1b88038\",\"name\":\"3bd33158-3f0b-47e3-a50f-7c20a1b88038\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"let SpringShell_threats = dynamic([\\\"Trojan:Python/SpringShellExpl\\\", \\\"Exploit:Python/SpringShell\\\", \\\"Backdoor:PHP/Remoteshell.V\\\", \\\"SpringShell\\\"]);\\nDeviceInfo\\n| extend DeviceName = tolower(DeviceName)\\n| join kind=inner ( SecurityAlert\\n| where ProviderName == \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)\\n| where ThreatName in~ (SpringShell_threats) or ThreatFamilyName in~ (SpringShell_threats)\\n| extend CompromisedEntity = tolower(CompromisedEntity)\\n) on $left.DeviceName == $right.CompromisedEntity\\n| summarize by DisplayName, ThreatName, ThreatFamilyName, PublicIP, AlertSeverity, Description, tostring(LoggedOnUsers), DeviceId, TenantId , bin(TimeGenerated, 1d), CompromisedEntity, tostring(LoggedOnUsers), ProductName, Entities\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CompromisedEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"PublicIP\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"AV detections related to SpringShell Vulnerability\",\"description\":\"This query looks for Microsoft Defender AV detections related to SpringShell Vulnerability. In Microsoft Sentinel the SecurityAlerts table includes only the Device Name of the affected device, \\n this query joins the DeviceInfo table to clearly connect other information such as Device group, ip, logged on users etc. This would allow the Microsoft Sentinel analyst to have more context related to the alert, if available.\\n Reference: https://www.microsoft.com/security/blog/2022/04/04/springshell-rce-vulnerability-guidance-for-protecting-against-and-detecting-cve-2022-22965/\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-04-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b4ceb583-4c44-4555-8ecf-39f572e827ba\",\"name\":\"b4ceb583-4c44-4555-8ecf-39f572e827ba\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet scorethreshold = 1.5;\\nlet percentthreshold = 50;\\n// Preparing the time series data aggregated hourly count of MailItemsAccessd Operation in the form of multi-value array to use with time series anomaly function.\\nlet TimeSeriesData =\\nOfficeActivity\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where OfficeWorkload=~ \\\"Exchange\\\" and Operation =~ \\\"MailItemsAccessed\\\" and ResultStatus =~ \\\"Succeeded\\\"\\n| project TimeGenerated, Operation, MailboxOwnerUPN\\n| make-series Total=count() on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe;\\nlet TimeSeriesAlerts = TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(Total, scorethreshold, -1, \u0027linefit\u0027)\\n| mv-expand Total to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to typeof(double), baseline to typeof(long)\\n| where anomalies \u003e 0\\n| project TimeGenerated, Total, baseline, anomalies, score;\\n// Joining the flagged outlier from the previous step with the original dataset to present contextual information\\n// during the anomalyhour to analysts to conduct investigation or informed decisions.\\nTimeSeriesAlerts | where TimeGenerated \u003e ago(2d)\\n// Join against base logs since specified timeframe to retrive records associated with the hour of anomoly\\n| join (\\n OfficeActivity\\n | where TimeGenerated \u003e ago(2d)\\n | extend DateHour = bin(TimeGenerated, 1h)\\n | where OfficeWorkload=~ \\\"Exchange\\\" and Operation =~ \\\"MailItemsAccessed\\\" and ResultStatus =~ \\\"Succeeded\\\"\\n | summarize HourlyCount=count(), TimeGeneratedMax = arg_max(TimeGenerated, *), IPAdressList = make_set(Client_IPAddress), SourceIPMax= arg_max(Client_IPAddress, *), ClientInfoStringList= make_set(ClientInfoString) by MailboxOwnerUPN, Logon_Type, TenantId, UserType, TimeGenerated = bin(TimeGenerated, 1h) \\n | where HourlyCount \u003e 25 // Only considering operations with more than 25 hourly count to reduce False Positivies\\n | order by HourlyCount desc \\n) on TimeGenerated\\n| extend PercentofTotal = round(HourlyCount/Total, 2) * 100 \\n| where PercentofTotal \u003e percentthreshold // Filter Users with count of less than 5 percent of TotalEvents per Hour to remove FPs/ users with very low count of MailItemsAccessed events\\n| order by PercentofTotal desc \\n| project-reorder TimeGeneratedMax, Type, OfficeWorkload, Operation, UserId,SourceIPMax ,IPAdressList, ClientInfoStringList, HourlyCount, PercentofTotal, Total, baseline, score, anomalies\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserId\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"Collection\"],\"displayName\":\"Exchange workflow MailItemsAccessed operation anomaly\",\"description\":\"Identifies anomalous increases in Exchange mail items accessed operations.\\nThe query leverages KQL built-in anomaly detection algorithms to find large deviations from baseline patterns.\\nSudden increases in execution frequency of sensitive actions should be further investigated for malicious activity.\\nManually change scorethreshold from 1.5 to 3 or higher to reduce the noise based on outliers flagged from the query criteria.\\nRead more about MailItemsAccessed- https://docs.microsoft.com/microsoft-365/compliance/advanced-audit?view=o365-worldwide#mailitemsaccessed\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/00cb180c-08a8-4e55-a276-63fb1442d5b5\",\"name\":\"00cb180c-08a8-4e55-a276-63fb1442d5b5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let cmdTokens0 = dynamic([\u0027vbscript\u0027,\u0027jscript\u0027]);\\nlet cmdTokens1 = dynamic([\u0027mshtml\u0027,\u0027RunHTMLApplication\u0027]);\\nlet cmdTokens2 = dynamic([\u0027Execute\u0027,\u0027CreateObject\u0027,\u0027RegRead\u0027,\u0027window.close\u0027]);\\n(union isfuzzy=true \\n(SecurityEvent\\n| where TimeGenerated \u003e= ago(14d)\\n| where EventID == 4688\\n| where CommandLine has @\u0027\\\\Microsoft\\\\Windows\\\\CurrentVersion\u0027\\n| where not(CommandLine has_any (@\u0027\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\u0027, @\u0027\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\u0027))\\n// If you are receiving false positives, then it may help to make the query more strict by uncommenting one or both of the lines below to refine the matches\\n//| where CommandLine has_any (cmdTokens0)\\n//| where CommandLine has_all (cmdTokens1)\\n| where CommandLine has_all (cmdTokens2)\\n| project TimeGenerated, Computer, Account, Process, NewProcessName, CommandLine, ParentProcessName, _ResourceId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account\\n),\\n(WindowsEvent\\n| where TimeGenerated \u003e= ago(14d)\\n| where EventID == 4688 and EventData has_all(cmdTokens2) and EventData has @\u0027\\\\Microsoft\\\\Windows\\\\CurrentVersion\u0027\\n| where not(EventData has_any (@\u0027\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\u0027, @\u0027\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\u0027))\\n| extend CommandLine = tostring(EventData.CommandLine)\\n| where CommandLine has @\u0027\\\\Microsoft\\\\Windows\\\\CurrentVersion\u0027\\n| where not(CommandLine has_any (@\u0027\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\u0027, @\u0027\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\u0027))\\n// If you are receiving false positives, then it may help to make the query more strict by uncommenting one or both of the lines below to refine the matches\\n//| where CommandLine has_any (cmdTokens0)\\n//| where CommandLine has_all (cmdTokens1)\\n| where CommandLine has_all (cmdTokens2)\\n| extend Account = strcat(EventData.SubjectDomainName,\\\"\\\\\\\\\\\", EventData.SubjectUserName)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| extend ParentProcessName = tostring(EventData.ParentProcessName) \\n| project TimeGenerated, Computer, Account, Process, NewProcessName, CommandLine, ParentProcessName, _ResourceId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account))\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"NOBELIUM - Script payload stored in Registry\",\"description\":\"This query idenifies when a process execution commandline indicates that a registry value is written to allow for later execution a malicious script\\n References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-03-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3cc5ccd8-b416-4141-bb2d-4eba370e37a5\",\"name\":\"3cc5ccd8-b416-4141-bb2d-4eba370e37a5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Medium\",\"query\":\"let OMIVulnerabilityPatchVersion = \\\"OMIVulnerabilityPatchVersion:1.13.40-0\\\";\\nHeartbeat\\n| where Category == \\\"Direct Agent\\\"\\n| summarize arg_max(TimeGenerated,*) by Computer\\n| parse strcat(\\\"Version:\\\" , Version) with * \\\"Version:\\\" Major:long \\\".\\\"\\nMinor:long \\\".\\\" Patch:long \\\"-\\\" *\\n| parse OMIVulnerabilityPatchVersion with * \\\"OMIVulnerabilityPatchVersion:\\\"\\nOMIVersionMajor:long \\\".\\\" OMIVersionMinor:long \\\".\\\" OMIVersionPatch:long \\\"-\\\" *\\n| where Major \u003cOMIVersionMajor or (Major==OMIVersionMajor and Minor\\n\u003cOMIVersionMinor) or (Major==OMIVersionMajor and Minor==OMIVersionMinor and\\nPatch\u003cOMIVersionPatch) \\n| project Version, Major,Minor,Patch,\\nComputer,ComputerIP,OSType,OSName,ResourceId\",\"customDetails\":{\"HostIp\":\"ComputerIP\",\"OSType\":\"OSType\",\"OSName\":\"OSName\"},\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceId\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"OMI Vulnerability Exploitation\",\"description\":\"Following the September 14th, 2021 release of three Elevation of Privilege\\n(EoP) vulnerabilities (CVE-2021-38645, CVE-2021-38649, CVE-2021-38648) and one\\nunauthenticated Remote Code Execution (RCE) vulnerability (CVE-2021-38647) in\\nthe Open Management Infrastructure (OMI) Framework.\\nThis detection validates that any OMS-agent that is reporting to the Microsoft\\nSentinel workspace is updated with the patch. The detection will go over the\\nheartbeats received from all agents over the last day and will create alert\\nfor those agents who are not updated.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2021-09-23T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c1c66f0b-5531-4a3e-a619-9d2f770ef730\",\"name\":\"c1c66f0b-5531-4a3e-a619-9d2f770ef730\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n | where TimeGenerated between(ago(14d)..ago(1d))\\n | where OperationName =~ \\\"Add member to role completed (PIM activation)\\\"\\n | where Result =~ \\\"success\\\"\\n | extend ElevatedUser = tostring(TargetResources[2].userPrincipalName)\\n | extend displayName = tostring(TargetResources[0].displayName)\\n | extend displayName2 = tostring(TargetResources[3].displayName)\\n | extend ElevatedRole = iif(displayName =~ \\\"Member\\\", displayName2, displayName)\\n | join kind = rightanti (AuditLogs\\n | where TimeGenerated \u003e ago(1d)\\n | where OperationName =~ \\\"Add member to role completed (PIM activation)\\\"\\n | where Result =~ \\\"success\\\"\\n | extend ElevatedUser = tostring(TargetResources[2].userPrincipalName)\\n | extend displayName = tostring(TargetResources[0].displayName)\\n | extend displayName2 = tostring(TargetResources[3].displayName)\\n | extend ElevatedRole = iif(displayName =~ \\\"Member\\\", displayName2, displayName)\\n | extend ElevatedBy = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)) on ElevatedRole, ElevatedUser\\n | project-reorder ElevatedUser, ElevatedRole, ResultReason,ElevatedBy\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ElevatedUser\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ElevatedBy\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Account Elevated to New Role\",\"description\":\"Detects an account that is elevated to a new role where that account has not had that role in the last 14 days.\\n Role elevations are a key mechanism for gaining permissions, monitoring which users have which roles, and for anomalies in those roles is useful for finding suspicious activity.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d0c82b7f-40b2-4180-a4d6-7aa0541b7599\",\"name\":\"d0c82b7f-40b2-4180-a4d6-7aa0541b7599\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let threshold = 3;\\nPulseConnectSecure\\n| where Messages contains \\\"Unauthenticated request url /dana-na/\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by Source_IP\\n| where count_ \u003e threshold\\n| extend timestamp = StartTime, IPCustomEntity = Source_IP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"PulseConnectSecure - CVE-2021-22893 Possible Pulse Connect Secure RCE Vulnerability Attack\",\"description\":\"This query identifies exploitation attempts using Pulse Connect Secure(PCS) vulnerability (CVE-2021-22893) to the VPN server\",\"lastUpdatedDateUTC\":\"2022-05-11T00:00:00Z\",\"createdDateUTC\":\"2022-05-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PulseConnectSecure\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bf0cde21-0c41-48f6-a40c-6b5bd71fa106\",\"name\":\"bf0cde21-0c41-48f6-a40c-6b5bd71fa106\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"AWSGuardDuty | extend tokens = split(ActivityType,\\\":\\\") | extend ThreatPurpose = tokens[0], tokens= split(tokens[1],\\\"/\\\") | extend ResourceTypeAffected = tokens[0], ThreatFamilyName= tokens[1] | extend UniqueFindingId = Id | extend AWSAcoundId = AccountId | project-away tokens,ActivityType, Id, AccountId | project-away TimeGenerated, TenantId, SchemaVersion, Region, Partition | extend Severity= iff(Severity between (7.0..8.9),\\\"High\\\",iff(Severity between (4.0..6.9), \\\"Medium\\\", iff(Severity between (1.0..3.9),\\\"Low\\\",\\\"Unknown\\\")))\",\"customDetails\":{\"ThreatPurpose\":\"ThreatPurpose\",\"ResourceTypeAffected\":\"ResourceTypeAffected\",\"UniqueFindingId\":\"UniqueFindingId\"},\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"Arn\"},{\"identifier\":\"ObjectGuid\",\"columnName\":\"AWSAcoundId\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"{{Title}}\",\"alertDescriptionFormat\":\"{{Description}}\",\"alertTacticsColumnName\":\"ThreatPurpose\",\"alertSeverityColumnName\":\"Severity\"},\"displayName\":\"AWS Guard Duty Alert\",\"description\":\"Amazon GuardDuty is a threat detection service that continuously monitors your AWS accounts and workloads for malicious activity and delivers detailed security findings for visibility and remediation. This templates create an alert for each Amazon GuardDuty finding.\",\"lastUpdatedDateUTC\":\"2022-02-08T00:00:00Z\",\"createdDateUTC\":\"2021-11-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSGuardDuty\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b6685757-3ed1-4b05-a5bd-2cacadc86c2a\",\"name\":\"b6685757-3ed1-4b05-a5bd-2cacadc86c2a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"High\",\"query\":\"let UA_threats = dynamic([\\\"FoxBlade\\\", \\\"WhisperGate\\\", \\\"Lasainraw\\\", \\\"SonicVote\\\"]);\\n SecurityAlert\\n | where ProviderName == \\\"MDATP\\\"\\n | extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)\\n | where ThreatFamilyName in (UA_threats)\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CompromisedEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"AV detections related to Ukraine threats\",\"description\":\"This query looks for Microsoft Defender AV detections for malware observed in relation to the war in Ukraine.\\n Ref: https://msrc-blog.microsoft.com/2022/02/28/analysis-resources-cyber-threat-activity-ukraine/ \",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-03-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cf3ede88-a429-493b-9108-3e46d3c741f7\",\"name\":\"cf3ede88-a429-493b-9108-3e46d3c741f7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let timeRange = 6h;\\nlet authenticationWindow = 1h;\\nlet authenticationThreshold = 5;\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeRange)\\n| where EventID == 4624 or EventID == 4625\\n| where IpAddress != \\\"-\\\" and isnotempty(Account)\\n| extend Outcome = iff(EventID == 4624, \\\"Success\\\", \\\"Failure\\\")\\n// bin outcomes into 5 minute windows to reduce the volume of data\\n| summarize OutcomeCount=count() by Account, IpAddress, Computer, Outcome, bin(TimeGenerated, 5m)\\n| project TimeGenerated, Account, IpAddress, Computer, Outcome, OutcomeCount\\n// sort ready for sessionizing - by account and time of the authentication outcome\\n| sort by Account asc, TimeGenerated asc\\n| serialize \\n// sessionize into failure groupings until either the account changes or there is a success\\n| extend SessionStartedUtc = row_window_session(TimeGenerated, timeRange, authenticationWindow, Account != prev(Account) or prev(Outcome) == \\\"Success\\\")\\n// count the failures in each session\\n| summarize FailureCountBeforeSuccess=sumif(OutcomeCount, Outcome == \\\"Failure\\\"), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), makelist(Outcome), makeset(Computer), makeset(IpAddress) by SessionStartedUtc, Account\\n// the session must not start with a success, and must end with one\\n| where array_index_of(list_Outcome, \\\"Success\\\") != 0\\n| where array_index_of(list_Outcome, \\\"Success\\\") == array_length(list_Outcome) - 1\\n| project-away SessionStartedUtc, list_Outcome \\n// where the number of failures before the success is above the threshold \\n| where FailureCountBeforeSuccess \u003e= authenticationThreshold\\n// expand out ip and computer for customer entity assignment\\n| mvexpand set_IpAddress, set_Computer\\n| extend IpAddress = tostring(set_IpAddress), Computer = tostring(set_Computer)\\n| extend timestamp=StartTime, AccountCustomEntity=Account, HostCustomEntity=Computer, IPCustomEntity=IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"SecurityEvent - Multiple authentication failures followed by a success\",\"description\":\"Identifies accounts who have failed to logon to the domain multiple times in a row, followed by a successful authentication\\nwithin a short time frame. Multiple failed attempts followed by a success can be an indication of a brute force attempt or\\npossible mis-configuration of a service account within an environment.\\nThe lookback is set to 6h and the authentication window and threshold are set to 1h and 5, meaning we need to see a minimum\\nof 5 failures followed by a success for an account within 1 hour to surface an alert.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-04-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cecdbd4c-4902-403c-8d4b-32eb1efe460b\",\"name\":\"cecdbd4c-4902-403c-8d4b-32eb1efe460b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.4.1\",\"severity\":\"High\",\"query\":\"let domains = dynamic([\\\"incomeupdate.com\\\",\\\"zupertech.com\\\",\\\"databasegalore.com\\\",\\\"panhardware.com\\\",\\\"avsvmcloud.com\\\",\\\"digitalcollege.org\\\",\\\"freescanonline.com\\\",\\\"deftsecurity.com\\\",\\\"thedoccloud.com\\\",\\\"virtualdataserver.com\\\",\\\"lcomputers.com\\\",\\\"webcodez.com\\\",\\\"globalnetworkissues.com\\\",\\\"kubecloud.com\\\",\\\"seobundlekit.com\\\",\\\"solartrackingsystem.net\\\",\\\"virtualwebdata.com\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n | parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n | where DNSName in~ (domains) or DestinationHostName has_any (domains) or RequestURL has_any(domains)\\n | extend AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName, IPCustomEntity = SourceIP\\n ),\\n(_Im_Dns (domain_has_any=domains)\\n | extend DNSName = DnsQuery\\n | extend IPCustomEntity = SrcIpAddr\\n ),\\n(VMConnection \\n | parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n | where isnotempty(DNSName)\\n | where DNSName in~ (domains)\\n | extend IPCustomEntity = RemoteIp\\n ),\\n(DeviceNetworkEvents \\n | where isnotempty(RemoteUrl) \\n | where RemoteUrl has_any (domains) \\n | extend DNSName = RemoteUrl\\n | extend IPCustomEntity = RemoteIP \\n | extend HostCustomEntity = DeviceName \\n ),\\n(AzureDiagnostics \\n | where ResourceType == \\\"AZUREFIREWALLS\\\"\\n | where Category == \\\"AzureFirewallApplicationRule\\\"\\n | parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n | where isnotempty(DestinationHost)\\n | where DestinationHost has_any (domains) \\n | extend DNSName = DestinationHost \\n | extend IPCustomEntity = SourceHost\\n ) \\n )\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"DNSName\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Solorigate Network Beacon\",\"description\":\"Identifies a match across various data feeds for domains IOCs related to the Solorigate incident.\\n References: https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/, \\n https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html?1\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2020-12-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2790795b-7dba-483e-853f-44aa0bc9c985\",\"name\":\"2790795b-7dba-483e-853f-44aa0bc9c985\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"CommonSecurityLog\\n| where DeviceProduct =~ \\\"Wazuh\\\"\\n| where Activity has \\\"Web server 400 error code.\\\"\\n| where Message has \\\"403\\\"\\n| extend HostName=substring(split(DeviceCustomString1,\\\")\\\")[0],1)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), NumberOfErrors = dcount(SourceIP) by HostName, SourceIP\\n| where NumberOfErrors \u003e 400\\n| sort by NumberOfErrors desc\\n| extend timestamp = StartTime, HostCustomEntity = HostName, IPCustomEntity = SourceIP\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Wazuh - Large Number of Web errors from an IP\",\"description\":\"Identifies instances where Wazuh logged over 400 \u0027403\u0027 Web Errors from one IP Address. To onboard Wazuh data into Sentinel please view: https://github.com/wazuh/wazuh-documentation/blob/master/source/azure/monitoring%20activity.rst\",\"lastUpdatedDateUTC\":\"2022-01-16T00:00:00Z\",\"createdDateUTC\":\"2020-04-21T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/78979d32-e63f-4740-b206-cfb300c735e0\",\"name\":\"78979d32-e63f-4740-b206-cfb300c735e0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n ProofpointPOD \\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(SrcIpAddr)\\n | extend ProofpointPOD_TimeGenerated = TimeGenerated, ClientIP = SrcIpAddr\\n )\\non $left.TI_ipEntity == $right.ClientIP\\n| where ProofpointPOD_TimeGenerated \u003c ExpirationDateTime\\n| summarize ProofpointPOD_TimeGenerated = arg_max(ProofpointPOD_TimeGenerated, *) by IndicatorId, ClientIP\\n| project ProofpointPOD_TimeGenerated, SrcUserUpn, DstUserUpn, SrcIpAddr, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, ClientIP\\n| extend timestamp = ProofpointPOD_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SrcUserUpn\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]}],\"tactics\":[\"Exfiltration\",\"InitialAccess\"],\"displayName\":\"ProofpointPOD - Email sender IP in TI list\",\"description\":\"Email sender IP in TI list.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_maillog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2b328487-162d-4034-b472-59f1d53684a1\",\"name\":\"2b328487-162d-4034-b472-59f1d53684a1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let timeframe = 15m;\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(timeframe)\\n| where HttpUserAgentOriginal == \u0027\u0027\\n| extend Message = \\\"Empty User Agent\\\"\\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated\\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - Empty User Agent Detected\",\"description\":\"Rule helps to detect empty and unusual user agent indicating web browsing activity by an unusual process other than a web browser.\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a22740ec-fc1e-4c91-8de6-c29c6450ad00\",\"name\":\"a22740ec-fc1e-4c91-8de6-c29c6450ad00\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let aadFunc = (tableName:string){\\ntable(tableName)\\n| where ResultType == 500121\\n| where Status has \\\"MFA Denied; user declined the authentication\\\" or Status has \\\"MFA denied; Phone App Reported Fraud\\\"\\n| extend Type = Type\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress, URLCustomEntity = ClientAppUsed\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Explicit MFA Deny\",\"description\":\"User explicitly denies MFA push, indicating that login was not expected and the account\u0027s password may be compromised.\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2020-10-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}}]}", + "Content": "{\"value\":[{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/500c103a-0319-4d56-8e99-3cec8d860757\",\"name\":\"500c103a-0319-4d56-8e99-3cec8d860757\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.1.3\",\"severity\":\"Medium\",\"query\":\"let aadFunc = (tableName: string) {\\nlet failed_signins = table(tableName)\\n| where ResultType == \\\"50057\\\"\\n| where ResultDescription == \\\"User account is disabled. The account has been disabled by an administrator.\\\";\\nlet disabled_users = failed_signins | summarize by UserPrincipalName;\\ntable(tableName)\\n | where ResultType == 0\\n | where isnotempty(UserPrincipalName)\\n | where UserPrincipalName !in (disabled_users)\\n| summarize\\n successfulAccountsTargettedCount = dcount(UserPrincipalName),\\n successfulAccountSigninSet = make_set(UserPrincipalName, 100),\\n successfulApplicationSet = make_set(AppDisplayName, 100)\\n by IPAddress, Type\\n // Assume IPs associated with sign-ins from 100+ distinct user accounts are safe\\n | where successfulAccountsTargettedCount \u003c 50\\n | where isnotempty(successfulAccountsTargettedCount)\\n | join kind=inner (failed_signins\\n| summarize\\n StartTime = min(TimeGenerated),\\n EndTime = max(TimeGenerated),\\n totalDisabledAccountLoginAttempts = count(),\\n disabledAccountsTargettedCount = dcount(UserPrincipalName),\\n applicationsTargeted = dcount(AppDisplayName),\\n disabledAccountSet = make_set(UserPrincipalName, 100),\\n disabledApplicationSet = make_set(AppDisplayName, 100)\\nby IPAddress, Type\\n| order by totalDisabledAccountLoginAttempts desc) on IPAddress\\n| project StartTime, EndTime, IPAddress, totalDisabledAccountLoginAttempts, disabledAccountsTargettedCount, disabledAccountSet, disabledApplicationSet, successfulApplicationSet, successfulAccountsTargettedCount, successfulAccountSigninSet, Type\\n| order by totalDisabledAccountLoginAttempts};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\\n| join kind=leftouter (\\n BehaviorAnalytics\\n | where ActivityType in (\\\"FailedLogOn\\\", \\\"LogOn\\\")\\n | where EventSource =~ \\\"Azure AD\\\"\\n | project UsersInsights, DevicesInsights, ActivityInsights, InvestigationPriority, SourceIPAddress, UserPrincipalName\\n | project-rename IPAddress = SourceIPAddress\\n | summarize\\n Users = make_set(UserPrincipalName, 100),\\n UsersInsights = make_set(UsersInsights, 100),\\n DevicesInsights = make_set(DevicesInsights, 100),\\n IPInvestigationPriority = sum(InvestigationPriority)\\n by IPAddress\\n) on IPAddress\\n| extend SFRatio = toreal(toreal(disabledAccountsTargettedCount)/toreal(successfulAccountsTargettedCount))\\n| where SFRatio \u003e= 0.5\\n| sort by IPInvestigationPriority desc\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]}],\"tactics\":[\"InitialAccess\",\"Persistence\"],\"displayName\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts\",\"description\":\"Identifies IPs with failed attempts to sign in to one or more disabled accounts using the IP through which successful signins from other accounts have happened.\\nThis could indicate an attacker who obtained credentials for a list of accounts and is attempting to login with those accounts, some of which may have already been disabled.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50057 - User account is disabled. The account has been disabled by an administrator.\\nThis query has also been updated to include UEBA logs IdentityInfo and BehaviorAnalytics for contextual information around the results.\",\"lastUpdatedDateUTC\":\"2023-11-23T00:00:00Z\",\"createdDateUTC\":\"2019-02-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"BehaviorAnalytics\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e147e4dc-849c-49e9-9e8b-db4581951ff4\",\"name\":\"e147e4dc-849c-49e9-9e8b-db4581951ff4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"let baseline_time = 14d;\\nlet detection_time = 1h;\\nDynamics365Activity\\n| where TimeGenerated between(ago(baseline_time)..ago(detection_time))\\n| where UserType =~ \u0027admin\u0027\\n| extend Message = tostring(split(OriginalObjectId, \u0027 \u0027)[0])\\n| summarize by UserId\\n| join kind=rightanti\\n(Dynamics365Activity\\n| where TimeGenerated \u003e ago(detection_time)\\n| where UserType =~ \u0027admin\u0027)\\non UserId\\n| summarize Actions = make_set(Message), MostRecentAction = max(TimeGenerated), IPs=make_set(ClientIP), UserAgents = make_set(UserAgent) by UserId\\n| extend timestamp = MostRecentAction, AccountCustomEntity = UserId\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"New Dynamics 365 Admin Activity\",\"description\":\"Detects users conducting administrative activity in Dynamics 365 where they have not had admin rights before.\",\"lastUpdatedDateUTC\":\"2022-12-12T00:00:00Z\",\"createdDateUTC\":\"2021-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Dynamics365\",\"dataTypes\":[\"Dynamics365Activity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ba144bf8-75b8-406f-9420-ed74397f9479\",\"name\":\"ba144bf8-75b8-406f-9420-ed74397f9479\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Medium\",\"query\":\"//Set a threshold of failed AAD signins from an IP address within 1 day above which we want to deem those logins suspicious.\\nlet signin_threshold = 5; \\n//Make a list of IPs with AAD signin failures above our threshold.\\nlet aadFunc = (tableName:string){\\nlet suspicious_signins = \\n table(tableName)\\n //Looking for logon failure results\\n | where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n //Exclude localhost addresses to reduce the chance of FPs\\n | where IPAddress !in (\\\"127.0.0.1\\\", \\\"::1\\\")\\n | summarize count() by IPAddress\\n | where count_ \u003e signin_threshold\\n | summarize make_set(IPAddress);\\n suspicious_signins\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nlet suspicious_signins = \\nunion isfuzzy=true aadSignin, aadNonInt\\n| summarize make_set(set_IPAddress);\\n//See if any of those IPs have sucessfully logged into PA VPNs during the same timeperiod\\nCommonSecurityLog\\n //Select only PA VPN sucessful logons\\n | where DeviceVendor == \\\"Palo Alto Networks\\\" and DeviceEventClassID == \\\"globalprotect\\\"\\n | where Message has \\\"GlobalProtect gateway user authentication succeeded\\\"\\n //Parse out the logon source IP from the Message field to match on\\n | extend SourceIP = extract(\\\"Login from: ([^,]+)\\\", 1, Message) \\n | where SourceIP in (suspicious_signins)\\n | extend Reason = \\\"Multiple failed AAD logins from SourceIP\\\"\\n //Parse out other useful information from Message field\\n | extend User = extract(\u0027User name: ([^,]+)\u0027, 1, Message) \\n | extend ClientOS = extract(\u0027Client OS version: ([^,\\\\\\\"]+)\u0027, 1, Message)\\n | extend Location = extract(\u0027Source region: ([^,]{2})\u0027,1, Message)\\n | project TimeGenerated, Reason, SourceIP, User, ClientOS, Location, Message, DeviceName, ReceiptTime, DeviceVendor, DeviceEventClassID, Computer, FileName\\n | extend timestamp = TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"User\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"DeviceName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]}],\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"IP with multiple failed Microsoft Entra ID logins successfully logs in to Palo Alto VPN\",\"description\":\"This query creates a list of IP addresses with the number of failed login attempts to Entra ID \\nabove a set threshold ( default of 5 ). It then looks for any successful Palo Alto VPN logins from any of these IPs within the same timeframe.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2019-09-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/24f8c234-d1ff-40ec-8b73-96b17a3a9c1c\",\"name\":\"24f8c234-d1ff-40ec-8b73-96b17a3a9c1c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.8\",\"severity\":\"Low\",\"query\":\"let DistinctSecretsThreshold = 10;\\nlet EventCountThreshold = 50;\\n// To avoid any False Positives, filtering using AppId is recommended.\\n// The AppId 509e4652-da8d-478d-a730-e9d4a1996ca4 has been added in the query as it corresponds to Azure Resource Graph performing VaultGet operations for indexing and syncing all tracked resources across Azure.\\n// The AppId 8cae6e77-e04e-42ce-b5cb-50d82bce26b1 has been added as it correspond to Microsoft Policy Insights Provider Data Plane performing VaultGet operations for policies checks.\\nlet AllowedAppId = dynamic([\\\"509e4652-da8d-478d-a730-e9d4a1996ca4\\\",\\\"8cae6e77-e04e-42ce-b5cb-50d82bce26b1\\\"]);\\nlet OperationList = dynamic([\\\"SecretGet\\\", \\\"KeyGet\\\", \\\"VaultGet\\\"]);\\nAzureDiagnostics\\n| where OperationName in (OperationList) and ResourceType =~ \\\"VAULTS\\\"\\n| where not(identity_claim_appid_g in (AllowedAppId) and OperationName == \u0027VaultGet\u0027)\\n| extend\\n ResourceId,\\n ResultType = column_ifexists(\\\"ResultType\\\", \\\"\\\"),\\n identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = column_ifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"\\\"),\\n identity_claim_http_schemas_xmlsoap_org_ws_2005_05_identity_claims_upn_s = column_ifexists(\\\"identity_claim_http_schemas_xmlsoap_org_ws_2005_05_identity_claims_upn_s\\\", \\\"\\\"),\\n identity_claim_oid_g = column_ifexists(\\\"identity_claim_oid_g\\\", \\\"\\\"),\\n identity_claim_upn_s = column_ifexists(\\\"identity_claim_upn_s\\\", \\\"\\\")\\n| extend\\n CallerObjectId = iff(isempty(identity_claim_oid_g), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, identity_claim_oid_g),\\n CallerObjectUPN = iff(isempty(identity_claim_upn_s), identity_claim_http_schemas_xmlsoap_org_ws_2005_05_identity_claims_upn_s, identity_claim_upn_s)\\n| as _Retrievals\\n| where CallerObjectId in (toscalar(\\n _Retrievals\\n | where ResultType == \\\"Success\\\"\\n | summarize Count = dcount(requestUri_s) by OperationName, CallerObjectId\\n | where Count \u003e DistinctSecretsThreshold\\n | summarize make_set(CallerObjectId,10000)\\n))\\n| extend\\n requestUri_s = column_ifexists(\\\"requestUri_s\\\", \\\"\\\"),\\n id_s = column_ifexists(\\\"id_s\\\", \\\"\\\"),\\n CallerIPAddress = column_ifexists(\\\"CallerIPAddress\\\", \\\"\\\"),\\n clientInfo_s = column_ifexists(\\\"clientInfo_s\\\", \\\"\\\")\\n| summarize\\n EventCount = count(),\\n StartTime = min(TimeGenerated),\\n EndTime = max(TimeGenerated),\\n ResourceList = make_set(Resource, 50),\\n OperationNameList = make_set(OperationName, 50),\\n RequestURLList = make_set(requestUri_s, 50),\\n ResourceId = max(ResourceId),\\n CallerIPList = make_set(CallerIPAddress, 50),\\n clientInfo_sList = make_set(clientInfo_s, 50),\\n CallerIPMax = max(CallerIPAddress)\\n by ResourceType, ResultType, identity_claim_appid_g, CallerObjectId, CallerObjectUPN\\n | where EventCount \u003e EventCountThreshold\\n| project-reorder StartTime, EndTime, EventCount, ResourceId,ResourceType,identity_claim_appid_g, CallerObjectId, CallerObjectUPN, ResultType, ResourceList, OperationNameList, RequestURLList, CallerIPList, clientInfo_sList\\n| extend timestamp = EndTime\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"CallerObjectId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"CallerIPMax\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Mass secret retrieval from Azure Key Vault\",\"description\":\"Identifies mass secret retrieval from Azure Key Vault observed by a single user. \\nMass secret retrival crossing a certain threshold is an indication of credential dump operations or mis-configured applications. \\nYou can tweak the EventCountThreshold based on average count seen in your environment and also filter any known sources (IP/Account) and useragent combinations based on historical analysis to further reduce noise\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2019-07-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureKeyVault\",\"dataTypes\":[\"KeyVaultData\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a7564d76-ec6b-4519-a66b-fcc80c42332b\",\"name\":\"a7564d76-ec6b-4519-a66b-fcc80c42332b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.7\",\"severity\":\"Medium\",\"query\":\"let WellKnownLocalSID = \\\"S-1-5-32-5[0-9][0-9]$\\\";\\nlet WellKnownGroupSID = \\\"S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\\\";\\nlet GroupAddition = (union isfuzzy=true \\n(SecurityEvent \\n// 4728 - A member was added to a security-enabled global group\\n// 4732 - A member was added to a security-enabled local group\\n// 4756 - A member was added to a security-enabled universal group \\n| where EventID in (\\\"4728\\\", \\\"4732\\\", \\\"4756\\\")\\n| where AccountType =~ \\\"User\\\"\\n// Exclude Remote Desktop Users group: S-1-5-32-555\\n| where TargetSid !in (\\\"S-1-5-32-555\\\")\\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID\\n| project GroupAddTime = TimeGenerated, GroupAddEventID = EventID, GroupAddActivity = Activity, GroupAddComputer = Computer, \\nGroupAddTargetAccount = TargetAccount, GroupAddTargetUserName = TargetUserName, GroupAddTargetDomainName = TargetDomainName, GroupAddTargetSid = TargetSid, \\nGroupAddSubjectAccount = SubjectAccount, GroupAddSubjectUserName = SubjectUserName, GroupAddSubjectDomainName = SubjectDomainName, GroupAddSubjectUserSid = SubjectUserSid, \\nGroupSid = MemberSid\\n),\\n(\\nWindowsEvent \\n// 4728 - A member was added to a security-enabled global group\\n// 4732 - A member was added to a security-enabled local group\\n// 4756 - A member was added to a security-enabled universal group \\n| where EventID in (\\\"4728\\\", \\\"4732\\\", \\\"4756\\\") and not(EventData has \\\"S-1-5-32-555\\\")\\n| extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend AccountType=case(Account endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n| extend MemberName = tostring(EventData.MemberName)\\n| where AccountType =~ \\\"User\\\"\\n// Exclude Remote Desktop Users group: S-1-5-32-555\\n| extend TargetSid = tostring(EventData.TargetSid)\\n| where TargetSid !in (\\\"S-1-5-32-555\\\")\\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID\\n| extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| extend MemberSid = tostring(EventData.MemberSid)\\n| extend Activity= \\\"GroupAddActivity\\\"\\n| project GroupAddTime = TimeGenerated, GroupAddEventID = EventID, GroupAddActivity = Activity, GroupAddComputer = Computer, \\nGroupAddTargetAccount = TargetAccount, GroupAddTargetUserName = tostring(EventData.TargetUserName), GroupAddTargetDomainName = tostring(EventData.TargetDomainName), GroupAddTargetSid = TargetSid, \\nGroupAddSubjectAccount = Account, GroupAddSubjectUserName = tostring(EventData.SubjectUserName), GroupAddSubjectDomainName = tostring(EventData.SubjectDomainName), GroupAddSubjectUserSid = SubjectUserSid, \\nGroupSid = MemberSid\\n));\\nlet GroupCreated = (union isfuzzy=true \\n(SecurityEvent\\n// 4727 - A security-enabled global group was created\\n// 4731 - A security-enabled local group was created\\n// 4754 - A security-enabled universal group was created\\n| where EventID in (\\\"4727\\\", \\\"4731\\\", \\\"4754\\\")\\n| where AccountType =~ \\\"User\\\"\\n| project GroupCreateTime = TimeGenerated, GroupCreateEventID = EventID, GroupCreateActivity = Activity, GroupCreateComputer = Computer, \\nGroupCreateTargetAccount = TargetAccount, GroupCreateTargetUserName = TargetUserName, GroupCreateTargetDomainName = TargetDomainName,\\nGroupCreateSubjectAccount = SubjectAccount, GroupCreateSubjectUserName = SubjectUserName, GroupCreateSubjectDomainName = SubjectDomainName, GroupCreateSubjectUserSid = SubjectUserSid, \\nGroupSid = TargetSid\\n),\\n(WindowsEvent\\n// 4727 - A security-enabled global group was created\\n// 4731 - A security-enabled local group was created\\n// 4754 - A security-enabled universal group was created\\n| where EventID in (\\\"4727\\\", \\\"4731\\\", \\\"4754\\\")\\n| extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend AccountType=case(Account endswith \\\"$\\\", \\\"Machine\\\", iff(SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", iff(isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")))\\n| where AccountType =~ \\\"User\\\"\\n| extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| extend SubjectAccount = strcat(EventData.SubjectDomainName,\\\"\\\\\\\\\\\", EventData.SubjectUserName) \\n| extend TargetSid = tostring(EventData.TargetSid) \\n| extend Activity= \\\"GroupAddActivity\\\"\\n| project GroupCreateTime = TimeGenerated, GroupCreateEventID = EventID, GroupCreateActivity = Activity, GroupCreateComputer = Computer, \\nGroupCreateTargetAccount = TargetAccount, GroupCreateTargetUserName = tostring(EventData.TargetUserName), GroupCreateTargetDomainName = tostring(EventData.TargetDomainName), \\nGroupCreateSubjectAccount = SubjectAccount, GroupCreateSubjectUserName = tostring(EventData.SubjectUserName), GroupCreateSubjectDomainName = tostring(EventData.SubjectDomainName),GroupCreateSubjectUserSid = SubjectUserSid, \\nGroupSid = TargetSid\\n));\\nGroupCreated\\n| join (\\nGroupAddition\\n) on GroupSid\\n| extend GroupCreateHostName = tostring(split(GroupCreateComputer , \\\".\\\")[0]), DomainIndex = toint(indexof(GroupCreateComputer , \u0027.\u0027))\\n| extend GroupCreateHostNameDomain = iff(DomainIndex != -1, substring(GroupCreateComputer , DomainIndex + 1), GroupCreateComputer)\\n| extend GroupAddHostName = tostring(split(GroupAddComputer , \\\".\\\")[0]), DomainIndex = toint(indexof(GroupAddComputer , \u0027.\u0027))\\n| extend GroupAddHostNameDomain = iff(DomainIndex != -1, substring(GroupAddComputer , DomainIndex + 1), GroupAddComputer)\\n| project-away DomainIndex\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"GroupCreateSubjectAccount\"},{\"identifier\":\"Name\",\"columnName\":\"GroupCreateSubjectUserName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"GroupCreateSubjectDomainName\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"GroupCreateTargetAccount\"},{\"identifier\":\"Name\",\"columnName\":\"GroupAddSubjectUserName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"GroupAddSubjectDomainName\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"GroupCreateComputer\"},{\"identifier\":\"HostName\",\"columnName\":\"GroupCreateHostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"GroupCreateHostNameDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"GroupAddComputer\"},{\"identifier\":\"HostName\",\"columnName\":\"GroupAddHostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"GroupAddHostNameDomain\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Group created then added to built in domain local or global group\",\"description\":\"Identifies when a recently created Group was added to a privileged built in domain local group or global group such as the Enterprise Admins, Cert Publishers or DnsAdmins. Be sure to verify this is an expected addition.\\nReferences: For AD SID mappings - https://docs.microsoft.com/windows/security/identity-protection/access-control/active-directory-security-groups.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c0e84221-f240-4dd7-ab1e-37e034ea2a4e\",\"name\":\"c0e84221-f240-4dd7-ab1e-37e034ea2a4e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"Medium\",\"query\":\"union isfuzzy=true\\n(DeviceFileEvents\\n| where FolderPath endswith \\\"vmware-vmdmp.log\\\"\\n| extend HostCustomEntity = DeviceName, timestamp=TimeGenerated),\\n(WindowsEvent\\n| where EventID == 4663 and EventData has \\\"vmware-vmdmp.log\\\"\\n| extend ObjectName = tostring(EventData.ObjectName) \\n| where ObjectName endswith \\\"vmware-vmdmp.log\\\"\\n| extend HostCustomEntity = Computer, timestamp=TimeGenerated),\\n(SecurityEvent\\n| where EventID == 4663\\n| where ObjectName endswith \\\"vmware-vmdmp.log\\\"\\n| extend HostCustomEntity = Computer, timestamp=TimeGenerated),\\n(imFileEvent\\n| where TargetFileName endswith \\\"vmware-vmdmp.log\\\"\\n| extend HostCustomEntity = DvcHostname, timestamp=TimeGenerated\\n)\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"[Deprecated] - SUNSPOT log file creation\",\"description\":\"This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft\u0027s Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/972c89fa-c969-4d12-932f-04d55d145299\",\"name\":\"972c89fa-c969-4d12-932f-04d55d145299\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"High\",\"query\":\"( union isfuzzy=true\\n(SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| extend FileName = Process, ProcessCommandLine = CommandLine\\n| where (FileName in~(\u0027control.exe\u0027,\u0027rundll32.exe\u0027) and ProcessCommandLine has \u0027.cpl:\u0027)\\n or ProcessCommandLine matches regex @\u0027\\\\\\\".[a-zA-Z]{2,4}:\\\\.\\\\.\\\\/\\\\.\\\\.\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(DeviceProcessEvents\\n| where (FileName in~(\u0027control.exe\u0027,\u0027rundll32.exe\u0027) and ProcessCommandLine has \u0027.cpl:\u0027)\\nor ProcessCommandLine matches regex @\u0027\\\\\\\".[a-zA-Z]{2,4}:\\\\.\\\\.\\\\/\\\\.\\\\.\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountUpn, HostCustomEntity = DeviceName\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1 \\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| extend Image = column_ifexists(\\\"Image\\\", \\\"\\\"), ProcessCommandLine = column_ifexists(\\\"CommandLine\\\", \\\"\\\")\\n| extend FileName = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n| where (FileName in~(\u0027control.exe\u0027,\u0027rundll32.exe\u0027) and ProcessCommandLine has \u0027.cpl:\u0027)\\n or ProcessCommandLine matches regex @\u0027\\\\\\\".[a-zA-Z]{2,4}:\\\\.\\\\.\\\\/\\\\.\\\\.\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"[Deprecated] - MSHTML vulnerability CVE-2021-40444 attack\",\"description\":\"This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft\u0027s Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2021-09-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/56b0a0cd-894e-4b38-a0a1-c41d9f96649a\",\"name\":\"56b0a0cd-894e-4b38-a0a1-c41d9f96649a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Low\",\"query\":\"let lbtime = 1h;\\nlet tls_ciphers = dynamic([\u0027RC4-SHA\u0027, \u0027DES-CBC3-SHA\u0027]);\\nProofpointPOD\\n| where EventType == \u0027message\u0027\\n| where TlsCipher in (tls_ciphers)\\n| extend IPCustomEntity = SrcIpAddr\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"ProofpointPOD - Weak ciphers\",\"description\":\"Detects when weak TLS ciphers are used.\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5239248b-abfb-4c6a-8177-b104ade5db56\",\"name\":\"5239248b-abfb-4c6a-8177-b104ade5db56\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.8\",\"severity\":\"Medium\",\"query\":\"let RunCommandData = materialize ( AzureActivity\\n// Isolate run command actions\\n| where OperationNameValue =~ \\\"Microsoft.Compute/virtualMachines/runCommand/action\\\"\\n// Confirm that the operation impacted a virtual machine\\n| where Authorization has \\\"virtualMachines\\\"\\n// Each runcommand operation consists of three events when successful, StartTimeed, Accepted (or Rejected), Successful (or Failed).\\n| summarize StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), max(CallerIpAddress), make_list(ActivityStatusValue) by CorrelationId, Authorization, Caller\\n// Limit to Run Command executions that Succeeded\\n| where list_ActivityStatusValue has_any (\\\"Succeeded\\\", \\\"Success\\\")\\n// Extract data from the Authorization field, allowing us to later extract the Caller (UPN) and CallerIpAddress\\n| extend Authorization_d = parse_json(Authorization)\\n| extend Scope = Authorization_d.scope\\n| extend Scope_s = split(Scope, \\\"/\\\")\\n| extend Subscription = tostring(Scope_s[2])\\n| extend VirtualMachineName = tostring(Scope_s[-1])\\n| project StartTime, EndTime, Subscription, VirtualMachineName, CorrelationId, Caller, CallerIpAddress=max_CallerIpAddress, Scope\\n| join kind=leftouter (\\n DeviceFileEvents\\n | where InitiatingProcessFileName == \\\"RunCommandExtension.exe\\\"\\n | extend VirtualMachineName = tostring(split(DeviceName, \\\".\\\")[0])\\n | project VirtualMachineName, PowershellFileCreatedTimestamp=TimeGenerated, FileName, FileSize, InitiatingProcessAccountName, InitiatingProcessAccountDomain, InitiatingProcessFolderPath, InitiatingProcessId\\n) on VirtualMachineName\\n// We need to filter by time sadly, this is the only way to link events\\n| where PowershellFileCreatedTimestamp between (StartTime .. EndTime)\\n| project StartTime, EndTime, PowershellFileCreatedTimestamp, VirtualMachineName, Caller, CallerIpAddress, FileName, FileSize, InitiatingProcessId, InitiatingProcessAccountDomain, InitiatingProcessFolderPath, Scope\\n| join kind=inner(\\n DeviceEvents\\n | extend VirtualMachineName = tostring(split(DeviceName, \\\".\\\")[0])\\n | where InitiatingProcessCommandLine has \\\"-File\\\"\\n // Extract the script name based on the structure used by the RunCommand extension\\n | extend PowershellFileName = extract(@\\\"\\\\-File\\\\s(script[0-9]{1,9}\\\\.ps1)\\\", 1, InitiatingProcessCommandLine)\\n // Discard results that didn\u0027t successfully extract, these are not run command related\\n | where isnotempty(PowershellFileName)\\n | extend PSCommand = tostring(parse_json(AdditionalFields).Command)\\n // The first execution of PowerShell will be the RunCommand script itself, we can discard this as it will break our hash later\\n | where PSCommand != PowershellFileName \\n // Now we normalise the cmdlets, we\u0027re aiming to hash them to find scripts using rare combinations\\n | extend PSCommand = toupper(PSCommand)\\n | order by PSCommand asc\\n | summarize PowershellExecStartTime=min(TimeGenerated), PowershellExecEnd=max(TimeGenerated), make_list(PSCommand) by PowershellFileName, InitiatingProcessCommandLine\\n) on $left.FileName == $right.PowershellFileName\\n| project StartTime, EndTime, PowershellFileCreatedTimestamp, PowershellExecStartTime, PowershellExecEnd, PowershellFileName, PowershellScriptCommands=list_PSCommand, Caller, CallerIpAddress, InitiatingProcessCommandLine, PowershellFileSize=FileSize, VirtualMachineName, Scope\\n| order by StartTime asc \\n// We generate the hash based on the cmdlets called and the size of the powershell script\\n| extend TempFingerprintString = strcat(PowershellScriptCommands, PowershellFileSize)\\n| extend ScriptFingerprintHash = hash_sha256(tostring(PowershellScriptCommands)));\\nlet totals = toscalar (RunCommandData\\n| summarize count());\\nlet hashTotals = RunCommandData\\n| summarize HashCount=count() by ScriptFingerprintHash;\\nRunCommandData\\n| join kind=leftouter (\\nhashTotals\\n) on ScriptFingerprintHash\\n// Calculate prevalence, while we don\u0027t need this, it may be useful for responders to know how rare this script is in relation to normal activity\\n| extend Prevalence = toreal(HashCount) / toreal(totals) * 100\\n// Where the hash was only ever seen once.\\n| where HashCount == 1\\n| extend timestamp = StartTime\\n| extend CallerName = tostring(split(Caller, \\\"@\\\")[0]), CallerUPNSuffix = tostring(split(Caller, \\\"@\\\")[1])\\n| project timestamp, StartTime, EndTime, PowershellFileName, VirtualMachineName, Caller, CallerName, CallerUPNSuffix, CallerIpAddress, PowershellScriptCommands, PowershellFileSize, ScriptFingerprintHash, Prevalence, Scope\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Caller\"},{\"identifier\":\"Name\",\"columnName\":\"CallerName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"CallerUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"CallerIpAddress\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"VirtualMachineName\"},{\"identifier\":\"AzureID\",\"columnName\":\"Scope\"}]}],\"tactics\":[\"LateralMovement\",\"Execution\"],\"displayName\":\"Azure VM Run Command operations executing a unique PowerShell script\",\"description\":\"Identifies when Azure Run command is used to execute a PowerShell script on a VM that is unique.\\nThe uniqueness of the PowerShell script is determined by taking a combined hash of the cmdLets it imports and the file size of the PowerShell script. Alerts from this detection indicate a unique PowerShell was executed in your environment.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2021-10-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\",\"DeviceEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/70b12a3b-4899-42cb-910c-5ffaf9d7997d\",\"name\":\"70b12a3b-4899-42cb-910c-5ffaf9d7997d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"0.ns1.dns-info.gq\\\", \\\"1.ns1.dns-info.gq\\\", \\\"10.ns1.dns-info.gq\\\", \\\"102.ns1.dns-info.gq\\\", \\n \\\"104.ns1.dns-info.gq\\\", \\\"11.ns1.dns-info.gq\\\", \\\"110.ns1.dns-info.gq\\\", \\\"115.ns1.dns-info.gq\\\", \\\"116.ns1.dns-info.gq\\\", \\n \\\"117.ns1.dns-info.gq\\\", \\\"118.ns1.dns-info.gq\\\", \\\"12.ns1.dns-info.gq\\\", \\\"120.ns1.dns-info.gq\\\", \\\"122.ns1.dns-info.gq\\\", \\n \\\"123.ns1.dns-info.gq\\\", \\\"128.ns1.dns-info.gq\\\", \\\"13.ns1.dns-info.gq\\\", \\\"134.ns1.dns-info.gq\\\", \\\"135.ns1.dns-info.gq\\\", \\n \\\"138.ns1.dns-info.gq\\\", \\\"14.ns1.dns-info.gq\\\", \\\"144.ns1.dns-info.gq\\\", \\\"15.ns1.dns-info.gq\\\", \\\"153.ns1.dns-info.gq\\\", \\n \\\"157.ns1.dns-info.gq\\\", \\\"16.ns1.dns-info.gq\\\", \\\"17.ns1.dns-info.gq\\\", \\\"18.ns1.dns-info.gq\\\", \\\"19.ns1.dns-info.gq\\\", \\n \\\"1a9604fa.ns1.feedsdns.com\\\", \\\"1c7606b6.ns1.steamappstore.com\\\", \\\"2.ns1.dns-info.gq\\\", \\\"20.ns1.dns-info.gq\\\", \\n \\\"201.ns1.dns-info.gq\\\", \\\"202.ns1.dns-info.gq\\\", \\\"204.ns1.dns-info.gq\\\", \\\"207.ns1.dns-info.gq\\\", \\\"21.ns1.dns-info.gq\\\", \\n \\\"210.ns1.dns-info.gq\\\", \\\"211.ns1.dns-info.gq\\\", \\\"216.ns1.dns-info.gq\\\", \\\"22.ns1.dns-info.gq\\\", \\\"220.ns1.dns-info.gq\\\", \\n \\\"223.ns1.dns-info.gq\\\", \\\"23.ns1.dns-info.gq\\\", \\\"24.ns1.dns-info.gq\\\", \\\"25.ns1.dns-info.gq\\\", \\\"26.ns1.dns-info.gq\\\", \\n \\\"27.ns1.dns-info.gq\\\", \\\"28.ns1.dns-info.gq\\\", \\\"29.ns1.dns-info.gq\\\", \\\"3.ns1.dns-info.gq\\\", \\\"30.ns1.dns-info.gq\\\", \\n \\\"31.ns1.dns-info.gq\\\", \\\"32.ns1.dns-info.gq\\\", \\\"33.ns1.dns-info.gq\\\", \\\"34.ns1.dns-info.gq\\\", \\\"35.ns1.dns-info.gq\\\", \\n \\\"36.ns1.dns-info.gq\\\", \\\"37.ns1.dns-info.gq\\\", \\\"39.ns1.dns-info.gq\\\", \\\"3d6fe4b2.ns1.steamappstore.com\\\", \\n \\\"4.ns1.dns-info.gq\\\", \\\"40.ns1.dns-info.gq\\\", \\\"42.ns1.dns-info.gq\\\", \\\"43.ns1.dns-info.gq\\\", \\\"44.ns1.dns-info.gq\\\", \\n \\\"45.ns1.dns-info.gq\\\", \\\"46.ns1.dns-info.gq\\\", \\\"48.ns1.dns-info.gq\\\", \\\"5.ns1.dns-info.gq\\\", \\\"50.ns1.dns-info.gq\\\", \\n \\\"50417.service.gstatic.dnset.com\\\", \\\"51.ns1.dns-info.gq\\\", \\\"52.ns1.dns-info.gq\\\", \\\"53.ns1.dns-info.gq\\\",\\n \\\"54.ns1.dns-info.gq\\\", \\\"55.ns1.dns-info.gq\\\", \\\"56.ns1.dns-info.gq\\\", \\\"57.ns1.dns-info.gq\\\", \\\"58.ns1.dns-info.gq\\\", \\n \\\"6.ns1.dns-info.gq\\\", \\\"60.ns1.dns-info.gq\\\", \\\"62.ns1.dns-info.gq\\\", \\\"63.ns1.dns-info.gq\\\", \\\"64.ns1.dns-info.gq\\\", \\n \\\"65.ns1.dns-info.gq\\\", \\\"67.ns1.dns-info.gq\\\", \\\"7.ns1.dns-info.gq\\\", \\\"70.ns1.dns-info.gq\\\", \\\"71.ns1.dns-info.gq\\\",\\n \\\"73.ns1.dns-info.gq\\\", \\\"77.ns1.dns-info.gq\\\", \\\"77075.service.gstatic.dnset.com\\\", \\\"7c1947fa.ns1.steamappstore.com\\\",\\n \\\"8.ns1.dns-info.gq\\\", \\\"81.ns1.dns-info.gq\\\", \\\"86.ns1.dns-info.gq\\\", \\\"87.ns1.dns-info.gq\\\", \\\"9.ns1.dns-info.gq\\\", \\n \\\"94343.service.gstatic.dnset.com\\\", \\\"9939.service.gstatic.dnset.com\\\", \\\"aa.ns.mircosoftdoc.com\\\", \\n \\\"aaa.feeds.api.ns1.feedsdns.com\\\", \\\"aaa.googlepublic.feeds.ns1.dns-info.gq\\\", \\n \\\"aaa.resolution.174547._get.cache.up.sourcedns.tk\\\", \\\"acc.microsoftonetravel.com\\\", \\n \\\"accounts.longmusic.com\\\", \\\"admin.dnstemplog.com\\\", \\\"agent.updatenai.com\\\", \\n \\\"alibaba.zzux.com\\\", \\\"api.feedsdns.com\\\", \\\"app.portomnail.com\\\", \\\"asia.updatenai.com\\\", \\n \\\"battllestategames.com\\\", \\\"bguha.serveuser.com\\\", \\\"binann-ce.com\\\", \\\"bing.dsmtp.com\\\", \\n \\\"blog.cdsend.xyz\\\", \\\"brives.minivineyapp.com\\\", \\\"bsbana.dynamic-dns.net\\\", \\n \\\"californiaforce.000webhostapp.com\\\", \\\"californiafroce.000webhostapp.com\\\", \\n \\\"cdn.freetcp.com\\\", \\\"cdsend.xyz\\\", \\\"cipla.zzux.com\\\", \\\"cloudfeeddns.com\\\", \\\"comcleanner.info\\\",\\n \\\"cs.microsoftsonline.net\\\", \\\"dns-info.gq\\\", \\\"dns05.cf\\\", \\\"dns22.ml\\\", \\\"dns224.com\\\", \\n \\\"dnsdist.org\\\", \\\"dnstemplog.com\\\", \\\"doc.mircosoftdoc.com\\\", \\\"dropdns.com\\\", \\n \\\"eshop.cdn.freetcp.com\\\", \\\"exchange.dumb1.com\\\", \\\"exchange.misecure.com\\\", \\\"exchange.mrbasic.com\\\",\\n \\\"facebookdocs.com\\\", \\\"facebookint.com\\\", \\\"facebookvi.com\\\", \\\"feed.ns1.dns-info.gq\\\", \\\"feedsdns.com\\\", \\n \\\"firejun.freeddns.com\\\", \\\"ftp.dns-info.dyndns.pro\\\", \\\"goallbandungtravel.com\\\", \\\"goodhk.azurewebsites.net\\\", \\n \\\"googlepublic.feed.ns1.dns-info.gq\\\", \\\"gp.spotifylite.cloud\\\", \\\"gskytop.com\\\", \\\"gstatic.dnset.com\\\", \\n \\\"gxxservice.com\\\", \\\"helpdesk.cdn.freetcp.com\\\", \\\"id.serveuser.com\\\", \\\"infestexe.com\\\", \\\"item.itemdb.com\\\",\\n \\\"m.mircosoftdoc.com\\\", \\\"mail.transferdkim.xyz\\\", \\\"mcafee.updatenai.com\\\", \\\"mecgjm.mircosoftdoc.com\\\",\\n \\\"microdocs.ga\\\", \\\"microsock.website\\\", \\\"microsocks.net\\\", \\\"microsoft.sendsmtp.com\\\", \\n \\\"microsoftbook.dns05.com\\\", \\\"microsoftcontactcenter.com\\\", \\\"microsoftdocs.dns05.com\\\", \\\"microsoftdocs.ml\\\", \\n \\\"microsoftonetravel.com\\\", \\\"microsoftonlines.net\\\", \\\"microsoftprod.com\\\", \\\"microsofts.dns1.us\\\", \\\"microsoftsonline.net\\\",\\n \\\"minivineyapp.com\\\", \\\"mircosoftdoc.com\\\", \\\"mircosoftdocs.com\\\", \\\"mlcrosoft.ninth.biz\\\", \\\"mlcrosoft.site\\\", \\n \\\"mm.portomnail.com\\\", \\\"msdnupdate.com\\\", \\\"msecdn.cloud\\\", \\\"mtnl1.dynamic-dns.net\\\", \\\"ns.gstatic.dnset.com\\\", \\n \\\"ns.microsoftprod.com\\\", \\\"ns.steamappstore.com\\\", \\\"ns1.cdn.freetcp.com\\\", \\\"ns1.comcleanner.info\\\", \\\"ns1.dns-info.gq\\\", \\n \\\"ns1.dns05.cf\\\", \\\"ns1.dnstemplog.com\\\", \\\"ns1.dropdns.com\\\", \\\"ns1.microsoftonetravel.com\\\", \\n \\\"ns1.microsoftonlines.net\\\", \\\"ns1.microsoftprod.com\\\", \\\"ns1.microsoftsonline.net\\\", \\\"ns1.mlcrosoft.site\\\", \\n \\\"ns1.teams.wikaba.com\\\", \\\"ns1.windowsdefende.com\\\", \\\"ns2.comcleanner.info\\\", \\\"ns2.dnstemplog.com\\\", \\n \\\"ns2.microsoftonetravel.com\\\", \\\"ns2.microsoftprod.com\\\", \\\"ns2.microsoftsonline.net\\\", \\\"ns2.mlcrosoft.site\\\", \\n \\\"ns2.windowsdefende.com\\\", \\\"ns3.microsoftprod.com\\\", \\\"ns3.mlcrosoft.site\\\", \\\"nutrition.mrbasic.com\\\", \\n \\\"nutrition.youdontcare.com\\\", \\\"online.mlcrosoft.site\\\", \\\"online.msdnupdate.com\\\", \\\"outlookservce.site\\\", \\n \\\"owa.jetos.com\\\", \\\"owa.otzo.com\\\", \\\"pornotime.co\\\", \\\"portomnail.com\\\", \\n \\\"post.1a0.066e063ac.7c1947fa.ns1.steamappstore.com\\\", \\\"pricingdmdk.com\\\", \\\"prod.microsoftprod.com\\\", \\n \\\"product.microsoftprod.com\\\", \\\"ptcl.yourtrap.com\\\", \\\"query.api.sourcedns.tk\\\", \\\"rb.itemdb.com\\\", \\\"redditcdn.com\\\", \\n \\\"rss.otzo.com\\\", \\\"secure.msdnupdate.com\\\", \\\"service.dns22.ml\\\", \\\"service.gstatic.dnset.com\\\", \\\"service04.dns04.com\\\", \\n \\\"settings.teams.wikaba.com\\\", \\\"sip.outlookservce.site\\\", \\\"sixindent.epizy.com\\\", \\\"soft.msdnupdate.com\\\", \\\"sourcedns.ml\\\", \\n \\\"sourcedns.tk\\\", \\\"sport.msdnupdate.com\\\", \\\"spotifylite.cloud\\\", \\\"static.misecure.com\\\", \\\"steamappstore.com\\\", \\n \\\"store.otzo.com\\\", \\\"survey.outlookservce.site\\\", \\\"team.itemdb.com\\\", \\\"temp221.com\\\", \\\"test.microsoftprod.com\\\", \\n \\\"thisisaaa.000webhostapp.com\\\", \\\"token.dns04.com\\\", \\\"token.dns05.com\\\", \\\"transferdkim.xyz\\\", \\n \\\"travelsanignacio.com\\\", \\\"update08.com\\\", \\\"updated08.com\\\", \\\"updatenai.com\\\", \\\"wantforspeed.com\\\",\\n \\\"web.mircosoftdoc.com\\\", \\\"webmail.pornotime.co\\\", \\\"webwhois.team.itemdb.com\\\", \\\"windowsdefende.com\\\", \\\"wnswindows.com\\\",\\n \\\"ashcrack.freetcp.com\\\", \\\"battllestategames.com\\\", \\\"binannce.com\\\", \\\"cdsend.xyz\\\", \\\"comcleanner.info\\\", \\\"microsock.website\\\", \\n \\\"microsocks.net\\\", \\\"microsoftsonline.net\\\", \\\"mlcrosoft.site\\\", \\\"notify.serveuser.com\\\", \\\"ns1.microsoftprod.com\\\", \\n \\\"ns2.microsoftprod.com\\\", \\\"pricingdmdk.com\\\", \\\"steamappstore.com\\\", \\\"update08.com\\\", \\\"wnswindows.com\\\", \\n \\\"youtube.dns05.com\\\", \\\"z1.zalofilescdn.com\\\", \\\"z2.zalofilescdn.com\\\", \\\"zalofilescdn.com\\\"]); \\n(union isfuzzy=true \\n (CommonSecurityLog \\n | parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n | where DNSName in~ (DomainNames) \\n | extend Account = SourceUserID, Computer = DeviceName, IPAddress = DestinationIP \\n ), \\n (_Im_Dns (domain_has_any=DomainNames)\\n | extend DNSName = DnsQuery \\n | extend IPAddress = SrcIpAddr, Computer = Dvc\\n ), \\n (_Im_WebSession (url_has_any=DomainNames)\\n | extend DNSName = tostring(parse_url(Url)[\\\"Host\\\"])\\n | extend IPAddress = SrcIpAddr, Computer = Dvc\\n ), \\n (VMConnection \\n | parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 * \\n | where isnotempty(DNSName) \\n | where DNSName in~ (DomainNames) \\n | extend IPAddress = RemoteIp \\n ), \\n ( \\n DeviceNetworkEvents \\n | where isnotempty(RemoteUrl) \\n | where RemoteUrl in~ (DomainNames) \\n | extend IPAddress = RemoteIP \\n | extend Computer = DeviceName \\n ),\\n (AzureDiagnostics \\n | where ResourceType == \\\"AZUREFIREWALLS\\\"\\n | where Category == \\\"AzureFirewallApplicationRule\\\"\\n | parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n | where isnotempty(DestinationHost)\\n | where DestinationHost has_any (DomainNames) \\n | extend DNSName = DestinationHost \\n | extend IPCustomEntity = SourceHost\\n ),\\n (AzureDiagnostics\\n | where ResourceType == \\\"AZUREFIREWALLS\\\"\\n | where Category == \\\"AzureFirewallNetworkRule\\\"\\n | where msg_s has_any (DomainNames)\\n | parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePortInt:int \\\" to \\\" TargetIP \\\":\\\" TargetPortInt:int *\\n | parse kind=regex flags=U msg_s with * \\\". Action\\\\\\\\: \\\" Action1a \\\"\\\\\\\\.\\\"\\n | parse msg_s with * \\\". Policy: \\\" Policy \\\". Rule Collection Group: \\\" RuleCollectionGroup \\\".\\\" *\\n | parse msg_s with * \\\" Rule Collection: \\\" RuleCollection \\\". Rule: \\\" Rule \\n | extend IPCustomEntity = SourceIP\\n ),\\n (AzureDiagnostics\\n | where ResourceType == \\\"AZUREFIREWALLS\\\"\\n | where Category == \\\"AzureFirewallDnsProxy\\\"\\n | where msg_s has_any (DomainNames)\\n | parse msg_s with \\\"DNS Request: \\\" SourceIP \\\":\\\" SourcePortInt:int \\\" - \\\" QueryID:int \\\" \\\" RequestType \\\" \\\" RequestClass \\\" \\\" hostname \\\". \\\" protocol \\\" \\\" details\\n | extend\\n ResponseDuration = extract(\\\"[0-9]*.?[0-9]+s$\\\", 0, msg_s),\\n SourcePort = tostring(SourcePortInt),\\n QueryID = tostring(QueryID)\\n | project TimeGenerated,SourceIP,hostname,RequestType,ResponseDuration,details,msg_s\\n | order by TimeGenerated\\n | extend IPCustomEntity = SourceIP\\n ),\\n (AZFWApplicationRule\\n | where Fqdn has_any (DomainNames)\\n | extend IPCustomEntity = SourceIp\\n ),\\n (AZFWDnsQuery\\n | where isnotempty(QueryName)\\n | where QueryName has_any (DomainNames)\\n | extend DNSName = QueryName\\n | extend IPCustomEntity = SourceIp\\n )\\n ) \\n | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"[Deprecated] - Known Barium domains\",\"description\":\"This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft\u0027s Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2020-11-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\",\"AZFWApplicationRule\",\"AZFWDnsQuery\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c2da1106-bfe4-4a63-bf14-5ab73130ccd5\",\"name\":\"c2da1106-bfe4-4a63-bf14-5ab73130ccd5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":1,\"version\":\"1.0.3\",\"severity\":\"Informational\",\"query\":\"let timeframe = ago(1d);\\nAppServiceAntivirusScanAuditLogs\\n| where ScanStatus == \\\"Failed\\\"\\n| extend timestamp = TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"AzureID\",\"columnName\":\"_ResourceId\"}]}],\"displayName\":\"AppServices AV Scan Failure\",\"description\":\"Identifies if an AV scan fails in Azure App Services.\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2020-12-11T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/65c78944-930b-4cae-bd79-c3664ae30ba7\",\"name\":\"65c78944-930b-4cae-bd79-c3664ae30ba7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"Medium\",\"query\":\"(union isfuzzy=true\\n(AuditLogs\\n| where OperationName =~ \\\"Disable Strong Authentication\\\"\\n| extend _parsedIntiatedByUser = parse_json(tostring(InitiatedBy.user))\\n| extend _parsedIntiatedByApp = parse_json(tostring(InitiatedBy.app))\\n| extend IPAddress = tostring(_parsedIntiatedByUser.ipAddress)\\n| extend InitiatedByUser = iff(isnotempty(tostring(_parsedIntiatedByUser.userPrincipalName)),\\n tostring(_parsedIntiatedByUser.userPrincipalName), tostring(_parsedIntiatedByApp.displayName))\\n| extend Targetprop = todynamic(TargetResources)\\n| extend TargetUser = tostring(Targetprop[0].userPrincipalName)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by User = TargetUser, InitiatedByUser , Operation = OperationName , CorrelationId, IPAddress, Category, Source = SourceSystem , AADTenantId, Type\\n),\\n(AWSCloudTrail\\n| where EventName in~ (\\\"DeactivateMFADevice\\\", \\\"DeleteVirtualMFADevice\\\")\\n| extend _parsedRequestParameters = parse_json(RequestParameters)\\n| extend InstanceProfileName = tostring(_parsedRequestParameters.InstanceProfileName)\\n| extend TargetUser = tostring(_parsedRequestParameters.userName)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by User = TargetUser, Source = EventSource , Operation = EventName , TenantorInstance_Detail = InstanceProfileName, IPAddress = SourceIpAddress\\n)\\n)\\n| extend timestamp = StartTimeUtc, UserName = tostring(split(User, \u0027@\u0027, 0)[0]), UPNSuffix = tostring(split(User, \u0027@\u0027, 1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"UserName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]}],\"tactics\":[\"CredentialAccess\",\"Persistence\"],\"displayName\":\"Multi-Factor Authentication Disabled for a User\",\"description\":\"Multi-Factor Authentication (MFA) helps prevent credential compromise. This alert identifies when an attempt has been made to deactivate MFA for a user.\",\"lastUpdatedDateUTC\":\"2024-01-16T00:00:00Z\",\"createdDateUTC\":\"2019-12-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f6502545-ae3a-4232-a8b0-79d87e5c98d7\",\"name\":\"f6502545-ae3a-4232-a8b0-79d87e5c98d7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"Event\\n| where EventLog =~ \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID in (13)\\n| parse EventData with * \u0027TargetObject\\\"\u003e\u0027 TargetObject \\\"\u003c\\\" * \u0027Details\\\"\u003e\u0027 Details \\\"\u003c\\\" * \\n| where TargetObject=~\\\"HKLM\\\\\\\\System\\\\\\\\CurrentControlSet\\\\\\\\Control\\\\\\\\SecurityProviders\\\\\\\\WDigest\\\\\\\\UseLogonCredential\\\" and Details !=\\\"DWORD (0x00000000)\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventID, Computer, TargetObject, Details\\n| extend HostName = iif(Computer has \u0027.\u0027,substring(Computer,0,indexof(Computer,\u0027.\u0027)),Computer) , DnsDomain = iif(Computer has \u0027.\u0027,substring(Computer,indexof(Computer,\u0027.\u0027)+1),\u0027\u0027)\",\"entityMappings\":[{\"entityType\":\"RegistryKey\",\"fieldMappings\":[{\"identifier\":\"Key\",\"columnName\":\"TargetObject\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"WDigest downgrade attack\",\"description\":\"When the WDigest Authentication protocol is enabled, plain text passwords are stored in the Local Security Authority Subsystem Service (LSASS) exposing them to theft. This setting will prevent WDigest from storing credentials in memory.\\nRef: https://www.stigviewer.com/stig/windows_7/2016-12-19/finding/V-72753\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-03-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/aedc5b33-2d7c-42cb-a692-f25ef637cbb1\",\"name\":\"aedc5b33-2d7c-42cb-a692-f25ef637cbb1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let lbtime = 10m;\\nProofpointPOD\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027outbound\u0027\\n| where array_length(todynamic(DstUserUpn)) == 1\\n| extend sender = extract(@\u0027\\\\A(.*?)@\u0027, 1, SrcUserUpn)\\n| extend sender_domain = extract(@\u0027@(.*)$\u0027, 1, SrcUserUpn)\\n| extend recipient = extract(@\u0027\\\\A(.*?)@\u0027, 1, tostring(todynamic(DstUserUpn)[0]))\\n| extend recipient_domain = extract(@\u0027@(.*)$\u0027, 1, tostring(todynamic(DstUserUpn)[0]))\\n| where sender =~ recipient\\n| where sender_domain != recipient_domain\\n| project SrcUserUpn, DstUserUpn\\n| extend AccountCustomEntity = SrcUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"ProofpointPOD - Possible data exfiltration to private email\",\"description\":\"Detects when sender sent email to the non-corporate domain and recipient\u0027s username is the same as sender\u0027s username.\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d6491be0-ab2d-439d-95d6-ad8ea39277c5\",\"name\":\"d6491be0-ab2d-439d-95d6-ad8ea39277c5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Low\",\"query\":\"let SensitiveOperationList = dynamic(\\n[\\\"VaultDelete\\\", \\\"KeyDelete\\\", \\\"SecretDelete\\\", \\\"SecretPurge\\\", \\\"KeyPurge\\\", \\\"SecretBackup\\\", \\\"KeyBackup\\\"]);\\nAzureDiagnostics\\n| extend ResultType = column_ifexists(\\\"ResultType\\\", \\\"NoResultType\\\"), \\nrequestUri_s = column_ifexists(\\\"requestUri_s\\\", \\\"None\\\"), \\nidentity_claim_oid_g = column_ifexists(\\\"identity_claim_oid_g\\\", \\\"None\\\"), CallerIPAddress = column_ifexists(\\\"CallerIPAddress\\\", \\\"None\\\"), \\nclientInfo_s = column_ifexists(\\\"clientInfo_s\\\", \\\"None\\\"), \\nidentity_claim_upn_s = column_ifexists(\\\"identity_claim_upn_s\\\", \\\"None\\\"),\\nidentity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = column_ifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"None\\\")\\n| where ResourceType =~ \\\"VAULTS\\\" and ResultType =~ \\\"Success\\\"\\n| where OperationName in~ (SensitiveOperationList)\\n| summarize EventCount=count(), StartTimeUtc=min(TimeGenerated), EndTimeUtc=max(TimeGenerated), TimeTriggered=make_list(TimeGenerated),OperationNameList=make_set(OperationName), RequestURLList=make_set(requestUri_s), CallerIPList = make_set(CallerIPAddress), CallerIPMax= arg_max(CallerIPAddress,*) by ResourceType, ResultType, Resource, identity_claim_upn_s, clientInfo_s, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\n| extend timestamp = StartTimeUtc\\n| extend Name = tostring(split(identity_claim_upn_s,\u0027@\u0027,0)[0]), UPNSuffix = tostring(split(identity_claim_upn_s,\u0027@\u0027,1)[0]), AadUserId = identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"AadUserId\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"CallerIPMax\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Sensitive Azure Key Vault operations\",\"description\":\"Identifies when sensitive Azure Key Vault operations are used. This includes: VaultDelete, KeyDelete, SecretDelete, SecretPurge, KeyPurge, SecretBackup, KeyBackup.\\nAny Backup operations should match with expected scheduled backup activity.\",\"lastUpdatedDateUTC\":\"2024-03-04T00:00:00Z\",\"createdDateUTC\":\"2019-07-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureKeyVault\",\"dataTypes\":[\"KeyVaultData\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/58e306fe-1c49-4b8f-9b0e-15f25e8f0cd7\",\"name\":\"58e306fe-1c49-4b8f-9b0e-15f25e8f0cd7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"// Filter GCP Audit Logs to exclude service accounts\\nGCPAuditLogs \\n| where PrincipalEmail !endswith \\\"gserviceaccount.com\\\"\\n// Exclude system-related authentication information\\n| where AuthenticationInfo !has (\\\"system:\\\")\\n// Extract GCP request name and relevant attributes\\n| extend GCPRequestName= parse_json(Request).name\\n| extend\\n GCPAccoutType= tostring(split(GCPRequestName, \\\"/\\\")[2]),\\n GCPUserIdentity = iff(isempty(tostring(split(GCPRequestName, \\\"/\\\")[3])), tostring(parse_json(AuthenticationInfo).principalEmail), \\\"na\\\"), \\n GCPUserIp = tostring(parse_json(RequestMetadata).callerIp),\\n GCPCallerUA = tostring(parse_json(RequestMetadata).callerSuppliedUserAgent)\\n// Filter out empty or service account identities\\n| where isnotempty(GCPUserIdentity) and GCPUserIdentity !endswith \\\"gserviceaccount.com\\\"\\n// Select relevant attributes for further analysis\\n| project\\n PrincipalEmail,\\n GCPUserIdentity,\\n GCPAccoutType,\\n GCPRequestName,\\n GCPCallerUA,\\n Request,\\n RequestMetadata,\\n GCPUserIp,\\n MethodName,\\n ServiceName,\\n GCPEventTime= TimeGenerated,\\n ProjectId\\n// Join GCP Audit Logs with SecurityAlert data based on user identity and IP\\n| join kind=inner ( \\n SecurityAlert \\n // Exclude alerts from Azure Sentinel\\n | where ProductName !in (\\\"Azure Sentinel\\\")\\n // Extract IP entities from alert data\\n | extend AlertIPEntity= tostring(extract(@\\\"\\\\d{1,3}\\\\.\\\\d{1,3}\\\\.\\\\d{1,3}\\\\.\\\\d{1,3}\\\", 0, Entities))\\n | extend\\n AlertUserUPN = tostring(extract(@\u0027\\\\b[\\\\w\\\\.\\\\-]+@[\\\\w\\\\.\\\\-]+\\\\b\u0027, 0, Entities)),\\n AlertTime= TimeGenerated\\n // Filter out empty user identities and IP entities\\n | where isnotempty(AlertIPEntity) and isnotempty(AlertUserUPN)\\n )\\n on $left.GCPUserIdentity == $right.AlertUserUPN and $left.GCPUserIp == $right.AlertIPEntity\\n// Summarize the data, calculating time differences and aggregating attributes\\n| summarize\\n FirstAlert=min(AlertTime),\\n LastAlert=max(AlertTime),\\n TimeDiff=datetime_diff(\u0027minute\u0027, min(AlertTime), min(GCPEventTime)),\\n MethodName=make_set(MethodName),\\n ServiceName= make_set(ServiceName),\\n GCPProjctId=make_set(ProjectId),\\n Request=make_set(Request),\\n GCPCallerUA=make_set(GCPCallerUA)\\n by\\n AlertUserUPN,\\n AlertIPEntity,\\n GCPUserIp,\\n GCPUserIdentity,\\n AlertSeverity,\\n AlertName,\\n AlertLink,\\n Description,\\n Tactics,\\n ProductName,\\n SystemAlertId,\\n GCPAccoutType\\n// Extend the data with additional attributes\\n| extend\\n Name = tostring(split(GCPUserIdentity, \\\"@\\\")[0]),\\n UPNSuffix = tostring(split(GCPUserIdentity, \\\"@\\\")[1])\",\"customDetails\":{\"AlertName\":\"AlertName\",\"FirstAlert\":\"FirstAlert\",\"LastAlert\":\"LastAlert\",\"TimeDiff\":\"TimeDiff\",\"MethodName\":\"MethodName\",\"GCPProjctId\":\"GCPProjctId\",\"GCPCallerUA\":\"GCPCallerUA\",\"ServiceName\":\"ServiceName\",\"AlertUserUPN\":\"AlertUserUPN\",\"SystemAlertId\":\"SystemAlertId\",\"Tactics\":\"Tactics\",\"Request\":\"Request\",\"CorrelationWith\":\"GCPAuditLogs\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"GCPUserIp\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"A user {{GCPUserUPN}} has been linked to {{AlertName}}, and has potentially suspicious behavior within the GCP environment from, originating from the IP address {{GCPUserIp}}.\",\"alertDescriptionFormat\":\" This detection compiles and correlates unauthorized user access alerts originating from {{ProductName}} With Alert Description \u0027{{Description}}\u0027 observed activity in GCP environmeny. It focuses on Microsoft Security, specifically targeting user bhaviour and network IP associations tied to activities such as logins from malicious IP addresses or instance credential exfiltration attempts. The detection leverages these common network IP advisories to detect and pinpoint users suspicious activity to access both Azure and GCP resources. \\n\\n Microsoft Security ALert Link : \u0027{{AlertLink}}\u0027\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":\"AlertSeverity\"},\"tactics\":[\"InitialAccess\",\"Execution\",\"Persistence\",\"PrivilegeEscalation\",\"CredentialAccess\",\"Discovery\"],\"displayName\":\"Cross-Cloud Suspicious user activity observed in GCP Envourment\",\"description\":\"\\nThis detection query aims to correlate potentially suspicious user activities logged in Google Cloud Platform (GCP) Audit Logs with security alerts originating from Microsoft Security products. This correlation facilitates the identification of potential cross-cloud security incidents. By summarizing these findings, the query provides valuable insights into cross-cloud identity threats and their associated details, enabling organizations to respond promptly and mitigate potential risks effectively.\\n\",\"lastUpdatedDateUTC\":\"2023-10-06T00:00:00Z\",\"createdDateUTC\":\"2023-10-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"GCPAuditLogsDefinition\",\"dataTypes\":[\"GCPAuditLogs\"]},{\"connectorId\":\"AzureActiveDirectoryIdentityProtection\",\"dataTypes\":[\"SecurityAlert (IPC)\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"MicrosoftDefenderAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert (MDATP)\"]},{\"connectorId\":\"MicrosoftCloudAppSecurity\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8dcf7238-a7d0-4cfd-8d0c-b230e3cd9182\",\"name\":\"8dcf7238-a7d0-4cfd-8d0c-b230e3cd9182\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5M\",\"queryPeriod\":\"PT5M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Medium\",\"query\":\"let timeframe = ago(5m);\\nDuoSecurityTrustMonitor_CL\\n| where TimeGenerated \u003e= timeframe\\n| extend AccountName = tostring(split(surfaced_auth_user_name_s, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(surfaced_auth_user_name_s, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"surfaced_auth_user_name_s\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"surfaced_auth_access_device_ip_s\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Trust Monitor Event\",\"description\":\"This query identifies when a new trust monitor event is detected.\",\"lastUpdatedDateUTC\":\"2024-07-15T00:00:00Z\",\"createdDateUTC\":\"2021-02-13T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d804b39c-03a4-417c-a949-bdbf21fa3305\",\"name\":\"d804b39c-03a4-417c-a949-bdbf21fa3305\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"Medium\",\"query\":\"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string)\\n[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/MSTICIoCs-ExchangeServerVulnerabilitiesDisclosedMarch2021.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet file_paths = (iocs | where Type =~ \\\"filepath\\\" | project IoC);\\nlet sha256s = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\nlet ips = (iocs | where Type =~ \\\"ip\\\" | project IoC);\\nlet domains = (iocs | where Type =~ \\\"domainname\\\" | project IoC);\\nlet dyndomains = todynamic(toscalar((domains | summarize make_set(IoC))));\\nunion isfuzzy=true\\n(SecurityEvent\\n| where EventID == 4663\\n| where ObjectName in (file_paths)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(WindowsEvent\\n| where EventID == 4663 and EventData has_any (file_paths)\\n| extend ObjectName = tostring(EventData.ObjectName) \\n| where ObjectName in (file_paths)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName), \\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(imFileEvent\\n| where TargetFileName in (file_paths)\\n or\\n TargetFileSHA256 in (sha256s)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUsername, HostCustomEntity = DvcHostname\\n),\\n(DeviceFileEvents\\n| where FolderPath in (file_paths)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountName, HostCustomEntity = DeviceName\\n),\\n(DeviceEvents\\n| where InitiatingProcessSHA256 in (sha256s)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountName, HostCustomEntity = DeviceName\\n),\\n (CommonSecurityLog\\n| where FileHash in (sha256s)\\n| extend timestamp = TimeGenerated\\n),\\n(Event // File iocs\\n//This query uses sysmon data depending on table name used this may need updating\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Hashes = EventDetail.[16].[\\\"#text\\\"]\\n| where isnotempty(Hashes)\\n| parse Hashes with * \u0027SHA256=\u0027 SHA256 \u0027,\u0027 *\\n| where SHA256 in~ (sha256s)\\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = Hashes\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(CommonSecurityLog\\n| where isnotempty(SourceIP) or isnotempty(DestinationIP)\\n| where (SourceIP in (ips) or DestinationIP in (ips) or Message has_any (ips)) or (RequestURL has_any (domains))\\n| extend IPMatch = case(SourceIP in (ips), \\\"SourceIP\\\", DestinationIP in (ips), \\\"DestinationIP\\\", \\\"Message\\\")\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch\\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\")\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = EventDetail.[9].[\\\"#text\\\"], DestinationIP = EventDetail.[14].[\\\"#text\\\"]\\n| where SourceIP in (ips) or DestinationIP in (ips)\\n| extend IPMatch = case( SourceIP in (ips), \\\"SourceIP\\\", DestinationIP in (ips), \\\"DestinationIP\\\", \\\"None\\\")\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n),\\n(WireData\\n| where isnotempty(RemoteIP)\\n| where RemoteIP in (ips)\\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer\\n),\\n(W3CIISLog\\n| where isnotempty(cIP)\\n| where cIP in (ips)\\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName\\n),\\n(\\nWindowsFirewall\\n| where SourceIP in (ips) or DestinationIP in (ips)\\n| extend IPMatch = case( SourceIP in (ips), \\\"SourceIP\\\", DestinationIP in (ips), \\\"DestinationIP\\\", \\\"None\\\")\\n),\\n(\\n _Im_NetworkSession(srcipaddr_has_any_prefix=ips) \\n | extend IPCustomEntity = SrcIpAddr, AccountCustomEntity= User, HostCustomEntity=Hostname\\n),\\n (\\n _Im_NetworkSession(dstipaddr_has_any_prefix=ips) \\n | extend IPCustomEntity = DstIpAddr, AccountCustomEntity= User, HostCustomEntity=Hostname\\n),\\n(_Im_Dns(domain_has_any=dyndomains)\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc\\n)\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"[Deprecated] - Exchange Server Vulnerabilities Disclosed March 2021 IoC Match\",\"description\":\"This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft\u0027s Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2021-03-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"AzureMonitor(WireData)\",\"dataTypes\":[\"WireData\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog (CheckPoint)\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog (Cisco)\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog (F5)\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog (Fortinet)\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ef895ada-e8e8-4cf0-9313-b1ab67fab69f\",\"name\":\"ef895ada-e8e8-4cf0-9313-b1ab67fab69f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Medium\",\"query\":\"let CombinedSignInLogs = union isfuzzy=True AADNonInteractiveUserSignInLogs, SigninLogs;\\n // Combine AADNonInteractiveUserSignInLogs and SigninLogs into a single table\\n // Fetch Azure IP address ranges data from a JSON file hosted on GitHub\\n let AzureRanges = externaldata(changeNumber: string, cloud: string, values: dynamic)\\n [\\\"https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/MSFTIPRanges/ServiceTags_Public.json\\\"] with(format=\u0027multijson\u0027)\\n // Load Azure IP address ranges from the JSON file hosted on GitHub\\n | mv-expand values\\n // Expand the values column into separate rows\\n | extend Name = values.name, AddressPrefixes = tostring(values.properties.addressPrefixes);\\n // Create additional columns for the name and address prefixes\\n // Identify known locations to be excluded from analysis\\n let ExcludedKnownLocations = CombinedSignInLogs\\n // Filter the combined logs based on the specified time range\\n | where TimeGenerated between (ago(14d)..ago(1d))\\n // Filter by specific ResultType\\n | where ResultType == 0\\n // Summarize the logs by location\\n | summarize by Location;\\n // Find sign-in locations matching specific criteria\\n let MatchedLocations = materialize(CombinedSignInLogs\\n // Filter the combined logs based on the specified time range\\n | where TimeGenerated \u003e ago(1d)\\n // Exclude specific ResultTypes\\n | where ResultType !in (50126, 50053, 50074, 70044)\\n // Exclude known locations\\n | where Location !in (ExcludedKnownLocations));\\n // Match IP addresses of matched locations with Azure IP address ranges\\n let MatchedIPs = MatchedLocations\\n // Use the \u0027ipv4_lookup\u0027 function to match IP addresses with Azure IP address ranges\\n | evaluate ipv4_lookup(AzureRanges, IPAddress, AddressPrefixes)\\n // Project only the IPAddress column\\n | project IPAddress;\\n // Exclude IP addresses that are already matched with Azure IP address ranges\\n let MaxSetSize = 5; // Set the maximum size limit for make_set\\n let ExcludedIPs = MatchedLocations\\n // Filter out IP addresses that are already matched\\n | where not (IPAddress in (MatchedIPs))\\n // Exclude empty or null Location values\\n | where isnotempty(Location)\\n // Handle dynamic and string column values for LocationDetails and DeviceDetail\\n | extend LocationDetails_dynamic = column_ifexists(\\\"LocationDetails_dynamic\\\", \\\"\\\")\\n | extend DeviceDetail_dynamic = column_ifexists(\\\"DeviceDetail_dynamic\\\", \\\"\\\")\\n | extend LocationDetails = iif(isnotempty(LocationDetails_dynamic), LocationDetails_dynamic, parse_json(LocationDetails_string))\\n | extend DeviceDetail = iif(isnotempty(DeviceDetail_dynamic), DeviceDetail_dynamic, parse_json(DeviceDetail_string))\\n // Extract location details (city and state)\\n | extend City = tostring(LocationDetails.city)\\n | extend State = tostring(LocationDetails.state)\\n | extend Place = strcat(City, \\\" - \\\", State)\\n | extend DeviceId = tostring(DeviceDetail.deviceId)\\n | extend Result = strcat(tostring(ResultType), \\\" - \\\", ResultDescription)\\n // Summarize the data based on UserPrincipalName, Location, and Category\\n | summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated),\\n make_set(Result, MaxSetSize), make_set(IPAddress, MaxSetSize),\\n make_set(UserAgent, MaxSetSize), make_set(Place, MaxSetSize),\\n make_set(DeviceId, MaxSetSize) by UserPrincipalName, Location, Category\\n // Extract the username prefix and suffix from UserPrincipalName\\n | extend Name = tostring(split(UserPrincipalName,\u0027@\u0027,0)[0]), UPNSuffix = tostring(split(UserPrincipalName,\u0027@\u0027,1)[0]);\\n ExcludedIPs // Output the final result set\\n | extend IP = set_IPAddress[0]\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IP\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Authentication Attempt from New Country\",\"description\":\"Detects when there is a login attempt from a country that has not seen a successful login in the previous 14 days.\\nThreat actors may attempt to authenticate with credentials from compromised accounts - monitoring attempts from anomalous locations may help identify these attempts.\\nAuthentication attempts should be investigated to ensure the activity was legitimate and if there is other similar activity.\\nRef: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\",\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d25b1998-a592-4bc5-8a3a-92b39eedb1bc\",\"name\":\"d25b1998-a592-4bc5-8a3a-92b39eedb1bc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"Low\",\"query\":\"AWSCloudTrail\\n| where EventName =~ \\\"ConsoleLogin\\\"\\n| extend MFAUsed = tostring(parse_json(AdditionalEventData).MFAUsed), LoginResult = tostring(parse_json(ResponseElements).ConsoleLogin), indexId = indexof(tostring(UserIdentityPrincipalid),\\\":\\\")\\n| where MFAUsed !~ \\\"Yes\\\" and LoginResult !~ \\\"Failure\\\"\\n| where SessionIssuerUserName !contains \\\"AWSReservedSSO\\\"\\n| extend UserIdentityArn = iif(isempty(UserIdentityArn), tostring(parse_json(Resources)[0].ARN), UserIdentityArn)\\n| extend UserName = tostring(split(UserIdentityArn, \u0027/\u0027)[-1])\\n| extend AccountName = case( UserIdentityPrincipalid == \\\"Anonymous\\\", \\\"Anonymous\\\", isempty(UserIdentityUserName), UserName, UserIdentityUserName)\\n| extend AccountName = iif(AccountName contains \\\"@\\\", tostring(split(AccountName, \u0027@\u0027, 0)[0]), AccountName),\\n AccountUPNSuffix = iif(AccountName contains \\\"@\\\", tostring(split(AccountName, \u0027@\u0027, 1)[0]), \\\"\\\")\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, LoginResult, MFAUsed, RecipientAccountId, AccountName, AccountUPNSuffix, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent,\\nUserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion, indexId\\n| extend timestamp = StartTimeUtc\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"},{\"identifier\":\"CloudAppAccountId\",\"columnName\":\"RecipientAccountId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIpAddress\"}]}],\"tactics\":[\"DefenseEvasion\",\"PrivilegeEscalation\",\"Persistence\",\"InitialAccess\"],\"displayName\":\"Login to AWS Management Console without MFA\",\"description\":\"Multi-Factor Authentication (MFA) helps you to prevent credential compromise. This alert identifies logins to the AWS Management Console without MFA.\\nYou can limit this detection to trigger for adminsitrative accounts if you do not have MFA enabled on all accounts.\\nThis is done by looking at the eventName ConsoleLogin and if the AdditionalEventData field indicates MFA was NOT used and the ResponseElements field indicates NOT a Failure. Thereby indicating that a non-MFA login was successful.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6852d9da-8015-4b95-8ecf-d9572ee0395d\",\"name\":\"6852d9da-8015-4b95-8ecf-d9572ee0395d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Low\",\"query\":\"let queryfrequency = 1h;\\nlet wait_for_deletion = 10m;\\nlet account_created =\\n AuditLogs \\n | where ActivityDisplayName == \\\"Add service principal\\\"\\n | where Result == \\\"success\\\"\\n | extend AppID = tostring(AdditionalDetails[1].value)\\n | extend creationTime = ActivityDateTime\\n | extend CreatorUserPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend CreatorIPAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress);\\nlet account_activity =\\n AADServicePrincipalSignInLogs\\n | extend Activities = pack(\\\"ActivityTime\\\", TimeGenerated ,\\\"IpAddress\\\", IPAddress, \\\"ResourceDisplayName\\\", ResourceDisplayName)\\n | extend AppID = AppId\\n | summarize make_list(Activities) by AppID;\\nlet account_deleted =\\n AuditLogs \\n | where OperationName == \\\"Remove service principal\\\"\\n | where Result == \\\"success\\\"\\n | extend AppID = tostring(AdditionalDetails[1].value)\\n | extend deletionTime = ActivityDateTime\\n | extend DeleterUserPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend DeleterIPAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress);\\nlet account_credentials =\\n AuditLogs\\n | where OperationName has_all (\\\"Update application\\\", \\\"Certificates and secrets management\\\")\\n | where Result == \\\"success\\\"\\n | extend AppID = tostring(AdditionalDetails[1].value)\\n | extend credentialCreationTime = ActivityDateTime;\\nlet roles_assigned =\\n AuditLogs\\n | where ActivityDisplayName == \\\"Add app role assignment to service principal\\\"\\n | extend AppID = tostring(TargetResources[1].displayName)\\n | extend AssignedRole = iff(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].displayName)==\\\"AppRole.Value\\\", tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].newValue))),\\\"\\\")\\n | extend AssignedRoles = pack(\\\"Role\\\", AssignedRole)\\n | summarize make_list(AssignedRoles) by AppID;\\naccount_created\\n| where TimeGenerated between (ago(wait_for_deletion+queryfrequency)..ago(wait_for_deletion))\\n| join kind= inner (account_activity) on AppID\\n| join kind= inner (account_deleted) on AppID\\n| join kind= inner (account_credentials) on AppID\\n| join kind= inner (roles_assigned) on AppID\\n| where deletionTime - creationTime between (time(0s)..wait_for_deletion)\\n| extend AliveTime = deletionTime - creationTime\\n| project AADTenantId, AppID, creationTime, deletionTime, CreatorUserPrincipalName, DeleterUserPrincipalName, CreatorIPAddress, DeleterIPAddress, list_Activities, list_AssignedRoles, AliveTime\\n| extend CreatorName = tostring(split(CreatorUserPrincipalName, \\\"@\\\")[0]), CreatorUPNSuffix = tostring(split(CreatorUserPrincipalName, \\\"@\\\")[1])\\n| extend DeleterName = tostring(split(DeleterUserPrincipalName, \\\"@\\\")[0]), DeleterSuffix = tostring(split(DeleterUserPrincipalName, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CreatorUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"CreatorName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"CreatorUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DeleterUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"DeleterName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"DeleterSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"CreatorIPAddress\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DeleterIPAddress\"}]}],\"tactics\":[\"CredentialAccess\",\"PrivilegeEscalation\",\"InitialAccess\"],\"displayName\":\"Suspicious Service Principal creation activity\",\"description\":\"This alert will detect creation of an SPN, permissions granted, credentials created, activity and deletion of the SPN in a time frame (default 10 minutes)\",\"lastUpdatedDateUTC\":\"2024-01-09T00:00:00Z\",\"createdDateUTC\":\"2021-11-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\",\"AADServicePrincipalSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c63ae777-d5e0-4113-8c9a-c2c9d3d09fcd\",\"name\":\"c63ae777-d5e0-4113-8c9a-c2c9d3d09fcd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"High\",\"query\":\"let args = dynamic([\\\"objectcategory\\\",\\\"domainlist\\\",\\\"dcmodes\\\",\\\"adinfo\\\",\\\"trustdmp\\\",\\\"computers_pwdnotreqd\\\",\\\"Domain Admins\\\", \\\"objectcategory=person\\\", \\\"objectcategory=computer\\\", \\\"objectcategory=*\\\",\\\"dclist\\\"]);\\nlet parentProcesses = dynamic([\\\"pwsh.exe\\\",\\\"powershell.exe\\\",\\\"cmd.exe\\\"]);\\nDeviceProcessEvents\\n//looks for execution from a shell\\n| where InitiatingProcessFileName in~ (parentProcesses)\\n// main filter\\n| where FileName =~ \\\"AdFind.exe\\\" or SHA256 == \\\"c92c158d7c37fea795114fa6491fe5f145ad2f8c08776b18ae79db811e8e36a3\\\"\\n // AdFind common Flags to check for from various threat actor TTPs\\n or ProcessCommandLine has_any (args)\\n| extend HostName = split(DeviceName, \u0027.\u0027, 0)[0], DnsDomain = strcat_array(array_slice(split(DeviceName, \u0027.\u0027), 1, -1), \u0027.\u0027), FileHashAlgorithm = \\\"SHA256\\\"\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"InitiatingProcessFileName\"},{\"identifier\":\"CommandLine\",\"columnName\":\"ProcessCommandLine\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashAlgorithm\"},{\"identifier\":\"Value\",\"columnName\":\"SHA256\"}]}],\"tactics\":[\"Discovery\"],\"displayName\":\"Probable AdFind Recon Tool Usage\",\"description\":\"This query identifies the host and account that executed AdFind, by hash and filename, in addition to the flags commonly utilized by various threat actors during the reconnaissance phase.\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2021-04-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/11bda520-a965-4654-9a45-d09f372f71aa\",\"name\":\"11bda520-a965-4654-9a45-d09f372f71aa\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P2D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.10\",\"severity\":\"High\",\"query\":\"AzureActivity\\n// Isolate run command actions\\n| where OperationNameValue =~ \\\"MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION\\\"\\n// Confirm that the operation impacted a virtual machine\\n| where Authorization has \\\"virtualMachines\\\"\\n// Each runcommand operation consists of three events when successful, Started, Accepted (or Rejected), Successful (or Failed).\\n| summarize StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), max(CallerIpAddress), make_list(ActivityStatusValue) by CorrelationId, Authorization, Caller\\n// Limit to Run Command executions that Succeeded\\n| where list_ActivityStatusValue has_any (\\\"Success\\\", \\\"Succeeded\\\")\\n// Extract data from the Authorization field\\n| extend Authorization_d = parse_json(Authorization)\\n| extend Scope = Authorization_d.scope\\n| extend Scope_s = split(Scope, \\\"/\\\")\\n| extend Subscription = tostring(Scope_s[2])\\n| extend VirtualMachineName = tostring(Scope_s[-1])\\n| project StartTime, EndTime, Subscription, VirtualMachineName, CorrelationId, Caller, CallerIpAddress=max_CallerIpAddress\\n// Create a join key using the Caller (UPN)\\n| extend joinkey = tolower(Caller)\\n// Join the Run Command actions to UEBA data\\n| join kind = inner (\\n BehaviorAnalytics\\n // We are specifically interested in unusual logins\\n | where EventSource == \\\"Azure AD\\\" and ActivityInsights.ActionUncommonlyPerformedByUser == \\\"True\\\"\\n | project UEBAEventTime=TimeGenerated, UEBAActionType=ActionType, UserPrincipalName, UEBASourceIPLocation=SourceIPLocation, UEBAActivityInsights=ActivityInsights, UEBAUsersInsights=UsersInsights\\n | where isnotempty(UserPrincipalName) and isnotempty(UEBASourceIPLocation)\\n | extend joinkey = tolower(UserPrincipalName)\\n) on joinkey\\n// Create a window around the UEBA event times, check to see if the Run Command action was performed within them\\n| extend UEBAWindowStart = UEBAEventTime - 1h, UEBAWindowEnd = UEBAEventTime + 6h\\n| where StartTime between (UEBAWindowStart .. UEBAWindowEnd)\\n| project StartTime, EndTime, Subscription, VirtualMachineName, Caller, CallerIpAddress, UEBAEventTime, UEBAActionType, UEBASourceIPLocation, UEBAActivityInsights, UEBAUsersInsights\\n| extend AccountName = tostring(split(Caller, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(Caller, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Caller\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"CallerIpAddress\"}]}],\"tactics\":[\"LateralMovement\",\"CredentialAccess\"],\"displayName\":\"Azure VM Run Command operation executed during suspicious login window\",\"description\":\"Identifies when the Azure Run Command operation is executed by a UserPrincipalName and IP Address that has resulted in a recent user entity behaviour alert.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2021-10-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"BehaviorAnalytics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/738702fd-0a66-42c7-8586-e30f0583f8fe\",\"name\":\"738702fd-0a66-42c7-8586-e30f0583f8fe\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.6\",\"severity\":\"High\",\"query\":\"DeviceEvents\\n| where ActionType has \\\"ExploitGuardNonMicrosoftSignedBlocked\\\"\\n| where InitiatingProcessFileName has \\\"svchost.exe\\\" and FileName has \\\"NetSetupSvc.dll\\\"\\n| extend HashAlgorithm = \\\"SHA1\\\"\\n| extend HostName = tostring(split(DeviceName, \\\".\\\")[0]), DomainIndex = toint(indexof(DeviceName, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(DeviceName, DomainIndex + 1), DeviceName)\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DeviceName\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingProcessAccountUpn\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatingProcessAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatingProcessAccountDomain\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"HashAlgorithm\"},{\"identifier\":\"Value\",\"columnName\":\"InitiatingProcessSHA1\"}]}],\"tactics\":[\"Execution\",\"Persistence\",\"DefenseEvasion\"],\"displayName\":\"TEARDROP memory-only dropper\",\"description\":\"Identifies SolarWinds TEARDROP memory-only dropper IOCs in Window\u0027s defender Exploit Guard activity\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\",\"lastUpdatedDateUTC\":\"2024-04-04T00:00:00Z\",\"createdDateUTC\":\"2022-04-12T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5ef06767-b37c-4818-b035-47de950d0046\",\"name\":\"5ef06767-b37c-4818-b035-47de950d0046\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.4\",\"severity\":\"Medium\",\"query\":\"// How far back to look for events from\\nlet timeframe = 1d;\\n// How close together build events and file modifications should occur to alert (make this smaller to reduce FPs)\\nlet time_window = 5m;\\n// Edit this to include build processes used\\nlet build_processes = dynamic([\\\"MSBuild.exe\\\", \\\"dotnet.exe\\\", \\\"VBCSCompiler.exe\\\"]);\\n// Include any processes that you want to allow to edit files during/around the build process\\nlet allow_list = dynamic([\\\"\\\"]);\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n// Look for build process starts\\n| where EventID == 4688\\n| where Process has_any (build_processes)\\n| summarize by BuildParentProcess=ParentProcessName, BuildProcess=Process, BuildAccount = Account, Computer, BuildCommand=CommandLine, timekey= bin(TimeGenerated, time_window), BuildProcessTime=TimeGenerated\\n| join kind=inner(\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n// Look for file modifications to code file\\n| where EventID == 4663\\n| where Process !in (allow_list)\\n// Look for code files, edit this to include file extensions used in build.\\n| where ObjectName endswith \\\".cs\\\" or ObjectName endswith \\\".cpp\\\"\\n// 0x6 and 0x4 for file append, 0x100 for file replacements\\n| where AccessMask == \\\"0x6\\\" or AccessMask == \\\"0x4\\\" or AccessMask == \\\"0X100\\\"\\n| summarize by FileEditParentProcess=ParentProcessName, FileEditAccount = Account, Computer, FileEdited=ObjectName, FileEditProcess=ProcessName, timekey= bin(TimeGenerated, time_window), FileEditTime=TimeGenerated)\\n// join where build processes and file modifications seen at same time on same host\\non timekey, Computer\\n// Limit to only where the file edit happens after the build process starts\\n| where BuildProcessTime \u003c= FileEditTime\\n| summarize make_set(FileEdited), make_set(FileEditProcess), make_set(FileEditAccount) by timekey, Computer, BuildParentProcess, BuildProcess\\n),\\n(WindowsEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n// Look for build process starts\\n| where EventID == 4688 and EventData has_any (build_processes)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where Process has_any (build_processes)\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend CommandLine = tostring(EventData.CommandLine) \\n| summarize by BuildParentProcess=ParentProcessName, BuildProcess=Process, BuildAccount = Account, Computer, BuildCommand=CommandLine, timekey= bin(TimeGenerated, time_window), BuildProcessTime=TimeGenerated\\n| join kind=inner(\\nWindowsEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n// Look for file modifications to code file\\n| where EventID == 4663 and EventData has_any (\\\"0x6\\\", \\\"0x4\\\", \\\"0X100\\\") and EventData has_any (\\\".cs\\\", \\\".cpp\\\")\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where Process !in (allow_list)\\n// Look for code files, edit this to include file extensions used in build.\\n| extend ObjectName = tostring(EventData.ObjectName)\\n| where ObjectName endswith \\\".cs\\\" or ObjectName endswith \\\".cpp\\\"\\n// 0x6 and 0x4 for file append, 0x100 for file replacements\\n| extend AccessMask = tostring(EventData.AccessMask) \\n| where AccessMask == \\\"0x6\\\" or AccessMask == \\\"0x4\\\" or AccessMask == \\\"0X100\\\"\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| summarize by FileEditParentProcess=ParentProcessName, FileEditAccount = Account, Computer, FileEdited=ObjectName, FileEditProcess=ProcessName, timekey= bin(TimeGenerated, time_window), FileEditTime=TimeGenerated)\\n// join where build processes and file modifications seen at same time on same host\\non timekey, Computer\\n// Limit to only where the file edit happens after the build process starts\\n| where BuildProcessTime \u003c= FileEditTime\\n| summarize make_set(FileEdited), make_set(FileEditProcess), make_set(FileEditAccount) by timekey, Computer, BuildParentProcess, BuildProcess\\n))\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| project-away DomainIndex\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Potential Build Process Compromise\",\"description\":\"The query looks for source code files being modified immediately after a build process is started. The purpose of this is to look for malicious code injection during the build process.\\nMore details: https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-the-software-supply-chain-with-azure-sentinel/ba-p/2176463\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1f3b4dfd-21ff-4ed3-8e27-afc219e05c50\",\"name\":\"1f3b4dfd-21ff-4ed3-8e27-afc219e05c50\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n| where LoggedByService =~ \\\"PIM\\\"\\n| where Category =~ \\\"RoleManagement\\\"\\n| where ActivityDisplayName has \\\"Disable PIM Alert\\\"\\n| extend IpAddress = case(\\n isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)) and tostring(parse_json(tostring(InitiatedBy.user)).ipAddress) != \u0027null\u0027, tostring(parse_json(tostring(InitiatedBy.user)).ipAddress), \\n isnotempty(tostring(parse_json(tostring(InitiatedBy.app)).ipAddress)) and tostring(parse_json(tostring(InitiatedBy.app)).ipAddress) != \u0027null\u0027, tostring(parse_json(tostring(InitiatedBy.app)).ipAddress),\\n \u0027Not Available\u0027)\\n| extend InitiatedBy = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)), \\n tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName)), UserRoles = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n| project InitiatedBy, ActivityDateTime, ActivityDisplayName, IpAddress, AADOperationType, AADTenantId, ResourceId, CorrelationId, Identity\\n| extend AccountName = tostring(split(InitiatedBy, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(InitiatedBy, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatedBy\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceId\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Detect PIM Alert Disabling activity\",\"description\":\"Privileged Identity Management (PIM) generates alerts when there is suspicious or unsafe activity in Microsoft Entra ID (Azure AD) organization. \\nThis query will help detect attackers attempts to disable in product PIM alerts which are associated with Azure MFA requirements and could indicate activation of privileged access\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2021-09-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f8dad4e9-3f19-4d70-ab7f-8f19ccd43a3e\",\"name\":\"f8dad4e9-3f19-4d70-ab7f-8f19ccd43a3e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":1,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let threshold = 1;\\nunion isfuzzy=true(\\nAZFWApplicationRule\\n| where Action == \\\"Deny\\\"\\n| summarize StartTime = min(TimeGenerated), count() by SourceIp, Fqdn, Action, Protocol\\n| where count_ \u003e= [\\\"threshold\\\"]),\\n(AZFWNetworkRule\\n| where Action == \\\"Deny\\\"\\n| extend Fqdn = DestinationIp\\n| summarize StartTime = min(TimeGenerated), count() by SourceIp, Fqdn, Action, Protocol\\n| where count_ \u003e= [\\\"threshold\\\"]),\\n(AZFWFlowTrace\\n| where Action == \\\"Deny\\\"\\n| extend Fqdn = DestinationIp\\n| summarize StartTime = min(TimeGenerated), count() by SourceIp, Fqdn, Action, Protocol\\n| where count_ \u003e= [\\\"threshold\\\"]),\\n(AZFWIdpsSignature\\n| where Action == \\\"Deny\\\"\\n| extend Fqdn = DestinationIp\\n| summarize StartTime = min(TimeGenerated), count() by SourceIp, Fqdn, Action, Protocol\\n| where count_ \u003e= [\\\"threshold\\\"]),\\n(AzureDiagnostics\\n| where OperationName in (\\\"AzureFirewallApplicationRuleLog\\\",\\\"AzureFirewallNetworkRuleLog\\\")\\n| extend msg_s_replaced0 = replace(@\\\"\\\\s\\\\s\\\",@\\\" \\\",msg_s)\\n| extend msg_s_replaced1 = replace(@\\\"\\\\.\\\\s\\\",@\\\" \\\",msg_s_replaced0)\\n| extend msg_a = split(msg_s_replaced1,\\\" \\\")\\n| extend srcAddr_a = split(msg_a[3],\\\":\\\") , destAddr_a = split(msg_a[5],\\\":\\\")\\n| extend Protocol = tostring(msg_a[0]), SourceIp = tostring(srcAddr_a[0]), srcPort = tostring(srcAddr_a[1]), DestinationIp = tostring(destAddr_a[0]), destPort = tostring(destAddr_a[1]), Action = tostring(msg_a[7])\\n| where Action == \\\"Deny\\\"\\n| extend Fqdn = iff(DestinationIp matches regex \\\"\\\\\\\\d+\\\\\\\\.\\\\\\\\d+\\\\\\\\.\\\\\\\\d+\\\\\\\\.\\\\\\\\d+\\\",\\\"\\\",DestinationIp)\\n| summarize StartTime = min(TimeGenerated), count() by SourceIp, Fqdn, Action, Protocol\\n| where count_ \u003e= [\\\"threshold\\\"])\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIp\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Fqdn\"}]}],\"tactics\":[\"Discovery\",\"LateralMovement\",\"CommandAndControl\"],\"displayName\":\"Several deny actions registered\",\"description\":\"Identifies attack pattern when attacker tries to move, or scan, from resource to resource on the network and creates an incident when a source has more than 1 registered deny action in Azure Firewall.\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2020-10-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\",\"AZFWApplicationRule\",\"AZFWNetworkRule\",\"AZFWFlowTrace\",\"AZFWIdpsSignature\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ec21493c-2684-4acd-9bc2-696dbad72426\",\"name\":\"ec21493c-2684-4acd-9bc2-696dbad72426\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.4.2\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h; // Duration to look back for recent logs (1 hour)\\nlet ioc_lookBack = 14d; // Duration to look back for recent threat intelligence indicators (14 days)\\n// Create a list of top-level domains (TLDs) in our threat feed for later validation of extracted domains\\nlet list_tlds = \\n ThreatIntelligenceIndicator\\n | where isnotempty(DomainName)\\n | where TimeGenerated \u003e= ago(ioc_lookBack)\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n | where Active == true and ExpirationDateTime \u003e now()\\n | extend DomainName = tolower(DomainName)\\n | extend parts = split(DomainName, \u0027.\u0027)\\n | extend tld = parts[(array_length(parts)-1)]\\n | summarize count() by tostring(tld)\\n | summarize make_list(tld);\\nlet Domain_Indicators = \\n ThreatIntelligenceIndicator\\n // Filter to pick up only IOC\u0027s that contain the entities we want (in this case, DomainName)\\n | where isnotempty(DomainName)\\n | where TimeGenerated \u003e= ago(ioc_lookBack)\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n | where Active == true and ExpirationDateTime \u003e now()\\n | extend TI_DomainEntity = DomainName;\\nDomain_Indicators\\n // Join with CommonSecurityLog to find potential malicious activity\\n | join kind=innerunique (\\n CommonSecurityLog\\n | extend IngestionTime = ingestion_time()\\n | where IngestionTime \u003e ago(dt_lookBack)\\n | where DeviceVendor =~ \u0027Palo Alto Networks\u0027\\n | where DeviceEventClassID =~ \u0027url\u0027\\n // Uncomment the line below to only alert on allowed connections\\n // | where DeviceAction !~ \\\"block-url\\\"\\n // Extract domain from RequestURL, if not present, extract it from AdditionalExtensions\\n | extend PA_Url = coalesce(RequestURL, \\\"None\\\")\\n | extend PA_Url = iif(isempty(PA_Url) and AdditionalExtensions !startswith \\\"PanOS\\\", extract(\\\"([^\\\\\\\"]+)\\\", 1, tolower(AdditionalExtensions)), trim(\u0027\\\"\u0027, PA_Url))\\n | extend PA_Url = iif(PA_Url !in~ (\u0027None\u0027, \u0027http://None\u0027, \u0027https://None\u0027) and PA_Url !startswith \\\"http://\\\" and PA_Url !startswith \\\"https://\\\" and ApplicationProtocol !~ \\\"ssl\\\", strcat(\u0027http://\u0027, PA_Url), PA_Url)\\n | extend PA_Url = iif(PA_Url !in~ (\u0027None\u0027, \u0027http://None\u0027, \u0027https://None\u0027) and PA_Url !startswith \\\"https://\\\" and ApplicationProtocol =~ \\\"ssl\\\", strcat(\u0027https://\u0027, PA_Url), PA_Url)\\n | extend Domain = trim(@\\\"\\\"\\\"\\\", tostring(parse_url(PA_Url).Host))\\n | where isnotempty(Domain)\\n | extend Domain = tolower(Domain)\\n | extend parts = split(Domain, \u0027.\u0027)\\n // Split out the top-level domain (TLD) for the purpose of checking if we have any TI indicators with this TLD to match on\\n | extend tld = parts[(array_length(parts)-1)]\\n // Validate parsed domain by checking TLD against TLDs from the threat feed and drop domains where there is no chance of a match\\n | where tld in~ (list_tlds)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n ) on $left.TI_DomainEntity == $right.Domain\\n | where CommonSecurityLog_TimeGenerated \u003c ExpirationDateTime\\n // Group the results by IndicatorId and Domain and keep only the latest CommonSecurityLog_TimeGenerated\\n | summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, Domain\\n // Select the desired fields for the final result set\\n | project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, PA_Url, Domain, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DeviceAction, DestinationIP, DestinationPort, DeviceName, SourceIP, SourcePort, ApplicationProtocol, RequestMethod, Type, TI_DomainEntity\\n // Add a new field \u0027timestamp\u0027 for convenience, using the CommonSecurityLog_TimeGenerated as its value\\n | extend timestamp = CommonSecurityLog_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"DeviceName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"PA_Url\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"TI map Domain entity to PaloAlto\",\"description\":\"Identifies a match in Palo Alto data in CommonSecurityLog table from any Domain IOC from TI\",\"lastUpdatedDateUTC\":\"2024-07-09T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/90d3f6ec-80fb-48e0-9937-2c70c9df9bad\",\"name\":\"90d3f6ec-80fb-48e0-9937-2c70c9df9bad\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Low\",\"query\":\"let DomainList = dynamic([\\\"tor2web.org\\\", \\\"tor2web.com\\\", \\\"torlink.co\\\", \\\"onion.to\\\", \\\"onion.ink\\\", \\\"onion.cab\\\", \\\"onion.nu\\\", \\\"onion.link\\\",\\n\\\"onion.it\\\", \\\"onion.city\\\", \\\"onion.direct\\\", \\\"onion.top\\\", \\\"onion.casa\\\", \\\"onion.plus\\\", \\\"onion.rip\\\", \\\"onion.dog\\\", \\\"tor2web.fi\\\",\\n\\\"tor2web.blutmagie.de\\\", \\\"onion.sh\\\", \\\"onion.lu\\\", \\\"onion.pet\\\", \\\"t2w.pw\\\", \\\"tor2web.ae.org\\\", \\\"tor2web.io\\\", \\\"tor2web.xyz\\\", \\\"onion.lt\\\",\\n\\\"s1.tor-gateways.de\\\", \\\"s2.tor-gateways.de\\\", \\\"s3.tor-gateways.de\\\", \\\"s4.tor-gateways.de\\\", \\\"s5.tor-gateways.de\\\", \\\"hiddenservice.net\\\"]);\\nSyslog\\n| where ProcessName contains \\\"squid\\\"\\n| extend URL = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :]*)\\\",3,SyslogMessage),\\n SourceIP = extract(\\\"([0-9]+ )(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3}))\\\",2,SyslogMessage),\\n Status = extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))\\\",1,SyslogMessage),\\n HTTP_Status_Code = extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))/([0-9]{3})\\\",8,SyslogMessage),\\n User = extract(\\\"(CONNECT |GET )([^ ]* )([^ ]+)\\\",3,SyslogMessage),\\n RemotePort = extract(\\\"(CONNECT |GET )([^ ]*)(:)([0-9]*)\\\",4,SyslogMessage),\\n Domain = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :\\\\\\\\/]*)\\\",3,SyslogMessage),\\n Bytes = toint(extract(\\\"([A-Z]+\\\\\\\\/[0-9]{3} )([0-9]+)\\\",2,SyslogMessage)),\\n contentType = extract(\\\"([a-z/]+$)\\\",1,SyslogMessage)\\n| extend TLD = extract(\\\"\\\\\\\\.[a-z]*$\\\",0,Domain)\\n| where HTTP_Status_Code == \\\"200\\\"\\n| where Domain contains \\\".\\\"\\n| where Domain has_any (DomainList)\\n| extend AccountName = tostring(split(User, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(User, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"User\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URL\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Squid proxy events for ToR proxies\",\"description\":\"Check for Squid proxy events associated with common ToR proxies. This query presumes the default squid log format is being used.\\nhttp://www.squid-cache.org/Doc/config/access_log/\",\"lastUpdatedDateUTC\":\"2024-07-25T00:00:00Z\",\"createdDateUTC\":\"2019-07-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"SyslogAma\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f7f4a77e-f68f-4b56-9aaf-a0c9d87d7a8e\",\"name\":\"f7f4a77e-f68f-4b56-9aaf-a0c9d87d7a8e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.4\",\"severity\":\"Low\",\"query\":\"// Replace these with the username or emails of your VIP users you wish to monitor for.\\nlet vips = dynamic([\u0027vip1@email.com\u0027,\u0027vip2@email.com\u0027]);\\n// Add users who are allowed to conduct these searches - this could be specific SOC team members\\nlet allowed_users = dynamic([]);\\nLAQueryLogs\\n| where QueryText has_any (vips) or QueryText has_any (\u0027_GetWatchlist(\\\"VIPUsers\\\")\u0027, \\\"_GetWatchlist(\u0027VIPUsers\u0027)\\\")\\n| where AADEmail !in (allowed_users)\\n| project TimeGenerated, AADEmail, RequestClientApp, QueryText, ResponseRowCount, RequestTarget\\n| extend timestamp = TimeGenerated, AccountName = tostring(split(AADEmail, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(AADEmail, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"RequestTarget\"}]}],\"tactics\":[\"Collection\",\"Exfiltration\"],\"displayName\":\"Users searching for VIP user activity\",\"description\":\"This query monitors for users running Log Analytics queries that contain filters for specific, defined VIP user accounts or the VIPUser watchlist template.\\nUse this detection to alert for users specifically searching for activity of sensitive users.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2020-09-16T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2b701288-b428-4fb8-805e-e4372c574786\",\"name\":\"2b701288-b428-4fb8-805e-e4372c574786\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Medium\",\"query\":\"//The bigger the window the better the data sample size, as we use IP prevalence, more sample data is better.\\n//The minimum number of countries that the account has been accessed from [default: 2]\\nlet minimumCountries = 2;\\n//The delta (%) between the largest in-use IP and the smallest [default: 95]\\nlet deltaThreshold = 95;\\n//The maximum (%) threshold that the country appears in login data [default: 10]\\nlet countryPrevalenceThreshold = 10;\\n//The time to project forward after the last login activity [default: 60min]\\nlet projectedEndTime = 60m;\\nlet queryfrequency = 1d;\\nlet queryperiod = 14d;\\nlet aadFunc = (tableName: string) {\\n // Get successful signins to Teams\\n let signinData =\\n table(tableName)\\n | where TimeGenerated \u003e ago(queryperiod)\\n | where AppDisplayName has \\\"Teams\\\" and ConditionalAccessStatus =~ \\\"success\\\"\\n | extend Country = tostring(todynamic(LocationDetails)[\u0027countryOrRegion\u0027])\\n | where isnotempty(Country) and isnotempty(IPAddress);\\n // Calculate prevalence of countries\\n let countryPrevalence =\\n signinData\\n | summarize CountCountrySignin = count() by Country\\n | extend TotalSignin = toscalar(signinData | summarize count())\\n | extend CountryPrevalence = toreal(CountCountrySignin) / toreal(TotalSignin) * 100;\\n // Count signins by user and IP address\\n let userIpSignin =\\n signinData\\n | summarize CountIPSignin = count(), Country = any(Country), ListSigninTimeGenerated = make_list(TimeGenerated) by IPAddress, UserPrincipalName;\\n // Calculate delta between the IP addresses with the most and minimum activity by user\\n let userIpDelta =\\n userIpSignin\\n | summarize MaxIPSignin = max(CountIPSignin), MinIPSignin = min(CountIPSignin), DistinctCountries = dcount(Country), make_set(Country) by UserPrincipalName\\n | extend UserIPDelta = toreal(MaxIPSignin - MinIPSignin) / toreal(MaxIPSignin) * 100;\\n // Collect Team operations the user account has performed within a time range of the suspicious signins\\n OfficeActivity\\n | where TimeGenerated \u003e ago(queryfrequency)\\n | where Operation in~ (\\\"TeamsAdminAction\\\", \\\"MemberAdded\\\", \\\"MemberRemoved\\\", \\\"MemberRoleChanged\\\", \\\"AppInstalled\\\", \\\"BotAddedToTeam\\\")\\n | where not (Operation in~ (\\\"MemberAdded\\\", \\\"MemberRemoved\\\") and CommunicationType in~ (\\\"GroupChat\\\", \\\"OneonOne\\\")) // These events have been noisy and are related to initiaing chat conversation and not admin operations.\\n | project OperationTimeGenerated = TimeGenerated, UserId = tolower(UserId), Operation\\n | join kind = inner(\\n userIpDelta\\n // Check users with activity from distinct countries\\n | where DistinctCountries \u003e= minimumCountries\\n // Check users with high IP delta\\n | where UserIPDelta \u003e= deltaThreshold\\n // Add information about signins and countries\\n | join kind = leftouter userIpSignin on UserPrincipalName\\n | join kind = leftouter countryPrevalence on Country\\n // Check activity that comes from nonprevalent countries\\n | where CountryPrevalence \u003c countryPrevalenceThreshold\\n | project\\n UserPrincipalName,\\n SuspiciousIP = IPAddress,\\n UserIPDelta,\\n SuspiciousSigninCountry = Country,\\n SuspiciousCountryPrevalence = CountryPrevalence,\\n EventTimes = ListSigninTimeGenerated\\n ) on $left.UserId == $right.UserPrincipalName\\n // Check the signins occured 60 min before the Teams operations\\n | mv-expand SigninTimeGenerated = EventTimes\\n | extend SigninTimeGenerated = todatetime(SigninTimeGenerated)\\n | where OperationTimeGenerated between (SigninTimeGenerated .. (SigninTimeGenerated + projectedEndTime))\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\\n| summarize arg_max(SigninTimeGenerated, *) by UserPrincipalName, SuspiciousIP, OperationTimeGenerated\\n| summarize\\n ActivitySummary = make_bag(pack(tostring(SigninTimeGenerated), pack(\\\"Operation\\\", tostring(Operation), \\\"OperationTime\\\", OperationTimeGenerated)))\\n by UserPrincipalName, SuspiciousIP, SuspiciousSigninCountry, SuspiciousCountryPrevalence\\n| extend AccountName = tostring(split(UserPrincipalName, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(UserPrincipalName, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SuspiciousIP\"}]}],\"tactics\":[\"InitialAccess\",\"Persistence\"],\"displayName\":\"Anomalous login followed by Teams action\",\"description\":\"Detects anomalous IP address usage by user accounts and then checks to see if a suspicious Teams action is performed.\\nQuery calculates IP usage Delta for each user account and selects accounts where a delta \u003e= 90% is observed between the most and least used IP.\\nTo further reduce results the query performs a prevalence check on the lowest used IP\u0027s country, only keeping IP\u0027s where the country is unusual for the tenant (dynamic ranges). \\nPlease note, if the initial logic of prevalence to find suspicious logon activity is noisy then consider adding filtering based on Location. \\nFinally the user accounts activity within Teams logs is checked for suspicious commands (modifying user privileges or admin actions) during the period the suspicious IP was active.\",\"lastUpdatedDateUTC\":\"2024-12-17T00:00:00Z\",\"createdDateUTC\":\"2020-06-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a4025a76-6490-4e6b-bb69-d02be4b03f07\",\"name\":\"a4025a76-6490-4e6b-bb69-d02be4b03f07\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.4.3\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h; // Look back 1 hour for AzureNetworkAnalytics_CL logs\\nlet ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators\\n// Fetch threat intelligence indicators related to IP addresses\\nlet IP_Indicators = ThreatIntelligenceIndicator\\n | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n | where TimeGenerated \u003e= ago(ioc_lookBack)\\n | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \\\"fe80\\\" and TI_ipEntity !startswith \\\"::\\\" and TI_ipEntity !startswith \\\"127.\\\"\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n | where Active == true and ExpirationDateTime \u003e now();\\n// Perform a join between IP indicators and AzureNetworkAnalytics_CL logs for NSG Flow information\\nIP_Indicators\\n // Use innerunique to keep performance fast and result set low, as we only need one match to indicate potential malicious activity that needs investigation\\n | join kind=innerunique (\\n AzureNetworkAnalytics_CL\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | extend AzureNetworkAnalytics_CL_TimeGenerated = TimeGenerated\\n | extend PIPs = split(PublicIPs_s, \u0027|\u0027, 0)\\n | extend PIP = tostring(PIPs[0])\\n )\\n on $left.TI_ipEntity == $right.PIP\\n // Filter out logs that occurred after the expiration of the corresponding indicator\\n | where AzureNetworkAnalytics_CL_TimeGenerated \u003c ExpirationDateTime\\n // Filter out NSG Flow logs that are not allowed (FlowStatus_s == \\\"A\\\")\\n | where FlowStatus_s == \\\"A\\\"\\n // Group the results by IndicatorId and PIP (Public IP), and keep the log entry with the latest timestamp\\n | summarize AzureNetworkAnalytics_CL_TimeGenerated = arg_max(AzureNetworkAnalytics_CL_TimeGenerated, *) by IndicatorId, PIP\\n // Select the desired output fields\\n | project AzureNetworkAnalytics_CL_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\n TI_ipEntity, Computer, FlowDirection_s, FlowStatus_s, FlowType_s, SrcPublicIPs_s, DestPublicIPs_s, PublicIPs_s, L7Protocol_s, DestPort_d, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, Type\\n // Extract hostname and DNS domain from the Computer field\\n | extend HostName = tostring(split(Computer, \u0027.\u0027, 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Computer, \u0027.\u0027), 1, -1), \u0027.\u0027))\\n // Rename the timestamp field\\n | extend timestamp = AzureNetworkAnalytics_CL_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"TI_ipEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"TI map IP entity to AzureNetworkAnalytics_CL (NSG Flow Logs)\",\"description\":\"Identifies a match in AzureNetworkAnalytics_CL (NSG Flow Logs) from any IP IOC from TI that was Allowed\",\"lastUpdatedDateUTC\":\"2024-07-09T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/720d12c6-a08c-44c4-b18f-2236412d59b0\",\"name\":\"720d12c6-a08c-44c4-b18f-2236412d59b0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Low\",\"query\":\"SecurityEvent\\n | where EventID == 4688\\n | where Process !~ \\\"sdelete.exe\\\"\\n | where CommandLine has_all (\\\"accepteula\\\", \\\"-r\\\", \\\"-s\\\", \\\"-q\\\", \\\"c:/\\\")\\n | where CommandLine !has (\\\"sdelete\\\")\\n | extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n | extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n | extend AccountName = tostring(split(TargetAccount, @\u0027\\\\\u0027)[1]), AccountNTDomain = tostring(split(TargetAccount, @\u0027\\\\\u0027)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetAccount\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"DefenseEvasion\",\"Impact\"],\"displayName\":\"Potential re-named sdelete usage\",\"description\":\"This detection looks for command line parameters associated with the use of Sysinternals sdelete (https://docs.microsoft.com/sysinternals/downloads/sdelete) to delete multiple files on a host\u0027s C drive.\\nA threat actor may re-name the tool to avoid detection and then use it for destructive attacks on a host.\",\"lastUpdatedDateUTC\":\"2024-03-13T00:00:00Z\",\"createdDateUTC\":\"2022-02-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/473d57e6-f787-435c-a16b-b38b51fa9a4b\",\"name\":\"473d57e6-f787-435c-a16b-b38b51fa9a4b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.4\",\"severity\":\"High\",\"query\":\"let servicelist = dynamic([\u0027Services\\\\\\\\HealthService\u0027, \u0027Services\\\\\\\\Sense\u0027, \u0027Services\\\\\\\\WinDefend\u0027, \u0027Services\\\\\\\\MsSecFlt\u0027, \u0027Services\\\\\\\\DiagTrack\u0027, \u0027Services\\\\\\\\SgrmBroker\u0027, \u0027Services\\\\\\\\SgrmAgent\u0027, \u0027Services\\\\\\\\AATPSensorUpdater\u0027 , \u0027Services\\\\\\\\AATPSensor\u0027, \u0027Services\\\\\\\\mpssvc\u0027]);\\nlet filename = dynamic([\\\"subinacl.exe\\\",\u0027SetACL.exe\u0027]);\\nlet parameters = dynamic ([\u0027/deny=SYSTEM\u0027, \u0027/deny=S-1-5-18\u0027, \u0027/grant=SYSTEM=r\u0027, \u0027/grant=S-1-5-18=r\u0027, \u0027n:SYSTEM;p:READ\u0027, \u0027n1:SYSTEM;ta:remtrst;w:dacl\u0027]);\\nlet FullAccess = dynamic([\u0027A;CI;KA;;;SY\u0027, \u0027A;ID;KA;;;SY\u0027, \u0027A;CIID;KA;;;SY\u0027]);\\nlet ReadAccess = dynamic([\u0027A;CI;KR;;;SY\u0027, \u0027A;ID;KR;;;SY\u0027, \u0027A;CIID;KR;;;SY\u0027]);\\nlet DenyAccess = dynamic([\u0027D;CI;KR;;;SY\u0027, \u0027D;ID;KR;;;SY\u0027, \u0027D;CIID;KR;;;SY\u0027]);\\nlet timeframe = 1d;\\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where EventID == 4670\\n| where ObjectType == \u0027Key\u0027\\n| where ObjectName has_any (servicelist)\\n| parse EventData with * \u0027OldSd\\\"\u003e\u0027 OldSd \\\"\u003c\\\" *\\n| parse EventData with * \u0027NewSd\\\"\u003e\u0027 NewSd \\\"\u003c\\\" *\\n| extend Reason = case( (OldSd has \u0027;;;SY\u0027 and NewSd !has \u0027;;;SY\u0027), \u0027System Account is removed\u0027, (OldSd has_any (FullAccess) and NewSd has_any (ReadAccess)) , \u0027System permission has been changed to read from full access\u0027, (OldSd has_any (FullAccess) and NewSd has_any (DenyAccess)), \u0027System account has been given denied permission\u0027, \u0027None\u0027)\\n| project TimeGenerated, Computer, Account, ProcessName, ProcessId, ObjectName, EventData, Activity, HandleId, SubjectLogonId, OldSd, NewSd , Reason\\n),\\n(\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where EventID == 4688\\n| extend ProcessName = tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where ProcessName in~ (filename)\\n| where CommandLine has_any (servicelist) and CommandLine has_any (parameters)\\n| project TimeGenerated, Computer, Account, AccountDomain, ProcessName, ProcessNameFullPath = NewProcessName, EventID, Activity, CommandLine, EventSourceName, Type\\n),\\n(\\nWindowsEvent\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where EventID == 4670 and EventData has_any (servicelist) and EventData has \u0027Key\u0027\\n| extend ObjectType = tostring(EventData.ObjectType)\\n| where ObjectType == \u0027Key\u0027\\n| extend ObjectName = tostring(EventData.ObjectName)\\n| where ObjectName has_any (servicelist)\\n| extend OldSd = tostring(EventData.OldSd)\\n| extend NewSd = tostring(EventData.NewSd)\\n| extend Reason = case( (OldSd has \u0027;;;SY\u0027 and NewSd !has \u0027;;;SY\u0027), \u0027System Account is removed\u0027, (OldSd has_any (FullAccess) and NewSd has_any (ReadAccess)) , \u0027System permission has been changed to read from full access\u0027, (OldSd has_any (FullAccess) and NewSd has_any (DenyAccess)), \u0027System account has been given denied permission\u0027, \u0027None\u0027)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| extend ProcessId = tostring(EventData.ProcessId)\\n| extend Activity= \\\"4670 - Permissions on an object were changed.\\\"\\n| extend HandleId = tostring(EventData.HandleId)\\n| extend SubjectLogonId = tostring(EventData.SubjectLogonId)\\n| project TimeGenerated, Computer, Account, ProcessName, ProcessId, ObjectName, EventData, Activity, HandleId, SubjectLogonId, OldSd, NewSd , Reason\\n),\\n(\\nWindowsEvent\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where EventID == 4688 and EventData has_any (filename) and EventData has_any (servicelist) and EventData has_any (parameters)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend ProcessName = tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where ProcessName in~ (filename)\\n| extend CommandLine = tostring(EventData.CommandLine)\\n| where CommandLine has_any (servicelist) and CommandLine has_any (parameters)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend AccountDomain = tostring(EventData.AccountDomain)\\n| extend Activity=\\\"4688 - A new process has been created.\\\"\\n| extend EventSourceName=Provider\\n| project TimeGenerated, Computer, Account, AccountDomain, ProcessName, ProcessNameFullPath = NewProcessName, EventID, Activity, CommandLine, EventSourceName, Type\\n),\\n(\\nDeviceProcessEvents\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where InitiatingProcessFileName in~ (filename)\\n| where InitiatingProcessCommandLine has_any(servicelist) and InitiatingProcessCommandLine has_any (parameters)\\n| extend Account = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName), Computer = DeviceName\\n| project TimeGenerated, Computer, Account, AccountDomain, ProcessName = InitiatingProcessFileName, ProcessNameFullPath = FolderPath, Activity = ActionType, CommandLine = InitiatingProcessCommandLine, Type, InitiatingProcessParentFileName\\n)\\n)\\n| extend AccountName = tostring(split(Account, \\\"\\\\\\\\\\\")[0]), AccountNTDomain = tostring(split(Account, \\\"\\\\\\\\\\\")[1])\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Security Service Registry ACL Modification\",\"description\":\"Identifies attempts to modify registry ACL to evade security solutions. In the Solorigate attack, the attackers were found modifying registry permissions so services.exe cannot access the relevant registry keys to start the service.\\n The detection leverages Security Event as well as MDE data to identify when specific security services registry permissions are modified.\\n Only some portions of this detection are related to Solorigate, it also includes coverage for some common tools that perform this activity.\\n Reference on guidance for enabling registry auditing:\\n - https://docs.microsoft.com/windows/security/threat-protection/auditing/advanced-security-auditing-faq\\n - https://docs.microsoft.com/windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events\\n - https://docs.microsoft.com/windows/security/threat-protection/auditing/audit-registry\\n - https://docs.microsoft.com/windows/security/threat-protection/auditing/event-4670\\n - For the event 4670 to be created the audit policy for the registry must have auditing enabled for Write DAC and/or Write Owner\\n - https://github.com/OTRF/Set-AuditRule\\n - https://docs.microsoft.com/dotnet/api/system.security.accesscontrol.registryrights?view=dotnet-plat-ext-5.0\",\"lastUpdatedDateUTC\":\"2024-06-14T00:00:00Z\",\"createdDateUTC\":\"2021-01-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/02f6c2e5-219d-4426-a0bf-ad67abc63d53\",\"name\":\"02f6c2e5-219d-4426-a0bf-ad67abc63d53\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Medium\",\"query\":\"let lookback_start = 7d;\\nlet lookback_end = 1d;\\nlet timedelta = 5s;\\n// Get a list of previously seen DLLs being loaded\\nlet known_dlls = (Event\\n| where TimeGenerated between(ago(lookback_start)..ago(lookback_end))\\n| where EventID == 7\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend LoadedItems = parse_json(tostring(parse_json(tostring(EvData.DataItem)).EventData)).[\\\"Data\\\"]\\n| mv-expand LoadedItems\\n| where tostring(LoadedItems.[\\\"@Name\\\"]) =~ \\\"ImageLoaded\\\"\\n| extend DLL = tostring(LoadedItems.[\\\"#text\\\"])\\n| summarize by DLL);\\n// Get Image Load events related to svchost.exe\\nEvent\\n| where Source =~ \\\"Microsoft-Windows-Sysmon\\\"\\n// Image Load Event in Sysmon\\n| where EventID == 7\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Images = parse_json(tostring(parse_json(tostring(EvData.DataItem)).EventData)).[\\\"Data\\\"]\\n| mv-expand Images\\n// Parse out executing process\\n| where tostring(Images.[\\\"@Name\\\"]) =~ \\\"Image\\\"\\n| extend Image = tostring(Images.[\\\"#text\\\"])\\n| where Image endswith \\\"\\\\\\\\svchost.exe\\\"\\n// Parse out loaded DLLs\\n| extend LoadedItems = parse_json(tostring(parse_json(tostring(EvData.DataItem)).EventData)).[\\\"Data\\\"]\\n| mv-expand LoadedItems\\n| where tostring(LoadedItems.[\\\"@Name\\\"]) =~ \\\"ImageLoaded\\\"\\n| extend DLL = tostring(LoadedItems.[\\\"#text\\\"])\\n| extend Image = tostring(Image)\\n| extend ImageLoadTime = TimeGenerated\\n// Join with processes with a command line related to COM Event System\\n| join kind = inner(Event\\n| where Source =~ \\\"Microsoft-Windows-Sysmon\\\"\\n// Sysmon process execution events\\n| where EventID == 1\\n| extend RenderedDescription = tostring(split(RenderedDescription, \\\":\\\")[0])\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| extend ParentImage = tostring(column_ifexists(\\\"ParentImage\\\", \\\"NotAvailable\\\"))\\n// Command line related to COM Event System\\n| where ParentImage endswith \\\"\\\\\\\\svchost.exe\\\"\\n//| where ParentCommandLine has_all (\\\" -k LocalService\\\",\\\" -p\\\",\\\" -s EventSystem\\\")\\n| extend ProcessExecutionTime = TimeGenerated) on $left.Image == $right.ParentImage\\n// Check timespan between DLL load and process creation\\n| extend delta = ProcessExecutionTime - ImageLoadTime\\n| where ImageLoadTime \u003c= ProcessExecutionTime and delta \u003c= timedelta\\n// Filter to only newly seen DLLs\\n| where DLL !in (known_dlls)\\n| extend ParentCommandLine = tostring(column_ifexists(\\\"ParentCommandLine\\\", \\\"NotAvailable\\\"))\\n| project-reorder ImageLoadTime, ProcessExecutionTime , Image, ParentCommandLine, DLL\\n| extend Hashes = tostring(column_ifexists(\\\"Hashes\\\", \\\"NotAvailable, NotAvailable\\\"))\\n| extend Hashes = split(Hashes, \\\",\\\")\\n| mv-apply Hashes on (summarize FileHashes = make_bag(pack(tostring(split(Hashes, \\\"=\\\")[0]), tostring(split(Hashes, \\\"=\\\")[1]))))\\n| extend SHA1 = tostring(FileHashes.SHA1)\\n| extend HashAlgo = \\\"SHA1\\\"\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| extend Name = tostring(split(UserName, \\\"\\\\\\\\\\\")[1]), NTDomain = tostring(split(UserName, \\\"\\\\\\\\\\\")[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"NTDomain\",\"columnName\":\"NTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Value\",\"columnName\":\"SHA1\"},{\"identifier\":\"Algorithm\",\"columnName\":\"HashAlgo\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"COM Event System Loading New DLL\",\"description\":\"This query uses Sysmon Image Load (Event ID 7) and Process Create (Event ID 1) data to look for COM Event System being used to load a newly seen DLL.\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2022-10-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d57c33a9-76b9-40e0-9dfa-ff0404546410\",\"name\":\"d57c33a9-76b9-40e0-9dfa-ff0404546410\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"// Adjust this to use a longer timeframe to identify ADFS servers\\n//let lookback = 0d;\\n// Adjust this to adjust detection timeframe\\n//let timeframe = 1d;\\n// Filter out other servers in the AD FS farm\\nlet ADFSServersList = dynamic([\\\"ADFS02.domain.com\\\",\\\"ADFS03.domain.com\\\"]);\\n// Start by identifying ADFS servers to reduce FP chance\\nlet ADFS_Servers = (\\nEvent\\n//| where TimeGenerated \u003e ago(timeframe+lookback)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 18\\n| where Computer !in (ADFSServersList)\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, MG, ManagementGroupName, _ResourceId)\\n| extend Image = column_ifexists(\\\"Image\\\", \\\"\\\")\\n| extend process = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n| where process =~ \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| summarize by Computer\\n);\\n// Look for ADFS servers receiving connections over port 80\\nEvent\\n//| where TimeGenerated \u003e ago(timeframe)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where Computer in~ (ADFS_Servers)\\n| extend RenderedDescription = tostring(split(RenderedDescription, \\\":\\\")[0])\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, RenderedDescription, MG, ManagementGroupName, _ResourceId)\\n| extend RuleName = column_ifexists(\\\"RuleName\\\", \\\"\\\"), TechniqueId = column_ifexists(\\\"TechniqueId\\\", \\\"\\\"), TechniqueName = column_ifexists(\\\"TechniqueName\\\", \\\"\\\")\\n| parse RuleName with * \u0027technique_id=\u0027 TechniqueId \u0027,\u0027 * \u0027technique_name=\u0027 TechniqueName\\n| where EventID == 3\\n// Look for endpoints connecting to the AD FS server over port 80\\n| extend DestinationPort = column_ifexists(\\\"DestinationPort\\\", \\\"\\\"), Image = column_ifexists(\\\"Image\\\", \\\"\\\"), Initiated = column_ifexists(\\\"Initiated\\\", \\\"\\\"), SourceIp = column_ifexists(\\\"DestinationIp\\\", \\\"\\\"), DestinationIp = column_ifexists(\\\"DestinationIp\\\", \\\"\\\")\\n| where DestinationPort == 80\\n| extend process = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n// Look for the System process receiving connections\\n| where process == \u0027System\u0027 and Initiated == \u0027false\u0027\\n| where DestinationIp !in (\u0027::1\u0027,\u00270:0:0:0:0:0:0:1\u0027)\\n| extend Operation = RenderedDescription\\n| project-reorder TimeGenerated, Operation, Image, Computer, UserName\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| extend AccountName = tostring(split(UserName, @\u0027\\\\\u0027)[1]), AccountNTDomain = tostring(split(UserName, @\u0027\\\\\u0027)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserName\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIp\"}]}],\"tactics\":[\"Collection\"],\"displayName\":\"AD FS Remote HTTP Network Connection\",\"description\":\"This detection uses Sysmon events (NetworkConnect events) to detect incoming network traffic on port 80 on AD FS servers. This could be a sign of a threat actor trying to use replication services on the AD FS server to get its configuration settings and extract sensitive information such as AD FS certificates.\\nIn order to use this query you need to enable Sysmon telemetry on the AD FS Server.\\nReference: https://twitter.com/OTR_Community/status/1387038995016732672\\n\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5f171045-88ab-4634-baae-a7b6509f483b\",\"name\":\"5f171045-88ab-4634-baae-a7b6509f483b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"High\",\"query\":\"let Dev0530_threats = dynamic([\\\"Trojan:Win32/SiennaPurple.A\\\", \\\"Ransom:Win32/SiennaBlue.A\\\", \\\"Ransom:Win32/SiennaBlue.B\\\"]);\\nSecurityAlert\\n| where ProviderName == \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)\\n| where ThreatName in~ (Dev0530_threats) or ThreatFamilyName in~ (Dev0530_threats)\\n| extend CompromisedEntity = tolower(CompromisedEntity)\\n| join kind=inner (DeviceInfo\\n | extend DeviceName = tolower(DeviceName)\\n) on $left.CompromisedEntity == $right.DeviceName\\n| summarize by bin(TimeGenerated, 1d), DisplayName, ThreatName, ThreatFamilyName, PublicIP, AlertSeverity, Description, tostring(LoggedOnUsers), DeviceId, TenantId, CompromisedEntity, tostring(LoggedOnUsers), ProductName, Entities\\n| extend HostName = tostring(split(CompromisedEntity, \\\".\\\")[0]), DomainIndex = toint(indexof(CompromisedEntity, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(CompromisedEntity, DomainIndex + 1), CompromisedEntity)\\n| project-away DomainIndex\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CompromisedEntity\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"PublicIP\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"AV detections related to Dev-0530 actors\",\"description\":\"This query looks for Microsoft Defender AV detections related to Dev-0530 actors.\\nIn Microsoft Sentinel the SecurityAlerts table includes only the Device Name of the affected device, this query joins the DeviceInfo table to clearly connect other information such as Device group, ip, logged on users etc. This would allow the Microsoft Sentinel analyst to have more context related to the alert, if available.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-04-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f9949656-473f-4503-bf43-a9d9890f7d08\",\"name\":\"f9949656-473f-4503-bf43-a9d9890f7d08\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.5.2\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h; // Look back 1 hour for AppServiceHTTPLogs\\nlet ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators\\n// Fetch threat intelligence indicators related to IP addresses\\nlet IP_Indicators = ThreatIntelligenceIndicator\\n // Filter out indicators without relevant IP address fields\\n | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n | where TimeGenerated \u003e= ago(ioc_lookBack)\\n // Filtering out rows where the Confidence Score is less than 50 as they would not have an Alert Priority label. \\n | where ConfidenceScore \u003e 50\\n // Select the IP entity based on availability of different IP fields\\n | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n // Determine AlertPriority based on ConfidenceScore\\n | extend AlertPriority = case(ConfidenceScore \u003e 82, \\\"High\\\",\\n ConfidenceScore \u003e 74, \\\"Medium\\\",\\n \\\"Low\\\")\\n // Exclude local addresses using the ipv4_is_private operator and filtering out specific address prefixes\\n | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \\\"fe80\\\" and TI_ipEntity !startswith \\\"::\\\" and TI_ipEntity !startswith \\\"127.\\\"\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n | where Active == true and ExpirationDateTime \u003e now();\\n// Perform a join between IP indicators and AppServiceHTTPLogs to identify potential malicious activity\\nIP_Indicators\\n // Use innerunique to keep performance fast and result set low, as we only need one match to indicate potential malicious activity that needs investigation\\n | join kind=innerunique (\\n AppServiceHTTPLogs | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(CIp)\\n | extend WebApp = split(_ResourceId, \u0027/\u0027)[8]\\n | extend AppService_TimeGenerated = TimeGenerated // Rename time column for clarity\\n )\\n on $left.TI_ipEntity == $right.CIp\\n // Filter out logs that occurred after the expiration of the corresponding indicator\\n | where AppService_TimeGenerated \u003c ExpirationDateTime\\n // Group the results by IndicatorId and CIp, and keep the log entry with the latest timestamp\\n | summarize AppService_TimeGenerated = arg_max(AppService_TimeGenerated, *) by IndicatorId, CIp\\n // Select the desired output fields\\n | project AppService_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, CsUsername, WebApp = split(_ResourceId, \u0027/\u0027)[8], CIp, CsHost, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, _ResourceId, Type\\n // Extract hostname and DNS domain from the CsHost field\\n | extend HostName = tostring(split(CsHost, \u0027.\u0027, 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(CsHost, \u0027.\u0027), 1, -1), \u0027.\u0027))\\n // Rename the timestamp field\\n | extend timestamp = AppService_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"CsUsername\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"CIp\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"_ResourceId\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":null,\"alertDescriptionFormat\":null,\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":\"AlertPriority\"},\"tactics\":[\"CommandAndControl\"],\"displayName\":\"TI map IP entity to AppServiceHTTPLogs\",\"description\":\"Identifies a match in AppServiceHTTPLogs from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2024-07-09T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9a7f6651-801b-491c-a548-8b454b356eaa\",\"name\":\"9a7f6651-801b-491c-a548-8b454b356eaa\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZincOctober2022IOCs.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet file_path = (iocs | where Type =~ \\\"filepath\\\" | project IoC);\\nlet commandline = (iocs | where Type =~ \\\"commandline\\\" | project IoC);\\n(union isfuzzy=true \\n(DeviceNetworkEvents\\n| where InitiatingProcessFolderPath has_any (file_path) or InitiatingProcessCommandLine has_any (commandline)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, LocalIP, Type\\n| extend timestamp = TimeGenerated, HostEntity = DeviceName\\n),\\n(Event\\n| where Source =~ \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Image = EventDetail.[4].[\\\"#text\\\"], CommandLine = EventDetail.[10].[\\\"#text\\\"]\\n| where Image has_any (file_path) or CommandLine has_any (commandline)\\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, CommandLine, Image\\n| extend Type = strcat(Type, \\\": \\\", Source)\\n| extend timestamp = TimeGenerated, HostEntity = Computer , AccountEntity = UserName, ProcessEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1])\\n), \\n(DeviceProcessEvents\\n| where ( InitiatingProcessCommandLine has_any (file_path)) or ( InitiatingProcessCommandLine has_any (commandline)) or (InitiatingProcessFolderPath has_any (file_path)) or (InitiatingProcessFolderPath has_any (commandline)) or (FolderPath has_any (file_path)) or (FolderPath has_any (commandline))\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, FolderPath, Type\\n| extend timestamp = TimeGenerated, HostEntity = DeviceName , AccountEntity = InitiatingProcessAccountName, ProcessEntity = InitiatingProcessFileName\\n),\\n(DeviceFileEvents\\n| where (InitiatingProcessFolderPath has_any (file_path)) or (InitiatingProcessFolderPath has_any (commandline)) or (FolderPath has_any (file_path)) or (FolderPath has_any (commandline)) or ( InitiatingProcessCommandLine has_any (commandline)) or ( InitiatingProcessCommandLine has_any (file_path))\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RequestAccountName, RequestSourceIP, InitiatingProcessSHA256, FolderPath, Type\\n| extend timestamp = TimeGenerated, HostEntity = DeviceName , AccountEntity = RequestAccountName, ProcessEntity = InitiatingProcessFileName, AlgorithmEntity = \\\"SHA256\\\", FileHashEntity = InitiatingProcessSHA256\\n),\\n(DeviceEvents\\n| where ( InitiatingProcessCommandLine has_any (file_path)) or ( InitiatingProcessCommandLine has_any (commandline)) or (InitiatingProcessFolderPath has_any (file_path)) or (InitiatingProcessFolderPath has_any (commandline)) or (FolderPath has_any (file_path)) or (FolderPath has_any (commandline))\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, FolderPath, Type\\n| extend CommandLine = InitiatingProcessCommandLine\\n| extend timestamp = TimeGenerated, HostEntity = DeviceName , AccountEntity = InitiatingProcessAccountName, ProcessEntity = InitiatingProcessFileName\\n),\\n(SecurityEvent\\n| where EventID == 4688\\n| where ( CommandLine has_any (file_path)) or ( CommandLine has_any (commandline)) or (NewProcessName has_any (file_path)) or (NewProcessName has_any (commandline)) or (ParentProcessName has_any (file_path)) or (ParentProcessName has_any (commandline))\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type\\n| extend timestamp = TimeGenerated, HostEntity = Computer , AccountEntity = Account, ProcessEntity = NewProcessName\\n)\\n)\\n| extend HostName = tostring(split(HostEntity, \u0027.\u0027, 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(HostEntity, \u0027.\u0027), 1, -1), \u0027.\u0027))\\n| extend Name = tostring(split(AccountEntity, \u0027@\u0027, 0)[0]), UPNSuffix = tostring(split(AccountEntity, \u0027@\u0027, 1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"RemoteIP\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Zinc Actor IOCs files - October 2022\",\"description\":\"Identifies a match across filename and commandline IOC\u0027s related to an actor tracked by Microsoft as Zinc.\\nReference: https://www.microsoft.com/security/blog/2022/09/29/zinc-weaponizing-open-source-software/\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2022-09-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceFileEvents\",\"DeviceEvents\",\"DeviceProcessEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4b93c5af-d20b-4236-b696-a28b8c51407f\",\"name\":\"4b93c5af-d20b-4236-b696-a28b8c51407f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1DT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.2\",\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\nlet spanoftime = 10m;\\nlet threshold = 0;\\n(union isfuzzy=true\\n (SecurityEvent\\n | where TimeGenerated \u003e ago(timeframe+spanoftime)\\n // A user account was created\\n | where EventID == 4720\\n | where AccountType =~ \\\"User\\\"\\n | project creationTime = TimeGenerated, CreateEventID = EventID, CreateActivity = Activity, Computer = toupper(Computer), \\n TargetAccount = tolower(TargetAccount), TargetUserName, TargetDomainName, TargetSid, \\n AccountUsedToCreate = SubjectAccount, CreatedBySubjectUserName = SubjectUserName, CreatedBySubjectDomainName = SubjectDomainName, SIDofAccountUsedToCreate = SubjectUserSid, UserPrincipalName\\n ),\\n (\\n WindowsEvent\\n | where TimeGenerated \u003e ago(timeframe+spanoftime)\\n // A user account was created\\n | where EventID == 4720\\n | extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n | extend AccountType=case(EventData.SubjectUserName endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n | where AccountType =~ \\\"User\\\"\\n | extend SubjectAccount = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n | extend SubjectDomainName = tostring(EventData.SubjectDomainName), SubjectUserName = tostring(EventData.SubjectUserName)\\n | extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n | extend TargetSid = tostring(EventData.TargetSid)\\n | extend UserPrincipalName = tostring(EventData.UserPrincipalName)\\n | extend Activity = \\\"4720 - A user account was created.\\\"\\n | extend TargetUserName = tostring(EventData.TargetUserName), TargetDomainName = tostring(EventData.TargetDomainName) \\n | project creationTime = TimeGenerated, CreateEventID = EventID, CreateActivity = Activity, Computer = toupper(Computer), \\n TargetAccount = tolower(TargetAccount), TargetUserName, TargetDomainName, TargetSid, \\n AccountUsedToCreate = SubjectAccount, CreatedBySubjectUserName = SubjectUserName, CreatedBySubjectDomainName = SubjectDomainName, SIDofAccountUsedToCreate = SubjectUserSid, UserPrincipalName\\n )\\n )\\n| join kind = inner \\n(\\n (union isfuzzy=true\\n (SecurityEvent\\n | where TimeGenerated \u003e ago(timeframe)\\n // A user account was deleted\\n | where EventID == 4726\\n | where AccountType == \\\"User\\\"\\n | project deletionTime = TimeGenerated, DeleteEventID = EventID, DeleteActivity = Activity, Computer = toupper(Computer), \\n TargetAccount = tolower(TargetAccount), TargetUserName, TargetDomainName, TargetSid, \\n AccountUsedToDelete = SubjectAccount, DeletedBySubjectUserName = SubjectUserName, DeletedBySubjectDomainName = SubjectDomainName, SIDofAccountUsedToDelete = SubjectUserSid, UserPrincipalName\\n ),\\n (WindowsEvent\\n | where TimeGenerated \u003e ago(timeframe)\\n // A user account was deleted\\n | where EventID == 4726\\n | extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n | extend SubjectAccount = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n | extend AccountType=case(SubjectAccount endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n | where AccountType == \\\"User\\\"\\n | extend SubjectDomainName = tostring(EventData.SubjectDomainName), SubjectUserName = tostring(EventData.SubjectUserName)\\n | extend TargetSid = tostring(EventData.TargetSid)\\n | extend UserPrincipalName = tostring(EventData.UserPrincipalName)\\n | extend Activity = \\\"4726 - A user account was deleted.\\\"\\n | extend TargetUserName = tostring(EventData.TargetUserName), TargetDomainName = tostring(EventData.TargetDomainName) \\n | extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n | project deletionTime = TimeGenerated, DeleteEventID = EventID, DeleteActivity = Activity, Computer = toupper(Computer), \\n TargetAccount = tolower(TargetAccount), TargetUserName, TargetDomainName, TargetSid, \\n AccountUsedToDelete = SubjectAccount, DeletedBySubjectUserName = SubjectUserName, DeletedBySubjectDomainName = SubjectDomainName, SIDofAccountUsedToDelete = SubjectUserSid, UserPrincipalName\\n )\\n )\\n) on Computer, TargetAccount\\n| where deletionTime - creationTime \u003c spanoftime\\n| extend TimeDelta = deletionTime - creationTime\\n| where tolong(TimeDelta) \u003e= threshold\\n| project TimeDelta, creationTime, CreateEventID, CreateActivity, Computer, TargetAccount, TargetSid, UserPrincipalName, AccountUsedToCreate, SIDofAccountUsedToCreate,\\ndeletionTime, DeleteEventID, DeleteActivity, AccountUsedToDelete, SIDofAccountUsedToDelete, TargetUserName, TargetDomainName, \\nCreatedBySubjectUserName, CreatedBySubjectDomainName, DeletedBySubjectUserName, DeletedBySubjectDomainName\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| project-away DomainIndex\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountUsedToCreate\"},{\"identifier\":\"Name\",\"columnName\":\"CreatedBySubjectUserName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"CreatedBySubjectDomainName\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountUsedToDelete\"},{\"identifier\":\"Name\",\"columnName\":\"DeletedBySubjectUserName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"DeletedBySubjectDomainName\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetAccount\"},{\"identifier\":\"Name\",\"columnName\":\"TargetUserName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"TargetDomainName\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Sid\",\"columnName\":\"TargetSid\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"User account created and deleted within 10 mins\",\"description\":\"Identifies when a user account is created and then deleted within 10 minutes. This can be an indication of compromise and an adversary attempting to hide in the noise.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a172107d-794c-48c0-bc26-d3349fe10b4d\",\"name\":\"a172107d-794c-48c0-bc26-d3349fe10b4d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT12H\",\"queryPeriod\":\"PT12H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Dev-0530_July2022.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\nlet IPList = (iocs | where Type =~ \\\"ip\\\"| project IoC);\\n(union isfuzzy=true \\n(DeviceProcessEvents\\n| where InitiatingProcessSHA256 in (sha256Hashes) or SHA256 in (sha256Hashes) or ( InitiatingProcessCommandLine has (\u0027cmd.exe /Q /c schtasks /create /tn lockertask /tr\u0027) \\nand InitiatingProcessCommandLine has (\u0027sc minute /mo 1 /F /ru system\u0027))\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type, AccountName, SHA256\\n| extend Account = AccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = case(InitiatingProcessSHA256 in (sha256Hashes), \\\"InitiatingProcessSHA256\\\", SHA256 in (sha256Hashes), \\\"SHA256\\\", \\\"No Match\\\")\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = case(FileHash == \\\"InitiatingProcessSHA256\\\", InitiatingProcessSHA256, FileHash == \\\"SHA256\\\", SHA256, \\\"No Match\\\")\\n),\\n( SecurityEvent\\n| where EventID == 4688\\n| where ( CommandLine has (\u0027cmd.exe /Q /c schtasks /create /tn lockertask /tr\u0027) and CommandLine has (\u0027/sc minute /mo 1 /F /ru system\u0027))\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type, EventID, CommandLine\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName\\n),\\n( imFileEvent\\n| where Hash in~ (sha256Hashes) or ( ActingProcessCommandLine has (\u0027cmd.exe /Q /c schtasks /create /tn lockertask /tr\u0027) and ActingProcessCommandLine has (\u0027/sc minute /mo 1 /F /ru system\u0027))\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, FileHashCustomEntity = FileHash\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Image = EventDetail.[4].[\\\"#text\\\"], CommandLine = EventDetail.[10].[\\\"#text\\\"], Hashes = tostring(EventDetail.[17].[\\\"#text\\\"])\\n| extend Hashes = extract_all(@\\\"(?P\u003ckey\u003e\\\\w+)=(?P\u003cvalue\u003e[a-zA-Z0-9]+)\\\", dynamic([\\\"key\\\",\\\"value\\\"]), Hashes)\\n| extend Hashes = column_ifexists(\\\"Hashes\\\", \\\"\\\"), CommandLine = column_ifexists(\\\"CommandLine\\\", \\\"\\\")\\n| extend Hashes = todynamic(Hashes) | mv-expand Hashes\\n| where Hashes[0] =~ \\\"SHA256\\\"\\n| where (Hashes[1] has_any (sha256Hashes)) or ( CommandLine has (\u0027cmd.exe /Q /c schtasks /create /tn lockertask /tr\u0027) and CommandLine has (\u0027/sc minute /mo 1 /F /ru system\u0027)) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, Hashes, CommandLine, Image\\n| extend Type = strcat(Type, \\\": \\\", Source)\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), FileHashCustomEntity = tostring(Hashes[1])\\n),\\n(DeviceFileEvents\\n| where SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n),\\n(EmailEvents\\n| where SenderFromAddress == \u0027H0lyGh0st@mail2tor.com\u0027\\n| extend timestamp = TimeGenerated, IPCustomEntity = SenderIPv4, AccountCustomEntity = SenderFromAddress \\n),\\n(CommonSecurityLog \\n| where isnotempty(SourceIP) or isnotempty(DestinationIP) \\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList) or FileHash in (sha256Hashes)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"Message\\\") \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch , FileHash\\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\"), FileHashCustomEntity = FileHash\\n), \\n(OfficeActivity \\n|extend SourceIPAddress = ClientIP, Account = UserId \\n| where SourceIPAddress in (IPList) \\n| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account \\n),\\n(SigninLogs \\n| where isnotempty(IPAddress) \\n| where IPAddress in (IPList) \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \\n),\\n(AADNonInteractiveUserSignInLogs \\n| where isnotempty(IPAddress) \\n| where IPAddress in (IPList) \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \\n), \\n(W3CIISLog \\n| where isnotempty(cIP) \\n| where cIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName \\n), \\n(AzureActivity \\n| where isnotempty(CallerIpAddress) \\n| where CallerIpAddress in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller \\n), \\n( \\nAWSCloudTrail \\n| where isnotempty(SourceIpAddress) \\n| where SourceIpAddress in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName \\n), \\n( \\nDeviceNetworkEvents \\n| where isnotempty(RemoteIP) \\n| where RemoteIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName \\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallNetworkRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n),\\n(\\nAZFWApplicationRule\\n| where Fqdn has_any (IPList)\\n| extend IPCustomEntity = SourceIp\\n),\\n(\\nAZFWNetworkRule\\n| where DestinationIp has_any (IPList)\\n| extend IPCustomEntity = SourceIp\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"[Deprecated] - Dev-0530 IOC - July 2022\",\"description\":\"This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft\u0027s Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2022-07-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\",\"DeviceProcessEvents\",\"DeviceNetworkEvents\",\"EmailEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\",\"AZFWApplicationRule\",\"AZFWNetworkRule\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2bc7b4ae-eeaa-4538-ba15-ef298ec1ffae\",\"name\":\"2bc7b4ae-eeaa-4538-ba15-ef298ec1ffae\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n| where EventID == 4656\\n| extend EventData = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, TargetAccount, Computer, EventSourceName, Channel, Task, Level, EventID, Activity, TargetLogonId, SourceComputerId, EventOriginId, Type, _ResourceId, TenantId, SourceSystem, ManagementGroupName, IpAddress, Account)\\n| extend ObjectServer = column_ifexists(\u0027ObjectServer\u0027, \\\"\\\"), ObjectType = column_ifexists(\u0027ObjectType\u0027, \\\"\\\"), ObjectName = column_ifexists(\u0027ObjectName\u0027, \\\"\\\")\\n| where isnotempty(ObjectServer) and isnotempty(ObjectType) and isnotempty(ObjectName)\\n| where ObjectServer =~ \\\"SC Manager\\\" and ObjectType =~ \\\"SERVICE OBJECT\\\" and ObjectName =~ \\\"HealthService\\\"\\n// Comment out the join below if the SACL only audits users that are part of the Network logon users, i.e. with user/group target pointing to \\\"NU.\\\"\\n| join kind=leftouter (\\n SecurityEvent\\n | where EventID == 4624\\n) on TargetLogonId\\n| project TimeGenerated, Computer, Account, TargetAccount, IpAddress,TargetLogonId, ObjectServer, ObjectType, ObjectName\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| extend AccountName = tostring(split(TargetAccount, @\u0027\\\\\u0027)[1]), AccountNTDomain = tostring(split(TargetAccount, @\u0027\\\\\u0027)[0])\\n| extend timestamp = TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetAccount\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Starting or Stopping HealthService to Avoid Detection\",\"description\":\"This query detects events where an actor is stopping or starting HealthService to disable telemetry collection/detection from the agent.\\n The query requires a SACL to audit for access request to the service.\",\"lastUpdatedDateUTC\":\"2024-03-13T00:00:00Z\",\"createdDateUTC\":\"2021-03-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c87fb346-ea3a-4c64-ba92-3dd383e0f0b5\",\"name\":\"c87fb346-ea3a-4c64-ba92-3dd383e0f0b5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"High\",\"query\":\"let DomainNames = \\\"miniodaum.ml\\\";\\nlet SHA256Hash = dynamic ([\\\"53f5773bbfbfbee660989d135c042c9f6f69024b9a4b65bdc0dfd44771762257\\\", \\\"0897c80df8b80b4c49bf1ccf876f5f782849608b830c3b5cb3ad212dc3e19eff\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where isnotempty(FileHash)\\n| where FileHash in (SHA256Hash) or DNSName =~ DomainNames\\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n),\\n (_Im_Dns (domain_has_any=DomainNames)\\n| extend DNSName = DnsQuery \\n| extend IPAddress = SrcIpAddr, Computer = Dvc\\n), \\n(_Im_WebSession(url_has_any=DomainNames) \\n| extend DNSName = tostring(parse_url(Url)[\\\"Host\\\"])\\n| extend IPAddress = SrcIpAddr, Account=User\\n),\\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where isnotempty(DNSName)\\n| where DNSName =~ DomainNames\\n| extend IPAddress = RemoteIp\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallNetworkRule\\\"\\n| where msg_s has_any (DomainNames)\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePortInt:int \\\" to \\\" TargetIP \\\":\\\" TargetPortInt:int *\\n| parse kind=regex flags=U msg_s with * \\\". Action\\\\\\\\: \\\" Action1a \\\"\\\\\\\\.\\\"\\n| parse msg_s with * \\\". Policy: \\\" Policy \\\". Rule Collection Group: \\\" RuleCollectionGroup \\\".\\\" *\\n| parse msg_s with * \\\" Rule Collection: \\\" RuleCollection \\\". Rule: \\\" Rule \\n| extend IPCustomEntity = SourceIP\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| where msg_s has_any (DomainNames)\\n| parse msg_s with \\\"DNS Request: \\\" SourceIP \\\":\\\" SourcePortInt:int \\\" - \\\" QueryID:int \\\" \\\" RequestType \\\" \\\" RequestClass \\\" \\\" hostname \\\". \\\" protocol \\\" \\\" details\\n| extend\\n ResponseDuration = extract(\\\"[0-9]*.?[0-9]+s$\\\", 0, msg_s),\\n SourcePort = tostring(SourcePortInt),\\n QueryID = tostring(QueryID)\\n| project TimeGenerated,SourceIP,hostname,RequestType,ResponseDuration,details,msg_s\\n| order by TimeGenerated\\n| extend IPCustomEntity = SourceIP\\n),\\n(AZFWApplicationRule\\n| where Fqdn has_any (DomainNames)\\n| extend IPCustomEntity = SourceIp\\n),\\n(AZFWDnsQuery\\n| where isnotempty(QueryName)\\n| where QueryName has_any (DomainNames)\\n| extend DNSName = QueryName\\n| extend IPCustomEntity = SourceIp\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"CredentialAccess\"],\"displayName\":\"[Deprecated] - Known Ruby Sleet domains and hashes\",\"description\":\"This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft\u0027s Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2020-10-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\",\"AZFWApplicationRule\",\"AZFWDnsQuery\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d5b32cd4-2328-43da-ab47-cd289c1f5efc\",\"name\":\"d5b32cd4-2328-43da-ab47-cd289c1f5efc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.2\",\"severity\":\"Low\",\"query\":\"DnsEvents\\n| where Name contains \\\".\\\"\\n| where Name has_any (\\\"monerohash.com\\\", \\\"do-dear.com\\\", \\\"xmrminerpro.com\\\", \\\"secumine.net\\\", \\\"xmrpool.com\\\", \\\"minexmr.org\\\", \\\"hashanywhere.com\\\",\\n\\\"xmrget.com\\\", \\\"mininglottery.eu\\\", \\\"minergate.com\\\", \\\"moriaxmr.com\\\", \\\"multipooler.com\\\", \\\"moneropools.com\\\", \\\"xmrpool.eu\\\", \\\"coolmining.club\\\",\\n\\\"supportxmr.com\\\", \\\"minexmr.com\\\", \\\"hashvault.pro\\\", \\\"xmrpool.net\\\", \\\"crypto-pool.fr\\\", \\\"xmr.pt\\\", \\\"miner.rocks\\\", \\\"walpool.com\\\", \\\"herominers.com\\\",\\n\\\"gntl.co.uk\\\", \\\"semipool.com\\\", \\\"coinfoundry.org\\\", \\\"cryptoknight.cc\\\", \\\"fairhash.org\\\", \\\"baikalmine.com\\\", \\\"tubepool.xyz\\\", \\\"fairpool.xyz\\\", \\\"asiapool.io\\\",\\n\\\"coinpoolit.webhop.me\\\", \\\"nanopool.org\\\", \\\"moneropool.com\\\", \\\"miner.center\\\", \\\"prohash.net\\\", \\\"poolto.be\\\", \\\"cryptoescrow.eu\\\", \\\"monerominers.net\\\", \\\"cryptonotepool.org\\\",\\n\\\"extrmepool.org\\\", \\\"webcoin.me\\\", \\\"kippo.eu\\\", \\\"hashinvest.ws\\\", \\\"monero.farm\\\", \\\"supportxmr.com\\\", \\\"xmrpool.eu\\\", \\\"linux-repository-updates.com\\\", \\\"1gh.com\\\",\\n\\\"dwarfpool.com\\\", \\\"hash-to-coins.com\\\", \\\"hashvault.pro\\\", \\\"pool-proxy.com\\\", \\\"hashfor.cash\\\", \\\"fairpool.cloud\\\", \\\"litecoinpool.org\\\", \\\"mineshaft.ml\\\", \\\"abcxyz.stream\\\",\\n\\\"moneropool.ru\\\", \\\"cryptonotepool.org.uk\\\", \\\"extremepool.org\\\", \\\"extremehash.com\\\", \\\"hashinvest.net\\\", \\\"unipool.pro\\\", \\\"crypto-pools.org\\\", \\\"monero.net\\\",\\n\\\"backup-pool.com\\\", \\\"mooo.com\\\", \\\"freeyy.me\\\", \\\"cryptonight.net\\\", \\\"shscrypto.net\\\")\\n| extend HostName = iff(Computer has \u0027.\u0027, substring(Computer,0,indexof(Computer,\u0027.\u0027)),Computer)\\n| extend DnsDomain = iff(Computer has \u0027.\u0027, substring(Computer,indexof(Computer,\u0027.\u0027)+1),\\\"\\\")\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"NRT DNS events related to mining pools\",\"description\":\"Identifies IP addresses that may be performing DNS lookups associated with common currency mining pools.\",\"lastUpdatedDateUTC\":\"2024-03-13T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0dd422ee-e6af-4204-b219-f59ac172e4c6\",\"name\":\"0dd422ee-e6af-4204-b219-f59ac172e4c6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"ThreatIntelligence\",\"properties\":{\"severity\":\"Medium\",\"tactics\":[\"Persistence\",\"LateralMovement\"],\"displayName\":\"(Preview) Microsoft Defender Threat Intelligence Analytics\",\"description\":\"This rule generates an alert when a Microsoft Defender Threat Intelligence Indicator gets matched with your event logs. The alerts are very high fidelity.\",\"lastUpdatedDateUTC\":\"2023-03-15T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a35f2c18-1b97-458f-ad26-e033af18eb99\",\"name\":\"a35f2c18-1b97-458f-ad26-e033af18eb99\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.8\",\"severity\":\"Low\",\"query\":\"// For AD SID mappings - https://docs.microsoft.com/windows/security/identity-protection/access-control/active-directory-security-groups\\nlet WellKnownLocalSID = \\\"S-1-5-32-5[0-9][0-9]$\\\";\\nlet WellKnownGroupSID = \\\"S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\\\";\\nunion isfuzzy=true\\n(\\nSecurityEvent\\n// 4728 - A member was added to a security-enabled global group\\n// 4732 - A member was added to a security-enabled local group\\n// 4756 - A member was added to a security-enabled universal group\\n| where EventID in (4728, 4732, 4756)\\n| where AccountType == \\\"User\\\"\\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID\\n// Exclude Remote Desktop Users group: S-1-5-32-555\\n| where TargetSid !in (\\\"S-1-5-32-555\\\")\\n| extend SimpleMemberName = iff(MemberName == \\\"-\\\", MemberName, substring(MemberName, 3, indexof_regex(MemberName, @\\\",OU|,CN\\\") - 3))\\n| project TimeGenerated, EventID, Activity, Computer, SimpleMemberName, MemberName, MemberSid, TargetAccount, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, \\nSubjectAccount, SubjectUserName, SubjectDomainName, SubjectUserSid\\n),\\n(\\nWindowsEvent\\n// 4728 - A member was added to a security-enabled global group\\n// 4732 - A member was added to a security-enabled local group\\n// 4756 - A member was added to a security-enabled universal group\\n| where EventID in (4728, 4732, 4756) and not(EventData has \\\"S-1-5-32-555\\\")\\n| extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend AccountType=case(Account endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n| extend MemberName = tostring(EventData.MemberName)\\n| where AccountType == \\\"User\\\"\\n| extend TargetSid = tostring(EventData.TargetSid)\\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID\\n// Exclude Remote Desktop Users group: S-1-5-32-555\\n| where TargetSid !in (\\\"S-1-5-32-555\\\")\\n| extend SimpleMemberName = iff(MemberName == \\\"-\\\", MemberName, substring(MemberName, 3, indexof_regex(MemberName, @\\\",OU|,CN\\\") - 3))\\n| extend MemberSid = tostring(EventData.MemberSid)\\n| extend TargetUserName = tostring(EventData.TargetUserName), TargetDomainName = tostring(EventData.TargetDomainName), \\nTargetAccount = strcat(tostring(EventData.TargetDomainName),\\\"\\\\\\\\\\\", tostring(EventData.TargetUserName))\\n| extend UserPrincipalName = tostring(EventData.UserPrincipalName)\\n| extend SubjectUserName = tostring(EventData.SubjectUserName), SubjectDomainName = tostring(EventData.SubjectDomainName), \\nSubjectAccount = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| project TimeGenerated, EventID, Computer, SimpleMemberName, MemberName, MemberSid, TargetAccount, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, \\nSubjectAccount, SubjectUserName, SubjectDomainName, SubjectUserSid\\n)\\n| extend GroupAddedMemberTo = TargetAccount, AddedByAccount = SubjectAccount, AddedByAccountName = SubjectUserName, AddedByAccountDomainName = SubjectDomainName, \\nAddedByAccountSid = SubjectUserSid, AddedMemberName = SimpleMemberName, AddedMemberSid = MemberSid\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| project-away DomainIndex\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SubjectAccount\"},{\"identifier\":\"Name\",\"columnName\":\"SubjectUserName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"SubjectDomainName\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Sid\",\"columnName\":\"SubjectUserSid\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"AddedMemberName\"},{\"identifier\":\"Sid\",\"columnName\":\"AddedMemberSid\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"User account added to built in domain local or global group\",\"description\":\"Identifies when a user account has been added to a privileged built in domain local group or global group such as the Enterprise Admins, Cert Publishers or DnsAdmins. Be sure to verify this is an expected addition.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1ff56009-db01-4615-8211-d4fda21da02d\",\"name\":\"1ff56009-db01-4615-8211-d4fda21da02d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"High\",\"query\":\"AuditLogs\\n| where Category =~ \\\"ApplicationManagement\\\" and LoggedByService =~ \\\"Core Directory\\\" and OperationName in~ (\\\"Add delegated permission grant\\\", \\\"Add app role assignment to service principal\\\")\\n| mv-apply TargetResource = TargetResources on\\n (\\n where TargetResource.type =~ \\\"ServicePrincipal\\\" and array_length(TargetResource.modifiedProperties) \u003e 0 and isnotnull(TargetResource.displayName)\\n | extend props = TargetResource.modifiedProperties\\n )\\n| mv-apply Property = props on\\n (\\n where Property.displayName in~ (\\\"AppRole.Value\\\",\\\"DelegatedPermissionGrant.Scope\\\")\\n | extend DisplayName = tostring(Property.displayName), PermissionGrant = trim(\u0027\\\"\u0027,tostring(Property.newValue))\\n )\\n| where PermissionGrant has \\\"RoleManagement.ReadWrite.Directory\\\"\\n| mv-apply Property = props on\\n (\\n where Property.displayName =~ \\\"ServicePrincipal.DisplayName\\\"\\n | extend TargetAppDisplayName = trim(\u0027\\\"\u0027,tostring(Property.newValue))\\n )\\n| mv-apply Property = props on\\n (\\n where Property.displayName =~ \\\"ServicePrincipal.ObjectID\\\"\\n | extend TargetAppServicePrincipalId = trim(\u0027\\\"\u0027,tostring(Property.newValue))\\n )\\n| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n| extend InitiatingIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\\n| project TimeGenerated, OperationName, Result, PermissionGrant, TargetAppDisplayName, TargetAppServicePrincipalId, InitiatingAppName, InitiatingAppServicePrincipalId,\\nInitiatingUserPrincipalName, InitiatingAadUserId, InitiatingIpAddress, TargetResources, AdditionalDetails, CorrelationId\\n| extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"TargetAppDisplayName\"},{\"identifier\":\"AadUserId\",\"columnName\":\"TargetAppServicePrincipalId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"InitiatingAppName\"},{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAppServicePrincipalId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatingAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatingAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIpAddress\"}]}],\"tactics\":[\"Persistence\",\"Impact\"],\"displayName\":\"Microsoft Entra ID Role Management Permission Grant\",\"description\":\"Identifies when the Microsoft Graph RoleManagement.ReadWrite.Directory (Delegated or Application) permission is granted to a service principal.\\nThis permission allows an application to read and manage the role-based access control (RBAC) settings for your company\u0027s directory.\\nAn adversary could use this permission to add an Microsoft Entra ID object to an Admin directory role and escalate privileges.\\nRef : https://docs.microsoft.com/graph/permissions-reference#role-management-permissions\\nRef : https://docs.microsoft.com/graph/api/directoryrole-post-members?view=graph-rest-1.0\u0026tabs=http\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2021-11-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/66276b14-32c5-4226-88e3-080dacc31ce1\",\"name\":\"66276b14-32c5-4226-88e3-080dacc31ce1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.3\",\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\nlet AccountAllowList = dynamic([\u0027SYSTEM\u0027]);\\nlet SubCategoryList = dynamic([\\\"Logoff\\\", \\\"Account Lockout\\\", \\\"User Account Management\\\", \\\"Authorization Policy Change\\\"]); // Add any Category in the list to be allowed or disallowed\\nlet tokens = dynamic([\\\"clear\\\", \\\"remove\\\", \\\"success:disable\\\",\\\"failure:disable\\\"]); \\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(timeframe)\\n//| where Process =~ \\\"auditpol.exe\\\" \\n| where CommandLine has_any (tokens)\\n| where AccountType !~ \\\"Machine\\\" and Account !in~ (AccountAllowList)\\n| parse CommandLine with * \\\"/subcategory:\\\" subcategorytoken\\n| extend SubCategory = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[1]) , Toggle = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[2])\\n| where SubCategory in~ (SubCategoryList) //use in~ for inclusion or !in~ for exclusion\\n| where Toggle !in~ (\\\"/failure:disable\\\", \\\" /success:enable /failure:disable\\\") // use this filter if required to exclude certain toggles\\n| project TimeGenerated, Computer, Account, SubjectDomainName, SubjectUserName, Process, ParentProcessName, CommandLine, SubCategory, Toggle\\n| extend timestamp = TimeGenerated, AccountName = SubjectUserName, AccountDomain = SubjectDomainName, DeviceName = Computer\\n),\\n(\\nDeviceProcessEvents\\n| where TimeGenerated \u003e= ago(timeframe)\\n// | where InitiatingProcessFileName =~ \\\"auditpol.exe\\\" \\n| where InitiatingProcessCommandLine has_any (tokens)\\n| where AccountName !in~ (AccountAllowList)\\n| parse InitiatingProcessCommandLine with * \\\"/subcategory:\\\" subcategorytoken\\n| extend SubCategory = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[1]) , Toggle = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[2])\\n| where SubCategory in~ (SubCategoryList) //use in~ for inclusion or !in~ for exclusion\\n| where Toggle !in~ (\\\"/failure:disable\\\", \\\" /success:enable /failure:disable\\\") // use this filter if required to exclude certain toggles\\n| project TimeGenerated, DeviceName, AccountName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessParentFileName, InitiatingProcessCommandLine, SubCategory, Toggle\\n| extend timestamp = TimeGenerated, AccountName = InitiatingProcessAccountName, AccountDomain = InitiatingProcessAccountDomain\\n),\\n(\\nEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key=tostring([\u0027@Name\u0027]), Value=[\u0027#text\u0027]\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n// | where OriginalFileName =~ \\\"auditpol.exe\\\"\\n| where CommandLine has_any (tokens)\\n| where User !in~ (AccountAllowList)\\n| parse CommandLine with * \\\"/subcategory:\\\" subcategorytoken\\n| extend SubCategory = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[1]) , Toggle = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[2])\\n| where SubCategory in~ (SubCategoryList) //use in~ for inclusion or !in~ for exclusion\\n| where Toggle !in~ (\\\"/failure:disable\\\", \\\" /success:enable /failure:disable\\\") // use this filter if required to exclude certain toggles\\n| project TimeGenerated, Computer, User, Process, ParentImage, CommandLine, SubCategory, Toggle\\n| extend timestamp = TimeGenerated, AccountName = tostring(split(User, @\u0027\\\\\u0027)[1]), AccountUPNSuffix = tostring(split(User, @\u0027\\\\\u0027)[0]), DeviceName = Computer\\n)\\n)\\n| extend Account = strcat(AccountDomain, \\\"\\\\\\\\\\\", AccountName)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"DeviceName\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"Audit policy manipulation using auditpol utility\",\"description\":\"This detects attempts to manipulate audit policies using auditpol command.\\nThis technique was seen in relation to Solorigate attack but the results can indicate potential malicious activity used in different attacks.\\nThe process name in each data source is commented out as an adversary could rename it. It is advisable to keep process name commented but if the results show unrelated false positives, users may want to uncomment it.\\nRefer to auditpol syntax: https://docs.microsoft.com/windows-server/administration/windows-commands/auditpol \\nRefer to our M365 blog for details on use during the Solorigate attack:\\nhttps://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6116dc19-475a-4148-84b2-efe89c073e27\",\"name\":\"6116dc19-475a-4148-84b2-efe89c073e27\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let threshold = 10;\\nQualysHostDetectionV2_CL\\n| extend Status = tostring(Status_s), Vulnerability = tostring(QID_s), Severity = tostring(Severity_s)\\n| where Status =~ \\\"New\\\" and Severity == \\\"5\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), dcount(NetBios_s) by tostring(QID_s)\\n| where dcount_NetBios_s \u003e= threshold\\n| extend timestamp = StartTime\",\"entityMappings\":[],\"tactics\":[\"InitialAccess\"],\"displayName\":\"New High Severity Vulnerability Detected Across Multiple Hosts\",\"description\":\"This creates an incident when a new high severity vulnerability is detected across multilple hosts\",\"lastUpdatedDateUTC\":\"2022-12-28T00:00:00Z\",\"createdDateUTC\":\"2020-06-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"QualysVulnerabilityManagement\",\"dataTypes\":[\"QualysHostDetection_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/39198934-62a0-4781-8416-a81265c03fd6\",\"name\":\"39198934-62a0-4781-8416-a81265c03fd6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"let detectionTime = 1d;\\nlet joinLookback = 14d;\\nAuditLogs\\n| where TimeGenerated \u003e ago(detectionTime)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Consent to application\\\"\\n| where TargetResources has \\\"offline\\\"\\n| mv-apply TargetResource = TargetResources on \\n (\\n where TargetResource.type =~ \\\"ServicePrincipal\\\"\\n | extend AppDisplayName = tostring(TargetResource.displayName),\\n AppClientId = tostring(TargetResource.id),\\n props = TargetResource.modifiedProperties\\n )\\n| where AppClientId !in ((externaldata(knownAppClientId:string, knownAppDisplayName:string)[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.OAuth.KnownApplications.csv\\\"] with (format=\\\"csv\\\")))\\n| mv-apply ConsentFull = props on \\n (\\n where ConsentFull.displayName =~ \\\"ConsentAction.Permissions\\\"\\n )\\n| parse ConsentFull with * \\\"ConsentType: \\\" GrantConsentType \\\", Scope: \\\" GrantScope1 \\\"]\\\" *\\n| where ConsentFull has_all (\\\"user.read\\\", \\\"offline_access\\\", \\\"mail.readwrite\\\", \\\"mail.send\\\", \\\"files.read.all\\\")\\n| where GrantConsentType != \\\"AllPrincipals\\\" // NOTE: we are ignoring if OAuth application was granted to all users via an admin - but admin due diligence should be audited occasionally\\n| extend GrantInitiatedByAppName = tostring(InitiatedBy.app.displayName)\\n| extend GrantInitiatedByAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n| extend GrantInitiatedByUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n| extend GrantInitiatedByAadUserId = tostring(InitiatedBy.user.id)\\n| extend GrantIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n| extend GrantInitiatedBy = iff(isnotempty(GrantInitiatedByUserPrincipalName), GrantInitiatedByUserPrincipalName, GrantInitiatedByAppName)\\n| mv-apply AdditionalDetail = AdditionalDetails on \\n (\\n where AdditionalDetail.key =~ \\\"User-Agent\\\"\\n | extend GrantUserAgent = AdditionalDetail.value\\n )\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, GrantInitiatedByUserPrincipalName, GrantInitiatedByAadUserId, GrantInitiatedByAppName, GrantInitiatedByAppServicePrincipalId, GrantIpAddress, GrantUserAgent, AppClientId, OperationName, ConsentFull, CorrelationId\\n| join kind = leftouter (AuditLogs\\n| where TimeGenerated \u003e ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add service principal\\\"\\n | mv-apply TargetResource = TargetResources on \\n (\\n where TargetResource.type =~ \\\"ServicePrincipal\\\"\\n | extend props = TargetResource.modifiedProperties,\\n AppClientId = tostring(TargetResource.id)\\n )\\n | mv-apply Property = props on \\n (\\n where Property.displayName =~ \\\"AppAddress\\\" and Property.newValue has \\\"AddressType\\\"\\n | extend AppReplyURLs = trim(\u0027\\\"\u0027,tostring(Property.newValue))\\n )\\n| distinct AppClientId, tostring(AppReplyURLs)\\n)\\non AppClientId\\n| join kind = innerunique (AuditLogs\\n| where TimeGenerated \u003e ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add OAuth2PermissionGrant\\\" or OperationName =~ \\\"Add delegated permission grant\\\"\\n | mv-apply TargetResource = TargetResources on \\n (\\n where TargetResource.type =~ \\\"ServicePrincipal\\\" and array_length(TargetResource.modifiedProperties) \u003e 0 and isnotnull(TargetResource.displayName)\\n | extend GrantAuthentication = tostring(TargetResource.displayName)\\n )\\n| extend GrantOperation = OperationName\\n| project GrantAuthentication, GrantOperation, CorrelationId\\n) on CorrelationId\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantInitiatedByUserPrincipalName, GrantInitiatedByAadUserId, GrantInitiatedByAppName, GrantInitiatedByAppServicePrincipalId, GrantIpAddress, GrantUserAgent, AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull\\n| extend timestamp = TimeGenerated, Name = tostring(split(GrantInitiatedByUserPrincipalName,\u0027@\u0027,0)[0]), UPNSuffix = tostring(split(GrantInitiatedByUserPrincipalName,\u0027@\u0027,1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"GrantInitiatedByUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"GrantInitiatedByAadUserId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"GrantInitiatedByAppServicePrincipalId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"GrantIpAddress\"}]}],\"tactics\":[\"CredentialAccess\",\"DefenseEvasion\"],\"displayName\":\"Suspicious application consent similar to PwnAuth\",\"description\":\"This will alert when a user consents to provide a previously-unknown Azure application with the same OAuth permissions used by the FireEye PwnAuth toolkit (https://github.com/fireeye/PwnAuth).\\nThe default permissions/scope for the PwnAuth toolkit are user.read, offline_access, mail.readwrite, mail.send, and files.read.all.\\nConsent to applications with these permissions should be rare, especially as the knownApplications list is expanded. Public contributions to expand this filter are welcome!\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2024-01-08T00:00:00Z\",\"createdDateUTC\":\"2020-06-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/29a29e5d-354e-4f5e-8321-8b39d25047bf\",\"name\":\"29a29e5d-354e-4f5e-8321-8b39d25047bf\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.3\",\"severity\":\"High\",\"query\":\"let files1 = dynamic([\\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\lsa.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\pa.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\pc.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\Rar.exe\\\"]);\\nlet files2 = dynamic([\\\"svchost.exe\\\",\\\"wdmsvc.exe\\\"]);\\nlet FileHash1 = dynamic([\\\"43109fbe8b752f7a9076eaafa417d9ae5c6e827cd5374b866672263fdebd5ec3\\\", \\\"ab50d8d707b97712178a92bbac74ccc2a5699eb41c17aa77f713ff3e568dcedb\\\", \\\"010e32be0f86545e116a8bc3381a8428933eb8789f32c261c81fd5e7857d4a77\\\", \\\"56cd102b9fc7f3523dad01d632525ff673259dbc9a091be0feff333c931574f7\\\"]);\\nlet FileHash2 = dynamic([\\\"2a1044e9e6e87a032f80c6d9ea6ae61bbbb053c0a21b186ecb3b812b49eb03b7\\\", \\\"9ab7e99ed84f94a7b6409b87e56dc6e1143b05034a5e4455e8c555dbbcd0d2dd\\\", \\\"18a072ccfab239e140d8f682e2874e8ff19d94311fc8bb9564043d3e0deda54b\\\"]);\\nimProcessCreate\\n| where ((Process has_any (files1)) and (ActingProcessSHA256 has_any (FileHash1))) or ((Process has_any (files2)) and (ActingProcessSHA256 has_any (FileHash2)))\\n// Increase risk score if recent alerts for the host\\n| join kind=leftouter (\\n SecurityAlert\\n | where ProviderName =~ \\\"MDATP\\\"\\n | extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n | mv-expand todynamic(Entities)\\n | extend DvcId = tostring(parse_json(Entities).MdatpDeviceId)\\n | where isnotempty(DvcId)\\n // Higher risk score are for Defender alerts related to threat actor\\n | extend AlertRiskScore = iif(ThreatName has_any (\\\"Backdoor:MSIL/ShellClient.A\\\", \\\"Backdoor:MSIL/ShellClient.A!dll\\\", \\\"Trojan:MSIL/Mimikatz.BA!MTB\\\"), 1.0, 0.5)\\n | project DvcId, AlertRiskScore) \\n on DvcId\\n| extend AlertRiskScore = iif(isempty(AlertRiskScore), 0.0, AlertRiskScore)\\n| extend AccountName = tostring(split(ActorUsername, @\u0027\\\\\u0027)[1]), AccountNTDomain = tostring(split(ActorUsername, @\u0027\\\\\u0027)[0])\\n| extend HostName = tostring(split(Dvc, \\\".\\\")[0]), DomainIndex = toint(indexof(Dvc, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Dvc, DomainIndex + 1), Dvc)\\n| project-away DomainIndex\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ActorUsername\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Dvc\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"ActingProcessFilename\"}]}],\"tactics\":[\"CredentialAccess\",\"Execution\"],\"displayName\":\"Dev-0228 File Path Hashes November 2021 (ASIM Version)\",\"description\":\"This hunting query looks for file paths/hashes related to observed activity by Dev-0228. The actor is known to use custom version of popular tool like PsExec, Procdump etc. to carry its activity.\\n The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first.\\n This query uses the Microsoft Sentinel Information Model - https://docs.microsoft.com/azure/sentinel/normalization\",\"lastUpdatedDateUTC\":\"2024-03-04T00:00:00Z\",\"createdDateUTC\":\"2021-11-18T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0a3f4f4f-46ad-4562-acd6-f17730a5aef4\",\"name\":\"0a3f4f4f-46ad-4562-acd6-f17730a5aef4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT12H\",\"queryPeriod\":\"PT12H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"High\",\"query\":\"(union isfuzzy=true\\n(SecurityEvent\\n| where EventID==4688\\n| where CommandLine has_any (\\\"New-Mailbox\\\",\\\"Update-RoleGroupMember\\\") and CommandLine has \\\"HealthMailbox55x2yq\\\"\\n| project TimeGenerated, DeviceName = Computer, AccountName = SubjectUserName, AccountDomain = SubjectDomainName, ProcessName, ProcessNameFullPath = NewProcessName, EventID, Activity, CommandLine, EventSourceName, Type\\n| extend InitiatingProcessAccount = strcat(AccountDomain, \\\"\\\\\\\\\\\", AccountName)\\n),\\n(DeviceProcessEvents\\n| where ProcessCommandLine has_any (\\\"New-Mailbox\\\",\\\"Update-RoleGroupMember\\\") and ProcessCommandLine has \\\"HealthMailbox55x2yq\\\"\\n| extend timestamp = TimeGenerated, AccountDomain = InitiatingProcessAccountDomain, AccountName = InitiatingProcessAccountName\\n| extend InitiatingProcessAccount = strcat(AccountDomain, \\\"\\\\\\\\\\\", AccountName)\\n)\\n)\\n| extend HostName = tostring(split(DeviceName, \\\".\\\")[0]), DomainIndex = toint(indexof(DeviceName, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(DeviceName, DomainIndex + 1), DeviceName)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingProcessAccount\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DeviceName\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Unusual identity creation using exchange powershell\",\"description\":\" The query below identifies creation of unusual identity by the Europium actor to mimic Microsoft Exchange Health Manager Service account using Exchange PowerShell commands\\n Reference: https://www.microsoft.com/security/blog/2022/09/08/microsoft-investigates-iranian-attacks-against-the-albanian-government/\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2022-09-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f71aba3d-28fb-450b-b192-4e76a83015c8\",\"name\":\"f71aba3d-28fb-450b-b192-4e76a83015c8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Fusion\",\"properties\":{\"severity\":\"High\",\"tactics\":[\"Collection\",\"CommandAndControl\",\"CredentialAccess\",\"DefenseEvasion\",\"Discovery\",\"Execution\",\"Exfiltration\",\"Impact\",\"InitialAccess\",\"LateralMovement\",\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Advanced Multistage Attack Detection\",\"description\":\"Microsoft Sentinel uses Fusion, a correlation engine based on scalable machine learning algorithms, to automatically detect multistage attacks by identifying combinations of anomalous behaviors and suspicious activities that are observed at various stages of the kill chain. On the basis of these discoveries, Azure Sentinel generates incidents that would otherwise be very difficult to catch. By design, these incidents are low-volume, high-fidelity, and high-severity, which is why this detection is turned ON by default.\\n\\nSince Fusion correlates multiple signals from various products to detect advanced multistage attacks, successful Fusion detections are presented as Fusion incidents on the Microsoft Sentinel Incidents page. This rule covers the following detections:\\n- Fusion for emerging threats\\n- Fusion for ransomware\\n- Scenario-based Fusion detections (122 scenarios)\\n\\nTo enable these detections, we recommend you configure the following data connectors for best results:\\n- Out-of-the-box anomaly detections\\n- Microsoft Entra ID Protection\\n- Azure Defender\\n- Azure Defender for IoT\\n- Microsoft 365 Defender\\n- Microsoft Cloud App Security \\n- Microsoft Defender for Endpoint\\n- Microsoft Defender for Identity\\n- Microsoft Defender for Office 365\\n- Scheduled analytics rules, both built-in and those created by your security analysts. Analytics rules must contain kill-chain (tactics) and entity mapping information in order to be used by Fusion.\\n\\nFor the full description of each detection that is supported by Fusion, go to https://aka.ms/SentinelFusion.\",\"lastUpdatedDateUTC\":\"2023-11-02T00:00:00Z\",\"createdDateUTC\":\"2019-07-25T00:00:00Z\",\"status\":\"Installed\",\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/757e6a79-6d23-4ae6-9845-4dac170656b5\",\"name\":\"757e6a79-6d23-4ae6-9845-4dac170656b5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P2D\",\"queryPeriod\":\"P2D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"// Tenants IDs can be found by navigating to Azure Active Directory then from menu on the left, select External Identities, then from menu on the left, select Cross-tenant access settings and from the list shown of Tenants\\nlet ExpectedTenantIDs = dynamic([\\\"List of expected tenant IDs\\\",\\\"Tenant ID 2\\\"]);\\nAuditLogs\\n| where OperationName has \\\"Add a partner to cross-tenant access setting\\\"\\n| mv-apply TargetResource = TargetResources on\\n (\\n where TargetResource.type =~ \\\"Policy\\\"\\n | extend Properties = TargetResource.modifiedProperties\\n )\\n| mv-apply Property = Properties on\\n (\\n where Property.displayName =~ \\\"tenantId\\\"\\n | extend ExtTenantIDAdded = trim(\u0027\\\"\u0027,tostring(Property.newValue))\\n )\\n| where ExtTenantIDAdded !in (ExpectedTenantIDs)\\n| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n| extend InitiatingIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\\n| extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"InitiatingAppName\"},{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAppServicePrincipalId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatingAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatingAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIpAddress\"}]}],\"tactics\":[\"InitialAccess\",\"Persistence\",\"Discovery\"],\"displayName\":\"Cross-tenant Access Settings Organization Added\",\"description\":\"Organizations are added in the Cross-tenant Access Settings to control communication inbound or outbound for users and applications. This detection notifies when an Organization is added other than the list that is supposed to exist from the Microsoft Entra ID Cross-tenant Access Settings.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-10-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/45b903c5-6f56-4969-af10-ae62ac709718\",\"name\":\"45b903c5-6f56-4969-af10-ae62ac709718\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.5\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4624 and LogonType == 10\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), ConnectionCount = count()\\nby Account = tolower(Account), Computer = toupper(Computer), IpAddress, AccountType, Activity, LogonTypeName, ProcessName\\n// use left anti to exclude anything from the previous 14 days that is not rare\\n),\\n(WindowsEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4624 and EventData has (\\\"10\\\")\\n| extend LogonType = tostring(EventData.LogonType)\\n| where LogonType == 10\\n| extend Account = strcat(tostring(EventData.TargetDomainName),\\\"\\\\\\\\\\\", tostring(EventData.TargetUserName))\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| extend TargetUserSid = tostring(EventData.TargetUserSid)\\n| extend AccountType=case(Account endswith \\\"$\\\" or TargetUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(TargetUserSid), \\\"\\\", \\\"User\\\")\\n| extend Activity=\\\"4624 - An account was successfully logged on.\\\"\\n| extend LogonTypeName=\\\"10 - RemoteInteractive\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), ConnectionCount = count()\\nby Account = tolower(Account), Computer = toupper(Computer), IpAddress, AccountType, Activity, LogonTypeName, ProcessName\\n))\\n| join kind=leftanti (\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated between (ago(starttime) .. ago(endtime))\\n| where EventID == 4624\\n| summarize by Computer = toupper(Computer), IpAddress, Account = tolower(Account)\\n),\\n( WindowsEvent\\n| where TimeGenerated between (ago(starttime) .. ago(endtime))\\n| where EventID == 4624\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| extend Account = strcat(tostring(EventData.TargetDomainName),\\\"\\\\\\\\\\\", tostring(EventData.TargetUserName))\\n| summarize by Computer = toupper(Computer), IpAddress, Account = tolower(Account)\\n))\\n) on Account, Computer\\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), ConnectionCount = sum(ConnectionCount)\\nby Account, Computer, IpAddress, AccountType, Activity, LogonTypeName, ProcessName\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| extend AccountName = tostring(split(Account, @\\\"\\\\\\\")[1]), AccountNTDomain = tostring(split(Account, @\\\"\\\\\\\")[0])\\n| project-away DomainIndex\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]}],\"tactics\":[\"LateralMovement\"],\"displayName\":\"Rare RDP Connections\",\"description\":\"Identifies when an RDP connection is new or rare related to any logon type by a given account today compared with the previous 14 days.\\nRDP connections are indicated by the EventID 4624 with LogonType = 10\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2020-01-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a6c435a2-b1a0-466d-b730-9f8af69262e8\",\"name\":\"a6c435a2-b1a0-466d-b730-9f8af69262e8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT20M\",\"queryPeriod\":\"PT20M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.5\",\"severity\":\"Medium\",\"query\":\"let failureCountThreshold = 10;\\nlet successCountThreshold = 1;\\n// let authenticationWindow = 20m; // Implicit in the analytic rule query period \\nimAuthentication\\n| where TargetUserType != \\\"NonInteractive\\\"\\n| summarize \\n StartTime = min(TimeGenerated), \\n EndTime = max(TimeGenerated), \\n IpAddresses = make_set (SrcDvcIpAddr, 100),\\n ReportedBy = make_set (strcat (EventVendor, \\\"/\\\", EventProduct), 100),\\n FailureCount = countif(EventResult==\u0027Failure\u0027),\\n SuccessCount = countif(EventResult==\u0027Success\u0027)\\n by \\n TargetUserId, TargetUsername, TargetUserType \\n| where FailureCount \u003e= failureCountThreshold and SuccessCount \u003e= successCountThreshold\\n| extend\\n IpAddresses = strcat_array(IpAddresses, \\\", \\\"), \\n ReportedBy = strcat_array(ReportedBy, \\\", \\\")\\n| extend\\n Name = iif(\\n TargetUsername contains \\\"@\\\"\\n , tostring(split(TargetUsername, \u0027@\u0027, 0)[0])\\n , TargetUsername\\n ),\\n UPNSuffix = iif(\\n TargetUsername contains \\\"@\\\"\\n , tostring(split(TargetUsername, \u0027@\u0027, 1)[0])\\n , \\\"\\\"\\n )\",\"customDetails\":{\"IpAddresses\":\"IpAddresses\",\"ReportedBy\":\"ReportedBy\"},\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUserName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Brute force attack against user credentials (Uses Authentication Normalization)\",\"description\":\"Identifies evidence of brute force activity against a user based on multiple authentication failures and at least one successful authentication within a given time window.\\nNote that the query does not enforce any sequence, and does not require the successful authentication to occur last.\\nThe default failure threshold is 10, success threshold is 1, and the default time window is 20 minutes.\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimAuthentication)\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2021-06-14T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0914adab-90b5-47a3-a79f-7cdcac843aa7\",\"name\":\"0914adab-90b5-47a3-a79f-7cdcac843aa7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.6\",\"severity\":\"Low\",\"query\":\"let starttime = 14d;\\nlet timeframe = 1d;\\nlet scorethreshold = 3;\\nlet baselinethreshold = 25;\\n// To avoid any False Positives, filtering using AppId is recommended. For example the AppId 509e4652-da8d-478d-a730-e9d4a1996ca4 has been added in the query as it corresponds\\n// to Azure Resource Graph performing VaultGet operations for indexing and syncing all tracked resources across Azure.\\nlet Allowedappid = dynamic([\\\"509e4652-da8d-478d-a730-e9d4a1996ca4\\\"]);\\nlet OperationList = dynamic(\\n[\\\"SecretGet\\\", \\\"KeyGet\\\", \\\"VaultGet\\\"]);\\nlet TimeSeriesData = AzureDiagnostics\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(now()))\\n| where not((identity_claim_appid_g in (Allowedappid)) and OperationName == \u0027VaultGet\u0027)\\n | where ResourceType =~ \\\"VAULTS\\\" and ResultType =~ \\\"Success\\\"\\n| where OperationName in (OperationList)\\n| extend ResultType = column_ifexists(\\\"ResultType\\\", \\\"None\\\"), CallerIPAddress = column_ifexists(\\\"CallerIPAddress\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where CallerIPAddress !~ \\\"None\\\" and isnotempty(CallerIPAddress)\\n| project TimeGenerated, OperationName, Resource, CallerIPAddress\\n| make-series HourlyCount=count() on TimeGenerated from startofday(ago(starttime)) to startofday(now()) step timeframe by CallerIPAddress;\\n//Filter anomolies against TimeSeriesData\\nlet TimeSeriesAlerts = TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(HourlyCount, scorethreshold, -1, \u0027linefit\u0027)\\n| mv-expand HourlyCount to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double),score to typeof(double), baseline to typeof(long)\\n| where anomalies \u003e 0 | extend AnomalyHour = TimeGenerated\\n| where baseline \u003e baselinethreshold // Filtering low count events per baselinethreshold\\n| project CallerIPAddress, AnomalyHour, TimeGenerated, HourlyCount, baseline, anomalies, score;\\nlet AnomalyHours = TimeSeriesAlerts | where TimeGenerated \u003e ago(2d) | project TimeGenerated;\\n// Filter the alerts since specified timeframe\\nTimeSeriesAlerts\\n| where TimeGenerated \u003e ago(2d)\\n// Join against base logs since specified timeframe to retrive records associated with the hour of anomoly\\n| join kind = innerunique (\\nAzureDiagnostics\\n| where TimeGenerated \u003e ago(2d)\\n| where not((identity_claim_appid_g in (Allowedappid)) and OperationName == \u0027VaultGet\u0027)\\n| where ResourceType =~ \\\"VAULTS\\\" and ResultType =~ \\\"Success\\\"\\n| where OperationName in (OperationList)\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n| extend ResultType = column_ifexists(\\\"ResultType\\\", \\\"NoResultType\\\")\\n| extend requestUri_s = column_ifexists(\\\"requestUri_s\\\", \\\"None\\\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = column_ifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"None\\\"),identity_claim_oid_g = column_ifexists(\\\"identity_claim_oid_g\\\", \\\"\\\"),\\n identity_claim_upn_s = column_ifexists(\\\"identity_claim_upn_s\\\", \\\"\\\")\\n| extend\\n CallerObjectId = iff(isempty(identity_claim_oid_g), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, identity_claim_oid_g),\\n CallerObjectUPN = iff(isempty(identity_claim_upn_s), identity_claim_http_schemas_xmlsoap_org_ws_2005_05_identity_claims_upn_s, identity_claim_upn_s)\\n| extend id_s = column_ifexists(\\\"id_s\\\", \\\"None\\\"), CallerIPAddress = column_ifexists(\\\"CallerIPAddress\\\", \\\"None\\\"), clientInfo_s = column_ifexists(\\\"clientInfo_s\\\", \\\"None\\\")\\n| summarize PerOperationCount=count(), LatestAnomalyTime = arg_max(TimeGenerated,*) by bin(TimeGenerated,1h), Resource, OperationName, id_s, CallerIPAddress, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, identity_claim_oid_g, requestUri_s, clientInfo_s\\n) on CallerIPAddress\\n| extend\\n CallerObjectId = iff(isempty(identity_claim_oid_g), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, identity_claim_oid_g),\\n CallerObjectUPN = iff(isempty(identity_claim_upn_s), identity_claim_http_schemas_xmlsoap_org_ws_2005_05_identity_claims_upn_s, identity_claim_upn_s)\\n| summarize EventCount=count(), OperationNameList = make_set(OperationName,1000), RequestURLList = make_set(requestUri_s, 100), AccountList = make_set(CallerObjectId, 100), AccountMax = arg_max(CallerObjectId,*) by Resource, id_s, clientInfo_s, LatestAnomalyTime\\n| extend timestamp = LatestAnomalyTime\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"AccountMax\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"CallerIPAddress\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Azure Key Vault access TimeSeries anomaly\",\"description\":\"Identifies a sudden increase in count of Azure Key Vault secret or vault access operations by CallerIPAddress. The query leverages a built-in KQL anomaly detection algorithm to find large deviations from baseline Azure Key Vault access patterns.\\nAny sudden increase in the count of Azure Key Vault accesses can be an indication of adversary dumping credentials via automated methods. If you are seeing any noise, try filtering known source(IP/Account) and user-agent combinations.\\nTimeSeries Reference Blog: https://techcommunity.microsoft.com/t5/azure-sentinel/looking-for-unknown-anomalies-what-is-normal-time-series/ba-p/555052\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2019-07-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureKeyVault\",\"dataTypes\":[\"KeyVaultData\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/009b9bae-23dd-43c4-bcb9-11c4ba7c784a\",\"name\":\"009b9bae-23dd-43c4-bcb9-11c4ba7c784a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n | where OperationName has \\\"Consent to application\\\"\\n | where Result =~ \\\"failure\\\"\\n | extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n | extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n | extend InitiatingIPAddress = tostring(InitiatedBy.user.ipAddress)\\n | extend userAgent = iif(AdditionalDetails[0].key == \\\"User-Agent\\\", tostring(AdditionalDetails[0].value), tostring(AdditionalDetails[1].value))\\n | where isnotempty(TargetResources)\\n | extend TargetAppName = tostring(TargetResources[0].displayName)\\n | extend TargetAppId = tostring(TargetResources[0].id)\\n | mv-expand TargetResources[0].modifiedProperties\\n | extend TargetResources_0_modifiedProperties = columnifexists(\\\"TargetResources_0_modifiedProperties\\\", \u0027\u0027)\\n | where isnotempty(TargetResources_0_modifiedProperties)\\n | where TargetResources_0_modifiedProperties.displayName =~ \\\"MethodExecutionResult.\\\"\\n | extend TargetPropertyDisplayName = tostring(TargetResources_0_modifiedProperties.displayName)\\n | extend FailureReason = tostring(parse_json(tostring(TargetResources_0_modifiedProperties.newValue)))\\n | where FailureReason contains \\\"Risky\\\"\\n | extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[1])\\n | project-reorder TimeGenerated, OperationName, Result, TargetAppName, TargetAppId, FailureReason, InitiatingUserPrincipalName, InitiatingAadUserId, InitiatingIPAddress, userAgent\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatingAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatingAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIPAddress\"}]},{\"entityType\":\"CloudApplication\",\"fieldMappings\":[{\"identifier\":\"AppId\",\"columnName\":\"TargetAppId\"},{\"identifier\":\"Name\",\"columnName\":\"TargetAppName\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"End-user consent stopped due to risk-based consent\",\"description\":\"Detects a user\u0027s consent to an OAuth application being blocked due to it being too risky.\\n These events should be investigated to understand why the user attempted to consent to the applicaiton and what other applicaitons they may have consented to.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-applications#end-user-stopped-due-to-risk-based-consent\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/95002681-4ecb-4da3-9ece-26d7e5feaa33\",\"name\":\"95002681-4ecb-4da3-9ece-26d7e5feaa33\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"imAuthentication\\n| where EventResult ==\u0027Failure\u0027\\n| where EventResultDetails == \u0027User disabled\u0027\\n| summarize StartTime=min(EventStartTime), EndTime=max(EventEndTime), disabledAccountLoginAttempts = count()\\n , disabledAccountsTargeted = dcount(TargetUsername), disabledAccountSet = make_set(TargetUsername)\\n , applicationsTargeted = dcount(TargetAppName)\\n , applicationSet = make_set(TargetAppName) \\n by SrcDvcIpAddr, Type\\n| order by disabledAccountLoginAttempts desc\\n| join kind=leftouter \\n (\\n // Consider these IPs suspicious - and alert any related successful sign-ins\\n imAuthentication\\n | where EventResult==\u0027Success\u0027\\n | summarize successfulAccountSigninCount = dcount(TargetUsername), successfulAccountSigninSet = makeset(TargetUsername, 15) by SrcDvcIpAddr, Type\\n // Assume IPs associated with sign-ins from 100+ distinct user accounts are safe\\n | where successfulAccountSigninCount \u003c 100\\n )\\n on SrcDvcIpAddr\\n| where isnotempty(successfulAccountSigninCount)\\n| project StartTime, EndTime, SrcDvcIpAddr, disabledAccountLoginAttempts, disabledAccountsTargeted, disabledAccountSet, applicationSet, \\nsuccessfulAccountSigninCount, successfulAccountSigninSet, Type\\n| order by disabledAccountLoginAttempts\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcDvcIpAddr\"}]}],\"tactics\":[\"InitialAccess\",\"Persistence\"],\"displayName\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts (Uses Authentication Normalization)\",\"description\":\"Identifies IPs with failed attempts to sign in to one or more disabled accounts signed in successfully to another account.\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimAuthentication)\",\"lastUpdatedDateUTC\":\"2023-12-12T00:00:00Z\",\"createdDateUTC\":\"2021-07-27T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3bd33158-3f0b-47e3-a50f-7c20a1b88038\",\"name\":\"3bd33158-3f0b-47e3-a50f-7c20a1b88038\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"High\",\"query\":\"let SpringShell_threats = dynamic([\\\"Trojan:Python/SpringShellExpl\\\", \\\"Exploit:Python/SpringShell\\\", \\\"Backdoor:PHP/Remoteshell.V\\\", \\\"SpringShell\\\"]);\\nDeviceInfo\\n| extend DeviceName = tolower(DeviceName)\\n| join kind=inner ( SecurityAlert\\n| where ProviderName =~ \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)\\n| where ThreatName in~ (SpringShell_threats) or ThreatFamilyName in~ (SpringShell_threats)\\n| extend CompromisedEntity = tolower(CompromisedEntity)\\n) on $left.DeviceName == $right.CompromisedEntity\\n| summarize by DisplayName, ThreatName, ThreatFamilyName, PublicIP, AlertSeverity, Description, tostring(LoggedOnUsers), DeviceId, TenantId , bin(TimeGenerated, 1d), CompromisedEntity, tostring(LoggedOnUsers), ProductName, Entities\\n| extend HostName = tostring(split(CompromisedEntity, \\\".\\\")[0]), DomainIndex = toint(indexof(CompromisedEntity, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(CompromisedEntity, DomainIndex + 1), CompromisedEntity)\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CompromisedEntity\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"PublicIP\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"AV detections related to SpringShell Vulnerability\",\"description\":\"This query looks for Microsoft Defender AV detections related to the SpringShell vulnerability. In Microsoft Sentinel, the SecurityAlerts table includes only the Device Name of the affected device.\\n This query joins the DeviceInfo table to clearly connect other information such as device group, IP, logged-on users, etc. This would allow the Microsoft Sentinel analyst to have more context related to the alert, if available.\\n Reference: https://www.microsoft.com/security/blog/2022/04/04/springshell-rce-vulnerability-guidance-for-protecting-against-and-detecting-cve-2022-22965/\",\"lastUpdatedDateUTC\":\"2024-04-04T00:00:00Z\",\"createdDateUTC\":\"2022-04-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a333d8bf-22a3-4c55-a1e9-5f0a135c0253\",\"name\":\"a333d8bf-22a3-4c55-a1e9-5f0a135c0253\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.6\",\"severity\":\"High\",\"query\":\"let mde_threats = dynamic([\\\"Behavior:Win32/SuspAzureRequest.A\\\", \\\"Behavior:Win32/SuspAzureRequest.B\\\", \\\"Behavior:Win32/SuspAzureRequest.C\\\", \\\"Behavior:Win32/LaunchingSuspCMD.B\\\"]);\\nDeviceInfo\\n| extend DeviceName = tolower(DeviceName)\\n| join kind=inner ( SecurityAlert\\n| where ProviderName == \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)\\n| where ThreatName in~ (mde_threats) or ThreatFamilyName in~ (mde_threats)\\n| extend CompromisedEntity = tolower(CompromisedEntity)\\n) on $left.DeviceName == $right.CompromisedEntity\\n| summarize by bin(TimeGenerated, 1d), DisplayName, ThreatName, ThreatFamilyName, PublicIP, AlertSeverity, Description, tostring(LoggedOnUsers), DeviceId, TenantId, CompromisedEntity, tostring(LoggedOnUsers), ProductName, Entities\\n| extend HostName = tostring(split(CompromisedEntity, \\\".\\\")[0]), DomainIndex = toint(indexof(CompromisedEntity, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(CompromisedEntity, DomainIndex + 1), CompromisedEntity)\\n| project-away DomainIndex\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CompromisedEntity\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"PublicIP\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Microsoft Defender for Endpoint (MDE) signatures for Azure Synapse pipelines and Azure Data Factory\",\"description\":\"This query looks for Microsoft Defender for Endpoint detections related to the remote command execution attempts on Azure IR with Managed VNet or SHIR. \\nIn Microsoft Sentinel, the SecurityAlerts table includes the name of the impacted device. Additionally, this query joins the DeviceInfo table to connect other information such as device group, IP address, signed in users, and others allowing analysts using Microsoft Sentinel to have more context related to the alert. \\nReference: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-29972 , \\nhttps://msrc-blog.microsoft.com/2022/05/09/vulnerability-mitigated-in-the-third-party-data-connector-used-in-azure-synapse-pipelines-and-azure-data-factory-cve-2022-29972\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-04-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4759ddb4-2daf-43cb-b34e-d85b85b4e4a5\",\"name\":\"4759ddb4-2daf-43cb-b34e-d85b85b4e4a5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/DEV-0322_SolarWinds_Serv-U_IoC.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet process = (iocs | where Type =~ \\\"process\\\" | project IoC);\\nlet parentprocess = (iocs | where Type =~ \\\"parentprocess\\\" | project IoC);\\nlet IPList = (iocs | where Type =~ \\\"ip\\\"| project IoC);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or RequestURL has_any (IPList) or Message has_any (IPList)\\n| project TimeGenerated, SourceIP, DestinationIP, Message, SourceUserID, RequestURL, Type\\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", RequestURL in (IPList), \\\"RequestUrl\\\",\\\"NoMatch\\\"), AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, IPMatch == \\\"RequestUrl\\\", RequestURL, \\\"NoMatch\\\"), AccountCustomEntity = SourceUserID\\n),\\n(DnsEvents\\n| where IPAddresses in (IPList) \\n| project TimeGenerated, Computer, IPAddresses, Name, ClientIP, Type\\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Host = Computer , AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n),\\n(VMConnection\\n| where SourceIp in (IPList) or DestinationIp in (IPList)\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| project TimeGenerated, Computer, Direction, ProcessName, SourceIp, DestinationIp, DestinationPort, RemoteDnsQuestions, DNSName,BytesSent, BytesReceived, RemoteCountry, Type\\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", \\\"None\\\") , AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"NoMatch\\\"), HostCustomEntity = Computer, ProcessCustomEntity = ProcessName\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = EventDetail.[9].[\\\"#text\\\"], DestinationIP = EventDetail.[14].[\\\"#text\\\"], Image = EventDetail.[4].[\\\"#text\\\"]\\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| project TimeGenerated, SourceIP, DestinationIP, Image, UserName, Computer, Type\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\") , AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n), \\n(OfficeActivity\\n| where ClientIP in (IPList) \\n| project TimeGenerated, UserAgent, Operation, RecordType, UserId, ClientIP, AlertDetail = \u0027Dev-0322 IOC match\u0027, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = UserId\\n),\\n(DeviceNetworkEvents\\n| where RemoteIP in (IPList)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort, LocalIP, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName, AlertDetail = \u0027Dev-0322 IOC match\u0027, UrlCustomEntity =RemoteUrl, ProcessCustomEntity = InitiatingProcessFileName\\n),\\n(WindowsFirewall\\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| project TimeGenerated, Computer, CommunicationDirection, SourceIP, DestinationIP, SourcePort, DestinationPort, Type\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\"), AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallNetworkRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = DestinationHost\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| project TimeGenerated,Resource, msg_s\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost in (IPList)\\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = DestinationHost, AlertDetail = \u0027Dev-0322 IOC match\u0027\\n),\\n(\\nAZFWApplicationRule\\n| where Fqdn has_any (IPList)\\n| extend IPCustomEntity = SourceIp\\n),\\n(\\nAZFWNetworkRule\\n| where DestinationIp has_any (IPList)\\n| extend IPCustomEntity = SourceIp\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend ParentImage = EventDetail.[20].[\\\"#text\\\"], Image = EventDetail.[4].[\\\"#text\\\"]\\n| where ( ParentImage has_any (parentprocess) and Image has_any (process))\\n| parse EventDetail with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256,Image, ParentImage \\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = SHA256, AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(DeviceFileEvents\\n| extend CommandLineIP = extract(IPRegex, 0,InitiatingProcessCommandLine)\\n| where (InitiatingProcessFileName in (process) and InitiatingProcessParentFileName in (parentprocess)) or CommandLineIP in (IPList)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RequestAccountName, RequestSourceIP, InitiatingProcessSHA256, Type, CommandLineIP\\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash, IPCustomEntity = CommandLineIP\\n),\\n(DeviceEvents\\n| extend CommandLineIP = extract(IPRegex, 0,InitiatingProcessCommandLine)\\n| where (InitiatingProcessFileName in (process) and InitiatingProcessParentFileName in (parentprocess)) or CommandLineIP in (IPList)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type, CommandLineIP\\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath, AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash, IPCustomEntity = CommandLineIP\\n),\\n(DeviceProcessEvents\\n| extend CommandLineIP = extract(IPRegex, 0,InitiatingProcessCommandLine)\\n| where (InitiatingProcessFileName in (process) and InitiatingProcessParentFileName in (parentprocess)) or CommandLineIP in (IPList)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type, CommandLineIP, AccountName\\n| extend Account = AccountName, Computer = DeviceName, IPAddress = CommandLineIP, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash, IPCustomEntity = IPAddress\\n),\\n( SecurityEvent\\n| where EventID == 4688\\n| extend CommandLineIP = extract(IPRegex, 0, CommandLine)\\n| where CommandLineIP in (IPList) or (NewProcessName has_any (process) and ParentProcessName has_any (parentprocess))\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type, CommandLine, CommandLineIP\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, AlertDetail = \u0027Dev-0322 IOC match\u0027, IPCustomEntity = CommandLineIP\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"[Deprecated] - DEV-0322 Serv-U related IOCs - July 2021\",\"description\":\"This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft\u0027s Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2021-06-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceFileEvents\",\"DeviceEvents\",\"DeviceProcessEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\",\"AZFWApplicationRule\",\"AZFWNetworkRule\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f819c592-c5f9-4d5c-a79f-1e6819863533\",\"name\":\"f819c592-c5f9-4d5c-a79f-1e6819863533\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.6\",\"severity\":\"Medium\",\"query\":\"// ADHealth Monitoring Agent Registry Key\\nlet aadHealthMonAgentRegKey = \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Microsoft Online\\\\\\\\Reporting\\\\\\\\MonitoringAgent\\\";\\n// Filter out known processes\\nlet aadConnectHealthProcs = dynamic ([\\n \u0027Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe\u0027,\\n \u0027Microsoft.Identity.Health.Adfs.InsightsService.exe\u0027,\\n \u0027Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe\u0027,\\n \u0027Microsoft.Identity.Health.Adfs.PshSurrogate.exe\u0027,\\n \u0027Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe\u0027,\\n \u0027Microsoft.Identity.Health.AadSync.MonitoringAgent.Startup.exe\u0027,\\n \u0027Microsoft.Identity.AadConnect.Health.AadSync.Host.exe\u0027,\\n \u0027Microsoft.Azure.ActiveDirectory.Synchronization.Upgrader.exe\u0027,\\n \u0027miiserver.exe\u0027\\n]);\\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where EventID == \u00274656\u0027\\n| where EventData has aadHealthMonAgentRegKey\\n| extend EventData = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Computer, EventID)\\n| extend ObjectName = column_ifexists(\\\"ObjectName\\\", \\\"\\\"),\\n ObjectType = column_ifexists(\\\"ObjectType\\\", \\\"\\\")\\n| where ObjectType == \u0027Key\u0027\\n| where ObjectName == aadHealthMonAgentRegKey\\n| extend SubjectUserName = column_ifexists(\\\"SubjectUserName\\\", \\\"\\\"),\\n SubjectDomainName = column_ifexists(\\\"SubjectDomainName\\\", \\\"\\\"),\\n ProcessName = column_ifexists(\\\"ProcessName\\\", \\\"\\\")\\n| extend Process = split(ProcessName, \u0027\\\\\\\\\u0027, -1)[-1],\\n Account = strcat(SubjectDomainName, \\\"\\\\\\\\\\\", SubjectUserName)\\n| where Process !in (aadConnectHealthProcs)\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by EventID, Account, Computer, Process, SubjectUserName, SubjectDomainName, ObjectName, ObjectType, ProcessName\\n),\\n(\\nWindowsEvent\\n| where EventID == \u00274656\u0027 and EventData has aadHealthMonAgentRegKey\\n| extend ObjectType = tostring(EventData.ObjectType)\\n| where ObjectType == \u0027Key\u0027\\n| extend ObjectName = tostring(EventData.ObjectName)\\n| where ObjectName == aadHealthMonAgentRegKey\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| extend Process = tostring(split(ProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where Process !in (aadConnectHealthProcs)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName)\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by EventID, Account, Computer, Process, SubjectUserName, SubjectDomainName, ObjectName, ObjectType, ProcessName\\n),\\n(\\nSecurityEvent\\n| where EventID == \u00274663\u0027\\n| where ObjectType == \u0027Key\u0027\\n| where ObjectName == aadHealthMonAgentRegKey\\n| extend Process = tostring(split(ProcessName, \u0027\\\\\\\\\u0027, -1)[-1])\\n| where Process !in (aadConnectHealthProcs)\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by EventID, Account, Computer, Process, SubjectUserName, SubjectDomainName, ObjectName, ObjectType, ProcessName\\n),\\n (\\nWindowsEvent\\n| where EventID == \u00274663\u0027 and EventData has aadHealthMonAgentRegKey\\n| extend ObjectType = tostring(EventData.ObjectType)\\n| where ObjectType == \u0027Key\u0027\\n| extend ObjectName = tostring(EventData.ObjectName)\\n| where ObjectName == aadHealthMonAgentRegKey\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| extend Process = tostring(split(ProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where Process !in (aadConnectHealthProcs)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName)\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by EventID, Account, Computer, Process, SubjectUserName, SubjectDomainName, ObjectName, ObjectType, ProcessName\\n)\\n)\\n// You can filter out potential machine accounts\\n//| where AccountType != \u0027Machine\u0027\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| extend Name = tostring(split(Account, \\\"\\\\\\\\\\\")[1]), NTDomain = tostring(split(Account, \\\"\\\\\\\\\\\")[0])\\n| project-away DomainIndex\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"NTDomain\",\"columnName\":\"NTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"Collection\"],\"displayName\":\"Microsoft Entra ID Health Monitoring Agent Registry Keys Access\",\"description\":\"This detection uses Windows security events to detect suspicious access attempts to the registry key of Microsoft Entra ID Health monitoring agent.\\nThis detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object HKLM\\\\SOFTWARE\\\\Microsoft\\\\Microsoft Online\\\\Reporting\\\\MonitoringAgent.\\nYou can find more information in here https://github.com/OTRF/Set-AuditRule/blob/master/rules/registry/aad_connect_health_monitoring_agent.yml\\n\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2021-08-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7249500f-3038-4b83-8549-9cd8dfa2d498\",\"name\":\"7249500f-3038-4b83-8549-9cd8dfa2d498\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"de-ma.online\\\", \\\"g20saudi.000webhostapp.com\\\", \\\"ksat20.000webhostapp.com\\\"]);\\nlet EmailAddresses = dynamic([\\\"munichconference1962@gmail.com\\\",\\\"munichconference@outlook.de\\\", \\\"munichconference@outlook.com\\\", \\\"t20saudiarabia@gmail.com\\\", \\\"t20saudiarabia@hotmail.com\\\", \\\"t20saudiarabia@outlook.sa\\\"]);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 *\\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend RequestURLIP = extract(IPRegex, 0, Message)\\n| where (isnotempty(DNSName) and DNSName has_any (DomainNames))\\n or (isnotempty(DestinationHostName) and DestinationHostName has_any (DomainNames))\\n or (isnotempty(RequestURL) and (RequestURL has_any (DomainNames)))\\n| extend timestamp = TimeGenerated , AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName, IPCustomEntity = DestinationIP\\n),\\n(DnsEvents\\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Host = Computer\\n| where DNSName has_any (DomainNames)\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host),\\n(VMConnection\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where isnotempty(DNSName)\\n| where DNSName has_any (DomainNames)\\n| extend timestamp = TimeGenerated , HostCustomEntity = Computer),\\n(SecurityAlert\\n| where ProviderName =~ \u0027OATP\u0027\\n| extend UPN = case(isnotempty(parse_json(Entities)[0].Upn), parse_json(Entities)[0].Upn,\\n isnotempty(parse_json(Entities)[1].Upn), parse_json(Entities)[1].Upn,\\n isnotempty(parse_json(Entities)[2].Upn), parse_json(Entities)[2].Upn,\\n isnotempty(parse_json(Entities)[3].Upn), parse_json(Entities)[3].Upn,\\n isnotempty(parse_json(Entities)[4].Upn), parse_json(Entities)[4].Upn,\\n isnotempty(parse_json(Entities)[5].Upn), parse_json(Entities)[5].Upn,\\n isnotempty(parse_json(Entities)[6].Upn), parse_json(Entities)[6].Upn,\\n isnotempty(parse_json(Entities)[7].Upn), parse_json(Entities)[7].Upn,\\n isnotempty(parse_json(Entities)[8].Upn), parse_json(Entities)[8].Upn,\\n parse_json(Entities)[9].Upn)\\n| where Entities has_any (EmailAddresses)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = tostring(UPN)),\\n(AzureDiagnostics\\n| where ResourceType =~ \\\"AZUREFIREWALLS\\\"\\n| where msg_s has_any (DomainNames)\\n| extend timestamp = TimeGenerated),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| where msg_s has_any (DomainNames)\\n| extend timestamp = TimeGenerated),\\n(AZFWApplicationRule\\n| where isnotempty(Fqdn)\\n| where Fqdn has_any (DomainNames) \\n| extend timestamp = TimeGenerated),\\n(AZFWDnsQuery\\n| where isnotempty(QueryName)\\n| where QueryName has_any (DomainNames)\\n| extend timestamp = TimeGenerated))\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"InitialAccess\"],\"displayName\":\"[Deprecated] - Known Mint Sandstorm group domains/IP - October 2020\",\"description\":\"This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft\u0027s Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2020-10-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog (Cisco)\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog (Zscaler)\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog (Fortinet)\"]},{\"connectorId\":\"OfficeATP\",\"dataTypes\":[\"SecurityAlert (OATP)\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics (Azure Firewall)\",\"AZFWApplicationRule\",\"AZFWDnsQuery\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2790795b-7dba-483e-853f-44aa0bc9c985\",\"name\":\"2790795b-7dba-483e-853f-44aa0bc9c985\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Low\",\"query\":\"CommonSecurityLog\\n| where DeviceProduct =~ \\\"Wazuh\\\"\\n| where Activity has \\\"Web server 400 error code.\\\"\\n| where Message has \\\"403\\\"\\n| extend HostName=substring(split(DeviceCustomString1,\\\")\\\")[0],1)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), NumberOfErrors = dcount(SourceIP) by HostName, SourceIP\\n| where NumberOfErrors \u003e 400\\n| sort by NumberOfErrors desc\\n| extend timestamp = StartTime\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Wazuh - Large Number of Web errors from an IP\",\"description\":\"Identifies instances where Wazuh logged over 400 \u0027403\u0027 Web Errors from one IP Address. To onboard Wazuh data into Sentinel please view: https://github.com/wazuh/wazuh-documentation/blob/master/source/azure/monitoring%20activity.rst\",\"lastUpdatedDateUTC\":\"2024-07-15T00:00:00Z\",\"createdDateUTC\":\"2020-04-21T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/11b4c19d-2a79-4da3-af38-b067e1273dee\",\"name\":\"11b4c19d-2a79-4da3-af38-b067e1273dee\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.5\",\"severity\":\"High\",\"query\":\"(union isfuzzy=true\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID in (17,18)\\n| where EventData has \u0027583da945-62af-10e8-4902-a8f205c72b2e\u0027\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, MG, ManagementGroupName, _ResourceId)\\n| extend PipeName = column_ifexists(\\\"PipeName\\\", \\\"\\\")\\n| extend Account = User\\n| extend AccountName = tostring(split(User, @\\\"\\\\\\\")[1]), AccountNTDomain = tostring(split(User, @\\\"\\\\\\\")[0])\\n),\\n(\\nSecurityEvent\\n| where EventID == \u00275145\u0027\\n// %%4418 looks for presence of CreatePipeInstance value\\n| where AccessList has \u0027%%4418\u0027\\n| where RelativeTargetName has \u0027583da945-62af-10e8-4902-a8f205c72b2e\u0027\\n| extend AccountName = SubjectUserName, AccountNTDomain = SubjectDomainName\\n),\\n(\\nWindowsEvent\\n| where EventID == \u00275145\u0027 and EventData has \u0027%%4418\u0027 and EventData has \u0027583da945-62af-10e8-4902-a8f205c72b2e\u0027\\n// %%4418 looks for presence of CreatePipeInstance value\\n| extend AccessList= tostring(EventData.AccessList)\\n| where AccessList has \u0027%%4418\u0027\\n| extend RelativeTargetName= tostring(EventData.RelativeTargetName)\\n| where RelativeTargetName has \u0027583da945-62af-10e8-4902-a8f205c72b2e\u0027\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend AccountName = tostring(EventData.SubjectUserName), AccountNTDomain = tostring(EventData.SubjectDomainName)\\n)\\n)\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| project-away DomainIndex\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"DefenseEvasion\",\"PrivilegeEscalation\"],\"displayName\":\"Solorigate Named Pipe\",\"description\":\"Identifies a match across various data feeds for named pipe IOCs related to the Solorigate incident.\\n For the sysmon events required for this detection, logging for Named Pipe Events needs to be configured in Sysmon config (Event ID 17 and Event ID 18)\\n Reference: https://techcommunity.microsoft.com/t5/azure-sentinel/solarwinds-post-compromise-hunting-with-azure-sentinel/ba-p/1995095\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2020-12-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f6a51e2c-2d6a-4f92-a090-cfb002ca611f\",\"name\":\"f6a51e2c-2d6a-4f92-a090-cfb002ca611f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"let lbtime = 10m;\\nlet disallowed_ext = dynamic([\u0027ps1\u0027, \u0027exe\u0027, \u0027vbs\u0027, \u0027js\u0027, \u0027scr\u0027]);\\nProofpointPOD\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027inbound\u0027\\n| where FilterDisposition !in (\u0027reject\u0027, \u0027discard\u0027)\\n| extend attachedExt = todynamic(MsgParts)[0][\u0027detectedExt\u0027]\\n| where tolower(attachedExt) in (disallowed_ext)\\n| project SrcUserUpn, AccountCustomEntity = parse_json(DstUserUpn)[0], attachedExt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"ProofpointPOD - Suspicious attachment\",\"description\":\"Detects when email contains suspicious attachment (file type).\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ef88eb96-861c-43a0-ab16-f3835a97c928\",\"name\":\"ef88eb96-861c-43a0-ab16-f3835a97c928\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT12H\",\"queryPeriod\":\"PT12H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.1\",\"severity\":\"Medium\",\"query\":\"let regexEmpire = tostring(toscalar(externaldata(cmdlets:string)[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/EmpireCommandString.txt\\\"] with (format=\\\"txt\\\")));\\n(union isfuzzy=true\\n (SecurityEvent\\n| where EventID == 4688\\n//consider filtering on filename if perf issues occur\\n//where FileName in~ (\\\"powershell.exe\\\",\\\"powershell_ise.exe\\\",\\\"pwsh.exe\\\")\\n| where not(ParentProcessName has_any (\u0027gc_worker.exe\u0027, \u0027gc_service.exe\u0027))\\n| where CommandLine has \\\"-encodedCommand\\\"\\n| parse kind=regex flags=i CommandLine with * \\\"-EncodedCommand \\\" encodedCommand\\n| extend encodedCommand = iff(encodedCommand has \\\" \\\", tostring(split(encodedCommand, \\\" \\\")[0]), encodedCommand)\\n// Note: currently the base64_decode_tostring function is limited to supporting UTF8\\n| extend decodedCommand = translate(\u0027\\\\0\u0027,\u0027\u0027, base64_decode_tostring(substring(encodedCommand, 0, strlen(encodedCommand) - (strlen(encodedCommand) %8)))), encodedCommand, CommandLine , strlen(encodedCommand)\\n| extend EfectiveCommand = iff(isnotempty(encodedCommand), decodedCommand, CommandLine)\\n| where EfectiveCommand matches regex regexEmpire\\n| project timestamp = TimeGenerated, Computer, SubjectUserName, SubjectDomainName, FileName = Process, EfectiveCommand, decodedCommand, encodedCommand, CommandLine, ParentProcessName\\n| extend HostName = split(Computer, \u0027.\u0027, 0)[0], DnsDomain = strcat_array(array_slice(split(Computer, \u0027.\u0027), 1, -1), \u0027.\u0027)\\n),\\n(WindowsEvent\\n| where EventID == 4688\\n| where EventData has_any (\\\"-encodedCommand\\\", \\\"powershell.exe\\\",\\\"powershell_ise.exe\\\",\\\"pwsh.exe\\\")\\n| where not(EventData has_any (\u0027gc_worker.exe\u0027, \u0027gc_service.exe\u0027))\\n//consider filtering on filename if perf issues occur\\n//extend NewProcessName = tostring(EventData.NewProcessName)\\n//extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n//FileName = Process\\n//where FileName in~ (\\\"powershell.exe\\\",\\\"powershell_ise.exe\\\",\\\"pwsh.exe\\\")\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| where not(ParentProcessName has_any (\u0027gc_worker.exe\u0027, \u0027gc_service.exe\u0027))\\n| extend CommandLine = tostring(EventData.CommandLine)\\n| where CommandLine has \\\"-encodedCommand\\\"\\n| parse kind=regex flags=i CommandLine with * \\\"-EncodedCommand \\\" encodedCommand\\n| extend encodedCommand = iff(encodedCommand has \\\" \\\", tostring(split(encodedCommand, \\\" \\\")[0]), encodedCommand)\\n// Note: currently the base64_decode_tostring function is limited to supporting UTF8\\n| extend decodedCommand = translate(\u0027\\\\0\u0027,\u0027\u0027, base64_decode_tostring(substring(encodedCommand, 0, strlen(encodedCommand) - (strlen(encodedCommand) %8)))), encodedCommand, CommandLine , strlen(encodedCommand)\\n| extend EfectiveCommand = iff(isnotempty(encodedCommand), decodedCommand, CommandLine)\\n| where EfectiveCommand matches regex regexEmpire\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| project timestamp = TimeGenerated, Computer, SubjectUserName, SubjectDomainName, FileName = Process, EfectiveCommand, decodedCommand, encodedCommand, CommandLine, ParentProcessName\\n| extend HostName = split(Computer, \u0027.\u0027, 0)[0], DnsDomain = strcat_array(array_slice(split(Computer, \u0027.\u0027), 1, -1), \u0027.\u0027)\\n))\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"SubjectUserName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"SubjectDomainName\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]}],\"tactics\":[\"Collection\",\"CommandAndControl\",\"CredentialAccess\",\"DefenseEvasion\",\"Discovery\",\"Execution\",\"Exfiltration\",\"LateralMovement\",\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Powershell Empire Cmdlets Executed in Command Line\",\"description\":\"This query identifies use of PowerShell Empire\u0027s cmdlets within the command line data of the PowerShell process, indicating potential use of the post-exploitation tool.\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2019-01-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/61988db3-0565-49b5-b8e3-747195baac6e\",\"name\":\"61988db3-0565-49b5-b8e3-747195baac6e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.5\",\"severity\":\"Medium\",\"query\":\"let procList = dynamic([\\\"cmd.exe\\\",\\\"ftp.exe\\\",\\\"schtasks.exe\\\",\\\"powershell.exe\\\",\\\"rundll32.exe\\\",\\\"regsvr32.exe\\\",\\\"msiexec.exe\\\"]); \\nimProcessCreate\\n| where CommandLine has \\\"recycler\\\"\\n| where Process has_any (procList)\\n| extend FileName = tostring(split(Process, \u0027\\\\\\\\\u0027)[-1])\\n| where FileName in~ (procList)\\n| project TimeGenerated, Dvc, User, Process, FileName, CommandLine, ActingProcessName, EventVendor, EventProduct\\n| extend AccountName = tostring(split(User, @\u0027\\\\\u0027)[1]), AccountNTDomain = tostring(split(User, @\u0027\\\\\u0027)[0])\\n| extend HostName = tostring(split(Dvc, \\\".\\\")[0]), DomainIndex = toint(indexof(Dvc, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Dvc, DomainIndex + 1), Dvc)\\n| project-away DomainIndex\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"User\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Dvc\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Malware in the recycle bin (Normalized Process Events)\",\"description\":\"Identifies malware that has been hidden in the recycle bin.\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimProcessEvent)\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2021-06-13T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cecdbd4c-4902-403c-8d4b-32eb1efe460b\",\"name\":\"cecdbd4c-4902-403c-8d4b-32eb1efe460b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"High\",\"query\":\"let domains = dynamic([\\\"incomeupdate.com\\\",\\\"zupertech.com\\\",\\\"databasegalore.com\\\",\\\"panhardware.com\\\",\\\"avsvmcloud.com\\\",\\\"digitalcollege.org\\\",\\\"freescanonline.com\\\",\\\"deftsecurity.com\\\",\\\"thedoccloud.com\\\",\\\"virtualdataserver.com\\\",\\\"lcomputers.com\\\",\\\"webcodez.com\\\",\\\"globalnetworkissues.com\\\",\\\"kubecloud.com\\\",\\\"seobundlekit.com\\\",\\\"solartrackingsystem.net\\\",\\\"virtualwebdata.com\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n | parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n | where DNSName in~ (domains) or DestinationHostName has_any (domains) or RequestURL has_any(domains)\\n | extend AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName, IPCustomEntity = SourceIP\\n ),\\n(_Im_Dns (domain_has_any=domains)\\n | extend DNSName = DnsQuery\\n | extend IPCustomEntity = SrcIpAddr\\n ),\\n(VMConnection \\n | parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n | where isnotempty(DNSName)\\n | where DNSName in~ (domains)\\n | extend IPCustomEntity = RemoteIp\\n ),\\n(DeviceNetworkEvents \\n | where isnotempty(RemoteUrl) \\n | where RemoteUrl has_any (domains) \\n | extend DNSName = RemoteUrl\\n | extend IPCustomEntity = RemoteIP \\n | extend HostCustomEntity = DeviceName \\n ),\\n(AzureDiagnostics \\n | where ResourceType == \\\"AZUREFIREWALLS\\\"\\n | where Category == \\\"AzureFirewallApplicationRule\\\"\\n | parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n | where isnotempty(DestinationHost)\\n | where DestinationHost has_any (domains) \\n | extend DNSName = DestinationHost \\n | extend IPCustomEntity = SourceHost\\n ),\\n(AzureDiagnostics\\n | where ResourceType == \\\"AZUREFIREWALLS\\\"\\n | where Category == \\\"AzureFirewallNetworkRule\\\"\\n | where msg_s has_any (domains)\\n | parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePortInt:int \\\" to \\\" TargetIP \\\":\\\" TargetPortInt:int *\\n | parse kind=regex flags=U msg_s with * \\\". Action\\\\\\\\: \\\" Action1a \\\"\\\\\\\\.\\\"\\n | parse msg_s with * \\\". Policy: \\\" Policy \\\". Rule Collection Group: \\\" RuleCollectionGroup \\\".\\\" *\\n | parse msg_s with * \\\" Rule Collection: \\\" RuleCollection \\\". Rule: \\\" Rule \\n | extend DNSName = TargetIP \\n | extend IPCustomEntity = SourceIP\\n ),\\n(AzureDiagnostics\\n | where ResourceType == \\\"AZUREFIREWALLS\\\"\\n | where Category == \\\"AzureFirewallDnsProxy\\\"\\n | where msg_s has_any (domains)\\n | parse msg_s with \\\"DNS Request: \\\" SourceIP \\\":\\\" SourcePortInt:int \\\" - \\\" QueryID:int \\\" \\\" RequestType \\\" \\\" RequestClass \\\" \\\" hostname \\\". \\\" protocol \\\" \\\" details\\n | extend\\n ResponseDuration = extract(\\\"[0-9]*.?[0-9]+s$\\\", 0, msg_s),\\n SourcePort = tostring(SourcePortInt),\\n QueryID = tostring(QueryID)\\n | extend DNSName = hostname\\n | extend IPCustomEntity = SourceIP\\n | project TimeGenerated,SourceIP,hostname,RequestType,ResponseDuration,details,msg_s\\n | order by TimeGenerated\\n ),\\n(AZFWApplicationRule\\n | where Fqdn has_any (domains)\\n | extend DNSName = Fqdn\\n | extend IPCustomEntity = SourceIp\\n ),\\n(AZFWDnsQuery\\n | where isnotempty(QueryName)\\n | where QueryName has_any (domains)\\n | extend DNSName = QueryName\\n | extend IPCustomEntity = SourceIp\\n )\\n )\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"DNSName\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"[Deprecated] - Solorigate Network Beacon\",\"description\":\"This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft\u0027s Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2020-12-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\",\"AZFWApplicationRule\",\"AZFWDnsQuery\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4a3073ac-7383-48a9-90a8-eb6716183a54\",\"name\":\"4a3073ac-7383-48a9-90a8-eb6716183a54\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Medium\",\"query\":\"let excludeProcs = dynamic([@\\\"\\\\SolarWinds\\\\Orion\\\\APM\\\\APMServiceControl.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\ExportToPDFCmd.Exe\\\", @\\\"\\\\SolarWinds.Credentials\\\\SolarWinds.Credentials.Orion.WebApi.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\Topology\\\\SolarWinds.Orion.Topology.Calculator.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\Database-Maint.exe\\\", @\\\"\\\\SolarWinds.Orion.ApiPoller.Service\\\\SolarWinds.Orion.ApiPoller.Service.exe\\\", @\\\"\\\\Windows\\\\SysWOW64\\\\WerFault.exe\\\"]);\\nDeviceProcessEvents\\n| where InitiatingProcessFileName =~ \\\"solarwinds.businesslayerhost.exe\\\"\\n| where not(FolderPath has_any (excludeProcs))\\n| extend\\n timestamp = TimeGenerated,\\n InitiatingProcessAccountUPNSuffix = tostring(split(InitiatingProcessAccountUpn, \\\"@\\\")[1]),\\n Algorithm = \\\"MD5\\\"\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"InitiatingProcessAccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"InitiatingProcessAccountDomain\"},{\"identifier\":\"Sid\",\"columnName\":\"InitiatingProcessAccountSid\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"DeviceName\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"Algorithm\"},{\"identifier\":\"Value\",\"columnName\":\"MD5\"}]}],\"tactics\":[\"Execution\",\"Persistence\"],\"displayName\":\"SUNBURST suspicious SolarWinds child processes\",\"description\":\"Identifies suspicious child processes of SolarWinds.Orion.Core.BusinessLayer.dll that may be evidence of the SUNBURST backdoor\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2020-12-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4ebbb5c2-8802-11ec-a8a3-0242ac120002\",\"name\":\"4ebbb5c2-8802-11ec-a8a3-0242ac120002\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"High\",\"query\":\"// Enter a reference list of decoy users (usernames) \\\"Case Sensitive\\\"\\nlet MaliciousServiceArtifacts = dynamic ([\\\"fgexec\\\",\\\"cachedump\\\",\\\"mimikatz\\\",\\\"mimidrv\\\",\\\"wceservice\\\",\\\"pwdump\\\"]);\\nEvent\\n| where Source == \\\"Service Control Manager\\\" and EventID == 7045\\n| parse EventData with * \u0027ServiceName\\\"\u003e\u0027 ServiceName \\\"\u003c\\\" * \u0027ImagePath\\\"\u003e\u0027 ImagePath \\\"\u003c\\\" *\\n| where ServiceName has_any (MaliciousServiceArtifacts) or ImagePath has_any (MaliciousServiceArtifacts)\\n| parse EventData with * \u0027AccountName\\\"\u003e\u0027 AccountName \\\"\u003c\\\" *\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, ServiceName, ImagePath, AccountName\\n| extend HostName = split(Computer, \u0027.\u0027, 0)[0], DnsDomain = strcat_array(array_slice(split(Computer, \u0027.\u0027), 1, -1), \u0027.\u0027)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"AccountName\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"ImagePath\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Credential Dumping Tools - Service Installation\",\"description\":\"This query detects the installation of a Windows service that contains artifacts from credential dumping tools such as Mimikatz.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"Event\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"Event\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2b328487-162d-4034-b472-59f1d53684a1\",\"name\":\"2b328487-162d-4034-b472-59f1d53684a1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Medium\",\"query\":\"let timeframe = 15m;\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(timeframe)\\n| where HttpUserAgentOriginal == \u0027\u0027\\n| extend Message = \\\"Empty User Agent\\\"\\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlOriginal\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - Empty User Agent Detected\",\"description\":\"Rule helps to detect empty and unusual user agent indicating web browsing activity by an unusual process other than a web browser.\",\"lastUpdatedDateUTC\":\"2023-12-29T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8d537f3c-094f-430c-a588-8a87da36ee3a\",\"name\":\"8d537f3c-094f-430c-a588-8a87da36ee3a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Medium\",\"query\":\"let timeframe = 15m;\\nlet user_agents=dynamic([\\n \u0027(hydra)\u0027,\\n \u0027 arachni/\u0027,\\n \u0027 BFAC \u0027,\\n \u0027 brutus \u0027,\\n \u0027 cgichk \u0027,\\n \u0027core-project/1.0\u0027,\\n \u0027 crimscanner/\u0027,\\n \u0027datacha0s\u0027,\\n \u0027dirbuster\u0027,\\n \u0027domino hunter\u0027,\\n \u0027dotdotpwn\u0027,\\n \u0027FHScan Core\u0027,\\n \u0027floodgate\u0027,\\n \u0027get-minimal\u0027,\\n \u0027gootkit auto-rooter scanner\u0027,\\n \u0027grendel-scan\u0027,\\n \u0027 inspath \u0027,\\n \u0027internet ninja\u0027,\\n \u0027jaascois\u0027,\\n \u0027 zmeu \u0027,\\n \u0027masscan\u0027,\\n \u0027 metis \u0027,\\n \u0027morfeus fucking scanner\u0027,\\n \u0027n-stealth\u0027,\\n \u0027nsauditor\u0027,\\n \u0027pmafind\u0027,\\n \u0027security scan\u0027,\\n \u0027springenwerk\u0027,\\n \u0027teh forest lobster\u0027,\\n \u0027toata dragostea\u0027,\\n \u0027 vega/\u0027,\\n \u0027voideye\u0027,\\n \u0027webshag\u0027,\\n \u0027webvulnscan\u0027,\\n \u0027 whcc/\u0027,\\n \u0027 Havij\u0027,\\n \u0027absinthe\u0027,\\n \u0027bsqlbf\u0027,\\n \u0027mysqloit\u0027,\\n \u0027pangolin\u0027,\\n \u0027sql power injector\u0027,\\n \u0027sqlmap\u0027,\\n \u0027sqlninja\u0027,\\n \u0027uil2pn\u0027,\\n \u0027ruler\u0027,\\n \u0027Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-PT; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)\u0027\\n ]);\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(timeframe)\\n| where HttpUserAgentOriginal has_any (user_agents)\\n| extend Message = \\\"Hack Tool User Agent\\\"\\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated, HttpUserAgentOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlOriginal\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - Hack Tool User-Agent Detected\",\"description\":\"Detects suspicious user agent strings used by known hack tools\",\"lastUpdatedDateUTC\":\"2023-12-29T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a0907abe-6925-4d90-af2b-c7e89dc201a6\",\"name\":\"a0907abe-6925-4d90-af2b-c7e89dc201a6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P10D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"let starttime = 10d;\\nlet endtime = 1d;\\nlet threshold = 100;\\nlet nxDomainDnsEvents = DnsEvents\\n// ResultCode 3 =\u003e \u0027NXDOMAIN\u0027\\n| where ResultCode == 3\\n| where QueryType in~ (\\\"A\\\", \\\"AAAA\\\")\\n| where ipv4_is_match(\\\"127.0.0.1\\\", ClientIP) == False\\n| where Name !has \\\"/\\\"\\n| where Name has \\\".\\\";\\nnxDomainDnsEvents\\n| where TimeGenerated \u003e ago(endtime)\\n// sld = Second Level Domain\\n| extend sld = tostring(split(Name, \\\".\\\")[-2])\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), dcount(sld), sampleNXDomainList=make_set(Name, 100) by ClientIP\\n| where dcount_sld \u003e threshold\\n// Filter out previously seen IPs\\n// Returns all the records from the left side that don\u0027t have matches from the right\\n| join kind=leftanti (nxDomainDnsEvents\\n | where TimeGenerated between(ago(starttime)..ago(endtime))\\n | extend sld = tostring(split(Name, \\\".\\\")[-2])\\n | summarize dcount(sld) by ClientIP, bin(TimeGenerated,1d)\\n | where dcount_sld \u003e threshold\\n ) on ClientIP\\n | order by dcount_sld desc\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Potential DGA detected\",\"description\":\"Identifies clients with a high NXDomain count, which could be indicative of a DGA (cycling through possible C2 domains where most C2s are not live).\\nAlerts are generated when a new IP address is seen (based on not being associated with NXDomain records in the prior 10-day baseline period).\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/492fbe35-cbac-4a8c-9059-826782e6915a\",\"name\":\"492fbe35-cbac-4a8c-9059-826782e6915a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Low\",\"query\":\"AuditLogs\\n | where Category =~ \\\"ApplicationManagement\\\"\\n | where OperationName has_any (\\\"Update Application\\\", \\\"Update Service principal\\\")\\n | extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n | extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n | extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n | extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n | extend InitiatingIPAddress = tostring(InitiatedBy.user.ipAddress)\\n | extend TargetAppName = tostring(TargetResources[0].displayName)\\n | extend mod_props = TargetResources[0].modifiedProperties\\n | mv-expand mod_props\\n | extend Action = tostring(mod_props.displayName)\\n | where Action contains \\\"Url\\\"\\n | extend UpdatedBy = iif(isnotempty(InitiatingAppName), InitiatingAppName, InitiatingUserPrincipalName)\\n | extend OldURL = tostring(mod_props.oldValue)\\n | extend NewURL = tostring(mod_props.newValue)\\n | extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[1])\\n | project-reorder TimeGenerated, InitiatingAppName, InitiatingAppServicePrincipalId, InitiatingAadUserId, InitiatingUserPrincipalName, InitiatingIPAddress, UpdatedBy\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatingAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatingAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"OldURL\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"NewURL\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIPAddress\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Changes to Application Logout URL\",\"description\":\"Detects changes to an applications sign out URL.\\n Look for any modifications to a sign out URL. Blank entries or entries to non-existent locations would stop a user from terminating a session.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-applications#logout-url-modified-or-removed\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/122fbc6a-57ab-4aa7-b9a9-51ac4970cac1\",\"name\":\"122fbc6a-57ab-4aa7-b9a9-51ac4970cac1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"// Define variable \u0027AwsAlert\u0027 to collect AWS GuardDuty CredentialAccess alerts related to Amazon Relational Database Service (RDS) activity\\nlet AwsAlert = materialize (\\n AWSGuardDuty\\n | where ActivityType has_any (\\n \\\"CredentialAccess:RDS/TorIPCaller.SuccessfulLogin\\\",\\n \\\"CredentialAccess:RDS/TorIPCaller.FailedLogin\\\",\\n \\\"CredentialAccess:RDS/AnomalousBehavior.SuccessfulBruteForce\\\",\\n \\\"CredentialAccess:RDS/AnomalousBehavior.SuccessfulLogin\\\",\\n \\\"CredentialAccess:RDS/MaliciousIPCaller.SuccessfulLogin\\\",\\n \\\"CredentialAccess:RDS/MaliciousIPCaller.FailedLogin\\\"\\n )\\n | extend\\n AWSAlertId = Id, \\n AWSAlertTitle = Title,\\n AWSAlertDescription = Description,\\n AWSresourceType = tostring(parse_json(ResourceDetails).resourceType),\\n AWSNetworkEntity = tostring(parse_json(ServiceDetails).action.rdsLoginAttemptAction.remoteIpDetails.ipAddressV4),\\n RDSInstanceId = tostring(parse_json(ResourceDetails).rdsDbInstanceDetails.dbInstanceIdentifier),\\n RDSUser = tostring(parse_json(ResourceDetails).rdsDbUserDetails.user),\\n RDSApplication = tostring(parse_json(ResourceDetails).rdsDbUserDetails.application),\\n RDSactionType = tostring(parse_json(ServiceDetails).action.actionType),\\n AWSAlertTime = TimeCreated,\\n AWSAlertLink= tostring(strcat(\u0027https://us-east-1.console.aws.amazon.com/guardduty/home?region=us-east-1#/findings?macros=current\u0026fId=\u0027,Id)),\\n Severity = \\n case (\\n Severity \u003e= 7.0, \\\"High\\\",\\n Severity between (4.0 .. 6.9), \\\"Medium\\\",\\n Severity between (1.0 .. 3.9), \\\"Low\\\",\\n \\\"Unknown\\\")\\n | distinct\\n AWSAlertTime,\\n ActivityType,\\n AWSAlertId,\\n AWSAlertLink,\\n AWSAlertTitle,\\n AWSAlertDescription,\\n AWSresourceType,\\n Arn,\\n Severity,\\n RDSactionType,\\n RDSApplication,\\n RDSInstanceId,\\n RDSUser,\\n AWSNetworkEntity\\n );\\n // Define variable \u0027Azure_sigin\u0027 to collect Azure portal sign-in activities\\n let Azure_sigin = materialize (\\n SigninLogs\\n | where AppDisplayName == \\\"Azure Portal\\\"\\n | where isnotempty(OriginalRequestId)\\n | summarize \\n AzureSuccessfulEvent = countif(ResultType == 0), \\n AzureFailedEvent = countif(ResultType != 0), \\n totalAzureLoginEventId = dcount(OriginalRequestId), \\n AzureFailedEventsCount = dcountif(OriginalRequestId, ResultType != 0), \\n AzureSuccessfuleventsCount = dcountif(OriginalRequestId, ResultType == 0),\\n AzureSetOfFailedevents = makeset(iff(ResultType != 0, OriginalRequestId, \\\"\\\"), 5), \\n AzureSetOfSuccessfulEvents = makeset(iff(ResultType == 0, OriginalRequestId, \\\"\\\"), 5) \\n by \\n IPAddress, \\n UserPrincipalName, \\n bin(TimeGenerated, 1min), \\n UserAgent,\\n ConditionalAccessStatus,\\n OperationName,\\n RiskDetail,\\n AuthenticationRequirement,\\n ClientAppUsed\\n // Extracting the name and UPN suffix from UserPrincipalName\\n | extend\\n Name = tostring(split(UserPrincipalName, \u0027@\u0027)[0]),\\n UPNSuffix = tostring(split(UserPrincipalName, \u0027@\u0027)[1])\\n );\\n // Join \u0027AwsAlert\u0027 and \u0027Azure_sigin\u0027 on the AWS Network Entity and Azure IP Address\\n AwsAlert\\n | join kind=inner Azure_sigin on $left.AWSNetworkEntity == $right.IPAddress\",\"customDetails\":{\"AWSAlertUserName\":\"RDSUser\",\"AWSArn\":\"Arn\",\"AWSresourceType\":\"AWSresourceType\",\"AWSInstanceType\":\"RDSactionType\",\"AWSAplicationName\":\"RDSApplication\",\"AWSInstanceId\":\"RDSInstanceId\",\"AzureUserAgent\":\"UserAgent\",\"AzureUser\":\"UserPrincipalName\",\"AzureClientAppUsed\":\"ClientAppUsed\",\"AzConditionalAccess\":\"ConditionalAccessStatus\",\"AzureOperationName\":\"OperationName\",\"AzureRiskDetail\":\"RiskDetail\",\"AzAuthRequirement\":\"AuthenticationRequirement\",\"alertSeverity\":\"Severity\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"IP address {{IPAddress}} in {{AWSAlertTitle}} seen in Azure Signin Logs with {{UserPrincipalName}}\",\"alertDescriptionFormat\":\"This detection correlates AWS GuardDuty Credential Access alert described \u0027{{AWSAlertDescription}}\u0027 related to Amazon Relational Database Service (RDS) activity with Azure portal sign-in activities. It identifies successful and failed logins, anomalous behavior, and malicious IP access. By joining these datasets on network entities and IP addresses, it detects unauthorized credential access attempts across AWS and Azure resources, enhancing cross-cloud security monitoring. \\n\\n AWS ALert Link : \u0027{{AWSAlertLink}}\u0027 \\n\\n Find More Details :https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-active.html\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":\"Severity\"},\"tactics\":[\"CredentialAccess\",\"InitialAccess\"],\"displayName\":\"Cross-Cloud Unauthorized Credential Access Detection From AWS RDS Login\",\"description\":\"\\nThis detection correlates AWS GuardDuty Credential Access alerts related to Amazon Relational Database Service (RDS) activity with Azure portal sign-in activities. It identifies successful and failed logins, anomalous behavior, and malicious IP access. By joining these datasets on network entities and IP addresses, it detects unauthorized credential access attempts across AWS and Azure resources, enhancing cross-cloud security monitoring.\\n\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2023-09-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSGuardDuty\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2c55fe7a-b06f-4029-a5b9-c54a2320d7b8\",\"name\":\"2c55fe7a-b06f-4029-a5b9-c54a2320d7b8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.6\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet TotalEventsThreshold = 5;\\n// Configure the list with sensitive process names \\nlet ExeList = dynamic([\\\"powershell.exe\\\",\\\"cmd.exe\\\",\\\"wmic.exe\\\",\\\"psexec.exe\\\",\\\"cacls.exe\\\",\\\"rundll32.exe\\\"]);\\nlet TimeSeriesData =\\nSecurityEvent\\n| where EventID == 4688 | extend Process = tolower(Process)\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where Process in~ (ExeList)\\n| project TimeGenerated, Computer, AccountType, Account, Process\\n| make-series Total=count() on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by Process;\\nlet TimeSeriesAlerts = materialize(TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(Total, 1.5, -1, \u0027linefit\u0027)\\n| mv-expand Total to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to typeof(double), baseline to typeof(long)\\n| where anomalies \u003e 0\\n| project Process, TimeGenerated, Total, baseline, anomalies, score\\n| where Total \u003e TotalEventsThreshold);\\nlet AnomalyHours = materialize(TimeSeriesAlerts | where TimeGenerated \u003e ago(2d) | project TimeGenerated);\\nTimeSeriesAlerts\\n| where TimeGenerated \u003e ago(2d)\\n| join (\\nSecurityEvent\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n| where EventID == 4688 | extend Process = tolower(Process)\\n| summarize CommandlineCount = count() by bin(TimeGenerated, 1h), Process, CommandLine, Computer, Account\\n) on Process, TimeGenerated\\n| project AnomalyHour = TimeGenerated, Computer, Account, Process, CommandLine, CommandlineCount, Total, baseline, anomalies, score\\n| extend timestamp = AnomalyHour, NTDomain = split(Account, \u0027\\\\\\\\\u0027, 0)[0], Name = split(Account, \u0027\\\\\\\\\u0027, 1)[0], HostName = tostring(split(Computer, \u0027.\u0027, 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Computer, \u0027.\u0027), 1, -1), \u0027.\u0027))\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"NTDomain\",\"columnName\":\"NTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"Process Execution Frequency Anomaly\",\"description\":\"This detection identifies anomalous spike in frequency of executions of sensitive processes which are often leveraged as attack vectors.\\nThe query leverages KQL\u0027s built-in anomaly detection algorithms to find large deviations from baseline patterns.\\nSudden increases in execution frequency of sensitive processes should be further investigated for malicious activity.\\nTune the values from 1.5 to 3 in series_decompose_anomalies for further outliers or based on custom threshold values for score.\",\"lastUpdatedDateUTC\":\"2024-03-13T00:00:00Z\",\"createdDateUTC\":\"2019-05-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/961b6a81-5c53-40b6-9800-4f661a8faea7\",\"name\":\"961b6a81-5c53-40b6-9800-4f661a8faea7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.1\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/DEV-0586.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\nlet Command_Line = (iocs | where Type =~ \\\"CommandLine\\\" | project IoC);\\n(union isfuzzy=true\\n(DeviceProcessEvents\\n| where InitiatingProcessSHA256 in (sha256Hashes) or SHA256 in (sha256Hashes) or ( InitiatingProcessCommandLine has (\u0027127.0.0.1\\\\\\\\ADMIN$\u0027) and InitiatingProcessCommandLine has_any (Command_Line))\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type, AccountName, SHA256\\n| extend Account = AccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = case(InitiatingProcessSHA256 in (sha256Hashes), \\\"InitiatingProcessSHA256\\\", SHA256 in (sha256Hashes), \\\"SHA256\\\", \\\"No Match\\\")\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = case(FileHash == \\\"InitiatingProcessSHA256\\\", InitiatingProcessSHA256, FileHash == \\\"SHA256\\\", SHA256, \\\"No Match\\\"), AlgorithmCustomEntity = \\\"SHA256\\\"\\n),\\n( SecurityEvent\\n| where EventID == 4688\\n| where ( CommandLine has (@\u0027127.0.0.1\\\\\\\\ADMIN$\u0027) and CommandLine has_any (Command_Line))\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type, EventID\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName\\n),\\n( CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, SourceUserID, FileHash, Type\\n| extend timestamp = TimeGenerated, FileHashCustomEntity = FileHash, Account = SourceUserID, AlgorithmCustomEntity = \\\"SHA256\\\"\\n),\\n( imFileEvent\\n| where Hash in~ (sha256Hashes) or ( ActingProcessCommandLine has (\u0027127.0.0.1\\\\\\\\ADMIN$\u0027) and ActingProcessCommandLine has_any (Command_Line))\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, FileHashCustomEntity = FileHash, AlgorithmCustomEntity = \\\"SHA256\\\"\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Image = EventDetail.[4].[\\\"#text\\\"], CommandLine = EventDetail.[10].[\\\"#text\\\"], Hashes = tostring(EventDetail.[17].[\\\"#text\\\"])\\n| extend Hashes = extract_all(@\\\"(?P\u003ckey\u003e\\\\w+)=(?P\u003cvalue\u003e[a-zA-Z0-9]+)\\\", dynamic([\\\"key\\\",\\\"value\\\"]), Hashes)\\n| extend Hashes = column_ifexists(\\\"Hashes\\\", \\\"\\\"), CommandLine = column_ifexists(\\\"CommandLine\\\", \\\"\\\")\\n| extend Hashes = todynamic(Hashes) | mv-expand Hashes\\n| where (Hashes[0] =~ \\\"SHA256\\\" and Hashes[1] has_any (sha256Hashes)) or ( CommandLine has (\u0027127.0.0.1\\\\\\\\ADMIN$\u0027) and CommandLine has_any (Command_Line)) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, Hashes, CommandLine, Image\\n| extend Type = strcat(Type, \\\": \\\", Source)\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), FileHashCustomEntity = tostring(Hashes[1]), AlgorithmCustomEntity = \\\"SHA256\\\"\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"[Deprecated] - Cadet Blizzard Actor IOC - January 2022\",\"description\":\"This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft\u0027s Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2022-01-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6ab1f7b2-61b8-442f-bc81-96afe7ad8c53\",\"name\":\"6ab1f7b2-61b8-442f-bc81-96afe7ad8c53\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"High\",\"query\":\"// OBJECT ID of AAD Groups can be found by navigating to Azure Active Directory then from menu on the left, select Groups and from the list shown of AAD Groups, the Second Column shows the ObjectID of each\\nlet GroupIDs = dynamic([\\\"List with Custom AAD GROUP OBJECT ID 1\\\",\\\"Custom AAD GROUP OBJECT ID 2\\\"]);\\nAuditLogs\\n| where OperationName in (\u0027Add member to group\u0027, \u0027Add owner to group\u0027)\\n| extend InitiatedByActionUserInformation = iff(isnotempty(InitiatedBy.user.userPrincipalName), InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName)\\n| extend InitiatedByIPAdress = InitiatedBy.user.ipAddress \\n// Uncomment the following line to filter events where the inviting user was a guest user\\n//| where InitiatedBy has_any (\\\"CUSTOM DOMAIN NAME#\\\", \\\"#EXT#\\\")\\n| mv-apply TargetResource = TargetResources on \\n (\\n where TargetResource.type =~ \\\"User\\\"\\n | extend InvitedUser = trim(@\u0027\\\"\u0027,tostring(TargetResource.userPrincipalName)),\\n Properties = TargetResource.modifiedProperties\\n )\\n| mv-apply Property = Properties on \\n (\\n where Property.displayName =~ \\\"Group.DisplayName\\\"\\n | extend AADGroup = trim(\u0027\\\"\u0027,tostring(Property.newValue))\\n )\\n| where InvitedUser has_any (\\\"CUSTOM DOMAIN NAME#\\\", \\\"#EXT#\\\")\\n| mv-apply Property = Properties on\\n (\\n where Property.displayName =~ \\\"Group.ObjectID\\\"\\n | extend AADGroupId = trim(\u0027\\\"\u0027,tostring(Property.newValue))\\n )\\n| where AADGroupId !in (GroupIDs)\\n| extend Name = tostring(split(InitiatedByActionUserInformation,\u0027@\u0027,0)[0]), UPNSuffix = tostring(split(InitiatedByActionUserInformation,\u0027@\u0027,1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"InvitedUser\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatedByIPAdress\"}]}],\"tactics\":[\"InitialAccess\",\"Persistence\",\"Discovery\"],\"displayName\":\"Guest accounts added in AAD Groups other than the ones specified\",\"description\":\"Guest Accounts are added in the Organization Tenants to perform various tasks i.e projects execution, support etc.. This detection notifies when guest users are added to Azure AD Groups other than the ones specified and poses a risk to gain access to sensitive apps or data.\",\"lastUpdatedDateUTC\":\"2023-10-27T00:00:00Z\",\"createdDateUTC\":\"2022-10-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e7ec9fa6-e7f7-41ed-a34b-b956837a3ee6\",\"name\":\"e7ec9fa6-e7f7-41ed-a34b-b956837a3ee6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"Medium\",\"query\":\"let threshold = 15;\\n// Below pulls messages from syslog-authpriv logs where there was an authentication failure with an unknown user.\\n// IP address of system attempting logon is also extracted from the SyslogMessage field. Some of these messages\\n// are aggregated.\\nSyslog\\n| where Facility =~ \\\"authpriv\\\"\\n| where SyslogMessage has \\\"authentication failure\\\" and SyslogMessage has \\\" uid=0\\\"\\n| extend RemoteIP = extract(@\\\".*?rhost=([\\\\d.]+).*?\\\", 1,SyslogMessage)\\n| project TimeGenerated, Computer, ProcessName, HostIP, RemoteIP, ProcessID\\n| join kind=innerunique (\\n // Below pulls messages from syslog-authpriv logs that show each instance an unknown user tried to logon. \\n Syslog \\n | where Facility =~ \\\"authpriv\\\"\\n | where SyslogMessage has \\\"user unknown\\\"\\n | project Computer, HostIP, ProcessID\\n ) on Computer, HostIP, ProcessID\\n// Count the number of failed logon attempts by External IP and internal machine\\n| summarize FirstLogonAttempt = min(TimeGenerated), LatestLogonAttempt = max(TimeGenerated), TotalLogonAttempts = count() by Computer, HostIP, RemoteIP\\n// Calculate the time between first and last logon attempt (AttemptPeriodLength)\\n| extend TimeBetweenLogonAttempts = LatestLogonAttempt - FirstLogonAttempt\\n| where TotalLogonAttempts \u003e= threshold\\n| project FirstLogonAttempt, LatestLogonAttempt, TimeBetweenLogonAttempts, TotalLogonAttempts, SourceAddress = RemoteIP, Computer, HostIP\\n| sort by Computer asc nulls last\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"HostIP\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Failed logon attempts in authpriv\",\"description\":\"Identifies failed logon attempts from unknown users in Syslog authpriv logs. The unknown user means the account that tried to log in isn\u0027t provisioned on the machine. A few hits could indicate someone attempting to access a machine they aren\u0027t authorized to access. \\nIf there are many of hits, especially from outside your network, it could indicate a brute force attack. \\nDefault threshold for logon attempts is 15.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"SyslogAma\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/57c7e832-64eb-411f-8928-4133f01f4a25\",\"name\":\"57c7e832-64eb-411f-8928-4133f01f4a25\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.4\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h; // Look back 1 hour for AzureDiagnostics logs\\nlet ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators\\n// Fetch threat intelligence indicators related to IP addresses\\nlet IP_Indicators = ThreatIntelligenceIndicator\\n | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n | where TimeGenerated \u003e= ago(ioc_lookBack)\\n | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \\\"fe80\\\" and TI_ipEntity !startswith \\\"::\\\" and TI_ipEntity !startswith \\\"127.\\\"\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n | where Active == true and ExpirationDateTime \u003e now();\\n// Perform a join between IP indicators and AzureDiagnostics logs for Key Vault events\\nIP_Indicators\\n // Use innerunique to keep performance fast and result set low, as we only need one match to indicate potential malicious activity that needs investigation\\n | join kind=innerunique (\\n AzureDiagnostics\\n | where ResourceType =~ \\\"VAULTS\\\"\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | extend KeyVaultEvents_TimeGenerated = TimeGenerated, ClientIP = CallerIPAddress\\n )\\n on $left.TI_ipEntity == $right.ClientIP\\n // Filter out logs that occurred after the expiration of the corresponding indicator\\n | where KeyVaultEvents_TimeGenerated \u003c ExpirationDateTime\\n // Group the results by IndicatorId and ClientIP, and keep the log entry with the latest timestamp\\n | summarize KeyVaultEvents_TimeGenerated = arg_max(KeyVaultEvents_TimeGenerated, *) by IndicatorId, ClientIP\\n // Select the desired output fields\\n | project KeyVaultEvents_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\n TI_ipEntity, ClientIP, ResourceId, SubscriptionId, OperationName, ResultType, CorrelationId, id_s, clientInfo_s, httpStatusCode_d,\\n identity_claim_appid_g, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, Type\\n // Rename the timestamp field\\n | extend timestamp = KeyVaultEvents_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceId\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"TI map IP entity to Azure Key Vault logs\",\"description\":\"Identifies a match in Azure Key Vault logs from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2024-07-09T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureKeyVault\",\"dataTypes\":[\"KeyVaultData\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/050b9b3d-53d0-4364-a3da-1b678b8211ec\",\"name\":\"050b9b3d-53d0-4364-a3da-1b678b8211ec\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"High\",\"query\":\"// Define the start and end times based on input values\\nlet starttime = now()-1h;\\nlet endtime = now();\\n// Set a lookback period of 14 days\\nlet lookback = starttime - 14d;\\n// Define a reusable function to query audit logs\\nlet awsFunc = (start:datetime, end:datetime) {\\n AuditLogs\\n | where TimeGenerated between (start..end)\\n | where Category =~ \\\"RoleManagement\\\"\\n | where AADOperationType in (\\\"Assign\\\", \\\"AssignEligibleRole\\\")\\n | where ActivityDisplayName has_any (\\\"Add eligible member to role\\\", \\\"Add member to role\\\")\\n | mv-apply TargetResource = TargetResources on\\n (\\n where TargetResource.type in~ (\\\"User\\\", \\\"ServicePrincipal\\\")\\n | extend Target = iff(TargetResource.type =~ \\\"ServicePrincipal\\\", tostring(TargetResource.displayName), tostring(TargetResource.userPrincipalName)),\\n props = TargetResource.modifiedProperties\\n )\\n | mv-apply Property = props on\\n (\\n where Property.displayName =~ \\\"Role.DisplayName\\\"\\n | extend RoleName = trim(\u0027\\\"\u0027, tostring(Property.newValue))\\n )\\n | where RoleName contains \\\"Admin\\\" and Result == \\\"success\\\"\\n};\\n// Query for audit events in the current day\\nlet EventInfo_CurrentDay = awsFunc(starttime, endtime);\\n// Query for audit events in the historical period (lookback)\\nlet EventInfo_historical = awsFunc(lookback, starttime);\\n// Find unseen events by performing a left anti-join\\nlet EventInfo_Unseen = (EventInfo_CurrentDay\\n | join kind=leftanti(EventInfo_historical) on Target, RoleName, OperationName\\n);\\n// Extend and clean up the results\\nEventInfo_Unseen\\n| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n| extend InitiatingIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\\n| extend Initiator = iif(isnotempty(InitiatingAppName), InitiatingAppName, InitiatingUserPrincipalName)\\n// You can uncomment the lines below to filter out PIM activations\\n// | where Initiator != \\\"MS-PIM\\\"\\n// | summarize StartTime=min(TimeGenerated), EndTime=min(TimeGenerated) by OperationName, RoleName, Target, Initiator, Result\\n// Project specific columns and split them for further analysis\\n| project TimeGenerated, OperationName, RoleName, Target, Initiator, InitiatingUserPrincipalName, InitiatingAadUserId, InitiatingAppName, InitiatingAppServicePrincipalId, InitiatingIpAddress, Result\\n| extend TargetName = tostring(split(Target,\u0027@\u0027,0)[0]), TargetUPNSuffix = tostring(split(Target,\u0027@\u0027,1)[0]), InitiatorName = tostring(split(InitiatingUserPrincipalName,\u0027@\u0027,0)[0]), InitiatorUPNSuffix = tostring(split(InitiatingUserPrincipalName,\u0027@\u0027,1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Target\"},{\"identifier\":\"Name\",\"columnName\":\"TargetName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"TargetUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatorName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatorUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAppServicePrincipalId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIpAddress\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"New User Assigned to Privileged Role\",\"description\":\"Identifies when a privileged role is assigned to a new user. Any account eligible for a role is now being given privileged access. If the assignment is unexpected or into a role that isn\u0027t the responsibility of the account holder, investigate.\",\"lastUpdatedDateUTC\":\"2024-02-08T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/968358d6-6af8-49bb-aaa4-187b3067fb95\",\"name\":\"968358d6-6af8-49bb-aaa4-187b3067fb95\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT12H\",\"queryPeriod\":\"PT12H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"High\",\"query\":\"let successCodes = dynamic([200, 302, 401]);\\nW3CIISLog\\n| where scStatus has_any (successCodes)\\n| where ipv4_is_private(cIP) == False\\n| where csUriStem hasprefix \\\"/autodiscover/autodiscover.json\\\"\\n| project TimeGenerated, cIP, sIP, sSiteName, csUriStem, csUriQuery, Computer, csUserName, _ResourceId, FileUri\\n| where (csUriQuery !has \\\"Protocol\\\" and isnotempty(csUriQuery))\\nor (csUriQuery has_any(\\\"/mapi/\\\", \\\"powershell\\\"))\\nor (csUriQuery contains \\\"@\\\" and csUriQuery matches regex @\\\"\\\\.[a-zA-Z]{2,4}?(?:[a-zA-Z]{2,4}\\\\/)\\\")\\nor (csUriQuery contains \\\":\\\" and csUriQuery matches regex @\\\"\\\\:[0-9]{2,4}\\\\/\\\")\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| extend AccountName = tostring(split(csUserName, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(csUserName, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"csUserName\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"cIP\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"_ResourceId\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Exchange SSRF Autodiscover ProxyShell - Detection\",\"description\":\"This query looks for suspicious request patterns to Exchange servers that fit patterns recently blogged about by PeterJson. This exploitation chain utilises an SSRF vulnerability in Exchange which eventually allows the attacker to execute arbitrary Powershell on the server.\\nIn the example powershell can be used to write an email to disk with an encoded attachment containing a shell.\\nReference: https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2021-08-09T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5e45930c-09b1-4430-b2d1-cc75ada0dc0f\",\"name\":\"5e45930c-09b1-4430-b2d1-cc75ada0dc0f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.4.2\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h; // Look back 1 hour for W3CIISLog events\\nlet ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators\\n// Fetch threat intelligence indicators related to IP addresses\\nlet IP_Indicators = ThreatIntelligenceIndicator\\n | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n | where TimeGenerated \u003e= ago(ioc_lookBack)\\n | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \\\"fe80\\\" and TI_ipEntity !startswith \\\"::\\\" and TI_ipEntity !startswith \\\"127.\\\"\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n | where Active == true and ExpirationDateTime \u003e now();\\n// Perform a join between IP indicators and W3CIISLog events\\nIP_Indicators\\n // Use innerunique to keep performance fast and result set low, as we only need one match to indicate potential malicious activity that needs investigation\\n | join kind=innerunique (\\n W3CIISLog\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(cIP)\\n | where ipv4_is_private(cIP) == false and cIP !startswith \\\"fe80\\\" and cIP !startswith \\\"::\\\" and cIP !startswith \\\"127.\\\"\\n | extend W3CIISLog_TimeGenerated = TimeGenerated\\n )\\n on $left.TI_ipEntity == $right.cIP\\n // Filter out W3CIISLog events that occurred after the expiration of the corresponding indicator\\n | where W3CIISLog_TimeGenerated \u003c ExpirationDateTime\\n // Group the results by IndicatorId and keep the W3CIISLog event with the latest timestamp\\n | summarize W3CIISLog_TimeGenerated = arg_max(W3CIISLog_TimeGenerated, *) by IndicatorId, cIP\\n // Select the desired output fields\\n | project timestamp = W3CIISLog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\n TI_ipEntity, Computer, sSiteName, cIP, sIP, sPort, csMethod, csUserName, scStatus, scSubStatus, scWin32Status,\\n NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, Type\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"csUserName\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"cIP\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"TI Map IP Entity to W3CIISLog\",\"description\":\"This query maps any IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in W3CIISLog.\",\"lastUpdatedDateUTC\":\"2024-07-09T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cbf6ad48-fa5c-4bf7-b205-28dbadb91255\",\"name\":\"cbf6ad48-fa5c-4bf7-b205-28dbadb91255\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"let procList = externaldata(Process:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Microsoft_Lolbas_Execution_Binaries.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nEvent\\n| where EventLog =~ \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID==1\\n| parse EventData with * \u0027Image\\\"\u003e\u0027 Image \\\"\u003c\\\" * \u0027OriginalFileName\\\"\u003e\u0027 OriginalFileName \\\"\u003c\\\" *\\n| where OriginalFileName has_any (procList) and not (Image has_any (procList))\\n| parse EventData with * \u0027ProcessGuid\\\"\u003e\u0027 ProcessGuid \\\"\u003c\\\" * \u0027Description\\\"\u003e\u0027 Description \\\"\u003c\\\" * \u0027CommandLine\\\"\u003e\u0027 CommandLine \\\"\u003c\\\" * \u0027CurrentDirectory\\\"\u003e\u0027 CurrentDirectory \\\"\u003c\\\" * \u0027User\\\"\u003e\u0027 User \\\"\u003c\\\" * \u0027LogonGuid\\\"\u003e\u0027 LogonGuid \\\"\u003c\\\" * \u0027Hashes\\\"\u003e\u0027 Hashes \\\"\u003c\\\" * \u0027ParentProcessGuid\\\"\u003e\u0027 ParentProcessGuid \\\"\u003c\\\" * \u0027ParentImage\\\"\u003e\u0027 ParentImage \\\"\u003c\\\" * \u0027ParentCommandLine\\\"\u003e\u0027 ParentCommandLine \\\"\u003c\\\" * \u0027ParentUser\\\"\u003e\u0027 ParentUser \\\"\u003c\\\" *\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, User, ParentImage, ParentProcessGuid, ParentCommandLine, ParentUser, Image, ProcessGuid, CommandLine, Description, OriginalFileName, CurrentDirectory, Hashes\\n| extend HostName = iif(Computer has \u0027.\u0027,substring(Computer,0,indexof(Computer,\u0027.\u0027)),Computer) , DnsDomain = iif(Computer has \u0027.\u0027,substring(Computer,indexof(Computer,\u0027.\u0027)+1),\u0027\u0027)\",\"entityMappings\":[{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLine\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"User\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"Windows Binaries Lolbins Renamed\",\"description\":\"This query detects the execution of renamed Windows binaries (Lolbins). This is a common technique used by adversaries to evade detection. \\nRef: https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-analytics-alert-reference/cortex-xdr-analytics-alert-reference/execution-of-renamed-lolbin.html\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-03-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a2e36ce0-da4d-4b6e-88c6-4e40161c5bfc\",\"name\":\"a2e36ce0-da4d-4b6e-88c6-4e40161c5bfc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.8\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @\u0027^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$\u0027;\\nThreatIntelligenceIndicator\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n| where TimeGenerated \u003e= ago(ioc_lookBack)\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true and ExpirationDateTime \u003e now()\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n SecurityAlert\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | extend MSTI = case(AlertName has \\\"TI map\\\" and VendorName == \\\"Microsoft\\\" and ProductName == \u0027Azure Sentinel\u0027, true, false)\\n | where MSTI == false\\n // Converting Entities into dynamic data type and use mv-expand to unpack the array\\n | extend EntitiesDynamicArray = parse_json(Entities) | mv-expand EntitiesDynamicArray\\n // Parsing relevant entity column to filter type account and creating new column by combining account and UPNSuffix\\n | extend Entitytype = tostring(parse_json(EntitiesDynamicArray).Type), EntityName = tostring(parse_json(EntitiesDynamicArray).Name),\\n EntityUPNSuffix = tostring(parse_json(EntitiesDynamicArray).UPNSuffix)\\n | where Entitytype =~ \\\"account\\\"\\n | extend EntityEmail = tolower(strcat(EntityName, \\\"@\\\", EntityUPNSuffix))\\n | where EntityEmail matches regex emailregex\\n | extend Alert_TimeGenerated = TimeGenerated\\n)\\non $left.EmailSenderAddress == $right.EntityEmail\\n| where Alert_TimeGenerated \u003c ExpirationDateTime\\n| summarize Alert_TimeGenerated = arg_max(Alert_TimeGenerated, *) by IndicatorId, AlertName\\n| project Alert_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, EntityEmail, AlertName, AlertType,\\nAlertSeverity, Entities, ProviderName, VendorName\\n| extend Name = tostring(split(EntityEmail, \u0027@\u0027, 0)[0]), UPNSuffix = tostring(split(EntityEmail, \u0027@\u0027, 1)[0])\\n| extend timestamp = Alert_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"EntityEmail\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"TI map Email entity to SecurityAlert\",\"description\":\"Identifies a match in SecurityAlert table from any Email IOC from TI which will extend coverage to datatypes such as MCAS, StorageThreatProtection and many others\",\"lastUpdatedDateUTC\":\"2024-07-10T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fb7ca1c9-e14c-40a3-856e-28f3c14ea1ba\",\"name\":\"fb7ca1c9-e14c-40a3-856e-28f3c14ea1ba\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Medium\",\"query\":\"let account_threshold = 5;\\nAADNonInteractiveUserSignInLogs\\n//| where ResultType == \\\"81016\\\"\\n| where ResultType startswith \\\"81\\\"\\n| summarize DistinctAccounts = dcount(UserPrincipalName), DistinctAddresses = make_set(IPAddress,100) by ResultType\\n| where DistinctAccounts \u003e account_threshold\\n| mv-expand IPAddress = DistinctAddresses\\n| extend IPAddress = tostring(IPAddress)\\n| join kind=leftouter (union isfuzzy=true SigninLogs, AADNonInteractiveUserSignInLogs) on IPAddress\\n| summarize\\n StartTime = min(TimeGenerated),\\n EndTime = max(TimeGenerated),\\n UserPrincipalName = make_set(UserPrincipalName,100),\\n UserAgent = make_set(UserAgent,100),\\n ResultDescription = take_any(ResultDescription),\\n ResultSignature = take_any(ResultSignature)\\n by IPAddress, Type, ResultType\\n| project Type, StartTime, EndTime, IPAddress, ResultType, ResultDescription, ResultSignature, UserPrincipalName, UserAgent = iff(array_length(UserAgent) == 1, UserAgent[0], UserAgent)\\n| extend Name = tostring(split(UserPrincipalName[0],\u0027@\u0027,0)[0]), UPNSuffix = tostring(split(UserPrincipalName[0],\u0027@\u0027,1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Password spray attack against Microsoft Entra ID Seamless SSO\",\"description\":\"This query detects when there is a spike in Microsoft Entra ID Seamless SSO errors. They may not be caused by a Password Spray attack, but the cause of the errors might need to be investigated.\\nMicrosoft Entra ID only logs the requests that matched existing accounts, thus there might have been unlogged requests for non-existing accounts.\",\"lastUpdatedDateUTC\":\"2024-01-04T00:00:00Z\",\"createdDateUTC\":\"2022-03-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/361dd1e3-1c11-491e-82a3-bb2e44ac36ba\",\"name\":\"361dd1e3-1c11-491e-82a3-bb2e44ac36ba\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.4\",\"severity\":\"Medium\",\"query\":\"let szOperationNames = dynamic([\\\"microsoft.compute/virtualMachines/write\\\", \\\"microsoft.resources/deployments/write\\\"]);\\nlet starttime = 7d;\\nlet endtime = 1d;\\nlet timeframe = 1d;\\nlet TimeSeriesData =\\nAzureActivity\\n| where TimeGenerated between (startofday(ago(starttime)) .. startofday(now()))\\n| where OperationNameValue in~ (szOperationNames)\\n| project TimeGenerated, Caller \\n| make-series Total = count() on TimeGenerated from startofday(ago(starttime)) to startofday(now()) step timeframe by Caller; \\nTimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(Total, 3, -1, \u0027linefit\u0027)\\n| mv-expand Total to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to typeof(double), baseline to typeof(long) \\n| where TimeGenerated \u003e= startofday(ago(endtime))\\n| where anomalies \u003e 0 and baseline \u003e 0\\n| project Caller, TimeGenerated, Total, baseline, anomalies, score\\n| join (AzureActivity\\n| where TimeGenerated \u003e startofday(ago(endtime)) \\n| where OperationNameValue in~ (szOperationNames)\\n| summarize make_set(OperationNameValue,100), make_set(_ResourceId,100), make_set(CallerIpAddress,100) by bin(TimeGenerated, timeframe), Caller\\n) on TimeGenerated, Caller\\n| mv-expand CallerIpAddress=set_CallerIpAddress\\n| project-away Caller1\\n| extend Name = iif(Caller has \u0027@\u0027,tostring(split(Caller,\u0027@\u0027,0)[0]),\\\"\\\")\\n| extend UPNSuffix = iif(Caller has \u0027@\u0027,tostring(split(Caller,\u0027@\u0027,1)[0]),\\\"\\\")\\n| extend AadUserId = iif(Caller !has \u0027@\u0027,Caller,\\\"\\\")\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Caller\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"AadUserId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"CallerIpAddress\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Suspicious number of resource creation or deployment activities\",\"description\":\"Indicates when an anomalous number of VM creations or deployment activities occur in Azure via the AzureActivity log. This query generates the baseline pattern of cloud resource creation by an individual and generates an anomaly when any unusual spike is detected. These anomalies from unusual or privileged users could be an indication of a cloud infrastructure takedown by an adversary.\",\"lastUpdatedDateUTC\":\"2024-03-04T00:00:00Z\",\"createdDateUTC\":\"2019-02-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/baedfdf4-7cc8-45a1-81a9-065821628b83\",\"name\":\"baedfdf4-7cc8-45a1-81a9-065821628b83\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"let runningRAT_parameters = dynamic([\u0027/ui/chk\u0027, \u0027mactok=\u0027, \u0027UsRnMe=\u0027, \u0027IlocalP=\u0027, \u0027kMnD=\u0027]);\\nCommonSecurityLog\\n| where RequestMethod == \\\"GET\\\"\\n| project TimeGenerated, DeviceVendor, DeviceProduct, DeviceAction, DestinationDnsDomain, DestinationIP, RequestURL, SourceIP, SourceHostName, RequestClientApplication\\n| where RequestURL has_any (runningRAT_parameters)\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DestinationIP\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"SourceHostName\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"RequestURL\"}]}],\"tactics\":[\"Exfiltration\",\"CommandAndControl\"],\"displayName\":\"RunningRAT request parameters\",\"description\":\"This detection will alert when RunningRAT URI parameters or paths are detect in an HTTP request.\\nId the device blocked this communication presence of this alert means the RunningRAT implant is likely still executing on the source host.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-05-31T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/42436753-9944-4d70-801c-daaa4d19ddd2\",\"name\":\"42436753-9944-4d70-801c-daaa4d19ddd2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"AlertPerResult\"},\"version\":\"1.1.4\",\"severity\":\"Medium\",\"query\":\"let threatCategory=\\\"Powershell\\\";\\nlet knownUserAgentsIndicators = materialize(externaldata(UserAgent:string, Category:string)\\n [ @\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/UnusualUserAgents.csv\\\"]\\n with(format=\\\"csv\\\", ignoreFirstRecord=True));\\nlet knownUserAgents=toscalar(knownUserAgentsIndicators | where Category==threatCategory | where isnotempty(UserAgent) | summarize make_list(UserAgent));\\nlet customUserAgents=toscalar(_GetWatchlist(\\\"UnusualUserAgents\\\") | where SearchKey==threatCategory | extend UserAgent=column_ifexists(\\\"UserAgent\\\",\\\"\\\") | where isnotempty(UserAgent) | summarize make_list(UserAgent));\\nlet fullUAList = array_concat(knownUserAgents,customUserAgents);\\n_Im_WebSession(httpuseragent_has_any=fullUAList)\\n| project SrcIpAddr, Url, TimeGenerated, HttpUserAgent, SrcUsername\\n| extend AccountName = tostring(split(SrcUsername, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(SrcUsername, \\\"@\\\")[1])\",\"customDetails\":{\"UserAgent\":\"HttpUserAgent\"},\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SrcUsername\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Host {{SrcIpAddr}} is potentially running PowerShell\",\"alertDescriptionFormat\":\"The host at address {{SrcIpAddr}} sent an HTTP request to the URL {{Url}} with the HTTP user agent header {{HttpUserAgent}}. This user agent is known to be used by PoerShell and indicates suspicious activity on the host.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"CommandAndControl\",\"DefenseEvasion\",\"Execution\"],\"displayName\":\"A host is potentially running PowerShell to send HTTP(S) requests (ASIM Web Session schema)\",\"description\":\"This rule identifies a web request with a user agent header known to belong PowerShell. \u003cbr\u003eYou can add custom Powershell indicating User-Agent headers using a watchlist, for more information refer to the [UnusualUserAgents Watchlist](https://aka.ms/ASimUnusualUserAgentsWatchlist).\u003cbr\u003e\u003cbr\u003e\\n This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema)\",\"lastUpdatedDateUTC\":\"2024-07-15T00:00:00Z\",\"createdDateUTC\":\"2021-12-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/631d02df-ab51-46c1-8d72-32d0cfec0720\",\"name\":\"631d02df-ab51-46c1-8d72-32d0cfec0720\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.6\",\"severity\":\"Medium\",\"query\":\"let excludeProcs = dynamic([@\\\"\\\\SolarWinds\\\\Orion\\\\APM\\\\APMServiceControl.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\ExportToPDFCmd.Exe\\\", @\\\"\\\\SolarWinds.Credentials\\\\SolarWinds.Credentials.Orion.WebApi.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\Topology\\\\SolarWinds.Orion.Topology.Calculator.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\Database-Maint.exe\\\", @\\\"\\\\SolarWinds.Orion.ApiPoller.Service\\\\SolarWinds.Orion.ApiPoller.Service.exe\\\", @\\\"\\\\Windows\\\\SysWOW64\\\\WerFault.exe\\\"]);\\nimProcessCreate\\n| where Process hassuffix \u0027solarwinds.businesslayerhost.exe\u0027\\n| where not(Process has_any (excludeProcs))\\n| extend AccountName = tostring(split(ActorUsername, @\u0027\\\\\u0027)[1]), AccountNTDomain = tostring(split(ActorUsername, @\u0027\\\\\u0027)[0])\\n| extend HostName = tostring(split(Dvc, \\\".\\\")[0]), DomainIndex = toint(indexof(Dvc, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Dvc, DomainIndex + 1), Dvc)\\n| project-away DomainIndex\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ActorUsername\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Dvc\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmType\"},{\"identifier\":\"Value\",\"columnName\":\"TargetFileMD5\"}]}],\"tactics\":[\"Execution\",\"Persistence\"],\"displayName\":\"SUNBURST suspicious SolarWinds child processes (Normalized Process Events)\",\"description\":\"Identifies suspicious child processes of SolarWinds.Orion.Core.BusinessLayer.dll that may be evidence of the SUNBURST backdoor\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimProcessEvent)\",\"lastUpdatedDateUTC\":\"2024-07-15T00:00:00Z\",\"createdDateUTC\":\"2020-12-15T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/48602a24-67cf-4362-b258-3f4249e55def\",\"name\":\"48602a24-67cf-4362-b258-3f4249e55def\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Medium\",\"query\":\"let query_frequency = 1h;\\nlet query_period = 14d;\\nIdentityInfo\\n| where TimeGenerated \u003e ago(query_period)\\n| where set_has_element(AssignedRoles, \\\"Global Administrator\\\")\\n| distinct AccountUPN, AccountObjectId\\n| join kind=inner (\\n AuditLogs\\n | where TimeGenerated \u003e ago(query_frequency)\\n | where OperationName=~ \\\"Update user\\\" and Result =~ \\\"success\\\"\\n // | where isnotempty(InitiatedBy[\\\"user\\\"])\\n | mv-expand TargetResource = TargetResources\\n | where TargetResource[\\\"type\\\"] == \\\"User\\\"\\n | extend AccountObjectId = tostring(TargetResource[\\\"id\\\"])\\n | where tostring(TargetResource[\\\"modifiedProperties\\\"]) != \\\"[]\\\"\\n | mv-apply modifiedProperty = TargetResource[\\\"modifiedProperties\\\"] on (\\n summarize modifiedProperties = make_bag(\\n bag_pack(tostring(modifiedProperty[\\\"displayName\\\"]),\\n bag_pack(\\\"oldValue\\\", trim(@\u0027[\\\\\\\"\\\\s]+\u0027, tostring(modifiedProperty[\\\"oldValue\\\"])),\\n \\\"newValue\\\", trim(@\u0027[\\\\\\\"\\\\s]+\u0027, tostring(modifiedProperty[\\\"newValue\\\"])))))\\n )\\n | where not(tostring(modifiedProperties[\\\"Included Updated Properties\\\"][\\\"newValue\\\"]) in (\\\"LastDirSyncTime\\\", \\\"\\\"))\\n | where not(tostring(modifiedProperties[\\\"Included Updated Properties\\\"][\\\"newValue\\\"]) == \\\"StrongAuthenticationPhoneAppDetail\\\" and isnotempty(modifiedProperties[\\\"StrongAuthenticationPhoneAppDetail\\\"]) and tostring(array_sort_asc(extract_all(@\u0027\\\\\\\"Id\\\\\\\"\\\\:\\\\\\\"([^\\\\\\\"]+)\\\\\\\"\u0027, tostring(modifiedProperties[\\\"StrongAuthenticationPhoneAppDetail\\\"][\\\"newValue\\\"])))) == tostring(array_sort_asc(extract_all(@\u0027\\\\\\\"Id\\\\\\\"\\\\:\\\\\\\"([^\\\\\\\"]+)\\\\\\\"\u0027, tostring(modifiedProperties[\\\"StrongAuthenticationPhoneAppDetail\\\"][\\\"oldValue\\\"])))))\\n | extend\\n Initiator = iif(isnotempty(InitiatedBy[\\\"app\\\"]), tostring(InitiatedBy[\\\"app\\\"][\\\"displayName\\\"]), tostring(InitiatedBy[\\\"user\\\"][\\\"userPrincipalName\\\"])),\\n InitiatorId = iif(isnotempty(InitiatedBy[\\\"app\\\"]), tostring(InitiatedBy[\\\"app\\\"][\\\"servicePrincipalId\\\"]), tostring(InitiatedBy[\\\"user\\\"][\\\"id\\\"])),\\n IPAddress = tostring(InitiatedBy[tostring(bag_keys(InitiatedBy)[0])][\\\"ipAddress\\\"])\\n) on AccountObjectId\\n| project TimeGenerated, Category, Identity, Initiator, IPAddress, OperationName, Result, AccountUPN, InitiatedBy, AdditionalDetails, TargetResources, AccountObjectId, InitiatorId, CorrelationId\\n| extend\\n InitiatorName = tostring(split(Initiator, \\\"@\\\")[0]),\\n InitiatorUPNSuffix = tostring(split(Initiator, \\\"@\\\")[1]),\\n AccountName = tostring(split(AccountUPN, \\\"@\\\")[0]),\\n AccountUPNSuffix = tostring(split(AccountUPN, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Initiator\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatorName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatorUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountUPN\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Suspicious modification of Global Administrator user properties\",\"description\":\"This query will detect if user properties of Global Administrator are updated by an existing user. Usually only user administrator or other global administrator can update such properties.\\nInvestigate if such user change is an attempt to elevate an existing low privileged identity or rogue administrator activity\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-08-09T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"IdentityInfo\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/30c8b802-ace1-4408-bc29-4c5c5afb49e1\",\"name\":\"30c8b802-ace1-4408-bc29-4c5c5afb49e1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"Medium\",\"query\":\"imProcess\\n| where EventType =~ \\\"ProcessCreated\\\"\\n| where Process endswith \\\"svchost.exe\\\"\\n| where CommandLine has \\\"-k GPSvcGroup\\\" or CommandLine has \\\"-s gpsvc\\\"\\n| extend timekey = bin(TimeGenerated, 1m)\\n| project timekey, ActingProcessId, Dvc\\n| join kind=inner (\\n imProcess\\n | where EventType =~ \\\"ProcessCreated\\\"\\n | where Process =~ \\\"sdelete.exe\\\" or CommandLine has \\\"sdelete\\\"\\n | where ActingProcessName endswith \\\"svchost.exe\\\"\\n | where CommandLine has_all (\\\"-s\\\", \\\"-r\\\")\\n | extend timekey = bin(TimeGenerated, 1m)\\n ) \\n on $left.ActingProcessId == $right.ParentProcessId, timekey, Dvc\\n| extend AccountName = tostring(split(ActorUsername, @\u0027\\\\\u0027)[1]), AccountNTDomain = tostring(split(ActorUsername, @\u0027\\\\\u0027)[0])\\n| extend HostName = tostring(split(Dvc, \\\".\\\")[0]), DomainIndex = toint(indexof(Dvc, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Dvc, DomainIndex + 1), Dvc)\\n| project-away DomainIndex\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ActorUsername\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Dvc\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DvcIpAddr\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Sdelete deployed via GPO and run recursively (ASIM Version)\",\"description\":\"This query looks for the Sdelete process being run recursively after being deployed to a host via GPO. Attackers could use this technique to deploy Sdelete to multiple host and delete data on them.\\n This query uses the Advanced Security Information Model. Parsers will need to be deployed before use: https://docs.microsoft.com/azure/sentinel/normalization\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2022-03-01T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3d023f64-8225-41a2-9570-2bd7c2c4535e\",\"name\":\"3d023f64-8225-41a2-9570-2bd7c2c4535e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1DT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.3\",\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\nlet spanoftime = 10m;\\nlet threshold = 0;\\n (union isfuzzy=true\\n (SecurityEvent\\n | where TimeGenerated \u003e ago(timeframe+spanoftime)\\n // A user account was enabled\\n | where EventID == 4722\\n | where AccountType =~ \\\"User\\\"\\n | where TargetAccount !endswith \\\"$\\\"\\n | project EnableTime = TimeGenerated, EnableEventID = EventID, EnableActivity = Activity, Computer = toupper(Computer), \\n TargetAccount = tolower(TargetAccount), TargetUserName, TargetDomainName, TargetSid, \\n AccountUsedToEnable = SubjectAccount, EnabledBySubjectUserName = SubjectUserName, EnabledBySubjectDomainName = SubjectDomainName, SIDofAccountUsedToEnable = SubjectUserSid, UserPrincipalName\\n ),\\n (\\n WindowsEvent\\n | where TimeGenerated \u003e ago(timeframe+spanoftime)\\n // A user account was enabled\\n | where EventID == 4722\\n | extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n | extend AccountType=case(EventData.SubjectUserName endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n | where AccountType =~ \\\"User\\\"\\n | extend SubjectAccount = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n | extend SubjectDomainName = tostring(EventData.SubjectDomainName), SubjectUserName = tostring(EventData.SubjectUserName)\\n | extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n | where TargetAccount !endswith \\\"$\\\"\\n | extend Activity=\\\"4722 - A user account was enabled.\\\"\\n | extend TargetUserName = tostring(EventData.TargetUserName), TargetDomainName = tostring(EventData.TargetDomainName) \\n | extend TargetSid = tostring(EventData.TargetSid)\\n | extend UserPrincipalName = tostring(EventData.UserPrincipalName)\\n | project EnableTime = TimeGenerated, EnableEventID = EventID, EnableActivity = Activity, Computer = toupper(Computer), \\n TargetAccount = tolower(TargetAccount), TargetUserName, TargetDomainName, TargetSid, \\n AccountUsedToEnable = SubjectAccount, EnabledBySubjectUserName = SubjectUserName, EnabledBySubjectDomainName = SubjectDomainName, SIDofAccountUsedToEnable = SubjectUserSid, UserPrincipalName\\n )\\n )\\n| join kind= inner (\\n (union isfuzzy=true\\n (SecurityEvent\\n | where TimeGenerated \u003e ago(timeframe)\\n // A user account was disabled\\n | where EventID == 4725\\n | where AccountType =~ \\\"User\\\"\\n | project DisableTime = TimeGenerated, DisableEventID = EventID, DisableActivity = Activity, Computer = toupper(Computer), \\n TargetAccount = tolower(TargetAccount), TargetUserName, TargetDomainName, TargetSid, \\n AccountUsedToDisable = SubjectAccount, DisabledBySubjectUserName = SubjectUserName, DisabledBySubjectDomainName = SubjectDomainName, SIDofAccountUsedToDisable = SubjectUserSid, UserPrincipalName\\n ),\\n (WindowsEvent\\n | where TimeGenerated \u003e ago(timeframe)\\n // A user account was disabled\\n | where EventID == 4725\\n | extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n | extend AccountType=case(EventData.SubjectUserName endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n | where AccountType =~ \\\"User\\\"\\n | extend SubjectAccount = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n | extend SubjectDomainName = tostring(EventData.SubjectDomainName), SubjectUserName = tostring(EventData.SubjectUserName)\\n | extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n | extend TargetUserName = tostring(EventData.TargetUserName), TargetDomainName = tostring(EventData.TargetDomainName) \\n | extend TargetSid = tostring(EventData.TargetSid)\\n | extend UserPrincipalName = tostring(EventData.UserPrincipalName)\\n | extend Activity = \\\"4725 - A user account was disabled.\\\"\\n | project DisableTime = TimeGenerated, DisableEventID = EventID, DisableActivity = Activity, Computer = toupper(Computer), \\n TargetAccount = tolower(TargetAccount), TargetUserName, TargetDomainName, TargetSid, \\n AccountUsedToDisable = SubjectAccount, DisabledBySubjectUserName = SubjectUserName, DisabledBySubjectDomainName = SubjectDomainName, SIDofAccountUsedToDisable = SubjectUserSid, UserPrincipalName\\n )\\n )\\n) on Computer, TargetAccount\\n| where DisableTime - EnableTime \u003c spanoftime\\n| extend TimeDelta = DisableTime - EnableTime\\n| where tolong(TimeDelta) \u003e= threshold\\n| project TimeDelta, EnableTime, EnableEventID, EnableActivity, Computer, TargetAccount, TargetSid, TargetUserName, TargetDomainName, UserPrincipalName, \\nAccountUsedToEnable, SIDofAccountUsedToEnable, DisableTime, DisableEventID, DisableActivity, AccountUsedToDisable, SIDofAccountUsedToDisable, \\nEnabledBySubjectUserName, EnabledBySubjectDomainName, DisabledBySubjectUserName, DisabledBySubjectDomainName\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| project-away DomainIndex\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountUsedToEnable\"},{\"identifier\":\"Name\",\"columnName\":\"EnabledBySubjectUserName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"EnabledBySubjectDomainName\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountUsedToDisable\"},{\"identifier\":\"Name\",\"columnName\":\"DisabledBySubjectUserName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"DisabledBySubjectDomainName\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetAccount\"},{\"identifier\":\"Name\",\"columnName\":\"TargetUserName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"TargetDomainName\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Sid\",\"columnName\":\"TargetSid\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"User account enabled and disabled within 10 mins\",\"description\":\"Identifies when a user account is enabled and then disabled within 10 minutes. This can be an indication of compromise and an adversary attempting to hide in the noise.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/779731f7-8ba0-4198-8524-5701b7defddc\",\"name\":\"779731f7-8ba0-4198-8524-5701b7defddc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"Medium\",\"query\":\"let Alert_List= dynamic([\\n\\\"Phishing link click observed in Network Traffic\\\",\\n\\\"Phish delivered due to an IP allow policy\\\",\\n\\\"A potentially malicious URL click was detected\\\",\\n\\\"High Risk Sign-in Observed in Network Traffic\\\",\\n\\\"A user clicked through to a potentially malicious URL\\\",\\n\\\"Suspicious network connection to AitM phishing site\\\",\\n\\\"Messages containing malicious entity not removed after delivery\\\",\\n\\\"Email messages containing malicious URL removed after delivery\\\",\\n\\\"Email reported by user as malware or phish\\\",\\n\\\"Phish delivered due to an ETR override\\\",\\n\\\"Phish not zapped because ZAP is disabled\\\"]);\\nSecurityAlert\\n| where AlertName in~ (Alert_List)\\n//Findling Alerts which has the URL\\n| where Entities has \\\"url\\\"\\n//extracting Entities\\n| extend Entities = parse_json(Entities)\\n| mv-apply Entity = Entities on\\n (\\n where Entity.Type == \u0027url\u0027\\n | extend EntityUrl = tostring(Entity.Url)\\n )\\n| summarize\\n Url=tostring(tolower(take_any(EntityUrl))),\\n AlertTime= min(TimeGenerated),\\n make_set(SystemAlertId, 100)\\n by ProductName, AlertName\\n// matching with 3rd party network logs and 3p Alerts\\n| join kind= inner (CommonSecurityLog\\n | where DeviceVendor has_any (\\\"Palo Alto Networks\\\", \\\"Fortinet\\\", \\\"Check Point\\\", \\\"Zscaler\\\")\\n | where DeviceProduct startswith \\\"FortiGate\\\" or DeviceProduct startswith \\\"PAN\\\" or DeviceProduct startswith \\\"VPN\\\" or DeviceProduct startswith \\\"FireWall\\\" or DeviceProduct startswith \\\"NSSWeblog\\\" or DeviceProduct startswith \\\"URL\\\"\\n | where DeviceAction != \\\"Block\\\"\\n | where isnotempty(RequestURL)\\n | project\\n 3plogTime=TimeGenerated,\\n DeviceVendor,\\n DeviceProduct,\\n Activity,\\n DestinationHostName,\\n DestinationIP,\\n RequestURL=tostring(tolower(RequestURL)),\\n MaliciousIP,\\n SourceUserName=tostring(tolower(SourceUserName)),\\n IndicatorThreatType,\\n ThreatSeverity,\\n ThreatConfidence,\\n SourceUserID,\\n SourceHostName)\\n on $left.Url == $right.RequestURL\\n// matching successful Login from suspicious IP\\n| join kind=inner (SigninLogs\\n //filtering the Successful Login\\n | where ResultType == 0\\n | project\\n IPAddress,\\n SourceSystem,\\n SigniningTime= TimeGenerated,\\n OperationName,\\n ResultType,\\n ResultDescription,\\n AlternateSignInName,\\n AppDisplayName,\\n AuthenticationRequirement,\\n ClientAppUsed,\\n RiskState,\\n RiskLevelDuringSignIn,\\n UserPrincipalName=tostring(tolower(UserPrincipalName)),\\n Name = tostring(split(UserPrincipalName, \\\"@\\\")[0]),\\n UPNSuffix =tostring(split(UserPrincipalName, \\\"@\\\")[1]))\\n on $left.DestinationIP == $right.IPAddress and $left.SourceUserName == $right.UserPrincipalName\\n| where SigniningTime between ((AlertTime - 6h) .. (AlertTime + 6h)) and 3plogTime between ((AlertTime - 6h) .. (AlertTime + 6h))\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DestinationIP\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"DestinationHostName\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SourceSystem\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"RequestURL\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"M365D Alerts Correlation to non-Microsoft Network device network activity involved in successful sign-in Activity\",\"description\":\"This content is employed to correlate with Microsoft Defender XDR phishing-related alerts. It focuses on instances where a user successfully connects to a phishing URL from a non-Microsoft network device and subsequently makes successful sign-in attempts from the phishing IP address.\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2023-05-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"OfficeATP\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog (Fortinet)\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog (CheckPoint)\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog (Zscaler)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2a09f8cb-deb7-4c40-b08b-9137667f1c0b\",\"name\":\"2a09f8cb-deb7-4c40-b08b-9137667f1c0b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Low\",\"query\":\"AuditLogs\\n | where OperationName in (\\\"Add eligible member (permanent)\\\", \\\"Add eligible member (eligible)\\\", \\\"Add member to role\\\")\\n | mv-apply TargetResource = TargetResources on \\n (\\n where TargetResource.type =~ \\\"User\\\"\\n | extend Target = tostring(TargetResource.userPrincipalName),\\n props = TargetResource.modifiedProperties\\n )\\n | mv-apply Property = props on \\n (\\n where Property.displayName =~ \\\"Role.DisplayName\\\"\\n | extend RoleName = trim(\u0027\\\"\u0027,tostring(Property.newValue))\\n )\\n | where RoleName contains \\\"admin\\\"\\n | extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n | extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n | extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n | extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n | extend InitiatingIPAddress = tostring(InitiatedBy.user.ipAddress)\\n | extend InitiatedBy = iif(isnotempty(InitiatingAppName), InitiatingAppName, InitiatingUserPrincipalName)\\n | extend TargetUserPrincipalName = iff(OperationName==\\\"Add member to role\\\",tostring(TargetResources[0].userPrincipalName),tostring(TargetResources[2].userPrincipalName))\\n | extend TargetAadUserId = iff(OperationName==\\\"Add member to role\\\", tostring(TargetResources[0].id), tostring(TargetResources[2].id))\\n | extend AddedUser = TargetUserPrincipalName\\n | extend TargetAccountName = tostring(split(TargetUserPrincipalName, \\\"@\\\")[0]), TargetAccountUPNSuffix = tostring(split(TargetUserPrincipalName, \\\"@\\\")[1])\\n | extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[1])\\n | project-reorder TimeGenerated, AddedUser, RoleName, InitiatedBy\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"TargetAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"TargetAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"TargetAadUserId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatingAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatingAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"User Added to Admin Role\",\"description\":\"Detects a user being added to a new privileged role. Monitor these additions to ensure the users are made eligible for these roles are intended to have these levels of access.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts\",\"lastUpdatedDateUTC\":\"2024-03-27T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/979c42dd-533e-4ede-b18b-31a84ba8b3d6\",\"name\":\"979c42dd-533e-4ede-b18b-31a84ba8b3d6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"High\",\"query\":\"Event\\n| where EventLog == \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID in (13)\\n| parse EventData with * \u0027ProcessId\\\"\u003e\u0027 ProcessId \\\"\u003c\\\"* \u0027Image\\\"\u003e\u0027 Image \\\"\u003c\\\" * \u0027TargetObject\\\"\u003e\u0027 TargetObject \\\"\u003c\\\" * \u0027Details\\\"\u003e\u0027 Details \\\"\u003c\\\" * \u0027User\\\"\u003e\u0027 User \\\"\u003c\\\" * \\n| where TargetObject has (\\\"HKLM\\\\\\\\System\\\\\\\\CurrentControlSet\\\\\\\\Control\\\\\\\\Lsa\\\\\\\\DsrmAdminLogonBehavior\\\") and Details == \\\"DWORD (0x00000002)\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, User, ProcessId, Image, TargetObject, Details, _ResourceId\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| extend AccountName = tostring(split(User, \\\"\\\\\\\\\\\")[1]), AccountNTDomain = tostring(split(User, \\\"\\\\\\\\\\\")[0])\\n| extend ImageFileName = tostring(split(Image, \\\"\\\\\\\\\\\")[-1])\\n| extend ImageDirectory = replace_string(Image, ImageFileName, \\\"\\\")\\n| project-away DomainIndex\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"User\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessId\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"ImageFileName\"},{\"identifier\":\"Directory\",\"columnName\":\"ImageDirectory\"}]},{\"entityType\":\"RegistryKey\",\"fieldMappings\":[{\"identifier\":\"Key\",\"columnName\":\"TargetObject\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"DSRM Account Abuse\",\"description\":\"This query detects an abuse of the DSRM account in order to maintain persistence and access to the organization\u0027s Active Directory.\\nRef: https://adsecurity.org/?p=1785\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2022-03-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6c360107-f3ee-4b91-9f43-f4cfd90441cf\",\"name\":\"6c360107-f3ee-4b91-9f43-f4cfd90441cf\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.2\",\"severity\":\"Low\",\"query\":\"union isfuzzy=true\\n(\\n SecurityEvent\\n | where EventID == 4738\\n // 2089 value indicates the Don\u0027t Expire Password value has been set\\n | where UserAccountControl has \\\"%%2089\\\"\\n | extend Value_2089 = iff(UserAccountControl has \\\"%%2089\\\",\\\"\u0027Don\u0027t Expire Password\u0027 - Enabled\\\", \\\"Not Changed\\\")\\n // 2050 indicates that the Password Not Required value is NOT set, this often shows up at the same time as a 2089 and is the recommended value. This value may not be in the event.\\n | extend Value_2050 = iff(UserAccountControl has \\\"%%2050\\\",\\\"\u0027Password Not Required\u0027 - Disabled\\\", \\\"Not Changed\\\")\\n // If value %%2082 is present in the 4738 event, this indicates the account has been configured to logon WITHOUT a password. Generally you should only see this value when an account is created and only in Event 4720: Account Creation Event.\\n | extend Value_2082 = iff(UserAccountControl has \\\"%%2082\\\",\\\"\u0027Password Not Required\u0027 - Enabled\\\", \\\"Not Changed\\\")\\n | project StartTime = TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, \\n AccountType, UserAccountControl, Value_2089, Value_2050, Value_2082, SubjectAccount, SubjectUserName, SubjectDomainName, SubjectUserSid\\n ),\\n (\\n WindowsEvent\\n | where EventID == 4738 and EventData has \u00272089\u0027\\n // 2089 value indicates the Don\u0027t Expire Password value has been set\\n | extend UserAccountControl = tostring(EventData.UserAccountControl)\\n | where UserAccountControl has \\\"%%2089\\\"\\n | extend Value_2089 = iff(UserAccountControl has \\\"%%2089\\\",\\\"\u0027Don\u0027t Expire Password\u0027 - Enabled\\\", \\\"Not Changed\\\")\\n // 2050 indicates that the Password Not Required value is NOT set, this often shows up at the same time as a 2089 and is the recommended value. This value may not be in the event.\\n | extend Value_2050 = iff(UserAccountControl has \\\"%%2050\\\",\\\"\u0027Password Not Required\u0027 - Disabled\\\", \\\"Not Changed\\\")\\n // If value %%2082 is present in the 4738 event, this indicates the account has been configured to logon WITHOUT a password. Generally you should only see this value when an account is created and only in Event 4720: Account Creation Event.\\n | extend Value_2082 = iff(UserAccountControl has \\\"%%2082\\\",\\\"\u0027Password Not Required\u0027 - Enabled\\\", \\\"Not Changed\\\")\\n | extend Activity=\\\"4738 - A user account was changed.\\\"\\n | extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n | extend TargetSid = tostring(EventData.TargetSid)\\n | extend SubjectAccount = strcat(EventData.SubjectDomainName,\\\"\\\\\\\\\\\", EventData.SubjectUserName)\\n | extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n | extend AccountType=case(SubjectAccount endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n | project StartTime = TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetUserName = tostring(EventData.TargetUserName), TargetDomainName = tostring(EventData.TargetDomainName), TargetSid, \\n AccountType, UserAccountControl, Value_2089, Value_2050, Value_2082, SubjectAccount, SubjectDomainName = tostring(EventData.SubjectDomainName), SubjectUserName = tostring(EventData.SubjectUserName), SubjectUserSid = tostring(EventData.SubjectUserSid)\\n )\\n | extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n | extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n | project-away DomainIndex\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetAccount\"},{\"identifier\":\"Name\",\"columnName\":\"TargetUserName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"TargetDomainName\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Sid\",\"columnName\":\"TargetSid\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SubjectAccount\"},{\"identifier\":\"Name\",\"columnName\":\"SubjectUserName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"SubjectDomainName\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Sid\",\"columnName\":\"SubjectUserSid\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"AD account with Don\u0027t Expire Password\",\"description\":\"Identifies whenever a user account has the setting \\\"Password Never Expires\\\" in the user account properties selected.\\nThis is indicated in Security event 4738 in the EventData item labeled UserAccountControl with an included value of %%2089.\\n%%2089 resolves to \\\"Don\u0027t Expire Password - Enabled\\\".\",\"lastUpdatedDateUTC\":\"2024-01-22T00:00:00Z\",\"createdDateUTC\":\"2019-01-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6267ce44-1e9d-471b-9f1e-ae76a6b7aa84\",\"name\":\"6267ce44-1e9d-471b-9f1e-ae76a6b7aa84\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Medium\",\"query\":\"let Alerts = SecurityAlert\\n| where AlertName =~ \\\"mass download by a single user\\\"\\n| where Status != \u0027Resolved\u0027\\n| extend ipEnt = parse_json(Entities), accountEnt = parse_json(Entities)\\n| mv-apply tempParams = ipEnt on (\\nmv-expand ipEnt\\n| where ipEnt.Type == \\\"ip\\\" \\n| extend IpAddress = tostring(ipEnt.Address)\\n)\\n| mv-apply tempParams = accountEnt on (\\nmv-expand accountEnt\\n| where accountEnt.Type == \\\"account\\\"\\n| extend AADUserId = tostring(accountEnt.AadUserId)\\n)\\n| extend Alert_TimeGenerated = TimeGenerated\\n| distinct Alert_TimeGenerated, IpAddress, AADUserId, DisplayName, Description, ProductName, ExtendedProperties, Entities, Status, CompromisedEntity\\n;\\nlet CA_Events = CloudAppEvents\\n| where ActionType == \\\"FileDownloaded\\\"\\n| extend parsed = parse_json(RawEventData)\\n| extend UserId = tostring(parsed.UserId)\\n| extend FileName = tostring(parsed.SourceFileName)\\n| extend FileExtension = tostring(parsed.SourceFileExtension)\\n| summarize CloudAppEvent_StartTime = min(TimeGenerated), CloudAppEvent_EndTime = max(TimeGenerated), CloudAppEvent_Files = make_set(FileName), FileCount = dcount(FileName) by Application, AccountObjectId, UserId, IPAddress, City, CountryCode\\n| extend CloudAppEvents_Details = pack_all();\\nlet CA_Alerts_Events = Alerts | join kind=inner (CA_Events)\\non $left.AADUserId == $right.AccountObjectId and $left.IpAddress == $right.IPAddress\\n// Cloud app event comes before Alert\\n| where CloudAppEvent_EndTime \u003c= Alert_TimeGenerated\\n| project Alert_TimeGenerated, UserId, AADUserId, IPAddress, CloudAppEvents_Details, CloudAppEvent_Files\\n;\\n// setup list to filter DeviceFileEvents for only files downloaded as indicated by CloudAppEvents\\nlet CA_FileList = CA_Alerts_Events | project CloudAppEvent_Files;\\nCA_Alerts_Events\\n| join kind=inner ( DeviceFileEvents\\n| where ActionType in (\\\"FileCreated\\\", \\\"FileRenamed\\\")\\n| where FileName in~ (CA_FileList)\\n| summarize DeviceFileEvent_StartTime = min(TimeGenerated), DeviceFileEvent_EndTime = max(TimeGenerated), DeviceFileEvent_Files = make_set(FolderPath), DeviceFileEvent_FileCount = dcount(FolderPath) by InitiatingProcessAccountUpn, DeviceId, DeviceName, InitiatingProcessFolderPath, InitiatingProcessParentFileName//, InitiatingProcessCommandLine\\n| extend DeviceFileEvents_Details = pack_all()\\n) on $left.UserId == $right.InitiatingProcessAccountUpn\\n| where DeviceFileEvent_StartTime \u003e= Alert_TimeGenerated\\n| join kind=inner (\\n// get device events where a USB drive was mounted\\nDeviceEvents\\n| where ActionType == \\\"UsbDriveMounted\\\"\\n| extend parsed = parse_json(AdditionalFields)\\n| extend USB_DriveLetter = tostring(AdditionalFields.DriveLetter), USB_ProductName = tostring(AdditionalFields.ProductName), USB_Volume = tostring(AdditionalFields.Volume)\\n| where isnotempty(USB_DriveLetter)\\n| project USB_TimeGenerated = TimeGenerated, DeviceId, USB_DriveLetter, USB_ProductName, USB_Volume\\n| extend USB_Details = pack_all()\\n) \\non DeviceId\\n// USB event occurs after the Alert\\n| where USB_TimeGenerated \u003e= Alert_TimeGenerated\\n| mv-expand DeviceFileEvent_Files\\n| extend DeviceFileEvent_Files = tostring(DeviceFileEvent_Files)\\n// make sure that we only pickup the files that have the USB drive letter\\n| where DeviceFileEvent_Files startswith USB_DriveLetter\\n| summarize USB_Drive_MatchedFiles = make_set_if(DeviceFileEvent_Files, DeviceFileEvent_Files startswith USB_DriveLetter) by Alert_TimeGenerated, USB_TimeGenerated, UserId, AADUserId, DeviceId, DeviceName, IPAddress, CloudAppEvents_Details = tostring(CloudAppEvents_Details), DeviceFileEvents_Details = tostring(DeviceFileEvents_Details), USB_Details = tostring(USB_Details)\\n| extend InitiatingProcessFileName = tostring(split(todynamic(DeviceFileEvents_Details).InitiatingProcessFolderPath, \\\"\\\\\\\\\\\")[-1]), InitiatingProcessFolderPath = tostring(todynamic(DeviceFileEvents_Details).InitiatingProcessFolderPath)\\n| extend HostName = tostring(split(DeviceName, \\\".\\\")[0]), DomainIndex = toint(indexof(DeviceName, \u0027.\u0027))\\n| extend HostNameDomain = iff(DeviceName != -1, substring(DeviceName, DomainIndex + 1), DeviceName)\\n| extend AccountName = tostring(split(UserId, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(UserId, \\\"@\\\")[1])\\n| project-away DomainIndex\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserId\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"AADUserId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DeviceName\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"InitiatingProcessFileName\"},{\"identifier\":\"Directory\",\"columnName\":\"InitiatingProcessFolderPath\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"Mass Download \u0026 copy to USB device by single user\",\"description\":\"This query looks for any mass download by a single user with possible file copy activity to a new USB drive. Malicious insiders may perform such activities that may cause harm to the organization. \\nThis query could also reveal unintentional insider that had no intention of malicious activity but their actions may impact an organizations security posture.\\nReference:https://docs.microsoft.com/defender-cloud-apps/policy-template-reference\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2022-04-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftCloudAppSecurity\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"CloudAppEvents\",\"DeviceEvents\",\"DeviceFileEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ce74dc9a-cb3c-4081-8c2f-7d39f6b7bae1\",\"name\":\"ce74dc9a-cb3c-4081-8c2f-7d39f6b7bae1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"High\",\"query\":\"(union isfuzzy=true\\n(SecurityEvent\\n| where EventID == 4688\\n| where Process has_any (\\\"powershell.exe\\\",\\\"powershell_ise.exe\\\",\\\"pwsh.exe\\\") and CommandLine has_cs \\\"-exec bypass -w 1 -enc\\\"\\n| where CommandLine contains_cs \\\"UwB0AGEAcgB0AC0ASgBvAGIAIAAtAFMAYwByAGkAcAB0AEIAbABvAGMAawAgAHsAKABzAGEAcABzACAAKAAiAHAA\\\"\\n| extend DvcHostname = Computer, ProcessId = tostring(ProcessId), ActorUsername = Account\\n),\\n(DeviceProcessEvents\\n| where FileName =~ \\\"powershell.exe\\\" and ProcessCommandLine has_cs \\\"-exec bypass -w 1 -enc\\\"\\n| where ProcessCommandLine contains_cs \\\"UwB0AGEAcgB0AC0ASgBvAGIAIAAtAFMAYwByAGkAcAB0AEIAbABvAGMAawAgAHsAKABzAGEAcABzACAAKAAiAHAA\\\"\\n| extend DvcHostname = DeviceName, ProcessId = tostring(InitiatingProcessId), ActorUsername = strcat(AccountDomain, @\\\"\\\\\\\", AccountName)\\n),\\n(imProcessCreate\\n| where Process has_any (\\\"powershell.exe\\\",\\\"powershell_ise.exe\\\",\\\"pwsh.exe\\\") and CommandLine has_cs \\\"-exec bypass -w 1 -enc\\\"\\n| where CommandLine contains_cs \\\"UwB0AGEAcgB0AC0ASgBvAGIAIAAtAFMAYwByAGkAcAB0AEIAbABvAGMAawAgAHsAKABzAGEAcABzACAAKAAiAHAA\\\"\\n| extend ProcessId = tostring(TargetProcessId)\\n)\\n)\\n| extend AccountName = tostring(split(ActorUsername, \\\"\\\\\\\\\\\")[0]), AccountNTDomain = tostring(split(ActorUsername, \\\"\\\\\\\\\\\")[1])\\n| extend HostName = tostring(split(DvcHostname, \\\".\\\")[0]), DomainIndex = toint(indexof(DvcHostname, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(DvcHostname, DomainIndex + 1), DvcHostname)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ActorUsername\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DvcHostname\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessId\"}]}],\"tactics\":[\"LateralMovement\"],\"displayName\":\"Identify Mango Sandstorm powershell commands\",\"description\":\"The query below identifies powershell commands used by the threat actor Mango Sandstorm.\\nReference: https://www.microsoft.com/security/blog/2022/08/25/mercury-leveraging-log4j-2-vulnerabilities-in-unpatched-systems-to-target-israeli-organizations/\",\"lastUpdatedDateUTC\":\"2024-11-25T00:00:00Z\",\"createdDateUTC\":\"2022-08-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/58fc0170-0877-4ea8-a9ff-d805e361cfae\",\"name\":\"58fc0170-0877-4ea8-a9ff-d805e361cfae\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Low\",\"query\":\"let schedule_lookback = 14d;\\nlet join_lookback = 1d;\\n// If you want to whitelist specific timezones include them in a list here\\nlet tz_whitelist = dynamic([]);\\nlet meetings = (\\nZoomLogs\\n| where TimeGenerated \u003e= ago(schedule_lookback)\\n| where Event =~ \\\"meeting.created\\\"\\n| extend MeetingId = tostring(parse_json(MeetingEvents).MeetingId)\\n| extend SchedTimezone = tostring(parse_json(MeetingEvents).Timezone));\\nZoomLogs\\n| where TimeGenerated \u003e= ago(join_lookback)\\n| where Event =~ \\\"meeting.participant_joined\\\"\\n| extend JoinedTimeZone = tostring(parse_json(MeetingEvents).Timezone)\\n| extend MeetingName = tostring(parse_json(MeetingEvents).MeetingName)\\n| extend MeetingId = tostring(parse_json(MeetingEvents).MeetingId)\\n| where JoinedTimeZone !in (tz_whitelist)\\n| join (meetings) on MeetingId\\n| where SchedTimezone != JoinedTimeZone\\n| project TimeGenerated, MeetingName, JoiningUser=payload_object_participant_user_name_s, JoinedTimeZone, SchedTimezone, MeetingScheduler=User1\\n| extend AccountName = tostring(split(JoiningUser, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(JoiningUser, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"JoiningUser\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]}],\"tactics\":[\"InitialAccess\",\"PrivilegeEscalation\"],\"displayName\":\"User joining Zoom meeting from suspicious timezone\",\"description\":\"The alert shows users that join a Zoom meeting from a time zone other than the one the meeting was created in.\\nYou can also whitelist known good time zones in the tz_whitelist value using the tz database name format https://en.wikipedia.org/wiki/List_of_tz_database_time_zones\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2020-04-24T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ffcd575b-3d54-482a-a6d8-d0de13b6ac63\",\"name\":\"ffcd575b-3d54-482a-a6d8-d0de13b6ac63\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.6\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @\u0027^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$\u0027;\\nThreatIntelligenceIndicator\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n| where TimeGenerated \u003e= ago(ioc_lookBack)\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true and ExpirationDateTime \u003e now()\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n CommonSecurityLog | where TimeGenerated \u003e= ago(dt_lookBack) and isnotempty(DestinationUserID)\\n // Filtering PAN Logs for specific event type to match relevant email entities\\n | where DeviceVendor == \\\"Palo Alto Networks\\\" and DeviceEventClassID == \\\"wildfire\\\" and ApplicationProtocol in (\\\"smtp\\\",\\\"pop3\\\")\\n | extend DestinationUserID = tolower(DestinationUserID)\\n | where DestinationUserID matches regex emailregex\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n)\\non $left.EmailSenderAddress == $right.DestinationUserID\\n| where CommonSecurityLog_TimeGenerated \u003c ExpirationDateTime\\n| summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, DestinationUserID\\n| project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, EmailSenderName, EmailRecipient,\\nEmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, DestinationUserID, DeviceEventClassID, LogSeverity, DeviceAction, SourceIP, SourcePort,\\nDestinationIP, DestinationPort, Protocol, ApplicationProtocol\\n| extend timestamp = CommonSecurityLog_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"DestinationUserID\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"TI map Email entity to PaloAlto CommonSecurityLog\",\"description\":\"Identifies a match in CommonSecurityLog table from any Email IOC from TI\",\"lastUpdatedDateUTC\":\"2024-07-10T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8ee967a2-a645-4832-85f4-72b635bcb3a6\",\"name\":\"8ee967a2-a645-4832-85f4-72b635bcb3a6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.2\",\"severity\":\"Medium\",\"query\":\"//Adjust this threshold to fit the environment\\nlet signin_threshold = 5;\\n//Make a list of all IPs with failed signins to AAD above our threshold\\nlet aadFunc = (tableName:string){\\nlet suspicious_signins =\\ntable(tableName)\\n| where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n| where IPAddress !in (\u0027127.0.0.1\u0027, \u0027::1\u0027, \u0027\u0027)\\n| summarize count() by IPAddress\\n| where count_ \u003e signin_threshold\\n| summarize make_set(IPAddress);\\n//See if any of these IPs have sucessfully logged into *nix hosts\\nlet linux_logons =\\nSyslog\\n| where Facility contains \\\"auth\\\" and ProcessName != \\\"sudo\\\"\\n| where SyslogMessage has \\\"Accepted\\\"\\n| extend SourceIP = extract(\\\"(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.(([0-9]{1,3})))\\\",1,SyslogMessage)\\n| where SourceIP in (suspicious_signins)\\n| extend Reason = \\\"Multiple failed AAD logins from IP address\\\"\\n| project TimeGenerated, Computer, HostIP, IpAddress = SourceIP, SyslogMessage, Facility, ProcessName, Reason;\\n//See if any of these IPs have sucessfully logged into Windows hosts\\nlet win_logons = (union isfuzzy=true\\n(SecurityEvent\\n| where EventID == 4624\\n| where LogonType in (10, 7, 3)\\n| where IpAddress != \\\"-\\\"\\n| where IpAddress in (suspicious_signins)\\n| extend Reason = \\\"Multiple failed AAD logins from IP address\\\"\\n| project TimeGenerated, Account, AccountType, Computer, Activity, EventID, LogonProcessName, IpAddress, LogonTypeName, TargetUserSid, TargetUserName, TargetDomainName, _ResourceId, Reason\\n),\\n(WindowsEvent\\n| where EventID == 4624 and has_any_ipv4(EventData, toscalar(suspicious_signins))\\n| extend LogonType = tostring(EventData.LogonType)\\n| where LogonType in (10, 7, 3)\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| where IpAddress != \\\"-\\\"\\n| where IpAddress in (suspicious_signins)\\n| extend Reason = \\\"Multiple failed AAD logins from IP address\\\"\\n| extend Activity = \\\"4624 - An account was successfully logged on.\\\"\\n| extend TargetUserName = tostring(EventData.TargetUserName), TargetDomainName = tostring(EventData.TargetDomainName)\\n| extend Account = strcat(TargetDomainName,\\\"\\\\\\\\\\\", TargetUserName)\\n| extend TargetUserSid = tostring(EventData.TargetUserSid)\\n| extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| extend AccountType =case(Account endswith \\\"$\\\" or TargetUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(TargetUserSid), \\\"\\\", \\\"User\\\")\\n| extend LogonProcessName = tostring(EventData.LogonProcessName)\\n| project TimeGenerated, Account, AccountType, Computer, Activity, EventID, LogonProcessName, IpAddress, TargetUserSid, TargetUserName, TargetDomainName, _ResourceId, Reason\\n)\\n);\\nunion isfuzzy=true linux_logons,win_logons\\n| extend timestamp = TimeGenerated\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex+1), Computer)\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"},{\"identifier\":\"Name\",\"columnName\":\"TargetUserName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"TargetDomainName\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"AzureID\",\"columnName\":\"_ResourceId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]}],\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"Failed AzureAD logons but success logon to host\",\"description\":\"Identifies a list of IP addresses with a minimum number (default of 5) of failed logon attempts to Microsoft Entra ID.\\nUses that list to identify any successful remote logons to hosts from these IPs within the same timeframe.\",\"lastUpdatedDateUTC\":\"2024-10-17T00:00:00Z\",\"createdDateUTC\":\"2019-08-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a09a0b8e-30fe-4ebf-94a0-cffe50f579cd\",\"name\":\"a09a0b8e-30fe-4ebf-94a0-cffe50f579cd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n | where OperationName =~ \\\"Update user\\\"\\n | where Result =~ \\\"success\\\"\\n | mv-expand TargetResources\\n | mv-expand TargetResources.modifiedProperties\\n | where TargetResources_modifiedProperties.displayName =~ \\\"TargetId.UserType\\\"\\n | extend UpdatingAppName = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n | extend UpdatingServicePrincipalId = tostring(parse_json(tostring(InitiatedBy.app)).servicePrincipalId)\\n | extend UpdatingUserPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend UpdatingUserAadUserId = tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend UpdatingUserIPAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n | extend UpdatingUser = iif(isnotempty(UpdatingServicePrincipalId), UpdatingServicePrincipalId, UpdatingUserPrincipalName)\\n | extend UpdatedUserPrincipalName = tostring(TargetResources.userPrincipalName)\\n | project-reorder TimeGenerated, UpdatedUserPrincipalName, UpdatingUser\\n | where parse_json(tostring(TargetResources_modifiedProperties.newValue)) =~ \\\"\\\\\\\"Member\\\\\\\"\\\" and parse_json(tostring(TargetResources_modifiedProperties.oldValue)) =~ \\\"\\\\\\\"Guest\\\\\\\"\\\"\\n | extend InitiatingAccountName = tostring(split(UpdatingUserPrincipalName, \\\"@\\\")[0]), InitiatingAccountUPNSuffix = tostring(split(UpdatingUserPrincipalName, \\\"@\\\")[1])\\n | extend TargetAccountName = tostring(split(UpdatedUserPrincipalName, \\\"@\\\")[0]), TargetAccountUPNSuffix = tostring(split(UpdatedUserPrincipalName, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"UpdatingAppName\"},{\"identifier\":\"AadUserId\",\"columnName\":\"UpdatingServicePrincipalId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UpdatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatingAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatingAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"UpdatingUserAadUserId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UpdatedUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"TargetAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"TargetAccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"UpdatingUserIPAddress\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"User State changed from Guest to Member\",\"description\":\"Detects when a guest account in a tenant is converted to a member of the tenant.\\n Monitoring guest accounts and the access they are provided is important to detect potential account abuse.\\n Accounts converted to members should be investigated to ensure the activity was legitimate.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\",\"lastUpdatedDateUTC\":\"2023-12-30T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/dc99e38c-f4e9-4837-94d7-353ac0b01a77\",\"name\":\"dc99e38c-f4e9-4837-94d7-353ac0b01a77\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Low\",\"query\":\"let threshold = 10;\\nlet default_ad_attributes = dynamic([\\\"LastDirSyncTime\\\", \\\"StsRefreshTokensValidFrom\\\", \\\"Included Updated Properties\\\", \\\"AccountEnabled\\\", \\\"Action Client Name\\\", \\\"SourceAnchor\\\"]);\\nlet addUsers = AuditLogs\\n| where OperationName =~ \\\"Add user\\\"\\n| where Result =~ \\\"success\\\"\\n| extend AccountProperties = TargetResources[0].modifiedProperties\\n| mv-expand AccountProperties\\n;\\naddUsers\\n| evaluate bag_unpack(AccountProperties) : (displayName:string, oldValue: string, newValue: string , TenantId : string, SourceSystem : string, TimeGenerated : datetime, ResourceId : string, OperationName : string, OperationVersion : string, Category : string, ResultType : string, ResultSignature : string, ResultDescription : string, DurationMs : long, CorrelationId : string, Resource : string, ResourceGroup : string, ResourceProvider : string, Identity : string, Level : string, Location : string, AdditionalDetails : dynamic, Id : string, InitiatedBy : dynamic, LoggedByService : string, Result : string, ResultReason : string, TargetResources : dynamic, AADTenantId : string, ActivityDisplayName : string, ActivityDateTime : datetime, AADOperationType : string, Type : string)\\n| extend displayName = column_ifexists(\\\"displayName\\\", \\\"Unknown Value\\\")\\n| summarize count() by displayName, TenantId\\n| where displayName !in (default_ad_attributes)\\n| top threshold by count_ desc\\n| summarize make_set(displayName) by TenantId\\n| join kind=inner (\\naddUsers\\n| extend CreatingUserPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n| extend CreatingAadUserId = tostring(InitiatedBy.user.id)\\n| extend CreatingUserIPAddress = tostring(InitiatedBy.user.ipAddress)\\n| extend CreatedUserPrincipalName = tostring(TargetResources[0].userPrincipalName)\\n| extend PropName = tostring(AccountProperties.displayName)) \\non TenantId\\n| summarize makeset(PropName) by TimeGenerated, CorrelationId, CreatedUserPrincipalName, CreatingUserPrincipalName, CreatingAadUserId, CreatingUserIPAddress, tostring(set_displayName)\\n| extend missing_props = set_difference(todynamic(set_displayName), set_PropName)\\n| where array_length(missing_props) \u003e 0\\n| join kind=innerunique (\\nAuditLogs\\n| where Result =~ \\\"success\\\"\\n| where OperationName =~ \\\"Add user\\\"\\n| extend CreatedUserPrincipalName = tostring(TargetResources[0].userPrincipalName)) \\non CorrelationId, CreatedUserPrincipalName\\n| extend ExpectedProperties = set_displayName\\n| project-away set_displayName, set_PropName\\n| extend InitiatingAccountName = tostring(split(CreatingUserPrincipalName, \\\"@\\\")[0]), InitiatingAccountUPNSuffix = tostring(split(CreatingUserPrincipalName, \\\"@\\\")[1])\\n| extend TargetAccountName = tostring(split(CreatedUserPrincipalName, \\\"@\\\")[0]), TargetAccountUPNSuffix = tostring(split(CreatedUserPrincipalName, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CreatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatingAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatingAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"CreatingAadUserId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CreatedUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"TargetAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"TargetAccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"CreatingUserIPAddress\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"User account created without expected attributes defined\",\"description\":\"This query looks for accounts being created that do not have attributes populated that are commonly populated in the tenant.\\n Attackers may attempt to add accounts as a means of establishing persistant access to an environment, looking for anomalies in created accounts may help identify illegitimately created accounts.\\n Created accounts should be investigated to ensure they were legitimated created.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#accounts-not-following-naming-policies\",\"lastUpdatedDateUTC\":\"2023-12-30T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d9938c3b-16f9-444d-bc22-ea9a9110e0fd\",\"name\":\"d9938c3b-16f9-444d-bc22-ea9a9110e0fd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.3\",\"severity\":\"Medium\",\"query\":\"// Microsoft Entra ID Connect Health Agent - cf6d7e68-f018-4e0a-a7b3-126e053fb88d\\n// Microsoft Entra ID Connect - cb1056e2-e479-49de-ae31-7812af012ed8\\nlet appList = dynamic([\u0027cf6d7e68-f018-4e0a-a7b3-126e053fb88d\u0027,\u0027cb1056e2-e479-49de-ae31-7812af012ed8\u0027]);\\nlet operationNamesList = dynamic([\u0027Microsoft.ADHybridHealthService/services/servicemembers/action\u0027,\u0027Microsoft.ADHybridHealthService/services/delete\u0027]);\\nAzureActivity\\n| where CategoryValue =~ \u0027Administrative\u0027\\n| where ResourceProviderValue =~ \u0027Microsoft.ADHybridHealthService\u0027\\n| where _ResourceId has \u0027AdFederationService\u0027\\n| where OperationNameValue in~ (operationNamesList)\\n| extend claimsJson = parse_json(Claims)\\n| extend AppId = tostring(claimsJson.appid), AccountName = tostring(claimsJson.name), Name = tostring(split(Caller,\u0027@\u0027,0)[0]), UPNSuffix = tostring(split(Caller,\u0027@\u0027,1)[0])\\n| where AppId !in (appList)\\n| project-away claimsJson\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Caller\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"CallerIpAddress\"}]}],\"tactics\":[\"CredentialAccess\",\"DefenseEvasion\"],\"displayName\":\"Microsoft Entra ID Hybrid Health AD FS Suspicious Application\",\"description\":\"This detection uses AzureActivity logs (Administrative category) to identify a suspicious application adding a server instance to an Microsoft Entra ID Hybrid Health AD FS service or deleting the AD FS service instance.\\nUsually the Microsoft Entra ID Connect Health Agent application with ID cf6d7e68-f018-4e0a-a7b3-126e053fb88d and ID cb1056e2-e479-49de-ae31-7812af012ed8 is used to perform those operations.\",\"lastUpdatedDateUTC\":\"2024-03-04T00:00:00Z\",\"createdDateUTC\":\"2021-08-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/218f60de-c269-457a-b882-9966632b9dc6\",\"name\":\"218f60de-c269-457a-b882-9966632b9dc6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.7\",\"severity\":\"High\",\"query\":\"let AdminRecords = AuditLogs\\n| where Category =~ \\\"RoleManagement\\\"\\n| where ActivityDisplayName has_any (\\\"Add eligible member to role\\\", \\\"Add member to role\\\")\\n| mv-apply TargetResource = TargetResources on \\n (\\n where TargetResource.type =~ \\\"User\\\"\\n | extend TargetUserPrincipalName = tostring(TargetResource.userPrincipalName),\\n props = TargetResource.modifiedProperties\\n )\\n| mv-apply Property = props on \\n (\\n where Property.displayName =~ \\\"Role.DisplayName\\\"\\n | extend RoleName = trim(\u0027\\\"\u0027,tostring(Property.newValue))\\n )\\n| where RoleName contains \\\"Admin\\\";\\nAdminRecords\\n| summarize dcount(TargetUserPrincipalName) by bin(TimeGenerated, 1h)\\n| where dcount_TargetUserPrincipalName \u003e 9\\n| join kind=rightsemi (\\n AdminRecords\\n | extend TimeWindow = bin(TimeGenerated, 1h)\\n) on $left.TimeGenerated == $right.TimeWindow\\n| extend InitiatedByUser = iff(isnotempty(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.user.userPrincipalName), \\\"\\\")\\n| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n| extend InitiatingIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\\n| extend TargetName = tostring(split(TargetUserPrincipalName,\u0027@\u0027,0)[0]), TargetUPNSuffix = tostring(split(TargetUserPrincipalName,\u0027@\u0027,1)[0])\\n| extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[1])\",\"customDetails\":{\"InitiatedByUser\":\"InitiatedByUser\",\"TargetUser\":\"TargetUserPrincipalName\"},\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"InitiatingAppName\"},{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAppServicePrincipalId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"TargetName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"TargetUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatingAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatingAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIpAddress\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Bulk Changes to Privileged Account Permissions\",\"description\":\"Identifies when changes to multiple users permissions are changed at once. Investigate immediately if not a planned change. This setting could enable an attacker access to Azure subscriptions in your environment.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-identity-management\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c7bfadd4-34a6-4fa5-82f8-3691a32261e8\",\"name\":\"c7bfadd4-34a6-4fa5-82f8-3691a32261e8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Low\",\"query\":\"let EventNameList = dynamic([\\\"ApplySecurityGroupsToLoadBalancer\\\", \\\"SetSecurityGroups\\\"]);\\nAWSCloudTrail\\n| where EventName in~ (EventNameList)\\n| extend UserIdentityArn = iif(isempty(UserIdentityArn), tostring(parse_json(Resources)[0].ARN), UserIdentityArn)\\n| extend UserName = tostring(split(UserIdentityArn, \u0027/\u0027)[-1])\\n| extend AccountName = case( UserIdentityPrincipalid == \\\"Anonymous\\\", \\\"Anonymous\\\", isempty(UserIdentityUserName), UserName, UserIdentityUserName)\\n| extend AccountName = iif(AccountName contains \\\"@\\\", tostring(split(AccountName, \u0027@\u0027, 0)[0]), AccountName),\\n AccountUPNSuffix = iif(AccountName contains \\\"@\\\", tostring(split(AccountName, \u0027@\u0027, 1)[0]), \\\"\\\")\\n| summarize EventCount=count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated)\\nby EventSource, EventName, UserIdentityType, SourceIpAddress, UserAgent, SessionMfaAuthenticated, AWSRegion,\\nAdditionalEventData, RecipientAccountId, AccountName, AccountUPNSuffix, UserIdentityAccountId, UserIdentityPrincipalid, ResponseElements\\n| extend timestamp = StartTimeUtc\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"},{\"identifier\":\"CloudAppAccountId\",\"columnName\":\"RecipientAccountId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIpAddress\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Changes to AWS Elastic Load Balancer security groups\",\"description\":\"Elastic Load Balancer distributes incoming traffic across multiple instances in multiple availability Zones. This increases the fault tolerance of your applications.\\n Unwanted changes to Elastic Load Balancer specific security groups could open your environment to attack and hence needs monitoring.\\n More information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255 \\n and https://aws.amazon.com/elasticloadbalancing/. \",\"lastUpdatedDateUTC\":\"2024-03-27T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bff093b2-500e-4ae5-bb49-a5b1423cbd5b\",\"name\":\"bff093b2-500e-4ae5-bb49-a5b1423cbd5b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.1.3\",\"severity\":\"Low\",\"query\":\"let TeamsAddDel = (Op:string){\\nOfficeActivity\\n| where OfficeWorkload =~ \\\"MicrosoftTeams\\\"\\n| where Operation == Op\\n| where Members has (\\\"#EXT#\\\")\\n| mv-expand Members\\n| extend UPN = tostring(Members.UPN)\\n| where UPN has (\\\"#EXT#\\\")\\n| project TimeGenerated, Operation, UPN, UserId, TeamName, ClientIP\\n};\\nlet TeamsAdd = TeamsAddDel(\\\"MemberAdded\\\")\\n| project TimeAdded=TimeGenerated, Operation, MemberAdded = UPN, UserWhoAdded = UserId, TeamName, ClientIP;\\nlet TeamsDel = TeamsAddDel(\\\"MemberRemoved\\\")\\n| project TimeDeleted=TimeGenerated, Operation, MemberRemoved = UPN, UserWhoDeleted = UserId, TeamName, ClientIP;\\nTeamsAdd\\n| join kind=inner (TeamsDel) on $left.MemberAdded == $right.MemberRemoved\\n| where TimeDeleted \u003e TimeAdded\\n| project TimeAdded, TimeDeleted, MemberAdded_Removed = MemberAdded, UserWhoAdded, UserWhoDeleted, TeamName, ClientIP\\n| extend MemberAdded_RemovedAccountName = tostring(split(MemberAdded_Removed, \\\"@\\\")[0]), MemberAdded_RemovedAccountUPNSuffix = tostring(split(MemberAdded_Removed, \\\"@\\\")[1])\\n| extend UserWhoAddedAccountName = tostring(split(UserWhoAdded, \\\"@\\\")[0]), UserWhoAddedAccountUPNSuffix = tostring(split(UserWhoAdded, \\\"@\\\")[1])\\n| extend UserWhoDeletedAccountName = tostring(split(UserWhoDeleted, \\\"@\\\")[0]), UserWhoDeletedAccountUPNSuffix = tostring(split(UserWhoDeleted, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"MemberAdded_Removed\"},{\"identifier\":\"Name\",\"columnName\":\"MemberAdded_RemovedAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"MemberAdded_RemovedAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserWhoAdded\"},{\"identifier\":\"Name\",\"columnName\":\"UserWhoAddedAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UserWhoAddedAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserWhoDeleted\"},{\"identifier\":\"Name\",\"columnName\":\"UserWhoDeletedAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UserWhoDeletedAccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"External user added and removed in short timeframe\",\"description\":\"This detection flags the occurrences of external user accounts that are added to a Team and then removed within one hour.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2020-09-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity (Teams)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b31037ea-6f68-4fbd-bab2-d0d0f44c2fcf\",\"name\":\"b31037ea-6f68-4fbd-bab2-d0d0f44c2fcf\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.6\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(Url)\\n| where TimeGenerated \u003e= ago(ioc_lookBack)\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true and ExpirationDateTime \u003e now()\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n Syslog\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n // Extract URL from the Syslog message but only take messages that include URLs\\n | extend Url = extract(\\\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.\u0026+]|[!*\\\\\\\\(\\\\\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+)\\\", 1,SyslogMessage)\\n | where isnotempty(Url)\\n | extend Syslog_TimeGenerated = TimeGenerated\\n) on Url\\n| where Syslog_TimeGenerated \u003c ExpirationDateTime\\n| summarize Syslog_TimeGenerated = arg_max(Syslog_TimeGenerated , *) by IndicatorId, Url\\n| project timestamp = Syslog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, SyslogMessage, Computer, ProcessName, Url, HostIP\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"HostIP\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"TI Map URL Entity to Syslog Data\",\"description\":\"This query identifies any URL indicators of compromise (IOCs) from threat intelligence (TI) by searching for matches in Syslog data.\",\"lastUpdatedDateUTC\":\"2024-07-09T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/dcdf9bfc-c239-4764-a9f9-3612e6dff49c\",\"name\":\"dcdf9bfc-c239-4764-a9f9-3612e6dff49c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"// Adjust this to use a longer timeframe to identify ADFS servers\\n//let lookback = 6d;\\n// Adjust this to adjust the key export detection timeframe\\n//let timeframe = 1d;\\n// Start be identifying ADFS servers to reduce FP chance\\nlet ADFS_Servers = (\\nEvent\\n//| where TimeGenerated \u003e ago(timeframe+lookback)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 18\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, MG, ManagementGroupName, _ResourceId)\\n| extend Image = column_ifexists(\\\"Image\\\", \\\"\\\")\\n| extend process = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n| where process =~ \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| summarize by Computer);\\n// Look for ADFS servers where Named Pipes event are present\\nEvent\\n//| where TimeGenerated \u003e ago(timeframe)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 18\\n| where Computer in~ (ADFS_Servers)\\n| extend RenderedDescription = tostring(split(RenderedDescription, \\\":\\\")[0])\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| extend RuleName = column_ifexists(\\\"RuleName\\\", \\\"\\\"),\\n TechniqueId = column_ifexists(\\\"TechniqueId\\\", \\\"\\\"),\\n TechniqueName = column_ifexists(\\\"TechniqueName\\\", \\\"\\\"),\\n Image = column_ifexists(\\\"Image\\\", \\\"\\\"),\\n PipeName = column_ifexists(\\\"PipeName\\\", \\\"\\\"),\\n EventType = column_ifexists(\\\"EventType\\\", \\\"\\\")\\n| parse RuleName with * \u0027technique_id=\u0027 TechniqueId \u0027,\u0027 * \u0027technique_name=\u0027 TechniqueName\\n// Look for Pipe related to querying the WID\\n| where PipeName == \\\"\\\\\\\\MICROSOFT##WID\\\\\\\\tsql\\\\\\\\query\\\"\\n| extend process = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n// Exclude expected processes\\n| where process !in (\\\"Microsoft.IdentityServer.ServiceHost.exe\\\", \\\"Microsoft.Identity.Health.Adfs.PshSurrogate.exe\\\", \\\"AzureADConnect.exe\\\", \\\"Microsoft.Tri.Sensor.exe\\\", \\\"wsmprovhost.exe\\\",\\\"mmc.exe\\\", \\\"sqlservr.exe\\\")\\n| extend Operation = RenderedDescription\\n| project-reorder TimeGenerated, EventType, Operation, process, Image, Computer, UserName\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| extend AccountName = tostring(split(UserName, @\u0027\\\\\u0027)[1]), AccountNTDomain = tostring(split(UserName, @\u0027\\\\\u0027)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserName\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"Collection\"],\"displayName\":\"ADFS Database Named Pipe Connection\",\"description\":\"This detection uses Sysmon telemetry to detect suspicious local connections via a named pipe to the AD FS configuration database (Windows Internal Database).\\nIn order to use this query you need to be collecting Sysmon EventIdD 18 (Pipe Connected).\\nIf you do not have Sysmon data in your workspace this query will raise an error stating:\\nFailed to resolve scalar expression named \\\"[@Name]\",\"lastUpdatedDateUTC\":\"2024-03-13T00:00:00Z\",\"createdDateUTC\":\"2020-12-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f110287e-1358-490d-8147-ed804b328514\",\"name\":\"f110287e-1358-490d-8147-ed804b328514\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.4.2\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h; // Look back 1 hour for AWSCloudTrail logs\\nlet ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators\\n// Fetch threat intelligence indicators related to IP addresses\\nlet IP_Indicators = ThreatIntelligenceIndicator\\n // Filter out indicators without relevant IP address fields\\n | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n | where TimeGenerated \u003e= ago(ioc_lookBack)\\n // Select the IP entity based on availability of different IP fields\\n | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n // Exclude local addresses using the ipv4_is_private operator and filtering out specific address prefixes\\n | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \\\"fe80\\\" and TI_ipEntity !startswith \\\"::\\\" and TI_ipEntity !startswith \\\"127.\\\"\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n | where Active == true and ExpirationDateTime \u003e now();\\n// Perform a join between IP indicators and AWSCloudTrail logs to identify potential malicious activity\\nIP_Indicators\\n // Use innerunique to keep performance fast and result set low, as we only need one match to indicate potential malicious activity that needs investigation\\n | join kind=innerunique (\\n AWSCloudTrail\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | extend AWSCloudTrail_TimeGenerated = TimeGenerated // Rename time column for clarity\\n )\\n on $left.TI_ipEntity == $right.SourceIpAddress\\n // Filter out logs that occurred after the expiration of the corresponding indicator\\n | where AWSCloudTrail_TimeGenerated \u003c ExpirationDateTime\\n // Group the results by IndicatorId and SourceIpAddress, and keep the log entry with the latest timestamp\\n | summarize AWSCloudTrail_TimeGenerated = arg_max(AWSCloudTrail_TimeGenerated, *) by IndicatorId, SourceIpAddress\\n // Select the desired output fields\\n | project AWSCloudTrail_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\n TI_ipEntity, EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserIdentityUserName, SourceIpAddress,\\n NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, Type\\n // Rename the timestamp field\\n | extend timestamp = AWSCloudTrail_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"ObjectGuid\",\"columnName\":\"UserIdentityUserName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIpAddress\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"TI map IP entity to AWSCloudTrail\",\"description\":\"Identifies a match in AWSCloudTrail from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2024-07-09T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4f19d4e3-ec5f-4abc-9e61-819eb131758c\",\"name\":\"4f19d4e3-ec5f-4abc-9e61-819eb131758c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Low\",\"query\":\"let EventNameList = dynamic([ \\\"AuthorizeSecurityGroupEgress\\\", \\\"AuthorizeSecurityGroupIngress\\\", \\\"RevokeSecurityGroupEgress\\\", \\\"RevokeSecurityGroupIngress\\\"]);\\nAWSCloudTrail\\n| where EventName in~ (EventNameList)\\n| extend UserIdentityArn = iif(isempty(UserIdentityArn), tostring(parse_json(Resources)[0].ARN), UserIdentityArn)\\n| extend UserName = tostring(split(UserIdentityArn, \u0027/\u0027)[-1])\\n| extend AccountName = case( UserIdentityPrincipalid == \\\"Anonymous\\\", \\\"Anonymous\\\", isempty(UserIdentityUserName), UserName, UserIdentityUserName)\\n| extend AccountName = iif(AccountName contains \\\"@\\\", tostring(split(AccountName, \u0027@\u0027, 0)[0]), AccountName),\\n AccountUPNSuffix = iif(AccountName contains \\\"@\\\", tostring(split(AccountName, \u0027@\u0027, 1)[0]), \\\"\\\")\\n| summarize EventCount=count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated)\\nby EventSource, EventName, UserIdentityType, RecipientAccountId, AccountName, AccountUPNSuffix, SourceIpAddress, UserAgent, SessionMfaAuthenticated, AWSRegion,\\nAdditionalEventData, UserIdentityAccountId, UserIdentityPrincipalid, ResponseElements\\n| extend timestamp = StartTimeUtc\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"},{\"identifier\":\"CloudAppAccountId\",\"columnName\":\"RecipientAccountId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIpAddress\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Changes to AWS Security Group ingress and egress settings\",\"description\":\"A Security Group acts as a virtual firewall of an instance to control inbound and outbound traffic.\\n Hence, ingress and egress settings changes to AWS Security Group should be monitored as these can expose the enviornment to new attack vectors.\\nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255. \",\"lastUpdatedDateUTC\":\"2024-03-27T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3d71fc38-f249-454e-8479-0a358382ef9a\",\"name\":\"3d71fc38-f249-454e-8479-0a358382ef9a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"High\",\"query\":\"SecurityNestedRecommendation\\n| where RemediationDescription has \u0027CVE-2021-44228\u0027\\n| parse ResourceDetails with * \u0027virtualMachines/\u0027 VirtualMachine \u0027\\\"\u0027 *\\n| summarize arg_min(TimeGenerated, *) by TenantId, RecommendationSubscriptionId, VirtualMachine, RecommendationName,Description,RemediationDescription, tostring(AdditionalData),VulnerabilityId\\n| extend Timestamp = TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"VirtualMachine\"}]}],\"tactics\":[\"InitialAccess\",\"Execution\"],\"displayName\":\"Vulnerable Machines related to log4j CVE-2021-44228\",\"description\":\"This query uses the Azure Defender Security Nested Recommendations data to find machines vulnerable to log4j CVE-2021-44228.\\nLog4j is an open-source Apache logging library that is used in many Java-based applications. Security Nested Recommendations data is sent to Microsoft Sentinel using the continuous export feature of Azure Defender(refrence link below).\\n Reference: https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/\\n Reference: https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal\\n Reference: https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/how-defender-for-cloud-displays-machines-affected-by-log4j/ba-p/3037271\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2021-09-17T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bca9c877-2afc-4246-a26d-087ab1cdcd5f\",\"name\":\"bca9c877-2afc-4246-a26d-087ab1cdcd5f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"High\",\"query\":\"let sha256Hashes = dynamic([\\\"5dd1ca0d471dee41eb3ea0b6ea117810f228354fc3b7b47400a812573d40d91d\\\", \\\"5fc44c7342b84f50f24758e39c8848b2f0991e8817ef5465844f5f2ff6085a57\\\", \\\"6cff0bbd62efe99f381e5cc0c4182b0fb7a9a34e4be9ce68ee6b0d0ea3eee39c\\\"]);\\nlet signames = dynamic([\\\"Ransom:Win32/Prestige\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, SourceUserID, FileHash, Type\\n| extend timestamp = TimeGenerated, Algorithm = \\\"SHA256\\\", AccountNTName = SourceUserID\\n),\\n(imFileEvent\\n| where TargetFileSHA256 has_any (sha256Hashes)\\n| extend AccountNT = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, AccountNT, IPAddress, CommandLine, FileHash, Algorithm = \\\"SHA256\\\"\\n),\\n(Event\\n| where Source =~ \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend ProcessId = tolong(EventDetail.[3].[\\\"#text\\\"]), Image = tostring(EventDetail.[4].[\\\"#text\\\"]), CommandLine = tostring(EventDetail.[10].[\\\"#text\\\"]), Hashes = tostring(EventDetail.[17].[\\\"#text\\\"])\\n| extend Hashes = extract_all(@\\\"(?P\u003ckey\u003e\\\\w+)=(?P\u003cvalue\u003e[a-zA-Z0-9]+)\\\", dynamic([\\\"key\\\",\\\"value\\\"]), Hashes)\\n| extend Hashes = column_ifexists(\\\"Hashes\\\", dynamic([\\\"\\\", \\\"\\\"])), CommandLine = column_ifexists(\\\"CommandLine\\\", \\\"\\\")\\n| mv-expand Hashes\\n| where Hashes[0] =~ \\\"SHA256\\\" and Hashes[1] has_any (sha256Hashes) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, ProcessId, Hashes, CommandLine, Image\\n| extend Type = strcat(Type, \\\": \\\", Source)\\n| extend AccountNT = UserName, InitiatingProcessId = ProcessId\\n| extend Process = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), Algorithm = \\\"SHA256\\\", FileHash = tostring(Hashes[1]) \\n),\\n(DeviceEvents\\n| where InitiatingProcessSHA256 has_any (sha256Hashes) or SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend AccountNT = InitiatingProcessAccountName, Computer = DeviceName\\n| extend Algorithm = \\\"SHA256\\\", FileHash = tostring(InitiatingProcessSHA256), CommandLine = InitiatingProcessCommandLine, Image = InitiatingProcessFolderPath\\n),\\n(DeviceFileEvents\\n| where SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend AccountNT = InitiatingProcessAccountName, Computer = DeviceName\\n| extend Algorithm = \\\"SHA256\\\", FileHash = tostring(InitiatingProcessSHA256), CommandLine = InitiatingProcessCommandLine, Image = InitiatingProcessFolderPath\\n),\\n(DeviceImageLoadEvents\\n| where SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend AccountNT = InitiatingProcessAccountName, Computer = DeviceName\\n| extend Algorithm = \\\"SHA256\\\", FileHash = tostring(InitiatingProcessSHA256), CommandLine = InitiatingProcessCommandLine, Image = InitiatingProcessFolderPath\\n),\\n(SecurityAlert\\n| where ProductName == \\\"Microsoft Defender Advanced Threat Protection\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| where isnotempty(ThreatName)\\n| where ThreatName has_any (signames)\\n| extend Computer = tostring(parse_json(Entities)[0].HostName)\\n)\\n)\\n| extend AccountNTName = tostring(split(AccountNT, \\\"\\\\\\\\\\\")[0]), AccountNTDomain = tostring(split(AccountNT, \\\"\\\\\\\\\\\")[1])\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| project-away DomainIndex\",\"entityMappings\":[{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"Algorithm\"},{\"identifier\":\"Value\",\"columnName\":\"FileHash\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"InitiatingProcessId\"},{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLine\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountNT\"},{\"identifier\":\"Name\",\"columnName\":\"AccountNTName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"Prestige ransomware IOCs Oct 2022\",\"description\":\"This query looks for file hashes and AV signatures associated with Prestige ransomware payload.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-07-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceEvents\",\"DeviceFileEvents\",\"DeviceImageLoadEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f8b3c49c-4087-499b-920f-0dcfaff0cbca\",\"name\":\"f8b3c49c-4087-499b-920f-0dcfaff0cbca\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.4\",\"severity\":\"Medium\",\"query\":\"imProcessCreate\\n| where CommandLine contains \\\"TVqQAAMAAAAEAAA\\\"\\n| where isnotempty(Process)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by Dvc, ActorUsername, Process, CommandLine, ActingProcessName, EventVendor, EventProduct\\n| extend AccountName = tostring(split(ActorUsername, @\u0027\\\\\u0027)[1]), AccountNTDomain = tostring(split(ActorUsername, @\u0027\\\\\u0027)[0])\\n| extend HostName = tostring(split(Dvc, \\\".\\\")[0]), DomainIndex = toint(indexof(Dvc, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Dvc, DomainIndex + 1), Dvc)\\n| project-away DomainIndex\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ActorUsername\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Dvc\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"Execution\",\"DefenseEvasion\"],\"displayName\":\"Base64 encoded Windows process command-lines (Normalized Process Events)\",\"description\":\"Identifies instances of a base64 encoded PE file header seen in the process command line parameter.\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimProcessEvent)\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2018-09-13T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d564ff12-8f53-41b8-8649-44f76b37b99f\",\"name\":\"d564ff12-8f53-41b8-8649-44f76b37b99f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"Medium\",\"query\":\"// How many greater than Service Connections you want to view per build/release\\nlet ServiceConnectionThreshold = 4;\\nlet BypassDefIds = datatable(DefId:string, Type:string, ProjectName:string)\\n[\\n//\\\"103\\\", \\\"Release\\\", \\\"ProjectA\\\",\\n//\\\"42\\\", \\\"Release\\\", \\\"ProjectB\\\",\\n//\\\"122\\\", \\\"Build\\\", \\\"ProjectB\\\"\\n];\\nAzureDevOpsAuditing\\n| where OperationName == \\\"Library.ServiceConnectionExecuted\\\"\\n| extend DefId = tostring(Data.DefinitionId), Type = tostring(Data.PlanType), ConnectionId = tostring(Data.ConnectionId)\\n| parse ScopeDisplayName with OrganizationName \u0027 (Organization)\u0027\\n| summarize CurrentCount = dcount(tostring(ConnectionId)), ConnectionNames = make_set(tostring(Data.ConnectionName)), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated)\\n by OrganizationName, tostring(DefId), tostring(Type), ProjectId, ProjectName, ActorUPN, IpAddress\\n| where CurrentCount \u003e ServiceConnectionThreshold\\n| join kind=anti BypassDefIds on $left.DefId==$right.DefId and $left.Type == $right.Type and $left.ProjectName == $right.ProjectName\\n| extend link = iif(\\n Type == \\\"Build\\\", strcat(\u0027https://dev.azure.com/\u0027, OrganizationName, \u0027/\u0027, ProjectName, \u0027/_build?definitionId=\u0027, DefId),\\n strcat(\u0027https://dev.azure.com/\u0027, OrganizationName, \u0027/\u0027, ProjectName, \u0027/_release?_a=releases\u0026view=mine\u0026definitionId=\u0027, DefId))\\n| extend timestamp = StartTime\\n| extend AccountName = tostring(split(ActorUPN, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(ActorUPN, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ActorUPN\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]}],\"tactics\":[\"Persistence\",\"Impact\"],\"displayName\":\"Azure DevOps Service Connection Abuse\",\"description\":\"Flags builds/releases that use a large number of service connections if they aren\u0027t manually in the allow list.\\nThis is to determine if someone is hijacking a build/release and adding many service connections in order to abuse or dump credentials from service connections.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-04T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cd8d946d-10a4-40a9-bac1-6d0a6c847d65\",\"name\":\"cd8d946d-10a4-40a9-bac1-6d0a6c847d65\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"version\":\"1.0.4\",\"severity\":\"Medium\",\"query\":\"let BEC_Keywords = dynamic([ \u0027invoice\u0027,\u0027payment\u0027,\u0027paycheck\u0027,\u0027transfer\u0027,\u0027bank statement\u0027,\u0027bank details\u0027,\u0027closing\u0027,\u0027funds\u0027,\u0027bank account\u0027,\u0027account details\u0027,\u0027remittance\u0027,\u0027purchase\u0027,\u0027deposit\u0027,\\\"PO#\\\",\\\"Zahlung\\\",\\\"Rechnung\\\",\\\"Paiement\\\", \\\"virement bancaire\\\",\\\"Bankuberweisung\\\",\u0027hacked\u0027,\u0027phishing\u0027]);\\n// Adjust this threshold based on your environment\\nlet sensitivity = 2.5;\\nlet Events = materialize(imFileEvent\\n| where TimeGenerated between(startofday(ago(14d))..endofday(ago(0d)))\\n| where User !~ \\\"app@sharepoint\\\"\\n| where EventType =~ \\\"FileAccessed\\\"\\n| extend OriginalEvent = column_ifexists(\\\"EventOriginalType\\\",\\\"Unknown\\\")\\n| where OriginalEvent !~ \\\"FileSyncDownloadedFull\\\"\\n| where EventProduct in (\\\"SharePoint 365\\\", \\\"Azure File Storage\\\", \\\"OneDrive\\\" , \\\"SharePoint\\\")\\n| where FilePath has_any(BEC_Keywords)\\n| extend _AuthDetails = column_ifexists(\\\"AuthorizationDetails\\\", \\\"None\\\")\\n| extend SPuser = case(gettype(_AuthDetails) == \\\"array\\\", tostring(todynamic(_AuthDetails)[0].principals[0].id), \\\"Unknown\\\")\\n| extend User = case(isnotempty(User), User, SPuser)\\n| where isnotempty(User));\\nEvents\\n| summarize dcount(FileName) by User, bin(startofday(TimeGenerated), 1d)\\n| summarize CountOfDocs = make_list(dcount_FileName, 10000), TimeStamp = make_list(TimeGenerated, 10000) by User\\n| extend (Anomalies, Score, Baseline) = series_decompose_anomalies(CountOfDocs, sensitivity, -1, \u0027linefit\u0027)\\n| mv-expand CountOfDocs to typeof(double), TimeStamp to typeof(datetime), Anomalies to typeof(double), Score to typeof(double), Baseline to typeof(long)\\n| where Anomalies \u003e 0\\n| project TimeStamp, CountOfDocs, Baseline, Score, Anomalies, User\\n| join kind=inner(Events | extend TimeStamp = startofday(TimeGenerated)) on TimeStamp, User\\n| extend IpAddr = column_ifexists(\\\"IpAddr\\\", SrcIpAddr)\\n| extend Name = iif(User contains \\\"@\\\", split(User, \\\"@\\\")[0], split(User, \\\"\\\\\\\\\\\")[1])\\n| extend UPNSuffix = iif(User contains \\\"@\\\", split(User, \\\"@\\\")[1], \\\"\\\")\\n| extend NTDomain = iif(User contains \\\"@\\\", split(User, \\\"\\\\\\\\\\\")[0], \\\"\\\")\\n| project-reorder TimeGenerated, User, EventType, EventResult, EventProduct, FilePath, HttpUserAgent, IpAddr, CountOfDocs, Baseline, Score\",\"customDetails\":{\"Type\":\"EventType\",\"Result\":\"EventResult\",\"Product\":\"EventProduct\",\"UserAgent\":\"HttpUserAgent\"},\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"User\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"User\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"NTDomain\",\"columnName\":\"NTDomain\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"User\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddr\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"FilePath\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Suspicious access of {{number_of_files_accessed}} BEC related documents by {{User}}\",\"alertDescriptionFormat\":\"This query looks for users (in this case {{User}}) with suspicious spikes in the number of files accessed (in this case {{number_of_files_accessed}} events) that relate to topics commonly accessed as part of Business Email Compromise (BEC) attacks. The query looks for access to files in storage that relate to topics such as invoices or payments, and then looks for users accessing these files in significantly higher numbers than in the previous 14 days. Incidents raised by this analytic should be investigated to see if the user accessing these files should be accessing them, and if the volume they accessed them at was related to a legitimate business need. \\nThis query contains thresholds to reduce the chance of false positives, these can be adjusted to suit individual environments. In addition false positives could be generated by legitimate, scheduled actions that occur less often than every 14 days, additional exclusions can be added for these actions on username or IP address entities. This query uses the imFileEvent schema from ASIM, you will first need to ensure you have ASIM deployed in your environment. Ref https://learn.microsoft.com/azure/sentinel/normalization-about-parsers\\n\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"Collection\"],\"displayName\":\"Suspicious access of BEC related documents\",\"description\":\"This query looks for users with suspicious spikes in the number of files accessed that relate to topics commonly accessed as part of Business Email Compromise (BEC) attacks.\\nThe query looks for access to files in storage that relate to topics such as invoices or payments, and then looks for users accessing these files in significantly higher numbers than in the previous 14 days. Incidents raised by this analytic should be investigated to see if the user accessing these files should be accessing them, and if the volume they accessed them at was related to a legitimate business need. \\nThis query contains thresholds to reduce the chance of false positives, these can be adjusted to suit individual environments. In addition false positives could be generated by legitimate, scheduled actions that occur less often than every 14 days, additional exclusions can be added for these actions on username or IP address entities. This query uses the imFileEvent schema from ASIM, you will first need to ensure you have ASIM deployed in your environment. Ref https://learn.microsoft.com/azure/sentinel/normalization-about-parsers\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2023-02-24T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/87210ca1-49a4-4a7d-bb4a-4988752f978c\",\"name\":\"87210ca1-49a4-4a7d-bb4a-4988752f978c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.3\",\"severity\":\"Medium\",\"query\":\"// Get details of current Azure Ranges (note this URL updates regularly so will need to be manually updated over time)\\n// You may find the name of the new JSON here: https://www.microsoft.com/download/details.aspx?id=56519\\n// On the downloads page, click the \u0027details\u0027 button, and then replace just the filename in the URL below\\nlet azure_ranges = externaldata(changeNumber: string, cloud: string, values: dynamic)\\n[\\\"https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/MSFTIPRanges/ServiceTags_Public.json\\\"] with(format=\u0027multijson\u0027)\\n| mv-expand values\\n| mv-expand values.properties.addressPrefixes\\n| mv-expand values_properties_addressPrefixes\\n| summarize by tostring(values_properties_addressPrefixes)\\n| extend isipv4 = parse_ipv4(values_properties_addressPrefixes)\\n| extend isipv6 = parse_ipv6(values_properties_addressPrefixes)\\n| extend ip_type = case(isnotnull(isipv4), \\\"v4\\\", \\\"v6\\\")\\n| summarize make_list(values_properties_addressPrefixes) by ip_type\\n;\\nSigninLogs\\n// Limiting to Azure Portal really reduces false positives and helps focus on potential admin activity\\n| where ResultType == 0\\n| where AppDisplayName =~ \\\"Azure Portal\\\"\\n| extend isipv4 = parse_ipv4(IPAddress)\\n| extend ip_type = case(isnotnull(isipv4), \\\"v4\\\", \\\"v6\\\")\\n // Only get logons where the IP address is in an Azure range\\n| join kind=fullouter (azure_ranges) on ip_type\\n| extend ipv6_match = ipv6_is_in_any_range(IPAddress, list_values_properties_addressPrefixes)\\n| extend ipv4_match = ipv4_is_in_any_range(IPAddress, list_values_properties_addressPrefixes)\\n| where ipv4_match or ipv6_match \\n// Limit to where the user is external to the tenant\\n| where HomeTenantId != ResourceTenantId\\n// Further limit it to just access to the current tenant (you can drop this if you wanted to look elsewhere as well but it helps reduce FPs)\\n| where ResourceTenantId == AADTenantId\\n| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), make_set(ResourceDisplayName) by UserPrincipalName, IPAddress, UserAgent, Location, HomeTenantId, ResourceTenantId, UserId\\n| extend AccountName = split(UserPrincipalName, \\\"@\\\")[0]\\n| extend UPNSuffix = split(UserPrincipalName, \\\"@\\\")[1]\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"UserId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Azure Portal sign in by {{UserPrincipalName}} from another Azure Tenant with IP Address {{IPAddress}}\",\"alertDescriptionFormat\":\"This query looks for successful sign in attempts to the Azure Portal where the user who is signing in from another Azure tenant,\\nand the IP address the login attempt is from is an Azure IP. A threat actor who compromises an Azure tenant may look\\nto pivot to other tenants leveraging cross-tenant delegated access in this manner.\\nIn this instance {{UserPrincipalName}} logged in at {{FirstSeen}} from IP Address {{IPAddress}}.\\n\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"InitialAccess\"],\"displayName\":\"Azure Portal sign in from another Azure Tenant\",\"description\":\"This query looks for successful sign in attempts to the Azure Portal where the user who is signing in from another Azure tenant, and the IP address the login attempt is from is an Azure IP. A threat actor who compromises an Azure tenant may look to pivot to other tenants leveraging cross-tenant delegated access in this manner.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2021-10-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6ee72a9e-2e54-459c-bc9a-9c09a6502a63\",\"name\":\"6ee72a9e-2e54-459c-bc9a-9c09a6502a63\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"High\",\"query\":\"let IPList = dynamic([\\\"216.24.185.74\\\", \\\"107.175.189.159\\\", \\\"192.210.132.102\\\", \\\"67.230.163.214\\\", \\n \\\"199.19.110.240\\\", \\\"107.148.130.176\\\", \\\"154.212.129.218\\\", \\\"172.86.75.54\\\", \\\"45.61.136.199\\\", \\n \\\"149.28.150.195\\\", \\\"108.61.214.194\\\", \\\"144.202.98.198\\\", \\\"149.28.84.98\\\", \\\"103.99.209.78\\\", \\n \\\"45.61.136.2\\\", \\\"176.122.162.149\\\", \\\"192.3.80.245\\\", \\\"149.28.23.32\\\", \\\"107.182.18.149\\\", \\\"107.174.45.134\\\", \\n \\\"149.248.18.104\\\", \\\"65.49.192.74\\\", \\\"156.255.2.154\\\", \\\"45.76.6.149\\\", \\\"8.9.11.130\\\", \\\"140.238.27.255\\\", \\n \\\"107.182.24.70\\\", \\\"176.122.188.254\\\", \\\"192.161.161.108\\\", \\\"64.64.234.24\\\", \\\"104.224.185.36\\\", \\n \\\"104.233.224.227\\\", \\\"104.36.69.105\\\", \\\"119.28.139.120\\\", \\\"161.117.39.130\\\", \\\"66.42.100.42\\\", \\\"45.76.31.159\\\", \\n \\\"149.248.8.134\\\", \\\"216.24.182.48\\\", \\\"66.42.103.222\\\", \\\"218.89.236.11\\\", \\\"180.150.227.249\\\", \\\"47.75.80.23\\\",\\n \\\"124.156.164.19\\\", \\\"149.248.62.83\\\", \\\"150.109.76.174\\\", \\\"222.209.187.207\\\", \\\"218.38.191.38\\\", \\n \\\"119.28.226.59\\\", \\\"66.42.98.220\\\", \\\"74.82.201.8\\\", \\\"173.242.122.198\\\", \\\"45.32.130.72\\\", \\\"89.35.178.10\\\", \\n \\\"89.43.60.113\\\"]); \\n(union isfuzzy=true \\n(CommonSecurityLog \\n| where isnotempty(SourceIP) or isnotempty(DestinationIP) \\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList) \\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"Message\\\") \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch \\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\") \\n), \\n(OfficeActivity \\n|extend SourceIPAddress = ClientIP, Account = UserId \\n| where SourceIPAddress in (IPList) \\n| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account \\n),\\n(_Im_Dns (response_has_any_prefix=IPList)\\n| extend DestinationIPAddress = ResponseName, Host = SrcIpAddr \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host \\n), \\n(_Im_NetworkSession (srcipaddr_has_any_prefix=IPList)\\n | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Hostname, AccountCustomEntity=User\\n), \\n(_Im_NetworkSession (dstipaddr_has_any_prefix=IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = DstIpAddr, HostCustomEntity = Hostname , AccountCustomEntity = User\\n), \\n(WireData \\n| where isnotempty(RemoteIP) \\n| where RemoteIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer \\n), \\n(SigninLogs \\n| where isnotempty(IPAddress) \\n| where IPAddress in (IPList) \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \\n),\\n(AADNonInteractiveUserSignInLogs \\n| where isnotempty(IPAddress) \\n| where IPAddress in (IPList) \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \\n), \\n(W3CIISLog \\n| where isnotempty(cIP) \\n| where cIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName \\n), \\n(AzureActivity \\n| where isnotempty(CallerIpAddress) \\n| where CallerIpAddress in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller \\n), \\n( \\nAWSCloudTrail \\n| where isnotempty(SourceIpAddress) \\n| where SourceIpAddress in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName \\n), \\n( \\nDeviceNetworkEvents \\n| where isnotempty(RemoteIP) \\n| where RemoteIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName \\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallNetworkRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n),\\n(\\nAZFWApplicationRule\\n| where Fqdn has_any (IPList)\\n| extend IPCustomEntity = SourceIp\\n),\\n(\\nAZFWNetworkRule\\n| where DestinationIp has_any (IPList)\\n| extend IPCustomEntity = SourceIp\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"[Deprecated] -Known Barium IP\",\"description\":\"This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft\u0027s Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2020-11-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AzureMonitor(WireData)\",\"dataTypes\":[\"WireData\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\",\"AZFWApplicationRule\",\"AZFWNetworkRule\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3174a9ec-d0ad-4152-8307-94ed04fa450a\",\"name\":\"3174a9ec-d0ad-4152-8307-94ed04fa450a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"High\",\"query\":\"let SHA256Hash = \\\"1174fd03271f80f5e2a6435c72bdd0272a6e3a37049f6190abf125b216a83471\\\" ;\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where isnotempty(FileHash)\\n| where FileHash in (SHA256Hash) \\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updataing\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Hashes = EventDetail.[16].[\\\"#text\\\"]\\n| parse Hashes with * \u0027SHA256=\u0027 SHA265 \u0027,\u0027 * \\n| where isnotempty(Hashes)\\n| where Hashes in (SHA256Hash) \\n| extend Account = UserName\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"CredentialAccess\"],\"displayName\":\"[Deprecated] - Known Diamond Sleet related maldoc hash\",\"description\":\"This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft\u0027s Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2020-10-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f15370f4-c6fa-42c5-9be4-1d308f40284e\",\"name\":\"f15370f4-c6fa-42c5-9be4-1d308f40284e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.4.3\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h; // Look back 1 hour for OfficeActivity events\\nlet ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators\\nlet OfficeActivity_ = materialize(OfficeActivity\\n | where isnotempty(ClientIP)\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | extend ClientIPValues = extract_all(@\u0027\\\\[?(::ffff:)?(?P\u003cIPAddress\u003e(\\\\d+\\\\.\\\\d+\\\\.\\\\d+\\\\.\\\\d+)|[^\\\\]%]+)(%\\\\d+)?\\\\]?([-:](?P\u003cPort\u003e\\\\d+))?\u0027, dynamic([\\\"IPAddress\\\", \\\"Port\\\"]), ClientIP)[0]\\n | extend IPAddress = iff(array_length(ClientIPValues) \u003e 0, tostring(ClientIPValues[0]), \u0027\u0027)\\n | project-rename OfficeActivity_TimeGenerated = TimeGenerated);\\nlet ActivityIPs = OfficeActivity_ | summarize IPs = make_list(IPAddress);\\n// Fetch threat intelligence indicators related to IP addresses\\nlet IP_Indicators = materialize(ThreatIntelligenceIndicator\\n | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n | where TimeGenerated \u003e= ago(ioc_lookBack)\\n | extend TI_ipEntity = coalesce(NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress)\\n | where TI_ipEntity in (ActivityIPs)\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n | where Active == true and ExpirationDateTime \u003e now()\\n | where Description !contains_cs \\\"State: inactive;\\\" and Description !contains_cs \\\"State: falsepos;\\\");\\nIP_Indicators\\n// Use innerunique to keep performance fast and result set low, as we only need one match to indicate potential malicious activity that needs investigation\\n| join kind=innerunique (OfficeActivity_)\\n on $left.TI_ipEntity == $right.IPAddress\\n// Filter out OfficeActivity events that occurred after the expiration of the corresponding indicator\\n| where OfficeActivity_TimeGenerated \u003c ExpirationDateTime\\n// Group the results by IndicatorId and keep the OfficeActivity event with the latest timestamp\\n| summarize OfficeActivity_TimeGenerated = arg_max(OfficeActivity_TimeGenerated, *) by IndicatorId\\n// Select the desired output fields\\n| project OfficeActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, ClientIP, UserId, Operation, ResultStatus, RecordType, OfficeObjectId, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, Type\\n| extend timestamp = OfficeActivity_TimeGenerated, Name = tostring(split(UserId, \u0027@\u0027, 0)[0]), UPNSuffix = tostring(split(UserId, \u0027@\u0027, 1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserId\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"TI_ipEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"TI map IP entity to OfficeActivity\",\"description\":\"This query maps any IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in OfficeActivity.\",\"lastUpdatedDateUTC\":\"2024-07-09T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/32555639-b639-4c2b-afda-c0ae0abefa55\",\"name\":\"32555639-b639-4c2b-afda-c0ae0abefa55\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Low\",\"query\":\"AWSCloudTrail\\n| where EventName =~ \\\"GetCallerIdentity\\\" and UserIdentityType =~ \\\"AssumedRole\\\"\\n| extend UserIdentityArn = iif(isempty(UserIdentityArn), tostring(parse_json(Resources)[0].ARN), UserIdentityArn)\\n| extend UserName = tostring(split(UserIdentityArn, \u0027/\u0027)[-1])\\n| extend AccountName = case( UserIdentityPrincipalid == \\\"Anonymous\\\", \\\"Anonymous\\\", isempty(UserIdentityUserName), UserName, UserIdentityUserName)\\n| extend AccountName = iif(AccountName contains \\\"@\\\", tostring(split(AccountName, \u0027@\u0027, 0)[0]), AccountName),\\n AccountUPNSuffix = iif(AccountName contains \\\"@\\\", tostring(split(AccountName, \u0027@\u0027, 1)[0]), \\\"\\\")\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by SourceIpAddress, EventName, EventTypeName, UserIdentityType, RecipientAccountId, AccountName, AccountUPNSuffix, UserIdentityAccountId, UserIdentityPrincipalid,\\nUserAgent, UserIdentityUserName, SessionMfaAuthenticated,AWSRegion, EventSource, AdditionalEventData, ResponseElements\\n| extend timestamp = StartTime\\n| sort by EndTime desc nulls last\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"},{\"identifier\":\"CloudAppAccountId\",\"columnName\":\"RecipientAccountId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIpAddress\"}]}],\"tactics\":[\"Discovery\"],\"displayName\":\"Monitor AWS Credential abuse or hijacking\",\"description\":\"Looking for GetCallerIdentity Events where the UserID Type is AssumedRole\\nAn attacker who has assumed the role of a legitimate account can call the GetCallerIdentity function to determine what account they are using.\\nA legitimate user using legitimate credentials would not need to call GetCallerIdentity since they should already know what account they are using.\\nMore Information: https://duo.com/decipher/trailblazer-hunts-compromised-credentials-in-aws \\nAWS STS GetCallerIdentity API: https://docs.aws.amazon.com/STS/latest/APIReference/API_GetCallerIdentity.html \",\"lastUpdatedDateUTC\":\"2024-03-27T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/229f71ba-d83b-42a5-b83b-11a641049ed1\",\"name\":\"229f71ba-d83b-42a5-b83b-11a641049ed1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P2D\",\"queryPeriod\":\"P2D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"// In User \u0026 Groups and in Applications, the following \\\"AccessType\\\" values in columns PremodifiedOutboundSettings and ModifiedOutboundSettings are interpreted accordingly\\n// When Access Type in premodified outbound settings value was 1 that means that the initial access was allowed. When Access Type in premodified outbound settings value was 2 that means that the initial access was blocked.\\n// When Access Type in modified outbound settings value is 1 that means that now access is allowed. When Access Type in modified outbound settings value is 2 that means that now access is blocked.\\nAuditLogs\\n| where OperationName has \\\"Update a partner cross-tenant access setting\\\"\\n| mv-apply TargetResource = TargetResources on\\n (\\n where TargetResource.type =~ \\\"Policy\\\"\\n | extend Properties = TargetResource.modifiedProperties\\n )\\n| mv-apply Property = Properties on\\n (\\n where Property.displayName =~ \\\"b2bCollaborationOutbound\\\"\\n | extend PremodifiedOutboundSettings = trim(\u0027\\\"\u0027,tostring(Property.oldValue)),\\n ModifiedOutboundSettings = trim(@\u0027\\\"\u0027,tostring(Property.newValue))\\n )\\n| where PremodifiedOutboundSettings != ModifiedOutboundSettings\\n| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n| extend InitiatingIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\\n| extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"InitiatingAppName\"},{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAppServicePrincipalId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatingAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatingAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIpAddress\"}]}],\"tactics\":[\"InitialAccess\",\"Persistence\",\"Discovery\"],\"displayName\":\"Cross-tenant Access Settings Organization Outbound Collaboration Settings Changed\",\"description\":\"Organizations are added in the Cross-tenant Access Settings to control communication inbound or outbound for users and applications. This detection notifies when Organization Outbound Collaboration Settings are changed for \\\"Users \u0026 Groups\\\" and for \\\"Applications\\\".\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-10-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/01f64465-b1ef-41ea-a7f5-31553a11ad43\",\"name\":\"01f64465-b1ef-41ea-a7f5-31553a11ad43\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.6\",\"severity\":\"Medium\",\"query\":\"let endpointData = \\n(union isfuzzy=true\\n(SecurityEvent\\n | where EventID == 4688\\n | extend shortFileName = tolower(tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1]))\\n ),\\n (WindowsEvent\\n | where EventID == 4688\\n | extend NewProcessName = tostring(EventData.NewProcessName)\\n | extend shortFileName = tolower(tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1]))\\n | extend TargetUserName = tostring(EventData.TargetUserName)\\n ));\\n// Correlate suspect executables seen in TrendMicro rule updates with similar activity on endpoints\\nCommonSecurityLog\\n| where DeviceVendor =~ \\\"Trend Micro\\\"\\n| where Activity =~ \\\"Deny List updated\\\" \\n| where RequestURL endswith \\\".exe\\\"\\n| project TimeGenerated, Activity , RequestURL , SourceIP, DestinationIP\\n| extend suspectExeName = tolower(tostring(split(RequestURL, \u0027/\u0027)[-1]))\\n| join kind=innerunique (endpointData) on $left.suspectExeName == $right.shortFileName \\n| extend HostName = tostring(split(Computer, \u0027.\u0027, 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Computer, \u0027.\u0027), 1, -1), \u0027.\u0027))\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"TargetUserName\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DestinationIP\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"RequestURL\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"Network endpoint to host executable correlation\",\"description\":\"Correlates blocked URLs hosting [malicious] executables with host endpoint data to identify potential instances of executables of the same name having been recently run.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2019-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"TrendMicro\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/95dc4ae3-e0f2-48bd-b996-cdd22b90f9af\",\"name\":\"95dc4ae3-e0f2-48bd-b996-cdd22b90f9af\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"High\",\"query\":\"(union isfuzzy=true\\n(\\nAuditLogs\\n| where OperationName =~ \\\"Set federation settings on domain\\\"\\n//| where Result =~ \\\"success\\\" // commenting out, as it may be interesting to capture failed attempts\\n| mv-expand TargetResources\\n| extend modifiedProperties = parse_json(TargetResources).modifiedProperties\\n| mv-expand modifiedProperties\\n| extend targetDisplayName = tostring(parse_json(modifiedProperties).displayName)\\n),\\n(\\nAuditLogs\\n| where OperationName =~ \\\"Set domain authentication\\\"\\n//| where Result =~ \\\"success\\\" // commenting out, as it may be interesting to capture failed attempts\\n| mv-expand TargetResources\\n| extend modifiedProperties = parse_json(TargetResources).modifiedProperties\\n| mv-expand modifiedProperties\\n| mv-apply Property = modifiedProperties on\\n (\\n where Property.displayName =~ \\\"LiveType\\\"\\n | extend targetDisplayName = tostring(Property.displayName),\\n NewDomainValue = tostring(Property.newValue)\\n )\\n| where NewDomainValue has \\\"Federated\\\"\\n)\\n)\\n| mv-apply AdditionalDetail = AdditionalDetails on\\n (\\n where AdditionalDetail.key =~ \\\"User-Agent\\\"\\n | extend UserAgent = tostring(AdditionalDetail.value)\\n )\\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n| extend InitiatingIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\\n| extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[1])\\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, AADOperationType, targetDisplayName, Result, InitiatingIpAddress, UserAgent, CorrelationId, TenantId, AADTenantId\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"InitiatingAppName\"},{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAppServicePrincipalId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatingAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatingAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIpAddress\"}]}],\"tactics\":[\"CredentialAccess\",\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Modified domain federation trust settings\",\"description\":\"This will alert when a user or application modifies the federation settings on the domain or Update domain authentication from Managed to Federated.\\nFor example, this alert will trigger when a new Active Directory Federated Service (ADFS) TrustedRealm object, such as a signing certificate, is added to the domain.\\nModification to domain federation settings should be rare. Confirm the added or modified target domain/URL is legitimate administrator behavior.\\nTo understand why an authorized user may update settings for a federated domain in Office 365, Azure, or Intune, see: https://docs.microsoft.com/office365/troubleshoot/active-directory/update-federated-domain-office-365.\\nFor details on security realms that accept security tokens, see the ADFS Proxy Protocol (MS-ADFSPP) specification: https://docs.microsoft.com/openspecs/windows_protocols/ms-adfspp/e7b9ea73-1980-4318-96a6-da559486664b.\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2024-07-15T00:00:00Z\",\"createdDateUTC\":\"2020-12-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2566e99f-ad0f-472a-b9ac-d3899c9283e6\",\"name\":\"2566e99f-ad0f-472a-b9ac-d3899c9283e6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"High\",\"query\":\"(union isfuzzy=true\\n(SecurityEvent\\n| where EventID == 4688\\n| where (CommandLine has_all (\u0027reg\u0027, \u0027add\u0027, \u0027HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\\u0027, \u0027/v\u0027,\u0027/t\u0027, \u0027REG_DWORD\u0027, \u0027/d\u0027, \u0027/f\u0027) and CommandLine has_any(\u0027DisableRealtimeMonitoring\u0027, \u0027UseTPMKey\u0027, \u0027UseTPMKeyPIN\u0027, \u0027UseAdvancedStartup\u0027, \u0027EnableBDEWithNoTPM\u0027, \u0027RecoveryKeyMessageSource\u0027))\\n or CommandLine has_all (\u0027reg\u0027, \u0027add\u0027, \u0027HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\\u0027, \u0027/v\u0027,\u0027/t\u0027, \u0027REG_DWORD\u0027, \u0027/d\u0027, \u0027/f\u0027, \u0027RecoveryKeyMessage\u0027, \u0027Your drives are Encrypted!\u0027, \u0027@\u0027)\\n| project TimeGenerated, Computer, Account, AccountDomain, ProcessName, ProcessNameFullPath = NewProcessName, EventID, Activity, CommandLine, EventSourceName, Type\\n),\\n(DeviceProcessEvents \\n| where (InitiatingProcessCommandLine has_all(@\u0027\\\"reg\\\"\u0027, \u0027add\u0027, @\u0027\\\"HKLM\\\\SOFTWARE\\\\Policies\\\\\u0027, \u0027/v\u0027,\u0027/t\u0027, \u0027REG_DWORD\u0027, \u0027/d\u0027, \u0027/f\u0027) \\n and InitiatingProcessCommandLine has_any(\u0027DisableRealtimeMonitoring\u0027, \u0027UseTPMKey\u0027, \u0027UseTPMKeyPIN\u0027, \u0027UseAdvancedStartup\u0027, \u0027EnableBDEWithNoTPM\u0027, \u0027RecoveryKeyMessageSource\u0027) ) \\n or InitiatingProcessCommandLine has_all(\u0027\\\"reg\\\"\u0027, \u0027add\u0027, @\u0027\\\"HKLM\\\\SOFTWARE\\\\Policies\\\\\u0027, \u0027/v\u0027,\u0027/t\u0027, \u0027REG_DWORD\u0027, \u0027/d\u0027, \u0027/f\u0027, \u0027RecoveryKeyMessage\u0027, \u0027Your drives are Encrypted!\u0027, \u0027@\u0027)\\n| extend Account = strcat(InitiatingProcessAccountDomain, @\u0027\\\\\u0027, InitiatingProcessAccountName), Computer = DeviceName\\n )\\n )\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| extend AccountName = tostring(split(Account, @\u0027\\\\\u0027)[1]), AccountNTDomain = tostring(split(Account, @\u0027\\\\\u0027)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Dev-0270 Registry IOC - September 2022\",\"description\":\"The query below identifies modification of registry by Dev-0270 actor to disable security feature as well as to add ransom notes\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-09-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d2bc08fa-030a-4eea-931a-762d27c6a042\",\"name\":\"d2bc08fa-030a-4eea-931a-762d27c6a042\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"let Threshold = 1; \\n AzureDiagnostics\\n | where Category == \\\"ApplicationGatewayFirewallLog\\\"\\n | where action_s == \\\"Matched\\\"\\n | project transactionId_g, hostname_s, requestUri_s, TimeGenerated, clientIp_s, Message, details_message_s, details_data_s\\n | join kind = inner(\\n AzureDiagnostics\\n | where Category == \\\"ApplicationGatewayFirewallLog\\\"\\n | where action_s == \\\"Blocked\\\"\\n | parse Message with MessageText \u0027Total Inbound Score: \u0027 TotalInboundScore \u0027 - SQLI=\u0027 SQLI_Score \u0027,XSS=\u0027 XSS_Score \u0027,RFI=\u0027 RFI_Score \u0027,LFI=\u0027 LFI_Score \u0027,RCE=\u0027 RCE_Score \u0027,PHPI=\u0027 PHPI_Score \u0027,HTTP=\u0027 HTTP_Score \u0027,SESS=\u0027 SESS_Score \u0027): \u0027 Blocked_Reason \u0027; individual paranoia level scores:\u0027 Paranoia_Score\\n | where Blocked_Reason contains \\\"XSS\\\" and toint(TotalInboundScore) \u003e=15 and toint(XSS_Score) \u003e= 10 and toint(SQLI_Score) \u003c= 5) on transactionId_g\\n | extend Uri = strcat(hostname_s,requestUri_s)\\n | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), TransactionID = make_set(transactionId_g), Message = make_set(Message), Detail_Message = make_set(details_message_s), Detail_Data = make_set(details_data_s), Total_TransactionId = dcount(transactionId_g) by clientIp_s, Uri, action_s, SQLI_Score, XSS_Score, TotalInboundScore\\n | where Total_TransactionId \u003e= Threshold\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Uri\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"clientIp_s\"}]}],\"tactics\":[\"InitialAccess\",\"Execution\"],\"displayName\":\"Application Gateway WAF - XSS Detection\",\"description\":\"Identifies a match for XSS attack in the Application gateway WAF logs. The Threshold value in the query can be changed as per your infrastructure\u0027s requirement.\\n References: https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS)\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2022-07-21T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"WAF\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/aa1eff90-29d4-49dc-a3ea-b65199f516db\",\"name\":\"aa1eff90-29d4-49dc-a3ea-b65199f516db\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Low\",\"query\":\"(union isfuzzy=true\\n (SecurityEvent\\n | where EventID == 4720\\n | where AccountType == \\\"User\\\"\\n | project CreatedUserTime = TimeGenerated, CreatedUserEventID = EventID, CreatedUserActivity = Activity, Computer = toupper(Computer), \\n CreatedUser = tolower(TargetAccount), CreatedUserAccountName = TargetUserName, CreatedUserDomainName = TargetDomainName, CreatedUserSid = TargetSid, \\n AccountUsedToCreateUser = SubjectAccount, CreatedByAccountName = SubjectUserName, CreatedByDomainName = SubjectDomainName, SidofAccountUsedToCreateUser = SubjectUserSid\\n ),\\n (WindowsEvent\\n | where EventID == 4720\\n | extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n | extend AccountType=case(EventData.SubjectUserName endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n | where AccountType == \\\"User\\\"\\n | extend SubjectAccount = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n | extend SubjectDomainName = tostring(EventData.SubjectDomainName), SubjectUserName = tostring(EventData.SubjectUserName)\\n | extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n | extend TargetUserName = tostring(EventData.TargetUserName), TargetDomainName = tostring(EventData.TargetDomainName) \\n | extend Activity=\\\"4720 - A user account was created.\\\"\\n | extend TargetSid = tostring(EventData.TargetSid)\\n | project CreatedUserTime = TimeGenerated, CreatedUserEventID = EventID, CreatedUserActivity = Activity, Computer = toupper(Computer), \\n CreatedUser = tolower(TargetAccount), CreatedUserAccountName = TargetUserName, CreatedUserDomainName = TargetDomainName, CreatedUserSid = TargetSid, \\n AccountUsedToCreateUser = SubjectAccount, CreatedByAccountName = SubjectUserName, CreatedByDomainName = SubjectDomainName, SidofAccountUsedToCreateUser = SubjectUserSid\\n )\\n )\\n| join kind=inner\\n(\\n (union isfuzzy=true\\n (SecurityEvent \\n | where AccountType == \\\"User\\\"\\n // 4732 - A member was added to a security-enabled local group\\n | where EventID == 4732\\n // TargetSid is the builin Admins group: S-1-5-32-544\\n | where TargetSid == \\\"S-1-5-32-544\\\"\\n | project GroupAddTime = TimeGenerated, GroupAddEventID = EventID, GroupAddActivity = Activity, Computer = toupper(Computer), GroupName = tolower(TargetAccount), \\n GroupSid = TargetSid, AccountThatAddedUser = SubjectAccount, SIDofAccountThatAddedUser = SubjectUserSid, AddedByAccountName = SubjectUserName, AddedByDomainName = SubjectDomainName,\\n CreatedUserSid = MemberSid\\n ),\\n ( WindowsEvent \\n // 4732 - A member was added to a security-enabled local group\\n | where EventID == 4732 and EventData has \\\"S-1-5-32-544\\\"\\n //TargetSid is the builin Admins group: S-1-5-32-544\\n | extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n | extend AccountType=case(EventData.SubjectUserName endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n | where AccountType == \\\"User\\\"\\n | extend TargetSid = tostring(EventData.TargetSid)\\n | where TargetSid == \\\"S-1-5-32-544\\\"\\n | extend SubjectAccount = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n | extend SubjectDomainName = tostring(EventData.SubjectDomainName), SubjectUserName = tostring(EventData.SubjectUserName)\\n | extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n | extend Activity=\\\"4732 - A member was added to a security-enabled local group.\\\"\\n | extend MemberSid = tostring(EventData.MemberSid)\\n | project GroupAddTime = TimeGenerated, GroupAddEventID = EventID, GroupAddActivity = Activity, Computer = toupper(Computer), GroupName = tolower(TargetAccount), \\n GroupSid = TargetSid, AccountThatAddedUser = SubjectAccount, SIDofAccountThatAddedUser = SubjectUserSid, AddedByAccountName = SubjectUserName, AddedByDomainName = SubjectDomainName,\\n CreatedUserSid = MemberSid\\n )\\n )\\n)\\non CreatedUserSid\\n//Create User first, then the add to the group.\\n| project Computer, CreatedUserTime, CreatedUserEventID, CreatedUserActivity, CreatedUser, CreatedUserSid, CreatedUserAccountName, CreatedUserDomainName,\\nGroupAddTime, GroupAddEventID, GroupAddActivity, GroupName, GroupSid,\\nAccountUsedToCreateUser, SidofAccountUsedToCreateUser, CreatedByAccountName, CreatedByDomainName, \\nAccountThatAddedUser, SIDofAccountThatAddedUser, AddedByAccountName, AddedByDomainName\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| project-away DomainIndex\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountUsedToCreateUser\"},{\"identifier\":\"Name\",\"columnName\":\"CreatedByAccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"CreatedByDomainName\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountThatAddedUser\"},{\"identifier\":\"Name\",\"columnName\":\"AddedByAccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AddedByDomainName\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CreatedUser\"},{\"identifier\":\"Name\",\"columnName\":\"CreatedUserAccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"CreatedUserDomainName\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Sid\",\"columnName\":\"CreatedUserSid\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"New user created and added to the built-in administrators group\",\"description\":\"Identifies when a user account was created and then added to the builtin Administrators group in the same day.\\nThis should be monitored closely and all additions reviewed.\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2019-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/56fe0db0-6779-46fa-b3c5-006082a53064\",\"name\":\"56fe0db0-6779-46fa-b3c5-006082a53064\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"2.0.3\",\"severity\":\"Medium\",\"query\":\"let tokens = dynamic([\\\"416\\\",\\\"208\\\",\\\"192\\\",\\\"128\\\",\\\"120\\\",\\\"96\\\",\\\"80\\\",\\\"72\\\",\\\"64\\\",\\\"48\\\",\\\"44\\\",\\\"40\\\",\\\"nc12\\\",\\\"nc24\\\",\\\"nv24\\\"]);\\nlet operationList = dynamic([\\\"microsoft.compute/virtualmachines/write\\\", \\\"microsoft.resources/deployments/write\\\"]);\\nAzureActivity\\n| where OperationNameValue in~ (operationList)\\n| where ActivityStatusValue startswith \\\"Accept\\\"\\n| where Properties has \u0027vmSize\u0027\\n| extend parsed_property= parse_json(tostring((parse_json(Properties).responseBody))).properties\\n| extend vmSize = tostring((parsed_property.hardwareProfile).vmSize)\\n| mv-apply token=tokens to typeof(string) on (where vmSize contains token)\\n| extend ComputerName = tostring((parsed_property.osProfile).computerName)\\n| project TimeGenerated, OperationNameValue, ActivityStatusValue, Caller, CallerIpAddress, ComputerName, vmSize\\n| extend Name = tostring(split(Caller,\u0027@\u0027,0)[0]), UPNSuffix = tostring(split(Caller,\u0027@\u0027,1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Caller\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"ComputerName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"CallerIpAddress\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"NRT Creation of expensive computes in Azure\",\"description\":\"Identifies the creation of large size or expensive VMs (with GPUs or with a large number of virtual CPUs) in Azure.\\nAn adversary may create new or update existing virtual machines to evade defenses or use them for cryptomining purposes.\\nFor Windows/Linux Vm Sizes, see https://docs.microsoft.com/azure/virtual-machines/windows/sizes \\nAzure VM Naming Conventions, see https://docs.microsoft.com/azure/virtual-machines/vm-naming-conventions\",\"lastUpdatedDateUTC\":\"2024-01-08T00:00:00Z\",\"createdDateUTC\":\"2020-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b79f6190-d104-4691-b7db-823e05980895\",\"name\":\"b79f6190-d104-4691-b7db-823e05980895\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"let Keywords = dynamic([\\\"helpdesk\\\", \\\" alert\\\", \\\" suspicious\\\", \\\"fake\\\", \\\"malicious\\\", \\\"phishing\\\", \\\"spam\\\", \\\"do not click\\\", \\\"do not open\\\", \\\"hijacked\\\", \\\"Fatal\\\"]);\\nOfficeActivity\\n| where OfficeWorkload =~ \\\"Exchange\\\"\\n| where Parameters has \\\"Deleted Items\\\" or Parameters has \\\"Junk Email\\\" or Parameters has \\\"DeleteMessage\\\"\\n| extend Events=todynamic(Parameters)\\n| parse Events with * \\\"SubjectContainsWords\\\" SubjectContainsWords \u0027}\u0027*\\n| parse Events with * \\\"BodyContainsWords\\\" BodyContainsWords \u0027}\u0027*\\n| parse Events with * \\\"SubjectOrBodyContainsWords\\\" SubjectOrBodyContainsWords \u0027}\u0027*\\n| where SubjectContainsWords has_any (Keywords)\\n or BodyContainsWords has_any (Keywords)\\n or SubjectOrBodyContainsWords has_any (Keywords)\\n| extend ClientIPAddress = case( ClientIP has \\\".\\\", tostring(split(ClientIP,\\\":\\\")[0]), ClientIP has \\\"[\\\", tostring(trim_start(@\u0027[[]\u0027,tostring(split(ClientIP,\\\"]\\\")[0]))), ClientIP )\\n| extend Keyword = iff(isnotempty(SubjectContainsWords), SubjectContainsWords, (iff(isnotempty(BodyContainsWords),BodyContainsWords,SubjectOrBodyContainsWords )))\\n| extend RuleDetail = case(OfficeObjectId contains \u0027/\u0027 , tostring(split(OfficeObjectId, \u0027/\u0027)[-1]) , tostring(split(OfficeObjectId, \u0027\\\\\\\\\u0027)[-1]))\\n| summarize count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by UserId, ClientIPAddress, ResultStatus, Keyword, OriginatingServer, OfficeObjectId, RuleDetail\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserId\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"OriginatingServer\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIPAddress\"}]}],\"tactics\":[\"Persistence\",\"DefenseEvasion\"],\"displayName\":\"NRT Malicious Inbox Rule\",\"description\":\"Often times after the initial compromise the attackers create inbox rules to delete emails that contain certain keywords.\\n This is done so as to limit ability to warn compromised users that they\u0027ve been compromised. Below is a sample query that tries to detect this.\\nReference: https://www.reddit.com/r/sysadmin/comments/7kyp0a/recent_phishing_attempts_my_experience_and_what/\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2020-03-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/639aa695-9de9-4921-aa6b-6fdc35cb1eee\",\"name\":\"639aa695-9de9-4921-aa6b-6fdc35cb1eee\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs \\n| where OperationName contains \\\"Update user\\\"\\n| where TargetResources[0].modifiedProperties[0].oldValue contains \\\"Guest\\\"\\n| extend InvitedUser = TargetResources[0].userPrincipalName\\n// Uncomment the below line if you want to get alerts for changed usertype from specific domains or users\\n//| where InvitedUser has_any (\\\"CUSTOM DOMAIN NAME#\\\", \\\"#EXT#\\\")\\n| extend InitiatedByActionUserInformation = iff(isnotempty(InitiatedBy.user.userPrincipalName), InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName)\\n| extend InitiatedByIPAdress = InitiatedBy.user.ipAddress \\n| extend OldUserType = TargetResources[0].modifiedProperties[0].oldValue contains \\\"Guest\\\"\\n| extend NewUserType = TargetResources[0].modifiedProperties[0].newValue contains \\\"Member\\\"\\n| mv-expand OldUserType = TargetResources[0].modifiedProperties[0].oldValue to typeof(string)\\n| mv-expand NewUserType = TargetResources[0].modifiedProperties[0].newValue to typeof(string)\\n| where OldUserType != NewUserType\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InvitedUser\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"InitiatedByActionUserInformation\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatedByIPAdress\"}]}],\"tactics\":[\"InitialAccess\",\"Persistence\",\"Discovery\"],\"displayName\":\"Guest accounts changed user type from guest to members in AzureAD\",\"description\":\"Guest Accounts are added in the Organization Tenants to perform various tasks i.e projects execution, support etc.. This detection notifies when guest users are changed from user type as should be in AzureAD to member and gain other rights in the tenant.\",\"lastUpdatedDateUTC\":\"2022-10-23T00:00:00Z\",\"createdDateUTC\":\"2022-10-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/29283b22-a1c0-4d16-b0a9-3460b655a46a\",\"name\":\"29283b22-a1c0-4d16-b0a9-3460b655a46a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.8\",\"severity\":\"High\",\"query\":\"let UserAgentString = dynamic ([\\\"${jndi:ldap:/\\\", \\\"${jndi:rmi:/\\\", \\\"${jndi:ldaps:/\\\", \\\"${jndi:dns:/\\\", \\\"${jndi:iiop:/\\\",\\\"${jndi:\\\",\\\"${jndi:nds:/\\\",\\\"${jndi:corba/\\\"]);\\nlet UARegexMinimalString=dynamic([\u0027{\u0027,\u0027%7b\u0027, \u0027%7B\u0027]);\\nlet UARegex = @\u0027(\\\\\\\\$|%24)(\\\\\\\\{|%7B)([^jJ]*[jJ])([^nN]*[nN])([^dD]*[dD])([^iI]*[iI])(:|%3A|\\\\\\\\$|%24|}|%7D)\u0027;\\n(union isfuzzy=true\\n(OfficeActivity\\n| where UserAgent has_any (UserAgentString) or UserAgent matches regex UARegex\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = ClientIP, Account = UserId, Type, Operation\\n),\\n(AzureDiagnostics\\n| where Category in (\\\"FrontdoorWebApplicationFirewallLog\\\", \\\"FrontdoorAccessLog\\\", \\\"ApplicationGatewayFirewallLog\\\", \\\"ApplicationGatewayAccessLog\\\")\\n| where userAgent_s has_any (UserAgentString) or userAgent_s matches regex UARegex\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent = userAgent_s, SourceIP = column_ifexists(\\\"clientIp_s\\\",clientIP_s), Type, column_ifexists(\\\"originalHost_s\\\",host_s), Url = requestUri_s, HttpStatus = column_ifexists(\\\"httpStatusDetails_s\\\",httpStatus_d), column_ifexists(\\\"transactionId_g\\\",trackingReference_s), ruleName_s, ResourceType, ResourceId\\n),\\n(\\nW3CIISLog\\n| where csUserAgent has_any (UserAgentString) or csUserAgent matches regex UARegex\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent = csUserAgent, SourceIP = cIP, Account = csUserName, Type, sSiteName, csMethod, Url = csUriStem\\n),\\n(\\nAWSCloudTrail\\n| where UserAgent has_any (UserAgentString) or UserAgent matches regex UARegex\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = SourceIpAddress, Account = UserIdentityUserName, Type, EventName\\n),\\n(SigninLogs\\n| where UserAgent has_any (UserAgentString) or UserAgent matches regex UARegex\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = IPAddress, Account = UserPrincipalName, Type, Operation = OperationName, tostring(LocationDetails), tostring(DeviceDetail), AppDisplayName, ClientAppUsed\\n),\\n(AADNonInteractiveUserSignInLogs \\n| where UserAgent has_any (UserAgentString) or UserAgent matches regex UARegex\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = IPAddress, Account = UserPrincipalName, Type, Operation = OperationName, tostring(LocationDetails), tostring(DeviceDetail), AppDisplayName, ClientAppUsed\\n),\\n(_Im_WebSession (httpuseragent_has_any=array_concat(UserAgentString,UARegexMinimalString))\\n| where HttpUserAgent has_any (UserAgentString) or HttpUserAgent matches regex UARegex\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by HttpUserAgent, SourceIP = SrcIpAddr, DstIpAddr, Account = SrcUsername, Url, Type\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"Account\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"User agent search for log4j exploitation attempt\",\"description\":\"This query uses various log sources having user agent data to look for log4j CVE-2021-44228 exploitation attempt based on user agent pattern.\\nLog4j is an open-source Apache logging library that is used in many Java-based applications. The regex and the string matching look for the most common attacks. This might not be comprehensive to detect every possible user agent variation.\\n Reference: https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2021-12-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"WAF\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/89e6adbd-612c-4fbe-bc3d-32f81baf3b6c\",\"name\":\"89e6adbd-612c-4fbe-bc3d-32f81baf3b6c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT4H\",\"queryPeriod\":\"PT4H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Medium\",\"query\":\"// Change to true to monitor for Project Administrator adds to *any* project\\nlet MonitorAllProjects = false;\\n// If MonitorAllProjects is false, trigger only on Project Administrator add for the following projects\\nlet ProjectsToMonitor = dynamic([\u0027\u003cproject_X\u003e\u0027,\u0027\u003cproject_Y\u003e\u0027]);\\nAzureDevOpsAuditing\\n| where Area == \\\"Group\\\" and OperationName == \\\"Group.UpdateGroupMembership.Add\\\"\\n| where Details has \u0027Administrators\u0027\\n| where Details has \\\"was added as a member of group\\\" and (Details endswith \u0027\\\\\\\\Project Administrators\u0027 or Details endswith \u0027\\\\\\\\Project Collection Administrators\u0027)\\n| parse Details with AddedIdentity \u0027 was added as a member of group [\u0027 EntityName \u0027]\\\\\\\\\u0027 GroupName\\n| extend Level = iif(GroupName == \u0027Project Collection Administrators\u0027, \u0027Organization\u0027, \u0027Project\u0027), AddedIdentityId = Data.MemberId\\n| extend Severity = iif(Level == \u0027Organization\u0027, \u0027High\u0027, \u0027Medium\u0027), AlertDetails = strcat(\u0027At \u0027, TimeGenerated, \u0027 UTC \u0027, ActorUPN, \u0027/\u0027, ActorDisplayName, \u0027 added \u0027, AddedIdentity, \u0027 to the \u0027, EntityName, \u0027 \u0027, Level)\\n| where MonitorAllProjects == true or EntityName in (ProjectsToMonitor) or Level == \u0027Organization\u0027\\n| project TimeGenerated, Severity, Adder = ActorUPN, AddedIdentity, AddedIdentityId, AlertDetails, Level, EntityName, GroupName, ActorAuthType = AuthenticationMechanism,\\n ActorIpAddress = IpAddress, ActorUserAgent = UserAgent, RawDetails = Details\\n| extend timestamp = TimeGenerated\\n| extend AccountName = tostring(split(Adder, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(Adder, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Adder\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ActorIpAddress\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Azure DevOps Administrator Group Monitoring\",\"description\":\"This detection monitors for additions to projects or project collection administration groups in an Azure DevOps Organization.\",\"lastUpdatedDateUTC\":\"2024-03-13T00:00:00Z\",\"createdDateUTC\":\"2020-06-04T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/875d0eb1-883a-4191-bd0e-dbfdeb95a464\",\"name\":\"875d0eb1-883a-4191-bd0e-dbfdeb95a464\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n| where EventID == 5136 \\n| parse EventData with * \u0027AttributeLDAPDisplayName\\\"\u003e\u0027 AttributeLDAPDisplayName \\\"\u003c\\\" *\\n| parse EventData with * \u0027ObjectClass\\\"\u003e\u0027 ObjectClass \\\"\u003c\\\" *\\n| where AttributeLDAPDisplayName == \\\"servicePrincipalName\\\" and ObjectClass == \\\"user\\\"\\n| parse EventData with * \u0027ObjectDN\\\"\u003e\u0027 ObjectDN \\\"\u003c\\\" *\\n| parse EventData with * \u0027AttributeValue\\\"\u003e\u0027 AttributeValue \\\"\u003c\\\" *\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Computer, SubjectAccount, ObjectDN, AttributeValue, SubjectUserName, SubjectDomainName, SubjectUserSid\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| project-away DomainIndex\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SubjectAccount\"},{\"identifier\":\"Name\",\"columnName\":\"SubjectUserName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"SubjectDomainName\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Sid\",\"columnName\":\"SubjectUserSid\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Service Principal Name (SPN) Assigned to User Account\",\"description\":\"This query identifies whether an Active Directory user object was assigned a service principal name which could indicate that an adversary is preparing for performing Kerberoasting. \\nThis query checks for event id 5136, that the Object Class field is \\\"user\\\" and the LDAP Display Name is \\\"servicePrincipalName\\\".\\nRef: https://thevivi.net/assets/docs/2019/theVIVI-AD-Security-Workshop_AfricaHackon2019.pdf\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2022-01-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bb8a3481-dd14-4e76-8dcc-bbec8776d695\",\"name\":\"bb8a3481-dd14-4e76-8dcc-bbec8776d695\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"Medium\",\"query\":\"let DomainNames = dynamic([\u0027onetechcompany.com\u0027, \u0027reyweb.com\u0027, \u0027srfnetwork.org\u0027, \u0027sense4baby.fr\u0027, \u0027nikeoutletinc.org\u0027, \u0027megatoolkit.com\u0027]);\\nlet IPList = dynamic([\u0027185.225.69.69\u0027]);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or DestinationHostName in~ (DomainNames) or RequestURL has_any (DomainNames) or Message has_any (IPList)\\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", RequestURL in (DomainNames), \\\"RequestUrl\\\", \\\"NoMatch\\\") \\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, \\\"NoMatch\\\"), AccountCustomEntity = SourceUserID\\n),\\n(_Im_Dns (domain_has_any=DomainNames)\\n| extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n),\\n(_Im_Dns (response_has_any_prefix=IPList)\\n| extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n),\\n(_Im_WebSession(url_has_any=DomainNames)\\n| extend DestinationIPAddress = DstIpAddr, DNSName = tostring(parse_url(Url)[\\\"Host\\\"]), Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n),\\n(VMConnection\\n| where SourceIp in (IPList) or DestinationIp in (IPList) or RemoteDnsCanonicalNames has_any (DomainNames)\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"NoMatch\\\"), HostCustomEntity = Computer\\n),\\n(OfficeActivity\\n| where ClientIP in (IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = UserId\\n),\\n(DeviceNetworkEvents\\n| where RemoteUrl has_any (DomainNames) or RemoteIP in (IPList)\\n| extend timestamp = TimeGenerated, DNSName = RemoteUrl, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost\\n),\\n(AZFWApplicationRule\\n| where isnotempty(Fqdn)\\n| where Fqdn has_any (DomainNames)\\n| extend timestamp = TimeGenerated\\n| extend DNSName = Fqdn\\n| extend IPCustomEntity = SourceIp\\n),\\n(AZFWDnsQuery\\n| where isnotempty(QueryName)\\n| where QueryName has_any (DomainNames)\\n| extend timestamp = TimeGenerated\\n| extend DNSName = QueryName\\n| extend IPCustomEntity = SourceIp\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"DNSName\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"[Deprecated] - Midnight Blizzard - Domain and IP IOCs - March 2021\",\"description\":\"This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft\u0027s Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2021-03-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\",\"AZFWApplicationRule\",\"AZFWDnsQuery\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8c8de3fa-6425-4623-9cd9-45de1dd0569a\",\"name\":\"8c8de3fa-6425-4623-9cd9-45de1dd0569a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Medium\",\"query\":\"let lookBack = 14d;\\nlet timeframe = 1d;\\nlet user_agents_list = Cisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(lookBack) and TimeGenerated \u003c ago(timeframe)\\n| summarize count() by HttpUserAgentOriginal\\n| summarize make_list(HttpUserAgentOriginal);\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(timeframe)\\n| where HttpUserAgentOriginal !in (user_agents_list)\\n| extend Message = \\\"Rare User Agent\\\"\\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated, HttpUserAgentOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlOriginal\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - Rare User Agent Detected\",\"description\":\"Rule helps to detect a rare user-agents indicating web browsing activity by an unusual process other than a web browser.\",\"lastUpdatedDateUTC\":\"2023-12-29T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bdf04f58-242b-4729-b376-577c4bdf5d3a\",\"name\":\"bdf04f58-242b-4729-b376-577c4bdf5d3a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.6\",\"severity\":\"Medium\",\"query\":\"imProcessCreate\\n| where Process hassuffix \u0027rundll32.exe\u0027\\n| where CommandLine has_any (\u0027Execute\u0027,\u0027RegRead\u0027,\u0027window.close\u0027)\\n| project TimeGenerated, Dvc, User, Process, CommandLine, ActingProcessName, EventVendor, EventProduct\\n| extend AccountName = tostring(split(User, @\u0027\\\\\u0027)[1]), AccountNTDomain = tostring(split(User, @\u0027\\\\\u0027)[0])\\n| extend HostName = tostring(split(Dvc, \\\".\\\")[0]), DomainIndex = toint(indexof(Dvc, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Dvc, DomainIndex + 1), Dvc)\\n| project-away DomainIndex\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"User\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Dvc\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Midnight Blizzard - suspicious rundll32.exe execution of vbscript (Normalized Process Events)\",\"description\":\"This query idenifies when rundll32.exe executes a specific set of inline VBScript commands\\nReferences: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimProcessEvent)\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2021-03-03T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7d7e20f8-3384-4b71-811c-f5e950e8306c\",\"name\":\"7d7e20f8-3384-4b71-811c-f5e950e8306c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.8\",\"severity\":\"High\",\"query\":\"AuditLogs\\n| where ActivityDisplayName =~\u0027Add member to role request denied (PIM activation)\u0027\\n| mv-apply ResourceItem = TargetResources on \\n (\\n where ResourceItem.type =~ \\\"Role\\\"\\n | extend Role = trim(@\u0027\\\"\u0027,tostring(ResourceItem.displayName))\\n )\\n| mv-apply ResourceItem = TargetResources on \\n (\\n where ResourceItem.type =~ \\\"User\\\"\\n | extend TargetUserPrincipalName = trim(@\u0027\\\"\u0027,tostring(ResourceItem.userPrincipalName))\\n )\\n| where isnotempty(InitiatedBy.user)\\n| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n| extend InitiatingIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\\n| extend TargetName = tostring(split(TargetUserPrincipalName,\u0027@\u0027,0)[0]), TargetUPNSuffix = tostring(split(TargetUserPrincipalName,\u0027@\u0027,1)[0])\\n| extend InitiatedByName = tostring(split(InitiatingUserPrincipalName,\u0027@\u0027,0)[0]), InitiatedByUPNSuffix = tostring(split(InitiatingUserPrincipalName,\u0027@\u0027,1)[0])\\n| project-reorder TimeGenerated, TargetUserPrincipalName, Role, OperationName, Result, ResultDescription\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatedByName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatedByUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"TargetName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"TargetUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAppServicePrincipalId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIpAddress\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"PIM Elevation Request Rejected\",\"description\":\"Identifies when a user is rejected for a privileged role elevation via PIM. Monitor rejections for indicators of attacker compromise of the requesting account.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-identity-management\",\"lastUpdatedDateUTC\":\"2024-01-09T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c895c5b9-0fc6-40ce-9830-e8818862f2d5\",\"name\":\"c895c5b9-0fc6-40ce-9830-e8818862f2d5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P2D\",\"queryPeriod\":\"P2D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"// In User \u0026 Groups and in Applications, the following \\\"AccessType\\\" values in columns PremodifiedInboundSettings and ModifiedInboundSettings are interpreted accordingly\\n// When Access Type in premodified inbound settings value was 1 that means that the initial access was allowed. When Access Type in premodified inbound settings value was 2 that means that the initial access was blocked.\\n// When Access Type in modified inbound settings value is 1 that means that now access is allowed. When Access Type in modified inbound settings value is 2 that means that now access is blocked.\\nAuditLogs\\n| where OperationName has \\\"Update a partner cross-tenant access setting\\\"\\n| mv-apply TargetResource = TargetResources on\\n (\\n where TargetResource.type =~ \\\"Policy\\\"\\n | extend Properties = TargetResource.modifiedProperties\\n )\\n| mv-apply Property = Properties on\\n (\\n where Property.displayName =~ \\\"b2bCollaborationInbound\\\"\\n | extend PremodifiedInboundSettings = trim(\u0027\\\"\u0027,tostring(Property.oldValue)),\\n ModifiedInboundSettings = trim(@\u0027\\\"\u0027,tostring(Property.newValue))\\n )\\n| where PremodifiedInboundSettings != ModifiedInboundSettings\\n| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n| extend InitiatingIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\\n| extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"InitiatingAppName\"},{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAppServicePrincipalId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatingAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatingAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIpAddress\"}]}],\"tactics\":[\"InitialAccess\",\"Persistence\",\"Discovery\"],\"displayName\":\"Cross-tenant Access Settings Organization Inbound Collaboration Settings Changed\",\"description\":\"Organizations are added in the Cross-tenant Access Settings to control communication inbound or outbound for users and applications. This detection notifies when Organization Inbound Collaboration Settings are changed for \\\"Users \u0026 Groups\\\" and for \\\"Applications\\\".\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-10-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0433c8a3-9aa6-4577-beef-2ea23be41137\",\"name\":\"0433c8a3-9aa6-4577-beef-2ea23be41137\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P2D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.7\",\"severity\":\"Medium\",\"query\":\"let admin_users = (IdentityInfo\\n | where TimeGenerated \u003e ago(2d)\\n | summarize arg_max(TimeGenerated, *) by AccountUPN\\n | where AssignedRoles contains \\\"admin\\\" or GroupMembership has \\\"Admin\\\"\\n | summarize by tolower(AccountUPN));\\n AuditLogs\\n | where Category =~ \\\"RoleManagement\\\"\\n | where OperationName has \\\"Add eligible member\\\"\\n | extend TargetUserPrincipalName = tostring(TargetResources[0].userPrincipalName)\\n | where tolower(TargetUserPrincipalName) in (admin_users)\\n | extend TargetAadUserId = tostring(TargetResources[0].id)\\n | extend Group = tostring(TargetResources[0].displayName)\\n | extend RoleAddedTo = iif(isnotempty(TargetUserPrincipalName), TargetUserPrincipalName, Group)\\n | extend mod_props = TargetResources[0].modifiedProperties\\n | extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n | extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n | extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n | extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n | extend InitiatingIPAddress = tostring(InitiatedBy.user.ipAddress)\\n | extend RoleAddedBy = iif(isnotempty(InitiatingAppName), InitiatingAppName, InitiatingUserPrincipalName)\\n | mv-expand mod_props\\n | where mod_props.displayName == \\\"Role.DisplayName\\\"\\n | extend UserAgent = tostring(AdditionalDetails[0].value)\\n | extend RoleAdded = tostring(parse_json(tostring(mod_props.newValue)))\\n | extend TargetAccountName = tostring(split(TargetUserPrincipalName, \\\"@\\\")[0]), TargetAccountUPNSuffix = tostring(split(TargetUserPrincipalName, \\\"@\\\")[1])\\n | extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[1])\\n | project-reorder TimeGenerated, OperationName, TargetUserPrincipalName, RoleAddedTo, RoleAdded, RoleAddedBy, InitiatingUserPrincipalName, InitiatingAppName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"TargetAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"TargetAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"TargetAadUserId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatingAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatingAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Privileged Account Permissions Changed\",\"description\":\"Detects changes to permissions assigned to admin users. Threat actors may try and increase permission scope by adding additional roles to already privileged accounts.\\nReview any modifications to ensure they were made legitimately.\\nRef: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts\",\"lastUpdatedDateUTC\":\"2024-04-05T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"IdentityInfo\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/884c4957-70ea-4f57-80b9-1bca3890315b\",\"name\":\"884c4957-70ea-4f57-80b9-1bca3890315b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"let timeBin = 10m;\\nlet failedThreshold = 100;\\nW3CIISLog\\n| where scStatus in (\\\"401\\\",\\\"403\\\")\\n| where csUserName != \\\"-\\\"\\n// Handling Exchange specific items in IIS logs to remove the unique log identifier in the URI\\n| extend csUriQuery = iff(csUriQuery startswith \\\"MailboxId=\\\", tostring(split(csUriQuery, \\\"\u0026\\\")[0]) , csUriQuery )\\n| extend csUriQuery = iff(csUriQuery startswith \\\"X-ARR-CACHE-HIT=\\\", strcat(tostring(split(csUriQuery, \\\"\u0026\\\")[0]),tostring(split(csUriQuery, \\\"\u0026\\\")[1])) , csUriQuery )\\n| extend scStatusFull = strcat(scStatus, \\\".\\\",scSubStatus)\\n// Map common IIS codes\\n| extend scStatusFull_Friendly = case(\\nscStatusFull == \\\"401.0\\\", \\\"Access denied.\\\",\\nscStatusFull == \\\"401.1\\\", \\\"Logon failed.\\\",\\nscStatusFull == \\\"401.2\\\", \\\"Logon failed due to server configuration.\\\",\\nscStatusFull == \\\"401.3\\\", \\\"Unauthorized due to ACL on resource.\\\",\\nscStatusFull == \\\"401.4\\\", \\\"Authorization failed by filter.\\\",\\nscStatusFull == \\\"401.5\\\", \\\"Authorization failed by ISAPI/CGI application.\\\",\\nscStatusFull == \\\"403.0\\\", \\\"Forbidden.\\\",\\nscStatusFull == \\\"403.4\\\", \\\"SSL required.\\\",\\n\\\"See - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\\")\\n// Mapping to Hex so can be mapped using website in comments above\\n| extend scWin32Status_Hex = tohex(tolong(scWin32Status))\\n// Map common win32 codes\\n| extend scWin32Status_Friendly = case(\\nscWin32Status_Hex =~ \\\"775\\\", \\\"The referenced account is currently locked out and cannot be logged on to.\\\",\\nscWin32Status_Hex =~ \\\"52e\\\", \\\"Logon failure: Unknown user name or bad password.\\\",\\nscWin32Status_Hex =~ \\\"532\\\", \\\"Logon failure: The specified account password has expired.\\\",\\nscWin32Status_Hex =~ \\\"533\\\", \\\"Logon failure: Account currently disabled.\\\",\\nscWin32Status_Hex =~ \\\"2ee2\\\", \\\"The request has timed out.\\\",\\nscWin32Status_Hex =~ \\\"0\\\", \\\"The operation completed successfully.\\\",\\nscWin32Status_Hex =~ \\\"1\\\", \\\"Incorrect function.\\\",\\nscWin32Status_Hex =~ \\\"2\\\", \\\"The system cannot find the file specified.\\\",\\nscWin32Status_Hex =~ \\\"3\\\", \\\"The system cannot find the path specified.\\\",\\nscWin32Status_Hex =~ \\\"4\\\", \\\"The system cannot open the file.\\\",\\nscWin32Status_Hex =~ \\\"5\\\", \\\"Access is denied.\\\",\\nscWin32Status_Hex =~ \\\"8009030e\\\", \\\"SEC_E_NO_CREDENTIALS\\\",\\nscWin32Status_Hex =~ \\\"8009030C\\\", \\\"SEC_E_LOGON_DENIED\\\",\\n\\\"See - https://msdn.microsoft.com/library/cc231199.aspx\\\")\\n// decode URI when available\\n| extend decodedUriQuery = url_decode(csUriQuery)\\n// Count of failed logons by a user\\n| summarize makeset(decodedUriQuery), makeset(cIP), makeset(sSiteName), makeset(sPort), makeset(csUserAgent), makeset(csMethod), makeset(csUriQuery), makeset(scStatusFull), makeset(scStatusFull_Friendly), makeset(scWin32Status_Hex), makeset(scWin32Status_Friendly), FailedConnectionsCount = count() by bin(TimeGenerated, timeBin), csUserName, Computer, sIP\\n| where FailedConnectionsCount \u003e= failedThreshold\\n| project TimeGenerated, csUserName, set_decodedUriQuery, Computer, set_sSiteName, sIP, set_cIP, set_sPort, set_csUserAgent, set_csMethod, set_scStatusFull, set_scStatusFull_Friendly, set_scWin32Status_Hex, set_scWin32Status_Friendly, FailedConnectionsCount\\n| order by FailedConnectionsCount\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| extend AccountName = tostring(split(csUserName, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(csUserName, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"csUserName\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"High count of failed logons by a user\",\"description\":\"Identifies when 100 or more failed attempts by a given user in 10 minutes occur on the IIS Server.\\nThis could be indicative of attempted brute force based on known account information.\\nThis could also simply indicate a misconfigured service or device.\\nReferences:\\nIIS status code mapping - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\nWin32 Status code mapping - https://msdn.microsoft.com/library/cc231199.aspx\",\"lastUpdatedDateUTC\":\"2023-12-28T00:00:00Z\",\"createdDateUTC\":\"2019-03-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3fbc20a4-04c4-464e-8fcb-6667f53e4987\",\"name\":\"3fbc20a4-04c4-464e-8fcb-6667f53e4987\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.1\",\"severity\":\"Medium\",\"query\":\"let authenticationWindow = 20m;\\nlet sensitivity = 2.5;\\nSigninLogs\\n| where AppDisplayName =~ \\\"Windows Sign In\\\"\\n| extend FailureOrSuccess = iff(ResultType in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\", \\\"70043\\\", \\\"70044\\\"), \\\"Success\\\", \\\"Failure\\\")\\n| summarize FailureCount = countif(FailureOrSuccess==\\\"Failure\\\"), SuccessCount = countif(FailureOrSuccess==\\\"Success\\\"), IPAddresses = make_set(IPAddress,1000)\\n by bin(TimeGenerated, authenticationWindow), UserDisplayName, UserPrincipalName\\n| extend FailureSuccessDiff = FailureCount - SuccessCount\\n| where FailureSuccessDiff \u003e 0\\n| summarize Diff = make_list(FailureSuccessDiff, 10000), TimeStamp = make_list(TimeGenerated, 10000) by UserDisplayName, UserPrincipalName//, tostring(IPAddresses)\\n| extend (Anomalies, Score, Baseline) = series_decompose_anomalies(Diff, sensitivity, -1, \u0027linefit\u0027) \\n| mv-expand Diff to typeof(double), TimeStamp to typeof(datetime), Anomalies to typeof(double), Score to typeof(double), Baseline to typeof(long)\\n| where Anomalies \u003e 0\\n| summarize by UserDisplayName, UserPrincipalName, Anomalies, Score, Baseline, FailureToSuccessDiff = Diff\\n| join kind=leftouter (\\n SigninLogs\\n | where AppDisplayName =~ \\\"Windows Sign In\\\"\\n | extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\\n | extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\n | extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city)\\n | summarize StartTime = min(TimeGenerated), \\n EndTime = max(TimeGenerated), \\n IPAddresses = make_set(IPAddress,100), \\n OS = make_set(OS,20), \\n Browser = make_set(Browser,20), \\n City = make_set(City,100), \\n ResultType = make_set(ResultType,100)\\n by UserDisplayName, UserPrincipalName, UserId, AppDisplayName\\n ) on UserDisplayName, UserPrincipalName\\n| project-away UserDisplayName1, UserPrincipalName1\\n| extend IPAddressFirst = tostring(IPAddresses[0])\\n| extend Name = tostring(split(UserPrincipalName,\u0027@\u0027,0)[0]), UPNSuffix = tostring(split(UserPrincipalName,\u0027@\u0027,1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"UserId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddressFirst\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Brute force attack against a Cloud PC\",\"description\":\"Identifies evidence of brute force activity against a Windows 365 Cloud PC by highlighting multiple authentication failures and by a successful authentication within a given time window.\",\"lastUpdatedDateUTC\":\"2024-04-05T00:00:00Z\",\"createdDateUTC\":\"2021-10-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/66c81ae2-1f89-4433-be00-2fbbd9ba5ebe\",\"name\":\"66c81ae2-1f89-4433-be00-2fbbd9ba5ebe\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.2\",\"severity\":\"Medium\",\"query\":\"let IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\nlet dt_lookBack = 1h; // Look back 1 hour for CommonSecurityLog events\\nlet ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators\\n// Fetch threat intelligence indicators related to IP addresses\\nlet IP_Indicators = ThreatIntelligenceIndicator\\n | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n | where TimeGenerated \u003e= ago(ioc_lookBack)\\n | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \\\"fe80\\\" and TI_ipEntity !startswith \\\"::\\\" and TI_ipEntity !startswith \\\"127.\\\"\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n | where Active == true and ExpirationDateTime \u003e now();\\n// Perform a join between IP indicators and CommonSecurityLog events\\nIP_Indicators\\n // Use innerunique to keep performance fast and result set low, as we only need one match to indicate potential malicious activity that needs investigation\\n | join kind=innerunique (\\n CommonSecurityLog\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | extend MessageIP = extract(IPRegex, 0, Message)\\n | extend CS_ipEntity = iff(isnotempty(SourceIP), SourceIP, DestinationIP)\\n | extend CS_ipEntity = iff(isempty(CS_ipEntity) and isnotempty(MessageIP), MessageIP, CS_ipEntity)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n )\\n on $left.TI_ipEntity == $right.CS_ipEntity\\n // Filter out logs that occurred after the expiration of the corresponding indicator\\n | where CommonSecurityLog_TimeGenerated \u003c ExpirationDateTime\\n // Group the results by IndicatorId and CS_ipEntity, and keep the log entry with the latest timestamp\\n | summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, CS_ipEntity\\n // Select the desired output fields\\n | project timestamp = CommonSecurityLog_TimeGenerated, SourceIP, DestinationIP, MessageIP, Message, DeviceVendor, DeviceProduct, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, TI_ipEntity, CS_ipEntity, LogSeverity, DeviceAction, Type\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"CS_ipEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"TI Map IP Entity to CommonSecurityLog\",\"description\":\"This query maps any IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in CommonSecurityLog.\",\"lastUpdatedDateUTC\":\"2024-07-09T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7cb8f77d-c52f-4e46-b82f-3cf2e106224a\",\"name\":\"7cb8f77d-c52f-4e46-b82f-3cf2e106224a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"version\":\"2.0.4\",\"severity\":\"Medium\",\"query\":\"// Adjust this figure to adjust how sensitive this detection is\\nlet sensitivity = 2.5;\\nlet AuthEvents = materialize(\\nunion isfuzzy=True SigninLogs, AADNonInteractiveUserSignInLogs\\n| where TimeGenerated \u003e ago(7d)\\n| where ResultType == 0\\n| extend LocationDetails = LocationDetails_dynamic\\n| extend Location = strcat(LocationDetails.countryOrRegion, \\\"-\\\", LocationDetails.state,\\\"-\\\", LocationDetails.city)\\n| where Location != \\\"--\\\");\\nAuthEvents\\n| summarize dcount(Location) by AppDisplayName, AppId, UserPrincipalName, UserId, bin(startofday(TimeGenerated), 1d)\\n| where dcount_Location \u003e 2\\n| make-series CountOfLocations = sum(dcount_Location) on TimeGenerated step 1d by AppId, UserId\\n| extend (Anomalies, Score, Baseline) = series_decompose_anomalies(CountOfLocations, sensitivity, -1, \u0027linefit\u0027)\\n| mv-expand CountOfLocations to typeof(double), TimeGenerated to typeof(datetime), Anomalies to typeof(double), Score to typeof(double), Baseline to typeof(long)\\n| where Anomalies \u003e 0 and Baseline \u003e 0\\n| join kind=inner( AuthEvents | extend TimeStamp = startofday(TimeGenerated)) on UserId, AppId\\n| extend SignInDetails = bag_pack(\\\"TimeGenerated\\\", TimeGenerated1, \\\"Location\\\", Location, \\\"Source\\\", IPAddress, \\\"Device\\\", DeviceDetail_dynamic)\\n| summarize SignInDetailsSet=make_set(SignInDetails, 1000) by UserId, UserPrincipalName, CountOfLocations, TimeGenerated, AppId, AppDisplayName\\n| extend Name = split(UserPrincipalName, \\\"@\\\")[0], UPNSuffix = split(UserPrincipalName, \\\"@\\\")[1]\",\"customDetails\":{\"Application\":\"AppDisplayName\"},\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"UserId\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Anomalous sign-in location by {{UserPrincipalName}} to {{AppDisplayName}}\",\"alertDescriptionFormat\":\"This query over Microsoft Entra ID sign-in considers all user sign-ins for each Microsoft Entra ID application and picks out the most anomalous change in location profile for a user within an\\nindividual application. This has detected {{UserPrincipalName}} signing into {{AppDisplayName}} from {{CountOfLocations}} \\ndifferent locations.\\n\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"InitialAccess\"],\"displayName\":\"Anomalous sign-in location by user account and authenticating application\",\"description\":\"This query over Microsoft Entra ID sign-in considers all user sign-ins for each Microsoft Entra ID application and picks out the most anomalous change in location profile for a user within an individual application.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/44a555d8-ecee-4a25-95ce-055879b4b14b\",\"name\":\"44a555d8-ecee-4a25-95ce-055879b4b14b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"let timeBin = 10m;\\nlet portThreshold = 30;\\nW3CIISLog\\n| extend scStatusFull = strcat(scStatus, \\\".\\\",scSubStatus)\\n// Map common IIS codes\\n| extend scStatusFull_Friendly = case(\\nscStatusFull == \\\"401.0\\\", \\\"Access denied.\\\",\\nscStatusFull == \\\"401.1\\\", \\\"Logon failed.\\\",\\nscStatusFull == \\\"401.2\\\", \\\"Logon failed due to server configuration.\\\",\\nscStatusFull == \\\"401.3\\\", \\\"Unauthorized due to ACL on resource.\\\",\\nscStatusFull == \\\"401.4\\\", \\\"Authorization failed by filter.\\\",\\nscStatusFull == \\\"401.5\\\", \\\"Authorization failed by ISAPI/CGI application.\\\",\\nscStatusFull == \\\"403.0\\\", \\\"Forbidden.\\\",\\nscStatusFull == \\\"403.4\\\", \\\"SSL required.\\\",\\n\\\"See - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\\")\\n// Mapping to Hex so can be mapped using website in comments above\\n| extend scWin32Status_Hex = tohex(tolong(scWin32Status))\\n// Map common win32 codes\\n| extend scWin32Status_Friendly = case(\\nscWin32Status_Hex =~ \\\"775\\\", \\\"The referenced account is currently locked out and cannot be logged on to.\\\",\\nscWin32Status_Hex =~ \\\"52e\\\", \\\"Logon failure: Unknown user name or bad password.\\\",\\nscWin32Status_Hex =~ \\\"532\\\", \\\"Logon failure: The specified account password has expired.\\\",\\nscWin32Status_Hex =~ \\\"533\\\", \\\"Logon failure: Account currently disabled.\\\",\\nscWin32Status_Hex =~ \\\"2ee2\\\", \\\"The request has timed out.\\\",\\nscWin32Status_Hex =~ \\\"0\\\", \\\"The operation completed successfully.\\\",\\nscWin32Status_Hex =~ \\\"1\\\", \\\"Incorrect function.\\\",\\nscWin32Status_Hex =~ \\\"2\\\", \\\"The system cannot find the file specified.\\\",\\nscWin32Status_Hex =~ \\\"3\\\", \\\"The system cannot find the path specified.\\\",\\nscWin32Status_Hex =~ \\\"4\\\", \\\"The system cannot open the file.\\\",\\nscWin32Status_Hex =~ \\\"5\\\", \\\"Access is denied.\\\",\\nscWin32Status_Hex =~ \\\"8009030e\\\", \\\"SEC_E_NO_CREDENTIALS\\\",\\nscWin32Status_Hex =~ \\\"8009030C\\\", \\\"SEC_E_LOGON_DENIED\\\",\\n\\\"See - https://msdn.microsoft.com/library/cc231199.aspx\\\")\\n// decode URI when available\\n| extend decodedUriQuery = url_decode(csUriQuery)\\n// Count of attempts by client IP on many ports\\n| summarize makeset(sPort), makeset(decodedUriQuery), makeset(csUserName), makeset(sSiteName), makeset(sPort), makeset(csUserAgent), makeset(csMethod), makeset(csUriQuery), makeset(scStatusFull), makeset(scStatusFull_Friendly), makeset(scWin32Status_Hex), makeset(scWin32Status_Friendly), ConnectionsCount = count() by bin(TimeGenerated, timeBin), cIP, Computer, sIP\\n| extend portCount = arraylength(set_sPort)\\n| where portCount \u003e= portThreshold\\n| project TimeGenerated, cIP, set_sPort, set_csUserName, set_decodedUriQuery, Computer, set_sSiteName, sIP, set_csUserAgent, set_csMethod, set_scStatusFull, set_scStatusFull_Friendly, set_scWin32Status_Hex, set_scWin32Status_Friendly, ConnectionsCount, portCount\\n| order by portCount\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"cIP\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"High count of connections by client IP on many ports\",\"description\":\"Identifies when 30 or more ports are used for a given client IP in 10 minutes occurring on the IIS server.\\nThis could be indicative of attempted port scanning or exploit attempt at internet facing web applications.\\nThis could also simply indicate a misconfigured service or device.\\nReferences:\\nIIS status code mapping - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\nWin32 Status code mapping - https://msdn.microsoft.com/library/cc231199.aspx\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2019-03-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/14f6da04-2f96-44ee-9210-9ccc1be6401e\",\"name\":\"14f6da04-2f96-44ee-9210-9ccc1be6401e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.2\",\"severity\":\"Low\",\"query\":\"AuditLogs\\n| where Category =~ \\\"RoleManagement\\\"\\n| where OperationName has \\\"Add member to role outside of PIM\\\"\\n or (LoggedByService =~ \\\"Core Directory\\\" and OperationName =~ \\\"Add member to role\\\" and Identity != \\\"MS-PIM\\\")\\n| mv-apply TargetResource = TargetResources on \\n (\\n where TargetResource.type =~ \\\"User\\\"\\n | extend TargetUserPrincipalName = tostring(TargetResource.userPrincipalName)\\n )\\n| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n| extend InitiatingIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\\n| extend TargetName = tostring(split(TargetUserPrincipalName,\u0027@\u0027,0)[0]), TargetUPNSuffix = tostring(split(TargetUserPrincipalName,\u0027@\u0027,1)[0])\\n| extend InitiatedByName = tostring(split(InitiatingUserPrincipalName,\u0027@\u0027,0)[0]), InitiatedByUPNSuffix = tostring(split(InitiatingUserPrincipalName,\u0027@\u0027,1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"TargetName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"TargetUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatedByName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatedByUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAppServicePrincipalId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIpAddress\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"NRT Privileged Role Assigned Outside PIM\",\"description\":\"Identifies a privileged role being assigned to a user outside of PIM\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1\",\"lastUpdatedDateUTC\":\"2024-01-09T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c9b6d281-b96b-4763-b728-9a04b9fe1246\",\"name\":\"c9b6d281-b96b-4763-b728-9a04b9fe1246\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let lbtime = 10m;\\nCisco_Umbrella\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027proxylogs\u0027\\n| where DvcAction =~ \u0027Allowed\u0027\\n| where UrlCategory has_any (\u0027Dynamic and Residential\u0027, \u0027Personal VPN\u0027)\\n| project TimeGenerated, SrcIpAddr, Identities\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Identities\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]}],\"tactics\":[\"CommandAndControl\",\"Exfiltration\"],\"displayName\":\"Cisco Umbrella - Connection to non-corporate private network\",\"description\":\"IP addresses of broadband links that usually indicates users attempting to access their home network, for example for a remote session to a home computer.\",\"lastUpdatedDateUTC\":\"2023-12-29T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d7feb859-f03e-4e8d-8b21-617be0213b13\",\"name\":\"d7feb859-f03e-4e8d-8b21-617be0213b13\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"High\",\"query\":\"let admin_users = (IdentityInfo\\n | summarize arg_max(TimeGenerated, *) by AccountUPN\\n | where AssignedRoles contains \\\"admin\\\"\\n | summarize by tolower(AccountUPN));\\n AuditLogs\\n | where OperationName =~ \\\"Admin registered security info\\\"\\n | where ResultReason =~ \\\"Admin registered temporary access pass method for user\\\"\\n | extend TargetUserPrincipalName = tostring(TargetResources[0].userPrincipalName)\\n | where tolower(TargetUserPrincipalName) in (admin_users)\\n | extend TargetAadUserId = tostring(TargetResources[0].id)\\n | extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n | extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n | extend InitiatingIPAddress = tostring(InitiatedBy.user.ipAddress)\\n | extend TargetAccountName = tostring(split(TargetUserPrincipalName, \\\"@\\\")[0]), TargetAccountUPNSuffix = tostring(split(TargetUserPrincipalName, \\\"@\\\")[1])\\n | extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"TargetAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"TargetAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatingAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatingAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"TargetAadUserId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIPAddress\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Addition of a Temporary Access Pass to a Privileged Account\",\"description\":\"Detects when a Temporary Access Pass (TAP) is created for a Privileged Account.\\n A Temporary Access Pass is a time-limited passcode issued by an admin that satisfies strong authentication requirements and can be used to onboard other authentication methods, including Passwordless ones such as Microsoft Authenticator or even Windows Hello.\\n A threat actor could use a TAP to register a new authentication method to maintain persistance to an account.\\n Review any TAP creations to ensure they were used legitimately.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"IdentityInfo\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5b6ae038-f66e-4f74-9315-df52fd492be4\",\"name\":\"5b6ae038-f66e-4f74-9315-df52fd492be4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.6\",\"severity\":\"Low\",\"query\":\"imProcess\\n| where CommandLine has_all (\\\"accepteula\\\", \\\"-s\\\", \\\"-r\\\", \\\"-q\\\")\\n| where Process !endswith \\\"sdelete.exe\\\"\\n| where CommandLine !has \\\"sdelete\\\"\\n| extend AccountName = tostring(split(ActorUsername, @\u0027\\\\\u0027)[1]), AccountNTDomain = tostring(split(ActorUsername, @\u0027\\\\\u0027)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ActorUsername\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Dvc\"},{\"identifier\":\"HostName\",\"columnName\":\"DvcHostname\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DvcDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DvcIpAddr\"}]}],\"tactics\":[\"DefenseEvasion\",\"Impact\"],\"displayName\":\"Potential re-named sdelete usage (ASIM Version)\",\"description\":\"This detection looks for command line parameters associated with the use of Sysinternals sdelete (https://docs.microsoft.com/sysinternals/downloads/sdelete) to delete multiple files on a host\u0027s C drive.\\nA threat actor may re-name the tool to avoid detection and then use it for destructive attacks on a host.\\nThis detection uses the ASIM imProcess parser, this will need to be deployed before use - https://docs.microsoft.com/azure/sentinel/normalization\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2022-02-25T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9fb2ee72-959f-4c2b-bc38-483affc539e4\",\"name\":\"9fb2ee72-959f-4c2b-bc38-483affc539e4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n | where Category == \\\"ApplicationManagement\\\"\\n | where OperationName has_any (\\\"Update Application\\\", \\\"Update Service principal\\\")\\n | where TargetResources has \\\"AppIdentifierUri\\\"\\n | extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n | extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n | extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n | extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n | extend InitiatingIPAddress = tostring(InitiatedBy.user.ipAddress)\\n | extend mod_props = TargetResources[0].modifiedProperties\\n | extend TargetAppName = tostring(TargetResources[0].displayName)\\n | mv-expand mod_props\\n | where mod_props.displayName has \\\"AppIdentifierUri\\\"\\n | extend OldURI = tostring(mod_props.oldValue)\\n | extend NewURI = tostring(mod_props.newValue)\\n | extend UpdatedBy = iif(isnotempty(InitiatingAppName), InitiatingAppName, InitiatingUserPrincipalName)\\n | extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[1])\\n | project-reorder TimeGenerated, InitiatingAppName, InitiatingAppServicePrincipalId, InitiatingAadUserId, InitiatingUserPrincipalName, InitiatingIPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatingAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatingAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"OldURI\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"NewURI\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIPAddress\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Application ID URI Changed\",\"description\":\"Detects changes to an Application ID URI.\\n Monitor these changes to make sure that they were authorized.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-applications#appid-uri-added-modified-or-removed\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2c701f94-783c-4cd4-bc9b-3b3334976090\",\"name\":\"2c701f94-783c-4cd4-bc9b-3b3334976090\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Medium\",\"query\":\"let suspiciousCmdLineKeywords = dynamic([\\\"http://\\\", \\\"https://\\\"]);\\n// Identify exchange servers based on known paths\\n// Summarize these to get a list of exchange server hostnames\\nlet exchangeServers = W3CIISLog\\n| where csUriStem has_any(\\\"/owa/\\\",\\\"/ews/\\\",\\\"/ecp/\\\",\\\"/autodiscover/\\\")\\n// Only where successful, rule out failed scanning\\n| where scStatus startswith \\\"2\\\"\\n| summarize by Computer;\\nDeviceProcessEvents\\n| where DeviceName in~ (exchangeServers)\\n// Where the IIS worker process initiated CMD or PowerShell\\n| where InitiatingProcessParentFileName == \\\"w3wp.exe\\\"\\n| where InitiatingProcessFileName has_any(\\\"cmd.exe\\\", \\\"powershell.exe\\\")\\n// Where CMD or PowerShell command line included parameters associated with CVE-2022-41040/CVE-2022-41082 exploitation\\n| where ProcessCommandLine has_any(suspiciousCmdLineKeywords)\\n| project TimeGenerated, DeviceId, DeviceName, InitiatingProcessFileName, ProcessCommandLine, AccountDomain = InitiatingProcessAccountDomain, AccountName = InitiatingProcessAccountName\\n| extend Account = strcat(AccountDomain, \\\"\\\\\\\\\\\", AccountName)\\n| extend HostName = tostring(split(DeviceName, \\\".\\\")[0]), DomainIndex = toint(indexof(DeviceName, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(DeviceName, DomainIndex + 1), DeviceName)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DeviceName\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"Exchange Worker Process Making Remote Call\",\"description\":\"This query dynamically identifies Exchange servers and then looks for instances where the IIS worker process initiates a call out to a remote URL using either cmd.exe or powershell.exe.\\nThis behaviour was described as post-compromise behaviour following exploitation of CVE-2022-41040 and CVE-2022-41082, this pattern of activity was use to download additional tools to the server. This suspicious activity is generic.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-09-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1f40ed57-f54b-462f-906a-ac3a89cc90d4\",\"name\":\"1f40ed57-f54b-462f-906a-ac3a89cc90d4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"// Materialize a table named \\\"Azure_Bruforce\\\" containing Azure Portal sign-in logs within the last 1 day\\nlet Azure_Bruforce = materialize (\\n SigninLogs\\n// Filter sign-in logs related to the Azure Portal\\n | where AppDisplayName == \\\"Azure Portal\\\"\\n// Exclude entries with empty OriginalRequestId\\n | where isnotempty(OriginalRequestId)\\n// Summarize various counts and sets based on brute force criteria\\n | summarize \\n AzureSuccessfulEvent = countif(ResultType == 0), \\n AzureFailedEvent = countif(ResultType != 0), \\n totalAzureLoginEventId = dcount(OriginalRequestId), \\n AzureFailedEventsCount = dcountif(OriginalRequestId, ResultType != 0), \\n AzureSuccessfuleventsCount = dcountif(OriginalRequestId, ResultType == 0),\\n AzureSetOfFailedevents = makeset(iff(ResultType != 0, OriginalRequestId, \\\"\\\"), 5), \\n AzureSetOfSuccessfulEvents = makeset(iff(ResultType == 0, OriginalRequestId, \\\"\\\"), 5) \\n by \\n IPAddress, \\n UserPrincipalName, \\n bin(TimeGenerated, 1min), \\n UserAgent,\\n ConditionalAccessStatus,\\n OperationName,\\n RiskDetail,\\n AuthenticationRequirement,\\n ClientAppUsed\\n// Extracting the name and UPN suffix from UserPrincipalName\\n | extend\\n Name = tostring(split(UserPrincipalName, \u0027@\u0027)[0]),\\n UPNSuffix = tostring(split(UserPrincipalName, \u0027@\u0027)[1]));\\n// Materialize a table named \\\"AWS_Bruforce\\\" containing AWS CloudTrail events related to ConsoleLogins within the last 1 day\\nlet AWS_Bruforce = materialize (\\n AWSCloudTrail \\n// Filter CloudTrail events related to ConsoleLogin\\n | where EventName == \\\"ConsoleLogin\\\" \\n// Extract ActionType from ResponseElements JSON\\n | extend ActionType = tostring(parse_json(ResponseElements).ConsoleLogin) \\n// Summarize various counts and sets based on brute force criteria \\n | summarize \\n AWSSuccessful=countif(ActionType == \\\"Success\\\"), \\n AWSFailed = countif(ActionType == \\\"Failure\\\"), \\n totalAwsEventId= dcount(AwsEventId), \\n AWSFailedEventsCount = dcountif(AwsEventId, ActionType == \\\"Failure\\\"), \\n AWSSuccessfuleventsCount = dcountif(AwsEventId, ActionType == \\\"Success\\\"), \\n AWSFailedevents = makeset(iff(ActionType == \\\"Failure\\\", AwsEventId, \\\"\\\"), 5), \\n AWSSuccessfulEvents = makeset(iff(ActionType == \\\"Success\\\", AwsEventId, \\\"\\\"), 5) \\n// Grouping by various attributes\\n by \\n SourceIpAddress, \\n UserIdentityUserName,\\n bin(TimeGenerated, 1min), \\n UserAgent );\\n// Joining the Azure_Bruforce and AWS_Bruforce tables on matching IP addresses and UserAgents\\nAzure_Bruforce\\n| join kind=inner AWS_Bruforce on $left.IPAddress == $right.SourceIpAddress and $left.UserAgent == $right.UserAgent\\n// Filtering based on conditions for failed and successful events\\n| where (AWSFailedEventsCount \u003e= 4 and AzureFailedEventsCount \u003e= 5) and ((AzureSuccessfuleventsCount \u003e= 1 and AzureFailedEvent \u003e AzureSuccessfulEvent) or (AWSSuccessfuleventsCount \u003e= 1 and AWSFailedEventsCount \u003e AWSSuccessfuleventsCount))\",\"customDetails\":{\"AwsUser\":\"UserIdentityUserName\",\"UserAgent\":\"UserAgent\",\"AzureUser\":\"UserPrincipalName\",\"AzureClientAppUsed\":\"ClientAppUsed\"},\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIpAddress\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Cross-Cloud Password Spray detection\",\"description\":\"This detection focuses on identifying potential cross-cloud brute force / Password Spray attempts involving Azure and AWS platforms. It monitors sign-in activities within the Azure Portal and AWS ConsoleLogins where brute force attempts are successful on both platforms in a synchronized manner.\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2023-08-18T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"IdentityInfo\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a83ef0f4-dace-4767-bce3-ebd32599d2a0\",\"name\":\"a83ef0f4-dace-4767-bce3-ebd32599d2a0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Low\",\"query\":\"DnsEvents\\n| where Name contains \\\".\\\"\\n| where Name has_any (\\\"tor2web.org\\\", \\\"tor2web.com\\\", \\\"torlink.co\\\", \\\"onion.to\\\", \\\"onion.ink\\\", \\\"onion.cab\\\", \\\"onion.nu\\\", \\\"onion.link\\\",\\n\\\"onion.it\\\", \\\"onion.city\\\", \\\"onion.direct\\\", \\\"onion.top\\\", \\\"onion.casa\\\", \\\"onion.plus\\\", \\\"onion.rip\\\", \\\"onion.dog\\\", \\\"tor2web.fi\\\",\\n\\\"tor2web.blutmagie.de\\\", \\\"onion.sh\\\", \\\"onion.lu\\\", \\\"onion.pet\\\", \\\"t2w.pw\\\", \\\"tor2web.ae.org\\\", \\\"tor2web.io\\\", \\\"tor2web.xyz\\\", \\\"onion.lt\\\",\\n\\\"s1.tor-gateways.de\\\", \\\"s2.tor-gateways.de\\\", \\\"s3.tor-gateways.de\\\", \\\"s4.tor-gateways.de\\\", \\\"s5.tor-gateways.de\\\", \\\"hiddenservice.net\\\")\\n| extend HostName = iff(Computer has \u0027.\u0027, substring(Computer,0,indexof(Computer,\u0027.\u0027)),Computer)\\n| extend DnsDomain = iff(Computer has \u0027.\u0027, substring(Computer,indexof(Computer,\u0027.\u0027)+1),\\\"\\\")\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"DNS events related to ToR proxies\",\"description\":\"Identifies IP addresses performing DNS lookups associated with common ToR proxies.\",\"lastUpdatedDateUTC\":\"2024-03-13T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d6bf1931-b1eb-448d-90b2-de118559c7ce\",\"name\":\"d6bf1931-b1eb-448d-90b2-de118559c7ce\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let lbtime = 10m;\\nCisco_Umbrella\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027proxylogs\u0027\\n| where DvcAction =~ \u0027Allowed\u0027\\n| where UrlCategory contains \u0027Adult Themes\u0027 or\\n UrlCategory contains \u0027Adware\u0027 or\\n UrlCategory contains \u0027Alcohol\u0027 or\\n UrlCategory contains \u0027Illegal Downloads\u0027 or\\n UrlCategory contains \u0027Drugs\u0027 or\\n UrlCategory contains \u0027Child Abuse Content\u0027 or\\n UrlCategory contains \u0027Hate/Discrimination\u0027 or\\n UrlCategory contains \u0027Nudity\u0027 or\\n UrlCategory contains \u0027Pornography\u0027 or\\n UrlCategory contains \u0027Proxy/Anonymizer\u0027 or\\n UrlCategory contains \u0027Sexuality\u0027 or\\n UrlCategory contains \u0027Tasteless\u0027 or\\n UrlCategory contains \u0027Terrorism\u0027 or\\n UrlCategory contains \u0027Web Spam\u0027 or\\n UrlCategory contains \u0027German Youth Protection\u0027 or\\n UrlCategory contains \u0027Illegal Activities\u0027 or\\n UrlCategory contains \u0027Lingerie/Bikini\u0027 or\\n UrlCategory contains \u0027Weapons\u0027\\n| project TimeGenerated, SrcIpAddr, Identities\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Identities\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]}],\"tactics\":[\"CommandAndControl\",\"InitialAccess\"],\"displayName\":\"Cisco Umbrella - Request Allowed to harmful/malicious URI category\",\"description\":\"It is reccomended that these Categories shoud be blocked by policies because they provide harmful/malicious content..\",\"lastUpdatedDateUTC\":\"2023-12-29T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/35a0792a-1269-431e-ac93-7ae2980d4dde\",\"name\":\"35a0792a-1269-431e-ac93-7ae2980d4dde\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| where Active == true\\n| where isnotempty(EmailSenderAddress)\\n| extend TI_emailEntity = EmailSenderAddress\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n ProofpointPOD\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(SrcUserUpn)\\n | extend ProofpointPOD_TimeGenerated = TimeGenerated, ClientEmail = SrcUserUpn\\n)\\non $left.TI_emailEntity == $right.ClientEmail\\n| where ProofpointPOD_TimeGenerated \u003c ExpirationDateTime\\n| summarize ProofpointPOD_TimeGenerated = arg_max(ProofpointPOD_TimeGenerated, *) by IndicatorId, ClientEmail\\n| project ProofpointPOD_TimeGenerated, Description, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, ClientEmail\\n| extend timestamp = ProofpointPOD_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ClientEmail\"}]}],\"tactics\":[\"Exfiltration\",\"InitialAccess\"],\"displayName\":\"ProofpointPOD - Email sender in TI list\",\"description\":\"Email sender in TI list.\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_maillog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6e715730-82c0-496c-983b-7a20c4590bd9\",\"name\":\"6e715730-82c0-496c-983b-7a20c4590bd9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let accountLookback = 3d;\\nlet requestLookback = 3d;\\nlet extraction_regex = @\\\"(?:\\\\?|\u0026)[a-zA-Z0-9\\\\%]*=([a-zA-Z0-9\\\\/\\\\+\\\\=]*)\\\";\\n// Collect account names and base64 encode them\\nDeviceEvents\\n| where TimeGenerated \u003e ago(accountLookback)\\n| summarize make_set(DeviceId), make_set(DeviceName) by InitiatingProcessAccountName\\n| where isnotempty(InitiatingProcessAccountName)\\n| extend base64_user = base64_encode_tostring(InitiatingProcessAccountName)\\n| join (\\n // Collect requests and extract base64 parameters\\n CommonSecurityLog\\n | where TimeGenerated \u003e ago(requestLookback)\\n | where isnotempty(RequestURL)\\n // Summarize early on the RequestURL\\n | summarize FirstRequest=min(TimeGenerated), LastRequest=max(TimeGenerated), NumberOfRequests=count() by RequestURL\\n | extend base64_candidate = extract_all(extraction_regex, RequestURL)\\n | mv-expand base64_candidate to typeof(string)\\n) on $left.base64_user == $right.base64_candidate\\n| project FirstRequest, LastRequest, NumberOfRequests, RequestURL, DeviceIds=set_DeviceId, DeviceNames=set_DeviceName, UserName=InitiatingProcessAccountName\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"DeviceNames\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"RequestURL\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"UserName\"}]}],\"tactics\":[\"Exfiltration\",\"CommandAndControl\"],\"displayName\":\"Windows host username encoded in base64 web request\",\"description\":\"This detection will identify network requests in HTTP proxy data that contains Base64 encoded usernames from machines in the DeviceEvents table.\\nThis technique was seen usee by POLONIUM in their RunningRAT tool.\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2022-05-31T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/871ba14c-88ef-48aa-ad38-810f26760ca3\",\"name\":\"871ba14c-88ef-48aa-ad38-810f26760ca3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.3\",\"severity\":\"Medium\",\"query\":\"let queryfrequency = 1d;\\nlet queryperiod = 7d;\\nOfficeActivity\\n| where TimeGenerated \u003e ago(queryperiod)\\n| where OfficeWorkload =~ \\\"Exchange\\\"\\n//| where Operation in (\\\"Set-Mailbox\\\", \\\"New-InboxRule\\\", \\\"Set-InboxRule\\\")\\n| where Parameters has_any (\\\"ForwardTo\\\", \\\"RedirectTo\\\", \\\"ForwardingSmtpAddress\\\")\\n| mv-apply DynamicParameters = todynamic(Parameters) on (summarize ParsedParameters = make_bag(bag_pack(tostring(DynamicParameters.Name), DynamicParameters.Value)))\\n| evaluate bag_unpack(ParsedParameters, columnsConflict=\u0027replace_source\u0027)\\n| extend DestinationMailAddress = tolower(case(\\n isnotempty(column_ifexists(\\\"ForwardTo\\\", \\\"\\\")), column_ifexists(\\\"ForwardTo\\\", \\\"\\\"),\\n isnotempty(column_ifexists(\\\"RedirectTo\\\", \\\"\\\")), column_ifexists(\\\"RedirectTo\\\", \\\"\\\"),\\n isnotempty(column_ifexists(\\\"ForwardingSmtpAddress\\\", \\\"\\\")), trim_start(@\\\"smtp:\\\", column_ifexists(\\\"ForwardingSmtpAddress\\\", \\\"\\\")),\\n \\\"\\\"))\\n| where isnotempty(DestinationMailAddress)\\n| mv-expand split(DestinationMailAddress, \\\";\\\")\\n| extend ClientIPValues = extract_all(@\u0027\\\\[?(::ffff:)?(?P\u003cIPAddress\u003e(\\\\d+\\\\.\\\\d+\\\\.\\\\d+\\\\.\\\\d+)|[^\\\\]]+)\\\\]?([-:](?P\u003cPort\u003e\\\\d+))?\u0027, dynamic([\\\"IPAddress\\\", \\\"Port\\\"]), ClientIP)[0]\\n| extend ClientIP = tostring(ClientIPValues[0]), Port = tostring(ClientIPValues[1])\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), DistinctUserCount = dcount(UserId), UserId = make_set(UserId, 250), Ports = make_set(Port, 250), EventCount = count() by tostring(DestinationMailAddress), ClientIP\\n| where DistinctUserCount \u003e 1 and EndTime \u003e ago(queryfrequency)\\n| mv-expand UserId to typeof(string)\\n| extend AccountName = tostring(split(UserId, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(UserId, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserId\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]}],\"tactics\":[\"Collection\",\"Exfiltration\"],\"displayName\":\"Multiple users email forwarded to same destination\",\"description\":\"Identifies when multiple (more than one) users mailboxes are configured to forward to the same destination. \\nThis could be an attacker-controlled destination mailbox configured to collect mail from multiple compromised user accounts.\",\"lastUpdatedDateUTC\":\"2024-03-14T00:00:00Z\",\"createdDateUTC\":\"2019-08-23T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity (Exchange)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2cd8b3d5-c9e0-4be3-80f7-0469d511c3f6\",\"name\":\"2cd8b3d5-c9e0-4be3-80f7-0469d511c3f6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"BehaviorAnalytics\\n// User modification is expected from this account so focus on logons\\n| where ActivityType =~ \\\"LogOn\\\"\\n| where UserName startswith \\\"Sync_\\\" and UsersInsights.AccountDisplayName =~ \\\"On-Premises Directory Synchronization Service Account\\\"\\n// Filter out this expected activity\\n| where ActivityInsights.App !~ \\\"Microsoft Azure Active Directory Connect\\\"\\n| where InvestigationPriority \u003e 0\\n| extend Name = split(UserPrincipalName, \\\"@\\\")[0], UPNSuffix = split(UserPrincipalName, \\\"@\\\")[1]\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIPAddress\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"DestinationDevice\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Suspicious Sign In by AAD Connect Sync Account {{UserPrincipalName}} from {{SourceIPAddress}}\",\"alertDescriptionFormat\":\"This query looks for sign ins by the Azure AD Connect Sync account to Azure where properties about the logon are anomalous.\\nThis query uses Microsoft Sentinel\u0027s UEBA features to detect these suspicious properties.\\nA threat actor may attempt to steal the Sync account credentials and use them to access Azure resources. This alert should be \\nreviewed to ensure that the log in came was from a legitimate source.\\nIn this case {{UserPrincipalName}} logged in from {{SourceIPAddress}}.\\n\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"InitialAccess\"],\"displayName\":\"Suspicious Sign In by Entra ID Connect Sync Account\",\"description\":\"This query looks for sign ins by the Microsoft Entra ID Connect Sync account to Azure where properties about the logon are anomalous.\\nThis query uses Microsoft Sentinel\u0027s UEBA features to detect these suspicious properties.\\nA threat actor may attempt to steal the Sync account credentials and use them to access Azure resources. This alert should be \\nreviewed to ensure that the log in came was from a legitimate source.\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2023-03-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"BehaviorAnalytics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/106813db-679e-4382-a51b-1bfc463befc3\",\"name\":\"106813db-679e-4382-a51b-1bfc463befc3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.5\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(Url)\\n| where TimeGenerated \u003e= ago(ioc_lookBack)\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true and ExpirationDateTime \u003e now()\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n CommonSecurityLog\\n | extend IngestionTime = ingestion_time()\\n | where IngestionTime \u003e ago(dt_lookBack)\\n // Select on Palo Alto logs\\n | where DeviceVendor =~ \\\"Palo Alto Networks\\\"\\n | where DeviceEventClassID =~ \u0027url\u0027\\n //Uncomment the line below to only alert on allowed connections\\n //| where DeviceAction !~ \\\"block-url\\\"\\n //Select logs where URL data is populated\\n | extend PA_Url = column_ifexists(\\\"RequestURL\\\", \\\"None\\\")\\n | extend PA_Url = iif(isempty(PA_Url), extract(\\\"([^\\\\\\\"]+)\\\", 1, tolower(AdditionalExtensions)), trim(\u0027\\\"\u0027, PA_Url))\\n | extend PA_Url = iif(PA_Url !startswith \\\"http://\\\" and ApplicationProtocol !~ \\\"ssl\\\", strcat(\u0027http://\u0027, PA_Url), iif(PA_Url !startswith \\\"https://\\\" and ApplicationProtocol =~ \\\"ssl\\\", strcat(\u0027https://\u0027, PA_Url), PA_Url))\\n | where isnotempty(PA_Url)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n) on $left.Url == $right.PA_Url\\n| where CommonSecurityLog_TimeGenerated \u003c ExpirationDateTime\\n| summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, PA_Url\\n| project timestamp = CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DeviceAction, SourceIP, PA_Url, DeviceName\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"DeviceName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"PA_Url\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"TI Map URL Entity to PaloAlto Data\",\"description\":\"This query identifies any URL indicators of compromise (IOCs) from threat intelligence (TI) by searching for matches in PaloAlto Data.\",\"lastUpdatedDateUTC\":\"2024-07-09T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0d76e9cf-788d-4a69-ac7d-f234826b5bed\",\"name\":\"0d76e9cf-788d-4a69-ac7d-f234826b5bed\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Low\",\"query\":\"DnsEvents\\n| where Name contains \\\".\\\"\\n| where Name has_any (\\\"monerohash.com\\\", \\\"do-dear.com\\\", \\\"xmrminerpro.com\\\", \\\"secumine.net\\\", \\\"xmrpool.com\\\", \\\"minexmr.org\\\", \\\"hashanywhere.com\\\",\\n\\\"xmrget.com\\\", \\\"mininglottery.eu\\\", \\\"minergate.com\\\", \\\"moriaxmr.com\\\", \\\"multipooler.com\\\", \\\"moneropools.com\\\", \\\"xmrpool.eu\\\", \\\"coolmining.club\\\",\\n\\\"supportxmr.com\\\", \\\"minexmr.com\\\", \\\"hashvault.pro\\\", \\\"xmrpool.net\\\", \\\"crypto-pool.fr\\\", \\\"xmr.pt\\\", \\\"miner.rocks\\\", \\\"walpool.com\\\", \\\"herominers.com\\\",\\n\\\"gntl.co.uk\\\", \\\"semipool.com\\\", \\\"coinfoundry.org\\\", \\\"cryptoknight.cc\\\", \\\"fairhash.org\\\", \\\"baikalmine.com\\\", \\\"tubepool.xyz\\\", \\\"fairpool.xyz\\\", \\\"asiapool.io\\\",\\n\\\"coinpoolit.webhop.me\\\", \\\"nanopool.org\\\", \\\"moneropool.com\\\", \\\"miner.center\\\", \\\"prohash.net\\\", \\\"poolto.be\\\", \\\"cryptoescrow.eu\\\", \\\"monerominers.net\\\", \\\"cryptonotepool.org\\\",\\n\\\"extrmepool.org\\\", \\\"webcoin.me\\\", \\\"kippo.eu\\\", \\\"hashinvest.ws\\\", \\\"monero.farm\\\", \\\"supportxmr.com\\\", \\\"xmrpool.eu\\\", \\\"linux-repository-updates.com\\\", \\\"1gh.com\\\",\\n\\\"dwarfpool.com\\\", \\\"hash-to-coins.com\\\", \\\"hashvault.pro\\\", \\\"pool-proxy.com\\\", \\\"hashfor.cash\\\", \\\"fairpool.cloud\\\", \\\"litecoinpool.org\\\", \\\"mineshaft.ml\\\", \\\"abcxyz.stream\\\",\\n\\\"moneropool.ru\\\", \\\"cryptonotepool.org.uk\\\", \\\"extremepool.org\\\", \\\"extremehash.com\\\", \\\"hashinvest.net\\\", \\\"unipool.pro\\\", \\\"crypto-pools.org\\\", \\\"monero.net\\\",\\n\\\"backup-pool.com\\\", \\\"mooo.com\\\", \\\"freeyy.me\\\", \\\"cryptonight.net\\\", \\\"shscrypto.net\\\")\\n| extend HostName = iff(Computer has \u0027.\u0027, substring(Computer,0,indexof(Computer,\u0027.\u0027)),Computer)\\n| extend DnsDomain = iff(Computer has \u0027.\u0027, substring(Computer,indexof(Computer,\u0027.\u0027)+1),\\\"\\\")\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"DNS events related to mining pools\",\"description\":\"Identifies IP addresses that may be performing DNS lookups associated with common currency mining pools.\",\"lastUpdatedDateUTC\":\"2024-03-13T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/30fa312c-31eb-43d8-b0cc-bcbdfb360822\",\"name\":\"30fa312c-31eb-43d8-b0cc-bcbdfb360822\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.7\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @\u0027^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$\u0027;\\nlet Signins = materialize(union isfuzzy=true\\n( SigninLogs | where TimeGenerated \u003e= ago(dt_lookBack)),\\n( AADNonInteractiveUserSignInLogs | where TimeGenerated \u003e= ago(dt_lookBack)\\n | extend Status = todynamic(Status), LocationDetails = todynamic(LocationDetails))\\n| where isnotempty(UserPrincipalName) and UserPrincipalName matches regex emailregex\\n| extend UserPrincipalName = tolower(UserPrincipalName)\\n| extend Status = todynamic(Status), LocationDetails = todynamic(LocationDetails)\\n| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\n| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion)\\n| extend SigninLogs_TimeGenerated = TimeGenerated);\\nlet SigninUPNs = Signins | distinct UserPrincipalName | summarize make_list(UserPrincipalName);\\nThreatIntelligenceIndicator\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n| where TimeGenerated \u003e= ago(ioc_lookBack)\\n| where EmailSenderAddress in (SigninUPNs)\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true and ExpirationDateTime \u003e now()\\n| where Description !contains_cs \\\"State: inactive;\\\" and Description !contains_cs \\\"State: falsepos;\\\"\\n| join kind=innerunique (Signins) on $left.EmailSenderAddress == $right.UserPrincipalName\\n| where SigninLogs_TimeGenerated \u003c ExpirationDateTime\\n| summarize SigninLogs_TimeGenerated = arg_max(SigninLogs_TimeGenerated, *) by IndicatorId, UserPrincipalName\\n| project SigninLogs_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, EmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, IPAddress, UserPrincipalName, AppDisplayName, StatusCode, StatusDetails, NetworkIP, NetworkDestinationIP, NetworkSourceIP, Type\\n| extend Name = tostring(split(UserPrincipalName, \u0027@\u0027, 0)[0]), UPNSuffix = tostring(split(UserPrincipalName, \u0027@\u0027, 1)[0])\\n| extend timestamp = SigninLogs_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"TI map Email entity to SigninLogs\",\"description\":\"Identifies a match in SigninLogs table from any Email IOC from TI\",\"lastUpdatedDateUTC\":\"2024-07-10T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3cc5ccd8-b416-4141-bb2d-4eba370e37a5\",\"name\":\"3cc5ccd8-b416-4141-bb2d-4eba370e37a5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.5\",\"severity\":\"Medium\",\"query\":\"let OMIVulnerabilityPatchVersion = \\\"OMIVulnerabilityPatchVersion:1.13.40-0\\\";\\nHeartbeat\\n| where Category == \\\"Direct Agent\\\"\\n| summarize arg_max(TimeGenerated,*) by Computer\\n| parse strcat(\\\"Version:\\\" , Version) with * \\\"Version:\\\" Major:long \\\".\\\"\\nMinor:long \\\".\\\" Patch:long \\\"-\\\" *\\n| parse OMIVulnerabilityPatchVersion with * \\\"OMIVulnerabilityPatchVersion:\\\"\\nOMIVersionMajor:long \\\".\\\" OMIVersionMinor:long \\\".\\\" OMIVersionPatch:long \\\"-\\\" *\\n| where Major \u003cOMIVersionMajor or (Major==OMIVersionMajor and Minor\\n\u003cOMIVersionMinor) or (Major==OMIVersionMajor and Minor==OMIVersionMinor and\\nPatch\u003cOMIVersionPatch) \\n| project Version, Major,Minor,Patch,\\nComputer,ComputerIP,OSType,OSName,ResourceId\",\"customDetails\":{\"HostIp\":\"ComputerIP\",\"OSType\":\"OSType\",\"OSName\":\"OSName\"},\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceId\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"OMI Vulnerability Exploitation\",\"description\":\"Following the September 14th, 2021 release of three Elevation of Privilege (EoP) vulnerabilities (CVE-2021-38645, CVE-2021-38649, CVE-2021-38648) and one unauthenticated Remote Code Execution (RCE) vulnerability (CVE-2021-38647) in the Open Management Infrastructure (OMI) Framework.\\nThis detection validates that any OMS-agent that is reporting to the Microsoft Sentinel workspace is updated with the patch. The detection will go over the heartbeats received from all agents over the last day and will create alert for those agents who are not updated.\",\"lastUpdatedDateUTC\":\"2024-07-15T00:00:00Z\",\"createdDateUTC\":\"2021-09-23T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4d173248-439b-4741-8b37-f63ad0c896ae\",\"name\":\"4d173248-439b-4741-8b37-f63ad0c896ae\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Low\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ChiaCryptoIOC.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet process = (iocs | where Type =~ \\\"process\\\" | project IoC);\\n//This query uses sysmon data, sections that have - | where Source == \\\"Microsoft-Windows-Sysmon\\\" - may need to be updated with latest\\nWindowsEvent\\n| where EventID == \u00274688\u0027 and EventData has_any (process)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| where NewProcessName has_any (process)\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n , Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n , NewProcessId = tostring(EventData.NewProcessId)\\n| extend timestamp = TimeGenerated, Computer, Account, File = tostring(split(NewProcessName, \u0027\\\\\\\\\u0027, -1)[-1]), AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend FilePath = replace_string(NewProcessName, File, \u0027\u0027)\\n| project TimeGenerated, timestamp, File, AlertDetail, FilePath,Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type\\n| extend AccountCustomEntity = Account, HostCustomEntity = Computer, FileCustomEntity = File, FilePathCustomEntity = FilePath\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"FileCustomEntity\"},{\"identifier\":\"Directory\",\"columnName\":\"FilePathCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Chia_Crypto_Mining IOC - June 2021\",\"description\":\"Identifies a match across IOC\u0027s related to Chia cryptocurrency farming/plotting activity\",\"lastUpdatedDateUTC\":\"2022-12-13T00:00:00Z\",\"createdDateUTC\":\"2022-02-21T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ce1e7025-866c-41f3-9b08-ec170e05e73e\",\"name\":\"ce1e7025-866c-41f3-9b08-ec170e05e73e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"Medium\",\"query\":\"let SunburstURL=dynamic([\\\"panhardware.com\\\",\\\"databasegalore.com\\\",\\\"avsvmcloud.com\\\",\\\"freescanonline.com\\\",\\\"thedoccloud.com\\\",\\\"deftsecurity.com\\\"]);\\nDeviceNetworkEvents\\n| where ActionType == \\\"ConnectionSuccess\\\"\\n| where RemoteUrl in(SunburstURL)\\n| extend HashAlgorithm = \u0027MD5\u0027\\n| extend HostName = tostring(split(DeviceName, \\\".\\\")[0]), DomainIndex = toint(indexof(DeviceName, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(DeviceName, DomainIndex + 1), DeviceName)\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DeviceName\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingProcessAccountUpn\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatingProcessAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatingProcessAccountDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"RemoteIP\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"RemoteUrl\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"HashAlgorithm\"},{\"identifier\":\"Value\",\"columnName\":\"InitiatingProcessMD5\"}]}],\"tactics\":[\"Execution\",\"Persistence\",\"InitialAccess\"],\"displayName\":\"SUNBURST network beacons\",\"description\":\"Identifies SolarWinds SUNBURST domain beacon IOCs in DeviceNetworkEvents\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\",\"lastUpdatedDateUTC\":\"2024-04-04T00:00:00Z\",\"createdDateUTC\":\"2022-04-12T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/999e9f5d-db4a-4b07-a206-29c4e667b7e8\",\"name\":\"999e9f5d-db4a-4b07-a206-29c4e667b7e8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.8\",\"severity\":\"Medium\",\"query\":\"let HAS_ANY_MAX = 10000;\\nlet dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet DomainTIs= ThreatIntelligenceIndicator\\n // Picking up only IOC\u0027s that contain the entities we want\\n | where isnotempty(DomainName)\\n | where TimeGenerated \u003e= ago(ioc_lookBack)\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n | where Active == true and ExpirationDateTime \u003e now();\\nlet Domains = DomainTIs | where isnotempty(DomainName) |summarize NDomains=dcount(DomainName), DomainsList=make_set(DomainName) \\n | project DomainList = iff(NDomains \u003e HAS_ANY_MAX, dynamic([]), DomainsList) ;\\nDomainTIs\\n | join (\\n _Im_Dns(starttime=ago(dt_lookBack), domain_has_any=toscalar(Domains))\\n | extend DNS_TimeGenerated = TimeGenerated\\n) on $left.DomainName==$right.DnsQuery\\n| where DNS_TimeGenerated \u003c ExpirationDateTime\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, DNS_TimeGenerated, Dvc, SrcIpAddr, Domain, DnsQuery, DnsQueryType\\n| extend HostName = tostring(split(Dvc, \\\".\\\")[0]), DomainIndex = toint(indexof(Dvc, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Dvc, DomainIndex + 1), Dvc)\",\"customDetails\":{\"LatestIndicatorTime\":\"LatestIndicatorTime\",\"Description\":\"Description\",\"ActivityGroupNames\":\"ActivityGroupNames\",\"IndicatorId\":\"IndicatorId\",\"ThreatType\":\"ThreatType\",\"ExpirationDateTime\":\"ExpirationDateTime\",\"ConfidenceScore\":\"ConfidenceScore\",\"DNSRequestTime\":\"DNS_TimeGenerated\",\"SourceIPAddress\":\"SrcIpAddr\",\"DnsQuery\":\"DnsQuery\",\"QueryType\":\"DnsQueryType\"},\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Dvc\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"Domain\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"TI map Domain entity to Dns Events (ASIM DNS Schema)\",\"description\":\"Identifies a match in DNS events from any Domain IOC from TI\\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema\",\"lastUpdatedDateUTC\":\"2024-10-10T00:00:00Z\",\"createdDateUTC\":\"2021-09-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/70b12a3b-4896-42cb-910c-5ffaf8d7987d\",\"name\":\"70b12a3b-4896-42cb-910c-5ffaf8d7987d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"seoulhobi.biz\\\", \\\"reader.cash\\\", \\\"pieceview.club\\\", \\\"app-wallet.com\\\", \\\"bigwnet.com\\\", \\\"bitwoll.com\\\", \\\"cexrout.com\\\", \\\"change-pw.com\\\", \\\"checkprofie.com\\\", \\\"cloudwebappservice.com\\\", \\\"ctquast.com\\\", \\\"dataviewering.com\\\", \\\"day-post.com\\\", \\\"dialy-post.com\\\", \\\"documentviewingcom.com\\\", \\\"dovvn-mail.com\\\", \\\"down-error.com\\\", \\\"drivecheckingcom.com\\\", \\\"drog-service.com\\\", \\\"encodingmail.com\\\", \\\"filinvestment.com\\\", \\\"foldershareing.com\\\", \\\"golangapis.com\\\", \\\"hotrnall.com\\\", \\\"lh-logins.com\\\", \\\"login-use.com\\\", \\\"mail-down.com\\\", \\\"matmiho.com\\\", \\\"mihomat.com\\\", \\\"natwpersonal-online.com\\\", \\\"nidlogin.com\\\", \\\"nid-login.com\\\", \\\"nidlogon.com\\\", \\\"pw-change.com\\\", \\\"rnaii.com\\\", \\\"rnailm.com\\\", \\\"sec-live.com\\\", \\\"secrityprocessing.com\\\", \\\"securitedmode.com\\\", \\\"securytingmail.com\\\", \\\"set-login.com\\\", \\\"usrchecking.com\\\", \\\"com-serviceround.info\\\", \\\"mai1.info\\\", \\\"reviewer.mobi\\\", \\\"files-download.net\\\", \\\"fixcool.net\\\", \\\"hanrnaii.net\\\", \\\"office356-us.org\\\", \\\"smtper.org\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where isnotempty(FileHash)\\n| where DNSName in~ (DomainNames)\\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n),\\n(_Im_Dns (domain_has_any=DomainNames)\\n| extend DNSName = DnsQuery\\n| extend IPAddress = SrcIpAddr\\n),\\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where isnotempty(DNSName)\\n| where DNSName in~ (DomainNames)\\n| extend IPAddress = RemoteIp\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPCustomEntity = SourceHost \\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallNetworkRule\\\"\\n| where msg_s has_any (DomainNames)\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePortInt:int \\\" to \\\" TargetIP \\\":\\\" TargetPortInt:int *\\n| parse kind=regex flags=U msg_s with * \\\". Action\\\\\\\\: \\\" Action1a \\\"\\\\\\\\.\\\"\\n| parse msg_s with * \\\". Policy: \\\" Policy \\\". Rule Collection Group: \\\" RuleCollectionGroup \\\".\\\" *\\n| parse msg_s with * \\\" Rule Collection: \\\" RuleCollection \\\". Rule: \\\" Rule\\n| extend IPCustomEntity = SourceIP\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| where msg_s has_any (DomainNames)\\n| parse msg_s with \\\"DNS Request: \\\" SourceIP \\\":\\\" SourcePortInt:int \\\" - \\\" QueryID:int \\\" \\\" RequestType \\\" \\\" RequestClass \\\" \\\" hostname \\\". \\\" protocol \\\" \\\" details\\n| extend\\n ResponseDuration = extract(\\\"[0-9]*.?[0-9]+s$\\\", 0, msg_s),\\n SourcePort = tostring(SourcePortInt),\\n QueryID = tostring(QueryID)\\n| extend IPCustomEntity = SourceIP\\n| project TimeGenerated,SourceIP,hostname,RequestType,ResponseDuration,details,msg_s\\n| order by TimeGenerated\\n),\\n(AZFWApplicationRule\\n| where Fqdn has_any (DomainNames)\\n| extend IPCustomEntity = SourceIp\\n),\\n(AZFWDnsQuery\\n| where isnotempty(QueryName)\\n| where QueryName has_any (DomainNames)\\n| extend DNSName = QueryName\\n| extend IPCustomEntity = SourceIp\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"CredentialAccess\"],\"displayName\":\"[Deprecated] - Emerald Sleet domains included in DCU takedown\",\"description\":\"This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft\u0027s Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2020-01-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\",\"AZFWApplicationRule\",\"AZFWDnsQuery\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9713e3c0-1410-468d-b79e-383448434b2d\",\"name\":\"9713e3c0-1410-468d-b79e-383448434b2d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.4.2\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h; // Look back 1 hour for VMConnection events\\nlet ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators\\n// Fetch threat intelligence indicators related to IP addresses\\nlet IP_Indicators = ThreatIntelligenceIndicator\\n | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n | where TimeGenerated \u003e= ago(ioc_lookBack)\\n | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \\\"fe80\\\" and TI_ipEntity !startswith \\\"::\\\" and TI_ipEntity !startswith \\\"127.\\\"\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n | where Active == true and ExpirationDateTime \u003e now();\\n// Perform a join between IP indicators and VMConnection events\\nIP_Indicators\\n // Use innerunique to keep performance fast and result set low, as we only need one match to indicate potential malicious activity that needs investigation\\n | join kind=innerunique (\\n VMConnection\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | extend VMConnection_TimeGenerated = TimeGenerated\\n )\\n on $left.TI_ipEntity == $right.RemoteIp\\n // Filter out VMConnection events that occurred after the expiration of the corresponding indicator\\n | where VMConnection_TimeGenerated \u003c ExpirationDateTime\\n // Group the results by IndicatorId and keep the VMConnection event with the latest timestamp\\n | summarize VMConnection_TimeGenerated = arg_max(VMConnection_TimeGenerated, *) by IndicatorId, RemoteIp\\n // Select the desired output fields\\n | project VMConnection_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\n TI_ipEntity, Computer, Direction, ProcessName, SourceIp, DestinationIp, RemoteIp, Protocol, DestinationPort, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, Type\\n | extend timestamp = VMConnection_TimeGenerated, HostName = tostring(split(Computer, \u0027.\u0027, 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Computer, \u0027.\u0027), 1, -1), \u0027.\u0027))\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"RemoteIp\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"TI Map IP Entity to VMConnection\",\"description\":\"This query maps any IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in VMConnection.\",\"lastUpdatedDateUTC\":\"2024-07-09T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/610d3850-c26f-4f20-8d86-f10fdf2425f5\",\"name\":\"610d3850-c26f-4f20-8d86-f10fdf2425f5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Low\",\"query\":\"let EventNameList = dynamic([\\\"UpdateTrail\\\",\\\"DeleteTrail\\\",\\\"StopLogging\\\",\\\"DeleteFlowLogs\\\",\\\"DeleteEventBus\\\"]);\\nAWSCloudTrail\\n| where EventName in~ (EventNameList)\\n| extend UserIdentityArn = iif(isempty(UserIdentityArn), tostring(parse_json(Resources)[0].ARN), UserIdentityArn)\\n| extend UserName = tostring(split(UserIdentityArn, \u0027/\u0027)[-1])\\n| extend AccountName = case( UserIdentityPrincipalid == \\\"Anonymous\\\", \\\"Anonymous\\\", isempty(UserIdentityUserName), UserName, UserIdentityUserName)\\n| extend AccountName = iif(AccountName contains \\\"@\\\", tostring(split(AccountName, \u0027@\u0027, 0)[0]), AccountName),\\n AccountUPNSuffix = iif(AccountName contains \\\"@\\\", tostring(split(AccountName, \u0027@\u0027, 1)[0]), \\\"\\\")\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, RecipientAccountId, AccountName, AccountUPNSuffix, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent,\\nUserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion, EventSource\\n| extend timestamp = StartTimeUtc\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"},{\"identifier\":\"CloudAppAccountId\",\"columnName\":\"RecipientAccountId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIpAddress\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Changes made to AWS CloudTrail logs\",\"description\":\"Attackers often try to hide their steps by deleting or stopping the collection of logs that could show their activity.\\nThis alert identifies any manipulation of AWS CloudTrail, Cloudwatch/EventBridge or VPC Flow logs.\\nMore Information: AWS CloudTrail API: https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_Operations.html \\nAWS Cloudwatch/Eventbridge API: https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_Operations.html \\nAWS DelteteFlowLogs API : https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteFlowLogs.html \u0027 \",\"lastUpdatedDateUTC\":\"2024-07-15T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ac9e233e-44d4-45eb-b522-6e47445f6582\",\"name\":\"ac9e233e-44d4-45eb-b522-6e47445f6582\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"Medium\",\"query\":\"imRegistry\\n | where EventType in (\\\"RegistryValueSet\\\", \\\"RegistryKeyCreated\\\")\\n | where RegistryKey has \\\"Software\\\\\\\\Classes\\\\\\\\ms-settings\\\\\\\\shell\\\\\\\\open\\\\\\\\command\\\"\\n | extend TimeKey = bin(TimeGenerated, 1h)\\n | join (imProcess\\n | where Process endswith \\\"fodhelper.exe\\\"\\n | where ParentProcessName endswith \\\"cmd.exe\\\" or ParentProcessName endswith \\\"powershell.exe\\\" or ParentProcessName endswith \\\"powershell_ise.exe\\\"\\n | extend TimeKey = bin(TimeGenerated, 1h)) on TimeKey, Dvc\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DvcHostname\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DvcIpAddr\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ActorUsername\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Potential Fodhelper UAC Bypass (ASIM Version)\",\"description\":\"This detection looks for the steps required to conduct a UAC bypass using Fodhelper.exe. By default this detection looks for the setting of the required registry keys and the invoking of the process within 1 hour - this can be tweaked as required.\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2022-02-25T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/84cf1d59-f620-4fee-b569-68daf7008b7b\",\"name\":\"84cf1d59-f620-4fee-b569-68daf7008b7b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"let threshold = 10;\\nQualysHostDetection_CL\\n| mv-expand todynamic(Detections_s)\\n| extend Status = tostring(Detections_s.Status), Vulnerability = tostring(Detections_s.Results), Severity = tostring(Detections_s.Severity)\\n| where Status =~ \\\"New\\\" and Severity == \\\"5\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), dcount(NetBios_s) by tostring(Detections_s.QID)\\n| where dcount_NetBios_s \u003e= threshold\\n| extend timestamp = StartTime\",\"entityMappings\":[],\"tactics\":[\"InitialAccess\"],\"displayName\":\"New High Severity Vulnerability Detected Across Multiple Hosts\",\"description\":\"This creates an incident when a new high severity vulnerability is detected across multilple hosts\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2020-06-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"QualysVulnerabilityManagement\",\"dataTypes\":[\"QualysHostDetection_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1ce5e766-26ab-4616-b7c8-3b33ae321e80\",\"name\":\"1ce5e766-26ab-4616-b7c8-3b33ae321e80\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.5\",\"severity\":\"Medium\",\"query\":\"//Adjust this threshold to fit environment\\nlet signin_threshold = 5; \\n//Make a list of IPs with failed Windows host logins above threshold\\nlet win_fails = \\nSecurityEvent\\n| where EventID == 4625\\n| where LogonType in (10, 7, 3)\\n| where IpAddress != \\\"-\\\"\\n| summarize count() by IpAddress\\n| where count_ \u003e signin_threshold\\n| summarize make_list(IpAddress);\\nlet wef_fails =\\nWindowsEvent\\n| where EventID == 4625\\n| extend LogonType = tostring(EventData.LogonType)\\n| where LogonType in (10, 7, 3)\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| where IpAddress != \\\"-\\\"\\n| summarize count() by IpAddress\\n| where count_ \u003e signin_threshold\\n| summarize make_list(IpAddress);\\n//Make a list of IPs with failed *nix host logins above threshold\\nlet nix_fails = \\nSyslog\\n| where Facility contains \u0027auth\u0027 and ProcessName != \u0027sudo\u0027 and SyslogMessage has \u0027from\u0027 and not(SyslogMessage has_any (\u0027Disconnecting\u0027, \u0027Disconnected\u0027, \u0027Accepted\u0027, \u0027disconnect\u0027, @\u0027[preauth]\u0027))\\n| extend SourceIP = extract(\\\"(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.(([0-9]{1,3})))\\\",1,SyslogMessage)\\n| where SourceIP != \\\"\\\" and SourceIP != \\\"127.0.0.1\\\"\\n| summarize count() by SourceIP\\n| where count_ \u003e signin_threshold\\n| summarize make_list(SourceIP);\\n//See if any of the IPs with failed host logins hve had a sucessful Azure AD login\\nlet aadFunc = (tableName:string){\\ntable(tableName)\\n| where ResultType in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n| where IPAddress in (win_fails) or IPAddress in (nix_fails) or IPAddress in (wef_fails)\\n| extend Reason= \\\"Multiple failed host logins from IP address with successful Azure AD login\\\"\\n| extend timestamp = TimeGenerated, Type = Type\\n| extend AccountName = tostring(split(UserPrincipalName, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(UserPrincipalName, \\\"@\\\")[1])\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]}],\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"Failed host logons but success logon to AzureAD\",\"description\":\"Identifies a list of IP addresses with a minimum number(default of 5) of failed logon attempts to remote hosts.\\nUses that list to identify any successful logons to Microsoft Entra ID from these IPs within the same timeframe.\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2019-08-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8c2ef238-67a0-497d-b1dd-5c8a0f533e25\",\"name\":\"8c2ef238-67a0-497d-b1dd-5c8a0f533e25\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Low\",\"query\":\"let EventNameList = dynamic([\\\"AuthorizeDBSecurityGroupIngress\\\",\\\"CreateDBSecurityGroup\\\",\\\"DeleteDBSecurityGroup\\\",\\\"RevokeDBSecurityGroupIngress\\\"]);\\nAWSCloudTrail\\n| where EventName in~ (EventNameList)\\n| extend UserIdentityArn = iif(isempty(UserIdentityArn), tostring(parse_json(Resources)[0].ARN), UserIdentityArn)\\n| extend UserName = tostring(split(UserIdentityArn, \u0027/\u0027)[-1])\\n| extend AccountName = case( UserIdentityPrincipalid == \\\"Anonymous\\\", \\\"Anonymous\\\", isempty(UserIdentityUserName), UserName, UserIdentityUserName)\\n| extend AccountName = iif(AccountName contains \\\"@\\\", tostring(split(AccountName, \u0027@\u0027, 0)[0]), AccountName),\\n AccountUPNSuffix = iif(AccountName contains \\\"@\\\", tostring(split(AccountName, \u0027@\u0027, 1)[0]), \\\"\\\")\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, RecipientAccountId, AccountName, AccountUPNSuffix, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, UserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion, EventSource, AdditionalEventData, ResponseElements\\n| extend timestamp = StartTimeUtc\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"},{\"identifier\":\"CloudAppAccountId\",\"columnName\":\"RecipientAccountId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIpAddress\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Changes to internet facing AWS RDS Database instances\",\"description\":\"Amazon Relational Database Service (RDS) is scalable relational database in the cloud.\\nIf your organization have one or more AWS RDS Databases running, monitoring changes to especially internet facing AWS RDS (Relational Database Service)\\nOnce alerts triggered, validate if changes observed are authorized and adhere to change control policy.\\nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255 \\nand RDS API Reference Docs: https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_Operations.html\",\"lastUpdatedDateUTC\":\"2024-03-27T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3b9a44d7-c651-45ed-816c-eae583a6f2f1\",\"name\":\"3b9a44d7-c651-45ed-816c-eae583a6f2f1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"Medium\",\"query\":\"let lookback = 14d;\\nlet timeframe = 1d;\\nlet historical_data =\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(lookback) and TimeGenerated \u003c ago(timeframe)\\n| where OperationName =~ \\\"Library.VariableGroupModified\\\"\\n| extend variables = Data.Variables\\n| extend VariableGroupId = tostring(Data.VariableGroupId)\\n| extend UserKey = strcat(VariableGroupId, \\\"-\\\", ActorUserId)\\n| project UserKey;\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeframe)\\n| where OperationName =~ \\\"Library.VariableGroupModified\\\"\\n| extend VariableGroupName = tostring(Data.VariableGroupName)\\n| extend VariableGroupId = tostring(Data.VariableGroupId)\\n| extend UserKey = strcat(VariableGroupId, \\\"-\\\", ActorUserId)\\n| where UserKey !in (historical_data)\\n| project-away UserKey\\n| project-reorder TimeGenerated, VariableGroupName, ActorUPN, IpAddress, UserAgent\\n| extend timestamp = TimeGenerated\\n| extend AccountName = tostring(split(ActorUPN, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(ActorUPN, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ActorUPN\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure DevOps Build Variable Modified by New User\",\"description\":\"Variables can be configured and used at any stage of the build process in Azure DevOps to inject values. An attacker with the required permissions could modify or add to these variables to conduct malicious activity such as changing paths or remote endpoints called during the build.\\nAs variables are often changed by users, just detecting these changes would have a high false positive rate. This detection looks for modifications to variable groups where that user has not been observed modifying them before.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/572f3951-5fa3-4e42-9640-fe194d859419\",\"name\":\"572f3951-5fa3-4e42-9640-fe194d859419\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"let timeframe = 1h;\\nlet lookback = 7d;\\nlet known_useragents = dynamic([]);\\nDynamics365Activity\\n| where TimeGenerated \u003e ago(timeframe)\\n| extend Message = tostring(split(OriginalObjectId, \u0027 \u0027)[0])\\n| where Message =~ \\\"UserSignIn\\\"\\n| extend IPAddress = tostring(split(ClientIP, \\\":\\\")[0])\\n| where isnotempty(UserAgent)\\n// Exclude user agents with a render agent to reduce noise\\n| where UserAgent has_any (\\\"Gecko\\\", \\\"WebKit\\\", \\\"Presto\\\", \\\"Trident\\\", \\\"EdgeHTML\\\", \\\"Blink\\\")\\n| join kind=leftanti(\\nOfficeActivity\\n| where TimeGenerated \u003e ago(lookback)\\n| where UserAgent !in~ (known_useragents))\\non UserAgent\\n| summarize MostRecentActivity=max(TimeGenerated), IPs=make_set(IPAddress), Users=make_set(UserId), Actions=make_set(OriginalObjectId) by UserAgent\\n| extend timestamp = MostRecentActivity\",\"entityMappings\":[],\"tactics\":[\"InitialAccess\"],\"displayName\":\"New Office User Agent in Dynamics 365\",\"description\":\"Detects users accessing Dynamics from a User Agent that has not been seen in any Office 365 workloads in the last 7 days. Has configurable filter for known good user agents such as PowerApps.\",\"lastUpdatedDateUTC\":\"2022-12-12T00:00:00Z\",\"createdDateUTC\":\"2021-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Dynamics365\",\"dataTypes\":[\"Dynamics365Activity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/269435e3-1db8-4423-9dfc-9bf59997da1c\",\"name\":\"269435e3-1db8-4423-9dfc-9bf59997da1c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.6\",\"severity\":\"Low\",\"query\":\"AuditLogs\\n| where Category =~ \\\"RoleManagement\\\"\\n| where OperationName has \\\"Add member to role outside of PIM\\\"\\n or (LoggedByService =~ \\\"Core Directory\\\" and OperationName =~ \\\"Add member to role\\\" and Identity != \\\"MS-PIM\\\" and Identity != \\\"MS-PIM-Fairfax\\\")\\n| mv-apply TargetResource = TargetResources on \\n (\\n where TargetResource.type =~ \\\"User\\\"\\n | extend TargetUserPrincipalName = tostring(TargetResource.userPrincipalName)\\n )\\n| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n| extend InitiatingIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\\n| extend TargetName = tostring(split(TargetUserPrincipalName,\u0027@\u0027,0)[0]), TargetUPNSuffix = tostring(split(TargetUserPrincipalName,\u0027@\u0027,1)[0])\\n| extend InitiatedByName = tostring(split(InitiatingUserPrincipalName,\u0027@\u0027,0)[0]), InitiatedByUPNSuffix = tostring(split(InitiatingUserPrincipalName,\u0027@\u0027,1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatedByName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatedByUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"TargetName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"TargetUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAppServicePrincipalId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIpAddress\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Privileged Role Assigned Outside PIM\",\"description\":\"Identifies a privileged role being assigned to a user outside of PIM\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1\",\"lastUpdatedDateUTC\":\"2024-10-18T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bff058b2-500e-4ae5-bb49-a5b1423cbd5b\",\"name\":\"bff058b2-500e-4ae5-bb49-a5b1423cbd5b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.1.1\",\"severity\":\"Low\",\"query\":\"let fileAccessThrehold = 10;\\nOfficeActivity\\n| where OfficeWorkload =~ \\\"MicrosoftTeams\\\"\\n| where Operation =~ \\\"MemberAdded\\\"\\n| extend MemberAdded = tostring(parse_json(Members)[0].UPN)\\n| where MemberAdded contains (\\\"#EXT#\\\")\\n| project TimeAdded=TimeGenerated, Operation, MemberAdded, UserWhoAdded = UserId, TeamName\\n| join kind = inner (\\n OfficeActivity\\n | where OfficeWorkload =~ \\\"MicrosoftTeams\\\"\\n | where Operation =~ \\\"MemberRemoved\\\"\\n | extend MemberAdded = tostring(parse_json(Members)[0].UPN)\\n | where MemberAdded contains (\\\"#EXT#\\\")\\n | project TimeDeleted=TimeGenerated, Operation, MemberAdded, UserWhoDeleted = UserId, TeamName\\n ) on MemberAdded\\n| where TimeDeleted \u003e TimeAdded\\n| join kind=inner (\\n OfficeActivity\\n | where RecordType == \\\"SharePointFileOperation\\\"\\n | where SourceRelativeUrl has \\\"Microsoft Teams Chat Files\\\"\\n | where Operation == \\\"FileUploaded\\\"\\n | extend MemberAdded = UserId\\n | join kind = inner (\\n OfficeActivity\\n | where RecordType == \\\"SharePointFileOperation\\\"\\n | where Operation == \\\"FileAccessed\\\"\\n | where SourceRelativeUrl has \\\"Microsoft Teams Chat Files\\\"\\n | summarize FileAccessCount = count() by OfficeObjectId\\n | where FileAccessCount \u003e fileAccessThrehold\\n ) on $left.OfficeObjectId == $right.OfficeObjectId\\n )on MemberAdded\\n| project-away MemberAdded1, MemberAdded2, OfficeObjectId1, Operation1, Operation2, TeamName1, TeamName2\\n| extend MemberAddedAccountName = tostring(split(MemberAdded, \\\"@\\\")[0]), MemberAddedAccountUPNSuffix = tostring(split(MemberAdded, \\\"@\\\")[1])\\n| extend UserWhoAddedAccountName = tostring(split(UserWhoAdded, \\\"@\\\")[0]), UserWhoAddedAccountUPNSuffix = tostring(split(UserWhoAdded, \\\"@\\\")[1])\\n| extend UserWhoDeletedAccountName = tostring(split(UserWhoDeleted, \\\"@\\\")[0]), UserWhoDeletedAccountUPNSuffix = tostring(split(UserWhoDeleted, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"MemberAdded\"},{\"identifier\":\"Name\",\"columnName\":\"MemberAddedAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"MemberAddedAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserWhoAdded\"},{\"identifier\":\"Name\",\"columnName\":\"UserWhoAddedAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UserWhoAddedAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserWhoDeleted\"},{\"identifier\":\"Name\",\"columnName\":\"UserWhoDeletedAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UserWhoDeletedAccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Accessed files shared by temporary external user\",\"description\":\"This detection identifies when an external user is added to a Team or Teams chat and shares a file which is accessed by many users (\u003e10) and the users is removed within short period of time. This might be an indicator of suspicious activity.\",\"lastUpdatedDateUTC\":\"2024-10-28T00:00:00Z\",\"createdDateUTC\":\"2020-08-18T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity (Teams)\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity (SharePoint)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c1faf5e8-6958-11ec-90d6-0242ac120003\",\"name\":\"c1faf5e8-6958-11ec-90d6-0242ac120003\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n| where EventID == 4720 and TargetUserName endswith \\\"$\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Computer, SubjectUserName, SubjectDomainName, SubjectAccount, SubjectUserSid, SubjectLogonId, \\nTargetUserName, TargetDomainName, TargetAccount, TargetSid, UserPrincipalName\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| project-away DomainIndex\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SubjectAccount\"},{\"identifier\":\"Name\",\"columnName\":\"SubjectUserName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"SubjectDomainName\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Sid\",\"columnName\":\"SubjectUserSid\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetAccount\"},{\"identifier\":\"Name\",\"columnName\":\"TargetUserName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"TargetDomainName\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Sid\",\"columnName\":\"TargetSid\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Fake computer account created\",\"description\":\"This query detects domain user accounts creation (event ID 4720) where the username ends with $. \\nAccounts that end with $ are normally domain computer accounts and when they are created the event ID 4741 is generated instead.\\nRef: https://blog.menasec.net/2019/02/threat-hunting-6-hiding-in-plain-sights.html\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2021-12-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b12b3dab-d973-45af-b07e-e29bb34d8db9\",\"name\":\"b12b3dab-d973-45af-b07e-e29bb34d8db9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Medium\",\"query\":\"let timeframe = 15m;\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(timeframe)\\n| where HttpUserAgentOriginal contains \\\"WindowsPowerShell\\\"\\n| extend Message = \\\"Windows PowerShell User Agent\\\"\\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated,HttpUserAgentOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlOriginal\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]}],\"tactics\":[\"CommandAndControl\",\"DefenseEvasion\"],\"displayName\":\"Cisco Umbrella - Windows PowerShell User-Agent Detected\",\"description\":\"Rule helps to detect Powershell user-agent activity by an unusual process other than a web browser.\",\"lastUpdatedDateUTC\":\"2023-12-29T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/68271db2-cbe9-4009-b1d3-bb3b5fe5713c\",\"name\":\"68271db2-cbe9-4009-b1d3-bb3b5fe5713c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"Low\",\"query\":\"let User_Agents = dynamic ([\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70\\\", \\n\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.1 Safari/605.1.15\\\", \\n\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0\\\", \\n\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36\\\", \\n\\\"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36\\\"]);\\nOfficeActivity\\n| where RecordType in (\\\"AzureActiveDirectoryAccountLogon\\\", \\\"AzureActiveDirectoryStsLogon\\\") \\n| where Operation != \u0027UserLoggedIn\u0027\\n| extend UserAgent = iff(parse_json(ExtendedProperties)[0].Name =~ \\\"UserAgent\\\", extractjson(\\\"$[0].Value\\\", ExtendedProperties, typeof(string)),\\\"\\\")\\n| mv-expand parse_json(ExtendedProperties)\\n| where ExtendedProperties.Name =~ \\\"RequestType\\\"\\n| extend RequestType = todynamic(ExtendedProperties).Value\\n| where UserAgent =~ \\\"ms-office\\\" or UserAgent has_any (User_Agents)\\n| summarize authAttempts=dcount(TimeGenerated), firstAttempt=min(TimeGenerated), lastAttempt=max(TimeGenerated), uniqueIPs=dcount(ClientIP), uniqueAccounts=dcount(UserId), attemptedAccounts=make_set(UserId) by UserAgent\\n| where authAttempts \u003e 500\\n| extend timestamp = firstAttempt\\n| sort by uniqueAccounts\",\"entityMappings\":[],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"[Deprecated] - Possible Forest Blizzard attempted credential harvesting - Oct 2020\",\"description\":\"This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft\u0027s Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2020-09-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4ca74dc0-8352-4ac5-893c-73571cc78331\",\"name\":\"4ca74dc0-8352-4ac5-893c-73571cc78331\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"let keywords = dynamic([\\\"secret\\\", \\\"secrets\\\", \\\"password\\\", \\\"PAT\\\", \\\"passwd\\\", \\\"pswd\\\", \\\"pwd\\\", \\\"cred\\\", \\\"creds\\\", \\\"credentials\\\", \\\"credential\\\", \\\"key\\\"]);\\nAzureDevOpsAuditing\\n| where OperationName =~ \\\"Library.VariableGroupModified\\\"\\n| extend Type = tostring(Data.Type)\\n| extend VariableGroupId = tostring(Data.VariableGroupId)\\n| extend VariableGroupName = tostring(Data.VariableGroupName)\\n| mv-expand Data.Variables\\n| where VariableGroupName has_any (keywords) or Data_Variables has_any (keywords)\\n| where Type != \\\"AzureKeyVault\\\"\\n| where Data_Variables !has \\\"IsSecret\\\"\\n| extend timestamp = TimeGenerated\\n| extend AccountName = tostring(split(ActorUPN, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(ActorUPN, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ActorUPN\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Azure DevOps Variable Secret Not Secured\",\"description\":\"Credentials used in the build process may be stored as Azure DevOps variables. To secure these variables they should be stored in KeyVault or marked as Secrets. \\nThis detection looks for new variables added with names that suggest they are credentials but where they are not set as Secrets or stored in KeyVault.\",\"lastUpdatedDateUTC\":\"2024-03-13T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3533f74c-9207-4047-96e2-0eb9383be587\",\"name\":\"3533f74c-9207-4047-96e2-0eb9383be587\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Low\",\"query\":\"let detectionTime = 1d;\\nlet joinLookback = 14d;\\nAuditLogs\\n| where TimeGenerated \u003e ago(detectionTime)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Consent to application\\\"\\n| where TargetResources has \\\"offline\\\"\\n| mv-apply TargetResource=TargetResources on \\n (\\n where TargetResource.type =~ \\\"ServicePrincipal\\\"\\n | extend ModifiedProperties = TargetResource.modifiedProperties,\\n AppDisplayName = tostring(TargetResource.displayName),\\n AppClientId = tolower(tostring(TargetResource.id))\\n )\\n| where AppClientId !in ((externaldata(knownAppClientId:string, knownAppDisplayName:string)[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.OAuth.KnownApplications.csv\\\"] with (format=\\\"csv\\\")))\\n| mv-apply Properties=ModifiedProperties on \\n (\\n where Properties.displayName =~ \\\"ConsentAction.Permissions\\\"\\n | extend ConsentFull = tostring(Properties.newValue)\\n | extend ConsentFull = trim(@\u0027\\\"\u0027,tostring(ConsentFull))\\n )\\n| parse ConsentFull with * \\\"ConsentType: \\\" GrantConsentType \\\", Scope: \\\" GrantScope1 \\\"]\\\" *\\n| where ConsentFull has \\\"offline_access\\\" and ConsentFull has_any (\\\"Files.Read\\\", \\\"Mail.Read\\\", \\\"Notes.Read\\\", \\\"ChannelMessage.Read\\\", \\\"Chat.Read\\\", \\\"TeamsActivity.Read\\\", \\\"Group.Read\\\", \\\"EWS.AccessAsUser.All\\\", \\\"EAS.AccessAsUser.All\\\")\\n| where GrantConsentType != \\\"AllPrincipals\\\" // NOTE: we are ignoring if OAuth application was granted to all users via an admin - but admin due diligence should be audited occasionally\\n| extend GrantInitiatedByAppName = tostring(InitiatedBy.app.displayName)\\n| extend GrantInitiatedByAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n| extend GrantInitiatedByUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n| extend GrantInitiatedByAadUserId = tostring(InitiatedBy.user.id)\\n| extend GrantIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n| extend GrantInitiatedBy = iff(isnotempty(GrantInitiatedByUserPrincipalName), GrantInitiatedByUserPrincipalName, GrantInitiatedByAppName)\\n| extend GrantUserAgent = tostring(iff(AdditionalDetails[0].key =~ \\\"User-Agent\\\", AdditionalDetails[0].value, \\\"\\\"))\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, GrantInitiatedByUserPrincipalName, GrantInitiatedByAadUserId, GrantInitiatedByAppName, GrantInitiatedByAppServicePrincipalId, GrantIpAddress, GrantUserAgent, AppClientId, OperationName, ConsentFull, CorrelationId\\n| join kind = leftouter (AuditLogs\\n| where TimeGenerated \u003e ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add service principal\\\"\\n| mv-apply TargetResource=TargetResources on \\n (\\n where TargetResource.type =~ \\\"ServicePrincipal\\\"\\n | extend ModifiedProperties = TargetResource.modifiedProperties,\\n AppClientId = tolower(TargetResource.id)\\n )\\n| mv-apply ModifiedProperties=TargetResource.modifiedProperties on \\n (\\n where ModifiedProperties.displayName =~ \\\"AppAddress\\\" and ModifiedProperties.newValue has \\\"AddressType\\\"\\n | extend AppReplyURLs = ModifiedProperties.newValue\\n )\\n | distinct AppClientId, tostring(AppReplyURLs)\\n)\\non AppClientId\\n| join kind = innerunique (AuditLogs\\n| where TimeGenerated \u003e ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add OAuth2PermissionGrant\\\" or OperationName =~ \\\"Add delegated permission grant\\\"\\n | mv-apply TargetResource=TargetResources on \\n (\\n where TargetResource.type =~ \\\"ServicePrincipal\\\" and array_length(TargetResource.modifiedProperties) \u003e 0 and isnotnull(TargetResource.displayName)\\n | extend GrantAuthentication = tostring(TargetResource.displayName)\\n )\\n| extend GrantOperation = OperationName\\n| project GrantAuthentication, GrantOperation, CorrelationId\\n) on CorrelationId\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantInitiatedByUserPrincipalName, GrantInitiatedByAadUserId, GrantInitiatedByAppName, GrantInitiatedByAppServicePrincipalId, GrantIpAddress, GrantUserAgent, AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull\\n| extend Name = tostring(split(GrantInitiatedByUserPrincipalName,\u0027@\u0027,0)[0]), UPNSuffix = tostring(split(GrantInitiatedByUserPrincipalName,\u0027@\u0027,1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"GrantInitiatedByUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"GrantInitiatedByAadUserId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"GrantInitiatedByAppServicePrincipalId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"GrantIpAddress\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Suspicious application consent for offline access\",\"description\":\"This will alert when a user consents to provide a previously-unknown Azure application with offline access via OAuth.\\nOffline access will provide the Azure App with access to the listed resources without requiring two-factor authentication.\\nConsent to applications with offline access and read capabilities should be rare, especially as the knownApplications list is expanded. Public contributions to expand this filter are welcome!\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2024-01-09T00:00:00Z\",\"createdDateUTC\":\"2020-06-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d0aa8969-1bbe-4da3-9e76-09e5f67c9d85\",\"name\":\"d0aa8969-1bbe-4da3-9e76-09e5f67c9d85\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.2\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h; // Look back 1 hour for AzureDiagnostics logs\\nlet ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators\\n// Fetch threat intelligence indicators related to IP addresses\\nlet IP_Indicators = ThreatIntelligenceIndicator\\n | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n | where TimeGenerated \u003e= ago(ioc_lookBack)\\n | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \\\"fe80\\\" and TI_ipEntity !startswith \\\"::\\\" and TI_ipEntity !startswith \\\"127.\\\"\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n | where Active == true and ExpirationDateTime \u003e now();\\n// Perform a join between IP indicators and AzureDiagnostics logs for SQL Security Audit events\\nIP_Indicators\\n // Use innerunique to keep performance fast and result set low, as we only need one match to indicate potential malicious activity that needs investigation\\n | join kind=innerunique (\\n AzureDiagnostics\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where ResourceProvider == \u0027MICROSOFT.SQL\u0027\\n | where Category == \u0027SQLSecurityAuditEvents\u0027\\n | extend SQLSecurityAuditEvents_TimeGenerated = TimeGenerated\\n | extend ClientIP = column_ifexists(\\\"client_ip_s\\\", \\\"Not Available\\\")\\n | extend Action = column_ifexists(\\\"action_name_s\\\", \\\"Not Available\\\")\\n | extend Application = column_ifexists(\\\"application_name_s\\\", \\\"Not Available\\\")\\n | extend HostName = column_ifexists(\\\"host_name_s\\\", \\\"Not Available\\\")\\n )\\n on $left.TI_ipEntity == $right.ClientIP\\n // Filter out logs that occurred after the expiration of the corresponding indicator\\n | where SQLSecurityAuditEvents_TimeGenerated \u003c ExpirationDateTime\\n // Group the results by IndicatorId and ClientIP, and keep the log entry with the latest timestamp\\n | summarize SQLSecurityAuditEvents_TimeGenerated = arg_max(SQLSecurityAuditEvents_TimeGenerated, *) by IndicatorId, ClientIP\\n // Select the desired output fields\\n | project SQLSecurityAuditEvents_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\n TI_ipEntity, ResourceId, ClientIP, Action, Application, HostName, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, Type\\n // Rename the timestamp field\\n | extend timestamp = SQLSecurityAuditEvents_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"TI Map IP Entity to Azure SQL Security Audit Events\",\"description\":\"This query maps any IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in SQL Security Audit Events.\",\"lastUpdatedDateUTC\":\"2024-07-09T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureSql\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6dd2629c-534b-4275-8201-d7968b4fa77e\",\"name\":\"6dd2629c-534b-4275-8201-d7968b4fa77e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"SecurityEvent\\n| where EventID == 4657\\n| extend EventData = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, TargetAccount, Computer, EventSourceName, Channel, Task, Level, EventID, Activity, TargetLogonId, SourceComputerId, EventOriginId, Type, _ResourceId, TenantId, SourceSystem, ManagementGroupName, IpAddress, Account)\\n| extend ObjectName = column_ifexists(\u0027ObjectName\u0027, \\\"\\\"), OperationType = column_ifexists(\u0027OperationType\u0027, \\\"\\\"), ObjectValueName = column_ifexists(\u0027ObjectValueName\u0027, \\\"\\\")\\n| where ObjectName has \u0027Schedule\\\\\\\\TaskCache\\\\\\\\Tree\u0027 and ObjectValueName == \\\"SD\\\" and OperationType == \\\"%%1906\\\" // %%1906 - Registry value deleted\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| extend AccountName = tostring(split(TargetAccount, @\u0027\\\\\u0027)[1]), AccountNTDomain = tostring(split(TargetAccount, @\u0027\\\\\u0027)[0])\\n| extend timestamp = TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetAccount\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Scheduled Task Hide\",\"description\":\"This query detects attempts by malware to hide the scheduled task by deleting the SD (Security Descriptor) value. Removal of SD value results in the scheduled task disappearing from schtasks /query and Task Scheduler.\\n The query requires auditing to be turned on for HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tree registry hive as well as audit policy for registry auditing to be turned on.\\n Reference: https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/\\n Reference: https://4sysops.com/archives/audit-changes-in-the-windows-registry/\",\"lastUpdatedDateUTC\":\"2024-03-13T00:00:00Z\",\"createdDateUTC\":\"2022-04-12T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b8b8ba09-1e89-45a1-8bd7-691cd23bfa32\",\"name\":\"b8b8ba09-1e89-45a1-8bd7-691cd23bfa32\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"High\",\"query\":\"let query_frequency = 15m;\\nlet missing_period = 1h;\\n//Enter a reference list of hostnames for your DC servers\\nlet DCServersList = dynamic ([\\\"DC01.simulandlabs.com\\\",\\\"DC02.simulandlabs.com\\\"]);\\n//Alternatively, a Watchlist can be used\\n//let DCServersList = _GetWatchlist(\u0027HostName-DomainControllers\u0027) | project HostName;\\nHeartbeat\\n| summarize arg_max(TimeGenerated, *) by Computer\\n| where Computer in (DCServersList)\\n//You may specify the OS type of your Domain Controllers\\n//| where OSType == \u0027Windows\u0027\\n| where TimeGenerated between (ago(query_frequency + missing_period) .. ago(missing_period))\\n| project TimeGenerated, Computer, OSType, Version, ComputerEnvironment, Type, Solutions\\n| sort by TimeGenerated asc\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"Impact\",\"DefenseEvasion\"],\"displayName\":\"Missing Domain Controller Heartbeat\",\"description\":\"This detection will go over the heartbeats received from the agents of Domain Controllers over the last hour, and will create alerts if the last heartbeats were received an hour ago.\",\"lastUpdatedDateUTC\":\"2024-07-15T00:00:00Z\",\"createdDateUTC\":\"2021-11-23T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/074ce265-f684-41cd-af07-613c5f3e6d0d\",\"name\":\"074ce265-f684-41cd-af07-613c5f3e6d0d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.6.1\",\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"irf.services\\\",\\\"microsoft-onthehub.com\\\",\\\"msofficelab.com\\\",\\\"com-mailbox.com\\\",\\\"my-sharefile.com\\\",\\\"my-sharepoints.com\\\",\\n\\\"accounts-web-mail.com\\\",\\\"customer-certificate.com\\\",\\\"session-users-activities.com\\\",\\\"user-profile-credentials.com\\\",\\\"verify-linke.com\\\",\\\"support-servics.net\\\",\\n\\\"onedrive-sharedfile.com\\\",\\\"onedrv-live.com\\\",\\\"transparencyinternational-my-sharepoint.com\\\",\\\"transparencyinternational-my-sharepoints.com\\\",\\\"soros-my-sharepoint.com\\\"]);\\n(union isfuzzy=true\\n (CommonSecurityLog\\n | where Message has_any (DomainNames)\\n | parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 *\\n | extend AccountName = SourceUserID, DeviceName, IPAddress = SourceIP\\n ),\\n (_Im_Dns(domain_has_any=DomainNames)\\n | where DnsQuery has_any (DomainNames)\\n | extend IPAddress = SrcIpAddr, DeviceName = Dvc\\n ),\\n (VMConnection\\n | where RemoteDnsCanonicalNames has_any (DomainNames)\\n | parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n | extend IPAddress = RemoteIp, DeviceName = Computer\\n ),\\n (AzureDiagnostics \\n | where ResourceType == \\\"AZUREFIREWALLS\\\"\\n | where Category == \\\"AzureFirewallApplicationRule\\\"\\n | parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n | where DestinationHost has_any (DomainNames)\\n | extend DNSName = DestinationHost \\n | extend IPAddress = SourceHost\\n ),\\n (AzureDiagnostics\\n | where ResourceType == \\\"AZUREFIREWALLS\\\"\\n | where Category == \\\"AzureFirewallDnsProxy\\\"\\n | project TimeGenerated,Resource, msg_s, Type\\n | parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n | where Request_Name has_any (DomainNames)\\n | extend DNSName = Request_Name\\n | extend IPAddress = ClientIP\\n ),\\n (AZFWApplicationRule\\n | where isnotempty(Fqdn)\\n | where Fqdn has_any (DomainNames) \\n | extend DNSName = Fqdn \\n | extend IPAddress = SourceIp\\n ),\\n (AZFWDnsQuery\\n | where isnotempty(QueryName)\\n | where QueryName has_any (DomainNames)\\n | extend DNSName = QueryName\\n | extend IPAddress = SourceIp\\n ),\\n (\\n _Im_WebSession(url_has_any=DomainNames)\\n | extend IPAddress=IpAddr, DeviceName=Hostname, AccountName = tostring(split(User, \\\"@\\\")[0]), AccountDomain = tostring(split(User, \\\"@\\\")[1])\\n )\\n)\\n| where DNSName has_any (DomainNames)\\n| extend timestamp = TimeGenerated\\n| extend HostName = tostring(split(DeviceName, \\\".\\\")[0]), DomainIndex = toint(indexof(DeviceName, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(DeviceName, DomainIndex + 1), DeviceName)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"User\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DeviceName\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Known Forest Blizzard group domains - July 2019\",\"description\":\"Matches domain name IOCs related to Forest Blizzard group activity published July 2019 with CommonSecurityLog, DnsEvents and VMConnection dataTypes.\\nReferences: https://blogs.microsoft.com/on-the-issues/2019/07/17/new-cyberthreats-require-new-ways-to-protect-democracy/.\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2019-07-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\",\"AZFWApplicationRule\",\"AZFWDnsQuery\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c805d9b1-97e7-4bc0-9172-67edb36273e4\",\"name\":\"c805d9b1-97e7-4bc0-9172-67edb36273e4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Microsoft 365 Insider Risk Management\",\"displayName\":\"(Private Preview) Create incidents based on Microsoft 365 Insider Risk Management\",\"description\":\"Create incidents based on all alerts generated in Microsoft 365 Insider Risk Management\",\"lastUpdatedDateUTC\":\"2021-05-13T00:00:00Z\",\"createdDateUTC\":\"2021-05-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"OfficeIRM\",\"dataTypes\":[\"SecurityAlert (OfficeIRM)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e70fa6e0-796a-4e85-9420-98b17b0bb749\",\"name\":\"e70fa6e0-796a-4e85-9420-98b17b0bb749\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"High\",\"query\":\"DeviceInfo\\n| extend DeviceName = tolower(DeviceName)\\n| join (SecurityAlert\\n| where ProviderName =~ \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| where ThreatName has \\\"Solorigate\\\"\\n) on $left.DeviceName == $right.CompromisedEntity\\n| project TimeGenerated, DisplayName, ThreatName, CompromisedEntity, PublicIP, MachineGroup, AlertSeverity, Description, LoggedOnUsers, DeviceId, TenantId\\n| extend HostName = tostring(split(CompromisedEntity, \\\".\\\")[0]), DomainIndex = toint(indexof(CompromisedEntity, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(CompromisedEntity, DomainIndex + 1), CompromisedEntity)\\n| project-away DomainIndex\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CompromisedEntity\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"PublicIP\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Solorigate Defender Detections\",\"description\":\"Surfaces any Defender Alert for Solorigate Events. In Microsoft Sentinel the SecurityAlerts table includes only the Device Name of the affected device, this query joins the DeviceInfo table to clearly connect other information such as\\n Device group, ip, logged on users etc. This way, the Microsoft Sentinel user can have all the pertinent device info in one view for all the the Solarigate Defender alerts.\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2020-12-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftDefenderAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert (MDATP)\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceInfo\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c61ad0ac-ad68-4ebb-b41a-74296d3e0044\",\"name\":\"c61ad0ac-ad68-4ebb-b41a-74296d3e0044\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"Event\\n| where EventLog =~ \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID in (13)\\n| parse EventData with * \u0027TargetObject\\\"\u003e\u0027 TargetObject \\\"\u003c\\\" * \u0027Details\\\"\u003e\u0027 Details \\\"\u003c\\\" * \\n| where TargetObject has (\\\"\\\\\\\\Control\\\\\\\\Session Manager\\\\\\\\AppCertDLLs\\\\\\\\\\\")\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventID, Computer, TargetObject, Details\\n| extend HostName = iif(Computer has \u0027.\u0027,substring(Computer,0,indexof(Computer,\u0027.\u0027)),Computer) , DnsDomain = iif(Computer has \u0027.\u0027,substring(Computer,indexof(Computer,\u0027.\u0027)+1),\u0027\u0027)\",\"entityMappings\":[{\"entityType\":\"RegistryKey\",\"fieldMappings\":[{\"identifier\":\"Key\",\"columnName\":\"TargetObject\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Registry Persistence via AppCert DLL Modification\",\"description\":\"Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppCert DLLs loaded into processes. \\nDynamic-link libraries (DLLs) that are specified in the AppCertDLLs Registry key under HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Control\\\\Session Manager\\\\ are loaded into every process that calls the ubiquitously used application programming interface (API) functions CreateProcess, CreateProcessAsUser, CreateProcessWithLoginW, CreateProcessWithTokenW, or WinExec.\\nRef: https://attack.mitre.org/techniques/T1546/009/\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-03-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4e5914a4-2ccd-429d-a845-fa597f0bd8c5\",\"name\":\"4e5914a4-2ccd-429d-a845-fa597f0bd8c5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"High\",\"query\":\"let Hive_threats = dynamic([\\\"Ransom:Win64/Hive\\\", \\\"Ransom:Win32/Hive\\\"]);\\nDeviceInfo\\n| extend DeviceName = tolower(DeviceName)\\n| join kind=inner ( SecurityAlert\\n| where ProviderName == \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)\\n| where ThreatName in~ (Hive_threats) or ThreatFamilyName in~ (Hive_threats)\\n| extend CompromisedEntity = tolower(CompromisedEntity)\\n) on $left.DeviceName == $right.CompromisedEntity\\n| summarize by bin(TimeGenerated, 1d), DisplayName, ThreatName, ThreatFamilyName, PublicIP, AlertSeverity, Description, tostring(LoggedOnUsers), DeviceId, TenantId , CompromisedEntity, tostring(LoggedOnUsers), ProductName, Entities\\n| extend HostName = tostring(split(CompromisedEntity, \\\".\\\")[0]), DomainIndex = toint(indexof(CompromisedEntity, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(CompromisedEntity, DomainIndex + 1), CompromisedEntity)\\n| project-away DomainIndex\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CompromisedEntity\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"PublicIP\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"AV detections related to Hive Ransomware\",\"description\":\"This query looks for Microsoft Defender AV detections related to Hive Ransomware.\\nIn Microsoft Sentinel the SecurityAlerts table includes only the Device Name of the affected device, this query joins the DeviceInfo table to clearly connect other information such as Device group, ip, logged on users etc. This would allow the Microsoft Sentinel analyst to have more context related to the alert, if available.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-04-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9adbd1c3-a4be-44ef-ac2f-503fd25692ee\",\"name\":\"9adbd1c3-a4be-44ef-ac2f-503fd25692ee\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P8D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let threshold = 100;\\nlet timeRange = ago(7d);\\nlet timeBuffer = 1;\\nSigninLogs \\n| where TimeGenerated \u003e timeRange\\n| where ResultType == \\\"50057\\\" \\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), disabledAccountLoginAttempts = count(), \\ndisabledAccountsTargeted = dcount(UserPrincipalName), applicationsTargeted = dcount(AppDisplayName), disabledAccountSet = make_set(UserPrincipalName), \\napplicationSet = make_set(AppDisplayName) by IPAddress, AppId\\n| order by disabledAccountLoginAttempts desc\\n| join kind=inner (\\n // IPs are considered suspicious - and any related successful sign-ins are detected\\n SigninLogs\\n | where TimeGenerated \u003e timeRange\\n | where ResultType == 0\\n | summarize successSigninStart = min(TimeGenerated), successSigninEnd = max(TimeGenerated), successfulAccountSigninCount = dcount(UserPrincipalName), successfulAccountSigninSet = make_set(UserPrincipalName, 15) by IPAddress\\n // Assume IPs associated with sign-ins from 100+ distinct user accounts are safe\\n | where successfulAccountSigninCount \u003c threshold\\n) on IPAddress \\n// IPs where attempts to authenticate as disabled user accounts originated, and had a non-zero success rate for some other account\\n| where successfulAccountSigninCount != 0\\n// Successful Account Signins occur within the same lookback period as the failed \\n| extend SuccessBeforeFailure = iff(successSigninStart \u003e= StartTime and successSigninEnd \u003c= EndTime, true, false) \\n| project StartTime, EndTime, IPAddress, disabledAccountLoginAttempts, disabledAccountsTargeted, disabledAccountSet, applicationSet, \\nsuccessfulAccountSigninCount, successfulAccountSigninSet, successSigninStart, successSigninEnd, AppId\\n| order by disabledAccountLoginAttempts\\n// Break up the string of Succesfully signed into accounts into individual events\\n| mvexpand successfulAccountSigninSet\\n| extend JoinedOnIp = IPAddress\\n| join kind = inner (\\n OfficeActivity\\n | where TimeGenerated \u003e timeRange\\n | where Operation in~ ( \\\"Add-MailboxPermission\\\", \\\"Add-MailboxFolderPermission\\\", \\\"Set-Mailbox\\\", \\\"New-ManagementRoleAssignment\\\", \\\"New-InboxRule\\\", \\\"Set-InboxRule\\\", \\\"Set-TransportRule\\\") and not(UserId has_any (\u0027NT AUTHORITY\\\\\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\u0027, \u0027NT AUTHORITY\\\\\\\\SYSTEM (w3wp)\u0027, \u0027devilfish-applicationaccount\u0027))\\n // Remove port from the end of the IP and/or square brackets around IP, if they exist \\n | extend JoinedOnIp = case(\\n ClientIP matches regex @\u0027\\\\[((25[0-5]2[0-4][0-9]|[01]?[0-9][0-9]?)\\\\.){3}(25[0-5]2[0-4][0-9]|[01]?[0-9][0-9]?)\\\\]-\\\\d{1,5}\u0027, tostring(extract(\u0027\\\\\\\\[([0-9]+\\\\\\\\.[0-9]+\\\\\\\\.[0-9]+)\\\\\\\\]-[0-9]+\u0027, 1, ClientIP)),\\n ClientIP matches regex @\u0027\\\\[((25[0-5]2[0-4][0-9]|[01]?[0-9][0-9]?)\\\\.){3}(25[0-5]2[0-4][0-9]|[01]?[0-9][0-9]?)\\\\]\u0027, tostring(extract(\u0027\\\\\\\\[([0-9]+\\\\\\\\.[0-9]+\\\\\\\\.[0-9]+)\\\\\\\\]\u0027, 1, ClientIP)), \\n ClientIP matches regex @\u0027(((25[0-5]2[0-4][0-9]|[01]?[0-9][0-9]?)\\\\.){3}(25[0-5]2[0-4][0-9]|[01]?[0-9][0-9]?))-\\\\d{1,5}\u0027, tostring(extract(\u0027([0-9]+\\\\\\\\.[0-9]+\\\\\\\\.[0-9]+)-[0-9]+\u0027, 1, ClientIP)),\\n ClientIP matches regex @\u0027((25[0-5]2[0-4][0-9]|[01]?[0-9][0-9]?)\\\\.){3}(25[0-5]2[0-4][0-9]|[01]?[0-9][0-9]?)\u0027, ClientIP, \\n ClientIP matches regex @\u0027\\\\[((?:[0-9a-fA-F]{1,4}::?){1,8}[0-9a-fA-F]{1,4}|\\\\d{1,3}(?:\\\\.\\\\d{1,3}){3})\\\\]-\\\\d{1,5}\u0027, tostring(extract(\u0027\\\\\\\\[((?:[0-9a-fA-F]{1,4}::?){1,8}[0-9a-fA-F]{1,4}|\\\\\\\\d{1,3}(?:\\\\\\\\.\\\\\\\\d{1,3}){3})\\\\\\\\]-[0-9]+\u0027, 1, ClientIP)),\\n ClientIP matches regex @\u0027\\\\[((?:[0-9a-fA-F]{1,4}::?){1,8}[0-9a-fA-F]{1,4}|\\\\d{1,3}(?:\\\\.\\\\d{1,3}){3})\\\\]\u0027, tostring(extract(\u0027\\\\\\\\[((?:[0-9a-fA-F]{1,4}::?){1,8}[0-9a-fA-F]{1,4}|\\\\\\\\d{1,3}(?:\\\\\\\\.\\\\\\\\d{1,3}){3})\\\\\\\\]\u0027, 1, ClientIP)), \\n ClientIP matches regex @\u0027((?:[0-9a-fA-F]{1,4}::?){1,8}[0-9a-fA-F]{1,4}|\\\\d{1,3}(?:\\\\.\\\\d{1,3}){3})-\\\\d{1,5}\u0027, tostring(extract(\u0027((?:[0-9a-fA-F]{1,4}::?){1,8}[0-9a-fA-F]{1,4}|\\\\\\\\d{1,3}(?:\\\\\\\\.\\\\\\\\d{1,3}){3})-[0-9]+\u0027, 1, ClientIP)),\\n ClientIP matches regex @\u0027((?:[0-9a-fA-F]{1,4}::?){1,8}[0-9a-fA-F]{1,4}|\\\\d{1,3}(?:\\\\.\\\\d{1,3}){3})\u0027, ClientIP,\\n \\\"\\\")\\n | where isnotempty(JoinedOnIp)\\n | extend OfficeTimeStamp = ElevationTime, UserPrincipalName = UserId\\n) on JoinedOnIp\\n// Rare and risky operations only happen within a certain time range of the successful sign-in\\n| where OfficeTimeStamp \u003e= successSigninStart and datetime_diff(\u0027day\u0027, OfficeTimeStamp, successSigninEnd) \u003c= timeBuffer\\n| extend AccountName = tostring(split(UserPrincipalName, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(UserPrincipalName, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"JoinedOnIp\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]},{\"entityType\":\"CloudApplication\",\"fieldMappings\":[{\"identifier\":\"AppId\",\"columnName\":\"ApplicationId\"}]}],\"tactics\":[\"InitialAccess\",\"Persistence\",\"Collection\"],\"displayName\":\"High risk Office operation conducted by IP Address that recently attempted to log into a disabled account\",\"description\":\"It is possible that a disabled user account is compromised and another account on the same IP is used to perform operations that are not typical for that user.\\n The query filters the SigninLogs for entries where ResultType is indicates a disabled account and the TimeGenerated is within a defined time range.\\n It then summarizes these entries by IPAddress and AppId, calculating various statistics such as number of login attempts, distinct UPNs, App IDs etc and joins these results with another set of results from SigninLogs, filtering for entries with less than normal number of successful sign-ins.\\n It then filters out entries where there were no successful sign-ins or where successful sign-ins did not occur within the same lookback period as the failed sign-ins, later projecting relevant fields by the count of login attempts, and expands the set of successful sign-ins into individual events.\\n Finally, it joins these results with entries from OfficeActivity where certain operations deemed rare and high risk have been performed, ensuring their occurrance within a certain time range of the successful sign-ins.\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2023-10-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d992b87b-eb49-4a9d-aa96-baacf9d26247\",\"name\":\"d992b87b-eb49-4a9d-aa96-baacf9d26247\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"Medium\",\"query\":\"let IPList = dynamic([\\\"185.63.90.137\\\"]); \\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\nlet sha256Hashes = \\ndynamic([\\\"53854c6d163bfd0c56d8b297ac43bd25c21f696de6063031241e792ee65df441\\\",\\n\\\"c297e545b8f150cc5ff56dbb68dc74fe30a421d9d40f38f4a53083192697c44c\\\",\\n\\\"17921368901f23e0cad0d2fe4ce5694aebaf4727699ed0358117500701914d1b\\\",\\n\\\"198a2d42df010d838b4207f478d885ef36e3db13b1744d673e221b828c28bf77\\\",\\n\\\"71d7b48c2fdc7b57b104a7858a35165bbed21d2fa7e34828d6c1d50b2b33a1d0\\\",\\n\\\"601227d52c6e367e11b80240183d07d38bc11a88e844e8401fce17eb25e92ba8\\\",\\n\\\"63ff04bed4fdb120a9cb9b1ea7fd88e83f12fb01ab6a057088f8016e663b48d4\\\",\\n\\\"a3037c3389b811bc1404f719af5c8b9034c5e24710cf3a0b457d28bf1b922cf7\\\",\\n\\\"e19b8be1b21c066d60725e550f8455f824065abbf1b43f7b2fe4fb338b241ffc\\\",\\n\\\"a3037c3389b811bc1404f719af5c8b9034c5e24710cf3a0b457d28bf1b922cf7\\\"\\n]);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList) \\n| project TimeGenerated, SourceIP, DestinationIP, Message, SourceUserID, RequestURL\\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", MessageIP in (IPList), \\\"Message\\\", \\\"NoMatch\\\")\\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, \\\"NoMatch\\\"), AccountCustomEntity = SourceUserID\\n),\\n(DeviceNetworkEvents\\n| where RemoteIP in (IPList) or InitiatingProcessSHA256 in (sha256Hashes) \\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort, LocalIP\\n| extend timestamp = TimeGenerated, DNSName = RemoteUrl, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName\\n),\\n(WindowsFirewall\\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| project TimeGenerated, Computer, CommunicationDirection, SourceIP, DestinationIP, SourcePort, DestinationPort\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\")\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| project TimeGenerated,Resource, msg_s\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost) \\n| where SourceHost in (IPList) or DestinationHost in (IPList)\\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost\\n),\\n(AZFWApplicationRule\\n| where isnotempty(Fqdn)\\n| where SourceIp in (IPList) or Fqdn in (IPList)\\n| extend timestamp = TimeGenerated\\n| extend DNSName = Fqdn\\n| extend IPCustomEntity = SourceIp\\n),\\n(AZFWDnsQuery\\n| where isnotempty(QueryName)\\n| where SourceIp in (IPList) or QueryName in (IPList)\\n| extend timestamp = TimeGenerated\\n| extend DNSName = QueryName\\n| extend IPCustomEntity = SourceIp\\n),\\n(DeviceFileEvents\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RequestAccountName, RequestSourceIP, InitiatingProcessSHA256\\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n| where FileHash in (sha256Hashes)\\n),\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, SourceUserID, FileHash\\n| extend timestamp = TimeGenerated, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(DeviceEvents\\n| where InitiatingProcessSHA256 in~ (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256\\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(SecurityEvent\\n| where EventID == \u00274688\u0027\\n| where CommandLine has_any (IPList) \\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName\\n),\\n(WindowsEvent\\n| where EventID == \u00274688\u0027 and has_any_ipv4(EventData, toscalar(IPList)) \\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| where NewProcessName in (IPList) \\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| extend Account = strcat(EventData.SubjectDomainName,\\\"\\\\\\\\\\\", EventData.SubjectUserName)\\n| extend NewProcessId = tostring(EventData.NewProcessId)\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"[Deprecated] - Alert for IOCs related to Windows/ELF malware - IP, Hash IOCs - September 2021\",\"description\":\"This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft\u0027s Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2021-09-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceFileEvents\",\"DeviceEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\",\"AZFWApplicationRule\",\"AZFWDnsQuery\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/18dbdc22-b69f-4109-9e39-723d9465f45f\",\"name\":\"18dbdc22-b69f-4109-9e39-723d9465f45f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ActiniumIOC.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet AVHits = (iocs | where Type =~ \\\"AVDetection\\\"| project IoC);\\nSecurityAlert\\n| where ProviderName == \u0027MDATP\u0027\\n| extend ThreatName_ = tostring(parse_json(ExtendedProperties).ThreatName)\\n| where ThreatName_ has_any (AVHits)\\n| extend Directory = tostring(parse_json(Entities)[0].Directory), SHA256 = tostring(parse_json(tostring(parse_json(Entities)[0].FileHashes))[2].Value), FileName = tostring(parse_json(Entities)[0].Name), Hostname = tostring(parse_json(Entities)[6].FQDN)| extend AccountName = tostring(parse_json(tostring(parse_json(Entities)[6].LoggedOnUsers))[0].AccountName)\\n| project TimeGenerated, AlertName, ThreatName_, ProviderName, AlertSeverity, Description, RemediationSteps, ExtendedProperties, Entities, FileName,SHA256, Directory, Hostname, AccountName\\n| extend timestamp = TimeGenerated, HostCustomEntity = Hostname , AccountCustomEntity = AccountName, FileHashCustomEntity = SHA256, FileHashType = \\\"SHA256\\\"\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashType\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Aqua Blizzard AV hits - Feb 2022\",\"description\":\"Identifies a match in the Security Alert table for MDATP hits related to the Aqua Blizzard actor\",\"lastUpdatedDateUTC\":\"2023-07-18T00:00:00Z\",\"createdDateUTC\":\"2022-02-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftDefenderAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert (MDATP)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b6d03b88-4d27-49a2-9c1c-29f1ad2842dc\",\"name\":\"b6d03b88-4d27-49a2-9c1c-29f1ad2842dc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"let oneDriveCalls = dynamic([\u0027graph.microsoft.com/v1.0/me/drive/root:/Documents/data.txt:/content\u0027,\u0027graph.microsoft.com/v1.0/me/drive/root:/Documents/response.json:/content\u0027]);\\nlet oneDriveCallsRegex = dynamic([@\u0027graph\\\\.microsoft\\\\.com\\\\/v1\\\\.0\\\\/me\\\\/drive\\\\/root\\\\:\\\\/Uploaded\\\\/.*\\\\:\\\\/content\u0027,@\u0027graph\\\\.microsoft\\\\.com\\\\/v1\\\\.0\\\\/me\\\\/drive\\\\/root\\\\:\\\\/Downloaded\\\\/.*\\\\:\\\\/content\u0027]);\\nCommonSecurityLog\\n| where RequestURL has_any (oneDriveCalls) or RequestURL matches regex tostring(oneDriveCallsRegex[0]) or RequestURL matches regex tostring(oneDriveCallsRegex[1])\\n| project TimeGenerated, DeviceVendor, DeviceProduct, DeviceAction, DestinationDnsDomain, DestinationIP, RequestURL, SourceIP, SourceHostName, RequestClientApplication\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"SourceHostName\"}]}],\"tactics\":[\"Exfiltration\",\"CommandAndControl\"],\"displayName\":\"CreepyDrive URLs\",\"description\":\"CreepyDrive uses OneDrive for command and control. This detection identifies URLs specific to CreepyDrive.\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2022-05-31T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/186970ee-5001-41c1-8c73-3178f75ce96a\",\"name\":\"186970ee-5001-41c1-8c73-3178f75ce96a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"High\",\"query\":\"let Europium_threats = dynamic([\\\"TrojanDropper:ASP/WebShell!MSR\\\", \\\"Trojan:Win32/BatRunGoXml\\\", \\\"DoS:Win64/WprJooblash\\\", \\\"Ransom:Win32/Eagle!MSR\\\", \\\"Trojan:Win32/Debitom.A\\\"]);\\nDeviceInfo\\n| extend DeviceName = tolower(DeviceName)\\n| join kind=inner ( SecurityAlert\\n| where ProviderName == \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)\\n| where ThreatName in~ (Europium_threats) or ThreatFamilyName in~ (Europium_threats)\\n| extend CompromisedEntity = tolower(CompromisedEntity)\\n) on $left.DeviceName == $right.CompromisedEntity\\n| summarize by DisplayName, ThreatName, ThreatFamilyName, PublicIP, AlertSeverity, Description, tostring(LoggedOnUsers), DeviceId, TenantId, bin(TimeGenerated, 1d), CompromisedEntity, tostring(LoggedOnUsers), ProductName, Entities\\n| extend HostName = tostring(split(CompromisedEntity, \\\".\\\")[0]), DomainIndex = toint(indexof(CompromisedEntity, \u0027.\u0027))\\n| extend HostNameDomain = iff(CompromisedEntity != -1, substring(CompromisedEntity, DomainIndex + 1), CompromisedEntity)\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CompromisedEntity\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"PublicIP\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"AV detections related to Europium actors\",\"description\":\"This query looks for Microsoft Defender AV detections related to Europium actor. \\nIn Microsoft Sentinel the SecurityAlerts table includes only the Device Name of the affected device, this query joins the DeviceInfo table to clearly connect other information such as Device group, ip, etc. This would allow the Microsoft Sentinel analyst to have more context related to the alert, if available.\\n Reference: https://www.microsoft.com/security/blog/2022/09/08/microsoft-investigates-iranian-attacks-against-the-albanian-government \",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-04-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"SecurityAlert\",\"DeviceInfo\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0ee2aafb-4500-4e36-bcb1-e90eec2f0b9b\",\"name\":\"0ee2aafb-4500-4e36-bcb1-e90eec2f0b9b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.3\",\"severity\":\"Low\",\"query\":\"AWSCloudTrail\\n| where EventName =~ \\\"ConsoleLogin\\\"\\n| extend MFAUsed = tostring(parse_json(AdditionalEventData).MFAUsed), LoginResult = tostring(parse_json(ResponseElements).ConsoleLogin)\\n| where MFAUsed !~ \\\"Yes\\\" and LoginResult !~ \\\"Failure\\\"\\n| where SessionIssuerUserName !contains \\\"AWSReservedSSO\\\"\\n| extend UserIdentityArn = iif(isempty(UserIdentityArn), tostring(parse_json(Resources)[0].ARN), UserIdentityArn)\\n| extend UserName = tostring(split(UserIdentityArn, \u0027/\u0027)[-1])\\n| extend AccountName = case( UserIdentityPrincipalid == \\\"Anonymous\\\", \\\"Anonymous\\\", isempty(UserIdentityUserName), UserName, UserIdentityUserName)\\n| extend AccountName = iif(AccountName contains \\\"@\\\", tostring(split(AccountName, \u0027@\u0027, 0)[0]), AccountName),\\n AccountUPNSuffix = iif(AccountName contains \\\"@\\\", tostring(split(AccountName, \u0027@\u0027, 1)[0]), \\\"\\\")\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, LoginResult, MFAUsed, RecipientAccountId, AccountName, AccountUPNSuffix, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent,\\n UserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"},{\"identifier\":\"CloudAppAccountId\",\"columnName\":\"RecipientAccountId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIpAddress\"}]}],\"tactics\":[\"DefenseEvasion\",\"PrivilegeEscalation\",\"Persistence\",\"InitialAccess\"],\"displayName\":\"NRT Login to AWS Management Console without MFA\",\"description\":\"Multi-Factor Authentication (MFA) helps you to prevent credential compromise. This alert identifies logins to the AWS Management Console without MFA.\\nYou can limit this detection to trigger for administrative accounts if you do not have MFA enabled on all accounts.\\nThis is done by looking at the eventName ConsoleLogin and if the AdditionalEventData field indicates MFA was NOT used and the ResponseElements field indicates NOT a Failure. Thereby indicating that a non-MFA login was successful.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/15049017-527f-4d3b-b011-b0e99e68ef45\",\"name\":\"15049017-527f-4d3b-b011-b0e99e68ef45\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Medium\",\"query\":\"let procList = externaldata(Process:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Microsoft_Lolbas_Execution_Binaries.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nSecurityEvent\\n| where EventID == 4688 and Process has_any (procList) and not (NewProcessName has (\\\"C:\\\\\\\\Windows\\\\\\\\\\\"))\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, SubjectUserName, NewProcessName, Process, CommandLine\\n| extend Name=tostring(split(SubjectUserName, \\\"@\\\")[0]), UPNSuffix=tostring(split(SubjectUserName, \\\"@\\\")[1])\\n| extend HostName = iif(Computer has \u0027.\u0027,substring(Computer,0,indexof(Computer,\u0027.\u0027)),Computer) , DnsDomain = iif(Computer has \u0027.\u0027,substring(Computer,indexof(Computer,\u0027.\u0027)+1),\u0027\u0027)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLine\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"Windows Binaries Executed from Non-Default Directory\",\"description\":\"The query detects Windows binaries, that can be executed from a non-default directory (e.g. C:\\\\Windows\\\\, C:\\\\Windows\\\\System32 etc.). \\nRef: https://lolbas-project.github.io/\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/595a10c9-91be-4abb-bbc7-ae9c57848bef\",\"name\":\"595a10c9-91be-4abb-bbc7-ae9c57848bef\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"Low\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ChiaCryptoIOC.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet process = (iocs | where Type =~ \\\"process\\\" | project IoC);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\nlet IPList = (iocs | where Type =~ \\\"ip\\\"| project IoC);\\nlet domains = (iocs | where Type =~ \\\"domainname\\\"| project IoC);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or DestinationHostName has_any (domains) or RequestURL has_any (domains) or Message has_any (IPList)\\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| project TimeGenerated, SourceIP, DestinationIP, Message, SourceUserID, RequestURL, DNSName, Type\\n| extend MessageIP = extract(IPRegex, 0, Message), RequestIP = extract(IPRegex, 0, RequestURL)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", RequestURL has_any (domains), \\\"RequestUrl\\\", \\\"NoMatch\\\"), AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, IPEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, \\\"NoMatch\\\"), Account = SourceUserID\\n),\\n(DnsEvents\\n| where IPAddresses in (IPList) or Name in~ (domains) \\n| project TimeGenerated, Computer, IPAddresses, Name, ClientIP, Type\\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Computer\\n| extend timestamp = TimeGenerated, IPEntity = DestinationIPAddress\\n),\\n(VMConnection\\n| where SourceIp in (IPList) or DestinationIp in (IPList) or RemoteDnsCanonicalNames has_any (domains)\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| project TimeGenerated, Computer, Direction, ProcessName, SourceIp, DestinationIp, DestinationPort, RemoteDnsQuestions, DNSName,BytesSent, BytesReceived, RemoteCountry, Type\\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated, IPEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"NoMatch\\\"), File = ProcessName\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = tostring(EventDetail.[9].[\\\"#text\\\"]), DestinationIP = tostring(EventDetail.[14].[\\\"#text\\\"]), Image = tostring(EventDetail.[4].[\\\"#text\\\"])\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Image has_any (process)\\n| project TimeGenerated, SourceIP, DestinationIP, Image, Account = UserName, Computer, Type\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated, File = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), IPEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n| extend FilePath = replace_string(Image, File, \u0027\u0027)\\n), \\n(OfficeActivity\\n| where ClientIP in (IPList) \\n| project TimeGenerated, UserAgent, Operation, RecordType, UserId, ClientIP, Type\\n| extend timestamp = TimeGenerated, IPEntity = ClientIP, Account = UserId\\n),\\n(DeviceNetworkEvents\\n| where RemoteUrl has_any (domains) or RemoteIP in (IPList) or InitiatingProcessSHA256 in (sha256Hashes) or InitiatingProcessFileName has_any (process)\\n| project TimeGenerated, ActionType, DeviceId, Computer = DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort, LocalIP, Type\\n| extend timestamp = TimeGenerated, IPEntity = RemoteIP\\n),\\n(WindowsFirewall\\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| project TimeGenerated, Computer, CommunicationDirection, SourceIP, DestinationIP, SourcePort, DestinationPort, Type\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\")\\n| extend timestamp = TimeGenerated, Computer, IPEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| project TimeGenerated,Resource, msg_s, Type\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where Request_Name has_any (domains) or ClientIP in (IPList)\\n| extend timestamp = TimeGenerated, DNSName = Request_Name, IPEntity = ClientIP\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| project TimeGenerated,Resource, msg_s, Type\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (domains) \\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPEntity = SourceHost\\n),\\n(AZFWApplicationRule\\n| where isnotempty (Fqdn)\\n| where Fqdn has_any (domains)\\n| extend timestamp = TimeGenerated\\n| extend DNSName = Fqdn\\n| extend IPEntity = SourceIp\\n),\\n(AZFWDnsQuery\\n| where isnotempty(QueryName)\\n| where QueryName has_any (domains) or SourceIp in (IPList)\\n| extend timestamp = TimeGenerated\\n| extend DNSName = QueryName\\n| extend IPEntity = SourceIp\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| where EventDetail has_any (sha256Hashes) \\n| parse EventDetail with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256\\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = SHA256, Image = tostring(EventDetail.[4].[\\\"#text\\\"])\\n| extend timestamp = TimeGenerated, Computer, Account, File = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), FileHashAlgo = \u0027SHA256\u0027\\n| extend FilePath = replace_string(Image, File, \u0027\u0027)\\n),\\n(DeviceFileEvents\\n| where InitiatingProcessFolderPath has_any (process)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RequestAccountName, RequestSourceIP, InitiatingProcessSHA256, Type\\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256\\n| extend timestamp = TimeGenerated, Computer, Account, File = InitiatingProcessFileName, FileHashAlgo = \u0027SHA256\u0027\\n| extend FilePath = replace_string(InitiatingProcessFolderPath, File, \u0027\u0027)\\n),\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, SourceUserID, FileHash, Type\\n| extend timestamp = TimeGenerated, FileHashAlgo = \u0027SHA256\u0027, Account = SourceUserID\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| project TimeGenerated, EventDetail, UserName, Computer, Type\\n| extend Image = tostring(EventDetail.[4].[\\\"#text\\\"]), CommandLine = tostring(EventDetail.[10].[\\\"#text\\\"]), Account = UserName, FileHash = tostring(EventDetail.[17].[\\\"#text\\\"])\\n| where Image has_any (process)\\n| extend timestamp = TimeGenerated, Computer, Account, File = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), FileHashAlgo = \u0027SHA256\u0027\\n| extend FilePath= replace_string(Image, File, \u0027\u0027)\\n),\\n(DeviceEvents\\n| where InitiatingProcessFileName has_any (process) or InitiatingProcessSHA256 in~ (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath\\n| extend timestamp = TimeGenerated, Computer, Account, File = InitiatingProcessFileName, FileHashAlgo = \u0027SHA256\u0027\\n| extend FilePath = replace_string(InitiatingProcessFolderPath, File, \u0027\u0027)\\n),\\n(SecurityEvent\\n| where EventID == \u00274688\u0027\\n| where NewProcessName has_any (process)\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type\\n| extend timestamp = TimeGenerated, Computer, Account, File = tostring(split(NewProcessName, \u0027\\\\\\\\\u0027, -1)[-1])\\n| extend FilePath = replace_string(NewProcessName, File, \u0027\u0027)\\n)\\n)\\n| extend AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPEntity, FileCustomEntity = File, FilePathCustomEntity = FilePath, FileHashCustomEntity = FileHash\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"FileCustomEntity\"},{\"identifier\":\"Directory\",\"columnName\":\"FilePathCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashAlgo\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"[Deprecated] - Chia_Crypto_Mining - Domain, Process, Hash and IP IOCs - June 2021\",\"description\":\"This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft\u0027s Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2021-06-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceFileEvents\",\"DeviceEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\",\"AZFWApplicationRule\",\"AZFWDnsQuery\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/93a25f10-593d-4c57-a752-a8a75f031425\",\"name\":\"93a25f10-593d-4c57-a752-a8a75f031425\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let baseline_time = 14d;\\nlet detection_time = 1d;\\nDynamics365Activity\\n| where TimeGenerated between(ago(baseline_time)..ago(detection_time-1d))\\n| extend Message = tostring(split(OriginalObjectId, \u0027 \u0027)[0])\\n| where Message =~ \\\"RetrieveMultiple\\\"\\n| extend numQueryCount = todouble(QueryResults)\\n| extend QueryCount = iif(QueryResults contains \\\",\\\", todouble(countof(tostring(QueryResults), \u0027,\u0027) + 1), numQueryCount)\\n| extend QueryCount = iif(isnotempty(QueryCount), QueryCount, double(1))\\n| summarize sum(QueryCount) by UserId\\n| extend HistoricalBaseline = sum_QueryCount\\n| join (Dynamics365Activity\\n| where TimeGenerated \u003e ago(detection_time)\\n| extend Message = tostring(split(OriginalObjectId, \u0027 \u0027)[0])\\n| where Message =~ \\\"RetrieveMultiple\\\"\\n| extend numQueryCount = todouble(QueryResults)\\n| extend QueryCount = iif(QueryResults contains \\\",\\\", todouble(countof(tostring(QueryResults), \u0027,\u0027) + 1), numQueryCount)\\n| extend QueryCount = iif(isnotempty(QueryCount), QueryCount, double(1))\\n| summarize sum(QueryCount) by UserId\\n| extend CurrentExportRate = sum_QueryCount) on UserId\\n| where CurrentExportRate \u003e HistoricalBaseline\\n| project UserId, HistoricalBaseline, CurrentExportRate\\n| join kind=inner(Dynamics365Activity\\n| where TimeGenerated \u003e ago(detection_time)\\n| extend Message = tostring(split(OriginalObjectId, \u0027 \u0027)[0])\\n| where Message =~ \\\"RetrieveMultiple\\\"\\n| extend numQueryCount = todouble(QueryResults)\\n| extend QueryCount = iif(QueryResults contains \\\",\\\", todouble(countof(tostring(QueryResults), \u0027,\u0027) + 1), numQueryCount)\\n| extend QueryCount = iif(isnotempty(QueryCount), QueryCount, double(1))) on UserId\\n| project TimeGenerated, UserId, QueryCount, UserAgent, Message, ClientIP, HistoricalBaseline, CurrentExportRate, CorrelationId, CrmOrganizationUniqueName, Query\\n| summarize QuerySizes = make_set(QueryCount), MostRecentQuery = max(TimeGenerated), IPs = make_set(ClientIP), UserAgents = make_set(UserAgent), make_set(Query) by UserId, CrmOrganizationUniqueName, HistoricalBaseline, CurrentExportRate\\n| extend timestamp = MostRecentQuery, AccountCustomEntity = UserId\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"Collection\"],\"displayName\":\"Dynamics 365 - User Bulk Retrieval Outside Normal Activity\",\"description\":\"This query detects users retrieving significantly more records from Dynamics 365 than they have in the past 2 weeks. This could indicate potentially unauthorized access to data within Dynamics 365.\",\"lastUpdatedDateUTC\":\"2022-12-12T00:00:00Z\",\"createdDateUTC\":\"2021-02-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Dynamics365\",\"dataTypes\":[\"Dynamics365Activity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ee1818ec-5f65-4991-b711-bcf2ab7e36c3\",\"name\":\"ee1818ec-5f65-4991-b711-bcf2ab7e36c3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let lbtime = 10m;\\nCisco_Umbrella\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027proxylogs\u0027\\n| where DvcAction =~ \u0027Allowed\u0027\\n| where UrlOriginal matches regex @\u0027\\\\Ahttp:\\\\/\\\\/\\\\d{1,3}\\\\.\\\\d{1,3}\\\\.\\\\d{1,3}\\\\.\\\\d{1,3}.*\u0027\\n| project TimeGenerated, SrcIpAddr, Identities\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Identities\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - URI contains IP address\",\"description\":\"Malware can use IP address to communicate with C2.\",\"lastUpdatedDateUTC\":\"2023-12-29T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3705158d-e008-49c9-92dd-e538e1549090\",\"name\":\"3705158d-e008-49c9-92dd-e538e1549090\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"let Zinc_threats = dynamic([\\\"Trojan:Win32/ZetaNile.A\\\", \\\"Trojan:Win32/EventHorizon.A\\\", \\\"Trojan:Win32/FoggyBrass.A\\\", \\\"Trojan:Win32/FoggyBrass.B\\\", \\\"Trojan:Win32/PhantomStar.A\\\",\\\"Trojan:Win32/PhantomStar.C\\\",\\\"TrojanDropper:Win32/PhantomStar.A\\\"]);\\nDeviceInfo\\n| extend DeviceName = tolower(DeviceName)\\n| join kind=inner ( SecurityAlert\\n| where ProviderName == \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)\\n| where ThreatName in~ (Zinc_threats) or ThreatFamilyName in~ (Zinc_threats)\\n| extend CompromisedEntity = tolower(CompromisedEntity)\\n) on $left.DeviceName == $right.CompromisedEntity\\n| summarize by DisplayName, ThreatName, ThreatFamilyName, PublicIP, AlertSeverity, Description, tostring(LoggedOnUsers), DeviceId, TenantId , bin(TimeGenerated, 1d), CompromisedEntity, tostring(LoggedOnUsers), ProductName, Entities\\n| extend HostName = tostring(split(CompromisedEntity, \u0027.\u0027, 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(CompromisedEntity, \u0027.\u0027), 1, -1), \u0027.\u0027))\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"PublicIP\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"AV detections related to Zinc actors\",\"description\":\"This query looks for Microsoft Defender AV detections related to Zinc threat actor. In Microsoft Sentinel the SecurityAlerts table includes only the Device Name of the affected device, this query joins the DeviceInfo table to clearly connect other information such as Device group, ip, etc. \\n This would allow the Microsoft Sentinel analyst to have more context related to the alert, if available.\\n Reference: https://www.microsoft.com/security/blog/2022/09/29/zinc-weaponizing-open-source-software/\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-04-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"SecurityAlert\",\"DeviceInfo\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/737a2ce1-70a3-4968-9e90-3e6aca836abf\",\"name\":\"737a2ce1-70a3-4968-9e90-3e6aca836abf\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MLBehaviorAnalytics\",\"properties\":{\"severity\":\"Medium\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Anomalous RDP Login Detections\",\"description\":\"This detection uses machine learning (ML) to identify anomalous Remote Desktop Protocol (RDP) login activity, based on Windows Security Event data. Scenarios include:\\n\\n*\\tUnusual IP - This IP address has not or has rarely been seen in last 30 days.\\n*\\tUnusual Geo - The IP address, city, country and ASN have not (or rarely) been seen in last 30 days.\\n*\\tNew user - A new user logs in from an IP address and geo location, both or either of which are not expected to be seen in the last 30 days.\\n\\nAllow 7 days after this alert is enabled for Microsoft Sentinel to build a profile of normal activity for your environment.\\t\\n\\nThis detection requires a specific configuration of the data source. [Learn more](https://docs.microsoft.com/en-us/azure/sentinel/connect-windows-security-events)\\n\\nBy enabling this rule, you give Microsoft permission to copy ingested data outside of your Microsoft Sentinel workspace\u0027s geography as necessary for processing by the machine learning engine.\",\"lastUpdatedDateUTC\":\"2021-03-26T00:00:00Z\",\"createdDateUTC\":\"2020-04-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0b9ae89d-8cad-461c-808f-0494f70ad5c4\",\"name\":\"0b9ae89d-8cad-461c-808f-0494f70ad5c4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.1.7\",\"severity\":\"Low\",\"query\":\"let selfServicePasswordReset = dynamic([\\\"Self-service password reset flow activity progress\\\", \\\"Change password (self-service)\\\", \\\"Reset password (self-service)\\\"]); \\n//Self-service password reset flow activity progress is typically caused by a password policy which requires users to rotate passwords. This operation already implies the user has signed in successfully and therefore the password reset is non-malicious.\\nlet PerUserThreshold = 5;\\nlet TotalThreshold = 100;\\nlet action = dynamic([\\\"change\\\", \\\"changed\\\", \\\"reset\\\"]);\\nlet pWord = dynamic([\\\"password\\\", \\\"credentials\\\"]);\\nlet PasswordResetMultiDataSource =\\n(union isfuzzy=true\\n(//Password reset events\\n//4723: An attempt was made to change an account\u0027s password\\n//4724: An attempt was made to reset an accounts password\\nSecurityEvent\\n| where EventID in (\\\"4723\\\",\\\"4724\\\")\\n| project TimeGenerated, Computer, AccountType, Account, Type, TargetUserName),\\n(//Password reset events\\n//4723: An attempt was made to change an account\u0027s password\\n//4724: An attempt was made to reset an accounts password\\nWindowsEvent\\n| where EventID in (\\\"4723\\\",\\\"4724\\\")\\n| extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| extend TargetUserName = tostring(EventData.TargetUserName)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend AccountType=case(Account endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n| project TimeGenerated, Computer, AccountType, Account, Type, TargetUserName),\\n(//Azure Active Directory Password reset events\\nAuditLogs\\n| where OperationName has_any (pWord) and OperationName has_any (action) and Result =~ \\\"success\\\"\\n| where OperationName !in (selfServicePasswordReset)\\n| mv-apply TargetResource = TargetResources on \\n (\\n where TargetResource.type =~ \\\"User\\\"\\n | extend AccountType = tostring(TargetResource.type),\\n Account = tostring(InitiatedBy.user.userPrincipalName),\\n TargetUserName = tolower(tostring(TargetResource.userPrincipalName))\\n )\\n| project TimeGenerated, AccountType, Account, TargetUserName, Computer = \\\"\\\", Type),\\n(//OfficeActive ActiveDirectory Password reset events\\nOfficeActivity\\n| where OfficeWorkload == \\\"AzureActiveDirectory\\\"\\n| where (ExtendedProperties has_any (pWord) or ModifiedProperties has_any (pWord)) and (ExtendedProperties has_any (action) or ModifiedProperties has_any (action))\\n| extend AccountType = UserType, Account = OfficeObjectId\\n| project TimeGenerated, AccountType, Account, Type, Computer = \\\"\\\"),\\n(// Unix syslog password reset events\\nSyslog\\n| where Facility in (\\\"auth\\\",\\\"authpriv\\\")\\n| where SyslogMessage has_any (pWord) and SyslogMessage has_any (action)\\n| extend AccountType = iif(SyslogMessage contains \\\"root\\\", \\\"Root\\\", \\\"Non-Root\\\")\\n| where SyslogMessage matches regex \\\".*password changed for.*\\\"\\n| parse SyslogMessage with * \\\"password changed for\\\" Account\\n| project TimeGenerated, AccountType, Account, Computer = HostName, Type)\\n);\\nlet pwrmd = PasswordResetMultiDataSource\\n| project TimeGenerated, Computer, AccountType, Account, Type, TargetUserName;\\n(union isfuzzy=true\\n(pwrmd\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), Computerlist = make_set(Computer, 25), AccountType = make_set(AccountType, 25), Computer = arg_max(Computer , TimeGenerated), TargetUserList = make_set(TargetUserName, 25), TargetUserName = arg_max(TargetUserName, TimeGenerated), Total=count() by Account, Type\\n| where Total \u003e PerUserThreshold\\n| extend ResetPivot = \\\"PerUserReset\\\"),\\n(pwrmd\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ComputerList = make_set(Computer, 25), AccountList = make_set(Account, 25), AccountType = make_set(AccountType, 25), Computer = arg_max(Computer , TimeGenerated), TargetUserList = make_set(TargetUserName, 25), TargetUserName = arg_max(TargetUserName, TimeGenerated), Total=count() by Type\\n| where Total \u003e TotalThreshold\\n| extend ResetPivot = \\\"TotalUserReset\\\")\\n)\\n| extend timestamp = StartTimeUtc, HostName = tostring(split(Computer, \u0027.\u0027, 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Computer, \u0027.\u0027), 1, -1), \u0027.\u0027)), Name = tostring(split(Account, \u0027@\u0027, 0)[0]), UPNSuffix = tostring(split(Account, \u0027@\u0027, 1)[0]), TargetName = tostring(split(TargetUserName,\u0027@\u0027,0)[0]), TargetUPNSuffix = tostring(split(TargetUserName,\u0027@\u0027,1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUserName\"},{\"identifier\":\"Name\",\"columnName\":\"TargetName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"TargetUPNSuffix\"}]}],\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"Multiple Password Reset by user\",\"description\":\"This query will determine multiple password resets by user across multiple data sources.\\nAccount manipulation including password reset may aid adversaries in maintaining access to credentials and certain permission levels within an environment.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2019-09-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/75bf9902-0789-47c1-a5d8-f57046aa72df\",\"name\":\"75bf9902-0789-47c1-a5d8-f57046aa72df\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.5\",\"severity\":\"Medium\",\"query\":\"let procList = externaldata(Process:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Microsoft_Lolbas_Execution_Binaries.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet recycle_bin_paths = dynamic([@\\\":\\\\RECYCLER\\\", @\\\":\\\\$RECYCLE.BIN\\\"]);\\nlet ProcessCreationEvents=(union isfuzzy=true\\n(SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, NewProcessName,\\nFileName = Process, CommandLine, ParentProcessName\\n),\\n(WindowsEvent\\n| where EventID==4688 and EventData has_any (procList) and EventData has_any (recycle_bin_paths)\\n| extend CommandLine = tostring(EventData.CommandLine)\\n| where isnotempty(CommandLine)\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName) \\n| extend NewProcessName = tostring(EventData.NewProcessName) \\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, NewProcessName,\\nFileName = Process, CommandLine, ParentProcessName\\n));\\nProcessCreationEvents \\n| where FileName in~ (procList)\\n| where CommandLine has_any (recycle_bin_paths)\\n| project StartTimeUtc = TimeGenerated, Computer, Account, NewProcessName, FileName, CommandLine, ParentProcessName\\n| extend HostName = iif(Computer has \u0027.\u0027,substring(Computer,0,indexof(Computer,\u0027.\u0027)),Computer) , DnsDomain = iif(Computer has \u0027.\u0027,substring(Computer,indexof(Computer,\u0027.\u0027)+1),\u0027\u0027)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"Account\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Malware in the recycle bin\",\"description\":\"The query detects Windows binaries that can be used for executing malware and have been hidden in the recycle bin.\\nThe list of these binaries is sourced from https://lolbas-project.github.io/\\nReferences: https://azure.microsoft.com/blog/how-azure-security-center-helps-reveal-a-cyberattack/.\",\"lastUpdatedDateUTC\":\"2024-07-16T00:00:00Z\",\"createdDateUTC\":\"2018-09-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4902eddb-34f7-44a8-ac94-8486366e9494\",\"name\":\"4902eddb-34f7-44a8-ac94-8486366e9494\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.7\",\"severity\":\"Medium\",\"query\":\"let threshold = 5000;\\n_Im_NetworkSession(eventresult=\u0027Failure\u0027)\\n| summarize Count=count() by SrcIpAddr, bin(TimeGenerated,5m)\\n| where Count \u003e threshold\\n| extend timestamp = TimeGenerated, threshold\",\"customDetails\":{\"NumberOfDenies\":\"Count\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Excessive number of failed connections from {{SrcIpAddr}}\",\"alertDescriptionFormat\":\"The client at address {{SrcIpAddr}} generated more than {{threshold}} failures over a 5 minutes time window, which may indicate malicious activity.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"Impact\"],\"displayName\":\"Excessive number of failed connections from a single source (ASIM Network Session schema)\",\"description\":\"This rule identifies a single source that generates an excessive amount of failed connections. Modify the threshold to change the sensitivity of the rule: the higher the threshold, the less sensitive is the rule and less incidents will be generated.\\n This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2021-12-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"AzureNSG\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoAsaAma\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]},{\"connectorId\":\"AIVectraStream\",\"dataTypes\":[\"VectraStream\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoMeraki\",\"dataTypes\":[\"Syslog\",\"CiscoMerakiNativePoller\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9736e5f1-7b6e-4bfb-a708-e53ff1d182c3\",\"name\":\"9736e5f1-7b6e-4bfb-a708-e53ff1d182c3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":1,\"version\":\"2.0.3\",\"severity\":\"Low\",\"query\":\"let tokens = dynamic([\\\"416\\\",\\\"208\\\",\\\"192\\\",\\\"128\\\",\\\"120\\\",\\\"96\\\",\\\"80\\\",\\\"72\\\",\\\"64\\\",\\\"48\\\",\\\"44\\\",\\\"40\\\",\\\"nc12\\\",\\\"nc24\\\",\\\"nv24\\\"]);\\nlet operationList = dynamic([\\\"microsoft.compute/virtualmachines/write\\\", \\\"microsoft.resources/deployments/write\\\"]);\\nAzureActivity\\n| where OperationNameValue in~ (operationList)\\n| where ActivityStatusValue startswith \\\"Accept\\\"\\n| where Properties has \u0027vmSize\u0027\\n| extend parsed_property= parse_json(tostring((parse_json(Properties).responseBody))).properties\\n| extend vmSize = tostring((parsed_property.hardwareProfile).vmSize)\\n| mv-apply token=tokens to typeof(string) on (where vmSize contains token)\\n| extend ComputerName = tostring((parsed_property.osProfile).computerName)\\n| project TimeGenerated, OperationNameValue, ActivityStatusValue, Caller, CallerIpAddress, ComputerName, vmSize\\n| extend Name = tostring(split(Caller,\u0027@\u0027,0)[0]), UPNSuffix = tostring(split(Caller,\u0027@\u0027,1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Caller\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"ComputerName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"CallerIpAddress\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Creation of expensive computes in Azure\",\"description\":\"Identifies the creation of large size or expensive VMs (with GPUs or with a large number of virtual CPUs) in Azure.\\nAn adversary may create new or update existing virtual machines to evade defenses or use them for cryptomining purposes.\\nFor Windows/Linux Vm Sizes, see https://docs.microsoft.com/azure/virtual-machines/windows/sizes \\nAzure VM Naming Conventions, see https://docs.microsoft.com/azure/virtual-machines/vm-naming-conventions\",\"lastUpdatedDateUTC\":\"2024-03-04T00:00:00Z\",\"createdDateUTC\":\"2020-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f8127962-7739-4211-a4a9-390a7a00e91f\",\"name\":\"f8127962-7739-4211-a4a9-390a7a00e91f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT30M\",\"queryPeriod\":\"PT30M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let lbtime = 30m;\\nlet lbperiod = 14d;\\nlet knownrecipients = ProofpointPOD\\n| where TimeGenerated \u003e ago(lbperiod)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027outbound\u0027\\n| where SrcUserUpn != \u0027\u0027\\n| where array_length(todynamic(DstUserUpn)) == 1\\n| summarize recipients = make_set(tostring(todynamic(DstUserUpn)[0])) by SrcUserUpn\\n| extend commcol = SrcUserUpn;\\nProofpointPOD\\n| where TimeGenerated between (ago(lbtime) .. now())\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027outbound\u0027\\n| extend isProtected = todynamic(MsgParts)[0][\u0027isProtected\u0027]\\n| extend mimePgp = todynamic(MsgParts)[0][\u0027detectedMime\u0027]\\n| where isProtected == \u0027true\u0027 or mimePgp == \u0027application/pgp-encrypted\u0027\\n| extend DstUserMail = tostring(todynamic(DstUserUpn)[0])\\n| extend commcol = tostring(todynamic(DstUserUpn)[0])\\n| join knownrecipients on commcol\\n| where recipients !contains DstUserMail\\n| project SrcUserUpn, DstUserMail\\n| extend AccountCustomEntity = SrcUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"ProofpointPOD - Multiple protected emails to unknown recipient\",\"description\":\"Detects when multiple protected messages where sent to early not seen recipient.\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d3980830-dd9d-40a5-911f-76b44dfdce16\",\"name\":\"d3980830-dd9d-40a5-911f-76b44dfdce16\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"let locationThreshold = 1;\\nlet aadFunc = (tableName:string){\\ntable(tableName)\\n| where AppDisplayName =~ \\\"GitHub.com\\\"\\n| where ResultType == 0\\n| summarize CountOfLocations = dcount(Location), Locations = make_set(Location,100), BurstStartTime = min(TimeGenerated), BurstEndTime = max(TimeGenerated) by UserPrincipalName, Type\\n| where CountOfLocations \u003e locationThreshold\\n| extend timestamp = BurstStartTime\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\\n| extend Name = tostring(split(UserPrincipalName,\u0027@\u0027,0)[0]), UPNSuffix = tostring(split(UserPrincipalName,\u0027@\u0027,1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"GitHub Signin Burst from Multiple Locations\",\"description\":\"This detection triggers when there is a Signin burst from multiple locations in GitHub (Entra ID SSO).\\n This detection is based on configurable threshold which can be prone to false positives. To view the anomaly based equivalent of thie detection, please see here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Entra%20ID/Analytic%20Rules/AnomalousUserAppSigninLocationIncrease-detection.yaml. \",\"lastUpdatedDateUTC\":\"2024-01-04T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bc5ffe2a-84d6-48fe-bc7b-1055100469bc\",\"name\":\"bc5ffe2a-84d6-48fe-bc7b-1055100469bc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.7\",\"severity\":\"High\",\"query\":\"let SunburstMD5=dynamic([\\\"b91ce2fa41029f6955bff20079468448\\\",\\\"02af7cec58b9a5da1c542b5a32151ba1\\\",\\\"2c4a910a1299cdae2a4e55988a2f102e\\\",\\\"846e27a652a5e1bfbd0ddd38a16dc865\\\",\\\"4f2eb62fa529c0283b28d05ddd311fae\\\"]);\\nlet SupernovaMD5=\\\"56ceb6d0011d87b6e4d7023d7ef85676\\\";\\nimFileEvent\\n| where TargetFileMD5 in (SunburstMD5) or TargetFileMD5 in (SupernovaMD5)\\n| extend AccountName = tostring(split(User, @\u0027\\\\\u0027)[1]), AccountNTDomain = tostring(split(User, @\u0027\\\\\u0027)[0])\\n| extend AlgorithmType = \\\"MD5\\\"\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"User\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Dvc\"},{\"identifier\":\"HostName\",\"columnName\":\"DvcHostname\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DvcDomain\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmType\"},{\"identifier\":\"Value\",\"columnName\":\"TargetFileMD5\"}]}],\"tactics\":[\"Execution\",\"Persistence\",\"InitialAccess\"],\"displayName\":\"SUNBURST and SUPERNOVA backdoor hashes (Normalized File Events)\",\"description\":\"Identifies SolarWinds SUNBURST and SUPERNOVA backdoor file hash IOCs in File Events\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimFileEvent)\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2020-12-15T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1baaaf00-655f-4de9-8ff8-312e902cda71\",\"name\":\"1baaaf00-655f-4de9-8ff8-312e902cda71\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let known_locations = (\\n AADServicePrincipalSignInLogs\\n | where TimeGenerated between(ago(14d)..ago(1d))\\n | where ResultType == 0\\n | summarize by Location);\\n AADServicePrincipalSignInLogs\\n | where TimeGenerated \u003e ago(1d)\\n | where ResultType != 50126\\n | where Location !in (known_locations)\\n | extend City = tostring(parse_json(LocationDetails).city)\\n | extend State = tostring(parse_json(LocationDetails).state)\\n | extend Place = strcat(City, \\\" - \\\", State)\\n | extend Result = strcat(tostring(ResultType), \\\" - \\\", ResultDescription)\\n | summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated), make_set(Result), make_set(IPAddress), make_set(Place) by ServicePrincipalName, Location\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"ServicePrincipalName\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Service Principal Authentication Attempt from New Country\",\"description\":\"Detects when there is a Service Principal login attempt from a country that has not seen a successful login in the previous 14 days.\\n Threat actors may attempt to authenticate with credentials from compromised accounts - monitoring attempts from anomalous locations may help identify these attempts.\\n Authentication attempts should be investigated to ensure the activity was legitimate and if there is other similar activity.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADServicePrincipalSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b2c15736-b9eb-4dae-8b02-3016b6a45a32\",\"name\":\"b2c15736-b9eb-4dae-8b02-3016b6a45a32\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.2\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\n// The number of operations above which an IP address is considered an unusual source of role assignment operations\\nlet alertOperationThreshold = 5;\\nlet AzureBuiltInRole = externaldata(Role:string,RoleDescription:string,ID:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/AzureBuiltInRole.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet createRoleAssignmentActivity = AzureActivity\\n| where OperationNameValue =~ \\\"microsoft.authorization/roleassignments/write\\\";\\nlet RoleAssignedActivity = createRoleAssignmentActivity \\n| where TimeGenerated between (ago(starttime) .. ago(endtime))\\n| summarize count() by CallerIpAddress, Caller, bin(TimeGenerated, 1d)\\n| where count_ \u003e= alertOperationThreshold\\n// Returns all the records from the right side that don\u0027t have matches from the left.\\n| join kind = rightanti ( \\ncreateRoleAssignmentActivity\\n| where TimeGenerated \u003e ago(endtime)\\n| extend parsed_property = tostring(parse_json(Properties).requestbody)\\n| extend PrincipalId = case(parsed_property has_cs \u0027PrincipalId\u0027,parse_json(parsed_property).Properties.PrincipalId, parsed_property has_cs \u0027principalId\u0027,parse_json(parsed_property).properties.principalId,\\\"\\\")\\n| extend PrincipalType = case(parsed_property has_cs \u0027PrincipalType\u0027,parse_json(parsed_property).Properties.PrincipalType, parsed_property has_cs \u0027principalType\u0027,parse_json(parsed_property).properties.principalType, \\\"\\\")\\n| extend Scope = case(parsed_property has_cs \u0027Scope\u0027,parse_json(parsed_property).Properties.Scope, parsed_property has_cs \u0027scope\u0027,parse_json(parsed_property).properties.scope,\\\"\\\")\\n| extend RoleAddedDetails = case(parsed_property has_cs \u0027RoleDefinitionId\u0027,parse_json(parsed_property).Properties.RoleDefinitionId,parsed_property has_cs \u0027roleDefinitionId\u0027,parse_json(parsed_property).properties.roleDefinitionId,\\\"\\\")\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = make_set(TimeGenerated), ActivityStatusValue = make_set(ActivityStatusValue), CorrelationId = make_set(CorrelationId), ActivityCountByCallerIPAddress = count() \\nby ResourceId, CallerIpAddress, Caller, OperationNameValue, Resource, ResourceGroup, PrincipalId, PrincipalType, Scope, RoleAddedDetails\\n) on CallerIpAddress, Caller\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress;\\nlet RoleAssignedActivitywithRoleDetails = RoleAssignedActivity\\n| extend RoleAssignedID = tostring(split(RoleAddedDetails, \\\"/\\\")[-1])\\n// Returns all matching records from left and right sides.\\n| join kind = inner (AzureBuiltInRole \\n) on $left.RoleAssignedID == $right.ID;\\nlet CallerIPCountSummary = RoleAssignedActivitywithRoleDetails | summarize AssignmentCountbyCaller = count() by Caller, CallerIpAddress;\\nlet RoleAssignedActivityWithCount = RoleAssignedActivitywithRoleDetails | join kind = inner (CallerIPCountSummary | project Caller, AssignmentCountbyCaller, CallerIpAddress) on Caller, CallerIpAddress;\\nRoleAssignedActivityWithCount\\n| summarize arg_max(StartTimeUtc, *) by PrincipalId, RoleAssignedID\\n// \\tReturns all the records from the left side and only matching records from the right side.\\n| join kind = leftouter( IdentityInfo\\n| summarize arg_max(TimeGenerated, *) by AccountObjectId\\n) on $left.PrincipalId == $right.AccountObjectId\\n// Check if assignment count is greater than the threshold.\\n| where AssignmentCountbyCaller \u003e= alertOperationThreshold\\n| project ActivityTimeStamp, OperationNameValue, Caller, CallerIpAddress, PrincipalId, RoleAssignedID, RoleAddedDetails, Role, RoleDescription, AccountUPN, AccountCreationTime, GroupMembership, UserType, ActivityStatusValue, ResourceGroup, PrincipalType, Scope, CorrelationId, timestamp, AccountCustomEntity, IPCustomEntity, AssignmentCountbyCaller\\n| extend Name = tostring(split(Caller,\u0027@\u0027,0)[0]), UPNSuffix = tostring(split(Caller,\u0027@\u0027,1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Caller\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"CallerIpAddress\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Suspicious granting of permissions to an account\",\"description\":\"Identifies IPs from which users grant access to other users on Azure resources and alerts when a previously unseen source IP address is used.\",\"lastUpdatedDateUTC\":\"2024-03-04T00:00:00Z\",\"createdDateUTC\":\"2019-02-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"IdentityInfo\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3fe3c520-04f1-44b8-8398-782ed21435f8\",\"name\":\"3fe3c520-04f1-44b8-8398-782ed21435f8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.4\",\"severity\":\"Low\",\"query\":\"let torProxies=dynamic([\\\"tor2web.org\\\", \\\"tor2web.com\\\", \\\"torlink.co\\\", \\\"onion.to\\\", \\\"onion.ink\\\", \\\"onion.cab\\\", \\\"onion.nu\\\", \\\"onion.link\\\", \\n\\\"onion.it\\\", \\\"onion.city\\\", \\\"onion.direct\\\", \\\"onion.top\\\", \\\"onion.casa\\\", \\\"onion.plus\\\", \\\"onion.rip\\\", \\\"onion.dog\\\", \\\"tor2web.fi\\\", \\n\\\"tor2web.blutmagie.de\\\", \\\"onion.sh\\\", \\\"onion.lu\\\", \\\"onion.pet\\\", \\\"t2w.pw\\\", \\\"tor2web.ae.org\\\", \\\"tor2web.io\\\", \\\"tor2web.xyz\\\", \\\"onion.lt\\\", \\n\\\"s1.tor-gateways.de\\\", \\\"s2.tor-gateways.de\\\", \\\"s3.tor-gateways.de\\\", \\\"s4.tor-gateways.de\\\", \\\"s5.tor-gateways.de\\\", \\\"hiddenservice.net\\\"]);\\n_Im_Dns(domain_has_any=torProxies)\\n| extend HostName = tostring(split(Dvc, \\\".\\\")[0]), DomainIndex = toint(indexof(Dvc, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Dvc, DomainIndex + 1), Dvc)\\n| project-away DomainIndex\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Dvc\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"DNS events related to ToR proxies (ASIM DNS Schema)\",\"description\":\"Identifies IP addresses performing DNS lookups associated with common ToR proxies.\\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a5b3429d-f1da-42b9-883c-327ecb7b91ff\",\"name\":\"a5b3429d-f1da-42b9-883c-327ecb7b91ff\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.8\",\"severity\":\"Medium\",\"query\":\"SecurityAlert\\n| where TimeGenerated \u003e ago(1d)\\n| where ProductName == \\\"Azure Active Directory Identity Protection\\\"\\n| where AlertName == \\\"Sign-in from an infected device\\\"\\n| mv-apply EntityAccount=todynamic(Entities) on\\n(\\nwhere EntityAccount.Type == \\\"account\\\"\\n| extend AadTenantId = tostring(EntityAccount.AadTenantId), AadUserId = tostring(EntityAccount.AadUserId)\\n)\\n| mv-apply EntityIp=todynamic(Entities) on\\n(\\nwhere EntityIp.Type == \\\"ip\\\"\\n| extend IpAddress = tostring(EntityIp.Address)\\n)\\n| join kind=inner (\\nIdentityInfo\\n| distinct AccountTenantId, AccountObjectId, AccountUPN, AccountDisplayName\\n| extend UserAccount = AccountUPN\\n| extend UserName = AccountDisplayName\\n| where isnotempty(AccountDisplayName) and isnotempty(UserAccount)\\n| project AccountTenantId, AccountObjectId, UserAccount, UserName\\n)\\non\\n$left.AadTenantId == $right.AccountTenantId,\\n$left.AadUserId == $right.AccountObjectId\\n| extend CompromisedEntity = iff(CompromisedEntity == \\\"N/A\\\" or isempty(CompromisedEntity), UserAccount, CompromisedEntity)\\n| project AlertName, AlertSeverity, CompromisedEntity, UserAccount, IpAddress, TimeGenerated, UserName\\n| join kind=inner \\n(\\nAzureActivity\\n| where OperationNameValue has_any (\\\"/workspaces/computes/delete\\\", \\\"workspaces/delete\\\") \\n| where ActivityStatusValue has_any (\\\"Succeeded\\\", \\\"Success\\\")\\n| project TimeGenerated, ResourceProviderValue, _ResourceId, SubscriptionId, UserAccount=Caller, IpAddress=CallerIpAddress, CorrelationId, OperationId, ResourceGroup, TenantId\\n) on IpAddress, UserAccount\\n| extend AccountName = tostring(split(UserAccount, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(UserAccount, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserAccount\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"_ResourceId\"}]}],\"tactics\":[\"InitialAccess\",\"Impact\"],\"displayName\":\"Workspace deletion activity from an infected device\",\"description\":\"This query will alert on any sign-ins from devices infected with malware in correlation with workspace deletion activity. \\nAttackers may attempt to delete workspaces containing compute instances after successful compromise to cause service unavailability to regular business operation.\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2022-04-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectoryIdentityProtection\",\"dataTypes\":[\"SecurityAlert (IPC)\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"IdentityInfo\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/45076281-35ae-45e0-b443-c32aa0baf965\",\"name\":\"45076281-35ae-45e0-b443-c32aa0baf965\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.6\",\"severity\":\"High\",\"query\":\"let args = dynamic([\\\"objectcategory\\\",\\\"domainlist\\\",\\\"dcmodes\\\",\\\"adinfo\\\",\\\"trustdmp\\\",\\\"computers_pwdnotreqd\\\",\\\"Domain Admins\\\", \\\"objectcategory=person\\\", \\\"objectcategory=computer\\\", \\\"objectcategory=*\\\",\\\"dclist\\\"]);\\nlet parentProcesses = dynamic([\\\"pwsh.exe\\\",\\\"powershell.exe\\\",\\\"cmd.exe\\\"]);\\nimProcessCreate\\n//looks for execution from a shell\\n| where ActingProcessName has_any (parentProcesses)\\n| extend ActingProcessFileName = tostring(split(ActingProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where ActingProcessFileName in~ (parentProcesses)\\n// main filter\\n| where Process hassuffix \\\"AdFind.exe\\\" or TargetProcessSHA256 == \\\"c92c158d7c37fea795114fa6491fe5f145ad2f8c08776b18ae79db811e8e36a3\\\"\\n// AdFind common Flags to check for from various threat actor TTPs\\nor CommandLine has_any (args)\\n| extend AlgorithmType = \\\"SHA256\\\"\\n| extend AccountName = tostring(split(User, @\u0027\\\\\u0027)[1]), AccountNTDomain = tostring(split(User, @\u0027\\\\\u0027)[0])\\n| extend HostName = tostring(split(Dvc, \\\".\\\")[0]), DomainIndex = toint(indexof(Dvc, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Dvc, DomainIndex + 1), Dvc)\\n| project-away DomainIndex\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"User\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Dvc\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ActingProcessName\"},{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLine\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmType\"},{\"identifier\":\"Value\",\"columnName\":\"TargetProcessSHA256\"}]}],\"tactics\":[\"Discovery\"],\"displayName\":\"Probable AdFind Recon Tool Usage (Normalized Process Events)\",\"description\":\"Identifies the host and account that executed AdFind by hash and filename in addition to common and unique flags that are used by many threat actors in discovery.\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimProcessEvent)\",\"lastUpdatedDateUTC\":\"2024-03-04T00:00:00Z\",\"createdDateUTC\":\"2021-06-09T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a2e0eb51-1f11-461a-999b-cd0ebe5c7a72\",\"name\":\"a2e0eb51-1f11-461a-999b-cd0ebe5c7a72\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Azure Security Center for IoT\",\"displayName\":\"Create incidents based on Microsoft Defender for IOT alerts\",\"description\":\"Create incidents based on all alerts generated in Microsoft Defender for IOT\",\"lastUpdatedDateUTC\":\"2019-12-24T00:00:00Z\",\"createdDateUTC\":\"2019-12-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"IoT\",\"dataTypes\":[\"SecurityAlert (ASC for IoT)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/884ead54-cb3f-4676-a1eb-b26532d6cbfd\",\"name\":\"884ead54-cb3f-4676-a1eb-b26532d6cbfd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.2\",\"severity\":\"Low\",\"query\":\"let SensitiveOperationList = dynamic(\\n[\\\"VaultDelete\\\", \\\"KeyDelete\\\", \\\"SecretDelete\\\", \\\"SecretPurge\\\", \\\"KeyPurge\\\", \\\"SecretBackup\\\", \\\"KeyBackup\\\"]);\\nAzureDiagnostics\\n| extend ResultType = column_ifexists(\\\"ResultType\\\", \\\"NoResultType\\\"), \\nrequestUri_s = column_ifexists(\\\"requestUri_s\\\", \\\"None\\\"), \\nidentity_claim_oid_g = column_ifexists(\\\"identity_claim_oid_g\\\", \\\"None\\\"), CallerIPAddress = column_ifexists(\\\"CallerIPAddress\\\", \\\"None\\\"), \\nclientInfo_s = column_ifexists(\\\"clientInfo_s\\\", \\\"None\\\"), \\nidentity_claim_upn_s = column_ifexists(\\\"identity_claim_upn_s\\\", \\\"None\\\"),\\nidentity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = column_ifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"None\\\")\\n| where ResourceType =~ \\\"VAULTS\\\" and ResultType =~ \\\"Success\\\"\\n| where OperationName in~ (SensitiveOperationList)\\n| summarize EventCount=count(), StartTimeUtc=min(TimeGenerated), EndTimeUtc=max(TimeGenerated), TimeTriggered=make_list(TimeGenerated),OperationNameList=make_set(OperationName), RequestURLList=make_set(requestUri_s), CallerIPList = make_set(CallerIPAddress), CallerIPMax= arg_max(CallerIPAddress,*) by ResourceType, ResultType, Resource, identity_claim_upn_s, clientInfo_s, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\n| extend timestamp = StartTimeUtc\\n| extend Name = tostring(split(identity_claim_upn_s,\u0027@\u0027,0)[0]), UPNSuffix = tostring(split(identity_claim_upn_s,\u0027@\u0027,1)[0]), AadUserId = identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"AadUserId\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"CallerIPMax\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"NRT Sensitive Azure Key Vault operations\",\"description\":\"Identifies when sensitive Azure Key Vault operations are used. This includes: VaultDelete, KeyDelete, SecretDelete, SecretPurge, KeyPurge, SecretBackup, KeyBackup.\\nAny Backup operations should match with expected scheduled backup activity.\",\"lastUpdatedDateUTC\":\"2024-03-04T00:00:00Z\",\"createdDateUTC\":\"2019-07-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureKeyVault\",\"dataTypes\":[\"KeyVaultData\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ec491363-5fe7-4eff-b68e-f42dcb76fcf6\",\"name\":\"ec491363-5fe7-4eff-b68e-f42dcb76fcf6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"2.0.3\",\"severity\":\"Medium\",\"query\":\"AzureActivity\\n| where CategoryValue =~ \u0027Administrative\u0027\\n| where ResourceProviderValue =~ \u0027Microsoft.ADHybridHealthService\u0027\\n| where _ResourceId has \u0027AdFederationService\u0027\\n| where OperationNameValue =~ \u0027Microsoft.ADHybridHealthService/services/servicemembers/action\u0027\\n| extend claimsJson = parse_json(Claims)\\n| extend AppId = tostring(claimsJson.appid), AccountName = tostring(claimsJson.name), Name = tostring(split(Caller,\u0027@\u0027,0)[0]), UPNSuffix = tostring(split(Caller,\u0027@\u0027,1)[0])\\n| project-away claimsJson\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Caller\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"CallerIpAddress\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"NRT Microsoft Entra ID Hybrid Health AD FS New Server\",\"description\":\"This detection uses AzureActivity logs (Administrative category) to identify the creation or update of a server instance in an Microsoft Entra ID Hybrid Health AD FS service.\\nA threat actor can create a new AD Health ADFS service and create a fake server instance to spoof AD FS signing logs. There is no need to compromise an on-premises AD FS server.\\nThis can be done programmatically via HTTP requests to Azure. More information in this blog: https://o365blog.com/post/hybridhealthagent/\",\"lastUpdatedDateUTC\":\"2024-01-08T00:00:00Z\",\"createdDateUTC\":\"2021-08-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/60f31001-018a-42bf-8045-a92e1f361b7b\",\"name\":\"60f31001-018a-42bf-8045-a92e1f361b7b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"// Define a variable \u0027AwsAlert\u0027 to collect Unauthorized user access alerts from AWS GuardDuty table\\nlet AwsAlert = materialize (\\n AWSGuardDuty\\n | where ActivityType has_any (\\\"UnauthorizedAccess:IAMUser/TorIPCaller\\\", \\\"UnauthorizedAccess:IAMUser/MaliciousIPCaller.Custom\\\", \\n \\\"UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS\\\", \\\"UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.InsideAWS\\\",\\n \\\"UnauthorizedAccess:IAMUser/ConsoleLoginSuccess.B\\\",\\\"UnauthorizedAccess:IAMUser/MaliciousIPCaller\\\")\\n | extend\\n AWSAlertId = Id, \\n AWSAlertTitle = Title,\\n AWSAlertDescription = Description,\\n AWSresourceType = tostring(parse_json(ResourceDetails).resourceType),\\n AWSNetworkEntity = tostring(parse_json(ServiceDetails).action.awsApiCallAction.remoteIpDetails.ipAddressV4),\\n AWSAlertUserNameEntity = tostring(parse_json(ResourceDetails).accessKeyDetails.userName),\\n InstanceType = tostring(parse_json(ResourceDetails).instanceDetails.instanceType),\\n AWSTargetingService = parse_json(ServiceDetails).additionalInfo.apiCalls,\\n AWSAlertTime = TimeCreated,\\n AWSAlertLink= tostring(strcat(\u0027https://us-east-1.console.aws.amazon.com/guardduty/home?region=us-east-1#/findings?macros=current\u0026fId=\u0027,Id)),\\n Severity = \\n case (\\n Severity \u003e= 7.0, \\\"High\\\",\\n Severity between (4.0 .. 6.9), \\\"Medium\\\",\\n Severity between (1.0 .. 3.9), \\\"Low\\\",\\n \\\"Unknown\\\")\\n | mv-apply AIPCall = AWSTargetingService on \\n ( \\n where AIPCall has \\\"name\\\" \\n | extend APICallName = tostring(AIPCall.name), APICallCount = tostring(AIPCall[\\\"count\\\"])\\n ) \\n | distinct\\n AWSAlertTime,\\n ActivityType,\\n Severity,\\n AWSAlertId,\\n AWSAlertTitle,\\n AWSAlertDescription,\\n AWSAlertLink,\\n Arn,\\n AWSresourceType,\\n AWSNetworkEntity,\\n AWSAlertUserNameEntity,\\n InstanceType,\\n APICallName,\\n APICallCount \\n );\\n // Define a variable \u0027Azure_sigin\u0027 to collect Azure portal Signing activity from SigninLogs Table\\n let Azure_sigin = materialize (SigninLogs\\n | where AppDisplayName == \\\"Azure Portal\\\"\\n | where isnotempty(OriginalRequestId)\\n | summarize \\n totalAzureLoginEventId = dcount(OriginalRequestId), \\n AzureFailedEventsCount = dcountif(OriginalRequestId, ResultType != 0), \\n AzureSuccessfulEventsCount = dcountif(OriginalRequestId, ResultType == 0),\\n AzureSetOfFailedEvents = makeset(iff(ResultType != 0, OriginalRequestId, \\\"\\\"), 5), \\n AzureSetOfSuccessfulEvents = makeset(iff(ResultType == 0, OriginalRequestId, \\\"\\\"), 5) \\n by \\n IPAddress, \\n UserPrincipalName, \\n bin(TimeGenerated, 1min), \\n UserAgent,\\n ConditionalAccessStatus,\\n OperationName,\\n RiskDetail,\\n AuthenticationRequirement,\\n ClientAppUsed \\n // Extracting the name and UPN suffix from UserPrincipalName\\n | extend\\n Name = tostring(split(UserPrincipalName, \\\"@\\\")[0]),\\n UPNSuffix = tostring(split(UserPrincipalName, \\\"@\\\")[1])\\n );\\n // Join \u0027AwsAlert\u0027 and \u0027Azure_sigin\u0027 on the AWS Network Entity and Azure IP Address\\n AwsAlert\\n | join kind=inner Azure_sigin on $left.AWSNetworkEntity == $right.IPAddress\",\"customDetails\":{\"AWSAlertUserName\":\"AWSAlertUserNameEntity\",\"AWSArn\":\"Arn\",\"AWSresourceType\":\"AWSresourceType\",\"AWSInstanceType\":\"InstanceType\",\"AWSAPICallName\":\"APICallName\",\"AWSAPICallCount\":\"APICallCount\",\"AzureUserAgent\":\"UserAgent\",\"AzureUser\":\"UserPrincipalName\",\"AzureClientAppUsed\":\"ClientAppUsed\",\"AzConditionalAccess\":\"ConditionalAccessStatus\",\"AzureOperationName\":\"OperationName\",\"AzureRiskDetail\":\"RiskDetail\",\"AzAuthRequirement\":\"AuthenticationRequirement\",\"alertSeverity\":\"Severity\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"{{AWSNetworkEntity}} from {{AWSAlertTitle}} observed in Azure Singins with {{UserPrincipalName}}\",\"alertDescriptionFormat\":\" This detection compiles and correlates unauthorized user access alerts originating from AWS GuardDuty With Alert Description \u0027{{AWSAlertDescription}}\u0027 with Azure portal sign-in activities. It focuses on AWS GuardDuty alerts related to unauthorized user access, specifically targeting network IP associations tied to activities such as logins from malicious IP addresses or instance credential exfiltration attempts. The detection leverages these common network IP advisories to detect and pinpoint unauthorized users attempting to access both AWS and Azure resources. \\n\\n AWS ALert Link : \u0027{{AWSAlertLink}}\u0027 \\n\\n Find More Details :https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-active.html\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":\"Severity\"},\"tactics\":[\"CredentialAccess\",\"Exfiltration\",\"Discovery\"],\"displayName\":\"Unauthorized user access across AWS and Azure\",\"description\":\"\\nThis detection compiles and correlates unauthorized user access alerts originating from AWS GuardDuty with Azure portal sign-in activities. It focuses on AWS GuardDuty alerts related to unauthorized user access, specifically targeting network IP associations tied to activities such as logins from malicious IP addresses or instance credential exfiltration attempts. The ditection leverages these common network IP advisories to detect and pinpoint unauthorized users attempting to access both AWS and Azure resources.\\n\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2023-09-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSGuardDuty\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/78979d32-e63f-4740-b206-cfb300c735e0\",\"name\":\"78979d32-e63f-4740-b206-cfb300c735e0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n ProofpointPOD \\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(SrcIpAddr)\\n | extend ProofpointPOD_TimeGenerated = TimeGenerated, ClientIP = SrcIpAddr\\n )\\non $left.TI_ipEntity == $right.ClientIP\\n| where ProofpointPOD_TimeGenerated \u003c ExpirationDateTime\\n| summarize ProofpointPOD_TimeGenerated = arg_max(ProofpointPOD_TimeGenerated, *) by IndicatorId, ClientIP\\n| project ProofpointPOD_TimeGenerated, SrcUserUpn, DstUserUpn, SrcIpAddr, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, ClientIP\\n| extend timestamp = ProofpointPOD_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SrcUserUpn\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]}],\"tactics\":[\"Exfiltration\",\"InitialAccess\"],\"displayName\":\"ProofpointPOD - Email sender IP in TI list\",\"description\":\"Email sender IP in TI list.\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_maillog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5c847e47-0a07-4c01-ab99-5817ad6cb11e\",\"name\":\"5c847e47-0a07-4c01-ab99-5817ad6cb11e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"// Materialize AWS GuardDuty findings\\nlet AwsAlert = materialize (\\n AWSGuardDuty\\n // Filter for specific activity types in AWS GuardDuty\\n | where ActivityType has_any (\\n \\\"Backdoor:EC2/DenialOfService.UnusualProtocol\\\",\\n \\\"CredentialAccess:Kubernetes/MaliciousIPCaller\\\",\\n \\\"CredentialAccess:Kubernetes/SuccessfulAnonymousAccess\\\",\\n \\\"CredentialAccess:Kubernetes/TorIPCaller\\\",\\n \\\"CredentialAccess:RDS/AnomalousBehavior.SuccessfulBruteForce\\\",\\n \\\"CredentialAccess:RDS/TorIPCaller.FailedLogin\\\",\\n \\\"CredentialAccess:RDS/TorIPCaller.SuccessfulLogin\\\",\\n \\\"Discovery:Kubernetes/MaliciousIPCaller\\\",\\n \\\"Recon:IAMUser/MaliciousIPCaller.Custom\\\",\\n \\\"UnauthorizedAccess:EC2/TorClient\\\",\\n \\\"UnauthorizedAccess:IAMUser/TorIPCaller\\\",\\n \\\"UnauthorizedAccess:IAMUser/MaliciousIPCaller.Custom\\\",\\n \\\"UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS\\\",\\n \\\"UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.InsideAWS\\\",\\n \\\"UnauthorizedAccess:IAMUser/ConsoleLoginSuccess.B\\\"\\n )\\n // Extract and transform AWS GuardDuty attributes\\n | extend\\n AWSAlertId = Id, \\n AWSAlertTitle = Title,\\n AWSAlertDescription = Description,\\n AWSresourceType = tostring(parse_json(ResourceDetails).resourceType),\\n AWSNetworkEntity = tostring(parse_json(ServiceDetails).action.awsApiCallAction.remoteIpDetails.ipAddressV4),\\n AWSAlertUserNameEntity = tostring(parse_json(ResourceDetails).accessKeyDetails.userName),\\n InstanceType = tostring(parse_json(ResourceDetails).instanceDetails.instanceType),\\n AWSTargetingService = parse_json(ServiceDetails).additionalInfo.apiCalls,\\n AWSAlertTime = TimeCreated,\\n AWSAlertLink= tostring(strcat(\u0027https://us-east-1.console.aws.amazon.com/guardduty/home?region=us-east-1#/findings?macros=current\u0026fId=\u0027, Id)),\\n Severity = \\n case (\\n Severity \u003e= 7.0,\\n \\\"High\\\",\\n Severity between (4.0 .. 6.9),\\n \\\"Medium\\\",\\n Severity between (1.0 .. 3.9),\\n \\\"Low\\\",\\n \\\"Unknown\\\"\\n)\\n // Extract API call details and count\\n | mv-apply AIPCall = AWSTargetingService on \\n ( \\n where AIPCall has \\\"name\\\" \\n | extend APICallName = tostring(AIPCall.name), APICallCount = tostring(AIPCall[\\\"count\\\"])\\n ) \\n // Select distinct attributes for further analysis\\n | distinct\\n AWSAlertTime,\\n ActivityType,\\n Severity,\\n AWSAlertId,\\n AWSAlertTitle,\\n AWSAlertDescription,\\n AWSAlertLink,\\n Arn,\\n AWSresourceType,\\n AWSNetworkEntity,\\n AWSAlertUserNameEntity,\\n InstanceType,\\n APICallName,\\n APICallCount \\n );\\n// Materialize GCP Audit Logs related to VM instance creation\\nlet GCPVMActivity= materialize(\\n GCPAuditLogs \\n // Filter for Compute Engine instances insertions\\n | where ServiceName == \\\"compute.googleapis.com\\\" and MethodName endswith \\\"instances.insert\\\"\\n // Extract and transform relevant GCP Audit Log attributes\\n | extend\\n GCPUserUPN= tostring(parse_json(AuthenticationInfo).principalEmail),\\n GCPUserIp = tostring(parse_json(RequestMetadata).callerIp),\\n GCPUserUA= tostring(parse_json(RequestMetadata).callerSuppliedUserAgent),\\n VMDetails= parse_json(AuthorizationInfo),\\n VMStatus = tostring(parse_json(Response).status),\\n VMOperation=tostring(parse_json(Response).operationType),\\n VMName= tostring(parse_json(Request).name),\\n VMDescription= tostring(parse_json(Request).description),\\n VMType = tostring(split(parse_json(Request).machineType, \\\"/\\\")[-1]),\\n Tags= tostring(parse_json(Request).tags),\\n RequestJS = parse_json(Request)\\n // Filter out service account-related activities and private IP addresses\\n | where GCPUserUPN !has \\\"gserviceaccount.com\\\"\\n | extend Name = tostring(split(GCPUserUPN, \\\"@\\\")[0]), UPNSuffix = tostring(split(GCPUserUPN, \\\"@\\\")[1])\\n | where VMOperation == \\\"insert\\\" and isnotempty(GCPUserIp) and GCPUserIp != \\\"private\\\"\\n // Select relevant attributes for further analysis\\n | project\\n GCPOperationTime=TimeGenerated,\\n VMName,\\n VMStatus,\\n MethodName,\\n GCPUserUPN,\\n ProjectId,\\n GCPUserIp,\\n GCPUserUA,\\n VMOperation,\\n VMType,\\n Name,\\n UPNSuffix\\n );\\n// Join AWS and GCP activities based on matching IP addresses\\nAwsAlert\\n| join kind= inner (GCPVMActivity)\\n on\\n $left.AWSNetworkEntity == $right.GCPUserIp\",\"customDetails\":{\"AWSAlertUserName\":\"AWSAlertUserNameEntity\",\"AWSArn\":\"Arn\",\"AWSresourceType\":\"AWSresourceType\",\"AWSInstanceType\":\"InstanceType\",\"AWSAPICallName\":\"APICallName\",\"AWSAPICallCount\":\"APICallCount\",\"GCPUserAgent\":\"GCPUserUA\",\"GCPVMName\":\"VMName\",\"GCPProjectId\":\"ProjectId\",\"GCPVMType\":\"VMType\",\"CorrelationWith\":\"GCPAuditLogs\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"GCPUserIp\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"{{AWSNetworkEntity}} from {{AWSAlertTitle}} observed in GCP compute activity with {{GCPUserUPN}}\",\"alertDescriptionFormat\":\" This detection compiles and correlates unauthorized user access alerts originating from AWS GuardDuty With Alert Description \u0027{{AWSAlertDescription}}\u0027 assocated with GCP compute activities. It focuses on AWS GuardDuty alerts related to unauthorized user access, specifically targeting network IP associations tied to activities such as logins from malicious IP addresses or instance credential exfiltration attempts. The detection leverages these common network IP advisories to detect and pinpoint unauthorized users attempting to access both AWS and Azure resources. \\n\\n AWS ALert Link : \u0027{{AWSAlertLink}}\u0027 \\n\\n Find More Details :https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-active.html\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":\"Severity\"},\"tactics\":[\"InitialAccess\",\"Execution\",\"Persistence\",\"PrivilegeEscalation\",\"CredentialAccess\",\"Discovery\",\"LateralMovement\"],\"displayName\":\"Cross-Cloud Suspicious Compute resource creation in GCP\",\"description\":\"\\nThis detection identifies potential suspicious activity across multi-cloud environments by combining AWS GuardDuty findings with GCP Audit Logs. It focuses on AWS activities related to unauthorized access, credential abuse, and unusual behaviors, as well as GCP instances creation with non-Google service account users. The query aims to provide a comprehensive view of cross-cloud security incidents for proactive threat detection and response.\\n\",\"lastUpdatedDateUTC\":\"2023-10-06T00:00:00Z\",\"createdDateUTC\":\"2023-10-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"GCPAuditLogsDefinition\",\"dataTypes\":[\"GCPAuditLogs\"]},{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSGuardDuty\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/50cbf34a-4cdd-45d7-b3f5-8b53a1d0d14f\",\"name\":\"50cbf34a-4cdd-45d7-b3f5-8b53a1d0d14f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"Event\\n| where EventLog =~ \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID==1\\n| parse EventData with * \u0027CommandLine\\\"\u003e\u0027 CommandLine \\\"\u003c\\\" * \u0027ParentCommandLine\\\"\u003e\u0027 ParentCommandLine \\\"\u003c\\\" *\\n| where ParentCommandLine =~ \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe -k DcomLaunch\\\" and CommandLine =~ \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\mmc.exe -Embedding\\\"\\n| parse EventData with * \u0027ProcessGuid\\\"\u003e\u0027 ProcessGuid \\\"\u003c\\\" * \u0027Image\\\"\u003e\u0027 Image \\\"\u003c\\\" * \u0027Description\\\"\u003e\u0027 Description \\\"\u003c\\\" * \u0027CurrentDirectory\\\"\u003e\u0027 CurrentDirectory \\\"\u003c\\\" * \u0027User\\\"\u003e\u0027 User \\\"\u003c\\\" * \u0027LogonGuid\\\"\u003e\u0027 LogonGuid \\\"\u003c\\\" * \u0027ParentProcessGuid\\\"\u003e\u0027 ParentProcessGuid \\\"\u003c\\\" * \u0027ParentImage\\\"\u003e\u0027 ParentImage \\\"\u003c\\\" * \u0027ParentCommandLine\\\"\u003e\u0027 ParentCommandLine \\\"\u003c\\\" * \u0027ParentUser\\\"\u003e\u0027 ParentUser \\\"\u003c\\\" *\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, User, ParentImage, ParentProcessGuid, ParentCommandLine, ParentUser, Image, ProcessGuid, CommandLine, Description\\n| extend HostName = iif(Computer has \u0027.\u0027,substring(Computer,0,indexof(Computer,\u0027.\u0027)),Computer) , DnsDomain = iif(Computer has \u0027.\u0027,substring(Computer,indexof(Computer,\u0027.\u0027)+1),\u0027\u0027)\",\"entityMappings\":[{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLine\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"User\"}]}],\"tactics\":[\"LateralMovement\"],\"displayName\":\"Lateral Movement via DCOM\",\"description\":\"This query detects a fairly uncommon attack technique using the Windows Distributed Component Object Model (DCOM) to make a remote execution call to another computer system and gain lateral movement throughout the network.\\nRef: http://thenegative.zone/incident%20response/2017/02/04/MMC20.Application-Lateral-Movement-Analysis.html\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-03-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/dd0a6029-ecef-4507-89c4-fc355ac52111\",\"name\":\"dd0a6029-ecef-4507-89c4-fc355ac52111\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.4.2\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h; // Look back 1 hour\\nlet ioc_lookBack = 14d; // Look back 14 days\\n// Create a list of top-level domains (TLDs) from the threat feed data for later validation\\nlet SecurityLog = materialize(\\n CommonSecurityLog\\n // Filter common security logs based on the specified time range\\n | extend IngestionTime = ingestion_time()\\n | where IngestionTime \u003e ago(dt_lookBack)\\n | where DeviceEventClassID =~ \u0027url\u0027\\n // Uncomment the line below to only alert on allowed connections\\n //| where DeviceAction !~ \\\"block-url\\\"\\n // Extract the domain from RequestURL, if not present, extract it from AdditionalExtensions\\n | extend PA_Url = column_ifexists(\\\"RequestURL\\\", \\\"None\\\")\\n | extend PA_Url = iif(isempty(PA_Url) and AdditionalExtensions !startswith \\\"PanOS\\\", extract(\\\"([^\\\\\\\\\\\\\\\"]+)\\\", 1, tolower(AdditionalExtensions)), trim(\u0027\\\"\u0027, PA_Url))\\n | extend PA_Url = iif(PA_Url !startswith \\\"http://\\\" and ApplicationProtocol !~ \\\"ssl\\\", strcat(\u0027http://\u0027, PA_Url), iif(PA_Url !startswith \\\"https://\\\" and ApplicationProtocol =~ \\\"ssl\\\", strcat(\u0027https://\u0027, PA_Url), PA_Url))\\n | extend Domain = trim(\u0027\\\"\u0027, tostring(parse_url(PA_Url).Host))\\n | where isnotempty(Domain)\\n | extend Domain = tolower(Domain)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n);\\nlet LogDomains = SecurityLog | distinct Domain | summarize make_list(Domain);\\n// Retrieve threat intelligence indicators within the specified time range\\nlet Domain_Indicators = materialize(\\n ThreatIntelligenceIndicator\\n | where isnotempty(DomainName)\\n | where TimeGenerated \u003e= ago(ioc_lookBack)\\n | extend TI_DomainEntity = tolower(DomainName)\\n | where TI_DomainEntity in (LogDomains)\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n | where Active == true and ExpirationDateTime \u003e now());\\n// Join threat intelligence indicators with common security logs\\nDomain_Indicators | join kind=innerunique (SecurityLog) on $left.TI_DomainEntity == $right.Domain\\n| where CommonSecurityLog_TimeGenerated \u003c ExpirationDateTime\\n| summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId\\n| project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, PA_Url, Domain, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DeviceAction, DestinationIP, DestinationPort, DeviceName, SourceIP, SourcePort, ApplicationProtocol, RequestMethod, Type, TI_DomainEntity\\n| extend timestamp = CommonSecurityLog_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"DeviceName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"PA_Url\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"TI map Domain entity to PaloAlto CommonSecurityLog\",\"description\":\"Identifies a match in PaloAlto CommonSecurityLog table from any Domain IOC from TI\",\"lastUpdatedDateUTC\":\"2024-07-09T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c7cd6073-6d2c-4284-a5c8-da27605bdfde\",\"name\":\"c7cd6073-6d2c-4284-a5c8-da27605bdfde\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"let lbtime = 10m;\\nProofpointPOD\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027inbound\u0027\\n| where FilterDisposition !in (\u0027reject\u0027, \u0027discard\u0027)\\n| where FilterModulesSpamScoresOverall == \u0027100\u0027\\n| project SrcUserUpn, DstUserUpn\\n| extend AccountCustomEntity = SrcUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"ProofpointPOD - High risk message not discarded\",\"description\":\"Detects when email with high risk score was not rejected or discarded by filters.\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8ec3a7f9-9f55-4be3-aeb6-9188f91b278e\",\"name\":\"8ec3a7f9-9f55-4be3-aeb6-9188f91b278e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"let lookback = 14d;\\nlet timeframe = 1d;\\nlet user_accounts = \\\"(([a-zA-Z]{1,})\\\\\\\\.([a-zA-Z]{1,}))@.*\\\";\\nlet known_useragents = dynamic([]);\\nDynamics365Activity\\n| where TimeGenerated between(ago(lookback)..ago(timeframe))\\n| where isnotempty(UserAgent)\\n| summarize by UserAgent, UserId\\n| join kind = rightanti (Dynamics365Activity\\n| where TimeGenerated \u003e ago(timeframe)\\n| where isnotempty(UserAgent)\\n| where UserAgent !in~ (known_useragents)\\n| where UserAgent !hasprefix \\\"azure-logic-apps\\\" and UserAgent !hasprefix \\\"PowerApps\\\"\\n| where UserId matches regex user_accounts)\\non UserAgent, UserId\\n// Uncomment this section to exclude user agents with a rendering engine, indicating browsers.\\n//| join kind = leftanti(\\n//Dynamics365Activity\\n//| where TimeGenerated between(ago(lookback)..ago(timeframe))\\n//| where UserAgent has_any (\\\"Gecko\\\", \\\"WebKit\\\", \\\"Presto\\\", \\\"Trident\\\", \\\"EdgeHTML\\\", \\\"Blink\\\")) on UserAgent\\n| summarize FirstSeen = min(TimeGenerated), IPs = make_set(ClientIP) by UserAgent, UserId\\n| extend timestamp = FirstSeen, AccountCustomEntity = UserId\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"New Dynamics 365 User Agent\",\"description\":\"Detects users accessing Dynamics from a User Agent that has not been seen the 14 days. Has configurable filter for known good user agents such as PowerApps. Also includes optional section to exclude User Agents to indicate a browser being used.\",\"lastUpdatedDateUTC\":\"2022-12-12T00:00:00Z\",\"createdDateUTC\":\"2021-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Dynamics365\",\"dataTypes\":[\"Dynamics365Activity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/29e99017-e28d-47be-8b9a-c8c711f8a903\",\"name\":\"29e99017-e28d-47be-8b9a-c8c711f8a903\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"let security_info_actions = dynamic([\\\"User registered security info\\\", \\\"User changed default security info\\\", \\\"User deleted security info\\\", \\\"Admin updated security info\\\", \\\"User reviewed security info\\\", \\\"Admin deleted security info\\\", \\\"Admin registered security info\\\"]);\\nlet VIPUsers = (_GetWatchlist(\u0027VIPUsers\u0027) | distinct \\\"User Principal Name\\\");\\nAuditLogs\\n| where Category =~ \\\"UserManagement\\\"\\n| where ActivityDisplayName in (security_info_actions)\\n| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n| extend InitiatingIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\\n| mv-apply TargetResource = TargetResources on \\n (\\n where TargetResource.type =~ \\\"User\\\"\\n | extend Target = trim(@\u0027\\\"\u0027,tolower(tostring(TargetResource.userPrincipalName)))\\n )\\n| where Target in~ (VIPUsers)\\n| summarize Start=min(TimeGenerated), End=max(TimeGenerated), Actions = make_set(ResultReason) by InitiatingUserPrincipalName, InitiatingAadUserId, InitiatingAppName, InitiatingAppServicePrincipalId, InitiatingIpAddress, Result, Target\\n| extend TargetName = tostring(split(Target,\u0027@\u0027,0)[0]), TargetUPNSuffix = tostring(split(Target,\u0027@\u0027,1)[0])\\n| extend InitiatedByName = tostring(split(InitiatingUserPrincipalName,\u0027@\u0027,0)[0]), InitiatedByUPNSuffix = tostring(split(InitiatingUserPrincipalName,\u0027@\u0027,1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Target\"},{\"identifier\":\"Name\",\"columnName\":\"TargetName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"TargetUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatedByName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatedByUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAppServicePrincipalId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIpAddress\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"NRT Authentication Methods Changed for VIP Users\",\"description\":\"Identifies authentication methods being changed for a list of VIP users watchlist. This could be an indication of an attacker adding an auth method to the account so they can have continued access.\",\"lastUpdatedDateUTC\":\"2024-01-09T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/67775878-7f8b-4380-ac54-115e1e828901\",\"name\":\"67775878-7f8b-4380-ac54-115e1e828901\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.4\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet IP_TI = \\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack)\\n| extend IoC = coalesce(NetworkIP, NetworkDestinationIP, NetworkSourceIP,EmailSourceIpAddress,\\\"NO_IP\\\")\\n| where IoC != \\\"NO_IP\\\"\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true and ExpirationDateTime \u003e now();\\nIP_TI\\n| join kind=innerunique // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n(\\n_Im_Dns(starttime=ago(dt_lookBack))\\n| where isnotempty(DnsResponseName)\\n| summarize imDns_mintime=min(TimeGenerated), imDns_maxtime=max(TimeGenerated) by SrcIpAddr, DnsQuery, DnsResponseName, Dvc, EventProduct, EventVendor\\n| extend addresses = extract_all (@\u0027(\\\\d+\\\\.\\\\d+\\\\.\\\\d+\\\\.\\\\d+)\u0027, DnsResponseName)\\n| mv-expand IoC = addresses to typeof(string)\\n)\\non IoC\\n| where imDns_mintime \u003c ExpirationDateTime\\n| project imDns_mintime, imDns_maxtime, Description, ActivityGroupNames, IndicatorId, ThreatType, LatestIndicatorTime, ExpirationDateTime, ConfidenceScore, SrcIpAddr, IoC, Dvc, EventVendor, EventProduct, DnsQuery, DnsResponseName\",\"customDetails\":{\"LatestIndicatorTime\":\"LatestIndicatorTime\",\"Description\":\"Description\",\"ActivityGroupNames\":\"ActivityGroupNames\",\"IndicatorId\":\"IndicatorId\",\"ThreatType\":\"ThreatType\",\"ExpirationDateTime\":\"ExpirationDateTime\",\"ConfidenceScore\":\"ConfidenceScore\",\"DNSRequestTime\":\"imDns_mintime\",\"SourceIPAddress\":\"SrcIpAddr\",\"DnsQuery\":\"DnsQuery\"},\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Dvc\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IoC\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"The response {{IoC}} to DNS query matched an IoC\",\"alertDescriptionFormat\":\"The response address {{IoC}} to a DNS query matched a known indicator of compromise of {{ThreatType}}. Consult the threat intelligence blade for more information on the indicator.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"CommandAndControl\"],\"displayName\":\"TI map IP entity to DNS Events (ASIM DNS schema)\",\"description\":\"This rule identifies DNS requests for which response IP address is a known IoC. This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema.\",\"lastUpdatedDateUTC\":\"2024-07-09T00:00:00Z\",\"createdDateUTC\":\"2021-09-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/48607a29-a26a-4abf-8078-a06dbdd174a4\",\"name\":\"48607a29-a26a-4abf-8078-a06dbdd174a4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.7\",\"severity\":\"Medium\",\"query\":\"let timeRange = 1d;\\nlet lookBack = 7d;\\nlet authenticationWindow = 20m;\\nlet authenticationThreshold = 5;\\nlet isGUID = \\\"[0-9a-z]{8}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{12}\\\";\\nlet failureCodes = dynamic([50053, 50126, 50055]); // invalid password, account is locked - too many sign ins, expired password\\nlet successCodes = dynamic([0, 50055, 50057, 50155, 50105, 50133, 50005, 50076, 50079, 50173, 50158, 50072, 50074, 53003, 53000, 53001, 50129]);\\n// Lookup up resolved identities from last 7 days\\nlet aadFunc = (tableName:string){\\nlet identityLookup = table(tableName)\\n| where TimeGenerated \u003e= ago(lookBack)\\n| where not(Identity matches regex isGUID)\\n| where isnotempty(UserId)\\n| summarize by UserId, lu_UserDisplayName = UserDisplayName, lu_UserPrincipalName = UserPrincipalName, Type;\\n// collect window threshold breaches\\ntable(tableName)\\n| where TimeGenerated \u003e ago(timeRange)\\n| where ResultType in(failureCodes)\\n| summarize FailedPrincipalCount = dcount(UserPrincipalName) by bin(TimeGenerated, authenticationWindow), IPAddress, AppDisplayName, Type\\n| where FailedPrincipalCount \u003e= authenticationThreshold\\n| summarize WindowThresholdBreaches = count() by IPAddress, Type\\n| join kind= inner (\\n// where we breached a threshold, join the details back on all failure data\\ntable(tableName)\\n| where TimeGenerated \u003e ago(timeRange)\\n| where ResultType in(failureCodes)\\n| extend LocationDetails = todynamic(LocationDetails)\\n| extend FullLocation = strcat(LocationDetails.countryOrRegion,\u0027|\u0027, LocationDetails.state, \u0027|\u0027, LocationDetails.city)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), make_set(ClientAppUsed,20), make_set(FullLocation,20), FailureCount = count() by IPAddress, AppDisplayName, UserPrincipalName, UserDisplayName, Identity, UserId, Type\\n// lookup any unresolved identities\\n| extend UnresolvedUserId = iff(Identity matches regex isGUID, UserId, \\\"\\\")\\n| join kind= leftouter (\\n identityLookup\\n) on $left.UnresolvedUserId==$right.UserId\\n| extend UserDisplayName=iff(isempty(lu_UserDisplayName), UserDisplayName, lu_UserDisplayName)\\n| extend UserPrincipalName=iff(isempty(lu_UserPrincipalName), UserPrincipalName, lu_UserPrincipalName)\\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), make_set(UserPrincipalName,20), make_set(UserDisplayName,20), make_set(set_ClientAppUsed,20), make_set(set_FullLocation,20), make_list(FailureCount,20) by IPAddress, AppDisplayName, Type\\n| extend FailedPrincipalCount = array_length(set_UserPrincipalName)\\n) on IPAddress\\n| project IPAddress, StartTime, EndTime, TargetedApplication=AppDisplayName, FailedPrincipalCount, UserPrincipalNames=set_UserPrincipalName, UserDisplayNames=set_UserDisplayName, ClientAppsUsed=set_set_ClientAppUsed, Locations=set_set_FullLocation, FailureCountByPrincipal=list_FailureCount, WindowThresholdBreaches, Type\\n| join kind= inner (\\ntable(tableName) // get data on success vs. failure history for each IP\\n| where TimeGenerated \u003e ago(timeRange)\\n| where ResultType in(successCodes) or ResultType in(failureCodes) // success or failure types\\n| summarize GlobalSuccessPrincipalCount = dcountif(UserPrincipalName, (ResultType in (successCodes))), ResultTypeSuccesses = make_set_if(ResultType, (ResultType in (successCodes))), GlobalFailPrincipalCount = dcountif(UserPrincipalName, (ResultType in (failureCodes))), ResultTypeFailures = make_set_if(ResultType, (ResultType in (failureCodes))) by IPAddress, Type\\n| where GlobalFailPrincipalCount \u003e GlobalSuccessPrincipalCount // where the number of failed principals is greater than success - eliminates FPs from IPs who authenticate successfully alot and as a side effect have alot of failures\\n) on IPAddress\\n| project-away IPAddress1\\n| extend timestamp=StartTime\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Password spray attack against Microsoft Entra ID application\",\"description\":\"Identifies evidence of password spray activity against Microsoft Entra ID applications by looking for failures from multiple accounts from the same IP address within a time window. If the number of accounts breaches the threshold just once, all failures from the IP address within the time range are bought into the result. Details on whether there were successful authentications by the IP address within the time window are also included.\\nThis can be an indicator that an attack was successful.\\nThe default failure acccount threshold is 5, Default time window for failures is 20m and default look back window is 1 day\\nNote: Due to the number of possible accounts involved in a password spray it is not possible to map identities to a custom entity.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2020-03-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4a3f5ed7-8da5-4ce2-af6f-c9ada45060f2\",\"name\":\"4a3f5ed7-8da5-4ce2-af6f-c9ada45060f2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.7\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @\u0027^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$\u0027;\\nlet OfficeEvents = materialize(\\n OfficeActivity\\n | where isnotempty(UserId)\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where UserId matches regex emailregex\\n | project-rename OfficeActivity_TimeGenerated = TimeGenerated);\\nlet OfficeActivityUPNs = OfficeEvents | distinct UserId = tolower(UserId) | summarize make_list(UserId);\\nThreatIntelligenceIndicator\\n| where isnotempty(EmailSenderAddress)\\n| where TimeGenerated \u003e= ago(ioc_lookBack)\\n| where tolower(EmailSenderAddress) in (OfficeActivityUPNs)\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true and ExpirationDateTime \u003e now()\\n| where Description !contains_cs \\\"State: inactive;\\\" and Description !contains_cs \\\"State: falsepos;\\\"\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (OfficeEvents) on $left.EmailSenderAddress == $right.UserId\\n| where OfficeActivity_TimeGenerated \u003c ExpirationDateTime\\n| summarize OfficeActivity_TimeGenerated = arg_max(OfficeActivity_TimeGenerated, *) by IndicatorId, UserId\\n| project OfficeActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, EmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, UserId, ClientIP, Operation, UserType, RecordType, OfficeWorkload, Parameters\\n| extend Name = tostring(split(UserId, \u0027@\u0027, 0)[0]), UPNSuffix = tostring(split(UserId, \u0027@\u0027, 1)[0])\\n| extend timestamp = OfficeActivity_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserId\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"TI map Email entity to OfficeActivity\",\"description\":\"Identifies a match in OfficeActivity table from any Email IOC from TI\",\"lastUpdatedDateUTC\":\"2024-07-10T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a04cf847-a832-4c60-b687-b0b6147da219\",\"name\":\"a04cf847-a832-4c60-b687-b0b6147da219\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"High\",\"query\":\"let IPList = dynamic([\\\"45.63.52.41\\\",\\\"140.82.17.161\\\",\\\"207.148.101.95\\\",\\\"45.32.87.51\\\",\\\"66.42.98.156\\\",\\\"45.76.144.105\\\",\\\"217.163.28.35\\\",\\\"45.32.141.174\\\",\\\"149.28.165.249\\\",\\\"209.250.225.247\\\",\\\"45.63.100.115\\\",\\\"95.179.229.230\\\",\\\"209.250.233.247\\\",\\\"45.77.121.232\\\",\\\"45.76.175.65\\\",\\\"104.238.160.237\\\",\\\"45.77.181.97\\\",\\\"95.179.192.125\\\",\\\"149.28.93.184\\\",\\\"140.82.16.81\\\",\\\"45.76.173.103\\\",\\\"45.77.255.22\\\",\\\"45.32.11.71\\\",\\\"149.28.77.26\\\",\\\"45.32.54.50\\\",\\\"104.156.233.156\\\",\\\"45.32.21.118\\\",\\\"45.63.62.109\\\",\\\"45.77.244.202\\\",\\\"149.248.11.205\\\",\\\"104.238.190.244\\\"]);\\nlet IOCTerms = \\\"\\\\\\\\?lang=[/..]*/dev/cmdb/sslvpn_websession|/dana-na/jam/[/..]*home/webserver/htdocs/dana/html5acc/guacamole[/..]*etc/passwd\\\\\\\\?\\\";\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where isnotempty(SourceIP) or isnotempty(DestinationIP)\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or has_any_ipv4 (Message, IPList)\\n| extend IPMatch = case(\\nSourceIP in (IPList), \\\"SourceIP\\\", \\nDestinationIP in (IPList), \\\"DestinationIP\\\",\\n\\\"Message\\\") \\n| where Message matches regex IOCTerms\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch\\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\") \\n),\\n(OfficeActivity\\n| where isnotempty(UserAgent) and ClientIP in (IPList)\\n| where UserAgent contains \\\"ExchangeServicesClient/0.0.0.0\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP = ClientIP, Account = UserId, Type, RecordType, OfficeWorkload, UserAgent, OfficeObjectId, IPMatch = \\\"ClientIP\\\"\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, IPCustomEntity = SourceIP\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"Collection\"],\"displayName\":\"[Deprecated] - Known Manganese IP and UserAgent activity\",\"description\":\"This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft\u0027s Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2019-10-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/78422ef2-62bf-48ca-9bab-72c69818a425\",\"name\":\"78422ef2-62bf-48ca-9bab-72c69818a425\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P8D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.6\",\"severity\":\"Low\",\"query\":\"let endtime = 1d;\\nlet starttime = 8d;\\nlet threshold = 2.0;\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4624 and LogonType == 10\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), ComputerCountToday = dcount(Computer), ComputerSet = makeset(Computer), ProcessSet = makeset(ProcessName)\\nby Account = tolower(Account), IpAddress, AccountType, Activity, LogonTypeName),\\n(WindowsEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4624\\n| extend LogonType = tostring(EventData.LogonType)\\n| where LogonType == 10\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| extend Account = strcat(tostring(EventData.TargetDomainName),\\\"\\\\\\\\\\\", tostring(EventData.TargetUserName))\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| extend TargetUserSid = tostring(EventData.TargetUserSid)\\n| extend AccountType=case(Account endswith \\\"$\\\" or TargetUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(TargetUserSid), \\\"\\\", \\\"User\\\")\\n| extend Activity=\\\"4624 - An account was successfully logged on.\\\"\\n| extend LogonTypeName=\\\"10 - RemoteInteractive\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), ComputerCountToday = dcount(Computer), ComputerSet = makeset(Computer), ProcessSet = makeset(ProcessName)\\nby Account = tolower(Account), IpAddress, AccountType, Activity, LogonTypeName)\\n)\\n| join kind=inner (\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e= ago(starttime) and TimeGenerated \u003c ago(endtime)\\n| where EventID == 4624 and LogonType == 10\\n| summarize ComputerCountPrev7Days = dcount(Computer) by Account = tolower(Account), IpAddress\\n),\\n( WindowsEvent\\n| where TimeGenerated \u003e= ago(starttime) and TimeGenerated \u003c ago(endtime)\\n| where EventID == 4624 and EventData has (\\\"10\\\")\\n| extend LogonType = toint(EventData.LogonType)\\n| where LogonType == 10\\n| extend Account = strcat(tostring(EventData.TargetDomainName),\\\"\\\\\\\\\\\", tostring(EventData.TargetUserName))\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| summarize ComputerCountPrev7Days = dcount(Computer) by Account = tolower(Account), IpAddress)\\n)\\n) on Account, IpAddress\\n| extend Ratio = iff(isempty(ComputerCountPrev7Days), toreal(ComputerCountToday), ComputerCountToday / (ComputerCountPrev7Days * 1.0))\\n// Where the ratio of today to previous 7 days is more than double.\\n| where Ratio \u003e threshold\\n| project StartTime, EndTime, Account, IpAddress, ComputerSet, ComputerCountToday, ComputerCountPrev7Days, Ratio, AccountType, Activity, LogonTypeName, ProcessSet\\n| extend AccountName = tostring(split(Account, @\\\"\\\\\\\")[1]), AccountNTDomain = tostring(split(Account, @\\\"\\\\\\\")[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]}],\"tactics\":[\"LateralMovement\"],\"displayName\":\"Multiple RDP connections from Single System\",\"description\":\"Identifies when an RDP connection is made to multiple systems and above the normal connection count for the previous 7 days.\\nConnections from the same system with the same account within the same day.\\nRDP connections are indicated by the EventID 4624 with LogonType = 10\",\"lastUpdatedDateUTC\":\"2023-12-29T00:00:00Z\",\"createdDateUTC\":\"2019-10-21T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/83ba3057-9ea3-4759-bf6a-933f2e5bc7ee\",\"name\":\"83ba3057-9ea3-4759-bf6a-933f2e5bc7ee\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":3,\"version\":\"1.1.5\",\"severity\":\"Medium\",\"query\":\"let current = 1d;\\nlet auditLookback = 7d;\\n// Setting threshold to 3 as a default, change as needed.\\n// Any operation that has been initiated by a user or app more than 3 times in the past 7 days will be excluded\\nlet threshold = 3;\\n// Gather initial data from lookback period, excluding current, adjust current to more than a single day if no results\\nlet AuditTrail = AuditLogs | where TimeGenerated \u003e= ago(auditLookback) and TimeGenerated \u003c ago(current)\\n// 2 other operations that can be part of malicious activity in this situation are\\n// \\\"Add OAuth2PermissionGrant\\\" and \\\"Add service principal\\\", extend the filter below to capture these too\\n| where OperationName has \\\"Consent to application\\\"\\n| extend InitiatedBy = iff(isnotempty(tostring(InitiatedBy.user.userPrincipalName)),\\n tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| mv-apply TargetResource = TargetResources on \\n (\\n where TargetResource.type =~ \\\"ServicePrincipal\\\"\\n | extend TargetResourceName = tolower(tostring(TargetResource.displayName))\\n )\\n| summarize max(TimeGenerated), OperationCount = count() by OperationName, InitiatedBy, TargetResourceName\\n// only including operations initiated by a user or app that is above the threshold so we produce only rare and has not occurred in last 7 days\\n| where OperationCount \u003e threshold;\\n// Gather current period of audit data\\nlet RecentConsent = AuditLogs | where TimeGenerated \u003e= ago(current)\\n| where OperationName has \\\"Consent to application\\\"\\n| extend IpAddress = case(\\n isnotempty(tostring(InitiatedBy.user.ipAddress)) and tostring(InitiatedBy.user.ipAddress) != \u0027null\u0027, tostring(InitiatedBy.user.ipAddress),\\n isnotempty(tostring(InitiatedBy.app.ipAddress)) and tostring(InitiatedBy.app.ipAddress) != \u0027null\u0027, tostring(InitiatedBy.app.ipAddress),\\n \u0027Not Available\u0027)\\n| extend InitiatedBy = iff(isnotempty(tostring(InitiatedBy.user.userPrincipalName)),\\n tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| mv-apply TargetResource = TargetResources on \\n (\\n where TargetResource.type =~ \\\"ServicePrincipal\\\"\\n | extend TargetResourceName = tolower(tostring(TargetResource.displayName)),\\n props = TargetResource.modifiedProperties\\n )\\n| parse props with * \\\"ConsentType: \\\" ConsentType \\\"]\\\" *\\n| mv-apply AdditionalDetail = AdditionalDetails on \\n (\\n where AdditionalDetail.key =~ \\\"User-Agent\\\"\\n | extend UserAgent = tostring(AdditionalDetail.value)\\n )\\n| project TimeGenerated, InitiatedBy, IpAddress, TargetResourceName, Category, OperationName, ConsentType, UserAgent, CorrelationId, Type;\\n// Exclude previously seen audit activity for \\\"Consent to application\\\" that was seen in the lookback period\\n// First for rare InitiatedBy\\nlet RareConsentBy = RecentConsent | join kind= leftanti AuditTrail on OperationName, InitiatedBy\\n| extend Reason = \\\"Previously unseen user consenting\\\";\\n// Second for rare TargetResourceName\\nlet RareConsentApp = RecentConsent | join kind= leftanti AuditTrail on OperationName, TargetResourceName\\n| extend Reason = \\\"Previously unseen app granted consent\\\";\\nRareConsentBy | union RareConsentApp\\n| summarize Reason = make_set(Reason,100) by TimeGenerated, InitiatedBy, IpAddress, TargetResourceName, Category, OperationName, ConsentType, UserAgent, CorrelationId, Type\\n| extend timestamp = TimeGenerated, Name = tolower(tostring(split(InitiatedBy,\u0027@\u0027,0)[0])), UPNSuffix = tolower(tostring(split(InitiatedBy,\u0027@\u0027,1)[0]))\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatedBy\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"CloudApplication\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"TargetResourceName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Rare application consent\",\"description\":\"This will alert when the \\\"Consent to application\\\" operation occurs by a user that has not done this operation before or rarely does this.\\nThis could indicate that permissions to access the listed Azure App were provided to a malicious actor.\\nConsent to application, Add service principal and Add OAuth2PermissionGrant should typically be rare events.\\nThis may help detect the Oauth2 attack that can be initiated by this publicly available tool - https://github.com/fireeye/PwnAuth\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2024-01-04T00:00:00Z\",\"createdDateUTC\":\"2019-07-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/06a9b845-6a95-4432-a78b-83919b28c375\",\"name\":\"06a9b845-6a95-4432-a78b-83919b28c375\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":3,\"version\":\"1.0.4\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet scorethreshold = 5;\\nlet percentotalthreshold = 50;\\nlet TimeSeriesData = CommonSecurityLog\\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| project TimeGenerated,SourceIP, DestinationIP, DeviceVendor\\n| make-series Total=count() on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by DeviceVendor;\\n// Filtering specific records associated with spikes as outliers\\nlet TimeSeriesAlerts=materialize(TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(Total, scorethreshold, -1, \u0027linefit\u0027)\\n| mv-expand Total to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double),score to typeof(double), baseline to typeof(long)\\n| where anomalies \u003e 0 | extend score = round(score,2), AnomalyHour = TimeGenerated\\n| project DeviceVendor,AnomalyHour, TimeGenerated, Total, baseline, anomalies, score);\\nlet AnomalyHours = materialize(TimeSeriesAlerts | where TimeGenerated \u003e ago(2d) | project TimeGenerated);\\n// Join anomalies with Base Data to popalate associated records for investigation - Results sorted by score in descending order\\nTimeSeriesAlerts\\n| where TimeGenerated \u003e ago(2d)\\n| join (\\n CommonSecurityLog\\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\\n| where TimeGenerated \u003e ago(2d)\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n| summarize HourlyCount = count(), TimeGeneratedMax = arg_max(TimeGenerated, *), DestinationIPlist = make_set(DestinationIP, 100), DestinationPortlist = make_set(DestinationPort, 100) by DeviceVendor, SourceIP, TimeGeneratedHour= bin(TimeGenerated, 1h)\\n| extend AnomalyHour = TimeGeneratedHour\\n) on AnomalyHour, DeviceVendor\\n| extend PercentTotal = round((HourlyCount / Total) * 100, 3)\\n| where PercentTotal \u003e percentotalthreshold\\n| project DeviceVendor , AnomalyHour, TimeGeneratedMax, SourceIP, DestinationIPlist, DestinationPortlist, HourlyCount, PercentTotal, Total, baseline, score, anomalies\\n| summarize HourlyCount=sum(HourlyCount), StartTimeUtc=min(TimeGeneratedMax), EndTimeUtc=max(TimeGeneratedMax), SourceIPlist = make_set(SourceIP, 100), SourceIPMax= arg_max(SourceIP, *), DestinationIPlist = make_set(DestinationIPlist, 100), DestinationPortlist = make_set(DestinationPortlist, 100) by DeviceVendor , AnomalyHour, Total, baseline, score, anomalies\\n| project DeviceVendor , AnomalyHour, EndTimeUtc, SourceIPMax ,SourceIPlist, DestinationIPlist, DestinationPortlist, HourlyCount, Total, baseline, score, anomalies\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIPMax\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"Time series anomaly detection for total volume of traffic\",\"description\":\"Identifies anamalous spikes in network traffic logs as compared to baseline or normal historical patterns.\\nThe query leverages a KQL built-in anomaly detection algorithm to find large deviations from baseline patterns.\\nSudden increases in network traffic volume may be an indication of data exfiltration attempts and should be investigated.\\nThe higher the score, the further it is from the baseline value.\\nThe output is aggregated to provide summary view of unique source IP to destination IP address and port traffic observed in the flagged anomaly hour.\\nThe source IP addresses which were sending less than percentotalthreshold of the total traffic have been exluded whose value can be adjusted as needed .\\nYou may have to run queries for individual source IP addresses from SourceIPlist to determine if anything looks suspicious\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2019-05-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Barracuda\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3f0c20d5-6228-48ef-92f3-9ff7822c1954\",\"name\":\"3f0c20d5-6228-48ef-92f3-9ff7822c1954\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"AlertPerResult\"},\"version\":\"1.1.5\",\"severity\":\"Medium\",\"query\":\"let threatCategory=\\\"Hacking Tool\\\";\\nlet knownUserAgentsIndicators = materialize(externaldata(UserAgent:string, Category:string)\\n [ @\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/UnusualUserAgents.csv\\\"] \\n with(format=\\\"csv\\\", ignoreFirstRecord=True));\\nlet knownUserAgents=toscalar(knownUserAgentsIndicators | where Category==threatCategory | where isnotempty(UserAgent) | summarize make_list(UserAgent));\\nlet customUserAgents=toscalar(_GetWatchlist(\\\"UnusualUserAgents\\\") | where SearchKey==threatCategory | extend UserAgent=column_ifexists(\\\"UserAgent\\\",\\\"\\\") | where isnotempty(UserAgent) | summarize make_list(UserAgent));\\nlet fullUAList = array_concat(knownUserAgents,customUserAgents);\\n_Im_WebSession(httpuseragent_has_any=fullUAList)\\n| project SrcIpAddr, Url, TimeGenerated, HttpUserAgent, SrcUsername\\n| extend AccountName = tostring(split(SrcUsername, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(SrcUsername, \\\"@\\\")[1])\",\"customDetails\":{\"UserAgent\":\"HttpUserAgent\"},\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SrcUsername\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Host {{SrcIpAddr}} is potentially running a hacking tool\",\"alertDescriptionFormat\":\"The host at address {{SrcIpAddr}} sent an HTTP request to the URL {{Url}} with the HTTP user agent header {{HttpUserAgent}}. This user agent is known to be used by a hacking tool and indicates suspicious activity on the host.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"Execution\",\"Discovery\",\"LateralMovement\",\"Collection\",\"CommandAndControl\",\"Exfiltration\"],\"displayName\":\"A host is potentially running a hacking tool (ASIM Web Session schema)\",\"description\":\"This rule identifies a web request with a user agent header known to belong to a hacking tool. This indicates a hacking tool is used on the host.\u003cbr\u003eYou can add custom hacking tool indicating User-Agent headers using a watchlist, for more information refer to the [UnusualUserAgents Watchlist](https://aka.ms/ASimUnusualUserAgentsWatchlist).\\n This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema)\",\"lastUpdatedDateUTC\":\"2024-07-15T00:00:00Z\",\"createdDateUTC\":\"2021-12-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/53e936c6-6c30-4d12-8343-b8a0456e8429\",\"name\":\"53e936c6-6c30-4d12-8343-b8a0456e8429\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"let SUNSPOT_Hashes = dynamic([\\\"c45c9bda8db1d470f1fd0dcc346dc449839eb5ce9a948c70369230af0b3ef168\\\", \\\"0819db19be479122c1d48743e644070a8dc9a1c852df9a8c0dc2343e904da389\\\"]);\\nunion isfuzzy=true(\\nDeviceEvents\\n| where InitiatingProcessSHA256 in (SUNSPOT_Hashes)),\\n(DeviceImageLoadEvents\\n| where InitiatingProcessSHA256 in (SUNSPOT_Hashes))\\n| extend timestamp=TimeGenerated\\n| extend HostName = tostring(split(DeviceName, \\\".\\\")[0]), DomainIndex = toint(indexof(DeviceName, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(DeviceName, DomainIndex + 1), DeviceName)\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DeviceName\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingProcessAccountUpn\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatingProcessAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatingProcessAccountDomain\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"SUNSPOT malware hashes\",\"description\":\"This query uses Microsoft Defender for Endpoint data to look for IoCs associated with the SUNSPOT malware shared by Crowdstrike.\\nMore details: \\n - https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/ \\n - https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-your-software-build-process-with-azure-sentinel/ba-p/2140807\",\"lastUpdatedDateUTC\":\"2024-04-04T00:00:00Z\",\"createdDateUTC\":\"2022-04-12T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceImageLoadEvents\",\"DeviceEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a7b9df32-1367-402d-b385-882daf6e3020\",\"name\":\"a7b9df32-1367-402d-b385-882daf6e3020\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"High\",\"query\":\"Event\\n| where EventLog =~ \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID==10\\n| parse EventData with * \u0027TargetImage\\\"\u003e\u0027 TargetImage \\\"\u003c\\\" * \u0027GrantedAccess\\\"\u003e\u0027 GrantedAccess \\\"\u003c\\\" * \u0027CallTrace\\\"\u003e\u0027 CallTrace \\\"\u003c\\\" * \\n| where GrantedAccess =~ \\\"0x1FFFFF\\\" and TargetImage =~ \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\lsass.exe\\\" and CallTrace has_any (\\\"dbghelp.dll\\\",\\\"dbgcore.dll\\\")\\n| parse EventData with * \u0027SourceProcessGUID\\\"\u003e\u0027 SourceProcessGUID \\\"\u003c\\\" * \u0027SourceImage\\\"\u003e\u0027 SourceImage \\\"\u003c\\\" *\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, SourceProcessGUID, SourceImage, GrantedAccess, TargetImage, CallTrace\\n| extend HostName = iif(Computer has \u0027.\u0027,substring(Computer,0,indexof(Computer,\u0027.\u0027)),Computer) , DnsDomain = iif(Computer has \u0027.\u0027,substring(Computer,indexof(Computer,\u0027.\u0027)+1),\u0027\u0027)\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"SourceImage\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Dumping LSASS Process Into a File\",\"description\":\"Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS).\\nAfter a user logs on, the system generates and stores a variety of credential materials in LSASS process memory.\\nThese credential materials can be harvested by an administrative user or system and used to conduct lateral movement using alternate authentication materials.\\nAs well as in-memory techniques, the LSASS process memory can be dumped from the target host and analyzed on a local system.\\nRef: https://attack.mitre.org/techniques/T1003/001/\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-03-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e2399891-383c-4caf-ae67-68a008b9f89e\",\"name\":\"e2399891-383c-4caf-ae67-68a008b9f89e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.6\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet IP_TI = materialize (\\n ThreatIntelligenceIndicator\\n | where TimeGenerated \u003e= ago(ioc_lookBack)\\n | extend TI_ipEntity = coalesce(NetworkIP, NetworkDestinationIP, NetworkSourceIP,EmailSourceIpAddress,\\\"NO_IP\\\")\\n | where TI_ipEntity != \\\"NO_IP\\\"\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n | where Active == true and ExpirationDateTime \u003e now()\\n);\\nIP_TI\\n // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique \\n(\\n _Im_NetworkSession (starttime=ago(dt_lookBack))\\n | where isnotempty(SrcIpAddr)\\n | summarize imNWS_mintime=min(TimeGenerated), imNWS_maxtime=max(TimeGenerated) by SrcIpAddr, DstIpAddr, Dvc, EventProduct, EventVendor \\n | lookup (IP_TI | project TI_ipEntity, Active) on $left.SrcIpAddr == $right.TI_ipEntity\\n | project-rename SrcMatch = Active\\n | lookup (IP_TI | project TI_ipEntity, Active) on $left.DstIpAddr == $right.TI_ipEntity\\n | project-rename DstMatch = Active\\n | where SrcMatch or DstMatch\\n | extend \\n IoCIP = iff(SrcMatch, SrcIpAddr, DstIpAddr),\\n IoCDirection = iff(SrcMatch, \\\"Source\\\", \\\"Destination\\\")\\n)on $left.TI_ipEntity == $right.IoCIP\\n| where imNWS_mintime \u003c ExpirationDateTime\\n| project imNWS_mintime, imNWS_maxtime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, SrcIpAddr, DstIpAddr, IoCDirection, IoCIP, Dvc, EventVendor, EventProduct\",\"customDetails\":{\"EventStartTime\":\"imNWS_mintime\",\"EventEndTime\":\"imNWS_maxtime\",\"IoCDescription\":\"Description\",\"ActivityGroupNames\":\"ActivityGroupNames\",\"IndicatorId\":\"IndicatorId\",\"ThreatType\":\"ThreatType\",\"IoCExpirationTime\":\"ExpirationDateTime\",\"IoCConfidenceScore\":\"ConfidenceScore\",\"IoCIPDirection\":\"IoCDirection\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IoCIP\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"A network session {{IoCDirection}} address {{IoCIP}} matched an IoC.\",\"alertDescriptionFormat\":\"The {{IoCDirection}} address {{IoCIP}} of a network session matched a known indicator of compromise of {{ThreatType}}. Consult the threat intelligence blead for more information on the indicator.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"CommandAndControl\"],\"displayName\":\"TI map IP entity to Network Session Events (ASIM Network Session schema)\",\"description\":\"This rule identifies a match Network Sessions for which the source or destination IP address is a known IoC. This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema\",\"lastUpdatedDateUTC\":\"2024-07-09T00:00:00Z\",\"createdDateUTC\":\"2022-03-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"AzureNSG\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]},{\"connectorId\":\"AIVectraStream\",\"dataTypes\":[\"VectraStream\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"CiscoMeraki\",\"dataTypes\":[\"Syslog\",\"CiscoMerakiNativePoller\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cca3b4d9-ac39-4109-8b93-65bb284003e6\",\"name\":\"cca3b4d9-ac39-4109-8b93-65bb284003e6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.7\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @\u0027^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$\u0027;\\nThreatIntelligenceIndicator\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n| where TimeGenerated \u003e= ago(ioc_lookBack)\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true and ExpirationDateTime \u003e now()\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n AzureActivity | where TimeGenerated \u003e= ago(dt_lookBack) and isnotempty(Caller)\\n | extend Caller = tolower(Caller)\\n | where Caller matches regex emailregex\\n | extend AzureActivity_TimeGenerated = TimeGenerated\\n)\\non $left.EmailSenderAddress == $right.Caller\\n| where AzureActivity_TimeGenerated \u003c ExpirationDateTime\\n| summarize AzureActivity_TimeGenerated = arg_max(AzureActivity_TimeGenerated, *) by IndicatorId, Caller\\n| project AzureActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, EmailSenderName, EmailRecipient,\\nEmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, Caller, Level, CallerIpAddress, CategoryValue, OperationNameValue, ActivityStatusValue,\\nResourceGroup, SubscriptionId\\n| extend Name = tostring(split(Caller, \u0027@\u0027, 0)[0]), UPNSuffix = tostring(split(Caller, \u0027@\u0027, 1)[0])\\n| extend timestamp = AzureActivity_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Caller\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"CallerIpAddress\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"TI map Email entity to AzureActivity\",\"description\":\"Identifies a match in AzureActivity table from any Email IOC from TI\",\"lastUpdatedDateUTC\":\"2024-07-10T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/40ba9493-4183-4eee-974f-87fe39c8f267\",\"name\":\"40ba9493-4183-4eee-974f-87fe39c8f267\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Azure Advanced Threat Protection\",\"displayName\":\"Create incidents based on Microsoft Defender for Identity alerts\",\"description\":\"Create incidents based on all alerts generated in Microsoft Defender for Identity\",\"lastUpdatedDateUTC\":\"2019-07-16T00:00:00Z\",\"createdDateUTC\":\"2019-07-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert (AATP)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d9f28fdf-abc8-4f1a-a7e7-1aaec87a2fc5\",\"name\":\"d9f28fdf-abc8-4f1a-a7e7-1aaec87a2fc5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n | where EventID == 4688\\n | where Process =~ \\\"svchost.exe\\\"\\n | where CommandLine has \\\"-k GPSvcGroup\\\" or CommandLine has \\\"-s gpsvc\\\"\\n | extend timekey = bin(TimeGenerated, 1m)\\n | project timekey, NewProcessId, Computer\\n | join kind=inner (SecurityEvent\\n | where EventID == 4688\\n | where Process =~ \\\"sdelete.exe\\\" or CommandLine has \\\"sdelete\\\"\\n | where ParentProcessName endswith \\\"svchost.exe\\\"\\n | where CommandLine has_all (\\\"-s\\\", \\\"-r\\\")\\n | extend newProcess = Process\\n | extend timekey = bin(TimeGenerated, 1m)\\n ) on $left.NewProcessId == $right.ProcessId, timekey, Computer\\n | extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n | extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n | extend AccountName = tostring(split(TargetAccount, @\u0027\\\\\u0027)[1]), AccountNTDomain = tostring(split(TargetAccount, @\u0027\\\\\u0027)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetAccount\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Sdelete deployed via GPO and run recursively\",\"description\":\"This query looks for the Sdelete process being run recursively after being deployed to a host via GPO. Attackers could use this technique to deploy Sdelete to multiple host and delete data on them.\",\"lastUpdatedDateUTC\":\"2024-03-13T00:00:00Z\",\"createdDateUTC\":\"2022-03-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/70fc7201-f28e-4ba7-b9ea-c04b96701f13\",\"name\":\"70fc7201-f28e-4ba7-b9ea-c04b96701f13\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.6\",\"severity\":\"Medium\",\"query\":\"let OperationList = dynamic([\\\"Add member to role\\\",\\\"Add member to role in PIM requested (permanent)\\\"]);\\nlet PrivilegedGroups = dynamic([\\\"UserAccountAdmins\\\",\\\"PrivilegedRoleAdmins\\\",\\\"TenantAdmins\\\"]);\\nAuditLogs\\n//| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"RoleManagement\\\"\\n| where OperationName in~ (OperationList)\\n| mv-apply TargetResource = TargetResources on \\n (\\n where TargetResource.type =~ \\\"User\\\"\\n | extend TargetUserPrincipalName = tostring(TargetResource.userPrincipalName),\\n modProps = TargetResource.modifiedProperties\\n )\\n| mv-apply Property = modProps on \\n (\\n where Property.displayName =~ \\\"Role.WellKnownObjectName\\\"\\n | extend DisplayName = trim(\u0027\\\"\u0027,tostring(Property.displayName)),\\n GroupName = trim(\u0027\\\"\u0027,tostring(Property.newValue))\\n )\\n| extend InitiatingAppId = tostring(InitiatedBy.app.appId)\\n| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n| extend InitiatingAppServicePrincipalName = tostring(InitiatedBy.app.servicePrincipalName)\\n| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n| extend InitiatingIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress)) \\n| extend InitiatingUserRoles = InitiatedBy.user.roles\\n| where GroupName in~ (PrivilegedGroups)\\n// If you don\u0027t want to alert for operations from PIM, remove below filtering for MS-PIM.\\n//| where InitiatingAppName != \\\"MS-PIM\\\"\\n| project TimeGenerated, AADOperationType, Category, OperationName, AADTenantId, InitiatingUserPrincipalName, InitiatingAadUserId, InitiatingAppName, InitiatingAppId, InitiatingAppServicePrincipalId, InitiatingIpAddress, InitiatingUserRoles, DisplayName, GroupName, TargetUserPrincipalName\\n| extend InitiatedByName = tostring(split(InitiatingUserPrincipalName,\u0027@\u0027,0)[0]), InitiatedByUPNSuffix = tostring(split(InitiatingUserPrincipalName,\u0027@\u0027,1)[0])\\n| extend TargetName = tostring(split(TargetUserPrincipalName,\u0027@\u0027,0)[0]), TargetUPNSuffix = tostring(split(TargetUserPrincipalName,\u0027@\u0027,1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatedByName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatedByUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"TargetName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"TargetUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAppServicePrincipalId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIpAddress\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"NRT User added to Microsoft Entra ID Privileged Groups\",\"description\":\"This will alert when a user is added to any of the Privileged Groups.\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\\nFor Administrator role permissions in Microsoft Entra ID please see https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles\",\"lastUpdatedDateUTC\":\"2024-03-04T00:00:00Z\",\"createdDateUTC\":\"2020-07-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7d6d8a8e-b08a-4082-8dbb-d7fd2cbbc35e\",\"name\":\"7d6d8a8e-b08a-4082-8dbb-d7fd2cbbc35e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"High\",\"query\":\"let scriptExtensions = dynamic([\\\".php\\\", \\\".jsp\\\", \\\".js\\\", \\\".aspx\\\", \\\".asmx\\\", \\\".asax\\\", \\\".cfm\\\", \\\".shtml\\\"]);\\nunion isfuzzy=true\\n(SecurityEvent\\n| where EventID == 4663\\n| where Process has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| where ObjectName has_any (scriptExtensions)\\n| where AccessMask in (\u00270x2\u0027,\u00270x100\u0027, \u00270x10\u0027, \u00270x4\u0027)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress\\n),\\n (WindowsEvent\\n| where EventID == 4663 and EventData has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\") and EventData has_any (scriptExtensions) \\n| where EventData has_any (\u00270x2\u0027,\u00270x100\u0027, \u00270x10\u0027, \u00270x4\u0027)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where Process has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| extend ObjectName = tostring(EventData.ObjectName)\\n| where ObjectName has_any (scriptExtensions)\\n| extend AccessMask = tostring(EventData.AccessMask)\\n| where AccessMask in (\u00270x2\u0027,\u00270x100\u0027, \u00270x10\u0027, \u00270x4\u0027)\\n| extend Account = strcat(EventData.SubjectDomainName,\\\"\\\\\\\\\\\", EventData.SubjectUserName)\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress\\n),\\n(imFileEvent\\n| where EventType == \\\"FileCreated\\\"\\n| where ActingProcessName has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n and\\n TargetFileName has_any (scriptExtensions)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUsername, HostCustomEntity = DvcHostname\\n),\\n(DeviceFileEvents\\n| where ActionType =~ \\\"FileCreated\\\"\\n| where InitiatingProcessFileName has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| where FileName has_any(scriptExtensions)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountUpn, HostCustomEntity = DeviceName, IPCustomEntity = RequestSourceIP)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingProcessAccountUpn\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DeviceName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"[Deprecated] - Silk Typhoon UM Service writing suspicious file\",\"description\":\"This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft\u0027s Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2021-03-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/04384937-e927-4595-8f3c-89ff58ed231f\",\"name\":\"04384937-e927-4595-8f3c-89ff58ed231f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.1\",\"severity\":\"Low\",\"query\":\"let IPs = dynamic ([\\\"199.249.230.\\\",\\\"185.220.101.\\\",\\\"23.129.64.\\\",\\\"109.70.100.\\\",\\\"185.220.102.\\\"]);\\nOfficeActivity\\n| where RecordType in (\\\"AzureActiveDirectoryAccountLogon\\\", \\\"AzureActiveDirectoryStsLogon\\\") \\n| where Operation != \u0027UserLoggedIn\u0027\\n| extend UserAgent = iff(parse_json(ExtendedProperties)[0].Name =~ \\\"UserAgent\\\", extractjson(\\\"$[0].Value\\\", ExtendedProperties, typeof(string)),\\\"\\\")\\n| mv-expand parse_json(ExtendedProperties)\\n| where ExtendedProperties.Name =~ \\\"RequestType\\\"\\n| extend RequestType = ExtendedProperties.Value\\n| where ClientIP has_any (IPs)\\n| summarize authAttempts=dcount(TimeGenerated), firstAttempt=min(TimeGenerated), lastAttempt=max(TimeGenerated), uniqueIPs=dcount(ClientIP), uniqueAccounts=dcount(UserId), attemptedAccounts=make_set(UserId) by UserAgent\\n| where authAttempts \u003e 2500\\n| extend timestamp = firstAttempt\\n| sort by uniqueAccounts\",\"entityMappings\":[],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Possible Forest Blizzard attempted credential harvesting - Sept 2020\",\"description\":\"Surfaces potential Forest Blizzard group Office365 credential harvesting attempts within OfficeActivity Logon events.\\nReferences: https://www.microsoft.com/security/blog/2020/09/10/strontium-detecting-new-patters-credential-harvesting/.\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2020-09-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7965f0be-c039-4d18-8ee8-9a6add8aecf3\",\"name\":\"7965f0be-c039-4d18-8ee8-9a6add8aecf3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"High\",\"query\":\"(union isfuzzy=true\\n(SecurityEvent\\n| where EventID == 4688\\n| where CommandLine has_all (\u0027net user\u0027, \u0027/add\u0027) \\n| parse CommandLine with * \\\"user \\\" username \\\" \\\"*\\n| extend password = extract(@\\\"\\\\buser\\\\s+[^\\\\s]+\\\\s+([^\\\\s]+)\\\", 1, CommandLine) \\n| where username in(\u0027DefaultAccount\u0027) or password in(\u0027P@ssw0rd1234\u0027, \u0027_AS_@1394\u0027) \\n| project TimeGenerated, Computer, Account, AccountDomain, ProcessName, ProcessNameFullPath = NewProcessName, EventID, Activity, CommandLine, EventSourceName, Type\\n),\\n(DeviceProcessEvents \\n| where InitiatingProcessCommandLine has_all(\u0027net user\u0027, \u0027/add\u0027) \\n| parse InitiatingProcessCommandLine with * \\\"user \\\" username \\\" \\\"* \\n| extend password = extract(@\\\"\\\\buser\\\\s+[^\\\\s]+\\\\s+([^\\\\s]+)\\\", 1, InitiatingProcessCommandLine) \\n| where username in(\u0027DefaultAccount\u0027) or password in(\u0027P@ssw0rd1234\u0027, \u0027_AS_@1394\u0027) \\n| extend Account = strcat(InitiatingProcessAccountDomain, @\u0027\\\\\u0027, InitiatingProcessAccountName), Computer = DeviceName\\n)\\n)\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| extend AccountName = tostring(split(Account, @\u0027\\\\\u0027)[1]), AccountNTDomain = tostring(split(Account, @\u0027\\\\\u0027)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"DEV-0270 New User Creation\",\"description\":\"The following query tries to detect creation of a new user using a known DEV-0270 username/password schema\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-09-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/042f2801-a375-4cfd-bd29-041fc7ed88a0\",\"name\":\"042f2801-a375-4cfd-bd29-041fc7ed88a0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.6\",\"severity\":\"Medium\",\"query\":\"SigninLogs\\n//Find risky Signin\\n| where RiskState == \\\"atRisk\\\" and ResultType == 0\\n| extend Signin_Time = TimeGenerated\\n| summarize\\n AppDisplayName=make_set(AppDisplayName),\\n ClientAppUsed=make_set(ClientAppUsed),\\n UserAgent=make_set(UserAgent),\\n CorrelationId=make_set(CorrelationId),\\n Signin_Time= min(Signin_Time),\\n RiskEventTypes=make_set(RiskEventTypes)\\n by\\n ConditionalAccessStatus,\\n IPAddress,\\n IsRisky,\\n ResourceDisplayName,\\n RiskDetail,\\n ResultType,\\n RiskLevelAggregated,\\n RiskLevelDuringSignIn,\\n RiskState,\\n UserPrincipalName=tostring(tolower(UserPrincipalName)),\\n SourceSystem\\n| join kind=inner (\\n CommonSecurityLog\\n | where DeviceVendor has_any (\\\"Palo Alto Networks\\\", \\\"Fortinet\\\", \\\"Check Point\\\", \\\"Zscaler\\\")\\n | where DeviceProduct startswith \\\"FortiGate\\\" or DeviceProduct startswith \\\"PAN\\\" or DeviceProduct startswith \\\"VPN\\\" or DeviceProduct startswith \\\"FireWall\\\" or DeviceProduct startswith \\\"NSSWeblog\\\" or DeviceProduct startswith \\\"URL\\\"\\n | where DeviceAction != \\\"Block\\\"\\n | where isnotempty(RequestURL)\\n | where isnotempty(SourceUserName)\\n | extend SourceUserName = tolower(SourceUserName)\\n | summarize\\n min(TimeGenerated),\\n max(TimeGenerated),\\n Activity=make_set(Activity)\\n by DestinationHostName, DestinationIP, RequestURL, SourceUserName=tostring(tolower(SourceUserName)),DeviceVendor,DeviceProduct\\n | extend 3p_observed_Time= min_TimeGenerated,Name = tostring(split(SourceUserName,\\\"@\\\")[0]),UPNSuffix =tostring(split(SourceUserName,\\\"@\\\")[1]))\\n on $left.IPAddress == $right.DestinationIP and $left.UserPrincipalName == $right.SourceUserName\\n| extend Timediff = datetime_diff(\u0027day\u0027, 3p_observed_Time, Signin_Time)\\n| where Timediff \u003c= 1 and Timediff \u003e= 0\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DestinationIP\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"DestinationHostName\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Risky user signin observed in non-Microsoft network device\",\"description\":\"This content is utilized to identify instances of successful login by risky users, who have been observed engaging in potentially suspicious network activity on non-Microsoft network devices.\",\"lastUpdatedDateUTC\":\"2024-06-14T00:00:00Z\",\"createdDateUTC\":\"2023-05-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog (Fortinet)\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog (CheckPoint)\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog (Zscaler)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/594c653d-719a-4c23-b028-36e3413e632e\",\"name\":\"594c653d-719a-4c23-b028-36e3413e632e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"GitHubAudit\\n| where Action == \\\"org.disable_two_factor_requirement\\\"\\n| project TimeGenerated, Action, Actor, Country, IPaddress, Repository\\n| extend Name = iif(Actor contains \\\"@\\\", split(Actor, \\\"@\\\")[0], Actor)\\n| extend UPNSuffix = iif(Actor contains \\\"@\\\", split(Actor, \\\"@\\\")[1], \\\"\\\")\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Actor\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPaddress\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"NRT GitHub Two Factor Auth Disable\",\"description\":\"Two-factor authentication is a process where a user is prompted during the sign-in process for an additional form of identification, such as to enter a code on their cellphone or to provide a fingerprint scan. Two factor authentication reduces the risk of account takeover. Attacker will want to disable such security tools in order to go undetected. \",\"lastUpdatedDateUTC\":\"2024-03-14T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/500415fb-bba7-4227-a08a-9857fb61b6a7\",\"name\":\"500415fb-bba7-4227-a08a-9857fb61b6a7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.4\",\"severity\":\"Medium\",\"query\":\"OfficeActivity\\n| where OfficeWorkload == \\\"Exchange\\\"\\n| where Operation in~ (\\\"New-TransportRule\\\", \\\"Set-TransportRule\\\")\\n| mv-apply DynamicParameters = todynamic(Parameters) on (summarize ParsedParameters = make_bag(pack(tostring(DynamicParameters.Name), DynamicParameters.Value)))\\n| extend RuleName = case(\\n Operation =~ \\\"Set-TransportRule\\\", OfficeObjectId,\\n Operation =~ \\\"New-TransportRule\\\", ParsedParameters.Name,\\n \\\"Unknown\\\")\\n| mv-expand ExpandedParameters = todynamic(Parameters)\\n| where ExpandedParameters.Name in~ (\\\"BlindCopyTo\\\", \\\"RedirectMessageTo\\\") and isnotempty(ExpandedParameters.Value)\\n| extend RedirectTo = ExpandedParameters.Value\\n| extend ClientIPValues = extract_all(@\u0027\\\\[?(::ffff:)?(?P\u003cIPAddress\u003e(\\\\d+\\\\.\\\\d+\\\\.\\\\d+\\\\.\\\\d+)|[^\\\\]]+)\\\\]?([-:](?P\u003cPort\u003e\\\\d+))?\u0027, dynamic([\\\"IPAddress\\\", \\\"Port\\\"]), ClientIP)[0]\\n| extend From = ParsedParameters.From\\n| project TimeGenerated, RedirectTo, IPAddress = tostring(ClientIPValues[0]), Port = tostring(ClientIPValues[1]), UserId, From, Operation, RuleName, Parameters\\n| extend AccountName = tostring(split(UserId, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(UserId, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserId\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]}],\"tactics\":[\"Collection\",\"Exfiltration\"],\"displayName\":\"Mail redirect via ExO transport rule\",\"description\":\"Identifies when Exchange Online transport rule configured to forward emails.\\nThis could be an adversary mailbox configured to collect mail from multiple user accounts.\",\"lastUpdatedDateUTC\":\"2024-04-04T00:00:00Z\",\"createdDateUTC\":\"2020-05-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity (Exchange)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2acc91c3-17c2-4388-938e-4eac2d5894e8\",\"name\":\"2acc91c3-17c2-4388-938e-4eac2d5894e8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"High\",\"query\":\"W3CIISLog\\n| where csMethod == \u0027GET\u0027\\n| where isnotempty(csUriStem) and isnotempty(csUriQuery)\\n| where csUriStem contains \\\"logoimagehandler.ashx\\\"\\n| where csUriQuery contains \\\"codes\\\" and csUriQuery contains \\\"clazz\\\" and csUriQuery contains \\\"method\\\" and csUriQuery contains \\\"args\\\"\\n| extend timestamp = TimeGenerated\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| extend AccountName = tostring(split(csUserName, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(csUserName, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"csUserName\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"cIP\"}]}],\"tactics\":[\"Persistence\",\"CommandAndControl\"],\"displayName\":\"SUPERNOVA webshell\",\"description\":\"Identifies SUPERNOVA webshell based on W3CIISLog data.\\n References:\\n - https://unit42.paloaltonetworks.com/solarstorm-supernova/\",\"lastUpdatedDateUTC\":\"2024-03-13T00:00:00Z\",\"createdDateUTC\":\"2021-01-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7ad4c32b-d0d2-411c-a0e8-b557afa12fce\",\"name\":\"7ad4c32b-d0d2-411c-a0e8-b557afa12fce\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| project TimeGenerated, Computer, AccountName = SubjectUserName, AccountNTDomain = SubjectDomainName, FileName = Process, CommandLine, ParentProcessName, SubjectAccount\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| where CommandLine contains \\\".decode(\u0027base64\u0027)\\\"\\n or CommandLine contains \\\"base64 --decode\\\"\\n or CommandLine contains \\\".decode64(\\\"\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SubjectAccount\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"Execution\",\"DefenseEvasion\"],\"displayName\":\"NRT Process executed from binary hidden in Base64 encoded file\",\"description\":\"Encoding malicious software is a technique used to obfuscate files from detection.\\nThe first CommandLine component is looking for Python decoding base64.\\nThe second CommandLine component is looking for Bash/sh command line base64 decoding.\\nThe third one is looking for Ruby decoding base64.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2019-01-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5efb0cfd-063d-417a-803b-562eae5b0301\",\"name\":\"5efb0cfd-063d-417a-803b-562eae5b0301\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 6h;\\n// Ignore Build/Releases with less/equal this number\\nlet ServiceConnectionThreshold = 3;\\n// New Connections need to exhibit execution of more \\\"new\\\" connections than this number.\\nlet NewConnectionThreshold = 1;\\n// List of Builds/Releases to ignore in your space\\nlet BypassDefIds = datatable(DefId:string, Type:string, ProjectName:string)\\n[\\n//\\\"103\\\", \\\"Release\\\", \\\"ProjectA\\\",\\n//\\\"42\\\", \\\"Release\\\", \\\"ProjectB\\\",\\n//\\\"122\\\", \\\"Build\\\", \\\"ProjectB\\\"\\n];\\nlet HistoricDefs = AzureDevOpsAuditing\\n| where TimeGenerated between (ago(starttime) .. ago(endtime))\\n| where OperationName == \\\"Library.ServiceConnectionExecuted\\\"\\n| extend DefId = tostring(Data.DefinitionId), Type = tostring(Data.PlanType), ConnectionId = tostring(Data.ConnectionId)\\n| summarize HistoricCount = dcount(tostring(ConnectionId)), ConnectionNames = make_set(tostring(Data.ConnectionName))\\n by DefId = tostring(DefId), Type = tostring(Type), ProjectId, ProjectName, ActorUPN;\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e= ago(endtime)\\n| where OperationName == \\\"Library.ServiceConnectionExecuted\\\"\\n| extend DefId = tostring(Data.DefinitionId), Type = tostring(Data.PlanType), ConnectionId = tostring(Data.ConnectionId)\\n| parse ScopeDisplayName with OrganizationName \u0027 (Organization)\u0027\\n| summarize CurrentCount = dcount(tostring(ConnectionId)), ConnectionNames = make_set(tostring(Data.ConnectionName)), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated)\\n by OrganizationName, DefId = tostring(DefId), Type = tostring(Type), ProjectId, ProjectName, ActorUPN\\n| where CurrentCount \u003e ServiceConnectionThreshold\\n| join (HistoricDefs) on ProjectId, DefId, Type, ActorUPN\\n| join kind=anti BypassDefIds on $left.DefId==$right.DefId and $left.Type == $right.Type and $left.ProjectName == $right.ProjectName\\n| extend link = iff(\\nType == \\\"Build\\\", strcat(\u0027https://dev.azure.com/\u0027, OrganizationName, \u0027/\u0027, ProjectName, \u0027/_build?definitionId=\u0027, DefId),\\nstrcat(\u0027https://dev.azure.com/\u0027, OrganizationName, \u0027/\u0027, ProjectName, \u0027/_release?_a=releases\u0026view=mine\u0026definitionId=\u0027, DefId))\\n| where CurrentCount \u003e= HistoricCount + NewConnectionThreshold\\n| project StartTime, OrganizationName, ProjectName, DefId, link, RecentDistinctServiceConnections = CurrentCount, HistoricDistinctServiceConnections = HistoricCount,\\n RecentConnections = ConnectionNames, HistoricConnections = ConnectionNames1, ActorUPN\\n| extend timestamp = StartTime\\n| extend AccountName = tostring(split(ActorUPN, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(ActorUPN, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ActorUPN\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]}],\"tactics\":[\"Persistence\",\"Impact\"],\"displayName\":\"Azure DevOps Service Connection Addition/Abuse - Historic allow list\",\"description\":\"This detection builds an allow list of historic service connection use by Builds and Releases and compares to recent history, flagging growth of service connection use which are not manually included in the allow list and not historically included in the allow list Build/Release runs.\\nThis is to determine if someone is hijacking a build/release and adding many service connections in order to abuse or dump credentials from service connections.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-04T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d6190dde-8fd2-456a-ac5b-0a32400b0464\",\"name\":\"d6190dde-8fd2-456a-ac5b-0a32400b0464\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.3\",\"severity\":\"Medium\",\"query\":\"let ProcessCreationEvents=(union isfuzzy=true\\n(SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, FileName = Process, CommandLine, ParentProcessName\\n),\\n(WindowsEvent\\n| where EventID==4688\\n| where EventData has_any (\\\".decode(\u0027base64\u0027)\\\", \\\"base64 --decode\\\", \\\".decode64(\\\" )\\n| extend CommandLine = tostring(EventData.CommandLine)\\n| where isnotempty(CommandLine)\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend FileName=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, CommandLine, ParentProcessName\\n));\\nProcessCreationEvents \\n| where CommandLine contains \\\".decode(\u0027base64\u0027)\\\"\\n or CommandLine contains \\\"base64 --decode\\\"\\n or CommandLine contains \\\".decode64(\\\" \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), CountToday = count() by Computer, Account, AccountDomain, FileName, CommandLine, ParentProcessName\\n| extend HostName = iif(Computer has \u0027.\u0027,substring(Computer,0,indexof(Computer,\u0027.\u0027)),Computer) , DnsDomain = iif(Computer has \u0027.\u0027,substring(Computer,indexof(Computer,\u0027.\u0027)+1),\u0027\u0027)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"Account\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]}],\"tactics\":[\"Execution\",\"DefenseEvasion\"],\"displayName\":\"Process executed from binary hidden in Base64 encoded file\",\"description\":\"Encoding malicious software is a technique used to obfuscate files from detection. \\nThe first CommandLine component is looking for Python decoding base64. \\nThe second CommandLine component is looking for Bash/sh command line base64 decoding.\\nThe third one is looking for Ruby decoding base64.\",\"lastUpdatedDateUTC\":\"2024-03-13T00:00:00Z\",\"createdDateUTC\":\"2019-01-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2be4ef67-a93f-4d8a-981a-88158cb73abd\",\"name\":\"2be4ef67-a93f-4d8a-981a-88158cb73abd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.6\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet covidIndicators = (externaldata(TimeGenerated:datetime, FileHashValue:string, FileHashType: string, TlpLevel: string, Product: string, ThreatType: string, Description: string )\\n[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.Covid19.Indicators.csv\\\"] with (format=\\\"csv\\\"));\\nlet fileHashIndicators = covidIndicators\\n| where isnotempty(FileHashValue);\\n// Handle matches against both lower case and uppercase versions of the hash:\\n(fileHashIndicators | extend FileHashValue = tolower(FileHashValue)\\n| union (fileHashIndicators | extend FileHashValue = toupper(FileHashValue)))\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n CommonSecurityLog | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(FileHash)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n )\\non $left.FileHashValue == $right.FileHash\\n| summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by FileHashValue\\n| project CommonSecurityLog_TimeGenerated, FileHashValue, FileHashType, Description, ThreatType,\\nSourceIP, SourcePort, DestinationIP, DestinationPort, SourceUserID, SourceUserName, DeviceName, DeviceAction,\\nRequestURL, DestinationUserName, DestinationUserID, ApplicationProtocol, Activity\\n| extend AccountName = tostring(split(SourceUserName, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(SourceUserName, \\\"@\\\")[1])\\n| extend HostName = tostring(split(DeviceName, \\\".\\\")[0]), DomainIndex = toint(indexof(DeviceName, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(DeviceName, DomainIndex + 1), DeviceName)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SourceUserName\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DeviceName\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Value\",\"columnName\":\"FileHashValue\"},{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashType\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"Microsoft COVID-19 file hash indicator matches\",\"description\":\"Identifies a match in CommonSecurityLog Event data from any FileHash published in the Microsoft COVID-19 Threat Intel Feed - as described at https://www.microsoft.com/security/blog/2020/05/14/open-sourcing-covid-threat-intelligence/\",\"lastUpdatedDateUTC\":\"2024-11-07T00:00:00Z\",\"createdDateUTC\":\"2019-08-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CefAma\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/572e75ef-5147-49d9-9d65-13f2ed1e3a86\",\"name\":\"572e75ef-5147-49d9-9d65-13f2ed1e3a86\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let inviting_users = (AuditLogs\\n | where TimeGenerated between(ago(14d)..ago(1d))\\n | where OperationName =~ \\\"Invite external user\\\"\\n | where Result =~ \\\"success\\\"\\n | extend InitiatingUserPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | where isnotempty(InitiatingUserPrincipalName)\\n | summarize by InitiatingUserPrincipalName);\\n AuditLogs\\n | where TimeGenerated \u003e ago(1d)\\n | where OperationName =~ \\\"Invite external user\\\"\\n | where Result =~ \\\"success\\\"\\n | extend InitiatingUserPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n | extend InitiatingIPAddress = tostring(InitiatedBy.user.ipAddress)\\n | where isnotempty(InitiatingUserPrincipalName) and InitiatingUserPrincipalName !in (inviting_users)\\n | extend TargetUserPrincipalName = tostring(TargetResources[0].userPrincipalName)\\n | extend TargetAadUserId = tostring(TargetResources[0].id)\\n | extend invitingUser = InitiatingUserPrincipalName, invitedUserPrincipalName = TargetUserPrincipalName\\n | extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[1])\\n | extend TargetAccountName = tostring(split(TargetUserPrincipalName, \\\"@\\\")[0]), TargetAccountUPNSuffix = tostring(split(TargetUserPrincipalName, \\\"@\\\")[1])\\n | project-reorder TimeGenerated, OperationName, Result, TargetUserPrincipalName, TargetAadUserId, InitiatingUserPrincipalName, InitiatingAadUserId, InitiatingIPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatingAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatingAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"TargetAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"TargetAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"TargetAadUserId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIPAddress\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Guest Users Invited to Tenant by New Inviters\",\"description\":\"Detects when a Guest User is added by a user account that has not been seen adding a guest in the previous 14 days.\\n Monitoring guest accounts and the access they are provided is important to detect potential account abuse.\\n Accounts added should be investigated to ensure the activity was legitimate.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d0255b5f-2a3c-4112-8744-e6757af3283a\",\"name\":\"d0255b5f-2a3c-4112-8744-e6757af3283a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P4D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"AlertPerResult\"},\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"// You can leave out Anomalies that are already monitored through other Analytics Rules\\n//let _MonitoredRules = dynamic([\\\"TestAlertName\\\"]);\\nlet query_frequency = 1h;\\nlet query_lookback = 3d;\\nAnomalies\\n| where TimeGenerated \u003e ago(query_frequency)\\n//| where not(RuleName has_any (_MonitoredRules))\\n| join kind = leftanti (\\n Anomalies\\n | where TimeGenerated between (ago(query_frequency + query_lookback)..ago(query_frequency))\\n | distinct RuleName\\n) on RuleName\\n| extend Name = tostring(split(UserPrincipalName, \\\"@\\\")[0]), UPNSuffix = tostring(split(UserPrincipalName, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Unusual Anomaly - {{RuleName}}\",\"alertDescriptionFormat\":null,\"alertTacticsColumnName\":\"Tactics\",\"alertSeverityColumnName\":null},\"displayName\":\"Unusual Anomaly\",\"description\":\"Anomaly Rules generate events in the Anomalies table. This scheduled rule tries to detect Anomalies that are not usual, they could be a type of Anomaly that has recently been activated, or an infrequent type. The detected Anomaly should be reviewed, if it is relevant enough, eventually a separate scheduled Analytics Rule could be created specifically for that Anomaly Type, so an alert and/or incident is generated everytime that type of Anomaly happens.\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2022-07-27T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/06bbf969-fcbe-43fa-bac2-b2fa131d113a\",\"name\":\"06bbf969-fcbe-43fa-bac2-b2fa131d113a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.5\",\"severity\":\"Medium\",\"query\":\"// ADHealth Monitoring Agent Registry Key\\nlet aadHealthMonAgentRegKey = \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\MicrosoftOnline\\\\\\\\Reporting\\\\\\\\MonitoringAgent\\\";\\n// Filter out known processes\\nlet aadConnectHealthProcs = dynamic ([\\n \u0027Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe\u0027,\\n \u0027Microsoft.Identity.Health.Adfs.InsightsService.exe\u0027,\\n \u0027Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe\u0027,\\n \u0027Microsoft.Identity.Health.Adfs.PshSurrogate.exe\u0027,\\n \u0027Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe\u0027,\\n \u0027Microsoft.Identity.Health.AadSync.MonitoringAgent.Startup.exe\u0027,\\n \u0027Microsoft.Identity.AadConnect.Health.AadSync.Host.exe\u0027,\\n \u0027Microsoft.Azure.ActiveDirectory.Synchronization.Upgrader.exe\u0027,\\n \u0027miiserver.exe\u0027\\n]);\\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where EventID == \u00274656\u0027\\n| where EventData has aadHealthMonAgentRegKey\\n| extend EventData = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Computer, EventID)\\n| extend ObjectName = column_ifexists(\\\"ObjectName\\\", \\\"\\\"),\\n ObjectType = column_ifexists(\\\"ObjectType\\\", \\\"\\\")\\n| where ObjectType == \u0027Key\u0027\\n| where ObjectName == aadHealthMonAgentRegKey\\n| extend SubjectUserName = column_ifexists(\\\"SubjectUserName\\\", \\\"\\\"),\\n SubjectDomainName = column_ifexists(\\\"SubjectDomainName\\\", \\\"\\\"),\\n ProcessName = column_ifexists(\\\"ProcessName\\\", \\\"\\\")\\n| extend Process = split(ProcessName, \u0027\\\\\\\\\u0027, -1)[-1],\\n Account = strcat(SubjectDomainName, \\\"\\\\\\\\\\\", SubjectUserName)\\n| where Process !in (aadConnectHealthProcs)\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by EventID, Account, Computer, Process, SubjectUserName, SubjectDomainName, ObjectName, ObjectType, ProcessName\\n),\\n ( WindowsEvent\\n| where EventID == \u00274656\u0027 and EventData has aadHealthMonAgentRegKey\\n| extend ObjectType = tostring(EventData.ObjectType)\\n| where ObjectType == \u0027Key\u0027\\n| extend ObjectName = tostring(EventData.ObjectName)\\n| where ObjectName == aadHealthMonAgentRegKey\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| extend Process = tostring(split(ProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where Process !in (aadConnectHealthProcs)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName)\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by EventID, Account, Computer, Process, SubjectUserName, SubjectDomainName, ObjectName, ObjectType, ProcessName\\n),\\n(\\nSecurityEvent\\n| where EventID == \u00274663\u0027\\n| where ObjectType == \u0027Key\u0027\\n| where ObjectName == aadHealthMonAgentRegKey\\n| extend Process = tostring(split(ProcessName, \u0027\\\\\\\\\u0027, -1)[-1])\\n| where Process !in (aadConnectHealthProcs)\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by EventID, Account, Computer, Process, SubjectUserName, SubjectDomainName, ObjectName, ObjectType, ProcessName\\n),\\n( WindowsEvent\\n| where EventID == \u00274663\u0027 and EventData has aadHealthMonAgentRegKey\\n| extend ObjectType = tostring(EventData.ObjectType)\\n| where ObjectType == \u0027Key\u0027\\n| extend ObjectName = tostring(EventData.ObjectName)\\n| where ObjectName == aadHealthMonAgentRegKey\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| extend Process = tostring(split(ProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where Process !in (aadConnectHealthProcs)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName)\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by EventID, Account, Computer, Process, SubjectUserName, SubjectDomainName, ObjectName, ObjectType, ProcessName\\n)\\n)\\n// You can filter out potential machine accounts\\n//| where AccountType != \u0027Machine\u0027\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| extend Name = tostring(split(Account, \\\"\\\\\\\\\\\")[1]), NTDomain = tostring(split(Account, \\\"\\\\\\\\\\\")[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"NTDomain\",\"columnName\":\"NTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"Collection\"],\"displayName\":\"Microsoft Entra ID Health Service Agents Registry Keys Access\",\"description\":\"This detection uses Windows security events to detect suspicious access attempts to the registry key values and sub-keys of Microsoft Entra ID Health service agents (e.g AD FS).\\nInformation from AD Health service agents can be used to potentially abuse some of the features provided by those services in the cloud (e.g. Federation).\\nThis detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object: HKLM:\\\\SOFTWARE\\\\Microsoft\\\\ADHealthAgent.\\nMake sure you set the SACL to propagate to its sub-keys. You can find more information in here https://github.com/OTRF/Set-AuditRule/blob/master/rules/registry/aad_connect_health_service_agent.yml\\n\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2021-08-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8ac77493-3cae-4840-8634-15fb23f8fb68\",\"name\":\"8ac77493-3cae-4840-8634-15fb23f8fb68\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"let BEC_Keywords = dynamic([ \u0027invoice\u0027,\u0027payment\u0027,\u0027paycheck\u0027,\u0027transfer\u0027,\u0027bank statement\u0027,\u0027bank details\u0027,\u0027closing\u0027,\u0027funds\u0027,\u0027bank account\u0027,\u0027account details\u0027,\u0027remittance\u0027,\u0027purchase\u0027,\u0027deposit\u0027,\\\"PO#\\\",\\\"Zahlung\\\",\\\"Rechnung\\\",\\\"Paiement\\\", \\\"virement bancaire\\\",\\\"Bankuberweisung\\\",\u0027hacked\u0027,\u0027phishing\u0027]);\\nOfficeActivity\\n| where Operation =~ \\\"New-InboxRule\\\"\\n| where Parameters has \\\"Deleted Items\\\" or Parameters has \\\"Junk Email\\\" or Parameters has \\\"DeleteMessage\\\"\\n| extend Events=todynamic(Parameters)\\n| parse Events with * \\\"SubjectContainsWords\\\" SubjectContainsWords \u0027}\u0027*\\n| parse Events with * \\\"BodyContainsWords\\\" BodyContainsWords \u0027}\u0027*\\n| parse Events with * \\\"SubjectOrBodyContainsWords\\\" SubjectOrBodyContainsWords \u0027}\u0027*\\n| where SubjectContainsWords has_any (BEC_Keywords)\\n or BodyContainsWords has_any (BEC_Keywords)\\n or SubjectOrBodyContainsWords has_any (BEC_Keywords)\\n| extend ClientIPAddress = case( ClientIP has \\\".\\\", tostring(split(ClientIP,\\\":\\\")[0]), ClientIP has \\\"[\\\", tostring(trim_start(@\u0027[[]\u0027,tostring(split(ClientIP,\\\"]\\\")[0]))), ClientIP )\\n| extend Keyword = iff(isnotempty(SubjectContainsWords), SubjectContainsWords, (iff(isnotempty(BodyContainsWords),BodyContainsWords,SubjectOrBodyContainsWords )))\\n| extend RuleDetail = case(OfficeObjectId contains \u0027/\u0027 , tostring(split(OfficeObjectId, \u0027/\u0027)[-1]) , tostring(split(OfficeObjectId, \u0027\\\\\\\\\u0027)[-1]))\\n| summarize count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by Operation, UserId, ClientIPAddress, ResultStatus, Keyword, OriginatingServer, OfficeObjectId, RuleDetail\\n| extend UserName = split(UserId, \u0027@\u0027)[0], DomainName = split(UserId, \u0027@\u0027)[1]\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserId\"},{\"identifier\":\"Name\",\"columnName\":\"UserName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"DomainName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIPAddress\"}]}],\"tactics\":[\"Persistence\",\"DefenseEvasion\"],\"displayName\":\"Malicious BEC Inbox Rule\",\"description\":\"Often times after the initial compromise in a BEC attack the attackers create inbox rules to delete emails that contain certain keywords related to their BEC attack.\\n This is done so as to limit ability to warn compromised users that they\u0027ve been compromised. \",\"lastUpdatedDateUTC\":\"2024-03-14T00:00:00Z\",\"createdDateUTC\":\"2020-03-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3b05727d-a8d1-477d-bbdd-d957da96ac7b\",\"name\":\"3b05727d-a8d1-477d-bbdd-d957da96ac7b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"OfficeActivity\\n| where OfficeWorkload =~ \\\"Exchange\\\"\\n| where Parameters has_any (\\\"ForwardTo\\\", \\\"RedirectTo\\\", \\\"ForwardingSmtpAddress\\\")\\n| mv-apply DynamicParameters = todynamic(Parameters) on (summarize ParsedParameters = make_bag(pack(tostring(DynamicParameters.Name), DynamicParameters.Value)))\\n| evaluate bag_unpack(ParsedParameters, columnsConflict=\u0027replace_source\u0027)\\n| extend DestinationMailAddress = tolower(case(\\n isnotempty(column_ifexists(\\\"ForwardTo\\\", \\\"\\\")), column_ifexists(\\\"ForwardTo\\\", \\\"\\\"),\\n isnotempty(column_ifexists(\\\"RedirectTo\\\", \\\"\\\")), column_ifexists(\\\"RedirectTo\\\", \\\"\\\"),\\n isnotempty(column_ifexists(\\\"ForwardingSmtpAddress\\\", \\\"\\\")), trim_start(@\\\"smtp:\\\", column_ifexists(\\\"ForwardingSmtpAddress\\\", \\\"\\\")),\\n \\\"\\\"))\\n| where isnotempty(DestinationMailAddress)\\n| mv-expand split(DestinationMailAddress, \\\";\\\")\\n| extend ClientIPValues = extract_all(@\u0027\\\\[?(::ffff:)?(?P\u003cIPAddress\u003e(\\\\d+\\\\.\\\\d+\\\\.\\\\d+\\\\.\\\\d+)|[^\\\\]]+)\\\\]?([-:](?P\u003cPort\u003e\\\\d+))?\u0027, dynamic([\\\"IPAddress\\\", \\\"Port\\\"]), ClientIP)[0]\\n| extend ClientIP = tostring(ClientIPValues[0]), Port = tostring(ClientIPValues[1])\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), DistinctUserCount = dcount(UserId), UserId = make_set(UserId, 250), Ports = make_set(Port, 250), EventCount = count() by tostring(DestinationMailAddress), ClientIP\\n| where DistinctUserCount \u003e 1\\n| mv-expand UserId to typeof(string)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]}],\"tactics\":[\"Collection\",\"Exfiltration\"],\"displayName\":\"NRT Multiple users email forwarded to same destination\",\"description\":\"Identifies when multiple (more than one) users mailboxes are configured to forward to the same destination.\\nThis could be an attacker-controlled destination mailbox configured to collect mail from multiple compromised user accounts.\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2019-08-23T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/36a9c9e5-3dc1-4ed9-afaa-1d13617bfc2b\",\"name\":\"36a9c9e5-3dc1-4ed9-afaa-1d13617bfc2b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.9\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\n// let ioc_lookBack = 14d;\\n// ThreatIntelligenceIndicator\\n// // Picking up only IOC\u0027s that contain the entities we want\\n// | where isnotempty(Url)\\n// | where TimeGenerated \u003e= ago(ioc_lookBack)\\n// | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n// | where Active == true and ExpirationDateTime \u003e now()\\n// // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n// | join kind=innerunique (\\n// OfficeActivity\\n// | where TimeGenerated \u003e= ago(dt_lookBack)\\n// //Extract the Url from a number of potential fields\\n// | extend Url = iif(OfficeWorkload == \\\"AzureActiveDirectory\\\",extract(\\\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.\u0026+]|[!*\\\\\\\\(\\\\\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+)\\\", 1,ModifiedProperties),tostring(parse_json(ModifiedProperties)[12].NewValue))\\n// | where isnotempty(Url)\\n// // Ensure we get a clean URL\\n// | extend Url = tostring(split(Url, \u0027;\u0027)[0])\\n// | extend OfficeActivity_TimeGenerated = TimeGenerated\\n// // Project a single user identity that we can use for entity mapping\\n// | extend User = iif(isnotempty(UserId), UserId, iif(isnotempty(Actor), tostring(parse_json(Actor)[0].ID), tostring(parse_json(Parameters)[0].Value)))\\n// ) on Url\\n// | where OfficeActivity_TimeGenerated \u003c ExpirationDateTime\\n// | summarize OfficeActivity_TimeGenerated = arg_max(OfficeActivity_TimeGenerated, *) by IndicatorId, Url\\n// | project OfficeActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Operation,\\n// UserType, OfficeWorkload, Parameters, Url, User\\n// | extend timestamp = OfficeActivity_TimeGenerated, Name = tostring(split(User, \u0027@\u0027, 0)[0]), UPNSuffix = tostring(split(User, \u0027@\u0027, 1)[0])\\ndatatable() []\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"User\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"TI Map URL Entity to OfficeActivity Data [Deprecated]\",\"description\":\"This query is Deprecated as its filter conditions will never yield results. This query identifies any URL indicators of compromise (IOCs) from threat intelligence (TI) by searching for matches in OfficeActivity data.\",\"lastUpdatedDateUTC\":\"2024-09-12T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9fb57e58-3ed8-4b89-afcf-c8e786508b1c\",\"name\":\"9fb57e58-3ed8-4b89-afcf-c8e786508b1c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.4\",\"severity\":\"Low\",\"query\":\"// Add or remove operation names below as per your requirements. For operations lists, please refer to https://learn.microsoft.com/en-us/Azure/role-based-access-control/resource-provider-operations#all\\nlet szOperationNames = dynamic([\\\"Microsoft.Compute/virtualMachines/write\\\", \\\"Microsoft.Resources/deployments/write\\\", \\\"Microsoft.Resources/subscriptions/resourceGroups/write\\\"]);\\nlet starttime = 14d;\\nlet endtime = 1d;\\nlet RareCaller = AzureActivity\\n| where TimeGenerated between (ago(starttime) .. ago(endtime))\\n| where OperationNameValue in~ (szOperationNames)\\n| summarize count() by CallerIpAddress, Caller, OperationNameValue, bin(TimeGenerated,1d)\\n// Returns all the records from the right side that don\u0027t have matches from the left.\\n| join kind=rightantisemi (\\nAzureActivity\\n| where TimeGenerated \u003e ago(endtime)\\n| where OperationNameValue in~ (szOperationNames)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = make_set(TimeGenerated,100), ActivityStatusValue = make_set(ActivityStatusValue,100), CorrelationIds = make_set(CorrelationId,100), ResourceGroups = make_set(ResourceGroup,100), ResourceIds = make_set(_ResourceId,100), ActivityCountByCallerIPAddress = count()\\nby CallerIpAddress, Caller, OperationNameValue) on CallerIpAddress, Caller, OperationNameValue;\\nRareCaller\\n| extend Name = iif(Caller has \u0027@\u0027,tostring(split(Caller,\u0027@\u0027,0)[0]),\\\"\\\")\\n| extend UPNSuffix = iif(Caller has \u0027@\u0027,tostring(split(Caller,\u0027@\u0027,1)[0]),\\\"\\\")\\n| extend AadUserId = iif(Caller !has \u0027@\u0027,Caller,\\\"\\\")\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Caller\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"AadUserId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"CallerIpAddress\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Suspicious Resource deployment\",\"description\":\"Identifies when a rare Resource and ResourceGroup deployment occurs by a previously unseen caller.\",\"lastUpdatedDateUTC\":\"2024-03-04T00:00:00Z\",\"createdDateUTC\":\"2019-02-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c3e5dbaa-a540-408c-8b36-68bdfb3df088\",\"name\":\"c3e5dbaa-a540-408c-8b36-68bdfb3df088\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n | where EventID == 4688\\n | where isnotempty(CommandLine)\\n | where CommandLine contains \\\"TVqQAAMAAAAEAAA\\\"\\n | extend HostName = tostring(split(Computer, \u0027.\u0027, 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Computer, \u0027.\u0027), 1, -1), \u0027.\u0027))\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SubjectAccount\"},{\"identifier\":\"Name\",\"columnName\":\"SubjectUserName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"SubjectDomainName\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]}],\"tactics\":[\"Execution\",\"DefenseEvasion\"],\"displayName\":\"NRT Base64 Encoded Windows Process Command-lines\",\"description\":\"This detection identifies instances of a base64 encoded PE file header seen in the process command line parameter.\",\"lastUpdatedDateUTC\":\"2024-03-13T00:00:00Z\",\"createdDateUTC\":\"2022-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b4ceb583-4c44-4555-8ecf-39f572e827ba\",\"name\":\"b4ceb583-4c44-4555-8ecf-39f572e827ba\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.5\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet scorethreshold = 1.5;\\nlet percentthreshold = 50;\\n// Preparing the time series data aggregated hourly count of MailItemsAccessd Operation in the form of multi-value array to use with time series anomaly function.\\nlet TimeSeriesData =\\nOfficeActivity\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where OfficeWorkload=~ \\\"Exchange\\\" and Operation =~ \\\"MailItemsAccessed\\\" and ResultStatus =~ \\\"Succeeded\\\"\\n| project TimeGenerated, Operation, MailboxOwnerUPN\\n| make-series Total=count() on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe;\\nlet TimeSeriesAlerts = TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(Total, scorethreshold, -1, \u0027linefit\u0027)\\n| mv-expand Total to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to typeof(double), baseline to typeof(long)\\n| where anomalies \u003e 0\\n| project TimeGenerated, Total, baseline, anomalies, score;\\n// Joining the flagged outlier from the previous step with the original dataset to present contextual information\\n// during the anomalyhour to analysts to conduct investigation or informed decisions.\\nTimeSeriesAlerts | where TimeGenerated \u003e ago(2d)\\n// Join against base logs since specified timeframe to retrive records associated with the hour of anomoly\\n| join kind=innerunique (\\n OfficeActivity\\n | where TimeGenerated \u003e ago(2d)\\n | extend DateHour = bin(TimeGenerated, 1h)\\n | where OfficeWorkload=~ \\\"Exchange\\\" and Operation =~ \\\"MailItemsAccessed\\\" and ResultStatus =~ \\\"Succeeded\\\"\\n | summarize HourlyCount=count(), TimeGeneratedMax = arg_max(TimeGenerated, *), IPAdressList = make_set(Client_IPAddress, 1000), SourceIPMax= arg_max(Client_IPAddress, *), ClientInfoStringList= make_set(ClientInfoString, 1000) by MailboxOwnerUPN, Logon_Type, TenantId, UserType, TimeGenerated = bin(TimeGenerated, 1h)\\n | where HourlyCount \u003e 25 // Only considering operations with more than 25 hourly count to reduce False Positivies\\n | order by HourlyCount desc\\n) on TimeGenerated\\n| extend PercentofTotal = round(HourlyCount/Total, 2) * 100\\n| where PercentofTotal \u003e percentthreshold // Filter Users with count of less than 5 percent of TotalEvents per Hour to remove FPs/ users with very low count of MailItemsAccessed events\\n| order by PercentofTotal desc\\n| project-reorder TimeGeneratedMax, Type, OfficeWorkload, Operation, UserId, SourceIPMax, IPAdressList, ClientInfoStringList, HourlyCount, PercentofTotal, Total, baseline, score, anomalies\\n| extend AccountName = tostring(split(UserId, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(UserId, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserId\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"Client_IPAddress\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIPMax\"}]}],\"tactics\":[\"Collection\"],\"displayName\":\"Exchange workflow MailItemsAccessed operation anomaly\",\"description\":\"Identifies anomalous increases in Exchange mail items accessed operations.\\nThe query leverages KQL built-in anomaly detection algorithms to find large deviations from baseline patterns.\\nSudden increases in execution frequency of sensitive actions should be further investigated for malicious activity.\\nManually change scorethreshold from 1.5 to 3 or higher to reduce the noise based on outliers flagged from the query criteria.\\nRead more about MailItemsAccessed- https://docs.microsoft.com/microsoft-365/compliance/advanced-audit?view=o365-worldwide#mailitemsaccessed\",\"lastUpdatedDateUTC\":\"2024-03-13T00:00:00Z\",\"createdDateUTC\":\"2020-12-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity (Exchange)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/69b7723c-2889-469f-8b55-a2d355ed9c87\",\"name\":\"69b7723c-2889-469f-8b55-a2d355ed9c87\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.4.3\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h; // Look back 1 hour for DNS events\\nlet ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators\\n// Fetch threat intelligence indicators related to IP addresses\\nlet IP_Indicators = ThreatIntelligenceIndicator\\n | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n | where TimeGenerated \u003e= ago(ioc_lookBack)\\n | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \\\"fe80\\\" and TI_ipEntity !startswith \\\"::\\\" and TI_ipEntity !startswith \\\"127.\\\"\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n | where Active == true and ExpirationDateTime \u003e now();\\n// Perform a join between IP indicators and DNS events\\nIP_Indicators\\n // Use innerunique to keep performance fast and result set low, as we only need one match to indicate potential malicious activity that needs investigation\\n | join kind=innerunique (\\n DnsEvents\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where SubType =~ \\\"LookupQuery\\\" and isnotempty(IPAddresses)\\n | mv-expand SingleIP = split(IPAddresses, \\\", \\\") to typeof(string)\\n | extend DNS_TimeGenerated = TimeGenerated\\n )\\n on $left.TI_ipEntity == $right.SingleIP\\n // Filter out DNS events that occurred after the expiration of the corresponding indicator\\n | where DNS_TimeGenerated \u003c ExpirationDateTime\\n // Group the results by IndicatorId and SingleIP, and keep the DNS event with the latest timestamp\\n | summarize DNS_TimeGenerated = arg_max(DNS_TimeGenerated, *) by IndicatorId, SingleIP\\n // Select the desired output fields\\n | project DNS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, DomainName, ExpirationDateTime, ConfidenceScore,\\n TI_ipEntity, Computer, EventId, SubType, ClientIP, Name, IPAddresses, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, Type\\n | extend timestamp = DNS_TimeGenerated, HostName = tostring(split(Computer, \u0027.\u0027, 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Computer, \u0027.\u0027), 1, -1), \u0027.\u0027))\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"TI Map IP Entity to DnsEvents\",\"description\":\"This query maps any IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in DnsEvents.\",\"lastUpdatedDateUTC\":\"2024-07-09T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f4a28082-2808-4783-9736-33c1ae117475\",\"name\":\"f4a28082-2808-4783-9736-33c1ae117475\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"// Retrieve Azure AD SigninLogs within the last day\\nSigninLogs \\n// Filter for specific AppDisplayNames, ResultType, and Risk Levels\\n| where AppDisplayName in (\\\"Azure Portal\\\", \\\"ADFS Trust\\\", \\\"Microsoft Azure PowerShell\\\")\\n and RiskLevelAggregated == \\\"high\\\"\\n and RiskLevelDuringSignIn == \\\"high\\\"\\n// Summarize AppDisplayNames by relevant attributes\\n| extend Result = iff(ResultType == 0, \\\"Successful Signin\\\", \\\"Failed Signin\\\")\\n| summarize make_set(AppDisplayName)\\n by\\n IPAddress,\\n signInTime=TimeGenerated,\\n UserPrincipalName,\\n RiskEventTypes,\\n RiskEventTypes_V2\\n// Inner join with AWS CloudTrail events\\n| join kind=inner (\\n AWSCloudTrail\\n | where isempty(ErrorMessage)\\n | where EventSource in (\\\"iam.amazonaws.com\\\", \\\"identitystore.amazonaws.com\\\", \\\"workmail.amazonaws.com\\\", \\\"workdocs.amazonaws.com\\\")\\n // List of AWS event names\\n | where EventName in~ (\\\"CreateRole\\\", \\\"DeleteRole\\\", \\\"CreateUser\\\", \\\"CreateAccessKey\\\", \\\"DeleteAccessKey\\\", \\\"CreateGroup\\\", \\\"AddUserToGroup\\\", \\\"ChangePassword\\\", \\\"DeleteGroup\\\", \\\"DeleteUser\\\", \\\"RemoveUserFromGroup\\\", \\\"CreateVirtualMFADevice\\\", \\\"DeleteLoginProfile\\\", \\\"CreateOrganization\\\", \\\"SetDefaultMailDomain\\\", \\\"SetMailUserDetails\\\", \\\"CreateMailUser\\\", \\\"ResetPassword\\\", \\\"RegisterToWorkMail\\\", \\\"DisableMailUsers\\\", \\\"EnableMailUsers\\\", \\\"DeleteServiceSpecificCredential\\\", \\\"CreateServiceSpecificCredential\\\", \\\"UpdateAccountEmailAddress\\\", \\\"DeleteGroupPolicy\\\", \\\"UploadServerCertificate\\\") \\n // Summarize relevant attributes\\n | summarize make_set(RequestParameters), make_set(ResponseElements)\\n by\\n SourceIpAddress,\\n UserIdentityArn,\\n UserIdentityType,\\n EventName,\\n EventTime=TimeGenerated,\\n EventSource\\n )\\n on $left.IPAddress == $right.SourceIpAddress \\n// Calculate time difference in hours between AWS event and Azure sign-in\\n| extend timedef = datetime_diff(\\\"hour\\\", EventTime, signInTime)\\n// Filter for time differences within a certain range\\n| where timedef between (0 .. 8)\",\"customDetails\":{\"AwsUser\":\"UserIdentityArn\",\"RiskEventTypes\":\"RiskEventTypes\",\"AzureUser\":\"UserPrincipalName\",\"AWSEventName\":\"EventName\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIpAddress\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"High-Risk Cross-Cloud User Impersonation\",\"description\":\"This detection focuses on identifying high-risk cross-cloud activities and sign-in anomalies that may indicate potential security threats. The query starts by analyzing Microsoft Entra ID Signin Logs to pinpoint instances where specific applications, risk levels, and result types align. It then correlates this information with relevant AWS CloudTrail events to identify activities across Azure and AWS environments.\",\"lastUpdatedDateUTC\":\"2023-11-12T00:00:00Z\",\"createdDateUTC\":\"2023-08-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/155f40c6-610d-497d-85fc-3cf06ec13256\",\"name\":\"155f40c6-610d-497d-85fc-3cf06ec13256\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"yahoo-verification.org\\\",\\\"support-servics.com\\\",\\\"verification-live.com\\\",\\\"com-mailbox.com\\\",\\\"com-myaccuants.com\\\",\\\"notification-accountservice.com\\\",\\n\\\"accounts-web-mail.com\\\",\\\"customer-certificate.com\\\",\\\"session-users-activities.com\\\",\\\"user-profile-credentials.com\\\",\\\"verify-linke.com\\\",\\\"support-servics.net\\\",\\\"verify-linkedin.net\\\",\\n\\\"yahoo-verification.net\\\",\\\"yahoo-verify.net\\\",\\\"outlook-verify.net\\\",\\\"com-users.net\\\",\\\"verifiy-account.net\\\",\\\"te1egram.net\\\",\\\"account-verifiy.net\\\",\\\"myaccount-services.net\\\",\\n\\\"com-identifier-servicelog.name\\\",\\\"microsoft-update.bid\\\",\\\"outlook-livecom.bid\\\",\\\"update-microsoft.bid\\\",\\\"documentsfilesharing.cloud\\\",\\\"com-microsoftonline.club\\\",\\n\\\"confirm-session-identifier.info\\\",\\\"session-management.info\\\",\\\"confirmation-service.info\\\",\\\"document-share.info\\\",\\\"broadcast-news.info\\\",\\\"customize-identity.info\\\",\\\"webemail.info\\\",\\n\\\"com-identifier-servicelog.info\\\",\\\"documentsharing.info\\\",\\\"notification-accountservice.info\\\",\\\"identifier-activities.info\\\",\\\"documentofficupdate.info\\\",\\\"recoveryusercustomer.info\\\",\\n\\\"serverbroadcast.info\\\",\\\"account-profile-users.info\\\",\\\"account-service-management.info\\\",\\\"accounts-manager.info\\\",\\\"activity-confirmation-service.info\\\",\\\"com-accountidentifier.info\\\",\\n\\\"com-privacy-help.info\\\",\\\"com-sessionidentifier.info\\\",\\\"com-useraccount.info\\\",\\\"confirmation-users-service.info\\\",\\\"confirm-identity.info\\\",\\\"confirm-session-identification.info\\\",\\n\\\"continue-session-identifier.info\\\",\\\"customer-recovery.info\\\",\\\"customers-activities.info\\\",\\\"elitemaildelivery.info\\\",\\\"email-delivery.info\\\",\\\"identify-user-session.info\\\",\\n\\\"message-serviceprovider.info\\\",\\\"notificationapp.info\\\",\\\"notification-manager.info\\\",\\\"recognized-activity.info\\\",\\\"recover-customers-service.info\\\",\\\"recovery-session-change.info\\\",\\n\\\"service-recovery-session.info\\\",\\\"service-session-continue.info\\\",\\\"session-mail-customers.info\\\",\\\"session-managment.info\\\",\\\"session-verify-user.info\\\",\\\"shop-sellwear.info\\\",\\n\\\"supportmailservice.info\\\",\\\"terms-service-notification.info\\\",\\\"user-activity-issues.info\\\",\\\"useridentity-confirm.info\\\",\\\"users-issue-services.info\\\",\\\"verify-user-session.info\\\",\\n\\\"login-gov.info\\\",\\\"notification-signal-agnecy.info\\\",\\\"notifications-center.info\\\",\\\"identifier-services-sessions.info\\\",\\\"customers-manager.info\\\",\\\"session-manager.info\\\",\\n\\\"customer-managers.info\\\",\\\"confirmation-recovery-options.info\\\",\\\"service-session-confirm.info\\\",\\\"session-recovery-options.info\\\",\\\"services-session-confirmation.info\\\",\\n\\\"notification-managers.info\\\",\\\"activities-services-notification.info\\\",\\\"activities-recovery-options.info\\\",\\\"activity-session-recovery.info\\\",\\\"customers-services.info\\\",\\n\\\"sessions-notification.info\\\",\\\"download-teamspeak.info\\\",\\\"services-issue-notification.info\\\",\\\"microsoft-upgrade.mobi\\\",\\\"broadcastnews.pro\\\",\\\"mobile-messengerplus.network\\\"]);\\nlet IPList = dynamic([\\\"51.91.200.147\\\"]);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 *\\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend RequestURLIP = extract(IPRegex, 0, Message)\\n| where (isnotempty(SourceIP) and SourceIP in (IPList)) or (isnotempty(DestinationIP) and DestinationIP in (IPList))\\nor (isnotempty(DNSName) and DNSName in~ (DomainNames)) or (isnotempty(DestinationHostName) and DestinationHostName in~ (DomainNames)) or (isnotempty(RequestURL) and (RequestURL has_any (DomainNames) or RequestURLIP in (IPList)))\\nor (isnotempty(Message) and MessageIP in (IPList))\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", RequestURLIP in (IPList), \\\"RequestUrl\\\", \\\"NoMatch\\\")\\n| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP,IPMatch == \\\"Message\\\", MessageIP,\\nIPMatch == \\\"RequestUrl\\\", RequestURLIP,\\\"NoMatch\\\"), Account = SourceUserID, Host = DeviceName\\n),\\n(_Im_Dns (domain_has_any=DomainNames)\\n| extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host),\\n(_Im_Dns (response_has_any_prefix=IPList)\\n| extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host),\\n(_Im_WebSession(url_has_any=DomainNames)\\n| extend DestinationIPAddress = DstIpAddr, DNSName = tostring(parse_url(Url)[\\\"Host\\\"]), Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host),\\n(VMConnection\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where isnotempty(SourceIp) or isnotempty(DestinationIp) or isnotempty(DNSName)\\n| where SourceIp in (IPList) or DestinationIp in (IPList) or DNSName in~ (DomainNames)\\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", \\\"None\\\")\\n| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"None\\\"), Host = Computer),\\n(OfficeActivity\\n| extend SourceIPAddress = ClientIP, Account = UserId\\n| where SourceIPAddress in (IPList)\\n| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPCustomEntity = SourceHost \\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| project TimeGenerated,Resource, msg_s, Type\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where Request_Name has_any (DomainNames)\\n| extend DNSName = Request_Name \\n| extend IPCustomEntity = ClientIP\\n),\\n(AZFWApplicationRule\\n| where isnotempty(Fqdn)\\n| where Fqdn has_any (DomainNames) \\n| extend DNSName = Fqdn \\n| extend IPCustomEntity = SourceIp\\n),\\n(AZFWDnsQuery\\n| where isnotempty(QueryName)\\n| where QueryName has_any (DomainNames)\\n| extend DNSName = QueryName\\n| extend IPCustomEntity = SourceIp\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"[Deprecated] - Known Phosphorus group domains/IP\",\"description\":\"This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft\u0027s Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2020-10-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\",\"AZFWApplicationRule\",\"AZFWDnsQuery\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5dd76a87-9f87-4576-bab3-268b0e2b338b\",\"name\":\"5dd76a87-9f87-4576-bab3-268b0e2b338b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.2.4\",\"severity\":\"Medium\",\"query\":\"// Set threshold for the number of downloads/uploads from a new user agent\\nlet threshold = 5;\\n// Define constants for SharePoint file operations\\nlet szSharePointFileOperation = \\\"SharePointFileOperation\\\";\\nlet szOperations = dynamic([\\\"FileDownloaded\\\", \\\"FileUploaded\\\"]);\\n// Define the historical activity for analysis\\nlet starttime = 14d; // Define the start time for historical data (14 days ago)\\nlet endtime = 1d; // Define the end time for historical data (1 day ago)\\n// Extract the base events for analysis\\nlet Baseevents =\\n OfficeActivity\\n | where TimeGenerated between (ago(starttime) .. ago(endtime))\\n | where RecordType =~ szSharePointFileOperation\\n | where Operation in~ (szOperations)\\n | where isnotempty(UserAgent);\\n// Identify frequently occurring user agents\\nlet FrequentUA = Baseevents\\n | summarize FUACount = count() by UserAgent, RecordType, Operation\\n | where FUACount \u003e= threshold\\n | distinct UserAgent;\\n// Calculate a user baseline for further analysis\\nlet UserBaseLine = Baseevents\\n | summarize Count = count() by UserId, Operation, Site_Url\\n | summarize AvgCount = avg(Count) by UserId, Operation, Site_Url;\\n// Extract recent activity for analysis\\nlet RecentActivity = OfficeActivity\\n | where TimeGenerated \u003e ago(endtime)\\n | where RecordType =~ szSharePointFileOperation\\n | where Operation in~ (szOperations)\\n | where isnotempty(UserAgent)\\n | where UserAgent in~ (FrequentUA)\\n | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), OfficeObjectIdCount = dcount(OfficeObjectId), OfficeObjectIdList = make_set(OfficeObjectId), UserAgentSeenCount = count() \\n by RecordType, Operation, UserAgent, UserType, UserId, ClientIP, OfficeWorkload, Site_Url;\\n// Analyze user behavior based on baseline and recent activity\\nlet UserBehaviorAnalysis = UserBaseLine\\n | join kind=inner (RecentActivity) on UserId, Operation, Site_Url\\n | extend Deviation = abs(UserAgentSeenCount - AvgCount) / AvgCount;\\n// Filter and format results for specific user behavior analysis\\nUserBehaviorAnalysis\\n | where Deviation \u003e 25\\n | extend UserIdName = tostring(split(UserId, \u0027@\u0027)[0]), UserIdUPNSuffix = tostring(split(UserId, \u0027@\u0027)[1])\\n | project-reorder StartTime, EndTime, UserAgent, UserAgentSeenCount, UserId, ClientIP, Site_Url\\n | project-away Site_Url1, UserId1, Operation1\\n | order by UserAgentSeenCount desc, UserAgent asc, UserId asc, Site_Url asc\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserId\"},{\"identifier\":\"Name\",\"columnName\":\"UserIdName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UserIdUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Site_Url\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"SharePointFileOperation via devices with previously unseen user agents\",\"description\":\"Identifies anomalies if the number of documents uploaded or downloaded from device(s) associated with a previously unseen user agent exceeds a threshold (default is 5) and deviation (default is 25).\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-23T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0101e08d-99cd-4a97-a9e0-27649c4369ad\",\"name\":\"0101e08d-99cd-4a97-a9e0-27649c4369ad\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P2D\",\"queryPeriod\":\"P2D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"// In User \u0026 Groups and in Applications, the following \\\"AccessType\\\" values in columns PremodifiedOutboundSettings and ModifiedOutboundSettings are interpreted accordingly\\n// When Access Type in premodified outbound settings value was 1 that means that the initial access was allowed. When Access Type in premodified outbound settings value was 2 that means that the initial access was blocked.\\n// When Access Type in modified outbound settings value is 1 that means that now access is allowed. When Access Type in modified outbound settings value is 2 that means that now access is blocked.\\nAuditLogs\\n| where OperationName has \\\"Update a partner cross-tenant access setting\\\"\\n| mv-apply TargetResource = TargetResources on\\n (\\n where TargetResource.type =~ \\\"Policy\\\"\\n | extend Properties = TargetResource.modifiedProperties\\n )\\n| mv-apply Property = Properties on\\n (\\n where Property.displayName =~ \\\"b2bDirectConnectOutbound\\\"\\n | extend PremodifiedOutboundSettings = trim(\u0027\\\"\u0027,tostring(Property.oldValue)),\\n ModifiedOutboundSettings = trim(@\u0027\\\"\u0027,tostring(Property.newValue))\\n )\\n| where PremodifiedOutboundSettings != ModifiedOutboundSettings\\n| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n| extend InitiatingIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\\n| extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"InitiatingAppName\"},{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAppServicePrincipalId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatingAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatingAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIpAddress\"}]}],\"tactics\":[\"InitialAccess\",\"Persistence\",\"Discovery\"],\"displayName\":\"Cross-tenant Access Settings Organization Outbound Direct Settings Changed\",\"description\":\"Organizations are added in the Cross-tenant Access Settings to control communication inbound or outbound for users and applications. This detection notifies when Organization Outbound Direct Settings are changed for \\\"Users \u0026 Groups\\\" and for \\\"Applications\\\".\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-10-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8955c0fb-3408-47b0-a3b9-a1faec41e427\",\"name\":\"8955c0fb-3408-47b0-a3b9-a1faec41e427\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"let scriptExtensions = dynamic([\\\".php\\\", \\\".jsp\\\", \\\".js\\\", \\\".aspx\\\", \\\".asmx\\\", \\\".asax\\\", \\\".cfm\\\", \\\".shtml\\\"]);\\nhttp_proxy_oab_CL\\n| where RawData contains \\\"Download failed and temporary file\\\"\\n| extend File = extract(\\\"([^\\\\\\\\\\\\\\\\]*)(\\\\\\\\\\\\\\\\[^\u0027]*)\\\",2,RawData)\\n| extend Extension = strcat(\\\".\\\",split(File, \\\".\\\")[-1])\\n| extend InteractiveFile = iif(Extension in (scriptExtensions), \\\"Yes\\\", \\\"No\\\")\\n// Uncomment the following line to alert only on interactive file download type\\n//| where InteractiveFile =~ \\\"Yes\\\"\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Exchange Server Suspicious File Downloads.\",\"description\":\"This query looks for messages related to file downloads of suspicious file types on an Exchange Server. This could indicate attempted deployment of webshells. \\nThis query uses the Exchange HttpProxy AOBGeneratorLog, you will need to onboard this log as a custom log under the table http_proxy_oab_CL before using this query. \\nThis log is commonly found at C:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\V15\\\\Logging\\\\OABGeneratorLog on the Exchange server. Details on collecting custom logs into Sentinel\\ncan be found here: https://learn.microsoft.com/azure/sentinel/connect-custom-logs\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-02T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/85aca4d1-5d15-4001-abd9-acb86ca1786a\",\"name\":\"85aca4d1-5d15-4001-abd9-acb86ca1786a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.4.3\",\"severity\":\"Medium\",\"query\":\"// Define the lookback periods for time-based filters\\nlet dt_lookBack = 1h; // Look back 1 hour for DNS events\\nlet ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators\\n// Fetch threat intelligence indicators related to domains\\nlet Domain_Indicators = ThreatIntelligenceIndicator\\n // Filter out indicators without domain names\\n | where isnotempty(DomainName)\\n | where TimeGenerated \u003e= ago(ioc_lookBack)\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n | where Active == true and ExpirationDateTime \u003e now()\\n | extend TI_DomainEntity = DomainName;\\n// Create a list of TLDs in our threat feed for later validation\\nlet maxListSize = 100000; // Define the maximum allowed size for each list\\nlet list_tlds = Domain_Indicators\\n | extend parts = split(DomainName, \u0027.\u0027)\\n | extend tld = parts[(array_length(parts)-1)]\\n | summarize count() by tostring(tld)\\n | project tld\\n | summarize make_list(tld, maxListSize);\\n// Perform a join between domain indicators and DNS events to identify potential malicious activity\\nDomain_Indicators\\n // Use innerunique to keep performance fast and result set low, as we only need one match to indicate potential malicious activity that needs investigation\\n | join kind=innerunique (\\n DnsEvents\\n | where TimeGenerated \u003e ago(dt_lookBack)\\n // Extract domain patterns from syslog message\\n | where isnotempty(Name)\\n | extend parts = split(Name, \u0027.\u0027)\\n | extend tld = parts[(array_length(parts)-1)]\\n // Validate parsed domain by checking if the TLD is in the list of TLDs in our threat feed\\n | where tld in~ (list_tlds)\\n | extend DNS_TimeGenerated = TimeGenerated\\n ) on $left.TI_DomainEntity==$right.Name\\n // Filter out DNS events that occurred after the expiration of the corresponding indicator\\n | where DNS_TimeGenerated \u003c ExpirationDateTime\\n // Group the results by IndicatorId and Name, and keep the DNS event with the latest timestamp\\n | summarize DNS_TimeGenerated = arg_max(DNS_TimeGenerated, *) by IndicatorId, Name\\n // Select the desired output fields\\n | project DNS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, Computer, ClientIP, Name, QueryType, Type, TI_DomainEntity\\n // Extract hostname and DNS domain from the Computer field\\n | extend HostName = tostring(split(Computer, \u0027.\u0027, 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Computer, \u0027.\u0027), 1, -1), \u0027.\u0027))\\n // Rename the timestamp field\\n | extend timestamp = DNS_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"TI map Domain entity to DnsEvents\",\"description\":\"Identifies a match in DnsEvents from any Domain IOC from TI\",\"lastUpdatedDateUTC\":\"2024-07-09T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a1080fc1-13d1-479b-8340-255f0290d96c\",\"name\":\"a1080fc1-13d1-479b-8340-255f0290d96c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n | where Category =~ \\\"ApplicationManagement\\\"\\n | where Result =~ \\\"success\\\"\\n | where OperationName =~ \u0027Update Application\u0027\\n | where TargetResources has \\\"AppAddress\\\"\\n | mv-expand TargetResources\\n | mv-expand TargetResources.modifiedProperties\\n | where TargetResources_modifiedProperties.displayName =~ \\\"AppAddress\\\"\\n | extend Key = tostring(TargetResources_modifiedProperties.displayName)\\n | extend NewValue = TargetResources_modifiedProperties.newValue\\n | extend OldValue = TargetResources_modifiedProperties.oldValue\\n | where isnotempty(Key) and isnotempty(NewValue)\\n | project-reorder Key, NewValue, OldValue\\n | extend NewUrls = extract_all(\u0027\\\"Address\\\":([^,]*)\u0027, tostring(NewValue))\\n | extend OldUrls = extract_all(\u0027\\\"Address\\\":([^,]*)\u0027, tostring(OldValue))\\n | extend AddedUrls = set_difference(NewUrls, OldUrls)\\n | where array_length(AddedUrls) \u003e 0\\n | extend UserAgent = iif(tostring(AdditionalDetails[0].key) == \\\"User-Agent\\\", tostring(AdditionalDetails[0].value), \\\"\\\")\\n | extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n | extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n | extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n | extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n | extend InitiatingIPAddress = tostring(InitiatedBy.user.ipAddress)\\n | extend AddedBy = iif(isnotempty(InitiatingUserPrincipalName), InitiatingUserPrincipalName, InitiatingAppName)\\n | extend TargetAppName = tostring(TargetResources.displayName)\\n | extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[1])\\n | project-reorder TimeGenerated, TargetAppName, InitiatingAppName, InitiatingAppServicePrincipalId, InitiatingUserPrincipalName, InitiatingAadUserId, InitiatingIPAddress, AddedUrls, AddedBy, UserAgent\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"AddedUrls\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatingAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatingAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAppServicePrincipalId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIPAddress\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Application Redirect URL Update\",\"description\":\"Detects the redirect URL of an app being changed.\\n Applications associated with URLs not controlled by the organization can pose a security risk.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-applications#application-configuration-changes\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a7427ed7-04b4-4e3b-b323-08b981b9b4bf\",\"name\":\"a7427ed7-04b4-4e3b-b323-08b981b9b4bf\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.4.6\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where isnotempty(FileHashValue)\\n| where TimeGenerated \u003e= ago(ioc_lookBack)\\n| extend FileHashValue = toupper(FileHashValue)\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true and ExpirationDateTime \u003e now()\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique ( union isfuzzy=true\\n (SecurityEvent | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where EventID in (\\\"8003\\\",\\\"8002\\\",\\\"8005\\\")\\n | where isnotempty(FileHash)\\n | extend SecurityEvent_TimeGenerated = TimeGenerated, Event = EventID, FileHash = toupper(FileHash)\\n ),\\n (WindowsEvent | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where EventID in (\\\"8003\\\",\\\"8002\\\",\\\"8005\\\")\\n | where isnotempty(EventData.FileHash)\\n | extend SecurityEvent_TimeGenerated = TimeGenerated, Event = EventID, FileHash = toupper(EventData.FileHash)\\n )\\n)\\non $left.FileHashValue == $right.FileHash\\n| where SecurityEvent_TimeGenerated \u003c ExpirationDateTime\\n| summarize SecurityEvent_TimeGenerated = arg_max(SecurityEvent_TimeGenerated, *) by IndicatorId, FileHash\\n| project SecurityEvent_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nProcess, FileHash, Computer, Account, Event, FileHashValue, FileHashType\\n| extend NTDomain = tostring(split(Account, \u0027\\\\\\\\\u0027, 0)[0]), Name = tostring(split(Account, \u0027\\\\\\\\\u0027, 1)[0])\\n| extend HostName = tostring(split(Computer, \u0027.\u0027, 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Computer, \u0027.\u0027), 1, -1), \u0027.\u0027)) \\n| extend timestamp = SecurityEvent_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"NTDomain\",\"columnName\":\"NTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Value\",\"columnName\":\"FileHashValue\"},{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashType\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"TI map File Hash to Security Event\",\"description\":\"Identifies a match in Security Event data from any File Hash IOC from TI\",\"lastUpdatedDateUTC\":\"2024-07-09T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a4ce20ae-a2e4-4d50-b40d-d49f1353b6cc\",\"name\":\"a4ce20ae-a2e4-4d50-b40d-d49f1353b6cc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"// Extracts plaintext IPv4 addresses\\nlet ipv4_plaintext_extraction_regex = @\\\"((?:(?:[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])(?:\\\\.)){3}(?:[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]){1,3})\\\";\\n// Identified base64 encoded IPv4 addresses\\nlet ipv4_encoded_identification_regex = @\\\"\\\\=([a-zA-Z0-9\\\\/\\\\+]*(?:(?:MC|Au|wL|MS|Eu|xL|Mi|Iu|yL|My|Mu|zL|NC|Qu|0L|NS|Uu|1L|Ni|Yu|2L|Ny|cu|3L|OC|gu|4L|OS|ku|5L){1}[a-zA-Z0-9\\\\/\\\\+]{2,4}){3}[a-zA-Z0-9\\\\/\\\\+\\\\=]*)\\\";\\n// Extractes IPv4 addresses as hex values\\nlet ipv4_decoded_hex_extract = @\\\"((?:(?:61|62|63|64|65|66|67|68|69|6a|6b|6c|6d|6e|6f|70|71|72|73|74|75|76|77|78|79|7a|41|42|43|44|45|46|47|48|49|4a|4b|4c|4d|4e|4f|50|51|52|53|54|55|56|57|58|59|5a|2f|2b|3d),){7,15})\\\";\\nCommonSecurityLog\\n| where isnotempty(RequestURL)\\n// Identify requests with encoded IPv4 addresses\\n| where RequestURL matches regex ipv4_encoded_identification_regex\\n| project TimeGenerated, RequestURL\\n// Extract IP candidates in their base64 encoded format, significantly reducing the dataset\\n| extend extracted_encoded_ip_candidate = extract_all(ipv4_encoded_identification_regex, RequestURL)\\n// We could have more than one candidate, expand them out\\n| mv-expand extracted_encoded_ip_candidate to typeof(string)\\n| summarize Start=min(TimeGenerated), End=max(TimeGenerated), make_set(RequestURL) by extracted_encoded_ip_candidate\\n// Pad if we need to\\n| extend extracted_encoded_ip_candidate = iff(strlen(extracted_encoded_ip_candidate) % 2 == 0, extracted_encoded_ip_candidate, strcat(extracted_encoded_ip_candidate, \\\"=\\\"))\\n// Now decode the candidate to a long array, we cannot go straight to string as it cannot handle non-UTF8, we need to strip that first\\n| extend extracted_encoded_ip_candidate = tostring(base64_decode_toarray(extracted_encoded_ip_candidate))\\n// Extract the IP candidates from the array\\n| extend hex_extracted = extract_all(ipv4_decoded_hex_extract, extracted_encoded_ip_candidate)\\n// Expand, it\u0027s still possible that we might have more than 1 IP\\n| mv-expand hex_extracted\\n// Now we should have a clean string. We need to put it back into a dynamic array to convert back to a string.\\n| extend hex_extracted = trim_end(\\\",\\\", tostring(hex_extracted))\\n| extend hex_extracted = strcat(\\\"[\\\",hex_extracted,\\\"]\\\")\\n| extend hex_extracted = todynamic(hex_extracted)\\n| extend extracted_encoded_ip_candidate = todynamic(extracted_encoded_ip_candidate)\\n// Convert the array back into a string\\n| extend decoded_ip_candidate = make_string(hex_extracted)\\n| summarize by decoded_ip_candidate, tostring(set_RequestURL), Start, End\\n// Now the IP candidates will be in plaintext, extract the IPs using a regex\\n| extend ipmatch = extract_all(ipv4_plaintext_extraction_regex, decoded_ip_candidate)\\n// If it\u0027s not an IP, throw it out\\n| where isnotnull(ipmatch)\\n| mv-expand ipmatch to typeof(string)\\n// Join with DeviceNetworkEvents to find instances where an IP of a machine in our MDE estate sent it\u0027s IP in a base64 encoded string\\n| join (\\n DeviceNetworkEvents\\n | summarize make_set(DeviceId), make_set(DeviceName) by RemoteIP\\n) on $left.ipmatch == $right.RemoteIP\\n| project Start, End, IPmatch=ipmatch, RequestURL=set_RequestURL, DeviceNames=set_DeviceName, DeviceIds=set_DeviceId, RemoteIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPmatch\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"DeviceNames\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"RequestURL\"}]}],\"tactics\":[\"Exfiltration\",\"CommandAndControl\"],\"displayName\":\"IP address of Windows host encoded in web request\",\"description\":\"This detection will identify network requests in HTTP proxy data that contains Base64 encoded IP addresses. After identifying candidates the query joins with DeviceNetworkEvents to idnetify any machine within the network using that IP address. Alerts indicate that the IP address of a machine within your network was seen with it\u0027s IP address base64 encoded in an outbound web request. This method of egressing the IP was seen used in POLONIUM\u0027s RunningRAT tool, however the detection is generic.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-05-31T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1bf6e165-5e32-420e-ab4f-0da8558a8be2\",\"name\":\"1bf6e165-5e32-420e-ab4f-0da8558a8be2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"// How far back to look for events from\\nlet timeframe = 1d;\\n// How close together build events and file modifications should occur to alert (make this smaller to reduce FPs)\\nlet time_window = 5m;\\n// Edit this to include build processes used\\nlet build_processes = dynamic([\\\"MSBuild.exe\\\", \\\"dotnet.exe\\\", \\\"VBCSCompiler.exe\\\"]);\\n// Include any processes that you want to allow to edit files during/around the build process\\nlet allow_list = dynamic([]);\\nDeviceProcessEvents\\n| where TimeGenerated \u003e ago(timeframe)\\n// Look for build process starts\\n| where FileName has_any (build_processes)\\n| summarize by BuildParentProcess=InitiatingProcessFileName, BuildProcess=FileName, BuildAccount = AccountName, DeviceName, BuildCommand=ProcessCommandLine, \\ntimekey= bin(TimeGenerated, time_window), BuildProcessTime=TimeGenerated\\n| join kind=inner(\\nDeviceFileEvents\\n| where TimeGenerated \u003e ago(timeframe)\\n| where InitiatingProcessFileName !in (allow_list)\\n| where ActionType == \\\"FileCreated\\\" or ActionType == \\\"FileModified\\\"\\n// Look for code files, edit this to include file extensions used in build.\\n| where FileName endswith \\\".cs\\\" or FileName endswith \\\".cpp\\\"\\n| summarize by FileEditParentProcess=InitiatingProcessParentFileName, FileEditAccount = InitiatingProcessAccountName, FileEditDomain = InitiatingProcessAccountDomain, FileEditUpn = InitiatingProcessAccountUpn, \\nDeviceName, FileEdited=FileName, FileEditProcess=InitiatingProcessFileName, timekey= bin(TimeGenerated, time_window), FileEditTime=TimeGenerated)\\n// join where build processes and file modifications seen at same time on same host\\non timekey, DeviceName\\n// Limit to only where the file edit happens after the build process starts\\n| where BuildProcessTime \u003c= FileEditTime\\n| summarize make_set(FileEdited), make_set(FileEditProcess) by timekey, DeviceName, BuildParentProcess, BuildProcess, FileEditAccount, FileEditDomain, FileEditUpn\\n| extend HostName = tostring(split(DeviceName, \\\".\\\")[0]), DomainIndex = toint(indexof(DeviceName, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(DeviceName, DomainIndex + 1), DeviceName)\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"FileEditUpn\"},{\"identifier\":\"Name\",\"columnName\":\"FileEditAccount\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"FileEditDomain\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Potential Build Process Compromise - MDE\",\"description\":\"The query looks for source code files being modified immediately after a build process is started. The purpose of this is to look for malicious code injection during the build process. This query uses Microsoft Defender for Endpoint telemetry.\\nMore details: https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-the-software-supply-chain-with-azure-sentinel/ba-p/2176463\",\"lastUpdatedDateUTC\":\"2024-04-04T00:00:00Z\",\"createdDateUTC\":\"2022-04-12T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\",\"DeviceFileEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2560515c-07d1-434e-87fb-ebe3af267760\",\"name\":\"2560515c-07d1-434e-87fb-ebe3af267760\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where ActivityDisplayName has_any (\\\"Add delegated permission grant\\\",\\\"Add app role assignment to service principal\\\") \\n| where Result =~ \\\"success\\\"\\n| where tostring(InitiatedBy.user.userPrincipalName) has \\\"@\\\" or tostring(InitiatedBy.app.displayName) has \\\"@\\\"\\n| mv-apply TargetResource = TargetResources on \\n (\\n where TargetResource.type =~ \\\"ServicePrincipal\\\" and array_length(TargetResource.modifiedProperties) \u003e 0 and isnotnull(TargetResource.displayName)\\n | extend props = TargetResource.modifiedProperties,\\n Type = tostring(TargetResource.type),\\n PermissionsAddedTo = tostring(TargetResource.displayName)\\n )\\n| mv-apply Property = props on \\n (\\n where Property.displayName =~ \\\"DelegatedPermissionGrant.Scope\\\"\\n | extend DisplayName = tostring(Property.displayName), Permissions = trim(\u0027\\\"\u0027,tostring(Property.newValue))\\n )\\n| where Permissions has_any (\\\"Mail.Read\\\", \\\"Mail.ReadWrite\\\")\\n| mv-apply AdditionalDetail = AdditionalDetails on \\n (\\n where AdditionalDetail.key =~ \\\"User-Agent\\\"\\n | extend InitiatingUserAgent = tostring(AdditionalDetail.value)\\n )\\n| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n| extend InitiatingIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\\n| project-away props, TargetResource, AdditionalDetail, Property\\n| join kind=leftouter(\\n AuditLogs\\n | where ActivityDisplayName has \\\"Consent to application\\\"\\n | mv-apply TargetResource = TargetResources on \\n (\\n where TargetResource.type =~ \\\"ServicePrincipal\\\"\\n | extend AppName = tostring(TargetResource.displayName),\\n AppId = tostring(TargetResource.id)\\n )\\n| project AppName, AppId, CorrelationId) on CorrelationId\\n| project-away CorrelationId1\\n| project-reorder TimeGenerated, OperationName, InitiatingUserPrincipalName, InitiatingAadUserId, InitiatingAppName, InitiatingAppServicePrincipalId, InitiatingIpAddress, InitiatingUserAgent, PermissionsAddedTo, Permissions, AppName, AppId, CorrelationId\\n| extend Name = tostring(split(InitiatingUserPrincipalName,\u0027@\u0027,0)[0]), UPNSuffix = tostring(split(InitiatingUserPrincipalName,\u0027@\u0027,1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAppServicePrincipalId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIpAddress\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Mail.Read Permissions Granted to Application\",\"description\":\"This query look for applications that have been granted (Delegated or App/Role) permissions to Read Mail (Permissions field has Mail.Read) and subsequently has been consented to. This can help identify applications that have been abused to gain access to mailboxes.\",\"lastUpdatedDateUTC\":\"2024-01-06T00:00:00Z\",\"createdDateUTC\":\"2020-12-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4d94d4a9-dc96-410a-8dea-4d4d4584188b\",\"name\":\"4d94d4a9-dc96-410a-8dea-4d4d4584188b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.6\",\"severity\":\"Medium\",\"query\":\"let OperationList = dynamic([\\\"Add member to role\\\",\\\"Add member to role in PIM requested (permanent)\\\"]);\\nlet PrivilegedGroups = dynamic([\\\"UserAccountAdmins\\\",\\\"PrivilegedRoleAdmins\\\",\\\"TenantAdmins\\\"]);\\nAuditLogs\\n//| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"RoleManagement\\\"\\n| where OperationName in~ (OperationList)\\n| mv-apply TargetResource = TargetResources on \\n (\\n where TargetResource.type =~ \\\"User\\\"\\n | extend TargetUserPrincipalName = tostring(TargetResource.userPrincipalName),\\n modProps = TargetResource.modifiedProperties\\n )\\n| mv-apply Property = modProps on \\n (\\n where Property.displayName =~ \\\"Role.WellKnownObjectName\\\"\\n | extend DisplayName = trim(\u0027\\\"\u0027,tostring(Property.displayName)),\\n GroupName = trim(\u0027\\\"\u0027,tostring(Property.newValue))\\n )\\n| extend InitiatingAppId = InitiatedBy.app.appId\\n| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n| extend InitiatingAppServicePrincipalName = tostring(InitiatedBy.app.servicePrincipalName)\\n| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n| extend InitiatingIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\\n| extend InitiatingUserRoles = InitiatedBy.user.roles\\n| where GroupName in~ (PrivilegedGroups)\\n// If you don\u0027t want to alert for operations from PIM, remove below filtering for MS-PIM.\\n//| where InitiatingAppName != \\\"MS-PIM\\\"\\n| project TimeGenerated, AADOperationType, Category, OperationName, AADTenantId, InitiatingUserPrincipalName, InitiatingAadUserId, InitiatingAppId, InitiatingAppName, InitiatingAppServicePrincipalName, InitiatingAppServicePrincipalId, InitiatingIpAddress, DisplayName, GroupName, InitiatingUserRoles, TargetUserPrincipalName\\n| extend AccountName = tostring(split(InitiatingUserPrincipalName,\u0027@\u0027,0)[0]), AccountUPNSuffix = tostring(split(InitiatingUserPrincipalName,\u0027@\u0027,1)[0])\\n| extend TargetName = tostring(split(TargetUserPrincipalName,\u0027@\u0027,0)[0]), TargetUPNSuffix = tostring(split(TargetUserPrincipalName,\u0027@\u0027,1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"TargetName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"TargetUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAppServicePrincipalId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIpAddress\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"User added to Microsoft Entra ID Privileged Groups\",\"description\":\"This will alert when a user is added to any of the Privileged Groups.\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\\nFor Administrator role permissions in Microsoft Entra ID please see https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles\",\"lastUpdatedDateUTC\":\"2024-01-09T00:00:00Z\",\"createdDateUTC\":\"2020-07-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a779e2d5-9109-4f0a-a75e-f3d4f3c58560\",\"name\":\"a779e2d5-9109-4f0a-a75e-f3d4f3c58560\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"High\",\"query\":\"let sha256Hashes = dynamic([\\\"78c255a98003a101fa5ba3f49c50c6922b52ede601edac5db036ab72efc57629\\\", \\\"0588f61dc7e4b24554cffe4ea56d043d8f6139d2569bc180d4a77cf75b68792f\\\", \\\"441a3810b9e89bae12eea285a63f92e98181e9fb9efd6c57ef6d265435484964\\\", \\\"cbae79f66f724e0fe1705d6b5db3cc8a4e89f6bdf4c37004aa1d45eeab26e84b\\\", \\\"fd6515a71530b8329e2c0104d0866c5c6f87546d4b44cc17bbb03e64663b11fc\\\", \\\"5d169e083faa73f2920c8593fb95f599dad93d34a6aa2b0f794be978e44c8206\\\", \\\"7f29b69eb1af1cc6c1998bad980640bfe779525fd5bb775bc36a0ce3789a8bfc\\\", \\\"02a59fe2c94151a08d75a692b550e66a8738eb47f0001234c600b562bf8c227d\\\", \\\"7f84bf6a016ca15e654fb5ebc36fd7407cb32c69a0335a32bfc36cb91e36184d\\\", \\\"afab2e77dc14831f1719e746042063a8ec107de0e9730249d5681d07f598e5ec\\\", \\\"894138dfeee756e366c65a197b4dbef8816406bc32697fac6621601debe17d53\\\", \\\"4611340fdade4e36f074f75294194b64dcf2ec0db00f3d958956b4b0d6586431\\\", \\\"c96ae21b4cf2e28eec222cfe6ca903c4767a068630a73eca58424f9a975c6b7d\\\", \\\"fa30be45c5c5a8f679b42ae85410f6099f66fe2b38eb7aa460bcc022babb41ca\\\", \\\"e64bea4032cf2694e85ede1745811e7585d3580821a00ae1b9123bb3d2d442d6\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, SourceUserID, FileHash, Type\\n| extend timestamp = TimeGenerated, FileHashCustomEntity = \u0027SHA256\u0027, Account = SourceUserID\\n),\\n(imFileEvent\\n| where TargetFileSHA256 has_any (sha256Hashes)\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(Event\\n| where Source =~ \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Image = EventDetail.[4].[\\\"#text\\\"], CommandLine = EventDetail.[10].[\\\"#text\\\"], Hashes = tostring(EventDetail.[17].[\\\"#text\\\"])\\n| extend Hashes = extract_all(@\\\"(?P\u003ckey\u003e\\\\w+)=(?P\u003cvalue\u003e[a-zA-Z0-9]+)\\\", dynamic([\\\"key\\\",\\\"value\\\"]), Hashes)\\n| extend Hashes = column_ifexists(\\\"Hashes\\\", \\\"\\\"), CommandLine = column_ifexists(\\\"CommandLine\\\", \\\"\\\")\\n| extend Hashes = todynamic(Hashes) | mv-expand Hashes\\n| where (Hashes[0] =~ \\\"SHA256\\\" and Hashes[1] has_any (sha256Hashes)) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, Hashes, CommandLine, Image\\n| extend Type = strcat(Type, \\\": \\\", Source)\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), FileHashCustomEntity = tostring(Hashes[1])\\n),\\n(DeviceEvents\\n| where InitiatingProcessSHA256 has_any (sha256Hashes) or SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n),\\n(DeviceFileEvents\\n| where SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n),\\n(DeviceImageLoadEvents\\n| where SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"FileHashCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"[Deprecated] - Denim Tsunami File Hashes July 2022\",\"description\":\"This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft\u0027s Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2022-07-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceEvents\",\"DeviceFileEvents\",\"DeviceImageLoadEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7b907bf7-77d4-41d0-a208-5643ff75bf9a\",\"name\":\"7b907bf7-77d4-41d0-a208-5643ff75bf9a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.4\",\"severity\":\"Medium\",\"query\":\"let Keywords = dynamic([\\\"helpdesk\\\", \\\" alert\\\", \\\" suspicious\\\", \\\"fake\\\", \\\"malicious\\\", \\\"phishing\\\", \\\"spam\\\", \\\"do not click\\\", \\\"do not open\\\", \\\"hijacked\\\", \\\"Fatal\\\"]);\\nOfficeActivity\\n| where OfficeWorkload =~ \\\"Exchange\\\" \\n| where Operation =~ \\\"New-InboxRule\\\" and (ResultStatus =~ \\\"True\\\" or ResultStatus =~ \\\"Succeeded\\\")\\n| where Parameters has \\\"Deleted Items\\\" or Parameters has \\\"Junk Email\\\" or Parameters has \\\"DeleteMessage\\\"\\n| extend Events=todynamic(Parameters)\\n| parse Events with * \\\"SubjectContainsWords\\\" SubjectContainsWords \u0027}\u0027*\\n| parse Events with * \\\"BodyContainsWords\\\" BodyContainsWords \u0027}\u0027*\\n| parse Events with * \\\"SubjectOrBodyContainsWords\\\" SubjectOrBodyContainsWords \u0027}\u0027*\\n| where SubjectContainsWords has_any (Keywords)\\n or BodyContainsWords has_any (Keywords)\\n or SubjectOrBodyContainsWords has_any (Keywords)\\n| extend ClientIPAddress = case( ClientIP has \\\".\\\", tostring(split(ClientIP,\\\":\\\")[0]), ClientIP has \\\"[\\\", tostring(trim_start(@\u0027[[]\u0027,tostring(split(ClientIP,\\\"]\\\")[0]))), ClientIP )\\n| extend Keyword = iff(isnotempty(SubjectContainsWords), SubjectContainsWords, (iff(isnotempty(BodyContainsWords),BodyContainsWords,SubjectOrBodyContainsWords )))\\n| extend RuleDetail = case(OfficeObjectId contains \u0027/\u0027 , tostring(split(OfficeObjectId, \u0027/\u0027)[-1]) , tostring(split(OfficeObjectId, \u0027\\\\\\\\\u0027)[-1]))\\n| summarize count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by Operation, UserId, ClientIPAddress, ResultStatus, Keyword, OriginatingServer, OfficeObjectId, RuleDetail\\n| extend AccountName = tostring(split(UserId, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(UserId, \\\"@\\\")[1])\\n| extend OriginatingServerName = tostring(split(OriginatingServer, \\\" \\\")[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserId\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"OriginatingServerName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIPAddress\"}]}],\"tactics\":[\"Persistence\",\"DefenseEvasion\"],\"displayName\":\"Malicious Inbox Rule\",\"description\":\"Often times after the initial compromise the attackers create inbox rules to delete emails that contain certain keywords.\\n This is done so as to limit ability to warn compromised users that they\u0027ve been compromised. Below is a sample query that tries to detect this.\\nReference: https://www.reddit.com/r/sysadmin/comments/7kyp0a/recent_phishing_attempts_my_experience_and_what/\",\"lastUpdatedDateUTC\":\"2024-03-13T00:00:00Z\",\"createdDateUTC\":\"2020-03-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity (Exchange)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bf07ca9c-e408-443a-8939-6860a45a929e\",\"name\":\"bf07ca9c-e408-443a-8939-6860a45a929e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Low\",\"query\":\"let allowed_publishers = dynamic([]);\\nAzureDevOpsAuditing\\n| where OperationName =~ \\\"Extension.Installed\\\"\\n| extend ExtensionName = tostring(Data.ExtensionName)\\n| extend PublisherName = tostring(Data.PublisherName)\\n| where PublisherName !in (allowed_publishers)\\n| project-reorder TimeGenerated, OperationName, ExtensionName, PublisherName, ActorUPN, IpAddress, UserAgent, ScopeDisplayName, Data\\n| extend timestamp = TimeGenerated\\n| extend AccountName = tostring(split(ActorUPN, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(ActorUPN, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ActorUPN\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Azure DevOps New Extension Added\",\"description\":\"Extensions add additional features to Azure DevOps. An attacker could use a malicious extension to conduct malicious activity. \\nThis query looks for new extensions that are not from a configurable list of approved publishers.\",\"lastUpdatedDateUTC\":\"2024-03-13T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/80da0a8f-cfe1-4cd0-a895-8bc1771a720e\",\"name\":\"80da0a8f-cfe1-4cd0-a895-8bc1771a720e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.5\",\"severity\":\"Medium\",\"query\":\"(union isfuzzy=true\\n(\\nSecurityEvent\\n| where EventID == 1102 and EventSourceName =~ \\\"Microsoft-Windows-Eventlog\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), EventCount = count() by Computer, Account, EventID, Activity\\n),\\n(\\nWindowsEvent\\n| where EventID == 1102 and Provider =~ \\\"Microsoft-Windows-Eventlog\\\"\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend Activity= \\\"1102 - The audit log was cleared.\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), EventCount = count() by Computer, Account, EventID, Activity\\n)\\n)\\n| extend Name=tostring(split(Account, \\\"@\\\")[0]), UPNSuffix=tostring(split(Account, \\\"@\\\")[1])\\n| extend HostName = iif(Computer has \u0027.\u0027,substring(Computer,0,indexof(Computer,\u0027.\u0027)),Computer) , DnsDomain = iif(Computer has \u0027.\u0027,substring(Computer,indexof(Computer,\u0027.\u0027)+1),\u0027\u0027)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Security Event log cleared\",\"description\":\"Checks for event id 1102 which indicates the security event log was cleared.\\nIt uses Event Source Name \\\"Microsoft-Windows-Eventlog\\\" to avoid generating false positives from other sources, like AD FS servers for instance.\",\"lastUpdatedDateUTC\":\"2024-03-13T00:00:00Z\",\"createdDateUTC\":\"2019-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d23ed927-5be3-4902-a9c1-85f841eb4fa1\",\"name\":\"d23ed927-5be3-4902-a9c1-85f841eb4fa1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.6\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n| where TimeGenerated \u003e= ago(ioc_lookBack)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true and ExpirationDateTime \u003e now()\\n| join (\\n DuoSecurityAuthentication_CL\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(access_device_ip_s)\\n // renaming time column so it is clear the log this came from\\n | extend Duo_TimeGenerated = isotimestamp_t\\n)\\non $left.TI_ipEntity == $right.access_device_ip_s\\n| where TimeGenerated \u003e= ago(ioc_lookBack)\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true and ExpirationDateTime \u003e now()\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, Duo_TimeGenerated,\\nTI_ipEntity, user_name_s, factor_s, result_s, application_name_s, event_type_s, txid_g, user_key_s, access_device_ip_s, access_device_location_city_s, access_device_location_state_s, access_device_location_country_s\\n| extend timestamp = Duo_TimeGenerated, Name = tostring(split(user_name_s, \u0027@\u0027, 0)[0]), UPNSuffix = tostring(split(user_name_s, \u0027@\u0027, 1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"user_name_s\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"access_device_ip_s\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"TI Map IP Entity to Duo Security\",\"description\":\"This query maps any IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in DuoSecurity.\",\"lastUpdatedDateUTC\":\"2024-07-09T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"CiscoDuoSecurity\",\"dataTypes\":[\"CiscoDuo\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/00cb180c-08a8-4e55-a276-63fb1442d5b5\",\"name\":\"00cb180c-08a8-4e55-a276-63fb1442d5b5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.5\",\"severity\":\"Medium\",\"query\":\"let cmdTokens0 = dynamic([\u0027vbscript\u0027,\u0027jscript\u0027]);\\nlet cmdTokens1 = dynamic([\u0027mshtml\u0027,\u0027RunHTMLApplication\u0027]);\\nlet cmdTokens2 = dynamic([\u0027Execute\u0027,\u0027CreateObject\u0027,\u0027RegRead\u0027,\u0027window.close\u0027]);\\n(union isfuzzy=true \\n(SecurityEvent\\n| where TimeGenerated \u003e= ago(14d)\\n| where EventID == 4688\\n| where CommandLine has @\u0027\\\\Microsoft\\\\Windows\\\\CurrentVersion\u0027\\n| where not(CommandLine has_any (@\u0027\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\u0027, @\u0027\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\u0027))\\n// If you are receiving false positives, then it may help to make the query more strict by uncommenting one or both of the lines below to refine the matches\\n//| where CommandLine has_any (cmdTokens0)\\n//| where CommandLine has_all (cmdTokens1)\\n| where CommandLine has_all (cmdTokens2)\\n| project TimeGenerated, Computer, Account, Process, NewProcessName, CommandLine, ParentProcessName, _ResourceId\\n),\\n(WindowsEvent\\n| where TimeGenerated \u003e= ago(14d)\\n| where EventID == 4688 and EventData has_all(cmdTokens2) and EventData has @\u0027\\\\Microsoft\\\\Windows\\\\CurrentVersion\u0027\\n| where not(EventData has_any (@\u0027\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\u0027, @\u0027\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\u0027))\\n| extend CommandLine = tostring(EventData.CommandLine)\\n| where CommandLine has @\u0027\\\\Microsoft\\\\Windows\\\\CurrentVersion\u0027\\n| where not(CommandLine has_any (@\u0027\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\u0027, @\u0027\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\u0027))\\n// If you are receiving false positives, then it may help to make the query more strict by uncommenting one or both of the lines below to refine the matches\\n//| where CommandLine has_any (cmdTokens0)\\n//| where CommandLine has_all (cmdTokens1)\\n| where CommandLine has_all (cmdTokens2)\\n| extend Account = strcat(EventData.SubjectDomainName,\\\"\\\\\\\\\\\", EventData.SubjectUserName)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| extend ParentProcessName = tostring(EventData.ParentProcessName) \\n| project TimeGenerated, Computer, Account, Process, NewProcessName, CommandLine, ParentProcessName, _ResourceId)\\n| extend Name = tostring(split(Account, \\\"\\\\\\\\\\\")[1]), NTDomain = tostring(split(Account, \\\"\\\\\\\\\\\")[0])\\n| extend DnsDomain = tostring(strcat_array(array_slice(split(Computer, \u0027.\u0027), 1, -1), \u0027.\u0027)), HostName = tostring(split(Computer, \u0027.\u0027, 0)[0]))\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"NTDomain\",\"columnName\":\"NTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"Midnight Blizzard - Script payload stored in Registry\",\"description\":\"This query identifies when a process execution command-line indicates that a registry value is written to allow for later execution a malicious script\\n References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2021-03-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/15ae38a2-2e29-48f7-883f-863fb25a5a06\",\"name\":\"15ae38a2-2e29-48f7-883f-863fb25a5a06\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P8D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"let starttime = 8d;\\nlet endtime = 1d;\\nlet threshold = 10;\\nDnsEvents\\n| where TimeGenerated \u003e ago(endtime)\\n| where Name has \\\"in-addr.arpa\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), dcount(Name), ReverseDNSLookup_List = make_set(Name,100) by ClientIP\\n| where dcount_Name \u003e threshold\\n| project StartTimeUtc, EndTimeUtc, ClientIP , dcount_Name, ReverseDNSLookup_List\\n// Filter out previously seen IPs\\n// Returns all the records from the left side that don\u0027t have matches from the right\\n| join kind=leftanti (DnsEvents\\n | where TimeGenerated between(ago(starttime)..ago(endtime))\\n | where Name has \\\"in-addr.arpa\\\"\\n | summarize dcount(Name) by ClientIP, bin(TimeGenerated, 1d)\\n | where dcount_Name \u003e threshold\\n | project ClientIP , dcount_Name\\n) on ClientIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]}],\"tactics\":[\"Discovery\"],\"displayName\":\"Rare client observed with high reverse DNS lookup count\",\"description\":\"Identifies clients with a high reverse DNS counts that could be carrying out reconnaissance or discovery activity.\\nAlerts are generated if the IP performing such reverse DNS lookups was not seen doing so in the preceding 7-day period.\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/46ac55ae-47b8-414a-8f94-89ccd1962178\",\"name\":\"46ac55ae-47b8-414a-8f94-89ccd1962178\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"Medium\",\"query\":\"let queryperiod = 1d;\\nlet mode = dynamic([\u0027Blocked\u0027, \u0027Detected\u0027]);\\nlet successCode = dynamic([\u0027200\u0027, \u0027101\u0027,\u0027204\u0027, \u0027400\u0027,\u0027504\u0027,\u0027304\u0027,\u0027401\u0027,\u0027500\u0027]);\\nlet sessionBin = 30m;\\nAzureDiagnostics\\n| where TimeGenerated \u003e ago(queryperiod)\\n| where ResourceProvider == \u0027MICROSOFT.NETWORK\u0027 and Category =~ \u0027ApplicationGatewayFirewallLog\u0027 and action_s in (mode)\\n| sort by hostname_s asc, clientIp_s asc, TimeGenerated asc\\n| extend SessionBlockedStarted = row_window_session(TimeGenerated, queryperiod, 10m, ((clientIp_s != prev(clientIp_s)) or (hostname_s != prev(hostname_s))))\\n| summarize SessionBlockedEnded = max(TimeGenerated), SessionBlockedCount = count() by hostname_s, clientIp_s, SessionBlockedStarted\\n| extend TimeKey = range(bin(SessionBlockedStarted, sessionBin), bin(SessionBlockedEnded, sessionBin), sessionBin)\\n| mv-expand TimeKey to typeof(datetime)\\n| join kind = inner(\\n AzureDiagnostics\\n | where TimeGenerated \u003e ago(queryperiod)\\n | where Category =~ \u0027ApplicationGatewayAccessLog\u0027 and (isempty(httpStatus_d) or httpStatus_d in (successCode))\\n | extend TimeKey = bin(TimeGenerated, sessionBin)\\n | extend hostname_s = coalesce(hostname_s,host_s), clientIp_s = coalesce(clientIp_s,clientIP_s)\\n) on TimeKey, hostname_s , clientIp_s\\n| where TimeGenerated between (SessionBlockedStarted..SessionBlockedEnded)\\n| extend\\n originalRequestUriWithArgs_s = column_ifexists(\\\"originalRequestUriWithArgs_s\\\", \\\"\\\"),\\n serverStatus_s = column_ifexists(\\\"serverStatus_s\\\", \\\"\\\")\\n| summarize\\n SuccessfulAccessCount = count(),\\n UserAgents = make_set(userAgent_s, 250),\\n RequestURIs = make_set(requestUri_s, 250),\\n OriginalRequestURIs = make_set(originalRequestUriWithArgs_s, 250),\\n SuccessCodes = make_set(httpStatus_d, 250),\\n SuccessCodes_BackendServer = make_set(serverStatus_s, 250),\\n take_any(SessionBlockedEnded, SessionBlockedCount)\\n by hostname_s, clientIp_s, SessionBlockedStarted\\n| where SessionBlockedCount \u003e SuccessfulAccessCount\\n| extend BlockvsSuccessRatio = SessionBlockedCount/toreal(SuccessfulAccessCount)\\n| sort by BlockvsSuccessRatio desc, SessionBlockedStarted asc\\n| project-reorder SessionBlockedStarted, SessionBlockedEnded, hostname_s, clientIp_s, SessionBlockedCount, SuccessfulAccessCount, BlockvsSuccessRatio, SuccessCodes, RequestURIs, OriginalRequestURIs, UserAgents\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"clientIp_s\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"A potentially malicious web request was executed against a web server\",\"description\":\"Detects unobstructed Web Application Firewall (WAF) activity in sessions where the WAF blocked incoming requests by computing the ratio between blocked requests and unobstructed WAF requests in these sessions (BlockvsSuccessRatio metric).\\nA high ratio value for a given client IP and hostname calls for further investigation of the WAF data in that session, due to the significantly high number of blocked requests and a few unobstructed logs that may be malicious but have passed undetected through the WAF. The successCode variable defines what the detection thinks is a successful status code and should be altered to fit the environment.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2020-11-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"WAF\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6e575295-a7e6-464c-8192-3e1d8fd6a990\",\"name\":\"6e575295-a7e6-464c-8192-3e1d8fd6a990\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.6\",\"severity\":\"High\",\"query\":\"let IPList = externaldata(IPAddress:string)[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Log4j_IOC_List.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\n//Network logs\\nlet CSlogSourceIP = CommonSecurityLog | summarize by IPAddress = SourceIP, Type;\\nlet CSlogDestIP = CommonSecurityLog | summarize by IPAddress = DestinationIP, Type;\\nlet CSlogMsgIP = CommonSecurityLog | extend MessageIP = extract(IPRegex, 0, Message) | summarize by IPAddress = MessageIP, Type;\\nlet DnsIP = DnsEvents | summarize by IPAddress = IPAddresses, Type;\\n// If you have enabled the _Im_Dns and/or imNetworkSession normalization in your workspace, you can uncomment one or both below. Reference - https://docs.microsoft.com/azure/sentinel/normalization\\n//let imDnsIP = _Im_Dns (response_has_any_prefix=IPList) | summarize by IPAddress = ResponseName, Type;\\n//let imNetSessIP = imNetworkSession (dstipaddr_has_any_prefix=IPList) | summarize by IPAddress = DstIpAddr, Type;\\n//Cloud service logs\\nlet officeIP = OfficeActivity | summarize by IPAddress = ClientIP, Type;\\nlet signinIP = SigninLogs | summarize by IPAddress, Type;\\nlet nonintSigninIP = AADNonInteractiveUserSignInLogs | summarize by IPAddress, Type;\\nlet azureActIP = AzureActivity | summarize by IPAddress = CallerIpAddress, Type;\\nlet awsCtIP = AWSCloudTrail | summarize by IPAddress = SourceIpAddress, Type;\\n//Device logs\\nlet vmConnSourceIP = VMConnection | summarize by IPAddress = SourceIp, Type;\\nlet vmConnDestIP = VMConnection | summarize by IPAddress = DestinationIp, Type;\\nlet iisLogIP = W3CIISLog | summarize by IPAddress = cIP, Type;\\nlet devNetIP = DeviceNetworkEvents | summarize by IPAddress = RemoteIP, Type;\\n//need to parse to get IP\\nlet azureDiagIP = AzureDiagnostics | where ResourceType == \\\"AZUREFIREWALLS\\\" | where Category in (\\\"AzureFirewallApplicationRule\\\", \\\"AzureFirewallNetworkRule\\\")\\n| where msg_s has_any (IPList) | parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action | summarize by IPAddress = DestinationHost, Type;\\nlet sysEvtIP = Event | where Source == \\\"Microsoft-Windows-Sysmon\\\" | where EventID == 3 | where EventData has_any (IPList) | extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = tostring(EventDetail.[9].[\\\"#text\\\"]), DestinationIP = tostring(EventDetail.[14].[\\\"#text\\\"])\\n| where SourceIP in (IPList) or DestinationIP in (IPList) | extend IPAddress = iff(SourceIP in (IPList), SourceIP, DestinationIP) | summarize by IPAddress, Type;\\n// If you have enabled the _Im_DNS and/or imNetworkSession normalization in your workdspace, you can uncomment below and include. Reference - https://docs.microsoft.com/azure/sentinel/normalization\\n//let ipsort = union isfuzzy=true CSlogDestIP, CSlogMsgIP, CSlogSourceIP, DnsIP, officeIP, signinIP, nonintSigninIP, azureActIP, awsCtIP, vmConnDestIP, vmConnSourceIP, azureDiagIP, sysEvtIP, imDnsIP, imNetSessIP\\n// If you uncomment above, then comment out the line below\\nlet ipsort = union isfuzzy=true CSlogDestIP, CSlogMsgIP, CSlogSourceIP, DnsIP, officeIP, signinIP, nonintSigninIP, azureActIP, awsCtIP, vmConnDestIP, vmConnSourceIP, azureDiagIP, sysEvtIP\\n| summarize by IPAddress\\n| where isnotempty(IPAddress) | where not(ipv4_is_private(IPAddress)) and IPAddress !in (\u00270.0.0.0\u0027,\u0027127.0.0.1\u0027);\\nlet ipMatch = ipsort | where IPAddress in (IPList);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (ipMatch) or DestinationIP in (ipMatch) or Message has_any (ipMatch)\\n| project TimeGenerated, SourceIP, DestinationIP, Message, SourceUserID, RequestURL, Type\\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend IPMatch = case(SourceIP in (ipMatch), \\\"SourceIP\\\", DestinationIP in (ipMatch), \\\"DestinationIP\\\", MessageIP in (ipMatch), \\\"Message\\\", \\\"No Match\\\")\\n| extend timestamp = TimeGenerated, IPEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, \\\"No Match\\\")\\n),\\n(OfficeActivity\\n| where ClientIP in (ipMatch)\\n| project TimeGenerated, UserAgent, Operation, RecordType, UserId, ClientIP, Type\\n| extend SourceIPAddress = ClientIP, Account = UserId\\n| extend timestamp = TimeGenerated , IPEntity = SourceIPAddress , AccountEntity = Account\\n),\\n(DnsEvents\\n| where IPAddresses has_any (ipMatch)\\n| project TimeGenerated, Computer, IPAddresses, Name, ClientIP, Type\\n| extend DestinationIPAddress = IPAddresses, Host = Computer\\n| extend timestamp = TimeGenerated, IPEntity = DestinationIPAddress, HostEntity = Host\\n),\\n(VMConnection\\n| where SourceIp in (ipMatch) or DestinationIp in (ipMatch)\\n| project TimeGenerated, Computer, SourceIp, DestinationIp, Type\\n| extend IPMatch = case( SourceIp in (ipMatch), \\\"SourceIP\\\", DestinationIp in (ipMatch), \\\"DestinationIP\\\", \\\"None\\\")\\n| extend timestamp = TimeGenerated , IPEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"None\\\"), Host = Computer\\n),\\n(Event\\n| where Source =~ \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| where EventData has_any (ipMatch)\\n| project TimeGenerated, EventData, UserName, Computer, Type\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = tostring(EventDetail.[9].[\\\"#text\\\"]), DestinationIP = tostring(EventDetail.[14].[\\\"#text\\\"])\\n| where SourceIP in (ipMatch) or DestinationIP in (ipMatch)\\n| extend IPMatch = case( SourceIP in (ipMatch), \\\"SourceIP\\\", DestinationIP in (ipMatch), \\\"DestinationIP\\\", \\\"None\\\")\\n| extend timestamp = TimeGenerated, AccountEntity = UserName, HostEntity = Computer , IPEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n),\\n(SigninLogs\\n| where IPAddress in (ipMatch)\\n| project TimeGenerated, UserPrincipalName, IPAddress, Type\\n| extend timestamp = TimeGenerated, AccountEntity = UserPrincipalName, IPEntity = IPAddress\\n),\\n(AADNonInteractiveUserSignInLogs\\n| where IPAddress in (ipMatch)\\n| project TimeGenerated, UserPrincipalName, IPAddress, Type\\n| extend timestamp = TimeGenerated, AccountEntity = UserPrincipalName, IPEntity = IPAddress\\n),\\n(W3CIISLog\\n| where cIP in (ipMatch)\\n| project TimeGenerated, Computer, cIP, csUserName, Type\\n| extend timestamp = TimeGenerated, IPEntity = cIP, HostEntity = Computer, AccountEntity = csUserName\\n),\\n(AzureActivity\\n| where CallerIpAddress in (ipMatch)\\n| project TimeGenerated, CallerIpAddress, Caller, Type\\n| extend timestamp = TimeGenerated, IPEntity = CallerIpAddress, AccountEntity = Caller\\n),\\n(\\nAWSCloudTrail\\n| where SourceIpAddress in (ipMatch)\\n| project TimeGenerated, SourceIpAddress, UserIdentityUserName, Type\\n| extend timestamp = TimeGenerated, IPEntity = SourceIpAddress, AccountEntity = UserIdentityUserName\\n),\\n(\\nDeviceNetworkEvents\\n| where RemoteIP in (ipMatch)\\n| where ActionType =~ \\\"InboundConnectionAccepted\\\"\\n| project TimeGenerated, RemoteIP, DeviceName, Type\\n| extend timestamp = TimeGenerated, IPEntity = RemoteIP, HostEntity = DeviceName\\n),\\n(\\nAzureDiagnostics\\n| where ResourceType =~ \\\"AZUREFIREWALLS\\\"\\n| where Category in (\\\"AzureFirewallApplicationRule\\\", \\\"AzureFirewallNetworkRule\\\")\\n| where msg_s has_any (ipMatch)\\n| project TimeGenerated, msg_s, Type\\n| parse msg_s with Protocol \u0027request from \u0027 SourceIP \u0027:\u0027 SourcePort \u0027to \u0027 DestinationIP \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where DestinationIP has_any (ipMatch)\\n| extend timestamp = TimeGenerated, IPEntity = DestinationIP\\n)\\n// If you have enabled the _Im_Dns and/or imNetworkSession normalization in your workdspace, you can uncomment below and include. Reference - https://docs.microsoft.com/azure/sentinel/normalization\\n//,\\n//(_Im_Dns (response_has_any_prefix=IPList)\\n//| project TimeGenerated, ResponseName, SrcIpAddr, Type\\n//| extend DestinationIPAddress = ResponseName, Host = SrcIpAddr\\n//| extend timestamp = TimeGenerated, IPEntity = DestinationIPAddress, HostEntity = Host\\n//),\\n//(imNetworkSession (dstipaddr_has_any_prefix=IPList)\\n//| project TimeGenerated, DstIpAddr, SrcIpAddr, Type\\n//| extend timestamp = TimeGenerated, IPEntity = DstIpAddr, HostEntity = SrcIpAddr\\n//)\\n)\\n| extend Name = tostring(split(AccountEntity, \u0027@\u0027, 0)[0]), UPNSuffix = tostring(split(AccountEntity, \u0027@\u0027, 1)[0])\\n| extend HostName = tostring(split(HostEntity, \u0027.\u0027, 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(HostEntity, \u0027.\u0027), 1, -1), \u0027.\u0027))\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Log4j vulnerability exploit aka Log4Shell IP IOC\",\"description\":\"Identifies a match across various data feeds for IP IOCs related to the Log4j vulnerability exploit aka Log4Shell described in CVE-2021-44228.\\n References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44228\",\"lastUpdatedDateUTC\":\"2024-07-16T00:00:00Z\",\"createdDateUTC\":\"2019-12-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoAsaAma\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AzureMonitor(WireData)\",\"dataTypes\":[\"WireData\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/32ffb19e-8ed8-40ed-87a0-1adb4746b7c4\",\"name\":\"32ffb19e-8ed8-40ed-87a0-1adb4746b7c4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"High\",\"query\":\"// Enter a reference list of malicious file artifacts\\nlet MaliciousFileArtifacts = dynamic ([\\\"lsass.dmp\\\",\\\"test.pwd\\\",\\\"lsremora.dll\\\",\\\"lsremora64.dll\\\",\\\"fgexec.exe\\\",\\\"pwdump\\\",\\\"kirbi\\\",\\\"wce_ccache\\\",\\\"wce_krbtkts\\\",\\\"wceaux.dll\\\",\\\"PwHashes\\\",\\\"SAM.out\\\",\\\"SECURITY.out\\\",\\\"SYSTEM.out\\\",\\\"NTDS.out\\\" \\\"DumpExt.dll\\\",\\\"DumpSvc.exe\\\",\\\"cachedump64.exe\\\",\\\"cachedump.exe\\\",\\\"pstgdump.exe\\\",\\\"servpw64.exe\\\",\\\"servpw.exe\\\",\\\"pwdump.exe\\\",\\\"fgdump-log\\\"]);\\nEvent\\n| where EventLog == \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID==11\\n| parse EventData with * \u0027TargetFilename\\\"\u003e\u0027 TargetFilename \\\"\u003c\\\" *\\n| where TargetFilename has_any (MaliciousFileArtifacts)\\n| parse EventData with * \u0027ProcessGuid\\\"\u003e\u0027 ProcessGuid \\\"\u003c\\\" * \u0027Image\\\"\u003e\u0027 Image \\\"\u003c\\\" *\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, Image, ProcessGuid, TargetFilename\\n| extend HostName = split(Computer, \u0027.\u0027, 0)[0], DnsDomain = strcat_array(array_slice(split(Computer, \u0027.\u0027), 1, -1), \u0027.\u0027)\",\"entityMappings\":[{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"TargetFilename\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"Image\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Credential Dumping Tools - File Artifacts\",\"description\":\"This query detects the creation of credential dumping tools files. Several credential dumping tools export files with hardcoded file names.\\nRef: https://jpcertcc.github.io/ToolAnalysisResultSheet/\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-02-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"Event\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"Event\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fbd72eb8-087e-466b-bd54-1ca6ea08c6d3\",\"name\":\"fbd72eb8-087e-466b-bd54-1ca6ea08c6d3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.3\",\"severity\":\"Medium\",\"query\":\"let opList = OfficeActivity \\n| summarize by Operation\\n//| where Operation startswith \\\"Remove-\\\" or Operation startswith \\\"Disable-\\\"\\n| where Operation has_any (\\\"Remove\\\", \\\"Disable\\\")\\n| where Operation contains \\\"AntiPhish\\\" or Operation contains \\\"SafeAttachment\\\" or Operation contains \\\"SafeLinks\\\" or Operation contains \\\"Dlp\\\" or Operation contains \\\"Audit\\\"\\n| summarize make_set(Operation, 500);\\nOfficeActivity\\n// Only admin or global-admin can disable/remove policy\\n| where RecordType =~ \\\"ExchangeAdmin\\\"\\n| where UserType in~ (\\\"Admin\\\",\\\"DcAdmin\\\")\\n// Pass in interesting Operation list\\n| where Operation in~ (opList)\\n| extend ClientIPOnly = case( \\nClientIP has \\\".\\\", tostring(split(ClientIP,\\\":\\\")[0]), \\nClientIP has \\\"[\\\", tostring(trim_start(@\u0027[[]\u0027,tostring(split(ClientIP,\\\"]\\\")[0]))),\\nClientIP\\n) \\n| extend Port = case(\\nClientIP has \\\".\\\", (split(ClientIP,\\\":\\\")[1]),\\nClientIP has \\\"[\\\", tostring(split(ClientIP,\\\"]:\\\")[1]),\\nClientIP\\n)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), OperationCount = count() by Operation, UserType, UserId, ClientIP = ClientIPOnly, Port, ResultStatus, Parameters\\n| extend AccountName = tostring(split(UserId, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(UserId, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserId\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]}],\"tactics\":[\"Persistence\",\"DefenseEvasion\"],\"displayName\":\"Office Policy Tampering\",\"description\":\"Identifies if any tampering is done to either auditlog, ATP Safelink, SafeAttachment, AntiPhish or Dlp policy. \\nAn adversary may use this technique to evade detection or avoid other policy based defenses.\\nReferences: https://docs.microsoft.com/powershell/module/exchange/advanced-threat-protection/remove-antiphishrule?view=exchange-ps.\",\"lastUpdatedDateUTC\":\"2024-03-14T00:00:00Z\",\"createdDateUTC\":\"2019-04-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity (Exchange)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/75297f62-10a8-4fc1-9b2a-12f25c6f05a7\",\"name\":\"75297f62-10a8-4fc1-9b2a-12f25c6f05a7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Medium\",\"query\":\"let domain_lookBack= 14d;\\nlet timeframe = 1d;\\nlet top_million_list = Cisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(domain_lookBack) and TimeGenerated \u003c ago(timeframe)\\n| extend Hostname = parse_url(UrlOriginal)[\\\"Host\\\"]\\n| summarize count() by tostring(Hostname)\\n| top 1000000 by count_\\n| summarize make_list(Hostname);\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(timeframe)\\n| extend Hostname = parse_url(UrlOriginal)[\\\"Host\\\"]\\n| where Hostname !in (top_million_list)\\n| extend Message = \\\"Connect to unpopular website (possible malicious payload delivery)\\\"\\n| project Message, SrcIpAddr, DstIpAddr,UrlOriginal, TimeGenerated\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlOriginal\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - Connection to Unpopular Website Detected\",\"description\":\"Detects first connection to an unpopular website (possible malicious payload delivery).\",\"lastUpdatedDateUTC\":\"2023-12-29T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a3df4a32-4805-4c6d-8699-f3c888af2f67\",\"name\":\"a3df4a32-4805-4c6d-8699-f3c888af2f67\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.6\",\"severity\":\"High\",\"query\":\"// We can use this configuration TimeDeltaInMinutes if you want to chnage the time window that we try to match the alerts\\nlet TimeDeltaInMinutes = 10;\\nlet Alert_UnfamiliarSignInProps = \\nSecurityAlert\\n| where TimeGenerated \u003e ago(1d)\\n| where ProductName =~ \\\"Azure Active Directory Identity Protection\\\"\\n| where AlertName =~ \\\"Unfamiliar sign-in properties\\\"\\n| mv-expand Entity = todynamic(Entities)\\n| where Entity.Type =~ \\\"account\\\"\\n| extend AadTenantId = tostring(Entity.AadTenantId)\\n| extend AadUserId = tostring(Entity.AadUserId)\\n| join kind=inner (\\nIdentityInfo\\n| distinct AccountTenantId, AccountObjectId, AccountUPN, AccountDisplayName\\n| extend UserName = AccountDisplayName\\n| extend UserAccount = AccountUPN\\n| where isnotempty(AccountDisplayName) and isnotempty(UserAccount)\\n| project AccountTenantId, AccountObjectId, UserAccount, UserName\\n)\\non\\n$left.AadTenantId == $right.AccountTenantId,\\n$left.AadUserId == $right.AccountObjectId\\n| extend CompromisedEntity = iff(CompromisedEntity == \\\"N/A\\\" or isempty(CompromisedEntity), UserAccount, CompromisedEntity)\\n| extend Alert_UnfamiliarSignInProps_Time = TimeGenerated\\n| extend Alert_UnfamiliarSignInProps_Name = AlertName\\n| extend Alert_UnfamiliarSignInProps_Severity = AlertSeverity\\n| project AadTenantId, AadUserId, AccountTenantId, AccountObjectId, Alert_UnfamiliarSignInProps_Name, Alert_UnfamiliarSignInProps_Severity, Alert_UnfamiliarSignInProps_Time, UserAccount, UserName\\n;\\nlet Alert_AtypicalTravels = \\nSecurityAlert\\n| where TimeGenerated \u003e ago(1d)\\n| where ProductName =~ \\\"Azure Active Directory Identity Protection\\\"\\n| where AlertName =~ \\\"Atypical travel\\\"\\n| mv-expand Entity = todynamic(Entities)\\n| where Entity.Type =~ \\\"account\\\"\\n| extend AadTenantId = tostring(Entity.AadTenantId)\\n| extend AadUserId = tostring(Entity.AadUserId)\\n| join kind=inner (\\nIdentityInfo\\n| distinct AccountTenantId, AccountObjectId, AccountUPN, AccountDisplayName\\n| extend UserName = AccountDisplayName\\n| extend UserAccount = AccountUPN\\n| where isnotempty(AccountDisplayName) and isnotempty(UserAccount)\\n| project AccountTenantId, AccountObjectId, UserAccount, UserName\\n)\\non\\n$left.AadTenantId == $right.AccountTenantId,\\n$left.AadUserId == $right.AccountObjectId\\n| extend CompromisedEntity = iff(CompromisedEntity == \\\"N/A\\\" or isempty(CompromisedEntity), UserAccount, CompromisedEntity)\\n| extend Alert_AtypicalTravels_Time = TimeGenerated\\n| extend Alert_AtypicalTravels_Name = AlertName\\n| extend Alert_AtypicalTravels_Severity = AlertSeverity\\n| extend ExtendedProperties_json= parse_json(ExtendedProperties)\\n| extend CurrentLocation = tostring(ExtendedProperties_json.[\\\"Current Location\\\"])\\n| extend PreviousLocation = tostring(ExtendedProperties_json.[\\\"Previous Location\\\"])\\n| extend CurrentIPAddress = tostring(ExtendedProperties_json.[\\\"Current IP Address\\\"])\\n| extend PreviousIPAddress = tostring(ExtendedProperties_json.[\\\"Previous IP Address\\\"])\\n| project AadTenantId, AadUserId, AccountTenantId, AccountObjectId, Alert_AtypicalTravels_Name, Alert_AtypicalTravels_Severity, Alert_AtypicalTravels_Time, CurrentIPAddress, PreviousIPAddress, CurrentLocation, PreviousLocation, UserAccount, UserName, CompromisedEntity\\n;\\nAlert_UnfamiliarSignInProps\\n| join kind=inner Alert_AtypicalTravels on UserAccount\\n| where abs(datetime_diff(\u0027minute\u0027, Alert_UnfamiliarSignInProps_Time, Alert_AtypicalTravels_Time)) \u003c= TimeDeltaInMinutes\\n| extend TimeDelta = Alert_UnfamiliarSignInProps_Time - Alert_AtypicalTravels_Time\\n| project UserAccount, Alert_UnfamiliarSignInProps_Name, Alert_UnfamiliarSignInProps_Severity, Alert_UnfamiliarSignInProps_Time, Alert_AtypicalTravels_Name, Alert_AtypicalTravels_Severity, Alert_AtypicalTravels_Time, TimeDelta, CurrentLocation, PreviousLocation, CurrentIPAddress, PreviousIPAddress, UserName\\n| extend UserEmailName = split(UserAccount,\u0027@\u0027)[0], UPNSuffix = split(UserAccount,\u0027@\u0027)[1]\",\"customDetails\":{\"Alert1_Name\":\"Alert_UnfamiliarSignInProps_Name\",\"Alert1_Time\":\"Alert_UnfamiliarSignInProps_Time\",\"Alert1_Severity\":\"Alert_UnfamiliarSignInProps_Severity\",\"Alert2_Name\":\"Alert_AtypicalTravels_Name\",\"Alert2_Time\":\"Alert_AtypicalTravels_Time\",\"Alert2_Severity\":\"Alert_AtypicalTravels_Severity\",\"TimeDelta\":\"TimeDelta\",\"CurrentLocation\":\"CurrentLocation\",\"PreviousLocation\":\"PreviousLocation\",\"CurrentIPAddress\":\"CurrentIPAddress\",\"PreviousIPAddress\":\"PreviousIPAddress\"},\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"},{\"identifier\":\"Name\",\"columnName\":\"UserEmailName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"CurrentIPAddress\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"PreviousIPAddress\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Correlate Unfamiliar sign-in properties \u0026 atypical travel alerts\",\"description\":\"The combination of an Unfamiliar sign-in properties alert and an Atypical travel alert about the same user within a +10m or -10m window is considered a high severity incident.\",\"lastUpdatedDateUTC\":\"2023-04-19T00:00:00Z\",\"createdDateUTC\":\"2020-09-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectoryIdentityProtection\",\"dataTypes\":[\"SecurityAlert (IPC)\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"IdentityInfo\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/05eca115-c4b5-48e4-ba6e-07db57695be2\",\"name\":\"05eca115-c4b5-48e4-ba6e-07db57695be2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let baseline_time = 7d;\\nlet detection_time = 1d;\\nDynamics365Activity\\n| where TimeGenerated between(ago(baseline_time)..ago(detection_time-1d))\\n| where OriginalObjectId contains \u0027ExportToExcel\u0027\\n| extend numQueryCount = todouble(QueryResults)\\n| extend QueryCount = iif(QueryResults contains \\\",\\\", todouble(countof(tostring(QueryResults), \u0027,\u0027) + 1), numQueryCount)\\n| extend QueryCount = iif(isnotempty(QueryCount), QueryCount, double(1))\\n| summarize sum(QueryCount) by UserId\\n| extend HistoricalBaseline = sum_QueryCount\\n| join (Dynamics365Activity\\n| where TimeGenerated \u003e ago(detection_time)\\n| where OriginalObjectId contains \u0027ExportToExcel\u0027\\n| extend numQueryCount = todouble(QueryResults)\\n| extend QueryCount = iif(QueryResults contains \\\",\\\", todouble(countof(tostring(QueryResults), \u0027,\u0027) + 1), numQueryCount)\\n| extend QueryCount = iif(isnotempty(QueryCount), QueryCount, double(1))\\n| summarize sum(QueryCount) by UserId\\n| extend CurrentExportRate = sum_QueryCount) on UserId\\n| where CurrentExportRate \u003e HistoricalBaseline\\n| project UserId, HistoricalBaseline, CurrentExportRate\\n| join kind=inner(Dynamics365Activity\\n| where TimeGenerated \u003e ago(detection_time)\\n| where OriginalObjectId contains \u0027ExportToExcel\u0027\\n| extend numQueryCount = todouble(QueryResults)\\n| extend QueryCount = iif(QueryResults contains \\\",\\\", todouble(countof(tostring(QueryResults), \u0027,\u0027) + 1), numQueryCount)\\n| extend QueryCount = iif(isnotempty(QueryCount), QueryCount, double(1))) on UserId\\n| project TimeGenerated, UserId, QueryCount, UserAgent, OriginalObjectId, ClientIP, HistoricalBaseline, CurrentExportRate, CorrelationId, CrmOrganizationUniqueName\\n| summarize QuerySizes = make_set(QueryCount), MostRecentQuery = max(TimeGenerated), IPs = make_set(ClientIP), UserAgents = make_set(UserAgent) by UserId, CrmOrganizationUniqueName, HistoricalBaseline, CurrentExportRate\\n| extend timestamp = MostRecentQuery, AccountCustomEntity = UserId\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"Collection\"],\"displayName\":\"Mass Export of Dynamics 365 Records to Excel\",\"description\":\"The query detects user exporting a large amount of records from Dynamics 365 to Excel, significantly more records exported than any other recent activity by that user.\",\"lastUpdatedDateUTC\":\"2022-12-12T00:00:00Z\",\"createdDateUTC\":\"2021-02-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Dynamics365\",\"dataTypes\":[\"Dynamics365Activity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/327cd4ed-ca42-454b-887c-54e1c91363c6\",\"name\":\"327cd4ed-ca42-454b-887c-54e1c91363c6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Microsoft Defender Advanced Threat Protection\",\"displayName\":\"Create incidents based on Microsoft Defender for Endpoint alerts\",\"description\":\"Create incidents based on all alerts generated in Microsoft Defender for Endpoint\",\"lastUpdatedDateUTC\":\"2019-10-24T00:00:00Z\",\"createdDateUTC\":\"2019-10-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftDefenderAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert (MDATP)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0dd2a343-4bf9-4c93-a547-adf3658ddaec\",\"name\":\"0dd2a343-4bf9-4c93-a547-adf3658ddaec\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"High\",\"query\":\"let known_processes = (\\n imProcess\\n // Change these values if adjusting Query Frequency or Query Period\\n | where TimeGenerated between(ago(14d)..ago(1d))\\n | where Process has_any (\\\"Policies\\\\\\\\{6AC1786C-016F-11D2-945F-00C04fB984F9}\\\", \\\"Policies\\\\\\\\{31B2F340-016D-11D2-945F-00C04FB984F9}\\\")\\n | summarize by Process);\\n imProcess\\n // Change these values if adjusting Query Frequency or Query Period\\n | where TimeGenerated \u003e ago(1d)\\n | where Process has_any (\\\"Policies\\\\\\\\{6AC1786C-016F-11D2-945F-00C04fB984F9}\\\", \\\"Policies\\\\\\\\{31B2F340-016D-11D2-945F-00C04FB984F9}\\\")\\n | where Process !in (known_processes)\\n | summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated) by Process, CommandLine, DvcHostname\\n | extend HostName = tostring(split(DvcHostname, \\\".\\\")[0]), DomainIndex = toint(indexof(DvcHostname, \u0027.\u0027))\\n | extend HostNameDomain = iff(DomainIndex != -1, substring(DvcHostname, DomainIndex + 1), DvcHostname)\\n | project-away DomainIndex\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DvcHostname\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"Execution\",\"LateralMovement\"],\"displayName\":\"New EXE deployed via Default Domain or Default Domain Controller Policies (ASIM Version)\",\"description\":\"This detection highlights executables deployed to hosts via either the Default Domain or Default Domain Controller Policies. These policies apply to all hosts or Domain Controllers and best practice is that these policies should not be used for deployment of files.\\n A threat actor may use these policies to deploy files or scripts to all hosts in a domain.\\n This query uses the ASIM parsers and will need them deployed before usage - https://docs.microsoft.com/azure/sentinel/normalization\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2022-02-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/066395ac-ef91-4993-8bf6-25c61ab0ca5a\",\"name\":\"066395ac-ef91-4993-8bf6-25c61ab0ca5a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/SOURGUM.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet file_path1 = (iocs | where Type =~ \\\"filepath1\\\" | project IoC);\\nlet file_path2 = (iocs | where Type =~ \\\"filepath2\\\" | project IoC);\\nlet file_path3 = (iocs | where Type =~ \\\"filepath3\\\" | project IoC);\\nlet reg_key = (iocs | where Type =~ \\\"regkey\\\" | project IoC);\\nWindowsEvent\\n| where EventID == 4688 and (EventData has_any (file_path1) or EventData has_any (file_path2) or EventData has_any (file_path3) or EventData has_any (\u0027reg add\u0027) or EventData has_any (reg_key) )\\n| extend CommandLine = tostring(EventData.CommandLine)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| where (CommandLine has_any (file_path1)) or\\n (CommandLine has_any (file_path3)) or\\n (CommandLine has \u0027reg add\u0027 and CommandLine has_any (reg_key) and CommandLine has_any (file_path2)) or \\n (NewProcessName has_any (file_path1)) or\\n (NewProcessName has_any (file_path3)) or\\n (ParentProcessName has_any (file_path1)) or \\n (ParentProcessName has_any (file_path3)) \\n| extend Account = strcat(EventData.SubjectDomainName,\\\"\\\\\\\\\\\", EventData.SubjectUserName)\\n| extend NewProcessId = tostring(EventData.NewProcessId)\\n| extend IPCustomEntity = tostring(EventData.IpAddress)\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type, IPCustomEntity\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, Alert = \u0027SOURGUM IOC detected\u0027\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Caramel Tsunami Actor IOC - July 2021\",\"description\":\"Identifies a match across IOC\u0027s related to an actor tracked by Microsoft as Caramel Tsunami\",\"lastUpdatedDateUTC\":\"2023-07-18T00:00:00Z\",\"createdDateUTC\":\"2022-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1da9853f-3dea-4ea9-b7e5-26730da3d537\",\"name\":\"1da9853f-3dea-4ea9-b7e5-26730da3d537\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.6\",\"severity\":\"Medium\",\"query\":\"let PortScanThreshold = 50;\\n_Im_NetworkSession\\n| where ipv4_is_private(SrcIpAddr) == False\\n| where SrcIpAddr !in (\\\"127.0.0.1\\\", \\\"::1\\\")\\n| summarize AttemptedPortsCount=dcount(DstPortNumber), AttemptedPorts=make_set(DstPortNumber, 100), ReportedBy=make_set(strcat(EventVendor, \\\"/\\\", EventProduct), 20) by SrcIpAddr, bin(TimeGenerated, 5m)\\n| where AttemptedPortsCount \u003e PortScanThreshold\",\"customDetails\":{\"AttemptedPortsCount\":\"AttemptedPortsCount\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Potential port scan from {{SrcIpAddr}}\",\"alertDescriptionFormat\":\"A port scan has been performed from address {{SrcIpAddr}} over {{AttemptedPortsCount}} ports within 5 minutes. This may indicate that a [port scanner](https://en.wikipedia.org/wiki/Port_scanner) is trying to identify open ports in order to penetrate a system.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"Discovery\"],\"displayName\":\"Port scan detected (ASIM Network Session schema)\",\"description\":\"This rule identifies a possible port scan, in which a single source tries to access a large number of different ports is a short time frame. This may indicate that a [port scanner](https://en.wikipedia.org/wiki/Port_scanner) is trying to identify open ports in order to penetrate a system.\\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-03-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"AzureNSG\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoAsaAma\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]},{\"connectorId\":\"AIVectraStream\",\"dataTypes\":[\"VectraStream\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoMeraki\",\"dataTypes\":[\"Syslog\",\"CiscoMerakiNativePoller\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2f561e20-d97b-4b13-b02d-18b34af6e87c\",\"name\":\"2f561e20-d97b-4b13-b02d-18b34af6e87c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\nlet cmdList = dynamic([\\\"Set-CASMailbox\\\",\\\"ActiveSyncAllowedDeviceIDs\\\",\\\"add\\\"]);\\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where EventID == 4688\\n| where CommandLine has_all (cmdList)\\n| project Type, TimeGenerated, Computer, Account, SubjectDomainName, SubjectUserName, Process, ParentProcessName, CommandLine\\n| extend timestamp = TimeGenerated, AccountEntity = Account, HostEntity = Computer\\n),\\n( WindowsEvent\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where EventID == 4688\\n| where EventData has_all (cmdList)\\n| extend CommandLine = tostring(EventData.CommandLine) \\n| where CommandLine has_all (cmdList)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| project Type, TimeGenerated, Computer, Account, SubjectDomainName, SubjectUserName, Process, ParentProcessName, CommandLine\\n| extend timestamp = TimeGenerated, AccountEntity = Account, HostEntity = Computer\\n),\\n(\\nDeviceProcessEvents\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where InitiatingProcessCommandLine has_all (cmdList)\\n| project Type, TimeGenerated, DeviceName, AccountName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessParentFileName, InitiatingProcessCommandLine\\n| extend timestamp = TimeGenerated, AccountDomain = InitiatingProcessAccountDomain, AccountName = InitiatingProcessAccountName, HostEntity = DeviceName\\n),\\n(\\nEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key=tostring([\u0027@Name\u0027]), Value=[\u0027#text\u0027]\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where CommandLine has_all (cmdList)\\n| extend Type = strcat(Type, \\\": \\\", Source)\\n| project Type, TimeGenerated, Computer, User, Process, ParentImage, CommandLine\\n| extend timestamp = TimeGenerated, AccountEntity = User, HostEntity = Computer\\n)\\n)\\n| extend HostName = tostring(split(HostEntity, \\\".\\\")[0]), DomainIndex = toint(indexof(HostEntity, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(HostEntity, DomainIndex + 1), HostEntity)\\n| extend AccountName = tostring(split(AccountEntity, @\u0027\\\\\u0027)[1]), AccountDomain = tostring(split(AccountEntity, @\u0027\\\\\u0027)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountEntity\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostEntity\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Email access via active sync\",\"description\":\"This query detects attempts to add attacker devices as allowed IDs for active sync using the Set-CASMailbox command.\\nThis technique was seen in relation to Solorigate attack but the results can indicate potential malicious activity used in different attacks.\\n- Note that this query can be changed to use the KQL \\\"has_all\\\" operator, which hasn\u0027t yet been documented officially, but will be soon.\\n In short, \\\"has_all\\\" will only match when the referenced field has all strings in the list.\\n- Refer to Set-CASMailbox syntax: https://docs.microsoft.com/powershell/module/exchange/set-casmailbox?view=exchange-ps \",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2021-02-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f041e01d-840d-43da-95c8-4188f6cef546\",\"name\":\"f041e01d-840d-43da-95c8-4188f6cef546\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let LearningPeriod = 7d;\\nlet RunTime = 1h;\\nlet StartTime = 1h;\\nlet EndRunTime = StartTime - RunTime;\\nlet EndLearningTime = StartTime + LearningPeriod;\\nlet GitHubCountryCodeLogs = (GitHubAudit\\n| where Country != \\\"\\\");\\n GitHubCountryCodeLogs\\n| where TimeGenerated between (ago(EndLearningTime) .. ago(StartTime))\\n| summarize makeset(Country) by Actor\\n| join kind=innerunique (\\n GitHubCountryCodeLogs\\n | where TimeGenerated between (ago(StartTime) .. ago(EndRunTime))\\n | distinct Country, Actor, TimeGenerated\\n) on Actor \\n| where set_Country !contains Country\\n| extend AccountCustomEntity = Actor , timestamp = TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"GitHub Activites from a New Country\",\"description\":\"Detect activities from a location that was not recently or was never visited by the user or by any user in your organization.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e4779bdc-397a-4b71-be28-59e6a1e1d16b\",\"name\":\"e4779bdc-397a-4b71-be28-59e6a1e1d16b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"ZoomLogs\\n| where Event =~ \\\"account.settings_updated\\\"\\n| extend NewE2ESetting = columnifexists(\\\"payload_object_settings_in_meeting_e2e_encryption_b\\\", \\\"\\\")\\n| extend OldE2ESetting = columnifexists(\\\"payload_old_object_settings_in_meeting_e2e_encryption_b\\\", \\\"\\\")\\n| where OldE2ESetting =~ \u0027false\u0027 and NewE2ESetting =~ \u0027true\u0027\\n| extend AccountName = tostring(split(User, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(User, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"User\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]}],\"tactics\":[\"CredentialAccess\",\"Discovery\"],\"displayName\":\"Zoom E2E Encryption Disabled\",\"description\":\"This alerts when end to end encryption is disabled for Zoom meetings.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2020-04-24T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b6685757-3ed1-4b05-a5bd-2cacadc86c2a\",\"name\":\"b6685757-3ed1-4b05-a5bd-2cacadc86c2a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.3\",\"severity\":\"High\",\"query\":\"let UA_threats = dynamic([\\\"FoxBlade\\\", \\\"WhisperGate\\\", \\\"Lasainraw\\\", \\\"SonicVote\\\", \\\"CaddyWiper\\\", \\\"AprilAxe\\\", \\\"FiberLake\\\", \\\"Industroyer\\\", \\\"DesertBlade\\\"]);\\nSecurityAlert\\n| where ProviderName =~ \\\"MDATP\\\"\\n| extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)\\n| where ThreatFamilyName in~ (UA_threats)\\n| extend HostName = tostring(split(CompromisedEntity, \\\".\\\")[0]), DomainIndex = toint(indexof(CompromisedEntity, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(CompromisedEntity, DomainIndex + 1), CompromisedEntity)\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CompromisedEntity\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"AV detections related to Ukraine threats\",\"description\":\"This query looks for Microsoft Defender AV detections for malware observed in relation to the war in Ukraine.\\n Ref: https://msrc-blog.microsoft.com/2022/02/28/analysis-resources-cyber-threat-activity-ukraine/ \",\"lastUpdatedDateUTC\":\"2024-04-04T00:00:00Z\",\"createdDateUTC\":\"2022-03-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ed43bdb7-eaab-4ea4-be52-6951fcfa7e3b\",\"name\":\"ed43bdb7-eaab-4ea4-be52-6951fcfa7e3b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.4\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nlet timeframe = 1d;\\nlet TotalEventsThreshold = 25;\\nlet TimeSeriesData = AzureActivity \\n| where TimeGenerated between (startofday(ago(starttime))..startofday(now())) \\n| where OperationNameValue endswith \\\"delete\\\" \\n| project TimeGenerated, Caller \\n| make-series Total = count() on TimeGenerated from startofday(ago(starttime)) to startofday(now()) step timeframe by Caller;\\nTimeSeriesData \\n| extend (anomalies, score, baseline) = series_decompose_anomalies(Total, 3, -1, \u0027linefit\u0027) \\n| mv-expand Total to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to typeof(double), baseline to typeof(long) \\n| where TimeGenerated \u003e= startofday(ago(endtime)) \\n| where anomalies \u003e 0 \\n| project Caller, TimeGenerated, Total, baseline, anomalies, score \\n| where Total \u003e TotalEventsThreshold and baseline \u003e 0 \\n| join (AzureActivity \\n| where TimeGenerated \u003e startofday(ago(endtime)) \\n| where OperationNameValue endswith \\\"delete\\\" \\n| summarize count(), make_set(OperationNameValue,100), make_set(_ResourceId,100) by bin(TimeGenerated, timeframe), Caller ) on TimeGenerated, Caller \\n| extend Name = iif(Caller has \u0027@\u0027,tostring(split(Caller,\u0027@\u0027,0)[0]),\\\"\\\")\\n| extend UPNSuffix = iif(Caller has \u0027@\u0027,tostring(split(Caller,\u0027@\u0027,1)[0]),\\\"\\\")\\n| extend AadUserId = iif(Caller !has \u0027@\u0027,Caller,\\\"\\\")\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Caller\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"AadUserId\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Mass Cloud resource deletions Time Series Anomaly\",\"description\":\"This query generates the baseline pattern of cloud resource deletions by an individual and generates an anomaly when any unusual spike is detected. These anomalies from unusual or privileged users could be an indication of a cloud infrastructure takedown by an adversary.\",\"lastUpdatedDateUTC\":\"2024-03-04T00:00:00Z\",\"createdDateUTC\":\"2022-03-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/11c3d541-5fa5-49df-8218-d1c98584473b\",\"name\":\"11c3d541-5fa5-49df-8218-d1c98584473b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"// Retrieve SecurityAlerts generated within the last day\\n SecurityAlert \\n // Filter alerts for Azure Active Directory Identity Protection and High severity\\n | where ProductName has \\\"Azure Active Directory Identity Protection\\\"\\n | where AlertSeverity == \\\"High\\\"\\n // Extract IP address entities from the \u0027Entities\u0027 field\\n | extend ipAddress = extract(@\u0027\\\\b(?:\\\\d{1,3}\\\\.){3}\\\\d{1,3}\\\\b\u0027, 0, Entities)\\n // Filter out alerts without IP address entities\\n | where isnotempty(ipAddress)\\n // Summarize entities per unique combination of attributes\\n | summarize make_set(Entities)\\n by\\n AlertTime = TimeGenerated,\\n ipAddress,\\n AlertName,\\n ProductName,\\n AlertSeverity\\n // Perform an inner join with AWS CloudTrail events\\n | join kind=inner (\\n AWSCloudTrail\\n | where isempty(ErrorMessage)\\n | extend UserType = tostring(parse_json(RequestParameters).userType) \\n | where EventName in~ (\\\"CreateRole\\\", \\\"DeleteRole\\\", \\\"CreateUser\\\", \\\"CreateAccessKey\\\", \\\"DeleteAccessKey\\\", \\\"CreateGroup\\\", \\\"AddUserToGroup\\\", \\\"ChangePassword\\\", \\\"DeleteGroup\\\", \\\"DeleteUser\\\", \\\"RemoveUserFromGroup\\\", \\\"CreateVirtualMFADevice\\\", \\\"DeleteLoginProfile\\\") \\n | summarize\\n make_set(RequestParameters),\\n make_set(ResponseElements)\\n by\\n SourceIpAddress,\\n UserIdentityArn,\\n UserIdentityType,\\n EventName,\\n EventTime = TimeGenerated\\n )\\n on $left.ipAddress == $right.SourceIpAddress \\n // Filter results based on temporal correlation\\n | where AlertTime between ((EventTime - 1h) .. (EventTime + 1h))\",\"customDetails\":{\"AWSUser\":\"UserIdentityArn\",\"AlertIp\":\"ipAddress\",\"AlertName\":\"AlertName\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIpAddress\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"User impersonation by Identity Protection alerts\",\"description\":\"This detection focuses on identifying user-related events involving IAM roles, groups, user access, and password changes. It examines instances where the user\u0027s IP address matches and alerts generated by Identity Protection share the same IP address. The analysis occurs within a time window of 1 hour, helping to flag potential cases of user impersonation.\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2023-08-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"AzureActiveDirectoryIdentityProtection\",\"dataTypes\":[\"SecurityAlert (IPC)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4d8de9e6-263e-4845-8618-cd23a4f58b70\",\"name\":\"4d8de9e6-263e-4845-8618-cd23a4f58b70\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT3H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 3h;\\n// Add full UPN (user@domain.com) to Authorized Bypassers to ignore policy bypasses by certain authorized users\\nlet AuthorizedBypassers = dynamic([\u0027foo@baz.com\u0027, \u0027test@foo.com\u0027]);\\nlet historicBypassers = AzureDevOpsAuditing\\n| where TimeGenerated between (ago(starttime) .. ago(endtime))\\n| where OperationName == \u0027Git.RefUpdatePoliciesBypassed\u0027\\n| distinct ActorUPN;\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e= ago(endtime)\\n| where OperationName == \u0027Git.RefUpdatePoliciesBypassed\u0027\\n| where ActorUPN !in (historicBypassers) and ActorUPN !in (AuthorizedBypassers)\\n| parse ScopeDisplayName with OrganizationName \u0027(Organization)\u0027\\n| project TimeGenerated, ActorUPN, IpAddress, UserAgent, OrganizationName, ProjectName, RepoName = Data.RepoName, AlertDetails = Details, Branch = Data.Name,\\n BypassReason = Data.BypassReason, PRLink = strcat(\u0027https://dev.azure.com/\u0027, OrganizationName, \u0027/\u0027, ProjectName, \u0027/_git/\u0027, Data.RepoName, \u0027/pullrequest/\u0027, Data.PullRequestId)\\n| extend timestamp = TimeGenerated\\n| extend AccountName = tostring(split(ActorUPN, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(ActorUPN, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ActorUPN\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"PRLink\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Azure DevOps Pull Request Policy Bypassing - Historic allow list\",\"description\":\"This detection builds an allow list of historic PR policy bypasses and compares to recent history, flagging pull request bypasses that are not manually in the allow list and not historically included in the allow list.\",\"lastUpdatedDateUTC\":\"2024-03-13T00:00:00Z\",\"createdDateUTC\":\"2020-06-04T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f2eb15bd-8a88-4b24-9281-e133edfba315\",\"name\":\"f2eb15bd-8a88-4b24-9281-e133edfba315\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.8\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet Signins = materialize(union isfuzzy=true\\n (SigninLogs\\n | where TimeGenerated \u003e= ago(dt_lookBack)),\\n (AADNonInteractiveUserSignInLogs\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | extend Status = todynamic(Status), LocationDetails = todynamic(LocationDetails)));\\nlet SigninIPs = Signins | summarize make_list(IPAddress);\\nlet TI = materialize(ThreatIntelligenceIndicator\\n | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n | where TimeGenerated \u003e= ago(ioc_lookBack)\\n | extend TI_ipEntity = coalesce(NetworkIP, EmailSourceIpAddress, NetworkDestinationIP, NetworkSourceIP)\\n | where TI_ipEntity in (SigninIPs)\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n | where Active == true and ExpirationDateTime \u003e now()\\n | where Description !contains_cs \\\"State: inactive;\\\" and Description !contains_cs \\\"State: falsepos;\\\");\\nTI\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (Signins) on $left.TI_ipEntity == $right.IPAddress\\n| project-rename SigninLogs_TimeGenerated = TimeGenerated\\n| where SigninLogs_TimeGenerated \u003c ExpirationDateTime\\n| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails), StatusReason = tostring(Status.failureReason)\\n| summarize SigninLogs_TimeGenerated = arg_max(SigninLogs_TimeGenerated, *) by IndicatorId, IPAddress\\n| project SigninLogs_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, IPAddress, UserPrincipalName, AppDisplayName, StatusCode, StatusDetails, StatusReason, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, Type\\n| extend timestamp = SigninLogs_TimeGenerated, Name = tostring(split(UserPrincipalName, \u0027@\u0027, 0)[0]), UPNSuffix = tostring(split(UserPrincipalName, \u0027@\u0027, 1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"TI Map IP Entity to SigninLogs\",\"description\":\"This query maps any IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in SigninLogs.\",\"lastUpdatedDateUTC\":\"2023-07-18T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8cbc3215-fa58-4bd6-aaaa-f0029c351730\",\"name\":\"8cbc3215-fa58-4bd6-aaaa-f0029c351730\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"AlertPerResult\"},\"version\":\"1.1.4\",\"severity\":\"Medium\",\"query\":\"let threatCategory=\\\"Cryptominer\\\";\\nlet knownUserAgentsIndicators = materialize(externaldata(UserAgent:string, Category:string)\\n [ @\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/UnusualUserAgents.csv\\\"] \\n with(format=\\\"csv\\\", ignoreFirstRecord=True));\\nlet knownUserAgents=toscalar(knownUserAgentsIndicators | where Category==threatCategory | where isnotempty(UserAgent) | summarize make_list(UserAgent));\\nlet customUserAgents=toscalar(_GetWatchlist(\\\"UnusualUserAgents\\\") | where SearchKey==threatCategory | extend UserAgent=column_ifexists(\\\"UserAgent\\\",\\\"\\\") | where isnotempty(UserAgent) | summarize make_list(UserAgent));\\nlet fullUAList = array_concat(knownUserAgents,customUserAgents);\\n_Im_WebSession(httpuseragent_has_any=fullUAList)\\n| summarize N_Events=count() by SrcIpAddr, Url, TimeGenerated, HttpUserAgent, SrcUsername\\n| extend AccountName = tostring(split(SrcUsername, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(SrcUsername, \\\"@\\\")[1])\",\"customDetails\":{\"UserAgent\":\"HttpUserAgent\"},\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SrcUsername\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"The host {{SrcIpAddr}} is potentially running a crypto miner\",\"alertDescriptionFormat\":\"The host at address {{SrcIpAddr}} sent an HTTP request to the URL {{Url}} with the HTTP user agent header {{HttpUserAgent}}. This user agent is known to be used by crypto miners and indicates crypto mining activity on the client.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"Impact\"],\"displayName\":\"A host is potentially running a crypto miner (ASIM Web Session schema)\",\"description\":\"This rule identifies a web request with a user agent header known to belong to a crypto miner. This indicates a crypto miner may have infected the client machine.\u003cbr\u003eYou can add custom crypto mining indicating User-Agent headers using a watchlist, for more information refer to the [UnusualUserAgents Watchlist](https://aka.ms/ASimUnusualUserAgentsWatchlist).\u003cbr\u003e\u003cbr\u003e This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema)\",\"lastUpdatedDateUTC\":\"2024-07-15T00:00:00Z\",\"createdDateUTC\":\"2021-12-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5db427b2-f406-4274-b413-e9fcb29412f8\",\"name\":\"5db427b2-f406-4274-b413-e9fcb29412f8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.4\",\"severity\":\"High\",\"query\":\"AuditLogs\\n| where ActivityDisplayName =~ \u0027Add member to role request denied (PIM activation)\u0027\\n| mv-apply ResourceItem = TargetResources on \\n (\\n where ResourceItem.type =~ \\\"Role\\\"\\n | extend Role = trim(@\u0027\\\"\u0027,tostring(ResourceItem.displayName))\\n )\\n| mv-apply ResourceItem = TargetResources on \\n (\\n where ResourceItem.type =~ \\\"User\\\"\\n | extend TargetUserPrincipalName = trim(@\u0027\\\"\u0027,tostring(ResourceItem.userPrincipalName))\\n )\\n| where ResultReason != \\\"RoleAssignmentExists\\\"\\n| where isnotempty(InitiatedBy.user)\\n| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n| extend InitiatingIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\\n| extend TargetName = tostring(split(TargetUserPrincipalName,\u0027@\u0027,0)[0]), TargetUPNSuffix = tostring(split(TargetUserPrincipalName,\u0027@\u0027,1)[0])\\n| extend InitiatedByName = tostring(split(InitiatingUserPrincipalName,\u0027@\u0027,0)[0]), InitiatedByUPNSuffix = tostring(split(InitiatingUserPrincipalName,\u0027@\u0027,1)[0])\\n| project-reorder TimeGenerated, TargetUserPrincipalName, Role, OperationName, Result, ResultDescription\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"TargetName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"TargetUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatedByName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatedByUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAppServicePrincipalId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIpAddress\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"NRT PIM Elevation Request Rejected\",\"description\":\"Identifies when a user is rejected for a privileged role elevation via PIM. Monitor rejections for indicators of attacker compromise of the requesting account.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-identity-management\",\"lastUpdatedDateUTC\":\"2024-08-19T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4d94d4a9-dc96-450a-9dea-4d4d4594199b\",\"name\":\"4d94d4a9-dc96-450a-9dea-4d4d4594199b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"High\",\"query\":\"SecurityNestedRecommendation\\n| where RemediationDescription has \u0027CVE-2021-38647\u0027\\n| parse ResourceDetails with * \u0027virtualMachines/\u0027 VirtualMAchine \u0027\\\"\u0027 *\\n| summarize arg_min(TimeGenerated, *) by TenantId, RecommendationSubscriptionId, VirtualMAchine, RecommendationName,Description,RemediationDescription, tostring(AdditionalData),VulnerabilityId\\n| extend HostName = tostring(split(VirtualMAchine, \\\".\\\")[0]), DomainIndex = toint(indexof(VirtualMAchine, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(VirtualMAchine, DomainIndex + 1), VirtualMAchine)\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"VirtualMAchine\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"InitialAccess\",\"Execution\"],\"displayName\":\"Vulnerable Machines related to OMIGOD CVE-2021-38647\",\"description\":\"This query uses the Azure Defender Security Nested Recommendations data to find machines vulnerable to OMIGOD CVE-2021-38647.\\nOMI is the Linux equivalent of Windows WMI and helps users manage configurations across remote and local environments. The query aims to find machines that have this OMI vulnerability (CVE-2021-38647).\\n Security Nested Recommendations data is sent to Microsoft Sentinel using the continuous export feature of Azure Defender(refrence link below).\\n Reference: https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure\\n Reference: https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2021-09-17T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3255ec41-6bd6-4f35-84b1-c032b18bbfcb\",\"name\":\"3255ec41-6bd6-4f35-84b1-c032b18bbfcb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"Low\",\"query\":\"let starttime = 1d;\\nlet TimeDeltaThresholdInSeconds = 60; // we ignore beacons diffs that fall below this threshold\\nlet TotalBeaconsThreshold = 4; // minimum number of beacons required in a session to surface a row\\nlet JitterTolerance = 0.2; // tolerance to jitter, e.g. - 0.2 = 20% jitter is tolerated either side of the periodicity\\nCommonSecurityLog\\n| where DeviceVendor == \\\"Fortinet\\\"\\n| where TimeGenerated \u003e ago(starttime)\\n// eliminate bad data\\n| where isnotempty(SourceIP) and isnotempty(DestinationIP) and SourceIP != \\\"0.0.0.0\\\"\\n// filter out deny, close, rst and SNMP to reduce data volume\\n| where DeviceAction !in (\\\"close\\\", \\\"client-rst\\\", \\\"server-rst\\\", \\\"deny\\\") and DestinationPort != 161\\n// map input fields\\n| project TimeGenerated , SourceIP, DestinationIP, DestinationPort, ReceivedBytes, SentBytes, DeviceAction\\n// where destination IPs are public\\n| where ipv4_is_private(DestinationIP) == false\\n// sort into source-\u003edestination \u0027sessions\u0027\\n| sort by SourceIP asc, DestinationIP asc, DestinationPort asc, TimeGenerated asc\\n| serialize\\n// time diff the contact times between source and destination to get a list of deltas\\n| extend nextTimeGenerated = next(TimeGenerated, 1), nextSourceIP = next(SourceIP, 1), nextDestIP = next(DestinationIP, 1), nextDestPort = next(DestinationPort, 1)\\n| extend TimeDeltainSeconds = datetime_diff(\\\"second\\\",nextTimeGenerated,TimeGenerated)\\n| where SourceIP == nextSourceIP and DestinationIP == nextDestIP and DestinationPort == nextDestPort\\n// remove small time deltas below the set threshold\\n| where TimeDeltainSeconds \u003e TimeDeltaThresholdInSeconds\\n// summarize the deltas by source-\u003edestination\\n| summarize count(), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), sum(ReceivedBytes), sum(SentBytes), makelist(TimeDeltainSeconds), makeset(DeviceAction) by SourceIP, DestinationIP, DestinationPort\\n// get some statistical properties of the delta distribution and smooth any outliers (e.g. laptop shut overnight, working hours)\\n| extend series_stats(list_TimeDeltainSeconds), outliers=series_outliers(list_TimeDeltainSeconds)\\n// expand the deltas and the outliers\\n| mvexpand list_TimeDeltainSeconds to typeof(double), outliers to typeof(double)\\n// replace outliers with the average of the distribution\\n| extend list_TimeDeltainSeconds_normalized=iff(outliers \u003e 1.5 or outliers \u003c -1.5, series_stats_list_TimeDeltainSeconds_avg , list_TimeDeltainSeconds)\\n// summarize with the smoothed distribution\\n| summarize BeaconCount=count(), makelist(list_TimeDeltainSeconds), list_TimeDeltainSeconds_normalized=makelist(list_TimeDeltainSeconds_normalized), makeset(set_DeviceAction) by StartTime, EndTime, SourceIP, DestinationIP, DestinationPort, sum_ReceivedBytes, sum_SentBytes\\n// get stats on the smoothed distribution\\n| extend series_stats(list_TimeDeltainSeconds_normalized)\\n// match jitter tolerance on smoothed distrib\\n| extend MaxJitter = (series_stats_list_TimeDeltainSeconds_normalized_avg*JitterTolerance)\\n| where series_stats_list_TimeDeltainSeconds_normalized_stdev \u003c MaxJitter\\n// where the minimum beacon threshold is satisfied and there was some data transfer\\n| where BeaconCount \u003e TotalBeaconsThreshold and (sum_SentBytes \u003e 0 or sum_ReceivedBytes \u003e 0)\\n// final projection\\n| project StartTime, EndTime, SourceIP, DestinationIP, DestinationPort, BeaconCount, TimeDeltasInSeconds=list_list_TimeDeltainSeconds, Periodicity=series_stats_list_TimeDeltainSeconds_normalized_avg, ReceivedBytes=sum_ReceivedBytes, SentBytes=sum_SentBytes, Actions=set_set_DeviceAction\\n// where periodicity is order of magnitude larger than time delta threshold (eliminates FPs whose periodicity is close to the values we ignored)\\n| where Periodicity \u003e= (10*TimeDeltaThresholdInSeconds)\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DestinationIP\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Fortinet - Beacon pattern detected\",\"description\":\"Identifies patterns in the time deltas of contacts between internal and external IPs in Fortinet network data that are consistent with beaconing.\\n Accounts for randomness (jitter) and seasonality such as working hours that may have been introduced into the beacon pattern.\\n The lookback is set to 1d, the minimum granularity in time deltas is set to 60 seconds and the minimum number of beacons required to emit a detection is set to 4.\\n Increase the lookback period to capture beacons with larger periodicities.\\n The jitter tolerance is set to 0.2 - This means we account for an overall 20% deviation from the infered beacon periodicity. Seasonality is dealt with automatically using series_outliers.\\n Note: In large environments it may be necessary to reduce the lookback period to get fast query times.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2020-03-31T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3a9d5ede-2b9d-43a2-acc4-d272321ff77c\",\"name\":\"3a9d5ede-2b9d-43a2-acc4-d272321ff77c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.5\",\"severity\":\"Medium\",\"query\":\"let riskScoreCutoff = 20; //Adjust this based on volume of results\\nlet starttime = 14d;\\nlet timeframe = 1d;\\nlet scorethreshold = 3;\\nlet baselinethreshold = 50;\\nlet aadFunc = (tableName:string){\\n // Failed Signins attempts with reasoning related to conditional access policies.\\n table(tableName)\\n | where TimeGenerated between (startofday(ago(starttime))..startofday(now()))\\n | where ResultDescription has_any (\\\"conditional access\\\", \\\"CA\\\") or ResultType in (50005, 50131, 53000, 53001, 53002, 52003, 70044)\\n | extend UserPrincipalName = tolower(UserPrincipalName)\\n | extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nlet allSignins = union isfuzzy=true aadSignin, aadNonInt;\\nlet TimeSeriesAlerts = \\nallSignins\\n| make-series DailyCount=count() on TimeGenerated from startofday(ago(starttime)) to startofday(now()) step 1d by UserPrincipalName\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(DailyCount, scorethreshold, -1, \u0027linefit\u0027)\\n| mv-expand DailyCount to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to typeof(double), baseline to typeof(long)\\n// Filtering low count events per baselinethreshold\\n| where anomalies \u003e 0 and baseline \u003e baselinethreshold\\n| extend AnomalyHour = TimeGenerated\\n| project UserPrincipalName, AnomalyHour, TimeGenerated, DailyCount, baseline, anomalies, score;\\n// Filter the alerts for specified timeframe\\nTimeSeriesAlerts\\n| where TimeGenerated \u003e startofday(ago(timeframe))\\n| join kind=inner ( \\n allSignins\\n | where TimeGenerated \u003e startofday(ago(timeframe))\\n // create a new column and round to hour\\n | extend DateHour = bin(TimeGenerated, 1h)\\n | summarize PartialFailedSignins = count(), LatestAnomalyTime = arg_max(TimeGenerated, *) by bin(TimeGenerated, 1h), OperationName, Category, ResultType, ResultDescription, UserPrincipalName, UserDisplayName, AppDisplayName, ClientAppUsed, IPAddress, ResourceDisplayName\\n) on UserPrincipalName, $left.AnomalyHour == $right.DateHour\\n| project LatestAnomalyTime, OperationName, Category, UserPrincipalName, UserDisplayName, ResultType, ResultDescription, AppDisplayName, ClientAppUsed, UserAgent, IPAddress, Location, AuthenticationRequirement, ConditionalAccessStatus, ResourceDisplayName, PartialFailedSignins, TotalFailedSignins = DailyCount, baseline, anomalies, score\\n| extend timestamp = LatestAnomalyTime, Name = tostring(split(UserPrincipalName,\u0027@\u0027,0)[0]), UPNSuffix = tostring(split(UserPrincipalName,\u0027@\u0027,1)[0])\\n| extend UserPrincipalName = tolower(UserPrincipalName)\\n| join kind=leftouter (\\n IdentityInfo\\n | summarize LatestReportTime = arg_max(TimeGenerated, *) by AccountUPN\\n | project AccountUPN, Tags, JobTitle, GroupMembership, AssignedRoles, UserType, IsAccountEnabled\\n | summarize\\n Tags = make_set(Tags, 1000),\\n GroupMembership = make_set(GroupMembership, 1000),\\n AssignedRoles = make_set(AssignedRoles, 1000),\\n UserType = make_set(UserType, 1000),\\n UserAccountControl = make_set(UserType, 1000)\\n by AccountUPN\\n | extend UserPrincipalName=tolower(AccountUPN)\\n) on UserPrincipalName\\n| join kind=leftouter (\\n BehaviorAnalytics\\n | where ActivityType in (\\\"FailedLogOn\\\", \\\"LogOn\\\")\\n | where isnotempty(SourceIPAddress)\\n | project UsersInsights, DevicesInsights, ActivityInsights, InvestigationPriority, SourceIPAddress\\n | project-rename IPAddress = SourceIPAddress\\n | summarize\\n UsersInsights = make_set(UsersInsights, 1000),\\n DevicesInsights = make_set(DevicesInsights, 1000),\\n IPInvestigationPriority = sum(InvestigationPriority)\\n by IPAddress)\\non IPAddress\\n| extend UEBARiskScore = IPInvestigationPriority\\n| where UEBARiskScore \u003e riskScoreCutoff\\n| sort by UEBARiskScore desc\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"User Accounts - Sign in Failure due to CA Spikes\",\"description\":\" Identifies spike in failed sign-ins from user accounts due to conditional access policied.\\nSpike is determined based on Time series anomaly which will look at historical baseline values.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\\nThis query has also been updated to include UEBA logs IdentityInfo and BehaviorAnalytics for contextual information around the results.\",\"lastUpdatedDateUTC\":\"2024-02-07T00:00:00Z\",\"createdDateUTC\":\"2021-10-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"BehaviorAnalytics\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"IdentityInfo\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cc5780ce-3245-4bba-8bc1-e9048c2257ce\",\"name\":\"cc5780ce-3245-4bba-8bc1-e9048c2257ce\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n | where Category =~ \\\"ApplicationManagement\\\"\\n | where OperationName =~ \\\"Add owner to application\\\"\\n | extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n | extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n | extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n | extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n | extend InitiatingIPAddress = tostring(InitiatedBy.user.ipAddress)\\n | extend TargetUserPrincipalName = TargetResources[0].userPrincipalName\\n | extend TargetAadUserId = tostring(TargetResources[0].id)\\n | extend mod_props = TargetResources[0].modifiedProperties\\n | mv-expand mod_props\\n | where mod_props.displayName =~ \\\"Application.DisplayName\\\"\\n | extend TargetAppName = tostring(parse_json(tostring(mod_props.newValue)))\\n | extend AddedUser = TargetUserPrincipalName\\n | extend UpdatedBy = iif(isnotempty(InitiatingAppName), InitiatingAppName, InitiatingUserPrincipalName)\\n | extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[1])\\n | extend TargetAccountName = tostring(split(TargetUserPrincipalName, \\\"@\\\")[0]), TargetAccountUPNSuffix = tostring(split(TargetUserPrincipalName, \\\"@\\\")[1])\\n | project-reorder TimeGenerated, InitiatingAppName, InitiatingAppServicePrincipalId, InitiatingAadUserId, InitiatingUserPrincipalName, InitiatingIPAddress, TargetAppName, AddedUser, UpdatedBy\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatingAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatingAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"TargetAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"TargetAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"TargetAadUserId\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Changes to Application Ownership\",\"description\":\"Detects changes to the ownership of an appplicaiton.\\n Monitor these changes to make sure that they were authorized.\\n Ref: https://learn.microsoft.com/en-gb/entra/architecture/security-operations-applications#new-owner\",\"lastUpdatedDateUTC\":\"2024-01-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ee1d718b-9ed9-4a71-90cd-a483a4f008df\",\"name\":\"ee1d718b-9ed9-4a71-90cd-a483a4f008df\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Office 365 Advanced Threat Protection\",\"displayName\":\"Create incidents based on Microsoft Defender for Office 365 alerts\",\"description\":\"Create incidents based on all alerts generated in Microsoft Defender for Office 365\",\"lastUpdatedDateUTC\":\"2020-09-01T00:00:00Z\",\"createdDateUTC\":\"2020-04-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"OfficeATP\",\"dataTypes\":[\"SecurityAlert (OATP)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/795edf2d-cf3e-45b5-8452-fe6c9e6a582e\",\"name\":\"795edf2d-cf3e-45b5-8452-fe6c9e6a582e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"CommonSecurityLog\\n| where isempty(CommunicationDirection)\\n| where DeviceEventClassID in (\\\"733101\\\",\\\"733102\\\",\\\"733103\\\",\\\"733104\\\",\\\"733105\\\")\\n| extend HostName = tostring(split(DeviceName, \\\".\\\")[0]), DomainIndex = toint(indexof(DeviceName, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(DeviceName, DomainIndex + 1), DeviceName)\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DeviceName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]}],\"tactics\":[\"Discovery\",\"Impact\"],\"displayName\":\"Cisco ASA - threat detection message fired\",\"description\":\"Identifies when the Cisco ASA Threat Detection engine fired an alert based on malicious activity occurring on the network inicated by DeviceEventClassID 733101-733105\\nResources: https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs9.html\\nDetails on how to further troubleshoot/investigate: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113685-asa-threat-detection.html\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/dd78a122-d377-415a-afe9-f22e08d2112c\",\"name\":\"dd78a122-d377-415a-afe9-f22e08d2112c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"Medium\",\"query\":\"// Add other permissions to this list as needed\\nlet permissions = dynamic([\\\".All\\\", \\\"ReadWrite\\\", \\\"Mail.\\\", \\\"offline_access\\\", \\\"Files.Read\\\", \\\"Notes.Read\\\", \\\"ChannelMessage.Read\\\", \\\"Chat.Read\\\", \\\"TeamsActivity.Read\\\",\\n\\\"Group.Read\\\", \\\"EWS.AccessAsUser.All\\\", \\\"EAS.AccessAsUser.All\\\"]);\\nlet auditList = \\nAuditLogs\\n| where OperationName =~ \\\"Add app role assignment to service principal\\\"\\n| mv-expand TargetResources[0].modifiedProperties\\n| extend TargetResources_0_modifiedProperties = column_ifexists(\\\"TargetResources_0_modifiedProperties\\\", \u0027\u0027)\\n| where isnotempty(TargetResources_0_modifiedProperties)\\n;\\nlet detailsList = auditList\\n| where TargetResources_0_modifiedProperties.displayName =~ \\\"AppRole.Value\\\" or TargetResources_0_modifiedProperties.displayName =~ \\\"DelegatedPermissionGrant.Scope\\\"\\n| extend Permissions = split((parse_json(tostring(TargetResources_0_modifiedProperties.newValue))), \\\" \\\")\\n| where Permissions has_any (permissions)\\n| summarize AddedPermissions=make_set(Permissions,200) by CorrelationId\\n| join kind=inner auditList on CorrelationId\\n| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n| extend InitiatingIPAddress = tostring(InitiatedBy.user.ipAddress)\\n| extend InitiatedBy = tostring(iff(isnotempty(InitiatingUserPrincipalName),InitiatingUserPrincipalName, InitiatingAppName))\\n| extend displayName = tostring(TargetResources_0_modifiedProperties.displayName), newValue = tostring(parse_json(tostring(TargetResources_0_modifiedProperties.newValue)))\\n| where displayName == \\\"ServicePrincipal.ObjectID\\\" or displayName == \\\"ServicePrincipal.DisplayName\\\"\\n| extend displayName = case(displayName == \\\"ServicePrincipal.ObjectID\\\", \\\"ServicePrincipalObjectID\\\", displayName == \\\"ServicePrincipal.DisplayName\\\", \\\"ServicePrincipalDisplayName\\\", displayName)\\n| project TimeGenerated, CorrelationId, Id, AddedPermissions = tostring(AddedPermissions), InitiatingAadUserId, InitiatingAppName, InitiatingAppServicePrincipalId, InitiatingIPAddress, InitiatingUserPrincipalName, InitiatedBy, displayName, newValue\\n;\\ndetailsList | project Id, displayName, newValue\\n| evaluate pivot(displayName, make_set(newValue))\\n| join kind=inner detailsList on Id\\n| extend ServicePrincipalObjectID = todynamic(column_ifexists(\\\"ServicePrincipalObjectID\\\", \\\"\\\")), ServicePrincipalDisplayName = todynamic(column_ifexists(\\\"ServicePrincipalDisplayName\\\", \\\"\\\"))\\n| mv-expand ServicePrincipalObjectID, ServicePrincipalDisplayName\\n| project-away Id1, displayName, newValue\\n| extend ServicePrincipalObjectID = tostring(ServicePrincipalObjectID), ServicePrincipalDisplayName = tostring(ServicePrincipalDisplayName)\\n| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), EventIds = make_set(Id,200) by CorrelationId, AddedPermissions, InitiatingAadUserId, InitiatingAppName, InitiatingAppServicePrincipalId, InitiatingIPAddress, InitiatingUserPrincipalName, InitiatedBy, ServicePrincipalDisplayName, ServicePrincipalObjectID\\n| extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatingAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatingAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAppServicePrincipalId\"},{\"identifier\":\"ObjectGuid\",\"columnName\":\"ServicePrincipalObjectID\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIPAddress\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Service Principal Assigned App Role With Sensitive Access\",\"description\":\"Detects a Service Principal being assigned an app role that has sensitive access such as Mail.Read.\\n A threat actor who compromises a Service Principal may assign it an app role to allow it to access sensitive data, or to perform other actions.\\n Ensure that any assignment to a Service Principal is valid and appropriate.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-applications#application-granted-highly-privileged-permissions\",\"lastUpdatedDateUTC\":\"2023-12-30T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/defe4855-0d33-4362-9557-009237623976\",\"name\":\"defe4855-0d33-4362-9557-009237623976\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"Medium\",\"query\":\"let query_frequency = 1h;\\nlet query_period = 1d;\\nAuditLogs\\n| where TimeGenerated \u003e ago(query_frequency)\\n| where Category =~ \\\"UserManagement\\\" and OperationName =~ \\\"Delete user\\\"\\n| mv-expand TargetResource = TargetResources\\n| where TargetResource[\\\"type\\\"] == \\\"User\\\" and TargetResource[\\\"userPrincipalName\\\"] has \\\"#EXT#\\\"\\n| extend ParsedDeletedUserPrincipalName = extract(@\\\"^[0-9a-f]{32}([^\\\\#]+)\\\\#EXT\\\\#\\\", 1, tostring(TargetResource[\\\"userPrincipalName\\\"]))\\n| extend\\n Initiator = iif(isnotempty(InitiatedBy[\\\"app\\\"]), tostring(InitiatedBy[\\\"app\\\"][\\\"displayName\\\"]), tostring(InitiatedBy[\\\"user\\\"][\\\"userPrincipalName\\\"])),\\n InitiatorId = iif(isnotempty(InitiatedBy[\\\"app\\\"]), tostring(InitiatedBy[\\\"app\\\"][\\\"servicePrincipalId\\\"]), tostring(InitiatedBy[\\\"user\\\"][\\\"id\\\"])),\\n Delete_IPAddress = tostring(InitiatedBy[tostring(bag_keys(InitiatedBy)[0])][\\\"ipAddress\\\"])\\n| project Delete_TimeGenerated = TimeGenerated, Category, Identity, Initiator, Delete_IPAddress, OperationName, Result, ParsedDeletedUserPrincipalName, InitiatedBy, AdditionalDetails, TargetResources, InitiatorId, CorrelationId\\n| join kind=inner (\\n SigninLogs\\n | where TimeGenerated \u003e ago(query_period)\\n | where ResultType == 0\\n | summarize take_any(*) by UserPrincipalName\\n | extend ParsedUserPrincipalName = translate(\\\"@\\\", \\\"_\\\", UserPrincipalName)\\n | project SigninLogs_TimeGenerated = TimeGenerated, UserPrincipalName, UserDisplayName, ResultType, ResultDescription, IPAddress, LocationDetails, AppDisplayName, ResourceDisplayName, ClientAppUsed, UserAgent, DeviceDetail, UserId, UserType, OriginalRequestId, ParsedUserPrincipalName\\n ) on $left.ParsedDeletedUserPrincipalName == $right.ParsedUserPrincipalName\\n| where SigninLogs_TimeGenerated \u003e Delete_TimeGenerated\\n| project-away ParsedDeletedUserPrincipalName, ParsedUserPrincipalName\\n| extend\\n AccountName = tostring(split(UserPrincipalName, \\\"@\\\")[0]),\\n AccountUPNSuffix = tostring(split(UserPrincipalName, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Suspicious Login from deleted guest account\",\"description\":\" This query will detect logins from guest account which was recently deleted. \\nFor any successful logins from deleted identities should be investigated further if any existing user accounts have been altered or linked to such identity prior deletion\",\"lastUpdatedDateUTC\":\"2024-01-03T00:00:00Z\",\"createdDateUTC\":\"2022-08-09T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/017e095a-94d8-430c-a047-e51a11fb737b\",\"name\":\"017e095a-94d8-430c-a047-e51a11fb737b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"High\",\"query\":\"let domains =\\n SigninLogs\\n | where ResultType == 0\\n | extend domain = split(UserPrincipalName, \\\"@\\\")[1]\\n | extend domain = tostring(split(UserPrincipalName, \\\"@\\\")[1])\\n | summarize by tolower(tostring(domain));\\n AuditLogs\\n | where Category =~ \\\"ApplicationManagement\\\"\\n | where Result =~ \\\"success\\\"\\n | where OperationName =~ \u0027Update Application\u0027\\n | mv-expand TargetResources\\n | mv-expand TargetResources.modifiedProperties\\n | where TargetResources_modifiedProperties.displayName =~ \\\"AppAddress\\\"\\n | extend Key = tostring(TargetResources_modifiedProperties.displayName)\\n | extend NewValue = TargetResources_modifiedProperties.newValue\\n | extend OldValue = TargetResources_modifiedProperties.oldValue\\n | where isnotempty(Key) and isnotempty(NewValue)\\n | project-reorder Key, NewValue, OldValue\\n | extend NewUrls = extract_all(\u0027\\\"Address\\\":([^,]*)\u0027, tostring(NewValue))\\n | extend OldUrls = extract_all(\u0027\\\"Address\\\":([^,]*)\u0027, tostring(OldValue))\\n | extend AddedUrls = set_difference(NewUrls, OldUrls)\\n | where array_length(AddedUrls) \u003e 0\\n | extend UserAgent = iif(tostring(AdditionalDetails[0].key) == \\\"User-Agent\\\", tostring(AdditionalDetails[0].value), \\\"\\\")\\n | extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n | extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n | extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n | extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n | extend InitiatingIPAddress = tostring(InitiatedBy.user.ipAddress)\\n | extend InitiatedBy = tostring(iff(isnotempty(InitiatingUserPrincipalName),InitiatingUserPrincipalName, InitiatingAppName))\\n | extend AppDisplayName = tostring(TargetResources.displayName)\\n | where isnotempty(AddedUrls)\\n | mv-expand AddedUrls\\n | extend AddedUrls = trim(@\u0027\\\"\u0027, tostring(AddedUrls))\\n | extend Domain = extract(\\\"^(?:https?:\\\\\\\\/\\\\\\\\/)?(?:[^@\\\\\\\\/\\\\\\\\n]+@)?(?:www\\\\\\\\.)?([^:\\\\\\\\/?\\\\\\\\n]+)/\\\", 1, replace_string(tolower(AddedUrls), \u0027\\\"\u0027, \\\"\\\"))\\n | where isnotempty(Domain)\\n | extend Domain = strcat(split(Domain, \\\".\\\")[-2], \\\".\\\", split(Domain, \\\".\\\")[-1])\\n | where Domain !in (domains)\\n | project-reorder TimeGenerated, AppDisplayName, AddedUrls, InitiatedBy, UserAgent, InitiatingIPAddress\\n | extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"AddedUrls\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"InitiatingAppName\"},{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAppServicePrincipalId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatingAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatingAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIPAddress\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"URL Added to Application from Unknown Domain\",\"description\":\"Detects a URL being added to an application where the domain is not one that is associated with the tenant.\\n The query uses domains seen in sign in logs to determine if the domain is associated with the tenant.\\n Applications associated with URLs not controlled by the organization can pose a security risk.\\n Ref: https://learn.microsoft.com/en-gb/entra/architecture/security-operations-applications#application-configuration-changes\",\"lastUpdatedDateUTC\":\"2024-01-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/16da3a2a-af29-48a0-8606-d467c180fe18\",\"name\":\"16da3a2a-af29-48a0-8606-d467c180fe18\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"let Threshold = 1;\\nAzureDiagnostics\\n| where Category =~ \\\"FrontDoorWebApplicationFirewallLog\\\"\\n| where action_s =~ \\\"AnomalyScoring\\\"\\n| where details_msg_s has \\\"SQL Injection\\\"\\n| parse details_data_s with MessageText \\\"Matched Data:\\\" MatchedData \\\"AND \\\" * \\\"table_name FROM \\\" TableName \\\" \\\" *\\n| project trackingReference_s, host_s, requestUri_s, TimeGenerated, clientIP_s, details_matches_s, details_msg_s, details_data_s, TableName, MatchedData\\n| join kind = inner(\\nAzureDiagnostics\\n| where Category =~ \\\"FrontDoorWebApplicationFirewallLog\\\"\\n| where action_s =~ \\\"Block\\\") on trackingReference_s\\n| summarize URI_s = make_set(requestUri_s,100), Table = make_set(TableName,100), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), TrackingReference = make_set(trackingReference_s,100), Matched_Data = make_set(MatchedData,100), Detail_Data = make_set(details_data_s,100), Detail_Message = make_set(details_msg_s,100), Total_TrackingReference = dcount(trackingReference_s) by clientIP_s, host_s, action_s\\n| where Total_TrackingReference \u003e= Threshold\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URI_s\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"clientIP_s\"}]}],\"tactics\":[\"DefenseEvasion\",\"Execution\",\"InitialAccess\",\"PrivilegeEscalation\"],\"displayName\":\"Front Door Premium WAF - SQLi Detection\",\"description\":\"Identifies a match for a SQL Injection attack in the Front Door Premium WAF logs. The threshold value in the query can be changed as per your infrastructure\u0027s requirements.\\nReferences: https://owasp.org/Top10/A03_2021-Injection/\",\"lastUpdatedDateUTC\":\"2023-12-20T00:00:00Z\",\"createdDateUTC\":\"2022-10-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"WAF\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7ee72a9e-2e54-459c-bc8a-8c08a6532a63\",\"name\":\"7ee72a9e-2e54-459c-bc8a-8c08a6532a63\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"High\",\"query\":\"let IPList = dynamic([\\\"154.223.45.38\\\",\\\"185.141.207.140\\\",\\\"185.234.73.19\\\",\\\"216.245.210.106\\\",\\\"51.91.48.210\\\",\\\"46.255.230.229\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where isnotempty(SourceIP) or isnotempty(DestinationIP)\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"Message\\\") \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch\\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\") \\n),\\n(OfficeActivity\\n|extend SourceIPAddress = ClientIP, Account = UserId\\n| where SourceIPAddress in (IPList)\\n| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account\\n),\\n(_Im_Dns (response_has_any_prefix=IPList)\\n| extend DestinationIPAddress = DnsResponseName, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host, AccountCustomEntity=User\\n),\\n(_Im_WebSession (srcipaddr_has_any_prefix=IPList)\\n| extend DestinationIPAddress = DstIpAddr, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host\\n),\\n(_Im_NetworkSession (srcipaddr_has_any_prefix=IPList)\\n| extend DestinationIPAddress = DstIpAddr, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host\\n),\\n(_Im_NetworkSession (dstipaddr_has_any_prefix=IPList)\\n| extend DestinationIPAddress = DstIpAddr, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host\\n),\\n(SigninLogs\\n| where isnotempty(IPAddress)\\n| where IPAddress in (IPList)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n),\\n(AADNonInteractiveUserSignInLogs\\n| where isnotempty(IPAddress)\\n| where IPAddress in (IPList)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n),\\n(W3CIISLog \\n| where isnotempty(cIP)\\n| where cIP in (IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName\\n),\\n(AzureActivity \\n| where isnotempty(CallerIpAddress)\\n| where CallerIpAddress in (IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller\\n),\\n(\\nAWSCloudTrail\\n| where isnotempty(SourceIpAddress)\\n| where SourceIpAddress in (IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName\\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n),\\n(\\nAZFWApplicationRule\\n| where isnotempty(Fqdn)\\n| where Fqdn has_any (IPList) \\n| extend DestinationIP = Fqdn \\n| extend IPCustomEntity = SourceIp\\n),\\n(AZFWNetworkRule\\n| where isnotempty(DestinationIp)\\n| where DestinationIp has_any (IPList) \\n| extend DestinationIP = DestinationIp \\n| extend IPCustomEntity = SourceIp\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = EventDetail.[9].[\\\"#text\\\"], DestinationIP = EventDetail.[14].[\\\"#text\\\"]\\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"[Deprecated] - Known Seashell Blizzard IP\",\"description\":\"This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft\u0027s Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2019-12-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\",\"AZFWApplicationRule\",\"AZFWNetworkRule\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a22740ec-fc1e-4c91-8de6-c29c6450ad00\",\"name\":\"a22740ec-fc1e-4c91-8de6-c29c6450ad00\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.7\",\"severity\":\"Medium\",\"query\":\"let aadFunc = (tableName: string) {\\n table(tableName)\\n | where ResultType == 500121\\n | where Status has \\\"MFA Denied; user declined the authentication\\\" or Status has \\\"MFA denied; Phone App Reported Fraud\\\"\\n | extend Type = Type, PublicIP = IPAddress\\n | extend\\n Name = tostring(split(UserPrincipalName, \u0027@\u0027, 0)[0]),\\n UPNSuffix = tostring(split(UserPrincipalName, \u0027@\u0027, 1)[0])\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet dvcInfo = DeviceInfo\\n | extend SensorHealthState = column_ifexists(\\\"SensorHealthState\\\", \\\"\\\")\\n | where OnboardingStatus == \\\"Onboarded\\\" and SensorHealthState == \\\"Active\\\"\\n | project PublicIP, AadDeviceId;\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\\n| join kind=leftouter dvcInfo on PublicIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"PublicIP\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceId\"}]},{\"entityType\":\"CloudApplication\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"AppDisplayName\"},{\"identifier\":\"AppId\",\"columnName\":\"AppId\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"[Deprecated] Explicit MFA Deny\",\"description\":\"User explicitly denies MFA push, indicating that login was not expected and the account\u0027s password may be compromised.\\nThis rule is deprecated as of July-2024. Alternative rule with similar logic and contex from more data source \\nis available at https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Entra%20ID/Analytic%20Rules/MFARejectedbyUser.yaml\",\"lastUpdatedDateUTC\":\"2024-07-25T00:00:00Z\",\"createdDateUTC\":\"2020-10-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceInfo\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2391ce61-8c8d-41ac-9723-d945b2e90720\",\"name\":\"2391ce61-8c8d-41ac-9723-d945b2e90720\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P8D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.3\",\"severity\":\"Low\",\"query\":\"let starttime = 8d;\\nlet endtime = 1d;\\nlet threshold = 0.333;\\nlet countlimit = 50;\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4625 and AccountType =~ \\\"User\\\"\\n| where IpAddress !in (\\\"127.0.0.1\\\", \\\"::1\\\")\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), CountToday = count() by EventID, Account, LogonTypeName, SubStatus, AccountType, Computer, WorkstationName, IpAddress, Process\\n| join kind=leftouter (\\n SecurityEvent\\n | where TimeGenerated between (ago(starttime) .. ago(endtime))\\n | where EventID == 4625 and AccountType =~ \\\"User\\\"\\n | where IpAddress !in (\\\"127.0.0.1\\\", \\\"::1\\\")\\n | summarize CountPrev7day = count() by EventID, Account, LogonTypeName, SubStatus, AccountType, Computer, WorkstationName, IpAddress\\n) on EventID, Account, LogonTypeName, SubStatus, AccountType, Computer, WorkstationName, IpAddress\\n| where CountToday \u003e= coalesce(CountPrev7day,0)*threshold and CountToday \u003e= countlimit\\n//SubStatus Codes are detailed here - https://docs.microsoft.com/windows/security/threat-protection/auditing/event-4625\\n| extend Reason = case(\\nSubStatus =~ \u00270xC000005E\u0027, \u0027There are currently no logon servers available to service the logon request.\u0027,\\nSubStatus =~ \u00270xC0000064\u0027, \u0027User logon with misspelled or bad user account\u0027,\\nSubStatus =~ \u00270xC000006A\u0027, \u0027User logon with misspelled or bad password\u0027,\\nSubStatus =~ \u00270xC000006D\u0027, \u0027Bad user name or password\u0027,\\nSubStatus =~ \u00270xC000006E\u0027, \u0027Unknown user name or bad password\u0027,\\nSubStatus =~ \u00270xC000006F\u0027, \u0027User logon outside authorized hours\u0027,\\nSubStatus =~ \u00270xC0000070\u0027, \u0027User logon from unauthorized workstation\u0027,\\nSubStatus =~ \u00270xC0000071\u0027, \u0027User logon with expired password\u0027,\\nSubStatus =~ \u00270xC0000072\u0027, \u0027User logon to account disabled by administrator\u0027,\\nSubStatus =~ \u00270xC00000DC\u0027, \u0027Indicates the Sam Server was in the wrong state to perform the desired operation\u0027,\\nSubStatus =~ \u00270xC0000133\u0027, \u0027Clocks between DC and other computer too far out of sync\u0027,\\nSubStatus =~ \u00270xC000015B\u0027, \u0027The user has not been granted the requested logon type (aka logon right) at this machine\u0027,\\nSubStatus =~ \u00270xC000018C\u0027, \u0027The logon request failed because the trust relationship between the primary domain and the trusted domain failed\u0027,\\nSubStatus =~ \u00270xC0000192\u0027, \u0027An attempt was made to logon, but the Netlogon service was not started\u0027,\\nSubStatus =~ \u00270xC0000193\u0027, \u0027User logon with expired account\u0027,\\nSubStatus =~ \u00270xC0000224\u0027, \u0027User is required to change password at next logon\u0027,\\nSubStatus =~ \u00270xC0000225\u0027, \u0027Evidently a bug in Windows and not a risk\u0027,\\nSubStatus =~ \u00270xC0000234\u0027, \u0027User logon with account locked\u0027,\\nSubStatus =~ \u00270xC00002EE\u0027, \u0027Failure Reason: An Error occurred during Logon\u0027,\\nSubStatus =~ \u00270xC0000413\u0027, \u0027Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine\u0027,\\nstrcat(\u0027Unknown reason substatus: \u0027, SubStatus))\\n| extend WorkstationName = iff(WorkstationName == \\\"-\\\" or isempty(WorkstationName), Computer , WorkstationName)\\n| project StartTime, EndTime, EventID, Account, LogonTypeName, SubStatus, Reason, AccountType, Computer, WorkstationName, IpAddress, CountToday, CountPrev7day, Avg7Day = round(CountPrev7day*1.00/7,2), Process\\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), Computer = make_set(Computer,128), IpAddressList = make_set(IpAddress,128), sum(CountToday), sum(CountPrev7day), avg(Avg7Day)\\nby EventID, Account, LogonTypeName, SubStatus, Reason, AccountType, WorkstationName, Process\\n| order by sum_CountToday desc nulls last\\n| extend timestamp = StartTime, NTDomain = tostring(split(Account, \u0027\\\\\\\\\u0027, 0)[0]), Name = tostring(split(Account, \u0027\\\\\\\\\u0027, 1)[0]), HostName = tostring(split(WorkstationName, \u0027.\u0027, 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(WorkstationName, \u0027.\u0027), 1, -1), \u0027.\u0027))\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"NTDomain\",\"columnName\":\"NTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"WorkstationName\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"Process\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Excessive Windows Logon Failures\",\"description\":\"This query identifies user accounts which has over 50 Windows logon failures today and at least 33% of the count of logon failures over the previous 7 days.\",\"lastUpdatedDateUTC\":\"2024-03-13T00:00:00Z\",\"createdDateUTC\":\"2019-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a3c144f9-8051-47d4-ac29-ffb0c312c910\",\"name\":\"a3c144f9-8051-47d4-ac29-ffb0c312c910\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.7\",\"severity\":\"High\",\"query\":\"let SunburstMD5=dynamic([\\\"b91ce2fa41029f6955bff20079468448\\\",\\\"02af7cec58b9a5da1c542b5a32151ba1\\\",\\\"2c4a910a1299cdae2a4e55988a2f102e\\\",\\\"846e27a652a5e1bfbd0ddd38a16dc865\\\",\\\"4f2eb62fa529c0283b28d05ddd311fae\\\"]);\\nlet SupernovaMD5=\\\"56ceb6d0011d87b6e4d7023d7ef85676\\\";\\nDeviceFileEvents\\n| where MD5 in(SunburstMD5) or MD5 in(SupernovaMD5)\\n| extend HashAlgorithm = \\\"MD5\\\"\\n| extend HostName = tostring(split(DeviceName, \\\".\\\")[0]), DomainIndex = toint(indexof(DeviceName, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(DeviceName, DomainIndex + 1), DeviceName)\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DeviceName\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingProcessAccountUpn\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatingProcessAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatingProcessAccountDomain\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"HashAlgorithm\"},{\"identifier\":\"Value\",\"columnName\":\"MD5\"}]}],\"tactics\":[\"Execution\",\"Persistence\",\"InitialAccess\"],\"displayName\":\"SUNBURST and SUPERNOVA backdoor hashes\",\"description\":\"Identifies SolarWinds SUNBURST and SUPERNOVA backdoor file hash IOCs in DeviceFileEvents\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\",\"lastUpdatedDateUTC\":\"2024-04-04T00:00:00Z\",\"createdDateUTC\":\"2022-04-12T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3af9285d-bb98-4a35-ad29-5ea39ba0c628\",\"name\":\"3af9285d-bb98-4a35-ad29-5ea39ba0c628\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.7\",\"severity\":\"Low\",\"query\":\"let threshold = 1; // Modify this threshold value to reduce false positives based on your environment\\nlet aadFunc = (tableName:string){\\ntable(tableName)\\n| where ConditionalAccessStatus == 1 or ConditionalAccessStatus =~ \\\"failure\\\"\\n| mv-apply CAP = parse_json(ConditionalAccessPolicies) on (\\n project ConditionalAccessPoliciesName = CAP.displayName, result = CAP.result\\n | where result =~ \\\"failure\\\"\\n)\\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(Status), LocationDetails = todynamic(LocationDetails)\\n| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\\n| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion)\\n| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\n| extend Status = strcat(StatusCode, \\\": \\\", ResultDescription)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), Status = make_list(Status,10), StatusDetails = make_list(StatusDetails,50), IPAddresses = make_list(IPAddress,100), IPAddressCount = dcount(IPAddress), CorrelationIds = make_list(CorrelationId,100), ConditionalAccessPoliciesName = make_list(ConditionalAccessPoliciesName,100)\\nby UserPrincipalName, UserId, AppDisplayName, tostring(Browser), tostring(OS), City, State, Region, Type\\n| where IPAddressCount \u003e threshold and StatusDetails !has \\\"MFA successfully completed\\\"\\n| mv-expand IPAddresses, Status, StatusDetails, CorrelationIds\\n| extend Status = strcat(Status, \\\" \\\", StatusDetails)\\n| summarize IPAddresses = make_set(IPAddresses,100), Status = make_set(Status,10), CorrelationIds = make_set(CorrelationIds,100), ConditionalAccessPoliciesName = make_set(ConditionalAccessPoliciesName,100)\\nby StartTime, EndTime, UserPrincipalName, UserId, AppDisplayName, tostring(Browser), tostring(OS), City, State, Region, IPAddressCount, Type\\n| extend IPAddressFirst = tostring(IPAddresses[0]), Name = tostring(split(UserPrincipalName, \\\"@\\\")[0]), UPNSuffix = tostring(split(UserPrincipalName, \\\"@\\\")[1])\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"UserId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddressFirst\"}]}],\"tactics\":[\"InitialAccess\",\"Persistence\"],\"displayName\":\"Attempt to bypass conditional access rule in Microsoft Entra ID\",\"description\":\"Identifies an attempt to Bypass conditional access rule(s) in Microsoft Entra ID.\\nThe ConditionalAccessStatus column value details if there was an attempt to bypass Conditional Access or if the Conditional access rule was not satisfied (ConditionalAccessStatus == 1).\\nReferences:\\nhttps://docs.microsoft.com/azure/active-directory/conditional-access/overview\\nhttps://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins\\nhttps://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\nConditionalAccessStatus == 0 // Success\\nConditionalAccessStatus == 1 // Failure\\nConditionalAccessStatus == 2 // Not Applied\\nConditionalAccessStatus == 3 // unknown\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/71d374e0-1cf8-4e50-aecd-ab6c519795c2\",\"name\":\"71d374e0-1cf8-4e50-aecd-ab6c519795c2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Low\",\"query\":\"AzureDevOpsAuditing\\n| where OperationName =~ \\\"Pipelines.PipelineRetentionSettingChanged\\\"\\n| where Data.SettingName in (\\\"PurgeArtifacts\\\", \\\"PurgeRuns\\\")\\n| where Data.NewValue == 1 or Data.NewValue \u003c Data.OldValue/2\\n| project-reorder TimeGenerated, OperationName, ActorUPN, IpAddress, UserAgent, Data\\n| extend timestamp = TimeGenerated\\n| extend AccountName = tostring(split(ActorUPN, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(ActorUPN, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ActorUPN\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure DevOps Retention Reduced\",\"description\":\"AzureDevOps retains items such as run records and produced artifacts for a configurable amount of time. An attacker looking to reduce the footprint left by their malicious activity may look to reduce the retention time for artifacts and runs.\\nThis query will look for where retention has been reduced to the minimum level - 1, or reduced by more than half.\",\"lastUpdatedDateUTC\":\"2024-03-13T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4acd3a04-2fad-4efc-8a4b-51476594cec4\",\"name\":\"4acd3a04-2fad-4efc-8a4b-51476594cec4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.6\",\"severity\":\"Medium\",\"query\":\"let triThreshold = 500;\\nlet startTime = 6h;\\nlet dgaLengthThreshold = 8;\\n// fetch the alexa top 1M domains\\nlet top1M = (externaldata (Position:int, Domain:string) [@\\\"http://s3-us-west-1.amazonaws.com/umbrella-static/top-1m.csv.zip\\\"] with (format=\\\"csv\\\", zipPattern=\\\"*.csv\\\"));\\n// extract tri grams that are above our threshold - i.e. are common\\nlet triBaseline = top1M\\n| extend Domain = tolower(extract(\\\"([^.]*).{0,7}$\\\", 1, Domain))\\n| extend AllTriGrams = array_concat(extract_all(\\\"(...)\\\", Domain), extract_all(\\\"(...)\\\", substring(Domain, 1)), extract_all(\\\"(...)\\\", substring(Domain, 2)))\\n| mvexpand Trigram=AllTriGrams\\n| summarize triCount=count() by tostring(Trigram)\\n| sort by triCount desc\\n| where triCount \u003e triThreshold\\n| distinct Trigram;\\n// collect domain information from common security log, filter and extract the DGA candidate and its trigrams\\nlet allDataSummarized = CommonSecurityLog\\n| where TimeGenerated \u003e ago(startTime)\\n| where isnotempty(DestinationHostName)\\n| extend Name = tolower(DestinationHostName)\\n| distinct Name\\n| where Name has \\\".\\\"\\n| where Name !endswith \\\".home\\\" and Name !endswith \\\".lan\\\"\\n// extract DGA candidate\\n| extend DGADomain = extract(\\\"([^.]*).{0,7}$\\\", 1, Name)\\n| where strlen(DGADomain) \u003e dgaLengthThreshold\\n// throw out domains with number in them\\n| where DGADomain matches regex \\\"^[A-Za-z]{0,}$\\\"\\n// extract the tri grams from summarized data\\n| extend AllTriGrams = array_concat(extract_all(\\\"(...)\\\", DGADomain), extract_all(\\\"(...)\\\", substring(DGADomain, 1)), extract_all(\\\"(...)\\\", substring(DGADomain, 2)));\\n// throw out domains that have repeating tri\u0027s and/or \u003e=3 repeating letters\\nlet nonRepeatingTris = allDataSummarized\\n| join kind=leftanti\\n(\\n allDataSummarized\\n | mvexpand AllTriGrams\\n | summarize count() by tostring(AllTriGrams), DGADomain\\n | where count_ \u003e 1\\n | distinct DGADomain\\n)\\non DGADomain;\\n// find domains that do not have a common tri in the baseline\\nlet dataWithRareTris = nonRepeatingTris\\n| join kind=leftanti\\n(\\n nonRepeatingTris\\n | mvexpand AllTriGrams\\n | extend Trigram = tostring(AllTriGrams)\\n | distinct Trigram, DGADomain\\n | join kind=inner\\n (\\n triBaseline\\n )\\n on Trigram\\n | distinct DGADomain\\n)\\non DGADomain;\\ndataWithRareTris\\n// join DGAs back on connection data\\n| join kind=inner\\n(\\n CommonSecurityLog\\n | where TimeGenerated \u003e ago(startTime)\\n | where isnotempty(DestinationHostName)\\n | extend DestinationHostName = tolower(DestinationHostName)\\n | project-rename Name=DestinationHostName, DataSource=DeviceVendor\\n | summarize StartTime=min(TimeGenerated), EndTime=max(TimeGenerated) by Name, SourceIP, DestinationIP, DataSource\\n)\\non Name\\n| project StartTime, EndTime, Name, DGADomain, SourceIP, DestinationIP, DataSource\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"Name\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Possible contact with a domain generated by a DGA\",\"description\":\"Identifies contacts with domains names in CommonSecurityLog that might have been generated by a Domain Generation Algorithm (DGA). DGAs can be used by malware to generate rendezvous points that are difficult to predict in advance.\\nThis detection uses the Alexa Top 1 million domain names to build a model of what normal domains look like. It uses this to identify domains that may have been randomly generated by an algorithm.\\nThe triThreshold is set to 500 - increase this to report on domains that are less likely to have been randomly generated, decrease it for more likely.\\nThe start time and end time look back over 6 hours of data and the dgaLengthThreshold is set to 8 - meaning domains whose length is 8 or more are reported.\\nNOTE - The top1M csv zip file used in the query is dynamic and may produce different results over various time periods. It\u0027s important to cross-check the events against the entities involved in the incident.\",\"lastUpdatedDateUTC\":\"2024-10-17T00:00:00Z\",\"createdDateUTC\":\"2020-03-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Barracuda\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d7424fd9-abb3-4ded-a723-eebe023aaa0b\",\"name\":\"d7424fd9-abb3-4ded-a723-eebe023aaa0b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"// Administrative roles to look for, default is all admin roles\\nlet roles = dynamic([\\\"Administrator\\\", \\\"Admin\\\"]);\\n// The maximum distances between and invite and acceptance\\nlet maxTimeBetweenInviteAccept = 30min;\\n// The delta (minutes) between the invite being sent and the account being escalated\\nlet deltaBetweenInviteEscalation = 60;\\n// Collect external user invitations\\nlet invite = AuditLogs\\n| where Category =~ \\\"UserManagement\\\"\\n| where OperationName =~ \\\"Invite external user\\\"\\n| extend Target = tostring(TargetResources[0].[\\\"userPrincipalName\\\"])\\n| extend InviteInitiator = tostring(InitiatedBy.[\\\"user\\\"].[\\\"userPrincipalName\\\"])\\n| where isnotempty(InviteInitiator);\\n// Collect redeem events\\nlet redeem = AuditLogs\\n| where Category =~ \\\"UserManagement\\\"\\n| where OperationName =~ \\\"Redeem external user invite\\\"\\n| where Result =~ \\\"success\\\"\\n| extend Target = tostring(TargetResources[0].[\\\"displayName\\\"]) | extend Target = tostring(extract(@\\\"UPN\\\\:\\\\s(.+)\\\\,\\\\sEmail\\\",1,Target))\\n| where isnotempty(Target);\\n// Union the inivtation and redeem data then run the sequence_detect kusto plugin\\ninvite\\n| union redeem\\n| order by TimeGenerated\\n| project TimeGenerated, Target, InviteInitiator, OperationName, TenantId\\n| evaluate sequence_detect(TimeGenerated, maxTimeBetweenInviteAccept, maxTimeBetweenInviteAccept, invite=(OperationName has \\\"Invite external user\\\"), redeem=(OperationName has \\\"Redeem external user invite\\\"), Target)\\n| join kind=innerunique (\\nAuditLogs\\n| where Category =~ \\\"RoleManagement\\\"\\n| where AADOperationType in~ (\\\"Assign\\\", \\\"AssignEligibleRole\\\")\\n| where ActivityDisplayName has_any (\\\"Add eligible member to role\\\", \\\"Add member to role\\\")\\n| mv-expand TargetResources\\n// Limit to external accounts\\n| where TargetResources.userPrincipalName has \\\"EXT\\\"\\n| mv-expand TargetResources.modifiedProperties\\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\\n| where displayName_ =~ \\\"Role.DisplayName\\\"\\n| extend RoleName = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\\n// Perform check for admin roles\\n| where RoleName has_any(roles)\\n| extend InitiatingApp = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n| extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName))\\n| where Initiator != \\\"MS-PIM\\\"\\n| extend Target = tostring(TargetResources.userPrincipalName)\\n| summarize by TimeGenerated, OperationName, RoleName, Target, Initiator, Result\\n) on Target\\n// Calculate delta between the invite and the account escalation\\n| extend delta = datetime_diff(\\\"minute\\\", TimeGenerated, invite_TimeGenerated)\\n| where delta \u003c= deltaBetweenInviteEscalation\\n| project InvitationTime=invite_TimeGenerated, RedeemTime=redeem_TimeGenerated, GrantTime=TimeGenerated, ExternalUser=Target, RoleGranted=RoleName, AdminInitiator=Initiator, MinsBetweenInviteAndEscalation=delta\\n| extend ExternalUserName = tostring(split(ExternalUser, \u0027@\u0027, 0)[0]), ExternalUserUPNSuffix = tostring(split(ExternalUser, \u0027@\u0027, 1)[0])\\n| extend AdminInitiatorName = tostring(split(AdminInitiator, \u0027@\u0027, 0)[0]), AdminInitiatorUPNSuffix = tostring(split(AdminInitiator, \u0027@\u0027, 1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"ExternalUserName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"ExternalUserUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"AdminInitiatorName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AdminInitiatorUPNSuffix\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"New External User Granted Admin Role\",\"description\":\"This query will detect instances where a newly invited external user is granted an administrative role.\\nBy default this query will alert on any granted administrative role, however this can be modified using the roles variable if false positives occur in your environment. The maximum delta between invite and escalation to admin is 60 minues, this can be configured using the deltaBetweenInviteEscalation variable.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-06-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/90586451-7ba8-4c1e-9904-7d1b7c3cc4d6\",\"name\":\"90586451-7ba8-4c1e-9904-7d1b7c3cc4d6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Azure Security Center\",\"severitiesFilter\":[\"Low\",\"Medium\",\"High\"],\"displayName\":\"Create incidents based on Microsoft Defender for Cloud\",\"description\":\"Create incidents based on all alerts generated in Microsoft Defender for Cloud\",\"lastUpdatedDateUTC\":\"2021-07-25T00:00:00Z\",\"createdDateUTC\":\"2019-07-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert (ASC)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/532c1811-79ee-4d9f-8d4d-6304c840daa1\",\"name\":\"532c1811-79ee-4d9f-8d4d-6304c840daa1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Azure Active Directory Identity Protection\",\"displayName\":\"Create incidents based on Azure Active Directory Identity Protection alerts\",\"description\":\"Create incidents based on all alerts generated in Azure Active Directory Identity Protection\",\"lastUpdatedDateUTC\":\"2019-07-16T00:00:00Z\",\"createdDateUTC\":\"2019-07-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectoryIdentityProtection\",\"dataTypes\":[\"SecurityAlert (IPC)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a357535e-f722-4afe-b375-cff362b2b376\",\"name\":\"a357535e-f722-4afe-b375-cff362b2b376\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.6\",\"severity\":\"Medium\",\"query\":\"(union isfuzzy=true\\n(OfficeActivity | where UserAgent != \\\"\\\"),\\n(OfficeActivity\\n| where RecordType in (\\\"AzureActiveDirectory\\\", \\\"AzureActiveDirectoryStsLogon\\\")\\n| extend OperationName = Operation\\n| parse ExtendedProperties with * \u0027User-Agent\\\\\\\\\\\":\\\\\\\\\\\"\u0027 UserAgent2 \u0027\\\\\\\\\u0027 *\\n| parse ExtendedProperties with * \u0027UserAgent\\\", \\\"Value\\\": \\\"\u0027 UserAgent1 \u0027\\\"\u0027 *\\n| where isnotempty(UserAgent1) or isnotempty(UserAgent2)\\n| extend UserAgent = iff( RecordType == \u0027AzureActiveDirectoryStsLogon\u0027, UserAgent1, UserAgent2)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = ClientIP, Account = UserId, Type, RecordType, Operation\\n),\\n(AzureDiagnostics\\n| where ResourceType =~ \\\"APPLICATIONGATEWAYS\\\"\\n| where OperationName =~ \\\"ApplicationGatewayAccess\\\"\\n| extend ClientIP = columnifexists(\\\"clientIP_s\\\", \\\"None\\\"), UserAgent = columnifexists(\\\"userAgent_s\\\", \\\"None\\\")\\n| where UserAgent != \u0027-\u0027\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = ClientIP, requestUri_s, httpMethod_s, host_s, requestQuery_s, Type\\n),\\n(\\nW3CIISLog\\n| where isnotempty(csUserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent = csUserAgent, SourceIP = cIP, Account = csUserName, Type, sSiteName, csMethod, csUriStem\\n),\\n(\\nAWSCloudTrail\\n| where isnotempty(UserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = SourceIpAddress, Account = UserIdentityUserName, Type, EventSource, EventName\\n),\\n(SigninLogs\\n| where isnotempty(UserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = IPAddress, Account = UserPrincipalName, Type, OperationName, tostring(LocationDetails), tostring(DeviceDetail), AppDisplayName, ClientAppUsed\\n),\\n(AADNonInteractiveUserSignInLogs\\n| where isnotempty(UserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = IPAddress, Account = UserPrincipalName, Type, OperationName, tostring(LocationDetails), tostring(DeviceDetail), AppDisplayName, ClientAppUsed\\n)\\n)\\n// Likely artefact of hardcoding\\n| where UserAgent startswith \\\"User\\\" or UserAgent startswith \u0027\\\\\\\"\u0027\\n// Incorrect casing\\nor (UserAgent startswith \\\"Mozilla\\\" and not(UserAgent contains_cs \\\"Mozilla\\\"))\\n// Incorrect casing\\nor UserAgent contains_cs \\\"(Compatible;\\\"\\n// Missing MSIE version\\nor UserAgent matches regex @\\\"MSIE\\\\s?;\\\"\\n// Incorrect spacing around MSIE version\\nor UserAgent matches regex @\\\"MSIE(?:\\\\d|.{1,5}?\\\\d\\\\s;)\\\"\\n| extend AccountName = split(Account, \\\"@\\\")[0], UPNSuffix = split(Account, \\\"@\\\")[1]\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]}],\"tactics\":[\"InitialAccess\",\"CommandAndControl\",\"Execution\"],\"displayName\":\"Malformed user agent\",\"description\":\"Malware authors will sometimes hardcode user agent string values when writing the network communication component of their malware. Malformed user agents can be an indication of such malware.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2019-01-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"WAF\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/56f3f35c-3aca-4437-a1fb-b7a84dc4af00\",\"name\":\"56f3f35c-3aca-4437-a1fb-b7a84dc4af00\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n | where EventID == 4657\\n | parse ObjectName with \\\"\\\\\\\\REGISTRY\\\\\\\\\\\" KeyPrefix \\\"\\\\\\\\\\\" RegistryKey\\n | project-reorder RegistryKey\\n | where RegistryKey has \\\"Software\\\\\\\\Classes\\\\\\\\ms-settings\\\\\\\\shell\\\\\\\\open\\\\\\\\command\\\"\\n | extend TimeKey = bin(TimeGenerated, 1h)\\n | join (\\n SecurityEvent\\n | where EventID == 4688\\n | where Process =~ \\\"fodhelper.exe\\\"\\n | where ParentProcessName endswith \\\"cmd.exe\\\" or ParentProcessName endswith \\\"powershell.exe\\\" or ParentProcessName endswith \\\"powershell_ise.exe\\\"\\n | extend TimeKey = bin(TimeGenerated, 1h)) on TimeKey, Computer\\n | extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n | extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n | extend AccountName = tostring(split(TargetAccount, @\u0027\\\\\u0027)[1]), AccountNTDomain = tostring(split(TargetAccount, @\u0027\\\\\u0027)[0])\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetAccount\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountNTDomain\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Potential Fodhelper UAC Bypass\",\"description\":\"This detection looks for the steps required to conduct a UAC bypass using Fodhelper.exe. By default this detection looks for the setting of the required registry keys and the invoking of the process within 1 hour - this can be tweaked as required.\",\"lastUpdatedDateUTC\":\"2024-03-13T00:00:00Z\",\"createdDateUTC\":\"2022-02-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1cc0ba27-c5ca-411a-a779-fbc89e26be83\",\"name\":\"1cc0ba27-c5ca-411a-a779-fbc89e26be83\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Medium\",\"query\":\"// Filter alerts from specific Microsoft security products with medium and high severity\\nSecurityAlert \\n| where ProductName in (\\\"Microsoft 365 Defender\\\", \\\"Azure Active Directory\\\", \\\"Microsoft Defender Advanced Threat Protection\\\", \\\"Microsoft Cloud App Security\\\", \\\"Azure Active Directory Identity Protection\\\", \\\"Microsoft Defender ATP\\\")\\n| where AlertSeverity has_any (\\\"Medium\\\", \\\"High\\\")\\n// Parse JSON entities and extend AlertTimeGenerated\\n| extend Entities = parse_json(Entities), AlertTimeGenerated=TimeGenerated\\n// Extract and process IP entities\\n| mv-apply Entity = Entities on \\n ( \\n where Entity.Type == \u0027ip\u0027 \\n | extend EntityIp = tostring(Entity.Address) \\n ) \\n// Extract and process account entities\\n| mv-apply Entity = Entities on \\n ( \\n where Entity.Type == \u0027account\u0027 \\n | extend AccountObjectId = tostring(Entity.AadUserId)\\n )\\n// Filter out records with empty EntityIp\\n| where isnotempty(EntityIp)\\n// Summarize data and create sets of entities and system alert IDs\\n| summarize Entitys=make_set(Entity), SystemAlertIds=make_set(SystemAlertId)\\n by \\n AlertName,\\n ProductName,\\n AlertSeverity,\\n EntityIp,\\n Tactics,\\n Techniques,\\n ProviderName,\\n AlertTime= bin(AlertTimeGenerated, 1d),\\n AccountObjectId\\n// Join with GCPAuditLogs for VM instance creation\\n| join kind=inner (\\n GCPAuditLogs\\n | where ServiceName == \\\"compute.googleapis.com\\\" and MethodName endswith \\\"instances.insert\\\"\\n | extend\\n GCPUserUPN= tostring(parse_json(AuthenticationInfo).principalEmail),\\n GCPUserIp = tostring(parse_json(RequestMetadata).callerIp),\\n GCPUserUA= tostring(parse_json(RequestMetadata).callerSuppliedUserAgent),\\n VMStatus = tostring(parse_json(Response).status),\\n VMOperation=tostring(parse_json(Response).operationType),\\n VMName= tostring(parse_json(Request).name),\\n VMType = tostring(split(parse_json(Request).machineType, \\\"/\\\")[-1])\\n | where GCPUserUPN !has \\\"gserviceaccount.com\\\"\\n | where VMOperation == \\\"insert\\\" and isnotempty(GCPUserIp) and GCPUserIp != \\\"private\\\"\\n | project\\n GCPOperationTime=TimeGenerated,\\n VMName,\\n VMStatus,\\n MethodName,\\n GCPUserUPN,\\n ProjectId,\\n GCPUserIp,\\n GCPUserUA,\\n VMOperation,\\n VMType\\n )\\n on $left.EntityIp == $right.GCPUserIp \\n// Join with IdentityInfo to enrich user identity details\\n| join kind=inner (IdentityInfo \\n | distinct AccountObjectId, AccountUPN, JobTitle\\n )\\n on AccountObjectId \\n// Calculate the time difference between the alert and VM creation for further analysis\\n| extend TimeDiff= datetime_diff(\u0027day\u0027, AlertTime, GCPOperationTime),Name = split(GCPUserUPN, \\\"@\\\")[0], UPNSuffix = split(GCPUserUPN, \\\"@\\\")[1]\",\"customDetails\":{\"AlertName\":\"AlertName\",\"AlertProDuctName\":\"ProductName\",\"AlertUserName\":\"AccountUPN\",\"AlertUserObjectId\":\"AccountObjectId\",\"AlertIds\":\"SystemAlertIds\",\"AlertIp\":\"EntityIp\",\"GCPUserAgent\":\"GCPUserUA\",\"GCPVMName\":\"VMName\",\"GCPProjectId\":\"ProjectId\",\"GCPVMType\":\"VMType\",\"CorrelationWith\":\"GCPAuditLogs\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"GCPUserIp\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"GCPUserUPN\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"IP address {{GCPUserIp}} Assocated with {{AlertName}} found in GCP VM creation event by {{GCPUserUPN}}\",\"alertDescriptionFormat\":\"This detection correlates \u0027{{ProductName}}\u0027 Alert IP addresse Entity found in VM instance creation in GCP {{ProjectId}}. It identifies successful compute instance creation, from suspicious IP addresse. By joining these datasets on network entities and IP addresses, it detects unauthorized Initial access attempts across GCP environments.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":\"AlertSeverity\"},\"tactics\":[\"InitialAccess\",\"Execution\",\"Discovery\"],\"displayName\":\"Suspicious VM Instance Creation Activity Detected\",\"description\":\"This detection identifies high-severity alerts across various Microsoft security products, including Microsoft Defender XDR and Microsoft Entra ID, and correlates them with instances of Google Cloud VM creation. It focuses on instances where VMs were created within a short timeframe of high-severity alerts, potentially indicating suspicious activity.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2023-10-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"GCPAuditLogsDefinition\",\"dataTypes\":[\"GCPAuditLogs\"]},{\"connectorId\":\"AzureActiveDirectoryIdentityProtection\",\"dataTypes\":[\"SecurityAlert (IPC)\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"MicrosoftDefenderAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert (MDATP)\"]},{\"connectorId\":\"MicrosoftCloudAppSecurity\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"IdentityInfo\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2441bce9-02e4-407b-8cc7-7d597f38b8b0\",\"name\":\"2441bce9-02e4-407b-8cc7-7d597f38b8b0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.4.3\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h; // Look back 1 hour for AzureActivity logs\\nlet ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators\\n// Fetch threat intelligence indicators related to IP addresses\\nlet IP_Indicators = ThreatIntelligenceIndicator\\n // Filter out indicators without relevant IP address fields\\n | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n | where TimeGenerated \u003e= ago(ioc_lookBack)\\n // Select the IP entity based on availability of different IP fields\\n | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n // Exclude local addresses using the ipv4_is_private operator and filtering out specific address prefixes\\n | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \\\"fe80\\\" and TI_ipEntity !startswith \\\"::\\\" and TI_ipEntity !startswith \\\"127.\\\"\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n | where Active == true and ExpirationDateTime \u003e now();\\n// Perform a join between IP indicators and AzureActivity logs to identify potential malicious activity\\nIP_Indicators\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n AzureActivity | where TimeGenerated \u003e= ago(dt_lookBack)\\n // renaming time column so it is clear the log this came from\\n | extend AzureActivity_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.CallerIpAddress\\n| where AzureActivity_TimeGenerated \u003c ExpirationDateTime\\n| summarize AzureActivity_TimeGenerated = arg_max(AzureActivity_TimeGenerated, *) by IndicatorId, CallerIpAddress\\n| project AzureActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, CallerIpAddress, \\nCaller, OperationNameValue, ActivityStatusValue, CategoryValue, ResourceId, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, Type\\n| extend timestamp = AzureActivity_TimeGenerated\\n| extend Name = iif(Caller has \u0027@\u0027, tostring(split(Caller,\u0027@\u0027,0)[0]), \\\"\\\")\\n| extend UPNSuffix = iif(Caller has \u0027@\u0027, tostring(split(Caller,\u0027@\u0027,1)[0]), \\\"\\\")\\n| extend AadUserId = iif(Caller !has \u0027@\u0027, tostring(Caller), \\\"\\\")\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Caller\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"AadUserId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"CallerIpAddress\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceId\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"TI Map IP Entity to AzureActivity\",\"description\":\"This query maps any IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in AzureActivity.\",\"lastUpdatedDateUTC\":\"2024-07-09T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bda5a2bd-979b-4828-a91f-27c2a5048f7f\",\"name\":\"bda5a2bd-979b-4828-a91f-27c2a5048f7f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT30M\",\"queryPeriod\":\"PT30M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"let lbtime = 30m;\\nlet msgthreshold = 3;\\nlet compressedTypes = dynamic([\u0027zip\u0027, \u0027rar\u0027, \u0027tar\u0027, \u0027x-7z-compressed\u0027]);\\nProofpointPOD\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027outbound\u0027\\n| extend attachedMimeType = todynamic(MsgParts)[0][\u0027detectedMime\u0027]\\n| where attachedMimeType has_any (compressedTypes)\\n| summarize count(), make_set(attachedMimeType) by SrcUserUpn, DstUserUpn\\n| where count_ \u003e msgthreshold\\n| extend AccountCustomEntity = SrcUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"ProofpointPOD - Multiple archived attachments to the same recipient\",\"description\":\"Detects when multiple emails where sent to the same recipient with large archived attachments.\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/adc32a33-1cd6-46f5-8801-e3ed8337885f\",\"name\":\"adc32a33-1cd6-46f5-8801-e3ed8337885f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"// Add any known allowed sources and source locations to the filter below (the NuGet Gallery has been added here as an example).\\nlet allowed_sources = dynamic([\\\"NuGet Gallery\\\"]);\\nlet allowed_locations = dynamic([\\\"https://api.nuget.org/v3/index.json\\\"]);\\nAzureDevOpsAuditing\\n// Look for feeds created or modified at either the organization or project level\\n| where OperationName matches regex \\\"Artifacts.Feed.(Org|Project).Modify\\\"\\n| where Details has \\\"UpstreamSources, added\\\"\\n| extend FeedName = tostring(Data.FeedName)\\n| extend FeedId = tostring(Data.FeedId)\\n| extend UpstreamsAdded = Data.UpstreamsAdded\\n// As multiple feeds may be added expand these out\\n| mv-expand UpstreamsAdded\\n// Only focus on external feeds\\n| where UpstreamsAdded.UpstreamSourceType !~ \\\"internal\\\"\\n| extend SourceLocation = tostring(UpstreamsAdded.Location)\\n| extend SourceName = tostring(UpstreamsAdded.Name)\\n// Exclude sources and locations in the allow list\\n| where SourceLocation !in (allowed_locations) and SourceName !in (allowed_sources)\\n| extend SourceProtocol = tostring(UpstreamsAdded.Protocol)\\n| extend SourceStatus = tostring(UpstreamsAdded.Status)\\n| project-reorder TimeGenerated, OperationName, ScopeDisplayName, ProjectName, FeedName, SourceName, SourceLocation, SourceProtocol, ActorUPN, UserAgent, IpAddress\\n| extend timestamp = TimeGenerated\\n| extend AccountName = tostring(split(ActorUPN, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(ActorUPN, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ActorUPN\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"External Upstream Source Added to Azure DevOps Feed\",\"description\":\"The detection looks for new external sources added to an Azure DevOps feed. An allow list can be customized to explicitly allow known good sources. \\nAn attacker could look to add a malicious feed in order to inject malicious packages into a build pipeline.\",\"lastUpdatedDateUTC\":\"2024-03-13T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ab4b6944-a20d-42ab-8b63-238426525801\",\"name\":\"ab4b6944-a20d-42ab-8b63-238426525801\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"High\",\"query\":\"let domains = dynamic([\\\"incomeupdate.com\\\",\\\"zupertech.com\\\",\\\"databasegalore.com\\\",\\\"panhardware.com\\\",\\\"avsvmcloud.com\\\",\\\"digitalcollege.org\\\",\\\"freescanonline.com\\\",\\\"deftsecurity.com\\\",\\\"thedoccloud.com\\\",\\\"virtualdataserver.com\\\",\\\"lcomputers.com\\\",\\\"webcodez.com\\\",\\\"globalnetworkissues.com\\\",\\\"kubecloud.com\\\",\\\"seobundlekit.com\\\",\\\"solartrackingsystem.net\\\",\\\"virtualwebdata.com\\\"]);\\nlet timeframe = 1h;\\nlet connections = VMConnection \\n | where TimeGenerated \u003e= ago(timeframe)\\n | extend DNSName = set_union(todynamic(RemoteDnsCanonicalNames),todynamic(RemoteDnsQuestions))\\n | mv-expand DNSName\\n | where isnotempty(DNSName)\\n | where DNSName has_any (domains)\\n | extend IPCustomEntity = RemoteIp\\n | summarize TimeGenerated = arg_min(TimeGenerated, *), requests = count() by IPCustomEntity, DNSName = tostring(DNSName), AgentId, Machine, Process;\\nlet processes = VMProcess\\n | where TimeGenerated \u003e= ago(timeframe)\\n | project AgentId, Machine, Process, UserName, UserDomain, ExecutablePath, CommandLine, FirstPid\\n | extend exePathArr = split(ExecutablePath, \\\"\\\\\\\\\\\")\\n | extend DirectoryName = array_strcat(array_slice(exePathArr, 0, array_length(exePathArr) - 2), \\\"\\\\\\\\\\\")\\n | extend Filename = array_strcat(array_slice(exePathArr, array_length(exePathArr) - 1, array_length(exePathArr)), \\\"\\\\\\\\\\\")\\n | project-away exePathArr;\\nlet computers = VMComputer\\n | where TimeGenerated \u003e= ago(timeframe)\\n | project HostCustomEntity = HostName, AzureResourceId = _ResourceId, AgentId, Machine;\\nconnections | join kind = inner (processes) on AgentId, Machine, Process\\n | join kind = inner (computers) on AgentId, Machine\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"DNSName\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"FirstPid\"},{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLine\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Directory\",\"columnName\":\"DirectoryName\"},{\"identifier\":\"Name\",\"columnName\":\"Filename\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"[Deprecated] - Solorigate Domains Found in VM Insights\",\"description\":\"This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft\u0027s Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMProcess\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMComputer\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9f9c1e51-4fb1-4510-a675-c7c2fb32f47e\",\"name\":\"9f9c1e51-4fb1-4510-a675-c7c2fb32f47e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"High\",\"query\":\"let knotweed_sigs = dynamic([\\\"JumplumpDropper\\\", \\\"Jumplump\\\", \\\"Corelump\\\", \\\"Medcerc\\\", \\\"SuspModuleLoad\\\", \\\"Mexlib\\\"]);\\n let mde_data = (DeviceInfo\\n | extend DeviceName = tolower(DeviceName)\\n | join kind=rightouter ( SecurityAlert\\n | where ProviderName =~ \\\"MDATP\\\"\\n | extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n | extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)\\n | where ThreatFamilyName in~ (knotweed_sigs)\\n | extend CompromisedEntity = tolower(CompromisedEntity)\\n ) on $left.DeviceName == $right.CompromisedEntity);\\n let event_data = ( Event\\n | where EventID in (1006, 1009, 1116, 1119)\\n | extend ThreatData = parse_json(tostring(parse_json(tostring(parse_json(tostring(parse_xml(EventData).DataItem)).EventData)).Data))\\n | mv-expand ThreatData\\n | where tostring(ThreatData.[\\\"@Name\\\"]) == \\\"Threat Name\\\"\\n | extend EventData = parse_xml(EventData)\\n | where tostring(ThreatData.[\\\"#text\\\"]) has_any (knotweed_sigs));\\n union mde_data, event_data\\n | extend ThreatName = iif(isnotempty(ThreatName), ThreatName, tostring(ThreatData.[\\\"#text\\\"]))\\n | extend ThreatFamilyName = iif(isnotempty(ThreatFamilyName), ThreatFamilyName, split(tostring(ThreatData.[\\\"#text\\\"]), \\\"/\\\")[-1])\\n | extend TimeGenerated = iif(isnotempty(TimeGenerated), TimeGenerated, TimeGenerated1)\\n | extend DeviceName = iif(isnotempty(DeviceName), DeviceName, Computer)\\n | project-reorder TimeGenerated, CompromisedEntity, ThreatName, ThreatFamilyName\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"DeviceName\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"[Deprecated] - Denim Tsunami AV Detection\",\"description\":\"This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft\u0027s Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2022-07-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceInfo\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c1c66f0b-5531-4a3e-a619-9d2f770ef730\",\"name\":\"c1c66f0b-5531-4a3e-a619-9d2f770ef730\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Medium\",\"query\":\"let auditList =\\nAuditLogs\\n| where TimeGenerated \u003e= ago(14d)\\n| where OperationName =~ \\\"Add member to role completed (PIM activation)\\\"\\n| where Result =~ \\\"success\\\"\\n| extend TargetUserPrincipalName = tostring(TargetResources[2].userPrincipalName)\\n| extend displayName = tostring(TargetResources[0].displayName)\\n| extend displayName2 = tostring(TargetResources[3].displayName)\\n| extend ElevatedRole = iif(displayName =~ \\\"Member\\\", displayName2, displayName)\\n;\\nlet lookbackList = auditList\\n| where TimeGenerated between(ago(14d)..ago(1d))\\n;\\nlet recentList = auditList\\n| where TimeGenerated \u003e ago(1d)\\n;\\nlet newlyElevated = recentList\\n| join kind = leftanti lookbackList on ElevatedRole, TargetUserPrincipalName\\n;\\nnewlyElevated | project Id, AdditionalDetails\\n| mv-expand bagexpansion=array AdditionalDetails\\n| evaluate bag_unpack(AdditionalDetails)\\n| extend key = column_ifexists(\\\"key\\\", \u0027\u0027), value = column_ifexists(\\\"value\\\", \u0027\u0027)\\n| evaluate pivot(key, make_set(value))\\n| extend ipaddr = todynamic(column_ifexists(\\\"ipaddr\\\", \\\"\\\"))\\n| mv-expand ipaddr\\n| project Id, InitiatingIPAddress = tostring(ipaddr)\\n| join kind=rightouter newlyElevated on Id\\n| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n| extend InitiatingIPAddress = iff(isnotempty(tostring(InitiatedBy.user.ipAddress)), tostring(InitiatedBy.user.ipAddress), InitiatingIPAddress)\\n| extend ElevatedBy = iff(isnotempty(InitiatingUserPrincipalName), InitiatingUserPrincipalName, InitiatingAppName)\\n| extend ElevatedUser = TargetUserPrincipalName\\n| extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[1])\\n| extend TargetAccountName = tostring(split(TargetUserPrincipalName, \\\"@\\\")[0]), TargetAccountUPNSuffix = tostring(split(TargetUserPrincipalName, \\\"@\\\")[1])\\n| project-reorder ElevatedUser, ElevatedRole, ResultReason, ElevatedBy, InitiatingUserPrincipalName, InitiatingAadUserId, InitiatingIPAddress, TargetUserPrincipalName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatingAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatingAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"TargetAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"TargetAccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIPAddress\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Account Elevated to New Role\",\"description\":\"Detects an account that is elevated to a new role where that account has not had that role in the last 14 days.\\n Role elevations are a key mechanism for gaining permissions, monitoring which users have which roles, and for anomalies in those roles is useful for finding suspicious activity.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts\",\"lastUpdatedDateUTC\":\"2024-03-14T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e1ce0eab-10d1-4aae-863f-9a383345ba88\",\"name\":\"e1ce0eab-10d1-4aae-863f-9a383345ba88\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.5\",\"severity\":\"Low\",\"query\":\"let threshold = 15;\\nSyslog\\n| where ProcessName =~ \\\"sshd\\\"\\n| where SyslogMessage contains \\\"Failed password for invalid user\\\"\\n| parse kind=relaxed SyslogMessage with * \\\"invalid user \\\" user \\\" from \\\" ip \\\" port\\\" port \\\" ssh2\\\" *\\n// using distinct below as it has been seen that Syslog can duplicate entries depending on implementation\\n| distinct TimeGenerated, Computer, user, ip, port, SyslogMessage, _ResourceId\\n| summarize EventTimes = make_list(TimeGenerated), PerHourCount = count() by bin(TimeGenerated,4h), ip, Computer, user, _ResourceId\\n| where PerHourCount \u003e threshold\\n| mvexpand EventTimes\\n| extend EventTimes = tostring(EventTimes)\\n| summarize StartTime = min(EventTimes), EndTime = max(EventTimes), UserList = make_set(user), ComputerList = make_set(Computer), ResourceIdList = make_set(_ResourceId), sum(PerHourCount) by IPAddress = ip\\n// bringing through single computer and user if array only has 1, otherwise, referencing the column and hashing the ComputerList or UserList so we don\u0027t get accidental entity matches when reviewing alerts\\n| extend HostName = iff(array_length(ComputerList) == 1, tostring(ComputerList[0]), strcat(\\\"SeeComputerListField\\\",\\\"_\\\", tostring(hash(tostring(ComputerList)))))\\n| extend Account = iff(array_length(ComputerList) == 1, tostring(UserList[0]), strcat(\\\"SeeUserListField\\\",\\\"_\\\", tostring(hash(tostring(UserList)))))\\n| extend ResourceId = iff(array_length(ResourceIdList) == 1, tostring(ResourceIdList[0]), strcat(\\\"SeeResourceIdListField\\\",\\\"_\\\", tostring(hash(tostring(ResourceIdList)))))\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"Account\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostName\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceId\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"SSH - Potential Brute Force\",\"description\":\"Identifies an IP address that had 15 failed attempts to sign in via SSH in a 4 hour block during a 24 hour time period.\\n Please note that entity mapping for arrays is not supported, so when there is a single value in an array, we will pull that value from the array as a single string to populate the entity to support entity mapping features within Sentinel. Additionally, if the array is multivalued, we will input a string to indicate this with a unique hash so that matching will not occur.\\n As an example - ComputerList is an array that we check for a single value and write that into the HostName field for use in the entity mapping within Sentinel.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"SyslogAma\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7efc75ce-e2a4-400f-a8b1-283d3b0f2c60\",\"name\":\"7efc75ce-e2a4-400f-a8b1-283d3b0f2c60\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.5\",\"severity\":\"Low\",\"query\":\"let WellKnownLocalSID = \\\"S-1-5-32-5[0-9][0-9]$\\\";\\nlet WellKnownGroupSID = \\\"S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\\\";\\nlet AC_Add =\\n(union isfuzzy=true\\n(SecurityEvent\\n// Event ID related to member addition.\\n| where EventID in (4728, 4732,4756)\\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID\\n| parse EventData with * \u0027\\\"MemberName\\\"\u003e\u0027 * \u0027=\u0027 AccountAdded \\\",OU\\\" *\\n| where isnotempty(AccountAdded)\\n| extend GroupAddedTo = TargetUserName, AddingAccount = Account\\n| extend AccountAdded_GroupAddedTo_AddingAccount = strcat(AccountAdded, \\\"||\\\", GroupAddedTo, \\\"||\\\", AddingAccount )\\n| project AccountAdded_GroupAddedTo_AddingAccount, AccountAddedTime = TimeGenerated\\n),\\n(WindowsEvent\\n// Event ID related to member addition.\\n| where EventID in (4728, 4732,4756)\\n| extend TargetSid = tostring(EventData.TargetSid)\\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID\\n| parse EventData.MemberName with * \u0027\\\"MemberName\\\"\u003e\u0027 * \u0027=\u0027 AccountAdded \\\",OU\\\" *\\n| where isnotempty(AccountAdded)\\n| extend TargetUserName = tostring(EventData.TargetUserName)\\n| extend AddingAccount = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend GroupAddedTo = TargetUserName\\n| extend AccountAdded_GroupAddedTo_AddingAccount = strcat(AccountAdded, \\\"||\\\", GroupAddedTo, \\\"||\\\", AddingAccount )\\n| project AccountAdded_GroupAddedTo_AddingAccount, AccountAddedTime = TimeGenerated\\n)\\n);\\nlet AC_Remove =\\n( union isfuzzy=true\\n(SecurityEvent\\n// Event IDs related to member removal.\\n| where EventID in (4729,4733,4757)\\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID\\n| parse EventData with * \u0027\\\"MemberName\\\"\u003e\u0027 * \u0027=\u0027 AccountRemoved \\\",OU\\\" *\\n| where isnotempty(AccountRemoved)\\n| extend GroupRemovedFrom = TargetUserName, RemovingAccount = Account\\n| extend AccountRemoved_GroupRemovedFrom_RemovingAccount = strcat(AccountRemoved, \\\"||\\\", GroupRemovedFrom, \\\"||\\\", RemovingAccount)\\n| project AccountRemoved_GroupRemovedFrom_RemovingAccount, AccountRemovedTime = TimeGenerated, Computer, AccountRemoved = tolower(AccountRemoved),\\nRemovingAccount, RemovingAccountLogonId = SubjectLogonId, GroupRemovedFrom = TargetUserName, TargetDomainName\\n),\\n(WindowsEvent\\n// Event IDs related to member removal.\\n| where EventID in (4729,4733,4757)\\n| extend TargetSid = tostring(EventData.TargetSid)\\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID\\n| parse EventData.MemberName with * \u0027\\\"MemberName\\\"\u003e\u0027 * \u0027=\u0027 AccountRemoved \\\",OU\\\" *\\n| where isnotempty(AccountRemoved)\\n| extend TargetUserName = tostring(EventData.TargetUserName)\\n| extend RemovingAccount = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend GroupRemovedFrom = TargetUserName\\n| extend AccountRemoved_GroupRemovedFrom_RemovingAccount = strcat(AccountRemoved, \\\"||\\\", GroupRemovedFrom, \\\"||\\\", RemovingAccount)\\n| extend RemovedAccountLogonId= tostring(EventData.SubjectLogonId)\\n| extend TargetDomainName = tostring(EventData.TargetDomainName)\\n| project AccountRemoved_GroupRemovedFrom_RemovingAccount, AccountRemovedTime = TimeGenerated, Computer, AccountRemoved = tolower(AccountRemoved),\\nRemovingAccount, RemovedAccountLogonId, GroupRemovedFrom = TargetUserName, TargetDomainName\\n));\\nAC_Add\\n| join kind = inner AC_Remove \\non $left.AccountAdded_GroupAddedTo_AddingAccount == $right.AccountRemoved_GroupRemovedFrom_RemovingAccount\\n| extend DurationinSecondAfter_Removed = datetime_diff (\u0027second\u0027, AccountRemovedTime, AccountAddedTime)\\n| where DurationinSecondAfter_Removed \u003e 0\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| extend RemovedAccountName = tostring(split(AccountRemoved, @\\\"\\\\\\\")[1]), RemovedAccountNTDomain = tostring(split(AccountRemoved, @\\\"\\\\\\\")[0])\\n| extend RemovingAccountName = tostring(split(RemovingAccount, @\\\"\\\\\\\")[1]), RemovingAccountNTDomain = tostring(split(RemovingAccount, @\\\"\\\\\\\")[0])\\n| project-away DomainIndex\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountRemoved\"},{\"identifier\":\"Name\",\"columnName\":\"RemovedAccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"RemovedAccountNTDomain\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"RemovingAccount\"},{\"identifier\":\"Name\",\"columnName\":\"RemovingAccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"RemovingAccountNTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Account added and removed from privileged groups\",\"description\":\"Identifies accounts that are added to a privileged group and then quickly removed, which could be a sign of compromise.\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2019-04-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/79566f41-df67-4e10-a703-c38a6213afd8\",\"name\":\"79566f41-df67-4e10-a703-c38a6213afd8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n| where OperationName has_any (\\\"Add service principal\\\", \\\"Certificates and secrets management\\\") // captures \\\"Add service principal\\\", \\\"Add service principal credentials\\\", and \\\"Update application - Certificates and secrets management\\\" events\\n| where Result =~ \\\"success\\\"\\n| where tostring(InitiatedBy.user.userPrincipalName) has \\\"@\\\" or tostring(InitiatedBy.app.displayName) has \\\"@\\\"\\n| mv-apply TargetResource = TargetResources on \\n (\\n where TargetResource.type =~ \\\"Application\\\"\\n | extend targetDisplayName = tostring(TargetResource.displayName),\\n targetId = tostring(TargetResource.id),\\n targetType = tostring(TargetResource.type),\\n keyEvents = TargetResource.modifiedProperties\\n )\\n| mv-apply Property = keyEvents on \\n (\\n where Property.displayName =~ \\\"KeyDescription\\\"\\n | extend new_value_set = parse_json(tostring(Property.newValue)),\\n old_value_set = parse_json(tostring(Property.oldValue))\\n )\\n| where old_value_set != \\\"[]\\\"\\n| extend diff = set_difference(new_value_set, old_value_set)\\n| where isnotempty(diff)\\n| parse diff with * \\\"KeyIdentifier=\\\" keyIdentifier:string \\\",KeyType=\\\" keyType:string \\\",KeyUsage=\\\" keyUsage:string \\\",DisplayName=\\\" keyDisplayName:string \\\"]\\\" *\\n| where keyUsage =~ \\\"Verify\\\"\\n| mv-apply AdditionalDetail = AdditionalDetails on \\n (\\n where AdditionalDetail.key =~ \\\"User-Agent\\\"\\n | extend UserAgent = tostring(AdditionalDetail.value)\\n )\\n| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n| extend InitiatingIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\\n// The below line is currently commented out but Microsoft Sentinel users can modify this query to show only Application or only Service Principal events in their environment\\n//| where targetType =~ \\\"Application\\\" // or targetType =~ \\\"ServicePrincipal\\\"\\n| project-away diff, new_value_set, old_value_set\\n| project-reorder TimeGenerated, OperationName, InitiatingAppName, InitiatingAppServicePrincipalId, InitiatingUserPrincipalName, InitiatingAadUserId, InitiatingIpAddress, UserAgent, targetDisplayName, targetId, targetType, keyDisplayName, keyType, keyUsage, keyIdentifier, CorrelationId, TenantId\\n| extend Name = tostring(split(InitiatingUserPrincipalName,\u0027@\u0027,0)[0]), UPNSuffix = tostring(split(InitiatingUserPrincipalName,\u0027@\u0027,1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIpAddress\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAppServicePrincipalId\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"New access credential added to Application or Service Principal\",\"description\":\"This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where a verify KeyCredential was already present for the app.\\nIf a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2024-01-08T00:00:00Z\",\"createdDateUTC\":\"2020-11-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5f0d80db-3415-4265-9d52-8466b7372e3a\",\"name\":\"5f0d80db-3415-4265-9d52-8466b7372e3a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"Medium\",\"query\":\"AzureDevOpsAuditing\\n| where AuthenticationMechanism startswith \\\"PAT\\\"\\n// Look for useragents that include a redenring engine\\n| where UserAgent has_any (\\\"Gecko\\\", \\\"WebKit\\\", \\\"Presto\\\", \\\"Trident\\\", \\\"EdgeHTML\\\", \\\"Blink\\\")\\n| extend AccountName = tostring(split(ActorUPN, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(ActorUPN, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ActorUPN\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Azure DevOps PAT used with Browser\",\"description\":\"Personal Access Tokens (PATs) are used as an alternate password to authenticate into Azure DevOps. PATs are intended for programmatic access use in code or applications. \\nThis can be prone to attacker theft if not adequately secured. This query looks for the use of a PAT in authentication but from a User Agent indicating a browser. \\nThis should not be normal activity and could be an indicator of an attacker using a stolen PAT.\",\"lastUpdatedDateUTC\":\"2024-07-15T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f30a47c1-65fb-42b1-a7f4-00941c12550b\",\"name\":\"f30a47c1-65fb-42b1-a7f4-00941c12550b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.8\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet URLRegex = \\\"((https?|ftp|ldap|wss?|file):\\\\\\\\/\\\\\\\\/(([\\\\\\\\:\\\\\\\\%\\\\\\\\w\\\\\\\\_\\\\\\\\-]+(\\\\\\\\.|@))*((xn--)?[a-zA-Z0-9\\\\\\\\-]+\\\\\\\\.)+(xn--[a-z0-9]+|[A-Za-z]+)|\\\\\\\\d{1,3}\\\\\\\\.\\\\\\\\d{1,3}\\\\\\\\.\\\\\\\\d{1,3}\\\\\\\\.\\\\\\\\d{0,3})[.,:\\\\\\\\w@?^=%\u0026\\\\\\\\/~+#-]*[\\\\\\\\w@?^=%\u0026\\\\\\\\/~+#-])\\\";\\nlet SecurityEvents = materialize(SecurityAlert\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | extend MSTI = case(AlertName has \\\"TI map\\\" and VendorName == \\\"Microsoft\\\" and ProductName == \u0027Azure Sentinel\u0027, true, false)\\n | where MSTI == false\\n // Extract URL from JSON data\\n | mv-expand parse_json(Entities)\\n | where isnotempty(Entities.Url) or isnotempty(Entities.Urls)\\n | extend Url = coalesce(Entities.Url, Entities.Urls)\\n | mv-expand Url\\n | extend Url = tolower(Url)\\n // Extract hostname from JSON data for entity mapping\\n | extend Compromised_Host = tostring(parse_json(ExtendedProperties).[\\\"Compromised Host\\\"])\\n | extend Alert_TimeGenerated = TimeGenerated);\\nlet EventUrls = materialize(SecurityEvents | distinct Url | summarize make_list(Url));\\nThreatIntelligenceIndicator\\n| where isnotempty(Url)\\n| where TimeGenerated \u003e= ago(ioc_lookBack)\\n| extend Url = tolower(Url)\\n| where tolower(Url) in (EventUrls)\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true and ExpirationDateTime \u003e now()\\n| where Description !contains_cs \\\"State: inactive;\\\" and Description !contains_cs \\\"State: falsepos;\\\" \\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (SecurityEvents) on Url\\n| where Alert_TimeGenerated \u003c ExpirationDateTime\\n| summarize Alert_TimeGenerated = arg_max(Alert_TimeGenerated, *) by IndicatorId, AlertName\\n| project timestamp = Alert_TimeGenerated, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, AlertName, AlertSeverity, Description, Url, Compromised_Host\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"Compromised_Host\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"TI Map URL Entity to SecurityAlert Data\",\"description\":\"This query identifies any URL indicators of compromise (IOCs) from threat intelligence (TI) by searching for matches in SecurityAlert data.\",\"lastUpdatedDateUTC\":\"2024-07-09T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftCloudAppSecurity\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4e8238bd-ff4f-4126-a9f6-09b3b6801b3d\",\"name\":\"4e8238bd-ff4f-4126-a9f6-09b3b6801b3d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"High\",\"query\":\"AzureDevOpsAuditing\\n| where OperationName =~ \\\"AuditLog.StreamDisabledByUser\\\"\\n| extend StreamType = tostring(Data.ConsumerType)\\n| project-reorder TimeGenerated, Details, ActorUPN, IpAddress, UserAgent, StreamType\\n| extend timestamp = TimeGenerated\\n| extend AccountName = tostring(split(ActorUPN, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(ActorUPN, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ActorUPN\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure DevOps Audit Stream Disabled\",\"description\":\"Azure DevOps allow for audit logs to be streamed to external storage solutions such as SIEM solutions. An attacker looking to hide malicious Azure DevOps activity from defenders may look to disable data streams before conducting activity and then re-enabling the stream after (so as not to raise data threshold-based alarms). Looking for disabled audit streams can identify this activity, and due to the nature of the action its unlikely to have a high false positive rate.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a1bddaf8-982b-4089-ba9e-6590dfcf80ea\",\"name\":\"a1bddaf8-982b-4089-ba9e-6590dfcf80ea\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"Low\",\"query\":\"let error403_count_threshold=200;\\n_Im_WebSession(eventresultdetails_in=dynamic([\\\"403\\\"]))\\n| extend ParsedUrl=parse_url(Url)\\n| extend UrlHost=tostring(ParsedUrl[\\\"Host\\\"]), UrlSchema=tostring(ParsedUrl[\\\"Schema\\\"])\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), NumberOfErrors = count(), Urls=makeset(Url) by UrlHost, SrcIpAddr\\n| where NumberOfErrors \u003e error403_count_threshold\\n| sort by NumberOfErrors desc\\n| extend Url=tostring(Urls[0])\",\"customDetails\":{\"NumberOfErrors\":\"NumberOfErrors\"},\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Excessive number of HTTP authentication failures from {{SrcIpAddr}\",\"alertDescriptionFormat\":\"A client with address {{SrcIpAddr}} generated a large number of failed authentication HTTP requests. This may indicate a [brute force](https://en.wikipedia.org/wiki/Brute-force_attack) or [credential stuffing](https://en.wikipedia.org/wiki/Credential_stuffing) attack.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"Persistence\",\"CredentialAccess\"],\"displayName\":\"Excessive number of HTTP authentication failures from a source (ASIM Web Session schema)\",\"description\":\"This rule identifies a source that repeatedly fails to authenticate to a web service (HTTP response code 403). This may indicate a [brute force](https://en.wikipedia.org/wiki/Brute-force_attack) or [credential stuffing](https://en.wikipedia.org/wiki/Credential_stuffing) attack.\\nThis rule uses the [Advanced Security Information Model (ASIM)](https://aka.ms/AboutSIM) and supports any web session source that complies with ASIM.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-03-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d714ef62-1a56-4779-804f-91c4158e528d\",\"name\":\"d714ef62-1a56-4779-804f-91c4158e528d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Medium\",\"query\":\"let ImagesList = dynamic ([\\\"sethc.exe\\\",\\\"utilman.exe\\\",\\\"osk.exe\\\",\\\"Magnify.exe\\\",\\\"Narrator.exe\\\",\\\"DisplaySwitch.exe\\\",\\\"AtBroker.exe\\\"]); \\nlet OriginalFileNameList = dynamic ([\\\"sethc.exe\\\",\\\"utilman.exe\\\",\\\"osk.exe\\\",\\\"Magnify.exe\\\",\\\"Narrator.exe\\\",\\\"DisplaySwitch.exe\\\",\\\"AtBroker.exe\\\",\\\"SR.exe\\\",\\\"utilman2.exe\\\",\\\"ScreenMagnifier.exe\\\"]); \\nEvent\\n| where EventLog == \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID==1\\n| parse EventData with * \u0027ProcessId\\\"\u003e\u0027 ProcessId \\\"\u003c\\\" * \u0027Image\\\"\u003e\u0027 Image \\\"\u003c\\\" * \u0027OriginalFileName\\\"\u003e\u0027 OriginalFileName \\\"\u003c\\\" *\\n| where Image has_any (ImagesList) and not (OriginalFileName has_any (OriginalFileNameList))\\n| parse EventData with * \u0027ProcessGuid\\\"\u003e\u0027 ProcessGuid \\\"\u003c\\\" * \u0027Description\\\"\u003e\u0027 Description \\\"\u003c\\\" * \u0027CommandLine\\\"\u003e\u0027 CommandLine \\\"\u003c\\\" * \u0027CurrentDirectory\\\"\u003e\u0027 CurrentDirectory \\\"\u003c\\\" * \u0027User\\\"\u003e\u0027 User \\\"\u003c\\\" * \u0027LogonGuid\\\"\u003e\u0027 LogonGuid \\\"\u003c\\\" * \u0027Hashes\\\"\u003e\u0027 Hashes \\\"\u003c\\\" * \u0027ParentProcessGuid\\\"\u003e\u0027 ParentProcessGuid \\\"\u003c\\\" * \u0027ParentImage\\\"\u003e\u0027 ParentImage \\\"\u003c\\\" * \u0027ParentCommandLine\\\"\u003e\u0027 ParentCommandLine \\\"\u003c\\\" * \u0027ParentUser\\\"\u003e\u0027 ParentUser \\\"\u003c\\\" *\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, User, ParentImage, ParentProcessGuid, ParentCommandLine, ParentUser, Image, ProcessId, ProcessGuid, CommandLine, Description, OriginalFileName, CurrentDirectory, Hashes\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| extend AccountName = tostring(split(User, \\\"\\\\\\\\\\\")[1]), AccountNTDomain = tostring(split(User, \\\"\\\\\\\\\\\")[0])\\n| extend ImageFileName = tostring(split(Image, \\\"\\\\\\\\\\\")[-1])\\n| extend ImageDirectory = replace_string(Image, ImageFileName, \\\"\\\")\\n| project-away DomainIndex\",\"entityMappings\":[{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLine\"},{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessId\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"User\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"ImageFileName\"},{\"identifier\":\"Directory\",\"columnName\":\"ImageDirectory\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Modification of Accessibility Features\",\"description\":\"Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Windows contains accessibility features that may be launched with a key combination before a user has logged in (ex: when the user is on the Windows logon screen). An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.\\nTwo common accessibility programs are C:\\\\Windows\\\\System32\\\\sethc.exe, launched when the shift key is pressed five times and C:\\\\Windows\\\\System32\\\\utilman.exe, launched when the Windows + U key combination is pressed. The sethc.exe program is often referred to as \\\"sticky keys\\\", and has been used by adversaries for unauthenticated access through a remote desktop login screen. [1]\\nRef: https://attack.mitre.org/techniques/T1546/008/\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-03-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f0be259a-34ac-4946-aa15-ca2b115d5feb\",\"name\":\"f0be259a-34ac-4946-aa15-ca2b115d5feb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P2D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"Low\",\"query\":\"let starttime = 2d;\\nlet endtime = 1d;\\nlet TimeDeltaThreshold = 25;\\nlet TotalEventsThreshold = 30;\\nlet MostFrequentTimeDeltaThreshold = 25;\\nlet PercentBeaconThreshold = 80;\\nCommonSecurityLog\\n| where DeviceVendor == \\\"Palo Alto Networks\\\" and Activity == \\\"TRAFFIC\\\"\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where ipv4_is_private(DestinationIP)== false\\n| project TimeGenerated, DeviceName, SourceUserID, SourceIP, SourcePort, DestinationIP, DestinationPort, ReceivedBytes, SentBytes\\n| sort by SourceIP asc,TimeGenerated asc, DestinationIP asc, DestinationPort asc\\n| serialize\\n| extend nextTimeGenerated = next(TimeGenerated, 1), nextSourceIP = next(SourceIP, 1)\\n| extend TimeDeltainSeconds = datetime_diff(\u0027second\u0027,nextTimeGenerated,TimeGenerated)\\n| where SourceIP == nextSourceIP\\n//Whitelisting criteria/ threshold criteria\\n| where TimeDeltainSeconds \u003e TimeDeltaThreshold\\n| summarize count(), sum(ReceivedBytes), sum(SentBytes)\\nby TimeDeltainSeconds, bin(TimeGenerated, 1h), DeviceName, SourceUserID, SourceIP, DestinationIP, DestinationPort\\n| summarize (MostFrequentTimeDeltaCount, MostFrequentTimeDeltainSeconds) = arg_max(count_, TimeDeltainSeconds), TotalEvents=sum(count_), TotalSentBytes = sum(sum_SentBytes), TotalReceivedBytes = sum(sum_ReceivedBytes)\\nby bin(TimeGenerated, 1h), DeviceName, SourceUserID, SourceIP, DestinationIP, DestinationPort\\n| where TotalEvents \u003e TotalEventsThreshold and MostFrequentTimeDeltaCount \u003e MostFrequentTimeDeltaThreshold\\n| extend BeaconPercent = MostFrequentTimeDeltaCount/toreal(TotalEvents) * 100\\n| where BeaconPercent \u003e PercentBeaconThreshold\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIP, AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Palo Alto - potential beaconing detected\",\"description\":\"Identifies beaconing patterns from Palo Alto Network traffic logs based on recurrent timedelta patterns.\\nThe query leverages various KQL functions to calculate time deltas and then compares it with total events observed in a day to find percentage of beaconing.\\nThis outbound beaconing pattern to untrusted public networks should be investigated for any malware callbacks or data exfiltration attempts.\\nReference Blog:\\nhttp://www.austintaylor.io/detect/beaconing/intrusion/detection/system/command/control/flare/elastic/stack/2017/06/10/detect-beaconing-with-flare-elasticsearch-and-intrusion-detection-systems/\\nhttps://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/detect-network-beaconing-via-intra-request-time-delta-patterns/ba-p/779586\",\"lastUpdatedDateUTC\":\"2024-11-07T00:00:00Z\",\"createdDateUTC\":\"2019-05-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CefAma\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6d7214d9-4a28-44df-aafb-0910b9e6ae3e\",\"name\":\"6d7214d9-4a28-44df-aafb-0910b9e6ae3e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.3\",\"severity\":\"Low\",\"query\":\"let match_window = 3m;\\nAzureActivity\\n| where ResourceGroup has \\\"cloud-shell\\\"\\n| where (OperationNameValue =~ \\\"Microsoft.Storage/storageAccounts/listKeys/action\\\")\\n| where ActivityStatusValue =~ \\\"Success\\\"\\n| extend TimeKey = bin(TimeGenerated, match_window), AzureIP = CallerIpAddress\\n| join kind = inner\\n(AzureActivity\\n| where ResourceGroup has \\\"cloud-shell\\\"\\n| where (OperationNameValue =~ \\\"Microsoft.Storage/storageAccounts/write\\\")\\n| extend TimeKey = bin(TimeGenerated, match_window), UserIP = CallerIpAddress\\n) on Caller, TimeKey\\n| summarize count() by TimeKey, Caller, ResourceGroup, SubscriptionId, TenantId, AzureIP, UserIP, HTTPRequest, Type, Properties, CategoryValue, OperationList = strcat(OperationNameValue, \u0027 , \u0027, OperationNameValue1)\\n| extend Name = tostring(split(Caller,\u0027@\u0027,0)[0]), UPNSuffix = tostring(split(Caller,\u0027@\u0027,1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Caller\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"UserIP\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"New CloudShell User\",\"description\":\"Identifies when a user creates an Azure CloudShell for the first time.\\nMonitor this activity to ensure only the expected users are using CloudShell.\",\"lastUpdatedDateUTC\":\"2024-01-08T00:00:00Z\",\"createdDateUTC\":\"2020-12-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/50eb4cbd-188f-44f4-b964-bab84dcdec10\",\"name\":\"50eb4cbd-188f-44f4-b964-bab84dcdec10\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"High\",\"query\":\"let timeframe = 1d;\\nlet time_window = 5m;\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where EventID == 4688\\n| where Process has_any (\\\"java.exe\\\", \\\"javaw.exe\\\") and CommandLine has \\\"SysAidServer\\\" \\n| summarize by ParentProcessName,Process, Account, Computer, CommandLine, timekey= bin(TimeGenerated, time_window), TimeGenerated, SubjectLogonId\\n| join kind=inner(\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where EventID == 4663\\n| where Process has_any (\\\"java.exe\\\", \\\"javaw.exe\\\")\\n| where AccessMask in (\u00270x2\u0027,\u00270x100\u0027, \u00270x10\u0027, \u00270x4\u0027)\\n| where ObjectName endswith \\\".jsp\\\" \\n| summarize by ParentProcessName, Account, Computer, ObjectName, ProcessName, timekey= bin(TimeGenerated, time_window), TimeGenerated, SubjectLogonId)\\n on timekey, Computer, SubjectLogonId\\n),\\n(DeviceFileEvents \\n| where InitiatingProcessFileName has_any (\\\"java.exe\\\", \\\"javaw.exe\\\") \\n| where InitiatingProcessCommandLine has \\\"SysAidServer\\\" \\n| where FileName endswith \\\".jsp\\\" \\n| extend Account = strcat(InitiatingProcessAccountDomain, @\u0027\\\\\u0027, InitiatingProcessAccountName), Computer = DeviceName\\n),\\n(imFileEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where EventType == \\\"FileCreated\\\"\\n| where ActingProcessName has_any (\\\"java.exe\\\", \\\"javaw.exe\\\") \\n| where ActingProcessCommandLine has \\\"SysAidServer\\\" \\n| where FilePath endswith \\\".jsp\\\" \\n| extend Account = ActorUsername, Computer = DvcHostname\\n)\\n)\\n| extend AccountName = tostring(split(Account, @\u0027\\\\\u0027)[1]), AccountNTDomain = tostring(split(Account, @\u0027\\\\\u0027)[0])\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Identify SysAid Server web shell creation\",\"description\":\"This query looks for potential webshell creation by the threat actor Mercury after the sucessful exploitation of SysAid server. \\nReference: https://www.microsoft.com/security/blog/2022/08/25/mercury-leveraging-log4j-2-vulnerabilities-in-unpatched-systems-to-target-israeli-organizations/\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-08-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bb616d82-108f-47d3-9dec-9652ea0d3bf6\",\"name\":\"bb616d82-108f-47d3-9dec-9652ea0d3bf6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"High\",\"query\":\"let queryfrequency = 1h;\\nlet queryperiod = 1d;\\nAuditLogs\\n| where TimeGenerated \u003e ago(queryfrequency)\\n| where OperationName =~ \\\"Delete user\\\"\\n//extend UserPrincipalName = tostring(TargetResources[0].userPrincipalName)\\n| mv-apply TargetResource = TargetResources on \\n (\\n where TargetResource.type == \\\"User\\\"\\n | extend UserPrincipalName = extract(@\u0027([a-f0-9]{32})?(.*)\u0027, 2, tostring(TargetResource.userPrincipalName))\\n )\\n| extend DeletedByUser = tostring(InitiatedBy.user.userPrincipalName), DeletedByIPAddress = tostring(InitiatedBy.user.ipAddress)\\n| extend DeletedByApp = tostring(InitiatedBy.app.displayName)\\n| project Deletion_TimeGenerated = TimeGenerated, UserPrincipalName, DeletedByUser, DeletedByIPAddress, DeletedByApp, Deletion_AdditionalDetails = AdditionalDetails, Deletion_InitiatedBy = InitiatedBy, Deletion_TargetResources = TargetResources\\n| join kind=inner (\\n AuditLogs\\n | where TimeGenerated \u003e ago(queryperiod)\\n | where OperationName =~ \\\"Add user\\\" \\n | mv-apply TargetResource = TargetResources on \\n (\\n where TargetResource.type == \\\"User\\\"\\n | extend UserPrincipalName = trim(@\u0027\\\"\u0027,tostring(TargetResource.userPrincipalName))\\n )\\n | project-rename Creation_TimeGenerated = TimeGenerated\\n) on UserPrincipalName\\n| extend TimeDelta = Deletion_TimeGenerated - Creation_TimeGenerated\\n| where TimeDelta between (time(0s) .. queryperiod)\\n| extend CreatedByUser = tostring(InitiatedBy.user.userPrincipalName), CreatedByIPAddress = tostring(InitiatedBy.user.ipAddress)\\n| extend CreatedByApp = tostring(InitiatedBy.app.displayName)\\n| project Creation_TimeGenerated, Deletion_TimeGenerated, TimeDelta, UserPrincipalName, DeletedByUser, DeletedByIPAddress, DeletedByApp, CreatedByUser, CreatedByIPAddress, CreatedByApp, Creation_AdditionalDetails = AdditionalDetails, Creation_InitiatedBy = InitiatedBy, Creation_TargetResources = TargetResources, Deletion_AdditionalDetails, Deletion_InitiatedBy, Deletion_TargetResources\\n| extend timestamp = Deletion_TimeGenerated, Name = tostring(split(UserPrincipalName,\u0027@\u0027,0)[0]), UPNSuffix = tostring(split(UserPrincipalName,\u0027@\u0027,1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DeletedByIPAddress\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Account Created and Deleted in Short Timeframe\",\"description\":\"Search for user principal name (UPN) events. Look for accounts created and then deleted in under 24 hours. Attackers may create an account for their use, and then remove the account when no longer needed.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#short-lived-account\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/95543d6d-f00d-4193-a63f-4edeefb7ec36\",\"name\":\"95543d6d-f00d-4193-a63f-4edeefb7ec36\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZincOctober2022IOCs.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet domains = (iocs | where Type =~ \\\"domainname\\\"| project IoC);\\nlet IPList = (iocs | where Type =~ \\\"ip\\\"| project IoC);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\nlet useragents = (iocs | where Type =~ \\\"useragent\\\" | project IoC);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where DestinationHostName has_any (domains) or RequestURL has_any (domains) or Message has_any (domains) or SourceIP has_any (IPList) or DestinationIP has_any (IPList)\\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 *\\n| project TimeGenerated, Message, SourceUserID, RequestURL, DestinationHostName, Type, SourceIP, DestinationIP, DNSName\\n| extend timestamp = TimeGenerated, AccountEntity = SourceUserID, UrlEntity = RequestURL , IPEntity = DestinationIP, DNSCustomEntity = DNSName\\n),\\n(DnsEvents\\n| where Name in~ (domains) or IPAddresses has_any (IPList)\\n| project TimeGenerated, Computer, IPAddresses, Name, ClientIP, Type\\n| extend DNSName = Name, Host = Computer\\n| extend timestamp = TimeGenerated, HostEntity = Host, DNSCustomEntity = DNSName, IPEntity = IPAddresses\\n),\\n(VMConnection\\n| where RemoteDnsCanonicalNames has_any (domains) or SourceIp has_any (IPList) or DestinationIp has_any (IPList)\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| project TimeGenerated, Computer, Direction, RemoteDnsCanonicalNames, ProcessName, SourceIp, DestinationIp, DestinationPort, DNSName,BytesSent, BytesReceived, RemoteCountry, Type\\n| extend timestamp = TimeGenerated, IPEntity = DestinationIp, HostEntity = Computer, ProcessEntity = ProcessName, DNSCustomEntity = DNSName\\n),\\n(Event\\n| where Source =~ \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = tostring(EventDetail.[9].[\\\"#text\\\"]), DestinationIP = tostring(EventDetail.[14].[\\\"#text\\\"]), Image = EventDetail.[4].[\\\"#text\\\"]\\n| where SourceIP has_any (IPList) or DestinationIP has_any (IPList)\\n| project TimeGenerated, SourceIP, DestinationIP, Image, UserName, Computer, EventDetail, Type\\n| extend timestamp = TimeGenerated, AccountEntity = UserName, ProcessEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), HostEntity = Computer , IPEntity = DestinationIP\\n), \\n(DeviceNetworkEvents\\n| where RemoteUrl has_any (domains) or RemoteIP has_any (IPList) or InitiatingProcessSHA256 in (sha256Hashes) \\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, LocalIP, Type\\n| extend timestamp = TimeGenerated, IPEntity = RemoteIP, HostEntity = DeviceName, UrlEntity =RemoteUrl\\n),\\n(AzureDiagnostics\\n| where ResourceType =~ \\\"AZUREFIREWALLS\\\"\\n| where Category =~ \\\"AzureFirewallDnsProxy\\\"\\n| project TimeGenerated,Resource, msg_s, Type\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where Request_Name has_any (domains) or ClientIP has_any (IPList)\\n| extend timestamp = TimeGenerated, DNSName = Request_Name, IPEntity = ClientIP\\n),\\n(AzureDiagnostics\\n| where ResourceType =~ \\\"AZUREFIREWALLS\\\"\\n| where Category =~ \\\"AzureFirewallApplicationRule\\\"\\n| project TimeGenerated,Resource, msg_s\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where DestinationHost has_any (domains) or SourceHost has_any (IPList)\\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPEntity = SourceHost\\n),\\n(Event\\n| where Source =~ \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| parse EventDetail with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| extend Image = EventDetail.[4].[\\\"#text\\\"], CommandLine = EventDetail.[10].[\\\"#text\\\"]\\n| where SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256, CommandLine, Image\\n| extend Type = strcat(Type, \\\": \\\", Source)\\n| extend timestamp = TimeGenerated, HostEntity = Computer , AccountEntity = UserName, ProcessEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), AlgorithmEntity = \\\"SHA256\\\", FileHashEntity = SHA256\\n), \\n(DeviceProcessEvents\\n| where InitiatingProcessSHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, FolderPath, Type\\n| extend timestamp = TimeGenerated, HostEntity = DeviceName , AccountEntity = InitiatingProcessAccountName, ProcessEntity = InitiatingProcessFileName, AlgorithmEntity = \\\"SHA256\\\", FileHashEntity = InitiatingProcessSHA256\\n),\\n(DeviceFileEvents\\n| where InitiatingProcessSHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RequestAccountName, RequestSourceIP, InitiatingProcessSHA256, FolderPath, Type\\n| extend timestamp = TimeGenerated, HostEntity = DeviceName , AccountEntity = RequestAccountName, ProcessEntity = InitiatingProcessFileName, AlgorithmEntity = \\\"SHA256\\\", FileHashEntity = InitiatingProcessSHA256\\n),\\n(DeviceEvents\\n| where InitiatingProcessSHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, FolderPath, Type\\n| extend CommandLine = InitiatingProcessCommandLine\\n| extend timestamp = TimeGenerated, HostEntity = DeviceName , AccountEntity = InitiatingProcessAccountName, ProcessEntity = InitiatingProcessFileName, AlgorithmEntity = \\\"SHA256\\\", FileHashEntity = InitiatingProcessSHA256\\n),\\n(OfficeActivity\\n| where ClientIP has_any (IPList) or UserAgent has_any (useragents)\\n| project TimeGenerated, UserAgent, Operation, RecordType, UserId, ClientIP, Type\\n| extend timestamp = TimeGenerated, IPEntity = ClientIP, AccountEntity = UserId\\n)\\n)\\n| extend HostName = tostring(split(HostEntity, \u0027.\u0027, 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(HostEntity, \u0027.\u0027), 1, -1), \u0027.\u0027))\\n| extend Name = tostring(split(AccountEntity, \u0027@\u0027, 0)[0]), UPNSuffix = tostring(split(AccountEntity, \u0027@\u0027, 1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"[Deprecated] - Zinc Actor IOCs domains hashes IPs and useragent - October 2022\",\"description\":\"Use Microsoft\u0027s up-to-date Threat Intelligence solution from the Content Hub to replace the deprecated query with outdated IoCs. Install it from: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2021-07-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoAsaAma\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CefAma\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceFileEvents\",\"DeviceEvents\",\"DeviceProcessEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]},{\"connectorId\":\"WindowsFirewallAma\",\"dataTypes\":[\"WindowsFirewall\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/223db5c1-1bf8-47d8-8806-bed401b356a4\",\"name\":\"223db5c1-1bf8-47d8-8806-bed401b356a4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.7\",\"severity\":\"Low\",\"query\":\"let timeRange = 1d;\\nlet lookBack = 7d;\\nlet threshold_Failed = 5;\\nlet threshold_FailedwithSingleIP = 20;\\nlet threshold_IPAddressCount = 2;\\nlet isGUID = \\\"[0-9a-z]{8}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{12}\\\";\\nlet aadFunc = (tableName:string){\\nlet azPortalSignins = materialize(table(tableName)\\n| where TimeGenerated \u003e= ago(lookBack)\\n// Azure Portal only\\n| where AppDisplayName =~ \\\"Azure Portal\\\")\\n;\\nlet successPortalSignins = azPortalSignins\\n| where TimeGenerated \u003e= ago(timeRange)\\n// Azure Portal only and exclude non-failure Result Types\\n| where ResultType in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n// Tagging identities not resolved to friendly names\\n//| extend Unresolved = iff(Identity matches regex isGUID, true, false)\\n| distinct TimeGenerated, UserPrincipalName\\n;\\nlet failPortalSignins = azPortalSignins\\n| where TimeGenerated \u003e= ago(timeRange)\\n// Azure Portal only and exclude non-failure Result Types\\n| where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\", \\\"70044\\\", \\\"70043\\\")\\n// Tagging identities not resolved to friendly names\\n| extend Unresolved = iff(Identity matches regex isGUID, true, false)\\n;\\n// Verify there is no success for the same connection attempt after the fail\\nlet failnoSuccess = failPortalSignins | join kind= leftouter (\\n successPortalSignins\\n) on UserPrincipalName\\n| where TimeGenerated \u003e TimeGenerated1 or isempty(TimeGenerated1)\\n| project-away TimeGenerated1, UserPrincipalName1\\n;\\n// Lookup up resolved identities from last 7 days\\nlet identityLookup = azPortalSignins\\n| where TimeGenerated \u003e= ago(lookBack)\\n| where not(Identity matches regex isGUID)\\n| summarize by UserId, lu_UserDisplayName = UserDisplayName, lu_UserPrincipalName = UserPrincipalName;\\n// Join resolved names to unresolved list from portal signins\\nlet unresolvedNames = failnoSuccess | where Unresolved == true | join kind= inner (\\n identityLookup\\n) on UserId\\n| extend UserDisplayName = lu_UserDisplayName, UserPrincipalName = lu_UserPrincipalName\\n| project-away lu_UserDisplayName, lu_UserPrincipalName;\\n// Join Signins that had resolved names with list of unresolved that now have a resolved name\\nlet u_azPortalSignins = failnoSuccess | where Unresolved == false | union unresolvedNames;\\nu_azPortalSignins\\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n| extend Status = strcat(ResultType, \\\": \\\", ResultDescription), OS = tostring(DeviceDetail.operatingSystem), Browser = tostring(DeviceDetail.browser)\\n| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion)\\n| extend FullLocation = strcat(Region,\u0027|\u0027, State, \u0027|\u0027, City) \\n| summarize TimeGenerated = make_list(TimeGenerated,100), Status = make_list(Status,100), IPAddresses = make_list(IPAddress,100), IPAddressCount = dcount(IPAddress), FailedLogonCount = count()\\nby UserPrincipalName, UserId, UserDisplayName, AppDisplayName, Browser, OS, FullLocation, Type\\n| mvexpand TimeGenerated, IPAddresses, Status\\n| extend TimeGenerated = todatetime(tostring(TimeGenerated)), IPAddress = tostring(IPAddresses), Status = tostring(Status)\\n| project-away IPAddresses\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserPrincipalName, UserId, UserDisplayName, Status, FailedLogonCount, IPAddress, IPAddressCount, AppDisplayName, Browser, OS, FullLocation, Type\\n| where (IPAddressCount \u003e= threshold_IPAddressCount and FailedLogonCount \u003e= threshold_Failed) or FailedLogonCount \u003e= threshold_FailedwithSingleIP\\n| extend Name = tostring(split(UserPrincipalName,\u0027@\u0027,0)[0]), UPNSuffix = tostring(split(UserPrincipalName,\u0027@\u0027,1)[0])\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Failed login attempts to Azure Portal\",\"description\":\"Identifies failed login attempts in the Microsoft Entra ID SigninLogs to the Azure Portal. Many failed logon attempts or some failed logon attempts from multiple IPs could indicate a potential brute force attack.\\nThe following are excluded due to success and non-failure results:\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n0 - successful logon\\n50125 - Sign-in was interrupted due to a password reset or password registration entry.\\n50140 - This error occurred due to \u0027Keep me signed in\u0027 interrupt when the user was signing-in.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6b652b4f-9810-4eec-9027-7aa88ce4db23\",\"name\":\"6b652b4f-9810-4eec-9027-7aa88ce4db23\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"High\",\"query\":\"(union isfuzzy=true\\n(SecurityEvent\\n| where EventID==4688\\n| where CommandLine has \\\"wmic computersystem get domain\\\" and ParentProcessName has \\\"dllhost.exe\\\"\\n| project TimeGenerated, Computer, Account, AccountDomain, ProcessName, ProcessNameFullPath = NewProcessName, EventID, Activity, CommandLine, EventSourceName, Type\\n),\\n(DeviceProcessEvents \\n| where ProcessCommandLine has \\\"wmic computersystem get domain\\\" and InitiatingProcessFileName =~ \\\"dllhost.exe\\\" and InitiatingProcessCommandLine has \\\"dllhost.exe\\\"\\n| extend Account = strcat(InitiatingProcessAccountDomain, @\u0027\\\\\u0027, InitiatingProcessAccountName), Computer = DeviceName\\n)\\n)\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| extend AccountName = tostring(split(Account, @\u0027\\\\\u0027)[1]), AccountNTDomain = tostring(split(Account, @\u0027\\\\\u0027)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"Discovery\"],\"displayName\":\"Dev-0270 WMIC Discovery\",\"description\":\"The query below identifies dllhost.exe using WMIC to discover additional hosts and associated domains in the environment.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-09-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/910124df-913c-47e3-a7cd-29e1643fa55e\",\"name\":\"910124df-913c-47e3-a7cd-29e1643fa55e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"//Adjust this threshold to fit environment\\nlet signin_threshold = 5;\\n//Make a list of IPs with failed AWS console logins\\nlet aws_fails = AWSCloudTrail\\n| where EventName == \\\"ConsoleLogin\\\"\\n| extend LoginResult = tostring(parse_json(ResponseElements).ConsoleLogin)\\n| where LoginResult != \\\"Success\\\"\\n| where SourceIpAddress != \\\"127.0.0.1\\\"\\n| summarize count() by SourceIpAddress\\n| where count_ \u003e signin_threshold\\n| summarize make_set(SourceIpAddress);\\n//See if any of those IPs have sucessfully logged into Azure AD.\\nSigninLogs\\n| where ResultType in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n| where IPAddress in (aws_fails)\\n| extend Reason = \\\"Multiple failed AWS Console logins from IP address\\\"\\n| extend timestamp = TimeGenerated, AccountName = tostring(split(UserPrincipalName, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(UserPrincipalName, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"UserId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]}],\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"Failed AWS Console logons but success logon to AzureAD\",\"description\":\"Identifies a list of IP addresses with a minimum number (default of 5) of failed logon attempts to AWS Console.\\nUses that list to identify any successful Microsoft Entra ID logons from these IPs within the same timeframe.\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2019-08-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/80733eb7-35b2-45b6-b2b8-3c51df258206\",\"name\":\"80733eb7-35b2-45b6-b2b8-3c51df258206\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Low\",\"query\":\"let DomainList = dynamic([\\\"monerohash.com\\\", \\\"do-dear.com\\\", \\\"xmrminerpro.com\\\", \\\"secumine.net\\\", \\\"xmrpool.com\\\", \\\"minexmr.org\\\", \\\"hashanywhere.com\\\", \\\"xmrget.com\\\",\\n\\\"mininglottery.eu\\\", \\\"minergate.com\\\", \\\"moriaxmr.com\\\", \\\"multipooler.com\\\", \\\"moneropools.com\\\", \\\"xmrpool.eu\\\", \\\"coolmining.club\\\", \\\"supportxmr.com\\\",\\n\\\"minexmr.com\\\", \\\"hashvault.pro\\\", \\\"xmrpool.net\\\", \\\"crypto-pool.fr\\\", \\\"xmr.pt\\\", \\\"miner.rocks\\\", \\\"walpool.com\\\", \\\"herominers.com\\\", \\\"gntl.co.uk\\\", \\\"semipool.com\\\",\\n\\\"coinfoundry.org\\\", \\\"cryptoknight.cc\\\", \\\"fairhash.org\\\", \\\"baikalmine.com\\\", \\\"tubepool.xyz\\\", \\\"fairpool.xyz\\\", \\\"asiapool.io\\\", \\\"coinpoolit.webhop.me\\\", \\\"nanopool.org\\\",\\n\\\"moneropool.com\\\", \\\"miner.center\\\", \\\"prohash.net\\\", \\\"poolto.be\\\", \\\"cryptoescrow.eu\\\", \\\"monerominers.net\\\", \\\"cryptonotepool.org\\\", \\\"extrmepool.org\\\", \\\"webcoin.me\\\",\\n\\\"kippo.eu\\\", \\\"hashinvest.ws\\\", \\\"monero.farm\\\", \\\"supportxmr.com\\\", \\\"xmrpool.eu\\\", \\\"linux-repository-updates.com\\\", \\\"1gh.com\\\", \\\"dwarfpool.com\\\", \\\"hash-to-coins.com\\\",\\n\\\"hashvault.pro\\\", \\\"pool-proxy.com\\\", \\\"hashfor.cash\\\", \\\"fairpool.cloud\\\", \\\"litecoinpool.org\\\", \\\"mineshaft.ml\\\", \\\"abcxyz.stream\\\", \\\"moneropool.ru\\\", \\\"cryptonotepool.org.uk\\\",\\n\\\"extremepool.org\\\", \\\"extremehash.com\\\", \\\"hashinvest.net\\\", \\\"unipool.pro\\\", \\\"crypto-pools.org\\\", \\\"monero.net\\\", \\\"backup-pool.com\\\", \\\"mooo.com\\\", \\\"freeyy.me\\\", \\\"cryptonight.net\\\",\\n\\\"shscrypto.net\\\"]);\\nSyslog\\n| where ProcessName contains \\\"squid\\\"\\n| extend URL = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :]*)\\\",3,SyslogMessage),\\n SourceIP = extract(\\\"([0-9]+ )(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3}))\\\",2,SyslogMessage),\\n Status = extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))\\\",1,SyslogMessage),\\n HTTP_Status_Code = extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))/([0-9]{3})\\\",8,SyslogMessage),\\n User = extract(\\\"(CONNECT |GET )([^ ]* )([^ ]+)\\\",3,SyslogMessage),\\n RemotePort = extract(\\\"(CONNECT |GET )([^ ]*)(:)([0-9]*)\\\",4,SyslogMessage),\\n Domain = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :\\\\\\\\/]*)\\\",3,SyslogMessage),\\n Bytes = toint(extract(\\\"([A-Z]+\\\\\\\\/[0-9]{3} )([0-9]+)\\\",2,SyslogMessage)),\\n contentType = extract(\\\"([a-z/]+$)\\\",1,SyslogMessage)\\n| extend TLD = extract(\\\"\\\\\\\\.[a-z]*$\\\",0,Domain)\\n| where HTTP_Status_Code == \u0027200\u0027\\n| where Domain contains \\\".\\\"\\n| where Domain has_any (DomainList)\\n| extend AccountName = tostring(split(User, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(User, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"User\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URL\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Squid proxy events related to mining pools\",\"description\":\"Checks for Squid proxy events in Syslog associated with common mining pools. This query presumes the default Squid log format is being used.\\n http://www.squid-cache.org/Doc/config/access_log/\",\"lastUpdatedDateUTC\":\"2024-07-25T00:00:00Z\",\"createdDateUTC\":\"2019-07-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"SyslogAma\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9176b18f-a946-42c6-a2f6-0f6d17cd6a8a\",\"name\":\"9176b18f-a946-42c6-a2f6-0f6d17cd6a8a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.5\",\"severity\":\"Medium\",\"query\":\"let triThreshold = 500;\\nlet querystarttime = 6h;\\nlet dgaLengthThreshold = 8;\\n// fetch the cisco umbrella top 1M domains\\nlet top1M = (externaldata (Position:int, Domain:string) [@\\\"http://s3-us-west-1.amazonaws.com/umbrella-static/top-1m.csv.zip\\\"] with (format=\\\"csv\\\", zipPattern=\\\"*.csv\\\"));\\n// extract tri grams that are above our threshold - i.e. are common\\nlet triBaseline = top1M\\n | extend Domain = tolower(extract(\\\"([^.]*).{0,7}$\\\", 1, Domain))\\n | extend AllTriGrams = array_concat(extract_all(\\\"(...)\\\", Domain), extract_all(\\\"(...)\\\", substring(Domain, 1)), extract_all(\\\"(...)\\\", substring(Domain, 2)))\\n | mvexpand Trigram=AllTriGrams to typeof(string)\\n | summarize triCount=count() by Trigram\\n | sort by triCount desc\\n | where triCount \u003e triThreshold\\n | distinct Trigram;\\n// collect domain information from common security log, filter and extract the DGA candidate and its trigrams\\nlet allDataSummarized = _Im_WebSession\\n| where isnotempty(Url)\\n| extend Name = tolower(tostring(parse_url(Url)[\\\"Host\\\"]))\\n| summarize NameCount=count() by Name\\n| where Name has \\\".\\\"\\n| where Name !endswith \\\".home\\\" and Name !endswith \\\".lan\\\"\\n// extract DGA candidate\\n| extend DGADomain = extract(\\\"([^.]*).{0,7}$\\\", 1, Name)\\n| where strlen(DGADomain) \u003e dgaLengthThreshold\\n// throw out domains with number in them\\n| where DGADomain matches regex \\\"^[A-Za-z]{0,}$\\\"\\n// extract the tri grams from summarized data\\n| extend AllTriGrams = array_concat(extract_all(\\\"(...)\\\", DGADomain), extract_all(\\\"(...)\\\", substring(DGADomain, 1)), extract_all(\\\"(...)\\\", substring(DGADomain, 2)));\\n// throw out domains that have repeating tri\u0027s and/or \u003e=3 repeating letters\\nlet nonRepeatingTris = allDataSummarized\\n| join kind=leftanti\\n(\\n allDataSummarized\\n | mvexpand AllTriGrams\\n | summarize count() by tostring(AllTriGrams), DGADomain\\n | where count_ \u003e 1\\n | distinct DGADomain\\n)\\non DGADomain;\\n// find domains that do not have a common tri in the baseline\\nlet dataWithRareTris = nonRepeatingTris\\n| join kind=leftanti\\n(\\n nonRepeatingTris\\n | mvexpand AllTriGrams\\n | extend Trigram = tostring(AllTriGrams)\\n | distinct Trigram, DGADomain\\n | join kind=inner\\n (\\n triBaseline\\n )\\n on Trigram\\n | distinct DGADomain\\n)\\non DGADomain;\\ndataWithRareTris\\n// join DGAs back on connection data\\n| join kind=inner\\n(\\n _Im_WebSession\\n | where isnotempty(Url)\\n | extend Url = tolower(Url)\\n | summarize arg_max(TimeGenerated, EventVendor, SrcIpAddr) by Url\\n | extend Name=tostring(parse_url(Url)[\\\"Host\\\"])\\n | summarize StartTime=min(TimeGenerated), EndTime=max(TimeGenerated) by Name, SrcIpAddr, Url\\n)\\non Name\\n| project StartTime, EndTime, Name, DGADomain, SrcIpAddr, Url, NameCount\",\"customDetails\":{\"DGAPattern\":\"DGADomain\",\"NameCount\":\"NameCount\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Potential communication from {{SrcIpAddr}} with a Domain Generation Algorithm (DGA) based host {{Name}}\",\"alertDescriptionFormat\":\"A client with address {{SrcIpAddr}} communicated with host {{Name}} that have a domain name that might have been generated by a Domain Generation Algorithm (DGA), identified by the pattern {{DGADomain}}. DGAs are used by malware to generate rendezvous points that are difficult to predict in advance. This detection uses the top 1 million domain names to build a model of what normal domains look like and uses the model to identify domains that may have been randomly generated by an algorithm.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Potential communication with a Domain Generation Algorithm (DGA) based hostname (ASIM Web Session schema)\",\"description\":\"This rule identifies communication with hosts that have a domain name that might have been generated by a Domain Generation Algorithm (DGA).\\nDGAs are used by malware to generate rendezvous points that are difficult to predict in advance. This detection uses the top 1 million domain names to build a model of what normal domains look like nad uses the model to identify domains that may have been randomly generated by an algorithm. You can modify the triThreshold and dgaLengthThreshold query parameters to change Analytic Rule sensitivity. The higher the numbers, the less noisy the rule is.\\n This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema)\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2021-12-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b725d62c-eb77-42ff-96f6-bdc6745fc6e0\",\"name\":\"b725d62c-eb77-42ff-96f6-bdc6745fc6e0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"Low\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nlet UserAgentAll =\\n(union isfuzzy=true\\n(OfficeActivity\\n| where TimeGenerated \u003e= ago(starttime)\\n| where isnotempty(UserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = ClientIP, Account = UserId, Type, RecordType, Operation\\n),\\n(\\nW3CIISLog\\n| where TimeGenerated \u003e= ago(starttime)\\n| where isnotempty(csUserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent = csUserAgent, SourceIP = cIP, Account = csUserName, Type, sSiteName, csMethod, csUriStem\\n),\\n(\\nAWSCloudTrail\\n| where TimeGenerated \u003e= ago(starttime)\\n| where isnotempty(UserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = SourceIpAddress, Account = UserIdentityUserName, Type, EventSource, EventName\\n))\\n// remove wordSize blocks of non-numeric hex characters prior to word extraction\\n| extend UserAgentNoHexAlphas = replace(\\\"([A-Fa-f]{4,})\\\", \\\"x\\\", UserAgent)\\n// once blocks of hex chars are removed, extract wordSize blocks of a-z\\n| extend Tokens = extract_all(\\\"([A-Za-z]{4,})\\\", UserAgentNoHexAlphas)\\n// concatenate extracted words to create a summarized user agent for baseline and comparison\\n| extend NormalizedUserAgent = strcat_array(Tokens, \\\"|\\\")\\n| project-away UserAgentNoHexAlphas, Tokens;\\nUserAgentAll\\n| where StartTime \u003e= ago(endtime)\\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), count() by UserAgent, NormalizedUserAgent, SourceIP, Account, Type, RecordType, Operation, EventSource, EventName, sSiteName, csMethod, csUriStem\\n| join kind=leftanti\\n(\\nUserAgentAll\\n| where StartTime \u003c ago(endtime)\\n| summarize by NormalizedUserAgent, SourceIP, Account, Type, RecordType, Operation, EventSource, EventName, sSiteName, csMethod, csUriStem\\n)\\non NormalizedUserAgent\\n| extend timestamp = StartTime\\n| extend Name = tostring(split(Account, \u0027@\u0027, 0)[0]), UPNSuffix = tostring(split(Account, \u0027@\u0027, 1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]}],\"tactics\":[\"InitialAccess\",\"CommandAndControl\",\"Execution\"],\"displayName\":\"New UserAgent observed in last 24 hours\",\"description\":\"Identifies new UserAgents observed in the last 24 hours versus the previous 14 days. This detection extracts words from user agents to build the baseline and determine rareity rather than perform a direct comparison. This avoids FPs caused by version numbers and other high entropy user agent components.\\nThese new UserAgents could be benign. However, in normally stable environments, these new UserAgents could provide a starting point for investigating malicious activity.\\nNote: W3CIISLog can be noisy depending on the environment, however OfficeActivity and AWSCloudTrail are usually stable with low numbers of detections.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2019-04-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6e95aef3-a1e0-4063-8e74-cd59aa59f245\",\"name\":\"6e95aef3-a1e0-4063-8e74-cd59aa59f245\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"AzureActivity\\n| where OperationNameValue =~ \\\"MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/DELETE\\\"\\n| summarize\\n TimeGenerated = arg_max(TimeGenerated, Properties),\\n ActivityStatusValue = make_set(ActivityStatusValue, 5),\\n take_any(Caller, CallerIpAddress, OperationName, ResourceGroup, Resource)\\n by CorrelationId, _ResourceId, OperationNameValue\\n| extend ResourceHierarchy = split(_ResourceId, \\\"/\\\")\\n| extend MonitoredResourcePath = strcat_array(array_slice(ResourceHierarchy, 0, array_length(ResourceHierarchy)-5), \\\"/\\\")\\n| join kind=leftanti (\\n AzureActivity\\n | where OperationNameValue !~ \\\"MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/DELETE\\\" and OperationNameValue endswith \\\"/DELETE\\\" and ActivityStatusValue has_any (\\\"Success\\\", \\\"Succeeded\\\")\\n | project _ResourceId\\n) on $left.MonitoredResourcePath == $right._ResourceId\\n| extend\\n Name = iif(Caller has \\\"@\\\", tostring(split(Caller, \\\"@\\\")[0]), \\\"\\\"),\\n UPNSuffix = iif(Caller has \\\"@\\\", tostring(split(Caller, \\\"@\\\")[1]), \\\"\\\"),\\n AadUserId = iif(Caller has \\\"@\\\", \\\"\\\", Caller)\\n| project TimeGenerated, Caller, CallerIpAddress, OperationNameValue, OperationName, ActivityStatusValue, ResourceGroup, MonitoredResourcePath, Resource, Properties, Name, UPNSuffix, AadUserId, _ResourceId, CorrelationId\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Caller\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"AadUserId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"CallerIpAddress\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure Diagnostic settings removed from a resource\",\"description\":\"This query looks for diagnostic settings that are removed from a resource.\\nThis could indicate an attacker or malicious internal trying to evade detection before malicious act is performed.\\nIf the diagnostic settings are being deleted as part of a parent resource deletion, the event is ignores.\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2022-06-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3ff0fffb-d963-40c0-b235-3404f915add7\",\"name\":\"3ff0fffb-d963-40c0-b235-3404f915add7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"GitHubAuditData\\n| where Action == \\\"org.disable_two_factor_requirement\\\"\\n| project TimeGenerated, Action, Actor, Country, Repository\\n| extend Name = iif(Actor contains \\\"@\\\", split(Actor, \\\"@\\\")[0], Actor)\\n| extend UPNSuffix = iif(Actor contains \\\"@\\\", split(Actor, \\\"@\\\")[1], \\\"\\\")\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Actor\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"GitHub Two Factor Auth Disable\",\"description\":\"Two-factor authentication is a process where a user is prompted during the sign-in process for an additional form of identification, such as to enter a code on their cellphone or to provide a fingerprint scan. Two factor authentication reduces the risk of account takeover. Attacker will want to disable such security tools in order to go undetected. \",\"lastUpdatedDateUTC\":\"2024-03-14T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/825991eb-ea39-4590-9de2-ee97ef42eb93\",\"name\":\"825991eb-ea39-4590-9de2-ee97ef42eb93\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ActiniumIOC.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet domains = (iocs | where Type =~ \\\"domainname\\\"| project IoC);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\n(union isfuzzy=true\\n(DeviceProcessEvents\\n| where InitiatingProcessSHA256 in (sha256Hashes) or SHA256 in (sha256Hashes) or (ProcessCommandLine has (\u0027schtasks.exe /CREATE /sc minute /mo 12 /tn\u0027) and ProcessCommandLine has (\u0027/tr \\\"wscript.exe\u0027) and ProcessCommandLine has (\u0027\\\"%PUBLIC%\\\\\\\\Pictures\\\\\\\\\u0027) and ProcessCommandLine has (\u0027//e:VBScript //b\\\" /F\u0027)) or (ProcessCommandLine has (\u0027wscript.exe C:\\\\\\\\Users\\\\\\\\\u0027) and ProcessCommandLine has (\u0027.wav\u0027) and ProcessCommandLine has (\u0027//e:VBScript //b\u0027) \\nor (ProcessCommandLine has_all (\\\"schtasks.exe\\\", \\\"create\\\", \\\"wscript\\\", \\\"e:vbscript\\\", \\\".wav\\\")))\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, ProcessCommandLine, InitiatingProcessAccountName, InitiatingProcessCommandLine, FolderPath, InitiatingProcessFolderPath, ProcessId, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type, AccountName, SHA256, FileName\\n| extend Account = AccountName, Computer = DeviceName, FileHash = case(InitiatingProcessSHA256 in (sha256Hashes), \\\"InitiatingProcessSHA256\\\", SHA256 in (sha256Hashes), \\\"SHA256\\\", \\\"No Match\\\")\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = FileName, FileHashCustomEntity = case(FileHash == \\\"InitiatingProcessSHA256\\\", InitiatingProcessSHA256, FileHash == \\\"SHA256\\\", SHA256, \\\"No Match\\\"), AlgorithmCustomEntity = \\\"SHA256\\\"\\n),\\n( SecurityEvent\\n| where EventID == 4688\\n| where (CommandLine has (\u0027schtasks.exe /CREATE /sc minute /mo 12 /tn\u0027) and CommandLine has (\u0027/tr \\\"wscript.exe\u0027) and CommandLine has (\u0027\\\"%PUBLIC%\\\\\\\\Pictures\\\\\\\\\u0027) and CommandLine has (\u0027//e:VBScript //b\\\" /F\u0027)) or (CommandLine has (\u0027wscript.exe C:\\\\\\\\Users\\\\\\\\\u0027) and CommandLine has (\u0027.wav\u0027) and CommandLine has (\u0027//e:VBScript //b\u0027))\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type, EventID\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName\\n),\\n( CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, SourceUserID, FileHash, Type\\n| extend timestamp = TimeGenerated, FileHashCustomEntity = FileHash, Account = SourceUserID, AlgorithmCustomEntity = \\\"SHA256\\\"\\n),\\n( imFileEvent\\n| where Hash in~ (sha256Hashes) or (ActingProcessCommandLine has (\u0027schtasks.exe /CREATE /sc minute /mo 12 /tn\u0027) and ActingProcessCommandLine has (\u0027/tr \\\"wscript.exe\u0027) and ActingProcessCommandLine has (\u0027\\\"%PUBLIC%\\\\\\\\Pictures\\\\\\\\\u0027) and ActingProcessCommandLine has (\u0027//e:VBScript //b\\\" /F\u0027)) or (ActingProcessCommandLine has (\u0027wscript.exe C:\\\\\\\\Users\\\\\\\\\u0027) and ActingProcessCommandLine has (\u0027.wav\u0027) and ActingProcessCommandLine has (\u0027//e:VBScript //b\u0027) \\n or (ActingProcessCommandLine has_all (\\\"schtasks.exe\\\", \\\"create\\\", \\\"wscript\\\", \\\"e:vbscript\\\", \\\".wav\\\")))\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = Hash\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, FileHashCustomEntity = FileHash, AlgorithmCustomEntity = \\\"SHA256\\\"\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Image = EventDetail.[4].[\\\"#text\\\"], CommandLine = EventDetail.[10].[\\\"#text\\\"], Hashes = tostring(EventDetail.[17].[\\\"#text\\\"])\\n| extend Hashes = extract_all(@\\\"(?P\u003ckey\u003e\\\\w+)=(?P\u003cvalue\u003e[a-zA-Z0-9]+)\\\", dynamic([\\\"key\\\",\\\"value\\\"]), Hashes)\\n| extend Hashes = column_ifexists(\\\"Hashes\\\", \\\"\\\"), CommandLine = column_ifexists(\\\"CommandLine\\\", \\\"\\\")\\n| extend Hashes = todynamic(Hashes) | mv-expand Hashes\\n| where (Hashes[0] =~ \\\"SHA256\\\" and Hashes[1] has_any (sha256Hashes)) or (CommandLine has (\u0027schtasks.exe /CREATE /sc minute /mo 12 /tn\u0027) and CommandLine has (\u0027/tr \\\"wscript.exe\u0027) and CommandLine has (\u0027\\\"%PUBLIC%\\\\\\\\Pictures\\\\\\\\\u0027) and CommandLine has (\u0027//e:VBScript //b\\\" /F\u0027)) or (CommandLine has (\u0027wscript.exe C:\\\\\\\\Users\\\\\\\\\u0027) and CommandLine has (\u0027.wav\u0027) and CommandLine has (\u0027//e:VBScript //b\u0027) or (CommandLine has_all (\\\"schtasks.exe\\\", \\\"create\\\", \\\"wscript\\\", \\\"e:vbscript\\\", \\\".wav\\\")))\\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, Hashes, CommandLine, Image\\n| extend Type = strcat(Type, \\\": \\\", Source)\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), FileHashCustomEntity = tostring(Hashes[1]), AlgorithmCustomEntity = \\\"SHA256\\\"\\n),\\n(DnsEvents\\n| where Name in~ (domains) \\n| project TimeGenerated, Computer, IPAddresses, Name, ClientIP, Type\\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Computer \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress\\n),\\n(VMConnection\\n| where RemoteDnsCanonicalNames has_any (domains)\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| project TimeGenerated, Computer, Direction, ProcessName, SourceIp, DestinationIp, DestinationPort, RemoteDnsQuestions, DNSName,BytesSent, BytesReceived, RemoteCountry, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIp, File = ProcessName\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| project TimeGenerated,Resource, msg_s, Type\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (domains) \\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| project TimeGenerated,Resource, msg_s, Type\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where Request_Name has_any (domains)\\n| extend timestamp = TimeGenerated, DNSName = Request_Name, IPCustomEntity = ClientIP\\n),\\n(AZFWApplicationRule\\n| where isnotempty(Fqdn)\\n| where Fqdn has_any (domains) \\n| extend timestamp = TimeGenerated, DNSName = Fqdn, IPCustomEntity = SourceIp\\n),\\n(AZFWDnsQuery\\n| where isnotempty(QueryName)\\n| where QueryName has_any (domains)\\n| extend timestamp = TimeGenerated, DNSName = QueryName, IPCustomEntity = SourceIp\\n),\\n(DeviceNetworkEvents \\n| where isnotempty(RemoteUrl) \\n| where RemoteUrl in~ (domains) \\n| project Type, TimeGenerated, DeviceName, RemoteIP, RemoteUrl, InitiatingProcessAccountName\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, DNSName = RemoteUrl, IPCustomEntity = RemoteIP\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"[Deprecated] - Aqua Blizzard Actor IOCs - Feb 2022\",\"description\":\"This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft\u0027s Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2022-02-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceProcessEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\",\"AZFWApplicationRule\",\"AZFWDnsQuery\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d0c82b7f-40b2-4180-a4d6-7aa0541b7599\",\"name\":\"d0c82b7f-40b2-4180-a4d6-7aa0541b7599\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"let threshold = 3;\\nPulseConnectSecure\\n| where Messages contains \\\"Unauthenticated request url /dana-na/\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by Source_IP\\n| where count_ \u003e threshold\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"Source_IP\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"PulseConnectSecure - CVE-2021-22893 Possible Pulse Connect Secure RCE Vulnerability Attack\",\"description\":\"This query identifies exploitation attempts using Pulse Connect Secure(PCS) vulnerability (CVE-2021-22893) to the VPN server\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-05-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PulseConnectSecure\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d99cf5c3-d660-436c-895b-8a8f8448da23\",\"name\":\"d99cf5c3-d660-436c-895b-8a8f8448da23\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.4\",\"severity\":\"Medium\",\"query\":\"let riskScoreCutoff = 3; //Adjust this score threshold based on volume of results. Activities identified as the most abnormal receive the highest scores (on a scale of 0-10)\\nSigninLogs\\n| where ResultType == 500121\\n| extend additionalDetails_ = tostring(Status.additionalDetails)\\n| extend UserPrincipalName = tolower(UserPrincipalName)\\n| where additionalDetails_ =~ \\\"MFA denied; user declined the authentication\\\" or additionalDetails_ has \\\"fraud\\\"\\n| summarize StartTime = min(TimeGenerated), EndTIme = max(TimeGenerated) by UserPrincipalName, UserId, AADTenantId, FailedIPAddress = IPAddress\\n| extend Name = tostring(split(UserPrincipalName,\u0027@\u0027,0)[0]), UPNSuffix = tostring(split(UserPrincipalName,\u0027@\u0027,1)[0])\\n| join kind=leftouter (\\n IdentityInfo\\n | summarize LatestReportTime = arg_max(TimeGenerated, *) by AccountUPN\\n | project AccountUPN, Tags, JobTitle, GroupMembership, AssignedRoles, UserType, IsAccountEnabled\\n | summarize\\n Tags = make_set(Tags, 1000),\\n GroupMembership = make_set(GroupMembership, 1000),\\n AssignedRoles = make_set(AssignedRoles, 1000),\\n UserType = make_set(UserType, 1000),\\n UserAccountControl = make_set(UserType, 1000)\\n by AccountUPN\\n | extend UserPrincipalName=tolower(AccountUPN)\\n) on UserPrincipalName\\n//Below it will be joined with BehaviorAnalytics table to the Failed IP Addresses\\n| join kind=leftouter (\\n BehaviorAnalytics\\n | where ActivityType in (\\\"FailedLogOn\\\", \\\"LogOn\\\")\\n | where isnotempty(SourceIPAddress)\\n | project UsersInsights, DevicesInsights, ActivityInsights, InvestigationPriority, SourceIPAddress, UserName\\n | project-rename FailedIPAddress = SourceIPAddress, Name = UserName\\n | summarize\\n MaxInvestigationScore = max(InvestigationPriority) // Only retrieve maximum Investigation Property score for both FailedIP and User\\n by FailedIPAddress, Name)\\non FailedIPAddress, Name // Joining on both IP and User so as to only return context associated with same user\\n| extend UEBARiskScore = MaxInvestigationScore\\n| project-away *1 // removing duplicate columns post outer join from output\\n| where UEBARiskScore \u003e riskScoreCutoff\\n| sort by UEBARiskScore desc\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"UserId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"FailedIPAddress\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"MFA Rejected by User\",\"description\":\"Identifies occurances where a user has rejected an MFA prompt. This could be an indicator that a threat actor has compromised the username and password of this user account and is using it to try and log into the account.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\\nThis query has also been updated to include UEBA logs IdentityInfo and BehaviorAnalytics for contextual information around the results. \\nPlease note, MFA Failed logons from known IP ranges can be benign depending on the conditional access policies. In case of noisy behavior, consider tuning the source IP ranges or location filter after careful consideration\",\"lastUpdatedDateUTC\":\"2024-12-17T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"BehaviorAnalytics\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"IdentityInfo\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/caf78b95-d886-4ac3-957a-a7a3691ff4ed\",\"name\":\"caf78b95-d886-4ac3-957a-a7a3691ff4ed\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT12H\",\"queryPeriod\":\"PT12H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Tarrask.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, SourceUserID, FileHash, Type\\n| extend timestamp = TimeGenerated, FileHashCustomEntity = FileHash, Account = SourceUserID\\n),\\n(imFileEvent\\n| where TargetFileSHA256 has_any (sha256Hashes)\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHashCustomEntity = FileHash\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Image = EventDetail.[4].[\\\"#text\\\"], CommandLine = EventDetail.[10].[\\\"#text\\\"], Hashes = tostring(EventDetail.[17].[\\\"#text\\\"])\\n| extend Hashes = extract_all(@\\\"(?P\u003ckey\u003e\\\\w+)=(?P\u003cvalue\u003e[a-zA-Z0-9]+)\\\", dynamic([\\\"key\\\",\\\"value\\\"]), Hashes)\\n| extend Hashes = column_ifexists(\\\"Hashes\\\", \\\"\\\"), CommandLine = column_ifexists(\\\"CommandLine\\\", \\\"\\\")\\n| extend Hashes = todynamic(Hashes) | mv-expand Hashes\\n| where Hashes[0] =~ \\\"SHA256\\\" and Hashes[1] has_any (sha256Hashes) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, Hashes, CommandLine, Image\\n| extend Type = strcat(Type, \\\": \\\", Source)\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), FileHashCustomEntity = tostring(Hashes[1])\\n),\\n(DeviceEvents\\n| where InitiatingProcessSHA256 has_any (sha256Hashes) or SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n),\\n(DeviceFileEvents\\n| where SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n),\\n(DeviceImageLoadEvents\\n| where SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"[Deprecated] - Tarrask malware IOC - April 2022\",\"description\":\"This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft\u0027s Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2022-01-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\",\"DeviceEvents\",\"DeviceImageLoadEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/155e9134-d5ad-4a6f-88f3-99c220040b66\",\"name\":\"155e9134-d5ad-4a6f-88f3-99c220040b66\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.7\",\"severity\":\"Medium\",\"query\":\"// Set the lookback to determine if user has created pipelines before\\nlet timeback = 14d;\\n// Set the period for detections\\nlet timeframe = 1d;\\n// Get a list of previous Release Pipeline creators to exclude\\nlet releaseusers = AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeback) and TimeGenerated \u003c ago(timeframe)\\n| where OperationName in (\\\"Release.ReleasePipelineCreated\\\", \\\"Release.ReleasePipelineModified\\\")\\n// We want to look for users performing actions in specific projects so we create this userscope object to match on\\n| extend UserScope = strcat(ActorUserId, \\\"-\\\", ProjectName)\\n| summarize by UserScope;\\n// Get Release Pipeline creations by new users\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeframe)\\n| where OperationName =~ \\\"Release.ReleasePipelineModified\\\"\\n| extend UserScope = strcat(ActorUserId, \\\"-\\\", ProjectName)\\n| where UserScope !in (releaseusers)\\n| extend ActorUPN = tolower(ActorUPN)\\n| project-away Id, ActivityId, ActorCUID, ScopeId, ProjectId, TenantId, SourceSystem, UserScope\\n// See if any of these users have Azure AD alerts associated with them in the same timeframe\\n| join kind = leftouter (\\nSecurityAlert\\n| where TimeGenerated \u003e ago(timeframe)\\n| where ProviderName == \\\"IPC\\\"\\n| extend AadUserId = tostring(parse_json(Entities)[0].AadUserId)\\n| summarize Alerts=count() by AadUserId) on $left.ActorUserId == $right.AadUserId\\n| extend Alerts = iif(isnotempty(Alerts), Alerts, 0)\\n// Uncomment the line below to only show results where the user as AADIdP alerts\\n//| where Alerts \u003e 0\\n| extend timestamp = TimeGenerated\\n| extend AccountName = tostring(split(ActorUPN, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(ActorUPN, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ActorUPN\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]}],\"tactics\":[\"Execution\",\"DefenseEvasion\"],\"displayName\":\"Azure DevOps Pipeline modified by a new user\",\"description\":\"There are several potential pipeline steps that could be modified by an attacker to inject malicious code into the build cycle. A likely attacker path is the modification to an existing pipeline that they have access to. \\nThis detection looks for users modifying a pipeline when they have not previously been observed modifying or creating that pipeline before. This query also joins events with data to Microsoft Entra ID Protection in order to show if the user conducting the action has any associated Microsoft Entra ID Protection alerts. You can also choose to filter this detection to only alert when the user also has Microsoft Entra ID Protection alerts associated with them.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b7643904-5081-4920-917e-a559ddc3448f\",\"name\":\"b7643904-5081-4920-917e-a559ddc3448f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"let Threshold = 1;\\nAzureDiagnostics\\n| where Category =~ \\\"FrontDoorWebApplicationFirewallLog\\\"\\n| where action_s =~ \\\"AnomalyScoring\\\"\\n| where details_msg_s has \\\"XSS\\\"\\n| parse details_data_s with MessageText \\\"Matched Data:\\\" MatchedData \\\"AND \\\" * \\\"table_name FROM \\\" TableName \\\" \\\" *\\n| project trackingReference_s, host_s, requestUri_s, TimeGenerated, clientIP_s, details_matches_s, details_msg_s, details_data_s, TableName, MatchedData\\n| join kind = inner(\\nAzureDiagnostics\\n| where Category =~ \\\"FrontDoorWebApplicationFirewallLog\\\"\\n| where action_s =~ \\\"Block\\\") on trackingReference_s\\n| summarize URI_s = make_set(requestUri_s,100), Table = make_set(TableName,100), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), TrackingReference = make_set(trackingReference_s,100), Matched_Data = make_set(MatchedData,100), Detail_Data = make_set(details_data_s,100), Detail_Message = make_set(details_msg_s,100), Total_TrackingReference = dcount(trackingReference_s) by clientIP_s, host_s, action_s\\n| where Total_TrackingReference \u003e= Threshold\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URI_s\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"clientIP_s\"}]}],\"tactics\":[\"InitialAccess\",\"Execution\"],\"displayName\":\"Front Door Premium WAF - XSS Detection\",\"description\":\"Identifies a match for an XSS attack in the Front Door Premium WAF logs. The threshold value in the query can be changed as per your infrastructure\u0027s requirements.\\n References: https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS)\",\"lastUpdatedDateUTC\":\"2023-12-20T00:00:00Z\",\"createdDateUTC\":\"2022-10-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"WAF\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9d0295ee-cb75-4f2c-9952-e5acfbb67036\",\"name\":\"9d0295ee-cb75-4f2c-9952-e5acfbb67036\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":1,\"version\":\"1.0.3\",\"severity\":\"Informational\",\"query\":\"let timeframe = ago(1d);\\nAppServiceAntivirusScanAuditLogs\\n| where NumberOfInfectedFiles \u003e 0\\n| extend timestamp = TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"AzureID\",\"columnName\":\"_ResourceId\"}]}],\"displayName\":\"AppServices AV Scan with Infected Files\",\"description\":\"Identifies if an AV scan finds infected files in Azure App Services.\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2020-12-11T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/422ca2bf-598b-4872-82bb-5f7e8fa731e7\",\"name\":\"422ca2bf-598b-4872-82bb-5f7e8fa731e7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"High\",\"query\":\"(union isfuzzy=true\\n(SecurityEvent\\n| where EventID==4688\\n| extend FileName=tostring(split(NewProcessName, @\u0027\\\\\u0027)[(-1)]), ProcessCommandLine = CommandLine, InitiatingProcessFileName=ParentProcessName\\n| where (FileName =~ \\\"powershell.exe\\\" and ProcessCommandLine has_all(\\\"try\\\", \\\"Add-MpPreference\\\", \\\"-ExclusionPath\\\", \\\"ProgramData\\\", \\\"catch\\\")) or (FileName =~ \u0027powershell.exe\u0027 and ProcessCommandLine has_all(\u0027Add-PSSnapin\u0027, \u0027Get-Recipient\u0027, \u0027-ExpandProperty\u0027, \u0027EmailAddresses\u0027, \u0027SmtpAddress\u0027, \u0027-hidetableheaders\u0027) )\\n| project TimeGenerated, Computer, Account, AccountDomain, ProcessName, ProcessNameFullPath = NewProcessName, InitiatingProcessFileName, EventID, Activity, CommandLine, EventSourceName, Type\\n),\\n(DeviceProcessEvents \\n| where (FileName =~ \\\"powershell.exe\\\" and ((ProcessCommandLine has_all(\\\"try\\\", \\\"Add-MpPreference\\\", \\\"-ExclusionPath\\\", \\\"ProgramData\\\", \\\"catch\\\")) or (ProcessCommandLine has_all(\u0027Add-PSSnapin\u0027, \u0027Get-Recipient\u0027, \u0027-ExpandProperty\u0027, \u0027EmailAddresses\u0027, \u0027SmtpAddress\u0027, \u0027-hidetableheaders\u0027))))\\nor ( InitiatingProcessFileName =~ \u0027powershell.exe\u0027 and (((InitiatingProcessCommandLine has_all(\u0027$file=\u0027, \u0027dllhost.exe\u0027, \u0027Invoke-WebRequest\u0027, \u0027-OutFile\u0027)) or ((InitiatingProcessCommandLine has_all(\u0027$admins=\u0027, \u0027System.Security.Principal.SecurityIdentifier\u0027, \u0027Translate\u0027, \u0027-split\u0027, \u0027localgroup\u0027, \u0027/add\u0027, \u0027$rdp=\u0027))))))\\n| extend Account = strcat(InitiatingProcessAccountDomain, @\u0027\\\\\u0027, InitiatingProcessAccountName), Computer = DeviceName\\n)\\n)\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| extend AccountName = tostring(split(Account, @\u0027\\\\\u0027)[1]), AccountNTDomain = tostring(split(Account, @\u0027\\\\\u0027)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"Exfiltration\",\"DefenseEvasion\"],\"displayName\":\"Dev-0270 Malicious Powershell usage\",\"description\":\"DEV-0270 heavily uses powershell to achieve their objective at various stages of their attack. To locate powershell related activity tied to the actor, Microsoft Sentinel customers can run the following query.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-09-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/eb8a9c1c-f532-4630-817c-1ecd8a60ed80\",\"name\":\"eb8a9c1c-f532-4630-817c-1ecd8a60ed80\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P2D\",\"queryPeriod\":\"P2D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n| where OperationName has \\\"Delete partner specific cross-tenant access setting\\\"\\n| mv-apply TargetResource = TargetResources on\\n (\\n where TargetResource.type =~ \\\"Policy\\\"\\n | extend Properties = TargetResource.modifiedProperties\\n )\\n| mv-apply Property = Properties on\\n (\\n where Property.displayName =~ \\\"tenantId\\\"\\n | extend ExtTenantDeleted = trim(\u0027\\\"\u0027,tostring(Property.oldValue))\\n )\\n| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n| extend InitiatingIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\\n| extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"InitiatingAppName\"},{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAppServicePrincipalId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatingAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatingAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIpAddress\"}]}],\"tactics\":[\"InitialAccess\",\"Persistence\",\"Discovery\"],\"displayName\":\"Cross-tenant Access Settings Organization Deleted\",\"description\":\"Organizations are added in the Cross-tenant Access Settings to control communication inbound or outbound for users and applications. This detection notifies when an Organization is deleted from the Microsoft Entra ID Cross-tenant Access Settings.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-10-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/acfdee3f-b794-404a-aeba-ef6a1fa08ad1\",\"name\":\"acfdee3f-b794-404a-aeba-ef6a1fa08ad1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"High\",\"query\":\"let lookback = 14d;\\nlet timewindow = 7d;\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(lookback)\\n| where OperationName =~ \\\"Library.AgentPoolCreated\\\"\\n| extend AgentCloudId = tostring(Data.AgentCloudId)\\n| extend PoolType = iif(isnotempty(AgentCloudId), \\\"Azure VMs\\\", \\\"Self Hosted\\\")\\n// Comment this line out to include cloud pools as well\\n| where PoolType == \\\"Self Hosted\\\"\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n| extend AgentPoolId = tostring(Data.AgentPoolId)\\n| extend IsHosted = tostring(Data.IsHosted)\\n| extend IsLegacy = tostring(Data.IsLegacy)\\n| extend timekey = bin(TimeGenerated, timewindow)\\n// Join only with pools deleted in the same window\\n| join (AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(lookback)\\n| where OperationName =~ \\\"Library.AgentPoolDeleted\\\"\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n| extend AgentPoolId = tostring(Data.AgentPoolId)\\n| extend timekey = bin(TimeGenerated, timewindow)) on AgentPoolId, timekey\\n| project-reorder TimeGenerated, ActorUPN, UserAgent, IpAddress, AuthenticationMechanism, OperationName, AgentPoolName, IsHosted, IsLegacy, Data\\n| extend timestamp = TimeGenerated\\n| extend AccountName = tostring(split(ActorUPN, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(ActorUPN, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ActorUPN\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure DevOps Agent Pool Created Then Deleted\",\"description\":\"As well as adding build agents to an existing pool to execute malicious activity within a pipeline, an attacker could create a complete new agent pool and use this for execution.\\nAzure DevOps allows for the creation of agent pools with Azure hosted infrastructure or self-hosted infrastructure. Given the additional customizability of self-hosted agents this detection focuses on the creation of new self-hosted pools.\\nTo further reduce false positive rates the detection looks for pools created and deleted relatively quickly (within 7 days by default), as an attacker is likely to remove a malicious pool once used in order to reduce/remove evidence of their activity.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b9e3b9f8-a406-4151-9891-e5ff1ddd8c1d\",\"name\":\"b9e3b9f8-a406-4151-9891-e5ff1ddd8c1d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"//Collect the alert events\\nlet alertData = SecurityAlert\\n| where DisplayName has \\\"Potential malware uploaded to\\\"\\n| extend Entities = parse_json(Entities)\\n| mv-expand Entities;\\n//Parse the IP address data\\nlet ipData = alertData\\n| where Entities[\u0027Type\u0027] =~ \\\"ip\\\"\\n| extend AttackerIP = tostring(Entities[\u0027Address\u0027]), AttackerCountry = tostring(Entities[\u0027Location\u0027][\u0027CountryName\u0027]);\\n//Parse the file data\\nlet FileData = alertData\\n| where Entities[\u0027Type\u0027] =~ \\\"file\\\"\\n| extend MaliciousFileDirectory = tostring(Entities[\u0027Directory\u0027]), MaliciousFileName = tostring(Entities[\u0027Name\u0027]), MaliciousFileHashes = tostring(Entities[\u0027FileHashes\u0027]);\\n//Combine the File and IP data together\\nipData\\n| join (FileData) on VendorOriginalId\\n| summarize by TimeGenerated, AttackerIP, AttackerCountry, DisplayName, ResourceId, AlertType, MaliciousFileDirectory, MaliciousFileName, MaliciousFileHashes\\n//Create a type column so we can track if it was a File storage or blobl storage upload\\n| extend type = iff(DisplayName has \\\"file\\\", \\\"File\\\", \\\"Blob\\\")\\n| join (\\n union\\n StorageFileLogs,\\n StorageBlobLogs\\n //File upload operations\\n | where OperationName =~ \\\"PutBlob\\\" or OperationName =~ \\\"PutRange\\\"\\n //Parse out the uploader IP\\n | extend ClientIP = tostring(split(CallerIpAddress, \\\":\\\", 0)[0])\\n //Extract the filename from the Uri\\n | extend FileName = extract(@\\\"\\\\/([\\\\w\\\\-. ]+)\\\\?\\\", 1, Uri)\\n //Base64 decode the MD5 filehash, we will encounter non-ascii hex so string operations don\u0027t work\\n //We can work around this by making it an array then converting it to hex from an int\\n | extend base64Char = base64_decode_toarray(ResponseMd5)\\n | mv-expand base64Char\\n | extend hexChar = tohex(toint(base64Char))\\n | extend hexChar = iff(strlen(hexChar) \u003c 2, strcat(\\\"0\\\", hexChar), hexChar)\\n | extend SourceTable = iff(OperationName has \\\"range\\\", \\\"StorageFileLogs\\\", \\\"StorageBlobLogs\\\")\\n | summarize make_list(hexChar, 1000) by CorrelationId, ResponseMd5, FileName, AccountName, TimeGenerated, RequestBodySize, ClientIP, SourceTable\\n | extend Md5Hash = strcat_array(list_hexChar, \\\"\\\")\\n //Pack the file information the summarise into a ClientIP row\\n | extend p = pack(\\\"FileName\\\", FileName, \\\"FileSize\\\", RequestBodySize, \\\"Md5Hash\\\", Md5Hash, \\\"Time\\\", TimeGenerated, \\\"SourceTable\\\", SourceTable)\\n | summarize UploadedFileInfo=make_list(p, 10000), FilesUploaded=count() by ClientIP\\n | join kind=leftouter (\\n union\\n StorageFileLogs,\\n StorageBlobLogs\\n | where OperationName =~ \\\"DeleteFile\\\" or OperationName =~ \\\"DeleteBlob\\\"\\n | extend ClientIP = tostring(split(CallerIpAddress, \\\":\\\", 0)[0])\\n | extend FileName = extract(@\\\"\\\\/([\\\\w\\\\-. ]+)\\\\?\\\", 1, Uri)\\n | extend SourceTable = iff(OperationName has \\\"range\\\", \\\"StorageFileLogs\\\", \\\"StorageBlobLogs\\\")\\n | extend p = pack(\\\"FileName\\\", FileName, \\\"Time\\\", TimeGenerated, \\\"SourceTable\\\", SourceTable)\\n | summarize DeletedFileInfo=make_list(p, 10000), FilesDeleted=count() by ClientIP\\n ) on ClientIP\\n ) on $left.AttackerIP == $right.ClientIP\\n| mvexpand UploadedFileInfo\\n| extend LinkedMaliciousFileName = tostring(UploadedFileInfo.FileName)\\n| extend LinkedMaliciousFileHash = tostring(UploadedFileInfo.Md5Hash)\\n| extend HashAlgorithm = \\\"MD5\\\"\\n| project AlertTimeGenerated = TimeGenerated, LinkedMaliciousFileName, LinkedMaliciousFileHash, HashAlgorithm, AlertType, AttackerIP, AttackerCountry, MaliciousFileDirectory, MaliciousFileName, FilesUploaded, UploadedFileInfo\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"AttackerIP\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"HashAlgorithm\"},{\"identifier\":\"Value\",\"columnName\":\"LinkedMaliciousFileHash\"}]}],\"tactics\":[\"CommandAndControl\",\"Exfiltration\"],\"displayName\":\"Linked Malicious Storage Artifacts\",\"description\":\"This query identifies the additional files uploaded by the same IP address which triggered a malware alert for malicious content upload on Azure Blob or File Storage Container.\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2021-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftCloudAppSecurity\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/94749332-1ad9-49dd-a5ab-5ff2170788fc\",\"name\":\"94749332-1ad9-49dd-a5ab-5ff2170788fc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/SOURGUM.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet domains = (iocs | where Type =~ \\\"domainname\\\"| project IoC);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\nlet file_path1 = (iocs | where Type =~ \\\"filepath1\\\" | project IoC);\\nlet file_path2 = (iocs | where Type =~ \\\"filepath2\\\" | project IoC);\\nlet file_path3 = (iocs | where Type =~ \\\"filepath3\\\" | project IoC);\\nlet reg_key = (iocs | where Type =~ \\\"regkey\\\" | project IoC);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where DestinationHostName has_any (domains) or RequestURL has_any (domains) or Message has_any (domains)\\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 *\\n| project TimeGenerated, Message, SourceUserID, RequestURL, DestinationHostName, Type, SourceIP, DestinationIP, DNSName\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SourceUserID, UrlCustomEntity = RequestURL , IPCustomEntity = DestinationIP, DNSCustomEntity = DNSName\\n),\\n(DnsEvents\\n| where Name in~ (domains)\\n| project TimeGenerated, Computer, IPAddresses, Name, ClientIP, Type\\n| extend DNSName = Name, Host = Computer\\n| extend timestamp = TimeGenerated, HostCustomEntity = Host, DNSCustomEntity = DNSName, IPCustomEntity = IPAddresses\\n),\\n(VMConnection\\n| where RemoteDnsCanonicalNames has_any (domains)\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| project TimeGenerated, Computer, Direction, RemoteDnsCanonicalNames, ProcessName, SourceIp, DestinationIp, DestinationPort, DNSName,BytesSent, BytesReceived, RemoteCountry, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIp, HostCustomEntity = Computer, ProcessCustomEntity = ProcessName, DNSCustomEntity = DNSName\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = tostring(EventDetail.[9].[\\\"#text\\\"]), DestinationIP = tostring(EventDetail.[14].[\\\"#text\\\"]), Image = EventDetail.[4].[\\\"#text\\\"]\\n| where Image has_any (file_path1) or Image has_any (file_path3)\\n| project TimeGenerated, SourceIP, DestinationIP, Image, UserName, Computer, EventDetail, Type\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), HostCustomEntity = Computer , IPCustomEntity = DestinationIP\\n), \\n(DeviceNetworkEvents\\n| where (RemoteUrl has_any (domains)) or (InitiatingProcessSHA256 in (sha256Hashes) and InitiatingProcessFolderPath has_any (file_path1)) or InitiatingProcessFolderPath has_any (file_path3)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, LocalIP, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName, UrlCustomEntity =RemoteUrl\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| project TimeGenerated,Resource, msg_s, Type\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where Request_Name has_any (domains)\\n| extend timestamp = TimeGenerated, DNSName = Request_Name, IPCustomEntity = ClientIP\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| project TimeGenerated,Resource, msg_s\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where DestinationHost has_any (domains) \\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost\\n),\\n(AZFWDnsQuery\\n| where QueryName has_any (domains)\\n| extend timestamp = TimeGenerated, DNSName = QueryName, IPCustomEntity = SourceIp\\n),\\n(AZFWApplicationRule\\n| where Fqdn has_any (domains)\\n| extend timestamp = TimeGenerated, DNSName = Fqdn, IPCustomEntity = SourceIp\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| parse EventDetail with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| extend Image = EventDetail.[4].[\\\"#text\\\"], CommandLine = EventDetail.[10].[\\\"#text\\\"]\\n| where (SHA256 has_any (sha256Hashes) and Image has_any (file_path1)) or (Image has_any (file_path3)) or ( CommandLine has_any (file_path3)) or ( CommandLine has_any (file_path1)) or ( CommandLine has \u0027reg add\u0027 and CommandLine has_any (reg_key) and CommandLine has_any (file_path2)) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256, CommandLine, Image\\n| extend Type = strcat(Type, \\\": \\\", Source)\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = SHA256\\n),\\n(DeviceRegistryEvents\\n| where RegistryKey has_any (reg_key) and RegistryValueData has_any (file_path2)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type \\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256\\n),\\n(DeviceProcessEvents\\n| where ( InitiatingProcessCommandLine has_any (file_path1)) or ( InitiatingProcessCommandLine has_any (file_path3)) or ( InitiatingProcessCommandLine has \u0027reg add\u0027 and InitiatingProcessCommandLine has_any (reg_key) and InitiatingProcessCommandLine has_any (file_path2)) or (InitiatingProcessFolderPath has_any (file_path1)) or (InitiatingProcessFolderPath has_any (file_path3)) or (FolderPath has_any (file_path1)) or (FolderPath has_any (file_path3))\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, FolderPath, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256\\n),\\n(DeviceFileEvents\\n| where (InitiatingProcessSHA256 has_any (sha256Hashes) and InitiatingProcessFolderPath has_any (file_path1)) or (InitiatingProcessFolderPath has_any (file_path3)) or (FolderPath has_any (file_path1)) or (FolderPath has_any (file_path3)) or ( InitiatingProcessCommandLine has_any (file_path1)) or ( InitiatingProcessCommandLine has_any (file_path3))\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RequestAccountName, RequestSourceIP, InitiatingProcessSHA256, FolderPath, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = RequestAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256\\n),\\n(DeviceEvents\\n| where ( InitiatingProcessCommandLine has_any (file_path1)) or ( InitiatingProcessCommandLine has_any (file_path3)) or ( InitiatingProcessCommandLine has \u0027reg add\u0027 and InitiatingProcessCommandLine has_any (reg_key) and InitiatingProcessCommandLine has_any (file_path2)) or (InitiatingProcessFolderPath has_any (file_path1)) or (InitiatingProcessFolderPath has_any (file_path3)) or (FolderPath has_any (file_path1)) or (FolderPath has_any (file_path3))\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, FolderPath, Type\\n| extend CommandLine = InitiatingProcessCommandLine\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256\\n),\\n( SecurityEvent\\n| where EventID == 4688\\n| where ( CommandLine has_any (file_path1)) or ( CommandLine has_any (file_path3)) or ( CommandLine has \u0027reg add\u0027 and CommandLine has_any (reg_key) and CommandLine has_any (file_path2)) or (NewProcessName has_any (file_path1)) or (NewProcessName has_any (file_path3)) or (ParentProcessName has_any (file_path1)) or (ParentProcessName has_any (file_path3))\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"[Deprecated] - Caramel Tsunami Actor IOC - July 2021\",\"description\":\"This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft\u0027s Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2021-07-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceRegistryEvents\",\"DeviceFileEvents\",\"DeviceEvents\",\"DeviceProcessEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\",\"AZFWApplicationRule\",\"AZFWDnsQuery\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f80d951a-eddc-4171-b9d0-d616bb83efdc\",\"name\":\"f80d951a-eddc-4171-b9d0-d616bb83efdc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"High\",\"query\":\"let query_frequency = 1h;\\nlet query_period = 2h;\\nAuditLogs\\n| where TimeGenerated \u003e ago(query_period)\\n| where Category =~ \\\"ApplicationManagement\\\" and LoggedByService =~ \\\"Core Directory\\\"\\n| where OperationName =~ \\\"Add app role assignment to service principal\\\"\\n| mv-expand TargetResource = TargetResources\\n| mv-expand modifiedProperty = TargetResource[\\\"modifiedProperties\\\"]\\n| where tostring(modifiedProperty[\\\"displayName\\\"]) == \\\"AppRole.Value\\\"\\n| extend PermissionGrant = tostring(modifiedProperty[\\\"newValue\\\"])\\n| where PermissionGrant has \\\"RoleManagement.ReadWrite.Directory\\\"\\n| mv-apply modifiedProperty = TargetResource[\\\"modifiedProperties\\\"] on (\\n summarize modifiedProperties = make_bag(\\n bag_pack(tostring(modifiedProperty[\\\"displayName\\\"]),\\n bag_pack(\\\"oldValue\\\", trim(@\u0027[\\\\\\\"\\\\s]+\u0027, tostring(modifiedProperty[\\\"oldValue\\\"])),\\n \\\"newValue\\\", trim(@\u0027[\\\\\\\"\\\\s]+\u0027, tostring(modifiedProperty[\\\"newValue\\\"])))), 100)\\n)\\n| project\\n PermissionGrant_TimeGenerated = TimeGenerated,\\n PermissionGrant_OperationName = OperationName,\\n PermissionGrant_Result = Result,\\n PermissionGrant,\\n AppDisplayName = tostring(modifiedProperties[\\\"ServicePrincipal.DisplayName\\\"][\\\"newValue\\\"]),\\n AppServicePrincipalId = tostring(modifiedProperties[\\\"ServicePrincipal.ObjectID\\\"][\\\"newValue\\\"]),\\n PermissionGrant_InitiatedBy = InitiatedBy,\\n PermissionGrant_TargetResources = TargetResources,\\n PermissionGrant_AdditionalDetails = AdditionalDetails,\\n PermissionGrant_CorrelationId = CorrelationId\\n| join kind=inner (\\n AuditLogs\\n | where TimeGenerated \u003e ago(query_frequency)\\n | where Category =~ \\\"RoleManagement\\\" and LoggedByService =~ \\\"Core Directory\\\" and AADOperationType =~ \\\"Assign\\\"\\n | where isnotempty(InitiatedBy[\\\"app\\\"])\\n | mv-expand TargetResource = TargetResources\\n | mv-expand modifiedProperty = TargetResource[\\\"modifiedProperties\\\"]\\n | where tostring(modifiedProperty[\\\"displayName\\\"]) in (\\\"Role.DisplayName\\\", \\\"RoleDefinition.DisplayName\\\")\\n | extend RoleAssignment = tostring(modifiedProperty[\\\"newValue\\\"])\\n | where RoleAssignment contains \\\"Admin\\\"\\n | project\\n RoleAssignment_TimeGenerated = TimeGenerated,\\n RoleAssignment_OperationName = OperationName,\\n RoleAssignment_Result = Result,\\n RoleAssignment,\\n TargetType = tostring(TargetResources[0][\\\"type\\\"]),\\n Target = iff(isnotempty(TargetResources[0][\\\"displayName\\\"]), tostring(TargetResources[0][\\\"displayName\\\"]), tolower(TargetResources[0][\\\"userPrincipalName\\\"])),\\n TargetId = tostring(TargetResources[0][\\\"id\\\"]),\\n RoleAssignment_InitiatedBy = InitiatedBy,\\n RoleAssignment_TargetResources = TargetResources,\\n RoleAssignment_AdditionalDetails = AdditionalDetails,\\n RoleAssignment_CorrelationId = CorrelationId,\\n AppServicePrincipalId = tostring(InitiatedBy[\\\"app\\\"][\\\"servicePrincipalId\\\"])\\n ) on AppServicePrincipalId\\n| where PermissionGrant_TimeGenerated \u003c RoleAssignment_TimeGenerated\\n| extend\\n TargetName = tostring(split(Target, \\\"@\\\")[0]),\\n TargetUPNSuffix = tostring(split(Target, \\\"@\\\")[1])\\n| project PermissionGrant_TimeGenerated, PermissionGrant_OperationName, PermissionGrant_Result, PermissionGrant, AppDisplayName, AppServicePrincipalId, PermissionGrant_InitiatedBy, PermissionGrant_TargetResources, PermissionGrant_AdditionalDetails, PermissionGrant_CorrelationId, RoleAssignment_TimeGenerated, RoleAssignment_OperationName, RoleAssignment_Result, RoleAssignment, TargetType, Target, TargetName, TargetUPNSuffix, TargetId, RoleAssignment_InitiatedBy, RoleAssignment_TargetResources, RoleAssignment_AdditionalDetails, RoleAssignment_CorrelationId\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"AppDisplayName\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"TargetName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"TargetUPNSuffix\"}]}],\"tactics\":[\"PrivilegeEscalation\",\"Persistence\"],\"displayName\":\"Admin promotion after Role Management Application Permission Grant\",\"description\":\"This rule looks for a service principal being granted the Microsoft Graph RoleManagement.ReadWrite.Directory (application) permission before being used to add an Azure AD object or user account to an Admin directory role (i.e. Global Administrators).\\nThis is a known attack path that is usually abused when a service principal already has the AppRoleAssignment.ReadWrite.All permission granted. This permission allows an app to manage permission grants for application permissions to any API.\\nA service principal can promote itself or other service principals to admin roles (i.e. Global Administrators). This would be considered a privilege escalation technique.\\nRef : https://docs.microsoft.com/graph/permissions-reference#role-management-permissions, https://docs.microsoft.com/graph/api/directoryrole-post-members?view=graph-rest-1.0\u0026tabs=http\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2021-11-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c37711a4-5f44-4472-8afc-0679bc0ef966\",\"name\":\"c37711a4-5f44-4472-8afc-0679bc0ef966\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"3.0.0\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/FoggyWebIOC.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet sha256Hashes = (iocs | where Type == \\\"sha256\\\" | project IoC);\\nlet FilePaths = (iocs | where Type =~ \\\"FilePath\\\" | project IoC);\\nlet POST_URI = (iocs | where Type =~ \\\"URI1\\\" | project IoC);\\nlet GET_URI = (iocs | where Type =~ \\\"URI2\\\" | project IoC);\\n//Include in the list below, the ADFS servers you know about in your environment. In the next part of the query, we will try to identify them for you if you have the telemetry.\\nlet ADFS_Servers1 = datatable(Computer:string)\\n[ \\\"\u003cADFS01\u003e.\u003cDOMAIN\u003e.\u003cCOM\u003e\\\",\\n\\\"\u003cADFS02\u003e.\u003cDOMAIN\u003e.\u003cCOM\u003e\\\"\\n];\\n// Automatically identify potential ADFS services in your environment by searching process event telemetry for \\\"Microsoft.IdentityServer.ServiceHost.exe\\\".\\nlet ADFS_Servers2 = \\n(union isfuzzy=true\\n(SecurityEvent\\n| where EventID == 4688 and SubjectLogonId != \\\"0x3e4\\\"\\n| where ProcessName has \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n),\\n( WindowsEvent\\n| where EventID == 4688 and EventData has \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"// and not(EventData has \\\"0x3e4\\\")\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| where ProcessName == \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| extend SubjectLogonId = tostring(EventData.SubjectLogonId)\\n| where SubjectLogonId != \\\"0x3e4\\\"\\n| distinct Computer\\n),\\n(DeviceProcessEvents\\n| where InitiatingProcessFileName == \u0027Microsoft.IdentityServer.ServiceHost.exe\u0027\\n| extend Computer = DeviceName\\n| distinct Computer\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key=tostring([\u0027@Name\u0027]), Value=[\u0027#text\u0027]\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| extend process = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n| where process =~ \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n)\\n);\\nlet ADFS_Servers =\\nADFS_Servers1\\n| union (ADFS_Servers2 | distinct Computer);\\n(union isfuzzy=true\\n(DeviceNetworkEvents\\n| where DeviceName in (ADFS_Servers)\\n| where isnotempty(InitiatingProcessSHA256) or isnotempty(InitiatingProcessFolderPath)\\n| where InitiatingProcessSHA256 has_any (sha256Hashes) or InitiatingProcessFolderPath has_any (FilePaths)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort, LocalIP, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\" and EventID == \u00277\u0027\\n| where Computer in (ADFS_Servers)\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend ImageLoaded = EventDetail.[5].[\\\"#text\\\"], Hashes = EventDetail.[11].[\\\"#text\\\"]\\n| parse Hashes with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| where ImageLoaded has_any (FilePaths) or SHA256 has_any (sha256Hashes) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256, ImageLoaded, EventID\\n| extend Type = strcat(Type,\\\":\\\",EventID, \\\": \\\", Source), Account = UserName, FileHash = SHA256, Image = EventDetail.[4].[\\\"#text\\\"] \\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, SourceUserID, FileHash, Type\\n| extend timestamp = TimeGenerated, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(DeviceEvents\\n| where DeviceName in (ADFS_Servers)\\n| extend FilePath = strcat(FolderPath, \u0027\\\\\\\\\u0027, FileName)\\n| where InitiatingProcessSHA256 has_any (sha256Hashes) or FilePath has_any (FilePaths)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(DeviceFileEvents\\n| where DeviceName in (ADFS_Servers)\\n| where FolderPath has_any (FilePaths) or SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(DeviceImageLoadEvents\\n| where DeviceName in (ADFS_Servers)\\n| where FolderPath has_any (FilePaths) or SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where Computer in (ADFS_Servers)\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| parse EventDetail with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| where EventDetail has_any (sha256Hashes) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256\\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = SHA256, Image = EventDetail.[4].[\\\"#text\\\"] \\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(W3CIISLog \\n| where ( csMethod == \u0027GET\u0027 and csUriStem has_any (GET_URI)) or (csMethod == \u0027POST\u0027 and csUriStem has_any (POST_URI))\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), cIP_MethodCount = count() \\nby cIP, cIP_MethodCountType = \\\"Count of repeated entries, this is to reduce rowsets returned\\\", csMethod, \\ncsHost, scStatus, sIP, csUriStem, csUriQuery, csUserName, csUserAgent, csCookie, csReferer\\n| extend timestamp = StartTime, IPCustomEntity = cIP, HostCustomEntity = csHost, AccountCustomEntity = csUserName\\n),\\n(imFileEvent\\n| where DvcHostname in (ADFS_Servers)\\n| where TargetFileSHA256 has_any (sha256Hashes) or FilePath has_any (FilePaths)\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]}],\"tactics\":[\"Collection\"],\"displayName\":\"[Deprecated] - Midnight Blizzard IOCs related to FoggyWeb backdoor\",\"description\":\"This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft\u0027s Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2021-09-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceFileEvents\",\"DeviceEvents\",\"DeviceImageLoadEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f3e2d35f-1202-4215-995c-4654ef07d1d8\",\"name\":\"f3e2d35f-1202-4215-995c-4654ef07d1d8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"version\":\"1.0.4\",\"severity\":\"Medium\",\"query\":\"let BEC_Keywords = dynamic([ \u0027invoice\u0027,\u0027payment\u0027,\u0027paycheck\u0027,\u0027transfer\u0027,\u0027bank statement\u0027,\u0027bank details\u0027,\u0027closing\u0027,\u0027funds\u0027,\u0027bank account\u0027,\u0027account details\u0027,\u0027remittance\u0027,\u0027purchase\u0027,\u0027deposit\u0027,\\\"PO#\\\",\\\"Zahlung\\\",\\\"Rechnung\\\",\\\"Paiement\\\", \\\"virement bancaire\\\",\\\"Bankuberweisung\\\",\u0027hacked\u0027,\u0027phishing\u0027]);\\n// Adjust this threshold based on your environment\\nlet sensitivity = 2.5;\\nlet Events = materialize(AWSCloudTrail\\n| where TimeGenerated between (ago(14d)..ago(0d))\\n| where UserIdentityAccountId != \\\"anonymous\\\"\\n| where EventSource startswith \\\"s3.\\\"\\n| where EventName =~ \\\"GetObject\\\"\\n| extend FilePath = tostring(parse_json(RequestParameters).key)\\n| where FilePath has_any(BEC_Keywords)\\n);\\nEvents\\n| summarize dcount(FilePath) by UserIdentityPrincipalid, bin(startofday(TimeGenerated), 1d)\\n| summarize CountOfDocs = make_list(dcount_FilePath, 10000), TimeStamp = make_list(TimeGenerated, 10000) by UserIdentityPrincipalid\\n| extend (Anomalies, Score, Baseline) = series_decompose_anomalies(CountOfDocs, sensitivity, -1, \u0027linefit\u0027)\\n| mv-expand CountOfDocs to typeof(double), TimeStamp to typeof(datetime), Anomalies to typeof(double),Score to typeof(double), Baseline to typeof(long)\\n| where Anomalies \u003e 0\\n| project TimeStamp, CountOfDocs, Baseline, Score, Anomalies, UserIdentityPrincipalid\\n| join kind=inner(Events | extend TimeStamp = startofday(TimeGenerated)) on TimeStamp, UserIdentityPrincipalid\\n| extend Name = iif(UserIdentityUserName contains \\\"@\\\", split(UserIdentityUserName, \\\"@\\\")[0], UserIdentityUserName)\\n| extend UPNSuffix = iif(UserIdentityUserName contains \\\"@\\\", split(UserIdentityUserName, \\\"@\\\")[1], \\\"\\\")\\n| project-reorder TimeGenerated, UserIdentityType, UserIdentityPrincipalid, UserIdentityUserName, FilePath, EventName, UserAgent, SourceIpAddress, CountOfDocs, Baseline, Score\",\"customDetails\":{\"UserType\":\"UserIdentityType\",\"Event\":\"EventName\",\"UserAgent\":\"UserAgent\"},\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserIdentityUserName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIpAddress\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"FilePath\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Suspicious access of {{CountOfDocs}} BEC related documents in AWS S3 buckets by {{UserIdentityUserName}}\",\"alertDescriptionFormat\":\"This query looks for users (in this case {{UserIdentityUserName}}) with suspicious spikes in the number of files accessed (in this case {{CountOfDocs}})that relate to topics commonly accessed as part of Business Email Compromise (BEC) attacks. The query looks for access to files in AWS S3 storage that relate to topics such as invoices or payments, and then looks for users accessing these files in significantly higher numbers than in the previous 14 days. Incidents raised by this analytic should be investigated to see if the user accessing these files should be accessing them, and if the volume they accessed them at was related to a legitimate business need. \\nThis query contains thresholds to reduce the chance of false positives, these can be adjusted to suit individual environments. In addition false positives could be generated by legitimate, scheduled actions that occur less often than every 14 days, additional exclusions can be added for these actions on username or IP address entities.\\n\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"Collection\"],\"displayName\":\"Suspicious access of BEC related documents in AWS S3 buckets\",\"description\":\"This query looks for users with suspicious spikes in the number of files accessed that relate to topics commonly accessed as part of Business Email Compromise (BEC) attacks.\\nThe query looks for access to files in AWS S3 storage that relate to topics such as invoices or payments, and then looks for users accessing these files in significantly higher numbers than in the previous 14 days. Incidents raised by this analytic should be investigated to see if the user accessing these files should be accessing them, and if the volume they accessed them at was related to a legitimate business need. \\nThis query contains thresholds to reduce the chance of false positives, these can be adjusted to suit individual environments. In addition false positives could be generated by legitimate, scheduled actions that occur less often than every 14 days, additional exclusions can be added for these actions on username or IP address entities.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2023-02-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9122a9cb-916b-4d98-a199-1b7b0af8d598\",\"name\":\"9122a9cb-916b-4d98-a199-1b7b0af8d598\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"beesweiserdog.com\\\", \\n \\\"bluehostfit.com\\\", \\n \\\"business-toys.com\\\", \\n \\\"cleanskycloud.com\\\", \\n \\\"cumberbat.com\\\", \\n \\\"czreadsecurity.com\\\", \\n \\\"dgtresorgouv.com\\\", \\n \\\"dimediamikedask.com\\\", \\n \\\"diresitioscon.com\\\", \\n \\\"elcolectador.com\\\", \\n \\\"elperuanos.org\\\", \\n \\\"eprotectioneu.com\\\", \\n \\\"fheacor.com\\\", \\n \\\"followthewaterdata.com\\\", \\n \\\"francevrteepress.com\\\", \\n \\\"futtuhy.com\\\", \\n \\\"gardienweb.com\\\", \\n \\\"heimflugaustr.com\\\", \\n \\\"ivpsers.com\\\", \\n \\\"jkeducation.org\\\", \\n \\\"micrlmb.com\\\", \\n \\\"muthesck.com\\\", \\n \\\"netscalertech.com\\\", \\n \\\"newgoldbalmap.com\\\", \\n \\\"news-laestrella.com\\\", \\n \\\"noticialif.com\\\", \\n \\\"opentanzanfoundation.com\\\", \\n \\\"optonlinepress.com\\\", \\n \\\"palazzochigi.com\\\", \\n \\\"pandemicacre.com\\\", \\n \\\"papa-ser.com\\\", \\n \\\"pekematclouds.com\\\", \\n \\\"pipcake.com\\\", \\n \\\"popularservicenter.com\\\", \\n \\\"projectsyndic.com\\\", \\n \\\"qsadtv.com\\\", \\n \\\"sankreal.com\\\", \\n \\\"scielope.com\\\", \\n \\\"seoamdcopywriting.com\\\", \\n \\\"slidenshare.com\\\", \\n \\\"somoswake.com\\\", \\n \\\"squarespacenow.com\\\", \\n \\\"subapostilla.com\\\", \\n \\\"suzukicycles.net\\\", \\n \\\"tatanotakeeps.com\\\", \\n \\\"tijuanazxc.com\\\", \\n \\\"transactioninfo.net\\\", \\n \\\"eurolabspro.com\\\", \\n \\\"adelluminate.com\\\", \\n \\\"headhunterblue.com\\\", \\n \\\"primenuesty.com\\\" \\n ]);\\nlet SHA256Hashes = dynamic ([\\\"02daf4544bcefb2de865d0b45fc406bee3630704be26a9d6da25c9abe906e7d2\\\", \\n \\\"0a45ec3da31838aa7f56e4cbe70d5b3b3809029f9159ff0235837e5b7a4cb34c\\\", \\n \\\"0d7965489810446ca7acc7a2160795b22e452a164261313c634a6529a0090a0c\\\", \\n \\\"10bb4e056fd19f2debe61d8fc5665434f56064a93ca0ec0bef946a4c3e098b95\\\", \\n \\\"12d914f24fe5501e09f5edf503820cc5fe8b763827a1c6d44cdb705e48651b21\\\", \\n \\\"1899f761123fedfeba0fee6a11f830a29cd3653bcdcf70380b72a05b921b4b49\\\", \\n \\\"22e68e366dd3323e5bb68161b0938da8e1331e4f1c1819c8e84a97e704d93844\\\", \\n \\\"259783405ec2cb37fdd8fd16304328edbb6a0703bc3d551eba252d9b450554ef\\\", \\n \\\"26debed09b1bbf24545e3b4501b799b66a0146d4020f882776465b5071e91822\\\", \\n \\\"35c5f22bb11f7dd7a2bb03808e0337cb7f9c0d96047b94c8afdab63efc0b9bb2\\\", \\n \\\"3ae2d9ffa4e53519e62cc0a75696f9023f9cce09b0a917f25699b48d0f7c4838\\\", \\n \\\"3bac2e459c69fcef8c1c93c18e5f4f3e3102d8d0f54a63e0650072aeb2a5fa65\\\", \\n \\\"3c0bf69f6faf85523d9e60d13218e77122b2adb0136ffebbad0f39f3e3eed4e6\\\", \\n \\\"3dc0001a11d54925d2591aec4ea296e64f1d4fdf17ff3343ddeea82e9bd5e4f1\\\", \\n \\\"3fd73af89e94af180b1fbf442bbfb7d7a6c4cf9043abd22ac0aa2f8149bafc90\\\", \\n \\\"6854df6aa0af46f7c77667c450796d5658b3058219158456e869ebd39a47d54b\\\", \\n \\\"6b79b807a66c786bd2e57d1c761fc7e69dd9f790ffab7ce74086c4115c9305ce\\\", \\n \\\"7944a86fbef6238d2a55c14c660c3a3d361c172f6b8fa490686cc8889b7a51a0\\\", \\n \\\"926904f7c0da13a6b8689c36dab9d20b3a2e6d32f212fca9e5f8cf2c6055333c\\\", \\n \\\"95e98c811ea9d212673d0e84046d6da94cbd9134284275195800278593594b5a\\\", \\n \\\"a142625512e5372a1728595be19dbee23eea50524b4827cb64ed5aaeaaa0270b\\\", \\n \\\"afe5e9145882e0b98a795468a4c0352f5b1ddb7b4a534783c9e8fc366914cf6a\\\", \\n \\\"b9027bad09a9f5c917cf0f811610438e46e42e5e984a8984b6d69206ceb74124\\\", \\n \\\"c132d59a3bf0099e0f9f5667daf7b65dba66780f4addd88f04eecae47d5d99fa\\\", \\n \\\"c9a5765561f52bbe34382ce06f4431f7ac65bafe786db5de89c29748cf371dda\\\", \\n \\\"ce0408f92635e42aadc99da3cc1cbc0044e63441129c597e7aa1d76bf2700c94\\\", \\n \\\"ce47bacc872516f91263f5e59441c54f14e9856cf213ca3128470217655fc5e6\\\", \\n \\\"d0fe4562970676e30a4be8cb4923dc9bfd1fca8178e8e7fea0f3f02e0c7435ce\\\", \\n \\\"d5b36648dc9828e69242b57aca91a0bb73296292bf987720c73fcd3d2becbae6\\\", \\n \\\"e72d142a2bc49572e2d99ed15827fc27c67fc0999e90d4bf1352b075f86a83ba\\\"\\n ]);\\nlet SigNames = dynamic([\\\"Backdoor:Win32/Leeson\\\", \\\"Trojan:Win32/Kechang\\\", \\\"Backdoor:Win32/Nightimp!dha\\\", \\\"Trojan:Win32/QuarkBandit.A!dha\\\", \\\"TrojanSpy:Win32/KeyLogger\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where isnotempty(FileHash)\\n| where FileHash in (SHA256Hashes) or DNSName in~ (DomainNames)\\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n),\\n(_Im_Dns(domain_has_any = DomainNames)\\n| extend DNSName = DnsQuery\\n| extend IPAddress = SrcIpAddr\\n),\\n(_Im_WebSession(url_has_any = DomainNames)\\n| extend DNSName = tostring(parse_url(Url)[\\\"Host\\\"])\\n| extend IPAddress = SrcIpAddr\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updataing\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Hashes = EventDetail.[16].[\\\"#text\\\"]\\n| parse Hashes with * \u0027SHA256=\u0027 SHA256 \u0027,\u0027 * \\n| where isnotempty(Hashes)\\n| where Hashes in (SHA256Hashes) \\n| extend Account = UserName\\n),\\n(DeviceFileEvents\\n| where SHA256 in~ (SHA256Hashes)\\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = SHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(imFileEvent\\n| where TargetFileSHA256 in~ (SHA256Hashes)\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(DeviceNetworkEvents\\n| where RemoteUrl in~ (DomainNames)\\n| extend Computer = DeviceName, IPAddress = LocalIP, Account = InitiatingProcessAccountName\\n| project Type, TimeGenerated, Computer, Account, IPAddress, RemoteUrl\\n),\\n(SecurityAlert\\n| where ProductName == \\\"Microsoft Defender Advanced Threat Protection\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| where isnotempty(ThreatName)\\n| where ThreatName has_any (SigNames)\\n| extend Computer = tostring(parse_json(Entities)[0].HostName)\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPAddress = SourceHost\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"[Deprecated] - Known Nylon Typhoon domains and hashes\",\"description\":\"This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft\u0027s Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2021-11-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c3b11fb2-9201-4844-b7b9-6b7bf6d9b851\",\"name\":\"c3b11fb2-9201-4844-b7b9-6b7bf6d9b851\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.4\",\"severity\":\"Medium\",\"query\":\"let threshold = 200;\\n_Im_Dns(responsecodename=\u0027NXDOMAIN\u0027)\\n| where isnotempty(DnsResponseCodeName)\\n//| where DnsResponseCodeName =~ \\\"NXDOMAIN\\\"\\n| summarize count() by SrcIpAddr, bin(TimeGenerated,15m)\\n| where count_ \u003e threshold\\n| join kind=inner (_Im_Dns(responsecodename=\u0027NXDOMAIN\u0027)\\n ) on SrcIpAddr\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Excessive NXDOMAIN DNS Queries (ASIM DNS Schema)\",\"description\":\"This creates an incident in the event a client generates excessive amounts of DNS queries for non-existent domains. \\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema\",\"lastUpdatedDateUTC\":\"2023-12-12T00:00:00Z\",\"createdDateUTC\":\"2021-06-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/09ec8fa2-b25f-4696-bfae-05a7b85d7b9e\",\"name\":\"09ec8fa2-b25f-4696-bfae-05a7b85d7b9e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT3H\",\"queryPeriod\":\"PT3H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.5\",\"severity\":\"High\",\"query\":\"let timeframe = ago(3h);\\nlet threshold = 2;\\nimAuthentication\\n| where TimeGenerated \u003e timeframe\\n| where EventType == \u0027Logon\u0027\\n and EventResult == \u0027Success\u0027\\n| where isnotempty(SrcGeoCountry)\\n| summarize\\n StartTime = min(TimeGenerated)\\n , EndTime = max(TimeGenerated)\\n , Vendors = make_set(EventVendor, 128)\\n , Products = make_set(EventProduct, 128)\\n , NumOfCountries = dcount(SrcGeoCountry)\\n , Countries = make_set(SrcGeoCountry, 128)\\n by TargetUserId, TargetUsername, TargetUserType\\n| where NumOfCountries \u003e= threshold\\n| where TargetUserType !in (\\\"Application\\\", \\\"Service\\\", \\\"System\\\", \\\"Other\\\", \\\"Machine\\\", \\\"ServicePrincipal\\\")\\n| extend\\n Name = iif(\\n TargetUsername contains \\\"@\\\"\\n , tostring(split(TargetUsername, \u0027@\u0027, 0)[0])\\n , TargetUsername\\n ),\\n UPNSuffix = iif(\\n TargetUsername contains \\\"@\\\"\\n , tostring(split(TargetUsername, \u0027@\u0027, 1)[0])\\n , \\\"\\\"\\n )\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUserName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"User login from different countries within 3 hours (Uses Authentication Normalization)\",\"description\":\"This query searches for successful user logins from different countries within 3 hours.\\n To use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimAuthentication)\",\"lastUpdatedDateUTC\":\"2024-06-28T00:00:00Z\",\"createdDateUTC\":\"2021-06-14T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ed8c9153-6f7a-4602-97b4-48c336b299e1\",\"name\":\"ed8c9153-6f7a-4602-97b4-48c336b299e1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let guids = dynamic([\\\"{ddc05a5a-351a-4e06-8eaf-54ec1bc2dcea}\\\",\\\"{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\\\",\\\"{4590f811-1d3a-11d0-891f-00aa004b2e24}\\\", \\\"{4de225bf-cf59-4cfc-85f7-68b90f185355}\\\", \\\"{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A}\\\"]);\\n let mde_data = DeviceRegistryEvents\\n | where ActionType =~ \\\"RegistryValueSet\\\"\\n | where RegistryKey contains \\\"HKEY_LOCAL_MACHINE\\\\\\\\SOFTWARE\\\\\\\\Classes\\\\\\\\CLSID\\\"\\n | where RegistryKey has_any (guids)\\n | where RegistryValueData has \\\"System32\\\\\\\\spool\\\\\\\\drivers\\\\\\\\color\\\";\\n let event_data = SecurityEvent\\n | where EventID == 4657\\n | where ObjectName contains \\\"HKEY_LOCAL_MACHINE\\\\\\\\SOFTWARE\\\\\\\\Classes\\\\\\\\CLSID\\\"\\n | where ObjectName has_any (guids)\\n | where NewValue has \\\"System32\\\\\\\\spool\\\\\\\\drivers\\\\\\\\color\\\"\\n | extend RegistryKey = ObjectName, RegistryValueData = NewValue, DeviceName=Computer, InitiatingProcessFileName = Process, InitiatingProcessAccountName=SubjectUserName, InitiatingProcessAccountDomain = SubjectDomainName;\\n union mde_data, event_data\\n | extend HostName = tostring(split(DeviceName, \\\".\\\")[0]), DomainIndex = toint(indexof(DeviceName, \u0027.\u0027))\\n | extend HostNameDomain = iff(DomainIndex != -1, substring(DeviceName, DomainIndex + 1), DeviceName)\",\"entityMappings\":[{\"entityType\":\"RegistryKey\",\"fieldMappings\":[{\"identifier\":\"Key\",\"columnName\":\"RegistryKey\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DeviceName\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"InitiatingProcessFileName\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"InitiatingProcessAccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"InitiatingProcessAccountName\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"COM Registry Key Modified to Point to File in Color Profile Folder\",\"description\":\"This query looks for changes to COM registry keys to point to files in C:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\color\\\\.\\n This can be used to enable COM hijacking for persistence.\\n Ref: https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2022-07-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceRegistryEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b619d1f1-7f39-4c7e-bf9e-afbb46457997\",\"name\":\"b619d1f1-7f39-4c7e-bf9e-afbb46457997\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Medium\",\"query\":\"let timeframe = 15m;\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(timeframe)\\n| where HttpUserAgentOriginal contains \\\"XMRig\\\" or HttpUserAgentOriginal contains \\\"ccminer\\\"\\n| extend Message = \\\"Crypto Miner User Agent\\\"\\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated,HttpUserAgentOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlOriginal\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - Crypto Miner User-Agent Detected\",\"description\":\"Detects suspicious user agent strings used by crypto miners in proxy logs.\",\"lastUpdatedDateUTC\":\"2023-12-29T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/677da133-e487-4108-a150-5b926591a92b\",\"name\":\"677da133-e487-4108-a150-5b926591a92b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"Medium\",\"query\":\"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string)\\n[@\\\"https://raw.githubusercontent.com/microsoft/mstic/master/Indicators/May21-NOBELIUM/May21NOBELIUMIoCs.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet sha256s = (iocs | where Type =~ \\\"SHA256\\\"| project IoC);\\nlet ips = (iocs | where Type =~ \\\"IP\\\"| project IoC);\\nlet IPList = dynamic([\\\"192.99.221.77\\\",\\\"83.171.237.173\\\"]);\\nlet ips_list=toscalar(ips | summarize makeset(IoC));\\nlet full_ip_list= array_concat(ips_list, IPList);\\nlet domains = (iocs | where Type =~ \\\"Domain\\\"| project IoC);\\nlet domain_list=toscalar(domains | summarize make_set(IoC));\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\nlet sha256Hashes = dynamic([\\\"2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9226c80b8b31252\\\",\\n\\\"d035d394a82ae1e44b25e273f99eae8e2369da828d6b6fdb95076fd3eb5de142\\\",\\n\\\"94786066a64c0eb260a28a2959fcd31d63d175ade8b05ae682d3f6f9b2a5a916\\\",\\n\\\"48b5fb3fa3ea67c2bc0086c41ec755c39d748a7100d71b81f618e82bf1c479f0\\\",\\n\\\"ee44c0692fd2ab2f01d17ca4b58ca6c7f79388cbc681f885bb17ec946514088c\\\",\\n\\\"ee42ddacbd202008bcc1312e548e1d9ac670dd3d86c999606a3a01d464a2a330\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or DestinationHostName in~ (domains) or RequestURL has_any (domains) or Message has_any (IPList)\\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", RequestURL in (domains), \\\"RequestUrl\\\", SourceIP in (ips), \\\"SourceIP\\\", DestinationIP in (ips), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", \\\"NoMatch\\\") \\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, \\\"NoMatch\\\"), AccountCustomEntity = SourceUserID\\n),\\n(_Im_Dns (domain_has_any=todynamic(domain_list))\\n| extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host\\n),\\n(_Im_Dns (response_has_any_prefix=todynamic(full_ip_list))\\n| extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host\\n),\\n(VMConnection\\n| where SourceIp in (IPList) or DestinationIp in (IPList) or SourceIp in (ips) or DestinationIp in (ips) or RemoteDnsCanonicalNames has_any (domains)\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", SourceIp in (ips), \\\"SourceIP\\\", DestinationIp in (ips), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"NoMatch\\\"), HostCustomEntity = Computer\\n),\\n(OfficeActivity\\n| where ClientIP in (IPList) or ClientIP in (ips)\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = UserId\\n),\\n(WindowsFirewall\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or SourceIP in (ips) or DestinationIP in (ips)\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", SourceIP in (ips), \\\"SourceIP\\\", DestinationIP in (ips), \\\"DestinationIP\\\", \\\"None\\\")\\n),\\n(_Im_NetworkSession(srcipaddr_has_any_prefix=full_ip_list)\\n | extend IPMatch = \\\"SourceIP\\\"\\n | extend timestamp = TimeGenerated, HostCustomEntity = Dvc , IPCustomEntity = SrcIpAddr //, AccountCustomEntity =User\\n),\\n(_Im_NetworkSession(dstipaddr_has_any_prefix=full_ip_list)\\n | extend IPMatch = \\\"DestinationIP\\\"\\n | extend timestamp = TimeGenerated, HostCustomEntity = Dvc , IPCustomEntity = DstIpAddr //, AccountCustomEntity =User\\n),\\n(_Im_WebSession(url_has_any=domains)\\n | extend timestamp=TimeGenerated, HostCustomEntity=Dvc , DNSName=tostring(parse_url(Url)[\\\"Host\\\"]), AccountCustomEntity=User\\n),\\n(_Im_WebSession(srcipaddr_has_any_prefix=full_ip_list)\\n | extend timestamp=TimeGenerated, HostCustomEntity=Dvc , DNSName=tostring(parse_url(Url)[\\\"Host\\\"]), AccountCustomEntity=User\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (domains) \\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost\\n),\\n(AZFWApplicationRule\\n| where isnotempty(Fqdn)\\n| where Fqdn has_any (domains)\\n| extend timestamp = TimeGenerated\\n| extend DNSName = Fqdn\\n| extend IPCustomEntity = SourceIp\\n),\\n(AZFWDnsQuery\\n| where isnotempty(QueryName)\\n| where QueryName has_any (domains)\\n| extend timestamp = TimeGenerated\\n| extend DNSName = QueryName\\n| extend IPCustomEntity = SourceIp\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updating\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| where EventDetail has_any (sha256Hashes) or EventDetail has_any (sha256s)\\n| parse EventDetail with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = SHA256\\n| project Type, TimeGenerated, Computer, Account, FileHash\\n),\\n(DeviceFileEvents\\n| where SHA256 in~ (sha256Hashes) or SHA256 in~ (sha256s)\\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = SHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(imFileEvent\\n| where TargetFileSHA256 in~ (sha256Hashes) or TargetFileSHA256 in~ (sha256s)\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes) or FileHash in (sha256s)\\n| extend timestamp = TimeGenerated\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"DNSName\"}]}],\"tactics\":[\"CommandAndControl\",\"Execution\"],\"displayName\":\"[Deprecated] - Midnight Blizzard - Domain, Hash and IP IOCs - May 2021\",\"description\":\"This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft\u0027s Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2021-03-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceFileEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\",\"AZFWApplicationRule\",\"AZFWDnsQuery\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9d8b5a18-b7db-4c23-84a6-95febaf7e1e4\",\"name\":\"9d8b5a18-b7db-4c23-84a6-95febaf7e1e4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT12H\",\"queryPeriod\":\"PT12H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Europium_September2022.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\nlet IPList = (iocs | where Type =~ \\\"ip\\\"| project IoC);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList)\\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| project TimeGenerated, SourceIP, DestinationIP, Message, SourceUserID, RequestURL, DNSName, Type\\n| extend MessageIP = extract(IPRegex, 0, Message), RequestIP = extract(IPRegex, 0, RequestURL)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", \\\"NoMatch\\\")\\n| extend timestamp = TimeGenerated, IPEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, \\\"NoMatch\\\")\\n),\\n(DnsEvents\\n| where IPAddresses in (IPList) \\n| project TimeGenerated, Computer, IPAddresses, Name, ClientIP, Type\\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Computer \\n| extend timestamp = TimeGenerated, IPEntity = DestinationIPAddress, HostEntity = Computer\\n),\\n(VMConnection\\n| where SourceIp in (IPList) or DestinationIp in (IPList)\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| project TimeGenerated, Computer, Direction, ProcessName, SourceIp, DestinationIp, DestinationPort, RemoteDnsQuestions, DNSName,BytesSent, BytesReceived, RemoteCountry, Type\\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated, IPEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"NoMatch\\\"), File = ProcessName, HostEntity = Computer\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = tostring(EventDetail.[9].[\\\"#text\\\"]), DestinationIP = tostring(EventDetail.[14].[\\\"#text\\\"]), Image = tostring(EventDetail.[4].[\\\"#text\\\"])\\n| where SourceIP in (IPList) or DestinationIP in (IPList)\\n| project TimeGenerated, SourceIP, DestinationIP, Image, UserName, Computer, Type\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\")\\n| extend timestamp = TimeGenerated, File = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), IPEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\"), \\nHostEntity = Computer, AccountName = tostring(split(UserName, @\u0027\\\\\u0027)[1]), AccountDomain = tostring(split(UserName, @\u0027\\\\\u0027)[0])\\n| extend InitiatingProcessAccount = UserName\\n), \\n(OfficeActivity\\n| where ClientIP in (IPList) \\n| project TimeGenerated, UserAgent, Operation, RecordType, UserId, ClientIP, Type\\n| extend timestamp = TimeGenerated, IPEntity = ClientIP, AccountName = tostring(split(UserId, \\\"@\\\")[0]), AccountDomain = tostring(split(UserId, \\\"@\\\")[1])\\n| extend InitiatingProcessAccount = UserId\\n),\\n(DeviceNetworkEvents\\n| where RemoteIP in (IPList) or InitiatingProcessSHA256 in (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, Computer = DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, \\nInitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort, LocalIP, Type\\n| extend timestamp = TimeGenerated, IPEntity = RemoteIP, HostEntity = Computer, AccountName = InitiatingProcessAccountName, AccountDomain = InitiatingProcessAccountDomain\\n| extend InitiatingProcessAccount = strcat(AccountDomain, \\\"\\\\\\\\\\\", AccountName)\\n),\\n(WindowsFirewall\\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| project TimeGenerated, Computer, CommunicationDirection, SourceIP, DestinationIP, SourcePort, DestinationPort, Type\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\")\\n| extend timestamp = TimeGenerated, HostEntity = Computer, IPEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n), \\n(imFileEvent\\n| where TargetFileSHA256 has_any (sha256Hashes)\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n| extend timestamp = TimeGenerated, IPEntity = IPAddress, HostEntity = Computer, Algorithm = \\\"SHA256\\\", FileHash = tostring(FileHash)\\n| extend AccountName = tostring(split(Account, @\u0027\\\\\u0027)[1]), AccountDomain = tostring(split(Account, @\u0027\\\\\u0027)[0])\\n| extend InitiatingProcessAccount = Account\\n),\\n(DeviceFileEvents\\n| where SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, \\nInitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostEntity = DeviceName, AccountName = InitiatingProcessAccountName, AccountDomain = InitiatingProcessAccountDomain, \\nAlgorithm = \\\"SHA256\\\", FileHash = tostring(InitiatingProcessSHA256), CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n| extend InitiatingProcessAccount = strcat(AccountDomain, \\\"\\\\\\\\\\\", AccountName)\\n),\\n(DeviceImageLoadEvents\\n| where SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, \\nInitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostEntity = DeviceName, AccountName = InitiatingProcessAccountName, AccountDomain = InitiatingProcessAccountDomain, \\nAlgorithm = \\\"SHA256\\\", FileHash = tostring(InitiatingProcessSHA256), CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n| extend InitiatingProcessAccount = strcat(AccountDomain, \\\"\\\\\\\\\\\", AccountName)\\n),\\n(Event\\n| where Source =~ \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Image = EventDetail.[4].[\\\"#text\\\"], CommandLine = EventDetail.[10].[\\\"#text\\\"], Hashes = tostring(EventDetail.[17].[\\\"#text\\\"])\\n| extend Hashes = extract_all(@\\\"(?P\u003ckey\u003e\\\\w+)=(?P\u003cvalue\u003e[a-zA-Z0-9]+)\\\", dynamic([\\\"key\\\",\\\"value\\\"]), Hashes)\\n| extend Hashes = column_ifexists(\\\"Hashes\\\", dynamic([\\\"\\\", \\\"\\\"])), CommandLine = column_ifexists(\\\"CommandLine\\\", \\\"\\\")\\n| mv-expand Hashes\\n| where Hashes[0] =~ \\\"SHA256\\\" and Hashes[1] has_any (sha256Hashes) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, Hashes, CommandLine, Image\\n| extend Type = strcat(Type, \\\": \\\", Source)\\n| extend timestamp = TimeGenerated, HostEntity = Computer, AccountName = tostring(split(UserName, @\u0027\\\\\u0027)[1]), AccountUPNSuffix = tostring(split(UserName, @\u0027\\\\\u0027)[0]), FileHash = tostring(Hashes[1])\\n| extend InitiatingProcessAccount = UserName\\n)\\n)\\n| extend HostName = tostring(split(HostEntity, \\\".\\\")[0]), DomainIndex = toint(indexof(HostEntity, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(HostEntity, DomainIndex + 1), HostEntity)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingProcessAccount\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostEntity\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"Algorithm\"},{\"identifier\":\"Value\",\"columnName\":\"FileHash\"}]}],\"tactics\":[\"CommandAndControl\",\"CredentialAccess\"],\"displayName\":\"Europium - Hash and IP IOCs - September 2022\",\"description\":\"Identifies a match across various data feeds for hashes and IP IOC related to Europium\\n Reference: https://www.microsoft.com/security/blog/2022/09/08/microsoft-investigates-iranian-attacks-against-the-albanian-government\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2022-08-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceFileEvents\",\"DeviceImageLoadEvents\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f7c3f5c8-71ea-49ff-b8b3-148f0e346291\",\"name\":\"f7c3f5c8-71ea-49ff-b8b3-148f0e346291\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Low\",\"query\":\"let known_locations = (SigninLogs\\n | where TimeGenerated between(ago(7d)..ago(1d))\\n | where ResultType == 0\\n | extend LocationDetail = strcat(Location, \\\"-\\\", LocationDetails.state)\\n | summarize by LocationDetail);\\nlet known_asn = (SigninLogs\\n | where TimeGenerated between(ago(7d)..ago(1d))\\n | where ResultType == 0\\n | summarize by AutonomousSystemNumber);\\nSigninLogs\\n| where TimeGenerated \u003e ago(1d)\\n| where ResultType == 0\\n| where isempty(DeviceDetail.deviceId)\\n| where AuthenticationRequirement == \\\"singleFactorAuthentication\\\"\\n| extend LocationParsed = parse_json(LocationDetails), DeviceParsed = parse_json(DeviceDetail)\\n| extend City = tostring(LocationParsed.city), State = tostring(LocationParsed.state)\\n| extend LocationDetail = strcat(Location, \\\"-\\\", State)\\n| extend DeviceId = tostring(DeviceParsed.deviceId), DeviceName=tostring(DeviceParsed.displayName), OS=tostring(DeviceParsed.operatingSystem), Browser=tostring(DeviceParsed.browser)\\n| where AutonomousSystemNumber !in (known_asn) and LocationDetail !in (known_locations)\\n| project TimeGenerated, Type, UserId, UserDisplayName, UserPrincipalName, IPAddress, Location, State, City, ResultType, ResultDescription, AppId, AppDisplayName, AuthenticationRequirement, ConditionalAccessStatus, ResourceDisplayName, ClientAppUsed, Identity, HomeTenantId, ResourceTenantId, Status, UserAgent, DeviceId, DeviceName, OS, Browser, MfaDetail\\n| extend Name = tostring(split(UserPrincipalName,\u0027@\u0027,0)[0]), UPNSuffix = tostring(split(UserPrincipalName,\u0027@\u0027,1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]},{\"entityType\":\"CloudApplication\",\"fieldMappings\":[{\"identifier\":\"AppId\",\"columnName\":\"AppId\"},{\"identifier\":\"Name\",\"columnName\":\"AppDisplayName\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Anomalous Single Factor Signin\",\"description\":\"Detects successful signins using single factor authentication where the device, location, and ASN are abnormal.\\n Single factor authentications pose an opportunity to access compromised accounts, investigate these for anomalous occurrencess.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-devices#non-compliant-device-sign-in\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2024-06-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cfc1ae62-db63-4a3e-b88b-dc04030c2257\",\"name\":\"cfc1ae62-db63-4a3e-b88b-dc04030c2257\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"High\",\"query\":\"// change the starttime value for a longer period of known OIDs\\nlet starttime = 1d;\\n// change the lookback value for a longer period of lookback for suspicious/abnormal\\nlet lookback = 1h;\\nlet OIDList = SecurityEvent\\n| where TimeGenerated \u003e= ago(starttime)\\n| where EventSourceName == \u0027AD FS Auditing\u0027\\n| where EventID == 501\\n| where EventData has \u0027/eku\u0027\\n| extend OIDs = extract_all(@\\\"\u003cData\u003e([\\\\d+\\\\.]+)\u003c/Data\u003e\\\", EventData)\\n| mv-expand OIDs\\n| extend OID = tostring(OIDs)\\n| extend OID_Length = strlen(OID)\\n| project TimeGenerated, Computer, EventSourceName, EventID, OID, OID_Length, EventData\\n;\\nOIDList\\n| where TimeGenerated \u003e= ago(lookback)\\n| join kind=leftanti (\\nOIDList\\n| where TimeGenerated between (ago(starttime) .. ago(lookback))\\n| summarize by OID\\n) on OID\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"AD FS Abnormal EKU object identifier attribute\",\"description\":\"This detection uses Security events from the \\\"AD FS Auditing\\\" provider to detect suspicious object identifiers (OIDs) as part EventID 501 and specifically part of the Enhanced Key Usage attributes.\\nThis query checks to see if you have any new OIDs in the last hour that have not been seen in the previous day. New OIDs should be validated and OIDs that are very long, as indicated\\nby the OID_Length field, could also be an indicator of malicious activity.\\nIn order to use this query you need to enable AD FS auditing on the AD FS Server.\\nReferences:\\nhttps://www.microsoft.com/security/blog/2022/08/24/magicweb-nobeliums-post-compromise-trick-to-authenticate-as-anyone/\\nhttps://docs.microsoft.com/windows-server/identity/ad-fs/troubleshooting/ad-fs-tshoot-logging\\n\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2022-08-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/19e01883-15d8-4eb6-a7a5-3276cd668388\",\"name\":\"19e01883-15d8-4eb6-a7a5-3276cd668388\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Medium\",\"query\":\"let timeBin = 1m;\\nlet failedThreshold = 20;\\nW3CIISLog\\n| where scStatus in (\\\"401\\\",\\\"403\\\")\\n| where csUserName != \\\"-\\\"\\n| extend scStatusFull = strcat(scStatus, \\\".\\\",scSubStatus)\\n// Map common IIS codes\\n| extend scStatusFull_Friendly = case(\\nscStatusFull == \\\"401.0\\\", \\\"Access denied.\\\",\\nscStatusFull == \\\"401.1\\\", \\\"Logon failed.\\\",\\nscStatusFull == \\\"401.2\\\", \\\"Logon failed due to server configuration.\\\",\\nscStatusFull == \\\"401.3\\\", \\\"Unauthorized due to ACL on resource.\\\",\\nscStatusFull == \\\"401.4\\\", \\\"Authorization failed by filter.\\\",\\nscStatusFull == \\\"401.5\\\", \\\"Authorization failed by ISAPI/CGI application.\\\",\\nscStatusFull == \\\"403.0\\\", \\\"Forbidden.\\\",\\nscStatusFull == \\\"403.4\\\", \\\"SSL required.\\\",\\n\\\"See - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\\")\\n// Mapping to Hex so can be mapped using website in comments above\\n| extend scWin32Status_Hex = tohex(tolong(scWin32Status))\\n// Map common win32 codes\\n| extend scWin32Status_Friendly = case(\\nscWin32Status_Hex =~ \\\"775\\\", \\\"The referenced account is currently locked out and cannot be logged on to.\\\",\\nscWin32Status_Hex =~ \\\"52e\\\", \\\"Logon failure: Unknown user name or bad password.\\\",\\nscWin32Status_Hex =~ \\\"532\\\", \\\"Logon failure: The specified account password has expired.\\\",\\nscWin32Status_Hex =~ \\\"533\\\", \\\"Logon failure: Account currently disabled.\\\",\\nscWin32Status_Hex =~ \\\"2ee2\\\", \\\"The request has timed out.\\\",\\nscWin32Status_Hex =~ \\\"0\\\", \\\"The operation completed successfully.\\\",\\nscWin32Status_Hex =~ \\\"1\\\", \\\"Incorrect function.\\\",\\nscWin32Status_Hex =~ \\\"2\\\", \\\"The system cannot find the file specified.\\\",\\nscWin32Status_Hex =~ \\\"3\\\", \\\"The system cannot find the path specified.\\\",\\nscWin32Status_Hex =~ \\\"4\\\", \\\"The system cannot open the file.\\\",\\nscWin32Status_Hex =~ \\\"5\\\", \\\"Access is denied.\\\",\\nscWin32Status_Hex =~ \\\"8009030e\\\", \\\"SEC_E_NO_CREDENTIALS\\\",\\nscWin32Status_Hex =~ \\\"8009030C\\\", \\\"SEC_E_LOGON_DENIED\\\",\\n\\\"See - https://msdn.microsoft.com/library/cc231199.aspx\\\")\\n// decode URI when available\\n| extend decodedUriQuery = url_decode(csUriQuery)\\n// Count of failed attempts from same client IP\\n| summarize makeset(decodedUriQuery), makeset(csUserName), makeset(sSiteName), makeset(sPort), makeset(csUserAgent), makeset(csMethod), makeset(csUriQuery), makeset(scStatusFull), makeset(scStatusFull_Friendly), makeset(scWin32Status_Hex), makeset(scWin32Status_Friendly), FailedConnectionsCount = count() by bin(TimeGenerated, timeBin), cIP, Computer, sIP\\n| where FailedConnectionsCount \u003e= failedThreshold\\n| project TimeGenerated, cIP, set_csUserName, set_decodedUriQuery, Computer, set_sSiteName, sIP, set_sPort, set_csUserAgent, set_csMethod, set_scStatusFull, set_scStatusFull_Friendly, set_scWin32Status_Hex, set_scWin32Status_Friendly, FailedConnectionsCount\\n| order by FailedConnectionsCount\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"cIP\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"High count of failed attempts from same client IP\",\"description\":\"Identifies when 20 or more failed attempts from a given client IP in 1 minute occur on the IIS server.\\nThis could be indicative of an attempted brute force. This could also simply indicate a misconfigured service or device.\\nRecommendations: Validate that these are expected connections from the given Client IP. If the client IP is not recognized, potentially block these connections at the edge device.\\nIf these are expected connections, verify the credentials are properly configured on the system, service, application or device that is associated with the client IP.\\nReferences:\\nIIS status code mapping: https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\nWin32 Status code mapping: https://msdn.microsoft.com/library/cc231199.aspx\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2019-03-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/35ce9aff-1708-45b8-a295-5e9a307f5f17\",\"name\":\"35ce9aff-1708-45b8-a295-5e9a307f5f17\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"Medium\",\"query\":\"AzureDevOpsAuditing\\n| where OperationName =~ \\\"Group.UpdateGroupMembership.Add\\\"\\n| where Details has_any (\\\"Project Administrators\\\", \\\"Project Collection Administrators\\\", \\\"Project Collection Service Accounts\\\", \\\"Build Administrator\\\")\\n| project-reorder TimeGenerated, Details, ActorUPN, IpAddress, UserAgent, AuthenticationMechanism, ScopeDisplayName\\n| extend timekey = bin(TimeGenerated, 1h)\\n| extend ActorUserId = tostring(Data.MemberId)\\n| project timekey, ActorUserId, AddingUser=ActorUPN, TimeAdded=TimeGenerated, PermissionGrantDetails = Details\\n// Get details of operations conducted by user soon after elevation of permissions\\n| join (AzureDevOpsAuditing\\n| extend ActorUserId = tostring(Data.MemberId)\\n| extend timekey = bin(TimeGenerated, 1h)) on timekey, ActorUserId\\n| summarize ActionsWhenAdded = make_set(OperationName) by ActorUPN, AddingUser, TimeAdded, PermissionGrantDetails, IpAddress, UserAgent\\n| extend AccountName = tostring(split(ActorUPN, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(ActorUPN, \\\"@\\\")[1])\\n| extend AddingUserAccountName = tostring(split(AddingUser, \\\"@\\\")[0]), AddingUserAccountUPNSuffix = tostring(split(AddingUser, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ActorUPN\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddingUser\"},{\"identifier\":\"Name\",\"columnName\":\"AddingUserAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AddingUserAccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"New PA, PCA, or PCAS added to Azure DevOps\",\"description\":\"In order for an attacker to be able to conduct many potential attacks against Azure DevOps they will need to gain elevated permissions. \\nThis detection looks for users being granted key administrative permissions. If the principal of least privilege is applied, the number of users granted these permissions should be small. Note that permissions can also be granted via Microsoft Entra ID Protection groups and monitoring of these should also be conducted.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5b72f527-e3f6-4a00-9908-8e4fee14da9f\",\"name\":\"5b72f527-e3f6-4a00-9908-8e4fee14da9f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.7\",\"severity\":\"Low\",\"query\":\"CommonSecurityLog\\n| where isnotempty(DestinationPort) and DeviceAction !in (\\\"reset-both\\\", \\\"deny\\\")\\n// filter out common usage ports. Add ports that are legitimate for your environment\\n| where DestinationPort !in (\\\"443\\\", \\\"53\\\", \\\"389\\\", \\\"80\\\", \\\"0\\\", \\\"880\\\", \\\"8888\\\", \\\"8080\\\")\\n| where ApplicationProtocol == \\\"incomplete\\\"\\n// filter out IANA ephemeral or negotiated ports as per https://en.wikipedia.org/wiki/Ephemeral_port\\n| where DestinationPort !between (toint(49512) .. toint(65535))\\n| where Computer != \\\"\\\"\\n| where ipv4_is_private(DestinationIP) == false\\n| extend Reason = coalesce(\\n column_ifexists(\\\"Reason\\\", \\\"\\\"),\\n extract(\\\"reason=(.+?)(;|$)\\\", 1, AdditionalExtensions),\\n \\\"\\\"\\n )\\n// Filter out any graceful reset reasons of AGED OUT which occurs when a TCP session closes with a FIN due to aging out.\\n| where Reason !has \\\"aged-out\\\"\\n// Filter out any TCP FIN which occurs when a TCP FIN is used to gracefully close half or both sides of a connection.\\n| where Reason !has \\\"tcp-fin\\\"\\n// Uncomment one of the following where clauses to trigger on specific TCP reset reasons\\n// See Palo Alto article for details - https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClUvCAK\\n// TCP RST-server - Occurs when the server sends a TCP reset to the client\\n// | where AdditionalExtensions has \\\"reason=tcp-rst-from-server\\\"\\n// TCP RST-client - Occurs when the client sends a TCP reset to the server\\n// | where AdditionalExtensions has \\\"reason=tcp-rst-from-client\\\"\\n// Already performed\\n//| extend reason = tostring(split(AdditionalExtensions, \\\";\\\")[3])\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by DeviceName, SourceUserID, SourceIP, ApplicationProtocol, Reason, DestinationPort, Protocol, DeviceVendor, DeviceProduct, DeviceAction, DestinationIP\\n| where count_ \u003e= 10\\n| summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), makeset(DestinationIP), totalcount = sum(count_) by DeviceName, SourceUserID, SourceIP, ApplicationProtocol, Reason, DestinationPort, Protocol, DeviceVendor, DeviceProduct, DeviceAction\\n| extend timestamp = StartTimeUtc, IPCustomEntity = SourceIP, AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Discovery\"],\"displayName\":\"Palo Alto - possible internal to external port scanning\",\"description\":\"Identifies a list of internal Source IPs (10.x.x.x Hosts) that have triggered 10 or more non-graceful tcp server resets from one or more Destination IPs which results in an \\\"ApplicationProtocol = incomplete\\\" designation. The server resets coupled with an \\\"Incomplete\\\" ApplicationProtocol designation can be an indication of internal to external port scanning or probing attack.\\nReferences: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClUvCAK and\\nhttps://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClTaCAK\",\"lastUpdatedDateUTC\":\"2024-11-07T00:00:00Z\",\"createdDateUTC\":\"2019-02-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CefAma\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/af435ca1-fb70-4de1-92c1-7435c48482a9\",\"name\":\"af435ca1-fb70-4de1-92c1-7435c48482a9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"let admin_users = (IdentityInfo\\n | summarize arg_max(TimeGenerated, *) by AccountUPN\\n | where AssignedRoles contains \\\"admin\\\"\\n | summarize by tolower(AccountUPN));\\n let admin_asn = (SigninLogs\\n | where TimeGenerated between (ago(7d)..ago(1d))\\n | where tolower(UserPrincipalName) in (admin_users)\\n | summarize by AutonomousSystemNumber);\\n let admin_locations = (SigninLogs\\n | where TimeGenerated between (ago(7d)..ago(1d))\\n | where tolower(UserPrincipalName) in (admin_users)\\n | summarize by Location);\\n let admin_devices = (SigninLogs\\n | where TimeGenerated between (ago(7d)..ago(1d))\\n | where tolower(UserPrincipalName) in (admin_users)\\n | extend deviceId = tostring(DeviceDetail.deviceId)\\n | where isnotempty(deviceId)\\n | summarize by deviceId);\\n SigninLogs\\n | where TimeGenerated \u003e ago(1d)\\n | where ResultType == 0\\n | where tolower(UserPrincipalName) in (admin_users)\\n | extend deviceId = tostring(DeviceDetail.deviceId)\\n | where AutonomousSystemNumber !in (admin_asn) and deviceId !in (admin_devices) and Location !in (admin_locations)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Authentications of Privileged Accounts Outside of Expected Controls\",\"description\":\"Detects when a privileged user account successfully authenticates from a location, device or ASN that another admin has not logged in from in the last 7 days.\\n Privileged accounts are a key target for threat actors, monitoring for logins from these accounts that deviate from normal activity can help identify compromised accounts.\\n Authentication attempts should be investigated to ensure the activity was legitimate and if there is other similar activity.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-successful-unusual-sign-ins\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"BehaviorAnalytics\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"IdentityInfo\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0777f138-e5d8-4eab-bec1-e11ddfbc2be2\",\"name\":\"0777f138-e5d8-4eab-bec1-e11ddfbc2be2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.5\",\"severity\":\"Low\",\"query\":\"let threshold = 20;\\nlet ReasontoSubStatus = datatable(SubStatus: string, Reason: string) [\\n \\\"0xc000005e\\\", \\\"There are currently no logon servers available to service the logon request.\\\",\\n \\\"0xc0000064\\\", \\\"User logon with misspelled or bad user account\\\",\\n \\\"0xc000006a\\\", \\\"User logon with misspelled or bad password\\\",\\n \\\"0xc000006d\\\", \\\"Bad user name or password\\\",\\n \\\"0xc000006e\\\", \\\"Unknown user name or bad password\\\",\\n \\\"0xc000006f\\\", \\\"User logon outside authorized hours\\\",\\n \\\"0xc0000070\\\", \\\"User logon from unauthorized workstation\\\",\\n \\\"0xc0000071\\\", \\\"User logon with expired password\\\",\\n \\\"0xc0000072\\\", \\\"User logon to account disabled by administrator\\\",\\n \\\"0xc00000dc\\\", \\\"Indicates the Sam Server was in the wrong state to perform the desired operation\\\",\\n \\\"0xc0000133\\\", \\\"Clocks between DC and other computer too far out of sync\\\",\\n \\\"0xc000015b\\\", \\\"The user has not been granted the requested logon type (aka logon right) at this machine\\\",\\n \\\"0xc000018c\\\", \\\"The logon request failed because the trust relationship between the primary domain and the trusted domain failed\\\",\\n \\\"0xc0000192\\\", \\\"An attempt was made to logon, but the Netlogon service was not started\\\",\\n \\\"0xc0000193\\\", \\\"User logon with expired account\\\",\\n \\\"0xc0000224\\\", \\\"User is required to change password at next logon\\\",\\n \\\"0xc0000225\\\", \\\"Evidently a bug in Windows and not a risk\\\",\\n \\\"0xc0000234\\\", \\\"User logon with account locked\\\",\\n \\\"0xc00002ee\\\", \\\"Failure Reason: An Error occurred during Logon\\\",\\n \\\"0xc0000413\\\", \\\"Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine\\\"\\n];\\n(union isfuzzy=true\\n (SecurityEvent\\n | where EventID == 4625\\n | where AccountType =~ \\\"User\\\"\\n | where SubStatus !~ \u00270xc0000064\u0027 and Account !in (\u0027\\\\\\\\\u0027, \u0027-\\\\\\\\-\u0027)\\n // SubStatus \u00270xc0000064\u0027 signifies \u0027Account name does not exist\u0027\\n | extend\\n ResourceId = column_ifexists(\\\"_ResourceId\\\", _ResourceId),\\n SourceComputerId = column_ifexists(\\\"SourceComputerId\\\", SourceComputerId),\\n SubStatus = tolower(SubStatus)\\n | lookup ReasontoSubStatus on SubStatus\\n | extend coalesce(Reason, strcat(\u0027Unknown reason substatus: \u0027, SubStatus))\\n | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), FailedLogonCount = count() by bin(TimeGenerated,10m), EventID,\\n Activity, Computer, Account, TargetAccount, TargetUserName, TargetDomainName,\\n LogonType, LogonTypeName, LogonProcessName, Status, SubStatus, Reason, ResourceId, SourceComputerId, WorkstationName, IpAddress\\n | where FailedLogonCount \u003e= threshold\\n ),\\n (\\n (WindowsEvent\\n | where EventID == 4625 and not(EventData has \u00270xc0000064\u0027)\\n | extend TargetAccount = strcat(tostring(EventData.TargetDomainName), \\\"\\\\\\\\\\\", tostring(EventData.TargetUserName))\\n | extend TargetUserSid = tostring(EventData.TargetUserSid)\\n | extend AccountType=case(EventData.TargetUserName endswith \\\"$\\\" or TargetUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(TargetUserSid), \\\"\\\", \\\"User\\\")\\n | where AccountType =~ \\\"User\\\"\\n | extend SubStatus = tostring(EventData.SubStatus)\\n | where SubStatus !~ \u00270xc0000064\u0027 and TargetAccount !in (\u0027\\\\\\\\\u0027, \u0027-\\\\\\\\-\u0027)\\n // SubStatus \u00270xc0000064\u0027 signifies \u0027Account name does not exist\u0027\\n | extend\\n ResourceId = column_ifexists(\\\"_ResourceId\\\", _ResourceId),\\n SourceComputerId = column_ifexists(\\\"SourceComputerId\\\", \\\"\\\"),\\n SubStatus = tolower(SubStatus)\\n | lookup ReasontoSubStatus on SubStatus\\n | extend coalesce(Reason, strcat(\u0027Unknown reason substatus: \u0027, SubStatus))\\n | extend Activity=\\\"4625 - An account failed to log on.\\\"\\n | extend TargetUserName = tostring(EventData.TargetUserName)\\n | extend TargetDomainName = tostring(EventData.TargetDomainName)\\n | extend LogonType = tostring(EventData.LogonType)\\n | extend Status= tostring(EventData.Status)\\n | extend LogonProcessName = tostring(EventData.LogonProcessName)\\n | extend WorkstationName = tostring(EventData.WorkstationName)\\n | extend IpAddress = tostring(EventData.IpAddress)\\n | extend LogonTypeName=case(\\n LogonType == 2, \\\"2 - Interactive\\\",\\n LogonType == 3, \\\"3 - Network\\\",\\n LogonType == 4, \\\"4 - Batch\\\",\\n LogonType == 5, \\\"5 - Service\\\",\\n LogonType == 7, \\\"7 - Unlock\\\",\\n LogonType == 8, \\\"8 - NetworkCleartext\\\",\\n LogonType == 9, \\\"9 - NewCredentials\\\",\\n LogonType == 10, \\\"10 - RemoteInteractive\\\",\\n LogonType == 11, \\\"11 - CachedInteractive\\\",\\n tostring(LogonType)\\n )\\n | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), FailedLogonCount = count() by bin(TimeGenerated,10m), EventID,\\n Activity, Computer, TargetAccount, TargetUserName, TargetDomainName,\\n LogonType, LogonTypeName, LogonProcessName, Status, SubStatus, Reason, ResourceId, SourceComputerId, WorkstationName, IpAddress\\n | where FailedLogonCount \u003e= threshold\\n )))\\n| summarize arg_max(TimeGenerated, *) by Computer, TargetAccount, TargetUserName, TargetDomainName\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetAccount\"},{\"identifier\":\"Name\",\"columnName\":\"TargetUserName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"TargetDomainName\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Failed logon attempts by valid accounts within 10 mins\",\"description\":\"Identifies when failed logon attempts are 20 or higher during a 10 minute period (2 failed logons per minute minimum) from valid account.\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2019-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2de8abd6-a613-450e-95ed-08e503369fb3\",\"name\":\"2de8abd6-a613-450e-95ed-08e503369fb3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"High\",\"query\":\"let log4jioc = dynamic([\\\"jndi\\\",\\\"ldap\\\",\\\"${::\\\"]);\\nAzureDiagnostics\\n| where ResourceProvider == \\\"MICROSOFT.NETWORK\\\" and Category in (\\\"ApplicationGatewayFirewallLog\\\", \\\"FrontdoorWebApplicationFirewallLog\\\")\\n| extend details_data_s = column_ifexists(\\\"details_data_s\\\", tostring(AdditionalFields.details_data))\\n|where requestUri_s has_any (log4jioc) or details_message_s has_any (log4jioc) or details_data_s has_any (log4jioc)\\n| extend Malicious = iff(isnotempty( details_data_s),details_data_s,iff(isnotempty( requestUri_s),requestUri_s,\\\"\\\"))\\n|parse Malicious with * \u0027${\u0027 MaliciousCommand \u0027}\u0027 * \\n| extend EncodeCmd = iff(MaliciousCommand has \u0027Base64/\u0027, split(split(MaliciousCommand, \\\"Base64/\\\",1)[0], \\\"}\\\", 0)[0], \\\"\\\")\\n| extend EncodeCmd1 = iff(MaliciousCommand has \u0027base64/\u0027, split(split(MaliciousCommand, \\\"base64/\\\",1)[0], \\\"}\\\", 0)[0], \\\"\\\")\\n| extend CmdLine = iff( isnotempty(EncodeCmd), EncodeCmd, EncodeCmd1)\\n| extend DecodedCmdLine = base64_decode_tostring(tostring(CmdLine))\\n| extend DecodedCmdLine = iff( isnotempty(DecodedCmdLine), DecodedCmdLine, \\\"Unable to decode/Doesn\u0027t need decoding\\\")\\n| project TimeGenerated, Target=column_ifexists(\\\"hostname_s\\\", tostring(AdditionalFields.hostname)), MaliciousHost = column_ifexists(\\\"clientIp_s\\\", tostring(AdditionalFields.clientIp)) , MaliciousCommand, details_data_s = column_ifexists(\\\"details_data_s\\\", tostring(AdditionalFields.details_data)), DecodedCmdLine, Message,\\nruleSetType_s = column_ifexists(\\\"ruleSetType_s\\\", tostring(AdditionalFields.ruleSetType)), OperationName, SubscriptionId, details_message_s = column_ifexists(\\\"details_message_s\\\", tostring(AdditionalFields.details_message)), \\ndetails_file_s = column_ifexists(\\\"details_message_s\\\", tostring(AdditionalFields.details_file))\\n| extend timestamp = TimeGenerated\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"MaliciousHost\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Azure WAF matching for Log4j vuln(CVE-2021-44228)\",\"description\":\"This query will alert on a positive pattern match by Azure WAF for CVE-2021-44228 log4j vulnerability exploitation attempt. If possible, it then decodes the malicious command for further analysis.\\n Reference: https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2021-12-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"WAF\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/97ad74c4-fdd9-4a3f-b6bf-5e28f4f71e06\",\"name\":\"97ad74c4-fdd9-4a3f-b6bf-5e28f4f71e06\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.2\",\"severity\":\"Medium\",\"query\":\"let LearningPeriod = 7d;\\nlet BinTime = 1h;\\nlet RunTime = 1h;\\nlet StartTime = 1h; \\nlet sensitivity = 2.5;\\nlet EndRunTime = StartTime - RunTime;\\nlet EndLearningTime = StartTime + LearningPeriod;\\nlet aadFunc = (tableName:string){\\ntable(tableName) \\n| where TimeGenerated between (ago(EndLearningTime) .. ago(EndRunTime))\\n| where AppDisplayName =~ \\\"GitHub.com\\\"\\n| where ResultType != 0\\n| make-series FailedLogins = count() on TimeGenerated from ago(LearningPeriod) to ago(EndRunTime) step BinTime by UserPrincipalName, Type\\n| extend (Anomalies, Score, Baseline) = series_decompose_anomalies(FailedLogins, sensitivity, -1, \u0027linefit\u0027)\\n| mv-expand FailedLogins to typeof(double), TimeGenerated to typeof(datetime), Anomalies to typeof(double), Score to typeof(double), Baseline to typeof(long) \\n| where TimeGenerated \u003e= ago(RunTime)\\n| where Anomalies \u003e 0 and Baseline \u003e 0\\n| join kind=inner (\\n table(tableName) \\n | where TimeGenerated between (ago(StartTime) .. ago(EndRunTime))\\n | where AppDisplayName =~ \\\"GitHub.com\\\"\\n | where ResultType != 0\\n | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), IPAddresses = make_set(IPAddress,100), Locations = make_set(LocationDetails,20), Devices = make_set(DeviceDetail,20) by UserPrincipalName, UserId, AppDisplayName\\n ) on UserPrincipalName\\n| project-away UserPrincipalName1\\n| extend Name = tostring(split(UserPrincipalName,\u0027@\u0027,0)[0]), UPNSuffix = tostring(split(UserPrincipalName,\u0027@\u0027,1)[0])\\n| extend IPAddressFirst = tostring(IPAddresses[0])\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"UserId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddressFirst\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Brute Force Attack against GitHub Account\",\"description\":\"Attackers who are trying to guess your users\u0027 passwords or use brute-force methods to get in. If your organization is using SSO with Microsoft Entra ID, authentication logs to GitHub.com will be generated. Using the following query can help you identify a sudden increase in failed logon attempt of users.\",\"lastUpdatedDateUTC\":\"2024-04-05T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/05b4bccd-dd12-423d-8de4-5a6fb526bb4f\",\"name\":\"05b4bccd-dd12-423d-8de4-5a6fb526bb4f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"let known_processes = (\\n SecurityEvent\\n // If adjusting Query Period or Frequency update these\\n | where TimeGenerated between(ago(14d)..ago(1d))\\n | where EventID == 4688\\n | where NewProcessName has_any (\\\"Policies\\\\\\\\{6AC1786C-016F-11D2-945F-00C04fB984F9}\\\", \\\"Policies\\\\\\\\{31B2F340-016D-11D2-945F-00C04FB984F9}\\\")\\n | summarize by Process);\\n SecurityEvent\\n // If adjusting Query Period or Frequency update these\\n | where TimeGenerated \u003e ago(1d)\\n | where EventID == 4688\\n | where NewProcessName has_any (\\\"Policies\\\\\\\\{6AC1786C-016F-11D2-945F-00C04fB984F9}\\\", \\\"Policies\\\\\\\\{31B2F340-016D-11D2-945F-00C04FB984F9}\\\")\\n | where Process !in (known_processes)\\n // This will likely apply to multiple hosts so summarize these data\\n | summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated) by Process, NewProcessName, CommandLine, Computer\\n | extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n | extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"Execution\",\"LateralMovement\"],\"displayName\":\"New EXE deployed via Default Domain or Default Domain Controller Policies\",\"description\":\"This detection highlights executables deployed to hosts via either the Default Domain or Default Domain Controller Policies. These policies apply to all hosts or Domain Controllers and best practice is that these policies should not be used for deployment of files.\\nA threat actor may use these policies to deploy files or scripts to all hosts in a domain.\",\"lastUpdatedDateUTC\":\"2024-03-13T00:00:00Z\",\"createdDateUTC\":\"2022-02-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/826bb2f8-7894-4785-9a6b-a8a855d8366f\",\"name\":\"826bb2f8-7894-4785-9a6b-a8a855d8366f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Medium\",\"query\":\"let EventNameList = dynamic([\\\"AttachUserPolicy\\\",\\\"AttachRolePolicy\\\",\\\"AttachGroupPolicy\\\"]);\\nlet createPolicy = dynamic([\\\"CreatePolicy\\\", \\\"CreatePolicyVersion\\\"]);\\nlet timeframe = 1d;\\nlet lookback = 14d;\\n// Creating Master table with all the events to use with materialize for better performance\\nlet EventInfo = AWSCloudTrail\\n| where TimeGenerated \u003e= ago(lookback)\\n| where EventName in (EventNameList) or EventName in (createPolicy)\\n| extend UserIdentityArn = iif(isempty(UserIdentityArn), tostring(parse_json(Resources)[0].ARN), UserIdentityArn)\\n| extend UserName = tostring(split(UserIdentityArn, \u0027/\u0027)[-1])\\n| extend AccountName = case( UserIdentityPrincipalid == \\\"Anonymous\\\", \\\"Anonymous\\\", isempty(UserIdentityUserName), UserName, UserIdentityUserName)\\n| extend AccountName = iif(AccountName contains \\\"@\\\", tostring(split(AccountName, \u0027@\u0027, 0)[0]), AccountName),\\n AccountUPNSuffix = iif(AccountName contains \\\"@\\\", tostring(split(AccountName, \u0027@\u0027, 1)[0]), \\\"\\\");\\n//Checking for Policy creation event with Full Admin Privileges since lookback period.\\nlet FullAdminPolicyEvents = materialize( EventInfo\\n| where TimeGenerated \u003e= ago(lookback)\\n| where EventName in (createPolicy)\\n| extend PolicyName = tostring(parse_json(RequestParameters).policyName)\\n| extend Statement = parse_json(tostring((parse_json(RequestParameters).policyDocument))).Statement\\n| mvexpand Statement\\n| extend Action = parse_json(Statement).Action , Effect = tostring(parse_json(Statement).Effect), Resource = tostring(parse_json(Statement).Resource)\\n| mvexpand Action\\n| extend Action = tostring(Action)\\n| where Effect =~ \\\"Allow\\\" and Action == \\\"*\\\" and Resource == \\\"*\\\"\\n| distinct TimeGenerated, EventName, PolicyName, SourceIpAddress, UserIdentityArn, UserIdentityUserName, RecipientAccountId, AccountName, AccountUPNSuffix\\n| extend UserIdentityUserName = iff(isnotempty(UserIdentityUserName), UserIdentityUserName, tostring(split(UserIdentityArn,\u0027/\u0027)[-1]))\\n| project-rename StartTime = TimeGenerated );\\nlet PolicyAttach = materialize( EventInfo\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where EventName in (EventNameList)\\n| extend PolicyName = tostring(split(tostring(parse_json(RequestParameters).policyArn),\\\"/\\\")[1])\\n| summarize AttachEventCount=count(), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventSource, EventName, UserIdentityType , UserIdentityArn, SourceIpAddress, RecipientAccountId, AccountName, AccountUPNSuffix, PolicyName\\n| extend AttachEvent = pack(\\\"StartTime\\\", StartTime, \\\"EndTime\\\", EndTime, \\\"EventName\\\", EventName, \\\"UserIdentityType\\\", UserIdentityType, \\\"AccountName\\\", AccountName, \\\"AccountUPNSuffix\\\", AccountUPNSuffix, \\\"RecipientAccountId\\\", RecipientAccountId, \\\"UserIdentityArn\\\", UserIdentityArn, \\\"SourceIpAddress\\\", SourceIpAddress)\\n| project EventSource, PolicyName, AttachEvent, RecipientAccountId, AccountName, AccountUPNSuffix, AttachEventCount\\n);\\n// Joining the list of PolicyNames and checking if it has been attached to any Roles/Users/Groups.\\n// These Roles/Users/Groups will be Privileged and can be used by adversaries as pivot point for privilege escalation via multiple ways.\\nFullAdminPolicyEvents\\n| join kind=leftouter\\n(\\n PolicyAttach\\n)\\non PolicyName\\n| project-away PolicyName1\\n| extend timestamp = StartTime\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"},{\"identifier\":\"CloudAppAccountId\",\"columnName\":\"RecipientAccountId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIpAddress\"}]}],\"tactics\":[\"PrivilegeEscalation\",\"DefenseEvasion\"],\"displayName\":\"Full Admin policy created and then attached to Roles, Users or Groups\",\"description\":\"Identity and Access Management (IAM) securely manages access to AWS services and resources. \\nIdentifies when a policy is created with Full Administrators Access (Allow-Action:*,Resource:*). \\nThis policy can be attached to role,user or group and may be used by an adversary to escalate a normal user privileges to an adminsitrative level.\\nAWS IAM Policy Grammar: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_grammar.html \\nand AWS IAM API at https://docs.aws.amazon.com/IAM/latest/APIReference/API_Operations.html\",\"lastUpdatedDateUTC\":\"2024-07-15T00:00:00Z\",\"createdDateUTC\":\"2020-04-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1785d372-b9fe-4283-96a6-3a1d83cabfd1\",\"name\":\"1785d372-b9fe-4283-96a6-3a1d83cabfd1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"High\",\"query\":\"let Tarrask_threats = dynamic([\\\"HackTool:Win64/Tarrask!MS\\\", \\\"HackTool:Win64/Ligolo!MSR\\\", \\\"Behavior:Win32/ScheduledTaskHide.A\\\", \\\"Tarrask\\\"]);\\nDeviceInfo\\n| extend DeviceName = tolower(DeviceName)\\n| join kind=rightouter ( SecurityAlert\\n| where ProviderName =~ \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)\\n| where ThreatName in~ (Tarrask_threats) or ThreatFamilyName in~ (Tarrask_threats)\\n| extend CompromisedEntity = tolower(CompromisedEntity)\\n) on $left.DeviceName == $right.CompromisedEntity\\n| summarize by DisplayName, ThreatName, ThreatFamilyName, PublicIP, AlertSeverity, Description, tostring(LoggedOnUsers), DeviceId, TenantId , bin(TimeGenerated, 1d), CompromisedEntity, tostring(LoggedOnUsers), ProductName, Entities\\n| extend HostName = tostring(split(CompromisedEntity, \\\".\\\")[0]), DomainIndex = toint(indexof(CompromisedEntity, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(CompromisedEntity, DomainIndex + 1), CompromisedEntity)\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CompromisedEntity\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"PublicIP\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"AV detections related to Tarrask malware\",\"description\":\"This query looks for Microsoft Defender AV detections related to Tarrask malware. In Microsoft Sentinel, the SecurityAlerts table includes only the Device Name of the affected device, this query joins the DeviceInfo table to clearly connect other information such as Device group, ip, logged-on users etc. \\n This would allow the Microsoft Sentinel analyst to have more context related to the alert, if available.\\n Reference: https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-04-12T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e2559891-383c-4caf-ae67-55a008b9f89e\",\"name\":\"e2559891-383c-4caf-ae67-55a008b9f89e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.5\",\"severity\":\"Medium\",\"query\":\"let HAS_ANY_MAX = 10000;\\nlet dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet IP_TI = ThreatIntelligenceIndicator\\n | where TimeGenerated \u003e= ago(ioc_lookBack)\\n // As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n // Taking the first non-empty value based on potential IOC match availability\\n | extend TI_ipEntity = coalesce(NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, \\\"NO_IP\\\")\\n // Picking up only IOC\u0027s that contain the entities we want\\n | where TI_ipEntity != \\\"NO_IP\\\"\\n // Exclude local addresses, using the ipv4_is_private operator\\n | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \\\"fe80\\\" and TI_ipEntity !startswith \\\"::\\\" and TI_ipEntity !startswith \\\"127.\\\"\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n | where Active == true and ExpirationDateTime \u003e now();\\nlet IP_TI_list = toscalar(IP_TI\\n | summarize NIoCs = dcount(TI_ipEntity), IoCs = make_set(TI_ipEntity)\\n | project IoCs = iff(NIoCs \u003e HAS_ANY_MAX, dynamic([]), IoCs));\\nIP_TI\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind = innerunique (\\n _Im_WebSession (starttime = ago(dt_lookBack), srcipaddr_has_any_prefix = IP_TI_list)\\n | where isnotempty(SrcIpAddr)\\n // renaming time column so it is clear the log this came from\\n | extend imNWS_TimeGenerated = TimeGenerated\\n )\\n on $left.TI_ipEntity == $right.SrcIpAddr\\n| where imNWS_TimeGenerated \u003c ExpirationDateTime\\n| summarize imNWS_TimeGenerated = arg_max(imNWS_TimeGenerated, *) by IndicatorId, DstIpAddr\\n| project imNWS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore,\\n TI_ipEntity, Dvc, SrcIpAddr, DstIpAddr, Url, Type\",\"customDetails\":{\"EventTime\":\"imNWS_TimeGenerated\",\"IoCDescription\":\"Description\",\"ActivityGroupNames\":\"ActivityGroupNames\",\"IndicatorId\":\"IndicatorId\",\"ThreatType\":\"ThreatType\",\"IoCExpirationTime\":\"ExpirationDateTime\",\"IoCConfidenceScore\":\"ConfidenceScore\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DstIpAddr\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"The IP {{SrcIpAddr}} of the web request matches an IP IoC\",\"alertDescriptionFormat\":\"The source address {{SrcIpAddr}} of the web request for the URL {{Url}} matches a known indicator of compromise of {{ThreatType}}. Consult the threat intelligence feed for more information about the indicator.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"CommandAndControl\"],\"displayName\":\"TI map IP entity to Web Session Events (ASIM Web Session schema)\",\"description\":\"This rule identifies Web Sessions for which the source IP address is a known IoC. This rule uses the [Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) and supports any web session source that complies with ASIM.\",\"lastUpdatedDateUTC\":\"2024-07-09T00:00:00Z\",\"createdDateUTC\":\"2022-03-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/99d589fa-7337-40d7-91a0-c96d0c4fa437\",\"name\":\"99d589fa-7337-40d7-91a0-c96d0c4fa437\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let core_domains = (SigninLogs\\n | where TimeGenerated \u003e ago(7d)\\n | where ResultType == 0\\n | extend domain = tolower(split(UserPrincipalName, \\\"@\\\")[1])\\n | summarize by tostring(domain));\\n let alternative_domains = (SigninLogs\\n | where TimeGenerated \u003e ago(7d)\\n | where isnotempty(AlternateSignInName)\\n | where ResultType == 0\\n | extend domain = tolower(split(AlternateSignInName, \\\"@\\\")[1])\\n | summarize by tostring(domain));\\n AuditLogs\\n | where TimeGenerated \u003e ago(1d)\\n | where OperationName =~ \\\"Add User\\\"\\n | extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n | extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n | extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n | extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n | extend InitiatingIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\\n | extend UserAdded = tostring(TargetResources[0].userPrincipalName)\\n | extend UserAddedDomain = case(\\n UserAdded has \\\"#EXT#\\\", tostring(split(tostring(split(UserAdded, \\\"#EXT#\\\")[0]), \\\"_\\\")[1]),\\n UserAdded !has \\\"#EXT#\\\", tostring(split(UserAdded, \\\"@\\\")[1]),\\n UserAdded)\\n | where UserAddedDomain !in (core_domains) and UserAddedDomain !in (alternative_domains)\\n | extend AddedByName = case(\\n InitiatingUserPrincipalName has \\\"#EXT#\\\", tostring(split(tostring(split(InitiatingUserPrincipalName, \\\"#EXT#\\\")[0]), \\\"_\\\")[0]),\\n InitiatingUserPrincipalName !has \\\"#EXT#\\\", tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[0]),\\n InitiatingUserPrincipalName)\\n | extend AddedByUPNSuffix = case(\\n InitiatingUserPrincipalName has \\\"#EXT#\\\", tostring(split(tostring(split(InitiatingUserPrincipalName, \\\"#EXT#\\\")[0]), \\\"_\\\")[1]),\\n InitiatingUserPrincipalName !has \\\"#EXT#\\\", tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[1]),\\n InitiatingUserPrincipalName)\\n | extend UserAddedName = case(\\n UserAdded has \\\"#EXT#\\\", tostring(split(tostring(split(UserAdded, \\\"#EXT#\\\")[0]), \\\"_\\\")[0]),\\n UserAdded !has \\\"#EXT#\\\", tostring(split(UserAdded, \\\"@\\\")[0]),\\n UserAdded)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"InitiatingAppName\"},{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAppServicePrincipalId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"AddedByName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AddedByUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIpAddress\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserAdded\"},{\"identifier\":\"Name\",\"columnName\":\"UserAddedName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UserAddedDomain\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Account created from non-approved sources\",\"description\":\"This query looks for an account being created from a domain that is not regularly seen in a tenant.\\n Attackers may attempt to add accounts from these sources as a means of establishing persistant access to an environment.\\n Created accounts should be investigated to confirm expected creation.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#short-lived-accounts\",\"lastUpdatedDateUTC\":\"2024-01-25T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\",\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/532f62c1-fba6-4baa-bbb6-4a32a4ef32fa\",\"name\":\"532f62c1-fba6-4baa-bbb6-4a32a4ef32fa\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.4.3\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h; // Define the time range to look back for syslog data (1 hour)\\nlet ioc_lookBack = 14d; // Define the time range to look back for threat intelligence indicators (14 days)\\n// Create a list of top-level domains (TLDs) from the threat feed for later validation\\nlet list_tlds = ThreatIntelligenceIndicator\\n | where isnotempty(DomainName)\\n | where TimeGenerated \u003e ago(ioc_lookBack)\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n | where Active == true and ExpirationDateTime \u003e now()\\n | extend parts = split(DomainName, \u0027.\u0027)\\n | extend tld = parts[(array_length(parts)-1)]\\n | summarize count() by tostring(tld)\\n | summarize make_list(tld);\\n// Fetch the latest active domain indicators from the threat intelligence data within the specified time range\\nlet Domain_Indicators = ThreatIntelligenceIndicator\\n | where isnotempty(DomainName)\\n | where TimeGenerated \u003e= ago(ioc_lookBack)\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n | where Active == true and ExpirationDateTime \u003e now()\\n | extend TI_DomainEntity = DomainName;\\n// Join the threat intelligence indicators with syslog data on matching domain entities\\nDomain_Indicators\\n | join kind=innerunique (\\n Syslog\\n | where TimeGenerated \u003e ago(dt_lookBack)\\n // Extract domain patterns from syslog messages\\n | extend domain = extract(\\\"(([a-z0-9]+(-[a-z0-9]+)*\\\\\\\\.)+[a-z]{2,})\\\",1, tolower(SyslogMessage))\\n | where isnotempty(domain)\\n | extend parts = split(domain, \u0027.\u0027)\\n // Split out the top-level domain (TLD)\\n | extend tld = parts[(array_length(parts)-1)]\\n // Validate parsed domain by checking if the TLD is in the list of TLDs in our threat feed\\n | where tld in~ (list_tlds)\\n | extend Syslog_TimeGenerated = TimeGenerated\\n ) on $left.TI_DomainEntity==$right.domain\\n | where Syslog_TimeGenerated \u003c ExpirationDateTime\\n // Retrieve the latest syslog timestamp for each indicator and domain combination\\n | summarize Syslog_TimeGenerated = arg_max(Syslog_TimeGenerated, *) by IndicatorId, domain\\n // Select the desired columns for the final result set\\n | project Syslog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, SyslogMessage, Computer, ProcessName, domain, HostIP, Url, Type, TI_DomainEntity\\n // Extract the hostname from the Computer field\\n | extend HostName = tostring(split(Computer, \u0027.\u0027, 0)[0])\\n // Extract the DNS domain from the Computer field\\n | extend DnsDomain = tostring(strcat_array(array_slice(split(Computer, \u0027.\u0027), 1, -1), \u0027.\u0027))\\n // Assign the Syslog_TimeGenerated value to the timestamp field\\n | extend timestamp = Syslog_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"HostIP\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"TI map Domain entity to Syslog\",\"description\":\"Identifies a match in Syslog table from any Domain IOC from TI\",\"lastUpdatedDateUTC\":\"2024-07-09T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/01e8ffff-dc0c-43fe-aa22-d459c4204553\",\"name\":\"01e8ffff-dc0c-43fe-aa22-d459c4204553\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.4\",\"severity\":\"Medium\",\"query\":\"let discord=dynamic([\\\"cdn.discordapp.com\\\", \\\"media.discordapp.com\\\"]);\\n _Im_WebSession(url_has_any=discord, eventresult=\u0027Success\u0027)\\n | where Url has \\\"attachments\\\"\\n | extend DiscordServerId = extract(@\\\"\\\\/attachments\\\\/([0-9]+)\\\\/\\\", 1, Url)\\n | summarize dcount(Url), make_set(SrcUsername), make_set(SrcIpAddr), make_set(Url), min(TimeGenerated), max(TimeGenerated), make_set(EventResult) by DiscordServerId\\n | mv-expand set_SrcUsername to typeof(string), set_Url to typeof(string), set_EventResult to typeof(string), set_SrcIpAddr to typeof(string)\\n | summarize by DiscordServerId, dcount_Url, set_SrcUsername, min_TimeGenerated, max_TimeGenerated, set_EventResult, set_SrcIpAddr, set_Url\\n | project StartTime=min_TimeGenerated, EndTime=max_TimeGenerated, Result=set_EventResult, SourceUser=set_SrcUsername, SourceIP=set_SrcIpAddr, RequestURL=set_Url\\n | where RequestURL has_any (\\\".bin\\\",\\\".exe\\\",\\\".dll\\\",\\\".bin\\\",\\\".msi\\\")\\n | extend AccountName = tostring(split(SourceUser, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(SourceUser, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SourceUser\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"RequestURL\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Discord CDN Risky File Download (ASIM Web Session Schema)\",\"description\":\"Identifies callouts to Discord CDN addresses for risky file extensions. This detection will trigger when a callout for a risky file is made to a discord server that has only been seen once in your environment. \\n Unique discord servers are identified using the server ID that is included in the request URL (DiscordServerId in query). Discord CDN has been used in multiple campaigns to download additional payloads.\\n This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema)\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2022-03-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/508cef41-2cd8-4d40-a519-b04826a9085f\",\"name\":\"508cef41-2cd8-4d40-a519-b04826a9085f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n| where EventID == 1102 and EventSourceName == \\\"Microsoft-Windows-Eventlog\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), EventCount = count() by Computer, Account, EventID, Activity\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| extend AccountName = tostring(split(Account, @\u0027\\\\\u0027)[1]), AccountNTDomain = tostring(split(Account, @\u0027\\\\\u0027)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"NRT Security Event log cleared\",\"description\":\"Checks for event id 1102 which indicates the security event log was cleared.\\nIt uses Event Source Name \\\"Microsoft-Windows-Eventlog\\\" to avoid generating false positives from other sources, like AD FS servers for instance.\",\"lastUpdatedDateUTC\":\"2024-03-13T00:00:00Z\",\"createdDateUTC\":\"2019-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b3cfc7c0-092c-481c-a55b-34a3979758cb\",\"name\":\"b3cfc7c0-092c-481c-a55b-34a3979758cb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Microsoft Cloud App Security\",\"displayName\":\"Create incidents based on Microsoft Cloud App Security alerts\",\"description\":\"Create incidents based on all alerts generated in Microsoft Defender for Cloud Apps\",\"lastUpdatedDateUTC\":\"2019-07-16T00:00:00Z\",\"createdDateUTC\":\"2019-07-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftCloudAppSecurity\",\"dataTypes\":[\"SecurityAlert (MCAS)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9367dff0-941d-44e2-8875-cb48570c7add\",\"name\":\"9367dff0-941d-44e2-8875-cb48570c7add\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"Event\\n| where EventLog =~ \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID in (13)\\n| parse EventData with * \u0027TargetObject\\\"\u003e\u0027 TargetObject \\\"\u003c\\\" * \u0027Details\\\"\u003e\u0027 Details \\\"\u003c\\\" * \\n| where TargetObject has \\\"\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Windows\\\\\\\\AppInit_DLLs\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventID, Computer, TargetObject, Details\\n| extend HostName = iif(Computer has \u0027.\u0027,substring(Computer,0,indexof(Computer,\u0027.\u0027)),Computer) , DnsDomain = iif(Computer has \u0027.\u0027,substring(Computer,indexof(Computer,\u0027.\u0027)+1),\u0027\u0027)\",\"entityMappings\":[{\"entityType\":\"RegistryKey\",\"fieldMappings\":[{\"identifier\":\"Key\",\"columnName\":\"TargetObject\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Registry Persistence via AppInit DLLs Modification\",\"description\":\"Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes. \\nDynamic-link libraries (DLLs) that are specified in the AppInit_DLLs value in the Registry keys HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows or HKEY_LOCAL_MACHINE\\\\Software\\\\Wow6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows are loaded by user32.dll into every process that loads user32.dll. In practice this is nearly every program, since user32.dll is a very common library.\\nRef: https://attack.mitre.org/techniques/T1546/010/\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-03-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/89a86f70-615f-4a79-9621-6f68c50f365f\",\"name\":\"89a86f70-615f-4a79-9621-6f68c50f365f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"let starttime = 7d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet HistThreshold = 25; \\nlet CurrThreshold = 10; \\nlet HistoricalThreats = CommonSecurityLog\\n| where isnotempty(SourceIP)\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where DeviceVendor =~ \\\"Palo Alto Networks\\\"\\n| where Activity =~ \\\"THREAT\\\" and SimplifiedDeviceAction =~ \\\"alert\\\" \\n| where DeviceEventClassID in (\u0027spyware\u0027, \u0027scan\u0027, \u0027file\u0027, \u0027vulnerability\u0027, \u0027flood\u0027, \u0027packet\u0027, \u0027virus\u0027,\u0027wildfire\u0027, \u0027wildfire-virus\u0027)\\n| summarize TotalEvents = count(), ThreatTypes = make_set(DeviceEventClassID), DestinationIpList = make_set(DestinationIP), FirstSeen = min(TimeGenerated) , LastSeen = max(TimeGenerated) by SourceIP, DeviceAction, DeviceVendor;\\nlet CurrentHourThreats = CommonSecurityLog\\n| where isnotempty(SourceIP)\\n| where TimeGenerated \u003e ago(timeframe)\\n| where DeviceVendor =~ \\\"Palo Alto Networks\\\"\\n| where Activity =~ \\\"THREAT\\\" and SimplifiedDeviceAction =~ \\\"alert\\\" \\n| where DeviceEventClassID in (\u0027spyware\u0027, \u0027scan\u0027, \u0027file\u0027, \u0027vulnerability\u0027, \u0027flood\u0027, \u0027packet\u0027, \u0027virus\u0027,\u0027wildfire\u0027, \u0027wildfire-virus\u0027)\\n| summarize TotalEvents = count(), ThreatTypes = make_set(DeviceEventClassID), DestinationIpList = make_set(DestinationIP), FirstSeen = min(TimeGenerated) , LastSeen = max(TimeGenerated) by SourceIP, DeviceAction, DeviceProduct, DeviceVendor;\\nCurrentHourThreats \\n| where TotalEvents \u003c CurrThreshold\\n| join kind = leftanti (HistoricalThreats \\n| where TotalEvents \u003e HistThreshold) on SourceIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]}],\"tactics\":[\"Discovery\",\"Exfiltration\",\"CommandAndControl\"],\"displayName\":\"Palo Alto Threat signatures from Unusual IP addresses\",\"description\":\"Identifies Palo Alto Threat signatures from unusual IP addresses which are not historically seen. \\nThis detection is also leveraged and required for MDE and PAN Fusion scenario\\nhttps://docs.microsoft.com/Azure/sentinel/fusion-scenario-reference#network-request-to-tor-anonymization-service-followed-by-anomalous-traffic-flagged-by-palo-alto-networks-firewall\",\"lastUpdatedDateUTC\":\"2024-11-07T00:00:00Z\",\"createdDateUTC\":\"2022-03-23T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CefAma\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/aac495a9-feb1-446d-b08e-a1164a539452\",\"name\":\"aac495a9-feb1-446d-b08e-a1164a539452\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h; // Look back 1 hour for VMConnection events\\nlet ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators\\nThreatIntelligenceIndicator\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n| where Action == true\\n| where TimeGenerated \u003e= ago(ioc_lookBack)\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true and ExpirationDateTime \u003e now()\\n| join (\\n GitHubAudit\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | extend GitHubAudit_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.IPaddress\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, GitHubAudit_TimeGenerated, TI_ipEntity, IPaddress, Actor, Action, Country, OperationType, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = GitHubAudit_TimeGenerated, IPCustomEntity = IPaddress, AccountCustomEntity = Actor\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"TI map IP entity to GitHub_CL\",\"description\":\"Identifies a match in GitHub_CL table from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2024-07-09T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/79f29feb-6a9d-4cdf-baaa-2daf480a5da1\",\"name\":\"79f29feb-6a9d-4cdf-baaa-2daf480a5da1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Low\",\"query\":\"let timeframe = 1h;\\nlet last1h = CommonSecurityLog\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where isempty(CommunicationDirection)\\n| where DeviceEventClassID == \\\"733100\\\"\\n| extend SourceOfDropRateCount = tostring(split(tostring(split(Message, \\\"]\\\")[0]),\\\"[ \\\")[1])\\n| extend splitMessage = split(Message, \\\".\\\")\\n| extend DropRate = tostring(split(tostring(splitMessage[0]),\\\"] \\\")[1])\\n| extend CurrentBurstRate = split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[0]),\\\"is \\\")\\n| extend CurrentBurstRatePerSec = toint(split(tostring(CurrentBurstRate[1]),\\\" \\\")[0])\\n| extend MaxConfiguredBurstRate = toint(CurrentBurstRate[2])\\n| extend CurrentAvgRate = split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[1]),\\\"is \\\")\\n| extend CurrentAvgRatePerSec = toint(split(tostring(CurrentAvgRate[1]),\\\" \\\")[0])\\n| extend MaxConfiguredAvgRate = toint(CurrentAvgRate[2])\\n| extend CumulativeTotal = toint(split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[2]),\\\"is \\\")[1])\\n| summarize last1hCumTotal = sum(CumulativeTotal), last1hAvgRatePerSec = avg(CurrentAvgRatePerSec), last1hAvgBurstRatePerSec = avg(CurrentBurstRatePerSec) by DeviceName, DeviceEventClassID, SourceIP, SourceOfDropRateCount, DropRate;\\nlet prev6h = CommonSecurityLog\\n| where TimeGenerated between (ago(6h) .. ago(1h))\\n| where isempty(CommunicationDirection)\\n| where DeviceEventClassID == \\\"733100\\\"\\n| extend SourceOfDropRateCount = tostring(split(tostring(split(Message, \\\"]\\\")[0]),\\\"[ \\\")[1])\\n| extend splitMessage = split(Message, \\\".\\\")\\n| extend DropRate = tostring(split(tostring(splitMessage[0]),\\\"] \\\")[1])\\n| extend CurrentBurstRate = split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[0]),\\\"is \\\")\\n| extend prevCurrentBurstRatePerSec = toint(split(tostring(CurrentBurstRate[1]),\\\" \\\")[0])\\n| extend prevMaxConfiguredBurstRate = toint(CurrentBurstRate[2])\\n| extend CurrentAvgRate = split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[1]),\\\"is \\\")\\n| extend prevCurrentAvgRatePerSec = toint(split(tostring(CurrentAvgRate[1]),\\\" \\\")[0])\\n| extend prevMaxConfiguredAvgRate = toint(CurrentAvgRate[2])\\n| extend prevCumulativeTotal = toint(split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[2]),\\\"is \\\")[1])\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), prev6hCumTotal = sum(prevCumulativeTotal), prev6hAvgRatePerSec = avg(prevCurrentAvgRatePerSec), prev6hAvgBurstRatePerSec = avg(prevCurrentBurstRatePerSec)\\nby DeviceName, DeviceEventClassID, SourceIP, SourceOfDropRateCount, DropRate;\\nlast1h | join (\\n prev6h\\n) on DeviceName, DeviceEventClassID, SourceIP, SourceOfDropRateCount, DropRate\\n| project StartTimeUtc, EndTimeUtc, DeviceName, DeviceEventClassID, SourceIP, SourceOfDropRateCount, DropRate, last1hCumTotal, prev6hCumTotal, prev6hAvgCumTotal = prev6hCumTotal/6, last1hAvgRatePerSec, prev6hAvgRatePerSec, last1hAvgBurstRatePerSec, prev6hAvgBurstRatePerSec\\n// Select only events that indicate a doubling of the expected rate in the last hour over the previous 6 hours\\n| where last1hCumTotal \u003e 2*prev6hAvgCumTotal or last1hAvgRatePerSec \u003e 2*prev6hAvgRatePerSec or last1hAvgBurstRatePerSec \u003e 2*prev6hAvgBurstRatePerSec\\n| extend HostName = tostring(split(DeviceName, \\\".\\\")[0]), DomainIndex = toint(indexof(DeviceName, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(DeviceName, DomainIndex + 1), DeviceName)\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DeviceName\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]}],\"tactics\":[\"Discovery\",\"Impact\"],\"displayName\":\"Cisco ASA - average attack detection rate increase\",\"description\":\"This will help you determine if Cisco ASA devices are under heavier attack than normal over the last hour versus the previous 6 hours based on DeviceEventClassID 733100\\nReferences: https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs9.html\\nDetails on how to further troubleshoot/investigate: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113685-asa-threat-detection.html\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/26a3b261-b997-4374-94ea-6c37f67f4f39\",\"name\":\"26a3b261-b997-4374-94ea-6c37f67f4f39\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"asyspy256.ddns.net\\\",\\\"hotkillmail9sddcc.ddns.net\\\",\\\"rosaf112.ddns.net\\\",\\\"cvdfhjh1231.myftp.biz\\\",\\\"sz2016rose.ddns.net\\\",\\\"dffwescwer4325.myftp.biz\\\",\\\"cvdfhjh1231.ddns.net\\\"]);\\nlet SHA1Hash = dynamic ([\\\"53a44c2396d15c3a03723fa5e5db54cafd527635\\\", \\\"9c5e496921e3bc882dc40694f1dcc3746a75db19\\\", \\\"aeb573accfd95758550cf30bf04f389a92922844\\\", \\\"79ef78a797403a4ed1a616c68e07fff868a8650a\\\", \\\"4f6f38b4cec35e895d91c052b1f5a83d665c2196\\\", \\\"1e8c2cac2e4ce7cbd33c3858eb2e24531cb8a84d\\\", \\\"e841a63e47361a572db9a7334af459ddca11347a\\\", \\\"c28f606df28a9bc8df75a4d5e5837fc5522dd34d\\\", \\\"2e94b305d6812a9f96e6781c888e48c7fb157b6b\\\", \\\"dd44133716b8a241957b912fa6a02efde3ce3025\\\", \\\"8793bf166cb89eb55f0593404e4e933ab605e803\\\", \\\"a39b57032dbb2335499a51e13470a7cd5d86b138\\\", \\\"41cc2b15c662bc001c0eb92f6cc222934f0beeea\\\", \\\"d209430d6af54792371174e70e27dd11d3def7a7\\\", \\\"1c6452026c56efd2c94cea7e0f671eb55515edb0\\\", \\\"c6b41d3afdcdcaf9f442bbe772f5da871801fd5a\\\", \\\"4923d460e22fbbf165bbbaba168e5a46b8157d9f\\\", \\\"f201504bd96e81d0d350c3a8332593ee1c9e09de\\\", \\\"ddd2db1127632a2a52943a2fe516a2e7d05d70d2\\\"]);\\nlet SHA256Hash = dynamic ([\\\"9ae7c4a4e1cfe9b505c3a47e66551eb1357affee65bfefb0109d02f4e97c06dd\\\", \\\"7772d624e1aed327abcd24ce2068063da0e31bb1d5d3bf2841fc977e198c6c5b\\\", \\\"657fc7e6447e0065d488a7db2caab13071e44741875044f9024ca843fe4e86b5\\\", \\\"2ef157a97e28574356e1d871abf75deca7d7a1ea662f38b577a06dd039dbae29\\\", \\\"52fd7b90d7144ac448af4008be639d4d45c252e51823f4311011af3207a5fc77\\\", \\\"a370e47cb97b35f1ae6590d14ada7561d22b4a73be0cb6df7e851d85054b1ac3\\\", \\\"5bf80b871278a29f356bd42af1e35428aead20cd90b0c7642247afcaaa95b022\\\", \\\"6f690ccfd54c2b02f0c3cb89c938162c10cbeee693286e809579c540b07ed883\\\", \\\"3c884f776fbd16597c072afd81029e8764dd57ee79d798829ca111f5e170bd8e\\\", \\\"1922a419f57afb351b58330ed456143cc8de8b3ebcbd236d26a219b03b3464d7\\\", \\\"fe0e4ef832b62d49b43433e10c47dc51072959af93963c790892efc20ec422f1\\\", \\\"7ce9e1c5562c8a5c93878629a47fe6071a35d604ed57a8f918f3eadf82c11a9c\\\", \\\"178d5ee8c04401d332af331087a80fb4e5e2937edfba7266f9be34a5029b6945\\\", \\\"51f70956fa8c487784fd21ab795f6ba2199b5c2d346acdeef1de0318a4c729d9\\\", \\\"889bca95f1a69e94aaade1e959ed0d3620531dc0fc563be9a8decf41899b4d79\\\", \\\"332ddaa00e2eb862742cb8d7e24ce52a5d38ffb22f6c8bd51162bd35e84d7ddf\\\", \\\"44bcf82fa536318622798504e8369e9dcdb32686b95fcb44579f0b4efa79df08\\\", \\\"63552772fdd8c947712a2cff00dfe25c7a34133716784b6d486227384f8cf3ef\\\", \\\"056744a3c371b5938d63c396fe094afce8fb153796a65afa5103e1bffd7ca070\\\"]);\\nlet SigNames = dynamic([\\\"TrojanDropper:Win32/BlackMould.A!dha\\\", \\\"Trojan:Win32/BlackMould.B!dha\\\", \\\"Trojan:Win32/QuarkBandit.A!dha\\\", \\\"Trojan:Win32/Sidelod.A!dha\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where isnotempty(FileHash)\\n| where FileHash in (SHA256Hash) or DNSName in~ (DomainNames)\\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n),\\n( _Im_Dns(domain_has_any=DomainNames)\\n| extend DNSName = DnsQuery\\n| extend IPAddress = SrcIpAddr\\n),\\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where isnotempty(DNSName)\\n| where DNSName in~ (DomainNames)\\n| extend IPAddress = RemoteIp\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updataing\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Hashes = EventDetail.[16].[\\\"#text\\\"]\\n| parse Hashes with * \u0027SHA1=\u0027 SHA1 \u0027,\u0027 * \\n| where isnotempty(Hashes)\\n| where Hashes in (SHA1Hash) \\n| extend Account = UserName\\n),\\n(SecurityAlert\\n| where ProductName == \\\"Microsoft Defender Advanced Threat Protection\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| where isnotempty(ThreatName)\\n| where ThreatName has_any (SigNames)\\n| extend Computer = tostring(parse_json(Entities)[0].HostName)\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPAddress = SourceHost\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| project TimeGenerated,Resource, msg_s, Type\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where Request_Name has_any (DomainNames)\\n| extend DNSName = Request_Name\\n| extend IPAddress = ClientIP\\n),\\n(AZFWApplicationRule\\n| where isnotempty(Fqdn)\\n| where Fqdn has_any (DomainNames) \\n| extend DNSName = Fqdn \\n| extend IPAddress = SourceIp\\n),\\n(AZFWDnsQuery\\n| where isnotempty(QueryName)\\n| where QueryName has_any (DomainNames)\\n| extend DNSName = QueryName\\n| extend IPAddress = SourceIp\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"CredentialAccess\"],\"displayName\":\"[Deprecated] - Known Granite Typhoon domains and hashes\",\"description\":\"This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft\u0027s Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2019-12-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\",\"AZFWApplicationRule\",\"AZFWDnsQuery\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a356c8bd-c81d-428b-aa36-83be706be034\",\"name\":\"a356c8bd-c81d-428b-aa36-83be706be034\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"Medium\",\"query\":\"// AADJoined or Register Device Registry Keys\\nlet aadJoinRoot = \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\ControlSet001\\\\\\\\Control\\\\\\\\CloudDomainJoin\\\\\\\\JoinInfo\\\\\\\\\\\";\\nlet aadRegisteredRoot = \\\"\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\WorkplaceJoin\\\";\\n// Transport Key Registry Key\\nlet keyTransportKey = \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\ControlSet001\\\\\\\\Control\\\\\\\\Cryptography\\\\\\\\Ngc\\\\\\\\KeyTransportKey\\\\\\\\\\\";\\n(union isfuzzy=true\\n(\\n// Access to Object Requested\\nSecurityEvent\\n| where EventID == \u00274656\u0027\\n| where EventData has aadJoinRoot or EventData has aadRegisteredRoot\\n| extend EventData = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Computer, EventID)\\n| where ObjectType == \u0027Key\u0027\\n| where ObjectName startswith aadJoinRoot and SubjectLogonId != \u00270x3e7\u0027 //Local System\\n| extend ProcessId = column_ifexists(\\\"ProcessId\\\", \\\"\\\"), Process = split(ProcessName, \u0027\\\\\\\\\u0027, -1)[-1],Account = strcat(SubjectDomainName, \\\"\\\\\\\\\\\", SubjectUserName)\\n| join kind=innerunique (\\n SecurityEvent\\n | where EventID == \u00274656\u0027\\n | where EventData has keyTransportKey\\n | extend EventData = parse_xml(EventData).EventData.Data\\n | mv-expand bagexpansion=array EventData\\n | evaluate bag_unpack(EventData)\\n | extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n | evaluate pivot(Key, any(Value), TimeGenerated, Computer, EventID)\\n | extend ObjectName = column_ifexists(\\\"ObjectName\\\", \\\"\\\"),ObjectType = column_ifexists(\\\"ObjectType\\\", \\\"\\\")\\n | where ObjectType == \u0027Key\u0027\\n | where ObjectName startswith keyTransportKey and SubjectLogonId != \u00270x3e7\u0027 //Local System\\n | extend ProcessId = column_ifexists(\\\"ProcessId\\\", \\\"\\\"), Process = split(ProcessName, \u0027\\\\\\\\\u0027, -1)[-1],Account = strcat(SubjectDomainName, \\\"\\\\\\\\\\\", SubjectUserName)\\n) on $left.Computer == $right.Computer and $left.SubjectLogonId == $right.SubjectLogonId and $left.ProcessId == $right.ProcessId\\n| project TimeGenerated, Computer, Account, SubjectDomainName, SubjectUserName, SubjectLogonId, ObjectName, tostring(Process), ProcessName, ProcessId, EventID\\n),\\n// Accessing Object\\n(\\nSecurityEvent\\n| where EventID == \u00274663\u0027\\n| where ObjectType == \u0027Key\u0027\\n| where (ObjectName startswith aadJoinRoot or ObjectName contains aadRegisteredRoot) and SubjectLogonId != \u00270x3e7\u0027 //Local System\\n| extend Account = SubjectAccount\\n| join kind=innerunique (\\n SecurityEvent\\n | where EventID == \u00274663\u0027\\n | where ObjectType == \u0027Key\u0027\\n | where ObjectName has keyTransportKey and SubjectLogonId != \u00270x3e7\u0027 //Local System\\n | extend Account = SubjectAccount\\n) on $left.Computer == $right.Computer and $left.SubjectLogonId == $right.SubjectLogonId and $left.ProcessId == $right.ProcessId\\n| project TimeGenerated, Computer, Account, SubjectDomainName, SubjectUserName, SubjectLogonId, ObjectName, Process, ProcessName, ProcessId, EventID\\n| extend HostName = tostring(split(Computer, \u0027.\u0027, 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Computer, \u0027.\u0027), 1, -1), \u0027.\u0027))\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"},{\"identifier\":\"Name\",\"columnName\":\"SubjectUserName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"SubjectDomainName\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]}],\"tactics\":[\"Discovery\"],\"displayName\":\"Microsoft Entra ID Local Device Join Information and Transport Key Registry Keys Access\",\"description\":\"This detection uses Windows security events to detect suspicious access attempts by the same process to registry keys that provide information about an Microsoft Entra ID joined or registered devices and Transport keys (tkpub / tkpriv).\\n This information can be used to export the Device Certificate (dkpub / dkpriv) and Transport key (tkpub/tkpriv).\\n These set of keys can be used to impersonate existing Microsoft Entra ID joined devices.\\n This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable objects:\\n HKLM:\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\CloudDomainJoin (Microsoft Entra ID joined devices)\\n HKCU:\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\WorkplaceJoin (Microsoft Entra ID registered devices)\\n HKLM:\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Cryptography\\\\Ngc\\\\KeyTransportKey (Transport Key)\\n Make sure you set the SACL to propagate to its sub-keys. You can find more information in here https://github.com/OTRF/Set-AuditRule/blob/master/rules/registry/aad_connect_health_service_agent.yml\\n Reference: https://o365blog.com/post/deviceidentity/\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-02-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e42e889a-caaf-4dbb-aec6-371b37d64298\",\"name\":\"e42e889a-caaf-4dbb-aec6-371b37d64298\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.5\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n| where OperationName has_any (\\\"Add service principal\\\", \\\"Certificates and secrets management\\\") // captures \\\"Add service principal\\\", \\\"Add service principal credentials\\\", and \\\"Update application - Certificates and secrets management\\\" events\\n| where Result =~ \\\"success\\\"\\n| where tostring(InitiatedBy.user.userPrincipalName) has \\\"@\\\" or tostring(InitiatedBy.app.displayName) has \\\"@\\\"\\n| mv-apply TargetResource = TargetResources on \\n (\\n where TargetResource.type =~ \\\"Application\\\"\\n | extend targetDisplayName = tostring(TargetResource.displayName),\\n targetId = tostring(TargetResource.id),\\n targetType = tostring(TargetResource.type),\\n keyEvents = TargetResource.modifiedProperties\\n )\\n| mv-apply Property = keyEvents on \\n (\\n where Property.displayName =~ \\\"KeyDescription\\\"\\n | extend new_value_set = parse_json(tostring(Property.newValue)),\\n old_value_set = parse_json(tostring(Property.oldValue))\\n )\\n| where old_value_set != \\\"[]\\\"\\n| extend diff = set_difference(new_value_set, old_value_set)\\n| where diff != \\\"[]\\\"\\n| parse diff with * \\\"KeyIdentifier=\\\" keyIdentifier:string \\\",KeyType=\\\" keyType:string \\\",KeyUsage=\\\" keyUsage:string \\\",DisplayName=\\\" keyDisplayName:string \\\"]\\\" *\\n| where keyUsage =~ \\\"Verify\\\"\\n| mv-apply AdditionalDetail = AdditionalDetails on \\n (\\n where AdditionalDetail.key =~ \\\"User-Agent\\\"\\n | extend UserAgent = tostring(AdditionalDetail.value)\\n )\\n| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n| extend InitiatingIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\\n// The below line is currently commented out but Microsoft Sentinel users can modify this query to show only Application or only Service Principal events in their environment\\n//| where targetType =~ \\\"Application\\\" // or targetType =~ \\\"ServicePrincipal\\\"\\n| project-away diff, new_value_set, old_value_set\\n| project-reorder TimeGenerated, OperationName, InitiatingUserPrincipalName, InitiatingAadUserId, InitiatingAppName, InitiatingAppServicePrincipalId, InitiatingIpAddress, UserAgent, targetDisplayName, targetId, targetType, keyDisplayName, keyType, keyUsage, keyIdentifier, CorrelationId, TenantId\\n| extend InitiatedByName = tostring(split(InitiatingUserPrincipalName,\u0027@\u0027,0)[0]), InitiatedByUPNSuffix = tostring(split(InitiatingUserPrincipalName,\u0027@\u0027,1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatedByName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatedByUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"InitiatingAppName\"},{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAppServicePrincipalId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIpAddress\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"NRT New access credential added to Application or Service Principal\",\"description\":\"This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where a verify KeyCredential was already present for the app.\\nIf a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2024-03-06T00:00:00Z\",\"createdDateUTC\":\"2020-11-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ae10c588-7ff7-486c-9920-ab8b0bdb6ede\",\"name\":\"ae10c588-7ff7-486c-9920-ab8b0bdb6ede\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT12H\",\"queryPeriod\":\"PT12H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Mercury_August2022.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\nlet IPList = (iocs | where Type =~ \\\"ip\\\"| project IoC);\\nlet domains = (iocs | where Type =~ \\\"domainname\\\"| project IoC);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or DestinationHostName has_any (domains) or RequestURL has_any (domains) or Message has_any (IPList)\\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| project TimeGenerated, SourceIP, DestinationIP, Message, SourceUserID, RequestURL, DNSName, Type\\n| extend MessageIP = extract(IPRegex, 0, Message), RequestIP = extract(IPRegex, 0, RequestURL)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", RequestURL has_any (domains), \\\"RequestUrl\\\", \\\"NoMatch\\\")\\n| extend IPAddress = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, \\\"NoMatch\\\")\\n| extend AccountName = tostring(split(SourceUserID, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(SourceUserID, \\\"@\\\")[1])\\n),\\n(DnsEvents\\n| where IPAddresses in (IPList) or Name in~ (domains)\\n| project TimeGenerated, Computer, IPAddresses, Name, ClientIP, Type\\n| extend IPAddress = IPAddresses, DNSName = Name, Computer\\n),\\n(VMConnection\\n| where SourceIp in (IPList) or DestinationIp in (IPList) or RemoteDnsCanonicalNames has_any (domains)\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| project TimeGenerated, Computer, Direction, ProcessName, SourceIp, DestinationIp, DestinationPort, RemoteDnsQuestions, DNSName,BytesSent, BytesReceived, RemoteCountry, Type\\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend IPAddress = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"NoMatch\\\"), File = ProcessName\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = tostring(EventDetail.[9].[\\\"#text\\\"]), DestinationIP = tostring(EventDetail.[14].[\\\"#text\\\"]), Image = tostring(EventDetail.[4].[\\\"#text\\\"])\\n| where SourceIP in (IPList) or DestinationIP in (IPList)\\n| project TimeGenerated, SourceIP, DestinationIP, Image, UserName, Computer, Type\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\")\\n| extend AccountNT = UserName, File = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), IPAddress = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n), \\n(OfficeActivity\\n| where ClientIP in (IPList) \\n| project TimeGenerated, UserAgent, Operation, RecordType, UserId, ClientIP, Type\\n| extend IPAddress = ClientIP, AccountUPN = UserId, AccountUPNName = tostring(split(UserId, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(UserId, \\\"@\\\")[1])\\n),\\n(DeviceNetworkEvents\\n| where RemoteUrl has_any (domains) or RemoteIP in (IPList) or InitiatingProcessSHA256 in (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, Computer = DeviceName, InitiatingProcessSHA256, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort, LocalIP, Type\\n| extend IPAddress = RemoteIP, FileHash = InitiatingProcessSHA256\\n| extend AccountUPN = InitiatingProcessAccountName, AccountUPNName = tostring(split(InitiatingProcessAccountName, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(InitiatingProcessAccountName, \\\"@\\\")[1])\\n),\\n(WindowsFirewall\\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| project TimeGenerated, Computer, CommunicationDirection, SourceIP, DestinationIP, SourcePort, DestinationPort, Type\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\")\\n| extend IPAddress = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) or DestinationHost has_any (domains) \\n| extend DNSName = DestinationHost, IPAddress = SourceHost\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallNetworkRule\\\"\\n| where msg_s has_any (IPList)\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePortInt:int \\\" to \\\" TargetIP \\\":\\\" TargetPortInt:int *\\n| parse kind=regex flags=U msg_s with * \\\". Action\\\\\\\\: \\\" Action1a \\\"\\\\\\\\.\\\"\\n| parse msg_s with * \\\". Policy: \\\" Policy \\\". Rule Collection Group: \\\" RuleCollectionGroup \\\".\\\" *\\n| parse msg_s with * \\\" Rule Collection: \\\" RuleCollection \\\". Rule: \\\" Rule \\n| extend IPAddress = SourceIP\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| where msg_s has_any (domains)\\n| parse msg_s with \\\"DNS Request: \\\" SourceIP \\\":\\\" SourcePortInt:int \\\" - \\\" QueryID:int \\\" \\\" RequestType \\\" \\\" RequestClass \\\" \\\" hostname \\\". \\\" protocol \\\" \\\" details\\n| extend\\n ResponseDuration = extract(\\\"[0-9]*.?[0-9]+s$\\\", 0, msg_s),\\n SourcePort = tostring(SourcePortInt),\\n QueryID = tostring(QueryID)\\n| project TimeGenerated,SourceIP,hostname,RequestType,ResponseDuration,details,msg_s\\n| extend IPAddress = SourceIP\\n),\\n(AZFWApplicationRule\\n| where Fqdn has_any (domains) or Fqdn has_any (IPList)\\n| extend IPAddress = SourceIp\\n),\\n(AZFWDnsQuery\\n| where isnotempty(QueryName)\\n| where QueryName has_any (domains)\\n| extend DNSName = QueryName, IPAddress = SourceIp\\n),\\n(AZFWNetworkRule\\n| where DestinationIp has_any (IPList)\\n| extend IPAddress = SourceIp\\n),\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, SourceUserID, FileHash, Type\\n| extend Algorithm = \\\"SHA256\\\", FileHash = tostring(FileHash), AccountUPN = SourceUserID, AccountUPNName = tostring(split(SourceUserID, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(SourceUserID, \\\"@\\\")[1])\\n),\\n(imFileEvent\\n| where TargetFileSHA256 has_any (sha256Hashes)\\n| extend AccountNT = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, AccountNT, IPAddress, CommandLine, FileHash, Algorithm = \\\"SHA256\\\"\\n),\\n(DeviceFileEvents\\n| where SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, Computer = DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend Algorithm = \\\"SHA256\\\", FileHash = tostring(InitiatingProcessSHA256), CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n| extend AccountUPN = InitiatingProcessAccountName, AccountUPNName = tostring(split(InitiatingProcessAccountName, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(InitiatingProcessAccountName, \\\"@\\\")[1])\\n),\\n(DeviceImageLoadEvents\\n| where SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, Computer = DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend Algorithm = \\\"SHA256\\\", FileHash = tostring(InitiatingProcessSHA256), CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n| extend AccountUPN = InitiatingProcessAccountName, AccountUPNName = tostring(split(InitiatingProcessAccountName, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(InitiatingProcessAccountName, \\\"@\\\")[1])\\n),\\n(Event\\n| where Source =~ \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Image = EventDetail.[4].[\\\"#text\\\"], CommandLine = EventDetail.[10].[\\\"#text\\\"], Hashes = tostring(EventDetail.[17].[\\\"#text\\\"])\\n| extend Hashes = extract_all(@\\\"(?P\u003ckey\u003e\\\\w+)=(?P\u003cvalue\u003e[a-zA-Z0-9]+)\\\", dynamic([\\\"key\\\",\\\"value\\\"]), Hashes)\\n| extend Hashes = column_ifexists(\\\"Hashes\\\", dynamic([\\\"\\\", \\\"\\\"])), CommandLine = column_ifexists(\\\"CommandLine\\\", \\\"\\\")\\n| mv-expand Hashes\\n| where Hashes[0] =~ \\\"SHA256\\\" and Hashes[1] has_any (sha256Hashes) \\n| project TimeGenerated, EventDetail, AccountNT = UserName, Computer, Type, Source, Hashes, CommandLine, Image\\n| extend Type = strcat(Type, \\\": \\\", Source), FileHash = tostring(Hashes[1]), Algorithm = tostring(Hashes[0])\\n)\\n)\\n| extend AccountNTName = tostring(split(AccountNT, \\\"\\\\\\\\\\\")[1]), AccountNTDomain = tostring(split(AccountNT, \\\"\\\\\\\\\\\")[0])\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| project-away DomainIndex\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountUPN\"},{\"identifier\":\"Name\",\"columnName\":\"AccountUPNName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountNT\"},{\"identifier\":\"Name\",\"columnName\":\"AccountNTName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"Algorithm\"},{\"identifier\":\"Value\",\"columnName\":\"FileHash\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Mercury - Domain, Hash and IP IOCs - August 2022\",\"description\":\"Identifies a match across various data feeds for domains, hashes and IP IOC related to Mercury\\n Reference: https://www.microsoft.com/security/blog/2022/08/25/mercury-leveraging-log4j-2-vulnerabilities-in-unpatched-systems-to-target-israeli-organizations/\",\"lastUpdatedDateUTC\":\"2023-12-28T00:00:00Z\",\"createdDateUTC\":\"2022-08-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceFileEvents\",\"DeviceImageLoadEvents\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\",\"AZFWApplicationRule\",\"AZFWDnsQuery\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7808c05a-3afd-4d13-998a-a59e2297693f\",\"name\":\"7808c05a-3afd-4d13-998a-a59e2297693f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"// Creating a list of successful sign-in by users in the last 7 days.\\nlet KnownUserCountry = (\\nSigninLogs\\n| where TimeGenerated between (ago(7d) .. ago(1d) ) \\n| where ResultType == 0\\n| summarize KnownCountry = make_set(Location,1048576) by UserPrincipalName\\n);\\n// Identify sign-ins that are no successful but have the auth details indicating a correct password.\\nSigninLogs\\n| where TimeGenerated \u003e= ago(1d)\\n| where ResultType != 0\\n| extend ParseAuth = parse_json(AuthenticationDetails)\\n| extend AuthMethod = tostring(ParseAuth.[0].authenticationMethod),\\n PasswordResult = tostring(ParseAuth.[0].authenticationStepResultDetail),\\n AuthSucceeded = tostring(ParseAuth.[0].succeeded)\\n| where PasswordResult == \\\"Correct Password\\\" or AuthSucceeded == \\\"true\\\"\\n| where AuthMethod == \\\"Password\\\"\\n| extend failureReason = tostring(Status.failureReason)\\n| summarize NewCountry = make_set(Location,1048576), LastObservedTime = max(TimeGenerated), AppName = make_set(AppDisplayName,1048576) by UserPrincipalName, PasswordResult, AuthSucceeded, failureReason\\n// Combining both tables by user\\n| join kind=inner KnownUserCountry on UserPrincipalName\\n// Compare both arrays and identify if the country has been observed in the past.\\n| extend CountryDiff = set_difference(NewCountry,KnownCountry)\\n| extend CountryDiffCount = array_length(CountryDiff)\\n// Count the new column to only alert if there is a difference between both arrays\\n| where CountryDiffCount != 0\\n| extend NewCountryEvent = CountryDiff\\n// Getting UserName and Domain\\n| extend Name = split(UserPrincipalName,\\\"@\\\",0),\\n Domain = split(UserPrincipalName,\\\"@\\\",1)\\n| mv-expand Name,Domain\",\"customDetails\":{\"LastObservedTime\":\"LastObservedTime\",\"AppName\":\"AppName\",\"NewCountryEvent\":\"NewCountryEvent\",\"PasswordResult\":\"PasswordResult\",\"AuthSucceeded\":\"AuthSucceeded\",\"failureReason\":\"failureReason\"},\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"NTDomain\",\"columnName\":\"Domain\"}]}],\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"New country signIn with correct password\",\"description\":\"Identifies an interrupted sign-in session from a country the user has not sign-in before in the last 7 days, where the password was correct. Although the session is interrupted by other controls such as multi factor authentication or conditional access policies, the user credentials should be reset due to logs indicating a correct password was observed during sign-in.\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2023-05-09T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0bd65651-1404-438b-8f63-eecddcec87b4\",\"name\":\"0bd65651-1404-438b-8f63-eecddcec87b4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.3\",\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\n// Adjust for a longer timeframe for identifying ADFS Servers\\nlet lookback = 6d;\\n// Identify ADFS Servers\\nlet ADFS_Servers = ( union isfuzzy=true\\n( Event\\n| where TimeGenerated \u003e ago(timeframe+lookback)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key=tostring([\u0027@Name\u0027]), Value=[\u0027#text\u0027]\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| extend process = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n| where process =~ \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n),\\n( SecurityEvent\\n| where TimeGenerated \u003e ago(timeframe+lookback)\\n| where EventID == 4688 and SubjectLogonId != \\\"0x3e4\\\"\\n| where ProcessName has \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n),\\n(WindowsEvent\\n| where TimeGenerated \u003e ago(timeframe+lookback)\\n| where EventID == 4688 and EventData has \\\"0x3e4\\\" and EventData has \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| extend SubjectLogonId = tostring(EventData.SubjectLogonId)\\n| where SubjectLogonId != \\\"0x3e4\\\"\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| where ProcessName has \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n)\\n| distinct Computer);\\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where EventID == 4688\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Computer in~ (ADFS_Servers)\\n| where ParentProcessName has \u0027wmiprvse.exe\u0027\\n// Looking for rundll32.exe is based on intel from the blog linked in the description\\n// This can be commented out or altered to filter out known internal uses\\n| where CommandLine has_any (\u0027rundll32\u0027) \\n| project TimeGenerated, TargetAccount, CommandLine, Computer, Account, TargetLogonId\\n| extend timestamp = TimeGenerated\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| extend AccountName = tostring(split(Account, \\\"\\\\\\\\\\\")[0]), AccountNTDomain = tostring(split(Account, \\\"\\\\\\\\\\\")[1])\\n// Search for recent logons to identify lateral movement\\n| join kind= inner\\n(SecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where EventID == 4624 and LogonType == 3\\n| where Account !endswith \\\"$\\\"\\n| project TargetLogonId\\n) on TargetLogonId\\n),\\n(\\nWindowsEvent\\n| where EventID == 4688\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Computer in~ (ADFS_Servers)\\n| where EventData has \u0027wmiprvse.exe\u0027 and EventData has_any (\u0027rundll32\u0027) \\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| where ParentProcessName has \u0027wmiprvse.exe\u0027\\n// Looking for rundll32.exe is based on intel from the blog linked in the description\\n// This can be commented out or altered to filter out known internal uses\\n| extend CommandLine = tostring(EventData.CommandLine)\\n| where CommandLine has_any (\u0027rundll32\u0027) \\n| extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| extend Account = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| extend TargetLogonId = tostring(EventData.TargetLogonId)\\n| project TimeGenerated, TargetAccount, CommandLine, Computer, Account, TargetLogonId\\n| extend timestamp = TimeGenerated\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| extend AccountName = tostring(split(Account, \\\"\\\\\\\\\\\")[0]), AccountNTDomain = tostring(split(Account, \\\"\\\\\\\\\\\")[1])\\n// Search for recent logons to identify lateral movement\\n| join kind= inner\\n(WindowsEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where EventID == 4624 \\n| extend LogonType = tostring(EventData.LogonType)\\n| where LogonType == 3\\n| extend Account = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| where Account !endswith \\\"$\\\"\\n| extend TargetLogonId = tostring(EventData.TargetLogonId)\\n| project TargetLogonId\\n) on TargetLogonId\\n),\\n(\\nEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n// Check for WMI Events\\n| where Computer in~ (ADFS_Servers) and EventID in (19, 20, 21)\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key=tostring([\u0027@Name\u0027]), Value=[\u0027#text\u0027]\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| project TimeGenerated, EventType, Image, Computer, UserName\\n| extend timestamp = TimeGenerated\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| extend AccountName = tostring(split(UserName, \\\"\\\\\\\\\\\")[0]), AccountNTDomain = tostring(split(UserName, \\\"\\\\\\\\\\\")[1])\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserName\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"LateralMovement\"],\"displayName\":\"Gain Code Execution on ADFS Server via Remote WMI Execution\",\"description\":\"This query detects instances where an attacker has gained the ability to execute code on an ADFS Server through remote WMI Execution.\\nIn order to use this query you need to be collecting Sysmon EventIDs 19, 20, and 21.\\nIf you do not have Sysmon data in your workspace this query will raise an error stating:\\n Failed to resolve scalar expression named \\\"[@Name]\\\"\\nFor more on how WMI was used in Solorigate see https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/.\\nThe query contains some features from the following detections to look for potentially malicious ADFS activity. See them for more details.\\n- ADFS Key Export (Sysmon): https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/ADFSKeyExportSysmon.yaml\\n- ADFS DKM Master Key Export: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ADFS-DKM-MasterKey-Export.yaml\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2021-02-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/22a320c2-e1e5-4c74-a35b-39fc9cdcf859\",\"name\":\"22a320c2-e1e5-4c74-a35b-39fc9cdcf859\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n| where OperationName=~ \\\"Update user\\\" \\n| where Result =~ \\\"success\\\" \\n| mv-expand TargetResources \\n| mv-expand TargetResources.modifiedProperties \\n| extend displayName = tostring(TargetResources_modifiedProperties.displayName), \\nTargetUPN_oldValue = tostring(parse_json(tostring(TargetResources_modifiedProperties.oldValue))[0]), \\nTargetUPN_newValue = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue))[0])\\n| where displayName == \\\"UserPrincipalName\\\" and TargetUPN_oldValue !has \\\"#EXT\\\" and TargetUPN_newValue has \\\"#EXT\\\"\\n| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n| extend InitiatingIPAddress = tostring(InitiatedBy.user.ipAddress)\\n| extend InitiatedBy = tostring(iff(isnotempty(InitiatingUserPrincipalName),InitiatingUserPrincipalName, InitiatingAppName))\\n| summarize arg_max(TimeGenerated, *) by CorrelationId\\n| project-reorder TimeGenerated, InitiatedBy, InitiatingAppName, InitiatingAppServicePrincipalId, InitiatingUserPrincipalName, InitiatingAadUserId, InitiatingIPAddress, TargetUPN_oldValue, TargetUPN_newValue\\n| extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[1])\\n| extend TargetAccountName = tostring(split(TargetUPN_oldValue, \\\"@\\\")[0]), TargetUPNSuffix = tostring(split(TargetUPN_oldValue, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"InitiatingAppName\"},{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAppServicePrincipalId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatingAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatingAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUPN_oldValue\"},{\"identifier\":\"Name\",\"columnName\":\"TargetAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"TargetUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIPAddress\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Suspicious linking of existing user to external User\",\"description\":\" This query will detect when an attempt is made to update an existing user and link it to an guest or external identity. These activities are unusual and such linking of external \\nidentities should be investigated. In some cases you may see internal Entra ID sync accounts (Sync_) do this which may be benign\",\"lastUpdatedDateUTC\":\"2023-12-30T00:00:00Z\",\"createdDateUTC\":\"2022-08-09T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/03e04c97-8cae-48b3-9d2f-4ab262e4ffff\",\"name\":\"03e04c97-8cae-48b3-9d2f-4ab262e4ffff\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"let scriptExtensions = dynamic([\\\".php\\\", \\\".jsp\\\", \\\".js\\\", \\\".aspx\\\", \\\".asmx\\\", \\\".asax\\\", \\\".cfm\\\", \\\".shtml\\\"]);\\nhttp_proxy_oab_CL\\n| where RawData contains \\\"Download failed and temporary file\\\"\\n| extend File = extract(\\\"([^\\\\\\\\\\\\\\\\]*)(\\\\\\\\\\\\\\\\[^\u0027]*)\\\",2,RawData)\\n| extend Extension = strcat(\\\".\\\",split(File, \\\".\\\")[-1])\\n| extend InteractiveFile = iif(Extension in (scriptExtensions), \\\"Yes\\\", \\\"No\\\")\\n// Uncomment the following line to alert only on interactive file download type\\n//| where InteractiveFile =~ \\\"Yes\\\"\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Silk Typhoon Suspicious File Downloads.\",\"description\":\"This query looks for messages related to file downloads of suspicious file types. This query uses the Exchange HttpProxy AOBGeneratorLog, you will need to onboard this log as a custom log under the table http_proxy_oab_CL before using this query. \\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-02T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/95407904-0131-4918-bc49-ebf282ce149a\",\"name\":\"95407904-0131-4918-bc49-ebf282ce149a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"High\",\"query\":\"let IPList = dynamic([\\\"135.125.147.170:80\\\",\\\"185.244.129.79:63047\\\",\\\"185.244.129.79:80\\\",\\\"45.80.149.108:63047\\\",\\\"45.80.149.108:80\\\",\\\"45.80.149.57:63047\\\",\\\"45.80.149.68:63047\\\",\\\"45.80.149.71:80\\\",\\\"185.244.129.109\\\",\\\"172.96.188.51\\\",\\\"51.83.246.73\\\"]); \\n(union isfuzzy=true \\n(CommonSecurityLog \\n| where isnotempty(SourceIP) or isnotempty(DestinationIP) \\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList) \\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"Message\\\") \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch \\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\") \\n), \\n(OfficeActivity \\n|extend SourceIPAddress = ClientIP, Account = UserId \\n| where SourceIPAddress in (IPList) \\n| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account \\n),\\n(_Im_Dns (response_has_any_prefix=IPList)\\n| extend DestinationIPAddress = ResponseName, Host = SrcIpAddr \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host \\n), \\n(_Im_NetworkSession (srcipaddr_has_any_prefix=IPList)\\n | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Hostname, AccountCustomEntity=User\\n), \\n(_Im_NetworkSession (dstipaddr_has_any_prefix=IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = DstIpAddr, HostCustomEntity = Hostname , AccountCustomEntity = User\\n), \\n(WireData \\n| where isnotempty(RemoteIP) \\n| where RemoteIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer \\n), \\n(SigninLogs \\n| where isnotempty(IPAddress) \\n| where IPAddress in (IPList) \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \\n),\\n(AADNonInteractiveUserSignInLogs \\n| where isnotempty(IPAddress) \\n| where IPAddress in (IPList) \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \\n), \\n(W3CIISLog \\n| where isnotempty(cIP) \\n| where cIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName \\n), \\n(AzureActivity \\n| where isnotempty(CallerIpAddress) \\n| where CallerIpAddress in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller \\n), \\n( \\nAWSCloudTrail \\n| where isnotempty(SourceIpAddress) \\n| where SourceIpAddress in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName \\n), \\n( \\nDeviceNetworkEvents \\n| where isnotempty(RemoteIP) \\n| where RemoteIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName \\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallNetworkRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n),\\n(AZFWNetworkRule\\n| where isnotempty(DestinationIp)\\n| where DestinationIp has_any (IPList) \\n| extend DestinationIP = DestinationIp \\n| extend IPCustomEntity = SourceIp\\n),\\n(AZFWApplicationRule\\n| where isnotempty(Fqdn)\\n| where Fqdn has_any (IPList) \\n| extend DestinationIP = Fqdn \\n| extend IPCustomEntity = SourceIp\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"[Deprecated] - Known Plaid Rain IP\",\"description\":\"This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft\u0027s Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2020-11-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AzureMonitor(WireData)\",\"dataTypes\":[\"WireData\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\",\"AZFWApplicationRule\",\"AZFWNetworkRule\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/acc4c247-aaf7-494b-b5da-17f18863878a\",\"name\":\"acc4c247-aaf7-494b-b5da-17f18863878a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"let queryfrequency = 1h;\\nlet queryperiod = 1d;\\nAuditLogs\\n| where TimeGenerated \u003e ago(queryperiod)\\n| where OperationName in (\\\"Invite external user\\\", \\\"Bulk invite users - started (bulk)\\\", \\\"Invite external user with reset invitation status\\\")\\n| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n| extend InitiatingIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\\n| extend InitiatedBy = iff(isnotempty(InitiatingUserPrincipalName), InitiatingUserPrincipalName, InitiatingAppName)\\n// Uncomment the following line to filter events where the inviting user was a guest user\\n//| where InitiatedBy has_any (\\\"live.com#\\\", \\\"#EXT#\\\")\\n| mv-apply TargetResource = TargetResources on \\n (\\n where TargetResource.type =~ \\\"User\\\"\\n | extend InvitedUser = tostring(TargetResource.userPrincipalName)\\n )\\n| mv-expand UserToCompare = pack_array(InitiatedBy, InvitedUser) to typeof(string)\\n| where UserToCompare has_any (\\\"live.com#\\\", \\\"#EXT#\\\")\\n| extend\\n parsedUser = replace_string(tolower(iff(UserToCompare startswith \\\"live.com#\\\", tostring(split(UserToCompare, \\\"#\\\")[1]), tostring(split(UserToCompare, \\\"#EXT#\\\")[0]))), \\\"@\\\", \\\"_\\\"),\\n InvitationTime = TimeGenerated\\n| join (\\n (union isfuzzy=true SigninLogs, AADNonInteractiveUserSignInLogs)\\n | where TimeGenerated \u003e ago(queryfrequency)\\n | where UserType != \\\"Member\\\"\\n | where AppId has_any // This web may contain a list of these apps: https://msshells.net/\\n (\\\"1b730954-1685-4b74-9bfd-dac224a7b894\\\",// Azure Active Directory PowerShell\\n \\\"04b07795-8ddb-461a-bbee-02f9e1bf7b46\\\",// Microsoft Azure CLI\\n \\\"1950a258-227b-4e31-a9cf-717495945fc2\\\",// Microsoft Azure PowerShell\\n \\\"a0c73c16-a7e3-4564-9a95-2bdf47383716\\\",// Microsoft Exchange Online Remote PowerShell\\n \\\"fb78d390-0c51-40cd-8e17-fdbfab77341b\\\",// Microsoft Exchange REST API Based Powershell\\n \\\"d1ddf0e4-d672-4dae-b554-9d5bdfd93547\\\",// Microsoft Intune PowerShell\\n \\\"9bc3ab49-b65d-410a-85ad-de819febfddc\\\",// Microsoft SharePoint Online Management Shell\\n \\\"12128f48-ec9e-42f0-b203-ea49fb6af367\\\",// MS Teams Powershell Cmdlets\\n \\\"23d8f6bd-1eb0-4cc2-a08c-7bf525c67bcd\\\",// Power BI PowerShell\\n \\\"31359c7f-bd7e-475c-86db-fdb8c937548e\\\",// PnP Management Shell\\n \\\"90f610bf-206d-4950-b61d-37fa6fd1b224\\\",// Aadrm Admin Powershell\\n \\\"14d82eec-204b-4c2f-b7e8-296a70dab67e\\\",// Microsoft Graph PowerShell\\n \\\"9cee029c-6210-4654-90bb-17e6e9d36617\\\" // Power Platform CLI - pac\\\"\\n )\\n | summarize arg_min(TimeGenerated, *) by UserPrincipalName\\n | extend\\n parsedUser = replace_string(UserPrincipalName, \\\"@\\\", \\\"_\\\"),\\n SigninTime = TimeGenerated\\n )\\n on parsedUser\\n| project InvitationTime, InitiatedBy, InitiatingUserPrincipalName, InitiatingAadUserId, InitiatingAppName, InitiatingAppServicePrincipalId, InitiatingIpAddress, OperationName, InvitedUser, SigninTime, SigninCategory = Category1, SigninUserPrincipalName = UserPrincipalName, AppDisplayName, ResourceDisplayName, UserAgent, InvitationAdditionalDetails = AdditionalDetails, InvitationTargetResources = TargetResources\\n| extend InvitedUserName = tostring(split(InvitedUser,\u0027@\u0027,0)[0]), InvitedUserUPNSuffix = tostring(split(InvitedUser,\u0027@\u0027,1)[0]), \\n InitiatedByName = tostring(split(InitiatingUserPrincipalName,\u0027@\u0027,0)[0]), InitiatedByUPNSuffix = tostring(split(InitiatingUserPrincipalName,\u0027@\u0027,1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InvitedUser\"},{\"identifier\":\"Name\",\"columnName\":\"InvitedUserName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InvitedUserUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatedByName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatedByUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAppServicePrincipalId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIpAddress\"}]}],\"tactics\":[\"InitialAccess\",\"Persistence\",\"Discovery\"],\"displayName\":\"External guest invitation followed by Microsoft Entra ID PowerShell signin\",\"description\":\"By default guests have capability to invite more external guest users, guests also can do suspicious Microsoft Entra ID enumeration. This detection look at guest users, who have been invited or have invited recently, who also are logging via various PowerShell CLI.\\nRef : \u0027https://danielchronlund.com/2021/11/18/scary-azure-ad-tenant-enumeration-using-regular-b2b-guest-accounts/\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2021-11-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c094384d-7ea7-4091-83be-18706ecca981\",\"name\":\"c094384d-7ea7-4091-83be-18706ecca981\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.5\",\"severity\":\"Low\",\"query\":\"let minersDomains=dynamic([\\\"monerohash.com\\\", \\\"do-dear.com\\\", \\\"xmrminerpro.com\\\", \\\"secumine.net\\\", \\\"xmrpool.com\\\", \\\"minexmr.org\\\", \\\"hashanywhere.com\\\", \\n\\\"xmrget.com\\\", \\\"mininglottery.eu\\\", \\\"minergate.com\\\", \\\"moriaxmr.com\\\", \\\"multipooler.com\\\", \\\"moneropools.com\\\", \\\"xmrpool.eu\\\", \\\"coolmining.club\\\", \\n\\\"supportxmr.com\\\", \\\"minexmr.com\\\", \\\"hashvault.pro\\\", \\\"xmrpool.net\\\", \\\"crypto-pool.fr\\\", \\\"xmr.pt\\\", \\\"miner.rocks\\\", \\\"walpool.com\\\", \\\"herominers.com\\\", \\n\\\"gntl.co.uk\\\", \\\"semipool.com\\\", \\\"coinfoundry.org\\\", \\\"cryptoknight.cc\\\", \\\"fairhash.org\\\", \\\"baikalmine.com\\\", \\\"tubepool.xyz\\\", \\\"fairpool.xyz\\\", \\\"asiapool.io\\\", \\n\\\"coinpoolit.webhop.me\\\", \\\"nanopool.org\\\", \\\"moneropool.com\\\", \\\"miner.center\\\", \\\"prohash.net\\\", \\\"poolto.be\\\", \\\"cryptoescrow.eu\\\", \\\"monerominers.net\\\", \\\"cryptonotepool.org\\\", \\n\\\"extrmepool.org\\\", \\\"webcoin.me\\\", \\\"kippo.eu\\\", \\\"hashinvest.ws\\\", \\\"monero.farm\\\", \\\"supportxmr.com\\\", \\\"xmrpool.eu\\\", \\\"linux-repository-updates.com\\\", \\\"1gh.com\\\", \\n\\\"dwarfpool.com\\\", \\\"hash-to-coins.com\\\", \\\"hashvault.pro\\\", \\\"pool-proxy.com\\\", \\\"hashfor.cash\\\", \\\"fairpool.cloud\\\", \\\"litecoinpool.org\\\", \\\"mineshaft.ml\\\", \\\"abcxyz.stream\\\", \\n\\\"moneropool.ru\\\", \\\"cryptonotepool.org.uk\\\", \\\"extremepool.org\\\", \\\"extremehash.com\\\", \\\"hashinvest.net\\\", \\\"unipool.pro\\\", \\\"crypto-pools.org\\\", \\\"monero.net\\\", \\n\\\"backup-pool.com\\\", \\\"mooo.com\\\", \\\"freeyy.me\\\", \\\"cryptonight.net\\\", \\\"shscrypto.net\\\"]);\\n_Im_Dns(domain_has_any=minersDomains)\\n| extend HostName = tostring(split(Dvc, \\\".\\\")[0]), DomainIndex = toint(indexof(Dvc, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Dvc, DomainIndex + 1), Dvc)\\n| project-away DomainIndex\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Dvc\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"_ResourceId\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"DNS events related to mining pools (ASIM DNS Schema)\",\"description\":\"Identifies IP addresses that may be performing DNS lookups associated with common currency mining pools.\\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema\",\"lastUpdatedDateUTC\":\"2024-01-03T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/25a7f951-54b7-4cf5-9862-ebc04306c590\",\"name\":\"25a7f951-54b7-4cf5-9862-ebc04306c590\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let known_users = (AuditLogs\\n | where TimeGenerated between(ago(14d)..ago(1d))\\n | where OperationName has \\\"conditional access policy\\\"\\n | where Result =~ \\\"success\\\"\\n | extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n | summarize by InitiatingUserPrincipalName);\\n AuditLogs\\n | where TimeGenerated \u003e ago(1d)\\n | where OperationName has \\\"conditional access policy\\\"\\n | where Result =~ \\\"success\\\"\\n | extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n | extend InitiatingAppId = tostring(InitiatedBy.app.appId)\\n | extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n | extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n | extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n | extend InitiatingIPAddress = tostring(InitiatedBy.user.ipAddress)\\n | extend CAPolicyName = tostring(TargetResources[0].displayName)\\n | where InitiatingUserPrincipalName !in (known_users)\\n | extend NewPolicyValues = TargetResources[0].modifiedProperties[0].newValue\\n | extend OldPolicyValues = TargetResources[0].modifiedProperties[0].oldValue\\n | extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[1])\\n | project-reorder TimeGenerated, OperationName, CAPolicyName, InitiatingAppId, InitiatingAppName, InitiatingAppServicePrincipalId, InitiatingUserPrincipalName, InitiatingAadUserId, InitiatingIPAddress, NewPolicyValues, OldPolicyValues\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatingAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatingAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIPAddress\"}]},{\"entityType\":\"CloudApplication\",\"fieldMappings\":[{\"identifier\":\"AppId\",\"columnName\":\"InitiatingAppId\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatingAppName\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Conditional Access Policy Modified by New User\",\"description\":\"Detects a Conditional Access Policy being modified by a user who has not modified a policy in the last 14 days.\\n A threat actor may try to modify policies to weaken the security controls in place.\\n Investigate any change to ensure they are approved.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-infrastructure#conditional-access\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/faf1a6ff-53b5-4f92-8c55-4b20e9957594\",\"name\":\"faf1a6ff-53b5-4f92-8c55-4b20e9957594\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"High\",\"query\":\"SecurityEvent\\n// Look for specific Directory Service Changes and parse data\\n| where EventID == 5136\\n| extend EventData = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion = array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value),TimeGenerated, EventID, Computer, Account, AccountType, EventSourceName, Activity, SubjectAccount)\\n// Where changes relate to Exchange OAB\\n| extend ObjectClass = column_ifexists(\\\"ObjectClass\\\", \\\"\\\")\\n| where ObjectClass =~ \\\"msExchOABVirtualDirectory\\\"\\n// Look for InternalHostName or ExternalHostName properties being changed\\n| extend AttributeLDAPDisplayName = column_ifexists(\\\"AttributeLDAPDisplayName\\\", \\\"\\\")\\n| where AttributeLDAPDisplayName in~ (\\\"msExchExternalHostName\\\", \\\"msExchInternalHostName\\\")\\n// Look for suspected webshell activity\\n| extend AttributeValue = column_ifexists(\\\"AttributeValue\\\", \\\"\\\")\\n| where AttributeValue has \\\"script\\\"\\n| project-rename LastSeen = TimeGenerated\\n| extend ObjectDN = column_ifexists(\\\"ObjectDN\\\", \\\"\\\")\\n| project-reorder LastSeen, Computer, Account, ObjectDN, AttributeLDAPDisplayName, AttributeValue\\n| extend timestamp = LastSeen\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| extend AccountName = tostring(split(Account, @\u0027\\\\\u0027)[1]), AccountNTDomain = tostring(split(Account, @\u0027\\\\\u0027)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Exchange OAB Virtual Directory Attribute Containing Potential Webshell\",\"description\":\"This query uses Windows Event ID 5136 in order to detect potential webshell deployment by exploitation of CVE-2021-27065.\\nThis query looks for changes to the InternalHostName or ExternalHostName properties of Exchange OAB Virtual Directory objects in AD Directory Services where the new objects contain potential webshell objects.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/17f23fbe-bb73-4324-8ecf-a18545a5dc26\",\"name\":\"17f23fbe-bb73-4324-8ecf-a18545a5dc26\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P3D\",\"queryPeriod\":\"P3D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"let timeframe = 3d;\\n// Get Release Pipeline Creation Events and group by day\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeframe)\\n| where OperationName =~ \\\"Release.ReleasePipelineCreated\\\"\\n// Group by day\\n| extend timekey = bin(TimeGenerated, 1d)\\n| extend PipelineId = tostring(Data.PipelineId)\\n| extend PipelineName = tostring(Data.PipelineName)\\n// Rename some columns to make output clearer\\n| project-rename TimeCreated = TimeGenerated, CreatingUser = ActorUPN, CreatingUserAgent = UserAgent, CreatingIP = IpAddress\\n// Join with Release Pipeline Deletions where Pipeline ID is the same and deletion occurred on same day as creation\\n| join (AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeframe)\\n| where OperationName =~ \\\"Release.ReleasePipelineDeleted\\\"\\n// Group by day\\n| extend timekey = bin(TimeGenerated, 1d)\\n| extend PipelineId = tostring(Data.PipelineId)\\n| extend PipelineName = tostring(Data.PipelineName)\\n// Rename some things to make the output clearer\\n| project-rename TimeDeleted = TimeGenerated,DeletingUser = ActorUPN, DeletingUserAgent = UserAgent, DeletingIP = IpAddress) on PipelineId, timekey\\n| project TimeCreated, TimeDeleted, PipelineName, PipelineId, CreatingUser, CreatingIP, CreatingUserAgent, DeletingUser, DeletingIP, DeletingUserAgent, ScopeDisplayName, ProjectName, Data, OperationName, OperationName1\\n| extend timestamp = TimeCreated\\n| extend CreatingUserAccountName = tostring(split(CreatingUser, \\\"@\\\")[0]), CreatingUserAccountUPNSuffix = tostring(split(CreatingUser, \\\"@\\\")[1])\\n| extend DeletingUserAccountName = tostring(split(DeletingUser, \\\"@\\\")[0]), DeletingUserAccountUPNSuffix = tostring(split(DeletingUser, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CreatingUser\"},{\"identifier\":\"Name\",\"columnName\":\"CreatingUserAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"CreatingUserAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DeletingUser\"},{\"identifier\":\"Name\",\"columnName\":\"DeletingUserAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"DeletingUserAccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"CreatingIP\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DeletingIP\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"Azure DevOps Pipeline Created and Deleted on the Same Day\",\"description\":\"An attacker with access to Azure DevOps could create a pipeline to inject artifacts used by other pipelines, or to create a malicious software build that looks legitimate by using a pipeline that incorporates legitimate elements. \\nAn attacker would also likely want to cover their tracks once conducting such activity. This query looks for Pipelines created and deleted within the same day, this is unlikely to be legitimate user activity in the majority of cases.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8e267e91-6bda-4b3c-bf68-9f5cbdd103a3\",\"name\":\"8e267e91-6bda-4b3c-bf68-9f5cbdd103a3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Low\",\"query\":\"ZoomLogs\\n| where Event =~ \\\"account.settings_updated\\\"\\n| extend EnforceLogin = columnifexists(\\\"payload_object_settings_schedule_meeting_enfore_login_b\\\", \\\"\\\")\\n| extend EnforceLoginDomain = columnifexists(\\\"payload_object_settings_schedule_meeting_enfore_login_b\\\", \\\"\\\")\\n| extend GuestAlerts = columnifexists(\\\"payload_object_settings_in_meeting_alert_guest_join_b\\\", \\\"\\\")\\n| where EnforceLogin == \u0027false\u0027 or EnforceLoginDomain == \u0027false\u0027 or GuestAlerts == \u0027false\u0027\\n| extend SettingChanged = case(EnforceLogin == \u0027false\u0027 and EnforceLoginDomain == \u0027false\u0027 and GuestAlerts == \u0027false\u0027, \\\"All settings changed\\\",\\n EnforceLogin == \u0027false\u0027 and EnforceLoginDomain == \u0027false\u0027, \\\"Enforced Logons and Restricted Domains Changed\\\",\\n EnforceLoginDomain == \u0027false\u0027 and GuestAlerts == \u0027false\u0027, \\\"Enforced Domains Changed\\\",\\n EnforceLoginDomain == \u0027false\u0027, \\\"Enfored Domains Changed\\\",\\n GuestAlerts == \u0027false\u0027, \\\"Guest Join Alerts Changed\\\",\\n EnforceLogin == \u0027false\u0027, \\\"Enforced Logins Changed\\\",\\n \\\"No Changes\\\")\\n| extend AccountName = tostring(split(User, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(User, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"User\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]}],\"tactics\":[\"CredentialAccess\",\"Persistence\"],\"displayName\":\"External User Access Enabled\",\"description\":\"This alerts when the account setting is changed to allow either external domain access or anonymous access to meetings.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2020-04-24T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/194dd92e-d6e7-4249-85a5-273350a7f5ce\",\"name\":\"194dd92e-d6e7-4249-85a5-273350a7f5ce\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.6\",\"severity\":\"Medium\",\"query\":\"OfficeActivity\\n| where OfficeWorkload =~ \\\"Exchange\\\" \\n| where UserType in~ (\\\"Admin\\\",\\\"DcAdmin\\\")\\n// Only admin or global-admin can disable audit logging\\n| where Operation =~ \\\"Set-AdminAuditLogConfig\\\"\\n| extend AdminAuditLogEnabledValue = tostring(parse_json(tostring(parse_json(tostring(array_slice(parse_json(Parameters),3,3)))[0])).Value)\\n| where AdminAuditLogEnabledValue =~ \\\"False\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), OperationCount = count() by Operation, UserType, UserId, ClientIP, ResultStatus, Parameters, AdminAuditLogEnabledValue\\n| extend AccountName = iff(UserId contains \u0027@\u0027, tostring(split(UserId, \u0027@\u0027)[0]), UserId)\\n| extend AccountUPNSuffix = iff(UserId contains \u0027@\u0027, tostring(split(UserId, \u0027@\u0027)[1]), \u0027\u0027)\\n| extend AccountName = iff(UserId contains \u0027\\\\\\\\\u0027, tostring(split(UserId, \u0027\\\\\\\\\u0027)[1]), AccountName)\\n| extend AccountNTDomain = iff(UserId contains \u0027\\\\\\\\\u0027, tostring(split(UserId, \u0027\\\\\\\\\u0027)[0]), \u0027\u0027)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserId\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Exchange AuditLog Disabled\",\"description\":\"Identifies when the exchange audit logging has been disabled which may be an adversary attempt to evade detection or avoid other defenses.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2019-04-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity (Exchange)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/eb68b129-5f17-4f56-bf6d-dde48d5e615a\",\"name\":\"eb68b129-5f17-4f56-bf6d-dde48d5e615a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"let lbtime = 10m;\\nlet binaryTypes = dynamic([\u0027zip\u0027, \u0027octet-stream\u0027, \u0027java-archive\u0027, \u0027rar\u0027, \u0027tar\u0027, \u0027x-7z-compressed\u0027, \u0027x-msdownload\u0027, \u0027portable-executable\u0027]);\\nProofpointPOD\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027inbound\u0027\\n| where FilterDisposition !in (\u0027reject\u0027, \u0027discard\u0027)\\n| extend attachedMimeType = tostring(todynamic(MsgParts)[0][\u0027detectedMime\u0027])\\n| where attachedMimeType has_any (binaryTypes)\\n| project SrcUserUpn, AccountCustomEntity = tostring(parse_json(DstUserUpn)[0]), attachedMimeType, MsgHeaderSubject\\n| extend Name = tostring(split(AccountCustomEntity, \\\"@\\\")[0]), UPNSuffix = tostring(split(AccountCustomEntity, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"ProofpointPOD - Binary file in attachment\",\"description\":\"Detects when email received with binary file as attachment.\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ee55dc85-d2da-48c1-a6c0-3eaee62a8d56\",\"name\":\"ee55dc85-d2da-48c1-a6c0-3eaee62a8d56\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Low\",\"query\":\"// Add the environments expected username format regex below before deploying\\nlet user_regex = \\\"\\\";\\nAuditLogs\\n| where OperationName =~ \\\"Add user\\\"\\n| where Result =~ \\\"success\\\"\\n| extend userAgent = tostring(AdditionalDetails[0].value)\\n| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n| extend InitiatingIPAddress = tostring(InitiatedBy.user.ipAddress)\\n| extend InitiatedBy = tostring(iff(isnotempty(InitiatingUserPrincipalName),InitiatingUserPrincipalName, InitiatingAppName))\\n| extend AddedUser = tostring(TargetResources[0].userPrincipalName)\\n| where AddedUser matches regex user_regex\\n| extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[1])\\n| extend TargetAccountName = tostring(split(AddedUser, \\\"@\\\")[0]), TargetAccountUPNSuffix = tostring(split(AddedUser, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"InitiatingAppName\"},{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAppServicePrincipalId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatingAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatingAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddedUser\"},{\"identifier\":\"Name\",\"columnName\":\"TargetAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"TargetAccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIPAddress\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"User Account Created Using Incorrect Naming Format\",\"description\":\"This query looks for accounts being created where the name does not match a defined pattern.\\n Attackers may attempt to add accounts as a means of establishing persistant access to an environment, looking for anomalies in created accounts may help identify illegitimately created accounts.\\n Created accounts should be investigated to ensure they were legitimated created.\\n The user_regex field in the query needs to be populated with the expected pattern for the environment before deployment.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#accounts-not-following-naming-policies\",\"lastUpdatedDateUTC\":\"2023-12-30T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/34c5aff9-a8c2-4601-9654-c7e46342d03b\",\"name\":\"34c5aff9-a8c2-4601-9654-c7e46342d03b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"High\",\"query\":\"let starttime = 14d;\\nlet timeframe = 1d;\\nlet scorethreshold = 3;\\nlet baselinethreshold = 5;\\nlet aadFunc = (tableName:string){\\n IdentityInfo\\n | where TimeGenerated \u003e ago(starttime)\\n | summarize arg_max(TimeGenerated, *) by AccountUPN\\n | mv-expand AssignedRoles\\n | where AssignedRoles contains \u0027Admin\u0027 or GroupMembership has \\\"Admin\\\"\\n | summarize Roles = make_list(AssignedRoles) by AccountUPN = tolower(AccountUPN)\\n | join kind=inner (\\n table(tableName)\\n | where TimeGenerated between (startofday(ago(starttime))..startofday(now()))\\n | where ResultType != 0\\n | extend UserPrincipalName = tolower(UserPrincipalName)\\n ) on $left.AccountUPN == $right.UserPrincipalName\\n | extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, Roles = tostring(Roles)\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nlet allSignins = union isfuzzy=true aadSignin, aadNonInt;\\nlet TimeSeriesAlerts = \\n allSignins\\n | make-series HourlyCount=count() on TimeGenerated from startofday(ago(starttime)) to startofday(now()) step 1h by UserPrincipalName, Roles\\n | extend (anomalies, score, baseline) = series_decompose_anomalies(HourlyCount, scorethreshold, -1, \u0027linefit\u0027)\\n | mv-expand HourlyCount to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to typeof(double), baseline to typeof(long)\\n // Filtering low count events per baselinethreshold\\n | where anomalies \u003e 0 and baseline \u003e baselinethreshold\\n | extend AnomalyHour = TimeGenerated\\n | project UserPrincipalName, Roles, AnomalyHour, TimeGenerated, HourlyCount, baseline, anomalies, score;\\n// Filter the alerts for specified timeframe\\nTimeSeriesAlerts\\n| where TimeGenerated \u003e startofday(ago(timeframe))\\n| join kind=inner ( \\n allSignins\\n | where TimeGenerated \u003e startofday(ago(timeframe))\\n // create a new column and round to hour\\n | extend DateHour = bin(TimeGenerated, 1h)\\n | summarize PartialFailedSignins = count(), LatestAnomalyTime = arg_max(TimeGenerated, *) by bin(TimeGenerated, 1h), OperationName, Category, ResultType, ResultDescription, UserPrincipalName, Roles, UserDisplayName, AppDisplayName, ClientAppUsed, IPAddress, ResourceDisplayName\\n) on UserPrincipalName, $left.AnomalyHour == $right.DateHour\\n| project LatestAnomalyTime, OperationName, Category, UserPrincipalName, Roles = todynamic(Roles), UserDisplayName, ResultType, ResultDescription, AppDisplayName, ClientAppUsed, UserAgent, IPAddress, Location, AuthenticationRequirement, ConditionalAccessStatus, ResourceDisplayName, PartialFailedSignins, TotalFailedSignins = HourlyCount, baseline, anomalies, score\\n| extend Name = tostring(split(UserPrincipalName,\u0027@\u0027,0)[0]), UPNSuffix = tostring(split(UserPrincipalName,\u0027@\u0027,1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Privileged Accounts - Sign in Failure Spikes\",\"description\":\" Identifies spike in failed sign-ins from Privileged accounts. Privileged accounts list can be based on IdentityInfo UEBA table.\\nSpike is determined based on Time series anomaly which will look at historical baseline values.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor\",\"lastUpdatedDateUTC\":\"2024-01-09T00:00:00Z\",\"createdDateUTC\":\"2021-10-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"IdentityInfo\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1399664f-9434-497c-9cde-42e4d74ae20e\",\"name\":\"1399664f-9434-497c-9cde-42e4d74ae20e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"SecurityAlert \\n| where AlertName == \\\"Impossible travel activity\\\"\\n| extend Extprop = parsejson(Entities)\\n| mv-expand Extprop\\n| extend Extprop = parsejson(Extprop)\\n| extend CmdLine = iff(Extprop[\u0027Type\u0027]==\\\"process\\\", Extprop[\u0027CommandLine\u0027], \u0027\u0027)\\n| extend File = iff(Extprop[\u0027Type\u0027]==\\\"file\\\", Extprop[\u0027Name\u0027], \u0027\u0027)\\n| extend Account = Extprop[\u0027Name\u0027]\\n| extend Domain = Extprop[\u0027UPNSuffix\u0027]\\n| extend Account = iif(isnotempty(Domain) and Extprop[\u0027Type\u0027]==\\\"account\\\", tolower(strcat(Account, \\\"@\\\", Domain)), iif(Extprop[\u0027Type\u0027]==\\\"account\\\", tolower(Account), \\\"\\\"))\\n| extend IpAddress = iff(Extprop[\\\"Type\\\"] == \\\"ip\\\",Extprop[\u0027Address\u0027], \u0027\u0027)\\n| extend Process = iff(isnotempty(CmdLine), CmdLine, File)\\n| project TimeGenerated,Account,IpAddress,CompromisedEntity,Description,ProviderName,ResourceId\\n| join kind=inner\\n(\\nOfficeActivity\\n| where Operation =~ \\\"Add-MailboxPermission\\\"\\n| extend value = tostring(parse_json(Parameters)[3].Value)\\n| where value contains \\\"FullAccess\\\"\\n| where ResultStatus == \\\"True\\\"\\n| project Parameters,TimeGenerated,value,RecordType,Operation,OrganizationId,UserType,UserKey,OfficeWorkload,ResultStatus,OfficeObjectId,UserId,ClientIP,ExternalAccess,OriginatingServer,OrganizationName,TenantId,ElevationTime,SourceSystem,OfficeId,OfficeTenantId,Type,SourceRecordId\\n) on $left.Account == $right.UserId\\n| join kind=inner\\n(\\nAuditLogs\\n| where ActivityDisplayName =~ \\\"Add eligible member to role in PIM requested (timebound)\\\"\\n| where AADOperationType =~ \\\"CreateRequestEligibleRole\\\"\\n| where TargetResources has_any (\\\"-PRIV\\\", \\\"Administrator\\\", \\\"Security\\\")\\n| extend BuiltinRole = tostring(parse_json(TargetResources[0].displayName))\\n| extend CustomGroup = tostring(parse_json(TargetResources[3].displayName))\\n| extend TargetAccount = tostring(parse_json(TargetResources[2].displayName))\\n| extend Initiatedby = Identity\\n| project TimeGenerated, ActivityDisplayName, AADOperationType, Initiatedby, TargetAccount, BuiltinRole, CustomGroup, LoggedByService, Result, ResourceId, Id\\n| sort by TimeGenerated desc\\n) on $left.UserId == $right.Initiatedby\\n| extend AccountName = tostring(split(Initiatedby, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(Initiatedby, \\\"@\\\")[1])\\n| project AADOperationType, ActivityDisplayName,AccountName, AccountUPNSuffix, Id,ResourceId,IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]}],\"tactics\":[\"InitialAccess\",\"PrivilegeEscalation\"],\"displayName\":\"Detecting Impossible travel with mailbox permission tampering \u0026 Privilege Escalation attempt\",\"description\":\"This hunting query will alert on any Impossible travel activity in correlation with mailbox permission tampering followed by account being added to a PIM managed privileged group.\\nEnsure this impossible travel incident with increase of privileges is legitimate in your environment.\",\"lastUpdatedDateUTC\":\"2024-11-20T00:00:00Z\",\"createdDateUTC\":\"2022-02-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert (ASC)\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/12dcea64-bec2-41c9-9df2-9f28461b1295\",\"name\":\"12dcea64-bec2-41c9-9df2-9f28461b1295\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\n// Adjust for a longer timeframe for identifying ADFS Servers\\nlet lookback = 6d;\\n// Identify ADFS Servers\\nlet ADFS_Servers = (\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeframe+lookback)\\n| where EventID == 4688 and SubjectLogonId != \\\"0x3e4\\\"\\n| where NewProcessName has \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n);\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Computer in~ (ADFS_Servers)\\n| where Account !endswith \\\"$\\\"\\n// Check for scheduled task events\\n| where EventID in (4697, 4698, 4699, 4700, 4701, 4702)\\n| extend EventDataParsed = parse_xml(EventData)\\n| extend SubjectLogonId = tostring(EventDataParsed.EventData.Data[3][\\\"#text\\\"])\\n// Check specifically for access to IPC$ share and PIPE\\\\svcctl and PIPE\\\\atsvc for Service Control Services and Schedule Control Services\\n| union (\\n SecurityEvent\\n | where TimeGenerated \u003e ago(timeframe)\\n | where Computer in~ (ADFS_Servers)\\n | where Account !endswith \\\"$\\\"\\n | where EventID == 5145\\n | where RelativeTargetName =~ \\\"svcctl\\\" or RelativeTargetName =~ \\\"atsvc\\\"\\n)\\n// Check for lateral movement\\n| join kind=inner\\n(SecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Account !endswith \\\"$\\\"\\n| where EventID == 4624 and LogonType == 3\\n) on $left.SubjectLogonId == $right.TargetLogonId\\n| project TimeGenerated, Account, Computer, EventID, RelativeTargetName\\n| extend timestamp = TimeGenerated\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| extend AccountName = tostring(split(Account, @\u0027\\\\\u0027)[1]), AccountNTDomain = tostring(split(Account, @\u0027\\\\\u0027)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"LateralMovement\"],\"displayName\":\"Gain Code Execution on ADFS Server via SMB + Remote Service or Scheduled Task\",\"description\":\"This query detects instances where an attacker has gained the ability to execute code on an ADFS Server through SMB and Remote Service or Scheduled Task.\",\"lastUpdatedDateUTC\":\"2024-03-13T00:00:00Z\",\"createdDateUTC\":\"2021-03-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/28b42356-45af-40a6-a0b4-a554cdfd5d8a\",\"name\":\"28b42356-45af-40a6-a0b4-a554cdfd5d8a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.1.4\",\"severity\":\"Medium\",\"query\":\"// Set threshold value for deviation\\nlet threshold = 25;\\n// Set the time range for the query\\nlet timeRange = 24h;\\n// Set the authentication window duration\\nlet authenticationWindow = 20m;\\n// Define a reusable function \u0027aadFunc\u0027 that takes a table name as input\\nlet aadFunc = (tableName: string) {\\n // Query the specified table\\n table(tableName)\\n // Filter data within the last 24 hours\\n | where TimeGenerated \u003e ago(1d)\\n // Filter records related to \\\"Azure Portal\\\" applications\\n | where AppDisplayName has \\\"Azure Portal\\\"\\n // Extract and transform some fields\\n | extend\\n DeviceDetail = todynamic(DeviceDetail),\\n LocationDetails = todynamic(LocationDetails)\\n | extend\\n OS = tostring(DeviceDetail.operatingSystem),\\n Browser = tostring(DeviceDetail.browser),\\n State = tostring(LocationDetails.state),\\n City = tostring(LocationDetails.city),\\n Region = tostring(LocationDetails.countryOrRegion)\\n // Categorize records as Success or Failure based on ResultType\\n | extend FailureOrSuccess = iff(ResultType in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\", \\\"70043\\\", \\\"70044\\\"), \\\"Success\\\", \\\"Failure\\\")\\n // Sort and identify sessions\\n | sort by UserPrincipalName asc, TimeGenerated asc\\n | extend SessionStartedUtc = row_window_session(TimeGenerated, timeRange, authenticationWindow, UserPrincipalName != prev(UserPrincipalName) or prev(FailureOrSuccess) == \\\"Success\\\")\\n // Summarize data\\n | summarize FailureOrSuccessCount = count() by FailureOrSuccess, UserId, UserDisplayName, AppDisplayName, IPAddress, Browser, OS, State, City, Region, Type, CorrelationId, bin(TimeGenerated, authenticationWindow), ResultType, UserPrincipalName, SessionStartedUtc\\n | summarize FailureCountBeforeSuccess = sumif(FailureOrSuccessCount, FailureOrSuccess == \\\"Failure\\\"), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), makelist(FailureOrSuccess), IPAddress = make_set(IPAddress, 15), make_set(Browser, 15), make_set(City, 15), make_set(State, 15), make_set(Region, 15), make_set(ResultType, 15) by SessionStartedUtc, UserPrincipalName, CorrelationId, AppDisplayName, UserId, Type\\n // Filter records where \\\"Success\\\" occurs in the middle of a session\\n | where array_index_of(list_FailureOrSuccess, \\\"Success\\\") != 0\\n | where array_index_of(list_FailureOrSuccess, \\\"Success\\\") == array_length(list_FailureOrSuccess) - 1\\n // Remove unnecessary columns from the output\\n | project-away SessionStartedUtc, list_FailureOrSuccess\\n // Join with another table and calculate deviation\\n | join kind=inner (\\n table(tableName)\\n | where TimeGenerated \u003e ago(7d)\\n | where AppDisplayName has \\\"Azure Portal\\\"\\n | extend FailureOrSuccess = iff(ResultType in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\", \\\"70043\\\", \\\"70044\\\"), \\\"Success\\\", \\\"Failure\\\")\\n | summarize avgFailures = avg(todouble(FailureOrSuccess == \\\"Failure\\\")) by UserPrincipalName\\n ) on UserPrincipalName\\n | extend Deviation = abs(FailureCountBeforeSuccess - avgFailures) / avgFailures\\n // Filter records based on deviation and failure count criteria\\n | where Deviation \u003e threshold and FailureCountBeforeSuccess \u003e= 10\\n // Expand the IPAddress array\\n | mv-expand IPAddress\\n | extend IPAddress = tostring(IPAddress)\\n | extend timestamp = StartTime\\n};\\n// Call \u0027aadFunc\u0027 with different table names and union the results\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\\n// Additional transformation - Split UserPrincipalName\\n| extend Name = tostring(split(UserPrincipalName,\u0027@\u0027,0)[0]), UPNSuffix = tostring(split(UserPrincipalName,\u0027@\u0027,1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"UserId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Brute force attack against Azure Portal\",\"description\":\"Detects Azure Portal brute force attacks by monitoring for multiple authentication failures and a successful login within a 20-minute window. Default settings: 10 failures, 25 deviations.\\nRef: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes.\",\"lastUpdatedDateUTC\":\"2024-01-09T00:00:00Z\",\"createdDateUTC\":\"2019-04-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2f4165a6-c4fb-4e94-861e-37f1b4d6c0e6\",\"name\":\"2f4165a6-c4fb-4e94-861e-37f1b4d6c0e6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Medium\",\"query\":\"// Adjust this to use a longer timeframe to identify ADFS servers\\n//let lookback = 0d;\\n// Adjust this to adjust detection timeframe\\n//let timeframe = 1d;\\n// SamAccountName of AD FS Service Account. Filter on the use of a specific AD FS user account\\n//let adfsuser = \u0027adfsadmin\u0027;\\n// Identify ADFS Servers\\nlet ADFS_Servers = (\\n SecurityEvent\\n //| where TimeGenerated \u003e ago(timeframe+lookback)\\n | where EventSourceName == \u0027AD FS Auditing\u0027\\n | distinct Computer\\n);\\nSecurityEvent\\n //| where TimeGenerated \u003e ago(timeframe)\\n | where Computer in~ (ADFS_Servers)\\n // A token of type \u0027http://schemas.microsoft.com/ws/2006/05/servicemodel/tokens/SecureConversation\u0027\\n // for relying party \u0027-\u0027 was successfully authenticated.\\n | where EventID == 412\\n | extend EventData = parse_xml(EventData).EventData.Data\\n | extend InstanceId = tostring(EventData[0])\\n| join kind=inner\\n(\\n SecurityEvent\\n //| where TimeGenerated \u003e ago(timeframe)\\n | where Computer in~ (ADFS_Servers)\\n // Events to identify caller identity from event 412\\n | where EventID == 501\\n | extend EventData = parse_xml(EventData).EventData.Data\\n | where tostring(EventData[1]) contains \u0027identity/claims/name\u0027\\n | extend InstanceId = tostring(EventData[0])\\n | extend ClaimsName = tostring(EventData[2])\\n // Filter on the use of a specific AD FS user account\\n //| where ClaimsName contains adfsuser\\n)\\non $left.InstanceId == $right.InstanceId\\n| join kind=inner\\n(\\n SecurityEvent\\n | where EventID == 5156\\n | where Computer in~ (ADFS_Servers)\\n | extend EventData = parse_xml(EventData).EventData.Data\\n | mv-expand bagexpansion=array EventData\\n | evaluate bag_unpack(EventData)\\n | extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n | evaluate pivot(Key, any(Value), TimeGenerated, Computer, EventID)\\n | extend DestPort = column_ifexists(\\\"DestPort\\\", \\\"\\\"),\\n Direction = column_ifexists(\\\"Direction\\\", \\\"\\\"),\\n Application = column_ifexists(\\\"Application\\\", \\\"\\\"),\\n DestAddress = column_ifexists(\\\"DestAddress\\\", \\\"\\\"),\\n SourceAddress = column_ifexists(\\\"SourceAddress\\\", \\\"\\\"),\\n SourcePort = column_ifexists(\\\"SourcePort\\\", \\\"\\\")\\n // Look for inbound connections from endpoints on port 80\\n | where DestPort == 80 and Direction == \u0027%%14592\u0027 and Application == \u0027System\u0027\\n | where DestAddress !in (\u0027::1\u0027,\u00270:0:0:0:0:0:0:1\u0027)\\n)\\non $left.Computer == $right.Computer\\n| project TimeGenerated, Computer, ClaimsName, SourceAddress, SourcePort\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| extend AccountName = tostring(split(ClaimsName, @\u0027\\\\\u0027)[1]), AccountNTDomain = tostring(split(ClaimsName, @\u0027\\\\\u0027)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ClaimsName\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceAddress\"}]}],\"tactics\":[\"Collection\"],\"displayName\":\"AD FS Remote Auth Sync Connection\",\"description\":\"This detection uses Security events from the \\\"AD FS Auditing\\\" provider to detect suspicious authentication events on an AD FS server. The results then get correlated with events from the Windows Filtering Platform (WFP) to detect suspicious incoming network traffic on port 80 on the AD FS server.\\nThis could be a sign of a threat actor trying to use replication services on the AD FS server to get its configuration settings and extract sensitive information such as AD FS certificates. In order to use this query you need to enable AD FS auditing on the AD FS Server.\\nReferences:\\nhttps://docs.microsoft.com/windows-server/identity/ad-fs/troubleshooting/ad-fs-tshoot-logging\\nhttps://twitter.com/OTR_Community/status/1387038995016732672\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2021-04-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/957cb240-f45d-4491-9ba5-93430a3c08be\",\"name\":\"957cb240-f45d-4491-9ba5-93430a3c08be\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.5\",\"severity\":\"Low\",\"query\":\"OfficeActivity\\n| where Operation in~ ( \\\"Add-MailboxPermission\\\", \\\"Add-MailboxFolderPermission\\\", \\\"Set-Mailbox\\\", \\\"New-ManagementRoleAssignment\\\", \\\"New-InboxRule\\\", \\\"Set-InboxRule\\\", \\\"Set-TransportRule\\\")\\nand not(UserId has_any (\u0027NT AUTHORITY\\\\\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\u0027, \u0027NT AUTHORITY\\\\\\\\SYSTEM (Microsoft.Exchange.AdminApi.NetCore)\u0027, \u0027NT AUTHORITY\\\\\\\\SYSTEM (w3wp)\u0027, \u0027devilfish-applicationaccount\u0027) and Operation in~ ( \\\"Add-MailboxPermission\\\", \\\"Set-Mailbox\\\"))\\n| extend ClientIPOnly = tostring(extract_all(@\u0027\\\\[?(::ffff:)?(?P\u003cIPAddress\u003e(\\\\d+\\\\.\\\\d+\\\\.\\\\d+\\\\.\\\\d+)|[^\\\\]]+)\\\\]?\u0027, dynamic([\\\"IPAddress\\\"]), ClientIP)[0])\\n| extend AccountName = tostring(split(UserId, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(UserId, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserId\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]},{\"entityType\":\"CloudApplication\",\"fieldMappings\":[{\"identifier\":\"AppId\",\"columnName\":\"AppId\"}]}],\"tactics\":[\"Persistence\",\"Collection\"],\"displayName\":\"Rare and potentially high-risk Office operations\",\"description\":\"Identifies Office operations that are typically rare and can provide capabilities useful to attackers.\",\"lastUpdatedDateUTC\":\"2024-03-18T00:00:00Z\",\"createdDateUTC\":\"2019-02-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2cfc3c6e-f424-4b88-9cc9-c89f482d016a\",\"name\":\"2cfc3c6e-f424-4b88-9cc9-c89f482d016a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.5\",\"severity\":\"High\",\"query\":\"AuditLogs\\n| where OperationName has (\\\"Certificates and secrets management\\\")\\n| where Result =~ \\\"success\\\"\\n| where tostring(InitiatedBy.user.userPrincipalName) has \\\"@\\\" or tostring(InitiatedBy.app.displayName) has \\\"@\\\"\\n| mv-apply TargetResource = TargetResources on \\n (\\n where TargetResource.type =~ \\\"Application\\\"\\n | extend targetDisplayName = tostring(TargetResource.displayName),\\n targetId = tostring(TargetResource.id),\\n targetType = tostring(TargetResource.type),\\n keyEvents = TargetResource.modifiedProperties\\n )\\n| mv-apply Property = keyEvents on \\n (\\n where Property.displayName =~ \\\"KeyDescription\\\"\\n | extend new_value_set = parse_json(tostring(Property.newValue)),\\n old_value_set = parse_json(tostring(Property.oldValue))\\n )\\n| where old_value_set == \\\"[]\\\"\\n| mv-expand new_value_set\\n| parse new_value_set with * \\\"KeyIdentifier=\\\" keyIdentifier:string \\\",KeyType=\\\" keyType:string \\\",KeyUsage=\\\" keyUsage:string \\\",DisplayName=\\\" keyDisplayName:string \\\"]\\\" *\\n| where keyUsage =~ \\\"Verify\\\"\\n| mv-apply AdditionalDetail = AdditionalDetails on \\n (\\n where AdditionalDetail.key =~ \\\"User-Agent\\\"\\n | extend InitiatingUserAgent = tostring(AdditionalDetail.value)\\n )\\n| project-away new_value_set, old_value_set, TargetResource, Property, AdditionalDetail\\n| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n| extend InitiatingIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\\n| project-reorder TimeGenerated, OperationName, InitiatingUserPrincipalName, InitiatingAadUserId, InitiatingAppName, InitiatingAppServicePrincipalId, InitiatingIpAddress, InitiatingUserAgent, \\ntargetDisplayName, targetId, targetType, keyDisplayName, keyType, keyUsage, keyIdentifier, CorrelationId, TenantId\\n| extend Name = split(InitiatingUserPrincipalName, \\\"@\\\")[0], UPNSuffix = split(InitiatingUserPrincipalName, \\\"@\\\")[1]\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAppServicePrincipalId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIpAddress\"}]},{\"entityType\":\"CloudApplication\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"targetDisplayName\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"First access credential added to Application or Service Principal where no credential was present\",\"description\":\"This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where there was no previous verify KeyCredential associated.\\nIf a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2024-01-06T00:00:00Z\",\"createdDateUTC\":\"2020-11-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/62085097-d113-459f-9ea7-30216f2ee6af\",\"name\":\"62085097-d113-459f-9ea7-30216f2ee6af\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P3D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Low\",\"query\":\"let starttime = 3d;\\nlet SecEvents = materialize ( SecurityEvent | where TimeGenerated \u003e= ago(starttime)\\n| where EventID in (4722,4723) | where TargetUserName !endswith \\\"$\\\"\\n| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetSid, SubjectAccount, SubjectUserSid);\\nlet userEnable = SecEvents\\n| extend EventID4722Time = TimeGenerated\\n// 4722: User Account Enabled\\n| where EventID == 4722\\n| project Time_Event4722 = TimeGenerated, TargetAccount, TargetSid, SubjectAccount_Event4722 = SubjectAccount, SubjectUserSid_Event4722 = SubjectUserSid, Activity_4722 = Activity, Computer_4722 = Computer;\\nlet userPwdSet = SecEvents\\n// 4723: Attempt made by user to set password\\n| where EventID == 4723\\n| project Time_Event4723 = TimeGenerated, TargetAccount, TargetSid, SubjectAccount_Event4723 = SubjectAccount, SubjectUserSid_Event4723 = SubjectUserSid, Activity_4723 = Activity, Computer_4723 = Computer;\\nuserEnable | join kind=leftouter userPwdSet on TargetAccount, TargetSid\\n| extend PasswordSetAttemptDelta_Min = datetime_diff(\u0027minute\u0027, Time_Event4723, Time_Event4722)\\n| where PasswordSetAttemptDelta_Min \u003e 2880 or isempty(PasswordSetAttemptDelta_Min)\\n| project-away TargetAccount1, TargetSid1\\n| extend Reason = @\\\"User either has not yet attempted to set the initial password after account was enabled or it occurred after 48 hours\\\"\\n| order by Time_Event4722 asc\\n| project-reorder Time_Event4722, Time_Event4723, PasswordSetAttemptDelta_Min, TargetAccount, TargetSid\\n| extend Computer = coalesce(Computer_4723, Computer_4722)\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| extend AccountName = tostring(split(TargetAccount, \\\"\\\\\\\\\\\")[1]), AccountNTDomain = tostring(split(TargetAccount, \\\"\\\\\\\\\\\")[0])\\n| project-away DomainIndex\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetAccount\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Sid\",\"columnName\":\"TargetSid\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"AD user enabled and password not set within 48 hours\",\"description\":\"Identifies when an account is enabled with a default password and the password is not set by the user within 48 hours.\\nEffectively, there is an event 4722 indicating an account was enabled and within 48 hours, no event 4723 occurs which\\nindicates there was no attempt by the user to set the password. This will show any attempts (success or fail) that occur\\nafter 48 hours, which can indicate too long of a time period in setting the password to something that only the user knows.\\nIt is recommended that this time period is adjusted per your internal company policy.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2019-01-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ce02935c-cc67-4b77-9b96-93d9947e119a\",\"name\":\"ce02935c-cc67-4b77-9b96-93d9947e119a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"acrobatrelay.com\\\", \\\"finconsult.cc\\\", \\\"realmetaldns.com\\\"]); \\n(union isfuzzy=true \\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where DNSName in~ (DomainNames) \\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = DestinationIP \\n), \\n(_Im_Dns (domain_has_any=DomainNames)\\n| extend DNSName = DnsQuery \\n| extend IPAddress = SrcIpAddr, Computer = Dvc\\n), \\n(_Im_WebSession (url_has_any=DomainNames)\\n| extend DNSName = tostring(parse_url(Url)[\\\"Host\\\"])\\n| extend IPAddress = SrcIpAddr, Computer = Dvc\\n), \\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 * \\n| where isnotempty(DNSName) \\n| where DNSName in~ (DomainNames) \\n| extend IPAddress = RemoteIp \\n), \\n( \\n DeviceNetworkEvents \\n| where isnotempty(RemoteUrl) \\n| where RemoteUrl has_any (DomainNames) \\n| extend IPAddress = RemoteIP \\n| extend Computer = DeviceName \\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPAddress = SourceHost\\n) \\n) \\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"[Deprecated] - Denim Tsunami C2 Domains July 2022\",\"description\":\"This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft\u0027s Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2022-07-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5436f471-b03d-41cb-b333-65891f887c43\",\"name\":\"5436f471-b03d-41cb-b333-65891f887c43\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Informational\",\"query\":\"GitHubRepo\\n| where Action == \\\"vulnerabilityAlert\\\"\\n| project TimeGenerated, DismmisedAt, Reason, vulnerableManifestFilename, Description, Link, PublishedAt, Severity, Summary\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Link\"}]}],\"tactics\":[\"InitialAccess\",\"Execution\",\"PrivilegeEscalation\",\"DefenseEvasion\",\"CredentialAccess\",\"LateralMovement\"],\"displayName\":\"GitHub Security Vulnerability in Repository\",\"description\":\"This alerts when there is a new security vulnerability in a GitHub repository.\",\"lastUpdatedDateUTC\":\"2024-07-24T00:00:00Z\",\"createdDateUTC\":\"2020-06-10T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2937bc6b-7cda-4fba-b452-ea43ba8e835f\",\"name\":\"2937bc6b-7cda-4fba-b452-ea43ba8e835f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n| where EventID == 5136 \\n| parse EventData with * \u0027ObjectClass\\\"\u003e\u0027 ObjectClass \\\"\u003c\\\" *\\n| parse EventData with * \u0027AttributeLDAPDisplayName\\\"\u003e\u0027 AttributeLDAPDisplayName \\\"\u003c\\\" *\\n| where ObjectClass == \\\"computer\\\" and AttributeLDAPDisplayName == \\\"msDS-AllowedToActOnBehalfOfOtherIdentity\\\"\\n| parse EventData with * \u0027ObjectDN\\\"\u003e\u0027 ObjectDN \\\"\u003c\\\" *\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Computer, SubjectAccount, SubjectUserName, SubjectDomainName, SubjectUserSid, SubjectLogonId, ObjectDN, AttributeLDAPDisplayName\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| project-away DomainIndex\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SubjectAccount\"},{\"identifier\":\"Name\",\"columnName\":\"SubjectUserName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"SubjectDomainName\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Sid\",\"columnName\":\"SubjectUserSid\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Possible Resource-Based Constrained Delegation Abuse\",\"description\":\"This query identifies Active Directory computer objects modifications that allow an adversary to abuse the Resource-based constrained delegation. \\nThis query checks for event id 5136 that the Object Class field is \\\"computer\\\" and the LDAP Display Name is \\\"msDS-AllowedToActOnBehalfOfOtherIdentity\\\" which is an indicator of Resource-based constrained delegation.\\nRef: https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2022-01-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8540c842-5bbc-4a24-9fb2-a836c0e55a51\",\"name\":\"8540c842-5bbc-4a24-9fb2-a836c0e55a51\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.3\",\"severity\":\"High\",\"query\":\"AuditLogs\\n| where OperationName =~ \\\"Set federation settings on domain\\\" or OperationName =~ \\\"Set domain authentication\\\"\\n//| where Result =~ \\\"success\\\" // commenting out, as it may be interesting to capture failed attempts\\n| mv-expand TargetResources\\n| extend modifiedProperties = parse_json(TargetResources).modifiedProperties\\n| mv-apply Property = modifiedProperties on \\n (\\n where Property.displayName =~ \\\"LiveType\\\"\\n | extend targetDisplayName = tostring(Property.displayName),\\n NewDomainValue = tostring(Property.newValue)\\n )\\n| extend Federated = iif(OperationName =~ \\\"Set domain authentication\\\", iif(NewDomainValue has \\\"Federated\\\", True, False), True)\\n| where Federated == True\\n| mv-expand AdditionalDetails\\n| mv-apply AdditionalDetail = AdditionalDetails on \\n (\\n where AdditionalDetail.key =~ \\\"User-Agent\\\"\\n | extend UserAgent = tostring(AdditionalDetail.value)\\n )\\n| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n| extend InitiatingIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\\n| project-reorder TimeGenerated, OperationName, InitiatingUserPrincipalName, InitiatingAadUserId, InitiatingAppName, InitiatingAppServicePrincipalId, InitiatingIpAddress, AADOperationType, targetDisplayName, Result, UserAgent, CorrelationId, TenantId, AADTenantId\\n| extend Name = tostring(split(InitiatingUserPrincipalName,\u0027@\u0027,0)[0]), UPNSuffix = tostring(split(InitiatingUserPrincipalName,\u0027@\u0027,1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAppServicePrincipalId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIpAddress\"}]}],\"tactics\":[\"CredentialAccess\",\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"NRT Modified domain federation trust settings\",\"description\":\"This will alert when a user or application modifies the federation settings on the domain or Update domain authentication from Managed to Federated.\\nFor example, this alert will trigger when a new Active Directory Federated Service (ADFS) TrustedRealm object, such as a signing certificate, is added to the domain.\\nModification to domain federation settings should be rare. Confirm the added or modified target domain/URL is legitimate administrator behavior.\\nTo understand why an authorized user may update settings for a federated domain in Office 365, Azure, or Intune, see: https://docs.microsoft.com/office365/troubleshoot/active-directory/update-federated-domain-office-365.\\nFor details on security realms that accept security tokens, see the ADFS Proxy Protocol (MS-ADFSPP) specification: https://docs.microsoft.com/openspecs/windows_protocols/ms-adfspp/e7b9ea73-1980-4318-96a6-da559486664b.\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2024-07-15T00:00:00Z\",\"createdDateUTC\":\"2020-12-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/dd03057e-4347-4853-bf1e-2b2d21eb4e59\",\"name\":\"dd03057e-4347-4853-bf1e-2b2d21eb4e59\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"let DomainList = dynamic([\\\"monerohash.com\\\", \\\"do-dear.com\\\", \\\"xmrminerpro.com\\\", \\\"secumine.net\\\", \\\"xmrpool.com\\\", \\\"minexmr.org\\\", \\\"hashanywhere.com\\\", \\\"xmrget.com\\\",\\n\\\"mininglottery.eu\\\", \\\"minergate.com\\\", \\\"moriaxmr.com\\\", \\\"multipooler.com\\\", \\\"moneropools.com\\\", \\\"xmrpool.eu\\\", \\\"coolmining.club\\\", \\\"supportxmr.com\\\",\\n\\\"minexmr.com\\\", \\\"hashvault.pro\\\", \\\"xmrpool.net\\\", \\\"crypto-pool.fr\\\", \\\"xmr.pt\\\", \\\"miner.rocks\\\", \\\"walpool.com\\\", \\\"herominers.com\\\", \\\"gntl.co.uk\\\", \\\"semipool.com\\\",\\n\\\"coinfoundry.org\\\", \\\"cryptoknight.cc\\\", \\\"fairhash.org\\\", \\\"baikalmine.com\\\", \\\"tubepool.xyz\\\", \\\"fairpool.xyz\\\", \\\"asiapool.io\\\", \\\"coinpoolit.webhop.me\\\", \\\"nanopool.org\\\",\\n\\\"moneropool.com\\\", \\\"miner.center\\\", \\\"prohash.net\\\", \\\"poolto.be\\\", \\\"cryptoescrow.eu\\\", \\\"monerominers.net\\\", \\\"cryptonotepool.org\\\", \\\"extrmepool.org\\\", \\\"webcoin.me\\\",\\n\\\"kippo.eu\\\", \\\"hashinvest.ws\\\", \\\"monero.farm\\\", \\\"supportxmr.com\\\", \\\"xmrpool.eu\\\", \\\"linux-repository-updates.com\\\", \\\"1gh.com\\\", \\\"dwarfpool.com\\\", \\\"hash-to-coins.com\\\",\\n\\\"hashvault.pro\\\", \\\"pool-proxy.com\\\", \\\"hashfor.cash\\\", \\\"fairpool.cloud\\\", \\\"litecoinpool.org\\\", \\\"mineshaft.ml\\\", \\\"abcxyz.stream\\\", \\\"moneropool.ru\\\", \\\"cryptonotepool.org.uk\\\",\\n\\\"extremepool.org\\\", \\\"extremehash.com\\\", \\\"hashinvest.net\\\", \\\"unipool.pro\\\", \\\"crypto-pools.org\\\", \\\"monero.net\\\", \\\"backup-pool.com\\\", \\\"mooo.com\\\", \\\"freeyy.me\\\", \\\"cryptonight.net\\\",\\n\\\"shscrypto.net\\\"]);\\nSyslog\\n| where ProcessName contains \\\"squid\\\"\\n| extend URL = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :]*)\\\",3,SyslogMessage),\\n SourceIP = extract(\\\"([0-9]+ )(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3}))\\\",2,SyslogMessage),\\n Status = extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))\\\",1,SyslogMessage),\\n HTTP_Status_Code = extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))/([0-9]{3})\\\",8,SyslogMessage),\\n User = extract(\\\"(CONNECT |GET )([^ ]* )([^ ]+)\\\",3,SyslogMessage),\\n RemotePort = extract(\\\"(CONNECT |GET )([^ ]*)(:)([0-9]*)\\\",4,SyslogMessage),\\n Domain = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :\\\\\\\\/]*)\\\",3,SyslogMessage),\\n Bytes = toint(extract(\\\"([A-Z]+\\\\\\\\/[0-9]{3} )([0-9]+)\\\",2,SyslogMessage)),\\n contentType = extract(\\\"([a-z/]+$)\\\",1,SyslogMessage)\\n| extend TLD = extract(\\\"\\\\\\\\.[a-z]*$\\\",0,Domain)\\n| where HTTP_Status_Code == \u0027200\u0027\\n| where Domain contains \\\".\\\"\\n| where Domain has_any (DomainList)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"User\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URL\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"NRT Squid proxy events related to mining pools\",\"description\":\"Checks for Squid proxy events in Syslog associated with common mining pools .This query presumes the default Squid log format is being used.\\n http://www.squid-cache.org/Doc/config/access_log/\",\"lastUpdatedDateUTC\":\"2024-03-04T00:00:00Z\",\"createdDateUTC\":\"2019-07-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"SyslogAma\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0b904747-1336-4363-8d84-df2710bfe5e7\",\"name\":\"0b904747-1336-4363-8d84-df2710bfe5e7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.2\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h; // Look back 1 hour for AzureDiagnostics logs\\nlet ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators\\n// Fetch threat intelligence indicators related to IP addresses\\nlet IP_Indicators = ThreatIntelligenceIndicator\\n // Filter out indicators without relevant IP address fields\\n | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n | where TimeGenerated \u003e= ago(ioc_lookBack)\\n // Select the IP entity based on availability of different IP fields\\n | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n // Exclude local addresses using the ipv4_is_private operator and filtering out specific address prefixes\\n | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \\\"fe80\\\" and TI_ipEntity !startswith \\\"::\\\" and TI_ipEntity !startswith \\\"127.\\\"\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n | where Active == true and ExpirationDateTime \u003e now();\\n// Perform a join between IP indicators and AzureDiagnostics logs to identify potential malicious activity\\nIP_Indicators\\n // Use innerunique to keep performance fast and result set low, as we only need one match to indicate potential malicious activity that needs investigation\\n | join kind=innerunique (\\n AzureDiagnostics\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where OperationName in (\\\"AzureFirewallApplicationRuleLog\\\", \\\"AzureFirewallNetworkRuleLog\\\")\\n | parse kind=regex flags=U msg_s with Protocol \u0027request from \u0027 SourceHost \u0027to \u0027 DestinationHost @\u0027\\\\.? Action: \u0027 Firewall_Action @\u0027\\\\.\u0027 Rest_msg\\n | extend SourceAddress = extract(@\u0027([\\\\.0-9]+)(:[\\\\.0-9]+)?\u0027, 1, SourceHost)\\n | extend DestinationAddress = extract(@\u0027([\\\\.0-9]+)(:[\\\\.0-9]+)?\u0027, 1, DestinationHost)\\n | extend RemoteIP = case(not(ipv4_is_private(DestinationAddress)), DestinationAddress, not(ipv4_is_private(SourceAddress)), SourceAddress, \\\"\\\")\\n | where isnotempty(RemoteIP) // Filter out traffic involving public addresses only\\n | project-rename AzureFirewall_TimeGenerated = TimeGenerated\\n )\\n on $left.TI_ipEntity == $right.RemoteIP\\n // Filter out logs that occurred after the expiration of the corresponding indicator\\n | where AzureFirewall_TimeGenerated \u003c ExpirationDateTime\\n // Group the results by IndicatorId and RemoteIP, and keep the log entry with the latest timestamp\\n | summarize AzureFirewall_TimeGenerated = arg_max(AzureFirewall_TimeGenerated, *) by IndicatorId, RemoteIP\\n // Select the desired output fields\\n | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, DomainName, ExpirationDateTime, ConfidenceScore,\\n AzureFirewall_TimeGenerated, TI_ipEntity, Resource, Category, msg_s, SourceAddress, DestinationAddress, Firewall_Action, Protocol,\\n NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, Type\\n // Rename the timestamp field\\n | extend timestamp = AzureFirewall_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"TI_ipEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"TI map IP entity to AzureFirewall\",\"description\":\"Identifies a match in AzureFirewall (NetworkRule \u0026 ApplicationRule Logs) from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2024-07-09T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b2199398-8942-4b8c-91a9-b0a707c5d147\",\"name\":\"b2199398-8942-4b8c-91a9-b0a707c5d147\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT12H\",\"queryPeriod\":\"PT12H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/HiveRansomwareJuly2022.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, SourceUserID, FileHash, Type\\n| extend timestamp = TimeGenerated, FileHashCustomEntity = FileHash, Account = SourceUserID\\n),\\n(imFileEvent\\n| where TargetFileSHA256 has_any (sha256Hashes)\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHashCustomEntity = FileHash\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Image = EventDetail.[4].[\\\"#text\\\"], CommandLine = EventDetail.[10].[\\\"#text\\\"], Hashes = tostring(EventDetail.[17].[\\\"#text\\\"])\\n| extend Hashes = extract_all(@\\\"(?P\u003ckey\u003e\\\\w+)=(?P\u003cvalue\u003e[a-zA-Z0-9]+)\\\", dynamic([\\\"key\\\",\\\"value\\\"]), Hashes)\\n| extend Hashes = column_ifexists(\\\"Hashes\\\", \\\"\\\"), CommandLine = column_ifexists(\\\"CommandLine\\\", \\\"\\\")\\n| extend Hashes = todynamic(Hashes) | mv-expand Hashes\\n| where Hashes[0] =~ \\\"SHA256\\\" and Hashes[1] has_any (sha256Hashes)\\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, Hashes, CommandLine, Image\\n| extend Type = strcat(Type, \\\": \\\", Source)\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), FileHashCustomEntity = tostring(Hashes[1])\\n),\\n(DeviceEvents\\n| where InitiatingProcessSHA256 has_any (sha256Hashes) or SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n),\\n(DeviceFileEvents\\n| where SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n),\\n(DeviceImageLoadEvents\\n| where SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"[Deprecated] - Hive Ransomware IOC - July 2022\",\"description\":\"This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft\u0027s Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2022-01-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\",\"DeviceEvents\",\"DeviceImageLoadEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/173f8699-6af5-484a-8b06-8c47ba89b380\",\"name\":\"173f8699-6af5-484a-8b06-8c47ba89b380\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.4\",\"severity\":\"Low\",\"query\":\"// Adjust this value to change how many Teams should be deleted before including\\nlet max_delete_count = 3;\\n// Adjust this value to change the timewindow the query runs over\\n OfficeActivity\\n| where OfficeWorkload =~ \\\"MicrosoftTeams\\\"\\n| where Operation =~ \\\"TeamDeleted\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), DeletedTeams = make_set(TeamName, 1000) by UserId\\n| where array_length(DeletedTeams) \u003e max_delete_count\\n| extend AccountName = tostring(split(UserId, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(UserId, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserId\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Multiple Teams deleted by a single user\",\"description\":\"This detection flags the occurrences of deleting multiple teams within an hour.\\nThis data is a part of Office 365 Connector in Microsoft Sentinel.\",\"lastUpdatedDateUTC\":\"2024-03-13T00:00:00Z\",\"createdDateUTC\":\"2020-09-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity (Teams)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/68c0b6bb-6bd9-4ef4-9011-08998c8ef90f\",\"name\":\"68c0b6bb-6bd9-4ef4-9011-08998c8ef90f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"let Threshold = 3;\\nAzureDiagnostics\\n| where Category == \\\"ApplicationGatewayFirewallLog\\\"\\n| where action_s == \\\"Matched\\\"\\n| project transactionId_g, hostname_s, requestUri_s, TimeGenerated, clientIp_s, Message, details_message_s, details_data_s\\n| join kind = inner(\\nAzureDiagnostics\\n| where Category == \\\"ApplicationGatewayFirewallLog\\\"\\n| where action_s == \\\"Blocked\\\"\\n| parse Message with MessageText \u0027Total Inbound Score: \u0027 TotalInboundScore \u0027 - SQLI=\u0027 SQLI_Score \u0027,XSS=\u0027 XSS_Score \u0027,RFI=\u0027 RFI_Score \u0027,LFI=\u0027 LFI_Score \u0027,RCE=\u0027 RCE_Score \u0027,PHPI=\u0027 PHPI_Score \u0027,HTTP=\u0027 HTTP_Score \u0027,SESS=\u0027 SESS_Score \u0027): \u0027 Blocked_Reason \u0027; individual paranoia level scores:\u0027 Paranoia_Score\\n| where Blocked_Reason contains \\\"SQL Injection Attack\\\" and toint(SQLI_Score) \u003e=10 and toint(TotalInboundScore) \u003e= 15) on transactionId_g\\n| extend Uri = strcat(hostname_s,requestUri_s)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), TransactionID = make_set(transactionId_g), Message = make_set(Message), Detail_Message = make_set(details_message_s), Detail_Data = make_set(details_data_s), Total_TransactionId = dcount(transactionId_g) by clientIp_s, Uri, action_s, SQLI_Score, TotalInboundScore\\n| where Total_TransactionId \u003e= Threshold\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Uri\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"clientIp_s\"}]}],\"tactics\":[\"DefenseEvasion\",\"Execution\",\"InitialAccess\",\"PrivilegeEscalation\"],\"displayName\":\"Application Gateway WAF - SQLi Detection\",\"description\":\"Identifies a match for SQL Injection attack in the Application gateway WAF logs. The Threshold value in the query can be changed as per your infrastructure\u0027s requirement.\\n References: https://owasp.org/Top10/A03_2021-Injection/\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2022-07-21T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"WAF\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/52aec824-96c1-4a03-8e44-bb70532e6cea\",\"name\":\"52aec824-96c1-4a03-8e44-bb70532e6cea\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"High\",\"query\":\"SecurityEvent\\n| where EventID == 5136 and EventData contains \\\"\u003cData Name=\\\\\\\"ObjectDN\\\\\\\"\u003eCN=AdminSDHolder,CN=System\\\"\\n| parse EventData with * \u0027ObjectDN\\\"\u003e\u0027 ObjectDN \\\"\u003c\\\" *\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Computer, SubjectAccount, SubjectUserSid, SubjectLogonId, ObjectDN\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| extend Name = tostring(split(SubjectAccount, \\\"\\\\\\\\\\\")[1]), NTDomain = tostring(split(SubjectAccount, \\\"\\\\\\\\\\\")[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SubjectAccount\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"NTDomain\",\"columnName\":\"NTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"AdminSDHolder Modifications\",\"description\":\"This query detects modification in the AdminSDHolder in the Active Directory which could indicate an attempt for persistence. \\nAdminSDHolder Modification is a persistence technique in which an attacker abuses the SDProp process in Active Directory to establish a persistent backdoor to Active Directory.\\nThis query searches for the event id 5136 where the Object DN is AdminSDHolder.\\nRef: https://attack.stealthbits.com/adminsdholder-modification-ad-persistence\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2021-12-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b1832f60-6c3d-4722-a0a5-3d564ee61a63\",\"name\":\"b1832f60-6c3d-4722-a0a5-3d564ee61a63\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.6\",\"severity\":\"Medium\",\"query\":\"let HAS_ANY_MAX = 10000;\\nlet dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation\\nlet DOMAIN_TI=ThreatIntelligenceIndicator\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(DomainName)\\n| where TimeGenerated \u003e= ago(ioc_lookBack)\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true and ExpirationDateTime \u003e now();\\nlet DOMAIN_TI_list= todynamic(toscalar(DOMAIN_TI | summarize NIoCs = dcount(DomainName), Domains = make_set(DomainName) \\n | project Domains=iff(NIoCs \u003e HAS_ANY_MAX, dynamic([]), Domains) ));\\nDOMAIN_TI\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n _Im_WebSession(starttime=ago(dt_lookBack), url_has_any= DOMAIN_TI_list )\\n //Extract domain patterns from syslog message\\n | extend domain = tostring(parse_url(Url)[\\\"Host\\\"])\\n | where isnotempty(domain)\\n | extend tld = tostring(split(domain, \u0027.\u0027)[-1])\\n | extend Event_TimeGenerated = TimeGenerated\\n) on $left.DomainName==$right.domain\\n| where Event_TimeGenerated \u003c ExpirationDateTime\\n| summarize Event_TimeGenerated = arg_max(Event_TimeGenerated , *) by IndicatorId, domain\\n| project Event_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, domain, SrcIpAddr, Url\",\"customDetails\":{\"EventTime\":\"Event_TimeGenerated\",\"IoCDescription\":\"Description\",\"ActivityGroupNames\":\"ActivityGroupNames\",\"IndicatorId\":\"IndicatorId\",\"ThreatType\":\"ThreatType\",\"IoCExpirationTime\":\"ExpirationDateTime\",\"IoCConfidenceScore\":\"ConfidenceScore\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"A web request from {{SrcIpAddr}} to hostname {{domain}} matched an IoC\",\"alertDescriptionFormat\":\"A client with address {{SrcIpAddr}} requested the URL {{Url}}, whose hostname is a known indicator of compromise of {{ThreatType}}. Consult the threat intelligence blade for more information on the indicator.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"CommandAndControl\"],\"displayName\":\"TI map Domain entity to Web Session Events (ASIM Web Session schema)\",\"description\":\"This rule identifies Web Sessions for which the target URL hostname is a known IoC. This rule uses the [Advanced Security Information Model (ASIM)](https:/aka.ms/AboutASIM) and supports any web session source that complies with ASIM.\",\"lastUpdatedDateUTC\":\"2024-07-09T00:00:00Z\",\"createdDateUTC\":\"2022-03-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5d33fc63-b83b-4913-b95e-94d13f0d379f\",\"name\":\"5d33fc63-b83b-4913-b95e-94d13f0d379f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.6\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet fileHashIndicators = ThreatIntelligenceIndicator\\n| where isnotempty(FileHashValue)\\n| where TimeGenerated \u003e= ago(ioc_lookBack)\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true and ExpirationDateTime \u003e now();\\n// Handle matches against both lower case and uppercase versions of the hash:\\n(fileHashIndicators | extend FileHashValue = tolower(FileHashValue)\\n| union (fileHashIndicators | extend FileHashValue = toupper(FileHashValue)))\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n CommonSecurityLog | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(FileHash)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n )\\non $left.FileHashValue == $right.FileHash\\n| where CommonSecurityLog_TimeGenerated \u003c ExpirationDateTime\\n| summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, FileHashValue\\n| project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nSourceIP, SourcePort, DestinationIP, DestinationPort, SourceUserID, SourceUserName, DeviceName, DeviceAction,\\nRequestURL, DestinationUserName, DestinationUserID, ApplicationProtocol, Activity, FileHashValue, FileHashType\\n| extend HostName = tostring(split(DeviceName, \u0027.\u0027, 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(DeviceName, \u0027.\u0027), 1, -1), \u0027.\u0027))\\n| extend Name = tostring(split(SourceUserName, \u0027@\u0027, 0)[0]), UPNSuffix = tostring(split(SourceUserName, \u0027@\u0027, 1)[0])\\n| extend timestamp = CommonSecurityLog_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SourceUserName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DeviceName\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Value\",\"columnName\":\"FileHashValue\"},{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashType\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"TI map File Hash to CommonSecurityLog Event\",\"description\":\"Identifies a match in CommonSecurityLog Event data from any FileHash IOC from TI\",\"lastUpdatedDateUTC\":\"2024-07-09T00:00:00Z\",\"createdDateUTC\":\"2019-08-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2fc5d810-c9cc-491a-b564-841427ae0e50\",\"name\":\"2fc5d810-c9cc-491a-b564-841427ae0e50\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.6\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @\u0027^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$\u0027;\\nThreatIntelligenceIndicator\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n| where TimeGenerated \u003e= ago(ioc_lookBack)\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true and ExpirationDateTime \u003e now()\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e= ago(dt_lookBack) and isnotempty(TargetUserName)\\n//Normalizing the column to lower case for exact match with EmailSenderAddress column\\n| extend TargetUserName = tolower(TargetUserName)\\n// renaming timestamp column so it is clear the log this came from SecurityEvent table\\n| extend SecurityEvent_TimeGenerated = TimeGenerated\\n),\\n(WindowsEvent\\n| where TimeGenerated \u003e= ago(dt_lookBack)\\n| extend TargetUserName = tostring(EventData.TargetUserName)\\n| where isnotempty(TargetUserName)\\n//Normalizing the column to lower case for exact match with EmailSenderAddress column\\n| extend TargetUserName = tolower(TargetUserName)\\n// renaming timestamp column so it is clear the log this came from SecurityEvent table\\n| extend SecurityEvent_TimeGenerated = TimeGenerated\\n))\\n)\\non $left.EmailSenderAddress == $right.TargetUserName\\n| where SecurityEvent_TimeGenerated \u003c ExpirationDateTime\\n| summarize SecurityEvent_TimeGenerated = arg_max(SecurityEvent_TimeGenerated, *) by IndicatorId, TargetUserName\\n| project SecurityEvent_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, Computer, EventID, TargetUserName, Activity, IpAddress, AccountType,\\nLogonTypeName, LogonProcessName, Status, SubStatus\\n| extend HostName = tostring(split(Computer, \u0027.\u0027, 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Computer, \u0027.\u0027), 1, -1), \u0027.\u0027))\\n| extend timestamp = SecurityEvent_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"TargetUserName\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"TI map Email entity to SecurityEvent\",\"description\":\"Identifies a match in SecurityEvent table from any Email IOC from TI\",\"lastUpdatedDateUTC\":\"2024-07-10T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3edb7215-250b-40c0-8b46-79093949242d\",\"name\":\"3edb7215-250b-40c0-8b46-79093949242d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let threshold = 10;\\nQualysHostDetectionV2_CL\\n| where Severity_s == \\\"5\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by NetBios_s, IPAddress\\n| where count_ \u003e= threshold\\n| extend timestamp = StartTime, HostCustomEntity = NetBios_s, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"High Number of Urgent Vulnerabilities Detected\",\"description\":\"This Creates an incident when a host has a high number of Urgent, severity 5, vulnerabilities detected.\",\"lastUpdatedDateUTC\":\"2022-12-28T00:00:00Z\",\"createdDateUTC\":\"2020-06-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"QualysVulnerabilityManagement\",\"dataTypes\":[\"QualysHostDetection_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6a2e2ff4-5568-475e-bef2-b95f12b9367b\",\"name\":\"6a2e2ff4-5568-475e-bef2-b95f12b9367b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.3\",\"severity\":\"Medium\",\"query\":\"let FailureThreshold = 15;\\nimAuthentication\\n| where EventType== \u0027Logon\u0027 and EventResult== \u0027Failure\u0027\\n// reason: creds \\n| where EventResultDetails in (\u0027No such user or password\u0027, \u0027Incorrect password\u0027)\\n| summarize UserCount=dcount(TargetUserId), Vendors=make_set(EventVendor), Products=make_set(EventVendor)\\n , Users = make_set(TargetUserId,100) \\n by SrcDvcIpAddr, SrcGeoCountry, bin(TimeGenerated, 5m)\\n| where UserCount \u003e FailureThreshold\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcDvcIpAddr\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Potential Password Spray Attack (Uses Authentication Normalization)\",\"description\":\"This query searches for failed attempts to log in from more than 15 various users within a 5 minute timeframe from the same source. This is a potential indication of a password spray attack\\n To use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimAuthentication)\",\"lastUpdatedDateUTC\":\"2023-12-12T00:00:00Z\",\"createdDateUTC\":\"2021-06-14T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b6988c32-4f3b-4a45-8313-b46b33061a74\",\"name\":\"b6988c32-4f3b-4a45-8313-b46b33061a74\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.6\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n| where OperationName has_any (\\\"Add service principal\\\", \\\"Certificates and secrets management\\\")\\n| where Result =~ \\\"success\\\"\\n| where tostring(InitiatedBy.user.userPrincipalName) has \\\"@\\\" or tostring(InitiatedBy.app.displayName) has \\\"@\\\"\\n| mv-apply TargetResource = TargetResources on \\n (\\n where TargetResource.type =~ \\\"Application\\\"\\n | extend targetDisplayName = tostring(TargetResource.displayName),\\n targetId = tostring(TargetResource.id),\\n targetType = tostring(TargetResource.type),\\n keyEvents = TargetResource.modifiedProperties\\n )\\n| mv-apply Property = keyEvents on \\n (\\n where Property.displayName =~ \\\"KeyDescription\\\"\\n | extend new_value_set = parse_json(tostring(Property.newValue)),\\n old_value_set = parse_json(tostring(Property.oldValue))\\n )\\n| where old_value_set == \\\"[]\\\"\\n| mv-expand new_value_set\\n| parse new_value_set with * \\\"KeyIdentifier=\\\" keyIdentifier:string \\\",KeyType=\\\" keyType:string \\\",KeyUsage=\\\" keyUsage:string \\\",DisplayName=\\\" keyDisplayName:string \\\"]\\\" *\\n| where keyUsage == \\\"Verify\\\"\\n | mv-apply AdditionalDetail = AdditionalDetails on \\n (\\n where AdditionalDetail.key =~ \\\"User-Agent\\\"\\n | extend UserAgent = tostring(AdditionalDetail.value)\\n )\\n| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n| extend InitiatingIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\\n//| where targetType =~ \\\"Application\\\" // or targetType =~ \\\"ServicePrincipal\\\"\\n| project-away new_value_set, old_value_set\\n| project-reorder TimeGenerated, OperationName, InitiatingUserPrincipalName, InitiatingAadUserId, InitiatingAppName, InitiatingAppServicePrincipalId, InitiatingIpAddress, UserAgent, targetDisplayName, targetId, targetType, keyDisplayName, keyType, keyUsage, keyIdentifier, CorrelationId, TenantId\\n| extend InitiatedByName = tostring(split(InitiatingUserPrincipalName,\u0027@\u0027,0)[0]), InitiatedByUPNSuffix = tostring(split(InitiatingUserPrincipalName,\u0027@\u0027,1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatedByName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatedByUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAppServicePrincipalId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIpAddress\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"NRT First access credential added to Application or Service Principal where no credential was present\",\"description\":\"This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where there was no previous verify KeyCredential associated.\\nIf a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2024-03-06T00:00:00Z\",\"createdDateUTC\":\"2020-11-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/55073036-bb86-47d3-a85a-b113ac3d9396\",\"name\":\"55073036-bb86-47d3-a85a-b113ac3d9396\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.6\",\"severity\":\"Medium\",\"query\":\"let admins=(IdentityInfo\\n | where AssignedRoles contains \\\"admin\\\" or GroupMembership has \\\"Admin\\\"\\n | summarize by tolower(AccountUPN));\\n let known_asns = (\\n SigninLogs\\n | where TimeGenerated between(ago(14d)..ago(1d))\\n | where ResultType == 0\\n | summarize by AutonomousSystemNumber);\\n SigninLogs\\n | where TimeGenerated \u003e ago(1d)\\n | where ResultType == 0\\n | where tolower(UserPrincipalName) in (admins)\\n | where AutonomousSystemNumber !in (known_asns)\\n | project-reorder TimeGenerated, UserPrincipalName, UserAgent, IPAddress, AutonomousSystemNumber\\n | extend AccountName = tostring(split(UserPrincipalName, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(UserPrincipalName, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Privileged User Logon from new ASN\",\"description\":\"Detects a successful logon by a privileged account from an ASN not logged in from in the last 14 days.\\n Monitor these logons to ensure they are legitimate and identify if there are any similar sign ins.\",\"lastUpdatedDateUTC\":\"2023-12-28T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"BehaviorAnalytics\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"IdentityInfo\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/23005e87-2d3a-482b-b03d-edbebd1ae151\",\"name\":\"23005e87-2d3a-482b-b03d-edbebd1ae151\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"let exchange_servers = (\\nW3CIISLog\\n| where TimeGenerated \u003e ago(14d)\\n| where sSiteName =~ \\\"Exchange Back End\\\"\\n| summarize by Computer);\\nW3CIISLog\\n| where TimeGenerated \u003e ago(1d)\\n| where Computer in (exchange_servers)\\n| where csUriQuery startswith \\\"t=\\\"\\n| project-reorder TimeGenerated, Computer, csUriStem, csUriQuery, csUserName, csUserAgent, cIP\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| extend AccountName = tostring(split(csUserName, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(csUserName, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"csUserName\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"cIP\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Silk Typhoon Suspicious Exchange Request\",\"description\":\"This query looks for suspicious request patterns to Exchange servers that fit a pattern observed by Silk Typhoon actors.\\nThe same query can be run on HTTPProxy logs from on-premise hosted Exchange servers.\\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\",\"lastUpdatedDateUTC\":\"2023-12-28T00:00:00Z\",\"createdDateUTC\":\"2021-03-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/712fab52-2a7d-401e-a08c-ff939cc7c25e\",\"name\":\"712fab52-2a7d-401e-a08c-ff939cc7c25e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.8\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet AuditEvents = materialize(AuditLogs\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n // Extract the URL that is contained within the JSON data\\n | extend Url = extract(\\\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.\u0026+]|[!*\\\\\\\\(\\\\\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+)\\\", 1,tostring(TargetResources))\\n | where isnotempty(Url)\\n | extend userPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend TargetResourceDisplayName = tostring(TargetResources[0].displayName)\\n | extend Audit_TimeGenerated = TimeGenerated);\\nlet AuditUrls = AuditEvents | distinct Url = tolower(Url) | summarize make_list(Url);\\nThreatIntelligenceIndicator\\n| where isnotempty(Url)\\n| where TimeGenerated \u003e= ago(ioc_lookBack)\\n| where tolower(Url) in (AuditUrls)\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true and ExpirationDateTime \u003e now()\\n| where Description !contains_cs \\\"State: inactive;\\\" and Description !contains_cs \\\"State: falsepos;\\\"\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (AuditEvents) on Url\\n| where Audit_TimeGenerated \u003c ExpirationDateTime\\n| summarize Audit_TimeGenerated = arg_max(Audit_TimeGenerated, *) by IndicatorId, Url\\n| project Audit_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore,\\nOperationName, Identity, userPrincipalName, TargetResourceDisplayName, Url\\n| extend AccountName = tostring(split(userPrincipalName, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(userPrincipalName, \\\"@\\\")[1])\\n| extend HostName = tostring(split(TargetResourceDisplayName, \\\".\\\")[0]), DomainIndex = toint(indexof(TargetResourceDisplayName, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(TargetResourceDisplayName, DomainIndex + 1), TargetResourceDisplayName)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"userPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetResourceDisplayName\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"TI Map URL Entity to AuditLogs\",\"description\":\"This query identifies any URL indicators of compromise (IOCs) from threat intelligence (TI) by searching for matches in AuditLogs.\",\"lastUpdatedDateUTC\":\"2024-09-12T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d2e8fd50-8d66-11ec-b909-0242ac120002\",\"name\":\"d2e8fd50-8d66-11ec-b909-0242ac120002\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n | where EventID in (4624,4625) and LogonType in (10) and IpAddress in (\\\"::1\\\",\\\"127.0.0.1\\\")\\n | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, TargetUserName, TargetLogonId, LogonType, IpAddress\\n | extend Name=tostring(split(TargetUserName, \\\"@\\\")[0]), UPNSuffix=tostring(split(TargetUserName, \\\"@\\\")[1])\\n | extend HostName = iif(Computer has \u0027.\u0027,substring(Computer,0,indexof(Computer,\u0027.\u0027)),Computer) , DnsDomain = iif(Computer has \u0027.\u0027,substring(Computer,indexof(Computer,\u0027.\u0027)+1),\u0027\u0027)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Potential Remote Desktop Tunneling\",\"description\":\"This query detects remote desktop authentication attempts with a localhost source address, which can indicate a tunneled login.\\nRef: https://www.mandiant.com/resources/bypassing-network-restrictions-through-rdp-tunneling\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/707494a5-8e44-486b-90f8-155d1797a8eb\",\"name\":\"707494a5-8e44-486b-90f8-155d1797a8eb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P2D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"let auditLookbackStart = 2d;\\nlet auditLookbackEnd = 1d;\\nAuditLogs\\n| where TimeGenerated \u003e= ago(auditLookbackStart)\\n| where OperationName =~ \\\"Consent to application\\\" \\n| where Result =~ \\\"success\\\"\\n| mv-apply TargetResource = TargetResources on \\n (\\n where TargetResource.type =~ \\\"ServicePrincipal\\\"\\n | extend targetResourceName = tostring(TargetResource.displayName),\\n targetResourceID = tostring(TargetResource.id),\\n targetResourceType = tostring(TargetResource.type),\\n targetModifiedProp = TargetResource.modifiedProperties\\n )\\n| mv-apply Property = targetModifiedProp on \\n (\\n where Property.displayName =~ \\\"ConsentContext.IsAdminConsent\\\"\\n | extend isAdminConsent = trim(@\u0027\\\"\u0027,tostring(Property.newValue))\\n )\\n| mv-apply Property = targetModifiedProp on \\n (\\n where Property.displayName =~ \\\"ConsentAction.Permissions\\\"\\n | extend Consent_Permissions = trim(@\u0027\\\"\u0027,tostring(Property.newValue))\\n )\\n| mv-apply Property = targetModifiedProp on \\n (\\n where Property.displayName =~ \\\"TargetId.ServicePrincipalNames\\\"\\n | extend Consent_ServicePrincipalNames = tostring(extract_all(@\\\"([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12})\\\",trim(@\u0027\\\"\u0027,tostring(Property.newValue)))[0])\\n )\\n| extend Consent_InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend Consent_InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n| join ( \\nAuditLogs\\n| where TimeGenerated \u003e= ago(auditLookbackEnd)\\n| where OperationName =~ \\\"Add service principal credentials\\\"\\n| where Result =~ \\\"success\\\"\\n| mv-apply TargetResource = TargetResources on \\n (\\n where TargetResource.type =~ \\\"ServicePrincipal\\\"\\n | extend targetResourceName = tostring(TargetResource.displayName),\\n targetResourceID = tostring(TargetResource.id),\\n targetModifiedProp = TargetResource.modifiedProperties\\n )\\n| mv-apply Property = targetModifiedProp on \\n (\\n where Property.displayName =~ \\\"KeyDescription\\\"\\n | extend Credential_KeyDescription = trim(@\u0027\\\"\u0027,tostring(Property.newValue))\\n )\\n| mv-apply Property = targetModifiedProp on \\n (\\n where Property.displayName =~ \\\"Included Updated Properties\\\"\\n | extend UpdatedProperties = trim(@\u0027\\\"\u0027,tostring(Property.newValue))\\n )\\n| mv-apply Property = targetModifiedProp on \\n (\\n where Property.displayName =~ \\\"TargetId.ServicePrincipalNames\\\"\\n | extend Credential_ServicePrincipalNames = tostring(extract_all(@\\\"([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12})\\\",trim(@\u0027\\\"\u0027,tostring(Property.newValue)))[0])\\n )\\n| extend Credential_InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend Credential_InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n) on targetResourceName, targetResourceID\\n| extend TimeConsent = TimeGenerated, TimeCred = TimeGenerated1\\n| where TimeConsent \u003c TimeCred \\n| project TimeConsent, TimeCred, Consent_InitiatingUserOrApp, Credential_InitiatingUserOrApp, targetResourceName, targetResourceType, isAdminConsent, Consent_ServicePrincipalNames, Credential_ServicePrincipalNames, Consent_Permissions, Credential_KeyDescription, Consent_InitiatingIpAddress, Credential_InitiatingIpAddress\\n| extend timestamp = TimeConsent, Name = tostring(split(Credential_InitiatingUserOrApp,\u0027@\u0027,0)[0]), UPNSuffix = tostring(split(Credential_InitiatingUserOrApp,\u0027@\u0027,1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"Consent_InitiatingIpAddress\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Credential added after admin consented to Application\",\"description\":\"This query will identify instances where Service Principal credentials were added to an application by one user after the application was granted admin consent rights by another user.\\n If a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\\n Additional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow.\\n For further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2021-02-12T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f68a5046-b7eb-4f69-9519-1e99708bb9e0\",\"name\":\"f68a5046-b7eb-4f69-9519-1e99708bb9e0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"DeviceFileEvents\\n | where ActionType =~ \\\"FileCreated\\\"\\n | where FolderPath has \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\spool\\\\\\\\drivers\\\\\\\\color\\\\\\\\\\\" \\n | where FileName endswith \\\".exe\\\" or FileName endswith \\\".dll\\\"\",\"entityMappings\":[{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"FileName\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"DeviceName\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"PE file dropped in Color Profile Folder\",\"description\":\"This query looks for writes of PE files to C:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\color\\\\.\\n This is a common directory used by malware, as well as some legitimate programs, and writes of PE files to the folder should be monitored.\\n Ref: https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2022-07-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/983a6922-894d-413c-9f04-d7add0ecc307\",\"name\":\"983a6922-894d-413c-9f04-d7add0ecc307\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P10D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.4\",\"severity\":\"Medium\",\"query\":\"let referencestarttime = 10d;\\nlet referenceendtime = 1d;\\nlet threshold = 100;\\nlet nxDomainDnsEvents = (stime:datetime, etime:datetime) \\n {_Im_Dns(responsecodename=\u0027NXDOMAIN\u0027, starttime=stime, endtime=etime)\\n | where DnsQueryTypeName in (\\\"A\\\", \\\"AAAA\\\")\\n | where ipv4_is_match(\\\"127.0.0.1\\\", SrcIpAddr) == False\\n | where DnsQuery !contains \\\"/\\\" and DnsQuery contains \\\".\\\"};\\nnxDomainDnsEvents (stime=ago(referenceendtime) ,etime=now())\\n | extend sld = tostring(split(DnsQuery, \\\".\\\")[-2])\\n | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), dcount(sld) by SrcIpAddr\\n | where dcount_sld \u003e threshold\\n // Filter out previously seen IPs\\n | join kind=leftanti (nxDomainDnsEvents (stime=ago(referencestarttime), etime=ago(referenceendtime))\\n | extend sld = tostring(split(DnsQuery, \\\".\\\")[-2])\\n | summarize dcount(sld) by SrcIpAddr\\n | where dcount_sld \u003e threshold ) on SrcIpAddr\\n// Pull out sample NXDomain responses for those remaining potentially infected IPs\\n| join kind = inner (nxDomainDnsEvents (stime=ago(referencestarttime), etime=now()) | summarize by DnsQuery, SrcIpAddr) on SrcIpAddr\\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), sampleNXDomainList=make_list(DnsQuery, 100) by SrcIpAddr, dcount_sld\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Potential DGA detected (ASIM DNS Schema)\",\"description\":\"Identifies clients with a high NXDomain count which could be indicative of a DGA (cycling through possible C2 domains where most C2s are not live). Alert is generated when a new IP address is seen (based on not being seen associated with \\nNXDomain records in prior 10-day baseline period).\\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2021-09-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/84cccc86-5c11-4b3a-aca6-7c8f738ed0f7\",\"name\":\"84cccc86-5c11-4b3a-aca6-7c8f738ed0f7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n | where OperationName has_all (\\\"member to role\\\", \\\"add\\\")\\n | where Result =~ \\\"Success\\\"\\n | extend type_ = tostring(TargetResources[0].type)\\n | where type_ =~ \\\"ServicePrincipal\\\"\\n | where isnotempty(TargetResources)\\n | extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n | extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n | extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n | extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n | extend InitiatingIPAddress = tostring(InitiatedBy.user.ipAddress)\\n | extend InitiatedBy = tostring(iff(isnotempty(InitiatingUserPrincipalName),InitiatingUserPrincipalName, InitiatingAppName))\\n | extend ServicePrincipalName = tostring(TargetResources[0].displayName)\\n | extend ServicePrincipalId = tostring(TargetResources[0].id)\\n | mv-expand TargetResources[0].modifiedProperties\\n | extend TargetResources_0_modifiedProperties = columnifexists(\\\"TargetResources_0_modifiedProperties\\\", \u0027\u0027)\\n | where isnotempty(TargetResources_0_modifiedProperties)\\n | extend displayName = tostring(TargetResources_0_modifiedProperties.displayName), newValue = tostring(parse_json(tostring(TargetResources_0_modifiedProperties.newValue)))\\n | where displayName == \\\"Role.DisplayName\\\" and newValue contains \\\"admin\\\"\\n | extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[1])\\n | extend TargetRole = newValue\\n | project-reorder TimeGenerated, ServicePrincipalName, ServicePrincipalId, InitiatedBy, TargetRole, InitiatingIPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"InitiatingAppName\"},{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAppServicePrincipalId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatingAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatingAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"ServicePrincipalName\"},{\"identifier\":\"AadUserId\",\"columnName\":\"ServicePrincipalId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIPAddress\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Service Principal Assigned Privileged Role\",\"description\":\"Detects a privileged role being added to a Service Principal.\\n Ensure that any assignment to a Service Principal is valid and appropriate - Service Principals should not be assigned to very highly privileged roles such as Global Admin.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts\",\"lastUpdatedDateUTC\":\"2024-03-04T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3b443f22-9be9-4c35-ac70-a94757748439\",\"name\":\"3b443f22-9be9-4c35-ac70-a94757748439\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"High\",\"query\":\"let files1 = dynamic([\\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\lsa.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\pa.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\pc.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\Rar.exe\\\"]);\\nlet files2 = dynamic([\\\"svchost.exe\\\",\\\"wdmsvc.exe\\\"]);\\nlet FileHash1 = dynamic([\\\"43109fbe8b752f7a9076eaafa417d9ae5c6e827cd5374b866672263fdebd5ec3\\\", \\\"ab50d8d707b97712178a92bbac74ccc2a5699eb41c17aa77f713ff3e568dcedb\\\", \\\"010e32be0f86545e116a8bc3381a8428933eb8789f32c261c81fd5e7857d4a77\\\", \\\"56cd102b9fc7f3523dad01d632525ff673259dbc9a091be0feff333c931574f7\\\"]);\\nlet FileHash2 = dynamic([\\\"2a1044e9e6e87a032f80c6d9ea6ae61bbbb053c0a21b186ecb3b812b49eb03b7\\\", \\\"9ab7e99ed84f94a7b6409b87e56dc6e1143b05034a5e4455e8c555dbbcd0d2dd\\\", \\\"18a072ccfab239e140d8f682e2874e8ff19d94311fc8bb9564043d3e0deda54b\\\"]);\\nDeviceProcessEvents\\n| where ( FolderPath has_any (files1) and SHA256 has_any (FileHash1)) or (FolderPath has_any (files2) and SHA256 has_any (FileHash2))\\n| extend DvcId = DeviceId\\n| join kind=leftouter (SecurityAlert\\n| where ProviderName =~ \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| mv-expand todynamic(Entities)\\n| extend DvcId = tostring(parse_json(Entities).MdatpDeviceId)\\n| where isnotempty(DvcId)\\n// Higher risk score are for Defender alerts related to threat actor\\n| extend AlertRiskScore = iif(ThreatName has_any (\\\"Backdoor:MSIL/ShellClient.A\\\", \\\"Backdoor:MSIL/ShellClient.A!dll\\\", \\\"Trojan:MSIL/Mimikatz.BA!MTB\\\"), 1.0, 0.5)\\n| project DvcId, AlertRiskScore) on DvcId\\n| extend AlertRiskScore = iif(isempty(AlertRiskScore), 0.0, AlertRiskScore)\\n| extend InitiatingProcessAccount = strcat(InitiatingProcessAccountDomain, \\\"\\\\\\\\\\\", InitiatingProcessAccountName)\\n| extend HostName = tostring(split(DeviceName, \\\".\\\")[0]), DomainIndex = toint(indexof(DeviceName, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(DeviceName, DomainIndex + 1), DeviceName)\\n| extend timestamp = TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DeviceName\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingProcessAccount\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatingProcessAccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"InitiatingProcessAccountDomain\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"FileName\"}]}],\"tactics\":[\"CredentialAccess\",\"Execution\"],\"displayName\":\"Dev-0228 File Path Hashes November 2021\",\"description\":\"This hunting query looks for file paths/hashes related to observed activity by Dev-0228. The actor is known to use custom version of popular tool like PsExec, Procdump etc. to carry its activity.\\n The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first.\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2021-11-18T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftDefenderAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert (MDATP)\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/50574fac-f8d1-4395-81c7-78a463ff0c52\",\"name\":\"50574fac-f8d1-4395-81c7-78a463ff0c52\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Low\",\"query\":\"let aadFunc = (tableName:string){\\ntable(tableName)\\n| where AppId =~ \\\"1b730954-1685-4b74-9bfd-dac224a7b894\\\" // AppDisplayName IS Azure Active Directory PowerShell\\n| where TokenIssuerType =~ \\\"AzureAD\\\"\\n| where ResourceIdentity !in (\\\"00000002-0000-0000-c000-000000000000\\\", \\\"00000003-0000-0000-c000-000000000000\\\") // ResourceDisplayName IS NOT Windows Azure Active Directory OR Microsoft Graph\\n| extend Status = todynamic(Status)\\n| where Status.errorCode == 0 // Success\\n| project-reorder IPAddress, UserAgent, ResourceDisplayName, UserDisplayName, UserId, UserPrincipalName, Type\\n| order by TimeGenerated desc\\n| extend Name = tostring(split(UserPrincipalName,\u0027@\u0027,0)[0]), UPNSuffix = tostring(split(UserPrincipalName,\u0027@\u0027,1)[0])\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"UserId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Microsoft Entra ID PowerShell accessing non-Entra ID resources\",\"description\":\"This will alert when a user or application signs in using Microsoft Entra ID PowerShell to access non-Active Directory resources, such as the Azure Key Vault, which may be undesired or unauthorized behavior.\\nFor capabilities and expected behavior of the Microsoft Entra ID PowerShell module, see: https://docs.microsoft.com/powershell/module/azuread/?view=azureadps-2.0.\\nFor further information on Microsoft Entra ID Signin activity reports, see: https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins.\",\"lastUpdatedDateUTC\":\"2024-04-05T00:00:00Z\",\"createdDateUTC\":\"2020-12-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9c1e9381-79dd-4ddf-9570-b73a1dc59fe0\",\"name\":\"9c1e9381-79dd-4ddf-9570-b73a1dc59fe0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let LookBack = 1h;\\nlet Data = (\\nSigninLogs\\n| where TimeGenerated \u003e= ago(LookBack)\\n| where parse_json(NetworkLocationDetails)[0].networkType != \\\"trustedNamedLocation\\\" // Excludes known tagged networks\\n// Counts the number of sign in events in the last hour every 15 minutes by IP\\n| make-series EventCounts = count() on TimeGenerated from ago(LookBack) to now() step 15m by IPAddress \\n);\\nlet AnomalyAlert = (\\nData\\n| extend (Anomalies, Score, Baseline) = series_decompose_anomalies(EventCounts,1.5,-1,\u0027linefit\u0027)\\n| mv-expand EventCounts,TimeGenerated,Anomalies to typeof(double),Baseline to typeof(long),Score to typeof(double)\\n| where Anomalies \u003e 0\\n);\\nAnomalyAlert\\n| join kind = inner (SigninLogs\\n| where TimeGenerated between (ago(LookBack) .. now())\\n| where parse_json(NetworkLocationDetails)[0].networkType != \\\"trustedNamedLocation\\\"\\n| extend PasswordResult = tostring(parse_json(AuthenticationDetails).authenticationStepResultDetail)\\n| summarize UserCount = dcount(UserPrincipalName), UserList = make_set(UserPrincipalName), AppName = make_set(AppDisplayName), PasswordResult = make_list(PasswordResult) by IPAddress) on IPAddress\\n| where PasswordResult has \\\"Correct Password\\\"\\n| where UserCount \u003e 1 // looks for events targeting more than one user.\",\"customDetails\":{\"Score\":\"Score\",\"Baseline\":\"Baseline\",\"UserCount\":\"UserCount\",\"AppName\":\"AppName\",\"PasswordResult\":\"PasswordResult\",\"UserList\":\"UserList\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Anomaly Sign In Event from an IP\",\"description\":\"Identifies sign-in anomalies from an IP in the last hour, targeting multiple users where the password is correct after multiple attempts\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2023-05-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1572e66b-20a7-4012-9ec4-77ec4b101bc8\",\"name\":\"1572e66b-20a7-4012-9ec4-77ec4b101bc8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.7\",\"severity\":\"Medium\",\"query\":\"let starttime = 1d;\\nlet endtime = 1h;\\nlet prev23hThreshold = 4;\\nlet prev1hThreshold = 15;\\nlet Kerbevent = (union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e= ago(starttime)\\n| where EventID == 4769\\n| parse EventData with * \u0027TicketEncryptionType\\\"\u003e\u0027 TicketEncryptionType \\\"\u003c\\\" *\\n| where TicketEncryptionType == \u00270x17\u0027\\n| parse EventData with * \u0027TicketOptions\\\"\u003e\u0027 TicketOptions \\\"\u003c\\\" *\\n| where TicketOptions == \u00270x40810000\u0027\\n| parse EventData with * \u0027Status\\\"\u003e\u0027 Status \\\"\u003c\\\" *\\n| where Status == \u00270x0\u0027\\n| parse EventData with * \u0027ServiceName\\\"\u003e\u0027 ServiceName \\\"\u003c\\\" *\\n| where ServiceName !contains \\\"$\\\" and ServiceName !contains \\\"krbtgt\\\"\\n| parse EventData with * \u0027TargetUserName\\\"\u003e\u0027 TargetUserName \\\"\u003c\\\" *\\n| where TargetUserName !contains \\\"$@\\\" and TargetUserName !contains ServiceName\\n| parse EventData with * \u0027IpAddress\\\"\u003e::ffff:\u0027 ClientIPAddress \\\"\u003c\\\" *\\n),\\n(\\nWindowsEvent\\n| where TimeGenerated \u003e= ago(starttime)\\n| where EventID == 4769 and EventData has \u00270x17\u0027 and EventData has \u00270x40810000\u0027 and EventData has \u0027krbtgt\u0027\\n| extend TicketEncryptionType = tostring(EventData.TicketEncryptionType)\\n| where TicketEncryptionType == \u00270x17\u0027\\n| extend TicketOptions = tostring(EventData.TicketOptions)\\n| where TicketOptions == \u00270x40810000\u0027\\n| extend Status = tostring(EventData.Status)\\n| where Status == \u00270x0\u0027\\n| extend ServiceName = tostring(EventData.ServiceName)\\n| where ServiceName !contains \\\"$\\\" and ServiceName !contains \\\"krbtgt\\\"\\n| extend TargetUserName = tostring(EventData.TargetUserName)\\n| where TargetUserName !contains \\\"$@\\\" and TargetUserName !contains ServiceName\\n| extend ClientIPAddress = tostring(EventData.IpAddress)\\n));\\nlet Kerbevent23h = Kerbevent\\n| where TimeGenerated \u003e= ago(starttime) and TimeGenerated \u003c ago(endtime)\\n| summarize ServiceNameCountPrev23h = dcount(ServiceName), ServiceNameSet23h = makeset(ServiceName)\\nby Computer, TargetUserName,TargetDomainName, ClientIPAddress, TicketOptions, TicketEncryptionType, Status\\n| where ServiceNameCountPrev23h \u003c prev23hThreshold;\\nlet Kerbevent1h =\\nKerbevent\\n| where TimeGenerated \u003e= ago(endtime)\\n| summarize min(TimeGenerated), max(TimeGenerated), ServiceNameCountPrev1h = dcount(ServiceName), ServiceNameSet1h = makeset(ServiceName)\\nby Computer, TargetUserName, TargetDomainName, ClientIPAddress, TicketOptions, TicketEncryptionType, Status;\\nKerbevent1h\\n| join kind=leftanti\\n(\\nKerbevent23h\\n) on TargetUserName, TargetDomainName\\n// Threshold value set above is based on testing, this value may need to be changed for your environment.\\n| where ServiceNameCountPrev1h \u003e prev1hThreshold\\n| project StartTime = min_TimeGenerated, EndTime = max_TimeGenerated, TargetUserName, Computer, ClientIPAddress, TicketOptions,\\nTicketEncryptionType, Status, ServiceNameCountPrev1h, ServiceNameSet1h, TargetDomainName\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| extend TargetAccount = strcat(TargetDomainName, \\\"\\\\\\\\\\\", TargetUserName)\\n| project-away DomainIndex\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetAccount\"},{\"identifier\":\"Name\",\"columnName\":\"TargetUserName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"TargetDomainName\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIPAddress\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Potential Kerberoasting\",\"description\":\"A service principal name (SPN) is used to uniquely identify a service instance in a Windows environment.\\nEach SPN is usually associated with a service account. Organizations may have used service accounts with weak passwords in their environment.\\nAn attacker can try requesting Kerberos ticket-granting service (TGS) service tickets for any SPN from a domain controller (DC) which contains a hash of the Service account. This can then be used for offline cracking.\\nThis hunting query looks for accounts that are generating excessive requests to different resources within the last hour compared with the previous 24 hours. Normal users would not make an unusually large number of request within a small time window. This is based on 4769 events which can be very noisy so environment based tweaking might be needed.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2019-04-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ac891683-53c3-4f86-86b4-c361708e2b2b\",\"name\":\"ac891683-53c3-4f86-86b4-c361708e2b2b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"High\",\"query\":\"// Allowlisted UPNs should likely stay empty\\nlet AllowlistedUpns = datatable(UPN:string)[\u0027foo@bar.com\u0027, \u0027test@foo.com\u0027];\\n// Operation Name parts that will alert\\nlet HasAnyBlocklist = datatable(OperationNamePart:string)[\u0027Security.\u0027,\u0027Project.\u0027,\u0027AuditLog.\u0027,\u0027Extension.\u0027];\\n// Distinct Operation Names that will flag\\nlet HasExactBlocklist = datatable(OperationName:string)[\u0027Group.UpdateGroupMembership.Add\u0027,\u0027Library.ServiceConnectionExecuted\u0027,\u0027Pipelines.PipelineModified\u0027,\\n\u0027Release.ReleasePipelineModified\u0027, \u0027Git.RefUpdatePoliciesBypassed\u0027];\\nAzureDevOpsAuditing\\n| where AuthenticationMechanism startswith \\\"PAT\\\" and (OperationName has_any (HasAnyBlocklist) or OperationName in (HasExactBlocklist))\\n and ActorUPN !in (AllowlistedUpns)\\n| project TimeGenerated, AuthenticationMechanism, ProjectName, ActorUPN, ActorDisplayName, IpAddress, UserAgent, OperationName, Details, Data\\n| extend timestamp = TimeGenerated\\n| extend AccountName = tostring(split(ActorUPN, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(ActorUPN, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ActorUPN\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]}],\"tactics\":[\"Execution\",\"Impact\"],\"displayName\":\"Azure DevOps Personal Access Token (PAT) misuse\",\"description\":\"This Alert detects whenever a PAT is used in ways that PATs are not normally used. May require an allow list and baselining.\\nReference - https://docs.microsoft.com/azure/devops/organizations/accounts/use-personal-access-tokens-to-authenticate?view=azure-devops\u0026tabs=preview-page\\nUse this query for baselining:\\nAzureDevOpsAuditing\\n| distinct OperationName\",\"lastUpdatedDateUTC\":\"2024-03-13T00:00:00Z\",\"createdDateUTC\":\"2020-06-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/02ef8d7e-fc3a-4d86-a457-650fa571d8d2\",\"name\":\"02ef8d7e-fc3a-4d86-a457-650fa571d8d2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.1.11\",\"severity\":\"Medium\",\"query\":\"let riskScoreCutoff = 3; //Adjust this score threshold based on volume of results. Activities identified as the most abnormal receive the highest scores (on a scale of 0-10)\\nlet logonDiff = 10m; \\nlet aadFunc = (tableName:string)\\n{ \\ntable(tableName)\\n| where ResultType == \\\"0\\\"\\n| where AppDisplayName !in (\\\"Office 365 Exchange Online\\\", \\\"Skype for Business Online\\\") // To remove false-positives, add more Apps to this array\\n// ---------- Fix for SuccessBlock to also consider IPv6\\n| extend SuccessIPv6Block = strcat(split(IPAddress, \\\":\\\")[0], \\\":\\\", split(IPAddress, \\\":\\\")[1], \\\":\\\", split(IPAddress, \\\":\\\")[2], \\\":\\\", split(IPAddress, \\\":\\\")[3])\\n| extend SuccessIPv4Block = strcat(split(IPAddress, \\\".\\\")[0], \\\".\\\", split(IPAddress, \\\".\\\")[1])\\n// ------------------\\n| project SuccessLogonTime = TimeGenerated, UserPrincipalName, SuccessIPAddress = IPAddress, SuccessLocation = Location, AppDisplayName, SuccessIPBlock = iff(IPAddress contains \\\":\\\", strcat(split(IPAddress, \\\":\\\")[0], \\\":\\\", split(IPAddress, \\\":\\\")[1]), strcat(split(IPAddress, \\\".\\\")[0], \\\".\\\", split(IPAddress, \\\".\\\")[1])), Type\\n| join kind= inner (\\n table(tableName)\\n | where ResultType !in (\\\"0\\\", \\\"50140\\\")\\n | where ResultDescription !~ \\\"Other\\\"\\n | where AppDisplayName !in (\\\"Office 365 Exchange Online\\\", \\\"Skype for Business Online\\\")\\n | project FailedLogonTime = TimeGenerated, UserPrincipalName, FailedIPAddress = IPAddress, FailedLocation = Location, AppDisplayName, ResultType, ResultDescription, Type \\n) on UserPrincipalName, AppDisplayName\\n| where SuccessLogonTime \u003c FailedLogonTime and FailedLogonTime - SuccessLogonTime \u003c= logonDiff and FailedIPAddress !startswith SuccessIPBlock\\n| summarize FailedLogonTime = max(FailedLogonTime), SuccessLogonTime = max(SuccessLogonTime) by UserPrincipalName, SuccessIPAddress, SuccessLocation, AppDisplayName, FailedIPAddress, FailedLocation, ResultType, ResultDescription, Type\\n| extend timestamp = SuccessLogonTime\\n| extend UserPrincipalName = tolower(UserPrincipalName)};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\\n| extend Name = tostring(split(UserPrincipalName,\u0027@\u0027,0)[0]), UPNSuffix = tostring(split(UserPrincipalName,\u0027@\u0027,1)[0])\\n// UEBA context below - make sure you have these 2 datatypes, otherwise the query will not work. If so, comment all that is below.\\n| join kind=leftouter (\\n IdentityInfo\\n | summarize LatestReportTime = arg_max(TimeGenerated, *) by AccountUPN\\n | project AccountUPN, Tags, JobTitle, GroupMembership, AssignedRoles, UserType, IsAccountEnabled\\n | summarize\\n Tags = make_set(Tags, 1000),\\n GroupMembership = make_set(GroupMembership, 1000),\\n AssignedRoles = make_set(AssignedRoles, 1000),\\n UserType = make_set(UserType, 1000),\\n UserAccountControl = make_set(UserType, 1000)\\n by AccountUPN\\n | extend UserPrincipalName=tolower(AccountUPN)\\n) on UserPrincipalName\\n//Below it will be joined with BehaviorAnalytics table to the Failed IP Addresses\\n| join kind=leftouter (\\n BehaviorAnalytics\\n | where ActivityType in (\\\"FailedLogOn\\\", \\\"LogOn\\\")\\n | where isnotempty(SourceIPAddress)\\n | project UsersInsights, DevicesInsights, ActivityInsights, InvestigationPriority, SourceIPAddress, UserName\\n | project-rename FailedIPAddress = SourceIPAddress, Name = UserName\\n | summarize\\n MaxInvestigationScore = max(InvestigationPriority) // Only retrieve maximum Investigation Property score for both FailedIP and User\\n by FailedIPAddress, Name)\\non FailedIPAddress, Name // Joining on both IP and User so as to only return context associated with same user\\n| extend UEBARiskScore = MaxInvestigationScore\\n| project-away *1 // removing duplicate columns post outer join from output\\n| where UEBARiskScore \u003e riskScoreCutoff\\n| sort by UEBARiskScore desc\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SuccessIPAddress\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"FailedIPAddress\"}]}],\"tactics\":[\"CredentialAccess\",\"InitialAccess\"],\"displayName\":\"Successful logon from IP and failure from a different IP\",\"description\":\"Identifies when a user account successfully logs onto an Azure App from one IP and within 10 mins failed to logon to the same App via a different IP (may indicate a malicious attempt at password guessing with known account). \\nUEBA added for context to gather all asoociated information assocaited with IP addressed initiating Faile Logon and affected user. \\nPlease note, Failed logons from known IP ranges can be benign depending on the conditional access policies. In case of noisy behavior, consider tuning the source IP ranges after careful consideration\",\"lastUpdatedDateUTC\":\"2024-08-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"BehaviorAnalytics\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"IdentityInfo\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fa118b98-de46-4e94-87f9-8e6d5060b60b\",\"name\":\"fa118b98-de46-4e94-87f9-8e6d5060b60b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MLBehaviorAnalytics\",\"properties\":{\"severity\":\"Medium\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Anomalous SSH Login Detection\",\"description\":\"This detection uses machine learning (ML) to identify anomalous Secure Shell (SSH) login activity, based on syslog data. Scenarios include:\\n\\n*\\tUnusual IP - This IP address has not or has rarely been seen in last 30 days.\\n*\\tUnusual Geo - The IP address, city, country and ASN have not (or rarely) been seen in last 30 days.\\n*\\tNew user - A new user logs in from an IP address and geo location, both or either of which are not expected to be seen in the last 30 days.\\n\\nAllow 7 days after this alert is enabled for Microsoft Sentinel to build a profile of normal activity for your environment.\\n\\nThis detection requires a specific configuration of the data source. [Learn more](https://docs.microsoft.com/en-us/azure/sentinel/connect-syslog#configure-the-syslog-connector-for-anomalous-ssh-login-detection)\\n\\nBy enabling this rule, you give Microsoft permission to copy ingested data outside of your Microsoft Sentinel workspace\u0027s geography as necessary for processing by the machine learning engine.\",\"lastUpdatedDateUTC\":\"2021-03-26T00:00:00Z\",\"createdDateUTC\":\"2019-08-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/188db479-d50a-4a9c-a041-644bae347d1f\",\"name\":\"188db479-d50a-4a9c-a041-644bae347d1f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"SecurityAlert \\n// Filtering alerts based on Microsoft product names and Relevent alert names\\n | where ProductName in ( \\\"Microsoft Cloud App Security\\\",\\\"Azure Active Directory Identity Protection\\\")\\n |where AlertName in (\\\"Multiple failed user log on attempts to an app\\\",\\\"Password Spray\\\")\\n// Parsing and extending the \u0027Entities\u0027 column as JSON objects\\n | extend Entities = parse_json(Entities) \\n// Exploring IP entities within the alert entities\\n | mv-apply Entity = Entities on \\n ( \\n where Entity.Type == \u0027ip\u0027 \\n | extend EntityIp = tostring(Entity.Address) \\n ) \\n// Exploring account entities within the alert entities\\n | mv-apply Entity = Entities on \\n ( \\n where Entity.Type == \u0027account\u0027 \\n | extend AccountObjectId = tostring(Entity.AadUserId)\\n )\\n// Filtering out alerts with missing IP or account information\\n | where isnotempty(EntityIp) and isnotempty(AccountObjectId)\\n// Summarizing relevant fields for further analysis\\n | summarize \\n by \\n AlertName,\\n ProductName,\\n ProviderName,\\n AlertSeverity,\\n EntityIp,\\n Tactics,\\n Techniques,\\n AlertTime= bin(TimeGenerated, 1min),\\n AccountObjectId,\\n AlertTimeGenerated=TimeGenerated\\n// Joining with IdentityInfo to obtain additional account details\\n | join kind=inner (\\n IdentityInfo\\n | where TimeGenerated \u003e= ago(1d)\\n | distinct AccountObjectId, AccountUPN=tolower(AccountUPN)\\n )\\n on AccountObjectId \\n |extend Name = tostring(split(AccountUPN,\u0027@\u0027)[0]), UPNSuffix =tostring(split(AccountUPN,\u0027@\u0027)[1])\\n// Joining with AWSCloudTrail data to correlate AWS console logins\\n | join kind=inner (\\n AWSCloudTrail\\n | where EventName == \\\"ConsoleLogin\\\"\\n | extend CTUPN= tolower(tostring(tolower(split(UserIdentityArn, \\\"/\\\", 2)[0])))\\n | extend ActionType= tostring(parse_json(ResponseElements).ConsoleLogin) \\n | where ActionType == \\\"Success\\\"\\n | extend AWSTime= bin(TimeGenerated, 1min)\\n | project\\n EventName,\\n EventSource,\\n EventTypeName,\\n RecipientAccountId,\\n ResponseElements,\\n SessionMfaAuthenticated,\\n SourceIpAddress,\\n TimeGenerated,\\n UserAgent,\\n UserIdentityArn,\\n UserIdentityType,\\n CTUPN,\\n AWSTime,\\n UserIdentityUserName\\n )\\n on $left.EntityIp == $right.SourceIpAddress \\n// Filtering login event after the Alert generation time\\n | where AlertTimeGenerated between ((AWSTime - 1h)..(AWSTime + 1h))\\n// Calculating the time difference between alert generation and AWS login\\n | extend timediff = datetime_diff(\u0027minute\u0027, AlertTimeGenerated, TimeGenerated) \\n// Filtering alerts with a time difference of up to 60 minutes\\n | where timediff \u003c= 60\",\"customDetails\":{\"AWSUser\":\"UserIdentityArn\",\"UserAgent\":\"UserAgent\",\"AWSUserUPN\":\"CTUPN\"},\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIpAddress\"}]}],\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"Successful AWS Console Login from IP Address Observed Conducting Password Spray\",\"description\":\"This query aims to detect instances of successful AWS console login events followed by multiple failed app logons alerts generated by Microsoft Cloud App Security or password spray alerts generated by Defender Products.\\n Specifically, it focuses on scenarios where the successful login takes place within a 60-minute timeframe of the high-severity alert. \\n The login is considered relevant if it originates from an IP address associated with potential attackers.\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2023-08-18T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"MicrosoftDefenderAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"AzureActiveDirectoryIdentityProtection\",\"dataTypes\":[\"SecurityAlert (IPC)\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"IdentityInfo\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b51fe620-62ad-4ed2-9d40-5c97c0a8231f\",\"name\":\"b51fe620-62ad-4ed2-9d40-5c97c0a8231f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"SecurityAlert \\n// Filtering alerts based on Microsoft product names\\n | where ProductName in (\\\"Microsoft 365 Defender\\\", \\\"Azure Active Directory\\\", \\\"Microsoft Defender Advanced Threat Protection\\\", \\\"Microsoft Cloud App Security\\\",\\\"Azure Active Directory Identity Protection\\\", \\\"Microsoft Defender ATP\\\")\\n// Narrowing down alerts to specific tactics\\n | where Tactics in(\\\"CredentialAccess\\\", \\\"InitialAccess\\\")\\n// Focusing on high-severity alerts\\n | where AlertSeverity == \\\"High\\\"\\n// Parsing and extending the \u0027Entities\u0027 column as JSON objects\\n | extend Entities = parse_json(Entities) \\n// Exploring IP entities within the alert entities\\n | mv-apply Entity = Entities on \\n ( \\n where Entity.Type == \u0027ip\u0027 \\n | extend EntityIp = tostring(Entity.Address) \\n ) \\n// Exploring account entities within the alert entities\\n | mv-apply Entity = Entities on \\n ( \\n where Entity.Type == \u0027account\u0027 \\n | extend AccountObjectId = tostring(Entity.AadUserId)\\n )\\n// Filtering out alerts with missing IP or account information\\n | where isnotempty(EntityIp) and isnotempty(AccountObjectId)\\n// Summarizing relevant fields for further analysis\\n | summarize \\n by \\n AlertName,\\n ProductName,\\n ProviderName,\\n AlertSeverity,\\n EntityIp,\\n Tactics,\\n Techniques,\\n AlertTime= bin(TimeGenerated, 1min),\\n AccountObjectId,\\n AlertTimeGenerated=TimeGenerated\\n// Joining with IdentityInfo to obtain additional account details\\n | join kind=inner (\\n IdentityInfo\\n | where TimeGenerated \u003e= ago(1d)\\n | distinct AccountObjectId, AccountUPN=tolower(AccountUPN)\\n )\\n on AccountObjectId \\n |extend Name = tostring(split(AccountUPN,\u0027@\u0027)[0]), UPNSuffix =tostring(split(AccountUPN,\u0027@\u0027)[1])\\n// Joining with AWSCloudTrail data to correlate AWS console logins\\n | join kind=inner (\\n AWSCloudTrail\\n | where EventName == \\\"ConsoleLogin\\\"\\n | extend CTUPN= tolower(tostring(tolower(split(UserIdentityArn, \\\"/\\\", 2)[0])))\\n | extend ActionType= tostring(parse_json(ResponseElements).ConsoleLogin) \\n | where ActionType == \\\"Success\\\"\\n | extend AWSTime= bin(TimeGenerated, 1min)\\n | project\\n EventName,\\n EventSource,\\n EventTypeName,\\n RecipientAccountId,\\n ResponseElements,\\n SessionMfaAuthenticated,\\n SourceIpAddress,\\n TimeGenerated,\\n UserAgent,\\n UserIdentityArn,\\n UserIdentityType,\\n CTUPN,\\n AWSTime,\\n UserIdentityUserName\\n )\\n on $left.EntityIp == $right.SourceIpAddress \\n// Filtering login event after the Alert generation time\\n | where AlertTimeGenerated \u003e= AWSTime\\n// Calculating the time difference between alert generation and AWS login\\n | extend timediff = datetime_diff(\u0027minute\u0027, AlertTimeGenerated, TimeGenerated) \\n// Filtering alerts with a time difference of up to 60 minutes\\n | where timediff between ((-60)..(60))\",\"customDetails\":{\"AWSUSerUPN\":\"CTUPN\",\"AzureUserUPN\":\"AccountUPN\",\"ComonIp\":\"SourceIpAddress\",\"UserAgent\":\"UserAgent\"},\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIpAddress\"}]}],\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"Suspicious AWS console logins by credential access alerts\",\"description\":\"This query aims to detect instances of successful AWS console logins that align with high-severity credential access or Initial Access alerts generated by Defender Products.\\n Specifically, it focuses on scenarios where the successful login takes place within a 60-minute timeframe of the high-severity alert. The login is considered relevant if it originates from an IP address associated with potential attackers.\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2023-08-18T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"OfficeATP\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"MicrosoftDefenderAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"AzureActiveDirectoryIdentityProtection\",\"dataTypes\":[\"SecurityAlert (IPC)\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"IdentityInfo\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cf3ede88-a429-493b-9108-3e46d3c741f7\",\"name\":\"cf3ede88-a429-493b-9108-3e46d3c741f7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.7\",\"severity\":\"Low\",\"query\":\"let timeRange = 2h;\\nlet authenticationWindow = 1h;\\nlet authenticationThreshold = 5;\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeRange)\\n| where EventID in (4624, 4625)\\n| where IpAddress != \\\"-\\\" and isnotempty(Account)\\n| extend Outcome = iff(EventID == 4624, \\\"Success\\\", \\\"Failure\\\")\\n// bin outcomes into 10 minute windows to reduce the volume of data\\n| summarize OutcomeCount=count() by bin(TimeGenerated, 10m), Account, IpAddress, Computer, Outcome\\n| project TimeGenerated, Account, IpAddress, Computer, Outcome, OutcomeCount\\n// sort ready for sessionizing - by account and time of the authentication outcome\\n| sort by TimeGenerated asc, Account, IpAddress, Computer, Outcome, OutcomeCount\\n| serialize\\n// sessionize into failure groupings until either the account changes or there is a success\\n| extend SessionStartedUtc = row_window_session(TimeGenerated, timeRange, authenticationWindow, Account != prev(Account) or prev(Outcome) == \\\"Success\\\")\\n// count the failures in each session\\n| summarize FailureCountBeforeSuccess=sumif(OutcomeCount, Outcome == \\\"Failure\\\"), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), make_list(Outcome, 128), make_set(Computer, 128), make_set(IpAddress, 128) by SessionStartedUtc, Account\\n// the session must not start with a success, and must end with one\\n| where array_index_of(list_Outcome, \\\"Success\\\") != 0\\n| where array_index_of(list_Outcome, \\\"Success\\\") == array_length(list_Outcome) - 1\\n| project-away SessionStartedUtc, list_Outcome\\n// where the number of failures before the success is above the threshold\\n| where FailureCountBeforeSuccess \u003e= authenticationThreshold\\n// expand out ip and computer for customer entity assignment\\n| mv-expand set_IpAddress, set_Computer\\n| extend IpAddress = tostring(set_IpAddress), Computer = tostring(set_Computer)\\n| extend timestamp=StartTime, NTDomain = split(Account, \u0027\\\\\\\\\u0027, 0)[0], Name = split(Account, \u0027\\\\\\\\\u0027, 1)[0], HostName = tostring(split(Computer, \u0027.\u0027, 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Computer, \u0027.\u0027), 1, -1), \u0027.\u0027))\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"NTDomain\",\"columnName\":\"NTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"SecurityEvent - Multiple authentication failures followed by a success\",\"description\":\"Identifies accounts who have failed to logon to the domain multiple times in a row, followed by a successful authentication within a short time frame. Multiple failed attempts followed by a success can be an indication of a brute force attempt or possible mis-configuration of a service account within an environment.\\nThe lookback is set to 2h and the authentication window and threshold are set to 1h and 5, meaning we need to see a minimum of 5 failures followed by a success for an account within 1 hour to surface an alert.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2020-04-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bf0cde21-0c41-48f6-a40c-6b5bd71fa106\",\"name\":\"bf0cde21-0c41-48f6-a40c-6b5bd71fa106\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.6\",\"severity\":\"Medium\",\"query\":\"// https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html \\nAWSGuardDuty \\n// Parse the finding\\n// https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-format.html \\n// Example: \\\"ThreatPurpose:ResourceTypeAffected/ThreatFamilyName.DetectionMechanism!Artifact\\\"\\n| extend findingTokens = split(ActivityType, \\\":\\\")\\n| extend ThreatPurpose=findingTokens[0], findingTokens=split(findingTokens[1], \\\"/\\\")\\n| extend ResourceTypeAffected=findingTokens[0], findingTokens= split(findingTokens[1], \\\".\\\")\\n| extend ThreatFamilyName=findingTokens[0], findingTokens=split(findingTokens[1], \\\"!\\\")\\n| extend DetectionMechanism=findingTokens[0], Artifact=findingTokens[1]\\n// Assign severity level\\n// https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html#guardduty_findings-severity\\n| extend Severity = \\n case (\\n Severity \u003e= 7.0, \\\"High\\\",\\n Severity between (4.0 .. 6.9), \\\"Medium\\\",\\n Severity between (1.0 .. 3.9), \\\"Low\\\",\\n \\\"Unknown\\\"\\n )\\n// Pull out any available resource details we can extract entities from. These may not exist in the alert.\\n// https://docs.aws.amazon.com/guardduty/latest/APIReference/API_Resource.html \\n// https://docs.aws.amazon.com/guardduty/latest/APIReference/API_AccessKeyDetails.html \\n// https://docs.aws.amazon.com/guardduty/latest/APIReference/API_RdsDbUserDetails.html \\n// https://docs.aws.amazon.com/guardduty/latest/APIReference/API_KubernetesDetails.html \\n| extend AccessKeyDetails=ResourceDetails.accessKeyDetails\\n| extend RdsDbUserDetails=ResourceDetails.rdsDbUserDetails\\n| extend KubernetesDetails=ResourceDetails.kubernetesDetails\\n// Pull out any available action details we can extract entities from. These may not exist in the alert.\\n// https://docs.aws.amazon.com/guardduty/latest/APIReference/API_Action.html \\n// https://docs.aws.amazon.com/guardduty/latest/APIReference/API_AwsApiCallAction.html \\n// https://docs.aws.amazon.com/guardduty/latest/APIReference/API_KubernetesApiCallAction.html \\n// https://docs.aws.amazon.com/guardduty/latest/APIReference/API_NetworkConnectionAction.html \\n// https://docs.aws.amazon.com/guardduty/latest/APIReference/API_RdsLoginAttemptAction.html \\n| extend ServiceAction = \\n case(\\n isnotempty(ServiceDetails.action.awsApiCallAction), ServiceDetails.action.awsApiCallAction,\\n isnotempty(ServiceDetails.action.kubernetesApiCallAction), ServiceDetails.action.kubernetesApiCallAction,\\n isnotempty(ServiceDetails.action.networkConnectionAction), ServiceDetails.action.networkConnectionAction,\\n isnotempty(ServiceDetails.action.rdsLoginAttemptAction), ServiceDetails.action.rdsLoginAttemptAction,\\n dynamic(null)\\n )\\n// The IPv4 remote address of the connection\\n// https://docs.aws.amazon.com/guardduty/latest/APIReference/API_RemoteIpDetails.html \\n// or\\n// The IP of the Kubernetes API caller and the IPs of any proxies or load balancers between the caller and the API endpoint \\n// https://docs.aws.amazon.com/guardduty/latest/APIReference/API_KubernetesApiCallAction.html \\n| extend RemoteIpAddress = \\n coalesce(\\n tostring(ServiceAction.remoteIpDetails.ipAddressV4),\\n tostring(parse_json(ServiceAction.sourceIPs)[0])\\n )\\n// The IPv4 local address of the connection\\n// https://docs.aws.amazon.com/guardduty/latest/APIReference/API_LocalIpDetails.html \\n| extend LocalIpAddress = ServiceAction.localIpDetails.ipAddressV4\\n// The AWS account ID of the remote API caller.\\n// https://docs.aws.amazon.com/guardduty/latest/APIReference/API_AwsApiCallAction.html \\n// https://docs.aws.amazon.com/guardduty/latest/APIReference/API_RemoteAccountDetails.html \\n| extend RemoteAWSAccountId = ServiceAction.remoteAccountDetails.accountId\\n// The IAM access key details (user information) of a user that engaged in the activity that prompted GuardDuty to generate a finding\\n// https://docs.aws.amazon.com/guardduty/latest/APIReference/API_AccessKeyDetails.html \\n| extend AccountUpn = \\n case(\\n AccessKeyDetails.userType == \\\"IAMUser\\\", AccessKeyDetails.userName,\\n AccessKeyDetails.userType == \\\"AssumedRole\\\", split(AccessKeyDetails.principalId, \\\":\\\", 1)[0],\\n isnotempty(RdsDbUserDetails.user), RdsDbUserDetails.user,\\n isnotempty(KubernetesDetails.kubernetesUserDetails.username), KubernetesDetails.kubernetesUserDetails.username,\\n \\\"\\\"\\n )\\n| extend AccountName = split(AccountUpn, \\\"@\\\", 0)[0]\\n| extend UPNSuffix = split(AccountUpn, \\\"@\\\", 1)[0]\\n// Clean up the output\\n| extend GuardDutyDetails =\\n bag_pack( \\n \\\"DetectorId\\\", ServiceDetails.detectorId,\\n \\\"Partition\\\", Partition,\\n \\\"Region\\\", Region\\n )\\n| extend FindingLink = \\n iff(\\n isnotempty(Region) and isnotempty(Id),\\n strcat(\\\"https://\\\", Region, \\\".console.aws.amazon.com/guardduty/home?region=\\\", Region, \\\"#/findings?fId=\\\", Id),\\n \\\"\\\"\\n )\\n| extend FindingLinkDescription = \\n iff(\\n isnotempty(FindingLink),\\n strcat(\\\"Link to GuardDuty finding (AWS): \\\", FindingLink),\\n \\\"\\\"\\n )\\n| project-rename \\n FindingArn=Arn,\\n FindingId=Id,\\n AWSAccountId=AccountId\\n| project-away \\n ActivityType, \\n findingTokens,\\n Partition,\\n Region, \\n SchemaVersion,\\n TimeGenerated,\\n Type\",\"customDetails\":{\"ThreatPurpose\":\"ThreatPurpose\",\"ResourceTypeAffected\":\"ResourceTypeAffected\",\"ThreatFamilyName\":\"ThreatFamilyName\",\"DetectionMechanism\":\"DetectionMechanism\",\"Artifact\":\"Artifact\"},\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"},{\"identifier\":\"ObjectGuid\",\"columnName\":\"RemoteAWSAccountId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"RemoteIpAddress\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"LocalIpAddress\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"FindingLink\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"{{Title}}\",\"alertDescriptionFormat\":\"{{Description}}\",\"alertTacticsColumnName\":\"ThreatPurpose\",\"alertSeverityColumnName\":\"Severity\"},\"displayName\":\"AWS Guard Duty Alert\",\"description\":\"Amazon GuardDuty is a threat detection service that continuously monitors your AWS accounts and workloads for malicious activity and delivers detailed security findings for visibility and remediation. This templates create an alert for each Amazon GuardDuty finding.\",\"lastUpdatedDateUTC\":\"2024-03-27T00:00:00Z\",\"createdDateUTC\":\"2021-11-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSGuardDuty\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/de58ee9e-b229-4252-8537-41a4c2f4045e\",\"name\":\"de58ee9e-b229-4252-8537-41a4c2f4045e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let file_ext_blocklist = dynamic([\u0027.ps1\u0027, \u0027.vbs\u0027, \u0027.bat\u0027, \u0027.scr\u0027]);\\nlet lbtime = 10m;\\nCisco_Umbrella\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027proxylogs\u0027\\n| where DvcAction =~ \u0027Allowed\u0027\\n| extend file_ext = extract(@\u0027.*(\\\\.\\\\w+)$\u0027, 1, UrlOriginal)\\n| extend Filename = extract(@\u0027.*\\\\/*\\\\/(.*\\\\.\\\\w+)$\u0027, 1, UrlOriginal)\\n| where file_ext in (file_ext_blocklist)\\n| project TimeGenerated, SrcIpAddr, Identities, Filename\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Identities\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Cisco Umbrella - Request to blocklisted file type\",\"description\":\"Detects request to potentially harmful file types (.ps1, .bat, .vbs, etc.).\",\"lastUpdatedDateUTC\":\"2023-12-29T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/88f453ff-7b9e-45bb-8c12-4058ca5e44ee\",\"name\":\"88f453ff-7b9e-45bb-8c12-4058ca5e44ee\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.3\",\"severity\":\"Medium\",\"query\":\"AzureActivity\\n| where CategoryValue =~ \u0027Administrative\u0027\\n| where ResourceProviderValue =~ \u0027Microsoft.ADHybridHealthService\u0027\\n| where _ResourceId has \u0027AdFederationService\u0027\\n| where OperationNameValue =~ \u0027Microsoft.ADHybridHealthService/services/servicemembers/action\u0027\\n| extend claimsJson = parse_json(Claims)\\n| extend AppId = tostring(claimsJson.appid), AccountName = tostring(claimsJson.name), Name = tostring(split(Caller,\u0027@\u0027,0)[0]), UPNSuffix = tostring(split(Caller,\u0027@\u0027,1)[0])\\n| project-away claimsJson\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Caller\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"CallerIpAddress\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Microsoft Entra ID Hybrid Health AD FS New Server\",\"description\":\"This detection uses AzureActivity logs (Administrative category) to identify the creation or update of a server instance in an Microsoft Entra ID Hybrid Health AD FS service.\\nA threat actor can create a new AD Health ADFS service and create a fake server instance to spoof AD FS signing logs. There is no need to compromise an on-premises AD FS server.\\nThis can be done programmatically via HTTP requests to Azure. More information in this blog: https://o365blog.com/post/hybridhealthagent/\",\"lastUpdatedDateUTC\":\"2024-03-04T00:00:00Z\",\"createdDateUTC\":\"2021-08-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/87890d78-3e05-43ec-9ab9-ba32f4e01250\",\"name\":\"87890d78-3e05-43ec-9ab9-ba32f4e01250\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.4.3\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet SecurityAlerts = SecurityAlert\\n| where TimeGenerated \u003e ago(dt_lookBack)\\n| extend domain = todynamic(dynamic_to_json(extract_all(@\\\"(((xn--)?[a-z0-9\\\\-]+\\\\.)+([a-z]+|(xn--[a-z0-9]+)))\\\", dynamic([1]), tolower(Entities))))\\n| where isnotempty(domain)\\n| mv-expand domain\\n| extend domain = tostring(domain)\\n| extend EntitiesDynamicArray = parse_json(Entities)\\n| mv-apply EntitiesDynamicArray on\\n (summarize\\n HostName = take_anyif(tostring(EntitiesDynamicArray.HostName), EntitiesDynamicArray.Type == \\\"host\\\"),\\n IP_addr = take_anyif(tostring(EntitiesDynamicArray.Address), EntitiesDynamicArray.Type == \\\"ip\\\")\\n )\\n| extend Alert_TimeGenerated = TimeGenerated\\n| extend Alert_Description = Description;\\nlet AlertDomains = SecurityAlerts\\n| distinct domain\\n| summarize make_list(domain);\\nlet Domain_Indicators = materialize(ThreatIntelligenceIndicator\\n| where isnotempty(DomainName)\\n| where TimeGenerated \u003e= ago(ioc_lookBack)\\n| extend TI_DomainEntity = tolower(DomainName)\\n| where TI_DomainEntity in (AlertDomains)\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true and ExpirationDateTime \u003e now()\\n| where Description !contains_cs \\\"State: inactive;\\\" and Description !contains_cs \\\"State: falsepos;\\\");\\nDomain_Indicators\\n// Using innerunique to keep performance fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (SecurityAlerts) on $left.TI_DomainEntity == $right.domain\\n| where Alert_TimeGenerated \u003c ExpirationDateTime\\n| summarize Alert_TimeGenerated = arg_max(Alert_TimeGenerated, *) by IndicatorId, AlertName\\n| project Alert_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DomainName, AlertName, Alert_Description, ProviderName, AlertSeverity, ConfidenceLevel, HostName, IP_addr, Url, Entities, Type, TI_DomainEntity\\n| extend timestamp = Alert_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IP_addr\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"TI map Domain entity to SecurityAlert\",\"description\":\"Identifies a match in SecurityAlert table from any Domain IOC from TI\",\"lastUpdatedDateUTC\":\"2024-07-09T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"MicrosoftCloudAppSecurity\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ca67c83e-7fff-4127-a3e3-1af66d6d4cad\",\"name\":\"ca67c83e-7fff-4127-a3e3-1af66d6d4cad\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.4\",\"severity\":\"Medium\",\"query\":\"let ProcessCreationEvents=(union isfuzzy=true\\n(SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName,\\nFileName = Process, CommandLine, ParentProcessName\\n),\\n(WindowsEvent\\n| where EventID==4688\\n| where EventData has \\\"TVqQAAMAAAAEAAA\\\"\\n| extend CommandLine = tostring(EventData.CommandLine)\\n| where isnotempty(CommandLine)\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName,\\nFileName = Process, CommandLine, ParentProcessName));\\nProcessCreationEvents\\n| where CommandLine contains \\\"TVqQAAMAAAAEAAA\\\"\\n| extend HostName = iif(Computer has \u0027.\u0027,substring(Computer,0,indexof(Computer,\u0027.\u0027)),Computer) , DnsDomain = iif(Computer has \u0027.\u0027,substring(Computer,indexof(Computer,\u0027.\u0027)+1),\u0027\u0027)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"Account\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]}],\"tactics\":[\"Execution\",\"DefenseEvasion\"],\"displayName\":\"Base64 encoded Windows process command-lines\",\"description\":\"Identifies instances of a base64-encoded PE file header seen in the process command line parameter.\",\"lastUpdatedDateUTC\":\"2024-03-13T00:00:00Z\",\"createdDateUTC\":\"2018-09-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4b11568b-3f5f-4ba1-80c8-7f1dc8390eb7\",\"name\":\"4b11568b-3f5f-4ba1-80c8-7f1dc8390eb7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.4\",\"severity\":\"Medium\",\"query\":\"// Define a threshold for significant deviations\\nlet threshold = 25;\\n// Define the name for the SharePoint File Operation record type\\nlet szSharePointFileOperation = \\\"SharePointFileOperation\\\";\\n// Define an array of SharePoint operations of interest\\nlet szOperations = dynamic([\\\"FileDownloaded\\\", \\\"FileUploaded\\\"]);\\n// Define the start and end time for the analysis period\\nlet starttime = 14d;\\nlet endtime = 1d;\\n// Define a baseline of normal user behavior\\nlet userBaseline = OfficeActivity\\n| where TimeGenerated between(ago(starttime)..ago(endtime))\\n| where RecordType =~ szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| where isnotempty(UserAgent)\\n| summarize Count = count() by UserId, Operation, Site_Url, ClientIP\\n| summarize AvgCount = avg(Count) by UserId, Operation, Site_Url, ClientIP;\\n// Get recent user activity\\nlet recentUserActivity = OfficeActivity\\n| where TimeGenerated \u003e ago(endtime)\\n| where RecordType =~ szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| where isnotempty(UserAgent)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), RecentCount = count() by UserId, UserType, Operation, Site_Url, ClientIP, OfficeObjectId, OfficeWorkload, UserAgent;\\n// Join the baseline and recent activity, and calculate the deviation\\nlet UserBehaviorAnalysis = userBaseline | join kind=inner (recentUserActivity) on UserId, Operation, Site_Url, ClientIP\\n| extend Deviation = abs(RecentCount - AvgCount) / AvgCount;\\n// Filter for significant deviations\\nUserBehaviorAnalysis\\n| where Deviation \u003e threshold\\n| project StartTimeUtc, EndTimeUtc, UserId, UserType, Operation, ClientIP, Site_Url, OfficeObjectId, OfficeWorkload, UserAgent, Deviation, Count=RecentCount\\n| order by Count desc, ClientIP asc, Operation asc, UserId asc\\n| extend AccountName = tostring(split(UserId, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(UserId, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserId\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Site_Url\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"SharePointFileOperation via previously unseen IPs\",\"description\":\"Identifies anomalies using user behavior by setting a threshold for significant changes in file upload/download activities from new IP addresses. It establishes a baseline of typical behavior, compares it to recent activity, and flags deviations exceeding a default threshold of 25.\",\"lastUpdatedDateUTC\":\"2024-03-14T00:00:00Z\",\"createdDateUTC\":\"2019-08-23T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/23de46ea-c425-4a77-b456-511ae4855d69\",\"name\":\"23de46ea-c425-4a77-b456-511ae4855d69\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.3\",\"severity\":\"Low\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\n// The number of operations above which an IP address is considered an unusual source of role assignment operations\\nlet alertOperationThreshold = 5;\\n// Add or remove operation names below as per your requirements. For operations lists, please refer to https://learn.microsoft.com/en-us/Azure/role-based-access-control/resource-provider-operations#all\\nlet SensitiveOperationList = dynamic([\\\"microsoft.compute/snapshots/write\\\", \\\"microsoft.network/networksecuritygroups/write\\\", \\\"microsoft.storage/storageaccounts/listkeys/action\\\"]);\\nlet SensitiveActivity = AzureActivity\\n| where OperationNameValue in~ (SensitiveOperationList) or OperationNameValue hassuffix \\\"listkeys/action\\\"\\n| where ActivityStatusValue =~ \\\"Success\\\";\\nSensitiveActivity\\n| where TimeGenerated between (ago(starttime) .. ago(endtime))\\n| summarize count() by CallerIpAddress, Caller, OperationNameValue, bin(TimeGenerated,1d)\\n| where count_ \u003e= alertOperationThreshold\\n// Returns all the records from the right side that don\u0027t have matches from the left\\n| join kind = rightanti (\\nSensitiveActivity\\n| where TimeGenerated \u003e= ago(endtime)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = make_list(TimeGenerated), ActivityStatusValue = make_list(ActivityStatusValue), CorrelationIds = make_list(CorrelationId), ResourceGroups = make_list(ResourceGroup), ResourceIds = make_list(_ResourceId), ActivityCountByCallerIPAddress = count()\\nby CallerIpAddress, Caller, OperationNameValue\\n| where ActivityCountByCallerIPAddress \u003e= alertOperationThreshold\\n) on CallerIpAddress, Caller, OperationNameValue\\n| extend Name = tostring(split(Caller,\u0027@\u0027,0)[0]), UPNSuffix = tostring(split(Caller,\u0027@\u0027,1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Caller\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"CallerIpAddress\"}]}],\"tactics\":[\"CredentialAccess\",\"Persistence\"],\"displayName\":\"Rare subscription-level operations in Azure\",\"description\":\"This query looks for a few sensitive subscription-level events based on Azure Activity Logs. For example, this monitors for the operation name \u0027Create or Update Snapshot\u0027, which is used for creating backups but could be misused by attackers to dump hashes or extract sensitive information from the disk.\",\"lastUpdatedDateUTC\":\"2024-01-08T00:00:00Z\",\"createdDateUTC\":\"2019-08-23T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1218175f-c534-421c-8070-5dcaabf28067\",\"name\":\"1218175f-c534-421c-8070-5dcaabf28067\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Low\",\"query\":\"let threshold = 3;\\nZoomLogs\\n| where Event =~ \\\"chat_message.sent\\\"\\n| extend Channel = tostring(parse_json(ChatEvents).Channel)\\n| extend Message = tostring(parse_json(ChatEvents).Message)\\n| where Message matches regex \\\"http(s?):\\\\\\\\/\\\\\\\\/\\\"\\n| summarize Channels = makeset(Channel), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Message, User, UserId\\n| extend ChannelCount = arraylength(Channels)\\n| where ChannelCount \u003e threshold\\n| extend AccountName = tostring(split(User, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(User, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"User\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]}],\"tactics\":[\"Reconnaissance\"],\"displayName\":\"Suspicious link sharing pattern\",\"description\":\"Alerts in links that have been shared across multiple Zoom chat channels by the same user in a short space if time.\\nAdjust the threshold figure to change the number of channels a message needs to be posted in before an alert is raised.\",\"lastUpdatedDateUTC\":\"2024-07-15T00:00:00Z\",\"createdDateUTC\":\"2020-04-24T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0ed0fe7c-af29-4990-af7f-bb5ccb231198\",\"name\":\"0ed0fe7c-af29-4990-af7f-bb5ccb231198\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"High\",\"query\":\"AuditLogs\\n | where Category =~ \\\"RoleManagement\\\"\\n | where OperationName =~ \\\"Update role setting in PIM\\\"\\n | extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n | extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n | extend InitiatingIPAddress = tostring(InitiatedBy.user.ipAddress)\\n | extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[1])\\n | project-reorder TimeGenerated, OperationName, ResultReason, InitiatingUserPrincipalName, InitiatingAadUserId, InitiatingIPAddress, InitiatingAccountName, InitiatingAccountUPNSuffix\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatingAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatingAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIPAddress\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Changes to PIM Settings\",\"description\":\"PIM provides a key mechanism for assigning privileges to accounts, this query detects changes to PIM role settings.\\n Monitor these changes to ensure they are being made legitimately and don\u0027t confer more privileges than expected or reduce the security of a PIM elevation.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d1aba9a3-5ab1-45ef-8ed4-da57dc3c0d32\",\"name\":\"d1aba9a3-5ab1-45ef-8ed4-da57dc3c0d32\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT30M\",\"queryPeriod\":\"PT30M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let lbtime = 30m;\\nlet msgthreshold = 3;\\nlet msgszthreshold = 3000000;\\nProofpointPOD\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027outbound\u0027\\n| where NetworkBytes \u003e msgszthreshold\\n| summarize count() by SrcUserUpn, DstUserUpn\\n| where count_ \u003e msgthreshold\\n| extend AccountCustomEntity = SrcUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"ProofpointPOD - Multiple large emails to the same recipient\",\"description\":\"Detects when multiple emails with large size where sent to the same recipient.\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0625fcce-6d52-491e-8c68-1d9b801d25b9\",\"name\":\"0625fcce-6d52-491e-8c68-1d9b801d25b9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Low\",\"query\":\"Event\\n| where EventLog =~ \\\"Application\\\"\\n| where Source startswith \\\"MSExchange\\\"\\n| where EventLevelName =~ \\\"error\\\"\\n| where (RenderedDescription startswith \\\"Watson report\\\" and RenderedDescription contains \\\"umworkerprocess\\\" and RenderedDescription contains \\\"TextFormattingRunProperties\\\") or RenderedDescription startswith \\\"An unhandled exception occurred in a UM worker process\\\" or RenderedDescription startswith \\\"The Microsoft Exchange Unified Messaging service\\\" or RenderedDescription contains \\\"MSExchange Unified Messaging\\\"\\n| where RenderedDescription !contains \\\"System.OutOfMemoryException\\\"\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| project-away DomainIndex\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Silk Typhoon Suspicious UM Service Error\",\"description\":\"This query looks for errors that may indicate that an attacker is attempting to exploit a vulnerability in the service. \\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2021-03-02T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/eda260eb-f4a1-4379-ad98-452604da9b3e\",\"name\":\"eda260eb-f4a1-4379-ad98-452604da9b3e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"let eventsThreshold = 20;\\nCommonSecurityLog\\n| where isnotempty(RequestURL)\\n| project TimeGenerated, RequestURL, RequestMethod, SourceIP, SourceHostName\\n| evaluate sequence_detect(TimeGenerated, 5s, 8s, login=(RequestURL has \\\"login.microsoftonline.com/consumers/oauth2/v2.0/token\\\"), graph=(RequestURL has \\\"graph.microsoft.com/v1.0/me/drive/\\\"), SourceIP, SourceHostName)\\n| summarize Events=count() by SourceIP, SourceHostName\\n| where Events \u003e= eventsThreshold\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"SourceHostName\"}]}],\"tactics\":[\"Exfiltration\",\"CommandAndControl\"],\"displayName\":\"CreepyDrive request URL sequence\",\"description\":\"CreepyDrive uses OneDrive for command and control, however, it makes regular requests to predicatable paths.\\nThis detecton will alert when over 20 sequences are observed in a single day.\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2022-05-31T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d722831e-88f5-4e25-b106-4ef6e29f8c13\",\"name\":\"d722831e-88f5-4e25-b106-4ef6e29f8c13\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P8D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.5\",\"severity\":\"Low\",\"query\":\"// a threshold can be enabled, see commented line below for PrevSeenCount\\nlet threshold = 2;\\nlet uploadOp = \u0027FileUploaded\u0027;\\n// Extensions that are interesting. Add/Remove to this list as you see fit\\nlet execExt = dynamic([\u0027exe\u0027, \u0027inf\u0027, \u0027gzip\u0027, \u0027cmd\u0027, \u0027bat\u0027]);\\nlet starttime = 8d;\\nlet endtime = 1d;\\nOfficeActivity | where TimeGenerated \u003e= ago(endtime)\\n// Limited to File Uploads due to potential noise, comment out the Operation statement below to include any operation type\\n// Additional, but potentially noisy operation types that include Uploads and Downloads can be included by adding the following - Operation contains \\\"upload\\\" or Operation contains \\\"download\\\"\\n| where Operation =~ uploadOp\\n| where SourceFileExtension has_any (execExt)\\n| project TimeGenerated, OfficeId, OfficeWorkload, RecordType, Operation, UserType, UserKey, UserId, ClientIP, UserAgent, Site_Url, SourceRelativeUrl, SourceFileName\\n| join kind= leftanti (\\nOfficeActivity | where TimeGenerated between (ago(starttime) .. ago(endtime))\\n| where Operation =~ uploadOp\\n| where SourceFileExtension has_any (execExt)\\n| summarize SourceRelativeUrl = make_set(SourceRelativeUrl, 100000), UserId = make_set(UserId, 100000) , PrevSeenCount = count() by SourceFileName\\n// To exclude previous matches when only above a specific count, change threshold above and uncomment the line below\\n//| where PrevSeenCount \u003e threshold\\n| mvexpand SourceRelativeUrl, UserId\\n| extend SourceRelativeUrl = tostring(SourceRelativeUrl), UserId = tostring(UserId)\\n) on SourceFileName, SourceRelativeUrl, UserId\\n| extend SiteUrlUserFolder = tolower(split(Site_Url, \u0027/\u0027)[-2])\\n| extend UserIdUserFolderFormat = tolower(replace_regex(UserId, \u0027@|\\\\\\\\.\u0027, \u0027_\u0027))\\n// identify when UserId is not a match to the specific site url personal folder reference\\n| extend UserIdDiffThanUserFolder = iff(Site_Url has \u0027/personal/\u0027 and SiteUrlUserFolder != UserIdUserFolderFormat, true , false )\\n| summarize TimeGenerated = make_list(TimeGenerated, 100000), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated),\\nUserAgents = make_list(UserAgent, 100000), OfficeIds = make_list(OfficeId, 100000), SourceRelativeUrls = make_list(SourceRelativeUrl, 100000), FileNames = make_list(SourceFileName, 100000)\\nby OfficeWorkload, RecordType, Operation, UserType, UserKey, UserId, ClientIP, Site_Url, SiteUrlUserFolder, UserIdUserFolderFormat, UserIdDiffThanUserFolder\\n| extend AccountName = tostring(split(UserId, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(UserId, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserId\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Site_Url\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"FileNames\"}]}],\"tactics\":[\"CommandAndControl\",\"LateralMovement\"],\"displayName\":\"New executable via Office FileUploaded Operation\",\"description\":\"Identifies when executable file types are uploaded to Office services such as SharePoint and OneDrive.\\nList currently includes \u0027exe\u0027, \u0027inf\u0027, \u0027gzip\u0027, \u0027cmd\u0027, \u0027bat\u0027 file extensions.\\nAdditionally, identifies when a given user is uploading these files to another users workspace.\\nThis may be indication of a staging location for malware or other malicious activity.\",\"lastUpdatedDateUTC\":\"2024-03-14T00:00:00Z\",\"createdDateUTC\":\"2020-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity (SharePoint)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/643c2025-9604-47c5-833f-7b4b9378a1f5\",\"name\":\"643c2025-9604-47c5-833f-7b4b9378a1f5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"Medium\",\"query\":\"//Adjust this threshold to fit your environment\\nlet signin_threshold = 5;\\n//Make a list of IPs with AAD signin failures above our threshold\\nlet aadFunc = (tableName:string){\\nlet Suspicious_signins =\\ntable(tableName)\\n| where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n| where IPAddress !in (\\\"127.0.0.1\\\", \\\"::1\\\")\\n| summarize count() by IPAddress\\n| where count_ \u003e signin_threshold\\n| summarize make_set(IPAddress);\\nSuspicious_signins\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nlet Suspicious_signins =\\nunion isfuzzy=true aadSignin, aadNonInt\\n| summarize make_set(set_IPAddress);\\n//See if any of those IPs have sucessfully logged into the AWS console\\nAWSCloudTrail\\n| where EventName =~ \\\"ConsoleLogin\\\"\\n| extend LoginResult = tostring(parse_json(ResponseElements).ConsoleLogin)\\n| where LoginResult =~ \\\"Success\\\"\\n| where SourceIpAddress in (Suspicious_signins)\\n| extend Reason = \\\"Multiple failed AAD logins from IP address\\\"\\n| extend MFAUsed = tostring(parse_json(AdditionalEventData).MFAUsed)\\n| extend UserIdentityArn = iif(isempty(UserIdentityArn), tostring(parse_json(Resources)[0].ARN), UserIdentityArn)\\n| extend UserName = tostring(split(UserIdentityArn, \u0027/\u0027)[-1])\\n| extend AccountName = case( UserIdentityPrincipalid == \\\"Anonymous\\\", \\\"Anonymous\\\", isempty(UserIdentityUserName), UserName, UserIdentityUserName)\\n| extend AccountName = iif(AccountName contains \\\"@\\\", tostring(split(AccountName, \u0027@\u0027, 0)[0]), AccountName),\\n AccountUPNSuffix = iif(AccountName contains \\\"@\\\", tostring(split(AccountName, \u0027@\u0027, 1)[0]), \\\"\\\")\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Reason, LoginResult, EventTypeName, UserIdentityType, RecipientAccountId, AccountName, AccountUPNSuffix, AWSRegion, SourceIpAddress, UserAgent, MFAUsed\\n| extend timestamp = StartTime\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"},{\"identifier\":\"CloudAppAccountId\",\"columnName\":\"RecipientAccountId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIpAddress\"}]}],\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"Failed AzureAD logons but success logon to AWS Console\",\"description\":\"Identifies a list of IP addresses with a minimum number (defualt of 5) of failed logon attempts to Microsoft Entra ID.\\nUses that list to identify any successful AWS Console logons from these IPs within the same timeframe.\",\"lastUpdatedDateUTC\":\"2023-11-24T00:00:00Z\",\"createdDateUTC\":\"2019-08-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/75ea5c39-93e5-489b-b1e1-68fa6c9d2d04\",\"name\":\"75ea5c39-93e5-489b-b1e1-68fa6c9d2d04\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"let threshold = 3;\\nlet aadFunc = (tableName:string){\\ntable(tableName)\\n| where ResultType == \\\"50057\\\"\\n| where ResultDescription =~ \\\"User account is disabled. The account has been disabled by an administrator.\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), applicationCount = dcount(AppDisplayName),\\napplicationSet = make_set(AppDisplayName), count() by UserPrincipalName, IPAddress, Type\\n| where applicationCount \u003e= threshold\\n| extend Name = tostring(split(UserPrincipalName,\u0027@\u0027,0)[0]), UPNSuffix = tostring(split(UserPrincipalName,\u0027@\u0027,1)[0])\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Attempts to sign in to disabled accounts\",\"description\":\"Identifies failed attempts to sign in to disabled accounts across multiple Azure Applications.\\nDefault threshold for Azure Applications attempted to sign in to is 3.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50057 - User account is disabled. The account has been disabled by an administrator.\",\"lastUpdatedDateUTC\":\"2024-01-06T00:00:00Z\",\"createdDateUTC\":\"2019-02-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/09551db0-e147-4a0c-9e7b-918f88847605\",\"name\":\"09551db0-e147-4a0c-9e7b-918f88847605\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"High\",\"query\":\"let tokens = dynamic([\\\"SSL_HandShaking\\\", \\\"ASN2_TYPE_new\\\", \\\"sql_blob_open\\\", \\\"cmsSetLogHandlerTHR\\\", \\\"ntSystemInfo\\\", \\\"SetWebFilterString\\\", \\\"CleanupBrokerString\\\", \\\"glInitSampler\\\", \\\"deflateSuffix\\\", \\\"ntWindowsProc\\\"]);\\nlet DomainNames = dynamic([\u0027codevexillium.org\u0027, \u0027angeldonationblog.com\u0027, \u0027investbooking.de\u0027, \u0027krakenfolio.com\u0027]);\\nlet SHA256Hash = dynamic([\u002758a74dceb2022cd8a358b92acd1b48a5e01c524c3b0195d7033e4bd55eff4495\u0027,\u0027e0e59bfc22876c170af65dcbf19f744ae560cc43b720b23b9d248f4505c02f3e\u0027,\u00273d3195697521973efe0097a320cbce0f0f98d29d50e044f4505e1fbc043e8cf9\u0027, \u00270a2d81164d524be7022ba8fd4e1e8e01bfd65407148569d172e2171b5cd76cd4\u0027, \u002796d7a93f6691303d39a9cc270b8814151dfec5683e12094537fd580afdf2e5fe\u0027,\u0027dc4cf164635db06b2a0b62d313dbd186350bca6fc88438617411a68df13ec83c\u0027, \u002746efd5179e43c9cbf07dcec22ce0d5527e2402655aee3afc016e5c260650284a\u0027, \u002795e42a94d4df1e7e472998f43b9879eb34aaa93f3705d7d3ef9e3b97349d7008\u0027, \u00279d5320e883264a80ea214077f44b1d4b22155446ad5083f4b27d2ab5bd127ef5\u0027, \u00279fd05063ad203581a126232ac68027ca731290d17bd43b5d3311e8153c893fe3\u0027, \u0027ada7e80c9d09f3efb39b729af238fcdf375383caaf0e9e0aed303931dc73b720\u0027, \u0027edb1597789c7ed784b85367a36440bf05267ac786efe5a4044ec23e490864cee\u0027, \u002733665ce1157ddb7cd7e905e3356b39245dfba17b7a658bdbf02b6968656b9998\u0027, \u00273ab770458577eb72bd6239fe97c35e7eb8816bce5a4b47da7bd0382622854f7c\u0027, \u0027b630ad8ffa11003693ce8431d2f1c6b8b126cd32b657a4bfa9c0dbe70b007d6c\u0027, \u002753f3e55c1217dafb8801af7087e7d68b605e2b6dde6368fceea14496c8a9f3e5\u0027, \u002799c95b5272c5b11093eed3ef2272e304b7a9311a22ff78caeb91632211fcb777\u0027, \u0027f21abadef52b4dbd01ad330efb28ef50f8205f57916a26daf5de02249c0f24ef\u0027, \u00272cbdea62e26d06080d114bbd922d6368807d7c6b950b1421d0aa030eca7e85da\u0027, \u0027079659fac6bd9a1ce28384e7e3a465be4380acade3b4a4a4f0e67fd0260e9447\u0027]);\\nlet SigNames = dynamic([\\\"Backdoor:Script/ComebackerCompile.A!dha\\\", \\\"Trojan:Win64/Comebacker.A!dha\\\", \\\"Trojan:Win64/Comebacker.A.gen!dha\\\", \\\"Trojan:Win64/Comebacker.B.gen!dha\\\", \\\"Trojan:Win32/Comebacker.C.gen!dha\\\", \\\"Trojan:Win32/Klackring.A!dha\\\", \\\"Trojan:Win32/Klackring.B!dha\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where isnotempty(FileHash)\\n| where FileHash in~ (SHA256Hash) or DNSName in~ (DomainNames)\\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n| project Type, TimeGenerated, Computer, Account, IPAddress, FileHash, DNSName\\n),\\n(_Im_Dns(domain_has_any=DomainNames)\\n| extend DNSName = DnsQuery\\n| extend Type = \\\"imDns\\\", IPAddress = SrcIpAddr, Computer=Dvc\\n| project Type, TimeGenerated, Computer, IPAddress, DNSName\\n),\\n(VMConnection\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where isnotempty(DNSName)\\n| where DNSName in~ (DomainNames)\\n| extend IPAddress = RemoteIp\\n| project Type, TimeGenerated, Computer, IPAddress, DNSName\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updataing\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Hashes = EventDetail.[16].[\\\"#text\\\"]\\n| where isnotempty(Hashes)\\n| parse Hashes with * \u0027SHA256=\u0027 SHA256 \u0027,\u0027 * \\n| where SHA256 in~ (SHA256Hash) \\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = Hashes\\n| project Type, TimeGenerated, Computer, Account, FileHash\\n),\\n(DeviceFileEvents\\n| where SHA256 in~ (SHA256Hash)\\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = SHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(imFileEvent\\n| where TargetFileSHA256 in~ (SHA256Hash)\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(DeviceNetworkEvents\\n| where RemoteUrl in~ (DomainNames)\\n| extend Computer = DeviceName, IPAddress = LocalIP, Account = InitiatingProcessAccountName\\n| project Type, TimeGenerated, Computer, Account, IPAddress, RemoteUrl\\n),\\n(SecurityAlert\\n| where ProductName == \\\"Microsoft Defender Advanced Threat Protection\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| where isnotempty(ThreatName)\\n| where ThreatName has_any (SigNames)\\n| extend Computer = tostring(parse_json(Entities)[0].HostName) \\n| project Type, TimeGenerated, Computer\\n),\\n(DeviceProcessEvents\\n| where FileName =~ \\\"powershell.exe\\\" or FileName =~ \\\"rundll32.exe\\\"\\n| where (ProcessCommandLine has \\\"is64bitoperatingsystem\\\" and ProcessCommandLine has \\\"Debug\\\\\\\\Browse\\\") or (ProcessCommandLine has_any (tokens))\\n| extend Computer = DeviceName, Account = AccountName, CommandLine = ProcessCommandLine\\n| project Type, TimeGenerated, Computer, Account, CommandLine, FileName\\n),\\n(SecurityEvent\\n| where EventID == 4688\\n| where ProcessName has_any (\\\"powershell.exe\\\", \\\"rundll32.exe\\\")\\n| where (CommandLine has \\\"is64bitoperatingsystem\\\" and CommandLine has \\\"Debug\\\\\\\\Browse\\\") or (CommandLine has_any (tokens))\\n| project Type, TimeGenerated, Computer, Account, ProcessName, CommandLine \\n),\\n( WindowsEvent\\n| where EventID == 4688\\n| where EventData has_any (\\\"powershell.exe\\\", \\\"rundll32.exe\\\") and EventData has_any (tokens, \\\"Debug\\\\\\\\Browse\\\",\\\"is64bitoperatingsystem\\\" ) \\n| extend ProcessName = tostring(EventData.ProcessName)\\n| where ProcessName has_any (\\\"powershell.exe\\\", \\\"rundll32.exe\\\")\\n| extend CommandLine = tostring(EventData.CommandLine) \\n| where (CommandLine has \\\"is64bitoperatingsystem\\\" and CommandLine has \\\"Debug\\\\\\\\Browse\\\") or (CommandLine has_any (tokens))\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| project Type, TimeGenerated, Computer, Account, ProcessName, CommandLine \\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPAddress = SourceHost\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| project TimeGenerated,Resource, msg_s, Type\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where Request_Name has_any (DomainNames)\\n| extend DNSName = Request_Name\\n| extend IPAddress = ClientIP\\n),\\n(AZFWApplicationRule\\n| where isnotempty(Fqdn)\\n| where Fqdn has_any (DomainNames)\\n| extend DNSName = Fqdn \\n| extend IPAddress = SourceIp\\n),\\n(AZFWDnsQuery\\n| where QueryName has_any (DomainNames)\\n| extend DNSName = QueryName\\n| extend IPAddress = SourceIp\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"Execution\"],\"displayName\":\"[Deprecated] - Known Diamond Sleet Comebacker and Klackring malware hashes\",\"description\":\"This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft\u0027s Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2021-01-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\",\"AZFWApplicationRule\",\"AZFWDnsQuery\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2149d9bb-8298-444c-8f99-f7bf0274dd05\",\"name\":\"2149d9bb-8298-444c-8f99-f7bf0274dd05\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/SEABORGIUMIOC.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet DomainNames = (iocs | where Type =~ \\\"domainname\\\"| project IoC);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 *\\n| where DNSName in~ (DomainNames)\\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = DestinationIP\\n),\\n(_Im_Dns (domain_has_any=DomainNames)\\n| extend DNSName = DnsQuery\\n| extend IPAddress = SrcIpAddr, Computer = Dvc\\n),\\n(_Im_WebSession (url_has_any=DomainNames)\\n| extend DNSName = tostring(parse_url(Url)[\\\"Host\\\"])\\n| extend IPAddress = SrcIpAddr, Computer = Dvc\\n),\\n(VMConnection\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where DNSName in~ (DomainNames)\\n| extend IPAddress = RemoteIp\\n),\\n(DeviceNetworkEvents\\n| where RemoteUrl has_any (DomainNames)\\n| extend IPAddress = RemoteIP\\n| extend Computer = DeviceName\\n),\\n(EmailUrlInfo\\n| where Url has_any (DomainNames)\\n| join (EmailEvents\\n| where EmailDirection == \\\"Inbound\\\" ) on NetworkMessageId\\n| extend IPAddress = SenderIPv4\\n| extend Account = RecipientEmailAddress\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames)\\n| extend DNSName = DestinationHost\\n| extend IPAddress = SourceHost\\n)\\n)\\n| extend AccountName = tostring(split(Account, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(Account, \\\"@\\\")[1])\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| extend AccountName = tostring(split(Account, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(Account, \\\"@\\\")[1])\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Star Blizzard C2 Domains August 2022\",\"description\":\"Identifies a match across various data feeds for domains related to an actor tracked by Microsoft as Star Blizzard.\",\"lastUpdatedDateUTC\":\"2024-06-25T00:00:00Z\",\"createdDateUTC\":\"2022-07-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"EmailUrlInfo\",\"EmailEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d82eb796-d1eb-43c8-a813-325ce3417cef\",\"name\":\"d82eb796-d1eb-43c8-a813-325ce3417cef\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"High\",\"query\":\"union isfuzzy=true\\n (DeviceFileEvents\\n | where ActionType == \\\"FileCreated\\\"\\n | where FileName endswith \\\".h0lyenc\\\" or FolderPath == \\\"C:\\\\\\\\FOR_DECRYPT.html\\\"\\n | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated)\\n by\\n AccountName = InitiatingProcessAccountName, AccountDomain = InitiatingProcessAccountDomain,\\n DeviceName,\\n Type,\\n InitiatingProcessId,\\n FileName,\\n FolderPath,\\n EventType = ActionType,\\n Commandline = InitiatingProcessCommandLine,\\n InitiatingProcessFileName,\\n InitiatingProcessSHA256,\\n FileHashCustomEntity = SHA256,\\n AlgorithmCustomEntity = \\\"SHA256\\\"\\n | extend HostName = tostring(split(DeviceName, \\\".\\\")[0]), DomainIndex = toint(indexof(DeviceName, \u0027.\u0027))\\n | extend HostNameDomain = iff(DomainIndex != -1, substring(DeviceName, DomainIndex + 1), DeviceName)\\n ),\\n (imFileEvent\\n | where EventType == \\\"FileCreated\\\"\\n | where TargetFilePath endswith \\\".h0lyenc\\\" or TargetFilePath == \\\"C:\\\\\\\\FOR_DECRYPT.html\\\"\\n | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated)\\n by\\n ActorUsername,\\n DvcHostname,\\n DvcDomain,\\n DvcId,\\n Type,\\n EventType,\\n FileHashCustomEntity = TargetFileSHA256,\\n Hash,\\n TargetFilePath,\\n Commandline = ActingProcessCommandLine,\\n AlgorithmCustomEntity = \\\"SHA256\\\"\\n | extend AccountName = tostring(split(ActorUsername, @\u0027\\\\\u0027)[1]), AccountDomain = tostring(split(ActorUsername, @\u0027\\\\\u0027)[0])\\n | extend HostName = DvcHostname, HostNameDomain = DvcDomain\\n | extend DeviceName = strcat(DvcHostname, \\\".\\\", DvcDomain )\\n )\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ActorUserName\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DeviceName\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Dev-0530 File Extension Rename\",\"description\":\"Dev-0530 actors are known to encrypt the contents of the victims device as well as renaming the file extensions. This query looks for the creation of files with .h0lyenc extension or presence of ransom note.\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2022-07-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cda5928c-2c1e-4575-9dfa-07568bc27a4f\",\"name\":\"cda5928c-2c1e-4575-9dfa-07568bc27a4f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"let lookback = 7d; \\nlet timeframe = 1h; \\nlet GlobalAdminsRemoved = AuditLogs \\n| where TimeGenerated \u003e ago(timeframe) \\n| where Category =~ \\\"RoleManagement\\\" \\n| where AADOperationType in (\\\"Unassign\\\", \\\"RemoveEligibleRole\\\") \\n| where ActivityDisplayName has_any (\\\"Remove member from role\\\", \\\"Remove eligible member from role\\\") \\n| mv-apply TargetResource = TargetResources on \\n (\\n where TargetResource.type =~ \\\"User\\\"\\n | extend Target = tostring(TargetResource.userPrincipalName),\\n props = TargetResource.modifiedProperties\\n )\\n| mv-apply Property = props on \\n (\\n where Property.displayName =~ \\\"Role.DisplayName\\\"\\n | extend RoleName = trim(\u0027\\\"\u0027,tostring(Property.oldValue))\\n )\\n| where RoleName =~ \\\"Global Administrator\\\" // Add other Privileged role if applicable\\n| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n| extend InitiatingIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\\n| extend Initiator = iif(isnotempty(InitiatingAppName), InitiatingAppName, InitiatingUserPrincipalName) \\n| where Initiator != \\\"MS-PIM\\\" // Filtering PIM events \\n| summarize RemovedGlobalAdminTime = max(TimeGenerated), TargetAdmins = make_set(Target,100) by OperationName, RoleName, Initiator, InitiatingAppName, InitiatingAppServicePrincipalId, InitiatingUserPrincipalName, InitiatingAadUserId, InitiatingIpAddress, Result; \\nlet GlobalAdminsAdded = AuditLogs \\n| where TimeGenerated \u003e ago(lookback) \\n| where Category =~ \\\"RoleManagement\\\" \\n| where AADOperationType in (\\\"Assign\\\", \\\"AssignEligibleRole\\\") \\n| where ActivityDisplayName has_any (\\\"Add eligible member to role\\\", \\\"Add member to role\\\") and Result == \\\"success\\\" \\n| mv-apply TargetResource = TargetResources on \\n (\\n where TargetResource.type =~ \\\"User\\\"\\n | extend Target = tostring(TargetResource.userPrincipalName),\\n props = TargetResource.modifiedProperties\\n )\\n| mv-apply Property = props on \\n (\\n where Property.displayName =~ \\\"Role.DisplayName\\\"\\n | extend RoleName = trim(\u0027\\\"\u0027,tostring(Property.newValue))\\n )\\n| where RoleName =~ \\\"Global Administrator\\\" // Add other Privileged role if applicable\\n| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n| extend Initiator = iif(isnotempty(InitiatingAppName), InitiatingAppName, tostring(InitiatedBy.user.userPrincipalName)) \\n| where Initiator != \\\"MS-PIM\\\" // Filtering PIM events \\n| summarize AddedGlobalAdminTime = max(TimeGenerated) by OperationName, RoleName, Target, Initiator, Result;\\nGlobalAdminsAdded \\n| join kind= inner GlobalAdminsRemoved on $left.Target == $right.Initiator \\n| where AddedGlobalAdminTime \u003c RemovedGlobalAdminTime \\n| extend NoofAdminsRemoved = array_length(TargetAdmins) \\n| where NoofAdminsRemoved \u003e 1\\n| project AddedGlobalAdminTime, Initiator, InitiatingAppName, InitiatingAppServicePrincipalId, InitiatingUserPrincipalName, InitiatingAadUserId, InitiatingIpAddress, Target, RemovedGlobalAdminTime, TargetAdmins, NoofAdminsRemoved\\n| extend TargetName = tostring(split(Target,\u0027@\u0027,0)[0]), TargetUPNSuffix = tostring(split(Target,\u0027@\u0027,1)[0])\\n| extend InitiatedByName = tostring(split(InitiatingUserPrincipalName,\u0027@\u0027,0)[0]), InitiatedByUPNSuffix = tostring(split(InitiatingUserPrincipalName,\u0027@\u0027,1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Target\"},{\"identifier\":\"Name\",\"columnName\":\"TargetName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"TargetUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatedByName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatedByUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAppServicePrincipalId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIpAddress\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Multiple admin membership removals from newly created admin.\",\"description\":\"This query detects when newly created Global admin removes multiple existing global admins which can be an attempt by adversaries to lock down organization and retain sole access. \\n Investigate reasoning and intention of multiple membership removal by new Global admins and take necessary actions accordingly.\",\"lastUpdatedDateUTC\":\"2024-01-08T00:00:00Z\",\"createdDateUTC\":\"2022-03-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/011c84d8-85f0-4370-b864-24c13455aa94\",\"name\":\"011c84d8-85f0-4370-b864-24c13455aa94\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"SecurityAlert\\n| extend Extprop = parse_json(ExtendedProperties)\\n| mv-expand todynamic(Entities)\\n| extend HostName = iff(isnotempty(tostring(Extprop[\\\"Compromised Host\\\"])), tolower(tostring(Extprop[\\\"Compromised Host\\\"])), tolower(tostring(parse_json(Entities).HostName)))\\n| where isnotempty(HostName)\\n| mv-expand todynamic(split(HostName, \u0027,\u0027))\\n| extend DnsDomain = iff(isnotempty(tostring(Extprop[\\\"Machine Domain\\\"])), tostring(Extprop[\\\"Machine Domain\\\"]), tostring(parse_json(Entities).DnsDomain))\\n| extend UserName = iff(isnotempty(tostring(Extprop[\\\"User Name\\\"])), tostring(Extprop[\\\"User Name\\\"]), iff(tostring(parse_json(Entities).Type) == \u0027account\u0027, tostring(parse_json(Entities).Name), \u0027\u0027))\\n| extend NTDomain = iff(isnotempty(tostring(Extprop[\\\"User Domain\\\"])), tostring(Extprop[\\\"User Domain\\\"]), tostring(parse_json(Entities).NTDomain))\\n| extend IpAddress = iff(tostring(parse_json(Entities).Type) == \u0027ip\u0027, tostring(parse_json(Entities).Address), tostring(parse_json(Extprop).[\\\"IpAddress\\\"]))\\n| summarize timestamp = arg_max(TimeGenerated, *) by AlertName, tostring(HostName)\\n| project timestamp, AlertName, UserName, NTDomain, tostring(HostName), DnsDomain, IpAddress\\n| join kind=inner\\n(\\nCoreAzureBackup\\n| where State =~ \\\"Deleted\\\"\\n| where OperationName =~ \\\"BackupItem\\\"\\n| extend data = split(BackupItemUniqueId, \\\";\\\")\\n| extend AzureLocation = data[0], VaultId=data[1], HostName=tolower(tostring(data[2])), DrivesBackedUp=data[3]\\n| project timestamp = TimeGenerated, AzureLocation, VaultId, HostName, DrivesBackedUp, State, BackupItemUniqueId, _ResourceId, OperationName, BackupItemFriendlyName\\n)\\non HostName\\n| project timestamp, AlertName, HostName, DnsDomain, UserName, NTDomain, _ResourceId, IpAddress, VaultId, AzureLocation, DrivesBackedUp, State, BackupItemUniqueId, OperationName, BackupItemFriendlyName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"UserName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"NTDomain\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"_ResourceId\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Detect CoreBackUp Deletion Activity from related Security Alerts\",\"description\":\"The query identifies any efforts by an attacker to delete backup containers, while also searching for any security alerts that may be linked to the same activity, in order to uncover additional information about the attacker\u0027s actions.\u0027 \\nThough such an activity could be legitimate as part of business operation, some ransomware actors may perform such operation to cause interruption to regular business services.\",\"lastUpdatedDateUTC\":\"2023-11-23T00:00:00Z\",\"createdDateUTC\":\"2021-11-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"MicrosoftDefenderForCloudTenantBased\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bfb1c90f-8006-4325-98be-c7fffbc254d6\",\"name\":\"bfb1c90f-8006-4325-98be-c7fffbc254d6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Medium\",\"query\":\"let s_threshold = 30;\\nlet l_threshold = 3;\\nlet aadFunc = (tableName:string){\\ntable(tableName)\\n| where OperationName =~ \\\"Sign-in activity\\\"\\n// Error codes that we want to look at as they are related to the use of incorrect password.\\n| where ResultType in (\\\"50126\\\", \\\"50053\\\" , \\\"50055\\\", \\\"50056\\\")\\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\\n| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\n| extend LocationString = strcat(tostring(LocationDetails.countryOrRegion), \\\"/\\\", tostring(LocationDetails.state), \\\"/\\\", tostring(LocationDetails.city))\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), LocationCount=dcount(LocationString), Location = make_set(LocationString,100),\\nIPAddress = make_set(IPAddress,100), IPAddressCount = dcount(IPAddress), AppDisplayName = make_set(AppDisplayName,100), ResultDescription = make_set(ResultDescription,50),\\nBrowser = make_set(Browser,20), OS = make_set(OS,20), SigninCount = count() by UserPrincipalName, Type\\n// Setting a generic threshold - Can be different for different environment\\n| where SigninCount \u003e s_threshold and LocationCount \u003e= l_threshold\\n| extend Location = tostring(Location), IPAddress = tostring(IPAddress), AppDisplayName = tostring(AppDisplayName), ResultDescription = tostring(ResultDescription), Browser = tostring(Browser), OS = tostring(OS)\\n| extend Name = tostring(split(UserPrincipalName,\u0027@\u0027,0)[0]), UPNSuffix = tostring(split(UserPrincipalName,\u0027@\u0027,1)[0])};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Distributed Password cracking attempts in Microsoft Entra ID\",\"description\":\"Identifies distributed password cracking attempts from the Microsoft Entra ID SigninLogs.\\nThe query looks for unusually high number of failed password attempts coming from multiple locations for a user account.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50053 Account is locked because the user tried to sign in too many times with an incorrect user ID or password.\\n50055 Invalid password, entered expired password.\\n50056 Invalid or null password - Password does not exist in store for this user.\\n50126 Invalid username or password, or invalid on-premises username or password.\",\"lastUpdatedDateUTC\":\"2024-01-06T00:00:00Z\",\"createdDateUTC\":\"2019-02-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f2dd4a3a-ebac-4994-9499-1a859938c947\",\"name\":\"f2dd4a3a-ebac-4994-9499-1a859938c947\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":1,\"version\":\"1.0.6\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet scorethreshold = 5;\\nlet bytessentperhourthreshold = 10;\\nlet TimeSeriesData = (union isfuzzy=true\\n(\\nVMConnection\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where isnotempty(DestinationIp) and isnotempty(SourceIp)\\n| extend SourceIP = SourceIp, DestinationIP = DestinationIp\\n| where ipv4_is_private(DestinationIP) == false\\n| extend DeviceVendor = \\\"VMConnection\\\"\\n| project TimeGenerated, BytesSent, DeviceVendor\\n| make-series TotalBytesSent=sum(BytesSent) on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by DeviceVendor\\n),\\n(\\nCommonSecurityLog\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\\n| where ipv4_is_private(DestinationIP) == false\\n| project TimeGenerated, SentBytes, DeviceVendor\\n| make-series TotalBytesSent=sum(SentBytes) on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by DeviceVendor\\n)\\n);\\n//Filter anomolies against TimeSeriesData\\nlet TimeSeriesAlerts = materialize(TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(TotalBytesSent, scorethreshold, -1, \u0027linefit\u0027)\\n| mv-expand TotalBytesSent to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double),score to typeof(double), baseline to typeof(long)\\n| where anomalies \u003e 0 | extend AnomalyHour = TimeGenerated\\n| extend TotalBytesSentinMBperHour = round(((TotalBytesSent / 1024)/1024),2), baselinebytessentperHour = round(((baseline / 1024)/1024),2), score = round(score,2)\\n| project DeviceVendor, AnomalyHour, TimeGenerated, TotalBytesSentinMBperHour, baselinebytessentperHour, anomalies, score);\\nlet AnomalyHours = materialize(TimeSeriesAlerts | where TimeGenerated \u003e ago(2d) | project TimeGenerated);\\n//Union of all BaseLogs aggregated per hour\\nlet BaseLogs = (union isfuzzy=true\\n(\\nCommonSecurityLog\\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\\n| where TimeGenerated \u003e ago(2d)\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n| where ipv4_is_private(DestinationIP) == false\\n| extend SentBytesinMB = ((SentBytes / 1024)/1024), ReceivedBytesinMB = ((ReceivedBytes / 1024)/1024)\\n| summarize HourlyCount = count(), TimeGeneratedMax=arg_max(TimeGenerated, *), DestinationIPList=make_set(DestinationIP, 100), DestinationPortList = make_set(DestinationPort,100), TotalSentBytesinMB = sum(SentBytesinMB), TotalReceivedBytesinMB = sum(ReceivedBytesinMB) by SourceIP, DeviceVendor, TimeGeneratedHour=bin(TimeGenerated,1h)\\n| where TotalSentBytesinMB \u003e bytessentperhourthreshold\\n| sort by TimeGeneratedHour asc, TotalSentBytesinMB desc\\n| extend Rank=row_number(1, prev(TimeGeneratedHour) != TimeGeneratedHour) // Ranking the dataset per Hourly Partition\\n| where Rank \u003c 10 // Selecting Top 10 records with Highest BytesSent in each Hour\\n| project DeviceVendor, TimeGeneratedHour, TimeGeneratedMax, SourceIP, DestinationIPList, DestinationPortList, TotalSentBytesinMB, TotalReceivedBytesinMB, Rank\\n),\\n(\\nVMConnection\\n| where isnotempty(DestinationIp) and isnotempty(SourceIp)\\n| where TimeGenerated \u003e ago(2d)\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n| extend SourceIP = SourceIp, DestinationIP = DestinationIp\\n| where ipv4_is_private(DestinationIP) == false | extend DeviceVendor = \\\"VMConnection\\\"\\n| extend SentBytesinMB = ((BytesSent / 1024)/1024), ReceivedBytesinMB = ((BytesReceived / 1024)/1024)\\n| summarize HourlyCount = count(),TimeGeneratedMax=arg_max(TimeGenerated, *), DestinationIPList=make_set(DestinationIP, 100), DestinationPortList = make_set(DestinationPort, 100), TotalSentBytesinMB = sum(SentBytesinMB),TotalReceivedBytesinMB = sum(ReceivedBytesinMB) by SourceIP, DeviceVendor, TimeGeneratedHour=bin(TimeGenerated,1h)\\n| where TotalSentBytesinMB \u003e bytessentperhourthreshold\\n| sort by TimeGeneratedHour asc, TotalSentBytesinMB desc\\n| extend Rank=row_number(1, prev(TimeGeneratedHour) != TimeGeneratedHour) // Ranking the dataset per Hourly Partition\\n| where Rank \u003c 10 // Selecting Top 10 records with Highest BytesSent in each Hour\\n| project DeviceVendor, TimeGeneratedHour, TimeGeneratedMax, SourceIP, DestinationIPList, DestinationPortList, TotalSentBytesinMB, TotalReceivedBytesinMB, Rank\\n)\\n);\\n// Join against base logs to retrive records associated with the hour of anomoly\\nTimeSeriesAlerts\\n| where TimeGenerated \u003e ago(2d)\\n| join (\\n BaseLogs | extend AnomalyHour = TimeGeneratedHour\\n) on DeviceVendor, AnomalyHour | sort by score desc\\n| project DeviceVendor, AnomalyHour,TimeGeneratedMax, SourceIP, DestinationIPList, DestinationPortList, TotalSentBytesinMB, TotalReceivedBytesinMB, TotalBytesSentinMBperHour, baselinebytessentperHour, score, anomalies\\n| summarize EventCount = count(), StartTimeUtc= min(TimeGeneratedMax), EndTimeUtc= max(TimeGeneratedMax), SourceIPMax= arg_max(SourceIP,*), TotalBytesSentinMB = sum(TotalSentBytesinMB), TotalBytesReceivedinMB = sum(TotalReceivedBytesinMB), SourceIPList = make_set(SourceIP, 100), DestinationIPList = make_set(DestinationIPList, 100) by AnomalyHour,TotalBytesSentinMBperHour, baselinebytessentperHour, score, anomalies\\n| project DeviceVendor, AnomalyHour, StartTimeUtc, EndTimeUtc, SourceIPMax, SourceIPList, DestinationIPList, DestinationPortList, TotalBytesSentinMB, TotalBytesReceivedinMB, TotalBytesSentinMBperHour, baselinebytessentperHour, score, anomalies, EventCount\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIPMax\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"Time series anomaly for data size transferred to public internet\",\"description\":\"Identifies anomalous data transfer to public networks. The query leverages built-in KQL anomaly detection algorithms that detects large deviations from a baseline pattern.\\nA sudden increase in data transferred to unknown public networks is an indication of data exfiltration attempts and should be investigated.\\nThe higher the score, the further it is from the baseline value.\\nThe output is aggregated to provide summary view of unique source IP to destination IP address and port bytes sent traffic observed in the flagged anomaly hour.\\nThe source IP addresses which were sending less than bytessentperhourthreshold have been exluded whose value can be adjusted as needed .\\nYou may have to run queries for individual source IP addresses from SourceIPlist to determine if anything looks suspicious\",\"lastUpdatedDateUTC\":\"2024-04-11T00:00:00Z\",\"createdDateUTC\":\"2019-05-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e7470b35-0128-4508-bfc9-e01cfb3c2eb7\",\"name\":\"e7470b35-0128-4508-bfc9-e01cfb3c2eb7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Medium\",\"query\":\"Event\\n | where EventLog =~ \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID==1\\n | parse EventData with * \u0027Image\\\"\u003e\u0027 Image \\\"\u003c\\\" * \u0027CommandLine\\\"\u003e\u0027 CommandLine \\\"\u003c\\\" * \u0027ParentImage\\\"\u003e\u0027 ParentImage \\\"\u003c\\\" *\\n | where ParentImage has \\\"svchost.exe\\\" and Image has \\\"rundll32.exe\\\" and CommandLine has \\\"{c08afd90-f2a1-11d1-8455-00a0c91f3880}\\\"\\n | parse EventData with * \u0027ProcessGuid\\\"\u003e\u0027 ProcessGuid \\\"\u003c\\\" * \u0027Description\\\"\u003e\u0027 Description \\\"\u003c\\\" * \u0027CurrentDirectory\\\"\u003e\u0027 CurrentDirectory \\\"\u003c\\\" * \u0027User\\\"\u003e\u0027 User \\\"\u003c\\\" * \u0027LogonGuid\\\"\u003e\u0027 LogonGuid \\\"\u003c\\\" * \u0027ParentProcessGuid\\\"\u003e\u0027 ParentProcessGuid \\\"\u003c\\\" * \u0027ParentImage\\\"\u003e\u0027 ParentImage \\\"\u003c\\\" * \u0027ParentCommandLine\\\"\u003e\u0027 ParentCommandLine \\\"\u003c\\\" * \u0027ParentUser\\\"\u003e\u0027 ParentUser \\\"\u003c\\\" *\\n | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, User, ParentImage, ParentProcessGuid, ParentCommandLine, ParentUser, Image, ProcessGuid, CommandLine, Description\\n | extend HostName = iif(Computer has \u0027.\u0027,substring(Computer,0,indexof(Computer,\u0027.\u0027)),Computer) , DnsDomain = iif(Computer has \u0027.\u0027,substring(Computer,indexof(Computer,\u0027.\u0027)+1),\u0027\u0027)\",\"entityMappings\":[{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLine\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"User\"}]}],\"tactics\":[\"LateralMovement\"],\"displayName\":\"Detecting Macro Invoking ShellBrowserWindow COM Objects\",\"description\":\"This query detects a macro invoking ShellBrowserWindow COM Objects evade naive parent/child Office detection rules.\",\"lastUpdatedDateUTC\":\"2024-11-18T00:00:00Z\",\"createdDateUTC\":\"2022-03-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/69a45b05-71f5-45ca-8944-2e038747fb39\",\"name\":\"69a45b05-71f5-45ca-8944-2e038747fb39\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P8D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.8\",\"severity\":\"Medium\",\"query\":\"let endtime = 1d;\\n// Function to resolve hostname to IP address using DNS logs or a lookup table (example syntax)\\nlet rdpConnections =\\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4624 and LogonType == 10\\n// Labeling the first RDP connection time, computer and ip\\n| extend\\nFirstHop = bin(TimeGenerated, 1m),\\nFirstComputer = toupper(Computer),\\nFirstRemoteIPAddress = IpAddress,\\nAccount = tolower(Account)\\n),\\n(\\nWindowsEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4624 and EventData has (\\\"10\\\")\\n| extend LogonType = tostring(EventData.LogonType)\\n| where LogonType == 10 // Labeling the first RDP connection time, computer and ip\\n| extend Account = strcat(tostring(EventData.TargetDomainName), \\\"\\\", tostring(EventData.TargetUserName))\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| extend\\nFirstHop = bin(TimeGenerated, 1m),\\nFirstComputer = toupper(Computer),\\nFirstRemoteIPAddress = IpAddress,\\nAccount = tolower(Account)\\n))\\n| join kind=inner (\\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4624 and LogonType == 10\\n// Labeling the second RDP connection time, computer and ip\\n| extend\\nSecondHop = bin(TimeGenerated, 1m),\\nSecondComputer = toupper(Computer),\\nSecondRemoteIPAddress = IpAddress,\\nAccount = tolower(Account)\\n),\\n(\\nWindowsEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4624 and EventData has (\\\"10\\\")\\n| extend LogonType = toint(EventData.LogonType)\\n| where LogonType == 10 // Labeling the second RDP connection time, computer and ip\\n| extend Account = strcat(tostring(EventData.TargetDomainName), \\\"\\\", tostring(EventData.TargetUserName))\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| extend\\nSecondHop = bin(TimeGenerated, 1m),\\nSecondComputer = toupper(Computer),\\nSecondRemoteIPAddress = IpAddress,\\nAccount = tolower(Account)\\n))\\n)\\non Account\\n| distinct\\nAccount,\\nFirstHop,\\nFirstComputer,\\nFirstRemoteIPAddress,\\nSecondHop,\\nSecondComputer,\\nSecondRemoteIPAddress,\\nAccountType,\\nActivity,\\nLogonTypeName,\\nProcessName;\\n// Resolve hostnames to IP addresses device network Ip\u0027s\\nlet listOfFirstComputer = rdpConnections | distinct FirstComputer;\\nlet listOfSecondComputer = rdpConnections | distinct SecondComputer;\\nlet resolvedIPs =\\nDeviceNetworkInfo\\n| where TimeGenerated \u003e= ago(endtime)\\n| where isnotempty(ConnectedNetworks) and NetworkAdapterStatus == \\\"Up\\\"\\n| extend ClientIP = tostring(parse_json(IPAddresses[0]).IPAddress)\\n| where isnotempty(ClientIP)\\n| where DeviceName in~ (listOfFirstComputer) or DeviceName in~ (listOfSecondComputer)\\n| summarize arg_max(TimeGenerated, ClientIP) by Computer= DeviceName\\n| project Computer=toupper(Computer), ResolvedIP = ClientIP;\\n// Join resolved IPs with the RDP connections\\nrdpConnections\\n| join kind=inner (resolvedIPs) on $left.FirstComputer == $right.Computer\\n| join kind=inner (resolvedIPs) on $left.SecondComputer == $right.Computer\\n// | where ResolvedIP != ResolvedIP1\\n| distinct\\nAccount,\\nFirstHop,\\nFirstComputer,\\nFirstComputerIP = ResolvedIP,\\nFirstRemoteIPAddress,\\nSecondHop,\\nSecondComputer,\\nSecondComputerIP = ResolvedIP1,\\nSecondRemoteIPAddress,\\nAccountType,\\nActivity,\\nLogonTypeName,\\nProcessName\\n// Ensure the first connection is before the second connection\\n// Identify only RDP to another computer from within the first RDP connection by only choosing matches where the Computer names do not match\\n// Ensure the IPAddresses do not match by excluding connections from the same computers with first hop RDP connections to multiple computers\\n| where FirstComputer != SecondComputer\\nand FirstRemoteIPAddress != SecondRemoteIPAddress\\nand SecondHop \u003e FirstHop\\n// Ensure the second hop occurs within 30 minutes of the first hop\\n| where SecondHop \u003c= FirstHop + 30m\\n| where SecondRemoteIPAddress == FirstComputerIP\\n| summarize FirstHopFirstSeen = min(FirstHop), FirstHopLastSeen = max(FirstHop)\\nby\\nAccount,\\nFirstComputer,\\nFirstComputerIP,\\nFirstRemoteIPAddress,\\nSecondHop,\\nSecondComputer,\\nSecondComputerIP,\\nSecondRemoteIPAddress,\\nAccountType,\\nActivity,\\nLogonTypeName,\\nProcessName\\n| extend\\nAccountName = tostring(split(Account, @\\\"\\\")[1]),\\nAccountNTDomain = tostring(split(Account, @\\\"\\\")[0])\\n| extend\\nHostName1 = tostring(split(FirstComputer, \\\".\\\")[0]),\\nDomainIndex = toint(indexof(FirstComputer, \u0027.\u0027))\\n| extend HostNameDomain1 = iff(DomainIndex != -1, substring(FirstComputer, DomainIndex + 1), FirstComputer)\\n| extend\\nHostName2 = tostring(split(SecondComputer, \\\".\\\")[0]),\\nDomainIndex = toint(indexof(SecondComputer, \u0027.\u0027))\\n| extend HostNameDomain2 = iff(DomainIndex != -1, substring(SecondComputer, DomainIndex + 1), SecondComputer)\\n| project-away DomainIndex\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"FirstComputer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName1\"},{\"identifier\":\"NTDomain\",\"columnName\":\"HostNameDomain1\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SecondComputer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName2\"},{\"identifier\":\"NTDomain\",\"columnName\":\"HostNameDomain2\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"FirstIPAddress\"}]}],\"tactics\":[\"LateralMovement\"],\"displayName\":\"RDP Nesting\",\"description\":\"Query detects potential lateral movement within a network by identifying when an RDP connection (EventID 4624, LogonType 10) is made to an initial system, followed by a subsequent RDP connection from that system to another, using the same account within a 60-minute window.\\n To reduce false positives, it excludes scenarios where the same account has made 5 or more connections to the same set of computers in the previous 7 days. This approach focuses on highlighting unusual RDP behaviour that suggests lateral movement, which is often associated with attacker tactics during a network breach.\",\"lastUpdatedDateUTC\":\"2024-09-27T00:00:00Z\",\"createdDateUTC\":\"2019-10-21T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/694c91ee-d606-4ba9-928e-405a2dd0ff0f\",\"name\":\"694c91ee-d606-4ba9-928e-405a2dd0ff0f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"High\",\"query\":\"let queryperiod = 14d;\\nlet queryfrequency = 2h;\\nlet security_info_actions = dynamic([\\\"User registered security info\\\", \\\"User changed default security info\\\", \\\"User deleted security info\\\", \\\"Admin updated security info\\\", \\\"User reviewed security info\\\", \\\"Admin deleted security info\\\", \\\"Admin registered security info\\\"]);\\nlet VIPUsers = (\\n IdentityInfo\\n | where TimeGenerated \u003e ago(queryperiod)\\n | mv-expand AssignedRoles\\n | where AssignedRoles contains \u0027Admin\u0027\\n | summarize by AccountUPN);\\nAuditLogs\\n| where TimeGenerated \u003e ago(queryfrequency)\\n| where Category =~ \\\"UserManagement\\\"\\n| where ActivityDisplayName in (security_info_actions)\\n| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n| extend InitiatingIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\\n| mv-apply TargetResource = TargetResources on \\n (\\n where TargetResource.type =~ \\\"User\\\"\\n | extend TargetUserPrincipalName = tostring(TargetResource.userPrincipalName)\\n )\\n| where TargetUserPrincipalName in~ (VIPUsers)\\n// Uncomment the line below if you are experiencing high volumes of Target entities. If this is uncommented, the Target column will not be mapped to an entity.\\n//| summarize Start=min(TimeGenerated), End=max(TimeGenerated), Actions = make_set(ResultReason, MaxSize=8), Targets=make_set(Target, MaxSize=256) by Initiator, IP, Result\\n// Comment out this line below, if line above is used.\\n| summarize Start=min(TimeGenerated), End=max(TimeGenerated), Actions = make_set(ResultReason, MaxSize=8) by InitiatingAppName, InitiatingAppServicePrincipalId, \\nInitiatingUserPrincipalName, InitiatingAadUserId, InitiatingIpAddress, TargetUserPrincipalName, Result\\n| extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[1]), \\nTargetName = iff(tostring(TargetUserPrincipalName) has \\\"[\\\", \\\"\\\", tostring(split(TargetUserPrincipalName,\u0027@\u0027,0)[0])), TargetUPNSuffix = iff(tostring(TargetUserPrincipalName) has \\\"[\\\", \\\"\\\", tostring(split(TargetUserPrincipalName,\u0027@\u0027,1)[0]))\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"InitiatingAppName\"},{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAppServicePrincipalId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatingAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatingAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIpAddress\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Authentication Methods Changed for Privileged Account\",\"description\":\"Identifies authentication methods being changed for a privileged account. This could be an indication of an attacker adding an auth method to the account so they can have continued access.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"IdentityInfo\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/be52662c-3b23-435a-a6fa-f39bdfc849e6\",\"name\":\"be52662c-3b23-435a-a6fa-f39bdfc849e6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"let threshold = 10;\\nQualysHostDetection_CL\\n| mv-expand todynamic(Detections_s)\\n| where Detections_s.Severity == \\\"5\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by NetBios_s, IPAddress\\n| where count_ \u003e= threshold\\n| extend timestamp = StartTime, HostCustomEntity = NetBios_s, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"High Number of Urgent Vulnerabilities Detected\",\"description\":\"This Creates an incident when a host has a high number of Urgent, severity 5, vulnerabilities detected.\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2020-06-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"QualysVulnerabilityManagement\",\"dataTypes\":[\"QualysHostDetection_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b185ac23-dc27-4573-8192-1134c7a95f4f\",\"name\":\"b185ac23-dc27-4573-8192-1134c7a95f4f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"Dynamics365Activity\\n| extend Message = tostring(split(OriginalObjectId, \u0027 \u0027)[0])\\n| where Message =~ \u0027IsDataEncryptionActive\u0027\\n| project-reorder TimeGenerated, Message, UserId, ClientIP, InstanceUrl, UserAgent\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = ClientIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Dynamics Encryption Settings Changed\",\"description\":\"This query looks for changes to the Data Encryption settings for Dynamics 365.\\nReference: https://docs.microsoft.com/microsoft-365/compliance/office-365-encryption-in-microsoft-dynamics-365\",\"lastUpdatedDateUTC\":\"2022-12-12T00:00:00Z\",\"createdDateUTC\":\"2021-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Dynamics365\",\"dataTypes\":[\"Dynamics365Activity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/65360bb0-8986-4ade-a89d-af3cf44d28aa\",\"name\":\"65360bb0-8986-4ade-a89d-af3cf44d28aa\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"Low\",\"query\":\"let EventNameList = dynamic([\\\"CreateNetworkAclEntry\\\",\\\"CreateRoute\\\",\\\"CreateRouteTable\\\",\\\"CreateInternetGateway\\\",\\\"CreateNatGateway\\\"]);\\nAWSCloudTrail\\n| where EventName in~ (EventNameList)\\n| extend UserIdentityArn = iif(isempty(UserIdentityArn), tostring(parse_json(Resources)[0].ARN), UserIdentityArn)\\n| extend UserName = tostring(split(UserIdentityArn, \u0027/\u0027)[-1])\\n| extend AccountName = case( UserIdentityPrincipalid == \\\"Anonymous\\\", \\\"Anonymous\\\", isempty(UserIdentityUserName), UserName, UserIdentityUserName)\\n| extend AccountName = iif(AccountName contains \\\"@\\\", tostring(split(AccountName, \u0027@\u0027, 0)[0]), AccountName),\\n AccountUPNSuffix = iif(AccountName contains \\\"@\\\", tostring(split(AccountName, \u0027@\u0027, 1)[0]), \\\"\\\")\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, RecipientAccountId, AccountName, AccountUPNSuffix, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent,\\nUserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion, EventSource, AdditionalEventData, ResponseElements\\n| extend timestamp = StartTimeUtc\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"},{\"identifier\":\"CloudAppAccountId\",\"columnName\":\"RecipientAccountId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIpAddress\"}]}],\"tactics\":[\"PrivilegeEscalation\",\"LateralMovement\"],\"displayName\":\"Changes to Amazon VPC settings\",\"description\":\"Amazon Virtual Private Cloud (Amazon VPC) lets you provision a logically isolated section of the AWS Cloud where you can launch AWS resources in a virtual network that you define.\\nThis identifies changes to Amazon VPC (Virtual Private Cloud) settings such as new ACL entries,routes, routetable or Gateways.\\nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255 \\nand AWS VPC API Docs: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/OperationList-query-vpc.html\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4ce177b3-56b1-4f0e-b83e-27eed4cb0b16\",\"name\":\"4ce177b3-56b1-4f0e-b83e-27eed4cb0b16\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"Medium\",\"query\":\"let lookback = 14d;\\nlet timeframe = 1d;\\n// exclude allowed users from query such as the ADO service\\nlet allowed_users = dynamic([\\\"Azure DevOps Service\\\"]);\\nunion\\n// Look for agents being added to a pool of a OS type not seen with that pool before\\n(AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(lookback) and TimeGenerated \u003c ago(timeframe)\\n| where OperationName =~ \\\"Library.AgentAdded\\\"\\n| where ActorUPN !in (allowed_users)\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n| extend OsDescription = tostring(Data.OsDescription)\\n| where isnotempty(OsDescription)\\n| extend OsDescription = tostring(split(OsDescription, \\\"#\\\", 0)[0])\\n| project AgentPoolName, OsDescription\\n| join kind=rightanti (AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeframe)\\n| where OperationName == \\\"Library.AgentAdded\\\"\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n| extend OsDescription = tostring(Data.OsDescription)\\n| where isnotempty(OsDescription)\\n| extend OsDescription = tostring(split(OsDescription, \\\"#\\\", 0)[0])) on AgentPoolName, OsDescription),\\n// Look for users addeing agents to a pool that they have not added agents to before.\\n(AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(lookback) and TimeGenerated \u003c ago(timeframe)\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n| where ActorUPN !in (allowed_users)\\n| project AgentPoolName, ActorUPN\\n| join kind=rightanti (AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeframe)\\n| where OperationName == \\\"Library.AgentAdded\\\"\\n| where ActorUPN !in (allowed_users)\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n) on AgentPoolName, ActorUPN)\\n| extend AgentName = tostring(Data.AgentName)\\n| extend OsDescription = tostring(Data.OsDescription)\\n| extend SystemDetails = Data.SystemCapabilities\\n| project-reorder TimeGenerated, OperationName, ScopeDisplayName, AgentPoolName, AgentName, ActorUPN, IpAddress, UserAgent, OsDescription, SystemDetails, Data\\n| extend timestamp = TimeGenerated\\n| extend AccountName = tostring(split(ActorUPN, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(ActorUPN, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ActorUPN\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"New Agent Added to Pool by New User or Added to a New OS Type\",\"description\":\"As seen in attacks such as SolarWinds attackers can look to subvert a build process by controlling build servers. Azure DevOps uses agent pools to execute pipeline tasks. \\nAn attacker could insert compromised agents that they control into the pools in order to execute malicious code. This query looks for users adding agents to pools they have not added agents to before, or adding agents to a pool of an OS that has not been added to that pool before. This detection has potential for false positives so has a configurable allow list to allow for certain users to be excluded from the logic.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f948a32f-226c-4116-bddd-d95e91d97eb9\",\"name\":\"f948a32f-226c-4116-bddd-d95e91d97eb9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"High\",\"query\":\"let detectionTime = 1d;\\nlet joinLookback = 14d;\\nlet threshold = 5;\\nlet o365_attack_regex = \\\"contacts.read|user.read|mail.read|notes.read.all|mailboxsettings.readwrite|Files.ReadWrite.All|mail.send|files.read|files.read.all\\\";\\nlet o365_attack = dynamic([\\\"contacts.read\\\", \\\"user.read\\\", \\\"mail.read\\\", \\\"notes.read.all\\\", \\\"mailboxsettings.readwrite\\\", \\\"Files.ReadWrite.All\\\", \\\"mail.send\\\", \\\"files.read\\\", \\\"files.read.all\\\"]);\\nAuditLogs\\n| where TimeGenerated \u003e ago(detectionTime)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Consent to application\\\"\\n| mv-apply TargetResource = TargetResources on \\n (\\n where TargetResource.type =~ \\\"ServicePrincipal\\\"\\n | extend AppDisplayName = tostring(TargetResource.displayName),\\n AppClientId = tostring(TargetResource.id),\\n props = TargetResource.modifiedProperties\\n )\\n| where AppClientId !in ((externaldata(knownAppClientId:string, knownAppDisplayName:string)[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.OAuth.KnownApplications.csv\\\"] with (format=\\\"csv\\\"))) // NOTE: a MATCH from this list will cause the alert to NOT fire - please modify for your environment!\\n| mv-apply ConsentFull = props on \\n (\\n where ConsentFull.displayName =~ \\\"ConsentAction.Permissions\\\"\\n )\\n| parse ConsentFull with * \\\"ConsentType: \\\" GrantConsentType \\\", Scope: \\\" GrantScope1 \\\", CreatedDateTime\\\" * \\\"]\\\" *\\n| where GrantConsentType != \\\"AllPrincipals\\\" // NOTE: we are ignoring if OAuth application was granted to all users via an admin - but admin due diligence should be audited occasionally\\n| where ConsentFull has_any (o365_attack) \\n| extend GrantScopeCount = countof(tolower(GrantScope1), o365_attack_regex, \u0027regex\u0027)\\n| where GrantScopeCount \u003e threshold\\n| extend GrantInitiatedByAppName = tostring(InitiatedBy.app.displayName)\\n| extend GrantInitiatedByAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n| extend GrantInitiatedByUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n| extend GrantInitiatedByAadUserId = tostring(InitiatedBy.user.id)\\n| extend GrantIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n| extend GrantInitiatedBy = iff(isnotempty(GrantInitiatedByUserPrincipalName), GrantInitiatedByUserPrincipalName, GrantInitiatedByAppName)\\n| mv-apply AdditionalDetail = AdditionalDetails on \\n (\\n where AdditionalDetail.key =~ \\\"User-Agent\\\"\\n | extend GrantUserAgent = AdditionalDetail.value\\n )\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, GrantInitiatedByUserPrincipalName, GrantInitiatedByAadUserId, GrantInitiatedByAppName, GrantInitiatedByAppServicePrincipalId, GrantIpAddress, GrantUserAgent, AppClientId, OperationName, ConsentFull, CorrelationId\\n| join kind = leftouter (AuditLogs\\n | where TimeGenerated \u003e ago(joinLookback)\\n | where LoggedByService =~ \\\"Core Directory\\\"\\n | where Category =~ \\\"ApplicationManagement\\\"\\n | where OperationName =~ \\\"Add service principal\\\"\\n | mv-apply TargetResource = TargetResources on \\n (\\n where TargetResource.type =~ \\\"ServicePrincipal\\\"\\n | extend props = TargetResource.modifiedProperties,\\n AppClientId = tostring(TargetResource.id)\\n )\\n | mv-apply Property = props on \\n (\\n where Property.displayName =~ \\\"AppAddress\\\" and Property.newValue has \\\"AddressType\\\"\\n | extend AppReplyURLs = trim(\u0027\\\"\u0027,tostring(Property.newValue))\\n )\\n | distinct AppClientId, tostring(AppReplyURLs)\\n) on AppClientId\\n| join kind = innerunique (AuditLogs\\n | where TimeGenerated \u003e ago(joinLookback)\\n | where LoggedByService =~ \\\"Core Directory\\\"\\n | where Category =~ \\\"ApplicationManagement\\\"\\n | where OperationName =~ \\\"Add OAuth2PermissionGrant\\\" or OperationName =~ \\\"Add delegated permission grant\\\"\\n | mv-apply TargetResource = TargetResources on \\n (\\n where TargetResource.type =~ \\\"ServicePrincipal\\\" and array_length(TargetResource.modifiedProperties) \u003e 0 and isnotnull(TargetResource.displayName)\\n | extend GrantAuthentication = tostring(TargetResource.displayName)\\n )\\n | extend GrantOperation = OperationName\\n | project GrantAuthentication, GrantOperation, CorrelationId\\n ) on CorrelationId\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantInitiatedByUserPrincipalName, GrantInitiatedByAadUserId, GrantInitiatedByAppName, GrantInitiatedByAppServicePrincipalId, GrantIpAddress, GrantUserAgent, AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull\\n| extend Name = tostring(split(GrantInitiatedByUserPrincipalName,\u0027@\u0027,0)[0]), UPNSuffix = tostring(split(GrantInitiatedByUserPrincipalName,\u0027@\u0027,1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"GrantInitiatedByUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"GrantInitiatedByAadUserId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"GrantInitiatedByAppServicePrincipalId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"GrantIpAddress\"}]},{\"entityType\":\"CloudApplication\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"AppDisplayName\"}]}],\"tactics\":[\"CredentialAccess\",\"DefenseEvasion\"],\"displayName\":\"Suspicious application consent similar to O365 Attack Toolkit\",\"description\":\"This will alert when a user consents to provide a previously-unknown Azure application with the same OAuth permissions used by the MDSec O365 Attack Toolkit (https://github.com/mdsecactivebreach/o365-attack-toolkit).\\nThe default permissions/scope for the MDSec O365 Attack toolkit change sometimes but often include contacts.read, user.read, mail.read, notes.read.all, mailboxsettings.readwrite, files.readwrite.all, mail.send, files.read, and files.read.all.\\nConsent to applications with these permissions should be rare, especially as the knownApplications list is expanded, especially as the knownApplications list is expanded. Public contributions to expand this filter are welcome!\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2024-01-08T00:00:00Z\",\"createdDateUTC\":\"2020-06-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/157c0cfc-d76d-463b-8755-c781608cdc1a\",\"name\":\"157c0cfc-d76d-463b-8755-c781608cdc1a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.6\",\"severity\":\"Medium\",\"query\":\"let aadFunc = (tableName:string){\\nCommonSecurityLog\\n| where DeviceVendor =~ \\\"Cisco\\\"\\n| where DeviceAction =~ \\\"denied\\\"\\n| where ipv4_is_private(SourceIP) == false\\n| summarize count() by SourceIP\\n| join (\\n // Successful signins from IPs blocked by the firewall solution are suspect\\n // Include fully successful sign-ins, but also ones that failed only at MFA stage\\n // as that supposes the password was sucessfully guessed.\\n table(tableName)\\n | where ResultType in (\\\"0\\\", \\\"50074\\\", \\\"50076\\\")\\n) on $left.SourceIP == $right.IPAddress\\n| extend AccountName = tostring(split(Account, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(Account, \\\"@\\\")[1])\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Cisco - firewall block but success logon to Microsoft Entra ID\",\"description\":\"Correlate IPs blocked by a Cisco firewall appliance with successful Microsoft Entra ID signins.\\nBecause the IP was blocked by the firewall, that same IP logging on successfully to Entra ID is potentially suspect and could indicate credential compromise for the user account.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2019-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6d63efa6-7c25-4bd4-a486-aa6bf50fde8a\",\"name\":\"6d63efa6-7c25-4bd4-a486-aa6bf50fde8a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"// Add non-approved user principal names or apps to the list below to search for their account creation/deletion activity\\n// ex: dynamic([\\\"UPN1\\\", \\\"upn123\\\"])\\nlet nonapproved_users = dynamic([]);\\nlet nonapproved_apps = dynamic([]);\\nAuditLogs\\n| where OperationName =~ \\\"Add user\\\" or OperationName =~ \\\"Delete user\\\"\\n| where Result =~ \\\"success\\\"\\n| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n| extend InitiatingIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\\n| where InitiatingUserPrincipalName has_any (nonapproved_users) or InitiatingAppName has_any (nonapproved_apps)\\n| extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"InitiatingAppName\"},{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAppServicePrincipalId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatingAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatingAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIpAddress\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Account created or deleted by non-approved user\",\"description\":\"Identifies accounts that were created or deleted by a defined list of non-approved user principal names. Add to this list before running the query for accurate results.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2021-10-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f845881e-2500-44dc-8ed7-b372af3e1e25\",\"name\":\"f845881e-2500-44dc-8ed7-b372af3e1e25\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Low\",\"query\":\"let short_uaLength = 5;\\nlet long_uaLength = 1000;\\nlet c_threshold = 100;\\nW3CIISLog\\n// Exclude local IPs as these create noise\\n| where cIP !startswith \\\"192.168.\\\" and cIP != \\\"::1\\\"\\n| where isnotempty(csUserAgent) and csUserAgent !in~ (\\\"-\\\", \\\"MSRPC\\\") and (string_size(csUserAgent) \u003c= short_uaLength or string_size(csUserAgent) \u003e= long_uaLength)\\n| extend csUserAgent_size = string_size(csUserAgent)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ConnectionCount = count() by Computer, sSiteName, sPort, csUserAgent, csUserAgent_size, csUserName , csMethod, csUriStem, sIP, cIP, scStatus, scSubStatus, scWin32Status\\n| where ConnectionCount \u003c c_threshold\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| extend AccountName = tostring(split(csUserName, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(csUserName, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"csUserName\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"cIP\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Anomalous User Agent connection attempt\",\"description\":\"Identifies connection attempts (success or fail) from clients with very short or very long User Agent strings and with less than 100 connection attempts.\",\"lastUpdatedDateUTC\":\"2023-12-28T00:00:00Z\",\"createdDateUTC\":\"2019-02-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d82e1987-4356-4a7b-bc5e-064f29b143c0\",\"name\":\"d82e1987-4356-4a7b-bc5e-064f29b143c0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.6\",\"severity\":\"Medium\",\"query\":\"(union isfuzzy=true \\n(SecurityEvent\\n| where EventID == 4688\\n| where Process =~ \u0027rundll32.exe\u0027 \\n| where CommandLine has_all (\u0027Execute\u0027,\u0027RegRead\u0027,\u0027window.close\u0027)\\n| project TimeGenerated, Computer, SubjectAccount = Account, SubjectUserName, SubjectDomainName, SubjectUserSid, Process, ProcessId, NewProcessName, CommandLine, ParentProcessName, _ResourceId\\n),\\n(WindowsEvent\\n| where EventID == 4688 and EventData has \u0027rundll32.exe\u0027 and EventData has_any (\u0027Execute\u0027,\u0027RegRead\u0027,\u0027window.close\u0027)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where Process =~ \u0027rundll32.exe\u0027 \\n| extend CommandLine = tostring(EventData.CommandLine)\\n| where CommandLine has_all (\u0027Execute\u0027,\u0027RegRead\u0027,\u0027window.close\u0027)\\n| extend SubjectAccount = strcat(EventData.SubjectDomainName,\\\"\\\\\\\\\\\", EventData.SubjectUserName)\\n| extend ParentProcessName = tostring(EventData.ParentProcessName) \\n| project TimeGenerated, Computer, SubjectAccount, SubjectUserName = tostring(EventData.SubjectUserName), SubjectDomainName = tostring(EventData.SubjectDomainName), SubjectUserSid = tostring(EventData.SubjectUserSid), Process, NewProcessName, CommandLine, ParentProcessName, _ResourceId\\n)\\n)\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| project-away DomainIndex\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SubjectAccount\"},{\"identifier\":\"Name\",\"columnName\":\"SubjectUserName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"SubjectDomainName\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Sid\",\"columnName\":\"SubjectUserSid\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Midnight Blizzard - suspicious rundll32.exe execution of vbscript\",\"description\":\"This query idenifies when rundll32.exe executes a specific set of inline VBScript commands\\n References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/\",\"lastUpdatedDateUTC\":\"2024-01-22T00:00:00Z\",\"createdDateUTC\":\"2021-03-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fcb9d75c-c3c1-4910-8697-f136bfef2363\",\"name\":\"fcb9d75c-c3c1-4910-8697-f136bfef2363\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P2D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.6\",\"severity\":\"Low\",\"query\":\"let querystarttime = 2d;\\nlet queryendtime = 1d;\\nlet TimeDeltaThreshold = 10;\\nlet TotalEventsThreshold = 15;\\nlet PercentBeaconThreshold = 80;\\nlet LocalNetworks=dynamic([\\\"169.254.0.0/16\\\",\\\"127.0.0.0/8\\\"]);\\n_Im_NetworkSession(starttime=ago(querystarttime), endtime=ago(queryendtime))\\n| where not(ipv4_is_private(DstIpAddr))\\n| where not (ipv4_is_in_any_range(DstIpAddr, LocalNetworks))\\n| project \\n TimeGenerated\\n , SrcIpAddr\\n , SrcPortNumber\\n , DstIpAddr\\n , DstPortNumber\\n , DstBytes\\n , SrcBytes\\n| sort by \\n SrcIpAddr asc\\n , TimeGenerated asc\\n , DstIpAddr asc\\n , DstPortNumber asc\\n| serialize\\n| extend \\n nextTimeGenerated = next(TimeGenerated, 1)\\n , nextSrcIpAddr = next(SrcIpAddr, 1)\\n| extend \\n TimeDeltainSeconds = datetime_diff(\u0027second\u0027, nextTimeGenerated, TimeGenerated)\\n| where SrcIpAddr == nextSrcIpAddr\\n//Whitelisting criteria/ threshold criteria\\n| where TimeDeltainSeconds \u003e TimeDeltaThreshold \\n| project\\n TimeGenerated\\n , TimeDeltainSeconds\\n , SrcIpAddr\\n , SrcPortNumber\\n , DstIpAddr\\n , DstPortNumber\\n , DstBytes\\n , SrcBytes\\n| summarize\\n count()\\n , sum(DstBytes)\\n , sum(SrcBytes)\\n , make_list(TimeDeltainSeconds) \\n by TimeDeltainSeconds\\n , bin(TimeGenerated, 1h)\\n , SrcIpAddr\\n , DstIpAddr\\n , DstPortNumber\\n| summarize\\n (MostFrequentTimeDeltaCount, MostFrequentTimeDeltainSeconds) = arg_max(count_, TimeDeltainSeconds)\\n , TotalEvents=sum(count_)\\n , TotalSrcBytes = sum(sum_SrcBytes)\\n , TotalDstBytes = sum(sum_DstBytes)\\n by bin(TimeGenerated, 1h)\\n , SrcIpAddr\\n , DstIpAddr\\n , DstPortNumber\\n| where TotalEvents \u003e TotalEventsThreshold \\n| extend BeaconPercent = MostFrequentTimeDeltaCount/toreal(TotalEvents) * 100\\n| where BeaconPercent \u003e PercentBeaconThreshold\",\"customDetails\":{\"DstPortNumber\":\"DstPortNumber\",\"FrequencyCount\":\"TotalSrcBytes\",\"FrequencyTime\":\"MostFrequentTimeDeltaCount\",\"TotalDstBytes\":\"TotalDstBytes\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DstIpAddr\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Potential beaconing from {{SrcIpAddr}} to {{DstIpAddr}}\",\"alertDescriptionFormat\":\"Potential beaconing pattern from a client at address {{SrcIpAddr}} to a server at address {{DstIpAddr}} over port {{DstPortNumber}} identified. Such potential outbound beaconing pattern to untrusted public networks should be investigated for any malware callbacks or data exfiltration attempts as discussed in this [Blog](http://www.austintaylor.io/detect/beaconing/intrusion/detection/system/command/control/flare/elastic/stack/2017/06/10/detect-beaconing-with-flare-elasticsearch-and-intrusion-detection-systems/). The recurring frequency, reported as FrequencyTime in the custom details, and the total transferred volume reported as TotalDstBytes in the custom details, can help to determine the significance of this incident.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Potential beaconing activity (ASIM Network Session schema)\",\"description\":\"This rule identifies beaconing patterns from Network traffic logs based on recurrent frequency patterns. \\nSuch potential outbound beaconing patterns to untrusted public networks should be investigated for any malware callbacks or data exfiltration attempts as discussed in this [Blog](https://medium.com/@HuntOperator/detect-beaconing-with-flare-elastic-stack-and-intrusion-detection-systems-110dc74e0c56).\\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2021-12-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"AzureNSG\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoAsaAma\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]},{\"connectorId\":\"AIVectraStream\",\"dataTypes\":[\"VectraStream\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoMeraki\",\"dataTypes\":[\"Syslog\",\"CiscoMerakiNativePoller\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2fed0668-6d43-4c78-87e6-510f96f12145\",\"name\":\"2fed0668-6d43-4c78-87e6-510f96f12145\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Medium\",\"query\":\"//Finding MDO Security alerts and extracting the Entities user, Domain, Ip, and URL.\\nlet Alert_List= dynamic([\\n\\\"Phishing link click observed in Network Traffic\\\",\\n\\\"Phish delivered due to an IP allow policy\\\",\\n\\\"A potentially malicious URL click was detected\\\",\\n\\\"High Risk Sign-in Observed in Network Traffic\\\",\\n\\\"A user clicked through to a potentially malicious URL\\\",\\n\\\"Suspicious network connection to AitM phishing site\\\",\\n\\\"Messages containing malicious entity not removed after delivery\\\",\\n\\\"Email messages containing malicious URL removed after delivery\\\",\\n\\\"Email reported by user as malware or phish\\\",\\n\\\"Phish delivered due to an ETR override\\\",\\n\\\"Phish not zapped because ZAP is disabled\\\"]);\\nSecurityAlert\\n|where ProviderName in~ (\\\"Office 365 Advanced Threat Protection\\\", \\\"OATP\\\")\\n| where AlertName in~ (Alert_List)\\n//extracting Alert Entities\\n | extend Entities = parse_json(Entities)\\n| mv-apply Entity = Entities on\\n(\\nwhere Entity.Type == \u0027account\u0027\\n| extend EntityUPN = iff(isempty(Entity.UserPrincipalName), tostring(strcat(Entity.Name, \\\"@\\\", tostring (Entity.UPNSuffix))), tostring(Entity.UserPrincipalName))\\n)\\n| mv-apply Entity = Entities on\\n(\\nwhere Entity.Type == \u0027url\u0027\\n| extend EntityUrl = tostring(Entity.Url)\\n)\\n| summarize AccountUpn=tolower(tostring(take_any(EntityUPN))),Url=tostring(tolower(take_any(EntityUrl))),AlertTime= min(TimeGenerated)by SystemAlertId, ProductName\\n// filtering 3pnetwork devices\\n| join kind= inner (CommonSecurityLog\\n| where DeviceVendor has_any (\\\"Palo Alto Networks\\\", \\\"Fortinet\\\", \\\"Check Point\\\", \\\"Zscaler\\\")\\n| where DeviceAction != \\\"Block\\\"\\n| where DeviceProduct startswith \\\"FortiGate\\\" or DeviceProduct startswith \\\"PAN\\\" or DeviceProduct startswith \\\"VPN\\\" or DeviceProduct startswith \\\"FireWall\\\" or DeviceProduct startswith \\\"NSSWeblog\\\" or DeviceProduct startswith \\\"URL\\\"\\n| where isnotempty(RequestURL)\\n| where isnotempty(SourceUserName)\\n| extend SourceUserName = tolower(SourceUserName)\\n| project\\n3plogTime=TimeGenerated,\\nDeviceVendor,\\nDeviceProduct,\\nActivity,\\nDestinationHostName,\\nDestinationIP,\\nRequestURL=tostring(tolower(RequestURL)),\\nMaliciousIP,\\nName = tostring(split(SourceUserName,\\\"@\\\")[0]),\\nUPNSuffix =tostring(split(SourceUserName,\\\"@\\\")[1]),\\nSourceUserName,\\nIndicatorThreatType,\\nThreatSeverity,AdditionalExtensions,\\nThreatConfidence)on $left.Url == $right.RequestURL and $left.AccountUpn == $right.SourceUserName\\n// Applied the condition where alert trigger 1st and then the 3p Network activity execution\\n| where AlertTime between ((3plogTime - 1h) .. (3plogTime + 1h))\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SourceUserName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DestinationIP\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"DestinationHostName\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Phishing link click observed in Network Traffic\",\"description\":\"The purpose of this content is to identify successful phishing links accessed by users. Once a user clicks on a phishing link, we observe successful network activity originating from non-Microsoft network devices. These devices may include Palo Alto Networks, Fortinet, Check Point, and Zscaler devices.\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2023-05-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"OfficeATP\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog (Fortinet)\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog (CheckPoint)\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog (Zscaler)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b9d2eebc-5dcb-4888-8165-900db44443ab\",\"name\":\"b9d2eebc-5dcb-4888-8165-900db44443ab\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"High\",\"query\":\"// Enter a reference list of hostnames for your DC servers\\n//let DCServersList = dynamic ([\\\"DC01.simulandlabs.com\\\",\\\"DC02.simulandlabs.com\\\"]);\\nSecurityEvent\\n//| where Computer in (DCServersList)\\n| where EventID == 4662 and ObjectServer == \u0027DS\u0027\\n| where AccountType != \u0027Machine\u0027\\n| where Properties has \u00271131f6aa-9c07-11d1-f79f-00c04fc2dcd2\u0027 //DS-Replication-Get-Changes\\n or Properties has \u00271131f6ad-9c07-11d1-f79f-00c04fc2dcd2\u0027 //DS-Replication-Get-Changes-All\\n or Properties has \u002789e95b76-444d-4c62-991a-0facbeda640c\u0027 //DS-Replication-Get-Changes-In-Filtered-Set\\n| project TimeGenerated, Account, Activity, Properties, SubjectLogonId, Computer\\n| join kind=leftouter\\n(\\n SecurityEvent\\n //| where Computer in (DCServersList)\\n | where EventID == 4624 and LogonType == 3\\n | where AccountType != \u0027Machine\u0027\\n | project TargetLogonId, IpAddress\\n)\\non $left.SubjectLogonId == $right.TargetLogonId\\n| project-reorder TimeGenerated, Computer, Account, IpAddress\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| extend AccountName = tostring(split(Account, \\\"\\\\\\\\\\\")[0]), AccountNTDomain = tostring(split(Account, \\\"\\\\\\\\\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Non Domain Controller Active Directory Replication\",\"description\":\"This query detects potential attempts by non-computer accounts (non domain controllers) to retrieve/synchronize an active directory object leveraging directory replication services (DRS).\\nA Domain Controller (computer account) would usually be performing these actions in a domain environment. Another detection rule can be created to cover domain controllers accounts doing at rare times.\\nA domain user with privileged permissions to use directory replication services is rare.\",\"lastUpdatedDateUTC\":\"2024-02-08T00:00:00Z\",\"createdDateUTC\":\"2021-05-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/276d5190-38de-4eb2-9933-b3b72f4a5737\",\"name\":\"276d5190-38de-4eb2-9933-b3b72f4a5737\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P2D\",\"queryPeriod\":\"P2D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"// In User \u0026 Groups and in Applications, the following \\\"AccessType\\\" values in columns PremodifiedInboundSettings and ModifiedInboundSettings are interpreted accordingly\\n// When Access Type in premodified inbound settings value was 1 that means that the initial access was allowed. When Access Type in premodified inbound settings value was 2 that means that the initial access was blocked.\\n// When Access Type in modified inbound settings value is 1 that means that now access is allowed. When Access Type in modified inbound settings value is 2 that means that now access is blocked.\\nAuditLogs\\n| where OperationName has \\\"Update a partner cross-tenant access setting\\\"\\n| mv-apply TargetResource = TargetResources on\\n (\\n where TargetResource.type =~ \\\"Policy\\\"\\n | extend Properties = TargetResource.modifiedProperties\\n )\\n| mv-apply Property = Properties on\\n (\\n where Property.displayName =~ \\\"b2bDirectConnectInbound\\\"\\n | extend PremodifiedInboundSettings = trim(\u0027\\\"\u0027,tostring(Property.oldValue)),\\n ModifiedInboundSettings = trim(@\u0027\\\"\u0027,tostring(Property.newValue))\\n )\\n| where PremodifiedInboundSettings != ModifiedInboundSettings\\n| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n| extend InitiatingIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\\n| extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"InitiatingAppName\"},{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAppServicePrincipalId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatingAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatingAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIpAddress\"}]}],\"tactics\":[\"InitialAccess\",\"Persistence\",\"Discovery\"],\"displayName\":\"Cross-tenant Access Settings Organization Inbound Direct Settings Changed\",\"description\":\"Organizations are added in the Cross-tenant Access Settings to control communication inbound or outbound for users and applications. This detection notifies when Organization Inbound Direct Settings are changed for \\\"Users \u0026 Groups\\\" and for \\\"Applications\\\".\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-10-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/86a036b2-3686-42eb-b417-909fc0867771\",\"name\":\"86a036b2-3686-42eb-b417-909fc0867771\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.3\",\"severity\":\"Medium\",\"query\":\"AzureActivity\\n| where CategoryValue =~ \u0027Administrative\u0027\\n| where ResourceProviderValue =~ \u0027Microsoft.ADHybridHealthService\u0027\\n| where _ResourceId has \u0027AdFederationService\u0027\\n| where OperationNameValue =~ \u0027Microsoft.ADHybridHealthService/services/delete\u0027\\n| extend claimsJson = parse_json(Claims)\\n| extend AppId = tostring(claimsJson.appid), AccountName = tostring(claimsJson.name), Name = tostring(split(Caller,\u0027@\u0027,0)[0]), UPNSuffix = tostring(split(Caller,\u0027@\u0027,1)[0])\\n| project-away claimsJson\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Caller\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"CallerIpAddress\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Microsoft Entra ID Hybrid Health AD FS Service Delete\",\"description\":\"This detection uses AzureActivity logs (Administrative category) to identify the deletion of an Microsoft Entra ID Hybrid Health AD FS service instance in a tenant.\\nA threat actor can create a new AD Health ADFS service and create a fake server to spoof AD FS signing logs.\\nThe health AD FS service can then be deleted after it is no longer needed via HTTP requests to Azure.\\nMore information is available in this blog https://o365blog.com/post/hybridhealthagent/\",\"lastUpdatedDateUTC\":\"2024-03-04T00:00:00Z\",\"createdDateUTC\":\"2021-08-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/feb0a2fb-ae75-4343-8cbc-ed545f1da289\",\"name\":\"feb0a2fb-ae75-4343-8cbc-ed545f1da289\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"High\",\"query\":\"let VIPUsers = (IdentityInfo\\n| where AssignedRoles contains \\\"Admin\\\"\\n| summarize by tolower(AccountUPN));\\nAuditLogs\\n| where TimeGenerated \u003e ago(2h)\\n| where Category =~ \\\"UserManagement\\\"\\n| where ActivityDisplayName =~ \\\"User registered security info\\\"\\n| where LoggedByService =~ \\\"Authentication Methods\\\"\\n| extend TargetUserPrincipalName = tostring(TargetResources[0].userPrincipalName)\\n| where tolower(TargetUserPrincipalName) in (VIPUsers)\\n| extend TargetAadUserId = tostring(TargetResources[0].id)\\n| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n| extend InitiatingIPAddress = tostring(InitiatedBy.user.ipAddress)\\n| extend TargetAccountName = tostring(split(TargetUserPrincipalName, \\\"@\\\")[0]), TargetAccountUPNSuffix = tostring(split(TargetUserPrincipalName, \\\"@\\\")[1])\\n| extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"TargetAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"TargetAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"TargetAadUserId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatingAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatingAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIPAddress\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Authentication Method Changed for Privileged Account\",\"description\":\"Identifies authentication methods being changed for a privileged account. This could be an indication of an attacker adding an auth method to the account so they can have continued access.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1\",\"lastUpdatedDateUTC\":\"2024-03-14T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"IdentityInfo\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/95a15f39-d9cc-4667-8cdd-58f3113691c9\",\"name\":\"95a15f39-d9cc-4667-8cdd-58f3113691c9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.5\",\"severity\":\"Medium\",\"query\":\"let lookback = 14d;\\nlet timeframe = 1d;\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e ago(lookback) and TimeGenerated \u003c ago(timeframe)\\n| where EventID == 4688\\n| where ParentProcessName has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| join kind=rightanti (\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where ParentProcessName has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| where EventID == 4688) on NewProcessName\\n),\\n(WindowsEvent\\n| where TimeGenerated \u003e ago(lookback) and TimeGenerated \u003c ago(timeframe)\\n| where EventID == 4688 and EventData has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| where ParentProcessName has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| join kind=rightanti (\\nWindowsEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where EventID == 4688 and EventData has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| where ParentProcessName has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend IpAddress = tostring(EventData.IpAddress)) on NewProcessName\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, \u0027.\u0027))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| extend SubjectUserName = tostring(EventData.SubjectUserName), SubjectDomainName = tostring(EventData.SubjectDomainName)\\n| project-away DomainIndex\\n))\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SubjectAccount\"},{\"identifier\":\"Name\",\"columnName\":\"SubjectUserName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"SubjectDomainName\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Silk Typhoon New UM Service Child Process\",\"description\":\"This query looks for new processes being spawned by the Exchange UM service where that process has not previously been observed before. \\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2021-03-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/09c49590-4e9d-4da9-a34d-17222d0c9e7e\",\"name\":\"09c49590-4e9d-4da9-a34d-17222d0c9e7e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"AlertPerResult\"},\"version\":\"1.1.3\",\"severity\":\"Medium\",\"query\":\"let default_file_ext_blocklist = dynamic([\u0027.ps1\u0027, \u0027.vbs\u0027, \u0027.bat\u0027, \u0027.scr\u0027]); // Update this list as per your requirement\\nlet custom_file_ext_blocklist=toscalar(_GetWatchlist(\u0027RiskyFileTypes\u0027)\\n | extend Extension=column_ifexists(\\\"Extension\\\", \\\"\\\")\\n | where isnotempty(Extension)\\n | summarize make_set(Extension)); // If you have an extensive list, you can also create a Watchlist that includes the file extensions you want to detect\\nlet file_ext_blocklist = array_concat(default_file_ext_blocklist, custom_file_ext_blocklist);\\n_Im_WebSession(starttime=ago(10min), url_has_any=file_ext_blocklist, eventresult=\u0027Success\u0027)\\n| extend requestedFileName=tostring(split(tostring(parse_url(Url)[\\\"Path\\\"]), \u0027/\u0027)[-1])\\n| extend requestedFileExtension=extract(@\u0027(\\\\.\\\\w+)$\u0027, 1, requestedFileName, typeof(string))\\n| where requestedFileExtension in (file_ext_blocklist)\\n| summarize\\n EventStartTime=min(TimeGenerated),\\n EventEndTime=max(TimeGenerated),\\n EventCount=count()\\n by SrcIpAddr, SrcUsername, SrcHostname, requestedFileName, Url\\n| extend\\n Name = iif(SrcUsername contains \\\"@\\\", tostring(split(SrcUsername, \u0027@\u0027, 0)[0]), SrcUsername),\\n UPNSuffix = iif(SrcUsername contains \\\"@\\\", tostring(split(SrcUsername, \u0027@\u0027, 1)[0]), \\\"\\\")\",\"customDetails\":{\"requestedFileExt\":\"requestedFileExtension\",\"Username\":\"SrcUsername\",\"SrcHostname\":\"SrcHostname\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"requestedFileName\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SrcUsername\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Client {{SrcIpAddr}} accessed a URL with potentially harmful extension {{requestedFileExtension}}\",\"alertDescriptionFormat\":\"The client at address {{SrcIpAddr}} accessed the URL {{Url}} that has the extension {{requestedFileExtension}}. Downloading a file with this extension may be harmful and may indicate malicious activity.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"InitialAccess\"],\"displayName\":\"A client made a web request to a potentially harmful file (ASIM Web Session schema)\",\"description\":\"This rule identifies a web request to a URL that holds a file type, including .ps1, .bat, .vbs, and .scr that can be harmful if downloaded. This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema)\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2021-12-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/74ed028d-e392-40b7-baef-e69627bf89d1\",\"name\":\"74ed028d-e392-40b7-baef-e69627bf89d1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.3\",\"severity\":\"High\",\"query\":\"AzureDevOpsAuditing\\n| where OperationName =~ \\\"AuditLog.StreamDisabledByUser\\\"\\n| extend StreamType = tostring(Data.ConsumerType)\\n| project-reorder TimeGenerated, Details, ActorUPN, IpAddress, UserAgent, StreamType\\n| extend timestamp = TimeGenerated\\n| extend AccountName = tostring(split(ActorUPN, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(ActorUPN, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ActorUPN\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"NRT Azure DevOps Audit Stream Disabled\",\"description\":\"Azure DevOps allow for audit logs to be streamed to external storage solutions such as SIEM solutions. An attacker looking to hide malicious Azure DevOps activity from defenders may look to disable data streams before conducting activity and then re-enabling the stream after (so as not to raise data threshold-based alarms). Looking for disabled audit streams can identify this activity, and due to the nature of the action its unlikely to have a high false positive rate.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/18e6a87e-9d06-4a4e-8b59-3469cd49552d\",\"name\":\"18e6a87e-9d06-4a4e-8b59-3469cd49552d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"(union isfuzzy=true \\n(SecurityEvent \\n| where EventID == 4662 // You need to create a SACL on the ADFS Policy Store DKM group for this event to be created. \\n| where ObjectServer == \u0027DS\u0027\\n| where OperationType == \u0027Object Access\u0027\\n//| where ObjectName contains \u0027\u003cGUID of ADFS Policy Store DKM Group object\u0027 This is unique to the domain. Check description for more details.\\n| where ObjectType contains \u00275cb41ed0-0e4c-11d0-a286-00aa003049e2\u0027 // Contact Class\\n| where Properties contains \u00278d3bca50-1d7e-11d0-a081-00aa006c33ed\u0027 // Picture Attribute - Ldap-Display-Name: thumbnailPhoto\\n| extend AccountName = SubjectUserName, AccountDomain = SubjectDomainName\\n| extend timestamp = TimeGenerated, DeviceName = Computer\\n),\\n( WindowsEvent \\n| where EventID == 4662 // You need to create a SACL on the ADFS Policy Store DKM group for this event to be created. \\n| where EventData has_all(\u0027Object Access\u0027, \u00275cb41ed0-0e4c-11d0-a286-00aa003049e2\u0027,\u00278d3bca50-1d7e-11d0-a081-00aa006c33ed\u0027) \\n| extend ObjectServer = tostring(EventData.ObjectServer)\\n| where ObjectServer == \u0027DS\u0027\\n| extend OperationType = tostring(EventData.OperationType)\\n| where OperationType == \u0027Object Access\u0027\\n//| where ObjectName contains \u0027\u003cGUID of ADFS Policy Store DKM Group object\u0027 This is unique to the domain. Check description for more details.\\n| extend ObjectType = tostring(EventData.ObjectType)\\n| where ObjectType contains \u00275cb41ed0-0e4c-11d0-a286-00aa003049e2\u0027 // Contact Class\\n| extend Properties = tostring(EventData.Properties)\\n| where Properties contains \u00278d3bca50-1d7e-11d0-a081-00aa006c33ed\u0027 // Picture Attribute - Ldap-Display-Name: thumbnailPhoto\\n| extend AccountName = tostring(EventData.SubjectUserName), AccountDomain = tostring(EventData.SubjectDomainName)\\n| extend timestamp = TimeGenerated, DeviceName = Computer\\n),\\n(DeviceEvents\\n| where ActionType =~ \\\"LdapSearch\\\"\\n| where AdditionalFields.AttributeList contains \\\"thumbnailPhoto\\\"\\n| where AdditionalFields.DistinguishedName contains \\\"CN=ADFS,CN=Microsoft,CN=Program Data\\\" // Filter results to show only hits related to the ADFS AD container\\n| extend timestamp = TimeGenerated, AccountName = InitiatingProcessAccountName, AccountDomain = InitiatingProcessAccountDomain\\n)\\n)\\n| extend Account = strcat(AccountDomain, \\\"\\\\\\\\\\\", AccountName)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"DeviceName\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"_ResourceId\"}]}],\"tactics\":[\"Collection\"],\"displayName\":\"ADFS DKM Master Key Export\",\"description\":\"Identifies an export of the ADFS DKM Master Key from Active Directory.\\nReferences: https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/, \\nhttps://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html?1\\nTo understand further the details behind this detection, please review the details in the original PR and subequent PR update to this:\\nhttps://github.com/Azure/Azure-Sentinel/pull/1562#issue-551542469\\nhttps://github.com/Azure/Azure-Sentinel/pull/1512#issue-543053339\\n\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2020-12-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceEvents\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}}]}", "isContentBase64": false } }, - "Get-AzSentinelAlertRuleTemplate+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRuleTemplates/f71aba3d-28fb-450b-b192-4e76a83015c8?api-version=2021-09-01-preview+2": { + "Get-AzSentinelAlertRuleTemplate+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/alertRuleTemplates/f71aba3d-28fb-450b-b192-4e76a83015c8?api-version=2021-09-01-preview+2": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRuleTemplates/f71aba3d-28fb-450b-b192-4e76a83015c8?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/alertRuleTemplates/f71aba3d-28fb-450b-b192-4e76a83015c8?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "169" ], - "x-ms-client-request-id": [ "20109495-8ebf-42a5-ad49-66ec6d5ba426" ], + "x-ms-unique-id": [ "12" ], + "x-ms-client-request-id": [ "1812b88a-c1dd-481b-afca-6969153e7dca" ], "CommandName": [ "Get-AzSentinelAlertRuleTemplate" ], "FullCommandName": [ "Get-AzSentinelAlertRuleTemplate_GetViaIdentity" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], + "User-Agent": [ "AzurePowershell/v15.4.0", "PSVersion/v7.6.0", "Az.SecurityInsights/3.2.1" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { @@ -145,21 +157,25 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11988" ], - "x-ms-request-id": [ "55d09391-80ea-4771-ac13-33afa8f5f9aa" ], - "x-ms-correlation-request-id": [ "55d09391-80ea-4771-ac13-33afa8f5f9aa" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160657Z:55d09391-80ea-4771-ac13-33afa8f5f9aa" ], + "Vary": [ "Accept-Encoding" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "1099" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/bd5ff278-0ee9-4ca4-8253-d05f9440dae4" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-ratelimit-remaining-subscription-global-reads": [ "16499" ], + "x-ms-request-id": [ "66860973-747e-4d71-a7d1-691bf7a74892" ], + "x-ms-correlation-request-id": [ "66860973-747e-4d71-a7d1-691bf7a74892" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074412Z:66860973-747e-4d71-a7d1-691bf7a74892" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:06:57 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: 92F02193EF3548BC85500B9C96792EBE Ref B: AMS231020512027 Ref C: 2026-03-25T07:44:11Z" ], + "Date": [ "Wed, 25 Mar 2026 07:44:11 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "2408" ], + "Content-Length": [ "2395" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f71aba3d-28fb-450b-b192-4e76a83015c8\",\"name\":\"f71aba3d-28fb-450b-b192-4e76a83015c8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Fusion\",\"properties\":{\"severity\":\"High\",\"tactics\":[\"Collection\",\"CommandAndControl\",\"CredentialAccess\",\"DefenseEvasion\",\"Discovery\",\"Execution\",\"Exfiltration\",\"Impact\",\"InitialAccess\",\"LateralMovement\",\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Advanced Multistage Attack Detection\",\"description\":\"Microsoft Sentinel uses Fusion, a correlation engine based on scalable machine learning algorithms, to automatically detect multistage attacks by identifying combinations of anomalous behaviors and suspicious activities that are observed at various stages of the kill chain. On the basis of these discoveries, Azure Sentinel generates incidents that would otherwise be very difficult to catch. By design, these incidents are low-volume, high-fidelity, and high-severity, which is why this detection is turned ON by default.\\n\\nSince Fusion correlates multiple signals from various products to detect advanced multistage attacks, successful Fusion detections are presented as Fusion incidents on the Microsoft Sentinel Incidents page. This rule covers the following detections:\\n- Fusion for emerging threats\\n- Fusion for ransomware\\n- Scenario-based Fusion detections (122 scenarios)\\n\\nTo enable these detections, we recommend you configure the following data connectors for best results:\\n- Out-of-the-box anomaly detections\\n- Azure Active Directory Identity Protection\\n- Azure Defender\\n- Azure Defender for IoT\\n- Microsoft 365 Defender\\n- Microsoft Cloud App Security \\n- Microsoft Defender for Endpoint\\n- Microsoft Defender for Identity\\n- Microsoft Defender for Office 365\\n- Scheduled analytics rules, both built-in and those created by your security analysts. Analytics rules must contain kill-chain (tactics) and entity mapping information in order to be used by Fusion.\\n\\nFor the full description of each detection that is supported by Fusion, go to https://aka.ms/SentinelFusion.\",\"lastUpdatedDateUTC\":\"2021-06-09T00:00:00Z\",\"createdDateUTC\":\"2019-07-25T00:00:00Z\",\"status\":\"Installed\",\"alertRulesCreatedByTemplateCount\":1}}", + "Content": "{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f71aba3d-28fb-450b-b192-4e76a83015c8\",\"name\":\"f71aba3d-28fb-450b-b192-4e76a83015c8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Fusion\",\"properties\":{\"severity\":\"High\",\"tactics\":[\"Collection\",\"CommandAndControl\",\"CredentialAccess\",\"DefenseEvasion\",\"Discovery\",\"Execution\",\"Exfiltration\",\"Impact\",\"InitialAccess\",\"LateralMovement\",\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Advanced Multistage Attack Detection\",\"description\":\"Microsoft Sentinel uses Fusion, a correlation engine based on scalable machine learning algorithms, to automatically detect multistage attacks by identifying combinations of anomalous behaviors and suspicious activities that are observed at various stages of the kill chain. On the basis of these discoveries, Azure Sentinel generates incidents that would otherwise be very difficult to catch. By design, these incidents are low-volume, high-fidelity, and high-severity, which is why this detection is turned ON by default.\\n\\nSince Fusion correlates multiple signals from various products to detect advanced multistage attacks, successful Fusion detections are presented as Fusion incidents on the Microsoft Sentinel Incidents page. This rule covers the following detections:\\n- Fusion for emerging threats\\n- Fusion for ransomware\\n- Scenario-based Fusion detections (122 scenarios)\\n\\nTo enable these detections, we recommend you configure the following data connectors for best results:\\n- Out-of-the-box anomaly detections\\n- Microsoft Entra ID Protection\\n- Azure Defender\\n- Azure Defender for IoT\\n- Microsoft 365 Defender\\n- Microsoft Cloud App Security \\n- Microsoft Defender for Endpoint\\n- Microsoft Defender for Identity\\n- Microsoft Defender for Office 365\\n- Scheduled analytics rules, both built-in and those created by your security analysts. Analytics rules must contain kill-chain (tactics) and entity mapping information in order to be used by Fusion.\\n\\nFor the full description of each detection that is supported by Fusion, go to https://aka.ms/SentinelFusion.\",\"lastUpdatedDateUTC\":\"2023-11-02T00:00:00Z\",\"createdDateUTC\":\"2019-07-25T00:00:00Z\",\"status\":\"Installed\",\"alertRulesCreatedByTemplateCount\":1}}", "isContentBase64": false } } diff --git a/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelAutomationRule.Recording.json b/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelAutomationRule.Recording.json index 377d2e1c52ab..7f28cf721d06 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelAutomationRule.Recording.json +++ b/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelAutomationRule.Recording.json @@ -1,17 +1,17 @@ { - "Get-AzSentinelAutomationRule+[NoContext]+List+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/automationRules?api-version=2021-09-01-preview+1": { + "Get-AzSentinelAutomationRule+[NoContext]+List+$GET+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/automationRules?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/automationRules?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/automationRules?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "170" ], - "x-ms-client-request-id": [ "dc3ac4b0-f074-4faa-9d8e-bca5902409b5" ], + "x-ms-unique-id": [ "13" ], + "x-ms-client-request-id": [ "7161d7db-0e4e-43b8-9eff-72dddf628168" ], "CommandName": [ "Get-AzSentinelAutomationRule" ], "FullCommandName": [ "Get-AzSentinelAutomationRule_List" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], + "User-Agent": [ "AzurePowershell/v15.4.0", "PSVersion/v7.6.0", "Az.SecurityInsights/3.2.1" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { @@ -22,37 +22,40 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-resource-requests": [ "499" ], - "x-ms-request-id": [ "180d1e29-97ce-44fa-8a6d-b47ab9835792" ], - "x-ms-correlation-request-id": [ "180d1e29-97ce-44fa-8a6d-b47ab9835792" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160659Z:180d1e29-97ce-44fa-8a6d-b47ab9835792" ], + "Vary": [ "Accept-Encoding" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "1099" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/390cf4df-a319-4684-b88c-9e177ff02bf8" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-request-id": [ "eddf7727-6378-4521-94a9-bb895ac6c390" ], + "x-ms-correlation-request-id": [ "eddf7727-6378-4521-94a9-bb895ac6c390" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074413Z:eddf7727-6378-4521-94a9-bb895ac6c390" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:06:59 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: 13A51DA93F6A4E1A9CBB745DAE063D11 Ref B: AMS231020512027 Ref C: 2026-03-25T07:44:13Z" ], + "Date": [ "Wed, 25 Mar 2026 07:44:12 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "6468" ], + "Content-Length": [ "6398" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"value\":[{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AutomationRules/83662309-d398-4ec5-b6e7-d70c75bb78ac\",\"name\":\"83662309-d398-4ec5-b6e7-d70c75bb78ac\",\"etag\":\"\\\"250093dd-0000-0100-0000-62fbbbc20000\\\"\",\"type\":\"Microsoft.SecurityInsights/AutomationRules\",\"properties\":{\"displayName\":\"GetAutomationRulewp8nv3\",\"order\":1,\"triggeringLogic\":{\"isEnabled\":true,\"triggersOn\":\"Incidents\",\"triggersWhen\":\"Created\",\"conditions\":[]},\"actions\":[{\"order\":1,\"actionType\":\"RunPlaybook\",\"actionConfiguration\":{\"logicAppResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.Logic/workflows/Block-AADUser-Incident\",\"tenantId\":\"d6eebbdd-d77c-465e-b008-4339027b4006\"}}],\"lastModifiedTimeUtc\":\"2022-08-16T15:46:10Z\",\"createdTimeUtc\":\"2022-08-16T15:46:10Z\",\"lastModifiedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"nicholas@zeronetworks.com\"},\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"nicholas@zeronetworks.com\"}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AutomationRules/6e8b42ff-dab7-481f-b764-f853700cc536\",\"name\":\"6e8b42ff-dab7-481f-b764-f853700cc536\",\"etag\":\"\\\"25005be1-0000-0100-0000-62fbbbdf0000\\\"\",\"type\":\"Microsoft.SecurityInsights/AutomationRules\",\"properties\":{\"displayName\":\"RemoveAutomationRule57nxry\",\"order\":1,\"triggeringLogic\":{\"isEnabled\":true,\"triggersOn\":\"Incidents\",\"triggersWhen\":\"Created\",\"conditions\":[]},\"actions\":[{\"order\":1,\"actionType\":\"RunPlaybook\",\"actionConfiguration\":{\"logicAppResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.Logic/workflows/Block-AADUser-Incident\",\"tenantId\":\"d6eebbdd-d77c-465e-b008-4339027b4006\"}}],\"lastModifiedTimeUtc\":\"2022-08-16T15:46:39Z\",\"createdTimeUtc\":\"2022-08-16T15:46:39Z\",\"lastModifiedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"nicholas@zeronetworks.com\"},\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"nicholas@zeronetworks.com\"}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AutomationRules/ab65a956-23b7-44a0-8a32-cb8d62d389d8\",\"name\":\"ab65a956-23b7-44a0-8a32-cb8d62d389d8\",\"etag\":\"\\\"250021e5-0000-0100-0000-62fbbbfe0000\\\"\",\"type\":\"Microsoft.SecurityInsights/AutomationRules\",\"properties\":{\"displayName\":\"RemoveViaIdAutomationRule7s6m8t\",\"order\":1,\"triggeringLogic\":{\"isEnabled\":true,\"triggersOn\":\"Incidents\",\"triggersWhen\":\"Created\",\"conditions\":[]},\"actions\":[{\"order\":1,\"actionType\":\"RunPlaybook\",\"actionConfiguration\":{\"logicAppResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.Logic/workflows/Block-AADUser-Incident\",\"tenantId\":\"d6eebbdd-d77c-465e-b008-4339027b4006\"}}],\"lastModifiedTimeUtc\":\"2022-08-16T15:47:10Z\",\"createdTimeUtc\":\"2022-08-16T15:47:10Z\",\"lastModifiedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"nicholas@zeronetworks.com\"},\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"nicholas@zeronetworks.com\"}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AutomationRules/904a62c7-a082-4674-a749-8dfae3498a35\",\"name\":\"904a62c7-a082-4674-a749-8dfae3498a35\",\"etag\":\"\\\"25003fe8-0000-0100-0000-62fbbc1e0000\\\"\",\"type\":\"Microsoft.SecurityInsights/AutomationRules\",\"properties\":{\"displayName\":\"UpdateAutomationRulefrz5oc\",\"order\":1,\"triggeringLogic\":{\"isEnabled\":true,\"triggersOn\":\"Incidents\",\"triggersWhen\":\"Created\",\"conditions\":[]},\"actions\":[{\"order\":1,\"actionType\":\"RunPlaybook\",\"actionConfiguration\":{\"logicAppResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.Logic/workflows/Block-AADUser-Incident\",\"tenantId\":\"d6eebbdd-d77c-465e-b008-4339027b4006\"}}],\"lastModifiedTimeUtc\":\"2022-08-16T15:47:42Z\",\"createdTimeUtc\":\"2022-08-16T15:47:42Z\",\"lastModifiedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"nicholas@zeronetworks.com\"},\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"nicholas@zeronetworks.com\"}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AutomationRules/409ddeff-88f2-48de-8459-d9170cd1530b\",\"name\":\"409ddeff-88f2-48de-8459-d9170cd1530b\",\"etag\":\"\\\"25008deb-0000-0100-0000-62fbbc480000\\\"\",\"type\":\"Microsoft.SecurityInsights/AutomationRules\",\"properties\":{\"displayName\":\"UpdateViaIdAutomationRulef8mk3y\",\"order\":1,\"triggeringLogic\":{\"isEnabled\":true,\"triggersOn\":\"Incidents\",\"triggersWhen\":\"Created\",\"conditions\":[]},\"actions\":[{\"order\":1,\"actionType\":\"RunPlaybook\",\"actionConfiguration\":{\"logicAppResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.Logic/workflows/Block-AADUser-Incident\",\"tenantId\":\"d6eebbdd-d77c-465e-b008-4339027b4006\"}}],\"lastModifiedTimeUtc\":\"2022-08-16T15:48:24Z\",\"createdTimeUtc\":\"2022-08-16T15:48:24Z\",\"lastModifiedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"nicholas@zeronetworks.com\"},\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"nicholas@zeronetworks.com\"}}}]}", + "Content": "{\"value\":[{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AutomationRules/d8a6f299-eab8-4ef3-ae91-e1c18cb4f997\",\"name\":\"d8a6f299-eab8-4ef3-ae91-e1c18cb4f997\",\"etag\":\"\\\"1600151c-0000-0100-0000-69c38e270000\\\"\",\"type\":\"Microsoft.SecurityInsights/AutomationRules\",\"properties\":{\"displayName\":\"GetAutomationRuleuva9py\",\"order\":1,\"triggeringLogic\":{\"isEnabled\":true,\"triggersOn\":\"Incidents\",\"triggersWhen\":\"Created\",\"conditions\":[]},\"actions\":[{\"order\":1,\"actionType\":\"RunPlaybook\",\"actionConfiguration\":{\"logicAppResourceId\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.Logic/workflows/Block-AADUser-Incident\",\"tenantId\":\"72f988bf-86f1-41af-91ab-2d7cd011db47\"}}],\"lastModifiedTimeUtc\":\"2026-03-25T07:26:31Z\",\"createdTimeUtc\":\"2026-03-25T07:26:31Z\",\"lastModifiedBy\":{\"objectId\":\"6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb\",\"email\":\"t-helezra@microsoft.com\",\"name\":\"Hadas Elezra\",\"userPrincipalName\":\"t-helezra@microsoft.com\"},\"createdBy\":{\"objectId\":\"6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb\",\"email\":\"t-helezra@microsoft.com\",\"name\":\"Hadas Elezra\",\"userPrincipalName\":\"t-helezra@microsoft.com\"}}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AutomationRules/513cdba0-0f4e-4c45-80b8-9ef28a66af2d\",\"name\":\"513cdba0-0f4e-4c45-80b8-9ef28a66af2d\",\"etag\":\"\\\"16003c1c-0000-0100-0000-69c38e2f0000\\\"\",\"type\":\"Microsoft.SecurityInsights/AutomationRules\",\"properties\":{\"displayName\":\"RemoveAutomationRuley4paeg\",\"order\":1,\"triggeringLogic\":{\"isEnabled\":true,\"triggersOn\":\"Incidents\",\"triggersWhen\":\"Created\",\"conditions\":[]},\"actions\":[{\"order\":1,\"actionType\":\"RunPlaybook\",\"actionConfiguration\":{\"logicAppResourceId\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.Logic/workflows/Block-AADUser-Incident\",\"tenantId\":\"72f988bf-86f1-41af-91ab-2d7cd011db47\"}}],\"lastModifiedTimeUtc\":\"2026-03-25T07:26:39Z\",\"createdTimeUtc\":\"2026-03-25T07:26:39Z\",\"lastModifiedBy\":{\"objectId\":\"6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb\",\"email\":\"t-helezra@microsoft.com\",\"name\":\"Hadas Elezra\",\"userPrincipalName\":\"t-helezra@microsoft.com\"},\"createdBy\":{\"objectId\":\"6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb\",\"email\":\"t-helezra@microsoft.com\",\"name\":\"Hadas Elezra\",\"userPrincipalName\":\"t-helezra@microsoft.com\"}}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AutomationRules/ac54957e-9b2d-40fa-89aa-ccb79edb3289\",\"name\":\"ac54957e-9b2d-40fa-89aa-ccb79edb3289\",\"etag\":\"\\\"1600621c-0000-0100-0000-69c38e370000\\\"\",\"type\":\"Microsoft.SecurityInsights/AutomationRules\",\"properties\":{\"displayName\":\"RemoveViaIdAutomationRule4e6a0t\",\"order\":1,\"triggeringLogic\":{\"isEnabled\":true,\"triggersOn\":\"Incidents\",\"triggersWhen\":\"Created\",\"conditions\":[]},\"actions\":[{\"order\":1,\"actionType\":\"RunPlaybook\",\"actionConfiguration\":{\"logicAppResourceId\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.Logic/workflows/Block-AADUser-Incident\",\"tenantId\":\"72f988bf-86f1-41af-91ab-2d7cd011db47\"}}],\"lastModifiedTimeUtc\":\"2026-03-25T07:26:47Z\",\"createdTimeUtc\":\"2026-03-25T07:26:47Z\",\"lastModifiedBy\":{\"objectId\":\"6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb\",\"email\":\"t-helezra@microsoft.com\",\"name\":\"Hadas Elezra\",\"userPrincipalName\":\"t-helezra@microsoft.com\"},\"createdBy\":{\"objectId\":\"6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb\",\"email\":\"t-helezra@microsoft.com\",\"name\":\"Hadas Elezra\",\"userPrincipalName\":\"t-helezra@microsoft.com\"}}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AutomationRules/f7430574-25fa-4e8f-81ba-eb37a11f70db\",\"name\":\"f7430574-25fa-4e8f-81ba-eb37a11f70db\",\"etag\":\"\\\"1600811c-0000-0100-0000-69c38e400000\\\"\",\"type\":\"Microsoft.SecurityInsights/AutomationRules\",\"properties\":{\"displayName\":\"UpdateAutomationRulet3on5c\",\"order\":1,\"triggeringLogic\":{\"isEnabled\":true,\"triggersOn\":\"Incidents\",\"triggersWhen\":\"Created\",\"conditions\":[]},\"actions\":[{\"order\":1,\"actionType\":\"RunPlaybook\",\"actionConfiguration\":{\"logicAppResourceId\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.Logic/workflows/Block-AADUser-Incident\",\"tenantId\":\"72f988bf-86f1-41af-91ab-2d7cd011db47\"}}],\"lastModifiedTimeUtc\":\"2026-03-25T07:26:56Z\",\"createdTimeUtc\":\"2026-03-25T07:26:56Z\",\"lastModifiedBy\":{\"objectId\":\"6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb\",\"email\":\"t-helezra@microsoft.com\",\"name\":\"Hadas Elezra\",\"userPrincipalName\":\"t-helezra@microsoft.com\"},\"createdBy\":{\"objectId\":\"6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb\",\"email\":\"t-helezra@microsoft.com\",\"name\":\"Hadas Elezra\",\"userPrincipalName\":\"t-helezra@microsoft.com\"}}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AutomationRules/ce6a522b-7974-42a1-8c0d-598efe68d70f\",\"name\":\"ce6a522b-7974-42a1-8c0d-598efe68d70f\",\"etag\":\"\\\"1600971c-0000-0100-0000-69c38e480000\\\"\",\"type\":\"Microsoft.SecurityInsights/AutomationRules\",\"properties\":{\"displayName\":\"UpdateViaIdAutomationRulemin70r\",\"order\":1,\"triggeringLogic\":{\"isEnabled\":true,\"triggersOn\":\"Incidents\",\"triggersWhen\":\"Created\",\"conditions\":[]},\"actions\":[{\"order\":1,\"actionType\":\"RunPlaybook\",\"actionConfiguration\":{\"logicAppResourceId\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.Logic/workflows/Block-AADUser-Incident\",\"tenantId\":\"72f988bf-86f1-41af-91ab-2d7cd011db47\"}}],\"lastModifiedTimeUtc\":\"2026-03-25T07:27:04Z\",\"createdTimeUtc\":\"2026-03-25T07:27:04Z\",\"lastModifiedBy\":{\"objectId\":\"6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb\",\"email\":\"t-helezra@microsoft.com\",\"name\":\"Hadas Elezra\",\"userPrincipalName\":\"t-helezra@microsoft.com\"},\"createdBy\":{\"objectId\":\"6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb\",\"email\":\"t-helezra@microsoft.com\",\"name\":\"Hadas Elezra\",\"userPrincipalName\":\"t-helezra@microsoft.com\"}}}]}", "isContentBase64": false } }, - "Get-AzSentinelAutomationRule+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/automationRules/83662309-d398-4ec5-b6e7-d70c75bb78ac?api-version=2021-09-01-preview+1": { + "Get-AzSentinelAutomationRule+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/automationRules/d8a6f299-eab8-4ef3-ae91-e1c18cb4f997?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/automationRules/83662309-d398-4ec5-b6e7-d70c75bb78ac?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/automationRules/d8a6f299-eab8-4ef3-ae91-e1c18cb4f997?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "171" ], - "x-ms-client-request-id": [ "dc4b15ec-d225-4e94-92ef-fb2d0641bfc7" ], + "x-ms-unique-id": [ "14" ], + "x-ms-client-request-id": [ "7f3b19b1-96a6-4ce7-9ea4-b5fcb5ad4025" ], "CommandName": [ "Get-AzSentinelAutomationRule" ], "FullCommandName": [ "Get-AzSentinelAutomationRule_Get" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], + "User-Agent": [ "AzurePowershell/v15.4.0", "PSVersion/v7.6.0", "Az.SecurityInsights/3.2.1" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { @@ -63,37 +66,40 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-resource-requests": [ "498" ], - "x-ms-request-id": [ "e1424f45-4ab1-4a29-8723-1e391f1dc9fd" ], - "x-ms-correlation-request-id": [ "e1424f45-4ab1-4a29-8723-1e391f1dc9fd" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160659Z:e1424f45-4ab1-4a29-8723-1e391f1dc9fd" ], + "Vary": [ "Accept-Encoding" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "1099" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/2500d3d3-fd2b-44fb-af5a-11da6251bf08" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-request-id": [ "24cabcc2-eb0a-4de3-8a34-a80099713143" ], + "x-ms-correlation-request-id": [ "24cabcc2-eb0a-4de3-8a34-a80099713143" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074413Z:24cabcc2-eb0a-4de3-8a34-a80099713143" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:06:59 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: 0D015C34CE544B27AA8A8A9628C2F56E Ref B: AMS231020512027 Ref C: 2026-03-25T07:44:13Z" ], + "Date": [ "Wed, 25 Mar 2026 07:44:13 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "1286" ], + "Content-Length": [ "1272" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AutomationRules/83662309-d398-4ec5-b6e7-d70c75bb78ac\",\"name\":\"83662309-d398-4ec5-b6e7-d70c75bb78ac\",\"etag\":\"\\\"250093dd-0000-0100-0000-62fbbbc20000\\\"\",\"type\":\"Microsoft.SecurityInsights/AutomationRules\",\"properties\":{\"displayName\":\"GetAutomationRulewp8nv3\",\"order\":1,\"triggeringLogic\":{\"isEnabled\":true,\"triggersOn\":\"Incidents\",\"triggersWhen\":\"Created\",\"conditions\":[]},\"actions\":[{\"order\":1,\"actionType\":\"RunPlaybook\",\"actionConfiguration\":{\"logicAppResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.Logic/workflows/Block-AADUser-Incident\",\"tenantId\":\"d6eebbdd-d77c-465e-b008-4339027b4006\"}}],\"lastModifiedTimeUtc\":\"2022-08-16T15:46:10Z\",\"createdTimeUtc\":\"2022-08-16T15:46:10Z\",\"lastModifiedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"nicholas@zeronetworks.com\"},\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"nicholas@zeronetworks.com\"}}}", + "Content": "{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AutomationRules/d8a6f299-eab8-4ef3-ae91-e1c18cb4f997\",\"name\":\"d8a6f299-eab8-4ef3-ae91-e1c18cb4f997\",\"etag\":\"\\\"1600151c-0000-0100-0000-69c38e270000\\\"\",\"type\":\"Microsoft.SecurityInsights/AutomationRules\",\"properties\":{\"displayName\":\"GetAutomationRuleuva9py\",\"order\":1,\"triggeringLogic\":{\"isEnabled\":true,\"triggersOn\":\"Incidents\",\"triggersWhen\":\"Created\",\"conditions\":[]},\"actions\":[{\"order\":1,\"actionType\":\"RunPlaybook\",\"actionConfiguration\":{\"logicAppResourceId\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.Logic/workflows/Block-AADUser-Incident\",\"tenantId\":\"72f988bf-86f1-41af-91ab-2d7cd011db47\"}}],\"lastModifiedTimeUtc\":\"2026-03-25T07:26:31Z\",\"createdTimeUtc\":\"2026-03-25T07:26:31Z\",\"lastModifiedBy\":{\"objectId\":\"6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb\",\"email\":\"t-helezra@microsoft.com\",\"name\":\"Hadas Elezra\",\"userPrincipalName\":\"t-helezra@microsoft.com\"},\"createdBy\":{\"objectId\":\"6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb\",\"email\":\"t-helezra@microsoft.com\",\"name\":\"Hadas Elezra\",\"userPrincipalName\":\"t-helezra@microsoft.com\"}}}", "isContentBase64": false } }, - "Get-AzSentinelAutomationRule+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/automationRules/83662309-d398-4ec5-b6e7-d70c75bb78ac?api-version=2021-09-01-preview+1": { + "Get-AzSentinelAutomationRule+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/automationRules/d8a6f299-eab8-4ef3-ae91-e1c18cb4f997?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/automationRules/83662309-d398-4ec5-b6e7-d70c75bb78ac?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/automationRules/d8a6f299-eab8-4ef3-ae91-e1c18cb4f997?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "172" ], - "x-ms-client-request-id": [ "ac1cd412-7f15-4a1c-95e8-0f97acb6615d" ], + "x-ms-unique-id": [ "15" ], + "x-ms-client-request-id": [ "6891bbeb-8b5f-4d08-9794-3f79c26809b4" ], "CommandName": [ "Get-AzSentinelAutomationRule" ], "FullCommandName": [ "Get-AzSentinelAutomationRule_Get" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], + "User-Agent": [ "AzurePowershell/v15.4.0", "PSVersion/v7.6.0", "Az.SecurityInsights/3.2.1" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { @@ -104,37 +110,40 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-resource-requests": [ "497" ], - "x-ms-request-id": [ "c93d478e-c24d-4a3c-9157-e4527d2c476e" ], - "x-ms-correlation-request-id": [ "c93d478e-c24d-4a3c-9157-e4527d2c476e" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160659Z:c93d478e-c24d-4a3c-9157-e4527d2c476e" ], + "Vary": [ "Accept-Encoding" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "1099" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/7cb9eac3-3f47-4381-9d4f-10329b8f5a6a" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-request-id": [ "c408564f-6c14-4610-bc8d-2e68ce8bdbf9" ], + "x-ms-correlation-request-id": [ "c408564f-6c14-4610-bc8d-2e68ce8bdbf9" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074414Z:c408564f-6c14-4610-bc8d-2e68ce8bdbf9" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:06:59 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: 6CD1C59C72804C0DBDCDA1531AC6643D Ref B: AMS231020512027 Ref C: 2026-03-25T07:44:14Z" ], + "Date": [ "Wed, 25 Mar 2026 07:44:14 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "1286" ], + "Content-Length": [ "1272" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AutomationRules/83662309-d398-4ec5-b6e7-d70c75bb78ac\",\"name\":\"83662309-d398-4ec5-b6e7-d70c75bb78ac\",\"etag\":\"\\\"250093dd-0000-0100-0000-62fbbbc20000\\\"\",\"type\":\"Microsoft.SecurityInsights/AutomationRules\",\"properties\":{\"displayName\":\"GetAutomationRulewp8nv3\",\"order\":1,\"triggeringLogic\":{\"isEnabled\":true,\"triggersOn\":\"Incidents\",\"triggersWhen\":\"Created\",\"conditions\":[]},\"actions\":[{\"order\":1,\"actionType\":\"RunPlaybook\",\"actionConfiguration\":{\"logicAppResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.Logic/workflows/Block-AADUser-Incident\",\"tenantId\":\"d6eebbdd-d77c-465e-b008-4339027b4006\"}}],\"lastModifiedTimeUtc\":\"2022-08-16T15:46:10Z\",\"createdTimeUtc\":\"2022-08-16T15:46:10Z\",\"lastModifiedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"nicholas@zeronetworks.com\"},\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"nicholas@zeronetworks.com\"}}}", + "Content": "{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AutomationRules/d8a6f299-eab8-4ef3-ae91-e1c18cb4f997\",\"name\":\"d8a6f299-eab8-4ef3-ae91-e1c18cb4f997\",\"etag\":\"\\\"1600151c-0000-0100-0000-69c38e270000\\\"\",\"type\":\"Microsoft.SecurityInsights/AutomationRules\",\"properties\":{\"displayName\":\"GetAutomationRuleuva9py\",\"order\":1,\"triggeringLogic\":{\"isEnabled\":true,\"triggersOn\":\"Incidents\",\"triggersWhen\":\"Created\",\"conditions\":[]},\"actions\":[{\"order\":1,\"actionType\":\"RunPlaybook\",\"actionConfiguration\":{\"logicAppResourceId\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.Logic/workflows/Block-AADUser-Incident\",\"tenantId\":\"72f988bf-86f1-41af-91ab-2d7cd011db47\"}}],\"lastModifiedTimeUtc\":\"2026-03-25T07:26:31Z\",\"createdTimeUtc\":\"2026-03-25T07:26:31Z\",\"lastModifiedBy\":{\"objectId\":\"6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb\",\"email\":\"t-helezra@microsoft.com\",\"name\":\"Hadas Elezra\",\"userPrincipalName\":\"t-helezra@microsoft.com\"},\"createdBy\":{\"objectId\":\"6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb\",\"email\":\"t-helezra@microsoft.com\",\"name\":\"Hadas Elezra\",\"userPrincipalName\":\"t-helezra@microsoft.com\"}}}", "isContentBase64": false } }, - "Get-AzSentinelAutomationRule+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/automationRules/83662309-d398-4ec5-b6e7-d70c75bb78ac?api-version=2021-09-01-preview+2": { + "Get-AzSentinelAutomationRule+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/automationRules/d8a6f299-eab8-4ef3-ae91-e1c18cb4f997?api-version=2021-09-01-preview+2": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/automationRules/83662309-d398-4ec5-b6e7-d70c75bb78ac?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/automationRules/d8a6f299-eab8-4ef3-ae91-e1c18cb4f997?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "173" ], - "x-ms-client-request-id": [ "543f96e3-02c1-41e3-b91f-a3c3ff380a23" ], + "x-ms-unique-id": [ "16" ], + "x-ms-client-request-id": [ "a0bc1479-8064-4c4a-856d-8233122d12c4" ], "CommandName": [ "Get-AzSentinelAutomationRule" ], "FullCommandName": [ "Get-AzSentinelAutomationRule_GetViaIdentity" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], + "User-Agent": [ "AzurePowershell/v15.4.0", "PSVersion/v7.6.0", "Az.SecurityInsights/3.2.1" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { @@ -145,21 +154,24 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-resource-requests": [ "496" ], - "x-ms-request-id": [ "79d2c7b5-2a97-400d-9164-e541e7e02f30" ], - "x-ms-correlation-request-id": [ "79d2c7b5-2a97-400d-9164-e541e7e02f30" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160700Z:79d2c7b5-2a97-400d-9164-e541e7e02f30" ], + "Vary": [ "Accept-Encoding" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "1099" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/25f9b82a-1046-41cd-bce1-20d7434e15d4" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-request-id": [ "63982849-b798-49ac-824f-2e5e5ca4ea69" ], + "x-ms-correlation-request-id": [ "63982849-b798-49ac-824f-2e5e5ca4ea69" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074414Z:63982849-b798-49ac-824f-2e5e5ca4ea69" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:06:59 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: 85E268CADB4F47329DE64F371A06676A Ref B: AMS231020512027 Ref C: 2026-03-25T07:44:14Z" ], + "Date": [ "Wed, 25 Mar 2026 07:44:14 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "1286" ], + "Content-Length": [ "1272" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AutomationRules/83662309-d398-4ec5-b6e7-d70c75bb78ac\",\"name\":\"83662309-d398-4ec5-b6e7-d70c75bb78ac\",\"etag\":\"\\\"250093dd-0000-0100-0000-62fbbbc20000\\\"\",\"type\":\"Microsoft.SecurityInsights/AutomationRules\",\"properties\":{\"displayName\":\"GetAutomationRulewp8nv3\",\"order\":1,\"triggeringLogic\":{\"isEnabled\":true,\"triggersOn\":\"Incidents\",\"triggersWhen\":\"Created\",\"conditions\":[]},\"actions\":[{\"order\":1,\"actionType\":\"RunPlaybook\",\"actionConfiguration\":{\"logicAppResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.Logic/workflows/Block-AADUser-Incident\",\"tenantId\":\"d6eebbdd-d77c-465e-b008-4339027b4006\"}}],\"lastModifiedTimeUtc\":\"2022-08-16T15:46:10Z\",\"createdTimeUtc\":\"2022-08-16T15:46:10Z\",\"lastModifiedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"nicholas@zeronetworks.com\"},\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"nicholas@zeronetworks.com\"}}}", + "Content": "{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AutomationRules/d8a6f299-eab8-4ef3-ae91-e1c18cb4f997\",\"name\":\"d8a6f299-eab8-4ef3-ae91-e1c18cb4f997\",\"etag\":\"\\\"1600151c-0000-0100-0000-69c38e270000\\\"\",\"type\":\"Microsoft.SecurityInsights/AutomationRules\",\"properties\":{\"displayName\":\"GetAutomationRuleuva9py\",\"order\":1,\"triggeringLogic\":{\"isEnabled\":true,\"triggersOn\":\"Incidents\",\"triggersWhen\":\"Created\",\"conditions\":[]},\"actions\":[{\"order\":1,\"actionType\":\"RunPlaybook\",\"actionConfiguration\":{\"logicAppResourceId\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.Logic/workflows/Block-AADUser-Incident\",\"tenantId\":\"72f988bf-86f1-41af-91ab-2d7cd011db47\"}}],\"lastModifiedTimeUtc\":\"2026-03-25T07:26:31Z\",\"createdTimeUtc\":\"2026-03-25T07:26:31Z\",\"lastModifiedBy\":{\"objectId\":\"6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb\",\"email\":\"t-helezra@microsoft.com\",\"name\":\"Hadas Elezra\",\"userPrincipalName\":\"t-helezra@microsoft.com\"},\"createdBy\":{\"objectId\":\"6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb\",\"email\":\"t-helezra@microsoft.com\",\"name\":\"Hadas Elezra\",\"userPrincipalName\":\"t-helezra@microsoft.com\"}}}", "isContentBase64": false } } diff --git a/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelBookmark.Recording.json b/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelBookmark.Recording.json index 804ce46ed545..96d9cedd2d03 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelBookmark.Recording.json +++ b/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelBookmark.Recording.json @@ -1,17 +1,17 @@ { - "Get-AzSentinelBookmark+[NoContext]+List+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/bookmarks?api-version=2021-09-01-preview+1": { + "Get-AzSentinelBookmark+[NoContext]+List+$GET+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/bookmarks?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/bookmarks?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/bookmarks?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "174" ], - "x-ms-client-request-id": [ "a5661d2e-bab0-4a03-8f01-b15406bf9c8f" ], + "x-ms-unique-id": [ "17" ], + "x-ms-client-request-id": [ "5bc3fc59-676c-4087-98c1-d0ab1bfd3e64" ], "CommandName": [ "Get-AzSentinelbookmark" ], "FullCommandName": [ "Get-AzSentinelBookmark_List" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], + "User-Agent": [ "AzurePowershell/v15.4.0", "PSVersion/v7.6.0", "Az.SecurityInsights/3.2.1" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { @@ -22,37 +22,41 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11987" ], - "x-ms-request-id": [ "123ed641-d054-405d-bf06-d674d5838eca" ], - "x-ms-correlation-request-id": [ "123ed641-d054-405d-bf06-d674d5838eca" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160700Z:123ed641-d054-405d-bf06-d674d5838eca" ], + "Vary": [ "Accept-Encoding" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "1099" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/1b800a52-8d5b-4fca-a44f-40e20606eb76" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-ratelimit-remaining-subscription-global-reads": [ "16499" ], + "x-ms-request-id": [ "38a25193-2168-461d-979a-d7affc5ea333" ], + "x-ms-correlation-request-id": [ "38a25193-2168-461d-979a-d7affc5ea333" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074416Z:38a25193-2168-461d-979a-d7affc5ea333" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:07:00 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: 4780506B98DB487894ED50D4BA1FAB7B Ref B: AMS231020512027 Ref C: 2026-03-25T07:44:15Z" ], + "Date": [ "Wed, 25 Mar 2026 07:44:15 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "43838" ], + "Content-Length": [ "43676" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"value\":[{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Bookmarks/52f3c78c-cfbe-42f8-bc38-b87fc8a1d9af\",\"name\":\"52f3c78c-cfbe-42f8-bc38-b87fc8a1d9af\",\"etag\":\"\\\"3c00458a-0000-0100-0000-62fbbc670000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"Getbookmarkzl3she\",\"created\":\"2022-08-16T15:48:55.7948149+00:00\",\"updated\":\"2022-08-16T15:48:55.7948149+00:00\",\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2022-08-16T03:00:00+00:00\",\"notes\":\"Notes go here\",\"labels\":[\"asptest\"],\"query\":\"SigninLogs_CL\",\"queryResult\":\"{\\\"TenantId\\\":\\\"6ad64079-1c3e-4672-bc2d-08df98ad5751\\\",\\\"SourceSystem\\\":\\\"RestAPI\\\",\\\"MG\\\":\\\"\\\",\\\"ManagementGroupName\\\":\\\"\\\",\\\"TimeGenerated\\\":\\\"2021-12-08T03:59:19.262Z\\\",\\\"Computer\\\":\\\"\\\",\\\"RawData\\\":\\\"\\\",\\\"ResourceId\\\":\\\"/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam\\\",\\\"OperationName\\\":\\\"Sign-in activity\\\",\\\"OperationVersion\\\":\\\"1\\\",\\\"Category\\\":\\\"SignInLogs\\\",\\\"ResultType\\\":\\\"0\\\",\\\"ResultSignature\\\":\\\"None\\\",\\\"ResultDescription\\\":\\\"\\\",\\\"DurationMs\\\":0,\\\"CorrelationId\\\":\\\"f9ff9ee8-d565-478b-bc95-8b4f0d468fe1\\\",\\\"Resource\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceGroup\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceProvider\\\":\\\"\\\",\\\"Identity_s\\\":\\\"Adele Vance\\\",\\\"Level\\\":\\\"4\\\",\\\"Location_s\\\":\\\"IL\\\",\\\"AlternateSignInName_s\\\":\\\"\\\",\\\"AppDisplayName_s\\\":\\\"Azure Portal\\\",\\\"AppId_g\\\":\\\"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\\\",\\\"AuthenticationDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"authenticationStepDateTime\\\\\\\": \\\\\\\"2021-04-28T14:08:45.2213421+00:00\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationMethod\\\\\\\": \\\\\\\"Previously satisfied\\\\\\\",\\\\r\\\\n \\\\\\\"succeeded\\\\\\\": true,\\\\r\\\\n \\\\\\\"authenticationStepResultDetail\\\\\\\": \\\\\\\"First factor requirement satisfied by claim in the token\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationStepRequirement\\\\\\\": \\\\\\\"Primary authentication\\\\\\\",\\\\r\\\\n \\\\\\\"StatusSequence\\\\\\\": 0,\\\\r\\\\n \\\\\\\"RequestSequence\\\\\\\": 0\\\\r\\\\n }\\\\r\\\\n]\\\",\\\"AuthenticationMethodsUsed_s\\\":\\\"\\\",\\\"AuthenticationProcessingDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"key\\\\\\\": \\\\\\\"IsCAEToken\\\\\\\",\\\\r\\\\n \\\\\\\"value\\\\\\\": \\\\\\\"False\\\\\\\"\\\\r\\\\n }\\\\r\\\\n]\\\",\\\"AuthenticationRequirement_s\\\":\\\"singleFactorAuthentication\\\",\\\"AuthenticationRequirementPolicies_s\\\":\\\"[]\\\",\\\"ClientAppUsed_s\\\":\\\"Browser\\\",\\\"ConditionalAccessPolicies_dynamic_s\\\":\\\"[{\\\\\\\"enforcedSessionControls\\\\\\\":[],\\\\\\\"conditionsNotSatisfied\\\\\\\":0,\\\\\\\"enforcedGrantControls\\\\\\\":[],\\\\\\\"conditionsSatisfied\\\\\\\":0,\\\\\\\"displayName\\\\\\\":\\\\\\\"Exchange Online Requires Compliant Device\\\\\\\",\\\\\\\"result\\\\\\\":\\\\\\\"notEnabled\\\\\\\",\\\\\\\"id\\\\\\\":\\\\\\\"defb835a-eb9f-4346-a2ca-7a9184867bf1\\\\\\\"}]\\\",\\\"ConditionalAccessPolicies_string_s\\\":\\\"\\\",\\\"ConditionalAccessStatus_s\\\":\\\"notApplied\\\",\\\"CreatedDateTime_UTC__s\\\":\\\"4/28/2021, 2:08:45.221 PM\\\",\\\"DeviceDetail_dynamic_s\\\":\\\"{\\\\\\\"operatingSystem\\\\\\\":\\\\\\\"Windows 10\\\\\\\",\\\\\\\"deviceId\\\\\\\":\\\\\\\"\\\\\\\",\\\\\\\"browser\\\\\\\":\\\\\\\"Edge 90.0.818\\\\\\\"}\\\",\\\"DeviceDetail_string_s\\\":\\\"\\\",\\\"IsInteractive_s\\\":\\\"TRUE\\\",\\\"Id_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"IPAddress\\\":\\\"175.45.176.99\\\",\\\"IsRisky_s\\\":\\\"\\\",\\\"LocationDetails_dynamic_s\\\":\\\"{\\\\\\\"countryOrRegion\\\\\\\":\\\\\\\"IL\\\\\\\",\\\\\\\"geoCoordinates\\\\\\\":{\\\\\\\"longitude\\\\\\\":34.79964828491211,\\\\\\\"latitude\\\\\\\":32.02956008911133},\\\\\\\"state\\\\\\\":\\\\\\\"Tel Aviv\\\\\\\",\\\\\\\"city\\\\\\\":\\\\\\\"Azor\\\\\\\"}\\\",\\\"LocationDetails_string_s\\\":\\\"\\\",\\\"MfaDetail_dynamic_s\\\":\\\"{}\\\",\\\"MfaDetail_string_s\\\":\\\"\\\",\\\"NetworkLocationDetails_s\\\":\\\"[]\\\",\\\"OriginalRequestId_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"ProcessingTimeInMilliseconds_s\\\":\\\"3535\\\",\\\"RiskDetail_s\\\":\\\"none\\\",\\\"RiskEventTypes_s\\\":\\\"[]\\\",\\\"RiskEventTypes_V2_s\\\":\\\"[]\\\",\\\"RiskLevelAggregated_s\\\":\\\"none\\\",\\\"RiskLevelDuringSignIn_s\\\":\\\"none\\\",\\\"RiskState_s\\\":\\\"none\\\",\\\"ResourceDisplayName_s\\\":\\\"Windows Azure Service Management API\\\",\\\"ResourceIdentity_g\\\":\\\"797f4846-ba00-4fd7-ba43-dac1f8f63013\\\",\\\"ServicePrincipalId_s\\\":\\\"\\\",\\\"ServicePrincipalName_s\\\":\\\"\\\",\\\"Status_dynamic_s\\\":\\\"{\\\\\\\"errorCode\\\\\\\":0}\\\",\\\"Status_string_s\\\":\\\"\\\",\\\"TokenIssuerName_s\\\":\\\"\\\",\\\"TokenIssuerType_s\\\":\\\"AzureAD\\\",\\\"UserAgent_s\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49\\\",\\\"UserDisplayName_s\\\":\\\"Adele Vance\\\",\\\"UserId_g\\\":\\\"9b117c67-170e-4aed-9702-658b3fddc889\\\",\\\"UserPrincipalName_s\\\":\\\"adelev@m365x816222.onmicrosoft.com\\\",\\\"AADTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"UserType_s\\\":\\\"Member\\\",\\\"FlaggedForReview_s\\\":\\\"\\\",\\\"SignInIdentifier_s\\\":\\\"\\\",\\\"SignInIdentifierType_s\\\":\\\"\\\",\\\"ResourceTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"HomeTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"Type_s\\\":\\\"SigninLogs\\\",\\\"AdditionalDetails_s\\\":\\\"\\\",\\\"InitiatedBy_s\\\":\\\"\\\",\\\"ResourceIdentity_s\\\":\\\"\\\",\\\"HomeTenantId_s\\\":\\\"\\\",\\\"Type\\\":\\\"SigninLogs_CL\\\",\\\"_ResourceId\\\":\\\"\\\"}\",\"queryStartTime\":\"2022-08-15T03:00:00+00:00\",\"queryEndTime\":\"2022-08-16T03:00:00+00:00\",\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Bookmarks/08b39573-4a73-4ac3-a733-8cd78a538c72\",\"name\":\"08b39573-4a73-4ac3-a733-8cd78a538c72\",\"etag\":\"\\\"3c00488a-0000-0100-0000-62fbbc870000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"Removebookmark2tw3fg\",\"created\":\"2022-08-16T15:49:27.7269514+00:00\",\"updated\":\"2022-08-16T15:49:27.7269514+00:00\",\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2022-08-16T03:00:00+00:00\",\"notes\":\"Notes go here\",\"labels\":[\"asptest\"],\"query\":\"SigninLogs_CL\",\"queryResult\":\"{\\\"TenantId\\\":\\\"6ad64079-1c3e-4672-bc2d-08df98ad5751\\\",\\\"SourceSystem\\\":\\\"RestAPI\\\",\\\"MG\\\":\\\"\\\",\\\"ManagementGroupName\\\":\\\"\\\",\\\"TimeGenerated\\\":\\\"2021-12-08T03:59:19.262Z\\\",\\\"Computer\\\":\\\"\\\",\\\"RawData\\\":\\\"\\\",\\\"ResourceId\\\":\\\"/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam\\\",\\\"OperationName\\\":\\\"Sign-in activity\\\",\\\"OperationVersion\\\":\\\"1\\\",\\\"Category\\\":\\\"SignInLogs\\\",\\\"ResultType\\\":\\\"0\\\",\\\"ResultSignature\\\":\\\"None\\\",\\\"ResultDescription\\\":\\\"\\\",\\\"DurationMs\\\":0,\\\"CorrelationId\\\":\\\"f9ff9ee8-d565-478b-bc95-8b4f0d468fe1\\\",\\\"Resource\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceGroup\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceProvider\\\":\\\"\\\",\\\"Identity_s\\\":\\\"Adele Vance\\\",\\\"Level\\\":\\\"4\\\",\\\"Location_s\\\":\\\"IL\\\",\\\"AlternateSignInName_s\\\":\\\"\\\",\\\"AppDisplayName_s\\\":\\\"Azure Portal\\\",\\\"AppId_g\\\":\\\"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\\\",\\\"AuthenticationDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"authenticationStepDateTime\\\\\\\": \\\\\\\"2021-04-28T14:08:45.2213421+00:00\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationMethod\\\\\\\": \\\\\\\"Previously satisfied\\\\\\\",\\\\r\\\\n \\\\\\\"succeeded\\\\\\\": true,\\\\r\\\\n \\\\\\\"authenticationStepResultDetail\\\\\\\": \\\\\\\"First factor requirement satisfied by claim in the token\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationStepRequirement\\\\\\\": \\\\\\\"Primary authentication\\\\\\\",\\\\r\\\\n \\\\\\\"StatusSequence\\\\\\\": 0,\\\\r\\\\n \\\\\\\"RequestSequence\\\\\\\": 0\\\\r\\\\n }\\\\r\\\\n]\\\",\\\"AuthenticationMethodsUsed_s\\\":\\\"\\\",\\\"AuthenticationProcessingDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"key\\\\\\\": \\\\\\\"IsCAEToken\\\\\\\",\\\\r\\\\n \\\\\\\"value\\\\\\\": \\\\\\\"False\\\\\\\"\\\\r\\\\n }\\\\r\\\\n]\\\",\\\"AuthenticationRequirement_s\\\":\\\"singleFactorAuthentication\\\",\\\"AuthenticationRequirementPolicies_s\\\":\\\"[]\\\",\\\"ClientAppUsed_s\\\":\\\"Browser\\\",\\\"ConditionalAccessPolicies_dynamic_s\\\":\\\"[{\\\\\\\"enforcedSessionControls\\\\\\\":[],\\\\\\\"conditionsNotSatisfied\\\\\\\":0,\\\\\\\"enforcedGrantControls\\\\\\\":[],\\\\\\\"conditionsSatisfied\\\\\\\":0,\\\\\\\"displayName\\\\\\\":\\\\\\\"Exchange Online Requires Compliant Device\\\\\\\",\\\\\\\"result\\\\\\\":\\\\\\\"notEnabled\\\\\\\",\\\\\\\"id\\\\\\\":\\\\\\\"defb835a-eb9f-4346-a2ca-7a9184867bf1\\\\\\\"}]\\\",\\\"ConditionalAccessPolicies_string_s\\\":\\\"\\\",\\\"ConditionalAccessStatus_s\\\":\\\"notApplied\\\",\\\"CreatedDateTime_UTC__s\\\":\\\"4/28/2021, 2:08:45.221 PM\\\",\\\"DeviceDetail_dynamic_s\\\":\\\"{\\\\\\\"operatingSystem\\\\\\\":\\\\\\\"Windows 10\\\\\\\",\\\\\\\"deviceId\\\\\\\":\\\\\\\"\\\\\\\",\\\\\\\"browser\\\\\\\":\\\\\\\"Edge 90.0.818\\\\\\\"}\\\",\\\"DeviceDetail_string_s\\\":\\\"\\\",\\\"IsInteractive_s\\\":\\\"TRUE\\\",\\\"Id_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"IPAddress\\\":\\\"175.45.176.99\\\",\\\"IsRisky_s\\\":\\\"\\\",\\\"LocationDetails_dynamic_s\\\":\\\"{\\\\\\\"countryOrRegion\\\\\\\":\\\\\\\"IL\\\\\\\",\\\\\\\"geoCoordinates\\\\\\\":{\\\\\\\"longitude\\\\\\\":34.79964828491211,\\\\\\\"latitude\\\\\\\":32.02956008911133},\\\\\\\"state\\\\\\\":\\\\\\\"Tel Aviv\\\\\\\",\\\\\\\"city\\\\\\\":\\\\\\\"Azor\\\\\\\"}\\\",\\\"LocationDetails_string_s\\\":\\\"\\\",\\\"MfaDetail_dynamic_s\\\":\\\"{}\\\",\\\"MfaDetail_string_s\\\":\\\"\\\",\\\"NetworkLocationDetails_s\\\":\\\"[]\\\",\\\"OriginalRequestId_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"ProcessingTimeInMilliseconds_s\\\":\\\"3535\\\",\\\"RiskDetail_s\\\":\\\"none\\\",\\\"RiskEventTypes_s\\\":\\\"[]\\\",\\\"RiskEventTypes_V2_s\\\":\\\"[]\\\",\\\"RiskLevelAggregated_s\\\":\\\"none\\\",\\\"RiskLevelDuringSignIn_s\\\":\\\"none\\\",\\\"RiskState_s\\\":\\\"none\\\",\\\"ResourceDisplayName_s\\\":\\\"Windows Azure Service Management API\\\",\\\"ResourceIdentity_g\\\":\\\"797f4846-ba00-4fd7-ba43-dac1f8f63013\\\",\\\"ServicePrincipalId_s\\\":\\\"\\\",\\\"ServicePrincipalName_s\\\":\\\"\\\",\\\"Status_dynamic_s\\\":\\\"{\\\\\\\"errorCode\\\\\\\":0}\\\",\\\"Status_string_s\\\":\\\"\\\",\\\"TokenIssuerName_s\\\":\\\"\\\",\\\"TokenIssuerType_s\\\":\\\"AzureAD\\\",\\\"UserAgent_s\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49\\\",\\\"UserDisplayName_s\\\":\\\"Adele Vance\\\",\\\"UserId_g\\\":\\\"9b117c67-170e-4aed-9702-658b3fddc889\\\",\\\"UserPrincipalName_s\\\":\\\"adelev@m365x816222.onmicrosoft.com\\\",\\\"AADTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"UserType_s\\\":\\\"Member\\\",\\\"FlaggedForReview_s\\\":\\\"\\\",\\\"SignInIdentifier_s\\\":\\\"\\\",\\\"SignInIdentifierType_s\\\":\\\"\\\",\\\"ResourceTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"HomeTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"Type_s\\\":\\\"SigninLogs\\\",\\\"AdditionalDetails_s\\\":\\\"\\\",\\\"InitiatedBy_s\\\":\\\"\\\",\\\"ResourceIdentity_s\\\":\\\"\\\",\\\"HomeTenantId_s\\\":\\\"\\\",\\\"Type\\\":\\\"SigninLogs_CL\\\",\\\"_ResourceId\\\":\\\"\\\"}\",\"queryStartTime\":\"2022-08-15T03:00:00+00:00\",\"queryEndTime\":\"2022-08-16T03:00:00+00:00\",\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Bookmarks/373872c1-6eda-475c-a5ec-f0bfbd39fdf6\",\"name\":\"373872c1-6eda-475c-a5ec-f0bfbd39fdf6\",\"etag\":\"\\\"3c004e8a-0000-0100-0000-62fbbca70000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"RemoveViaIdbookmark1daqtg\",\"created\":\"2022-08-16T15:49:58.9862689+00:00\",\"updated\":\"2022-08-16T15:49:58.9862689+00:00\",\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2022-08-16T03:00:00+00:00\",\"notes\":\"Notes go here\",\"labels\":[\"asptest\"],\"query\":\"SigninLogs_CL\",\"queryResult\":\"{\\\"TenantId\\\":\\\"6ad64079-1c3e-4672-bc2d-08df98ad5751\\\",\\\"SourceSystem\\\":\\\"RestAPI\\\",\\\"MG\\\":\\\"\\\",\\\"ManagementGroupName\\\":\\\"\\\",\\\"TimeGenerated\\\":\\\"2021-12-08T03:59:19.262Z\\\",\\\"Computer\\\":\\\"\\\",\\\"RawData\\\":\\\"\\\",\\\"ResourceId\\\":\\\"/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam\\\",\\\"OperationName\\\":\\\"Sign-in activity\\\",\\\"OperationVersion\\\":\\\"1\\\",\\\"Category\\\":\\\"SignInLogs\\\",\\\"ResultType\\\":\\\"0\\\",\\\"ResultSignature\\\":\\\"None\\\",\\\"ResultDescription\\\":\\\"\\\",\\\"DurationMs\\\":0,\\\"CorrelationId\\\":\\\"f9ff9ee8-d565-478b-bc95-8b4f0d468fe1\\\",\\\"Resource\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceGroup\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceProvider\\\":\\\"\\\",\\\"Identity_s\\\":\\\"Adele Vance\\\",\\\"Level\\\":\\\"4\\\",\\\"Location_s\\\":\\\"IL\\\",\\\"AlternateSignInName_s\\\":\\\"\\\",\\\"AppDisplayName_s\\\":\\\"Azure Portal\\\",\\\"AppId_g\\\":\\\"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\\\",\\\"AuthenticationDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"authenticationStepDateTime\\\\\\\": \\\\\\\"2021-04-28T14:08:45.2213421+00:00\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationMethod\\\\\\\": \\\\\\\"Previously satisfied\\\\\\\",\\\\r\\\\n \\\\\\\"succeeded\\\\\\\": true,\\\\r\\\\n \\\\\\\"authenticationStepResultDetail\\\\\\\": \\\\\\\"First factor requirement satisfied by claim in the token\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationStepRequirement\\\\\\\": \\\\\\\"Primary authentication\\\\\\\",\\\\r\\\\n \\\\\\\"StatusSequence\\\\\\\": 0,\\\\r\\\\n \\\\\\\"RequestSequence\\\\\\\": 0\\\\r\\\\n }\\\\r\\\\n]\\\",\\\"AuthenticationMethodsUsed_s\\\":\\\"\\\",\\\"AuthenticationProcessingDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"key\\\\\\\": \\\\\\\"IsCAEToken\\\\\\\",\\\\r\\\\n \\\\\\\"value\\\\\\\": \\\\\\\"False\\\\\\\"\\\\r\\\\n }\\\\r\\\\n]\\\",\\\"AuthenticationRequirement_s\\\":\\\"singleFactorAuthentication\\\",\\\"AuthenticationRequirementPolicies_s\\\":\\\"[]\\\",\\\"ClientAppUsed_s\\\":\\\"Browser\\\",\\\"ConditionalAccessPolicies_dynamic_s\\\":\\\"[{\\\\\\\"enforcedSessionControls\\\\\\\":[],\\\\\\\"conditionsNotSatisfied\\\\\\\":0,\\\\\\\"enforcedGrantControls\\\\\\\":[],\\\\\\\"conditionsSatisfied\\\\\\\":0,\\\\\\\"displayName\\\\\\\":\\\\\\\"Exchange Online Requires Compliant Device\\\\\\\",\\\\\\\"result\\\\\\\":\\\\\\\"notEnabled\\\\\\\",\\\\\\\"id\\\\\\\":\\\\\\\"defb835a-eb9f-4346-a2ca-7a9184867bf1\\\\\\\"}]\\\",\\\"ConditionalAccessPolicies_string_s\\\":\\\"\\\",\\\"ConditionalAccessStatus_s\\\":\\\"notApplied\\\",\\\"CreatedDateTime_UTC__s\\\":\\\"4/28/2021, 2:08:45.221 PM\\\",\\\"DeviceDetail_dynamic_s\\\":\\\"{\\\\\\\"operatingSystem\\\\\\\":\\\\\\\"Windows 10\\\\\\\",\\\\\\\"deviceId\\\\\\\":\\\\\\\"\\\\\\\",\\\\\\\"browser\\\\\\\":\\\\\\\"Edge 90.0.818\\\\\\\"}\\\",\\\"DeviceDetail_string_s\\\":\\\"\\\",\\\"IsInteractive_s\\\":\\\"TRUE\\\",\\\"Id_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"IPAddress\\\":\\\"175.45.176.99\\\",\\\"IsRisky_s\\\":\\\"\\\",\\\"LocationDetails_dynamic_s\\\":\\\"{\\\\\\\"countryOrRegion\\\\\\\":\\\\\\\"IL\\\\\\\",\\\\\\\"geoCoordinates\\\\\\\":{\\\\\\\"longitude\\\\\\\":34.79964828491211,\\\\\\\"latitude\\\\\\\":32.02956008911133},\\\\\\\"state\\\\\\\":\\\\\\\"Tel Aviv\\\\\\\",\\\\\\\"city\\\\\\\":\\\\\\\"Azor\\\\\\\"}\\\",\\\"LocationDetails_string_s\\\":\\\"\\\",\\\"MfaDetail_dynamic_s\\\":\\\"{}\\\",\\\"MfaDetail_string_s\\\":\\\"\\\",\\\"NetworkLocationDetails_s\\\":\\\"[]\\\",\\\"OriginalRequestId_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"ProcessingTimeInMilliseconds_s\\\":\\\"3535\\\",\\\"RiskDetail_s\\\":\\\"none\\\",\\\"RiskEventTypes_s\\\":\\\"[]\\\",\\\"RiskEventTypes_V2_s\\\":\\\"[]\\\",\\\"RiskLevelAggregated_s\\\":\\\"none\\\",\\\"RiskLevelDuringSignIn_s\\\":\\\"none\\\",\\\"RiskState_s\\\":\\\"none\\\",\\\"ResourceDisplayName_s\\\":\\\"Windows Azure Service Management API\\\",\\\"ResourceIdentity_g\\\":\\\"797f4846-ba00-4fd7-ba43-dac1f8f63013\\\",\\\"ServicePrincipalId_s\\\":\\\"\\\",\\\"ServicePrincipalName_s\\\":\\\"\\\",\\\"Status_dynamic_s\\\":\\\"{\\\\\\\"errorCode\\\\\\\":0}\\\",\\\"Status_string_s\\\":\\\"\\\",\\\"TokenIssuerName_s\\\":\\\"\\\",\\\"TokenIssuerType_s\\\":\\\"AzureAD\\\",\\\"UserAgent_s\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49\\\",\\\"UserDisplayName_s\\\":\\\"Adele Vance\\\",\\\"UserId_g\\\":\\\"9b117c67-170e-4aed-9702-658b3fddc889\\\",\\\"UserPrincipalName_s\\\":\\\"adelev@m365x816222.onmicrosoft.com\\\",\\\"AADTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"UserType_s\\\":\\\"Member\\\",\\\"FlaggedForReview_s\\\":\\\"\\\",\\\"SignInIdentifier_s\\\":\\\"\\\",\\\"SignInIdentifierType_s\\\":\\\"\\\",\\\"ResourceTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"HomeTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"Type_s\\\":\\\"SigninLogs\\\",\\\"AdditionalDetails_s\\\":\\\"\\\",\\\"InitiatedBy_s\\\":\\\"\\\",\\\"ResourceIdentity_s\\\":\\\"\\\",\\\"HomeTenantId_s\\\":\\\"\\\",\\\"Type\\\":\\\"SigninLogs_CL\\\",\\\"_ResourceId\\\":\\\"\\\"}\",\"queryStartTime\":\"2022-08-15T03:00:00+00:00\",\"queryEndTime\":\"2022-08-16T03:00:00+00:00\",\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Bookmarks/4a1c3550-81e9-42ae-8302-a2234a8d3168\",\"name\":\"4a1c3550-81e9-42ae-8302-a2234a8d3168\",\"etag\":\"\\\"3c005b8a-0000-0100-0000-62fbbcc60000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"Updatebookmarkd4t6g3\",\"created\":\"2022-08-16T15:50:30.6003748+00:00\",\"updated\":\"2022-08-16T15:50:30.6003748+00:00\",\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2022-08-16T03:00:00+00:00\",\"notes\":\"Notes go here\",\"labels\":[\"asptest\"],\"query\":\"SigninLogs_CL\",\"queryResult\":\"{\\\"TenantId\\\":\\\"6ad64079-1c3e-4672-bc2d-08df98ad5751\\\",\\\"SourceSystem\\\":\\\"RestAPI\\\",\\\"MG\\\":\\\"\\\",\\\"ManagementGroupName\\\":\\\"\\\",\\\"TimeGenerated\\\":\\\"2021-12-08T03:59:19.262Z\\\",\\\"Computer\\\":\\\"\\\",\\\"RawData\\\":\\\"\\\",\\\"ResourceId\\\":\\\"/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam\\\",\\\"OperationName\\\":\\\"Sign-in activity\\\",\\\"OperationVersion\\\":\\\"1\\\",\\\"Category\\\":\\\"SignInLogs\\\",\\\"ResultType\\\":\\\"0\\\",\\\"ResultSignature\\\":\\\"None\\\",\\\"ResultDescription\\\":\\\"\\\",\\\"DurationMs\\\":0,\\\"CorrelationId\\\":\\\"f9ff9ee8-d565-478b-bc95-8b4f0d468fe1\\\",\\\"Resource\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceGroup\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceProvider\\\":\\\"\\\",\\\"Identity_s\\\":\\\"Adele Vance\\\",\\\"Level\\\":\\\"4\\\",\\\"Location_s\\\":\\\"IL\\\",\\\"AlternateSignInName_s\\\":\\\"\\\",\\\"AppDisplayName_s\\\":\\\"Azure Portal\\\",\\\"AppId_g\\\":\\\"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\\\",\\\"AuthenticationDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"authenticationStepDateTime\\\\\\\": \\\\\\\"2021-04-28T14:08:45.2213421+00:00\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationMethod\\\\\\\": \\\\\\\"Previously satisfied\\\\\\\",\\\\r\\\\n \\\\\\\"succeeded\\\\\\\": true,\\\\r\\\\n \\\\\\\"authenticationStepResultDetail\\\\\\\": \\\\\\\"First factor requirement satisfied by claim in the token\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationStepRequirement\\\\\\\": \\\\\\\"Primary authentication\\\\\\\",\\\\r\\\\n \\\\\\\"StatusSequence\\\\\\\": 0,\\\\r\\\\n \\\\\\\"RequestSequence\\\\\\\": 0\\\\r\\\\n }\\\\r\\\\n]\\\",\\\"AuthenticationMethodsUsed_s\\\":\\\"\\\",\\\"AuthenticationProcessingDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"key\\\\\\\": \\\\\\\"IsCAEToken\\\\\\\",\\\\r\\\\n \\\\\\\"value\\\\\\\": \\\\\\\"False\\\\\\\"\\\\r\\\\n }\\\\r\\\\n]\\\",\\\"AuthenticationRequirement_s\\\":\\\"singleFactorAuthentication\\\",\\\"AuthenticationRequirementPolicies_s\\\":\\\"[]\\\",\\\"ClientAppUsed_s\\\":\\\"Browser\\\",\\\"ConditionalAccessPolicies_dynamic_s\\\":\\\"[{\\\\\\\"enforcedSessionControls\\\\\\\":[],\\\\\\\"conditionsNotSatisfied\\\\\\\":0,\\\\\\\"enforcedGrantControls\\\\\\\":[],\\\\\\\"conditionsSatisfied\\\\\\\":0,\\\\\\\"displayName\\\\\\\":\\\\\\\"Exchange Online Requires Compliant Device\\\\\\\",\\\\\\\"result\\\\\\\":\\\\\\\"notEnabled\\\\\\\",\\\\\\\"id\\\\\\\":\\\\\\\"defb835a-eb9f-4346-a2ca-7a9184867bf1\\\\\\\"}]\\\",\\\"ConditionalAccessPolicies_string_s\\\":\\\"\\\",\\\"ConditionalAccessStatus_s\\\":\\\"notApplied\\\",\\\"CreatedDateTime_UTC__s\\\":\\\"4/28/2021, 2:08:45.221 PM\\\",\\\"DeviceDetail_dynamic_s\\\":\\\"{\\\\\\\"operatingSystem\\\\\\\":\\\\\\\"Windows 10\\\\\\\",\\\\\\\"deviceId\\\\\\\":\\\\\\\"\\\\\\\",\\\\\\\"browser\\\\\\\":\\\\\\\"Edge 90.0.818\\\\\\\"}\\\",\\\"DeviceDetail_string_s\\\":\\\"\\\",\\\"IsInteractive_s\\\":\\\"TRUE\\\",\\\"Id_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"IPAddress\\\":\\\"175.45.176.99\\\",\\\"IsRisky_s\\\":\\\"\\\",\\\"LocationDetails_dynamic_s\\\":\\\"{\\\\\\\"countryOrRegion\\\\\\\":\\\\\\\"IL\\\\\\\",\\\\\\\"geoCoordinates\\\\\\\":{\\\\\\\"longitude\\\\\\\":34.79964828491211,\\\\\\\"latitude\\\\\\\":32.02956008911133},\\\\\\\"state\\\\\\\":\\\\\\\"Tel Aviv\\\\\\\",\\\\\\\"city\\\\\\\":\\\\\\\"Azor\\\\\\\"}\\\",\\\"LocationDetails_string_s\\\":\\\"\\\",\\\"MfaDetail_dynamic_s\\\":\\\"{}\\\",\\\"MfaDetail_string_s\\\":\\\"\\\",\\\"NetworkLocationDetails_s\\\":\\\"[]\\\",\\\"OriginalRequestId_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"ProcessingTimeInMilliseconds_s\\\":\\\"3535\\\",\\\"RiskDetail_s\\\":\\\"none\\\",\\\"RiskEventTypes_s\\\":\\\"[]\\\",\\\"RiskEventTypes_V2_s\\\":\\\"[]\\\",\\\"RiskLevelAggregated_s\\\":\\\"none\\\",\\\"RiskLevelDuringSignIn_s\\\":\\\"none\\\",\\\"RiskState_s\\\":\\\"none\\\",\\\"ResourceDisplayName_s\\\":\\\"Windows Azure Service Management API\\\",\\\"ResourceIdentity_g\\\":\\\"797f4846-ba00-4fd7-ba43-dac1f8f63013\\\",\\\"ServicePrincipalId_s\\\":\\\"\\\",\\\"ServicePrincipalName_s\\\":\\\"\\\",\\\"Status_dynamic_s\\\":\\\"{\\\\\\\"errorCode\\\\\\\":0}\\\",\\\"Status_string_s\\\":\\\"\\\",\\\"TokenIssuerName_s\\\":\\\"\\\",\\\"TokenIssuerType_s\\\":\\\"AzureAD\\\",\\\"UserAgent_s\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49\\\",\\\"UserDisplayName_s\\\":\\\"Adele Vance\\\",\\\"UserId_g\\\":\\\"9b117c67-170e-4aed-9702-658b3fddc889\\\",\\\"UserPrincipalName_s\\\":\\\"adelev@m365x816222.onmicrosoft.com\\\",\\\"AADTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"UserType_s\\\":\\\"Member\\\",\\\"FlaggedForReview_s\\\":\\\"\\\",\\\"SignInIdentifier_s\\\":\\\"\\\",\\\"SignInIdentifierType_s\\\":\\\"\\\",\\\"ResourceTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"HomeTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"Type_s\\\":\\\"SigninLogs\\\",\\\"AdditionalDetails_s\\\":\\\"\\\",\\\"InitiatedBy_s\\\":\\\"\\\",\\\"ResourceIdentity_s\\\":\\\"\\\",\\\"HomeTenantId_s\\\":\\\"\\\",\\\"Type\\\":\\\"SigninLogs_CL\\\",\\\"_ResourceId\\\":\\\"\\\"}\",\"queryStartTime\":\"2022-08-15T03:00:00+00:00\",\"queryEndTime\":\"2022-08-16T03:00:00+00:00\",\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Bookmarks/f568e39a-6323-41ca-ac8e-d240ea7d80f6\",\"name\":\"f568e39a-6323-41ca-ac8e-d240ea7d80f6\",\"etag\":\"\\\"3c00708a-0000-0100-0000-62fbbce50000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"UpdateViaIdbookmarkepkaci\",\"created\":\"2022-08-16T15:51:01.2534922+00:00\",\"updated\":\"2022-08-16T15:51:01.2534922+00:00\",\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2022-08-16T03:00:00+00:00\",\"notes\":\"Notes go here\",\"labels\":[\"asptest\"],\"query\":\"SigninLogs_CL\",\"queryResult\":\"{\\\"TenantId\\\":\\\"6ad64079-1c3e-4672-bc2d-08df98ad5751\\\",\\\"SourceSystem\\\":\\\"RestAPI\\\",\\\"MG\\\":\\\"\\\",\\\"ManagementGroupName\\\":\\\"\\\",\\\"TimeGenerated\\\":\\\"2021-12-08T03:59:19.262Z\\\",\\\"Computer\\\":\\\"\\\",\\\"RawData\\\":\\\"\\\",\\\"ResourceId\\\":\\\"/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam\\\",\\\"OperationName\\\":\\\"Sign-in activity\\\",\\\"OperationVersion\\\":\\\"1\\\",\\\"Category\\\":\\\"SignInLogs\\\",\\\"ResultType\\\":\\\"0\\\",\\\"ResultSignature\\\":\\\"None\\\",\\\"ResultDescription\\\":\\\"\\\",\\\"DurationMs\\\":0,\\\"CorrelationId\\\":\\\"f9ff9ee8-d565-478b-bc95-8b4f0d468fe1\\\",\\\"Resource\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceGroup\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceProvider\\\":\\\"\\\",\\\"Identity_s\\\":\\\"Adele Vance\\\",\\\"Level\\\":\\\"4\\\",\\\"Location_s\\\":\\\"IL\\\",\\\"AlternateSignInName_s\\\":\\\"\\\",\\\"AppDisplayName_s\\\":\\\"Azure Portal\\\",\\\"AppId_g\\\":\\\"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\\\",\\\"AuthenticationDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"authenticationStepDateTime\\\\\\\": \\\\\\\"2021-04-28T14:08:45.2213421+00:00\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationMethod\\\\\\\": \\\\\\\"Previously satisfied\\\\\\\",\\\\r\\\\n \\\\\\\"succeeded\\\\\\\": true,\\\\r\\\\n \\\\\\\"authenticationStepResultDetail\\\\\\\": \\\\\\\"First factor requirement satisfied by claim in the token\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationStepRequirement\\\\\\\": \\\\\\\"Primary authentication\\\\\\\",\\\\r\\\\n \\\\\\\"StatusSequence\\\\\\\": 0,\\\\r\\\\n \\\\\\\"RequestSequence\\\\\\\": 0\\\\r\\\\n }\\\\r\\\\n]\\\",\\\"AuthenticationMethodsUsed_s\\\":\\\"\\\",\\\"AuthenticationProcessingDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"key\\\\\\\": \\\\\\\"IsCAEToken\\\\\\\",\\\\r\\\\n \\\\\\\"value\\\\\\\": \\\\\\\"False\\\\\\\"\\\\r\\\\n }\\\\r\\\\n]\\\",\\\"AuthenticationRequirement_s\\\":\\\"singleFactorAuthentication\\\",\\\"AuthenticationRequirementPolicies_s\\\":\\\"[]\\\",\\\"ClientAppUsed_s\\\":\\\"Browser\\\",\\\"ConditionalAccessPolicies_dynamic_s\\\":\\\"[{\\\\\\\"enforcedSessionControls\\\\\\\":[],\\\\\\\"conditionsNotSatisfied\\\\\\\":0,\\\\\\\"enforcedGrantControls\\\\\\\":[],\\\\\\\"conditionsSatisfied\\\\\\\":0,\\\\\\\"displayName\\\\\\\":\\\\\\\"Exchange Online Requires Compliant Device\\\\\\\",\\\\\\\"result\\\\\\\":\\\\\\\"notEnabled\\\\\\\",\\\\\\\"id\\\\\\\":\\\\\\\"defb835a-eb9f-4346-a2ca-7a9184867bf1\\\\\\\"}]\\\",\\\"ConditionalAccessPolicies_string_s\\\":\\\"\\\",\\\"ConditionalAccessStatus_s\\\":\\\"notApplied\\\",\\\"CreatedDateTime_UTC__s\\\":\\\"4/28/2021, 2:08:45.221 PM\\\",\\\"DeviceDetail_dynamic_s\\\":\\\"{\\\\\\\"operatingSystem\\\\\\\":\\\\\\\"Windows 10\\\\\\\",\\\\\\\"deviceId\\\\\\\":\\\\\\\"\\\\\\\",\\\\\\\"browser\\\\\\\":\\\\\\\"Edge 90.0.818\\\\\\\"}\\\",\\\"DeviceDetail_string_s\\\":\\\"\\\",\\\"IsInteractive_s\\\":\\\"TRUE\\\",\\\"Id_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"IPAddress\\\":\\\"175.45.176.99\\\",\\\"IsRisky_s\\\":\\\"\\\",\\\"LocationDetails_dynamic_s\\\":\\\"{\\\\\\\"countryOrRegion\\\\\\\":\\\\\\\"IL\\\\\\\",\\\\\\\"geoCoordinates\\\\\\\":{\\\\\\\"longitude\\\\\\\":34.79964828491211,\\\\\\\"latitude\\\\\\\":32.02956008911133},\\\\\\\"state\\\\\\\":\\\\\\\"Tel Aviv\\\\\\\",\\\\\\\"city\\\\\\\":\\\\\\\"Azor\\\\\\\"}\\\",\\\"LocationDetails_string_s\\\":\\\"\\\",\\\"MfaDetail_dynamic_s\\\":\\\"{}\\\",\\\"MfaDetail_string_s\\\":\\\"\\\",\\\"NetworkLocationDetails_s\\\":\\\"[]\\\",\\\"OriginalRequestId_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"ProcessingTimeInMilliseconds_s\\\":\\\"3535\\\",\\\"RiskDetail_s\\\":\\\"none\\\",\\\"RiskEventTypes_s\\\":\\\"[]\\\",\\\"RiskEventTypes_V2_s\\\":\\\"[]\\\",\\\"RiskLevelAggregated_s\\\":\\\"none\\\",\\\"RiskLevelDuringSignIn_s\\\":\\\"none\\\",\\\"RiskState_s\\\":\\\"none\\\",\\\"ResourceDisplayName_s\\\":\\\"Windows Azure Service Management API\\\",\\\"ResourceIdentity_g\\\":\\\"797f4846-ba00-4fd7-ba43-dac1f8f63013\\\",\\\"ServicePrincipalId_s\\\":\\\"\\\",\\\"ServicePrincipalName_s\\\":\\\"\\\",\\\"Status_dynamic_s\\\":\\\"{\\\\\\\"errorCode\\\\\\\":0}\\\",\\\"Status_string_s\\\":\\\"\\\",\\\"TokenIssuerName_s\\\":\\\"\\\",\\\"TokenIssuerType_s\\\":\\\"AzureAD\\\",\\\"UserAgent_s\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49\\\",\\\"UserDisplayName_s\\\":\\\"Adele Vance\\\",\\\"UserId_g\\\":\\\"9b117c67-170e-4aed-9702-658b3fddc889\\\",\\\"UserPrincipalName_s\\\":\\\"adelev@m365x816222.onmicrosoft.com\\\",\\\"AADTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"UserType_s\\\":\\\"Member\\\",\\\"FlaggedForReview_s\\\":\\\"\\\",\\\"SignInIdentifier_s\\\":\\\"\\\",\\\"SignInIdentifierType_s\\\":\\\"\\\",\\\"ResourceTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"HomeTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"Type_s\\\":\\\"SigninLogs\\\",\\\"AdditionalDetails_s\\\":\\\"\\\",\\\"InitiatedBy_s\\\":\\\"\\\",\\\"ResourceIdentity_s\\\":\\\"\\\",\\\"HomeTenantId_s\\\":\\\"\\\",\\\"Type\\\":\\\"SigninLogs_CL\\\",\\\"_ResourceId\\\":\\\"\\\"}\",\"queryStartTime\":\"2022-08-15T03:00:00+00:00\",\"queryEndTime\":\"2022-08-16T03:00:00+00:00\",\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Bookmarks/378719c3-1c49-43c4-b5c6-21b943f2139e\",\"name\":\"378719c3-1c49-43c4-b5c6-21b943f2139e\",\"etag\":\"\\\"3c009d8a-0000-0100-0000-62fbbd030000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"Expandbookmarkvclw27\",\"created\":\"2022-08-16T15:51:31.9243187+00:00\",\"updated\":\"2022-08-16T15:51:31.9243187+00:00\",\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2022-08-16T03:00:00+00:00\",\"notes\":\"Notes go here\",\"labels\":[\"asptest\"],\"query\":\"SigninLogs_CL\",\"queryResult\":\"{\\\"TenantId\\\":\\\"6ad64079-1c3e-4672-bc2d-08df98ad5751\\\",\\\"SourceSystem\\\":\\\"RestAPI\\\",\\\"MG\\\":\\\"\\\",\\\"ManagementGroupName\\\":\\\"\\\",\\\"TimeGenerated\\\":\\\"2021-12-08T03:59:19.262Z\\\",\\\"Computer\\\":\\\"\\\",\\\"RawData\\\":\\\"\\\",\\\"ResourceId\\\":\\\"/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam\\\",\\\"OperationName\\\":\\\"Sign-in activity\\\",\\\"OperationVersion\\\":\\\"1\\\",\\\"Category\\\":\\\"SignInLogs\\\",\\\"ResultType\\\":\\\"0\\\",\\\"ResultSignature\\\":\\\"None\\\",\\\"ResultDescription\\\":\\\"\\\",\\\"DurationMs\\\":0,\\\"CorrelationId\\\":\\\"f9ff9ee8-d565-478b-bc95-8b4f0d468fe1\\\",\\\"Resource\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceGroup\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceProvider\\\":\\\"\\\",\\\"Identity_s\\\":\\\"Adele Vance\\\",\\\"Level\\\":\\\"4\\\",\\\"Location_s\\\":\\\"IL\\\",\\\"AlternateSignInName_s\\\":\\\"\\\",\\\"AppDisplayName_s\\\":\\\"Azure Portal\\\",\\\"AppId_g\\\":\\\"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\\\",\\\"AuthenticationDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"authenticationStepDateTime\\\\\\\": \\\\\\\"2021-04-28T14:08:45.2213421+00:00\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationMethod\\\\\\\": \\\\\\\"Previously satisfied\\\\\\\",\\\\r\\\\n \\\\\\\"succeeded\\\\\\\": true,\\\\r\\\\n \\\\\\\"authenticationStepResultDetail\\\\\\\": \\\\\\\"First factor requirement satisfied by claim in the token\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationStepRequirement\\\\\\\": \\\\\\\"Primary authentication\\\\\\\",\\\\r\\\\n \\\\\\\"StatusSequence\\\\\\\": 0,\\\\r\\\\n \\\\\\\"RequestSequence\\\\\\\": 0\\\\r\\\\n }\\\\r\\\\n]\\\",\\\"AuthenticationMethodsUsed_s\\\":\\\"\\\",\\\"AuthenticationProcessingDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"key\\\\\\\": \\\\\\\"IsCAEToken\\\\\\\",\\\\r\\\\n \\\\\\\"value\\\\\\\": \\\\\\\"False\\\\\\\"\\\\r\\\\n }\\\\r\\\\n]\\\",\\\"AuthenticationRequirement_s\\\":\\\"singleFactorAuthentication\\\",\\\"AuthenticationRequirementPolicies_s\\\":\\\"[]\\\",\\\"ClientAppUsed_s\\\":\\\"Browser\\\",\\\"ConditionalAccessPolicies_dynamic_s\\\":\\\"[{\\\\\\\"enforcedSessionControls\\\\\\\":[],\\\\\\\"conditionsNotSatisfied\\\\\\\":0,\\\\\\\"enforcedGrantControls\\\\\\\":[],\\\\\\\"conditionsSatisfied\\\\\\\":0,\\\\\\\"displayName\\\\\\\":\\\\\\\"Exchange Online Requires Compliant Device\\\\\\\",\\\\\\\"result\\\\\\\":\\\\\\\"notEnabled\\\\\\\",\\\\\\\"id\\\\\\\":\\\\\\\"defb835a-eb9f-4346-a2ca-7a9184867bf1\\\\\\\"}]\\\",\\\"ConditionalAccessPolicies_string_s\\\":\\\"\\\",\\\"ConditionalAccessStatus_s\\\":\\\"notApplied\\\",\\\"CreatedDateTime_UTC__s\\\":\\\"4/28/2021, 2:08:45.221 PM\\\",\\\"DeviceDetail_dynamic_s\\\":\\\"{\\\\\\\"operatingSystem\\\\\\\":\\\\\\\"Windows 10\\\\\\\",\\\\\\\"deviceId\\\\\\\":\\\\\\\"\\\\\\\",\\\\\\\"browser\\\\\\\":\\\\\\\"Edge 90.0.818\\\\\\\"}\\\",\\\"DeviceDetail_string_s\\\":\\\"\\\",\\\"IsInteractive_s\\\":\\\"TRUE\\\",\\\"Id_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"IPAddress\\\":\\\"175.45.176.99\\\",\\\"IsRisky_s\\\":\\\"\\\",\\\"LocationDetails_dynamic_s\\\":\\\"{\\\\\\\"countryOrRegion\\\\\\\":\\\\\\\"IL\\\\\\\",\\\\\\\"geoCoordinates\\\\\\\":{\\\\\\\"longitude\\\\\\\":34.79964828491211,\\\\\\\"latitude\\\\\\\":32.02956008911133},\\\\\\\"state\\\\\\\":\\\\\\\"Tel Aviv\\\\\\\",\\\\\\\"city\\\\\\\":\\\\\\\"Azor\\\\\\\"}\\\",\\\"LocationDetails_string_s\\\":\\\"\\\",\\\"MfaDetail_dynamic_s\\\":\\\"{}\\\",\\\"MfaDetail_string_s\\\":\\\"\\\",\\\"NetworkLocationDetails_s\\\":\\\"[]\\\",\\\"OriginalRequestId_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"ProcessingTimeInMilliseconds_s\\\":\\\"3535\\\",\\\"RiskDetail_s\\\":\\\"none\\\",\\\"RiskEventTypes_s\\\":\\\"[]\\\",\\\"RiskEventTypes_V2_s\\\":\\\"[]\\\",\\\"RiskLevelAggregated_s\\\":\\\"none\\\",\\\"RiskLevelDuringSignIn_s\\\":\\\"none\\\",\\\"RiskState_s\\\":\\\"none\\\",\\\"ResourceDisplayName_s\\\":\\\"Windows Azure Service Management API\\\",\\\"ResourceIdentity_g\\\":\\\"797f4846-ba00-4fd7-ba43-dac1f8f63013\\\",\\\"ServicePrincipalId_s\\\":\\\"\\\",\\\"ServicePrincipalName_s\\\":\\\"\\\",\\\"Status_dynamic_s\\\":\\\"{\\\\\\\"errorCode\\\\\\\":0}\\\",\\\"Status_string_s\\\":\\\"\\\",\\\"TokenIssuerName_s\\\":\\\"\\\",\\\"TokenIssuerType_s\\\":\\\"AzureAD\\\",\\\"UserAgent_s\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49\\\",\\\"UserDisplayName_s\\\":\\\"Adele Vance\\\",\\\"UserId_g\\\":\\\"9b117c67-170e-4aed-9702-658b3fddc889\\\",\\\"UserPrincipalName_s\\\":\\\"adelev@m365x816222.onmicrosoft.com\\\",\\\"AADTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"UserType_s\\\":\\\"Member\\\",\\\"FlaggedForReview_s\\\":\\\"\\\",\\\"SignInIdentifier_s\\\":\\\"\\\",\\\"SignInIdentifierType_s\\\":\\\"\\\",\\\"ResourceTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"HomeTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"Type_s\\\":\\\"SigninLogs\\\",\\\"AdditionalDetails_s\\\":\\\"\\\",\\\"InitiatedBy_s\\\":\\\"\\\",\\\"ResourceIdentity_s\\\":\\\"\\\",\\\"HomeTenantId_s\\\":\\\"\\\",\\\"Type\\\":\\\"SigninLogs_CL\\\",\\\"_ResourceId\\\":\\\"\\\"}\",\"queryStartTime\":\"2022-08-15T03:00:00+00:00\",\"queryEndTime\":\"2022-08-16T03:00:00+00:00\",\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Bookmarks/a1dded2a-ff31-44d4-b554-c43992597473\",\"name\":\"a1dded2a-ff31-44d4-b554-c43992597473\",\"etag\":\"\\\"3c00d78a-0000-0100-0000-62fbbd240000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"GetbookmarkRelationBookmarkNamex1qm5r\",\"created\":\"2022-08-16T15:52:04.1929102+00:00\",\"updated\":\"2022-08-16T15:52:04.1929102+00:00\",\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2022-08-16T03:00:00+00:00\",\"notes\":\"Notes go here\",\"labels\":[\"asptest\"],\"query\":\"SecurityEvent\\n| take 1\",\"queryStartTime\":\"2022-08-15T03:00:00+00:00\",\"queryEndTime\":\"2022-08-16T03:00:00+00:00\",\"incidentInfo\":{\"incidentId\":\"7feca4d4-3414-403b-96ad-4cb1d105fec2\",\"title\":\"GetbookmarkRelationIncidentName75xtbo\",\"relationName\":\"01c3e510-2a6e-4d12-8289-7e039cd8af1e\",\"severity\":\"Informational\"}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Bookmarks/b3693620-4305-45cb-97f3-a6894f82288e\",\"name\":\"b3693620-4305-45cb-97f3-a6894f82288e\",\"etag\":\"\\\"3c00eb8a-0000-0100-0000-62fbbd560000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"RemovebookmarkRelationBookmarkNamedz07r4\",\"created\":\"2022-08-16T15:52:53.5670701+00:00\",\"updated\":\"2022-08-16T15:52:53.5670701+00:00\",\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2022-08-16T03:00:00+00:00\",\"notes\":\"Notes go here\",\"labels\":[\"asptest\"],\"query\":\"SecurityEvent\\n| take 1\",\"queryStartTime\":\"2022-08-15T03:00:00+00:00\",\"queryEndTime\":\"2022-08-16T03:00:00+00:00\",\"incidentInfo\":{\"incidentId\":\"fba327a0-b301-4d1c-918c-23aec8e03323\",\"title\":\"RemovebookmarkRelationIncidentNamebfrwvc\",\"relationName\":\"ef983c5e-fe25-44b2-ad14-f37a30558d24\",\"severity\":\"Informational\"}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Bookmarks/72eeef12-d9c9-43e4-9f0c-8b117465ccb9\",\"name\":\"72eeef12-d9c9-43e4-9f0c-8b117465ccb9\",\"etag\":\"\\\"3c00f68a-0000-0100-0000-62fbbd690000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"RemoveViaIdbookmarkRelationBookmarkNamewn153e\",\"created\":\"2022-08-16T15:53:13.2108641+00:00\",\"updated\":\"2022-08-16T15:53:13.2108641+00:00\",\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2022-08-16T03:00:00+00:00\",\"notes\":\"Notes go here\",\"labels\":[\"asptest\"],\"query\":\"SecurityEvent\\n| take 1\",\"queryStartTime\":\"2022-08-15T03:00:00+00:00\",\"queryEndTime\":\"2022-08-16T03:00:00+00:00\",\"incidentInfo\":{\"incidentId\":\"62ce8785-21b2-4262-be4d-5208b35d255a\",\"title\":\"RemoveViaIdbookmarkRelationIncidentName5g6qnd\",\"relationName\":\"c77c1bd8-ffc8-4467-a549-e9114f8913d8\",\"severity\":\"Informational\"}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Bookmarks/a6be05a8-9ad5-44c4-89c5-a9df845dca7e\",\"name\":\"a6be05a8-9ad5-44c4-89c5-a9df845dca7e\",\"etag\":\"\\\"3c00148b-0000-0100-0000-62fbbd8a0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"UpdatebookmarkRelationBookmarkNamedven41\",\"created\":\"2022-08-16T15:53:45.3603597+00:00\",\"updated\":\"2022-08-16T15:53:45.3603597+00:00\",\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2022-08-16T03:00:00+00:00\",\"notes\":\"Notes go here\",\"labels\":[\"asptest\"],\"query\":\"SecurityEvent\\n| take 1\",\"queryStartTime\":\"2022-08-15T03:00:00+00:00\",\"queryEndTime\":\"2022-08-16T03:00:00+00:00\",\"incidentInfo\":{\"incidentId\":\"6f90c814-29fb-4d2d-8188-360a8df4a559\",\"title\":\"UpdatebookmarkRelationIncidentNamedejagn\",\"relationName\":\"17cbbab8-7829-4e80-8775-f71ebcd2ceea\",\"severity\":\"Informational\"}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Bookmarks/327d3f42-a5d6-4bc8-99bc-93cf7b2942c7\",\"name\":\"327d3f42-a5d6-4bc8-99bc-93cf7b2942c7\",\"etag\":\"\\\"3c003a8b-0000-0100-0000-62fbbda80000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"UpdateViaIdbookmarkRelationBookmarkNameconrl0\",\"created\":\"2022-08-16T15:54:16.1711242+00:00\",\"updated\":\"2022-08-16T15:54:16.1711242+00:00\",\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2022-08-16T03:00:00+00:00\",\"notes\":\"Notes go here\",\"labels\":[\"asptest\"],\"query\":\"SecurityEvent\\n| take 1\",\"queryStartTime\":\"2022-08-15T03:00:00+00:00\",\"queryEndTime\":\"2022-08-16T03:00:00+00:00\",\"incidentInfo\":{\"incidentId\":\"68e94645-a3b4-4595-9bfe-0d5370f5c8dd\",\"title\":\"UpdateViaIdbookmarkRelationIncidentNamel2rnui\",\"relationName\":\"5c7863c4-3fba-4c60-87f0-88e5c33a5df8\",\"severity\":\"Informational\"}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Bookmarks/40c54fdc-490c-4164-901e-b95ca08e0a88\",\"name\":\"40c54fdc-490c-4164-901e-b95ca08e0a88\",\"etag\":\"\\\"3c00618c-0000-0100-0000-62fbbfc70000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"GetincidentRelationBookmarkNameu4dakt\",\"created\":\"2022-08-16T16:03:18.3793809+00:00\",\"updated\":\"2022-08-16T16:03:18.3793809+00:00\",\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2022-08-16T04:00:00+00:00\",\"notes\":\"Notes go here\",\"labels\":[\"asptest\"],\"query\":\"SecurityEvent\\n| take 1\",\"queryStartTime\":\"2022-08-15T04:00:00+00:00\",\"queryEndTime\":\"2022-08-16T04:00:00+00:00\",\"incidentInfo\":{\"incidentId\":\"524da4fb-3888-4446-9e92-12183ac2eaab\",\"title\":\"GetincidentRelationIncidentName8sjnvu\",\"relationName\":\"d8e7ac2f-7b68-4110-a408-6dda491cd5d0\",\"severity\":\"Informational\"}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Bookmarks/47097af5-9e05-4584-9e64-99622ff06010\",\"name\":\"47097af5-9e05-4584-9e64-99622ff06010\",\"etag\":\"\\\"3c006e8c-0000-0100-0000-62fbbfe70000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"RemoveincidentRelationBookmarkNamea597s0\",\"created\":\"2022-08-16T16:03:50.4826287+00:00\",\"updated\":\"2022-08-16T16:03:50.4826287+00:00\",\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2022-08-16T04:00:00+00:00\",\"notes\":\"Notes go here\",\"labels\":[\"asptest\"],\"query\":\"SecurityEvent\\n| take 1\",\"queryStartTime\":\"2022-08-15T04:00:00+00:00\",\"queryEndTime\":\"2022-08-16T04:00:00+00:00\",\"incidentInfo\":{\"incidentId\":\"bd3104a8-2b2d-4934-bef4-5fc4c04ef055\",\"title\":\"RemoveincidentRelationIncidentNamecz4ioj\",\"relationName\":\"f05d7fb2-c166-4ecb-aa6b-b97479976971\",\"severity\":\"Informational\"}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Bookmarks/8b4c7333-a754-463f-abd4-0b5b023fb24c\",\"name\":\"8b4c7333-a754-463f-abd4-0b5b023fb24c\",\"etag\":\"\\\"3c007c8c-0000-0100-0000-62fbc0060000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"RemoveViaIdincidentRelationBookmarkNamewtphg4\",\"created\":\"2022-08-16T16:04:22.2932502+00:00\",\"updated\":\"2022-08-16T16:04:22.2932502+00:00\",\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2022-08-16T04:00:00+00:00\",\"notes\":\"Notes go here\",\"labels\":[\"asptest\"],\"query\":\"SecurityEvent\\n| take 1\",\"queryStartTime\":\"2022-08-15T04:00:00+00:00\",\"queryEndTime\":\"2022-08-16T04:00:00+00:00\",\"incidentInfo\":{\"incidentId\":\"b2ae0920-7287-4d85-a609-bf6c7e651630\",\"title\":\"RemoveViaIdincidentRelationIncidentNameg1b6wx\",\"relationName\":\"95c1d6e0-5c11-4329-b715-f24c959f7b04\",\"severity\":\"Informational\"}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Bookmarks/16d92023-404a-4ccb-8e88-9c0522e53419\",\"name\":\"16d92023-404a-4ccb-8e88-9c0522e53419\",\"etag\":\"\\\"3c00808c-0000-0100-0000-62fbc0260000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"UpdateincidentRelationBookmarkName9ayfhe\",\"created\":\"2022-08-16T16:04:54.1199731+00:00\",\"updated\":\"2022-08-16T16:04:54.1199731+00:00\",\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2022-08-16T04:00:00+00:00\",\"notes\":\"Notes go here\",\"labels\":[\"asptest\"],\"query\":\"SecurityEvent\\n| take 1\",\"queryStartTime\":\"2022-08-15T04:00:00+00:00\",\"queryEndTime\":\"2022-08-16T04:00:00+00:00\",\"incidentInfo\":{\"incidentId\":\"20c587be-2ccb-4fd4-aea6-cce3754722dd\",\"title\":\"UpdateincidentRelationIncidentNamegz4803\",\"relationName\":\"f56dcb87-d5c9-4996-9916-6502828a3ae2\",\"severity\":\"Informational\"}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Bookmarks/00406d21-02f5-485c-a859-19a592ab3f1b\",\"name\":\"00406d21-02f5-485c-a859-19a592ab3f1b\",\"etag\":\"\\\"3c00898c-0000-0100-0000-62fbc0450000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"UpdateViaIdincidentRelationBookmarkName635lxu\",\"created\":\"2022-08-16T16:05:24.7436939+00:00\",\"updated\":\"2022-08-16T16:05:24.7436939+00:00\",\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2022-08-16T04:00:00+00:00\",\"notes\":\"Notes go here\",\"labels\":[\"asptest\"],\"query\":\"SecurityEvent\\n| take 1\",\"queryStartTime\":\"2022-08-15T04:00:00+00:00\",\"queryEndTime\":\"2022-08-16T04:00:00+00:00\",\"incidentInfo\":{\"incidentId\":\"e6be0e56-c636-4b4b-9793-6f3c0f345a46\",\"title\":\"UpdateViaIdincidentRelationIncidentNames9xv50\",\"relationName\":\"903fe51d-b375-49c3-bf17-02b25fab1aa4\",\"severity\":\"Informational\"}}}]}", + "Content": "{\"value\":[{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Bookmarks/a55092cc-24ce-41d4-a016-60c3e5797351\",\"name\":\"a55092cc-24ce-41d4-a016-60c3e5797351\",\"etag\":\"\\\"3c00452a-0000-0100-0000-69c38f6d0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"UpdateViaIdincidentRelationBookmarkName10mhan\",\"created\":\"2026-03-25T07:31:56.8381419+00:00\",\"updated\":\"2026-03-25T07:31:56.8381419+00:00\",\"createdBy\":{\"objectId\":\"6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb\",\"email\":\"t-helezra@microsoft.com\",\"name\":\"Hadas Elezra\"},\"updatedBy\":{\"objectId\":\"6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb\",\"email\":\"t-helezra@microsoft.com\",\"name\":\"Hadas Elezra\"},\"eventTime\":\"2026-03-25T07:00:00+00:00\",\"notes\":\"Notes go here\",\"labels\":[\"asptest\"],\"query\":\"SecurityEvent\\n| take 1\",\"queryStartTime\":\"2026-03-24T07:00:00+00:00\",\"queryEndTime\":\"2026-03-25T07:00:00+00:00\",\"incidentInfo\":{\"incidentId\":\"325fdf3f-6dc0-47d2-87b7-cd3a7342672c\",\"title\":\"UpdateViaIdincidentRelationIncidentName4phdfw\",\"relationName\":\"9bbb3889-b1ec-4a18-99b0-abface90c56d\",\"severity\":\"Informational\"}}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Bookmarks/192e1c76-76b2-4c5b-b177-ae3989058ff5\",\"name\":\"192e1c76-76b2-4c5b-b177-ae3989058ff5\",\"etag\":\"\\\"3c003e29-0000-0100-0000-69c38f650000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"UpdateincidentRelationBookmarkName13j7ac\",\"created\":\"2026-03-25T07:31:48.3190892+00:00\",\"updated\":\"2026-03-25T07:31:48.3190892+00:00\",\"createdBy\":{\"objectId\":\"6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb\",\"email\":\"t-helezra@microsoft.com\",\"name\":\"Hadas Elezra\"},\"updatedBy\":{\"objectId\":\"6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb\",\"email\":\"t-helezra@microsoft.com\",\"name\":\"Hadas Elezra\"},\"eventTime\":\"2026-03-25T07:00:00+00:00\",\"notes\":\"Notes go here\",\"labels\":[\"asptest\"],\"query\":\"SecurityEvent\\n| take 1\",\"queryStartTime\":\"2026-03-24T07:00:00+00:00\",\"queryEndTime\":\"2026-03-25T07:00:00+00:00\",\"incidentInfo\":{\"incidentId\":\"9e73b493-03a2-4837-9f25-61a39c8841b8\",\"title\":\"UpdateincidentRelationIncidentNamepxyd1a\",\"relationName\":\"6695e672-3f17-446a-a3ea-f7625b45f1bd\",\"severity\":\"Informational\"}}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Bookmarks/51635f0a-9319-4e6a-b3d9-45bcdfee1f69\",\"name\":\"51635f0a-9319-4e6a-b3d9-45bcdfee1f69\",\"etag\":\"\\\"3c002828-0000-0100-0000-69c38f5d0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"RemoveViaIdincidentRelationBookmarkNameq65xz2\",\"created\":\"2026-03-25T07:31:40.3720245+00:00\",\"updated\":\"2026-03-25T07:31:40.3720245+00:00\",\"createdBy\":{\"objectId\":\"6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb\",\"email\":\"t-helezra@microsoft.com\",\"name\":\"Hadas Elezra\"},\"updatedBy\":{\"objectId\":\"6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb\",\"email\":\"t-helezra@microsoft.com\",\"name\":\"Hadas Elezra\"},\"eventTime\":\"2026-03-25T07:00:00+00:00\",\"notes\":\"Notes go here\",\"labels\":[\"asptest\"],\"query\":\"SecurityEvent\\n| take 1\",\"queryStartTime\":\"2026-03-24T07:00:00+00:00\",\"queryEndTime\":\"2026-03-25T07:00:00+00:00\",\"incidentInfo\":{\"incidentId\":\"edfd97a6-4cb0-4eb8-aa7d-4df47259f318\",\"title\":\"RemoveViaIdincidentRelationIncidentNametqy1nd\",\"relationName\":\"35c38929-6ba9-4b43-a927-697e4b15978b\",\"severity\":\"Informational\"}}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Bookmarks/f46786d6-fcca-42f4-a955-ac942e480594\",\"name\":\"f46786d6-fcca-42f4-a955-ac942e480594\",\"etag\":\"\\\"3c00c026-0000-0100-0000-69c38f540000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"RemoveincidentRelationBookmarkNamequm8ws\",\"created\":\"2026-03-25T07:31:31.7275983+00:00\",\"updated\":\"2026-03-25T07:31:31.7275983+00:00\",\"createdBy\":{\"objectId\":\"6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb\",\"email\":\"t-helezra@microsoft.com\",\"name\":\"Hadas Elezra\"},\"updatedBy\":{\"objectId\":\"6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb\",\"email\":\"t-helezra@microsoft.com\",\"name\":\"Hadas Elezra\"},\"eventTime\":\"2026-03-25T07:00:00+00:00\",\"notes\":\"Notes go here\",\"labels\":[\"asptest\"],\"query\":\"SecurityEvent\\n| take 1\",\"queryStartTime\":\"2026-03-24T07:00:00+00:00\",\"queryEndTime\":\"2026-03-25T07:00:00+00:00\",\"incidentInfo\":{\"incidentId\":\"1a71316d-53cd-4e3e-b964-5089a315a6a7\",\"title\":\"RemoveincidentRelationIncidentNameqeb7h3\",\"relationName\":\"3a03c37e-24a2-4bb8-b680-8b51b0462387\",\"severity\":\"Informational\"}}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Bookmarks/fd69298f-7839-41cf-85aa-4a0a182790c4\",\"name\":\"fd69298f-7839-41cf-85aa-4a0a182790c4\",\"etag\":\"\\\"3c001226-0000-0100-0000-69c38f4d0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"GetincidentRelationBookmarkNamen4atph\",\"created\":\"2026-03-25T07:31:23.9333039+00:00\",\"updated\":\"2026-03-25T07:31:23.9333039+00:00\",\"createdBy\":{\"objectId\":\"6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb\",\"email\":\"t-helezra@microsoft.com\",\"name\":\"Hadas Elezra\"},\"updatedBy\":{\"objectId\":\"6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb\",\"email\":\"t-helezra@microsoft.com\",\"name\":\"Hadas Elezra\"},\"eventTime\":\"2026-03-25T07:00:00+00:00\",\"notes\":\"Notes go here\",\"labels\":[\"asptest\"],\"query\":\"SecurityEvent\\n| take 1\",\"queryStartTime\":\"2026-03-24T07:00:00+00:00\",\"queryEndTime\":\"2026-03-25T07:00:00+00:00\",\"incidentInfo\":{\"incidentId\":\"da7f7404-2a4a-4811-9f0e-fa20649928fa\",\"title\":\"GetincidentRelationIncidentNamesywphe\",\"relationName\":\"7fb245aa-38d5-4660-ad34-72817ce63eed\",\"severity\":\"Informational\"}}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Bookmarks/dc4bf602-cf6f-46e9-b4b6-c43af689a81f\",\"name\":\"dc4bf602-cf6f-46e9-b4b6-c43af689a81f\",\"etag\":\"\\\"3c009b05-0000-0100-0000-69c38ea40000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"UpdateViaIdbookmarkRelationBookmarkNamelhfak8\",\"created\":\"2026-03-25T07:28:35.7710745+00:00\",\"updated\":\"2026-03-25T07:28:35.7710745+00:00\",\"createdBy\":{\"objectId\":\"6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb\",\"email\":\"t-helezra@microsoft.com\",\"name\":\"Hadas Elezra\"},\"updatedBy\":{\"objectId\":\"6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb\",\"email\":\"t-helezra@microsoft.com\",\"name\":\"Hadas Elezra\"},\"eventTime\":\"2026-03-25T07:00:00+00:00\",\"notes\":\"Notes go here\",\"labels\":[\"asptest\"],\"query\":\"SecurityEvent\\n| take 1\",\"queryStartTime\":\"2026-03-24T07:00:00+00:00\",\"queryEndTime\":\"2026-03-25T07:00:00+00:00\",\"incidentInfo\":{\"incidentId\":\"e0a2f9cf-074f-41f7-9cf7-ee2f76903f3e\",\"title\":\"UpdateViaIdbookmarkRelationIncidentNameft7j0l\",\"relationName\":\"b24e558b-b0fc-4f9f-9583-1d4853b0600e\",\"severity\":\"Informational\"}}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Bookmarks/ccaf8264-c8d6-4f67-bba1-b9a29a592313\",\"name\":\"ccaf8264-c8d6-4f67-bba1-b9a29a592313\",\"etag\":\"\\\"3c00f602-0000-0100-0000-69c38e9b0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"UpdatebookmarkRelationBookmarkNamezbxyi8\",\"created\":\"2026-03-25T07:28:26.8124445+00:00\",\"updated\":\"2026-03-25T07:28:26.8124445+00:00\",\"createdBy\":{\"objectId\":\"6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb\",\"email\":\"t-helezra@microsoft.com\",\"name\":\"Hadas Elezra\"},\"updatedBy\":{\"objectId\":\"6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb\",\"email\":\"t-helezra@microsoft.com\",\"name\":\"Hadas Elezra\"},\"eventTime\":\"2026-03-25T07:00:00+00:00\",\"notes\":\"Notes go here\",\"labels\":[\"asptest\"],\"query\":\"SecurityEvent\\n| take 1\",\"queryStartTime\":\"2026-03-24T07:00:00+00:00\",\"queryEndTime\":\"2026-03-25T07:00:00+00:00\",\"incidentInfo\":{\"incidentId\":\"53f5c7e4-34eb-4e33-9c57-9445ffc4cd6a\",\"title\":\"UpdatebookmarkRelationIncidentNameldmxhn\",\"relationName\":\"d16e37b8-a295-4b5e-833c-77e25e6b20d5\",\"severity\":\"Informational\"}}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Bookmarks/f91b4caf-6e2f-4ba2-bf8d-c8fbde102350\",\"name\":\"f91b4caf-6e2f-4ba2-bf8d-c8fbde102350\",\"etag\":\"\\\"3c006101-0000-0100-0000-69c38e920000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"RemoveViaIdbookmarkRelationBookmarkName23c1ow\",\"created\":\"2026-03-25T07:28:18.162764+00:00\",\"updated\":\"2026-03-25T07:28:18.162764+00:00\",\"createdBy\":{\"objectId\":\"6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb\",\"email\":\"t-helezra@microsoft.com\",\"name\":\"Hadas Elezra\"},\"updatedBy\":{\"objectId\":\"6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb\",\"email\":\"t-helezra@microsoft.com\",\"name\":\"Hadas Elezra\"},\"eventTime\":\"2026-03-25T07:00:00+00:00\",\"notes\":\"Notes go here\",\"labels\":[\"asptest\"],\"query\":\"SecurityEvent\\n| take 1\",\"queryStartTime\":\"2026-03-24T07:00:00+00:00\",\"queryEndTime\":\"2026-03-25T07:00:00+00:00\",\"incidentInfo\":{\"incidentId\":\"21818327-2522-4bca-a761-889f6ae7387d\",\"title\":\"RemoveViaIdbookmarkRelationIncidentName3bjron\",\"relationName\":\"e87a0449-54e0-4807-bbfd-780bfbe4e471\",\"severity\":\"Informational\"}}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Bookmarks/5dea8be8-4487-4714-adad-1f935ce6b752\",\"name\":\"5dea8be8-4487-4714-adad-1f935ce6b752\",\"etag\":\"\\\"3c004000-0000-0100-0000-69c38e8b0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"RemovebookmarkRelationBookmarkName35mvue\",\"created\":\"2026-03-25T07:28:10.5065079+00:00\",\"updated\":\"2026-03-25T07:28:10.5065079+00:00\",\"createdBy\":{\"objectId\":\"6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb\",\"email\":\"t-helezra@microsoft.com\",\"name\":\"Hadas Elezra\"},\"updatedBy\":{\"objectId\":\"6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb\",\"email\":\"t-helezra@microsoft.com\",\"name\":\"Hadas Elezra\"},\"eventTime\":\"2026-03-25T07:00:00+00:00\",\"notes\":\"Notes go here\",\"labels\":[\"asptest\"],\"query\":\"SecurityEvent\\n| take 1\",\"queryStartTime\":\"2026-03-24T07:00:00+00:00\",\"queryEndTime\":\"2026-03-25T07:00:00+00:00\",\"incidentInfo\":{\"incidentId\":\"fcdbdca2-668e-499f-8911-a98624615adf\",\"title\":\"RemovebookmarkRelationIncidentNamejmkt5r\",\"relationName\":\"2d1c854b-c1d2-4fd0-ba28-e35aaecc924d\",\"severity\":\"Informational\"}}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Bookmarks/c6d903c8-0407-4cef-9c08-0e3c2be798a1\",\"name\":\"c6d903c8-0407-4cef-9c08-0e3c2be798a1\",\"etag\":\"\\\"3b00c3fd-0000-0100-0000-69c38e820000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"GetbookmarkRelationBookmarkName14vcdt\",\"created\":\"2026-03-25T07:28:02.0336308+00:00\",\"updated\":\"2026-03-25T07:28:02.0336308+00:00\",\"createdBy\":{\"objectId\":\"6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb\",\"email\":\"t-helezra@microsoft.com\",\"name\":\"Hadas Elezra\"},\"updatedBy\":{\"objectId\":\"6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb\",\"email\":\"t-helezra@microsoft.com\",\"name\":\"Hadas Elezra\"},\"eventTime\":\"2026-03-25T07:00:00+00:00\",\"notes\":\"Notes go here\",\"labels\":[\"asptest\"],\"query\":\"SecurityEvent\\n| take 1\",\"queryStartTime\":\"2026-03-24T07:00:00+00:00\",\"queryEndTime\":\"2026-03-25T07:00:00+00:00\",\"incidentInfo\":{\"incidentId\":\"72b20fd5-9297-487f-b5c0-16d443ae9bc9\",\"title\":\"GetbookmarkRelationIncidentNamektmguy\",\"relationName\":\"91ae51f6-b3d6-45da-b7c4-9be2a72da2a3\",\"severity\":\"Informational\"}}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Bookmarks/b188b26a-9e43-4383-ad72-23e85170d0f8\",\"name\":\"b188b26a-9e43-4383-ad72-23e85170d0f8\",\"etag\":\"\\\"3b00f8fb-0000-0100-0000-69c38e780000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"Expandbookmarkv0ifpq\",\"created\":\"2026-03-25T07:27:52.8673343+00:00\",\"updated\":\"2026-03-25T07:27:52.8673343+00:00\",\"createdBy\":{\"objectId\":\"6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb\",\"email\":\"t-helezra@microsoft.com\",\"name\":\"Hadas Elezra\"},\"updatedBy\":{\"objectId\":\"6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb\",\"email\":\"t-helezra@microsoft.com\",\"name\":\"Hadas Elezra\"},\"eventTime\":\"2026-03-25T07:00:00+00:00\",\"notes\":\"Notes go here\",\"labels\":[\"asptest\"],\"query\":\"SigninLogs_CL\",\"queryResult\":\"{\\\"TenantId\\\":\\\"6ad64079-1c3e-4672-bc2d-08df98ad5751\\\",\\\"SourceSystem\\\":\\\"RestAPI\\\",\\\"MG\\\":\\\"\\\",\\\"ManagementGroupName\\\":\\\"\\\",\\\"TimeGenerated\\\":\\\"2021-12-08T03:59:19.262Z\\\",\\\"Computer\\\":\\\"\\\",\\\"RawData\\\":\\\"\\\",\\\"ResourceId\\\":\\\"/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam\\\",\\\"OperationName\\\":\\\"Sign-in activity\\\",\\\"OperationVersion\\\":\\\"1\\\",\\\"Category\\\":\\\"SignInLogs\\\",\\\"ResultType\\\":\\\"0\\\",\\\"ResultSignature\\\":\\\"None\\\",\\\"ResultDescription\\\":\\\"\\\",\\\"DurationMs\\\":0,\\\"CorrelationId\\\":\\\"f9ff9ee8-d565-478b-bc95-8b4f0d468fe1\\\",\\\"Resource\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceGroup\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceProvider\\\":\\\"\\\",\\\"Identity_s\\\":\\\"Adele Vance\\\",\\\"Level\\\":\\\"4\\\",\\\"Location_s\\\":\\\"IL\\\",\\\"AlternateSignInName_s\\\":\\\"\\\",\\\"AppDisplayName_s\\\":\\\"Azure Portal\\\",\\\"AppId_g\\\":\\\"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\\\",\\\"AuthenticationDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"authenticationStepDateTime\\\\\\\": \\\\\\\"2021-04-28T14:08:45.2213421+00:00\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationMethod\\\\\\\": \\\\\\\"Previously satisfied\\\\\\\",\\\\r\\\\n \\\\\\\"succeeded\\\\\\\": true,\\\\r\\\\n \\\\\\\"authenticationStepResultDetail\\\\\\\": \\\\\\\"First factor requirement satisfied by claim in the token\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationStepRequirement\\\\\\\": \\\\\\\"Primary authentication\\\\\\\",\\\\r\\\\n \\\\\\\"StatusSequence\\\\\\\": 0,\\\\r\\\\n \\\\\\\"RequestSequence\\\\\\\": 0\\\\r\\\\n }\\\\r\\\\n]\\\",\\\"AuthenticationMethodsUsed_s\\\":\\\"\\\",\\\"AuthenticationProcessingDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"key\\\\\\\": \\\\\\\"IsCAEToken\\\\\\\",\\\\r\\\\n \\\\\\\"value\\\\\\\": \\\\\\\"False\\\\\\\"\\\\r\\\\n }\\\\r\\\\n]\\\",\\\"AuthenticationRequirement_s\\\":\\\"singleFactorAuthentication\\\",\\\"AuthenticationRequirementPolicies_s\\\":\\\"[]\\\",\\\"ClientAppUsed_s\\\":\\\"Browser\\\",\\\"ConditionalAccessPolicies_dynamic_s\\\":\\\"[{\\\\\\\"enforcedSessionControls\\\\\\\":[],\\\\\\\"conditionsNotSatisfied\\\\\\\":0,\\\\\\\"enforcedGrantControls\\\\\\\":[],\\\\\\\"conditionsSatisfied\\\\\\\":0,\\\\\\\"displayName\\\\\\\":\\\\\\\"Exchange Online Requires Compliant Device\\\\\\\",\\\\\\\"result\\\\\\\":\\\\\\\"notEnabled\\\\\\\",\\\\\\\"id\\\\\\\":\\\\\\\"defb835a-eb9f-4346-a2ca-7a9184867bf1\\\\\\\"}]\\\",\\\"ConditionalAccessPolicies_string_s\\\":\\\"\\\",\\\"ConditionalAccessStatus_s\\\":\\\"notApplied\\\",\\\"CreatedDateTime_UTC__s\\\":\\\"4/28/2021, 2:08:45.221 PM\\\",\\\"DeviceDetail_dynamic_s\\\":\\\"{\\\\\\\"operatingSystem\\\\\\\":\\\\\\\"Windows 10\\\\\\\",\\\\\\\"deviceId\\\\\\\":\\\\\\\"\\\\\\\",\\\\\\\"browser\\\\\\\":\\\\\\\"Edge 90.0.818\\\\\\\"}\\\",\\\"DeviceDetail_string_s\\\":\\\"\\\",\\\"IsInteractive_s\\\":\\\"TRUE\\\",\\\"Id_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"IPAddress\\\":\\\"175.45.176.99\\\",\\\"IsRisky_s\\\":\\\"\\\",\\\"LocationDetails_dynamic_s\\\":\\\"{\\\\\\\"countryOrRegion\\\\\\\":\\\\\\\"IL\\\\\\\",\\\\\\\"geoCoordinates\\\\\\\":{\\\\\\\"longitude\\\\\\\":34.79964828491211,\\\\\\\"latitude\\\\\\\":32.02956008911133},\\\\\\\"state\\\\\\\":\\\\\\\"Tel Aviv\\\\\\\",\\\\\\\"city\\\\\\\":\\\\\\\"Azor\\\\\\\"}\\\",\\\"LocationDetails_string_s\\\":\\\"\\\",\\\"MfaDetail_dynamic_s\\\":\\\"{}\\\",\\\"MfaDetail_string_s\\\":\\\"\\\",\\\"NetworkLocationDetails_s\\\":\\\"[]\\\",\\\"OriginalRequestId_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"ProcessingTimeInMilliseconds_s\\\":\\\"3535\\\",\\\"RiskDetail_s\\\":\\\"none\\\",\\\"RiskEventTypes_s\\\":\\\"[]\\\",\\\"RiskEventTypes_V2_s\\\":\\\"[]\\\",\\\"RiskLevelAggregated_s\\\":\\\"none\\\",\\\"RiskLevelDuringSignIn_s\\\":\\\"none\\\",\\\"RiskState_s\\\":\\\"none\\\",\\\"ResourceDisplayName_s\\\":\\\"Windows Azure Service Management API\\\",\\\"ResourceIdentity_g\\\":\\\"797f4846-ba00-4fd7-ba43-dac1f8f63013\\\",\\\"ServicePrincipalId_s\\\":\\\"\\\",\\\"ServicePrincipalName_s\\\":\\\"\\\",\\\"Status_dynamic_s\\\":\\\"{\\\\\\\"errorCode\\\\\\\":0}\\\",\\\"Status_string_s\\\":\\\"\\\",\\\"TokenIssuerName_s\\\":\\\"\\\",\\\"TokenIssuerType_s\\\":\\\"AzureAD\\\",\\\"UserAgent_s\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49\\\",\\\"UserDisplayName_s\\\":\\\"Adele Vance\\\",\\\"UserId_g\\\":\\\"9b117c67-170e-4aed-9702-658b3fddc889\\\",\\\"UserPrincipalName_s\\\":\\\"adelev@m365x816222.onmicrosoft.com\\\",\\\"AADTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"UserType_s\\\":\\\"Member\\\",\\\"FlaggedForReview_s\\\":\\\"\\\",\\\"SignInIdentifier_s\\\":\\\"\\\",\\\"SignInIdentifierType_s\\\":\\\"\\\",\\\"ResourceTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"HomeTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"Type_s\\\":\\\"SigninLogs\\\",\\\"AdditionalDetails_s\\\":\\\"\\\",\\\"InitiatedBy_s\\\":\\\"\\\",\\\"ResourceIdentity_s\\\":\\\"\\\",\\\"HomeTenantId_s\\\":\\\"\\\",\\\"Type\\\":\\\"SigninLogs_CL\\\",\\\"_ResourceId\\\":\\\"\\\"}\",\"queryStartTime\":\"2026-03-24T07:00:00+00:00\",\"queryEndTime\":\"2026-03-25T07:00:00+00:00\",\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Bookmarks/9d088d39-1dd3-4a55-99d7-48d28a98573c\",\"name\":\"9d088d39-1dd3-4a55-99d7-48d28a98573c\",\"etag\":\"\\\"3b00e5fa-0000-0100-0000-69c38e700000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"UpdateViaIdbookmark9x6s8w\",\"created\":\"2026-03-25T07:27:44.5255216+00:00\",\"updated\":\"2026-03-25T07:27:44.5255216+00:00\",\"createdBy\":{\"objectId\":\"6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb\",\"email\":\"t-helezra@microsoft.com\",\"name\":\"Hadas Elezra\"},\"updatedBy\":{\"objectId\":\"6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb\",\"email\":\"t-helezra@microsoft.com\",\"name\":\"Hadas Elezra\"},\"eventTime\":\"2026-03-25T07:00:00+00:00\",\"notes\":\"Notes go here\",\"labels\":[\"asptest\"],\"query\":\"SigninLogs_CL\",\"queryResult\":\"{\\\"TenantId\\\":\\\"6ad64079-1c3e-4672-bc2d-08df98ad5751\\\",\\\"SourceSystem\\\":\\\"RestAPI\\\",\\\"MG\\\":\\\"\\\",\\\"ManagementGroupName\\\":\\\"\\\",\\\"TimeGenerated\\\":\\\"2021-12-08T03:59:19.262Z\\\",\\\"Computer\\\":\\\"\\\",\\\"RawData\\\":\\\"\\\",\\\"ResourceId\\\":\\\"/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam\\\",\\\"OperationName\\\":\\\"Sign-in activity\\\",\\\"OperationVersion\\\":\\\"1\\\",\\\"Category\\\":\\\"SignInLogs\\\",\\\"ResultType\\\":\\\"0\\\",\\\"ResultSignature\\\":\\\"None\\\",\\\"ResultDescription\\\":\\\"\\\",\\\"DurationMs\\\":0,\\\"CorrelationId\\\":\\\"f9ff9ee8-d565-478b-bc95-8b4f0d468fe1\\\",\\\"Resource\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceGroup\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceProvider\\\":\\\"\\\",\\\"Identity_s\\\":\\\"Adele Vance\\\",\\\"Level\\\":\\\"4\\\",\\\"Location_s\\\":\\\"IL\\\",\\\"AlternateSignInName_s\\\":\\\"\\\",\\\"AppDisplayName_s\\\":\\\"Azure Portal\\\",\\\"AppId_g\\\":\\\"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\\\",\\\"AuthenticationDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"authenticationStepDateTime\\\\\\\": \\\\\\\"2021-04-28T14:08:45.2213421+00:00\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationMethod\\\\\\\": \\\\\\\"Previously satisfied\\\\\\\",\\\\r\\\\n \\\\\\\"succeeded\\\\\\\": true,\\\\r\\\\n \\\\\\\"authenticationStepResultDetail\\\\\\\": \\\\\\\"First factor requirement satisfied by claim in the token\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationStepRequirement\\\\\\\": \\\\\\\"Primary authentication\\\\\\\",\\\\r\\\\n \\\\\\\"StatusSequence\\\\\\\": 0,\\\\r\\\\n \\\\\\\"RequestSequence\\\\\\\": 0\\\\r\\\\n }\\\\r\\\\n]\\\",\\\"AuthenticationMethodsUsed_s\\\":\\\"\\\",\\\"AuthenticationProcessingDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"key\\\\\\\": \\\\\\\"IsCAEToken\\\\\\\",\\\\r\\\\n \\\\\\\"value\\\\\\\": \\\\\\\"False\\\\\\\"\\\\r\\\\n }\\\\r\\\\n]\\\",\\\"AuthenticationRequirement_s\\\":\\\"singleFactorAuthentication\\\",\\\"AuthenticationRequirementPolicies_s\\\":\\\"[]\\\",\\\"ClientAppUsed_s\\\":\\\"Browser\\\",\\\"ConditionalAccessPolicies_dynamic_s\\\":\\\"[{\\\\\\\"enforcedSessionControls\\\\\\\":[],\\\\\\\"conditionsNotSatisfied\\\\\\\":0,\\\\\\\"enforcedGrantControls\\\\\\\":[],\\\\\\\"conditionsSatisfied\\\\\\\":0,\\\\\\\"displayName\\\\\\\":\\\\\\\"Exchange Online Requires Compliant Device\\\\\\\",\\\\\\\"result\\\\\\\":\\\\\\\"notEnabled\\\\\\\",\\\\\\\"id\\\\\\\":\\\\\\\"defb835a-eb9f-4346-a2ca-7a9184867bf1\\\\\\\"}]\\\",\\\"ConditionalAccessPolicies_string_s\\\":\\\"\\\",\\\"ConditionalAccessStatus_s\\\":\\\"notApplied\\\",\\\"CreatedDateTime_UTC__s\\\":\\\"4/28/2021, 2:08:45.221 PM\\\",\\\"DeviceDetail_dynamic_s\\\":\\\"{\\\\\\\"operatingSystem\\\\\\\":\\\\\\\"Windows 10\\\\\\\",\\\\\\\"deviceId\\\\\\\":\\\\\\\"\\\\\\\",\\\\\\\"browser\\\\\\\":\\\\\\\"Edge 90.0.818\\\\\\\"}\\\",\\\"DeviceDetail_string_s\\\":\\\"\\\",\\\"IsInteractive_s\\\":\\\"TRUE\\\",\\\"Id_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"IPAddress\\\":\\\"175.45.176.99\\\",\\\"IsRisky_s\\\":\\\"\\\",\\\"LocationDetails_dynamic_s\\\":\\\"{\\\\\\\"countryOrRegion\\\\\\\":\\\\\\\"IL\\\\\\\",\\\\\\\"geoCoordinates\\\\\\\":{\\\\\\\"longitude\\\\\\\":34.79964828491211,\\\\\\\"latitude\\\\\\\":32.02956008911133},\\\\\\\"state\\\\\\\":\\\\\\\"Tel Aviv\\\\\\\",\\\\\\\"city\\\\\\\":\\\\\\\"Azor\\\\\\\"}\\\",\\\"LocationDetails_string_s\\\":\\\"\\\",\\\"MfaDetail_dynamic_s\\\":\\\"{}\\\",\\\"MfaDetail_string_s\\\":\\\"\\\",\\\"NetworkLocationDetails_s\\\":\\\"[]\\\",\\\"OriginalRequestId_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"ProcessingTimeInMilliseconds_s\\\":\\\"3535\\\",\\\"RiskDetail_s\\\":\\\"none\\\",\\\"RiskEventTypes_s\\\":\\\"[]\\\",\\\"RiskEventTypes_V2_s\\\":\\\"[]\\\",\\\"RiskLevelAggregated_s\\\":\\\"none\\\",\\\"RiskLevelDuringSignIn_s\\\":\\\"none\\\",\\\"RiskState_s\\\":\\\"none\\\",\\\"ResourceDisplayName_s\\\":\\\"Windows Azure Service Management API\\\",\\\"ResourceIdentity_g\\\":\\\"797f4846-ba00-4fd7-ba43-dac1f8f63013\\\",\\\"ServicePrincipalId_s\\\":\\\"\\\",\\\"ServicePrincipalName_s\\\":\\\"\\\",\\\"Status_dynamic_s\\\":\\\"{\\\\\\\"errorCode\\\\\\\":0}\\\",\\\"Status_string_s\\\":\\\"\\\",\\\"TokenIssuerName_s\\\":\\\"\\\",\\\"TokenIssuerType_s\\\":\\\"AzureAD\\\",\\\"UserAgent_s\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49\\\",\\\"UserDisplayName_s\\\":\\\"Adele Vance\\\",\\\"UserId_g\\\":\\\"9b117c67-170e-4aed-9702-658b3fddc889\\\",\\\"UserPrincipalName_s\\\":\\\"adelev@m365x816222.onmicrosoft.com\\\",\\\"AADTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"UserType_s\\\":\\\"Member\\\",\\\"FlaggedForReview_s\\\":\\\"\\\",\\\"SignInIdentifier_s\\\":\\\"\\\",\\\"SignInIdentifierType_s\\\":\\\"\\\",\\\"ResourceTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"HomeTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"Type_s\\\":\\\"SigninLogs\\\",\\\"AdditionalDetails_s\\\":\\\"\\\",\\\"InitiatedBy_s\\\":\\\"\\\",\\\"ResourceIdentity_s\\\":\\\"\\\",\\\"HomeTenantId_s\\\":\\\"\\\",\\\"Type\\\":\\\"SigninLogs_CL\\\",\\\"_ResourceId\\\":\\\"\\\"}\",\"queryStartTime\":\"2026-03-24T07:00:00+00:00\",\"queryEndTime\":\"2026-03-25T07:00:00+00:00\",\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Bookmarks/2b6690b9-7f3b-4239-b675-41640f710da0\",\"name\":\"2b6690b9-7f3b-4239-b675-41640f710da0\",\"etag\":\"\\\"3b0058f8-0000-0100-0000-69c38e680000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"Updatebookmarkcmzxnh\",\"created\":\"2026-03-25T07:27:36.5332527+00:00\",\"updated\":\"2026-03-25T07:27:36.5332527+00:00\",\"createdBy\":{\"objectId\":\"6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb\",\"email\":\"t-helezra@microsoft.com\",\"name\":\"Hadas Elezra\"},\"updatedBy\":{\"objectId\":\"6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb\",\"email\":\"t-helezra@microsoft.com\",\"name\":\"Hadas Elezra\"},\"eventTime\":\"2026-03-25T07:00:00+00:00\",\"notes\":\"Notes go here\",\"labels\":[\"asptest\"],\"query\":\"SigninLogs_CL\",\"queryResult\":\"{\\\"TenantId\\\":\\\"6ad64079-1c3e-4672-bc2d-08df98ad5751\\\",\\\"SourceSystem\\\":\\\"RestAPI\\\",\\\"MG\\\":\\\"\\\",\\\"ManagementGroupName\\\":\\\"\\\",\\\"TimeGenerated\\\":\\\"2021-12-08T03:59:19.262Z\\\",\\\"Computer\\\":\\\"\\\",\\\"RawData\\\":\\\"\\\",\\\"ResourceId\\\":\\\"/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam\\\",\\\"OperationName\\\":\\\"Sign-in activity\\\",\\\"OperationVersion\\\":\\\"1\\\",\\\"Category\\\":\\\"SignInLogs\\\",\\\"ResultType\\\":\\\"0\\\",\\\"ResultSignature\\\":\\\"None\\\",\\\"ResultDescription\\\":\\\"\\\",\\\"DurationMs\\\":0,\\\"CorrelationId\\\":\\\"f9ff9ee8-d565-478b-bc95-8b4f0d468fe1\\\",\\\"Resource\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceGroup\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceProvider\\\":\\\"\\\",\\\"Identity_s\\\":\\\"Adele Vance\\\",\\\"Level\\\":\\\"4\\\",\\\"Location_s\\\":\\\"IL\\\",\\\"AlternateSignInName_s\\\":\\\"\\\",\\\"AppDisplayName_s\\\":\\\"Azure Portal\\\",\\\"AppId_g\\\":\\\"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\\\",\\\"AuthenticationDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"authenticationStepDateTime\\\\\\\": \\\\\\\"2021-04-28T14:08:45.2213421+00:00\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationMethod\\\\\\\": \\\\\\\"Previously satisfied\\\\\\\",\\\\r\\\\n \\\\\\\"succeeded\\\\\\\": true,\\\\r\\\\n \\\\\\\"authenticationStepResultDetail\\\\\\\": \\\\\\\"First factor requirement satisfied by claim in the token\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationStepRequirement\\\\\\\": \\\\\\\"Primary authentication\\\\\\\",\\\\r\\\\n \\\\\\\"StatusSequence\\\\\\\": 0,\\\\r\\\\n \\\\\\\"RequestSequence\\\\\\\": 0\\\\r\\\\n }\\\\r\\\\n]\\\",\\\"AuthenticationMethodsUsed_s\\\":\\\"\\\",\\\"AuthenticationProcessingDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"key\\\\\\\": \\\\\\\"IsCAEToken\\\\\\\",\\\\r\\\\n \\\\\\\"value\\\\\\\": \\\\\\\"False\\\\\\\"\\\\r\\\\n }\\\\r\\\\n]\\\",\\\"AuthenticationRequirement_s\\\":\\\"singleFactorAuthentication\\\",\\\"AuthenticationRequirementPolicies_s\\\":\\\"[]\\\",\\\"ClientAppUsed_s\\\":\\\"Browser\\\",\\\"ConditionalAccessPolicies_dynamic_s\\\":\\\"[{\\\\\\\"enforcedSessionControls\\\\\\\":[],\\\\\\\"conditionsNotSatisfied\\\\\\\":0,\\\\\\\"enforcedGrantControls\\\\\\\":[],\\\\\\\"conditionsSatisfied\\\\\\\":0,\\\\\\\"displayName\\\\\\\":\\\\\\\"Exchange Online Requires Compliant Device\\\\\\\",\\\\\\\"result\\\\\\\":\\\\\\\"notEnabled\\\\\\\",\\\\\\\"id\\\\\\\":\\\\\\\"defb835a-eb9f-4346-a2ca-7a9184867bf1\\\\\\\"}]\\\",\\\"ConditionalAccessPolicies_string_s\\\":\\\"\\\",\\\"ConditionalAccessStatus_s\\\":\\\"notApplied\\\",\\\"CreatedDateTime_UTC__s\\\":\\\"4/28/2021, 2:08:45.221 PM\\\",\\\"DeviceDetail_dynamic_s\\\":\\\"{\\\\\\\"operatingSystem\\\\\\\":\\\\\\\"Windows 10\\\\\\\",\\\\\\\"deviceId\\\\\\\":\\\\\\\"\\\\\\\",\\\\\\\"browser\\\\\\\":\\\\\\\"Edge 90.0.818\\\\\\\"}\\\",\\\"DeviceDetail_string_s\\\":\\\"\\\",\\\"IsInteractive_s\\\":\\\"TRUE\\\",\\\"Id_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"IPAddress\\\":\\\"175.45.176.99\\\",\\\"IsRisky_s\\\":\\\"\\\",\\\"LocationDetails_dynamic_s\\\":\\\"{\\\\\\\"countryOrRegion\\\\\\\":\\\\\\\"IL\\\\\\\",\\\\\\\"geoCoordinates\\\\\\\":{\\\\\\\"longitude\\\\\\\":34.79964828491211,\\\\\\\"latitude\\\\\\\":32.02956008911133},\\\\\\\"state\\\\\\\":\\\\\\\"Tel Aviv\\\\\\\",\\\\\\\"city\\\\\\\":\\\\\\\"Azor\\\\\\\"}\\\",\\\"LocationDetails_string_s\\\":\\\"\\\",\\\"MfaDetail_dynamic_s\\\":\\\"{}\\\",\\\"MfaDetail_string_s\\\":\\\"\\\",\\\"NetworkLocationDetails_s\\\":\\\"[]\\\",\\\"OriginalRequestId_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"ProcessingTimeInMilliseconds_s\\\":\\\"3535\\\",\\\"RiskDetail_s\\\":\\\"none\\\",\\\"RiskEventTypes_s\\\":\\\"[]\\\",\\\"RiskEventTypes_V2_s\\\":\\\"[]\\\",\\\"RiskLevelAggregated_s\\\":\\\"none\\\",\\\"RiskLevelDuringSignIn_s\\\":\\\"none\\\",\\\"RiskState_s\\\":\\\"none\\\",\\\"ResourceDisplayName_s\\\":\\\"Windows Azure Service Management API\\\",\\\"ResourceIdentity_g\\\":\\\"797f4846-ba00-4fd7-ba43-dac1f8f63013\\\",\\\"ServicePrincipalId_s\\\":\\\"\\\",\\\"ServicePrincipalName_s\\\":\\\"\\\",\\\"Status_dynamic_s\\\":\\\"{\\\\\\\"errorCode\\\\\\\":0}\\\",\\\"Status_string_s\\\":\\\"\\\",\\\"TokenIssuerName_s\\\":\\\"\\\",\\\"TokenIssuerType_s\\\":\\\"AzureAD\\\",\\\"UserAgent_s\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49\\\",\\\"UserDisplayName_s\\\":\\\"Adele Vance\\\",\\\"UserId_g\\\":\\\"9b117c67-170e-4aed-9702-658b3fddc889\\\",\\\"UserPrincipalName_s\\\":\\\"adelev@m365x816222.onmicrosoft.com\\\",\\\"AADTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"UserType_s\\\":\\\"Member\\\",\\\"FlaggedForReview_s\\\":\\\"\\\",\\\"SignInIdentifier_s\\\":\\\"\\\",\\\"SignInIdentifierType_s\\\":\\\"\\\",\\\"ResourceTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"HomeTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"Type_s\\\":\\\"SigninLogs\\\",\\\"AdditionalDetails_s\\\":\\\"\\\",\\\"InitiatedBy_s\\\":\\\"\\\",\\\"ResourceIdentity_s\\\":\\\"\\\",\\\"HomeTenantId_s\\\":\\\"\\\",\\\"Type\\\":\\\"SigninLogs_CL\\\",\\\"_ResourceId\\\":\\\"\\\"}\",\"queryStartTime\":\"2026-03-24T07:00:00+00:00\",\"queryEndTime\":\"2026-03-25T07:00:00+00:00\",\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Bookmarks/095360de-bcfe-42e7-ac78-a7a259dabb97\",\"name\":\"095360de-bcfe-42e7-ac78-a7a259dabb97\",\"etag\":\"\\\"3b00f5f6-0000-0100-0000-69c38e600000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"RemoveViaIdbookmarkn8d5yt\",\"created\":\"2026-03-25T07:27:28.5221427+00:00\",\"updated\":\"2026-03-25T07:27:28.5221427+00:00\",\"createdBy\":{\"objectId\":\"6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb\",\"email\":\"t-helezra@microsoft.com\",\"name\":\"Hadas Elezra\"},\"updatedBy\":{\"objectId\":\"6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb\",\"email\":\"t-helezra@microsoft.com\",\"name\":\"Hadas Elezra\"},\"eventTime\":\"2026-03-25T07:00:00+00:00\",\"notes\":\"Notes go here\",\"labels\":[\"asptest\"],\"query\":\"SigninLogs_CL\",\"queryResult\":\"{\\\"TenantId\\\":\\\"6ad64079-1c3e-4672-bc2d-08df98ad5751\\\",\\\"SourceSystem\\\":\\\"RestAPI\\\",\\\"MG\\\":\\\"\\\",\\\"ManagementGroupName\\\":\\\"\\\",\\\"TimeGenerated\\\":\\\"2021-12-08T03:59:19.262Z\\\",\\\"Computer\\\":\\\"\\\",\\\"RawData\\\":\\\"\\\",\\\"ResourceId\\\":\\\"/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam\\\",\\\"OperationName\\\":\\\"Sign-in activity\\\",\\\"OperationVersion\\\":\\\"1\\\",\\\"Category\\\":\\\"SignInLogs\\\",\\\"ResultType\\\":\\\"0\\\",\\\"ResultSignature\\\":\\\"None\\\",\\\"ResultDescription\\\":\\\"\\\",\\\"DurationMs\\\":0,\\\"CorrelationId\\\":\\\"f9ff9ee8-d565-478b-bc95-8b4f0d468fe1\\\",\\\"Resource\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceGroup\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceProvider\\\":\\\"\\\",\\\"Identity_s\\\":\\\"Adele Vance\\\",\\\"Level\\\":\\\"4\\\",\\\"Location_s\\\":\\\"IL\\\",\\\"AlternateSignInName_s\\\":\\\"\\\",\\\"AppDisplayName_s\\\":\\\"Azure Portal\\\",\\\"AppId_g\\\":\\\"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\\\",\\\"AuthenticationDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"authenticationStepDateTime\\\\\\\": \\\\\\\"2021-04-28T14:08:45.2213421+00:00\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationMethod\\\\\\\": \\\\\\\"Previously satisfied\\\\\\\",\\\\r\\\\n \\\\\\\"succeeded\\\\\\\": true,\\\\r\\\\n \\\\\\\"authenticationStepResultDetail\\\\\\\": \\\\\\\"First factor requirement satisfied by claim in the token\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationStepRequirement\\\\\\\": \\\\\\\"Primary authentication\\\\\\\",\\\\r\\\\n \\\\\\\"StatusSequence\\\\\\\": 0,\\\\r\\\\n \\\\\\\"RequestSequence\\\\\\\": 0\\\\r\\\\n }\\\\r\\\\n]\\\",\\\"AuthenticationMethodsUsed_s\\\":\\\"\\\",\\\"AuthenticationProcessingDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"key\\\\\\\": \\\\\\\"IsCAEToken\\\\\\\",\\\\r\\\\n \\\\\\\"value\\\\\\\": \\\\\\\"False\\\\\\\"\\\\r\\\\n }\\\\r\\\\n]\\\",\\\"AuthenticationRequirement_s\\\":\\\"singleFactorAuthentication\\\",\\\"AuthenticationRequirementPolicies_s\\\":\\\"[]\\\",\\\"ClientAppUsed_s\\\":\\\"Browser\\\",\\\"ConditionalAccessPolicies_dynamic_s\\\":\\\"[{\\\\\\\"enforcedSessionControls\\\\\\\":[],\\\\\\\"conditionsNotSatisfied\\\\\\\":0,\\\\\\\"enforcedGrantControls\\\\\\\":[],\\\\\\\"conditionsSatisfied\\\\\\\":0,\\\\\\\"displayName\\\\\\\":\\\\\\\"Exchange Online Requires Compliant Device\\\\\\\",\\\\\\\"result\\\\\\\":\\\\\\\"notEnabled\\\\\\\",\\\\\\\"id\\\\\\\":\\\\\\\"defb835a-eb9f-4346-a2ca-7a9184867bf1\\\\\\\"}]\\\",\\\"ConditionalAccessPolicies_string_s\\\":\\\"\\\",\\\"ConditionalAccessStatus_s\\\":\\\"notApplied\\\",\\\"CreatedDateTime_UTC__s\\\":\\\"4/28/2021, 2:08:45.221 PM\\\",\\\"DeviceDetail_dynamic_s\\\":\\\"{\\\\\\\"operatingSystem\\\\\\\":\\\\\\\"Windows 10\\\\\\\",\\\\\\\"deviceId\\\\\\\":\\\\\\\"\\\\\\\",\\\\\\\"browser\\\\\\\":\\\\\\\"Edge 90.0.818\\\\\\\"}\\\",\\\"DeviceDetail_string_s\\\":\\\"\\\",\\\"IsInteractive_s\\\":\\\"TRUE\\\",\\\"Id_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"IPAddress\\\":\\\"175.45.176.99\\\",\\\"IsRisky_s\\\":\\\"\\\",\\\"LocationDetails_dynamic_s\\\":\\\"{\\\\\\\"countryOrRegion\\\\\\\":\\\\\\\"IL\\\\\\\",\\\\\\\"geoCoordinates\\\\\\\":{\\\\\\\"longitude\\\\\\\":34.79964828491211,\\\\\\\"latitude\\\\\\\":32.02956008911133},\\\\\\\"state\\\\\\\":\\\\\\\"Tel Aviv\\\\\\\",\\\\\\\"city\\\\\\\":\\\\\\\"Azor\\\\\\\"}\\\",\\\"LocationDetails_string_s\\\":\\\"\\\",\\\"MfaDetail_dynamic_s\\\":\\\"{}\\\",\\\"MfaDetail_string_s\\\":\\\"\\\",\\\"NetworkLocationDetails_s\\\":\\\"[]\\\",\\\"OriginalRequestId_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"ProcessingTimeInMilliseconds_s\\\":\\\"3535\\\",\\\"RiskDetail_s\\\":\\\"none\\\",\\\"RiskEventTypes_s\\\":\\\"[]\\\",\\\"RiskEventTypes_V2_s\\\":\\\"[]\\\",\\\"RiskLevelAggregated_s\\\":\\\"none\\\",\\\"RiskLevelDuringSignIn_s\\\":\\\"none\\\",\\\"RiskState_s\\\":\\\"none\\\",\\\"ResourceDisplayName_s\\\":\\\"Windows Azure Service Management API\\\",\\\"ResourceIdentity_g\\\":\\\"797f4846-ba00-4fd7-ba43-dac1f8f63013\\\",\\\"ServicePrincipalId_s\\\":\\\"\\\",\\\"ServicePrincipalName_s\\\":\\\"\\\",\\\"Status_dynamic_s\\\":\\\"{\\\\\\\"errorCode\\\\\\\":0}\\\",\\\"Status_string_s\\\":\\\"\\\",\\\"TokenIssuerName_s\\\":\\\"\\\",\\\"TokenIssuerType_s\\\":\\\"AzureAD\\\",\\\"UserAgent_s\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49\\\",\\\"UserDisplayName_s\\\":\\\"Adele Vance\\\",\\\"UserId_g\\\":\\\"9b117c67-170e-4aed-9702-658b3fddc889\\\",\\\"UserPrincipalName_s\\\":\\\"adelev@m365x816222.onmicrosoft.com\\\",\\\"AADTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"UserType_s\\\":\\\"Member\\\",\\\"FlaggedForReview_s\\\":\\\"\\\",\\\"SignInIdentifier_s\\\":\\\"\\\",\\\"SignInIdentifierType_s\\\":\\\"\\\",\\\"ResourceTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"HomeTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"Type_s\\\":\\\"SigninLogs\\\",\\\"AdditionalDetails_s\\\":\\\"\\\",\\\"InitiatedBy_s\\\":\\\"\\\",\\\"ResourceIdentity_s\\\":\\\"\\\",\\\"HomeTenantId_s\\\":\\\"\\\",\\\"Type\\\":\\\"SigninLogs_CL\\\",\\\"_ResourceId\\\":\\\"\\\"}\",\"queryStartTime\":\"2026-03-24T07:00:00+00:00\",\"queryEndTime\":\"2026-03-25T07:00:00+00:00\",\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Bookmarks/71ea1e76-7804-472e-90e6-fee48afe4b2e\",\"name\":\"71ea1e76-7804-472e-90e6-fee48afe4b2e\",\"etag\":\"\\\"3b007bf5-0000-0100-0000-69c38e580000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"Removebookmark1lcpa3\",\"created\":\"2026-03-25T07:27:20.5893694+00:00\",\"updated\":\"2026-03-25T07:27:20.5893694+00:00\",\"createdBy\":{\"objectId\":\"6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb\",\"email\":\"t-helezra@microsoft.com\",\"name\":\"Hadas Elezra\"},\"updatedBy\":{\"objectId\":\"6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb\",\"email\":\"t-helezra@microsoft.com\",\"name\":\"Hadas Elezra\"},\"eventTime\":\"2026-03-25T07:00:00+00:00\",\"notes\":\"Notes go here\",\"labels\":[\"asptest\"],\"query\":\"SigninLogs_CL\",\"queryResult\":\"{\\\"TenantId\\\":\\\"6ad64079-1c3e-4672-bc2d-08df98ad5751\\\",\\\"SourceSystem\\\":\\\"RestAPI\\\",\\\"MG\\\":\\\"\\\",\\\"ManagementGroupName\\\":\\\"\\\",\\\"TimeGenerated\\\":\\\"2021-12-08T03:59:19.262Z\\\",\\\"Computer\\\":\\\"\\\",\\\"RawData\\\":\\\"\\\",\\\"ResourceId\\\":\\\"/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam\\\",\\\"OperationName\\\":\\\"Sign-in activity\\\",\\\"OperationVersion\\\":\\\"1\\\",\\\"Category\\\":\\\"SignInLogs\\\",\\\"ResultType\\\":\\\"0\\\",\\\"ResultSignature\\\":\\\"None\\\",\\\"ResultDescription\\\":\\\"\\\",\\\"DurationMs\\\":0,\\\"CorrelationId\\\":\\\"f9ff9ee8-d565-478b-bc95-8b4f0d468fe1\\\",\\\"Resource\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceGroup\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceProvider\\\":\\\"\\\",\\\"Identity_s\\\":\\\"Adele Vance\\\",\\\"Level\\\":\\\"4\\\",\\\"Location_s\\\":\\\"IL\\\",\\\"AlternateSignInName_s\\\":\\\"\\\",\\\"AppDisplayName_s\\\":\\\"Azure Portal\\\",\\\"AppId_g\\\":\\\"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\\\",\\\"AuthenticationDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"authenticationStepDateTime\\\\\\\": \\\\\\\"2021-04-28T14:08:45.2213421+00:00\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationMethod\\\\\\\": \\\\\\\"Previously satisfied\\\\\\\",\\\\r\\\\n \\\\\\\"succeeded\\\\\\\": true,\\\\r\\\\n \\\\\\\"authenticationStepResultDetail\\\\\\\": \\\\\\\"First factor requirement satisfied by claim in the token\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationStepRequirement\\\\\\\": \\\\\\\"Primary authentication\\\\\\\",\\\\r\\\\n \\\\\\\"StatusSequence\\\\\\\": 0,\\\\r\\\\n \\\\\\\"RequestSequence\\\\\\\": 0\\\\r\\\\n }\\\\r\\\\n]\\\",\\\"AuthenticationMethodsUsed_s\\\":\\\"\\\",\\\"AuthenticationProcessingDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"key\\\\\\\": \\\\\\\"IsCAEToken\\\\\\\",\\\\r\\\\n \\\\\\\"value\\\\\\\": \\\\\\\"False\\\\\\\"\\\\r\\\\n }\\\\r\\\\n]\\\",\\\"AuthenticationRequirement_s\\\":\\\"singleFactorAuthentication\\\",\\\"AuthenticationRequirementPolicies_s\\\":\\\"[]\\\",\\\"ClientAppUsed_s\\\":\\\"Browser\\\",\\\"ConditionalAccessPolicies_dynamic_s\\\":\\\"[{\\\\\\\"enforcedSessionControls\\\\\\\":[],\\\\\\\"conditionsNotSatisfied\\\\\\\":0,\\\\\\\"enforcedGrantControls\\\\\\\":[],\\\\\\\"conditionsSatisfied\\\\\\\":0,\\\\\\\"displayName\\\\\\\":\\\\\\\"Exchange Online Requires Compliant Device\\\\\\\",\\\\\\\"result\\\\\\\":\\\\\\\"notEnabled\\\\\\\",\\\\\\\"id\\\\\\\":\\\\\\\"defb835a-eb9f-4346-a2ca-7a9184867bf1\\\\\\\"}]\\\",\\\"ConditionalAccessPolicies_string_s\\\":\\\"\\\",\\\"ConditionalAccessStatus_s\\\":\\\"notApplied\\\",\\\"CreatedDateTime_UTC__s\\\":\\\"4/28/2021, 2:08:45.221 PM\\\",\\\"DeviceDetail_dynamic_s\\\":\\\"{\\\\\\\"operatingSystem\\\\\\\":\\\\\\\"Windows 10\\\\\\\",\\\\\\\"deviceId\\\\\\\":\\\\\\\"\\\\\\\",\\\\\\\"browser\\\\\\\":\\\\\\\"Edge 90.0.818\\\\\\\"}\\\",\\\"DeviceDetail_string_s\\\":\\\"\\\",\\\"IsInteractive_s\\\":\\\"TRUE\\\",\\\"Id_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"IPAddress\\\":\\\"175.45.176.99\\\",\\\"IsRisky_s\\\":\\\"\\\",\\\"LocationDetails_dynamic_s\\\":\\\"{\\\\\\\"countryOrRegion\\\\\\\":\\\\\\\"IL\\\\\\\",\\\\\\\"geoCoordinates\\\\\\\":{\\\\\\\"longitude\\\\\\\":34.79964828491211,\\\\\\\"latitude\\\\\\\":32.02956008911133},\\\\\\\"state\\\\\\\":\\\\\\\"Tel Aviv\\\\\\\",\\\\\\\"city\\\\\\\":\\\\\\\"Azor\\\\\\\"}\\\",\\\"LocationDetails_string_s\\\":\\\"\\\",\\\"MfaDetail_dynamic_s\\\":\\\"{}\\\",\\\"MfaDetail_string_s\\\":\\\"\\\",\\\"NetworkLocationDetails_s\\\":\\\"[]\\\",\\\"OriginalRequestId_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"ProcessingTimeInMilliseconds_s\\\":\\\"3535\\\",\\\"RiskDetail_s\\\":\\\"none\\\",\\\"RiskEventTypes_s\\\":\\\"[]\\\",\\\"RiskEventTypes_V2_s\\\":\\\"[]\\\",\\\"RiskLevelAggregated_s\\\":\\\"none\\\",\\\"RiskLevelDuringSignIn_s\\\":\\\"none\\\",\\\"RiskState_s\\\":\\\"none\\\",\\\"ResourceDisplayName_s\\\":\\\"Windows Azure Service Management API\\\",\\\"ResourceIdentity_g\\\":\\\"797f4846-ba00-4fd7-ba43-dac1f8f63013\\\",\\\"ServicePrincipalId_s\\\":\\\"\\\",\\\"ServicePrincipalName_s\\\":\\\"\\\",\\\"Status_dynamic_s\\\":\\\"{\\\\\\\"errorCode\\\\\\\":0}\\\",\\\"Status_string_s\\\":\\\"\\\",\\\"TokenIssuerName_s\\\":\\\"\\\",\\\"TokenIssuerType_s\\\":\\\"AzureAD\\\",\\\"UserAgent_s\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49\\\",\\\"UserDisplayName_s\\\":\\\"Adele Vance\\\",\\\"UserId_g\\\":\\\"9b117c67-170e-4aed-9702-658b3fddc889\\\",\\\"UserPrincipalName_s\\\":\\\"adelev@m365x816222.onmicrosoft.com\\\",\\\"AADTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"UserType_s\\\":\\\"Member\\\",\\\"FlaggedForReview_s\\\":\\\"\\\",\\\"SignInIdentifier_s\\\":\\\"\\\",\\\"SignInIdentifierType_s\\\":\\\"\\\",\\\"ResourceTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"HomeTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"Type_s\\\":\\\"SigninLogs\\\",\\\"AdditionalDetails_s\\\":\\\"\\\",\\\"InitiatedBy_s\\\":\\\"\\\",\\\"ResourceIdentity_s\\\":\\\"\\\",\\\"HomeTenantId_s\\\":\\\"\\\",\\\"Type\\\":\\\"SigninLogs_CL\\\",\\\"_ResourceId\\\":\\\"\\\"}\",\"queryStartTime\":\"2026-03-24T07:00:00+00:00\",\"queryEndTime\":\"2026-03-25T07:00:00+00:00\",\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Bookmarks/94dfe965-27c2-4232-97cd-5d22a82584d7\",\"name\":\"94dfe965-27c2-4232-97cd-5d22a82584d7\",\"etag\":\"\\\"3b00f4f3-0000-0100-0000-69c38e500000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"Getbookmarkpdoyf6\",\"created\":\"2026-03-25T07:27:11.9607541+00:00\",\"updated\":\"2026-03-25T07:27:11.9607541+00:00\",\"createdBy\":{\"objectId\":\"6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb\",\"email\":\"t-helezra@microsoft.com\",\"name\":\"Hadas Elezra\"},\"updatedBy\":{\"objectId\":\"6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb\",\"email\":\"t-helezra@microsoft.com\",\"name\":\"Hadas Elezra\"},\"eventTime\":\"2026-03-25T07:00:00+00:00\",\"notes\":\"Notes go here\",\"labels\":[\"asptest\"],\"query\":\"SigninLogs_CL\",\"queryResult\":\"{\\\"TenantId\\\":\\\"6ad64079-1c3e-4672-bc2d-08df98ad5751\\\",\\\"SourceSystem\\\":\\\"RestAPI\\\",\\\"MG\\\":\\\"\\\",\\\"ManagementGroupName\\\":\\\"\\\",\\\"TimeGenerated\\\":\\\"2021-12-08T03:59:19.262Z\\\",\\\"Computer\\\":\\\"\\\",\\\"RawData\\\":\\\"\\\",\\\"ResourceId\\\":\\\"/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam\\\",\\\"OperationName\\\":\\\"Sign-in activity\\\",\\\"OperationVersion\\\":\\\"1\\\",\\\"Category\\\":\\\"SignInLogs\\\",\\\"ResultType\\\":\\\"0\\\",\\\"ResultSignature\\\":\\\"None\\\",\\\"ResultDescription\\\":\\\"\\\",\\\"DurationMs\\\":0,\\\"CorrelationId\\\":\\\"f9ff9ee8-d565-478b-bc95-8b4f0d468fe1\\\",\\\"Resource\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceGroup\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceProvider\\\":\\\"\\\",\\\"Identity_s\\\":\\\"Adele Vance\\\",\\\"Level\\\":\\\"4\\\",\\\"Location_s\\\":\\\"IL\\\",\\\"AlternateSignInName_s\\\":\\\"\\\",\\\"AppDisplayName_s\\\":\\\"Azure Portal\\\",\\\"AppId_g\\\":\\\"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\\\",\\\"AuthenticationDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"authenticationStepDateTime\\\\\\\": \\\\\\\"2021-04-28T14:08:45.2213421+00:00\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationMethod\\\\\\\": \\\\\\\"Previously satisfied\\\\\\\",\\\\r\\\\n \\\\\\\"succeeded\\\\\\\": true,\\\\r\\\\n \\\\\\\"authenticationStepResultDetail\\\\\\\": \\\\\\\"First factor requirement satisfied by claim in the token\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationStepRequirement\\\\\\\": \\\\\\\"Primary authentication\\\\\\\",\\\\r\\\\n \\\\\\\"StatusSequence\\\\\\\": 0,\\\\r\\\\n \\\\\\\"RequestSequence\\\\\\\": 0\\\\r\\\\n }\\\\r\\\\n]\\\",\\\"AuthenticationMethodsUsed_s\\\":\\\"\\\",\\\"AuthenticationProcessingDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"key\\\\\\\": \\\\\\\"IsCAEToken\\\\\\\",\\\\r\\\\n \\\\\\\"value\\\\\\\": \\\\\\\"False\\\\\\\"\\\\r\\\\n }\\\\r\\\\n]\\\",\\\"AuthenticationRequirement_s\\\":\\\"singleFactorAuthentication\\\",\\\"AuthenticationRequirementPolicies_s\\\":\\\"[]\\\",\\\"ClientAppUsed_s\\\":\\\"Browser\\\",\\\"ConditionalAccessPolicies_dynamic_s\\\":\\\"[{\\\\\\\"enforcedSessionControls\\\\\\\":[],\\\\\\\"conditionsNotSatisfied\\\\\\\":0,\\\\\\\"enforcedGrantControls\\\\\\\":[],\\\\\\\"conditionsSatisfied\\\\\\\":0,\\\\\\\"displayName\\\\\\\":\\\\\\\"Exchange Online Requires Compliant Device\\\\\\\",\\\\\\\"result\\\\\\\":\\\\\\\"notEnabled\\\\\\\",\\\\\\\"id\\\\\\\":\\\\\\\"defb835a-eb9f-4346-a2ca-7a9184867bf1\\\\\\\"}]\\\",\\\"ConditionalAccessPolicies_string_s\\\":\\\"\\\",\\\"ConditionalAccessStatus_s\\\":\\\"notApplied\\\",\\\"CreatedDateTime_UTC__s\\\":\\\"4/28/2021, 2:08:45.221 PM\\\",\\\"DeviceDetail_dynamic_s\\\":\\\"{\\\\\\\"operatingSystem\\\\\\\":\\\\\\\"Windows 10\\\\\\\",\\\\\\\"deviceId\\\\\\\":\\\\\\\"\\\\\\\",\\\\\\\"browser\\\\\\\":\\\\\\\"Edge 90.0.818\\\\\\\"}\\\",\\\"DeviceDetail_string_s\\\":\\\"\\\",\\\"IsInteractive_s\\\":\\\"TRUE\\\",\\\"Id_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"IPAddress\\\":\\\"175.45.176.99\\\",\\\"IsRisky_s\\\":\\\"\\\",\\\"LocationDetails_dynamic_s\\\":\\\"{\\\\\\\"countryOrRegion\\\\\\\":\\\\\\\"IL\\\\\\\",\\\\\\\"geoCoordinates\\\\\\\":{\\\\\\\"longitude\\\\\\\":34.79964828491211,\\\\\\\"latitude\\\\\\\":32.02956008911133},\\\\\\\"state\\\\\\\":\\\\\\\"Tel Aviv\\\\\\\",\\\\\\\"city\\\\\\\":\\\\\\\"Azor\\\\\\\"}\\\",\\\"LocationDetails_string_s\\\":\\\"\\\",\\\"MfaDetail_dynamic_s\\\":\\\"{}\\\",\\\"MfaDetail_string_s\\\":\\\"\\\",\\\"NetworkLocationDetails_s\\\":\\\"[]\\\",\\\"OriginalRequestId_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"ProcessingTimeInMilliseconds_s\\\":\\\"3535\\\",\\\"RiskDetail_s\\\":\\\"none\\\",\\\"RiskEventTypes_s\\\":\\\"[]\\\",\\\"RiskEventTypes_V2_s\\\":\\\"[]\\\",\\\"RiskLevelAggregated_s\\\":\\\"none\\\",\\\"RiskLevelDuringSignIn_s\\\":\\\"none\\\",\\\"RiskState_s\\\":\\\"none\\\",\\\"ResourceDisplayName_s\\\":\\\"Windows Azure Service Management API\\\",\\\"ResourceIdentity_g\\\":\\\"797f4846-ba00-4fd7-ba43-dac1f8f63013\\\",\\\"ServicePrincipalId_s\\\":\\\"\\\",\\\"ServicePrincipalName_s\\\":\\\"\\\",\\\"Status_dynamic_s\\\":\\\"{\\\\\\\"errorCode\\\\\\\":0}\\\",\\\"Status_string_s\\\":\\\"\\\",\\\"TokenIssuerName_s\\\":\\\"\\\",\\\"TokenIssuerType_s\\\":\\\"AzureAD\\\",\\\"UserAgent_s\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49\\\",\\\"UserDisplayName_s\\\":\\\"Adele Vance\\\",\\\"UserId_g\\\":\\\"9b117c67-170e-4aed-9702-658b3fddc889\\\",\\\"UserPrincipalName_s\\\":\\\"adelev@m365x816222.onmicrosoft.com\\\",\\\"AADTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"UserType_s\\\":\\\"Member\\\",\\\"FlaggedForReview_s\\\":\\\"\\\",\\\"SignInIdentifier_s\\\":\\\"\\\",\\\"SignInIdentifierType_s\\\":\\\"\\\",\\\"ResourceTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"HomeTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"Type_s\\\":\\\"SigninLogs\\\",\\\"AdditionalDetails_s\\\":\\\"\\\",\\\"InitiatedBy_s\\\":\\\"\\\",\\\"ResourceIdentity_s\\\":\\\"\\\",\\\"HomeTenantId_s\\\":\\\"\\\",\\\"Type\\\":\\\"SigninLogs_CL\\\",\\\"_ResourceId\\\":\\\"\\\"}\",\"queryStartTime\":\"2026-03-24T07:00:00+00:00\",\"queryEndTime\":\"2026-03-25T07:00:00+00:00\",\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}}]}", "isContentBase64": false } }, - "Get-AzSentinelBookmark+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/bookmarks/52f3c78c-cfbe-42f8-bc38-b87fc8a1d9af?api-version=2021-09-01-preview+1": { + "Get-AzSentinelBookmark+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/bookmarks/94dfe965-27c2-4232-97cd-5d22a82584d7?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/bookmarks/52f3c78c-cfbe-42f8-bc38-b87fc8a1d9af?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/bookmarks/94dfe965-27c2-4232-97cd-5d22a82584d7?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "175" ], - "x-ms-client-request-id": [ "15550d69-e1ae-414e-bbf9-c76c63113ec4" ], + "x-ms-unique-id": [ "18" ], + "x-ms-client-request-id": [ "fafad985-0807-4bb3-94bd-a5e58a156833" ], "CommandName": [ "Get-AzSentinelbookmark" ], "FullCommandName": [ "Get-AzSentinelBookmark_Get" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], + "User-Agent": [ "AzurePowershell/v15.4.0", "PSVersion/v7.6.0", "Az.SecurityInsights/3.2.1" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { @@ -63,37 +67,41 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11986" ], - "x-ms-request-id": [ "4e7e5b78-7d62-47aa-ae05-b1306f398784" ], - "x-ms-correlation-request-id": [ "4e7e5b78-7d62-47aa-ae05-b1306f398784" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160701Z:4e7e5b78-7d62-47aa-ae05-b1306f398784" ], + "Vary": [ "Accept-Encoding" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "1099" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/531c9247-6375-4be0-9917-ce3ee8e5df09" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-ratelimit-remaining-subscription-global-reads": [ "16499" ], + "x-ms-request-id": [ "793a6971-d4fd-4f84-ba31-8bc33d43c0d6" ], + "x-ms-correlation-request-id": [ "793a6971-d4fd-4f84-ba31-8bc33d43c0d6" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074416Z:793a6971-d4fd-4f84-ba31-8bc33d43c0d6" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:07:00 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: CBE17979228D44A09F467262C357A571 Ref B: AMS231020512027 Ref C: 2026-03-25T07:44:16Z" ], + "Date": [ "Wed, 25 Mar 2026 07:44:16 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "5288" ], + "Content-Length": [ "5278" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Bookmarks/52f3c78c-cfbe-42f8-bc38-b87fc8a1d9af\",\"name\":\"52f3c78c-cfbe-42f8-bc38-b87fc8a1d9af\",\"etag\":\"\\\"3c00458a-0000-0100-0000-62fbbc670000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"Getbookmarkzl3she\",\"created\":\"2022-08-16T15:48:55.7948149+00:00\",\"updated\":\"2022-08-16T15:48:55.7948149+00:00\",\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2022-08-16T03:00:00+00:00\",\"notes\":\"Notes go here\",\"labels\":[\"asptest\"],\"query\":\"SigninLogs_CL\",\"queryResult\":\"{\\\"TenantId\\\":\\\"6ad64079-1c3e-4672-bc2d-08df98ad5751\\\",\\\"SourceSystem\\\":\\\"RestAPI\\\",\\\"MG\\\":\\\"\\\",\\\"ManagementGroupName\\\":\\\"\\\",\\\"TimeGenerated\\\":\\\"2021-12-08T03:59:19.262Z\\\",\\\"Computer\\\":\\\"\\\",\\\"RawData\\\":\\\"\\\",\\\"ResourceId\\\":\\\"/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam\\\",\\\"OperationName\\\":\\\"Sign-in activity\\\",\\\"OperationVersion\\\":\\\"1\\\",\\\"Category\\\":\\\"SignInLogs\\\",\\\"ResultType\\\":\\\"0\\\",\\\"ResultSignature\\\":\\\"None\\\",\\\"ResultDescription\\\":\\\"\\\",\\\"DurationMs\\\":0,\\\"CorrelationId\\\":\\\"f9ff9ee8-d565-478b-bc95-8b4f0d468fe1\\\",\\\"Resource\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceGroup\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceProvider\\\":\\\"\\\",\\\"Identity_s\\\":\\\"Adele Vance\\\",\\\"Level\\\":\\\"4\\\",\\\"Location_s\\\":\\\"IL\\\",\\\"AlternateSignInName_s\\\":\\\"\\\",\\\"AppDisplayName_s\\\":\\\"Azure Portal\\\",\\\"AppId_g\\\":\\\"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\\\",\\\"AuthenticationDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"authenticationStepDateTime\\\\\\\": \\\\\\\"2021-04-28T14:08:45.2213421+00:00\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationMethod\\\\\\\": \\\\\\\"Previously satisfied\\\\\\\",\\\\r\\\\n \\\\\\\"succeeded\\\\\\\": true,\\\\r\\\\n \\\\\\\"authenticationStepResultDetail\\\\\\\": \\\\\\\"First factor requirement satisfied by claim in the token\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationStepRequirement\\\\\\\": \\\\\\\"Primary authentication\\\\\\\",\\\\r\\\\n \\\\\\\"StatusSequence\\\\\\\": 0,\\\\r\\\\n \\\\\\\"RequestSequence\\\\\\\": 0\\\\r\\\\n }\\\\r\\\\n]\\\",\\\"AuthenticationMethodsUsed_s\\\":\\\"\\\",\\\"AuthenticationProcessingDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"key\\\\\\\": \\\\\\\"IsCAEToken\\\\\\\",\\\\r\\\\n \\\\\\\"value\\\\\\\": \\\\\\\"False\\\\\\\"\\\\r\\\\n }\\\\r\\\\n]\\\",\\\"AuthenticationRequirement_s\\\":\\\"singleFactorAuthentication\\\",\\\"AuthenticationRequirementPolicies_s\\\":\\\"[]\\\",\\\"ClientAppUsed_s\\\":\\\"Browser\\\",\\\"ConditionalAccessPolicies_dynamic_s\\\":\\\"[{\\\\\\\"enforcedSessionControls\\\\\\\":[],\\\\\\\"conditionsNotSatisfied\\\\\\\":0,\\\\\\\"enforcedGrantControls\\\\\\\":[],\\\\\\\"conditionsSatisfied\\\\\\\":0,\\\\\\\"displayName\\\\\\\":\\\\\\\"Exchange Online Requires Compliant Device\\\\\\\",\\\\\\\"result\\\\\\\":\\\\\\\"notEnabled\\\\\\\",\\\\\\\"id\\\\\\\":\\\\\\\"defb835a-eb9f-4346-a2ca-7a9184867bf1\\\\\\\"}]\\\",\\\"ConditionalAccessPolicies_string_s\\\":\\\"\\\",\\\"ConditionalAccessStatus_s\\\":\\\"notApplied\\\",\\\"CreatedDateTime_UTC__s\\\":\\\"4/28/2021, 2:08:45.221 PM\\\",\\\"DeviceDetail_dynamic_s\\\":\\\"{\\\\\\\"operatingSystem\\\\\\\":\\\\\\\"Windows 10\\\\\\\",\\\\\\\"deviceId\\\\\\\":\\\\\\\"\\\\\\\",\\\\\\\"browser\\\\\\\":\\\\\\\"Edge 90.0.818\\\\\\\"}\\\",\\\"DeviceDetail_string_s\\\":\\\"\\\",\\\"IsInteractive_s\\\":\\\"TRUE\\\",\\\"Id_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"IPAddress\\\":\\\"175.45.176.99\\\",\\\"IsRisky_s\\\":\\\"\\\",\\\"LocationDetails_dynamic_s\\\":\\\"{\\\\\\\"countryOrRegion\\\\\\\":\\\\\\\"IL\\\\\\\",\\\\\\\"geoCoordinates\\\\\\\":{\\\\\\\"longitude\\\\\\\":34.79964828491211,\\\\\\\"latitude\\\\\\\":32.02956008911133},\\\\\\\"state\\\\\\\":\\\\\\\"Tel Aviv\\\\\\\",\\\\\\\"city\\\\\\\":\\\\\\\"Azor\\\\\\\"}\\\",\\\"LocationDetails_string_s\\\":\\\"\\\",\\\"MfaDetail_dynamic_s\\\":\\\"{}\\\",\\\"MfaDetail_string_s\\\":\\\"\\\",\\\"NetworkLocationDetails_s\\\":\\\"[]\\\",\\\"OriginalRequestId_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"ProcessingTimeInMilliseconds_s\\\":\\\"3535\\\",\\\"RiskDetail_s\\\":\\\"none\\\",\\\"RiskEventTypes_s\\\":\\\"[]\\\",\\\"RiskEventTypes_V2_s\\\":\\\"[]\\\",\\\"RiskLevelAggregated_s\\\":\\\"none\\\",\\\"RiskLevelDuringSignIn_s\\\":\\\"none\\\",\\\"RiskState_s\\\":\\\"none\\\",\\\"ResourceDisplayName_s\\\":\\\"Windows Azure Service Management API\\\",\\\"ResourceIdentity_g\\\":\\\"797f4846-ba00-4fd7-ba43-dac1f8f63013\\\",\\\"ServicePrincipalId_s\\\":\\\"\\\",\\\"ServicePrincipalName_s\\\":\\\"\\\",\\\"Status_dynamic_s\\\":\\\"{\\\\\\\"errorCode\\\\\\\":0}\\\",\\\"Status_string_s\\\":\\\"\\\",\\\"TokenIssuerName_s\\\":\\\"\\\",\\\"TokenIssuerType_s\\\":\\\"AzureAD\\\",\\\"UserAgent_s\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49\\\",\\\"UserDisplayName_s\\\":\\\"Adele Vance\\\",\\\"UserId_g\\\":\\\"9b117c67-170e-4aed-9702-658b3fddc889\\\",\\\"UserPrincipalName_s\\\":\\\"adelev@m365x816222.onmicrosoft.com\\\",\\\"AADTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"UserType_s\\\":\\\"Member\\\",\\\"FlaggedForReview_s\\\":\\\"\\\",\\\"SignInIdentifier_s\\\":\\\"\\\",\\\"SignInIdentifierType_s\\\":\\\"\\\",\\\"ResourceTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"HomeTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"Type_s\\\":\\\"SigninLogs\\\",\\\"AdditionalDetails_s\\\":\\\"\\\",\\\"InitiatedBy_s\\\":\\\"\\\",\\\"ResourceIdentity_s\\\":\\\"\\\",\\\"HomeTenantId_s\\\":\\\"\\\",\\\"Type\\\":\\\"SigninLogs_CL\\\",\\\"_ResourceId\\\":\\\"\\\"}\",\"queryStartTime\":\"2022-08-15T03:00:00+00:00\",\"queryEndTime\":\"2022-08-16T03:00:00+00:00\",\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}}", + "Content": "{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Bookmarks/94dfe965-27c2-4232-97cd-5d22a82584d7\",\"name\":\"94dfe965-27c2-4232-97cd-5d22a82584d7\",\"etag\":\"\\\"3b00f4f3-0000-0100-0000-69c38e500000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"Getbookmarkpdoyf6\",\"created\":\"2026-03-25T07:27:11.9607541+00:00\",\"updated\":\"2026-03-25T07:27:11.9607541+00:00\",\"createdBy\":{\"objectId\":\"6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb\",\"email\":\"t-helezra@microsoft.com\",\"name\":\"Hadas Elezra\"},\"updatedBy\":{\"objectId\":\"6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb\",\"email\":\"t-helezra@microsoft.com\",\"name\":\"Hadas Elezra\"},\"eventTime\":\"2026-03-25T07:00:00+00:00\",\"notes\":\"Notes go here\",\"labels\":[\"asptest\"],\"query\":\"SigninLogs_CL\",\"queryResult\":\"{\\\"TenantId\\\":\\\"6ad64079-1c3e-4672-bc2d-08df98ad5751\\\",\\\"SourceSystem\\\":\\\"RestAPI\\\",\\\"MG\\\":\\\"\\\",\\\"ManagementGroupName\\\":\\\"\\\",\\\"TimeGenerated\\\":\\\"2021-12-08T03:59:19.262Z\\\",\\\"Computer\\\":\\\"\\\",\\\"RawData\\\":\\\"\\\",\\\"ResourceId\\\":\\\"/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam\\\",\\\"OperationName\\\":\\\"Sign-in activity\\\",\\\"OperationVersion\\\":\\\"1\\\",\\\"Category\\\":\\\"SignInLogs\\\",\\\"ResultType\\\":\\\"0\\\",\\\"ResultSignature\\\":\\\"None\\\",\\\"ResultDescription\\\":\\\"\\\",\\\"DurationMs\\\":0,\\\"CorrelationId\\\":\\\"f9ff9ee8-d565-478b-bc95-8b4f0d468fe1\\\",\\\"Resource\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceGroup\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceProvider\\\":\\\"\\\",\\\"Identity_s\\\":\\\"Adele Vance\\\",\\\"Level\\\":\\\"4\\\",\\\"Location_s\\\":\\\"IL\\\",\\\"AlternateSignInName_s\\\":\\\"\\\",\\\"AppDisplayName_s\\\":\\\"Azure Portal\\\",\\\"AppId_g\\\":\\\"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\\\",\\\"AuthenticationDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"authenticationStepDateTime\\\\\\\": \\\\\\\"2021-04-28T14:08:45.2213421+00:00\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationMethod\\\\\\\": \\\\\\\"Previously satisfied\\\\\\\",\\\\r\\\\n \\\\\\\"succeeded\\\\\\\": true,\\\\r\\\\n \\\\\\\"authenticationStepResultDetail\\\\\\\": \\\\\\\"First factor requirement satisfied by claim in the token\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationStepRequirement\\\\\\\": \\\\\\\"Primary authentication\\\\\\\",\\\\r\\\\n \\\\\\\"StatusSequence\\\\\\\": 0,\\\\r\\\\n \\\\\\\"RequestSequence\\\\\\\": 0\\\\r\\\\n }\\\\r\\\\n]\\\",\\\"AuthenticationMethodsUsed_s\\\":\\\"\\\",\\\"AuthenticationProcessingDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"key\\\\\\\": \\\\\\\"IsCAEToken\\\\\\\",\\\\r\\\\n \\\\\\\"value\\\\\\\": \\\\\\\"False\\\\\\\"\\\\r\\\\n }\\\\r\\\\n]\\\",\\\"AuthenticationRequirement_s\\\":\\\"singleFactorAuthentication\\\",\\\"AuthenticationRequirementPolicies_s\\\":\\\"[]\\\",\\\"ClientAppUsed_s\\\":\\\"Browser\\\",\\\"ConditionalAccessPolicies_dynamic_s\\\":\\\"[{\\\\\\\"enforcedSessionControls\\\\\\\":[],\\\\\\\"conditionsNotSatisfied\\\\\\\":0,\\\\\\\"enforcedGrantControls\\\\\\\":[],\\\\\\\"conditionsSatisfied\\\\\\\":0,\\\\\\\"displayName\\\\\\\":\\\\\\\"Exchange Online Requires Compliant Device\\\\\\\",\\\\\\\"result\\\\\\\":\\\\\\\"notEnabled\\\\\\\",\\\\\\\"id\\\\\\\":\\\\\\\"defb835a-eb9f-4346-a2ca-7a9184867bf1\\\\\\\"}]\\\",\\\"ConditionalAccessPolicies_string_s\\\":\\\"\\\",\\\"ConditionalAccessStatus_s\\\":\\\"notApplied\\\",\\\"CreatedDateTime_UTC__s\\\":\\\"4/28/2021, 2:08:45.221 PM\\\",\\\"DeviceDetail_dynamic_s\\\":\\\"{\\\\\\\"operatingSystem\\\\\\\":\\\\\\\"Windows 10\\\\\\\",\\\\\\\"deviceId\\\\\\\":\\\\\\\"\\\\\\\",\\\\\\\"browser\\\\\\\":\\\\\\\"Edge 90.0.818\\\\\\\"}\\\",\\\"DeviceDetail_string_s\\\":\\\"\\\",\\\"IsInteractive_s\\\":\\\"TRUE\\\",\\\"Id_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"IPAddress\\\":\\\"175.45.176.99\\\",\\\"IsRisky_s\\\":\\\"\\\",\\\"LocationDetails_dynamic_s\\\":\\\"{\\\\\\\"countryOrRegion\\\\\\\":\\\\\\\"IL\\\\\\\",\\\\\\\"geoCoordinates\\\\\\\":{\\\\\\\"longitude\\\\\\\":34.79964828491211,\\\\\\\"latitude\\\\\\\":32.02956008911133},\\\\\\\"state\\\\\\\":\\\\\\\"Tel Aviv\\\\\\\",\\\\\\\"city\\\\\\\":\\\\\\\"Azor\\\\\\\"}\\\",\\\"LocationDetails_string_s\\\":\\\"\\\",\\\"MfaDetail_dynamic_s\\\":\\\"{}\\\",\\\"MfaDetail_string_s\\\":\\\"\\\",\\\"NetworkLocationDetails_s\\\":\\\"[]\\\",\\\"OriginalRequestId_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"ProcessingTimeInMilliseconds_s\\\":\\\"3535\\\",\\\"RiskDetail_s\\\":\\\"none\\\",\\\"RiskEventTypes_s\\\":\\\"[]\\\",\\\"RiskEventTypes_V2_s\\\":\\\"[]\\\",\\\"RiskLevelAggregated_s\\\":\\\"none\\\",\\\"RiskLevelDuringSignIn_s\\\":\\\"none\\\",\\\"RiskState_s\\\":\\\"none\\\",\\\"ResourceDisplayName_s\\\":\\\"Windows Azure Service Management API\\\",\\\"ResourceIdentity_g\\\":\\\"797f4846-ba00-4fd7-ba43-dac1f8f63013\\\",\\\"ServicePrincipalId_s\\\":\\\"\\\",\\\"ServicePrincipalName_s\\\":\\\"\\\",\\\"Status_dynamic_s\\\":\\\"{\\\\\\\"errorCode\\\\\\\":0}\\\",\\\"Status_string_s\\\":\\\"\\\",\\\"TokenIssuerName_s\\\":\\\"\\\",\\\"TokenIssuerType_s\\\":\\\"AzureAD\\\",\\\"UserAgent_s\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49\\\",\\\"UserDisplayName_s\\\":\\\"Adele Vance\\\",\\\"UserId_g\\\":\\\"9b117c67-170e-4aed-9702-658b3fddc889\\\",\\\"UserPrincipalName_s\\\":\\\"adelev@m365x816222.onmicrosoft.com\\\",\\\"AADTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"UserType_s\\\":\\\"Member\\\",\\\"FlaggedForReview_s\\\":\\\"\\\",\\\"SignInIdentifier_s\\\":\\\"\\\",\\\"SignInIdentifierType_s\\\":\\\"\\\",\\\"ResourceTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"HomeTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"Type_s\\\":\\\"SigninLogs\\\",\\\"AdditionalDetails_s\\\":\\\"\\\",\\\"InitiatedBy_s\\\":\\\"\\\",\\\"ResourceIdentity_s\\\":\\\"\\\",\\\"HomeTenantId_s\\\":\\\"\\\",\\\"Type\\\":\\\"SigninLogs_CL\\\",\\\"_ResourceId\\\":\\\"\\\"}\",\"queryStartTime\":\"2026-03-24T07:00:00+00:00\",\"queryEndTime\":\"2026-03-25T07:00:00+00:00\",\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}}", "isContentBase64": false } }, - "Get-AzSentinelBookmark+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/bookmarks/52f3c78c-cfbe-42f8-bc38-b87fc8a1d9af?api-version=2021-09-01-preview+1": { + "Get-AzSentinelBookmark+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/bookmarks/94dfe965-27c2-4232-97cd-5d22a82584d7?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/bookmarks/52f3c78c-cfbe-42f8-bc38-b87fc8a1d9af?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/bookmarks/94dfe965-27c2-4232-97cd-5d22a82584d7?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "176" ], - "x-ms-client-request-id": [ "fc9a3c26-e58e-4155-8f5c-472b52e1b331" ], + "x-ms-unique-id": [ "19" ], + "x-ms-client-request-id": [ "27871364-d20f-4894-94d5-310014e3b684" ], "CommandName": [ "Get-AzSentinelbookmark" ], "FullCommandName": [ "Get-AzSentinelBookmark_Get" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], + "User-Agent": [ "AzurePowershell/v15.4.0", "PSVersion/v7.6.0", "Az.SecurityInsights/3.2.1" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { @@ -104,37 +112,41 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11985" ], - "x-ms-request-id": [ "cf47f3cd-c9c8-4f61-8188-d74243ed15f7" ], - "x-ms-correlation-request-id": [ "cf47f3cd-c9c8-4f61-8188-d74243ed15f7" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160701Z:cf47f3cd-c9c8-4f61-8188-d74243ed15f7" ], + "Vary": [ "Accept-Encoding" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "1099" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/43050d5e-4620-4cae-9aaa-48ab06ed04b5" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-ratelimit-remaining-subscription-global-reads": [ "16499" ], + "x-ms-request-id": [ "a26a9fc7-597b-405e-b941-458f3fd477d9" ], + "x-ms-correlation-request-id": [ "a26a9fc7-597b-405e-b941-458f3fd477d9" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074417Z:a26a9fc7-597b-405e-b941-458f3fd477d9" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:07:01 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: A61D6CFB124E4C01A6112CA6CB626398 Ref B: AMS231020512027 Ref C: 2026-03-25T07:44:17Z" ], + "Date": [ "Wed, 25 Mar 2026 07:44:16 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "5288" ], + "Content-Length": [ "5278" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Bookmarks/52f3c78c-cfbe-42f8-bc38-b87fc8a1d9af\",\"name\":\"52f3c78c-cfbe-42f8-bc38-b87fc8a1d9af\",\"etag\":\"\\\"3c00458a-0000-0100-0000-62fbbc670000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"Getbookmarkzl3she\",\"created\":\"2022-08-16T15:48:55.7948149+00:00\",\"updated\":\"2022-08-16T15:48:55.7948149+00:00\",\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2022-08-16T03:00:00+00:00\",\"notes\":\"Notes go here\",\"labels\":[\"asptest\"],\"query\":\"SigninLogs_CL\",\"queryResult\":\"{\\\"TenantId\\\":\\\"6ad64079-1c3e-4672-bc2d-08df98ad5751\\\",\\\"SourceSystem\\\":\\\"RestAPI\\\",\\\"MG\\\":\\\"\\\",\\\"ManagementGroupName\\\":\\\"\\\",\\\"TimeGenerated\\\":\\\"2021-12-08T03:59:19.262Z\\\",\\\"Computer\\\":\\\"\\\",\\\"RawData\\\":\\\"\\\",\\\"ResourceId\\\":\\\"/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam\\\",\\\"OperationName\\\":\\\"Sign-in activity\\\",\\\"OperationVersion\\\":\\\"1\\\",\\\"Category\\\":\\\"SignInLogs\\\",\\\"ResultType\\\":\\\"0\\\",\\\"ResultSignature\\\":\\\"None\\\",\\\"ResultDescription\\\":\\\"\\\",\\\"DurationMs\\\":0,\\\"CorrelationId\\\":\\\"f9ff9ee8-d565-478b-bc95-8b4f0d468fe1\\\",\\\"Resource\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceGroup\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceProvider\\\":\\\"\\\",\\\"Identity_s\\\":\\\"Adele Vance\\\",\\\"Level\\\":\\\"4\\\",\\\"Location_s\\\":\\\"IL\\\",\\\"AlternateSignInName_s\\\":\\\"\\\",\\\"AppDisplayName_s\\\":\\\"Azure Portal\\\",\\\"AppId_g\\\":\\\"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\\\",\\\"AuthenticationDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"authenticationStepDateTime\\\\\\\": \\\\\\\"2021-04-28T14:08:45.2213421+00:00\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationMethod\\\\\\\": \\\\\\\"Previously satisfied\\\\\\\",\\\\r\\\\n \\\\\\\"succeeded\\\\\\\": true,\\\\r\\\\n \\\\\\\"authenticationStepResultDetail\\\\\\\": \\\\\\\"First factor requirement satisfied by claim in the token\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationStepRequirement\\\\\\\": \\\\\\\"Primary authentication\\\\\\\",\\\\r\\\\n \\\\\\\"StatusSequence\\\\\\\": 0,\\\\r\\\\n \\\\\\\"RequestSequence\\\\\\\": 0\\\\r\\\\n }\\\\r\\\\n]\\\",\\\"AuthenticationMethodsUsed_s\\\":\\\"\\\",\\\"AuthenticationProcessingDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"key\\\\\\\": \\\\\\\"IsCAEToken\\\\\\\",\\\\r\\\\n \\\\\\\"value\\\\\\\": \\\\\\\"False\\\\\\\"\\\\r\\\\n }\\\\r\\\\n]\\\",\\\"AuthenticationRequirement_s\\\":\\\"singleFactorAuthentication\\\",\\\"AuthenticationRequirementPolicies_s\\\":\\\"[]\\\",\\\"ClientAppUsed_s\\\":\\\"Browser\\\",\\\"ConditionalAccessPolicies_dynamic_s\\\":\\\"[{\\\\\\\"enforcedSessionControls\\\\\\\":[],\\\\\\\"conditionsNotSatisfied\\\\\\\":0,\\\\\\\"enforcedGrantControls\\\\\\\":[],\\\\\\\"conditionsSatisfied\\\\\\\":0,\\\\\\\"displayName\\\\\\\":\\\\\\\"Exchange Online Requires Compliant Device\\\\\\\",\\\\\\\"result\\\\\\\":\\\\\\\"notEnabled\\\\\\\",\\\\\\\"id\\\\\\\":\\\\\\\"defb835a-eb9f-4346-a2ca-7a9184867bf1\\\\\\\"}]\\\",\\\"ConditionalAccessPolicies_string_s\\\":\\\"\\\",\\\"ConditionalAccessStatus_s\\\":\\\"notApplied\\\",\\\"CreatedDateTime_UTC__s\\\":\\\"4/28/2021, 2:08:45.221 PM\\\",\\\"DeviceDetail_dynamic_s\\\":\\\"{\\\\\\\"operatingSystem\\\\\\\":\\\\\\\"Windows 10\\\\\\\",\\\\\\\"deviceId\\\\\\\":\\\\\\\"\\\\\\\",\\\\\\\"browser\\\\\\\":\\\\\\\"Edge 90.0.818\\\\\\\"}\\\",\\\"DeviceDetail_string_s\\\":\\\"\\\",\\\"IsInteractive_s\\\":\\\"TRUE\\\",\\\"Id_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"IPAddress\\\":\\\"175.45.176.99\\\",\\\"IsRisky_s\\\":\\\"\\\",\\\"LocationDetails_dynamic_s\\\":\\\"{\\\\\\\"countryOrRegion\\\\\\\":\\\\\\\"IL\\\\\\\",\\\\\\\"geoCoordinates\\\\\\\":{\\\\\\\"longitude\\\\\\\":34.79964828491211,\\\\\\\"latitude\\\\\\\":32.02956008911133},\\\\\\\"state\\\\\\\":\\\\\\\"Tel Aviv\\\\\\\",\\\\\\\"city\\\\\\\":\\\\\\\"Azor\\\\\\\"}\\\",\\\"LocationDetails_string_s\\\":\\\"\\\",\\\"MfaDetail_dynamic_s\\\":\\\"{}\\\",\\\"MfaDetail_string_s\\\":\\\"\\\",\\\"NetworkLocationDetails_s\\\":\\\"[]\\\",\\\"OriginalRequestId_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"ProcessingTimeInMilliseconds_s\\\":\\\"3535\\\",\\\"RiskDetail_s\\\":\\\"none\\\",\\\"RiskEventTypes_s\\\":\\\"[]\\\",\\\"RiskEventTypes_V2_s\\\":\\\"[]\\\",\\\"RiskLevelAggregated_s\\\":\\\"none\\\",\\\"RiskLevelDuringSignIn_s\\\":\\\"none\\\",\\\"RiskState_s\\\":\\\"none\\\",\\\"ResourceDisplayName_s\\\":\\\"Windows Azure Service Management API\\\",\\\"ResourceIdentity_g\\\":\\\"797f4846-ba00-4fd7-ba43-dac1f8f63013\\\",\\\"ServicePrincipalId_s\\\":\\\"\\\",\\\"ServicePrincipalName_s\\\":\\\"\\\",\\\"Status_dynamic_s\\\":\\\"{\\\\\\\"errorCode\\\\\\\":0}\\\",\\\"Status_string_s\\\":\\\"\\\",\\\"TokenIssuerName_s\\\":\\\"\\\",\\\"TokenIssuerType_s\\\":\\\"AzureAD\\\",\\\"UserAgent_s\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49\\\",\\\"UserDisplayName_s\\\":\\\"Adele Vance\\\",\\\"UserId_g\\\":\\\"9b117c67-170e-4aed-9702-658b3fddc889\\\",\\\"UserPrincipalName_s\\\":\\\"adelev@m365x816222.onmicrosoft.com\\\",\\\"AADTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"UserType_s\\\":\\\"Member\\\",\\\"FlaggedForReview_s\\\":\\\"\\\",\\\"SignInIdentifier_s\\\":\\\"\\\",\\\"SignInIdentifierType_s\\\":\\\"\\\",\\\"ResourceTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"HomeTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"Type_s\\\":\\\"SigninLogs\\\",\\\"AdditionalDetails_s\\\":\\\"\\\",\\\"InitiatedBy_s\\\":\\\"\\\",\\\"ResourceIdentity_s\\\":\\\"\\\",\\\"HomeTenantId_s\\\":\\\"\\\",\\\"Type\\\":\\\"SigninLogs_CL\\\",\\\"_ResourceId\\\":\\\"\\\"}\",\"queryStartTime\":\"2022-08-15T03:00:00+00:00\",\"queryEndTime\":\"2022-08-16T03:00:00+00:00\",\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}}", + "Content": "{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Bookmarks/94dfe965-27c2-4232-97cd-5d22a82584d7\",\"name\":\"94dfe965-27c2-4232-97cd-5d22a82584d7\",\"etag\":\"\\\"3b00f4f3-0000-0100-0000-69c38e500000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"Getbookmarkpdoyf6\",\"created\":\"2026-03-25T07:27:11.9607541+00:00\",\"updated\":\"2026-03-25T07:27:11.9607541+00:00\",\"createdBy\":{\"objectId\":\"6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb\",\"email\":\"t-helezra@microsoft.com\",\"name\":\"Hadas Elezra\"},\"updatedBy\":{\"objectId\":\"6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb\",\"email\":\"t-helezra@microsoft.com\",\"name\":\"Hadas Elezra\"},\"eventTime\":\"2026-03-25T07:00:00+00:00\",\"notes\":\"Notes go here\",\"labels\":[\"asptest\"],\"query\":\"SigninLogs_CL\",\"queryResult\":\"{\\\"TenantId\\\":\\\"6ad64079-1c3e-4672-bc2d-08df98ad5751\\\",\\\"SourceSystem\\\":\\\"RestAPI\\\",\\\"MG\\\":\\\"\\\",\\\"ManagementGroupName\\\":\\\"\\\",\\\"TimeGenerated\\\":\\\"2021-12-08T03:59:19.262Z\\\",\\\"Computer\\\":\\\"\\\",\\\"RawData\\\":\\\"\\\",\\\"ResourceId\\\":\\\"/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam\\\",\\\"OperationName\\\":\\\"Sign-in activity\\\",\\\"OperationVersion\\\":\\\"1\\\",\\\"Category\\\":\\\"SignInLogs\\\",\\\"ResultType\\\":\\\"0\\\",\\\"ResultSignature\\\":\\\"None\\\",\\\"ResultDescription\\\":\\\"\\\",\\\"DurationMs\\\":0,\\\"CorrelationId\\\":\\\"f9ff9ee8-d565-478b-bc95-8b4f0d468fe1\\\",\\\"Resource\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceGroup\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceProvider\\\":\\\"\\\",\\\"Identity_s\\\":\\\"Adele Vance\\\",\\\"Level\\\":\\\"4\\\",\\\"Location_s\\\":\\\"IL\\\",\\\"AlternateSignInName_s\\\":\\\"\\\",\\\"AppDisplayName_s\\\":\\\"Azure Portal\\\",\\\"AppId_g\\\":\\\"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\\\",\\\"AuthenticationDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"authenticationStepDateTime\\\\\\\": \\\\\\\"2021-04-28T14:08:45.2213421+00:00\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationMethod\\\\\\\": \\\\\\\"Previously satisfied\\\\\\\",\\\\r\\\\n \\\\\\\"succeeded\\\\\\\": true,\\\\r\\\\n \\\\\\\"authenticationStepResultDetail\\\\\\\": \\\\\\\"First factor requirement satisfied by claim in the token\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationStepRequirement\\\\\\\": \\\\\\\"Primary authentication\\\\\\\",\\\\r\\\\n \\\\\\\"StatusSequence\\\\\\\": 0,\\\\r\\\\n \\\\\\\"RequestSequence\\\\\\\": 0\\\\r\\\\n }\\\\r\\\\n]\\\",\\\"AuthenticationMethodsUsed_s\\\":\\\"\\\",\\\"AuthenticationProcessingDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"key\\\\\\\": \\\\\\\"IsCAEToken\\\\\\\",\\\\r\\\\n \\\\\\\"value\\\\\\\": \\\\\\\"False\\\\\\\"\\\\r\\\\n }\\\\r\\\\n]\\\",\\\"AuthenticationRequirement_s\\\":\\\"singleFactorAuthentication\\\",\\\"AuthenticationRequirementPolicies_s\\\":\\\"[]\\\",\\\"ClientAppUsed_s\\\":\\\"Browser\\\",\\\"ConditionalAccessPolicies_dynamic_s\\\":\\\"[{\\\\\\\"enforcedSessionControls\\\\\\\":[],\\\\\\\"conditionsNotSatisfied\\\\\\\":0,\\\\\\\"enforcedGrantControls\\\\\\\":[],\\\\\\\"conditionsSatisfied\\\\\\\":0,\\\\\\\"displayName\\\\\\\":\\\\\\\"Exchange Online Requires Compliant Device\\\\\\\",\\\\\\\"result\\\\\\\":\\\\\\\"notEnabled\\\\\\\",\\\\\\\"id\\\\\\\":\\\\\\\"defb835a-eb9f-4346-a2ca-7a9184867bf1\\\\\\\"}]\\\",\\\"ConditionalAccessPolicies_string_s\\\":\\\"\\\",\\\"ConditionalAccessStatus_s\\\":\\\"notApplied\\\",\\\"CreatedDateTime_UTC__s\\\":\\\"4/28/2021, 2:08:45.221 PM\\\",\\\"DeviceDetail_dynamic_s\\\":\\\"{\\\\\\\"operatingSystem\\\\\\\":\\\\\\\"Windows 10\\\\\\\",\\\\\\\"deviceId\\\\\\\":\\\\\\\"\\\\\\\",\\\\\\\"browser\\\\\\\":\\\\\\\"Edge 90.0.818\\\\\\\"}\\\",\\\"DeviceDetail_string_s\\\":\\\"\\\",\\\"IsInteractive_s\\\":\\\"TRUE\\\",\\\"Id_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"IPAddress\\\":\\\"175.45.176.99\\\",\\\"IsRisky_s\\\":\\\"\\\",\\\"LocationDetails_dynamic_s\\\":\\\"{\\\\\\\"countryOrRegion\\\\\\\":\\\\\\\"IL\\\\\\\",\\\\\\\"geoCoordinates\\\\\\\":{\\\\\\\"longitude\\\\\\\":34.79964828491211,\\\\\\\"latitude\\\\\\\":32.02956008911133},\\\\\\\"state\\\\\\\":\\\\\\\"Tel Aviv\\\\\\\",\\\\\\\"city\\\\\\\":\\\\\\\"Azor\\\\\\\"}\\\",\\\"LocationDetails_string_s\\\":\\\"\\\",\\\"MfaDetail_dynamic_s\\\":\\\"{}\\\",\\\"MfaDetail_string_s\\\":\\\"\\\",\\\"NetworkLocationDetails_s\\\":\\\"[]\\\",\\\"OriginalRequestId_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"ProcessingTimeInMilliseconds_s\\\":\\\"3535\\\",\\\"RiskDetail_s\\\":\\\"none\\\",\\\"RiskEventTypes_s\\\":\\\"[]\\\",\\\"RiskEventTypes_V2_s\\\":\\\"[]\\\",\\\"RiskLevelAggregated_s\\\":\\\"none\\\",\\\"RiskLevelDuringSignIn_s\\\":\\\"none\\\",\\\"RiskState_s\\\":\\\"none\\\",\\\"ResourceDisplayName_s\\\":\\\"Windows Azure Service Management API\\\",\\\"ResourceIdentity_g\\\":\\\"797f4846-ba00-4fd7-ba43-dac1f8f63013\\\",\\\"ServicePrincipalId_s\\\":\\\"\\\",\\\"ServicePrincipalName_s\\\":\\\"\\\",\\\"Status_dynamic_s\\\":\\\"{\\\\\\\"errorCode\\\\\\\":0}\\\",\\\"Status_string_s\\\":\\\"\\\",\\\"TokenIssuerName_s\\\":\\\"\\\",\\\"TokenIssuerType_s\\\":\\\"AzureAD\\\",\\\"UserAgent_s\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49\\\",\\\"UserDisplayName_s\\\":\\\"Adele Vance\\\",\\\"UserId_g\\\":\\\"9b117c67-170e-4aed-9702-658b3fddc889\\\",\\\"UserPrincipalName_s\\\":\\\"adelev@m365x816222.onmicrosoft.com\\\",\\\"AADTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"UserType_s\\\":\\\"Member\\\",\\\"FlaggedForReview_s\\\":\\\"\\\",\\\"SignInIdentifier_s\\\":\\\"\\\",\\\"SignInIdentifierType_s\\\":\\\"\\\",\\\"ResourceTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"HomeTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"Type_s\\\":\\\"SigninLogs\\\",\\\"AdditionalDetails_s\\\":\\\"\\\",\\\"InitiatedBy_s\\\":\\\"\\\",\\\"ResourceIdentity_s\\\":\\\"\\\",\\\"HomeTenantId_s\\\":\\\"\\\",\\\"Type\\\":\\\"SigninLogs_CL\\\",\\\"_ResourceId\\\":\\\"\\\"}\",\"queryStartTime\":\"2026-03-24T07:00:00+00:00\",\"queryEndTime\":\"2026-03-25T07:00:00+00:00\",\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}}", "isContentBase64": false } }, - "Get-AzSentinelBookmark+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/bookmarks/52f3c78c-cfbe-42f8-bc38-b87fc8a1d9af?api-version=2021-09-01-preview+2": { + "Get-AzSentinelBookmark+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/bookmarks/94dfe965-27c2-4232-97cd-5d22a82584d7?api-version=2021-09-01-preview+2": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/bookmarks/52f3c78c-cfbe-42f8-bc38-b87fc8a1d9af?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/bookmarks/94dfe965-27c2-4232-97cd-5d22a82584d7?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "177" ], - "x-ms-client-request-id": [ "e4985794-1f6c-486a-83f9-d1d5ac7892f3" ], + "x-ms-unique-id": [ "20" ], + "x-ms-client-request-id": [ "bd8f3b0d-bbb6-4bc1-a02a-1a490482a376" ], "CommandName": [ "Get-AzSentinelbookmark" ], "FullCommandName": [ "Get-AzSentinelBookmark_GetViaIdentity" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], + "User-Agent": [ "AzurePowershell/v15.4.0", "PSVersion/v7.6.0", "Az.SecurityInsights/3.2.1" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { @@ -145,21 +157,25 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11984" ], - "x-ms-request-id": [ "e0aa37c3-eb91-4682-8158-950084e42e49" ], - "x-ms-correlation-request-id": [ "e0aa37c3-eb91-4682-8158-950084e42e49" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160701Z:e0aa37c3-eb91-4682-8158-950084e42e49" ], + "Vary": [ "Accept-Encoding" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "1099" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/a6a2b2e4-acbc-4149-a40a-4fa61c4f06bc" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-ratelimit-remaining-subscription-global-reads": [ "16499" ], + "x-ms-request-id": [ "36c5e6be-e37e-44d4-b2d4-f487acdbad4d" ], + "x-ms-correlation-request-id": [ "36c5e6be-e37e-44d4-b2d4-f487acdbad4d" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074417Z:36c5e6be-e37e-44d4-b2d4-f487acdbad4d" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:07:01 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: 8F6EA2D2ED7B4A97A257311B07E4114B Ref B: AMS231020512027 Ref C: 2026-03-25T07:44:17Z" ], + "Date": [ "Wed, 25 Mar 2026 07:44:17 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "5288" ], + "Content-Length": [ "5278" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Bookmarks/52f3c78c-cfbe-42f8-bc38-b87fc8a1d9af\",\"name\":\"52f3c78c-cfbe-42f8-bc38-b87fc8a1d9af\",\"etag\":\"\\\"3c00458a-0000-0100-0000-62fbbc670000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"Getbookmarkzl3she\",\"created\":\"2022-08-16T15:48:55.7948149+00:00\",\"updated\":\"2022-08-16T15:48:55.7948149+00:00\",\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2022-08-16T03:00:00+00:00\",\"notes\":\"Notes go here\",\"labels\":[\"asptest\"],\"query\":\"SigninLogs_CL\",\"queryResult\":\"{\\\"TenantId\\\":\\\"6ad64079-1c3e-4672-bc2d-08df98ad5751\\\",\\\"SourceSystem\\\":\\\"RestAPI\\\",\\\"MG\\\":\\\"\\\",\\\"ManagementGroupName\\\":\\\"\\\",\\\"TimeGenerated\\\":\\\"2021-12-08T03:59:19.262Z\\\",\\\"Computer\\\":\\\"\\\",\\\"RawData\\\":\\\"\\\",\\\"ResourceId\\\":\\\"/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam\\\",\\\"OperationName\\\":\\\"Sign-in activity\\\",\\\"OperationVersion\\\":\\\"1\\\",\\\"Category\\\":\\\"SignInLogs\\\",\\\"ResultType\\\":\\\"0\\\",\\\"ResultSignature\\\":\\\"None\\\",\\\"ResultDescription\\\":\\\"\\\",\\\"DurationMs\\\":0,\\\"CorrelationId\\\":\\\"f9ff9ee8-d565-478b-bc95-8b4f0d468fe1\\\",\\\"Resource\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceGroup\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceProvider\\\":\\\"\\\",\\\"Identity_s\\\":\\\"Adele Vance\\\",\\\"Level\\\":\\\"4\\\",\\\"Location_s\\\":\\\"IL\\\",\\\"AlternateSignInName_s\\\":\\\"\\\",\\\"AppDisplayName_s\\\":\\\"Azure Portal\\\",\\\"AppId_g\\\":\\\"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\\\",\\\"AuthenticationDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"authenticationStepDateTime\\\\\\\": \\\\\\\"2021-04-28T14:08:45.2213421+00:00\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationMethod\\\\\\\": \\\\\\\"Previously satisfied\\\\\\\",\\\\r\\\\n \\\\\\\"succeeded\\\\\\\": true,\\\\r\\\\n \\\\\\\"authenticationStepResultDetail\\\\\\\": \\\\\\\"First factor requirement satisfied by claim in the token\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationStepRequirement\\\\\\\": \\\\\\\"Primary authentication\\\\\\\",\\\\r\\\\n \\\\\\\"StatusSequence\\\\\\\": 0,\\\\r\\\\n \\\\\\\"RequestSequence\\\\\\\": 0\\\\r\\\\n }\\\\r\\\\n]\\\",\\\"AuthenticationMethodsUsed_s\\\":\\\"\\\",\\\"AuthenticationProcessingDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"key\\\\\\\": \\\\\\\"IsCAEToken\\\\\\\",\\\\r\\\\n \\\\\\\"value\\\\\\\": \\\\\\\"False\\\\\\\"\\\\r\\\\n }\\\\r\\\\n]\\\",\\\"AuthenticationRequirement_s\\\":\\\"singleFactorAuthentication\\\",\\\"AuthenticationRequirementPolicies_s\\\":\\\"[]\\\",\\\"ClientAppUsed_s\\\":\\\"Browser\\\",\\\"ConditionalAccessPolicies_dynamic_s\\\":\\\"[{\\\\\\\"enforcedSessionControls\\\\\\\":[],\\\\\\\"conditionsNotSatisfied\\\\\\\":0,\\\\\\\"enforcedGrantControls\\\\\\\":[],\\\\\\\"conditionsSatisfied\\\\\\\":0,\\\\\\\"displayName\\\\\\\":\\\\\\\"Exchange Online Requires Compliant Device\\\\\\\",\\\\\\\"result\\\\\\\":\\\\\\\"notEnabled\\\\\\\",\\\\\\\"id\\\\\\\":\\\\\\\"defb835a-eb9f-4346-a2ca-7a9184867bf1\\\\\\\"}]\\\",\\\"ConditionalAccessPolicies_string_s\\\":\\\"\\\",\\\"ConditionalAccessStatus_s\\\":\\\"notApplied\\\",\\\"CreatedDateTime_UTC__s\\\":\\\"4/28/2021, 2:08:45.221 PM\\\",\\\"DeviceDetail_dynamic_s\\\":\\\"{\\\\\\\"operatingSystem\\\\\\\":\\\\\\\"Windows 10\\\\\\\",\\\\\\\"deviceId\\\\\\\":\\\\\\\"\\\\\\\",\\\\\\\"browser\\\\\\\":\\\\\\\"Edge 90.0.818\\\\\\\"}\\\",\\\"DeviceDetail_string_s\\\":\\\"\\\",\\\"IsInteractive_s\\\":\\\"TRUE\\\",\\\"Id_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"IPAddress\\\":\\\"175.45.176.99\\\",\\\"IsRisky_s\\\":\\\"\\\",\\\"LocationDetails_dynamic_s\\\":\\\"{\\\\\\\"countryOrRegion\\\\\\\":\\\\\\\"IL\\\\\\\",\\\\\\\"geoCoordinates\\\\\\\":{\\\\\\\"longitude\\\\\\\":34.79964828491211,\\\\\\\"latitude\\\\\\\":32.02956008911133},\\\\\\\"state\\\\\\\":\\\\\\\"Tel Aviv\\\\\\\",\\\\\\\"city\\\\\\\":\\\\\\\"Azor\\\\\\\"}\\\",\\\"LocationDetails_string_s\\\":\\\"\\\",\\\"MfaDetail_dynamic_s\\\":\\\"{}\\\",\\\"MfaDetail_string_s\\\":\\\"\\\",\\\"NetworkLocationDetails_s\\\":\\\"[]\\\",\\\"OriginalRequestId_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"ProcessingTimeInMilliseconds_s\\\":\\\"3535\\\",\\\"RiskDetail_s\\\":\\\"none\\\",\\\"RiskEventTypes_s\\\":\\\"[]\\\",\\\"RiskEventTypes_V2_s\\\":\\\"[]\\\",\\\"RiskLevelAggregated_s\\\":\\\"none\\\",\\\"RiskLevelDuringSignIn_s\\\":\\\"none\\\",\\\"RiskState_s\\\":\\\"none\\\",\\\"ResourceDisplayName_s\\\":\\\"Windows Azure Service Management API\\\",\\\"ResourceIdentity_g\\\":\\\"797f4846-ba00-4fd7-ba43-dac1f8f63013\\\",\\\"ServicePrincipalId_s\\\":\\\"\\\",\\\"ServicePrincipalName_s\\\":\\\"\\\",\\\"Status_dynamic_s\\\":\\\"{\\\\\\\"errorCode\\\\\\\":0}\\\",\\\"Status_string_s\\\":\\\"\\\",\\\"TokenIssuerName_s\\\":\\\"\\\",\\\"TokenIssuerType_s\\\":\\\"AzureAD\\\",\\\"UserAgent_s\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49\\\",\\\"UserDisplayName_s\\\":\\\"Adele Vance\\\",\\\"UserId_g\\\":\\\"9b117c67-170e-4aed-9702-658b3fddc889\\\",\\\"UserPrincipalName_s\\\":\\\"adelev@m365x816222.onmicrosoft.com\\\",\\\"AADTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"UserType_s\\\":\\\"Member\\\",\\\"FlaggedForReview_s\\\":\\\"\\\",\\\"SignInIdentifier_s\\\":\\\"\\\",\\\"SignInIdentifierType_s\\\":\\\"\\\",\\\"ResourceTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"HomeTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"Type_s\\\":\\\"SigninLogs\\\",\\\"AdditionalDetails_s\\\":\\\"\\\",\\\"InitiatedBy_s\\\":\\\"\\\",\\\"ResourceIdentity_s\\\":\\\"\\\",\\\"HomeTenantId_s\\\":\\\"\\\",\\\"Type\\\":\\\"SigninLogs_CL\\\",\\\"_ResourceId\\\":\\\"\\\"}\",\"queryStartTime\":\"2022-08-15T03:00:00+00:00\",\"queryEndTime\":\"2022-08-16T03:00:00+00:00\",\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}}", + "Content": "{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Bookmarks/94dfe965-27c2-4232-97cd-5d22a82584d7\",\"name\":\"94dfe965-27c2-4232-97cd-5d22a82584d7\",\"etag\":\"\\\"3b00f4f3-0000-0100-0000-69c38e500000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"Getbookmarkpdoyf6\",\"created\":\"2026-03-25T07:27:11.9607541+00:00\",\"updated\":\"2026-03-25T07:27:11.9607541+00:00\",\"createdBy\":{\"objectId\":\"6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb\",\"email\":\"t-helezra@microsoft.com\",\"name\":\"Hadas Elezra\"},\"updatedBy\":{\"objectId\":\"6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb\",\"email\":\"t-helezra@microsoft.com\",\"name\":\"Hadas Elezra\"},\"eventTime\":\"2026-03-25T07:00:00+00:00\",\"notes\":\"Notes go here\",\"labels\":[\"asptest\"],\"query\":\"SigninLogs_CL\",\"queryResult\":\"{\\\"TenantId\\\":\\\"6ad64079-1c3e-4672-bc2d-08df98ad5751\\\",\\\"SourceSystem\\\":\\\"RestAPI\\\",\\\"MG\\\":\\\"\\\",\\\"ManagementGroupName\\\":\\\"\\\",\\\"TimeGenerated\\\":\\\"2021-12-08T03:59:19.262Z\\\",\\\"Computer\\\":\\\"\\\",\\\"RawData\\\":\\\"\\\",\\\"ResourceId\\\":\\\"/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam\\\",\\\"OperationName\\\":\\\"Sign-in activity\\\",\\\"OperationVersion\\\":\\\"1\\\",\\\"Category\\\":\\\"SignInLogs\\\",\\\"ResultType\\\":\\\"0\\\",\\\"ResultSignature\\\":\\\"None\\\",\\\"ResultDescription\\\":\\\"\\\",\\\"DurationMs\\\":0,\\\"CorrelationId\\\":\\\"f9ff9ee8-d565-478b-bc95-8b4f0d468fe1\\\",\\\"Resource\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceGroup\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceProvider\\\":\\\"\\\",\\\"Identity_s\\\":\\\"Adele Vance\\\",\\\"Level\\\":\\\"4\\\",\\\"Location_s\\\":\\\"IL\\\",\\\"AlternateSignInName_s\\\":\\\"\\\",\\\"AppDisplayName_s\\\":\\\"Azure Portal\\\",\\\"AppId_g\\\":\\\"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\\\",\\\"AuthenticationDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"authenticationStepDateTime\\\\\\\": \\\\\\\"2021-04-28T14:08:45.2213421+00:00\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationMethod\\\\\\\": \\\\\\\"Previously satisfied\\\\\\\",\\\\r\\\\n \\\\\\\"succeeded\\\\\\\": true,\\\\r\\\\n \\\\\\\"authenticationStepResultDetail\\\\\\\": \\\\\\\"First factor requirement satisfied by claim in the token\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationStepRequirement\\\\\\\": \\\\\\\"Primary authentication\\\\\\\",\\\\r\\\\n \\\\\\\"StatusSequence\\\\\\\": 0,\\\\r\\\\n \\\\\\\"RequestSequence\\\\\\\": 0\\\\r\\\\n }\\\\r\\\\n]\\\",\\\"AuthenticationMethodsUsed_s\\\":\\\"\\\",\\\"AuthenticationProcessingDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"key\\\\\\\": \\\\\\\"IsCAEToken\\\\\\\",\\\\r\\\\n \\\\\\\"value\\\\\\\": \\\\\\\"False\\\\\\\"\\\\r\\\\n }\\\\r\\\\n]\\\",\\\"AuthenticationRequirement_s\\\":\\\"singleFactorAuthentication\\\",\\\"AuthenticationRequirementPolicies_s\\\":\\\"[]\\\",\\\"ClientAppUsed_s\\\":\\\"Browser\\\",\\\"ConditionalAccessPolicies_dynamic_s\\\":\\\"[{\\\\\\\"enforcedSessionControls\\\\\\\":[],\\\\\\\"conditionsNotSatisfied\\\\\\\":0,\\\\\\\"enforcedGrantControls\\\\\\\":[],\\\\\\\"conditionsSatisfied\\\\\\\":0,\\\\\\\"displayName\\\\\\\":\\\\\\\"Exchange Online Requires Compliant Device\\\\\\\",\\\\\\\"result\\\\\\\":\\\\\\\"notEnabled\\\\\\\",\\\\\\\"id\\\\\\\":\\\\\\\"defb835a-eb9f-4346-a2ca-7a9184867bf1\\\\\\\"}]\\\",\\\"ConditionalAccessPolicies_string_s\\\":\\\"\\\",\\\"ConditionalAccessStatus_s\\\":\\\"notApplied\\\",\\\"CreatedDateTime_UTC__s\\\":\\\"4/28/2021, 2:08:45.221 PM\\\",\\\"DeviceDetail_dynamic_s\\\":\\\"{\\\\\\\"operatingSystem\\\\\\\":\\\\\\\"Windows 10\\\\\\\",\\\\\\\"deviceId\\\\\\\":\\\\\\\"\\\\\\\",\\\\\\\"browser\\\\\\\":\\\\\\\"Edge 90.0.818\\\\\\\"}\\\",\\\"DeviceDetail_string_s\\\":\\\"\\\",\\\"IsInteractive_s\\\":\\\"TRUE\\\",\\\"Id_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"IPAddress\\\":\\\"175.45.176.99\\\",\\\"IsRisky_s\\\":\\\"\\\",\\\"LocationDetails_dynamic_s\\\":\\\"{\\\\\\\"countryOrRegion\\\\\\\":\\\\\\\"IL\\\\\\\",\\\\\\\"geoCoordinates\\\\\\\":{\\\\\\\"longitude\\\\\\\":34.79964828491211,\\\\\\\"latitude\\\\\\\":32.02956008911133},\\\\\\\"state\\\\\\\":\\\\\\\"Tel Aviv\\\\\\\",\\\\\\\"city\\\\\\\":\\\\\\\"Azor\\\\\\\"}\\\",\\\"LocationDetails_string_s\\\":\\\"\\\",\\\"MfaDetail_dynamic_s\\\":\\\"{}\\\",\\\"MfaDetail_string_s\\\":\\\"\\\",\\\"NetworkLocationDetails_s\\\":\\\"[]\\\",\\\"OriginalRequestId_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"ProcessingTimeInMilliseconds_s\\\":\\\"3535\\\",\\\"RiskDetail_s\\\":\\\"none\\\",\\\"RiskEventTypes_s\\\":\\\"[]\\\",\\\"RiskEventTypes_V2_s\\\":\\\"[]\\\",\\\"RiskLevelAggregated_s\\\":\\\"none\\\",\\\"RiskLevelDuringSignIn_s\\\":\\\"none\\\",\\\"RiskState_s\\\":\\\"none\\\",\\\"ResourceDisplayName_s\\\":\\\"Windows Azure Service Management API\\\",\\\"ResourceIdentity_g\\\":\\\"797f4846-ba00-4fd7-ba43-dac1f8f63013\\\",\\\"ServicePrincipalId_s\\\":\\\"\\\",\\\"ServicePrincipalName_s\\\":\\\"\\\",\\\"Status_dynamic_s\\\":\\\"{\\\\\\\"errorCode\\\\\\\":0}\\\",\\\"Status_string_s\\\":\\\"\\\",\\\"TokenIssuerName_s\\\":\\\"\\\",\\\"TokenIssuerType_s\\\":\\\"AzureAD\\\",\\\"UserAgent_s\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49\\\",\\\"UserDisplayName_s\\\":\\\"Adele Vance\\\",\\\"UserId_g\\\":\\\"9b117c67-170e-4aed-9702-658b3fddc889\\\",\\\"UserPrincipalName_s\\\":\\\"adelev@m365x816222.onmicrosoft.com\\\",\\\"AADTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"UserType_s\\\":\\\"Member\\\",\\\"FlaggedForReview_s\\\":\\\"\\\",\\\"SignInIdentifier_s\\\":\\\"\\\",\\\"SignInIdentifierType_s\\\":\\\"\\\",\\\"ResourceTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"HomeTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"Type_s\\\":\\\"SigninLogs\\\",\\\"AdditionalDetails_s\\\":\\\"\\\",\\\"InitiatedBy_s\\\":\\\"\\\",\\\"ResourceIdentity_s\\\":\\\"\\\",\\\"HomeTenantId_s\\\":\\\"\\\",\\\"Type\\\":\\\"SigninLogs_CL\\\",\\\"_ResourceId\\\":\\\"\\\"}\",\"queryStartTime\":\"2026-03-24T07:00:00+00:00\",\"queryEndTime\":\"2026-03-25T07:00:00+00:00\",\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}}", "isContentBase64": false } } diff --git a/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelBookmarkRelation.Recording.json b/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelBookmarkRelation.Recording.json index 85a8c9b636f5..e539855590c6 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelBookmarkRelation.Recording.json +++ b/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelBookmarkRelation.Recording.json @@ -1,17 +1,17 @@ { - "Get-AzSentinelBookmarkRelation+[NoContext]+List+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/bookmarks/a1dded2a-ff31-44d4-b554-c43992597473/relations?api-version=2021-09-01-preview+1": { + "Get-AzSentinelBookmarkRelation+[NoContext]+List+$GET+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/bookmarks/c6d903c8-0407-4cef-9c08-0e3c2be798a1/relations?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/bookmarks/a1dded2a-ff31-44d4-b554-c43992597473/relations?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/bookmarks/c6d903c8-0407-4cef-9c08-0e3c2be798a1/relations?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "178" ], - "x-ms-client-request-id": [ "23780903-ee14-4753-8f08-e230569be4e9" ], + "x-ms-unique-id": [ "21" ], + "x-ms-client-request-id": [ "93a44806-8666-46ed-a9d2-15034a0ce8bc" ], "CommandName": [ "Get-AzSentinelbookmarkRelation" ], "FullCommandName": [ "Get-AzSentinelBookmarkRelation_List" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], + "User-Agent": [ "AzurePowershell/v15.4.0", "PSVersion/v7.6.0", "Az.SecurityInsights/3.2.1" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { @@ -22,37 +22,41 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11983" ], - "x-ms-request-id": [ "02963b6c-1e22-41ee-a714-0f59d8655492" ], - "x-ms-correlation-request-id": [ "02963b6c-1e22-41ee-a714-0f59d8655492" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160702Z:02963b6c-1e22-41ee-a714-0f59d8655492" ], + "Vary": [ "Accept-Encoding" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "1099" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/04c92b5a-f017-4eab-88d7-e17b4117bbf0" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-ratelimit-remaining-subscription-global-reads": [ "16499" ], + "x-ms-request-id": [ "d57a06fc-5bad-4df1-9398-48f96a572038" ], + "x-ms-correlation-request-id": [ "d57a06fc-5bad-4df1-9398-48f96a572038" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074419Z:d57a06fc-5bad-4df1-9398-48f96a572038" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:07:02 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: F0DA7A6136EB4A42B0E5D0A8963D1A9B Ref B: AMS231020512027 Ref C: 2026-03-25T07:44:18Z" ], + "Date": [ "Wed, 25 Mar 2026 07:44:18 GMT" ] }, "ContentHeaders": { "Content-Length": [ "840" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"value\":[{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Bookmarks/a1dded2a-ff31-44d4-b554-c43992597473/relations/01c3e510-2a6e-4d12-8289-7e039cd8af1e\",\"name\":\"01c3e510-2a6e-4d12-8289-7e039cd8af1e\",\"etag\":\"\\\"3c00d78a-0000-0100-0000-62fbbd240000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks/relations\",\"properties\":{\"relatedResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/7feca4d4-3414-403b-96ad-4cb1d105fec2\",\"relatedResourceName\":\"7feca4d4-3414-403b-96ad-4cb1d105fec2\",\"relatedResourceType\":\"Microsoft.SecurityInsights/Incidents\"}}]}", + "Content": "{\"value\":[{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Bookmarks/c6d903c8-0407-4cef-9c08-0e3c2be798a1/relations/91ae51f6-b3d6-45da-b7c4-9be2a72da2a3\",\"name\":\"91ae51f6-b3d6-45da-b7c4-9be2a72da2a3\",\"etag\":\"\\\"3b00c3fd-0000-0100-0000-69c38e820000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks/relations\",\"properties\":{\"relatedResourceId\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/72b20fd5-9297-487f-b5c0-16d443ae9bc9\",\"relatedResourceName\":\"72b20fd5-9297-487f-b5c0-16d443ae9bc9\",\"relatedResourceType\":\"Microsoft.SecurityInsights/Incidents\"}}]}", "isContentBase64": false } }, - "Get-AzSentinelBookmarkRelation+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/bookmarks/a1dded2a-ff31-44d4-b554-c43992597473/relations/01c3e510-2a6e-4d12-8289-7e039cd8af1e?api-version=2021-09-01-preview+1": { + "Get-AzSentinelBookmarkRelation+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/bookmarks/c6d903c8-0407-4cef-9c08-0e3c2be798a1/relations/91ae51f6-b3d6-45da-b7c4-9be2a72da2a3?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/bookmarks/a1dded2a-ff31-44d4-b554-c43992597473/relations/01c3e510-2a6e-4d12-8289-7e039cd8af1e?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/bookmarks/c6d903c8-0407-4cef-9c08-0e3c2be798a1/relations/91ae51f6-b3d6-45da-b7c4-9be2a72da2a3?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "179" ], - "x-ms-client-request-id": [ "5790594e-3c05-4cd1-b9c1-caa945ac1e01" ], + "x-ms-unique-id": [ "22" ], + "x-ms-client-request-id": [ "f8e5da97-d789-4027-a97d-8eec0d8ba846" ], "CommandName": [ "Get-AzSentinelbookmarkRelation" ], "FullCommandName": [ "Get-AzSentinelBookmarkRelation_Get" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], + "User-Agent": [ "AzurePowershell/v15.4.0", "PSVersion/v7.6.0", "Az.SecurityInsights/3.2.1" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { @@ -63,37 +67,41 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11982" ], - "x-ms-request-id": [ "e11766e3-106c-4c92-b5ae-2cac460564d1" ], - "x-ms-correlation-request-id": [ "e11766e3-106c-4c92-b5ae-2cac460564d1" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160702Z:e11766e3-106c-4c92-b5ae-2cac460564d1" ], + "Vary": [ "Accept-Encoding" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "1099" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/55e33316-4311-4946-9a24-1a60ef3dcee0" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-ratelimit-remaining-subscription-global-reads": [ "16499" ], + "x-ms-request-id": [ "7242ab76-7035-40b4-908e-bef04c9a99ac" ], + "x-ms-correlation-request-id": [ "7242ab76-7035-40b4-908e-bef04c9a99ac" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074419Z:7242ab76-7035-40b4-908e-bef04c9a99ac" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:07:02 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: D2A496B6258A487986CA9A859540DA5F Ref B: AMS231020512027 Ref C: 2026-03-25T07:44:19Z" ], + "Date": [ "Wed, 25 Mar 2026 07:44:19 GMT" ] }, "ContentHeaders": { "Content-Length": [ "828" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Bookmarks/a1dded2a-ff31-44d4-b554-c43992597473/relations/01c3e510-2a6e-4d12-8289-7e039cd8af1e\",\"name\":\"01c3e510-2a6e-4d12-8289-7e039cd8af1e\",\"etag\":\"\\\"3c00d78a-0000-0100-0000-62fbbd240000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks/relations\",\"properties\":{\"relatedResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/7feca4d4-3414-403b-96ad-4cb1d105fec2\",\"relatedResourceName\":\"7feca4d4-3414-403b-96ad-4cb1d105fec2\",\"relatedResourceType\":\"Microsoft.SecurityInsights/Incidents\"}}", + "Content": "{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Bookmarks/c6d903c8-0407-4cef-9c08-0e3c2be798a1/relations/91ae51f6-b3d6-45da-b7c4-9be2a72da2a3\",\"name\":\"91ae51f6-b3d6-45da-b7c4-9be2a72da2a3\",\"etag\":\"\\\"3b00c3fd-0000-0100-0000-69c38e820000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks/relations\",\"properties\":{\"relatedResourceId\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/72b20fd5-9297-487f-b5c0-16d443ae9bc9\",\"relatedResourceName\":\"72b20fd5-9297-487f-b5c0-16d443ae9bc9\",\"relatedResourceType\":\"Microsoft.SecurityInsights/Incidents\"}}", "isContentBase64": false } }, - "Get-AzSentinelBookmarkRelation+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/bookmarks/a1dded2a-ff31-44d4-b554-c43992597473/relations/01c3e510-2a6e-4d12-8289-7e039cd8af1e?api-version=2021-09-01-preview+1": { + "Get-AzSentinelBookmarkRelation+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/bookmarks/c6d903c8-0407-4cef-9c08-0e3c2be798a1/relations/91ae51f6-b3d6-45da-b7c4-9be2a72da2a3?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/bookmarks/a1dded2a-ff31-44d4-b554-c43992597473/relations/01c3e510-2a6e-4d12-8289-7e039cd8af1e?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/bookmarks/c6d903c8-0407-4cef-9c08-0e3c2be798a1/relations/91ae51f6-b3d6-45da-b7c4-9be2a72da2a3?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "180" ], - "x-ms-client-request-id": [ "010424c0-2f8a-49b6-9a63-b0a1b291a0e4" ], + "x-ms-unique-id": [ "23" ], + "x-ms-client-request-id": [ "10ecbfc3-d246-422e-a620-cd0b1813a214" ], "CommandName": [ "Get-AzSentinelbookmarkRelation" ], "FullCommandName": [ "Get-AzSentinelBookmarkRelation_Get" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], + "User-Agent": [ "AzurePowershell/v15.4.0", "PSVersion/v7.6.0", "Az.SecurityInsights/3.2.1" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { @@ -104,37 +112,41 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11981" ], - "x-ms-request-id": [ "31db6efa-501d-4865-b7ca-1e9022eb67c9" ], - "x-ms-correlation-request-id": [ "31db6efa-501d-4865-b7ca-1e9022eb67c9" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160702Z:31db6efa-501d-4865-b7ca-1e9022eb67c9" ], + "Vary": [ "Accept-Encoding" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "1099" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/c144bff3-71d4-4a90-bef6-894f778405b4" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-ratelimit-remaining-subscription-global-reads": [ "16499" ], + "x-ms-request-id": [ "f314a4aa-1f75-4da1-bb25-2aba25c4bebc" ], + "x-ms-correlation-request-id": [ "f314a4aa-1f75-4da1-bb25-2aba25c4bebc" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074420Z:f314a4aa-1f75-4da1-bb25-2aba25c4bebc" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:07:02 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: E6193DEE413143368F027B9BF171BC96 Ref B: AMS231020512027 Ref C: 2026-03-25T07:44:19Z" ], + "Date": [ "Wed, 25 Mar 2026 07:44:19 GMT" ] }, "ContentHeaders": { "Content-Length": [ "828" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Bookmarks/a1dded2a-ff31-44d4-b554-c43992597473/relations/01c3e510-2a6e-4d12-8289-7e039cd8af1e\",\"name\":\"01c3e510-2a6e-4d12-8289-7e039cd8af1e\",\"etag\":\"\\\"3c00d78a-0000-0100-0000-62fbbd240000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks/relations\",\"properties\":{\"relatedResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/7feca4d4-3414-403b-96ad-4cb1d105fec2\",\"relatedResourceName\":\"7feca4d4-3414-403b-96ad-4cb1d105fec2\",\"relatedResourceType\":\"Microsoft.SecurityInsights/Incidents\"}}", + "Content": "{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Bookmarks/c6d903c8-0407-4cef-9c08-0e3c2be798a1/relations/91ae51f6-b3d6-45da-b7c4-9be2a72da2a3\",\"name\":\"91ae51f6-b3d6-45da-b7c4-9be2a72da2a3\",\"etag\":\"\\\"3b00c3fd-0000-0100-0000-69c38e820000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks/relations\",\"properties\":{\"relatedResourceId\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/72b20fd5-9297-487f-b5c0-16d443ae9bc9\",\"relatedResourceName\":\"72b20fd5-9297-487f-b5c0-16d443ae9bc9\",\"relatedResourceType\":\"Microsoft.SecurityInsights/Incidents\"}}", "isContentBase64": false } }, - "Get-AzSentinelBookmarkRelation+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/bookmarks/a1dded2a-ff31-44d4-b554-c43992597473/relations/01c3e510-2a6e-4d12-8289-7e039cd8af1e?api-version=2021-09-01-preview+2": { + "Get-AzSentinelBookmarkRelation+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/bookmarks/c6d903c8-0407-4cef-9c08-0e3c2be798a1/relations/91ae51f6-b3d6-45da-b7c4-9be2a72da2a3?api-version=2021-09-01-preview+2": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/bookmarks/a1dded2a-ff31-44d4-b554-c43992597473/relations/01c3e510-2a6e-4d12-8289-7e039cd8af1e?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/bookmarks/c6d903c8-0407-4cef-9c08-0e3c2be798a1/relations/91ae51f6-b3d6-45da-b7c4-9be2a72da2a3?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "181" ], - "x-ms-client-request-id": [ "b558dcee-1f3f-4700-b1a1-2cdb3e64941f" ], + "x-ms-unique-id": [ "24" ], + "x-ms-client-request-id": [ "7c614d9d-2464-493a-837e-dbb92856c8e1" ], "CommandName": [ "Get-AzSentinelbookmarkRelation" ], "FullCommandName": [ "Get-AzSentinelBookmarkRelation_GetViaIdentity" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], + "User-Agent": [ "AzurePowershell/v15.4.0", "PSVersion/v7.6.0", "Az.SecurityInsights/3.2.1" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { @@ -145,21 +157,25 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11980" ], - "x-ms-request-id": [ "d326d58d-454d-4f20-8e7b-e0ac4feb9cf9" ], - "x-ms-correlation-request-id": [ "d326d58d-454d-4f20-8e7b-e0ac4feb9cf9" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160702Z:d326d58d-454d-4f20-8e7b-e0ac4feb9cf9" ], + "Vary": [ "Accept-Encoding" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "1099" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/8c6412ef-b1a7-4588-a424-f19c40ddba71" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-ratelimit-remaining-subscription-global-reads": [ "16499" ], + "x-ms-request-id": [ "6dfcd9d9-295d-4dab-a480-dacbe221ae75" ], + "x-ms-correlation-request-id": [ "6dfcd9d9-295d-4dab-a480-dacbe221ae75" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074420Z:6dfcd9d9-295d-4dab-a480-dacbe221ae75" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:07:02 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: 0378A0EE25AE426CB2F0F0C7DB813206 Ref B: AMS231020512027 Ref C: 2026-03-25T07:44:20Z" ], + "Date": [ "Wed, 25 Mar 2026 07:44:20 GMT" ] }, "ContentHeaders": { "Content-Length": [ "828" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Bookmarks/a1dded2a-ff31-44d4-b554-c43992597473/relations/01c3e510-2a6e-4d12-8289-7e039cd8af1e\",\"name\":\"01c3e510-2a6e-4d12-8289-7e039cd8af1e\",\"etag\":\"\\\"3c00d78a-0000-0100-0000-62fbbd240000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks/relations\",\"properties\":{\"relatedResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/7feca4d4-3414-403b-96ad-4cb1d105fec2\",\"relatedResourceName\":\"7feca4d4-3414-403b-96ad-4cb1d105fec2\",\"relatedResourceType\":\"Microsoft.SecurityInsights/Incidents\"}}", + "Content": "{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Bookmarks/c6d903c8-0407-4cef-9c08-0e3c2be798a1/relations/91ae51f6-b3d6-45da-b7c4-9be2a72da2a3\",\"name\":\"91ae51f6-b3d6-45da-b7c4-9be2a72da2a3\",\"etag\":\"\\\"3b00c3fd-0000-0100-0000-69c38e820000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks/relations\",\"properties\":{\"relatedResourceId\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/72b20fd5-9297-487f-b5c0-16d443ae9bc9\",\"relatedResourceName\":\"72b20fd5-9297-487f-b5c0-16d443ae9bc9\",\"relatedResourceType\":\"Microsoft.SecurityInsights/Incidents\"}}", "isContentBase64": false } } diff --git a/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelDataConnector.Recording.json b/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelDataConnector.Recording.json index b49b30893230..a29a51cfdbda 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelDataConnector.Recording.json +++ b/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelDataConnector.Recording.json @@ -1,17 +1,17 @@ { - "Get-AzSentinelDataConnector+[NoContext]+List+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/dataConnectors?api-version=2021-09-01-preview+1": { + "Get-AzSentinelDataConnector+[NoContext]+List+$GET+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/dataConnectors?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/dataConnectors?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/dataConnectors?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "182" ], - "x-ms-client-request-id": [ "f27d39e0-d37d-44ff-9663-1479b8cb7b18" ], + "x-ms-unique-id": [ "25" ], + "x-ms-client-request-id": [ "b54999ec-27c5-4066-9e75-577e36cb8735" ], "CommandName": [ "Get-AzSentineldataConnector" ], "FullCommandName": [ "Get-AzSentinelDataConnector_List" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], + "User-Agent": [ "AzurePowershell/v15.4.0", "PSVersion/v7.6.0", "Az.SecurityInsights/3.2.1" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { @@ -22,37 +22,40 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-resource-requests": [ "499" ], - "x-ms-request-id": [ "986c6dd9-77c4-4410-84b3-2fe4bb2a4bd7" ], - "x-ms-correlation-request-id": [ "986c6dd9-77c4-4410-84b3-2fe4bb2a4bd7" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160703Z:986c6dd9-77c4-4410-84b3-2fe4bb2a4bd7" ], + "Vary": [ "Accept-Encoding" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "1099" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/c4185397-09c0-4382-b623-bc6f066e9245" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-request-id": [ "c6724b57-56af-4383-bb09-fdde0f1a8cde" ], + "x-ms-correlation-request-id": [ "c6724b57-56af-4383-bb09-fdde0f1a8cde" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074422Z:c6724b57-56af-4383-bb09-fdde0f1a8cde" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:07:03 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: 3FB326403E474D658DFE377D0075E280 Ref B: AMS231020512027 Ref C: 2026-03-25T07:44:21Z" ], + "Date": [ "Wed, 25 Mar 2026 07:44:22 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "1122" ], + "Content-Length": [ "542" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"value\":[{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/dataConnectors/ef0ed2f1-dd75-4d02-afef-5fc84ded8e03\",\"name\":\"ef0ed2f1-dd75-4d02-afef-5fc84ded8e03\",\"etag\":\"343f5beb-3f53-4c32-adec-6d96dd1a719e\",\"type\":\"Microsoft.SecurityInsights/dataConnectors\",\"kind\":\"AzureSecurityCenter\",\"properties\":{\"subscriptionId\":\"51a36d38-3b14-471f-8dde-a5867f5e51eb\",\"dataTypes\":{\"alerts\":{\"state\":\"enabled\"}}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/dataConnectors/6d021fce-8f39-437c-9fb4-fc0a3794402d\",\"name\":\"6d021fce-8f39-437c-9fb4-fc0a3794402d\",\"etag\":\"7e7b29f8-4921-4f6a-ac9f-288d54eb8cd9\",\"type\":\"Microsoft.SecurityInsights/dataConnectors\",\"kind\":\"Office365\",\"properties\":{\"dataTypes\":{\"sharePoint\":{\"state\":\"disabled\"},\"exchange\":{\"state\":\"enabled\"},\"teams\":{\"state\":\"disabled\"}},\"tenantId\":\"d6eebbdd-d77c-465e-b008-4339027b4006\"}}]}", + "Content": "{\"value\":[{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/dataConnectors/5ae4f003-4029-44eb-8f4b-d65e5280bc42\",\"name\":\"5ae4f003-4029-44eb-8f4b-d65e5280bc42\",\"etag\":\"a9e6118d-e68f-4a47-a827-9d0d49daff5e\",\"type\":\"Microsoft.SecurityInsights/dataConnectors\",\"kind\":\"AzureSecurityCenter\",\"properties\":{\"subscriptionId\":\"419581d6-4853-49bd-83b6-d94bb8a77887\",\"dataTypes\":{\"alerts\":{\"state\":\"enabled\"}}}}]}", "isContentBase64": false } }, - "Get-AzSentinelDataConnector+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/dataConnectors/ef0ed2f1-dd75-4d02-afef-5fc84ded8e03?api-version=2021-09-01-preview+1": { + "Get-AzSentinelDataConnector+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/dataConnectors/5ae4f003-4029-44eb-8f4b-d65e5280bc42?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/dataConnectors/ef0ed2f1-dd75-4d02-afef-5fc84ded8e03?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/dataConnectors/5ae4f003-4029-44eb-8f4b-d65e5280bc42?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "183" ], - "x-ms-client-request-id": [ "fbf10869-7f00-4cc0-8e29-e2e475dd2c38" ], + "x-ms-unique-id": [ "26" ], + "x-ms-client-request-id": [ "924e529d-954f-497e-90fe-da07a9aa6ed5" ], "CommandName": [ "Get-AzSentineldataConnector" ], "FullCommandName": [ "Get-AzSentinelDataConnector_Get" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], + "User-Agent": [ "AzurePowershell/v15.4.0", "PSVersion/v7.6.0", "Az.SecurityInsights/3.2.1" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { @@ -63,37 +66,40 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-resource-requests": [ "498" ], - "x-ms-request-id": [ "3d032294-c79d-470d-b598-4c710aa21ae2" ], - "x-ms-correlation-request-id": [ "3d032294-c79d-470d-b598-4c710aa21ae2" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160703Z:3d032294-c79d-470d-b598-4c710aa21ae2" ], + "Vary": [ "Accept-Encoding" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "1099" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/0fcada71-84af-4981-a471-a4609054acf9" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-request-id": [ "57dc2b02-10a9-4c71-8557-7be3c4f51eda" ], + "x-ms-correlation-request-id": [ "57dc2b02-10a9-4c71-8557-7be3c4f51eda" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074423Z:57dc2b02-10a9-4c71-8557-7be3c4f51eda" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:07:03 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: B910C9A05B0E4C678327973B34792E9F Ref B: AMS231020512027 Ref C: 2026-03-25T07:44:23Z" ], + "Date": [ "Wed, 25 Mar 2026 07:44:22 GMT" ] }, "ContentHeaders": { "Content-Length": [ "530" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/dataConnectors/ef0ed2f1-dd75-4d02-afef-5fc84ded8e03\",\"name\":\"ef0ed2f1-dd75-4d02-afef-5fc84ded8e03\",\"etag\":\"343f5beb-3f53-4c32-adec-6d96dd1a719e\",\"type\":\"Microsoft.SecurityInsights/dataConnectors\",\"kind\":\"AzureSecurityCenter\",\"properties\":{\"subscriptionId\":\"51a36d38-3b14-471f-8dde-a5867f5e51eb\",\"dataTypes\":{\"alerts\":{\"state\":\"enabled\"}}}}", + "Content": "{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/dataConnectors/5ae4f003-4029-44eb-8f4b-d65e5280bc42\",\"name\":\"5ae4f003-4029-44eb-8f4b-d65e5280bc42\",\"etag\":\"a9e6118d-e68f-4a47-a827-9d0d49daff5e\",\"type\":\"Microsoft.SecurityInsights/dataConnectors\",\"kind\":\"AzureSecurityCenter\",\"properties\":{\"subscriptionId\":\"419581d6-4853-49bd-83b6-d94bb8a77887\",\"dataTypes\":{\"alerts\":{\"state\":\"enabled\"}}}}", "isContentBase64": false } }, - "Get-AzSentinelDataConnector+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/dataConnectors/ef0ed2f1-dd75-4d02-afef-5fc84ded8e03?api-version=2021-09-01-preview+1": { + "Get-AzSentinelDataConnector+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/dataConnectors/5ae4f003-4029-44eb-8f4b-d65e5280bc42?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/dataConnectors/ef0ed2f1-dd75-4d02-afef-5fc84ded8e03?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/dataConnectors/5ae4f003-4029-44eb-8f4b-d65e5280bc42?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "184" ], - "x-ms-client-request-id": [ "397ed35e-0679-4aa1-89cb-7ee3cb337ce6" ], + "x-ms-unique-id": [ "27" ], + "x-ms-client-request-id": [ "18a3d7ef-15b3-4793-a1aa-43c6a2f1c583" ], "CommandName": [ "Get-AzSentineldataConnector" ], "FullCommandName": [ "Get-AzSentinelDataConnector_Get" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], + "User-Agent": [ "AzurePowershell/v15.4.0", "PSVersion/v7.6.0", "Az.SecurityInsights/3.2.1" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { @@ -104,37 +110,40 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-resource-requests": [ "497" ], - "x-ms-request-id": [ "9152283c-36cf-48b1-8e18-88e04dcd987b" ], - "x-ms-correlation-request-id": [ "9152283c-36cf-48b1-8e18-88e04dcd987b" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160704Z:9152283c-36cf-48b1-8e18-88e04dcd987b" ], + "Vary": [ "Accept-Encoding" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "1099" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/6869c39a-f2bb-4857-b750-c6188e2360fe" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-request-id": [ "7f79ac9f-9ca3-4c54-b3c0-b1146ce1ce67" ], + "x-ms-correlation-request-id": [ "7f79ac9f-9ca3-4c54-b3c0-b1146ce1ce67" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074424Z:7f79ac9f-9ca3-4c54-b3c0-b1146ce1ce67" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:07:04 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: 4F1E8367E8094BFBAAE80ED21C9A6947 Ref B: AMS231020512027 Ref C: 2026-03-25T07:44:23Z" ], + "Date": [ "Wed, 25 Mar 2026 07:44:23 GMT" ] }, "ContentHeaders": { "Content-Length": [ "530" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/dataConnectors/ef0ed2f1-dd75-4d02-afef-5fc84ded8e03\",\"name\":\"ef0ed2f1-dd75-4d02-afef-5fc84ded8e03\",\"etag\":\"343f5beb-3f53-4c32-adec-6d96dd1a719e\",\"type\":\"Microsoft.SecurityInsights/dataConnectors\",\"kind\":\"AzureSecurityCenter\",\"properties\":{\"subscriptionId\":\"51a36d38-3b14-471f-8dde-a5867f5e51eb\",\"dataTypes\":{\"alerts\":{\"state\":\"enabled\"}}}}", + "Content": "{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/dataConnectors/5ae4f003-4029-44eb-8f4b-d65e5280bc42\",\"name\":\"5ae4f003-4029-44eb-8f4b-d65e5280bc42\",\"etag\":\"a9e6118d-e68f-4a47-a827-9d0d49daff5e\",\"type\":\"Microsoft.SecurityInsights/dataConnectors\",\"kind\":\"AzureSecurityCenter\",\"properties\":{\"subscriptionId\":\"419581d6-4853-49bd-83b6-d94bb8a77887\",\"dataTypes\":{\"alerts\":{\"state\":\"enabled\"}}}}", "isContentBase64": false } }, - "Get-AzSentinelDataConnector+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/dataConnectors/ef0ed2f1-dd75-4d02-afef-5fc84ded8e03?api-version=2021-09-01-preview+2": { + "Get-AzSentinelDataConnector+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/dataConnectors/5ae4f003-4029-44eb-8f4b-d65e5280bc42?api-version=2021-09-01-preview+2": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/dataConnectors/ef0ed2f1-dd75-4d02-afef-5fc84ded8e03?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/dataConnectors/5ae4f003-4029-44eb-8f4b-d65e5280bc42?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "185" ], - "x-ms-client-request-id": [ "8cd3b815-b5ea-4147-97ff-d1f6b3cde271" ], + "x-ms-unique-id": [ "28" ], + "x-ms-client-request-id": [ "4f73c438-7dad-467e-9a3b-556bf8d5fd1f" ], "CommandName": [ "Get-AzSentineldataConnector" ], "FullCommandName": [ "Get-AzSentinelDataConnector_GetViaIdentity" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], + "User-Agent": [ "AzurePowershell/v15.4.0", "PSVersion/v7.6.0", "Az.SecurityInsights/3.2.1" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { @@ -145,21 +154,24 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-resource-requests": [ "496" ], - "x-ms-request-id": [ "26d74272-4c67-4971-8cc5-793715d75559" ], - "x-ms-correlation-request-id": [ "26d74272-4c67-4971-8cc5-793715d75559" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160704Z:26d74272-4c67-4971-8cc5-793715d75559" ], + "Vary": [ "Accept-Encoding" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "1099" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/bead0573-50cb-4649-8244-167a916ade7c" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-request-id": [ "a82026fa-4a09-4162-87a7-b00d44594ee4" ], + "x-ms-correlation-request-id": [ "a82026fa-4a09-4162-87a7-b00d44594ee4" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074424Z:a82026fa-4a09-4162-87a7-b00d44594ee4" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:07:04 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: 46AB808D88214533B8AD38C057C71642 Ref B: AMS231020512027 Ref C: 2026-03-25T07:44:24Z" ], + "Date": [ "Wed, 25 Mar 2026 07:44:24 GMT" ] }, "ContentHeaders": { "Content-Length": [ "530" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/dataConnectors/ef0ed2f1-dd75-4d02-afef-5fc84ded8e03\",\"name\":\"ef0ed2f1-dd75-4d02-afef-5fc84ded8e03\",\"etag\":\"343f5beb-3f53-4c32-adec-6d96dd1a719e\",\"type\":\"Microsoft.SecurityInsights/dataConnectors\",\"kind\":\"AzureSecurityCenter\",\"properties\":{\"subscriptionId\":\"51a36d38-3b14-471f-8dde-a5867f5e51eb\",\"dataTypes\":{\"alerts\":{\"state\":\"enabled\"}}}}", + "Content": "{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/dataConnectors/5ae4f003-4029-44eb-8f4b-d65e5280bc42\",\"name\":\"5ae4f003-4029-44eb-8f4b-d65e5280bc42\",\"etag\":\"a9e6118d-e68f-4a47-a827-9d0d49daff5e\",\"type\":\"Microsoft.SecurityInsights/dataConnectors\",\"kind\":\"AzureSecurityCenter\",\"properties\":{\"subscriptionId\":\"419581d6-4853-49bd-83b6-d94bb8a77887\",\"dataTypes\":{\"alerts\":{\"state\":\"enabled\"}}}}", "isContentBase64": false } } diff --git a/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelEnrichment.Recording.json b/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelEnrichment.Recording.json index 0dce03291357..ebd4fc3a087f 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelEnrichment.Recording.json +++ b/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelEnrichment.Recording.json @@ -1,17 +1,17 @@ { - "Get-AzSentinelEnrichment+[NoContext]+Get_IP+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.SecurityInsights/enrichment/ip/geodata/?api-version=2021-09-01-preview\u0026ipAddress=8.8.8.8+1": { + "Get-AzSentinelEnrichment+[NoContext]+Get_IP+$GET+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.SecurityInsights/enrichment/ip/geodata/?api-version=2021-09-01-preview\u0026ipAddress=8.8.8.8+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.SecurityInsights/enrichment/ip/geodata/?api-version=2021-09-01-preview\u0026ipAddress=8.8.8.8", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.SecurityInsights/enrichment/ip/geodata/?api-version=2021-09-01-preview\u0026ipAddress=8.8.8.8", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "186" ], - "x-ms-client-request-id": [ "6b6ded5e-93a2-4fb3-acb3-92d003883b60" ], + "x-ms-unique-id": [ "29" ], + "x-ms-client-request-id": [ "882a0876-7554-41de-a7f5-68c76892879d" ], "CommandName": [ "Get-AzSentinelEnrichment" ], "FullCommandName": [ "Get-AzSentinelEnrichment_Get" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], + "User-Agent": [ "AzurePowershell/v15.4.0", "PSVersion/v7.6.0", "Az.SecurityInsights/3.2.1" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { @@ -22,37 +22,41 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11979" ], - "x-ms-request-id": [ "ed65f374-acca-48d4-94ea-aac9696bfbaf" ], - "x-ms-correlation-request-id": [ "ed65f374-acca-48d4-94ea-aac9696bfbaf" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160705Z:ed65f374-acca-48d4-94ea-aac9696bfbaf" ], + "Vary": [ "Accept-Encoding" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "1098" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/ff329865-0f0b-46da-93b2-4451f396f492" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-ratelimit-remaining-subscription-global-reads": [ "16498" ], + "x-ms-request-id": [ "5d43531a-33f1-4e3b-a263-ebb9e0cc06b7" ], + "x-ms-correlation-request-id": [ "5d43531a-33f1-4e3b-a263-ebb9e0cc06b7" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074426Z:5d43531a-33f1-4e3b-a263-ebb9e0cc06b7" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:07:04 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: 9A4209E2101A4DDB997843EB67166D55 Ref B: AMS231020512027 Ref C: 2026-03-25T07:44:25Z" ], + "Date": [ "Wed, 25 Mar 2026 07:44:25 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "363" ], + "Content-Length": [ "375" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"asn\":\"15169\",\"carrier\":\"google llc\",\"city\":\"glenmont\",\"cityCf\":80,\"continent\":\"north america\",\"country\":\"united states\",\"countryCf\":99,\"ipAddr\":\"8.8.8.8\",\"ipRoutingType\":\"fixed\",\"latitude\":\"40.537\",\"longitude\":\"-82.12859\",\"organization\":\"google\",\"organizationType\":\"Internet Service Provider\",\"region\":\"great lakes\",\"state\":\"ohio\",\"stateCf\":95,\"stateCode\":\"oh\"}", + "Content": "{\"asn\":\"15169\",\"carrier\":\"google\",\"city\":\"mountain view\",\"cityCf\":90,\"continent\":\"north america\",\"country\":\"united states\",\"countryCf\":99,\"ipAddr\":\"8.8.8.8\",\"ipRoutingType\":\"fixed\",\"latitude\":\"37.38802\",\"longitude\":\"-122.07431\",\"organization\":\"google llc\",\"organizationType\":\"Internet Service Provider\",\"region\":\"southwest\",\"state\":\"california\",\"stateCf\":90,\"stateCode\":\"ca\"}", "isContentBase64": false } }, - "Get-AzSentinelEnrichment+[NoContext]+Get_Domain+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.SecurityInsights/enrichment/domain/whois/?api-version=2021-09-01-preview\u0026domain=google.com+1": { + "Get-AzSentinelEnrichment+[NoContext]+Get_Domain+$GET+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.SecurityInsights/enrichment/domain/whois/?api-version=2021-09-01-preview\u0026domain=google.com+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.SecurityInsights/enrichment/domain/whois/?api-version=2021-09-01-preview\u0026domain=google.com", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.SecurityInsights/enrichment/domain/whois/?api-version=2021-09-01-preview\u0026domain=google.com", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "187" ], - "x-ms-client-request-id": [ "b08a6bc7-59c5-425a-9421-70cbac317927" ], + "x-ms-unique-id": [ "30" ], + "x-ms-client-request-id": [ "381ae12c-0ef5-4c1c-8220-9e373006b4ac" ], "CommandName": [ "Get-AzSentinelEnrichment" ], "FullCommandName": [ "Get-AzSentinelEnrichment_Get1" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], + "User-Agent": [ "AzurePowershell/v15.4.0", "PSVersion/v7.6.0", "Az.SecurityInsights/3.2.1" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { @@ -63,21 +67,25 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11978" ], - "x-ms-request-id": [ "e60ecf7c-abb2-4a3c-aef4-bb17dd8703d8" ], - "x-ms-correlation-request-id": [ "e60ecf7c-abb2-4a3c-aef4-bb17dd8703d8" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160705Z:e60ecf7c-abb2-4a3c-aef4-bb17dd8703d8" ], + "Vary": [ "Accept-Encoding" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "1099" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/ba995ec0-f20e-465b-b5cf-dfd2ad23ae68" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-ratelimit-remaining-subscription-global-reads": [ "16499" ], + "x-ms-request-id": [ "e768bc93-29cd-4dd1-96c0-1844b9830ce1" ], + "x-ms-correlation-request-id": [ "e768bc93-29cd-4dd1-96c0-1844b9830ce1" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074427Z:e768bc93-29cd-4dd1-96c0-1844b9830ce1" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:07:05 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: AF4552EB81D34740A369B9833C75AD79 Ref B: AMS231020512027 Ref C: 2026-03-25T07:44:26Z" ], + "Date": [ "Wed, 25 Mar 2026 07:44:26 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "1403" ], + "Content-Length": [ "1160" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"domain\":\"google.com\",\"server\":\"whois.markmonitor.com\",\"created\":\"1997-09-15T00:00:00Z\",\"updated\":\"2019-09-09T00:00:00Z\",\"expires\":\"2028-09-14T00:00:00Z\",\"parsedWhois\":{\"registrar\":{\"name\":\"MarkMonitor, Inc.\",\"abuseContactPhone\":\"12083895770\",\"abuseContactEmail\":\"abusecomplaints@markmonitor.com\",\"ianaId\":\"292\",\"url\":\"http://www.markmonitor.com\",\"whoisServer\":\"whois.markmonitor.com\"},\"contacts\":{\"admin\":{\"name\":\"\",\"org\":\"Google LLC\",\"street\":[],\"city\":\"\",\"state\":\"CA\",\"postal\":\"\",\"country\":\"us\",\"phone\":\"\",\"fax\":\"\",\"email\":\"Select Request Email Form at https://domains.markmonitor.com/whois/google.com\"},\"registrant\":{\"name\":\"\",\"org\":\"Google LLC\",\"street\":[],\"city\":\"\",\"state\":\"CA\",\"postal\":\"\",\"country\":\"us\",\"phone\":\"\",\"fax\":\"\",\"email\":\"Select Request Email Form at https://domains.markmonitor.com/whois/google.com\"},\"billing\":{\"name\":\"\",\"org\":\"\",\"street\":[],\"city\":\"\",\"state\":\"\",\"postal\":\"\",\"country\":\"\",\"phone\":\"\",\"fax\":\"\",\"email\":\"\"},\"tech\":{\"name\":\"\",\"org\":\"Google LLC\",\"street\":[],\"city\":\"\",\"state\":\"CA\",\"postal\":\"\",\"country\":\"us\",\"phone\":\"\",\"fax\":\"\",\"email\":\"Select Request Email Form at https://domains.markmonitor.com/whois/google.com\"}},\"nameServers\":[\"ns1.google.com\",\"ns2.google.com\",\"ns3.google.com\",\"ns4.google.com\"],\"statuses\":[\"clientUpdateProhibited\",\"clientTransferProhibited\",\"clientDeleteProhibited\",\"serverUpdateProhibited\",\"serverTransferProhibited\",\"serverDeleteProhibited\"]}}", + "Content": "{\"domain\":\"google.com\",\"server\":\"whois.markmonitor.com\",\"created\":\"1997-09-15T07:00:00Z\",\"updated\":\"2024-08-02T02:17:33Z\",\"expires\":\"2028-09-13T07:00:00Z\",\"parsedWhois\":{\"registrar\":{\"name\":\"Markmonitor Inc.\",\"abuseContactPhone\":\"+1.2086851750\",\"abuseContactEmail\":\"abusecomplaints@markmonitor.com\",\"ianaId\":\"292\",\"url\":\"292\",\"whoisServer\":\"whois.markmonitor.com\"},\"contacts\":{\"admin\":{\"name\":\"\",\"org\":\"\",\"street\":[\"\"],\"city\":\"\",\"state\":\"\",\"postal\":\"\",\"country\":\"\",\"phone\":\"\",\"fax\":\"\",\"email\":\"\"},\"registrant\":{\"name\":\"REDACTED REGISTRANT\",\"org\":\"Google LLC\",\"street\":[\"REDACTED FOR PRIVACY\"],\"city\":\"REDACTED FOR PRIVACY\",\"state\":\"\",\"postal\":\"REDACTED FOR PRIVACY\",\"country\":\"\",\"phone\":\"redacted for privacy\",\"fax\":\"\",\"email\":\"redacted for privacy\"},\"billing\":{\"name\":\"Markmonitor Inc.\",\"org\":\"\",\"street\":[\"\"],\"city\":\"\",\"state\":\"\",\"postal\":\"\",\"country\":\"\",\"phone\":\"+1.2086851750\",\"fax\":\"\",\"email\":\"abusecomplaints@markmonitor.com\"},\"tech\":{\"name\":\"\",\"org\":\"\",\"street\":[\"\"],\"city\":\"\",\"state\":\"\",\"postal\":\"\",\"country\":\"\",\"phone\":\"\",\"fax\":\"\",\"email\":\"\"}},\"nameServers\":[\"ns1.google.com\",\"ns2.google.com\",\"ns3.google.com\",\"ns4.google.com\"],\"statuses\":[\"ACTIVE\"]}}", "isContentBase64": false } } diff --git a/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelEntity.Recording.json b/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelEntity.Recording.json index 35f9cbdd6797..90b42c9f5dfc 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelEntity.Recording.json +++ b/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelEntity.Recording.json @@ -1,17 +1,17 @@ { - "Get-AzSentinelEntity+[NoContext]+List+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entities?api-version=2021-09-01-preview+1": { + "Get-AzSentinelEntity+[NoContext]+List+$GET+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entities?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entities?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entities?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "188" ], - "x-ms-client-request-id": [ "cedbed8a-00cf-49e1-9e0c-7a9f877c2bec" ], + "x-ms-unique-id": [ "31" ], + "x-ms-client-request-id": [ "9ee74d5a-f20e-4412-9833-346b33687d9e" ], "CommandName": [ "Get-AzSentinelentity" ], "FullCommandName": [ "Get-AzSentinelEntity_List" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], + "User-Agent": [ "AzurePowershell/v15.4.0", "PSVersion/v7.6.0", "Az.SecurityInsights/3.2.1" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { @@ -22,37 +22,41 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11977" ], - "x-ms-request-id": [ "e72192da-2eac-471f-a29d-825e10ee9789" ], - "x-ms-correlation-request-id": [ "e72192da-2eac-471f-a29d-825e10ee9789" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160706Z:e72192da-2eac-471f-a29d-825e10ee9789" ], + "Vary": [ "Accept-Encoding" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "1099" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/2f89040e-6c9f-409b-a827-1fb0ac8ab0f1" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-ratelimit-remaining-subscription-global-reads": [ "16499" ], + "x-ms-request-id": [ "02f12bcb-4bd1-4487-98f1-f688a83f926c" ], + "x-ms-correlation-request-id": [ "02f12bcb-4bd1-4487-98f1-f688a83f926c" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074429Z:02f12bcb-4bd1-4487-98f1-f688a83f926c" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:07:06 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: C5F983A1C2974C0CB86A139B5E5EC3A4 Ref B: AMS231020512027 Ref C: 2026-03-25T07:44:28Z" ], + "Date": [ "Wed, 25 Mar 2026 07:44:28 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "461" ], + "Content-Length": [ "482" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"value\":[{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d\",\"name\":\"f76e8451-9f40-544f-61e4-33a50dca269d\",\"type\":\"Microsoft.SecurityInsights/entities\",\"kind\":\"Ip\",\"properties\":{\"address\":\"175.45.176.99\",\"additionalData\":{\"AlertCount\":\"5\"},\"friendlyName\":\"175.45.176.99\"}}]}", + "Content": "{\"value\":[{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d\",\"name\":\"f76e8451-9f40-544f-61e4-33a50dca269d\",\"type\":\"Microsoft.SecurityInsights/entities\",\"kind\":\"Ip\",\"properties\":{\"address\":\"175.45.176.99\",\"additionalData\":{\"AlertCount\":\"5\",\"IsExactMatch\":false},\"friendlyName\":\"175.45.176.99\"}}]}", "isContentBase64": false } }, - "Get-AzSentinelEntity+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entities?api-version=2021-09-01-preview+1": { + "Get-AzSentinelEntity+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entities?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entities?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entities?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "189" ], - "x-ms-client-request-id": [ "2c8aa239-c329-4051-a5fe-6b630d2bbeed" ], + "x-ms-unique-id": [ "32" ], + "x-ms-client-request-id": [ "28fef159-8d59-42b1-8e5e-cbdd2efa52ca" ], "CommandName": [ "Get-AzSentinelentity" ], "FullCommandName": [ "Get-AzSentinelEntity_List" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], + "User-Agent": [ "AzurePowershell/v15.4.0", "PSVersion/v7.6.0", "Az.SecurityInsights/3.2.1" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { @@ -63,37 +67,41 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11976" ], - "x-ms-request-id": [ "c437a67b-1afd-4881-a87c-ca52af4ed020" ], - "x-ms-correlation-request-id": [ "c437a67b-1afd-4881-a87c-ca52af4ed020" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160706Z:c437a67b-1afd-4881-a87c-ca52af4ed020" ], + "Vary": [ "Accept-Encoding" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "1099" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/538dc984-95c9-45bf-90bc-0b772964d777" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-ratelimit-remaining-subscription-global-reads": [ "16499" ], + "x-ms-request-id": [ "8e841758-85d8-4352-a3f6-79b2ed471b09" ], + "x-ms-correlation-request-id": [ "8e841758-85d8-4352-a3f6-79b2ed471b09" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074429Z:8e841758-85d8-4352-a3f6-79b2ed471b09" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:07:06 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: 3B347DF355684652BED45A3D1E817005 Ref B: AMS231020512027 Ref C: 2026-03-25T07:44:29Z" ], + "Date": [ "Wed, 25 Mar 2026 07:44:29 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "461" ], + "Content-Length": [ "482" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"value\":[{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d\",\"name\":\"f76e8451-9f40-544f-61e4-33a50dca269d\",\"type\":\"Microsoft.SecurityInsights/entities\",\"kind\":\"Ip\",\"properties\":{\"address\":\"175.45.176.99\",\"additionalData\":{\"AlertCount\":\"5\"},\"friendlyName\":\"175.45.176.99\"}}]}", + "Content": "{\"value\":[{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d\",\"name\":\"f76e8451-9f40-544f-61e4-33a50dca269d\",\"type\":\"Microsoft.SecurityInsights/entities\",\"kind\":\"Ip\",\"properties\":{\"address\":\"175.45.176.99\",\"additionalData\":{\"AlertCount\":\"5\",\"IsExactMatch\":false},\"friendlyName\":\"175.45.176.99\"}}]}", "isContentBase64": false } }, - "Get-AzSentinelEntity+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d?api-version=2021-09-01-preview+2": { + "Get-AzSentinelEntity+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d?api-version=2021-09-01-preview+2": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "190" ], - "x-ms-client-request-id": [ "6696cfc8-f953-41f1-999d-7c8df44e9bef" ], + "x-ms-unique-id": [ "33" ], + "x-ms-client-request-id": [ "b98ac154-eaf3-442e-a823-e1bde1780f1a" ], "CommandName": [ "Get-AzSentinelentity" ], "FullCommandName": [ "Get-AzSentinelEntity_Get" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], + "User-Agent": [ "AzurePowershell/v15.4.0", "PSVersion/v7.6.0", "Az.SecurityInsights/3.2.1" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { @@ -104,37 +112,41 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11975" ], - "x-ms-request-id": [ "09105238-41f6-4511-a5d6-325a30c28ffc" ], - "x-ms-correlation-request-id": [ "09105238-41f6-4511-a5d6-325a30c28ffc" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160708Z:09105238-41f6-4511-a5d6-325a30c28ffc" ], + "Vary": [ "Accept-Encoding" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "1099" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/da311e14-ccd3-4351-a795-02611defec83" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-ratelimit-remaining-subscription-global-reads": [ "16499" ], + "x-ms-request-id": [ "2036b232-81e8-4d67-a6eb-d5d6cb52e3f7" ], + "x-ms-correlation-request-id": [ "2036b232-81e8-4d67-a6eb-d5d6cb52e3f7" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074430Z:2036b232-81e8-4d67-a6eb-d5d6cb52e3f7" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:07:07 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: B1A1D239B19C4CD0AEC901B365454832 Ref B: AMS231020512027 Ref C: 2026-03-25T07:44:30Z" ], + "Date": [ "Wed, 25 Mar 2026 07:44:30 GMT" ] }, "ContentHeaders": { "Content-Length": [ "413" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d\",\"name\":\"f76e8451-9f40-544f-61e4-33a50dca269d\",\"type\":\"Microsoft.SecurityInsights/entities\",\"kind\":\"Ip\",\"properties\":{\"address\":\"175.45.176.99\",\"friendlyName\":\"175.45.176.99\"}}", + "Content": "{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d\",\"name\":\"f76e8451-9f40-544f-61e4-33a50dca269d\",\"type\":\"Microsoft.SecurityInsights/entities\",\"kind\":\"Ip\",\"properties\":{\"address\":\"175.45.176.99\",\"friendlyName\":\"175.45.176.99\"}}", "isContentBase64": false } }, - "Get-AzSentinelEntity+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entities?api-version=2021-09-01-preview+1": { + "Get-AzSentinelEntity+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entities?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entities?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entities?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "191" ], - "x-ms-client-request-id": [ "b8409c32-04fa-4331-b0c2-de9729f742ae" ], + "x-ms-unique-id": [ "34" ], + "x-ms-client-request-id": [ "14671b81-dd1f-4746-8a1b-b64281884561" ], "CommandName": [ "Get-AzSentinelentity" ], "FullCommandName": [ "Get-AzSentinelEntity_List" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], + "User-Agent": [ "AzurePowershell/v15.4.0", "PSVersion/v7.6.0", "Az.SecurityInsights/3.2.1" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { @@ -145,37 +157,41 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11974" ], - "x-ms-request-id": [ "105d944b-e949-47a1-ab99-36782ac161b7" ], - "x-ms-correlation-request-id": [ "105d944b-e949-47a1-ab99-36782ac161b7" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160708Z:105d944b-e949-47a1-ab99-36782ac161b7" ], + "Vary": [ "Accept-Encoding" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "1099" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/3b8cbcf8-9a68-40f1-b60b-a1989d3a602e" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-ratelimit-remaining-subscription-global-reads": [ "16499" ], + "x-ms-request-id": [ "0517749f-48b0-40ec-825d-787fd95dd4d9" ], + "x-ms-correlation-request-id": [ "0517749f-48b0-40ec-825d-787fd95dd4d9" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074431Z:0517749f-48b0-40ec-825d-787fd95dd4d9" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:07:08 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: 37EC5CA590094499AB333D27FCAC8E01 Ref B: AMS231020512027 Ref C: 2026-03-25T07:44:31Z" ], + "Date": [ "Wed, 25 Mar 2026 07:44:31 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "461" ], + "Content-Length": [ "482" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"value\":[{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d\",\"name\":\"f76e8451-9f40-544f-61e4-33a50dca269d\",\"type\":\"Microsoft.SecurityInsights/entities\",\"kind\":\"Ip\",\"properties\":{\"address\":\"175.45.176.99\",\"additionalData\":{\"AlertCount\":\"5\"},\"friendlyName\":\"175.45.176.99\"}}]}", + "Content": "{\"value\":[{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d\",\"name\":\"f76e8451-9f40-544f-61e4-33a50dca269d\",\"type\":\"Microsoft.SecurityInsights/entities\",\"kind\":\"Ip\",\"properties\":{\"address\":\"175.45.176.99\",\"additionalData\":{\"AlertCount\":\"5\",\"IsExactMatch\":false},\"friendlyName\":\"175.45.176.99\"}}]}", "isContentBase64": false } }, - "Get-AzSentinelEntity+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d?api-version=2021-09-01-preview+2": { + "Get-AzSentinelEntity+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d?api-version=2021-09-01-preview+2": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "192" ], - "x-ms-client-request-id": [ "41bab93e-87d5-4e74-88cd-2219a0f93337" ], + "x-ms-unique-id": [ "35" ], + "x-ms-client-request-id": [ "d676b019-cf34-4f8b-b9c4-fc6b870eae44" ], "CommandName": [ "Get-AzSentinelentity" ], "FullCommandName": [ "Get-AzSentinelEntity_Get" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], + "User-Agent": [ "AzurePowershell/v15.4.0", "PSVersion/v7.6.0", "Az.SecurityInsights/3.2.1" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { @@ -186,37 +202,41 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11973" ], - "x-ms-request-id": [ "192fa77e-ac6a-4239-aa2f-6dbd9c4cbe6e" ], - "x-ms-correlation-request-id": [ "192fa77e-ac6a-4239-aa2f-6dbd9c4cbe6e" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160708Z:192fa77e-ac6a-4239-aa2f-6dbd9c4cbe6e" ], + "Vary": [ "Accept-Encoding" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "1098" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/a795e51c-a36f-4568-95ef-dd89a3251b61" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-ratelimit-remaining-subscription-global-reads": [ "16498" ], + "x-ms-request-id": [ "9b109cb2-c2c3-45fc-8ffb-929dca4afcb8" ], + "x-ms-correlation-request-id": [ "9b109cb2-c2c3-45fc-8ffb-929dca4afcb8" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074432Z:9b109cb2-c2c3-45fc-8ffb-929dca4afcb8" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:07:08 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: DBB06AF764924BC1A7531FB40973EEED Ref B: AMS231020512027 Ref C: 2026-03-25T07:44:31Z" ], + "Date": [ "Wed, 25 Mar 2026 07:44:31 GMT" ] }, "ContentHeaders": { "Content-Length": [ "413" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d\",\"name\":\"f76e8451-9f40-544f-61e4-33a50dca269d\",\"type\":\"Microsoft.SecurityInsights/entities\",\"kind\":\"Ip\",\"properties\":{\"address\":\"175.45.176.99\",\"friendlyName\":\"175.45.176.99\"}}", + "Content": "{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d\",\"name\":\"f76e8451-9f40-544f-61e4-33a50dca269d\",\"type\":\"Microsoft.SecurityInsights/entities\",\"kind\":\"Ip\",\"properties\":{\"address\":\"175.45.176.99\",\"friendlyName\":\"175.45.176.99\"}}", "isContentBase64": false } }, - "Get-AzSentinelEntity+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d?api-version=2021-09-01-preview+3": { + "Get-AzSentinelEntity+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d?api-version=2021-09-01-preview+3": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "193" ], - "x-ms-client-request-id": [ "a1ba90cb-118e-458c-994c-cb079c780958" ], + "x-ms-unique-id": [ "36" ], + "x-ms-client-request-id": [ "595339df-b83b-41f1-b45d-7b09421c0d3f" ], "CommandName": [ "Get-AzSentinelentity" ], "FullCommandName": [ "Get-AzSentinelEntity_GetViaIdentity" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], + "User-Agent": [ "AzurePowershell/v15.4.0", "PSVersion/v7.6.0", "Az.SecurityInsights/3.2.1" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { @@ -227,21 +247,25 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11972" ], - "x-ms-request-id": [ "f0867a60-b546-4309-aec7-04c40ec441fc" ], - "x-ms-correlation-request-id": [ "f0867a60-b546-4309-aec7-04c40ec441fc" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160710Z:f0867a60-b546-4309-aec7-04c40ec441fc" ], + "Vary": [ "Accept-Encoding" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "1099" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/3d57a4c3-08d9-4d54-bdb3-18f764930052" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-ratelimit-remaining-subscription-global-reads": [ "16499" ], + "x-ms-request-id": [ "6d868b0c-bb84-4435-92f7-f9ed0367aba9" ], + "x-ms-correlation-request-id": [ "6d868b0c-bb84-4435-92f7-f9ed0367aba9" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074432Z:6d868b0c-bb84-4435-92f7-f9ed0367aba9" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:07:10 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: 6BA5E64627364CDF937F0C3290826EE9 Ref B: AMS231020512027 Ref C: 2026-03-25T07:44:32Z" ], + "Date": [ "Wed, 25 Mar 2026 07:44:32 GMT" ] }, "ContentHeaders": { "Content-Length": [ "413" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d\",\"name\":\"f76e8451-9f40-544f-61e4-33a50dca269d\",\"type\":\"Microsoft.SecurityInsights/entities\",\"kind\":\"Ip\",\"properties\":{\"address\":\"175.45.176.99\",\"friendlyName\":\"175.45.176.99\"}}", + "Content": "{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d\",\"name\":\"f76e8451-9f40-544f-61e4-33a50dca269d\",\"type\":\"Microsoft.SecurityInsights/entities\",\"kind\":\"Ip\",\"properties\":{\"address\":\"175.45.176.99\",\"friendlyName\":\"175.45.176.99\"}}", "isContentBase64": false } } diff --git a/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelEntityActivity.Recording.json b/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelEntityActivity.Recording.json index 544dd15e81c8..0070a87e6fac 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelEntityActivity.Recording.json +++ b/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelEntityActivity.Recording.json @@ -1,17 +1,17 @@ { - "Get-AzSentinelEntityActivity+[NoContext]+Queries+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entities?api-version=2021-09-01-preview+1": { + "Get-AzSentinelEntityActivity+[NoContext]+Queries+$GET+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entities?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entities?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entities?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "194" ], - "x-ms-client-request-id": [ "f11f310f-eb7d-4494-8cbf-a3b00a40d82e" ], + "x-ms-unique-id": [ "37" ], + "x-ms-client-request-id": [ "0d5a1c26-195c-40b7-8133-48c3a09cfebf" ], "CommandName": [ "Get-AzSentinelentity" ], "FullCommandName": [ "Get-AzSentinelEntity_List" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], + "User-Agent": [ "AzurePowershell/v15.4.0", "PSVersion/v7.6.0", "Az.SecurityInsights/3.2.1" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { @@ -22,37 +22,41 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11971" ], - "x-ms-request-id": [ "c2ad44cd-756f-4644-bf04-e38bebf85c67" ], - "x-ms-correlation-request-id": [ "c2ad44cd-756f-4644-bf04-e38bebf85c67" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160711Z:c2ad44cd-756f-4644-bf04-e38bebf85c67" ], + "Vary": [ "Accept-Encoding" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "1099" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/69001eab-7e43-4486-9634-1ca14d2faf51" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-ratelimit-remaining-subscription-global-reads": [ "16499" ], + "x-ms-request-id": [ "8cdbe236-e1f4-4534-ab6b-f9d00c0eb712" ], + "x-ms-correlation-request-id": [ "8cdbe236-e1f4-4534-ab6b-f9d00c0eb712" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074433Z:8cdbe236-e1f4-4534-ab6b-f9d00c0eb712" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:07:10 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: 4B4CBB8E11D44A0CA077E592AFAB02BB Ref B: AMS231020512027 Ref C: 2026-03-25T07:44:33Z" ], + "Date": [ "Wed, 25 Mar 2026 07:44:33 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "461" ], + "Content-Length": [ "482" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"value\":[{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d\",\"name\":\"f76e8451-9f40-544f-61e4-33a50dca269d\",\"type\":\"Microsoft.SecurityInsights/entities\",\"kind\":\"Ip\",\"properties\":{\"address\":\"175.45.176.99\",\"additionalData\":{\"AlertCount\":\"5\"},\"friendlyName\":\"175.45.176.99\"}}]}", + "Content": "{\"value\":[{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d\",\"name\":\"f76e8451-9f40-544f-61e4-33a50dca269d\",\"type\":\"Microsoft.SecurityInsights/entities\",\"kind\":\"Ip\",\"properties\":{\"address\":\"175.45.176.99\",\"additionalData\":{\"AlertCount\":\"5\",\"IsExactMatch\":false},\"friendlyName\":\"175.45.176.99\"}}]}", "isContentBase64": false } }, - "Get-AzSentinelEntityActivity+[NoContext]+Queries+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d/queries?api-version=2021-09-01-preview\u0026kind=Insight+2": { + "Get-AzSentinelEntityActivity+[NoContext]+Queries+$GET+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d/queries?api-version=2021-09-01-preview\u0026kind=Insight+2": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d/queries?api-version=2021-09-01-preview\u0026kind=Insight", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d/queries?api-version=2021-09-01-preview\u0026kind=Insight", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "195" ], - "x-ms-client-request-id": [ "bfeccd56-c4b4-428f-8585-2431d50ce612" ], + "x-ms-unique-id": [ "38" ], + "x-ms-client-request-id": [ "7b7f941c-01f0-4798-93d9-171567efc12d" ], "CommandName": [ "Get-AzSentinelEntityActivity" ], "FullCommandName": [ "Get-AzSentinelEntityActivity_Queries" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], + "User-Agent": [ "AzurePowershell/v15.4.0", "PSVersion/v7.6.0", "Az.SecurityInsights/3.2.1" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { @@ -63,21 +67,25 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11970" ], - "x-ms-request-id": [ "4603fdc7-eb0f-404f-bf45-a28a23f6e307" ], - "x-ms-correlation-request-id": [ "4603fdc7-eb0f-404f-bf45-a28a23f6e307" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160713Z:4603fdc7-eb0f-404f-bf45-a28a23f6e307" ], + "Vary": [ "Accept-Encoding" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "1099" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/3b222d09-a0ac-4393-952c-89ae05f6a9ab" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-ratelimit-remaining-subscription-global-reads": [ "16499" ], + "x-ms-request-id": [ "f46e154b-d9ed-4b58-8524-b729ac6a0f3a" ], + "x-ms-correlation-request-id": [ "f46e154b-d9ed-4b58-8524-b729ac6a0f3a" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074435Z:f46e154b-d9ed-4b58-8524-b729ac6a0f3a" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:07:13 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: 48F0F1B0B2894CEBBA3B5533A20739B6 Ref B: AMS231020512027 Ref C: 2026-03-25T07:44:33Z" ], + "Date": [ "Wed, 25 Mar 2026 07:44:34 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "20801" ], + "Content-Length": [ "23274" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"value\":[{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d/queries/b8e2df44-f98f-4c95-bcbe-f8210f3e0f23\",\"name\":\"b8e2df44-f98f-4c95-bcbe-f8210f3e0f23\",\"type\":\"Microsoft.SecurityInsights/entities/queries\",\"kind\":\"Insight\",\"properties\":{\"displayName\":\"IP address remote connections\",\"description\":\"\u0027Provides the remote IP connection count information for outbound and inbound connections to an IP address. Note due to potential performance impact, data is limited to a 7 day max window.\u0027\\n\",\"baseQuery\":\"let GetIPStats = (Ip_Address:string){\\n//checking time span to lock to 7 days or less for Entity page usage\\nlet start = datetime(\u0027{{StartTimeISO}}\u0027);\\nlet end = datetime(\u0027{{EndTimeISO}}\u0027);\\nlet end_start = datetime_diff(\u0027day\u0027,end,start);\\nlet start_time = iff(end_start \u003e 7, end - 7d, start);\\nlet end_time = end;\\nlet IpStats = (union isfuzzy=true\\n(\\nVMConnection\\n| where TimeGenerated between (start_time..end_time)\\n| where SourceIp =~ Ip_Address\\n| where SourceIp != DestinationIp\\n| where Direction =~ \\\"outbound\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), OutboundCount = countif(Direction =~ \\\"outbound\\\") by IPAddress = SourceIp, Type, RemoteIPAddress = DestinationIp, Direction, SentBytes = tolong(BytesSent), ReceivedBytes = tolong(BytesReceived)\\n),\\n(\\nVMConnection\\n| where TimeGenerated between (start_time..end_time)\\n| where DestinationIp =~ Ip_Address\\n| where SourceIp != DestinationIp\\n| where Direction =~ \\\"inbound\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), InboundCount = countif(Direction =~ \\\"inbound\\\") by IPAddress = DestinationIp, Type, RemoteIPAddress = SourceIp, Direction, SentBytes = tolong(BytesSent), ReceivedBytes = tolong(BytesReceived)\\n),\\n(\\nWireData\\n| where TimeGenerated between (start_time..end_time)\\n| where LocalIP =~ Ip_Address\\n| where LocalIP != RemoteIP\\n| where Direction =~ \\\"outbound\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), OutboundCount = countif(Direction =~ \\\"outbound\\\") by IPAddress = LocalIP, Type, RemoteIPAddress = RemoteIP, Direction\\n),\\n(\\nWireData\\n| where TimeGenerated between (start_time..end_time)\\n| where RemoteIP =~ Ip_Address\\n| where LocalIP != RemoteIP\\n| where Direction =~ \\\"inbound\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), InboundCount = countif(Direction =~ \\\"inbound\\\") by IPAddress = RemoteIP, Type, RemoteIPAddress = LocalIP, Direction\\n),\\n(\\nDeviceNetworkEvents\\n| where TimeGenerated between (start_time..end_time)\\n| where LocalIP =~ Ip_Address\\n| where LocalIP != RemoteIP\\n| extend Direction = \\\"outbound\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), OutboundCount = countif(ActionType =~ \\\"ConnectionSuccess\\\") by IPAddress = LocalIP, Type, RemoteIPAddress = RemoteIP, Direction\\n),\\n(\\nDeviceNetworkEvents\\n| where TimeGenerated between (start_time..end_time)\\n| where RemoteIP =~ Ip_Address\\n| where LocalIP != RemoteIP\\n| extend Direction = \\\"inbound\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), InboundCount = countif(ActionType =~ \\\"InboundConnectionAccepted\\\") by IPAddress = RemoteIP, Type, RemoteIPAddress = LocalIP, Direction\\n),\\n(\\nCommonSecurityLog\\n| where TimeGenerated between (start_time..end_time)\\n| where SourceIP =~ Ip_Address\\n| where SourceIP != DestinationIP\\n//| where DeviceAction has_any (\u0027allow\u0027, \u0027allowed\u0027, \u0027accept\u0027, \u0027built\u0027, \u0027start\u0027, \u0027connect\u0027, \u0027\u0027)\\n//| where not(DeviceAction has_any (\u0027built\u0027,\u0027deny\u0027, \u0027denied\u0027, \u0027rst\u0027, \u0027blocked\u0027, \u0027teardown\u0027))\\n| extend Direction = iff(CommunicationDirection !in~ (\u0027outbound\u0027,\u00270\u0027) or CommunicationDirection !in~ (\u0027inbound\u0027,\u00271\u0027), \u0027NotAvailable\u0027, CommunicationDirection)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), InboundCount = countif(Direction in~ (\u0027Inbound\u0027,\u00271\u0027)), OutboundCount = countif(Direction in~ (\u0027Outbound\u0027, \u00270\u0027)), UnknownDirection = countif(Direction =~ \u0027NotAvailable\u0027) by IPAddress = SourceIP, Type = strcat(Type,\u0027:\u0027, DeviceVendor,\u0027-\u0027, DeviceProduct), RemoteIPAddress = DestinationIP, Direction, SentBytes = tolong(SentBytes), ReceivedBytes = tolong(ReceivedBytes)\\n),\\n(\\nCommonSecurityLog\\n| where TimeGenerated between (start_time..end_time)\\n| where DestinationIP =~ Ip_Address\\n| where SourceIP != DestinationIP\\n//| where DeviceAction has_any (\u0027allow\u0027, \u0027allowed\u0027, \u0027accept\u0027, \u0027built\u0027, \u0027start\u0027, \u0027connect\u0027, \u0027\u0027)\\n//| where not(DeviceAction has_any (\u0027built\u0027,\u0027deny\u0027, \u0027denied\u0027, \u0027rst\u0027, \u0027blocked\u0027, \u0027teardown\u0027))\\n| extend Direction = iff(CommunicationDirection !in~ (\u0027outbound\u0027,\u00270\u0027) or CommunicationDirection !in~ (\u0027inbound\u0027,\u00271\u0027), \u0027NotAvailable\u0027, CommunicationDirection)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), InboundCount = countif(Direction in~ (\u0027Inbound\u0027,\u00271\u0027)), OutboundCount = countif(Direction in~ (\u0027Outbound\u0027, \u00270\u0027)), UnknownDirection = countif(Direction =~ \u0027NotAvailable\u0027) by IPAddress = DestinationIP, Type = strcat(Type,\u0027:\u0027, DeviceVendor,\u0027-\u0027, DeviceProduct), RemoteIPAddress = SourceIP, Direction, SentBytes = tolong(SentBytes), ReceivedBytes = tolong(ReceivedBytes)\\n)\\n);\\nIpStats\\n};\\nGetIPStats(\u0027175.45.176.99\u0027)\",\"tableQuery\":{\"columnsDefinitions\":[{\"header\":\"Direction\",\"outputType\":\"String\",\"supportDeepLink\":false},{\"header\":\"IPAddress\",\"outputType\":\"String\",\"supportDeepLink\":true},{\"header\":\"RemoteIP/Count\",\"outputType\":\"String\",\"supportDeepLink\":true},{\"header\":\"Total\",\"outputType\":\"Number\",\"supportDeepLink\":true}],\"queriesDefinitions\":[{\"filter\":\"where InboundCount \u003e 0\",\"summarize\":\"summarize Total = sum(InboundCount) by IPAddress, RemoteIPAddress | top 1 by Total\",\"project\":\"project Direction = \u0027Top In\u0027, IPAddress, RemoteIP = RemoteIPAddress, Total\",\"linkColumnsDefinitions\":[{\"projectedName\":\"Direction\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"IPAddress\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"RemoteIP\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"Total\",\"Query\":\"{{BaseQuery}} | \"}]},{\"filter\":\"where OutboundCount \u003e 0\",\"summarize\":\"summarize Total = sum(OutboundCount) by IPAddress, RemoteIPAddress | top 1 by Total\",\"project\":\"project Direction = \u0027Top Out\u0027, IPAddress, RemoteIP = RemoteIPAddress, Total\",\"linkColumnsDefinitions\":[{\"projectedName\":\"Direction\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"IPAddress\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"RemoteIP\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"Total\",\"Query\":\"{{BaseQuery}} | \"}]},{\"filter\":\"where UnknownDirection \u003e 0\",\"summarize\":\"summarize Total = sum(UnknownDirection) by IPAddress, RemoteIPAddress | top 1 by Total\",\"project\":\"project Direction = \u0027Top Unknown\u0027, IPAddress, RemoteIP = RemoteIPAddress, Total\",\"linkColumnsDefinitions\":[{\"projectedName\":\"Direction\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"IPAddress\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"RemoteIP\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"Total\",\"Query\":\"{{BaseQuery}} | \"}]},{\"filter\":\"project IPAddress, RemoteIPAddress, InboundCount, OutboundCount, UnknownDirection\",\"summarize\":\"summarize Inbound = sum(InboundCount), Outbound = sum(OutboundCount), Unknown = sum(UnknownDirection), RemIPs = make_set(RemoteIPAddress) by IPAddress | extend Total = tolong(Inbound + Outbound + Unknown)\",\"project\":\"project Direction = \u0027All\u0027, IPAddress, RemoteIP = case(array_length(RemIPs) == 1, tostring(RemIPs[0]), array_length(RemIPs) \u003e 1 and array_length(RemIPs) \u003c= 100, strcat(tostring(array_length(RemIPs)),\u0027 IPs\u0027), array_length(RemIPs) \u003e= 101, \u0027\u003e 100 IPs\u0027 , \u0027None\u0027), Total\",\"linkColumnsDefinitions\":[{\"projectedName\":\"Direction\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"IPAddress\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"RemoteIP\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"Total\",\"Query\":\"{{BaseQuery}} | \"}]}]},\"chartQuery\":null,\"additionalQuery\":{\"text\":\"See All connections\",\"query\":\"summarize StartTime = min(StartTime), EndTime = max(EndTime), InboundTotal = sum(InboundCount), OutboundTotal = sum(OutboundCount), ReceivedBytesTotal = sum(ReceivedBytes), SentBytesTotal = sum(SentBytes), UnknownDirectionBytesTotal = sum(UnknownDirection) by IPAddress, RemoteIPAddress, Type\"},\"defaultTimeRange\":{\"beforeRange\":\"12h\",\"afterRange\":\"12h\"},\"referenceTimeRange\":null,\"dataTypes\":[{\"dataType\":\"Heartbeat\"},{\"dataType\":\"VMConnection\"},{\"dataType\":\"VMComputer\"},{\"dataType\":\"WireData\"},{\"dataType\":\"ProtectionStatus\"},{\"dataType\":\"DeviceNetworkInfo\"},{\"dataType\":\"DeviceNetworkEvents\"},{\"dataType\":\"DnsEvents\"},{\"dataType\":\"CommonSecurityLog\"},{\"dataType\":\"Event\"},{\"dataType\":\"SecurityEvent\"},{\"dataType\":\"Syslog\"}],\"inputEntityType\":\"Ip\",\"requiredInputFieldsSets\":[[\"Ip_Address\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d/queries/340e5f6f-d218-4a11-8638-09e1af7847cc\",\"name\":\"340e5f6f-d218-4a11-8638-09e1af7847cc\",\"type\":\"Microsoft.SecurityInsights/entities/queries\",\"kind\":\"Insight\",\"properties\":{\"displayName\":\"IP address remote connections with TI match\",\"description\":\"\u0027Provides the threat intelligence related hits for the remote IP address. Note due to potential performance impact, data is limited to a 7 day max window.\u0027\\n\",\"baseQuery\":\"let GetIPStats = (Ip_Address:string){\\n//checking time span to lock to 7 days or less for Entity page usage\\nlet start = datetime(\u0027{{StartTimeISO}}\u0027);\\nlet end = datetime(\u0027{{EndTimeISO}}\u0027);\\nlet end_start = datetime_diff(\u0027day\u0027,end,start);\\nlet start_time = iff(end_start \u003e 7, end - 7d, start);\\nlet end_time = end;\\nlet IpStats = (union isfuzzy=true\\n(\\nVMConnection\\n| where TimeGenerated between (start_time..end_time)\\n| where SourceIp =~ Ip_Address\\n| where SourceIp != DestinationIp\\n| where Direction =~ \\\"outbound\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), OutboundCount = countif(Direction =~ \\\"outbound\\\") by IPAddress = SourceIp, Type, RemoteIPAddress = DestinationIp, Direction, SentBytes = tolong(BytesSent), ReceivedBytes = tolong(BytesReceived)\\n),\\n(\\nVMConnection\\n| where TimeGenerated between (start_time..end_time)\\n| where DestinationIp =~ Ip_Address\\n| where SourceIp != DestinationIp\\n| where Direction =~ \\\"inbound\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), InboundCount = countif(Direction =~ \\\"inbound\\\") by IPAddress = DestinationIp, Type, RemoteIPAddress = SourceIp, Direction, SentBytes = tolong(BytesSent), ReceivedBytes = tolong(BytesReceived)\\n),\\n(\\nWireData\\n| where TimeGenerated between (start_time..end_time)\\n| where LocalIP =~ Ip_Address\\n| where LocalIP != RemoteIP\\n| where Direction =~ \\\"outbound\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), OutboundCount = countif(Direction =~ \\\"outbound\\\") by IPAddress = LocalIP, Type, RemoteIPAddress = RemoteIP, Direction\\n),\\n(\\nWireData\\n| where TimeGenerated between (start_time..end_time)\\n| where RemoteIP =~ Ip_Address\\n| where LocalIP != RemoteIP\\n| where Direction =~ \\\"inbound\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), InboundCount = countif(Direction =~ \\\"inbound\\\") by IPAddress = RemoteIP, Type, RemoteIPAddress = LocalIP, Direction\\n),\\n(\\nDeviceNetworkEvents\\n| where TimeGenerated between (start_time..end_time)\\n| where LocalIP =~ Ip_Address\\n| where LocalIP != RemoteIP\\n| extend Direction = \\\"outbound\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), OutboundCount = countif(ActionType =~ \\\"ConnectionSuccess\\\") by IPAddress = LocalIP, Type, RemoteIPAddress = RemoteIP, Direction\\n),\\n(\\nDeviceNetworkEvents\\n| where TimeGenerated between (start_time..end_time)\\n| where RemoteIP =~ Ip_Address\\n| where LocalIP != RemoteIP\\n| extend Direction = \\\"inbound\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), InboundCount = countif(ActionType =~ \\\"InboundConnectionAccepted\\\") by IPAddress = RemoteIP, Type, RemoteIPAddress = LocalIP, Direction\\n),\\n(\\nCommonSecurityLog\\n| where TimeGenerated between (start_time..end_time)\\n| where SourceIP =~ Ip_Address\\n| where SourceIP != DestinationIP\\n| extend Direction = iff(CommunicationDirection !in~ (\u0027outbound\u0027,\u00270\u0027) or CommunicationDirection !in~ (\u0027inbound\u0027,\u00271\u0027), \u0027NotAvailable\u0027, CommunicationDirection)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), InboundCount = countif(Direction in~ (\u0027Inbound\u0027,\u00271\u0027)), OutboundCount = countif(Direction in~ (\u0027Outbound\u0027, \u00270\u0027)), UnknownDirection = countif(Direction =~ \u0027NotAvailable\u0027) by IPAddress = SourceIP, Type = strcat(Type,\u0027:\u0027, DeviceVendor,\u0027-\u0027, DeviceProduct), RemoteIPAddress = DestinationIP, Direction, SentBytes = tolong(SentBytes), ReceivedBytes = tolong(ReceivedBytes)\\n),\\n(\\nCommonSecurityLog\\n| where TimeGenerated between (start_time..end_time)\\n| where DestinationIP =~ Ip_Address\\n| where SourceIP != DestinationIP\\n| extend Direction = iff(CommunicationDirection !in~ (\u0027outbound\u0027,\u00270\u0027) or CommunicationDirection !in~ (\u0027inbound\u0027,\u00271\u0027), \u0027NotAvailable\u0027, CommunicationDirection)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), InboundCount = countif(Direction in~ (\u0027Inbound\u0027,\u00271\u0027)), OutboundCount = countif(Direction in~ (\u0027Outbound\u0027, \u00270\u0027)), UnknownDirection = countif(Direction =~ \u0027NotAvailable\u0027) by IPAddress = DestinationIP, Type = strcat(Type,\u0027:\u0027, DeviceVendor,\u0027-\u0027, DeviceProduct), RemoteIPAddress = SourceIP, Direction, SentBytes = tolong(SentBytes), ReceivedBytes = tolong(ReceivedBytes)\\n)\\n);\\nIpStats\\n| join kind=inner (ThreatIntelligenceIndicator | where TimeGenerated \u003c ago(1m)\\n| where Active = true\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n| extend TI_ipEntity = case(\\nisnotempty(NetworkIP), NetworkIP,\\nisempty(NetworkIP) and isnotempty(NetworkSourceIP), NetworkSourceIP,\\nisempty(NetworkIP) and isempty(NetworkSourceIP) and isnotempty(NetworkDestinationIP), NetworkDestinationIP,\\nisempty(NetworkIP) and isempty(NetworkSourceIP) and isempty(NetworkDestinationIP), EmailSourceIpAddress,\\n\\\"NotAvailable\\\"\\n)\\n| summarize arg_max(TimeGenerated, *) by ThreatIntelMatch = Description, ThreatType, TI_ipEntity) on $left.RemoteIPAddress == $right.TI_ipEntity\\n};\\nGetIPStats(\u0027175.45.176.99\u0027)\",\"tableQuery\":{\"columnsDefinitions\":[{\"header\":\"Direction\",\"outputType\":\"String\",\"supportDeepLink\":false},{\"header\":\"IPAddress\",\"outputType\":\"String\",\"supportDeepLink\":true},{\"header\":\"RemoteIP\",\"outputType\":\"String\",\"supportDeepLink\":true},{\"header\":\"ThreatType\",\"outputType\":\"String\",\"supportDeepLink\":false}],\"queriesDefinitions\":[{\"filter\":\"project IPAddress, RemoteIPAddress, InboundCount, ThreatType\",\"summarize\":\"summarize Inbound = sum(InboundCount) by IPAddress, RemoteIPAddress, ThreatType | where Inbound \u003e 0\",\"project\":\"project Direction = \u0027In\u0027, IPAddress, RemoteIP = RemoteIPAddress, ThreatType\",\"linkColumnsDefinitions\":[{\"projectedName\":\"Direction\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"IPAddress\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"RemoteIP\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"ThreatType\",\"Query\":\"{{BaseQuery}} | \"}]},{\"filter\":\"project IPAddress, RemoteIPAddress, OutboundCount, ThreatType\",\"summarize\":\"summarize Outbound = sum(OutboundCount) by IPAddress, RemoteIPAddress, ThreatType | where Outbound \u003e 0\",\"project\":\"project Direction = \u0027Out\u0027, IPAddress, RemoteIP = RemoteIPAddress, ThreatType\",\"linkColumnsDefinitions\":[{\"projectedName\":\"Direction\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"IPAddress\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"RemoteIP\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"ThreatType\",\"Query\":\"{{BaseQuery}} | \"}]},{\"filter\":\"project IPAddress, RemoteIPAddress, UnknownDirection, ThreatType\",\"summarize\":\"summarize UnknownCount = sum(UnknownDirection) by IPAddress, RemoteIPAddress, ThreatType | where UnknownCount \u003e 0\",\"project\":\"project Direction = \u0027Unknown\u0027, IPAddress, RemoteIP = RemoteIPAddress, ThreatType\",\"linkColumnsDefinitions\":[{\"projectedName\":\"Direction\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"IPAddress\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"RemoteIP\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"ThreatType\",\"Query\":\"{{BaseQuery}} | \"}]}]},\"chartQuery\":{\"title\":\"Connection Count to IP in TI\",\"dataSets\":[{\"query\":\"summarize Count = max(InboundCount) by Time = bin(StartTime, 1d), RemoteIPAddress = strcat(RemoteIPAddress,\u0027 - In\u0027) | where isnotempty(Count) and Count \u003e 0\",\"xColumnName\":\"Time\",\"yColumnName\":\"Count\",\"legendColumnName\":\"RemoteIPAddress\"},{\"query\":\"summarize Count = max(OutboundCount) by Time = bin(StartTime, 1d), RemoteIPAddress = strcat(RemoteIPAddress,\u0027 - Out\u0027) | where isnotempty(Count) and Count \u003e 0\",\"xColumnName\":\"Time\",\"yColumnName\":\"Count\",\"legendColumnName\":\"RemoteIPAddress\"},{\"query\":\"summarize Count = max(UnknownDirection) by Time = bin(StartTime, 1d), RemoteIPAddress = strcat(RemoteIPAddress,\u0027 - UnknownDirection\u0027) | where isnotempty(Count) and Count \u003e 0\",\"xColumnName\":\"Time\",\"yColumnName\":\"Count\",\"legendColumnName\":\"RemoteIPAddress\"}],\"type\":\"BarChart\"},\"additionalQuery\":{\"text\":\"See All connections\",\"query\":\"project StartTime, EndTime, IPAddress, RemoteIPAddress, InboundCount, OutboundCount, ReceivedBytes, SentBytes, UnknownDirection, Type, ThreatType, ThreatIntelMatch\"},\"defaultTimeRange\":{\"beforeRange\":\"12h\",\"afterRange\":\"12h\"},\"referenceTimeRange\":null,\"dataTypes\":[{\"dataType\":\"Heartbeat\"},{\"dataType\":\"VMConnection\"},{\"dataType\":\"VMComputer\"},{\"dataType\":\"WireData\"},{\"dataType\":\"ProtectionStatus\"},{\"dataType\":\"DeviceNetworkInfo\"},{\"dataType\":\"DeviceNetworkEvents\"},{\"dataType\":\"DnsEvents\"},{\"dataType\":\"CommonSecurityLog\"},{\"dataType\":\"Event\"},{\"dataType\":\"SecurityEvent\"},{\"dataType\":\"Syslog\"}],\"inputEntityType\":\"Ip\",\"requiredInputFieldsSets\":[[\"Ip_Address\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d/queries/3834647e-ac3e-4fb4-a5f8-0dd50ba2b66c\",\"name\":\"3834647e-ac3e-4fb4-a5f8-0dd50ba2b66c\",\"type\":\"Microsoft.SecurityInsights/entities/queries\",\"kind\":\"Insight\",\"properties\":{\"displayName\":\"Watchlist Insights (Preview)\",\"description\":\"### Description\\n ___\\nThis insight aggregates data from the watchlists templates (Network Addresses) regarding the IP address.\",\"baseQuery\":\"let defaultValue = \u0027defaultValue\u0027; \\n let myIP = \u0027175.45.176.99\u0027; \\n let ips = _GetWatchlist(\u0027NetworkAddresses\u0027); \\n ips | extend IPSubnet = column_ifexists(\u0027IP Subnet\u0027, defaultValue) | extend FirstIP = split(IPSubnet , \u0027-\u0027).[0], SecondIP = split(IPSubnet, \u0027-\u0027).[1], checkIPv4 = parse_ipv4(myIP) | extend myIPnum = iff(isempty(checkIPv4), (parse_ipv6(myIP)), tostring(checkIPv4)) | extend firstIPparsed = iff(isempty(checkIPv4), parse_ipv6(tostring(FirstIP)), tostring(parse_ipv4(tostring(FirstIP)))), secondIPparsed = iff(isempty(checkIPv4), parse_ipv6(tostring(SecondIP)), tostring(parse_ipv4(tostring(SecondIP)))) | extend results = iff((isnotempty(checkIPv4) and tolong(firstIPparsed) \u003c= tolong(myIPnum) and (tolong(myIPnum) \u003c= tolong(secondIPparsed)) or (ipv4_is_in_range(myIP, tostring(SecondIP)) or (ipv6_compare(myIP, tostring(FirstIP)) == 0) or (ipv6_compare(myIP, tostring(SecondIP))==0))), True, false) | where results == true | extend RangeName = column_ifexists(\u0027Range Name\u0027, defaultValue) | extend IPSubnet = column_ifexists(\u0027IP Subnet\u0027, defaultValue) | extend Tags = column_ifexists(\u0027Tags\u0027, defaultValue) | extend [\u0027Watchlist Insight\u0027] = \u0027IP Address is within a known range\u0027 | extend [\u0027Additional Data\u0027] = strcat(\u0027Range Name: \u0027, RangeName,\u0027, \u0027,\u0027IP Range: \u0027, IPSubnet) | project [\u0027Watchlist Insight\u0027],[\u0027Additional Data\u0027], Tags\",\"tableQuery\":{\"columnsDefinitions\":[{\"header\":\"Watchlist Insight\",\"outputType\":\"String\",\"supportDeepLink\":false},{\"header\":\"Additional Data\",\"outputType\":\"String\",\"supportDeepLink\":false},{\"header\":\"Tags\",\"outputType\":\"String\",\"supportDeepLink\":false}],\"queriesDefinitions\":[{\"filter\":\" where 1 == 1\",\"summarize\":\" summarize count() by [\u0027Watchlist Insight\u0027], [\u0027Additional Data\u0027], Tags\",\"project\":\" project [\u0027Watchlist Insight\u0027], [\u0027Additional Data\u0027], Tags\",\"linkColumnsDefinitions\":[]}]},\"chartQuery\":null,\"additionalQuery\":null,\"defaultTimeRange\":{\"beforeRange\":\"0d\",\"afterRange\":\"0d\"},\"referenceTimeRange\":{\"beforeRange\":\"0d\"},\"dataTypes\":[{\"dataType\":\"Watchlist templates\"}],\"inputEntityType\":\"Ip\",\"requiredInputFieldsSets\":[[\"IP_Address\"]],\"entitiesFilter\":{}}}]}", + "Content": "{\"value\":[{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d/queries/340e5f6f-d218-4a11-8638-09e1af7847cc\",\"name\":\"340e5f6f-d218-4a11-8638-09e1af7847cc\",\"type\":\"Microsoft.SecurityInsights/entities/queries\",\"kind\":\"Insight\",\"properties\":{\"displayName\":\"IP address remote connections with TI match\",\"description\":\"\u0027Identifies when a connection is made outbound to or inbound from a remote IP address that is also an IOC in the ThreatIntelligenceIndicator table, along with how many times the connection was made during the indicated timeframe.\\n Note: due to potential performance impact, data is limited to a 7 day max window.\u0027\\n\",\"baseQuery\":\"let GetIPStats = (Ip_Address:string){\\n//checking time span to lock to 7 days or less for Entity page usage\\nlet start = datetime(\u0027{{StartTimeISO}}\u0027);\\nlet end = datetime(\u0027{{EndTimeISO}}\u0027);\\nlet end_start = datetime_diff(\u0027day\u0027,end,start);\\nlet start_time = iff(end_start \u003e 7, end - 7d, start);\\nlet end_time = end;\\nlet IpStats = (union isfuzzy=true\\n(\\nVMConnection\\n| where isnotempty(Ip_Address)\\n| where TimeGenerated between (start_time..end_time)\\n| where SourceIp =~ Ip_Address\\n| where SourceIp != DestinationIp\\n| where Direction =~ \\\"outbound\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), OutboundCount = countif(Direction =~ \\\"outbound\\\") by IPAddress = SourceIp, Type, RemoteIPAddress = DestinationIp, Direction, SentBytes = tolong(BytesSent), ReceivedBytes = tolong(BytesReceived)\\n),\\n(\\nVMConnection\\n| where isnotempty(Ip_Address)\\n| where TimeGenerated between (start_time..end_time)\\n| where DestinationIp =~ Ip_Address\\n| where SourceIp != DestinationIp\\n| where Direction =~ \\\"inbound\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), InboundCount = countif(Direction =~ \\\"inbound\\\") by IPAddress = DestinationIp, Type, RemoteIPAddress = SourceIp, Direction, SentBytes = tolong(BytesSent), ReceivedBytes = tolong(BytesReceived)\\n),\\n(\\nDeviceNetworkEvents\\n| where isnotempty(Ip_Address)\\n| where TimeGenerated between (start_time..end_time)\\n| where LocalIP =~ Ip_Address\\n| where LocalIP != RemoteIP\\n| extend Direction = \\\"outbound\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), OutboundCount = countif(ActionType =~ \\\"ConnectionSuccess\\\") by IPAddress = LocalIP, Type, RemoteIPAddress = RemoteIP, Direction\\n),\\n(\\nDeviceNetworkEvents\\n| where isnotempty(Ip_Address)\\n| where TimeGenerated between (start_time..end_time)\\n| where RemoteIP =~ Ip_Address\\n| where LocalIP != RemoteIP\\n| extend Direction = \\\"inbound\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), InboundCount = countif(ActionType =~ \\\"InboundConnectionAccepted\\\") by IPAddress = RemoteIP, Type, RemoteIPAddress = LocalIP, Direction\\n),\\n(\\nCommonSecurityLog\\n| where isnotempty(Ip_Address)\\n| where TimeGenerated between (start_time..end_time)\\n| where SourceIP =~ Ip_Address\\n| where SourceIP != DestinationIP\\n| extend Direction = iff(CommunicationDirection !in~ (\u0027outbound\u0027,\u00270\u0027) or CommunicationDirection !in~ (\u0027inbound\u0027,\u00271\u0027), \u0027NotAvailable\u0027, CommunicationDirection)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), InboundCount = countif(Direction in~ (\u0027Inbound\u0027,\u00271\u0027)), OutboundCount = countif(Direction in~ (\u0027Outbound\u0027, \u00270\u0027)), UnknownDirection = countif(Direction =~ \u0027NotAvailable\u0027) by IPAddress = SourceIP, Type = strcat(Type,\u0027:\u0027, DeviceVendor,\u0027-\u0027, DeviceProduct), RemoteIPAddress = DestinationIP, Direction, SentBytes = tolong(SentBytes), ReceivedBytes = tolong(ReceivedBytes)\\n),\\n(\\nCommonSecurityLog\\n| where isnotempty(Ip_Address)\\n| where TimeGenerated between (start_time..end_time)\\n| where DestinationIP =~ Ip_Address\\n| where SourceIP != DestinationIP\\n| extend Direction = iff(CommunicationDirection !in~ (\u0027outbound\u0027,\u00270\u0027) or CommunicationDirection !in~ (\u0027inbound\u0027,\u00271\u0027), \u0027NotAvailable\u0027, CommunicationDirection)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), InboundCount = countif(Direction in~ (\u0027Inbound\u0027,\u00271\u0027)), OutboundCount = countif(Direction in~ (\u0027Outbound\u0027, \u00270\u0027)), UnknownDirection = countif(Direction =~ \u0027NotAvailable\u0027) by IPAddress = DestinationIP, Type = strcat(Type,\u0027:\u0027, DeviceVendor,\u0027-\u0027, DeviceProduct), RemoteIPAddress = SourceIP, Direction, SentBytes = tolong(SentBytes), ReceivedBytes = tolong(ReceivedBytes)\\n)\\n);\\nIpStats\\n| join kind=inner (\\nThreatIntelligenceIndicator\\n| where isnotempty(Ip_Address)\\n| where TimeGenerated \u003e= start_time\\n| where ExpirationDateTime \u003e now()\\n| where Active = true\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n| extend TI_ipEntity = case(\\nisnotempty(NetworkIP), NetworkIP,\\nisempty(NetworkIP) and isnotempty(NetworkSourceIP), NetworkSourceIP,\\nisempty(NetworkIP) and isempty(NetworkSourceIP) and isnotempty(NetworkDestinationIP), NetworkDestinationIP,\\nisempty(NetworkIP) and isempty(NetworkSourceIP) and isempty(NetworkDestinationIP), EmailSourceIpAddress,\\n\\\"NotAvailable\\\"\\n)\\n| summarize arg_max(TimeGenerated, *) by Description, ThreatType, TI_ipEntity\\n) on $left.RemoteIPAddress == $right.TI_ipEntity\\n};\\nGetIPStats(\u0027175.45.176.99\u0027)\",\"tableQuery\":{\"columnsDefinitions\":[{\"header\":\"Direction\",\"outputType\":\"String\",\"supportDeepLink\":false},{\"header\":\"IPAddress\",\"outputType\":\"String\",\"supportDeepLink\":true},{\"header\":\"RemoteIP\",\"outputType\":\"String\",\"supportDeepLink\":true},{\"header\":\"ThreatType\",\"outputType\":\"String\",\"supportDeepLink\":false}],\"queriesDefinitions\":[{\"filter\":\"project IPAddress, RemoteIPAddress, InboundCount, ThreatType\",\"summarize\":\"summarize Inbound = sum(InboundCount) by IPAddress, RemoteIPAddress, ThreatType | where Inbound \u003e 0\",\"project\":\"project Direction = \u0027In\u0027, IPAddress, RemoteIP = RemoteIPAddress, ThreatType\",\"linkColumnsDefinitions\":[{\"projectedName\":\"Direction\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"IPAddress\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"RemoteIP\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"ThreatType\",\"Query\":\"{{BaseQuery}} | \"}]},{\"filter\":\"project IPAddress, RemoteIPAddress, OutboundCount, ThreatType\",\"summarize\":\"summarize Outbound = sum(OutboundCount) by IPAddress, RemoteIPAddress, ThreatType | where Outbound \u003e 0\",\"project\":\"project Direction = \u0027Out\u0027, IPAddress, RemoteIP = RemoteIPAddress, ThreatType\",\"linkColumnsDefinitions\":[{\"projectedName\":\"Direction\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"IPAddress\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"RemoteIP\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"ThreatType\",\"Query\":\"{{BaseQuery}} | \"}]},{\"filter\":\"project IPAddress, RemoteIPAddress, UnknownDirection, ThreatType\",\"summarize\":\"summarize UnknownCount = sum(UnknownDirection) by IPAddress, RemoteIPAddress, ThreatType | where UnknownCount \u003e 0\",\"project\":\"project Direction = \u0027Unknown\u0027, IPAddress, RemoteIP = RemoteIPAddress, ThreatType\",\"linkColumnsDefinitions\":[{\"projectedName\":\"Direction\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"IPAddress\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"RemoteIP\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"ThreatType\",\"Query\":\"{{BaseQuery}} | \"}]}]},\"chartQuery\":{\"title\":\"Connection Count to IP in TI\",\"dataSets\":[{\"query\":\"summarize Count = max(InboundCount) by Time = bin(StartTime, 1d), RemoteIPAddress = strcat(RemoteIPAddress,\u0027 - In\u0027) | where isnotempty(Count) and Count \u003e 0\",\"xColumnName\":\"Time\",\"yColumnName\":\"Count\",\"legendColumnName\":\"RemoteIPAddress\"},{\"query\":\"summarize Count = max(OutboundCount) by Time = bin(StartTime, 1d), RemoteIPAddress = strcat(RemoteIPAddress,\u0027 - Out\u0027) | where isnotempty(Count) and Count \u003e 0\",\"xColumnName\":\"Time\",\"yColumnName\":\"Count\",\"legendColumnName\":\"RemoteIPAddress\"},{\"query\":\"summarize Count = max(UnknownDirection) by Time = bin(StartTime, 1d), RemoteIPAddress = strcat(RemoteIPAddress,\u0027 - UnknownDirection\u0027) | where isnotempty(Count) and Count \u003e 0\",\"xColumnName\":\"Time\",\"yColumnName\":\"Count\",\"legendColumnName\":\"RemoteIPAddress\"}],\"type\":\"BarChart\"},\"additionalQuery\":{\"text\":\"See All connections\",\"query\":\"project StartTime, EndTime, IPAddress, RemoteIPAddress, InboundCount, OutboundCount, ReceivedBytes, SentBytes, UnknownDirection, Type, ThreatType, Description, Tags\"},\"defaultTimeRange\":{\"beforeRange\":\"12h\",\"afterRange\":\"12h\"},\"referenceTimeRange\":null,\"dataTypes\":[{\"dataType\":\"VMConnection\"},{\"dataType\":\"DeviceNetworkEvents\"},{\"dataType\":\"CommonSecurityLog\"}],\"inputEntityType\":\"Ip\",\"requiredInputFieldsSets\":[[\"Ip_Address\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d/queries/b8e2df44-f98f-4c95-bcbe-f8210f3e0f23\",\"name\":\"b8e2df44-f98f-4c95-bcbe-f8210f3e0f23\",\"type\":\"Microsoft.SecurityInsights/entities/queries\",\"kind\":\"Insight\",\"properties\":{\"displayName\":\"IP address remote connections\",\"description\":\"\u0027Provides the remote IP connection count information for outbound and inbound connections to an IP address. Note due to potential performance impact, data is limited to a 7 day max window.\u0027\\n\",\"baseQuery\":\"let GetIPStats = (Ip_Address:string){\\n//checking time span to lock to 7 days or less for Entity page usage\\nlet start = datetime(\u0027{{StartTimeISO}}\u0027);\\nlet end = datetime(\u0027{{EndTimeISO}}\u0027);\\nlet end_start = datetime_diff(\u0027day\u0027,end,start);\\nlet start_time = iff(end_start \u003e 7, end - 7d, start);\\nlet end_time = end;\\nlet IpStats = (union isfuzzy=true\\n(\\nVMConnection\\n| where TimeGenerated between (start_time..end_time)\\n| where SourceIp =~ Ip_Address\\n| where SourceIp != DestinationIp\\n| where Direction =~ \\\"outbound\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), OutboundCount = countif(Direction =~ \\\"outbound\\\") by IPAddress = SourceIp, Type, RemoteIPAddress = DestinationIp, Direction, SentBytes = tolong(BytesSent), ReceivedBytes = tolong(BytesReceived)\\n),\\n(\\nVMConnection\\n| where TimeGenerated between (start_time..end_time)\\n| where DestinationIp =~ Ip_Address\\n| where SourceIp != DestinationIp\\n| where Direction =~ \\\"inbound\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), InboundCount = countif(Direction =~ \\\"inbound\\\") by IPAddress = DestinationIp, Type, RemoteIPAddress = SourceIp, Direction, SentBytes = tolong(BytesSent), ReceivedBytes = tolong(BytesReceived)\\n),\\n(\\nWireData\\n| where TimeGenerated between (start_time..end_time)\\n| where LocalIP =~ Ip_Address\\n| where LocalIP != RemoteIP\\n| where Direction =~ \\\"outbound\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), OutboundCount = countif(Direction =~ \\\"outbound\\\") by IPAddress = LocalIP, Type, RemoteIPAddress = RemoteIP, Direction\\n),\\n(\\nWireData\\n| where TimeGenerated between (start_time..end_time)\\n| where RemoteIP =~ Ip_Address\\n| where LocalIP != RemoteIP\\n| where Direction =~ \\\"inbound\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), InboundCount = countif(Direction =~ \\\"inbound\\\") by IPAddress = RemoteIP, Type, RemoteIPAddress = LocalIP, Direction\\n),\\n(\\nDeviceNetworkEvents\\n| where TimeGenerated between (start_time..end_time)\\n| where LocalIP =~ Ip_Address\\n| where LocalIP != RemoteIP\\n| extend Direction = \\\"outbound\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), OutboundCount = countif(ActionType =~ \\\"ConnectionSuccess\\\") by IPAddress = LocalIP, Type, RemoteIPAddress = RemoteIP, Direction\\n),\\n(\\nDeviceNetworkEvents\\n| where TimeGenerated between (start_time..end_time)\\n| where RemoteIP =~ Ip_Address\\n| where LocalIP != RemoteIP\\n| extend Direction = \\\"inbound\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), InboundCount = countif(ActionType =~ \\\"InboundConnectionAccepted\\\") by IPAddress = RemoteIP, Type, RemoteIPAddress = LocalIP, Direction\\n),\\n(\\nCommonSecurityLog\\n| where TimeGenerated between (start_time..end_time)\\n| where SourceIP =~ Ip_Address\\n| where SourceIP != DestinationIP\\n//| where DeviceAction has_any (\u0027allow\u0027, \u0027allowed\u0027, \u0027accept\u0027, \u0027built\u0027, \u0027start\u0027, \u0027connect\u0027, \u0027\u0027)\\n//| where not(DeviceAction has_any (\u0027built\u0027,\u0027deny\u0027, \u0027denied\u0027, \u0027rst\u0027, \u0027blocked\u0027, \u0027teardown\u0027))\\n| extend Direction = iff(CommunicationDirection !in~ (\u0027outbound\u0027,\u00270\u0027) or CommunicationDirection !in~ (\u0027inbound\u0027,\u00271\u0027), \u0027NotAvailable\u0027, CommunicationDirection)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), InboundCount = countif(Direction in~ (\u0027Inbound\u0027,\u00271\u0027)), OutboundCount = countif(Direction in~ (\u0027Outbound\u0027, \u00270\u0027)), UnknownDirection = countif(Direction =~ \u0027NotAvailable\u0027) by IPAddress = SourceIP, Type = strcat(Type,\u0027:\u0027, DeviceVendor,\u0027-\u0027, DeviceProduct), RemoteIPAddress = DestinationIP, Direction, SentBytes = tolong(SentBytes), ReceivedBytes = tolong(ReceivedBytes)\\n),\\n(\\nCommonSecurityLog\\n| where TimeGenerated between (start_time..end_time)\\n| where DestinationIP =~ Ip_Address\\n| where SourceIP != DestinationIP\\n//| where DeviceAction has_any (\u0027allow\u0027, \u0027allowed\u0027, \u0027accept\u0027, \u0027built\u0027, \u0027start\u0027, \u0027connect\u0027, \u0027\u0027)\\n//| where not(DeviceAction has_any (\u0027built\u0027,\u0027deny\u0027, \u0027denied\u0027, \u0027rst\u0027, \u0027blocked\u0027, \u0027teardown\u0027))\\n| extend Direction = iff(CommunicationDirection !in~ (\u0027outbound\u0027,\u00270\u0027) or CommunicationDirection !in~ (\u0027inbound\u0027,\u00271\u0027), \u0027NotAvailable\u0027, CommunicationDirection)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), InboundCount = countif(Direction in~ (\u0027Inbound\u0027,\u00271\u0027)), OutboundCount = countif(Direction in~ (\u0027Outbound\u0027, \u00270\u0027)), UnknownDirection = countif(Direction =~ \u0027NotAvailable\u0027) by IPAddress = DestinationIP, Type = strcat(Type,\u0027:\u0027, DeviceVendor,\u0027-\u0027, DeviceProduct), RemoteIPAddress = SourceIP, Direction, SentBytes = tolong(SentBytes), ReceivedBytes = tolong(ReceivedBytes)\\n)\\n);\\nIpStats\\n};\\nGetIPStats(\u0027175.45.176.99\u0027)\",\"tableQuery\":{\"columnsDefinitions\":[{\"header\":\"Direction\",\"outputType\":\"String\",\"supportDeepLink\":false},{\"header\":\"IPAddress\",\"outputType\":\"String\",\"supportDeepLink\":true},{\"header\":\"RemoteIP/Count\",\"outputType\":\"String\",\"supportDeepLink\":true},{\"header\":\"Total\",\"outputType\":\"Number\",\"supportDeepLink\":true}],\"queriesDefinitions\":[{\"filter\":\"where InboundCount \u003e 0\",\"summarize\":\"summarize Total = sum(InboundCount) by IPAddress, RemoteIPAddress | top 1 by Total\",\"project\":\"project Direction = \u0027Top In\u0027, IPAddress, RemoteIP = RemoteIPAddress, Total\",\"linkColumnsDefinitions\":[{\"projectedName\":\"Direction\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"IPAddress\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"RemoteIP\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"Total\",\"Query\":\"{{BaseQuery}} | \"}]},{\"filter\":\"where OutboundCount \u003e 0\",\"summarize\":\"summarize Total = sum(OutboundCount) by IPAddress, RemoteIPAddress | top 1 by Total\",\"project\":\"project Direction = \u0027Top Out\u0027, IPAddress, RemoteIP = RemoteIPAddress, Total\",\"linkColumnsDefinitions\":[{\"projectedName\":\"Direction\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"IPAddress\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"RemoteIP\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"Total\",\"Query\":\"{{BaseQuery}} | \"}]},{\"filter\":\"where UnknownDirection \u003e 0\",\"summarize\":\"summarize Total = sum(UnknownDirection) by IPAddress, RemoteIPAddress | top 1 by Total\",\"project\":\"project Direction = \u0027Top Unknown\u0027, IPAddress, RemoteIP = RemoteIPAddress, Total\",\"linkColumnsDefinitions\":[{\"projectedName\":\"Direction\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"IPAddress\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"RemoteIP\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"Total\",\"Query\":\"{{BaseQuery}} | \"}]},{\"filter\":\"project IPAddress, RemoteIPAddress, InboundCount, OutboundCount, UnknownDirection\",\"summarize\":\"summarize Inbound = sum(InboundCount), Outbound = sum(OutboundCount), Unknown = sum(UnknownDirection), RemIPs = make_set(RemoteIPAddress) by IPAddress | extend Total = tolong(Inbound + Outbound + Unknown)\",\"project\":\"project Direction = \u0027All\u0027, IPAddress, RemoteIP = case(array_length(RemIPs) == 1, tostring(RemIPs[0]), array_length(RemIPs) \u003e 1 and array_length(RemIPs) \u003c= 100, strcat(tostring(array_length(RemIPs)),\u0027 IPs\u0027), array_length(RemIPs) \u003e= 101, \u0027\u003e 100 IPs\u0027 , \u0027None\u0027), Total\",\"linkColumnsDefinitions\":[{\"projectedName\":\"Direction\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"IPAddress\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"RemoteIP\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"Total\",\"Query\":\"{{BaseQuery}} | \"}]}]},\"chartQuery\":null,\"additionalQuery\":{\"text\":\"See All connections\",\"query\":\"summarize StartTime = min(StartTime), EndTime = max(EndTime), InboundTotal = sum(InboundCount), OutboundTotal = sum(OutboundCount), ReceivedBytesTotal = sum(ReceivedBytes), SentBytesTotal = sum(SentBytes), UnknownDirectionBytesTotal = sum(UnknownDirection) by IPAddress, RemoteIPAddress, Type\"},\"defaultTimeRange\":{\"beforeRange\":\"12h\",\"afterRange\":\"12h\"},\"referenceTimeRange\":null,\"dataTypes\":[{\"dataType\":\"Heartbeat\"},{\"dataType\":\"VMConnection\"},{\"dataType\":\"VMComputer\"},{\"dataType\":\"WireData\"},{\"dataType\":\"ProtectionStatus\"},{\"dataType\":\"DeviceNetworkInfo\"},{\"dataType\":\"DeviceNetworkEvents\"},{\"dataType\":\"DnsEvents\"},{\"dataType\":\"CommonSecurityLog\"},{\"dataType\":\"Event\"},{\"dataType\":\"SecurityEvent\"},{\"dataType\":\"Syslog\"}],\"inputEntityType\":\"Ip\",\"requiredInputFieldsSets\":[[\"Ip_Address\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d/queries/8b4c6812-1829-423d-bb1e-04e3d06095b0\",\"name\":\"8b4c6812-1829-423d-bb1e-04e3d06095b0\",\"type\":\"Microsoft.SecurityInsights/entities/queries\",\"kind\":\"Insight\",\"properties\":{\"displayName\":\"This IP has a TI match\",\"description\":\"\u0027IP match from your TI table. Note due to potential performance impact, data is limited to a 30 day look back in TI.\u0027\\n\",\"baseQuery\":\"let GetIPMatch = (Ip_Address:string){\\n//checking time span to lock to 14 days or less for IP relevance and for Entity page perf\\nlet start = datetime(\u0027{{StartTimeISO}}\u0027);\\nlet end = datetime(\u0027{{EndTimeISO}}\u0027);\\nlet end_start = datetime_diff(\u0027day\u0027,end,start);\\nlet start_time = iff(end_start \u003e 14, end - 14d, start);\\nlet end_time = end;\\nThreatIntelligenceIndicator\\n| where isnotempty(Ip_Address)\\n| where TimeGenerated \u003e= start_time\\n| where ExpirationDateTime \u003e now()\\n| where Active = true\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where NetworkIP == Ip_Address or NetworkDestinationIP == Ip_Address or NetworkSourceIP == Ip_Address or EmailSourceIpAddress == Ip_Address\\n| extend FieldsMatched = pack(\\\"NetworkIP\\\", NetworkIP == Ip_Address, \\\"NetworkDestinationIP\\\", NetworkDestinationIP == Ip_Address, \\\"NetworkSourceIP\\\", NetworkSourceIP == Ip_Address, \\\"EmailSourceIpAddress\\\", EmailSourceIpAddress == Ip_Address)\\n| project LatestIndicatorTime, ThreatType, IPAddress = Ip_Address, SourceSystem, ConfidenceScore, Description, FieldsMatched, Tags\\n};\\nGetIPMatch(\u0027175.45.176.99\u0027)\",\"tableQuery\":{\"columnsDefinitions\":[{\"header\":\"IPAddress\",\"outputType\":\"String\",\"supportDeepLink\":true},{\"header\":\"ConfidenceScore\",\"outputType\":\"Number\",\"supportDeepLink\":false},{\"header\":\"ThreatType\",\"outputType\":\"String\",\"supportDeepLink\":false},{\"header\":\"LatestIndicatorTime\",\"outputType\":\"Date\",\"supportDeepLink\":false}],\"queriesDefinitions\":[{\"filter\":\"project IPAddress, ConfidenceScore, ThreatType, LatestIndicatorTime\",\"summarize\":\"summarize by IPAddress, ConfidenceScore, ThreatType, LatestIndicatorTime\",\"project\":\"project IPAddress, ConfidenceScore, ThreatType, LatestIndicatorTime\",\"linkColumnsDefinitions\":[{\"projectedName\":\"IPAddress\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"ConfidenceScore\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"ThreatType\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"LatestIndicatorTime\",\"Query\":\"{{BaseQuery}} | \"}]}]},\"chartQuery\":null,\"additionalQuery\":{\"text\":\"See All details\",\"query\":\"project LatestIndicatorTime, ThreatType, IPAddress, SourceSystem, ConfidenceScore, Description, FieldsMatched, Tags\"},\"defaultTimeRange\":{\"beforeRange\":\"12h\",\"afterRange\":\"12h\"},\"referenceTimeRange\":null,\"dataTypes\":[{\"dataType\":\"ThreatIntelligenceIndicator\"}],\"inputEntityType\":\"Ip\",\"requiredInputFieldsSets\":[[\"Ip_Address\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d/queries/3834647e-ac3e-4fb4-a5f8-0dd50ba2b66c\",\"name\":\"3834647e-ac3e-4fb4-a5f8-0dd50ba2b66c\",\"type\":\"Microsoft.SecurityInsights/entities/queries\",\"kind\":\"Insight\",\"properties\":{\"displayName\":\"Watchlist Insights (Preview)\",\"description\":\"### Description\\n ___\\nThis insight aggregates data from the watchlists templates (Network Addresses) regarding the IP address.\",\"baseQuery\":\"let defaultValue = \u0027defaultValue\u0027; \\n let myIP = \u0027175.45.176.99\u0027; \\n let ips = _GetWatchlist(\u0027NetworkAddresses\u0027); \\n ips | extend IPSubnet = column_ifexists(\u0027IP Subnet\u0027, defaultValue) | extend FirstIP = split(IPSubnet , \u0027-\u0027).[0], SecondIP = split(IPSubnet, \u0027-\u0027).[1], checkIPv4 = parse_ipv4(myIP) | extend myIPnum = iff(isempty(checkIPv4), (parse_ipv6(myIP)), tostring(checkIPv4)) | extend firstIPparsed = iff(isempty(checkIPv4), parse_ipv6(tostring(FirstIP)), tostring(parse_ipv4(tostring(FirstIP)))), secondIPparsed = iff(isempty(checkIPv4), parse_ipv6(tostring(SecondIP)), tostring(parse_ipv4(tostring(SecondIP)))) | extend results = iff((isnotempty(checkIPv4) and tolong(firstIPparsed) \u003c= tolong(myIPnum) and (tolong(myIPnum) \u003c= tolong(secondIPparsed)) or (ipv4_is_in_range(myIP, tostring(SecondIP)) or (ipv6_compare(myIP, tostring(FirstIP)) == 0) or (ipv6_compare(myIP, tostring(SecondIP))==0))), True, false) | where results == true | extend RangeName = column_ifexists(\u0027Range Name\u0027, defaultValue) | extend IPSubnet = column_ifexists(\u0027IP Subnet\u0027, defaultValue) | extend Tags = column_ifexists(\u0027Tags\u0027, defaultValue) | extend [\u0027Watchlist Insight\u0027] = \u0027IP Address is within a known range\u0027 | extend [\u0027Additional Data\u0027] = strcat(\u0027Range Name: \u0027, RangeName,\u0027, \u0027,\u0027IP Range: \u0027, IPSubnet) | project [\u0027Watchlist Insight\u0027],[\u0027Additional Data\u0027], Tags\",\"tableQuery\":{\"columnsDefinitions\":[{\"header\":\"Watchlist Insight\",\"outputType\":\"String\",\"supportDeepLink\":false},{\"header\":\"Additional Data\",\"outputType\":\"String\",\"supportDeepLink\":false},{\"header\":\"Tags\",\"outputType\":\"String\",\"supportDeepLink\":false}],\"queriesDefinitions\":[{\"filter\":\" where 1 == 1\",\"summarize\":\" summarize count() by [\u0027Watchlist Insight\u0027], [\u0027Additional Data\u0027], Tags\",\"project\":\" project [\u0027Watchlist Insight\u0027], [\u0027Additional Data\u0027], Tags\",\"linkColumnsDefinitions\":[]}]},\"chartQuery\":null,\"additionalQuery\":null,\"defaultTimeRange\":{\"beforeRange\":\"0d\",\"afterRange\":\"0d\"},\"referenceTimeRange\":{\"beforeRange\":\"0d\"},\"dataTypes\":[{\"dataType\":\"Watchlist templates\"}],\"inputEntityType\":\"Ip\",\"requiredInputFieldsSets\":[[\"IP_Address\"]],\"entitiesFilter\":{}}}]}", "isContentBase64": false } } diff --git a/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelEntityInsight.Recording.json b/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelEntityInsight.Recording.json index c2038891bcfe..84072f5754d8 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelEntityInsight.Recording.json +++ b/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelEntityInsight.Recording.json @@ -1,17 +1,17 @@ { - "Get-AzSentinelEntityInsight+[NoContext]+GetExpanded+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entities?api-version=2021-09-01-preview+1": { + "Get-AzSentinelEntityInsight+[NoContext]+GetExpanded+$GET+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entities?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entities?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entities?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "196" ], - "x-ms-client-request-id": [ "4df3c847-e6b8-45da-b944-807a0520c1ed" ], + "x-ms-unique-id": [ "39" ], + "x-ms-client-request-id": [ "005be7ad-f42d-475f-9501-894b35475956" ], "CommandName": [ "Get-AzSentinelentity" ], "FullCommandName": [ "Get-AzSentinelEntity_List" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], + "User-Agent": [ "AzurePowershell/v15.4.0", "PSVersion/v7.6.0", "Az.SecurityInsights/3.2.1" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { @@ -22,35 +22,39 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11969" ], - "x-ms-request-id": [ "c31f8f05-40c1-4ae6-bfc6-9fd835eee4c2" ], - "x-ms-correlation-request-id": [ "c31f8f05-40c1-4ae6-bfc6-9fd835eee4c2" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160714Z:c31f8f05-40c1-4ae6-bfc6-9fd835eee4c2" ], + "Vary": [ "Accept-Encoding" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "1099" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/e0eac561-6e86-45d2-9e05-04cd25081921" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-ratelimit-remaining-subscription-global-reads": [ "16499" ], + "x-ms-request-id": [ "59977389-eb13-4a47-bbde-b0f3e23cc95d" ], + "x-ms-correlation-request-id": [ "59977389-eb13-4a47-bbde-b0f3e23cc95d" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074436Z:59977389-eb13-4a47-bbde-b0f3e23cc95d" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:07:14 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: C53F2189307344CD92F97C99F3BCC8D3 Ref B: AMS231020512027 Ref C: 2026-03-25T07:44:35Z" ], + "Date": [ "Wed, 25 Mar 2026 07:44:35 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "461" ], + "Content-Length": [ "482" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"value\":[{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d\",\"name\":\"f76e8451-9f40-544f-61e4-33a50dca269d\",\"type\":\"Microsoft.SecurityInsights/entities\",\"kind\":\"Ip\",\"properties\":{\"address\":\"175.45.176.99\",\"additionalData\":{\"AlertCount\":\"5\"},\"friendlyName\":\"175.45.176.99\"}}]}", + "Content": "{\"value\":[{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d\",\"name\":\"f76e8451-9f40-544f-61e4-33a50dca269d\",\"type\":\"Microsoft.SecurityInsights/entities\",\"kind\":\"Ip\",\"properties\":{\"address\":\"175.45.176.99\",\"additionalData\":{\"AlertCount\":\"5\",\"IsExactMatch\":false},\"friendlyName\":\"175.45.176.99\"}}]}", "isContentBase64": false } }, - "Get-AzSentinelEntityInsight+[NoContext]+GetExpanded+$POST+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d/getInsights?api-version=2021-09-01-preview+2": { + "Get-AzSentinelEntityInsight+[NoContext]+GetExpanded+$POST+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d/getInsights?api-version=2021-09-01-preview+2": { "Request": { "Method": "POST", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d/getInsights?api-version=2021-09-01-preview", - "Content": "{\n \"startTime\": \"2022-08-15T04:00:00.0000000+00:00\",\n \"endTime\": \"2022-08-16T04:00:00.0000000+00:00\"\n}", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d/getInsights?api-version=2021-09-01-preview", + "Content": "{\r\n \"startTime\": \"2026-03-24T09:00:00.0000000+02:00\",\r\n \"endTime\": \"2026-03-25T09:00:00.0000000+02:00\"\r\n}", "isContentBase64": false, "Headers": { }, "ContentHeaders": { "Content-Type": [ "application/json" ], - "Content-Length": [ "104" ] + "Content-Length": [ "107" ] } }, "Response": { @@ -58,21 +62,25 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11968" ], - "x-ms-request-id": [ "3e7d60ca-4911-4419-8092-c1a1a55a27a9" ], - "x-ms-correlation-request-id": [ "3e7d60ca-4911-4419-8092-c1a1a55a27a9" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160718Z:3e7d60ca-4911-4419-8092-c1a1a55a27a9" ], + "Vary": [ "Accept-Encoding" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "1099" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/14dd244e-093f-4d98-b4fe-5d94da6ebca2" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-ratelimit-remaining-subscription-global-reads": [ "16499" ], + "x-ms-request-id": [ "33a967a5-c022-44b2-be6e-b5000c82cb98" ], + "x-ms-correlation-request-id": [ "33a967a5-c022-44b2-be6e-b5000c82cb98" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074441Z:33a967a5-c022-44b2-be6e-b5000c82cb98" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:07:18 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: A795AF07AF6240FD922BC27FEEBA4718 Ref B: AMS231020512027 Ref C: 2026-03-25T07:44:36Z" ], + "Date": [ "Wed, 25 Mar 2026 07:44:40 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "1719" ], + "Content-Length": [ "2172" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"value\":[{\"tableQueryResults\":{\"columns\":[{\"name\":\"Direction\",\"type\":\"string\"},{\"name\":\"IPAddress\",\"type\":\"string\"},{\"name\":\"RemoteIP\",\"type\":\"string\"},{\"name\":\"Total\",\"type\":\"long\"},{\"name\":\"InternalOrder\",\"type\":\"long\"},{\"name\":\"Index\",\"type\":\"long\"}],\"rows\":[]},\"chartQueryResults\":[],\"queryTimeInterval\":{\"startTime\":\"2022-08-15T04:00:00+00:00\",\"endTime\":\"2022-08-16T04:00:00+00:00\"},\"queryId\":\"b8e2df44-f98f-4c95-bcbe-f8210f3e0f23\"},{\"tableQueryResults\":{\"columns\":[{\"name\":\"Direction\",\"type\":\"string\"},{\"name\":\"IPAddress\",\"type\":\"string\"},{\"name\":\"RemoteIP\",\"type\":\"string\"},{\"name\":\"ThreatType\",\"type\":\"string\"},{\"name\":\"InternalOrder\",\"type\":\"long\"},{\"name\":\"Index\",\"type\":\"long\"}],\"rows\":[]},\"chartQueryResults\":[{\"columns\":[{\"name\":\"Time\",\"type\":\"datetime\"},{\"name\":\"RemoteIPAddress\",\"type\":\"string\"},{\"name\":\"Count\",\"type\":\"long\"}],\"rows\":[]},{\"columns\":[{\"name\":\"Time\",\"type\":\"datetime\"},{\"name\":\"RemoteIPAddress\",\"type\":\"string\"},{\"name\":\"Count\",\"type\":\"long\"}],\"rows\":[]},{\"columns\":[{\"name\":\"Time\",\"type\":\"datetime\"},{\"name\":\"RemoteIPAddress\",\"type\":\"string\"},{\"name\":\"Count\",\"type\":\"long\"}],\"rows\":[]}],\"queryTimeInterval\":{\"startTime\":\"2022-08-15T04:00:00+00:00\",\"endTime\":\"2022-08-16T04:00:00+00:00\"},\"queryId\":\"340e5f6f-d218-4a11-8638-09e1af7847cc\"},{\"tableQueryResults\":{\"columns\":[{\"name\":\"Watchlist Insight\",\"type\":\"string\"},{\"name\":\"Additional Data\",\"type\":\"string\"},{\"name\":\"Tags\",\"type\":\"string\"},{\"name\":\"InternalOrder\",\"type\":\"long\"},{\"name\":\"Index\",\"type\":\"long\"}],\"rows\":[]},\"chartQueryResults\":[],\"queryTimeInterval\":{\"startTime\":\"2022-08-15T04:00:00+00:00\",\"endTime\":\"2022-08-16T04:00:00+00:00\"},\"queryId\":\"3834647e-ac3e-4fb4-a5f8-0dd50ba2b66c\"}],\"metaData\":{\"totalCount\":3,\"errors\":[]}}", + "Content": "{\"value\":[{\"tableQueryResults\":{\"columns\":[{\"name\":\"Direction\",\"type\":\"string\"},{\"name\":\"IPAddress\",\"type\":\"string\"},{\"name\":\"RemoteIP\",\"type\":\"string\"},{\"name\":\"ThreatType\",\"type\":\"string\"},{\"name\":\"InternalOrder\",\"type\":\"long\"},{\"name\":\"Index\",\"type\":\"long\"}],\"rows\":[]},\"chartQueryResults\":[{\"columns\":[{\"name\":\"Time\",\"type\":\"datetime\"},{\"name\":\"RemoteIPAddress\",\"type\":\"string\"},{\"name\":\"Count\",\"type\":\"long\"}],\"rows\":[]},{\"columns\":[{\"name\":\"Time\",\"type\":\"datetime\"},{\"name\":\"RemoteIPAddress\",\"type\":\"string\"},{\"name\":\"Count\",\"type\":\"long\"}],\"rows\":[]},{\"columns\":[{\"name\":\"Time\",\"type\":\"datetime\"},{\"name\":\"RemoteIPAddress\",\"type\":\"string\"},{\"name\":\"Count\",\"type\":\"long\"}],\"rows\":[]}],\"queryTimeInterval\":{\"startTime\":\"2026-03-24T07:00:00+00:00\",\"endTime\":\"2026-03-25T07:00:00+00:00\"},\"queryId\":\"340e5f6f-d218-4a11-8638-09e1af7847cc\"},{\"tableQueryResults\":{\"columns\":[{\"name\":\"Direction\",\"type\":\"string\"},{\"name\":\"IPAddress\",\"type\":\"string\"},{\"name\":\"RemoteIP\",\"type\":\"string\"},{\"name\":\"Total\",\"type\":\"long\"},{\"name\":\"InternalOrder\",\"type\":\"long\"},{\"name\":\"Index\",\"type\":\"long\"}],\"rows\":[]},\"chartQueryResults\":[],\"queryTimeInterval\":{\"startTime\":\"2026-03-24T07:00:00+00:00\",\"endTime\":\"2026-03-25T07:00:00+00:00\"},\"queryId\":\"b8e2df44-f98f-4c95-bcbe-f8210f3e0f23\"},{\"tableQueryResults\":{\"columns\":[{\"name\":\"IPAddress\",\"type\":\"string\"},{\"name\":\"ConfidenceScore\",\"type\":\"real\"},{\"name\":\"ThreatType\",\"type\":\"string\"},{\"name\":\"LatestIndicatorTime\",\"type\":\"datetime\"},{\"name\":\"InternalOrder\",\"type\":\"long\"},{\"name\":\"Index\",\"type\":\"long\"}],\"rows\":[]},\"chartQueryResults\":[],\"queryTimeInterval\":{\"startTime\":\"2026-03-24T07:00:00+00:00\",\"endTime\":\"2026-03-25T07:00:00+00:00\"},\"queryId\":\"8b4c6812-1829-423d-bb1e-04e3d06095b0\"},{\"tableQueryResults\":{\"columns\":[{\"name\":\"Watchlist Insight\",\"type\":\"string\"},{\"name\":\"Additional Data\",\"type\":\"string\"},{\"name\":\"Tags\",\"type\":\"string\"},{\"name\":\"InternalOrder\",\"type\":\"long\"},{\"name\":\"Index\",\"type\":\"long\"}],\"rows\":[]},\"chartQueryResults\":[],\"queryTimeInterval\":{\"startTime\":\"2026-03-24T07:00:00+00:00\",\"endTime\":\"2026-03-25T07:00:00+00:00\"},\"queryId\":\"3834647e-ac3e-4fb4-a5f8-0dd50ba2b66c\"}],\"metaData\":{\"totalCount\":4,\"errors\":[]}}", "isContentBase64": false } } diff --git a/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelEntityQuery.Recording.json b/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelEntityQuery.Recording.json index b6ad0ed3a9d6..33ac51aaf9a8 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelEntityQuery.Recording.json +++ b/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelEntityQuery.Recording.json @@ -1,17 +1,17 @@ { - "Get-AzSentinelEntityQuery+[NoContext]+List+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries?api-version=2021-09-01-preview+1": { + "Get-AzSentinelEntityQuery+[NoContext]+List+$GET+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueries?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueries?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "198" ], - "x-ms-client-request-id": [ "139b8db9-9503-4161-976d-08d1ff534e15" ], + "x-ms-unique-id": [ "41" ], + "x-ms-client-request-id": [ "c040e966-d38e-44f9-915e-8d3185ddff64" ], "CommandName": [ "Get-AzSentinelentityQuery" ], "FullCommandName": [ "Get-AzSentinelEntityQuery_List" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], + "User-Agent": [ "AzurePowershell/v15.4.0", "PSVersion/v7.6.0", "Az.SecurityInsights/3.2.1" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { @@ -22,37 +22,41 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11967" ], - "x-ms-request-id": [ "1c231c1b-2b9f-49c5-9dde-50db33c5bfdf" ], - "x-ms-correlation-request-id": [ "1c231c1b-2b9f-49c5-9dde-50db33c5bfdf" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160719Z:1c231c1b-2b9f-49c5-9dde-50db33c5bfdf" ], + "Vary": [ "Accept-Encoding" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "1099" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/5c11f4d4-4cf3-480f-9006-bf246bfb5f66" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-ratelimit-remaining-subscription-global-reads": [ "16499" ], + "x-ms-request-id": [ "c1ca1d3b-9765-4b35-8b69-8bc6c32c1406" ], + "x-ms-correlation-request-id": [ "c1ca1d3b-9765-4b35-8b69-8bc6c32c1406" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074442Z:c1ca1d3b-9765-4b35-8b69-8bc6c32c1406" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:07:19 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: 166287E1C53A407C891EF34DD2705760 Ref B: AMS231020512027 Ref C: 2026-03-25T07:44:41Z" ], + "Date": [ "Wed, 25 Mar 2026 07:44:41 GMT" ] }, "ContentHeaders": { "Content-Length": [ "156647" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"value\":[{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/98b974fd-cc64-48b8-9bd0-3a209f5b944b\",\"name\":\"98b974fd-cc64-48b8-9bd0-3a209f5b944b\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Related entities\",\"queryTemplate\":\"let GetAlertRelatedEntities = (v_SecurityAlert_SystemAlertId:string){\\r\\n SecurityAlert\\r\\n | where SystemAlertId == v_SecurityAlert_SystemAlertId\\r\\n | project entities = todynamic(Entities)\\r\\n | mv-expand entities\\r\\n | project-rename entity=entities};\\r\\n GetAlertRelatedEntities(\u0027\u003csystemAlertId\u003e\u0027)\",\"inputFields\":[\"systemAlertId\"],\"outputEntityTypes\":[],\"dataSources\":[\"SecurityAlert\"],\"inputEntityType\":\"SecurityAlert\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/27f76e63-c41b-480f-bb18-12ad2e011d49\",\"name\":\"27f76e63-c41b-480f-bb18-12ad2e011d49\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Related entities\",\"queryTemplate\":\"\",\"inputFields\":[],\"outputEntityTypes\":[],\"dataSources\":[],\"inputEntityType\":\"HuntingBookmark\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/055a5692-555f-42bd-ac17-923a5a9994ed\",\"name\":\"055a5692-555f-42bd-ac17-923a5a9994ed\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Related alerts\",\"queryTemplate\":\"let GetHostRelatedAlerts = (v_Host_HostName:string){\\r\\n SecurityAlert\\r\\n | summarize arg_max(TimeGenerated, *) by SystemAlertId\\r\\n | extend entities = todynamic(Entities)\\r\\n | mv-expand entities\\r\\n | project-rename entity=entities\\r\\n | where entity[\u0027Type\u0027] == \u0027host\u0027 and entity[\u0027HostName\u0027] =~ v_Host_HostName\\r\\n | project-away entity};\\r\\n GetHostRelatedAlerts(\u0027\u003chostName\u003e\u0027)\",\"inputFields\":[\"hostName\"],\"outputEntityTypes\":[\"SecurityAlert\"],\"dataSources\":[\"SecurityAlert\"],\"inputEntityType\":\"Host\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/e36c2ceb-4caf-4919-8433-d61dbc3e294a\",\"name\":\"e36c2ceb-4caf-4919-8433-d61dbc3e294a\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Related bookmarks\",\"queryTemplate\":\"\",\"inputFields\":[\"hostName\"],\"outputEntityTypes\":[\"HuntingBookmark\"],\"dataSources\":[],\"inputEntityType\":\"Host\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/a77992f3-25e9-4d01-99a4-5ff606cc410a\",\"name\":\"a77992f3-25e9-4d01-99a4-5ff606cc410a\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Related alerts\",\"queryTemplate\":\"let GetAccountRelatedAlerts = (v_Account_Name:string){\\r\\n SecurityAlert\\r\\n | summarize arg_max(TimeGenerated, *) by SystemAlertId\\r\\n | extend entities = todynamic(Entities)\\r\\n | mv-expand entities\\r\\n | project-rename entity=entities\\r\\n | where entity[\u0027Type\u0027] == \u0027account\u0027 and entity[\u0027Name\u0027] =~ v_Account_Name\\r\\n | project-away entity};\\r\\n GetAccountRelatedAlerts(\u0027\u003caccountName\u003e\u0027)\",\"inputFields\":[\"accountName\"],\"outputEntityTypes\":[\"SecurityAlert\"],\"dataSources\":[\"SecurityAlert\"],\"inputEntityType\":\"Account\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/504ea455-3bf7-47ef-8555-dc747b465f99\",\"name\":\"504ea455-3bf7-47ef-8555-dc747b465f99\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Related bookmarks\",\"queryTemplate\":\"\",\"inputFields\":[\"accountName\"],\"outputEntityTypes\":[\"HuntingBookmark\"],\"dataSources\":[],\"inputEntityType\":\"Account\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/4a014a1b-c5a1-499f-9f54-3f7b99b0a675\",\"name\":\"4a014a1b-c5a1-499f-9f54-3f7b99b0a675\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Related alerts\",\"queryTemplate\":\"let GetAzureResourceRelatedAlerts = (v_AzureResource_ResourceId:string){\\r\\n SecurityAlert\\r\\n | summarize arg_max(TimeGenerated, *) by SystemAlertId\\r\\n | extend entities = todynamic(Entities)\\r\\n | mv-expand entities\\r\\n | project-rename entity=entities\\r\\n | where entity[\u0027Type\u0027] == \u0027azure-resource\u0027 and entity[\u0027ResourceId\u0027] =~ v_AzureResource_ResourceId\\r\\n | project-away entity};\\r\\n GetAzureResourceRelatedAlerts(\u0027\u003cresourceId\u003e\u0027)\",\"inputFields\":[\"resourceId\"],\"outputEntityTypes\":[\"SecurityAlert\"],\"dataSources\":[\"SecurityAlert\"],\"inputEntityType\":\"AzureResource\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/f74ad13a-ae93-47b9-8782-b1142b95d046\",\"name\":\"f74ad13a-ae93-47b9-8782-b1142b95d046\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Related alerts\",\"queryTemplate\":\"let GetCloudApplicationRelatedAlerts = (v_CloudApplication_AppId:string){\\r\\n SecurityAlert\\r\\n | summarize arg_max(TimeGenerated, *) by SystemAlertId\\r\\n | extend entities = todynamic(Entities)\\r\\n | mv-expand entities\\r\\n | project-rename entity=entities\\r\\n | where entity[\u0027Type\u0027] == \u0027cloud-application\u0027 and entity[\u0027AppId\u0027] =~ v_CloudApplication_AppId\\r\\n | project-away entity};\\r\\n GetCloudApplicationRelatedAlerts(\u0027\u003cappId\u003e\u0027)\",\"inputFields\":[\"appId\"],\"outputEntityTypes\":[\"SecurityAlert\"],\"dataSources\":[\"SecurityAlert\"],\"inputEntityType\":\"CloudApplication\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/80218599-45b4-4402-95cc-86f9929dd43d\",\"name\":\"80218599-45b4-4402-95cc-86f9929dd43d\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Related alerts\",\"queryTemplate\":\"let GetDNSRelatedAlerts = (v_DNS_DomainName:string){\\r\\n SecurityAlert\\r\\n | summarize arg_max(TimeGenerated, *) by SystemAlertId\\r\\n | extend entities = todynamic(Entities)\\r\\n | mv-expand entities\\r\\n | project-rename entity=entities\\r\\n | where entity[\u0027Type\u0027] == \u0027dns\u0027 and entity[\u0027DomainName\u0027] =~ v_DNS_DomainName\\r\\n | project-away entity};\\r\\n GetDNSRelatedAlerts(\u0027\u003cdomainName\u003e\u0027)\",\"inputFields\":[\"domainName\"],\"outputEntityTypes\":[\"SecurityAlert\"],\"dataSources\":[\"SecurityAlert\"],\"inputEntityType\":\"DNS\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/0f0bccef-4512-4530-a866-27056a39dcd6\",\"name\":\"0f0bccef-4512-4530-a866-27056a39dcd6\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Related alerts\",\"queryTemplate\":\"let GetFileRelatedAlerts = (v_File_Name:string){\\r\\n SecurityAlert\\r\\n | summarize arg_max(TimeGenerated, *) by SystemAlertId\\r\\n | extend entities = todynamic(Entities)\\r\\n | mv-expand entities\\r\\n | project-rename entity=entities\\r\\n | where entity[\u0027Type\u0027] == \u0027file\u0027 and entity[\u0027Name\u0027] =~ v_File_Name\\r\\n | project-away entity};\\r\\n GetFileRelatedAlerts(\u0027\u003cfileName\u003e\u0027)\",\"inputFields\":[\"fileName\"],\"outputEntityTypes\":[\"SecurityAlert\"],\"dataSources\":[\"SecurityAlert\"],\"inputEntityType\":\"File\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/b6eaa3ad-e69b-437e-9c13-bb5273dd34ab\",\"name\":\"b6eaa3ad-e69b-437e-9c13-bb5273dd34ab\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Related alerts\",\"queryTemplate\":\"let GetFileHashRelatedAlerts = (v_FileHash_Value:string){\\r\\n SecurityAlert\\r\\n | summarize arg_max(TimeGenerated, *) by SystemAlertId\\r\\n | extend entities = todynamic(Entities)\\r\\n | mv-expand entities\\r\\n | project-rename entity=entities\\r\\n | where entity[\u0027Type\u0027] == \u0027filehash\u0027 and entity[\u0027Value\u0027] =~ v_FileHash_Value\\r\\n | project-away entity};\\r\\n GetFileHashRelatedAlerts(\u0027\u003chashValue\u003e\u0027)\",\"inputFields\":[\"hashValue\"],\"outputEntityTypes\":[\"SecurityAlert\"],\"dataSources\":[\"SecurityAlert\"],\"inputEntityType\":\"FileHash\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/58c1516f-b78a-4d78-9e71-77c40849c27b\",\"name\":\"58c1516f-b78a-4d78-9e71-77c40849c27b\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Related alerts\",\"queryTemplate\":\"let GetIPRelatedAlerts = (v_IP_Address:string){\\r\\n SecurityAlert\\r\\n | summarize arg_max(TimeGenerated, *) by SystemAlertId\\r\\n | extend entities = todynamic(Entities)\\r\\n | mv-expand entities\\r\\n | project-rename entity=entities\\r\\n | where entity[\u0027Type\u0027] == \u0027ip\u0027 and entity[\u0027Address\u0027] =~ v_IP_Address\\r\\n | project-away entity};\\r\\n GetIPRelatedAlerts(\u0027\u003caddress\u003e\u0027)\",\"inputFields\":[\"address\"],\"outputEntityTypes\":[\"SecurityAlert\"],\"dataSources\":[\"SecurityAlert\"],\"inputEntityType\":\"IP\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/6a6a5dcb-605c-4dad-8bb6-c8c439db4f0a\",\"name\":\"6a6a5dcb-605c-4dad-8bb6-c8c439db4f0a\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Related bookmarks\",\"queryTemplate\":\"\",\"inputFields\":[\"address\"],\"outputEntityTypes\":[\"HuntingBookmark\"],\"dataSources\":[],\"inputEntityType\":\"IP\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/b8407195-b9a3-4565-bf08-7b23e5c57e3a\",\"name\":\"b8407195-b9a3-4565-bf08-7b23e5c57e3a\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Related alerts\",\"queryTemplate\":\"let GetMalwareRelatedAlerts = (v_Malware_Name:string){\\r\\n SecurityAlert\\r\\n | summarize arg_max(TimeGenerated, *) by SystemAlertId\\r\\n | extend entities = todynamic(Entities)\\r\\n | mv-expand entities\\r\\n | project-rename entity=entities\\r\\n | where entity[\u0027Type\u0027] == \u0027malware\u0027 and entity[\u0027Name\u0027] =~ v_Malware_Name\\r\\n | project-away entity};\\r\\n GetMalwareRelatedAlerts(\u0027\u003cmalwareName\u003e\u0027)\",\"inputFields\":[\"malwareName\"],\"outputEntityTypes\":[\"SecurityAlert\"],\"dataSources\":[\"SecurityAlert\"],\"inputEntityType\":\"Malware\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/63a4fa2f-f89d-4cf5-96a2-cb2479e49731\",\"name\":\"63a4fa2f-f89d-4cf5-96a2-cb2479e49731\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Related alerts\",\"queryTemplate\":\"let GetProcessRelatedAlerts = (v_Process_ProcessId:string){\\r\\n SecurityAlert\\r\\n | summarize arg_max(TimeGenerated, *) by SystemAlertId\\r\\n | extend entities = todynamic(Entities)\\r\\n | mv-expand entities\\r\\n | project-rename entity=entities\\r\\n | where entity[\u0027Type\u0027] == \u0027process\u0027 and entity[\u0027ProcessId\u0027] =~ v_Process_ProcessId\\r\\n | project-away entity};\\r\\n GetProcessRelatedAlerts(\u0027\u003cprocessId\u003e\u0027)\",\"inputFields\":[\"processId\"],\"outputEntityTypes\":[\"SecurityAlert\"],\"dataSources\":[\"SecurityAlert\"],\"inputEntityType\":\"Process\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/d788cd65-a7ef-448e-aa34-81185ac0e611\",\"name\":\"d788cd65-a7ef-448e-aa34-81185ac0e611\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Related alerts\",\"queryTemplate\":\"let GetRegistryKeyRelatedAlerts = (v_RegistryKey_Key:string){\\r\\n SecurityAlert\\r\\n | summarize arg_max(TimeGenerated, *) by SystemAlertId\\r\\n | extend entities = todynamic(Entities)\\r\\n | mv-expand entities\\r\\n | project-rename entity=entities\\r\\n | where entity[\u0027Type\u0027] == \u0027registry-key\u0027 and entity[\u0027Key\u0027] =~ v_RegistryKey_Key\\r\\n | project-away entity};\\r\\n GetRegistryKeyRelatedAlerts(\u0027\u003ckey\u003e\u0027)\",\"inputFields\":[\"key\"],\"outputEntityTypes\":[\"SecurityAlert\"],\"dataSources\":[\"SecurityAlert\"],\"inputEntityType\":\"RegistryKey\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/3a45a7e3-80e0-4e05-84db-b97bd1ae452b\",\"name\":\"3a45a7e3-80e0-4e05-84db-b97bd1ae452b\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Related alerts\",\"queryTemplate\":\"let GetRegistryValueRelatedAlerts = (v_RegistryValue_Name:string){\\r\\n SecurityAlert\\r\\n | summarize arg_max(TimeGenerated, *) by SystemAlertId\\r\\n | extend entities = todynamic(Entities)\\r\\n | mv-expand entities\\r\\n | project-rename entity=entities\\r\\n | where entity[\u0027Type\u0027] == \u0027registry-value\u0027 and entity[\u0027Name\u0027] =~ v_RegistryValue_Name\\r\\n | project-away entity};\\r\\n GetRegistryValueRelatedAlerts(\u0027\u003cvalueName\u003e\u0027)\",\"inputFields\":[\"valueName\"],\"outputEntityTypes\":[\"SecurityAlert\"],\"dataSources\":[\"SecurityAlert\"],\"inputEntityType\":\"RegistryValue\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/43c07636-6be0-4c62-8c62-9a6040a98821\",\"name\":\"43c07636-6be0-4c62-8c62-9a6040a98821\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Related alerts\",\"queryTemplate\":\"let GetSecurityGroupRelatedAlerts = (v_SecurityGroup_DistinguishedName:string){\\r\\n SecurityAlert\\r\\n | summarize arg_max(TimeGenerated, *) by SystemAlertId\\r\\n | extend entities = todynamic(Entities)\\r\\n | mv-expand entities\\r\\n | project-rename entity=entities\\r\\n | where entity[\u0027Type\u0027] == \u0027security-group\u0027 and entity[\u0027DistinguishedName\u0027] =~ v_SecurityGroup_DistinguishedName\\r\\n | project-away entity};\\r\\n GetSecurityGroupRelatedAlerts(\u0027\u003cdistinguishedName\u003e\u0027)\",\"inputFields\":[\"distinguishedName\"],\"outputEntityTypes\":[\"SecurityAlert\"],\"dataSources\":[\"SecurityAlert\"],\"inputEntityType\":\"SecurityGroup\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/7b61d5e2-4b66-40a7-bb0f-9145b445104e\",\"name\":\"7b61d5e2-4b66-40a7-bb0f-9145b445104e\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Related alerts\",\"queryTemplate\":\"let GetURLRelatedAlerts = (v_URL_Url:string){\\r\\n SecurityAlert\\r\\n | summarize arg_max(TimeGenerated, *) by SystemAlertId\\r\\n | extend entities = todynamic(Entities)\\r\\n | mv-expand entities\\r\\n | project-rename entity=entities\\r\\n | where entity[\u0027Type\u0027] == \u0027url\u0027 and entity[\u0027Url\u0027] =~ v_URL_Url\\r\\n | project-away entity};\\r\\n GetURLRelatedAlerts(\u0027\u003curl\u003e\u0027)\",\"inputFields\":[\"url\"],\"outputEntityTypes\":[\"SecurityAlert\"],\"dataSources\":[\"SecurityAlert\"],\"inputEntityType\":\"URL\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/855ea9fe-2fdd-4890-8daa-c895c136eef3\",\"name\":\"855ea9fe-2fdd-4890-8daa-c895c136eef3\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Related bookmarks\",\"queryTemplate\":\"\",\"inputFields\":[\"url\"],\"outputEntityTypes\":[\"HuntingBookmark\"],\"dataSources\":[],\"inputEntityType\":\"URL\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/4daeed0e-0e74-4f2d-990c-a958210e9dd7\",\"name\":\"4daeed0e-0e74-4f2d-990c-a958210e9dd7\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Related alerts\",\"queryTemplate\":\"let GetIoTDeviceRelatedAlerts = (v_IoTDevice_DeviceId:string){\\r\\n SecurityAlert\\r\\n | summarize arg_max(TimeGenerated, *) by SystemAlertId\\r\\n | extend entities = todynamic(Entities)\\r\\n | mv-expand entities\\r\\n | project-rename entity=entities\\r\\n | where entity[\u0027Type\u0027] == \u0027iotdevice\u0027 and entity[\u0027DeviceId\u0027] =~ v_IoTDevice_DeviceId\\r\\n | project-away entity};\\r\\n GetIoTDeviceRelatedAlerts(\u0027\u003cdeviceId\u003e\u0027)\",\"inputFields\":[\"deviceId\"],\"outputEntityTypes\":[\"SecurityAlert\"],\"dataSources\":[\"SecurityAlert\"],\"inputEntityType\":\"IoTDevice\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/fb123681-fb7e-4684-86fd-3866df84ac2f\",\"name\":\"fb123681-fb7e-4684-86fd-3866df84ac2f\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Assigned IPs\",\"queryTemplate\":\"let GetIPsForHost = (v_Host_HostName:string){\\r\\n Heartbeat\\r\\n | where Computer =~ v_Host_HostName\\r\\n | summarize arg_max(TimeGenerated, *) by ComputerIP\\r\\n };\\r\\n GetIPsForHost(\u0027\u003chostName\u003e\u0027)\",\"inputFields\":[\"hostName\"],\"outputEntityTypes\":[\"IP\"],\"dataSources\":[],\"inputEntityType\":\"Host\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/fa16a940-53cc-4e45-9e6f-d8409cb42390\",\"name\":\"fa16a940-53cc-4e45-9e6f-d8409cb42390\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Host assigned with IP\",\"queryTemplate\":\"let GetHostsForIp = (v_IP_Address:string){\\r\\n Heartbeat\\r\\n | where ComputerIP =~ v_IP_Address\\r\\n | summarize arg_max(TimeGenerated, *) by Computer\\r\\n };\\r\\n GetHostsForIp(\u0027\u003caddress\u003e\u0027)\",\"inputFields\":[\"address\"],\"outputEntityTypes\":[\"Host\"],\"dataSources\":[],\"inputEntityType\":\"IP\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/0a691e7d-a9bb-4a80-8591-2cc0b5094298\",\"name\":\"0a691e7d-a9bb-4a80-8591-2cc0b5094298\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Related alerts\",\"queryTemplate\":\"let GetMailboxRelatedAlerts = (v_Mailbox_MailboxPrimaryAddress:string){\\r\\n SecurityAlert\\r\\n | summarize arg_max(TimeGenerated, *) by SystemAlertId\\r\\n | extend entities = todynamic(Entities)\\r\\n | mv-expand entities\\r\\n | project-rename entity=entities\\r\\n | where entity[\u0027Type\u0027] == \u0027mailbox\u0027 and entity[\u0027MailboxPrimaryAddress\u0027] =~ v_Mailbox_MailboxPrimaryAddress\\r\\n | project-away entity};\\r\\n GetMailboxRelatedAlerts(\u0027\u003cmailboxPrimaryAddress\u003e\u0027)\",\"inputFields\":[\"mailboxPrimaryAddress\"],\"outputEntityTypes\":[\"SecurityAlert\"],\"dataSources\":[\"SecurityAlert\"],\"inputEntityType\":\"Mailbox\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/cf68388a-a0db-41d5-969f-919f7a2e47bc\",\"name\":\"cf68388a-a0db-41d5-969f-919f7a2e47bc\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Related alerts\",\"queryTemplate\":\"let GetMailClusterRelatedAlerts = (v_MailCluster_Query:string){\\r\\n SecurityAlert\\r\\n | summarize arg_max(TimeGenerated, *) by SystemAlertId\\r\\n | extend entities = todynamic(Entities)\\r\\n | mv-expand entities\\r\\n | project-rename entity=entities\\r\\n | where entity[\u0027Type\u0027] == \u0027mailCluster\u0027 and entity[\u0027Query\u0027] =~ v_MailCluster_Query\\r\\n | project-away entity};\\r\\n GetMailClusterRelatedAlerts(\u0027\u003cquery\u003e\u0027)\",\"inputFields\":[\"query\"],\"outputEntityTypes\":[\"SecurityAlert\"],\"dataSources\":[\"SecurityAlert\"],\"inputEntityType\":\"MailCluster\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/33fbca35-93cf-45f8-864f-eb3d553d5bb8\",\"name\":\"33fbca35-93cf-45f8-864f-eb3d553d5bb8\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Related alerts\",\"queryTemplate\":\"let GetMailMessageRelatedAlerts = (v_MailMessage_NetworkMessageId:string){\\r\\n SecurityAlert\\r\\n | summarize arg_max(TimeGenerated, *) by SystemAlertId\\r\\n | extend entities = todynamic(Entities)\\r\\n | mv-expand entities\\r\\n | project-rename entity=entities\\r\\n | where entity[\u0027Type\u0027] == \u0027mailMessage\u0027 and entity[\u0027NetworkMessageId\u0027] =~ v_MailMessage_NetworkMessageId\\r\\n | project-away entity};\\r\\n GetMailMessageRelatedAlerts(\u0027\u003cnetworkMessageId\u003e\u0027)\",\"inputFields\":[\"networkMessageId\"],\"outputEntityTypes\":[\"SecurityAlert\"],\"dataSources\":[\"SecurityAlert\"],\"inputEntityType\":\"MailMessage\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/d215b047-259d-40b4-843c-4d509b013525\",\"name\":\"d215b047-259d-40b4-843c-4d509b013525\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Related alerts\",\"queryTemplate\":\"let GetSubmissionMailRelatedAlerts = (v_SubmissionMail_SubmissionId:string){\\r\\n SecurityAlert\\r\\n | summarize arg_max(TimeGenerated, *) by SystemAlertId\\r\\n | extend entities = todynamic(Entities)\\r\\n | mv-expand entities\\r\\n | project-rename entity=entities\\r\\n | where entity[\u0027Type\u0027] == \u0027SubmissionMail\u0027 and entity[\u0027SubmissionId\u0027] =~ v_SubmissionMail_SubmissionId\\r\\n | project-away entity};\\r\\n GetSubmissionMailRelatedAlerts(\u0027\u003csubmissionId\u003e\u0027)\",\"inputFields\":[\"submissionId\"],\"outputEntityTypes\":[\"SecurityAlert\"],\"dataSources\":[\"SecurityAlert\"],\"inputEntityType\":\"SubmissionMail\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/6168f65c-448f-4732-8b6c-10e5693de946\",\"name\":\"6168f65c-448f-4732-8b6c-10e5693de946\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"IoTDevice related Nics\",\"queryTemplate\":\"let GetIoTDeviceRelatedNics = (v_IoTDevice_DeviceId:string){\\r\\n SecurityAlert\\r\\n | summarize arg_max(TimeGenerated, *) by SystemAlertId\\r\\n | extend entities = todynamic(Entities)\\r\\n | mv-expand entities\\r\\n | project-rename entity=entities\\r\\n | where entity[\u0027Type\u0027] == \u0027iotdevice\u0027\\r\\n and entity[\u0027DeviceId\u0027] =~ v_IoTDevice_DeviceId\\r\\n | project Nic = entity[\u0027Nics\u0027]\\r\\n | mv-expand Nic\\r\\n | where isnotempty(Nic)\\r\\n };\\r\\n GetIoTDeviceRelatedNics(\u0027\u003cdeviceId\u003e\u0027)\",\"inputFields\":[\"deviceId\"],\"outputEntityTypes\":[\"Nic\"],\"dataSources\":[],\"inputEntityType\":\"IoTDevice\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/887b5f82-f5a8-4735-bec9-1e563ced0f9f\",\"name\":\"887b5f82-f5a8-4735-bec9-1e563ced0f9f\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"IoTDevice related Azure Resources\",\"queryTemplate\":\"let GetIoTDeviceRelatedIoTHub = (v_IoTDevice_DeviceId:string){\\r\\n SecurityAlert\\r\\n | summarize arg_max(TimeGenerated, *) by SystemAlertId\\r\\n | extend entities = todynamic(Entities)\\r\\n | mv-expand entities\\r\\n | project-rename entity=entities\\r\\n | where entity[\u0027Type\u0027] =~ \u0027iotdevice\u0027\\r\\n and entity[\u0027DeviceId\u0027] =~ v_IoTDevice_DeviceId\\r\\n | project IoTHub = entity[\u0027IoTHub\u0027]\\r\\n | mv-expand IoTHub\\r\\n | where isnotempty(IoTHub)\\r\\n };\\r\\n GetIoTDeviceRelatedIoTHub(\u0027\u003cdeviceId\u003e\u0027)\",\"inputFields\":[\"deviceId\"],\"outputEntityTypes\":[\"AzureResource\"],\"dataSources\":[],\"inputEntityType\":\"IoTDevice\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/f70e333a-fc67-445f-88db-e4665a3425e4\",\"name\":\"f70e333a-fc67-445f-88db-e4665a3425e4\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Nic related Ip\",\"queryTemplate\":\"let GetNicRelatedIpAddress = (v_Nic_MacAddress:string){\\r\\n SecurityAlert\\r\\n | summarize arg_max(TimeGenerated, *) by SystemAlertId\\r\\n | extend entities = todynamic(Entities)\\r\\n | mv-expand entities\\r\\n | project-rename entity=entities\\r\\n | where entity[\u0027Type\u0027] =~ \u0027nic\u0027\\r\\n and entity[\u0027MacAddress\u0027] =~ v_Nic_MacAddress\\r\\n | project IpAddress = entity[\u0027IpAddress\u0027]\\r\\n | mv-expand IpAddress\\r\\n | where isnotempty(IpAddress)\\r\\n };\\r\\n GetNicRelatedIpAddress(\u0027\u003cMacAddress\u003e\u0027)\",\"inputFields\":[\"MacAddress\"],\"outputEntityTypes\":[\"IP\"],\"dataSources\":[],\"inputEntityType\":\"Nic\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/4c541df8-a680-4da5-96c9-74456927213f\",\"name\":\"4c541df8-a680-4da5-96c9-74456927213f\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Hosts the account failed to log in to the most\",\"queryTemplate\":\"let FailedLoginEventId = 4625;\\r\\n let SuccessfulLoginEventId = 4624;\\n\\t\\t\\t\\t\\t\\t\\tlet isimAuthenticationInstalled=toscalar(union isfuzzy=true (datatable(Test:string)[]), (imAuthentication| take 0) | getschema | count | project Exists=(Count\u003e1));\\n\\t\\t\\t\\t\\t\\t\\tlet Legacy = (v_Account_Name:string, v_Account_NTDomain:string, v_Account_UPNSuffix:string){\\n\\t\\t\\t\\t\\t\\t\\t (datatable(exists:int)[1] | where not(isimAuthenticationInstalled)) | join\\n\\t\\t\\t\\t\\t\\t\\t ( \\n\\t\\t\\t\\t\\t\\t\\t SecurityEvent\\n\\t\\t\\t\\t\\t\\t\\t | extend p_Account_Name = case(\\n\\t\\t\\t\\t\\t\\t\\t v_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\n\\t\\t\\t\\t\\t\\t\\t v_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\n\\t\\t\\t\\t\\t\\t\\t v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\n\\t\\t\\t\\t\\t\\t\\t v_Account_Name\\n\\t\\t\\t\\t\\t\\t\\t )\\n\\t\\t\\t\\t\\t\\t\\t | extend p_Account_UPNSuffix = case(\\n\\t\\t\\t\\t\\t\\t\\t v_Account_UPNSuffix has \u0027@\u0027, tostring(split(v_Account_UPNSuffix, \u0027@\u0027)[1]),\\n\\t\\t\\t\\t\\t\\t\\t v_Account_UPNSuffix has \u0027\\\\\\\\\u0027, tostring(split(v_Account_UPNSuffix, \u0027\\\\\\\\\u0027)[0]),\\n\\t\\t\\t\\t\\t\\t\\t v_Account_UPNSuffix\\n\\t\\t\\t\\t\\t\\t\\t )\\n\\t\\t\\t\\t\\t\\t\\t | extend p_Account_NTDomain = case(\\n\\t\\t\\t\\t\\t\\t\\t v_Account_NTDomain has \u0027\\\\\\\\\u0027, tostring(split(v_Account_UPNSuffix, \u0027\\\\\\\\\u0027)[0]),\\n\\t\\t\\t\\t\\t\\t\\t v_Account_NTDomain\\n\\t\\t\\t\\t\\t\\t\\t ) \\n\\t\\t\\t\\t\\t\\t\\t | extend Account_UPNSuffix = iff(Account has \u0027@\u0027, tostring(split(Account,\u0027@\u0027)[1]),\u0027\u0027)\\n\\t\\t\\t\\t\\t\\t\\t | extend Account_NTDomain = iff(Account has \u0027\\\\\\\\\u0027, tostring(split(Account,\u0027\\\\\\\\\u0027)[0]),\u0027\u0027)\\n\\t\\t\\t\\t\\t\\t\\t | extend Account_Name = extract(@\u0027^([^\\\\\\\\]*\\\\\\\\)?([^@]+)@?\u0027,2,Account)\\n\\t\\t\\t\\t\\t\\t\\t | where ( (isnotempty(Account_Name) and Account_Name==p_Account_Name) \\n\\t\\t\\t\\t\\t\\t\\t and \\n\\t\\t\\t\\t\\t\\t\\t iff(isnotempty(p_Account_NTDomain) and isnotempty(Account_NTDomain) ,p_Account_NTDomain==Account_NTDomain,true )\\n\\t\\t\\t\\t\\t\\t\\t and\\n\\t\\t\\t\\t\\t\\t\\t iff(isnotempty(p_Account_UPNSuffix) and isnotempty(Account_UPNSuffix) ,p_Account_UPNSuffix==Account_UPNSuffix,true )\\n\\t\\t\\t\\t\\t\\t\\t )\\n\\t\\t\\t\\t\\t\\t\\t | summarize Host_Aux_SuccessfulLoginCount = countif(EventID==SuccessfulLoginEventId)\\n\\t\\t\\t\\t\\t\\t\\t , Host_Aux_FailedLoginsCount\\t= countif(EventID==FailedLoginEventId)\\n\\t\\t\\t\\t\\t\\t\\t , Host_Aux_LogonTypes=make_set(LogonType)\\n\\t\\t\\t\\t\\t\\t\\t by Computer, Account, SourceComputerId, _ResourceId\\n\\t\\t\\t\\t\\t\\t\\t | top 10 by Host_Aux_FailedLoginsCount\\n\\t\\t\\t\\t\\t\\t\\t | parse Computer with Host_NTDomain \u0027\\\\\\\\\u0027 *\\n\\t\\t\\t\\t\\t\\t\\t | extend Host_HostName = tostring(split(Computer,\u0027.\u0027)[0]), \\n\\t\\t\\t\\t\\t\\t\\t Host_DnsDomain = strcat_array(array_slice(split(Computer,\u0027.\u0027),1,256),\u0027.\u0027)\\n\\t\\t\\t\\t\\t\\t\\t , Host_OMSAgentID=SourceComputerId, Host_AzureID = _ResourceId\\n\\t\\t\\t\\t\\t\\t\\t | project-away Computer, Account, _ResourceId, SourceComputerId\\n\\t\\t\\t\\t\\t\\t\\t | extend exists=int(1) ) on exists | project-away exists, exists1 \\n\\t\\t\\t\\t\\t\\t\\t };\\n\\t\\t\\t\\t\\t\\t\\t let Normalized = (v_Account_Name:string, v_Account_NTDomain:string, v_Account_UPNSuffix:string){\\n\\t\\t\\t\\t\\t\\t\\t (datatable(exists:int)[1] | where isimAuthenticationInstalled) | join \\n\\t\\t\\t\\t\\t\\t\\t (\\n\\t\\t\\t\\t\\t\\t\\t imAuthentication(starttime=ago(24h),targetusername_has=v_Account_Name) \\n\\t\\t\\t\\t\\t\\t\\t | where isnotempty(TargetDvcHostname)\\n\\t\\t\\t\\t\\t\\t\\t //* postfiltering *\\n\\t\\t\\t\\t\\t\\t\\t | where TargetUsername has v_Account_Name\\n\\t\\t\\t\\t\\t\\t\\t | summarize Host_Aux_SuccessfulLoginCount = countif(EventResult==\u0027Success\u0027)\\n\\t\\t\\t\\t\\t\\t\\t , Host_Aux_FailedLoginsCount\\t= countif(EventResult==\u0027Failure\u0027)\\n\\t\\t\\t\\t\\t\\t\\t , Host_Aux_LogonTypes=make_set(EventSubType)\\n\\t\\t\\t\\t\\t\\t\\t by TargetDvcHostname, TargetDvcId\\n\\t\\t\\t\\t\\t\\t\\t | top 10 by Host_Aux_FailedLoginsCount\\n\\t\\t\\t\\t\\t\\t\\t | parse TargetDvcHostname with Host_NTDomain \u0027\\\\\\\\\u0027 *\\n\\t\\t\\t\\t\\t\\t\\t | extend Host_UnstructuredName = TargetDvcHostname\\n\\t\\t\\t\\t\\t\\t\\t | project-keep Host_*\\n\\t\\t\\t\\t\\t\\t\\t | extend exists=int(1) ) on exists | project-away exists, exists1 \\n\\t\\t\\t\\t\\t\\t\\t };\\n\\t\\t\\t\\t\\t\\t\\t union isfuzzy=true Legacy(\u0027\u003caccountName\u003e\u0027,\u0027\u003cntDomain\u003e\u0027,\u0027\u003cupnSuffix\u003e\u0027),Normalized(\u0027\u003caccountName\u003e\u0027,\u0027\u003cntDomain\u003e\u0027,\u0027\u003cupnSuffix\u003e\u0027)\",\"inputFields\":[\"accountName\",\"upnSuffix\",\"ntDomain\"],\"outputEntityTypes\":[\"Host\"],\"dataSources\":[\"SecurityEvent\"],\"inputEntityType\":\"Account\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/2db8cac9-d2ce-4494-93bf-4678cd872ce4\",\"name\":\"2db8cac9-d2ce-4494-93bf-4678cd872ce4\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"IPs from rare locations used by account\",\"queryTemplate\":\"let IPsFromRareLocations = (v_Account_Name:string, v_Account_UPNSuffix:string, v_Account_AadUserId:string){\\n\\t\\t\\t\\t\\t\\t\\tlet LocationPrevalence =\\n\\t\\t\\t\\t\\t\\t\\tSigninLogs\\n\\t\\t\\t\\t\\t\\t\\t| extend p_Account_Name = case(\\n\\t\\t\\t\\t\\t\\t\\tv_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\n\\t\\t\\t\\t\\t\\t\\tv_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\n\\t\\t\\t\\t\\t\\t\\tv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\n\\t\\t\\t\\t\\t\\t\\tv_Account_Name\\n\\t\\t\\t\\t\\t\\t\\t)\\n\\t\\t\\t\\t\\t\\t\\t| extend p_Account_UPNSuffix = case(\\n\\t\\t\\t\\t\\t\\t\\tv_Account_UPNSuffix has \u0027@\u0027, tostring(split(v_Account_UPNSuffix, \u0027@\u0027)[1]),\\n\\t\\t\\t\\t\\t\\t\\tv_Account_UPNSuffix has \u0027\\\\\\\\\u0027, tostring(split(v_Account_UPNSuffix, \u0027\\\\\\\\\u0027)[0]),\\n\\t\\t\\t\\t\\t\\t\\tv_Account_UPNSuffix\\n\\t\\t\\t\\t\\t\\t\\t)\\n\\t\\t\\t\\t\\t\\t\\t| parse UserPrincipalName with Account_Name \u0027@\u0027 Account_UPNSuffix\\n\\t\\t\\t\\t\\t\\t\\t| extend Account_AadUserId = toguid(UserId)\\n\\t\\t\\t\\t\\t\\t\\t| where (isnotempty(Account_Name) and Account_Name =~ p_Account_Name and isnotempty(Account_UPNSuffix) and Account_UPNSuffix =~ p_Account_UPNSuffix)\\n\\t\\t\\t\\t\\t\\t\\tor (isnotempty(Account_AadUserId) and Account_AadUserId == toguid(v_Account_AadUserId))\\n\\t\\t\\t\\t\\t\\t\\t| extend FullLocation = strcat(Location,\u0027|\u0027, LocationDetails.state, \u0027|\u0027, LocationDetails.city)\\n\\t\\t\\t\\t\\t\\t\\t| summarize ConnectionCount = count() by FullLocation, UserPrincipalName, IPAddress, Account_Name, Account_UPNSuffix, Account_AadUserId;\\n\\t\\t\\t\\t\\t\\t\\tLocationPrevalence\\n\\t\\t\\t\\t\\t\\t\\t| summarize make_list(IPAddress), make_list(FullLocation), make_list(ConnectionCount), dcount(FullLocation), totalActivity = sum(ConnectionCount) by UserPrincipalName, Account_Name, Account_UPNSuffix, Account_AadUserId\\n\\t\\t\\t\\t\\t\\t\\t| mvexpand Location = list_FullLocation, ConnectionCount = list_ConnectionCount, IPAddress = list_IPAddress\\n\\t\\t\\t\\t\\t\\t\\t| extend Location = tostring(Location), ConnectionCount = toint(ConnectionCount), IPAddress = tostring(IPAddress)\\n\\t\\t\\t\\t\\t\\t\\t| extend percentOfActivity = 100*round(todouble(ConnectionCount)/totalActivity,4)\\n\\t\\t\\t\\t\\t\\t\\t| where percentOfActivity \u003c 10\\n\\t\\t\\t\\t\\t\\t\\t| project UserPrincipalName, Account_Name, Account_UPNSuffix, Account_AadUserId, IPAddress, Location, ConnectionCount, percentOfActivity\\n\\t\\t\\t\\t\\t\\t\\t| sort by percentOfActivity asc, ConnectionCount desc\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by percentOfActivity asc\\n\\t\\t\\t\\t\\t\\t\\t| extend IP_Location_Country = tostring(split(Location,\u0027|\u0027)[0]), IP_Location_Region = tostring(split(Location,\u0027|\u0027)[1]), IP_Location_City = tostring(split(Location,\u0027|\u0027)[2])\\n\\t\\t\\t\\t\\t\\t\\t| extend Account_Aux_info = pack(\u0027PercentOfActivity\u0027, percentOfActivity, \u0027ConnectionCount\u0027, ConnectionCount)\\n\\t\\t\\t\\t\\t\\t\\t| parse UserPrincipalName with Account_NTDomain \u0027\\\\\\\\\u0027 *\\n\\t\\t\\t\\t\\t\\t\\t| project Account_UnstructuredName = UserPrincipalName, Account_Name, Account_NTDomain, Account_UPNSuffix, Account_AadUserId, IP_Address = IPAddress, IP_Location_Country, IP_Location_Region, IP_Location_City, Account_Aux_info\\n\\t\\t\\t\\t\\t\\t\\t};\\n\\t\\t\\t\\t\\t\\t\\tIPsFromRareLocations(\u0027\u003caccountName\u003e\u0027, \u0027\u003cupnSuffix\u003e\u0027, \u0027\u003caadUserId\u003e\u0027)\",\"inputFields\":[\"accountName\",\"upnSuffix\",\"aadUserId\"],\"outputEntityTypes\":[\"IP\"],\"dataSources\":[\"SigninLogs\"],\"inputEntityType\":\"Account\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/160c7513-f704-46b7-adf9-d9c4176a44a3\",\"name\":\"160c7513-f704-46b7-adf9-d9c4176a44a3\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Hosts triggering Microsoft Defender Application Control\",\"queryTemplate\":\"let AppControlEvents=(v_Account_Name:string, v_Account_UPNSuffix:string, v_Account_Sid:string){\\n\\t\\t\\t\\t\\t\\t\\tlet p_Account_UPN = iff(isnotempty(v_Account_Name) and isnotempty(v_Account_UPNSuffix), strcat(v_Account_Name,\u0027@\u0027,v_Account_UPNSuffix), \\\"\\\");\\n\\t\\t\\t\\t\\t\\t\\tlet AppControls=datatable(ActionType:string, Description:string, FriendlyActivityName:string)\\n\\t\\t\\t\\t\\t\\t\\t [\\\"AppControlAppInstallationAudited\\\", \\\"Application control detected the installation of an untrusted app.\\\",\\\"Untrusted app installed\\\"\\n\\t\\t\\t\\t\\t\\t\\t ,\\\"AppControlAppInstallationBlocked\\\", \\\"Application control blocked the installation of an untrusted app.\\\", \\\"Untrusted app installation blocked\\\"\\n\\t\\t\\t\\t\\t\\t\\t ,\\\"AppControlCodeIntegrityDriverRevoked\\\", \\\"Application control found a driver with a revoked certificate.\\\", \\\"Driver with revoked certificate detected\\\"\\n\\t\\t\\t\\t\\t\\t\\t ,\\\"AppControlCodeIntegrityImageRevoked\\\", \\\"Application control found an executable file with a revoked certificate.\\\", \\\"Executable with revoked certificate detected\\\"\\n\\t\\t\\t\\t\\t\\t\\t ,\\\"AppControlExecutableAudited\\\",\\\"Application control detected the use of an untrusted executable.\\\",\\\"Untrusted executable used\\\"\\n\\t\\t\\t\\t\\t\\t\\t ,\\\"AppControlExecutableClocked\\\",\\\"Application control blocked the use of an untrusted executable.\\\",\\\"Untrusted executable blocked\\\"\\n\\t\\t\\t\\t\\t\\t\\t ,\\\"AppControlScriptAudited\\\", \\\"Application control detected the use of an untrusted script.\\\", \\\"Untrusted script detected\\\"\\n\\t\\t\\t\\t\\t\\t\\t ,\\\"AppControlScriptBlocked\\\", \\\"Application control blocked the use of an untrusted script.\\\", \\\"Untrusted script blocked\\\" ];\\n\\t\\t\\t\\t\\t\\t\\tDeviceEvents\\n\\t\\t\\t\\t\\t\\t\\t| where ActionType in (AppControls) \\n\\t\\t\\t\\t\\t\\t\\t| where isnotempty(p_Account_UPN) and p_Account_UPN =~ InitiatingProcessAccountUpn \\n\\t\\t\\t\\t\\t\\t\\t or\\n\\t\\t\\t\\t\\t\\t\\t isnotempty(v_Account_Sid) and v_Account_Sid =~ InitiatingProcessAccountSid\\n\\t\\t\\t\\t\\t\\t\\t| project Host_UnstructuredName = DeviceName\\n\\t\\t\\t\\t\\t\\t\\t| summarize Host_Aux_AppConCount=count() by Host_UnstructuredName\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by Host_Aux_AppConCount desc nulls last\\n\\t\\t\\t\\t\\t\\t\\t};\\n\\t\\t\\t\\t\\t\\t\\tAppControlEvents(\u0027\u003caccountName\u003e\u0027,\u0027\u003cupnSuffix\u003e\u0027,\u0027\u003csid\u003e\u0027)\",\"inputFields\":[\"accountName\",\"upnSuffix\",\"sid\"],\"outputEntityTypes\":[\"Host\"],\"dataSources\":[\"DeviceEvents\"],\"inputEntityType\":\"Account\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/f89061dd-e6d6-4553-9c88-301a7360fc14\",\"name\":\"f89061dd-e6d6-4553-9c88-301a7360fc14\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Least prevalent processes for this account\",\"queryTemplate\":\"let GetSysLogEventsByAccount = (v_Account_Name:string){\\n\\t\\t\\t\\t\\t\\t\\tSyslog\\n\\t\\t\\t\\t\\t\\t\\t| extend v_Account_Name = case(\\n\\t\\t\\t\\t\\t\\t\\tv_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\n\\t\\t\\t\\t\\t\\t\\tv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\n\\t\\t\\t\\t\\t\\t\\tv_Account_Name\\n\\t\\t\\t\\t\\t\\t\\t)\\n\\t\\t\\t\\t\\t\\t\\t| where SyslogMessage has v_Account_Name\\n\\t\\t\\t\\t\\t\\t\\t| extend info = pack(\u0027HostName\u0027, HostName, \u0027HostIP\u0027, HostIP)\\n\\t\\t\\t\\t\\t\\t\\t| summarize Process_Aux_StartTime=min(EventTime), Process_Aux_EndTime=max(EventTime), count(), Process_Aux_info = makeset(info) by Computer, ProcessName, ProcessID\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by count_ asc nulls last \\n\\t\\t\\t\\t\\t\\t\\t| project Process_Aux_StartTime, Process_Aux_EndTime, Process_Host_UnstructuredName=Computer, Process_ImageFile_FullPath=ProcessName, Process_ProcessId=tostring(ProcessID), Process_Aux_info\\n\\t\\t\\t\\t\\t\\t\\t};\\n\\t\\t\\t\\t\\t\\t\\tGetSysLogEventsByAccount(\u0027\u003caccountName\u003e\u0027)\",\"inputFields\":[\"accountName\"],\"outputEntityTypes\":[\"Process\"],\"dataSources\":[\"Syslog\"],\"inputEntityType\":\"Account\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/dd8f30e4-8171-452e-84a0-99bcd570bd08\",\"name\":\"dd8f30e4-8171-452e-84a0-99bcd570bd08\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Services created by account\",\"queryTemplate\":\"let GetServiceCreationsByAccount = (v_Account_Name:string, v_Account_NTDomain:string){\\n\\t\\t\\t\\t\\t\\t\\tEvent\\n\\t\\t\\t\\t\\t\\t\\t| where EventID == 7045\\n\\t\\t\\t\\t\\t\\t\\t| extend p_Account_Name = case(\\n\\t\\t\\t\\t\\t\\t\\tv_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\n\\t\\t\\t\\t\\t\\t\\tv_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\n\\t\\t\\t\\t\\t\\t\\tv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\n\\t\\t\\t\\t\\t\\t\\tv_Account_Name\\n\\t\\t\\t\\t\\t\\t\\t)\\n\\t\\t\\t\\t\\t\\t\\t| extend p_Account_NTDomain = case(\\n\\t\\t\\t\\t\\t\\t\\tv_Account_NTDomain has \u0027\\\\\\\\\u0027, tostring(split(v_Account_NTDomain, \u0027\\\\\\\\\u0027)[0]),\\n\\t\\t\\t\\t\\t\\t\\tv_Account_NTDomain has \u0027@\u0027, tostring(split(tostring(split(v_Account_NTDomain, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\n\\t\\t\\t\\t\\t\\t\\tv_Account_NTDomain\\n\\t\\t\\t\\t\\t\\t\\t)\\n\\t\\t\\t\\t\\t\\t\\t| extend Process_Account_Name = tostring(split(UserName, \u0027\\\\\\\\\u0027)[1]), Process_Account_NTDomain = tostring(split(UserName, \u0027\\\\\\\\\u0027)[0])\\n\\t\\t\\t\\t\\t\\t\\t| where Process_Account_Name =~ p_Account_Name and Process_Account_NTDomain =~ p_Account_NTDomain\\n\\t\\t\\t\\t\\t\\t\\t| extend EventDataParse = parse_xml(EventData)\\n\\t\\t\\t\\t\\t\\t\\t| extend ServiceName = tostring(EventDataParse.DataItem.EventData.Data[0][\u0027#text\u0027])\\n\\t\\t\\t\\t\\t\\t\\t| extend ImagePath = tostring(EventDataParse.DataItem.EventData.Data[1][\u0027#text\u0027])\\n\\t\\t\\t\\t\\t\\t\\t| extend ServiceType = tostring(EventDataParse.DataItem.EventData.Data[2][\u0027#text\u0027])\\n\\t\\t\\t\\t\\t\\t\\t| extend StartType = tostring(EventDataParse.DataItem.EventData.Data[3][\u0027#text\u0027])\\n\\t\\t\\t\\t\\t\\t\\t| extend ServiceAccount = tostring(EventDataParse.DataItem.EventData.Data[4][\u0027#text\u0027])\\n\\t\\t\\t\\t\\t\\t\\t| where ImagePath !has \u0027\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\Definition Updates\\\\\\\\\u0027\\n\\t\\t\\t\\t\\t\\t\\t| extend Process_Aux_Account_info = pack(\u0027ServiceName\u0027, ServiceName, \u0027ServiceType\u0027, ServiceType, \u0027StartType\u0027, StartType, \u0027ServiceAccount\u0027, ServiceAccount)\\n\\t\\t\\t\\t\\t\\t\\t| summarize Process_Host_Aux_StartTimeUtc = min(TimeGenerated), Process_Host_Aux_EndTimeUtc = max(TimeGenerated) by Process_Host_UnstructuredName = Computer, Process_Account_Name, \\n\\t\\t\\t\\t\\t\\t\\tProcess_Account_NTDomain, Process_Account_UnstructuredName = UserName, Process_ImageFile_FullPath = ImagePath, tostring(Process_Aux_Account_info)\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by Process_Host_Aux_StartTimeUtc desc nulls last\\n\\t\\t\\t\\t\\t\\t\\t};\\n\\t\\t\\t\\t\\t\\t\\tGetServiceCreationsByAccount(\u0027\u003caccountName\u003e\u0027, \u0027\u003cntDomain\u003e\u0027)\",\"inputFields\":[\"accountName\",\"ntDomain\"],\"outputEntityTypes\":[\"Process\"],\"dataSources\":[\"SecurityEvent\"],\"inputEntityType\":\"Account\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/84375346-c3f0-4926-ae48-a156010c67e3\",\"name\":\"84375346-c3f0-4926-ae48-a156010c67e3\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"User account failed logons\",\"queryTemplate\":\"let GetAllLogonsForUser = (v_Account_Name:string){\\n\\t\\t\\t\\t\\t\\t\\tSecurityEvent\\n\\t\\t\\t\\t\\t\\t\\t| extend v_Account_Name = case(\\n\\t\\t\\t\\t\\t\\t\\tv_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\n\\t\\t\\t\\t\\t\\t\\tv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\n\\t\\t\\t\\t\\t\\t\\tv_Account_Name\\n\\t\\t\\t\\t\\t\\t\\t)\\n\\t\\t\\t\\t\\t\\t\\t| where EventID == 4625\\n\\t\\t\\t\\t\\t\\t\\t| where AccountType == \u0027User\u0027\\n\\t\\t\\t\\t\\t\\t\\t| where tolower(Account) contains tolower(v_Account_Name)\\n\\t\\t\\t\\t\\t\\t\\t| extend info = pack(\u0027EventID\u0027, EventID, \u0027Account\u0027, Account, \u0027LogonTypeName\u0027, LogonTypeName, \u0027SubStatus\u0027, SubStatus, \u0027AccountType\u0027, AccountType, \u0027WorkstationName\u0027, WorkstationName, \u0027IpAddress\u0027, IpAddress)\\n\\t\\t\\t\\t\\t\\t\\t| summarize min(TimeGenerated), max(TimeGenerated), Host_Aux_info = makeset(info) by Computer, SourceComputerId\\n\\t\\t\\t\\t\\t\\t\\t| project Host_Aux_StartTime=min_TimeGenerated, Host_Aux_EndTime = max_TimeGenerated, Host_UnstructuredName=Computer, Host_Aux_info, Host_OMSAgentID=SourceComputerId\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by Host_Aux_StartTime asc nulls last\\n\\t\\t\\t\\t\\t\\t\\t};\\n\\t\\t\\t\\t\\t\\t\\tGetAllLogonsForUser(tolower(\u0027\u003caccountName\u003e\u0027))\",\"inputFields\":[\"accountName\"],\"outputEntityTypes\":[\"Host\"],\"dataSources\":[\"SecurityEvent\"],\"inputEntityType\":\"Account\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/7f3989bf-1558-4d3c-bb5e-e17ac2a67a87\",\"name\":\"7f3989bf-1558-4d3c-bb5e-e17ac2a67a87\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Office activity IPs for this account\",\"queryTemplate\":\"let isimAuthenticationInstalled=toscalar(union isfuzzy=true (datatable(Test:string)[]), (imAuthentication| take 0) | getschema | count | project Exists=(Count\u003e1));\\n\\t\\t\\t\\t\\t\\t\\tlet Legacy = (v_Account_Name:string){\\n\\t\\t\\t\\t\\t\\t\\t(datatable(exists:int)[1] | where not(isimAuthenticationInstalled)) \\n\\t\\t\\t\\t\\t\\t\\t| join\\n\\t\\t\\t\\t\\t\\t\\t(OfficeActivity\\n\\t\\t\\t\\t\\t\\t\\t| extend v_Account_Name = case(\\n\\t\\t\\t\\t\\t\\t\\t v_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\n\\t\\t\\t\\t\\t\\t\\t v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\n\\t\\t\\t\\t\\t\\t\\t v_Account_Name\\n\\t\\t\\t\\t\\t\\t\\t )\\n\\t\\t\\t\\t\\t\\t\\t| where UserId contains v_Account_Name\\n\\t\\t\\t\\t\\t\\t\\t| extend info = pack(\u0027ClientIP\u0027, ClientIP, \u0027UserType\u0027, UserType, \u0027Operation\u0027, Operation, \u0027OfficeWorkload\u0027, OfficeWorkload, \u0027ResultStatus\u0027, ResultStatus)\\n\\t\\t\\t\\t\\t\\t\\t| summarize min(TimeGenerated), max(TimeGenerated), IP_Aux_info = makeset(info) by ClientIP\\n\\t\\t\\t\\t\\t\\t\\t| project IP_Aux_StartTime = min_TimeGenerated, IP_Aux_EndTime = max_TimeGenerated, ClientIP, IP_Aux_info\\n\\t\\t\\t\\t\\t\\t\\t| project-rename IP_Address=ClientIP\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by IP_Aux_StartTime desc nulls last | extend exists=int(1)) on exists\\n\\t\\t\\t\\t\\t\\t\\t| project-away exists, exists1 \\n\\t\\t\\t\\t\\t\\t\\t};\\n\\t\\t\\t\\t\\t\\t\\tlet Normalized = (v_Account_Name:string){\\n\\t\\t\\t\\t\\t\\t\\t(datatable(exists:int)[1] | where isimAuthenticationInstalled)\\n\\t\\t\\t\\t\\t\\t\\t| join (\\n\\t\\t\\t\\t\\t\\t\\t imAuthentication(targetusername_has=v_Account_Name)\\n\\t\\t\\t\\t\\t\\t\\t| summarize IP_Aux_StartTime=min(TimeGenerated), IP_Aux_EndTime=max(TimeGenerated) by SrcDvcIpAddr\\n\\t\\t\\t\\t\\t\\t\\t| project-rename IP_Address=SrcDvcIpAddr\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by IP_Aux_StartTime desc nulls last | extend exists=int(1)) on exists | project-away exists, exists1 \\n\\t\\t\\t\\t\\t\\t\\t};\\n\\t\\t\\t\\t\\t\\t\\tunion isfuzzy=true Legacy(\u0027\u003caccountName\u003e\u0027), Normalized(\u0027\u003caccountName\u003e\u0027)\",\"inputFields\":[\"accountName\"],\"outputEntityTypes\":[\"IP\"],\"dataSources\":[\"OfficeActivity\"],\"inputEntityType\":\"Account\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/6d1c2ca8-8efe-4fa2-bea6-fa582c03637c\",\"name\":\"6d1c2ca8-8efe-4fa2-bea6-fa582c03637c\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"User account interactive logon to new devices\",\"queryTemplate\":\"let GetNewInteractiveLogonsForUser = (v_Account_Name:string, v_Account_Sid:string, v_Account_AadUserId:string)\\n\\t\\t\\t\\t\\t\\t\\t{\\n\\t\\t\\t\\t\\t\\t\\t BehaviorAnalytics\\n\\t\\t\\t\\t\\t\\t\\t | extend v_Account_Name = case(\\n\\t\\t\\t\\t\\t\\t\\t v_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\n\\t\\t\\t\\t\\t\\t\\t v_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\n\\t\\t\\t\\t\\t\\t\\t v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\n\\t\\t\\t\\t\\t\\t\\t v_Account_Name)\\n\\t\\t\\t\\t\\t\\t\\t | where ActionType == \\\"InteractiveLogon\\\" and \\n\\t\\t\\t\\t\\t\\t\\t tobool(ActivityInsights.FirstTimeUserLoggedOnToDevice) and \\n\\t\\t\\t\\t\\t\\t\\t (\\n\\t\\t\\t\\t\\t\\t\\t (isnotempty(UserName) and UserName =~ v_Account_Name) or \\n\\t\\t\\t\\t\\t\\t\\t (isnotempty(UsersInsights.AccountObjectID) and UsersInsights.AccountObjectID == v_Account_AadUserId) or\\n\\t\\t\\t\\t\\t\\t\\t (isnotempty(UsersInsights.OnPremisesSID) and UsersInsights.OnPremisesSID =~ v_Account_Sid)\\n\\t\\t\\t\\t\\t\\t\\t )\\n\\t\\t\\t\\t\\t\\t\\t | extend device_info = pack(\u0027DevicesInsights\u0027, DevicesInsights, \u0027ActivityInsights\u0027, ActivityInsights)\\n\\t\\t\\t\\t\\t\\t\\t | project Host_Aux_TimeGenerated = TimeGenerated,\\n\\t\\t\\t\\t\\t\\t\\t Host_UnstructuredName = DestinationDevice,\\n\\t\\t\\t\\t\\t\\t\\t Host_Aux_Insights = device_info,\\n\\t\\t\\t\\t\\t\\t\\t Account_Name = UserName,\\n\\t\\t\\t\\t\\t\\t\\t Account_Sid = v_Account_Sid,\\n\\t\\t\\t\\t\\t\\t\\t Account_AadUserId = toguid(UsersInsights.AccountObjectID),\\n\\t\\t\\t\\t\\t\\t\\t Account_Aux_Insights = UsersInsights\\n\\t\\t\\t\\t\\t\\t\\t | top 10 by Host_Aux_TimeGenerated asc nulls last\\n\\t\\t\\t\\t\\t\\t\\t};\\n\\t\\t\\t\\t\\t\\t\\tGetNewInteractiveLogonsForUser(\u0027\u003caccountName\u003e\u0027, \u0027\u003csid\u003e\u0027, \u0027\u003caadUserId\u003e\u0027)\",\"inputFields\":[\"accountName\",\"sid\",\"aadUserId\"],\"outputEntityTypes\":[\"Host\"],\"dataSources\":[\"BehaviorAnalytics\"],\"inputEntityType\":\"Account\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/b66ab2aa-cd31-43b9-82a2-dd5f0ee9ca81\",\"name\":\"b66ab2aa-cd31-43b9-82a2-dd5f0ee9ca81\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"User account remote interactive logon to new devices\",\"queryTemplate\":\"let GetAllNewRemoteInteractiveLogonForUser = (v_Account_Name:string, v_Account_Sid:string, v_Account_AadUserId:string)\\n\\t\\t\\t\\t\\t\\t\\t{\\n\\t\\t\\t\\t\\t\\t\\t BehaviorAnalytics\\n\\t\\t\\t\\t\\t\\t\\t | extend v_Account_Name = case(\\n\\t\\t\\t\\t\\t\\t\\t v_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\n\\t\\t\\t\\t\\t\\t\\t v_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\n\\t\\t\\t\\t\\t\\t\\t v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\n\\t\\t\\t\\t\\t\\t\\t v_Account_Name)\\n\\t\\t\\t\\t\\t\\t\\t | where ActionType == \\\"RemoteInteractiveLogon\\\" and \\n\\t\\t\\t\\t\\t\\t\\t tobool(ActivityInsights.FirstTimeUserLoggedOnToDevice) and \\n\\t\\t\\t\\t\\t\\t\\t (\\n\\t\\t\\t\\t\\t\\t\\t (isnotempty(UserName) and UserName =~ v_Account_Name) or \\n\\t\\t\\t\\t\\t\\t\\t (isnotempty(UsersInsights.AccountObjectID) and UsersInsights.AccountObjectID == v_Account_AadUserId) or\\n\\t\\t\\t\\t\\t\\t\\t (isnotempty(UsersInsights.OnPremisesSID) and UsersInsights.OnPremisesSID =~ v_Account_Sid)\\n\\t\\t\\t\\t\\t\\t\\t )\\n\\t\\t\\t\\t\\t\\t\\t | extend device_info = pack(\u0027DevicesInsights\u0027, DevicesInsights, \u0027ActivityInsights\u0027, ActivityInsights)\\n\\t\\t\\t\\t\\t\\t\\t | project Host_Aux_TimeGenerated = TimeGenerated,\\n\\t\\t\\t\\t\\t\\t\\t Host_UnstructuredName = DestinationDevice,\\n\\t\\t\\t\\t\\t\\t\\t Host_Aux_Insights = device_info,\\n\\t\\t\\t\\t\\t\\t\\t Account_Name = UserName,\\n\\t\\t\\t\\t\\t\\t\\t Account_Sid = v_Account_Sid,\\n\\t\\t\\t\\t\\t\\t\\t Account_AadUserId = toguid(UsersInsights.AccountObjectID),\\n\\t\\t\\t\\t\\t\\t\\t Account_Aux_Insights = UsersInsights\\n\\t\\t\\t\\t\\t\\t\\t | top 10 by Host_Aux_TimeGenerated asc nulls last\\n\\t\\t\\t\\t\\t\\t\\t};\\n\\t\\t\\t\\t\\t\\t\\tGetAllNewRemoteInteractiveLogonForUser(\u0027\u003caccountName\u003e\u0027, \u0027\u003csid\u003e\u0027, \u0027\u003caadUserId\u003e\u0027)\",\"inputFields\":[\"accountName\",\"sid\",\"aadUserId\"],\"outputEntityTypes\":[\"Host\"],\"dataSources\":[\"BehaviorAnalytics\"],\"inputEntityType\":\"Account\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/82cdcee5-cc2e-4e9f-a235-357159c60c8c\",\"name\":\"82cdcee5-cc2e-4e9f-a235-357159c60c8c\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"User account access to new resources\",\"queryTemplate\":\"let GetAllNewResourceAccessForUser = (v_Account_Name:string, v_Account_Sid:string, v_Account_AadUserId:string)\\n\\t\\t\\t\\t\\t\\t\\t{\\n\\t\\t\\t\\t\\t\\t\\t BehaviorAnalytics\\n\\t\\t\\t\\t\\t\\t\\t | extend v_Account_Name = case(\\n\\t\\t\\t\\t\\t\\t\\t v_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\n\\t\\t\\t\\t\\t\\t\\t v_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\n\\t\\t\\t\\t\\t\\t\\t v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\n\\t\\t\\t\\t\\t\\t\\t v_Account_Name)\\n\\t\\t\\t\\t\\t\\t\\t | where ActionType == \\\"ResourceAccess\\\" and \\n\\t\\t\\t\\t\\t\\t\\t tobool(ActivityInsights.FirstTimeUserLoggedOnToDevice) and \\n\\t\\t\\t\\t\\t\\t\\t (\\n\\t\\t\\t\\t\\t\\t\\t (isnotempty(UserName) and UserName =~ v_Account_Name) or \\n\\t\\t\\t\\t\\t\\t\\t (isnotempty(UsersInsights.AccountObjectID) and UsersInsights.AccountObjectID == v_Account_AadUserId) or\\n\\t\\t\\t\\t\\t\\t\\t (isnotempty(UsersInsights.OnPremisesSID) and UsersInsights.OnPremisesSID =~ v_Account_Sid)\\n\\t\\t\\t\\t\\t\\t\\t )\\n\\t\\t\\t\\t\\t\\t\\t | extend device_info = pack(\u0027DevicesInsights\u0027, DevicesInsights, \u0027ActivityInsights\u0027, ActivityInsights)\\n\\t\\t\\t\\t\\t\\t\\t | project Host_Aux_TimeGenerated = TimeGenerated,\\n\\t\\t\\t\\t\\t\\t\\t Host_UnstructuredName = DestinationDevice,\\n\\t\\t\\t\\t\\t\\t\\t Host_Aux_Insights = device_info,\\n\\t\\t\\t\\t\\t\\t\\t Account_Name = UserName,\\n\\t\\t\\t\\t\\t\\t\\t Account_Sid = v_Account_Sid,\\n\\t\\t\\t\\t\\t\\t\\t Account_AadUserId = UsersInsights.AccountObjectID,\\n\\t\\t\\t\\t\\t\\t\\t Account_Aux_Insights = UsersInsights\\n\\t\\t\\t\\t\\t\\t\\t | top 10 by Host_Aux_TimeGenerated asc nulls last\\n\\t\\t\\t\\t\\t\\t\\t};\\n\\t\\t\\t\\t\\t\\t\\tGetAllNewResourceAccessForUser(\u0027\u003caccountName\u003e\u0027, \u0027\u003csid\u003e\u0027, \u0027\u003caadUserId\u003e\u0027)\",\"inputFields\":[\"accountName\",\"sid\",\"aadUserId\"],\"outputEntityTypes\":[\"Host\"],\"dataSources\":[\"BehaviorAnalytics\"],\"inputEntityType\":\"Account\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/18b7e4e3-5b57-4924-b3cd-7e9a5a143521\",\"name\":\"18b7e4e3-5b57-4924-b3cd-7e9a5a143521\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Peers with a recent alert\",\"queryTemplate\":\"let GetUserPeersWithAlerts = (v_Account_Name:string, v_Account_UPNSuffix:string, v_Account_AadUserId:string) { \\n\\t\\t\\t\\t\\t\\t\\t let Account_UPN = strcat(v_Account_Name, \u0027@\u0027,v_Account_UPNSuffix);\\n\\t\\t\\t\\t\\t\\t\\t let Peers= UserPeerAnalytics \\n\\t\\t\\t\\t\\t\\t\\t | where UserPrincipalName =~ Account_UPN or UserId =~ v_Account_AadUserId\\n\\t\\t\\t\\t\\t\\t\\t | where TimeGenerated == toscalar (UserPeerAnalytics | summarize max(TimeGenerated))\\n\\t\\t\\t\\t\\t\\t\\t | project PeerUserPrincipalName, PeerUserId, Rank\\n\\t\\t\\t\\t\\t\\t\\t | extend PeerUserPrincipalName=tolower(PeerUserPrincipalName)\\n\\t\\t\\t\\t\\t\\t\\t | parse PeerUserPrincipalName with Account_Name \u0027@\u0027 Account_UPNSuffix;\\n\\t\\t\\t\\t\\t\\t\\t let PeerNames= Peers | summarize make_set_if(Account_Name, isnotempty(Account_Name));\\n\\t\\t\\t\\t\\t\\t\\t let PeerIds = Peers | summarize make_set_if(PeerUserId , isnotempty(PeerUserId));\\n\\t\\t\\t\\t\\t\\t\\t let PeersWithSecAlert=SecurityAlert\\n\\t\\t\\t\\t\\t\\t\\t | where Entities has \\\"account\\\"\\n\\t\\t\\t\\t\\t\\t\\t | where Entities has_any (PeerNames) or Entities has_any (PeerIds)\\n\\t\\t\\t\\t\\t\\t\\t | mvexpand todynamic(Entities) \\n\\t\\t\\t\\t\\t\\t\\t | where tostring(parse_json(Entities).Type) ==\\\"account\\\" \\n\\t\\t\\t\\t\\t\\t\\t | where tostring(parse_json(Entities).Name) has_any (PeerNames) or tostring(parse_json(Entities).AadUserId) has_any (PeerIds)\\n\\t\\t\\t\\t\\t\\t\\t | summarize Account_Aux_AlertCount = count() \\n\\t\\t\\t\\t\\t\\t\\t by Account_Name=tolower(tostring(parse_json(Entities).Name))\\n\\t\\t\\t\\t\\t\\t\\t , Account_UPNSuffix=tolower(tostring(parse_json(Entities).UPNSuffix));\\n\\t\\t\\t\\t\\t\\t\\t PeersWithSecAlert \\n\\t\\t\\t\\t\\t\\t\\t | join kind=innerunique\\n\\t\\t\\t\\t\\t\\t\\t Peers \\n\\t\\t\\t\\t\\t\\t\\t on Account_Name, Account_UPNSuffix\\n\\t\\t\\t\\t\\t\\t\\t | project Account_Name, Account_UPNSuffix, Account_Aux_AlertCount\\n\\t\\t\\t\\t\\t\\t\\t };\\n\\t\\t\\t\\t\\t\\t\\t GetUserPeersWithAlerts(\\\"{{Account_Name}}\\\",\\\"{{Account_UPNSuffix}}\\\", \\\"{{Account_AadUserId}}\\\")\",\"inputFields\":[\"accountName\",\"upnSuffix\"],\"outputEntityTypes\":[\"Account\"],\"dataSources\":[\"UserPeerAnalytics SecurityAlert\"],\"inputEntityType\":\"Account\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/c34bf507-cedf-4120-bf41-f835dd68b0d9\",\"name\":\"c34bf507-cedf-4120-bf41-f835dd68b0d9\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Hosts which the account logged on to\",\"queryTemplate\":\"let GetAllHostsbyAccount = (v_Account_Name:string){\\n\\t\\t\\t\\t\\t\\t\\tSigninLogs\\n\\t\\t\\t\\t\\t\\t\\t| extend v_Account_Name = case(\\n\\t\\t\\t\\t\\t\\t\\tv_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\n\\t\\t\\t\\t\\t\\t\\tv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\n\\t\\t\\t\\t\\t\\t\\tv_Account_Name\\n\\t\\t\\t\\t\\t\\t\\t)\\n\\t\\t\\t\\t\\t\\t\\t| where UserPrincipalName contains v_Account_Name\\n\\t\\t\\t\\t\\t\\t\\t| extend RemoteHost = tolower(tostring(parsejson(DeviceDetail[\u0027displayName\u0027])))\\n\\t\\t\\t\\t\\t\\t\\t| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\\n\\t\\t\\t\\t\\t\\t\\t| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\n\\t\\t\\t\\t\\t\\t\\t| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city)\\n\\t\\t\\t\\t\\t\\t\\t| extend info = pack(\u0027UserDisplayName\u0027, UserDisplayName, \u0027UserPrincipalName\u0027, UserPrincipalName, \u0027AppDisplayName\u0027, AppDisplayName, \u0027ClientAppUsed\u0027, ClientAppUsed, \u0027Browser\u0027, tostring(Browser), \u0027IPAddress\u0027, IPAddress, \u0027ResultType\u0027, ResultType, \u0027ResultDescription\u0027, ResultDescription, \u0027Location\u0027, Location, \u0027State\u0027, State, \u0027City\u0027, City, \u0027StatusCode\u0027, StatusCode, \u0027StatusDetails\u0027, StatusDetails)\\n\\t\\t\\t\\t\\t\\t\\t| summarize min(TimeGenerated), max(TimeGenerated), Host_Aux_info = makeset(info) by RemoteHost , tostring(OS)\\n\\t\\t\\t\\t\\t\\t\\t| project min_TimeGenerated, max_TimeGenerated, RemoteHost, OS, Host_Aux_info\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by min_TimeGenerated desc nulls last \\n\\t\\t\\t\\t\\t\\t\\t| project-rename Host_UnstructuredName=RemoteHost, Host_OSVersion=OS, Host_Aux_StartTime=min_TimeGenerated, Host_Aux_EndTime=max_TimeGenerated\\n\\t\\t\\t\\t\\t\\t\\t};\\n\\t\\t\\t\\t\\t\\t\\tGetAllHostsbyAccount(\u0027\u003caccountName\u003e\u0027)\",\"inputFields\":[\"accountName\"],\"outputEntityTypes\":[\"Host\"],\"dataSources\":[\"SigninLogs\"],\"inputEntityType\":\"Account\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/81d63625-6617-455d-b1e3-ee5ed989e5f8\",\"name\":\"81d63625-6617-455d-b1e3-ee5ed989e5f8\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Screenshots taken\",\"queryTemplate\":\"let HostScreenshot= (Account_Name:string, Account_UPNSuffix:string){\\n\\t\\t\\t\\t\\t\\t\\t let p_Account_UPN = strcat(Account_Name,\u0027@\u0027,Account_UPNSuffix);\\n\\t\\t\\t\\t\\t\\t\\t DeviceEvents \\n\\t\\t\\t\\t\\t\\t\\t | where ActionType ==\u0027ScreenshotTaken\u0027 \\n\\t\\t\\t\\t\\t\\t\\t | where InitiatingProcessAccountUpn =~ p_Account_UPN\\n\\t\\t\\t\\t\\t\\t\\t | summarize Count=count() by DeviceName\\n\\t\\t\\t\\t\\t\\t\\t | top 10 by Count desc\\n\\t\\t\\t\\t\\t\\t\\t | project Host_UnstructuredName=DeviceName\\n\\t\\t\\t\\t\\t\\t\\t};\\n\\t\\t\\t\\t\\t\\t\\tHostScreenshot(\u0027\u003cAccount_Name\u003e\u0027, \u0027\u003cAccount_UPNSuffix\u003e\u0027)\",\"inputFields\":[\"accountName\",\"upnSuffix\"],\"outputEntityTypes\":[\"Host\"],\"dataSources\":[\"DeviceEvents\"],\"inputEntityType\":\"Account\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/8a697f4c-04af-4198-a6d3-ce5dc3acc8dd\",\"name\":\"8a697f4c-04af-4198-a6d3-ce5dc3acc8dd\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"User account successful logons\",\"queryTemplate\":\"let GetAllLogonsForUser = (v_Account_Name:string){\\n\\t\\t\\t\\t\\t\\t\\tSecurityEvent\\n\\t\\t\\t\\t\\t\\t\\t| extend v_Account_Name = case(\\n\\t\\t\\t\\t\\t\\t\\tv_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\n\\t\\t\\t\\t\\t\\t\\tv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\n\\t\\t\\t\\t\\t\\t\\tv_Account_Name\\n\\t\\t\\t\\t\\t\\t\\t)\\n\\t\\t\\t\\t\\t\\t\\t| where EventID == 4624\\n\\t\\t\\t\\t\\t\\t\\t| where AccountType == \u0027User\u0027\\n\\t\\t\\t\\t\\t\\t\\t| where tolower(Account) contains tolower(v_Account_Name)\\n\\t\\t\\t\\t\\t\\t\\t| extend info = pack(\u0027EventID\u0027, EventID, \u0027Account\u0027, Account, \u0027LogonTypeName\u0027, LogonTypeName, \u0027SubStatus\u0027, SubStatus, \u0027AccountType\u0027, AccountType, \u0027WorkstationName\u0027, WorkstationName, \u0027IpAddress\u0027, IpAddress)\\n\\t\\t\\t\\t\\t\\t\\t| summarize min(TimeGenerated), max(TimeGenerated), Host_Aux_info = makeset(info) by Computer, SourceComputerId, _ResourceId\\n\\t\\t\\t\\t\\t\\t\\t| project min_TimeGenerated, max_TimeGenerated, Computer, Host_Aux_info, Host_OMSAgentID=SourceComputerId, Host_AzureID=_ResourceId\\n\\t\\t\\t\\t\\t\\t\\t| project-rename Host_UnstructuredName=Computer, Host_Aux_StartTime=min_TimeGenerated, Host_Aux_EndTime=max_TimeGenerated\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by Host_Aux_StartTime asc nulls last\\n\\t\\t\\t\\t\\t\\t\\t};\\n\\t\\t\\t\\t\\t\\t\\tGetAllLogonsForUser(tolower(\u0027\u003caccountName\u003e\u0027))\",\"inputFields\":[\"accountName\"],\"outputEntityTypes\":[\"Host\"],\"dataSources\":[\"SecurityEvent\"],\"inputEntityType\":\"Account\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/62527635-bc5a-4233-bb93-e4eb4e60bb70\",\"name\":\"62527635-bc5a-4233-bb93-e4eb4e60bb70\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Hosts where this file was mentioned\",\"queryTemplate\":\"let GetFilesHost = (v_File_Name:string){\\n\\t\\t\\t\\t\\t\\t\\tSecurityEvent\\n\\t\\t\\t\\t\\t\\t\\t| where CommandLine contains v_File_Name or ServiceFileName contains v_File_Name or ServiceName contains v_File_Name\\n\\t\\t\\t\\t\\t\\t\\t| summarize min(TimeGenerated), max(TimeGenerated) by Computer, Host_OMSAgentID=SourceComputerId, Host_AzureID = _ResourceId\\n\\t\\t\\t\\t\\t\\t\\t| project min_TimeGenerated, max_TimeGenerated, Computer, Host_OMSAgentID, Host_AzureID\\n\\t\\t\\t\\t\\t\\t\\t| project-rename Host_UnstructuredName=Computer, Host_Aux_min_TimeGenerated=min_TimeGenerated, Host_Aux_max_TimeGenerated=max_TimeGenerated\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by Host_Aux_min_TimeGenerated desc nulls last\\n\\t\\t\\t\\t\\t\\t\\t};\\n\\t\\t\\t\\t\\t\\t\\tGetFilesHost(\u0027\u003cfileName\u003e\u0027)\",\"inputFields\":[\"fileName\"],\"outputEntityTypes\":[\"Host\"],\"dataSources\":[\"SecurityEvent\"],\"inputEntityType\":\"File\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/4e0d1f17-e3a9-4c1a-aa7d-3842828c10a2\",\"name\":\"4e0d1f17-e3a9-4c1a-aa7d-3842828c10a2\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"DefenderForIoT - Hosts communicating the most amount of data with this Host\",\"queryTemplate\":\"let ConnectionData_DefenderForIoT_GetHost2Host = (v_Host_HostName:string) {\\n\\t\\t\\t\\t\\t\\t\\tlet connectionData = SecurityIoTRawEvent \\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceType = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).deviceType\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceId = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).deviceId\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientIpAddress = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).ipAddress\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientisExternal = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).isExternal\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDeviceType = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).deviceType\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDeviceId = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).deviceId\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerIpAddress = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).ipAddress\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerisExternal = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).isExternal\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceName = tostring(todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).deviceName)\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDeviceName = tostring(todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).deviceName)\\n\\t\\t\\t\\t\\t\\t\\t| extend Bandwidth = todynamic(extractjson(\\\"$Bandwidth\\\", EventDetails))\\n\\t\\t\\t\\t\\t\\t\\t| extend LastActivity = todynamic(extractjson(\\\"$LastActivity\\\", EventDetails))\\n\\t\\t\\t\\t\\t\\t\\t| extend Protocol = todynamic(extractjson(\\\"$Protocol\\\", EventDetails))\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerPort = todynamic(extractjson(\\\"$ServerPort\\\", EventDetails))\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDevice = extractjson(\\\"$ServerDevice\\\", EventDetails)\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDevice = extractjson(\\\"$ClientDevice\\\", EventDetails)\\n\\t\\t\\t\\t\\t\\t\\t| extend SensorId = DeviceId\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceGUID = strcat(SensorId, \\\"_\\\", ClientDeviceId), ServerDeviceGUID = strcat(SensorId, \\\"_\\\", ServerDeviceId);\\n\\t\\t\\t\\t\\t\\t\\tconnectionData\\n\\t\\t\\t\\t\\t\\t\\t| where ClientDeviceName == v_Host_HostName or ServerDeviceName == v_Host_HostName\\n\\t\\t\\t\\t\\t\\t\\t| extend Direction = iff(ClientDeviceName == v_Host_HostName, \\\"Outbound\\\", \\\"Inbound\\\")\\n\\t\\t\\t\\t\\t\\t\\t| project DeviceGUID = iff(Direction == \\\"Outbound\\\", ServerDeviceGUID, ClientDeviceGUID), \\n\\t\\t\\t\\t\\t\\t\\tDeviceType = iff(Direction == \\\"Outbound\\\", ServerDeviceType, ClientDeviceType),\\n\\t\\t\\t\\t\\t\\t\\tDeviceIp = iff(Direction == \\\"Outbound\\\", ServerIpAddress, ClientIpAddress),\\n\\t\\t\\t\\t\\t\\t\\tDeviceName = iff(Direction == \\\"Outbound\\\", ServerDeviceName, ClientDeviceName),\\n\\t\\t\\t\\t\\t\\t\\tSensorId, LastActivity = todatetime(LastActivity), Bandwidth = todouble(Bandwidth), Protocol, ServerPort\\n\\t\\t\\t\\t\\t\\t\\t| summarize TotalBandwidth = sum(Bandwidth), LastActivity = max(LastActivity), Protocols = make_set(Protocol), ServerPorts = make_set(ServerPort) by DeviceGUID, DeviceName, IpAddress = tostring(DeviceIp), IoTDevice_DeviceType = tostring(DeviceType)\\n\\t\\t\\t\\t\\t\\t\\t| project-rename TotalBandwidth_MB = TotalBandwidth\\n\\t\\t\\t\\t\\t\\t\\t| extend TotalBandwidth_MB = floor(todecimal(TotalBandwidth_MB / 1000), 0.1)\\n\\t\\t\\t\\t\\t\\t\\t| project Host_HostName = DeviceName, Host_Aux_IpAddress = IpAddress,Host_Aux_Type = IoTDevice_DeviceType, Host_Aux_LastActivity = LastActivity, Host_Aux_Protocols = Protocols, Host_Aux_ServerPorts = ServerPorts, Host_Aux_TotalBandwidth_MB = TotalBandwidth_MB\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by Host_Aux_TotalBandwidth_MB\\n\\t\\t\\t\\t\\t\\t\\t};\\n\\t\\t\\t\\t\\t\\t\\tConnectionData_DefenderForIoT_GetHost2Host(\u0027\u003chostName\u003e\u0027)\",\"inputFields\":[\"hostName\"],\"outputEntityTypes\":[\"Host\"],\"dataSources\":[\"SecurityIoTRawEvent\"],\"inputEntityType\":\"Host\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/cc942838-2ce5-4a05-8bf9-25a00102a7b7\",\"name\":\"cc942838-2ce5-4a05-8bf9-25a00102a7b7\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"DefenderForIoT - IP Addresses communicating the most amount of data with this Host\",\"queryTemplate\":\"let ConnectionData_DefenderForIoT_GetHost2IP = (v_Host_HostName: string) {\\n\\t\\t\\t\\t\\t\\t\\tlet connectionData = SecurityIoTRawEvent \\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceType = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).deviceType\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceId = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).deviceId\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientIpAddress = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).ipAddress\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientisExternal = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).isExternal\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDeviceType = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).deviceType\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDeviceId = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).deviceId\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerIpAddress = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).ipAddress\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerisExternal = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).isExternal\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceName = tostring(todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).deviceName)\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDeviceName = tostring(todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).deviceName)\\n\\t\\t\\t\\t\\t\\t\\t| extend Bandwidth = todynamic(extractjson(\\\"$Bandwidth\\\", EventDetails))\\n\\t\\t\\t\\t\\t\\t\\t| extend LastActivity = todynamic(extractjson(\\\"$LastActivity\\\", EventDetails))\\n\\t\\t\\t\\t\\t\\t\\t| extend Protocol = todynamic(extractjson(\\\"$Protocol\\\", EventDetails))\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerPort = todynamic(extractjson(\\\"$ServerPort\\\", EventDetails))\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDevice = extractjson(\\\"$ServerDevice\\\", EventDetails)\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDevice = extractjson(\\\"$ClientDevice\\\", EventDetails)\\n\\t\\t\\t\\t\\t\\t\\t| extend SensorId = DeviceId\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceGUID = strcat(SensorId, \\\"_\\\", ClientDeviceId), ServerDeviceGUID = strcat(SensorId, \\\"_\\\", ServerDeviceId);\\n\\t\\t\\t\\t\\t\\t\\tconnectionData\\n\\t\\t\\t\\t\\t\\t\\t| where ClientDeviceName == v_Host_HostName or ServerDeviceName == v_Host_HostName\\n\\t\\t\\t\\t\\t\\t\\t| extend Direction = iff(ClientDeviceName == v_Host_HostName, \\\"Outbound\\\", \\\"Inbound\\\")\\n\\t\\t\\t\\t\\t\\t\\t| project DeviceGUID = iff(Direction == \\\"Outbound\\\", ServerDeviceGUID, ClientDeviceGUID), \\n\\t\\t\\t\\t\\t\\t\\tDeviceType = iff(Direction == \\\"Outbound\\\", ServerDeviceType, ClientDeviceType),\\n\\t\\t\\t\\t\\t\\t\\tDeviceIp = iff(Direction == \\\"Outbound\\\", ServerIpAddress, ClientIpAddress),\\n\\t\\t\\t\\t\\t\\t\\tDeviceIsExternal = iff(Direction == \\\"Outbound\\\", ServerisExternal, ClientisExternal),\\n\\t\\t\\t\\t\\t\\t\\tSensorId, LastActivity = todatetime(LastActivity), Bandwidth = todouble(Bandwidth), Protocol, ServerPort, Direction\\n\\t\\t\\t\\t\\t\\t\\t| summarize TotalBandwidth = sum(Bandwidth), LastActivity = max(LastActivity), Protocols = make_set(Protocol), ServerPorts = make_set(ServerPort) by IoTDevice_DeviceId = DeviceGUID, IoTDevice_IpAddress = tostring(DeviceIp), IoTDevice_DeviceType = tostring(DeviceType), DeviceIsExternal = tostring(DeviceIsExternal)\\n\\t\\t\\t\\t\\t\\t\\t| project-rename TotalBandwidth_MB = TotalBandwidth\\n\\t\\t\\t\\t\\t\\t\\t| project IP_Address = IoTDevice_IpAddress, IP_Aux_DeviceType = IoTDevice_DeviceType, IP_Aux_LastActivity = LastActivity, IP_Aux_Protocols = Protocols, IP_Aux_ServerPorts = ServerPorts, IP_Aux_TotalBandwidth_MB = TotalBandwidth_MB, IP_Aux_IsExternal = DeviceIsExternal\\n\\t\\t\\t\\t\\t\\t\\t| extend IP_Aux_TotalBandwidth_MB = floor(todecimal(IP_Aux_TotalBandwidth_MB / 1000), 0.1)\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by IP_Aux_TotalBandwidth_MB\\n\\t\\t\\t\\t\\t\\t\\t};\\n\\t\\t\\t\\t\\t\\t\\tConnectionData_DefenderForIoT_GetHost2IP(\u0027\u003chostName\u003e\u0027)\",\"inputFields\":[\"hostName\"],\"outputEntityTypes\":[\"IP\"],\"dataSources\":[\"SecurityIoTRawEvent\"],\"inputEntityType\":\"Host\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/98b2ce21-167d-43bd-a496-9f2c85c5f95b\",\"name\":\"98b2ce21-167d-43bd-a496-9f2c85c5f95b\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Accounts with several failed logins immediately followed by a successful login\",\"queryTemplate\":\"let BRUTEFORCE_THRESHOLD = 10;\\n\\t\\t\\t\\t\\t\\t\\tlet SuccessfulLoginEventId = 4624;\\n\\t\\t\\t\\t\\t\\t\\tlet FailedLoginEventId = 4625;\\n\\t\\t\\t\\t\\t\\t\\tlet AccountsPossibleSuccessfulBruteForce = (v_Host_HostName:string, v_Host_DnsDomain:string){\\n\\t\\t\\t\\t\\t\\t\\tSecurityEvent\\n\\t\\t\\t\\t\\t\\t\\t| where AccountType == \u0027User\u0027\\n\\t\\t\\t\\t\\t\\t\\t| extend p_Host_HostName=tostring(split(v_Host_HostName,\u0027.\u0027)[0])\\n\\t\\t\\t\\t\\t\\t\\t| extend p_Host_DnsDomain=case (isnotempty(v_Host_DnsDomain),v_Host_DnsDomain\\n\\t\\t\\t\\t\\t\\t\\t ,v_Host_HostName has \u0027.\u0027, extract(@\u0027\\\\.(.+$)\u0027,1,v_Host_HostName)\\n\\t\\t\\t\\t\\t\\t\\t , \u0027\u0027)\\n\\t\\t\\t\\t\\t\\t\\t| extend Host_HostName=tostring(split(Computer,\u0027.\u0027)[0])\\n\\t\\t\\t\\t\\t\\t\\t| extend Host_DnsDomain=iff(Computer has \u0027.\u0027, extract(@\u0027\\\\.(.+$)\u0027,1,Computer) ,\\\"\\\")\\n\\t\\t\\t\\t\\t\\t\\t| where p_Host_HostName=~Host_HostName and (isempty(p_Host_DnsDomain) or isempty(Host_DnsDomain) or p_Host_DnsDomain=~Host_DnsDomain)\\n\\t\\t\\t\\t\\t\\t\\t| extend Fails = (EventID == FailedLoginEventId), Success = (EventID == SuccessfulLoginEventId)\\n\\t\\t\\t\\t\\t\\t\\t| extend Account = tolower(Account)\\n\\t\\t\\t\\t\\t\\t\\t| summarize Account_Aux_SuccessPerMin = countif(Success), Account_Aux_FailPerMin = countif(Fails) by Account, bin(TimeGenerated, 1m) \\n\\t\\t\\t\\t\\t\\t\\t| where Account_Aux_FailPerMin\\t\u003e BRUTEFORCE_THRESHOLD and Account_Aux_SuccessPerMin \u003e 0\\n\\t\\t\\t\\t\\t\\t\\t| extend EventData = pack(\u0027FailPerMin\u0027,Account_Aux_FailPerMin, \u0027SuccessPerMin\u0027, Account_Aux_SuccessPerMin, \u0027Time\u0027, TimeGenerated )\\n\\t\\t\\t\\t\\t\\t\\t| summarize Max = max(Account_Aux_FailPerMin), Account_Aux_EventsData=makeset(EventData) by Account\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by Max\\n\\t\\t\\t\\t\\t\\t\\t| parse Account with Account_NTDomain \u0027\\\\\\\\\u0027 *\\n\\t\\t\\t\\t\\t\\t\\t| extend Account_Name = extract(@\u0027^([^\\\\\\\\]*\\\\\\\\)?([^@]+)(@.*)?$\u0027,2,Account), \\n\\t\\t\\t\\t\\t\\t\\t Account_UPNSuffix = extract(@\u0027^([^\\\\\\\\]*\\\\\\\\)?([^@]+)(@(.*))?$\u0027,4,Account)\\n\\t\\t\\t\\t\\t\\t\\t| project Account_Name, Account_NTDomain, Account_UPNSuffix, Account_Aux_EventsData\\n\\t\\t\\t\\t\\t\\t\\t};\\n\\t\\t\\t\\t\\t\\t\\tAccountsPossibleSuccessfulBruteForce(\u0027\u003chostName\u003e\u0027, \u0027\u003cdnsDomain\u003e\u0027)\",\"inputFields\":[\"hostName\",\"dnsDomain\"],\"outputEntityTypes\":[\"Account\"],\"dataSources\":[\"SecurityEvent\"],\"inputEntityType\":\"Host\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/bb6100ee-ae38-41b5-8457-88d503a3bf8f\",\"name\":\"bb6100ee-ae38-41b5-8457-88d503a3bf8f\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Least prevalent inbound WireData connections\",\"queryTemplate\":\"let GetWireDataInboundWithHost = (v_Host_HostName:string){\\n\\t\\t\\t\\t\\t\\t\\tWireData\\n\\t\\t\\t\\t\\t\\t\\t| where Direction == \u0027Inbound\u0027 \\n\\t\\t\\t\\t\\t\\t\\t| where Computer has v_Host_HostName\\n\\t\\t\\t\\t\\t\\t\\t| extend info = pack(\u0027Computer\u0027, Computer, \u0027LocalPortNumber\u0027, LocalPortNumber, \u0027RemoteIP\u0027, RemoteIP, \u0027Direction\u0027, Direction, \u0027ApplicationProtocol\u0027, ApplicationProtocol)\\n\\t\\t\\t\\t\\t\\t\\t| summarize Process_Aux_Min_SessionStartTime=min(SessionStartTime), count(), IP_Aux_info = makeset(info) by ProcessName , LocalIP, ProcessID\\n\\t\\t\\t\\t\\t\\t\\t| extend Process_Aux_info = IP_Aux_info\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by count_ asc\\n\\t\\t\\t\\t\\t\\t\\t| project Process_Aux_Min_SessionStartTime, ProcessName , LocalIP, IP_Aux_info, Process_Aux_info, Process_ProcessId=tostring(ProcessID)\\n\\t\\t\\t\\t\\t\\t\\t| project-rename IP_Address=LocalIP, Process_ImageFile_FullPath=ProcessName\\n\\t\\t\\t\\t\\t\\t\\t};\\n\\t\\t\\t\\t\\t\\t\\tGetWireDataInboundWithHost(\u0027\u003chostName\u003e\u0027)\",\"inputFields\":[\"hostName\"],\"outputEntityTypes\":[\"IP\",\"Process\"],\"dataSources\":[\"WireData\"],\"inputEntityType\":\"Host\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/8c00a2a0-43d3-45a9-aa2e-f73deb0abfbb\",\"name\":\"8c00a2a0-43d3-45a9-aa2e-f73deb0abfbb\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Least prevalent outbound WireData connections\",\"queryTemplate\":\"let GetWireDataOutboundWithHost = (v_Host_HostName:string){\\n\\t\\t\\t\\t\\t\\t\\tWireData\\n\\t\\t\\t\\t\\t\\t\\t| where Direction == \u0027Outbound\u0027 \\n\\t\\t\\t\\t\\t\\t\\t| where Computer has v_Host_HostName\\n\\t\\t\\t\\t\\t\\t\\t| extend info = pack(\u0027Computer\u0027, Computer, \u0027LocalIP\u0027, LocalIP, \u0027LocalPortNumber\u0027, LocalPortNumber, \u0027Direction\u0027, Direction, \u0027ApplicationProtocol\u0027, ApplicationProtocol)\\n\\t\\t\\t\\t\\t\\t\\t| summarize Process_Aux_Min_SessionStartTime=min(SessionStartTime), count(), IP_Aux_info = makeset(info) by ProcessName, RemoteIP, ProcessID\\n\\t\\t\\t\\t\\t\\t\\t| extend Process_Aux_info = IP_Aux_info\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by count_ asc\\n\\t\\t\\t\\t\\t\\t\\t| project Process_Aux_Min_SessionStartTime, ProcessName, RemoteIP, IP_Aux_info, Process_Aux_info, Process_ProcessId=tostring(ProcessID)\\n\\t\\t\\t\\t\\t\\t\\t| project-rename IP_Address=RemoteIP, Process_ImageFile_FullPath=ProcessName\\n\\t\\t\\t\\t\\t\\t\\t};\\n\\t\\t\\t\\t\\t\\t\\tGetWireDataOutboundWithHost(\u0027\u003chostName\u003e\u0027)\",\"inputFields\":[\"hostName\"],\"outputEntityTypes\":[\"IP\",\"Process\"],\"dataSources\":[\"WireData\"],\"inputEntityType\":\"Host\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/ea747f91-23f9-425a-baa8-628f30193888\",\"name\":\"ea747f91-23f9-425a-baa8-628f30193888\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Least prevalent processes for this host\",\"queryTemplate\":\"let GetSysLogEventsOnHost = (v_Host_HostName:string){\\n\\t\\t\\t\\t\\t\\t\\tSyslog\\n\\t\\t\\t\\t\\t\\t\\t| where Computer has v_Host_HostName\\n\\t\\t\\t\\t\\t\\t\\t| extend info = pack(\u0027HostName\u0027, HostName, \u0027HostIP\u0027, HostIP)\\n\\t\\t\\t\\t\\t\\t\\t| summarize Process_Aux_StartTime=min(EventTime), Process_Aux_EndTime=max(EventTime), count(), Process_Aux_info = makeset(info) by Computer, ProcessName, ProcessID\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by count_ asc nulls last \\n\\t\\t\\t\\t\\t\\t\\t| project Process_Aux_StartTime, Process_Aux_EndTime, Process_Host_UnstructuredName=Computer, Process_ProcessId=tostring(ProcessID), Process_ImageFile_FullPath=ProcessName, Process_Aux_info\\n\\t\\t\\t\\t\\t\\t\\t};\\n\\t\\t\\t\\t\\t\\t\\tGetSysLogEventsOnHost(\u0027\u003chostName\u003e\u0027)\",\"inputFields\":[\"hostName\"],\"outputEntityTypes\":[\"Process\"],\"dataSources\":[\"Syslog\"],\"inputEntityType\":\"Host\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/07da3cc8-c8ad-4710-a44e-334cdcb7882b\",\"name\":\"07da3cc8-c8ad-4710-a44e-334cdcb7882b\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Parent processes running on host\",\"queryTemplate\":\"let GetParentProcessesOnHost = (v_Host_HostName:string){\\n\\t\\t\\t\\t\\t\\t\\tSecurityEvent \\n\\t\\t\\t\\t\\t\\t\\t| where EventID == 4688 \\n\\t\\t\\t\\t\\t\\t\\t| where isnotempty(ParentProcessName)\\n\\t\\t\\t\\t\\t\\t\\t| where NewProcessName !contains \u0027:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\conhost.exe\u0027 and ParentProcessName !contains \u0027:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\conhost.exe\u0027\\n\\t\\t\\t\\t\\t\\t\\t and NewProcessName !contains \u0027:\\\\\\\\Windows\\\\\\\\Microsoft.NET\\\\\\\\Framework64\\\\\\\\v2.0.50727\\\\\\\\csc.exe\u0027 and ParentProcessName !contains \u0027:\\\\\\\\Windows\\\\\\\\Microsoft.NET\\\\\\\\Framework64\\\\\\\\v2.0.50727\\\\\\\\csc.exe\u0027\\n\\t\\t\\t\\t\\t\\t\\t and NewProcessName !contains \u0027:\\\\\\\\Windows\\\\\\\\Microsoft.NET\\\\\\\\Framework64\\\\\\\\v2.0.50727\\\\\\\\cvtres.exe\u0027 and ParentProcessName !contains \u0027:\\\\\\\\Windows\\\\\\\\Microsoft.NET\\\\\\\\Framework64\\\\\\\\v2.0.50727\\\\\\\\cvtres.exe\u0027\\n\\t\\t\\t\\t\\t\\t\\t and NewProcessName!contains \u0027:\\\\\\\\Program Files\\\\\\\\Microsoft Monitoring Agent\\\\\\\\Agent\\\\\\\\MonitoringHost.exe\u0027 and ParentProcessName !contains \u0027:\\\\\\\\Program Files\\\\\\\\Microsoft Monitoring Agent\\\\\\\\Agent\\\\\\\\MonitoringHost.exe\u0027\\n\\t\\t\\t\\t\\t\\t\\t and ParentProcessName !contains \u0027:\\\\\\\\Windows\\\\\\\\CCM\\\\\\\\CcmExec.exe\u0027\\n\\t\\t\\t\\t\\t\\t\\t| where(ParentProcessName !contains \u0027:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe\u0027 and (NewProcessName !contains \u0027:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wbem\\\\\\\\WmiPrvSE.exe\u0027 or NewProcessName !contains \u0027:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\wbem\\\\\\\\WmiPrvSE.exe\u0027))\\n\\t\\t\\t\\t\\t\\t\\t| where(ParentProcessName !contains \u0027:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\services.exe\u0027 and NewProcessName !contains \u0027:\\\\\\\\Windows\\\\\\\\servicing\\\\\\\\TrustedInstaller.exe\u0027)\\n\\t\\t\\t\\t\\t\\t\\t| where toupper(Computer) contains v_Host_HostName or toupper(WorkstationName) contains v_Host_HostName\\n\\t\\t\\t\\t\\t\\t\\t| extend info = pack(\u0027EventID\u0027, EventID, \u0027TargetAccount\u0027, TargetAccount)\\n\\t\\t\\t\\t\\t\\t\\t| summarize min(TimeGenerated), max(TimeGenerated), Process_Aux_info = makeset(info) by Account, Computer, ParentProcessName, NewProcessName, CommandLine, ProcessId\\n\\t\\t\\t\\t\\t\\t\\t| project min_TimeGenerated, max_TimeGenerated, Account, Computer, ParentProcessName, NewProcessName, CommandLine, ProcessId, Process_Aux_info\\n\\t\\t\\t\\t\\t\\t\\t| project-rename Process_Host_UnstructuredName=Computer, Process_Account_UnstructuredName=Account, Process_CommandLine=CommandLine, Process_ProcessId=ProcessId, Process_ImageFile_FullPath=NewProcessName, Process_ParentProcess_ImageFile_FullPath=ParentProcessName, Process_Aux_StartTime = min_TimeGenerated, Process_Aux_EndTime= max_TimeGenerated\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by Process_Aux_StartTime asc\\n\\t\\t\\t\\t\\t\\t\\t};\\n\\t\\t\\t\\t\\t\\t\\tGetParentProcessesOnHost(toupper(\u0027\u003chostName\u003e\u0027))\",\"inputFields\":[\"hostName\"],\"outputEntityTypes\":[\"Process\"],\"dataSources\":[\"SecurityEvent\"],\"inputEntityType\":\"Host\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/f87b2afb-068f-4734-88a0-94560309f9d7\",\"name\":\"f87b2afb-068f-4734-88a0-94560309f9d7\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Processes on Host blocked from loading non-Microsoft-signed binaries\",\"queryTemplate\":\"let BlockedUnsigned = (v_Host_HostName:string){\\n\\t\\t\\t\\t\\t\\t\\tDeviceEvents\\n\\t\\t\\t\\t\\t\\t\\t| where ActionType == \\\"ExploitGuardNonMicrosoftSignedBlocked\\\" and FileName !hassuffix \\\".ni.dll\\\"\\n\\t\\t\\t\\t\\t\\t\\t| where v_Host_HostName =~ tostring(split(DeviceName, \u0027.\u0027)[0])\\n\\t\\t\\t\\t\\t\\t\\t| summarize Process_Aux_Count=count() by Process_ProcessId=InitiatingProcessId, Process_CommandLine=InitiatingProcessCommandLine, Process_Host_UnstructuredName=DeviceName\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by Process_Aux_Count desc\\n\\t\\t\\t\\t\\t\\t\\t};\\n\\t\\t\\t\\t\\t\\t\\tBlockedUnsigned(\u0027\u003chostName\u003e\u0027)\",\"inputFields\":[\"hostName\"],\"outputEntityTypes\":[\"Process\"],\"dataSources\":[\"DeviceEvents\"],\"inputEntityType\":\"Host\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/d3393571-0533-4127-bfe1-6b1de4ab126e\",\"name\":\"d3393571-0533-4127-bfe1-6b1de4ab126e\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Processes running on Host\",\"queryTemplate\":\"let GetActiveProcessesOnHost = (v_Host_HostName:string){\\n\\t\\t\\t\\t\\t\\t\\tSecurityEvent \\n\\t\\t\\t\\t\\t\\t\\t| where EventID == 4688\\n\\t\\t\\t\\t\\t\\t\\t| where NewProcessName !contains \u0027:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\conhost.exe\u0027 and ParentProcessName !contains \u0027:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\conhost.exe\u0027\\n\\t\\t\\t\\t\\t\\t\\t and NewProcessName !contains \u0027:\\\\\\\\Windows\\\\\\\\Microsoft.NET\\\\\\\\Framework64\\\\\\\\v2.0.50727\\\\\\\\csc.exe\u0027 and ParentProcessName !contains \u0027:\\\\\\\\Windows\\\\\\\\Microsoft.NET\\\\\\\\Framework64\\\\\\\\v2.0.50727\\\\\\\\csc.exe\u0027\\n\\t\\t\\t\\t\\t\\t\\t and NewProcessName !contains \u0027:\\\\\\\\Windows\\\\\\\\Microsoft.NET\\\\\\\\Framework64\\\\\\\\v2.0.50727\\\\\\\\cvtres.exe\u0027 and ParentProcessName !contains \u0027:\\\\\\\\Windows\\\\\\\\Microsoft.NET\\\\\\\\Framework64\\\\\\\\v2.0.50727\\\\\\\\cvtres.exe\u0027\\n\\t\\t\\t\\t\\t\\t\\t and NewProcessName!contains \u0027:\\\\\\\\Program Files\\\\\\\\Microsoft Monitoring Agent\\\\\\\\Agent\\\\\\\\MonitoringHost.exe\u0027 and ParentProcessName !contains \u0027:\\\\\\\\Program Files\\\\\\\\Microsoft Monitoring Agent\\\\\\\\Agent\\\\\\\\MonitoringHost.exe\u0027\\n\\t\\t\\t\\t\\t\\t\\t and ParentProcessName !contains \u0027:\\\\\\\\Windows\\\\\\\\CCM\\\\\\\\CcmExec.exe\u0027\\n\\t\\t\\t\\t\\t\\t\\t| where (ParentProcessName !contains \u0027:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe\u0027 and (NewProcessName !contains \u0027:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wbem\\\\\\\\WmiPrvSE.exe\u0027 or NewProcessName !contains \u0027:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\wbem\\\\\\\\WmiPrvSE.exe\u0027))\\n\\t\\t\\t\\t\\t\\t\\t| where (ParentProcessName !contains \u0027:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\services.exe\u0027 and NewProcessName !contains \u0027:\\\\\\\\Windows\\\\\\\\servicing\\\\\\\\TrustedInstaller.exe\u0027)\\n\\t\\t\\t\\t\\t\\t\\t| where toupper(Computer) contains v_Host_HostName or toupper(WorkstationName) contains v_Host_HostName\\n\\t\\t\\t\\t\\t\\t\\t| summarize Process_Aux_StartTime=min(TimeGenerated), Process_Aux_EndTime=max(TimeGenerated) by Computer, Account, NewProcessName, CommandLine, ProcessId, ParentProcessName\\n\\t\\t\\t\\t\\t\\t\\t| project Process_Aux_StartTime, Process_Aux_EndTime, Computer, Account, NewProcessName, CommandLine, ProcessId, Process_ParentProcess_ImageFile_FullPath=ParentProcessName\\n\\t\\t\\t\\t\\t\\t\\t| project-rename Process_Host_UnstructuredName=Computer, Process_Account_UnstructuredName=Account, Process_CommandLine=CommandLine, Process_ProcessId=ProcessId, Process_ImageFile_FullPath=NewProcessName\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by Process_Aux_StartTime desc\\n\\t\\t\\t\\t\\t\\t\\t};\\n\\t\\t\\t\\t\\t\\t\\tGetActiveProcessesOnHost(\u0027\u003chostName\u003e\u0027)\",\"inputFields\":[\"hostName\"],\"outputEntityTypes\":[\"Process\"],\"dataSources\":[\"SecurityEvent\"],\"inputEntityType\":\"Host\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/6537a8c3-a269-4b2f-8c70-3824c23fef7b\",\"name\":\"6537a8c3-a269-4b2f-8c70-3824c23fef7b\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Services created on host\",\"queryTemplate\":\"let GetServiceCreationsOnHost = (v_Host_HostName:string){\\n\\t\\t\\t\\t\\t\\t\\tEvent \\n\\t\\t\\t\\t\\t\\t\\t| where EventID == 7045\\n\\t\\t\\t\\t\\t\\t\\t| where Computer =~ v_Host_HostName\\n\\t\\t\\t\\t\\t\\t\\t| extend EventDataParse = parse_xml(EventData)\\n\\t\\t\\t\\t\\t\\t\\t| extend Process_Aux_ServiceName = tostring(EventDataParse.DataItem.EventData.Data[0][\u0027#text\u0027])\\n\\t\\t\\t\\t\\t\\t\\t| extend ImagePath = tostring(EventDataParse.DataItem.EventData.Data[1][\u0027#text\u0027])\\n\\t\\t\\t\\t\\t\\t\\t| extend ServiceType = tostring(EventDataParse.DataItem.EventData.Data[2][\u0027#text\u0027])\\n\\t\\t\\t\\t\\t\\t\\t| extend StartType = tostring(EventDataParse.DataItem.EventData.Data[3][\u0027#text\u0027])\\n\\t\\t\\t\\t\\t\\t\\t| extend ServiceAccount = tostring(EventDataParse.DataItem.EventData.Data[4][\u0027#text\u0027])\\n\\t\\t\\t\\t\\t\\t\\t| where ImagePath !has \u0027\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\Definition Updates\\\\\\\\\u0027 \\n\\t\\t\\t\\t\\t\\t\\tand ImagePath !has \u0027\\\\\\\\Packages\\\\\\\\Plugins\\\\\\\\Microsoft.EnterpriseCloud.Monitoring.MicrosoftMonitoringAgent\\\\\\\\\u0027\\n\\t\\t\\t\\t\\t\\t\\tand not(ImagePath has \u0027\\\\\\\\WindowsAzure\\\\\\\\GuestAgent_\u0027 and ImagePath has \u0027\\\\\\\\Telemetry\\\\\\\\WindowsAzureTelemetryService.exe\u0027) \\n\\t\\t\\t\\t\\t\\t\\tand not(ImagePath has \u0027\\\\\\\\WindowsAzure\\\\\\\\GuestAgent_\u0027 and ImagePath has \u0027\\\\\\\\GuestAgent\\\\\\\\WindowsAzureGuestAgent.exe\u0027)\\n\\t\\t\\t\\t\\t\\t\\t| extend Process_Aux_Service_info = pack(\u0027ServiceName\u0027, Process_Aux_ServiceName, \u0027ServiceType\u0027, ServiceType, \u0027StartType\u0027, StartType, \u0027ServiceAccount\u0027, ServiceAccount)\\n\\t\\t\\t\\t\\t\\t\\t| project TimeGenerated, Computer, UserName, Process_Aux_ServiceName, ImagePath, Process_Aux_Service_info\\n\\t\\t\\t\\t\\t\\t\\t| project-rename Process_Host_UnstructuredName=Computer, Process_Account_UnstructuredName=UserName, Process_ImageFile_FullPath=ImagePath, Process_CreationTimeUtc=TimeGenerated\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by Process_CreationTimeUtc desc nulls last\\n\\t\\t\\t\\t\\t\\t\\t};\\n\\t\\t\\t\\t\\t\\t\\tGetServiceCreationsOnHost(\u0027\u003chostName\u003e\u0027)\",\"inputFields\":[\"hostName\"],\"outputEntityTypes\":[\"Process\"],\"dataSources\":[\"Event\"],\"inputEntityType\":\"Host\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/3aed43db-e358-4952-a5cd-a10f00d90af4\",\"name\":\"3aed43db-e358-4952-a5cd-a10f00d90af4\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"User accounts created or deleted on host\",\"queryTemplate\":\"let GetAccountChangesOnHost = (v_Host_HostName:string){\\n\\t\\t\\t\\t\\t\\t\\tSecurityEvent\\n\\t\\t\\t\\t\\t\\t\\t| where EventID == 4720 or EventID == 4726\\n\\t\\t\\t\\t\\t\\t\\t| where AccountType == \u0027User\u0027\\n\\t\\t\\t\\t\\t\\t\\t| where Computer contains v_Host_HostName or WorkstationName contains v_Host_HostName\\n\\t\\t\\t\\t\\t\\t\\t| extend info = pack(\u0027TargetAccount\u0027, TargetAccount, \u0027SubjectAccount\u0027, SubjectAccount, \u0027Activity\u0027, Activity)\\n\\t\\t\\t\\t\\t\\t\\t| summarize min(TimeGenerated), max(TimeGenerated), Account_Aux_info = makeset(info) by Computer, TargetAccount\\n\\t\\t\\t\\t\\t\\t\\t| project Account_Aux_StartTime=min_TimeGenerated, Account_Aux_EndTime=max_TimeGenerated, Account_Host_UnstructuredName=Computer, Account_UnstructuredName=TargetAccount, Account_Aux_info\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by Account_Aux_StartTime asc nulls last\\n\\t\\t\\t\\t\\t\\t\\t};\\n\\t\\t\\t\\t\\t\\t\\tGetAccountChangesOnHost(toupper(\u0027\u003chostName\u003e\u0027))\",\"inputFields\":[\"hostName\"],\"outputEntityTypes\":[\"Account\"],\"dataSources\":[\"SecurityEvent\"],\"inputEntityType\":\"Host\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/37fdc179-d35c-4dcd-b6ff-6cf02248d8f9\",\"name\":\"37fdc179-d35c-4dcd-b6ff-6cf02248d8f9\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Accounts which logged onto this host and their IPs\",\"queryTemplate\":\"let GetAccountsFromHost = (v_Host_HostName:string){\\n\\t\\t\\t\\t\\t\\t\\tSigninLogs\\n\\t\\t\\t\\t\\t\\t\\t| extend RemoteHost = tolower(tostring(DeviceDetail.displayName))\\n\\t\\t\\t\\t\\t\\t\\t| where RemoteHost == tolower(v_Host_HostName)\\n\\t\\t\\t\\t\\t\\t\\t| extend OS = tostring(DeviceDetail.operatingSystem), Browser = tostring(DeviceDetail.browser), TrustType = tostring(DeviceDetail.trustType)\\n\\t\\t\\t\\t\\t\\t\\t| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\n\\t\\t\\t\\t\\t\\t\\t| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city)\\n\\t\\t\\t\\t\\t\\t\\t| extend Latitude = tostring(LocationDetails.geoCoordinates.latitude), Longitude = tostring(LocationDetails.geoCoordinates.longitude)\\n\\t\\t\\t\\t\\t\\t\\t| extend info = pack(\u0027UserPrincipalName\u0027, UserPrincipalName, \u0027AppDisplayName\u0027, AppDisplayName, \u0027ClientAppUsed\u0027, ClientAppUsed, \u0027Browser\u0027, tostring(Browser), \u0027ResultType\u0027, ResultType, \u0027ResultDescription\u0027, ResultDescription, \u0027Location\u0027, Location, \u0027StatusCode\u0027, StatusCode, \u0027StatusDetails\u0027, StatusDetails)\\n\\t\\t\\t\\t\\t\\t\\t| summarize min(TimeGenerated), max(TimeGenerated), count(), Account_Aux_info = makeset(info) by RemoteHost , UserDisplayName, OS, IPAddress, State, City, Latitude, Longitude\\n\\t\\t\\t\\t\\t\\t\\t| extend IP_Aux_info = Account_Aux_info\\n\\t\\t\\t\\t\\t\\t\\t| project Account_Aux_StartTimeUtc = min_TimeGenerated, Account_Aux_EndTimeUtc = max_TimeGenerated, RemoteHost, UserDisplayName, OS, IPAddress, State, City, Latitude, Longitude, Account_Aux_info, IP_Aux_info\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by Account_Aux_StartTimeUtc desc nulls last \\n\\t\\t\\t\\t\\t\\t\\t| project-rename Account_UnstructuredName=UserDisplayName, Account_Host_UnstructuredName=RemoteHost, Account_Host_OSVersion=OS, IP_Address=IPAddress, IP_Location_State=State, IP_Location_City=City, IP_Location_Latitude=Latitude, IP_Location_Longitude=Longitude\\n\\t\\t\\t\\t\\t\\t\\t};\\n\\t\\t\\t\\t\\t\\t\\tGetAccountsFromHost(\u0027\u003chostName\u003e\u0027)\",\"inputFields\":[\"hostName\"],\"outputEntityTypes\":[\"Account\",\"IP\"],\"dataSources\":[\"SigninLogs\"],\"inputEntityType\":\"Host\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/b8de20fa-d96e-4fe0-84b3-8477ca29b04a\",\"name\":\"b8de20fa-d96e-4fe0-84b3-8477ca29b04a\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Accounts triggering Microsoft Defender Application Control\",\"queryTemplate\":\"let AppControlEvents=(v_Host_HostName:string, v_Host_NTDomain:string, v_Host_DnsDomain:string){\\n\\t\\t\\t\\t\\t\\t\\tlet p_FullDeviceName = iff(isnotempty(v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_NTDomain));\\n\\t\\t\\t\\t\\t\\t\\tlet AppControls=datatable(ActionType:string, Description:string, FriendlyActivityName:string)\\n\\t\\t\\t\\t\\t\\t\\t [\\\"AppControlAppInstallationAudited\\\", \\\"Application control detected the installation of an untrusted app.\\\",\\\"Untrusted app installed\\\"\\n\\t\\t\\t\\t\\t\\t\\t ,\\\"AppControlAppInstallationBlocked\\\", \\\"Application control blocked the installation of an untrusted app.\\\", \\\"Untrusted app installation blocked\\\"\\n\\t\\t\\t\\t\\t\\t\\t ,\\\"AppControlCodeIntegrityDriverRevoked\\\", \\\"Application control found a driver with a revoked certificate.\\\", \\\"Driver with revoked certificate detected\\\"\\n\\t\\t\\t\\t\\t\\t\\t ,\\\"AppControlCodeIntegrityImageRevoked\\\", \\\"Application control found an executable file with a revoked certificate.\\\", \\\"Executable with revoked certificate detected\\\"\\n\\t\\t\\t\\t\\t\\t\\t ,\\\"AppControlExecutableAudited\\\",\\\"Application control detected the use of an untrusted executable.\\\",\\\"Untrusted executable used\\\"\\n\\t\\t\\t\\t\\t\\t\\t ,\\\"AppControlExecutableClocked\\\",\\\"Application control blocked the use of an untrusted executable.\\\",\\\"Untrusted executable blocked\\\"\\n\\t\\t\\t\\t\\t\\t\\t ,\\\"AppControlScriptAudited\\\", \\\"Application control detected the use of an untrusted script.\\\", \\\"Untrusted script detected\\\"\\n\\t\\t\\t\\t\\t\\t\\t ,\\\"AppControlScriptBlocked\\\", \\\"Application control blocked the use of an untrusted script.\\\", \\\"Untrusted script blocked\\\" ];\\n\\t\\t\\t\\t\\t\\t\\tDeviceEvents\\n\\t\\t\\t\\t\\t\\t\\t| where ActionType in (AppControls) \\n\\t\\t\\t\\t\\t\\t\\t| where DeviceName ==p_FullDeviceName\\n\\t\\t\\t\\t\\t\\t\\t| parse InitiatingProcessAccountUpn with Account_Name \u0027@\u0027 Account_UPNSuffix\\n\\t\\t\\t\\t\\t\\t\\t| project Account_Name, Account_UPNSuffix, Account_Sid=InitiatingProcessAccountSid\\n\\t\\t\\t\\t\\t\\t\\t| summarize Account_Aux_AppConCount=count() by Account_Name, Account_UPNSuffix, Account_Sid\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by Account_Aux_AppConCount desc nulls last\\n\\t\\t\\t\\t\\t\\t\\t};\\n\\t\\t\\t\\t\\t\\t\\tAppControlEvents(\u0027\u003chostName\u003e\u0027,\u0027\u003cntDomain\u003e\u0027,\u0027\u003cdnsDomain\u003e\u0027)\",\"inputFields\":[\"hostName\",\"dnsDomain\",\"ntDomain\"],\"outputEntityTypes\":[\"Account\"],\"dataSources\":[\"DeviceEvents\"],\"inputEntityType\":\"Host\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/b66111f6-42ff-4f5a-8e3e-66ca1a71a758\",\"name\":\"b66111f6-42ff-4f5a-8e3e-66ca1a71a758\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"DefenderForIoT - Hosts communicating the most amount of data with this IP Address\",\"queryTemplate\":\"let ConnectionData_DefenderForIoT_GetIP2Host = (v_IP_Address:string) {\\n\\t\\t\\t\\t\\t\\t\\tlet connectionData = SecurityIoTRawEvent \\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceType = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).deviceType\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceId = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).deviceId\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientIpAddress = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).ipAddress\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientisExternal = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).isExternal\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDeviceType = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).deviceType\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDeviceId = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).deviceId\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerIpAddress = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).ipAddress\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerisExternal = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).isExternal\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceName = tostring(todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).deviceName)\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDeviceName = tostring(todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).deviceName)\\n\\t\\t\\t\\t\\t\\t\\t| extend Bandwidth = todynamic(extractjson(\\\"$Bandwidth\\\", EventDetails))\\n\\t\\t\\t\\t\\t\\t\\t| extend LastActivity = todynamic(extractjson(\\\"$LastActivity\\\", EventDetails))\\n\\t\\t\\t\\t\\t\\t\\t| extend Protocol = todynamic(extractjson(\\\"$Protocol\\\", EventDetails))\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerPort = todynamic(extractjson(\\\"$ServerPort\\\", EventDetails))\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDevice = extractjson(\\\"$ServerDevice\\\", EventDetails)\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDevice = extractjson(\\\"$ClientDevice\\\", EventDetails)\\n\\t\\t\\t\\t\\t\\t\\t| extend SensorId = DeviceId\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceGUID = strcat(SensorId, \\\"_\\\", ClientDeviceId), ServerDeviceGUID = strcat(SensorId, \\\"_\\\", ServerDeviceId);\\n\\t\\t\\t\\t\\t\\t\\tconnectionData\\n\\t\\t\\t\\t\\t\\t\\t| where ClientIpAddress == v_IP_Address or ServerIpAddress == v_IP_Address\\n\\t\\t\\t\\t\\t\\t\\t| extend Direction = iff(ClientIpAddress == v_IP_Address, \\\"Outbound\\\", \\\"Inbound\\\")\\n\\t\\t\\t\\t\\t\\t\\t| project DeviceGUID = iff(Direction == \\\"Outbound\\\", ServerDeviceGUID, ClientDeviceGUID), \\n\\t\\t\\t\\t\\t\\t\\tDeviceType = iff(Direction == \\\"Outbound\\\", ServerDeviceType, ClientDeviceType),\\n\\t\\t\\t\\t\\t\\t\\tDeviceIp = iff(Direction == \\\"Outbound\\\", ServerIpAddress, ClientIpAddress),\\n\\t\\t\\t\\t\\t\\t\\tDeviceName = iff(Direction == \\\"Outbound\\\", ServerDeviceName, ClientDeviceName),\\n\\t\\t\\t\\t\\t\\t\\tSensorId, LastActivity = todatetime(LastActivity), Bandwidth = todouble(Bandwidth), Protocol, ServerPort\\n\\t\\t\\t\\t\\t\\t\\t| summarize TotalBandwidth = sum(Bandwidth), LastActivity = max(LastActivity), Protocols = make_set(Protocol), ServerPorts = make_set(ServerPort) by DeviceGUID, DeviceName, IpAddress = tostring(DeviceIp), IoTDevice_DeviceType = tostring(DeviceType)\\n\\t\\t\\t\\t\\t\\t\\t| project-rename TotalBandwidth_MB = TotalBandwidth\\n\\t\\t\\t\\t\\t\\t\\t| extend TotalBandwidth_MB = floor(todecimal(TotalBandwidth_MB / 1000), 0.1)\\n\\t\\t\\t\\t\\t\\t\\t| project Host_HostName = DeviceName, Host_Aux_IpAddress = IpAddress, Host_Aux_Type = IoTDevice_DeviceType, Host_Aux_LastActivity = LastActivity, Host_Aux_Protocols = Protocols, Host_Aux_ServerPorts = ServerPorts, Host_Aux_TotalBandwidth_MB = TotalBandwidth_MB\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by Host_Aux_TotalBandwidth_MB\\n\\t\\t\\t\\t\\t\\t\\t};\\n\\t\\t\\t\\t\\t\\t\\tConnectionData_DefenderForIoT_GetIP2Host(\u0027\u003caddress\u003e\u0027)\",\"inputFields\":[\"address\"],\"outputEntityTypes\":[\"Host\"],\"dataSources\":[\"SecurityIoTRawEvent\"],\"inputEntityType\":\"IP\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/b7bd2812-f485-4430-bfac-6b0a1dd4c3f7\",\"name\":\"b7bd2812-f485-4430-bfac-6b0a1dd4c3f7\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"DefenderForIoT - IP Addresses communicating the most amount of data with this IP Address\",\"queryTemplate\":\"let ConnectionData_DefenderForIoT_GetIP2IP = (v_IP_Address:string) {\\n\\t\\t\\t\\t\\t\\t\\tlet connectionData = SecurityIoTRawEvent \\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceType = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).deviceType\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceId = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).deviceId\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientIpAddress = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).ipAddress\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientisExternal = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).isExternal\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDeviceType = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).deviceType\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDeviceId = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).deviceId\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerIpAddress = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).ipAddress\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerisExternal = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).isExternal\\n\\t\\t\\t\\t\\t\\t\\t| extend Bandwidth = todynamic(extractjson(\\\"$Bandwidth\\\", EventDetails))\\n\\t\\t\\t\\t\\t\\t\\t| extend LastActivity = todynamic(extractjson(\\\"$LastActivity\\\", EventDetails))\\n\\t\\t\\t\\t\\t\\t\\t| extend Protocol = todynamic(extractjson(\\\"$Protocol\\\", EventDetails))\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerPort = todynamic(extractjson(\\\"$ServerPort\\\", EventDetails))\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDevice = extractjson(\\\"$ServerDevice\\\", EventDetails)\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDevice = extractjson(\\\"$ClientDevice\\\", EventDetails)\\n\\t\\t\\t\\t\\t\\t\\t| extend SensorId = DeviceId\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceGUID = strcat(SensorId, \\\"_\\\", ClientDeviceId), ServerDeviceGUID = strcat(SensorId, \\\"_\\\", ServerDeviceId);\\n\\t\\t\\t\\t\\t\\t\\tconnectionData\\n\\t\\t\\t\\t\\t\\t\\t| where ClientIpAddress == v_IP_Address or ServerIpAddress == v_IP_Address\\n\\t\\t\\t\\t\\t\\t\\t| extend Direction = iff(ClientIpAddress == v_IP_Address, \\\"Outbound\\\", \\\"Inbound\\\")\\n\\t\\t\\t\\t\\t\\t\\t| project DeviceGUID = iff(Direction == \\\"Outbound\\\", ServerDeviceGUID, ClientDeviceGUID), \\n\\t\\t\\t\\t\\t\\t\\tDeviceType = iff(Direction == \\\"Outbound\\\", ServerDeviceType, ClientDeviceType),\\n\\t\\t\\t\\t\\t\\t\\tDeviceIp = iff(Direction == \\\"Outbound\\\", ServerIpAddress, ClientIpAddress),\\n\\t\\t\\t\\t\\t\\t\\tDeviceIsExternal = iff(Direction == \\\"Outbound\\\", ServerisExternal, ClientisExternal),\\n\\t\\t\\t\\t\\t\\t\\tSensorId, LastActivity = todatetime(LastActivity), Bandwidth = todouble(Bandwidth), Protocol, ServerPort, Direction\\n\\t\\t\\t\\t\\t\\t\\t| summarize TotalBandwidth = sum(Bandwidth), LastActivity = max(LastActivity), Protocols = make_set(Protocol), ServerPorts = make_set(ServerPort) by IoTDevice_DeviceId = DeviceGUID, IoTDevice_IpAddress = tostring(DeviceIp), IoTDevice_DeviceType = tostring(DeviceType), DeviceIsExternal = tostring(DeviceIsExternal)\\n\\t\\t\\t\\t\\t\\t\\t| project-rename TotalBandwidth_MB = TotalBandwidth\\n\\t\\t\\t\\t\\t\\t\\t| project IP_Address = IoTDevice_IpAddress, IP_Aux_DeviceType = IoTDevice_DeviceType, IP_Aux_LastActivity = LastActivity, IP_Aux_Protocols = Protocols, IP_Aux_ServerPorts = ServerPorts, IP_Aux_TotalBandwidth_MB = TotalBandwidth_MB, IP_Aux_IsExternal = DeviceIsExternal\\n\\t\\t\\t\\t\\t\\t\\t| extend IP_Aux_TotalBandwidth_MB = floor(todecimal(IP_Aux_TotalBandwidth_MB / 1000), 0.1)\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by IP_Aux_TotalBandwidth_MB\\n\\t\\t\\t\\t\\t\\t\\t};\\n\\t\\t\\t\\t\\t\\t\\tConnectionData_DefenderForIoT_GetIP2IP(\u0027\u003caddress\u003e\u0027)\",\"inputFields\":[\"address\"],\"outputEntityTypes\":[\"IP\"],\"dataSources\":[\"SecurityIoTRawEvent\"],\"inputEntityType\":\"IP\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/37ca3555-c135-4a73-a65e-9c1d00323f5d\",\"name\":\"37ca3555-c135-4a73-a65e-9c1d00323f5d\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"The least active accounts on Azure from this IP\",\"queryTemplate\":\"let AccountActivity_byIP = (v_IP_Address:string){\\n\\t\\t\\t\\t\\t\\t\\tAzureActivity\\n\\t\\t\\t\\t\\t\\t\\t| where Caller != \u0027\u0027 and CallerIpAddress =~ v_IP_Address\\n\\t\\t\\t\\t\\t\\t\\t| summarize Account_Aux_StartTime = min(TimeGenerated), \\n\\t\\t\\t\\t\\t\\t\\t Account_Aux_EndTime = max(TimeGenerated), \\n\\t\\t\\t\\t\\t\\t\\t Count = count() by \\n\\t\\t\\t\\t\\t\\t\\t Caller, TenantId\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by Count asc nulls last \\n\\t\\t\\t\\t\\t\\t\\t| extend UPN = iff(Caller contains \u0027@\u0027, Caller, \u0027\u0027), Account_AadUserId = toguid(iff(Caller !contains \u0027@\u0027, Caller,\u0027\u0027))\\n\\t\\t\\t\\t\\t\\t\\t| extend Account_Name = split(UPN,\u0027@\u0027)[0] , Account_UPNSuffix = split(UPN,\u0027@\u0027)[1]\\n\\t\\t\\t\\t\\t\\t\\t| project Account_Name, Account_UPNSuffix, Account_AadUserId, Account_AadTenantId=TenantId, Account_Aux_StartTime , Account_Aux_EndTime \\n\\t\\t\\t\\t\\t\\t\\t};\\n\\t\\t\\t\\t\\t\\t\\tAccountActivity_byIP(\u0027\u003caddress\u003e\u0027)\",\"inputFields\":[\"address\"],\"outputEntityTypes\":[\"Account\"],\"dataSources\":[\"AzureActivity\"],\"inputEntityType\":\"IP\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/97a1d515-abf2-4231-9a35-985f9de0bb91\",\"name\":\"97a1d515-abf2-4231-9a35-985f9de0bb91\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"The most active accounts on Azure from this IP\",\"queryTemplate\":\"let AccountActivity_byIP = (v_IP_Address:string){\\n\\t\\t\\t\\t\\t\\t\\tAzureActivity\\n\\t\\t\\t\\t\\t\\t\\t| where Caller != \u0027\u0027 and CallerIpAddress =~ v_IP_Address\\n\\t\\t\\t\\t\\t\\t\\t| summarize Account_Aux_StartTime = min(TimeGenerated), \\n\\t\\t\\t\\t\\t\\t\\t Account_Aux_EndTime = max(TimeGenerated), \\n\\t\\t\\t\\t\\t\\t\\t Count = count() by \\n\\t\\t\\t\\t\\t\\t\\t Caller, TenantId\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by Count desc nulls last \\n\\t\\t\\t\\t\\t\\t\\t| extend UPN = iff(Caller contains \u0027@\u0027, Caller, \u0027\u0027), Account_AadUserId = toguid(iff(Caller !contains \u0027@\u0027, Caller,\u0027\u0027))\\n\\t\\t\\t\\t\\t\\t\\t| extend Account_Name = split(UPN,\u0027@\u0027)[0] , Account_UPNSuffix = split(UPN,\u0027@\u0027)[1]\\n\\t\\t\\t\\t\\t\\t\\t| project Account_Name, Account_UPNSuffix, Account_AadUserId, Account_AadTenantId=TenantId, Account_Aux_StartTime , Account_Aux_EndTime \\n\\t\\t\\t\\t\\t\\t\\t};\\n\\t\\t\\t\\t\\t\\t\\tAccountActivity_byIP(\u0027\u003caddress\u003e\u0027)\",\"inputFields\":[\"address\"],\"outputEntityTypes\":[\"Account\"],\"dataSources\":[\"AzureActivity\"],\"inputEntityType\":\"IP\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/aa497951-c779-4ea2-be2a-127ea66c5fba\",\"name\":\"aa497951-c779-4ea2-be2a-127ea66c5fba\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Hosts receiving the least amount of data from this IP\",\"queryTemplate\":\"let HostsReceivingDatafromIP = (v_IP_Address:string){\\n\\t\\t\\t\\t\\t\\t\\tWireData\\n\\t\\t\\t\\t\\t\\t\\t| parse Computer with HostName \u0027.\u0027 Host_DnsDomain\\n\\t\\t\\t\\t\\t\\t\\t| where SessionState == \u0027Disconnected\u0027 \\n\\t\\t\\t\\t\\t\\t\\t| where RemoteIP =~ v_IP_Address\\n\\t\\t\\t\\t\\t\\t\\t| extend Host_HostName = iff(Computer has \u0027.\u0027, HostName, Computer)\\n\\t\\t\\t\\t\\t\\t\\t| summarize Host_Aux_BytesReceived = sum(ReceivedBytes), Host_Aux_LocalIPs=make_set(LocalIP) by Host_HostName, Host_DnsDomain\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by Host_Aux_BytesReceived asc nulls last\\n\\t\\t\\t\\t\\t\\t\\t};\\n\\t\\t\\t\\t\\t\\t\\tHostsReceivingDatafromIP(\u0027\u003caddress\u003e\u0027)\",\"inputFields\":[\"address\"],\"outputEntityTypes\":[\"Host\"],\"dataSources\":[\"WireData\"],\"inputEntityType\":\"IP\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/73fb9b8d-fd13-4c43-8136-6d693cafaa23\",\"name\":\"73fb9b8d-fd13-4c43-8136-6d693cafaa23\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Hosts receiving the most amount of data from this IP\",\"queryTemplate\":\"let HostsReceivingDatafromIP = (v_IP_Address:string){\\n\\t\\t\\t\\t\\t\\t\\tWireData\\n\\t\\t\\t\\t\\t\\t\\t| parse Computer with HostName \u0027.\u0027 Host_DnsDomain\\n\\t\\t\\t\\t\\t\\t\\t| where SessionState == \u0027Disconnected\u0027\\n\\t\\t\\t\\t\\t\\t\\t| where RemoteIP =~ v_IP_Address\\n\\t\\t\\t\\t\\t\\t\\t| extend Host_HostName = iff(Computer has \u0027.\u0027, HostName, Computer)\\n\\t\\t\\t\\t\\t\\t\\t| summarize Host_Aux_BytesReceived = sum(ReceivedBytes), Host_Aux_LocalIPs=make_set(LocalIP) by Host_HostName, Host_DnsDomain\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by Host_Aux_BytesReceived desc nulls last\\n\\t\\t\\t\\t\\t\\t\\t};\\n\\t\\t\\t\\t\\t\\t\\tHostsReceivingDatafromIP(\u0027\u003caddress\u003e\u0027)\",\"inputFields\":[\"address\"],\"outputEntityTypes\":[\"Host\"],\"dataSources\":[\"WireData\"],\"inputEntityType\":\"IP\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/ab597a67-352e-4914-b2e6-d64919a910a8\",\"name\":\"ab597a67-352e-4914-b2e6-d64919a910a8\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Hosts sending the least amount of data to this IP\",\"queryTemplate\":\"let HostsSendingDatatoIP = (v_IP_Address:string){\\n\\t\\t\\t\\t\\t\\t\\tWireData\\n\\t\\t\\t\\t\\t\\t\\t| where SessionState == \u0027Disconnected\u0027 \\n\\t\\t\\t\\t\\t\\t\\t| where RemoteIP =~ v_IP_Address\\n\\t\\t\\t\\t\\t\\t\\t| summarize Host_Aux_BytesSent = sum(SentBytes) by Computer, LocalIP\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by Host_Aux_BytesSent asc nulls last \\n\\t\\t\\t\\t\\t\\t\\t| project-rename Host_UnstructuredName=Computer, Host_Aux_LocalIP=LocalIP\\n\\t\\t\\t\\t\\t\\t\\t };\\n\\t\\t\\t\\t\\t\\t\\tHostsSendingDatatoIP(\u0027\u003caddress\u003e\u0027)\",\"inputFields\":[\"address\"],\"outputEntityTypes\":[\"Host\"],\"dataSources\":[\"WireData\"],\"inputEntityType\":\"IP\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/5b57680b-d60a-42a5-9cd5-17e499834f8e\",\"name\":\"5b57680b-d60a-42a5-9cd5-17e499834f8e\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Hosts sending the most amount of data to this IP\",\"queryTemplate\":\"let HostsSendingDatatoIP = (v_IP_Address:string){\\n\\t\\t\\t\\t\\t\\t\\tWireData\\n\\t\\t\\t\\t\\t\\t\\t| where SessionState == \u0027Disconnected\u0027 \\n\\t\\t\\t\\t\\t\\t\\t| where RemoteIP =~ v_IP_Address\\n\\t\\t\\t\\t\\t\\t\\t| summarize Host_Aux_BytesSent = sum(SentBytes) by Computer, LocalIP\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by Host_Aux_BytesSent desc nulls last \\n\\t\\t\\t\\t\\t\\t\\t| project-rename Host_UnstructuredName=Computer, Host_Aux_LocalIP=LocalIP \\n\\t\\t\\t\\t\\t\\t\\t};\\n\\t\\t\\t\\t\\t\\t\\tHostsSendingDatatoIP(\u0027\u003caddress\u003e\u0027)\",\"inputFields\":[\"address\"],\"outputEntityTypes\":[\"Host\"],\"dataSources\":[\"WireData\"],\"inputEntityType\":\"IP\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/980762f8-014e-4439-8840-5f0a90285dce\",\"name\":\"980762f8-014e-4439-8840-5f0a90285dce\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Destination IPs with the greatest number of dropped sessions\",\"queryTemplate\":\"let MostDroppedDestIP = (v_IP_Address:string){\\n\\t\\t\\t\\t\\t\\t\\tWindowsFirewall\\n\\t\\t\\t\\t\\t\\t\\t| where FirewallAction == \u0027DROP\u0027\\n\\t\\t\\t\\t\\t\\t\\t and SourceIP =~ v_IP_Address\\n\\t\\t\\t\\t\\t\\t\\t| summarize DropCount = count(), Ports = makeset(DestinationPort) by DestinationIP\\n\\t\\t\\t\\t\\t\\t\\t| sort by array_length(Ports), DropCount\\n\\t\\t\\t\\t\\t\\t\\t| serialize rn=row_number()\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by rn asc nulls last\\n\\t\\t\\t\\t\\t\\t\\t| project-rename IP_Address = DestinationIP, IP_Aux_DropCount = DropCount, IP_Aux_DroppedSessionPorts = Ports\\n\\t\\t\\t\\t\\t\\t\\t| project-away rn\\n\\t\\t\\t\\t\\t\\t\\t};\\n\\t\\t\\t\\t\\t\\t\\tMostDroppedDestIP(\u0027\u003caddress\u003e\u0027)\",\"inputFields\":[\"address\"],\"outputEntityTypes\":[\"IP\"],\"dataSources\":[\"WindowsFirewall\"],\"inputEntityType\":\"IP\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/935ab312-cb52-42a5-b296-548f21786102\",\"name\":\"935ab312-cb52-42a5-b296-548f21786102\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Source IPs with the greatest number of dropped sessions\",\"queryTemplate\":\"let MostDroppedSourceIP = (v_IP_Address:string){\\n\\t\\t\\t\\t\\t\\t\\tWindowsFirewall\\n\\t\\t\\t\\t\\t\\t\\t| where FirewallAction == \u0027DROP\u0027\\n\\t\\t\\t\\t\\t\\t\\t and DestinationIP =~ v_IP_Address\\n\\t\\t\\t\\t\\t\\t\\t| summarize IP_Aux_DropCount = count(), IP_Aux_DestPorts = makeset(DestinationPort) by SourceIP\\n\\t\\t\\t\\t\\t\\t\\t| sort by IP_Aux_DropCount\\n\\t\\t\\t\\t\\t\\t\\t| serialize rn=row_number()\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by rn asc nulls last\\n\\t\\t\\t\\t\\t\\t\\t| project IP_Address = SourceIP, IP_Aux_DropCount, IP_Aux_DestPorts\\n\\t\\t\\t\\t\\t\\t\\t};\\n\\t\\t\\t\\t\\t\\t\\tMostDroppedSourceIP(\u0027\u003caddress\u003e\u0027)\",\"inputFields\":[\"address\"],\"outputEntityTypes\":[\"IP\"],\"dataSources\":[\"WindowsFirewall\"],\"inputEntityType\":\"IP\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/588f5d9f-3380-4eff-9983-e61d62fdd172\",\"name\":\"588f5d9f-3380-4eff-9983-e61d62fdd172\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Office activity accounts with this IP\",\"queryTemplate\":\"let GetAllAccountByIP = (v_IP_Address:string){\\n\\t\\t\\t\\t\\t\\t\\tOfficeActivity \\n\\t\\t\\t\\t\\t\\t\\t| where ClientIP =~ v_IP_Address\\n\\t\\t\\t\\t\\t\\t\\t| extend info = pack(\u0027ClientIP\u0027, ClientIP, \u0027UserType\u0027, UserType, \u0027Operation\u0027, Operation, \u0027OfficeWorkload\u0027, OfficeWorkload, \u0027ResultStatus\u0027, ResultStatus)\\n\\t\\t\\t\\t\\t\\t\\t| summarize min(TimeGenerated), max(TimeGenerated), Account_Aux_Count=count(), Account_Aux_info = makeset(info) by UserId\\n\\t\\t\\t\\t\\t\\t\\t| project Account_Aux_StartTime = min_TimeGenerated, Account_Aux_EndTime = max_TimeGenerated, UserId, Account_Aux_Count, Account_Aux_info\\n\\t\\t\\t\\t\\t\\t\\t| project-rename Account_UnstructuredName=UserId\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by Account_Aux_Count desc nulls last\\n\\t\\t\\t\\t\\t\\t\\t};\\n\\t\\t\\t\\t\\t\\t\\tGetAllAccountByIP(\u0027\u003caddress\u003e\u0027)\",\"inputFields\":[\"address\"],\"outputEntityTypes\":[\"Account\"],\"dataSources\":[\"OfficeActivity\"],\"inputEntityType\":\"IP\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/801bacb0-612a-4195-a84f-7939cca63b92\",\"name\":\"801bacb0-612a-4195-a84f-7939cca63b92\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Least prevalent client IPs with DNS name lookup query for this IP\",\"queryTemplate\":\"let GetAllIPByClientIP = (v_IP_Address:string){\\n\\t\\t\\t\\t\\t\\t\\t _Im_Dns(response_has_ipv4=v_IP_Address)\\n\\t\\t\\t\\t\\t\\t\\t | extend IP_Address=SrcIpAddr\\n\\t\\t\\t\\t\\t\\t\\t | summarize IP_Aux_StartTime=min(TimeGenerated), IP_Aux_EndTime=max(TimeGenerated), IP_Aux_DomainNames=make_set(DnsQuery), IP_Aux_Count= count() by IP_Address\\n\\t\\t\\t\\t\\t\\t\\t | top 10 by IP_Aux_Count asc nulls last\\n\\t\\t\\t\\t\\t\\t\\t };\\n\\t\\t\\t\\t\\t\\t\\t GetAllIPByClientIP(\u0027\u003caddress\u003e\u0027)\",\"inputFields\":[\"address\"],\"outputEntityTypes\":[\"IP\"],\"dataSources\":[\"DnsEvents\"],\"inputEntityType\":\"IP\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/188ff904-e3c3-4253-9326-e0190b4b7a01\",\"name\":\"188ff904-e3c3-4253-9326-e0190b4b7a01\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Least prevalent inbound WireData connections\",\"queryTemplate\":\"let GetWireDataInboundWithIp = (v_IPAddress:string){\\n\\t\\t\\t\\t\\t\\t\\tWireData\\n\\t\\t\\t\\t\\t\\t\\t| where Direction == \u0027Inbound\u0027 \\n\\t\\t\\t\\t\\t\\t\\t| where RemoteIP has v_IPAddress\\n\\t\\t\\t\\t\\t\\t\\t| extend info = pack(\u0027LocalPortNumber\u0027, LocalPortNumber, \u0027RemoteIP\u0027, RemoteIP, \u0027Direction\u0027, Direction, \u0027ApplicationProtocol\u0027, ApplicationProtocol)\\n\\t\\t\\t\\t\\t\\t\\t| summarize Process_Aux_EarliestSessionStartTime=min(SessionStartTime), count(), IP_Aux_info = makeset(info) by Computer, ProcessName , LocalIP, ProcessID\\n\\t\\t\\t\\t\\t\\t\\t| extend Process_Aux_info = IP_Aux_info, Host_Aux_info = IP_Aux_info\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by count_ asc\\n\\t\\t\\t\\t\\t\\t\\t| project Process_Aux_EarliestSessionStartTime, Computer, ProcessName , LocalIP, Process_ProcessId=tostring(ProcessID), IP_Aux_info, Process_Aux_info, Host_Aux_info\\n\\t\\t\\t\\t\\t\\t\\t| project-rename IP_Address=LocalIP, Process_ImageFile_FullPath=ProcessName, Host_UnstructuredName=Computer\\n\\t\\t\\t\\t\\t\\t\\t};\\n\\t\\t\\t\\t\\t\\t\\tGetWireDataInboundWithIp(\u0027\u003caddress\u003e\u0027)\",\"inputFields\":[\"address\"],\"outputEntityTypes\":[\"IP\",\"Process\",\"Host\"],\"dataSources\":[\"WireData\"],\"inputEntityType\":\"IP\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/897267e4-68e1-4827-b318-7fb055b52fc0\",\"name\":\"897267e4-68e1-4827-b318-7fb055b52fc0\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Least prevalent outbound WireData connections\",\"queryTemplate\":\"let GetWireDataOutboundWithIp = (v_IP_Address:string){\\n\\t\\t\\t\\t\\t\\t\\tWireData\\n\\t\\t\\t\\t\\t\\t\\t| where Direction == \u0027Outbound\u0027\\n\\t\\t\\t\\t\\t\\t\\t| where LocalIP has v_IP_Address\\n\\t\\t\\t\\t\\t\\t\\t| extend info = pack(\u0027LocalIP\u0027, LocalIP, \u0027LocalPortNumber\u0027, LocalPortNumber, \u0027Direction\u0027, Direction, \u0027ApplicationProtocol\u0027, ApplicationProtocol)\\n\\t\\t\\t\\t\\t\\t\\t| summarize count(), IP_Aux_info = makeset(info) by Computer, ProcessName, RemoteIP, ProcessID\\n\\t\\t\\t\\t\\t\\t\\t| extend Process_Aux_info = IP_Aux_info, Host_Aux_info = IP_Aux_info\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by count_ asc\\n\\t\\t\\t\\t\\t\\t\\t| project Computer, ProcessName, RemoteIP, Process_ProcessId=tostring(ProcessID), IP_Aux_info, Process_Aux_info, Host_Aux_info\\n\\t\\t\\t\\t\\t\\t\\t| project-rename IP_Address=RemoteIP, Process_ImageFile_FullPath=ProcessName, Host_UnstructuredName=Computer\\n\\t\\t\\t\\t\\t\\t\\t};\\n\\t\\t\\t\\t\\t\\t\\tGetWireDataOutboundWithIp(\u0027\u003caddress\u003e\u0027)\",\"inputFields\":[\"address\"],\"outputEntityTypes\":[\"IP\",\"Process\",\"Host\"],\"dataSources\":[\"WireData\"],\"inputEntityType\":\"IP\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/fdb3e714-c036-4708-a0eb-6ae10a1912a1\",\"name\":\"fdb3e714-c036-4708-a0eb-6ae10a1912a1\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Least prevalent accounts associated with this IP\",\"queryTemplate\":\"let GetLeastPrevUsersbyIP = (v_IP_Address:string){\\n\\t\\t\\t\\t\\t\\t\\tSigninLogs\\n\\t\\t\\t\\t\\t\\t\\t| where IPAddress contains v_IP_Address\\n\\t\\t\\t\\t\\t\\t\\t| extend RemoteHost = tolower(tostring(parse_json(DeviceDetail[\u0027displayName\u0027])))\\n\\t\\t\\t\\t\\t\\t\\t| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\\n\\t\\t\\t\\t\\t\\t\\t| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\n\\t\\t\\t\\t\\t\\t\\t| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city)\\n\\t\\t\\t\\t\\t\\t\\t| extend info = pack(\u0027AppDisplayName\u0027, AppDisplayName, \u0027ClientAppUsed\u0027, ClientAppUsed, \u0027Browser\u0027, tostring(Browser), \u0027IPAddress\u0027, IPAddress, \u0027ResultType\u0027, ResultType, \u0027ResultDescription\u0027, ResultDescription, \u0027Location\u0027, Location, \u0027State\u0027, State, \u0027City\u0027, City, \u0027StatusCode\u0027, StatusCode, \u0027StatusDetails\u0027, StatusDetails)\\n\\t\\t\\t\\t\\t\\t\\t| summarize min(TimeGenerated), max(TimeGenerated), count(), Account_Aux_info = makeset(info) by RemoteHost , UserDisplayName, tostring(OS), UserPrincipalName, AADTenantId, UserId\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by count_ asc nulls last \\n\\t\\t\\t\\t\\t\\t\\t| project Account_Aux_StartTime = min_TimeGenerated, Account_Aux_EndTime = max_TimeGenerated, RemoteHost, UserDisplayName, OS, UserPrincipalName, AADTenantId, Account_AadUserId=toguid(UserId), Account_Aux_info\\n\\t\\t\\t\\t\\t\\t\\t| project-rename Account_UnstructuredName=UserPrincipalName, Account_DisplayName=UserDisplayName, Account_AadTenantId=AADTenantId , Account_Host_UnstructuredName=RemoteHost, Account_Host_OSVersion=OS };\\n\\t\\t\\t\\t\\t\\t\\tGetLeastPrevUsersbyIP(\u0027\u003caddress\u003e\u0027)\",\"inputFields\":[\"address\"],\"outputEntityTypes\":[\"Account\"],\"dataSources\":[\"SigninLogs\"],\"inputEntityType\":\"IP\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/0cb64e03-8534-47b6-9094-7de2d018fd7a\",\"name\":\"0cb64e03-8534-47b6-9094-7de2d018fd7a\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Most prevalent client IPs with DNS name lookup query for this IP\",\"queryTemplate\":\"let GetAllIPByClientIP = (v_IP_Address:string){\\n\\t\\t\\t\\t\\t\\t\\t _Im_Dns(response_has_ipv4=v_IP_Address)\\n\\t\\t\\t\\t\\t\\t\\t | extend IP_Address=SrcIpAddr\\n\\t\\t\\t\\t\\t\\t\\t | summarize IP_Aux_StartTime=min(TimeGenerated), IP_Aux_EndTime=max(TimeGenerated), IP_Aux_DomainNames=make_set(DnsQuery), IP_Aux_Count= count() by IP_Address\\n\\t\\t\\t\\t\\t\\t\\t | top 10 by IP_Aux_Count desc nulls last\\n\\t\\t\\t\\t\\t\\t\\t };\\n\\t\\t\\t\\t\\t\\t\\t GetAllIPByClientIP(\u0027\u003caddress\u003e\u0027)\",\"inputFields\":[\"address\"],\"outputEntityTypes\":[\"IP\"],\"dataSources\":[\"DnsEvents\"],\"inputEntityType\":\"IP\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/41146c58-ffc6-47ff-975e-f85013629dfd\",\"name\":\"41146c58-ffc6-47ff-975e-f85013629dfd\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Most prevalent Linux hosts with this IP\",\"queryTemplate\":\"let GetSysLogEventsWithIP = (v_IP_Address:string){\\n\\t\\t\\t\\t\\t\\t\\tSyslog\\n\\t\\t\\t\\t\\t\\t\\t| where HostIP has v_IP_Address\\n\\t\\t\\t\\t\\t\\t\\t| extend info = pack(\u0027HostIP\u0027, HostIP, \u0027ProcessName\u0027, ProcessName, \u0027SeverityLevel\u0027, SeverityLevel)\\n\\t\\t\\t\\t\\t\\t\\t| summarize min(EventTime), max(EventTime), count(), Host_Aux_info = makeset(info) by Computer\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by count_ desc nulls last \\n\\t\\t\\t\\t\\t\\t\\t| project Host_Aux_StartTime = min_EventTime, Host_Aux_EndTime = max_EventTime, Computer, Host_Aux_info\\n\\t\\t\\t\\t\\t\\t\\t| project-rename Host_UnstructuredName=Computer\\n\\t\\t\\t\\t\\t\\t\\t};\\n\\t\\t\\t\\t\\t\\t\\tGetSysLogEventsWithIP(\u0027\u003caddress\u003e\u0027)\",\"inputFields\":[\"address\"],\"outputEntityTypes\":[\"Host\"],\"dataSources\":[\"Syslog\"],\"inputEntityType\":\"IP\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/bc6c7cc9-da18-4afd-8fda-d201f13b54a4\",\"name\":\"bc6c7cc9-da18-4afd-8fda-d201f13b54a4\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Most prevalent accounts associated with this IP\",\"queryTemplate\":\"let GetMostPrevUsersbyIP = (v_IP_Address:string){\\n\\t\\t\\t\\t\\t\\t\\tSigninLogs\\n\\t\\t\\t\\t\\t\\t\\t| where IPAddress contains v_IP_Address\\n\\t\\t\\t\\t\\t\\t\\t| extend RemoteHost = tolower(tostring(parse_json(DeviceDetail[\u0027displayName\u0027])))\\n\\t\\t\\t\\t\\t\\t\\t| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\\n\\t\\t\\t\\t\\t\\t\\t| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\n\\t\\t\\t\\t\\t\\t\\t| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city)\\n\\t\\t\\t\\t\\t\\t\\t| extend info = pack(\u0027AppDisplayName\u0027, AppDisplayName, \u0027ClientAppUsed\u0027, ClientAppUsed, \u0027Browser\u0027, tostring(Browser), \u0027IPAddress\u0027, IPAddress, \u0027ResultType\u0027, ResultType, \u0027ResultDescription\u0027, ResultDescription, \u0027Location\u0027, Location, \u0027State\u0027, State, \u0027City\u0027, City, \u0027StatusCode\u0027, StatusCode, \u0027StatusDetails\u0027, StatusDetails)\\n\\t\\t\\t\\t\\t\\t\\t| summarize min(TimeGenerated), max(TimeGenerated), count(), Account_Aux_info = makeset(info) by RemoteHost , UserDisplayName, tostring(OS), UserPrincipalName, AADTenantId, UserId\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by count_ desc nulls last \\n\\t\\t\\t\\t\\t\\t\\t| project Account_Aux_StartTimeUtc = min_TimeGenerated, Account_Aux_EndTimeUtc = max_TimeGenerated, RemoteHost, UserDisplayName, OS, UserPrincipalName, AADTenantId, Account_Aux_info, Account_AadUserId=toguid(UserId)\\n\\t\\t\\t\\t\\t\\t\\t| project-rename Account_UnstructuredName=UserPrincipalName, Account_DisplayName=UserDisplayName, Account_AadTenantId=AADTenantId, Account_Host_UnstructuredName=RemoteHost, Account_Host_OSVersion=OS\\n\\t\\t\\t\\t\\t\\t\\t};\\n\\t\\t\\t\\t\\t\\t\\tGetMostPrevUsersbyIP(\u0027\u003caddress\u003e\u0027)\",\"inputFields\":[\"address\"],\"outputEntityTypes\":[\"Account\"],\"dataSources\":[\"SigninLogs\"],\"inputEntityType\":\"IP\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/f87b2afb-068f-4734-88a0-94560309f9c7\",\"name\":\"f87b2afb-068f-4734-88a0-94560309f9c7\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Processes blocked from loading non-Microsoft-signed binaries\",\"queryTemplate\":\"let BlockedUnsignedFile = (v_Process_ProcessId:int, v_Process_ImageFile:string){\\n\\t\\t\\t\\t\\t\\t\\tlet p_Process_ImageFile_Name = tostring(parse_json(v_Process_ImageFile)[\u0027Name\u0027]);\\n\\t\\t\\t\\t\\t\\t\\tDeviceEvents\\n\\t\\t\\t\\t\\t\\t\\t| where ActionType == \\\"ExploitGuardNonMicrosoftSignedBlocked\\\" and FileName !hassuffix \\\".ni.dll\\\"\\n\\t\\t\\t\\t\\t\\t\\t| where InitiatingProcessId == v_Process_ProcessId and InitiatingProcessFileName =~ p_Process_ImageFile_Name\\n\\t\\t\\t\\t\\t\\t\\t| summarize Count=count() by FileName\\n\\t\\t\\t\\t\\t\\t\\t| top 15 by Count desc\\n\\t\\t\\t\\t\\t\\t\\t| project File_Name=FileName\\n\\t\\t\\t\\t\\t\\t\\t};\\n\\t\\t\\t\\t\\t\\t\\tBlockedUnsignedFile(\u0027\u003cv_Process_ProcessId\u003e\u0027,\u0027\u003cv_Process_ImageFile\u003e\u0027)\",\"inputFields\":[\"processId\",\"ImageFile\"],\"outputEntityTypes\":[\"File\"],\"dataSources\":[\"DeviceEvents\"],\"inputEntityType\":\"Process\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/77f9839a-1c03-49e2-803e-72b97042fc05\",\"name\":\"77f9839a-1c03-49e2-803e-72b97042fc05\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Least prevalent inbound WireData connections\",\"queryTemplate\":\"let GetWireDataInboundWithProcess = (v_Process_CommandLine:string){\\n\\t\\t\\t\\t\\t\\t\\tlet tempFullPath = tostring(split(v_Process_CommandLine, \u0027 \u0027)[0]);\\n\\t\\t\\t\\t\\t\\t\\tlet tempFullPath2 = iff(tempFullPath startswith \u0027\\\"\u0027, substring(tempFullPath, 1, strlen(tempFullPath)-2), tempFullPath);\\n\\t\\t\\t\\t\\t\\t\\tlet v_Process_ImageFile_FullPath = iff(tempFullPath2 startswith \u0027\\\\\\\\??\\\\\\\\\u0027, substring(tempFullPath2, 4, strlen(tempFullPath2)-1), tempFullPath2);\\n\\t\\t\\t\\t\\t\\t\\tWireData\\n\\t\\t\\t\\t\\t\\t\\t| where Direction == \u0027Inbound\u0027\\n\\t\\t\\t\\t\\t\\t\\t| where ProcessName has v_Process_ImageFile_FullPath\\n\\t\\t\\t\\t\\t\\t\\t| extend info = pack(\u0027ProcessName\u0027, ProcessName, \u0027LocalPortNumber\u0027, LocalPortNumber, \u0027RemoteIP\u0027, RemoteIP, \u0027Direction\u0027, Direction, \u0027ApplicationProtocol\u0027, ApplicationProtocol)\\n\\t\\t\\t\\t\\t\\t\\t| summarize min(SessionStartTime), count(), IP_Aux_info = makeset(info) by Computer, LocalIP\\n\\t\\t\\t\\t\\t\\t\\t| extend Host_Aux_info = IP_Aux_info\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by count_ asc\\n\\t\\t\\t\\t\\t\\t\\t| project min_SessionStartTime, Computer, LocalIP, IP_Aux_info, Host_Aux_info\\n\\t\\t\\t\\t\\t\\t\\t| project-rename IP_Address=LocalIP, Host_UnstructuredName=Computer, Host_Aux_min_SessionStartTime=min_SessionStartTime\\n\\t\\t\\t\\t\\t\\t\\t};\\n\\t\\t\\t\\t\\t\\t\\tGetWireDataInboundWithProcess(\u0027\u003ccommandLine\u003e\u0027)\",\"inputFields\":[\"commandLine\"],\"outputEntityTypes\":[\"IP\",\"Host\"],\"dataSources\":[\"WireData\"],\"inputEntityType\":\"Process\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/def383f2-dff3-4f5b-9416-aca8dca39812\",\"name\":\"def383f2-dff3-4f5b-9416-aca8dca39812\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Least prevalent Linux hosts with this process\",\"queryTemplate\":\"let GetSysLogEventsWithProcess = (v_Process_CommandLine:string){\\n\\t\\t\\t\\t\\t\\t\\tlet tempFullPath = tostring(split(v_Process_CommandLine, \u0027 \u0027)[0]);\\n\\t\\t\\t\\t\\t\\t\\tlet tempFullPath2 = iff(tempFullPath startswith \u0027\\\"\u0027, substring(tempFullPath, 1, strlen(tempFullPath)-2), tempFullPath);\\n\\t\\t\\t\\t\\t\\t\\tlet v_Process_ImageFile_FullPath = iff(tempFullPath2 startswith \u0027\\\\\\\\??\\\\\\\\\u0027, substring(tempFullPath2, 4, strlen(tempFullPath2)-1), tempFullPath2);\\n\\t\\t\\t\\t\\t\\t\\tSyslog\\n\\t\\t\\t\\t\\t\\t\\t| where ProcessName has v_Process_ImageFile_FullPath\\n\\t\\t\\t\\t\\t\\t\\t| extend info = pack(\u0027HostName\u0027, HostName, \u0027HostIP\u0027, HostIP, \u0027ProcessName\u0027, ProcessName, \u0027SyslogMessage\u0027, SyslogMessage)\\n\\t\\t\\t\\t\\t\\t\\t| summarize min(EventTime), max(EventTime), count(), Host_Aux_info = makeset(info) by Computer\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by count_ asc nulls last \\n\\t\\t\\t\\t\\t\\t\\t| project Host_Aux_StartTime=min_EventTime, Host_Aux_EndTime=max_EventTime, Computer, Host_Aux_info\\n\\t\\t\\t\\t\\t\\t\\t| project-rename Host_UnstructuredName=Computer\\n\\t\\t\\t\\t\\t\\t\\t};\\n\\t\\t\\t\\t\\t\\t\\tGetSysLogEventsWithProcess(\u0027\u003ccommandLine\u003e\u0027)\",\"inputFields\":[\"commandLine\"],\"outputEntityTypes\":[\"Host\"],\"dataSources\":[\"Syslog\"],\"inputEntityType\":\"Process\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/39df618a-684d-402d-b096-6f505a8e741e\",\"name\":\"39df618a-684d-402d-b096-6f505a8e741e\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Least prevalent outbound WireData connections\",\"queryTemplate\":\"let GetWireDataOutboundWithProcess = (v_Process_CommandLine:string){\\n\\t\\t\\t\\t\\t\\t\\tlet tempFullPath = tostring(split(v_Process_CommandLine, \u0027 \u0027)[0]);\\n\\t\\t\\t\\t\\t\\t\\tlet tempFullPath2 = iff(tempFullPath startswith \u0027\\\"\u0027, substring(tempFullPath, 1, strlen(tempFullPath)-2), tempFullPath);\\n\\t\\t\\t\\t\\t\\t\\tlet v_Process_ImageFile_FullPath = iff(tempFullPath2 startswith \u0027\\\\\\\\??\\\\\\\\\u0027, substring(tempFullPath2, 4, strlen(tempFullPath2)-1), tempFullPath2);\\n\\t\\t\\t\\t\\t\\t\\tWireData\\n\\t\\t\\t\\t\\t\\t\\t| where Direction == \u0027Outbound\u0027\\n\\t\\t\\t\\t\\t\\t\\t| where ProcessName has v_Process_ImageFile_FullPath\\n\\t\\t\\t\\t\\t\\t\\t| extend info = pack(\u0027ProcessName\u0027, ProcessName, \u0027LocalIP\u0027, LocalIP, \u0027LocalPortNumber\u0027, LocalPortNumber, \u0027Direction\u0027, Direction, \u0027ApplicationProtocol\u0027, ApplicationProtocol)\\n\\t\\t\\t\\t\\t\\t\\t| summarize min(SessionStartTime), count(), IP_Aux_info = makeset(info) by Computer, RemoteIP\\n\\t\\t\\t\\t\\t\\t\\t| extend Host_Aux_info = IP_Aux_info\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by count_ asc\\n\\t\\t\\t\\t\\t\\t\\t| project min_SessionStartTime, Computer, RemoteIP, IP_Aux_info, Host_Aux_info\\n\\t\\t\\t\\t\\t\\t\\t| project-rename IP_Address=RemoteIP, Host_UnstructuredName=Computer, Host_Aux_min_SessionStartTime=min_SessionStartTime\\n\\t\\t\\t\\t\\t\\t\\t};\\n\\t\\t\\t\\t\\t\\t\\tGetWireDataOutboundWithProcess(\u0027\u003ccommandLine\u003e\u0027)\",\"inputFields\":[\"commandLine\"],\"outputEntityTypes\":[\"IP\",\"Host\"],\"dataSources\":[\"WireData\"],\"inputEntityType\":\"Process\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/e32a48a9-bf82-4cec-ba94-9ec406a69ef8\",\"name\":\"e32a48a9-bf82-4cec-ba94-9ec406a69ef8\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"10 most recent VM configuration changes based on process\",\"queryTemplate\":\"let exclude = dynamic([\u0027:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe\u0027, \u0027:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\sppsvc.exe\u0027, \u0027:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\wbem\\\\\\\\WmiApSrv.exe\u0027, \u0027:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\conhost.exe\u0027, \u0027:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wuauclt.exe\u0027, \u0027:\\\\\\\\Windows\\\\\\\\SoftwareDistribution\\\\\\\\Download\\\\\\\\Install\\\\\\\\\u0027, \u0027:\\\\\\\\WindowsAzure\\\\\\\\GuestAgent_\u0027, \u0027:\\\\\\\\WindowsAzure\\\\\\\\WindowsAzureNetAgent_\u0027, \\n\\t\\t\\t\\t\\t\\t\\t\u0027:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\platform\\\\\\\\\u0027, \u0027:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\taskhostw.exe\u0027, \u0027\\\\\\\\MpSigStub.exe\u0027,\u0027:\\\\\\\\Program Files\\\\\\\\Microsoft Monitoring Agent\\\\\\\\Agent\\\\\\\\MonitoringHost.exe\u0027, \u0027:\\\\\\\\Windows\\\\\\\\servicing\\\\\\\\trustedinstaller.exe\u0027, \u0027:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WerFault.exe\u0027, \u0027:\\\\\\\\Windows\\\\\\\\CCM\\\\\\\\CcmExec.exe\u0027\\n\\t\\t\\t\\t\\t\\t\\t\\\"HKEY_LOCAL_MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Active Setup\\\\\\\\Installed Components\\\\\\\\\\\"]);\\n\\t\\t\\t\\t\\t\\t\\tlet ConfigChange = (v_Process_ImageFile:string ) \\n\\t\\t\\t\\t\\t\\t\\t{let Process_ImageFile_Name = tostring(parse_json(v_Process_ImageFile)[\u0027Name\u0027]);\\n\\t\\t\\t\\t\\t\\t\\tConfigurationChange\\n\\t\\t\\t\\t\\t\\t\\t| where ConfigChangeType != \\\"Software\\\"\\n\\t\\t\\t\\t\\t\\t\\t| where isnotempty(ValueData) or isnotempty(SvcPath) or isnotempty(FileSystemPath)\\n\\t\\t\\t\\t\\t\\t\\t| extend Process = case(\\n\\t\\t\\t\\t\\t\\t\\tConfigChangeType == \\\"Registry\\\" and (ValueData has \\\".exe\\\" or ValueData has \\\".bat\\\" or ValueData has \\\".cmd\\\"), ValueData,\\n\\t\\t\\t\\t\\t\\t\\tConfigChangeType == \\\"WindowsServices\\\", SvcPath,\\n\\t\\t\\t\\t\\t\\t\\tConfigChangeType == \\\"Files\\\" and ((FileSystemPath has \\\".exe\\\" or FileSystemPath has \\\".bat\\\" or FileSystemPath has \\\".cmd\\\") or FileSystemPath has \u0027/\u0027), FileSystemPath,\\n\\t\\t\\t\\t\\t\\t\\tConfigChangeType == \\\"Daemons\\\", SvcPath,\\n\\t\\t\\t\\t\\t\\t\\t\\\"ProcessNotAvailable\\\"\\n\\t\\t\\t\\t\\t\\t\\t)\\n\\t\\t\\t\\t\\t\\t\\t| where not(Process has_any (exclude)) and (Process !has \u0027:\\\\\\\\Windows\\\\\\\\Microsoft.NET\\\\\\\\Framework\u0027 and not(Process has_any (\u0027\\\\\\\\ngentask.exe\u0027, \u0027\\\\\\\\ngen.exe\u0027)))\\n\\t\\t\\t\\t\\t\\t\\t| where iff(Process_ImageFile_Name == \\\"\\\", false, Process has Process_ImageFile_Name) \\n\\t\\t\\t\\t\\t\\t\\t| parse FileContentChecksum with * \\\"Hash=\\\" Hash \\\" \\\" *\\n\\t\\t\\t\\t\\t\\t\\t| parse PreviousFileContentChecksum with * \\\"Hash=\\\" Hash \\\" \\\" *\\n\\t\\t\\t\\t\\t\\t\\t| extend Changes = case( \\n\\t\\t\\t\\t\\t\\t\\t ConfigChangeType == \\\"Registry\\\" and ChangeCategory == \\\"Modified\\\", \\n\\t\\t\\t\\t\\t\\t\\t pack(\\\"ConfigChangeType\\\", ConfigChangeType, \\\"ChangeCategory\\\", ChangeCategory, \\\"RegistryKey\\\" , RegistryKey, \\\"ValueName\\\", ValueName, \\\"ValueData\\\", ValueData, \\\"PreviousValueData\\\", PreviousValueData),\\n\\t\\t\\t\\t\\t\\t\\t ConfigChangeType == \\\"Registry\\\" and ChangeCategory == \\\"Added\\\", \\n\\t\\t\\t\\t\\t\\t\\t pack(\\\"ConfigChangeType\\\", ConfigChangeType, \\\"ChangeCategory\\\", ChangeCategory, \\\"RegistryKey\\\" , RegistryKey, \\\"ValueName\\\", ValueName, \\\"ValueData\\\", ValueData),\\n\\t\\t\\t\\t\\t\\t\\tConfigChangeType == \\\"Registry\\\" and ChangeCategory == \\\"Removed\\\", \\n\\t\\t\\t\\t\\t\\t\\t pack(\\\"ConfigChangeType\\\", ConfigChangeType, \\\"ChangeCategory\\\", ChangeCategory, \\\"RegistryKey\\\" , RegistryKey, \\\"ValueName\\\", ValueName, \\\"PreviousValueData\\\", PreviousValueData),\\n\\t\\t\\t\\t\\t\\t\\tConfigChangeType in (\\\"WindowsServices\\\",\\\"Daemons\\\") and ChangeCategory == \\\"Modified\\\" and SvcChangeType == \\\"Path\\\", \\n\\t\\t\\t\\t\\t\\t\\t pack(\\\"ConfigChangeType\\\", ConfigChangeType, \\\"ChangeCategory\\\", ChangeCategory, \\\"SvcChangeType\\\", SvcChangeType, \\\"SvcName\\\", SvcName, \\\"SvcPath\\\", SvcPath, \\\"SvcPreviousPath\\\", SvcPreviousPath),\\n\\t\\t\\t\\t\\t\\t\\tConfigChangeType in (\\\"WindowsServices\\\",\\\"Daemons\\\") and ChangeCategory == \\\"Modified\\\" and SvcChangeType == \\\"Runlevels\\\", \\n\\t\\t\\t\\t\\t\\t\\t pack(\\\"ConfigChangeType\\\", ConfigChangeType, \\\"ChangeCategory\\\", ChangeCategory, \\\"SvcChangeType\\\", SvcChangeType, \\\"SvcName\\\", SvcName, \\\"SvcPath\\\", SvcPath, \\\"SvcRunlevels\\\", SvcRunlevels,\\\"SvcPreviousRunlevels\\\", SvcPreviousRunlevels),\\n\\t\\t\\t\\t\\t\\t\\tConfigChangeType in (\\\"WindowsServices\\\",\\\"Daemons\\\") and ChangeCategory == \\\"Modified\\\" and SvcChangeType == \\\"StartupType\\\", \\n\\t\\t\\t\\t\\t\\t\\t pack(\\\"ConfigChangeType\\\", ConfigChangeType, \\\"ChangeCategory\\\", ChangeCategory, \\\"SvcChangeType\\\", SvcChangeType, \\\"SvcName\\\", SvcName, \\\"SvcPath\\\", SvcPath, \\\"SvcStartupType\\\", SvcStartupType, \\\"SvcPreviousStartupType\\\", SvcPreviousStartupType),\\n\\t\\t\\t\\t\\t\\t\\tConfigChangeType in (\\\"WindowsServices\\\",\\\"Daemons\\\") and ChangeCategory == \\\"Modified\\\" and SvcChangeType == \\\"State\\\", \\n\\t\\t\\t\\t\\t\\t\\t pack(\\\"ConfigChangeType\\\", ConfigChangeType, \\\"ChangeCategory\\\", ChangeCategory, \\\"SvcChangeType\\\", SvcChangeType, \\\"SvcName\\\", SvcName, \\\"SvcPath\\\", SvcPath, \\\"SvcState\\\", SvcState, \\\"SvcPreviousState\\\", SvcPreviousState),\\n\\t\\t\\t\\t\\t\\t\\tConfigChangeType in (\\\"WindowsServices\\\",\\\"Daemons\\\") and ChangeCategory == \\\"Modified\\\" and SvcChangeType == \\\"State StartupType\\\", \\n\\t\\t\\t\\t\\t\\t\\t pack(\\\"ConfigChangeType\\\", ConfigChangeType, \\\"ChangeCategory\\\", ChangeCategory, \\\"SvcChangeType\\\", SvcChangeType, \\\"SvcName\\\", SvcName, \\\"SvcPath\\\", SvcPath, \\\"SvcState\\\", SvcState, \\\"SvcPreviousState\\\", SvcPreviousState, \\\"SvcStartupType\\\", SvcStartupType, \\\"SvcPreviousStartupType\\\", SvcPreviousStartupType),\\n\\t\\t\\t\\t\\t\\t\\tConfigChangeType in (\\\"WindowsServices\\\",\\\"Daemons\\\") and ChangeCategory == \\\"Added\\\", \\n\\t\\t\\t\\t\\t\\t\\t pack(\\\"ConfigChangeType\\\", ConfigChangeType, \\\"ChangeCategory\\\", ChangeCategory, \\\"SvcName\\\", SvcName, \\\"SvcPath\\\", SvcPath, \\\"SvcState\\\", SvcState, \\\"SvcStartupType\\\", SvcStartupType),\\n\\t\\t\\t\\t\\t\\t\\tConfigChangeType in (\\\"WindowsServices\\\",\\\"Daemons\\\") and ChangeCategory == \\\"Removed\\\", \\n\\t\\t\\t\\t\\t\\t\\t pack(\\\"ConfigChangeType\\\", ConfigChangeType, \\\"ChangeCategory\\\", ChangeCategory, \\\"SvcName\\\", SvcName, \\\"SvcPreviousPath\\\", SvcPreviousPath, \\\"SvcPreviousState\\\", SvcPreviousState, \\\"SvcPreviousStartupType\\\", SvcPreviousStartupType),\\n\\t\\t\\t\\t\\t\\t\\tConfigChangeType == \\\"Files\\\" and ChangeCategory == \\\"Added\\\", \\n\\t\\t\\t\\t\\t\\t\\t pack(\\\"ConfigChangeType\\\", ConfigChangeType, \\\"ChangeCategory\\\", ChangeCategory, \\\"FileSystemPath\\\", FileSystemPath, \\\"DateCreated\\\", DateCreated, \\\"DateModified\\\", DateModified, \\\"Hash\\\", Hash),\\n\\t\\t\\t\\t\\t\\t\\tConfigChangeType == \\\"Files\\\" and ChangeCategory == \\\"Removed\\\", \\n\\t\\t\\t\\t\\t\\t\\t pack(\\\"ConfigChangeType\\\", ConfigChangeType, \\\"ChangeCategory\\\", ChangeCategory, \\\"FileSystemPath\\\", FileSystemPath, \\\"DateCreated\\\", PreviousDateCreated, \\\"DateModified\\\", PreviousDateModified, \\\"Hash\\\", Hash),\\n\\t\\t\\t\\t\\t\\t\\tConfigChangeType == \\\"Files\\\" and ChangeCategory == \\\"Modified\\\", \\n\\t\\t\\t\\t\\t\\t\\t pack(\\\"ConfigChangeType\\\", ConfigChangeType, \\\"ChangeCategory\\\", ChangeCategory, \\\"FileSystemPath\\\", FileSystemPath, \\\"FieldsChanged\\\", FieldsChanged, \\\"DateCreated\\\", PreviousDateCreated, \\\"DateModified\\\", PreviousDateModified, \\\"Hash\\\", Hash),\\n\\t\\t\\t\\t\\t\\t\\t\\\"\\\")\\n\\t\\t\\t\\t\\t\\t\\t| extend Host_HostName = tostring(split(Computer, \\\".\\\")[0]), Host_DnsDomain = strcat_array(array_slice(split(Computer,\u0027.\u0027),1,256),\u0027.\u0027)\\n\\t\\t\\t\\t\\t\\t\\t| summarize Host_Aux_StartTimeUtc = min(TimeGenerated), Host_Aux_EndTimeUtc = max(TimeGenerated), Host_Aux_ConfigChangeDetail = makeset(Changes) by Host_HostName, Host_DnsDomain\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by Host_Aux_StartTimeUtc desc};\\n\\t\\t\\t\\t\\t\\t\\tConfigChange(\u0027\u003cImageFile\u003e\u0027)\",\"inputFields\":[\"ImageFile\"],\"outputEntityTypes\":[\"Host\"],\"dataSources\":[\"ConfigurationChange\"],\"inputEntityType\":\"Process\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/0880a6d7-d914-40f6-91bc-150de4810e4e\",\"name\":\"0880a6d7-d914-40f6-91bc-150de4810e4e\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Windows hosts with this process\",\"queryTemplate\":\"let GetHostsWithProcess = (v_Process_CommandLine:string){\\n\\t\\t\\t\\t\\t\\t\\tlet tempFullPath = tostring(split(v_Process_CommandLine, \u0027 \u0027)[0]);\\n\\t\\t\\t\\t\\t\\t\\tlet tempFullPath2 = iff(tempFullPath startswith \u0027\\\"\u0027, substring(tempFullPath, 1, strlen(tempFullPath)-2), tempFullPath);\\n\\t\\t\\t\\t\\t\\t\\tlet v_Process_ImageFile_FullPath = iff(tempFullPath2 startswith \u0027\\\\\\\\??\\\\\\\\\u0027, substring(tempFullPath2, 4, strlen(tempFullPath2)-1), tempFullPath2);\\n\\t\\t\\t\\t\\t\\t\\tSecurityEvent\\n\\t\\t\\t\\t\\t\\t\\t| where EventID == 4688\\n\\t\\t\\t\\t\\t\\t\\t| where NewProcessName has v_Process_ImageFile_FullPath\\n\\t\\t\\t\\t\\t\\t\\t| extend info = pack(\u0027Account\u0027, Account, \u0027NewProcessName\u0027, NewProcessName, \u0027CommandLine\u0027, CommandLine)\\n\\t\\t\\t\\t\\t\\t\\t| summarize min(TimeGenerated), max(TimeGenerated), Host_Aux_info = makeset(info) by Computer, SourceComputerId, _ResourceId\\n\\t\\t\\t\\t\\t\\t\\t| project min_TimeGenerated, max_TimeGenerated, Computer, Host_Aux_info, Host_OMSAgentID=SourceComputerId\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by min_TimeGenerated asc nulls last\\n\\t\\t\\t\\t\\t\\t\\t| project-rename Host_UnstructuredName=Computer, Host_Aux_StartTime=min_TimeGenerated, Host_Aux_EndTime=max_TimeGenerated\\n\\t\\t\\t\\t\\t\\t\\t};\\n\\t\\t\\t\\t\\t\\t\\tGetHostsWithProcess(\u0027\u003ccommandLine\u003e\u0027)\",\"inputFields\":[\"commandLine\"],\"outputEntityTypes\":[\"Host\"],\"dataSources\":[\"SecurityEvent\"],\"inputEntityType\":\"Process\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/c07c8936-d2a7-41a7-97d2-d3afdf267da4\",\"name\":\"c07c8936-d2a7-41a7-97d2-d3afdf267da4\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"DefenderForIoT - Hosts communicating the most amount of data with this IoT Device\",\"queryTemplate\":\"let ConnectionData_DefenderForIoT_GetIoTDevice2Host = (v_IoTDevice_DeviceId:string) {\\n\\t\\t\\t\\t\\t\\t\\tlet connectionData = SecurityIoTRawEvent \\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceType = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).deviceType\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceId = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).deviceId\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientIpAddress = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).ipAddress\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientisExternal = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).isExternal\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDeviceType = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).deviceType\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDeviceId = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).deviceId\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerIpAddress = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).ipAddress\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerisExternal = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).isExternal\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceName = tostring(todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).deviceName)\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDeviceName = tostring(todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).deviceName)\\n\\t\\t\\t\\t\\t\\t\\t| extend Bandwidth = todynamic(extractjson(\\\"$Bandwidth\\\", EventDetails))\\n\\t\\t\\t\\t\\t\\t\\t| extend LastActivity = todynamic(extractjson(\\\"$LastActivity\\\", EventDetails))\\n\\t\\t\\t\\t\\t\\t\\t| extend Protocol = todynamic(extractjson(\\\"$Protocol\\\", EventDetails))\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerPort = todynamic(extractjson(\\\"$ServerPort\\\", EventDetails))\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDevice = extractjson(\\\"$ServerDevice\\\", EventDetails)\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDevice = extractjson(\\\"$ClientDevice\\\", EventDetails)\\n\\t\\t\\t\\t\\t\\t\\t| extend SensorId = DeviceId\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceGUID = strcat(SensorId, \\\"_\\\", ClientDeviceId), ServerDeviceGUID = strcat(SensorId, \\\"_\\\", ServerDeviceId);\\n\\t\\t\\t\\t\\t\\t\\tconnectionData\\n\\t\\t\\t\\t\\t\\t\\t| where ClientDeviceGUID == v_IoTDevice_DeviceId or ServerDeviceGUID == v_IoTDevice_DeviceId\\n\\t\\t\\t\\t\\t\\t\\t| extend Direction = iff(ClientDeviceGUID == v_IoTDevice_DeviceId, \\\"Outbound\\\", \\\"Inbound\\\")\\n\\t\\t\\t\\t\\t\\t\\t| project DeviceGUID = iff(Direction == \\\"Outbound\\\", ServerDeviceGUID, ClientDeviceGUID), \\n\\t\\t\\t\\t\\t\\t\\tDeviceType = iff(Direction == \\\"Outbound\\\", ServerDeviceType, ClientDeviceType),\\n\\t\\t\\t\\t\\t\\t\\tDeviceIp = iff(Direction == \\\"Outbound\\\", ServerIpAddress, ClientIpAddress),\\n\\t\\t\\t\\t\\t\\t\\tDeviceName = iff(Direction == \\\"Outbound\\\", ServerDeviceName, ClientDeviceName),\\n\\t\\t\\t\\t\\t\\t\\tSensorId, LastActivity = todatetime(LastActivity), Bandwidth = todouble(Bandwidth), Protocol, ServerPort\\n\\t\\t\\t\\t\\t\\t\\t| summarize TotalBandwidth = sum(Bandwidth), LastActivity = max(LastActivity), Protocols = make_set(Protocol), ServerPorts = make_set(ServerPort) by DeviceGUID, DeviceName, IpAddress = tostring(DeviceIp), IoTDevice_DeviceType = tostring(DeviceType)\\n\\t\\t\\t\\t\\t\\t\\t| project-rename TotalBandwidth_MB = TotalBandwidth\\n\\t\\t\\t\\t\\t\\t\\t| extend TotalBandwidth_MB = floor(todecimal(TotalBandwidth_MB / 1000), 0.1)\\n\\t\\t\\t\\t\\t\\t\\t| project Host_HostName = DeviceName, Host_Aux_IpAddress = IpAddress, Host_Aux_Type = IoTDevice_DeviceType, Host_Aux_LastActivity = LastActivity, Host_Aux_Protocols = Protocols, Host_Aux_ServerPorts = ServerPorts, Host_Aux_TotalBandwidth_MB = TotalBandwidth_MB\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by Host_Aux_TotalBandwidth_MB\\n\\t\\t\\t\\t\\t\\t\\t};\\n\\t\\t\\t\\t\\t\\t\\tConnectionData_DefenderForIoT_GetIoTDevice2Host(\u0027\u003cdeviceId\u003e\u0027)\",\"inputFields\":[\"deviceId\"],\"outputEntityTypes\":[\"Host\"],\"dataSources\":[\"SecurityIoTRawEvent\"],\"inputEntityType\":\"IoTDevice\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/f1cce474-7a4f-435c-a7ee-3d5a800a6df4\",\"name\":\"f1cce474-7a4f-435c-a7ee-3d5a800a6df4\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"DefenderForIoT - IP Addresses communicating the most amount of data with this IoT Device\",\"queryTemplate\":\"let ConnectionData_DefenderForIoT_GetIoTDevice2IP = (v_IoTDevice_DeviceId:string) {\\n\\t\\t\\t\\t\\t\\t\\tlet connectionData = SecurityIoTRawEvent \\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceType = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).deviceType\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceId = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).deviceId\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientIpAddress = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).ipAddress\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientisExternal = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).isExternal\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDeviceType = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).deviceType\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDeviceId = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).deviceId\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerIpAddress = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).ipAddress\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerisExternal = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).isExternal\\n\\t\\t\\t\\t\\t\\t\\t| extend Bandwidth = todynamic(extractjson(\\\"$Bandwidth\\\", EventDetails))\\n\\t\\t\\t\\t\\t\\t\\t| extend LastActivity = todynamic(extractjson(\\\"$LastActivity\\\", EventDetails))\\n\\t\\t\\t\\t\\t\\t\\t| extend Protocol = todynamic(extractjson(\\\"$Protocol\\\", EventDetails))\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDevice = extractjson(\\\"$ServerDevice\\\", EventDetails)\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerPort = todynamic(extractjson(\\\"$ServerPort\\\", EventDetails))\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDevice = extractjson(\\\"$ClientDevice\\\", EventDetails)\\n\\t\\t\\t\\t\\t\\t\\t| extend SensorId = DeviceId\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceGUID = strcat(SensorId, \\\"_\\\", ClientDeviceId), ServerDeviceGUID = strcat(SensorId, \\\"_\\\", ServerDeviceId);\\n\\t\\t\\t\\t\\t\\t\\tconnectionData\\n\\t\\t\\t\\t\\t\\t\\t| where ClientDeviceGUID == v_IoTDevice_DeviceId or ServerDeviceGUID == v_IoTDevice_DeviceId\\n\\t\\t\\t\\t\\t\\t\\t| extend Direction = iff(ClientDeviceGUID == v_IoTDevice_DeviceId, \\\"Outbound\\\", \\\"Inbound\\\")\\n\\t\\t\\t\\t\\t\\t\\t| project DeviceGUID = iff(Direction == \\\"Outbound\\\", ServerDeviceGUID, ClientDeviceGUID), \\n\\t\\t\\t\\t\\t\\t\\tDeviceType = iff(Direction == \\\"Outbound\\\", ServerDeviceType, ClientDeviceType),\\n\\t\\t\\t\\t\\t\\t\\tDeviceIp = iff(Direction == \\\"Outbound\\\", ServerIpAddress, ClientIpAddress),\\n\\t\\t\\t\\t\\t\\t\\tDeviceIsExternal = iff(Direction == \\\"Outbound\\\", ServerisExternal, ClientisExternal),\\n\\t\\t\\t\\t\\t\\t\\tSensorId, LastActivity = todatetime(LastActivity), Bandwidth = todouble(Bandwidth), Protocol, ServerPort\\n\\t\\t\\t\\t\\t\\t\\t| summarize TotalBandwidth = sum(Bandwidth), LastActivity = max(LastActivity), Protocols = make_set(Protocol), ServerPorts = make_set(ServerPort) by DeviceGUID, IpAddress = tostring(DeviceIp), IoTDevice_DeviceType = tostring(DeviceType), DeviceIsExternal = tostring(DeviceIsExternal)\\n\\t\\t\\t\\t\\t\\t\\t| project-rename TotalBandwidth_MB = TotalBandwidth\\n\\t\\t\\t\\t\\t\\t\\t| project IP_Address = IpAddress, IP_Aux_DeviceType = IoTDevice_DeviceType, IP_Aux_LastActivity = LastActivity, IP_Aux_Protocols = Protocols, IP_Aux_ServerPorts = ServerPorts, IP_Aux_TotalBandwidth_MB = TotalBandwidth_MB, IP_Aux_IsExternal = DeviceIsExternal\\n\\t\\t\\t\\t\\t\\t\\t| extend IP_Aux_TotalBandwidth_MB = floor(todecimal(IP_Aux_TotalBandwidth_MB / 1000), 0.1)\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by IP_Aux_TotalBandwidth_MB\\n\\t\\t\\t\\t\\t\\t\\t};\\n\\t\\t\\t\\t\\t\\t\\tConnectionData_DefenderForIoT_GetIoTDevice2IP(\u0027\u003cdeviceId\u003e\u0027)\",\"inputFields\":[\"deviceId\"],\"outputEntityTypes\":[\"IP\"],\"dataSources\":[\"SecurityIoTRawEvent\"],\"inputEntityType\":\"IoTDevice\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/1f3ecde7-5c69-4d44-ac93-5feac6d1cd2f\",\"name\":\"1f3ecde7-5c69-4d44-ac93-5feac6d1cd2f\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Most frequent command executions on the device\",\"queryTemplate\":\"let Process_byIoTDevice = (v_IotDevice_DeviceId:string, v_IoTDevice_IoTHub:string){\\n\\t\\t\\t\\t\\t\\t\\tSecurityIoTRawEvent \\n\\t\\t\\t\\t\\t\\t\\t| where RawEventName =~ \u0027ProcessCreate\u0027\\n\\t\\t\\t\\t\\t\\t\\t| where AssociatedResourceId =~ parse_json(v_IoTDevice_IoTHub)[\u0027ResourceId\u0027] and DeviceId =~ v_IotDevice_DeviceId\\n\\t\\t\\t\\t\\t\\t\\t| extend Process_CommandLine = tostring(parse_json(EventDetails)[\u0027CommandLine\u0027])\\n\\t\\t\\t\\t\\t\\t\\t| extend Process_ProcessId = tostring(parse_json(EventDetails)[\u0027ProcessId\u0027])\\n\\t\\t\\t\\t\\t\\t\\t| extend Process_ParentProcess_ProcessId = tostring(parse_json(EventDetails)[\u0027ParentProcessId\u0027])\\n\\t\\t\\t\\t\\t\\t\\t| extend Process_CreationTimeUtc = TimeStamp\\n\\t\\t\\t\\t\\t\\t\\t| summarize procCount = count() by Process_CommandLine, Process_ProcessId, Process_ParentProcess_ProcessId, Process_CreationTimeUtc\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by procCount\\n\\t\\t\\t\\t\\t\\t\\t| extend Process_Aux_Count = procCount\\n\\t\\t\\t\\t\\t\\t\\t| project-away procCount\\n\\t\\t\\t\\t\\t\\t\\t};\\n\\t\\t\\t\\t\\t\\t\\tProcess_byIoTDevice(\u0027\u003cdeviceId\u003e\u0027, \u0027\u003cIoTHub\u003e\u0027)\",\"inputFields\":[\"deviceId\",\"IoTHub\"],\"outputEntityTypes\":[\"Process\"],\"dataSources\":[\"SecurityIoTRawEvent\"],\"inputEntityType\":\"IoTDevice\"}}]}", + "Content": "{\"value\":[{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueries/98b974fd-cc64-48b8-9bd0-3a209f5b944b\",\"name\":\"98b974fd-cc64-48b8-9bd0-3a209f5b944b\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Related entities\",\"queryTemplate\":\"let GetAlertRelatedEntities = (v_SecurityAlert_SystemAlertId:string){\\r\\n SecurityAlert\\r\\n | where SystemAlertId == v_SecurityAlert_SystemAlertId\\r\\n | project entities = todynamic(Entities)\\r\\n | mv-expand entities\\r\\n | project-rename entity=entities};\\r\\n GetAlertRelatedEntities(\u0027\u003csystemAlertId\u003e\u0027)\",\"inputFields\":[\"systemAlertId\"],\"outputEntityTypes\":[],\"dataSources\":[\"SecurityAlert\"],\"inputEntityType\":\"SecurityAlert\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueries/27f76e63-c41b-480f-bb18-12ad2e011d49\",\"name\":\"27f76e63-c41b-480f-bb18-12ad2e011d49\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Related entities\",\"queryTemplate\":\"\",\"inputFields\":[],\"outputEntityTypes\":[],\"dataSources\":[],\"inputEntityType\":\"HuntingBookmark\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueries/055a5692-555f-42bd-ac17-923a5a9994ed\",\"name\":\"055a5692-555f-42bd-ac17-923a5a9994ed\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Related alerts\",\"queryTemplate\":\"let GetHostRelatedAlerts = (v_Host_HostName:string){\\r\\n SecurityAlert\\r\\n | summarize arg_max(TimeGenerated, *) by SystemAlertId\\r\\n | extend entities = todynamic(Entities)\\r\\n | mv-expand entities\\r\\n | project-rename entity=entities\\r\\n | where entity[\u0027Type\u0027] == \u0027host\u0027 and entity[\u0027HostName\u0027] =~ v_Host_HostName\\r\\n | project-away entity};\\r\\n GetHostRelatedAlerts(\u0027\u003chostName\u003e\u0027)\",\"inputFields\":[\"hostName\"],\"outputEntityTypes\":[\"SecurityAlert\"],\"dataSources\":[\"SecurityAlert\"],\"inputEntityType\":\"Host\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueries/e36c2ceb-4caf-4919-8433-d61dbc3e294a\",\"name\":\"e36c2ceb-4caf-4919-8433-d61dbc3e294a\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Related bookmarks\",\"queryTemplate\":\"\",\"inputFields\":[\"hostName\"],\"outputEntityTypes\":[\"HuntingBookmark\"],\"dataSources\":[],\"inputEntityType\":\"Host\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueries/a77992f3-25e9-4d01-99a4-5ff606cc410a\",\"name\":\"a77992f3-25e9-4d01-99a4-5ff606cc410a\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Related alerts\",\"queryTemplate\":\"let GetAccountRelatedAlerts = (v_Account_Name:string){\\r\\n SecurityAlert\\r\\n | summarize arg_max(TimeGenerated, *) by SystemAlertId\\r\\n | extend entities = todynamic(Entities)\\r\\n | mv-expand entities\\r\\n | project-rename entity=entities\\r\\n | where entity[\u0027Type\u0027] == \u0027account\u0027 and entity[\u0027Name\u0027] =~ v_Account_Name\\r\\n | project-away entity};\\r\\n GetAccountRelatedAlerts(\u0027\u003caccountName\u003e\u0027)\",\"inputFields\":[\"accountName\"],\"outputEntityTypes\":[\"SecurityAlert\"],\"dataSources\":[\"SecurityAlert\"],\"inputEntityType\":\"Account\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueries/504ea455-3bf7-47ef-8555-dc747b465f99\",\"name\":\"504ea455-3bf7-47ef-8555-dc747b465f99\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Related bookmarks\",\"queryTemplate\":\"\",\"inputFields\":[\"accountName\"],\"outputEntityTypes\":[\"HuntingBookmark\"],\"dataSources\":[],\"inputEntityType\":\"Account\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueries/4a014a1b-c5a1-499f-9f54-3f7b99b0a675\",\"name\":\"4a014a1b-c5a1-499f-9f54-3f7b99b0a675\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Related alerts\",\"queryTemplate\":\"let GetAzureResourceRelatedAlerts = (v_AzureResource_ResourceId:string){\\r\\n SecurityAlert\\r\\n | summarize arg_max(TimeGenerated, *) by SystemAlertId\\r\\n | extend entities = todynamic(Entities)\\r\\n | mv-expand entities\\r\\n | project-rename entity=entities\\r\\n | where entity[\u0027Type\u0027] == \u0027azure-resource\u0027 and entity[\u0027ResourceId\u0027] =~ v_AzureResource_ResourceId\\r\\n | project-away entity};\\r\\n GetAzureResourceRelatedAlerts(\u0027\u003cresourceId\u003e\u0027)\",\"inputFields\":[\"resourceId\"],\"outputEntityTypes\":[\"SecurityAlert\"],\"dataSources\":[\"SecurityAlert\"],\"inputEntityType\":\"AzureResource\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueries/f74ad13a-ae93-47b9-8782-b1142b95d046\",\"name\":\"f74ad13a-ae93-47b9-8782-b1142b95d046\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Related alerts\",\"queryTemplate\":\"let GetCloudApplicationRelatedAlerts = (v_CloudApplication_AppId:string){\\r\\n SecurityAlert\\r\\n | summarize arg_max(TimeGenerated, *) by SystemAlertId\\r\\n | extend entities = todynamic(Entities)\\r\\n | mv-expand entities\\r\\n | project-rename entity=entities\\r\\n | where entity[\u0027Type\u0027] == \u0027cloud-application\u0027 and entity[\u0027AppId\u0027] =~ v_CloudApplication_AppId\\r\\n | project-away entity};\\r\\n GetCloudApplicationRelatedAlerts(\u0027\u003cappId\u003e\u0027)\",\"inputFields\":[\"appId\"],\"outputEntityTypes\":[\"SecurityAlert\"],\"dataSources\":[\"SecurityAlert\"],\"inputEntityType\":\"CloudApplication\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueries/80218599-45b4-4402-95cc-86f9929dd43d\",\"name\":\"80218599-45b4-4402-95cc-86f9929dd43d\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Related alerts\",\"queryTemplate\":\"let GetDNSRelatedAlerts = (v_DNS_DomainName:string){\\r\\n SecurityAlert\\r\\n | summarize arg_max(TimeGenerated, *) by SystemAlertId\\r\\n | extend entities = todynamic(Entities)\\r\\n | mv-expand entities\\r\\n | project-rename entity=entities\\r\\n | where entity[\u0027Type\u0027] == \u0027dns\u0027 and entity[\u0027DomainName\u0027] =~ v_DNS_DomainName\\r\\n | project-away entity};\\r\\n GetDNSRelatedAlerts(\u0027\u003cdomainName\u003e\u0027)\",\"inputFields\":[\"domainName\"],\"outputEntityTypes\":[\"SecurityAlert\"],\"dataSources\":[\"SecurityAlert\"],\"inputEntityType\":\"DNS\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueries/0f0bccef-4512-4530-a866-27056a39dcd6\",\"name\":\"0f0bccef-4512-4530-a866-27056a39dcd6\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Related alerts\",\"queryTemplate\":\"let GetFileRelatedAlerts = (v_File_Name:string){\\r\\n SecurityAlert\\r\\n | summarize arg_max(TimeGenerated, *) by SystemAlertId\\r\\n | extend entities = todynamic(Entities)\\r\\n | mv-expand entities\\r\\n | project-rename entity=entities\\r\\n | where entity[\u0027Type\u0027] == \u0027file\u0027 and entity[\u0027Name\u0027] =~ v_File_Name\\r\\n | project-away entity};\\r\\n GetFileRelatedAlerts(\u0027\u003cfileName\u003e\u0027)\",\"inputFields\":[\"fileName\"],\"outputEntityTypes\":[\"SecurityAlert\"],\"dataSources\":[\"SecurityAlert\"],\"inputEntityType\":\"File\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueries/b6eaa3ad-e69b-437e-9c13-bb5273dd34ab\",\"name\":\"b6eaa3ad-e69b-437e-9c13-bb5273dd34ab\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Related alerts\",\"queryTemplate\":\"let GetFileHashRelatedAlerts = (v_FileHash_Value:string){\\r\\n SecurityAlert\\r\\n | summarize arg_max(TimeGenerated, *) by SystemAlertId\\r\\n | extend entities = todynamic(Entities)\\r\\n | mv-expand entities\\r\\n | project-rename entity=entities\\r\\n | where entity[\u0027Type\u0027] == \u0027filehash\u0027 and entity[\u0027Value\u0027] =~ v_FileHash_Value\\r\\n | project-away entity};\\r\\n GetFileHashRelatedAlerts(\u0027\u003chashValue\u003e\u0027)\",\"inputFields\":[\"hashValue\"],\"outputEntityTypes\":[\"SecurityAlert\"],\"dataSources\":[\"SecurityAlert\"],\"inputEntityType\":\"FileHash\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueries/58c1516f-b78a-4d78-9e71-77c40849c27b\",\"name\":\"58c1516f-b78a-4d78-9e71-77c40849c27b\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Related alerts\",\"queryTemplate\":\"let GetIPRelatedAlerts = (v_IP_Address:string){\\r\\n SecurityAlert\\r\\n | summarize arg_max(TimeGenerated, *) by SystemAlertId\\r\\n | extend entities = todynamic(Entities)\\r\\n | mv-expand entities\\r\\n | project-rename entity=entities\\r\\n | where entity[\u0027Type\u0027] == \u0027ip\u0027 and entity[\u0027Address\u0027] =~ v_IP_Address\\r\\n | project-away entity};\\r\\n GetIPRelatedAlerts(\u0027\u003caddress\u003e\u0027)\",\"inputFields\":[\"address\"],\"outputEntityTypes\":[\"SecurityAlert\"],\"dataSources\":[\"SecurityAlert\"],\"inputEntityType\":\"IP\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueries/6a6a5dcb-605c-4dad-8bb6-c8c439db4f0a\",\"name\":\"6a6a5dcb-605c-4dad-8bb6-c8c439db4f0a\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Related bookmarks\",\"queryTemplate\":\"\",\"inputFields\":[\"address\"],\"outputEntityTypes\":[\"HuntingBookmark\"],\"dataSources\":[],\"inputEntityType\":\"IP\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueries/b8407195-b9a3-4565-bf08-7b23e5c57e3a\",\"name\":\"b8407195-b9a3-4565-bf08-7b23e5c57e3a\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Related alerts\",\"queryTemplate\":\"let GetMalwareRelatedAlerts = (v_Malware_Name:string){\\r\\n SecurityAlert\\r\\n | summarize arg_max(TimeGenerated, *) by SystemAlertId\\r\\n | extend entities = todynamic(Entities)\\r\\n | mv-expand entities\\r\\n | project-rename entity=entities\\r\\n | where entity[\u0027Type\u0027] == \u0027malware\u0027 and entity[\u0027Name\u0027] =~ v_Malware_Name\\r\\n | project-away entity};\\r\\n GetMalwareRelatedAlerts(\u0027\u003cmalwareName\u003e\u0027)\",\"inputFields\":[\"malwareName\"],\"outputEntityTypes\":[\"SecurityAlert\"],\"dataSources\":[\"SecurityAlert\"],\"inputEntityType\":\"Malware\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueries/63a4fa2f-f89d-4cf5-96a2-cb2479e49731\",\"name\":\"63a4fa2f-f89d-4cf5-96a2-cb2479e49731\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Related alerts\",\"queryTemplate\":\"let GetProcessRelatedAlerts = (v_Process_ProcessId:string){\\r\\n SecurityAlert\\r\\n | summarize arg_max(TimeGenerated, *) by SystemAlertId\\r\\n | extend entities = todynamic(Entities)\\r\\n | mv-expand entities\\r\\n | project-rename entity=entities\\r\\n | where entity[\u0027Type\u0027] == \u0027process\u0027 and entity[\u0027ProcessId\u0027] =~ v_Process_ProcessId\\r\\n | project-away entity};\\r\\n GetProcessRelatedAlerts(\u0027\u003cprocessId\u003e\u0027)\",\"inputFields\":[\"processId\"],\"outputEntityTypes\":[\"SecurityAlert\"],\"dataSources\":[\"SecurityAlert\"],\"inputEntityType\":\"Process\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueries/d788cd65-a7ef-448e-aa34-81185ac0e611\",\"name\":\"d788cd65-a7ef-448e-aa34-81185ac0e611\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Related alerts\",\"queryTemplate\":\"let GetRegistryKeyRelatedAlerts = (v_RegistryKey_Key:string){\\r\\n SecurityAlert\\r\\n | summarize arg_max(TimeGenerated, *) by SystemAlertId\\r\\n | extend entities = todynamic(Entities)\\r\\n | mv-expand entities\\r\\n | project-rename entity=entities\\r\\n | where entity[\u0027Type\u0027] == \u0027registry-key\u0027 and entity[\u0027Key\u0027] =~ v_RegistryKey_Key\\r\\n | project-away entity};\\r\\n GetRegistryKeyRelatedAlerts(\u0027\u003ckey\u003e\u0027)\",\"inputFields\":[\"key\"],\"outputEntityTypes\":[\"SecurityAlert\"],\"dataSources\":[\"SecurityAlert\"],\"inputEntityType\":\"RegistryKey\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueries/3a45a7e3-80e0-4e05-84db-b97bd1ae452b\",\"name\":\"3a45a7e3-80e0-4e05-84db-b97bd1ae452b\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Related alerts\",\"queryTemplate\":\"let GetRegistryValueRelatedAlerts = (v_RegistryValue_Name:string){\\r\\n SecurityAlert\\r\\n | summarize arg_max(TimeGenerated, *) by SystemAlertId\\r\\n | extend entities = todynamic(Entities)\\r\\n | mv-expand entities\\r\\n | project-rename entity=entities\\r\\n | where entity[\u0027Type\u0027] == \u0027registry-value\u0027 and entity[\u0027Name\u0027] =~ v_RegistryValue_Name\\r\\n | project-away entity};\\r\\n GetRegistryValueRelatedAlerts(\u0027\u003cvalueName\u003e\u0027)\",\"inputFields\":[\"valueName\"],\"outputEntityTypes\":[\"SecurityAlert\"],\"dataSources\":[\"SecurityAlert\"],\"inputEntityType\":\"RegistryValue\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueries/43c07636-6be0-4c62-8c62-9a6040a98821\",\"name\":\"43c07636-6be0-4c62-8c62-9a6040a98821\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Related alerts\",\"queryTemplate\":\"let GetSecurityGroupRelatedAlerts = (v_SecurityGroup_DistinguishedName:string){\\r\\n SecurityAlert\\r\\n | summarize arg_max(TimeGenerated, *) by SystemAlertId\\r\\n | extend entities = todynamic(Entities)\\r\\n | mv-expand entities\\r\\n | project-rename entity=entities\\r\\n | where entity[\u0027Type\u0027] == \u0027security-group\u0027 and entity[\u0027DistinguishedName\u0027] =~ v_SecurityGroup_DistinguishedName\\r\\n | project-away entity};\\r\\n GetSecurityGroupRelatedAlerts(\u0027\u003cdistinguishedName\u003e\u0027)\",\"inputFields\":[\"distinguishedName\"],\"outputEntityTypes\":[\"SecurityAlert\"],\"dataSources\":[\"SecurityAlert\"],\"inputEntityType\":\"SecurityGroup\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueries/7b61d5e2-4b66-40a7-bb0f-9145b445104e\",\"name\":\"7b61d5e2-4b66-40a7-bb0f-9145b445104e\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Related alerts\",\"queryTemplate\":\"let GetURLRelatedAlerts = (v_URL_Url:string){\\r\\n SecurityAlert\\r\\n | summarize arg_max(TimeGenerated, *) by SystemAlertId\\r\\n | extend entities = todynamic(Entities)\\r\\n | mv-expand entities\\r\\n | project-rename entity=entities\\r\\n | where entity[\u0027Type\u0027] == \u0027url\u0027 and entity[\u0027Url\u0027] =~ v_URL_Url\\r\\n | project-away entity};\\r\\n GetURLRelatedAlerts(\u0027\u003curl\u003e\u0027)\",\"inputFields\":[\"url\"],\"outputEntityTypes\":[\"SecurityAlert\"],\"dataSources\":[\"SecurityAlert\"],\"inputEntityType\":\"URL\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueries/855ea9fe-2fdd-4890-8daa-c895c136eef3\",\"name\":\"855ea9fe-2fdd-4890-8daa-c895c136eef3\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Related bookmarks\",\"queryTemplate\":\"\",\"inputFields\":[\"url\"],\"outputEntityTypes\":[\"HuntingBookmark\"],\"dataSources\":[],\"inputEntityType\":\"URL\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueries/4daeed0e-0e74-4f2d-990c-a958210e9dd7\",\"name\":\"4daeed0e-0e74-4f2d-990c-a958210e9dd7\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Related alerts\",\"queryTemplate\":\"let GetIoTDeviceRelatedAlerts = (v_IoTDevice_DeviceId:string){\\r\\n SecurityAlert\\r\\n | summarize arg_max(TimeGenerated, *) by SystemAlertId\\r\\n | extend entities = todynamic(Entities)\\r\\n | mv-expand entities\\r\\n | project-rename entity=entities\\r\\n | where entity[\u0027Type\u0027] == \u0027iotdevice\u0027 and entity[\u0027DeviceId\u0027] =~ v_IoTDevice_DeviceId\\r\\n | project-away entity};\\r\\n GetIoTDeviceRelatedAlerts(\u0027\u003cdeviceId\u003e\u0027)\",\"inputFields\":[\"deviceId\"],\"outputEntityTypes\":[\"SecurityAlert\"],\"dataSources\":[\"SecurityAlert\"],\"inputEntityType\":\"IoTDevice\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueries/fb123681-fb7e-4684-86fd-3866df84ac2f\",\"name\":\"fb123681-fb7e-4684-86fd-3866df84ac2f\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Assigned IPs\",\"queryTemplate\":\"let GetIPsForHost = (v_Host_HostName:string){\\r\\n Heartbeat\\r\\n | where Computer =~ v_Host_HostName\\r\\n | summarize arg_max(TimeGenerated, *) by ComputerIP\\r\\n };\\r\\n GetIPsForHost(\u0027\u003chostName\u003e\u0027)\",\"inputFields\":[\"hostName\"],\"outputEntityTypes\":[\"IP\"],\"dataSources\":[],\"inputEntityType\":\"Host\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueries/fa16a940-53cc-4e45-9e6f-d8409cb42390\",\"name\":\"fa16a940-53cc-4e45-9e6f-d8409cb42390\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Host assigned with IP\",\"queryTemplate\":\"let GetHostsForIp = (v_IP_Address:string){\\r\\n Heartbeat\\r\\n | where ComputerIP =~ v_IP_Address\\r\\n | summarize arg_max(TimeGenerated, *) by Computer\\r\\n };\\r\\n GetHostsForIp(\u0027\u003caddress\u003e\u0027)\",\"inputFields\":[\"address\"],\"outputEntityTypes\":[\"Host\"],\"dataSources\":[],\"inputEntityType\":\"IP\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueries/0a691e7d-a9bb-4a80-8591-2cc0b5094298\",\"name\":\"0a691e7d-a9bb-4a80-8591-2cc0b5094298\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Related alerts\",\"queryTemplate\":\"let GetMailboxRelatedAlerts = (v_Mailbox_MailboxPrimaryAddress:string){\\r\\n SecurityAlert\\r\\n | summarize arg_max(TimeGenerated, *) by SystemAlertId\\r\\n | extend entities = todynamic(Entities)\\r\\n | mv-expand entities\\r\\n | project-rename entity=entities\\r\\n | where entity[\u0027Type\u0027] == \u0027mailbox\u0027 and entity[\u0027MailboxPrimaryAddress\u0027] =~ v_Mailbox_MailboxPrimaryAddress\\r\\n | project-away entity};\\r\\n GetMailboxRelatedAlerts(\u0027\u003cmailboxPrimaryAddress\u003e\u0027)\",\"inputFields\":[\"mailboxPrimaryAddress\"],\"outputEntityTypes\":[\"SecurityAlert\"],\"dataSources\":[\"SecurityAlert\"],\"inputEntityType\":\"Mailbox\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueries/cf68388a-a0db-41d5-969f-919f7a2e47bc\",\"name\":\"cf68388a-a0db-41d5-969f-919f7a2e47bc\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Related alerts\",\"queryTemplate\":\"let GetMailClusterRelatedAlerts = (v_MailCluster_Query:string){\\r\\n SecurityAlert\\r\\n | summarize arg_max(TimeGenerated, *) by SystemAlertId\\r\\n | extend entities = todynamic(Entities)\\r\\n | mv-expand entities\\r\\n | project-rename entity=entities\\r\\n | where entity[\u0027Type\u0027] == \u0027mailCluster\u0027 and entity[\u0027Query\u0027] =~ v_MailCluster_Query\\r\\n | project-away entity};\\r\\n GetMailClusterRelatedAlerts(\u0027\u003cquery\u003e\u0027)\",\"inputFields\":[\"query\"],\"outputEntityTypes\":[\"SecurityAlert\"],\"dataSources\":[\"SecurityAlert\"],\"inputEntityType\":\"MailCluster\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueries/33fbca35-93cf-45f8-864f-eb3d553d5bb8\",\"name\":\"33fbca35-93cf-45f8-864f-eb3d553d5bb8\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Related alerts\",\"queryTemplate\":\"let GetMailMessageRelatedAlerts = (v_MailMessage_NetworkMessageId:string){\\r\\n SecurityAlert\\r\\n | summarize arg_max(TimeGenerated, *) by SystemAlertId\\r\\n | extend entities = todynamic(Entities)\\r\\n | mv-expand entities\\r\\n | project-rename entity=entities\\r\\n | where entity[\u0027Type\u0027] == \u0027mailMessage\u0027 and entity[\u0027NetworkMessageId\u0027] =~ v_MailMessage_NetworkMessageId\\r\\n | project-away entity};\\r\\n GetMailMessageRelatedAlerts(\u0027\u003cnetworkMessageId\u003e\u0027)\",\"inputFields\":[\"networkMessageId\"],\"outputEntityTypes\":[\"SecurityAlert\"],\"dataSources\":[\"SecurityAlert\"],\"inputEntityType\":\"MailMessage\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueries/d215b047-259d-40b4-843c-4d509b013525\",\"name\":\"d215b047-259d-40b4-843c-4d509b013525\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Related alerts\",\"queryTemplate\":\"let GetSubmissionMailRelatedAlerts = (v_SubmissionMail_SubmissionId:string){\\r\\n SecurityAlert\\r\\n | summarize arg_max(TimeGenerated, *) by SystemAlertId\\r\\n | extend entities = todynamic(Entities)\\r\\n | mv-expand entities\\r\\n | project-rename entity=entities\\r\\n | where entity[\u0027Type\u0027] == \u0027SubmissionMail\u0027 and entity[\u0027SubmissionId\u0027] =~ v_SubmissionMail_SubmissionId\\r\\n | project-away entity};\\r\\n GetSubmissionMailRelatedAlerts(\u0027\u003csubmissionId\u003e\u0027)\",\"inputFields\":[\"submissionId\"],\"outputEntityTypes\":[\"SecurityAlert\"],\"dataSources\":[\"SecurityAlert\"],\"inputEntityType\":\"SubmissionMail\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueries/6168f65c-448f-4732-8b6c-10e5693de946\",\"name\":\"6168f65c-448f-4732-8b6c-10e5693de946\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"IoTDevice related Nics\",\"queryTemplate\":\"let GetIoTDeviceRelatedNics = (v_IoTDevice_DeviceId:string){\\r\\n SecurityAlert\\r\\n | summarize arg_max(TimeGenerated, *) by SystemAlertId\\r\\n | extend entities = todynamic(Entities)\\r\\n | mv-expand entities\\r\\n | project-rename entity=entities\\r\\n | where entity[\u0027Type\u0027] == \u0027iotdevice\u0027\\r\\n and entity[\u0027DeviceId\u0027] =~ v_IoTDevice_DeviceId\\r\\n | project Nic = entity[\u0027Nics\u0027]\\r\\n | mv-expand Nic\\r\\n | where isnotempty(Nic)\\r\\n };\\r\\n GetIoTDeviceRelatedNics(\u0027\u003cdeviceId\u003e\u0027)\",\"inputFields\":[\"deviceId\"],\"outputEntityTypes\":[\"Nic\"],\"dataSources\":[],\"inputEntityType\":\"IoTDevice\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueries/887b5f82-f5a8-4735-bec9-1e563ced0f9f\",\"name\":\"887b5f82-f5a8-4735-bec9-1e563ced0f9f\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"IoTDevice related Azure Resources\",\"queryTemplate\":\"let GetIoTDeviceRelatedIoTHub = (v_IoTDevice_DeviceId:string){\\r\\n SecurityAlert\\r\\n | summarize arg_max(TimeGenerated, *) by SystemAlertId\\r\\n | extend entities = todynamic(Entities)\\r\\n | mv-expand entities\\r\\n | project-rename entity=entities\\r\\n | where entity[\u0027Type\u0027] =~ \u0027iotdevice\u0027\\r\\n and entity[\u0027DeviceId\u0027] =~ v_IoTDevice_DeviceId\\r\\n | project IoTHub = entity[\u0027IoTHub\u0027]\\r\\n | mv-expand IoTHub\\r\\n | where isnotempty(IoTHub)\\r\\n };\\r\\n GetIoTDeviceRelatedIoTHub(\u0027\u003cdeviceId\u003e\u0027)\",\"inputFields\":[\"deviceId\"],\"outputEntityTypes\":[\"AzureResource\"],\"dataSources\":[],\"inputEntityType\":\"IoTDevice\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueries/f70e333a-fc67-445f-88db-e4665a3425e4\",\"name\":\"f70e333a-fc67-445f-88db-e4665a3425e4\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Nic related Ip\",\"queryTemplate\":\"let GetNicRelatedIpAddress = (v_Nic_MacAddress:string){\\r\\n SecurityAlert\\r\\n | summarize arg_max(TimeGenerated, *) by SystemAlertId\\r\\n | extend entities = todynamic(Entities)\\r\\n | mv-expand entities\\r\\n | project-rename entity=entities\\r\\n | where entity[\u0027Type\u0027] =~ \u0027nic\u0027\\r\\n and entity[\u0027MacAddress\u0027] =~ v_Nic_MacAddress\\r\\n | project IpAddress = entity[\u0027IpAddress\u0027]\\r\\n | mv-expand IpAddress\\r\\n | where isnotempty(IpAddress)\\r\\n };\\r\\n GetNicRelatedIpAddress(\u0027\u003cMacAddress\u003e\u0027)\",\"inputFields\":[\"MacAddress\"],\"outputEntityTypes\":[\"IP\"],\"dataSources\":[],\"inputEntityType\":\"Nic\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueries/4c541df8-a680-4da5-96c9-74456927213f\",\"name\":\"4c541df8-a680-4da5-96c9-74456927213f\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Hosts the account failed to log in to the most\",\"queryTemplate\":\"let FailedLoginEventId = 4625;\\r\\n let SuccessfulLoginEventId = 4624;\\n\\t\\t\\t\\t\\t\\t\\tlet isimAuthenticationInstalled=toscalar(union isfuzzy=true (datatable(Test:string)[]), (imAuthentication| take 0) | getschema | count | project Exists=(Count\u003e1));\\n\\t\\t\\t\\t\\t\\t\\tlet Legacy = (v_Account_Name:string, v_Account_NTDomain:string, v_Account_UPNSuffix:string){\\n\\t\\t\\t\\t\\t\\t\\t (datatable(exists:int)[1] | where not(isimAuthenticationInstalled)) | join\\n\\t\\t\\t\\t\\t\\t\\t ( \\n\\t\\t\\t\\t\\t\\t\\t SecurityEvent\\n\\t\\t\\t\\t\\t\\t\\t | extend p_Account_Name = case(\\n\\t\\t\\t\\t\\t\\t\\t v_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\n\\t\\t\\t\\t\\t\\t\\t v_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\n\\t\\t\\t\\t\\t\\t\\t v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\n\\t\\t\\t\\t\\t\\t\\t v_Account_Name\\n\\t\\t\\t\\t\\t\\t\\t )\\n\\t\\t\\t\\t\\t\\t\\t | extend p_Account_UPNSuffix = case(\\n\\t\\t\\t\\t\\t\\t\\t v_Account_UPNSuffix has \u0027@\u0027, tostring(split(v_Account_UPNSuffix, \u0027@\u0027)[1]),\\n\\t\\t\\t\\t\\t\\t\\t v_Account_UPNSuffix has \u0027\\\\\\\\\u0027, tostring(split(v_Account_UPNSuffix, \u0027\\\\\\\\\u0027)[0]),\\n\\t\\t\\t\\t\\t\\t\\t v_Account_UPNSuffix\\n\\t\\t\\t\\t\\t\\t\\t )\\n\\t\\t\\t\\t\\t\\t\\t | extend p_Account_NTDomain = case(\\n\\t\\t\\t\\t\\t\\t\\t v_Account_NTDomain has \u0027\\\\\\\\\u0027, tostring(split(v_Account_UPNSuffix, \u0027\\\\\\\\\u0027)[0]),\\n\\t\\t\\t\\t\\t\\t\\t v_Account_NTDomain\\n\\t\\t\\t\\t\\t\\t\\t ) \\n\\t\\t\\t\\t\\t\\t\\t | extend Account_UPNSuffix = iff(Account has \u0027@\u0027, tostring(split(Account,\u0027@\u0027)[1]),\u0027\u0027)\\n\\t\\t\\t\\t\\t\\t\\t | extend Account_NTDomain = iff(Account has \u0027\\\\\\\\\u0027, tostring(split(Account,\u0027\\\\\\\\\u0027)[0]),\u0027\u0027)\\n\\t\\t\\t\\t\\t\\t\\t | extend Account_Name = extract(@\u0027^([^\\\\\\\\]*\\\\\\\\)?([^@]+)@?\u0027,2,Account)\\n\\t\\t\\t\\t\\t\\t\\t | where ( (isnotempty(Account_Name) and Account_Name==p_Account_Name) \\n\\t\\t\\t\\t\\t\\t\\t and \\n\\t\\t\\t\\t\\t\\t\\t iff(isnotempty(p_Account_NTDomain) and isnotempty(Account_NTDomain) ,p_Account_NTDomain==Account_NTDomain,true )\\n\\t\\t\\t\\t\\t\\t\\t and\\n\\t\\t\\t\\t\\t\\t\\t iff(isnotempty(p_Account_UPNSuffix) and isnotempty(Account_UPNSuffix) ,p_Account_UPNSuffix==Account_UPNSuffix,true )\\n\\t\\t\\t\\t\\t\\t\\t )\\n\\t\\t\\t\\t\\t\\t\\t | summarize Host_Aux_SuccessfulLoginCount = countif(EventID==SuccessfulLoginEventId)\\n\\t\\t\\t\\t\\t\\t\\t , Host_Aux_FailedLoginsCount\\t= countif(EventID==FailedLoginEventId)\\n\\t\\t\\t\\t\\t\\t\\t , Host_Aux_LogonTypes=make_set(LogonType)\\n\\t\\t\\t\\t\\t\\t\\t by Computer, Account, SourceComputerId, _ResourceId\\n\\t\\t\\t\\t\\t\\t\\t | top 10 by Host_Aux_FailedLoginsCount\\n\\t\\t\\t\\t\\t\\t\\t | parse Computer with Host_NTDomain \u0027\\\\\\\\\u0027 *\\n\\t\\t\\t\\t\\t\\t\\t | extend Host_HostName = tostring(split(Computer,\u0027.\u0027)[0]), \\n\\t\\t\\t\\t\\t\\t\\t Host_DnsDomain = strcat_array(array_slice(split(Computer,\u0027.\u0027),1,256),\u0027.\u0027)\\n\\t\\t\\t\\t\\t\\t\\t , Host_OMSAgentID=SourceComputerId, Host_AzureID = _ResourceId\\n\\t\\t\\t\\t\\t\\t\\t | project-away Computer, Account, _ResourceId, SourceComputerId\\n\\t\\t\\t\\t\\t\\t\\t | extend exists=int(1) ) on exists | project-away exists, exists1 \\n\\t\\t\\t\\t\\t\\t\\t };\\n\\t\\t\\t\\t\\t\\t\\t let Normalized = (v_Account_Name:string, v_Account_NTDomain:string, v_Account_UPNSuffix:string){\\n\\t\\t\\t\\t\\t\\t\\t (datatable(exists:int)[1] | where isimAuthenticationInstalled) | join \\n\\t\\t\\t\\t\\t\\t\\t (\\n\\t\\t\\t\\t\\t\\t\\t imAuthentication(starttime=ago(24h),targetusername_has=v_Account_Name) \\n\\t\\t\\t\\t\\t\\t\\t | where isnotempty(TargetDvcHostname)\\n\\t\\t\\t\\t\\t\\t\\t //* postfiltering *\\n\\t\\t\\t\\t\\t\\t\\t | where TargetUsername has v_Account_Name\\n\\t\\t\\t\\t\\t\\t\\t | summarize Host_Aux_SuccessfulLoginCount = countif(EventResult==\u0027Success\u0027)\\n\\t\\t\\t\\t\\t\\t\\t , Host_Aux_FailedLoginsCount\\t= countif(EventResult==\u0027Failure\u0027)\\n\\t\\t\\t\\t\\t\\t\\t , Host_Aux_LogonTypes=make_set(EventSubType)\\n\\t\\t\\t\\t\\t\\t\\t by TargetDvcHostname, TargetDvcId\\n\\t\\t\\t\\t\\t\\t\\t | top 10 by Host_Aux_FailedLoginsCount\\n\\t\\t\\t\\t\\t\\t\\t | parse TargetDvcHostname with Host_NTDomain \u0027\\\\\\\\\u0027 *\\n\\t\\t\\t\\t\\t\\t\\t | extend Host_UnstructuredName = TargetDvcHostname\\n\\t\\t\\t\\t\\t\\t\\t | project-keep Host_*\\n\\t\\t\\t\\t\\t\\t\\t | extend exists=int(1) ) on exists | project-away exists, exists1 \\n\\t\\t\\t\\t\\t\\t\\t };\\n\\t\\t\\t\\t\\t\\t\\t union isfuzzy=true Legacy(\u0027\u003caccountName\u003e\u0027,\u0027\u003cntDomain\u003e\u0027,\u0027\u003cupnSuffix\u003e\u0027),Normalized(\u0027\u003caccountName\u003e\u0027,\u0027\u003cntDomain\u003e\u0027,\u0027\u003cupnSuffix\u003e\u0027)\",\"inputFields\":[\"accountName\",\"upnSuffix\",\"ntDomain\"],\"outputEntityTypes\":[\"Host\"],\"dataSources\":[\"SecurityEvent\"],\"inputEntityType\":\"Account\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueries/2db8cac9-d2ce-4494-93bf-4678cd872ce4\",\"name\":\"2db8cac9-d2ce-4494-93bf-4678cd872ce4\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"IPs from rare locations used by account\",\"queryTemplate\":\"let IPsFromRareLocations = (v_Account_Name:string, v_Account_UPNSuffix:string, v_Account_AadUserId:string){\\n\\t\\t\\t\\t\\t\\t\\tlet LocationPrevalence =\\n\\t\\t\\t\\t\\t\\t\\tSigninLogs\\n\\t\\t\\t\\t\\t\\t\\t| extend p_Account_Name = case(\\n\\t\\t\\t\\t\\t\\t\\tv_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\n\\t\\t\\t\\t\\t\\t\\tv_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\n\\t\\t\\t\\t\\t\\t\\tv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\n\\t\\t\\t\\t\\t\\t\\tv_Account_Name\\n\\t\\t\\t\\t\\t\\t\\t)\\n\\t\\t\\t\\t\\t\\t\\t| extend p_Account_UPNSuffix = case(\\n\\t\\t\\t\\t\\t\\t\\tv_Account_UPNSuffix has \u0027@\u0027, tostring(split(v_Account_UPNSuffix, \u0027@\u0027)[1]),\\n\\t\\t\\t\\t\\t\\t\\tv_Account_UPNSuffix has \u0027\\\\\\\\\u0027, tostring(split(v_Account_UPNSuffix, \u0027\\\\\\\\\u0027)[0]),\\n\\t\\t\\t\\t\\t\\t\\tv_Account_UPNSuffix\\n\\t\\t\\t\\t\\t\\t\\t)\\n\\t\\t\\t\\t\\t\\t\\t| parse UserPrincipalName with Account_Name \u0027@\u0027 Account_UPNSuffix\\n\\t\\t\\t\\t\\t\\t\\t| extend Account_AadUserId = toguid(UserId)\\n\\t\\t\\t\\t\\t\\t\\t| where (isnotempty(Account_Name) and Account_Name =~ p_Account_Name and isnotempty(Account_UPNSuffix) and Account_UPNSuffix =~ p_Account_UPNSuffix)\\n\\t\\t\\t\\t\\t\\t\\tor (isnotempty(Account_AadUserId) and Account_AadUserId == toguid(v_Account_AadUserId))\\n\\t\\t\\t\\t\\t\\t\\t| extend FullLocation = strcat(Location,\u0027|\u0027, LocationDetails.state, \u0027|\u0027, LocationDetails.city)\\n\\t\\t\\t\\t\\t\\t\\t| summarize ConnectionCount = count() by FullLocation, UserPrincipalName, IPAddress, Account_Name, Account_UPNSuffix, Account_AadUserId;\\n\\t\\t\\t\\t\\t\\t\\tLocationPrevalence\\n\\t\\t\\t\\t\\t\\t\\t| summarize make_list(IPAddress), make_list(FullLocation), make_list(ConnectionCount), dcount(FullLocation), totalActivity = sum(ConnectionCount) by UserPrincipalName, Account_Name, Account_UPNSuffix, Account_AadUserId\\n\\t\\t\\t\\t\\t\\t\\t| mvexpand Location = list_FullLocation, ConnectionCount = list_ConnectionCount, IPAddress = list_IPAddress\\n\\t\\t\\t\\t\\t\\t\\t| extend Location = tostring(Location), ConnectionCount = toint(ConnectionCount), IPAddress = tostring(IPAddress)\\n\\t\\t\\t\\t\\t\\t\\t| extend percentOfActivity = 100*round(todouble(ConnectionCount)/totalActivity,4)\\n\\t\\t\\t\\t\\t\\t\\t| where percentOfActivity \u003c 10\\n\\t\\t\\t\\t\\t\\t\\t| project UserPrincipalName, Account_Name, Account_UPNSuffix, Account_AadUserId, IPAddress, Location, ConnectionCount, percentOfActivity\\n\\t\\t\\t\\t\\t\\t\\t| sort by percentOfActivity asc, ConnectionCount desc\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by percentOfActivity asc\\n\\t\\t\\t\\t\\t\\t\\t| extend IP_Location_Country = tostring(split(Location,\u0027|\u0027)[0]), IP_Location_Region = tostring(split(Location,\u0027|\u0027)[1]), IP_Location_City = tostring(split(Location,\u0027|\u0027)[2])\\n\\t\\t\\t\\t\\t\\t\\t| extend Account_Aux_info = pack(\u0027PercentOfActivity\u0027, percentOfActivity, \u0027ConnectionCount\u0027, ConnectionCount)\\n\\t\\t\\t\\t\\t\\t\\t| parse UserPrincipalName with Account_NTDomain \u0027\\\\\\\\\u0027 *\\n\\t\\t\\t\\t\\t\\t\\t| project Account_UnstructuredName = UserPrincipalName, Account_Name, Account_NTDomain, Account_UPNSuffix, Account_AadUserId, IP_Address = IPAddress, IP_Location_Country, IP_Location_Region, IP_Location_City, Account_Aux_info\\n\\t\\t\\t\\t\\t\\t\\t};\\n\\t\\t\\t\\t\\t\\t\\tIPsFromRareLocations(\u0027\u003caccountName\u003e\u0027, \u0027\u003cupnSuffix\u003e\u0027, \u0027\u003caadUserId\u003e\u0027)\",\"inputFields\":[\"accountName\",\"upnSuffix\",\"aadUserId\"],\"outputEntityTypes\":[\"IP\"],\"dataSources\":[\"SigninLogs\"],\"inputEntityType\":\"Account\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueries/160c7513-f704-46b7-adf9-d9c4176a44a3\",\"name\":\"160c7513-f704-46b7-adf9-d9c4176a44a3\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Hosts triggering Microsoft Defender Application Control\",\"queryTemplate\":\"let AppControlEvents=(v_Account_Name:string, v_Account_UPNSuffix:string, v_Account_Sid:string){\\n\\t\\t\\t\\t\\t\\t\\tlet p_Account_UPN = iff(isnotempty(v_Account_Name) and isnotempty(v_Account_UPNSuffix), strcat(v_Account_Name,\u0027@\u0027,v_Account_UPNSuffix), \\\"\\\");\\n\\t\\t\\t\\t\\t\\t\\tlet AppControls=datatable(ActionType:string, Description:string, FriendlyActivityName:string)\\n\\t\\t\\t\\t\\t\\t\\t [\\\"AppControlAppInstallationAudited\\\", \\\"Application control detected the installation of an untrusted app.\\\",\\\"Untrusted app installed\\\"\\n\\t\\t\\t\\t\\t\\t\\t ,\\\"AppControlAppInstallationBlocked\\\", \\\"Application control blocked the installation of an untrusted app.\\\", \\\"Untrusted app installation blocked\\\"\\n\\t\\t\\t\\t\\t\\t\\t ,\\\"AppControlCodeIntegrityDriverRevoked\\\", \\\"Application control found a driver with a revoked certificate.\\\", \\\"Driver with revoked certificate detected\\\"\\n\\t\\t\\t\\t\\t\\t\\t ,\\\"AppControlCodeIntegrityImageRevoked\\\", \\\"Application control found an executable file with a revoked certificate.\\\", \\\"Executable with revoked certificate detected\\\"\\n\\t\\t\\t\\t\\t\\t\\t ,\\\"AppControlExecutableAudited\\\",\\\"Application control detected the use of an untrusted executable.\\\",\\\"Untrusted executable used\\\"\\n\\t\\t\\t\\t\\t\\t\\t ,\\\"AppControlExecutableClocked\\\",\\\"Application control blocked the use of an untrusted executable.\\\",\\\"Untrusted executable blocked\\\"\\n\\t\\t\\t\\t\\t\\t\\t ,\\\"AppControlScriptAudited\\\", \\\"Application control detected the use of an untrusted script.\\\", \\\"Untrusted script detected\\\"\\n\\t\\t\\t\\t\\t\\t\\t ,\\\"AppControlScriptBlocked\\\", \\\"Application control blocked the use of an untrusted script.\\\", \\\"Untrusted script blocked\\\" ];\\n\\t\\t\\t\\t\\t\\t\\tDeviceEvents\\n\\t\\t\\t\\t\\t\\t\\t| where ActionType in (AppControls) \\n\\t\\t\\t\\t\\t\\t\\t| where isnotempty(p_Account_UPN) and p_Account_UPN =~ InitiatingProcessAccountUpn \\n\\t\\t\\t\\t\\t\\t\\t or\\n\\t\\t\\t\\t\\t\\t\\t isnotempty(v_Account_Sid) and v_Account_Sid =~ InitiatingProcessAccountSid\\n\\t\\t\\t\\t\\t\\t\\t| project Host_UnstructuredName = DeviceName\\n\\t\\t\\t\\t\\t\\t\\t| summarize Host_Aux_AppConCount=count() by Host_UnstructuredName\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by Host_Aux_AppConCount desc nulls last\\n\\t\\t\\t\\t\\t\\t\\t};\\n\\t\\t\\t\\t\\t\\t\\tAppControlEvents(\u0027\u003caccountName\u003e\u0027,\u0027\u003cupnSuffix\u003e\u0027,\u0027\u003csid\u003e\u0027)\",\"inputFields\":[\"accountName\",\"upnSuffix\",\"sid\"],\"outputEntityTypes\":[\"Host\"],\"dataSources\":[\"DeviceEvents\"],\"inputEntityType\":\"Account\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueries/f89061dd-e6d6-4553-9c88-301a7360fc14\",\"name\":\"f89061dd-e6d6-4553-9c88-301a7360fc14\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Least prevalent processes for this account\",\"queryTemplate\":\"let GetSysLogEventsByAccount = (v_Account_Name:string){\\n\\t\\t\\t\\t\\t\\t\\tSyslog\\n\\t\\t\\t\\t\\t\\t\\t| extend v_Account_Name = case(\\n\\t\\t\\t\\t\\t\\t\\tv_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\n\\t\\t\\t\\t\\t\\t\\tv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\n\\t\\t\\t\\t\\t\\t\\tv_Account_Name\\n\\t\\t\\t\\t\\t\\t\\t)\\n\\t\\t\\t\\t\\t\\t\\t| where SyslogMessage has v_Account_Name\\n\\t\\t\\t\\t\\t\\t\\t| extend info = pack(\u0027HostName\u0027, HostName, \u0027HostIP\u0027, HostIP)\\n\\t\\t\\t\\t\\t\\t\\t| summarize Process_Aux_StartTime=min(EventTime), Process_Aux_EndTime=max(EventTime), count(), Process_Aux_info = makeset(info) by Computer, ProcessName, ProcessID\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by count_ asc nulls last \\n\\t\\t\\t\\t\\t\\t\\t| project Process_Aux_StartTime, Process_Aux_EndTime, Process_Host_UnstructuredName=Computer, Process_ImageFile_FullPath=ProcessName, Process_ProcessId=tostring(ProcessID), Process_Aux_info\\n\\t\\t\\t\\t\\t\\t\\t};\\n\\t\\t\\t\\t\\t\\t\\tGetSysLogEventsByAccount(\u0027\u003caccountName\u003e\u0027)\",\"inputFields\":[\"accountName\"],\"outputEntityTypes\":[\"Process\"],\"dataSources\":[\"Syslog\"],\"inputEntityType\":\"Account\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueries/dd8f30e4-8171-452e-84a0-99bcd570bd08\",\"name\":\"dd8f30e4-8171-452e-84a0-99bcd570bd08\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Services created by account\",\"queryTemplate\":\"let GetServiceCreationsByAccount = (v_Account_Name:string, v_Account_NTDomain:string){\\n\\t\\t\\t\\t\\t\\t\\tEvent\\n\\t\\t\\t\\t\\t\\t\\t| where EventID == 7045\\n\\t\\t\\t\\t\\t\\t\\t| extend p_Account_Name = case(\\n\\t\\t\\t\\t\\t\\t\\tv_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\n\\t\\t\\t\\t\\t\\t\\tv_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\n\\t\\t\\t\\t\\t\\t\\tv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\n\\t\\t\\t\\t\\t\\t\\tv_Account_Name\\n\\t\\t\\t\\t\\t\\t\\t)\\n\\t\\t\\t\\t\\t\\t\\t| extend p_Account_NTDomain = case(\\n\\t\\t\\t\\t\\t\\t\\tv_Account_NTDomain has \u0027\\\\\\\\\u0027, tostring(split(v_Account_NTDomain, \u0027\\\\\\\\\u0027)[0]),\\n\\t\\t\\t\\t\\t\\t\\tv_Account_NTDomain has \u0027@\u0027, tostring(split(tostring(split(v_Account_NTDomain, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\n\\t\\t\\t\\t\\t\\t\\tv_Account_NTDomain\\n\\t\\t\\t\\t\\t\\t\\t)\\n\\t\\t\\t\\t\\t\\t\\t| extend Process_Account_Name = tostring(split(UserName, \u0027\\\\\\\\\u0027)[1]), Process_Account_NTDomain = tostring(split(UserName, \u0027\\\\\\\\\u0027)[0])\\n\\t\\t\\t\\t\\t\\t\\t| where Process_Account_Name =~ p_Account_Name and Process_Account_NTDomain =~ p_Account_NTDomain\\n\\t\\t\\t\\t\\t\\t\\t| extend EventDataParse = parse_xml(EventData)\\n\\t\\t\\t\\t\\t\\t\\t| extend ServiceName = tostring(EventDataParse.DataItem.EventData.Data[0][\u0027#text\u0027])\\n\\t\\t\\t\\t\\t\\t\\t| extend ImagePath = tostring(EventDataParse.DataItem.EventData.Data[1][\u0027#text\u0027])\\n\\t\\t\\t\\t\\t\\t\\t| extend ServiceType = tostring(EventDataParse.DataItem.EventData.Data[2][\u0027#text\u0027])\\n\\t\\t\\t\\t\\t\\t\\t| extend StartType = tostring(EventDataParse.DataItem.EventData.Data[3][\u0027#text\u0027])\\n\\t\\t\\t\\t\\t\\t\\t| extend ServiceAccount = tostring(EventDataParse.DataItem.EventData.Data[4][\u0027#text\u0027])\\n\\t\\t\\t\\t\\t\\t\\t| where ImagePath !has \u0027\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\Definition Updates\\\\\\\\\u0027\\n\\t\\t\\t\\t\\t\\t\\t| extend Process_Aux_Account_info = pack(\u0027ServiceName\u0027, ServiceName, \u0027ServiceType\u0027, ServiceType, \u0027StartType\u0027, StartType, \u0027ServiceAccount\u0027, ServiceAccount)\\n\\t\\t\\t\\t\\t\\t\\t| summarize Process_Host_Aux_StartTimeUtc = min(TimeGenerated), Process_Host_Aux_EndTimeUtc = max(TimeGenerated) by Process_Host_UnstructuredName = Computer, Process_Account_Name, \\n\\t\\t\\t\\t\\t\\t\\tProcess_Account_NTDomain, Process_Account_UnstructuredName = UserName, Process_ImageFile_FullPath = ImagePath, tostring(Process_Aux_Account_info)\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by Process_Host_Aux_StartTimeUtc desc nulls last\\n\\t\\t\\t\\t\\t\\t\\t};\\n\\t\\t\\t\\t\\t\\t\\tGetServiceCreationsByAccount(\u0027\u003caccountName\u003e\u0027, \u0027\u003cntDomain\u003e\u0027)\",\"inputFields\":[\"accountName\",\"ntDomain\"],\"outputEntityTypes\":[\"Process\"],\"dataSources\":[\"SecurityEvent\"],\"inputEntityType\":\"Account\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueries/84375346-c3f0-4926-ae48-a156010c67e3\",\"name\":\"84375346-c3f0-4926-ae48-a156010c67e3\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"User account failed logons\",\"queryTemplate\":\"let GetAllLogonsForUser = (v_Account_Name:string){\\n\\t\\t\\t\\t\\t\\t\\tSecurityEvent\\n\\t\\t\\t\\t\\t\\t\\t| extend v_Account_Name = case(\\n\\t\\t\\t\\t\\t\\t\\tv_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\n\\t\\t\\t\\t\\t\\t\\tv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\n\\t\\t\\t\\t\\t\\t\\tv_Account_Name\\n\\t\\t\\t\\t\\t\\t\\t)\\n\\t\\t\\t\\t\\t\\t\\t| where EventID == 4625\\n\\t\\t\\t\\t\\t\\t\\t| where AccountType == \u0027User\u0027\\n\\t\\t\\t\\t\\t\\t\\t| where tolower(Account) contains tolower(v_Account_Name)\\n\\t\\t\\t\\t\\t\\t\\t| extend info = pack(\u0027EventID\u0027, EventID, \u0027Account\u0027, Account, \u0027LogonTypeName\u0027, LogonTypeName, \u0027SubStatus\u0027, SubStatus, \u0027AccountType\u0027, AccountType, \u0027WorkstationName\u0027, WorkstationName, \u0027IpAddress\u0027, IpAddress)\\n\\t\\t\\t\\t\\t\\t\\t| summarize min(TimeGenerated), max(TimeGenerated), Host_Aux_info = makeset(info) by Computer, SourceComputerId\\n\\t\\t\\t\\t\\t\\t\\t| project Host_Aux_StartTime=min_TimeGenerated, Host_Aux_EndTime = max_TimeGenerated, Host_UnstructuredName=Computer, Host_Aux_info, Host_OMSAgentID=SourceComputerId\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by Host_Aux_StartTime asc nulls last\\n\\t\\t\\t\\t\\t\\t\\t};\\n\\t\\t\\t\\t\\t\\t\\tGetAllLogonsForUser(tolower(\u0027\u003caccountName\u003e\u0027))\",\"inputFields\":[\"accountName\"],\"outputEntityTypes\":[\"Host\"],\"dataSources\":[\"SecurityEvent\"],\"inputEntityType\":\"Account\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueries/7f3989bf-1558-4d3c-bb5e-e17ac2a67a87\",\"name\":\"7f3989bf-1558-4d3c-bb5e-e17ac2a67a87\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Office activity IPs for this account\",\"queryTemplate\":\"let isimAuthenticationInstalled=toscalar(union isfuzzy=true (datatable(Test:string)[]), (imAuthentication| take 0) | getschema | count | project Exists=(Count\u003e1));\\n\\t\\t\\t\\t\\t\\t\\tlet Legacy = (v_Account_Name:string){\\n\\t\\t\\t\\t\\t\\t\\t(datatable(exists:int)[1] | where not(isimAuthenticationInstalled)) \\n\\t\\t\\t\\t\\t\\t\\t| join\\n\\t\\t\\t\\t\\t\\t\\t(OfficeActivity\\n\\t\\t\\t\\t\\t\\t\\t| extend v_Account_Name = case(\\n\\t\\t\\t\\t\\t\\t\\t v_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\n\\t\\t\\t\\t\\t\\t\\t v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\n\\t\\t\\t\\t\\t\\t\\t v_Account_Name\\n\\t\\t\\t\\t\\t\\t\\t )\\n\\t\\t\\t\\t\\t\\t\\t| where UserId contains v_Account_Name\\n\\t\\t\\t\\t\\t\\t\\t| extend info = pack(\u0027ClientIP\u0027, ClientIP, \u0027UserType\u0027, UserType, \u0027Operation\u0027, Operation, \u0027OfficeWorkload\u0027, OfficeWorkload, \u0027ResultStatus\u0027, ResultStatus)\\n\\t\\t\\t\\t\\t\\t\\t| summarize min(TimeGenerated), max(TimeGenerated), IP_Aux_info = makeset(info) by ClientIP\\n\\t\\t\\t\\t\\t\\t\\t| project IP_Aux_StartTime = min_TimeGenerated, IP_Aux_EndTime = max_TimeGenerated, ClientIP, IP_Aux_info\\n\\t\\t\\t\\t\\t\\t\\t| project-rename IP_Address=ClientIP\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by IP_Aux_StartTime desc nulls last | extend exists=int(1)) on exists\\n\\t\\t\\t\\t\\t\\t\\t| project-away exists, exists1 \\n\\t\\t\\t\\t\\t\\t\\t};\\n\\t\\t\\t\\t\\t\\t\\tlet Normalized = (v_Account_Name:string){\\n\\t\\t\\t\\t\\t\\t\\t(datatable(exists:int)[1] | where isimAuthenticationInstalled)\\n\\t\\t\\t\\t\\t\\t\\t| join (\\n\\t\\t\\t\\t\\t\\t\\t imAuthentication(targetusername_has=v_Account_Name)\\n\\t\\t\\t\\t\\t\\t\\t| summarize IP_Aux_StartTime=min(TimeGenerated), IP_Aux_EndTime=max(TimeGenerated) by SrcDvcIpAddr\\n\\t\\t\\t\\t\\t\\t\\t| project-rename IP_Address=SrcDvcIpAddr\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by IP_Aux_StartTime desc nulls last | extend exists=int(1)) on exists | project-away exists, exists1 \\n\\t\\t\\t\\t\\t\\t\\t};\\n\\t\\t\\t\\t\\t\\t\\tunion isfuzzy=true Legacy(\u0027\u003caccountName\u003e\u0027), Normalized(\u0027\u003caccountName\u003e\u0027)\",\"inputFields\":[\"accountName\"],\"outputEntityTypes\":[\"IP\"],\"dataSources\":[\"OfficeActivity\"],\"inputEntityType\":\"Account\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueries/6d1c2ca8-8efe-4fa2-bea6-fa582c03637c\",\"name\":\"6d1c2ca8-8efe-4fa2-bea6-fa582c03637c\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"User account interactive logon to new devices\",\"queryTemplate\":\"let GetNewInteractiveLogonsForUser = (v_Account_Name:string, v_Account_Sid:string, v_Account_AadUserId:string)\\n\\t\\t\\t\\t\\t\\t\\t{\\n\\t\\t\\t\\t\\t\\t\\t BehaviorAnalytics\\n\\t\\t\\t\\t\\t\\t\\t | extend v_Account_Name = case(\\n\\t\\t\\t\\t\\t\\t\\t v_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\n\\t\\t\\t\\t\\t\\t\\t v_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\n\\t\\t\\t\\t\\t\\t\\t v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\n\\t\\t\\t\\t\\t\\t\\t v_Account_Name)\\n\\t\\t\\t\\t\\t\\t\\t | where ActionType == \\\"InteractiveLogon\\\" and \\n\\t\\t\\t\\t\\t\\t\\t tobool(ActivityInsights.FirstTimeUserLoggedOnToDevice) and \\n\\t\\t\\t\\t\\t\\t\\t (\\n\\t\\t\\t\\t\\t\\t\\t (isnotempty(UserName) and UserName =~ v_Account_Name) or \\n\\t\\t\\t\\t\\t\\t\\t (isnotempty(UsersInsights.AccountObjectID) and UsersInsights.AccountObjectID == v_Account_AadUserId) or\\n\\t\\t\\t\\t\\t\\t\\t (isnotempty(UsersInsights.OnPremisesSID) and UsersInsights.OnPremisesSID =~ v_Account_Sid)\\n\\t\\t\\t\\t\\t\\t\\t )\\n\\t\\t\\t\\t\\t\\t\\t | extend device_info = pack(\u0027DevicesInsights\u0027, DevicesInsights, \u0027ActivityInsights\u0027, ActivityInsights)\\n\\t\\t\\t\\t\\t\\t\\t | project Host_Aux_TimeGenerated = TimeGenerated,\\n\\t\\t\\t\\t\\t\\t\\t Host_UnstructuredName = DestinationDevice,\\n\\t\\t\\t\\t\\t\\t\\t Host_Aux_Insights = device_info,\\n\\t\\t\\t\\t\\t\\t\\t Account_Name = UserName,\\n\\t\\t\\t\\t\\t\\t\\t Account_Sid = v_Account_Sid,\\n\\t\\t\\t\\t\\t\\t\\t Account_AadUserId = toguid(UsersInsights.AccountObjectID),\\n\\t\\t\\t\\t\\t\\t\\t Account_Aux_Insights = UsersInsights\\n\\t\\t\\t\\t\\t\\t\\t | top 10 by Host_Aux_TimeGenerated asc nulls last\\n\\t\\t\\t\\t\\t\\t\\t};\\n\\t\\t\\t\\t\\t\\t\\tGetNewInteractiveLogonsForUser(\u0027\u003caccountName\u003e\u0027, \u0027\u003csid\u003e\u0027, \u0027\u003caadUserId\u003e\u0027)\",\"inputFields\":[\"accountName\",\"sid\",\"aadUserId\"],\"outputEntityTypes\":[\"Host\"],\"dataSources\":[\"BehaviorAnalytics\"],\"inputEntityType\":\"Account\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueries/b66ab2aa-cd31-43b9-82a2-dd5f0ee9ca81\",\"name\":\"b66ab2aa-cd31-43b9-82a2-dd5f0ee9ca81\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"User account remote interactive logon to new devices\",\"queryTemplate\":\"let GetAllNewRemoteInteractiveLogonForUser = (v_Account_Name:string, v_Account_Sid:string, v_Account_AadUserId:string)\\n\\t\\t\\t\\t\\t\\t\\t{\\n\\t\\t\\t\\t\\t\\t\\t BehaviorAnalytics\\n\\t\\t\\t\\t\\t\\t\\t | extend v_Account_Name = case(\\n\\t\\t\\t\\t\\t\\t\\t v_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\n\\t\\t\\t\\t\\t\\t\\t v_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\n\\t\\t\\t\\t\\t\\t\\t v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\n\\t\\t\\t\\t\\t\\t\\t v_Account_Name)\\n\\t\\t\\t\\t\\t\\t\\t | where ActionType == \\\"RemoteInteractiveLogon\\\" and \\n\\t\\t\\t\\t\\t\\t\\t tobool(ActivityInsights.FirstTimeUserLoggedOnToDevice) and \\n\\t\\t\\t\\t\\t\\t\\t (\\n\\t\\t\\t\\t\\t\\t\\t (isnotempty(UserName) and UserName =~ v_Account_Name) or \\n\\t\\t\\t\\t\\t\\t\\t (isnotempty(UsersInsights.AccountObjectID) and UsersInsights.AccountObjectID == v_Account_AadUserId) or\\n\\t\\t\\t\\t\\t\\t\\t (isnotempty(UsersInsights.OnPremisesSID) and UsersInsights.OnPremisesSID =~ v_Account_Sid)\\n\\t\\t\\t\\t\\t\\t\\t )\\n\\t\\t\\t\\t\\t\\t\\t | extend device_info = pack(\u0027DevicesInsights\u0027, DevicesInsights, \u0027ActivityInsights\u0027, ActivityInsights)\\n\\t\\t\\t\\t\\t\\t\\t | project Host_Aux_TimeGenerated = TimeGenerated,\\n\\t\\t\\t\\t\\t\\t\\t Host_UnstructuredName = DestinationDevice,\\n\\t\\t\\t\\t\\t\\t\\t Host_Aux_Insights = device_info,\\n\\t\\t\\t\\t\\t\\t\\t Account_Name = UserName,\\n\\t\\t\\t\\t\\t\\t\\t Account_Sid = v_Account_Sid,\\n\\t\\t\\t\\t\\t\\t\\t Account_AadUserId = toguid(UsersInsights.AccountObjectID),\\n\\t\\t\\t\\t\\t\\t\\t Account_Aux_Insights = UsersInsights\\n\\t\\t\\t\\t\\t\\t\\t | top 10 by Host_Aux_TimeGenerated asc nulls last\\n\\t\\t\\t\\t\\t\\t\\t};\\n\\t\\t\\t\\t\\t\\t\\tGetAllNewRemoteInteractiveLogonForUser(\u0027\u003caccountName\u003e\u0027, \u0027\u003csid\u003e\u0027, \u0027\u003caadUserId\u003e\u0027)\",\"inputFields\":[\"accountName\",\"sid\",\"aadUserId\"],\"outputEntityTypes\":[\"Host\"],\"dataSources\":[\"BehaviorAnalytics\"],\"inputEntityType\":\"Account\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueries/82cdcee5-cc2e-4e9f-a235-357159c60c8c\",\"name\":\"82cdcee5-cc2e-4e9f-a235-357159c60c8c\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"User account access to new resources\",\"queryTemplate\":\"let GetAllNewResourceAccessForUser = (v_Account_Name:string, v_Account_Sid:string, v_Account_AadUserId:string)\\n\\t\\t\\t\\t\\t\\t\\t{\\n\\t\\t\\t\\t\\t\\t\\t BehaviorAnalytics\\n\\t\\t\\t\\t\\t\\t\\t | extend v_Account_Name = case(\\n\\t\\t\\t\\t\\t\\t\\t v_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\n\\t\\t\\t\\t\\t\\t\\t v_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\n\\t\\t\\t\\t\\t\\t\\t v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\n\\t\\t\\t\\t\\t\\t\\t v_Account_Name)\\n\\t\\t\\t\\t\\t\\t\\t | where ActionType == \\\"ResourceAccess\\\" and \\n\\t\\t\\t\\t\\t\\t\\t tobool(ActivityInsights.FirstTimeUserLoggedOnToDevice) and \\n\\t\\t\\t\\t\\t\\t\\t (\\n\\t\\t\\t\\t\\t\\t\\t (isnotempty(UserName) and UserName =~ v_Account_Name) or \\n\\t\\t\\t\\t\\t\\t\\t (isnotempty(UsersInsights.AccountObjectID) and UsersInsights.AccountObjectID == v_Account_AadUserId) or\\n\\t\\t\\t\\t\\t\\t\\t (isnotempty(UsersInsights.OnPremisesSID) and UsersInsights.OnPremisesSID =~ v_Account_Sid)\\n\\t\\t\\t\\t\\t\\t\\t )\\n\\t\\t\\t\\t\\t\\t\\t | extend device_info = pack(\u0027DevicesInsights\u0027, DevicesInsights, \u0027ActivityInsights\u0027, ActivityInsights)\\n\\t\\t\\t\\t\\t\\t\\t | project Host_Aux_TimeGenerated = TimeGenerated,\\n\\t\\t\\t\\t\\t\\t\\t Host_UnstructuredName = DestinationDevice,\\n\\t\\t\\t\\t\\t\\t\\t Host_Aux_Insights = device_info,\\n\\t\\t\\t\\t\\t\\t\\t Account_Name = UserName,\\n\\t\\t\\t\\t\\t\\t\\t Account_Sid = v_Account_Sid,\\n\\t\\t\\t\\t\\t\\t\\t Account_AadUserId = UsersInsights.AccountObjectID,\\n\\t\\t\\t\\t\\t\\t\\t Account_Aux_Insights = UsersInsights\\n\\t\\t\\t\\t\\t\\t\\t | top 10 by Host_Aux_TimeGenerated asc nulls last\\n\\t\\t\\t\\t\\t\\t\\t};\\n\\t\\t\\t\\t\\t\\t\\tGetAllNewResourceAccessForUser(\u0027\u003caccountName\u003e\u0027, \u0027\u003csid\u003e\u0027, \u0027\u003caadUserId\u003e\u0027)\",\"inputFields\":[\"accountName\",\"sid\",\"aadUserId\"],\"outputEntityTypes\":[\"Host\"],\"dataSources\":[\"BehaviorAnalytics\"],\"inputEntityType\":\"Account\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueries/18b7e4e3-5b57-4924-b3cd-7e9a5a143521\",\"name\":\"18b7e4e3-5b57-4924-b3cd-7e9a5a143521\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Peers with a recent alert\",\"queryTemplate\":\"let GetUserPeersWithAlerts = (v_Account_Name:string, v_Account_UPNSuffix:string, v_Account_AadUserId:string) { \\n\\t\\t\\t\\t\\t\\t\\t let Account_UPN = strcat(v_Account_Name, \u0027@\u0027,v_Account_UPNSuffix);\\n\\t\\t\\t\\t\\t\\t\\t let Peers= UserPeerAnalytics \\n\\t\\t\\t\\t\\t\\t\\t | where UserPrincipalName =~ Account_UPN or UserId =~ v_Account_AadUserId\\n\\t\\t\\t\\t\\t\\t\\t | where TimeGenerated == toscalar (UserPeerAnalytics | summarize max(TimeGenerated))\\n\\t\\t\\t\\t\\t\\t\\t | project PeerUserPrincipalName, PeerUserId, Rank\\n\\t\\t\\t\\t\\t\\t\\t | extend PeerUserPrincipalName=tolower(PeerUserPrincipalName)\\n\\t\\t\\t\\t\\t\\t\\t | parse PeerUserPrincipalName with Account_Name \u0027@\u0027 Account_UPNSuffix;\\n\\t\\t\\t\\t\\t\\t\\t let PeerNames= Peers | summarize make_set_if(Account_Name, isnotempty(Account_Name));\\n\\t\\t\\t\\t\\t\\t\\t let PeerIds = Peers | summarize make_set_if(PeerUserId , isnotempty(PeerUserId));\\n\\t\\t\\t\\t\\t\\t\\t let PeersWithSecAlert=SecurityAlert\\n\\t\\t\\t\\t\\t\\t\\t | where Entities has \\\"account\\\"\\n\\t\\t\\t\\t\\t\\t\\t | where Entities has_any (PeerNames) or Entities has_any (PeerIds)\\n\\t\\t\\t\\t\\t\\t\\t | mvexpand todynamic(Entities) \\n\\t\\t\\t\\t\\t\\t\\t | where tostring(parse_json(Entities).Type) ==\\\"account\\\" \\n\\t\\t\\t\\t\\t\\t\\t | where tostring(parse_json(Entities).Name) has_any (PeerNames) or tostring(parse_json(Entities).AadUserId) has_any (PeerIds)\\n\\t\\t\\t\\t\\t\\t\\t | summarize Account_Aux_AlertCount = count() \\n\\t\\t\\t\\t\\t\\t\\t by Account_Name=tolower(tostring(parse_json(Entities).Name))\\n\\t\\t\\t\\t\\t\\t\\t , Account_UPNSuffix=tolower(tostring(parse_json(Entities).UPNSuffix));\\n\\t\\t\\t\\t\\t\\t\\t PeersWithSecAlert \\n\\t\\t\\t\\t\\t\\t\\t | join kind=innerunique\\n\\t\\t\\t\\t\\t\\t\\t Peers \\n\\t\\t\\t\\t\\t\\t\\t on Account_Name, Account_UPNSuffix\\n\\t\\t\\t\\t\\t\\t\\t | project Account_Name, Account_UPNSuffix, Account_Aux_AlertCount\\n\\t\\t\\t\\t\\t\\t\\t };\\n\\t\\t\\t\\t\\t\\t\\t GetUserPeersWithAlerts(\\\"{{Account_Name}}\\\",\\\"{{Account_UPNSuffix}}\\\", \\\"{{Account_AadUserId}}\\\")\",\"inputFields\":[\"accountName\",\"upnSuffix\"],\"outputEntityTypes\":[\"Account\"],\"dataSources\":[\"UserPeerAnalytics SecurityAlert\"],\"inputEntityType\":\"Account\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueries/c34bf507-cedf-4120-bf41-f835dd68b0d9\",\"name\":\"c34bf507-cedf-4120-bf41-f835dd68b0d9\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Hosts which the account logged on to\",\"queryTemplate\":\"let GetAllHostsbyAccount = (v_Account_Name:string){\\n\\t\\t\\t\\t\\t\\t\\tSigninLogs\\n\\t\\t\\t\\t\\t\\t\\t| extend v_Account_Name = case(\\n\\t\\t\\t\\t\\t\\t\\tv_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\n\\t\\t\\t\\t\\t\\t\\tv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\n\\t\\t\\t\\t\\t\\t\\tv_Account_Name\\n\\t\\t\\t\\t\\t\\t\\t)\\n\\t\\t\\t\\t\\t\\t\\t| where UserPrincipalName contains v_Account_Name\\n\\t\\t\\t\\t\\t\\t\\t| extend RemoteHost = tolower(tostring(parsejson(DeviceDetail[\u0027displayName\u0027])))\\n\\t\\t\\t\\t\\t\\t\\t| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\\n\\t\\t\\t\\t\\t\\t\\t| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\n\\t\\t\\t\\t\\t\\t\\t| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city)\\n\\t\\t\\t\\t\\t\\t\\t| extend info = pack(\u0027UserDisplayName\u0027, UserDisplayName, \u0027UserPrincipalName\u0027, UserPrincipalName, \u0027AppDisplayName\u0027, AppDisplayName, \u0027ClientAppUsed\u0027, ClientAppUsed, \u0027Browser\u0027, tostring(Browser), \u0027IPAddress\u0027, IPAddress, \u0027ResultType\u0027, ResultType, \u0027ResultDescription\u0027, ResultDescription, \u0027Location\u0027, Location, \u0027State\u0027, State, \u0027City\u0027, City, \u0027StatusCode\u0027, StatusCode, \u0027StatusDetails\u0027, StatusDetails)\\n\\t\\t\\t\\t\\t\\t\\t| summarize min(TimeGenerated), max(TimeGenerated), Host_Aux_info = makeset(info) by RemoteHost , tostring(OS)\\n\\t\\t\\t\\t\\t\\t\\t| project min_TimeGenerated, max_TimeGenerated, RemoteHost, OS, Host_Aux_info\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by min_TimeGenerated desc nulls last \\n\\t\\t\\t\\t\\t\\t\\t| project-rename Host_UnstructuredName=RemoteHost, Host_OSVersion=OS, Host_Aux_StartTime=min_TimeGenerated, Host_Aux_EndTime=max_TimeGenerated\\n\\t\\t\\t\\t\\t\\t\\t};\\n\\t\\t\\t\\t\\t\\t\\tGetAllHostsbyAccount(\u0027\u003caccountName\u003e\u0027)\",\"inputFields\":[\"accountName\"],\"outputEntityTypes\":[\"Host\"],\"dataSources\":[\"SigninLogs\"],\"inputEntityType\":\"Account\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueries/81d63625-6617-455d-b1e3-ee5ed989e5f8\",\"name\":\"81d63625-6617-455d-b1e3-ee5ed989e5f8\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Screenshots taken\",\"queryTemplate\":\"let HostScreenshot= (Account_Name:string, Account_UPNSuffix:string){\\n\\t\\t\\t\\t\\t\\t\\t let p_Account_UPN = strcat(Account_Name,\u0027@\u0027,Account_UPNSuffix);\\n\\t\\t\\t\\t\\t\\t\\t DeviceEvents \\n\\t\\t\\t\\t\\t\\t\\t | where ActionType ==\u0027ScreenshotTaken\u0027 \\n\\t\\t\\t\\t\\t\\t\\t | where InitiatingProcessAccountUpn =~ p_Account_UPN\\n\\t\\t\\t\\t\\t\\t\\t | summarize Count=count() by DeviceName\\n\\t\\t\\t\\t\\t\\t\\t | top 10 by Count desc\\n\\t\\t\\t\\t\\t\\t\\t | project Host_UnstructuredName=DeviceName\\n\\t\\t\\t\\t\\t\\t\\t};\\n\\t\\t\\t\\t\\t\\t\\tHostScreenshot(\u0027\u003cAccount_Name\u003e\u0027, \u0027\u003cAccount_UPNSuffix\u003e\u0027)\",\"inputFields\":[\"accountName\",\"upnSuffix\"],\"outputEntityTypes\":[\"Host\"],\"dataSources\":[\"DeviceEvents\"],\"inputEntityType\":\"Account\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueries/8a697f4c-04af-4198-a6d3-ce5dc3acc8dd\",\"name\":\"8a697f4c-04af-4198-a6d3-ce5dc3acc8dd\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"User account successful logons\",\"queryTemplate\":\"let GetAllLogonsForUser = (v_Account_Name:string){\\n\\t\\t\\t\\t\\t\\t\\tSecurityEvent\\n\\t\\t\\t\\t\\t\\t\\t| extend v_Account_Name = case(\\n\\t\\t\\t\\t\\t\\t\\tv_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\n\\t\\t\\t\\t\\t\\t\\tv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\n\\t\\t\\t\\t\\t\\t\\tv_Account_Name\\n\\t\\t\\t\\t\\t\\t\\t)\\n\\t\\t\\t\\t\\t\\t\\t| where EventID == 4624\\n\\t\\t\\t\\t\\t\\t\\t| where AccountType == \u0027User\u0027\\n\\t\\t\\t\\t\\t\\t\\t| where tolower(Account) contains tolower(v_Account_Name)\\n\\t\\t\\t\\t\\t\\t\\t| extend info = pack(\u0027EventID\u0027, EventID, \u0027Account\u0027, Account, \u0027LogonTypeName\u0027, LogonTypeName, \u0027SubStatus\u0027, SubStatus, \u0027AccountType\u0027, AccountType, \u0027WorkstationName\u0027, WorkstationName, \u0027IpAddress\u0027, IpAddress)\\n\\t\\t\\t\\t\\t\\t\\t| summarize min(TimeGenerated), max(TimeGenerated), Host_Aux_info = makeset(info) by Computer, SourceComputerId, _ResourceId\\n\\t\\t\\t\\t\\t\\t\\t| project min_TimeGenerated, max_TimeGenerated, Computer, Host_Aux_info, Host_OMSAgentID=SourceComputerId, Host_AzureID=_ResourceId\\n\\t\\t\\t\\t\\t\\t\\t| project-rename Host_UnstructuredName=Computer, Host_Aux_StartTime=min_TimeGenerated, Host_Aux_EndTime=max_TimeGenerated\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by Host_Aux_StartTime asc nulls last\\n\\t\\t\\t\\t\\t\\t\\t};\\n\\t\\t\\t\\t\\t\\t\\tGetAllLogonsForUser(tolower(\u0027\u003caccountName\u003e\u0027))\",\"inputFields\":[\"accountName\"],\"outputEntityTypes\":[\"Host\"],\"dataSources\":[\"SecurityEvent\"],\"inputEntityType\":\"Account\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueries/62527635-bc5a-4233-bb93-e4eb4e60bb70\",\"name\":\"62527635-bc5a-4233-bb93-e4eb4e60bb70\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Hosts where this file was mentioned\",\"queryTemplate\":\"let GetFilesHost = (v_File_Name:string){\\n\\t\\t\\t\\t\\t\\t\\tSecurityEvent\\n\\t\\t\\t\\t\\t\\t\\t| where CommandLine contains v_File_Name or ServiceFileName contains v_File_Name or ServiceName contains v_File_Name\\n\\t\\t\\t\\t\\t\\t\\t| summarize min(TimeGenerated), max(TimeGenerated) by Computer, Host_OMSAgentID=SourceComputerId, Host_AzureID = _ResourceId\\n\\t\\t\\t\\t\\t\\t\\t| project min_TimeGenerated, max_TimeGenerated, Computer, Host_OMSAgentID, Host_AzureID\\n\\t\\t\\t\\t\\t\\t\\t| project-rename Host_UnstructuredName=Computer, Host_Aux_min_TimeGenerated=min_TimeGenerated, Host_Aux_max_TimeGenerated=max_TimeGenerated\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by Host_Aux_min_TimeGenerated desc nulls last\\n\\t\\t\\t\\t\\t\\t\\t};\\n\\t\\t\\t\\t\\t\\t\\tGetFilesHost(\u0027\u003cfileName\u003e\u0027)\",\"inputFields\":[\"fileName\"],\"outputEntityTypes\":[\"Host\"],\"dataSources\":[\"SecurityEvent\"],\"inputEntityType\":\"File\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueries/4e0d1f17-e3a9-4c1a-aa7d-3842828c10a2\",\"name\":\"4e0d1f17-e3a9-4c1a-aa7d-3842828c10a2\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"DefenderForIoT - Hosts communicating the most amount of data with this Host\",\"queryTemplate\":\"let ConnectionData_DefenderForIoT_GetHost2Host = (v_Host_HostName:string) {\\n\\t\\t\\t\\t\\t\\t\\tlet connectionData = SecurityIoTRawEvent \\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceType = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).deviceType\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceId = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).deviceId\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientIpAddress = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).ipAddress\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientisExternal = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).isExternal\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDeviceType = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).deviceType\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDeviceId = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).deviceId\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerIpAddress = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).ipAddress\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerisExternal = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).isExternal\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceName = tostring(todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).deviceName)\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDeviceName = tostring(todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).deviceName)\\n\\t\\t\\t\\t\\t\\t\\t| extend Bandwidth = todynamic(extractjson(\\\"$Bandwidth\\\", EventDetails))\\n\\t\\t\\t\\t\\t\\t\\t| extend LastActivity = todynamic(extractjson(\\\"$LastActivity\\\", EventDetails))\\n\\t\\t\\t\\t\\t\\t\\t| extend Protocol = todynamic(extractjson(\\\"$Protocol\\\", EventDetails))\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerPort = todynamic(extractjson(\\\"$ServerPort\\\", EventDetails))\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDevice = extractjson(\\\"$ServerDevice\\\", EventDetails)\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDevice = extractjson(\\\"$ClientDevice\\\", EventDetails)\\n\\t\\t\\t\\t\\t\\t\\t| extend SensorId = DeviceId\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceGUID = strcat(SensorId, \\\"_\\\", ClientDeviceId), ServerDeviceGUID = strcat(SensorId, \\\"_\\\", ServerDeviceId);\\n\\t\\t\\t\\t\\t\\t\\tconnectionData\\n\\t\\t\\t\\t\\t\\t\\t| where ClientDeviceName == v_Host_HostName or ServerDeviceName == v_Host_HostName\\n\\t\\t\\t\\t\\t\\t\\t| extend Direction = iff(ClientDeviceName == v_Host_HostName, \\\"Outbound\\\", \\\"Inbound\\\")\\n\\t\\t\\t\\t\\t\\t\\t| project DeviceGUID = iff(Direction == \\\"Outbound\\\", ServerDeviceGUID, ClientDeviceGUID), \\n\\t\\t\\t\\t\\t\\t\\tDeviceType = iff(Direction == \\\"Outbound\\\", ServerDeviceType, ClientDeviceType),\\n\\t\\t\\t\\t\\t\\t\\tDeviceIp = iff(Direction == \\\"Outbound\\\", ServerIpAddress, ClientIpAddress),\\n\\t\\t\\t\\t\\t\\t\\tDeviceName = iff(Direction == \\\"Outbound\\\", ServerDeviceName, ClientDeviceName),\\n\\t\\t\\t\\t\\t\\t\\tSensorId, LastActivity = todatetime(LastActivity), Bandwidth = todouble(Bandwidth), Protocol, ServerPort\\n\\t\\t\\t\\t\\t\\t\\t| summarize TotalBandwidth = sum(Bandwidth), LastActivity = max(LastActivity), Protocols = make_set(Protocol), ServerPorts = make_set(ServerPort) by DeviceGUID, DeviceName, IpAddress = tostring(DeviceIp), IoTDevice_DeviceType = tostring(DeviceType)\\n\\t\\t\\t\\t\\t\\t\\t| project-rename TotalBandwidth_MB = TotalBandwidth\\n\\t\\t\\t\\t\\t\\t\\t| extend TotalBandwidth_MB = floor(todecimal(TotalBandwidth_MB / 1000), 0.1)\\n\\t\\t\\t\\t\\t\\t\\t| project Host_HostName = DeviceName, Host_Aux_IpAddress = IpAddress,Host_Aux_Type = IoTDevice_DeviceType, Host_Aux_LastActivity = LastActivity, Host_Aux_Protocols = Protocols, Host_Aux_ServerPorts = ServerPorts, Host_Aux_TotalBandwidth_MB = TotalBandwidth_MB\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by Host_Aux_TotalBandwidth_MB\\n\\t\\t\\t\\t\\t\\t\\t};\\n\\t\\t\\t\\t\\t\\t\\tConnectionData_DefenderForIoT_GetHost2Host(\u0027\u003chostName\u003e\u0027)\",\"inputFields\":[\"hostName\"],\"outputEntityTypes\":[\"Host\"],\"dataSources\":[\"SecurityIoTRawEvent\"],\"inputEntityType\":\"Host\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueries/cc942838-2ce5-4a05-8bf9-25a00102a7b7\",\"name\":\"cc942838-2ce5-4a05-8bf9-25a00102a7b7\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"DefenderForIoT - IP Addresses communicating the most amount of data with this Host\",\"queryTemplate\":\"let ConnectionData_DefenderForIoT_GetHost2IP = (v_Host_HostName: string) {\\n\\t\\t\\t\\t\\t\\t\\tlet connectionData = SecurityIoTRawEvent \\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceType = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).deviceType\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceId = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).deviceId\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientIpAddress = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).ipAddress\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientisExternal = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).isExternal\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDeviceType = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).deviceType\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDeviceId = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).deviceId\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerIpAddress = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).ipAddress\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerisExternal = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).isExternal\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceName = tostring(todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).deviceName)\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDeviceName = tostring(todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).deviceName)\\n\\t\\t\\t\\t\\t\\t\\t| extend Bandwidth = todynamic(extractjson(\\\"$Bandwidth\\\", EventDetails))\\n\\t\\t\\t\\t\\t\\t\\t| extend LastActivity = todynamic(extractjson(\\\"$LastActivity\\\", EventDetails))\\n\\t\\t\\t\\t\\t\\t\\t| extend Protocol = todynamic(extractjson(\\\"$Protocol\\\", EventDetails))\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerPort = todynamic(extractjson(\\\"$ServerPort\\\", EventDetails))\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDevice = extractjson(\\\"$ServerDevice\\\", EventDetails)\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDevice = extractjson(\\\"$ClientDevice\\\", EventDetails)\\n\\t\\t\\t\\t\\t\\t\\t| extend SensorId = DeviceId\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceGUID = strcat(SensorId, \\\"_\\\", ClientDeviceId), ServerDeviceGUID = strcat(SensorId, \\\"_\\\", ServerDeviceId);\\n\\t\\t\\t\\t\\t\\t\\tconnectionData\\n\\t\\t\\t\\t\\t\\t\\t| where ClientDeviceName == v_Host_HostName or ServerDeviceName == v_Host_HostName\\n\\t\\t\\t\\t\\t\\t\\t| extend Direction = iff(ClientDeviceName == v_Host_HostName, \\\"Outbound\\\", \\\"Inbound\\\")\\n\\t\\t\\t\\t\\t\\t\\t| project DeviceGUID = iff(Direction == \\\"Outbound\\\", ServerDeviceGUID, ClientDeviceGUID), \\n\\t\\t\\t\\t\\t\\t\\tDeviceType = iff(Direction == \\\"Outbound\\\", ServerDeviceType, ClientDeviceType),\\n\\t\\t\\t\\t\\t\\t\\tDeviceIp = iff(Direction == \\\"Outbound\\\", ServerIpAddress, ClientIpAddress),\\n\\t\\t\\t\\t\\t\\t\\tDeviceIsExternal = iff(Direction == \\\"Outbound\\\", ServerisExternal, ClientisExternal),\\n\\t\\t\\t\\t\\t\\t\\tSensorId, LastActivity = todatetime(LastActivity), Bandwidth = todouble(Bandwidth), Protocol, ServerPort, Direction\\n\\t\\t\\t\\t\\t\\t\\t| summarize TotalBandwidth = sum(Bandwidth), LastActivity = max(LastActivity), Protocols = make_set(Protocol), ServerPorts = make_set(ServerPort) by IoTDevice_DeviceId = DeviceGUID, IoTDevice_IpAddress = tostring(DeviceIp), IoTDevice_DeviceType = tostring(DeviceType), DeviceIsExternal = tostring(DeviceIsExternal)\\n\\t\\t\\t\\t\\t\\t\\t| project-rename TotalBandwidth_MB = TotalBandwidth\\n\\t\\t\\t\\t\\t\\t\\t| project IP_Address = IoTDevice_IpAddress, IP_Aux_DeviceType = IoTDevice_DeviceType, IP_Aux_LastActivity = LastActivity, IP_Aux_Protocols = Protocols, IP_Aux_ServerPorts = ServerPorts, IP_Aux_TotalBandwidth_MB = TotalBandwidth_MB, IP_Aux_IsExternal = DeviceIsExternal\\n\\t\\t\\t\\t\\t\\t\\t| extend IP_Aux_TotalBandwidth_MB = floor(todecimal(IP_Aux_TotalBandwidth_MB / 1000), 0.1)\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by IP_Aux_TotalBandwidth_MB\\n\\t\\t\\t\\t\\t\\t\\t};\\n\\t\\t\\t\\t\\t\\t\\tConnectionData_DefenderForIoT_GetHost2IP(\u0027\u003chostName\u003e\u0027)\",\"inputFields\":[\"hostName\"],\"outputEntityTypes\":[\"IP\"],\"dataSources\":[\"SecurityIoTRawEvent\"],\"inputEntityType\":\"Host\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueries/98b2ce21-167d-43bd-a496-9f2c85c5f95b\",\"name\":\"98b2ce21-167d-43bd-a496-9f2c85c5f95b\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Accounts with several failed logins immediately followed by a successful login\",\"queryTemplate\":\"let BRUTEFORCE_THRESHOLD = 10;\\n\\t\\t\\t\\t\\t\\t\\tlet SuccessfulLoginEventId = 4624;\\n\\t\\t\\t\\t\\t\\t\\tlet FailedLoginEventId = 4625;\\n\\t\\t\\t\\t\\t\\t\\tlet AccountsPossibleSuccessfulBruteForce = (v_Host_HostName:string, v_Host_DnsDomain:string){\\n\\t\\t\\t\\t\\t\\t\\tSecurityEvent\\n\\t\\t\\t\\t\\t\\t\\t| where AccountType == \u0027User\u0027\\n\\t\\t\\t\\t\\t\\t\\t| extend p_Host_HostName=tostring(split(v_Host_HostName,\u0027.\u0027)[0])\\n\\t\\t\\t\\t\\t\\t\\t| extend p_Host_DnsDomain=case (isnotempty(v_Host_DnsDomain),v_Host_DnsDomain\\n\\t\\t\\t\\t\\t\\t\\t ,v_Host_HostName has \u0027.\u0027, extract(@\u0027\\\\.(.+$)\u0027,1,v_Host_HostName)\\n\\t\\t\\t\\t\\t\\t\\t , \u0027\u0027)\\n\\t\\t\\t\\t\\t\\t\\t| extend Host_HostName=tostring(split(Computer,\u0027.\u0027)[0])\\n\\t\\t\\t\\t\\t\\t\\t| extend Host_DnsDomain=iff(Computer has \u0027.\u0027, extract(@\u0027\\\\.(.+$)\u0027,1,Computer) ,\\\"\\\")\\n\\t\\t\\t\\t\\t\\t\\t| where p_Host_HostName=~Host_HostName and (isempty(p_Host_DnsDomain) or isempty(Host_DnsDomain) or p_Host_DnsDomain=~Host_DnsDomain)\\n\\t\\t\\t\\t\\t\\t\\t| extend Fails = (EventID == FailedLoginEventId), Success = (EventID == SuccessfulLoginEventId)\\n\\t\\t\\t\\t\\t\\t\\t| extend Account = tolower(Account)\\n\\t\\t\\t\\t\\t\\t\\t| summarize Account_Aux_SuccessPerMin = countif(Success), Account_Aux_FailPerMin = countif(Fails) by Account, bin(TimeGenerated, 1m) \\n\\t\\t\\t\\t\\t\\t\\t| where Account_Aux_FailPerMin\\t\u003e BRUTEFORCE_THRESHOLD and Account_Aux_SuccessPerMin \u003e 0\\n\\t\\t\\t\\t\\t\\t\\t| extend EventData = pack(\u0027FailPerMin\u0027,Account_Aux_FailPerMin, \u0027SuccessPerMin\u0027, Account_Aux_SuccessPerMin, \u0027Time\u0027, TimeGenerated )\\n\\t\\t\\t\\t\\t\\t\\t| summarize Max = max(Account_Aux_FailPerMin), Account_Aux_EventsData=makeset(EventData) by Account\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by Max\\n\\t\\t\\t\\t\\t\\t\\t| parse Account with Account_NTDomain \u0027\\\\\\\\\u0027 *\\n\\t\\t\\t\\t\\t\\t\\t| extend Account_Name = extract(@\u0027^([^\\\\\\\\]*\\\\\\\\)?([^@]+)(@.*)?$\u0027,2,Account), \\n\\t\\t\\t\\t\\t\\t\\t Account_UPNSuffix = extract(@\u0027^([^\\\\\\\\]*\\\\\\\\)?([^@]+)(@(.*))?$\u0027,4,Account)\\n\\t\\t\\t\\t\\t\\t\\t| project Account_Name, Account_NTDomain, Account_UPNSuffix, Account_Aux_EventsData\\n\\t\\t\\t\\t\\t\\t\\t};\\n\\t\\t\\t\\t\\t\\t\\tAccountsPossibleSuccessfulBruteForce(\u0027\u003chostName\u003e\u0027, \u0027\u003cdnsDomain\u003e\u0027)\",\"inputFields\":[\"hostName\",\"dnsDomain\"],\"outputEntityTypes\":[\"Account\"],\"dataSources\":[\"SecurityEvent\"],\"inputEntityType\":\"Host\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueries/bb6100ee-ae38-41b5-8457-88d503a3bf8f\",\"name\":\"bb6100ee-ae38-41b5-8457-88d503a3bf8f\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Least prevalent inbound WireData connections\",\"queryTemplate\":\"let GetWireDataInboundWithHost = (v_Host_HostName:string){\\n\\t\\t\\t\\t\\t\\t\\tWireData\\n\\t\\t\\t\\t\\t\\t\\t| where Direction == \u0027Inbound\u0027 \\n\\t\\t\\t\\t\\t\\t\\t| where Computer has v_Host_HostName\\n\\t\\t\\t\\t\\t\\t\\t| extend info = pack(\u0027Computer\u0027, Computer, \u0027LocalPortNumber\u0027, LocalPortNumber, \u0027RemoteIP\u0027, RemoteIP, \u0027Direction\u0027, Direction, \u0027ApplicationProtocol\u0027, ApplicationProtocol)\\n\\t\\t\\t\\t\\t\\t\\t| summarize Process_Aux_Min_SessionStartTime=min(SessionStartTime), count(), IP_Aux_info = makeset(info) by ProcessName , LocalIP, ProcessID\\n\\t\\t\\t\\t\\t\\t\\t| extend Process_Aux_info = IP_Aux_info\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by count_ asc\\n\\t\\t\\t\\t\\t\\t\\t| project Process_Aux_Min_SessionStartTime, ProcessName , LocalIP, IP_Aux_info, Process_Aux_info, Process_ProcessId=tostring(ProcessID)\\n\\t\\t\\t\\t\\t\\t\\t| project-rename IP_Address=LocalIP, Process_ImageFile_FullPath=ProcessName\\n\\t\\t\\t\\t\\t\\t\\t};\\n\\t\\t\\t\\t\\t\\t\\tGetWireDataInboundWithHost(\u0027\u003chostName\u003e\u0027)\",\"inputFields\":[\"hostName\"],\"outputEntityTypes\":[\"IP\",\"Process\"],\"dataSources\":[\"WireData\"],\"inputEntityType\":\"Host\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueries/8c00a2a0-43d3-45a9-aa2e-f73deb0abfbb\",\"name\":\"8c00a2a0-43d3-45a9-aa2e-f73deb0abfbb\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Least prevalent outbound WireData connections\",\"queryTemplate\":\"let GetWireDataOutboundWithHost = (v_Host_HostName:string){\\n\\t\\t\\t\\t\\t\\t\\tWireData\\n\\t\\t\\t\\t\\t\\t\\t| where Direction == \u0027Outbound\u0027 \\n\\t\\t\\t\\t\\t\\t\\t| where Computer has v_Host_HostName\\n\\t\\t\\t\\t\\t\\t\\t| extend info = pack(\u0027Computer\u0027, Computer, \u0027LocalIP\u0027, LocalIP, \u0027LocalPortNumber\u0027, LocalPortNumber, \u0027Direction\u0027, Direction, \u0027ApplicationProtocol\u0027, ApplicationProtocol)\\n\\t\\t\\t\\t\\t\\t\\t| summarize Process_Aux_Min_SessionStartTime=min(SessionStartTime), count(), IP_Aux_info = makeset(info) by ProcessName, RemoteIP, ProcessID\\n\\t\\t\\t\\t\\t\\t\\t| extend Process_Aux_info = IP_Aux_info\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by count_ asc\\n\\t\\t\\t\\t\\t\\t\\t| project Process_Aux_Min_SessionStartTime, ProcessName, RemoteIP, IP_Aux_info, Process_Aux_info, Process_ProcessId=tostring(ProcessID)\\n\\t\\t\\t\\t\\t\\t\\t| project-rename IP_Address=RemoteIP, Process_ImageFile_FullPath=ProcessName\\n\\t\\t\\t\\t\\t\\t\\t};\\n\\t\\t\\t\\t\\t\\t\\tGetWireDataOutboundWithHost(\u0027\u003chostName\u003e\u0027)\",\"inputFields\":[\"hostName\"],\"outputEntityTypes\":[\"IP\",\"Process\"],\"dataSources\":[\"WireData\"],\"inputEntityType\":\"Host\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueries/ea747f91-23f9-425a-baa8-628f30193888\",\"name\":\"ea747f91-23f9-425a-baa8-628f30193888\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Least prevalent processes for this host\",\"queryTemplate\":\"let GetSysLogEventsOnHost = (v_Host_HostName:string){\\n\\t\\t\\t\\t\\t\\t\\tSyslog\\n\\t\\t\\t\\t\\t\\t\\t| where Computer has v_Host_HostName\\n\\t\\t\\t\\t\\t\\t\\t| extend info = pack(\u0027HostName\u0027, HostName, \u0027HostIP\u0027, HostIP)\\n\\t\\t\\t\\t\\t\\t\\t| summarize Process_Aux_StartTime=min(EventTime), Process_Aux_EndTime=max(EventTime), count(), Process_Aux_info = makeset(info) by Computer, ProcessName, ProcessID\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by count_ asc nulls last \\n\\t\\t\\t\\t\\t\\t\\t| project Process_Aux_StartTime, Process_Aux_EndTime, Process_Host_UnstructuredName=Computer, Process_ProcessId=tostring(ProcessID), Process_ImageFile_FullPath=ProcessName, Process_Aux_info\\n\\t\\t\\t\\t\\t\\t\\t};\\n\\t\\t\\t\\t\\t\\t\\tGetSysLogEventsOnHost(\u0027\u003chostName\u003e\u0027)\",\"inputFields\":[\"hostName\"],\"outputEntityTypes\":[\"Process\"],\"dataSources\":[\"Syslog\"],\"inputEntityType\":\"Host\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueries/07da3cc8-c8ad-4710-a44e-334cdcb7882b\",\"name\":\"07da3cc8-c8ad-4710-a44e-334cdcb7882b\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Parent processes running on host\",\"queryTemplate\":\"let GetParentProcessesOnHost = (v_Host_HostName:string){\\n\\t\\t\\t\\t\\t\\t\\tSecurityEvent \\n\\t\\t\\t\\t\\t\\t\\t| where EventID == 4688 \\n\\t\\t\\t\\t\\t\\t\\t| where isnotempty(ParentProcessName)\\n\\t\\t\\t\\t\\t\\t\\t| where NewProcessName !contains \u0027:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\conhost.exe\u0027 and ParentProcessName !contains \u0027:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\conhost.exe\u0027\\n\\t\\t\\t\\t\\t\\t\\t and NewProcessName !contains \u0027:\\\\\\\\Windows\\\\\\\\Microsoft.NET\\\\\\\\Framework64\\\\\\\\v2.0.50727\\\\\\\\csc.exe\u0027 and ParentProcessName !contains \u0027:\\\\\\\\Windows\\\\\\\\Microsoft.NET\\\\\\\\Framework64\\\\\\\\v2.0.50727\\\\\\\\csc.exe\u0027\\n\\t\\t\\t\\t\\t\\t\\t and NewProcessName !contains \u0027:\\\\\\\\Windows\\\\\\\\Microsoft.NET\\\\\\\\Framework64\\\\\\\\v2.0.50727\\\\\\\\cvtres.exe\u0027 and ParentProcessName !contains \u0027:\\\\\\\\Windows\\\\\\\\Microsoft.NET\\\\\\\\Framework64\\\\\\\\v2.0.50727\\\\\\\\cvtres.exe\u0027\\n\\t\\t\\t\\t\\t\\t\\t and NewProcessName!contains \u0027:\\\\\\\\Program Files\\\\\\\\Microsoft Monitoring Agent\\\\\\\\Agent\\\\\\\\MonitoringHost.exe\u0027 and ParentProcessName !contains \u0027:\\\\\\\\Program Files\\\\\\\\Microsoft Monitoring Agent\\\\\\\\Agent\\\\\\\\MonitoringHost.exe\u0027\\n\\t\\t\\t\\t\\t\\t\\t and ParentProcessName !contains \u0027:\\\\\\\\Windows\\\\\\\\CCM\\\\\\\\CcmExec.exe\u0027\\n\\t\\t\\t\\t\\t\\t\\t| where(ParentProcessName !contains \u0027:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe\u0027 and (NewProcessName !contains \u0027:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wbem\\\\\\\\WmiPrvSE.exe\u0027 or NewProcessName !contains \u0027:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\wbem\\\\\\\\WmiPrvSE.exe\u0027))\\n\\t\\t\\t\\t\\t\\t\\t| where(ParentProcessName !contains \u0027:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\services.exe\u0027 and NewProcessName !contains \u0027:\\\\\\\\Windows\\\\\\\\servicing\\\\\\\\TrustedInstaller.exe\u0027)\\n\\t\\t\\t\\t\\t\\t\\t| where toupper(Computer) contains v_Host_HostName or toupper(WorkstationName) contains v_Host_HostName\\n\\t\\t\\t\\t\\t\\t\\t| extend info = pack(\u0027EventID\u0027, EventID, \u0027TargetAccount\u0027, TargetAccount)\\n\\t\\t\\t\\t\\t\\t\\t| summarize min(TimeGenerated), max(TimeGenerated), Process_Aux_info = makeset(info) by Account, Computer, ParentProcessName, NewProcessName, CommandLine, ProcessId\\n\\t\\t\\t\\t\\t\\t\\t| project min_TimeGenerated, max_TimeGenerated, Account, Computer, ParentProcessName, NewProcessName, CommandLine, ProcessId, Process_Aux_info\\n\\t\\t\\t\\t\\t\\t\\t| project-rename Process_Host_UnstructuredName=Computer, Process_Account_UnstructuredName=Account, Process_CommandLine=CommandLine, Process_ProcessId=ProcessId, Process_ImageFile_FullPath=NewProcessName, Process_ParentProcess_ImageFile_FullPath=ParentProcessName, Process_Aux_StartTime = min_TimeGenerated, Process_Aux_EndTime= max_TimeGenerated\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by Process_Aux_StartTime asc\\n\\t\\t\\t\\t\\t\\t\\t};\\n\\t\\t\\t\\t\\t\\t\\tGetParentProcessesOnHost(toupper(\u0027\u003chostName\u003e\u0027))\",\"inputFields\":[\"hostName\"],\"outputEntityTypes\":[\"Process\"],\"dataSources\":[\"SecurityEvent\"],\"inputEntityType\":\"Host\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueries/f87b2afb-068f-4734-88a0-94560309f9d7\",\"name\":\"f87b2afb-068f-4734-88a0-94560309f9d7\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Processes on Host blocked from loading non-Microsoft-signed binaries\",\"queryTemplate\":\"let BlockedUnsigned = (v_Host_HostName:string){\\n\\t\\t\\t\\t\\t\\t\\tDeviceEvents\\n\\t\\t\\t\\t\\t\\t\\t| where ActionType == \\\"ExploitGuardNonMicrosoftSignedBlocked\\\" and FileName !hassuffix \\\".ni.dll\\\"\\n\\t\\t\\t\\t\\t\\t\\t| where v_Host_HostName =~ tostring(split(DeviceName, \u0027.\u0027)[0])\\n\\t\\t\\t\\t\\t\\t\\t| summarize Process_Aux_Count=count() by Process_ProcessId=InitiatingProcessId, Process_CommandLine=InitiatingProcessCommandLine, Process_Host_UnstructuredName=DeviceName\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by Process_Aux_Count desc\\n\\t\\t\\t\\t\\t\\t\\t};\\n\\t\\t\\t\\t\\t\\t\\tBlockedUnsigned(\u0027\u003chostName\u003e\u0027)\",\"inputFields\":[\"hostName\"],\"outputEntityTypes\":[\"Process\"],\"dataSources\":[\"DeviceEvents\"],\"inputEntityType\":\"Host\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueries/d3393571-0533-4127-bfe1-6b1de4ab126e\",\"name\":\"d3393571-0533-4127-bfe1-6b1de4ab126e\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Processes running on Host\",\"queryTemplate\":\"let GetActiveProcessesOnHost = (v_Host_HostName:string){\\n\\t\\t\\t\\t\\t\\t\\tSecurityEvent \\n\\t\\t\\t\\t\\t\\t\\t| where EventID == 4688\\n\\t\\t\\t\\t\\t\\t\\t| where NewProcessName !contains \u0027:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\conhost.exe\u0027 and ParentProcessName !contains \u0027:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\conhost.exe\u0027\\n\\t\\t\\t\\t\\t\\t\\t and NewProcessName !contains \u0027:\\\\\\\\Windows\\\\\\\\Microsoft.NET\\\\\\\\Framework64\\\\\\\\v2.0.50727\\\\\\\\csc.exe\u0027 and ParentProcessName !contains \u0027:\\\\\\\\Windows\\\\\\\\Microsoft.NET\\\\\\\\Framework64\\\\\\\\v2.0.50727\\\\\\\\csc.exe\u0027\\n\\t\\t\\t\\t\\t\\t\\t and NewProcessName !contains \u0027:\\\\\\\\Windows\\\\\\\\Microsoft.NET\\\\\\\\Framework64\\\\\\\\v2.0.50727\\\\\\\\cvtres.exe\u0027 and ParentProcessName !contains \u0027:\\\\\\\\Windows\\\\\\\\Microsoft.NET\\\\\\\\Framework64\\\\\\\\v2.0.50727\\\\\\\\cvtres.exe\u0027\\n\\t\\t\\t\\t\\t\\t\\t and NewProcessName!contains \u0027:\\\\\\\\Program Files\\\\\\\\Microsoft Monitoring Agent\\\\\\\\Agent\\\\\\\\MonitoringHost.exe\u0027 and ParentProcessName !contains \u0027:\\\\\\\\Program Files\\\\\\\\Microsoft Monitoring Agent\\\\\\\\Agent\\\\\\\\MonitoringHost.exe\u0027\\n\\t\\t\\t\\t\\t\\t\\t and ParentProcessName !contains \u0027:\\\\\\\\Windows\\\\\\\\CCM\\\\\\\\CcmExec.exe\u0027\\n\\t\\t\\t\\t\\t\\t\\t| where (ParentProcessName !contains \u0027:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe\u0027 and (NewProcessName !contains \u0027:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wbem\\\\\\\\WmiPrvSE.exe\u0027 or NewProcessName !contains \u0027:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\wbem\\\\\\\\WmiPrvSE.exe\u0027))\\n\\t\\t\\t\\t\\t\\t\\t| where (ParentProcessName !contains \u0027:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\services.exe\u0027 and NewProcessName !contains \u0027:\\\\\\\\Windows\\\\\\\\servicing\\\\\\\\TrustedInstaller.exe\u0027)\\n\\t\\t\\t\\t\\t\\t\\t| where toupper(Computer) contains v_Host_HostName or toupper(WorkstationName) contains v_Host_HostName\\n\\t\\t\\t\\t\\t\\t\\t| summarize Process_Aux_StartTime=min(TimeGenerated), Process_Aux_EndTime=max(TimeGenerated) by Computer, Account, NewProcessName, CommandLine, ProcessId, ParentProcessName\\n\\t\\t\\t\\t\\t\\t\\t| project Process_Aux_StartTime, Process_Aux_EndTime, Computer, Account, NewProcessName, CommandLine, ProcessId, Process_ParentProcess_ImageFile_FullPath=ParentProcessName\\n\\t\\t\\t\\t\\t\\t\\t| project-rename Process_Host_UnstructuredName=Computer, Process_Account_UnstructuredName=Account, Process_CommandLine=CommandLine, Process_ProcessId=ProcessId, Process_ImageFile_FullPath=NewProcessName\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by Process_Aux_StartTime desc\\n\\t\\t\\t\\t\\t\\t\\t};\\n\\t\\t\\t\\t\\t\\t\\tGetActiveProcessesOnHost(\u0027\u003chostName\u003e\u0027)\",\"inputFields\":[\"hostName\"],\"outputEntityTypes\":[\"Process\"],\"dataSources\":[\"SecurityEvent\"],\"inputEntityType\":\"Host\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueries/6537a8c3-a269-4b2f-8c70-3824c23fef7b\",\"name\":\"6537a8c3-a269-4b2f-8c70-3824c23fef7b\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Services created on host\",\"queryTemplate\":\"let GetServiceCreationsOnHost = (v_Host_HostName:string){\\n\\t\\t\\t\\t\\t\\t\\tEvent \\n\\t\\t\\t\\t\\t\\t\\t| where EventID == 7045\\n\\t\\t\\t\\t\\t\\t\\t| where Computer =~ v_Host_HostName\\n\\t\\t\\t\\t\\t\\t\\t| extend EventDataParse = parse_xml(EventData)\\n\\t\\t\\t\\t\\t\\t\\t| extend Process_Aux_ServiceName = tostring(EventDataParse.DataItem.EventData.Data[0][\u0027#text\u0027])\\n\\t\\t\\t\\t\\t\\t\\t| extend ImagePath = tostring(EventDataParse.DataItem.EventData.Data[1][\u0027#text\u0027])\\n\\t\\t\\t\\t\\t\\t\\t| extend ServiceType = tostring(EventDataParse.DataItem.EventData.Data[2][\u0027#text\u0027])\\n\\t\\t\\t\\t\\t\\t\\t| extend StartType = tostring(EventDataParse.DataItem.EventData.Data[3][\u0027#text\u0027])\\n\\t\\t\\t\\t\\t\\t\\t| extend ServiceAccount = tostring(EventDataParse.DataItem.EventData.Data[4][\u0027#text\u0027])\\n\\t\\t\\t\\t\\t\\t\\t| where ImagePath !has \u0027\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\Definition Updates\\\\\\\\\u0027 \\n\\t\\t\\t\\t\\t\\t\\tand ImagePath !has \u0027\\\\\\\\Packages\\\\\\\\Plugins\\\\\\\\Microsoft.EnterpriseCloud.Monitoring.MicrosoftMonitoringAgent\\\\\\\\\u0027\\n\\t\\t\\t\\t\\t\\t\\tand not(ImagePath has \u0027\\\\\\\\WindowsAzure\\\\\\\\GuestAgent_\u0027 and ImagePath has \u0027\\\\\\\\Telemetry\\\\\\\\WindowsAzureTelemetryService.exe\u0027) \\n\\t\\t\\t\\t\\t\\t\\tand not(ImagePath has \u0027\\\\\\\\WindowsAzure\\\\\\\\GuestAgent_\u0027 and ImagePath has \u0027\\\\\\\\GuestAgent\\\\\\\\WindowsAzureGuestAgent.exe\u0027)\\n\\t\\t\\t\\t\\t\\t\\t| extend Process_Aux_Service_info = pack(\u0027ServiceName\u0027, Process_Aux_ServiceName, \u0027ServiceType\u0027, ServiceType, \u0027StartType\u0027, StartType, \u0027ServiceAccount\u0027, ServiceAccount)\\n\\t\\t\\t\\t\\t\\t\\t| project TimeGenerated, Computer, UserName, Process_Aux_ServiceName, ImagePath, Process_Aux_Service_info\\n\\t\\t\\t\\t\\t\\t\\t| project-rename Process_Host_UnstructuredName=Computer, Process_Account_UnstructuredName=UserName, Process_ImageFile_FullPath=ImagePath, Process_CreationTimeUtc=TimeGenerated\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by Process_CreationTimeUtc desc nulls last\\n\\t\\t\\t\\t\\t\\t\\t};\\n\\t\\t\\t\\t\\t\\t\\tGetServiceCreationsOnHost(\u0027\u003chostName\u003e\u0027)\",\"inputFields\":[\"hostName\"],\"outputEntityTypes\":[\"Process\"],\"dataSources\":[\"Event\"],\"inputEntityType\":\"Host\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueries/3aed43db-e358-4952-a5cd-a10f00d90af4\",\"name\":\"3aed43db-e358-4952-a5cd-a10f00d90af4\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"User accounts created or deleted on host\",\"queryTemplate\":\"let GetAccountChangesOnHost = (v_Host_HostName:string){\\n\\t\\t\\t\\t\\t\\t\\tSecurityEvent\\n\\t\\t\\t\\t\\t\\t\\t| where EventID == 4720 or EventID == 4726\\n\\t\\t\\t\\t\\t\\t\\t| where AccountType == \u0027User\u0027\\n\\t\\t\\t\\t\\t\\t\\t| where Computer contains v_Host_HostName or WorkstationName contains v_Host_HostName\\n\\t\\t\\t\\t\\t\\t\\t| extend info = pack(\u0027TargetAccount\u0027, TargetAccount, \u0027SubjectAccount\u0027, SubjectAccount, \u0027Activity\u0027, Activity)\\n\\t\\t\\t\\t\\t\\t\\t| summarize min(TimeGenerated), max(TimeGenerated), Account_Aux_info = makeset(info) by Computer, TargetAccount\\n\\t\\t\\t\\t\\t\\t\\t| project Account_Aux_StartTime=min_TimeGenerated, Account_Aux_EndTime=max_TimeGenerated, Account_Host_UnstructuredName=Computer, Account_UnstructuredName=TargetAccount, Account_Aux_info\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by Account_Aux_StartTime asc nulls last\\n\\t\\t\\t\\t\\t\\t\\t};\\n\\t\\t\\t\\t\\t\\t\\tGetAccountChangesOnHost(toupper(\u0027\u003chostName\u003e\u0027))\",\"inputFields\":[\"hostName\"],\"outputEntityTypes\":[\"Account\"],\"dataSources\":[\"SecurityEvent\"],\"inputEntityType\":\"Host\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueries/37fdc179-d35c-4dcd-b6ff-6cf02248d8f9\",\"name\":\"37fdc179-d35c-4dcd-b6ff-6cf02248d8f9\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Accounts which logged onto this host and their IPs\",\"queryTemplate\":\"let GetAccountsFromHost = (v_Host_HostName:string){\\n\\t\\t\\t\\t\\t\\t\\tSigninLogs\\n\\t\\t\\t\\t\\t\\t\\t| extend RemoteHost = tolower(tostring(DeviceDetail.displayName))\\n\\t\\t\\t\\t\\t\\t\\t| where RemoteHost == tolower(v_Host_HostName)\\n\\t\\t\\t\\t\\t\\t\\t| extend OS = tostring(DeviceDetail.operatingSystem), Browser = tostring(DeviceDetail.browser), TrustType = tostring(DeviceDetail.trustType)\\n\\t\\t\\t\\t\\t\\t\\t| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\n\\t\\t\\t\\t\\t\\t\\t| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city)\\n\\t\\t\\t\\t\\t\\t\\t| extend Latitude = tostring(LocationDetails.geoCoordinates.latitude), Longitude = tostring(LocationDetails.geoCoordinates.longitude)\\n\\t\\t\\t\\t\\t\\t\\t| extend info = pack(\u0027UserPrincipalName\u0027, UserPrincipalName, \u0027AppDisplayName\u0027, AppDisplayName, \u0027ClientAppUsed\u0027, ClientAppUsed, \u0027Browser\u0027, tostring(Browser), \u0027ResultType\u0027, ResultType, \u0027ResultDescription\u0027, ResultDescription, \u0027Location\u0027, Location, \u0027StatusCode\u0027, StatusCode, \u0027StatusDetails\u0027, StatusDetails)\\n\\t\\t\\t\\t\\t\\t\\t| summarize min(TimeGenerated), max(TimeGenerated), count(), Account_Aux_info = makeset(info) by RemoteHost , UserDisplayName, OS, IPAddress, State, City, Latitude, Longitude\\n\\t\\t\\t\\t\\t\\t\\t| extend IP_Aux_info = Account_Aux_info\\n\\t\\t\\t\\t\\t\\t\\t| project Account_Aux_StartTimeUtc = min_TimeGenerated, Account_Aux_EndTimeUtc = max_TimeGenerated, RemoteHost, UserDisplayName, OS, IPAddress, State, City, Latitude, Longitude, Account_Aux_info, IP_Aux_info\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by Account_Aux_StartTimeUtc desc nulls last \\n\\t\\t\\t\\t\\t\\t\\t| project-rename Account_UnstructuredName=UserDisplayName, Account_Host_UnstructuredName=RemoteHost, Account_Host_OSVersion=OS, IP_Address=IPAddress, IP_Location_State=State, IP_Location_City=City, IP_Location_Latitude=Latitude, IP_Location_Longitude=Longitude\\n\\t\\t\\t\\t\\t\\t\\t};\\n\\t\\t\\t\\t\\t\\t\\tGetAccountsFromHost(\u0027\u003chostName\u003e\u0027)\",\"inputFields\":[\"hostName\"],\"outputEntityTypes\":[\"Account\",\"IP\"],\"dataSources\":[\"SigninLogs\"],\"inputEntityType\":\"Host\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueries/b8de20fa-d96e-4fe0-84b3-8477ca29b04a\",\"name\":\"b8de20fa-d96e-4fe0-84b3-8477ca29b04a\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Accounts triggering Microsoft Defender Application Control\",\"queryTemplate\":\"let AppControlEvents=(v_Host_HostName:string, v_Host_NTDomain:string, v_Host_DnsDomain:string){\\n\\t\\t\\t\\t\\t\\t\\tlet p_FullDeviceName = iff(isnotempty(v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_NTDomain));\\n\\t\\t\\t\\t\\t\\t\\tlet AppControls=datatable(ActionType:string, Description:string, FriendlyActivityName:string)\\n\\t\\t\\t\\t\\t\\t\\t [\\\"AppControlAppInstallationAudited\\\", \\\"Application control detected the installation of an untrusted app.\\\",\\\"Untrusted app installed\\\"\\n\\t\\t\\t\\t\\t\\t\\t ,\\\"AppControlAppInstallationBlocked\\\", \\\"Application control blocked the installation of an untrusted app.\\\", \\\"Untrusted app installation blocked\\\"\\n\\t\\t\\t\\t\\t\\t\\t ,\\\"AppControlCodeIntegrityDriverRevoked\\\", \\\"Application control found a driver with a revoked certificate.\\\", \\\"Driver with revoked certificate detected\\\"\\n\\t\\t\\t\\t\\t\\t\\t ,\\\"AppControlCodeIntegrityImageRevoked\\\", \\\"Application control found an executable file with a revoked certificate.\\\", \\\"Executable with revoked certificate detected\\\"\\n\\t\\t\\t\\t\\t\\t\\t ,\\\"AppControlExecutableAudited\\\",\\\"Application control detected the use of an untrusted executable.\\\",\\\"Untrusted executable used\\\"\\n\\t\\t\\t\\t\\t\\t\\t ,\\\"AppControlExecutableClocked\\\",\\\"Application control blocked the use of an untrusted executable.\\\",\\\"Untrusted executable blocked\\\"\\n\\t\\t\\t\\t\\t\\t\\t ,\\\"AppControlScriptAudited\\\", \\\"Application control detected the use of an untrusted script.\\\", \\\"Untrusted script detected\\\"\\n\\t\\t\\t\\t\\t\\t\\t ,\\\"AppControlScriptBlocked\\\", \\\"Application control blocked the use of an untrusted script.\\\", \\\"Untrusted script blocked\\\" ];\\n\\t\\t\\t\\t\\t\\t\\tDeviceEvents\\n\\t\\t\\t\\t\\t\\t\\t| where ActionType in (AppControls) \\n\\t\\t\\t\\t\\t\\t\\t| where DeviceName ==p_FullDeviceName\\n\\t\\t\\t\\t\\t\\t\\t| parse InitiatingProcessAccountUpn with Account_Name \u0027@\u0027 Account_UPNSuffix\\n\\t\\t\\t\\t\\t\\t\\t| project Account_Name, Account_UPNSuffix, Account_Sid=InitiatingProcessAccountSid\\n\\t\\t\\t\\t\\t\\t\\t| summarize Account_Aux_AppConCount=count() by Account_Name, Account_UPNSuffix, Account_Sid\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by Account_Aux_AppConCount desc nulls last\\n\\t\\t\\t\\t\\t\\t\\t};\\n\\t\\t\\t\\t\\t\\t\\tAppControlEvents(\u0027\u003chostName\u003e\u0027,\u0027\u003cntDomain\u003e\u0027,\u0027\u003cdnsDomain\u003e\u0027)\",\"inputFields\":[\"hostName\",\"dnsDomain\",\"ntDomain\"],\"outputEntityTypes\":[\"Account\"],\"dataSources\":[\"DeviceEvents\"],\"inputEntityType\":\"Host\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueries/b66111f6-42ff-4f5a-8e3e-66ca1a71a758\",\"name\":\"b66111f6-42ff-4f5a-8e3e-66ca1a71a758\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"DefenderForIoT - Hosts communicating the most amount of data with this IP Address\",\"queryTemplate\":\"let ConnectionData_DefenderForIoT_GetIP2Host = (v_IP_Address:string) {\\n\\t\\t\\t\\t\\t\\t\\tlet connectionData = SecurityIoTRawEvent \\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceType = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).deviceType\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceId = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).deviceId\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientIpAddress = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).ipAddress\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientisExternal = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).isExternal\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDeviceType = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).deviceType\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDeviceId = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).deviceId\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerIpAddress = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).ipAddress\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerisExternal = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).isExternal\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceName = tostring(todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).deviceName)\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDeviceName = tostring(todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).deviceName)\\n\\t\\t\\t\\t\\t\\t\\t| extend Bandwidth = todynamic(extractjson(\\\"$Bandwidth\\\", EventDetails))\\n\\t\\t\\t\\t\\t\\t\\t| extend LastActivity = todynamic(extractjson(\\\"$LastActivity\\\", EventDetails))\\n\\t\\t\\t\\t\\t\\t\\t| extend Protocol = todynamic(extractjson(\\\"$Protocol\\\", EventDetails))\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerPort = todynamic(extractjson(\\\"$ServerPort\\\", EventDetails))\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDevice = extractjson(\\\"$ServerDevice\\\", EventDetails)\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDevice = extractjson(\\\"$ClientDevice\\\", EventDetails)\\n\\t\\t\\t\\t\\t\\t\\t| extend SensorId = DeviceId\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceGUID = strcat(SensorId, \\\"_\\\", ClientDeviceId), ServerDeviceGUID = strcat(SensorId, \\\"_\\\", ServerDeviceId);\\n\\t\\t\\t\\t\\t\\t\\tconnectionData\\n\\t\\t\\t\\t\\t\\t\\t| where ClientIpAddress == v_IP_Address or ServerIpAddress == v_IP_Address\\n\\t\\t\\t\\t\\t\\t\\t| extend Direction = iff(ClientIpAddress == v_IP_Address, \\\"Outbound\\\", \\\"Inbound\\\")\\n\\t\\t\\t\\t\\t\\t\\t| project DeviceGUID = iff(Direction == \\\"Outbound\\\", ServerDeviceGUID, ClientDeviceGUID), \\n\\t\\t\\t\\t\\t\\t\\tDeviceType = iff(Direction == \\\"Outbound\\\", ServerDeviceType, ClientDeviceType),\\n\\t\\t\\t\\t\\t\\t\\tDeviceIp = iff(Direction == \\\"Outbound\\\", ServerIpAddress, ClientIpAddress),\\n\\t\\t\\t\\t\\t\\t\\tDeviceName = iff(Direction == \\\"Outbound\\\", ServerDeviceName, ClientDeviceName),\\n\\t\\t\\t\\t\\t\\t\\tSensorId, LastActivity = todatetime(LastActivity), Bandwidth = todouble(Bandwidth), Protocol, ServerPort\\n\\t\\t\\t\\t\\t\\t\\t| summarize TotalBandwidth = sum(Bandwidth), LastActivity = max(LastActivity), Protocols = make_set(Protocol), ServerPorts = make_set(ServerPort) by DeviceGUID, DeviceName, IpAddress = tostring(DeviceIp), IoTDevice_DeviceType = tostring(DeviceType)\\n\\t\\t\\t\\t\\t\\t\\t| project-rename TotalBandwidth_MB = TotalBandwidth\\n\\t\\t\\t\\t\\t\\t\\t| extend TotalBandwidth_MB = floor(todecimal(TotalBandwidth_MB / 1000), 0.1)\\n\\t\\t\\t\\t\\t\\t\\t| project Host_HostName = DeviceName, Host_Aux_IpAddress = IpAddress, Host_Aux_Type = IoTDevice_DeviceType, Host_Aux_LastActivity = LastActivity, Host_Aux_Protocols = Protocols, Host_Aux_ServerPorts = ServerPorts, Host_Aux_TotalBandwidth_MB = TotalBandwidth_MB\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by Host_Aux_TotalBandwidth_MB\\n\\t\\t\\t\\t\\t\\t\\t};\\n\\t\\t\\t\\t\\t\\t\\tConnectionData_DefenderForIoT_GetIP2Host(\u0027\u003caddress\u003e\u0027)\",\"inputFields\":[\"address\"],\"outputEntityTypes\":[\"Host\"],\"dataSources\":[\"SecurityIoTRawEvent\"],\"inputEntityType\":\"IP\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueries/b7bd2812-f485-4430-bfac-6b0a1dd4c3f7\",\"name\":\"b7bd2812-f485-4430-bfac-6b0a1dd4c3f7\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"DefenderForIoT - IP Addresses communicating the most amount of data with this IP Address\",\"queryTemplate\":\"let ConnectionData_DefenderForIoT_GetIP2IP = (v_IP_Address:string) {\\n\\t\\t\\t\\t\\t\\t\\tlet connectionData = SecurityIoTRawEvent \\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceType = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).deviceType\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceId = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).deviceId\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientIpAddress = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).ipAddress\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientisExternal = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).isExternal\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDeviceType = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).deviceType\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDeviceId = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).deviceId\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerIpAddress = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).ipAddress\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerisExternal = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).isExternal\\n\\t\\t\\t\\t\\t\\t\\t| extend Bandwidth = todynamic(extractjson(\\\"$Bandwidth\\\", EventDetails))\\n\\t\\t\\t\\t\\t\\t\\t| extend LastActivity = todynamic(extractjson(\\\"$LastActivity\\\", EventDetails))\\n\\t\\t\\t\\t\\t\\t\\t| extend Protocol = todynamic(extractjson(\\\"$Protocol\\\", EventDetails))\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerPort = todynamic(extractjson(\\\"$ServerPort\\\", EventDetails))\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDevice = extractjson(\\\"$ServerDevice\\\", EventDetails)\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDevice = extractjson(\\\"$ClientDevice\\\", EventDetails)\\n\\t\\t\\t\\t\\t\\t\\t| extend SensorId = DeviceId\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceGUID = strcat(SensorId, \\\"_\\\", ClientDeviceId), ServerDeviceGUID = strcat(SensorId, \\\"_\\\", ServerDeviceId);\\n\\t\\t\\t\\t\\t\\t\\tconnectionData\\n\\t\\t\\t\\t\\t\\t\\t| where ClientIpAddress == v_IP_Address or ServerIpAddress == v_IP_Address\\n\\t\\t\\t\\t\\t\\t\\t| extend Direction = iff(ClientIpAddress == v_IP_Address, \\\"Outbound\\\", \\\"Inbound\\\")\\n\\t\\t\\t\\t\\t\\t\\t| project DeviceGUID = iff(Direction == \\\"Outbound\\\", ServerDeviceGUID, ClientDeviceGUID), \\n\\t\\t\\t\\t\\t\\t\\tDeviceType = iff(Direction == \\\"Outbound\\\", ServerDeviceType, ClientDeviceType),\\n\\t\\t\\t\\t\\t\\t\\tDeviceIp = iff(Direction == \\\"Outbound\\\", ServerIpAddress, ClientIpAddress),\\n\\t\\t\\t\\t\\t\\t\\tDeviceIsExternal = iff(Direction == \\\"Outbound\\\", ServerisExternal, ClientisExternal),\\n\\t\\t\\t\\t\\t\\t\\tSensorId, LastActivity = todatetime(LastActivity), Bandwidth = todouble(Bandwidth), Protocol, ServerPort, Direction\\n\\t\\t\\t\\t\\t\\t\\t| summarize TotalBandwidth = sum(Bandwidth), LastActivity = max(LastActivity), Protocols = make_set(Protocol), ServerPorts = make_set(ServerPort) by IoTDevice_DeviceId = DeviceGUID, IoTDevice_IpAddress = tostring(DeviceIp), IoTDevice_DeviceType = tostring(DeviceType), DeviceIsExternal = tostring(DeviceIsExternal)\\n\\t\\t\\t\\t\\t\\t\\t| project-rename TotalBandwidth_MB = TotalBandwidth\\n\\t\\t\\t\\t\\t\\t\\t| project IP_Address = IoTDevice_IpAddress, IP_Aux_DeviceType = IoTDevice_DeviceType, IP_Aux_LastActivity = LastActivity, IP_Aux_Protocols = Protocols, IP_Aux_ServerPorts = ServerPorts, IP_Aux_TotalBandwidth_MB = TotalBandwidth_MB, IP_Aux_IsExternal = DeviceIsExternal\\n\\t\\t\\t\\t\\t\\t\\t| extend IP_Aux_TotalBandwidth_MB = floor(todecimal(IP_Aux_TotalBandwidth_MB / 1000), 0.1)\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by IP_Aux_TotalBandwidth_MB\\n\\t\\t\\t\\t\\t\\t\\t};\\n\\t\\t\\t\\t\\t\\t\\tConnectionData_DefenderForIoT_GetIP2IP(\u0027\u003caddress\u003e\u0027)\",\"inputFields\":[\"address\"],\"outputEntityTypes\":[\"IP\"],\"dataSources\":[\"SecurityIoTRawEvent\"],\"inputEntityType\":\"IP\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueries/37ca3555-c135-4a73-a65e-9c1d00323f5d\",\"name\":\"37ca3555-c135-4a73-a65e-9c1d00323f5d\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"The least active accounts on Azure from this IP\",\"queryTemplate\":\"let AccountActivity_byIP = (v_IP_Address:string){\\n\\t\\t\\t\\t\\t\\t\\tAzureActivity\\n\\t\\t\\t\\t\\t\\t\\t| where Caller != \u0027\u0027 and CallerIpAddress =~ v_IP_Address\\n\\t\\t\\t\\t\\t\\t\\t| summarize Account_Aux_StartTime = min(TimeGenerated), \\n\\t\\t\\t\\t\\t\\t\\t Account_Aux_EndTime = max(TimeGenerated), \\n\\t\\t\\t\\t\\t\\t\\t Count = count() by \\n\\t\\t\\t\\t\\t\\t\\t Caller, TenantId\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by Count asc nulls last \\n\\t\\t\\t\\t\\t\\t\\t| extend UPN = iff(Caller contains \u0027@\u0027, Caller, \u0027\u0027), Account_AadUserId = toguid(iff(Caller !contains \u0027@\u0027, Caller,\u0027\u0027))\\n\\t\\t\\t\\t\\t\\t\\t| extend Account_Name = split(UPN,\u0027@\u0027)[0] , Account_UPNSuffix = split(UPN,\u0027@\u0027)[1]\\n\\t\\t\\t\\t\\t\\t\\t| project Account_Name, Account_UPNSuffix, Account_AadUserId, Account_AadTenantId=TenantId, Account_Aux_StartTime , Account_Aux_EndTime \\n\\t\\t\\t\\t\\t\\t\\t};\\n\\t\\t\\t\\t\\t\\t\\tAccountActivity_byIP(\u0027\u003caddress\u003e\u0027)\",\"inputFields\":[\"address\"],\"outputEntityTypes\":[\"Account\"],\"dataSources\":[\"AzureActivity\"],\"inputEntityType\":\"IP\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueries/97a1d515-abf2-4231-9a35-985f9de0bb91\",\"name\":\"97a1d515-abf2-4231-9a35-985f9de0bb91\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"The most active accounts on Azure from this IP\",\"queryTemplate\":\"let AccountActivity_byIP = (v_IP_Address:string){\\n\\t\\t\\t\\t\\t\\t\\tAzureActivity\\n\\t\\t\\t\\t\\t\\t\\t| where Caller != \u0027\u0027 and CallerIpAddress =~ v_IP_Address\\n\\t\\t\\t\\t\\t\\t\\t| summarize Account_Aux_StartTime = min(TimeGenerated), \\n\\t\\t\\t\\t\\t\\t\\t Account_Aux_EndTime = max(TimeGenerated), \\n\\t\\t\\t\\t\\t\\t\\t Count = count() by \\n\\t\\t\\t\\t\\t\\t\\t Caller, TenantId\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by Count desc nulls last \\n\\t\\t\\t\\t\\t\\t\\t| extend UPN = iff(Caller contains \u0027@\u0027, Caller, \u0027\u0027), Account_AadUserId = toguid(iff(Caller !contains \u0027@\u0027, Caller,\u0027\u0027))\\n\\t\\t\\t\\t\\t\\t\\t| extend Account_Name = split(UPN,\u0027@\u0027)[0] , Account_UPNSuffix = split(UPN,\u0027@\u0027)[1]\\n\\t\\t\\t\\t\\t\\t\\t| project Account_Name, Account_UPNSuffix, Account_AadUserId, Account_AadTenantId=TenantId, Account_Aux_StartTime , Account_Aux_EndTime \\n\\t\\t\\t\\t\\t\\t\\t};\\n\\t\\t\\t\\t\\t\\t\\tAccountActivity_byIP(\u0027\u003caddress\u003e\u0027)\",\"inputFields\":[\"address\"],\"outputEntityTypes\":[\"Account\"],\"dataSources\":[\"AzureActivity\"],\"inputEntityType\":\"IP\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueries/aa497951-c779-4ea2-be2a-127ea66c5fba\",\"name\":\"aa497951-c779-4ea2-be2a-127ea66c5fba\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Hosts receiving the least amount of data from this IP\",\"queryTemplate\":\"let HostsReceivingDatafromIP = (v_IP_Address:string){\\n\\t\\t\\t\\t\\t\\t\\tWireData\\n\\t\\t\\t\\t\\t\\t\\t| parse Computer with HostName \u0027.\u0027 Host_DnsDomain\\n\\t\\t\\t\\t\\t\\t\\t| where SessionState == \u0027Disconnected\u0027 \\n\\t\\t\\t\\t\\t\\t\\t| where RemoteIP =~ v_IP_Address\\n\\t\\t\\t\\t\\t\\t\\t| extend Host_HostName = iff(Computer has \u0027.\u0027, HostName, Computer)\\n\\t\\t\\t\\t\\t\\t\\t| summarize Host_Aux_BytesReceived = sum(ReceivedBytes), Host_Aux_LocalIPs=make_set(LocalIP) by Host_HostName, Host_DnsDomain\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by Host_Aux_BytesReceived asc nulls last\\n\\t\\t\\t\\t\\t\\t\\t};\\n\\t\\t\\t\\t\\t\\t\\tHostsReceivingDatafromIP(\u0027\u003caddress\u003e\u0027)\",\"inputFields\":[\"address\"],\"outputEntityTypes\":[\"Host\"],\"dataSources\":[\"WireData\"],\"inputEntityType\":\"IP\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueries/73fb9b8d-fd13-4c43-8136-6d693cafaa23\",\"name\":\"73fb9b8d-fd13-4c43-8136-6d693cafaa23\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Hosts receiving the most amount of data from this IP\",\"queryTemplate\":\"let HostsReceivingDatafromIP = (v_IP_Address:string){\\n\\t\\t\\t\\t\\t\\t\\tWireData\\n\\t\\t\\t\\t\\t\\t\\t| parse Computer with HostName \u0027.\u0027 Host_DnsDomain\\n\\t\\t\\t\\t\\t\\t\\t| where SessionState == \u0027Disconnected\u0027\\n\\t\\t\\t\\t\\t\\t\\t| where RemoteIP =~ v_IP_Address\\n\\t\\t\\t\\t\\t\\t\\t| extend Host_HostName = iff(Computer has \u0027.\u0027, HostName, Computer)\\n\\t\\t\\t\\t\\t\\t\\t| summarize Host_Aux_BytesReceived = sum(ReceivedBytes), Host_Aux_LocalIPs=make_set(LocalIP) by Host_HostName, Host_DnsDomain\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by Host_Aux_BytesReceived desc nulls last\\n\\t\\t\\t\\t\\t\\t\\t};\\n\\t\\t\\t\\t\\t\\t\\tHostsReceivingDatafromIP(\u0027\u003caddress\u003e\u0027)\",\"inputFields\":[\"address\"],\"outputEntityTypes\":[\"Host\"],\"dataSources\":[\"WireData\"],\"inputEntityType\":\"IP\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueries/ab597a67-352e-4914-b2e6-d64919a910a8\",\"name\":\"ab597a67-352e-4914-b2e6-d64919a910a8\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Hosts sending the least amount of data to this IP\",\"queryTemplate\":\"let HostsSendingDatatoIP = (v_IP_Address:string){\\n\\t\\t\\t\\t\\t\\t\\tWireData\\n\\t\\t\\t\\t\\t\\t\\t| where SessionState == \u0027Disconnected\u0027 \\n\\t\\t\\t\\t\\t\\t\\t| where RemoteIP =~ v_IP_Address\\n\\t\\t\\t\\t\\t\\t\\t| summarize Host_Aux_BytesSent = sum(SentBytes) by Computer, LocalIP\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by Host_Aux_BytesSent asc nulls last \\n\\t\\t\\t\\t\\t\\t\\t| project-rename Host_UnstructuredName=Computer, Host_Aux_LocalIP=LocalIP\\n\\t\\t\\t\\t\\t\\t\\t };\\n\\t\\t\\t\\t\\t\\t\\tHostsSendingDatatoIP(\u0027\u003caddress\u003e\u0027)\",\"inputFields\":[\"address\"],\"outputEntityTypes\":[\"Host\"],\"dataSources\":[\"WireData\"],\"inputEntityType\":\"IP\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueries/5b57680b-d60a-42a5-9cd5-17e499834f8e\",\"name\":\"5b57680b-d60a-42a5-9cd5-17e499834f8e\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Hosts sending the most amount of data to this IP\",\"queryTemplate\":\"let HostsSendingDatatoIP = (v_IP_Address:string){\\n\\t\\t\\t\\t\\t\\t\\tWireData\\n\\t\\t\\t\\t\\t\\t\\t| where SessionState == \u0027Disconnected\u0027 \\n\\t\\t\\t\\t\\t\\t\\t| where RemoteIP =~ v_IP_Address\\n\\t\\t\\t\\t\\t\\t\\t| summarize Host_Aux_BytesSent = sum(SentBytes) by Computer, LocalIP\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by Host_Aux_BytesSent desc nulls last \\n\\t\\t\\t\\t\\t\\t\\t| project-rename Host_UnstructuredName=Computer, Host_Aux_LocalIP=LocalIP \\n\\t\\t\\t\\t\\t\\t\\t};\\n\\t\\t\\t\\t\\t\\t\\tHostsSendingDatatoIP(\u0027\u003caddress\u003e\u0027)\",\"inputFields\":[\"address\"],\"outputEntityTypes\":[\"Host\"],\"dataSources\":[\"WireData\"],\"inputEntityType\":\"IP\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueries/980762f8-014e-4439-8840-5f0a90285dce\",\"name\":\"980762f8-014e-4439-8840-5f0a90285dce\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Destination IPs with the greatest number of dropped sessions\",\"queryTemplate\":\"let MostDroppedDestIP = (v_IP_Address:string){\\n\\t\\t\\t\\t\\t\\t\\tWindowsFirewall\\n\\t\\t\\t\\t\\t\\t\\t| where FirewallAction == \u0027DROP\u0027\\n\\t\\t\\t\\t\\t\\t\\t and SourceIP =~ v_IP_Address\\n\\t\\t\\t\\t\\t\\t\\t| summarize DropCount = count(), Ports = makeset(DestinationPort) by DestinationIP\\n\\t\\t\\t\\t\\t\\t\\t| sort by array_length(Ports), DropCount\\n\\t\\t\\t\\t\\t\\t\\t| serialize rn=row_number()\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by rn asc nulls last\\n\\t\\t\\t\\t\\t\\t\\t| project-rename IP_Address = DestinationIP, IP_Aux_DropCount = DropCount, IP_Aux_DroppedSessionPorts = Ports\\n\\t\\t\\t\\t\\t\\t\\t| project-away rn\\n\\t\\t\\t\\t\\t\\t\\t};\\n\\t\\t\\t\\t\\t\\t\\tMostDroppedDestIP(\u0027\u003caddress\u003e\u0027)\",\"inputFields\":[\"address\"],\"outputEntityTypes\":[\"IP\"],\"dataSources\":[\"WindowsFirewall\"],\"inputEntityType\":\"IP\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueries/935ab312-cb52-42a5-b296-548f21786102\",\"name\":\"935ab312-cb52-42a5-b296-548f21786102\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Source IPs with the greatest number of dropped sessions\",\"queryTemplate\":\"let MostDroppedSourceIP = (v_IP_Address:string){\\n\\t\\t\\t\\t\\t\\t\\tWindowsFirewall\\n\\t\\t\\t\\t\\t\\t\\t| where FirewallAction == \u0027DROP\u0027\\n\\t\\t\\t\\t\\t\\t\\t and DestinationIP =~ v_IP_Address\\n\\t\\t\\t\\t\\t\\t\\t| summarize IP_Aux_DropCount = count(), IP_Aux_DestPorts = makeset(DestinationPort) by SourceIP\\n\\t\\t\\t\\t\\t\\t\\t| sort by IP_Aux_DropCount\\n\\t\\t\\t\\t\\t\\t\\t| serialize rn=row_number()\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by rn asc nulls last\\n\\t\\t\\t\\t\\t\\t\\t| project IP_Address = SourceIP, IP_Aux_DropCount, IP_Aux_DestPorts\\n\\t\\t\\t\\t\\t\\t\\t};\\n\\t\\t\\t\\t\\t\\t\\tMostDroppedSourceIP(\u0027\u003caddress\u003e\u0027)\",\"inputFields\":[\"address\"],\"outputEntityTypes\":[\"IP\"],\"dataSources\":[\"WindowsFirewall\"],\"inputEntityType\":\"IP\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueries/588f5d9f-3380-4eff-9983-e61d62fdd172\",\"name\":\"588f5d9f-3380-4eff-9983-e61d62fdd172\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Office activity accounts with this IP\",\"queryTemplate\":\"let GetAllAccountByIP = (v_IP_Address:string){\\n\\t\\t\\t\\t\\t\\t\\tOfficeActivity \\n\\t\\t\\t\\t\\t\\t\\t| where ClientIP =~ v_IP_Address\\n\\t\\t\\t\\t\\t\\t\\t| extend info = pack(\u0027ClientIP\u0027, ClientIP, \u0027UserType\u0027, UserType, \u0027Operation\u0027, Operation, \u0027OfficeWorkload\u0027, OfficeWorkload, \u0027ResultStatus\u0027, ResultStatus)\\n\\t\\t\\t\\t\\t\\t\\t| summarize min(TimeGenerated), max(TimeGenerated), Account_Aux_Count=count(), Account_Aux_info = makeset(info) by UserId\\n\\t\\t\\t\\t\\t\\t\\t| project Account_Aux_StartTime = min_TimeGenerated, Account_Aux_EndTime = max_TimeGenerated, UserId, Account_Aux_Count, Account_Aux_info\\n\\t\\t\\t\\t\\t\\t\\t| project-rename Account_UnstructuredName=UserId\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by Account_Aux_Count desc nulls last\\n\\t\\t\\t\\t\\t\\t\\t};\\n\\t\\t\\t\\t\\t\\t\\tGetAllAccountByIP(\u0027\u003caddress\u003e\u0027)\",\"inputFields\":[\"address\"],\"outputEntityTypes\":[\"Account\"],\"dataSources\":[\"OfficeActivity\"],\"inputEntityType\":\"IP\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueries/801bacb0-612a-4195-a84f-7939cca63b92\",\"name\":\"801bacb0-612a-4195-a84f-7939cca63b92\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Least prevalent client IPs with DNS name lookup query for this IP\",\"queryTemplate\":\"let GetAllIPByClientIP = (v_IP_Address:string){\\n\\t\\t\\t\\t\\t\\t\\t _Im_Dns(response_has_ipv4=v_IP_Address)\\n\\t\\t\\t\\t\\t\\t\\t | extend IP_Address=SrcIpAddr\\n\\t\\t\\t\\t\\t\\t\\t | summarize IP_Aux_StartTime=min(TimeGenerated), IP_Aux_EndTime=max(TimeGenerated), IP_Aux_DomainNames=make_set(DnsQuery), IP_Aux_Count= count() by IP_Address\\n\\t\\t\\t\\t\\t\\t\\t | top 10 by IP_Aux_Count asc nulls last\\n\\t\\t\\t\\t\\t\\t\\t };\\n\\t\\t\\t\\t\\t\\t\\t GetAllIPByClientIP(\u0027\u003caddress\u003e\u0027)\",\"inputFields\":[\"address\"],\"outputEntityTypes\":[\"IP\"],\"dataSources\":[\"DnsEvents\"],\"inputEntityType\":\"IP\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueries/188ff904-e3c3-4253-9326-e0190b4b7a01\",\"name\":\"188ff904-e3c3-4253-9326-e0190b4b7a01\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Least prevalent inbound WireData connections\",\"queryTemplate\":\"let GetWireDataInboundWithIp = (v_IPAddress:string){\\n\\t\\t\\t\\t\\t\\t\\tWireData\\n\\t\\t\\t\\t\\t\\t\\t| where Direction == \u0027Inbound\u0027 \\n\\t\\t\\t\\t\\t\\t\\t| where RemoteIP has v_IPAddress\\n\\t\\t\\t\\t\\t\\t\\t| extend info = pack(\u0027LocalPortNumber\u0027, LocalPortNumber, \u0027RemoteIP\u0027, RemoteIP, \u0027Direction\u0027, Direction, \u0027ApplicationProtocol\u0027, ApplicationProtocol)\\n\\t\\t\\t\\t\\t\\t\\t| summarize Process_Aux_EarliestSessionStartTime=min(SessionStartTime), count(), IP_Aux_info = makeset(info) by Computer, ProcessName , LocalIP, ProcessID\\n\\t\\t\\t\\t\\t\\t\\t| extend Process_Aux_info = IP_Aux_info, Host_Aux_info = IP_Aux_info\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by count_ asc\\n\\t\\t\\t\\t\\t\\t\\t| project Process_Aux_EarliestSessionStartTime, Computer, ProcessName , LocalIP, Process_ProcessId=tostring(ProcessID), IP_Aux_info, Process_Aux_info, Host_Aux_info\\n\\t\\t\\t\\t\\t\\t\\t| project-rename IP_Address=LocalIP, Process_ImageFile_FullPath=ProcessName, Host_UnstructuredName=Computer\\n\\t\\t\\t\\t\\t\\t\\t};\\n\\t\\t\\t\\t\\t\\t\\tGetWireDataInboundWithIp(\u0027\u003caddress\u003e\u0027)\",\"inputFields\":[\"address\"],\"outputEntityTypes\":[\"IP\",\"Process\",\"Host\"],\"dataSources\":[\"WireData\"],\"inputEntityType\":\"IP\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueries/897267e4-68e1-4827-b318-7fb055b52fc0\",\"name\":\"897267e4-68e1-4827-b318-7fb055b52fc0\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Least prevalent outbound WireData connections\",\"queryTemplate\":\"let GetWireDataOutboundWithIp = (v_IP_Address:string){\\n\\t\\t\\t\\t\\t\\t\\tWireData\\n\\t\\t\\t\\t\\t\\t\\t| where Direction == \u0027Outbound\u0027\\n\\t\\t\\t\\t\\t\\t\\t| where LocalIP has v_IP_Address\\n\\t\\t\\t\\t\\t\\t\\t| extend info = pack(\u0027LocalIP\u0027, LocalIP, \u0027LocalPortNumber\u0027, LocalPortNumber, \u0027Direction\u0027, Direction, \u0027ApplicationProtocol\u0027, ApplicationProtocol)\\n\\t\\t\\t\\t\\t\\t\\t| summarize count(), IP_Aux_info = makeset(info) by Computer, ProcessName, RemoteIP, ProcessID\\n\\t\\t\\t\\t\\t\\t\\t| extend Process_Aux_info = IP_Aux_info, Host_Aux_info = IP_Aux_info\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by count_ asc\\n\\t\\t\\t\\t\\t\\t\\t| project Computer, ProcessName, RemoteIP, Process_ProcessId=tostring(ProcessID), IP_Aux_info, Process_Aux_info, Host_Aux_info\\n\\t\\t\\t\\t\\t\\t\\t| project-rename IP_Address=RemoteIP, Process_ImageFile_FullPath=ProcessName, Host_UnstructuredName=Computer\\n\\t\\t\\t\\t\\t\\t\\t};\\n\\t\\t\\t\\t\\t\\t\\tGetWireDataOutboundWithIp(\u0027\u003caddress\u003e\u0027)\",\"inputFields\":[\"address\"],\"outputEntityTypes\":[\"IP\",\"Process\",\"Host\"],\"dataSources\":[\"WireData\"],\"inputEntityType\":\"IP\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueries/fdb3e714-c036-4708-a0eb-6ae10a1912a1\",\"name\":\"fdb3e714-c036-4708-a0eb-6ae10a1912a1\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Least prevalent accounts associated with this IP\",\"queryTemplate\":\"let GetLeastPrevUsersbyIP = (v_IP_Address:string){\\n\\t\\t\\t\\t\\t\\t\\tSigninLogs\\n\\t\\t\\t\\t\\t\\t\\t| where IPAddress contains v_IP_Address\\n\\t\\t\\t\\t\\t\\t\\t| extend RemoteHost = tolower(tostring(parse_json(DeviceDetail[\u0027displayName\u0027])))\\n\\t\\t\\t\\t\\t\\t\\t| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\\n\\t\\t\\t\\t\\t\\t\\t| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\n\\t\\t\\t\\t\\t\\t\\t| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city)\\n\\t\\t\\t\\t\\t\\t\\t| extend info = pack(\u0027AppDisplayName\u0027, AppDisplayName, \u0027ClientAppUsed\u0027, ClientAppUsed, \u0027Browser\u0027, tostring(Browser), \u0027IPAddress\u0027, IPAddress, \u0027ResultType\u0027, ResultType, \u0027ResultDescription\u0027, ResultDescription, \u0027Location\u0027, Location, \u0027State\u0027, State, \u0027City\u0027, City, \u0027StatusCode\u0027, StatusCode, \u0027StatusDetails\u0027, StatusDetails)\\n\\t\\t\\t\\t\\t\\t\\t| summarize min(TimeGenerated), max(TimeGenerated), count(), Account_Aux_info = makeset(info) by RemoteHost , UserDisplayName, tostring(OS), UserPrincipalName, AADTenantId, UserId\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by count_ asc nulls last \\n\\t\\t\\t\\t\\t\\t\\t| project Account_Aux_StartTime = min_TimeGenerated, Account_Aux_EndTime = max_TimeGenerated, RemoteHost, UserDisplayName, OS, UserPrincipalName, AADTenantId, Account_AadUserId=toguid(UserId), Account_Aux_info\\n\\t\\t\\t\\t\\t\\t\\t| project-rename Account_UnstructuredName=UserPrincipalName, Account_DisplayName=UserDisplayName, Account_AadTenantId=AADTenantId , Account_Host_UnstructuredName=RemoteHost, Account_Host_OSVersion=OS };\\n\\t\\t\\t\\t\\t\\t\\tGetLeastPrevUsersbyIP(\u0027\u003caddress\u003e\u0027)\",\"inputFields\":[\"address\"],\"outputEntityTypes\":[\"Account\"],\"dataSources\":[\"SigninLogs\"],\"inputEntityType\":\"IP\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueries/0cb64e03-8534-47b6-9094-7de2d018fd7a\",\"name\":\"0cb64e03-8534-47b6-9094-7de2d018fd7a\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Most prevalent client IPs with DNS name lookup query for this IP\",\"queryTemplate\":\"let GetAllIPByClientIP = (v_IP_Address:string){\\n\\t\\t\\t\\t\\t\\t\\t _Im_Dns(response_has_ipv4=v_IP_Address)\\n\\t\\t\\t\\t\\t\\t\\t | extend IP_Address=SrcIpAddr\\n\\t\\t\\t\\t\\t\\t\\t | summarize IP_Aux_StartTime=min(TimeGenerated), IP_Aux_EndTime=max(TimeGenerated), IP_Aux_DomainNames=make_set(DnsQuery), IP_Aux_Count= count() by IP_Address\\n\\t\\t\\t\\t\\t\\t\\t | top 10 by IP_Aux_Count desc nulls last\\n\\t\\t\\t\\t\\t\\t\\t };\\n\\t\\t\\t\\t\\t\\t\\t GetAllIPByClientIP(\u0027\u003caddress\u003e\u0027)\",\"inputFields\":[\"address\"],\"outputEntityTypes\":[\"IP\"],\"dataSources\":[\"DnsEvents\"],\"inputEntityType\":\"IP\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueries/41146c58-ffc6-47ff-975e-f85013629dfd\",\"name\":\"41146c58-ffc6-47ff-975e-f85013629dfd\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Most prevalent Linux hosts with this IP\",\"queryTemplate\":\"let GetSysLogEventsWithIP = (v_IP_Address:string){\\n\\t\\t\\t\\t\\t\\t\\tSyslog\\n\\t\\t\\t\\t\\t\\t\\t| where HostIP has v_IP_Address\\n\\t\\t\\t\\t\\t\\t\\t| extend info = pack(\u0027HostIP\u0027, HostIP, \u0027ProcessName\u0027, ProcessName, \u0027SeverityLevel\u0027, SeverityLevel)\\n\\t\\t\\t\\t\\t\\t\\t| summarize min(EventTime), max(EventTime), count(), Host_Aux_info = makeset(info) by Computer\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by count_ desc nulls last \\n\\t\\t\\t\\t\\t\\t\\t| project Host_Aux_StartTime = min_EventTime, Host_Aux_EndTime = max_EventTime, Computer, Host_Aux_info\\n\\t\\t\\t\\t\\t\\t\\t| project-rename Host_UnstructuredName=Computer\\n\\t\\t\\t\\t\\t\\t\\t};\\n\\t\\t\\t\\t\\t\\t\\tGetSysLogEventsWithIP(\u0027\u003caddress\u003e\u0027)\",\"inputFields\":[\"address\"],\"outputEntityTypes\":[\"Host\"],\"dataSources\":[\"Syslog\"],\"inputEntityType\":\"IP\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueries/bc6c7cc9-da18-4afd-8fda-d201f13b54a4\",\"name\":\"bc6c7cc9-da18-4afd-8fda-d201f13b54a4\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Most prevalent accounts associated with this IP\",\"queryTemplate\":\"let GetMostPrevUsersbyIP = (v_IP_Address:string){\\n\\t\\t\\t\\t\\t\\t\\tSigninLogs\\n\\t\\t\\t\\t\\t\\t\\t| where IPAddress contains v_IP_Address\\n\\t\\t\\t\\t\\t\\t\\t| extend RemoteHost = tolower(tostring(parse_json(DeviceDetail[\u0027displayName\u0027])))\\n\\t\\t\\t\\t\\t\\t\\t| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\\n\\t\\t\\t\\t\\t\\t\\t| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\n\\t\\t\\t\\t\\t\\t\\t| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city)\\n\\t\\t\\t\\t\\t\\t\\t| extend info = pack(\u0027AppDisplayName\u0027, AppDisplayName, \u0027ClientAppUsed\u0027, ClientAppUsed, \u0027Browser\u0027, tostring(Browser), \u0027IPAddress\u0027, IPAddress, \u0027ResultType\u0027, ResultType, \u0027ResultDescription\u0027, ResultDescription, \u0027Location\u0027, Location, \u0027State\u0027, State, \u0027City\u0027, City, \u0027StatusCode\u0027, StatusCode, \u0027StatusDetails\u0027, StatusDetails)\\n\\t\\t\\t\\t\\t\\t\\t| summarize min(TimeGenerated), max(TimeGenerated), count(), Account_Aux_info = makeset(info) by RemoteHost , UserDisplayName, tostring(OS), UserPrincipalName, AADTenantId, UserId\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by count_ desc nulls last \\n\\t\\t\\t\\t\\t\\t\\t| project Account_Aux_StartTimeUtc = min_TimeGenerated, Account_Aux_EndTimeUtc = max_TimeGenerated, RemoteHost, UserDisplayName, OS, UserPrincipalName, AADTenantId, Account_Aux_info, Account_AadUserId=toguid(UserId)\\n\\t\\t\\t\\t\\t\\t\\t| project-rename Account_UnstructuredName=UserPrincipalName, Account_DisplayName=UserDisplayName, Account_AadTenantId=AADTenantId, Account_Host_UnstructuredName=RemoteHost, Account_Host_OSVersion=OS\\n\\t\\t\\t\\t\\t\\t\\t};\\n\\t\\t\\t\\t\\t\\t\\tGetMostPrevUsersbyIP(\u0027\u003caddress\u003e\u0027)\",\"inputFields\":[\"address\"],\"outputEntityTypes\":[\"Account\"],\"dataSources\":[\"SigninLogs\"],\"inputEntityType\":\"IP\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueries/f87b2afb-068f-4734-88a0-94560309f9c7\",\"name\":\"f87b2afb-068f-4734-88a0-94560309f9c7\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Processes blocked from loading non-Microsoft-signed binaries\",\"queryTemplate\":\"let BlockedUnsignedFile = (v_Process_ProcessId:int, v_Process_ImageFile:string){\\n\\t\\t\\t\\t\\t\\t\\tlet p_Process_ImageFile_Name = tostring(parse_json(v_Process_ImageFile)[\u0027Name\u0027]);\\n\\t\\t\\t\\t\\t\\t\\tDeviceEvents\\n\\t\\t\\t\\t\\t\\t\\t| where ActionType == \\\"ExploitGuardNonMicrosoftSignedBlocked\\\" and FileName !hassuffix \\\".ni.dll\\\"\\n\\t\\t\\t\\t\\t\\t\\t| where InitiatingProcessId == v_Process_ProcessId and InitiatingProcessFileName =~ p_Process_ImageFile_Name\\n\\t\\t\\t\\t\\t\\t\\t| summarize Count=count() by FileName\\n\\t\\t\\t\\t\\t\\t\\t| top 15 by Count desc\\n\\t\\t\\t\\t\\t\\t\\t| project File_Name=FileName\\n\\t\\t\\t\\t\\t\\t\\t};\\n\\t\\t\\t\\t\\t\\t\\tBlockedUnsignedFile(\u0027\u003cv_Process_ProcessId\u003e\u0027,\u0027\u003cv_Process_ImageFile\u003e\u0027)\",\"inputFields\":[\"processId\",\"ImageFile\"],\"outputEntityTypes\":[\"File\"],\"dataSources\":[\"DeviceEvents\"],\"inputEntityType\":\"Process\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueries/77f9839a-1c03-49e2-803e-72b97042fc05\",\"name\":\"77f9839a-1c03-49e2-803e-72b97042fc05\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Least prevalent inbound WireData connections\",\"queryTemplate\":\"let GetWireDataInboundWithProcess = (v_Process_CommandLine:string){\\n\\t\\t\\t\\t\\t\\t\\tlet tempFullPath = tostring(split(v_Process_CommandLine, \u0027 \u0027)[0]);\\n\\t\\t\\t\\t\\t\\t\\tlet tempFullPath2 = iff(tempFullPath startswith \u0027\\\"\u0027, substring(tempFullPath, 1, strlen(tempFullPath)-2), tempFullPath);\\n\\t\\t\\t\\t\\t\\t\\tlet v_Process_ImageFile_FullPath = iff(tempFullPath2 startswith \u0027\\\\\\\\??\\\\\\\\\u0027, substring(tempFullPath2, 4, strlen(tempFullPath2)-1), tempFullPath2);\\n\\t\\t\\t\\t\\t\\t\\tWireData\\n\\t\\t\\t\\t\\t\\t\\t| where Direction == \u0027Inbound\u0027\\n\\t\\t\\t\\t\\t\\t\\t| where ProcessName has v_Process_ImageFile_FullPath\\n\\t\\t\\t\\t\\t\\t\\t| extend info = pack(\u0027ProcessName\u0027, ProcessName, \u0027LocalPortNumber\u0027, LocalPortNumber, \u0027RemoteIP\u0027, RemoteIP, \u0027Direction\u0027, Direction, \u0027ApplicationProtocol\u0027, ApplicationProtocol)\\n\\t\\t\\t\\t\\t\\t\\t| summarize min(SessionStartTime), count(), IP_Aux_info = makeset(info) by Computer, LocalIP\\n\\t\\t\\t\\t\\t\\t\\t| extend Host_Aux_info = IP_Aux_info\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by count_ asc\\n\\t\\t\\t\\t\\t\\t\\t| project min_SessionStartTime, Computer, LocalIP, IP_Aux_info, Host_Aux_info\\n\\t\\t\\t\\t\\t\\t\\t| project-rename IP_Address=LocalIP, Host_UnstructuredName=Computer, Host_Aux_min_SessionStartTime=min_SessionStartTime\\n\\t\\t\\t\\t\\t\\t\\t};\\n\\t\\t\\t\\t\\t\\t\\tGetWireDataInboundWithProcess(\u0027\u003ccommandLine\u003e\u0027)\",\"inputFields\":[\"commandLine\"],\"outputEntityTypes\":[\"IP\",\"Host\"],\"dataSources\":[\"WireData\"],\"inputEntityType\":\"Process\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueries/def383f2-dff3-4f5b-9416-aca8dca39812\",\"name\":\"def383f2-dff3-4f5b-9416-aca8dca39812\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Least prevalent Linux hosts with this process\",\"queryTemplate\":\"let GetSysLogEventsWithProcess = (v_Process_CommandLine:string){\\n\\t\\t\\t\\t\\t\\t\\tlet tempFullPath = tostring(split(v_Process_CommandLine, \u0027 \u0027)[0]);\\n\\t\\t\\t\\t\\t\\t\\tlet tempFullPath2 = iff(tempFullPath startswith \u0027\\\"\u0027, substring(tempFullPath, 1, strlen(tempFullPath)-2), tempFullPath);\\n\\t\\t\\t\\t\\t\\t\\tlet v_Process_ImageFile_FullPath = iff(tempFullPath2 startswith \u0027\\\\\\\\??\\\\\\\\\u0027, substring(tempFullPath2, 4, strlen(tempFullPath2)-1), tempFullPath2);\\n\\t\\t\\t\\t\\t\\t\\tSyslog\\n\\t\\t\\t\\t\\t\\t\\t| where ProcessName has v_Process_ImageFile_FullPath\\n\\t\\t\\t\\t\\t\\t\\t| extend info = pack(\u0027HostName\u0027, HostName, \u0027HostIP\u0027, HostIP, \u0027ProcessName\u0027, ProcessName, \u0027SyslogMessage\u0027, SyslogMessage)\\n\\t\\t\\t\\t\\t\\t\\t| summarize min(EventTime), max(EventTime), count(), Host_Aux_info = makeset(info) by Computer\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by count_ asc nulls last \\n\\t\\t\\t\\t\\t\\t\\t| project Host_Aux_StartTime=min_EventTime, Host_Aux_EndTime=max_EventTime, Computer, Host_Aux_info\\n\\t\\t\\t\\t\\t\\t\\t| project-rename Host_UnstructuredName=Computer\\n\\t\\t\\t\\t\\t\\t\\t};\\n\\t\\t\\t\\t\\t\\t\\tGetSysLogEventsWithProcess(\u0027\u003ccommandLine\u003e\u0027)\",\"inputFields\":[\"commandLine\"],\"outputEntityTypes\":[\"Host\"],\"dataSources\":[\"Syslog\"],\"inputEntityType\":\"Process\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueries/39df618a-684d-402d-b096-6f505a8e741e\",\"name\":\"39df618a-684d-402d-b096-6f505a8e741e\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Least prevalent outbound WireData connections\",\"queryTemplate\":\"let GetWireDataOutboundWithProcess = (v_Process_CommandLine:string){\\n\\t\\t\\t\\t\\t\\t\\tlet tempFullPath = tostring(split(v_Process_CommandLine, \u0027 \u0027)[0]);\\n\\t\\t\\t\\t\\t\\t\\tlet tempFullPath2 = iff(tempFullPath startswith \u0027\\\"\u0027, substring(tempFullPath, 1, strlen(tempFullPath)-2), tempFullPath);\\n\\t\\t\\t\\t\\t\\t\\tlet v_Process_ImageFile_FullPath = iff(tempFullPath2 startswith \u0027\\\\\\\\??\\\\\\\\\u0027, substring(tempFullPath2, 4, strlen(tempFullPath2)-1), tempFullPath2);\\n\\t\\t\\t\\t\\t\\t\\tWireData\\n\\t\\t\\t\\t\\t\\t\\t| where Direction == \u0027Outbound\u0027\\n\\t\\t\\t\\t\\t\\t\\t| where ProcessName has v_Process_ImageFile_FullPath\\n\\t\\t\\t\\t\\t\\t\\t| extend info = pack(\u0027ProcessName\u0027, ProcessName, \u0027LocalIP\u0027, LocalIP, \u0027LocalPortNumber\u0027, LocalPortNumber, \u0027Direction\u0027, Direction, \u0027ApplicationProtocol\u0027, ApplicationProtocol)\\n\\t\\t\\t\\t\\t\\t\\t| summarize min(SessionStartTime), count(), IP_Aux_info = makeset(info) by Computer, RemoteIP\\n\\t\\t\\t\\t\\t\\t\\t| extend Host_Aux_info = IP_Aux_info\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by count_ asc\\n\\t\\t\\t\\t\\t\\t\\t| project min_SessionStartTime, Computer, RemoteIP, IP_Aux_info, Host_Aux_info\\n\\t\\t\\t\\t\\t\\t\\t| project-rename IP_Address=RemoteIP, Host_UnstructuredName=Computer, Host_Aux_min_SessionStartTime=min_SessionStartTime\\n\\t\\t\\t\\t\\t\\t\\t};\\n\\t\\t\\t\\t\\t\\t\\tGetWireDataOutboundWithProcess(\u0027\u003ccommandLine\u003e\u0027)\",\"inputFields\":[\"commandLine\"],\"outputEntityTypes\":[\"IP\",\"Host\"],\"dataSources\":[\"WireData\"],\"inputEntityType\":\"Process\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueries/e32a48a9-bf82-4cec-ba94-9ec406a69ef8\",\"name\":\"e32a48a9-bf82-4cec-ba94-9ec406a69ef8\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"10 most recent VM configuration changes based on process\",\"queryTemplate\":\"let exclude = dynamic([\u0027:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe\u0027, \u0027:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\sppsvc.exe\u0027, \u0027:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\wbem\\\\\\\\WmiApSrv.exe\u0027, \u0027:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\conhost.exe\u0027, \u0027:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wuauclt.exe\u0027, \u0027:\\\\\\\\Windows\\\\\\\\SoftwareDistribution\\\\\\\\Download\\\\\\\\Install\\\\\\\\\u0027, \u0027:\\\\\\\\WindowsAzure\\\\\\\\GuestAgent_\u0027, \u0027:\\\\\\\\WindowsAzure\\\\\\\\WindowsAzureNetAgent_\u0027, \\n\\t\\t\\t\\t\\t\\t\\t\u0027:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\platform\\\\\\\\\u0027, \u0027:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\taskhostw.exe\u0027, \u0027\\\\\\\\MpSigStub.exe\u0027,\u0027:\\\\\\\\Program Files\\\\\\\\Microsoft Monitoring Agent\\\\\\\\Agent\\\\\\\\MonitoringHost.exe\u0027, \u0027:\\\\\\\\Windows\\\\\\\\servicing\\\\\\\\trustedinstaller.exe\u0027, \u0027:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WerFault.exe\u0027, \u0027:\\\\\\\\Windows\\\\\\\\CCM\\\\\\\\CcmExec.exe\u0027\\n\\t\\t\\t\\t\\t\\t\\t\\\"HKEY_LOCAL_MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Active Setup\\\\\\\\Installed Components\\\\\\\\\\\"]);\\n\\t\\t\\t\\t\\t\\t\\tlet ConfigChange = (v_Process_ImageFile:string ) \\n\\t\\t\\t\\t\\t\\t\\t{let Process_ImageFile_Name = tostring(parse_json(v_Process_ImageFile)[\u0027Name\u0027]);\\n\\t\\t\\t\\t\\t\\t\\tConfigurationChange\\n\\t\\t\\t\\t\\t\\t\\t| where ConfigChangeType != \\\"Software\\\"\\n\\t\\t\\t\\t\\t\\t\\t| where isnotempty(ValueData) or isnotempty(SvcPath) or isnotempty(FileSystemPath)\\n\\t\\t\\t\\t\\t\\t\\t| extend Process = case(\\n\\t\\t\\t\\t\\t\\t\\tConfigChangeType == \\\"Registry\\\" and (ValueData has \\\".exe\\\" or ValueData has \\\".bat\\\" or ValueData has \\\".cmd\\\"), ValueData,\\n\\t\\t\\t\\t\\t\\t\\tConfigChangeType == \\\"WindowsServices\\\", SvcPath,\\n\\t\\t\\t\\t\\t\\t\\tConfigChangeType == \\\"Files\\\" and ((FileSystemPath has \\\".exe\\\" or FileSystemPath has \\\".bat\\\" or FileSystemPath has \\\".cmd\\\") or FileSystemPath has \u0027/\u0027), FileSystemPath,\\n\\t\\t\\t\\t\\t\\t\\tConfigChangeType == \\\"Daemons\\\", SvcPath,\\n\\t\\t\\t\\t\\t\\t\\t\\\"ProcessNotAvailable\\\"\\n\\t\\t\\t\\t\\t\\t\\t)\\n\\t\\t\\t\\t\\t\\t\\t| where not(Process has_any (exclude)) and (Process !has \u0027:\\\\\\\\Windows\\\\\\\\Microsoft.NET\\\\\\\\Framework\u0027 and not(Process has_any (\u0027\\\\\\\\ngentask.exe\u0027, \u0027\\\\\\\\ngen.exe\u0027)))\\n\\t\\t\\t\\t\\t\\t\\t| where iff(Process_ImageFile_Name == \\\"\\\", false, Process has Process_ImageFile_Name) \\n\\t\\t\\t\\t\\t\\t\\t| parse FileContentChecksum with * \\\"Hash=\\\" Hash \\\" \\\" *\\n\\t\\t\\t\\t\\t\\t\\t| parse PreviousFileContentChecksum with * \\\"Hash=\\\" Hash \\\" \\\" *\\n\\t\\t\\t\\t\\t\\t\\t| extend Changes = case( \\n\\t\\t\\t\\t\\t\\t\\t ConfigChangeType == \\\"Registry\\\" and ChangeCategory == \\\"Modified\\\", \\n\\t\\t\\t\\t\\t\\t\\t pack(\\\"ConfigChangeType\\\", ConfigChangeType, \\\"ChangeCategory\\\", ChangeCategory, \\\"RegistryKey\\\" , RegistryKey, \\\"ValueName\\\", ValueName, \\\"ValueData\\\", ValueData, \\\"PreviousValueData\\\", PreviousValueData),\\n\\t\\t\\t\\t\\t\\t\\t ConfigChangeType == \\\"Registry\\\" and ChangeCategory == \\\"Added\\\", \\n\\t\\t\\t\\t\\t\\t\\t pack(\\\"ConfigChangeType\\\", ConfigChangeType, \\\"ChangeCategory\\\", ChangeCategory, \\\"RegistryKey\\\" , RegistryKey, \\\"ValueName\\\", ValueName, \\\"ValueData\\\", ValueData),\\n\\t\\t\\t\\t\\t\\t\\tConfigChangeType == \\\"Registry\\\" and ChangeCategory == \\\"Removed\\\", \\n\\t\\t\\t\\t\\t\\t\\t pack(\\\"ConfigChangeType\\\", ConfigChangeType, \\\"ChangeCategory\\\", ChangeCategory, \\\"RegistryKey\\\" , RegistryKey, \\\"ValueName\\\", ValueName, \\\"PreviousValueData\\\", PreviousValueData),\\n\\t\\t\\t\\t\\t\\t\\tConfigChangeType in (\\\"WindowsServices\\\",\\\"Daemons\\\") and ChangeCategory == \\\"Modified\\\" and SvcChangeType == \\\"Path\\\", \\n\\t\\t\\t\\t\\t\\t\\t pack(\\\"ConfigChangeType\\\", ConfigChangeType, \\\"ChangeCategory\\\", ChangeCategory, \\\"SvcChangeType\\\", SvcChangeType, \\\"SvcName\\\", SvcName, \\\"SvcPath\\\", SvcPath, \\\"SvcPreviousPath\\\", SvcPreviousPath),\\n\\t\\t\\t\\t\\t\\t\\tConfigChangeType in (\\\"WindowsServices\\\",\\\"Daemons\\\") and ChangeCategory == \\\"Modified\\\" and SvcChangeType == \\\"Runlevels\\\", \\n\\t\\t\\t\\t\\t\\t\\t pack(\\\"ConfigChangeType\\\", ConfigChangeType, \\\"ChangeCategory\\\", ChangeCategory, \\\"SvcChangeType\\\", SvcChangeType, \\\"SvcName\\\", SvcName, \\\"SvcPath\\\", SvcPath, \\\"SvcRunlevels\\\", SvcRunlevels,\\\"SvcPreviousRunlevels\\\", SvcPreviousRunlevels),\\n\\t\\t\\t\\t\\t\\t\\tConfigChangeType in (\\\"WindowsServices\\\",\\\"Daemons\\\") and ChangeCategory == \\\"Modified\\\" and SvcChangeType == \\\"StartupType\\\", \\n\\t\\t\\t\\t\\t\\t\\t pack(\\\"ConfigChangeType\\\", ConfigChangeType, \\\"ChangeCategory\\\", ChangeCategory, \\\"SvcChangeType\\\", SvcChangeType, \\\"SvcName\\\", SvcName, \\\"SvcPath\\\", SvcPath, \\\"SvcStartupType\\\", SvcStartupType, \\\"SvcPreviousStartupType\\\", SvcPreviousStartupType),\\n\\t\\t\\t\\t\\t\\t\\tConfigChangeType in (\\\"WindowsServices\\\",\\\"Daemons\\\") and ChangeCategory == \\\"Modified\\\" and SvcChangeType == \\\"State\\\", \\n\\t\\t\\t\\t\\t\\t\\t pack(\\\"ConfigChangeType\\\", ConfigChangeType, \\\"ChangeCategory\\\", ChangeCategory, \\\"SvcChangeType\\\", SvcChangeType, \\\"SvcName\\\", SvcName, \\\"SvcPath\\\", SvcPath, \\\"SvcState\\\", SvcState, \\\"SvcPreviousState\\\", SvcPreviousState),\\n\\t\\t\\t\\t\\t\\t\\tConfigChangeType in (\\\"WindowsServices\\\",\\\"Daemons\\\") and ChangeCategory == \\\"Modified\\\" and SvcChangeType == \\\"State StartupType\\\", \\n\\t\\t\\t\\t\\t\\t\\t pack(\\\"ConfigChangeType\\\", ConfigChangeType, \\\"ChangeCategory\\\", ChangeCategory, \\\"SvcChangeType\\\", SvcChangeType, \\\"SvcName\\\", SvcName, \\\"SvcPath\\\", SvcPath, \\\"SvcState\\\", SvcState, \\\"SvcPreviousState\\\", SvcPreviousState, \\\"SvcStartupType\\\", SvcStartupType, \\\"SvcPreviousStartupType\\\", SvcPreviousStartupType),\\n\\t\\t\\t\\t\\t\\t\\tConfigChangeType in (\\\"WindowsServices\\\",\\\"Daemons\\\") and ChangeCategory == \\\"Added\\\", \\n\\t\\t\\t\\t\\t\\t\\t pack(\\\"ConfigChangeType\\\", ConfigChangeType, \\\"ChangeCategory\\\", ChangeCategory, \\\"SvcName\\\", SvcName, \\\"SvcPath\\\", SvcPath, \\\"SvcState\\\", SvcState, \\\"SvcStartupType\\\", SvcStartupType),\\n\\t\\t\\t\\t\\t\\t\\tConfigChangeType in (\\\"WindowsServices\\\",\\\"Daemons\\\") and ChangeCategory == \\\"Removed\\\", \\n\\t\\t\\t\\t\\t\\t\\t pack(\\\"ConfigChangeType\\\", ConfigChangeType, \\\"ChangeCategory\\\", ChangeCategory, \\\"SvcName\\\", SvcName, \\\"SvcPreviousPath\\\", SvcPreviousPath, \\\"SvcPreviousState\\\", SvcPreviousState, \\\"SvcPreviousStartupType\\\", SvcPreviousStartupType),\\n\\t\\t\\t\\t\\t\\t\\tConfigChangeType == \\\"Files\\\" and ChangeCategory == \\\"Added\\\", \\n\\t\\t\\t\\t\\t\\t\\t pack(\\\"ConfigChangeType\\\", ConfigChangeType, \\\"ChangeCategory\\\", ChangeCategory, \\\"FileSystemPath\\\", FileSystemPath, \\\"DateCreated\\\", DateCreated, \\\"DateModified\\\", DateModified, \\\"Hash\\\", Hash),\\n\\t\\t\\t\\t\\t\\t\\tConfigChangeType == \\\"Files\\\" and ChangeCategory == \\\"Removed\\\", \\n\\t\\t\\t\\t\\t\\t\\t pack(\\\"ConfigChangeType\\\", ConfigChangeType, \\\"ChangeCategory\\\", ChangeCategory, \\\"FileSystemPath\\\", FileSystemPath, \\\"DateCreated\\\", PreviousDateCreated, \\\"DateModified\\\", PreviousDateModified, \\\"Hash\\\", Hash),\\n\\t\\t\\t\\t\\t\\t\\tConfigChangeType == \\\"Files\\\" and ChangeCategory == \\\"Modified\\\", \\n\\t\\t\\t\\t\\t\\t\\t pack(\\\"ConfigChangeType\\\", ConfigChangeType, \\\"ChangeCategory\\\", ChangeCategory, \\\"FileSystemPath\\\", FileSystemPath, \\\"FieldsChanged\\\", FieldsChanged, \\\"DateCreated\\\", PreviousDateCreated, \\\"DateModified\\\", PreviousDateModified, \\\"Hash\\\", Hash),\\n\\t\\t\\t\\t\\t\\t\\t\\\"\\\")\\n\\t\\t\\t\\t\\t\\t\\t| extend Host_HostName = tostring(split(Computer, \\\".\\\")[0]), Host_DnsDomain = strcat_array(array_slice(split(Computer,\u0027.\u0027),1,256),\u0027.\u0027)\\n\\t\\t\\t\\t\\t\\t\\t| summarize Host_Aux_StartTimeUtc = min(TimeGenerated), Host_Aux_EndTimeUtc = max(TimeGenerated), Host_Aux_ConfigChangeDetail = makeset(Changes) by Host_HostName, Host_DnsDomain\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by Host_Aux_StartTimeUtc desc};\\n\\t\\t\\t\\t\\t\\t\\tConfigChange(\u0027\u003cImageFile\u003e\u0027)\",\"inputFields\":[\"ImageFile\"],\"outputEntityTypes\":[\"Host\"],\"dataSources\":[\"ConfigurationChange\"],\"inputEntityType\":\"Process\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueries/0880a6d7-d914-40f6-91bc-150de4810e4e\",\"name\":\"0880a6d7-d914-40f6-91bc-150de4810e4e\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Windows hosts with this process\",\"queryTemplate\":\"let GetHostsWithProcess = (v_Process_CommandLine:string){\\n\\t\\t\\t\\t\\t\\t\\tlet tempFullPath = tostring(split(v_Process_CommandLine, \u0027 \u0027)[0]);\\n\\t\\t\\t\\t\\t\\t\\tlet tempFullPath2 = iff(tempFullPath startswith \u0027\\\"\u0027, substring(tempFullPath, 1, strlen(tempFullPath)-2), tempFullPath);\\n\\t\\t\\t\\t\\t\\t\\tlet v_Process_ImageFile_FullPath = iff(tempFullPath2 startswith \u0027\\\\\\\\??\\\\\\\\\u0027, substring(tempFullPath2, 4, strlen(tempFullPath2)-1), tempFullPath2);\\n\\t\\t\\t\\t\\t\\t\\tSecurityEvent\\n\\t\\t\\t\\t\\t\\t\\t| where EventID == 4688\\n\\t\\t\\t\\t\\t\\t\\t| where NewProcessName has v_Process_ImageFile_FullPath\\n\\t\\t\\t\\t\\t\\t\\t| extend info = pack(\u0027Account\u0027, Account, \u0027NewProcessName\u0027, NewProcessName, \u0027CommandLine\u0027, CommandLine)\\n\\t\\t\\t\\t\\t\\t\\t| summarize min(TimeGenerated), max(TimeGenerated), Host_Aux_info = makeset(info) by Computer, SourceComputerId, _ResourceId\\n\\t\\t\\t\\t\\t\\t\\t| project min_TimeGenerated, max_TimeGenerated, Computer, Host_Aux_info, Host_OMSAgentID=SourceComputerId\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by min_TimeGenerated asc nulls last\\n\\t\\t\\t\\t\\t\\t\\t| project-rename Host_UnstructuredName=Computer, Host_Aux_StartTime=min_TimeGenerated, Host_Aux_EndTime=max_TimeGenerated\\n\\t\\t\\t\\t\\t\\t\\t};\\n\\t\\t\\t\\t\\t\\t\\tGetHostsWithProcess(\u0027\u003ccommandLine\u003e\u0027)\",\"inputFields\":[\"commandLine\"],\"outputEntityTypes\":[\"Host\"],\"dataSources\":[\"SecurityEvent\"],\"inputEntityType\":\"Process\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueries/c07c8936-d2a7-41a7-97d2-d3afdf267da4\",\"name\":\"c07c8936-d2a7-41a7-97d2-d3afdf267da4\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"DefenderForIoT - Hosts communicating the most amount of data with this IoT Device\",\"queryTemplate\":\"let ConnectionData_DefenderForIoT_GetIoTDevice2Host = (v_IoTDevice_DeviceId:string) {\\n\\t\\t\\t\\t\\t\\t\\tlet connectionData = SecurityIoTRawEvent \\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceType = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).deviceType\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceId = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).deviceId\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientIpAddress = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).ipAddress\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientisExternal = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).isExternal\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDeviceType = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).deviceType\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDeviceId = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).deviceId\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerIpAddress = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).ipAddress\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerisExternal = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).isExternal\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceName = tostring(todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).deviceName)\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDeviceName = tostring(todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).deviceName)\\n\\t\\t\\t\\t\\t\\t\\t| extend Bandwidth = todynamic(extractjson(\\\"$Bandwidth\\\", EventDetails))\\n\\t\\t\\t\\t\\t\\t\\t| extend LastActivity = todynamic(extractjson(\\\"$LastActivity\\\", EventDetails))\\n\\t\\t\\t\\t\\t\\t\\t| extend Protocol = todynamic(extractjson(\\\"$Protocol\\\", EventDetails))\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerPort = todynamic(extractjson(\\\"$ServerPort\\\", EventDetails))\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDevice = extractjson(\\\"$ServerDevice\\\", EventDetails)\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDevice = extractjson(\\\"$ClientDevice\\\", EventDetails)\\n\\t\\t\\t\\t\\t\\t\\t| extend SensorId = DeviceId\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceGUID = strcat(SensorId, \\\"_\\\", ClientDeviceId), ServerDeviceGUID = strcat(SensorId, \\\"_\\\", ServerDeviceId);\\n\\t\\t\\t\\t\\t\\t\\tconnectionData\\n\\t\\t\\t\\t\\t\\t\\t| where ClientDeviceGUID == v_IoTDevice_DeviceId or ServerDeviceGUID == v_IoTDevice_DeviceId\\n\\t\\t\\t\\t\\t\\t\\t| extend Direction = iff(ClientDeviceGUID == v_IoTDevice_DeviceId, \\\"Outbound\\\", \\\"Inbound\\\")\\n\\t\\t\\t\\t\\t\\t\\t| project DeviceGUID = iff(Direction == \\\"Outbound\\\", ServerDeviceGUID, ClientDeviceGUID), \\n\\t\\t\\t\\t\\t\\t\\tDeviceType = iff(Direction == \\\"Outbound\\\", ServerDeviceType, ClientDeviceType),\\n\\t\\t\\t\\t\\t\\t\\tDeviceIp = iff(Direction == \\\"Outbound\\\", ServerIpAddress, ClientIpAddress),\\n\\t\\t\\t\\t\\t\\t\\tDeviceName = iff(Direction == \\\"Outbound\\\", ServerDeviceName, ClientDeviceName),\\n\\t\\t\\t\\t\\t\\t\\tSensorId, LastActivity = todatetime(LastActivity), Bandwidth = todouble(Bandwidth), Protocol, ServerPort\\n\\t\\t\\t\\t\\t\\t\\t| summarize TotalBandwidth = sum(Bandwidth), LastActivity = max(LastActivity), Protocols = make_set(Protocol), ServerPorts = make_set(ServerPort) by DeviceGUID, DeviceName, IpAddress = tostring(DeviceIp), IoTDevice_DeviceType = tostring(DeviceType)\\n\\t\\t\\t\\t\\t\\t\\t| project-rename TotalBandwidth_MB = TotalBandwidth\\n\\t\\t\\t\\t\\t\\t\\t| extend TotalBandwidth_MB = floor(todecimal(TotalBandwidth_MB / 1000), 0.1)\\n\\t\\t\\t\\t\\t\\t\\t| project Host_HostName = DeviceName, Host_Aux_IpAddress = IpAddress, Host_Aux_Type = IoTDevice_DeviceType, Host_Aux_LastActivity = LastActivity, Host_Aux_Protocols = Protocols, Host_Aux_ServerPorts = ServerPorts, Host_Aux_TotalBandwidth_MB = TotalBandwidth_MB\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by Host_Aux_TotalBandwidth_MB\\n\\t\\t\\t\\t\\t\\t\\t};\\n\\t\\t\\t\\t\\t\\t\\tConnectionData_DefenderForIoT_GetIoTDevice2Host(\u0027\u003cdeviceId\u003e\u0027)\",\"inputFields\":[\"deviceId\"],\"outputEntityTypes\":[\"Host\"],\"dataSources\":[\"SecurityIoTRawEvent\"],\"inputEntityType\":\"IoTDevice\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueries/f1cce474-7a4f-435c-a7ee-3d5a800a6df4\",\"name\":\"f1cce474-7a4f-435c-a7ee-3d5a800a6df4\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"DefenderForIoT - IP Addresses communicating the most amount of data with this IoT Device\",\"queryTemplate\":\"let ConnectionData_DefenderForIoT_GetIoTDevice2IP = (v_IoTDevice_DeviceId:string) {\\n\\t\\t\\t\\t\\t\\t\\tlet connectionData = SecurityIoTRawEvent \\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceType = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).deviceType\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceId = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).deviceId\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientIpAddress = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).ipAddress\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientisExternal = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).isExternal\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDeviceType = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).deviceType\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDeviceId = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).deviceId\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerIpAddress = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).ipAddress\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerisExternal = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).isExternal\\n\\t\\t\\t\\t\\t\\t\\t| extend Bandwidth = todynamic(extractjson(\\\"$Bandwidth\\\", EventDetails))\\n\\t\\t\\t\\t\\t\\t\\t| extend LastActivity = todynamic(extractjson(\\\"$LastActivity\\\", EventDetails))\\n\\t\\t\\t\\t\\t\\t\\t| extend Protocol = todynamic(extractjson(\\\"$Protocol\\\", EventDetails))\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDevice = extractjson(\\\"$ServerDevice\\\", EventDetails)\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerPort = todynamic(extractjson(\\\"$ServerPort\\\", EventDetails))\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDevice = extractjson(\\\"$ClientDevice\\\", EventDetails)\\n\\t\\t\\t\\t\\t\\t\\t| extend SensorId = DeviceId\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceGUID = strcat(SensorId, \\\"_\\\", ClientDeviceId), ServerDeviceGUID = strcat(SensorId, \\\"_\\\", ServerDeviceId);\\n\\t\\t\\t\\t\\t\\t\\tconnectionData\\n\\t\\t\\t\\t\\t\\t\\t| where ClientDeviceGUID == v_IoTDevice_DeviceId or ServerDeviceGUID == v_IoTDevice_DeviceId\\n\\t\\t\\t\\t\\t\\t\\t| extend Direction = iff(ClientDeviceGUID == v_IoTDevice_DeviceId, \\\"Outbound\\\", \\\"Inbound\\\")\\n\\t\\t\\t\\t\\t\\t\\t| project DeviceGUID = iff(Direction == \\\"Outbound\\\", ServerDeviceGUID, ClientDeviceGUID), \\n\\t\\t\\t\\t\\t\\t\\tDeviceType = iff(Direction == \\\"Outbound\\\", ServerDeviceType, ClientDeviceType),\\n\\t\\t\\t\\t\\t\\t\\tDeviceIp = iff(Direction == \\\"Outbound\\\", ServerIpAddress, ClientIpAddress),\\n\\t\\t\\t\\t\\t\\t\\tDeviceIsExternal = iff(Direction == \\\"Outbound\\\", ServerisExternal, ClientisExternal),\\n\\t\\t\\t\\t\\t\\t\\tSensorId, LastActivity = todatetime(LastActivity), Bandwidth = todouble(Bandwidth), Protocol, ServerPort\\n\\t\\t\\t\\t\\t\\t\\t| summarize TotalBandwidth = sum(Bandwidth), LastActivity = max(LastActivity), Protocols = make_set(Protocol), ServerPorts = make_set(ServerPort) by DeviceGUID, IpAddress = tostring(DeviceIp), IoTDevice_DeviceType = tostring(DeviceType), DeviceIsExternal = tostring(DeviceIsExternal)\\n\\t\\t\\t\\t\\t\\t\\t| project-rename TotalBandwidth_MB = TotalBandwidth\\n\\t\\t\\t\\t\\t\\t\\t| project IP_Address = IpAddress, IP_Aux_DeviceType = IoTDevice_DeviceType, IP_Aux_LastActivity = LastActivity, IP_Aux_Protocols = Protocols, IP_Aux_ServerPorts = ServerPorts, IP_Aux_TotalBandwidth_MB = TotalBandwidth_MB, IP_Aux_IsExternal = DeviceIsExternal\\n\\t\\t\\t\\t\\t\\t\\t| extend IP_Aux_TotalBandwidth_MB = floor(todecimal(IP_Aux_TotalBandwidth_MB / 1000), 0.1)\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by IP_Aux_TotalBandwidth_MB\\n\\t\\t\\t\\t\\t\\t\\t};\\n\\t\\t\\t\\t\\t\\t\\tConnectionData_DefenderForIoT_GetIoTDevice2IP(\u0027\u003cdeviceId\u003e\u0027)\",\"inputFields\":[\"deviceId\"],\"outputEntityTypes\":[\"IP\"],\"dataSources\":[\"SecurityIoTRawEvent\"],\"inputEntityType\":\"IoTDevice\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueries/1f3ecde7-5c69-4d44-ac93-5feac6d1cd2f\",\"name\":\"1f3ecde7-5c69-4d44-ac93-5feac6d1cd2f\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Most frequent command executions on the device\",\"queryTemplate\":\"let Process_byIoTDevice = (v_IotDevice_DeviceId:string, v_IoTDevice_IoTHub:string){\\n\\t\\t\\t\\t\\t\\t\\tSecurityIoTRawEvent \\n\\t\\t\\t\\t\\t\\t\\t| where RawEventName =~ \u0027ProcessCreate\u0027\\n\\t\\t\\t\\t\\t\\t\\t| where AssociatedResourceId =~ parse_json(v_IoTDevice_IoTHub)[\u0027ResourceId\u0027] and DeviceId =~ v_IotDevice_DeviceId\\n\\t\\t\\t\\t\\t\\t\\t| extend Process_CommandLine = tostring(parse_json(EventDetails)[\u0027CommandLine\u0027])\\n\\t\\t\\t\\t\\t\\t\\t| extend Process_ProcessId = tostring(parse_json(EventDetails)[\u0027ProcessId\u0027])\\n\\t\\t\\t\\t\\t\\t\\t| extend Process_ParentProcess_ProcessId = tostring(parse_json(EventDetails)[\u0027ParentProcessId\u0027])\\n\\t\\t\\t\\t\\t\\t\\t| extend Process_CreationTimeUtc = TimeStamp\\n\\t\\t\\t\\t\\t\\t\\t| summarize procCount = count() by Process_CommandLine, Process_ProcessId, Process_ParentProcess_ProcessId, Process_CreationTimeUtc\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by procCount\\n\\t\\t\\t\\t\\t\\t\\t| extend Process_Aux_Count = procCount\\n\\t\\t\\t\\t\\t\\t\\t| project-away procCount\\n\\t\\t\\t\\t\\t\\t\\t};\\n\\t\\t\\t\\t\\t\\t\\tProcess_byIoTDevice(\u0027\u003cdeviceId\u003e\u0027, \u0027\u003cIoTHub\u003e\u0027)\",\"inputFields\":[\"deviceId\",\"IoTHub\"],\"outputEntityTypes\":[\"Process\"],\"dataSources\":[\"SecurityIoTRawEvent\"],\"inputEntityType\":\"IoTDevice\"}}]}", "isContentBase64": false } }, - "Get-AzSentinelEntityQuery+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/5f4b614d-f1e7-46f5-a0f4-41e428c2237e?api-version=2021-09-01-preview+1": { + "Get-AzSentinelEntityQuery+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueries/0893dbbc-9df7-4f10-bcff-01694c52ecb7?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/5f4b614d-f1e7-46f5-a0f4-41e428c2237e?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueries/0893dbbc-9df7-4f10-bcff-01694c52ecb7?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "199" ], - "x-ms-client-request-id": [ "e6f0b7db-1283-44b4-9e6f-50aed99b0ad3" ], + "x-ms-unique-id": [ "42" ], + "x-ms-client-request-id": [ "7c33e118-d5d1-4667-b97c-9044a8faea52" ], "CommandName": [ "Get-AzSentinelentityQuery" ], "FullCommandName": [ "Get-AzSentinelEntityQuery_Get" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], + "User-Agent": [ "AzurePowershell/v15.4.0", "PSVersion/v7.6.0", "Az.SecurityInsights/3.2.1" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { @@ -63,37 +67,41 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11966" ], - "x-ms-request-id": [ "659ad9d1-ba11-4159-9c16-96d69ae46497" ], - "x-ms-correlation-request-id": [ "659ad9d1-ba11-4159-9c16-96d69ae46497" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160720Z:659ad9d1-ba11-4159-9c16-96d69ae46497" ], + "Vary": [ "Accept-Encoding" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "1099" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/e21c2edb-b16c-464e-938b-5e66faec015f" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-ratelimit-remaining-subscription-global-reads": [ "16499" ], + "x-ms-request-id": [ "f92df29f-ee6e-4292-a5e7-276bb5a03df9" ], + "x-ms-correlation-request-id": [ "f92df29f-ee6e-4292-a5e7-276bb5a03df9" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074443Z:f92df29f-ee6e-4292-a5e7-276bb5a03df9" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:07:19 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: 872BD8EBB7A84D7C8BE14F02FC27CBEA Ref B: AMS231020512027 Ref C: 2026-03-25T07:44:42Z" ], + "Date": [ "Wed, 25 Mar 2026 07:44:42 GMT" ] }, "ContentHeaders": { "Content-Length": [ "2326" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/5f4b614d-f1e7-46f5-a0f4-41e428c2237e\",\"name\":\"5f4b614d-f1e7-46f5-a0f4-41e428c2237e\",\"etag\":\"\\\"0c00410f-0000-0100-0000-62fbbde70000\\\"\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was deleted on this host\",\"content\":\"On \u0027{{Computer}}\u0027 the account \u0027{{TargetAccount}}\u0027 was deleted by \",\"description\":\"Account deleted on host\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)\\n// parsing for Host to handle variety of conventions coming from data\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \\nor (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \\nor v_Host_AzureID =~ _ResourceId \\nor v_Host_OMSAgentID == SourceComputerId\\n| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid};\\nGetAccountActions(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027)\\n \\n| where EventID == 4726 \"},\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]},\"enabled\":true,\"createdTimeUtc\":\"2022-08-16T15:55:19.0590224Z\",\"lastModifiedTimeUtc\":\"2022-08-16T15:55:19.0590224Z\",\"inputEntityType\":\"Host\"}}", + "Content": "{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueries/0893dbbc-9df7-4f10-bcff-01694c52ecb7\",\"name\":\"0893dbbc-9df7-4f10-bcff-01694c52ecb7\",\"etag\":\"\\\"0c008f8a-0000-0100-0000-69c38eb40000\\\"\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was deleted on this host\",\"content\":\"On \u0027{{Computer}}\u0027 the account \u0027{{TargetAccount}}\u0027 was deleted by \",\"description\":\"Account deleted on host\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)\\n// parsing for Host to handle variety of conventions coming from data\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \\nor (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \\nor v_Host_AzureID =~ _ResourceId \\nor v_Host_OMSAgentID == SourceComputerId\\n| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid};\\nGetAccountActions(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027)\\n \\n| where EventID == 4726 \"},\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]},\"enabled\":true,\"createdTimeUtc\":\"2026-03-25T07:28:52.8740307Z\",\"lastModifiedTimeUtc\":\"2026-03-25T07:28:52.8740307Z\",\"inputEntityType\":\"Host\"}}", "isContentBase64": false } }, - "Get-AzSentinelEntityQuery+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/5f4b614d-f1e7-46f5-a0f4-41e428c2237e?api-version=2021-09-01-preview+1": { + "Get-AzSentinelEntityQuery+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueries/0893dbbc-9df7-4f10-bcff-01694c52ecb7?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/5f4b614d-f1e7-46f5-a0f4-41e428c2237e?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueries/0893dbbc-9df7-4f10-bcff-01694c52ecb7?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "200" ], - "x-ms-client-request-id": [ "ca3cf826-7170-40bc-b0ca-7bf819f6cc8f" ], + "x-ms-unique-id": [ "43" ], + "x-ms-client-request-id": [ "d9047b35-4969-415e-9e06-d014ac493b93" ], "CommandName": [ "Get-AzSentinelentityQuery" ], "FullCommandName": [ "Get-AzSentinelEntityQuery_Get" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], + "User-Agent": [ "AzurePowershell/v15.4.0", "PSVersion/v7.6.0", "Az.SecurityInsights/3.2.1" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { @@ -104,37 +112,41 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11965" ], - "x-ms-request-id": [ "ff0b1bab-3289-40bd-a488-a8c23ec159e8" ], - "x-ms-correlation-request-id": [ "ff0b1bab-3289-40bd-a488-a8c23ec159e8" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160720Z:ff0b1bab-3289-40bd-a488-a8c23ec159e8" ], + "Vary": [ "Accept-Encoding" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "1099" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/f791a68b-3e49-442e-8538-cd097b670e1e" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-ratelimit-remaining-subscription-global-reads": [ "16499" ], + "x-ms-request-id": [ "db617224-6952-4e68-917a-6fea3d229f22" ], + "x-ms-correlation-request-id": [ "db617224-6952-4e68-917a-6fea3d229f22" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074443Z:db617224-6952-4e68-917a-6fea3d229f22" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:07:20 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: B95796D55310439BB5C3F1F0B9E26F22 Ref B: AMS231020512027 Ref C: 2026-03-25T07:44:43Z" ], + "Date": [ "Wed, 25 Mar 2026 07:44:43 GMT" ] }, "ContentHeaders": { "Content-Length": [ "2326" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/5f4b614d-f1e7-46f5-a0f4-41e428c2237e\",\"name\":\"5f4b614d-f1e7-46f5-a0f4-41e428c2237e\",\"etag\":\"\\\"0c00410f-0000-0100-0000-62fbbde70000\\\"\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was deleted on this host\",\"content\":\"On \u0027{{Computer}}\u0027 the account \u0027{{TargetAccount}}\u0027 was deleted by \",\"description\":\"Account deleted on host\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)\\n// parsing for Host to handle variety of conventions coming from data\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \\nor (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \\nor v_Host_AzureID =~ _ResourceId \\nor v_Host_OMSAgentID == SourceComputerId\\n| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid};\\nGetAccountActions(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027)\\n \\n| where EventID == 4726 \"},\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]},\"enabled\":true,\"createdTimeUtc\":\"2022-08-16T15:55:19.0590224Z\",\"lastModifiedTimeUtc\":\"2022-08-16T15:55:19.0590224Z\",\"inputEntityType\":\"Host\"}}", + "Content": "{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueries/0893dbbc-9df7-4f10-bcff-01694c52ecb7\",\"name\":\"0893dbbc-9df7-4f10-bcff-01694c52ecb7\",\"etag\":\"\\\"0c008f8a-0000-0100-0000-69c38eb40000\\\"\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was deleted on this host\",\"content\":\"On \u0027{{Computer}}\u0027 the account \u0027{{TargetAccount}}\u0027 was deleted by \",\"description\":\"Account deleted on host\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)\\n// parsing for Host to handle variety of conventions coming from data\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \\nor (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \\nor v_Host_AzureID =~ _ResourceId \\nor v_Host_OMSAgentID == SourceComputerId\\n| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid};\\nGetAccountActions(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027)\\n \\n| where EventID == 4726 \"},\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]},\"enabled\":true,\"createdTimeUtc\":\"2026-03-25T07:28:52.8740307Z\",\"lastModifiedTimeUtc\":\"2026-03-25T07:28:52.8740307Z\",\"inputEntityType\":\"Host\"}}", "isContentBase64": false } }, - "Get-AzSentinelEntityQuery+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/5f4b614d-f1e7-46f5-a0f4-41e428c2237e?api-version=2021-09-01-preview+2": { + "Get-AzSentinelEntityQuery+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueries/0893dbbc-9df7-4f10-bcff-01694c52ecb7?api-version=2021-09-01-preview+2": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/5f4b614d-f1e7-46f5-a0f4-41e428c2237e?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueries/0893dbbc-9df7-4f10-bcff-01694c52ecb7?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "201" ], - "x-ms-client-request-id": [ "27b71b02-e082-4fef-a923-2a770ba6ffbd" ], + "x-ms-unique-id": [ "44" ], + "x-ms-client-request-id": [ "34235ff4-6492-4fcd-a51d-5a062ec0d67c" ], "CommandName": [ "Get-AzSentinelentityQuery" ], "FullCommandName": [ "Get-AzSentinelEntityQuery_GetViaIdentity" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], + "User-Agent": [ "AzurePowershell/v15.4.0", "PSVersion/v7.6.0", "Az.SecurityInsights/3.2.1" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { @@ -145,21 +157,25 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11964" ], - "x-ms-request-id": [ "54f244cd-5caf-4657-b1d8-e0e082daadfa" ], - "x-ms-correlation-request-id": [ "54f244cd-5caf-4657-b1d8-e0e082daadfa" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160720Z:54f244cd-5caf-4657-b1d8-e0e082daadfa" ], + "Vary": [ "Accept-Encoding" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "1099" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/3bbb0da1-2aa6-41db-b110-9144ea499439" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-ratelimit-remaining-subscription-global-reads": [ "16499" ], + "x-ms-request-id": [ "43c784f1-f818-433f-8a9c-8a3af024437d" ], + "x-ms-correlation-request-id": [ "43c784f1-f818-433f-8a9c-8a3af024437d" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074444Z:43c784f1-f818-433f-8a9c-8a3af024437d" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:07:20 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: CD35A9ED43A24169B43FB6CE655033C7 Ref B: AMS231020512027 Ref C: 2026-03-25T07:44:43Z" ], + "Date": [ "Wed, 25 Mar 2026 07:44:43 GMT" ] }, "ContentHeaders": { "Content-Length": [ "2326" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/5f4b614d-f1e7-46f5-a0f4-41e428c2237e\",\"name\":\"5f4b614d-f1e7-46f5-a0f4-41e428c2237e\",\"etag\":\"\\\"0c00410f-0000-0100-0000-62fbbde70000\\\"\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was deleted on this host\",\"content\":\"On \u0027{{Computer}}\u0027 the account \u0027{{TargetAccount}}\u0027 was deleted by \",\"description\":\"Account deleted on host\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)\\n// parsing for Host to handle variety of conventions coming from data\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \\nor (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \\nor v_Host_AzureID =~ _ResourceId \\nor v_Host_OMSAgentID == SourceComputerId\\n| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid};\\nGetAccountActions(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027)\\n \\n| where EventID == 4726 \"},\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]},\"enabled\":true,\"createdTimeUtc\":\"2022-08-16T15:55:19.0590224Z\",\"lastModifiedTimeUtc\":\"2022-08-16T15:55:19.0590224Z\",\"inputEntityType\":\"Host\"}}", + "Content": "{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueries/0893dbbc-9df7-4f10-bcff-01694c52ecb7\",\"name\":\"0893dbbc-9df7-4f10-bcff-01694c52ecb7\",\"etag\":\"\\\"0c008f8a-0000-0100-0000-69c38eb40000\\\"\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was deleted on this host\",\"content\":\"On \u0027{{Computer}}\u0027 the account \u0027{{TargetAccount}}\u0027 was deleted by \",\"description\":\"Account deleted on host\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)\\n// parsing for Host to handle variety of conventions coming from data\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \\nor (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \\nor v_Host_AzureID =~ _ResourceId \\nor v_Host_OMSAgentID == SourceComputerId\\n| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid};\\nGetAccountActions(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027)\\n \\n| where EventID == 4726 \"},\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]},\"enabled\":true,\"createdTimeUtc\":\"2026-03-25T07:28:52.8740307Z\",\"lastModifiedTimeUtc\":\"2026-03-25T07:28:52.8740307Z\",\"inputEntityType\":\"Host\"}}", "isContentBase64": false } } diff --git a/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelEntityQueryTemplate.Recording.json b/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelEntityQueryTemplate.Recording.json index 8fbc2a62bf04..3bc8fce4bd35 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelEntityQueryTemplate.Recording.json +++ b/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelEntityQueryTemplate.Recording.json @@ -1,17 +1,17 @@ { - "Get-AzSentinelEntityQueryTemplate+[NoContext]+List+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates?api-version=2021-09-01-preview+1": { + "Get-AzSentinelEntityQueryTemplate+[NoContext]+List+$GET+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueryTemplates?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueryTemplates?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "202" ], - "x-ms-client-request-id": [ "bcf85ca0-1554-47cd-beb1-0954b8ba89f8" ], + "x-ms-unique-id": [ "45" ], + "x-ms-client-request-id": [ "909c0d3c-4ce2-421b-9047-e2df0aa9a2d7" ], "CommandName": [ "Get-AzSentinelentityQueryTemplate" ], "FullCommandName": [ "Get-AzSentinelEntityQueryTemplate_List" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], + "User-Agent": [ "AzurePowershell/v15.4.0", "PSVersion/v7.6.0", "Az.SecurityInsights/3.2.1" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { @@ -22,37 +22,41 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11963" ], - "x-ms-request-id": [ "7b428a9a-eecf-45be-a006-30bd246b703a" ], - "x-ms-correlation-request-id": [ "7b428a9a-eecf-45be-a006-30bd246b703a" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160724Z:7b428a9a-eecf-45be-a006-30bd246b703a" ], + "Vary": [ "Accept-Encoding" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "1099" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/19eac245-5793-46d4-a863-fd095c783b80" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-ratelimit-remaining-subscription-global-reads": [ "16499" ], + "x-ms-request-id": [ "7849dc70-f619-4faf-bb61-e7bebded67a7" ], + "x-ms-correlation-request-id": [ "7849dc70-f619-4faf-bb61-e7bebded67a7" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074446Z:7849dc70-f619-4faf-bb61-e7bebded67a7" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:07:24 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: 484107BEA2734F54A3636BF31D5E5BC3 Ref B: AMS231020512027 Ref C: 2026-03-25T07:44:45Z" ], + "Date": [ "Wed, 25 Mar 2026 07:44:45 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "191910" ], + "Content-Length": [ "193809" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"value\":[{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/d6d08c94-455f-4ea5-8f76-fc6c0c442cfa\",\"name\":\"d6d08c94-455f-4ea5-8f76-fc6c0c442cfa\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user has created an account\",\"content\":\"The user {{InitiatedByAccount}} has created the account {{TargetAccount}} {{Count}} time(s)\",\"description\":\"This activity displays account creation events performed by the user\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (Account_Name:string, Account_NTDomain:string, Account_UPNSuffix:string, Account_AadUserId:string, Account_Sid:string){\\nlet Account_UPN = strcat(Account_Name, \u0027@\u0027, Account_UPNSuffix);\\nlet Account_Win = strcat(Account_NTDomain,\u0027\\\\\\\\\u0027, Account_Name);\\nunion isfuzzy=true\\n(AuditLogs\\n | where tostring(bag_keys(InitiatedBy)[0]) == \\\"user\\\"\\n | where OperationName in~ (\u0027Add user\u0027, \u0027Update user\u0027, \u0027Delete user\u0027, \u0027Change user password\u0027, \u0027Reset user password\u0027, \u0027Reset password (by admin)\u0027, \u0027Change password (self-service)\u0027, \u0027Reset password (self-service)\u0027)\\n | where Account_UPN =~ tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName) or Account_AadUserId =~ tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend InitiatedByAccount = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | parse InitiatedByAccount with userName:string \u0027@\u0027 userUpnSuffix:string\\n | extend InitiatedByAADUserId = tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend TargetAccount = tostring(TargetResources[0].userPrincipalName)\\n | parse TargetAccount with TargetAccountName:string \u0027@\u0027 TargetAccountUPNSuffix:string\\n | extend TargetAADUserId = tostring(TargetResources[0].id)\\n | extend Action = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[0])))\\n | extend ModifiedProperty = tostring(parse_json(Action).displayName), ModifiedValue = tostring(parse_json(Action).newValue)\\n | extend DisableUser = iif(ModifiedProperty =~ \u0027AccountEnabled\u0027 and ModifiedValue =~ \u0027[false]\u0027, \u0027True\u0027, \u0027False\u0027)\\n),\\n(SecurityEvent\\n | where AccountType =~ \\\"user\\\" or isempty(AccountType)\\n | where EventID in (4720, 4722, 4723, 4724, 4725, 4726, 4740)\\n | where Account_Win =~ SubjectAccount or Account_Sid =~ SubjectUserSid\\n | parse TargetAccount with TargetAccountNTDomain \u0027\\\\\\\\\u0027 TargetAccountName\\n | extend InitiatedByAccount = SubjectAccount, InitiatedByUserSid = SubjectUserSid, OperationName = tostring(EventID), ModifiedProperty = Activity\\n)\\n};\\nGetAccountActions(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_AadUserId}}\u0027, \u0027{{Account_Sid}}\u0027) \\n| where OperationName in~ (\u0027Add user\u0027, \u00274720\u0027) \\n| project InitiatedByAccount, TargetAccount, TargetSid, TargetAADUserId, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AuditLogs\"},{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AadUserId\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/e0459780-ac9d-4b72-8bd4-fecf6b46a0a1\",\"name\":\"e0459780-ac9d-4b72-8bd4-fecf6b46a0a1\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user has deleted an account\",\"content\":\"The user {{InitiatedByAccount}} has deleted the account {{TargetAccount}} {{Count}} time(s)\",\"description\":\"This activity displays account deletion events performed by the user\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (Account_Name:string, Account_NTDomain:string, Account_UPNSuffix:string, Account_AadUserId:string, Account_Sid:string){\\nlet Account_UPN = strcat(Account_Name, \u0027@\u0027, Account_UPNSuffix);\\nlet Account_Win = strcat(Account_NTDomain,\u0027\\\\\\\\\u0027, Account_Name);\\nunion isfuzzy=true\\n(AuditLogs\\n | where tostring(bag_keys(InitiatedBy)[0]) == \\\"user\\\"\\n | where OperationName in~ (\u0027Add user\u0027, \u0027Update user\u0027, \u0027Delete user\u0027, \u0027Change user password\u0027, \u0027Reset user password\u0027, \u0027Reset password (by admin)\u0027, \u0027Change password (self-service)\u0027, \u0027Reset password (self-service)\u0027)\\n | where Account_UPN =~ tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName) or Account_AadUserId =~ tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend InitiatedByAccount = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | parse InitiatedByAccount with userName:string \u0027@\u0027 userUpnSuffix:string\\n | extend InitiatedByAADUserId = tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend TargetAccount = tostring(TargetResources[0].userPrincipalName)\\n | parse TargetAccount with TargetAccountName:string \u0027@\u0027 TargetAccountUPNSuffix:string\\n | extend TargetAADUserId = tostring(TargetResources[0].id)\\n | extend Action = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[0])))\\n | extend ModifiedProperty = tostring(parse_json(Action).displayName), ModifiedValue = tostring(parse_json(Action).newValue)\\n | extend DisableUser = iif(ModifiedProperty =~ \u0027AccountEnabled\u0027 and ModifiedValue =~ \u0027[false]\u0027, \u0027True\u0027, \u0027False\u0027)\\n),\\n(SecurityEvent\\n | where AccountType =~ \\\"user\\\" or isempty(AccountType)\\n | where EventID in (4720, 4722, 4723, 4724, 4725, 4726, 4740)\\n | where Account_Win =~ SubjectAccount or Account_Sid =~ SubjectUserSid\\n | parse TargetAccount with TargetAccountNTDomain \u0027\\\\\\\\\u0027 TargetAccountName\\n | extend InitiatedByAccount = SubjectAccount, InitiatedByUserSid = SubjectUserSid, OperationName = tostring(EventID), ModifiedProperty = Activity\\n)\\n};\\nGetAccountActions(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_AadUserId}}\u0027, \u0027{{Account_Sid}}\u0027) \\n| where OperationName in~ (\u0027Delete user\u0027, \u00274726\u0027) \\n| project InitiatedByAccount, TargetAccount, TargetSid, TargetAADUserId, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AuditLogs\"},{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AadUserId\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/ad1f4269-5418-4c46-a3b6-4ec01031de60\",\"name\":\"ad1f4269-5418-4c46-a3b6-4ec01031de60\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user has reset an account\u0027s password\",\"content\":\"The password for account {{TargetAccount}} was reset by the user {{InitiatedByAccount}} {{Count}} time(s)\",\"description\":\"This activity displays password reset events performed by the user\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (Account_Name:string, Account_NTDomain:string, Account_UPNSuffix:string, Account_AadUserId:string, Account_Sid:string){\\nlet Account_UPN = strcat(Account_Name, \u0027@\u0027, Account_UPNSuffix);\\nlet Account_Win = strcat(Account_NTDomain,\u0027\\\\\\\\\u0027, Account_Name);\\nunion isfuzzy=true\\n(AuditLogs\\n | where tostring(bag_keys(InitiatedBy)[0]) == \\\"user\\\"\\n | where OperationName in~ (\u0027Add user\u0027, \u0027Update user\u0027, \u0027Delete user\u0027, \u0027Change user password\u0027, \u0027Reset user password\u0027, \u0027Reset password (by admin)\u0027, \u0027Change password (self-service)\u0027, \u0027Reset password (self-service)\u0027)\\n | where Account_UPN =~ tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName) or Account_AadUserId =~ tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend InitiatedByAccount = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | parse InitiatedByAccount with userName:string \u0027@\u0027 userUpnSuffix:string\\n | extend InitiatedByAADUserId = tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend TargetAccount = tostring(TargetResources[0].userPrincipalName)\\n | parse TargetAccount with TargetAccountName:string \u0027@\u0027 TargetAccountUPNSuffix:string\\n | extend TargetAADUserId = tostring(TargetResources[0].id)\\n | extend Action = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[0])))\\n | extend ModifiedProperty = tostring(parse_json(Action).displayName), ModifiedValue = tostring(parse_json(Action).newValue)\\n | extend DisableUser = iif(ModifiedProperty =~ \u0027AccountEnabled\u0027 and ModifiedValue =~ \u0027[false]\u0027, \u0027True\u0027, \u0027False\u0027)\\n),\\n(SecurityEvent\\n | where AccountType =~ \\\"user\\\" or isempty(AccountType)\\n | where EventID in (4720, 4722, 4723, 4724, 4725, 4726, 4740)\\n | where Account_Win =~ SubjectAccount or Account_Sid =~ SubjectUserSid\\n | parse TargetAccount with TargetAccountNTDomain \u0027\\\\\\\\\u0027 TargetAccountName\\n | extend InitiatedByAccount = SubjectAccount, InitiatedByUserSid = SubjectUserSid, OperationName = tostring(EventID), ModifiedProperty = Activity\\n)\\n};\\nGetAccountActions(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_AadUserId}}\u0027, \u0027{{Account_Sid}}\u0027) \\n| where OperationName in~ (\u0027Change user password\u0027, \u0027Reset user password\u0027, \u0027Change password (self-service)\u0027, \u0027Reset password (by admin)\u0027, \u0027Reset password (self-service)\u0027, \u00274724\u0027, \u00274723\u0027) \\n| project InitiatedByAccount, TargetAccount, TargetSid, TargetAADUserId, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AuditLogs\"},{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AadUserId\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/fde1b9cc-9480-4418-ae21-91723d16b24d\",\"name\":\"fde1b9cc-9480-4418-ae21-91723d16b24d\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user account was created\",\"content\":\"The user account {{TargetAccount}} was created\",\"description\":\"This activity displays the user account events for when it was created\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (Account_Name:string, Account_NTDomain:string, Account_UPNSuffix:string, Account_AadUserId:string, Account_Sid:string){\\nlet Account_UPN = strcat(Account_Name, \u0027@\u0027, Account_UPNSuffix);\\nlet Account_Win = strcat(Account_NTDomain,\u0027\\\\\\\\\u0027, Account_Name);\\nunion isfuzzy=true\\n(AuditLogs\\n | where tostring(bag_keys(InitiatedBy)[0]) == \\\"user\\\"\\n | where OperationName in~ (\u0027Add user\u0027, \u0027Update user\u0027, \u0027Delete user\u0027, \u0027Change user password\u0027, \u0027Reset user password\u0027, \u0027Reset password (by admin)\u0027, \u0027Change password (self-service)\u0027, \u0027Reset password (self-service)\u0027)\\n | where Account_UPN =~ tostring(TargetResources[0].userPrincipalName) or Account_AadUserId =~ tostring(TargetResources[0].id)\\n | extend InitiatedByAccount = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | parse InitiatedByAccount with userName:string \u0027@\u0027 userUpnSuffix:string\\n | extend InitiatedByAADUserId = tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend TargetAccount = tostring(TargetResources[0].userPrincipalName)\\n | parse TargetAccount with TargetAccountName:string \u0027@\u0027 TargetAccountUPNSuffix:string\\n | extend TargetAADUserId = tostring(TargetResources[0].id)\\n | extend Action = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[0])))\\n | extend ModifiedProperty = tostring(parse_json(Action).displayName), ModifiedValue = tostring(parse_json(Action).newValue)\\n | extend DisableUser = iif(ModifiedProperty =~ \u0027AccountEnabled\u0027 and ModifiedValue =~ \u0027[false]\u0027, \u0027True\u0027, \u0027False\u0027)\\n),\\n(SecurityEvent\\n | where AccountType =~ \\\"user\\\" or isempty(AccountType)\\n | where EventID in (4720, 4722, 4723, 4724, 4725, 4726, 4740)\\n | where Account_Win =~ TargetAccount or Account_Sid =~ TargetSid\\n | parse TargetAccount with TargetAccountNTDomain \u0027\\\\\\\\\u0027 TargetAccountName\\n | extend InitiatedByAccount = SubjectAccount, InitiatedByUserSid = SubjectUserSid, OperationName = tostring(EventID), ModifiedProperty = Activity\\n)\\n};\\nGetAccountActions(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_AadUserId}}\u0027, \u0027{{Account_Sid}}\u0027) \\n| where OperationName in~ (\u0027Add user\u0027, \u00274720\u0027) \\n| project TargetAccount, TargetSid, TargetAADUserId, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AuditLogs\"},{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AadUserId\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/b15901ba-8679-4f6a-b312-722031ab58f2\",\"name\":\"b15901ba-8679-4f6a-b312-722031ab58f2\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user account was deleted\",\"content\":\"The user account {{TargetAccount}} was deleted\",\"description\":\"This activity displays the user account events for when it was deleted\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (Account_Name:string, Account_NTDomain:string, Account_UPNSuffix:string, Account_AadUserId:string, Account_Sid:string){\\nlet Account_UPN = strcat(Account_Name, \u0027@\u0027, Account_UPNSuffix);\\nlet Account_Win = strcat(Account_NTDomain,\u0027\\\\\\\\\u0027, Account_Name);\\nunion isfuzzy=true\\n(AuditLogs\\n | where tostring(bag_keys(InitiatedBy)[0]) == \\\"user\\\"\\n | where OperationName in~ (\u0027Add user\u0027, \u0027Update user\u0027, \u0027Delete user\u0027, \u0027Change user password\u0027, \u0027Reset user password\u0027, \u0027Reset password (by admin)\u0027, \u0027Change password (self-service)\u0027, \u0027Reset password (self-service)\u0027)\\n | where Account_UPN =~ tostring(TargetResources[0].userPrincipalName) or Account_AadUserId =~ tostring(TargetResources[0].id)\\n | extend InitiatedByAccount = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | parse InitiatedByAccount with userName:string \u0027@\u0027 userUpnSuffix:string\\n | extend InitiatedByAADUserId = tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend TargetAccount = tostring(TargetResources[0].userPrincipalName)\\n | parse TargetAccount with TargetAccountName:string \u0027@\u0027 TargetAccountUPNSuffix:string\\n | extend TargetAADUserId = tostring(TargetResources[0].id)\\n | extend Action = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[0])))\\n | extend ModifiedProperty = tostring(parse_json(Action).displayName), ModifiedValue = tostring(parse_json(Action).newValue)\\n | extend DisableUser = iif(ModifiedProperty =~ \u0027AccountEnabled\u0027 and ModifiedValue =~ \u0027[false]\u0027, \u0027True\u0027, \u0027False\u0027)\\n),\\n(SecurityEvent\\n | where AccountType =~ \\\"user\\\" or isempty(AccountType)\\n | where EventID in (4720, 4722, 4723, 4724, 4725, 4726, 4740)\\n | where Account_Win =~ TargetAccount or Account_Sid =~ TargetSid\\n | parse TargetAccount with TargetAccountNTDomain \u0027\\\\\\\\\u0027 TargetAccountName\\n | extend InitiatedByAccount = SubjectAccount, InitiatedByUserSid = SubjectUserSid, OperationName = tostring(EventID), ModifiedProperty = Activity\\n)\\n};\\nGetAccountActions(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_AadUserId}}\u0027, \u0027{{Account_Sid}}\u0027) \\n| where OperationName in~ (\u0027Delete user\u0027, \u00274726\u0027) \\n| project TargetAccount, TargetSid, TargetAADUserId, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AuditLogs\"},{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AadUserId\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/c07d1d02-0a06-455e-add9-12c5a5e426f3\",\"name\":\"c07d1d02-0a06-455e-add9-12c5a5e426f3\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user account password was reset\",\"content\":\"The user account {{TargetAccount}} had a password reset\",\"description\":\"This activity displays the user account events for when the password was reset\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (Account_Name:string, Account_NTDomain:string, Account_UPNSuffix:string, Account_AadUserId:string, Account_Sid:string){\\nlet Account_UPN = strcat(Account_Name, \u0027@\u0027, Account_UPNSuffix);\\nlet Account_Win = strcat(Account_NTDomain,\u0027\\\\\\\\\u0027, Account_Name);\\nunion isfuzzy=true\\n(AuditLogs\\n | where tostring(bag_keys(InitiatedBy)[0]) == \\\"user\\\"\\n | where OperationName in~ (\u0027Add user\u0027, \u0027Update user\u0027, \u0027Delete user\u0027, \u0027Change user password\u0027, \u0027Reset user password\u0027, \u0027Reset password (by admin)\u0027, \u0027Change password (self-service)\u0027, \u0027Reset password (self-service)\u0027)\\n | where Account_UPN =~ tostring(TargetResources[0].userPrincipalName) or Account_AadUserId =~ tostring(TargetResources[0].id)\\n | extend InitiatedByAccount = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | parse InitiatedByAccount with userName:string \u0027@\u0027 userUpnSuffix:string\\n | extend InitiatedByAADUserId = tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend TargetAccount = tostring(TargetResources[0].userPrincipalName)\\n | parse TargetAccount with TargetAccountName:string \u0027@\u0027 TargetAccountUPNSuffix:string\\n | extend TargetAADUserId = tostring(TargetResources[0].id)\\n | extend Action = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[0])))\\n | extend ModifiedProperty = tostring(parse_json(Action).displayName), ModifiedValue = tostring(parse_json(Action).newValue)\\n | extend DisableUser = iif(ModifiedProperty =~ \u0027AccountEnabled\u0027 and ModifiedValue =~ \u0027[false]\u0027, \u0027True\u0027, \u0027False\u0027)\\n),\\n(SecurityEvent\\n | where AccountType =~ \\\"user\\\" or isempty(AccountType)\\n | where EventID in (4720, 4722, 4723, 4724, 4725, 4726, 4740)\\n | where Account_Win =~ TargetAccount or Account_Sid =~ TargetSid\\n | parse TargetAccount with TargetAccountNTDomain \u0027\\\\\\\\\u0027 TargetAccountName\\n | extend InitiatedByAccount = SubjectAccount, InitiatedByUserSid = SubjectUserSid, OperationName = tostring(EventID), ModifiedProperty = Activity\\n)\\n};\\nGetAccountActions(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_AadUserId}}\u0027, \u0027{{Account_Sid}}\u0027) \\n| where OperationName in~ (\u0027Change user password\u0027, \u0027Reset user password\u0027, \u0027Change password (self-service)\u0027, \u0027Reset password (by admin)\u0027, \u0027Reset password (self-service)\u0027, \u00274723\u0027, \u00274724\u0027) \\n| project TargetAccount, TargetSid, TargetAADUserId, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AuditLogs\"},{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AadUserId\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/5e9ecee5-e7a4-4a2a-94c4-9c0e22e1b673\",\"name\":\"5e9ecee5-e7a4-4a2a-94c4-9c0e22e1b673\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user consented to OAuth application\",\"content\":\"The user consented to the OAuth application named {{Target_CloudApplication_Name}} {{Count}} time(s)\",\"description\":\"This activity lists user\u0027s consents to an OAuth applications.\",\"queryDefinitions\":{\"query\":\"let UserConsentToApplication = (Account_Name:string, Account_UPNSuffix:string, Account_AadUserId:string){\\nlet account_upn = iff(Account_Name != \\\"\\\" and Account_UPNSuffix != \\\"\\\"\\n, strcat(Account_Name,\\\"@\\\",Account_UPNSuffix)\\n,\\\"\\\" );\\nAuditLogs\\n| where OperationName == \\\"Consent to application\\\"\\n| extend Source_Account_UPNSuffix = tostring(todynamic(InitiatedBy) [\\\"user\\\"][\\\"userPrincipalName\\\"]), Source_Account_AadUserId = tostring(todynamic(InitiatedBy) [\\\"user\\\"][\\\"id\\\"])\\n| where (account_upn != \\\"\\\" and account_upn =~ Source_Account_UPNSuffix) \\nor (Account_AadUserId != \\\"\\\" and Account_AadUserId =~ Source_Account_AadUserId)\\n| extend Target_CloudApplication_Name = tostring(todynamic(TargetResources)[0][\\\"displayName\\\"]), Target_CloudApplication_AppId = tostring(todynamic(TargetResources)[0][\\\"id\\\"])\\n};\\nUserConsentToApplication(\u0027{{Account_Name}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_AadUserId}}\u0027) \\n| project Target_CloudApplication_AppId, Target_CloudApplication_Name, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AuditLogs\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AadUserId\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/cab4058a-0707-4a02-b76f-cf96270823ed\",\"name\":\"cab4058a-0707-4a02-b76f-cf96270823ed\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"User performed operation on azure resource from IP\",\"content\":\"User performed operation {{OperationNameValue}} on azure resource: {{shortResourceId}} from IP {{Source_IP_Address}} {{Count}} time(s)\",\"description\":\"This activity lists the user\u0027s activities on Azure.\",\"queryDefinitions\":{\"query\":\"let AzureRunProcess = (Account_Name:string, Account_UPNSuffix:string,Account_AadUserId:string){\\nlet upn = strcat(Account_Name,\\\"@\\\",Account_UPNSuffix);\\nAzureActivity\\n| where (isnotempty(Account_AadUserId) and Caller =~ Account_AadUserId) or Caller =~ upn\\n| where OperationNameValue contains \\\"Run Command on Virtual Machine\\\"\\n or (OperationNameValue == \\\"List Storage Account Keys\\\" and ActivityStatusValue == \\\"Succeeded\\\")\\n or OperationNameValue == \\\"Create or Update Virtual Machine\\\"\\n or OperationNameValue == \\\"Create Deployment\\\"\\n or OperationNameValue == \\\"Create role assignment\\\"\\n| project-rename Target_AzureResource_ResourceId = _ResourceId, Source_IP_Address = CallerIpAddress\\n| extend shortResourceId = tostring(split(ResourceId,\u0027/\u0027)[-1])\\n};\\nAzureRunProcess(\u0027{{Account_Name}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_AadUserId}}\u0027) \\n| project Target_AzureResource_ResourceId, Source_IP_Address, shortResourceId, OperationNameValue, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AzureActivity\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AadUserId\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/febba410-e7d6-4c63-8fe5-2b93f448b7a1\",\"name\":\"febba410-e7d6-4c63-8fe5-2b93f448b7a1\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user has added accounts to a local privileged group\",\"content\":\"The user has added accounts to the local privileged group, {{TargetAccount}}, {{Count}} time(s)\",\"description\":\"This activity displays the user that added accounts to a local privileged group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalGroupSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownDomainGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForUser = (v_Account_Name:string, v_Account_NTDomain:string, v_Account_SID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n| where AccountType =~ \u0027User\u0027\\n| extend Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nSubjectUserName has \u0027@\u0027 and SubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nSubjectUserName has \u0027@\u0027, tostring(split(SubjectUserName, \u0027@\u0027)[0]),\\nSubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\\nSubjectUserName\\n)\\n| extend Account_NTDomain = case(\\nSubjectDomainName has \u0027\\\\\\\\\u0027, tostring(split(SubjectDomainName, \u0027\\\\\\\\\u0027)[0]),\\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nSubjectDomainName has \u0027@\u0027, tostring(split(tostring(split(SubjectDomainName, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nSubjectDomainName\\n)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName)\\n| extend MemberNameMatch = iff(isnotempty(v_Account_Name) and MemberAdded has v_Account_Name, true, false)\\n| extend MemberNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and MemberAdded has v_Account_NTDomain, true, false)\\n| extend MemberSidMatch = iff(isnotempty(v_Account_SID) and MemberSid =~ v_Account_SID, true, false)\\n| extend SubjectNameMatch = iff(isnotempty(v_Account_Name) and SubjectUserName =~ v_Account_Name, true, false)\\n| extend SubjectNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and SubjectDomainName =~ v_Account_NTDomain, true, false)\\n| extend SubjectSidMatch = iff(isnotempty(v_Account_SID) and SubjectUserSid has v_Account_SID, true, false)\\n| where (MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true or (SubjectNameMatch == true and SubjectNTDomainMatch == true) or SubjectSidMatch == true \\n| project TimeGenerated, EventID, Activity, Computer, MemberName, MemberAdded, MemberSid, TargetAccount, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectAccount, SubjectDomainName, SubjectUserName, SubjectUserSid, WellKnownDomainGroupSID, WellKnownLocalGroupSID, \\nMemberNameMatch, MemberNTDomainMatch, MemberSidMatch, SubjectNameMatch, SubjectNTDomainMatch, SubjectSidMatch \\n| extend GroupName = TargetUserName, AddedBy = SubjectAccount\\n//support for Activities\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount\\n};\\nGetGroupAddForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_SID}}\u0027) \\n| where ((MemberNameMatch == false and MemberNTDomainMatch == false) or MemberSidMatch == false) and TargetSid matches regex WellKnownLocalGroupSID | where TargetSid !in (\u0027S-1-5-32-555\u0027) \\n| project SubjectAccount, TargetAccount, TargetSid, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_SID\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/0e98c61c-6ae0-4e13-8071-d807dc25082a\",\"name\":\"0e98c61c-6ae0-4e13-8071-d807dc25082a\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user has added accounts to a domain privileged group\",\"content\":\"The user has added accounts to the domain privileged group, {{TargetAccount}}, {{Count}} time(s)\",\"description\":\"This activity displays the user that added accounts to a domain privileged group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalGroupSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownDomainGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForUser = (v_Account_Name:string, v_Account_NTDomain:string, v_Account_SID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n| where AccountType =~ \u0027User\u0027\\n| extend Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nSubjectUserName has \u0027@\u0027 and SubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nSubjectUserName has \u0027@\u0027, tostring(split(SubjectUserName, \u0027@\u0027)[0]),\\nSubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\\nSubjectUserName\\n)\\n| extend Account_NTDomain = case(\\nSubjectDomainName has \u0027\\\\\\\\\u0027, tostring(split(SubjectDomainName, \u0027\\\\\\\\\u0027)[0]),\\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nSubjectDomainName has \u0027@\u0027, tostring(split(tostring(split(SubjectDomainName, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nSubjectDomainName\\n)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName)\\n| extend MemberNameMatch = iff(isnotempty(v_Account_Name) and MemberAdded has v_Account_Name, true, false)\\n| extend MemberNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and MemberAdded has v_Account_NTDomain, true, false)\\n| extend MemberSidMatch = iff(isnotempty(v_Account_SID) and MemberSid =~ v_Account_SID, true, false)\\n| extend SubjectNameMatch = iff(isnotempty(v_Account_Name) and SubjectUserName =~ v_Account_Name, true, false)\\n| extend SubjectNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and SubjectDomainName =~ v_Account_NTDomain, true, false)\\n| extend SubjectSidMatch = iff(isnotempty(v_Account_SID) and SubjectUserSid has v_Account_SID, true, false)\\n| where (MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true or (SubjectNameMatch == true and SubjectNTDomainMatch == true) or SubjectSidMatch == true \\n| project TimeGenerated, EventID, Activity, Computer, MemberName, MemberAdded, MemberSid, TargetAccount, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectAccount, SubjectDomainName, SubjectUserName, SubjectUserSid, WellKnownDomainGroupSID, WellKnownLocalGroupSID, \\nMemberNameMatch, MemberNTDomainMatch, MemberSidMatch, SubjectNameMatch, SubjectNTDomainMatch, SubjectSidMatch \\n| extend GroupName = TargetUserName, AddedBy = SubjectAccount\\n//support for Activities\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount\\n};\\nGetGroupAddForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_SID}}\u0027) \\n| where ((MemberNameMatch == false and MemberNTDomainMatch == false) or MemberSidMatch == false) and TargetSid matches regex WellKnownDomainGroupSID \\n| project SubjectAccount, TargetAccount, TargetSid, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_SID\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/0caf9819-3269-48ac-b162-eeee638e4aa9\",\"name\":\"0caf9819-3269-48ac-b162-eeee638e4aa9\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"This user was added to a local privileged group\",\"content\":\"This user was added to the local privileged group {{TargetAccount}}, {{Count}} time(s)\",\"description\":\"This activity displays that this user was added to a local privileged group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalGroupSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownDomainGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForUser = (v_Account_Name:string, v_Account_NTDomain:string, v_Account_SID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n| where AccountType =~ \u0027User\u0027\\n| extend Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nSubjectUserName has \u0027@\u0027 and SubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nSubjectUserName has \u0027@\u0027, tostring(split(SubjectUserName, \u0027@\u0027)[0]),\\nSubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\\nSubjectUserName\\n)\\n| extend Account_NTDomain = case(\\nSubjectDomainName has \u0027\\\\\\\\\u0027, tostring(split(SubjectDomainName, \u0027\\\\\\\\\u0027)[0]),\\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nSubjectDomainName has \u0027@\u0027, tostring(split(tostring(split(SubjectDomainName, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nSubjectDomainName\\n)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName)\\n| extend MemberNameMatch = iff(isnotempty(v_Account_Name) and MemberAdded has v_Account_Name, true, false)\\n| extend MemberNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and MemberAdded has v_Account_NTDomain, true, false)\\n| extend MemberSidMatch = iff(isnotempty(v_Account_SID) and MemberSid =~ v_Account_SID, true, false)\\n| extend SubjectNameMatch = iff(isnotempty(v_Account_Name) and SubjectUserName =~ v_Account_Name, true, false)\\n| extend SubjectNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and SubjectDomainName =~ v_Account_NTDomain, true, false)\\n| extend SubjectSidMatch = iff(isnotempty(v_Account_SID) and SubjectUserSid has v_Account_SID, true, false)\\n| where (MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true or (SubjectNameMatch == true and SubjectNTDomainMatch == true) or SubjectSidMatch == true \\n| project TimeGenerated, EventID, Activity, Computer, MemberName, MemberAdded, MemberSid, TargetAccount, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectAccount, SubjectDomainName, SubjectUserName, SubjectUserSid, WellKnownDomainGroupSID, WellKnownLocalGroupSID, \\nMemberNameMatch, MemberNTDomainMatch, MemberSidMatch, SubjectNameMatch, SubjectNTDomainMatch, SubjectSidMatch \\n| extend GroupName = TargetUserName, AddedBy = SubjectAccount\\n//support for Activities\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount\\n};\\nGetGroupAddForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_SID}}\u0027) \\n| where ((MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true) and TargetSid matches regex WellKnownLocalGroupSID | where TargetSid !in (\u0027S-1-5-32-555\u0027) \\n| project SubjectAccount, TargetAccount, TargetSid, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_SID\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/d57681e4-18e6-459f-b61d-4d4a1f205b70\",\"name\":\"d57681e4-18e6-459f-b61d-4d4a1f205b70\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"This user was added to a domain privileged group\",\"content\":\"This user was added to the domain privileged group {{TargetAccount}}\",\"description\":\"This activity displays that this user was added to a domain privileged group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalGroupSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownDomainGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForUser = (v_Account_Name:string, v_Account_NTDomain:string, v_Account_SID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n| where AccountType =~ \u0027User\u0027\\n| extend Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nSubjectUserName has \u0027@\u0027 and SubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nSubjectUserName has \u0027@\u0027, tostring(split(SubjectUserName, \u0027@\u0027)[0]),\\nSubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\\nSubjectUserName\\n)\\n| extend Account_NTDomain = case(\\nSubjectDomainName has \u0027\\\\\\\\\u0027, tostring(split(SubjectDomainName, \u0027\\\\\\\\\u0027)[0]),\\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nSubjectDomainName has \u0027@\u0027, tostring(split(tostring(split(SubjectDomainName, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nSubjectDomainName\\n)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName)\\n| extend MemberNameMatch = iff(isnotempty(v_Account_Name) and MemberAdded has v_Account_Name, true, false)\\n| extend MemberNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and MemberAdded has v_Account_NTDomain, true, false)\\n| extend MemberSidMatch = iff(isnotempty(v_Account_SID) and MemberSid =~ v_Account_SID, true, false)\\n| extend SubjectNameMatch = iff(isnotempty(v_Account_Name) and SubjectUserName =~ v_Account_Name, true, false)\\n| extend SubjectNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and SubjectDomainName =~ v_Account_NTDomain, true, false)\\n| extend SubjectSidMatch = iff(isnotempty(v_Account_SID) and SubjectUserSid has v_Account_SID, true, false)\\n| where (MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true or (SubjectNameMatch == true and SubjectNTDomainMatch == true) or SubjectSidMatch == true \\n| project TimeGenerated, EventID, Activity, Computer, MemberName, MemberAdded, MemberSid, TargetAccount, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectAccount, SubjectDomainName, SubjectUserName, SubjectUserSid, WellKnownDomainGroupSID, WellKnownLocalGroupSID, \\nMemberNameMatch, MemberNTDomainMatch, MemberSidMatch, SubjectNameMatch, SubjectNTDomainMatch, SubjectSidMatch \\n| extend GroupName = TargetUserName, AddedBy = SubjectAccount\\n//support for Activities\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount\\n};\\nGetGroupAddForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_SID}}\u0027) \\n| where ((MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true) and TargetSid matches regex WellKnownDomainGroupSID \\n| project SubjectAccount, TargetAccount, TargetSid, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_SID\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/5ae2baf4-de7b-40f0-a861-8852266bfcd0\",\"name\":\"5ae2baf4-de7b-40f0-a861-8852266bfcd0\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user has added accounts to the Remote Desktop Users group\",\"content\":\"The user has added accounts to the {{TargetAccount}}, {{Count}} time(s)\",\"description\":\"This activity displays the user that added accounts to Remote Desktop group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalGroupSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownDomainGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForUser = (v_Account_Name:string, v_Account_NTDomain:string, v_Account_SID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n| where AccountType =~ \u0027User\u0027\\n| extend Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nSubjectUserName has \u0027@\u0027 and SubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nSubjectUserName has \u0027@\u0027, tostring(split(SubjectUserName, \u0027@\u0027)[0]),\\nSubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\\nSubjectUserName\\n)\\n| extend Account_NTDomain = case(\\nSubjectDomainName has \u0027\\\\\\\\\u0027, tostring(split(SubjectDomainName, \u0027\\\\\\\\\u0027)[0]),\\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nSubjectDomainName has \u0027@\u0027, tostring(split(tostring(split(SubjectDomainName, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nSubjectDomainName\\n)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName)\\n| extend MemberNameMatch = iff(isnotempty(v_Account_Name) and MemberAdded has v_Account_Name, true, false)\\n| extend MemberNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and MemberAdded has v_Account_NTDomain, true, false)\\n| extend MemberSidMatch = iff(isnotempty(v_Account_SID) and MemberSid =~ v_Account_SID, true, false)\\n| extend SubjectNameMatch = iff(isnotempty(v_Account_Name) and SubjectUserName =~ v_Account_Name, true, false)\\n| extend SubjectNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and SubjectDomainName =~ v_Account_NTDomain, true, false)\\n| extend SubjectSidMatch = iff(isnotempty(v_Account_SID) and SubjectUserSid has v_Account_SID, true, false)\\n| where (MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true or (SubjectNameMatch == true and SubjectNTDomainMatch == true) or SubjectSidMatch == true \\n| project TimeGenerated, EventID, Activity, Computer, MemberName, MemberAdded, MemberSid, TargetAccount, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectAccount, SubjectDomainName, SubjectUserName, SubjectUserSid, WellKnownDomainGroupSID, WellKnownLocalGroupSID, \\nMemberNameMatch, MemberNTDomainMatch, MemberSidMatch, SubjectNameMatch, SubjectNTDomainMatch, SubjectSidMatch \\n| extend GroupName = TargetUserName, AddedBy = SubjectAccount\\n//support for Activities\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount\\n};\\nGetGroupAddForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_SID}}\u0027) \\n| where ((MemberNameMatch == false and MemberNTDomainMatch == false) or MemberSidMatch == false) and TargetSid in (\u0027S-1-5-32-555\u0027) \\n| project SubjectAccount, TargetAccount, TargetSid, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_SID\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/60ef2e21-5f90-48bf-9bbc-d2a1829c3861\",\"name\":\"60ef2e21-5f90-48bf-9bbc-d2a1829c3861\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"This user was added to the Remote Desktop Users group\",\"content\":\"This user was added to the {{TargetAccount}} group\",\"description\":\"This activity displays that this user was added to the Remote Desktop group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalGroupSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownDomainGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForUser = (v_Account_Name:string, v_Account_NTDomain:string, v_Account_SID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n| where AccountType =~ \u0027User\u0027\\n| extend Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nSubjectUserName has \u0027@\u0027 and SubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nSubjectUserName has \u0027@\u0027, tostring(split(SubjectUserName, \u0027@\u0027)[0]),\\nSubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\\nSubjectUserName\\n)\\n| extend Account_NTDomain = case(\\nSubjectDomainName has \u0027\\\\\\\\\u0027, tostring(split(SubjectDomainName, \u0027\\\\\\\\\u0027)[0]),\\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nSubjectDomainName has \u0027@\u0027, tostring(split(tostring(split(SubjectDomainName, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nSubjectDomainName\\n)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName)\\n| extend MemberNameMatch = iff(isnotempty(v_Account_Name) and MemberAdded has v_Account_Name, true, false)\\n| extend MemberNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and MemberAdded has v_Account_NTDomain, true, false)\\n| extend MemberSidMatch = iff(isnotempty(v_Account_SID) and MemberSid =~ v_Account_SID, true, false)\\n| extend SubjectNameMatch = iff(isnotempty(v_Account_Name) and SubjectUserName =~ v_Account_Name, true, false)\\n| extend SubjectNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and SubjectDomainName =~ v_Account_NTDomain, true, false)\\n| extend SubjectSidMatch = iff(isnotempty(v_Account_SID) and SubjectUserSid has v_Account_SID, true, false)\\n| where (MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true or (SubjectNameMatch == true and SubjectNTDomainMatch == true) or SubjectSidMatch == true \\n| project TimeGenerated, EventID, Activity, Computer, MemberName, MemberAdded, MemberSid, TargetAccount, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectAccount, SubjectDomainName, SubjectUserName, SubjectUserSid, WellKnownDomainGroupSID, WellKnownLocalGroupSID, \\nMemberNameMatch, MemberNTDomainMatch, MemberSidMatch, SubjectNameMatch, SubjectNTDomainMatch, SubjectSidMatch \\n| extend GroupName = TargetUserName, AddedBy = SubjectAccount\\n//support for Activities\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount\\n};\\nGetGroupAddForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_SID}}\u0027) \\n| where ((MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true) and TargetSid in (\u0027S-1-5-32-555\u0027) \\n| project SubjectAccount, TargetAccount, TargetSid, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_SID\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/bf56473d-b9bd-4eb1-96d0-8569ec7a9003\",\"name\":\"bf56473d-b9bd-4eb1-96d0-8569ec7a9003\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user has added an account to a security group\",\"content\":\"The user has added {{MemberAdded}} to the {{TargetAccount}} group\",\"description\":\"This activity displays the user that added an account and the account that was added to a security group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalGroupSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownDomainGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForUser = (v_Account_Name:string, v_Account_NTDomain:string, v_Account_SID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n| where AccountType =~ \u0027User\u0027\\n| extend Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nSubjectUserName has \u0027@\u0027 and SubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nSubjectUserName has \u0027@\u0027, tostring(split(SubjectUserName, \u0027@\u0027)[0]),\\nSubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\\nSubjectUserName\\n)\\n| extend Account_NTDomain = case(\\nSubjectDomainName has \u0027\\\\\\\\\u0027, tostring(split(SubjectDomainName, \u0027\\\\\\\\\u0027)[0]),\\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nSubjectDomainName has \u0027@\u0027, tostring(split(tostring(split(SubjectDomainName, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nSubjectDomainName\\n)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName)\\n| extend MemberNameMatch = iff(isnotempty(v_Account_Name) and MemberAdded has v_Account_Name, true, false)\\n| extend MemberNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and MemberAdded has v_Account_NTDomain, true, false)\\n| extend MemberSidMatch = iff(isnotempty(v_Account_SID) and MemberSid =~ v_Account_SID, true, false)\\n| extend SubjectNameMatch = iff(isnotempty(v_Account_Name) and SubjectUserName =~ v_Account_Name, true, false)\\n| extend SubjectNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and SubjectDomainName =~ v_Account_NTDomain, true, false)\\n| extend SubjectSidMatch = iff(isnotempty(v_Account_SID) and SubjectUserSid has v_Account_SID, true, false)\\n| where (MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true or (SubjectNameMatch == true and SubjectNTDomainMatch == true) or SubjectSidMatch == true \\n| project TimeGenerated, EventID, Activity, Computer, MemberName, MemberAdded, MemberSid, TargetAccount, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectAccount, SubjectDomainName, SubjectUserName, SubjectUserSid, WellKnownDomainGroupSID, WellKnownLocalGroupSID, \\nMemberNameMatch, MemberNTDomainMatch, MemberSidMatch, SubjectNameMatch, SubjectNTDomainMatch, SubjectSidMatch \\n| extend GroupName = TargetUserName, AddedBy = SubjectAccount\\n//support for Activities\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount\\n};\\nGetGroupAddForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_SID}}\u0027) \\n| where ((SubjectNameMatch == true and SubjectNTDomainMatch == true) or SubjectSidMatch == true) and not(TargetSid matches regex WellKnownLocalGroupSID or TargetSid matches regex WellKnownDomainGroupSID) \\n| project SubjectAccount, MemberAdded, TargetAccount, TargetSid, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_SID\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/252c9ad7-2957-43cd-8f33-4ac4bb56e119\",\"name\":\"252c9ad7-2957-43cd-8f33-4ac4bb56e119\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"This user was added to a security group\",\"content\":\"This user was added to the {{TargetAccount}} group, {{Count}} time(s)\",\"description\":\"This activity displays that this user was added to a security group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalGroupSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownDomainGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForUser = (v_Account_Name:string, v_Account_NTDomain:string, v_Account_SID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n| where AccountType =~ \u0027User\u0027\\n| extend Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nSubjectUserName has \u0027@\u0027 and SubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nSubjectUserName has \u0027@\u0027, tostring(split(SubjectUserName, \u0027@\u0027)[0]),\\nSubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\\nSubjectUserName\\n)\\n| extend Account_NTDomain = case(\\nSubjectDomainName has \u0027\\\\\\\\\u0027, tostring(split(SubjectDomainName, \u0027\\\\\\\\\u0027)[0]),\\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nSubjectDomainName has \u0027@\u0027, tostring(split(tostring(split(SubjectDomainName, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nSubjectDomainName\\n)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName)\\n| extend MemberNameMatch = iff(isnotempty(v_Account_Name) and MemberAdded has v_Account_Name, true, false)\\n| extend MemberNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and MemberAdded has v_Account_NTDomain, true, false)\\n| extend MemberSidMatch = iff(isnotempty(v_Account_SID) and MemberSid =~ v_Account_SID, true, false)\\n| extend SubjectNameMatch = iff(isnotempty(v_Account_Name) and SubjectUserName =~ v_Account_Name, true, false)\\n| extend SubjectNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and SubjectDomainName =~ v_Account_NTDomain, true, false)\\n| extend SubjectSidMatch = iff(isnotempty(v_Account_SID) and SubjectUserSid has v_Account_SID, true, false)\\n| where (MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true or (SubjectNameMatch == true and SubjectNTDomainMatch == true) or SubjectSidMatch == true \\n| project TimeGenerated, EventID, Activity, Computer, MemberName, MemberAdded, MemberSid, TargetAccount, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectAccount, SubjectDomainName, SubjectUserName, SubjectUserSid, WellKnownDomainGroupSID, WellKnownLocalGroupSID, \\nMemberNameMatch, MemberNTDomainMatch, MemberSidMatch, SubjectNameMatch, SubjectNTDomainMatch, SubjectSidMatch \\n| extend GroupName = TargetUserName, AddedBy = SubjectAccount\\n//support for Activities\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount\\n};\\nGetGroupAddForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_SID}}\u0027) \\n| where ((MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true) and not(TargetSid matches regex WellKnownLocalGroupSID or TargetSid matches regex WellKnownDomainGroupSID) \\n| project SubjectAccount, TargetAccount, TargetSid, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_SID\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/1f82f263-d694-469a-9717-1b3edf9d3bb2\",\"name\":\"1f82f263-d694-469a-9717-1b3edf9d3bb2\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user acted on another accounts mailbox\",\"content\":\"The user acted on mailbox {{MailboxOwnerUPN}} {{Count}} time(s)\",\"description\":\"This activity lists user\u0027s activities on others\u0027 mailbox\",\"queryDefinitions\":{\"query\":\"let TLQ_UserActedOnForeignMailbox = (Account_Name:string, Account_UPNSuffix:string, account_sid:string){\\nlet account_upn = iff(Account_Name!=\\\"\\\" and Account_UPNSuffix != \\\"\\\"\\n,strcat(Account_Name,\\\"@\\\",Account_UPNSuffix)\\n,\\\"\\\");\\nOfficeActivity\\n| where RecordType == \\\"ExchangeItem\\\" and UserType ==\\\"Regular\\\" and Operation !contains \\\"InboxRule\\\"\\n| where LogonUserSid != MailboxOwnerSid \\n| where ((account_sid != \\\"\\\" and LogonUserSid =~ account_sid)\\n or ( account_upn != \\\"\\\" and UserId =~ account_upn ))\\n};\\nTLQ_UserActedOnForeignMailbox(\u0027{{Account_Name}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_Sid}}\u0027) \\n| project MailboxOwnerSid, MailboxOwnerUPN, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"OfficeActivity\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/e480efd0-016d-428e-b892-84b9d586d004\",\"name\":\"e480efd0-016d-428e-b892-84b9d586d004\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user modified inbox rules on another accounts mailbox\",\"content\":\"User Modified {{Count}} inbox rules on {{MailboxOwnerUPN}}\u0027s Mailbox\",\"description\":\"User modified inbox rules on a mailbox\",\"queryDefinitions\":{\"query\":\"let ruleChangeRecordTypes = dynamic( [\\\"ExchangeAdmin\\\", \\\"ExchangeItem\\\"]);\\nlet TLQ_UserModifiedinboxRules = (Account_Name: string, Account_UPNSuffix: string, Account_Sid: string){\\nlet upn = iff(Account_Name != \\\"\\\" and Account_UPNSuffix != \\\"\\\"\\n, strcat(Account_Name, \\\"@\\\", Account_UPNSuffix)\\n, \\\"\\\");\\nOfficeActivity\\n| where RecordType in~ (ruleChangeRecordTypes) and Operation contains \\\"InboxRule\\\"\\n| where((Account_Sid != \\\"\\\" and LogonUserSid == Account_Sid)\\nor(upn != \\\"\\\" and UserId == upn )\\n)\\n};\\nTLQ_UserModifiedinboxRules(\u0027{{Account_Name}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_Sid}}\u0027) \\n| project MailboxOwnerSid, MailboxOwnerUPN, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"OfficeActivity\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/0eabec03-51e7-4909-b0cb-1adc76759e93\",\"name\":\"0eabec03-51e7-4909-b0cb-1adc76759e93\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"User uploaded files to SharePoint\",\"content\":\"User uploaded {{Count}} file(s) To SharePoint from {{Source_IP_Address}}\",\"description\":\"This activity lists the user\u0027s SharePoint uploads.\",\"queryDefinitions\":{\"query\":\"let TLQ_UserUploadFiles = (Account_Name:string, Account_UPNSuffix:string){\\nlet upn = strcat(Account_Name,\\\"@\\\",Account_UPNSuffix);\\nOfficeActivity\\n| where RecordType =~ \\\"SharePointFileOperation\\\" and Operation in~ (\\\"FileUploaded\\\", \\\"FileDownloaded\\\")\\n| where upn =~UserId\\n| extend Subject_File_Directory = tostring(split(OfficeObjectId,SourceFileName)[0])\\n| project-rename Source_IP_Address = ClientIP\\n};\\nTLQ_UserUploadFiles(\u0027{{Account_Name}}\u0027, \u0027{{Account_UPNSuffix}}\u0027) \\n| where Operation =~ \\\"FileUploaded\\\" \\n| project Source_IP_Address, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"OfficeActivity\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_UPNSuffix\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/df564e7b-bf6d-4dc4-a32d-79b00bd2cc7b\",\"name\":\"df564e7b-bf6d-4dc4-a32d-79b00bd2cc7b\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"User downloaded files from SharePoint\",\"content\":\"User downloaded {{Count}} File(s) from SharePoint from {{Source_IP_Address}}\",\"description\":\"This activity lists the user\u0027s SharePoint downloads.\",\"queryDefinitions\":{\"query\":\"let TLQ_UserUploadFiles = (Account_Name:string, Account_UPNSuffix:string){\\nlet upn = strcat(Account_Name,\\\"@\\\",Account_UPNSuffix);\\nOfficeActivity\\n| where RecordType =~ \\\"SharePointFileOperation\\\" and Operation in~ (\\\"FileUploaded\\\", \\\"FileDownloaded\\\")\\n| where upn =~UserId\\n| extend Subject_File_Directory = tostring(split(OfficeObjectId,SourceFileName)[0])\\n| project-rename Source_IP_Address = ClientIP\\n};\\nTLQ_UserUploadFiles(\u0027{{Account_Name}}\u0027, \u0027{{Account_UPNSuffix}}\u0027) \\n| where Operation =~ \\\"FileDownloaded\\\" \\n| project Source_IP_Address, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"OfficeActivity\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_UPNSuffix\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/0f328f28-7e21-4596-b71c-54309fee5551\",\"name\":\"0f328f28-7e21-4596-b71c-54309fee5551\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user signed in to an Azure resource\",\"content\":\"The user signed in to {{shortResourceId}} {{Count}} time(s)\",\"description\":\"This activity lists user\u0027s sign ins to Azure Resources\",\"queryDefinitions\":{\"query\":\"let SignInsByResource = (Account_Name:string, Account_UPNSuffix:string, Account_AadUserId:string){\\nlet acc_upn = iff(Account_Name != \\\"\\\" and Account_UPNSuffix != \\\"\\\" ,strcat(Account_Name,\\\"@\\\" ,Account_UPNSuffix),\\\"\\\");\\nSigninLogs\\n| where (acc_upn != \\\"\\\" and UserPrincipalName =~ acc_upn) or\\n   (Account_AadUserId != \\\"\\\" and Account_AadUserId =~ UserId) // UserPrincipalName, UserId\\n| extend shortResourceId = tostring(split(ResourceId,\\\"/\\\")[-1])\\n};\\nSignInsByResource(\u0027{{Account_Name}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_AadUserId}}\u0027) \\n| project shortResourceId, ResourceId, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SigninLogs\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AadUserId\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/0d4ec12e-e44a-40a4-bb87-3db84d2a8057\",\"name\":\"0d4ec12e-e44a-40a4-bb87-3db84d2a8057\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Interactive log-ins to a host\",\"content\":\"The user {{Account_Name}} logged on to host {{Computer}} {{Count}} time(s)\",\"description\":\"This activity lists the user\u0027s interactive log-ins grouped by Host.\",\"queryDefinitions\":{\"query\":\"let GetAllLogonsForUser = (v_Account_Name:string, v_Account_NTDomain:string){\\nlet AllEvents = SecurityEvent\\n| extend p_Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nv_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nv_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\nv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\nv_Account_Name\\n)\\n| extend p_Account_NTDomain = case(\\nv_Account_NTDomain has \u0027\\\\\\\\\u0027, tostring(split(v_Account_NTDomain, \u0027\\\\\\\\\u0027)[0]), \\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nv_Account_NTDomain has \u0027@\u0027, tostring(split(tostring(split(v_Account_NTDomain, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nv_Account_NTDomain\\n)\\n| where EventID in (4624, 4625, 4672)\\n| where AccountType =~ \u0027User\u0027\\n| where TargetUserName =~ p_Account_Name and TargetDomainName =~ p_Account_NTDomain\\n| extend PassedInAccountName = p_Account_Name, PassedInNTDomain = p_Account_NTDomain, RelatedRowSet = \u0027AllEvents\u0027\\n| extend HourOfLogin = hourofday(TimeGenerated), DayNumberofWeek = dayofweek(TimeGenerated)\\n| extend DayofWeek = case(\\nDayNumberofWeek == \\\"00:00:00\\\", \\\"Sunday\\\", \\nDayNumberofWeek == \\\"1.00:00:00\\\", \\\"Monday\\\", \\nDayNumberofWeek == \\\"2.00:00:00\\\", \\\"Tuesday\\\", \\nDayNumberofWeek == \\\"3.00:00:00\\\", \\\"Wednesday\\\", \\nDayNumberofWeek == \\\"4.00:00:00\\\", \\\"Thursday\\\", \\nDayNumberofWeek == \\\"5.00:00:00\\\", \\\"Friday\\\", \\nDayNumberofWeek == \\\"6.00:00:00\\\", \\\"Saturday\\\",\\\"InvalidTimeStamp\\\")\\n// map the most common ntstatus codes\\n| extend StatusDesc = case(\\nStatus =~ \\\"0x80090302\\\", \\\"SEC_E_UNSUPPORTED_FUNCTION\\\",\\nStatus =~ \\\"0x80090308\\\", \\\"SEC_E_INVALID_TOKEN\\\",\\nStatus =~ \\\"0x8009030E\\\", \\\"SEC_E_NO_CREDENTIALS\\\",\\nStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nStatus =~ \\\"0xC0000017\\\", \\\"STATUS_NO_MEMORY\\\",\\nStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nStatus =~ \\\"0xC0000034\\\", \\\"STATUS_OBJECT_NAME_NOT_FOUND\\\",\\nStatus =~ \\\"0xC000005E\\\", \\\"STATUS_NO_LOGON_SERVERS\\\",\\nStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nStatus =~ \\\"0xC00000FE\\\", \\\"STATUS_NO_SUCH_PACKAGE\\\",\\nStatus =~ \\\"0xC000009A\\\", \\\"STATUS_INSUFFICIENT_RESOURCES\\\",\\nStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nStatus =~ \\\"0xC0000106\\\", \\\"STATUS_NAME_TOO_LONG\\\",\\nStatus =~ \\\"0xC000010B\\\", \\\"STATUS_INVALID_LOGON_TYPE\\\",\\nStatus =~ \\\"0xC000015B\\\", \\\"STATUS_LOGON_TYPE_NOT_GRANTED\\\",\\nStatus =~ \\\"0xC000018B\\\", \\\"STATUS_NO_TRUST_SAM_ACCOUNT\\\",\\nStatus =~ \\\"0xC0000224\\\", \\\"STATUS_PASSWORD_MUST_CHANGE\\\",\\nStatus =~ \\\"0xC0000234\\\", \\\"STATUS_ACCOUNT_LOCKED_OUT\\\",\\nStatus =~ \\\"0xC00002EE\\\", \\\"STATUS_UNFINISHED_CONTEXT_DELETED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| extend SubStatusDesc = case(\\nSubStatus =~ \\\"0x80090325\\\", \\\"SEC_E_UNTRUSTED_ROOT\\\",\\nSubStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nSubStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nSubStatus =~ \\\"0xC0000064\\\", \\\"STATUS_NO_SUCH_USER\\\",\\nSubStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nSubStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nSubStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nSubStatus =~ \\\"0xC000006F\\\", \\\"STATUS_INVALID_LOGON_HOURS\\\",\\nSubStatus =~ \\\"0xC0000070\\\", \\\"STATUS_INVALID_WORKSTATION\\\",\\nSubStatus =~ \\\"0xC0000071\\\", \\\"STATUS_PASSWORD_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000072\\\", \\\"STATUS_ACCOUNT_DISABLED\\\",\\nSubStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nSubStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nSubStatus =~ \\\"0xC0000133\\\", \\\"STATUS_TIME_DIFFERENCE_AT_DC\\\",\\nSubStatus =~ \\\"0xC000018D\\\", \\\"STATUS_TRUSTED_RELATIONSHIP_FAILURE\\\",\\nSubStatus =~ \\\"0xC0000193\\\", \\\"STATUS_ACCOUNT_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000380\\\", \\\"STATUS_SMARTCARD_WRONG_PIN\\\",\\nSubStatus =~ \\\"0xC0000381\\\", \\\"STATUS_SMARTCARD_CARD_BLOCKED\\\",\\nSubStatus =~ \\\"0xC0000382\\\", \\\"STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED\\\",\\nSubStatus =~ \\\"0xC0000383\\\", \\\"STATUS_SMARTCARD_NO_CARD\\\",\\nSubStatus =~ \\\"0xC0000384\\\", \\\"STATUS_SMARTCARD_NO_KEY_CONTAINER\\\",\\nSubStatus =~ \\\"0xC0000385\\\", \\\"STATUS_SMARTCARD_NO_CERTIFICATE\\\",\\nSubStatus =~ \\\"0xC0000386\\\", \\\"STATUS_SMARTCARD_NO_KEYSET\\\",\\nSubStatus =~ \\\"0xC0000387\\\", \\\"STATUS_SMARTCARD_IO_ERROR\\\",\\nSubStatus =~ \\\"0xC0000388\\\", \\\"STATUS_DOWNGRADE_DETECTED\\\",\\nSubStatus =~ \\\"0xC0000389\\\", \\\"STATUS_SMARTCARD_CERT_REVOKED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| project StartTime = TimeGenerated, DayofWeek, HourOfLogin, EventID, Activity, IpAddress, WorkstationName, Computer, TargetUserName, TargetDomainName, ProcessName, SubjectUserName, PrivilegeList, PassedInAccountName, PassedInNTDomain, LogonTypeName, StatusDesc, SubStatusDesc, RelatedRowSet \\n;\\nlet UserSigninToSystems = AllEvents\\n| where EventID == 4624\\n| project-away StatusDesc, SubStatusDesc, PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserSigninToSystems\u0027 ;\\nlet UserFailedSigninToSystems = AllEvents\\n| where EventID == 4625\\n| project-away PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserFailedSigninToSystems\u0027 ;\\nlet UserSigninDuringAbnormalHours = AllEvents\\n| where StartTime between (ago(14d)..ago(2d))\\n| where EventID in (4624,4625)\\n| where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n| summarize max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek) by TargetUserName\\n| join kind= inner\\n(\\n AllEvents\\n | where StartTime \u003e ago(2d)\\n | where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n)\\non TargetUserName\\n| where HourOfLogin \u003e max_HourOfLogin or HourOfLogin \u003c min_HourOfLogin\\n| extend historical_DayofWeek = tostring(historical_DayofWeek)\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), current_DayofWeek =make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName, StatusDesc, SubStatusDesc, historical_DayofWeek\\n| extend historical_DayofWeek = todynamic(historical_DayofWeek) \\n| extend RelatedRowSet = \u0027UserSigninDuringAbnormalHour\u0027; \\nlet UserHadPrivilegedLogonSessions = AllEvents\\n| where EventID == 4672\\n| where PrivilegeList contains \u0027SeDebugPrivilege\u0027\\n| project-away StatusDesc, SubStatusDesc\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, PrivilegeList\\n// Notice! summarize removes the TimeGenerated field, which is required for Activities.\\n| extend RelatedRowSet = \u0027UserHadPrivilegedLogonSessions\u0027 ;\\nunion isfuzzy=true AllEvents, UserSigninToSystems, UserFailedSigninToSystems, UserSigninDuringAbnormalHours, UserHadPrivilegedLogonSessions\\n};\\n// change {{Account_Name}} value below to the username you are interested in and {{Account_NTDomain}} to the domain of the user you are interested in\\nGetAllLogonsForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027) \\n| where RelatedRowSet == \u0027AllEvents\u0027 and EventID==4624 and LogonTypeName == \u00272 - Interactive\u0027 | extend TimeGenerated=StartTime \\n| project Computer, WorkstationName, LogonTypeName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/c9da5786-6c3c-45b5-9a46-53200ed9df09\",\"name\":\"c9da5786-6c3c-45b5-9a46-53200ed9df09\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Network log-ins to a host\",\"content\":\"The user {{Account_Name}} logged on to host {{Computer}} {{Count}} time(s)\",\"description\":\"This activity lists the user\u0027s network log-ins, grouped by Host.\",\"queryDefinitions\":{\"query\":\"let GetAllLogonsForUser = (v_Account_Name:string, v_Account_NTDomain:string){\\nlet AllEvents = SecurityEvent\\n| extend p_Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nv_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nv_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\nv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\nv_Account_Name\\n)\\n| extend p_Account_NTDomain = case(\\nv_Account_NTDomain has \u0027\\\\\\\\\u0027, tostring(split(v_Account_NTDomain, \u0027\\\\\\\\\u0027)[0]), \\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nv_Account_NTDomain has \u0027@\u0027, tostring(split(tostring(split(v_Account_NTDomain, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nv_Account_NTDomain\\n)\\n| where EventID in (4624, 4625, 4672)\\n| where AccountType =~ \u0027User\u0027\\n| where TargetUserName =~ p_Account_Name and TargetDomainName =~ p_Account_NTDomain\\n| extend PassedInAccountName = p_Account_Name, PassedInNTDomain = p_Account_NTDomain, RelatedRowSet = \u0027AllEvents\u0027\\n| extend HourOfLogin = hourofday(TimeGenerated), DayNumberofWeek = dayofweek(TimeGenerated)\\n| extend DayofWeek = case(\\nDayNumberofWeek == \\\"00:00:00\\\", \\\"Sunday\\\", \\nDayNumberofWeek == \\\"1.00:00:00\\\", \\\"Monday\\\", \\nDayNumberofWeek == \\\"2.00:00:00\\\", \\\"Tuesday\\\", \\nDayNumberofWeek == \\\"3.00:00:00\\\", \\\"Wednesday\\\", \\nDayNumberofWeek == \\\"4.00:00:00\\\", \\\"Thursday\\\", \\nDayNumberofWeek == \\\"5.00:00:00\\\", \\\"Friday\\\", \\nDayNumberofWeek == \\\"6.00:00:00\\\", \\\"Saturday\\\",\\\"InvalidTimeStamp\\\")\\n// map the most common ntstatus codes\\n| extend StatusDesc = case(\\nStatus =~ \\\"0x80090302\\\", \\\"SEC_E_UNSUPPORTED_FUNCTION\\\",\\nStatus =~ \\\"0x80090308\\\", \\\"SEC_E_INVALID_TOKEN\\\",\\nStatus =~ \\\"0x8009030E\\\", \\\"SEC_E_NO_CREDENTIALS\\\",\\nStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nStatus =~ \\\"0xC0000017\\\", \\\"STATUS_NO_MEMORY\\\",\\nStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nStatus =~ \\\"0xC0000034\\\", \\\"STATUS_OBJECT_NAME_NOT_FOUND\\\",\\nStatus =~ \\\"0xC000005E\\\", \\\"STATUS_NO_LOGON_SERVERS\\\",\\nStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nStatus =~ \\\"0xC00000FE\\\", \\\"STATUS_NO_SUCH_PACKAGE\\\",\\nStatus =~ \\\"0xC000009A\\\", \\\"STATUS_INSUFFICIENT_RESOURCES\\\",\\nStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nStatus =~ \\\"0xC0000106\\\", \\\"STATUS_NAME_TOO_LONG\\\",\\nStatus =~ \\\"0xC000010B\\\", \\\"STATUS_INVALID_LOGON_TYPE\\\",\\nStatus =~ \\\"0xC000015B\\\", \\\"STATUS_LOGON_TYPE_NOT_GRANTED\\\",\\nStatus =~ \\\"0xC000018B\\\", \\\"STATUS_NO_TRUST_SAM_ACCOUNT\\\",\\nStatus =~ \\\"0xC0000224\\\", \\\"STATUS_PASSWORD_MUST_CHANGE\\\",\\nStatus =~ \\\"0xC0000234\\\", \\\"STATUS_ACCOUNT_LOCKED_OUT\\\",\\nStatus =~ \\\"0xC00002EE\\\", \\\"STATUS_UNFINISHED_CONTEXT_DELETED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| extend SubStatusDesc = case(\\nSubStatus =~ \\\"0x80090325\\\", \\\"SEC_E_UNTRUSTED_ROOT\\\",\\nSubStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nSubStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nSubStatus =~ \\\"0xC0000064\\\", \\\"STATUS_NO_SUCH_USER\\\",\\nSubStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nSubStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nSubStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nSubStatus =~ \\\"0xC000006F\\\", \\\"STATUS_INVALID_LOGON_HOURS\\\",\\nSubStatus =~ \\\"0xC0000070\\\", \\\"STATUS_INVALID_WORKSTATION\\\",\\nSubStatus =~ \\\"0xC0000071\\\", \\\"STATUS_PASSWORD_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000072\\\", \\\"STATUS_ACCOUNT_DISABLED\\\",\\nSubStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nSubStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nSubStatus =~ \\\"0xC0000133\\\", \\\"STATUS_TIME_DIFFERENCE_AT_DC\\\",\\nSubStatus =~ \\\"0xC000018D\\\", \\\"STATUS_TRUSTED_RELATIONSHIP_FAILURE\\\",\\nSubStatus =~ \\\"0xC0000193\\\", \\\"STATUS_ACCOUNT_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000380\\\", \\\"STATUS_SMARTCARD_WRONG_PIN\\\",\\nSubStatus =~ \\\"0xC0000381\\\", \\\"STATUS_SMARTCARD_CARD_BLOCKED\\\",\\nSubStatus =~ \\\"0xC0000382\\\", \\\"STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED\\\",\\nSubStatus =~ \\\"0xC0000383\\\", \\\"STATUS_SMARTCARD_NO_CARD\\\",\\nSubStatus =~ \\\"0xC0000384\\\", \\\"STATUS_SMARTCARD_NO_KEY_CONTAINER\\\",\\nSubStatus =~ \\\"0xC0000385\\\", \\\"STATUS_SMARTCARD_NO_CERTIFICATE\\\",\\nSubStatus =~ \\\"0xC0000386\\\", \\\"STATUS_SMARTCARD_NO_KEYSET\\\",\\nSubStatus =~ \\\"0xC0000387\\\", \\\"STATUS_SMARTCARD_IO_ERROR\\\",\\nSubStatus =~ \\\"0xC0000388\\\", \\\"STATUS_DOWNGRADE_DETECTED\\\",\\nSubStatus =~ \\\"0xC0000389\\\", \\\"STATUS_SMARTCARD_CERT_REVOKED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| project StartTime = TimeGenerated, DayofWeek, HourOfLogin, EventID, Activity, IpAddress, WorkstationName, Computer, TargetUserName, TargetDomainName, ProcessName, SubjectUserName, PrivilegeList, PassedInAccountName, PassedInNTDomain, LogonTypeName, StatusDesc, SubStatusDesc, RelatedRowSet \\n;\\nlet UserSigninToSystems = AllEvents\\n| where EventID == 4624\\n| project-away StatusDesc, SubStatusDesc, PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserSigninToSystems\u0027 ;\\nlet UserFailedSigninToSystems = AllEvents\\n| where EventID == 4625\\n| project-away PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserFailedSigninToSystems\u0027 ;\\nlet UserSigninDuringAbnormalHours = AllEvents\\n| where StartTime between (ago(14d)..ago(2d))\\n| where EventID in (4624,4625)\\n| where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n| summarize max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek) by TargetUserName\\n| join kind= inner\\n(\\n AllEvents\\n | where StartTime \u003e ago(2d)\\n | where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n)\\non TargetUserName\\n| where HourOfLogin \u003e max_HourOfLogin or HourOfLogin \u003c min_HourOfLogin\\n| extend historical_DayofWeek = tostring(historical_DayofWeek)\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), current_DayofWeek =make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName, StatusDesc, SubStatusDesc, historical_DayofWeek\\n| extend historical_DayofWeek = todynamic(historical_DayofWeek) \\n| extend RelatedRowSet = \u0027UserSigninDuringAbnormalHour\u0027; \\nlet UserHadPrivilegedLogonSessions = AllEvents\\n| where EventID == 4672\\n| where PrivilegeList contains \u0027SeDebugPrivilege\u0027\\n| project-away StatusDesc, SubStatusDesc\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, PrivilegeList\\n// Notice! summarize removes the TimeGenerated field, which is required for Activities.\\n| extend RelatedRowSet = \u0027UserHadPrivilegedLogonSessions\u0027 ;\\nunion isfuzzy=true AllEvents, UserSigninToSystems, UserFailedSigninToSystems, UserSigninDuringAbnormalHours, UserHadPrivilegedLogonSessions\\n};\\n// change {{Account_Name}} value below to the username you are interested in and {{Account_NTDomain}} to the domain of the user you are interested in\\nGetAllLogonsForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027) \\n| where RelatedRowSet == \u0027AllEvents\u0027 and EventID ==4624 and LogonTypeName == \u00273 - Network\u0027 | extend TimeGenerated=StartTime \\n| project Computer, WorkstationName, LogonTypeName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/8a302bfc-00e3-43b3-a516-102fd0cb0dbc\",\"name\":\"8a302bfc-00e3-43b3-a516-102fd0cb0dbc\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Remote interactive log-ins to a host\",\"content\":\"The user {{Account_Name}} logged on to host {{Computer}} {{Count}} time(s)\",\"description\":\"This activity lists the user\u0027s remote interactive log-ins, grouped by Host.\",\"queryDefinitions\":{\"query\":\"let GetAllLogonsForUser = (v_Account_Name:string, v_Account_NTDomain:string){\\nlet AllEvents = SecurityEvent\\n| extend p_Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nv_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nv_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\nv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\nv_Account_Name\\n)\\n| extend p_Account_NTDomain = case(\\nv_Account_NTDomain has \u0027\\\\\\\\\u0027, tostring(split(v_Account_NTDomain, \u0027\\\\\\\\\u0027)[0]), \\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nv_Account_NTDomain has \u0027@\u0027, tostring(split(tostring(split(v_Account_NTDomain, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nv_Account_NTDomain\\n)\\n| where EventID in (4624, 4625, 4672)\\n| where AccountType =~ \u0027User\u0027\\n| where TargetUserName =~ p_Account_Name and TargetDomainName =~ p_Account_NTDomain\\n| extend PassedInAccountName = p_Account_Name, PassedInNTDomain = p_Account_NTDomain, RelatedRowSet = \u0027AllEvents\u0027\\n| extend HourOfLogin = hourofday(TimeGenerated), DayNumberofWeek = dayofweek(TimeGenerated)\\n| extend DayofWeek = case(\\nDayNumberofWeek == \\\"00:00:00\\\", \\\"Sunday\\\", \\nDayNumberofWeek == \\\"1.00:00:00\\\", \\\"Monday\\\", \\nDayNumberofWeek == \\\"2.00:00:00\\\", \\\"Tuesday\\\", \\nDayNumberofWeek == \\\"3.00:00:00\\\", \\\"Wednesday\\\", \\nDayNumberofWeek == \\\"4.00:00:00\\\", \\\"Thursday\\\", \\nDayNumberofWeek == \\\"5.00:00:00\\\", \\\"Friday\\\", \\nDayNumberofWeek == \\\"6.00:00:00\\\", \\\"Saturday\\\",\\\"InvalidTimeStamp\\\")\\n// map the most common ntstatus codes\\n| extend StatusDesc = case(\\nStatus =~ \\\"0x80090302\\\", \\\"SEC_E_UNSUPPORTED_FUNCTION\\\",\\nStatus =~ \\\"0x80090308\\\", \\\"SEC_E_INVALID_TOKEN\\\",\\nStatus =~ \\\"0x8009030E\\\", \\\"SEC_E_NO_CREDENTIALS\\\",\\nStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nStatus =~ \\\"0xC0000017\\\", \\\"STATUS_NO_MEMORY\\\",\\nStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nStatus =~ \\\"0xC0000034\\\", \\\"STATUS_OBJECT_NAME_NOT_FOUND\\\",\\nStatus =~ \\\"0xC000005E\\\", \\\"STATUS_NO_LOGON_SERVERS\\\",\\nStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nStatus =~ \\\"0xC00000FE\\\", \\\"STATUS_NO_SUCH_PACKAGE\\\",\\nStatus =~ \\\"0xC000009A\\\", \\\"STATUS_INSUFFICIENT_RESOURCES\\\",\\nStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nStatus =~ \\\"0xC0000106\\\", \\\"STATUS_NAME_TOO_LONG\\\",\\nStatus =~ \\\"0xC000010B\\\", \\\"STATUS_INVALID_LOGON_TYPE\\\",\\nStatus =~ \\\"0xC000015B\\\", \\\"STATUS_LOGON_TYPE_NOT_GRANTED\\\",\\nStatus =~ \\\"0xC000018B\\\", \\\"STATUS_NO_TRUST_SAM_ACCOUNT\\\",\\nStatus =~ \\\"0xC0000224\\\", \\\"STATUS_PASSWORD_MUST_CHANGE\\\",\\nStatus =~ \\\"0xC0000234\\\", \\\"STATUS_ACCOUNT_LOCKED_OUT\\\",\\nStatus =~ \\\"0xC00002EE\\\", \\\"STATUS_UNFINISHED_CONTEXT_DELETED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| extend SubStatusDesc = case(\\nSubStatus =~ \\\"0x80090325\\\", \\\"SEC_E_UNTRUSTED_ROOT\\\",\\nSubStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nSubStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nSubStatus =~ \\\"0xC0000064\\\", \\\"STATUS_NO_SUCH_USER\\\",\\nSubStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nSubStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nSubStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nSubStatus =~ \\\"0xC000006F\\\", \\\"STATUS_INVALID_LOGON_HOURS\\\",\\nSubStatus =~ \\\"0xC0000070\\\", \\\"STATUS_INVALID_WORKSTATION\\\",\\nSubStatus =~ \\\"0xC0000071\\\", \\\"STATUS_PASSWORD_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000072\\\", \\\"STATUS_ACCOUNT_DISABLED\\\",\\nSubStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nSubStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nSubStatus =~ \\\"0xC0000133\\\", \\\"STATUS_TIME_DIFFERENCE_AT_DC\\\",\\nSubStatus =~ \\\"0xC000018D\\\", \\\"STATUS_TRUSTED_RELATIONSHIP_FAILURE\\\",\\nSubStatus =~ \\\"0xC0000193\\\", \\\"STATUS_ACCOUNT_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000380\\\", \\\"STATUS_SMARTCARD_WRONG_PIN\\\",\\nSubStatus =~ \\\"0xC0000381\\\", \\\"STATUS_SMARTCARD_CARD_BLOCKED\\\",\\nSubStatus =~ \\\"0xC0000382\\\", \\\"STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED\\\",\\nSubStatus =~ \\\"0xC0000383\\\", \\\"STATUS_SMARTCARD_NO_CARD\\\",\\nSubStatus =~ \\\"0xC0000384\\\", \\\"STATUS_SMARTCARD_NO_KEY_CONTAINER\\\",\\nSubStatus =~ \\\"0xC0000385\\\", \\\"STATUS_SMARTCARD_NO_CERTIFICATE\\\",\\nSubStatus =~ \\\"0xC0000386\\\", \\\"STATUS_SMARTCARD_NO_KEYSET\\\",\\nSubStatus =~ \\\"0xC0000387\\\", \\\"STATUS_SMARTCARD_IO_ERROR\\\",\\nSubStatus =~ \\\"0xC0000388\\\", \\\"STATUS_DOWNGRADE_DETECTED\\\",\\nSubStatus =~ \\\"0xC0000389\\\", \\\"STATUS_SMARTCARD_CERT_REVOKED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| project StartTime = TimeGenerated, DayofWeek, HourOfLogin, EventID, Activity, IpAddress, WorkstationName, Computer, TargetUserName, TargetDomainName, ProcessName, SubjectUserName, PrivilegeList, PassedInAccountName, PassedInNTDomain, LogonTypeName, StatusDesc, SubStatusDesc, RelatedRowSet \\n;\\nlet UserSigninToSystems = AllEvents\\n| where EventID == 4624\\n| project-away StatusDesc, SubStatusDesc, PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserSigninToSystems\u0027 ;\\nlet UserFailedSigninToSystems = AllEvents\\n| where EventID == 4625\\n| project-away PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserFailedSigninToSystems\u0027 ;\\nlet UserSigninDuringAbnormalHours = AllEvents\\n| where StartTime between (ago(14d)..ago(2d))\\n| where EventID in (4624,4625)\\n| where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n| summarize max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek) by TargetUserName\\n| join kind= inner\\n(\\n AllEvents\\n | where StartTime \u003e ago(2d)\\n | where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n)\\non TargetUserName\\n| where HourOfLogin \u003e max_HourOfLogin or HourOfLogin \u003c min_HourOfLogin\\n| extend historical_DayofWeek = tostring(historical_DayofWeek)\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), current_DayofWeek =make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName, StatusDesc, SubStatusDesc, historical_DayofWeek\\n| extend historical_DayofWeek = todynamic(historical_DayofWeek) \\n| extend RelatedRowSet = \u0027UserSigninDuringAbnormalHour\u0027; \\nlet UserHadPrivilegedLogonSessions = AllEvents\\n| where EventID == 4672\\n| where PrivilegeList contains \u0027SeDebugPrivilege\u0027\\n| project-away StatusDesc, SubStatusDesc\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, PrivilegeList\\n// Notice! summarize removes the TimeGenerated field, which is required for Activities.\\n| extend RelatedRowSet = \u0027UserHadPrivilegedLogonSessions\u0027 ;\\nunion isfuzzy=true AllEvents, UserSigninToSystems, UserFailedSigninToSystems, UserSigninDuringAbnormalHours, UserHadPrivilegedLogonSessions\\n};\\n// change {{Account_Name}} value below to the username you are interested in and {{Account_NTDomain}} to the domain of the user you are interested in\\nGetAllLogonsForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027) \\n| where RelatedRowSet == \u0027AllEvents\u0027 and EventID ==4624 and LogonTypeName == \u002710 - RemoteInteractive\u0027| extend TimeGenerated=StartTime \\n| project Computer, WorkstationName, LogonTypeName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/ec87b066-17ad-4f9b-97c2-c2f2ee2d99e0\",\"name\":\"ec87b066-17ad-4f9b-97c2-c2f2ee2d99e0\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"New credentials log-ins to a host\",\"content\":\"The user {{Account_Name}} logged on to host {{Computer}} {{Count}} time(s)\",\"description\":\"This activity lists the user\u0027s log-ins with new credentials, grouped by Host.\",\"queryDefinitions\":{\"query\":\"let GetAllLogonsForUser = (v_Account_Name:string, v_Account_NTDomain:string){\\nlet AllEvents = SecurityEvent\\n| extend p_Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nv_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nv_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\nv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\nv_Account_Name\\n)\\n| extend p_Account_NTDomain = case(\\nv_Account_NTDomain has \u0027\\\\\\\\\u0027, tostring(split(v_Account_NTDomain, \u0027\\\\\\\\\u0027)[0]), \\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nv_Account_NTDomain has \u0027@\u0027, tostring(split(tostring(split(v_Account_NTDomain, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nv_Account_NTDomain\\n)\\n| where EventID in (4624, 4625, 4672)\\n| where AccountType =~ \u0027User\u0027\\n| where TargetUserName =~ p_Account_Name and TargetDomainName =~ p_Account_NTDomain\\n| extend PassedInAccountName = p_Account_Name, PassedInNTDomain = p_Account_NTDomain, RelatedRowSet = \u0027AllEvents\u0027\\n| extend HourOfLogin = hourofday(TimeGenerated), DayNumberofWeek = dayofweek(TimeGenerated)\\n| extend DayofWeek = case(\\nDayNumberofWeek == \\\"00:00:00\\\", \\\"Sunday\\\", \\nDayNumberofWeek == \\\"1.00:00:00\\\", \\\"Monday\\\", \\nDayNumberofWeek == \\\"2.00:00:00\\\", \\\"Tuesday\\\", \\nDayNumberofWeek == \\\"3.00:00:00\\\", \\\"Wednesday\\\", \\nDayNumberofWeek == \\\"4.00:00:00\\\", \\\"Thursday\\\", \\nDayNumberofWeek == \\\"5.00:00:00\\\", \\\"Friday\\\", \\nDayNumberofWeek == \\\"6.00:00:00\\\", \\\"Saturday\\\",\\\"InvalidTimeStamp\\\")\\n// map the most common ntstatus codes\\n| extend StatusDesc = case(\\nStatus =~ \\\"0x80090302\\\", \\\"SEC_E_UNSUPPORTED_FUNCTION\\\",\\nStatus =~ \\\"0x80090308\\\", \\\"SEC_E_INVALID_TOKEN\\\",\\nStatus =~ \\\"0x8009030E\\\", \\\"SEC_E_NO_CREDENTIALS\\\",\\nStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nStatus =~ \\\"0xC0000017\\\", \\\"STATUS_NO_MEMORY\\\",\\nStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nStatus =~ \\\"0xC0000034\\\", \\\"STATUS_OBJECT_NAME_NOT_FOUND\\\",\\nStatus =~ \\\"0xC000005E\\\", \\\"STATUS_NO_LOGON_SERVERS\\\",\\nStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nStatus =~ \\\"0xC00000FE\\\", \\\"STATUS_NO_SUCH_PACKAGE\\\",\\nStatus =~ \\\"0xC000009A\\\", \\\"STATUS_INSUFFICIENT_RESOURCES\\\",\\nStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nStatus =~ \\\"0xC0000106\\\", \\\"STATUS_NAME_TOO_LONG\\\",\\nStatus =~ \\\"0xC000010B\\\", \\\"STATUS_INVALID_LOGON_TYPE\\\",\\nStatus =~ \\\"0xC000015B\\\", \\\"STATUS_LOGON_TYPE_NOT_GRANTED\\\",\\nStatus =~ \\\"0xC000018B\\\", \\\"STATUS_NO_TRUST_SAM_ACCOUNT\\\",\\nStatus =~ \\\"0xC0000224\\\", \\\"STATUS_PASSWORD_MUST_CHANGE\\\",\\nStatus =~ \\\"0xC0000234\\\", \\\"STATUS_ACCOUNT_LOCKED_OUT\\\",\\nStatus =~ \\\"0xC00002EE\\\", \\\"STATUS_UNFINISHED_CONTEXT_DELETED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| extend SubStatusDesc = case(\\nSubStatus =~ \\\"0x80090325\\\", \\\"SEC_E_UNTRUSTED_ROOT\\\",\\nSubStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nSubStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nSubStatus =~ \\\"0xC0000064\\\", \\\"STATUS_NO_SUCH_USER\\\",\\nSubStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nSubStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nSubStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nSubStatus =~ \\\"0xC000006F\\\", \\\"STATUS_INVALID_LOGON_HOURS\\\",\\nSubStatus =~ \\\"0xC0000070\\\", \\\"STATUS_INVALID_WORKSTATION\\\",\\nSubStatus =~ \\\"0xC0000071\\\", \\\"STATUS_PASSWORD_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000072\\\", \\\"STATUS_ACCOUNT_DISABLED\\\",\\nSubStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nSubStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nSubStatus =~ \\\"0xC0000133\\\", \\\"STATUS_TIME_DIFFERENCE_AT_DC\\\",\\nSubStatus =~ \\\"0xC000018D\\\", \\\"STATUS_TRUSTED_RELATIONSHIP_FAILURE\\\",\\nSubStatus =~ \\\"0xC0000193\\\", \\\"STATUS_ACCOUNT_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000380\\\", \\\"STATUS_SMARTCARD_WRONG_PIN\\\",\\nSubStatus =~ \\\"0xC0000381\\\", \\\"STATUS_SMARTCARD_CARD_BLOCKED\\\",\\nSubStatus =~ \\\"0xC0000382\\\", \\\"STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED\\\",\\nSubStatus =~ \\\"0xC0000383\\\", \\\"STATUS_SMARTCARD_NO_CARD\\\",\\nSubStatus =~ \\\"0xC0000384\\\", \\\"STATUS_SMARTCARD_NO_KEY_CONTAINER\\\",\\nSubStatus =~ \\\"0xC0000385\\\", \\\"STATUS_SMARTCARD_NO_CERTIFICATE\\\",\\nSubStatus =~ \\\"0xC0000386\\\", \\\"STATUS_SMARTCARD_NO_KEYSET\\\",\\nSubStatus =~ \\\"0xC0000387\\\", \\\"STATUS_SMARTCARD_IO_ERROR\\\",\\nSubStatus =~ \\\"0xC0000388\\\", \\\"STATUS_DOWNGRADE_DETECTED\\\",\\nSubStatus =~ \\\"0xC0000389\\\", \\\"STATUS_SMARTCARD_CERT_REVOKED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| project StartTime = TimeGenerated, DayofWeek, HourOfLogin, EventID, Activity, IpAddress, WorkstationName, Computer, TargetUserName, TargetDomainName, ProcessName, SubjectUserName, PrivilegeList, PassedInAccountName, PassedInNTDomain, LogonTypeName, StatusDesc, SubStatusDesc, RelatedRowSet \\n;\\nlet UserSigninToSystems = AllEvents\\n| where EventID == 4624\\n| project-away StatusDesc, SubStatusDesc, PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserSigninToSystems\u0027 ;\\nlet UserFailedSigninToSystems = AllEvents\\n| where EventID == 4625\\n| project-away PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserFailedSigninToSystems\u0027 ;\\nlet UserSigninDuringAbnormalHours = AllEvents\\n| where StartTime between (ago(14d)..ago(2d))\\n| where EventID in (4624,4625)\\n| where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n| summarize max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek) by TargetUserName\\n| join kind= inner\\n(\\n AllEvents\\n | where StartTime \u003e ago(2d)\\n | where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n)\\non TargetUserName\\n| where HourOfLogin \u003e max_HourOfLogin or HourOfLogin \u003c min_HourOfLogin\\n| extend historical_DayofWeek = tostring(historical_DayofWeek)\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), current_DayofWeek =make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName, StatusDesc, SubStatusDesc, historical_DayofWeek\\n| extend historical_DayofWeek = todynamic(historical_DayofWeek) \\n| extend RelatedRowSet = \u0027UserSigninDuringAbnormalHour\u0027; \\nlet UserHadPrivilegedLogonSessions = AllEvents\\n| where EventID == 4672\\n| where PrivilegeList contains \u0027SeDebugPrivilege\u0027\\n| project-away StatusDesc, SubStatusDesc\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, PrivilegeList\\n// Notice! summarize removes the TimeGenerated field, which is required for Activities.\\n| extend RelatedRowSet = \u0027UserHadPrivilegedLogonSessions\u0027 ;\\nunion isfuzzy=true AllEvents, UserSigninToSystems, UserFailedSigninToSystems, UserSigninDuringAbnormalHours, UserHadPrivilegedLogonSessions\\n};\\n// change {{Account_Name}} value below to the username you are interested in and {{Account_NTDomain}} to the domain of the user you are interested in\\nGetAllLogonsForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027) \\n| where RelatedRowSet == \u0027AllEvents\u0027 and EventID ==4624 and LogonTypeName == \u00279 - NewCredentials\u0027| extend TimeGenerated=StartTime \\n| project Computer, WorkstationName, LogonTypeName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/e1c4c03c-2b40-47cf-9b8c-49e0a37a6da6\",\"name\":\"e1c4c03c-2b40-47cf-9b8c-49e0a37a6da6\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Privileged log-ins to a host\",\"content\":\"The user {{Account_Name}} logged on to host {{Computer}} {{Count}} time(s)\",\"description\":\"This activity lists the user\u0027s privileged log-ins, grouped by Host.\",\"queryDefinitions\":{\"query\":\"let GetAllLogonsForUser = (v_Account_Name:string, v_Account_NTDomain:string){\\nlet AllEvents = SecurityEvent\\n| extend p_Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nv_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nv_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\nv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\nv_Account_Name\\n)\\n| extend p_Account_NTDomain = case(\\nv_Account_NTDomain has \u0027\\\\\\\\\u0027, tostring(split(v_Account_NTDomain, \u0027\\\\\\\\\u0027)[0]), \\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nv_Account_NTDomain has \u0027@\u0027, tostring(split(tostring(split(v_Account_NTDomain, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nv_Account_NTDomain\\n)\\n| where EventID in (4624, 4625, 4672)\\n| where AccountType =~ \u0027User\u0027\\n| where TargetUserName =~ p_Account_Name and TargetDomainName =~ p_Account_NTDomain\\n| extend PassedInAccountName = p_Account_Name, PassedInNTDomain = p_Account_NTDomain, RelatedRowSet = \u0027AllEvents\u0027\\n| extend HourOfLogin = hourofday(TimeGenerated), DayNumberofWeek = dayofweek(TimeGenerated)\\n| extend DayofWeek = case(\\nDayNumberofWeek == \\\"00:00:00\\\", \\\"Sunday\\\", \\nDayNumberofWeek == \\\"1.00:00:00\\\", \\\"Monday\\\", \\nDayNumberofWeek == \\\"2.00:00:00\\\", \\\"Tuesday\\\", \\nDayNumberofWeek == \\\"3.00:00:00\\\", \\\"Wednesday\\\", \\nDayNumberofWeek == \\\"4.00:00:00\\\", \\\"Thursday\\\", \\nDayNumberofWeek == \\\"5.00:00:00\\\", \\\"Friday\\\", \\nDayNumberofWeek == \\\"6.00:00:00\\\", \\\"Saturday\\\",\\\"InvalidTimeStamp\\\")\\n// map the most common ntstatus codes\\n| extend StatusDesc = case(\\nStatus =~ \\\"0x80090302\\\", \\\"SEC_E_UNSUPPORTED_FUNCTION\\\",\\nStatus =~ \\\"0x80090308\\\", \\\"SEC_E_INVALID_TOKEN\\\",\\nStatus =~ \\\"0x8009030E\\\", \\\"SEC_E_NO_CREDENTIALS\\\",\\nStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nStatus =~ \\\"0xC0000017\\\", \\\"STATUS_NO_MEMORY\\\",\\nStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nStatus =~ \\\"0xC0000034\\\", \\\"STATUS_OBJECT_NAME_NOT_FOUND\\\",\\nStatus =~ \\\"0xC000005E\\\", \\\"STATUS_NO_LOGON_SERVERS\\\",\\nStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nStatus =~ \\\"0xC00000FE\\\", \\\"STATUS_NO_SUCH_PACKAGE\\\",\\nStatus =~ \\\"0xC000009A\\\", \\\"STATUS_INSUFFICIENT_RESOURCES\\\",\\nStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nStatus =~ \\\"0xC0000106\\\", \\\"STATUS_NAME_TOO_LONG\\\",\\nStatus =~ \\\"0xC000010B\\\", \\\"STATUS_INVALID_LOGON_TYPE\\\",\\nStatus =~ \\\"0xC000015B\\\", \\\"STATUS_LOGON_TYPE_NOT_GRANTED\\\",\\nStatus =~ \\\"0xC000018B\\\", \\\"STATUS_NO_TRUST_SAM_ACCOUNT\\\",\\nStatus =~ \\\"0xC0000224\\\", \\\"STATUS_PASSWORD_MUST_CHANGE\\\",\\nStatus =~ \\\"0xC0000234\\\", \\\"STATUS_ACCOUNT_LOCKED_OUT\\\",\\nStatus =~ \\\"0xC00002EE\\\", \\\"STATUS_UNFINISHED_CONTEXT_DELETED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| extend SubStatusDesc = case(\\nSubStatus =~ \\\"0x80090325\\\", \\\"SEC_E_UNTRUSTED_ROOT\\\",\\nSubStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nSubStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nSubStatus =~ \\\"0xC0000064\\\", \\\"STATUS_NO_SUCH_USER\\\",\\nSubStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nSubStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nSubStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nSubStatus =~ \\\"0xC000006F\\\", \\\"STATUS_INVALID_LOGON_HOURS\\\",\\nSubStatus =~ \\\"0xC0000070\\\", \\\"STATUS_INVALID_WORKSTATION\\\",\\nSubStatus =~ \\\"0xC0000071\\\", \\\"STATUS_PASSWORD_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000072\\\", \\\"STATUS_ACCOUNT_DISABLED\\\",\\nSubStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nSubStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nSubStatus =~ \\\"0xC0000133\\\", \\\"STATUS_TIME_DIFFERENCE_AT_DC\\\",\\nSubStatus =~ \\\"0xC000018D\\\", \\\"STATUS_TRUSTED_RELATIONSHIP_FAILURE\\\",\\nSubStatus =~ \\\"0xC0000193\\\", \\\"STATUS_ACCOUNT_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000380\\\", \\\"STATUS_SMARTCARD_WRONG_PIN\\\",\\nSubStatus =~ \\\"0xC0000381\\\", \\\"STATUS_SMARTCARD_CARD_BLOCKED\\\",\\nSubStatus =~ \\\"0xC0000382\\\", \\\"STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED\\\",\\nSubStatus =~ \\\"0xC0000383\\\", \\\"STATUS_SMARTCARD_NO_CARD\\\",\\nSubStatus =~ \\\"0xC0000384\\\", \\\"STATUS_SMARTCARD_NO_KEY_CONTAINER\\\",\\nSubStatus =~ \\\"0xC0000385\\\", \\\"STATUS_SMARTCARD_NO_CERTIFICATE\\\",\\nSubStatus =~ \\\"0xC0000386\\\", \\\"STATUS_SMARTCARD_NO_KEYSET\\\",\\nSubStatus =~ \\\"0xC0000387\\\", \\\"STATUS_SMARTCARD_IO_ERROR\\\",\\nSubStatus =~ \\\"0xC0000388\\\", \\\"STATUS_DOWNGRADE_DETECTED\\\",\\nSubStatus =~ \\\"0xC0000389\\\", \\\"STATUS_SMARTCARD_CERT_REVOKED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| project StartTime = TimeGenerated, DayofWeek, HourOfLogin, EventID, Activity, IpAddress, WorkstationName, Computer, TargetUserName, TargetDomainName, ProcessName, SubjectUserName, PrivilegeList, PassedInAccountName, PassedInNTDomain, LogonTypeName, StatusDesc, SubStatusDesc, RelatedRowSet \\n;\\nlet UserSigninToSystems = AllEvents\\n| where EventID == 4624\\n| project-away StatusDesc, SubStatusDesc, PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserSigninToSystems\u0027 ;\\nlet UserFailedSigninToSystems = AllEvents\\n| where EventID == 4625\\n| project-away PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserFailedSigninToSystems\u0027 ;\\nlet UserSigninDuringAbnormalHours = AllEvents\\n| where StartTime between (ago(14d)..ago(2d))\\n| where EventID in (4624,4625)\\n| where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n| summarize max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek) by TargetUserName\\n| join kind= inner\\n(\\n AllEvents\\n | where StartTime \u003e ago(2d)\\n | where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n)\\non TargetUserName\\n| where HourOfLogin \u003e max_HourOfLogin or HourOfLogin \u003c min_HourOfLogin\\n| extend historical_DayofWeek = tostring(historical_DayofWeek)\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), current_DayofWeek =make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName, StatusDesc, SubStatusDesc, historical_DayofWeek\\n| extend historical_DayofWeek = todynamic(historical_DayofWeek) \\n| extend RelatedRowSet = \u0027UserSigninDuringAbnormalHour\u0027; \\nlet UserHadPrivilegedLogonSessions = AllEvents\\n| where EventID == 4672\\n| where PrivilegeList contains \u0027SeDebugPrivilege\u0027\\n| project-away StatusDesc, SubStatusDesc\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, PrivilegeList\\n// Notice! summarize removes the TimeGenerated field, which is required for Activities.\\n| extend RelatedRowSet = \u0027UserHadPrivilegedLogonSessions\u0027 ;\\nunion isfuzzy=true AllEvents, UserSigninToSystems, UserFailedSigninToSystems, UserSigninDuringAbnormalHours, UserHadPrivilegedLogonSessions\\n};\\n// change {{Account_Name}} value below to the username you are interested in and {{Account_NTDomain}} to the domain of the user you are interested in\\nGetAllLogonsForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027) \\n| where RelatedRowSet == \u0027AllEvents\u0027 and EventID == 4672 | extend TimeGenerated=StartTime \\n| project Computer, WorkstationName, LogonTypeName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/a6fc3ad9-1a61-41f5-a5e2-bd1f5a6fe44d\",\"name\":\"a6fc3ad9-1a61-41f5-a5e2-bd1f5a6fe44d\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Failed interactive log-ins to a host\",\"content\":\"The user {{Account_Name}} logged on to host {{Computer}} {{Count}} time(s)\",\"description\":\"This activity lists the user\u0027s failed interactive log-ins grouped by Host.\",\"queryDefinitions\":{\"query\":\"let GetAllLogonsForUser = (v_Account_Name:string, v_Account_NTDomain:string){\\nlet AllEvents = SecurityEvent\\n| extend p_Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nv_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nv_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\nv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\nv_Account_Name\\n)\\n| extend p_Account_NTDomain = case(\\nv_Account_NTDomain has \u0027\\\\\\\\\u0027, tostring(split(v_Account_NTDomain, \u0027\\\\\\\\\u0027)[0]), \\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nv_Account_NTDomain has \u0027@\u0027, tostring(split(tostring(split(v_Account_NTDomain, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nv_Account_NTDomain\\n)\\n| where EventID in (4624, 4625, 4672)\\n| where AccountType =~ \u0027User\u0027\\n| where TargetUserName =~ p_Account_Name and TargetDomainName =~ p_Account_NTDomain\\n| extend PassedInAccountName = p_Account_Name, PassedInNTDomain = p_Account_NTDomain, RelatedRowSet = \u0027AllEvents\u0027\\n| extend HourOfLogin = hourofday(TimeGenerated), DayNumberofWeek = dayofweek(TimeGenerated)\\n| extend DayofWeek = case(\\nDayNumberofWeek == \\\"00:00:00\\\", \\\"Sunday\\\", \\nDayNumberofWeek == \\\"1.00:00:00\\\", \\\"Monday\\\", \\nDayNumberofWeek == \\\"2.00:00:00\\\", \\\"Tuesday\\\", \\nDayNumberofWeek == \\\"3.00:00:00\\\", \\\"Wednesday\\\", \\nDayNumberofWeek == \\\"4.00:00:00\\\", \\\"Thursday\\\", \\nDayNumberofWeek == \\\"5.00:00:00\\\", \\\"Friday\\\", \\nDayNumberofWeek == \\\"6.00:00:00\\\", \\\"Saturday\\\",\\\"InvalidTimeStamp\\\")\\n// map the most common ntstatus codes\\n| extend StatusDesc = case(\\nStatus =~ \\\"0x80090302\\\", \\\"SEC_E_UNSUPPORTED_FUNCTION\\\",\\nStatus =~ \\\"0x80090308\\\", \\\"SEC_E_INVALID_TOKEN\\\",\\nStatus =~ \\\"0x8009030E\\\", \\\"SEC_E_NO_CREDENTIALS\\\",\\nStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nStatus =~ \\\"0xC0000017\\\", \\\"STATUS_NO_MEMORY\\\",\\nStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nStatus =~ \\\"0xC0000034\\\", \\\"STATUS_OBJECT_NAME_NOT_FOUND\\\",\\nStatus =~ \\\"0xC000005E\\\", \\\"STATUS_NO_LOGON_SERVERS\\\",\\nStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nStatus =~ \\\"0xC00000FE\\\", \\\"STATUS_NO_SUCH_PACKAGE\\\",\\nStatus =~ \\\"0xC000009A\\\", \\\"STATUS_INSUFFICIENT_RESOURCES\\\",\\nStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nStatus =~ \\\"0xC0000106\\\", \\\"STATUS_NAME_TOO_LONG\\\",\\nStatus =~ \\\"0xC000010B\\\", \\\"STATUS_INVALID_LOGON_TYPE\\\",\\nStatus =~ \\\"0xC000015B\\\", \\\"STATUS_LOGON_TYPE_NOT_GRANTED\\\",\\nStatus =~ \\\"0xC000018B\\\", \\\"STATUS_NO_TRUST_SAM_ACCOUNT\\\",\\nStatus =~ \\\"0xC0000224\\\", \\\"STATUS_PASSWORD_MUST_CHANGE\\\",\\nStatus =~ \\\"0xC0000234\\\", \\\"STATUS_ACCOUNT_LOCKED_OUT\\\",\\nStatus =~ \\\"0xC00002EE\\\", \\\"STATUS_UNFINISHED_CONTEXT_DELETED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| extend SubStatusDesc = case(\\nSubStatus =~ \\\"0x80090325\\\", \\\"SEC_E_UNTRUSTED_ROOT\\\",\\nSubStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nSubStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nSubStatus =~ \\\"0xC0000064\\\", \\\"STATUS_NO_SUCH_USER\\\",\\nSubStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nSubStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nSubStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nSubStatus =~ \\\"0xC000006F\\\", \\\"STATUS_INVALID_LOGON_HOURS\\\",\\nSubStatus =~ \\\"0xC0000070\\\", \\\"STATUS_INVALID_WORKSTATION\\\",\\nSubStatus =~ \\\"0xC0000071\\\", \\\"STATUS_PASSWORD_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000072\\\", \\\"STATUS_ACCOUNT_DISABLED\\\",\\nSubStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nSubStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nSubStatus =~ \\\"0xC0000133\\\", \\\"STATUS_TIME_DIFFERENCE_AT_DC\\\",\\nSubStatus =~ \\\"0xC000018D\\\", \\\"STATUS_TRUSTED_RELATIONSHIP_FAILURE\\\",\\nSubStatus =~ \\\"0xC0000193\\\", \\\"STATUS_ACCOUNT_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000380\\\", \\\"STATUS_SMARTCARD_WRONG_PIN\\\",\\nSubStatus =~ \\\"0xC0000381\\\", \\\"STATUS_SMARTCARD_CARD_BLOCKED\\\",\\nSubStatus =~ \\\"0xC0000382\\\", \\\"STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED\\\",\\nSubStatus =~ \\\"0xC0000383\\\", \\\"STATUS_SMARTCARD_NO_CARD\\\",\\nSubStatus =~ \\\"0xC0000384\\\", \\\"STATUS_SMARTCARD_NO_KEY_CONTAINER\\\",\\nSubStatus =~ \\\"0xC0000385\\\", \\\"STATUS_SMARTCARD_NO_CERTIFICATE\\\",\\nSubStatus =~ \\\"0xC0000386\\\", \\\"STATUS_SMARTCARD_NO_KEYSET\\\",\\nSubStatus =~ \\\"0xC0000387\\\", \\\"STATUS_SMARTCARD_IO_ERROR\\\",\\nSubStatus =~ \\\"0xC0000388\\\", \\\"STATUS_DOWNGRADE_DETECTED\\\",\\nSubStatus =~ \\\"0xC0000389\\\", \\\"STATUS_SMARTCARD_CERT_REVOKED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| project StartTime = TimeGenerated, DayofWeek, HourOfLogin, EventID, Activity, IpAddress, WorkstationName, Computer, TargetUserName, TargetDomainName, ProcessName, SubjectUserName, PrivilegeList, PassedInAccountName, PassedInNTDomain, LogonTypeName, StatusDesc, SubStatusDesc, RelatedRowSet \\n;\\nlet UserSigninToSystems = AllEvents\\n| where EventID == 4624\\n| project-away StatusDesc, SubStatusDesc, PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserSigninToSystems\u0027 ;\\nlet UserFailedSigninToSystems = AllEvents\\n| where EventID == 4625\\n| project-away PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserFailedSigninToSystems\u0027 ;\\nlet UserSigninDuringAbnormalHours = AllEvents\\n| where StartTime between (ago(14d)..ago(2d))\\n| where EventID in (4624,4625)\\n| where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n| summarize max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek) by TargetUserName\\n| join kind= inner\\n(\\n AllEvents\\n | where StartTime \u003e ago(2d)\\n | where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n)\\non TargetUserName\\n| where HourOfLogin \u003e max_HourOfLogin or HourOfLogin \u003c min_HourOfLogin\\n| extend historical_DayofWeek = tostring(historical_DayofWeek)\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), current_DayofWeek =make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName, StatusDesc, SubStatusDesc, historical_DayofWeek\\n| extend historical_DayofWeek = todynamic(historical_DayofWeek) \\n| extend RelatedRowSet = \u0027UserSigninDuringAbnormalHour\u0027; \\nlet UserHadPrivilegedLogonSessions = AllEvents\\n| where EventID == 4672\\n| where PrivilegeList contains \u0027SeDebugPrivilege\u0027\\n| project-away StatusDesc, SubStatusDesc\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, PrivilegeList\\n// Notice! summarize removes the TimeGenerated field, which is required for Activities.\\n| extend RelatedRowSet = \u0027UserHadPrivilegedLogonSessions\u0027 ;\\nunion isfuzzy=true AllEvents, UserSigninToSystems, UserFailedSigninToSystems, UserSigninDuringAbnormalHours, UserHadPrivilegedLogonSessions\\n};\\n// change {{Account_Name}} value below to the username you are interested in and {{Account_NTDomain}} to the domain of the user you are interested in\\nGetAllLogonsForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027) \\n| where RelatedRowSet =~ \u0027AllEvents\u0027 and EventID == 4625 and LogonTypeName == \u00272 - Interactive\u0027 | extend TimeGenerated=StartTime \\n| project Computer, WorkstationName, LogonTypeName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/11449689-6542-4867-86dc-56264abbd90c\",\"name\":\"11449689-6542-4867-86dc-56264abbd90c\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Failed network log-ins to a host\",\"content\":\"The user {{Account_Name}} logged on to host {{Computer}} {{Count}} time(s)\",\"description\":\"This activity lists the user\u0027s failed network log-ins, grouped by Host.\",\"queryDefinitions\":{\"query\":\"let GetAllLogonsForUser = (v_Account_Name:string, v_Account_NTDomain:string){\\nlet AllEvents = SecurityEvent\\n| extend p_Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nv_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nv_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\nv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\nv_Account_Name\\n)\\n| extend p_Account_NTDomain = case(\\nv_Account_NTDomain has \u0027\\\\\\\\\u0027, tostring(split(v_Account_NTDomain, \u0027\\\\\\\\\u0027)[0]), \\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nv_Account_NTDomain has \u0027@\u0027, tostring(split(tostring(split(v_Account_NTDomain, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nv_Account_NTDomain\\n)\\n| where EventID in (4624, 4625, 4672)\\n| where AccountType =~ \u0027User\u0027\\n| where TargetUserName =~ p_Account_Name and TargetDomainName =~ p_Account_NTDomain\\n| extend PassedInAccountName = p_Account_Name, PassedInNTDomain = p_Account_NTDomain, RelatedRowSet = \u0027AllEvents\u0027\\n| extend HourOfLogin = hourofday(TimeGenerated), DayNumberofWeek = dayofweek(TimeGenerated)\\n| extend DayofWeek = case(\\nDayNumberofWeek == \\\"00:00:00\\\", \\\"Sunday\\\", \\nDayNumberofWeek == \\\"1.00:00:00\\\", \\\"Monday\\\", \\nDayNumberofWeek == \\\"2.00:00:00\\\", \\\"Tuesday\\\", \\nDayNumberofWeek == \\\"3.00:00:00\\\", \\\"Wednesday\\\", \\nDayNumberofWeek == \\\"4.00:00:00\\\", \\\"Thursday\\\", \\nDayNumberofWeek == \\\"5.00:00:00\\\", \\\"Friday\\\", \\nDayNumberofWeek == \\\"6.00:00:00\\\", \\\"Saturday\\\",\\\"InvalidTimeStamp\\\")\\n// map the most common ntstatus codes\\n| extend StatusDesc = case(\\nStatus =~ \\\"0x80090302\\\", \\\"SEC_E_UNSUPPORTED_FUNCTION\\\",\\nStatus =~ \\\"0x80090308\\\", \\\"SEC_E_INVALID_TOKEN\\\",\\nStatus =~ \\\"0x8009030E\\\", \\\"SEC_E_NO_CREDENTIALS\\\",\\nStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nStatus =~ \\\"0xC0000017\\\", \\\"STATUS_NO_MEMORY\\\",\\nStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nStatus =~ \\\"0xC0000034\\\", \\\"STATUS_OBJECT_NAME_NOT_FOUND\\\",\\nStatus =~ \\\"0xC000005E\\\", \\\"STATUS_NO_LOGON_SERVERS\\\",\\nStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nStatus =~ \\\"0xC00000FE\\\", \\\"STATUS_NO_SUCH_PACKAGE\\\",\\nStatus =~ \\\"0xC000009A\\\", \\\"STATUS_INSUFFICIENT_RESOURCES\\\",\\nStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nStatus =~ \\\"0xC0000106\\\", \\\"STATUS_NAME_TOO_LONG\\\",\\nStatus =~ \\\"0xC000010B\\\", \\\"STATUS_INVALID_LOGON_TYPE\\\",\\nStatus =~ \\\"0xC000015B\\\", \\\"STATUS_LOGON_TYPE_NOT_GRANTED\\\",\\nStatus =~ \\\"0xC000018B\\\", \\\"STATUS_NO_TRUST_SAM_ACCOUNT\\\",\\nStatus =~ \\\"0xC0000224\\\", \\\"STATUS_PASSWORD_MUST_CHANGE\\\",\\nStatus =~ \\\"0xC0000234\\\", \\\"STATUS_ACCOUNT_LOCKED_OUT\\\",\\nStatus =~ \\\"0xC00002EE\\\", \\\"STATUS_UNFINISHED_CONTEXT_DELETED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| extend SubStatusDesc = case(\\nSubStatus =~ \\\"0x80090325\\\", \\\"SEC_E_UNTRUSTED_ROOT\\\",\\nSubStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nSubStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nSubStatus =~ \\\"0xC0000064\\\", \\\"STATUS_NO_SUCH_USER\\\",\\nSubStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nSubStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nSubStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nSubStatus =~ \\\"0xC000006F\\\", \\\"STATUS_INVALID_LOGON_HOURS\\\",\\nSubStatus =~ \\\"0xC0000070\\\", \\\"STATUS_INVALID_WORKSTATION\\\",\\nSubStatus =~ \\\"0xC0000071\\\", \\\"STATUS_PASSWORD_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000072\\\", \\\"STATUS_ACCOUNT_DISABLED\\\",\\nSubStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nSubStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nSubStatus =~ \\\"0xC0000133\\\", \\\"STATUS_TIME_DIFFERENCE_AT_DC\\\",\\nSubStatus =~ \\\"0xC000018D\\\", \\\"STATUS_TRUSTED_RELATIONSHIP_FAILURE\\\",\\nSubStatus =~ \\\"0xC0000193\\\", \\\"STATUS_ACCOUNT_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000380\\\", \\\"STATUS_SMARTCARD_WRONG_PIN\\\",\\nSubStatus =~ \\\"0xC0000381\\\", \\\"STATUS_SMARTCARD_CARD_BLOCKED\\\",\\nSubStatus =~ \\\"0xC0000382\\\", \\\"STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED\\\",\\nSubStatus =~ \\\"0xC0000383\\\", \\\"STATUS_SMARTCARD_NO_CARD\\\",\\nSubStatus =~ \\\"0xC0000384\\\", \\\"STATUS_SMARTCARD_NO_KEY_CONTAINER\\\",\\nSubStatus =~ \\\"0xC0000385\\\", \\\"STATUS_SMARTCARD_NO_CERTIFICATE\\\",\\nSubStatus =~ \\\"0xC0000386\\\", \\\"STATUS_SMARTCARD_NO_KEYSET\\\",\\nSubStatus =~ \\\"0xC0000387\\\", \\\"STATUS_SMARTCARD_IO_ERROR\\\",\\nSubStatus =~ \\\"0xC0000388\\\", \\\"STATUS_DOWNGRADE_DETECTED\\\",\\nSubStatus =~ \\\"0xC0000389\\\", \\\"STATUS_SMARTCARD_CERT_REVOKED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| project StartTime = TimeGenerated, DayofWeek, HourOfLogin, EventID, Activity, IpAddress, WorkstationName, Computer, TargetUserName, TargetDomainName, ProcessName, SubjectUserName, PrivilegeList, PassedInAccountName, PassedInNTDomain, LogonTypeName, StatusDesc, SubStatusDesc, RelatedRowSet \\n;\\nlet UserSigninToSystems = AllEvents\\n| where EventID == 4624\\n| project-away StatusDesc, SubStatusDesc, PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserSigninToSystems\u0027 ;\\nlet UserFailedSigninToSystems = AllEvents\\n| where EventID == 4625\\n| project-away PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserFailedSigninToSystems\u0027 ;\\nlet UserSigninDuringAbnormalHours = AllEvents\\n| where StartTime between (ago(14d)..ago(2d))\\n| where EventID in (4624,4625)\\n| where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n| summarize max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek) by TargetUserName\\n| join kind= inner\\n(\\n AllEvents\\n | where StartTime \u003e ago(2d)\\n | where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n)\\non TargetUserName\\n| where HourOfLogin \u003e max_HourOfLogin or HourOfLogin \u003c min_HourOfLogin\\n| extend historical_DayofWeek = tostring(historical_DayofWeek)\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), current_DayofWeek =make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName, StatusDesc, SubStatusDesc, historical_DayofWeek\\n| extend historical_DayofWeek = todynamic(historical_DayofWeek) \\n| extend RelatedRowSet = \u0027UserSigninDuringAbnormalHour\u0027; \\nlet UserHadPrivilegedLogonSessions = AllEvents\\n| where EventID == 4672\\n| where PrivilegeList contains \u0027SeDebugPrivilege\u0027\\n| project-away StatusDesc, SubStatusDesc\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, PrivilegeList\\n// Notice! summarize removes the TimeGenerated field, which is required for Activities.\\n| extend RelatedRowSet = \u0027UserHadPrivilegedLogonSessions\u0027 ;\\nunion isfuzzy=true AllEvents, UserSigninToSystems, UserFailedSigninToSystems, UserSigninDuringAbnormalHours, UserHadPrivilegedLogonSessions\\n};\\n// change {{Account_Name}} value below to the username you are interested in and {{Account_NTDomain}} to the domain of the user you are interested in\\nGetAllLogonsForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027) \\n| where RelatedRowSet =~ \u0027AllEvents\u0027 and EventID == 4625 and LogonTypeName == \u00273 - Network\u0027 | extend TimeGenerated=StartTime \\n| project Computer, WorkstationName, LogonTypeName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/686cf7e8-87c7-4391-8898-25adf1033a54\",\"name\":\"686cf7e8-87c7-4391-8898-25adf1033a54\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Failed remote interactive log-ins to a host\",\"content\":\"The user {{Account_Name}} failed to logged on to host {{Computer}} {{Count}} time(s)\",\"description\":\"This activity lists the user\u0027s failed remote interactive log-ins, grouped by Host.\",\"queryDefinitions\":{\"query\":\"let GetAllLogonsForUser = (v_Account_Name:string, v_Account_NTDomain:string){\\nlet AllEvents = SecurityEvent\\n| extend p_Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nv_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nv_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\nv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\nv_Account_Name\\n)\\n| extend p_Account_NTDomain = case(\\nv_Account_NTDomain has \u0027\\\\\\\\\u0027, tostring(split(v_Account_NTDomain, \u0027\\\\\\\\\u0027)[0]), \\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nv_Account_NTDomain has \u0027@\u0027, tostring(split(tostring(split(v_Account_NTDomain, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nv_Account_NTDomain\\n)\\n| where EventID in (4624, 4625, 4672)\\n| where AccountType =~ \u0027User\u0027\\n| where TargetUserName =~ p_Account_Name and TargetDomainName =~ p_Account_NTDomain\\n| extend PassedInAccountName = p_Account_Name, PassedInNTDomain = p_Account_NTDomain, RelatedRowSet = \u0027AllEvents\u0027\\n| extend HourOfLogin = hourofday(TimeGenerated), DayNumberofWeek = dayofweek(TimeGenerated)\\n| extend DayofWeek = case(\\nDayNumberofWeek == \\\"00:00:00\\\", \\\"Sunday\\\", \\nDayNumberofWeek == \\\"1.00:00:00\\\", \\\"Monday\\\", \\nDayNumberofWeek == \\\"2.00:00:00\\\", \\\"Tuesday\\\", \\nDayNumberofWeek == \\\"3.00:00:00\\\", \\\"Wednesday\\\", \\nDayNumberofWeek == \\\"4.00:00:00\\\", \\\"Thursday\\\", \\nDayNumberofWeek == \\\"5.00:00:00\\\", \\\"Friday\\\", \\nDayNumberofWeek == \\\"6.00:00:00\\\", \\\"Saturday\\\",\\\"InvalidTimeStamp\\\")\\n// map the most common ntstatus codes\\n| extend StatusDesc = case(\\nStatus =~ \\\"0x80090302\\\", \\\"SEC_E_UNSUPPORTED_FUNCTION\\\",\\nStatus =~ \\\"0x80090308\\\", \\\"SEC_E_INVALID_TOKEN\\\",\\nStatus =~ \\\"0x8009030E\\\", \\\"SEC_E_NO_CREDENTIALS\\\",\\nStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nStatus =~ \\\"0xC0000017\\\", \\\"STATUS_NO_MEMORY\\\",\\nStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nStatus =~ \\\"0xC0000034\\\", \\\"STATUS_OBJECT_NAME_NOT_FOUND\\\",\\nStatus =~ \\\"0xC000005E\\\", \\\"STATUS_NO_LOGON_SERVERS\\\",\\nStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nStatus =~ \\\"0xC00000FE\\\", \\\"STATUS_NO_SUCH_PACKAGE\\\",\\nStatus =~ \\\"0xC000009A\\\", \\\"STATUS_INSUFFICIENT_RESOURCES\\\",\\nStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nStatus =~ \\\"0xC0000106\\\", \\\"STATUS_NAME_TOO_LONG\\\",\\nStatus =~ \\\"0xC000010B\\\", \\\"STATUS_INVALID_LOGON_TYPE\\\",\\nStatus =~ \\\"0xC000015B\\\", \\\"STATUS_LOGON_TYPE_NOT_GRANTED\\\",\\nStatus =~ \\\"0xC000018B\\\", \\\"STATUS_NO_TRUST_SAM_ACCOUNT\\\",\\nStatus =~ \\\"0xC0000224\\\", \\\"STATUS_PASSWORD_MUST_CHANGE\\\",\\nStatus =~ \\\"0xC0000234\\\", \\\"STATUS_ACCOUNT_LOCKED_OUT\\\",\\nStatus =~ \\\"0xC00002EE\\\", \\\"STATUS_UNFINISHED_CONTEXT_DELETED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| extend SubStatusDesc = case(\\nSubStatus =~ \\\"0x80090325\\\", \\\"SEC_E_UNTRUSTED_ROOT\\\",\\nSubStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nSubStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nSubStatus =~ \\\"0xC0000064\\\", \\\"STATUS_NO_SUCH_USER\\\",\\nSubStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nSubStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nSubStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nSubStatus =~ \\\"0xC000006F\\\", \\\"STATUS_INVALID_LOGON_HOURS\\\",\\nSubStatus =~ \\\"0xC0000070\\\", \\\"STATUS_INVALID_WORKSTATION\\\",\\nSubStatus =~ \\\"0xC0000071\\\", \\\"STATUS_PASSWORD_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000072\\\", \\\"STATUS_ACCOUNT_DISABLED\\\",\\nSubStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nSubStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nSubStatus =~ \\\"0xC0000133\\\", \\\"STATUS_TIME_DIFFERENCE_AT_DC\\\",\\nSubStatus =~ \\\"0xC000018D\\\", \\\"STATUS_TRUSTED_RELATIONSHIP_FAILURE\\\",\\nSubStatus =~ \\\"0xC0000193\\\", \\\"STATUS_ACCOUNT_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000380\\\", \\\"STATUS_SMARTCARD_WRONG_PIN\\\",\\nSubStatus =~ \\\"0xC0000381\\\", \\\"STATUS_SMARTCARD_CARD_BLOCKED\\\",\\nSubStatus =~ \\\"0xC0000382\\\", \\\"STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED\\\",\\nSubStatus =~ \\\"0xC0000383\\\", \\\"STATUS_SMARTCARD_NO_CARD\\\",\\nSubStatus =~ \\\"0xC0000384\\\", \\\"STATUS_SMARTCARD_NO_KEY_CONTAINER\\\",\\nSubStatus =~ \\\"0xC0000385\\\", \\\"STATUS_SMARTCARD_NO_CERTIFICATE\\\",\\nSubStatus =~ \\\"0xC0000386\\\", \\\"STATUS_SMARTCARD_NO_KEYSET\\\",\\nSubStatus =~ \\\"0xC0000387\\\", \\\"STATUS_SMARTCARD_IO_ERROR\\\",\\nSubStatus =~ \\\"0xC0000388\\\", \\\"STATUS_DOWNGRADE_DETECTED\\\",\\nSubStatus =~ \\\"0xC0000389\\\", \\\"STATUS_SMARTCARD_CERT_REVOKED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| project StartTime = TimeGenerated, DayofWeek, HourOfLogin, EventID, Activity, IpAddress, WorkstationName, Computer, TargetUserName, TargetDomainName, ProcessName, SubjectUserName, PrivilegeList, PassedInAccountName, PassedInNTDomain, LogonTypeName, StatusDesc, SubStatusDesc, RelatedRowSet \\n;\\nlet UserSigninToSystems = AllEvents\\n| where EventID == 4624\\n| project-away StatusDesc, SubStatusDesc, PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserSigninToSystems\u0027 ;\\nlet UserFailedSigninToSystems = AllEvents\\n| where EventID == 4625\\n| project-away PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserFailedSigninToSystems\u0027 ;\\nlet UserSigninDuringAbnormalHours = AllEvents\\n| where StartTime between (ago(14d)..ago(2d))\\n| where EventID in (4624,4625)\\n| where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n| summarize max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek) by TargetUserName\\n| join kind= inner\\n(\\n AllEvents\\n | where StartTime \u003e ago(2d)\\n | where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n)\\non TargetUserName\\n| where HourOfLogin \u003e max_HourOfLogin or HourOfLogin \u003c min_HourOfLogin\\n| extend historical_DayofWeek = tostring(historical_DayofWeek)\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), current_DayofWeek =make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName, StatusDesc, SubStatusDesc, historical_DayofWeek\\n| extend historical_DayofWeek = todynamic(historical_DayofWeek) \\n| extend RelatedRowSet = \u0027UserSigninDuringAbnormalHour\u0027; \\nlet UserHadPrivilegedLogonSessions = AllEvents\\n| where EventID == 4672\\n| where PrivilegeList contains \u0027SeDebugPrivilege\u0027\\n| project-away StatusDesc, SubStatusDesc\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, PrivilegeList\\n// Notice! summarize removes the TimeGenerated field, which is required for Activities.\\n| extend RelatedRowSet = \u0027UserHadPrivilegedLogonSessions\u0027 ;\\nunion isfuzzy=true AllEvents, UserSigninToSystems, UserFailedSigninToSystems, UserSigninDuringAbnormalHours, UserHadPrivilegedLogonSessions\\n};\\n// change {{Account_Name}} value below to the username you are interested in and {{Account_NTDomain}} to the domain of the user you are interested in\\nGetAllLogonsForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027) \\n| where RelatedRowSet =~ \u0027AllEvents\u0027 and EventID == 4625 and LogonTypeName == \u002710 - RemoteInteractive\u0027 | extend TimeGenerated=StartTime \\n| project Computer, WorkstationName, LogonTypeName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/c6523929-5696-4e94-8a61-61aeb1c953d1\",\"name\":\"c6523929-5696-4e94-8a61-61aeb1c953d1\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Custom Script Extension execution (Preview)\",\"content\":\"The account {{Caller}} ran the custom script extension {{extName}} {{Count}} time(s)\",\"description\":\"This activity indicated Custom Script Extension execution\",\"queryDefinitions\":{\"query\":\"AzureActivity\\n| where OperationNameValue =~ \\\"MICROSOFT.COMPUTE/VIRTUALMACHINES/EXTENSIONS/WRITE\\\"\\n| where _ResourceId =~ \u0027{{AzureResource_ResourceId}}\u0027\\n| extend resBody = parse_json(Properties).responseBody\\n| where resBody != \\\"\\\"\\n| extend resBody = parse_json(tostring(resBody))\\n| extend extName = tostring(resBody.name), extType = resBody.properties.type\\n| where extType in (\\\"CustomScriptExtension\\\", \\\"CustomScript\\\", \\\"CustomScriptForLinux\\\")\\n| project TimeGenerated, Caller, _ResourceId, OperationNameValue, Resource, extType, extName \\n| project Caller, _ResourceId, extName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AzureActivity\"}],\"inputEntityType\":\"AzureResource\",\"requiredInputFieldsSets\":[[\"AzureResource_ResourceId\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/5a2b8371-8708-4e41-8613-b64bbcbd0199\",\"name\":\"5a2b8371-8708-4e41-8613-b64bbcbd0199\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Azure Key Vault sensitive operation\",\"content\":\"The operation {{OperationName}} was observed from the IP {{CallerIPAddress}} {{Count}} time(s)\",\"description\":\"This activity indicated sensitive operation of Azure Key Valut\",\"queryDefinitions\":{\"query\":\"let SensitiveOperationList = dynamic([\\\"VaultDelete\\\", \\\"KeyDelete\\\", \\\"SecretDelete\\\", \\\"SecretPurge\\\", \\\"KeyPurge\\\", \\\"SecretBackup\\\", \\\"KeyBackup\\\"]);\\n AzureDiagnostics\\n | where ResourceType == \\\"VAULTS\\\"\\n | where Category == \\\"AuditEvent\\\"\\n | where ResourceId =~ \u0027{{AzureResource_ResourceId}}\u0027\\n | extend Result = columnifexists(\\\"ResultType\\\", \\\"NoResult\\\")\\n | extend requestUri_s = columnifexists(\\\"requestUri_s\\\", \\\"None\\\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"None\\\")\\n | extend id_s = columnifexists(\\\"id_s\\\", \\\"None\\\"), CallerIPAddress = columnifexists(\\\"CallerIPAddress\\\", \\\"None\\\"), clientInfo_s = columnifexists(\\\"clientInfo_s\\\", \\\"None\\\")\\n | where Result !~ \\\"None\\\" and isnotempty(Result)\\n | where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \\\"None\\\" and isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\\n | where id_s !~ \\\"None\\\" and isnotempty(id_s)\\n | where CallerIPAddress !~ \\\"None\\\" and isnotempty(CallerIPAddress)\\n | where clientInfo_s !~ \\\"None\\\" and isnotempty(clientInfo_s)\\n | where requestUri_s !~ \\\"None\\\" and isnotempty(requestUri_s)\\n | where ResourceType =~ \\\"VAULTS\\\" and Result =~ \\\"Success\\\"\\n | where OperationName in~ (SensitiveOperationList)\\n | project TimeGenerated, ResourceId, Result, OperationName, CallerIPAddress \\n| project ResourceId, OperationName, CallerIPAddress, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AzureDiagnostics\"}],\"inputEntityType\":\"AzureResource\",\"requiredInputFieldsSets\":[[\"AzureResource_ResourceId\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/a8b50062-f80e-4331-a247-de0e10d7b83f\",\"name\":\"a8b50062-f80e-4331-a247-de0e10d7b83f\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Storage account keys list (Preview)\",\"content\":\"The account {{Caller}} retrieved the keys of the storage account {{_ResourceId}} {{Count}} time(s)\",\"description\":\"This activity indicated storage account keys list operation\",\"queryDefinitions\":{\"query\":\"AzureActivity\\n| where OperationNameValue =~ \\\"Microsoft.Storage/storageAccounts/listKeys/action\\\"\\n| where _ResourceId =~ \u0027{{AzureResource_ResourceId}}\u0027\\n| project TimeGenerated, Caller, _ResourceId, OperationNameValue, Resource \\n| project Caller, _ResourceId, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AzureActivity\"}],\"inputEntityType\":\"AzureResource\",\"requiredInputFieldsSets\":[[\"AzureResource_ResourceId\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/e24d372a-ce9a-424e-99ba-5894177365a0\",\"name\":\"e24d372a-ce9a-424e-99ba-5894177365a0\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Storage account keys list were regenerated (Preview)\",\"content\":\"The account {{Caller}} regenerated the keys of the storage account {{_ResourceId}} {{Count}} time(s)\",\"description\":\"This activity indicated storage account keys list regeneration\",\"queryDefinitions\":{\"query\":\"AzureActivity\\n| where OperationNameValue =~ \\\"MICROSOFT.STORAGE/STORAGEACCOUNTS/REGENERATEKEY/ACTION\\\"\\n| where _ResourceId =~ \u0027{{AzureResource_ResourceId}}\u0027\\n| project TimeGenerated, Caller, _ResourceId, OperationNameValue, Resource \\n| project Caller, _ResourceId, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AzureActivity\"}],\"inputEntityType\":\"AzureResource\",\"requiredInputFieldsSets\":[[\"AzureResource_ResourceId\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/2276eacb-9400-47e9-88c9-600b9b04ad81\",\"name\":\"2276eacb-9400-47e9-88c9-600b9b04ad81\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"VM Run Command execution (Preview)\",\"content\":\"The account {{Caller}} used Run Command on the VM {{Count}} time(s)\",\"description\":\"This activity indicates usage of Run Command\",\"queryDefinitions\":{\"query\":\"AzureActivity\\n| where OperationNameValue =~ \\\"MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION\\\"\\n| where _ResourceId =~ \u0027{{AzureResource_ResourceId}}\u0027\\n| project TimeGenerated, Caller, _ResourceId, OperationNameValue, Resource \\n| project Caller, _ResourceId, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AzureActivity\"}],\"inputEntityType\":\"AzureResource\",\"requiredInputFieldsSets\":[[\"AzureResource_ResourceId\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/0aa3626b-30dd-4731-9d1e-39872a73949c\",\"name\":\"0aa3626b-30dd-4731-9d1e-39872a73949c\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"VM access extension execution (Preview)\",\"content\":\"The account {{Caller}} ran VM Access extension on the VM {{Count}} time(s)\",\"description\":\"This activity indicated VM access extension execution\",\"queryDefinitions\":{\"query\":\"AzureActivity\\n| where OperationNameValue =~ \\\"MICROSOFT.COMPUTE/VIRTUALMACHINES/EXTENSIONS/WRITE\\\"\\n| where _ResourceId =~ \u0027{{AzureResource_ResourceId}}\u0027\\n| extend resBody = parse_json(Properties).responseBody\\n| where resBody != \\\"\\\"\\n| extend resBody = parse_json(tostring(resBody))\\n| extend extName = resBody.name, extType = resBody.properties.type\\n| where extType in (\\\"VMAccessAgent\\\", \\\"VMAccessForLinux\\\")\\n| project TimeGenerated, Caller, _ResourceId, OperationNameValue, Resource \\n| project Caller, _ResourceId, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AzureActivity\"}],\"inputEntityType\":\"AzureResource\",\"requiredInputFieldsSets\":[[\"AzureResource_ResourceId\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/307c85ee-39a2-4da3-952e-4fd79aa46d3a\",\"name\":\"307c85ee-39a2-4da3-952e-4fd79aa46d3a\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was created on this host\",\"content\":\"On \u0027{{Computer}}\u0027 the account \u0027{{TargetAccount}}\u0027 was created by \u0027{{AddedBy}}\u0027\",\"description\":\"Account created on host\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)\\n// parsing for Host to handle variety of conventions coming from data\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| where (isnotempty(v_Host_Name) and Host_HostName=~ v_Host_Name and isnotempty(v_Host_NTDomain) and Host_NTDomain =~ v_Host_NTDomain) \\nor (isnotempty(v_Host_Name) and Host_HostName =~ v_Host_Name and isnotempty(v_Host_NTDomain) and isnotempty(v_Host_DnsDomain) and Host_DnsDomain =~ v_Host_DnsDomain) \\nor (isnotempty(v_Host_AzureID) and v_Host_AzureID =~ _ResourceId)\\nor (isnotempty(v_Host_OMSAgentID) and v_Host_OMSAgentID == SourceComputerId)\\n| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid, _ResourceId, SourceComputerId\\n| extend AddedBy = SubjectUserName\\n// Future support for Activities\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = TargetAccount\\n};\\nGetAccountActions(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027) \\n| where EventID == 4720 \\n| project Computer, TargetAccount, AddedBy, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/31529548-dbd2-4d5d-8270-710330cdcec7\",\"name\":\"31529548-dbd2-4d5d-8270-710330cdcec7\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was deleted on this host\",\"content\":\"On \u0027{{Computer}}\u0027 the account \u0027{{TargetAccount}}\u0027 was deleted by \u0027{{AddedBy}}\u0027\",\"description\":\"Account deleted on host\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)\\n// parsing for Host to handle variety of conventions coming from data\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| where (isnotempty(v_Host_Name) and Host_HostName=~ v_Host_Name and isnotempty(v_Host_NTDomain) and Host_NTDomain =~ v_Host_NTDomain) \\nor (isnotempty(v_Host_Name) and Host_HostName =~ v_Host_Name and isnotempty(v_Host_NTDomain) and isnotempty(v_Host_DnsDomain) and Host_DnsDomain =~ v_Host_DnsDomain) \\nor (isnotempty(v_Host_AzureID) and v_Host_AzureID =~ _ResourceId)\\nor (isnotempty(v_Host_OMSAgentID) and v_Host_OMSAgentID == SourceComputerId)\\n| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid, _ResourceId, SourceComputerId\\n| extend AddedBy = SubjectUserName\\n// Future support for Activities\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = TargetAccount\\n};\\nGetAccountActions(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027) \\n| where EventID == 4726 \\n| project Computer, TargetAccount, AddedBy, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/2fcda698-9526-454f-8fe0-4a0fd7af13f2\",\"name\":\"2fcda698-9526-454f-8fe0-4a0fd7af13f2\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Security Event log cleared by account on this host\",\"content\":\"On \u0027{{Computer}}\u0027 the user \u0027{{SubjectAccount}}\u0027 cleared the \u0027{{LogName}}\u0027 log, EventID: \u0027{{EventID}}\u0027\",\"description\":\"Security Event log cleared by account\",\"queryDefinitions\":{\"query\":\"let SystemAccount = datatable(AccountName:string)[\u0027NT AUTHORITY\\\\\\\\SYSTEM\u0027, \u0027NT AUTHORITY\\\\\\\\NETWORK SERVICE\u0027, \u0027NT AUTHORITY\\\\\\\\LOCAL SERVICE\u0027, \u0027NT AUTHORITY\\\\\\\\IUSR\u0027, \u0027NTAUTHORITY\\\\\\\\ANONYMOUS LOGON\u0027];\\nlet SvcAcctList = dynamic([\\\"Local SYSTEM\\\",\\\"Local SERVICE\\\",\\\"Network SERVICE\\\",\\\"NT AUTHORITY\\\"]);\\nlet ServiceAccount = SecurityEvent\\n| where EventID == \u00274624\u0027 and LogonType == \u00275\u0027 and not(Account has_any (SvcAcctList))\\n| extend AccountName = Account\\n| distinct AccountName;\\nlet MachineAccount = SecurityEvent\\n| where EventID == \u00274624\u0027 and AccountType == \\\"Machine\\\" and not(Account has_any (SvcAcctList))\\n| extend AccountName = Account\\n| distinct AccountName;\\nlet Accounts = union isfuzzy=true SystemAccount, ServiceAccount, MachineAccount;\\nlet source = \u0027Microsoft-Windows-Eventlog\u0027;\\nlet tableFunc = (tableName:string, event:int){\\ntable(tableName) \\n| where EventID == event\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| extend SourceComputerId = column_ifexists(\\\"SourceComputerId\\\", \\\"NotAvailable\\\"), EventOriginId = column_ifexists(\\\"EventOriginId\\\", \\\"NotAvailable\\\")\\n| parse EventData with * \u0027SubjectUserName\u003e\u0027 SubjectUserName \u0027\u003c\u0027 *\\n| parse EventData with * \u0027SubjectUserSid\u003e\u0027 SubjectUserSid \u0027\u003c\u0027 *\\n| parse EventData with * \u0027SubjectLogonId\u003e\u0027 SubjectLogonId \u0027\u003c\u0027 *\\n| parse EventData with * \u0027SubjectDomainName\u003e\u0027 SubjectDomainName \u0027\u003c\u0027 *\\n| extend SubjectAccount = strcat(SubjectDomainName, \u0027\\\\\\\\\u0027, SubjectUserName)\\n};\\nlet HostClearedEventLog = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string)\\n{\\nlet Event104 = tableFunc(\u0027Event\u0027, event=104)\\n| where Source =~ source\\n| where (isnotempty(v_Host_Name) and Host_HostName=~ v_Host_Name and isnotempty(v_Host_NTDomain) and Host_NTDomain =~ v_Host_NTDomain) \\nor (isnotempty(v_Host_Name) and Host_HostName =~ v_Host_Name and isnotempty(v_Host_NTDomain) and isnotempty(v_Host_DnsDomain) and Host_DnsDomain =~ v_Host_DnsDomain) \\nor (isnotempty(v_Host_AzureID) and v_Host_AzureID =~ _ResourceId)\\nor (isnotempty(v_Host_OMSAgentID) and v_Host_OMSAgentID == SourceComputerId)\\n| parse RenderedDescription with * \u0027The\u0027 LogName \u0027log\u0027 *\\n| project TimeGenerated, Computer, EventID, SubjectAccount, SubjectUserName, SubjectDomainName, LogName, SubjectUserSid, SubjectLogonId, SourceComputerId, EventOriginId, _ResourceId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount, HostCustomEntity = Computer;\\nlet Event1102 = tableFunc(\u0027SecurityEvent\u0027, event=1102)\\n| where EventSourceName == source\\n| where (isnotempty(v_Host_Name) and Host_HostName=~ v_Host_Name and isnotempty(v_Host_NTDomain) and Host_NTDomain =~ v_Host_NTDomain) \\nor (isnotempty(v_Host_Name) and Host_HostName =~ v_Host_Name and isnotempty(v_Host_NTDomain) and isnotempty(v_Host_DnsDomain) and Host_DnsDomain =~ v_Host_DnsDomain) \\nor (isnotempty(v_Host_AzureID) and v_Host_AzureID =~ _ResourceId)\\nor (isnotempty(v_Host_OMSAgentID) and v_Host_OMSAgentID == SourceComputerId)\\n| extend LogName = \u0027Security\u0027\\n| project TimeGenerated, Computer, EventID, SubjectAccount, SubjectUserName, SubjectDomainName, LogName, SubjectUserSid, SubjectLogonId, SourceComputerId, EventOriginId, _ResourceId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount, HostCustomEntity = Computer;\\nunion isfuzzy=true Event104, Event1102\\n};\\nHostClearedEventLog(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027) \\n| where LogName =~ \u0027Security\u0027 \\n| project Computer, SubjectAccount, LogName, EventID, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"},{\"dataType\":\"Event\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/3ff675ee-3052-4e0b-88ad-f34ed1732adc\",\"name\":\"3ff675ee-3052-4e0b-88ad-f34ed1732adc\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Event log(s) cleared by account on this host\",\"content\":\"On \u0027{{Computer}}\u0027 the user \u0027{{SubjectAccount}}\u0027 cleared the \u0027{{LogName}}\u0027 log, EventID: \u0027{{EventID}}\u0027\",\"description\":\"Event logs cleared by account\",\"queryDefinitions\":{\"query\":\"let SystemAccount = datatable(AccountName:string)[\u0027NT AUTHORITY\\\\\\\\SYSTEM\u0027, \u0027NT AUTHORITY\\\\\\\\NETWORK SERVICE\u0027, \u0027NT AUTHORITY\\\\\\\\LOCAL SERVICE\u0027, \u0027NT AUTHORITY\\\\\\\\IUSR\u0027, \u0027NTAUTHORITY\\\\\\\\ANONYMOUS LOGON\u0027];\\nlet SvcAcctList = dynamic([\\\"Local SYSTEM\\\",\\\"Local SERVICE\\\",\\\"Network SERVICE\\\",\\\"NT AUTHORITY\\\"]);\\nlet ServiceAccount = SecurityEvent\\n| where EventID == \u00274624\u0027 and LogonType == \u00275\u0027 and not(Account has_any (SvcAcctList))\\n| extend AccountName = Account\\n| distinct AccountName;\\nlet MachineAccount = SecurityEvent\\n| where EventID == \u00274624\u0027 and AccountType == \\\"Machine\\\" and not(Account has_any (SvcAcctList))\\n| extend AccountName = Account\\n| distinct AccountName;\\nlet Accounts = union isfuzzy=true SystemAccount, ServiceAccount, MachineAccount;\\nlet source = \u0027Microsoft-Windows-Eventlog\u0027;\\nlet tableFunc = (tableName:string, event:int){\\ntable(tableName) \\n| where EventID == event\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| extend SourceComputerId = column_ifexists(\\\"SourceComputerId\\\", \\\"NotAvailable\\\"), EventOriginId = column_ifexists(\\\"EventOriginId\\\", \\\"NotAvailable\\\")\\n| parse EventData with * \u0027SubjectUserName\u003e\u0027 SubjectUserName \u0027\u003c\u0027 *\\n| parse EventData with * \u0027SubjectUserSid\u003e\u0027 SubjectUserSid \u0027\u003c\u0027 *\\n| parse EventData with * \u0027SubjectLogonId\u003e\u0027 SubjectLogonId \u0027\u003c\u0027 *\\n| parse EventData with * \u0027SubjectDomainName\u003e\u0027 SubjectDomainName \u0027\u003c\u0027 *\\n| extend SubjectAccount = strcat(SubjectDomainName, \u0027\\\\\\\\\u0027, SubjectUserName)\\n};\\nlet HostClearedEventLog = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string)\\n{\\nlet Event104 = tableFunc(\u0027Event\u0027, event=104)\\n| where Source =~ source\\n| where (isnotempty(v_Host_Name) and Host_HostName=~ v_Host_Name and isnotempty(v_Host_NTDomain) and Host_NTDomain =~ v_Host_NTDomain) \\nor (isnotempty(v_Host_Name) and Host_HostName =~ v_Host_Name and isnotempty(v_Host_NTDomain) and isnotempty(v_Host_DnsDomain) and Host_DnsDomain =~ v_Host_DnsDomain) \\nor (isnotempty(v_Host_AzureID) and v_Host_AzureID =~ _ResourceId)\\nor (isnotempty(v_Host_OMSAgentID) and v_Host_OMSAgentID == SourceComputerId)\\n| parse RenderedDescription with * \u0027The\u0027 LogName \u0027log\u0027 *\\n| project TimeGenerated, Computer, EventID, SubjectAccount, SubjectUserName, SubjectDomainName, LogName, SubjectUserSid, SubjectLogonId, SourceComputerId, EventOriginId, _ResourceId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount, HostCustomEntity = Computer;\\nlet Event1102 = tableFunc(\u0027SecurityEvent\u0027, event=1102)\\n| where EventSourceName == source\\n| where (isnotempty(v_Host_Name) and Host_HostName=~ v_Host_Name and isnotempty(v_Host_NTDomain) and Host_NTDomain =~ v_Host_NTDomain) \\nor (isnotempty(v_Host_Name) and Host_HostName =~ v_Host_Name and isnotempty(v_Host_NTDomain) and isnotempty(v_Host_DnsDomain) and Host_DnsDomain =~ v_Host_DnsDomain) \\nor (isnotempty(v_Host_AzureID) and v_Host_AzureID =~ _ResourceId)\\nor (isnotempty(v_Host_OMSAgentID) and v_Host_OMSAgentID == SourceComputerId)\\n| extend LogName = \u0027Security\u0027\\n| project TimeGenerated, Computer, EventID, SubjectAccount, SubjectUserName, SubjectDomainName, LogName, SubjectUserSid, SubjectLogonId, SourceComputerId, EventOriginId, _ResourceId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount, HostCustomEntity = Computer;\\nunion isfuzzy=true Event104, Event1102\\n};\\nHostClearedEventLog(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027) \\n| where LogName !~ \u0027Security\u0027 \\n| project Computer, SubjectAccount, LogName, EventID, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"},{\"dataType\":\"Event\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/b880ad94-f905-4ba8-8a3f-9088b19b12fa\",\"name\":\"b880ad94-f905-4ba8-8a3f-9088b19b12fa\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was added to the local Administrators group\",\"content\":\"On \u0027{{Computer}}\u0027 the user \u0027{{MemberAdded}}\u0027 was added by \u0027{{AddedBy}}\u0027 to group: \u0027{{GroupName}}\u0027\",\"description\":\"Account added to local Administrators group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForHost = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n// parsing for Host to handle variety of conventions coming from data\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| where (isnotempty(v_Host_Name) and Host_HostName=~ v_Host_Name and isnotempty(v_Host_NTDomain) and Host_NTDomain =~ v_Host_NTDomain) \\nor (isnotempty(v_Host_Name) and Host_HostName =~ v_Host_Name and isnotempty(v_Host_NTDomain) and isnotempty(v_Host_DnsDomain) and Host_DnsDomain =~ v_Host_DnsDomain) \\nor (isnotempty(v_Host_AzureID) and v_Host_AzureID =~ _ResourceId)\\nor (isnotempty(v_Host_OMSAgentID) and v_Host_OMSAgentID == SourceComputerId)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName) \\n| project TimeGenerated, EventID, Activity, Computer, MemberAdded, MemberName, MemberSid, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectUserName, SubjectUserSid, WellKnownGroupSID, WellKnownLocalSID, _ResourceId, SourceComputerId\\n| extend GroupName = TargetUserName, AddedBy = SubjectUserName\\n//support for Activities\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer\\n};\\nGetGroupAddForHost(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027) \\n| where TargetSid == \u0027S-1-5-32-544\u0027 \\n| project Computer, MemberAdded, AddedBy, GroupName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/aaad22c3-be50-465f-b258-8570d629c3db\",\"name\":\"aaad22c3-be50-465f-b258-8570d629c3db\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was added to the Domain Admins group\",\"content\":\"On \u0027{{Computer}}\u0027 the user \u0027{{MemberAdded}}\u0027 was added by \u0027{{AddedBy}}\u0027 to group: \u0027{{GroupName}}\u0027\",\"description\":\"Account added to the Domain Admins group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForHost = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n// parsing for Host to handle variety of conventions coming from data\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| where (isnotempty(v_Host_Name) and Host_HostName=~ v_Host_Name and isnotempty(v_Host_NTDomain) and Host_NTDomain =~ v_Host_NTDomain) \\nor (isnotempty(v_Host_Name) and Host_HostName =~ v_Host_Name and isnotempty(v_Host_NTDomain) and isnotempty(v_Host_DnsDomain) and Host_DnsDomain =~ v_Host_DnsDomain) \\nor (isnotempty(v_Host_AzureID) and v_Host_AzureID =~ _ResourceId)\\nor (isnotempty(v_Host_OMSAgentID) and v_Host_OMSAgentID == SourceComputerId)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName) \\n| project TimeGenerated, EventID, Activity, Computer, MemberAdded, MemberName, MemberSid, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectUserName, SubjectUserSid, WellKnownGroupSID, WellKnownLocalSID, _ResourceId, SourceComputerId\\n| extend GroupName = TargetUserName, AddedBy = SubjectUserName\\n//support for Activities\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer\\n};\\nGetGroupAddForHost(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027) \\n| where TargetSid matches regex \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-512$\u0027 \\n| project Computer, MemberAdded, AddedBy, GroupName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/cf3469b3-f64c-4ae2-9900-289617443d74\",\"name\":\"cf3469b3-f64c-4ae2-9900-289617443d74\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was added to the Enterprise Admins group\",\"content\":\"On \u0027{{Computer}}\u0027 the user \u0027{{MemberAdded}}\u0027 was added by \u0027{{AddedBy}}\u0027 to group: \u0027{{GroupName}}\u0027\",\"description\":\"Account added to the Enterprise Admins group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForHost = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n// parsing for Host to handle variety of conventions coming from data\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| where (isnotempty(v_Host_Name) and Host_HostName=~ v_Host_Name and isnotempty(v_Host_NTDomain) and Host_NTDomain =~ v_Host_NTDomain) \\nor (isnotempty(v_Host_Name) and Host_HostName =~ v_Host_Name and isnotempty(v_Host_NTDomain) and isnotempty(v_Host_DnsDomain) and Host_DnsDomain =~ v_Host_DnsDomain) \\nor (isnotempty(v_Host_AzureID) and v_Host_AzureID =~ _ResourceId)\\nor (isnotempty(v_Host_OMSAgentID) and v_Host_OMSAgentID == SourceComputerId)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName) \\n| project TimeGenerated, EventID, Activity, Computer, MemberAdded, MemberName, MemberSid, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectUserName, SubjectUserSid, WellKnownGroupSID, WellKnownLocalSID, _ResourceId, SourceComputerId\\n| extend GroupName = TargetUserName, AddedBy = SubjectUserName\\n//support for Activities\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer\\n};\\nGetGroupAddForHost(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027) \\n| where TargetSid matches regex \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-519$\u0027 \\n| project Computer, MemberAdded, AddedBy, GroupName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/5ba7b064-c667-4bb9-b8ac-7e87872ae479\",\"name\":\"5ba7b064-c667-4bb9-b8ac-7e87872ae479\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Account added to a privileged group\",\"content\":\"On \u0027{{Computer}}\u0027 the user \u0027{{MemberAdded}}\u0027 was added by \u0027{{AddedBy}}\u0027 to group: \u0027{{GroupName}}\u0027\",\"description\":\"Account added to privileged group.\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForHost = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n// parsing for Host to handle variety of conventions coming from data\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| where (isnotempty(v_Host_Name) and Host_HostName=~ v_Host_Name and isnotempty(v_Host_NTDomain) and Host_NTDomain =~ v_Host_NTDomain) \\nor (isnotempty(v_Host_Name) and Host_HostName =~ v_Host_Name and isnotempty(v_Host_NTDomain) and isnotempty(v_Host_DnsDomain) and Host_DnsDomain =~ v_Host_DnsDomain) \\nor (isnotempty(v_Host_AzureID) and v_Host_AzureID =~ _ResourceId)\\nor (isnotempty(v_Host_OMSAgentID) and v_Host_OMSAgentID == SourceComputerId)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName) \\n| project TimeGenerated, EventID, Activity, Computer, MemberAdded, MemberName, MemberSid, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectUserName, SubjectUserSid, WellKnownGroupSID, WellKnownLocalSID, _ResourceId, SourceComputerId\\n| extend GroupName = TargetUserName, AddedBy = SubjectUserName\\n//support for Activities\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer\\n};\\nGetGroupAddForHost(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027) \\n| where (TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID) and TargetSid != \u0027S-1-5-32-544\u0027 and not(TargetSid matches regex \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-512$\u0027) and not(TargetSid matches regex \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-519$\u0027) \\n| project Computer, MemberAdded, AddedBy, GroupName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/290032e9-c52e-4e66-841a-7428f0b356bb\",\"name\":\"290032e9-c52e-4e66-841a-7428f0b356bb\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was created on this host\",\"content\":\"On \u0027{{Computer}}\u0027 the account \u0027{{User}}\u0027 was created by sudo\",\"description\":\"Account created on Host\",\"queryDefinitions\":{\"query\":\"let AllUserEvents = (v_Host_Name:string, v_Host_AzureID:string) {\\nSyslog\\n| where Computer == v_Host_Name or v_Host_AzureID == _ResourceId\\n| where Facility == \u0027authpriv\u0027\\n| where ProcessName in~ (\u0027useradd\u0027,\u0027userdel\u0027)\\n| where SyslogMessage startswith \u0027new user:\u0027 or SyslogMessage startswith \u0027delete user \u0027\\n| extend User = case(SyslogMessage startswith \u0027new user:\u0027, tostring(split(tostring(split(SyslogMessage, \u0027name=\u0027)[1]), \u0027,\u0027)[0]),\\nSyslogMessage startswith \u0027delete user \u0027, tostring(split(SyslogMessage, \\\"\u0027\\\")[1]),\\n\u0027Not Available\u0027)\\n| extend Action = case( SyslogMessage startswith \u0027new user\u0027, \u0027new user\u0027, SyslogMessage startswith \u0027delete user\u0027, \u0027delete user\u0027, \u0027None\u0027)\\n| project TimeGenerated, Computer, HostIP, User, Facility, ProcessName, Action, SyslogMessage, _ResourceId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, AccountCustomEntity = User\\n};\\nAllUserEvents(\u0027{{Host_HostName}}\u0027, \u0027{{Host_AzureID}}\u0027) \\n| where Action == \u0027new user\u0027 \\n| project Computer, User, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"Syslog\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\"],[\"Host_AzureID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Linux\"]}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/ce9e87c7-2ffa-42cb-92e5-f1a4f21f007a\",\"name\":\"ce9e87c7-2ffa-42cb-92e5-f1a4f21f007a\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was deleted on this host\",\"content\":\"On \u0027{{Computer}}\u0027 the account \u0027{{User}}\u0027 was deleted by sudo\",\"description\":\"Account deleted on Host\",\"queryDefinitions\":{\"query\":\"let AllUserEvents = (v_Host_Name:string, v_Host_AzureID:string) {\\nSyslog\\n| where Computer == v_Host_Name or v_Host_AzureID == _ResourceId\\n| where Facility == \u0027authpriv\u0027\\n| where ProcessName in~ (\u0027useradd\u0027,\u0027userdel\u0027)\\n| where SyslogMessage startswith \u0027new user:\u0027 or SyslogMessage startswith \u0027delete user \u0027\\n| extend User = case(SyslogMessage startswith \u0027new user:\u0027, tostring(split(tostring(split(SyslogMessage, \u0027name=\u0027)[1]), \u0027,\u0027)[0]),\\nSyslogMessage startswith \u0027delete user \u0027, tostring(split(SyslogMessage, \\\"\u0027\\\")[1]),\\n\u0027Not Available\u0027)\\n| extend Action = case( SyslogMessage startswith \u0027new user\u0027, \u0027new user\u0027, SyslogMessage startswith \u0027delete user\u0027, \u0027delete user\u0027, \u0027None\u0027)\\n| project TimeGenerated, Computer, HostIP, User, Facility, ProcessName, Action, SyslogMessage, _ResourceId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, AccountCustomEntity = User\\n};\\nAllUserEvents(\u0027{{Host_HostName}}\u0027, \u0027{{Host_AzureID}}\u0027) \\n| where Action == \u0027delete user\u0027 \\n| project Computer, User, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"Syslog\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\"],[\"Host_AzureID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Linux\"]}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/46aeae2d-187c-41f9-b8d6-9d75c43bce0a\",\"name\":\"46aeae2d-187c-41f9-b8d6-9d75c43bce0a\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was added to the sudo group\",\"content\":\"On \u0027{{Computer}}\u0027 the user \u0027{{User}}\u0027 was added by \u0027{{AcctMakingChange}}\u0027 to group: \u0027{{Group}}\u0027\",\"description\":\"Account added to the sudo group\",\"queryDefinitions\":{\"query\":\"let AllUserEvents = (v_Host_Name:string, v_Host_AzureID:string) {\\nSyslog\\n| where Computer == v_Host_Name or v_Host_AzureID == _ResourceId\\n| where Facility == \u0027authpriv\u0027\\n| where SyslogMessage !startswith \\\"omsagent\\\"\\n| where SyslogMessage has \u0027COMMAND\u0027 or ProcessName in~ (\u0027gpasswd\u0027, \u0027useradd\u0027, \u0027userdel\u0027)\\n| parse SyslogMessage with * \u0027user \u0027 User \u0027 \u0027 Verb \u0027 by \u0027 AcctMakingChange \u0027 \u0027 Preposition \u0027 group \u0027 Group\\n| extend Group = case(\\nSyslogMessage startswith \u0027removed group\u0027 or SyslogMessage startswith \u0027removed shadow group\u0027, tostring(split(SyslogMessage, \\\"\u0027\\\")[1]), \\nSyslogMessage startswith \u0027new group\u0027, tostring(split(tostring(split(SyslogMessage, \u0027=\u0027)[1]),\u0027,\u0027)[0]),\\nGroup)\\n| extend Action = case(\\nisnotempty(Verb) or isnotempty(Preposition), strcat(Verb, \u0027 \u0027, Preposition),\\nSyslogMessage startswith \u0027new group\u0027, \u0027new group\u0027,\\nSyslogMessage startswith \u0027removed group\u0027, \u0027removed group\u0027,\\nSyslogMessage startswith \u0027removed shadow group\u0027, \u0027removed shadow group\u0027,\\n\u0027None\u0027)\\n| where isnotempty(Action) and Action != \u0027None\u0027 and isnotempty(Group)\\n| project TimeGenerated, Computer, HostIP, User, Action, Group, Facility, ProcessName, AcctMakingChange, SyslogMessage, _ResourceId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, AccountCustomEntity = User\\n};\\nAllUserEvents(\u0027{{Host_HostName}}\u0027, \u0027{{Host_AzureID}}\u0027) \\n| where Action =~ \u0027added to\u0027 and Group =~ \u0027sudo\u0027 \\n| project Computer, User, AcctMakingChange, Group, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"Syslog\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\"],[\"Host_AzureID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Linux\"]}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/e24dd437-c65e-40e1-8d59-cd303ad4496a\",\"name\":\"e24dd437-c65e-40e1-8d59-cd303ad4496a\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was removed from the sudo group\",\"content\":\"On \u0027{{Computer}}\u0027 the user \u0027{{User}}\u0027 was added by \u0027{{AcctMakingChange}}\u0027 to group: \u0027{{Group}}\u0027\",\"description\":\"Account removed from sudo group\",\"queryDefinitions\":{\"query\":\"let AllUserEvents = (v_Host_Name:string, v_Host_AzureID:string) {\\nSyslog\\n| where Computer == v_Host_Name or v_Host_AzureID == _ResourceId\\n| where Facility == \u0027authpriv\u0027\\n| where SyslogMessage !startswith \\\"omsagent\\\"\\n| where SyslogMessage has \u0027COMMAND\u0027 or ProcessName in~ (\u0027gpasswd\u0027, \u0027useradd\u0027, \u0027userdel\u0027)\\n| parse SyslogMessage with * \u0027user \u0027 User \u0027 \u0027 Verb \u0027 by \u0027 AcctMakingChange \u0027 \u0027 Preposition \u0027 group \u0027 Group\\n| extend Group = case(\\nSyslogMessage startswith \u0027removed group\u0027 or SyslogMessage startswith \u0027removed shadow group\u0027, tostring(split(SyslogMessage, \\\"\u0027\\\")[1]), \\nSyslogMessage startswith \u0027new group\u0027, tostring(split(tostring(split(SyslogMessage, \u0027=\u0027)[1]),\u0027,\u0027)[0]),\\nGroup)\\n| extend Action = case(\\nisnotempty(Verb) or isnotempty(Preposition), strcat(Verb, \u0027 \u0027, Preposition),\\nSyslogMessage startswith \u0027new group\u0027, \u0027new group\u0027,\\nSyslogMessage startswith \u0027removed group\u0027, \u0027removed group\u0027,\\nSyslogMessage startswith \u0027removed shadow group\u0027, \u0027removed shadow group\u0027,\\n\u0027None\u0027)\\n| where isnotempty(Action) and Action != \u0027None\u0027 and isnotempty(Group)\\n| project TimeGenerated, Computer, HostIP, User, Action, Group, Facility, ProcessName, AcctMakingChange, SyslogMessage, _ResourceId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, AccountCustomEntity = User\\n};\\nAllUserEvents(\u0027{{Host_HostName}}\u0027, \u0027{{Host_AzureID}}\u0027) \\n| where Action =~ \u0027removed from\u0027 and Group =~ \u0027sudo\u0027 \\n| project Computer, User, AcctMakingChange, Group, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"Syslog\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\"],[\"Host_AzureID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Linux\"]}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/c91cb743-7c6c-4ccf-b066-13448c9c085c\",\"name\":\"c91cb743-7c6c-4ccf-b066-13448c9c085c\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Windows Defender Application Control activities on this host\",\"content\":\"{{FriendlyActivityName}} by {{InitiatingProcessAccountUpn}} {{Count}} time(s)\",\"description\":\"Microsoft Defender Application Control activities\",\"queryDefinitions\":{\"query\":\"let AppControlEvents=(v_Host_HostName:string, v_Host_NTDomain:string, v_Host_DnsDomain:string){\\nlet p_FullDeviceName = iff(isnotempty(v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_NTDomain));\\nlet AppControls=datatable(ActionType:string, Description:string, FriendlyActivityName:string)\\n [\\\"AppControlAppInstallationAudited\\\", \\\"Application control detected the installation of an untrusted app.\\\",\\\"Untrusted app installed\\\"\\n ,\\\"AppControlAppInstallationBlocked\\\", \\\"Application control blocked the installation of an untrusted app.\\\", \\\"Untrusted app installation blocked\\\"\\n ,\\\"AppControlCodeIntegrityDriverRevoked\\\", \\\"Application control found a driver with a revoked certificate.\\\", \\\"Driver with revoked certificate detected\\\"\\n ,\\\"AppControlCodeIntegrityImageRevoked\\\", \\\"Application control found an executable file with a revoked certificate.\\\", \\\"Executable with revoked certificate detected\\\"\\n ,\\\"AppControlExecutableAudited\\\",\\\"Application control detected the use of an untrusted executable.\\\",\\\"Untrusted executable used\\\"\\n ,\\\"AppControlExecutableBlocked\\\",\\\"Application control blocked the use of an untrusted executable.\\\",\\\"Untrusted executable blocked\\\"\\n ,\\\"AppControlScriptAudited\\\", \\\"Application control detected the use of an untrusted script.\\\", \\\"Untrusted script detected\\\"\\n ,\\\"AppControlScriptBlocked\\\", \\\"Application control blocked the use of an untrusted script.\\\", \\\"Untrusted script blocked\\\" ];\\nDeviceEvents\\n| where ActionType in (AppControls) \\n| where DeviceName ==p_FullDeviceName\\n| lookup AppControls on ActionType\\n};\\nAppControlEvents(\u0027{{Host_HostName}}\u0027,\u0027{{Host_NTDomain}}\u0027,\u0027{{Host_DnsDomain}}\u0027) \\n| project DeviceName, ActionType, FriendlyActivityName, InitiatingProcessAccountUpn, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"DeviceEvents\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/c7def1db-6a27-45dc-bee0-0c5fd5e7f1fe\",\"name\":\"c7def1db-6a27-45dc-bee0-0c5fd5e7f1fe\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Screenshot taken\",\"content\":\"The user \u0027{{InitiatingProcessAccountUpn}}\u0027 has taken {{Count}} screenshot(s) on the host\",\"description\":\"A screenshot was taken on the host\",\"queryDefinitions\":{\"query\":\"let ScreenshotTakers= (v_Host_HostName:string, v_Host_NTDomain:string, v_Host_DnsDomain:string){\\n let p_FullDeviceName = iff(isnotempty(v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_NTDomain) );\\n DeviceEvents \\n | where ActionType ==\u0027ScreenshotTaken\u0027 \\n | where DeviceName =~ p_FullDeviceName\\n};\\nScreenshotTakers(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027) \\n| where 1==1 \\n| project InitiatingProcessAccountName, InitiatingProcessAccountUpn, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"DeviceEvents\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/8d0e9356-be1e-45ac-9403-d0ac3f1605b7\",\"name\":\"8d0e9356-be1e-45ac-9403-d0ac3f1605b7\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Exploit protection blocked the launch of a process from an image file that is not signed by Microsoft\",\"content\":\"Launch of unsigned file \u0027{{FileName}}\u0027 by process \u0027{{InitiatingProcessFileName}}\u0027 initiated by \u0027{{InitiatingProcessAccountName}}\u0027 was blocked. \",\"description\":\"Exploit protection blocked the launch of a process from an image file that is not signed by Microsoft\",\"queryDefinitions\":{\"query\":\"let NonMSSignedBlocked= (v_Host_HostName:string, v_Host_NTDomain:string, v_Host_DnsDomain:string){\\n let p_FullDeviceName = iff(isnotempty(v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_NTDomain) );\\n DeviceEvents\\n | where ActionType in (\\\"ExploitGuardNonMicrosoftSignedBlocked\\\", \\\"ExploitGuardNonMicrosoftSignedAudited\\\") \\n and FileName !hassuffix \u0027.ni.dll\u0027\\n | where DeviceName =~ p_FullDeviceName\\n | project TimeGenerated\\n , FileName\\n ,InitiatingProcessFileName\\n , InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessAccountSid\\n , DeviceName , ActionType\\n};\\nNonMSSignedBlocked(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027) \\n| where ActionType =~ \u0027ExploitGuardNonMicrosoftSignedBlocked\u0027 \\n| project FileName, InitiatingProcessFileName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessAccountSid, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"DeviceEvents\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/3ff80327-7c54-449d-95d4-613848f7d60b\",\"name\":\"3ff80327-7c54-449d-95d4-613848f7d60b\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Exploit protection detected the launch of a process from an image file that is not signed by Microsoft\",\"content\":\"Launch of unsigned file \u0027{{FileName}}\u0027 by process \u0027{{InitiatingProcessFileName}}\u0027 initiated by \u0027{{InitiatingProcessAccountName}}\u0027 was audited.\",\"description\":\"Exploit protection detected the launch of a process from an image file that is not signed by Microsoft\",\"queryDefinitions\":{\"query\":\"let NonMSSignedBlocked= (v_Host_HostName:string, v_Host_NTDomain:string, v_Host_DnsDomain:string){\\n let p_FullDeviceName = iff(isnotempty(v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_NTDomain) );\\n DeviceEvents\\n | where ActionType in (\\\"ExploitGuardNonMicrosoftSignedBlocked\\\", \\\"ExploitGuardNonMicrosoftSignedAudited\\\") \\n and FileName !hassuffix \u0027.ni.dll\u0027\\n | where DeviceName =~ p_FullDeviceName\\n | project TimeGenerated\\n , FileName\\n ,InitiatingProcessFileName\\n , InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessAccountSid\\n , DeviceName , ActionType\\n};\\nNonMSSignedBlocked(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027) \\n| where ActionType =~ \u0027ExploitGuardNonMicrosoftSignedAudited\u0027 \\n| project FileName, InitiatingProcessFileName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessAccountSid, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"DeviceEvents\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/3f7059b2-67ea-4fc1-af34-37f5fc69a630\",\"name\":\"3f7059b2-67ea-4fc1-af34-37f5fc69a630\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Windows Defender Antivirus activities on this host\",\"content\":\"Window Defender Antivirus \u0027{{ActionType}}\u0027 activity was spotted on Host {{Host_HostName}}\",\"description\":\"Windows Defender Antivirus activities\",\"queryDefinitions\":{\"query\":\"let AntivirusEvents=(v_Host_HostName:string, v_Host_NTDomain:string, v_Host_DnsDomain:string){\\nlet Severity= datatable(ActionType:string, Severity:int)[\\\"AntivirusMalwareActionFailed\\\",1,\\\"AntivirusDetection\\\",2,\\\"AntivirusScanFailed\\\",3, \\\"AntivirusError\\\",4, \\\"AntivirusDefinitionsUpdateFailed\\\",5];\\nlet p_FullDeviceName = iff(isnotempty(v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_NTDomain));\\nDeviceEvents\\n| where ActionType hasprefix \\\"Antivirus\\\" and ActionType !in( \\\"AntivirusReport\\\", \\\"AntivirusScanCompleted\\\", \\\"AntivirusDefinitionsUpdated\\\",\\\"AntivirusEmergencyUpdatesInstalled\\\")\\n| where DeviceName ==p_FullDeviceName\\n| lookup Severity on ActionType};\\nAntivirusEvents(\u0027{{Host_HostName}}\u0027,\u0027{{Host_NTDomain}}\u0027,\u0027{{Host_DnsDomain}}\u0027) \\n| where ActionType !in( \\\"AntivirusReport\\\", \\\"AntivirusScanCompleted\\\", \\\"AntivirusDefinitionsUpdated\\\",\\\"AntivirusEmergencyUpdatesInstalled\\\") \\n| project ActionType, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"DeviceEvents\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}}]}", + "Content": "{\"value\":[{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueryTemplates/d6d08c94-455f-4ea5-8f76-fc6c0c442cfa\",\"name\":\"d6d08c94-455f-4ea5-8f76-fc6c0c442cfa\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user has created an account\",\"content\":\"The user {{InitiatedByAccount}} has created the account {{TargetAccount}} {{Count}} time(s)\",\"description\":\"This activity displays account creation events performed by the user\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (Account_Name:string, Account_NTDomain:string, Account_UPNSuffix:string, Account_AadUserId:string, Account_Sid:string){\\nlet Account_UPN = strcat(Account_Name, \u0027@\u0027, Account_UPNSuffix);\\nlet Account_Win = strcat(Account_NTDomain,\u0027\\\\\\\\\u0027, Account_Name);\\nunion isfuzzy=true\\n(AuditLogs\\n | where tostring(bag_keys(InitiatedBy)[0]) == \\\"user\\\"\\n | where OperationName in~ (\u0027Add user\u0027, \u0027Update user\u0027, \u0027Delete user\u0027, \u0027Change user password\u0027, \u0027Reset user password\u0027, \u0027Reset password (by admin)\u0027, \u0027Change password (self-service)\u0027, \u0027Reset password (self-service)\u0027)\\n | where Account_UPN =~ tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName) or Account_AadUserId =~ tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend InitiatedByAccount = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | parse InitiatedByAccount with userName:string \u0027@\u0027 userUpnSuffix:string\\n | extend InitiatedByAADUserId = tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend TargetAccount = tostring(TargetResources[0].userPrincipalName)\\n | parse TargetAccount with TargetAccountName:string \u0027@\u0027 TargetAccountUPNSuffix:string\\n | extend TargetAADUserId = tostring(TargetResources[0].id)\\n | extend Action = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[0])))\\n | extend ModifiedProperty = tostring(parse_json(Action).displayName), ModifiedValue = tostring(parse_json(Action).newValue)\\n | extend DisableUser = iif(ModifiedProperty =~ \u0027AccountEnabled\u0027 and ModifiedValue =~ \u0027[false]\u0027, \u0027True\u0027, \u0027False\u0027)\\n),\\n(SecurityEvent\\n | where AccountType =~ \\\"user\\\" or isempty(AccountType)\\n | where EventID in (4720, 4722, 4723, 4724, 4725, 4726, 4740)\\n | where Account_Win =~ SubjectAccount or Account_Sid =~ SubjectUserSid\\n | parse TargetAccount with TargetAccountNTDomain \u0027\\\\\\\\\u0027 TargetAccountName\\n | extend InitiatedByAccount = SubjectAccount, InitiatedByUserSid = SubjectUserSid, OperationName = tostring(EventID), ModifiedProperty = Activity\\n)\\n};\\nGetAccountActions(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_AadUserId}}\u0027, \u0027{{Account_Sid}}\u0027) \\n| where OperationName in~ (\u0027Add user\u0027, \u00274720\u0027) \\n| project InitiatedByAccount, TargetAccount, TargetSid, TargetAADUserId, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AuditLogs\"},{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AadUserId\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueryTemplates/e0459780-ac9d-4b72-8bd4-fecf6b46a0a1\",\"name\":\"e0459780-ac9d-4b72-8bd4-fecf6b46a0a1\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user has deleted an account\",\"content\":\"The user {{InitiatedByAccount}} has deleted the account {{TargetAccount}} {{Count}} time(s)\",\"description\":\"This activity displays account deletion events performed by the user\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (Account_Name:string, Account_NTDomain:string, Account_UPNSuffix:string, Account_AadUserId:string, Account_Sid:string){\\nlet Account_UPN = strcat(Account_Name, \u0027@\u0027, Account_UPNSuffix);\\nlet Account_Win = strcat(Account_NTDomain,\u0027\\\\\\\\\u0027, Account_Name);\\nunion isfuzzy=true\\n(AuditLogs\\n | where tostring(bag_keys(InitiatedBy)[0]) == \\\"user\\\"\\n | where OperationName in~ (\u0027Add user\u0027, \u0027Update user\u0027, \u0027Delete user\u0027, \u0027Change user password\u0027, \u0027Reset user password\u0027, \u0027Reset password (by admin)\u0027, \u0027Change password (self-service)\u0027, \u0027Reset password (self-service)\u0027)\\n | where Account_UPN =~ tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName) or Account_AadUserId =~ tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend InitiatedByAccount = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | parse InitiatedByAccount with userName:string \u0027@\u0027 userUpnSuffix:string\\n | extend InitiatedByAADUserId = tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend TargetAccount = tostring(TargetResources[0].userPrincipalName)\\n | parse TargetAccount with TargetAccountName:string \u0027@\u0027 TargetAccountUPNSuffix:string\\n | extend TargetAADUserId = tostring(TargetResources[0].id)\\n | extend Action = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[0])))\\n | extend ModifiedProperty = tostring(parse_json(Action).displayName), ModifiedValue = tostring(parse_json(Action).newValue)\\n | extend DisableUser = iif(ModifiedProperty =~ \u0027AccountEnabled\u0027 and ModifiedValue =~ \u0027[false]\u0027, \u0027True\u0027, \u0027False\u0027)\\n),\\n(SecurityEvent\\n | where AccountType =~ \\\"user\\\" or isempty(AccountType)\\n | where EventID in (4720, 4722, 4723, 4724, 4725, 4726, 4740)\\n | where Account_Win =~ SubjectAccount or Account_Sid =~ SubjectUserSid\\n | parse TargetAccount with TargetAccountNTDomain \u0027\\\\\\\\\u0027 TargetAccountName\\n | extend InitiatedByAccount = SubjectAccount, InitiatedByUserSid = SubjectUserSid, OperationName = tostring(EventID), ModifiedProperty = Activity\\n)\\n};\\nGetAccountActions(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_AadUserId}}\u0027, \u0027{{Account_Sid}}\u0027) \\n| where OperationName in~ (\u0027Delete user\u0027, \u00274726\u0027) \\n| project InitiatedByAccount, TargetAccount, TargetSid, TargetAADUserId, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AuditLogs\"},{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AadUserId\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueryTemplates/ad1f4269-5418-4c46-a3b6-4ec01031de60\",\"name\":\"ad1f4269-5418-4c46-a3b6-4ec01031de60\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user has reset an account\u0027s password\",\"content\":\"The password for account {{TargetAccount}} was reset by the user {{InitiatedByAccount}} {{Count}} time(s)\",\"description\":\"This activity displays password reset events performed by the user\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (Account_Name:string, Account_NTDomain:string, Account_UPNSuffix:string, Account_AadUserId:string, Account_Sid:string){\\nlet Account_UPN = strcat(Account_Name, \u0027@\u0027, Account_UPNSuffix);\\nlet Account_Win = strcat(Account_NTDomain,\u0027\\\\\\\\\u0027, Account_Name);\\nunion isfuzzy=true\\n(AuditLogs\\n | where tostring(bag_keys(InitiatedBy)[0]) == \\\"user\\\"\\n | where OperationName in~ (\u0027Add user\u0027, \u0027Update user\u0027, \u0027Delete user\u0027, \u0027Change user password\u0027, \u0027Reset user password\u0027, \u0027Reset password (by admin)\u0027, \u0027Change password (self-service)\u0027, \u0027Reset password (self-service)\u0027)\\n | where Account_UPN =~ tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName) or Account_AadUserId =~ tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend InitiatedByAccount = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | parse InitiatedByAccount with userName:string \u0027@\u0027 userUpnSuffix:string\\n | extend InitiatedByAADUserId = tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend TargetAccount = tostring(TargetResources[0].userPrincipalName)\\n | parse TargetAccount with TargetAccountName:string \u0027@\u0027 TargetAccountUPNSuffix:string\\n | extend TargetAADUserId = tostring(TargetResources[0].id)\\n | extend Action = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[0])))\\n | extend ModifiedProperty = tostring(parse_json(Action).displayName), ModifiedValue = tostring(parse_json(Action).newValue)\\n | extend DisableUser = iif(ModifiedProperty =~ \u0027AccountEnabled\u0027 and ModifiedValue =~ \u0027[false]\u0027, \u0027True\u0027, \u0027False\u0027)\\n),\\n(SecurityEvent\\n | where AccountType =~ \\\"user\\\" or isempty(AccountType)\\n | where EventID in (4720, 4722, 4723, 4724, 4725, 4726, 4740)\\n | where Account_Win =~ SubjectAccount or Account_Sid =~ SubjectUserSid\\n | parse TargetAccount with TargetAccountNTDomain \u0027\\\\\\\\\u0027 TargetAccountName\\n | extend InitiatedByAccount = SubjectAccount, InitiatedByUserSid = SubjectUserSid, OperationName = tostring(EventID), ModifiedProperty = Activity\\n)\\n};\\nGetAccountActions(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_AadUserId}}\u0027, \u0027{{Account_Sid}}\u0027) \\n| where OperationName in~ (\u0027Change user password\u0027, \u0027Reset user password\u0027, \u0027Change password (self-service)\u0027, \u0027Reset password (by admin)\u0027, \u0027Reset password (self-service)\u0027, \u00274724\u0027, \u00274723\u0027) \\n| project InitiatedByAccount, TargetAccount, TargetSid, TargetAADUserId, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AuditLogs\"},{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AadUserId\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueryTemplates/fde1b9cc-9480-4418-ae21-91723d16b24d\",\"name\":\"fde1b9cc-9480-4418-ae21-91723d16b24d\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user account was created\",\"content\":\"The user account {{TargetAccount}} was created\",\"description\":\"This activity displays the user account events for when it was created\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (Account_Name:string, Account_NTDomain:string, Account_UPNSuffix:string, Account_AadUserId:string, Account_Sid:string){\\nlet Account_UPN = strcat(Account_Name, \u0027@\u0027, Account_UPNSuffix);\\nlet Account_Win = strcat(Account_NTDomain,\u0027\\\\\\\\\u0027, Account_Name);\\nunion isfuzzy=true\\n(AuditLogs\\n | where tostring(bag_keys(InitiatedBy)[0]) == \\\"user\\\"\\n | where OperationName in~ (\u0027Add user\u0027, \u0027Update user\u0027, \u0027Delete user\u0027, \u0027Change user password\u0027, \u0027Reset user password\u0027, \u0027Reset password (by admin)\u0027, \u0027Change password (self-service)\u0027, \u0027Reset password (self-service)\u0027)\\n | where Account_UPN =~ tostring(TargetResources[0].userPrincipalName) or Account_AadUserId =~ tostring(TargetResources[0].id)\\n | extend InitiatedByAccount = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | parse InitiatedByAccount with userName:string \u0027@\u0027 userUpnSuffix:string\\n | extend InitiatedByAADUserId = tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend TargetAccount = tostring(TargetResources[0].userPrincipalName)\\n | parse TargetAccount with TargetAccountName:string \u0027@\u0027 TargetAccountUPNSuffix:string\\n | extend TargetAADUserId = tostring(TargetResources[0].id)\\n | extend Action = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[0])))\\n | extend ModifiedProperty = tostring(parse_json(Action).displayName), ModifiedValue = tostring(parse_json(Action).newValue)\\n | extend DisableUser = iif(ModifiedProperty =~ \u0027AccountEnabled\u0027 and ModifiedValue =~ \u0027[false]\u0027, \u0027True\u0027, \u0027False\u0027)\\n),\\n(SecurityEvent\\n | where AccountType =~ \\\"user\\\" or isempty(AccountType)\\n | where EventID in (4720, 4722, 4723, 4724, 4725, 4726, 4740)\\n | where Account_Win =~ TargetAccount or Account_Sid =~ TargetSid\\n | parse TargetAccount with TargetAccountNTDomain \u0027\\\\\\\\\u0027 TargetAccountName\\n | extend InitiatedByAccount = SubjectAccount, InitiatedByUserSid = SubjectUserSid, OperationName = tostring(EventID), ModifiedProperty = Activity\\n)\\n};\\nGetAccountActions(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_AadUserId}}\u0027, \u0027{{Account_Sid}}\u0027) \\n| where OperationName in~ (\u0027Add user\u0027, \u00274720\u0027) \\n| project TargetAccount, TargetSid, TargetAADUserId, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AuditLogs\"},{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AadUserId\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueryTemplates/b15901ba-8679-4f6a-b312-722031ab58f2\",\"name\":\"b15901ba-8679-4f6a-b312-722031ab58f2\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user account was deleted\",\"content\":\"The user account {{TargetAccount}} was deleted\",\"description\":\"This activity displays the user account events for when it was deleted\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (Account_Name:string, Account_NTDomain:string, Account_UPNSuffix:string, Account_AadUserId:string, Account_Sid:string){\\nlet Account_UPN = strcat(Account_Name, \u0027@\u0027, Account_UPNSuffix);\\nlet Account_Win = strcat(Account_NTDomain,\u0027\\\\\\\\\u0027, Account_Name);\\nunion isfuzzy=true\\n(AuditLogs\\n | where tostring(bag_keys(InitiatedBy)[0]) == \\\"user\\\"\\n | where OperationName in~ (\u0027Add user\u0027, \u0027Update user\u0027, \u0027Delete user\u0027, \u0027Change user password\u0027, \u0027Reset user password\u0027, \u0027Reset password (by admin)\u0027, \u0027Change password (self-service)\u0027, \u0027Reset password (self-service)\u0027)\\n | where Account_UPN =~ tostring(TargetResources[0].userPrincipalName) or Account_AadUserId =~ tostring(TargetResources[0].id)\\n | extend InitiatedByAccount = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | parse InitiatedByAccount with userName:string \u0027@\u0027 userUpnSuffix:string\\n | extend InitiatedByAADUserId = tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend TargetAccount = tostring(TargetResources[0].userPrincipalName)\\n | parse TargetAccount with TargetAccountName:string \u0027@\u0027 TargetAccountUPNSuffix:string\\n | extend TargetAADUserId = tostring(TargetResources[0].id)\\n | extend Action = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[0])))\\n | extend ModifiedProperty = tostring(parse_json(Action).displayName), ModifiedValue = tostring(parse_json(Action).newValue)\\n | extend DisableUser = iif(ModifiedProperty =~ \u0027AccountEnabled\u0027 and ModifiedValue =~ \u0027[false]\u0027, \u0027True\u0027, \u0027False\u0027)\\n),\\n(SecurityEvent\\n | where AccountType =~ \\\"user\\\" or isempty(AccountType)\\n | where EventID in (4720, 4722, 4723, 4724, 4725, 4726, 4740)\\n | where Account_Win =~ TargetAccount or Account_Sid =~ TargetSid\\n | parse TargetAccount with TargetAccountNTDomain \u0027\\\\\\\\\u0027 TargetAccountName\\n | extend InitiatedByAccount = SubjectAccount, InitiatedByUserSid = SubjectUserSid, OperationName = tostring(EventID), ModifiedProperty = Activity\\n)\\n};\\nGetAccountActions(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_AadUserId}}\u0027, \u0027{{Account_Sid}}\u0027) \\n| where OperationName in~ (\u0027Delete user\u0027, \u00274726\u0027) \\n| project TargetAccount, TargetSid, TargetAADUserId, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AuditLogs\"},{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AadUserId\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueryTemplates/c07d1d02-0a06-455e-add9-12c5a5e426f3\",\"name\":\"c07d1d02-0a06-455e-add9-12c5a5e426f3\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user account password was reset\",\"content\":\"The user account {{TargetAccount}} had a password reset\",\"description\":\"This activity displays the user account events for when the password was reset\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (Account_Name:string, Account_NTDomain:string, Account_UPNSuffix:string, Account_AadUserId:string, Account_Sid:string){\\nlet Account_UPN = strcat(Account_Name, \u0027@\u0027, Account_UPNSuffix);\\nlet Account_Win = strcat(Account_NTDomain,\u0027\\\\\\\\\u0027, Account_Name);\\nunion isfuzzy=true\\n(AuditLogs\\n | where tostring(bag_keys(InitiatedBy)[0]) == \\\"user\\\"\\n | where OperationName in~ (\u0027Add user\u0027, \u0027Update user\u0027, \u0027Delete user\u0027, \u0027Change user password\u0027, \u0027Reset user password\u0027, \u0027Reset password (by admin)\u0027, \u0027Change password (self-service)\u0027, \u0027Reset password (self-service)\u0027)\\n | where Account_UPN =~ tostring(TargetResources[0].userPrincipalName) or Account_AadUserId =~ tostring(TargetResources[0].id)\\n | extend InitiatedByAccount = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | parse InitiatedByAccount with userName:string \u0027@\u0027 userUpnSuffix:string\\n | extend InitiatedByAADUserId = tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend TargetAccount = tostring(TargetResources[0].userPrincipalName)\\n | parse TargetAccount with TargetAccountName:string \u0027@\u0027 TargetAccountUPNSuffix:string\\n | extend TargetAADUserId = tostring(TargetResources[0].id)\\n | extend Action = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[0])))\\n | extend ModifiedProperty = tostring(parse_json(Action).displayName), ModifiedValue = tostring(parse_json(Action).newValue)\\n | extend DisableUser = iif(ModifiedProperty =~ \u0027AccountEnabled\u0027 and ModifiedValue =~ \u0027[false]\u0027, \u0027True\u0027, \u0027False\u0027)\\n),\\n(SecurityEvent\\n | where AccountType =~ \\\"user\\\" or isempty(AccountType)\\n | where EventID in (4720, 4722, 4723, 4724, 4725, 4726, 4740)\\n | where Account_Win =~ TargetAccount or Account_Sid =~ TargetSid\\n | parse TargetAccount with TargetAccountNTDomain \u0027\\\\\\\\\u0027 TargetAccountName\\n | extend InitiatedByAccount = SubjectAccount, InitiatedByUserSid = SubjectUserSid, OperationName = tostring(EventID), ModifiedProperty = Activity\\n)\\n};\\nGetAccountActions(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_AadUserId}}\u0027, \u0027{{Account_Sid}}\u0027) \\n| where OperationName in~ (\u0027Change user password\u0027, \u0027Reset user password\u0027, \u0027Change password (self-service)\u0027, \u0027Reset password (by admin)\u0027, \u0027Reset password (self-service)\u0027, \u00274723\u0027, \u00274724\u0027) \\n| project TargetAccount, TargetSid, TargetAADUserId, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AuditLogs\"},{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AadUserId\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueryTemplates/5e9ecee5-e7a4-4a2a-94c4-9c0e22e1b673\",\"name\":\"5e9ecee5-e7a4-4a2a-94c4-9c0e22e1b673\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user consented to OAuth application\",\"content\":\"The user consented to the OAuth application named {{Target_CloudApplication_Name}} {{Count}} time(s)\",\"description\":\"This activity lists user\u0027s consents to an OAuth applications.\",\"queryDefinitions\":{\"query\":\"let UserConsentToApplication = (Account_Name:string, Account_UPNSuffix:string, Account_AadUserId:string){\\nlet account_upn = iff(Account_Name != \\\"\\\" and Account_UPNSuffix != \\\"\\\"\\n, strcat(Account_Name,\\\"@\\\",Account_UPNSuffix)\\n,\\\"\\\" );\\nAuditLogs\\n| where OperationName == \\\"Consent to application\\\"\\n| extend Source_Account_UPNSuffix = tostring(todynamic(InitiatedBy) [\\\"user\\\"][\\\"userPrincipalName\\\"]), Source_Account_AadUserId = tostring(todynamic(InitiatedBy) [\\\"user\\\"][\\\"id\\\"])\\n| where (account_upn != \\\"\\\" and account_upn =~ Source_Account_UPNSuffix) \\nor (Account_AadUserId != \\\"\\\" and Account_AadUserId =~ Source_Account_AadUserId)\\n| extend Target_CloudApplication_Name = tostring(todynamic(TargetResources)[0][\\\"displayName\\\"]), Target_CloudApplication_AppId = tostring(todynamic(TargetResources)[0][\\\"id\\\"])\\n};\\nUserConsentToApplication(\u0027{{Account_Name}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_AadUserId}}\u0027) \\n| project Target_CloudApplication_AppId, Target_CloudApplication_Name, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AuditLogs\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AadUserId\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueryTemplates/cab4058a-0707-4a02-b76f-cf96270823ed\",\"name\":\"cab4058a-0707-4a02-b76f-cf96270823ed\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"User performed operation on azure resource from IP\",\"content\":\"User performed operation {{OperationNameValue}} on azure resource: {{shortResourceId}} from IP {{Source_IP_Address}} {{Count}} time(s)\",\"description\":\"This activity lists the user\u0027s activities on Azure.\",\"queryDefinitions\":{\"query\":\"let AzureRunProcess = (Account_Name:string, Account_UPNSuffix:string,Account_AadUserId:string){\\nlet upn = strcat(Account_Name,\\\"@\\\",Account_UPNSuffix);\\nAzureActivity\\n| where (isnotempty(Account_AadUserId) and Caller =~ Account_AadUserId) or Caller =~ upn\\n| where OperationNameValue contains \\\"Run Command on Virtual Machine\\\"\\n or (OperationNameValue == \\\"List Storage Account Keys\\\" and ActivityStatusValue == \\\"Succeeded\\\")\\n or OperationNameValue == \\\"Create or Update Virtual Machine\\\"\\n or OperationNameValue == \\\"Create Deployment\\\"\\n or OperationNameValue == \\\"Create role assignment\\\"\\n| project-rename Target_AzureResource_ResourceId = _ResourceId, Source_IP_Address = CallerIpAddress\\n| extend shortResourceId = tostring(split(ResourceId,\u0027/\u0027)[-1])\\n};\\nAzureRunProcess(\u0027{{Account_Name}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_AadUserId}}\u0027) \\n| project Target_AzureResource_ResourceId, Source_IP_Address, shortResourceId, OperationNameValue, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AzureActivity\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AadUserId\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueryTemplates/febba410-e7d6-4c63-8fe5-2b93f448b7a1\",\"name\":\"febba410-e7d6-4c63-8fe5-2b93f448b7a1\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user has added accounts to a local privileged group\",\"content\":\"The user has added accounts to the local privileged group, {{TargetAccount}}, {{Count}} time(s)\",\"description\":\"This activity displays the user that added accounts to a local privileged group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalGroupSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownDomainGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForUser = (v_Account_Name:string, v_Account_NTDomain:string, v_Account_Sid:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n| where AccountType =~ \u0027User\u0027\\n| extend Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nSubjectUserName has \u0027@\u0027 and SubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nSubjectUserName has \u0027@\u0027, tostring(split(SubjectUserName, \u0027@\u0027)[0]),\\nSubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\\nSubjectUserName\\n)\\n| extend Account_NTDomain = case(\\nSubjectDomainName has \u0027\\\\\\\\\u0027, tostring(split(SubjectDomainName, \u0027\\\\\\\\\u0027)[0]),\\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nSubjectDomainName has \u0027@\u0027, tostring(split(tostring(split(SubjectDomainName, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nSubjectDomainName\\n)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName)\\n| extend MemberNameMatch = iff(isnotempty(v_Account_Name) and MemberAdded has v_Account_Name, true, false)\\n| extend MemberNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and MemberAdded has v_Account_NTDomain, true, false)\\n| extend MemberSidMatch = iff(isnotempty(v_Account_Sid) and MemberSid =~ v_Account_Sid, true, false)\\n| extend SubjectNameMatch = iff(isnotempty(v_Account_Name) and SubjectUserName =~ v_Account_Name, true, false)\\n| extend SubjectNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and SubjectDomainName =~ v_Account_NTDomain, true, false)\\n| extend SubjectSidMatch = iff(isnotempty(v_Account_Sid) and SubjectUserSid has v_Account_Sid, true, false)\\n| where (MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true or (SubjectNameMatch == true and SubjectNTDomainMatch == true) or SubjectSidMatch == true\\n| project TimeGenerated, EventID, Activity, Computer, MemberName, MemberAdded, MemberSid, TargetAccount, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectAccount, SubjectDomainName, SubjectUserName, SubjectUserSid, WellKnownDomainGroupSID, WellKnownLocalGroupSID,\\nMemberNameMatch, MemberNTDomainMatch, MemberSidMatch, SubjectNameMatch, SubjectNTDomainMatch, SubjectSidMatch\\n| extend GroupName = TargetUserName, AddedBy = SubjectAccount\\n//support for Activities\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount\\n};\\nGetGroupAddForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_Sid}}\u0027) \\n| where ((MemberNameMatch == false and MemberNTDomainMatch == false) or MemberSidMatch == false) and TargetSid matches regex WellKnownLocalGroupSID | where TargetSid !in (\u0027S-1-5-32-555\u0027) \\n| project SubjectAccount, TargetAccount, TargetSid, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueryTemplates/0e98c61c-6ae0-4e13-8071-d807dc25082a\",\"name\":\"0e98c61c-6ae0-4e13-8071-d807dc25082a\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user has added accounts to a domain privileged group\",\"content\":\"The user has added accounts to the domain privileged group, {{TargetAccount}}, {{Count}} time(s)\",\"description\":\"This activity displays the user that added accounts to a domain privileged group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalGroupSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownDomainGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForUser = (v_Account_Name:string, v_Account_NTDomain:string, v_Account_Sid:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n| where AccountType =~ \u0027User\u0027\\n| extend Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nSubjectUserName has \u0027@\u0027 and SubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nSubjectUserName has \u0027@\u0027, tostring(split(SubjectUserName, \u0027@\u0027)[0]),\\nSubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\\nSubjectUserName\\n)\\n| extend Account_NTDomain = case(\\nSubjectDomainName has \u0027\\\\\\\\\u0027, tostring(split(SubjectDomainName, \u0027\\\\\\\\\u0027)[0]),\\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nSubjectDomainName has \u0027@\u0027, tostring(split(tostring(split(SubjectDomainName, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nSubjectDomainName\\n)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName)\\n| extend MemberNameMatch = iff(isnotempty(v_Account_Name) and MemberAdded has v_Account_Name, true, false)\\n| extend MemberNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and MemberAdded has v_Account_NTDomain, true, false)\\n| extend MemberSidMatch = iff(isnotempty(v_Account_Sid) and MemberSid =~ v_Account_Sid, true, false)\\n| extend SubjectNameMatch = iff(isnotempty(v_Account_Name) and SubjectUserName =~ v_Account_Name, true, false)\\n| extend SubjectNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and SubjectDomainName =~ v_Account_NTDomain, true, false)\\n| extend SubjectSidMatch = iff(isnotempty(v_Account_Sid) and SubjectUserSid has v_Account_Sid, true, false)\\n| where (MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true or (SubjectNameMatch == true and SubjectNTDomainMatch == true) or SubjectSidMatch == true\\n| project TimeGenerated, EventID, Activity, Computer, MemberName, MemberAdded, MemberSid, TargetAccount, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectAccount, SubjectDomainName, SubjectUserName, SubjectUserSid, WellKnownDomainGroupSID, WellKnownLocalGroupSID,\\nMemberNameMatch, MemberNTDomainMatch, MemberSidMatch, SubjectNameMatch, SubjectNTDomainMatch, SubjectSidMatch\\n| extend GroupName = TargetUserName, AddedBy = SubjectAccount\\n//support for Activities\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount\\n};\\nGetGroupAddForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_Sid}}\u0027) \\n| where ((MemberNameMatch == false and MemberNTDomainMatch == false) or MemberSidMatch == false) and TargetSid matches regex WellKnownDomainGroupSID \\n| project SubjectAccount, TargetAccount, TargetSid, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueryTemplates/0caf9819-3269-48ac-b162-eeee638e4aa9\",\"name\":\"0caf9819-3269-48ac-b162-eeee638e4aa9\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"This user was added to a local privileged group\",\"content\":\"This user was added to the local privileged group {{TargetAccount}}, {{Count}} time(s)\",\"description\":\"This activity displays that this user was added to a local privileged group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalGroupSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownDomainGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForUser = (v_Account_Name:string, v_Account_NTDomain:string, v_Account_Sid:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n| where AccountType =~ \u0027User\u0027\\n| extend Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nSubjectUserName has \u0027@\u0027 and SubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nSubjectUserName has \u0027@\u0027, tostring(split(SubjectUserName, \u0027@\u0027)[0]),\\nSubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\\nSubjectUserName\\n)\\n| extend Account_NTDomain = case(\\nSubjectDomainName has \u0027\\\\\\\\\u0027, tostring(split(SubjectDomainName, \u0027\\\\\\\\\u0027)[0]),\\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nSubjectDomainName has \u0027@\u0027, tostring(split(tostring(split(SubjectDomainName, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nSubjectDomainName\\n)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName)\\n| extend MemberNameMatch = iff(isnotempty(v_Account_Name) and MemberAdded has v_Account_Name, true, false)\\n| extend MemberNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and MemberAdded has v_Account_NTDomain, true, false)\\n| extend MemberSidMatch = iff(isnotempty(v_Account_Sid) and MemberSid =~ v_Account_Sid, true, false)\\n| extend SubjectNameMatch = iff(isnotempty(v_Account_Name) and SubjectUserName =~ v_Account_Name, true, false)\\n| extend SubjectNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and SubjectDomainName =~ v_Account_NTDomain, true, false)\\n| extend SubjectSidMatch = iff(isnotempty(v_Account_Sid) and SubjectUserSid has v_Account_Sid, true, false)\\n| where (MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true or (SubjectNameMatch == true and SubjectNTDomainMatch == true) or SubjectSidMatch == true\\n| project TimeGenerated, EventID, Activity, Computer, MemberName, MemberAdded, MemberSid, TargetAccount, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectAccount, SubjectDomainName, SubjectUserName, SubjectUserSid, WellKnownDomainGroupSID, WellKnownLocalGroupSID,\\nMemberNameMatch, MemberNTDomainMatch, MemberSidMatch, SubjectNameMatch, SubjectNTDomainMatch, SubjectSidMatch\\n| extend GroupName = TargetUserName, AddedBy = SubjectAccount\\n//support for Activities\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount\\n};\\nGetGroupAddForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_Sid}}\u0027) \\n| where ((MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true) and TargetSid matches regex WellKnownLocalGroupSID | where TargetSid !in (\u0027S-1-5-32-555\u0027) \\n| project SubjectAccount, TargetAccount, TargetSid, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueryTemplates/d57681e4-18e6-459f-b61d-4d4a1f205b70\",\"name\":\"d57681e4-18e6-459f-b61d-4d4a1f205b70\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"This user was added to a domain privileged group\",\"content\":\"This user was added to the domain privileged group {{TargetAccount}}\",\"description\":\"This activity displays that this user was added to a domain privileged group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalGroupSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownDomainGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForUser = (v_Account_Name:string, v_Account_NTDomain:string, v_Account_Sid:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n| where AccountType =~ \u0027User\u0027\\n| extend Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nSubjectUserName has \u0027@\u0027 and SubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nSubjectUserName has \u0027@\u0027, tostring(split(SubjectUserName, \u0027@\u0027)[0]),\\nSubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\\nSubjectUserName\\n)\\n| extend Account_NTDomain = case(\\nSubjectDomainName has \u0027\\\\\\\\\u0027, tostring(split(SubjectDomainName, \u0027\\\\\\\\\u0027)[0]),\\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nSubjectDomainName has \u0027@\u0027, tostring(split(tostring(split(SubjectDomainName, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nSubjectDomainName\\n)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName)\\n| extend MemberNameMatch = iff(isnotempty(v_Account_Name) and MemberAdded has v_Account_Name, true, false)\\n| extend MemberNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and MemberAdded has v_Account_NTDomain, true, false)\\n| extend MemberSidMatch = iff(isnotempty(v_Account_Sid) and MemberSid =~ v_Account_Sid, true, false)\\n| extend SubjectNameMatch = iff(isnotempty(v_Account_Name) and SubjectUserName =~ v_Account_Name, true, false)\\n| extend SubjectNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and SubjectDomainName =~ v_Account_NTDomain, true, false)\\n| extend SubjectSidMatch = iff(isnotempty(v_Account_Sid) and SubjectUserSid has v_Account_Sid, true, false)\\n| where (MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true or (SubjectNameMatch == true and SubjectNTDomainMatch == true) or SubjectSidMatch == true\\n| project TimeGenerated, EventID, Activity, Computer, MemberName, MemberAdded, MemberSid, TargetAccount, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectAccount, SubjectDomainName, SubjectUserName, SubjectUserSid, WellKnownDomainGroupSID, WellKnownLocalGroupSID,\\nMemberNameMatch, MemberNTDomainMatch, MemberSidMatch, SubjectNameMatch, SubjectNTDomainMatch, SubjectSidMatch\\n| extend GroupName = TargetUserName, AddedBy = SubjectAccount\\n//support for Activities\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount\\n};\\nGetGroupAddForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_Sid}}\u0027) \\n| where ((MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true) and TargetSid matches regex WellKnownDomainGroupSID \\n| project SubjectAccount, TargetAccount, TargetSid, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueryTemplates/5ae2baf4-de7b-40f0-a861-8852266bfcd0\",\"name\":\"5ae2baf4-de7b-40f0-a861-8852266bfcd0\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user has added accounts to the Remote Desktop Users group\",\"content\":\"The user has added accounts to the {{TargetAccount}}, {{Count}} time(s)\",\"description\":\"This activity displays the user that added accounts to Remote Desktop group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalGroupSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownDomainGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForUser = (v_Account_Name:string, v_Account_NTDomain:string, v_Account_Sid:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n| where AccountType =~ \u0027User\u0027\\n| extend Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nSubjectUserName has \u0027@\u0027 and SubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nSubjectUserName has \u0027@\u0027, tostring(split(SubjectUserName, \u0027@\u0027)[0]),\\nSubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\\nSubjectUserName\\n)\\n| extend Account_NTDomain = case(\\nSubjectDomainName has \u0027\\\\\\\\\u0027, tostring(split(SubjectDomainName, \u0027\\\\\\\\\u0027)[0]),\\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nSubjectDomainName has \u0027@\u0027, tostring(split(tostring(split(SubjectDomainName, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nSubjectDomainName\\n)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName)\\n| extend MemberNameMatch = iff(isnotempty(v_Account_Name) and MemberAdded has v_Account_Name, true, false)\\n| extend MemberNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and MemberAdded has v_Account_NTDomain, true, false)\\n| extend MemberSidMatch = iff(isnotempty(v_Account_Sid) and MemberSid =~ v_Account_Sid, true, false)\\n| extend SubjectNameMatch = iff(isnotempty(v_Account_Name) and SubjectUserName =~ v_Account_Name, true, false)\\n| extend SubjectNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and SubjectDomainName =~ v_Account_NTDomain, true, false)\\n| extend SubjectSidMatch = iff(isnotempty(v_Account_Sid) and SubjectUserSid has v_Account_Sid, true, false)\\n| where (MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true or (SubjectNameMatch == true and SubjectNTDomainMatch == true) or SubjectSidMatch == true\\n| project TimeGenerated, EventID, Activity, Computer, MemberName, MemberAdded, MemberSid, TargetAccount, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectAccount, SubjectDomainName, SubjectUserName, SubjectUserSid, WellKnownDomainGroupSID, WellKnownLocalGroupSID,\\nMemberNameMatch, MemberNTDomainMatch, MemberSidMatch, SubjectNameMatch, SubjectNTDomainMatch, SubjectSidMatch\\n| extend GroupName = TargetUserName, AddedBy = SubjectAccount\\n//support for Activities\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount\\n};\\nGetGroupAddForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_Sid}}\u0027) \\n| where ((MemberNameMatch == false and MemberNTDomainMatch == false) or MemberSidMatch == false) and TargetSid in (\u0027S-1-5-32-555\u0027) \\n| project SubjectAccount, TargetAccount, TargetSid, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueryTemplates/60ef2e21-5f90-48bf-9bbc-d2a1829c3861\",\"name\":\"60ef2e21-5f90-48bf-9bbc-d2a1829c3861\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"This user was added to the Remote Desktop Users group\",\"content\":\"This user was added to the {{TargetAccount}} group\",\"description\":\"This activity displays that this user was added to the Remote Desktop group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalGroupSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownDomainGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForUser = (v_Account_Name:string, v_Account_NTDomain:string, v_Account_Sid:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n| where AccountType =~ \u0027User\u0027\\n| extend Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nSubjectUserName has \u0027@\u0027 and SubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nSubjectUserName has \u0027@\u0027, tostring(split(SubjectUserName, \u0027@\u0027)[0]),\\nSubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\\nSubjectUserName\\n)\\n| extend Account_NTDomain = case(\\nSubjectDomainName has \u0027\\\\\\\\\u0027, tostring(split(SubjectDomainName, \u0027\\\\\\\\\u0027)[0]),\\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nSubjectDomainName has \u0027@\u0027, tostring(split(tostring(split(SubjectDomainName, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nSubjectDomainName\\n)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName)\\n| extend MemberNameMatch = iff(isnotempty(v_Account_Name) and MemberAdded has v_Account_Name, true, false)\\n| extend MemberNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and MemberAdded has v_Account_NTDomain, true, false)\\n| extend MemberSidMatch = iff(isnotempty(v_Account_Sid) and MemberSid =~ v_Account_Sid, true, false)\\n| extend SubjectNameMatch = iff(isnotempty(v_Account_Name) and SubjectUserName =~ v_Account_Name, true, false)\\n| extend SubjectNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and SubjectDomainName =~ v_Account_NTDomain, true, false)\\n| extend SubjectSidMatch = iff(isnotempty(v_Account_Sid) and SubjectUserSid has v_Account_Sid, true, false)\\n| where (MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true or (SubjectNameMatch == true and SubjectNTDomainMatch == true) or SubjectSidMatch == true\\n| project TimeGenerated, EventID, Activity, Computer, MemberName, MemberAdded, MemberSid, TargetAccount, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectAccount, SubjectDomainName, SubjectUserName, SubjectUserSid, WellKnownDomainGroupSID, WellKnownLocalGroupSID,\\nMemberNameMatch, MemberNTDomainMatch, MemberSidMatch, SubjectNameMatch, SubjectNTDomainMatch, SubjectSidMatch\\n| extend GroupName = TargetUserName, AddedBy = SubjectAccount\\n//support for Activities\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount\\n};\\nGetGroupAddForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_Sid}}\u0027) \\n| where ((MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true) and TargetSid in (\u0027S-1-5-32-555\u0027) \\n| project SubjectAccount, TargetAccount, TargetSid, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueryTemplates/bf56473d-b9bd-4eb1-96d0-8569ec7a9003\",\"name\":\"bf56473d-b9bd-4eb1-96d0-8569ec7a9003\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user has added an account to a security group\",\"content\":\"The user has added {{MemberAdded}} to the {{TargetAccount}} group\",\"description\":\"This activity displays the user that added an account and the account that was added to a security group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalGroupSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownDomainGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForUser = (v_Account_Name:string, v_Account_NTDomain:string, v_Account_Sid:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n| where AccountType =~ \u0027User\u0027\\n| extend Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nSubjectUserName has \u0027@\u0027 and SubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nSubjectUserName has \u0027@\u0027, tostring(split(SubjectUserName, \u0027@\u0027)[0]),\\nSubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\\nSubjectUserName\\n)\\n| extend Account_NTDomain = case(\\nSubjectDomainName has \u0027\\\\\\\\\u0027, tostring(split(SubjectDomainName, \u0027\\\\\\\\\u0027)[0]),\\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nSubjectDomainName has \u0027@\u0027, tostring(split(tostring(split(SubjectDomainName, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nSubjectDomainName\\n)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName)\\n| extend MemberNameMatch = iff(isnotempty(v_Account_Name) and MemberAdded has v_Account_Name, true, false)\\n| extend MemberNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and MemberAdded has v_Account_NTDomain, true, false)\\n| extend MemberSidMatch = iff(isnotempty(v_Account_Sid) and MemberSid =~ v_Account_Sid, true, false)\\n| extend SubjectNameMatch = iff(isnotempty(v_Account_Name) and SubjectUserName =~ v_Account_Name, true, false)\\n| extend SubjectNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and SubjectDomainName =~ v_Account_NTDomain, true, false)\\n| extend SubjectSidMatch = iff(isnotempty(v_Account_Sid) and SubjectUserSid has v_Account_Sid, true, false)\\n| where (MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true or (SubjectNameMatch == true and SubjectNTDomainMatch == true) or SubjectSidMatch == true\\n| project TimeGenerated, EventID, Activity, Computer, MemberName, MemberAdded, MemberSid, TargetAccount, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectAccount, SubjectDomainName, SubjectUserName, SubjectUserSid, WellKnownDomainGroupSID, WellKnownLocalGroupSID,\\nMemberNameMatch, MemberNTDomainMatch, MemberSidMatch, SubjectNameMatch, SubjectNTDomainMatch, SubjectSidMatch\\n| extend GroupName = TargetUserName, AddedBy = SubjectAccount\\n//support for Activities\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount\\n};\\nGetGroupAddForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_Sid}}\u0027) \\n| where ((SubjectNameMatch == true and SubjectNTDomainMatch == true) or SubjectSidMatch == true) and not(TargetSid matches regex WellKnownLocalGroupSID or TargetSid matches regex WellKnownDomainGroupSID) \\n| project SubjectAccount, MemberAdded, TargetAccount, TargetSid, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueryTemplates/252c9ad7-2957-43cd-8f33-4ac4bb56e119\",\"name\":\"252c9ad7-2957-43cd-8f33-4ac4bb56e119\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"This user was added to a security group\",\"content\":\"This user was added to the {{TargetAccount}} group, {{Count}} time(s)\",\"description\":\"This activity displays that this user was added to a security group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalGroupSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownDomainGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForUser = (v_Account_Name:string, v_Account_NTDomain:string, v_Account_Sid:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n| where AccountType =~ \u0027User\u0027\\n| extend Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nSubjectUserName has \u0027@\u0027 and SubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nSubjectUserName has \u0027@\u0027, tostring(split(SubjectUserName, \u0027@\u0027)[0]),\\nSubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\\nSubjectUserName\\n)\\n| extend Account_NTDomain = case(\\nSubjectDomainName has \u0027\\\\\\\\\u0027, tostring(split(SubjectDomainName, \u0027\\\\\\\\\u0027)[0]),\\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nSubjectDomainName has \u0027@\u0027, tostring(split(tostring(split(SubjectDomainName, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nSubjectDomainName\\n)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName)\\n| extend MemberNameMatch = iff(isnotempty(v_Account_Name) and MemberAdded has v_Account_Name, true, false)\\n| extend MemberNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and MemberAdded has v_Account_NTDomain, true, false)\\n| extend MemberSidMatch = iff(isnotempty(v_Account_Sid) and MemberSid =~ v_Account_Sid, true, false)\\n| extend SubjectNameMatch = iff(isnotempty(v_Account_Name) and SubjectUserName =~ v_Account_Name, true, false)\\n| extend SubjectNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and SubjectDomainName =~ v_Account_NTDomain, true, false)\\n| extend SubjectSidMatch = iff(isnotempty(v_Account_Sid) and SubjectUserSid has v_Account_Sid, true, false)\\n| where (MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true or (SubjectNameMatch == true and SubjectNTDomainMatch == true) or SubjectSidMatch == true\\n| project TimeGenerated, EventID, Activity, Computer, MemberName, MemberAdded, MemberSid, TargetAccount, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectAccount, SubjectDomainName, SubjectUserName, SubjectUserSid, WellKnownDomainGroupSID, WellKnownLocalGroupSID,\\nMemberNameMatch, MemberNTDomainMatch, MemberSidMatch, SubjectNameMatch, SubjectNTDomainMatch, SubjectSidMatch\\n| extend GroupName = TargetUserName, AddedBy = SubjectAccount\\n//support for Activities\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount\\n};\\nGetGroupAddForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_Sid}}\u0027) \\n| where ((MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true) and not(TargetSid matches regex WellKnownLocalGroupSID or TargetSid matches regex WellKnownDomainGroupSID) \\n| project SubjectAccount, TargetAccount, TargetSid, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueryTemplates/1f82f263-d694-469a-9717-1b3edf9d3bb2\",\"name\":\"1f82f263-d694-469a-9717-1b3edf9d3bb2\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user acted on another accounts mailbox\",\"content\":\"The user acted on mailbox {{MailboxOwnerUPN}} {{Count}} time(s)\",\"description\":\"This activity lists user\u0027s activities on others\u0027 mailbox\",\"queryDefinitions\":{\"query\":\"let TLQ_UserActedOnForeignMailbox = (Account_Name:string, Account_UPNSuffix:string, account_sid:string){\\nlet account_upn = iff(Account_Name!=\\\"\\\" and Account_UPNSuffix != \\\"\\\"\\n,strcat(Account_Name,\\\"@\\\",Account_UPNSuffix)\\n,\\\"\\\");\\nOfficeActivity\\n| where RecordType == \\\"ExchangeItem\\\" and UserType ==\\\"Regular\\\" and Operation !contains \\\"InboxRule\\\"\\n| where LogonUserSid != MailboxOwnerSid \\n| where ((account_sid != \\\"\\\" and LogonUserSid =~ account_sid)\\n or ( account_upn != \\\"\\\" and UserId =~ account_upn ))\\n};\\nTLQ_UserActedOnForeignMailbox(\u0027{{Account_Name}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_Sid}}\u0027) \\n| project MailboxOwnerSid, MailboxOwnerUPN, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"OfficeActivity\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueryTemplates/e480efd0-016d-428e-b892-84b9d586d004\",\"name\":\"e480efd0-016d-428e-b892-84b9d586d004\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user modified inbox rules on another accounts mailbox\",\"content\":\"User Modified {{Count}} inbox rules on {{MailboxOwnerUPN}}\u0027s Mailbox\",\"description\":\"User modified inbox rules on a mailbox\",\"queryDefinitions\":{\"query\":\"let ruleChangeRecordTypes = dynamic( [\\\"ExchangeAdmin\\\", \\\"ExchangeItem\\\"]);\\nlet TLQ_UserModifiedinboxRules = (Account_Name: string, Account_UPNSuffix: string, Account_Sid: string){\\nlet upn = iff(Account_Name != \\\"\\\" and Account_UPNSuffix != \\\"\\\"\\n, strcat(Account_Name, \\\"@\\\", Account_UPNSuffix)\\n, \\\"\\\");\\nOfficeActivity\\n| where RecordType in~ (ruleChangeRecordTypes) and Operation contains \\\"InboxRule\\\"\\n| where((Account_Sid != \\\"\\\" and LogonUserSid == Account_Sid)\\nor(upn != \\\"\\\" and UserId == upn )\\n)\\n};\\nTLQ_UserModifiedinboxRules(\u0027{{Account_Name}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_Sid}}\u0027) \\n| project MailboxOwnerSid, MailboxOwnerUPN, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"OfficeActivity\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueryTemplates/0eabec03-51e7-4909-b0cb-1adc76759e93\",\"name\":\"0eabec03-51e7-4909-b0cb-1adc76759e93\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"User uploaded files to SharePoint\",\"content\":\"User uploaded {{Count}} file(s) To SharePoint from {{Source_IP_Address}}\",\"description\":\"This activity lists the user\u0027s SharePoint uploads.\",\"queryDefinitions\":{\"query\":\"let TLQ_UserUploadFiles = (Account_Name:string, Account_UPNSuffix:string){\\nlet upn = strcat(Account_Name,\\\"@\\\",Account_UPNSuffix);\\nOfficeActivity\\n| where RecordType =~ \\\"SharePointFileOperation\\\" and Operation in~ (\\\"FileUploaded\\\", \\\"FileDownloaded\\\")\\n| where upn =~UserId\\n| extend Subject_File_Directory = tostring(split(OfficeObjectId,SourceFileName)[0])\\n| project-rename Source_IP_Address = ClientIP\\n};\\nTLQ_UserUploadFiles(\u0027{{Account_Name}}\u0027, \u0027{{Account_UPNSuffix}}\u0027) \\n| where Operation =~ \\\"FileUploaded\\\" \\n| project Source_IP_Address, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"OfficeActivity\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_UPNSuffix\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueryTemplates/df564e7b-bf6d-4dc4-a32d-79b00bd2cc7b\",\"name\":\"df564e7b-bf6d-4dc4-a32d-79b00bd2cc7b\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"User downloaded files from SharePoint\",\"content\":\"User downloaded {{Count}} File(s) from SharePoint from {{Source_IP_Address}}\",\"description\":\"This activity lists the user\u0027s SharePoint downloads.\",\"queryDefinitions\":{\"query\":\"let TLQ_UserUploadFiles = (Account_Name:string, Account_UPNSuffix:string){\\nlet upn = strcat(Account_Name,\\\"@\\\",Account_UPNSuffix);\\nOfficeActivity\\n| where RecordType =~ \\\"SharePointFileOperation\\\" and Operation in~ (\\\"FileUploaded\\\", \\\"FileDownloaded\\\")\\n| where upn =~UserId\\n| extend Subject_File_Directory = tostring(split(OfficeObjectId,SourceFileName)[0])\\n| project-rename Source_IP_Address = ClientIP\\n};\\nTLQ_UserUploadFiles(\u0027{{Account_Name}}\u0027, \u0027{{Account_UPNSuffix}}\u0027) \\n| where Operation =~ \\\"FileDownloaded\\\" \\n| project Source_IP_Address, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"OfficeActivity\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_UPNSuffix\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueryTemplates/0f328f28-7e21-4596-b71c-54309fee5551\",\"name\":\"0f328f28-7e21-4596-b71c-54309fee5551\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user signed in to an Azure resource\",\"content\":\"The user signed in to {{shortResourceId}} {{Count}} time(s)\",\"description\":\"This activity lists user\u0027s sign ins to Azure Resources\",\"queryDefinitions\":{\"query\":\"let SignInsByResource = (Account_Name:string, Account_UPNSuffix:string, Account_AadUserId:string){\\nlet acc_upn = iff(Account_Name != \\\"\\\" and Account_UPNSuffix != \\\"\\\" ,strcat(Account_Name,\\\"@\\\" ,Account_UPNSuffix),\\\"\\\");\\nSigninLogs\\n| where (acc_upn != \\\"\\\" and UserPrincipalName =~ acc_upn) or\\n   (Account_AadUserId != \\\"\\\" and Account_AadUserId =~ UserId) // UserPrincipalName, UserId\\n| extend shortResourceId = tostring(split(ResourceId,\\\"/\\\")[-1])\\n};\\nSignInsByResource(\u0027{{Account_Name}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_AadUserId}}\u0027) \\n| project shortResourceId, ResourceId, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SigninLogs\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AadUserId\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueryTemplates/0d4ec12e-e44a-40a4-bb87-3db84d2a8057\",\"name\":\"0d4ec12e-e44a-40a4-bb87-3db84d2a8057\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Interactive log-ins to a host\",\"content\":\"The user {{Account_Name}} logged on to host {{Computer}} {{Count}} time(s)\",\"description\":\"This activity lists the user\u0027s interactive log-ins grouped by Host.\",\"queryDefinitions\":{\"query\":\"let GetAllLogonsForUser = (v_Account_Name:string, v_Account_NTDomain:string){\\nlet AllEvents = SecurityEvent\\n| extend p_Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nv_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nv_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\nv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\nv_Account_Name\\n)\\n| extend p_Account_NTDomain = case(\\nv_Account_NTDomain has \u0027\\\\\\\\\u0027, tostring(split(v_Account_NTDomain, \u0027\\\\\\\\\u0027)[0]), \\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nv_Account_NTDomain has \u0027@\u0027, tostring(split(tostring(split(v_Account_NTDomain, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nv_Account_NTDomain\\n)\\n| where EventID in (4624, 4625, 4672)\\n| where AccountType =~ \u0027User\u0027\\n| where TargetUserName =~ p_Account_Name and TargetDomainName =~ p_Account_NTDomain\\n| extend PassedInAccountName = p_Account_Name, PassedInNTDomain = p_Account_NTDomain, RelatedRowSet = \u0027AllEvents\u0027\\n| extend HourOfLogin = hourofday(TimeGenerated), DayNumberofWeek = dayofweek(TimeGenerated)\\n| extend DayofWeek = case(\\nDayNumberofWeek == \\\"00:00:00\\\", \\\"Sunday\\\", \\nDayNumberofWeek == \\\"1.00:00:00\\\", \\\"Monday\\\", \\nDayNumberofWeek == \\\"2.00:00:00\\\", \\\"Tuesday\\\", \\nDayNumberofWeek == \\\"3.00:00:00\\\", \\\"Wednesday\\\", \\nDayNumberofWeek == \\\"4.00:00:00\\\", \\\"Thursday\\\", \\nDayNumberofWeek == \\\"5.00:00:00\\\", \\\"Friday\\\", \\nDayNumberofWeek == \\\"6.00:00:00\\\", \\\"Saturday\\\",\\\"InvalidTimeStamp\\\")\\n// map the most common ntstatus codes\\n| extend StatusDesc = case(\\nStatus =~ \\\"0x80090302\\\", \\\"SEC_E_UNSUPPORTED_FUNCTION\\\",\\nStatus =~ \\\"0x80090308\\\", \\\"SEC_E_INVALID_TOKEN\\\",\\nStatus =~ \\\"0x8009030E\\\", \\\"SEC_E_NO_CREDENTIALS\\\",\\nStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nStatus =~ \\\"0xC0000017\\\", \\\"STATUS_NO_MEMORY\\\",\\nStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nStatus =~ \\\"0xC0000034\\\", \\\"STATUS_OBJECT_NAME_NOT_FOUND\\\",\\nStatus =~ \\\"0xC000005E\\\", \\\"STATUS_NO_LOGON_SERVERS\\\",\\nStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nStatus =~ \\\"0xC00000FE\\\", \\\"STATUS_NO_SUCH_PACKAGE\\\",\\nStatus =~ \\\"0xC000009A\\\", \\\"STATUS_INSUFFICIENT_RESOURCES\\\",\\nStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nStatus =~ \\\"0xC0000106\\\", \\\"STATUS_NAME_TOO_LONG\\\",\\nStatus =~ \\\"0xC000010B\\\", \\\"STATUS_INVALID_LOGON_TYPE\\\",\\nStatus =~ \\\"0xC000015B\\\", \\\"STATUS_LOGON_TYPE_NOT_GRANTED\\\",\\nStatus =~ \\\"0xC000018B\\\", \\\"STATUS_NO_TRUST_SAM_ACCOUNT\\\",\\nStatus =~ \\\"0xC0000224\\\", \\\"STATUS_PASSWORD_MUST_CHANGE\\\",\\nStatus =~ \\\"0xC0000234\\\", \\\"STATUS_ACCOUNT_LOCKED_OUT\\\",\\nStatus =~ \\\"0xC00002EE\\\", \\\"STATUS_UNFINISHED_CONTEXT_DELETED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| extend SubStatusDesc = case(\\nSubStatus =~ \\\"0x80090325\\\", \\\"SEC_E_UNTRUSTED_ROOT\\\",\\nSubStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nSubStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nSubStatus =~ \\\"0xC0000064\\\", \\\"STATUS_NO_SUCH_USER\\\",\\nSubStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nSubStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nSubStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nSubStatus =~ \\\"0xC000006F\\\", \\\"STATUS_INVALID_LOGON_HOURS\\\",\\nSubStatus =~ \\\"0xC0000070\\\", \\\"STATUS_INVALID_WORKSTATION\\\",\\nSubStatus =~ \\\"0xC0000071\\\", \\\"STATUS_PASSWORD_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000072\\\", \\\"STATUS_ACCOUNT_DISABLED\\\",\\nSubStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nSubStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nSubStatus =~ \\\"0xC0000133\\\", \\\"STATUS_TIME_DIFFERENCE_AT_DC\\\",\\nSubStatus =~ \\\"0xC000018D\\\", \\\"STATUS_TRUSTED_RELATIONSHIP_FAILURE\\\",\\nSubStatus =~ \\\"0xC0000193\\\", \\\"STATUS_ACCOUNT_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000380\\\", \\\"STATUS_SMARTCARD_WRONG_PIN\\\",\\nSubStatus =~ \\\"0xC0000381\\\", \\\"STATUS_SMARTCARD_CARD_BLOCKED\\\",\\nSubStatus =~ \\\"0xC0000382\\\", \\\"STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED\\\",\\nSubStatus =~ \\\"0xC0000383\\\", \\\"STATUS_SMARTCARD_NO_CARD\\\",\\nSubStatus =~ \\\"0xC0000384\\\", \\\"STATUS_SMARTCARD_NO_KEY_CONTAINER\\\",\\nSubStatus =~ \\\"0xC0000385\\\", \\\"STATUS_SMARTCARD_NO_CERTIFICATE\\\",\\nSubStatus =~ \\\"0xC0000386\\\", \\\"STATUS_SMARTCARD_NO_KEYSET\\\",\\nSubStatus =~ \\\"0xC0000387\\\", \\\"STATUS_SMARTCARD_IO_ERROR\\\",\\nSubStatus =~ \\\"0xC0000388\\\", \\\"STATUS_DOWNGRADE_DETECTED\\\",\\nSubStatus =~ \\\"0xC0000389\\\", \\\"STATUS_SMARTCARD_CERT_REVOKED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| project StartTime = TimeGenerated, DayofWeek, HourOfLogin, EventID, Activity, IpAddress, WorkstationName, Computer, TargetUserName, TargetDomainName, ProcessName, SubjectUserName, PrivilegeList, PassedInAccountName, PassedInNTDomain, LogonTypeName, StatusDesc, SubStatusDesc, RelatedRowSet \\n;\\nlet UserSigninToSystems = AllEvents\\n| where EventID == 4624\\n| project-away StatusDesc, SubStatusDesc, PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserSigninToSystems\u0027 ;\\nlet UserFailedSigninToSystems = AllEvents\\n| where EventID == 4625\\n| project-away PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserFailedSigninToSystems\u0027 ;\\nlet UserSigninDuringAbnormalHours = AllEvents\\n| where StartTime between (ago(14d)..ago(2d))\\n| where EventID in (4624,4625)\\n| where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n| summarize max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek) by TargetUserName\\n| join kind= inner\\n(\\n AllEvents\\n | where StartTime \u003e ago(2d)\\n | where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n)\\non TargetUserName\\n| where HourOfLogin \u003e max_HourOfLogin or HourOfLogin \u003c min_HourOfLogin\\n| extend historical_DayofWeek = tostring(historical_DayofWeek)\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), current_DayofWeek =make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName, StatusDesc, SubStatusDesc, historical_DayofWeek\\n| extend historical_DayofWeek = todynamic(historical_DayofWeek) \\n| extend RelatedRowSet = \u0027UserSigninDuringAbnormalHour\u0027; \\nlet UserHadPrivilegedLogonSessions = AllEvents\\n| where EventID == 4672\\n| where PrivilegeList contains \u0027SeDebugPrivilege\u0027\\n| project-away StatusDesc, SubStatusDesc\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, PrivilegeList\\n// Notice! summarize removes the TimeGenerated field, which is required for Activities.\\n| extend RelatedRowSet = \u0027UserHadPrivilegedLogonSessions\u0027 ;\\nunion isfuzzy=true AllEvents, UserSigninToSystems, UserFailedSigninToSystems, UserSigninDuringAbnormalHours, UserHadPrivilegedLogonSessions\\n};\\n// change {{Account_Name}} value below to the username you are interested in and {{Account_NTDomain}} to the domain of the user you are interested in\\nGetAllLogonsForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027) \\n| where RelatedRowSet == \u0027AllEvents\u0027 and EventID==4624 and LogonTypeName == \u00272 - Interactive\u0027 | extend TimeGenerated=StartTime \\n| project Computer, WorkstationName, LogonTypeName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueryTemplates/c9da5786-6c3c-45b5-9a46-53200ed9df09\",\"name\":\"c9da5786-6c3c-45b5-9a46-53200ed9df09\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Network log-ins to a host\",\"content\":\"The user {{Account_Name}} logged on to host {{Computer}} {{Count}} time(s)\",\"description\":\"This activity lists the user\u0027s network log-ins, grouped by Host.\",\"queryDefinitions\":{\"query\":\"let GetAllLogonsForUser = (v_Account_Name:string, v_Account_NTDomain:string){\\nlet AllEvents = SecurityEvent\\n| extend p_Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nv_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nv_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\nv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\nv_Account_Name\\n)\\n| extend p_Account_NTDomain = case(\\nv_Account_NTDomain has \u0027\\\\\\\\\u0027, tostring(split(v_Account_NTDomain, \u0027\\\\\\\\\u0027)[0]), \\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nv_Account_NTDomain has \u0027@\u0027, tostring(split(tostring(split(v_Account_NTDomain, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nv_Account_NTDomain\\n)\\n| where EventID in (4624, 4625, 4672)\\n| where AccountType =~ \u0027User\u0027\\n| where TargetUserName =~ p_Account_Name and TargetDomainName =~ p_Account_NTDomain\\n| extend PassedInAccountName = p_Account_Name, PassedInNTDomain = p_Account_NTDomain, RelatedRowSet = \u0027AllEvents\u0027\\n| extend HourOfLogin = hourofday(TimeGenerated), DayNumberofWeek = dayofweek(TimeGenerated)\\n| extend DayofWeek = case(\\nDayNumberofWeek == \\\"00:00:00\\\", \\\"Sunday\\\", \\nDayNumberofWeek == \\\"1.00:00:00\\\", \\\"Monday\\\", \\nDayNumberofWeek == \\\"2.00:00:00\\\", \\\"Tuesday\\\", \\nDayNumberofWeek == \\\"3.00:00:00\\\", \\\"Wednesday\\\", \\nDayNumberofWeek == \\\"4.00:00:00\\\", \\\"Thursday\\\", \\nDayNumberofWeek == \\\"5.00:00:00\\\", \\\"Friday\\\", \\nDayNumberofWeek == \\\"6.00:00:00\\\", \\\"Saturday\\\",\\\"InvalidTimeStamp\\\")\\n// map the most common ntstatus codes\\n| extend StatusDesc = case(\\nStatus =~ \\\"0x80090302\\\", \\\"SEC_E_UNSUPPORTED_FUNCTION\\\",\\nStatus =~ \\\"0x80090308\\\", \\\"SEC_E_INVALID_TOKEN\\\",\\nStatus =~ \\\"0x8009030E\\\", \\\"SEC_E_NO_CREDENTIALS\\\",\\nStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nStatus =~ \\\"0xC0000017\\\", \\\"STATUS_NO_MEMORY\\\",\\nStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nStatus =~ \\\"0xC0000034\\\", \\\"STATUS_OBJECT_NAME_NOT_FOUND\\\",\\nStatus =~ \\\"0xC000005E\\\", \\\"STATUS_NO_LOGON_SERVERS\\\",\\nStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nStatus =~ \\\"0xC00000FE\\\", \\\"STATUS_NO_SUCH_PACKAGE\\\",\\nStatus =~ \\\"0xC000009A\\\", \\\"STATUS_INSUFFICIENT_RESOURCES\\\",\\nStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nStatus =~ \\\"0xC0000106\\\", \\\"STATUS_NAME_TOO_LONG\\\",\\nStatus =~ \\\"0xC000010B\\\", \\\"STATUS_INVALID_LOGON_TYPE\\\",\\nStatus =~ \\\"0xC000015B\\\", \\\"STATUS_LOGON_TYPE_NOT_GRANTED\\\",\\nStatus =~ \\\"0xC000018B\\\", \\\"STATUS_NO_TRUST_SAM_ACCOUNT\\\",\\nStatus =~ \\\"0xC0000224\\\", \\\"STATUS_PASSWORD_MUST_CHANGE\\\",\\nStatus =~ \\\"0xC0000234\\\", \\\"STATUS_ACCOUNT_LOCKED_OUT\\\",\\nStatus =~ \\\"0xC00002EE\\\", \\\"STATUS_UNFINISHED_CONTEXT_DELETED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| extend SubStatusDesc = case(\\nSubStatus =~ \\\"0x80090325\\\", \\\"SEC_E_UNTRUSTED_ROOT\\\",\\nSubStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nSubStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nSubStatus =~ \\\"0xC0000064\\\", \\\"STATUS_NO_SUCH_USER\\\",\\nSubStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nSubStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nSubStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nSubStatus =~ \\\"0xC000006F\\\", \\\"STATUS_INVALID_LOGON_HOURS\\\",\\nSubStatus =~ \\\"0xC0000070\\\", \\\"STATUS_INVALID_WORKSTATION\\\",\\nSubStatus =~ \\\"0xC0000071\\\", \\\"STATUS_PASSWORD_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000072\\\", \\\"STATUS_ACCOUNT_DISABLED\\\",\\nSubStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nSubStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nSubStatus =~ \\\"0xC0000133\\\", \\\"STATUS_TIME_DIFFERENCE_AT_DC\\\",\\nSubStatus =~ \\\"0xC000018D\\\", \\\"STATUS_TRUSTED_RELATIONSHIP_FAILURE\\\",\\nSubStatus =~ \\\"0xC0000193\\\", \\\"STATUS_ACCOUNT_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000380\\\", \\\"STATUS_SMARTCARD_WRONG_PIN\\\",\\nSubStatus =~ \\\"0xC0000381\\\", \\\"STATUS_SMARTCARD_CARD_BLOCKED\\\",\\nSubStatus =~ \\\"0xC0000382\\\", \\\"STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED\\\",\\nSubStatus =~ \\\"0xC0000383\\\", \\\"STATUS_SMARTCARD_NO_CARD\\\",\\nSubStatus =~ \\\"0xC0000384\\\", \\\"STATUS_SMARTCARD_NO_KEY_CONTAINER\\\",\\nSubStatus =~ \\\"0xC0000385\\\", \\\"STATUS_SMARTCARD_NO_CERTIFICATE\\\",\\nSubStatus =~ \\\"0xC0000386\\\", \\\"STATUS_SMARTCARD_NO_KEYSET\\\",\\nSubStatus =~ \\\"0xC0000387\\\", \\\"STATUS_SMARTCARD_IO_ERROR\\\",\\nSubStatus =~ \\\"0xC0000388\\\", \\\"STATUS_DOWNGRADE_DETECTED\\\",\\nSubStatus =~ \\\"0xC0000389\\\", \\\"STATUS_SMARTCARD_CERT_REVOKED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| project StartTime = TimeGenerated, DayofWeek, HourOfLogin, EventID, Activity, IpAddress, WorkstationName, Computer, TargetUserName, TargetDomainName, ProcessName, SubjectUserName, PrivilegeList, PassedInAccountName, PassedInNTDomain, LogonTypeName, StatusDesc, SubStatusDesc, RelatedRowSet \\n;\\nlet UserSigninToSystems = AllEvents\\n| where EventID == 4624\\n| project-away StatusDesc, SubStatusDesc, PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserSigninToSystems\u0027 ;\\nlet UserFailedSigninToSystems = AllEvents\\n| where EventID == 4625\\n| project-away PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserFailedSigninToSystems\u0027 ;\\nlet UserSigninDuringAbnormalHours = AllEvents\\n| where StartTime between (ago(14d)..ago(2d))\\n| where EventID in (4624,4625)\\n| where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n| summarize max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek) by TargetUserName\\n| join kind= inner\\n(\\n AllEvents\\n | where StartTime \u003e ago(2d)\\n | where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n)\\non TargetUserName\\n| where HourOfLogin \u003e max_HourOfLogin or HourOfLogin \u003c min_HourOfLogin\\n| extend historical_DayofWeek = tostring(historical_DayofWeek)\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), current_DayofWeek =make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName, StatusDesc, SubStatusDesc, historical_DayofWeek\\n| extend historical_DayofWeek = todynamic(historical_DayofWeek) \\n| extend RelatedRowSet = \u0027UserSigninDuringAbnormalHour\u0027; \\nlet UserHadPrivilegedLogonSessions = AllEvents\\n| where EventID == 4672\\n| where PrivilegeList contains \u0027SeDebugPrivilege\u0027\\n| project-away StatusDesc, SubStatusDesc\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, PrivilegeList\\n// Notice! summarize removes the TimeGenerated field, which is required for Activities.\\n| extend RelatedRowSet = \u0027UserHadPrivilegedLogonSessions\u0027 ;\\nunion isfuzzy=true AllEvents, UserSigninToSystems, UserFailedSigninToSystems, UserSigninDuringAbnormalHours, UserHadPrivilegedLogonSessions\\n};\\n// change {{Account_Name}} value below to the username you are interested in and {{Account_NTDomain}} to the domain of the user you are interested in\\nGetAllLogonsForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027) \\n| where RelatedRowSet == \u0027AllEvents\u0027 and EventID ==4624 and LogonTypeName == \u00273 - Network\u0027 | extend TimeGenerated=StartTime \\n| project Computer, WorkstationName, LogonTypeName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueryTemplates/8a302bfc-00e3-43b3-a516-102fd0cb0dbc\",\"name\":\"8a302bfc-00e3-43b3-a516-102fd0cb0dbc\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Remote interactive log-ins to a host\",\"content\":\"The user {{Account_Name}} logged on to host {{Computer}} {{Count}} time(s)\",\"description\":\"This activity lists the user\u0027s remote interactive log-ins, grouped by Host.\",\"queryDefinitions\":{\"query\":\"let GetAllLogonsForUser = (v_Account_Name:string, v_Account_NTDomain:string){\\nlet AllEvents = SecurityEvent\\n| extend p_Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nv_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nv_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\nv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\nv_Account_Name\\n)\\n| extend p_Account_NTDomain = case(\\nv_Account_NTDomain has \u0027\\\\\\\\\u0027, tostring(split(v_Account_NTDomain, \u0027\\\\\\\\\u0027)[0]), \\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nv_Account_NTDomain has \u0027@\u0027, tostring(split(tostring(split(v_Account_NTDomain, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nv_Account_NTDomain\\n)\\n| where EventID in (4624, 4625, 4672)\\n| where AccountType =~ \u0027User\u0027\\n| where TargetUserName =~ p_Account_Name and TargetDomainName =~ p_Account_NTDomain\\n| extend PassedInAccountName = p_Account_Name, PassedInNTDomain = p_Account_NTDomain, RelatedRowSet = \u0027AllEvents\u0027\\n| extend HourOfLogin = hourofday(TimeGenerated), DayNumberofWeek = dayofweek(TimeGenerated)\\n| extend DayofWeek = case(\\nDayNumberofWeek == \\\"00:00:00\\\", \\\"Sunday\\\", \\nDayNumberofWeek == \\\"1.00:00:00\\\", \\\"Monday\\\", \\nDayNumberofWeek == \\\"2.00:00:00\\\", \\\"Tuesday\\\", \\nDayNumberofWeek == \\\"3.00:00:00\\\", \\\"Wednesday\\\", \\nDayNumberofWeek == \\\"4.00:00:00\\\", \\\"Thursday\\\", \\nDayNumberofWeek == \\\"5.00:00:00\\\", \\\"Friday\\\", \\nDayNumberofWeek == \\\"6.00:00:00\\\", \\\"Saturday\\\",\\\"InvalidTimeStamp\\\")\\n// map the most common ntstatus codes\\n| extend StatusDesc = case(\\nStatus =~ \\\"0x80090302\\\", \\\"SEC_E_UNSUPPORTED_FUNCTION\\\",\\nStatus =~ \\\"0x80090308\\\", \\\"SEC_E_INVALID_TOKEN\\\",\\nStatus =~ \\\"0x8009030E\\\", \\\"SEC_E_NO_CREDENTIALS\\\",\\nStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nStatus =~ \\\"0xC0000017\\\", \\\"STATUS_NO_MEMORY\\\",\\nStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nStatus =~ \\\"0xC0000034\\\", \\\"STATUS_OBJECT_NAME_NOT_FOUND\\\",\\nStatus =~ \\\"0xC000005E\\\", \\\"STATUS_NO_LOGON_SERVERS\\\",\\nStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nStatus =~ \\\"0xC00000FE\\\", \\\"STATUS_NO_SUCH_PACKAGE\\\",\\nStatus =~ \\\"0xC000009A\\\", \\\"STATUS_INSUFFICIENT_RESOURCES\\\",\\nStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nStatus =~ \\\"0xC0000106\\\", \\\"STATUS_NAME_TOO_LONG\\\",\\nStatus =~ \\\"0xC000010B\\\", \\\"STATUS_INVALID_LOGON_TYPE\\\",\\nStatus =~ \\\"0xC000015B\\\", \\\"STATUS_LOGON_TYPE_NOT_GRANTED\\\",\\nStatus =~ \\\"0xC000018B\\\", \\\"STATUS_NO_TRUST_SAM_ACCOUNT\\\",\\nStatus =~ \\\"0xC0000224\\\", \\\"STATUS_PASSWORD_MUST_CHANGE\\\",\\nStatus =~ \\\"0xC0000234\\\", \\\"STATUS_ACCOUNT_LOCKED_OUT\\\",\\nStatus =~ \\\"0xC00002EE\\\", \\\"STATUS_UNFINISHED_CONTEXT_DELETED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| extend SubStatusDesc = case(\\nSubStatus =~ \\\"0x80090325\\\", \\\"SEC_E_UNTRUSTED_ROOT\\\",\\nSubStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nSubStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nSubStatus =~ \\\"0xC0000064\\\", \\\"STATUS_NO_SUCH_USER\\\",\\nSubStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nSubStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nSubStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nSubStatus =~ \\\"0xC000006F\\\", \\\"STATUS_INVALID_LOGON_HOURS\\\",\\nSubStatus =~ \\\"0xC0000070\\\", \\\"STATUS_INVALID_WORKSTATION\\\",\\nSubStatus =~ \\\"0xC0000071\\\", \\\"STATUS_PASSWORD_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000072\\\", \\\"STATUS_ACCOUNT_DISABLED\\\",\\nSubStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nSubStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nSubStatus =~ \\\"0xC0000133\\\", \\\"STATUS_TIME_DIFFERENCE_AT_DC\\\",\\nSubStatus =~ \\\"0xC000018D\\\", \\\"STATUS_TRUSTED_RELATIONSHIP_FAILURE\\\",\\nSubStatus =~ \\\"0xC0000193\\\", \\\"STATUS_ACCOUNT_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000380\\\", \\\"STATUS_SMARTCARD_WRONG_PIN\\\",\\nSubStatus =~ \\\"0xC0000381\\\", \\\"STATUS_SMARTCARD_CARD_BLOCKED\\\",\\nSubStatus =~ \\\"0xC0000382\\\", \\\"STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED\\\",\\nSubStatus =~ \\\"0xC0000383\\\", \\\"STATUS_SMARTCARD_NO_CARD\\\",\\nSubStatus =~ \\\"0xC0000384\\\", \\\"STATUS_SMARTCARD_NO_KEY_CONTAINER\\\",\\nSubStatus =~ \\\"0xC0000385\\\", \\\"STATUS_SMARTCARD_NO_CERTIFICATE\\\",\\nSubStatus =~ \\\"0xC0000386\\\", \\\"STATUS_SMARTCARD_NO_KEYSET\\\",\\nSubStatus =~ \\\"0xC0000387\\\", \\\"STATUS_SMARTCARD_IO_ERROR\\\",\\nSubStatus =~ \\\"0xC0000388\\\", \\\"STATUS_DOWNGRADE_DETECTED\\\",\\nSubStatus =~ \\\"0xC0000389\\\", \\\"STATUS_SMARTCARD_CERT_REVOKED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| project StartTime = TimeGenerated, DayofWeek, HourOfLogin, EventID, Activity, IpAddress, WorkstationName, Computer, TargetUserName, TargetDomainName, ProcessName, SubjectUserName, PrivilegeList, PassedInAccountName, PassedInNTDomain, LogonTypeName, StatusDesc, SubStatusDesc, RelatedRowSet \\n;\\nlet UserSigninToSystems = AllEvents\\n| where EventID == 4624\\n| project-away StatusDesc, SubStatusDesc, PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserSigninToSystems\u0027 ;\\nlet UserFailedSigninToSystems = AllEvents\\n| where EventID == 4625\\n| project-away PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserFailedSigninToSystems\u0027 ;\\nlet UserSigninDuringAbnormalHours = AllEvents\\n| where StartTime between (ago(14d)..ago(2d))\\n| where EventID in (4624,4625)\\n| where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n| summarize max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek) by TargetUserName\\n| join kind= inner\\n(\\n AllEvents\\n | where StartTime \u003e ago(2d)\\n | where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n)\\non TargetUserName\\n| where HourOfLogin \u003e max_HourOfLogin or HourOfLogin \u003c min_HourOfLogin\\n| extend historical_DayofWeek = tostring(historical_DayofWeek)\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), current_DayofWeek =make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName, StatusDesc, SubStatusDesc, historical_DayofWeek\\n| extend historical_DayofWeek = todynamic(historical_DayofWeek) \\n| extend RelatedRowSet = \u0027UserSigninDuringAbnormalHour\u0027; \\nlet UserHadPrivilegedLogonSessions = AllEvents\\n| where EventID == 4672\\n| where PrivilegeList contains \u0027SeDebugPrivilege\u0027\\n| project-away StatusDesc, SubStatusDesc\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, PrivilegeList\\n// Notice! summarize removes the TimeGenerated field, which is required for Activities.\\n| extend RelatedRowSet = \u0027UserHadPrivilegedLogonSessions\u0027 ;\\nunion isfuzzy=true AllEvents, UserSigninToSystems, UserFailedSigninToSystems, UserSigninDuringAbnormalHours, UserHadPrivilegedLogonSessions\\n};\\n// change {{Account_Name}} value below to the username you are interested in and {{Account_NTDomain}} to the domain of the user you are interested in\\nGetAllLogonsForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027) \\n| where RelatedRowSet == \u0027AllEvents\u0027 and EventID ==4624 and LogonTypeName == \u002710 - RemoteInteractive\u0027| extend TimeGenerated=StartTime \\n| project Computer, WorkstationName, LogonTypeName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueryTemplates/ec87b066-17ad-4f9b-97c2-c2f2ee2d99e0\",\"name\":\"ec87b066-17ad-4f9b-97c2-c2f2ee2d99e0\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"New credentials log-ins to a host\",\"content\":\"The user {{Account_Name}} logged on to host {{Computer}} {{Count}} time(s)\",\"description\":\"This activity lists the user\u0027s log-ins with new credentials, grouped by Host.\",\"queryDefinitions\":{\"query\":\"let GetAllLogonsForUser = (v_Account_Name:string, v_Account_NTDomain:string){\\nlet AllEvents = SecurityEvent\\n| extend p_Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nv_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nv_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\nv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\nv_Account_Name\\n)\\n| extend p_Account_NTDomain = case(\\nv_Account_NTDomain has \u0027\\\\\\\\\u0027, tostring(split(v_Account_NTDomain, \u0027\\\\\\\\\u0027)[0]), \\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nv_Account_NTDomain has \u0027@\u0027, tostring(split(tostring(split(v_Account_NTDomain, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nv_Account_NTDomain\\n)\\n| where EventID in (4624, 4625, 4672)\\n| where AccountType =~ \u0027User\u0027\\n| where TargetUserName =~ p_Account_Name and TargetDomainName =~ p_Account_NTDomain\\n| extend PassedInAccountName = p_Account_Name, PassedInNTDomain = p_Account_NTDomain, RelatedRowSet = \u0027AllEvents\u0027\\n| extend HourOfLogin = hourofday(TimeGenerated), DayNumberofWeek = dayofweek(TimeGenerated)\\n| extend DayofWeek = case(\\nDayNumberofWeek == \\\"00:00:00\\\", \\\"Sunday\\\", \\nDayNumberofWeek == \\\"1.00:00:00\\\", \\\"Monday\\\", \\nDayNumberofWeek == \\\"2.00:00:00\\\", \\\"Tuesday\\\", \\nDayNumberofWeek == \\\"3.00:00:00\\\", \\\"Wednesday\\\", \\nDayNumberofWeek == \\\"4.00:00:00\\\", \\\"Thursday\\\", \\nDayNumberofWeek == \\\"5.00:00:00\\\", \\\"Friday\\\", \\nDayNumberofWeek == \\\"6.00:00:00\\\", \\\"Saturday\\\",\\\"InvalidTimeStamp\\\")\\n// map the most common ntstatus codes\\n| extend StatusDesc = case(\\nStatus =~ \\\"0x80090302\\\", \\\"SEC_E_UNSUPPORTED_FUNCTION\\\",\\nStatus =~ \\\"0x80090308\\\", \\\"SEC_E_INVALID_TOKEN\\\",\\nStatus =~ \\\"0x8009030E\\\", \\\"SEC_E_NO_CREDENTIALS\\\",\\nStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nStatus =~ \\\"0xC0000017\\\", \\\"STATUS_NO_MEMORY\\\",\\nStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nStatus =~ \\\"0xC0000034\\\", \\\"STATUS_OBJECT_NAME_NOT_FOUND\\\",\\nStatus =~ \\\"0xC000005E\\\", \\\"STATUS_NO_LOGON_SERVERS\\\",\\nStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nStatus =~ \\\"0xC00000FE\\\", \\\"STATUS_NO_SUCH_PACKAGE\\\",\\nStatus =~ \\\"0xC000009A\\\", \\\"STATUS_INSUFFICIENT_RESOURCES\\\",\\nStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nStatus =~ \\\"0xC0000106\\\", \\\"STATUS_NAME_TOO_LONG\\\",\\nStatus =~ \\\"0xC000010B\\\", \\\"STATUS_INVALID_LOGON_TYPE\\\",\\nStatus =~ \\\"0xC000015B\\\", \\\"STATUS_LOGON_TYPE_NOT_GRANTED\\\",\\nStatus =~ \\\"0xC000018B\\\", \\\"STATUS_NO_TRUST_SAM_ACCOUNT\\\",\\nStatus =~ \\\"0xC0000224\\\", \\\"STATUS_PASSWORD_MUST_CHANGE\\\",\\nStatus =~ \\\"0xC0000234\\\", \\\"STATUS_ACCOUNT_LOCKED_OUT\\\",\\nStatus =~ \\\"0xC00002EE\\\", \\\"STATUS_UNFINISHED_CONTEXT_DELETED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| extend SubStatusDesc = case(\\nSubStatus =~ \\\"0x80090325\\\", \\\"SEC_E_UNTRUSTED_ROOT\\\",\\nSubStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nSubStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nSubStatus =~ \\\"0xC0000064\\\", \\\"STATUS_NO_SUCH_USER\\\",\\nSubStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nSubStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nSubStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nSubStatus =~ \\\"0xC000006F\\\", \\\"STATUS_INVALID_LOGON_HOURS\\\",\\nSubStatus =~ \\\"0xC0000070\\\", \\\"STATUS_INVALID_WORKSTATION\\\",\\nSubStatus =~ \\\"0xC0000071\\\", \\\"STATUS_PASSWORD_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000072\\\", \\\"STATUS_ACCOUNT_DISABLED\\\",\\nSubStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nSubStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nSubStatus =~ \\\"0xC0000133\\\", \\\"STATUS_TIME_DIFFERENCE_AT_DC\\\",\\nSubStatus =~ \\\"0xC000018D\\\", \\\"STATUS_TRUSTED_RELATIONSHIP_FAILURE\\\",\\nSubStatus =~ \\\"0xC0000193\\\", \\\"STATUS_ACCOUNT_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000380\\\", \\\"STATUS_SMARTCARD_WRONG_PIN\\\",\\nSubStatus =~ \\\"0xC0000381\\\", \\\"STATUS_SMARTCARD_CARD_BLOCKED\\\",\\nSubStatus =~ \\\"0xC0000382\\\", \\\"STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED\\\",\\nSubStatus =~ \\\"0xC0000383\\\", \\\"STATUS_SMARTCARD_NO_CARD\\\",\\nSubStatus =~ \\\"0xC0000384\\\", \\\"STATUS_SMARTCARD_NO_KEY_CONTAINER\\\",\\nSubStatus =~ \\\"0xC0000385\\\", \\\"STATUS_SMARTCARD_NO_CERTIFICATE\\\",\\nSubStatus =~ \\\"0xC0000386\\\", \\\"STATUS_SMARTCARD_NO_KEYSET\\\",\\nSubStatus =~ \\\"0xC0000387\\\", \\\"STATUS_SMARTCARD_IO_ERROR\\\",\\nSubStatus =~ \\\"0xC0000388\\\", \\\"STATUS_DOWNGRADE_DETECTED\\\",\\nSubStatus =~ \\\"0xC0000389\\\", \\\"STATUS_SMARTCARD_CERT_REVOKED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| project StartTime = TimeGenerated, DayofWeek, HourOfLogin, EventID, Activity, IpAddress, WorkstationName, Computer, TargetUserName, TargetDomainName, ProcessName, SubjectUserName, PrivilegeList, PassedInAccountName, PassedInNTDomain, LogonTypeName, StatusDesc, SubStatusDesc, RelatedRowSet \\n;\\nlet UserSigninToSystems = AllEvents\\n| where EventID == 4624\\n| project-away StatusDesc, SubStatusDesc, PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserSigninToSystems\u0027 ;\\nlet UserFailedSigninToSystems = AllEvents\\n| where EventID == 4625\\n| project-away PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserFailedSigninToSystems\u0027 ;\\nlet UserSigninDuringAbnormalHours = AllEvents\\n| where StartTime between (ago(14d)..ago(2d))\\n| where EventID in (4624,4625)\\n| where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n| summarize max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek) by TargetUserName\\n| join kind= inner\\n(\\n AllEvents\\n | where StartTime \u003e ago(2d)\\n | where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n)\\non TargetUserName\\n| where HourOfLogin \u003e max_HourOfLogin or HourOfLogin \u003c min_HourOfLogin\\n| extend historical_DayofWeek = tostring(historical_DayofWeek)\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), current_DayofWeek =make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName, StatusDesc, SubStatusDesc, historical_DayofWeek\\n| extend historical_DayofWeek = todynamic(historical_DayofWeek) \\n| extend RelatedRowSet = \u0027UserSigninDuringAbnormalHour\u0027; \\nlet UserHadPrivilegedLogonSessions = AllEvents\\n| where EventID == 4672\\n| where PrivilegeList contains \u0027SeDebugPrivilege\u0027\\n| project-away StatusDesc, SubStatusDesc\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, PrivilegeList\\n// Notice! summarize removes the TimeGenerated field, which is required for Activities.\\n| extend RelatedRowSet = \u0027UserHadPrivilegedLogonSessions\u0027 ;\\nunion isfuzzy=true AllEvents, UserSigninToSystems, UserFailedSigninToSystems, UserSigninDuringAbnormalHours, UserHadPrivilegedLogonSessions\\n};\\n// change {{Account_Name}} value below to the username you are interested in and {{Account_NTDomain}} to the domain of the user you are interested in\\nGetAllLogonsForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027) \\n| where RelatedRowSet == \u0027AllEvents\u0027 and EventID ==4624 and LogonTypeName == \u00279 - NewCredentials\u0027| extend TimeGenerated=StartTime \\n| project Computer, WorkstationName, LogonTypeName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueryTemplates/e1c4c03c-2b40-47cf-9b8c-49e0a37a6da6\",\"name\":\"e1c4c03c-2b40-47cf-9b8c-49e0a37a6da6\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Privileged log-ins to a host\",\"content\":\"The user {{Account_Name}} logged on to host {{Computer}} {{Count}} time(s)\",\"description\":\"This activity lists the user\u0027s privileged log-ins, grouped by Host.\",\"queryDefinitions\":{\"query\":\"let GetAllLogonsForUser = (v_Account_Name:string, v_Account_NTDomain:string){\\nlet AllEvents = SecurityEvent\\n| extend p_Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nv_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nv_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\nv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\nv_Account_Name\\n)\\n| extend p_Account_NTDomain = case(\\nv_Account_NTDomain has \u0027\\\\\\\\\u0027, tostring(split(v_Account_NTDomain, \u0027\\\\\\\\\u0027)[0]), \\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nv_Account_NTDomain has \u0027@\u0027, tostring(split(tostring(split(v_Account_NTDomain, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nv_Account_NTDomain\\n)\\n| where EventID in (4624, 4625, 4672)\\n| where AccountType =~ \u0027User\u0027\\n| where TargetUserName =~ p_Account_Name and TargetDomainName =~ p_Account_NTDomain\\n| extend PassedInAccountName = p_Account_Name, PassedInNTDomain = p_Account_NTDomain, RelatedRowSet = \u0027AllEvents\u0027\\n| extend HourOfLogin = hourofday(TimeGenerated), DayNumberofWeek = dayofweek(TimeGenerated)\\n| extend DayofWeek = case(\\nDayNumberofWeek == \\\"00:00:00\\\", \\\"Sunday\\\", \\nDayNumberofWeek == \\\"1.00:00:00\\\", \\\"Monday\\\", \\nDayNumberofWeek == \\\"2.00:00:00\\\", \\\"Tuesday\\\", \\nDayNumberofWeek == \\\"3.00:00:00\\\", \\\"Wednesday\\\", \\nDayNumberofWeek == \\\"4.00:00:00\\\", \\\"Thursday\\\", \\nDayNumberofWeek == \\\"5.00:00:00\\\", \\\"Friday\\\", \\nDayNumberofWeek == \\\"6.00:00:00\\\", \\\"Saturday\\\",\\\"InvalidTimeStamp\\\")\\n// map the most common ntstatus codes\\n| extend StatusDesc = case(\\nStatus =~ \\\"0x80090302\\\", \\\"SEC_E_UNSUPPORTED_FUNCTION\\\",\\nStatus =~ \\\"0x80090308\\\", \\\"SEC_E_INVALID_TOKEN\\\",\\nStatus =~ \\\"0x8009030E\\\", \\\"SEC_E_NO_CREDENTIALS\\\",\\nStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nStatus =~ \\\"0xC0000017\\\", \\\"STATUS_NO_MEMORY\\\",\\nStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nStatus =~ \\\"0xC0000034\\\", \\\"STATUS_OBJECT_NAME_NOT_FOUND\\\",\\nStatus =~ \\\"0xC000005E\\\", \\\"STATUS_NO_LOGON_SERVERS\\\",\\nStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nStatus =~ \\\"0xC00000FE\\\", \\\"STATUS_NO_SUCH_PACKAGE\\\",\\nStatus =~ \\\"0xC000009A\\\", \\\"STATUS_INSUFFICIENT_RESOURCES\\\",\\nStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nStatus =~ \\\"0xC0000106\\\", \\\"STATUS_NAME_TOO_LONG\\\",\\nStatus =~ \\\"0xC000010B\\\", \\\"STATUS_INVALID_LOGON_TYPE\\\",\\nStatus =~ \\\"0xC000015B\\\", \\\"STATUS_LOGON_TYPE_NOT_GRANTED\\\",\\nStatus =~ \\\"0xC000018B\\\", \\\"STATUS_NO_TRUST_SAM_ACCOUNT\\\",\\nStatus =~ \\\"0xC0000224\\\", \\\"STATUS_PASSWORD_MUST_CHANGE\\\",\\nStatus =~ \\\"0xC0000234\\\", \\\"STATUS_ACCOUNT_LOCKED_OUT\\\",\\nStatus =~ \\\"0xC00002EE\\\", \\\"STATUS_UNFINISHED_CONTEXT_DELETED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| extend SubStatusDesc = case(\\nSubStatus =~ \\\"0x80090325\\\", \\\"SEC_E_UNTRUSTED_ROOT\\\",\\nSubStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nSubStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nSubStatus =~ \\\"0xC0000064\\\", \\\"STATUS_NO_SUCH_USER\\\",\\nSubStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nSubStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nSubStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nSubStatus =~ \\\"0xC000006F\\\", \\\"STATUS_INVALID_LOGON_HOURS\\\",\\nSubStatus =~ \\\"0xC0000070\\\", \\\"STATUS_INVALID_WORKSTATION\\\",\\nSubStatus =~ \\\"0xC0000071\\\", \\\"STATUS_PASSWORD_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000072\\\", \\\"STATUS_ACCOUNT_DISABLED\\\",\\nSubStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nSubStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nSubStatus =~ \\\"0xC0000133\\\", \\\"STATUS_TIME_DIFFERENCE_AT_DC\\\",\\nSubStatus =~ \\\"0xC000018D\\\", \\\"STATUS_TRUSTED_RELATIONSHIP_FAILURE\\\",\\nSubStatus =~ \\\"0xC0000193\\\", \\\"STATUS_ACCOUNT_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000380\\\", \\\"STATUS_SMARTCARD_WRONG_PIN\\\",\\nSubStatus =~ \\\"0xC0000381\\\", \\\"STATUS_SMARTCARD_CARD_BLOCKED\\\",\\nSubStatus =~ \\\"0xC0000382\\\", \\\"STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED\\\",\\nSubStatus =~ \\\"0xC0000383\\\", \\\"STATUS_SMARTCARD_NO_CARD\\\",\\nSubStatus =~ \\\"0xC0000384\\\", \\\"STATUS_SMARTCARD_NO_KEY_CONTAINER\\\",\\nSubStatus =~ \\\"0xC0000385\\\", \\\"STATUS_SMARTCARD_NO_CERTIFICATE\\\",\\nSubStatus =~ \\\"0xC0000386\\\", \\\"STATUS_SMARTCARD_NO_KEYSET\\\",\\nSubStatus =~ \\\"0xC0000387\\\", \\\"STATUS_SMARTCARD_IO_ERROR\\\",\\nSubStatus =~ \\\"0xC0000388\\\", \\\"STATUS_DOWNGRADE_DETECTED\\\",\\nSubStatus =~ \\\"0xC0000389\\\", \\\"STATUS_SMARTCARD_CERT_REVOKED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| project StartTime = TimeGenerated, DayofWeek, HourOfLogin, EventID, Activity, IpAddress, WorkstationName, Computer, TargetUserName, TargetDomainName, ProcessName, SubjectUserName, PrivilegeList, PassedInAccountName, PassedInNTDomain, LogonTypeName, StatusDesc, SubStatusDesc, RelatedRowSet \\n;\\nlet UserSigninToSystems = AllEvents\\n| where EventID == 4624\\n| project-away StatusDesc, SubStatusDesc, PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserSigninToSystems\u0027 ;\\nlet UserFailedSigninToSystems = AllEvents\\n| where EventID == 4625\\n| project-away PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserFailedSigninToSystems\u0027 ;\\nlet UserSigninDuringAbnormalHours = AllEvents\\n| where StartTime between (ago(14d)..ago(2d))\\n| where EventID in (4624,4625)\\n| where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n| summarize max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek) by TargetUserName\\n| join kind= inner\\n(\\n AllEvents\\n | where StartTime \u003e ago(2d)\\n | where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n)\\non TargetUserName\\n| where HourOfLogin \u003e max_HourOfLogin or HourOfLogin \u003c min_HourOfLogin\\n| extend historical_DayofWeek = tostring(historical_DayofWeek)\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), current_DayofWeek =make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName, StatusDesc, SubStatusDesc, historical_DayofWeek\\n| extend historical_DayofWeek = todynamic(historical_DayofWeek) \\n| extend RelatedRowSet = \u0027UserSigninDuringAbnormalHour\u0027; \\nlet UserHadPrivilegedLogonSessions = AllEvents\\n| where EventID == 4672\\n| where PrivilegeList contains \u0027SeDebugPrivilege\u0027\\n| project-away StatusDesc, SubStatusDesc\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, PrivilegeList\\n// Notice! summarize removes the TimeGenerated field, which is required for Activities.\\n| extend RelatedRowSet = \u0027UserHadPrivilegedLogonSessions\u0027 ;\\nunion isfuzzy=true AllEvents, UserSigninToSystems, UserFailedSigninToSystems, UserSigninDuringAbnormalHours, UserHadPrivilegedLogonSessions\\n};\\n// change {{Account_Name}} value below to the username you are interested in and {{Account_NTDomain}} to the domain of the user you are interested in\\nGetAllLogonsForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027) \\n| where RelatedRowSet == \u0027AllEvents\u0027 and EventID == 4672 | extend TimeGenerated=StartTime \\n| project Computer, WorkstationName, LogonTypeName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueryTemplates/a6fc3ad9-1a61-41f5-a5e2-bd1f5a6fe44d\",\"name\":\"a6fc3ad9-1a61-41f5-a5e2-bd1f5a6fe44d\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Failed interactive log-ins to a host\",\"content\":\"The user {{Account_Name}} logged on to host {{Computer}} {{Count}} time(s)\",\"description\":\"This activity lists the user\u0027s failed interactive log-ins grouped by Host.\",\"queryDefinitions\":{\"query\":\"let GetAllLogonsForUser = (v_Account_Name:string, v_Account_NTDomain:string){\\nlet AllEvents = SecurityEvent\\n| extend p_Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nv_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nv_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\nv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\nv_Account_Name\\n)\\n| extend p_Account_NTDomain = case(\\nv_Account_NTDomain has \u0027\\\\\\\\\u0027, tostring(split(v_Account_NTDomain, \u0027\\\\\\\\\u0027)[0]), \\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nv_Account_NTDomain has \u0027@\u0027, tostring(split(tostring(split(v_Account_NTDomain, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nv_Account_NTDomain\\n)\\n| where EventID in (4624, 4625, 4672)\\n| where AccountType =~ \u0027User\u0027\\n| where TargetUserName =~ p_Account_Name and TargetDomainName =~ p_Account_NTDomain\\n| extend PassedInAccountName = p_Account_Name, PassedInNTDomain = p_Account_NTDomain, RelatedRowSet = \u0027AllEvents\u0027\\n| extend HourOfLogin = hourofday(TimeGenerated), DayNumberofWeek = dayofweek(TimeGenerated)\\n| extend DayofWeek = case(\\nDayNumberofWeek == \\\"00:00:00\\\", \\\"Sunday\\\", \\nDayNumberofWeek == \\\"1.00:00:00\\\", \\\"Monday\\\", \\nDayNumberofWeek == \\\"2.00:00:00\\\", \\\"Tuesday\\\", \\nDayNumberofWeek == \\\"3.00:00:00\\\", \\\"Wednesday\\\", \\nDayNumberofWeek == \\\"4.00:00:00\\\", \\\"Thursday\\\", \\nDayNumberofWeek == \\\"5.00:00:00\\\", \\\"Friday\\\", \\nDayNumberofWeek == \\\"6.00:00:00\\\", \\\"Saturday\\\",\\\"InvalidTimeStamp\\\")\\n// map the most common ntstatus codes\\n| extend StatusDesc = case(\\nStatus =~ \\\"0x80090302\\\", \\\"SEC_E_UNSUPPORTED_FUNCTION\\\",\\nStatus =~ \\\"0x80090308\\\", \\\"SEC_E_INVALID_TOKEN\\\",\\nStatus =~ \\\"0x8009030E\\\", \\\"SEC_E_NO_CREDENTIALS\\\",\\nStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nStatus =~ \\\"0xC0000017\\\", \\\"STATUS_NO_MEMORY\\\",\\nStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nStatus =~ \\\"0xC0000034\\\", \\\"STATUS_OBJECT_NAME_NOT_FOUND\\\",\\nStatus =~ \\\"0xC000005E\\\", \\\"STATUS_NO_LOGON_SERVERS\\\",\\nStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nStatus =~ \\\"0xC00000FE\\\", \\\"STATUS_NO_SUCH_PACKAGE\\\",\\nStatus =~ \\\"0xC000009A\\\", \\\"STATUS_INSUFFICIENT_RESOURCES\\\",\\nStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nStatus =~ \\\"0xC0000106\\\", \\\"STATUS_NAME_TOO_LONG\\\",\\nStatus =~ \\\"0xC000010B\\\", \\\"STATUS_INVALID_LOGON_TYPE\\\",\\nStatus =~ \\\"0xC000015B\\\", \\\"STATUS_LOGON_TYPE_NOT_GRANTED\\\",\\nStatus =~ \\\"0xC000018B\\\", \\\"STATUS_NO_TRUST_SAM_ACCOUNT\\\",\\nStatus =~ \\\"0xC0000224\\\", \\\"STATUS_PASSWORD_MUST_CHANGE\\\",\\nStatus =~ \\\"0xC0000234\\\", \\\"STATUS_ACCOUNT_LOCKED_OUT\\\",\\nStatus =~ \\\"0xC00002EE\\\", \\\"STATUS_UNFINISHED_CONTEXT_DELETED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| extend SubStatusDesc = case(\\nSubStatus =~ \\\"0x80090325\\\", \\\"SEC_E_UNTRUSTED_ROOT\\\",\\nSubStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nSubStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nSubStatus =~ \\\"0xC0000064\\\", \\\"STATUS_NO_SUCH_USER\\\",\\nSubStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nSubStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nSubStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nSubStatus =~ \\\"0xC000006F\\\", \\\"STATUS_INVALID_LOGON_HOURS\\\",\\nSubStatus =~ \\\"0xC0000070\\\", \\\"STATUS_INVALID_WORKSTATION\\\",\\nSubStatus =~ \\\"0xC0000071\\\", \\\"STATUS_PASSWORD_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000072\\\", \\\"STATUS_ACCOUNT_DISABLED\\\",\\nSubStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nSubStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nSubStatus =~ \\\"0xC0000133\\\", \\\"STATUS_TIME_DIFFERENCE_AT_DC\\\",\\nSubStatus =~ \\\"0xC000018D\\\", \\\"STATUS_TRUSTED_RELATIONSHIP_FAILURE\\\",\\nSubStatus =~ \\\"0xC0000193\\\", \\\"STATUS_ACCOUNT_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000380\\\", \\\"STATUS_SMARTCARD_WRONG_PIN\\\",\\nSubStatus =~ \\\"0xC0000381\\\", \\\"STATUS_SMARTCARD_CARD_BLOCKED\\\",\\nSubStatus =~ \\\"0xC0000382\\\", \\\"STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED\\\",\\nSubStatus =~ \\\"0xC0000383\\\", \\\"STATUS_SMARTCARD_NO_CARD\\\",\\nSubStatus =~ \\\"0xC0000384\\\", \\\"STATUS_SMARTCARD_NO_KEY_CONTAINER\\\",\\nSubStatus =~ \\\"0xC0000385\\\", \\\"STATUS_SMARTCARD_NO_CERTIFICATE\\\",\\nSubStatus =~ \\\"0xC0000386\\\", \\\"STATUS_SMARTCARD_NO_KEYSET\\\",\\nSubStatus =~ \\\"0xC0000387\\\", \\\"STATUS_SMARTCARD_IO_ERROR\\\",\\nSubStatus =~ \\\"0xC0000388\\\", \\\"STATUS_DOWNGRADE_DETECTED\\\",\\nSubStatus =~ \\\"0xC0000389\\\", \\\"STATUS_SMARTCARD_CERT_REVOKED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| project StartTime = TimeGenerated, DayofWeek, HourOfLogin, EventID, Activity, IpAddress, WorkstationName, Computer, TargetUserName, TargetDomainName, ProcessName, SubjectUserName, PrivilegeList, PassedInAccountName, PassedInNTDomain, LogonTypeName, StatusDesc, SubStatusDesc, RelatedRowSet \\n;\\nlet UserSigninToSystems = AllEvents\\n| where EventID == 4624\\n| project-away StatusDesc, SubStatusDesc, PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserSigninToSystems\u0027 ;\\nlet UserFailedSigninToSystems = AllEvents\\n| where EventID == 4625\\n| project-away PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserFailedSigninToSystems\u0027 ;\\nlet UserSigninDuringAbnormalHours = AllEvents\\n| where StartTime between (ago(14d)..ago(2d))\\n| where EventID in (4624,4625)\\n| where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n| summarize max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek) by TargetUserName\\n| join kind= inner\\n(\\n AllEvents\\n | where StartTime \u003e ago(2d)\\n | where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n)\\non TargetUserName\\n| where HourOfLogin \u003e max_HourOfLogin or HourOfLogin \u003c min_HourOfLogin\\n| extend historical_DayofWeek = tostring(historical_DayofWeek)\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), current_DayofWeek =make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName, StatusDesc, SubStatusDesc, historical_DayofWeek\\n| extend historical_DayofWeek = todynamic(historical_DayofWeek) \\n| extend RelatedRowSet = \u0027UserSigninDuringAbnormalHour\u0027; \\nlet UserHadPrivilegedLogonSessions = AllEvents\\n| where EventID == 4672\\n| where PrivilegeList contains \u0027SeDebugPrivilege\u0027\\n| project-away StatusDesc, SubStatusDesc\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, PrivilegeList\\n// Notice! summarize removes the TimeGenerated field, which is required for Activities.\\n| extend RelatedRowSet = \u0027UserHadPrivilegedLogonSessions\u0027 ;\\nunion isfuzzy=true AllEvents, UserSigninToSystems, UserFailedSigninToSystems, UserSigninDuringAbnormalHours, UserHadPrivilegedLogonSessions\\n};\\n// change {{Account_Name}} value below to the username you are interested in and {{Account_NTDomain}} to the domain of the user you are interested in\\nGetAllLogonsForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027) \\n| where RelatedRowSet =~ \u0027AllEvents\u0027 and EventID == 4625 and LogonTypeName == \u00272 - Interactive\u0027 | extend TimeGenerated=StartTime \\n| project Computer, WorkstationName, LogonTypeName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueryTemplates/11449689-6542-4867-86dc-56264abbd90c\",\"name\":\"11449689-6542-4867-86dc-56264abbd90c\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Failed network log-ins to a host\",\"content\":\"The user {{Account_Name}} logged on to host {{Computer}} {{Count}} time(s)\",\"description\":\"This activity lists the user\u0027s failed network log-ins, grouped by Host.\",\"queryDefinitions\":{\"query\":\"let GetAllLogonsForUser = (v_Account_Name:string, v_Account_NTDomain:string){\\nlet AllEvents = SecurityEvent\\n| extend p_Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nv_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nv_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\nv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\nv_Account_Name\\n)\\n| extend p_Account_NTDomain = case(\\nv_Account_NTDomain has \u0027\\\\\\\\\u0027, tostring(split(v_Account_NTDomain, \u0027\\\\\\\\\u0027)[0]), \\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nv_Account_NTDomain has \u0027@\u0027, tostring(split(tostring(split(v_Account_NTDomain, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nv_Account_NTDomain\\n)\\n| where EventID in (4624, 4625, 4672)\\n| where AccountType =~ \u0027User\u0027\\n| where TargetUserName =~ p_Account_Name and TargetDomainName =~ p_Account_NTDomain\\n| extend PassedInAccountName = p_Account_Name, PassedInNTDomain = p_Account_NTDomain, RelatedRowSet = \u0027AllEvents\u0027\\n| extend HourOfLogin = hourofday(TimeGenerated), DayNumberofWeek = dayofweek(TimeGenerated)\\n| extend DayofWeek = case(\\nDayNumberofWeek == \\\"00:00:00\\\", \\\"Sunday\\\", \\nDayNumberofWeek == \\\"1.00:00:00\\\", \\\"Monday\\\", \\nDayNumberofWeek == \\\"2.00:00:00\\\", \\\"Tuesday\\\", \\nDayNumberofWeek == \\\"3.00:00:00\\\", \\\"Wednesday\\\", \\nDayNumberofWeek == \\\"4.00:00:00\\\", \\\"Thursday\\\", \\nDayNumberofWeek == \\\"5.00:00:00\\\", \\\"Friday\\\", \\nDayNumberofWeek == \\\"6.00:00:00\\\", \\\"Saturday\\\",\\\"InvalidTimeStamp\\\")\\n// map the most common ntstatus codes\\n| extend StatusDesc = case(\\nStatus =~ \\\"0x80090302\\\", \\\"SEC_E_UNSUPPORTED_FUNCTION\\\",\\nStatus =~ \\\"0x80090308\\\", \\\"SEC_E_INVALID_TOKEN\\\",\\nStatus =~ \\\"0x8009030E\\\", \\\"SEC_E_NO_CREDENTIALS\\\",\\nStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nStatus =~ \\\"0xC0000017\\\", \\\"STATUS_NO_MEMORY\\\",\\nStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nStatus =~ \\\"0xC0000034\\\", \\\"STATUS_OBJECT_NAME_NOT_FOUND\\\",\\nStatus =~ \\\"0xC000005E\\\", \\\"STATUS_NO_LOGON_SERVERS\\\",\\nStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nStatus =~ \\\"0xC00000FE\\\", \\\"STATUS_NO_SUCH_PACKAGE\\\",\\nStatus =~ \\\"0xC000009A\\\", \\\"STATUS_INSUFFICIENT_RESOURCES\\\",\\nStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nStatus =~ \\\"0xC0000106\\\", \\\"STATUS_NAME_TOO_LONG\\\",\\nStatus =~ \\\"0xC000010B\\\", \\\"STATUS_INVALID_LOGON_TYPE\\\",\\nStatus =~ \\\"0xC000015B\\\", \\\"STATUS_LOGON_TYPE_NOT_GRANTED\\\",\\nStatus =~ \\\"0xC000018B\\\", \\\"STATUS_NO_TRUST_SAM_ACCOUNT\\\",\\nStatus =~ \\\"0xC0000224\\\", \\\"STATUS_PASSWORD_MUST_CHANGE\\\",\\nStatus =~ \\\"0xC0000234\\\", \\\"STATUS_ACCOUNT_LOCKED_OUT\\\",\\nStatus =~ \\\"0xC00002EE\\\", \\\"STATUS_UNFINISHED_CONTEXT_DELETED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| extend SubStatusDesc = case(\\nSubStatus =~ \\\"0x80090325\\\", \\\"SEC_E_UNTRUSTED_ROOT\\\",\\nSubStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nSubStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nSubStatus =~ \\\"0xC0000064\\\", \\\"STATUS_NO_SUCH_USER\\\",\\nSubStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nSubStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nSubStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nSubStatus =~ \\\"0xC000006F\\\", \\\"STATUS_INVALID_LOGON_HOURS\\\",\\nSubStatus =~ \\\"0xC0000070\\\", \\\"STATUS_INVALID_WORKSTATION\\\",\\nSubStatus =~ \\\"0xC0000071\\\", \\\"STATUS_PASSWORD_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000072\\\", \\\"STATUS_ACCOUNT_DISABLED\\\",\\nSubStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nSubStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nSubStatus =~ \\\"0xC0000133\\\", \\\"STATUS_TIME_DIFFERENCE_AT_DC\\\",\\nSubStatus =~ \\\"0xC000018D\\\", \\\"STATUS_TRUSTED_RELATIONSHIP_FAILURE\\\",\\nSubStatus =~ \\\"0xC0000193\\\", \\\"STATUS_ACCOUNT_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000380\\\", \\\"STATUS_SMARTCARD_WRONG_PIN\\\",\\nSubStatus =~ \\\"0xC0000381\\\", \\\"STATUS_SMARTCARD_CARD_BLOCKED\\\",\\nSubStatus =~ \\\"0xC0000382\\\", \\\"STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED\\\",\\nSubStatus =~ \\\"0xC0000383\\\", \\\"STATUS_SMARTCARD_NO_CARD\\\",\\nSubStatus =~ \\\"0xC0000384\\\", \\\"STATUS_SMARTCARD_NO_KEY_CONTAINER\\\",\\nSubStatus =~ \\\"0xC0000385\\\", \\\"STATUS_SMARTCARD_NO_CERTIFICATE\\\",\\nSubStatus =~ \\\"0xC0000386\\\", \\\"STATUS_SMARTCARD_NO_KEYSET\\\",\\nSubStatus =~ \\\"0xC0000387\\\", \\\"STATUS_SMARTCARD_IO_ERROR\\\",\\nSubStatus =~ \\\"0xC0000388\\\", \\\"STATUS_DOWNGRADE_DETECTED\\\",\\nSubStatus =~ \\\"0xC0000389\\\", \\\"STATUS_SMARTCARD_CERT_REVOKED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| project StartTime = TimeGenerated, DayofWeek, HourOfLogin, EventID, Activity, IpAddress, WorkstationName, Computer, TargetUserName, TargetDomainName, ProcessName, SubjectUserName, PrivilegeList, PassedInAccountName, PassedInNTDomain, LogonTypeName, StatusDesc, SubStatusDesc, RelatedRowSet \\n;\\nlet UserSigninToSystems = AllEvents\\n| where EventID == 4624\\n| project-away StatusDesc, SubStatusDesc, PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserSigninToSystems\u0027 ;\\nlet UserFailedSigninToSystems = AllEvents\\n| where EventID == 4625\\n| project-away PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserFailedSigninToSystems\u0027 ;\\nlet UserSigninDuringAbnormalHours = AllEvents\\n| where StartTime between (ago(14d)..ago(2d))\\n| where EventID in (4624,4625)\\n| where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n| summarize max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek) by TargetUserName\\n| join kind= inner\\n(\\n AllEvents\\n | where StartTime \u003e ago(2d)\\n | where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n)\\non TargetUserName\\n| where HourOfLogin \u003e max_HourOfLogin or HourOfLogin \u003c min_HourOfLogin\\n| extend historical_DayofWeek = tostring(historical_DayofWeek)\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), current_DayofWeek =make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName, StatusDesc, SubStatusDesc, historical_DayofWeek\\n| extend historical_DayofWeek = todynamic(historical_DayofWeek) \\n| extend RelatedRowSet = \u0027UserSigninDuringAbnormalHour\u0027; \\nlet UserHadPrivilegedLogonSessions = AllEvents\\n| where EventID == 4672\\n| where PrivilegeList contains \u0027SeDebugPrivilege\u0027\\n| project-away StatusDesc, SubStatusDesc\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, PrivilegeList\\n// Notice! summarize removes the TimeGenerated field, which is required for Activities.\\n| extend RelatedRowSet = \u0027UserHadPrivilegedLogonSessions\u0027 ;\\nunion isfuzzy=true AllEvents, UserSigninToSystems, UserFailedSigninToSystems, UserSigninDuringAbnormalHours, UserHadPrivilegedLogonSessions\\n};\\n// change {{Account_Name}} value below to the username you are interested in and {{Account_NTDomain}} to the domain of the user you are interested in\\nGetAllLogonsForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027) \\n| where RelatedRowSet =~ \u0027AllEvents\u0027 and EventID == 4625 and LogonTypeName == \u00273 - Network\u0027 | extend TimeGenerated=StartTime \\n| project Computer, WorkstationName, LogonTypeName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueryTemplates/686cf7e8-87c7-4391-8898-25adf1033a54\",\"name\":\"686cf7e8-87c7-4391-8898-25adf1033a54\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Failed remote interactive log-ins to a host\",\"content\":\"The user {{Account_Name}} failed to logged on to host {{Computer}} {{Count}} time(s)\",\"description\":\"This activity lists the user\u0027s failed remote interactive log-ins, grouped by Host.\",\"queryDefinitions\":{\"query\":\"let GetAllLogonsForUser = (v_Account_Name:string, v_Account_NTDomain:string){\\nlet AllEvents = SecurityEvent\\n| extend p_Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nv_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nv_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\nv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\nv_Account_Name\\n)\\n| extend p_Account_NTDomain = case(\\nv_Account_NTDomain has \u0027\\\\\\\\\u0027, tostring(split(v_Account_NTDomain, \u0027\\\\\\\\\u0027)[0]), \\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nv_Account_NTDomain has \u0027@\u0027, tostring(split(tostring(split(v_Account_NTDomain, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nv_Account_NTDomain\\n)\\n| where EventID in (4624, 4625, 4672)\\n| where AccountType =~ \u0027User\u0027\\n| where TargetUserName =~ p_Account_Name and TargetDomainName =~ p_Account_NTDomain\\n| extend PassedInAccountName = p_Account_Name, PassedInNTDomain = p_Account_NTDomain, RelatedRowSet = \u0027AllEvents\u0027\\n| extend HourOfLogin = hourofday(TimeGenerated), DayNumberofWeek = dayofweek(TimeGenerated)\\n| extend DayofWeek = case(\\nDayNumberofWeek == \\\"00:00:00\\\", \\\"Sunday\\\", \\nDayNumberofWeek == \\\"1.00:00:00\\\", \\\"Monday\\\", \\nDayNumberofWeek == \\\"2.00:00:00\\\", \\\"Tuesday\\\", \\nDayNumberofWeek == \\\"3.00:00:00\\\", \\\"Wednesday\\\", \\nDayNumberofWeek == \\\"4.00:00:00\\\", \\\"Thursday\\\", \\nDayNumberofWeek == \\\"5.00:00:00\\\", \\\"Friday\\\", \\nDayNumberofWeek == \\\"6.00:00:00\\\", \\\"Saturday\\\",\\\"InvalidTimeStamp\\\")\\n// map the most common ntstatus codes\\n| extend StatusDesc = case(\\nStatus =~ \\\"0x80090302\\\", \\\"SEC_E_UNSUPPORTED_FUNCTION\\\",\\nStatus =~ \\\"0x80090308\\\", \\\"SEC_E_INVALID_TOKEN\\\",\\nStatus =~ \\\"0x8009030E\\\", \\\"SEC_E_NO_CREDENTIALS\\\",\\nStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nStatus =~ \\\"0xC0000017\\\", \\\"STATUS_NO_MEMORY\\\",\\nStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nStatus =~ \\\"0xC0000034\\\", \\\"STATUS_OBJECT_NAME_NOT_FOUND\\\",\\nStatus =~ \\\"0xC000005E\\\", \\\"STATUS_NO_LOGON_SERVERS\\\",\\nStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nStatus =~ \\\"0xC00000FE\\\", \\\"STATUS_NO_SUCH_PACKAGE\\\",\\nStatus =~ \\\"0xC000009A\\\", \\\"STATUS_INSUFFICIENT_RESOURCES\\\",\\nStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nStatus =~ \\\"0xC0000106\\\", \\\"STATUS_NAME_TOO_LONG\\\",\\nStatus =~ \\\"0xC000010B\\\", \\\"STATUS_INVALID_LOGON_TYPE\\\",\\nStatus =~ \\\"0xC000015B\\\", \\\"STATUS_LOGON_TYPE_NOT_GRANTED\\\",\\nStatus =~ \\\"0xC000018B\\\", \\\"STATUS_NO_TRUST_SAM_ACCOUNT\\\",\\nStatus =~ \\\"0xC0000224\\\", \\\"STATUS_PASSWORD_MUST_CHANGE\\\",\\nStatus =~ \\\"0xC0000234\\\", \\\"STATUS_ACCOUNT_LOCKED_OUT\\\",\\nStatus =~ \\\"0xC00002EE\\\", \\\"STATUS_UNFINISHED_CONTEXT_DELETED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| extend SubStatusDesc = case(\\nSubStatus =~ \\\"0x80090325\\\", \\\"SEC_E_UNTRUSTED_ROOT\\\",\\nSubStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nSubStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nSubStatus =~ \\\"0xC0000064\\\", \\\"STATUS_NO_SUCH_USER\\\",\\nSubStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nSubStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nSubStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nSubStatus =~ \\\"0xC000006F\\\", \\\"STATUS_INVALID_LOGON_HOURS\\\",\\nSubStatus =~ \\\"0xC0000070\\\", \\\"STATUS_INVALID_WORKSTATION\\\",\\nSubStatus =~ \\\"0xC0000071\\\", \\\"STATUS_PASSWORD_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000072\\\", \\\"STATUS_ACCOUNT_DISABLED\\\",\\nSubStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nSubStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nSubStatus =~ \\\"0xC0000133\\\", \\\"STATUS_TIME_DIFFERENCE_AT_DC\\\",\\nSubStatus =~ \\\"0xC000018D\\\", \\\"STATUS_TRUSTED_RELATIONSHIP_FAILURE\\\",\\nSubStatus =~ \\\"0xC0000193\\\", \\\"STATUS_ACCOUNT_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000380\\\", \\\"STATUS_SMARTCARD_WRONG_PIN\\\",\\nSubStatus =~ \\\"0xC0000381\\\", \\\"STATUS_SMARTCARD_CARD_BLOCKED\\\",\\nSubStatus =~ \\\"0xC0000382\\\", \\\"STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED\\\",\\nSubStatus =~ \\\"0xC0000383\\\", \\\"STATUS_SMARTCARD_NO_CARD\\\",\\nSubStatus =~ \\\"0xC0000384\\\", \\\"STATUS_SMARTCARD_NO_KEY_CONTAINER\\\",\\nSubStatus =~ \\\"0xC0000385\\\", \\\"STATUS_SMARTCARD_NO_CERTIFICATE\\\",\\nSubStatus =~ \\\"0xC0000386\\\", \\\"STATUS_SMARTCARD_NO_KEYSET\\\",\\nSubStatus =~ \\\"0xC0000387\\\", \\\"STATUS_SMARTCARD_IO_ERROR\\\",\\nSubStatus =~ \\\"0xC0000388\\\", \\\"STATUS_DOWNGRADE_DETECTED\\\",\\nSubStatus =~ \\\"0xC0000389\\\", \\\"STATUS_SMARTCARD_CERT_REVOKED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| project StartTime = TimeGenerated, DayofWeek, HourOfLogin, EventID, Activity, IpAddress, WorkstationName, Computer, TargetUserName, TargetDomainName, ProcessName, SubjectUserName, PrivilegeList, PassedInAccountName, PassedInNTDomain, LogonTypeName, StatusDesc, SubStatusDesc, RelatedRowSet \\n;\\nlet UserSigninToSystems = AllEvents\\n| where EventID == 4624\\n| project-away StatusDesc, SubStatusDesc, PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserSigninToSystems\u0027 ;\\nlet UserFailedSigninToSystems = AllEvents\\n| where EventID == 4625\\n| project-away PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserFailedSigninToSystems\u0027 ;\\nlet UserSigninDuringAbnormalHours = AllEvents\\n| where StartTime between (ago(14d)..ago(2d))\\n| where EventID in (4624,4625)\\n| where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n| summarize max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek) by TargetUserName\\n| join kind= inner\\n(\\n AllEvents\\n | where StartTime \u003e ago(2d)\\n | where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n)\\non TargetUserName\\n| where HourOfLogin \u003e max_HourOfLogin or HourOfLogin \u003c min_HourOfLogin\\n| extend historical_DayofWeek = tostring(historical_DayofWeek)\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), current_DayofWeek =make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName, StatusDesc, SubStatusDesc, historical_DayofWeek\\n| extend historical_DayofWeek = todynamic(historical_DayofWeek) \\n| extend RelatedRowSet = \u0027UserSigninDuringAbnormalHour\u0027; \\nlet UserHadPrivilegedLogonSessions = AllEvents\\n| where EventID == 4672\\n| where PrivilegeList contains \u0027SeDebugPrivilege\u0027\\n| project-away StatusDesc, SubStatusDesc\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, PrivilegeList\\n// Notice! summarize removes the TimeGenerated field, which is required for Activities.\\n| extend RelatedRowSet = \u0027UserHadPrivilegedLogonSessions\u0027 ;\\nunion isfuzzy=true AllEvents, UserSigninToSystems, UserFailedSigninToSystems, UserSigninDuringAbnormalHours, UserHadPrivilegedLogonSessions\\n};\\n// change {{Account_Name}} value below to the username you are interested in and {{Account_NTDomain}} to the domain of the user you are interested in\\nGetAllLogonsForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027) \\n| where RelatedRowSet =~ \u0027AllEvents\u0027 and EventID == 4625 and LogonTypeName == \u002710 - RemoteInteractive\u0027 | extend TimeGenerated=StartTime \\n| project Computer, WorkstationName, LogonTypeName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueryTemplates/c6523929-5696-4e94-8a61-61aeb1c953d1\",\"name\":\"c6523929-5696-4e94-8a61-61aeb1c953d1\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Custom Script Extension execution (Preview)\",\"content\":\"The account {{Caller}} ran the custom script extension {{extName}} {{Count}} time(s)\",\"description\":\"This activity indicated Custom Script Extension execution\",\"queryDefinitions\":{\"query\":\"AzureActivity\\n| where OperationNameValue =~ \\\"MICROSOFT.COMPUTE/VIRTUALMACHINES/EXTENSIONS/WRITE\\\"\\n| where _ResourceId =~ \u0027{{AzureResource_ResourceId}}\u0027\\n| extend resBody = parse_json(Properties).responseBody\\n| where resBody != \\\"\\\"\\n| extend resBody = parse_json(tostring(resBody))\\n| extend extName = tostring(resBody.name), extType = resBody.properties.type\\n| where extType in (\\\"CustomScriptExtension\\\", \\\"CustomScript\\\", \\\"CustomScriptForLinux\\\")\\n| project TimeGenerated, Caller, _ResourceId, OperationNameValue, Resource, extType, extName \\n| project Caller, _ResourceId, extName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AzureActivity\"}],\"inputEntityType\":\"AzureResource\",\"requiredInputFieldsSets\":[[\"AzureResource_ResourceId\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueryTemplates/5a2b8371-8708-4e41-8613-b64bbcbd0199\",\"name\":\"5a2b8371-8708-4e41-8613-b64bbcbd0199\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Azure Key Vault sensitive operation\",\"content\":\"The operation {{OperationName}} was observed from the IP {{CallerIPAddress}} {{Count}} time(s)\",\"description\":\"This activity indicated sensitive operation of Azure Key Valut\",\"queryDefinitions\":{\"query\":\"let SensitiveOperationList = dynamic([\\\"VaultDelete\\\", \\\"KeyDelete\\\", \\\"SecretDelete\\\", \\\"SecretPurge\\\", \\\"KeyPurge\\\", \\\"SecretBackup\\\", \\\"KeyBackup\\\"]);\\n AzureDiagnostics\\n | where ResourceType == \\\"VAULTS\\\"\\n | where Category == \\\"AuditEvent\\\"\\n | where ResourceId =~ \u0027{{AzureResource_ResourceId}}\u0027\\n | extend Result = columnifexists(\\\"ResultType\\\", \\\"NoResult\\\")\\n | extend requestUri_s = columnifexists(\\\"requestUri_s\\\", \\\"None\\\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"None\\\")\\n | extend id_s = columnifexists(\\\"id_s\\\", \\\"None\\\"), CallerIPAddress = columnifexists(\\\"CallerIPAddress\\\", \\\"None\\\"), clientInfo_s = columnifexists(\\\"clientInfo_s\\\", \\\"None\\\")\\n | where Result !~ \\\"None\\\" and isnotempty(Result)\\n | where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \\\"None\\\" and isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\\n | where id_s !~ \\\"None\\\" and isnotempty(id_s)\\n | where CallerIPAddress !~ \\\"None\\\" and isnotempty(CallerIPAddress)\\n | where clientInfo_s !~ \\\"None\\\" and isnotempty(clientInfo_s)\\n | where requestUri_s !~ \\\"None\\\" and isnotempty(requestUri_s)\\n | where ResourceType =~ \\\"VAULTS\\\" and Result =~ \\\"Success\\\"\\n | where OperationName in~ (SensitiveOperationList)\\n | project TimeGenerated, ResourceId, Result, OperationName, CallerIPAddress \\n| project ResourceId, OperationName, CallerIPAddress, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AzureDiagnostics\"}],\"inputEntityType\":\"AzureResource\",\"requiredInputFieldsSets\":[[\"AzureResource_ResourceId\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueryTemplates/a8b50062-f80e-4331-a247-de0e10d7b83f\",\"name\":\"a8b50062-f80e-4331-a247-de0e10d7b83f\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Storage account keys list (Preview)\",\"content\":\"The account {{Caller}} retrieved the keys of the storage account {{_ResourceId}} {{Count}} time(s)\",\"description\":\"This activity indicated storage account keys list operation\",\"queryDefinitions\":{\"query\":\"AzureActivity\\n| where OperationNameValue =~ \\\"Microsoft.Storage/storageAccounts/listKeys/action\\\"\\n| where _ResourceId =~ \u0027{{AzureResource_ResourceId}}\u0027\\n| project TimeGenerated, Caller, _ResourceId, OperationNameValue, Resource \\n| project Caller, _ResourceId, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AzureActivity\"}],\"inputEntityType\":\"AzureResource\",\"requiredInputFieldsSets\":[[\"AzureResource_ResourceId\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueryTemplates/e24d372a-ce9a-424e-99ba-5894177365a0\",\"name\":\"e24d372a-ce9a-424e-99ba-5894177365a0\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Storage account keys list were regenerated (Preview)\",\"content\":\"The account {{Caller}} regenerated the keys of the storage account {{_ResourceId}} {{Count}} time(s)\",\"description\":\"This activity indicated storage account keys list regeneration\",\"queryDefinitions\":{\"query\":\"AzureActivity\\n| where OperationNameValue =~ \\\"MICROSOFT.STORAGE/STORAGEACCOUNTS/REGENERATEKEY/ACTION\\\"\\n| where _ResourceId =~ \u0027{{AzureResource_ResourceId}}\u0027\\n| project TimeGenerated, Caller, _ResourceId, OperationNameValue, Resource \\n| project Caller, _ResourceId, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AzureActivity\"}],\"inputEntityType\":\"AzureResource\",\"requiredInputFieldsSets\":[[\"AzureResource_ResourceId\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueryTemplates/2276eacb-9400-47e9-88c9-600b9b04ad81\",\"name\":\"2276eacb-9400-47e9-88c9-600b9b04ad81\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"VM Run Command execution (Preview)\",\"content\":\"The account {{Caller}} used Run Command on the VM {{Count}} time(s)\",\"description\":\"This activity indicates usage of Run Command\",\"queryDefinitions\":{\"query\":\"AzureActivity\\n| where OperationNameValue =~ \\\"MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION\\\"\\n| where _ResourceId =~ \u0027{{AzureResource_ResourceId}}\u0027\\n| project TimeGenerated, Caller, _ResourceId, OperationNameValue, Resource \\n| project Caller, _ResourceId, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AzureActivity\"}],\"inputEntityType\":\"AzureResource\",\"requiredInputFieldsSets\":[[\"AzureResource_ResourceId\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueryTemplates/0aa3626b-30dd-4731-9d1e-39872a73949c\",\"name\":\"0aa3626b-30dd-4731-9d1e-39872a73949c\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"VM access extension execution (Preview)\",\"content\":\"The account {{Caller}} ran VM Access extension on the VM {{Count}} time(s)\",\"description\":\"This activity indicated VM access extension execution\",\"queryDefinitions\":{\"query\":\"AzureActivity\\n| where OperationNameValue =~ \\\"MICROSOFT.COMPUTE/VIRTUALMACHINES/EXTENSIONS/WRITE\\\"\\n| where _ResourceId =~ \u0027{{AzureResource_ResourceId}}\u0027\\n| extend resBody = parse_json(Properties).responseBody\\n| where resBody != \\\"\\\"\\n| extend resBody = parse_json(tostring(resBody))\\n| extend extName = resBody.name, extType = resBody.properties.type\\n| where extType in (\\\"VMAccessAgent\\\", \\\"VMAccessForLinux\\\")\\n| project TimeGenerated, Caller, _ResourceId, OperationNameValue, Resource \\n| project Caller, _ResourceId, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AzureActivity\"}],\"inputEntityType\":\"AzureResource\",\"requiredInputFieldsSets\":[[\"AzureResource_ResourceId\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueryTemplates/307c85ee-39a2-4da3-952e-4fd79aa46d3a\",\"name\":\"307c85ee-39a2-4da3-952e-4fd79aa46d3a\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was created on this host\",\"content\":\"On \u0027{{Computer}}\u0027 the account \u0027{{TargetAccount}}\u0027 was created by \u0027{{AddedBy}}\u0027\",\"description\":\"Account created on host\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)\\n// parsing for Host to handle variety of conventions coming from data\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| where (isnotempty(v_Host_Name) and Host_HostName=~ v_Host_Name and isnotempty(v_Host_NTDomain) and Host_NTDomain =~ v_Host_NTDomain) \\nor (isnotempty(v_Host_Name) and Host_HostName =~ v_Host_Name and isnotempty(v_Host_NTDomain) and isnotempty(v_Host_DnsDomain) and Host_DnsDomain =~ v_Host_DnsDomain) \\nor (isnotempty(v_Host_AzureID) and v_Host_AzureID =~ _ResourceId)\\nor (isnotempty(v_Host_OMSAgentID) and v_Host_OMSAgentID == SourceComputerId)\\n| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid, _ResourceId, SourceComputerId\\n| extend AddedBy = SubjectUserName\\n// Future support for Activities\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = TargetAccount\\n};\\nGetAccountActions(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027) \\n| where EventID == 4720 \\n| project Computer, TargetAccount, AddedBy, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueryTemplates/31529548-dbd2-4d5d-8270-710330cdcec7\",\"name\":\"31529548-dbd2-4d5d-8270-710330cdcec7\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was deleted on this host\",\"content\":\"On \u0027{{Computer}}\u0027 the account \u0027{{TargetAccount}}\u0027 was deleted by \u0027{{AddedBy}}\u0027\",\"description\":\"Account deleted on host\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)\\n// parsing for Host to handle variety of conventions coming from data\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| where (isnotempty(v_Host_Name) and Host_HostName=~ v_Host_Name and isnotempty(v_Host_NTDomain) and Host_NTDomain =~ v_Host_NTDomain) \\nor (isnotempty(v_Host_Name) and Host_HostName =~ v_Host_Name and isnotempty(v_Host_NTDomain) and isnotempty(v_Host_DnsDomain) and Host_DnsDomain =~ v_Host_DnsDomain) \\nor (isnotempty(v_Host_AzureID) and v_Host_AzureID =~ _ResourceId)\\nor (isnotempty(v_Host_OMSAgentID) and v_Host_OMSAgentID == SourceComputerId)\\n| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid, _ResourceId, SourceComputerId\\n| extend AddedBy = SubjectUserName\\n// Future support for Activities\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = TargetAccount\\n};\\nGetAccountActions(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027) \\n| where EventID == 4726 \\n| project Computer, TargetAccount, AddedBy, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueryTemplates/37d8da04-1fe3-406f-a1a0-a3763f7ec16c\",\"name\":\"37d8da04-1fe3-406f-a1a0-a3763f7ec16c\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Dropped, blocked, or denied network traffic on this host\",\"content\":\"\u0027{{DeviceAction}}\u0027 network traffic from \u0027{{SourceIP}}\u0027 to \u0027{{DestinationIP}}\u0027 via port \u0027{{DestinationPort}}\u0027\",\"description\":\"Dropped, blocked, or denied network traffic originating from a specific host.\",\"queryDefinitions\":{\"query\":\"let CommonSecurityEvents = (v_Host_HostName:string) {\\nCommonSecurityLog\\n| where DeviceVendor in~ (\\\"drop\\\", \\\"dropped\\\", \\\"deny\\\", \\\"denied\\\", \\\"block\\\", \\\"blocked\\\")\\n| extend hostname = iff(\\n DeviceVendor =~ \\\"zscalar\\\",\\n extract(@\\\"devicehostname=([^;]+)\\\", 1, AdditionalExtensions),\\n iff(DeviceVendor in~ (\\\"palo alto\\\", \\\"fortinet\\\", \\\"check point\\\") and isnotempty(SourceHostName), SourceHostName, \\\"Unknown\\\"))\\n| where hostname != \\\"Unknown\\\" and hostname != \\\"NA\\\"\\n| extend hostname = case(\\nSourceHostName has \u0027@\u0027, tostring(split(SourceHostName, \u0027@\u0027)[0]),\\nSourceHostName has \u0027\\\\\\\\\u0027, tostring(split(SourceHostName, \u0027\\\\\\\\\u0027)[1]),\\nSourceHostName has \u0027.\u0027, tostring(split(SourceHostName, \u0027.\u0027)[0]),\\nhostname\\n)\\n| where hostname == v_Host_HostName // Use the provided hostname parameter for filtering\\n| project DestinationIP, DestinationPort, SourceIP, DeviceAction, TimeGenerated\\n};\\n// Calling the function with the input hostname parameter\\nCommonSecurityEvents(\u0027{{Host_HostName}}\u0027) \\n| project DestinationIP, DestinationPort, SourceIP, DeviceAction, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"CommonSecurityLog\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueryTemplates/2fcda698-9526-454f-8fe0-4a0fd7af13f2\",\"name\":\"2fcda698-9526-454f-8fe0-4a0fd7af13f2\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Security Event log cleared by account on this host\",\"content\":\"On \u0027{{Computer}}\u0027 the user \u0027{{SubjectAccount}}\u0027 cleared the \u0027{{LogName}}\u0027 log, EventID: \u0027{{EventID}}\u0027\",\"description\":\"Security Event log cleared by account\",\"queryDefinitions\":{\"query\":\"let SystemAccount = datatable(AccountName:string)[\u0027NT AUTHORITY\\\\\\\\SYSTEM\u0027, \u0027NT AUTHORITY\\\\\\\\NETWORK SERVICE\u0027, \u0027NT AUTHORITY\\\\\\\\LOCAL SERVICE\u0027, \u0027NT AUTHORITY\\\\\\\\IUSR\u0027, \u0027NTAUTHORITY\\\\\\\\ANONYMOUS LOGON\u0027];\\nlet SvcAcctList = dynamic([\\\"Local SYSTEM\\\",\\\"Local SERVICE\\\",\\\"Network SERVICE\\\",\\\"NT AUTHORITY\\\"]);\\nlet ServiceAccount = SecurityEvent\\n| where EventID == \u00274624\u0027 and LogonType == \u00275\u0027 and not(Account has_any (SvcAcctList))\\n| extend AccountName = Account\\n| distinct AccountName;\\nlet MachineAccount = SecurityEvent\\n| where EventID == \u00274624\u0027 and AccountType == \\\"Machine\\\" and not(Account has_any (SvcAcctList))\\n| extend AccountName = Account\\n| distinct AccountName;\\nlet Accounts = union isfuzzy=true SystemAccount, ServiceAccount, MachineAccount;\\nlet source = \u0027Microsoft-Windows-Eventlog\u0027;\\nlet tableFunc = (tableName:string, event:int){\\ntable(tableName) \\n| where EventID == event\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| extend SourceComputerId = column_ifexists(\\\"SourceComputerId\\\", \\\"NotAvailable\\\"), EventOriginId = column_ifexists(\\\"EventOriginId\\\", \\\"NotAvailable\\\")\\n| parse EventData with * \u0027SubjectUserName\u003e\u0027 SubjectUserName \u0027\u003c\u0027 *\\n| parse EventData with * \u0027SubjectUserSid\u003e\u0027 SubjectUserSid \u0027\u003c\u0027 *\\n| parse EventData with * \u0027SubjectLogonId\u003e\u0027 SubjectLogonId \u0027\u003c\u0027 *\\n| parse EventData with * \u0027SubjectDomainName\u003e\u0027 SubjectDomainName \u0027\u003c\u0027 *\\n| extend SubjectAccount = strcat(SubjectDomainName, \u0027\\\\\\\\\u0027, SubjectUserName)\\n};\\nlet HostClearedEventLog = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string)\\n{\\nlet Event104 = tableFunc(\u0027Event\u0027, event=104)\\n| where Source =~ source\\n| where (isnotempty(v_Host_Name) and Host_HostName=~ v_Host_Name and isnotempty(v_Host_NTDomain) and Host_NTDomain =~ v_Host_NTDomain) \\nor (isnotempty(v_Host_Name) and Host_HostName =~ v_Host_Name and isnotempty(v_Host_NTDomain) and isnotempty(v_Host_DnsDomain) and Host_DnsDomain =~ v_Host_DnsDomain) \\nor (isnotempty(v_Host_AzureID) and v_Host_AzureID =~ _ResourceId)\\nor (isnotempty(v_Host_OMSAgentID) and v_Host_OMSAgentID == SourceComputerId)\\n| parse RenderedDescription with * \u0027The\u0027 LogName \u0027log\u0027 *\\n| project TimeGenerated, Computer, EventID, SubjectAccount, SubjectUserName, SubjectDomainName, LogName, SubjectUserSid, SubjectLogonId, SourceComputerId, EventOriginId, _ResourceId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount, HostCustomEntity = Computer;\\nlet Event1102 = tableFunc(\u0027SecurityEvent\u0027, event=1102)\\n| where EventSourceName == source\\n| where (isnotempty(v_Host_Name) and Host_HostName=~ v_Host_Name and isnotempty(v_Host_NTDomain) and Host_NTDomain =~ v_Host_NTDomain) \\nor (isnotempty(v_Host_Name) and Host_HostName =~ v_Host_Name and isnotempty(v_Host_NTDomain) and isnotempty(v_Host_DnsDomain) and Host_DnsDomain =~ v_Host_DnsDomain) \\nor (isnotempty(v_Host_AzureID) and v_Host_AzureID =~ _ResourceId)\\nor (isnotempty(v_Host_OMSAgentID) and v_Host_OMSAgentID == SourceComputerId)\\n| extend LogName = \u0027Security\u0027\\n| project TimeGenerated, Computer, EventID, SubjectAccount, SubjectUserName, SubjectDomainName, LogName, SubjectUserSid, SubjectLogonId, SourceComputerId, EventOriginId, _ResourceId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount, HostCustomEntity = Computer;\\nunion isfuzzy=true Event104, Event1102\\n};\\nHostClearedEventLog(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027) \\n| where LogName =~ \u0027Security\u0027 \\n| project Computer, SubjectAccount, LogName, EventID, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"},{\"dataType\":\"Event\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueryTemplates/3ff675ee-3052-4e0b-88ad-f34ed1732adc\",\"name\":\"3ff675ee-3052-4e0b-88ad-f34ed1732adc\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Event log(s) cleared by account on this host\",\"content\":\"On \u0027{{Computer}}\u0027 the user \u0027{{SubjectAccount}}\u0027 cleared the \u0027{{LogName}}\u0027 log, EventID: \u0027{{EventID}}\u0027\",\"description\":\"Event logs cleared by account\",\"queryDefinitions\":{\"query\":\"let SystemAccount = datatable(AccountName:string)[\u0027NT AUTHORITY\\\\\\\\SYSTEM\u0027, \u0027NT AUTHORITY\\\\\\\\NETWORK SERVICE\u0027, \u0027NT AUTHORITY\\\\\\\\LOCAL SERVICE\u0027, \u0027NT AUTHORITY\\\\\\\\IUSR\u0027, \u0027NTAUTHORITY\\\\\\\\ANONYMOUS LOGON\u0027];\\nlet SvcAcctList = dynamic([\\\"Local SYSTEM\\\",\\\"Local SERVICE\\\",\\\"Network SERVICE\\\",\\\"NT AUTHORITY\\\"]);\\nlet ServiceAccount = SecurityEvent\\n| where EventID == \u00274624\u0027 and LogonType == \u00275\u0027 and not(Account has_any (SvcAcctList))\\n| extend AccountName = Account\\n| distinct AccountName;\\nlet MachineAccount = SecurityEvent\\n| where EventID == \u00274624\u0027 and AccountType == \\\"Machine\\\" and not(Account has_any (SvcAcctList))\\n| extend AccountName = Account\\n| distinct AccountName;\\nlet Accounts = union isfuzzy=true SystemAccount, ServiceAccount, MachineAccount;\\nlet source = \u0027Microsoft-Windows-Eventlog\u0027;\\nlet tableFunc = (tableName:string, event:int){\\ntable(tableName) \\n| where EventID == event\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| extend SourceComputerId = column_ifexists(\\\"SourceComputerId\\\", \\\"NotAvailable\\\"), EventOriginId = column_ifexists(\\\"EventOriginId\\\", \\\"NotAvailable\\\")\\n| parse EventData with * \u0027SubjectUserName\u003e\u0027 SubjectUserName \u0027\u003c\u0027 *\\n| parse EventData with * \u0027SubjectUserSid\u003e\u0027 SubjectUserSid \u0027\u003c\u0027 *\\n| parse EventData with * \u0027SubjectLogonId\u003e\u0027 SubjectLogonId \u0027\u003c\u0027 *\\n| parse EventData with * \u0027SubjectDomainName\u003e\u0027 SubjectDomainName \u0027\u003c\u0027 *\\n| extend SubjectAccount = strcat(SubjectDomainName, \u0027\\\\\\\\\u0027, SubjectUserName)\\n};\\nlet HostClearedEventLog = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string)\\n{\\nlet Event104 = tableFunc(\u0027Event\u0027, event=104)\\n| where Source =~ source\\n| where (isnotempty(v_Host_Name) and Host_HostName=~ v_Host_Name and isnotempty(v_Host_NTDomain) and Host_NTDomain =~ v_Host_NTDomain) \\nor (isnotempty(v_Host_Name) and Host_HostName =~ v_Host_Name and isnotempty(v_Host_NTDomain) and isnotempty(v_Host_DnsDomain) and Host_DnsDomain =~ v_Host_DnsDomain) \\nor (isnotempty(v_Host_AzureID) and v_Host_AzureID =~ _ResourceId)\\nor (isnotempty(v_Host_OMSAgentID) and v_Host_OMSAgentID == SourceComputerId)\\n| parse RenderedDescription with * \u0027The\u0027 LogName \u0027log\u0027 *\\n| project TimeGenerated, Computer, EventID, SubjectAccount, SubjectUserName, SubjectDomainName, LogName, SubjectUserSid, SubjectLogonId, SourceComputerId, EventOriginId, _ResourceId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount, HostCustomEntity = Computer;\\nlet Event1102 = tableFunc(\u0027SecurityEvent\u0027, event=1102)\\n| where EventSourceName == source\\n| where (isnotempty(v_Host_Name) and Host_HostName=~ v_Host_Name and isnotempty(v_Host_NTDomain) and Host_NTDomain =~ v_Host_NTDomain) \\nor (isnotempty(v_Host_Name) and Host_HostName =~ v_Host_Name and isnotempty(v_Host_NTDomain) and isnotempty(v_Host_DnsDomain) and Host_DnsDomain =~ v_Host_DnsDomain) \\nor (isnotempty(v_Host_AzureID) and v_Host_AzureID =~ _ResourceId)\\nor (isnotempty(v_Host_OMSAgentID) and v_Host_OMSAgentID == SourceComputerId)\\n| extend LogName = \u0027Security\u0027\\n| project TimeGenerated, Computer, EventID, SubjectAccount, SubjectUserName, SubjectDomainName, LogName, SubjectUserSid, SubjectLogonId, SourceComputerId, EventOriginId, _ResourceId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount, HostCustomEntity = Computer;\\nunion isfuzzy=true Event104, Event1102\\n};\\nHostClearedEventLog(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027) \\n| where LogName !~ \u0027Security\u0027 \\n| project Computer, SubjectAccount, LogName, EventID, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"},{\"dataType\":\"Event\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueryTemplates/b880ad94-f905-4ba8-8a3f-9088b19b12fa\",\"name\":\"b880ad94-f905-4ba8-8a3f-9088b19b12fa\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was added to the local Administrators group\",\"content\":\"On \u0027{{Computer}}\u0027 the user \u0027{{MemberAdded}}\u0027 was added by \u0027{{AddedBy}}\u0027 to group: \u0027{{GroupName}}\u0027\",\"description\":\"Account added to local Administrators group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForHost = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n// parsing for Host to handle variety of conventions coming from data\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| where (isnotempty(v_Host_Name) and Host_HostName=~ v_Host_Name and isnotempty(v_Host_NTDomain) and Host_NTDomain =~ v_Host_NTDomain) \\nor (isnotempty(v_Host_Name) and Host_HostName =~ v_Host_Name and isnotempty(v_Host_NTDomain) and isnotempty(v_Host_DnsDomain) and Host_DnsDomain =~ v_Host_DnsDomain) \\nor (isnotempty(v_Host_AzureID) and v_Host_AzureID =~ _ResourceId)\\nor (isnotempty(v_Host_OMSAgentID) and v_Host_OMSAgentID == SourceComputerId)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName) \\n| project TimeGenerated, EventID, Activity, Computer, MemberAdded, MemberName, MemberSid, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectUserName, SubjectUserSid, WellKnownGroupSID, WellKnownLocalSID, _ResourceId, SourceComputerId\\n| extend GroupName = TargetUserName, AddedBy = SubjectUserName\\n//support for Activities\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer\\n};\\nGetGroupAddForHost(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027) \\n| where TargetSid == \u0027S-1-5-32-544\u0027 \\n| project Computer, MemberAdded, AddedBy, GroupName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueryTemplates/aaad22c3-be50-465f-b258-8570d629c3db\",\"name\":\"aaad22c3-be50-465f-b258-8570d629c3db\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was added to the Domain Admins group\",\"content\":\"On \u0027{{Computer}}\u0027 the user \u0027{{MemberAdded}}\u0027 was added by \u0027{{AddedBy}}\u0027 to group: \u0027{{GroupName}}\u0027\",\"description\":\"Account added to the Domain Admins group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForHost = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n// parsing for Host to handle variety of conventions coming from data\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| where (isnotempty(v_Host_Name) and Host_HostName=~ v_Host_Name and isnotempty(v_Host_NTDomain) and Host_NTDomain =~ v_Host_NTDomain) \\nor (isnotempty(v_Host_Name) and Host_HostName =~ v_Host_Name and isnotempty(v_Host_NTDomain) and isnotempty(v_Host_DnsDomain) and Host_DnsDomain =~ v_Host_DnsDomain) \\nor (isnotempty(v_Host_AzureID) and v_Host_AzureID =~ _ResourceId)\\nor (isnotempty(v_Host_OMSAgentID) and v_Host_OMSAgentID == SourceComputerId)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName) \\n| project TimeGenerated, EventID, Activity, Computer, MemberAdded, MemberName, MemberSid, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectUserName, SubjectUserSid, WellKnownGroupSID, WellKnownLocalSID, _ResourceId, SourceComputerId\\n| extend GroupName = TargetUserName, AddedBy = SubjectUserName\\n//support for Activities\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer\\n};\\nGetGroupAddForHost(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027) \\n| where TargetSid matches regex \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-512$\u0027 \\n| project Computer, MemberAdded, AddedBy, GroupName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueryTemplates/cf3469b3-f64c-4ae2-9900-289617443d74\",\"name\":\"cf3469b3-f64c-4ae2-9900-289617443d74\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was added to the Enterprise Admins group\",\"content\":\"On \u0027{{Computer}}\u0027 the user \u0027{{MemberAdded}}\u0027 was added by \u0027{{AddedBy}}\u0027 to group: \u0027{{GroupName}}\u0027\",\"description\":\"Account added to the Enterprise Admins group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForHost = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n// parsing for Host to handle variety of conventions coming from data\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| where (isnotempty(v_Host_Name) and Host_HostName=~ v_Host_Name and isnotempty(v_Host_NTDomain) and Host_NTDomain =~ v_Host_NTDomain) \\nor (isnotempty(v_Host_Name) and Host_HostName =~ v_Host_Name and isnotempty(v_Host_NTDomain) and isnotempty(v_Host_DnsDomain) and Host_DnsDomain =~ v_Host_DnsDomain) \\nor (isnotempty(v_Host_AzureID) and v_Host_AzureID =~ _ResourceId)\\nor (isnotempty(v_Host_OMSAgentID) and v_Host_OMSAgentID == SourceComputerId)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName) \\n| project TimeGenerated, EventID, Activity, Computer, MemberAdded, MemberName, MemberSid, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectUserName, SubjectUserSid, WellKnownGroupSID, WellKnownLocalSID, _ResourceId, SourceComputerId\\n| extend GroupName = TargetUserName, AddedBy = SubjectUserName\\n//support for Activities\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer\\n};\\nGetGroupAddForHost(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027) \\n| where TargetSid matches regex \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-519$\u0027 \\n| project Computer, MemberAdded, AddedBy, GroupName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueryTemplates/5ba7b064-c667-4bb9-b8ac-7e87872ae479\",\"name\":\"5ba7b064-c667-4bb9-b8ac-7e87872ae479\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Account added to a privileged group\",\"content\":\"On \u0027{{Computer}}\u0027 the user \u0027{{MemberAdded}}\u0027 was added by \u0027{{AddedBy}}\u0027 to group: \u0027{{GroupName}}\u0027\",\"description\":\"Account added to privileged group.\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForHost = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n// parsing for Host to handle variety of conventions coming from data\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| where (isnotempty(v_Host_Name) and Host_HostName=~ v_Host_Name and isnotempty(v_Host_NTDomain) and Host_NTDomain =~ v_Host_NTDomain) \\nor (isnotempty(v_Host_Name) and Host_HostName =~ v_Host_Name and isnotempty(v_Host_NTDomain) and isnotempty(v_Host_DnsDomain) and Host_DnsDomain =~ v_Host_DnsDomain) \\nor (isnotempty(v_Host_AzureID) and v_Host_AzureID =~ _ResourceId)\\nor (isnotempty(v_Host_OMSAgentID) and v_Host_OMSAgentID == SourceComputerId)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName) \\n| project TimeGenerated, EventID, Activity, Computer, MemberAdded, MemberName, MemberSid, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectUserName, SubjectUserSid, WellKnownGroupSID, WellKnownLocalSID, _ResourceId, SourceComputerId\\n| extend GroupName = TargetUserName, AddedBy = SubjectUserName\\n//support for Activities\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer\\n};\\nGetGroupAddForHost(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027) \\n| where (TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID) and TargetSid != \u0027S-1-5-32-544\u0027 and not(TargetSid matches regex \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-512$\u0027) and not(TargetSid matches regex \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-519$\u0027) \\n| project Computer, MemberAdded, AddedBy, GroupName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueryTemplates/290032e9-c52e-4e66-841a-7428f0b356bb\",\"name\":\"290032e9-c52e-4e66-841a-7428f0b356bb\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was created on this host\",\"content\":\"On \u0027{{Computer}}\u0027 the account \u0027{{User}}\u0027 was created by sudo\",\"description\":\"Account created on Host\",\"queryDefinitions\":{\"query\":\"let AllUserEvents = (v_Host_Name:string, v_Host_AzureID:string) {\\nSyslog\\n| where Computer == v_Host_Name or v_Host_AzureID == _ResourceId\\n| where Facility == \u0027authpriv\u0027\\n| where ProcessName in~ (\u0027useradd\u0027,\u0027userdel\u0027)\\n| where SyslogMessage startswith \u0027new user:\u0027 or SyslogMessage startswith \u0027delete user \u0027\\n| extend User = case(SyslogMessage startswith \u0027new user:\u0027, tostring(split(tostring(split(SyslogMessage, \u0027name=\u0027)[1]), \u0027,\u0027)[0]),\\nSyslogMessage startswith \u0027delete user \u0027, tostring(split(SyslogMessage, \\\"\u0027\\\")[1]),\\n\u0027Not Available\u0027)\\n| extend Action = case( SyslogMessage startswith \u0027new user\u0027, \u0027new user\u0027, SyslogMessage startswith \u0027delete user\u0027, \u0027delete user\u0027, \u0027None\u0027)\\n| project TimeGenerated, Computer, HostIP, User, Facility, ProcessName, Action, SyslogMessage, _ResourceId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, AccountCustomEntity = User\\n};\\nAllUserEvents(\u0027{{Host_HostName}}\u0027, \u0027{{Host_AzureID}}\u0027) \\n| where Action == \u0027new user\u0027 \\n| project Computer, User, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"Syslog\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\"],[\"Host_AzureID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Linux\"]}}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueryTemplates/ce9e87c7-2ffa-42cb-92e5-f1a4f21f007a\",\"name\":\"ce9e87c7-2ffa-42cb-92e5-f1a4f21f007a\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was deleted on this host\",\"content\":\"On \u0027{{Computer}}\u0027 the account \u0027{{User}}\u0027 was deleted by sudo\",\"description\":\"Account deleted on Host\",\"queryDefinitions\":{\"query\":\"let AllUserEvents = (v_Host_Name:string, v_Host_AzureID:string) {\\nSyslog\\n| where Computer == v_Host_Name or v_Host_AzureID == _ResourceId\\n| where Facility == \u0027authpriv\u0027\\n| where ProcessName in~ (\u0027useradd\u0027,\u0027userdel\u0027)\\n| where SyslogMessage startswith \u0027new user:\u0027 or SyslogMessage startswith \u0027delete user \u0027\\n| extend User = case(SyslogMessage startswith \u0027new user:\u0027, tostring(split(tostring(split(SyslogMessage, \u0027name=\u0027)[1]), \u0027,\u0027)[0]),\\nSyslogMessage startswith \u0027delete user \u0027, tostring(split(SyslogMessage, \\\"\u0027\\\")[1]),\\n\u0027Not Available\u0027)\\n| extend Action = case( SyslogMessage startswith \u0027new user\u0027, \u0027new user\u0027, SyslogMessage startswith \u0027delete user\u0027, \u0027delete user\u0027, \u0027None\u0027)\\n| project TimeGenerated, Computer, HostIP, User, Facility, ProcessName, Action, SyslogMessage, _ResourceId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, AccountCustomEntity = User\\n};\\nAllUserEvents(\u0027{{Host_HostName}}\u0027, \u0027{{Host_AzureID}}\u0027) \\n| where Action == \u0027delete user\u0027 \\n| project Computer, User, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"Syslog\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\"],[\"Host_AzureID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Linux\"]}}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueryTemplates/46aeae2d-187c-41f9-b8d6-9d75c43bce0a\",\"name\":\"46aeae2d-187c-41f9-b8d6-9d75c43bce0a\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was added to the sudo group\",\"content\":\"On \u0027{{Computer}}\u0027 the user \u0027{{User}}\u0027 was added by \u0027{{AcctMakingChange}}\u0027 to group: \u0027{{Group}}\u0027\",\"description\":\"Account added to the sudo group\",\"queryDefinitions\":{\"query\":\"let AllUserEvents = (v_Host_Name:string, v_Host_AzureID:string) {\\nSyslog\\n| where Computer == v_Host_Name or v_Host_AzureID == _ResourceId\\n| where Facility == \u0027authpriv\u0027\\n| where SyslogMessage !startswith \\\"omsagent\\\"\\n| where SyslogMessage has \u0027COMMAND\u0027 or ProcessName in~ (\u0027gpasswd\u0027, \u0027useradd\u0027, \u0027userdel\u0027)\\n| parse SyslogMessage with * \u0027user \u0027 User \u0027 \u0027 Verb \u0027 by \u0027 AcctMakingChange \u0027 \u0027 Preposition \u0027 group \u0027 Group\\n| extend Group = case(\\nSyslogMessage startswith \u0027removed group\u0027 or SyslogMessage startswith \u0027removed shadow group\u0027, tostring(split(SyslogMessage, \\\"\u0027\\\")[1]), \\nSyslogMessage startswith \u0027new group\u0027, tostring(split(tostring(split(SyslogMessage, \u0027=\u0027)[1]),\u0027,\u0027)[0]),\\nGroup)\\n| extend Action = case(\\nisnotempty(Verb) or isnotempty(Preposition), strcat(Verb, \u0027 \u0027, Preposition),\\nSyslogMessage startswith \u0027new group\u0027, \u0027new group\u0027,\\nSyslogMessage startswith \u0027removed group\u0027, \u0027removed group\u0027,\\nSyslogMessage startswith \u0027removed shadow group\u0027, \u0027removed shadow group\u0027,\\n\u0027None\u0027)\\n| where isnotempty(Action) and Action != \u0027None\u0027 and isnotempty(Group)\\n| project TimeGenerated, Computer, HostIP, User, Action, Group, Facility, ProcessName, AcctMakingChange, SyslogMessage, _ResourceId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, AccountCustomEntity = User\\n};\\nAllUserEvents(\u0027{{Host_HostName}}\u0027, \u0027{{Host_AzureID}}\u0027) \\n| where Action =~ \u0027added to\u0027 and Group =~ \u0027sudo\u0027 \\n| project Computer, User, AcctMakingChange, Group, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"Syslog\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\"],[\"Host_AzureID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Linux\"]}}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueryTemplates/e24dd437-c65e-40e1-8d59-cd303ad4496a\",\"name\":\"e24dd437-c65e-40e1-8d59-cd303ad4496a\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was removed from the sudo group\",\"content\":\"On \u0027{{Computer}}\u0027 the user \u0027{{User}}\u0027 was added by \u0027{{AcctMakingChange}}\u0027 to group: \u0027{{Group}}\u0027\",\"description\":\"Account removed from sudo group\",\"queryDefinitions\":{\"query\":\"let AllUserEvents = (v_Host_Name:string, v_Host_AzureID:string) {\\nSyslog\\n| where Computer == v_Host_Name or v_Host_AzureID == _ResourceId\\n| where Facility == \u0027authpriv\u0027\\n| where SyslogMessage !startswith \\\"omsagent\\\"\\n| where SyslogMessage has \u0027COMMAND\u0027 or ProcessName in~ (\u0027gpasswd\u0027, \u0027useradd\u0027, \u0027userdel\u0027)\\n| parse SyslogMessage with * \u0027user \u0027 User \u0027 \u0027 Verb \u0027 by \u0027 AcctMakingChange \u0027 \u0027 Preposition \u0027 group \u0027 Group\\n| extend Group = case(\\nSyslogMessage startswith \u0027removed group\u0027 or SyslogMessage startswith \u0027removed shadow group\u0027, tostring(split(SyslogMessage, \\\"\u0027\\\")[1]), \\nSyslogMessage startswith \u0027new group\u0027, tostring(split(tostring(split(SyslogMessage, \u0027=\u0027)[1]),\u0027,\u0027)[0]),\\nGroup)\\n| extend Action = case(\\nisnotempty(Verb) or isnotempty(Preposition), strcat(Verb, \u0027 \u0027, Preposition),\\nSyslogMessage startswith \u0027new group\u0027, \u0027new group\u0027,\\nSyslogMessage startswith \u0027removed group\u0027, \u0027removed group\u0027,\\nSyslogMessage startswith \u0027removed shadow group\u0027, \u0027removed shadow group\u0027,\\n\u0027None\u0027)\\n| where isnotempty(Action) and Action != \u0027None\u0027 and isnotempty(Group)\\n| project TimeGenerated, Computer, HostIP, User, Action, Group, Facility, ProcessName, AcctMakingChange, SyslogMessage, _ResourceId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, AccountCustomEntity = User\\n};\\nAllUserEvents(\u0027{{Host_HostName}}\u0027, \u0027{{Host_AzureID}}\u0027) \\n| where Action =~ \u0027removed from\u0027 and Group =~ \u0027sudo\u0027 \\n| project Computer, User, AcctMakingChange, Group, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"Syslog\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\"],[\"Host_AzureID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Linux\"]}}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueryTemplates/c91cb743-7c6c-4ccf-b066-13448c9c085c\",\"name\":\"c91cb743-7c6c-4ccf-b066-13448c9c085c\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Windows Defender Application Control activities on this host\",\"content\":\"{{FriendlyActivityName}} by {{InitiatingProcessAccountUpn}} {{Count}} time(s)\",\"description\":\"Microsoft Defender Application Control activities\",\"queryDefinitions\":{\"query\":\"let AppControlEvents=(v_Host_HostName:string, v_Host_NTDomain:string, v_Host_DnsDomain:string){\\nlet p_FullDeviceName = iff(isnotempty(v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_NTDomain));\\nlet AppControls=datatable(ActionType:string, Description:string, FriendlyActivityName:string)\\n [\\\"AppControlAppInstallationAudited\\\", \\\"Application control detected the installation of an untrusted app.\\\",\\\"Untrusted app installed\\\"\\n ,\\\"AppControlAppInstallationBlocked\\\", \\\"Application control blocked the installation of an untrusted app.\\\", \\\"Untrusted app installation blocked\\\"\\n ,\\\"AppControlCodeIntegrityDriverRevoked\\\", \\\"Application control found a driver with a revoked certificate.\\\", \\\"Driver with revoked certificate detected\\\"\\n ,\\\"AppControlCodeIntegrityImageRevoked\\\", \\\"Application control found an executable file with a revoked certificate.\\\", \\\"Executable with revoked certificate detected\\\"\\n ,\\\"AppControlExecutableAudited\\\",\\\"Application control detected the use of an untrusted executable.\\\",\\\"Untrusted executable used\\\"\\n ,\\\"AppControlExecutableBlocked\\\",\\\"Application control blocked the use of an untrusted executable.\\\",\\\"Untrusted executable blocked\\\"\\n ,\\\"AppControlScriptAudited\\\", \\\"Application control detected the use of an untrusted script.\\\", \\\"Untrusted script detected\\\"\\n ,\\\"AppControlScriptBlocked\\\", \\\"Application control blocked the use of an untrusted script.\\\", \\\"Untrusted script blocked\\\" ];\\nDeviceEvents\\n| where ActionType in (AppControls) \\n| where DeviceName ==p_FullDeviceName\\n| lookup AppControls on ActionType\\n};\\nAppControlEvents(\u0027{{Host_HostName}}\u0027,\u0027{{Host_NTDomain}}\u0027,\u0027{{Host_DnsDomain}}\u0027) \\n| project DeviceName, ActionType, FriendlyActivityName, InitiatingProcessAccountUpn, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"DeviceEvents\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueryTemplates/c7def1db-6a27-45dc-bee0-0c5fd5e7f1fe\",\"name\":\"c7def1db-6a27-45dc-bee0-0c5fd5e7f1fe\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Screenshot taken\",\"content\":\"The user \u0027{{InitiatingProcessAccountUpn}}\u0027 has taken {{Count}} screenshot(s) on the host\",\"description\":\"A screenshot was taken on the host\",\"queryDefinitions\":{\"query\":\"let ScreenshotTakers= (v_Host_HostName:string, v_Host_NTDomain:string, v_Host_DnsDomain:string){\\n let p_FullDeviceName = iff(isnotempty(v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_NTDomain) );\\n DeviceEvents \\n | where ActionType ==\u0027ScreenshotTaken\u0027 \\n | where DeviceName =~ p_FullDeviceName\\n};\\nScreenshotTakers(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027) \\n| where 1==1 \\n| project InitiatingProcessAccountName, InitiatingProcessAccountUpn, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"DeviceEvents\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueryTemplates/8d0e9356-be1e-45ac-9403-d0ac3f1605b7\",\"name\":\"8d0e9356-be1e-45ac-9403-d0ac3f1605b7\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Exploit protection blocked the launch of a process from an image file that is not signed by Microsoft\",\"content\":\"Launch of unsigned file \u0027{{FileName}}\u0027 by process \u0027{{InitiatingProcessFileName}}\u0027 initiated by \u0027{{InitiatingProcessAccountName}}\u0027 was blocked. \",\"description\":\"Exploit protection blocked the launch of a process from an image file that is not signed by Microsoft\",\"queryDefinitions\":{\"query\":\"let NonMSSignedBlocked= (v_Host_HostName:string, v_Host_NTDomain:string, v_Host_DnsDomain:string){\\n let p_FullDeviceName = iff(isnotempty(v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_NTDomain) );\\n DeviceEvents\\n | where ActionType in (\\\"ExploitGuardNonMicrosoftSignedBlocked\\\", \\\"ExploitGuardNonMicrosoftSignedAudited\\\") \\n and FileName !hassuffix \u0027.ni.dll\u0027\\n | where DeviceName =~ p_FullDeviceName\\n | project TimeGenerated\\n , FileName\\n ,InitiatingProcessFileName\\n , InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessAccountSid\\n , DeviceName , ActionType\\n};\\nNonMSSignedBlocked(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027) \\n| where ActionType =~ \u0027ExploitGuardNonMicrosoftSignedBlocked\u0027 \\n| project FileName, InitiatingProcessFileName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessAccountSid, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"DeviceEvents\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueryTemplates/3ff80327-7c54-449d-95d4-613848f7d60b\",\"name\":\"3ff80327-7c54-449d-95d4-613848f7d60b\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Exploit protection detected the launch of a process from an image file that is not signed by Microsoft\",\"content\":\"Launch of unsigned file \u0027{{FileName}}\u0027 by process \u0027{{InitiatingProcessFileName}}\u0027 initiated by \u0027{{InitiatingProcessAccountName}}\u0027 was audited.\",\"description\":\"Exploit protection detected the launch of a process from an image file that is not signed by Microsoft\",\"queryDefinitions\":{\"query\":\"let NonMSSignedBlocked= (v_Host_HostName:string, v_Host_NTDomain:string, v_Host_DnsDomain:string){\\n let p_FullDeviceName = iff(isnotempty(v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_NTDomain) );\\n DeviceEvents\\n | where ActionType in (\\\"ExploitGuardNonMicrosoftSignedBlocked\\\", \\\"ExploitGuardNonMicrosoftSignedAudited\\\") \\n and FileName !hassuffix \u0027.ni.dll\u0027\\n | where DeviceName =~ p_FullDeviceName\\n | project TimeGenerated\\n , FileName\\n ,InitiatingProcessFileName\\n , InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessAccountSid\\n , DeviceName , ActionType\\n};\\nNonMSSignedBlocked(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027) \\n| where ActionType =~ \u0027ExploitGuardNonMicrosoftSignedAudited\u0027 \\n| project FileName, InitiatingProcessFileName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessAccountSid, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"DeviceEvents\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueryTemplates/3f7059b2-67ea-4fc1-af34-37f5fc69a630\",\"name\":\"3f7059b2-67ea-4fc1-af34-37f5fc69a630\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Windows Defender Antivirus activities on this host\",\"content\":\"Window Defender Antivirus \u0027{{ActionType}}\u0027 activity was spotted on Host {{Host_HostName}}\",\"description\":\"Windows Defender Antivirus activities\",\"queryDefinitions\":{\"query\":\"let AntivirusEvents=(v_Host_HostName:string, v_Host_NTDomain:string, v_Host_DnsDomain:string){\\nlet Severity= datatable(ActionType:string, Severity:int)[\\\"AntivirusMalwareActionFailed\\\",1,\\\"AntivirusDetection\\\",2,\\\"AntivirusScanFailed\\\",3, \\\"AntivirusError\\\",4, \\\"AntivirusDefinitionsUpdateFailed\\\",5];\\nlet p_FullDeviceName = iff(isnotempty(v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_NTDomain));\\nDeviceEvents\\n| where ActionType hasprefix \\\"Antivirus\\\" and ActionType !in( \\\"AntivirusReport\\\", \\\"AntivirusScanCompleted\\\", \\\"AntivirusDefinitionsUpdated\\\",\\\"AntivirusEmergencyUpdatesInstalled\\\")\\n| where DeviceName ==p_FullDeviceName\\n| lookup Severity on ActionType};\\nAntivirusEvents(\u0027{{Host_HostName}}\u0027,\u0027{{Host_NTDomain}}\u0027,\u0027{{Host_DnsDomain}}\u0027) \\n| where ActionType !in( \\\"AntivirusReport\\\", \\\"AntivirusScanCompleted\\\", \\\"AntivirusDefinitionsUpdated\\\",\\\"AntivirusEmergencyUpdatesInstalled\\\") \\n| project ActionType, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"DeviceEvents\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}}]}", "isContentBase64": false } }, - "Get-AzSentinelEntityQueryTemplate+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates?api-version=2021-09-01-preview+1": { + "Get-AzSentinelEntityQueryTemplate+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueryTemplates?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueryTemplates?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "203" ], - "x-ms-client-request-id": [ "193b8b1a-f0fa-4622-a86a-52814dcae365" ], + "x-ms-unique-id": [ "46" ], + "x-ms-client-request-id": [ "2fc2e3c6-badf-4186-9b10-4c6f9fa5b73e" ], "CommandName": [ "Get-AzSentinelentityQueryTemplate" ], "FullCommandName": [ "Get-AzSentinelEntityQueryTemplate_List" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], + "User-Agent": [ "AzurePowershell/v15.4.0", "PSVersion/v7.6.0", "Az.SecurityInsights/3.2.1" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { @@ -63,37 +67,41 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11962" ], - "x-ms-request-id": [ "f0002f43-7c08-4eeb-b796-e0af78396477" ], - "x-ms-correlation-request-id": [ "f0002f43-7c08-4eeb-b796-e0af78396477" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160726Z:f0002f43-7c08-4eeb-b796-e0af78396477" ], + "Vary": [ "Accept-Encoding" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "1099" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/ee491c08-9677-4a58-a255-1e25f620b691" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-ratelimit-remaining-subscription-global-reads": [ "16499" ], + "x-ms-request-id": [ "c469f15f-665c-4409-80f0-1ced9e0cb08a" ], + "x-ms-correlation-request-id": [ "c469f15f-665c-4409-80f0-1ced9e0cb08a" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074447Z:c469f15f-665c-4409-80f0-1ced9e0cb08a" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:07:26 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: DB3530F9FACA4B49B05D792B41C91733 Ref B: AMS231020512027 Ref C: 2026-03-25T07:44:46Z" ], + "Date": [ "Wed, 25 Mar 2026 07:44:47 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "191910" ], + "Content-Length": [ "193809" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"value\":[{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/d6d08c94-455f-4ea5-8f76-fc6c0c442cfa\",\"name\":\"d6d08c94-455f-4ea5-8f76-fc6c0c442cfa\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user has created an account\",\"content\":\"The user {{InitiatedByAccount}} has created the account {{TargetAccount}} {{Count}} time(s)\",\"description\":\"This activity displays account creation events performed by the user\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (Account_Name:string, Account_NTDomain:string, Account_UPNSuffix:string, Account_AadUserId:string, Account_Sid:string){\\nlet Account_UPN = strcat(Account_Name, \u0027@\u0027, Account_UPNSuffix);\\nlet Account_Win = strcat(Account_NTDomain,\u0027\\\\\\\\\u0027, Account_Name);\\nunion isfuzzy=true\\n(AuditLogs\\n | where tostring(bag_keys(InitiatedBy)[0]) == \\\"user\\\"\\n | where OperationName in~ (\u0027Add user\u0027, \u0027Update user\u0027, \u0027Delete user\u0027, \u0027Change user password\u0027, \u0027Reset user password\u0027, \u0027Reset password (by admin)\u0027, \u0027Change password (self-service)\u0027, \u0027Reset password (self-service)\u0027)\\n | where Account_UPN =~ tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName) or Account_AadUserId =~ tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend InitiatedByAccount = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | parse InitiatedByAccount with userName:string \u0027@\u0027 userUpnSuffix:string\\n | extend InitiatedByAADUserId = tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend TargetAccount = tostring(TargetResources[0].userPrincipalName)\\n | parse TargetAccount with TargetAccountName:string \u0027@\u0027 TargetAccountUPNSuffix:string\\n | extend TargetAADUserId = tostring(TargetResources[0].id)\\n | extend Action = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[0])))\\n | extend ModifiedProperty = tostring(parse_json(Action).displayName), ModifiedValue = tostring(parse_json(Action).newValue)\\n | extend DisableUser = iif(ModifiedProperty =~ \u0027AccountEnabled\u0027 and ModifiedValue =~ \u0027[false]\u0027, \u0027True\u0027, \u0027False\u0027)\\n),\\n(SecurityEvent\\n | where AccountType =~ \\\"user\\\" or isempty(AccountType)\\n | where EventID in (4720, 4722, 4723, 4724, 4725, 4726, 4740)\\n | where Account_Win =~ SubjectAccount or Account_Sid =~ SubjectUserSid\\n | parse TargetAccount with TargetAccountNTDomain \u0027\\\\\\\\\u0027 TargetAccountName\\n | extend InitiatedByAccount = SubjectAccount, InitiatedByUserSid = SubjectUserSid, OperationName = tostring(EventID), ModifiedProperty = Activity\\n)\\n};\\nGetAccountActions(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_AadUserId}}\u0027, \u0027{{Account_Sid}}\u0027) \\n| where OperationName in~ (\u0027Add user\u0027, \u00274720\u0027) \\n| project InitiatedByAccount, TargetAccount, TargetSid, TargetAADUserId, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AuditLogs\"},{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AadUserId\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/e0459780-ac9d-4b72-8bd4-fecf6b46a0a1\",\"name\":\"e0459780-ac9d-4b72-8bd4-fecf6b46a0a1\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user has deleted an account\",\"content\":\"The user {{InitiatedByAccount}} has deleted the account {{TargetAccount}} {{Count}} time(s)\",\"description\":\"This activity displays account deletion events performed by the user\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (Account_Name:string, Account_NTDomain:string, Account_UPNSuffix:string, Account_AadUserId:string, Account_Sid:string){\\nlet Account_UPN = strcat(Account_Name, \u0027@\u0027, Account_UPNSuffix);\\nlet Account_Win = strcat(Account_NTDomain,\u0027\\\\\\\\\u0027, Account_Name);\\nunion isfuzzy=true\\n(AuditLogs\\n | where tostring(bag_keys(InitiatedBy)[0]) == \\\"user\\\"\\n | where OperationName in~ (\u0027Add user\u0027, \u0027Update user\u0027, \u0027Delete user\u0027, \u0027Change user password\u0027, \u0027Reset user password\u0027, \u0027Reset password (by admin)\u0027, \u0027Change password (self-service)\u0027, \u0027Reset password (self-service)\u0027)\\n | where Account_UPN =~ tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName) or Account_AadUserId =~ tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend InitiatedByAccount = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | parse InitiatedByAccount with userName:string \u0027@\u0027 userUpnSuffix:string\\n | extend InitiatedByAADUserId = tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend TargetAccount = tostring(TargetResources[0].userPrincipalName)\\n | parse TargetAccount with TargetAccountName:string \u0027@\u0027 TargetAccountUPNSuffix:string\\n | extend TargetAADUserId = tostring(TargetResources[0].id)\\n | extend Action = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[0])))\\n | extend ModifiedProperty = tostring(parse_json(Action).displayName), ModifiedValue = tostring(parse_json(Action).newValue)\\n | extend DisableUser = iif(ModifiedProperty =~ \u0027AccountEnabled\u0027 and ModifiedValue =~ \u0027[false]\u0027, \u0027True\u0027, \u0027False\u0027)\\n),\\n(SecurityEvent\\n | where AccountType =~ \\\"user\\\" or isempty(AccountType)\\n | where EventID in (4720, 4722, 4723, 4724, 4725, 4726, 4740)\\n | where Account_Win =~ SubjectAccount or Account_Sid =~ SubjectUserSid\\n | parse TargetAccount with TargetAccountNTDomain \u0027\\\\\\\\\u0027 TargetAccountName\\n | extend InitiatedByAccount = SubjectAccount, InitiatedByUserSid = SubjectUserSid, OperationName = tostring(EventID), ModifiedProperty = Activity\\n)\\n};\\nGetAccountActions(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_AadUserId}}\u0027, \u0027{{Account_Sid}}\u0027) \\n| where OperationName in~ (\u0027Delete user\u0027, \u00274726\u0027) \\n| project InitiatedByAccount, TargetAccount, TargetSid, TargetAADUserId, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AuditLogs\"},{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AadUserId\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/ad1f4269-5418-4c46-a3b6-4ec01031de60\",\"name\":\"ad1f4269-5418-4c46-a3b6-4ec01031de60\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user has reset an account\u0027s password\",\"content\":\"The password for account {{TargetAccount}} was reset by the user {{InitiatedByAccount}} {{Count}} time(s)\",\"description\":\"This activity displays password reset events performed by the user\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (Account_Name:string, Account_NTDomain:string, Account_UPNSuffix:string, Account_AadUserId:string, Account_Sid:string){\\nlet Account_UPN = strcat(Account_Name, \u0027@\u0027, Account_UPNSuffix);\\nlet Account_Win = strcat(Account_NTDomain,\u0027\\\\\\\\\u0027, Account_Name);\\nunion isfuzzy=true\\n(AuditLogs\\n | where tostring(bag_keys(InitiatedBy)[0]) == \\\"user\\\"\\n | where OperationName in~ (\u0027Add user\u0027, \u0027Update user\u0027, \u0027Delete user\u0027, \u0027Change user password\u0027, \u0027Reset user password\u0027, \u0027Reset password (by admin)\u0027, \u0027Change password (self-service)\u0027, \u0027Reset password (self-service)\u0027)\\n | where Account_UPN =~ tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName) or Account_AadUserId =~ tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend InitiatedByAccount = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | parse InitiatedByAccount with userName:string \u0027@\u0027 userUpnSuffix:string\\n | extend InitiatedByAADUserId = tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend TargetAccount = tostring(TargetResources[0].userPrincipalName)\\n | parse TargetAccount with TargetAccountName:string \u0027@\u0027 TargetAccountUPNSuffix:string\\n | extend TargetAADUserId = tostring(TargetResources[0].id)\\n | extend Action = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[0])))\\n | extend ModifiedProperty = tostring(parse_json(Action).displayName), ModifiedValue = tostring(parse_json(Action).newValue)\\n | extend DisableUser = iif(ModifiedProperty =~ \u0027AccountEnabled\u0027 and ModifiedValue =~ \u0027[false]\u0027, \u0027True\u0027, \u0027False\u0027)\\n),\\n(SecurityEvent\\n | where AccountType =~ \\\"user\\\" or isempty(AccountType)\\n | where EventID in (4720, 4722, 4723, 4724, 4725, 4726, 4740)\\n | where Account_Win =~ SubjectAccount or Account_Sid =~ SubjectUserSid\\n | parse TargetAccount with TargetAccountNTDomain \u0027\\\\\\\\\u0027 TargetAccountName\\n | extend InitiatedByAccount = SubjectAccount, InitiatedByUserSid = SubjectUserSid, OperationName = tostring(EventID), ModifiedProperty = Activity\\n)\\n};\\nGetAccountActions(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_AadUserId}}\u0027, \u0027{{Account_Sid}}\u0027) \\n| where OperationName in~ (\u0027Change user password\u0027, \u0027Reset user password\u0027, \u0027Change password (self-service)\u0027, \u0027Reset password (by admin)\u0027, \u0027Reset password (self-service)\u0027, \u00274724\u0027, \u00274723\u0027) \\n| project InitiatedByAccount, TargetAccount, TargetSid, TargetAADUserId, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AuditLogs\"},{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AadUserId\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/fde1b9cc-9480-4418-ae21-91723d16b24d\",\"name\":\"fde1b9cc-9480-4418-ae21-91723d16b24d\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user account was created\",\"content\":\"The user account {{TargetAccount}} was created\",\"description\":\"This activity displays the user account events for when it was created\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (Account_Name:string, Account_NTDomain:string, Account_UPNSuffix:string, Account_AadUserId:string, Account_Sid:string){\\nlet Account_UPN = strcat(Account_Name, \u0027@\u0027, Account_UPNSuffix);\\nlet Account_Win = strcat(Account_NTDomain,\u0027\\\\\\\\\u0027, Account_Name);\\nunion isfuzzy=true\\n(AuditLogs\\n | where tostring(bag_keys(InitiatedBy)[0]) == \\\"user\\\"\\n | where OperationName in~ (\u0027Add user\u0027, \u0027Update user\u0027, \u0027Delete user\u0027, \u0027Change user password\u0027, \u0027Reset user password\u0027, \u0027Reset password (by admin)\u0027, \u0027Change password (self-service)\u0027, \u0027Reset password (self-service)\u0027)\\n | where Account_UPN =~ tostring(TargetResources[0].userPrincipalName) or Account_AadUserId =~ tostring(TargetResources[0].id)\\n | extend InitiatedByAccount = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | parse InitiatedByAccount with userName:string \u0027@\u0027 userUpnSuffix:string\\n | extend InitiatedByAADUserId = tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend TargetAccount = tostring(TargetResources[0].userPrincipalName)\\n | parse TargetAccount with TargetAccountName:string \u0027@\u0027 TargetAccountUPNSuffix:string\\n | extend TargetAADUserId = tostring(TargetResources[0].id)\\n | extend Action = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[0])))\\n | extend ModifiedProperty = tostring(parse_json(Action).displayName), ModifiedValue = tostring(parse_json(Action).newValue)\\n | extend DisableUser = iif(ModifiedProperty =~ \u0027AccountEnabled\u0027 and ModifiedValue =~ \u0027[false]\u0027, \u0027True\u0027, \u0027False\u0027)\\n),\\n(SecurityEvent\\n | where AccountType =~ \\\"user\\\" or isempty(AccountType)\\n | where EventID in (4720, 4722, 4723, 4724, 4725, 4726, 4740)\\n | where Account_Win =~ TargetAccount or Account_Sid =~ TargetSid\\n | parse TargetAccount with TargetAccountNTDomain \u0027\\\\\\\\\u0027 TargetAccountName\\n | extend InitiatedByAccount = SubjectAccount, InitiatedByUserSid = SubjectUserSid, OperationName = tostring(EventID), ModifiedProperty = Activity\\n)\\n};\\nGetAccountActions(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_AadUserId}}\u0027, \u0027{{Account_Sid}}\u0027) \\n| where OperationName in~ (\u0027Add user\u0027, \u00274720\u0027) \\n| project TargetAccount, TargetSid, TargetAADUserId, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AuditLogs\"},{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AadUserId\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/b15901ba-8679-4f6a-b312-722031ab58f2\",\"name\":\"b15901ba-8679-4f6a-b312-722031ab58f2\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user account was deleted\",\"content\":\"The user account {{TargetAccount}} was deleted\",\"description\":\"This activity displays the user account events for when it was deleted\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (Account_Name:string, Account_NTDomain:string, Account_UPNSuffix:string, Account_AadUserId:string, Account_Sid:string){\\nlet Account_UPN = strcat(Account_Name, \u0027@\u0027, Account_UPNSuffix);\\nlet Account_Win = strcat(Account_NTDomain,\u0027\\\\\\\\\u0027, Account_Name);\\nunion isfuzzy=true\\n(AuditLogs\\n | where tostring(bag_keys(InitiatedBy)[0]) == \\\"user\\\"\\n | where OperationName in~ (\u0027Add user\u0027, \u0027Update user\u0027, \u0027Delete user\u0027, \u0027Change user password\u0027, \u0027Reset user password\u0027, \u0027Reset password (by admin)\u0027, \u0027Change password (self-service)\u0027, \u0027Reset password (self-service)\u0027)\\n | where Account_UPN =~ tostring(TargetResources[0].userPrincipalName) or Account_AadUserId =~ tostring(TargetResources[0].id)\\n | extend InitiatedByAccount = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | parse InitiatedByAccount with userName:string \u0027@\u0027 userUpnSuffix:string\\n | extend InitiatedByAADUserId = tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend TargetAccount = tostring(TargetResources[0].userPrincipalName)\\n | parse TargetAccount with TargetAccountName:string \u0027@\u0027 TargetAccountUPNSuffix:string\\n | extend TargetAADUserId = tostring(TargetResources[0].id)\\n | extend Action = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[0])))\\n | extend ModifiedProperty = tostring(parse_json(Action).displayName), ModifiedValue = tostring(parse_json(Action).newValue)\\n | extend DisableUser = iif(ModifiedProperty =~ \u0027AccountEnabled\u0027 and ModifiedValue =~ \u0027[false]\u0027, \u0027True\u0027, \u0027False\u0027)\\n),\\n(SecurityEvent\\n | where AccountType =~ \\\"user\\\" or isempty(AccountType)\\n | where EventID in (4720, 4722, 4723, 4724, 4725, 4726, 4740)\\n | where Account_Win =~ TargetAccount or Account_Sid =~ TargetSid\\n | parse TargetAccount with TargetAccountNTDomain \u0027\\\\\\\\\u0027 TargetAccountName\\n | extend InitiatedByAccount = SubjectAccount, InitiatedByUserSid = SubjectUserSid, OperationName = tostring(EventID), ModifiedProperty = Activity\\n)\\n};\\nGetAccountActions(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_AadUserId}}\u0027, \u0027{{Account_Sid}}\u0027) \\n| where OperationName in~ (\u0027Delete user\u0027, \u00274726\u0027) \\n| project TargetAccount, TargetSid, TargetAADUserId, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AuditLogs\"},{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AadUserId\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/c07d1d02-0a06-455e-add9-12c5a5e426f3\",\"name\":\"c07d1d02-0a06-455e-add9-12c5a5e426f3\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user account password was reset\",\"content\":\"The user account {{TargetAccount}} had a password reset\",\"description\":\"This activity displays the user account events for when the password was reset\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (Account_Name:string, Account_NTDomain:string, Account_UPNSuffix:string, Account_AadUserId:string, Account_Sid:string){\\nlet Account_UPN = strcat(Account_Name, \u0027@\u0027, Account_UPNSuffix);\\nlet Account_Win = strcat(Account_NTDomain,\u0027\\\\\\\\\u0027, Account_Name);\\nunion isfuzzy=true\\n(AuditLogs\\n | where tostring(bag_keys(InitiatedBy)[0]) == \\\"user\\\"\\n | where OperationName in~ (\u0027Add user\u0027, \u0027Update user\u0027, \u0027Delete user\u0027, \u0027Change user password\u0027, \u0027Reset user password\u0027, \u0027Reset password (by admin)\u0027, \u0027Change password (self-service)\u0027, \u0027Reset password (self-service)\u0027)\\n | where Account_UPN =~ tostring(TargetResources[0].userPrincipalName) or Account_AadUserId =~ tostring(TargetResources[0].id)\\n | extend InitiatedByAccount = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | parse InitiatedByAccount with userName:string \u0027@\u0027 userUpnSuffix:string\\n | extend InitiatedByAADUserId = tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend TargetAccount = tostring(TargetResources[0].userPrincipalName)\\n | parse TargetAccount with TargetAccountName:string \u0027@\u0027 TargetAccountUPNSuffix:string\\n | extend TargetAADUserId = tostring(TargetResources[0].id)\\n | extend Action = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[0])))\\n | extend ModifiedProperty = tostring(parse_json(Action).displayName), ModifiedValue = tostring(parse_json(Action).newValue)\\n | extend DisableUser = iif(ModifiedProperty =~ \u0027AccountEnabled\u0027 and ModifiedValue =~ \u0027[false]\u0027, \u0027True\u0027, \u0027False\u0027)\\n),\\n(SecurityEvent\\n | where AccountType =~ \\\"user\\\" or isempty(AccountType)\\n | where EventID in (4720, 4722, 4723, 4724, 4725, 4726, 4740)\\n | where Account_Win =~ TargetAccount or Account_Sid =~ TargetSid\\n | parse TargetAccount with TargetAccountNTDomain \u0027\\\\\\\\\u0027 TargetAccountName\\n | extend InitiatedByAccount = SubjectAccount, InitiatedByUserSid = SubjectUserSid, OperationName = tostring(EventID), ModifiedProperty = Activity\\n)\\n};\\nGetAccountActions(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_AadUserId}}\u0027, \u0027{{Account_Sid}}\u0027) \\n| where OperationName in~ (\u0027Change user password\u0027, \u0027Reset user password\u0027, \u0027Change password (self-service)\u0027, \u0027Reset password (by admin)\u0027, \u0027Reset password (self-service)\u0027, \u00274723\u0027, \u00274724\u0027) \\n| project TargetAccount, TargetSid, TargetAADUserId, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AuditLogs\"},{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AadUserId\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/5e9ecee5-e7a4-4a2a-94c4-9c0e22e1b673\",\"name\":\"5e9ecee5-e7a4-4a2a-94c4-9c0e22e1b673\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user consented to OAuth application\",\"content\":\"The user consented to the OAuth application named {{Target_CloudApplication_Name}} {{Count}} time(s)\",\"description\":\"This activity lists user\u0027s consents to an OAuth applications.\",\"queryDefinitions\":{\"query\":\"let UserConsentToApplication = (Account_Name:string, Account_UPNSuffix:string, Account_AadUserId:string){\\nlet account_upn = iff(Account_Name != \\\"\\\" and Account_UPNSuffix != \\\"\\\"\\n, strcat(Account_Name,\\\"@\\\",Account_UPNSuffix)\\n,\\\"\\\" );\\nAuditLogs\\n| where OperationName == \\\"Consent to application\\\"\\n| extend Source_Account_UPNSuffix = tostring(todynamic(InitiatedBy) [\\\"user\\\"][\\\"userPrincipalName\\\"]), Source_Account_AadUserId = tostring(todynamic(InitiatedBy) [\\\"user\\\"][\\\"id\\\"])\\n| where (account_upn != \\\"\\\" and account_upn =~ Source_Account_UPNSuffix) \\nor (Account_AadUserId != \\\"\\\" and Account_AadUserId =~ Source_Account_AadUserId)\\n| extend Target_CloudApplication_Name = tostring(todynamic(TargetResources)[0][\\\"displayName\\\"]), Target_CloudApplication_AppId = tostring(todynamic(TargetResources)[0][\\\"id\\\"])\\n};\\nUserConsentToApplication(\u0027{{Account_Name}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_AadUserId}}\u0027) \\n| project Target_CloudApplication_AppId, Target_CloudApplication_Name, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AuditLogs\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AadUserId\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/cab4058a-0707-4a02-b76f-cf96270823ed\",\"name\":\"cab4058a-0707-4a02-b76f-cf96270823ed\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"User performed operation on azure resource from IP\",\"content\":\"User performed operation {{OperationNameValue}} on azure resource: {{shortResourceId}} from IP {{Source_IP_Address}} {{Count}} time(s)\",\"description\":\"This activity lists the user\u0027s activities on Azure.\",\"queryDefinitions\":{\"query\":\"let AzureRunProcess = (Account_Name:string, Account_UPNSuffix:string,Account_AadUserId:string){\\nlet upn = strcat(Account_Name,\\\"@\\\",Account_UPNSuffix);\\nAzureActivity\\n| where (isnotempty(Account_AadUserId) and Caller =~ Account_AadUserId) or Caller =~ upn\\n| where OperationNameValue contains \\\"Run Command on Virtual Machine\\\"\\n or (OperationNameValue == \\\"List Storage Account Keys\\\" and ActivityStatusValue == \\\"Succeeded\\\")\\n or OperationNameValue == \\\"Create or Update Virtual Machine\\\"\\n or OperationNameValue == \\\"Create Deployment\\\"\\n or OperationNameValue == \\\"Create role assignment\\\"\\n| project-rename Target_AzureResource_ResourceId = _ResourceId, Source_IP_Address = CallerIpAddress\\n| extend shortResourceId = tostring(split(ResourceId,\u0027/\u0027)[-1])\\n};\\nAzureRunProcess(\u0027{{Account_Name}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_AadUserId}}\u0027) \\n| project Target_AzureResource_ResourceId, Source_IP_Address, shortResourceId, OperationNameValue, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AzureActivity\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AadUserId\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/febba410-e7d6-4c63-8fe5-2b93f448b7a1\",\"name\":\"febba410-e7d6-4c63-8fe5-2b93f448b7a1\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user has added accounts to a local privileged group\",\"content\":\"The user has added accounts to the local privileged group, {{TargetAccount}}, {{Count}} time(s)\",\"description\":\"This activity displays the user that added accounts to a local privileged group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalGroupSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownDomainGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForUser = (v_Account_Name:string, v_Account_NTDomain:string, v_Account_SID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n| where AccountType =~ \u0027User\u0027\\n| extend Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nSubjectUserName has \u0027@\u0027 and SubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nSubjectUserName has \u0027@\u0027, tostring(split(SubjectUserName, \u0027@\u0027)[0]),\\nSubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\\nSubjectUserName\\n)\\n| extend Account_NTDomain = case(\\nSubjectDomainName has \u0027\\\\\\\\\u0027, tostring(split(SubjectDomainName, \u0027\\\\\\\\\u0027)[0]),\\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nSubjectDomainName has \u0027@\u0027, tostring(split(tostring(split(SubjectDomainName, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nSubjectDomainName\\n)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName)\\n| extend MemberNameMatch = iff(isnotempty(v_Account_Name) and MemberAdded has v_Account_Name, true, false)\\n| extend MemberNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and MemberAdded has v_Account_NTDomain, true, false)\\n| extend MemberSidMatch = iff(isnotempty(v_Account_SID) and MemberSid =~ v_Account_SID, true, false)\\n| extend SubjectNameMatch = iff(isnotempty(v_Account_Name) and SubjectUserName =~ v_Account_Name, true, false)\\n| extend SubjectNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and SubjectDomainName =~ v_Account_NTDomain, true, false)\\n| extend SubjectSidMatch = iff(isnotempty(v_Account_SID) and SubjectUserSid has v_Account_SID, true, false)\\n| where (MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true or (SubjectNameMatch == true and SubjectNTDomainMatch == true) or SubjectSidMatch == true \\n| project TimeGenerated, EventID, Activity, Computer, MemberName, MemberAdded, MemberSid, TargetAccount, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectAccount, SubjectDomainName, SubjectUserName, SubjectUserSid, WellKnownDomainGroupSID, WellKnownLocalGroupSID, \\nMemberNameMatch, MemberNTDomainMatch, MemberSidMatch, SubjectNameMatch, SubjectNTDomainMatch, SubjectSidMatch \\n| extend GroupName = TargetUserName, AddedBy = SubjectAccount\\n//support for Activities\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount\\n};\\nGetGroupAddForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_SID}}\u0027) \\n| where ((MemberNameMatch == false and MemberNTDomainMatch == false) or MemberSidMatch == false) and TargetSid matches regex WellKnownLocalGroupSID | where TargetSid !in (\u0027S-1-5-32-555\u0027) \\n| project SubjectAccount, TargetAccount, TargetSid, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_SID\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/0e98c61c-6ae0-4e13-8071-d807dc25082a\",\"name\":\"0e98c61c-6ae0-4e13-8071-d807dc25082a\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user has added accounts to a domain privileged group\",\"content\":\"The user has added accounts to the domain privileged group, {{TargetAccount}}, {{Count}} time(s)\",\"description\":\"This activity displays the user that added accounts to a domain privileged group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalGroupSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownDomainGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForUser = (v_Account_Name:string, v_Account_NTDomain:string, v_Account_SID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n| where AccountType =~ \u0027User\u0027\\n| extend Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nSubjectUserName has \u0027@\u0027 and SubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nSubjectUserName has \u0027@\u0027, tostring(split(SubjectUserName, \u0027@\u0027)[0]),\\nSubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\\nSubjectUserName\\n)\\n| extend Account_NTDomain = case(\\nSubjectDomainName has \u0027\\\\\\\\\u0027, tostring(split(SubjectDomainName, \u0027\\\\\\\\\u0027)[0]),\\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nSubjectDomainName has \u0027@\u0027, tostring(split(tostring(split(SubjectDomainName, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nSubjectDomainName\\n)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName)\\n| extend MemberNameMatch = iff(isnotempty(v_Account_Name) and MemberAdded has v_Account_Name, true, false)\\n| extend MemberNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and MemberAdded has v_Account_NTDomain, true, false)\\n| extend MemberSidMatch = iff(isnotempty(v_Account_SID) and MemberSid =~ v_Account_SID, true, false)\\n| extend SubjectNameMatch = iff(isnotempty(v_Account_Name) and SubjectUserName =~ v_Account_Name, true, false)\\n| extend SubjectNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and SubjectDomainName =~ v_Account_NTDomain, true, false)\\n| extend SubjectSidMatch = iff(isnotempty(v_Account_SID) and SubjectUserSid has v_Account_SID, true, false)\\n| where (MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true or (SubjectNameMatch == true and SubjectNTDomainMatch == true) or SubjectSidMatch == true \\n| project TimeGenerated, EventID, Activity, Computer, MemberName, MemberAdded, MemberSid, TargetAccount, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectAccount, SubjectDomainName, SubjectUserName, SubjectUserSid, WellKnownDomainGroupSID, WellKnownLocalGroupSID, \\nMemberNameMatch, MemberNTDomainMatch, MemberSidMatch, SubjectNameMatch, SubjectNTDomainMatch, SubjectSidMatch \\n| extend GroupName = TargetUserName, AddedBy = SubjectAccount\\n//support for Activities\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount\\n};\\nGetGroupAddForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_SID}}\u0027) \\n| where ((MemberNameMatch == false and MemberNTDomainMatch == false) or MemberSidMatch == false) and TargetSid matches regex WellKnownDomainGroupSID \\n| project SubjectAccount, TargetAccount, TargetSid, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_SID\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/0caf9819-3269-48ac-b162-eeee638e4aa9\",\"name\":\"0caf9819-3269-48ac-b162-eeee638e4aa9\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"This user was added to a local privileged group\",\"content\":\"This user was added to the local privileged group {{TargetAccount}}, {{Count}} time(s)\",\"description\":\"This activity displays that this user was added to a local privileged group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalGroupSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownDomainGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForUser = (v_Account_Name:string, v_Account_NTDomain:string, v_Account_SID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n| where AccountType =~ \u0027User\u0027\\n| extend Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nSubjectUserName has \u0027@\u0027 and SubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nSubjectUserName has \u0027@\u0027, tostring(split(SubjectUserName, \u0027@\u0027)[0]),\\nSubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\\nSubjectUserName\\n)\\n| extend Account_NTDomain = case(\\nSubjectDomainName has \u0027\\\\\\\\\u0027, tostring(split(SubjectDomainName, \u0027\\\\\\\\\u0027)[0]),\\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nSubjectDomainName has \u0027@\u0027, tostring(split(tostring(split(SubjectDomainName, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nSubjectDomainName\\n)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName)\\n| extend MemberNameMatch = iff(isnotempty(v_Account_Name) and MemberAdded has v_Account_Name, true, false)\\n| extend MemberNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and MemberAdded has v_Account_NTDomain, true, false)\\n| extend MemberSidMatch = iff(isnotempty(v_Account_SID) and MemberSid =~ v_Account_SID, true, false)\\n| extend SubjectNameMatch = iff(isnotempty(v_Account_Name) and SubjectUserName =~ v_Account_Name, true, false)\\n| extend SubjectNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and SubjectDomainName =~ v_Account_NTDomain, true, false)\\n| extend SubjectSidMatch = iff(isnotempty(v_Account_SID) and SubjectUserSid has v_Account_SID, true, false)\\n| where (MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true or (SubjectNameMatch == true and SubjectNTDomainMatch == true) or SubjectSidMatch == true \\n| project TimeGenerated, EventID, Activity, Computer, MemberName, MemberAdded, MemberSid, TargetAccount, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectAccount, SubjectDomainName, SubjectUserName, SubjectUserSid, WellKnownDomainGroupSID, WellKnownLocalGroupSID, \\nMemberNameMatch, MemberNTDomainMatch, MemberSidMatch, SubjectNameMatch, SubjectNTDomainMatch, SubjectSidMatch \\n| extend GroupName = TargetUserName, AddedBy = SubjectAccount\\n//support for Activities\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount\\n};\\nGetGroupAddForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_SID}}\u0027) \\n| where ((MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true) and TargetSid matches regex WellKnownLocalGroupSID | where TargetSid !in (\u0027S-1-5-32-555\u0027) \\n| project SubjectAccount, TargetAccount, TargetSid, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_SID\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/d57681e4-18e6-459f-b61d-4d4a1f205b70\",\"name\":\"d57681e4-18e6-459f-b61d-4d4a1f205b70\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"This user was added to a domain privileged group\",\"content\":\"This user was added to the domain privileged group {{TargetAccount}}\",\"description\":\"This activity displays that this user was added to a domain privileged group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalGroupSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownDomainGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForUser = (v_Account_Name:string, v_Account_NTDomain:string, v_Account_SID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n| where AccountType =~ \u0027User\u0027\\n| extend Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nSubjectUserName has \u0027@\u0027 and SubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nSubjectUserName has \u0027@\u0027, tostring(split(SubjectUserName, \u0027@\u0027)[0]),\\nSubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\\nSubjectUserName\\n)\\n| extend Account_NTDomain = case(\\nSubjectDomainName has \u0027\\\\\\\\\u0027, tostring(split(SubjectDomainName, \u0027\\\\\\\\\u0027)[0]),\\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nSubjectDomainName has \u0027@\u0027, tostring(split(tostring(split(SubjectDomainName, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nSubjectDomainName\\n)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName)\\n| extend MemberNameMatch = iff(isnotempty(v_Account_Name) and MemberAdded has v_Account_Name, true, false)\\n| extend MemberNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and MemberAdded has v_Account_NTDomain, true, false)\\n| extend MemberSidMatch = iff(isnotempty(v_Account_SID) and MemberSid =~ v_Account_SID, true, false)\\n| extend SubjectNameMatch = iff(isnotempty(v_Account_Name) and SubjectUserName =~ v_Account_Name, true, false)\\n| extend SubjectNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and SubjectDomainName =~ v_Account_NTDomain, true, false)\\n| extend SubjectSidMatch = iff(isnotempty(v_Account_SID) and SubjectUserSid has v_Account_SID, true, false)\\n| where (MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true or (SubjectNameMatch == true and SubjectNTDomainMatch == true) or SubjectSidMatch == true \\n| project TimeGenerated, EventID, Activity, Computer, MemberName, MemberAdded, MemberSid, TargetAccount, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectAccount, SubjectDomainName, SubjectUserName, SubjectUserSid, WellKnownDomainGroupSID, WellKnownLocalGroupSID, \\nMemberNameMatch, MemberNTDomainMatch, MemberSidMatch, SubjectNameMatch, SubjectNTDomainMatch, SubjectSidMatch \\n| extend GroupName = TargetUserName, AddedBy = SubjectAccount\\n//support for Activities\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount\\n};\\nGetGroupAddForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_SID}}\u0027) \\n| where ((MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true) and TargetSid matches regex WellKnownDomainGroupSID \\n| project SubjectAccount, TargetAccount, TargetSid, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_SID\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/5ae2baf4-de7b-40f0-a861-8852266bfcd0\",\"name\":\"5ae2baf4-de7b-40f0-a861-8852266bfcd0\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user has added accounts to the Remote Desktop Users group\",\"content\":\"The user has added accounts to the {{TargetAccount}}, {{Count}} time(s)\",\"description\":\"This activity displays the user that added accounts to Remote Desktop group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalGroupSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownDomainGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForUser = (v_Account_Name:string, v_Account_NTDomain:string, v_Account_SID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n| where AccountType =~ \u0027User\u0027\\n| extend Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nSubjectUserName has \u0027@\u0027 and SubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nSubjectUserName has \u0027@\u0027, tostring(split(SubjectUserName, \u0027@\u0027)[0]),\\nSubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\\nSubjectUserName\\n)\\n| extend Account_NTDomain = case(\\nSubjectDomainName has \u0027\\\\\\\\\u0027, tostring(split(SubjectDomainName, \u0027\\\\\\\\\u0027)[0]),\\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nSubjectDomainName has \u0027@\u0027, tostring(split(tostring(split(SubjectDomainName, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nSubjectDomainName\\n)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName)\\n| extend MemberNameMatch = iff(isnotempty(v_Account_Name) and MemberAdded has v_Account_Name, true, false)\\n| extend MemberNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and MemberAdded has v_Account_NTDomain, true, false)\\n| extend MemberSidMatch = iff(isnotempty(v_Account_SID) and MemberSid =~ v_Account_SID, true, false)\\n| extend SubjectNameMatch = iff(isnotempty(v_Account_Name) and SubjectUserName =~ v_Account_Name, true, false)\\n| extend SubjectNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and SubjectDomainName =~ v_Account_NTDomain, true, false)\\n| extend SubjectSidMatch = iff(isnotempty(v_Account_SID) and SubjectUserSid has v_Account_SID, true, false)\\n| where (MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true or (SubjectNameMatch == true and SubjectNTDomainMatch == true) or SubjectSidMatch == true \\n| project TimeGenerated, EventID, Activity, Computer, MemberName, MemberAdded, MemberSid, TargetAccount, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectAccount, SubjectDomainName, SubjectUserName, SubjectUserSid, WellKnownDomainGroupSID, WellKnownLocalGroupSID, \\nMemberNameMatch, MemberNTDomainMatch, MemberSidMatch, SubjectNameMatch, SubjectNTDomainMatch, SubjectSidMatch \\n| extend GroupName = TargetUserName, AddedBy = SubjectAccount\\n//support for Activities\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount\\n};\\nGetGroupAddForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_SID}}\u0027) \\n| where ((MemberNameMatch == false and MemberNTDomainMatch == false) or MemberSidMatch == false) and TargetSid in (\u0027S-1-5-32-555\u0027) \\n| project SubjectAccount, TargetAccount, TargetSid, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_SID\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/60ef2e21-5f90-48bf-9bbc-d2a1829c3861\",\"name\":\"60ef2e21-5f90-48bf-9bbc-d2a1829c3861\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"This user was added to the Remote Desktop Users group\",\"content\":\"This user was added to the {{TargetAccount}} group\",\"description\":\"This activity displays that this user was added to the Remote Desktop group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalGroupSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownDomainGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForUser = (v_Account_Name:string, v_Account_NTDomain:string, v_Account_SID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n| where AccountType =~ \u0027User\u0027\\n| extend Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nSubjectUserName has \u0027@\u0027 and SubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nSubjectUserName has \u0027@\u0027, tostring(split(SubjectUserName, \u0027@\u0027)[0]),\\nSubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\\nSubjectUserName\\n)\\n| extend Account_NTDomain = case(\\nSubjectDomainName has \u0027\\\\\\\\\u0027, tostring(split(SubjectDomainName, \u0027\\\\\\\\\u0027)[0]),\\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nSubjectDomainName has \u0027@\u0027, tostring(split(tostring(split(SubjectDomainName, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nSubjectDomainName\\n)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName)\\n| extend MemberNameMatch = iff(isnotempty(v_Account_Name) and MemberAdded has v_Account_Name, true, false)\\n| extend MemberNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and MemberAdded has v_Account_NTDomain, true, false)\\n| extend MemberSidMatch = iff(isnotempty(v_Account_SID) and MemberSid =~ v_Account_SID, true, false)\\n| extend SubjectNameMatch = iff(isnotempty(v_Account_Name) and SubjectUserName =~ v_Account_Name, true, false)\\n| extend SubjectNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and SubjectDomainName =~ v_Account_NTDomain, true, false)\\n| extend SubjectSidMatch = iff(isnotempty(v_Account_SID) and SubjectUserSid has v_Account_SID, true, false)\\n| where (MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true or (SubjectNameMatch == true and SubjectNTDomainMatch == true) or SubjectSidMatch == true \\n| project TimeGenerated, EventID, Activity, Computer, MemberName, MemberAdded, MemberSid, TargetAccount, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectAccount, SubjectDomainName, SubjectUserName, SubjectUserSid, WellKnownDomainGroupSID, WellKnownLocalGroupSID, \\nMemberNameMatch, MemberNTDomainMatch, MemberSidMatch, SubjectNameMatch, SubjectNTDomainMatch, SubjectSidMatch \\n| extend GroupName = TargetUserName, AddedBy = SubjectAccount\\n//support for Activities\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount\\n};\\nGetGroupAddForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_SID}}\u0027) \\n| where ((MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true) and TargetSid in (\u0027S-1-5-32-555\u0027) \\n| project SubjectAccount, TargetAccount, TargetSid, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_SID\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/bf56473d-b9bd-4eb1-96d0-8569ec7a9003\",\"name\":\"bf56473d-b9bd-4eb1-96d0-8569ec7a9003\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user has added an account to a security group\",\"content\":\"The user has added {{MemberAdded}} to the {{TargetAccount}} group\",\"description\":\"This activity displays the user that added an account and the account that was added to a security group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalGroupSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownDomainGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForUser = (v_Account_Name:string, v_Account_NTDomain:string, v_Account_SID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n| where AccountType =~ \u0027User\u0027\\n| extend Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nSubjectUserName has \u0027@\u0027 and SubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nSubjectUserName has \u0027@\u0027, tostring(split(SubjectUserName, \u0027@\u0027)[0]),\\nSubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\\nSubjectUserName\\n)\\n| extend Account_NTDomain = case(\\nSubjectDomainName has \u0027\\\\\\\\\u0027, tostring(split(SubjectDomainName, \u0027\\\\\\\\\u0027)[0]),\\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nSubjectDomainName has \u0027@\u0027, tostring(split(tostring(split(SubjectDomainName, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nSubjectDomainName\\n)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName)\\n| extend MemberNameMatch = iff(isnotempty(v_Account_Name) and MemberAdded has v_Account_Name, true, false)\\n| extend MemberNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and MemberAdded has v_Account_NTDomain, true, false)\\n| extend MemberSidMatch = iff(isnotempty(v_Account_SID) and MemberSid =~ v_Account_SID, true, false)\\n| extend SubjectNameMatch = iff(isnotempty(v_Account_Name) and SubjectUserName =~ v_Account_Name, true, false)\\n| extend SubjectNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and SubjectDomainName =~ v_Account_NTDomain, true, false)\\n| extend SubjectSidMatch = iff(isnotempty(v_Account_SID) and SubjectUserSid has v_Account_SID, true, false)\\n| where (MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true or (SubjectNameMatch == true and SubjectNTDomainMatch == true) or SubjectSidMatch == true \\n| project TimeGenerated, EventID, Activity, Computer, MemberName, MemberAdded, MemberSid, TargetAccount, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectAccount, SubjectDomainName, SubjectUserName, SubjectUserSid, WellKnownDomainGroupSID, WellKnownLocalGroupSID, \\nMemberNameMatch, MemberNTDomainMatch, MemberSidMatch, SubjectNameMatch, SubjectNTDomainMatch, SubjectSidMatch \\n| extend GroupName = TargetUserName, AddedBy = SubjectAccount\\n//support for Activities\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount\\n};\\nGetGroupAddForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_SID}}\u0027) \\n| where ((SubjectNameMatch == true and SubjectNTDomainMatch == true) or SubjectSidMatch == true) and not(TargetSid matches regex WellKnownLocalGroupSID or TargetSid matches regex WellKnownDomainGroupSID) \\n| project SubjectAccount, MemberAdded, TargetAccount, TargetSid, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_SID\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/252c9ad7-2957-43cd-8f33-4ac4bb56e119\",\"name\":\"252c9ad7-2957-43cd-8f33-4ac4bb56e119\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"This user was added to a security group\",\"content\":\"This user was added to the {{TargetAccount}} group, {{Count}} time(s)\",\"description\":\"This activity displays that this user was added to a security group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalGroupSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownDomainGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForUser = (v_Account_Name:string, v_Account_NTDomain:string, v_Account_SID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n| where AccountType =~ \u0027User\u0027\\n| extend Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nSubjectUserName has \u0027@\u0027 and SubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nSubjectUserName has \u0027@\u0027, tostring(split(SubjectUserName, \u0027@\u0027)[0]),\\nSubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\\nSubjectUserName\\n)\\n| extend Account_NTDomain = case(\\nSubjectDomainName has \u0027\\\\\\\\\u0027, tostring(split(SubjectDomainName, \u0027\\\\\\\\\u0027)[0]),\\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nSubjectDomainName has \u0027@\u0027, tostring(split(tostring(split(SubjectDomainName, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nSubjectDomainName\\n)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName)\\n| extend MemberNameMatch = iff(isnotempty(v_Account_Name) and MemberAdded has v_Account_Name, true, false)\\n| extend MemberNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and MemberAdded has v_Account_NTDomain, true, false)\\n| extend MemberSidMatch = iff(isnotempty(v_Account_SID) and MemberSid =~ v_Account_SID, true, false)\\n| extend SubjectNameMatch = iff(isnotempty(v_Account_Name) and SubjectUserName =~ v_Account_Name, true, false)\\n| extend SubjectNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and SubjectDomainName =~ v_Account_NTDomain, true, false)\\n| extend SubjectSidMatch = iff(isnotempty(v_Account_SID) and SubjectUserSid has v_Account_SID, true, false)\\n| where (MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true or (SubjectNameMatch == true and SubjectNTDomainMatch == true) or SubjectSidMatch == true \\n| project TimeGenerated, EventID, Activity, Computer, MemberName, MemberAdded, MemberSid, TargetAccount, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectAccount, SubjectDomainName, SubjectUserName, SubjectUserSid, WellKnownDomainGroupSID, WellKnownLocalGroupSID, \\nMemberNameMatch, MemberNTDomainMatch, MemberSidMatch, SubjectNameMatch, SubjectNTDomainMatch, SubjectSidMatch \\n| extend GroupName = TargetUserName, AddedBy = SubjectAccount\\n//support for Activities\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount\\n};\\nGetGroupAddForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_SID}}\u0027) \\n| where ((MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true) and not(TargetSid matches regex WellKnownLocalGroupSID or TargetSid matches regex WellKnownDomainGroupSID) \\n| project SubjectAccount, TargetAccount, TargetSid, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_SID\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/1f82f263-d694-469a-9717-1b3edf9d3bb2\",\"name\":\"1f82f263-d694-469a-9717-1b3edf9d3bb2\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user acted on another accounts mailbox\",\"content\":\"The user acted on mailbox {{MailboxOwnerUPN}} {{Count}} time(s)\",\"description\":\"This activity lists user\u0027s activities on others\u0027 mailbox\",\"queryDefinitions\":{\"query\":\"let TLQ_UserActedOnForeignMailbox = (Account_Name:string, Account_UPNSuffix:string, account_sid:string){\\nlet account_upn = iff(Account_Name!=\\\"\\\" and Account_UPNSuffix != \\\"\\\"\\n,strcat(Account_Name,\\\"@\\\",Account_UPNSuffix)\\n,\\\"\\\");\\nOfficeActivity\\n| where RecordType == \\\"ExchangeItem\\\" and UserType ==\\\"Regular\\\" and Operation !contains \\\"InboxRule\\\"\\n| where LogonUserSid != MailboxOwnerSid \\n| where ((account_sid != \\\"\\\" and LogonUserSid =~ account_sid)\\n or ( account_upn != \\\"\\\" and UserId =~ account_upn ))\\n};\\nTLQ_UserActedOnForeignMailbox(\u0027{{Account_Name}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_Sid}}\u0027) \\n| project MailboxOwnerSid, MailboxOwnerUPN, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"OfficeActivity\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/e480efd0-016d-428e-b892-84b9d586d004\",\"name\":\"e480efd0-016d-428e-b892-84b9d586d004\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user modified inbox rules on another accounts mailbox\",\"content\":\"User Modified {{Count}} inbox rules on {{MailboxOwnerUPN}}\u0027s Mailbox\",\"description\":\"User modified inbox rules on a mailbox\",\"queryDefinitions\":{\"query\":\"let ruleChangeRecordTypes = dynamic( [\\\"ExchangeAdmin\\\", \\\"ExchangeItem\\\"]);\\nlet TLQ_UserModifiedinboxRules = (Account_Name: string, Account_UPNSuffix: string, Account_Sid: string){\\nlet upn = iff(Account_Name != \\\"\\\" and Account_UPNSuffix != \\\"\\\"\\n, strcat(Account_Name, \\\"@\\\", Account_UPNSuffix)\\n, \\\"\\\");\\nOfficeActivity\\n| where RecordType in~ (ruleChangeRecordTypes) and Operation contains \\\"InboxRule\\\"\\n| where((Account_Sid != \\\"\\\" and LogonUserSid == Account_Sid)\\nor(upn != \\\"\\\" and UserId == upn )\\n)\\n};\\nTLQ_UserModifiedinboxRules(\u0027{{Account_Name}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_Sid}}\u0027) \\n| project MailboxOwnerSid, MailboxOwnerUPN, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"OfficeActivity\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/0eabec03-51e7-4909-b0cb-1adc76759e93\",\"name\":\"0eabec03-51e7-4909-b0cb-1adc76759e93\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"User uploaded files to SharePoint\",\"content\":\"User uploaded {{Count}} file(s) To SharePoint from {{Source_IP_Address}}\",\"description\":\"This activity lists the user\u0027s SharePoint uploads.\",\"queryDefinitions\":{\"query\":\"let TLQ_UserUploadFiles = (Account_Name:string, Account_UPNSuffix:string){\\nlet upn = strcat(Account_Name,\\\"@\\\",Account_UPNSuffix);\\nOfficeActivity\\n| where RecordType =~ \\\"SharePointFileOperation\\\" and Operation in~ (\\\"FileUploaded\\\", \\\"FileDownloaded\\\")\\n| where upn =~UserId\\n| extend Subject_File_Directory = tostring(split(OfficeObjectId,SourceFileName)[0])\\n| project-rename Source_IP_Address = ClientIP\\n};\\nTLQ_UserUploadFiles(\u0027{{Account_Name}}\u0027, \u0027{{Account_UPNSuffix}}\u0027) \\n| where Operation =~ \\\"FileUploaded\\\" \\n| project Source_IP_Address, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"OfficeActivity\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_UPNSuffix\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/df564e7b-bf6d-4dc4-a32d-79b00bd2cc7b\",\"name\":\"df564e7b-bf6d-4dc4-a32d-79b00bd2cc7b\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"User downloaded files from SharePoint\",\"content\":\"User downloaded {{Count}} File(s) from SharePoint from {{Source_IP_Address}}\",\"description\":\"This activity lists the user\u0027s SharePoint downloads.\",\"queryDefinitions\":{\"query\":\"let TLQ_UserUploadFiles = (Account_Name:string, Account_UPNSuffix:string){\\nlet upn = strcat(Account_Name,\\\"@\\\",Account_UPNSuffix);\\nOfficeActivity\\n| where RecordType =~ \\\"SharePointFileOperation\\\" and Operation in~ (\\\"FileUploaded\\\", \\\"FileDownloaded\\\")\\n| where upn =~UserId\\n| extend Subject_File_Directory = tostring(split(OfficeObjectId,SourceFileName)[0])\\n| project-rename Source_IP_Address = ClientIP\\n};\\nTLQ_UserUploadFiles(\u0027{{Account_Name}}\u0027, \u0027{{Account_UPNSuffix}}\u0027) \\n| where Operation =~ \\\"FileDownloaded\\\" \\n| project Source_IP_Address, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"OfficeActivity\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_UPNSuffix\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/0f328f28-7e21-4596-b71c-54309fee5551\",\"name\":\"0f328f28-7e21-4596-b71c-54309fee5551\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user signed in to an Azure resource\",\"content\":\"The user signed in to {{shortResourceId}} {{Count}} time(s)\",\"description\":\"This activity lists user\u0027s sign ins to Azure Resources\",\"queryDefinitions\":{\"query\":\"let SignInsByResource = (Account_Name:string, Account_UPNSuffix:string, Account_AadUserId:string){\\nlet acc_upn = iff(Account_Name != \\\"\\\" and Account_UPNSuffix != \\\"\\\" ,strcat(Account_Name,\\\"@\\\" ,Account_UPNSuffix),\\\"\\\");\\nSigninLogs\\n| where (acc_upn != \\\"\\\" and UserPrincipalName =~ acc_upn) or\\n   (Account_AadUserId != \\\"\\\" and Account_AadUserId =~ UserId) // UserPrincipalName, UserId\\n| extend shortResourceId = tostring(split(ResourceId,\\\"/\\\")[-1])\\n};\\nSignInsByResource(\u0027{{Account_Name}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_AadUserId}}\u0027) \\n| project shortResourceId, ResourceId, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SigninLogs\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AadUserId\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/0d4ec12e-e44a-40a4-bb87-3db84d2a8057\",\"name\":\"0d4ec12e-e44a-40a4-bb87-3db84d2a8057\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Interactive log-ins to a host\",\"content\":\"The user {{Account_Name}} logged on to host {{Computer}} {{Count}} time(s)\",\"description\":\"This activity lists the user\u0027s interactive log-ins grouped by Host.\",\"queryDefinitions\":{\"query\":\"let GetAllLogonsForUser = (v_Account_Name:string, v_Account_NTDomain:string){\\nlet AllEvents = SecurityEvent\\n| extend p_Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nv_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nv_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\nv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\nv_Account_Name\\n)\\n| extend p_Account_NTDomain = case(\\nv_Account_NTDomain has \u0027\\\\\\\\\u0027, tostring(split(v_Account_NTDomain, \u0027\\\\\\\\\u0027)[0]), \\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nv_Account_NTDomain has \u0027@\u0027, tostring(split(tostring(split(v_Account_NTDomain, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nv_Account_NTDomain\\n)\\n| where EventID in (4624, 4625, 4672)\\n| where AccountType =~ \u0027User\u0027\\n| where TargetUserName =~ p_Account_Name and TargetDomainName =~ p_Account_NTDomain\\n| extend PassedInAccountName = p_Account_Name, PassedInNTDomain = p_Account_NTDomain, RelatedRowSet = \u0027AllEvents\u0027\\n| extend HourOfLogin = hourofday(TimeGenerated), DayNumberofWeek = dayofweek(TimeGenerated)\\n| extend DayofWeek = case(\\nDayNumberofWeek == \\\"00:00:00\\\", \\\"Sunday\\\", \\nDayNumberofWeek == \\\"1.00:00:00\\\", \\\"Monday\\\", \\nDayNumberofWeek == \\\"2.00:00:00\\\", \\\"Tuesday\\\", \\nDayNumberofWeek == \\\"3.00:00:00\\\", \\\"Wednesday\\\", \\nDayNumberofWeek == \\\"4.00:00:00\\\", \\\"Thursday\\\", \\nDayNumberofWeek == \\\"5.00:00:00\\\", \\\"Friday\\\", \\nDayNumberofWeek == \\\"6.00:00:00\\\", \\\"Saturday\\\",\\\"InvalidTimeStamp\\\")\\n// map the most common ntstatus codes\\n| extend StatusDesc = case(\\nStatus =~ \\\"0x80090302\\\", \\\"SEC_E_UNSUPPORTED_FUNCTION\\\",\\nStatus =~ \\\"0x80090308\\\", \\\"SEC_E_INVALID_TOKEN\\\",\\nStatus =~ \\\"0x8009030E\\\", \\\"SEC_E_NO_CREDENTIALS\\\",\\nStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nStatus =~ \\\"0xC0000017\\\", \\\"STATUS_NO_MEMORY\\\",\\nStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nStatus =~ \\\"0xC0000034\\\", \\\"STATUS_OBJECT_NAME_NOT_FOUND\\\",\\nStatus =~ \\\"0xC000005E\\\", \\\"STATUS_NO_LOGON_SERVERS\\\",\\nStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nStatus =~ \\\"0xC00000FE\\\", \\\"STATUS_NO_SUCH_PACKAGE\\\",\\nStatus =~ \\\"0xC000009A\\\", \\\"STATUS_INSUFFICIENT_RESOURCES\\\",\\nStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nStatus =~ \\\"0xC0000106\\\", \\\"STATUS_NAME_TOO_LONG\\\",\\nStatus =~ \\\"0xC000010B\\\", \\\"STATUS_INVALID_LOGON_TYPE\\\",\\nStatus =~ \\\"0xC000015B\\\", \\\"STATUS_LOGON_TYPE_NOT_GRANTED\\\",\\nStatus =~ \\\"0xC000018B\\\", \\\"STATUS_NO_TRUST_SAM_ACCOUNT\\\",\\nStatus =~ \\\"0xC0000224\\\", \\\"STATUS_PASSWORD_MUST_CHANGE\\\",\\nStatus =~ \\\"0xC0000234\\\", \\\"STATUS_ACCOUNT_LOCKED_OUT\\\",\\nStatus =~ \\\"0xC00002EE\\\", \\\"STATUS_UNFINISHED_CONTEXT_DELETED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| extend SubStatusDesc = case(\\nSubStatus =~ \\\"0x80090325\\\", \\\"SEC_E_UNTRUSTED_ROOT\\\",\\nSubStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nSubStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nSubStatus =~ \\\"0xC0000064\\\", \\\"STATUS_NO_SUCH_USER\\\",\\nSubStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nSubStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nSubStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nSubStatus =~ \\\"0xC000006F\\\", \\\"STATUS_INVALID_LOGON_HOURS\\\",\\nSubStatus =~ \\\"0xC0000070\\\", \\\"STATUS_INVALID_WORKSTATION\\\",\\nSubStatus =~ \\\"0xC0000071\\\", \\\"STATUS_PASSWORD_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000072\\\", \\\"STATUS_ACCOUNT_DISABLED\\\",\\nSubStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nSubStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nSubStatus =~ \\\"0xC0000133\\\", \\\"STATUS_TIME_DIFFERENCE_AT_DC\\\",\\nSubStatus =~ \\\"0xC000018D\\\", \\\"STATUS_TRUSTED_RELATIONSHIP_FAILURE\\\",\\nSubStatus =~ \\\"0xC0000193\\\", \\\"STATUS_ACCOUNT_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000380\\\", \\\"STATUS_SMARTCARD_WRONG_PIN\\\",\\nSubStatus =~ \\\"0xC0000381\\\", \\\"STATUS_SMARTCARD_CARD_BLOCKED\\\",\\nSubStatus =~ \\\"0xC0000382\\\", \\\"STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED\\\",\\nSubStatus =~ \\\"0xC0000383\\\", \\\"STATUS_SMARTCARD_NO_CARD\\\",\\nSubStatus =~ \\\"0xC0000384\\\", \\\"STATUS_SMARTCARD_NO_KEY_CONTAINER\\\",\\nSubStatus =~ \\\"0xC0000385\\\", \\\"STATUS_SMARTCARD_NO_CERTIFICATE\\\",\\nSubStatus =~ \\\"0xC0000386\\\", \\\"STATUS_SMARTCARD_NO_KEYSET\\\",\\nSubStatus =~ \\\"0xC0000387\\\", \\\"STATUS_SMARTCARD_IO_ERROR\\\",\\nSubStatus =~ \\\"0xC0000388\\\", \\\"STATUS_DOWNGRADE_DETECTED\\\",\\nSubStatus =~ \\\"0xC0000389\\\", \\\"STATUS_SMARTCARD_CERT_REVOKED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| project StartTime = TimeGenerated, DayofWeek, HourOfLogin, EventID, Activity, IpAddress, WorkstationName, Computer, TargetUserName, TargetDomainName, ProcessName, SubjectUserName, PrivilegeList, PassedInAccountName, PassedInNTDomain, LogonTypeName, StatusDesc, SubStatusDesc, RelatedRowSet \\n;\\nlet UserSigninToSystems = AllEvents\\n| where EventID == 4624\\n| project-away StatusDesc, SubStatusDesc, PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserSigninToSystems\u0027 ;\\nlet UserFailedSigninToSystems = AllEvents\\n| where EventID == 4625\\n| project-away PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserFailedSigninToSystems\u0027 ;\\nlet UserSigninDuringAbnormalHours = AllEvents\\n| where StartTime between (ago(14d)..ago(2d))\\n| where EventID in (4624,4625)\\n| where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n| summarize max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek) by TargetUserName\\n| join kind= inner\\n(\\n AllEvents\\n | where StartTime \u003e ago(2d)\\n | where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n)\\non TargetUserName\\n| where HourOfLogin \u003e max_HourOfLogin or HourOfLogin \u003c min_HourOfLogin\\n| extend historical_DayofWeek = tostring(historical_DayofWeek)\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), current_DayofWeek =make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName, StatusDesc, SubStatusDesc, historical_DayofWeek\\n| extend historical_DayofWeek = todynamic(historical_DayofWeek) \\n| extend RelatedRowSet = \u0027UserSigninDuringAbnormalHour\u0027; \\nlet UserHadPrivilegedLogonSessions = AllEvents\\n| where EventID == 4672\\n| where PrivilegeList contains \u0027SeDebugPrivilege\u0027\\n| project-away StatusDesc, SubStatusDesc\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, PrivilegeList\\n// Notice! summarize removes the TimeGenerated field, which is required for Activities.\\n| extend RelatedRowSet = \u0027UserHadPrivilegedLogonSessions\u0027 ;\\nunion isfuzzy=true AllEvents, UserSigninToSystems, UserFailedSigninToSystems, UserSigninDuringAbnormalHours, UserHadPrivilegedLogonSessions\\n};\\n// change {{Account_Name}} value below to the username you are interested in and {{Account_NTDomain}} to the domain of the user you are interested in\\nGetAllLogonsForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027) \\n| where RelatedRowSet == \u0027AllEvents\u0027 and EventID==4624 and LogonTypeName == \u00272 - Interactive\u0027 | extend TimeGenerated=StartTime \\n| project Computer, WorkstationName, LogonTypeName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/c9da5786-6c3c-45b5-9a46-53200ed9df09\",\"name\":\"c9da5786-6c3c-45b5-9a46-53200ed9df09\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Network log-ins to a host\",\"content\":\"The user {{Account_Name}} logged on to host {{Computer}} {{Count}} time(s)\",\"description\":\"This activity lists the user\u0027s network log-ins, grouped by Host.\",\"queryDefinitions\":{\"query\":\"let GetAllLogonsForUser = (v_Account_Name:string, v_Account_NTDomain:string){\\nlet AllEvents = SecurityEvent\\n| extend p_Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nv_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nv_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\nv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\nv_Account_Name\\n)\\n| extend p_Account_NTDomain = case(\\nv_Account_NTDomain has \u0027\\\\\\\\\u0027, tostring(split(v_Account_NTDomain, \u0027\\\\\\\\\u0027)[0]), \\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nv_Account_NTDomain has \u0027@\u0027, tostring(split(tostring(split(v_Account_NTDomain, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nv_Account_NTDomain\\n)\\n| where EventID in (4624, 4625, 4672)\\n| where AccountType =~ \u0027User\u0027\\n| where TargetUserName =~ p_Account_Name and TargetDomainName =~ p_Account_NTDomain\\n| extend PassedInAccountName = p_Account_Name, PassedInNTDomain = p_Account_NTDomain, RelatedRowSet = \u0027AllEvents\u0027\\n| extend HourOfLogin = hourofday(TimeGenerated), DayNumberofWeek = dayofweek(TimeGenerated)\\n| extend DayofWeek = case(\\nDayNumberofWeek == \\\"00:00:00\\\", \\\"Sunday\\\", \\nDayNumberofWeek == \\\"1.00:00:00\\\", \\\"Monday\\\", \\nDayNumberofWeek == \\\"2.00:00:00\\\", \\\"Tuesday\\\", \\nDayNumberofWeek == \\\"3.00:00:00\\\", \\\"Wednesday\\\", \\nDayNumberofWeek == \\\"4.00:00:00\\\", \\\"Thursday\\\", \\nDayNumberofWeek == \\\"5.00:00:00\\\", \\\"Friday\\\", \\nDayNumberofWeek == \\\"6.00:00:00\\\", \\\"Saturday\\\",\\\"InvalidTimeStamp\\\")\\n// map the most common ntstatus codes\\n| extend StatusDesc = case(\\nStatus =~ \\\"0x80090302\\\", \\\"SEC_E_UNSUPPORTED_FUNCTION\\\",\\nStatus =~ \\\"0x80090308\\\", \\\"SEC_E_INVALID_TOKEN\\\",\\nStatus =~ \\\"0x8009030E\\\", \\\"SEC_E_NO_CREDENTIALS\\\",\\nStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nStatus =~ \\\"0xC0000017\\\", \\\"STATUS_NO_MEMORY\\\",\\nStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nStatus =~ \\\"0xC0000034\\\", \\\"STATUS_OBJECT_NAME_NOT_FOUND\\\",\\nStatus =~ \\\"0xC000005E\\\", \\\"STATUS_NO_LOGON_SERVERS\\\",\\nStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nStatus =~ \\\"0xC00000FE\\\", \\\"STATUS_NO_SUCH_PACKAGE\\\",\\nStatus =~ \\\"0xC000009A\\\", \\\"STATUS_INSUFFICIENT_RESOURCES\\\",\\nStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nStatus =~ \\\"0xC0000106\\\", \\\"STATUS_NAME_TOO_LONG\\\",\\nStatus =~ \\\"0xC000010B\\\", \\\"STATUS_INVALID_LOGON_TYPE\\\",\\nStatus =~ \\\"0xC000015B\\\", \\\"STATUS_LOGON_TYPE_NOT_GRANTED\\\",\\nStatus =~ \\\"0xC000018B\\\", \\\"STATUS_NO_TRUST_SAM_ACCOUNT\\\",\\nStatus =~ \\\"0xC0000224\\\", \\\"STATUS_PASSWORD_MUST_CHANGE\\\",\\nStatus =~ \\\"0xC0000234\\\", \\\"STATUS_ACCOUNT_LOCKED_OUT\\\",\\nStatus =~ \\\"0xC00002EE\\\", \\\"STATUS_UNFINISHED_CONTEXT_DELETED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| extend SubStatusDesc = case(\\nSubStatus =~ \\\"0x80090325\\\", \\\"SEC_E_UNTRUSTED_ROOT\\\",\\nSubStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nSubStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nSubStatus =~ \\\"0xC0000064\\\", \\\"STATUS_NO_SUCH_USER\\\",\\nSubStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nSubStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nSubStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nSubStatus =~ \\\"0xC000006F\\\", \\\"STATUS_INVALID_LOGON_HOURS\\\",\\nSubStatus =~ \\\"0xC0000070\\\", \\\"STATUS_INVALID_WORKSTATION\\\",\\nSubStatus =~ \\\"0xC0000071\\\", \\\"STATUS_PASSWORD_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000072\\\", \\\"STATUS_ACCOUNT_DISABLED\\\",\\nSubStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nSubStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nSubStatus =~ \\\"0xC0000133\\\", \\\"STATUS_TIME_DIFFERENCE_AT_DC\\\",\\nSubStatus =~ \\\"0xC000018D\\\", \\\"STATUS_TRUSTED_RELATIONSHIP_FAILURE\\\",\\nSubStatus =~ \\\"0xC0000193\\\", \\\"STATUS_ACCOUNT_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000380\\\", \\\"STATUS_SMARTCARD_WRONG_PIN\\\",\\nSubStatus =~ \\\"0xC0000381\\\", \\\"STATUS_SMARTCARD_CARD_BLOCKED\\\",\\nSubStatus =~ \\\"0xC0000382\\\", \\\"STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED\\\",\\nSubStatus =~ \\\"0xC0000383\\\", \\\"STATUS_SMARTCARD_NO_CARD\\\",\\nSubStatus =~ \\\"0xC0000384\\\", \\\"STATUS_SMARTCARD_NO_KEY_CONTAINER\\\",\\nSubStatus =~ \\\"0xC0000385\\\", \\\"STATUS_SMARTCARD_NO_CERTIFICATE\\\",\\nSubStatus =~ \\\"0xC0000386\\\", \\\"STATUS_SMARTCARD_NO_KEYSET\\\",\\nSubStatus =~ \\\"0xC0000387\\\", \\\"STATUS_SMARTCARD_IO_ERROR\\\",\\nSubStatus =~ \\\"0xC0000388\\\", \\\"STATUS_DOWNGRADE_DETECTED\\\",\\nSubStatus =~ \\\"0xC0000389\\\", \\\"STATUS_SMARTCARD_CERT_REVOKED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| project StartTime = TimeGenerated, DayofWeek, HourOfLogin, EventID, Activity, IpAddress, WorkstationName, Computer, TargetUserName, TargetDomainName, ProcessName, SubjectUserName, PrivilegeList, PassedInAccountName, PassedInNTDomain, LogonTypeName, StatusDesc, SubStatusDesc, RelatedRowSet \\n;\\nlet UserSigninToSystems = AllEvents\\n| where EventID == 4624\\n| project-away StatusDesc, SubStatusDesc, PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserSigninToSystems\u0027 ;\\nlet UserFailedSigninToSystems = AllEvents\\n| where EventID == 4625\\n| project-away PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserFailedSigninToSystems\u0027 ;\\nlet UserSigninDuringAbnormalHours = AllEvents\\n| where StartTime between (ago(14d)..ago(2d))\\n| where EventID in (4624,4625)\\n| where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n| summarize max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek) by TargetUserName\\n| join kind= inner\\n(\\n AllEvents\\n | where StartTime \u003e ago(2d)\\n | where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n)\\non TargetUserName\\n| where HourOfLogin \u003e max_HourOfLogin or HourOfLogin \u003c min_HourOfLogin\\n| extend historical_DayofWeek = tostring(historical_DayofWeek)\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), current_DayofWeek =make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName, StatusDesc, SubStatusDesc, historical_DayofWeek\\n| extend historical_DayofWeek = todynamic(historical_DayofWeek) \\n| extend RelatedRowSet = \u0027UserSigninDuringAbnormalHour\u0027; \\nlet UserHadPrivilegedLogonSessions = AllEvents\\n| where EventID == 4672\\n| where PrivilegeList contains \u0027SeDebugPrivilege\u0027\\n| project-away StatusDesc, SubStatusDesc\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, PrivilegeList\\n// Notice! summarize removes the TimeGenerated field, which is required for Activities.\\n| extend RelatedRowSet = \u0027UserHadPrivilegedLogonSessions\u0027 ;\\nunion isfuzzy=true AllEvents, UserSigninToSystems, UserFailedSigninToSystems, UserSigninDuringAbnormalHours, UserHadPrivilegedLogonSessions\\n};\\n// change {{Account_Name}} value below to the username you are interested in and {{Account_NTDomain}} to the domain of the user you are interested in\\nGetAllLogonsForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027) \\n| where RelatedRowSet == \u0027AllEvents\u0027 and EventID ==4624 and LogonTypeName == \u00273 - Network\u0027 | extend TimeGenerated=StartTime \\n| project Computer, WorkstationName, LogonTypeName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/8a302bfc-00e3-43b3-a516-102fd0cb0dbc\",\"name\":\"8a302bfc-00e3-43b3-a516-102fd0cb0dbc\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Remote interactive log-ins to a host\",\"content\":\"The user {{Account_Name}} logged on to host {{Computer}} {{Count}} time(s)\",\"description\":\"This activity lists the user\u0027s remote interactive log-ins, grouped by Host.\",\"queryDefinitions\":{\"query\":\"let GetAllLogonsForUser = (v_Account_Name:string, v_Account_NTDomain:string){\\nlet AllEvents = SecurityEvent\\n| extend p_Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nv_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nv_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\nv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\nv_Account_Name\\n)\\n| extend p_Account_NTDomain = case(\\nv_Account_NTDomain has \u0027\\\\\\\\\u0027, tostring(split(v_Account_NTDomain, \u0027\\\\\\\\\u0027)[0]), \\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nv_Account_NTDomain has \u0027@\u0027, tostring(split(tostring(split(v_Account_NTDomain, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nv_Account_NTDomain\\n)\\n| where EventID in (4624, 4625, 4672)\\n| where AccountType =~ \u0027User\u0027\\n| where TargetUserName =~ p_Account_Name and TargetDomainName =~ p_Account_NTDomain\\n| extend PassedInAccountName = p_Account_Name, PassedInNTDomain = p_Account_NTDomain, RelatedRowSet = \u0027AllEvents\u0027\\n| extend HourOfLogin = hourofday(TimeGenerated), DayNumberofWeek = dayofweek(TimeGenerated)\\n| extend DayofWeek = case(\\nDayNumberofWeek == \\\"00:00:00\\\", \\\"Sunday\\\", \\nDayNumberofWeek == \\\"1.00:00:00\\\", \\\"Monday\\\", \\nDayNumberofWeek == \\\"2.00:00:00\\\", \\\"Tuesday\\\", \\nDayNumberofWeek == \\\"3.00:00:00\\\", \\\"Wednesday\\\", \\nDayNumberofWeek == \\\"4.00:00:00\\\", \\\"Thursday\\\", \\nDayNumberofWeek == \\\"5.00:00:00\\\", \\\"Friday\\\", \\nDayNumberofWeek == \\\"6.00:00:00\\\", \\\"Saturday\\\",\\\"InvalidTimeStamp\\\")\\n// map the most common ntstatus codes\\n| extend StatusDesc = case(\\nStatus =~ \\\"0x80090302\\\", \\\"SEC_E_UNSUPPORTED_FUNCTION\\\",\\nStatus =~ \\\"0x80090308\\\", \\\"SEC_E_INVALID_TOKEN\\\",\\nStatus =~ \\\"0x8009030E\\\", \\\"SEC_E_NO_CREDENTIALS\\\",\\nStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nStatus =~ \\\"0xC0000017\\\", \\\"STATUS_NO_MEMORY\\\",\\nStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nStatus =~ \\\"0xC0000034\\\", \\\"STATUS_OBJECT_NAME_NOT_FOUND\\\",\\nStatus =~ \\\"0xC000005E\\\", \\\"STATUS_NO_LOGON_SERVERS\\\",\\nStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nStatus =~ \\\"0xC00000FE\\\", \\\"STATUS_NO_SUCH_PACKAGE\\\",\\nStatus =~ \\\"0xC000009A\\\", \\\"STATUS_INSUFFICIENT_RESOURCES\\\",\\nStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nStatus =~ \\\"0xC0000106\\\", \\\"STATUS_NAME_TOO_LONG\\\",\\nStatus =~ \\\"0xC000010B\\\", \\\"STATUS_INVALID_LOGON_TYPE\\\",\\nStatus =~ \\\"0xC000015B\\\", \\\"STATUS_LOGON_TYPE_NOT_GRANTED\\\",\\nStatus =~ \\\"0xC000018B\\\", \\\"STATUS_NO_TRUST_SAM_ACCOUNT\\\",\\nStatus =~ \\\"0xC0000224\\\", \\\"STATUS_PASSWORD_MUST_CHANGE\\\",\\nStatus =~ \\\"0xC0000234\\\", \\\"STATUS_ACCOUNT_LOCKED_OUT\\\",\\nStatus =~ \\\"0xC00002EE\\\", \\\"STATUS_UNFINISHED_CONTEXT_DELETED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| extend SubStatusDesc = case(\\nSubStatus =~ \\\"0x80090325\\\", \\\"SEC_E_UNTRUSTED_ROOT\\\",\\nSubStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nSubStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nSubStatus =~ \\\"0xC0000064\\\", \\\"STATUS_NO_SUCH_USER\\\",\\nSubStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nSubStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nSubStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nSubStatus =~ \\\"0xC000006F\\\", \\\"STATUS_INVALID_LOGON_HOURS\\\",\\nSubStatus =~ \\\"0xC0000070\\\", \\\"STATUS_INVALID_WORKSTATION\\\",\\nSubStatus =~ \\\"0xC0000071\\\", \\\"STATUS_PASSWORD_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000072\\\", \\\"STATUS_ACCOUNT_DISABLED\\\",\\nSubStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nSubStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nSubStatus =~ \\\"0xC0000133\\\", \\\"STATUS_TIME_DIFFERENCE_AT_DC\\\",\\nSubStatus =~ \\\"0xC000018D\\\", \\\"STATUS_TRUSTED_RELATIONSHIP_FAILURE\\\",\\nSubStatus =~ \\\"0xC0000193\\\", \\\"STATUS_ACCOUNT_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000380\\\", \\\"STATUS_SMARTCARD_WRONG_PIN\\\",\\nSubStatus =~ \\\"0xC0000381\\\", \\\"STATUS_SMARTCARD_CARD_BLOCKED\\\",\\nSubStatus =~ \\\"0xC0000382\\\", \\\"STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED\\\",\\nSubStatus =~ \\\"0xC0000383\\\", \\\"STATUS_SMARTCARD_NO_CARD\\\",\\nSubStatus =~ \\\"0xC0000384\\\", \\\"STATUS_SMARTCARD_NO_KEY_CONTAINER\\\",\\nSubStatus =~ \\\"0xC0000385\\\", \\\"STATUS_SMARTCARD_NO_CERTIFICATE\\\",\\nSubStatus =~ \\\"0xC0000386\\\", \\\"STATUS_SMARTCARD_NO_KEYSET\\\",\\nSubStatus =~ \\\"0xC0000387\\\", \\\"STATUS_SMARTCARD_IO_ERROR\\\",\\nSubStatus =~ \\\"0xC0000388\\\", \\\"STATUS_DOWNGRADE_DETECTED\\\",\\nSubStatus =~ \\\"0xC0000389\\\", \\\"STATUS_SMARTCARD_CERT_REVOKED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| project StartTime = TimeGenerated, DayofWeek, HourOfLogin, EventID, Activity, IpAddress, WorkstationName, Computer, TargetUserName, TargetDomainName, ProcessName, SubjectUserName, PrivilegeList, PassedInAccountName, PassedInNTDomain, LogonTypeName, StatusDesc, SubStatusDesc, RelatedRowSet \\n;\\nlet UserSigninToSystems = AllEvents\\n| where EventID == 4624\\n| project-away StatusDesc, SubStatusDesc, PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserSigninToSystems\u0027 ;\\nlet UserFailedSigninToSystems = AllEvents\\n| where EventID == 4625\\n| project-away PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserFailedSigninToSystems\u0027 ;\\nlet UserSigninDuringAbnormalHours = AllEvents\\n| where StartTime between (ago(14d)..ago(2d))\\n| where EventID in (4624,4625)\\n| where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n| summarize max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek) by TargetUserName\\n| join kind= inner\\n(\\n AllEvents\\n | where StartTime \u003e ago(2d)\\n | where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n)\\non TargetUserName\\n| where HourOfLogin \u003e max_HourOfLogin or HourOfLogin \u003c min_HourOfLogin\\n| extend historical_DayofWeek = tostring(historical_DayofWeek)\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), current_DayofWeek =make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName, StatusDesc, SubStatusDesc, historical_DayofWeek\\n| extend historical_DayofWeek = todynamic(historical_DayofWeek) \\n| extend RelatedRowSet = \u0027UserSigninDuringAbnormalHour\u0027; \\nlet UserHadPrivilegedLogonSessions = AllEvents\\n| where EventID == 4672\\n| where PrivilegeList contains \u0027SeDebugPrivilege\u0027\\n| project-away StatusDesc, SubStatusDesc\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, PrivilegeList\\n// Notice! summarize removes the TimeGenerated field, which is required for Activities.\\n| extend RelatedRowSet = \u0027UserHadPrivilegedLogonSessions\u0027 ;\\nunion isfuzzy=true AllEvents, UserSigninToSystems, UserFailedSigninToSystems, UserSigninDuringAbnormalHours, UserHadPrivilegedLogonSessions\\n};\\n// change {{Account_Name}} value below to the username you are interested in and {{Account_NTDomain}} to the domain of the user you are interested in\\nGetAllLogonsForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027) \\n| where RelatedRowSet == \u0027AllEvents\u0027 and EventID ==4624 and LogonTypeName == \u002710 - RemoteInteractive\u0027| extend TimeGenerated=StartTime \\n| project Computer, WorkstationName, LogonTypeName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/ec87b066-17ad-4f9b-97c2-c2f2ee2d99e0\",\"name\":\"ec87b066-17ad-4f9b-97c2-c2f2ee2d99e0\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"New credentials log-ins to a host\",\"content\":\"The user {{Account_Name}} logged on to host {{Computer}} {{Count}} time(s)\",\"description\":\"This activity lists the user\u0027s log-ins with new credentials, grouped by Host.\",\"queryDefinitions\":{\"query\":\"let GetAllLogonsForUser = (v_Account_Name:string, v_Account_NTDomain:string){\\nlet AllEvents = SecurityEvent\\n| extend p_Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nv_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nv_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\nv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\nv_Account_Name\\n)\\n| extend p_Account_NTDomain = case(\\nv_Account_NTDomain has \u0027\\\\\\\\\u0027, tostring(split(v_Account_NTDomain, \u0027\\\\\\\\\u0027)[0]), \\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nv_Account_NTDomain has \u0027@\u0027, tostring(split(tostring(split(v_Account_NTDomain, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nv_Account_NTDomain\\n)\\n| where EventID in (4624, 4625, 4672)\\n| where AccountType =~ \u0027User\u0027\\n| where TargetUserName =~ p_Account_Name and TargetDomainName =~ p_Account_NTDomain\\n| extend PassedInAccountName = p_Account_Name, PassedInNTDomain = p_Account_NTDomain, RelatedRowSet = \u0027AllEvents\u0027\\n| extend HourOfLogin = hourofday(TimeGenerated), DayNumberofWeek = dayofweek(TimeGenerated)\\n| extend DayofWeek = case(\\nDayNumberofWeek == \\\"00:00:00\\\", \\\"Sunday\\\", \\nDayNumberofWeek == \\\"1.00:00:00\\\", \\\"Monday\\\", \\nDayNumberofWeek == \\\"2.00:00:00\\\", \\\"Tuesday\\\", \\nDayNumberofWeek == \\\"3.00:00:00\\\", \\\"Wednesday\\\", \\nDayNumberofWeek == \\\"4.00:00:00\\\", \\\"Thursday\\\", \\nDayNumberofWeek == \\\"5.00:00:00\\\", \\\"Friday\\\", \\nDayNumberofWeek == \\\"6.00:00:00\\\", \\\"Saturday\\\",\\\"InvalidTimeStamp\\\")\\n// map the most common ntstatus codes\\n| extend StatusDesc = case(\\nStatus =~ \\\"0x80090302\\\", \\\"SEC_E_UNSUPPORTED_FUNCTION\\\",\\nStatus =~ \\\"0x80090308\\\", \\\"SEC_E_INVALID_TOKEN\\\",\\nStatus =~ \\\"0x8009030E\\\", \\\"SEC_E_NO_CREDENTIALS\\\",\\nStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nStatus =~ \\\"0xC0000017\\\", \\\"STATUS_NO_MEMORY\\\",\\nStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nStatus =~ \\\"0xC0000034\\\", \\\"STATUS_OBJECT_NAME_NOT_FOUND\\\",\\nStatus =~ \\\"0xC000005E\\\", \\\"STATUS_NO_LOGON_SERVERS\\\",\\nStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nStatus =~ \\\"0xC00000FE\\\", \\\"STATUS_NO_SUCH_PACKAGE\\\",\\nStatus =~ \\\"0xC000009A\\\", \\\"STATUS_INSUFFICIENT_RESOURCES\\\",\\nStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nStatus =~ \\\"0xC0000106\\\", \\\"STATUS_NAME_TOO_LONG\\\",\\nStatus =~ \\\"0xC000010B\\\", \\\"STATUS_INVALID_LOGON_TYPE\\\",\\nStatus =~ \\\"0xC000015B\\\", \\\"STATUS_LOGON_TYPE_NOT_GRANTED\\\",\\nStatus =~ \\\"0xC000018B\\\", \\\"STATUS_NO_TRUST_SAM_ACCOUNT\\\",\\nStatus =~ \\\"0xC0000224\\\", \\\"STATUS_PASSWORD_MUST_CHANGE\\\",\\nStatus =~ \\\"0xC0000234\\\", \\\"STATUS_ACCOUNT_LOCKED_OUT\\\",\\nStatus =~ \\\"0xC00002EE\\\", \\\"STATUS_UNFINISHED_CONTEXT_DELETED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| extend SubStatusDesc = case(\\nSubStatus =~ \\\"0x80090325\\\", \\\"SEC_E_UNTRUSTED_ROOT\\\",\\nSubStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nSubStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nSubStatus =~ \\\"0xC0000064\\\", \\\"STATUS_NO_SUCH_USER\\\",\\nSubStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nSubStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nSubStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nSubStatus =~ \\\"0xC000006F\\\", \\\"STATUS_INVALID_LOGON_HOURS\\\",\\nSubStatus =~ \\\"0xC0000070\\\", \\\"STATUS_INVALID_WORKSTATION\\\",\\nSubStatus =~ \\\"0xC0000071\\\", \\\"STATUS_PASSWORD_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000072\\\", \\\"STATUS_ACCOUNT_DISABLED\\\",\\nSubStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nSubStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nSubStatus =~ \\\"0xC0000133\\\", \\\"STATUS_TIME_DIFFERENCE_AT_DC\\\",\\nSubStatus =~ \\\"0xC000018D\\\", \\\"STATUS_TRUSTED_RELATIONSHIP_FAILURE\\\",\\nSubStatus =~ \\\"0xC0000193\\\", \\\"STATUS_ACCOUNT_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000380\\\", \\\"STATUS_SMARTCARD_WRONG_PIN\\\",\\nSubStatus =~ \\\"0xC0000381\\\", \\\"STATUS_SMARTCARD_CARD_BLOCKED\\\",\\nSubStatus =~ \\\"0xC0000382\\\", \\\"STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED\\\",\\nSubStatus =~ \\\"0xC0000383\\\", \\\"STATUS_SMARTCARD_NO_CARD\\\",\\nSubStatus =~ \\\"0xC0000384\\\", \\\"STATUS_SMARTCARD_NO_KEY_CONTAINER\\\",\\nSubStatus =~ \\\"0xC0000385\\\", \\\"STATUS_SMARTCARD_NO_CERTIFICATE\\\",\\nSubStatus =~ \\\"0xC0000386\\\", \\\"STATUS_SMARTCARD_NO_KEYSET\\\",\\nSubStatus =~ \\\"0xC0000387\\\", \\\"STATUS_SMARTCARD_IO_ERROR\\\",\\nSubStatus =~ \\\"0xC0000388\\\", \\\"STATUS_DOWNGRADE_DETECTED\\\",\\nSubStatus =~ \\\"0xC0000389\\\", \\\"STATUS_SMARTCARD_CERT_REVOKED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| project StartTime = TimeGenerated, DayofWeek, HourOfLogin, EventID, Activity, IpAddress, WorkstationName, Computer, TargetUserName, TargetDomainName, ProcessName, SubjectUserName, PrivilegeList, PassedInAccountName, PassedInNTDomain, LogonTypeName, StatusDesc, SubStatusDesc, RelatedRowSet \\n;\\nlet UserSigninToSystems = AllEvents\\n| where EventID == 4624\\n| project-away StatusDesc, SubStatusDesc, PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserSigninToSystems\u0027 ;\\nlet UserFailedSigninToSystems = AllEvents\\n| where EventID == 4625\\n| project-away PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserFailedSigninToSystems\u0027 ;\\nlet UserSigninDuringAbnormalHours = AllEvents\\n| where StartTime between (ago(14d)..ago(2d))\\n| where EventID in (4624,4625)\\n| where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n| summarize max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek) by TargetUserName\\n| join kind= inner\\n(\\n AllEvents\\n | where StartTime \u003e ago(2d)\\n | where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n)\\non TargetUserName\\n| where HourOfLogin \u003e max_HourOfLogin or HourOfLogin \u003c min_HourOfLogin\\n| extend historical_DayofWeek = tostring(historical_DayofWeek)\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), current_DayofWeek =make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName, StatusDesc, SubStatusDesc, historical_DayofWeek\\n| extend historical_DayofWeek = todynamic(historical_DayofWeek) \\n| extend RelatedRowSet = \u0027UserSigninDuringAbnormalHour\u0027; \\nlet UserHadPrivilegedLogonSessions = AllEvents\\n| where EventID == 4672\\n| where PrivilegeList contains \u0027SeDebugPrivilege\u0027\\n| project-away StatusDesc, SubStatusDesc\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, PrivilegeList\\n// Notice! summarize removes the TimeGenerated field, which is required for Activities.\\n| extend RelatedRowSet = \u0027UserHadPrivilegedLogonSessions\u0027 ;\\nunion isfuzzy=true AllEvents, UserSigninToSystems, UserFailedSigninToSystems, UserSigninDuringAbnormalHours, UserHadPrivilegedLogonSessions\\n};\\n// change {{Account_Name}} value below to the username you are interested in and {{Account_NTDomain}} to the domain of the user you are interested in\\nGetAllLogonsForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027) \\n| where RelatedRowSet == \u0027AllEvents\u0027 and EventID ==4624 and LogonTypeName == \u00279 - NewCredentials\u0027| extend TimeGenerated=StartTime \\n| project Computer, WorkstationName, LogonTypeName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/e1c4c03c-2b40-47cf-9b8c-49e0a37a6da6\",\"name\":\"e1c4c03c-2b40-47cf-9b8c-49e0a37a6da6\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Privileged log-ins to a host\",\"content\":\"The user {{Account_Name}} logged on to host {{Computer}} {{Count}} time(s)\",\"description\":\"This activity lists the user\u0027s privileged log-ins, grouped by Host.\",\"queryDefinitions\":{\"query\":\"let GetAllLogonsForUser = (v_Account_Name:string, v_Account_NTDomain:string){\\nlet AllEvents = SecurityEvent\\n| extend p_Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nv_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nv_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\nv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\nv_Account_Name\\n)\\n| extend p_Account_NTDomain = case(\\nv_Account_NTDomain has \u0027\\\\\\\\\u0027, tostring(split(v_Account_NTDomain, \u0027\\\\\\\\\u0027)[0]), \\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nv_Account_NTDomain has \u0027@\u0027, tostring(split(tostring(split(v_Account_NTDomain, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nv_Account_NTDomain\\n)\\n| where EventID in (4624, 4625, 4672)\\n| where AccountType =~ \u0027User\u0027\\n| where TargetUserName =~ p_Account_Name and TargetDomainName =~ p_Account_NTDomain\\n| extend PassedInAccountName = p_Account_Name, PassedInNTDomain = p_Account_NTDomain, RelatedRowSet = \u0027AllEvents\u0027\\n| extend HourOfLogin = hourofday(TimeGenerated), DayNumberofWeek = dayofweek(TimeGenerated)\\n| extend DayofWeek = case(\\nDayNumberofWeek == \\\"00:00:00\\\", \\\"Sunday\\\", \\nDayNumberofWeek == \\\"1.00:00:00\\\", \\\"Monday\\\", \\nDayNumberofWeek == \\\"2.00:00:00\\\", \\\"Tuesday\\\", \\nDayNumberofWeek == \\\"3.00:00:00\\\", \\\"Wednesday\\\", \\nDayNumberofWeek == \\\"4.00:00:00\\\", \\\"Thursday\\\", \\nDayNumberofWeek == \\\"5.00:00:00\\\", \\\"Friday\\\", \\nDayNumberofWeek == \\\"6.00:00:00\\\", \\\"Saturday\\\",\\\"InvalidTimeStamp\\\")\\n// map the most common ntstatus codes\\n| extend StatusDesc = case(\\nStatus =~ \\\"0x80090302\\\", \\\"SEC_E_UNSUPPORTED_FUNCTION\\\",\\nStatus =~ \\\"0x80090308\\\", \\\"SEC_E_INVALID_TOKEN\\\",\\nStatus =~ \\\"0x8009030E\\\", \\\"SEC_E_NO_CREDENTIALS\\\",\\nStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nStatus =~ \\\"0xC0000017\\\", \\\"STATUS_NO_MEMORY\\\",\\nStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nStatus =~ \\\"0xC0000034\\\", \\\"STATUS_OBJECT_NAME_NOT_FOUND\\\",\\nStatus =~ \\\"0xC000005E\\\", \\\"STATUS_NO_LOGON_SERVERS\\\",\\nStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nStatus =~ \\\"0xC00000FE\\\", \\\"STATUS_NO_SUCH_PACKAGE\\\",\\nStatus =~ \\\"0xC000009A\\\", \\\"STATUS_INSUFFICIENT_RESOURCES\\\",\\nStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nStatus =~ \\\"0xC0000106\\\", \\\"STATUS_NAME_TOO_LONG\\\",\\nStatus =~ \\\"0xC000010B\\\", \\\"STATUS_INVALID_LOGON_TYPE\\\",\\nStatus =~ \\\"0xC000015B\\\", \\\"STATUS_LOGON_TYPE_NOT_GRANTED\\\",\\nStatus =~ \\\"0xC000018B\\\", \\\"STATUS_NO_TRUST_SAM_ACCOUNT\\\",\\nStatus =~ \\\"0xC0000224\\\", \\\"STATUS_PASSWORD_MUST_CHANGE\\\",\\nStatus =~ \\\"0xC0000234\\\", \\\"STATUS_ACCOUNT_LOCKED_OUT\\\",\\nStatus =~ \\\"0xC00002EE\\\", \\\"STATUS_UNFINISHED_CONTEXT_DELETED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| extend SubStatusDesc = case(\\nSubStatus =~ \\\"0x80090325\\\", \\\"SEC_E_UNTRUSTED_ROOT\\\",\\nSubStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nSubStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nSubStatus =~ \\\"0xC0000064\\\", \\\"STATUS_NO_SUCH_USER\\\",\\nSubStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nSubStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nSubStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nSubStatus =~ \\\"0xC000006F\\\", \\\"STATUS_INVALID_LOGON_HOURS\\\",\\nSubStatus =~ \\\"0xC0000070\\\", \\\"STATUS_INVALID_WORKSTATION\\\",\\nSubStatus =~ \\\"0xC0000071\\\", \\\"STATUS_PASSWORD_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000072\\\", \\\"STATUS_ACCOUNT_DISABLED\\\",\\nSubStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nSubStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nSubStatus =~ \\\"0xC0000133\\\", \\\"STATUS_TIME_DIFFERENCE_AT_DC\\\",\\nSubStatus =~ \\\"0xC000018D\\\", \\\"STATUS_TRUSTED_RELATIONSHIP_FAILURE\\\",\\nSubStatus =~ \\\"0xC0000193\\\", \\\"STATUS_ACCOUNT_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000380\\\", \\\"STATUS_SMARTCARD_WRONG_PIN\\\",\\nSubStatus =~ \\\"0xC0000381\\\", \\\"STATUS_SMARTCARD_CARD_BLOCKED\\\",\\nSubStatus =~ \\\"0xC0000382\\\", \\\"STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED\\\",\\nSubStatus =~ \\\"0xC0000383\\\", \\\"STATUS_SMARTCARD_NO_CARD\\\",\\nSubStatus =~ \\\"0xC0000384\\\", \\\"STATUS_SMARTCARD_NO_KEY_CONTAINER\\\",\\nSubStatus =~ \\\"0xC0000385\\\", \\\"STATUS_SMARTCARD_NO_CERTIFICATE\\\",\\nSubStatus =~ \\\"0xC0000386\\\", \\\"STATUS_SMARTCARD_NO_KEYSET\\\",\\nSubStatus =~ \\\"0xC0000387\\\", \\\"STATUS_SMARTCARD_IO_ERROR\\\",\\nSubStatus =~ \\\"0xC0000388\\\", \\\"STATUS_DOWNGRADE_DETECTED\\\",\\nSubStatus =~ \\\"0xC0000389\\\", \\\"STATUS_SMARTCARD_CERT_REVOKED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| project StartTime = TimeGenerated, DayofWeek, HourOfLogin, EventID, Activity, IpAddress, WorkstationName, Computer, TargetUserName, TargetDomainName, ProcessName, SubjectUserName, PrivilegeList, PassedInAccountName, PassedInNTDomain, LogonTypeName, StatusDesc, SubStatusDesc, RelatedRowSet \\n;\\nlet UserSigninToSystems = AllEvents\\n| where EventID == 4624\\n| project-away StatusDesc, SubStatusDesc, PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserSigninToSystems\u0027 ;\\nlet UserFailedSigninToSystems = AllEvents\\n| where EventID == 4625\\n| project-away PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserFailedSigninToSystems\u0027 ;\\nlet UserSigninDuringAbnormalHours = AllEvents\\n| where StartTime between (ago(14d)..ago(2d))\\n| where EventID in (4624,4625)\\n| where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n| summarize max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek) by TargetUserName\\n| join kind= inner\\n(\\n AllEvents\\n | where StartTime \u003e ago(2d)\\n | where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n)\\non TargetUserName\\n| where HourOfLogin \u003e max_HourOfLogin or HourOfLogin \u003c min_HourOfLogin\\n| extend historical_DayofWeek = tostring(historical_DayofWeek)\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), current_DayofWeek =make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName, StatusDesc, SubStatusDesc, historical_DayofWeek\\n| extend historical_DayofWeek = todynamic(historical_DayofWeek) \\n| extend RelatedRowSet = \u0027UserSigninDuringAbnormalHour\u0027; \\nlet UserHadPrivilegedLogonSessions = AllEvents\\n| where EventID == 4672\\n| where PrivilegeList contains \u0027SeDebugPrivilege\u0027\\n| project-away StatusDesc, SubStatusDesc\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, PrivilegeList\\n// Notice! summarize removes the TimeGenerated field, which is required for Activities.\\n| extend RelatedRowSet = \u0027UserHadPrivilegedLogonSessions\u0027 ;\\nunion isfuzzy=true AllEvents, UserSigninToSystems, UserFailedSigninToSystems, UserSigninDuringAbnormalHours, UserHadPrivilegedLogonSessions\\n};\\n// change {{Account_Name}} value below to the username you are interested in and {{Account_NTDomain}} to the domain of the user you are interested in\\nGetAllLogonsForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027) \\n| where RelatedRowSet == \u0027AllEvents\u0027 and EventID == 4672 | extend TimeGenerated=StartTime \\n| project Computer, WorkstationName, LogonTypeName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/a6fc3ad9-1a61-41f5-a5e2-bd1f5a6fe44d\",\"name\":\"a6fc3ad9-1a61-41f5-a5e2-bd1f5a6fe44d\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Failed interactive log-ins to a host\",\"content\":\"The user {{Account_Name}} logged on to host {{Computer}} {{Count}} time(s)\",\"description\":\"This activity lists the user\u0027s failed interactive log-ins grouped by Host.\",\"queryDefinitions\":{\"query\":\"let GetAllLogonsForUser = (v_Account_Name:string, v_Account_NTDomain:string){\\nlet AllEvents = SecurityEvent\\n| extend p_Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nv_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nv_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\nv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\nv_Account_Name\\n)\\n| extend p_Account_NTDomain = case(\\nv_Account_NTDomain has \u0027\\\\\\\\\u0027, tostring(split(v_Account_NTDomain, \u0027\\\\\\\\\u0027)[0]), \\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nv_Account_NTDomain has \u0027@\u0027, tostring(split(tostring(split(v_Account_NTDomain, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nv_Account_NTDomain\\n)\\n| where EventID in (4624, 4625, 4672)\\n| where AccountType =~ \u0027User\u0027\\n| where TargetUserName =~ p_Account_Name and TargetDomainName =~ p_Account_NTDomain\\n| extend PassedInAccountName = p_Account_Name, PassedInNTDomain = p_Account_NTDomain, RelatedRowSet = \u0027AllEvents\u0027\\n| extend HourOfLogin = hourofday(TimeGenerated), DayNumberofWeek = dayofweek(TimeGenerated)\\n| extend DayofWeek = case(\\nDayNumberofWeek == \\\"00:00:00\\\", \\\"Sunday\\\", \\nDayNumberofWeek == \\\"1.00:00:00\\\", \\\"Monday\\\", \\nDayNumberofWeek == \\\"2.00:00:00\\\", \\\"Tuesday\\\", \\nDayNumberofWeek == \\\"3.00:00:00\\\", \\\"Wednesday\\\", \\nDayNumberofWeek == \\\"4.00:00:00\\\", \\\"Thursday\\\", \\nDayNumberofWeek == \\\"5.00:00:00\\\", \\\"Friday\\\", \\nDayNumberofWeek == \\\"6.00:00:00\\\", \\\"Saturday\\\",\\\"InvalidTimeStamp\\\")\\n// map the most common ntstatus codes\\n| extend StatusDesc = case(\\nStatus =~ \\\"0x80090302\\\", \\\"SEC_E_UNSUPPORTED_FUNCTION\\\",\\nStatus =~ \\\"0x80090308\\\", \\\"SEC_E_INVALID_TOKEN\\\",\\nStatus =~ \\\"0x8009030E\\\", \\\"SEC_E_NO_CREDENTIALS\\\",\\nStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nStatus =~ \\\"0xC0000017\\\", \\\"STATUS_NO_MEMORY\\\",\\nStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nStatus =~ \\\"0xC0000034\\\", \\\"STATUS_OBJECT_NAME_NOT_FOUND\\\",\\nStatus =~ \\\"0xC000005E\\\", \\\"STATUS_NO_LOGON_SERVERS\\\",\\nStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nStatus =~ \\\"0xC00000FE\\\", \\\"STATUS_NO_SUCH_PACKAGE\\\",\\nStatus =~ \\\"0xC000009A\\\", \\\"STATUS_INSUFFICIENT_RESOURCES\\\",\\nStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nStatus =~ \\\"0xC0000106\\\", \\\"STATUS_NAME_TOO_LONG\\\",\\nStatus =~ \\\"0xC000010B\\\", \\\"STATUS_INVALID_LOGON_TYPE\\\",\\nStatus =~ \\\"0xC000015B\\\", \\\"STATUS_LOGON_TYPE_NOT_GRANTED\\\",\\nStatus =~ \\\"0xC000018B\\\", \\\"STATUS_NO_TRUST_SAM_ACCOUNT\\\",\\nStatus =~ \\\"0xC0000224\\\", \\\"STATUS_PASSWORD_MUST_CHANGE\\\",\\nStatus =~ \\\"0xC0000234\\\", \\\"STATUS_ACCOUNT_LOCKED_OUT\\\",\\nStatus =~ \\\"0xC00002EE\\\", \\\"STATUS_UNFINISHED_CONTEXT_DELETED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| extend SubStatusDesc = case(\\nSubStatus =~ \\\"0x80090325\\\", \\\"SEC_E_UNTRUSTED_ROOT\\\",\\nSubStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nSubStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nSubStatus =~ \\\"0xC0000064\\\", \\\"STATUS_NO_SUCH_USER\\\",\\nSubStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nSubStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nSubStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nSubStatus =~ \\\"0xC000006F\\\", \\\"STATUS_INVALID_LOGON_HOURS\\\",\\nSubStatus =~ \\\"0xC0000070\\\", \\\"STATUS_INVALID_WORKSTATION\\\",\\nSubStatus =~ \\\"0xC0000071\\\", \\\"STATUS_PASSWORD_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000072\\\", \\\"STATUS_ACCOUNT_DISABLED\\\",\\nSubStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nSubStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nSubStatus =~ \\\"0xC0000133\\\", \\\"STATUS_TIME_DIFFERENCE_AT_DC\\\",\\nSubStatus =~ \\\"0xC000018D\\\", \\\"STATUS_TRUSTED_RELATIONSHIP_FAILURE\\\",\\nSubStatus =~ \\\"0xC0000193\\\", \\\"STATUS_ACCOUNT_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000380\\\", \\\"STATUS_SMARTCARD_WRONG_PIN\\\",\\nSubStatus =~ \\\"0xC0000381\\\", \\\"STATUS_SMARTCARD_CARD_BLOCKED\\\",\\nSubStatus =~ \\\"0xC0000382\\\", \\\"STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED\\\",\\nSubStatus =~ \\\"0xC0000383\\\", \\\"STATUS_SMARTCARD_NO_CARD\\\",\\nSubStatus =~ \\\"0xC0000384\\\", \\\"STATUS_SMARTCARD_NO_KEY_CONTAINER\\\",\\nSubStatus =~ \\\"0xC0000385\\\", \\\"STATUS_SMARTCARD_NO_CERTIFICATE\\\",\\nSubStatus =~ \\\"0xC0000386\\\", \\\"STATUS_SMARTCARD_NO_KEYSET\\\",\\nSubStatus =~ \\\"0xC0000387\\\", \\\"STATUS_SMARTCARD_IO_ERROR\\\",\\nSubStatus =~ \\\"0xC0000388\\\", \\\"STATUS_DOWNGRADE_DETECTED\\\",\\nSubStatus =~ \\\"0xC0000389\\\", \\\"STATUS_SMARTCARD_CERT_REVOKED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| project StartTime = TimeGenerated, DayofWeek, HourOfLogin, EventID, Activity, IpAddress, WorkstationName, Computer, TargetUserName, TargetDomainName, ProcessName, SubjectUserName, PrivilegeList, PassedInAccountName, PassedInNTDomain, LogonTypeName, StatusDesc, SubStatusDesc, RelatedRowSet \\n;\\nlet UserSigninToSystems = AllEvents\\n| where EventID == 4624\\n| project-away StatusDesc, SubStatusDesc, PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserSigninToSystems\u0027 ;\\nlet UserFailedSigninToSystems = AllEvents\\n| where EventID == 4625\\n| project-away PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserFailedSigninToSystems\u0027 ;\\nlet UserSigninDuringAbnormalHours = AllEvents\\n| where StartTime between (ago(14d)..ago(2d))\\n| where EventID in (4624,4625)\\n| where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n| summarize max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek) by TargetUserName\\n| join kind= inner\\n(\\n AllEvents\\n | where StartTime \u003e ago(2d)\\n | where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n)\\non TargetUserName\\n| where HourOfLogin \u003e max_HourOfLogin or HourOfLogin \u003c min_HourOfLogin\\n| extend historical_DayofWeek = tostring(historical_DayofWeek)\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), current_DayofWeek =make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName, StatusDesc, SubStatusDesc, historical_DayofWeek\\n| extend historical_DayofWeek = todynamic(historical_DayofWeek) \\n| extend RelatedRowSet = \u0027UserSigninDuringAbnormalHour\u0027; \\nlet UserHadPrivilegedLogonSessions = AllEvents\\n| where EventID == 4672\\n| where PrivilegeList contains \u0027SeDebugPrivilege\u0027\\n| project-away StatusDesc, SubStatusDesc\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, PrivilegeList\\n// Notice! summarize removes the TimeGenerated field, which is required for Activities.\\n| extend RelatedRowSet = \u0027UserHadPrivilegedLogonSessions\u0027 ;\\nunion isfuzzy=true AllEvents, UserSigninToSystems, UserFailedSigninToSystems, UserSigninDuringAbnormalHours, UserHadPrivilegedLogonSessions\\n};\\n// change {{Account_Name}} value below to the username you are interested in and {{Account_NTDomain}} to the domain of the user you are interested in\\nGetAllLogonsForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027) \\n| where RelatedRowSet =~ \u0027AllEvents\u0027 and EventID == 4625 and LogonTypeName == \u00272 - Interactive\u0027 | extend TimeGenerated=StartTime \\n| project Computer, WorkstationName, LogonTypeName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/11449689-6542-4867-86dc-56264abbd90c\",\"name\":\"11449689-6542-4867-86dc-56264abbd90c\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Failed network log-ins to a host\",\"content\":\"The user {{Account_Name}} logged on to host {{Computer}} {{Count}} time(s)\",\"description\":\"This activity lists the user\u0027s failed network log-ins, grouped by Host.\",\"queryDefinitions\":{\"query\":\"let GetAllLogonsForUser = (v_Account_Name:string, v_Account_NTDomain:string){\\nlet AllEvents = SecurityEvent\\n| extend p_Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nv_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nv_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\nv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\nv_Account_Name\\n)\\n| extend p_Account_NTDomain = case(\\nv_Account_NTDomain has \u0027\\\\\\\\\u0027, tostring(split(v_Account_NTDomain, \u0027\\\\\\\\\u0027)[0]), \\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nv_Account_NTDomain has \u0027@\u0027, tostring(split(tostring(split(v_Account_NTDomain, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nv_Account_NTDomain\\n)\\n| where EventID in (4624, 4625, 4672)\\n| where AccountType =~ \u0027User\u0027\\n| where TargetUserName =~ p_Account_Name and TargetDomainName =~ p_Account_NTDomain\\n| extend PassedInAccountName = p_Account_Name, PassedInNTDomain = p_Account_NTDomain, RelatedRowSet = \u0027AllEvents\u0027\\n| extend HourOfLogin = hourofday(TimeGenerated), DayNumberofWeek = dayofweek(TimeGenerated)\\n| extend DayofWeek = case(\\nDayNumberofWeek == \\\"00:00:00\\\", \\\"Sunday\\\", \\nDayNumberofWeek == \\\"1.00:00:00\\\", \\\"Monday\\\", \\nDayNumberofWeek == \\\"2.00:00:00\\\", \\\"Tuesday\\\", \\nDayNumberofWeek == \\\"3.00:00:00\\\", \\\"Wednesday\\\", \\nDayNumberofWeek == \\\"4.00:00:00\\\", \\\"Thursday\\\", \\nDayNumberofWeek == \\\"5.00:00:00\\\", \\\"Friday\\\", \\nDayNumberofWeek == \\\"6.00:00:00\\\", \\\"Saturday\\\",\\\"InvalidTimeStamp\\\")\\n// map the most common ntstatus codes\\n| extend StatusDesc = case(\\nStatus =~ \\\"0x80090302\\\", \\\"SEC_E_UNSUPPORTED_FUNCTION\\\",\\nStatus =~ \\\"0x80090308\\\", \\\"SEC_E_INVALID_TOKEN\\\",\\nStatus =~ \\\"0x8009030E\\\", \\\"SEC_E_NO_CREDENTIALS\\\",\\nStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nStatus =~ \\\"0xC0000017\\\", \\\"STATUS_NO_MEMORY\\\",\\nStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nStatus =~ \\\"0xC0000034\\\", \\\"STATUS_OBJECT_NAME_NOT_FOUND\\\",\\nStatus =~ \\\"0xC000005E\\\", \\\"STATUS_NO_LOGON_SERVERS\\\",\\nStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nStatus =~ \\\"0xC00000FE\\\", \\\"STATUS_NO_SUCH_PACKAGE\\\",\\nStatus =~ \\\"0xC000009A\\\", \\\"STATUS_INSUFFICIENT_RESOURCES\\\",\\nStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nStatus =~ \\\"0xC0000106\\\", \\\"STATUS_NAME_TOO_LONG\\\",\\nStatus =~ \\\"0xC000010B\\\", \\\"STATUS_INVALID_LOGON_TYPE\\\",\\nStatus =~ \\\"0xC000015B\\\", \\\"STATUS_LOGON_TYPE_NOT_GRANTED\\\",\\nStatus =~ \\\"0xC000018B\\\", \\\"STATUS_NO_TRUST_SAM_ACCOUNT\\\",\\nStatus =~ \\\"0xC0000224\\\", \\\"STATUS_PASSWORD_MUST_CHANGE\\\",\\nStatus =~ \\\"0xC0000234\\\", \\\"STATUS_ACCOUNT_LOCKED_OUT\\\",\\nStatus =~ \\\"0xC00002EE\\\", \\\"STATUS_UNFINISHED_CONTEXT_DELETED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| extend SubStatusDesc = case(\\nSubStatus =~ \\\"0x80090325\\\", \\\"SEC_E_UNTRUSTED_ROOT\\\",\\nSubStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nSubStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nSubStatus =~ \\\"0xC0000064\\\", \\\"STATUS_NO_SUCH_USER\\\",\\nSubStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nSubStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nSubStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nSubStatus =~ \\\"0xC000006F\\\", \\\"STATUS_INVALID_LOGON_HOURS\\\",\\nSubStatus =~ \\\"0xC0000070\\\", \\\"STATUS_INVALID_WORKSTATION\\\",\\nSubStatus =~ \\\"0xC0000071\\\", \\\"STATUS_PASSWORD_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000072\\\", \\\"STATUS_ACCOUNT_DISABLED\\\",\\nSubStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nSubStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nSubStatus =~ \\\"0xC0000133\\\", \\\"STATUS_TIME_DIFFERENCE_AT_DC\\\",\\nSubStatus =~ \\\"0xC000018D\\\", \\\"STATUS_TRUSTED_RELATIONSHIP_FAILURE\\\",\\nSubStatus =~ \\\"0xC0000193\\\", \\\"STATUS_ACCOUNT_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000380\\\", \\\"STATUS_SMARTCARD_WRONG_PIN\\\",\\nSubStatus =~ \\\"0xC0000381\\\", \\\"STATUS_SMARTCARD_CARD_BLOCKED\\\",\\nSubStatus =~ \\\"0xC0000382\\\", \\\"STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED\\\",\\nSubStatus =~ \\\"0xC0000383\\\", \\\"STATUS_SMARTCARD_NO_CARD\\\",\\nSubStatus =~ \\\"0xC0000384\\\", \\\"STATUS_SMARTCARD_NO_KEY_CONTAINER\\\",\\nSubStatus =~ \\\"0xC0000385\\\", \\\"STATUS_SMARTCARD_NO_CERTIFICATE\\\",\\nSubStatus =~ \\\"0xC0000386\\\", \\\"STATUS_SMARTCARD_NO_KEYSET\\\",\\nSubStatus =~ \\\"0xC0000387\\\", \\\"STATUS_SMARTCARD_IO_ERROR\\\",\\nSubStatus =~ \\\"0xC0000388\\\", \\\"STATUS_DOWNGRADE_DETECTED\\\",\\nSubStatus =~ \\\"0xC0000389\\\", \\\"STATUS_SMARTCARD_CERT_REVOKED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| project StartTime = TimeGenerated, DayofWeek, HourOfLogin, EventID, Activity, IpAddress, WorkstationName, Computer, TargetUserName, TargetDomainName, ProcessName, SubjectUserName, PrivilegeList, PassedInAccountName, PassedInNTDomain, LogonTypeName, StatusDesc, SubStatusDesc, RelatedRowSet \\n;\\nlet UserSigninToSystems = AllEvents\\n| where EventID == 4624\\n| project-away StatusDesc, SubStatusDesc, PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserSigninToSystems\u0027 ;\\nlet UserFailedSigninToSystems = AllEvents\\n| where EventID == 4625\\n| project-away PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserFailedSigninToSystems\u0027 ;\\nlet UserSigninDuringAbnormalHours = AllEvents\\n| where StartTime between (ago(14d)..ago(2d))\\n| where EventID in (4624,4625)\\n| where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n| summarize max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek) by TargetUserName\\n| join kind= inner\\n(\\n AllEvents\\n | where StartTime \u003e ago(2d)\\n | where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n)\\non TargetUserName\\n| where HourOfLogin \u003e max_HourOfLogin or HourOfLogin \u003c min_HourOfLogin\\n| extend historical_DayofWeek = tostring(historical_DayofWeek)\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), current_DayofWeek =make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName, StatusDesc, SubStatusDesc, historical_DayofWeek\\n| extend historical_DayofWeek = todynamic(historical_DayofWeek) \\n| extend RelatedRowSet = \u0027UserSigninDuringAbnormalHour\u0027; \\nlet UserHadPrivilegedLogonSessions = AllEvents\\n| where EventID == 4672\\n| where PrivilegeList contains \u0027SeDebugPrivilege\u0027\\n| project-away StatusDesc, SubStatusDesc\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, PrivilegeList\\n// Notice! summarize removes the TimeGenerated field, which is required for Activities.\\n| extend RelatedRowSet = \u0027UserHadPrivilegedLogonSessions\u0027 ;\\nunion isfuzzy=true AllEvents, UserSigninToSystems, UserFailedSigninToSystems, UserSigninDuringAbnormalHours, UserHadPrivilegedLogonSessions\\n};\\n// change {{Account_Name}} value below to the username you are interested in and {{Account_NTDomain}} to the domain of the user you are interested in\\nGetAllLogonsForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027) \\n| where RelatedRowSet =~ \u0027AllEvents\u0027 and EventID == 4625 and LogonTypeName == \u00273 - Network\u0027 | extend TimeGenerated=StartTime \\n| project Computer, WorkstationName, LogonTypeName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/686cf7e8-87c7-4391-8898-25adf1033a54\",\"name\":\"686cf7e8-87c7-4391-8898-25adf1033a54\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Failed remote interactive log-ins to a host\",\"content\":\"The user {{Account_Name}} failed to logged on to host {{Computer}} {{Count}} time(s)\",\"description\":\"This activity lists the user\u0027s failed remote interactive log-ins, grouped by Host.\",\"queryDefinitions\":{\"query\":\"let GetAllLogonsForUser = (v_Account_Name:string, v_Account_NTDomain:string){\\nlet AllEvents = SecurityEvent\\n| extend p_Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nv_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nv_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\nv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\nv_Account_Name\\n)\\n| extend p_Account_NTDomain = case(\\nv_Account_NTDomain has \u0027\\\\\\\\\u0027, tostring(split(v_Account_NTDomain, \u0027\\\\\\\\\u0027)[0]), \\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nv_Account_NTDomain has \u0027@\u0027, tostring(split(tostring(split(v_Account_NTDomain, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nv_Account_NTDomain\\n)\\n| where EventID in (4624, 4625, 4672)\\n| where AccountType =~ \u0027User\u0027\\n| where TargetUserName =~ p_Account_Name and TargetDomainName =~ p_Account_NTDomain\\n| extend PassedInAccountName = p_Account_Name, PassedInNTDomain = p_Account_NTDomain, RelatedRowSet = \u0027AllEvents\u0027\\n| extend HourOfLogin = hourofday(TimeGenerated), DayNumberofWeek = dayofweek(TimeGenerated)\\n| extend DayofWeek = case(\\nDayNumberofWeek == \\\"00:00:00\\\", \\\"Sunday\\\", \\nDayNumberofWeek == \\\"1.00:00:00\\\", \\\"Monday\\\", \\nDayNumberofWeek == \\\"2.00:00:00\\\", \\\"Tuesday\\\", \\nDayNumberofWeek == \\\"3.00:00:00\\\", \\\"Wednesday\\\", \\nDayNumberofWeek == \\\"4.00:00:00\\\", \\\"Thursday\\\", \\nDayNumberofWeek == \\\"5.00:00:00\\\", \\\"Friday\\\", \\nDayNumberofWeek == \\\"6.00:00:00\\\", \\\"Saturday\\\",\\\"InvalidTimeStamp\\\")\\n// map the most common ntstatus codes\\n| extend StatusDesc = case(\\nStatus =~ \\\"0x80090302\\\", \\\"SEC_E_UNSUPPORTED_FUNCTION\\\",\\nStatus =~ \\\"0x80090308\\\", \\\"SEC_E_INVALID_TOKEN\\\",\\nStatus =~ \\\"0x8009030E\\\", \\\"SEC_E_NO_CREDENTIALS\\\",\\nStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nStatus =~ \\\"0xC0000017\\\", \\\"STATUS_NO_MEMORY\\\",\\nStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nStatus =~ \\\"0xC0000034\\\", \\\"STATUS_OBJECT_NAME_NOT_FOUND\\\",\\nStatus =~ \\\"0xC000005E\\\", \\\"STATUS_NO_LOGON_SERVERS\\\",\\nStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nStatus =~ \\\"0xC00000FE\\\", \\\"STATUS_NO_SUCH_PACKAGE\\\",\\nStatus =~ \\\"0xC000009A\\\", \\\"STATUS_INSUFFICIENT_RESOURCES\\\",\\nStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nStatus =~ \\\"0xC0000106\\\", \\\"STATUS_NAME_TOO_LONG\\\",\\nStatus =~ \\\"0xC000010B\\\", \\\"STATUS_INVALID_LOGON_TYPE\\\",\\nStatus =~ \\\"0xC000015B\\\", \\\"STATUS_LOGON_TYPE_NOT_GRANTED\\\",\\nStatus =~ \\\"0xC000018B\\\", \\\"STATUS_NO_TRUST_SAM_ACCOUNT\\\",\\nStatus =~ \\\"0xC0000224\\\", \\\"STATUS_PASSWORD_MUST_CHANGE\\\",\\nStatus =~ \\\"0xC0000234\\\", \\\"STATUS_ACCOUNT_LOCKED_OUT\\\",\\nStatus =~ \\\"0xC00002EE\\\", \\\"STATUS_UNFINISHED_CONTEXT_DELETED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| extend SubStatusDesc = case(\\nSubStatus =~ \\\"0x80090325\\\", \\\"SEC_E_UNTRUSTED_ROOT\\\",\\nSubStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nSubStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nSubStatus =~ \\\"0xC0000064\\\", \\\"STATUS_NO_SUCH_USER\\\",\\nSubStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nSubStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nSubStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nSubStatus =~ \\\"0xC000006F\\\", \\\"STATUS_INVALID_LOGON_HOURS\\\",\\nSubStatus =~ \\\"0xC0000070\\\", \\\"STATUS_INVALID_WORKSTATION\\\",\\nSubStatus =~ \\\"0xC0000071\\\", \\\"STATUS_PASSWORD_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000072\\\", \\\"STATUS_ACCOUNT_DISABLED\\\",\\nSubStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nSubStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nSubStatus =~ \\\"0xC0000133\\\", \\\"STATUS_TIME_DIFFERENCE_AT_DC\\\",\\nSubStatus =~ \\\"0xC000018D\\\", \\\"STATUS_TRUSTED_RELATIONSHIP_FAILURE\\\",\\nSubStatus =~ \\\"0xC0000193\\\", \\\"STATUS_ACCOUNT_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000380\\\", \\\"STATUS_SMARTCARD_WRONG_PIN\\\",\\nSubStatus =~ \\\"0xC0000381\\\", \\\"STATUS_SMARTCARD_CARD_BLOCKED\\\",\\nSubStatus =~ \\\"0xC0000382\\\", \\\"STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED\\\",\\nSubStatus =~ \\\"0xC0000383\\\", \\\"STATUS_SMARTCARD_NO_CARD\\\",\\nSubStatus =~ \\\"0xC0000384\\\", \\\"STATUS_SMARTCARD_NO_KEY_CONTAINER\\\",\\nSubStatus =~ \\\"0xC0000385\\\", \\\"STATUS_SMARTCARD_NO_CERTIFICATE\\\",\\nSubStatus =~ \\\"0xC0000386\\\", \\\"STATUS_SMARTCARD_NO_KEYSET\\\",\\nSubStatus =~ \\\"0xC0000387\\\", \\\"STATUS_SMARTCARD_IO_ERROR\\\",\\nSubStatus =~ \\\"0xC0000388\\\", \\\"STATUS_DOWNGRADE_DETECTED\\\",\\nSubStatus =~ \\\"0xC0000389\\\", \\\"STATUS_SMARTCARD_CERT_REVOKED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| project StartTime = TimeGenerated, DayofWeek, HourOfLogin, EventID, Activity, IpAddress, WorkstationName, Computer, TargetUserName, TargetDomainName, ProcessName, SubjectUserName, PrivilegeList, PassedInAccountName, PassedInNTDomain, LogonTypeName, StatusDesc, SubStatusDesc, RelatedRowSet \\n;\\nlet UserSigninToSystems = AllEvents\\n| where EventID == 4624\\n| project-away StatusDesc, SubStatusDesc, PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserSigninToSystems\u0027 ;\\nlet UserFailedSigninToSystems = AllEvents\\n| where EventID == 4625\\n| project-away PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserFailedSigninToSystems\u0027 ;\\nlet UserSigninDuringAbnormalHours = AllEvents\\n| where StartTime between (ago(14d)..ago(2d))\\n| where EventID in (4624,4625)\\n| where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n| summarize max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek) by TargetUserName\\n| join kind= inner\\n(\\n AllEvents\\n | where StartTime \u003e ago(2d)\\n | where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n)\\non TargetUserName\\n| where HourOfLogin \u003e max_HourOfLogin or HourOfLogin \u003c min_HourOfLogin\\n| extend historical_DayofWeek = tostring(historical_DayofWeek)\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), current_DayofWeek =make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName, StatusDesc, SubStatusDesc, historical_DayofWeek\\n| extend historical_DayofWeek = todynamic(historical_DayofWeek) \\n| extend RelatedRowSet = \u0027UserSigninDuringAbnormalHour\u0027; \\nlet UserHadPrivilegedLogonSessions = AllEvents\\n| where EventID == 4672\\n| where PrivilegeList contains \u0027SeDebugPrivilege\u0027\\n| project-away StatusDesc, SubStatusDesc\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, PrivilegeList\\n// Notice! summarize removes the TimeGenerated field, which is required for Activities.\\n| extend RelatedRowSet = \u0027UserHadPrivilegedLogonSessions\u0027 ;\\nunion isfuzzy=true AllEvents, UserSigninToSystems, UserFailedSigninToSystems, UserSigninDuringAbnormalHours, UserHadPrivilegedLogonSessions\\n};\\n// change {{Account_Name}} value below to the username you are interested in and {{Account_NTDomain}} to the domain of the user you are interested in\\nGetAllLogonsForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027) \\n| where RelatedRowSet =~ \u0027AllEvents\u0027 and EventID == 4625 and LogonTypeName == \u002710 - RemoteInteractive\u0027 | extend TimeGenerated=StartTime \\n| project Computer, WorkstationName, LogonTypeName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/c6523929-5696-4e94-8a61-61aeb1c953d1\",\"name\":\"c6523929-5696-4e94-8a61-61aeb1c953d1\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Custom Script Extension execution (Preview)\",\"content\":\"The account {{Caller}} ran the custom script extension {{extName}} {{Count}} time(s)\",\"description\":\"This activity indicated Custom Script Extension execution\",\"queryDefinitions\":{\"query\":\"AzureActivity\\n| where OperationNameValue =~ \\\"MICROSOFT.COMPUTE/VIRTUALMACHINES/EXTENSIONS/WRITE\\\"\\n| where _ResourceId =~ \u0027{{AzureResource_ResourceId}}\u0027\\n| extend resBody = parse_json(Properties).responseBody\\n| where resBody != \\\"\\\"\\n| extend resBody = parse_json(tostring(resBody))\\n| extend extName = tostring(resBody.name), extType = resBody.properties.type\\n| where extType in (\\\"CustomScriptExtension\\\", \\\"CustomScript\\\", \\\"CustomScriptForLinux\\\")\\n| project TimeGenerated, Caller, _ResourceId, OperationNameValue, Resource, extType, extName \\n| project Caller, _ResourceId, extName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AzureActivity\"}],\"inputEntityType\":\"AzureResource\",\"requiredInputFieldsSets\":[[\"AzureResource_ResourceId\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/5a2b8371-8708-4e41-8613-b64bbcbd0199\",\"name\":\"5a2b8371-8708-4e41-8613-b64bbcbd0199\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Azure Key Vault sensitive operation\",\"content\":\"The operation {{OperationName}} was observed from the IP {{CallerIPAddress}} {{Count}} time(s)\",\"description\":\"This activity indicated sensitive operation of Azure Key Valut\",\"queryDefinitions\":{\"query\":\"let SensitiveOperationList = dynamic([\\\"VaultDelete\\\", \\\"KeyDelete\\\", \\\"SecretDelete\\\", \\\"SecretPurge\\\", \\\"KeyPurge\\\", \\\"SecretBackup\\\", \\\"KeyBackup\\\"]);\\n AzureDiagnostics\\n | where ResourceType == \\\"VAULTS\\\"\\n | where Category == \\\"AuditEvent\\\"\\n | where ResourceId =~ \u0027{{AzureResource_ResourceId}}\u0027\\n | extend Result = columnifexists(\\\"ResultType\\\", \\\"NoResult\\\")\\n | extend requestUri_s = columnifexists(\\\"requestUri_s\\\", \\\"None\\\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"None\\\")\\n | extend id_s = columnifexists(\\\"id_s\\\", \\\"None\\\"), CallerIPAddress = columnifexists(\\\"CallerIPAddress\\\", \\\"None\\\"), clientInfo_s = columnifexists(\\\"clientInfo_s\\\", \\\"None\\\")\\n | where Result !~ \\\"None\\\" and isnotempty(Result)\\n | where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \\\"None\\\" and isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\\n | where id_s !~ \\\"None\\\" and isnotempty(id_s)\\n | where CallerIPAddress !~ \\\"None\\\" and isnotempty(CallerIPAddress)\\n | where clientInfo_s !~ \\\"None\\\" and isnotempty(clientInfo_s)\\n | where requestUri_s !~ \\\"None\\\" and isnotempty(requestUri_s)\\n | where ResourceType =~ \\\"VAULTS\\\" and Result =~ \\\"Success\\\"\\n | where OperationName in~ (SensitiveOperationList)\\n | project TimeGenerated, ResourceId, Result, OperationName, CallerIPAddress \\n| project ResourceId, OperationName, CallerIPAddress, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AzureDiagnostics\"}],\"inputEntityType\":\"AzureResource\",\"requiredInputFieldsSets\":[[\"AzureResource_ResourceId\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/a8b50062-f80e-4331-a247-de0e10d7b83f\",\"name\":\"a8b50062-f80e-4331-a247-de0e10d7b83f\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Storage account keys list (Preview)\",\"content\":\"The account {{Caller}} retrieved the keys of the storage account {{_ResourceId}} {{Count}} time(s)\",\"description\":\"This activity indicated storage account keys list operation\",\"queryDefinitions\":{\"query\":\"AzureActivity\\n| where OperationNameValue =~ \\\"Microsoft.Storage/storageAccounts/listKeys/action\\\"\\n| where _ResourceId =~ \u0027{{AzureResource_ResourceId}}\u0027\\n| project TimeGenerated, Caller, _ResourceId, OperationNameValue, Resource \\n| project Caller, _ResourceId, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AzureActivity\"}],\"inputEntityType\":\"AzureResource\",\"requiredInputFieldsSets\":[[\"AzureResource_ResourceId\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/e24d372a-ce9a-424e-99ba-5894177365a0\",\"name\":\"e24d372a-ce9a-424e-99ba-5894177365a0\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Storage account keys list were regenerated (Preview)\",\"content\":\"The account {{Caller}} regenerated the keys of the storage account {{_ResourceId}} {{Count}} time(s)\",\"description\":\"This activity indicated storage account keys list regeneration\",\"queryDefinitions\":{\"query\":\"AzureActivity\\n| where OperationNameValue =~ \\\"MICROSOFT.STORAGE/STORAGEACCOUNTS/REGENERATEKEY/ACTION\\\"\\n| where _ResourceId =~ \u0027{{AzureResource_ResourceId}}\u0027\\n| project TimeGenerated, Caller, _ResourceId, OperationNameValue, Resource \\n| project Caller, _ResourceId, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AzureActivity\"}],\"inputEntityType\":\"AzureResource\",\"requiredInputFieldsSets\":[[\"AzureResource_ResourceId\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/2276eacb-9400-47e9-88c9-600b9b04ad81\",\"name\":\"2276eacb-9400-47e9-88c9-600b9b04ad81\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"VM Run Command execution (Preview)\",\"content\":\"The account {{Caller}} used Run Command on the VM {{Count}} time(s)\",\"description\":\"This activity indicates usage of Run Command\",\"queryDefinitions\":{\"query\":\"AzureActivity\\n| where OperationNameValue =~ \\\"MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION\\\"\\n| where _ResourceId =~ \u0027{{AzureResource_ResourceId}}\u0027\\n| project TimeGenerated, Caller, _ResourceId, OperationNameValue, Resource \\n| project Caller, _ResourceId, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AzureActivity\"}],\"inputEntityType\":\"AzureResource\",\"requiredInputFieldsSets\":[[\"AzureResource_ResourceId\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/0aa3626b-30dd-4731-9d1e-39872a73949c\",\"name\":\"0aa3626b-30dd-4731-9d1e-39872a73949c\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"VM access extension execution (Preview)\",\"content\":\"The account {{Caller}} ran VM Access extension on the VM {{Count}} time(s)\",\"description\":\"This activity indicated VM access extension execution\",\"queryDefinitions\":{\"query\":\"AzureActivity\\n| where OperationNameValue =~ \\\"MICROSOFT.COMPUTE/VIRTUALMACHINES/EXTENSIONS/WRITE\\\"\\n| where _ResourceId =~ \u0027{{AzureResource_ResourceId}}\u0027\\n| extend resBody = parse_json(Properties).responseBody\\n| where resBody != \\\"\\\"\\n| extend resBody = parse_json(tostring(resBody))\\n| extend extName = resBody.name, extType = resBody.properties.type\\n| where extType in (\\\"VMAccessAgent\\\", \\\"VMAccessForLinux\\\")\\n| project TimeGenerated, Caller, _ResourceId, OperationNameValue, Resource \\n| project Caller, _ResourceId, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AzureActivity\"}],\"inputEntityType\":\"AzureResource\",\"requiredInputFieldsSets\":[[\"AzureResource_ResourceId\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/307c85ee-39a2-4da3-952e-4fd79aa46d3a\",\"name\":\"307c85ee-39a2-4da3-952e-4fd79aa46d3a\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was created on this host\",\"content\":\"On \u0027{{Computer}}\u0027 the account \u0027{{TargetAccount}}\u0027 was created by \u0027{{AddedBy}}\u0027\",\"description\":\"Account created on host\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)\\n// parsing for Host to handle variety of conventions coming from data\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| where (isnotempty(v_Host_Name) and Host_HostName=~ v_Host_Name and isnotempty(v_Host_NTDomain) and Host_NTDomain =~ v_Host_NTDomain) \\nor (isnotempty(v_Host_Name) and Host_HostName =~ v_Host_Name and isnotempty(v_Host_NTDomain) and isnotempty(v_Host_DnsDomain) and Host_DnsDomain =~ v_Host_DnsDomain) \\nor (isnotempty(v_Host_AzureID) and v_Host_AzureID =~ _ResourceId)\\nor (isnotempty(v_Host_OMSAgentID) and v_Host_OMSAgentID == SourceComputerId)\\n| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid, _ResourceId, SourceComputerId\\n| extend AddedBy = SubjectUserName\\n// Future support for Activities\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = TargetAccount\\n};\\nGetAccountActions(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027) \\n| where EventID == 4720 \\n| project Computer, TargetAccount, AddedBy, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/31529548-dbd2-4d5d-8270-710330cdcec7\",\"name\":\"31529548-dbd2-4d5d-8270-710330cdcec7\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was deleted on this host\",\"content\":\"On \u0027{{Computer}}\u0027 the account \u0027{{TargetAccount}}\u0027 was deleted by \u0027{{AddedBy}}\u0027\",\"description\":\"Account deleted on host\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)\\n// parsing for Host to handle variety of conventions coming from data\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| where (isnotempty(v_Host_Name) and Host_HostName=~ v_Host_Name and isnotempty(v_Host_NTDomain) and Host_NTDomain =~ v_Host_NTDomain) \\nor (isnotempty(v_Host_Name) and Host_HostName =~ v_Host_Name and isnotempty(v_Host_NTDomain) and isnotempty(v_Host_DnsDomain) and Host_DnsDomain =~ v_Host_DnsDomain) \\nor (isnotempty(v_Host_AzureID) and v_Host_AzureID =~ _ResourceId)\\nor (isnotempty(v_Host_OMSAgentID) and v_Host_OMSAgentID == SourceComputerId)\\n| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid, _ResourceId, SourceComputerId\\n| extend AddedBy = SubjectUserName\\n// Future support for Activities\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = TargetAccount\\n};\\nGetAccountActions(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027) \\n| where EventID == 4726 \\n| project Computer, TargetAccount, AddedBy, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/2fcda698-9526-454f-8fe0-4a0fd7af13f2\",\"name\":\"2fcda698-9526-454f-8fe0-4a0fd7af13f2\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Security Event log cleared by account on this host\",\"content\":\"On \u0027{{Computer}}\u0027 the user \u0027{{SubjectAccount}}\u0027 cleared the \u0027{{LogName}}\u0027 log, EventID: \u0027{{EventID}}\u0027\",\"description\":\"Security Event log cleared by account\",\"queryDefinitions\":{\"query\":\"let SystemAccount = datatable(AccountName:string)[\u0027NT AUTHORITY\\\\\\\\SYSTEM\u0027, \u0027NT AUTHORITY\\\\\\\\NETWORK SERVICE\u0027, \u0027NT AUTHORITY\\\\\\\\LOCAL SERVICE\u0027, \u0027NT AUTHORITY\\\\\\\\IUSR\u0027, \u0027NTAUTHORITY\\\\\\\\ANONYMOUS LOGON\u0027];\\nlet SvcAcctList = dynamic([\\\"Local SYSTEM\\\",\\\"Local SERVICE\\\",\\\"Network SERVICE\\\",\\\"NT AUTHORITY\\\"]);\\nlet ServiceAccount = SecurityEvent\\n| where EventID == \u00274624\u0027 and LogonType == \u00275\u0027 and not(Account has_any (SvcAcctList))\\n| extend AccountName = Account\\n| distinct AccountName;\\nlet MachineAccount = SecurityEvent\\n| where EventID == \u00274624\u0027 and AccountType == \\\"Machine\\\" and not(Account has_any (SvcAcctList))\\n| extend AccountName = Account\\n| distinct AccountName;\\nlet Accounts = union isfuzzy=true SystemAccount, ServiceAccount, MachineAccount;\\nlet source = \u0027Microsoft-Windows-Eventlog\u0027;\\nlet tableFunc = (tableName:string, event:int){\\ntable(tableName) \\n| where EventID == event\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| extend SourceComputerId = column_ifexists(\\\"SourceComputerId\\\", \\\"NotAvailable\\\"), EventOriginId = column_ifexists(\\\"EventOriginId\\\", \\\"NotAvailable\\\")\\n| parse EventData with * \u0027SubjectUserName\u003e\u0027 SubjectUserName \u0027\u003c\u0027 *\\n| parse EventData with * \u0027SubjectUserSid\u003e\u0027 SubjectUserSid \u0027\u003c\u0027 *\\n| parse EventData with * \u0027SubjectLogonId\u003e\u0027 SubjectLogonId \u0027\u003c\u0027 *\\n| parse EventData with * \u0027SubjectDomainName\u003e\u0027 SubjectDomainName \u0027\u003c\u0027 *\\n| extend SubjectAccount = strcat(SubjectDomainName, \u0027\\\\\\\\\u0027, SubjectUserName)\\n};\\nlet HostClearedEventLog = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string)\\n{\\nlet Event104 = tableFunc(\u0027Event\u0027, event=104)\\n| where Source =~ source\\n| where (isnotempty(v_Host_Name) and Host_HostName=~ v_Host_Name and isnotempty(v_Host_NTDomain) and Host_NTDomain =~ v_Host_NTDomain) \\nor (isnotempty(v_Host_Name) and Host_HostName =~ v_Host_Name and isnotempty(v_Host_NTDomain) and isnotempty(v_Host_DnsDomain) and Host_DnsDomain =~ v_Host_DnsDomain) \\nor (isnotempty(v_Host_AzureID) and v_Host_AzureID =~ _ResourceId)\\nor (isnotempty(v_Host_OMSAgentID) and v_Host_OMSAgentID == SourceComputerId)\\n| parse RenderedDescription with * \u0027The\u0027 LogName \u0027log\u0027 *\\n| project TimeGenerated, Computer, EventID, SubjectAccount, SubjectUserName, SubjectDomainName, LogName, SubjectUserSid, SubjectLogonId, SourceComputerId, EventOriginId, _ResourceId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount, HostCustomEntity = Computer;\\nlet Event1102 = tableFunc(\u0027SecurityEvent\u0027, event=1102)\\n| where EventSourceName == source\\n| where (isnotempty(v_Host_Name) and Host_HostName=~ v_Host_Name and isnotempty(v_Host_NTDomain) and Host_NTDomain =~ v_Host_NTDomain) \\nor (isnotempty(v_Host_Name) and Host_HostName =~ v_Host_Name and isnotempty(v_Host_NTDomain) and isnotempty(v_Host_DnsDomain) and Host_DnsDomain =~ v_Host_DnsDomain) \\nor (isnotempty(v_Host_AzureID) and v_Host_AzureID =~ _ResourceId)\\nor (isnotempty(v_Host_OMSAgentID) and v_Host_OMSAgentID == SourceComputerId)\\n| extend LogName = \u0027Security\u0027\\n| project TimeGenerated, Computer, EventID, SubjectAccount, SubjectUserName, SubjectDomainName, LogName, SubjectUserSid, SubjectLogonId, SourceComputerId, EventOriginId, _ResourceId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount, HostCustomEntity = Computer;\\nunion isfuzzy=true Event104, Event1102\\n};\\nHostClearedEventLog(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027) \\n| where LogName =~ \u0027Security\u0027 \\n| project Computer, SubjectAccount, LogName, EventID, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"},{\"dataType\":\"Event\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/3ff675ee-3052-4e0b-88ad-f34ed1732adc\",\"name\":\"3ff675ee-3052-4e0b-88ad-f34ed1732adc\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Event log(s) cleared by account on this host\",\"content\":\"On \u0027{{Computer}}\u0027 the user \u0027{{SubjectAccount}}\u0027 cleared the \u0027{{LogName}}\u0027 log, EventID: \u0027{{EventID}}\u0027\",\"description\":\"Event logs cleared by account\",\"queryDefinitions\":{\"query\":\"let SystemAccount = datatable(AccountName:string)[\u0027NT AUTHORITY\\\\\\\\SYSTEM\u0027, \u0027NT AUTHORITY\\\\\\\\NETWORK SERVICE\u0027, \u0027NT AUTHORITY\\\\\\\\LOCAL SERVICE\u0027, \u0027NT AUTHORITY\\\\\\\\IUSR\u0027, \u0027NTAUTHORITY\\\\\\\\ANONYMOUS LOGON\u0027];\\nlet SvcAcctList = dynamic([\\\"Local SYSTEM\\\",\\\"Local SERVICE\\\",\\\"Network SERVICE\\\",\\\"NT AUTHORITY\\\"]);\\nlet ServiceAccount = SecurityEvent\\n| where EventID == \u00274624\u0027 and LogonType == \u00275\u0027 and not(Account has_any (SvcAcctList))\\n| extend AccountName = Account\\n| distinct AccountName;\\nlet MachineAccount = SecurityEvent\\n| where EventID == \u00274624\u0027 and AccountType == \\\"Machine\\\" and not(Account has_any (SvcAcctList))\\n| extend AccountName = Account\\n| distinct AccountName;\\nlet Accounts = union isfuzzy=true SystemAccount, ServiceAccount, MachineAccount;\\nlet source = \u0027Microsoft-Windows-Eventlog\u0027;\\nlet tableFunc = (tableName:string, event:int){\\ntable(tableName) \\n| where EventID == event\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| extend SourceComputerId = column_ifexists(\\\"SourceComputerId\\\", \\\"NotAvailable\\\"), EventOriginId = column_ifexists(\\\"EventOriginId\\\", \\\"NotAvailable\\\")\\n| parse EventData with * \u0027SubjectUserName\u003e\u0027 SubjectUserName \u0027\u003c\u0027 *\\n| parse EventData with * \u0027SubjectUserSid\u003e\u0027 SubjectUserSid \u0027\u003c\u0027 *\\n| parse EventData with * \u0027SubjectLogonId\u003e\u0027 SubjectLogonId \u0027\u003c\u0027 *\\n| parse EventData with * \u0027SubjectDomainName\u003e\u0027 SubjectDomainName \u0027\u003c\u0027 *\\n| extend SubjectAccount = strcat(SubjectDomainName, \u0027\\\\\\\\\u0027, SubjectUserName)\\n};\\nlet HostClearedEventLog = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string)\\n{\\nlet Event104 = tableFunc(\u0027Event\u0027, event=104)\\n| where Source =~ source\\n| where (isnotempty(v_Host_Name) and Host_HostName=~ v_Host_Name and isnotempty(v_Host_NTDomain) and Host_NTDomain =~ v_Host_NTDomain) \\nor (isnotempty(v_Host_Name) and Host_HostName =~ v_Host_Name and isnotempty(v_Host_NTDomain) and isnotempty(v_Host_DnsDomain) and Host_DnsDomain =~ v_Host_DnsDomain) \\nor (isnotempty(v_Host_AzureID) and v_Host_AzureID =~ _ResourceId)\\nor (isnotempty(v_Host_OMSAgentID) and v_Host_OMSAgentID == SourceComputerId)\\n| parse RenderedDescription with * \u0027The\u0027 LogName \u0027log\u0027 *\\n| project TimeGenerated, Computer, EventID, SubjectAccount, SubjectUserName, SubjectDomainName, LogName, SubjectUserSid, SubjectLogonId, SourceComputerId, EventOriginId, _ResourceId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount, HostCustomEntity = Computer;\\nlet Event1102 = tableFunc(\u0027SecurityEvent\u0027, event=1102)\\n| where EventSourceName == source\\n| where (isnotempty(v_Host_Name) and Host_HostName=~ v_Host_Name and isnotempty(v_Host_NTDomain) and Host_NTDomain =~ v_Host_NTDomain) \\nor (isnotempty(v_Host_Name) and Host_HostName =~ v_Host_Name and isnotempty(v_Host_NTDomain) and isnotempty(v_Host_DnsDomain) and Host_DnsDomain =~ v_Host_DnsDomain) \\nor (isnotempty(v_Host_AzureID) and v_Host_AzureID =~ _ResourceId)\\nor (isnotempty(v_Host_OMSAgentID) and v_Host_OMSAgentID == SourceComputerId)\\n| extend LogName = \u0027Security\u0027\\n| project TimeGenerated, Computer, EventID, SubjectAccount, SubjectUserName, SubjectDomainName, LogName, SubjectUserSid, SubjectLogonId, SourceComputerId, EventOriginId, _ResourceId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount, HostCustomEntity = Computer;\\nunion isfuzzy=true Event104, Event1102\\n};\\nHostClearedEventLog(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027) \\n| where LogName !~ \u0027Security\u0027 \\n| project Computer, SubjectAccount, LogName, EventID, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"},{\"dataType\":\"Event\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/b880ad94-f905-4ba8-8a3f-9088b19b12fa\",\"name\":\"b880ad94-f905-4ba8-8a3f-9088b19b12fa\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was added to the local Administrators group\",\"content\":\"On \u0027{{Computer}}\u0027 the user \u0027{{MemberAdded}}\u0027 was added by \u0027{{AddedBy}}\u0027 to group: \u0027{{GroupName}}\u0027\",\"description\":\"Account added to local Administrators group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForHost = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n// parsing for Host to handle variety of conventions coming from data\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| where (isnotempty(v_Host_Name) and Host_HostName=~ v_Host_Name and isnotempty(v_Host_NTDomain) and Host_NTDomain =~ v_Host_NTDomain) \\nor (isnotempty(v_Host_Name) and Host_HostName =~ v_Host_Name and isnotempty(v_Host_NTDomain) and isnotempty(v_Host_DnsDomain) and Host_DnsDomain =~ v_Host_DnsDomain) \\nor (isnotempty(v_Host_AzureID) and v_Host_AzureID =~ _ResourceId)\\nor (isnotempty(v_Host_OMSAgentID) and v_Host_OMSAgentID == SourceComputerId)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName) \\n| project TimeGenerated, EventID, Activity, Computer, MemberAdded, MemberName, MemberSid, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectUserName, SubjectUserSid, WellKnownGroupSID, WellKnownLocalSID, _ResourceId, SourceComputerId\\n| extend GroupName = TargetUserName, AddedBy = SubjectUserName\\n//support for Activities\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer\\n};\\nGetGroupAddForHost(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027) \\n| where TargetSid == \u0027S-1-5-32-544\u0027 \\n| project Computer, MemberAdded, AddedBy, GroupName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/aaad22c3-be50-465f-b258-8570d629c3db\",\"name\":\"aaad22c3-be50-465f-b258-8570d629c3db\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was added to the Domain Admins group\",\"content\":\"On \u0027{{Computer}}\u0027 the user \u0027{{MemberAdded}}\u0027 was added by \u0027{{AddedBy}}\u0027 to group: \u0027{{GroupName}}\u0027\",\"description\":\"Account added to the Domain Admins group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForHost = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n// parsing for Host to handle variety of conventions coming from data\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| where (isnotempty(v_Host_Name) and Host_HostName=~ v_Host_Name and isnotempty(v_Host_NTDomain) and Host_NTDomain =~ v_Host_NTDomain) \\nor (isnotempty(v_Host_Name) and Host_HostName =~ v_Host_Name and isnotempty(v_Host_NTDomain) and isnotempty(v_Host_DnsDomain) and Host_DnsDomain =~ v_Host_DnsDomain) \\nor (isnotempty(v_Host_AzureID) and v_Host_AzureID =~ _ResourceId)\\nor (isnotempty(v_Host_OMSAgentID) and v_Host_OMSAgentID == SourceComputerId)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName) \\n| project TimeGenerated, EventID, Activity, Computer, MemberAdded, MemberName, MemberSid, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectUserName, SubjectUserSid, WellKnownGroupSID, WellKnownLocalSID, _ResourceId, SourceComputerId\\n| extend GroupName = TargetUserName, AddedBy = SubjectUserName\\n//support for Activities\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer\\n};\\nGetGroupAddForHost(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027) \\n| where TargetSid matches regex \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-512$\u0027 \\n| project Computer, MemberAdded, AddedBy, GroupName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/cf3469b3-f64c-4ae2-9900-289617443d74\",\"name\":\"cf3469b3-f64c-4ae2-9900-289617443d74\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was added to the Enterprise Admins group\",\"content\":\"On \u0027{{Computer}}\u0027 the user \u0027{{MemberAdded}}\u0027 was added by \u0027{{AddedBy}}\u0027 to group: \u0027{{GroupName}}\u0027\",\"description\":\"Account added to the Enterprise Admins group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForHost = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n// parsing for Host to handle variety of conventions coming from data\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| where (isnotempty(v_Host_Name) and Host_HostName=~ v_Host_Name and isnotempty(v_Host_NTDomain) and Host_NTDomain =~ v_Host_NTDomain) \\nor (isnotempty(v_Host_Name) and Host_HostName =~ v_Host_Name and isnotempty(v_Host_NTDomain) and isnotempty(v_Host_DnsDomain) and Host_DnsDomain =~ v_Host_DnsDomain) \\nor (isnotempty(v_Host_AzureID) and v_Host_AzureID =~ _ResourceId)\\nor (isnotempty(v_Host_OMSAgentID) and v_Host_OMSAgentID == SourceComputerId)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName) \\n| project TimeGenerated, EventID, Activity, Computer, MemberAdded, MemberName, MemberSid, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectUserName, SubjectUserSid, WellKnownGroupSID, WellKnownLocalSID, _ResourceId, SourceComputerId\\n| extend GroupName = TargetUserName, AddedBy = SubjectUserName\\n//support for Activities\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer\\n};\\nGetGroupAddForHost(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027) \\n| where TargetSid matches regex \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-519$\u0027 \\n| project Computer, MemberAdded, AddedBy, GroupName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/5ba7b064-c667-4bb9-b8ac-7e87872ae479\",\"name\":\"5ba7b064-c667-4bb9-b8ac-7e87872ae479\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Account added to a privileged group\",\"content\":\"On \u0027{{Computer}}\u0027 the user \u0027{{MemberAdded}}\u0027 was added by \u0027{{AddedBy}}\u0027 to group: \u0027{{GroupName}}\u0027\",\"description\":\"Account added to privileged group.\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForHost = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n// parsing for Host to handle variety of conventions coming from data\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| where (isnotempty(v_Host_Name) and Host_HostName=~ v_Host_Name and isnotempty(v_Host_NTDomain) and Host_NTDomain =~ v_Host_NTDomain) \\nor (isnotempty(v_Host_Name) and Host_HostName =~ v_Host_Name and isnotempty(v_Host_NTDomain) and isnotempty(v_Host_DnsDomain) and Host_DnsDomain =~ v_Host_DnsDomain) \\nor (isnotempty(v_Host_AzureID) and v_Host_AzureID =~ _ResourceId)\\nor (isnotempty(v_Host_OMSAgentID) and v_Host_OMSAgentID == SourceComputerId)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName) \\n| project TimeGenerated, EventID, Activity, Computer, MemberAdded, MemberName, MemberSid, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectUserName, SubjectUserSid, WellKnownGroupSID, WellKnownLocalSID, _ResourceId, SourceComputerId\\n| extend GroupName = TargetUserName, AddedBy = SubjectUserName\\n//support for Activities\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer\\n};\\nGetGroupAddForHost(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027) \\n| where (TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID) and TargetSid != \u0027S-1-5-32-544\u0027 and not(TargetSid matches regex \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-512$\u0027) and not(TargetSid matches regex \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-519$\u0027) \\n| project Computer, MemberAdded, AddedBy, GroupName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/290032e9-c52e-4e66-841a-7428f0b356bb\",\"name\":\"290032e9-c52e-4e66-841a-7428f0b356bb\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was created on this host\",\"content\":\"On \u0027{{Computer}}\u0027 the account \u0027{{User}}\u0027 was created by sudo\",\"description\":\"Account created on Host\",\"queryDefinitions\":{\"query\":\"let AllUserEvents = (v_Host_Name:string, v_Host_AzureID:string) {\\nSyslog\\n| where Computer == v_Host_Name or v_Host_AzureID == _ResourceId\\n| where Facility == \u0027authpriv\u0027\\n| where ProcessName in~ (\u0027useradd\u0027,\u0027userdel\u0027)\\n| where SyslogMessage startswith \u0027new user:\u0027 or SyslogMessage startswith \u0027delete user \u0027\\n| extend User = case(SyslogMessage startswith \u0027new user:\u0027, tostring(split(tostring(split(SyslogMessage, \u0027name=\u0027)[1]), \u0027,\u0027)[0]),\\nSyslogMessage startswith \u0027delete user \u0027, tostring(split(SyslogMessage, \\\"\u0027\\\")[1]),\\n\u0027Not Available\u0027)\\n| extend Action = case( SyslogMessage startswith \u0027new user\u0027, \u0027new user\u0027, SyslogMessage startswith \u0027delete user\u0027, \u0027delete user\u0027, \u0027None\u0027)\\n| project TimeGenerated, Computer, HostIP, User, Facility, ProcessName, Action, SyslogMessage, _ResourceId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, AccountCustomEntity = User\\n};\\nAllUserEvents(\u0027{{Host_HostName}}\u0027, \u0027{{Host_AzureID}}\u0027) \\n| where Action == \u0027new user\u0027 \\n| project Computer, User, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"Syslog\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\"],[\"Host_AzureID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Linux\"]}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/ce9e87c7-2ffa-42cb-92e5-f1a4f21f007a\",\"name\":\"ce9e87c7-2ffa-42cb-92e5-f1a4f21f007a\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was deleted on this host\",\"content\":\"On \u0027{{Computer}}\u0027 the account \u0027{{User}}\u0027 was deleted by sudo\",\"description\":\"Account deleted on Host\",\"queryDefinitions\":{\"query\":\"let AllUserEvents = (v_Host_Name:string, v_Host_AzureID:string) {\\nSyslog\\n| where Computer == v_Host_Name or v_Host_AzureID == _ResourceId\\n| where Facility == \u0027authpriv\u0027\\n| where ProcessName in~ (\u0027useradd\u0027,\u0027userdel\u0027)\\n| where SyslogMessage startswith \u0027new user:\u0027 or SyslogMessage startswith \u0027delete user \u0027\\n| extend User = case(SyslogMessage startswith \u0027new user:\u0027, tostring(split(tostring(split(SyslogMessage, \u0027name=\u0027)[1]), \u0027,\u0027)[0]),\\nSyslogMessage startswith \u0027delete user \u0027, tostring(split(SyslogMessage, \\\"\u0027\\\")[1]),\\n\u0027Not Available\u0027)\\n| extend Action = case( SyslogMessage startswith \u0027new user\u0027, \u0027new user\u0027, SyslogMessage startswith \u0027delete user\u0027, \u0027delete user\u0027, \u0027None\u0027)\\n| project TimeGenerated, Computer, HostIP, User, Facility, ProcessName, Action, SyslogMessage, _ResourceId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, AccountCustomEntity = User\\n};\\nAllUserEvents(\u0027{{Host_HostName}}\u0027, \u0027{{Host_AzureID}}\u0027) \\n| where Action == \u0027delete user\u0027 \\n| project Computer, User, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"Syslog\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\"],[\"Host_AzureID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Linux\"]}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/46aeae2d-187c-41f9-b8d6-9d75c43bce0a\",\"name\":\"46aeae2d-187c-41f9-b8d6-9d75c43bce0a\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was added to the sudo group\",\"content\":\"On \u0027{{Computer}}\u0027 the user \u0027{{User}}\u0027 was added by \u0027{{AcctMakingChange}}\u0027 to group: \u0027{{Group}}\u0027\",\"description\":\"Account added to the sudo group\",\"queryDefinitions\":{\"query\":\"let AllUserEvents = (v_Host_Name:string, v_Host_AzureID:string) {\\nSyslog\\n| where Computer == v_Host_Name or v_Host_AzureID == _ResourceId\\n| where Facility == \u0027authpriv\u0027\\n| where SyslogMessage !startswith \\\"omsagent\\\"\\n| where SyslogMessage has \u0027COMMAND\u0027 or ProcessName in~ (\u0027gpasswd\u0027, \u0027useradd\u0027, \u0027userdel\u0027)\\n| parse SyslogMessage with * \u0027user \u0027 User \u0027 \u0027 Verb \u0027 by \u0027 AcctMakingChange \u0027 \u0027 Preposition \u0027 group \u0027 Group\\n| extend Group = case(\\nSyslogMessage startswith \u0027removed group\u0027 or SyslogMessage startswith \u0027removed shadow group\u0027, tostring(split(SyslogMessage, \\\"\u0027\\\")[1]), \\nSyslogMessage startswith \u0027new group\u0027, tostring(split(tostring(split(SyslogMessage, \u0027=\u0027)[1]),\u0027,\u0027)[0]),\\nGroup)\\n| extend Action = case(\\nisnotempty(Verb) or isnotempty(Preposition), strcat(Verb, \u0027 \u0027, Preposition),\\nSyslogMessage startswith \u0027new group\u0027, \u0027new group\u0027,\\nSyslogMessage startswith \u0027removed group\u0027, \u0027removed group\u0027,\\nSyslogMessage startswith \u0027removed shadow group\u0027, \u0027removed shadow group\u0027,\\n\u0027None\u0027)\\n| where isnotempty(Action) and Action != \u0027None\u0027 and isnotempty(Group)\\n| project TimeGenerated, Computer, HostIP, User, Action, Group, Facility, ProcessName, AcctMakingChange, SyslogMessage, _ResourceId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, AccountCustomEntity = User\\n};\\nAllUserEvents(\u0027{{Host_HostName}}\u0027, \u0027{{Host_AzureID}}\u0027) \\n| where Action =~ \u0027added to\u0027 and Group =~ \u0027sudo\u0027 \\n| project Computer, User, AcctMakingChange, Group, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"Syslog\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\"],[\"Host_AzureID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Linux\"]}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/e24dd437-c65e-40e1-8d59-cd303ad4496a\",\"name\":\"e24dd437-c65e-40e1-8d59-cd303ad4496a\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was removed from the sudo group\",\"content\":\"On \u0027{{Computer}}\u0027 the user \u0027{{User}}\u0027 was added by \u0027{{AcctMakingChange}}\u0027 to group: \u0027{{Group}}\u0027\",\"description\":\"Account removed from sudo group\",\"queryDefinitions\":{\"query\":\"let AllUserEvents = (v_Host_Name:string, v_Host_AzureID:string) {\\nSyslog\\n| where Computer == v_Host_Name or v_Host_AzureID == _ResourceId\\n| where Facility == \u0027authpriv\u0027\\n| where SyslogMessage !startswith \\\"omsagent\\\"\\n| where SyslogMessage has \u0027COMMAND\u0027 or ProcessName in~ (\u0027gpasswd\u0027, \u0027useradd\u0027, \u0027userdel\u0027)\\n| parse SyslogMessage with * \u0027user \u0027 User \u0027 \u0027 Verb \u0027 by \u0027 AcctMakingChange \u0027 \u0027 Preposition \u0027 group \u0027 Group\\n| extend Group = case(\\nSyslogMessage startswith \u0027removed group\u0027 or SyslogMessage startswith \u0027removed shadow group\u0027, tostring(split(SyslogMessage, \\\"\u0027\\\")[1]), \\nSyslogMessage startswith \u0027new group\u0027, tostring(split(tostring(split(SyslogMessage, \u0027=\u0027)[1]),\u0027,\u0027)[0]),\\nGroup)\\n| extend Action = case(\\nisnotempty(Verb) or isnotempty(Preposition), strcat(Verb, \u0027 \u0027, Preposition),\\nSyslogMessage startswith \u0027new group\u0027, \u0027new group\u0027,\\nSyslogMessage startswith \u0027removed group\u0027, \u0027removed group\u0027,\\nSyslogMessage startswith \u0027removed shadow group\u0027, \u0027removed shadow group\u0027,\\n\u0027None\u0027)\\n| where isnotempty(Action) and Action != \u0027None\u0027 and isnotempty(Group)\\n| project TimeGenerated, Computer, HostIP, User, Action, Group, Facility, ProcessName, AcctMakingChange, SyslogMessage, _ResourceId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, AccountCustomEntity = User\\n};\\nAllUserEvents(\u0027{{Host_HostName}}\u0027, \u0027{{Host_AzureID}}\u0027) \\n| where Action =~ \u0027removed from\u0027 and Group =~ \u0027sudo\u0027 \\n| project Computer, User, AcctMakingChange, Group, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"Syslog\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\"],[\"Host_AzureID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Linux\"]}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/c91cb743-7c6c-4ccf-b066-13448c9c085c\",\"name\":\"c91cb743-7c6c-4ccf-b066-13448c9c085c\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Windows Defender Application Control activities on this host\",\"content\":\"{{FriendlyActivityName}} by {{InitiatingProcessAccountUpn}} {{Count}} time(s)\",\"description\":\"Microsoft Defender Application Control activities\",\"queryDefinitions\":{\"query\":\"let AppControlEvents=(v_Host_HostName:string, v_Host_NTDomain:string, v_Host_DnsDomain:string){\\nlet p_FullDeviceName = iff(isnotempty(v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_NTDomain));\\nlet AppControls=datatable(ActionType:string, Description:string, FriendlyActivityName:string)\\n [\\\"AppControlAppInstallationAudited\\\", \\\"Application control detected the installation of an untrusted app.\\\",\\\"Untrusted app installed\\\"\\n ,\\\"AppControlAppInstallationBlocked\\\", \\\"Application control blocked the installation of an untrusted app.\\\", \\\"Untrusted app installation blocked\\\"\\n ,\\\"AppControlCodeIntegrityDriverRevoked\\\", \\\"Application control found a driver with a revoked certificate.\\\", \\\"Driver with revoked certificate detected\\\"\\n ,\\\"AppControlCodeIntegrityImageRevoked\\\", \\\"Application control found an executable file with a revoked certificate.\\\", \\\"Executable with revoked certificate detected\\\"\\n ,\\\"AppControlExecutableAudited\\\",\\\"Application control detected the use of an untrusted executable.\\\",\\\"Untrusted executable used\\\"\\n ,\\\"AppControlExecutableBlocked\\\",\\\"Application control blocked the use of an untrusted executable.\\\",\\\"Untrusted executable blocked\\\"\\n ,\\\"AppControlScriptAudited\\\", \\\"Application control detected the use of an untrusted script.\\\", \\\"Untrusted script detected\\\"\\n ,\\\"AppControlScriptBlocked\\\", \\\"Application control blocked the use of an untrusted script.\\\", \\\"Untrusted script blocked\\\" ];\\nDeviceEvents\\n| where ActionType in (AppControls) \\n| where DeviceName ==p_FullDeviceName\\n| lookup AppControls on ActionType\\n};\\nAppControlEvents(\u0027{{Host_HostName}}\u0027,\u0027{{Host_NTDomain}}\u0027,\u0027{{Host_DnsDomain}}\u0027) \\n| project DeviceName, ActionType, FriendlyActivityName, InitiatingProcessAccountUpn, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"DeviceEvents\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/c7def1db-6a27-45dc-bee0-0c5fd5e7f1fe\",\"name\":\"c7def1db-6a27-45dc-bee0-0c5fd5e7f1fe\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Screenshot taken\",\"content\":\"The user \u0027{{InitiatingProcessAccountUpn}}\u0027 has taken {{Count}} screenshot(s) on the host\",\"description\":\"A screenshot was taken on the host\",\"queryDefinitions\":{\"query\":\"let ScreenshotTakers= (v_Host_HostName:string, v_Host_NTDomain:string, v_Host_DnsDomain:string){\\n let p_FullDeviceName = iff(isnotempty(v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_NTDomain) );\\n DeviceEvents \\n | where ActionType ==\u0027ScreenshotTaken\u0027 \\n | where DeviceName =~ p_FullDeviceName\\n};\\nScreenshotTakers(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027) \\n| where 1==1 \\n| project InitiatingProcessAccountName, InitiatingProcessAccountUpn, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"DeviceEvents\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/8d0e9356-be1e-45ac-9403-d0ac3f1605b7\",\"name\":\"8d0e9356-be1e-45ac-9403-d0ac3f1605b7\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Exploit protection blocked the launch of a process from an image file that is not signed by Microsoft\",\"content\":\"Launch of unsigned file \u0027{{FileName}}\u0027 by process \u0027{{InitiatingProcessFileName}}\u0027 initiated by \u0027{{InitiatingProcessAccountName}}\u0027 was blocked. \",\"description\":\"Exploit protection blocked the launch of a process from an image file that is not signed by Microsoft\",\"queryDefinitions\":{\"query\":\"let NonMSSignedBlocked= (v_Host_HostName:string, v_Host_NTDomain:string, v_Host_DnsDomain:string){\\n let p_FullDeviceName = iff(isnotempty(v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_NTDomain) );\\n DeviceEvents\\n | where ActionType in (\\\"ExploitGuardNonMicrosoftSignedBlocked\\\", \\\"ExploitGuardNonMicrosoftSignedAudited\\\") \\n and FileName !hassuffix \u0027.ni.dll\u0027\\n | where DeviceName =~ p_FullDeviceName\\n | project TimeGenerated\\n , FileName\\n ,InitiatingProcessFileName\\n , InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessAccountSid\\n , DeviceName , ActionType\\n};\\nNonMSSignedBlocked(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027) \\n| where ActionType =~ \u0027ExploitGuardNonMicrosoftSignedBlocked\u0027 \\n| project FileName, InitiatingProcessFileName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessAccountSid, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"DeviceEvents\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/3ff80327-7c54-449d-95d4-613848f7d60b\",\"name\":\"3ff80327-7c54-449d-95d4-613848f7d60b\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Exploit protection detected the launch of a process from an image file that is not signed by Microsoft\",\"content\":\"Launch of unsigned file \u0027{{FileName}}\u0027 by process \u0027{{InitiatingProcessFileName}}\u0027 initiated by \u0027{{InitiatingProcessAccountName}}\u0027 was audited.\",\"description\":\"Exploit protection detected the launch of a process from an image file that is not signed by Microsoft\",\"queryDefinitions\":{\"query\":\"let NonMSSignedBlocked= (v_Host_HostName:string, v_Host_NTDomain:string, v_Host_DnsDomain:string){\\n let p_FullDeviceName = iff(isnotempty(v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_NTDomain) );\\n DeviceEvents\\n | where ActionType in (\\\"ExploitGuardNonMicrosoftSignedBlocked\\\", \\\"ExploitGuardNonMicrosoftSignedAudited\\\") \\n and FileName !hassuffix \u0027.ni.dll\u0027\\n | where DeviceName =~ p_FullDeviceName\\n | project TimeGenerated\\n , FileName\\n ,InitiatingProcessFileName\\n , InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessAccountSid\\n , DeviceName , ActionType\\n};\\nNonMSSignedBlocked(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027) \\n| where ActionType =~ \u0027ExploitGuardNonMicrosoftSignedAudited\u0027 \\n| project FileName, InitiatingProcessFileName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessAccountSid, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"DeviceEvents\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/3f7059b2-67ea-4fc1-af34-37f5fc69a630\",\"name\":\"3f7059b2-67ea-4fc1-af34-37f5fc69a630\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Windows Defender Antivirus activities on this host\",\"content\":\"Window Defender Antivirus \u0027{{ActionType}}\u0027 activity was spotted on Host {{Host_HostName}}\",\"description\":\"Windows Defender Antivirus activities\",\"queryDefinitions\":{\"query\":\"let AntivirusEvents=(v_Host_HostName:string, v_Host_NTDomain:string, v_Host_DnsDomain:string){\\nlet Severity= datatable(ActionType:string, Severity:int)[\\\"AntivirusMalwareActionFailed\\\",1,\\\"AntivirusDetection\\\",2,\\\"AntivirusScanFailed\\\",3, \\\"AntivirusError\\\",4, \\\"AntivirusDefinitionsUpdateFailed\\\",5];\\nlet p_FullDeviceName = iff(isnotempty(v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_NTDomain));\\nDeviceEvents\\n| where ActionType hasprefix \\\"Antivirus\\\" and ActionType !in( \\\"AntivirusReport\\\", \\\"AntivirusScanCompleted\\\", \\\"AntivirusDefinitionsUpdated\\\",\\\"AntivirusEmergencyUpdatesInstalled\\\")\\n| where DeviceName ==p_FullDeviceName\\n| lookup Severity on ActionType};\\nAntivirusEvents(\u0027{{Host_HostName}}\u0027,\u0027{{Host_NTDomain}}\u0027,\u0027{{Host_DnsDomain}}\u0027) \\n| where ActionType !in( \\\"AntivirusReport\\\", \\\"AntivirusScanCompleted\\\", \\\"AntivirusDefinitionsUpdated\\\",\\\"AntivirusEmergencyUpdatesInstalled\\\") \\n| project ActionType, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"DeviceEvents\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}}]}", + "Content": "{\"value\":[{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueryTemplates/d6d08c94-455f-4ea5-8f76-fc6c0c442cfa\",\"name\":\"d6d08c94-455f-4ea5-8f76-fc6c0c442cfa\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user has created an account\",\"content\":\"The user {{InitiatedByAccount}} has created the account {{TargetAccount}} {{Count}} time(s)\",\"description\":\"This activity displays account creation events performed by the user\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (Account_Name:string, Account_NTDomain:string, Account_UPNSuffix:string, Account_AadUserId:string, Account_Sid:string){\\nlet Account_UPN = strcat(Account_Name, \u0027@\u0027, Account_UPNSuffix);\\nlet Account_Win = strcat(Account_NTDomain,\u0027\\\\\\\\\u0027, Account_Name);\\nunion isfuzzy=true\\n(AuditLogs\\n | where tostring(bag_keys(InitiatedBy)[0]) == \\\"user\\\"\\n | where OperationName in~ (\u0027Add user\u0027, \u0027Update user\u0027, \u0027Delete user\u0027, \u0027Change user password\u0027, \u0027Reset user password\u0027, \u0027Reset password (by admin)\u0027, \u0027Change password (self-service)\u0027, \u0027Reset password (self-service)\u0027)\\n | where Account_UPN =~ tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName) or Account_AadUserId =~ tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend InitiatedByAccount = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | parse InitiatedByAccount with userName:string \u0027@\u0027 userUpnSuffix:string\\n | extend InitiatedByAADUserId = tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend TargetAccount = tostring(TargetResources[0].userPrincipalName)\\n | parse TargetAccount with TargetAccountName:string \u0027@\u0027 TargetAccountUPNSuffix:string\\n | extend TargetAADUserId = tostring(TargetResources[0].id)\\n | extend Action = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[0])))\\n | extend ModifiedProperty = tostring(parse_json(Action).displayName), ModifiedValue = tostring(parse_json(Action).newValue)\\n | extend DisableUser = iif(ModifiedProperty =~ \u0027AccountEnabled\u0027 and ModifiedValue =~ \u0027[false]\u0027, \u0027True\u0027, \u0027False\u0027)\\n),\\n(SecurityEvent\\n | where AccountType =~ \\\"user\\\" or isempty(AccountType)\\n | where EventID in (4720, 4722, 4723, 4724, 4725, 4726, 4740)\\n | where Account_Win =~ SubjectAccount or Account_Sid =~ SubjectUserSid\\n | parse TargetAccount with TargetAccountNTDomain \u0027\\\\\\\\\u0027 TargetAccountName\\n | extend InitiatedByAccount = SubjectAccount, InitiatedByUserSid = SubjectUserSid, OperationName = tostring(EventID), ModifiedProperty = Activity\\n)\\n};\\nGetAccountActions(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_AadUserId}}\u0027, \u0027{{Account_Sid}}\u0027) \\n| where OperationName in~ (\u0027Add user\u0027, \u00274720\u0027) \\n| project InitiatedByAccount, TargetAccount, TargetSid, TargetAADUserId, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AuditLogs\"},{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AadUserId\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueryTemplates/e0459780-ac9d-4b72-8bd4-fecf6b46a0a1\",\"name\":\"e0459780-ac9d-4b72-8bd4-fecf6b46a0a1\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user has deleted an account\",\"content\":\"The user {{InitiatedByAccount}} has deleted the account {{TargetAccount}} {{Count}} time(s)\",\"description\":\"This activity displays account deletion events performed by the user\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (Account_Name:string, Account_NTDomain:string, Account_UPNSuffix:string, Account_AadUserId:string, Account_Sid:string){\\nlet Account_UPN = strcat(Account_Name, \u0027@\u0027, Account_UPNSuffix);\\nlet Account_Win = strcat(Account_NTDomain,\u0027\\\\\\\\\u0027, Account_Name);\\nunion isfuzzy=true\\n(AuditLogs\\n | where tostring(bag_keys(InitiatedBy)[0]) == \\\"user\\\"\\n | where OperationName in~ (\u0027Add user\u0027, \u0027Update user\u0027, \u0027Delete user\u0027, \u0027Change user password\u0027, \u0027Reset user password\u0027, \u0027Reset password (by admin)\u0027, \u0027Change password (self-service)\u0027, \u0027Reset password (self-service)\u0027)\\n | where Account_UPN =~ tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName) or Account_AadUserId =~ tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend InitiatedByAccount = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | parse InitiatedByAccount with userName:string \u0027@\u0027 userUpnSuffix:string\\n | extend InitiatedByAADUserId = tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend TargetAccount = tostring(TargetResources[0].userPrincipalName)\\n | parse TargetAccount with TargetAccountName:string \u0027@\u0027 TargetAccountUPNSuffix:string\\n | extend TargetAADUserId = tostring(TargetResources[0].id)\\n | extend Action = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[0])))\\n | extend ModifiedProperty = tostring(parse_json(Action).displayName), ModifiedValue = tostring(parse_json(Action).newValue)\\n | extend DisableUser = iif(ModifiedProperty =~ \u0027AccountEnabled\u0027 and ModifiedValue =~ \u0027[false]\u0027, \u0027True\u0027, \u0027False\u0027)\\n),\\n(SecurityEvent\\n | where AccountType =~ \\\"user\\\" or isempty(AccountType)\\n | where EventID in (4720, 4722, 4723, 4724, 4725, 4726, 4740)\\n | where Account_Win =~ SubjectAccount or Account_Sid =~ SubjectUserSid\\n | parse TargetAccount with TargetAccountNTDomain \u0027\\\\\\\\\u0027 TargetAccountName\\n | extend InitiatedByAccount = SubjectAccount, InitiatedByUserSid = SubjectUserSid, OperationName = tostring(EventID), ModifiedProperty = Activity\\n)\\n};\\nGetAccountActions(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_AadUserId}}\u0027, \u0027{{Account_Sid}}\u0027) \\n| where OperationName in~ (\u0027Delete user\u0027, \u00274726\u0027) \\n| project InitiatedByAccount, TargetAccount, TargetSid, TargetAADUserId, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AuditLogs\"},{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AadUserId\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueryTemplates/ad1f4269-5418-4c46-a3b6-4ec01031de60\",\"name\":\"ad1f4269-5418-4c46-a3b6-4ec01031de60\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user has reset an account\u0027s password\",\"content\":\"The password for account {{TargetAccount}} was reset by the user {{InitiatedByAccount}} {{Count}} time(s)\",\"description\":\"This activity displays password reset events performed by the user\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (Account_Name:string, Account_NTDomain:string, Account_UPNSuffix:string, Account_AadUserId:string, Account_Sid:string){\\nlet Account_UPN = strcat(Account_Name, \u0027@\u0027, Account_UPNSuffix);\\nlet Account_Win = strcat(Account_NTDomain,\u0027\\\\\\\\\u0027, Account_Name);\\nunion isfuzzy=true\\n(AuditLogs\\n | where tostring(bag_keys(InitiatedBy)[0]) == \\\"user\\\"\\n | where OperationName in~ (\u0027Add user\u0027, \u0027Update user\u0027, \u0027Delete user\u0027, \u0027Change user password\u0027, \u0027Reset user password\u0027, \u0027Reset password (by admin)\u0027, \u0027Change password (self-service)\u0027, \u0027Reset password (self-service)\u0027)\\n | where Account_UPN =~ tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName) or Account_AadUserId =~ tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend InitiatedByAccount = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | parse InitiatedByAccount with userName:string \u0027@\u0027 userUpnSuffix:string\\n | extend InitiatedByAADUserId = tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend TargetAccount = tostring(TargetResources[0].userPrincipalName)\\n | parse TargetAccount with TargetAccountName:string \u0027@\u0027 TargetAccountUPNSuffix:string\\n | extend TargetAADUserId = tostring(TargetResources[0].id)\\n | extend Action = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[0])))\\n | extend ModifiedProperty = tostring(parse_json(Action).displayName), ModifiedValue = tostring(parse_json(Action).newValue)\\n | extend DisableUser = iif(ModifiedProperty =~ \u0027AccountEnabled\u0027 and ModifiedValue =~ \u0027[false]\u0027, \u0027True\u0027, \u0027False\u0027)\\n),\\n(SecurityEvent\\n | where AccountType =~ \\\"user\\\" or isempty(AccountType)\\n | where EventID in (4720, 4722, 4723, 4724, 4725, 4726, 4740)\\n | where Account_Win =~ SubjectAccount or Account_Sid =~ SubjectUserSid\\n | parse TargetAccount with TargetAccountNTDomain \u0027\\\\\\\\\u0027 TargetAccountName\\n | extend InitiatedByAccount = SubjectAccount, InitiatedByUserSid = SubjectUserSid, OperationName = tostring(EventID), ModifiedProperty = Activity\\n)\\n};\\nGetAccountActions(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_AadUserId}}\u0027, \u0027{{Account_Sid}}\u0027) \\n| where OperationName in~ (\u0027Change user password\u0027, \u0027Reset user password\u0027, \u0027Change password (self-service)\u0027, \u0027Reset password (by admin)\u0027, \u0027Reset password (self-service)\u0027, \u00274724\u0027, \u00274723\u0027) \\n| project InitiatedByAccount, TargetAccount, TargetSid, TargetAADUserId, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AuditLogs\"},{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AadUserId\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueryTemplates/fde1b9cc-9480-4418-ae21-91723d16b24d\",\"name\":\"fde1b9cc-9480-4418-ae21-91723d16b24d\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user account was created\",\"content\":\"The user account {{TargetAccount}} was created\",\"description\":\"This activity displays the user account events for when it was created\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (Account_Name:string, Account_NTDomain:string, Account_UPNSuffix:string, Account_AadUserId:string, Account_Sid:string){\\nlet Account_UPN = strcat(Account_Name, \u0027@\u0027, Account_UPNSuffix);\\nlet Account_Win = strcat(Account_NTDomain,\u0027\\\\\\\\\u0027, Account_Name);\\nunion isfuzzy=true\\n(AuditLogs\\n | where tostring(bag_keys(InitiatedBy)[0]) == \\\"user\\\"\\n | where OperationName in~ (\u0027Add user\u0027, \u0027Update user\u0027, \u0027Delete user\u0027, \u0027Change user password\u0027, \u0027Reset user password\u0027, \u0027Reset password (by admin)\u0027, \u0027Change password (self-service)\u0027, \u0027Reset password (self-service)\u0027)\\n | where Account_UPN =~ tostring(TargetResources[0].userPrincipalName) or Account_AadUserId =~ tostring(TargetResources[0].id)\\n | extend InitiatedByAccount = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | parse InitiatedByAccount with userName:string \u0027@\u0027 userUpnSuffix:string\\n | extend InitiatedByAADUserId = tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend TargetAccount = tostring(TargetResources[0].userPrincipalName)\\n | parse TargetAccount with TargetAccountName:string \u0027@\u0027 TargetAccountUPNSuffix:string\\n | extend TargetAADUserId = tostring(TargetResources[0].id)\\n | extend Action = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[0])))\\n | extend ModifiedProperty = tostring(parse_json(Action).displayName), ModifiedValue = tostring(parse_json(Action).newValue)\\n | extend DisableUser = iif(ModifiedProperty =~ \u0027AccountEnabled\u0027 and ModifiedValue =~ \u0027[false]\u0027, \u0027True\u0027, \u0027False\u0027)\\n),\\n(SecurityEvent\\n | where AccountType =~ \\\"user\\\" or isempty(AccountType)\\n | where EventID in (4720, 4722, 4723, 4724, 4725, 4726, 4740)\\n | where Account_Win =~ TargetAccount or Account_Sid =~ TargetSid\\n | parse TargetAccount with TargetAccountNTDomain \u0027\\\\\\\\\u0027 TargetAccountName\\n | extend InitiatedByAccount = SubjectAccount, InitiatedByUserSid = SubjectUserSid, OperationName = tostring(EventID), ModifiedProperty = Activity\\n)\\n};\\nGetAccountActions(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_AadUserId}}\u0027, \u0027{{Account_Sid}}\u0027) \\n| where OperationName in~ (\u0027Add user\u0027, \u00274720\u0027) \\n| project TargetAccount, TargetSid, TargetAADUserId, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AuditLogs\"},{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AadUserId\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueryTemplates/b15901ba-8679-4f6a-b312-722031ab58f2\",\"name\":\"b15901ba-8679-4f6a-b312-722031ab58f2\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user account was deleted\",\"content\":\"The user account {{TargetAccount}} was deleted\",\"description\":\"This activity displays the user account events for when it was deleted\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (Account_Name:string, Account_NTDomain:string, Account_UPNSuffix:string, Account_AadUserId:string, Account_Sid:string){\\nlet Account_UPN = strcat(Account_Name, \u0027@\u0027, Account_UPNSuffix);\\nlet Account_Win = strcat(Account_NTDomain,\u0027\\\\\\\\\u0027, Account_Name);\\nunion isfuzzy=true\\n(AuditLogs\\n | where tostring(bag_keys(InitiatedBy)[0]) == \\\"user\\\"\\n | where OperationName in~ (\u0027Add user\u0027, \u0027Update user\u0027, \u0027Delete user\u0027, \u0027Change user password\u0027, \u0027Reset user password\u0027, \u0027Reset password (by admin)\u0027, \u0027Change password (self-service)\u0027, \u0027Reset password (self-service)\u0027)\\n | where Account_UPN =~ tostring(TargetResources[0].userPrincipalName) or Account_AadUserId =~ tostring(TargetResources[0].id)\\n | extend InitiatedByAccount = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | parse InitiatedByAccount with userName:string \u0027@\u0027 userUpnSuffix:string\\n | extend InitiatedByAADUserId = tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend TargetAccount = tostring(TargetResources[0].userPrincipalName)\\n | parse TargetAccount with TargetAccountName:string \u0027@\u0027 TargetAccountUPNSuffix:string\\n | extend TargetAADUserId = tostring(TargetResources[0].id)\\n | extend Action = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[0])))\\n | extend ModifiedProperty = tostring(parse_json(Action).displayName), ModifiedValue = tostring(parse_json(Action).newValue)\\n | extend DisableUser = iif(ModifiedProperty =~ \u0027AccountEnabled\u0027 and ModifiedValue =~ \u0027[false]\u0027, \u0027True\u0027, \u0027False\u0027)\\n),\\n(SecurityEvent\\n | where AccountType =~ \\\"user\\\" or isempty(AccountType)\\n | where EventID in (4720, 4722, 4723, 4724, 4725, 4726, 4740)\\n | where Account_Win =~ TargetAccount or Account_Sid =~ TargetSid\\n | parse TargetAccount with TargetAccountNTDomain \u0027\\\\\\\\\u0027 TargetAccountName\\n | extend InitiatedByAccount = SubjectAccount, InitiatedByUserSid = SubjectUserSid, OperationName = tostring(EventID), ModifiedProperty = Activity\\n)\\n};\\nGetAccountActions(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_AadUserId}}\u0027, \u0027{{Account_Sid}}\u0027) \\n| where OperationName in~ (\u0027Delete user\u0027, \u00274726\u0027) \\n| project TargetAccount, TargetSid, TargetAADUserId, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AuditLogs\"},{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AadUserId\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueryTemplates/c07d1d02-0a06-455e-add9-12c5a5e426f3\",\"name\":\"c07d1d02-0a06-455e-add9-12c5a5e426f3\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user account password was reset\",\"content\":\"The user account {{TargetAccount}} had a password reset\",\"description\":\"This activity displays the user account events for when the password was reset\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (Account_Name:string, Account_NTDomain:string, Account_UPNSuffix:string, Account_AadUserId:string, Account_Sid:string){\\nlet Account_UPN = strcat(Account_Name, \u0027@\u0027, Account_UPNSuffix);\\nlet Account_Win = strcat(Account_NTDomain,\u0027\\\\\\\\\u0027, Account_Name);\\nunion isfuzzy=true\\n(AuditLogs\\n | where tostring(bag_keys(InitiatedBy)[0]) == \\\"user\\\"\\n | where OperationName in~ (\u0027Add user\u0027, \u0027Update user\u0027, \u0027Delete user\u0027, \u0027Change user password\u0027, \u0027Reset user password\u0027, \u0027Reset password (by admin)\u0027, \u0027Change password (self-service)\u0027, \u0027Reset password (self-service)\u0027)\\n | where Account_UPN =~ tostring(TargetResources[0].userPrincipalName) or Account_AadUserId =~ tostring(TargetResources[0].id)\\n | extend InitiatedByAccount = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | parse InitiatedByAccount with userName:string \u0027@\u0027 userUpnSuffix:string\\n | extend InitiatedByAADUserId = tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend TargetAccount = tostring(TargetResources[0].userPrincipalName)\\n | parse TargetAccount with TargetAccountName:string \u0027@\u0027 TargetAccountUPNSuffix:string\\n | extend TargetAADUserId = tostring(TargetResources[0].id)\\n | extend Action = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[0])))\\n | extend ModifiedProperty = tostring(parse_json(Action).displayName), ModifiedValue = tostring(parse_json(Action).newValue)\\n | extend DisableUser = iif(ModifiedProperty =~ \u0027AccountEnabled\u0027 and ModifiedValue =~ \u0027[false]\u0027, \u0027True\u0027, \u0027False\u0027)\\n),\\n(SecurityEvent\\n | where AccountType =~ \\\"user\\\" or isempty(AccountType)\\n | where EventID in (4720, 4722, 4723, 4724, 4725, 4726, 4740)\\n | where Account_Win =~ TargetAccount or Account_Sid =~ TargetSid\\n | parse TargetAccount with TargetAccountNTDomain \u0027\\\\\\\\\u0027 TargetAccountName\\n | extend InitiatedByAccount = SubjectAccount, InitiatedByUserSid = SubjectUserSid, OperationName = tostring(EventID), ModifiedProperty = Activity\\n)\\n};\\nGetAccountActions(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_AadUserId}}\u0027, \u0027{{Account_Sid}}\u0027) \\n| where OperationName in~ (\u0027Change user password\u0027, \u0027Reset user password\u0027, \u0027Change password (self-service)\u0027, \u0027Reset password (by admin)\u0027, \u0027Reset password (self-service)\u0027, \u00274723\u0027, \u00274724\u0027) \\n| project TargetAccount, TargetSid, TargetAADUserId, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AuditLogs\"},{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AadUserId\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueryTemplates/5e9ecee5-e7a4-4a2a-94c4-9c0e22e1b673\",\"name\":\"5e9ecee5-e7a4-4a2a-94c4-9c0e22e1b673\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user consented to OAuth application\",\"content\":\"The user consented to the OAuth application named {{Target_CloudApplication_Name}} {{Count}} time(s)\",\"description\":\"This activity lists user\u0027s consents to an OAuth applications.\",\"queryDefinitions\":{\"query\":\"let UserConsentToApplication = (Account_Name:string, Account_UPNSuffix:string, Account_AadUserId:string){\\nlet account_upn = iff(Account_Name != \\\"\\\" and Account_UPNSuffix != \\\"\\\"\\n, strcat(Account_Name,\\\"@\\\",Account_UPNSuffix)\\n,\\\"\\\" );\\nAuditLogs\\n| where OperationName == \\\"Consent to application\\\"\\n| extend Source_Account_UPNSuffix = tostring(todynamic(InitiatedBy) [\\\"user\\\"][\\\"userPrincipalName\\\"]), Source_Account_AadUserId = tostring(todynamic(InitiatedBy) [\\\"user\\\"][\\\"id\\\"])\\n| where (account_upn != \\\"\\\" and account_upn =~ Source_Account_UPNSuffix) \\nor (Account_AadUserId != \\\"\\\" and Account_AadUserId =~ Source_Account_AadUserId)\\n| extend Target_CloudApplication_Name = tostring(todynamic(TargetResources)[0][\\\"displayName\\\"]), Target_CloudApplication_AppId = tostring(todynamic(TargetResources)[0][\\\"id\\\"])\\n};\\nUserConsentToApplication(\u0027{{Account_Name}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_AadUserId}}\u0027) \\n| project Target_CloudApplication_AppId, Target_CloudApplication_Name, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AuditLogs\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AadUserId\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueryTemplates/cab4058a-0707-4a02-b76f-cf96270823ed\",\"name\":\"cab4058a-0707-4a02-b76f-cf96270823ed\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"User performed operation on azure resource from IP\",\"content\":\"User performed operation {{OperationNameValue}} on azure resource: {{shortResourceId}} from IP {{Source_IP_Address}} {{Count}} time(s)\",\"description\":\"This activity lists the user\u0027s activities on Azure.\",\"queryDefinitions\":{\"query\":\"let AzureRunProcess = (Account_Name:string, Account_UPNSuffix:string,Account_AadUserId:string){\\nlet upn = strcat(Account_Name,\\\"@\\\",Account_UPNSuffix);\\nAzureActivity\\n| where (isnotempty(Account_AadUserId) and Caller =~ Account_AadUserId) or Caller =~ upn\\n| where OperationNameValue contains \\\"Run Command on Virtual Machine\\\"\\n or (OperationNameValue == \\\"List Storage Account Keys\\\" and ActivityStatusValue == \\\"Succeeded\\\")\\n or OperationNameValue == \\\"Create or Update Virtual Machine\\\"\\n or OperationNameValue == \\\"Create Deployment\\\"\\n or OperationNameValue == \\\"Create role assignment\\\"\\n| project-rename Target_AzureResource_ResourceId = _ResourceId, Source_IP_Address = CallerIpAddress\\n| extend shortResourceId = tostring(split(ResourceId,\u0027/\u0027)[-1])\\n};\\nAzureRunProcess(\u0027{{Account_Name}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_AadUserId}}\u0027) \\n| project Target_AzureResource_ResourceId, Source_IP_Address, shortResourceId, OperationNameValue, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AzureActivity\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AadUserId\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueryTemplates/febba410-e7d6-4c63-8fe5-2b93f448b7a1\",\"name\":\"febba410-e7d6-4c63-8fe5-2b93f448b7a1\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user has added accounts to a local privileged group\",\"content\":\"The user has added accounts to the local privileged group, {{TargetAccount}}, {{Count}} time(s)\",\"description\":\"This activity displays the user that added accounts to a local privileged group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalGroupSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownDomainGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForUser = (v_Account_Name:string, v_Account_NTDomain:string, v_Account_Sid:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n| where AccountType =~ \u0027User\u0027\\n| extend Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nSubjectUserName has \u0027@\u0027 and SubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nSubjectUserName has \u0027@\u0027, tostring(split(SubjectUserName, \u0027@\u0027)[0]),\\nSubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\\nSubjectUserName\\n)\\n| extend Account_NTDomain = case(\\nSubjectDomainName has \u0027\\\\\\\\\u0027, tostring(split(SubjectDomainName, \u0027\\\\\\\\\u0027)[0]),\\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nSubjectDomainName has \u0027@\u0027, tostring(split(tostring(split(SubjectDomainName, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nSubjectDomainName\\n)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName)\\n| extend MemberNameMatch = iff(isnotempty(v_Account_Name) and MemberAdded has v_Account_Name, true, false)\\n| extend MemberNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and MemberAdded has v_Account_NTDomain, true, false)\\n| extend MemberSidMatch = iff(isnotempty(v_Account_Sid) and MemberSid =~ v_Account_Sid, true, false)\\n| extend SubjectNameMatch = iff(isnotempty(v_Account_Name) and SubjectUserName =~ v_Account_Name, true, false)\\n| extend SubjectNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and SubjectDomainName =~ v_Account_NTDomain, true, false)\\n| extend SubjectSidMatch = iff(isnotempty(v_Account_Sid) and SubjectUserSid has v_Account_Sid, true, false)\\n| where (MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true or (SubjectNameMatch == true and SubjectNTDomainMatch == true) or SubjectSidMatch == true\\n| project TimeGenerated, EventID, Activity, Computer, MemberName, MemberAdded, MemberSid, TargetAccount, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectAccount, SubjectDomainName, SubjectUserName, SubjectUserSid, WellKnownDomainGroupSID, WellKnownLocalGroupSID,\\nMemberNameMatch, MemberNTDomainMatch, MemberSidMatch, SubjectNameMatch, SubjectNTDomainMatch, SubjectSidMatch\\n| extend GroupName = TargetUserName, AddedBy = SubjectAccount\\n//support for Activities\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount\\n};\\nGetGroupAddForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_Sid}}\u0027) \\n| where ((MemberNameMatch == false and MemberNTDomainMatch == false) or MemberSidMatch == false) and TargetSid matches regex WellKnownLocalGroupSID | where TargetSid !in (\u0027S-1-5-32-555\u0027) \\n| project SubjectAccount, TargetAccount, TargetSid, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueryTemplates/0e98c61c-6ae0-4e13-8071-d807dc25082a\",\"name\":\"0e98c61c-6ae0-4e13-8071-d807dc25082a\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user has added accounts to a domain privileged group\",\"content\":\"The user has added accounts to the domain privileged group, {{TargetAccount}}, {{Count}} time(s)\",\"description\":\"This activity displays the user that added accounts to a domain privileged group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalGroupSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownDomainGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForUser = (v_Account_Name:string, v_Account_NTDomain:string, v_Account_Sid:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n| where AccountType =~ \u0027User\u0027\\n| extend Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nSubjectUserName has \u0027@\u0027 and SubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nSubjectUserName has \u0027@\u0027, tostring(split(SubjectUserName, \u0027@\u0027)[0]),\\nSubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\\nSubjectUserName\\n)\\n| extend Account_NTDomain = case(\\nSubjectDomainName has \u0027\\\\\\\\\u0027, tostring(split(SubjectDomainName, \u0027\\\\\\\\\u0027)[0]),\\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nSubjectDomainName has \u0027@\u0027, tostring(split(tostring(split(SubjectDomainName, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nSubjectDomainName\\n)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName)\\n| extend MemberNameMatch = iff(isnotempty(v_Account_Name) and MemberAdded has v_Account_Name, true, false)\\n| extend MemberNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and MemberAdded has v_Account_NTDomain, true, false)\\n| extend MemberSidMatch = iff(isnotempty(v_Account_Sid) and MemberSid =~ v_Account_Sid, true, false)\\n| extend SubjectNameMatch = iff(isnotempty(v_Account_Name) and SubjectUserName =~ v_Account_Name, true, false)\\n| extend SubjectNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and SubjectDomainName =~ v_Account_NTDomain, true, false)\\n| extend SubjectSidMatch = iff(isnotempty(v_Account_Sid) and SubjectUserSid has v_Account_Sid, true, false)\\n| where (MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true or (SubjectNameMatch == true and SubjectNTDomainMatch == true) or SubjectSidMatch == true\\n| project TimeGenerated, EventID, Activity, Computer, MemberName, MemberAdded, MemberSid, TargetAccount, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectAccount, SubjectDomainName, SubjectUserName, SubjectUserSid, WellKnownDomainGroupSID, WellKnownLocalGroupSID,\\nMemberNameMatch, MemberNTDomainMatch, MemberSidMatch, SubjectNameMatch, SubjectNTDomainMatch, SubjectSidMatch\\n| extend GroupName = TargetUserName, AddedBy = SubjectAccount\\n//support for Activities\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount\\n};\\nGetGroupAddForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_Sid}}\u0027) \\n| where ((MemberNameMatch == false and MemberNTDomainMatch == false) or MemberSidMatch == false) and TargetSid matches regex WellKnownDomainGroupSID \\n| project SubjectAccount, TargetAccount, TargetSid, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueryTemplates/0caf9819-3269-48ac-b162-eeee638e4aa9\",\"name\":\"0caf9819-3269-48ac-b162-eeee638e4aa9\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"This user was added to a local privileged group\",\"content\":\"This user was added to the local privileged group {{TargetAccount}}, {{Count}} time(s)\",\"description\":\"This activity displays that this user was added to a local privileged group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalGroupSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownDomainGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForUser = (v_Account_Name:string, v_Account_NTDomain:string, v_Account_Sid:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n| where AccountType =~ \u0027User\u0027\\n| extend Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nSubjectUserName has \u0027@\u0027 and SubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nSubjectUserName has \u0027@\u0027, tostring(split(SubjectUserName, \u0027@\u0027)[0]),\\nSubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\\nSubjectUserName\\n)\\n| extend Account_NTDomain = case(\\nSubjectDomainName has \u0027\\\\\\\\\u0027, tostring(split(SubjectDomainName, \u0027\\\\\\\\\u0027)[0]),\\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nSubjectDomainName has \u0027@\u0027, tostring(split(tostring(split(SubjectDomainName, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nSubjectDomainName\\n)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName)\\n| extend MemberNameMatch = iff(isnotempty(v_Account_Name) and MemberAdded has v_Account_Name, true, false)\\n| extend MemberNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and MemberAdded has v_Account_NTDomain, true, false)\\n| extend MemberSidMatch = iff(isnotempty(v_Account_Sid) and MemberSid =~ v_Account_Sid, true, false)\\n| extend SubjectNameMatch = iff(isnotempty(v_Account_Name) and SubjectUserName =~ v_Account_Name, true, false)\\n| extend SubjectNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and SubjectDomainName =~ v_Account_NTDomain, true, false)\\n| extend SubjectSidMatch = iff(isnotempty(v_Account_Sid) and SubjectUserSid has v_Account_Sid, true, false)\\n| where (MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true or (SubjectNameMatch == true and SubjectNTDomainMatch == true) or SubjectSidMatch == true\\n| project TimeGenerated, EventID, Activity, Computer, MemberName, MemberAdded, MemberSid, TargetAccount, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectAccount, SubjectDomainName, SubjectUserName, SubjectUserSid, WellKnownDomainGroupSID, WellKnownLocalGroupSID,\\nMemberNameMatch, MemberNTDomainMatch, MemberSidMatch, SubjectNameMatch, SubjectNTDomainMatch, SubjectSidMatch\\n| extend GroupName = TargetUserName, AddedBy = SubjectAccount\\n//support for Activities\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount\\n};\\nGetGroupAddForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_Sid}}\u0027) \\n| where ((MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true) and TargetSid matches regex WellKnownLocalGroupSID | where TargetSid !in (\u0027S-1-5-32-555\u0027) \\n| project SubjectAccount, TargetAccount, TargetSid, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueryTemplates/d57681e4-18e6-459f-b61d-4d4a1f205b70\",\"name\":\"d57681e4-18e6-459f-b61d-4d4a1f205b70\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"This user was added to a domain privileged group\",\"content\":\"This user was added to the domain privileged group {{TargetAccount}}\",\"description\":\"This activity displays that this user was added to a domain privileged group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalGroupSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownDomainGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForUser = (v_Account_Name:string, v_Account_NTDomain:string, v_Account_Sid:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n| where AccountType =~ \u0027User\u0027\\n| extend Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nSubjectUserName has \u0027@\u0027 and SubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nSubjectUserName has \u0027@\u0027, tostring(split(SubjectUserName, \u0027@\u0027)[0]),\\nSubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\\nSubjectUserName\\n)\\n| extend Account_NTDomain = case(\\nSubjectDomainName has \u0027\\\\\\\\\u0027, tostring(split(SubjectDomainName, \u0027\\\\\\\\\u0027)[0]),\\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nSubjectDomainName has \u0027@\u0027, tostring(split(tostring(split(SubjectDomainName, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nSubjectDomainName\\n)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName)\\n| extend MemberNameMatch = iff(isnotempty(v_Account_Name) and MemberAdded has v_Account_Name, true, false)\\n| extend MemberNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and MemberAdded has v_Account_NTDomain, true, false)\\n| extend MemberSidMatch = iff(isnotempty(v_Account_Sid) and MemberSid =~ v_Account_Sid, true, false)\\n| extend SubjectNameMatch = iff(isnotempty(v_Account_Name) and SubjectUserName =~ v_Account_Name, true, false)\\n| extend SubjectNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and SubjectDomainName =~ v_Account_NTDomain, true, false)\\n| extend SubjectSidMatch = iff(isnotempty(v_Account_Sid) and SubjectUserSid has v_Account_Sid, true, false)\\n| where (MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true or (SubjectNameMatch == true and SubjectNTDomainMatch == true) or SubjectSidMatch == true\\n| project TimeGenerated, EventID, Activity, Computer, MemberName, MemberAdded, MemberSid, TargetAccount, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectAccount, SubjectDomainName, SubjectUserName, SubjectUserSid, WellKnownDomainGroupSID, WellKnownLocalGroupSID,\\nMemberNameMatch, MemberNTDomainMatch, MemberSidMatch, SubjectNameMatch, SubjectNTDomainMatch, SubjectSidMatch\\n| extend GroupName = TargetUserName, AddedBy = SubjectAccount\\n//support for Activities\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount\\n};\\nGetGroupAddForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_Sid}}\u0027) \\n| where ((MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true) and TargetSid matches regex WellKnownDomainGroupSID \\n| project SubjectAccount, TargetAccount, TargetSid, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueryTemplates/5ae2baf4-de7b-40f0-a861-8852266bfcd0\",\"name\":\"5ae2baf4-de7b-40f0-a861-8852266bfcd0\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user has added accounts to the Remote Desktop Users group\",\"content\":\"The user has added accounts to the {{TargetAccount}}, {{Count}} time(s)\",\"description\":\"This activity displays the user that added accounts to Remote Desktop group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalGroupSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownDomainGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForUser = (v_Account_Name:string, v_Account_NTDomain:string, v_Account_Sid:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n| where AccountType =~ \u0027User\u0027\\n| extend Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nSubjectUserName has \u0027@\u0027 and SubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nSubjectUserName has \u0027@\u0027, tostring(split(SubjectUserName, \u0027@\u0027)[0]),\\nSubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\\nSubjectUserName\\n)\\n| extend Account_NTDomain = case(\\nSubjectDomainName has \u0027\\\\\\\\\u0027, tostring(split(SubjectDomainName, \u0027\\\\\\\\\u0027)[0]),\\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nSubjectDomainName has \u0027@\u0027, tostring(split(tostring(split(SubjectDomainName, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nSubjectDomainName\\n)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName)\\n| extend MemberNameMatch = iff(isnotempty(v_Account_Name) and MemberAdded has v_Account_Name, true, false)\\n| extend MemberNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and MemberAdded has v_Account_NTDomain, true, false)\\n| extend MemberSidMatch = iff(isnotempty(v_Account_Sid) and MemberSid =~ v_Account_Sid, true, false)\\n| extend SubjectNameMatch = iff(isnotempty(v_Account_Name) and SubjectUserName =~ v_Account_Name, true, false)\\n| extend SubjectNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and SubjectDomainName =~ v_Account_NTDomain, true, false)\\n| extend SubjectSidMatch = iff(isnotempty(v_Account_Sid) and SubjectUserSid has v_Account_Sid, true, false)\\n| where (MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true or (SubjectNameMatch == true and SubjectNTDomainMatch == true) or SubjectSidMatch == true\\n| project TimeGenerated, EventID, Activity, Computer, MemberName, MemberAdded, MemberSid, TargetAccount, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectAccount, SubjectDomainName, SubjectUserName, SubjectUserSid, WellKnownDomainGroupSID, WellKnownLocalGroupSID,\\nMemberNameMatch, MemberNTDomainMatch, MemberSidMatch, SubjectNameMatch, SubjectNTDomainMatch, SubjectSidMatch\\n| extend GroupName = TargetUserName, AddedBy = SubjectAccount\\n//support for Activities\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount\\n};\\nGetGroupAddForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_Sid}}\u0027) \\n| where ((MemberNameMatch == false and MemberNTDomainMatch == false) or MemberSidMatch == false) and TargetSid in (\u0027S-1-5-32-555\u0027) \\n| project SubjectAccount, TargetAccount, TargetSid, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueryTemplates/60ef2e21-5f90-48bf-9bbc-d2a1829c3861\",\"name\":\"60ef2e21-5f90-48bf-9bbc-d2a1829c3861\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"This user was added to the Remote Desktop Users group\",\"content\":\"This user was added to the {{TargetAccount}} group\",\"description\":\"This activity displays that this user was added to the Remote Desktop group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalGroupSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownDomainGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForUser = (v_Account_Name:string, v_Account_NTDomain:string, v_Account_Sid:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n| where AccountType =~ \u0027User\u0027\\n| extend Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nSubjectUserName has \u0027@\u0027 and SubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nSubjectUserName has \u0027@\u0027, tostring(split(SubjectUserName, \u0027@\u0027)[0]),\\nSubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\\nSubjectUserName\\n)\\n| extend Account_NTDomain = case(\\nSubjectDomainName has \u0027\\\\\\\\\u0027, tostring(split(SubjectDomainName, \u0027\\\\\\\\\u0027)[0]),\\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nSubjectDomainName has \u0027@\u0027, tostring(split(tostring(split(SubjectDomainName, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nSubjectDomainName\\n)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName)\\n| extend MemberNameMatch = iff(isnotempty(v_Account_Name) and MemberAdded has v_Account_Name, true, false)\\n| extend MemberNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and MemberAdded has v_Account_NTDomain, true, false)\\n| extend MemberSidMatch = iff(isnotempty(v_Account_Sid) and MemberSid =~ v_Account_Sid, true, false)\\n| extend SubjectNameMatch = iff(isnotempty(v_Account_Name) and SubjectUserName =~ v_Account_Name, true, false)\\n| extend SubjectNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and SubjectDomainName =~ v_Account_NTDomain, true, false)\\n| extend SubjectSidMatch = iff(isnotempty(v_Account_Sid) and SubjectUserSid has v_Account_Sid, true, false)\\n| where (MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true or (SubjectNameMatch == true and SubjectNTDomainMatch == true) or SubjectSidMatch == true\\n| project TimeGenerated, EventID, Activity, Computer, MemberName, MemberAdded, MemberSid, TargetAccount, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectAccount, SubjectDomainName, SubjectUserName, SubjectUserSid, WellKnownDomainGroupSID, WellKnownLocalGroupSID,\\nMemberNameMatch, MemberNTDomainMatch, MemberSidMatch, SubjectNameMatch, SubjectNTDomainMatch, SubjectSidMatch\\n| extend GroupName = TargetUserName, AddedBy = SubjectAccount\\n//support for Activities\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount\\n};\\nGetGroupAddForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_Sid}}\u0027) \\n| where ((MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true) and TargetSid in (\u0027S-1-5-32-555\u0027) \\n| project SubjectAccount, TargetAccount, TargetSid, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueryTemplates/bf56473d-b9bd-4eb1-96d0-8569ec7a9003\",\"name\":\"bf56473d-b9bd-4eb1-96d0-8569ec7a9003\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user has added an account to a security group\",\"content\":\"The user has added {{MemberAdded}} to the {{TargetAccount}} group\",\"description\":\"This activity displays the user that added an account and the account that was added to a security group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalGroupSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownDomainGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForUser = (v_Account_Name:string, v_Account_NTDomain:string, v_Account_Sid:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n| where AccountType =~ \u0027User\u0027\\n| extend Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nSubjectUserName has \u0027@\u0027 and SubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nSubjectUserName has \u0027@\u0027, tostring(split(SubjectUserName, \u0027@\u0027)[0]),\\nSubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\\nSubjectUserName\\n)\\n| extend Account_NTDomain = case(\\nSubjectDomainName has \u0027\\\\\\\\\u0027, tostring(split(SubjectDomainName, \u0027\\\\\\\\\u0027)[0]),\\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nSubjectDomainName has \u0027@\u0027, tostring(split(tostring(split(SubjectDomainName, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nSubjectDomainName\\n)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName)\\n| extend MemberNameMatch = iff(isnotempty(v_Account_Name) and MemberAdded has v_Account_Name, true, false)\\n| extend MemberNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and MemberAdded has v_Account_NTDomain, true, false)\\n| extend MemberSidMatch = iff(isnotempty(v_Account_Sid) and MemberSid =~ v_Account_Sid, true, false)\\n| extend SubjectNameMatch = iff(isnotempty(v_Account_Name) and SubjectUserName =~ v_Account_Name, true, false)\\n| extend SubjectNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and SubjectDomainName =~ v_Account_NTDomain, true, false)\\n| extend SubjectSidMatch = iff(isnotempty(v_Account_Sid) and SubjectUserSid has v_Account_Sid, true, false)\\n| where (MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true or (SubjectNameMatch == true and SubjectNTDomainMatch == true) or SubjectSidMatch == true\\n| project TimeGenerated, EventID, Activity, Computer, MemberName, MemberAdded, MemberSid, TargetAccount, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectAccount, SubjectDomainName, SubjectUserName, SubjectUserSid, WellKnownDomainGroupSID, WellKnownLocalGroupSID,\\nMemberNameMatch, MemberNTDomainMatch, MemberSidMatch, SubjectNameMatch, SubjectNTDomainMatch, SubjectSidMatch\\n| extend GroupName = TargetUserName, AddedBy = SubjectAccount\\n//support for Activities\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount\\n};\\nGetGroupAddForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_Sid}}\u0027) \\n| where ((SubjectNameMatch == true and SubjectNTDomainMatch == true) or SubjectSidMatch == true) and not(TargetSid matches regex WellKnownLocalGroupSID or TargetSid matches regex WellKnownDomainGroupSID) \\n| project SubjectAccount, MemberAdded, TargetAccount, TargetSid, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueryTemplates/252c9ad7-2957-43cd-8f33-4ac4bb56e119\",\"name\":\"252c9ad7-2957-43cd-8f33-4ac4bb56e119\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"This user was added to a security group\",\"content\":\"This user was added to the {{TargetAccount}} group, {{Count}} time(s)\",\"description\":\"This activity displays that this user was added to a security group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalGroupSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownDomainGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForUser = (v_Account_Name:string, v_Account_NTDomain:string, v_Account_Sid:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n| where AccountType =~ \u0027User\u0027\\n| extend Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nSubjectUserName has \u0027@\u0027 and SubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nSubjectUserName has \u0027@\u0027, tostring(split(SubjectUserName, \u0027@\u0027)[0]),\\nSubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\\nSubjectUserName\\n)\\n| extend Account_NTDomain = case(\\nSubjectDomainName has \u0027\\\\\\\\\u0027, tostring(split(SubjectDomainName, \u0027\\\\\\\\\u0027)[0]),\\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nSubjectDomainName has \u0027@\u0027, tostring(split(tostring(split(SubjectDomainName, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nSubjectDomainName\\n)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName)\\n| extend MemberNameMatch = iff(isnotempty(v_Account_Name) and MemberAdded has v_Account_Name, true, false)\\n| extend MemberNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and MemberAdded has v_Account_NTDomain, true, false)\\n| extend MemberSidMatch = iff(isnotempty(v_Account_Sid) and MemberSid =~ v_Account_Sid, true, false)\\n| extend SubjectNameMatch = iff(isnotempty(v_Account_Name) and SubjectUserName =~ v_Account_Name, true, false)\\n| extend SubjectNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and SubjectDomainName =~ v_Account_NTDomain, true, false)\\n| extend SubjectSidMatch = iff(isnotempty(v_Account_Sid) and SubjectUserSid has v_Account_Sid, true, false)\\n| where (MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true or (SubjectNameMatch == true and SubjectNTDomainMatch == true) or SubjectSidMatch == true\\n| project TimeGenerated, EventID, Activity, Computer, MemberName, MemberAdded, MemberSid, TargetAccount, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectAccount, SubjectDomainName, SubjectUserName, SubjectUserSid, WellKnownDomainGroupSID, WellKnownLocalGroupSID,\\nMemberNameMatch, MemberNTDomainMatch, MemberSidMatch, SubjectNameMatch, SubjectNTDomainMatch, SubjectSidMatch\\n| extend GroupName = TargetUserName, AddedBy = SubjectAccount\\n//support for Activities\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount\\n};\\nGetGroupAddForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_Sid}}\u0027) \\n| where ((MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true) and not(TargetSid matches regex WellKnownLocalGroupSID or TargetSid matches regex WellKnownDomainGroupSID) \\n| project SubjectAccount, TargetAccount, TargetSid, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueryTemplates/1f82f263-d694-469a-9717-1b3edf9d3bb2\",\"name\":\"1f82f263-d694-469a-9717-1b3edf9d3bb2\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user acted on another accounts mailbox\",\"content\":\"The user acted on mailbox {{MailboxOwnerUPN}} {{Count}} time(s)\",\"description\":\"This activity lists user\u0027s activities on others\u0027 mailbox\",\"queryDefinitions\":{\"query\":\"let TLQ_UserActedOnForeignMailbox = (Account_Name:string, Account_UPNSuffix:string, account_sid:string){\\nlet account_upn = iff(Account_Name!=\\\"\\\" and Account_UPNSuffix != \\\"\\\"\\n,strcat(Account_Name,\\\"@\\\",Account_UPNSuffix)\\n,\\\"\\\");\\nOfficeActivity\\n| where RecordType == \\\"ExchangeItem\\\" and UserType ==\\\"Regular\\\" and Operation !contains \\\"InboxRule\\\"\\n| where LogonUserSid != MailboxOwnerSid \\n| where ((account_sid != \\\"\\\" and LogonUserSid =~ account_sid)\\n or ( account_upn != \\\"\\\" and UserId =~ account_upn ))\\n};\\nTLQ_UserActedOnForeignMailbox(\u0027{{Account_Name}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_Sid}}\u0027) \\n| project MailboxOwnerSid, MailboxOwnerUPN, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"OfficeActivity\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueryTemplates/e480efd0-016d-428e-b892-84b9d586d004\",\"name\":\"e480efd0-016d-428e-b892-84b9d586d004\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user modified inbox rules on another accounts mailbox\",\"content\":\"User Modified {{Count}} inbox rules on {{MailboxOwnerUPN}}\u0027s Mailbox\",\"description\":\"User modified inbox rules on a mailbox\",\"queryDefinitions\":{\"query\":\"let ruleChangeRecordTypes = dynamic( [\\\"ExchangeAdmin\\\", \\\"ExchangeItem\\\"]);\\nlet TLQ_UserModifiedinboxRules = (Account_Name: string, Account_UPNSuffix: string, Account_Sid: string){\\nlet upn = iff(Account_Name != \\\"\\\" and Account_UPNSuffix != \\\"\\\"\\n, strcat(Account_Name, \\\"@\\\", Account_UPNSuffix)\\n, \\\"\\\");\\nOfficeActivity\\n| where RecordType in~ (ruleChangeRecordTypes) and Operation contains \\\"InboxRule\\\"\\n| where((Account_Sid != \\\"\\\" and LogonUserSid == Account_Sid)\\nor(upn != \\\"\\\" and UserId == upn )\\n)\\n};\\nTLQ_UserModifiedinboxRules(\u0027{{Account_Name}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_Sid}}\u0027) \\n| project MailboxOwnerSid, MailboxOwnerUPN, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"OfficeActivity\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueryTemplates/0eabec03-51e7-4909-b0cb-1adc76759e93\",\"name\":\"0eabec03-51e7-4909-b0cb-1adc76759e93\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"User uploaded files to SharePoint\",\"content\":\"User uploaded {{Count}} file(s) To SharePoint from {{Source_IP_Address}}\",\"description\":\"This activity lists the user\u0027s SharePoint uploads.\",\"queryDefinitions\":{\"query\":\"let TLQ_UserUploadFiles = (Account_Name:string, Account_UPNSuffix:string){\\nlet upn = strcat(Account_Name,\\\"@\\\",Account_UPNSuffix);\\nOfficeActivity\\n| where RecordType =~ \\\"SharePointFileOperation\\\" and Operation in~ (\\\"FileUploaded\\\", \\\"FileDownloaded\\\")\\n| where upn =~UserId\\n| extend Subject_File_Directory = tostring(split(OfficeObjectId,SourceFileName)[0])\\n| project-rename Source_IP_Address = ClientIP\\n};\\nTLQ_UserUploadFiles(\u0027{{Account_Name}}\u0027, \u0027{{Account_UPNSuffix}}\u0027) \\n| where Operation =~ \\\"FileUploaded\\\" \\n| project Source_IP_Address, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"OfficeActivity\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_UPNSuffix\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueryTemplates/df564e7b-bf6d-4dc4-a32d-79b00bd2cc7b\",\"name\":\"df564e7b-bf6d-4dc4-a32d-79b00bd2cc7b\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"User downloaded files from SharePoint\",\"content\":\"User downloaded {{Count}} File(s) from SharePoint from {{Source_IP_Address}}\",\"description\":\"This activity lists the user\u0027s SharePoint downloads.\",\"queryDefinitions\":{\"query\":\"let TLQ_UserUploadFiles = (Account_Name:string, Account_UPNSuffix:string){\\nlet upn = strcat(Account_Name,\\\"@\\\",Account_UPNSuffix);\\nOfficeActivity\\n| where RecordType =~ \\\"SharePointFileOperation\\\" and Operation in~ (\\\"FileUploaded\\\", \\\"FileDownloaded\\\")\\n| where upn =~UserId\\n| extend Subject_File_Directory = tostring(split(OfficeObjectId,SourceFileName)[0])\\n| project-rename Source_IP_Address = ClientIP\\n};\\nTLQ_UserUploadFiles(\u0027{{Account_Name}}\u0027, \u0027{{Account_UPNSuffix}}\u0027) \\n| where Operation =~ \\\"FileDownloaded\\\" \\n| project Source_IP_Address, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"OfficeActivity\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_UPNSuffix\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueryTemplates/0f328f28-7e21-4596-b71c-54309fee5551\",\"name\":\"0f328f28-7e21-4596-b71c-54309fee5551\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user signed in to an Azure resource\",\"content\":\"The user signed in to {{shortResourceId}} {{Count}} time(s)\",\"description\":\"This activity lists user\u0027s sign ins to Azure Resources\",\"queryDefinitions\":{\"query\":\"let SignInsByResource = (Account_Name:string, Account_UPNSuffix:string, Account_AadUserId:string){\\nlet acc_upn = iff(Account_Name != \\\"\\\" and Account_UPNSuffix != \\\"\\\" ,strcat(Account_Name,\\\"@\\\" ,Account_UPNSuffix),\\\"\\\");\\nSigninLogs\\n| where (acc_upn != \\\"\\\" and UserPrincipalName =~ acc_upn) or\\n   (Account_AadUserId != \\\"\\\" and Account_AadUserId =~ UserId) // UserPrincipalName, UserId\\n| extend shortResourceId = tostring(split(ResourceId,\\\"/\\\")[-1])\\n};\\nSignInsByResource(\u0027{{Account_Name}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_AadUserId}}\u0027) \\n| project shortResourceId, ResourceId, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SigninLogs\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AadUserId\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueryTemplates/0d4ec12e-e44a-40a4-bb87-3db84d2a8057\",\"name\":\"0d4ec12e-e44a-40a4-bb87-3db84d2a8057\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Interactive log-ins to a host\",\"content\":\"The user {{Account_Name}} logged on to host {{Computer}} {{Count}} time(s)\",\"description\":\"This activity lists the user\u0027s interactive log-ins grouped by Host.\",\"queryDefinitions\":{\"query\":\"let GetAllLogonsForUser = (v_Account_Name:string, v_Account_NTDomain:string){\\nlet AllEvents = SecurityEvent\\n| extend p_Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nv_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nv_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\nv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\nv_Account_Name\\n)\\n| extend p_Account_NTDomain = case(\\nv_Account_NTDomain has \u0027\\\\\\\\\u0027, tostring(split(v_Account_NTDomain, \u0027\\\\\\\\\u0027)[0]), \\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nv_Account_NTDomain has \u0027@\u0027, tostring(split(tostring(split(v_Account_NTDomain, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nv_Account_NTDomain\\n)\\n| where EventID in (4624, 4625, 4672)\\n| where AccountType =~ \u0027User\u0027\\n| where TargetUserName =~ p_Account_Name and TargetDomainName =~ p_Account_NTDomain\\n| extend PassedInAccountName = p_Account_Name, PassedInNTDomain = p_Account_NTDomain, RelatedRowSet = \u0027AllEvents\u0027\\n| extend HourOfLogin = hourofday(TimeGenerated), DayNumberofWeek = dayofweek(TimeGenerated)\\n| extend DayofWeek = case(\\nDayNumberofWeek == \\\"00:00:00\\\", \\\"Sunday\\\", \\nDayNumberofWeek == \\\"1.00:00:00\\\", \\\"Monday\\\", \\nDayNumberofWeek == \\\"2.00:00:00\\\", \\\"Tuesday\\\", \\nDayNumberofWeek == \\\"3.00:00:00\\\", \\\"Wednesday\\\", \\nDayNumberofWeek == \\\"4.00:00:00\\\", \\\"Thursday\\\", \\nDayNumberofWeek == \\\"5.00:00:00\\\", \\\"Friday\\\", \\nDayNumberofWeek == \\\"6.00:00:00\\\", \\\"Saturday\\\",\\\"InvalidTimeStamp\\\")\\n// map the most common ntstatus codes\\n| extend StatusDesc = case(\\nStatus =~ \\\"0x80090302\\\", \\\"SEC_E_UNSUPPORTED_FUNCTION\\\",\\nStatus =~ \\\"0x80090308\\\", \\\"SEC_E_INVALID_TOKEN\\\",\\nStatus =~ \\\"0x8009030E\\\", \\\"SEC_E_NO_CREDENTIALS\\\",\\nStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nStatus =~ \\\"0xC0000017\\\", \\\"STATUS_NO_MEMORY\\\",\\nStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nStatus =~ \\\"0xC0000034\\\", \\\"STATUS_OBJECT_NAME_NOT_FOUND\\\",\\nStatus =~ \\\"0xC000005E\\\", \\\"STATUS_NO_LOGON_SERVERS\\\",\\nStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nStatus =~ \\\"0xC00000FE\\\", \\\"STATUS_NO_SUCH_PACKAGE\\\",\\nStatus =~ \\\"0xC000009A\\\", \\\"STATUS_INSUFFICIENT_RESOURCES\\\",\\nStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nStatus =~ \\\"0xC0000106\\\", \\\"STATUS_NAME_TOO_LONG\\\",\\nStatus =~ \\\"0xC000010B\\\", \\\"STATUS_INVALID_LOGON_TYPE\\\",\\nStatus =~ \\\"0xC000015B\\\", \\\"STATUS_LOGON_TYPE_NOT_GRANTED\\\",\\nStatus =~ \\\"0xC000018B\\\", \\\"STATUS_NO_TRUST_SAM_ACCOUNT\\\",\\nStatus =~ \\\"0xC0000224\\\", \\\"STATUS_PASSWORD_MUST_CHANGE\\\",\\nStatus =~ \\\"0xC0000234\\\", \\\"STATUS_ACCOUNT_LOCKED_OUT\\\",\\nStatus =~ \\\"0xC00002EE\\\", \\\"STATUS_UNFINISHED_CONTEXT_DELETED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| extend SubStatusDesc = case(\\nSubStatus =~ \\\"0x80090325\\\", \\\"SEC_E_UNTRUSTED_ROOT\\\",\\nSubStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nSubStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nSubStatus =~ \\\"0xC0000064\\\", \\\"STATUS_NO_SUCH_USER\\\",\\nSubStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nSubStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nSubStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nSubStatus =~ \\\"0xC000006F\\\", \\\"STATUS_INVALID_LOGON_HOURS\\\",\\nSubStatus =~ \\\"0xC0000070\\\", \\\"STATUS_INVALID_WORKSTATION\\\",\\nSubStatus =~ \\\"0xC0000071\\\", \\\"STATUS_PASSWORD_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000072\\\", \\\"STATUS_ACCOUNT_DISABLED\\\",\\nSubStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nSubStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nSubStatus =~ \\\"0xC0000133\\\", \\\"STATUS_TIME_DIFFERENCE_AT_DC\\\",\\nSubStatus =~ \\\"0xC000018D\\\", \\\"STATUS_TRUSTED_RELATIONSHIP_FAILURE\\\",\\nSubStatus =~ \\\"0xC0000193\\\", \\\"STATUS_ACCOUNT_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000380\\\", \\\"STATUS_SMARTCARD_WRONG_PIN\\\",\\nSubStatus =~ \\\"0xC0000381\\\", \\\"STATUS_SMARTCARD_CARD_BLOCKED\\\",\\nSubStatus =~ \\\"0xC0000382\\\", \\\"STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED\\\",\\nSubStatus =~ \\\"0xC0000383\\\", \\\"STATUS_SMARTCARD_NO_CARD\\\",\\nSubStatus =~ \\\"0xC0000384\\\", \\\"STATUS_SMARTCARD_NO_KEY_CONTAINER\\\",\\nSubStatus =~ \\\"0xC0000385\\\", \\\"STATUS_SMARTCARD_NO_CERTIFICATE\\\",\\nSubStatus =~ \\\"0xC0000386\\\", \\\"STATUS_SMARTCARD_NO_KEYSET\\\",\\nSubStatus =~ \\\"0xC0000387\\\", \\\"STATUS_SMARTCARD_IO_ERROR\\\",\\nSubStatus =~ \\\"0xC0000388\\\", \\\"STATUS_DOWNGRADE_DETECTED\\\",\\nSubStatus =~ \\\"0xC0000389\\\", \\\"STATUS_SMARTCARD_CERT_REVOKED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| project StartTime = TimeGenerated, DayofWeek, HourOfLogin, EventID, Activity, IpAddress, WorkstationName, Computer, TargetUserName, TargetDomainName, ProcessName, SubjectUserName, PrivilegeList, PassedInAccountName, PassedInNTDomain, LogonTypeName, StatusDesc, SubStatusDesc, RelatedRowSet \\n;\\nlet UserSigninToSystems = AllEvents\\n| where EventID == 4624\\n| project-away StatusDesc, SubStatusDesc, PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserSigninToSystems\u0027 ;\\nlet UserFailedSigninToSystems = AllEvents\\n| where EventID == 4625\\n| project-away PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserFailedSigninToSystems\u0027 ;\\nlet UserSigninDuringAbnormalHours = AllEvents\\n| where StartTime between (ago(14d)..ago(2d))\\n| where EventID in (4624,4625)\\n| where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n| summarize max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek) by TargetUserName\\n| join kind= inner\\n(\\n AllEvents\\n | where StartTime \u003e ago(2d)\\n | where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n)\\non TargetUserName\\n| where HourOfLogin \u003e max_HourOfLogin or HourOfLogin \u003c min_HourOfLogin\\n| extend historical_DayofWeek = tostring(historical_DayofWeek)\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), current_DayofWeek =make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName, StatusDesc, SubStatusDesc, historical_DayofWeek\\n| extend historical_DayofWeek = todynamic(historical_DayofWeek) \\n| extend RelatedRowSet = \u0027UserSigninDuringAbnormalHour\u0027; \\nlet UserHadPrivilegedLogonSessions = AllEvents\\n| where EventID == 4672\\n| where PrivilegeList contains \u0027SeDebugPrivilege\u0027\\n| project-away StatusDesc, SubStatusDesc\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, PrivilegeList\\n// Notice! summarize removes the TimeGenerated field, which is required for Activities.\\n| extend RelatedRowSet = \u0027UserHadPrivilegedLogonSessions\u0027 ;\\nunion isfuzzy=true AllEvents, UserSigninToSystems, UserFailedSigninToSystems, UserSigninDuringAbnormalHours, UserHadPrivilegedLogonSessions\\n};\\n// change {{Account_Name}} value below to the username you are interested in and {{Account_NTDomain}} to the domain of the user you are interested in\\nGetAllLogonsForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027) \\n| where RelatedRowSet == \u0027AllEvents\u0027 and EventID==4624 and LogonTypeName == \u00272 - Interactive\u0027 | extend TimeGenerated=StartTime \\n| project Computer, WorkstationName, LogonTypeName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueryTemplates/c9da5786-6c3c-45b5-9a46-53200ed9df09\",\"name\":\"c9da5786-6c3c-45b5-9a46-53200ed9df09\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Network log-ins to a host\",\"content\":\"The user {{Account_Name}} logged on to host {{Computer}} {{Count}} time(s)\",\"description\":\"This activity lists the user\u0027s network log-ins, grouped by Host.\",\"queryDefinitions\":{\"query\":\"let GetAllLogonsForUser = (v_Account_Name:string, v_Account_NTDomain:string){\\nlet AllEvents = SecurityEvent\\n| extend p_Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nv_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nv_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\nv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\nv_Account_Name\\n)\\n| extend p_Account_NTDomain = case(\\nv_Account_NTDomain has \u0027\\\\\\\\\u0027, tostring(split(v_Account_NTDomain, \u0027\\\\\\\\\u0027)[0]), \\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nv_Account_NTDomain has \u0027@\u0027, tostring(split(tostring(split(v_Account_NTDomain, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nv_Account_NTDomain\\n)\\n| where EventID in (4624, 4625, 4672)\\n| where AccountType =~ \u0027User\u0027\\n| where TargetUserName =~ p_Account_Name and TargetDomainName =~ p_Account_NTDomain\\n| extend PassedInAccountName = p_Account_Name, PassedInNTDomain = p_Account_NTDomain, RelatedRowSet = \u0027AllEvents\u0027\\n| extend HourOfLogin = hourofday(TimeGenerated), DayNumberofWeek = dayofweek(TimeGenerated)\\n| extend DayofWeek = case(\\nDayNumberofWeek == \\\"00:00:00\\\", \\\"Sunday\\\", \\nDayNumberofWeek == \\\"1.00:00:00\\\", \\\"Monday\\\", \\nDayNumberofWeek == \\\"2.00:00:00\\\", \\\"Tuesday\\\", \\nDayNumberofWeek == \\\"3.00:00:00\\\", \\\"Wednesday\\\", \\nDayNumberofWeek == \\\"4.00:00:00\\\", \\\"Thursday\\\", \\nDayNumberofWeek == \\\"5.00:00:00\\\", \\\"Friday\\\", \\nDayNumberofWeek == \\\"6.00:00:00\\\", \\\"Saturday\\\",\\\"InvalidTimeStamp\\\")\\n// map the most common ntstatus codes\\n| extend StatusDesc = case(\\nStatus =~ \\\"0x80090302\\\", \\\"SEC_E_UNSUPPORTED_FUNCTION\\\",\\nStatus =~ \\\"0x80090308\\\", \\\"SEC_E_INVALID_TOKEN\\\",\\nStatus =~ \\\"0x8009030E\\\", \\\"SEC_E_NO_CREDENTIALS\\\",\\nStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nStatus =~ \\\"0xC0000017\\\", \\\"STATUS_NO_MEMORY\\\",\\nStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nStatus =~ \\\"0xC0000034\\\", \\\"STATUS_OBJECT_NAME_NOT_FOUND\\\",\\nStatus =~ \\\"0xC000005E\\\", \\\"STATUS_NO_LOGON_SERVERS\\\",\\nStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nStatus =~ \\\"0xC00000FE\\\", \\\"STATUS_NO_SUCH_PACKAGE\\\",\\nStatus =~ \\\"0xC000009A\\\", \\\"STATUS_INSUFFICIENT_RESOURCES\\\",\\nStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nStatus =~ \\\"0xC0000106\\\", \\\"STATUS_NAME_TOO_LONG\\\",\\nStatus =~ \\\"0xC000010B\\\", \\\"STATUS_INVALID_LOGON_TYPE\\\",\\nStatus =~ \\\"0xC000015B\\\", \\\"STATUS_LOGON_TYPE_NOT_GRANTED\\\",\\nStatus =~ \\\"0xC000018B\\\", \\\"STATUS_NO_TRUST_SAM_ACCOUNT\\\",\\nStatus =~ \\\"0xC0000224\\\", \\\"STATUS_PASSWORD_MUST_CHANGE\\\",\\nStatus =~ \\\"0xC0000234\\\", \\\"STATUS_ACCOUNT_LOCKED_OUT\\\",\\nStatus =~ \\\"0xC00002EE\\\", \\\"STATUS_UNFINISHED_CONTEXT_DELETED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| extend SubStatusDesc = case(\\nSubStatus =~ \\\"0x80090325\\\", \\\"SEC_E_UNTRUSTED_ROOT\\\",\\nSubStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nSubStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nSubStatus =~ \\\"0xC0000064\\\", \\\"STATUS_NO_SUCH_USER\\\",\\nSubStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nSubStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nSubStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nSubStatus =~ \\\"0xC000006F\\\", \\\"STATUS_INVALID_LOGON_HOURS\\\",\\nSubStatus =~ \\\"0xC0000070\\\", \\\"STATUS_INVALID_WORKSTATION\\\",\\nSubStatus =~ \\\"0xC0000071\\\", \\\"STATUS_PASSWORD_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000072\\\", \\\"STATUS_ACCOUNT_DISABLED\\\",\\nSubStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nSubStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nSubStatus =~ \\\"0xC0000133\\\", \\\"STATUS_TIME_DIFFERENCE_AT_DC\\\",\\nSubStatus =~ \\\"0xC000018D\\\", \\\"STATUS_TRUSTED_RELATIONSHIP_FAILURE\\\",\\nSubStatus =~ \\\"0xC0000193\\\", \\\"STATUS_ACCOUNT_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000380\\\", \\\"STATUS_SMARTCARD_WRONG_PIN\\\",\\nSubStatus =~ \\\"0xC0000381\\\", \\\"STATUS_SMARTCARD_CARD_BLOCKED\\\",\\nSubStatus =~ \\\"0xC0000382\\\", \\\"STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED\\\",\\nSubStatus =~ \\\"0xC0000383\\\", \\\"STATUS_SMARTCARD_NO_CARD\\\",\\nSubStatus =~ \\\"0xC0000384\\\", \\\"STATUS_SMARTCARD_NO_KEY_CONTAINER\\\",\\nSubStatus =~ \\\"0xC0000385\\\", \\\"STATUS_SMARTCARD_NO_CERTIFICATE\\\",\\nSubStatus =~ \\\"0xC0000386\\\", \\\"STATUS_SMARTCARD_NO_KEYSET\\\",\\nSubStatus =~ \\\"0xC0000387\\\", \\\"STATUS_SMARTCARD_IO_ERROR\\\",\\nSubStatus =~ \\\"0xC0000388\\\", \\\"STATUS_DOWNGRADE_DETECTED\\\",\\nSubStatus =~ \\\"0xC0000389\\\", \\\"STATUS_SMARTCARD_CERT_REVOKED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| project StartTime = TimeGenerated, DayofWeek, HourOfLogin, EventID, Activity, IpAddress, WorkstationName, Computer, TargetUserName, TargetDomainName, ProcessName, SubjectUserName, PrivilegeList, PassedInAccountName, PassedInNTDomain, LogonTypeName, StatusDesc, SubStatusDesc, RelatedRowSet \\n;\\nlet UserSigninToSystems = AllEvents\\n| where EventID == 4624\\n| project-away StatusDesc, SubStatusDesc, PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserSigninToSystems\u0027 ;\\nlet UserFailedSigninToSystems = AllEvents\\n| where EventID == 4625\\n| project-away PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserFailedSigninToSystems\u0027 ;\\nlet UserSigninDuringAbnormalHours = AllEvents\\n| where StartTime between (ago(14d)..ago(2d))\\n| where EventID in (4624,4625)\\n| where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n| summarize max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek) by TargetUserName\\n| join kind= inner\\n(\\n AllEvents\\n | where StartTime \u003e ago(2d)\\n | where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n)\\non TargetUserName\\n| where HourOfLogin \u003e max_HourOfLogin or HourOfLogin \u003c min_HourOfLogin\\n| extend historical_DayofWeek = tostring(historical_DayofWeek)\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), current_DayofWeek =make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName, StatusDesc, SubStatusDesc, historical_DayofWeek\\n| extend historical_DayofWeek = todynamic(historical_DayofWeek) \\n| extend RelatedRowSet = \u0027UserSigninDuringAbnormalHour\u0027; \\nlet UserHadPrivilegedLogonSessions = AllEvents\\n| where EventID == 4672\\n| where PrivilegeList contains \u0027SeDebugPrivilege\u0027\\n| project-away StatusDesc, SubStatusDesc\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, PrivilegeList\\n// Notice! summarize removes the TimeGenerated field, which is required for Activities.\\n| extend RelatedRowSet = \u0027UserHadPrivilegedLogonSessions\u0027 ;\\nunion isfuzzy=true AllEvents, UserSigninToSystems, UserFailedSigninToSystems, UserSigninDuringAbnormalHours, UserHadPrivilegedLogonSessions\\n};\\n// change {{Account_Name}} value below to the username you are interested in and {{Account_NTDomain}} to the domain of the user you are interested in\\nGetAllLogonsForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027) \\n| where RelatedRowSet == \u0027AllEvents\u0027 and EventID ==4624 and LogonTypeName == \u00273 - Network\u0027 | extend TimeGenerated=StartTime \\n| project Computer, WorkstationName, LogonTypeName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueryTemplates/8a302bfc-00e3-43b3-a516-102fd0cb0dbc\",\"name\":\"8a302bfc-00e3-43b3-a516-102fd0cb0dbc\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Remote interactive log-ins to a host\",\"content\":\"The user {{Account_Name}} logged on to host {{Computer}} {{Count}} time(s)\",\"description\":\"This activity lists the user\u0027s remote interactive log-ins, grouped by Host.\",\"queryDefinitions\":{\"query\":\"let GetAllLogonsForUser = (v_Account_Name:string, v_Account_NTDomain:string){\\nlet AllEvents = SecurityEvent\\n| extend p_Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nv_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nv_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\nv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\nv_Account_Name\\n)\\n| extend p_Account_NTDomain = case(\\nv_Account_NTDomain has \u0027\\\\\\\\\u0027, tostring(split(v_Account_NTDomain, \u0027\\\\\\\\\u0027)[0]), \\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nv_Account_NTDomain has \u0027@\u0027, tostring(split(tostring(split(v_Account_NTDomain, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nv_Account_NTDomain\\n)\\n| where EventID in (4624, 4625, 4672)\\n| where AccountType =~ \u0027User\u0027\\n| where TargetUserName =~ p_Account_Name and TargetDomainName =~ p_Account_NTDomain\\n| extend PassedInAccountName = p_Account_Name, PassedInNTDomain = p_Account_NTDomain, RelatedRowSet = \u0027AllEvents\u0027\\n| extend HourOfLogin = hourofday(TimeGenerated), DayNumberofWeek = dayofweek(TimeGenerated)\\n| extend DayofWeek = case(\\nDayNumberofWeek == \\\"00:00:00\\\", \\\"Sunday\\\", \\nDayNumberofWeek == \\\"1.00:00:00\\\", \\\"Monday\\\", \\nDayNumberofWeek == \\\"2.00:00:00\\\", \\\"Tuesday\\\", \\nDayNumberofWeek == \\\"3.00:00:00\\\", \\\"Wednesday\\\", \\nDayNumberofWeek == \\\"4.00:00:00\\\", \\\"Thursday\\\", \\nDayNumberofWeek == \\\"5.00:00:00\\\", \\\"Friday\\\", \\nDayNumberofWeek == \\\"6.00:00:00\\\", \\\"Saturday\\\",\\\"InvalidTimeStamp\\\")\\n// map the most common ntstatus codes\\n| extend StatusDesc = case(\\nStatus =~ \\\"0x80090302\\\", \\\"SEC_E_UNSUPPORTED_FUNCTION\\\",\\nStatus =~ \\\"0x80090308\\\", \\\"SEC_E_INVALID_TOKEN\\\",\\nStatus =~ \\\"0x8009030E\\\", \\\"SEC_E_NO_CREDENTIALS\\\",\\nStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nStatus =~ \\\"0xC0000017\\\", \\\"STATUS_NO_MEMORY\\\",\\nStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nStatus =~ \\\"0xC0000034\\\", \\\"STATUS_OBJECT_NAME_NOT_FOUND\\\",\\nStatus =~ \\\"0xC000005E\\\", \\\"STATUS_NO_LOGON_SERVERS\\\",\\nStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nStatus =~ \\\"0xC00000FE\\\", \\\"STATUS_NO_SUCH_PACKAGE\\\",\\nStatus =~ \\\"0xC000009A\\\", \\\"STATUS_INSUFFICIENT_RESOURCES\\\",\\nStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nStatus =~ \\\"0xC0000106\\\", \\\"STATUS_NAME_TOO_LONG\\\",\\nStatus =~ \\\"0xC000010B\\\", \\\"STATUS_INVALID_LOGON_TYPE\\\",\\nStatus =~ \\\"0xC000015B\\\", \\\"STATUS_LOGON_TYPE_NOT_GRANTED\\\",\\nStatus =~ \\\"0xC000018B\\\", \\\"STATUS_NO_TRUST_SAM_ACCOUNT\\\",\\nStatus =~ \\\"0xC0000224\\\", \\\"STATUS_PASSWORD_MUST_CHANGE\\\",\\nStatus =~ \\\"0xC0000234\\\", \\\"STATUS_ACCOUNT_LOCKED_OUT\\\",\\nStatus =~ \\\"0xC00002EE\\\", \\\"STATUS_UNFINISHED_CONTEXT_DELETED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| extend SubStatusDesc = case(\\nSubStatus =~ \\\"0x80090325\\\", \\\"SEC_E_UNTRUSTED_ROOT\\\",\\nSubStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nSubStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nSubStatus =~ \\\"0xC0000064\\\", \\\"STATUS_NO_SUCH_USER\\\",\\nSubStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nSubStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nSubStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nSubStatus =~ \\\"0xC000006F\\\", \\\"STATUS_INVALID_LOGON_HOURS\\\",\\nSubStatus =~ \\\"0xC0000070\\\", \\\"STATUS_INVALID_WORKSTATION\\\",\\nSubStatus =~ \\\"0xC0000071\\\", \\\"STATUS_PASSWORD_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000072\\\", \\\"STATUS_ACCOUNT_DISABLED\\\",\\nSubStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nSubStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nSubStatus =~ \\\"0xC0000133\\\", \\\"STATUS_TIME_DIFFERENCE_AT_DC\\\",\\nSubStatus =~ \\\"0xC000018D\\\", \\\"STATUS_TRUSTED_RELATIONSHIP_FAILURE\\\",\\nSubStatus =~ \\\"0xC0000193\\\", \\\"STATUS_ACCOUNT_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000380\\\", \\\"STATUS_SMARTCARD_WRONG_PIN\\\",\\nSubStatus =~ \\\"0xC0000381\\\", \\\"STATUS_SMARTCARD_CARD_BLOCKED\\\",\\nSubStatus =~ \\\"0xC0000382\\\", \\\"STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED\\\",\\nSubStatus =~ \\\"0xC0000383\\\", \\\"STATUS_SMARTCARD_NO_CARD\\\",\\nSubStatus =~ \\\"0xC0000384\\\", \\\"STATUS_SMARTCARD_NO_KEY_CONTAINER\\\",\\nSubStatus =~ \\\"0xC0000385\\\", \\\"STATUS_SMARTCARD_NO_CERTIFICATE\\\",\\nSubStatus =~ \\\"0xC0000386\\\", \\\"STATUS_SMARTCARD_NO_KEYSET\\\",\\nSubStatus =~ \\\"0xC0000387\\\", \\\"STATUS_SMARTCARD_IO_ERROR\\\",\\nSubStatus =~ \\\"0xC0000388\\\", \\\"STATUS_DOWNGRADE_DETECTED\\\",\\nSubStatus =~ \\\"0xC0000389\\\", \\\"STATUS_SMARTCARD_CERT_REVOKED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| project StartTime = TimeGenerated, DayofWeek, HourOfLogin, EventID, Activity, IpAddress, WorkstationName, Computer, TargetUserName, TargetDomainName, ProcessName, SubjectUserName, PrivilegeList, PassedInAccountName, PassedInNTDomain, LogonTypeName, StatusDesc, SubStatusDesc, RelatedRowSet \\n;\\nlet UserSigninToSystems = AllEvents\\n| where EventID == 4624\\n| project-away StatusDesc, SubStatusDesc, PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserSigninToSystems\u0027 ;\\nlet UserFailedSigninToSystems = AllEvents\\n| where EventID == 4625\\n| project-away PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserFailedSigninToSystems\u0027 ;\\nlet UserSigninDuringAbnormalHours = AllEvents\\n| where StartTime between (ago(14d)..ago(2d))\\n| where EventID in (4624,4625)\\n| where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n| summarize max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek) by TargetUserName\\n| join kind= inner\\n(\\n AllEvents\\n | where StartTime \u003e ago(2d)\\n | where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n)\\non TargetUserName\\n| where HourOfLogin \u003e max_HourOfLogin or HourOfLogin \u003c min_HourOfLogin\\n| extend historical_DayofWeek = tostring(historical_DayofWeek)\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), current_DayofWeek =make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName, StatusDesc, SubStatusDesc, historical_DayofWeek\\n| extend historical_DayofWeek = todynamic(historical_DayofWeek) \\n| extend RelatedRowSet = \u0027UserSigninDuringAbnormalHour\u0027; \\nlet UserHadPrivilegedLogonSessions = AllEvents\\n| where EventID == 4672\\n| where PrivilegeList contains \u0027SeDebugPrivilege\u0027\\n| project-away StatusDesc, SubStatusDesc\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, PrivilegeList\\n// Notice! summarize removes the TimeGenerated field, which is required for Activities.\\n| extend RelatedRowSet = \u0027UserHadPrivilegedLogonSessions\u0027 ;\\nunion isfuzzy=true AllEvents, UserSigninToSystems, UserFailedSigninToSystems, UserSigninDuringAbnormalHours, UserHadPrivilegedLogonSessions\\n};\\n// change {{Account_Name}} value below to the username you are interested in and {{Account_NTDomain}} to the domain of the user you are interested in\\nGetAllLogonsForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027) \\n| where RelatedRowSet == \u0027AllEvents\u0027 and EventID ==4624 and LogonTypeName == \u002710 - RemoteInteractive\u0027| extend TimeGenerated=StartTime \\n| project Computer, WorkstationName, LogonTypeName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueryTemplates/ec87b066-17ad-4f9b-97c2-c2f2ee2d99e0\",\"name\":\"ec87b066-17ad-4f9b-97c2-c2f2ee2d99e0\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"New credentials log-ins to a host\",\"content\":\"The user {{Account_Name}} logged on to host {{Computer}} {{Count}} time(s)\",\"description\":\"This activity lists the user\u0027s log-ins with new credentials, grouped by Host.\",\"queryDefinitions\":{\"query\":\"let GetAllLogonsForUser = (v_Account_Name:string, v_Account_NTDomain:string){\\nlet AllEvents = SecurityEvent\\n| extend p_Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nv_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nv_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\nv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\nv_Account_Name\\n)\\n| extend p_Account_NTDomain = case(\\nv_Account_NTDomain has \u0027\\\\\\\\\u0027, tostring(split(v_Account_NTDomain, \u0027\\\\\\\\\u0027)[0]), \\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nv_Account_NTDomain has \u0027@\u0027, tostring(split(tostring(split(v_Account_NTDomain, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nv_Account_NTDomain\\n)\\n| where EventID in (4624, 4625, 4672)\\n| where AccountType =~ \u0027User\u0027\\n| where TargetUserName =~ p_Account_Name and TargetDomainName =~ p_Account_NTDomain\\n| extend PassedInAccountName = p_Account_Name, PassedInNTDomain = p_Account_NTDomain, RelatedRowSet = \u0027AllEvents\u0027\\n| extend HourOfLogin = hourofday(TimeGenerated), DayNumberofWeek = dayofweek(TimeGenerated)\\n| extend DayofWeek = case(\\nDayNumberofWeek == \\\"00:00:00\\\", \\\"Sunday\\\", \\nDayNumberofWeek == \\\"1.00:00:00\\\", \\\"Monday\\\", \\nDayNumberofWeek == \\\"2.00:00:00\\\", \\\"Tuesday\\\", \\nDayNumberofWeek == \\\"3.00:00:00\\\", \\\"Wednesday\\\", \\nDayNumberofWeek == \\\"4.00:00:00\\\", \\\"Thursday\\\", \\nDayNumberofWeek == \\\"5.00:00:00\\\", \\\"Friday\\\", \\nDayNumberofWeek == \\\"6.00:00:00\\\", \\\"Saturday\\\",\\\"InvalidTimeStamp\\\")\\n// map the most common ntstatus codes\\n| extend StatusDesc = case(\\nStatus =~ \\\"0x80090302\\\", \\\"SEC_E_UNSUPPORTED_FUNCTION\\\",\\nStatus =~ \\\"0x80090308\\\", \\\"SEC_E_INVALID_TOKEN\\\",\\nStatus =~ \\\"0x8009030E\\\", \\\"SEC_E_NO_CREDENTIALS\\\",\\nStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nStatus =~ \\\"0xC0000017\\\", \\\"STATUS_NO_MEMORY\\\",\\nStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nStatus =~ \\\"0xC0000034\\\", \\\"STATUS_OBJECT_NAME_NOT_FOUND\\\",\\nStatus =~ \\\"0xC000005E\\\", \\\"STATUS_NO_LOGON_SERVERS\\\",\\nStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nStatus =~ \\\"0xC00000FE\\\", \\\"STATUS_NO_SUCH_PACKAGE\\\",\\nStatus =~ \\\"0xC000009A\\\", \\\"STATUS_INSUFFICIENT_RESOURCES\\\",\\nStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nStatus =~ \\\"0xC0000106\\\", \\\"STATUS_NAME_TOO_LONG\\\",\\nStatus =~ \\\"0xC000010B\\\", \\\"STATUS_INVALID_LOGON_TYPE\\\",\\nStatus =~ \\\"0xC000015B\\\", \\\"STATUS_LOGON_TYPE_NOT_GRANTED\\\",\\nStatus =~ \\\"0xC000018B\\\", \\\"STATUS_NO_TRUST_SAM_ACCOUNT\\\",\\nStatus =~ \\\"0xC0000224\\\", \\\"STATUS_PASSWORD_MUST_CHANGE\\\",\\nStatus =~ \\\"0xC0000234\\\", \\\"STATUS_ACCOUNT_LOCKED_OUT\\\",\\nStatus =~ \\\"0xC00002EE\\\", \\\"STATUS_UNFINISHED_CONTEXT_DELETED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| extend SubStatusDesc = case(\\nSubStatus =~ \\\"0x80090325\\\", \\\"SEC_E_UNTRUSTED_ROOT\\\",\\nSubStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nSubStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nSubStatus =~ \\\"0xC0000064\\\", \\\"STATUS_NO_SUCH_USER\\\",\\nSubStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nSubStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nSubStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nSubStatus =~ \\\"0xC000006F\\\", \\\"STATUS_INVALID_LOGON_HOURS\\\",\\nSubStatus =~ \\\"0xC0000070\\\", \\\"STATUS_INVALID_WORKSTATION\\\",\\nSubStatus =~ \\\"0xC0000071\\\", \\\"STATUS_PASSWORD_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000072\\\", \\\"STATUS_ACCOUNT_DISABLED\\\",\\nSubStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nSubStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nSubStatus =~ \\\"0xC0000133\\\", \\\"STATUS_TIME_DIFFERENCE_AT_DC\\\",\\nSubStatus =~ \\\"0xC000018D\\\", \\\"STATUS_TRUSTED_RELATIONSHIP_FAILURE\\\",\\nSubStatus =~ \\\"0xC0000193\\\", \\\"STATUS_ACCOUNT_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000380\\\", \\\"STATUS_SMARTCARD_WRONG_PIN\\\",\\nSubStatus =~ \\\"0xC0000381\\\", \\\"STATUS_SMARTCARD_CARD_BLOCKED\\\",\\nSubStatus =~ \\\"0xC0000382\\\", \\\"STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED\\\",\\nSubStatus =~ \\\"0xC0000383\\\", \\\"STATUS_SMARTCARD_NO_CARD\\\",\\nSubStatus =~ \\\"0xC0000384\\\", \\\"STATUS_SMARTCARD_NO_KEY_CONTAINER\\\",\\nSubStatus =~ \\\"0xC0000385\\\", \\\"STATUS_SMARTCARD_NO_CERTIFICATE\\\",\\nSubStatus =~ \\\"0xC0000386\\\", \\\"STATUS_SMARTCARD_NO_KEYSET\\\",\\nSubStatus =~ \\\"0xC0000387\\\", \\\"STATUS_SMARTCARD_IO_ERROR\\\",\\nSubStatus =~ \\\"0xC0000388\\\", \\\"STATUS_DOWNGRADE_DETECTED\\\",\\nSubStatus =~ \\\"0xC0000389\\\", \\\"STATUS_SMARTCARD_CERT_REVOKED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| project StartTime = TimeGenerated, DayofWeek, HourOfLogin, EventID, Activity, IpAddress, WorkstationName, Computer, TargetUserName, TargetDomainName, ProcessName, SubjectUserName, PrivilegeList, PassedInAccountName, PassedInNTDomain, LogonTypeName, StatusDesc, SubStatusDesc, RelatedRowSet \\n;\\nlet UserSigninToSystems = AllEvents\\n| where EventID == 4624\\n| project-away StatusDesc, SubStatusDesc, PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserSigninToSystems\u0027 ;\\nlet UserFailedSigninToSystems = AllEvents\\n| where EventID == 4625\\n| project-away PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserFailedSigninToSystems\u0027 ;\\nlet UserSigninDuringAbnormalHours = AllEvents\\n| where StartTime between (ago(14d)..ago(2d))\\n| where EventID in (4624,4625)\\n| where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n| summarize max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek) by TargetUserName\\n| join kind= inner\\n(\\n AllEvents\\n | where StartTime \u003e ago(2d)\\n | where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n)\\non TargetUserName\\n| where HourOfLogin \u003e max_HourOfLogin or HourOfLogin \u003c min_HourOfLogin\\n| extend historical_DayofWeek = tostring(historical_DayofWeek)\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), current_DayofWeek =make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName, StatusDesc, SubStatusDesc, historical_DayofWeek\\n| extend historical_DayofWeek = todynamic(historical_DayofWeek) \\n| extend RelatedRowSet = \u0027UserSigninDuringAbnormalHour\u0027; \\nlet UserHadPrivilegedLogonSessions = AllEvents\\n| where EventID == 4672\\n| where PrivilegeList contains \u0027SeDebugPrivilege\u0027\\n| project-away StatusDesc, SubStatusDesc\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, PrivilegeList\\n// Notice! summarize removes the TimeGenerated field, which is required for Activities.\\n| extend RelatedRowSet = \u0027UserHadPrivilegedLogonSessions\u0027 ;\\nunion isfuzzy=true AllEvents, UserSigninToSystems, UserFailedSigninToSystems, UserSigninDuringAbnormalHours, UserHadPrivilegedLogonSessions\\n};\\n// change {{Account_Name}} value below to the username you are interested in and {{Account_NTDomain}} to the domain of the user you are interested in\\nGetAllLogonsForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027) \\n| where RelatedRowSet == \u0027AllEvents\u0027 and EventID ==4624 and LogonTypeName == \u00279 - NewCredentials\u0027| extend TimeGenerated=StartTime \\n| project Computer, WorkstationName, LogonTypeName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueryTemplates/e1c4c03c-2b40-47cf-9b8c-49e0a37a6da6\",\"name\":\"e1c4c03c-2b40-47cf-9b8c-49e0a37a6da6\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Privileged log-ins to a host\",\"content\":\"The user {{Account_Name}} logged on to host {{Computer}} {{Count}} time(s)\",\"description\":\"This activity lists the user\u0027s privileged log-ins, grouped by Host.\",\"queryDefinitions\":{\"query\":\"let GetAllLogonsForUser = (v_Account_Name:string, v_Account_NTDomain:string){\\nlet AllEvents = SecurityEvent\\n| extend p_Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nv_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nv_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\nv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\nv_Account_Name\\n)\\n| extend p_Account_NTDomain = case(\\nv_Account_NTDomain has \u0027\\\\\\\\\u0027, tostring(split(v_Account_NTDomain, \u0027\\\\\\\\\u0027)[0]), \\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nv_Account_NTDomain has \u0027@\u0027, tostring(split(tostring(split(v_Account_NTDomain, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nv_Account_NTDomain\\n)\\n| where EventID in (4624, 4625, 4672)\\n| where AccountType =~ \u0027User\u0027\\n| where TargetUserName =~ p_Account_Name and TargetDomainName =~ p_Account_NTDomain\\n| extend PassedInAccountName = p_Account_Name, PassedInNTDomain = p_Account_NTDomain, RelatedRowSet = \u0027AllEvents\u0027\\n| extend HourOfLogin = hourofday(TimeGenerated), DayNumberofWeek = dayofweek(TimeGenerated)\\n| extend DayofWeek = case(\\nDayNumberofWeek == \\\"00:00:00\\\", \\\"Sunday\\\", \\nDayNumberofWeek == \\\"1.00:00:00\\\", \\\"Monday\\\", \\nDayNumberofWeek == \\\"2.00:00:00\\\", \\\"Tuesday\\\", \\nDayNumberofWeek == \\\"3.00:00:00\\\", \\\"Wednesday\\\", \\nDayNumberofWeek == \\\"4.00:00:00\\\", \\\"Thursday\\\", \\nDayNumberofWeek == \\\"5.00:00:00\\\", \\\"Friday\\\", \\nDayNumberofWeek == \\\"6.00:00:00\\\", \\\"Saturday\\\",\\\"InvalidTimeStamp\\\")\\n// map the most common ntstatus codes\\n| extend StatusDesc = case(\\nStatus =~ \\\"0x80090302\\\", \\\"SEC_E_UNSUPPORTED_FUNCTION\\\",\\nStatus =~ \\\"0x80090308\\\", \\\"SEC_E_INVALID_TOKEN\\\",\\nStatus =~ \\\"0x8009030E\\\", \\\"SEC_E_NO_CREDENTIALS\\\",\\nStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nStatus =~ \\\"0xC0000017\\\", \\\"STATUS_NO_MEMORY\\\",\\nStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nStatus =~ \\\"0xC0000034\\\", \\\"STATUS_OBJECT_NAME_NOT_FOUND\\\",\\nStatus =~ \\\"0xC000005E\\\", \\\"STATUS_NO_LOGON_SERVERS\\\",\\nStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nStatus =~ \\\"0xC00000FE\\\", \\\"STATUS_NO_SUCH_PACKAGE\\\",\\nStatus =~ \\\"0xC000009A\\\", \\\"STATUS_INSUFFICIENT_RESOURCES\\\",\\nStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nStatus =~ \\\"0xC0000106\\\", \\\"STATUS_NAME_TOO_LONG\\\",\\nStatus =~ \\\"0xC000010B\\\", \\\"STATUS_INVALID_LOGON_TYPE\\\",\\nStatus =~ \\\"0xC000015B\\\", \\\"STATUS_LOGON_TYPE_NOT_GRANTED\\\",\\nStatus =~ \\\"0xC000018B\\\", \\\"STATUS_NO_TRUST_SAM_ACCOUNT\\\",\\nStatus =~ \\\"0xC0000224\\\", \\\"STATUS_PASSWORD_MUST_CHANGE\\\",\\nStatus =~ \\\"0xC0000234\\\", \\\"STATUS_ACCOUNT_LOCKED_OUT\\\",\\nStatus =~ \\\"0xC00002EE\\\", \\\"STATUS_UNFINISHED_CONTEXT_DELETED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| extend SubStatusDesc = case(\\nSubStatus =~ \\\"0x80090325\\\", \\\"SEC_E_UNTRUSTED_ROOT\\\",\\nSubStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nSubStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nSubStatus =~ \\\"0xC0000064\\\", \\\"STATUS_NO_SUCH_USER\\\",\\nSubStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nSubStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nSubStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nSubStatus =~ \\\"0xC000006F\\\", \\\"STATUS_INVALID_LOGON_HOURS\\\",\\nSubStatus =~ \\\"0xC0000070\\\", \\\"STATUS_INVALID_WORKSTATION\\\",\\nSubStatus =~ \\\"0xC0000071\\\", \\\"STATUS_PASSWORD_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000072\\\", \\\"STATUS_ACCOUNT_DISABLED\\\",\\nSubStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nSubStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nSubStatus =~ \\\"0xC0000133\\\", \\\"STATUS_TIME_DIFFERENCE_AT_DC\\\",\\nSubStatus =~ \\\"0xC000018D\\\", \\\"STATUS_TRUSTED_RELATIONSHIP_FAILURE\\\",\\nSubStatus =~ \\\"0xC0000193\\\", \\\"STATUS_ACCOUNT_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000380\\\", \\\"STATUS_SMARTCARD_WRONG_PIN\\\",\\nSubStatus =~ \\\"0xC0000381\\\", \\\"STATUS_SMARTCARD_CARD_BLOCKED\\\",\\nSubStatus =~ \\\"0xC0000382\\\", \\\"STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED\\\",\\nSubStatus =~ \\\"0xC0000383\\\", \\\"STATUS_SMARTCARD_NO_CARD\\\",\\nSubStatus =~ \\\"0xC0000384\\\", \\\"STATUS_SMARTCARD_NO_KEY_CONTAINER\\\",\\nSubStatus =~ \\\"0xC0000385\\\", \\\"STATUS_SMARTCARD_NO_CERTIFICATE\\\",\\nSubStatus =~ \\\"0xC0000386\\\", \\\"STATUS_SMARTCARD_NO_KEYSET\\\",\\nSubStatus =~ \\\"0xC0000387\\\", \\\"STATUS_SMARTCARD_IO_ERROR\\\",\\nSubStatus =~ \\\"0xC0000388\\\", \\\"STATUS_DOWNGRADE_DETECTED\\\",\\nSubStatus =~ \\\"0xC0000389\\\", \\\"STATUS_SMARTCARD_CERT_REVOKED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| project StartTime = TimeGenerated, DayofWeek, HourOfLogin, EventID, Activity, IpAddress, WorkstationName, Computer, TargetUserName, TargetDomainName, ProcessName, SubjectUserName, PrivilegeList, PassedInAccountName, PassedInNTDomain, LogonTypeName, StatusDesc, SubStatusDesc, RelatedRowSet \\n;\\nlet UserSigninToSystems = AllEvents\\n| where EventID == 4624\\n| project-away StatusDesc, SubStatusDesc, PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserSigninToSystems\u0027 ;\\nlet UserFailedSigninToSystems = AllEvents\\n| where EventID == 4625\\n| project-away PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserFailedSigninToSystems\u0027 ;\\nlet UserSigninDuringAbnormalHours = AllEvents\\n| where StartTime between (ago(14d)..ago(2d))\\n| where EventID in (4624,4625)\\n| where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n| summarize max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek) by TargetUserName\\n| join kind= inner\\n(\\n AllEvents\\n | where StartTime \u003e ago(2d)\\n | where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n)\\non TargetUserName\\n| where HourOfLogin \u003e max_HourOfLogin or HourOfLogin \u003c min_HourOfLogin\\n| extend historical_DayofWeek = tostring(historical_DayofWeek)\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), current_DayofWeek =make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName, StatusDesc, SubStatusDesc, historical_DayofWeek\\n| extend historical_DayofWeek = todynamic(historical_DayofWeek) \\n| extend RelatedRowSet = \u0027UserSigninDuringAbnormalHour\u0027; \\nlet UserHadPrivilegedLogonSessions = AllEvents\\n| where EventID == 4672\\n| where PrivilegeList contains \u0027SeDebugPrivilege\u0027\\n| project-away StatusDesc, SubStatusDesc\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, PrivilegeList\\n// Notice! summarize removes the TimeGenerated field, which is required for Activities.\\n| extend RelatedRowSet = \u0027UserHadPrivilegedLogonSessions\u0027 ;\\nunion isfuzzy=true AllEvents, UserSigninToSystems, UserFailedSigninToSystems, UserSigninDuringAbnormalHours, UserHadPrivilegedLogonSessions\\n};\\n// change {{Account_Name}} value below to the username you are interested in and {{Account_NTDomain}} to the domain of the user you are interested in\\nGetAllLogonsForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027) \\n| where RelatedRowSet == \u0027AllEvents\u0027 and EventID == 4672 | extend TimeGenerated=StartTime \\n| project Computer, WorkstationName, LogonTypeName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueryTemplates/a6fc3ad9-1a61-41f5-a5e2-bd1f5a6fe44d\",\"name\":\"a6fc3ad9-1a61-41f5-a5e2-bd1f5a6fe44d\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Failed interactive log-ins to a host\",\"content\":\"The user {{Account_Name}} logged on to host {{Computer}} {{Count}} time(s)\",\"description\":\"This activity lists the user\u0027s failed interactive log-ins grouped by Host.\",\"queryDefinitions\":{\"query\":\"let GetAllLogonsForUser = (v_Account_Name:string, v_Account_NTDomain:string){\\nlet AllEvents = SecurityEvent\\n| extend p_Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nv_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nv_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\nv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\nv_Account_Name\\n)\\n| extend p_Account_NTDomain = case(\\nv_Account_NTDomain has \u0027\\\\\\\\\u0027, tostring(split(v_Account_NTDomain, \u0027\\\\\\\\\u0027)[0]), \\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nv_Account_NTDomain has \u0027@\u0027, tostring(split(tostring(split(v_Account_NTDomain, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nv_Account_NTDomain\\n)\\n| where EventID in (4624, 4625, 4672)\\n| where AccountType =~ \u0027User\u0027\\n| where TargetUserName =~ p_Account_Name and TargetDomainName =~ p_Account_NTDomain\\n| extend PassedInAccountName = p_Account_Name, PassedInNTDomain = p_Account_NTDomain, RelatedRowSet = \u0027AllEvents\u0027\\n| extend HourOfLogin = hourofday(TimeGenerated), DayNumberofWeek = dayofweek(TimeGenerated)\\n| extend DayofWeek = case(\\nDayNumberofWeek == \\\"00:00:00\\\", \\\"Sunday\\\", \\nDayNumberofWeek == \\\"1.00:00:00\\\", \\\"Monday\\\", \\nDayNumberofWeek == \\\"2.00:00:00\\\", \\\"Tuesday\\\", \\nDayNumberofWeek == \\\"3.00:00:00\\\", \\\"Wednesday\\\", \\nDayNumberofWeek == \\\"4.00:00:00\\\", \\\"Thursday\\\", \\nDayNumberofWeek == \\\"5.00:00:00\\\", \\\"Friday\\\", \\nDayNumberofWeek == \\\"6.00:00:00\\\", \\\"Saturday\\\",\\\"InvalidTimeStamp\\\")\\n// map the most common ntstatus codes\\n| extend StatusDesc = case(\\nStatus =~ \\\"0x80090302\\\", \\\"SEC_E_UNSUPPORTED_FUNCTION\\\",\\nStatus =~ \\\"0x80090308\\\", \\\"SEC_E_INVALID_TOKEN\\\",\\nStatus =~ \\\"0x8009030E\\\", \\\"SEC_E_NO_CREDENTIALS\\\",\\nStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nStatus =~ \\\"0xC0000017\\\", \\\"STATUS_NO_MEMORY\\\",\\nStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nStatus =~ \\\"0xC0000034\\\", \\\"STATUS_OBJECT_NAME_NOT_FOUND\\\",\\nStatus =~ \\\"0xC000005E\\\", \\\"STATUS_NO_LOGON_SERVERS\\\",\\nStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nStatus =~ \\\"0xC00000FE\\\", \\\"STATUS_NO_SUCH_PACKAGE\\\",\\nStatus =~ \\\"0xC000009A\\\", \\\"STATUS_INSUFFICIENT_RESOURCES\\\",\\nStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nStatus =~ \\\"0xC0000106\\\", \\\"STATUS_NAME_TOO_LONG\\\",\\nStatus =~ \\\"0xC000010B\\\", \\\"STATUS_INVALID_LOGON_TYPE\\\",\\nStatus =~ \\\"0xC000015B\\\", \\\"STATUS_LOGON_TYPE_NOT_GRANTED\\\",\\nStatus =~ \\\"0xC000018B\\\", \\\"STATUS_NO_TRUST_SAM_ACCOUNT\\\",\\nStatus =~ \\\"0xC0000224\\\", \\\"STATUS_PASSWORD_MUST_CHANGE\\\",\\nStatus =~ \\\"0xC0000234\\\", \\\"STATUS_ACCOUNT_LOCKED_OUT\\\",\\nStatus =~ \\\"0xC00002EE\\\", \\\"STATUS_UNFINISHED_CONTEXT_DELETED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| extend SubStatusDesc = case(\\nSubStatus =~ \\\"0x80090325\\\", \\\"SEC_E_UNTRUSTED_ROOT\\\",\\nSubStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nSubStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nSubStatus =~ \\\"0xC0000064\\\", \\\"STATUS_NO_SUCH_USER\\\",\\nSubStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nSubStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nSubStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nSubStatus =~ \\\"0xC000006F\\\", \\\"STATUS_INVALID_LOGON_HOURS\\\",\\nSubStatus =~ \\\"0xC0000070\\\", \\\"STATUS_INVALID_WORKSTATION\\\",\\nSubStatus =~ \\\"0xC0000071\\\", \\\"STATUS_PASSWORD_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000072\\\", \\\"STATUS_ACCOUNT_DISABLED\\\",\\nSubStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nSubStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nSubStatus =~ \\\"0xC0000133\\\", \\\"STATUS_TIME_DIFFERENCE_AT_DC\\\",\\nSubStatus =~ \\\"0xC000018D\\\", \\\"STATUS_TRUSTED_RELATIONSHIP_FAILURE\\\",\\nSubStatus =~ \\\"0xC0000193\\\", \\\"STATUS_ACCOUNT_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000380\\\", \\\"STATUS_SMARTCARD_WRONG_PIN\\\",\\nSubStatus =~ \\\"0xC0000381\\\", \\\"STATUS_SMARTCARD_CARD_BLOCKED\\\",\\nSubStatus =~ \\\"0xC0000382\\\", \\\"STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED\\\",\\nSubStatus =~ \\\"0xC0000383\\\", \\\"STATUS_SMARTCARD_NO_CARD\\\",\\nSubStatus =~ \\\"0xC0000384\\\", \\\"STATUS_SMARTCARD_NO_KEY_CONTAINER\\\",\\nSubStatus =~ \\\"0xC0000385\\\", \\\"STATUS_SMARTCARD_NO_CERTIFICATE\\\",\\nSubStatus =~ \\\"0xC0000386\\\", \\\"STATUS_SMARTCARD_NO_KEYSET\\\",\\nSubStatus =~ \\\"0xC0000387\\\", \\\"STATUS_SMARTCARD_IO_ERROR\\\",\\nSubStatus =~ \\\"0xC0000388\\\", \\\"STATUS_DOWNGRADE_DETECTED\\\",\\nSubStatus =~ \\\"0xC0000389\\\", \\\"STATUS_SMARTCARD_CERT_REVOKED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| project StartTime = TimeGenerated, DayofWeek, HourOfLogin, EventID, Activity, IpAddress, WorkstationName, Computer, TargetUserName, TargetDomainName, ProcessName, SubjectUserName, PrivilegeList, PassedInAccountName, PassedInNTDomain, LogonTypeName, StatusDesc, SubStatusDesc, RelatedRowSet \\n;\\nlet UserSigninToSystems = AllEvents\\n| where EventID == 4624\\n| project-away StatusDesc, SubStatusDesc, PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserSigninToSystems\u0027 ;\\nlet UserFailedSigninToSystems = AllEvents\\n| where EventID == 4625\\n| project-away PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserFailedSigninToSystems\u0027 ;\\nlet UserSigninDuringAbnormalHours = AllEvents\\n| where StartTime between (ago(14d)..ago(2d))\\n| where EventID in (4624,4625)\\n| where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n| summarize max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek) by TargetUserName\\n| join kind= inner\\n(\\n AllEvents\\n | where StartTime \u003e ago(2d)\\n | where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n)\\non TargetUserName\\n| where HourOfLogin \u003e max_HourOfLogin or HourOfLogin \u003c min_HourOfLogin\\n| extend historical_DayofWeek = tostring(historical_DayofWeek)\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), current_DayofWeek =make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName, StatusDesc, SubStatusDesc, historical_DayofWeek\\n| extend historical_DayofWeek = todynamic(historical_DayofWeek) \\n| extend RelatedRowSet = \u0027UserSigninDuringAbnormalHour\u0027; \\nlet UserHadPrivilegedLogonSessions = AllEvents\\n| where EventID == 4672\\n| where PrivilegeList contains \u0027SeDebugPrivilege\u0027\\n| project-away StatusDesc, SubStatusDesc\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, PrivilegeList\\n// Notice! summarize removes the TimeGenerated field, which is required for Activities.\\n| extend RelatedRowSet = \u0027UserHadPrivilegedLogonSessions\u0027 ;\\nunion isfuzzy=true AllEvents, UserSigninToSystems, UserFailedSigninToSystems, UserSigninDuringAbnormalHours, UserHadPrivilegedLogonSessions\\n};\\n// change {{Account_Name}} value below to the username you are interested in and {{Account_NTDomain}} to the domain of the user you are interested in\\nGetAllLogonsForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027) \\n| where RelatedRowSet =~ \u0027AllEvents\u0027 and EventID == 4625 and LogonTypeName == \u00272 - Interactive\u0027 | extend TimeGenerated=StartTime \\n| project Computer, WorkstationName, LogonTypeName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueryTemplates/11449689-6542-4867-86dc-56264abbd90c\",\"name\":\"11449689-6542-4867-86dc-56264abbd90c\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Failed network log-ins to a host\",\"content\":\"The user {{Account_Name}} logged on to host {{Computer}} {{Count}} time(s)\",\"description\":\"This activity lists the user\u0027s failed network log-ins, grouped by Host.\",\"queryDefinitions\":{\"query\":\"let GetAllLogonsForUser = (v_Account_Name:string, v_Account_NTDomain:string){\\nlet AllEvents = SecurityEvent\\n| extend p_Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nv_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nv_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\nv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\nv_Account_Name\\n)\\n| extend p_Account_NTDomain = case(\\nv_Account_NTDomain has \u0027\\\\\\\\\u0027, tostring(split(v_Account_NTDomain, \u0027\\\\\\\\\u0027)[0]), \\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nv_Account_NTDomain has \u0027@\u0027, tostring(split(tostring(split(v_Account_NTDomain, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nv_Account_NTDomain\\n)\\n| where EventID in (4624, 4625, 4672)\\n| where AccountType =~ \u0027User\u0027\\n| where TargetUserName =~ p_Account_Name and TargetDomainName =~ p_Account_NTDomain\\n| extend PassedInAccountName = p_Account_Name, PassedInNTDomain = p_Account_NTDomain, RelatedRowSet = \u0027AllEvents\u0027\\n| extend HourOfLogin = hourofday(TimeGenerated), DayNumberofWeek = dayofweek(TimeGenerated)\\n| extend DayofWeek = case(\\nDayNumberofWeek == \\\"00:00:00\\\", \\\"Sunday\\\", \\nDayNumberofWeek == \\\"1.00:00:00\\\", \\\"Monday\\\", \\nDayNumberofWeek == \\\"2.00:00:00\\\", \\\"Tuesday\\\", \\nDayNumberofWeek == \\\"3.00:00:00\\\", \\\"Wednesday\\\", \\nDayNumberofWeek == \\\"4.00:00:00\\\", \\\"Thursday\\\", \\nDayNumberofWeek == \\\"5.00:00:00\\\", \\\"Friday\\\", \\nDayNumberofWeek == \\\"6.00:00:00\\\", \\\"Saturday\\\",\\\"InvalidTimeStamp\\\")\\n// map the most common ntstatus codes\\n| extend StatusDesc = case(\\nStatus =~ \\\"0x80090302\\\", \\\"SEC_E_UNSUPPORTED_FUNCTION\\\",\\nStatus =~ \\\"0x80090308\\\", \\\"SEC_E_INVALID_TOKEN\\\",\\nStatus =~ \\\"0x8009030E\\\", \\\"SEC_E_NO_CREDENTIALS\\\",\\nStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nStatus =~ \\\"0xC0000017\\\", \\\"STATUS_NO_MEMORY\\\",\\nStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nStatus =~ \\\"0xC0000034\\\", \\\"STATUS_OBJECT_NAME_NOT_FOUND\\\",\\nStatus =~ \\\"0xC000005E\\\", \\\"STATUS_NO_LOGON_SERVERS\\\",\\nStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nStatus =~ \\\"0xC00000FE\\\", \\\"STATUS_NO_SUCH_PACKAGE\\\",\\nStatus =~ \\\"0xC000009A\\\", \\\"STATUS_INSUFFICIENT_RESOURCES\\\",\\nStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nStatus =~ \\\"0xC0000106\\\", \\\"STATUS_NAME_TOO_LONG\\\",\\nStatus =~ \\\"0xC000010B\\\", \\\"STATUS_INVALID_LOGON_TYPE\\\",\\nStatus =~ \\\"0xC000015B\\\", \\\"STATUS_LOGON_TYPE_NOT_GRANTED\\\",\\nStatus =~ \\\"0xC000018B\\\", \\\"STATUS_NO_TRUST_SAM_ACCOUNT\\\",\\nStatus =~ \\\"0xC0000224\\\", \\\"STATUS_PASSWORD_MUST_CHANGE\\\",\\nStatus =~ \\\"0xC0000234\\\", \\\"STATUS_ACCOUNT_LOCKED_OUT\\\",\\nStatus =~ \\\"0xC00002EE\\\", \\\"STATUS_UNFINISHED_CONTEXT_DELETED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| extend SubStatusDesc = case(\\nSubStatus =~ \\\"0x80090325\\\", \\\"SEC_E_UNTRUSTED_ROOT\\\",\\nSubStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nSubStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nSubStatus =~ \\\"0xC0000064\\\", \\\"STATUS_NO_SUCH_USER\\\",\\nSubStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nSubStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nSubStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nSubStatus =~ \\\"0xC000006F\\\", \\\"STATUS_INVALID_LOGON_HOURS\\\",\\nSubStatus =~ \\\"0xC0000070\\\", \\\"STATUS_INVALID_WORKSTATION\\\",\\nSubStatus =~ \\\"0xC0000071\\\", \\\"STATUS_PASSWORD_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000072\\\", \\\"STATUS_ACCOUNT_DISABLED\\\",\\nSubStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nSubStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nSubStatus =~ \\\"0xC0000133\\\", \\\"STATUS_TIME_DIFFERENCE_AT_DC\\\",\\nSubStatus =~ \\\"0xC000018D\\\", \\\"STATUS_TRUSTED_RELATIONSHIP_FAILURE\\\",\\nSubStatus =~ \\\"0xC0000193\\\", \\\"STATUS_ACCOUNT_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000380\\\", \\\"STATUS_SMARTCARD_WRONG_PIN\\\",\\nSubStatus =~ \\\"0xC0000381\\\", \\\"STATUS_SMARTCARD_CARD_BLOCKED\\\",\\nSubStatus =~ \\\"0xC0000382\\\", \\\"STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED\\\",\\nSubStatus =~ \\\"0xC0000383\\\", \\\"STATUS_SMARTCARD_NO_CARD\\\",\\nSubStatus =~ \\\"0xC0000384\\\", \\\"STATUS_SMARTCARD_NO_KEY_CONTAINER\\\",\\nSubStatus =~ \\\"0xC0000385\\\", \\\"STATUS_SMARTCARD_NO_CERTIFICATE\\\",\\nSubStatus =~ \\\"0xC0000386\\\", \\\"STATUS_SMARTCARD_NO_KEYSET\\\",\\nSubStatus =~ \\\"0xC0000387\\\", \\\"STATUS_SMARTCARD_IO_ERROR\\\",\\nSubStatus =~ \\\"0xC0000388\\\", \\\"STATUS_DOWNGRADE_DETECTED\\\",\\nSubStatus =~ \\\"0xC0000389\\\", \\\"STATUS_SMARTCARD_CERT_REVOKED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| project StartTime = TimeGenerated, DayofWeek, HourOfLogin, EventID, Activity, IpAddress, WorkstationName, Computer, TargetUserName, TargetDomainName, ProcessName, SubjectUserName, PrivilegeList, PassedInAccountName, PassedInNTDomain, LogonTypeName, StatusDesc, SubStatusDesc, RelatedRowSet \\n;\\nlet UserSigninToSystems = AllEvents\\n| where EventID == 4624\\n| project-away StatusDesc, SubStatusDesc, PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserSigninToSystems\u0027 ;\\nlet UserFailedSigninToSystems = AllEvents\\n| where EventID == 4625\\n| project-away PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserFailedSigninToSystems\u0027 ;\\nlet UserSigninDuringAbnormalHours = AllEvents\\n| where StartTime between (ago(14d)..ago(2d))\\n| where EventID in (4624,4625)\\n| where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n| summarize max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek) by TargetUserName\\n| join kind= inner\\n(\\n AllEvents\\n | where StartTime \u003e ago(2d)\\n | where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n)\\non TargetUserName\\n| where HourOfLogin \u003e max_HourOfLogin or HourOfLogin \u003c min_HourOfLogin\\n| extend historical_DayofWeek = tostring(historical_DayofWeek)\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), current_DayofWeek =make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName, StatusDesc, SubStatusDesc, historical_DayofWeek\\n| extend historical_DayofWeek = todynamic(historical_DayofWeek) \\n| extend RelatedRowSet = \u0027UserSigninDuringAbnormalHour\u0027; \\nlet UserHadPrivilegedLogonSessions = AllEvents\\n| where EventID == 4672\\n| where PrivilegeList contains \u0027SeDebugPrivilege\u0027\\n| project-away StatusDesc, SubStatusDesc\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, PrivilegeList\\n// Notice! summarize removes the TimeGenerated field, which is required for Activities.\\n| extend RelatedRowSet = \u0027UserHadPrivilegedLogonSessions\u0027 ;\\nunion isfuzzy=true AllEvents, UserSigninToSystems, UserFailedSigninToSystems, UserSigninDuringAbnormalHours, UserHadPrivilegedLogonSessions\\n};\\n// change {{Account_Name}} value below to the username you are interested in and {{Account_NTDomain}} to the domain of the user you are interested in\\nGetAllLogonsForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027) \\n| where RelatedRowSet =~ \u0027AllEvents\u0027 and EventID == 4625 and LogonTypeName == \u00273 - Network\u0027 | extend TimeGenerated=StartTime \\n| project Computer, WorkstationName, LogonTypeName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueryTemplates/686cf7e8-87c7-4391-8898-25adf1033a54\",\"name\":\"686cf7e8-87c7-4391-8898-25adf1033a54\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Failed remote interactive log-ins to a host\",\"content\":\"The user {{Account_Name}} failed to logged on to host {{Computer}} {{Count}} time(s)\",\"description\":\"This activity lists the user\u0027s failed remote interactive log-ins, grouped by Host.\",\"queryDefinitions\":{\"query\":\"let GetAllLogonsForUser = (v_Account_Name:string, v_Account_NTDomain:string){\\nlet AllEvents = SecurityEvent\\n| extend p_Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nv_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nv_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\nv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\nv_Account_Name\\n)\\n| extend p_Account_NTDomain = case(\\nv_Account_NTDomain has \u0027\\\\\\\\\u0027, tostring(split(v_Account_NTDomain, \u0027\\\\\\\\\u0027)[0]), \\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nv_Account_NTDomain has \u0027@\u0027, tostring(split(tostring(split(v_Account_NTDomain, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nv_Account_NTDomain\\n)\\n| where EventID in (4624, 4625, 4672)\\n| where AccountType =~ \u0027User\u0027\\n| where TargetUserName =~ p_Account_Name and TargetDomainName =~ p_Account_NTDomain\\n| extend PassedInAccountName = p_Account_Name, PassedInNTDomain = p_Account_NTDomain, RelatedRowSet = \u0027AllEvents\u0027\\n| extend HourOfLogin = hourofday(TimeGenerated), DayNumberofWeek = dayofweek(TimeGenerated)\\n| extend DayofWeek = case(\\nDayNumberofWeek == \\\"00:00:00\\\", \\\"Sunday\\\", \\nDayNumberofWeek == \\\"1.00:00:00\\\", \\\"Monday\\\", \\nDayNumberofWeek == \\\"2.00:00:00\\\", \\\"Tuesday\\\", \\nDayNumberofWeek == \\\"3.00:00:00\\\", \\\"Wednesday\\\", \\nDayNumberofWeek == \\\"4.00:00:00\\\", \\\"Thursday\\\", \\nDayNumberofWeek == \\\"5.00:00:00\\\", \\\"Friday\\\", \\nDayNumberofWeek == \\\"6.00:00:00\\\", \\\"Saturday\\\",\\\"InvalidTimeStamp\\\")\\n// map the most common ntstatus codes\\n| extend StatusDesc = case(\\nStatus =~ \\\"0x80090302\\\", \\\"SEC_E_UNSUPPORTED_FUNCTION\\\",\\nStatus =~ \\\"0x80090308\\\", \\\"SEC_E_INVALID_TOKEN\\\",\\nStatus =~ \\\"0x8009030E\\\", \\\"SEC_E_NO_CREDENTIALS\\\",\\nStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nStatus =~ \\\"0xC0000017\\\", \\\"STATUS_NO_MEMORY\\\",\\nStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nStatus =~ \\\"0xC0000034\\\", \\\"STATUS_OBJECT_NAME_NOT_FOUND\\\",\\nStatus =~ \\\"0xC000005E\\\", \\\"STATUS_NO_LOGON_SERVERS\\\",\\nStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nStatus =~ \\\"0xC00000FE\\\", \\\"STATUS_NO_SUCH_PACKAGE\\\",\\nStatus =~ \\\"0xC000009A\\\", \\\"STATUS_INSUFFICIENT_RESOURCES\\\",\\nStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nStatus =~ \\\"0xC0000106\\\", \\\"STATUS_NAME_TOO_LONG\\\",\\nStatus =~ \\\"0xC000010B\\\", \\\"STATUS_INVALID_LOGON_TYPE\\\",\\nStatus =~ \\\"0xC000015B\\\", \\\"STATUS_LOGON_TYPE_NOT_GRANTED\\\",\\nStatus =~ \\\"0xC000018B\\\", \\\"STATUS_NO_TRUST_SAM_ACCOUNT\\\",\\nStatus =~ \\\"0xC0000224\\\", \\\"STATUS_PASSWORD_MUST_CHANGE\\\",\\nStatus =~ \\\"0xC0000234\\\", \\\"STATUS_ACCOUNT_LOCKED_OUT\\\",\\nStatus =~ \\\"0xC00002EE\\\", \\\"STATUS_UNFINISHED_CONTEXT_DELETED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| extend SubStatusDesc = case(\\nSubStatus =~ \\\"0x80090325\\\", \\\"SEC_E_UNTRUSTED_ROOT\\\",\\nSubStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nSubStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nSubStatus =~ \\\"0xC0000064\\\", \\\"STATUS_NO_SUCH_USER\\\",\\nSubStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nSubStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nSubStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nSubStatus =~ \\\"0xC000006F\\\", \\\"STATUS_INVALID_LOGON_HOURS\\\",\\nSubStatus =~ \\\"0xC0000070\\\", \\\"STATUS_INVALID_WORKSTATION\\\",\\nSubStatus =~ \\\"0xC0000071\\\", \\\"STATUS_PASSWORD_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000072\\\", \\\"STATUS_ACCOUNT_DISABLED\\\",\\nSubStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nSubStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nSubStatus =~ \\\"0xC0000133\\\", \\\"STATUS_TIME_DIFFERENCE_AT_DC\\\",\\nSubStatus =~ \\\"0xC000018D\\\", \\\"STATUS_TRUSTED_RELATIONSHIP_FAILURE\\\",\\nSubStatus =~ \\\"0xC0000193\\\", \\\"STATUS_ACCOUNT_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000380\\\", \\\"STATUS_SMARTCARD_WRONG_PIN\\\",\\nSubStatus =~ \\\"0xC0000381\\\", \\\"STATUS_SMARTCARD_CARD_BLOCKED\\\",\\nSubStatus =~ \\\"0xC0000382\\\", \\\"STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED\\\",\\nSubStatus =~ \\\"0xC0000383\\\", \\\"STATUS_SMARTCARD_NO_CARD\\\",\\nSubStatus =~ \\\"0xC0000384\\\", \\\"STATUS_SMARTCARD_NO_KEY_CONTAINER\\\",\\nSubStatus =~ \\\"0xC0000385\\\", \\\"STATUS_SMARTCARD_NO_CERTIFICATE\\\",\\nSubStatus =~ \\\"0xC0000386\\\", \\\"STATUS_SMARTCARD_NO_KEYSET\\\",\\nSubStatus =~ \\\"0xC0000387\\\", \\\"STATUS_SMARTCARD_IO_ERROR\\\",\\nSubStatus =~ \\\"0xC0000388\\\", \\\"STATUS_DOWNGRADE_DETECTED\\\",\\nSubStatus =~ \\\"0xC0000389\\\", \\\"STATUS_SMARTCARD_CERT_REVOKED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| project StartTime = TimeGenerated, DayofWeek, HourOfLogin, EventID, Activity, IpAddress, WorkstationName, Computer, TargetUserName, TargetDomainName, ProcessName, SubjectUserName, PrivilegeList, PassedInAccountName, PassedInNTDomain, LogonTypeName, StatusDesc, SubStatusDesc, RelatedRowSet \\n;\\nlet UserSigninToSystems = AllEvents\\n| where EventID == 4624\\n| project-away StatusDesc, SubStatusDesc, PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserSigninToSystems\u0027 ;\\nlet UserFailedSigninToSystems = AllEvents\\n| where EventID == 4625\\n| project-away PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserFailedSigninToSystems\u0027 ;\\nlet UserSigninDuringAbnormalHours = AllEvents\\n| where StartTime between (ago(14d)..ago(2d))\\n| where EventID in (4624,4625)\\n| where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n| summarize max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek) by TargetUserName\\n| join kind= inner\\n(\\n AllEvents\\n | where StartTime \u003e ago(2d)\\n | where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n)\\non TargetUserName\\n| where HourOfLogin \u003e max_HourOfLogin or HourOfLogin \u003c min_HourOfLogin\\n| extend historical_DayofWeek = tostring(historical_DayofWeek)\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), current_DayofWeek =make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName, StatusDesc, SubStatusDesc, historical_DayofWeek\\n| extend historical_DayofWeek = todynamic(historical_DayofWeek) \\n| extend RelatedRowSet = \u0027UserSigninDuringAbnormalHour\u0027; \\nlet UserHadPrivilegedLogonSessions = AllEvents\\n| where EventID == 4672\\n| where PrivilegeList contains \u0027SeDebugPrivilege\u0027\\n| project-away StatusDesc, SubStatusDesc\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, PrivilegeList\\n// Notice! summarize removes the TimeGenerated field, which is required for Activities.\\n| extend RelatedRowSet = \u0027UserHadPrivilegedLogonSessions\u0027 ;\\nunion isfuzzy=true AllEvents, UserSigninToSystems, UserFailedSigninToSystems, UserSigninDuringAbnormalHours, UserHadPrivilegedLogonSessions\\n};\\n// change {{Account_Name}} value below to the username you are interested in and {{Account_NTDomain}} to the domain of the user you are interested in\\nGetAllLogonsForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027) \\n| where RelatedRowSet =~ \u0027AllEvents\u0027 and EventID == 4625 and LogonTypeName == \u002710 - RemoteInteractive\u0027 | extend TimeGenerated=StartTime \\n| project Computer, WorkstationName, LogonTypeName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueryTemplates/c6523929-5696-4e94-8a61-61aeb1c953d1\",\"name\":\"c6523929-5696-4e94-8a61-61aeb1c953d1\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Custom Script Extension execution (Preview)\",\"content\":\"The account {{Caller}} ran the custom script extension {{extName}} {{Count}} time(s)\",\"description\":\"This activity indicated Custom Script Extension execution\",\"queryDefinitions\":{\"query\":\"AzureActivity\\n| where OperationNameValue =~ \\\"MICROSOFT.COMPUTE/VIRTUALMACHINES/EXTENSIONS/WRITE\\\"\\n| where _ResourceId =~ \u0027{{AzureResource_ResourceId}}\u0027\\n| extend resBody = parse_json(Properties).responseBody\\n| where resBody != \\\"\\\"\\n| extend resBody = parse_json(tostring(resBody))\\n| extend extName = tostring(resBody.name), extType = resBody.properties.type\\n| where extType in (\\\"CustomScriptExtension\\\", \\\"CustomScript\\\", \\\"CustomScriptForLinux\\\")\\n| project TimeGenerated, Caller, _ResourceId, OperationNameValue, Resource, extType, extName \\n| project Caller, _ResourceId, extName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AzureActivity\"}],\"inputEntityType\":\"AzureResource\",\"requiredInputFieldsSets\":[[\"AzureResource_ResourceId\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueryTemplates/5a2b8371-8708-4e41-8613-b64bbcbd0199\",\"name\":\"5a2b8371-8708-4e41-8613-b64bbcbd0199\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Azure Key Vault sensitive operation\",\"content\":\"The operation {{OperationName}} was observed from the IP {{CallerIPAddress}} {{Count}} time(s)\",\"description\":\"This activity indicated sensitive operation of Azure Key Valut\",\"queryDefinitions\":{\"query\":\"let SensitiveOperationList = dynamic([\\\"VaultDelete\\\", \\\"KeyDelete\\\", \\\"SecretDelete\\\", \\\"SecretPurge\\\", \\\"KeyPurge\\\", \\\"SecretBackup\\\", \\\"KeyBackup\\\"]);\\n AzureDiagnostics\\n | where ResourceType == \\\"VAULTS\\\"\\n | where Category == \\\"AuditEvent\\\"\\n | where ResourceId =~ \u0027{{AzureResource_ResourceId}}\u0027\\n | extend Result = columnifexists(\\\"ResultType\\\", \\\"NoResult\\\")\\n | extend requestUri_s = columnifexists(\\\"requestUri_s\\\", \\\"None\\\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"None\\\")\\n | extend id_s = columnifexists(\\\"id_s\\\", \\\"None\\\"), CallerIPAddress = columnifexists(\\\"CallerIPAddress\\\", \\\"None\\\"), clientInfo_s = columnifexists(\\\"clientInfo_s\\\", \\\"None\\\")\\n | where Result !~ \\\"None\\\" and isnotempty(Result)\\n | where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \\\"None\\\" and isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\\n | where id_s !~ \\\"None\\\" and isnotempty(id_s)\\n | where CallerIPAddress !~ \\\"None\\\" and isnotempty(CallerIPAddress)\\n | where clientInfo_s !~ \\\"None\\\" and isnotempty(clientInfo_s)\\n | where requestUri_s !~ \\\"None\\\" and isnotempty(requestUri_s)\\n | where ResourceType =~ \\\"VAULTS\\\" and Result =~ \\\"Success\\\"\\n | where OperationName in~ (SensitiveOperationList)\\n | project TimeGenerated, ResourceId, Result, OperationName, CallerIPAddress \\n| project ResourceId, OperationName, CallerIPAddress, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AzureDiagnostics\"}],\"inputEntityType\":\"AzureResource\",\"requiredInputFieldsSets\":[[\"AzureResource_ResourceId\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueryTemplates/a8b50062-f80e-4331-a247-de0e10d7b83f\",\"name\":\"a8b50062-f80e-4331-a247-de0e10d7b83f\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Storage account keys list (Preview)\",\"content\":\"The account {{Caller}} retrieved the keys of the storage account {{_ResourceId}} {{Count}} time(s)\",\"description\":\"This activity indicated storage account keys list operation\",\"queryDefinitions\":{\"query\":\"AzureActivity\\n| where OperationNameValue =~ \\\"Microsoft.Storage/storageAccounts/listKeys/action\\\"\\n| where _ResourceId =~ \u0027{{AzureResource_ResourceId}}\u0027\\n| project TimeGenerated, Caller, _ResourceId, OperationNameValue, Resource \\n| project Caller, _ResourceId, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AzureActivity\"}],\"inputEntityType\":\"AzureResource\",\"requiredInputFieldsSets\":[[\"AzureResource_ResourceId\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueryTemplates/e24d372a-ce9a-424e-99ba-5894177365a0\",\"name\":\"e24d372a-ce9a-424e-99ba-5894177365a0\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Storage account keys list were regenerated (Preview)\",\"content\":\"The account {{Caller}} regenerated the keys of the storage account {{_ResourceId}} {{Count}} time(s)\",\"description\":\"This activity indicated storage account keys list regeneration\",\"queryDefinitions\":{\"query\":\"AzureActivity\\n| where OperationNameValue =~ \\\"MICROSOFT.STORAGE/STORAGEACCOUNTS/REGENERATEKEY/ACTION\\\"\\n| where _ResourceId =~ \u0027{{AzureResource_ResourceId}}\u0027\\n| project TimeGenerated, Caller, _ResourceId, OperationNameValue, Resource \\n| project Caller, _ResourceId, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AzureActivity\"}],\"inputEntityType\":\"AzureResource\",\"requiredInputFieldsSets\":[[\"AzureResource_ResourceId\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueryTemplates/2276eacb-9400-47e9-88c9-600b9b04ad81\",\"name\":\"2276eacb-9400-47e9-88c9-600b9b04ad81\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"VM Run Command execution (Preview)\",\"content\":\"The account {{Caller}} used Run Command on the VM {{Count}} time(s)\",\"description\":\"This activity indicates usage of Run Command\",\"queryDefinitions\":{\"query\":\"AzureActivity\\n| where OperationNameValue =~ \\\"MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION\\\"\\n| where _ResourceId =~ \u0027{{AzureResource_ResourceId}}\u0027\\n| project TimeGenerated, Caller, _ResourceId, OperationNameValue, Resource \\n| project Caller, _ResourceId, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AzureActivity\"}],\"inputEntityType\":\"AzureResource\",\"requiredInputFieldsSets\":[[\"AzureResource_ResourceId\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueryTemplates/0aa3626b-30dd-4731-9d1e-39872a73949c\",\"name\":\"0aa3626b-30dd-4731-9d1e-39872a73949c\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"VM access extension execution (Preview)\",\"content\":\"The account {{Caller}} ran VM Access extension on the VM {{Count}} time(s)\",\"description\":\"This activity indicated VM access extension execution\",\"queryDefinitions\":{\"query\":\"AzureActivity\\n| where OperationNameValue =~ \\\"MICROSOFT.COMPUTE/VIRTUALMACHINES/EXTENSIONS/WRITE\\\"\\n| where _ResourceId =~ \u0027{{AzureResource_ResourceId}}\u0027\\n| extend resBody = parse_json(Properties).responseBody\\n| where resBody != \\\"\\\"\\n| extend resBody = parse_json(tostring(resBody))\\n| extend extName = resBody.name, extType = resBody.properties.type\\n| where extType in (\\\"VMAccessAgent\\\", \\\"VMAccessForLinux\\\")\\n| project TimeGenerated, Caller, _ResourceId, OperationNameValue, Resource \\n| project Caller, _ResourceId, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AzureActivity\"}],\"inputEntityType\":\"AzureResource\",\"requiredInputFieldsSets\":[[\"AzureResource_ResourceId\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueryTemplates/307c85ee-39a2-4da3-952e-4fd79aa46d3a\",\"name\":\"307c85ee-39a2-4da3-952e-4fd79aa46d3a\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was created on this host\",\"content\":\"On \u0027{{Computer}}\u0027 the account \u0027{{TargetAccount}}\u0027 was created by \u0027{{AddedBy}}\u0027\",\"description\":\"Account created on host\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)\\n// parsing for Host to handle variety of conventions coming from data\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| where (isnotempty(v_Host_Name) and Host_HostName=~ v_Host_Name and isnotempty(v_Host_NTDomain) and Host_NTDomain =~ v_Host_NTDomain) \\nor (isnotempty(v_Host_Name) and Host_HostName =~ v_Host_Name and isnotempty(v_Host_NTDomain) and isnotempty(v_Host_DnsDomain) and Host_DnsDomain =~ v_Host_DnsDomain) \\nor (isnotempty(v_Host_AzureID) and v_Host_AzureID =~ _ResourceId)\\nor (isnotempty(v_Host_OMSAgentID) and v_Host_OMSAgentID == SourceComputerId)\\n| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid, _ResourceId, SourceComputerId\\n| extend AddedBy = SubjectUserName\\n// Future support for Activities\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = TargetAccount\\n};\\nGetAccountActions(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027) \\n| where EventID == 4720 \\n| project Computer, TargetAccount, AddedBy, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueryTemplates/31529548-dbd2-4d5d-8270-710330cdcec7\",\"name\":\"31529548-dbd2-4d5d-8270-710330cdcec7\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was deleted on this host\",\"content\":\"On \u0027{{Computer}}\u0027 the account \u0027{{TargetAccount}}\u0027 was deleted by \u0027{{AddedBy}}\u0027\",\"description\":\"Account deleted on host\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)\\n// parsing for Host to handle variety of conventions coming from data\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| where (isnotempty(v_Host_Name) and Host_HostName=~ v_Host_Name and isnotempty(v_Host_NTDomain) and Host_NTDomain =~ v_Host_NTDomain) \\nor (isnotempty(v_Host_Name) and Host_HostName =~ v_Host_Name and isnotempty(v_Host_NTDomain) and isnotempty(v_Host_DnsDomain) and Host_DnsDomain =~ v_Host_DnsDomain) \\nor (isnotempty(v_Host_AzureID) and v_Host_AzureID =~ _ResourceId)\\nor (isnotempty(v_Host_OMSAgentID) and v_Host_OMSAgentID == SourceComputerId)\\n| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid, _ResourceId, SourceComputerId\\n| extend AddedBy = SubjectUserName\\n// Future support for Activities\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = TargetAccount\\n};\\nGetAccountActions(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027) \\n| where EventID == 4726 \\n| project Computer, TargetAccount, AddedBy, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueryTemplates/37d8da04-1fe3-406f-a1a0-a3763f7ec16c\",\"name\":\"37d8da04-1fe3-406f-a1a0-a3763f7ec16c\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Dropped, blocked, or denied network traffic on this host\",\"content\":\"\u0027{{DeviceAction}}\u0027 network traffic from \u0027{{SourceIP}}\u0027 to \u0027{{DestinationIP}}\u0027 via port \u0027{{DestinationPort}}\u0027\",\"description\":\"Dropped, blocked, or denied network traffic originating from a specific host.\",\"queryDefinitions\":{\"query\":\"let CommonSecurityEvents = (v_Host_HostName:string) {\\nCommonSecurityLog\\n| where DeviceVendor in~ (\\\"drop\\\", \\\"dropped\\\", \\\"deny\\\", \\\"denied\\\", \\\"block\\\", \\\"blocked\\\")\\n| extend hostname = iff(\\n DeviceVendor =~ \\\"zscalar\\\",\\n extract(@\\\"devicehostname=([^;]+)\\\", 1, AdditionalExtensions),\\n iff(DeviceVendor in~ (\\\"palo alto\\\", \\\"fortinet\\\", \\\"check point\\\") and isnotempty(SourceHostName), SourceHostName, \\\"Unknown\\\"))\\n| where hostname != \\\"Unknown\\\" and hostname != \\\"NA\\\"\\n| extend hostname = case(\\nSourceHostName has \u0027@\u0027, tostring(split(SourceHostName, \u0027@\u0027)[0]),\\nSourceHostName has \u0027\\\\\\\\\u0027, tostring(split(SourceHostName, \u0027\\\\\\\\\u0027)[1]),\\nSourceHostName has \u0027.\u0027, tostring(split(SourceHostName, \u0027.\u0027)[0]),\\nhostname\\n)\\n| where hostname == v_Host_HostName // Use the provided hostname parameter for filtering\\n| project DestinationIP, DestinationPort, SourceIP, DeviceAction, TimeGenerated\\n};\\n// Calling the function with the input hostname parameter\\nCommonSecurityEvents(\u0027{{Host_HostName}}\u0027) \\n| project DestinationIP, DestinationPort, SourceIP, DeviceAction, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"CommonSecurityLog\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueryTemplates/2fcda698-9526-454f-8fe0-4a0fd7af13f2\",\"name\":\"2fcda698-9526-454f-8fe0-4a0fd7af13f2\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Security Event log cleared by account on this host\",\"content\":\"On \u0027{{Computer}}\u0027 the user \u0027{{SubjectAccount}}\u0027 cleared the \u0027{{LogName}}\u0027 log, EventID: \u0027{{EventID}}\u0027\",\"description\":\"Security Event log cleared by account\",\"queryDefinitions\":{\"query\":\"let SystemAccount = datatable(AccountName:string)[\u0027NT AUTHORITY\\\\\\\\SYSTEM\u0027, \u0027NT AUTHORITY\\\\\\\\NETWORK SERVICE\u0027, \u0027NT AUTHORITY\\\\\\\\LOCAL SERVICE\u0027, \u0027NT AUTHORITY\\\\\\\\IUSR\u0027, \u0027NTAUTHORITY\\\\\\\\ANONYMOUS LOGON\u0027];\\nlet SvcAcctList = dynamic([\\\"Local SYSTEM\\\",\\\"Local SERVICE\\\",\\\"Network SERVICE\\\",\\\"NT AUTHORITY\\\"]);\\nlet ServiceAccount = SecurityEvent\\n| where EventID == \u00274624\u0027 and LogonType == \u00275\u0027 and not(Account has_any (SvcAcctList))\\n| extend AccountName = Account\\n| distinct AccountName;\\nlet MachineAccount = SecurityEvent\\n| where EventID == \u00274624\u0027 and AccountType == \\\"Machine\\\" and not(Account has_any (SvcAcctList))\\n| extend AccountName = Account\\n| distinct AccountName;\\nlet Accounts = union isfuzzy=true SystemAccount, ServiceAccount, MachineAccount;\\nlet source = \u0027Microsoft-Windows-Eventlog\u0027;\\nlet tableFunc = (tableName:string, event:int){\\ntable(tableName) \\n| where EventID == event\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| extend SourceComputerId = column_ifexists(\\\"SourceComputerId\\\", \\\"NotAvailable\\\"), EventOriginId = column_ifexists(\\\"EventOriginId\\\", \\\"NotAvailable\\\")\\n| parse EventData with * \u0027SubjectUserName\u003e\u0027 SubjectUserName \u0027\u003c\u0027 *\\n| parse EventData with * \u0027SubjectUserSid\u003e\u0027 SubjectUserSid \u0027\u003c\u0027 *\\n| parse EventData with * \u0027SubjectLogonId\u003e\u0027 SubjectLogonId \u0027\u003c\u0027 *\\n| parse EventData with * \u0027SubjectDomainName\u003e\u0027 SubjectDomainName \u0027\u003c\u0027 *\\n| extend SubjectAccount = strcat(SubjectDomainName, \u0027\\\\\\\\\u0027, SubjectUserName)\\n};\\nlet HostClearedEventLog = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string)\\n{\\nlet Event104 = tableFunc(\u0027Event\u0027, event=104)\\n| where Source =~ source\\n| where (isnotempty(v_Host_Name) and Host_HostName=~ v_Host_Name and isnotempty(v_Host_NTDomain) and Host_NTDomain =~ v_Host_NTDomain) \\nor (isnotempty(v_Host_Name) and Host_HostName =~ v_Host_Name and isnotempty(v_Host_NTDomain) and isnotempty(v_Host_DnsDomain) and Host_DnsDomain =~ v_Host_DnsDomain) \\nor (isnotempty(v_Host_AzureID) and v_Host_AzureID =~ _ResourceId)\\nor (isnotempty(v_Host_OMSAgentID) and v_Host_OMSAgentID == SourceComputerId)\\n| parse RenderedDescription with * \u0027The\u0027 LogName \u0027log\u0027 *\\n| project TimeGenerated, Computer, EventID, SubjectAccount, SubjectUserName, SubjectDomainName, LogName, SubjectUserSid, SubjectLogonId, SourceComputerId, EventOriginId, _ResourceId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount, HostCustomEntity = Computer;\\nlet Event1102 = tableFunc(\u0027SecurityEvent\u0027, event=1102)\\n| where EventSourceName == source\\n| where (isnotempty(v_Host_Name) and Host_HostName=~ v_Host_Name and isnotempty(v_Host_NTDomain) and Host_NTDomain =~ v_Host_NTDomain) \\nor (isnotempty(v_Host_Name) and Host_HostName =~ v_Host_Name and isnotempty(v_Host_NTDomain) and isnotempty(v_Host_DnsDomain) and Host_DnsDomain =~ v_Host_DnsDomain) \\nor (isnotempty(v_Host_AzureID) and v_Host_AzureID =~ _ResourceId)\\nor (isnotempty(v_Host_OMSAgentID) and v_Host_OMSAgentID == SourceComputerId)\\n| extend LogName = \u0027Security\u0027\\n| project TimeGenerated, Computer, EventID, SubjectAccount, SubjectUserName, SubjectDomainName, LogName, SubjectUserSid, SubjectLogonId, SourceComputerId, EventOriginId, _ResourceId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount, HostCustomEntity = Computer;\\nunion isfuzzy=true Event104, Event1102\\n};\\nHostClearedEventLog(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027) \\n| where LogName =~ \u0027Security\u0027 \\n| project Computer, SubjectAccount, LogName, EventID, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"},{\"dataType\":\"Event\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueryTemplates/3ff675ee-3052-4e0b-88ad-f34ed1732adc\",\"name\":\"3ff675ee-3052-4e0b-88ad-f34ed1732adc\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Event log(s) cleared by account on this host\",\"content\":\"On \u0027{{Computer}}\u0027 the user \u0027{{SubjectAccount}}\u0027 cleared the \u0027{{LogName}}\u0027 log, EventID: \u0027{{EventID}}\u0027\",\"description\":\"Event logs cleared by account\",\"queryDefinitions\":{\"query\":\"let SystemAccount = datatable(AccountName:string)[\u0027NT AUTHORITY\\\\\\\\SYSTEM\u0027, \u0027NT AUTHORITY\\\\\\\\NETWORK SERVICE\u0027, \u0027NT AUTHORITY\\\\\\\\LOCAL SERVICE\u0027, \u0027NT AUTHORITY\\\\\\\\IUSR\u0027, \u0027NTAUTHORITY\\\\\\\\ANONYMOUS LOGON\u0027];\\nlet SvcAcctList = dynamic([\\\"Local SYSTEM\\\",\\\"Local SERVICE\\\",\\\"Network SERVICE\\\",\\\"NT AUTHORITY\\\"]);\\nlet ServiceAccount = SecurityEvent\\n| where EventID == \u00274624\u0027 and LogonType == \u00275\u0027 and not(Account has_any (SvcAcctList))\\n| extend AccountName = Account\\n| distinct AccountName;\\nlet MachineAccount = SecurityEvent\\n| where EventID == \u00274624\u0027 and AccountType == \\\"Machine\\\" and not(Account has_any (SvcAcctList))\\n| extend AccountName = Account\\n| distinct AccountName;\\nlet Accounts = union isfuzzy=true SystemAccount, ServiceAccount, MachineAccount;\\nlet source = \u0027Microsoft-Windows-Eventlog\u0027;\\nlet tableFunc = (tableName:string, event:int){\\ntable(tableName) \\n| where EventID == event\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| extend SourceComputerId = column_ifexists(\\\"SourceComputerId\\\", \\\"NotAvailable\\\"), EventOriginId = column_ifexists(\\\"EventOriginId\\\", \\\"NotAvailable\\\")\\n| parse EventData with * \u0027SubjectUserName\u003e\u0027 SubjectUserName \u0027\u003c\u0027 *\\n| parse EventData with * \u0027SubjectUserSid\u003e\u0027 SubjectUserSid \u0027\u003c\u0027 *\\n| parse EventData with * \u0027SubjectLogonId\u003e\u0027 SubjectLogonId \u0027\u003c\u0027 *\\n| parse EventData with * \u0027SubjectDomainName\u003e\u0027 SubjectDomainName \u0027\u003c\u0027 *\\n| extend SubjectAccount = strcat(SubjectDomainName, \u0027\\\\\\\\\u0027, SubjectUserName)\\n};\\nlet HostClearedEventLog = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string)\\n{\\nlet Event104 = tableFunc(\u0027Event\u0027, event=104)\\n| where Source =~ source\\n| where (isnotempty(v_Host_Name) and Host_HostName=~ v_Host_Name and isnotempty(v_Host_NTDomain) and Host_NTDomain =~ v_Host_NTDomain) \\nor (isnotempty(v_Host_Name) and Host_HostName =~ v_Host_Name and isnotempty(v_Host_NTDomain) and isnotempty(v_Host_DnsDomain) and Host_DnsDomain =~ v_Host_DnsDomain) \\nor (isnotempty(v_Host_AzureID) and v_Host_AzureID =~ _ResourceId)\\nor (isnotempty(v_Host_OMSAgentID) and v_Host_OMSAgentID == SourceComputerId)\\n| parse RenderedDescription with * \u0027The\u0027 LogName \u0027log\u0027 *\\n| project TimeGenerated, Computer, EventID, SubjectAccount, SubjectUserName, SubjectDomainName, LogName, SubjectUserSid, SubjectLogonId, SourceComputerId, EventOriginId, _ResourceId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount, HostCustomEntity = Computer;\\nlet Event1102 = tableFunc(\u0027SecurityEvent\u0027, event=1102)\\n| where EventSourceName == source\\n| where (isnotempty(v_Host_Name) and Host_HostName=~ v_Host_Name and isnotempty(v_Host_NTDomain) and Host_NTDomain =~ v_Host_NTDomain) \\nor (isnotempty(v_Host_Name) and Host_HostName =~ v_Host_Name and isnotempty(v_Host_NTDomain) and isnotempty(v_Host_DnsDomain) and Host_DnsDomain =~ v_Host_DnsDomain) \\nor (isnotempty(v_Host_AzureID) and v_Host_AzureID =~ _ResourceId)\\nor (isnotempty(v_Host_OMSAgentID) and v_Host_OMSAgentID == SourceComputerId)\\n| extend LogName = \u0027Security\u0027\\n| project TimeGenerated, Computer, EventID, SubjectAccount, SubjectUserName, SubjectDomainName, LogName, SubjectUserSid, SubjectLogonId, SourceComputerId, EventOriginId, _ResourceId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount, HostCustomEntity = Computer;\\nunion isfuzzy=true Event104, Event1102\\n};\\nHostClearedEventLog(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027) \\n| where LogName !~ \u0027Security\u0027 \\n| project Computer, SubjectAccount, LogName, EventID, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"},{\"dataType\":\"Event\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueryTemplates/b880ad94-f905-4ba8-8a3f-9088b19b12fa\",\"name\":\"b880ad94-f905-4ba8-8a3f-9088b19b12fa\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was added to the local Administrators group\",\"content\":\"On \u0027{{Computer}}\u0027 the user \u0027{{MemberAdded}}\u0027 was added by \u0027{{AddedBy}}\u0027 to group: \u0027{{GroupName}}\u0027\",\"description\":\"Account added to local Administrators group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForHost = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n// parsing for Host to handle variety of conventions coming from data\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| where (isnotempty(v_Host_Name) and Host_HostName=~ v_Host_Name and isnotempty(v_Host_NTDomain) and Host_NTDomain =~ v_Host_NTDomain) \\nor (isnotempty(v_Host_Name) and Host_HostName =~ v_Host_Name and isnotempty(v_Host_NTDomain) and isnotempty(v_Host_DnsDomain) and Host_DnsDomain =~ v_Host_DnsDomain) \\nor (isnotempty(v_Host_AzureID) and v_Host_AzureID =~ _ResourceId)\\nor (isnotempty(v_Host_OMSAgentID) and v_Host_OMSAgentID == SourceComputerId)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName) \\n| project TimeGenerated, EventID, Activity, Computer, MemberAdded, MemberName, MemberSid, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectUserName, SubjectUserSid, WellKnownGroupSID, WellKnownLocalSID, _ResourceId, SourceComputerId\\n| extend GroupName = TargetUserName, AddedBy = SubjectUserName\\n//support for Activities\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer\\n};\\nGetGroupAddForHost(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027) \\n| where TargetSid == \u0027S-1-5-32-544\u0027 \\n| project Computer, MemberAdded, AddedBy, GroupName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueryTemplates/aaad22c3-be50-465f-b258-8570d629c3db\",\"name\":\"aaad22c3-be50-465f-b258-8570d629c3db\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was added to the Domain Admins group\",\"content\":\"On \u0027{{Computer}}\u0027 the user \u0027{{MemberAdded}}\u0027 was added by \u0027{{AddedBy}}\u0027 to group: \u0027{{GroupName}}\u0027\",\"description\":\"Account added to the Domain Admins group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForHost = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n// parsing for Host to handle variety of conventions coming from data\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| where (isnotempty(v_Host_Name) and Host_HostName=~ v_Host_Name and isnotempty(v_Host_NTDomain) and Host_NTDomain =~ v_Host_NTDomain) \\nor (isnotempty(v_Host_Name) and Host_HostName =~ v_Host_Name and isnotempty(v_Host_NTDomain) and isnotempty(v_Host_DnsDomain) and Host_DnsDomain =~ v_Host_DnsDomain) \\nor (isnotempty(v_Host_AzureID) and v_Host_AzureID =~ _ResourceId)\\nor (isnotempty(v_Host_OMSAgentID) and v_Host_OMSAgentID == SourceComputerId)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName) \\n| project TimeGenerated, EventID, Activity, Computer, MemberAdded, MemberName, MemberSid, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectUserName, SubjectUserSid, WellKnownGroupSID, WellKnownLocalSID, _ResourceId, SourceComputerId\\n| extend GroupName = TargetUserName, AddedBy = SubjectUserName\\n//support for Activities\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer\\n};\\nGetGroupAddForHost(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027) \\n| where TargetSid matches regex \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-512$\u0027 \\n| project Computer, MemberAdded, AddedBy, GroupName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueryTemplates/cf3469b3-f64c-4ae2-9900-289617443d74\",\"name\":\"cf3469b3-f64c-4ae2-9900-289617443d74\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was added to the Enterprise Admins group\",\"content\":\"On \u0027{{Computer}}\u0027 the user \u0027{{MemberAdded}}\u0027 was added by \u0027{{AddedBy}}\u0027 to group: \u0027{{GroupName}}\u0027\",\"description\":\"Account added to the Enterprise Admins group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForHost = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n// parsing for Host to handle variety of conventions coming from data\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| where (isnotempty(v_Host_Name) and Host_HostName=~ v_Host_Name and isnotempty(v_Host_NTDomain) and Host_NTDomain =~ v_Host_NTDomain) \\nor (isnotempty(v_Host_Name) and Host_HostName =~ v_Host_Name and isnotempty(v_Host_NTDomain) and isnotempty(v_Host_DnsDomain) and Host_DnsDomain =~ v_Host_DnsDomain) \\nor (isnotempty(v_Host_AzureID) and v_Host_AzureID =~ _ResourceId)\\nor (isnotempty(v_Host_OMSAgentID) and v_Host_OMSAgentID == SourceComputerId)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName) \\n| project TimeGenerated, EventID, Activity, Computer, MemberAdded, MemberName, MemberSid, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectUserName, SubjectUserSid, WellKnownGroupSID, WellKnownLocalSID, _ResourceId, SourceComputerId\\n| extend GroupName = TargetUserName, AddedBy = SubjectUserName\\n//support for Activities\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer\\n};\\nGetGroupAddForHost(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027) \\n| where TargetSid matches regex \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-519$\u0027 \\n| project Computer, MemberAdded, AddedBy, GroupName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueryTemplates/5ba7b064-c667-4bb9-b8ac-7e87872ae479\",\"name\":\"5ba7b064-c667-4bb9-b8ac-7e87872ae479\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Account added to a privileged group\",\"content\":\"On \u0027{{Computer}}\u0027 the user \u0027{{MemberAdded}}\u0027 was added by \u0027{{AddedBy}}\u0027 to group: \u0027{{GroupName}}\u0027\",\"description\":\"Account added to privileged group.\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForHost = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n// parsing for Host to handle variety of conventions coming from data\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| where (isnotempty(v_Host_Name) and Host_HostName=~ v_Host_Name and isnotempty(v_Host_NTDomain) and Host_NTDomain =~ v_Host_NTDomain) \\nor (isnotempty(v_Host_Name) and Host_HostName =~ v_Host_Name and isnotempty(v_Host_NTDomain) and isnotempty(v_Host_DnsDomain) and Host_DnsDomain =~ v_Host_DnsDomain) \\nor (isnotempty(v_Host_AzureID) and v_Host_AzureID =~ _ResourceId)\\nor (isnotempty(v_Host_OMSAgentID) and v_Host_OMSAgentID == SourceComputerId)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName) \\n| project TimeGenerated, EventID, Activity, Computer, MemberAdded, MemberName, MemberSid, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectUserName, SubjectUserSid, WellKnownGroupSID, WellKnownLocalSID, _ResourceId, SourceComputerId\\n| extend GroupName = TargetUserName, AddedBy = SubjectUserName\\n//support for Activities\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer\\n};\\nGetGroupAddForHost(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027) \\n| where (TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID) and TargetSid != \u0027S-1-5-32-544\u0027 and not(TargetSid matches regex \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-512$\u0027) and not(TargetSid matches regex \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-519$\u0027) \\n| project Computer, MemberAdded, AddedBy, GroupName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueryTemplates/290032e9-c52e-4e66-841a-7428f0b356bb\",\"name\":\"290032e9-c52e-4e66-841a-7428f0b356bb\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was created on this host\",\"content\":\"On \u0027{{Computer}}\u0027 the account \u0027{{User}}\u0027 was created by sudo\",\"description\":\"Account created on Host\",\"queryDefinitions\":{\"query\":\"let AllUserEvents = (v_Host_Name:string, v_Host_AzureID:string) {\\nSyslog\\n| where Computer == v_Host_Name or v_Host_AzureID == _ResourceId\\n| where Facility == \u0027authpriv\u0027\\n| where ProcessName in~ (\u0027useradd\u0027,\u0027userdel\u0027)\\n| where SyslogMessage startswith \u0027new user:\u0027 or SyslogMessage startswith \u0027delete user \u0027\\n| extend User = case(SyslogMessage startswith \u0027new user:\u0027, tostring(split(tostring(split(SyslogMessage, \u0027name=\u0027)[1]), \u0027,\u0027)[0]),\\nSyslogMessage startswith \u0027delete user \u0027, tostring(split(SyslogMessage, \\\"\u0027\\\")[1]),\\n\u0027Not Available\u0027)\\n| extend Action = case( SyslogMessage startswith \u0027new user\u0027, \u0027new user\u0027, SyslogMessage startswith \u0027delete user\u0027, \u0027delete user\u0027, \u0027None\u0027)\\n| project TimeGenerated, Computer, HostIP, User, Facility, ProcessName, Action, SyslogMessage, _ResourceId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, AccountCustomEntity = User\\n};\\nAllUserEvents(\u0027{{Host_HostName}}\u0027, \u0027{{Host_AzureID}}\u0027) \\n| where Action == \u0027new user\u0027 \\n| project Computer, User, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"Syslog\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\"],[\"Host_AzureID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Linux\"]}}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueryTemplates/ce9e87c7-2ffa-42cb-92e5-f1a4f21f007a\",\"name\":\"ce9e87c7-2ffa-42cb-92e5-f1a4f21f007a\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was deleted on this host\",\"content\":\"On \u0027{{Computer}}\u0027 the account \u0027{{User}}\u0027 was deleted by sudo\",\"description\":\"Account deleted on Host\",\"queryDefinitions\":{\"query\":\"let AllUserEvents = (v_Host_Name:string, v_Host_AzureID:string) {\\nSyslog\\n| where Computer == v_Host_Name or v_Host_AzureID == _ResourceId\\n| where Facility == \u0027authpriv\u0027\\n| where ProcessName in~ (\u0027useradd\u0027,\u0027userdel\u0027)\\n| where SyslogMessage startswith \u0027new user:\u0027 or SyslogMessage startswith \u0027delete user \u0027\\n| extend User = case(SyslogMessage startswith \u0027new user:\u0027, tostring(split(tostring(split(SyslogMessage, \u0027name=\u0027)[1]), \u0027,\u0027)[0]),\\nSyslogMessage startswith \u0027delete user \u0027, tostring(split(SyslogMessage, \\\"\u0027\\\")[1]),\\n\u0027Not Available\u0027)\\n| extend Action = case( SyslogMessage startswith \u0027new user\u0027, \u0027new user\u0027, SyslogMessage startswith \u0027delete user\u0027, \u0027delete user\u0027, \u0027None\u0027)\\n| project TimeGenerated, Computer, HostIP, User, Facility, ProcessName, Action, SyslogMessage, _ResourceId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, AccountCustomEntity = User\\n};\\nAllUserEvents(\u0027{{Host_HostName}}\u0027, \u0027{{Host_AzureID}}\u0027) \\n| where Action == \u0027delete user\u0027 \\n| project Computer, User, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"Syslog\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\"],[\"Host_AzureID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Linux\"]}}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueryTemplates/46aeae2d-187c-41f9-b8d6-9d75c43bce0a\",\"name\":\"46aeae2d-187c-41f9-b8d6-9d75c43bce0a\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was added to the sudo group\",\"content\":\"On \u0027{{Computer}}\u0027 the user \u0027{{User}}\u0027 was added by \u0027{{AcctMakingChange}}\u0027 to group: \u0027{{Group}}\u0027\",\"description\":\"Account added to the sudo group\",\"queryDefinitions\":{\"query\":\"let AllUserEvents = (v_Host_Name:string, v_Host_AzureID:string) {\\nSyslog\\n| where Computer == v_Host_Name or v_Host_AzureID == _ResourceId\\n| where Facility == \u0027authpriv\u0027\\n| where SyslogMessage !startswith \\\"omsagent\\\"\\n| where SyslogMessage has \u0027COMMAND\u0027 or ProcessName in~ (\u0027gpasswd\u0027, \u0027useradd\u0027, \u0027userdel\u0027)\\n| parse SyslogMessage with * \u0027user \u0027 User \u0027 \u0027 Verb \u0027 by \u0027 AcctMakingChange \u0027 \u0027 Preposition \u0027 group \u0027 Group\\n| extend Group = case(\\nSyslogMessage startswith \u0027removed group\u0027 or SyslogMessage startswith \u0027removed shadow group\u0027, tostring(split(SyslogMessage, \\\"\u0027\\\")[1]), \\nSyslogMessage startswith \u0027new group\u0027, tostring(split(tostring(split(SyslogMessage, \u0027=\u0027)[1]),\u0027,\u0027)[0]),\\nGroup)\\n| extend Action = case(\\nisnotempty(Verb) or isnotempty(Preposition), strcat(Verb, \u0027 \u0027, Preposition),\\nSyslogMessage startswith \u0027new group\u0027, \u0027new group\u0027,\\nSyslogMessage startswith \u0027removed group\u0027, \u0027removed group\u0027,\\nSyslogMessage startswith \u0027removed shadow group\u0027, \u0027removed shadow group\u0027,\\n\u0027None\u0027)\\n| where isnotempty(Action) and Action != \u0027None\u0027 and isnotempty(Group)\\n| project TimeGenerated, Computer, HostIP, User, Action, Group, Facility, ProcessName, AcctMakingChange, SyslogMessage, _ResourceId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, AccountCustomEntity = User\\n};\\nAllUserEvents(\u0027{{Host_HostName}}\u0027, \u0027{{Host_AzureID}}\u0027) \\n| where Action =~ \u0027added to\u0027 and Group =~ \u0027sudo\u0027 \\n| project Computer, User, AcctMakingChange, Group, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"Syslog\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\"],[\"Host_AzureID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Linux\"]}}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueryTemplates/e24dd437-c65e-40e1-8d59-cd303ad4496a\",\"name\":\"e24dd437-c65e-40e1-8d59-cd303ad4496a\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was removed from the sudo group\",\"content\":\"On \u0027{{Computer}}\u0027 the user \u0027{{User}}\u0027 was added by \u0027{{AcctMakingChange}}\u0027 to group: \u0027{{Group}}\u0027\",\"description\":\"Account removed from sudo group\",\"queryDefinitions\":{\"query\":\"let AllUserEvents = (v_Host_Name:string, v_Host_AzureID:string) {\\nSyslog\\n| where Computer == v_Host_Name or v_Host_AzureID == _ResourceId\\n| where Facility == \u0027authpriv\u0027\\n| where SyslogMessage !startswith \\\"omsagent\\\"\\n| where SyslogMessage has \u0027COMMAND\u0027 or ProcessName in~ (\u0027gpasswd\u0027, \u0027useradd\u0027, \u0027userdel\u0027)\\n| parse SyslogMessage with * \u0027user \u0027 User \u0027 \u0027 Verb \u0027 by \u0027 AcctMakingChange \u0027 \u0027 Preposition \u0027 group \u0027 Group\\n| extend Group = case(\\nSyslogMessage startswith \u0027removed group\u0027 or SyslogMessage startswith \u0027removed shadow group\u0027, tostring(split(SyslogMessage, \\\"\u0027\\\")[1]), \\nSyslogMessage startswith \u0027new group\u0027, tostring(split(tostring(split(SyslogMessage, \u0027=\u0027)[1]),\u0027,\u0027)[0]),\\nGroup)\\n| extend Action = case(\\nisnotempty(Verb) or isnotempty(Preposition), strcat(Verb, \u0027 \u0027, Preposition),\\nSyslogMessage startswith \u0027new group\u0027, \u0027new group\u0027,\\nSyslogMessage startswith \u0027removed group\u0027, \u0027removed group\u0027,\\nSyslogMessage startswith \u0027removed shadow group\u0027, \u0027removed shadow group\u0027,\\n\u0027None\u0027)\\n| where isnotempty(Action) and Action != \u0027None\u0027 and isnotempty(Group)\\n| project TimeGenerated, Computer, HostIP, User, Action, Group, Facility, ProcessName, AcctMakingChange, SyslogMessage, _ResourceId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, AccountCustomEntity = User\\n};\\nAllUserEvents(\u0027{{Host_HostName}}\u0027, \u0027{{Host_AzureID}}\u0027) \\n| where Action =~ \u0027removed from\u0027 and Group =~ \u0027sudo\u0027 \\n| project Computer, User, AcctMakingChange, Group, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"Syslog\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\"],[\"Host_AzureID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Linux\"]}}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueryTemplates/c91cb743-7c6c-4ccf-b066-13448c9c085c\",\"name\":\"c91cb743-7c6c-4ccf-b066-13448c9c085c\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Windows Defender Application Control activities on this host\",\"content\":\"{{FriendlyActivityName}} by {{InitiatingProcessAccountUpn}} {{Count}} time(s)\",\"description\":\"Microsoft Defender Application Control activities\",\"queryDefinitions\":{\"query\":\"let AppControlEvents=(v_Host_HostName:string, v_Host_NTDomain:string, v_Host_DnsDomain:string){\\nlet p_FullDeviceName = iff(isnotempty(v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_NTDomain));\\nlet AppControls=datatable(ActionType:string, Description:string, FriendlyActivityName:string)\\n [\\\"AppControlAppInstallationAudited\\\", \\\"Application control detected the installation of an untrusted app.\\\",\\\"Untrusted app installed\\\"\\n ,\\\"AppControlAppInstallationBlocked\\\", \\\"Application control blocked the installation of an untrusted app.\\\", \\\"Untrusted app installation blocked\\\"\\n ,\\\"AppControlCodeIntegrityDriverRevoked\\\", \\\"Application control found a driver with a revoked certificate.\\\", \\\"Driver with revoked certificate detected\\\"\\n ,\\\"AppControlCodeIntegrityImageRevoked\\\", \\\"Application control found an executable file with a revoked certificate.\\\", \\\"Executable with revoked certificate detected\\\"\\n ,\\\"AppControlExecutableAudited\\\",\\\"Application control detected the use of an untrusted executable.\\\",\\\"Untrusted executable used\\\"\\n ,\\\"AppControlExecutableBlocked\\\",\\\"Application control blocked the use of an untrusted executable.\\\",\\\"Untrusted executable blocked\\\"\\n ,\\\"AppControlScriptAudited\\\", \\\"Application control detected the use of an untrusted script.\\\", \\\"Untrusted script detected\\\"\\n ,\\\"AppControlScriptBlocked\\\", \\\"Application control blocked the use of an untrusted script.\\\", \\\"Untrusted script blocked\\\" ];\\nDeviceEvents\\n| where ActionType in (AppControls) \\n| where DeviceName ==p_FullDeviceName\\n| lookup AppControls on ActionType\\n};\\nAppControlEvents(\u0027{{Host_HostName}}\u0027,\u0027{{Host_NTDomain}}\u0027,\u0027{{Host_DnsDomain}}\u0027) \\n| project DeviceName, ActionType, FriendlyActivityName, InitiatingProcessAccountUpn, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"DeviceEvents\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueryTemplates/c7def1db-6a27-45dc-bee0-0c5fd5e7f1fe\",\"name\":\"c7def1db-6a27-45dc-bee0-0c5fd5e7f1fe\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Screenshot taken\",\"content\":\"The user \u0027{{InitiatingProcessAccountUpn}}\u0027 has taken {{Count}} screenshot(s) on the host\",\"description\":\"A screenshot was taken on the host\",\"queryDefinitions\":{\"query\":\"let ScreenshotTakers= (v_Host_HostName:string, v_Host_NTDomain:string, v_Host_DnsDomain:string){\\n let p_FullDeviceName = iff(isnotempty(v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_NTDomain) );\\n DeviceEvents \\n | where ActionType ==\u0027ScreenshotTaken\u0027 \\n | where DeviceName =~ p_FullDeviceName\\n};\\nScreenshotTakers(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027) \\n| where 1==1 \\n| project InitiatingProcessAccountName, InitiatingProcessAccountUpn, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"DeviceEvents\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueryTemplates/8d0e9356-be1e-45ac-9403-d0ac3f1605b7\",\"name\":\"8d0e9356-be1e-45ac-9403-d0ac3f1605b7\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Exploit protection blocked the launch of a process from an image file that is not signed by Microsoft\",\"content\":\"Launch of unsigned file \u0027{{FileName}}\u0027 by process \u0027{{InitiatingProcessFileName}}\u0027 initiated by \u0027{{InitiatingProcessAccountName}}\u0027 was blocked. \",\"description\":\"Exploit protection blocked the launch of a process from an image file that is not signed by Microsoft\",\"queryDefinitions\":{\"query\":\"let NonMSSignedBlocked= (v_Host_HostName:string, v_Host_NTDomain:string, v_Host_DnsDomain:string){\\n let p_FullDeviceName = iff(isnotempty(v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_NTDomain) );\\n DeviceEvents\\n | where ActionType in (\\\"ExploitGuardNonMicrosoftSignedBlocked\\\", \\\"ExploitGuardNonMicrosoftSignedAudited\\\") \\n and FileName !hassuffix \u0027.ni.dll\u0027\\n | where DeviceName =~ p_FullDeviceName\\n | project TimeGenerated\\n , FileName\\n ,InitiatingProcessFileName\\n , InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessAccountSid\\n , DeviceName , ActionType\\n};\\nNonMSSignedBlocked(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027) \\n| where ActionType =~ \u0027ExploitGuardNonMicrosoftSignedBlocked\u0027 \\n| project FileName, InitiatingProcessFileName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessAccountSid, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"DeviceEvents\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueryTemplates/3ff80327-7c54-449d-95d4-613848f7d60b\",\"name\":\"3ff80327-7c54-449d-95d4-613848f7d60b\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Exploit protection detected the launch of a process from an image file that is not signed by Microsoft\",\"content\":\"Launch of unsigned file \u0027{{FileName}}\u0027 by process \u0027{{InitiatingProcessFileName}}\u0027 initiated by \u0027{{InitiatingProcessAccountName}}\u0027 was audited.\",\"description\":\"Exploit protection detected the launch of a process from an image file that is not signed by Microsoft\",\"queryDefinitions\":{\"query\":\"let NonMSSignedBlocked= (v_Host_HostName:string, v_Host_NTDomain:string, v_Host_DnsDomain:string){\\n let p_FullDeviceName = iff(isnotempty(v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_NTDomain) );\\n DeviceEvents\\n | where ActionType in (\\\"ExploitGuardNonMicrosoftSignedBlocked\\\", \\\"ExploitGuardNonMicrosoftSignedAudited\\\") \\n and FileName !hassuffix \u0027.ni.dll\u0027\\n | where DeviceName =~ p_FullDeviceName\\n | project TimeGenerated\\n , FileName\\n ,InitiatingProcessFileName\\n , InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessAccountSid\\n , DeviceName , ActionType\\n};\\nNonMSSignedBlocked(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027) \\n| where ActionType =~ \u0027ExploitGuardNonMicrosoftSignedAudited\u0027 \\n| project FileName, InitiatingProcessFileName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessAccountSid, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"DeviceEvents\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueryTemplates/3f7059b2-67ea-4fc1-af34-37f5fc69a630\",\"name\":\"3f7059b2-67ea-4fc1-af34-37f5fc69a630\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Windows Defender Antivirus activities on this host\",\"content\":\"Window Defender Antivirus \u0027{{ActionType}}\u0027 activity was spotted on Host {{Host_HostName}}\",\"description\":\"Windows Defender Antivirus activities\",\"queryDefinitions\":{\"query\":\"let AntivirusEvents=(v_Host_HostName:string, v_Host_NTDomain:string, v_Host_DnsDomain:string){\\nlet Severity= datatable(ActionType:string, Severity:int)[\\\"AntivirusMalwareActionFailed\\\",1,\\\"AntivirusDetection\\\",2,\\\"AntivirusScanFailed\\\",3, \\\"AntivirusError\\\",4, \\\"AntivirusDefinitionsUpdateFailed\\\",5];\\nlet p_FullDeviceName = iff(isnotempty(v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_NTDomain));\\nDeviceEvents\\n| where ActionType hasprefix \\\"Antivirus\\\" and ActionType !in( \\\"AntivirusReport\\\", \\\"AntivirusScanCompleted\\\", \\\"AntivirusDefinitionsUpdated\\\",\\\"AntivirusEmergencyUpdatesInstalled\\\")\\n| where DeviceName ==p_FullDeviceName\\n| lookup Severity on ActionType};\\nAntivirusEvents(\u0027{{Host_HostName}}\u0027,\u0027{{Host_NTDomain}}\u0027,\u0027{{Host_DnsDomain}}\u0027) \\n| where ActionType !in( \\\"AntivirusReport\\\", \\\"AntivirusScanCompleted\\\", \\\"AntivirusDefinitionsUpdated\\\",\\\"AntivirusEmergencyUpdatesInstalled\\\") \\n| project ActionType, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"DeviceEvents\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}}]}", "isContentBase64": false } }, - "Get-AzSentinelEntityQueryTemplate+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/d6d08c94-455f-4ea5-8f76-fc6c0c442cfa?api-version=2021-09-01-preview+2": { + "Get-AzSentinelEntityQueryTemplate+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueryTemplates/d6d08c94-455f-4ea5-8f76-fc6c0c442cfa?api-version=2021-09-01-preview+2": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/d6d08c94-455f-4ea5-8f76-fc6c0c442cfa?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueryTemplates/d6d08c94-455f-4ea5-8f76-fc6c0c442cfa?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "204" ], - "x-ms-client-request-id": [ "bf1f16ba-68bf-4f44-a7f1-d6fff69d2bea" ], + "x-ms-unique-id": [ "47" ], + "x-ms-client-request-id": [ "d01b1f23-d0fe-414e-b808-11b740cbffc1" ], "CommandName": [ "Get-AzSentinelentityQueryTemplate" ], "FullCommandName": [ "Get-AzSentinelEntityQueryTemplate_Get" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], + "User-Agent": [ "AzurePowershell/v15.4.0", "PSVersion/v7.6.0", "Az.SecurityInsights/3.2.1" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { @@ -104,21 +112,25 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11961" ], - "x-ms-request-id": [ "2e400cd0-12a6-472c-9458-afbcc31a2a31" ], - "x-ms-correlation-request-id": [ "2e400cd0-12a6-472c-9458-afbcc31a2a31" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160729Z:2e400cd0-12a6-472c-9458-afbcc31a2a31" ], + "Vary": [ "Accept-Encoding" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "1099" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/3b2b553e-08b8-4988-85b3-4f77ec6cd061" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-ratelimit-remaining-subscription-global-reads": [ "16499" ], + "x-ms-request-id": [ "7d7f9c37-fc0a-4873-b7a5-61bda2ae1479" ], + "x-ms-correlation-request-id": [ "7d7f9c37-fc0a-4873-b7a5-61bda2ae1479" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074449Z:7d7f9c37-fc0a-4873-b7a5-61bda2ae1479" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:07:29 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: 164AE483848640CC830C34833CAA75DF Ref B: AMS231020512027 Ref C: 2026-03-25T07:44:48Z" ], + "Date": [ "Wed, 25 Mar 2026 07:44:48 GMT" ] }, "ContentHeaders": { "Content-Length": [ "3224" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/d6d08c94-455f-4ea5-8f76-fc6c0c442cfa\",\"name\":\"d6d08c94-455f-4ea5-8f76-fc6c0c442cfa\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user has created an account\",\"content\":\"The user {{InitiatedByAccount}} has created the account {{TargetAccount}} {{Count}} time(s)\",\"description\":\"This activity displays account creation events performed by the user\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (Account_Name:string, Account_NTDomain:string, Account_UPNSuffix:string, Account_AadUserId:string, Account_Sid:string){\\nlet Account_UPN = strcat(Account_Name, \u0027@\u0027, Account_UPNSuffix);\\nlet Account_Win = strcat(Account_NTDomain,\u0027\\\\\\\\\u0027, Account_Name);\\nunion isfuzzy=true\\n(AuditLogs\\n | where tostring(bag_keys(InitiatedBy)[0]) == \\\"user\\\"\\n | where OperationName in~ (\u0027Add user\u0027, \u0027Update user\u0027, \u0027Delete user\u0027, \u0027Change user password\u0027, \u0027Reset user password\u0027, \u0027Reset password (by admin)\u0027, \u0027Change password (self-service)\u0027, \u0027Reset password (self-service)\u0027)\\n | where Account_UPN =~ tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName) or Account_AadUserId =~ tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend InitiatedByAccount = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | parse InitiatedByAccount with userName:string \u0027@\u0027 userUpnSuffix:string\\n | extend InitiatedByAADUserId = tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend TargetAccount = tostring(TargetResources[0].userPrincipalName)\\n | parse TargetAccount with TargetAccountName:string \u0027@\u0027 TargetAccountUPNSuffix:string\\n | extend TargetAADUserId = tostring(TargetResources[0].id)\\n | extend Action = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[0])))\\n | extend ModifiedProperty = tostring(parse_json(Action).displayName), ModifiedValue = tostring(parse_json(Action).newValue)\\n | extend DisableUser = iif(ModifiedProperty =~ \u0027AccountEnabled\u0027 and ModifiedValue =~ \u0027[false]\u0027, \u0027True\u0027, \u0027False\u0027)\\n),\\n(SecurityEvent\\n | where AccountType =~ \\\"user\\\" or isempty(AccountType)\\n | where EventID in (4720, 4722, 4723, 4724, 4725, 4726, 4740)\\n | where Account_Win =~ SubjectAccount or Account_Sid =~ SubjectUserSid\\n | parse TargetAccount with TargetAccountNTDomain \u0027\\\\\\\\\u0027 TargetAccountName\\n | extend InitiatedByAccount = SubjectAccount, InitiatedByUserSid = SubjectUserSid, OperationName = tostring(EventID), ModifiedProperty = Activity\\n)\\n};\\nGetAccountActions(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_AadUserId}}\u0027, \u0027{{Account_Sid}}\u0027) \\n| where OperationName in~ (\u0027Add user\u0027, \u00274720\u0027) \\n| project InitiatedByAccount, TargetAccount, TargetSid, TargetAADUserId, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AuditLogs\"},{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AadUserId\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}}", + "Content": "{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueryTemplates/d6d08c94-455f-4ea5-8f76-fc6c0c442cfa\",\"name\":\"d6d08c94-455f-4ea5-8f76-fc6c0c442cfa\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user has created an account\",\"content\":\"The user {{InitiatedByAccount}} has created the account {{TargetAccount}} {{Count}} time(s)\",\"description\":\"This activity displays account creation events performed by the user\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (Account_Name:string, Account_NTDomain:string, Account_UPNSuffix:string, Account_AadUserId:string, Account_Sid:string){\\nlet Account_UPN = strcat(Account_Name, \u0027@\u0027, Account_UPNSuffix);\\nlet Account_Win = strcat(Account_NTDomain,\u0027\\\\\\\\\u0027, Account_Name);\\nunion isfuzzy=true\\n(AuditLogs\\n | where tostring(bag_keys(InitiatedBy)[0]) == \\\"user\\\"\\n | where OperationName in~ (\u0027Add user\u0027, \u0027Update user\u0027, \u0027Delete user\u0027, \u0027Change user password\u0027, \u0027Reset user password\u0027, \u0027Reset password (by admin)\u0027, \u0027Change password (self-service)\u0027, \u0027Reset password (self-service)\u0027)\\n | where Account_UPN =~ tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName) or Account_AadUserId =~ tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend InitiatedByAccount = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | parse InitiatedByAccount with userName:string \u0027@\u0027 userUpnSuffix:string\\n | extend InitiatedByAADUserId = tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend TargetAccount = tostring(TargetResources[0].userPrincipalName)\\n | parse TargetAccount with TargetAccountName:string \u0027@\u0027 TargetAccountUPNSuffix:string\\n | extend TargetAADUserId = tostring(TargetResources[0].id)\\n | extend Action = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[0])))\\n | extend ModifiedProperty = tostring(parse_json(Action).displayName), ModifiedValue = tostring(parse_json(Action).newValue)\\n | extend DisableUser = iif(ModifiedProperty =~ \u0027AccountEnabled\u0027 and ModifiedValue =~ \u0027[false]\u0027, \u0027True\u0027, \u0027False\u0027)\\n),\\n(SecurityEvent\\n | where AccountType =~ \\\"user\\\" or isempty(AccountType)\\n | where EventID in (4720, 4722, 4723, 4724, 4725, 4726, 4740)\\n | where Account_Win =~ SubjectAccount or Account_Sid =~ SubjectUserSid\\n | parse TargetAccount with TargetAccountNTDomain \u0027\\\\\\\\\u0027 TargetAccountName\\n | extend InitiatedByAccount = SubjectAccount, InitiatedByUserSid = SubjectUserSid, OperationName = tostring(EventID), ModifiedProperty = Activity\\n)\\n};\\nGetAccountActions(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_AadUserId}}\u0027, \u0027{{Account_Sid}}\u0027) \\n| where OperationName in~ (\u0027Add user\u0027, \u00274720\u0027) \\n| project InitiatedByAccount, TargetAccount, TargetSid, TargetAADUserId, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AuditLogs\"},{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AadUserId\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}}", "isContentBase64": false } } diff --git a/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelEntityTimeline.Recording.json b/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelEntityTimeline.Recording.json index b47fcd0a430d..367c327ea5b6 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelEntityTimeline.Recording.json +++ b/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelEntityTimeline.Recording.json @@ -1,17 +1,17 @@ { - "Get-AzSentinelEntityTimeline+[NoContext]+ListExpanded+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entities?api-version=2021-09-01-preview+1": { + "Get-AzSentinelEntityTimeline+[NoContext]+ListExpanded+$GET+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entities?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entities?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entities?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "205" ], - "x-ms-client-request-id": [ "2ec57016-bc84-4571-8584-02edd5bdab17" ], + "x-ms-unique-id": [ "48" ], + "x-ms-client-request-id": [ "e9c24f8d-9c2c-4abd-97ca-2bcf3229a054" ], "CommandName": [ "Get-AzSentinelentity" ], "FullCommandName": [ "Get-AzSentinelEntity_List" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], + "User-Agent": [ "AzurePowershell/v15.4.0", "PSVersion/v7.6.0", "Az.SecurityInsights/3.2.1" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { @@ -22,35 +22,39 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11960" ], - "x-ms-request-id": [ "fbffee43-bc69-4dda-b717-fddd3a2a68db" ], - "x-ms-correlation-request-id": [ "fbffee43-bc69-4dda-b717-fddd3a2a68db" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160730Z:fbffee43-bc69-4dda-b717-fddd3a2a68db" ], + "Vary": [ "Accept-Encoding" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "1099" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/fa1eaea9-8789-49fc-83ef-16f1ddd17688" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-ratelimit-remaining-subscription-global-reads": [ "16499" ], + "x-ms-request-id": [ "f5c6234e-9acc-4d19-8ac7-72a5f8ad71d2" ], + "x-ms-correlation-request-id": [ "f5c6234e-9acc-4d19-8ac7-72a5f8ad71d2" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074450Z:f5c6234e-9acc-4d19-8ac7-72a5f8ad71d2" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:07:30 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: 19AFF193543743FBAB059B20CF0FBA3F Ref B: AMS231020512027 Ref C: 2026-03-25T07:44:50Z" ], + "Date": [ "Wed, 25 Mar 2026 07:44:50 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "461" ], + "Content-Length": [ "482" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"value\":[{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d\",\"name\":\"f76e8451-9f40-544f-61e4-33a50dca269d\",\"type\":\"Microsoft.SecurityInsights/entities\",\"kind\":\"Ip\",\"properties\":{\"address\":\"175.45.176.99\",\"additionalData\":{\"AlertCount\":\"5\"},\"friendlyName\":\"175.45.176.99\"}}]}", + "Content": "{\"value\":[{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d\",\"name\":\"f76e8451-9f40-544f-61e4-33a50dca269d\",\"type\":\"Microsoft.SecurityInsights/entities\",\"kind\":\"Ip\",\"properties\":{\"address\":\"175.45.176.99\",\"additionalData\":{\"AlertCount\":\"5\",\"IsExactMatch\":false},\"friendlyName\":\"175.45.176.99\"}}]}", "isContentBase64": false } }, - "Get-AzSentinelEntityTimeline+[NoContext]+ListExpanded+$POST+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d/getTimeline?api-version=2021-09-01-preview+2": { + "Get-AzSentinelEntityTimeline+[NoContext]+ListExpanded+$POST+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d/getTimeline?api-version=2021-09-01-preview+2": { "Request": { "Method": "POST", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d/getTimeline?api-version=2021-09-01-preview", - "Content": "{\n \"startTime\": \"2022-08-15T04:00:00.0000000+00:00\",\n \"endTime\": \"2022-08-16T04:00:00.0000000+00:00\"\n}", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d/getTimeline?api-version=2021-09-01-preview", + "Content": "{\r\n \"startTime\": \"2026-03-24T09:00:00.0000000+02:00\",\r\n \"endTime\": \"2026-03-25T09:00:00.0000000+02:00\"\r\n}", "isContentBase64": false, "Headers": { }, "ContentHeaders": { "Content-Type": [ "application/json" ], - "Content-Length": [ "104" ] + "Content-Length": [ "107" ] } }, "Response": { @@ -58,14 +62,17 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11959" ], - "x-ms-request-id": [ "1b8c739e-1bd8-422d-a3f5-fd5933df6785" ], - "x-ms-correlation-request-id": [ "1b8c739e-1bd8-422d-a3f5-fd5933df6785" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160733Z:1b8c739e-1bd8-422d-a3f5-fd5933df6785" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/9117cb9c-dd6b-446d-a878-6646ce444752" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "1099" ], + "x-ms-ratelimit-remaining-subscription-global-reads": [ "16499" ], + "x-ms-request-id": [ "26219c0a-1d29-48b7-a222-8659899f5635" ], + "x-ms-correlation-request-id": [ "26219c0a-1d29-48b7-a222-8659899f5635" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074452Z:26219c0a-1d29-48b7-a222-8659899f5635" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:07:32 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: 0D5432E51A214D4595B540B043DB231D Ref B: AMS231020512027 Ref C: 2026-03-25T07:44:51Z" ], + "Date": [ "Wed, 25 Mar 2026 07:44:51 GMT" ] }, "ContentHeaders": { "Content-Length": [ "152" ], diff --git a/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelIncident.Recording.json b/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelIncident.Recording.json index 9b420cb75828..d578b4683c83 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelIncident.Recording.json +++ b/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelIncident.Recording.json @@ -1,17 +1,17 @@ { - "Get-AzSentinelIncident+[NoContext]+List+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents?api-version=2021-09-01-preview+1": { + "Get-AzSentinelIncident+[NoContext]+List+$GET+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/incidents?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/incidents?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "207" ], - "x-ms-client-request-id": [ "0c9d6dcb-80c0-4733-8b09-9f326f1824b9" ], + "x-ms-unique-id": [ "50" ], + "x-ms-client-request-id": [ "814da38e-019a-407c-9a7e-80dccb251b9f" ], "CommandName": [ "Get-AzSentinelincident" ], "FullCommandName": [ "Get-AzSentinelIncident_List" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], + "User-Agent": [ "AzurePowershell/v15.4.0", "PSVersion/v7.6.0", "Az.SecurityInsights/3.2.1" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { @@ -22,37 +22,41 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11958" ], - "x-ms-request-id": [ "739fa3e1-03f6-41c7-bf18-3f2c1870488d" ], - "x-ms-correlation-request-id": [ "739fa3e1-03f6-41c7-bf18-3f2c1870488d" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160733Z:739fa3e1-03f6-41c7-bf18-3f2c1870488d" ], + "Vary": [ "Accept-Encoding" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "1099" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/ae536726-8f86-4e95-9636-51f84d31d437" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-ratelimit-remaining-subscription-global-reads": [ "16499" ], + "x-ms-request-id": [ "0f1015ce-d7e9-4b7b-93b6-49531967fa10" ], + "x-ms-correlation-request-id": [ "0f1015ce-d7e9-4b7b-93b6-49531967fa10" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074453Z:0f1015ce-d7e9-4b7b-93b6-49531967fa10" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:07:33 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: 4865CB7E80514C8088A16C1B5B49C1CE Ref B: AMS231020512027 Ref C: 2026-03-25T07:44:53Z" ], + "Date": [ "Wed, 25 Mar 2026 07:44:52 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "26513" ], + "Content-Length": [ "26518" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"value\":[{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/e6be0e56-c636-4b4b-9793-6f3c0f345a46\",\"name\":\"e6be0e56-c636-4b4b-9793-6f3c0f345a46\",\"etag\":\"\\\"4a005452-0000-0100-0000-62fbc0450000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdateViaIdincidentRelationIncidentNames9xv50\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-08-16T16:05:25.2815442Z\",\"createdTimeUtc\":\"2022-08-16T16:05:25.0149382Z\",\"incidentNumber\":21,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/e6be0e56-c636-4b4b-9793-6f3c0f345a46\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"21\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/20c587be-2ccb-4fd4-aea6-cce3754722dd\",\"name\":\"20c587be-2ccb-4fd4-aea6-cce3754722dd\",\"etag\":\"\\\"4a004e52-0000-0100-0000-62fbc0260000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdateincidentRelationIncidentNamegz4803\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-08-16T16:04:54.7835869Z\",\"createdTimeUtc\":\"2022-08-16T16:04:54.5583695Z\",\"incidentNumber\":20,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/20c587be-2ccb-4fd4-aea6-cce3754722dd\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"20\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/b2ae0920-7287-4d85-a609-bf6c7e651630\",\"name\":\"b2ae0920-7287-4d85-a609-bf6c7e651630\",\"etag\":\"\\\"4a004252-0000-0100-0000-62fbc0060000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"RemoveViaIdincidentRelationIncidentNameg1b6wx\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-08-16T16:04:22.942031Z\",\"createdTimeUtc\":\"2022-08-16T16:04:22.6913248Z\",\"incidentNumber\":19,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/b2ae0920-7287-4d85-a609-bf6c7e651630\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"19\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/bd3104a8-2b2d-4934-bef4-5fc4c04ef055\",\"name\":\"bd3104a8-2b2d-4934-bef4-5fc4c04ef055\",\"etag\":\"\\\"4a003652-0000-0100-0000-62fbbfe70000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"RemoveincidentRelationIncidentNamecz4ioj\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-08-16T16:03:51.5477653Z\",\"createdTimeUtc\":\"2022-08-16T16:03:51.0612525Z\",\"incidentNumber\":18,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/bd3104a8-2b2d-4934-bef4-5fc4c04ef055\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"18\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/524da4fb-3888-4446-9e92-12183ac2eaab\",\"name\":\"524da4fb-3888-4446-9e92-12183ac2eaab\",\"etag\":\"\\\"4a002d52-0000-0100-0000-62fbbfc70000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"GetincidentRelationIncidentName8sjnvu\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-08-16T16:03:19.056371Z\",\"createdTimeUtc\":\"2022-08-16T16:03:18.8268747Z\",\"incidentNumber\":17,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/524da4fb-3888-4446-9e92-12183ac2eaab\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"17\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/b5e65719-0b65-4dd0-a4b0-da2bbad915a5\",\"name\":\"b5e65719-0b65-4dd0-a4b0-da2bbad915a5\",\"etag\":\"\\\"4a00f351-0000-0100-0000-62fbbfa60000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdateViaIdincidentCommentjf7t0g\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-08-16T16:02:46.970405Z\",\"createdTimeUtc\":\"2022-08-16T16:02:46.7008255Z\",\"incidentNumber\":16,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":1,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/b5e65719-0b65-4dd0-a4b0-da2bbad915a5\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"16\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/71e8df01-919c-45c1-b526-bc145e411eee\",\"name\":\"71e8df01-919c-45c1-b526-bc145e411eee\",\"etag\":\"\\\"4a00d951-0000-0100-0000-62fbbf870000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdateincidentCommentgi1a7c\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-08-16T16:02:15.7570363Z\",\"createdTimeUtc\":\"2022-08-16T16:02:15.3377476Z\",\"incidentNumber\":15,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":1,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/71e8df01-919c-45c1-b526-bc145e411eee\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"15\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/ac97c565-75c1-40ab-a8e1-334c04dda7d0\",\"name\":\"ac97c565-75c1-40ab-a8e1-334c04dda7d0\",\"etag\":\"\\\"4a00c251-0000-0100-0000-62fbbf610000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"RemoveViaIdincidentCommentjd165a\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-08-16T16:01:37.6171004Z\",\"createdTimeUtc\":\"2022-08-16T16:01:37.1895215Z\",\"incidentNumber\":14,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":1,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/ac97c565-75c1-40ab-a8e1-334c04dda7d0\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"14\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/1f6bbf1d-7f2d-4435-84f7-2be61d9e090d\",\"name\":\"1f6bbf1d-7f2d-4435-84f7-2be61d9e090d\",\"etag\":\"\\\"4a00af51-0000-0100-0000-62fbbf410000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"RemoveincidentCommenteny0g2\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-08-16T16:01:05.7124022Z\",\"createdTimeUtc\":\"2022-08-16T16:01:05.3290956Z\",\"incidentNumber\":13,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":1,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/1f6bbf1d-7f2d-4435-84f7-2be61d9e090d\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"13\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/8b193352-f109-474f-84ce-3b3908d0e288\",\"name\":\"8b193352-f109-474f-84ce-3b3908d0e288\",\"etag\":\"\\\"4a009751-0000-0100-0000-62fbbf210000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"GetincidentCommentcpthi1\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-08-16T16:00:33.9316207Z\",\"createdTimeUtc\":\"2022-08-16T16:00:33.6021829Z\",\"incidentNumber\":12,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":1,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/8b193352-f109-474f-84ce-3b3908d0e288\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"12\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/c259dc23-cd2e-4b7f-bd9d-286e7cae6366\",\"name\":\"c259dc23-cd2e-4b7f-bd9d-286e7cae6366\",\"etag\":\"\\\"4a007051-0000-0100-0000-62fbbf000000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-08-16T16:00:00.5994057Z\",\"createdTimeUtc\":\"2022-08-16T16:00:00.5994057Z\",\"incidentNumber\":11,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/c259dc23-cd2e-4b7f-bd9d-286e7cae6366\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"11\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/905e7dec-fd14-42df-9ed5-c4df09445158\",\"name\":\"905e7dec-fd14-42df-9ed5-c4df09445158\",\"etag\":\"\\\"4a005e51-0000-0100-0000-62fbbee00000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-08-16T15:59:28.733771Z\",\"createdTimeUtc\":\"2022-08-16T15:59:28.733771Z\",\"incidentNumber\":10,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/905e7dec-fd14-42df-9ed5-c4df09445158\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"10\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/fdc66a29-9153-4079-894f-9d92f19fb0d9\",\"name\":\"fdc66a29-9153-4079-894f-9d92f19fb0d9\",\"etag\":\"\\\"4a004d51-0000-0100-0000-62fbbec10000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-08-16T15:58:57.2230955Z\",\"createdTimeUtc\":\"2022-08-16T15:58:57.2230955Z\",\"incidentNumber\":9,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/fdc66a29-9153-4079-894f-9d92f19fb0d9\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"9\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/3c0d63a6-5274-4c2c-82fa-d209415ca9bf\",\"name\":\"3c0d63a6-5274-4c2c-82fa-d209415ca9bf\",\"etag\":\"\\\"4a004151-0000-0100-0000-62fbbea10000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-08-16T15:58:25.8766719Z\",\"createdTimeUtc\":\"2022-08-16T15:58:25.8766719Z\",\"incidentNumber\":8,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/3c0d63a6-5274-4c2c-82fa-d209415ca9bf\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"8\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/3342699a-d07d-4c2d-964a-49e90b5c1e9f\",\"name\":\"3342699a-d07d-4c2d-964a-49e90b5c1e9f\",\"etag\":\"\\\"4a001651-0000-0100-0000-62fbbe820000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-08-16T15:57:54.290729Z\",\"createdTimeUtc\":\"2022-08-16T15:57:54.290729Z\",\"incidentNumber\":7,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/3342699a-d07d-4c2d-964a-49e90b5c1e9f\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"7\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/68e94645-a3b4-4595-9bfe-0d5370f5c8dd\",\"name\":\"68e94645-a3b4-4595-9bfe-0d5370f5c8dd\",\"etag\":\"\\\"4a00c950-0000-0100-0000-62fbbda80000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdateViaIdbookmarkRelationIncidentNamel2rnui\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-08-16T15:54:16.8017033Z\",\"createdTimeUtc\":\"2022-08-16T15:54:16.168895Z\",\"incidentNumber\":6,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/68e94645-a3b4-4595-9bfe-0d5370f5c8dd\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"6\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/6f90c814-29fb-4d2d-8188-360a8df4a559\",\"name\":\"6f90c814-29fb-4d2d-8188-360a8df4a559\",\"etag\":\"\\\"4a00bd50-0000-0100-0000-62fbbd8a0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdatebookmarkRelationIncidentNamedejagn\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-08-16T15:53:46.0785179Z\",\"createdTimeUtc\":\"2022-08-16T15:53:45.3576615Z\",\"incidentNumber\":5,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/6f90c814-29fb-4d2d-8188-360a8df4a559\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"5\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/62ce8785-21b2-4262-be4d-5208b35d255a\",\"name\":\"62ce8785-21b2-4262-be4d-5208b35d255a\",\"etag\":\"\\\"4a00a950-0000-0100-0000-62fbbd690000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"RemoveViaIdbookmarkRelationIncidentName5g6qnd\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-08-16T15:53:13.4795073Z\",\"createdTimeUtc\":\"2022-08-16T15:53:13.2096924Z\",\"incidentNumber\":4,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/62ce8785-21b2-4262-be4d-5208b35d255a\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"4\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/fba327a0-b301-4d1c-918c-23aec8e03323\",\"name\":\"fba327a0-b301-4d1c-918c-23aec8e03323\",\"etag\":\"\\\"4a009250-0000-0100-0000-62fbbd560000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"RemovebookmarkRelationIncidentNamebfrwvc\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-08-16T15:52:54.1214758Z\",\"createdTimeUtc\":\"2022-08-16T15:52:41.6535212Z\",\"incidentNumber\":3,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/fba327a0-b301-4d1c-918c-23aec8e03323\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"3\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/7feca4d4-3414-403b-96ad-4cb1d105fec2\",\"name\":\"7feca4d4-3414-403b-96ad-4cb1d105fec2\",\"etag\":\"\\\"4a006950-0000-0100-0000-62fbbd240000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"GetbookmarkRelationIncidentName75xtbo\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-08-16T15:52:04.8090363Z\",\"createdTimeUtc\":\"2022-08-16T15:52:04.1891525Z\",\"incidentNumber\":2,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/7feca4d4-3414-403b-96ad-4cb1d105fec2\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"2\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/39f5326a-185e-e413-043e-89635f82507e\",\"name\":\"39f5326a-185e-e413-043e-89635f82507e\",\"etag\":\"\\\"4a002a52-0000-0100-0000-62fbbfbe0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts\",\"description\":\"Identifies IPs with failed attempts to sign in to one or more disabled accounts signed in successfully to another account.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50057 - User account is disabled. The account has been disabled by an administrator.\",\"severity\":\"Medium\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"firstActivityTimeUtc\":\"2022-08-16T15:08:06.0646524Z\",\"lastActivityTimeUtc\":\"2022-08-16T15:58:06.0646524Z\",\"lastModifiedTimeUtc\":\"2022-08-16T16:03:10.634814Z\",\"createdTimeUtc\":\"2022-08-16T15:43:09.2489917Z\",\"incidentNumber\":1,\"additionalData\":{\"alertsCount\":5,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[\"Azure Sentinel\"],\"tactics\":[\"InitialAccess\",\"Persistence\"]},\"relatedAnalyticRuleIds\":[\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/53274afe-2640-4c50-bd36-78c1c79f102c\"],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/39f5326a-185e-e413-043e-89635f82507e\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"1\"}}]}", + "Content": "{\"value\":[{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/325fdf3f-6dc0-47d2-87b7-cd3a7342672c\",\"name\":\"325fdf3f-6dc0-47d2-87b7-cd3a7342672c\",\"etag\":\"\\\"2f006036-0000-0100-0000-69c38f6d0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdateViaIdincidentRelationIncidentName4phdfw\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2026-03-25T07:31:57.5330149Z\",\"createdTimeUtc\":\"2026-03-25T07:31:57.2224938Z\",\"incidentNumber\":21,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/325fdf3f-6dc0-47d2-87b7-cd3a7342672c\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"21\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/9e73b493-03a2-4837-9f25-61a39c8841b8\",\"name\":\"9e73b493-03a2-4837-9f25-61a39c8841b8\",\"etag\":\"\\\"2f006a35-0000-0100-0000-69c38f650000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdateincidentRelationIncidentNamepxyd1a\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2026-03-25T07:31:49.001801Z\",\"createdTimeUtc\":\"2026-03-25T07:31:48.6560326Z\",\"incidentNumber\":20,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/9e73b493-03a2-4837-9f25-61a39c8841b8\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"20\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/edfd97a6-4cb0-4eb8-aa7d-4df47259f318\",\"name\":\"edfd97a6-4cb0-4eb8-aa7d-4df47259f318\",\"etag\":\"\\\"2f008734-0000-0100-0000-69c38f5d0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"RemoveViaIdincidentRelationIncidentNametqy1nd\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2026-03-25T07:31:41.0702721Z\",\"createdTimeUtc\":\"2026-03-25T07:31:40.7391018Z\",\"incidentNumber\":19,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/edfd97a6-4cb0-4eb8-aa7d-4df47259f318\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"19\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/1a71316d-53cd-4e3e-b964-5089a315a6a7\",\"name\":\"1a71316d-53cd-4e3e-b964-5089a315a6a7\",\"etag\":\"\\\"2f007333-0000-0100-0000-69c38f540000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"RemoveincidentRelationIncidentNameqeb7h3\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2026-03-25T07:31:32.488687Z\",\"createdTimeUtc\":\"2026-03-25T07:31:32.0863044Z\",\"incidentNumber\":18,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/1a71316d-53cd-4e3e-b964-5089a315a6a7\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"18\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/da7f7404-2a4a-4811-9f0e-fa20649928fa\",\"name\":\"da7f7404-2a4a-4811-9f0e-fa20649928fa\",\"etag\":\"\\\"2f00b232-0000-0100-0000-69c38f4d0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"GetincidentRelationIncidentNamesywphe\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2026-03-25T07:31:25.4401752Z\",\"createdTimeUtc\":\"2026-03-25T07:31:24.7044282Z\",\"incidentNumber\":17,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/da7f7404-2a4a-4811-9f0e-fa20649928fa\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"17\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/869cd3bd-6eb7-4b9b-9afb-6e96d1e7c02b\",\"name\":\"869cd3bd-6eb7-4b9b-9afb-6e96d1e7c02b\",\"etag\":\"\\\"2f008131-0000-0100-0000-69c38f430000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdateViaIdincidentCommentpqwe28\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2026-03-25T07:31:15.3283442Z\",\"createdTimeUtc\":\"2026-03-25T07:31:15.0445553Z\",\"incidentNumber\":16,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":1,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/869cd3bd-6eb7-4b9b-9afb-6e96d1e7c02b\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"16\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/9d4e3d1a-e085-4ffc-a5b0-3609e308432d\",\"name\":\"9d4e3d1a-e085-4ffc-a5b0-3609e308432d\",\"etag\":\"\\\"2f006b30-0000-0100-0000-69c38f3a0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdateincidentCommentnxou8t\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2026-03-25T07:31:06.6653041Z\",\"createdTimeUtc\":\"2026-03-25T07:31:06.3711578Z\",\"incidentNumber\":15,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":1,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/9d4e3d1a-e085-4ffc-a5b0-3609e308432d\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"15\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/0010a620-61dc-4183-8b70-70548c9a4fa4\",\"name\":\"0010a620-61dc-4183-8b70-70548c9a4fa4\",\"etag\":\"\\\"2f00552f-0000-0100-0000-69c38f320000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"RemoveViaIdincidentComment9kqox4\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2026-03-25T07:30:58.9292109Z\",\"createdTimeUtc\":\"2026-03-25T07:30:58.6339766Z\",\"incidentNumber\":14,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":1,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/0010a620-61dc-4183-8b70-70548c9a4fa4\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"14\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/c674c57d-29aa-47de-a24b-79836e85dcd4\",\"name\":\"c674c57d-29aa-47de-a24b-79836e85dcd4\",\"etag\":\"\\\"2f004b2e-0000-0100-0000-69c38f2a0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"RemoveincidentCommentgp6y5f\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2026-03-25T07:30:50.5637464Z\",\"createdTimeUtc\":\"2026-03-25T07:30:50.2523095Z\",\"incidentNumber\":13,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":1,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/c674c57d-29aa-47de-a24b-79836e85dcd4\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"13\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/5009cfac-c645-4f19-8828-f8bef6650f21\",\"name\":\"5009cfac-c645-4f19-8828-f8bef6650f21\",\"etag\":\"\\\"2f006a2d-0000-0100-0000-69c38f220000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"GetincidentComment0spgja\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2026-03-25T07:30:42.9180903Z\",\"createdTimeUtc\":\"2026-03-25T07:30:42.5976337Z\",\"incidentNumber\":12,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":1,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/5009cfac-c645-4f19-8828-f8bef6650f21\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"12\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/2846cf2f-82ea-43f6-84bd-efb4d3a9d16c\",\"name\":\"2846cf2f-82ea-43f6-84bd-efb4d3a9d16c\",\"etag\":\"\\\"2f00682c-0000-0100-0000-69c38f1a0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2026-03-25T07:30:34.4799593Z\",\"createdTimeUtc\":\"2026-03-25T07:30:34.4799593Z\",\"incidentNumber\":11,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/2846cf2f-82ea-43f6-84bd-efb4d3a9d16c\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"11\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/0bb93d60-a942-42f4-a8de-41d4b42cfd18\",\"name\":\"0bb93d60-a942-42f4-a8de-41d4b42cfd18\",\"etag\":\"\\\"2f00422b-0000-0100-0000-69c38f110000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2026-03-25T07:30:25.6894808Z\",\"createdTimeUtc\":\"2026-03-25T07:30:25.6894808Z\",\"incidentNumber\":10,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/0bb93d60-a942-42f4-a8de-41d4b42cfd18\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"10\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/d34e2b26-c2ca-4e38-b9b2-285fc2bd09c6\",\"name\":\"d34e2b26-c2ca-4e38-b9b2-285fc2bd09c6\",\"etag\":\"\\\"2f00562a-0000-0100-0000-69c38f090000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2026-03-25T07:30:17.1560735Z\",\"createdTimeUtc\":\"2026-03-25T07:30:17.1560735Z\",\"incidentNumber\":9,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/d34e2b26-c2ca-4e38-b9b2-285fc2bd09c6\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"9\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/297ebb03-dbd5-45af-855f-ac7a514bd3d2\",\"name\":\"297ebb03-dbd5-45af-855f-ac7a514bd3d2\",\"etag\":\"\\\"2f004e29-0000-0100-0000-69c38f000000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2026-03-25T07:30:08.5690238Z\",\"createdTimeUtc\":\"2026-03-25T07:30:08.5690238Z\",\"incidentNumber\":8,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/297ebb03-dbd5-45af-855f-ac7a514bd3d2\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"8\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/e8b65102-7a7b-49f2-a08b-566ecc2dec39\",\"name\":\"e8b65102-7a7b-49f2-a08b-566ecc2dec39\",\"etag\":\"\\\"2f003228-0000-0100-0000-69c38ef80000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2026-03-25T07:30:00.7981151Z\",\"createdTimeUtc\":\"2026-03-25T07:30:00.7981151Z\",\"incidentNumber\":7,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/e8b65102-7a7b-49f2-a08b-566ecc2dec39\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"7\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/e0a2f9cf-074f-41f7-9cf7-ee2f76903f3e\",\"name\":\"e0a2f9cf-074f-41f7-9cf7-ee2f76903f3e\",\"etag\":\"\\\"2f00861d-0000-0100-0000-69c38ea40000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdateViaIdbookmarkRelationIncidentNameft7j0l\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2026-03-25T07:28:36.6156869Z\",\"createdTimeUtc\":\"2026-03-25T07:28:35.7698327Z\",\"incidentNumber\":6,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/e0a2f9cf-074f-41f7-9cf7-ee2f76903f3e\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"6\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/53f5c7e4-34eb-4e33-9c57-9445ffc4cd6a\",\"name\":\"53f5c7e4-34eb-4e33-9c57-9445ffc4cd6a\",\"etag\":\"\\\"2f00601c-0000-0100-0000-69c38e9b0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdatebookmarkRelationIncidentNameldmxhn\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2026-03-25T07:28:27.1757697Z\",\"createdTimeUtc\":\"2026-03-25T07:28:26.810166Z\",\"incidentNumber\":5,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/53f5c7e4-34eb-4e33-9c57-9445ffc4cd6a\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"5\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/21818327-2522-4bca-a761-889f6ae7387d\",\"name\":\"21818327-2522-4bca-a761-889f6ae7387d\",\"etag\":\"\\\"2f00501b-0000-0100-0000-69c38e920000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"RemoveViaIdbookmarkRelationIncidentName3bjron\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2026-03-25T07:28:18.5792489Z\",\"createdTimeUtc\":\"2026-03-25T07:28:18.147343Z\",\"incidentNumber\":4,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/21818327-2522-4bca-a761-889f6ae7387d\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"4\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/fcdbdca2-668e-499f-8911-a98624615adf\",\"name\":\"fcdbdca2-668e-499f-8911-a98624615adf\",\"etag\":\"\\\"2f00791a-0000-0100-0000-69c38e8b0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"RemovebookmarkRelationIncidentNamejmkt5r\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2026-03-25T07:28:11.2515383Z\",\"createdTimeUtc\":\"2026-03-25T07:28:10.4865566Z\",\"incidentNumber\":3,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/fcdbdca2-668e-499f-8911-a98624615adf\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"3\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/72b20fd5-9297-487f-b5c0-16d443ae9bc9\",\"name\":\"72b20fd5-9297-487f-b5c0-16d443ae9bc9\",\"etag\":\"\\\"2f005519-0000-0100-0000-69c38e820000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"GetbookmarkRelationIncidentNamektmguy\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2026-03-25T07:28:02.4686353Z\",\"createdTimeUtc\":\"2026-03-25T07:28:02.0492693Z\",\"incidentNumber\":2,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/72b20fd5-9297-487f-b5c0-16d443ae9bc9\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"2\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/71e9e642-df65-4cca-8feb-921622daddb5\",\"name\":\"71e9e642-df65-4cca-8feb-921622daddb5\",\"etag\":\"\\\"2f000490-0000-0100-0000-69c3923c0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts\",\"description\":\"Identifies IPs with failed attempts to sign in to one or more disabled accounts signed in successfully to another account.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50057 - User account is disabled. The account has been disabled by an administrator.\",\"severity\":\"Medium\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"firstActivityTimeUtc\":\"2026-03-25T06:48:50.7525804Z\",\"lastActivityTimeUtc\":\"2026-03-25T07:38:50.7525804Z\",\"lastModifiedTimeUtc\":\"2026-03-25T07:43:56.7204744Z\",\"createdTimeUtc\":\"2026-03-25T07:24:00.5835442Z\",\"incidentNumber\":1,\"additionalData\":{\"alertsCount\":5,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[\"Azure Sentinel\"],\"tactics\":[\"InitialAccess\",\"Persistence\"]},\"relatedAnalyticRuleIds\":[\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/alertRules/5fa8a509-b73d-4f80-a32c-c6ff8dbbfb07\"],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/71e9e642-df65-4cca-8feb-921622daddb5\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"1\"}}]}", "isContentBase64": false } }, - "Get-AzSentinelIncident+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/3342699a-d07d-4c2d-964a-49e90b5c1e9f?api-version=2021-09-01-preview+1": { + "Get-AzSentinelIncident+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/incidents/e8b65102-7a7b-49f2-a08b-566ecc2dec39?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/3342699a-d07d-4c2d-964a-49e90b5c1e9f?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/incidents/e8b65102-7a7b-49f2-a08b-566ecc2dec39?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "208" ], - "x-ms-client-request-id": [ "a083b0ec-a9f1-4822-adc6-47f170a26acb" ], + "x-ms-unique-id": [ "51" ], + "x-ms-client-request-id": [ "a77ed4d3-871b-4b45-a3a7-d1fb57be73f3" ], "CommandName": [ "Get-AzSentinelincident" ], "FullCommandName": [ "Get-AzSentinelIncident_Get" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], + "User-Agent": [ "AzurePowershell/v15.4.0", "PSVersion/v7.6.0", "Az.SecurityInsights/3.2.1" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { @@ -63,37 +67,41 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11957" ], - "x-ms-request-id": [ "c8c0f1a6-bb5f-482f-bebd-1adddde2c81e" ], - "x-ms-correlation-request-id": [ "c8c0f1a6-bb5f-482f-bebd-1adddde2c81e" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160734Z:c8c0f1a6-bb5f-482f-bebd-1adddde2c81e" ], + "Vary": [ "Accept-Encoding" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "1099" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/a893026c-b66d-4b55-a17a-ce1400eed6dd" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-ratelimit-remaining-subscription-global-reads": [ "16499" ], + "x-ms-request-id": [ "7b9dfbc2-1dbb-4437-891e-43ba0b15ed48" ], + "x-ms-correlation-request-id": [ "7b9dfbc2-1dbb-4437-891e-43ba0b15ed48" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074453Z:7b9dfbc2-1dbb-4437-891e-43ba0b15ed48" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:07:33 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: DB4E25EB1F1D459E9980D8354EF110B6 Ref B: AMS231020512027 Ref C: 2026-03-25T07:44:53Z" ], + "Date": [ "Wed, 25 Mar 2026 07:44:53 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "1204" ], + "Content-Length": [ "1206" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/3342699a-d07d-4c2d-964a-49e90b5c1e9f\",\"name\":\"3342699a-d07d-4c2d-964a-49e90b5c1e9f\",\"etag\":\"\\\"4a001651-0000-0100-0000-62fbbe820000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-08-16T15:57:54.290729Z\",\"createdTimeUtc\":\"2022-08-16T15:57:54.290729Z\",\"incidentNumber\":7,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/3342699a-d07d-4c2d-964a-49e90b5c1e9f\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"7\"}}", + "Content": "{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/e8b65102-7a7b-49f2-a08b-566ecc2dec39\",\"name\":\"e8b65102-7a7b-49f2-a08b-566ecc2dec39\",\"etag\":\"\\\"2f003228-0000-0100-0000-69c38ef80000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2026-03-25T07:30:00.7981151Z\",\"createdTimeUtc\":\"2026-03-25T07:30:00.7981151Z\",\"incidentNumber\":7,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/e8b65102-7a7b-49f2-a08b-566ecc2dec39\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"7\"}}", "isContentBase64": false } }, - "Get-AzSentinelIncident+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/3342699a-d07d-4c2d-964a-49e90b5c1e9f?api-version=2021-09-01-preview+1": { + "Get-AzSentinelIncident+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/incidents/e8b65102-7a7b-49f2-a08b-566ecc2dec39?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/3342699a-d07d-4c2d-964a-49e90b5c1e9f?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/incidents/e8b65102-7a7b-49f2-a08b-566ecc2dec39?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "209" ], - "x-ms-client-request-id": [ "d4f376b6-c386-4f4d-81b9-0d20b0e3cfd6" ], + "x-ms-unique-id": [ "52" ], + "x-ms-client-request-id": [ "57fe12b9-cb75-488c-8b3d-afaf3f1074cf" ], "CommandName": [ "Get-AzSentinelincident" ], "FullCommandName": [ "Get-AzSentinelIncident_Get" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], + "User-Agent": [ "AzurePowershell/v15.4.0", "PSVersion/v7.6.0", "Az.SecurityInsights/3.2.1" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { @@ -104,37 +112,41 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11956" ], - "x-ms-request-id": [ "5c19c043-6b9a-434e-98e8-31f868227f4c" ], - "x-ms-correlation-request-id": [ "5c19c043-6b9a-434e-98e8-31f868227f4c" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160734Z:5c19c043-6b9a-434e-98e8-31f868227f4c" ], + "Vary": [ "Accept-Encoding" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "1099" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/de421bf6-6c99-4572-8636-87e5f9b3ecc1" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-ratelimit-remaining-subscription-global-reads": [ "16499" ], + "x-ms-request-id": [ "617ec7d0-7c5b-4512-83b1-a76c2599168e" ], + "x-ms-correlation-request-id": [ "617ec7d0-7c5b-4512-83b1-a76c2599168e" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074454Z:617ec7d0-7c5b-4512-83b1-a76c2599168e" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:07:34 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: E0A0B3FC507A4143ABED0E274D804915 Ref B: AMS231020512027 Ref C: 2026-03-25T07:44:54Z" ], + "Date": [ "Wed, 25 Mar 2026 07:44:54 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "1204" ], + "Content-Length": [ "1206" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/3342699a-d07d-4c2d-964a-49e90b5c1e9f\",\"name\":\"3342699a-d07d-4c2d-964a-49e90b5c1e9f\",\"etag\":\"\\\"4a001651-0000-0100-0000-62fbbe820000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-08-16T15:57:54.290729Z\",\"createdTimeUtc\":\"2022-08-16T15:57:54.290729Z\",\"incidentNumber\":7,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/3342699a-d07d-4c2d-964a-49e90b5c1e9f\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"7\"}}", + "Content": "{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/e8b65102-7a7b-49f2-a08b-566ecc2dec39\",\"name\":\"e8b65102-7a7b-49f2-a08b-566ecc2dec39\",\"etag\":\"\\\"2f003228-0000-0100-0000-69c38ef80000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2026-03-25T07:30:00.7981151Z\",\"createdTimeUtc\":\"2026-03-25T07:30:00.7981151Z\",\"incidentNumber\":7,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/e8b65102-7a7b-49f2-a08b-566ecc2dec39\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"7\"}}", "isContentBase64": false } }, - "Get-AzSentinelIncident+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/3342699a-d07d-4c2d-964a-49e90b5c1e9f?api-version=2021-09-01-preview+2": { + "Get-AzSentinelIncident+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/incidents/e8b65102-7a7b-49f2-a08b-566ecc2dec39?api-version=2021-09-01-preview+2": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/3342699a-d07d-4c2d-964a-49e90b5c1e9f?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/incidents/e8b65102-7a7b-49f2-a08b-566ecc2dec39?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "210" ], - "x-ms-client-request-id": [ "c002c776-f5b7-4f11-8c23-9d49885590b3" ], + "x-ms-unique-id": [ "53" ], + "x-ms-client-request-id": [ "005d310d-053d-47e5-9e7e-e41b19bd49ca" ], "CommandName": [ "Get-AzSentinelincident" ], "FullCommandName": [ "Get-AzSentinelIncident_GetViaIdentity" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], + "User-Agent": [ "AzurePowershell/v15.4.0", "PSVersion/v7.6.0", "Az.SecurityInsights/3.2.1" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { @@ -145,21 +157,25 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11955" ], - "x-ms-request-id": [ "74b242ad-227d-4ae0-a964-81c2eae1ec75" ], - "x-ms-correlation-request-id": [ "74b242ad-227d-4ae0-a964-81c2eae1ec75" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160734Z:74b242ad-227d-4ae0-a964-81c2eae1ec75" ], + "Vary": [ "Accept-Encoding" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "1099" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/6caf1ef3-cd6e-4384-8477-04215df876a9" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-ratelimit-remaining-subscription-global-reads": [ "16499" ], + "x-ms-request-id": [ "bc1e79ce-1c00-4737-8533-f516b6b65c13" ], + "x-ms-correlation-request-id": [ "bc1e79ce-1c00-4737-8533-f516b6b65c13" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074454Z:bc1e79ce-1c00-4737-8533-f516b6b65c13" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:07:34 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: 787D8B7F0DA14C66AB60619623DE5F17 Ref B: AMS231020512027 Ref C: 2026-03-25T07:44:54Z" ], + "Date": [ "Wed, 25 Mar 2026 07:44:54 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "1204" ], + "Content-Length": [ "1206" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/3342699a-d07d-4c2d-964a-49e90b5c1e9f\",\"name\":\"3342699a-d07d-4c2d-964a-49e90b5c1e9f\",\"etag\":\"\\\"4a001651-0000-0100-0000-62fbbe820000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-08-16T15:57:54.290729Z\",\"createdTimeUtc\":\"2022-08-16T15:57:54.290729Z\",\"incidentNumber\":7,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/3342699a-d07d-4c2d-964a-49e90b5c1e9f\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"7\"}}", + "Content": "{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/e8b65102-7a7b-49f2-a08b-566ecc2dec39\",\"name\":\"e8b65102-7a7b-49f2-a08b-566ecc2dec39\",\"etag\":\"\\\"2f003228-0000-0100-0000-69c38ef80000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2026-03-25T07:30:00.7981151Z\",\"createdTimeUtc\":\"2026-03-25T07:30:00.7981151Z\",\"incidentNumber\":7,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/e8b65102-7a7b-49f2-a08b-566ecc2dec39\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"7\"}}", "isContentBase64": false } } diff --git a/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelIncidentAlert.Recording.json b/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelIncidentAlert.Recording.json index 4cc56e8b894e..a32b6c5a893f 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelIncidentAlert.Recording.json +++ b/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelIncidentAlert.Recording.json @@ -1,17 +1,17 @@ { - "Get-AzSentinelIncidentAlert+[NoContext]+List+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents?api-version=2021-09-01-preview+1": { + "Get-AzSentinelIncidentAlert+[NoContext]+List+$GET+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/incidents?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/incidents?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "211" ], - "x-ms-client-request-id": [ "652aba39-20ba-48a2-891d-471c992f1ce0" ], + "x-ms-unique-id": [ "54" ], + "x-ms-client-request-id": [ "bee25831-608d-4079-97f0-d46237c21eb3" ], "CommandName": [ "Get-AzSentinelIncident" ], "FullCommandName": [ "Get-AzSentinelIncident_List" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], + "User-Agent": [ "AzurePowershell/v15.4.0", "PSVersion/v7.6.0", "Az.SecurityInsights/3.2.1" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { @@ -22,37 +22,41 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11954" ], - "x-ms-request-id": [ "e12fa222-e494-4bbd-a4f6-a8116a263afa" ], - "x-ms-correlation-request-id": [ "e12fa222-e494-4bbd-a4f6-a8116a263afa" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160735Z:e12fa222-e494-4bbd-a4f6-a8116a263afa" ], + "Vary": [ "Accept-Encoding" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "1099" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/e65ff1fc-b7fd-4dfa-8bb7-3ac93c203678" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-ratelimit-remaining-subscription-global-reads": [ "16499" ], + "x-ms-request-id": [ "0f873af3-eb1c-41e8-935a-eeebd62569b0" ], + "x-ms-correlation-request-id": [ "0f873af3-eb1c-41e8-935a-eeebd62569b0" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074455Z:0f873af3-eb1c-41e8-935a-eeebd62569b0" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:07:35 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: BBAE092CBB2D481494E0BA674280A1FA Ref B: AMS231020512027 Ref C: 2026-03-25T07:44:55Z" ], + "Date": [ "Wed, 25 Mar 2026 07:44:55 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "26513" ], + "Content-Length": [ "26518" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"value\":[{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/e6be0e56-c636-4b4b-9793-6f3c0f345a46\",\"name\":\"e6be0e56-c636-4b4b-9793-6f3c0f345a46\",\"etag\":\"\\\"4a005452-0000-0100-0000-62fbc0450000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdateViaIdincidentRelationIncidentNames9xv50\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-08-16T16:05:25.2815442Z\",\"createdTimeUtc\":\"2022-08-16T16:05:25.0149382Z\",\"incidentNumber\":21,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/e6be0e56-c636-4b4b-9793-6f3c0f345a46\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"21\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/20c587be-2ccb-4fd4-aea6-cce3754722dd\",\"name\":\"20c587be-2ccb-4fd4-aea6-cce3754722dd\",\"etag\":\"\\\"4a004e52-0000-0100-0000-62fbc0260000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdateincidentRelationIncidentNamegz4803\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-08-16T16:04:54.7835869Z\",\"createdTimeUtc\":\"2022-08-16T16:04:54.5583695Z\",\"incidentNumber\":20,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/20c587be-2ccb-4fd4-aea6-cce3754722dd\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"20\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/b2ae0920-7287-4d85-a609-bf6c7e651630\",\"name\":\"b2ae0920-7287-4d85-a609-bf6c7e651630\",\"etag\":\"\\\"4a004252-0000-0100-0000-62fbc0060000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"RemoveViaIdincidentRelationIncidentNameg1b6wx\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-08-16T16:04:22.942031Z\",\"createdTimeUtc\":\"2022-08-16T16:04:22.6913248Z\",\"incidentNumber\":19,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/b2ae0920-7287-4d85-a609-bf6c7e651630\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"19\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/bd3104a8-2b2d-4934-bef4-5fc4c04ef055\",\"name\":\"bd3104a8-2b2d-4934-bef4-5fc4c04ef055\",\"etag\":\"\\\"4a003652-0000-0100-0000-62fbbfe70000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"RemoveincidentRelationIncidentNamecz4ioj\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-08-16T16:03:51.5477653Z\",\"createdTimeUtc\":\"2022-08-16T16:03:51.0612525Z\",\"incidentNumber\":18,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/bd3104a8-2b2d-4934-bef4-5fc4c04ef055\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"18\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/524da4fb-3888-4446-9e92-12183ac2eaab\",\"name\":\"524da4fb-3888-4446-9e92-12183ac2eaab\",\"etag\":\"\\\"4a002d52-0000-0100-0000-62fbbfc70000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"GetincidentRelationIncidentName8sjnvu\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-08-16T16:03:19.056371Z\",\"createdTimeUtc\":\"2022-08-16T16:03:18.8268747Z\",\"incidentNumber\":17,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/524da4fb-3888-4446-9e92-12183ac2eaab\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"17\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/b5e65719-0b65-4dd0-a4b0-da2bbad915a5\",\"name\":\"b5e65719-0b65-4dd0-a4b0-da2bbad915a5\",\"etag\":\"\\\"4a00f351-0000-0100-0000-62fbbfa60000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdateViaIdincidentCommentjf7t0g\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-08-16T16:02:46.970405Z\",\"createdTimeUtc\":\"2022-08-16T16:02:46.7008255Z\",\"incidentNumber\":16,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":1,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/b5e65719-0b65-4dd0-a4b0-da2bbad915a5\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"16\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/71e8df01-919c-45c1-b526-bc145e411eee\",\"name\":\"71e8df01-919c-45c1-b526-bc145e411eee\",\"etag\":\"\\\"4a00d951-0000-0100-0000-62fbbf870000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdateincidentCommentgi1a7c\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-08-16T16:02:15.7570363Z\",\"createdTimeUtc\":\"2022-08-16T16:02:15.3377476Z\",\"incidentNumber\":15,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":1,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/71e8df01-919c-45c1-b526-bc145e411eee\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"15\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/ac97c565-75c1-40ab-a8e1-334c04dda7d0\",\"name\":\"ac97c565-75c1-40ab-a8e1-334c04dda7d0\",\"etag\":\"\\\"4a00c251-0000-0100-0000-62fbbf610000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"RemoveViaIdincidentCommentjd165a\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-08-16T16:01:37.6171004Z\",\"createdTimeUtc\":\"2022-08-16T16:01:37.1895215Z\",\"incidentNumber\":14,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":1,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/ac97c565-75c1-40ab-a8e1-334c04dda7d0\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"14\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/1f6bbf1d-7f2d-4435-84f7-2be61d9e090d\",\"name\":\"1f6bbf1d-7f2d-4435-84f7-2be61d9e090d\",\"etag\":\"\\\"4a00af51-0000-0100-0000-62fbbf410000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"RemoveincidentCommenteny0g2\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-08-16T16:01:05.7124022Z\",\"createdTimeUtc\":\"2022-08-16T16:01:05.3290956Z\",\"incidentNumber\":13,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":1,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/1f6bbf1d-7f2d-4435-84f7-2be61d9e090d\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"13\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/8b193352-f109-474f-84ce-3b3908d0e288\",\"name\":\"8b193352-f109-474f-84ce-3b3908d0e288\",\"etag\":\"\\\"4a009751-0000-0100-0000-62fbbf210000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"GetincidentCommentcpthi1\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-08-16T16:00:33.9316207Z\",\"createdTimeUtc\":\"2022-08-16T16:00:33.6021829Z\",\"incidentNumber\":12,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":1,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/8b193352-f109-474f-84ce-3b3908d0e288\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"12\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/c259dc23-cd2e-4b7f-bd9d-286e7cae6366\",\"name\":\"c259dc23-cd2e-4b7f-bd9d-286e7cae6366\",\"etag\":\"\\\"4a007051-0000-0100-0000-62fbbf000000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-08-16T16:00:00.5994057Z\",\"createdTimeUtc\":\"2022-08-16T16:00:00.5994057Z\",\"incidentNumber\":11,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/c259dc23-cd2e-4b7f-bd9d-286e7cae6366\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"11\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/905e7dec-fd14-42df-9ed5-c4df09445158\",\"name\":\"905e7dec-fd14-42df-9ed5-c4df09445158\",\"etag\":\"\\\"4a005e51-0000-0100-0000-62fbbee00000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-08-16T15:59:28.733771Z\",\"createdTimeUtc\":\"2022-08-16T15:59:28.733771Z\",\"incidentNumber\":10,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/905e7dec-fd14-42df-9ed5-c4df09445158\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"10\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/fdc66a29-9153-4079-894f-9d92f19fb0d9\",\"name\":\"fdc66a29-9153-4079-894f-9d92f19fb0d9\",\"etag\":\"\\\"4a004d51-0000-0100-0000-62fbbec10000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-08-16T15:58:57.2230955Z\",\"createdTimeUtc\":\"2022-08-16T15:58:57.2230955Z\",\"incidentNumber\":9,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/fdc66a29-9153-4079-894f-9d92f19fb0d9\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"9\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/3c0d63a6-5274-4c2c-82fa-d209415ca9bf\",\"name\":\"3c0d63a6-5274-4c2c-82fa-d209415ca9bf\",\"etag\":\"\\\"4a004151-0000-0100-0000-62fbbea10000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-08-16T15:58:25.8766719Z\",\"createdTimeUtc\":\"2022-08-16T15:58:25.8766719Z\",\"incidentNumber\":8,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/3c0d63a6-5274-4c2c-82fa-d209415ca9bf\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"8\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/3342699a-d07d-4c2d-964a-49e90b5c1e9f\",\"name\":\"3342699a-d07d-4c2d-964a-49e90b5c1e9f\",\"etag\":\"\\\"4a001651-0000-0100-0000-62fbbe820000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-08-16T15:57:54.290729Z\",\"createdTimeUtc\":\"2022-08-16T15:57:54.290729Z\",\"incidentNumber\":7,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/3342699a-d07d-4c2d-964a-49e90b5c1e9f\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"7\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/68e94645-a3b4-4595-9bfe-0d5370f5c8dd\",\"name\":\"68e94645-a3b4-4595-9bfe-0d5370f5c8dd\",\"etag\":\"\\\"4a00c950-0000-0100-0000-62fbbda80000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdateViaIdbookmarkRelationIncidentNamel2rnui\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-08-16T15:54:16.8017033Z\",\"createdTimeUtc\":\"2022-08-16T15:54:16.168895Z\",\"incidentNumber\":6,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/68e94645-a3b4-4595-9bfe-0d5370f5c8dd\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"6\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/6f90c814-29fb-4d2d-8188-360a8df4a559\",\"name\":\"6f90c814-29fb-4d2d-8188-360a8df4a559\",\"etag\":\"\\\"4a00bd50-0000-0100-0000-62fbbd8a0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdatebookmarkRelationIncidentNamedejagn\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-08-16T15:53:46.0785179Z\",\"createdTimeUtc\":\"2022-08-16T15:53:45.3576615Z\",\"incidentNumber\":5,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/6f90c814-29fb-4d2d-8188-360a8df4a559\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"5\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/62ce8785-21b2-4262-be4d-5208b35d255a\",\"name\":\"62ce8785-21b2-4262-be4d-5208b35d255a\",\"etag\":\"\\\"4a00a950-0000-0100-0000-62fbbd690000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"RemoveViaIdbookmarkRelationIncidentName5g6qnd\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-08-16T15:53:13.4795073Z\",\"createdTimeUtc\":\"2022-08-16T15:53:13.2096924Z\",\"incidentNumber\":4,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/62ce8785-21b2-4262-be4d-5208b35d255a\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"4\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/fba327a0-b301-4d1c-918c-23aec8e03323\",\"name\":\"fba327a0-b301-4d1c-918c-23aec8e03323\",\"etag\":\"\\\"4a009250-0000-0100-0000-62fbbd560000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"RemovebookmarkRelationIncidentNamebfrwvc\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-08-16T15:52:54.1214758Z\",\"createdTimeUtc\":\"2022-08-16T15:52:41.6535212Z\",\"incidentNumber\":3,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/fba327a0-b301-4d1c-918c-23aec8e03323\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"3\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/7feca4d4-3414-403b-96ad-4cb1d105fec2\",\"name\":\"7feca4d4-3414-403b-96ad-4cb1d105fec2\",\"etag\":\"\\\"4a006950-0000-0100-0000-62fbbd240000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"GetbookmarkRelationIncidentName75xtbo\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-08-16T15:52:04.8090363Z\",\"createdTimeUtc\":\"2022-08-16T15:52:04.1891525Z\",\"incidentNumber\":2,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/7feca4d4-3414-403b-96ad-4cb1d105fec2\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"2\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/39f5326a-185e-e413-043e-89635f82507e\",\"name\":\"39f5326a-185e-e413-043e-89635f82507e\",\"etag\":\"\\\"4a002a52-0000-0100-0000-62fbbfbe0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts\",\"description\":\"Identifies IPs with failed attempts to sign in to one or more disabled accounts signed in successfully to another account.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50057 - User account is disabled. The account has been disabled by an administrator.\",\"severity\":\"Medium\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"firstActivityTimeUtc\":\"2022-08-16T15:08:06.0646524Z\",\"lastActivityTimeUtc\":\"2022-08-16T15:58:06.0646524Z\",\"lastModifiedTimeUtc\":\"2022-08-16T16:03:10.634814Z\",\"createdTimeUtc\":\"2022-08-16T15:43:09.2489917Z\",\"incidentNumber\":1,\"additionalData\":{\"alertsCount\":5,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[\"Azure Sentinel\"],\"tactics\":[\"InitialAccess\",\"Persistence\"]},\"relatedAnalyticRuleIds\":[\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/53274afe-2640-4c50-bd36-78c1c79f102c\"],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/39f5326a-185e-e413-043e-89635f82507e\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"1\"}}]}", + "Content": "{\"value\":[{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/325fdf3f-6dc0-47d2-87b7-cd3a7342672c\",\"name\":\"325fdf3f-6dc0-47d2-87b7-cd3a7342672c\",\"etag\":\"\\\"2f006036-0000-0100-0000-69c38f6d0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdateViaIdincidentRelationIncidentName4phdfw\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2026-03-25T07:31:57.5330149Z\",\"createdTimeUtc\":\"2026-03-25T07:31:57.2224938Z\",\"incidentNumber\":21,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/325fdf3f-6dc0-47d2-87b7-cd3a7342672c\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"21\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/9e73b493-03a2-4837-9f25-61a39c8841b8\",\"name\":\"9e73b493-03a2-4837-9f25-61a39c8841b8\",\"etag\":\"\\\"2f006a35-0000-0100-0000-69c38f650000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdateincidentRelationIncidentNamepxyd1a\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2026-03-25T07:31:49.001801Z\",\"createdTimeUtc\":\"2026-03-25T07:31:48.6560326Z\",\"incidentNumber\":20,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/9e73b493-03a2-4837-9f25-61a39c8841b8\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"20\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/edfd97a6-4cb0-4eb8-aa7d-4df47259f318\",\"name\":\"edfd97a6-4cb0-4eb8-aa7d-4df47259f318\",\"etag\":\"\\\"2f008734-0000-0100-0000-69c38f5d0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"RemoveViaIdincidentRelationIncidentNametqy1nd\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2026-03-25T07:31:41.0702721Z\",\"createdTimeUtc\":\"2026-03-25T07:31:40.7391018Z\",\"incidentNumber\":19,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/edfd97a6-4cb0-4eb8-aa7d-4df47259f318\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"19\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/1a71316d-53cd-4e3e-b964-5089a315a6a7\",\"name\":\"1a71316d-53cd-4e3e-b964-5089a315a6a7\",\"etag\":\"\\\"2f007333-0000-0100-0000-69c38f540000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"RemoveincidentRelationIncidentNameqeb7h3\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2026-03-25T07:31:32.488687Z\",\"createdTimeUtc\":\"2026-03-25T07:31:32.0863044Z\",\"incidentNumber\":18,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/1a71316d-53cd-4e3e-b964-5089a315a6a7\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"18\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/da7f7404-2a4a-4811-9f0e-fa20649928fa\",\"name\":\"da7f7404-2a4a-4811-9f0e-fa20649928fa\",\"etag\":\"\\\"2f00b232-0000-0100-0000-69c38f4d0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"GetincidentRelationIncidentNamesywphe\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2026-03-25T07:31:25.4401752Z\",\"createdTimeUtc\":\"2026-03-25T07:31:24.7044282Z\",\"incidentNumber\":17,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/da7f7404-2a4a-4811-9f0e-fa20649928fa\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"17\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/869cd3bd-6eb7-4b9b-9afb-6e96d1e7c02b\",\"name\":\"869cd3bd-6eb7-4b9b-9afb-6e96d1e7c02b\",\"etag\":\"\\\"2f008131-0000-0100-0000-69c38f430000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdateViaIdincidentCommentpqwe28\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2026-03-25T07:31:15.3283442Z\",\"createdTimeUtc\":\"2026-03-25T07:31:15.0445553Z\",\"incidentNumber\":16,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":1,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/869cd3bd-6eb7-4b9b-9afb-6e96d1e7c02b\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"16\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/9d4e3d1a-e085-4ffc-a5b0-3609e308432d\",\"name\":\"9d4e3d1a-e085-4ffc-a5b0-3609e308432d\",\"etag\":\"\\\"2f006b30-0000-0100-0000-69c38f3a0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdateincidentCommentnxou8t\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2026-03-25T07:31:06.6653041Z\",\"createdTimeUtc\":\"2026-03-25T07:31:06.3711578Z\",\"incidentNumber\":15,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":1,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/9d4e3d1a-e085-4ffc-a5b0-3609e308432d\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"15\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/0010a620-61dc-4183-8b70-70548c9a4fa4\",\"name\":\"0010a620-61dc-4183-8b70-70548c9a4fa4\",\"etag\":\"\\\"2f00552f-0000-0100-0000-69c38f320000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"RemoveViaIdincidentComment9kqox4\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2026-03-25T07:30:58.9292109Z\",\"createdTimeUtc\":\"2026-03-25T07:30:58.6339766Z\",\"incidentNumber\":14,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":1,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/0010a620-61dc-4183-8b70-70548c9a4fa4\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"14\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/c674c57d-29aa-47de-a24b-79836e85dcd4\",\"name\":\"c674c57d-29aa-47de-a24b-79836e85dcd4\",\"etag\":\"\\\"2f004b2e-0000-0100-0000-69c38f2a0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"RemoveincidentCommentgp6y5f\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2026-03-25T07:30:50.5637464Z\",\"createdTimeUtc\":\"2026-03-25T07:30:50.2523095Z\",\"incidentNumber\":13,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":1,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/c674c57d-29aa-47de-a24b-79836e85dcd4\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"13\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/5009cfac-c645-4f19-8828-f8bef6650f21\",\"name\":\"5009cfac-c645-4f19-8828-f8bef6650f21\",\"etag\":\"\\\"2f006a2d-0000-0100-0000-69c38f220000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"GetincidentComment0spgja\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2026-03-25T07:30:42.9180903Z\",\"createdTimeUtc\":\"2026-03-25T07:30:42.5976337Z\",\"incidentNumber\":12,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":1,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/5009cfac-c645-4f19-8828-f8bef6650f21\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"12\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/2846cf2f-82ea-43f6-84bd-efb4d3a9d16c\",\"name\":\"2846cf2f-82ea-43f6-84bd-efb4d3a9d16c\",\"etag\":\"\\\"2f00682c-0000-0100-0000-69c38f1a0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2026-03-25T07:30:34.4799593Z\",\"createdTimeUtc\":\"2026-03-25T07:30:34.4799593Z\",\"incidentNumber\":11,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/2846cf2f-82ea-43f6-84bd-efb4d3a9d16c\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"11\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/0bb93d60-a942-42f4-a8de-41d4b42cfd18\",\"name\":\"0bb93d60-a942-42f4-a8de-41d4b42cfd18\",\"etag\":\"\\\"2f00422b-0000-0100-0000-69c38f110000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2026-03-25T07:30:25.6894808Z\",\"createdTimeUtc\":\"2026-03-25T07:30:25.6894808Z\",\"incidentNumber\":10,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/0bb93d60-a942-42f4-a8de-41d4b42cfd18\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"10\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/d34e2b26-c2ca-4e38-b9b2-285fc2bd09c6\",\"name\":\"d34e2b26-c2ca-4e38-b9b2-285fc2bd09c6\",\"etag\":\"\\\"2f00562a-0000-0100-0000-69c38f090000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2026-03-25T07:30:17.1560735Z\",\"createdTimeUtc\":\"2026-03-25T07:30:17.1560735Z\",\"incidentNumber\":9,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/d34e2b26-c2ca-4e38-b9b2-285fc2bd09c6\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"9\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/297ebb03-dbd5-45af-855f-ac7a514bd3d2\",\"name\":\"297ebb03-dbd5-45af-855f-ac7a514bd3d2\",\"etag\":\"\\\"2f004e29-0000-0100-0000-69c38f000000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2026-03-25T07:30:08.5690238Z\",\"createdTimeUtc\":\"2026-03-25T07:30:08.5690238Z\",\"incidentNumber\":8,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/297ebb03-dbd5-45af-855f-ac7a514bd3d2\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"8\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/e8b65102-7a7b-49f2-a08b-566ecc2dec39\",\"name\":\"e8b65102-7a7b-49f2-a08b-566ecc2dec39\",\"etag\":\"\\\"2f003228-0000-0100-0000-69c38ef80000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2026-03-25T07:30:00.7981151Z\",\"createdTimeUtc\":\"2026-03-25T07:30:00.7981151Z\",\"incidentNumber\":7,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/e8b65102-7a7b-49f2-a08b-566ecc2dec39\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"7\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/e0a2f9cf-074f-41f7-9cf7-ee2f76903f3e\",\"name\":\"e0a2f9cf-074f-41f7-9cf7-ee2f76903f3e\",\"etag\":\"\\\"2f00861d-0000-0100-0000-69c38ea40000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdateViaIdbookmarkRelationIncidentNameft7j0l\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2026-03-25T07:28:36.6156869Z\",\"createdTimeUtc\":\"2026-03-25T07:28:35.7698327Z\",\"incidentNumber\":6,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/e0a2f9cf-074f-41f7-9cf7-ee2f76903f3e\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"6\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/53f5c7e4-34eb-4e33-9c57-9445ffc4cd6a\",\"name\":\"53f5c7e4-34eb-4e33-9c57-9445ffc4cd6a\",\"etag\":\"\\\"2f00601c-0000-0100-0000-69c38e9b0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdatebookmarkRelationIncidentNameldmxhn\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2026-03-25T07:28:27.1757697Z\",\"createdTimeUtc\":\"2026-03-25T07:28:26.810166Z\",\"incidentNumber\":5,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/53f5c7e4-34eb-4e33-9c57-9445ffc4cd6a\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"5\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/21818327-2522-4bca-a761-889f6ae7387d\",\"name\":\"21818327-2522-4bca-a761-889f6ae7387d\",\"etag\":\"\\\"2f00501b-0000-0100-0000-69c38e920000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"RemoveViaIdbookmarkRelationIncidentName3bjron\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2026-03-25T07:28:18.5792489Z\",\"createdTimeUtc\":\"2026-03-25T07:28:18.147343Z\",\"incidentNumber\":4,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/21818327-2522-4bca-a761-889f6ae7387d\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"4\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/fcdbdca2-668e-499f-8911-a98624615adf\",\"name\":\"fcdbdca2-668e-499f-8911-a98624615adf\",\"etag\":\"\\\"2f00791a-0000-0100-0000-69c38e8b0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"RemovebookmarkRelationIncidentNamejmkt5r\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2026-03-25T07:28:11.2515383Z\",\"createdTimeUtc\":\"2026-03-25T07:28:10.4865566Z\",\"incidentNumber\":3,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/fcdbdca2-668e-499f-8911-a98624615adf\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"3\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/72b20fd5-9297-487f-b5c0-16d443ae9bc9\",\"name\":\"72b20fd5-9297-487f-b5c0-16d443ae9bc9\",\"etag\":\"\\\"2f005519-0000-0100-0000-69c38e820000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"GetbookmarkRelationIncidentNamektmguy\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2026-03-25T07:28:02.4686353Z\",\"createdTimeUtc\":\"2026-03-25T07:28:02.0492693Z\",\"incidentNumber\":2,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/72b20fd5-9297-487f-b5c0-16d443ae9bc9\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"2\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/71e9e642-df65-4cca-8feb-921622daddb5\",\"name\":\"71e9e642-df65-4cca-8feb-921622daddb5\",\"etag\":\"\\\"2f000490-0000-0100-0000-69c3923c0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts\",\"description\":\"Identifies IPs with failed attempts to sign in to one or more disabled accounts signed in successfully to another account.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50057 - User account is disabled. The account has been disabled by an administrator.\",\"severity\":\"Medium\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"firstActivityTimeUtc\":\"2026-03-25T06:48:50.7525804Z\",\"lastActivityTimeUtc\":\"2026-03-25T07:38:50.7525804Z\",\"lastModifiedTimeUtc\":\"2026-03-25T07:43:56.7204744Z\",\"createdTimeUtc\":\"2026-03-25T07:24:00.5835442Z\",\"incidentNumber\":1,\"additionalData\":{\"alertsCount\":5,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[\"Azure Sentinel\"],\"tactics\":[\"InitialAccess\",\"Persistence\"]},\"relatedAnalyticRuleIds\":[\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/alertRules/5fa8a509-b73d-4f80-a32c-c6ff8dbbfb07\"],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/71e9e642-df65-4cca-8feb-921622daddb5\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"1\"}}]}", "isContentBase64": false } }, - "Get-AzSentinelIncidentAlert+[NoContext]+List+$POST+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/39f5326a-185e-e413-043e-89635f82507e/alerts?api-version=2021-09-01-preview+2": { + "Get-AzSentinelIncidentAlert+[NoContext]+List+$POST+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/incidents/71e9e642-df65-4cca-8feb-921622daddb5/alerts?api-version=2021-09-01-preview+2": { "Request": { "Method": "POST", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/39f5326a-185e-e413-043e-89635f82507e/alerts?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/incidents/71e9e642-df65-4cca-8feb-921622daddb5/alerts?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "212" ], - "x-ms-client-request-id": [ "ac59b75a-8066-425b-b618-acf3b1f266f3" ], + "x-ms-unique-id": [ "55" ], + "x-ms-client-request-id": [ "1703632f-44ac-4ee9-a587-a8a9ff9e22fa" ], "CommandName": [ "Get-AzSentinelIncidentAlert" ], "FullCommandName": [ "Get-AzSentinelIncidentAlert_List" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], + "User-Agent": [ "AzurePowershell/v15.4.0", "PSVersion/v7.6.0", "Az.SecurityInsights/3.2.1" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { @@ -63,21 +67,24 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-resource-requests": [ "499" ], - "x-ms-request-id": [ "248cfd9a-b247-40ec-9ca7-2c0e944d46d5" ], - "x-ms-correlation-request-id": [ "248cfd9a-b247-40ec-9ca7-2c0e944d46d5" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160735Z:248cfd9a-b247-40ec-9ca7-2c0e944d46d5" ], + "Vary": [ "Accept-Encoding" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "1099" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/7f364edf-8f38-4365-9314-ac50fbf76921" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-request-id": [ "83f790b9-5e33-4686-808c-af07fa80ac7e" ], + "x-ms-correlation-request-id": [ "83f790b9-5e33-4686-808c-af07fa80ac7e" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074456Z:83f790b9-5e33-4686-808c-af07fa80ac7e" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:07:35 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: E64369B3D16B479D92DFB748434C5E53 Ref B: AMS231020512027 Ref C: 2026-03-25T07:44:56Z" ], + "Date": [ "Wed, 25 Mar 2026 07:44:55 GMT" ] }, "ContentHeaders": { "Content-Length": [ "9254" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"value\":[{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Entities/0b3a9cb4-ef3f-fb30-9773-f8046dc635ee\",\"name\":\"0b3a9cb4-ef3f-fb30-9773-f8046dc635ee\",\"type\":\"Microsoft.SecurityInsights/Entities\",\"kind\":\"SecurityAlert\",\"properties\":{\"systemAlertId\":\"0b3a9cb4-ef3f-fb30-9773-f8046dc635ee\",\"tactics\":[\"InitialAccess\",\"Persistence\"],\"alertDisplayName\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts\",\"description\":\"Identifies IPs with failed attempts to sign in to one or more disabled accounts signed in successfully to another account.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50057 - User account is disabled. The account has been disabled by an administrator.\",\"confidenceLevel\":\"Unknown\",\"severity\":\"Medium\",\"vendorName\":\"Microsoft\",\"productName\":\"Azure Sentinel\",\"productComponentName\":\"Scheduled Alerts\",\"alertType\":\"97475cd1-3a32-4e3c-89c4-6087e71316ed_53274afe-2640-4c50-bd36-78c1c79f102c\",\"processingEndTime\":\"2022-08-16T15:43:08.9677133Z\",\"status\":\"New\",\"endTimeUtc\":\"2022-08-16T15:38:06.0646524Z\",\"startTimeUtc\":\"2022-08-16T15:08:06.0646524Z\",\"timeGenerated\":\"2022-08-16T15:43:09.073943Z\",\"providerAlertId\":\"7ceadc78-39ab-40b6-8ef5-be72c6f66e47\",\"resourceIdentifiers\":[{\"type\":\"LogAnalytics\",\"workspaceId\":\"97475cd1-3a32-4e3c-89c4-6087e71316ed\",\"subscriptionId\":\"51a36d38-3b14-471f-8dde-a5867f5e51eb\",\"resourceGroup\":\"aspstest7ptmcr\"}],\"additionalData\":{\"AlertMessageEnqueueTime\":\"2022-08-16T15:43:09.111Z\",\"Search Query Results Overall Count\":\"1\",\"OriginalProductName\":\"Azure Sentinel\",\"OriginalProductComponentName\":\"Scheduled Alerts\"},\"friendlyName\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Entities/933d404c-277b-ab1c-b77d-7933325e068b\",\"name\":\"933d404c-277b-ab1c-b77d-7933325e068b\",\"type\":\"Microsoft.SecurityInsights/Entities\",\"kind\":\"SecurityAlert\",\"properties\":{\"systemAlertId\":\"933d404c-277b-ab1c-b77d-7933325e068b\",\"tactics\":[\"InitialAccess\",\"Persistence\"],\"alertDisplayName\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts\",\"description\":\"Identifies IPs with failed attempts to sign in to one or more disabled accounts signed in successfully to another account.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50057 - User account is disabled. The account has been disabled by an administrator.\",\"confidenceLevel\":\"Unknown\",\"severity\":\"Medium\",\"vendorName\":\"Microsoft\",\"productName\":\"Azure Sentinel\",\"productComponentName\":\"Scheduled Alerts\",\"alertType\":\"97475cd1-3a32-4e3c-89c4-6087e71316ed_53274afe-2640-4c50-bd36-78c1c79f102c\",\"processingEndTime\":\"2022-08-16T15:48:09.1596878Z\",\"status\":\"New\",\"endTimeUtc\":\"2022-08-16T15:43:06.0646524Z\",\"startTimeUtc\":\"2022-08-16T15:13:06.0646524Z\",\"timeGenerated\":\"2022-08-16T15:48:09.2530745Z\",\"providerAlertId\":\"791c5ad6-36e0-45c8-a1a7-c4ec72cd1a9d\",\"resourceIdentifiers\":[{\"type\":\"LogAnalytics\",\"workspaceId\":\"97475cd1-3a32-4e3c-89c4-6087e71316ed\",\"subscriptionId\":\"51a36d38-3b14-471f-8dde-a5867f5e51eb\",\"resourceGroup\":\"aspstest7ptmcr\"}],\"additionalData\":{\"AlertMessageEnqueueTime\":\"2022-08-16T15:48:09.273Z\",\"Search Query Results Overall Count\":\"1\",\"OriginalProductName\":\"Azure Sentinel\",\"OriginalProductComponentName\":\"Scheduled Alerts\"},\"friendlyName\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Entities/186781d4-d418-8372-9c2a-6dc0f76f60fd\",\"name\":\"186781d4-d418-8372-9c2a-6dc0f76f60fd\",\"type\":\"Microsoft.SecurityInsights/Entities\",\"kind\":\"SecurityAlert\",\"properties\":{\"systemAlertId\":\"186781d4-d418-8372-9c2a-6dc0f76f60fd\",\"tactics\":[\"InitialAccess\",\"Persistence\"],\"alertDisplayName\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts\",\"description\":\"Identifies IPs with failed attempts to sign in to one or more disabled accounts signed in successfully to another account.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50057 - User account is disabled. The account has been disabled by an administrator.\",\"confidenceLevel\":\"Unknown\",\"severity\":\"Medium\",\"vendorName\":\"Microsoft\",\"productName\":\"Azure Sentinel\",\"productComponentName\":\"Scheduled Alerts\",\"alertType\":\"97475cd1-3a32-4e3c-89c4-6087e71316ed_53274afe-2640-4c50-bd36-78c1c79f102c\",\"processingEndTime\":\"2022-08-16T15:53:09.0879803Z\",\"status\":\"New\",\"endTimeUtc\":\"2022-08-16T15:48:06.0646524Z\",\"startTimeUtc\":\"2022-08-16T15:18:06.0646524Z\",\"timeGenerated\":\"2022-08-16T15:53:09.1647755Z\",\"providerAlertId\":\"54ca1209-3b91-462a-9641-d617f9e09117\",\"resourceIdentifiers\":[{\"type\":\"LogAnalytics\",\"workspaceId\":\"97475cd1-3a32-4e3c-89c4-6087e71316ed\",\"subscriptionId\":\"51a36d38-3b14-471f-8dde-a5867f5e51eb\",\"resourceGroup\":\"aspstest7ptmcr\"}],\"additionalData\":{\"AlertMessageEnqueueTime\":\"2022-08-16T15:53:09.19Z\",\"Search Query Results Overall Count\":\"1\",\"OriginalProductName\":\"Azure Sentinel\",\"OriginalProductComponentName\":\"Scheduled Alerts\"},\"friendlyName\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Entities/aa2a6297-8084-a8d5-e9f5-62b9e9f2e4a9\",\"name\":\"aa2a6297-8084-a8d5-e9f5-62b9e9f2e4a9\",\"type\":\"Microsoft.SecurityInsights/Entities\",\"kind\":\"SecurityAlert\",\"properties\":{\"systemAlertId\":\"aa2a6297-8084-a8d5-e9f5-62b9e9f2e4a9\",\"tactics\":[\"InitialAccess\",\"Persistence\"],\"alertDisplayName\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts\",\"description\":\"Identifies IPs with failed attempts to sign in to one or more disabled accounts signed in successfully to another account.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50057 - User account is disabled. The account has been disabled by an administrator.\",\"confidenceLevel\":\"Unknown\",\"severity\":\"Medium\",\"vendorName\":\"Microsoft\",\"productName\":\"Azure Sentinel\",\"productComponentName\":\"Scheduled Alerts\",\"alertType\":\"97475cd1-3a32-4e3c-89c4-6087e71316ed_53274afe-2640-4c50-bd36-78c1c79f102c\",\"processingEndTime\":\"2022-08-16T15:58:10.9403489Z\",\"status\":\"New\",\"endTimeUtc\":\"2022-08-16T15:53:06.0646524Z\",\"startTimeUtc\":\"2022-08-16T15:23:06.0646524Z\",\"timeGenerated\":\"2022-08-16T15:58:11.0568146Z\",\"providerAlertId\":\"dbe9d88f-ab63-4308-8f11-49504ef6dcfa\",\"resourceIdentifiers\":[{\"type\":\"LogAnalytics\",\"workspaceId\":\"97475cd1-3a32-4e3c-89c4-6087e71316ed\",\"subscriptionId\":\"51a36d38-3b14-471f-8dde-a5867f5e51eb\",\"resourceGroup\":\"aspstest7ptmcr\"}],\"additionalData\":{\"AlertMessageEnqueueTime\":\"2022-08-16T15:58:11.155Z\",\"Search Query Results Overall Count\":\"1\",\"OriginalProductName\":\"Azure Sentinel\",\"OriginalProductComponentName\":\"Scheduled Alerts\"},\"friendlyName\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Entities/3d80764e-2431-5938-d868-b39c037ade7d\",\"name\":\"3d80764e-2431-5938-d868-b39c037ade7d\",\"type\":\"Microsoft.SecurityInsights/Entities\",\"kind\":\"SecurityAlert\",\"properties\":{\"systemAlertId\":\"3d80764e-2431-5938-d868-b39c037ade7d\",\"tactics\":[\"InitialAccess\",\"Persistence\"],\"alertDisplayName\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts\",\"description\":\"Identifies IPs with failed attempts to sign in to one or more disabled accounts signed in successfully to another account.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50057 - User account is disabled. The account has been disabled by an administrator.\",\"confidenceLevel\":\"Unknown\",\"severity\":\"Medium\",\"vendorName\":\"Microsoft\",\"productName\":\"Azure Sentinel\",\"productComponentName\":\"Scheduled Alerts\",\"alertType\":\"97475cd1-3a32-4e3c-89c4-6087e71316ed_53274afe-2640-4c50-bd36-78c1c79f102c\",\"processingEndTime\":\"2022-08-16T16:03:10.3447369Z\",\"status\":\"New\",\"endTimeUtc\":\"2022-08-16T15:58:06.0646524Z\",\"startTimeUtc\":\"2022-08-16T15:28:06.0646524Z\",\"timeGenerated\":\"2022-08-16T16:03:10.4902613Z\",\"providerAlertId\":\"8c102508-1690-4800-9b13-95fa7ff021ec\",\"resourceIdentifiers\":[{\"type\":\"LogAnalytics\",\"workspaceId\":\"97475cd1-3a32-4e3c-89c4-6087e71316ed\",\"subscriptionId\":\"51a36d38-3b14-471f-8dde-a5867f5e51eb\",\"resourceGroup\":\"aspstest7ptmcr\"}],\"additionalData\":{\"AlertMessageEnqueueTime\":\"2022-08-16T16:03:10.484Z\",\"Search Query Results Overall Count\":\"1\",\"OriginalProductName\":\"Azure Sentinel\",\"OriginalProductComponentName\":\"Scheduled Alerts\"},\"friendlyName\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts\"}}]}", + "Content": "{\"value\":[{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Entities/63b04fc8-5fb0-af8c-0c69-fa0fc11f23b0\",\"name\":\"63b04fc8-5fb0-af8c-0c69-fa0fc11f23b0\",\"type\":\"Microsoft.SecurityInsights/Entities\",\"kind\":\"SecurityAlert\",\"properties\":{\"systemAlertId\":\"63b04fc8-5fb0-af8c-0c69-fa0fc11f23b0\",\"tactics\":[\"InitialAccess\",\"Persistence\"],\"alertDisplayName\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts\",\"description\":\"Identifies IPs with failed attempts to sign in to one or more disabled accounts signed in successfully to another account.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50057 - User account is disabled. The account has been disabled by an administrator.\",\"confidenceLevel\":\"Unknown\",\"severity\":\"Medium\",\"vendorName\":\"Microsoft\",\"productName\":\"Azure Sentinel\",\"productComponentName\":\"Scheduled Alerts\",\"alertType\":\"514a628c-e691-4346-bfaf-4995f84165c7_5fa8a509-b73d-4f80-a32c-c6ff8dbbfb07\",\"processingEndTime\":\"2026-03-25T07:23:55.9170779Z\",\"status\":\"New\",\"endTimeUtc\":\"2026-03-25T07:18:50.7525804Z\",\"startTimeUtc\":\"2026-03-25T06:48:50.7525804Z\",\"timeGenerated\":\"2026-03-25T07:23:56.0064631Z\",\"providerAlertId\":\"3d881f68-af2c-4b7a-80dc-6a5f35d1e48e\",\"resourceIdentifiers\":[{\"type\":\"LogAnalytics\",\"workspaceId\":\"514a628c-e691-4346-bfaf-4995f84165c7\",\"subscriptionId\":\"419581d6-4853-49bd-83b6-d94bb8a77887\",\"resourceGroup\":\"aspstest4pr7te\"}],\"additionalData\":{\"AlertMessageEnqueueTime\":\"2026-03-25T07:23:56.048Z\",\"Search Query Results Overall Count\":\"1\",\"OriginalProductName\":\"Azure Sentinel\",\"OriginalProductComponentName\":\"Scheduled Alerts\"},\"friendlyName\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Entities/36e61f0b-993d-5f59-38bd-4a3bc250839c\",\"name\":\"36e61f0b-993d-5f59-38bd-4a3bc250839c\",\"type\":\"Microsoft.SecurityInsights/Entities\",\"kind\":\"SecurityAlert\",\"properties\":{\"systemAlertId\":\"36e61f0b-993d-5f59-38bd-4a3bc250839c\",\"tactics\":[\"InitialAccess\",\"Persistence\"],\"alertDisplayName\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts\",\"description\":\"Identifies IPs with failed attempts to sign in to one or more disabled accounts signed in successfully to another account.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50057 - User account is disabled. The account has been disabled by an administrator.\",\"confidenceLevel\":\"Unknown\",\"severity\":\"Medium\",\"vendorName\":\"Microsoft\",\"productName\":\"Azure Sentinel\",\"productComponentName\":\"Scheduled Alerts\",\"alertType\":\"514a628c-e691-4346-bfaf-4995f84165c7_5fa8a509-b73d-4f80-a32c-c6ff8dbbfb07\",\"processingEndTime\":\"2026-03-25T07:28:52.9093667Z\",\"status\":\"New\",\"endTimeUtc\":\"2026-03-25T07:23:50.7525804Z\",\"startTimeUtc\":\"2026-03-25T06:53:50.7525804Z\",\"timeGenerated\":\"2026-03-25T07:28:52.9886092Z\",\"providerAlertId\":\"1829c406-ca43-45e9-a84a-24422eac37ca\",\"resourceIdentifiers\":[{\"type\":\"LogAnalytics\",\"workspaceId\":\"514a628c-e691-4346-bfaf-4995f84165c7\",\"subscriptionId\":\"419581d6-4853-49bd-83b6-d94bb8a77887\",\"resourceGroup\":\"aspstest4pr7te\"}],\"additionalData\":{\"AlertMessageEnqueueTime\":\"2026-03-25T07:28:53.105Z\",\"Search Query Results Overall Count\":\"1\",\"OriginalProductName\":\"Azure Sentinel\",\"OriginalProductComponentName\":\"Scheduled Alerts\"},\"friendlyName\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Entities/c7715757-bcb3-49d4-1fec-7c72729af0dc\",\"name\":\"c7715757-bcb3-49d4-1fec-7c72729af0dc\",\"type\":\"Microsoft.SecurityInsights/Entities\",\"kind\":\"SecurityAlert\",\"properties\":{\"systemAlertId\":\"c7715757-bcb3-49d4-1fec-7c72729af0dc\",\"tactics\":[\"InitialAccess\",\"Persistence\"],\"alertDisplayName\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts\",\"description\":\"Identifies IPs with failed attempts to sign in to one or more disabled accounts signed in successfully to another account.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50057 - User account is disabled. The account has been disabled by an administrator.\",\"confidenceLevel\":\"Unknown\",\"severity\":\"Medium\",\"vendorName\":\"Microsoft\",\"productName\":\"Azure Sentinel\",\"productComponentName\":\"Scheduled Alerts\",\"alertType\":\"514a628c-e691-4346-bfaf-4995f84165c7_5fa8a509-b73d-4f80-a32c-c6ff8dbbfb07\",\"processingEndTime\":\"2026-03-25T07:33:52.7363834Z\",\"status\":\"New\",\"endTimeUtc\":\"2026-03-25T07:28:50.7525804Z\",\"startTimeUtc\":\"2026-03-25T06:58:50.7525804Z\",\"timeGenerated\":\"2026-03-25T07:33:52.8217354Z\",\"providerAlertId\":\"d4f6fa7d-9a7b-4401-b7bd-d4872743e5b6\",\"resourceIdentifiers\":[{\"type\":\"LogAnalytics\",\"workspaceId\":\"514a628c-e691-4346-bfaf-4995f84165c7\",\"subscriptionId\":\"419581d6-4853-49bd-83b6-d94bb8a77887\",\"resourceGroup\":\"aspstest4pr7te\"}],\"additionalData\":{\"AlertMessageEnqueueTime\":\"2026-03-25T07:33:52.937Z\",\"Search Query Results Overall Count\":\"1\",\"OriginalProductName\":\"Azure Sentinel\",\"OriginalProductComponentName\":\"Scheduled Alerts\"},\"friendlyName\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Entities/1b2808d5-177d-00ca-ad3d-56a44b18d76c\",\"name\":\"1b2808d5-177d-00ca-ad3d-56a44b18d76c\",\"type\":\"Microsoft.SecurityInsights/Entities\",\"kind\":\"SecurityAlert\",\"properties\":{\"systemAlertId\":\"1b2808d5-177d-00ca-ad3d-56a44b18d76c\",\"tactics\":[\"InitialAccess\",\"Persistence\"],\"alertDisplayName\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts\",\"description\":\"Identifies IPs with failed attempts to sign in to one or more disabled accounts signed in successfully to another account.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50057 - User account is disabled. The account has been disabled by an administrator.\",\"confidenceLevel\":\"Unknown\",\"severity\":\"Medium\",\"vendorName\":\"Microsoft\",\"productName\":\"Azure Sentinel\",\"productComponentName\":\"Scheduled Alerts\",\"alertType\":\"514a628c-e691-4346-bfaf-4995f84165c7_5fa8a509-b73d-4f80-a32c-c6ff8dbbfb07\",\"processingEndTime\":\"2026-03-25T07:39:03.7337762Z\",\"status\":\"New\",\"endTimeUtc\":\"2026-03-25T07:33:50.7525804Z\",\"startTimeUtc\":\"2026-03-25T07:03:50.7525804Z\",\"timeGenerated\":\"2026-03-25T07:39:03.8588358Z\",\"providerAlertId\":\"45e8867d-5357-44b3-b933-d7f3d68ee5fa\",\"resourceIdentifiers\":[{\"type\":\"LogAnalytics\",\"workspaceId\":\"514a628c-e691-4346-bfaf-4995f84165c7\",\"subscriptionId\":\"419581d6-4853-49bd-83b6-d94bb8a77887\",\"resourceGroup\":\"aspstest4pr7te\"}],\"additionalData\":{\"AlertMessageEnqueueTime\":\"2026-03-25T07:39:03.88Z\",\"Search Query Results Overall Count\":\"1\",\"OriginalProductName\":\"Azure Sentinel\",\"OriginalProductComponentName\":\"Scheduled Alerts\"},\"friendlyName\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Entities/6c7210b6-f678-6a69-a8c3-dfd348b99d0b\",\"name\":\"6c7210b6-f678-6a69-a8c3-dfd348b99d0b\",\"type\":\"Microsoft.SecurityInsights/Entities\",\"kind\":\"SecurityAlert\",\"properties\":{\"systemAlertId\":\"6c7210b6-f678-6a69-a8c3-dfd348b99d0b\",\"tactics\":[\"InitialAccess\",\"Persistence\"],\"alertDisplayName\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts\",\"description\":\"Identifies IPs with failed attempts to sign in to one or more disabled accounts signed in successfully to another account.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50057 - User account is disabled. The account has been disabled by an administrator.\",\"confidenceLevel\":\"Unknown\",\"severity\":\"Medium\",\"vendorName\":\"Microsoft\",\"productName\":\"Azure Sentinel\",\"productComponentName\":\"Scheduled Alerts\",\"alertType\":\"514a628c-e691-4346-bfaf-4995f84165c7_5fa8a509-b73d-4f80-a32c-c6ff8dbbfb07\",\"processingEndTime\":\"2026-03-25T07:43:52.478882Z\",\"status\":\"New\",\"endTimeUtc\":\"2026-03-25T07:38:50.7525804Z\",\"startTimeUtc\":\"2026-03-25T07:08:50.7525804Z\",\"timeGenerated\":\"2026-03-25T07:43:52.6642452Z\",\"providerAlertId\":\"cebd238e-f034-4609-8421-c3de9c5e0347\",\"resourceIdentifiers\":[{\"type\":\"LogAnalytics\",\"workspaceId\":\"514a628c-e691-4346-bfaf-4995f84165c7\",\"subscriptionId\":\"419581d6-4853-49bd-83b6-d94bb8a77887\",\"resourceGroup\":\"aspstest4pr7te\"}],\"additionalData\":{\"AlertMessageEnqueueTime\":\"2026-03-25T07:43:52.739Z\",\"Search Query Results Overall Count\":\"1\",\"OriginalProductName\":\"Azure Sentinel\",\"OriginalProductComponentName\":\"Scheduled Alerts\"},\"friendlyName\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts\"}}]}", "isContentBase64": false } } diff --git a/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelIncidentBookmark.Recording.json b/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelIncidentBookmark.Recording.json index 6dea04b46704..7c02f6e51ffd 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelIncidentBookmark.Recording.json +++ b/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelIncidentBookmark.Recording.json @@ -1,17 +1,17 @@ { - "Get-AzSentinelIncidentBookmark+[NoContext]+List+$POST+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/524da4fb-3888-4446-9e92-12183ac2eaab/bookmarks?api-version=2021-09-01-preview+1": { + "Get-AzSentinelIncidentBookmark+[NoContext]+List+$POST+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/incidents/da7f7404-2a4a-4811-9f0e-fa20649928fa/bookmarks?api-version=2021-09-01-preview+1": { "Request": { "Method": "POST", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/524da4fb-3888-4446-9e92-12183ac2eaab/bookmarks?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/incidents/da7f7404-2a4a-4811-9f0e-fa20649928fa/bookmarks?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "213" ], - "x-ms-client-request-id": [ "937f1661-977f-4695-8a28-6f150ead213a" ], + "x-ms-unique-id": [ "56" ], + "x-ms-client-request-id": [ "f741355c-02b6-4920-acd9-63d4a3ad9d5f" ], "CommandName": [ "Get-AzSentinelIncidentBookmark" ], "FullCommandName": [ "Get-AzSentinelIncidentBookmark_List" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], + "User-Agent": [ "AzurePowershell/v15.4.0", "PSVersion/v7.6.0", "Az.SecurityInsights/3.2.1" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { @@ -22,21 +22,24 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-resource-requests": [ "499" ], - "x-ms-request-id": [ "874c5be9-5668-4529-b9dd-99d1eef583b1" ], - "x-ms-correlation-request-id": [ "874c5be9-5668-4529-b9dd-99d1eef583b1" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160736Z:874c5be9-5668-4529-b9dd-99d1eef583b1" ], + "Vary": [ "Accept-Encoding" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "1099" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/92d5d857-2ada-4be1-9e06-0af489f424fe" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-request-id": [ "064bc1d6-5732-4532-951f-cb788c9ab2eb" ], + "x-ms-correlation-request-id": [ "064bc1d6-5732-4532-951f-cb788c9ab2eb" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074457Z:064bc1d6-5732-4532-951f-cb788c9ab2eb" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:07:36 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: 4CC07A2736804E188E81A579F132FF9F Ref B: AMS231020512027 Ref C: 2026-03-25T07:44:57Z" ], + "Date": [ "Wed, 25 Mar 2026 07:44:56 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "1118" ], + "Content-Length": [ "1108" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"value\":[{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Entities/40c54fdc-490c-4164-901e-b95ca08e0a88\",\"name\":\"40c54fdc-490c-4164-901e-b95ca08e0a88\",\"type\":\"Microsoft.SecurityInsights/Entities\",\"kind\":\"Bookmark\",\"properties\":{\"displayName\":\"GetincidentRelationBookmarkNameu4dakt\",\"created\":\"2022-08-16T16:03:18.3793809+00:00\",\"updated\":\"2022-08-16T16:03:18.3793809+00:00\",\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2022-08-16T04:00:00+00:00\",\"notes\":\"Notes go here\",\"labels\":[\"asptest\"],\"query\":\"SecurityEvent\\n| take 1\",\"additionalData\":{\"EntityMappings\":\"[]\",\"Tactics\":\"[]\",\"Techniques\":\"[]\",\"ETag\":\"\\\"3c00618c-0000-0100-0000-62fbbfc70000\\\"\",\"EntityId\":\"40c54fdc-490c-4164-901e-b95ca08e0a88\"},\"friendlyName\":\"GetincidentRelationBookmarkNameu4dakt\"}}]}", + "Content": "{\"value\":[{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Entities/fd69298f-7839-41cf-85aa-4a0a182790c4\",\"name\":\"fd69298f-7839-41cf-85aa-4a0a182790c4\",\"type\":\"Microsoft.SecurityInsights/Entities\",\"kind\":\"Bookmark\",\"properties\":{\"displayName\":\"GetincidentRelationBookmarkNamen4atph\",\"created\":\"2026-03-25T07:31:23.9333039+00:00\",\"updated\":\"2026-03-25T07:31:23.9333039+00:00\",\"createdBy\":{\"objectId\":\"6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb\",\"email\":\"t-helezra@microsoft.com\",\"name\":\"Hadas Elezra\"},\"updatedBy\":{\"objectId\":\"6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb\",\"email\":\"t-helezra@microsoft.com\",\"name\":\"Hadas Elezra\"},\"eventTime\":\"2026-03-25T07:00:00+00:00\",\"notes\":\"Notes go here\",\"labels\":[\"asptest\"],\"query\":\"SecurityEvent\\n| take 1\",\"additionalData\":{\"EntityMappings\":\"[]\",\"Tactics\":\"[]\",\"Techniques\":\"[]\",\"ETag\":\"\\\"3c001226-0000-0100-0000-69c38f4d0000\\\"\",\"EntityId\":\"fd69298f-7839-41cf-85aa-4a0a182790c4\"},\"friendlyName\":\"GetincidentRelationBookmarkNamen4atph\"}}]}", "isContentBase64": false } } diff --git a/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelIncidentComment.Recording.json b/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelIncidentComment.Recording.json index 494ea8211c90..391f4cf89be1 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelIncidentComment.Recording.json +++ b/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelIncidentComment.Recording.json @@ -1,17 +1,17 @@ { - "Get-AzSentinelIncidentComment+[NoContext]+List+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/8b193352-f109-474f-84ce-3b3908d0e288/comments?api-version=2021-09-01-preview+1": { + "Get-AzSentinelIncidentComment+[NoContext]+List+$GET+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/incidents/5009cfac-c645-4f19-8828-f8bef6650f21/comments?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/8b193352-f109-474f-84ce-3b3908d0e288/comments?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/incidents/5009cfac-c645-4f19-8828-f8bef6650f21/comments?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "214" ], - "x-ms-client-request-id": [ "f52e54b6-629b-451f-8d32-f91c1754940a" ], + "x-ms-unique-id": [ "57" ], + "x-ms-client-request-id": [ "75e491a6-a827-4964-a704-f87250cbd204" ], "CommandName": [ "Get-AzSentinelincidentComment" ], "FullCommandName": [ "Get-AzSentinelIncidentComment_List" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], + "User-Agent": [ "AzurePowershell/v15.4.0", "PSVersion/v7.6.0", "Az.SecurityInsights/3.2.1" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { @@ -22,37 +22,40 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-resource-requests": [ "499" ], - "x-ms-request-id": [ "08413111-5582-4f50-951b-592bac34520b" ], - "x-ms-correlation-request-id": [ "08413111-5582-4f50-951b-592bac34520b" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160737Z:08413111-5582-4f50-951b-592bac34520b" ], + "Vary": [ "Accept-Encoding" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "1099" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/4ba3f04e-2b7c-42f5-a4e5-e8a0efab1cd6" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-request-id": [ "4ca723a1-7d5c-4035-bf4c-8d5f298884da" ], + "x-ms-correlation-request-id": [ "4ca723a1-7d5c-4035-bf4c-8d5f298884da" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074458Z:4ca723a1-7d5c-4035-bf4c-8d5f298884da" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:07:36 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: B5B5AD26286A44F1904A8B7799181F65 Ref B: AMS231020512027 Ref C: 2026-03-25T07:44:58Z" ], + "Date": [ "Wed, 25 Mar 2026 07:44:57 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "769" ], + "Content-Length": [ "764" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"value\":[{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/8b193352-f109-474f-84ce-3b3908d0e288/Comments/fbb0c47c-a502-43d0-8a55-ee55a799bb1b\",\"name\":\"fbb0c47c-a502-43d0-8a55-ee55a799bb1b\",\"etag\":\"\\\"4a009651-0000-0100-0000-62fbbf210000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents/Comments\",\"properties\":{\"message\":\"GetincidentCommentcpthi1\",\"createdTimeUtc\":\"2022-08-16T16:00:33.900596Z\",\"lastModifiedTimeUtc\":\"2022-08-16T16:00:33.900596Z\",\"author\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"nicholas@zeronetworks.com\"}}}]}", + "Content": "{\"value\":[{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/5009cfac-c645-4f19-8828-f8bef6650f21/Comments/9849e0b9-b7bf-4d56-9403-2993114e46b9\",\"name\":\"9849e0b9-b7bf-4d56-9403-2993114e46b9\",\"etag\":\"\\\"2f00682d-0000-0100-0000-69c38f220000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents/Comments\",\"properties\":{\"message\":\"GetincidentComment0spgja\",\"createdTimeUtc\":\"2026-03-25T07:30:42.8941264Z\",\"lastModifiedTimeUtc\":\"2026-03-25T07:30:42.8941264Z\",\"author\":{\"objectId\":\"6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb\",\"email\":\"t-helezra@microsoft.com\",\"name\":\"Hadas Elezra\",\"userPrincipalName\":\"t-helezra@microsoft.com\"}}}]}", "isContentBase64": false } }, - "Get-AzSentinelIncidentComment+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/8b193352-f109-474f-84ce-3b3908d0e288/comments/fbb0c47c-a502-43d0-8a55-ee55a799bb1b?api-version=2021-09-01-preview+1": { + "Get-AzSentinelIncidentComment+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/incidents/5009cfac-c645-4f19-8828-f8bef6650f21/comments/9849e0b9-b7bf-4d56-9403-2993114e46b9?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/8b193352-f109-474f-84ce-3b3908d0e288/comments/fbb0c47c-a502-43d0-8a55-ee55a799bb1b?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/incidents/5009cfac-c645-4f19-8828-f8bef6650f21/comments/9849e0b9-b7bf-4d56-9403-2993114e46b9?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "215" ], - "x-ms-client-request-id": [ "710302de-ea95-4592-8893-82662f77f6de" ], + "x-ms-unique-id": [ "58" ], + "x-ms-client-request-id": [ "761cbe96-a6bb-4ded-bed5-d096fdbc916f" ], "CommandName": [ "Get-AzSentinelincidentComment" ], "FullCommandName": [ "Get-AzSentinelIncidentComment_Get" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], + "User-Agent": [ "AzurePowershell/v15.4.0", "PSVersion/v7.6.0", "Az.SecurityInsights/3.2.1" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { @@ -63,21 +66,24 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-resource-requests": [ "498" ], - "x-ms-request-id": [ "b928dd75-8abf-4018-a5c3-ad2fd556704c" ], - "x-ms-correlation-request-id": [ "b928dd75-8abf-4018-a5c3-ad2fd556704c" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160737Z:b928dd75-8abf-4018-a5c3-ad2fd556704c" ], + "Vary": [ "Accept-Encoding" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "1099" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/e33950d8-7dcf-42df-9a7a-650921483a6d" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-request-id": [ "2421d642-ff93-4540-abd6-cf46014f1ed6" ], + "x-ms-correlation-request-id": [ "2421d642-ff93-4540-abd6-cf46014f1ed6" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074458Z:2421d642-ff93-4540-abd6-cf46014f1ed6" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:07:37 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: 5FDBE28B8970495381B7AC24D0B014D4 Ref B: AMS231020512027 Ref C: 2026-03-25T07:44:58Z" ], + "Date": [ "Wed, 25 Mar 2026 07:44:58 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "757" ], + "Content-Length": [ "752" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/8b193352-f109-474f-84ce-3b3908d0e288/Comments/fbb0c47c-a502-43d0-8a55-ee55a799bb1b\",\"name\":\"fbb0c47c-a502-43d0-8a55-ee55a799bb1b\",\"etag\":\"\\\"4a009651-0000-0100-0000-62fbbf210000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents/Comments\",\"properties\":{\"message\":\"GetincidentCommentcpthi1\",\"createdTimeUtc\":\"2022-08-16T16:00:33.900596Z\",\"lastModifiedTimeUtc\":\"2022-08-16T16:00:33.900596Z\",\"author\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"nicholas@zeronetworks.com\"}}}", + "Content": "{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/5009cfac-c645-4f19-8828-f8bef6650f21/Comments/9849e0b9-b7bf-4d56-9403-2993114e46b9\",\"name\":\"9849e0b9-b7bf-4d56-9403-2993114e46b9\",\"etag\":\"\\\"2f00682d-0000-0100-0000-69c38f220000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents/Comments\",\"properties\":{\"message\":\"GetincidentComment0spgja\",\"createdTimeUtc\":\"2026-03-25T07:30:42.8941264Z\",\"lastModifiedTimeUtc\":\"2026-03-25T07:30:42.8941264Z\",\"author\":{\"objectId\":\"6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb\",\"email\":\"t-helezra@microsoft.com\",\"name\":\"Hadas Elezra\",\"userPrincipalName\":\"t-helezra@microsoft.com\"}}}", "isContentBase64": false } } diff --git a/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelIncidentEntity.Recording.json b/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelIncidentEntity.Recording.json index c6aba23e8c2b..e686bb6944f8 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelIncidentEntity.Recording.json +++ b/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelIncidentEntity.Recording.json @@ -1,17 +1,17 @@ { - "Get-AzSentinelIncidentEntity+[NoContext]+List+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents?api-version=2021-09-01-preview+1": { + "Get-AzSentinelIncidentEntity+[NoContext]+List+$GET+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/incidents?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/incidents?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "216" ], - "x-ms-client-request-id": [ "8d1075aa-475a-449a-8ecc-359d0fa1e3b8" ], + "x-ms-unique-id": [ "59" ], + "x-ms-client-request-id": [ "7fc6518f-1d2d-4a44-b18c-8e408138ba4a" ], "CommandName": [ "Get-AzSentinelIncident" ], "FullCommandName": [ "Get-AzSentinelIncident_List" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], + "User-Agent": [ "AzurePowershell/v15.4.0", "PSVersion/v7.6.0", "Az.SecurityInsights/3.2.1" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { @@ -22,37 +22,41 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11953" ], - "x-ms-request-id": [ "c8d0c8b7-2142-4c6d-b94e-71a1e83bfb8a" ], - "x-ms-correlation-request-id": [ "c8d0c8b7-2142-4c6d-b94e-71a1e83bfb8a" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160738Z:c8d0c8b7-2142-4c6d-b94e-71a1e83bfb8a" ], + "Vary": [ "Accept-Encoding" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "1099" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/5edde32a-df4d-4a5f-a6c9-e5751b8f6462" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-ratelimit-remaining-subscription-global-reads": [ "16499" ], + "x-ms-request-id": [ "3ad64e12-924f-4179-8582-828b212e5a7c" ], + "x-ms-correlation-request-id": [ "3ad64e12-924f-4179-8582-828b212e5a7c" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074500Z:3ad64e12-924f-4179-8582-828b212e5a7c" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:07:37 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: FB45B8C1A2E74680A716AC3218D899AF Ref B: AMS231020512027 Ref C: 2026-03-25T07:44:59Z" ], + "Date": [ "Wed, 25 Mar 2026 07:44:59 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "26513" ], + "Content-Length": [ "26518" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"value\":[{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/e6be0e56-c636-4b4b-9793-6f3c0f345a46\",\"name\":\"e6be0e56-c636-4b4b-9793-6f3c0f345a46\",\"etag\":\"\\\"4a005452-0000-0100-0000-62fbc0450000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdateViaIdincidentRelationIncidentNames9xv50\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-08-16T16:05:25.2815442Z\",\"createdTimeUtc\":\"2022-08-16T16:05:25.0149382Z\",\"incidentNumber\":21,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/e6be0e56-c636-4b4b-9793-6f3c0f345a46\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"21\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/20c587be-2ccb-4fd4-aea6-cce3754722dd\",\"name\":\"20c587be-2ccb-4fd4-aea6-cce3754722dd\",\"etag\":\"\\\"4a004e52-0000-0100-0000-62fbc0260000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdateincidentRelationIncidentNamegz4803\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-08-16T16:04:54.7835869Z\",\"createdTimeUtc\":\"2022-08-16T16:04:54.5583695Z\",\"incidentNumber\":20,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/20c587be-2ccb-4fd4-aea6-cce3754722dd\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"20\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/b2ae0920-7287-4d85-a609-bf6c7e651630\",\"name\":\"b2ae0920-7287-4d85-a609-bf6c7e651630\",\"etag\":\"\\\"4a004252-0000-0100-0000-62fbc0060000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"RemoveViaIdincidentRelationIncidentNameg1b6wx\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-08-16T16:04:22.942031Z\",\"createdTimeUtc\":\"2022-08-16T16:04:22.6913248Z\",\"incidentNumber\":19,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/b2ae0920-7287-4d85-a609-bf6c7e651630\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"19\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/bd3104a8-2b2d-4934-bef4-5fc4c04ef055\",\"name\":\"bd3104a8-2b2d-4934-bef4-5fc4c04ef055\",\"etag\":\"\\\"4a003652-0000-0100-0000-62fbbfe70000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"RemoveincidentRelationIncidentNamecz4ioj\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-08-16T16:03:51.5477653Z\",\"createdTimeUtc\":\"2022-08-16T16:03:51.0612525Z\",\"incidentNumber\":18,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/bd3104a8-2b2d-4934-bef4-5fc4c04ef055\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"18\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/524da4fb-3888-4446-9e92-12183ac2eaab\",\"name\":\"524da4fb-3888-4446-9e92-12183ac2eaab\",\"etag\":\"\\\"4a002d52-0000-0100-0000-62fbbfc70000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"GetincidentRelationIncidentName8sjnvu\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-08-16T16:03:19.056371Z\",\"createdTimeUtc\":\"2022-08-16T16:03:18.8268747Z\",\"incidentNumber\":17,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/524da4fb-3888-4446-9e92-12183ac2eaab\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"17\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/b5e65719-0b65-4dd0-a4b0-da2bbad915a5\",\"name\":\"b5e65719-0b65-4dd0-a4b0-da2bbad915a5\",\"etag\":\"\\\"4a00f351-0000-0100-0000-62fbbfa60000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdateViaIdincidentCommentjf7t0g\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-08-16T16:02:46.970405Z\",\"createdTimeUtc\":\"2022-08-16T16:02:46.7008255Z\",\"incidentNumber\":16,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":1,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/b5e65719-0b65-4dd0-a4b0-da2bbad915a5\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"16\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/71e8df01-919c-45c1-b526-bc145e411eee\",\"name\":\"71e8df01-919c-45c1-b526-bc145e411eee\",\"etag\":\"\\\"4a00d951-0000-0100-0000-62fbbf870000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdateincidentCommentgi1a7c\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-08-16T16:02:15.7570363Z\",\"createdTimeUtc\":\"2022-08-16T16:02:15.3377476Z\",\"incidentNumber\":15,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":1,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/71e8df01-919c-45c1-b526-bc145e411eee\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"15\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/ac97c565-75c1-40ab-a8e1-334c04dda7d0\",\"name\":\"ac97c565-75c1-40ab-a8e1-334c04dda7d0\",\"etag\":\"\\\"4a00c251-0000-0100-0000-62fbbf610000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"RemoveViaIdincidentCommentjd165a\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-08-16T16:01:37.6171004Z\",\"createdTimeUtc\":\"2022-08-16T16:01:37.1895215Z\",\"incidentNumber\":14,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":1,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/ac97c565-75c1-40ab-a8e1-334c04dda7d0\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"14\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/1f6bbf1d-7f2d-4435-84f7-2be61d9e090d\",\"name\":\"1f6bbf1d-7f2d-4435-84f7-2be61d9e090d\",\"etag\":\"\\\"4a00af51-0000-0100-0000-62fbbf410000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"RemoveincidentCommenteny0g2\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-08-16T16:01:05.7124022Z\",\"createdTimeUtc\":\"2022-08-16T16:01:05.3290956Z\",\"incidentNumber\":13,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":1,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/1f6bbf1d-7f2d-4435-84f7-2be61d9e090d\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"13\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/8b193352-f109-474f-84ce-3b3908d0e288\",\"name\":\"8b193352-f109-474f-84ce-3b3908d0e288\",\"etag\":\"\\\"4a009751-0000-0100-0000-62fbbf210000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"GetincidentCommentcpthi1\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-08-16T16:00:33.9316207Z\",\"createdTimeUtc\":\"2022-08-16T16:00:33.6021829Z\",\"incidentNumber\":12,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":1,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/8b193352-f109-474f-84ce-3b3908d0e288\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"12\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/c259dc23-cd2e-4b7f-bd9d-286e7cae6366\",\"name\":\"c259dc23-cd2e-4b7f-bd9d-286e7cae6366\",\"etag\":\"\\\"4a007051-0000-0100-0000-62fbbf000000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-08-16T16:00:00.5994057Z\",\"createdTimeUtc\":\"2022-08-16T16:00:00.5994057Z\",\"incidentNumber\":11,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/c259dc23-cd2e-4b7f-bd9d-286e7cae6366\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"11\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/905e7dec-fd14-42df-9ed5-c4df09445158\",\"name\":\"905e7dec-fd14-42df-9ed5-c4df09445158\",\"etag\":\"\\\"4a005e51-0000-0100-0000-62fbbee00000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-08-16T15:59:28.733771Z\",\"createdTimeUtc\":\"2022-08-16T15:59:28.733771Z\",\"incidentNumber\":10,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/905e7dec-fd14-42df-9ed5-c4df09445158\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"10\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/fdc66a29-9153-4079-894f-9d92f19fb0d9\",\"name\":\"fdc66a29-9153-4079-894f-9d92f19fb0d9\",\"etag\":\"\\\"4a004d51-0000-0100-0000-62fbbec10000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-08-16T15:58:57.2230955Z\",\"createdTimeUtc\":\"2022-08-16T15:58:57.2230955Z\",\"incidentNumber\":9,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/fdc66a29-9153-4079-894f-9d92f19fb0d9\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"9\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/3c0d63a6-5274-4c2c-82fa-d209415ca9bf\",\"name\":\"3c0d63a6-5274-4c2c-82fa-d209415ca9bf\",\"etag\":\"\\\"4a004151-0000-0100-0000-62fbbea10000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-08-16T15:58:25.8766719Z\",\"createdTimeUtc\":\"2022-08-16T15:58:25.8766719Z\",\"incidentNumber\":8,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/3c0d63a6-5274-4c2c-82fa-d209415ca9bf\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"8\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/3342699a-d07d-4c2d-964a-49e90b5c1e9f\",\"name\":\"3342699a-d07d-4c2d-964a-49e90b5c1e9f\",\"etag\":\"\\\"4a001651-0000-0100-0000-62fbbe820000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-08-16T15:57:54.290729Z\",\"createdTimeUtc\":\"2022-08-16T15:57:54.290729Z\",\"incidentNumber\":7,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/3342699a-d07d-4c2d-964a-49e90b5c1e9f\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"7\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/68e94645-a3b4-4595-9bfe-0d5370f5c8dd\",\"name\":\"68e94645-a3b4-4595-9bfe-0d5370f5c8dd\",\"etag\":\"\\\"4a00c950-0000-0100-0000-62fbbda80000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdateViaIdbookmarkRelationIncidentNamel2rnui\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-08-16T15:54:16.8017033Z\",\"createdTimeUtc\":\"2022-08-16T15:54:16.168895Z\",\"incidentNumber\":6,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/68e94645-a3b4-4595-9bfe-0d5370f5c8dd\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"6\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/6f90c814-29fb-4d2d-8188-360a8df4a559\",\"name\":\"6f90c814-29fb-4d2d-8188-360a8df4a559\",\"etag\":\"\\\"4a00bd50-0000-0100-0000-62fbbd8a0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdatebookmarkRelationIncidentNamedejagn\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-08-16T15:53:46.0785179Z\",\"createdTimeUtc\":\"2022-08-16T15:53:45.3576615Z\",\"incidentNumber\":5,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/6f90c814-29fb-4d2d-8188-360a8df4a559\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"5\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/62ce8785-21b2-4262-be4d-5208b35d255a\",\"name\":\"62ce8785-21b2-4262-be4d-5208b35d255a\",\"etag\":\"\\\"4a00a950-0000-0100-0000-62fbbd690000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"RemoveViaIdbookmarkRelationIncidentName5g6qnd\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-08-16T15:53:13.4795073Z\",\"createdTimeUtc\":\"2022-08-16T15:53:13.2096924Z\",\"incidentNumber\":4,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/62ce8785-21b2-4262-be4d-5208b35d255a\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"4\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/fba327a0-b301-4d1c-918c-23aec8e03323\",\"name\":\"fba327a0-b301-4d1c-918c-23aec8e03323\",\"etag\":\"\\\"4a009250-0000-0100-0000-62fbbd560000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"RemovebookmarkRelationIncidentNamebfrwvc\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-08-16T15:52:54.1214758Z\",\"createdTimeUtc\":\"2022-08-16T15:52:41.6535212Z\",\"incidentNumber\":3,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/fba327a0-b301-4d1c-918c-23aec8e03323\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"3\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/7feca4d4-3414-403b-96ad-4cb1d105fec2\",\"name\":\"7feca4d4-3414-403b-96ad-4cb1d105fec2\",\"etag\":\"\\\"4a006950-0000-0100-0000-62fbbd240000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"GetbookmarkRelationIncidentName75xtbo\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-08-16T15:52:04.8090363Z\",\"createdTimeUtc\":\"2022-08-16T15:52:04.1891525Z\",\"incidentNumber\":2,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/7feca4d4-3414-403b-96ad-4cb1d105fec2\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"2\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/39f5326a-185e-e413-043e-89635f82507e\",\"name\":\"39f5326a-185e-e413-043e-89635f82507e\",\"etag\":\"\\\"4a002a52-0000-0100-0000-62fbbfbe0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts\",\"description\":\"Identifies IPs with failed attempts to sign in to one or more disabled accounts signed in successfully to another account.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50057 - User account is disabled. The account has been disabled by an administrator.\",\"severity\":\"Medium\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"firstActivityTimeUtc\":\"2022-08-16T15:08:06.0646524Z\",\"lastActivityTimeUtc\":\"2022-08-16T15:58:06.0646524Z\",\"lastModifiedTimeUtc\":\"2022-08-16T16:03:10.634814Z\",\"createdTimeUtc\":\"2022-08-16T15:43:09.2489917Z\",\"incidentNumber\":1,\"additionalData\":{\"alertsCount\":5,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[\"Azure Sentinel\"],\"tactics\":[\"InitialAccess\",\"Persistence\"]},\"relatedAnalyticRuleIds\":[\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/53274afe-2640-4c50-bd36-78c1c79f102c\"],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/39f5326a-185e-e413-043e-89635f82507e\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"1\"}}]}", + "Content": "{\"value\":[{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/325fdf3f-6dc0-47d2-87b7-cd3a7342672c\",\"name\":\"325fdf3f-6dc0-47d2-87b7-cd3a7342672c\",\"etag\":\"\\\"2f006036-0000-0100-0000-69c38f6d0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdateViaIdincidentRelationIncidentName4phdfw\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2026-03-25T07:31:57.5330149Z\",\"createdTimeUtc\":\"2026-03-25T07:31:57.2224938Z\",\"incidentNumber\":21,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/325fdf3f-6dc0-47d2-87b7-cd3a7342672c\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"21\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/9e73b493-03a2-4837-9f25-61a39c8841b8\",\"name\":\"9e73b493-03a2-4837-9f25-61a39c8841b8\",\"etag\":\"\\\"2f006a35-0000-0100-0000-69c38f650000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdateincidentRelationIncidentNamepxyd1a\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2026-03-25T07:31:49.001801Z\",\"createdTimeUtc\":\"2026-03-25T07:31:48.6560326Z\",\"incidentNumber\":20,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/9e73b493-03a2-4837-9f25-61a39c8841b8\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"20\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/edfd97a6-4cb0-4eb8-aa7d-4df47259f318\",\"name\":\"edfd97a6-4cb0-4eb8-aa7d-4df47259f318\",\"etag\":\"\\\"2f008734-0000-0100-0000-69c38f5d0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"RemoveViaIdincidentRelationIncidentNametqy1nd\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2026-03-25T07:31:41.0702721Z\",\"createdTimeUtc\":\"2026-03-25T07:31:40.7391018Z\",\"incidentNumber\":19,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/edfd97a6-4cb0-4eb8-aa7d-4df47259f318\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"19\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/1a71316d-53cd-4e3e-b964-5089a315a6a7\",\"name\":\"1a71316d-53cd-4e3e-b964-5089a315a6a7\",\"etag\":\"\\\"2f007333-0000-0100-0000-69c38f540000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"RemoveincidentRelationIncidentNameqeb7h3\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2026-03-25T07:31:32.488687Z\",\"createdTimeUtc\":\"2026-03-25T07:31:32.0863044Z\",\"incidentNumber\":18,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/1a71316d-53cd-4e3e-b964-5089a315a6a7\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"18\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/da7f7404-2a4a-4811-9f0e-fa20649928fa\",\"name\":\"da7f7404-2a4a-4811-9f0e-fa20649928fa\",\"etag\":\"\\\"2f00b232-0000-0100-0000-69c38f4d0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"GetincidentRelationIncidentNamesywphe\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2026-03-25T07:31:25.4401752Z\",\"createdTimeUtc\":\"2026-03-25T07:31:24.7044282Z\",\"incidentNumber\":17,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/da7f7404-2a4a-4811-9f0e-fa20649928fa\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"17\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/869cd3bd-6eb7-4b9b-9afb-6e96d1e7c02b\",\"name\":\"869cd3bd-6eb7-4b9b-9afb-6e96d1e7c02b\",\"etag\":\"\\\"2f008131-0000-0100-0000-69c38f430000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdateViaIdincidentCommentpqwe28\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2026-03-25T07:31:15.3283442Z\",\"createdTimeUtc\":\"2026-03-25T07:31:15.0445553Z\",\"incidentNumber\":16,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":1,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/869cd3bd-6eb7-4b9b-9afb-6e96d1e7c02b\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"16\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/9d4e3d1a-e085-4ffc-a5b0-3609e308432d\",\"name\":\"9d4e3d1a-e085-4ffc-a5b0-3609e308432d\",\"etag\":\"\\\"2f006b30-0000-0100-0000-69c38f3a0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdateincidentCommentnxou8t\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2026-03-25T07:31:06.6653041Z\",\"createdTimeUtc\":\"2026-03-25T07:31:06.3711578Z\",\"incidentNumber\":15,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":1,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/9d4e3d1a-e085-4ffc-a5b0-3609e308432d\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"15\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/0010a620-61dc-4183-8b70-70548c9a4fa4\",\"name\":\"0010a620-61dc-4183-8b70-70548c9a4fa4\",\"etag\":\"\\\"2f00552f-0000-0100-0000-69c38f320000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"RemoveViaIdincidentComment9kqox4\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2026-03-25T07:30:58.9292109Z\",\"createdTimeUtc\":\"2026-03-25T07:30:58.6339766Z\",\"incidentNumber\":14,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":1,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/0010a620-61dc-4183-8b70-70548c9a4fa4\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"14\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/c674c57d-29aa-47de-a24b-79836e85dcd4\",\"name\":\"c674c57d-29aa-47de-a24b-79836e85dcd4\",\"etag\":\"\\\"2f004b2e-0000-0100-0000-69c38f2a0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"RemoveincidentCommentgp6y5f\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2026-03-25T07:30:50.5637464Z\",\"createdTimeUtc\":\"2026-03-25T07:30:50.2523095Z\",\"incidentNumber\":13,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":1,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/c674c57d-29aa-47de-a24b-79836e85dcd4\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"13\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/5009cfac-c645-4f19-8828-f8bef6650f21\",\"name\":\"5009cfac-c645-4f19-8828-f8bef6650f21\",\"etag\":\"\\\"2f006a2d-0000-0100-0000-69c38f220000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"GetincidentComment0spgja\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2026-03-25T07:30:42.9180903Z\",\"createdTimeUtc\":\"2026-03-25T07:30:42.5976337Z\",\"incidentNumber\":12,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":1,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/5009cfac-c645-4f19-8828-f8bef6650f21\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"12\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/2846cf2f-82ea-43f6-84bd-efb4d3a9d16c\",\"name\":\"2846cf2f-82ea-43f6-84bd-efb4d3a9d16c\",\"etag\":\"\\\"2f00682c-0000-0100-0000-69c38f1a0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2026-03-25T07:30:34.4799593Z\",\"createdTimeUtc\":\"2026-03-25T07:30:34.4799593Z\",\"incidentNumber\":11,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/2846cf2f-82ea-43f6-84bd-efb4d3a9d16c\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"11\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/0bb93d60-a942-42f4-a8de-41d4b42cfd18\",\"name\":\"0bb93d60-a942-42f4-a8de-41d4b42cfd18\",\"etag\":\"\\\"2f00422b-0000-0100-0000-69c38f110000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2026-03-25T07:30:25.6894808Z\",\"createdTimeUtc\":\"2026-03-25T07:30:25.6894808Z\",\"incidentNumber\":10,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/0bb93d60-a942-42f4-a8de-41d4b42cfd18\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"10\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/d34e2b26-c2ca-4e38-b9b2-285fc2bd09c6\",\"name\":\"d34e2b26-c2ca-4e38-b9b2-285fc2bd09c6\",\"etag\":\"\\\"2f00562a-0000-0100-0000-69c38f090000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2026-03-25T07:30:17.1560735Z\",\"createdTimeUtc\":\"2026-03-25T07:30:17.1560735Z\",\"incidentNumber\":9,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/d34e2b26-c2ca-4e38-b9b2-285fc2bd09c6\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"9\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/297ebb03-dbd5-45af-855f-ac7a514bd3d2\",\"name\":\"297ebb03-dbd5-45af-855f-ac7a514bd3d2\",\"etag\":\"\\\"2f004e29-0000-0100-0000-69c38f000000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2026-03-25T07:30:08.5690238Z\",\"createdTimeUtc\":\"2026-03-25T07:30:08.5690238Z\",\"incidentNumber\":8,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/297ebb03-dbd5-45af-855f-ac7a514bd3d2\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"8\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/e8b65102-7a7b-49f2-a08b-566ecc2dec39\",\"name\":\"e8b65102-7a7b-49f2-a08b-566ecc2dec39\",\"etag\":\"\\\"2f003228-0000-0100-0000-69c38ef80000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2026-03-25T07:30:00.7981151Z\",\"createdTimeUtc\":\"2026-03-25T07:30:00.7981151Z\",\"incidentNumber\":7,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/e8b65102-7a7b-49f2-a08b-566ecc2dec39\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"7\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/e0a2f9cf-074f-41f7-9cf7-ee2f76903f3e\",\"name\":\"e0a2f9cf-074f-41f7-9cf7-ee2f76903f3e\",\"etag\":\"\\\"2f00861d-0000-0100-0000-69c38ea40000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdateViaIdbookmarkRelationIncidentNameft7j0l\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2026-03-25T07:28:36.6156869Z\",\"createdTimeUtc\":\"2026-03-25T07:28:35.7698327Z\",\"incidentNumber\":6,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/e0a2f9cf-074f-41f7-9cf7-ee2f76903f3e\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"6\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/53f5c7e4-34eb-4e33-9c57-9445ffc4cd6a\",\"name\":\"53f5c7e4-34eb-4e33-9c57-9445ffc4cd6a\",\"etag\":\"\\\"2f00601c-0000-0100-0000-69c38e9b0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdatebookmarkRelationIncidentNameldmxhn\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2026-03-25T07:28:27.1757697Z\",\"createdTimeUtc\":\"2026-03-25T07:28:26.810166Z\",\"incidentNumber\":5,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/53f5c7e4-34eb-4e33-9c57-9445ffc4cd6a\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"5\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/21818327-2522-4bca-a761-889f6ae7387d\",\"name\":\"21818327-2522-4bca-a761-889f6ae7387d\",\"etag\":\"\\\"2f00501b-0000-0100-0000-69c38e920000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"RemoveViaIdbookmarkRelationIncidentName3bjron\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2026-03-25T07:28:18.5792489Z\",\"createdTimeUtc\":\"2026-03-25T07:28:18.147343Z\",\"incidentNumber\":4,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/21818327-2522-4bca-a761-889f6ae7387d\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"4\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/fcdbdca2-668e-499f-8911-a98624615adf\",\"name\":\"fcdbdca2-668e-499f-8911-a98624615adf\",\"etag\":\"\\\"2f00791a-0000-0100-0000-69c38e8b0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"RemovebookmarkRelationIncidentNamejmkt5r\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2026-03-25T07:28:11.2515383Z\",\"createdTimeUtc\":\"2026-03-25T07:28:10.4865566Z\",\"incidentNumber\":3,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/fcdbdca2-668e-499f-8911-a98624615adf\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"3\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/72b20fd5-9297-487f-b5c0-16d443ae9bc9\",\"name\":\"72b20fd5-9297-487f-b5c0-16d443ae9bc9\",\"etag\":\"\\\"2f005519-0000-0100-0000-69c38e820000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"GetbookmarkRelationIncidentNamektmguy\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2026-03-25T07:28:02.4686353Z\",\"createdTimeUtc\":\"2026-03-25T07:28:02.0492693Z\",\"incidentNumber\":2,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/72b20fd5-9297-487f-b5c0-16d443ae9bc9\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"2\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/71e9e642-df65-4cca-8feb-921622daddb5\",\"name\":\"71e9e642-df65-4cca-8feb-921622daddb5\",\"etag\":\"\\\"2f000490-0000-0100-0000-69c3923c0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts\",\"description\":\"Identifies IPs with failed attempts to sign in to one or more disabled accounts signed in successfully to another account.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50057 - User account is disabled. The account has been disabled by an administrator.\",\"severity\":\"Medium\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"firstActivityTimeUtc\":\"2026-03-25T06:48:50.7525804Z\",\"lastActivityTimeUtc\":\"2026-03-25T07:38:50.7525804Z\",\"lastModifiedTimeUtc\":\"2026-03-25T07:43:56.7204744Z\",\"createdTimeUtc\":\"2026-03-25T07:24:00.5835442Z\",\"incidentNumber\":1,\"additionalData\":{\"alertsCount\":5,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[\"Azure Sentinel\"],\"tactics\":[\"InitialAccess\",\"Persistence\"]},\"relatedAnalyticRuleIds\":[\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/alertRules/5fa8a509-b73d-4f80-a32c-c6ff8dbbfb07\"],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/71e9e642-df65-4cca-8feb-921622daddb5\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"1\"}}]}", "isContentBase64": false } }, - "Get-AzSentinelIncidentEntity+[NoContext]+List+$POST+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/39f5326a-185e-e413-043e-89635f82507e/entities?api-version=2021-09-01-preview+2": { + "Get-AzSentinelIncidentEntity+[NoContext]+List+$POST+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/incidents/71e9e642-df65-4cca-8feb-921622daddb5/entities?api-version=2021-09-01-preview+2": { "Request": { "Method": "POST", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/39f5326a-185e-e413-043e-89635f82507e/entities?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/incidents/71e9e642-df65-4cca-8feb-921622daddb5/entities?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "217" ], - "x-ms-client-request-id": [ "f979e4ab-cb9c-4bd0-8c8d-906824edbeae" ], + "x-ms-unique-id": [ "60" ], + "x-ms-client-request-id": [ "3ace0b49-e36f-4837-b36e-71ccd514eb1f" ], "CommandName": [ "Get-AzSentinelIncidentEntity" ], "FullCommandName": [ "Get-AzSentinelIncidentEntity_List" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], + "User-Agent": [ "AzurePowershell/v15.4.0", "PSVersion/v7.6.0", "Az.SecurityInsights/3.2.1" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { @@ -63,21 +67,24 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-resource-requests": [ "499" ], - "x-ms-request-id": [ "ac8f0b18-713d-41a6-b357-45625645d965" ], - "x-ms-correlation-request-id": [ "ac8f0b18-713d-41a6-b357-45625645d965" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160739Z:ac8f0b18-713d-41a6-b357-45625645d965" ], + "Vary": [ "Accept-Encoding" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "1099" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/039fce24-0924-4650-a00d-75a1cad39459" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-request-id": [ "eacb993e-52a4-4361-93c1-8636f240a3d7" ], + "x-ms-correlation-request-id": [ "eacb993e-52a4-4361-93c1-8636f240a3d7" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074500Z:eacb993e-52a4-4361-93c1-8636f240a3d7" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:07:38 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: C7AC91CF96B44AE0A7F4AB6890D285A8 Ref B: AMS231020512027 Ref C: 2026-03-25T07:45:00Z" ], + "Date": [ "Wed, 25 Mar 2026 07:45:00 GMT" ] }, "ContentHeaders": { "Content-Length": [ "471" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"entities\":[{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Entities/f76e8451-9f40-544f-61e4-33a50dca269d\",\"name\":\"f76e8451-9f40-544f-61e4-33a50dca269d\",\"type\":\"Microsoft.SecurityInsights/Entities\",\"kind\":\"Ip\",\"properties\":{\"address\":\"175.45.176.99\",\"friendlyName\":\"175.45.176.99\"}}],\"metaData\":[{\"entityKind\":\"Ip\",\"count\":1}]}", + "Content": "{\"entities\":[{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Entities/f76e8451-9f40-544f-61e4-33a50dca269d\",\"name\":\"f76e8451-9f40-544f-61e4-33a50dca269d\",\"type\":\"Microsoft.SecurityInsights/Entities\",\"kind\":\"Ip\",\"properties\":{\"address\":\"175.45.176.99\",\"friendlyName\":\"175.45.176.99\"}}],\"metaData\":[{\"entityKind\":\"Ip\",\"count\":1}]}", "isContentBase64": false } } diff --git a/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelIncidentRelation.Recording.json b/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelIncidentRelation.Recording.json index a4603bcbc967..7f6766cef776 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelIncidentRelation.Recording.json +++ b/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelIncidentRelation.Recording.json @@ -1,17 +1,17 @@ { - "Get-AzSentinelIncidentRelation+[NoContext]+List+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/524da4fb-3888-4446-9e92-12183ac2eaab/relations?api-version=2021-09-01-preview+1": { + "Get-AzSentinelIncidentRelation+[NoContext]+List+$GET+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/incidents/da7f7404-2a4a-4811-9f0e-fa20649928fa/relations?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/524da4fb-3888-4446-9e92-12183ac2eaab/relations?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/incidents/da7f7404-2a4a-4811-9f0e-fa20649928fa/relations?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "218" ], - "x-ms-client-request-id": [ "4d745071-e0b6-4819-a7e7-ed0b08c97429" ], + "x-ms-unique-id": [ "61" ], + "x-ms-client-request-id": [ "6c27c79e-9a1d-45a3-a2d4-efed5455344e" ], "CommandName": [ "Get-AzSentinelincidentRelation" ], "FullCommandName": [ "Get-AzSentinelIncidentRelation_List" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], + "User-Agent": [ "AzurePowershell/v15.4.0", "PSVersion/v7.6.0", "Az.SecurityInsights/3.2.1" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { @@ -22,37 +22,40 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-resource-requests": [ "499" ], - "x-ms-request-id": [ "69b938d7-9eb3-413a-b8ad-458700556d23" ], - "x-ms-correlation-request-id": [ "69b938d7-9eb3-413a-b8ad-458700556d23" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160739Z:69b938d7-9eb3-413a-b8ad-458700556d23" ], + "Vary": [ "Accept-Encoding" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "1099" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/180c2c04-76f0-41e6-9d8e-24bcaaa703bd" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-request-id": [ "b6e072ac-99f8-4656-af59-caaf55514719" ], + "x-ms-correlation-request-id": [ "b6e072ac-99f8-4656-af59-caaf55514719" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074501Z:b6e072ac-99f8-4656-af59-caaf55514719" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:07:39 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: 82D2EC384A4D4529BDE2F8B493F8ED17 Ref B: AMS231020512027 Ref C: 2026-03-25T07:45:01Z" ], + "Date": [ "Wed, 25 Mar 2026 07:45:01 GMT" ] }, "ContentHeaders": { "Content-Length": [ "840" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"value\":[{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/524da4fb-3888-4446-9e92-12183ac2eaab/relations/d8e7ac2f-7b68-4110-a408-6dda491cd5d0\",\"name\":\"d8e7ac2f-7b68-4110-a408-6dda491cd5d0\",\"etag\":\"\\\"4a002d52-0000-0100-0000-62fbbfc70000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents/relations\",\"properties\":{\"relatedResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Bookmarks/40c54fdc-490c-4164-901e-b95ca08e0a88\",\"relatedResourceName\":\"40c54fdc-490c-4164-901e-b95ca08e0a88\",\"relatedResourceType\":\"Microsoft.SecurityInsights/Bookmarks\"}}]}", + "Content": "{\"value\":[{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/da7f7404-2a4a-4811-9f0e-fa20649928fa/relations/7fb245aa-38d5-4660-ad34-72817ce63eed\",\"name\":\"7fb245aa-38d5-4660-ad34-72817ce63eed\",\"etag\":\"\\\"2f00b232-0000-0100-0000-69c38f4d0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents/relations\",\"properties\":{\"relatedResourceId\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Bookmarks/fd69298f-7839-41cf-85aa-4a0a182790c4\",\"relatedResourceName\":\"fd69298f-7839-41cf-85aa-4a0a182790c4\",\"relatedResourceType\":\"Microsoft.SecurityInsights/Bookmarks\"}}]}", "isContentBase64": false } }, - "Get-AzSentinelIncidentRelation+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/524da4fb-3888-4446-9e92-12183ac2eaab/relations/d8e7ac2f-7b68-4110-a408-6dda491cd5d0?api-version=2021-09-01-preview+1": { + "Get-AzSentinelIncidentRelation+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/incidents/da7f7404-2a4a-4811-9f0e-fa20649928fa/relations/7fb245aa-38d5-4660-ad34-72817ce63eed?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/524da4fb-3888-4446-9e92-12183ac2eaab/relations/d8e7ac2f-7b68-4110-a408-6dda491cd5d0?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/incidents/da7f7404-2a4a-4811-9f0e-fa20649928fa/relations/7fb245aa-38d5-4660-ad34-72817ce63eed?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "219" ], - "x-ms-client-request-id": [ "2a132920-aa8f-49c4-bb15-db1b74de8fe6" ], + "x-ms-unique-id": [ "62" ], + "x-ms-client-request-id": [ "8117a3de-ad79-43eb-b41b-8d0ac783c71a" ], "CommandName": [ "Get-AzSentinelincidentRelation" ], "FullCommandName": [ "Get-AzSentinelIncidentRelation_Get" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], + "User-Agent": [ "AzurePowershell/v15.4.0", "PSVersion/v7.6.0", "Az.SecurityInsights/3.2.1" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { @@ -63,37 +66,40 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-resource-requests": [ "498" ], - "x-ms-request-id": [ "b68e95a2-6f5b-4e75-8144-10ad515e3ef0" ], - "x-ms-correlation-request-id": [ "b68e95a2-6f5b-4e75-8144-10ad515e3ef0" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160740Z:b68e95a2-6f5b-4e75-8144-10ad515e3ef0" ], + "Vary": [ "Accept-Encoding" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "1099" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/2ca1f19f-e896-4111-ae4d-c2f0fe0a743f" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-request-id": [ "a0e4e32d-11ce-4d8b-ac57-e7d153229d98" ], + "x-ms-correlation-request-id": [ "a0e4e32d-11ce-4d8b-ac57-e7d153229d98" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074502Z:a0e4e32d-11ce-4d8b-ac57-e7d153229d98" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:07:39 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: 8F5E4942B7884067B90A38187D79BB90 Ref B: AMS231020512027 Ref C: 2026-03-25T07:45:02Z" ], + "Date": [ "Wed, 25 Mar 2026 07:45:02 GMT" ] }, "ContentHeaders": { "Content-Length": [ "828" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/524da4fb-3888-4446-9e92-12183ac2eaab/relations/d8e7ac2f-7b68-4110-a408-6dda491cd5d0\",\"name\":\"d8e7ac2f-7b68-4110-a408-6dda491cd5d0\",\"etag\":\"\\\"4a002d52-0000-0100-0000-62fbbfc70000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents/relations\",\"properties\":{\"relatedResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Bookmarks/40c54fdc-490c-4164-901e-b95ca08e0a88\",\"relatedResourceName\":\"40c54fdc-490c-4164-901e-b95ca08e0a88\",\"relatedResourceType\":\"Microsoft.SecurityInsights/Bookmarks\"}}", + "Content": "{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/da7f7404-2a4a-4811-9f0e-fa20649928fa/relations/7fb245aa-38d5-4660-ad34-72817ce63eed\",\"name\":\"7fb245aa-38d5-4660-ad34-72817ce63eed\",\"etag\":\"\\\"2f00b232-0000-0100-0000-69c38f4d0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents/relations\",\"properties\":{\"relatedResourceId\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Bookmarks/fd69298f-7839-41cf-85aa-4a0a182790c4\",\"relatedResourceName\":\"fd69298f-7839-41cf-85aa-4a0a182790c4\",\"relatedResourceType\":\"Microsoft.SecurityInsights/Bookmarks\"}}", "isContentBase64": false } }, - "Get-AzSentinelIncidentRelation+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/524da4fb-3888-4446-9e92-12183ac2eaab/relations/d8e7ac2f-7b68-4110-a408-6dda491cd5d0?api-version=2021-09-01-preview+1": { + "Get-AzSentinelIncidentRelation+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/incidents/da7f7404-2a4a-4811-9f0e-fa20649928fa/relations/7fb245aa-38d5-4660-ad34-72817ce63eed?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/524da4fb-3888-4446-9e92-12183ac2eaab/relations/d8e7ac2f-7b68-4110-a408-6dda491cd5d0?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/incidents/da7f7404-2a4a-4811-9f0e-fa20649928fa/relations/7fb245aa-38d5-4660-ad34-72817ce63eed?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "220" ], - "x-ms-client-request-id": [ "a64a76d4-85c4-451e-b33e-3b5de2ca635b" ], + "x-ms-unique-id": [ "63" ], + "x-ms-client-request-id": [ "3b2e8921-0677-45d5-9d0e-d5bff77f9feb" ], "CommandName": [ "Get-AzSentinelincidentRelation" ], "FullCommandName": [ "Get-AzSentinelIncidentRelation_Get" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], + "User-Agent": [ "AzurePowershell/v15.4.0", "PSVersion/v7.6.0", "Az.SecurityInsights/3.2.1" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { @@ -104,37 +110,40 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-resource-requests": [ "497" ], - "x-ms-request-id": [ "62d87c59-c438-4f6b-a6a9-fcb44410ff10" ], - "x-ms-correlation-request-id": [ "62d87c59-c438-4f6b-a6a9-fcb44410ff10" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160740Z:62d87c59-c438-4f6b-a6a9-fcb44410ff10" ], + "Vary": [ "Accept-Encoding" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "1099" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/850b82e4-cb1a-4a3d-b792-f4ab824c3b50" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-request-id": [ "cdf3f05f-e3dd-4976-88bb-d6ceb5aa6c89" ], + "x-ms-correlation-request-id": [ "cdf3f05f-e3dd-4976-88bb-d6ceb5aa6c89" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074502Z:cdf3f05f-e3dd-4976-88bb-d6ceb5aa6c89" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:07:39 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: 58A2C52A384F4D2395E4045CD9904079 Ref B: AMS231020512027 Ref C: 2026-03-25T07:45:02Z" ], + "Date": [ "Wed, 25 Mar 2026 07:45:02 GMT" ] }, "ContentHeaders": { "Content-Length": [ "828" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/524da4fb-3888-4446-9e92-12183ac2eaab/relations/d8e7ac2f-7b68-4110-a408-6dda491cd5d0\",\"name\":\"d8e7ac2f-7b68-4110-a408-6dda491cd5d0\",\"etag\":\"\\\"4a002d52-0000-0100-0000-62fbbfc70000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents/relations\",\"properties\":{\"relatedResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Bookmarks/40c54fdc-490c-4164-901e-b95ca08e0a88\",\"relatedResourceName\":\"40c54fdc-490c-4164-901e-b95ca08e0a88\",\"relatedResourceType\":\"Microsoft.SecurityInsights/Bookmarks\"}}", + "Content": "{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/da7f7404-2a4a-4811-9f0e-fa20649928fa/relations/7fb245aa-38d5-4660-ad34-72817ce63eed\",\"name\":\"7fb245aa-38d5-4660-ad34-72817ce63eed\",\"etag\":\"\\\"2f00b232-0000-0100-0000-69c38f4d0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents/relations\",\"properties\":{\"relatedResourceId\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Bookmarks/fd69298f-7839-41cf-85aa-4a0a182790c4\",\"relatedResourceName\":\"fd69298f-7839-41cf-85aa-4a0a182790c4\",\"relatedResourceType\":\"Microsoft.SecurityInsights/Bookmarks\"}}", "isContentBase64": false } }, - "Get-AzSentinelIncidentRelation+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/524da4fb-3888-4446-9e92-12183ac2eaab/relations/d8e7ac2f-7b68-4110-a408-6dda491cd5d0?api-version=2021-09-01-preview+2": { + "Get-AzSentinelIncidentRelation+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/incidents/da7f7404-2a4a-4811-9f0e-fa20649928fa/relations/7fb245aa-38d5-4660-ad34-72817ce63eed?api-version=2021-09-01-preview+2": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/524da4fb-3888-4446-9e92-12183ac2eaab/relations/d8e7ac2f-7b68-4110-a408-6dda491cd5d0?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/incidents/da7f7404-2a4a-4811-9f0e-fa20649928fa/relations/7fb245aa-38d5-4660-ad34-72817ce63eed?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "221" ], - "x-ms-client-request-id": [ "3f500359-1c75-4a7f-890b-1c60bef30b53" ], + "x-ms-unique-id": [ "64" ], + "x-ms-client-request-id": [ "8d388d2d-b6e3-42dc-a1a1-eebea80ebd49" ], "CommandName": [ "Get-AzSentinelincidentRelation" ], "FullCommandName": [ "Get-AzSentinelIncidentRelation_GetViaIdentity" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], + "User-Agent": [ "AzurePowershell/v15.4.0", "PSVersion/v7.6.0", "Az.SecurityInsights/3.2.1" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { @@ -145,21 +154,24 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-resource-requests": [ "496" ], - "x-ms-request-id": [ "7a6846fd-537b-47cd-801b-d5484244717b" ], - "x-ms-correlation-request-id": [ "7a6846fd-537b-47cd-801b-d5484244717b" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160743Z:7a6846fd-537b-47cd-801b-d5484244717b" ], + "Vary": [ "Accept-Encoding" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "1098" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/825f4b98-958e-4cee-a1a7-574132dae508" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-request-id": [ "1075d844-263f-450a-b494-9567c63ef03b" ], + "x-ms-correlation-request-id": [ "1075d844-263f-450a-b494-9567c63ef03b" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074503Z:1075d844-263f-450a-b494-9567c63ef03b" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:07:42 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: B07EB15E8A6E4C51A2235146D8904084 Ref B: AMS231020512027 Ref C: 2026-03-25T07:45:03Z" ], + "Date": [ "Wed, 25 Mar 2026 07:45:03 GMT" ] }, "ContentHeaders": { "Content-Length": [ "828" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/524da4fb-3888-4446-9e92-12183ac2eaab/relations/d8e7ac2f-7b68-4110-a408-6dda491cd5d0\",\"name\":\"d8e7ac2f-7b68-4110-a408-6dda491cd5d0\",\"etag\":\"\\\"4a002d52-0000-0100-0000-62fbbfc70000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents/relations\",\"properties\":{\"relatedResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Bookmarks/40c54fdc-490c-4164-901e-b95ca08e0a88\",\"relatedResourceName\":\"40c54fdc-490c-4164-901e-b95ca08e0a88\",\"relatedResourceType\":\"Microsoft.SecurityInsights/Bookmarks\"}}", + "Content": "{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/da7f7404-2a4a-4811-9f0e-fa20649928fa/relations/7fb245aa-38d5-4660-ad34-72817ce63eed\",\"name\":\"7fb245aa-38d5-4660-ad34-72817ce63eed\",\"etag\":\"\\\"2f00b232-0000-0100-0000-69c38f4d0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents/relations\",\"properties\":{\"relatedResourceId\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Bookmarks/fd69298f-7839-41cf-85aa-4a0a182790c4\",\"relatedResourceName\":\"fd69298f-7839-41cf-85aa-4a0a182790c4\",\"relatedResourceType\":\"Microsoft.SecurityInsights/Bookmarks\"}}", "isContentBase64": false } } diff --git a/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelMetadata.Recording.json b/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelMetadata.Recording.json index a5f15b2f40cb..4e0e12c94b4e 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelMetadata.Recording.json +++ b/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelMetadata.Recording.json @@ -1,17 +1,17 @@ { - "Get-AzSentinelMetadata+[NoContext]+List+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/metadata?api-version=2021-09-01-preview+1": { + "Get-AzSentinelMetadata+[NoContext]+List+$GET+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/metadata?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/metadata?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/metadata?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "222" ], - "x-ms-client-request-id": [ "4679d405-1c0d-4fce-abec-597f4c16d65c" ], + "x-ms-unique-id": [ "65" ], + "x-ms-client-request-id": [ "fcfc4b53-8506-46c5-affd-b141e0926559" ], "CommandName": [ "Get-AzSentinelMetadata" ], "FullCommandName": [ "Get-AzSentinelMetadata_List" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], + "User-Agent": [ "AzurePowershell/v15.4.0", "PSVersion/v7.6.0", "Az.SecurityInsights/3.2.1" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { @@ -22,37 +22,41 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11952" ], - "x-ms-request-id": [ "7065808a-cc9a-4985-8201-473881861d6e" ], - "x-ms-correlation-request-id": [ "7065808a-cc9a-4985-8201-473881861d6e" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160744Z:7065808a-cc9a-4985-8201-473881861d6e" ], + "Vary": [ "Accept-Encoding" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "1099" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/b83949c4-9a36-4b37-a761-bd67ddeac771" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-ratelimit-remaining-subscription-global-reads": [ "16499" ], + "x-ms-request-id": [ "afdbd5ae-4606-483c-afba-bef96445f78d" ], + "x-ms-correlation-request-id": [ "afdbd5ae-4606-483c-afba-bef96445f78d" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074504Z:afdbd5ae-4606-483c-afba-bef96445f78d" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:07:44 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: 6631C659C7D442D9925F0E379ABB3651 Ref B: AMS231020512027 Ref C: 2026-03-25T07:45:04Z" ], + "Date": [ "Wed, 25 Mar 2026 07:45:04 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "2645" ], + "Content-Length": [ "2641" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"value\":[{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourcegroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/metadata/azuresentinel.azure-sentinel-solution-zerotrust\",\"name\":\"azuresentinel.azure-sentinel-solution-zerotrust\",\"type\":\"Microsoft.SecurityInsights/metadata\",\"systemData\":{\"createdAt\":\"2022-08-16T16:05:56.4459878Z\",\"createdBy\":\"nicholas@zeronetworks.com\",\"createdByType\":\"User\",\"lastModifiedAt\":\"2022-08-16T16:05:56.4459878Z\",\"lastModifiedBy\":\"nicholas@zeronetworks.com\",\"lastModifiedByType\":\"User\"},\"properties\":{\"contentId\":\"azuresentinel.azure-sentinel-solution-zerotrust\",\"parentId\":\"azuresentinel.azure-sentinel-solution-zerotrust\",\"kind\":\"Solution\",\"version\":\"1.0.5\",\"source\":{\"kind\":\"Solution\",\"name\":\"ZeroTrust(TIC3.0)\",\"sourceId\":\"azuresentinel.azure-sentinel-solution-zerotrust\"},\"author\":{\"name\":\"Nikhil Tripathi\",\"email\":\"v-ntripathi@microsoft.com\"},\"support\":{\"tier\":\"Microsoft\",\"name\":\"Microsoft Corporation\",\"email\":\"support@microsoft.com\",\"link\":\"https://support.microsoft.com\"},\"dependencies\":{\"criteria\":[{\"contentId\":\"ZeroTrustTIC3.0_workbook\",\"kind\":\"Workbook\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustDNSFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustDataProtectionFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustEmailFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustEnterpriseFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustFilesFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustIntrusionDetectionFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustNetworkingFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustResiliencyFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustUCCFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustUniversalSecurityCapabilitiesFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustWebFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"}],\"operator\":\"AND\"},\"providers\":[\"Microsoft\"],\"categories\":{\"domains\":[\"Identity\",\"Security - Others\"],\"verticals\":null},\"firstPublishDate\":\"2021-10-20\"}}]}", + "Content": "{\"value\":[{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourcegroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/metadata/azuresentinel.azure-sentinel-solution-zerotrust\",\"name\":\"azuresentinel.azure-sentinel-solution-zerotrust\",\"type\":\"Microsoft.SecurityInsights/metadata\",\"systemData\":{\"createdAt\":\"2026-03-25T07:32:06.5067584Z\",\"createdBy\":\"t-helezra@microsoft.com\",\"createdByType\":\"User\",\"lastModifiedAt\":\"2026-03-25T07:32:06.5067584Z\",\"lastModifiedBy\":\"t-helezra@microsoft.com\",\"lastModifiedByType\":\"User\"},\"properties\":{\"contentId\":\"azuresentinel.azure-sentinel-solution-zerotrust\",\"parentId\":\"azuresentinel.azure-sentinel-solution-zerotrust\",\"kind\":\"Solution\",\"version\":\"1.0.5\",\"source\":{\"kind\":\"Solution\",\"name\":\"ZeroTrust(TIC3.0)\",\"sourceId\":\"azuresentinel.azure-sentinel-solution-zerotrust\"},\"author\":{\"name\":\"Nikhil Tripathi\",\"email\":\"v-ntripathi@microsoft.com\"},\"support\":{\"tier\":\"Microsoft\",\"name\":\"Microsoft Corporation\",\"email\":\"support@microsoft.com\",\"link\":\"https://support.microsoft.com\"},\"dependencies\":{\"criteria\":[{\"contentId\":\"ZeroTrustTIC3.0_workbook\",\"kind\":\"Workbook\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustDNSFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustDataProtectionFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustEmailFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustEnterpriseFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustFilesFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustIntrusionDetectionFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustNetworkingFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustResiliencyFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustUCCFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustUniversalSecurityCapabilitiesFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustWebFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"}],\"operator\":\"AND\"},\"providers\":[\"Microsoft\"],\"categories\":{\"domains\":[\"Identity\",\"Security - Others\"],\"verticals\":null},\"firstPublishDate\":\"2021-10-20\"}}]}", "isContentBase64": false } }, - "Get-AzSentinelMetadata+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/metadata/azuresentinel.azure-sentinel-solution-zerotrust?api-version=2021-09-01-preview+1": { + "Get-AzSentinelMetadata+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/metadata/azuresentinel.azure-sentinel-solution-zerotrust?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/metadata/azuresentinel.azure-sentinel-solution-zerotrust?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/metadata/azuresentinel.azure-sentinel-solution-zerotrust?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "223" ], - "x-ms-client-request-id": [ "90a01563-b597-4c43-9c7a-c720e87a4901" ], + "x-ms-unique-id": [ "66" ], + "x-ms-client-request-id": [ "cddbc3ad-ac0e-4528-9f50-8361031366e4" ], "CommandName": [ "Get-AzSentinelMetadata" ], "FullCommandName": [ "Get-AzSentinelMetadata_Get" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], + "User-Agent": [ "AzurePowershell/v15.4.0", "PSVersion/v7.6.0", "Az.SecurityInsights/3.2.1" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { @@ -63,37 +67,41 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11951" ], - "x-ms-request-id": [ "207cab83-2656-41a1-a92c-fe6cb4e8ca21" ], - "x-ms-correlation-request-id": [ "207cab83-2656-41a1-a92c-fe6cb4e8ca21" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160745Z:207cab83-2656-41a1-a92c-fe6cb4e8ca21" ], + "Vary": [ "Accept-Encoding" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "1099" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/3b50c860-1b48-4cc9-9a6b-5ee913cc9a02" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-ratelimit-remaining-subscription-global-reads": [ "16499" ], + "x-ms-request-id": [ "addefe76-344f-423b-b91b-186f55f077e6" ], + "x-ms-correlation-request-id": [ "addefe76-344f-423b-b91b-186f55f077e6" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074505Z:addefe76-344f-423b-b91b-186f55f077e6" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:07:44 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: 9FBB4AC817BA458E9A7EB0DE5D5B4306 Ref B: AMS231020512027 Ref C: 2026-03-25T07:45:04Z" ], + "Date": [ "Wed, 25 Mar 2026 07:45:04 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "2633" ], + "Content-Length": [ "2629" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourcegroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/metadata/azuresentinel.azure-sentinel-solution-zerotrust\",\"name\":\"azuresentinel.azure-sentinel-solution-zerotrust\",\"type\":\"Microsoft.SecurityInsights/metadata\",\"systemData\":{\"createdAt\":\"2022-08-16T16:05:56.4459878Z\",\"createdBy\":\"nicholas@zeronetworks.com\",\"createdByType\":\"User\",\"lastModifiedAt\":\"2022-08-16T16:05:56.4459878Z\",\"lastModifiedBy\":\"nicholas@zeronetworks.com\",\"lastModifiedByType\":\"User\"},\"properties\":{\"contentId\":\"azuresentinel.azure-sentinel-solution-zerotrust\",\"parentId\":\"azuresentinel.azure-sentinel-solution-zerotrust\",\"kind\":\"Solution\",\"version\":\"1.0.5\",\"source\":{\"kind\":\"Solution\",\"name\":\"ZeroTrust(TIC3.0)\",\"sourceId\":\"azuresentinel.azure-sentinel-solution-zerotrust\"},\"author\":{\"name\":\"Nikhil Tripathi\",\"email\":\"v-ntripathi@microsoft.com\"},\"support\":{\"tier\":\"Microsoft\",\"name\":\"Microsoft Corporation\",\"email\":\"support@microsoft.com\",\"link\":\"https://support.microsoft.com\"},\"dependencies\":{\"criteria\":[{\"contentId\":\"ZeroTrustTIC3.0_workbook\",\"kind\":\"Workbook\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustDNSFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustDataProtectionFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustEmailFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustEnterpriseFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustFilesFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustIntrusionDetectionFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustNetworkingFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustResiliencyFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustUCCFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustUniversalSecurityCapabilitiesFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustWebFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"}],\"operator\":\"AND\"},\"providers\":[\"Microsoft\"],\"categories\":{\"domains\":[\"Identity\",\"Security - Others\"],\"verticals\":null},\"firstPublishDate\":\"2021-10-20\"}}", + "Content": "{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourcegroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/metadata/azuresentinel.azure-sentinel-solution-zerotrust\",\"name\":\"azuresentinel.azure-sentinel-solution-zerotrust\",\"type\":\"Microsoft.SecurityInsights/metadata\",\"systemData\":{\"createdAt\":\"2026-03-25T07:32:06.5067584Z\",\"createdBy\":\"t-helezra@microsoft.com\",\"createdByType\":\"User\",\"lastModifiedAt\":\"2026-03-25T07:32:06.5067584Z\",\"lastModifiedBy\":\"t-helezra@microsoft.com\",\"lastModifiedByType\":\"User\"},\"properties\":{\"contentId\":\"azuresentinel.azure-sentinel-solution-zerotrust\",\"parentId\":\"azuresentinel.azure-sentinel-solution-zerotrust\",\"kind\":\"Solution\",\"version\":\"1.0.5\",\"source\":{\"kind\":\"Solution\",\"name\":\"ZeroTrust(TIC3.0)\",\"sourceId\":\"azuresentinel.azure-sentinel-solution-zerotrust\"},\"author\":{\"name\":\"Nikhil Tripathi\",\"email\":\"v-ntripathi@microsoft.com\"},\"support\":{\"tier\":\"Microsoft\",\"name\":\"Microsoft Corporation\",\"email\":\"support@microsoft.com\",\"link\":\"https://support.microsoft.com\"},\"dependencies\":{\"criteria\":[{\"contentId\":\"ZeroTrustTIC3.0_workbook\",\"kind\":\"Workbook\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustDNSFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustDataProtectionFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustEmailFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustEnterpriseFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustFilesFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustIntrusionDetectionFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustNetworkingFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustResiliencyFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustUCCFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustUniversalSecurityCapabilitiesFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustWebFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"}],\"operator\":\"AND\"},\"providers\":[\"Microsoft\"],\"categories\":{\"domains\":[\"Identity\",\"Security - Others\"],\"verticals\":null},\"firstPublishDate\":\"2021-10-20\"}}", "isContentBase64": false } }, - "Get-AzSentinelMetadata+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/metadata/azuresentinel.azure-sentinel-solution-zerotrust?api-version=2021-09-01-preview+1": { + "Get-AzSentinelMetadata+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/metadata/azuresentinel.azure-sentinel-solution-zerotrust?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/metadata/azuresentinel.azure-sentinel-solution-zerotrust?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/metadata/azuresentinel.azure-sentinel-solution-zerotrust?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "224" ], - "x-ms-client-request-id": [ "aab796cf-f660-40e5-b466-1216e864d305" ], + "x-ms-unique-id": [ "67" ], + "x-ms-client-request-id": [ "dc90893f-9de4-4a28-9c1d-fee7d537516d" ], "CommandName": [ "Get-AzSentinelMetadata" ], "FullCommandName": [ "Get-AzSentinelMetadata_Get" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], + "User-Agent": [ "AzurePowershell/v15.4.0", "PSVersion/v7.6.0", "Az.SecurityInsights/3.2.1" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { @@ -104,37 +112,41 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11950" ], - "x-ms-request-id": [ "21cf9504-1551-4ad2-8c89-1557d1ebfff4" ], - "x-ms-correlation-request-id": [ "21cf9504-1551-4ad2-8c89-1557d1ebfff4" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160745Z:21cf9504-1551-4ad2-8c89-1557d1ebfff4" ], + "Vary": [ "Accept-Encoding" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "1099" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/4c9cf9d7-7c01-4f47-864f-37944eed2634" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-ratelimit-remaining-subscription-global-reads": [ "16499" ], + "x-ms-request-id": [ "8cba9940-1890-4200-9ce8-642a373385cb" ], + "x-ms-correlation-request-id": [ "8cba9940-1890-4200-9ce8-642a373385cb" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074505Z:8cba9940-1890-4200-9ce8-642a373385cb" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:07:45 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: 5DB384D0A6AA494CBACC1ED6B5F65826 Ref B: AMS231020512027 Ref C: 2026-03-25T07:45:05Z" ], + "Date": [ "Wed, 25 Mar 2026 07:45:05 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "2633" ], + "Content-Length": [ "2629" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourcegroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/metadata/azuresentinel.azure-sentinel-solution-zerotrust\",\"name\":\"azuresentinel.azure-sentinel-solution-zerotrust\",\"type\":\"Microsoft.SecurityInsights/metadata\",\"systemData\":{\"createdAt\":\"2022-08-16T16:05:56.4459878Z\",\"createdBy\":\"nicholas@zeronetworks.com\",\"createdByType\":\"User\",\"lastModifiedAt\":\"2022-08-16T16:05:56.4459878Z\",\"lastModifiedBy\":\"nicholas@zeronetworks.com\",\"lastModifiedByType\":\"User\"},\"properties\":{\"contentId\":\"azuresentinel.azure-sentinel-solution-zerotrust\",\"parentId\":\"azuresentinel.azure-sentinel-solution-zerotrust\",\"kind\":\"Solution\",\"version\":\"1.0.5\",\"source\":{\"kind\":\"Solution\",\"name\":\"ZeroTrust(TIC3.0)\",\"sourceId\":\"azuresentinel.azure-sentinel-solution-zerotrust\"},\"author\":{\"name\":\"Nikhil Tripathi\",\"email\":\"v-ntripathi@microsoft.com\"},\"support\":{\"tier\":\"Microsoft\",\"name\":\"Microsoft Corporation\",\"email\":\"support@microsoft.com\",\"link\":\"https://support.microsoft.com\"},\"dependencies\":{\"criteria\":[{\"contentId\":\"ZeroTrustTIC3.0_workbook\",\"kind\":\"Workbook\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustDNSFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustDataProtectionFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustEmailFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustEnterpriseFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustFilesFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustIntrusionDetectionFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustNetworkingFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustResiliencyFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustUCCFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustUniversalSecurityCapabilitiesFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustWebFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"}],\"operator\":\"AND\"},\"providers\":[\"Microsoft\"],\"categories\":{\"domains\":[\"Identity\",\"Security - Others\"],\"verticals\":null},\"firstPublishDate\":\"2021-10-20\"}}", + "Content": "{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourcegroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/metadata/azuresentinel.azure-sentinel-solution-zerotrust\",\"name\":\"azuresentinel.azure-sentinel-solution-zerotrust\",\"type\":\"Microsoft.SecurityInsights/metadata\",\"systemData\":{\"createdAt\":\"2026-03-25T07:32:06.5067584Z\",\"createdBy\":\"t-helezra@microsoft.com\",\"createdByType\":\"User\",\"lastModifiedAt\":\"2026-03-25T07:32:06.5067584Z\",\"lastModifiedBy\":\"t-helezra@microsoft.com\",\"lastModifiedByType\":\"User\"},\"properties\":{\"contentId\":\"azuresentinel.azure-sentinel-solution-zerotrust\",\"parentId\":\"azuresentinel.azure-sentinel-solution-zerotrust\",\"kind\":\"Solution\",\"version\":\"1.0.5\",\"source\":{\"kind\":\"Solution\",\"name\":\"ZeroTrust(TIC3.0)\",\"sourceId\":\"azuresentinel.azure-sentinel-solution-zerotrust\"},\"author\":{\"name\":\"Nikhil Tripathi\",\"email\":\"v-ntripathi@microsoft.com\"},\"support\":{\"tier\":\"Microsoft\",\"name\":\"Microsoft Corporation\",\"email\":\"support@microsoft.com\",\"link\":\"https://support.microsoft.com\"},\"dependencies\":{\"criteria\":[{\"contentId\":\"ZeroTrustTIC3.0_workbook\",\"kind\":\"Workbook\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustDNSFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustDataProtectionFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustEmailFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustEnterpriseFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustFilesFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustIntrusionDetectionFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustNetworkingFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustResiliencyFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustUCCFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustUniversalSecurityCapabilitiesFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustWebFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"}],\"operator\":\"AND\"},\"providers\":[\"Microsoft\"],\"categories\":{\"domains\":[\"Identity\",\"Security - Others\"],\"verticals\":null},\"firstPublishDate\":\"2021-10-20\"}}", "isContentBase64": false } }, - "Get-AzSentinelMetadata+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/metadata/azuresentinel.azure-sentinel-solution-zerotrust?api-version=2021-09-01-preview+2": { + "Get-AzSentinelMetadata+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/metadata/azuresentinel.azure-sentinel-solution-zerotrust?api-version=2021-09-01-preview+2": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/metadata/azuresentinel.azure-sentinel-solution-zerotrust?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/metadata/azuresentinel.azure-sentinel-solution-zerotrust?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "225" ], - "x-ms-client-request-id": [ "dff0d8f9-4ce3-48a7-b53b-5cdffe2e3d6d" ], + "x-ms-unique-id": [ "68" ], + "x-ms-client-request-id": [ "bca8af4a-4c98-4c24-8b8e-3c83f31cba72" ], "CommandName": [ "Get-AzSentinelMetadata" ], "FullCommandName": [ "Get-AzSentinelMetadata_GetViaIdentity" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], + "User-Agent": [ "AzurePowershell/v15.4.0", "PSVersion/v7.6.0", "Az.SecurityInsights/3.2.1" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { @@ -145,21 +157,25 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11949" ], - "x-ms-request-id": [ "68e5f81c-058a-4a4a-8cd6-890d71b3dbab" ], - "x-ms-correlation-request-id": [ "68e5f81c-058a-4a4a-8cd6-890d71b3dbab" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160746Z:68e5f81c-058a-4a4a-8cd6-890d71b3dbab" ], + "Vary": [ "Accept-Encoding" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "1099" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/b0b88d28-503d-46d4-bee9-160a4612da50" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-ratelimit-remaining-subscription-global-reads": [ "16499" ], + "x-ms-request-id": [ "3e94724a-da4d-4458-91b6-a2367940131c" ], + "x-ms-correlation-request-id": [ "3e94724a-da4d-4458-91b6-a2367940131c" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074505Z:3e94724a-da4d-4458-91b6-a2367940131c" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:07:45 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: F999BE82B85E4212A0020D1AE64287AA Ref B: AMS231020512027 Ref C: 2026-03-25T07:45:05Z" ], + "Date": [ "Wed, 25 Mar 2026 07:45:05 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "2633" ], + "Content-Length": [ "2629" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourcegroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/metadata/azuresentinel.azure-sentinel-solution-zerotrust\",\"name\":\"azuresentinel.azure-sentinel-solution-zerotrust\",\"type\":\"Microsoft.SecurityInsights/metadata\",\"systemData\":{\"createdAt\":\"2022-08-16T16:05:56.4459878Z\",\"createdBy\":\"nicholas@zeronetworks.com\",\"createdByType\":\"User\",\"lastModifiedAt\":\"2022-08-16T16:05:56.4459878Z\",\"lastModifiedBy\":\"nicholas@zeronetworks.com\",\"lastModifiedByType\":\"User\"},\"properties\":{\"contentId\":\"azuresentinel.azure-sentinel-solution-zerotrust\",\"parentId\":\"azuresentinel.azure-sentinel-solution-zerotrust\",\"kind\":\"Solution\",\"version\":\"1.0.5\",\"source\":{\"kind\":\"Solution\",\"name\":\"ZeroTrust(TIC3.0)\",\"sourceId\":\"azuresentinel.azure-sentinel-solution-zerotrust\"},\"author\":{\"name\":\"Nikhil Tripathi\",\"email\":\"v-ntripathi@microsoft.com\"},\"support\":{\"tier\":\"Microsoft\",\"name\":\"Microsoft Corporation\",\"email\":\"support@microsoft.com\",\"link\":\"https://support.microsoft.com\"},\"dependencies\":{\"criteria\":[{\"contentId\":\"ZeroTrustTIC3.0_workbook\",\"kind\":\"Workbook\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustDNSFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustDataProtectionFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustEmailFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustEnterpriseFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustFilesFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustIntrusionDetectionFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustNetworkingFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustResiliencyFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustUCCFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustUniversalSecurityCapabilitiesFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustWebFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"}],\"operator\":\"AND\"},\"providers\":[\"Microsoft\"],\"categories\":{\"domains\":[\"Identity\",\"Security - Others\"],\"verticals\":null},\"firstPublishDate\":\"2021-10-20\"}}", + "Content": "{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourcegroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/metadata/azuresentinel.azure-sentinel-solution-zerotrust\",\"name\":\"azuresentinel.azure-sentinel-solution-zerotrust\",\"type\":\"Microsoft.SecurityInsights/metadata\",\"systemData\":{\"createdAt\":\"2026-03-25T07:32:06.5067584Z\",\"createdBy\":\"t-helezra@microsoft.com\",\"createdByType\":\"User\",\"lastModifiedAt\":\"2026-03-25T07:32:06.5067584Z\",\"lastModifiedBy\":\"t-helezra@microsoft.com\",\"lastModifiedByType\":\"User\"},\"properties\":{\"contentId\":\"azuresentinel.azure-sentinel-solution-zerotrust\",\"parentId\":\"azuresentinel.azure-sentinel-solution-zerotrust\",\"kind\":\"Solution\",\"version\":\"1.0.5\",\"source\":{\"kind\":\"Solution\",\"name\":\"ZeroTrust(TIC3.0)\",\"sourceId\":\"azuresentinel.azure-sentinel-solution-zerotrust\"},\"author\":{\"name\":\"Nikhil Tripathi\",\"email\":\"v-ntripathi@microsoft.com\"},\"support\":{\"tier\":\"Microsoft\",\"name\":\"Microsoft Corporation\",\"email\":\"support@microsoft.com\",\"link\":\"https://support.microsoft.com\"},\"dependencies\":{\"criteria\":[{\"contentId\":\"ZeroTrustTIC3.0_workbook\",\"kind\":\"Workbook\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustDNSFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustDataProtectionFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustEmailFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustEnterpriseFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustFilesFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustIntrusionDetectionFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustNetworkingFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustResiliencyFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustUCCFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustUniversalSecurityCapabilitiesFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustWebFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"}],\"operator\":\"AND\"},\"providers\":[\"Microsoft\"],\"categories\":{\"domains\":[\"Identity\",\"Security - Others\"],\"verticals\":null},\"firstPublishDate\":\"2021-10-20\"}}", "isContentBase64": false } } diff --git a/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelOnboardingState.Recording.json b/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelOnboardingState.Recording.json index 1fb3b6afa9ce..106b1d8e0063 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelOnboardingState.Recording.json +++ b/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelOnboardingState.Recording.json @@ -1,17 +1,17 @@ { - "Get-AzSentinelOnboardingState+[NoContext]+List+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/onboardingStates?api-version=2021-09-01-preview+1": { + "Get-AzSentinelOnboardingState+[NoContext]+List+$GET+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/onboardingStates?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/onboardingStates?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/onboardingStates?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "226" ], - "x-ms-client-request-id": [ "f3af40b9-f4cf-4c18-99a0-aedb3f1d2fad" ], + "x-ms-unique-id": [ "69" ], + "x-ms-client-request-id": [ "847a982e-d5e2-4025-ae3b-048507cf7e01" ], "CommandName": [ "Get-AzSentinelonboardingState" ], "FullCommandName": [ "Get-AzSentinelOnboardingState_List" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], + "User-Agent": [ "AzurePowershell/v15.4.0", "PSVersion/v7.6.0", "Az.SecurityInsights/3.2.1" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { @@ -22,37 +22,40 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-resource-requests": [ "11" ], - "x-ms-request-id": [ "015e4cad-056f-48dc-8b2e-59bf2de87ebe" ], - "x-ms-correlation-request-id": [ "015e4cad-056f-48dc-8b2e-59bf2de87ebe" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160747Z:015e4cad-056f-48dc-8b2e-59bf2de87ebe" ], + "Vary": [ "Accept-Encoding" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "1099" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/3e2756f0-b427-461d-9a70-9e9cdbd51567" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-request-id": [ "f8a571f1-074a-4526-be89-528fd3e7e2ca" ], + "x-ms-correlation-request-id": [ "f8a571f1-074a-4526-be89-528fd3e7e2ca" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074507Z:f8a571f1-074a-4526-be89-528fd3e7e2ca" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:07:46 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: C9BC01E072944A648009E6604A4C4712 Ref B: AMS231020512027 Ref C: 2026-03-25T07:45:07Z" ], + "Date": [ "Wed, 25 Mar 2026 07:45:07 GMT" ] }, "ContentHeaders": { "Content-Length": [ "331" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"value\":[{\"properties\":{},\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/onboardingStates/default\",\"name\":\"default\",\"type\":\"Microsoft.SecurityInsights/onboardingStates\",\"systemData\":{}}]}", + "Content": "{\"value\":[{\"properties\":{},\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/onboardingStates/default\",\"name\":\"default\",\"type\":\"Microsoft.SecurityInsights/onboardingStates\",\"systemData\":{}}]}", "isContentBase64": false } }, - "Get-AzSentinelOnboardingState+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/onboardingStates/default?api-version=2021-09-01-preview+1": { + "Get-AzSentinelOnboardingState+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/onboardingStates/default?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/onboardingStates/default?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/onboardingStates/default?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "227" ], - "x-ms-client-request-id": [ "32995150-e783-4002-9b8f-ebbb239f27a4" ], + "x-ms-unique-id": [ "70" ], + "x-ms-client-request-id": [ "1b2d2d91-3934-4ce7-aa92-3961165f6315" ], "CommandName": [ "Get-AzSentinelonboardingState" ], "FullCommandName": [ "Get-AzSentinelOnboardingState_Get" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], + "User-Agent": [ "AzurePowershell/v15.4.0", "PSVersion/v7.6.0", "Az.SecurityInsights/3.2.1" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { @@ -63,37 +66,40 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-resource-requests": [ "10" ], - "x-ms-request-id": [ "439d3442-a04d-431c-b7ca-1e196c67dd70" ], - "x-ms-correlation-request-id": [ "439d3442-a04d-431c-b7ca-1e196c67dd70" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160747Z:439d3442-a04d-431c-b7ca-1e196c67dd70" ], + "Vary": [ "Accept-Encoding" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "1099" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/a675d6f0-04ea-4b8e-a826-d47f6c898892" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-request-id": [ "9450d677-ea1e-47c2-b8aa-f466adc2469d" ], + "x-ms-correlation-request-id": [ "9450d677-ea1e-47c2-b8aa-f466adc2469d" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074508Z:9450d677-ea1e-47c2-b8aa-f466adc2469d" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:07:47 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: 57F22A5DACA14C21A84BFC3682194E31 Ref B: AMS231020512027 Ref C: 2026-03-25T07:45:07Z" ], + "Date": [ "Wed, 25 Mar 2026 07:45:07 GMT" ] }, "ContentHeaders": { "Content-Length": [ "319" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"properties\":{},\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/onboardingStates/default\",\"name\":\"default\",\"type\":\"Microsoft.SecurityInsights/onboardingStates\",\"systemData\":{}}", + "Content": "{\"properties\":{},\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/onboardingStates/default\",\"name\":\"default\",\"type\":\"Microsoft.SecurityInsights/onboardingStates\",\"systemData\":{}}", "isContentBase64": false } }, - "Get-AzSentinelOnboardingState+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/onboardingStates/default?api-version=2021-09-01-preview+1": { + "Get-AzSentinelOnboardingState+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/onboardingStates/default?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/onboardingStates/default?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/onboardingStates/default?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "228" ], - "x-ms-client-request-id": [ "77e679dc-ac21-46c6-986b-ae51c210b0bf" ], + "x-ms-unique-id": [ "71" ], + "x-ms-client-request-id": [ "035d12d7-ddea-47db-987c-794acdcbc069" ], "CommandName": [ "Get-AzSentinelonboardingState" ], "FullCommandName": [ "Get-AzSentinelOnboardingState_Get" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], + "User-Agent": [ "AzurePowershell/v15.4.0", "PSVersion/v7.6.0", "Az.SecurityInsights/3.2.1" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { @@ -104,37 +110,40 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-resource-requests": [ "9" ], - "x-ms-request-id": [ "0d956850-64f2-46d4-8b73-1945eb241cfd" ], - "x-ms-correlation-request-id": [ "0d956850-64f2-46d4-8b73-1945eb241cfd" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160747Z:0d956850-64f2-46d4-8b73-1945eb241cfd" ], + "Vary": [ "Accept-Encoding" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "1099" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/ecbaf493-eeb9-47b7-a0fa-6a99c4fc5088" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-request-id": [ "9409c4e2-9e30-439d-ab20-938b92e2869b" ], + "x-ms-correlation-request-id": [ "9409c4e2-9e30-439d-ab20-938b92e2869b" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074508Z:9409c4e2-9e30-439d-ab20-938b92e2869b" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:07:47 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: 1A747F38FBC543349EACF8784BFA5C2D Ref B: AMS231020512027 Ref C: 2026-03-25T07:45:08Z" ], + "Date": [ "Wed, 25 Mar 2026 07:45:08 GMT" ] }, "ContentHeaders": { "Content-Length": [ "319" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"properties\":{},\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/onboardingStates/default\",\"name\":\"default\",\"type\":\"Microsoft.SecurityInsights/onboardingStates\",\"systemData\":{}}", + "Content": "{\"properties\":{},\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/onboardingStates/default\",\"name\":\"default\",\"type\":\"Microsoft.SecurityInsights/onboardingStates\",\"systemData\":{}}", "isContentBase64": false } }, - "Get-AzSentinelOnboardingState+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/onboardingStates/default?api-version=2021-09-01-preview+2": { + "Get-AzSentinelOnboardingState+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/onboardingStates/default?api-version=2021-09-01-preview+2": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/onboardingStates/default?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/onboardingStates/default?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "229" ], - "x-ms-client-request-id": [ "4188d068-5f91-423a-8384-f7ea324c46a3" ], + "x-ms-unique-id": [ "72" ], + "x-ms-client-request-id": [ "a6cf819f-b92a-429b-879e-4132fe25e39e" ], "CommandName": [ "Get-AzSentinelonboardingState" ], "FullCommandName": [ "Get-AzSentinelOnboardingState_GetViaIdentity" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], + "User-Agent": [ "AzurePowershell/v15.4.0", "PSVersion/v7.6.0", "Az.SecurityInsights/3.2.1" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { @@ -145,21 +154,24 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-resource-requests": [ "8" ], - "x-ms-request-id": [ "bbe6b5de-7ac4-41ff-8d3e-44c182030343" ], - "x-ms-correlation-request-id": [ "bbe6b5de-7ac4-41ff-8d3e-44c182030343" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160748Z:bbe6b5de-7ac4-41ff-8d3e-44c182030343" ], + "Vary": [ "Accept-Encoding" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "1099" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/037dfcb0-8bfe-43ed-bfd7-aa575b05fc07" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-request-id": [ "ae457329-7df9-4265-9b33-b768368073cf" ], + "x-ms-correlation-request-id": [ "ae457329-7df9-4265-9b33-b768368073cf" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074508Z:ae457329-7df9-4265-9b33-b768368073cf" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:07:47 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: 62678856176A4A74A44033D262B7E332 Ref B: AMS231020512027 Ref C: 2026-03-25T07:45:08Z" ], + "Date": [ "Wed, 25 Mar 2026 07:45:08 GMT" ] }, "ContentHeaders": { "Content-Length": [ "319" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"properties\":{},\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/onboardingStates/default\",\"name\":\"default\",\"type\":\"Microsoft.SecurityInsights/onboardingStates\",\"systemData\":{}}", + "Content": "{\"properties\":{},\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/onboardingStates/default\",\"name\":\"default\",\"type\":\"Microsoft.SecurityInsights/onboardingStates\",\"systemData\":{}}", "isContentBase64": false } } diff --git a/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelSetting.Recording.json b/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelSetting.Recording.json index 248630d4a85e..c4df8c510c73 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelSetting.Recording.json +++ b/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelSetting.Recording.json @@ -1,17 +1,17 @@ { - "Get-AzSentinelSetting+[NoContext]+List+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/settings?api-version=2021-09-01-preview+1": { + "Get-AzSentinelSetting+[NoContext]+List+$GET+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/settings?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/settings?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/settings?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "230" ], - "x-ms-client-request-id": [ "fc4b66a1-a8bf-4b30-8286-3fa447c99e43" ], + "x-ms-unique-id": [ "73" ], + "x-ms-client-request-id": [ "72946f09-a246-49fa-89d5-881778d57759" ], "CommandName": [ "Get-AzSentinelSetting" ], "FullCommandName": [ "Get-AzSentinelSetting_List" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], + "User-Agent": [ "AzurePowershell/v15.4.0", "PSVersion/v7.6.0", "Az.SecurityInsights/3.2.1" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { @@ -22,37 +22,41 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11948" ], - "x-ms-request-id": [ "a0644e0a-bcc7-4164-aaca-c635992e2388" ], - "x-ms-correlation-request-id": [ "a0644e0a-bcc7-4164-aaca-c635992e2388" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160749Z:a0644e0a-bcc7-4164-aaca-c635992e2388" ], + "Vary": [ "Accept-Encoding" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "1099" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/256968e6-9688-4d1b-b7fd-80818c68d58f" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-ratelimit-remaining-subscription-global-reads": [ "16499" ], + "x-ms-request-id": [ "ea5efa5a-b52d-4063-a533-095472662543" ], + "x-ms-correlation-request-id": [ "ea5efa5a-b52d-4063-a533-095472662543" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074510Z:ea5efa5a-b52d-4063-a533-095472662543" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:07:48 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: B3DF2F612F674A2EAEA2EAA587CD3B1F Ref B: AMS231020512027 Ref C: 2026-03-25T07:45:09Z" ], + "Date": [ "Wed, 25 Mar 2026 07:45:10 GMT" ] }, "ContentHeaders": { "Content-Length": [ "1178" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"value\":[{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/settings/EyesOn\",\"name\":\"EyesOn\",\"etag\":\"\\\"300268ed-0000-0300-0000-62fbb75e0000\\\"\",\"type\":\"Microsoft.SecurityInsights/settings\",\"kind\":\"EyesOn\",\"systemData\":{},\"properties\":{\"isEnabled\":true}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/settings/IPSyncer\",\"name\":\"IPSyncer\",\"etag\":\"\\\"300210ec-0000-0300-0000-62fbb75b0000\\\"\",\"type\":\"Microsoft.SecurityInsights/settings\",\"kind\":\"IPSyncer\",\"systemData\":{},\"properties\":{\"isEnabled\":true}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/settings/Anomalies\",\"name\":\"Anomalies\",\"etag\":\"\\\"300235ec-0000-0300-0000-62fbb75c0000\\\"\",\"type\":\"Microsoft.SecurityInsights/settings\",\"kind\":\"Anomalies\",\"systemData\":{},\"properties\":{\"isEnabled\":true}}]}", + "Content": "{\"value\":[{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/settings/EyesOn\",\"name\":\"EyesOn\",\"etag\":\"\\\"32004b66-0000-0800-0000-69c38b0a0000\\\"\",\"type\":\"Microsoft.SecurityInsights/settings\",\"kind\":\"EyesOn\",\"systemData\":{},\"properties\":{\"isEnabled\":true}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/settings/IPSyncer\",\"name\":\"IPSyncer\",\"etag\":\"\\\"32006166-0000-0800-0000-69c38b0b0000\\\"\",\"type\":\"Microsoft.SecurityInsights/settings\",\"kind\":\"IPSyncer\",\"systemData\":{},\"properties\":{\"isEnabled\":true}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/settings/Anomalies\",\"name\":\"Anomalies\",\"etag\":\"\\\"32002466-0000-0800-0000-69c38b080000\\\"\",\"type\":\"Microsoft.SecurityInsights/settings\",\"kind\":\"Anomalies\",\"systemData\":{},\"properties\":{\"isEnabled\":true}}]}", "isContentBase64": false } }, - "Get-AzSentinelSetting+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/settings/Anomalies?api-version=2021-09-01-preview+1": { + "Get-AzSentinelSetting+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/settings/Anomalies?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/settings/Anomalies?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/settings/Anomalies?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "231" ], - "x-ms-client-request-id": [ "fe2af9af-3f72-499f-9919-608f8fa92d19" ], + "x-ms-unique-id": [ "74" ], + "x-ms-client-request-id": [ "b2ac1c3a-beb6-49a0-a9e7-accd3ee90849" ], "CommandName": [ "Get-AzSentinelSetting" ], "FullCommandName": [ "Get-AzSentinelSetting_Get" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], + "User-Agent": [ "AzurePowershell/v15.4.0", "PSVersion/v7.6.0", "Az.SecurityInsights/3.2.1" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { @@ -63,21 +67,25 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11947" ], - "x-ms-request-id": [ "f9bf9534-dc4e-4aaf-9dfc-3ca150643f42" ], - "x-ms-correlation-request-id": [ "f9bf9534-dc4e-4aaf-9dfc-3ca150643f42" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160749Z:f9bf9534-dc4e-4aaf-9dfc-3ca150643f42" ], + "Vary": [ "Accept-Encoding" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "1099" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/da4b3997-8736-4609-838b-2d10aca07dc9" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-ratelimit-remaining-subscription-global-reads": [ "16499" ], + "x-ms-request-id": [ "b125a7e0-b0a1-4bef-9df1-8994f050abc6" ], + "x-ms-correlation-request-id": [ "b125a7e0-b0a1-4bef-9df1-8994f050abc6" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074511Z:b125a7e0-b0a1-4bef-9df1-8994f050abc6" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:07:48 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: 30DEC948152E42428890A47D88CAB3E1 Ref B: AMS231020512027 Ref C: 2026-03-25T07:45:11Z" ], + "Date": [ "Wed, 25 Mar 2026 07:45:11 GMT" ] }, "ContentHeaders": { "Content-Length": [ "392" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/settings/Anomalies\",\"name\":\"Anomalies\",\"etag\":\"\\\"300235ec-0000-0300-0000-62fbb75c0000\\\"\",\"type\":\"Microsoft.SecurityInsights/settings\",\"kind\":\"Anomalies\",\"systemData\":{},\"properties\":{\"isEnabled\":true}}", + "Content": "{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/settings/Anomalies\",\"name\":\"Anomalies\",\"etag\":\"\\\"32002466-0000-0800-0000-69c38b080000\\\"\",\"type\":\"Microsoft.SecurityInsights/settings\",\"kind\":\"Anomalies\",\"systemData\":{},\"properties\":{\"isEnabled\":true}}", "isContentBase64": false } } diff --git a/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelThreatIntelligenceIndicator.Recording.json b/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelThreatIntelligenceIndicator.Recording.json index 3ba0ff369571..70b9ac5ebf3c 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelThreatIntelligenceIndicator.Recording.json +++ b/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelThreatIntelligenceIndicator.Recording.json @@ -1,17 +1,17 @@ { - "Get-AzSentinelThreatIntelligenceIndicator+[NoContext]+List+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/threatIntelligence/main/indicators?api-version=2021-09-01-preview+1": { + "Get-AzSentinelThreatIntelligenceIndicator+[NoContext]+List+$GET+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/threatIntelligence/main/indicators?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/threatIntelligence/main/indicators?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/threatIntelligence/main/indicators?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "232" ], - "x-ms-client-request-id": [ "bb37cf43-c191-49bb-8650-a1e840e60db1" ], + "x-ms-unique-id": [ "75" ], + "x-ms-client-request-id": [ "e9564fce-d8cf-4723-9337-d206e2649334" ], "CommandName": [ "Get-AzSentinelthreatIntelligenceIndicator" ], "FullCommandName": [ "Get-AzSentinelThreatIntelligenceIndicator_List" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], + "User-Agent": [ "AzurePowershell/v15.4.0", "PSVersion/v7.6.0", "Az.SecurityInsights/3.2.1" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { @@ -22,37 +22,41 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11946" ], - "x-ms-request-id": [ "ce83e5e5-9186-4a5b-9f09-12634870fec9" ], - "x-ms-correlation-request-id": [ "ce83e5e5-9186-4a5b-9f09-12634870fec9" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160751Z:ce83e5e5-9186-4a5b-9f09-12634870fec9" ], + "Vary": [ "Accept-Encoding" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "1099" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/455dcfad-6a13-40c6-a642-aaa27162007a" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-ratelimit-remaining-subscription-global-reads": [ "16499" ], + "x-ms-request-id": [ "25d33e72-acb8-463f-9128-a8afbcd4517f" ], + "x-ms-correlation-request-id": [ "25d33e72-acb8-463f-9128-a8afbcd4517f" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074513Z:25d33e72-acb8-463f-9128-a8afbcd4517f" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:07:51 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: A69B4859F65D42589979AD7D4A464FDB Ref B: AMS231020512027 Ref C: 2026-03-25T07:45:12Z" ], + "Date": [ "Wed, 25 Mar 2026 07:45:12 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "5012" ], + "Content-Length": [ "5372" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"value\":[{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/threatIntelligence/4b4270c1-7b75-b9ba-58c7-b8420b7e6291\",\"name\":\"4b4270c1-7b75-b9ba-58c7-b8420b7e6291\",\"etag\":\"\\\"f201820f-0000-0100-0000-62fbc0990000\\\"\",\"type\":\"Microsoft.SecurityInsights/threatIntelligence\",\"kind\":\"indicator\",\"properties\":{\"confidence\":0,\"created\":\"2022-08-16T16:06:44.5967724Z\",\"extensions\":{\"sentinel-ext\":{\"severity\":null}},\"externalId\":\"indicator--e6a04e80-47b0-6528-bd57-ed3840d7e56a\",\"lastUpdatedTimeUtc\":\"2022-08-16T16:06:44.6006111Z\",\"revoked\":false,\"source\":\"Microsoft Sentinel\",\"displayName\":\"UpdateViaIdthreatIntelligenceIndicatortefl3d\",\"threatTypes\":[\"unknown\"],\"parsedPattern\":[{\"patternTypeKey\":\"ipv4-addr\",\"patternTypeValues\":[{\"valueType\":\"ipv4-addr\",\"value\":\"8.8.8.5\"}]}],\"pattern\":\"[ipv4-addr:value = \u00278.8.8.5\u0027]\",\"patternType\":\"ipv4-addr\",\"validFrom\":\"2022-08-16T04:00:00Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/threatIntelligence/a40d90cd-3425-dcc7-87c9-8c9298f3641d\",\"name\":\"a40d90cd-3425-dcc7-87c9-8c9298f3641d\",\"etag\":\"\\\"f201c40e-0000-0100-0000-62fbc0960000\\\"\",\"type\":\"Microsoft.SecurityInsights/threatIntelligence\",\"kind\":\"indicator\",\"properties\":{\"confidence\":0,\"created\":\"2022-08-16T16:06:44.0501277Z\",\"extensions\":{\"sentinel-ext\":{\"severity\":null}},\"externalId\":\"indicator--829fe799-e4bd-6619-9c4d-3947faf519ca\",\"lastUpdatedTimeUtc\":\"2022-08-16T16:06:44.0682385Z\",\"revoked\":false,\"source\":\"Microsoft Sentinel\",\"displayName\":\"UpdatethreatIntelligenceIndicator6zjacg\",\"threatTypes\":[\"unknown\"],\"parsedPattern\":[{\"patternTypeKey\":\"ipv4-addr\",\"patternTypeValues\":[{\"valueType\":\"ipv4-addr\",\"value\":\"8.8.8.4\"}]}],\"pattern\":\"[ipv4-addr:value = \u00278.8.8.4\u0027]\",\"patternType\":\"ipv4-addr\",\"validFrom\":\"2022-08-16T04:00:00Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/threatIntelligence/8bc7c1a2-ceb7-dea2-025b-a90dc873bf63\",\"name\":\"8bc7c1a2-ceb7-dea2-025b-a90dc873bf63\",\"etag\":\"\\\"f201060e-0000-0100-0000-62fbc0930000\\\"\",\"type\":\"Microsoft.SecurityInsights/threatIntelligence\",\"kind\":\"indicator\",\"properties\":{\"confidence\":0,\"created\":\"2022-08-16T16:06:43.3658923Z\",\"extensions\":{\"sentinel-ext\":{\"severity\":null}},\"externalId\":\"indicator--2980def0-bd4a-78b5-1fa4-1be337609a85\",\"lastUpdatedTimeUtc\":\"2022-08-16T16:06:43.4186153Z\",\"revoked\":false,\"source\":\"Microsoft Sentinel\",\"displayName\":\"RemoveViaIdthreatIntelligenceIndicatorty5w74\",\"threatTypes\":[\"unknown\"],\"parsedPattern\":[{\"patternTypeKey\":\"ipv4-addr\",\"patternTypeValues\":[{\"valueType\":\"ipv4-addr\",\"value\":\"8.8.8.3\"}]}],\"pattern\":\"[ipv4-addr:value = \u00278.8.8.3\u0027]\",\"patternType\":\"ipv4-addr\",\"validFrom\":\"2022-08-16T04:00:00Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/threatIntelligence/aba922f2-cd9e-75df-4232-a8d47c94bc03\",\"name\":\"aba922f2-cd9e-75df-4232-a8d47c94bc03\",\"etag\":\"\\\"1800a99f-0000-0500-0000-62fbc09a0000\\\"\",\"type\":\"Microsoft.SecurityInsights/threatIntelligence\",\"kind\":\"indicator\",\"properties\":{\"confidence\":0,\"created\":\"2022-08-16T16:06:42.720134Z\",\"extensions\":{\"sentinel-ext\":{\"severity\":null}},\"externalId\":\"indicator--d4498499-c9ed-7c0e-0fc3-92fb16d27879\",\"lastUpdatedTimeUtc\":\"2022-08-16T16:06:42.7395321Z\",\"revoked\":false,\"source\":\"Microsoft Sentinel\",\"displayName\":\"RemovethreatIntelligenceIndicatorzeqho5\",\"threatTypes\":[\"unknown\"],\"parsedPattern\":[{\"patternTypeKey\":\"ipv4-addr\",\"patternTypeValues\":[{\"valueType\":\"ipv4-addr\",\"value\":\"8.8.8.2\"}]}],\"pattern\":\"[ipv4-addr:value = \u00278.8.8.2\u0027]\",\"patternType\":\"ipv4-addr\",\"validFrom\":\"2022-08-16T04:00:00Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/threatIntelligence/bd45b979-3f35-b698-a82a-23f3058f60bc\",\"name\":\"bd45b979-3f35-b698-a82a-23f3058f60bc\",\"etag\":\"\\\"1800899f-0000-0500-0000-62fbc0920000\\\"\",\"type\":\"Microsoft.SecurityInsights/threatIntelligence\",\"kind\":\"indicator\",\"properties\":{\"confidence\":0,\"created\":\"2022-08-16T16:06:33.5767612Z\",\"extensions\":{\"sentinel-ext\":{\"severity\":null}},\"externalId\":\"indicator--f894ccd9-d5a5-b553-4496-649bd57372ad\",\"lastUpdatedTimeUtc\":\"2022-08-16T16:06:37.7160124Z\",\"revoked\":false,\"source\":\"Microsoft Sentinel\",\"displayName\":\"GetthreatIntelligenceIndicatoro4mh0q\",\"threatTypes\":[\"unknown\"],\"parsedPattern\":[{\"patternTypeKey\":\"ipv4-addr\",\"patternTypeValues\":[{\"valueType\":\"ipv4-addr\",\"value\":\"8.8.8.1\"}]}],\"pattern\":\"[ipv4-addr:value = \u00278.8.8.1\u0027]\",\"patternType\":\"ipv4-addr\",\"validFrom\":\"2022-08-16T04:00:00Z\"}}]}", + "Content": "{\"value\":[{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/threatIntelligence/main/indicators/4b4270c1-7b75-b9ba-58c7-b8420b7e6291\",\"name\":\"4b4270c1-7b75-b9ba-58c7-b8420b7e6291\",\"etag\":\"\\\"00008bdc-0000-0200-0000-69c38f9a0000\\\"\",\"type\":\"Microsoft.SecurityInsights/threatIntelligence/main/indicators\",\"kind\":\"indicator\",\"properties\":{\"confidence\":0,\"created\":\"2026-03-25T07:32:30.5895427Z\",\"extensions\":{\"sentinel-ext\":{\"severity\":null}},\"externalId\":\"indicator--e6a04e80-47b0-6528-bd57-ed3840d7e56a\",\"labels\":[],\"lastUpdatedTimeUtc\":\"2026-03-25T07:32:30.6333124Z\",\"revoked\":false,\"source\":\"Microsoft Sentinel\",\"threatIntelligenceTags\":[],\"displayName\":\"UpdateViaIdthreatIntelligenceIndicatorgchleb\",\"threatTypes\":[\"unknown\"],\"parsedPattern\":[{\"patternTypeKey\":\"ipv4-addr\",\"patternTypeValues\":[{\"valueType\":\"ipv4-addr\",\"value\":\"8.8.8.5\"}]}],\"pattern\":\"[ipv4-addr:value = \u00278.8.8.5\u0027]\",\"patternType\":\"ipv4-addr\",\"validFrom\":\"2026-03-25T07:00:00Z\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/threatIntelligence/main/indicators/a40d90cd-3425-dcc7-87c9-8c9298f3641d\",\"name\":\"a40d90cd-3425-dcc7-87c9-8c9298f3641d\",\"etag\":\"\\\"0000acdc-0000-0200-0000-69c38f9c0000\\\"\",\"type\":\"Microsoft.SecurityInsights/threatIntelligence/main/indicators\",\"kind\":\"indicator\",\"properties\":{\"confidence\":0,\"created\":\"2026-03-25T07:32:29.2590906Z\",\"extensions\":{\"sentinel-ext\":{\"severity\":null}},\"externalId\":\"indicator--829fe799-e4bd-6619-9c4d-3947faf519ca\",\"labels\":[],\"lastUpdatedTimeUtc\":\"2026-03-25T07:32:29.6081309Z\",\"revoked\":false,\"source\":\"Microsoft Sentinel\",\"threatIntelligenceTags\":[],\"displayName\":\"UpdatethreatIntelligenceIndicatoru2047t\",\"threatTypes\":[\"unknown\"],\"parsedPattern\":[{\"patternTypeKey\":\"ipv4-addr\",\"patternTypeValues\":[{\"valueType\":\"ipv4-addr\",\"value\":\"8.8.8.4\"}]}],\"pattern\":\"[ipv4-addr:value = \u00278.8.8.4\u0027]\",\"patternType\":\"ipv4-addr\",\"validFrom\":\"2026-03-25T07:00:00Z\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/threatIntelligence/main/indicators/8bc7c1a2-ceb7-dea2-025b-a90dc873bf63\",\"name\":\"8bc7c1a2-ceb7-dea2-025b-a90dc873bf63\",\"etag\":\"\\\"000077dc-0000-0200-0000-69c38f970000\\\"\",\"type\":\"Microsoft.SecurityInsights/threatIntelligence/main/indicators\",\"kind\":\"indicator\",\"properties\":{\"confidence\":0,\"created\":\"2026-03-25T07:32:28.0596975Z\",\"extensions\":{\"sentinel-ext\":{\"severity\":null}},\"externalId\":\"indicator--2980def0-bd4a-78b5-1fa4-1be337609a85\",\"labels\":[],\"lastUpdatedTimeUtc\":\"2026-03-25T07:32:28.0935816Z\",\"revoked\":false,\"source\":\"Microsoft Sentinel\",\"threatIntelligenceTags\":[],\"displayName\":\"RemoveViaIdthreatIntelligenceIndicatorn5hj0p\",\"threatTypes\":[\"unknown\"],\"parsedPattern\":[{\"patternTypeKey\":\"ipv4-addr\",\"patternTypeValues\":[{\"valueType\":\"ipv4-addr\",\"value\":\"8.8.8.3\"}]}],\"pattern\":\"[ipv4-addr:value = \u00278.8.8.3\u0027]\",\"patternType\":\"ipv4-addr\",\"validFrom\":\"2026-03-25T07:00:00Z\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/threatIntelligence/main/indicators/aba922f2-cd9e-75df-4232-a8d47c94bc03\",\"name\":\"aba922f2-cd9e-75df-4232-a8d47c94bc03\",\"etag\":\"\\\"00005cdc-0000-0200-0000-69c38f960000\\\"\",\"type\":\"Microsoft.SecurityInsights/threatIntelligence/main/indicators\",\"kind\":\"indicator\",\"properties\":{\"confidence\":0,\"created\":\"2026-03-25T07:32:26.7821291Z\",\"extensions\":{\"sentinel-ext\":{\"severity\":null}},\"externalId\":\"indicator--d4498499-c9ed-7c0e-0fc3-92fb16d27879\",\"labels\":[],\"lastUpdatedTimeUtc\":\"2026-03-25T07:32:27.0530774Z\",\"revoked\":false,\"source\":\"Microsoft Sentinel\",\"threatIntelligenceTags\":[],\"displayName\":\"RemovethreatIntelligenceIndicatorpf94ha\",\"threatTypes\":[\"unknown\"],\"parsedPattern\":[{\"patternTypeKey\":\"ipv4-addr\",\"patternTypeValues\":[{\"valueType\":\"ipv4-addr\",\"value\":\"8.8.8.2\"}]}],\"pattern\":\"[ipv4-addr:value = \u00278.8.8.2\u0027]\",\"patternType\":\"ipv4-addr\",\"validFrom\":\"2026-03-25T07:00:00Z\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/threatIntelligence/main/indicators/bd45b979-3f35-b698-a82a-23f3058f60bc\",\"name\":\"bd45b979-3f35-b698-a82a-23f3058f60bc\",\"etag\":\"\\\"000035dc-0000-0200-0000-69c38f940000\\\"\",\"type\":\"Microsoft.SecurityInsights/threatIntelligence/main/indicators\",\"kind\":\"indicator\",\"properties\":{\"confidence\":0,\"created\":\"2026-03-25T07:32:25.329016Z\",\"extensions\":{\"sentinel-ext\":{\"severity\":null}},\"externalId\":\"indicator--f894ccd9-d5a5-b553-4496-649bd57372ad\",\"labels\":[],\"lastUpdatedTimeUtc\":\"2026-03-25T07:32:25.6325905Z\",\"revoked\":false,\"source\":\"Microsoft Sentinel\",\"threatIntelligenceTags\":[],\"displayName\":\"GetthreatIntelligenceIndicator415vxn\",\"threatTypes\":[\"unknown\"],\"parsedPattern\":[{\"patternTypeKey\":\"ipv4-addr\",\"patternTypeValues\":[{\"valueType\":\"ipv4-addr\",\"value\":\"8.8.8.1\"}]}],\"pattern\":\"[ipv4-addr:value = \u00278.8.8.1\u0027]\",\"patternType\":\"ipv4-addr\",\"validFrom\":\"2026-03-25T07:00:00Z\"}}]}", "isContentBase64": false } }, - "Get-AzSentinelThreatIntelligenceIndicator+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/threatIntelligence/main/indicators/bd45b979-3f35-b698-a82a-23f3058f60bc?api-version=2021-09-01-preview+1": { + "Get-AzSentinelThreatIntelligenceIndicator+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/threatIntelligence/main/indicators/bd45b979-3f35-b698-a82a-23f3058f60bc?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/threatIntelligence/main/indicators/bd45b979-3f35-b698-a82a-23f3058f60bc?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/threatIntelligence/main/indicators/bd45b979-3f35-b698-a82a-23f3058f60bc?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "233" ], - "x-ms-client-request-id": [ "b82efd34-e236-49ac-a78d-76c9b2c40f23" ], + "x-ms-unique-id": [ "76" ], + "x-ms-client-request-id": [ "590b7c5b-6fc3-4bde-a7a9-abbf02e06fdf" ], "CommandName": [ "Get-AzSentinelthreatIntelligenceIndicator" ], "FullCommandName": [ "Get-AzSentinelThreatIntelligenceIndicator_Get" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], + "User-Agent": [ "AzurePowershell/v15.4.0", "PSVersion/v7.6.0", "Az.SecurityInsights/3.2.1" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { @@ -63,21 +67,25 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11945" ], - "x-ms-request-id": [ "20e512c2-0dbe-4c9d-954f-e9dece46ed62" ], - "x-ms-correlation-request-id": [ "20e512c2-0dbe-4c9d-954f-e9dece46ed62" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160751Z:20e512c2-0dbe-4c9d-954f-e9dece46ed62" ], + "Vary": [ "Accept-Encoding" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "1099" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/df9d6788-9da1-4c07-9a97-68666143bc1a" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-ratelimit-remaining-subscription-global-reads": [ "16499" ], + "x-ms-request-id": [ "3da437f0-79f3-46ec-abeb-3c67be203b42" ], + "x-ms-correlation-request-id": [ "3da437f0-79f3-46ec-abeb-3c67be203b42" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074513Z:3da437f0-79f3-46ec-abeb-3c67be203b42" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:07:51 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: DEF7A15B0CC447D6A68F540FC1F1CF86 Ref B: AMS231020512027 Ref C: 2026-03-25T07:45:13Z" ], + "Date": [ "Wed, 25 Mar 2026 07:45:13 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "995" ], + "Content-Length": [ "1066" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/threatIntelligence/bd45b979-3f35-b698-a82a-23f3058f60bc\",\"name\":\"bd45b979-3f35-b698-a82a-23f3058f60bc\",\"etag\":\"\\\"1800899f-0000-0500-0000-62fbc0920000\\\"\",\"type\":\"Microsoft.SecurityInsights/threatIntelligence\",\"kind\":\"indicator\",\"properties\":{\"confidence\":0,\"created\":\"2022-08-16T16:06:33.5767612Z\",\"extensions\":{\"sentinel-ext\":{\"severity\":null}},\"externalId\":\"indicator--f894ccd9-d5a5-b553-4496-649bd57372ad\",\"lastUpdatedTimeUtc\":\"2022-08-16T16:06:37.7160124Z\",\"revoked\":false,\"source\":\"Microsoft Sentinel\",\"displayName\":\"GetthreatIntelligenceIndicatoro4mh0q\",\"threatTypes\":[\"unknown\"],\"parsedPattern\":[{\"patternTypeKey\":\"ipv4-addr\",\"patternTypeValues\":[{\"valueType\":\"ipv4-addr\",\"value\":\"8.8.8.1\"}]}],\"pattern\":\"[ipv4-addr:value = \u00278.8.8.1\u0027]\",\"patternType\":\"ipv4-addr\",\"validFrom\":\"2022-08-16T04:00:00Z\"}}", + "Content": "{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/threatIntelligence/main/indicators/bd45b979-3f35-b698-a82a-23f3058f60bc\",\"name\":\"bd45b979-3f35-b698-a82a-23f3058f60bc\",\"etag\":\"\\\"000035dc-0000-0200-0000-69c38f940000\\\"\",\"type\":\"Microsoft.SecurityInsights/threatIntelligence/main/indicators\",\"kind\":\"indicator\",\"properties\":{\"confidence\":0,\"created\":\"2026-03-25T07:32:25.329016Z\",\"extensions\":{\"sentinel-ext\":{\"severity\":null}},\"externalId\":\"indicator--f894ccd9-d5a5-b553-4496-649bd57372ad\",\"labels\":[],\"lastUpdatedTimeUtc\":\"2026-03-25T07:32:25.6325905Z\",\"revoked\":false,\"source\":\"Microsoft Sentinel\",\"threatIntelligenceTags\":[],\"displayName\":\"GetthreatIntelligenceIndicator415vxn\",\"threatTypes\":[\"unknown\"],\"parsedPattern\":[{\"patternTypeKey\":\"ipv4-addr\",\"patternTypeValues\":[{\"valueType\":\"ipv4-addr\",\"value\":\"8.8.8.1\"}]}],\"pattern\":\"[ipv4-addr:value = \u00278.8.8.1\u0027]\",\"patternType\":\"ipv4-addr\",\"validFrom\":\"2026-03-25T07:00:00Z\"}}", "isContentBase64": false } } diff --git a/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelThreatIntelligenceIndicatorMetric.Recording.json b/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelThreatIntelligenceIndicatorMetric.Recording.json index 51ca6f697242..e87a58a78d58 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelThreatIntelligenceIndicatorMetric.Recording.json +++ b/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelThreatIntelligenceIndicatorMetric.Recording.json @@ -1,17 +1,17 @@ { - "Get-AzSentinelThreatIntelligenceIndicatorMetric+[NoContext]+List+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/threatIntelligence/main/metrics?api-version=2021-09-01-preview+1": { + "Get-AzSentinelThreatIntelligenceIndicatorMetric+[NoContext]+List+$GET+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/threatIntelligence/main/metrics?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/threatIntelligence/main/metrics?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/threatIntelligence/main/metrics?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "234" ], - "x-ms-client-request-id": [ "07d98062-c08a-4688-902e-85c26b209796" ], + "x-ms-unique-id": [ "1" ], + "x-ms-client-request-id": [ "377faafd-85e3-4350-8644-aba689ec4bef" ], "CommandName": [ "Get-AzSentinelthreatIntelligenceIndicatorMetric" ], "FullCommandName": [ "Get-AzSentinelThreatIntelligenceIndicatorMetric_List" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], + "User-Agent": [ "AzurePowershell/v15.4.0", "PSVersion/v7.6.0", "Az.SecurityInsights/3.2.1" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { @@ -22,21 +22,25 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11944" ], - "x-ms-request-id": [ "7a9bc93d-0d83-4bd1-b3fd-502c8102036f" ], - "x-ms-correlation-request-id": [ "7a9bc93d-0d83-4bd1-b3fd-502c8102036f" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160752Z:7a9bc93d-0d83-4bd1-b3fd-502c8102036f" ], + "Vary": [ "Accept-Encoding" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "1099" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/c935246b-2493-429f-aaca-9c5dd18954a2" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-ratelimit-remaining-subscription-global-reads": [ "16499" ], + "x-ms-request-id": [ "333c83bf-4668-4a28-b407-93418fe28740" ], + "x-ms-correlation-request-id": [ "333c83bf-4668-4a28-b407-93418fe28740" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T075240Z:333c83bf-4668-4a28-b407-93418fe28740" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:07:52 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: 189D4EC467674E94BCE84D56B1346CA8 Ref B: AMS231020615049 Ref C: 2026-03-25T07:52:40Z" ], + "Date": [ "Wed, 25 Mar 2026 07:52:40 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "278" ], + "Content-Length": [ "279" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"value\":[{\"properties\":{\"lastUpdatedTimeUtc\":\"2022-08-16T16:07:52.700472Z\",\"threatTypeMetrics\":[{\"metricName\":\"unknown\",\"metricValue\":5}],\"patternTypeMetrics\":[{\"metricName\":\"ipv4-addr\",\"metricValue\":5}],\"sourceMetrics\":[{\"metricName\":\"Microsoft Sentinel\",\"metricValue\":5}]}}]}", + "Content": "{\"value\":[{\"properties\":{\"lastUpdatedTimeUtc\":\"2026-03-25T07:45:15.4413387Z\",\"threatTypeMetrics\":[{\"metricName\":\"unknown\",\"metricValue\":0}],\"patternTypeMetrics\":[{\"metricName\":\"ipv4-addr\",\"metricValue\":0}],\"sourceMetrics\":[{\"metricName\":\"Microsoft Sentinel\",\"metricValue\":5}]}}]}", "isContentBase64": false } } diff --git a/src/SecurityInsights/SecurityInsights.Autorest/test/Invoke-AzSentinelThreatIntelligenceIndicatorQuery.Recording.json b/src/SecurityInsights/SecurityInsights.Autorest/test/Invoke-AzSentinelThreatIntelligenceIndicatorQuery.Recording.json index f7c10a73344a..6220abe3e7d0 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/test/Invoke-AzSentinelThreatIntelligenceIndicatorQuery.Recording.json +++ b/src/SecurityInsights/SecurityInsights.Autorest/test/Invoke-AzSentinelThreatIntelligenceIndicatorQuery.Recording.json @@ -1,15 +1,15 @@ { - "Invoke-AzSentinelThreatIntelligenceIndicatorQuery+[NoContext]+QueryExpanded+$POST+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/threatIntelligence/main/queryIndicators?api-version=2021-09-01-preview+1": { + "Invoke-AzSentinelThreatIntelligenceIndicatorQuery+[NoContext]+QueryExpanded+$POST+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/threatIntelligence/main/queryIndicators?api-version=2021-09-01-preview+1": { "Request": { "Method": "POST", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/threatIntelligence/main/queryIndicators?api-version=2021-09-01-preview", - "Content": "{\n \"pageSize\": 10,\n \"includeDisabled\": true\n}", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/threatIntelligence/main/queryIndicators?api-version=2021-09-01-preview", + "Content": "{\r\n \"pageSize\": 10,\r\n \"includeDisabled\": true\r\n}", "isContentBase64": false, "Headers": { }, "ContentHeaders": { "Content-Type": [ "application/json" ], - "Content-Length": [ "47" ] + "Content-Length": [ "50" ] } }, "Response": { @@ -17,21 +17,25 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11943" ], - "x-ms-request-id": [ "5c61c462-0aaf-44d8-9cf7-a1e17c413736" ], - "x-ms-correlation-request-id": [ "5c61c462-0aaf-44d8-9cf7-a1e17c413736" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160753Z:5c61c462-0aaf-44d8-9cf7-a1e17c413736" ], + "Vary": [ "Accept-Encoding" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "1099" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/24899ed6-74c5-4270-85e5-6a91ed3814a6" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-ratelimit-remaining-subscription-global-reads": [ "16499" ], + "x-ms-request-id": [ "5393897a-c74b-4f56-934e-29db43ec9e8d" ], + "x-ms-correlation-request-id": [ "5393897a-c74b-4f56-934e-29db43ec9e8d" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074516Z:5393897a-c74b-4f56-934e-29db43ec9e8d" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:07:52 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: 6FFF874097004004B8AD79B5B276D3BE Ref B: AMS231020512027 Ref C: 2026-03-25T07:45:15Z" ], + "Date": [ "Wed, 25 Mar 2026 07:45:15 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "5012" ], + "Content-Length": [ "5372" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"value\":[{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/threatIntelligence/4b4270c1-7b75-b9ba-58c7-b8420b7e6291\",\"name\":\"4b4270c1-7b75-b9ba-58c7-b8420b7e6291\",\"etag\":\"\\\"f201820f-0000-0100-0000-62fbc0990000\\\"\",\"type\":\"Microsoft.SecurityInsights/threatIntelligence\",\"kind\":\"indicator\",\"properties\":{\"confidence\":0,\"created\":\"2022-08-16T16:06:44.5967724Z\",\"extensions\":{\"sentinel-ext\":{\"severity\":null}},\"externalId\":\"indicator--e6a04e80-47b0-6528-bd57-ed3840d7e56a\",\"lastUpdatedTimeUtc\":\"2022-08-16T16:06:44.6006111Z\",\"revoked\":false,\"source\":\"Microsoft Sentinel\",\"displayName\":\"UpdateViaIdthreatIntelligenceIndicatortefl3d\",\"threatTypes\":[\"unknown\"],\"parsedPattern\":[{\"patternTypeKey\":\"ipv4-addr\",\"patternTypeValues\":[{\"valueType\":\"ipv4-addr\",\"value\":\"8.8.8.5\"}]}],\"pattern\":\"[ipv4-addr:value = \u00278.8.8.5\u0027]\",\"patternType\":\"ipv4-addr\",\"validFrom\":\"2022-08-16T04:00:00Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/threatIntelligence/a40d90cd-3425-dcc7-87c9-8c9298f3641d\",\"name\":\"a40d90cd-3425-dcc7-87c9-8c9298f3641d\",\"etag\":\"\\\"f201c40e-0000-0100-0000-62fbc0960000\\\"\",\"type\":\"Microsoft.SecurityInsights/threatIntelligence\",\"kind\":\"indicator\",\"properties\":{\"confidence\":0,\"created\":\"2022-08-16T16:06:44.0501277Z\",\"extensions\":{\"sentinel-ext\":{\"severity\":null}},\"externalId\":\"indicator--829fe799-e4bd-6619-9c4d-3947faf519ca\",\"lastUpdatedTimeUtc\":\"2022-08-16T16:06:44.0682385Z\",\"revoked\":false,\"source\":\"Microsoft Sentinel\",\"displayName\":\"UpdatethreatIntelligenceIndicator6zjacg\",\"threatTypes\":[\"unknown\"],\"parsedPattern\":[{\"patternTypeKey\":\"ipv4-addr\",\"patternTypeValues\":[{\"valueType\":\"ipv4-addr\",\"value\":\"8.8.8.4\"}]}],\"pattern\":\"[ipv4-addr:value = \u00278.8.8.4\u0027]\",\"patternType\":\"ipv4-addr\",\"validFrom\":\"2022-08-16T04:00:00Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/threatIntelligence/8bc7c1a2-ceb7-dea2-025b-a90dc873bf63\",\"name\":\"8bc7c1a2-ceb7-dea2-025b-a90dc873bf63\",\"etag\":\"\\\"f201060e-0000-0100-0000-62fbc0930000\\\"\",\"type\":\"Microsoft.SecurityInsights/threatIntelligence\",\"kind\":\"indicator\",\"properties\":{\"confidence\":0,\"created\":\"2022-08-16T16:06:43.3658923Z\",\"extensions\":{\"sentinel-ext\":{\"severity\":null}},\"externalId\":\"indicator--2980def0-bd4a-78b5-1fa4-1be337609a85\",\"lastUpdatedTimeUtc\":\"2022-08-16T16:06:43.4186153Z\",\"revoked\":false,\"source\":\"Microsoft Sentinel\",\"displayName\":\"RemoveViaIdthreatIntelligenceIndicatorty5w74\",\"threatTypes\":[\"unknown\"],\"parsedPattern\":[{\"patternTypeKey\":\"ipv4-addr\",\"patternTypeValues\":[{\"valueType\":\"ipv4-addr\",\"value\":\"8.8.8.3\"}]}],\"pattern\":\"[ipv4-addr:value = \u00278.8.8.3\u0027]\",\"patternType\":\"ipv4-addr\",\"validFrom\":\"2022-08-16T04:00:00Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/threatIntelligence/aba922f2-cd9e-75df-4232-a8d47c94bc03\",\"name\":\"aba922f2-cd9e-75df-4232-a8d47c94bc03\",\"etag\":\"\\\"1800a99f-0000-0500-0000-62fbc09a0000\\\"\",\"type\":\"Microsoft.SecurityInsights/threatIntelligence\",\"kind\":\"indicator\",\"properties\":{\"confidence\":0,\"created\":\"2022-08-16T16:06:42.720134Z\",\"extensions\":{\"sentinel-ext\":{\"severity\":null}},\"externalId\":\"indicator--d4498499-c9ed-7c0e-0fc3-92fb16d27879\",\"lastUpdatedTimeUtc\":\"2022-08-16T16:06:42.7395321Z\",\"revoked\":false,\"source\":\"Microsoft Sentinel\",\"displayName\":\"RemovethreatIntelligenceIndicatorzeqho5\",\"threatTypes\":[\"unknown\"],\"parsedPattern\":[{\"patternTypeKey\":\"ipv4-addr\",\"patternTypeValues\":[{\"valueType\":\"ipv4-addr\",\"value\":\"8.8.8.2\"}]}],\"pattern\":\"[ipv4-addr:value = \u00278.8.8.2\u0027]\",\"patternType\":\"ipv4-addr\",\"validFrom\":\"2022-08-16T04:00:00Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/threatIntelligence/bd45b979-3f35-b698-a82a-23f3058f60bc\",\"name\":\"bd45b979-3f35-b698-a82a-23f3058f60bc\",\"etag\":\"\\\"1800899f-0000-0500-0000-62fbc0920000\\\"\",\"type\":\"Microsoft.SecurityInsights/threatIntelligence\",\"kind\":\"indicator\",\"properties\":{\"confidence\":0,\"created\":\"2022-08-16T16:06:33.5767612Z\",\"extensions\":{\"sentinel-ext\":{\"severity\":null}},\"externalId\":\"indicator--f894ccd9-d5a5-b553-4496-649bd57372ad\",\"lastUpdatedTimeUtc\":\"2022-08-16T16:06:37.7160124Z\",\"revoked\":false,\"source\":\"Microsoft Sentinel\",\"displayName\":\"GetthreatIntelligenceIndicatoro4mh0q\",\"threatTypes\":[\"unknown\"],\"parsedPattern\":[{\"patternTypeKey\":\"ipv4-addr\",\"patternTypeValues\":[{\"valueType\":\"ipv4-addr\",\"value\":\"8.8.8.1\"}]}],\"pattern\":\"[ipv4-addr:value = \u00278.8.8.1\u0027]\",\"patternType\":\"ipv4-addr\",\"validFrom\":\"2022-08-16T04:00:00Z\"}}]}", + "Content": "{\"value\":[{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/threatIntelligence/main/indicators/4b4270c1-7b75-b9ba-58c7-b8420b7e6291\",\"name\":\"4b4270c1-7b75-b9ba-58c7-b8420b7e6291\",\"etag\":\"\\\"00008bdc-0000-0200-0000-69c38f9a0000\\\"\",\"type\":\"Microsoft.SecurityInsights/threatIntelligence/main/indicators\",\"kind\":\"indicator\",\"properties\":{\"confidence\":0,\"created\":\"2026-03-25T07:32:30.5895427Z\",\"extensions\":{\"sentinel-ext\":{\"severity\":null}},\"externalId\":\"indicator--e6a04e80-47b0-6528-bd57-ed3840d7e56a\",\"labels\":[],\"lastUpdatedTimeUtc\":\"2026-03-25T07:32:30.6333124Z\",\"revoked\":false,\"source\":\"Microsoft Sentinel\",\"threatIntelligenceTags\":[],\"displayName\":\"UpdateViaIdthreatIntelligenceIndicatorgchleb\",\"threatTypes\":[\"unknown\"],\"parsedPattern\":[{\"patternTypeKey\":\"ipv4-addr\",\"patternTypeValues\":[{\"valueType\":\"ipv4-addr\",\"value\":\"8.8.8.5\"}]}],\"pattern\":\"[ipv4-addr:value = \u00278.8.8.5\u0027]\",\"patternType\":\"ipv4-addr\",\"validFrom\":\"2026-03-25T07:00:00Z\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/threatIntelligence/main/indicators/a40d90cd-3425-dcc7-87c9-8c9298f3641d\",\"name\":\"a40d90cd-3425-dcc7-87c9-8c9298f3641d\",\"etag\":\"\\\"0000acdc-0000-0200-0000-69c38f9c0000\\\"\",\"type\":\"Microsoft.SecurityInsights/threatIntelligence/main/indicators\",\"kind\":\"indicator\",\"properties\":{\"confidence\":0,\"created\":\"2026-03-25T07:32:29.2590906Z\",\"extensions\":{\"sentinel-ext\":{\"severity\":null}},\"externalId\":\"indicator--829fe799-e4bd-6619-9c4d-3947faf519ca\",\"labels\":[],\"lastUpdatedTimeUtc\":\"2026-03-25T07:32:29.6081309Z\",\"revoked\":false,\"source\":\"Microsoft Sentinel\",\"threatIntelligenceTags\":[],\"displayName\":\"UpdatethreatIntelligenceIndicatoru2047t\",\"threatTypes\":[\"unknown\"],\"parsedPattern\":[{\"patternTypeKey\":\"ipv4-addr\",\"patternTypeValues\":[{\"valueType\":\"ipv4-addr\",\"value\":\"8.8.8.4\"}]}],\"pattern\":\"[ipv4-addr:value = \u00278.8.8.4\u0027]\",\"patternType\":\"ipv4-addr\",\"validFrom\":\"2026-03-25T07:00:00Z\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/threatIntelligence/main/indicators/8bc7c1a2-ceb7-dea2-025b-a90dc873bf63\",\"name\":\"8bc7c1a2-ceb7-dea2-025b-a90dc873bf63\",\"etag\":\"\\\"000077dc-0000-0200-0000-69c38f970000\\\"\",\"type\":\"Microsoft.SecurityInsights/threatIntelligence/main/indicators\",\"kind\":\"indicator\",\"properties\":{\"confidence\":0,\"created\":\"2026-03-25T07:32:28.0596975Z\",\"extensions\":{\"sentinel-ext\":{\"severity\":null}},\"externalId\":\"indicator--2980def0-bd4a-78b5-1fa4-1be337609a85\",\"labels\":[],\"lastUpdatedTimeUtc\":\"2026-03-25T07:32:28.0935816Z\",\"revoked\":false,\"source\":\"Microsoft Sentinel\",\"threatIntelligenceTags\":[],\"displayName\":\"RemoveViaIdthreatIntelligenceIndicatorn5hj0p\",\"threatTypes\":[\"unknown\"],\"parsedPattern\":[{\"patternTypeKey\":\"ipv4-addr\",\"patternTypeValues\":[{\"valueType\":\"ipv4-addr\",\"value\":\"8.8.8.3\"}]}],\"pattern\":\"[ipv4-addr:value = \u00278.8.8.3\u0027]\",\"patternType\":\"ipv4-addr\",\"validFrom\":\"2026-03-25T07:00:00Z\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/threatIntelligence/main/indicators/aba922f2-cd9e-75df-4232-a8d47c94bc03\",\"name\":\"aba922f2-cd9e-75df-4232-a8d47c94bc03\",\"etag\":\"\\\"00005cdc-0000-0200-0000-69c38f960000\\\"\",\"type\":\"Microsoft.SecurityInsights/threatIntelligence/main/indicators\",\"kind\":\"indicator\",\"properties\":{\"confidence\":0,\"created\":\"2026-03-25T07:32:26.7821291Z\",\"extensions\":{\"sentinel-ext\":{\"severity\":null}},\"externalId\":\"indicator--d4498499-c9ed-7c0e-0fc3-92fb16d27879\",\"labels\":[],\"lastUpdatedTimeUtc\":\"2026-03-25T07:32:27.0530774Z\",\"revoked\":false,\"source\":\"Microsoft Sentinel\",\"threatIntelligenceTags\":[],\"displayName\":\"RemovethreatIntelligenceIndicatorpf94ha\",\"threatTypes\":[\"unknown\"],\"parsedPattern\":[{\"patternTypeKey\":\"ipv4-addr\",\"patternTypeValues\":[{\"valueType\":\"ipv4-addr\",\"value\":\"8.8.8.2\"}]}],\"pattern\":\"[ipv4-addr:value = \u00278.8.8.2\u0027]\",\"patternType\":\"ipv4-addr\",\"validFrom\":\"2026-03-25T07:00:00Z\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/threatIntelligence/main/indicators/bd45b979-3f35-b698-a82a-23f3058f60bc\",\"name\":\"bd45b979-3f35-b698-a82a-23f3058f60bc\",\"etag\":\"\\\"000035dc-0000-0200-0000-69c38f940000\\\"\",\"type\":\"Microsoft.SecurityInsights/threatIntelligence/main/indicators\",\"kind\":\"indicator\",\"properties\":{\"confidence\":0,\"created\":\"2026-03-25T07:32:25.329016Z\",\"extensions\":{\"sentinel-ext\":{\"severity\":null}},\"externalId\":\"indicator--f894ccd9-d5a5-b553-4496-649bd57372ad\",\"labels\":[],\"lastUpdatedTimeUtc\":\"2026-03-25T07:32:25.6325905Z\",\"revoked\":false,\"source\":\"Microsoft Sentinel\",\"threatIntelligenceTags\":[],\"displayName\":\"GetthreatIntelligenceIndicator415vxn\",\"threatTypes\":[\"unknown\"],\"parsedPattern\":[{\"patternTypeKey\":\"ipv4-addr\",\"patternTypeValues\":[{\"valueType\":\"ipv4-addr\",\"value\":\"8.8.8.1\"}]}],\"pattern\":\"[ipv4-addr:value = \u00278.8.8.1\u0027]\",\"patternType\":\"ipv4-addr\",\"validFrom\":\"2026-03-25T07:00:00Z\"}}]}", "isContentBase64": false } } diff --git a/src/SecurityInsights/SecurityInsights.Autorest/test/New-AzSentinelAlertRule.Recording.json b/src/SecurityInsights/SecurityInsights.Autorest/test/New-AzSentinelAlertRule.Recording.json index 089b7fc1d6c8..4500a814d42b 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/test/New-AzSentinelAlertRule.Recording.json +++ b/src/SecurityInsights/SecurityInsights.Autorest/test/New-AzSentinelAlertRule.Recording.json @@ -1,15 +1,15 @@ { - "New-AzSentinelAlertRule+[NoContext]+CreateExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/12d8cb29-d001-4576-a336-77050c60a1f3?api-version=2021-09-01-preview+1": { + "New-AzSentinelAlertRule+[NoContext]+CreateExpanded+$PUT+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/alertRules/d65a3750-5f16-4b60-a0c2-ca1ee7a40899?api-version=2021-09-01-preview+1": { "Request": { "Method": "PUT", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/12d8cb29-d001-4576-a336-77050c60a1f3?api-version=2021-09-01-preview", - "Content": "{\n \"kind\": \"Scheduled\",\n \"properties\": {\n \"queryFrequency\": \"PT1H\",\n \"queryPeriod\": \"P1D\",\n \"triggerOperator\": \"GreaterThan\",\n \"triggerThreshold\": 1,\n \"incidentConfiguration\": {\n \"groupingConfiguration\": {\n \"enabled\": false,\n \"reopenClosedIncident\": false,\n \"lookbackDuration\": \"PT5H\",\n \"matchingMethod\": \"AllEntities\"\n },\n \"createIncident\": false\n },\n \"query\": \"SecurityEvent | take 1\",\n \"displayName\": \"NewAlertRulel98w03\",\n \"enabled\": false,\n \"suppressionDuration\": \"PT5H\",\n \"suppressionEnabled\": false,\n \"severity\": \"Informational\"\n }\n}", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/alertRules/d65a3750-5f16-4b60-a0c2-ca1ee7a40899?api-version=2021-09-01-preview", + "Content": "{\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 1,\r\n \"incidentConfiguration\": {\r\n \"groupingConfiguration\": {\r\n \"enabled\": false,\r\n \"reopenClosedIncident\": false,\r\n \"lookbackDuration\": \"PT5H\",\r\n \"matchingMethod\": \"AllEntities\"\r\n },\r\n \"createIncident\": false\r\n },\r\n \"query\": \"SecurityEvent | take 1\",\r\n \"displayName\": \"NewAlertRule38x7ic\",\r\n \"enabled\": false,\r\n \"suppressionDuration\": \"PT5H\",\r\n \"suppressionEnabled\": false,\r\n \"severity\": \"Informational\"\r\n }\r\n}", "isContentBase64": false, "Headers": { }, "ContentHeaders": { "Content-Type": [ "application/json" ], - "Content-Length": [ "622" ] + "Content-Length": [ "645" ] } }, "Response": { @@ -17,21 +17,24 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-writes": [ "1199" ], - "x-ms-request-id": [ "fe16e0a3-61ba-4872-be3f-044a0eb6ffbd" ], - "x-ms-correlation-request-id": [ "fe16e0a3-61ba-4872-be3f-044a0eb6ffbd" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160754Z:fe16e0a3-61ba-4872-be3f-044a0eb6ffbd" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/f3ed1719-6f4b-40ee-8a2a-e0f6abb472ec" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-ratelimit-remaining-subscription-writes": [ "799" ], + "x-ms-ratelimit-remaining-subscription-global-writes": [ "11999" ], + "x-ms-request-id": [ "f8bb5403-c190-4268-bce3-60c802589b25" ], + "x-ms-correlation-request-id": [ "f8bb5403-c190-4268-bce3-60c802589b25" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074517Z:f8bb5403-c190-4268-bce3-60c802589b25" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:07:54 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: 6CD2578E43CD4736BC10F60027547366 Ref B: AMS231020512027 Ref C: 2026-03-25T07:45:17Z" ], + "Date": [ "Wed, 25 Mar 2026 07:45:17 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "1048" ], + "Content-Length": [ "1047" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/12d8cb29-d001-4576-a336-77050c60a1f3\",\"name\":\"12d8cb29-d001-4576-a336-77050c60a1f3\",\"etag\":\"\\\"06007d41-0000-0100-0000-62fbc0da0000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":false,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":null,\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":1,\"severity\":\"Informational\",\"query\":\"SecurityEvent | take 1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":null,\"displayName\":\"NewAlertRulel98w03\",\"enabled\":false,\"description\":null,\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2022-08-16T16:07:54.7075662Z\"}}", + "Content": "{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/alertRules/d65a3750-5f16-4b60-a0c2-ca1ee7a40899\",\"name\":\"d65a3750-5f16-4b60-a0c2-ca1ee7a40899\",\"etag\":\"\\\"61004e36-0000-0100-0000-69c3928d0000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":false,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":null,\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":1,\"severity\":\"Informational\",\"query\":\"SecurityEvent | take 1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":null,\"displayName\":\"NewAlertRule38x7ic\",\"enabled\":false,\"description\":null,\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2026-03-25T07:45:17.671388Z\"}}", "isContentBase64": false } } diff --git a/src/SecurityInsights/SecurityInsights.Autorest/test/New-AzSentinelAlertRuleAction.Recording.json b/src/SecurityInsights/SecurityInsights.Autorest/test/New-AzSentinelAlertRuleAction.Recording.json index 318f977eb2ae..4203f2456db6 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/test/New-AzSentinelAlertRuleAction.Recording.json +++ b/src/SecurityInsights/SecurityInsights.Autorest/test/New-AzSentinelAlertRuleAction.Recording.json @@ -1,15 +1,15 @@ { - "New-AzSentinelAlertRuleAction+[NoContext]+CreateExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/257e1543-c5bf-47a0-a346-35a29c8a0d71?api-version=2021-09-01-preview+1": { + "New-AzSentinelAlertRuleAction+[NoContext]+CreateExpanded+$PUT+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/alertRules/b8a12f56-c73c-4650-a18f-76c331764148?api-version=2021-09-01-preview+1": { "Request": { "Method": "PUT", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/257e1543-c5bf-47a0-a346-35a29c8a0d71?api-version=2021-09-01-preview", - "Content": "{\n \"kind\": \"Scheduled\",\n \"properties\": {\n \"queryFrequency\": \"PT1H\",\n \"queryPeriod\": \"P1D\",\n \"triggerOperator\": \"GreaterThan\",\n \"triggerThreshold\": 1,\n \"incidentConfiguration\": {\n \"groupingConfiguration\": {\n \"enabled\": false,\n \"reopenClosedIncident\": false,\n \"lookbackDuration\": \"PT5H\",\n \"matchingMethod\": \"AllEntities\"\n },\n \"createIncident\": false\n },\n \"query\": \"SecurityEvent | take 1\",\n \"displayName\": \"NewalertRuleActionRuleNamexmy37l\",\n \"enabled\": false,\n \"suppressionDuration\": \"PT5H\",\n \"suppressionEnabled\": false,\n \"severity\": \"Informational\"\n }\n}", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/alertRules/b8a12f56-c73c-4650-a18f-76c331764148?api-version=2021-09-01-preview", + "Content": "{\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 1,\r\n \"incidentConfiguration\": {\r\n \"groupingConfiguration\": {\r\n \"enabled\": false,\r\n \"reopenClosedIncident\": false,\r\n \"lookbackDuration\": \"PT5H\",\r\n \"matchingMethod\": \"AllEntities\"\r\n },\r\n \"createIncident\": false\r\n },\r\n \"query\": \"SecurityEvent | take 1\",\r\n \"displayName\": \"NewalertRuleActionRuleNamenbm3jx\",\r\n \"enabled\": false,\r\n \"suppressionDuration\": \"PT5H\",\r\n \"suppressionEnabled\": false,\r\n \"severity\": \"Informational\"\r\n }\r\n}", "isContentBase64": false, "Headers": { }, "ContentHeaders": { "Content-Type": [ "application/json" ], - "Content-Length": [ "636" ] + "Content-Length": [ "659" ] } }, "Response": { @@ -17,35 +17,38 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-writes": [ "1198" ], - "x-ms-request-id": [ "bcbffb7e-80a2-41e7-9abf-1a9f8eb1eeb6" ], - "x-ms-correlation-request-id": [ "bcbffb7e-80a2-41e7-9abf-1a9f8eb1eeb6" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160755Z:bcbffb7e-80a2-41e7-9abf-1a9f8eb1eeb6" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/9d2ef7d1-d185-4c60-bb2a-45d3e8c8c1ee" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-ratelimit-remaining-subscription-writes": [ "799" ], + "x-ms-ratelimit-remaining-subscription-global-writes": [ "11999" ], + "x-ms-request-id": [ "dd7328eb-550b-4457-baf9-503a378b467b" ], + "x-ms-correlation-request-id": [ "dd7328eb-550b-4457-baf9-503a378b467b" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074518Z:dd7328eb-550b-4457-baf9-503a378b467b" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:07:55 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: 1B1600D181B64CDA99EF8F4C58DE588F Ref B: AMS231020512027 Ref C: 2026-03-25T07:45:18Z" ], + "Date": [ "Wed, 25 Mar 2026 07:45:18 GMT" ] }, "ContentHeaders": { "Content-Length": [ "1062" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/257e1543-c5bf-47a0-a346-35a29c8a0d71\",\"name\":\"257e1543-c5bf-47a0-a346-35a29c8a0d71\",\"etag\":\"\\\"06007e41-0000-0100-0000-62fbc0db0000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":false,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":null,\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":1,\"severity\":\"Informational\",\"query\":\"SecurityEvent | take 1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":null,\"displayName\":\"NewalertRuleActionRuleNamexmy37l\",\"enabled\":false,\"description\":null,\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2022-08-16T16:07:55.6806296Z\"}}", + "Content": "{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/alertRules/b8a12f56-c73c-4650-a18f-76c331764148\",\"name\":\"b8a12f56-c73c-4650-a18f-76c331764148\",\"etag\":\"\\\"61007a36-0000-0100-0000-69c3928e0000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":false,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":null,\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":1,\"severity\":\"Informational\",\"query\":\"SecurityEvent | take 1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":null,\"displayName\":\"NewalertRuleActionRuleNamenbm3jx\",\"enabled\":false,\"description\":null,\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2026-03-25T07:45:18.8922845Z\"}}", "isContentBase64": false } }, - "New-AzSentinelAlertRuleAction+[NoContext]+CreateExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/257e1543-c5bf-47a0-a346-35a29c8a0d71/actions/9c045509-e461-450d-bf07-d550536d3d95?api-version=2021-09-01-preview+2": { + "New-AzSentinelAlertRuleAction+[NoContext]+CreateExpanded+$PUT+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/alertRules/b8a12f56-c73c-4650-a18f-76c331764148/actions/2acd3d9d-f30c-4b07-88af-821fa8edbad4?api-version=2021-09-01-preview+2": { "Request": { "Method": "PUT", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/257e1543-c5bf-47a0-a346-35a29c8a0d71/actions/9c045509-e461-450d-bf07-d550536d3d95?api-version=2021-09-01-preview", - "Content": "{\n \"properties\": {\n \"logicAppResourceId\": \"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.Logic/workflows/Block-AADUser-Alert\",\n \"triggerUri\": \"https://prod-05.centralus.logic.azure.com:443/workflows/eb03b1bc818942e0a642c05aeef2614b/triggers/When_a_response_to_an_Azure_Sentinel_alert_is_triggered/paths/invoke?api-version=2016-06-01\\u0026sp=%2Ftriggers%2FWhen_a_response_to_an_Azure_Sentinel_alert_is_triggered%2Frun\\u0026sv=1.0\\u0026sig=BiTp33mQqq5owtlDqGQFUmo-TdKtHaQskA16bOn1p8g\"\n }\n}", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/alertRules/b8a12f56-c73c-4650-a18f-76c331764148/actions/2acd3d9d-f30c-4b07-88af-821fa8edbad4?api-version=2021-09-01-preview", + "Content": "{\r\n \"properties\": {\r\n \"logicAppResourceId\": \"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.Logic/workflows/Block-AADUser-Alert\",\r\n \"triggerUri\": \"https://prod-18.centralus.logic.azure.com:443/workflows/fdce5d8d4e914b7b99bd10b290075cc2/triggers/When_a_response_to_an_Azure_Sentinel_alert_is_triggered/paths/invoke?api-version=2016-06-01\\u0026sp=%2Ftriggers%2FWhen_a_response_to_an_Azure_Sentinel_alert_is_triggered%2Frun\\u0026sv=1.0\\u0026sig=OV1Z3sQTFbx35g3KA-kqWwdvdY2DLKcq1wcLPj5VjRU\"\r\n }\r\n}", "isContentBase64": false, "Headers": { }, "ContentHeaders": { "Content-Type": [ "application/json" ], - "Content-Length": [ "551" ] + "Content-Length": [ "556" ] } }, "Response": { @@ -53,21 +56,23 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-resource-requests": [ "499" ], - "x-ms-request-id": [ "25ad87b8-a50f-41ee-8d0e-4d2fe7c03339" ], - "x-ms-correlation-request-id": [ "25ad87b8-a50f-41ee-8d0e-4d2fe7c03339" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160757Z:25ad87b8-a50f-41ee-8d0e-4d2fe7c03339" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/17a9fc58-82fe-44a7-aea0-c0ea0aa3fc06" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "799" ], + "x-ms-request-id": [ "c9e03116-7edc-4439-a2f3-3607712eccc3" ], + "x-ms-correlation-request-id": [ "c9e03116-7edc-4439-a2f3-3607712eccc3" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074519Z:c9e03116-7edc-4439-a2f3-3607712eccc3" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:07:56 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: 44D1927802B943F393FEF1FA81522D8C Ref B: AMS231020512027 Ref C: 2026-03-25T07:45:19Z" ], + "Date": [ "Wed, 25 Mar 2026 07:45:19 GMT" ] }, "ContentHeaders": { "Content-Length": [ "610" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/257e1543-c5bf-47a0-a346-35a29c8a0d71/actions/9c045509-e461-450d-bf07-d550536d3d95\",\"name\":\"9c045509-e461-450d-bf07-d550536d3d95\",\"type\":\"Microsoft.SecurityInsights/alertRules/actions\",\"properties\":{\"workflowId\":\"eb03b1bc818942e0a642c05aeef2614b\",\"logicAppResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.Logic/workflows/Block-AADUser-Alert\"}}", + "Content": "{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/alertRules/b8a12f56-c73c-4650-a18f-76c331764148/actions/2acd3d9d-f30c-4b07-88af-821fa8edbad4\",\"name\":\"2acd3d9d-f30c-4b07-88af-821fa8edbad4\",\"type\":\"Microsoft.SecurityInsights/alertRules/actions\",\"properties\":{\"workflowId\":\"fdce5d8d4e914b7b99bd10b290075cc2\",\"logicAppResourceId\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.Logic/workflows/Block-AADUser-Alert\"}}", "isContentBase64": false } } diff --git a/src/SecurityInsights/SecurityInsights.Autorest/test/New-AzSentinelAutomationRule.Recording.json b/src/SecurityInsights/SecurityInsights.Autorest/test/New-AzSentinelAutomationRule.Recording.json index ec0933cd59b5..214ecdd086cf 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/test/New-AzSentinelAutomationRule.Recording.json +++ b/src/SecurityInsights/SecurityInsights.Autorest/test/New-AzSentinelAutomationRule.Recording.json @@ -1,15 +1,15 @@ { - "New-AzSentinelAutomationRule+[NoContext]+CreateExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/automationRules/a46bcfa9-0dd0-4856-8b10-10ec6bb12920?api-version=2021-09-01-preview+1": { + "New-AzSentinelAutomationRule+[NoContext]+CreateExpanded+$PUT+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/automationRules/efd77672-4626-48fa-8d7b-b0e260443740?api-version=2021-09-01-preview+1": { "Request": { "Method": "PUT", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/automationRules/a46bcfa9-0dd0-4856-8b10-10ec6bb12920?api-version=2021-09-01-preview", - "Content": "{\n \"properties\": {\n \"triggeringLogic\": {\n \"isEnabled\": true,\n \"triggersOn\": \"Incidents\",\n \"triggersWhen\": \"Created\"\n },\n \"displayName\": \"NewAutomationRuleaf2x1t\",\n \"order\": 2,\n \"actions\": [\n {\n \"order\": 1,\n \"actionType\": \"RunPlaybook\",\n \"actionConfiguration\": {\n \"logicAppResourceId\": \"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.Logic/workflows/Block-AADUser-Incident\",\n \"tenantId\": \"d6eebbdd-d77c-465e-b008-4339027b4006\"\n }\n }\n ]\n }\n}", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/automationRules/efd77672-4626-48fa-8d7b-b0e260443740?api-version=2021-09-01-preview", + "Content": "{\r\n \"properties\": {\r\n \"triggeringLogic\": {\r\n \"isEnabled\": true,\r\n \"triggersOn\": \"Incidents\",\r\n \"triggersWhen\": \"Created\"\r\n },\r\n \"displayName\": \"NewAutomationRulehtax8v\",\r\n \"order\": 2,\r\n \"actions\": [\r\n {\r\n \"order\": 1,\r\n \"actionType\": \"RunPlaybook\",\r\n \"actionConfiguration\": {\r\n \"logicAppResourceId\": \"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.Logic/workflows/Block-AADUser-Incident\",\r\n \"tenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n }\r\n ]\r\n }\r\n}", "isContentBase64": false, "Headers": { }, "ContentHeaders": { "Content-Type": [ "application/json" ], - "Content-Length": [ "585" ] + "Content-Length": [ "605" ] } }, "Response": { @@ -17,21 +17,23 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-resource-requests": [ "499" ], - "x-ms-request-id": [ "ef63a64c-65b7-4c2d-a51a-a727cdea42be" ], - "x-ms-correlation-request-id": [ "ef63a64c-65b7-4c2d-a51a-a727cdea42be" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160759Z:ef63a64c-65b7-4c2d-a51a-a727cdea42be" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/373367a3-4791-4ca8-b486-5a56b8fea2b1" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "799" ], + "x-ms-request-id": [ "5b82cd9a-4a58-4eda-a20a-fe08024cffd8" ], + "x-ms-correlation-request-id": [ "5b82cd9a-4a58-4eda-a20a-fe08024cffd8" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074522Z:5b82cd9a-4a58-4eda-a20a-fe08024cffd8" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:07:58 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: A05C29C9F4AD48D2AF9771A4DDF293C3 Ref B: AMS231020512027 Ref C: 2026-03-25T07:45:20Z" ], + "Date": [ "Wed, 25 Mar 2026 07:45:21 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "1286" ], + "Content-Length": [ "1272" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AutomationRules/a46bcfa9-0dd0-4856-8b10-10ec6bb12920\",\"name\":\"a46bcfa9-0dd0-4856-8b10-10ec6bb12920\",\"etag\":\"\\\"26002a5c-0000-0100-0000-62fbc0df0000\\\"\",\"type\":\"Microsoft.SecurityInsights/AutomationRules\",\"properties\":{\"displayName\":\"NewAutomationRuleaf2x1t\",\"order\":2,\"triggeringLogic\":{\"isEnabled\":true,\"triggersOn\":\"Incidents\",\"triggersWhen\":\"Created\",\"conditions\":[]},\"actions\":[{\"order\":1,\"actionType\":\"RunPlaybook\",\"actionConfiguration\":{\"logicAppResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.Logic/workflows/Block-AADUser-Incident\",\"tenantId\":\"d6eebbdd-d77c-465e-b008-4339027b4006\"}}],\"lastModifiedTimeUtc\":\"2022-08-16T16:07:59Z\",\"createdTimeUtc\":\"2022-08-16T16:07:59Z\",\"lastModifiedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"nicholas@zeronetworks.com\"},\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"nicholas@zeronetworks.com\"}}}", + "Content": "{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AutomationRules/efd77672-4626-48fa-8d7b-b0e260443740\",\"name\":\"efd77672-4626-48fa-8d7b-b0e260443740\",\"etag\":\"\\\"1600633d-0000-0100-0000-69c392910000\\\"\",\"type\":\"Microsoft.SecurityInsights/AutomationRules\",\"properties\":{\"displayName\":\"NewAutomationRulehtax8v\",\"order\":2,\"triggeringLogic\":{\"isEnabled\":true,\"triggersOn\":\"Incidents\",\"triggersWhen\":\"Created\",\"conditions\":[]},\"actions\":[{\"order\":1,\"actionType\":\"RunPlaybook\",\"actionConfiguration\":{\"logicAppResourceId\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.Logic/workflows/Block-AADUser-Incident\",\"tenantId\":\"72f988bf-86f1-41af-91ab-2d7cd011db47\"}}],\"lastModifiedTimeUtc\":\"2026-03-25T07:45:21Z\",\"createdTimeUtc\":\"2026-03-25T07:45:21Z\",\"lastModifiedBy\":{\"objectId\":\"6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb\",\"email\":\"t-helezra@microsoft.com\",\"name\":\"Hadas Elezra\",\"userPrincipalName\":\"t-helezra@microsoft.com\"},\"createdBy\":{\"objectId\":\"6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb\",\"email\":\"t-helezra@microsoft.com\",\"name\":\"Hadas Elezra\",\"userPrincipalName\":\"t-helezra@microsoft.com\"}}}", "isContentBase64": false } } diff --git a/src/SecurityInsights/SecurityInsights.Autorest/test/New-AzSentinelBookmark.Recording.json b/src/SecurityInsights/SecurityInsights.Autorest/test/New-AzSentinelBookmark.Recording.json index 6f4b430825c2..1619753f79d9 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/test/New-AzSentinelBookmark.Recording.json +++ b/src/SecurityInsights/SecurityInsights.Autorest/test/New-AzSentinelBookmark.Recording.json @@ -1,15 +1,15 @@ { - "New-AzSentinelBookmark+[NoContext]+CreateExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/bookmarks/fa86b82d-4392-4288-846a-5d886fb4edce?api-version=2021-09-01-preview+1": { + "New-AzSentinelBookmark+[NoContext]+CreateExpanded+$PUT+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/bookmarks/9d255940-5211-4484-9fe6-7c750f10d111?api-version=2021-09-01-preview+1": { "Request": { "Method": "PUT", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/bookmarks/fa86b82d-4392-4288-846a-5d886fb4edce?api-version=2021-09-01-preview", - "Content": "{\n \"properties\": {\n \"displayName\": \"Newbookmarkq1l5sv\",\n \"query\": \"SecurityEvent | take 1\",\n \"eventTime\": \"2022-08-16T16:07:59.7884184Z\",\n \"queryStartTime\": \"2022-08-15T16:07:59.7881515Z\",\n \"queryEndTime\": \"2022-08-16T16:07:59.7883120Z\"\n }\n}", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/bookmarks/9d255940-5211-4484-9fe6-7c750f10d111?api-version=2021-09-01-preview", + "Content": "{\r\n \"properties\": {\r\n \"displayName\": \"Newbookmark5dsb9l\",\r\n \"query\": \"SecurityEvent | take 1\",\r\n \"eventTime\": \"2026-03-25T07:45:21.7928930Z\",\r\n \"queryStartTime\": \"2026-03-24T07:45:21.7927991Z\",\r\n \"queryEndTime\": \"2026-03-25T07:45:21.7928805Z\"\r\n }\r\n}", "isContentBase64": false, "Headers": { }, "ContentHeaders": { "Content-Type": [ "application/json" ], - "Content-Length": [ "258" ] + "Content-Length": [ "266" ] } }, "Response": { @@ -17,21 +17,25 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-writes": [ "1197" ], - "x-ms-request-id": [ "699e1226-1b61-4b72-891b-924e4c1d5230" ], - "x-ms-correlation-request-id": [ "699e1226-1b61-4b72-891b-924e4c1d5230" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160759Z:699e1226-1b61-4b72-891b-924e4c1d5230" ], + "Vary": [ "Accept-Encoding" ], + "x-ms-ratelimit-remaining-subscription-writes": [ "799" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/ad22d93f-fe07-4106-82db-b962cb424a2d" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-ratelimit-remaining-subscription-global-writes": [ "11999" ], + "x-ms-request-id": [ "6d812520-f7bd-4997-8638-2b18a2578079" ], + "x-ms-correlation-request-id": [ "6d812520-f7bd-4997-8638-2b18a2578079" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074523Z:6d812520-f7bd-4997-8638-2b18a2578079" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:07:59 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: 6B4511F927A1445EBB681C0DAC6F8163 Ref B: AMS231020512027 Ref C: 2026-03-25T07:45:22Z" ], + "Date": [ "Wed, 25 Mar 2026 07:45:22 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "1044" ], + "Content-Length": [ "1034" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Bookmarks/fa86b82d-4392-4288-846a-5d886fb4edce\",\"name\":\"fa86b82d-4392-4288-846a-5d886fb4edce\",\"etag\":\"\\\"3c00b18c-0000-0100-0000-62fbc0df0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"Newbookmarkq1l5sv\",\"created\":\"2022-08-16T16:07:59.9624975+00:00\",\"updated\":\"2022-08-16T16:07:59+00:00\",\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2022-08-16T16:07:59.7884184+00:00\",\"labels\":[],\"query\":\"SecurityEvent | take 1\",\"queryStartTime\":\"2022-08-15T16:07:59.7881515+00:00\",\"queryEndTime\":\"2022-08-16T16:07:59.788312+00:00\",\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}}", + "Content": "{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Bookmarks/9d255940-5211-4484-9fe6-7c750f10d111\",\"name\":\"9d255940-5211-4484-9fe6-7c750f10d111\",\"etag\":\"\\\"3c009cb1-0000-0100-0000-69c392930000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"Newbookmark5dsb9l\",\"created\":\"2026-03-25T07:45:23.1319549+00:00\",\"updated\":\"2026-03-25T07:45:23+00:00\",\"createdBy\":{\"objectId\":\"6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb\",\"email\":\"t-helezra@microsoft.com\",\"name\":\"Hadas Elezra\"},\"updatedBy\":{\"objectId\":\"6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb\",\"email\":\"t-helezra@microsoft.com\",\"name\":\"Hadas Elezra\"},\"eventTime\":\"2026-03-25T07:45:21.792893+00:00\",\"labels\":[],\"query\":\"SecurityEvent | take 1\",\"queryStartTime\":\"2026-03-24T07:45:21.7927991+00:00\",\"queryEndTime\":\"2026-03-25T07:45:21.7928805+00:00\",\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}}", "isContentBase64": false } } diff --git a/src/SecurityInsights/SecurityInsights.Autorest/test/New-AzSentinelBookmarkRelation.Recording.json b/src/SecurityInsights/SecurityInsights.Autorest/test/New-AzSentinelBookmarkRelation.Recording.json index 2d92d9a182a0..e26c07b3f06d 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/test/New-AzSentinelBookmarkRelation.Recording.json +++ b/src/SecurityInsights/SecurityInsights.Autorest/test/New-AzSentinelBookmarkRelation.Recording.json @@ -1,15 +1,15 @@ { - "New-AzSentinelBookmarkRelation+[NoContext]+CreateExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/bookmarks/d264025f-7598-40f3-8b21-a78f07d46056?api-version=2021-09-01-preview+1": { + "New-AzSentinelBookmarkRelation+[NoContext]+CreateExpanded+$PUT+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/bookmarks/07f5b7c6-84d9-4c37-a592-ab84c153d2a1?api-version=2021-09-01-preview+1": { "Request": { "Method": "PUT", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/bookmarks/d264025f-7598-40f3-8b21-a78f07d46056?api-version=2021-09-01-preview", - "Content": "{\n \"properties\": {\n \"displayName\": \"NewbookmarkRelationBookmarkNameo9bngs\",\n \"query\": \"SecurityEvent\\\\n| take 1\",\n \"eventTime\": \"2022-08-16T16:08:00.5011008Z\",\n \"queryStartTime\": \"2022-08-15T16:08:00.5008418Z\",\n \"queryEndTime\": \"2022-08-16T16:08:00.5009934Z\"\n }\n}", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/bookmarks/07f5b7c6-84d9-4c37-a592-ab84c153d2a1?api-version=2021-09-01-preview", + "Content": "{\r\n \"properties\": {\r\n \"displayName\": \"NewbookmarkRelationBookmarkNameonq6pw\",\r\n \"query\": \"SecurityEvent\\\\n| take 1\",\r\n \"eventTime\": \"2026-03-25T07:45:23.0078286Z\",\r\n \"queryStartTime\": \"2026-03-24T07:45:23.0077358Z\",\r\n \"queryEndTime\": \"2026-03-25T07:45:23.0078154Z\"\r\n }\r\n}", "isContentBase64": false, "Headers": { }, "ContentHeaders": { "Content-Type": [ "application/json" ], - "Content-Length": [ "280" ] + "Content-Length": [ "288" ] } }, "Response": { @@ -17,35 +17,39 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-writes": [ "1196" ], - "x-ms-request-id": [ "381df517-5538-4a9f-983d-de8fcc21b3c5" ], - "x-ms-correlation-request-id": [ "381df517-5538-4a9f-983d-de8fcc21b3c5" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160800Z:381df517-5538-4a9f-983d-de8fcc21b3c5" ], + "Vary": [ "Accept-Encoding" ], + "x-ms-ratelimit-remaining-subscription-writes": [ "799" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/213c2f63-31ec-4d9b-a459-2864f6bc20c1" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-ratelimit-remaining-subscription-global-writes": [ "11999" ], + "x-ms-request-id": [ "f61e57c0-71b3-4f57-ac40-781be259d047" ], + "x-ms-correlation-request-id": [ "f61e57c0-71b3-4f57-ac40-781be259d047" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074524Z:f61e57c0-71b3-4f57-ac40-781be259d047" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:08:00 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: 9695A6AE05A44118BC5F0BB42FDD84F5 Ref B: AMS231020512027 Ref C: 2026-03-25T07:45:24Z" ], + "Date": [ "Wed, 25 Mar 2026 07:45:23 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "1067" ], + "Content-Length": [ "1057" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Bookmarks/d264025f-7598-40f3-8b21-a78f07d46056\",\"name\":\"d264025f-7598-40f3-8b21-a78f07d46056\",\"etag\":\"\\\"3c00b28c-0000-0100-0000-62fbc0e00000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"NewbookmarkRelationBookmarkNameo9bngs\",\"created\":\"2022-08-16T16:08:00.6638743+00:00\",\"updated\":\"2022-08-16T16:08:00+00:00\",\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2022-08-16T16:08:00.5011008+00:00\",\"labels\":[],\"query\":\"SecurityEvent\\\\n| take 1\",\"queryStartTime\":\"2022-08-15T16:08:00.5008418+00:00\",\"queryEndTime\":\"2022-08-16T16:08:00.5009934+00:00\",\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}}", + "Content": "{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Bookmarks/07f5b7c6-84d9-4c37-a592-ab84c153d2a1\",\"name\":\"07f5b7c6-84d9-4c37-a592-ab84c153d2a1\",\"etag\":\"\\\"3c00d3b1-0000-0100-0000-69c392940000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"NewbookmarkRelationBookmarkNameonq6pw\",\"created\":\"2026-03-25T07:45:24.3681993+00:00\",\"updated\":\"2026-03-25T07:45:24+00:00\",\"createdBy\":{\"objectId\":\"6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb\",\"email\":\"t-helezra@microsoft.com\",\"name\":\"Hadas Elezra\"},\"updatedBy\":{\"objectId\":\"6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb\",\"email\":\"t-helezra@microsoft.com\",\"name\":\"Hadas Elezra\"},\"eventTime\":\"2026-03-25T07:45:23.0078286+00:00\",\"labels\":[],\"query\":\"SecurityEvent\\\\n| take 1\",\"queryStartTime\":\"2026-03-24T07:45:23.0077358+00:00\",\"queryEndTime\":\"2026-03-25T07:45:23.0078154+00:00\",\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}}", "isContentBase64": false } }, - "New-AzSentinelBookmarkRelation+[NoContext]+CreateExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/b9e4ef3a-221a-49dc-98d8-9bdf1faf8a4f?api-version=2021-09-01-preview+2": { + "New-AzSentinelBookmarkRelation+[NoContext]+CreateExpanded+$PUT+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/incidents/59d28eeb-8f1e-4841-9e69-86654e548e74?api-version=2021-09-01-preview+2": { "Request": { "Method": "PUT", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/b9e4ef3a-221a-49dc-98d8-9bdf1faf8a4f?api-version=2021-09-01-preview", - "Content": "{\n \"properties\": {\n \"severity\": \"Informational\",\n \"status\": \"New\",\n \"title\": \"NewbookmarkRelationIncidentName49uk0b\"\n }\n}", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/incidents/59d28eeb-8f1e-4841-9e69-86654e548e74?api-version=2021-09-01-preview", + "Content": "{\r\n \"properties\": {\r\n \"severity\": \"Informational\",\r\n \"status\": \"New\",\r\n \"title\": \"NewbookmarkRelationIncidentName1iu8hf\"\r\n }\r\n}", "isContentBase64": false, "Headers": { }, "ContentHeaders": { "Content-Type": [ "application/json" ], - "Content-Length": [ "132" ] + "Content-Length": [ "138" ] } }, "Response": { @@ -53,35 +57,37 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-resource-requests": [ "499" ], - "x-ms-request-id": [ "c4e19eb5-4e05-4132-8041-390377e2f46c" ], - "x-ms-correlation-request-id": [ "c4e19eb5-4e05-4132-8041-390377e2f46c" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160800Z:c4e19eb5-4e05-4132-8041-390377e2f46c" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/f2fdc57c-3092-44d7-ae73-1fad1021bd35" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "799" ], + "x-ms-request-id": [ "526a01ef-f27e-4979-8106-35fb6cad80d3" ], + "x-ms-correlation-request-id": [ "526a01ef-f27e-4979-8106-35fb6cad80d3" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074525Z:526a01ef-f27e-4979-8106-35fb6cad80d3" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:08:00 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: 6100CC4E763248A5AAABB017057DD692 Ref B: AMS231020512027 Ref C: 2026-03-25T07:45:24Z" ], + "Date": [ "Wed, 25 Mar 2026 07:45:24 GMT" ] }, "ContentHeaders": { "Content-Length": [ "1233" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/b9e4ef3a-221a-49dc-98d8-9bdf1faf8a4f\",\"name\":\"b9e4ef3a-221a-49dc-98d8-9bdf1faf8a4f\",\"etag\":\"\\\"4a00a452-0000-0100-0000-62fbc0e00000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"NewbookmarkRelationIncidentName49uk0b\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-08-16T16:08:00.9081792Z\",\"createdTimeUtc\":\"2022-08-16T16:08:00.9081792Z\",\"incidentNumber\":22,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/b9e4ef3a-221a-49dc-98d8-9bdf1faf8a4f\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"22\"}}", + "Content": "{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/59d28eeb-8f1e-4841-9e69-86654e548e74\",\"name\":\"59d28eeb-8f1e-4841-9e69-86654e548e74\",\"etag\":\"\\\"2f00a19b-0000-0100-0000-69c392950000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"NewbookmarkRelationIncidentName1iu8hf\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2026-03-25T07:45:25.0355107Z\",\"createdTimeUtc\":\"2026-03-25T07:45:25.0355107Z\",\"incidentNumber\":22,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/59d28eeb-8f1e-4841-9e69-86654e548e74\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"22\"}}", "isContentBase64": false } }, - "New-AzSentinelBookmarkRelation+[NoContext]+CreateExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/bookmarks/d264025f-7598-40f3-8b21-a78f07d46056/relations/f26c73a8-917d-4364-842e-8de0d3e9153b?api-version=2021-09-01-preview+3": { + "New-AzSentinelBookmarkRelation+[NoContext]+CreateExpanded+$PUT+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/bookmarks/07f5b7c6-84d9-4c37-a592-ab84c153d2a1/relations/f47459d1-5c8a-4810-b394-9f24596dbfe8?api-version=2021-09-01-preview+3": { "Request": { "Method": "PUT", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/bookmarks/d264025f-7598-40f3-8b21-a78f07d46056/relations/f26c73a8-917d-4364-842e-8de0d3e9153b?api-version=2021-09-01-preview", - "Content": "{\n \"properties\": {\n \"relatedResourceId\": \"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/b9e4ef3a-221a-49dc-98d8-9bdf1faf8a4f\"\n }\n}", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/bookmarks/07f5b7c6-84d9-4c37-a592-ab84c153d2a1/relations/f47459d1-5c8a-4810-b394-9f24596dbfe8?api-version=2021-09-01-preview", + "Content": "{\r\n \"properties\": {\r\n \"relatedResourceId\": \"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/59d28eeb-8f1e-4841-9e69-86654e548e74\"\r\n }\r\n}", "isContentBase64": false, "Headers": { }, "ContentHeaders": { "Content-Type": [ "application/json" ], - "Content-Length": [ "283" ] + "Content-Length": [ "287" ] } }, "Response": { @@ -89,21 +95,25 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-writes": [ "1195" ], - "x-ms-request-id": [ "6b499681-301d-43d4-b4b7-2b6e301ce95f" ], - "x-ms-correlation-request-id": [ "6b499681-301d-43d4-b4b7-2b6e301ce95f" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160801Z:6b499681-301d-43d4-b4b7-2b6e301ce95f" ], + "Vary": [ "Accept-Encoding" ], + "x-ms-ratelimit-remaining-subscription-writes": [ "799" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/075335e5-cf01-4ddf-b37e-66fc22269ffc" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-ratelimit-remaining-subscription-global-writes": [ "11999" ], + "x-ms-request-id": [ "13d0faed-bc66-4175-a0c6-e05c3d9db3d3" ], + "x-ms-correlation-request-id": [ "13d0faed-bc66-4175-a0c6-e05c3d9db3d3" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074526Z:13d0faed-bc66-4175-a0c6-e05c3d9db3d3" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:08:00 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: A1D73E8D8D974D73B192687D130AD8A5 Ref B: AMS231020512027 Ref C: 2026-03-25T07:45:25Z" ], + "Date": [ "Wed, 25 Mar 2026 07:45:25 GMT" ] }, "ContentHeaders": { "Content-Length": [ "828" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Bookmarks/d264025f-7598-40f3-8b21-a78f07d46056/relations/f26c73a8-917d-4364-842e-8de0d3e9153b\",\"name\":\"f26c73a8-917d-4364-842e-8de0d3e9153b\",\"etag\":\"\\\"3c00b38c-0000-0100-0000-62fbc0e10000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks/relations\",\"properties\":{\"relatedResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/b9e4ef3a-221a-49dc-98d8-9bdf1faf8a4f\",\"relatedResourceName\":\"b9e4ef3a-221a-49dc-98d8-9bdf1faf8a4f\",\"relatedResourceType\":\"Microsoft.SecurityInsights/Incidents\"}}", + "Content": "{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Bookmarks/07f5b7c6-84d9-4c37-a592-ab84c153d2a1/relations/f47459d1-5c8a-4810-b394-9f24596dbfe8\",\"name\":\"f47459d1-5c8a-4810-b394-9f24596dbfe8\",\"etag\":\"\\\"3c0010b2-0000-0100-0000-69c392960000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks/relations\",\"properties\":{\"relatedResourceId\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/59d28eeb-8f1e-4841-9e69-86654e548e74\",\"relatedResourceName\":\"59d28eeb-8f1e-4841-9e69-86654e548e74\",\"relatedResourceType\":\"Microsoft.SecurityInsights/Incidents\"}}", "isContentBase64": false } } diff --git a/src/SecurityInsights/SecurityInsights.Autorest/test/New-AzSentinelDataConnector.Recording.json b/src/SecurityInsights/SecurityInsights.Autorest/test/New-AzSentinelDataConnector.Recording.json index 51b352008abf..8806eaff5d60 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/test/New-AzSentinelDataConnector.Recording.json +++ b/src/SecurityInsights/SecurityInsights.Autorest/test/New-AzSentinelDataConnector.Recording.json @@ -1,15 +1,15 @@ { - "New-AzSentinelDataConnector+[NoContext]+CreateExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/dataConnectors/5fcca10d-4c38-42a7-b811-a33d367ef23f?api-version=2021-09-01-preview+1": { + "New-AzSentinelDataConnector+[NoContext]+CreateExpanded+$PUT+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/dataConnectors/c05dcef2-870f-4e2e-82e4-700b377c9cc5?api-version=2021-09-01-preview+1": { "Request": { "Method": "PUT", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/dataConnectors/5fcca10d-4c38-42a7-b811-a33d367ef23f?api-version=2021-09-01-preview", - "Content": "{\n \"kind\": \"MicrosoftThreatIntelligence\",\n \"properties\": {\n \"tenantId\": \"d6eebbdd-d77c-465e-b008-4339027b4006\",\n \"dataTypes\": {\n \"bingSafetyPhishingURL\": {\n \"state\": \"Enabled\",\n \"lookbackPeriod\": \"1970-01-01T00:00:00.000Z\"\n },\n \"microsoftEmergingThreatFeed\": {\n \"state\": \"Enabled\",\n \"lookbackPeriod\": \"1970-01-01T00:00:00.000Z\"\n }\n }\n }\n}", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/dataConnectors/c05dcef2-870f-4e2e-82e4-700b377c9cc5?api-version=2021-09-01-preview", + "Content": "{\r\n \"kind\": \"MicrosoftThreatIntelligence\",\r\n \"properties\": {\r\n \"tenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\",\r\n \"dataTypes\": {\r\n \"bingSafetyPhishingURL\": {\r\n \"state\": \"Enabled\",\r\n \"lookbackPeriod\": \"1970-01-01T00:00:00.000Z\"\r\n },\r\n \"microsoftEmergingThreatFeed\": {\r\n \"state\": \"Enabled\",\r\n \"lookbackPeriod\": \"1970-01-01T00:00:00.000Z\"\r\n }\r\n }\r\n }\r\n}", "isContentBase64": false, "Headers": { }, "ContentHeaders": { "Content-Type": [ "application/json" ], - "Content-Length": [ "398" ] + "Content-Length": [ "413" ] } }, "Response": { @@ -17,21 +17,23 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-resource-requests": [ "499" ], - "x-ms-request-id": [ "e69cbb16-8b5c-48cd-a25c-bd7b864943d3" ], - "x-ms-correlation-request-id": [ "e69cbb16-8b5c-48cd-a25c-bd7b864943d3" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160802Z:e69cbb16-8b5c-48cd-a25c-bd7b864943d3" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/16a4677e-929a-465b-bd89-2343a8a9ba1c" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "799" ], + "x-ms-request-id": [ "3e21bcfe-7d8b-49fb-aa50-1403bc7abb10" ], + "x-ms-correlation-request-id": [ "3e21bcfe-7d8b-49fb-aa50-1403bc7abb10" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074528Z:3e21bcfe-7d8b-49fb-aa50-1403bc7abb10" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:08:01 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: 18153F61E27A4D84A3D92DC0D865E063 Ref B: AMS231020512027 Ref C: 2026-03-25T07:45:27Z" ], + "Date": [ "Wed, 25 Mar 2026 07:45:28 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "675" ], + "Content-Length": [ "593" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/dataConnectors/5fcca10d-4c38-42a7-b811-a33d367ef23f\",\"name\":\"5fcca10d-4c38-42a7-b811-a33d367ef23f\",\"etag\":\"9a259b91-05b8-4378-a10c-38ece73d38f1\",\"type\":\"Microsoft.SecurityInsights/dataConnectors\",\"kind\":\"MicrosoftThreatIntelligence\",\"properties\":{\"dataTypes\":{\"bingSafetyPhishingURL\":{\"state\":\"enabled\",\"lookbackPeriod\":\"01/01/1970 00:00:00\"},\"microsoftEmergingThreatFeed\":{\"state\":\"enabled\",\"lookbackPeriod\":\"01/01/1970 00:00:00\"}},\"tenantId\":\"d6eebbdd-d77c-465e-b008-4339027b4006\"}}", + "Content": "{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/dataConnectors/c05dcef2-870f-4e2e-82e4-700b377c9cc5\",\"name\":\"c05dcef2-870f-4e2e-82e4-700b377c9cc5\",\"etag\":\"9700d6c2-0000-0500-0000-69c392980000\",\"type\":\"Microsoft.SecurityInsights/dataConnectors\",\"kind\":\"MicrosoftThreatIntelligence\",\"properties\":{\"dataTypes\":{\"microsoftEmergingThreatFeed\":{\"state\":\"enabled\",\"lookbackPeriod\":\"1970-01-01T00:00:00Z\"}},\"tenantId\":\"72f988bf-86f1-41af-91ab-2d7cd011db47\"}}", "isContentBase64": false } } diff --git a/src/SecurityInsights/SecurityInsights.Autorest/test/New-AzSentinelEntityQuery.Recording.json b/src/SecurityInsights/SecurityInsights.Autorest/test/New-AzSentinelEntityQuery.Recording.json index 409a8dd1f08d..20c5c5d59b24 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/test/New-AzSentinelEntityQuery.Recording.json +++ b/src/SecurityInsights/SecurityInsights.Autorest/test/New-AzSentinelEntityQuery.Recording.json @@ -1,15 +1,15 @@ { - "New-AzSentinelEntityQuery+[NoContext]+CreateExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/0e70df5c-6ced-4480-b336-bc8491f9cd33?api-version=2021-09-01-preview+1": { + "New-AzSentinelEntityQuery+[NoContext]+CreateExpanded+$PUT+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueries/5f3d0db2-ddba-432a-9dc4-9ac9d078d9f9?api-version=2021-09-01-preview+1": { "Request": { "Method": "PUT", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/0e70df5c-6ced-4480-b336-bc8491f9cd33?api-version=2021-09-01-preview", - "Content": "{\n \"kind\": \"Activity\",\n \"properties\": {\n \"queryDefinitions\": {\n \"query\": \"let UserConsentToApplication = (Account_Name:string, Account_UPNSuffix:string, Account_AadUserId:string){\\r\\n let account_upn = iff(Account_Name != \\\"\\\" and Account_UPNSuffix != \\\"\\\", strcat(Account_Name,\\\"@\\\",Account_UPNSuffix),\\\"\\\" );\\r\\n AuditLogs\\r\\n | where OperationName == \\\"Consent to application\\\"\\r\\n | extend Source_Account_UPNSuffix = tostring(todynamic(InitiatedBy) [\\\"user\\\"][\\\"userPrincipalName\\\"]), Source_Account_AadUserId = tostring(todynamic(InitiatedBy) [\\\"user\\\"][\\\"id\\\"])\\r\\n | where (account_upn != \\\"\\\" and account_upn =~ Source_Account_UPNSuffix) \\r\\n or (Account_AadUserId != \\\"\\\" and Account_AadUserId =~ Source_Account_AadUserId)\\r\\n | extend Target_CloudApplication_Name = tostring(todynamic(TargetResources)[0][\\\"displayName\\\"]), Target_CloudApplication_AppId = tostring(todynamic(TargetResources)[0][\\\"id\\\"])\\r\\n };\\r\\n UserConsentToApplication(\\u0027{{Account_Name}}\\u0027, \\u0027{{Account_UPNSuffix}}\\u0027, \\u0027{{Account_AadUserId}}\\u0027) \\r\\n | project Target_CloudApplication_AppId, Target_CloudApplication_Name, TimeGenerated\"\n },\n \"title\": \"The user consented to OAuth application\",\n \"content\": \"The user consented to the OAuth application named {{Target_CloudApplication_Name}} {{Count}} time(s)\",\n \"description\": \"This activity lists user\\u0027s consents to an OAuth applications.\",\n \"inputEntityType\": \"Account\"\n }\n}", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueries/5f3d0db2-ddba-432a-9dc4-9ac9d078d9f9?api-version=2021-09-01-preview", + "Content": "{\r\n \"kind\": \"Activity\",\r\n \"properties\": {\r\n \"queryDefinitions\": {\r\n \"query\": \"let UserConsentToApplication = (Account_Name:string, Account_UPNSuffix:string, Account_AadUserId:string){\\r\\n let account_upn = iff(Account_Name != \\\"\\\" and Account_UPNSuffix != \\\"\\\", strcat(Account_Name,\\\"@\\\",Account_UPNSuffix),\\\"\\\" );\\r\\n AuditLogs\\r\\n | where OperationName == \\\"Consent to application\\\"\\r\\n | extend Source_Account_UPNSuffix = tostring(todynamic(InitiatedBy) [\\\"user\\\"][\\\"userPrincipalName\\\"]), Source_Account_AadUserId = tostring(todynamic(InitiatedBy) [\\\"user\\\"][\\\"id\\\"])\\r\\n | where (account_upn != \\\"\\\" and account_upn =~ Source_Account_UPNSuffix) \\r\\n or (Account_AadUserId != \\\"\\\" and Account_AadUserId =~ Source_Account_AadUserId)\\r\\n | extend Target_CloudApplication_Name = tostring(todynamic(TargetResources)[0][\\\"displayName\\\"]), Target_CloudApplication_AppId = tostring(todynamic(TargetResources)[0][\\\"id\\\"])\\r\\n };\\r\\n UserConsentToApplication(\\u0027{{Account_Name}}\\u0027, \\u0027{{Account_UPNSuffix}}\\u0027, \\u0027{{Account_AadUserId}}\\u0027) \\r\\n | project Target_CloudApplication_AppId, Target_CloudApplication_Name, TimeGenerated\"\r\n },\r\n \"title\": \"The user consented to OAuth application\",\r\n \"content\": \"The user consented to the OAuth application named {{Target_CloudApplication_Name}} {{Count}} time(s)\",\r\n \"description\": \"This activity lists user\\u0027s consents to an OAuth applications.\",\r\n \"inputEntityType\": \"Account\"\r\n }\r\n}", "isContentBase64": false, "Headers": { }, "ContentHeaders": { "Content-Type": [ "application/json" ], - "Content-Length": [ "1571" ] + "Content-Length": [ "1582" ] } }, "Response": { @@ -17,21 +17,24 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-writes": [ "1194" ], - "x-ms-request-id": [ "4edc69b0-fe10-48dd-a514-dcaa8d620bc0" ], - "x-ms-correlation-request-id": [ "4edc69b0-fe10-48dd-a514-dcaa8d620bc0" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160804Z:4edc69b0-fe10-48dd-a514-dcaa8d620bc0" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/868696cf-c8d3-459c-afe8-132afa39639d" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-ratelimit-remaining-subscription-writes": [ "798" ], + "x-ms-ratelimit-remaining-subscription-global-writes": [ "11998" ], + "x-ms-request-id": [ "a3cd97a2-d563-4798-b9bc-4f86e7184bdd" ], + "x-ms-correlation-request-id": [ "a3cd97a2-d563-4798-b9bc-4f86e7184bdd" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074531Z:a3cd97a2-d563-4798-b9bc-4f86e7184bdd" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:08:03 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: 805C0EB1E9AA43DA895CB87EF3C5420E Ref B: AMS231020512027 Ref C: 2026-03-25T07:45:29Z" ], + "Date": [ "Wed, 25 Mar 2026 07:45:31 GMT" ] }, "ContentHeaders": { "Content-Length": [ "2034" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/0e70df5c-6ced-4480-b336-bc8491f9cd33\",\"name\":\"0e70df5c-6ced-4480-b336-bc8491f9cd33\",\"etag\":\"\\\"0c007c13-0000-0100-0000-62fbc0e40000\\\"\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user consented to OAuth application\",\"content\":\"The user consented to the OAuth application named {{Target_CloudApplication_Name}} {{Count}} time(s)\",\"description\":\"This activity lists user\u0027s consents to an OAuth applications.\",\"queryDefinitions\":{\"query\":\"let UserConsentToApplication = (Account_Name:string, Account_UPNSuffix:string, Account_AadUserId:string){\\r\\n let account_upn = iff(Account_Name != \\\"\\\" and Account_UPNSuffix != \\\"\\\", strcat(Account_Name,\\\"@\\\",Account_UPNSuffix),\\\"\\\" );\\r\\n AuditLogs\\r\\n | where OperationName == \\\"Consent to application\\\"\\r\\n | extend Source_Account_UPNSuffix = tostring(todynamic(InitiatedBy) [\\\"user\\\"][\\\"userPrincipalName\\\"]), Source_Account_AadUserId = tostring(todynamic(InitiatedBy) [\\\"user\\\"][\\\"id\\\"])\\r\\n | where (account_upn != \\\"\\\" and account_upn =~ Source_Account_UPNSuffix) \\r\\n or (Account_AadUserId != \\\"\\\" and Account_AadUserId =~ Source_Account_AadUserId)\\r\\n | extend Target_CloudApplication_Name = tostring(todynamic(TargetResources)[0][\\\"displayName\\\"]), Target_CloudApplication_AppId = tostring(todynamic(TargetResources)[0][\\\"id\\\"])\\r\\n };\\r\\n UserConsentToApplication(\u0027{{Account_Name}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_AadUserId}}\u0027) \\r\\n | project Target_CloudApplication_AppId, Target_CloudApplication_Name, TimeGenerated\"},\"requiredInputFieldsSets\":[],\"entitiesFilter\":{},\"enabled\":true,\"createdTimeUtc\":\"2022-08-16T16:08:04.5255986Z\",\"lastModifiedTimeUtc\":\"2022-08-16T16:08:04.5255986Z\",\"inputEntityType\":\"Account\"}}", + "Content": "{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueries/5f3d0db2-ddba-432a-9dc4-9ac9d078d9f9\",\"name\":\"5f3d0db2-ddba-432a-9dc4-9ac9d078d9f9\",\"etag\":\"\\\"0d00e70c-0000-0100-0000-69c3929b0000\\\"\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user consented to OAuth application\",\"content\":\"The user consented to the OAuth application named {{Target_CloudApplication_Name}} {{Count}} time(s)\",\"description\":\"This activity lists user\u0027s consents to an OAuth applications.\",\"queryDefinitions\":{\"query\":\"let UserConsentToApplication = (Account_Name:string, Account_UPNSuffix:string, Account_AadUserId:string){\\r\\n let account_upn = iff(Account_Name != \\\"\\\" and Account_UPNSuffix != \\\"\\\", strcat(Account_Name,\\\"@\\\",Account_UPNSuffix),\\\"\\\" );\\r\\n AuditLogs\\r\\n | where OperationName == \\\"Consent to application\\\"\\r\\n | extend Source_Account_UPNSuffix = tostring(todynamic(InitiatedBy) [\\\"user\\\"][\\\"userPrincipalName\\\"]), Source_Account_AadUserId = tostring(todynamic(InitiatedBy) [\\\"user\\\"][\\\"id\\\"])\\r\\n | where (account_upn != \\\"\\\" and account_upn =~ Source_Account_UPNSuffix) \\r\\n or (Account_AadUserId != \\\"\\\" and Account_AadUserId =~ Source_Account_AadUserId)\\r\\n | extend Target_CloudApplication_Name = tostring(todynamic(TargetResources)[0][\\\"displayName\\\"]), Target_CloudApplication_AppId = tostring(todynamic(TargetResources)[0][\\\"id\\\"])\\r\\n };\\r\\n UserConsentToApplication(\u0027{{Account_Name}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_AadUserId}}\u0027) \\r\\n | project Target_CloudApplication_AppId, Target_CloudApplication_Name, TimeGenerated\"},\"requiredInputFieldsSets\":[],\"entitiesFilter\":{},\"enabled\":true,\"createdTimeUtc\":\"2026-03-25T07:45:31.5549058Z\",\"lastModifiedTimeUtc\":\"2026-03-25T07:45:31.5549058Z\",\"inputEntityType\":\"Account\"}}", "isContentBase64": false } } diff --git a/src/SecurityInsights/SecurityInsights.Autorest/test/New-AzSentinelIncident.Recording.json b/src/SecurityInsights/SecurityInsights.Autorest/test/New-AzSentinelIncident.Recording.json index 2d4522f7e44a..fe1f88b788fc 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/test/New-AzSentinelIncident.Recording.json +++ b/src/SecurityInsights/SecurityInsights.Autorest/test/New-AzSentinelIncident.Recording.json @@ -1,15 +1,15 @@ { - "New-AzSentinelIncident+[NoContext]+CreateExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/3eb00428-aed8-405a-a24b-b665c65173a1?api-version=2021-09-01-preview+1": { + "New-AzSentinelIncident+[NoContext]+CreateExpanded+$PUT+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/incidents/00e9d3c0-f5d7-4ad1-95cc-a0c481ce6e17?api-version=2021-09-01-preview+1": { "Request": { "Method": "PUT", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/3eb00428-aed8-405a-a24b-b665c65173a1?api-version=2021-09-01-preview", - "Content": "{\n \"properties\": {\n \"severity\": \"Informational\",\n \"status\": \"New\",\n \"title\": \"Newincidentx3os45\"\n }\n}", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/incidents/00e9d3c0-f5d7-4ad1-95cc-a0c481ce6e17?api-version=2021-09-01-preview", + "Content": "{\r\n \"properties\": {\r\n \"severity\": \"Informational\",\r\n \"status\": \"New\",\r\n \"title\": \"Newincidentpgsxh2\"\r\n }\r\n}", "isContentBase64": false, "Headers": { }, "ContentHeaders": { "Content-Type": [ "application/json" ], - "Content-Length": [ "112" ] + "Content-Length": [ "118" ] } }, "Response": { @@ -17,21 +17,23 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-resource-requests": [ "498" ], - "x-ms-request-id": [ "936998bd-2bda-40c1-a2fc-621b0d49091d" ], - "x-ms-correlation-request-id": [ "936998bd-2bda-40c1-a2fc-621b0d49091d" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160805Z:936998bd-2bda-40c1-a2fc-621b0d49091d" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/e740f8cc-807c-4a80-9d2f-c677027290b9" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "799" ], + "x-ms-request-id": [ "4c3d709d-e8d0-4d7e-8b82-8ffad00465d5" ], + "x-ms-correlation-request-id": [ "4c3d709d-e8d0-4d7e-8b82-8ffad00465d5" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074532Z:4c3d709d-e8d0-4d7e-8b82-8ffad00465d5" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:08:04 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: DA5F0519C8144D4BB1F329721F4733F7 Ref B: AMS231020512027 Ref C: 2026-03-25T07:45:32Z" ], + "Date": [ "Wed, 25 Mar 2026 07:45:32 GMT" ] }, "ContentHeaders": { "Content-Length": [ "1213" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/3eb00428-aed8-405a-a24b-b665c65173a1\",\"name\":\"3eb00428-aed8-405a-a24b-b665c65173a1\",\"etag\":\"\\\"4a00a752-0000-0100-0000-62fbc0e50000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"Newincidentx3os45\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-08-16T16:08:05.3571622Z\",\"createdTimeUtc\":\"2022-08-16T16:08:05.3571622Z\",\"incidentNumber\":23,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/3eb00428-aed8-405a-a24b-b665c65173a1\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"23\"}}", + "Content": "{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/00e9d3c0-f5d7-4ad1-95cc-a0c481ce6e17\",\"name\":\"00e9d3c0-f5d7-4ad1-95cc-a0c481ce6e17\",\"etag\":\"\\\"2f00d49c-0000-0100-0000-69c3929c0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"Newincidentpgsxh2\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2026-03-25T07:45:32.8870612Z\",\"createdTimeUtc\":\"2026-03-25T07:45:32.8870612Z\",\"incidentNumber\":23,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/00e9d3c0-f5d7-4ad1-95cc-a0c481ce6e17\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"23\"}}", "isContentBase64": false } } diff --git a/src/SecurityInsights/SecurityInsights.Autorest/test/New-AzSentinelIncidentComment.Recording.json b/src/SecurityInsights/SecurityInsights.Autorest/test/New-AzSentinelIncidentComment.Recording.json index 2877b03f293d..8a6000685978 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/test/New-AzSentinelIncidentComment.Recording.json +++ b/src/SecurityInsights/SecurityInsights.Autorest/test/New-AzSentinelIncidentComment.Recording.json @@ -1,15 +1,15 @@ { - "New-AzSentinelIncidentComment+[NoContext]+CreateExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/8633863a-bc7c-40b0-9ad1-59f72db97042?api-version=2021-09-01-preview+1": { + "New-AzSentinelIncidentComment+[NoContext]+CreateExpanded+$PUT+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/incidents/ed30052a-d1e4-4394-9251-3682ea30827c?api-version=2021-09-01-preview+1": { "Request": { "Method": "PUT", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/8633863a-bc7c-40b0-9ad1-59f72db97042?api-version=2021-09-01-preview", - "Content": "{\n \"properties\": {\n \"severity\": \"Informational\",\n \"status\": \"New\",\n \"title\": \"NewincidentCommentIncident0xng1h\"\n }\n}", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/incidents/ed30052a-d1e4-4394-9251-3682ea30827c?api-version=2021-09-01-preview", + "Content": "{\r\n \"properties\": {\r\n \"severity\": \"Informational\",\r\n \"status\": \"New\",\r\n \"title\": \"NewincidentCommentIncidentlj0gu1\"\r\n }\r\n}", "isContentBase64": false, "Headers": { }, "ContentHeaders": { "Content-Type": [ "application/json" ], - "Content-Length": [ "127" ] + "Content-Length": [ "133" ] } }, "Response": { @@ -17,35 +17,37 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-resource-requests": [ "497" ], - "x-ms-request-id": [ "f1608e98-bb8f-4335-b80c-81ec8028f4c5" ], - "x-ms-correlation-request-id": [ "f1608e98-bb8f-4335-b80c-81ec8028f4c5" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160806Z:f1608e98-bb8f-4335-b80c-81ec8028f4c5" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/787e471e-9f83-422a-a495-dd273d7c907f" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "799" ], + "x-ms-request-id": [ "ffec7b04-66e2-4a6c-880d-ed1287a31a1e" ], + "x-ms-correlation-request-id": [ "ffec7b04-66e2-4a6c-880d-ed1287a31a1e" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074534Z:ffec7b04-66e2-4a6c-880d-ed1287a31a1e" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:08:05 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: F492BFBA6C02473AA35DAAFFA749D0BC Ref B: AMS231020512027 Ref C: 2026-03-25T07:45:33Z" ], + "Date": [ "Wed, 25 Mar 2026 07:45:33 GMT" ] }, "ContentHeaders": { "Content-Length": [ "1228" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/8633863a-bc7c-40b0-9ad1-59f72db97042\",\"name\":\"8633863a-bc7c-40b0-9ad1-59f72db97042\",\"etag\":\"\\\"4a00a852-0000-0100-0000-62fbc0e60000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"NewincidentCommentIncident0xng1h\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-08-16T16:08:06.1404374Z\",\"createdTimeUtc\":\"2022-08-16T16:08:06.1404374Z\",\"incidentNumber\":24,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/8633863a-bc7c-40b0-9ad1-59f72db97042\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"24\"}}", + "Content": "{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/ed30052a-d1e4-4394-9251-3682ea30827c\",\"name\":\"ed30052a-d1e4-4394-9251-3682ea30827c\",\"etag\":\"\\\"2f00fa9c-0000-0100-0000-69c3929e0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"NewincidentCommentIncidentlj0gu1\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2026-03-25T07:45:34.3471817Z\",\"createdTimeUtc\":\"2026-03-25T07:45:34.3471817Z\",\"incidentNumber\":24,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/ed30052a-d1e4-4394-9251-3682ea30827c\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"24\"}}", "isContentBase64": false } }, - "New-AzSentinelIncidentComment+[NoContext]+CreateExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/8633863a-bc7c-40b0-9ad1-59f72db97042/comments/e0d62b0f-55ba-423c-bd1c-13d72489e2c6?api-version=2021-09-01-preview+2": { + "New-AzSentinelIncidentComment+[NoContext]+CreateExpanded+$PUT+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/incidents/ed30052a-d1e4-4394-9251-3682ea30827c/comments/04881f12-f42e-4359-a1ae-b8f409c0777f?api-version=2021-09-01-preview+2": { "Request": { "Method": "PUT", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/8633863a-bc7c-40b0-9ad1-59f72db97042/comments/e0d62b0f-55ba-423c-bd1c-13d72489e2c6?api-version=2021-09-01-preview", - "Content": "{\n \"properties\": {\n \"message\": \"NewincidentCommentyo7r3v\"\n }\n}", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/incidents/ed30052a-d1e4-4394-9251-3682ea30827c/comments/04881f12-f42e-4359-a1ae-b8f409c0777f?api-version=2021-09-01-preview", + "Content": "{\r\n \"properties\": {\r\n \"message\": \"NewincidentCommentsob43m\"\r\n }\r\n}", "isContentBase64": false, "Headers": { }, "ContentHeaders": { "Content-Type": [ "application/json" ], - "Content-Length": [ "67" ] + "Content-Length": [ "71" ] } }, "Response": { @@ -53,21 +55,23 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-resource-requests": [ "499" ], - "x-ms-request-id": [ "72cfcaf2-f191-4260-9e31-e0871f2ad84f" ], - "x-ms-correlation-request-id": [ "72cfcaf2-f191-4260-9e31-e0871f2ad84f" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160806Z:72cfcaf2-f191-4260-9e31-e0871f2ad84f" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/42cd95f5-8d4a-43de-b203-db8bd17a1c5a" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "799" ], + "x-ms-request-id": [ "fe76b6c6-9ca4-4fc1-a824-386a73c68bb6" ], + "x-ms-correlation-request-id": [ "fe76b6c6-9ca4-4fc1-a824-386a73c68bb6" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074535Z:fe76b6c6-9ca4-4fc1-a824-386a73c68bb6" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:08:05 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: E3F3AC2D6B8D4F3CBA7FCC974EE4943A Ref B: AMS231020512027 Ref C: 2026-03-25T07:45:34Z" ], + "Date": [ "Wed, 25 Mar 2026 07:45:34 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "759" ], + "Content-Length": [ "752" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/8633863a-bc7c-40b0-9ad1-59f72db97042/Comments/e0d62b0f-55ba-423c-bd1c-13d72489e2c6\",\"name\":\"e0d62b0f-55ba-423c-bd1c-13d72489e2c6\",\"etag\":\"\\\"4a00a952-0000-0100-0000-62fbc0e60000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents/Comments\",\"properties\":{\"message\":\"NewincidentCommentyo7r3v\",\"createdTimeUtc\":\"2022-08-16T16:08:06.4231604Z\",\"lastModifiedTimeUtc\":\"2022-08-16T16:08:06.4231604Z\",\"author\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"nicholas@zeronetworks.com\"}}}", + "Content": "{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/ed30052a-d1e4-4394-9251-3682ea30827c/Comments/04881f12-f42e-4359-a1ae-b8f409c0777f\",\"name\":\"04881f12-f42e-4359-a1ae-b8f409c0777f\",\"etag\":\"\\\"2f000d9d-0000-0100-0000-69c3929e0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents/Comments\",\"properties\":{\"message\":\"NewincidentCommentsob43m\",\"createdTimeUtc\":\"2026-03-25T07:45:34.9952961Z\",\"lastModifiedTimeUtc\":\"2026-03-25T07:45:34.9952961Z\",\"author\":{\"objectId\":\"6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb\",\"email\":\"t-helezra@microsoft.com\",\"name\":\"Hadas Elezra\",\"userPrincipalName\":\"t-helezra@microsoft.com\"}}}", "isContentBase64": false } } diff --git a/src/SecurityInsights/SecurityInsights.Autorest/test/New-AzSentinelIncidentRelation.Recording.json b/src/SecurityInsights/SecurityInsights.Autorest/test/New-AzSentinelIncidentRelation.Recording.json index ff7d9ff5bbe5..fe68d3d3b9c3 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/test/New-AzSentinelIncidentRelation.Recording.json +++ b/src/SecurityInsights/SecurityInsights.Autorest/test/New-AzSentinelIncidentRelation.Recording.json @@ -1,15 +1,15 @@ { - "New-AzSentinelIncidentRelation+[NoContext]+CreateExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/bookmarks/bba93c64-4a68-46b3-8015-f129ad1597cf?api-version=2021-09-01-preview+1": { + "New-AzSentinelIncidentRelation+[NoContext]+CreateExpanded+$PUT+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/bookmarks/5720e8cf-09ab-4bc7-9743-d0737ee68203?api-version=2021-09-01-preview+1": { "Request": { "Method": "PUT", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/bookmarks/bba93c64-4a68-46b3-8015-f129ad1597cf?api-version=2021-09-01-preview", - "Content": "{\n \"properties\": {\n \"displayName\": \"NewincidentRelationBookmarkNamefjwc8p\",\n \"query\": \"SecurityEvent\\\\n| take 1\",\n \"eventTime\": \"2022-08-16T16:08:07.0287586Z\",\n \"queryStartTime\": \"2022-08-15T16:08:07.0283861Z\",\n \"queryEndTime\": \"2022-08-16T16:08:07.0286258Z\"\n }\n}", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/bookmarks/5720e8cf-09ab-4bc7-9743-d0737ee68203?api-version=2021-09-01-preview", + "Content": "{\r\n \"properties\": {\r\n \"displayName\": \"NewincidentRelationBookmarkNameaxmcdt\",\r\n \"query\": \"SecurityEvent\\\\n| take 1\",\r\n \"eventTime\": \"2026-03-25T07:45:34.8886504Z\",\r\n \"queryStartTime\": \"2026-03-24T07:45:34.8885321Z\",\r\n \"queryEndTime\": \"2026-03-25T07:45:34.8886345Z\"\r\n }\r\n}", "isContentBase64": false, "Headers": { }, "ContentHeaders": { "Content-Type": [ "application/json" ], - "Content-Length": [ "280" ] + "Content-Length": [ "288" ] } }, "Response": { @@ -17,35 +17,39 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-writes": [ "1193" ], - "x-ms-request-id": [ "2672e821-018f-4b47-b0ea-59790aaf839b" ], - "x-ms-correlation-request-id": [ "2672e821-018f-4b47-b0ea-59790aaf839b" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160807Z:2672e821-018f-4b47-b0ea-59790aaf839b" ], + "Vary": [ "Accept-Encoding" ], + "x-ms-ratelimit-remaining-subscription-writes": [ "799" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/718b66db-12a2-48ec-b90d-43e8c894d15f" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-ratelimit-remaining-subscription-global-writes": [ "11999" ], + "x-ms-request-id": [ "d01f2014-517b-4345-b931-930ef67e7022" ], + "x-ms-correlation-request-id": [ "d01f2014-517b-4345-b931-930ef67e7022" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074536Z:d01f2014-517b-4345-b931-930ef67e7022" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:08:06 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: 32F961587D45417CACCFF84690F0BF1E Ref B: AMS231020512027 Ref C: 2026-03-25T07:45:35Z" ], + "Date": [ "Wed, 25 Mar 2026 07:45:35 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "1067" ], + "Content-Length": [ "1057" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Bookmarks/bba93c64-4a68-46b3-8015-f129ad1597cf\",\"name\":\"bba93c64-4a68-46b3-8015-f129ad1597cf\",\"etag\":\"\\\"3c00b48c-0000-0100-0000-62fbc0e70000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"NewincidentRelationBookmarkNamefjwc8p\",\"created\":\"2022-08-16T16:08:07.2011051+00:00\",\"updated\":\"2022-08-16T16:08:07+00:00\",\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2022-08-16T16:08:07.0287586+00:00\",\"labels\":[],\"query\":\"SecurityEvent\\\\n| take 1\",\"queryStartTime\":\"2022-08-15T16:08:07.0283861+00:00\",\"queryEndTime\":\"2022-08-16T16:08:07.0286258+00:00\",\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}}", + "Content": "{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Bookmarks/5720e8cf-09ab-4bc7-9743-d0737ee68203\",\"name\":\"5720e8cf-09ab-4bc7-9743-d0737ee68203\",\"etag\":\"\\\"3c0077b3-0000-0100-0000-69c392a00000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"NewincidentRelationBookmarkNameaxmcdt\",\"created\":\"2026-03-25T07:45:36.2002591+00:00\",\"updated\":\"2026-03-25T07:45:36+00:00\",\"createdBy\":{\"objectId\":\"6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb\",\"email\":\"t-helezra@microsoft.com\",\"name\":\"Hadas Elezra\"},\"updatedBy\":{\"objectId\":\"6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb\",\"email\":\"t-helezra@microsoft.com\",\"name\":\"Hadas Elezra\"},\"eventTime\":\"2026-03-25T07:45:34.8886504+00:00\",\"labels\":[],\"query\":\"SecurityEvent\\\\n| take 1\",\"queryStartTime\":\"2026-03-24T07:45:34.8885321+00:00\",\"queryEndTime\":\"2026-03-25T07:45:34.8886345+00:00\",\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}}", "isContentBase64": false } }, - "New-AzSentinelIncidentRelation+[NoContext]+CreateExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/a56f41af-0d66-44c8-90bc-c8b8e8116984?api-version=2021-09-01-preview+2": { + "New-AzSentinelIncidentRelation+[NoContext]+CreateExpanded+$PUT+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/incidents/0ae21631-acb7-4c47-be55-a12de58daf93?api-version=2021-09-01-preview+2": { "Request": { "Method": "PUT", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/a56f41af-0d66-44c8-90bc-c8b8e8116984?api-version=2021-09-01-preview", - "Content": "{\n \"properties\": {\n \"severity\": \"Informational\",\n \"status\": \"New\",\n \"title\": \"NewincidentRelationIncidentName9m3qew\"\n }\n}", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/incidents/0ae21631-acb7-4c47-be55-a12de58daf93?api-version=2021-09-01-preview", + "Content": "{\r\n \"properties\": {\r\n \"severity\": \"Informational\",\r\n \"status\": \"New\",\r\n \"title\": \"NewincidentRelationIncidentNamei7l8jk\"\r\n }\r\n}", "isContentBase64": false, "Headers": { }, "ContentHeaders": { "Content-Type": [ "application/json" ], - "Content-Length": [ "132" ] + "Content-Length": [ "138" ] } }, "Response": { @@ -53,35 +57,37 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-resource-requests": [ "496" ], - "x-ms-request-id": [ "1bf67a74-8d0f-4d43-a32b-32a3e77b8a69" ], - "x-ms-correlation-request-id": [ "1bf67a74-8d0f-4d43-a32b-32a3e77b8a69" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160807Z:1bf67a74-8d0f-4d43-a32b-32a3e77b8a69" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/5fdab8b1-4c39-46ac-ac14-0b3c3fbc9c0d" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "799" ], + "x-ms-request-id": [ "18bb9481-de7f-47c1-8b59-b4197af3c6e2" ], + "x-ms-correlation-request-id": [ "18bb9481-de7f-47c1-8b59-b4197af3c6e2" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074536Z:18bb9481-de7f-47c1-8b59-b4197af3c6e2" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:08:06 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: 64322E75715E401BA3FA86CA16C88BB2 Ref B: AMS231020512027 Ref C: 2026-03-25T07:45:36Z" ], + "Date": [ "Wed, 25 Mar 2026 07:45:36 GMT" ] }, "ContentHeaders": { "Content-Length": [ "1233" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/a56f41af-0d66-44c8-90bc-c8b8e8116984\",\"name\":\"a56f41af-0d66-44c8-90bc-c8b8e8116984\",\"etag\":\"\\\"4a00ac52-0000-0100-0000-62fbc0e70000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"NewincidentRelationIncidentName9m3qew\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-08-16T16:08:07.4337561Z\",\"createdTimeUtc\":\"2022-08-16T16:08:07.4337561Z\",\"incidentNumber\":25,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/a56f41af-0d66-44c8-90bc-c8b8e8116984\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"25\"}}", + "Content": "{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/0ae21631-acb7-4c47-be55-a12de58daf93\",\"name\":\"0ae21631-acb7-4c47-be55-a12de58daf93\",\"etag\":\"\\\"2f00499d-0000-0100-0000-69c392a00000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"NewincidentRelationIncidentNamei7l8jk\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2026-03-25T07:45:36.7941186Z\",\"createdTimeUtc\":\"2026-03-25T07:45:36.7941186Z\",\"incidentNumber\":25,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/0ae21631-acb7-4c47-be55-a12de58daf93\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"25\"}}", "isContentBase64": false } }, - "New-AzSentinelIncidentRelation+[NoContext]+CreateExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/a56f41af-0d66-44c8-90bc-c8b8e8116984/relations/f4dd61ae-4c28-40ed-9e41-2285e59ec616?api-version=2021-09-01-preview+3": { + "New-AzSentinelIncidentRelation+[NoContext]+CreateExpanded+$PUT+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/incidents/0ae21631-acb7-4c47-be55-a12de58daf93/relations/da8feb99-eb8e-4920-aaa3-65499e29d020?api-version=2021-09-01-preview+3": { "Request": { "Method": "PUT", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/a56f41af-0d66-44c8-90bc-c8b8e8116984/relations/f4dd61ae-4c28-40ed-9e41-2285e59ec616?api-version=2021-09-01-preview", - "Content": "{\n \"properties\": {\n \"relatedResourceId\": \"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Bookmarks/bba93c64-4a68-46b3-8015-f129ad1597cf\"\n }\n}", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/incidents/0ae21631-acb7-4c47-be55-a12de58daf93/relations/da8feb99-eb8e-4920-aaa3-65499e29d020?api-version=2021-09-01-preview", + "Content": "{\r\n \"properties\": {\r\n \"relatedResourceId\": \"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Bookmarks/5720e8cf-09ab-4bc7-9743-d0737ee68203\"\r\n }\r\n}", "isContentBase64": false, "Headers": { }, "ContentHeaders": { "Content-Type": [ "application/json" ], - "Content-Length": [ "283" ] + "Content-Length": [ "287" ] } }, "Response": { @@ -89,21 +95,24 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-resource-requests": [ "499" ], - "x-ms-request-id": [ "83602b22-e2a5-4e6c-8717-6cc34c2b151f" ], - "x-ms-correlation-request-id": [ "83602b22-e2a5-4e6c-8717-6cc34c2b151f" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160807Z:83602b22-e2a5-4e6c-8717-6cc34c2b151f" ], + "Vary": [ "Accept-Encoding" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "799" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/07999c5c-a0f1-44cd-b4a6-6511a4fa4d83" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-request-id": [ "a627b3b2-9587-43b3-91d0-8a1f35527ceb" ], + "x-ms-correlation-request-id": [ "a627b3b2-9587-43b3-91d0-8a1f35527ceb" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074537Z:a627b3b2-9587-43b3-91d0-8a1f35527ceb" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:08:06 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: CBFC23A448044F9B93A022DF3F975BD5 Ref B: AMS231020512027 Ref C: 2026-03-25T07:45:37Z" ], + "Date": [ "Wed, 25 Mar 2026 07:45:37 GMT" ] }, "ContentHeaders": { "Content-Length": [ "828" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/a56f41af-0d66-44c8-90bc-c8b8e8116984/relations/f4dd61ae-4c28-40ed-9e41-2285e59ec616\",\"name\":\"f4dd61ae-4c28-40ed-9e41-2285e59ec616\",\"etag\":\"\\\"4a00ad52-0000-0100-0000-62fbc0e70000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents/relations\",\"properties\":{\"relatedResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Bookmarks/bba93c64-4a68-46b3-8015-f129ad1597cf\",\"relatedResourceName\":\"bba93c64-4a68-46b3-8015-f129ad1597cf\",\"relatedResourceType\":\"Microsoft.SecurityInsights/Bookmarks\"}}", + "Content": "{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/0ae21631-acb7-4c47-be55-a12de58daf93/relations/da8feb99-eb8e-4920-aaa3-65499e29d020\",\"name\":\"da8feb99-eb8e-4920-aaa3-65499e29d020\",\"etag\":\"\\\"2f00719d-0000-0100-0000-69c392a10000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents/relations\",\"properties\":{\"relatedResourceId\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Bookmarks/5720e8cf-09ab-4bc7-9743-d0737ee68203\",\"relatedResourceName\":\"5720e8cf-09ab-4bc7-9743-d0737ee68203\",\"relatedResourceType\":\"Microsoft.SecurityInsights/Bookmarks\"}}", "isContentBase64": false } } diff --git a/src/SecurityInsights/SecurityInsights.Autorest/test/New-AzSentinelIncidentTeam.Recording.json b/src/SecurityInsights/SecurityInsights.Autorest/test/New-AzSentinelIncidentTeam.Recording.json index d36517e3fe8e..9ca6a0b51f75 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/test/New-AzSentinelIncidentTeam.Recording.json +++ b/src/SecurityInsights/SecurityInsights.Autorest/test/New-AzSentinelIncidentTeam.Recording.json @@ -1,15 +1,15 @@ { - "New-AzSentinelIncidentTeam+[NoContext]+CreateExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/4354e208-22e9-4185-b549-2f958633bed6?api-version=2021-09-01-preview+1": { + "New-AzSentinelIncidentTeam+[NoContext]+CreateExpanded+$PUT+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/incidents/e4719943-91c5-45c6-a8c1-8dc6698191a6?api-version=2021-09-01-preview+1": { "Request": { "Method": "PUT", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/4354e208-22e9-4185-b549-2f958633bed6?api-version=2021-09-01-preview", - "Content": "{\n \"properties\": {\n \"severity\": \"Informational\",\n \"status\": \"New\",\n \"title\": \"NewincidentTeamIncidentName1pg5hu\"\n }\n}", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/incidents/e4719943-91c5-45c6-a8c1-8dc6698191a6?api-version=2021-09-01-preview", + "Content": "{\r\n \"properties\": {\r\n \"severity\": \"Informational\",\r\n \"status\": \"New\",\r\n \"title\": \"NewincidentTeamIncidentName7u2zch\"\r\n }\r\n}", "isContentBase64": false, "Headers": { }, "ContentHeaders": { "Content-Type": [ "application/json" ], - "Content-Length": [ "128" ] + "Content-Length": [ "134" ] } }, "Response": { @@ -17,35 +17,37 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-resource-requests": [ "495" ], - "x-ms-request-id": [ "adbc6a77-6a49-4ce8-89da-aac2644f42e1" ], - "x-ms-correlation-request-id": [ "adbc6a77-6a49-4ce8-89da-aac2644f42e1" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160808Z:adbc6a77-6a49-4ce8-89da-aac2644f42e1" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/ff25c3f9-b0d1-4dcb-8805-73aa9ecb0c8b" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "799" ], + "x-ms-request-id": [ "559e99fb-cf5c-49b4-ab1b-0a6b50c20824" ], + "x-ms-correlation-request-id": [ "559e99fb-cf5c-49b4-ab1b-0a6b50c20824" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074538Z:559e99fb-cf5c-49b4-ab1b-0a6b50c20824" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:08:07 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: DF562EEA78984E95833462EC3412886C Ref B: AMS231020512027 Ref C: 2026-03-25T07:45:38Z" ], + "Date": [ "Wed, 25 Mar 2026 07:45:38 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "1229" ], + "Content-Length": [ "1227" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/4354e208-22e9-4185-b549-2f958633bed6\",\"name\":\"4354e208-22e9-4185-b549-2f958633bed6\",\"etag\":\"\\\"4a00ae52-0000-0100-0000-62fbc0e80000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"NewincidentTeamIncidentName1pg5hu\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-08-16T16:08:08.4803973Z\",\"createdTimeUtc\":\"2022-08-16T16:08:08.4803973Z\",\"incidentNumber\":26,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/4354e208-22e9-4185-b549-2f958633bed6\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"26\"}}", + "Content": "{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/e4719943-91c5-45c6-a8c1-8dc6698191a6\",\"name\":\"e4719943-91c5-45c6-a8c1-8dc6698191a6\",\"etag\":\"\\\"2f009e9d-0000-0100-0000-69c392a20000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"NewincidentTeamIncidentName7u2zch\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2026-03-25T07:45:38.820876Z\",\"createdTimeUtc\":\"2026-03-25T07:45:38.820876Z\",\"incidentNumber\":26,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/e4719943-91c5-45c6-a8c1-8dc6698191a6\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"26\"}}", "isContentBase64": false } }, - "New-AzSentinelIncidentTeam+[NoContext]+CreateExpanded+$POST+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/4354e208-22e9-4185-b549-2f958633bed6/createTeam?api-version=2021-09-01-preview+2": { + "New-AzSentinelIncidentTeam+[NoContext]+CreateExpanded+$POST+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/incidents/e4719943-91c5-45c6-a8c1-8dc6698191a6/createTeam?api-version=2021-09-01-preview+2": { "Request": { "Method": "POST", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/4354e208-22e9-4185-b549-2f958633bed6/createTeam?api-version=2021-09-01-preview", - "Content": "{\n \"teamName\": \"NITPSTest\"\n}", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/incidents/e4719943-91c5-45c6-a8c1-8dc6698191a6/createTeam?api-version=2021-09-01-preview", + "Content": "{\r\n \"teamName\": \"NITPSTest\"\r\n}", "isContentBase64": false, "Headers": { }, "ContentHeaders": { "Content-Type": [ "application/json" ], - "Content-Length": [ "29" ] + "Content-Length": [ "31" ] } }, "Response": { @@ -53,21 +55,25 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-writes": [ "1199" ], - "x-ms-request-id": [ "ac4eebbb-1d24-44ec-9b41-a302e0e1e793" ], - "x-ms-correlation-request-id": [ "ac4eebbb-1d24-44ec-9b41-a302e0e1e793" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160814Z:ac4eebbb-1d24-44ec-9b41-a302e0e1e793" ], + "Vary": [ "Accept-Encoding" ], + "x-ms-ratelimit-remaining-subscription-writes": [ "799" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/af46eb85-be58-445b-984c-c8ef0938b91f" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-ratelimit-remaining-subscription-global-writes": [ "11999" ], + "x-ms-request-id": [ "945aa154-ba49-4af2-bc7e-a2de2a08d8b4" ], + "x-ms-correlation-request-id": [ "945aa154-ba49-4af2-bc7e-a2de2a08d8b4" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074545Z:945aa154-ba49-4af2-bc7e-a2de2a08d8b4" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:08:13 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: 06E824979B0644D2AFCB9B210B28F7D6 Ref B: AMS231020512027 Ref C: 2026-03-25T07:45:39Z" ], + "Date": [ "Wed, 25 Mar 2026 07:45:44 GMT" ] }, "ContentHeaders": { "Content-Length": [ "353" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"teamId\":\"eb3db1ba-a3a3-4d76-90fe-606deb37edcf\",\"primaryChannelUrl\":\"https://teams.microsoft.com/l/team/19%3azDlBuh8NgSjPNVW91N7sSavKtEXjAVX69fhyWjLdBpY1%40thread.tacv2/conversations?groupId=eb3db1ba-a3a3-4d76-90fe-606deb37edcf\u0026tenantId=d6eebbdd-d77c-465e-b008-4339027b4006\",\"teamCreationTimeUtc\":\"2022-08-16T16:08:14.1063041+00:00\",\"name\":\"NITPSTest\"}", + "Content": "{\"teamId\":\"0d35a690-c59e-4cfb-ae49-a280dfe8976e\",\"primaryChannelUrl\":\"https://teams.microsoft.com/l/team/19%3arALj5nkvMcLGi5rNoPEudiXcV7REDCuIth9fIrVzXA01%40thread.tacv2/conversations?groupId=0d35a690-c59e-4cfb-ae49-a280dfe8976e\u0026tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47\",\"teamCreationTimeUtc\":\"2026-03-25T07:45:45.3213834+00:00\",\"name\":\"NITPSTest\"}", "isContentBase64": false } } diff --git a/src/SecurityInsights/SecurityInsights.Autorest/test/Remove-AzSentinelAlertRule.Recording.json b/src/SecurityInsights/SecurityInsights.Autorest/test/Remove-AzSentinelAlertRule.Recording.json index baa204dc2b5d..7f9c611c844d 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/test/Remove-AzSentinelAlertRule.Recording.json +++ b/src/SecurityInsights/SecurityInsights.Autorest/test/Remove-AzSentinelAlertRule.Recording.json @@ -1,17 +1,17 @@ { - "Remove-AzSentinelAlertRule+[NoContext]+Delete+$DELETE+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/90872ee6-8ed3-48b8-8e93-2bcb1aa6825d?api-version=2021-09-01-preview+1": { + "Remove-AzSentinelAlertRule+[NoContext]+Delete+$DELETE+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/alertRules/f731873a-1985-4ead-8b08-66136867f476?api-version=2021-09-01-preview+1": { "Request": { "Method": "DELETE", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/90872ee6-8ed3-48b8-8e93-2bcb1aa6825d?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/alertRules/f731873a-1985-4ead-8b08-66136867f476?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "254" ], - "x-ms-client-request-id": [ "e7cc6364-bd07-4d6d-860d-7b5797f1def1" ], + "x-ms-unique-id": [ "97" ], + "x-ms-client-request-id": [ "67f95cf2-1e5d-4ffb-b59c-b09a88be5ee9" ], "CommandName": [ "Remove-AzSentinelAlertRule" ], "FullCommandName": [ "Remove-AzSentinelAlertRule_Delete" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], + "User-Agent": [ "AzurePowershell/v15.4.0", "PSVersion/v7.6.0", "Az.SecurityInsights/3.2.1" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { @@ -22,14 +22,17 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-deletes": [ "14999" ], - "x-ms-request-id": [ "0319fa21-03dd-4c15-a00c-0b1f4809629a" ], - "x-ms-correlation-request-id": [ "0319fa21-03dd-4c15-a00c-0b1f4809629a" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160815Z:0319fa21-03dd-4c15-a00c-0b1f4809629a" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/63eaad62-e08e-47c8-9e57-31ab96e5d5cb" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-ratelimit-remaining-subscription-deletes": [ "799" ], + "x-ms-ratelimit-remaining-subscription-global-deletes": [ "11999" ], + "x-ms-request-id": [ "44d0bee1-fb27-46d8-92d7-cb7b4b47636a" ], + "x-ms-correlation-request-id": [ "44d0bee1-fb27-46d8-92d7-cb7b4b47636a" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074547Z:44d0bee1-fb27-46d8-92d7-cb7b4b47636a" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:08:15 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: 716373B3924D44658CA644E3837F41AF Ref B: AMS231020512027 Ref C: 2026-03-25T07:45:47Z" ], + "Date": [ "Wed, 25 Mar 2026 07:45:47 GMT" ] }, "ContentHeaders": { "Content-Length": [ "2" ], @@ -40,19 +43,19 @@ "isContentBase64": false } }, - "Remove-AzSentinelAlertRule+[NoContext]+DeleteViaIdentity+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/b5daebea-1da1-45a1-abb5-94ad8c8da5cb?api-version=2021-09-01-preview+1": { + "Remove-AzSentinelAlertRule+[NoContext]+DeleteViaIdentity+$GET+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/alertRules/cc5ff22b-1ea2-46b8-8695-791d141e393f?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/b5daebea-1da1-45a1-abb5-94ad8c8da5cb?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/alertRules/cc5ff22b-1ea2-46b8-8695-791d141e393f?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "255" ], - "x-ms-client-request-id": [ "693056ba-b7b7-416f-b94f-ef04ead55a34" ], + "x-ms-unique-id": [ "98" ], + "x-ms-client-request-id": [ "7c3d5592-53fb-4b5d-86a5-b34c7b9ce677" ], "CommandName": [ "Get-AzSentinelAlertRule" ], "FullCommandName": [ "Get-AzSentinelAlertRule_Get" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], + "User-Agent": [ "AzurePowershell/v15.4.0", "PSVersion/v7.6.0", "Az.SecurityInsights/3.2.1" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { @@ -63,37 +66,41 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11942" ], - "x-ms-request-id": [ "8e2eec14-b59c-4bb3-8658-186cd39a5e96" ], - "x-ms-correlation-request-id": [ "8e2eec14-b59c-4bb3-8658-186cd39a5e96" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160816Z:8e2eec14-b59c-4bb3-8658-186cd39a5e96" ], + "Vary": [ "Accept-Encoding" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "1099" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/2db76989-38e7-4688-825b-6bc2f7402d3c" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-ratelimit-remaining-subscription-global-reads": [ "16499" ], + "x-ms-request-id": [ "1d880362-e3e7-4463-8655-8a83c38bb84b" ], + "x-ms-correlation-request-id": [ "1d880362-e3e7-4463-8655-8a83c38bb84b" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074548Z:1d880362-e3e7-4463-8655-8a83c38bb84b" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:08:15 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: 567D2BEF06CF44278BEDCC345FF5D17B Ref B: AMS231020512027 Ref C: 2026-03-25T07:45:48Z" ], + "Date": [ "Wed, 25 Mar 2026 07:45:47 GMT" ] }, "ContentHeaders": { "Content-Length": [ "1180" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/b5daebea-1da1-45a1-abb5-94ad8c8da5cb\",\"name\":\"b5daebea-1da1-45a1-abb5-94ad8c8da5cb\",\"etag\":\"\\\"0600ed40-0000-0100-0000-62fbba540000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Informational\",\"query\":\"SecurityEvent\\n| take 1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Execution\"],\"displayName\":\"RemoveViaIdAlertRule81exqs\",\"enabled\":true,\"description\":\"RemoveViaIdAlertRule81exqs b5daebea-1da1-45a1-abb5-94ad8c8da5cb\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2022-08-16T15:40:04.5582676Z\"}}", + "Content": "{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/alertRules/cc5ff22b-1ea2-46b8-8695-791d141e393f\",\"name\":\"cc5ff22b-1ea2-46b8-8695-791d141e393f\",\"etag\":\"\\\"600026b9-0000-0100-0000-69c38da10000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Informational\",\"query\":\"SecurityEvent\\n| take 1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Execution\"],\"displayName\":\"RemoveViaIdAlertRule8z7jhl\",\"enabled\":true,\"description\":\"RemoveViaIdAlertRule8z7jhl cc5ff22b-1ea2-46b8-8695-791d141e393f\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2026-03-25T07:24:17.0136989Z\"}}", "isContentBase64": false } }, - "Remove-AzSentinelAlertRule+[NoContext]+DeleteViaIdentity+$DELETE+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/b5daebea-1da1-45a1-abb5-94ad8c8da5cb?api-version=2021-09-01-preview+2": { + "Remove-AzSentinelAlertRule+[NoContext]+DeleteViaIdentity+$DELETE+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/alertRules/cc5ff22b-1ea2-46b8-8695-791d141e393f?api-version=2021-09-01-preview+2": { "Request": { "Method": "DELETE", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/b5daebea-1da1-45a1-abb5-94ad8c8da5cb?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/alertRules/cc5ff22b-1ea2-46b8-8695-791d141e393f?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "256" ], - "x-ms-client-request-id": [ "e4371b0a-cd89-4a1f-956c-4ca63105bf2c" ], + "x-ms-unique-id": [ "99" ], + "x-ms-client-request-id": [ "3e113720-45e0-4387-baa1-145d8d42e22a" ], "CommandName": [ "Remove-AzSentinelAlertRule" ], "FullCommandName": [ "Remove-AzSentinelAlertRule_DeleteViaIdentity" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], + "User-Agent": [ "AzurePowershell/v15.4.0", "PSVersion/v7.6.0", "Az.SecurityInsights/3.2.1" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { @@ -104,14 +111,17 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-deletes": [ "14998" ], - "x-ms-request-id": [ "776a6a11-80d5-400e-9589-7716676f0fed" ], - "x-ms-correlation-request-id": [ "776a6a11-80d5-400e-9589-7716676f0fed" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160816Z:776a6a11-80d5-400e-9589-7716676f0fed" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/0121e9a3-b6c6-43cc-8b82-594e7918414c" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-ratelimit-remaining-subscription-deletes": [ "799" ], + "x-ms-ratelimit-remaining-subscription-global-deletes": [ "11999" ], + "x-ms-request-id": [ "3d7f7674-9480-4574-b2c7-fd5b7948db3b" ], + "x-ms-correlation-request-id": [ "3d7f7674-9480-4574-b2c7-fd5b7948db3b" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074548Z:3d7f7674-9480-4574-b2c7-fd5b7948db3b" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:08:15 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: 9F0BB90FE5CB40BDB36A496A15A3B585 Ref B: AMS231020512027 Ref C: 2026-03-25T07:45:48Z" ], + "Date": [ "Wed, 25 Mar 2026 07:45:48 GMT" ] }, "ContentHeaders": { "Content-Length": [ "2" ], diff --git a/src/SecurityInsights/SecurityInsights.Autorest/test/Remove-AzSentinelAlertRuleAction.Recording.json b/src/SecurityInsights/SecurityInsights.Autorest/test/Remove-AzSentinelAlertRuleAction.Recording.json index ef56e9f01c9d..26e6ae84033f 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/test/Remove-AzSentinelAlertRuleAction.Recording.json +++ b/src/SecurityInsights/SecurityInsights.Autorest/test/Remove-AzSentinelAlertRuleAction.Recording.json @@ -1,17 +1,17 @@ { - "Remove-AzSentinelAlertRuleAction+[NoContext]+Delete+$DELETE+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/7ebb90bb-a57a-42f6-8a23-a0393c176560/actions/91ce8ce7-c028-4a76-8271-ae20f477ed35?api-version=2021-09-01-preview+1": { + "Remove-AzSentinelAlertRuleAction+[NoContext]+Delete+$DELETE+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/alertRules/fbfa413f-423f-4546-9399-6bb4b234b07b/actions/a67122b9-ea3d-42b3-8b27-01df9ed1b094?api-version=2021-09-01-preview+1": { "Request": { "Method": "DELETE", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/7ebb90bb-a57a-42f6-8a23-a0393c176560/actions/91ce8ce7-c028-4a76-8271-ae20f477ed35?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/alertRules/fbfa413f-423f-4546-9399-6bb4b234b07b/actions/a67122b9-ea3d-42b3-8b27-01df9ed1b094?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "257" ], - "x-ms-client-request-id": [ "fa2b858c-7b51-41ae-be81-1a8942a45231" ], + "x-ms-unique-id": [ "100" ], + "x-ms-client-request-id": [ "14876665-f7c6-4233-b2e9-65b8e95b7cf7" ], "CommandName": [ "Remove-AzSentinelAlertRuleAction" ], "FullCommandName": [ "Remove-AzSentinelAlertRuleAction_Delete" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], + "User-Agent": [ "AzurePowershell/v15.4.0", "PSVersion/v7.6.0", "Az.SecurityInsights/3.2.1" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { @@ -22,14 +22,17 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-deletes": [ "14997" ], - "x-ms-request-id": [ "7fccd190-1a4a-4a6f-9de4-32a485ddba40" ], - "x-ms-correlation-request-id": [ "7fccd190-1a4a-4a6f-9de4-32a485ddba40" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160817Z:7fccd190-1a4a-4a6f-9de4-32a485ddba40" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/d2409ff1-a7d7-4bf1-94b6-2c3a19d60ee0" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-ratelimit-remaining-subscription-deletes": [ "798" ], + "x-ms-ratelimit-remaining-subscription-global-deletes": [ "11998" ], + "x-ms-request-id": [ "9e5de279-4db3-4735-b2ae-3fef62bfe58a" ], + "x-ms-correlation-request-id": [ "9e5de279-4db3-4735-b2ae-3fef62bfe58a" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074550Z:9e5de279-4db3-4735-b2ae-3fef62bfe58a" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:08:16 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: 0C00BDBD3982489C9730845B5680137D Ref B: AMS231020512027 Ref C: 2026-03-25T07:45:49Z" ], + "Date": [ "Wed, 25 Mar 2026 07:45:49 GMT" ] }, "ContentHeaders": { "Expires": [ "-1" ], @@ -39,19 +42,19 @@ "isContentBase64": false } }, - "Remove-AzSentinelAlertRuleAction+[NoContext]+DeleteViaIdentity+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/e5a90aef-2e88-486c-a745-66f415230a61/actions/5945e422-0352-4aba-9fe7-fbf7567e44c2?api-version=2021-09-01-preview+1": { + "Remove-AzSentinelAlertRuleAction+[NoContext]+DeleteViaIdentity+$GET+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/alertRules/bfbfe303-5fe5-41b2-a51c-ce1c8cb99b4d/actions/96edc48e-dfba-405a-b16f-f17cb7a6e8e1?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/e5a90aef-2e88-486c-a745-66f415230a61/actions/5945e422-0352-4aba-9fe7-fbf7567e44c2?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/alertRules/bfbfe303-5fe5-41b2-a51c-ce1c8cb99b4d/actions/96edc48e-dfba-405a-b16f-f17cb7a6e8e1?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "258" ], - "x-ms-client-request-id": [ "739ab722-946a-45f3-a5c6-ee1edbd63d88" ], + "x-ms-unique-id": [ "101" ], + "x-ms-client-request-id": [ "242d5c1f-53e4-40a7-951c-dca0be70a105" ], "CommandName": [ "Get-AzSentinelAlertRuleAction" ], "FullCommandName": [ "Get-AzSentinelAlertRuleAction_Get" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], + "User-Agent": [ "AzurePowershell/v15.4.0", "PSVersion/v7.6.0", "Az.SecurityInsights/3.2.1" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { @@ -62,37 +65,41 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11941" ], - "x-ms-request-id": [ "272ba220-690c-4666-a376-e70125ba6cf8" ], - "x-ms-correlation-request-id": [ "272ba220-690c-4666-a376-e70125ba6cf8" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160818Z:272ba220-690c-4666-a376-e70125ba6cf8" ], + "Vary": [ "Accept-Encoding" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "1099" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/2b057b6e-bd59-467d-b4d8-1b8ecc78421b" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-ratelimit-remaining-subscription-global-reads": [ "16499" ], + "x-ms-request-id": [ "cbf23d1c-7898-473f-ada8-c03c82d32fe7" ], + "x-ms-correlation-request-id": [ "cbf23d1c-7898-473f-ada8-c03c82d32fe7" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074550Z:cbf23d1c-7898-473f-ada8-c03c82d32fe7" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:08:17 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: 94257417F09E48578B728840AFB689CA Ref B: AMS231020512027 Ref C: 2026-03-25T07:45:50Z" ], + "Date": [ "Wed, 25 Mar 2026 07:45:50 GMT" ] }, "ContentHeaders": { "Content-Length": [ "660" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/e5a90aef-2e88-486c-a745-66f415230a61/actions/5945e422-0352-4aba-9fe7-fbf7567e44c2\",\"name\":\"5945e422-0352-4aba-9fe7-fbf7567e44c2\",\"etag\":\"\\\"be01481c-0000-0300-0000-62fbbb010000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules/actions\",\"properties\":{\"workflowId\":\"eb03b1bc818942e0a642c05aeef2614b\",\"logicAppResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.Logic/workflows/Block-AADUser-Alert\"}}", + "Content": "{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/alertRules/bfbfe303-5fe5-41b2-a51c-ce1c8cb99b4d/actions/96edc48e-dfba-405a-b16f-f17cb7a6e8e1\",\"name\":\"96edc48e-dfba-405a-b16f-f17cb7a6e8e1\",\"etag\":\"\\\"0802507c-0000-0300-0000-69c38dcc0000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules/actions\",\"properties\":{\"workflowId\":\"fdce5d8d4e914b7b99bd10b290075cc2\",\"logicAppResourceId\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.Logic/workflows/Block-AADUser-Alert\"}}", "isContentBase64": false } }, - "Remove-AzSentinelAlertRuleAction+[NoContext]+DeleteViaIdentity+$DELETE+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/e5a90aef-2e88-486c-a745-66f415230a61/actions/5945e422-0352-4aba-9fe7-fbf7567e44c2?api-version=2021-09-01-preview+2": { + "Remove-AzSentinelAlertRuleAction+[NoContext]+DeleteViaIdentity+$DELETE+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/alertRules/bfbfe303-5fe5-41b2-a51c-ce1c8cb99b4d/actions/96edc48e-dfba-405a-b16f-f17cb7a6e8e1?api-version=2021-09-01-preview+2": { "Request": { "Method": "DELETE", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/e5a90aef-2e88-486c-a745-66f415230a61/actions/5945e422-0352-4aba-9fe7-fbf7567e44c2?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/alertRules/bfbfe303-5fe5-41b2-a51c-ce1c8cb99b4d/actions/96edc48e-dfba-405a-b16f-f17cb7a6e8e1?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "259" ], - "x-ms-client-request-id": [ "a07309f1-c3d3-42fd-a660-d1ac8f40ec3a" ], + "x-ms-unique-id": [ "102" ], + "x-ms-client-request-id": [ "3eb249e6-4c97-45fd-bb3d-afd18898b5d6" ], "CommandName": [ "Remove-AzSentinelAlertRuleAction" ], "FullCommandName": [ "Remove-AzSentinelAlertRuleAction_DeleteViaIdentity" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], + "User-Agent": [ "AzurePowershell/v15.4.0", "PSVersion/v7.6.0", "Az.SecurityInsights/3.2.1" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { @@ -103,14 +110,17 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-deletes": [ "14996" ], - "x-ms-request-id": [ "2d3a0b9d-415d-4def-a495-8fc049c379da" ], - "x-ms-correlation-request-id": [ "2d3a0b9d-415d-4def-a495-8fc049c379da" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160819Z:2d3a0b9d-415d-4def-a495-8fc049c379da" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/0ab7b327-0db6-45cb-8649-d7fb27762c45" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-ratelimit-remaining-subscription-deletes": [ "799" ], + "x-ms-ratelimit-remaining-subscription-global-deletes": [ "11999" ], + "x-ms-request-id": [ "44524c4a-252a-4294-b8ab-e4329fbddecc" ], + "x-ms-correlation-request-id": [ "44524c4a-252a-4294-b8ab-e4329fbddecc" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074551Z:44524c4a-252a-4294-b8ab-e4329fbddecc" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:08:18 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: 63076188D8D24213B46BCEA4064E3044 Ref B: AMS231020512027 Ref C: 2026-03-25T07:45:50Z" ], + "Date": [ "Wed, 25 Mar 2026 07:45:51 GMT" ] }, "ContentHeaders": { "Expires": [ "-1" ], diff --git a/src/SecurityInsights/SecurityInsights.Autorest/test/Remove-AzSentinelAutomationRule.Recording.json b/src/SecurityInsights/SecurityInsights.Autorest/test/Remove-AzSentinelAutomationRule.Recording.json index 9edfaff39ef8..854ea4c23310 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/test/Remove-AzSentinelAutomationRule.Recording.json +++ b/src/SecurityInsights/SecurityInsights.Autorest/test/Remove-AzSentinelAutomationRule.Recording.json @@ -1,17 +1,17 @@ { - "Remove-AzSentinelAutomationRule+[NoContext]+Delete+$DELETE+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/automationRules/6e8b42ff-dab7-481f-b764-f853700cc536?api-version=2021-09-01-preview+1": { + "Remove-AzSentinelAutomationRule+[NoContext]+Delete+$DELETE+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/automationRules/513cdba0-0f4e-4c45-80b8-9ef28a66af2d?api-version=2021-09-01-preview+1": { "Request": { "Method": "DELETE", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/automationRules/6e8b42ff-dab7-481f-b764-f853700cc536?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/automationRules/513cdba0-0f4e-4c45-80b8-9ef28a66af2d?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "260" ], - "x-ms-client-request-id": [ "e5f0974b-165c-4a72-85e7-a3147c35a459" ], + "x-ms-unique-id": [ "103" ], + "x-ms-client-request-id": [ "a14eca0c-734c-4ce0-a23a-f7d22e0f1d89" ], "CommandName": [ "Remove-AzSentinelAutomationRule" ], "FullCommandName": [ "Remove-AzSentinelAutomationRule_Delete" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], + "User-Agent": [ "AzurePowershell/v15.4.0", "PSVersion/v7.6.0", "Az.SecurityInsights/3.2.1" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { @@ -22,14 +22,17 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-deletes": [ "14995" ], - "x-ms-request-id": [ "50114272-feab-4e00-aa98-1010c8004bdb" ], - "x-ms-correlation-request-id": [ "50114272-feab-4e00-aa98-1010c8004bdb" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160819Z:50114272-feab-4e00-aa98-1010c8004bdb" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/2725fb21-f160-4180-ba01-fcb50837ce76" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-ratelimit-remaining-subscription-deletes": [ "799" ], + "x-ms-ratelimit-remaining-subscription-global-deletes": [ "11999" ], + "x-ms-request-id": [ "b7a3d261-a434-4ccb-bed1-ff5007319bd4" ], + "x-ms-correlation-request-id": [ "b7a3d261-a434-4ccb-bed1-ff5007319bd4" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074552Z:b7a3d261-a434-4ccb-bed1-ff5007319bd4" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:08:19 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: 89D3805D901549F58CAEEBBF3639B0D7 Ref B: AMS231020512027 Ref C: 2026-03-25T07:45:52Z" ], + "Date": [ "Wed, 25 Mar 2026 07:45:52 GMT" ] }, "ContentHeaders": { "Content-Length": [ "2" ], @@ -40,19 +43,19 @@ "isContentBase64": false } }, - "Remove-AzSentinelAutomationRule+[NoContext]+DeleteViaIdentity+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/automationRules/ab65a956-23b7-44a0-8a32-cb8d62d389d8?api-version=2021-09-01-preview+1": { + "Remove-AzSentinelAutomationRule+[NoContext]+DeleteViaIdentity+$GET+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/automationRules/ac54957e-9b2d-40fa-89aa-ccb79edb3289?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/automationRules/ab65a956-23b7-44a0-8a32-cb8d62d389d8?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/automationRules/ac54957e-9b2d-40fa-89aa-ccb79edb3289?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "261" ], - "x-ms-client-request-id": [ "17cb2288-a7e9-493e-acf4-40e6212cd88b" ], + "x-ms-unique-id": [ "104" ], + "x-ms-client-request-id": [ "ce273e93-a621-4f15-8da8-bf87a53a8795" ], "CommandName": [ "Get-AzSentinelAutomationRule" ], "FullCommandName": [ "Get-AzSentinelAutomationRule_Get" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], + "User-Agent": [ "AzurePowershell/v15.4.0", "PSVersion/v7.6.0", "Az.SecurityInsights/3.2.1" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { @@ -63,37 +66,40 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-resource-requests": [ "495" ], - "x-ms-request-id": [ "6f4b4a10-70a4-4e92-9776-b956e7379d20" ], - "x-ms-correlation-request-id": [ "6f4b4a10-70a4-4e92-9776-b956e7379d20" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160820Z:6f4b4a10-70a4-4e92-9776-b956e7379d20" ], + "Vary": [ "Accept-Encoding" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "1099" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/593c6c37-5aa0-4c00-bc9a-7367d71f5ee9" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-request-id": [ "48308be9-6680-41c7-85c7-be5155a508e2" ], + "x-ms-correlation-request-id": [ "48308be9-6680-41c7-85c7-be5155a508e2" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074552Z:48308be9-6680-41c7-85c7-be5155a508e2" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:08:19 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: ABE9AF90C3E94233B9F720C1CC765067 Ref B: AMS231020512027 Ref C: 2026-03-25T07:45:52Z" ], + "Date": [ "Wed, 25 Mar 2026 07:45:52 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "1294" ], + "Content-Length": [ "1280" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AutomationRules/ab65a956-23b7-44a0-8a32-cb8d62d389d8\",\"name\":\"ab65a956-23b7-44a0-8a32-cb8d62d389d8\",\"etag\":\"\\\"250021e5-0000-0100-0000-62fbbbfe0000\\\"\",\"type\":\"Microsoft.SecurityInsights/AutomationRules\",\"properties\":{\"displayName\":\"RemoveViaIdAutomationRule7s6m8t\",\"order\":1,\"triggeringLogic\":{\"isEnabled\":true,\"triggersOn\":\"Incidents\",\"triggersWhen\":\"Created\",\"conditions\":[]},\"actions\":[{\"order\":1,\"actionType\":\"RunPlaybook\",\"actionConfiguration\":{\"logicAppResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.Logic/workflows/Block-AADUser-Incident\",\"tenantId\":\"d6eebbdd-d77c-465e-b008-4339027b4006\"}}],\"lastModifiedTimeUtc\":\"2022-08-16T15:47:10Z\",\"createdTimeUtc\":\"2022-08-16T15:47:10Z\",\"lastModifiedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"nicholas@zeronetworks.com\"},\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"nicholas@zeronetworks.com\"}}}", + "Content": "{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AutomationRules/ac54957e-9b2d-40fa-89aa-ccb79edb3289\",\"name\":\"ac54957e-9b2d-40fa-89aa-ccb79edb3289\",\"etag\":\"\\\"1600621c-0000-0100-0000-69c38e370000\\\"\",\"type\":\"Microsoft.SecurityInsights/AutomationRules\",\"properties\":{\"displayName\":\"RemoveViaIdAutomationRule4e6a0t\",\"order\":1,\"triggeringLogic\":{\"isEnabled\":true,\"triggersOn\":\"Incidents\",\"triggersWhen\":\"Created\",\"conditions\":[]},\"actions\":[{\"order\":1,\"actionType\":\"RunPlaybook\",\"actionConfiguration\":{\"logicAppResourceId\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.Logic/workflows/Block-AADUser-Incident\",\"tenantId\":\"72f988bf-86f1-41af-91ab-2d7cd011db47\"}}],\"lastModifiedTimeUtc\":\"2026-03-25T07:26:47Z\",\"createdTimeUtc\":\"2026-03-25T07:26:47Z\",\"lastModifiedBy\":{\"objectId\":\"6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb\",\"email\":\"t-helezra@microsoft.com\",\"name\":\"Hadas Elezra\",\"userPrincipalName\":\"t-helezra@microsoft.com\"},\"createdBy\":{\"objectId\":\"6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb\",\"email\":\"t-helezra@microsoft.com\",\"name\":\"Hadas Elezra\",\"userPrincipalName\":\"t-helezra@microsoft.com\"}}}", "isContentBase64": false } }, - "Remove-AzSentinelAutomationRule+[NoContext]+DeleteViaIdentity+$DELETE+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/automationRules/ab65a956-23b7-44a0-8a32-cb8d62d389d8?api-version=2021-09-01-preview+2": { + "Remove-AzSentinelAutomationRule+[NoContext]+DeleteViaIdentity+$DELETE+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/automationRules/ac54957e-9b2d-40fa-89aa-ccb79edb3289?api-version=2021-09-01-preview+2": { "Request": { "Method": "DELETE", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/automationRules/ab65a956-23b7-44a0-8a32-cb8d62d389d8?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/automationRules/ac54957e-9b2d-40fa-89aa-ccb79edb3289?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "262" ], - "x-ms-client-request-id": [ "773c7cc0-b075-4ac2-bf11-4f5d31b4fb17" ], + "x-ms-unique-id": [ "105" ], + "x-ms-client-request-id": [ "779f11b6-441e-4045-b487-5cdc28005099" ], "CommandName": [ "Remove-AzSentinelAutomationRule" ], "FullCommandName": [ "Remove-AzSentinelAutomationRule_DeleteViaIdentity" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], + "User-Agent": [ "AzurePowershell/v15.4.0", "PSVersion/v7.6.0", "Az.SecurityInsights/3.2.1" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { @@ -104,14 +110,17 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-deletes": [ "14994" ], - "x-ms-request-id": [ "ca5505ae-7d96-4ebf-ab07-86ac3e66831d" ], - "x-ms-correlation-request-id": [ "ca5505ae-7d96-4ebf-ab07-86ac3e66831d" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160820Z:ca5505ae-7d96-4ebf-ab07-86ac3e66831d" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/7a9167b6-07d9-4167-9f60-c42eff954e91" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-ratelimit-remaining-subscription-deletes": [ "799" ], + "x-ms-ratelimit-remaining-subscription-global-deletes": [ "11999" ], + "x-ms-request-id": [ "05e2812a-a7e8-4eff-859e-ec2bf3ab674d" ], + "x-ms-correlation-request-id": [ "05e2812a-a7e8-4eff-859e-ec2bf3ab674d" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074553Z:05e2812a-a7e8-4eff-859e-ec2bf3ab674d" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:08:19 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: 5144F0D4FC5C47DE8FD751587FEA3470 Ref B: AMS231020512027 Ref C: 2026-03-25T07:45:53Z" ], + "Date": [ "Wed, 25 Mar 2026 07:45:53 GMT" ] }, "ContentHeaders": { "Content-Length": [ "2" ], diff --git a/src/SecurityInsights/SecurityInsights.Autorest/test/Remove-AzSentinelBookmark.Recording.json b/src/SecurityInsights/SecurityInsights.Autorest/test/Remove-AzSentinelBookmark.Recording.json index 89bcf03c2bbe..178cf2e911ac 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/test/Remove-AzSentinelBookmark.Recording.json +++ b/src/SecurityInsights/SecurityInsights.Autorest/test/Remove-AzSentinelBookmark.Recording.json @@ -1,17 +1,17 @@ { - "Remove-AzSentinelBookmark+[NoContext]+Delete+$DELETE+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/bookmarks/08b39573-4a73-4ac3-a733-8cd78a538c72?api-version=2021-09-01-preview+1": { + "Remove-AzSentinelBookmark+[NoContext]+Delete+$DELETE+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/bookmarks/71ea1e76-7804-472e-90e6-fee48afe4b2e?api-version=2021-09-01-preview+1": { "Request": { "Method": "DELETE", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/bookmarks/08b39573-4a73-4ac3-a733-8cd78a538c72?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/bookmarks/71ea1e76-7804-472e-90e6-fee48afe4b2e?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "263" ], - "x-ms-client-request-id": [ "b6675fae-b0a7-4535-8404-e7fc767ba948" ], + "x-ms-unique-id": [ "106" ], + "x-ms-client-request-id": [ "526c4cc1-8dd8-4b5d-950e-01cb159985e5" ], "CommandName": [ "Remove-AzSentinelBookmark" ], "FullCommandName": [ "Remove-AzSentinelBookmark_Delete" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], + "User-Agent": [ "AzurePowershell/v15.4.0", "PSVersion/v7.6.0", "Az.SecurityInsights/3.2.1" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { @@ -22,14 +22,17 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-deletes": [ "14993" ], - "x-ms-request-id": [ "3a1dbe1c-8b94-4f46-92cf-634dc18c6675" ], - "x-ms-correlation-request-id": [ "3a1dbe1c-8b94-4f46-92cf-634dc18c6675" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160821Z:3a1dbe1c-8b94-4f46-92cf-634dc18c6675" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/e886e705-0b79-4ca2-a60a-3d8d47865b6d" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-ratelimit-remaining-subscription-deletes": [ "799" ], + "x-ms-ratelimit-remaining-subscription-global-deletes": [ "11999" ], + "x-ms-request-id": [ "e62cc738-91dc-4d3d-bde5-2b3905532b94" ], + "x-ms-correlation-request-id": [ "e62cc738-91dc-4d3d-bde5-2b3905532b94" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074554Z:e62cc738-91dc-4d3d-bde5-2b3905532b94" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:08:20 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: F6258AEFB3E041CCBD12EFADC7E023A9 Ref B: AMS231020512027 Ref C: 2026-03-25T07:45:54Z" ], + "Date": [ "Wed, 25 Mar 2026 07:45:54 GMT" ] }, "ContentHeaders": { "Content-Length": [ "2" ], @@ -40,19 +43,19 @@ "isContentBase64": false } }, - "Remove-AzSentinelBookmark+[NoContext]+DeleteViaIdentity+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/bookmarks/373872c1-6eda-475c-a5ec-f0bfbd39fdf6?api-version=2021-09-01-preview+1": { + "Remove-AzSentinelBookmark+[NoContext]+DeleteViaIdentity+$GET+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/bookmarks/095360de-bcfe-42e7-ac78-a7a259dabb97?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/bookmarks/373872c1-6eda-475c-a5ec-f0bfbd39fdf6?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/bookmarks/095360de-bcfe-42e7-ac78-a7a259dabb97?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "264" ], - "x-ms-client-request-id": [ "b768533c-72b5-49fb-959a-156e7fae2f9c" ], + "x-ms-unique-id": [ "107" ], + "x-ms-client-request-id": [ "bbeed574-4ebe-4daf-b54e-2fef79421555" ], "CommandName": [ "Get-AzSentinelBookmark" ], "FullCommandName": [ "Get-AzSentinelBookmark_Get" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], + "User-Agent": [ "AzurePowershell/v15.4.0", "PSVersion/v7.6.0", "Az.SecurityInsights/3.2.1" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { @@ -63,37 +66,41 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11940" ], - "x-ms-request-id": [ "b9d75d8d-abd0-41eb-828c-2282f9ee2c94" ], - "x-ms-correlation-request-id": [ "b9d75d8d-abd0-41eb-828c-2282f9ee2c94" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160821Z:b9d75d8d-abd0-41eb-828c-2282f9ee2c94" ], + "Vary": [ "Accept-Encoding" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "1099" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/af42a483-8b75-4cb7-81b6-9889b16a3eea" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-ratelimit-remaining-subscription-global-reads": [ "16499" ], + "x-ms-request-id": [ "182c332b-c6b3-4099-ab6c-63a76f753a45" ], + "x-ms-correlation-request-id": [ "182c332b-c6b3-4099-ab6c-63a76f753a45" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074555Z:182c332b-c6b3-4099-ab6c-63a76f753a45" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:08:20 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: 9E7F787BA1F44B629B62FB879BD7CBF8 Ref B: AMS231020512027 Ref C: 2026-03-25T07:45:55Z" ], + "Date": [ "Wed, 25 Mar 2026 07:45:54 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "5296" ], + "Content-Length": [ "5286" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Bookmarks/373872c1-6eda-475c-a5ec-f0bfbd39fdf6\",\"name\":\"373872c1-6eda-475c-a5ec-f0bfbd39fdf6\",\"etag\":\"\\\"3c004e8a-0000-0100-0000-62fbbca70000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"RemoveViaIdbookmark1daqtg\",\"created\":\"2022-08-16T15:49:58.9862689+00:00\",\"updated\":\"2022-08-16T15:49:58.9862689+00:00\",\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2022-08-16T03:00:00+00:00\",\"notes\":\"Notes go here\",\"labels\":[\"asptest\"],\"query\":\"SigninLogs_CL\",\"queryResult\":\"{\\\"TenantId\\\":\\\"6ad64079-1c3e-4672-bc2d-08df98ad5751\\\",\\\"SourceSystem\\\":\\\"RestAPI\\\",\\\"MG\\\":\\\"\\\",\\\"ManagementGroupName\\\":\\\"\\\",\\\"TimeGenerated\\\":\\\"2021-12-08T03:59:19.262Z\\\",\\\"Computer\\\":\\\"\\\",\\\"RawData\\\":\\\"\\\",\\\"ResourceId\\\":\\\"/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam\\\",\\\"OperationName\\\":\\\"Sign-in activity\\\",\\\"OperationVersion\\\":\\\"1\\\",\\\"Category\\\":\\\"SignInLogs\\\",\\\"ResultType\\\":\\\"0\\\",\\\"ResultSignature\\\":\\\"None\\\",\\\"ResultDescription\\\":\\\"\\\",\\\"DurationMs\\\":0,\\\"CorrelationId\\\":\\\"f9ff9ee8-d565-478b-bc95-8b4f0d468fe1\\\",\\\"Resource\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceGroup\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceProvider\\\":\\\"\\\",\\\"Identity_s\\\":\\\"Adele Vance\\\",\\\"Level\\\":\\\"4\\\",\\\"Location_s\\\":\\\"IL\\\",\\\"AlternateSignInName_s\\\":\\\"\\\",\\\"AppDisplayName_s\\\":\\\"Azure Portal\\\",\\\"AppId_g\\\":\\\"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\\\",\\\"AuthenticationDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"authenticationStepDateTime\\\\\\\": \\\\\\\"2021-04-28T14:08:45.2213421+00:00\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationMethod\\\\\\\": \\\\\\\"Previously satisfied\\\\\\\",\\\\r\\\\n \\\\\\\"succeeded\\\\\\\": true,\\\\r\\\\n \\\\\\\"authenticationStepResultDetail\\\\\\\": \\\\\\\"First factor requirement satisfied by claim in the token\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationStepRequirement\\\\\\\": \\\\\\\"Primary authentication\\\\\\\",\\\\r\\\\n \\\\\\\"StatusSequence\\\\\\\": 0,\\\\r\\\\n \\\\\\\"RequestSequence\\\\\\\": 0\\\\r\\\\n }\\\\r\\\\n]\\\",\\\"AuthenticationMethodsUsed_s\\\":\\\"\\\",\\\"AuthenticationProcessingDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"key\\\\\\\": \\\\\\\"IsCAEToken\\\\\\\",\\\\r\\\\n \\\\\\\"value\\\\\\\": \\\\\\\"False\\\\\\\"\\\\r\\\\n }\\\\r\\\\n]\\\",\\\"AuthenticationRequirement_s\\\":\\\"singleFactorAuthentication\\\",\\\"AuthenticationRequirementPolicies_s\\\":\\\"[]\\\",\\\"ClientAppUsed_s\\\":\\\"Browser\\\",\\\"ConditionalAccessPolicies_dynamic_s\\\":\\\"[{\\\\\\\"enforcedSessionControls\\\\\\\":[],\\\\\\\"conditionsNotSatisfied\\\\\\\":0,\\\\\\\"enforcedGrantControls\\\\\\\":[],\\\\\\\"conditionsSatisfied\\\\\\\":0,\\\\\\\"displayName\\\\\\\":\\\\\\\"Exchange Online Requires Compliant Device\\\\\\\",\\\\\\\"result\\\\\\\":\\\\\\\"notEnabled\\\\\\\",\\\\\\\"id\\\\\\\":\\\\\\\"defb835a-eb9f-4346-a2ca-7a9184867bf1\\\\\\\"}]\\\",\\\"ConditionalAccessPolicies_string_s\\\":\\\"\\\",\\\"ConditionalAccessStatus_s\\\":\\\"notApplied\\\",\\\"CreatedDateTime_UTC__s\\\":\\\"4/28/2021, 2:08:45.221 PM\\\",\\\"DeviceDetail_dynamic_s\\\":\\\"{\\\\\\\"operatingSystem\\\\\\\":\\\\\\\"Windows 10\\\\\\\",\\\\\\\"deviceId\\\\\\\":\\\\\\\"\\\\\\\",\\\\\\\"browser\\\\\\\":\\\\\\\"Edge 90.0.818\\\\\\\"}\\\",\\\"DeviceDetail_string_s\\\":\\\"\\\",\\\"IsInteractive_s\\\":\\\"TRUE\\\",\\\"Id_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"IPAddress\\\":\\\"175.45.176.99\\\",\\\"IsRisky_s\\\":\\\"\\\",\\\"LocationDetails_dynamic_s\\\":\\\"{\\\\\\\"countryOrRegion\\\\\\\":\\\\\\\"IL\\\\\\\",\\\\\\\"geoCoordinates\\\\\\\":{\\\\\\\"longitude\\\\\\\":34.79964828491211,\\\\\\\"latitude\\\\\\\":32.02956008911133},\\\\\\\"state\\\\\\\":\\\\\\\"Tel Aviv\\\\\\\",\\\\\\\"city\\\\\\\":\\\\\\\"Azor\\\\\\\"}\\\",\\\"LocationDetails_string_s\\\":\\\"\\\",\\\"MfaDetail_dynamic_s\\\":\\\"{}\\\",\\\"MfaDetail_string_s\\\":\\\"\\\",\\\"NetworkLocationDetails_s\\\":\\\"[]\\\",\\\"OriginalRequestId_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"ProcessingTimeInMilliseconds_s\\\":\\\"3535\\\",\\\"RiskDetail_s\\\":\\\"none\\\",\\\"RiskEventTypes_s\\\":\\\"[]\\\",\\\"RiskEventTypes_V2_s\\\":\\\"[]\\\",\\\"RiskLevelAggregated_s\\\":\\\"none\\\",\\\"RiskLevelDuringSignIn_s\\\":\\\"none\\\",\\\"RiskState_s\\\":\\\"none\\\",\\\"ResourceDisplayName_s\\\":\\\"Windows Azure Service Management API\\\",\\\"ResourceIdentity_g\\\":\\\"797f4846-ba00-4fd7-ba43-dac1f8f63013\\\",\\\"ServicePrincipalId_s\\\":\\\"\\\",\\\"ServicePrincipalName_s\\\":\\\"\\\",\\\"Status_dynamic_s\\\":\\\"{\\\\\\\"errorCode\\\\\\\":0}\\\",\\\"Status_string_s\\\":\\\"\\\",\\\"TokenIssuerName_s\\\":\\\"\\\",\\\"TokenIssuerType_s\\\":\\\"AzureAD\\\",\\\"UserAgent_s\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49\\\",\\\"UserDisplayName_s\\\":\\\"Adele Vance\\\",\\\"UserId_g\\\":\\\"9b117c67-170e-4aed-9702-658b3fddc889\\\",\\\"UserPrincipalName_s\\\":\\\"adelev@m365x816222.onmicrosoft.com\\\",\\\"AADTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"UserType_s\\\":\\\"Member\\\",\\\"FlaggedForReview_s\\\":\\\"\\\",\\\"SignInIdentifier_s\\\":\\\"\\\",\\\"SignInIdentifierType_s\\\":\\\"\\\",\\\"ResourceTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"HomeTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"Type_s\\\":\\\"SigninLogs\\\",\\\"AdditionalDetails_s\\\":\\\"\\\",\\\"InitiatedBy_s\\\":\\\"\\\",\\\"ResourceIdentity_s\\\":\\\"\\\",\\\"HomeTenantId_s\\\":\\\"\\\",\\\"Type\\\":\\\"SigninLogs_CL\\\",\\\"_ResourceId\\\":\\\"\\\"}\",\"queryStartTime\":\"2022-08-15T03:00:00+00:00\",\"queryEndTime\":\"2022-08-16T03:00:00+00:00\",\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}}", + "Content": "{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Bookmarks/095360de-bcfe-42e7-ac78-a7a259dabb97\",\"name\":\"095360de-bcfe-42e7-ac78-a7a259dabb97\",\"etag\":\"\\\"3b00f5f6-0000-0100-0000-69c38e600000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"RemoveViaIdbookmarkn8d5yt\",\"created\":\"2026-03-25T07:27:28.5221427+00:00\",\"updated\":\"2026-03-25T07:27:28.5221427+00:00\",\"createdBy\":{\"objectId\":\"6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb\",\"email\":\"t-helezra@microsoft.com\",\"name\":\"Hadas Elezra\"},\"updatedBy\":{\"objectId\":\"6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb\",\"email\":\"t-helezra@microsoft.com\",\"name\":\"Hadas Elezra\"},\"eventTime\":\"2026-03-25T07:00:00+00:00\",\"notes\":\"Notes go here\",\"labels\":[\"asptest\"],\"query\":\"SigninLogs_CL\",\"queryResult\":\"{\\\"TenantId\\\":\\\"6ad64079-1c3e-4672-bc2d-08df98ad5751\\\",\\\"SourceSystem\\\":\\\"RestAPI\\\",\\\"MG\\\":\\\"\\\",\\\"ManagementGroupName\\\":\\\"\\\",\\\"TimeGenerated\\\":\\\"2021-12-08T03:59:19.262Z\\\",\\\"Computer\\\":\\\"\\\",\\\"RawData\\\":\\\"\\\",\\\"ResourceId\\\":\\\"/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam\\\",\\\"OperationName\\\":\\\"Sign-in activity\\\",\\\"OperationVersion\\\":\\\"1\\\",\\\"Category\\\":\\\"SignInLogs\\\",\\\"ResultType\\\":\\\"0\\\",\\\"ResultSignature\\\":\\\"None\\\",\\\"ResultDescription\\\":\\\"\\\",\\\"DurationMs\\\":0,\\\"CorrelationId\\\":\\\"f9ff9ee8-d565-478b-bc95-8b4f0d468fe1\\\",\\\"Resource\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceGroup\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceProvider\\\":\\\"\\\",\\\"Identity_s\\\":\\\"Adele Vance\\\",\\\"Level\\\":\\\"4\\\",\\\"Location_s\\\":\\\"IL\\\",\\\"AlternateSignInName_s\\\":\\\"\\\",\\\"AppDisplayName_s\\\":\\\"Azure Portal\\\",\\\"AppId_g\\\":\\\"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\\\",\\\"AuthenticationDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"authenticationStepDateTime\\\\\\\": \\\\\\\"2021-04-28T14:08:45.2213421+00:00\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationMethod\\\\\\\": \\\\\\\"Previously satisfied\\\\\\\",\\\\r\\\\n \\\\\\\"succeeded\\\\\\\": true,\\\\r\\\\n \\\\\\\"authenticationStepResultDetail\\\\\\\": \\\\\\\"First factor requirement satisfied by claim in the token\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationStepRequirement\\\\\\\": \\\\\\\"Primary authentication\\\\\\\",\\\\r\\\\n \\\\\\\"StatusSequence\\\\\\\": 0,\\\\r\\\\n \\\\\\\"RequestSequence\\\\\\\": 0\\\\r\\\\n }\\\\r\\\\n]\\\",\\\"AuthenticationMethodsUsed_s\\\":\\\"\\\",\\\"AuthenticationProcessingDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"key\\\\\\\": \\\\\\\"IsCAEToken\\\\\\\",\\\\r\\\\n \\\\\\\"value\\\\\\\": \\\\\\\"False\\\\\\\"\\\\r\\\\n }\\\\r\\\\n]\\\",\\\"AuthenticationRequirement_s\\\":\\\"singleFactorAuthentication\\\",\\\"AuthenticationRequirementPolicies_s\\\":\\\"[]\\\",\\\"ClientAppUsed_s\\\":\\\"Browser\\\",\\\"ConditionalAccessPolicies_dynamic_s\\\":\\\"[{\\\\\\\"enforcedSessionControls\\\\\\\":[],\\\\\\\"conditionsNotSatisfied\\\\\\\":0,\\\\\\\"enforcedGrantControls\\\\\\\":[],\\\\\\\"conditionsSatisfied\\\\\\\":0,\\\\\\\"displayName\\\\\\\":\\\\\\\"Exchange Online Requires Compliant Device\\\\\\\",\\\\\\\"result\\\\\\\":\\\\\\\"notEnabled\\\\\\\",\\\\\\\"id\\\\\\\":\\\\\\\"defb835a-eb9f-4346-a2ca-7a9184867bf1\\\\\\\"}]\\\",\\\"ConditionalAccessPolicies_string_s\\\":\\\"\\\",\\\"ConditionalAccessStatus_s\\\":\\\"notApplied\\\",\\\"CreatedDateTime_UTC__s\\\":\\\"4/28/2021, 2:08:45.221 PM\\\",\\\"DeviceDetail_dynamic_s\\\":\\\"{\\\\\\\"operatingSystem\\\\\\\":\\\\\\\"Windows 10\\\\\\\",\\\\\\\"deviceId\\\\\\\":\\\\\\\"\\\\\\\",\\\\\\\"browser\\\\\\\":\\\\\\\"Edge 90.0.818\\\\\\\"}\\\",\\\"DeviceDetail_string_s\\\":\\\"\\\",\\\"IsInteractive_s\\\":\\\"TRUE\\\",\\\"Id_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"IPAddress\\\":\\\"175.45.176.99\\\",\\\"IsRisky_s\\\":\\\"\\\",\\\"LocationDetails_dynamic_s\\\":\\\"{\\\\\\\"countryOrRegion\\\\\\\":\\\\\\\"IL\\\\\\\",\\\\\\\"geoCoordinates\\\\\\\":{\\\\\\\"longitude\\\\\\\":34.79964828491211,\\\\\\\"latitude\\\\\\\":32.02956008911133},\\\\\\\"state\\\\\\\":\\\\\\\"Tel Aviv\\\\\\\",\\\\\\\"city\\\\\\\":\\\\\\\"Azor\\\\\\\"}\\\",\\\"LocationDetails_string_s\\\":\\\"\\\",\\\"MfaDetail_dynamic_s\\\":\\\"{}\\\",\\\"MfaDetail_string_s\\\":\\\"\\\",\\\"NetworkLocationDetails_s\\\":\\\"[]\\\",\\\"OriginalRequestId_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"ProcessingTimeInMilliseconds_s\\\":\\\"3535\\\",\\\"RiskDetail_s\\\":\\\"none\\\",\\\"RiskEventTypes_s\\\":\\\"[]\\\",\\\"RiskEventTypes_V2_s\\\":\\\"[]\\\",\\\"RiskLevelAggregated_s\\\":\\\"none\\\",\\\"RiskLevelDuringSignIn_s\\\":\\\"none\\\",\\\"RiskState_s\\\":\\\"none\\\",\\\"ResourceDisplayName_s\\\":\\\"Windows Azure Service Management API\\\",\\\"ResourceIdentity_g\\\":\\\"797f4846-ba00-4fd7-ba43-dac1f8f63013\\\",\\\"ServicePrincipalId_s\\\":\\\"\\\",\\\"ServicePrincipalName_s\\\":\\\"\\\",\\\"Status_dynamic_s\\\":\\\"{\\\\\\\"errorCode\\\\\\\":0}\\\",\\\"Status_string_s\\\":\\\"\\\",\\\"TokenIssuerName_s\\\":\\\"\\\",\\\"TokenIssuerType_s\\\":\\\"AzureAD\\\",\\\"UserAgent_s\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49\\\",\\\"UserDisplayName_s\\\":\\\"Adele Vance\\\",\\\"UserId_g\\\":\\\"9b117c67-170e-4aed-9702-658b3fddc889\\\",\\\"UserPrincipalName_s\\\":\\\"adelev@m365x816222.onmicrosoft.com\\\",\\\"AADTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"UserType_s\\\":\\\"Member\\\",\\\"FlaggedForReview_s\\\":\\\"\\\",\\\"SignInIdentifier_s\\\":\\\"\\\",\\\"SignInIdentifierType_s\\\":\\\"\\\",\\\"ResourceTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"HomeTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"Type_s\\\":\\\"SigninLogs\\\",\\\"AdditionalDetails_s\\\":\\\"\\\",\\\"InitiatedBy_s\\\":\\\"\\\",\\\"ResourceIdentity_s\\\":\\\"\\\",\\\"HomeTenantId_s\\\":\\\"\\\",\\\"Type\\\":\\\"SigninLogs_CL\\\",\\\"_ResourceId\\\":\\\"\\\"}\",\"queryStartTime\":\"2026-03-24T07:00:00+00:00\",\"queryEndTime\":\"2026-03-25T07:00:00+00:00\",\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}}", "isContentBase64": false } }, - "Remove-AzSentinelBookmark+[NoContext]+DeleteViaIdentity+$DELETE+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/bookmarks/373872c1-6eda-475c-a5ec-f0bfbd39fdf6?api-version=2021-09-01-preview+2": { + "Remove-AzSentinelBookmark+[NoContext]+DeleteViaIdentity+$DELETE+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/bookmarks/095360de-bcfe-42e7-ac78-a7a259dabb97?api-version=2021-09-01-preview+2": { "Request": { "Method": "DELETE", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/bookmarks/373872c1-6eda-475c-a5ec-f0bfbd39fdf6?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/bookmarks/095360de-bcfe-42e7-ac78-a7a259dabb97?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "265" ], - "x-ms-client-request-id": [ "438eceed-4cc8-4f2c-b9ea-9faac3a22465" ], + "x-ms-unique-id": [ "108" ], + "x-ms-client-request-id": [ "4bcd0daf-09d9-4939-b290-313d317c2b09" ], "CommandName": [ "Remove-AzSentinelBookmark" ], "FullCommandName": [ "Remove-AzSentinelBookmark_DeleteViaIdentity" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], + "User-Agent": [ "AzurePowershell/v15.4.0", "PSVersion/v7.6.0", "Az.SecurityInsights/3.2.1" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { @@ -104,14 +111,17 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-deletes": [ "14992" ], - "x-ms-request-id": [ "30ea2a99-c20b-495e-a085-a64ddf7e3354" ], - "x-ms-correlation-request-id": [ "30ea2a99-c20b-495e-a085-a64ddf7e3354" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160821Z:30ea2a99-c20b-495e-a085-a64ddf7e3354" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/7655f3c9-e053-4c02-89c6-ad4094955187" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-ratelimit-remaining-subscription-deletes": [ "798" ], + "x-ms-ratelimit-remaining-subscription-global-deletes": [ "11998" ], + "x-ms-request-id": [ "71ac7b5e-2811-4c19-a272-c511c834b9e5" ], + "x-ms-correlation-request-id": [ "71ac7b5e-2811-4c19-a272-c511c834b9e5" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074555Z:71ac7b5e-2811-4c19-a272-c511c834b9e5" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:08:20 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: DAEAE304916D4123B28199BDAF2683E2 Ref B: AMS231020512027 Ref C: 2026-03-25T07:45:55Z" ], + "Date": [ "Wed, 25 Mar 2026 07:45:55 GMT" ] }, "ContentHeaders": { "Content-Length": [ "2" ], diff --git a/src/SecurityInsights/SecurityInsights.Autorest/test/Remove-AzSentinelBookmarkRelation.Recording.json b/src/SecurityInsights/SecurityInsights.Autorest/test/Remove-AzSentinelBookmarkRelation.Recording.json index f5b5264c854e..5ed8b08759cf 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/test/Remove-AzSentinelBookmarkRelation.Recording.json +++ b/src/SecurityInsights/SecurityInsights.Autorest/test/Remove-AzSentinelBookmarkRelation.Recording.json @@ -1,17 +1,17 @@ { - "Remove-AzSentinelBookmarkRelation+[NoContext]+Delete+$DELETE+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/bookmarks/b3693620-4305-45cb-97f3-a6894f82288e/relations/ef983c5e-fe25-44b2-ad14-f37a30558d24?api-version=2021-09-01-preview+1": { + "Remove-AzSentinelBookmarkRelation+[NoContext]+Delete+$DELETE+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/bookmarks/5dea8be8-4487-4714-adad-1f935ce6b752/relations/2d1c854b-c1d2-4fd0-ba28-e35aaecc924d?api-version=2021-09-01-preview+1": { "Request": { "Method": "DELETE", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/bookmarks/b3693620-4305-45cb-97f3-a6894f82288e/relations/ef983c5e-fe25-44b2-ad14-f37a30558d24?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/bookmarks/5dea8be8-4487-4714-adad-1f935ce6b752/relations/2d1c854b-c1d2-4fd0-ba28-e35aaecc924d?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "266" ], - "x-ms-client-request-id": [ "74bca262-252b-4f5f-a778-14df7c968c9c" ], + "x-ms-unique-id": [ "109" ], + "x-ms-client-request-id": [ "32457a10-014b-4274-b483-0fcb8b96404e" ], "CommandName": [ "Remove-AzSentinelBookmarkRelation" ], "FullCommandName": [ "Remove-AzSentinelBookmarkRelation_Delete" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], + "User-Agent": [ "AzurePowershell/v15.4.0", "PSVersion/v7.6.0", "Az.SecurityInsights/3.2.1" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { @@ -22,14 +22,17 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-deletes": [ "14991" ], - "x-ms-request-id": [ "1b310174-2bc4-45b6-b028-f86f835e7ed5" ], - "x-ms-correlation-request-id": [ "1b310174-2bc4-45b6-b028-f86f835e7ed5" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160822Z:1b310174-2bc4-45b6-b028-f86f835e7ed5" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/05632fb3-bbe5-46b0-b514-8bc7b68231e4" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-ratelimit-remaining-subscription-deletes": [ "799" ], + "x-ms-ratelimit-remaining-subscription-global-deletes": [ "11999" ], + "x-ms-request-id": [ "5063c118-a41d-4517-bd85-65e4da2f7ae8" ], + "x-ms-correlation-request-id": [ "5063c118-a41d-4517-bd85-65e4da2f7ae8" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074557Z:5063c118-a41d-4517-bd85-65e4da2f7ae8" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:08:21 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: 5917CB4815FF40FC94C452F1ED30D231 Ref B: AMS231020512027 Ref C: 2026-03-25T07:45:56Z" ], + "Date": [ "Wed, 25 Mar 2026 07:45:56 GMT" ] }, "ContentHeaders": { "Content-Length": [ "2" ], @@ -40,19 +43,19 @@ "isContentBase64": false } }, - "Remove-AzSentinelBookmarkRelation+[NoContext]+DeleteViaIdentity+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/bookmarks/72eeef12-d9c9-43e4-9f0c-8b117465ccb9/relations/c77c1bd8-ffc8-4467-a549-e9114f8913d8?api-version=2021-09-01-preview+1": { + "Remove-AzSentinelBookmarkRelation+[NoContext]+DeleteViaIdentity+$GET+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/bookmarks/f91b4caf-6e2f-4ba2-bf8d-c8fbde102350/relations/e87a0449-54e0-4807-bbfd-780bfbe4e471?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/bookmarks/72eeef12-d9c9-43e4-9f0c-8b117465ccb9/relations/c77c1bd8-ffc8-4467-a549-e9114f8913d8?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/bookmarks/f91b4caf-6e2f-4ba2-bf8d-c8fbde102350/relations/e87a0449-54e0-4807-bbfd-780bfbe4e471?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "267" ], - "x-ms-client-request-id": [ "88ba86fd-ee08-47ef-b123-efa73d1629a2" ], + "x-ms-unique-id": [ "110" ], + "x-ms-client-request-id": [ "134e857b-35d5-439d-8bfe-e4ed4e98e384" ], "CommandName": [ "Get-AzSentinelBookmarkRelation" ], "FullCommandName": [ "Get-AzSentinelBookmarkRelation_Get" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], + "User-Agent": [ "AzurePowershell/v15.4.0", "PSVersion/v7.6.0", "Az.SecurityInsights/3.2.1" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { @@ -63,37 +66,41 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11939" ], - "x-ms-request-id": [ "173cb668-ed47-41e4-9157-de6759f7e3f8" ], - "x-ms-correlation-request-id": [ "173cb668-ed47-41e4-9157-de6759f7e3f8" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160822Z:173cb668-ed47-41e4-9157-de6759f7e3f8" ], + "Vary": [ "Accept-Encoding" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "1099" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/8480afa3-5ccd-42b2-aca6-45c849826e69" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-ratelimit-remaining-subscription-global-reads": [ "16499" ], + "x-ms-request-id": [ "79348f1e-c1f7-4de0-acde-6247189bedd4" ], + "x-ms-correlation-request-id": [ "79348f1e-c1f7-4de0-acde-6247189bedd4" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074557Z:79348f1e-c1f7-4de0-acde-6247189bedd4" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:08:21 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: E36C50A386994303ACEC15AE8ACE46AB Ref B: AMS231020512027 Ref C: 2026-03-25T07:45:57Z" ], + "Date": [ "Wed, 25 Mar 2026 07:45:57 GMT" ] }, "ContentHeaders": { "Content-Length": [ "828" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Bookmarks/72eeef12-d9c9-43e4-9f0c-8b117465ccb9/relations/c77c1bd8-ffc8-4467-a549-e9114f8913d8\",\"name\":\"c77c1bd8-ffc8-4467-a549-e9114f8913d8\",\"etag\":\"\\\"3c00f68a-0000-0100-0000-62fbbd690000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks/relations\",\"properties\":{\"relatedResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/62ce8785-21b2-4262-be4d-5208b35d255a\",\"relatedResourceName\":\"62ce8785-21b2-4262-be4d-5208b35d255a\",\"relatedResourceType\":\"Microsoft.SecurityInsights/Incidents\"}}", + "Content": "{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Bookmarks/f91b4caf-6e2f-4ba2-bf8d-c8fbde102350/relations/e87a0449-54e0-4807-bbfd-780bfbe4e471\",\"name\":\"e87a0449-54e0-4807-bbfd-780bfbe4e471\",\"etag\":\"\\\"3c006101-0000-0100-0000-69c38e920000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks/relations\",\"properties\":{\"relatedResourceId\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/21818327-2522-4bca-a761-889f6ae7387d\",\"relatedResourceName\":\"21818327-2522-4bca-a761-889f6ae7387d\",\"relatedResourceType\":\"Microsoft.SecurityInsights/Incidents\"}}", "isContentBase64": false } }, - "Remove-AzSentinelBookmarkRelation+[NoContext]+DeleteViaIdentity+$DELETE+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/bookmarks/72eeef12-d9c9-43e4-9f0c-8b117465ccb9/relations/c77c1bd8-ffc8-4467-a549-e9114f8913d8?api-version=2021-09-01-preview+2": { + "Remove-AzSentinelBookmarkRelation+[NoContext]+DeleteViaIdentity+$DELETE+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/bookmarks/f91b4caf-6e2f-4ba2-bf8d-c8fbde102350/relations/e87a0449-54e0-4807-bbfd-780bfbe4e471?api-version=2021-09-01-preview+2": { "Request": { "Method": "DELETE", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/bookmarks/72eeef12-d9c9-43e4-9f0c-8b117465ccb9/relations/c77c1bd8-ffc8-4467-a549-e9114f8913d8?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/bookmarks/f91b4caf-6e2f-4ba2-bf8d-c8fbde102350/relations/e87a0449-54e0-4807-bbfd-780bfbe4e471?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "268" ], - "x-ms-client-request-id": [ "bf077025-8203-40e9-a31c-659d4c399ce0" ], + "x-ms-unique-id": [ "111" ], + "x-ms-client-request-id": [ "2c5d00a8-0f9b-4f9e-b426-98fd0b080c17" ], "CommandName": [ "Remove-AzSentinelBookmarkRelation" ], "FullCommandName": [ "Remove-AzSentinelBookmarkRelation_DeleteViaIdentity" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], + "User-Agent": [ "AzurePowershell/v15.4.0", "PSVersion/v7.6.0", "Az.SecurityInsights/3.2.1" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { @@ -104,14 +111,17 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-deletes": [ "14990" ], - "x-ms-request-id": [ "401ff7d9-c978-4938-88e8-4227c3c428e0" ], - "x-ms-correlation-request-id": [ "401ff7d9-c978-4938-88e8-4227c3c428e0" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160822Z:401ff7d9-c978-4938-88e8-4227c3c428e0" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/f0ba3ae5-da0b-4c2f-aaff-676ccddf5e77" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-ratelimit-remaining-subscription-deletes": [ "798" ], + "x-ms-ratelimit-remaining-subscription-global-deletes": [ "11998" ], + "x-ms-request-id": [ "a40e3174-d20d-4376-92ee-cdf0b5b298e6" ], + "x-ms-correlation-request-id": [ "a40e3174-d20d-4376-92ee-cdf0b5b298e6" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074558Z:a40e3174-d20d-4376-92ee-cdf0b5b298e6" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:08:21 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: E875DB0BF355411CA6FDCE4273092BB2 Ref B: AMS231020512027 Ref C: 2026-03-25T07:45:57Z" ], + "Date": [ "Wed, 25 Mar 2026 07:45:57 GMT" ] }, "ContentHeaders": { "Content-Length": [ "2" ], diff --git a/src/SecurityInsights/SecurityInsights.Autorest/test/Remove-AzSentinelDataConnector.Recording.json b/src/SecurityInsights/SecurityInsights.Autorest/test/Remove-AzSentinelDataConnector.Recording.json index 2502e98df47c..49300a5a8e27 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/test/Remove-AzSentinelDataConnector.Recording.json +++ b/src/SecurityInsights/SecurityInsights.Autorest/test/Remove-AzSentinelDataConnector.Recording.json @@ -1,15 +1,15 @@ { - "Remove-AzSentinelDataConnector+[NoContext]+Delete+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/dataConnectors/fee9b467-294d-476a-a02c-93f178b75533?api-version=2021-09-01-preview+1": { + "Remove-AzSentinelDataConnector+[NoContext]+Delete+$PUT+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/dataConnectors/87ee73c4-216c-4d82-bcda-555b974a2930?api-version=2021-09-01-preview+1": { "Request": { "Method": "PUT", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/dataConnectors/fee9b467-294d-476a-a02c-93f178b75533?api-version=2021-09-01-preview", - "Content": "{\n \"kind\": \"MicrosoftCloudAppSecurity\",\n \"properties\": {\n \"tenantId\": \"d6eebbdd-d77c-465e-b008-4339027b4006\",\n \"dataTypes\": {\n \"alerts\": {\n \"state\": \"Enabled\"\n },\n \"discoveryLogs\": {\n \"state\": \"Disabled\"\n }\n }\n }\n}", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/dataConnectors/87ee73c4-216c-4d82-bcda-555b974a2930?api-version=2021-09-01-preview", + "Content": "{\r\n \"kind\": \"GenericUI\",\r\n \"properties\": {\r\n \"connectorUiConfig\": {\r\n \"availability\": {\r\n \"status\": 1,\r\n \"isPreview\": true\r\n },\r\n \"permissions\": {\r\n \"customs\": [\r\n {\r\n \"name\": \"TestPermission\",\r\n \"description\": \"Test permission\"\r\n }\r\n ]\r\n },\r\n \"title\": \"Test\",\r\n \"publisher\": \"Test\",\r\n \"descriptionMarkdown\": \"Test\",\r\n \"graphQueriesTableName\": \"TestTable_CL\",\r\n \"graphQueries\": [\r\n {\r\n \"metricName\": \"Events\",\r\n \"legend\": \"Events\",\r\n \"baseQuery\": \"TestTable_CL\"\r\n }\r\n ],\r\n \"sampleQueries\": [\r\n {\r\n \"description\": \"All\",\r\n \"query\": \"TestTable_CL\"\r\n }\r\n ],\r\n \"dataTypes\": [\r\n {\r\n \"name\": \"TestTable_CL\",\r\n \"lastDataReceivedQuery\": \"TestTable_CL | summarize max(TimeGenerated)\"\r\n }\r\n ],\r\n \"connectivityCriteria\": [\r\n {\r\n \"type\": \"IsConnectedQuery\",\r\n \"value\": [ \"TestTable_CL | take 1\" ]\r\n }\r\n ],\r\n \"instructionSteps\": [\r\n {\r\n \"title\": \"Connect\",\r\n \"description\": \"Test\"\r\n }\r\n ]\r\n }\r\n }\r\n}", "isContentBase64": false, "Headers": { }, "ContentHeaders": { "Content-Type": [ "application/json" ], - "Content-Length": [ "260" ] + "Content-Length": [ "1222" ] } }, "Response": { @@ -17,37 +17,39 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-resource-requests": [ "498" ], - "x-ms-request-id": [ "1224e725-0421-41c5-a77f-09c63e860977" ], - "x-ms-correlation-request-id": [ "1224e725-0421-41c5-a77f-09c63e860977" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160825Z:1224e725-0421-41c5-a77f-09c63e860977" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/0af50f8b-533f-474e-92a1-23e62e6be6cb" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "799" ], + "x-ms-request-id": [ "7bc198d7-14c0-4007-b1b3-43409b864bc7" ], + "x-ms-correlation-request-id": [ "7bc198d7-14c0-4007-b1b3-43409b864bc7" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074600Z:7bc198d7-14c0-4007-b1b3-43409b864bc7" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:08:24 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: 91B3466F59F14816822D8E702DB94CCF Ref B: AMS231020512027 Ref C: 2026-03-25T07:45:59Z" ], + "Date": [ "Wed, 25 Mar 2026 07:45:59 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "567" ], + "Content-Length": [ "1086" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/dataConnectors/fee9b467-294d-476a-a02c-93f178b75533\",\"name\":\"fee9b467-294d-476a-a02c-93f178b75533\",\"etag\":\"1df1f1f1-841a-4908-8656-d57520725fe0\",\"type\":\"Microsoft.SecurityInsights/dataConnectors\",\"kind\":\"MicrosoftCloudAppSecurity\",\"properties\":{\"dataTypes\":{\"discoveryLogs\":{\"state\":\"disabled\"},\"alerts\":{\"state\":\"enabled\"}},\"tenantId\":\"d6eebbdd-d77c-465e-b008-4339027b4006\"}}", + "Content": "{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/dataConnectors/87ee73c4-216c-4d82-bcda-555b974a2930\",\"name\":\"87ee73c4-216c-4d82-bcda-555b974a2930\",\"etag\":\"\\\"00005783-0000-0100-0000-69c392b70000\\\"\",\"type\":\"Microsoft.SecurityInsights/dataConnectors\",\"kind\":\"GenericUI\",\"properties\":{\"connectorUiConfig\":{\"availability\":{\"status\":1,\"isPreview\":true},\"permissions\":{\"customs\":[{\"name\":\"TestPermission\",\"description\":\"Test permission\"}]},\"title\":\"Test\",\"publisher\":\"Test\",\"descriptionMarkdown\":\"Test\",\"graphQueriesTableName\":\"TestTable_CL\",\"graphQueries\":[{\"metricName\":\"Events\",\"legend\":\"Events\",\"baseQuery\":\"TestTable_CL\"}],\"sampleQueries\":[{\"description\":\"All\",\"query\":\"TestTable_CL\"}],\"dataTypes\":[{\"name\":\"TestTable_CL\",\"lastDataReceivedQuery\":\"TestTable_CL | summarize max(TimeGenerated)\"}],\"connectivityCriteria\":[{\"type\":\"IsConnectedQuery\",\"value\":[\"TestTable_CL | take 1\"]}],\"instructionSteps\":[{\"title\":\"Connect\",\"description\":\"Test\"}]}}}", "isContentBase64": false } }, - "Remove-AzSentinelDataConnector+[NoContext]+Delete+$DELETE+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/dataConnectors/fee9b467-294d-476a-a02c-93f178b75533?api-version=2021-09-01-preview+2": { + "Remove-AzSentinelDataConnector+[NoContext]+Delete+$DELETE+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/dataConnectors/87ee73c4-216c-4d82-bcda-555b974a2930?api-version=2021-09-01-preview+2": { "Request": { "Method": "DELETE", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/dataConnectors/fee9b467-294d-476a-a02c-93f178b75533?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/dataConnectors/87ee73c4-216c-4d82-bcda-555b974a2930?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "270" ], - "x-ms-client-request-id": [ "ca33115f-9e1e-4ab1-972b-29ad10bd9055" ], + "x-ms-unique-id": [ "113" ], + "x-ms-client-request-id": [ "4cab400a-5c86-4093-be2e-e0de7961fb0b" ], "CommandName": [ "Remove-AzSentinelDataConnector" ], "FullCommandName": [ "Remove-AzSentinelDataConnector_Delete" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], + "User-Agent": [ "AzurePowershell/v15.4.0", "PSVersion/v7.6.0", "Az.SecurityInsights/3.2.1" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { @@ -58,14 +60,16 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-resource-requests": [ "499" ], - "x-ms-request-id": [ "a6704650-82a3-42a0-9a6c-da598caa2f25" ], - "x-ms-correlation-request-id": [ "a6704650-82a3-42a0-9a6c-da598caa2f25" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160826Z:a6704650-82a3-42a0-9a6c-da598caa2f25" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/bf544b19-63c3-4117-8f22-ccbc4d221d53" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "799" ], + "x-ms-request-id": [ "829e6c9f-8d5a-4b99-9d36-edcfec8a9821" ], + "x-ms-correlation-request-id": [ "829e6c9f-8d5a-4b99-9d36-edcfec8a9821" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074600Z:829e6c9f-8d5a-4b99-9d36-edcfec8a9821" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:08:25 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: 81B2317939224D0CAD51E34D7F4A3739 Ref B: AMS231020512027 Ref C: 2026-03-25T07:46:00Z" ], + "Date": [ "Wed, 25 Mar 2026 07:46:00 GMT" ] }, "ContentHeaders": { "Content-Length": [ "2" ], @@ -76,17 +80,17 @@ "isContentBase64": false } }, - "Remove-AzSentinelDataConnector+[NoContext]+DeleteViaIdentity+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/dataConnectors/e5723525-11fc-45ee-901a-09bef4dcf3df?api-version=2021-09-01-preview+1": { + "Remove-AzSentinelDataConnector+[NoContext]+DeleteViaIdentity+$PUT+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/dataConnectors/877f061e-b79b-4424-a55d-89f4a0030794?api-version=2021-09-01-preview+1": { "Request": { "Method": "PUT", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/dataConnectors/e5723525-11fc-45ee-901a-09bef4dcf3df?api-version=2021-09-01-preview", - "Content": "{\n \"kind\": \"MicrosoftCloudAppSecurity\",\n \"properties\": {\n \"tenantId\": \"d6eebbdd-d77c-465e-b008-4339027b4006\",\n \"dataTypes\": {\n \"alerts\": {\n \"state\": \"Enabled\"\n },\n \"discoveryLogs\": {\n \"state\": \"Disabled\"\n }\n }\n }\n}", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/dataConnectors/877f061e-b79b-4424-a55d-89f4a0030794?api-version=2021-09-01-preview", + "Content": "{\r\n \"kind\": \"GenericUI\",\r\n \"properties\": {\r\n \"connectorUiConfig\": {\r\n \"availability\": {\r\n \"status\": 1,\r\n \"isPreview\": true\r\n },\r\n \"permissions\": {\r\n \"customs\": [\r\n {\r\n \"name\": \"TestPermission\",\r\n \"description\": \"Test permission\"\r\n }\r\n ]\r\n },\r\n \"title\": \"Test2\",\r\n \"publisher\": \"Test\",\r\n \"descriptionMarkdown\": \"Test\",\r\n \"graphQueriesTableName\": \"TestTable_CL\",\r\n \"graphQueries\": [\r\n {\r\n \"metricName\": \"Events\",\r\n \"legend\": \"Events\",\r\n \"baseQuery\": \"TestTable_CL\"\r\n }\r\n ],\r\n \"sampleQueries\": [\r\n {\r\n \"description\": \"All\",\r\n \"query\": \"TestTable_CL\"\r\n }\r\n ],\r\n \"dataTypes\": [\r\n {\r\n \"name\": \"TestTable_CL\",\r\n \"lastDataReceivedQuery\": \"TestTable_CL | summarize max(TimeGenerated)\"\r\n }\r\n ],\r\n \"connectivityCriteria\": [\r\n {\r\n \"type\": \"IsConnectedQuery\",\r\n \"value\": [ \"TestTable_CL | take 1\" ]\r\n }\r\n ],\r\n \"instructionSteps\": [\r\n {\r\n \"title\": \"Connect\",\r\n \"description\": \"Test\"\r\n }\r\n ]\r\n }\r\n }\r\n}", "isContentBase64": false, "Headers": { }, "ContentHeaders": { "Content-Type": [ "application/json" ], - "Content-Length": [ "260" ] + "Content-Length": [ "1223" ] } }, "Response": { @@ -94,37 +98,39 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-resource-requests": [ "497" ], - "x-ms-request-id": [ "b770a4f5-6ea5-4988-ad3e-54ff165ba3f3" ], - "x-ms-correlation-request-id": [ "b770a4f5-6ea5-4988-ad3e-54ff165ba3f3" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160827Z:b770a4f5-6ea5-4988-ad3e-54ff165ba3f3" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/bed4a884-4259-4d0f-989e-00d9a02baef6" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "799" ], + "x-ms-request-id": [ "4165be9e-3da4-4d90-9024-8b35950bf7b2" ], + "x-ms-correlation-request-id": [ "4165be9e-3da4-4d90-9024-8b35950bf7b2" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074601Z:4165be9e-3da4-4d90-9024-8b35950bf7b2" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:08:26 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: 9697BF6A5B15445B94EF3AF61DB1827F Ref B: AMS231020512027 Ref C: 2026-03-25T07:46:01Z" ], + "Date": [ "Wed, 25 Mar 2026 07:46:01 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "567" ], + "Content-Length": [ "1087" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/dataConnectors/e5723525-11fc-45ee-901a-09bef4dcf3df\",\"name\":\"e5723525-11fc-45ee-901a-09bef4dcf3df\",\"etag\":\"526dfb41-1d23-426e-b711-7ccc39ba1b85\",\"type\":\"Microsoft.SecurityInsights/dataConnectors\",\"kind\":\"MicrosoftCloudAppSecurity\",\"properties\":{\"dataTypes\":{\"discoveryLogs\":{\"state\":\"disabled\"},\"alerts\":{\"state\":\"enabled\"}},\"tenantId\":\"d6eebbdd-d77c-465e-b008-4339027b4006\"}}", + "Content": "{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/dataConnectors/877f061e-b79b-4424-a55d-89f4a0030794\",\"name\":\"877f061e-b79b-4424-a55d-89f4a0030794\",\"etag\":\"\\\"00005883-0000-0100-0000-69c392b90000\\\"\",\"type\":\"Microsoft.SecurityInsights/dataConnectors\",\"kind\":\"GenericUI\",\"properties\":{\"connectorUiConfig\":{\"availability\":{\"status\":1,\"isPreview\":true},\"permissions\":{\"customs\":[{\"name\":\"TestPermission\",\"description\":\"Test permission\"}]},\"title\":\"Test2\",\"publisher\":\"Test\",\"descriptionMarkdown\":\"Test\",\"graphQueriesTableName\":\"TestTable_CL\",\"graphQueries\":[{\"metricName\":\"Events\",\"legend\":\"Events\",\"baseQuery\":\"TestTable_CL\"}],\"sampleQueries\":[{\"description\":\"All\",\"query\":\"TestTable_CL\"}],\"dataTypes\":[{\"name\":\"TestTable_CL\",\"lastDataReceivedQuery\":\"TestTable_CL | summarize max(TimeGenerated)\"}],\"connectivityCriteria\":[{\"type\":\"IsConnectedQuery\",\"value\":[\"TestTable_CL | take 1\"]}],\"instructionSteps\":[{\"title\":\"Connect\",\"description\":\"Test\"}]}}}", "isContentBase64": false } }, - "Remove-AzSentinelDataConnector+[NoContext]+DeleteViaIdentity+$DELETE+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/dataConnectors/e5723525-11fc-45ee-901a-09bef4dcf3df?api-version=2021-09-01-preview+2": { + "Remove-AzSentinelDataConnector+[NoContext]+DeleteViaIdentity+$DELETE+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/dataConnectors/877f061e-b79b-4424-a55d-89f4a0030794?api-version=2021-09-01-preview+2": { "Request": { "Method": "DELETE", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/dataConnectors/e5723525-11fc-45ee-901a-09bef4dcf3df?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/dataConnectors/877f061e-b79b-4424-a55d-89f4a0030794?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "272" ], - "x-ms-client-request-id": [ "e69209c0-e488-4cc2-8e2b-cbb15ec8a257" ], + "x-ms-unique-id": [ "115" ], + "x-ms-client-request-id": [ "63132379-452c-42f3-90ad-b5c3f66b5769" ], "CommandName": [ "Remove-AzSentinelDataConnector" ], "FullCommandName": [ "Remove-AzSentinelDataConnector_DeleteViaIdentity" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], + "User-Agent": [ "AzurePowershell/v15.4.0", "PSVersion/v7.6.0", "Az.SecurityInsights/3.2.1" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { @@ -135,14 +141,16 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-resource-requests": [ "498" ], - "x-ms-request-id": [ "74e34d89-e823-451e-bee7-4514f735fe6f" ], - "x-ms-correlation-request-id": [ "74e34d89-e823-451e-bee7-4514f735fe6f" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160828Z:74e34d89-e823-451e-bee7-4514f735fe6f" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/63e6ceee-5f2d-4962-9784-b295d4034392" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "799" ], + "x-ms-request-id": [ "2a48e5f7-9bf6-48bb-9b5a-9baedb089327" ], + "x-ms-correlation-request-id": [ "2a48e5f7-9bf6-48bb-9b5a-9baedb089327" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074602Z:2a48e5f7-9bf6-48bb-9b5a-9baedb089327" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:08:27 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: AF21A86EE2E2460DAC566FB160DCDDB0 Ref B: AMS231020512027 Ref C: 2026-03-25T07:46:02Z" ], + "Date": [ "Wed, 25 Mar 2026 07:46:02 GMT" ] }, "ContentHeaders": { "Content-Length": [ "2" ], diff --git a/src/SecurityInsights/SecurityInsights.Autorest/test/Remove-AzSentinelDataConnector.Tests.ps1 b/src/SecurityInsights/SecurityInsights.Autorest/test/Remove-AzSentinelDataConnector.Tests.ps1 index 649445702a87..b68f94e87842 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/test/Remove-AzSentinelDataConnector.Tests.ps1 +++ b/src/SecurityInsights/SecurityInsights.Autorest/test/Remove-AzSentinelDataConnector.Tests.ps1 @@ -15,15 +15,34 @@ if(($null -eq $TestName) -or ($TestName -contains 'Remove-AzSentinelDataConnecto } Describe 'Remove-AzSentinelDataConnector' { + # Changed from MicrosoftCloudAppSecurity to GenericUI — MCAS needs a service license we don't have. It 'Delete' { $dataConnector = New-AzSentinelDataConnector -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName ` - -Id $env.RemoveDataConnectorId -Kind 'MicrosoftCloudAppSecurity' -Alerts "Enabled" -DiscoveryLog "Disabled" + -Id $env.RemoveDataConnectorId -Kind 'GenericUI' ` + -UiConfigTitle "Test" -UiConfigPublisher "Test" -UiConfigDescriptionMarkdown "Test" ` + -UiConfigGraphQueriesTableName "TestTable_CL" ` + -UiConfigGraphQuery @(@{metricName="Events";legend="Events";baseQuery="TestTable_CL"}) ` + -UiConfigSampleQuery @(@{description="All";query="TestTable_CL"}) ` + -UiConfigDataType @(@{name="TestTable_CL";lastDataReceivedQuery="TestTable_CL | summarize max(TimeGenerated)"}) ` + -UiConfigConnectivityCriterion @(@{type="IsConnectedQuery";value=@("TestTable_CL | take 1")}) ` + -AvailabilityIsPreview $true -AvailabilityStatus 1 ` + -UiConfigInstructionStep @(@{title="Connect";description="Test"}) ` + -PermissionCustom @(@{name="TestPermission";description="Test permission"}) { Remove-AzSentinelDataConnector -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -Id $dataConnector.Name } | Should -Not -Throw } It 'DeleteViaIdentity' { $dataConnector = New-AzSentinelDataConnector -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName ` - -Id $env.RemoveDataConnectorIdInputObject -Kind 'MicrosoftCloudAppSecurity' -Alerts "Enabled" -DiscoveryLog "Disabled" + -Id $env.RemoveDataConnectorIdInputObject -Kind 'GenericUI' ` + -UiConfigTitle "Test2" -UiConfigPublisher "Test" -UiConfigDescriptionMarkdown "Test" ` + -UiConfigGraphQueriesTableName "TestTable_CL" ` + -UiConfigGraphQuery @(@{metricName="Events";legend="Events";baseQuery="TestTable_CL"}) ` + -UiConfigSampleQuery @(@{description="All";query="TestTable_CL"}) ` + -UiConfigDataType @(@{name="TestTable_CL";lastDataReceivedQuery="TestTable_CL | summarize max(TimeGenerated)"}) ` + -UiConfigConnectivityCriterion @(@{type="IsConnectedQuery";value=@("TestTable_CL | take 1")}) ` + -AvailabilityIsPreview $true -AvailabilityStatus 1 ` + -UiConfigInstructionStep @(@{title="Connect";description="Test"}) ` + -PermissionCustom @(@{name="TestPermission";description="Test permission"}) { Remove-AzSentinelDataConnector -InputObject $dataConnector } | Should -Not -Throw } } diff --git a/src/SecurityInsights/SecurityInsights.Autorest/test/Remove-AzSentinelEntityQuery.Recording.json b/src/SecurityInsights/SecurityInsights.Autorest/test/Remove-AzSentinelEntityQuery.Recording.json index 20ee31576fe6..4e52b3686d3f 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/test/Remove-AzSentinelEntityQuery.Recording.json +++ b/src/SecurityInsights/SecurityInsights.Autorest/test/Remove-AzSentinelEntityQuery.Recording.json @@ -1,17 +1,17 @@ { - "Remove-AzSentinelEntityQuery+[NoContext]+Delete+$DELETE+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/803b23e8-9f87-4597-bc9c-d537930dea57?api-version=2021-09-01-preview+1": { + "Remove-AzSentinelEntityQuery+[NoContext]+Delete+$DELETE+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueries/651de9eb-a83c-4b2d-ab3b-27e8f8d3080e?api-version=2021-09-01-preview+1": { "Request": { "Method": "DELETE", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/803b23e8-9f87-4597-bc9c-d537930dea57?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueries/651de9eb-a83c-4b2d-ab3b-27e8f8d3080e?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "273" ], - "x-ms-client-request-id": [ "84538b5e-dcdc-4d11-8621-824fb6d2bb3d" ], + "x-ms-unique-id": [ "116" ], + "x-ms-client-request-id": [ "5fc47ab3-0e1e-4da9-8ef0-cfd225903755" ], "CommandName": [ "Remove-AzSentinelEntityQuery" ], "FullCommandName": [ "Remove-AzSentinelEntityQuery_Delete" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], + "User-Agent": [ "AzurePowershell/v15.4.0", "PSVersion/v7.6.0", "Az.SecurityInsights/3.2.1" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { @@ -22,14 +22,17 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-deletes": [ "14989" ], - "x-ms-request-id": [ "608194ce-dca2-480b-afe8-595738431e12" ], - "x-ms-correlation-request-id": [ "608194ce-dca2-480b-afe8-595738431e12" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160829Z:608194ce-dca2-480b-afe8-595738431e12" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/6d618406-eff7-471b-86b1-fed7aa60fc6d" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-ratelimit-remaining-subscription-deletes": [ "799" ], + "x-ms-ratelimit-remaining-subscription-global-deletes": [ "11999" ], + "x-ms-request-id": [ "3d6bbdbe-640c-4e71-bb1b-a156391ad9eb" ], + "x-ms-correlation-request-id": [ "3d6bbdbe-640c-4e71-bb1b-a156391ad9eb" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074603Z:3d6bbdbe-640c-4e71-bb1b-a156391ad9eb" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:08:28 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: DE04CD719F104B8FA193B6D3B25A5282 Ref B: AMS231020512027 Ref C: 2026-03-25T07:46:03Z" ], + "Date": [ "Wed, 25 Mar 2026 07:46:03 GMT" ] }, "ContentHeaders": { "Content-Length": [ "2" ], @@ -40,19 +43,19 @@ "isContentBase64": false } }, - "Remove-AzSentinelEntityQuery+[NoContext]+DeleteViaIdentity+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/a165eb76-24f9-47f4-92b2-1238aa5e4248?api-version=2021-09-01-preview+1": { + "Remove-AzSentinelEntityQuery+[NoContext]+DeleteViaIdentity+$GET+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueries/70e5afd8-83d4-47a8-bde6-3e6eabf9b339?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/a165eb76-24f9-47f4-92b2-1238aa5e4248?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueries/70e5afd8-83d4-47a8-bde6-3e6eabf9b339?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "274" ], - "x-ms-client-request-id": [ "4b71d915-a123-4cac-8ea9-e69e7da161e6" ], + "x-ms-unique-id": [ "117" ], + "x-ms-client-request-id": [ "6aa080a0-1724-40d3-b29d-d9ce9dd8a788" ], "CommandName": [ "Get-AzSentinelEntityQuery" ], "FullCommandName": [ "Get-AzSentinelEntityQuery_Get" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], + "User-Agent": [ "AzurePowershell/v15.4.0", "PSVersion/v7.6.0", "Az.SecurityInsights/3.2.1" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { @@ -63,37 +66,41 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11938" ], - "x-ms-request-id": [ "d25ccda5-863e-48ab-a949-233057279cea" ], - "x-ms-correlation-request-id": [ "d25ccda5-863e-48ab-a949-233057279cea" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160829Z:d25ccda5-863e-48ab-a949-233057279cea" ], + "Vary": [ "Accept-Encoding" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "1099" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/fa6577e5-b86e-4199-a138-c355240dccac" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-ratelimit-remaining-subscription-global-reads": [ "16499" ], + "x-ms-request-id": [ "6ed0f42b-c467-4a01-ab93-7995bed5558d" ], + "x-ms-correlation-request-id": [ "6ed0f42b-c467-4a01-ab93-7995bed5558d" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074604Z:6ed0f42b-c467-4a01-ab93-7995bed5558d" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:08:28 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: 2A6C79029E3B4EE7B6F280D901321336 Ref B: AMS231020512027 Ref C: 2026-03-25T07:46:04Z" ], + "Date": [ "Wed, 25 Mar 2026 07:46:03 GMT" ] }, "ContentHeaders": { "Content-Length": [ "2326" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/a165eb76-24f9-47f4-92b2-1238aa5e4248\",\"name\":\"a165eb76-24f9-47f4-92b2-1238aa5e4248\",\"etag\":\"\\\"0c00640f-0000-0100-0000-62fbbe270000\\\"\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was deleted on this host\",\"content\":\"On \u0027{{Computer}}\u0027 the account \u0027{{TargetAccount}}\u0027 was deleted by \",\"description\":\"Account deleted on host\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)\\n// parsing for Host to handle variety of conventions coming from data\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \\nor (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \\nor v_Host_AzureID =~ _ResourceId \\nor v_Host_OMSAgentID == SourceComputerId\\n| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid};\\nGetAccountActions(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027)\\n \\n| where EventID == 4726 \"},\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]},\"enabled\":true,\"createdTimeUtc\":\"2022-08-16T15:56:23.6022565Z\",\"lastModifiedTimeUtc\":\"2022-08-16T15:56:23.6022565Z\",\"inputEntityType\":\"Host\"}}", + "Content": "{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueries/70e5afd8-83d4-47a8-bde6-3e6eabf9b339\",\"name\":\"70e5afd8-83d4-47a8-bde6-3e6eabf9b339\",\"etag\":\"\\\"0c00238c-0000-0100-0000-69c38ec40000\\\"\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was deleted on this host\",\"content\":\"On \u0027{{Computer}}\u0027 the account \u0027{{TargetAccount}}\u0027 was deleted by \",\"description\":\"Account deleted on host\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)\\n// parsing for Host to handle variety of conventions coming from data\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \\nor (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \\nor v_Host_AzureID =~ _ResourceId \\nor v_Host_OMSAgentID == SourceComputerId\\n| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid};\\nGetAccountActions(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027)\\n \\n| where EventID == 4726 \"},\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]},\"enabled\":true,\"createdTimeUtc\":\"2026-03-25T07:29:08.6745543Z\",\"lastModifiedTimeUtc\":\"2026-03-25T07:29:08.6745543Z\",\"inputEntityType\":\"Host\"}}", "isContentBase64": false } }, - "Remove-AzSentinelEntityQuery+[NoContext]+DeleteViaIdentity+$DELETE+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/a165eb76-24f9-47f4-92b2-1238aa5e4248?api-version=2021-09-01-preview+2": { + "Remove-AzSentinelEntityQuery+[NoContext]+DeleteViaIdentity+$DELETE+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueries/70e5afd8-83d4-47a8-bde6-3e6eabf9b339?api-version=2021-09-01-preview+2": { "Request": { "Method": "DELETE", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/a165eb76-24f9-47f4-92b2-1238aa5e4248?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/entityQueries/70e5afd8-83d4-47a8-bde6-3e6eabf9b339?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "275" ], - "x-ms-client-request-id": [ "47f8178e-419a-4cfe-85bc-eac0b06e0a9e" ], + "x-ms-unique-id": [ "118" ], + "x-ms-client-request-id": [ "e56593e3-6cde-43db-9be7-086f6356c573" ], "CommandName": [ "Remove-AzSentinelEntityQuery" ], "FullCommandName": [ "Remove-AzSentinelEntityQuery_DeleteViaIdentity" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], + "User-Agent": [ "AzurePowershell/v15.4.0", "PSVersion/v7.6.0", "Az.SecurityInsights/3.2.1" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { @@ -104,14 +111,17 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-deletes": [ "14988" ], - "x-ms-request-id": [ "eeeb884d-6ba2-47ef-abd2-19e7a81fedb5" ], - "x-ms-correlation-request-id": [ "eeeb884d-6ba2-47ef-abd2-19e7a81fedb5" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160829Z:eeeb884d-6ba2-47ef-abd2-19e7a81fedb5" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/46a2334a-6d12-4459-b66e-5fdf5b13eb08" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-ratelimit-remaining-subscription-deletes": [ "799" ], + "x-ms-ratelimit-remaining-subscription-global-deletes": [ "11999" ], + "x-ms-request-id": [ "d255fbf7-d6f8-4ee3-b84c-2ad010d6cb7c" ], + "x-ms-correlation-request-id": [ "d255fbf7-d6f8-4ee3-b84c-2ad010d6cb7c" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074604Z:d255fbf7-d6f8-4ee3-b84c-2ad010d6cb7c" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:08:28 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: 33D220213D2847BB84C165902DF31AC2 Ref B: AMS231020512027 Ref C: 2026-03-25T07:46:04Z" ], + "Date": [ "Wed, 25 Mar 2026 07:46:04 GMT" ] }, "ContentHeaders": { "Content-Length": [ "2" ], diff --git a/src/SecurityInsights/SecurityInsights.Autorest/test/Remove-AzSentinelIncident.Recording.json b/src/SecurityInsights/SecurityInsights.Autorest/test/Remove-AzSentinelIncident.Recording.json index ccb9b6291ce2..dd67c51797be 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/test/Remove-AzSentinelIncident.Recording.json +++ b/src/SecurityInsights/SecurityInsights.Autorest/test/Remove-AzSentinelIncident.Recording.json @@ -1,17 +1,17 @@ { - "Remove-AzSentinelIncident+[NoContext]+Delete+$DELETE+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/3c0d63a6-5274-4c2c-82fa-d209415ca9bf?api-version=2021-09-01-preview+1": { + "Remove-AzSentinelIncident+[NoContext]+Delete+$DELETE+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/incidents/297ebb03-dbd5-45af-855f-ac7a514bd3d2?api-version=2021-09-01-preview+1": { "Request": { "Method": "DELETE", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/3c0d63a6-5274-4c2c-82fa-d209415ca9bf?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/incidents/297ebb03-dbd5-45af-855f-ac7a514bd3d2?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "276" ], - "x-ms-client-request-id": [ "5805b251-d51c-4a1d-8a4f-a126f0823fca" ], + "x-ms-unique-id": [ "119" ], + "x-ms-client-request-id": [ "598b3d2c-90c5-4f06-be9a-f70595439072" ], "CommandName": [ "Remove-AzSentinelIncident" ], "FullCommandName": [ "Remove-AzSentinelIncident_Delete" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], + "User-Agent": [ "AzurePowershell/v15.4.0", "PSVersion/v7.6.0", "Az.SecurityInsights/3.2.1" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { @@ -22,14 +22,17 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-deletes": [ "14987" ], - "x-ms-request-id": [ "0e1a72a8-4510-4de5-b74c-20b86e0185de" ], - "x-ms-correlation-request-id": [ "0e1a72a8-4510-4de5-b74c-20b86e0185de" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160830Z:0e1a72a8-4510-4de5-b74c-20b86e0185de" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/0b061d48-5a96-4056-af70-a7463ad6b6b9" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-ratelimit-remaining-subscription-deletes": [ "799" ], + "x-ms-ratelimit-remaining-subscription-global-deletes": [ "11999" ], + "x-ms-request-id": [ "abc3d8ae-9eb2-4056-8b1d-1dbba6132be0" ], + "x-ms-correlation-request-id": [ "abc3d8ae-9eb2-4056-8b1d-1dbba6132be0" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074606Z:abc3d8ae-9eb2-4056-8b1d-1dbba6132be0" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:08:29 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: 2FA19A1D5BC84DE18C24A4510DFC9794 Ref B: AMS231020512027 Ref C: 2026-03-25T07:46:05Z" ], + "Date": [ "Wed, 25 Mar 2026 07:46:05 GMT" ] }, "ContentHeaders": { "Content-Length": [ "2" ], @@ -40,19 +43,19 @@ "isContentBase64": false } }, - "Remove-AzSentinelIncident+[NoContext]+DeleteViaIdentity+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/fdc66a29-9153-4079-894f-9d92f19fb0d9?api-version=2021-09-01-preview+1": { + "Remove-AzSentinelIncident+[NoContext]+DeleteViaIdentity+$GET+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/incidents/d34e2b26-c2ca-4e38-b9b2-285fc2bd09c6?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/fdc66a29-9153-4079-894f-9d92f19fb0d9?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/incidents/d34e2b26-c2ca-4e38-b9b2-285fc2bd09c6?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "277" ], - "x-ms-client-request-id": [ "cfbd7a57-7f1d-4b9d-ab11-0671b738e88b" ], + "x-ms-unique-id": [ "120" ], + "x-ms-client-request-id": [ "aa0f9ffd-47c1-44b2-86d1-afd29150245b" ], "CommandName": [ "Get-AzSentinelIncident" ], "FullCommandName": [ "Get-AzSentinelIncident_Get" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], + "User-Agent": [ "AzurePowershell/v15.4.0", "PSVersion/v7.6.0", "Az.SecurityInsights/3.2.1" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { @@ -63,37 +66,41 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11937" ], - "x-ms-request-id": [ "ccc84795-bf95-42fb-96ff-869603c376d1" ], - "x-ms-correlation-request-id": [ "ccc84795-bf95-42fb-96ff-869603c376d1" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160830Z:ccc84795-bf95-42fb-96ff-869603c376d1" ], + "Vary": [ "Accept-Encoding" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "1099" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/04a31529-2706-40b6-915e-c587242dfa12" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-ratelimit-remaining-subscription-global-reads": [ "16499" ], + "x-ms-request-id": [ "633f0784-ed13-49db-8ec0-4e3289ec1304" ], + "x-ms-correlation-request-id": [ "633f0784-ed13-49db-8ec0-4e3289ec1304" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074606Z:633f0784-ed13-49db-8ec0-4e3289ec1304" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:08:29 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: 77D6F7BFDCFE41BA988F3D6BE1D161DE Ref B: AMS231020512027 Ref C: 2026-03-25T07:46:06Z" ], + "Date": [ "Wed, 25 Mar 2026 07:46:06 GMT" ] }, "ContentHeaders": { "Content-Length": [ "1206" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/fdc66a29-9153-4079-894f-9d92f19fb0d9\",\"name\":\"fdc66a29-9153-4079-894f-9d92f19fb0d9\",\"etag\":\"\\\"4a004d51-0000-0100-0000-62fbbec10000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-08-16T15:58:57.2230955Z\",\"createdTimeUtc\":\"2022-08-16T15:58:57.2230955Z\",\"incidentNumber\":9,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/fdc66a29-9153-4079-894f-9d92f19fb0d9\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"9\"}}", + "Content": "{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/d34e2b26-c2ca-4e38-b9b2-285fc2bd09c6\",\"name\":\"d34e2b26-c2ca-4e38-b9b2-285fc2bd09c6\",\"etag\":\"\\\"2f00562a-0000-0100-0000-69c38f090000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2026-03-25T07:30:17.1560735Z\",\"createdTimeUtc\":\"2026-03-25T07:30:17.1560735Z\",\"incidentNumber\":9,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/d34e2b26-c2ca-4e38-b9b2-285fc2bd09c6\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"9\"}}", "isContentBase64": false } }, - "Remove-AzSentinelIncident+[NoContext]+DeleteViaIdentity+$DELETE+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/fdc66a29-9153-4079-894f-9d92f19fb0d9?api-version=2021-09-01-preview+2": { + "Remove-AzSentinelIncident+[NoContext]+DeleteViaIdentity+$DELETE+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/incidents/d34e2b26-c2ca-4e38-b9b2-285fc2bd09c6?api-version=2021-09-01-preview+2": { "Request": { "Method": "DELETE", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/fdc66a29-9153-4079-894f-9d92f19fb0d9?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/incidents/d34e2b26-c2ca-4e38-b9b2-285fc2bd09c6?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "278" ], - "x-ms-client-request-id": [ "e3d21c4c-45b9-4765-a505-2fac6bc08f63" ], + "x-ms-unique-id": [ "121" ], + "x-ms-client-request-id": [ "447c646a-f41c-40f0-a213-f97326c45570" ], "CommandName": [ "Remove-AzSentinelIncident" ], "FullCommandName": [ "Remove-AzSentinelIncident_DeleteViaIdentity" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], + "User-Agent": [ "AzurePowershell/v15.4.0", "PSVersion/v7.6.0", "Az.SecurityInsights/3.2.1" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { @@ -104,14 +111,17 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-deletes": [ "14986" ], - "x-ms-request-id": [ "85f5f223-0383-4d4d-b6f5-16dc81f1435f" ], - "x-ms-correlation-request-id": [ "85f5f223-0383-4d4d-b6f5-16dc81f1435f" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160830Z:85f5f223-0383-4d4d-b6f5-16dc81f1435f" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/ffc066d4-6c3c-4c7c-8bbe-25d889914aa7" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-ratelimit-remaining-subscription-deletes": [ "799" ], + "x-ms-ratelimit-remaining-subscription-global-deletes": [ "11999" ], + "x-ms-request-id": [ "250f52bd-75d4-4193-a2e1-77808b7f8785" ], + "x-ms-correlation-request-id": [ "250f52bd-75d4-4193-a2e1-77808b7f8785" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074607Z:250f52bd-75d4-4193-a2e1-77808b7f8785" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:08:29 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: 87AD1B8294EC49C2A325306396BE084A Ref B: AMS231020512027 Ref C: 2026-03-25T07:46:06Z" ], + "Date": [ "Wed, 25 Mar 2026 07:46:06 GMT" ] }, "ContentHeaders": { "Content-Length": [ "2" ], diff --git a/src/SecurityInsights/SecurityInsights.Autorest/test/Remove-AzSentinelIncidentComment.Recording.json b/src/SecurityInsights/SecurityInsights.Autorest/test/Remove-AzSentinelIncidentComment.Recording.json index 240041c981be..67225ef4634e 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/test/Remove-AzSentinelIncidentComment.Recording.json +++ b/src/SecurityInsights/SecurityInsights.Autorest/test/Remove-AzSentinelIncidentComment.Recording.json @@ -1,17 +1,17 @@ { - "Remove-AzSentinelIncidentComment+[NoContext]+Delete+$DELETE+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/1f6bbf1d-7f2d-4435-84f7-2be61d9e090d/comments/6a5e3b8c-f0f5-4bb7-8685-87961a8a21fe?api-version=2021-09-01-preview+1": { + "Remove-AzSentinelIncidentComment+[NoContext]+Delete+$DELETE+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/incidents/c674c57d-29aa-47de-a24b-79836e85dcd4/comments/687b5f06-6785-4f7b-b676-e057c4633d74?api-version=2021-09-01-preview+1": { "Request": { "Method": "DELETE", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/1f6bbf1d-7f2d-4435-84f7-2be61d9e090d/comments/6a5e3b8c-f0f5-4bb7-8685-87961a8a21fe?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/incidents/c674c57d-29aa-47de-a24b-79836e85dcd4/comments/687b5f06-6785-4f7b-b676-e057c4633d74?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "279" ], - "x-ms-client-request-id": [ "a4ee3027-00a0-42f3-b35c-ac1bfd5b67eb" ], + "x-ms-unique-id": [ "122" ], + "x-ms-client-request-id": [ "1168eda1-fcc9-47e8-88f2-a92d03864d69" ], "CommandName": [ "Remove-AzSentinelIncidentComment" ], "FullCommandName": [ "Remove-AzSentinelIncidentComment_Delete" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], + "User-Agent": [ "AzurePowershell/v15.4.0", "PSVersion/v7.6.0", "Az.SecurityInsights/3.2.1" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { @@ -22,14 +22,16 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-resource-requests": [ "499" ], - "x-ms-request-id": [ "5cab8b81-7614-491c-b17b-ace2dc26affb" ], - "x-ms-correlation-request-id": [ "5cab8b81-7614-491c-b17b-ace2dc26affb" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160831Z:5cab8b81-7614-491c-b17b-ace2dc26affb" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/d03745b1-678a-4bf5-8a54-dda50d859273" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "799" ], + "x-ms-request-id": [ "c4e82808-71e1-481a-9c2d-4eed709b949c" ], + "x-ms-correlation-request-id": [ "c4e82808-71e1-481a-9c2d-4eed709b949c" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074608Z:c4e82808-71e1-481a-9c2d-4eed709b949c" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:08:30 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: 0F3AB9EF8FB94647BCE505F3074F35D6 Ref B: AMS231020512027 Ref C: 2026-03-25T07:46:08Z" ], + "Date": [ "Wed, 25 Mar 2026 07:46:07 GMT" ] }, "ContentHeaders": { "Content-Length": [ "2" ], @@ -40,19 +42,19 @@ "isContentBase64": false } }, - "Remove-AzSentinelIncidentComment+[NoContext]+DeleteViaIdentity+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/ac97c565-75c1-40ab-a8e1-334c04dda7d0/comments/e0931ced-55b8-4158-b9d7-16ba88c4936b?api-version=2021-09-01-preview+1": { + "Remove-AzSentinelIncidentComment+[NoContext]+DeleteViaIdentity+$GET+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/incidents/0010a620-61dc-4183-8b70-70548c9a4fa4/comments/49e3a038-5941-417d-954e-01eb28ac04b2?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/ac97c565-75c1-40ab-a8e1-334c04dda7d0/comments/e0931ced-55b8-4158-b9d7-16ba88c4936b?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/incidents/0010a620-61dc-4183-8b70-70548c9a4fa4/comments/49e3a038-5941-417d-954e-01eb28ac04b2?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "280" ], - "x-ms-client-request-id": [ "dec457bb-17df-465f-bcdb-e52d957f617a" ], + "x-ms-unique-id": [ "123" ], + "x-ms-client-request-id": [ "5c2e761d-3bd9-4720-bd39-79e522af2fd0" ], "CommandName": [ "Get-AzSentinelIncidentComment" ], "FullCommandName": [ "Get-AzSentinelIncidentComment_Get" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], + "User-Agent": [ "AzurePowershell/v15.4.0", "PSVersion/v7.6.0", "Az.SecurityInsights/3.2.1" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { @@ -63,37 +65,40 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-resource-requests": [ "497" ], - "x-ms-request-id": [ "9fa69391-082f-43d3-a51a-5fd85345e896" ], - "x-ms-correlation-request-id": [ "9fa69391-082f-43d3-a51a-5fd85345e896" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160831Z:9fa69391-082f-43d3-a51a-5fd85345e896" ], + "Vary": [ "Accept-Encoding" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "1099" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/ed635c88-99ae-4c98-bb9d-b47458c76c36" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-request-id": [ "f0e8fe3c-42d6-4d80-9c00-5f332424dc0d" ], + "x-ms-correlation-request-id": [ "f0e8fe3c-42d6-4d80-9c00-5f332424dc0d" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074608Z:f0e8fe3c-42d6-4d80-9c00-5f332424dc0d" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:08:31 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: 3BD9CE1AAA324AA68ECB9616461DB45B Ref B: AMS231020512027 Ref C: 2026-03-25T07:46:08Z" ], + "Date": [ "Wed, 25 Mar 2026 07:46:08 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "767" ], + "Content-Length": [ "760" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/ac97c565-75c1-40ab-a8e1-334c04dda7d0/Comments/e0931ced-55b8-4158-b9d7-16ba88c4936b\",\"name\":\"e0931ced-55b8-4158-b9d7-16ba88c4936b\",\"etag\":\"\\\"4a00c151-0000-0100-0000-62fbbf610000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents/Comments\",\"properties\":{\"message\":\"RemoveViaIdincidentCommentjd165a\",\"createdTimeUtc\":\"2022-08-16T16:01:37.5938694Z\",\"lastModifiedTimeUtc\":\"2022-08-16T16:01:37.5938694Z\",\"author\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"nicholas@zeronetworks.com\"}}}", + "Content": "{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/0010a620-61dc-4183-8b70-70548c9a4fa4/Comments/49e3a038-5941-417d-954e-01eb28ac04b2\",\"name\":\"49e3a038-5941-417d-954e-01eb28ac04b2\",\"etag\":\"\\\"2f00542f-0000-0100-0000-69c38f320000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents/Comments\",\"properties\":{\"message\":\"RemoveViaIdincidentComment9kqox4\",\"createdTimeUtc\":\"2026-03-25T07:30:58.9141359Z\",\"lastModifiedTimeUtc\":\"2026-03-25T07:30:58.9141359Z\",\"author\":{\"objectId\":\"6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb\",\"email\":\"t-helezra@microsoft.com\",\"name\":\"Hadas Elezra\",\"userPrincipalName\":\"t-helezra@microsoft.com\"}}}", "isContentBase64": false } }, - "Remove-AzSentinelIncidentComment+[NoContext]+DeleteViaIdentity+$DELETE+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/ac97c565-75c1-40ab-a8e1-334c04dda7d0/comments/e0931ced-55b8-4158-b9d7-16ba88c4936b?api-version=2021-09-01-preview+2": { + "Remove-AzSentinelIncidentComment+[NoContext]+DeleteViaIdentity+$DELETE+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/incidents/0010a620-61dc-4183-8b70-70548c9a4fa4/comments/49e3a038-5941-417d-954e-01eb28ac04b2?api-version=2021-09-01-preview+2": { "Request": { "Method": "DELETE", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/ac97c565-75c1-40ab-a8e1-334c04dda7d0/comments/e0931ced-55b8-4158-b9d7-16ba88c4936b?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/incidents/0010a620-61dc-4183-8b70-70548c9a4fa4/comments/49e3a038-5941-417d-954e-01eb28ac04b2?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "281" ], - "x-ms-client-request-id": [ "71c231bf-ee58-462d-9523-c49819397164" ], + "x-ms-unique-id": [ "124" ], + "x-ms-client-request-id": [ "6596f489-ce72-4ca9-be13-6a6c4ca1a129" ], "CommandName": [ "Remove-AzSentinelIncidentComment" ], "FullCommandName": [ "Remove-AzSentinelIncidentComment_DeleteViaIdentity" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], + "User-Agent": [ "AzurePowershell/v15.4.0", "PSVersion/v7.6.0", "Az.SecurityInsights/3.2.1" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { @@ -104,14 +109,16 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-resource-requests": [ "498" ], - "x-ms-request-id": [ "d1c2f870-9e3b-4fb6-9531-274e49d121d4" ], - "x-ms-correlation-request-id": [ "d1c2f870-9e3b-4fb6-9531-274e49d121d4" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160832Z:d1c2f870-9e3b-4fb6-9531-274e49d121d4" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/9e73f7f7-1a7c-4571-ae7e-fb46788c89d3" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "799" ], + "x-ms-request-id": [ "54a16854-9e95-4762-983d-b0263e07b13f" ], + "x-ms-correlation-request-id": [ "54a16854-9e95-4762-983d-b0263e07b13f" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074609Z:54a16854-9e95-4762-983d-b0263e07b13f" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:08:31 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: 76B1F8D5A0344D6F8EEFA683AA0458CA Ref B: AMS231020512027 Ref C: 2026-03-25T07:46:09Z" ], + "Date": [ "Wed, 25 Mar 2026 07:46:09 GMT" ] }, "ContentHeaders": { "Content-Length": [ "2" ], diff --git a/src/SecurityInsights/SecurityInsights.Autorest/test/Remove-AzSentinelIncidentRelation.Recording.json b/src/SecurityInsights/SecurityInsights.Autorest/test/Remove-AzSentinelIncidentRelation.Recording.json index 2da486ee5cdd..7988f162d81e 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/test/Remove-AzSentinelIncidentRelation.Recording.json +++ b/src/SecurityInsights/SecurityInsights.Autorest/test/Remove-AzSentinelIncidentRelation.Recording.json @@ -1,17 +1,17 @@ { - "Remove-AzSentinelIncidentRelation+[NoContext]+Delete+$DELETE+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/1f6bbf1d-7f2d-4435-84f7-2be61d9e090d/relations/f05d7fb2-c166-4ecb-aa6b-b97479976971?api-version=2021-09-01-preview+1": { + "Remove-AzSentinelIncidentRelation+[NoContext]+Delete+$DELETE+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/incidents/c674c57d-29aa-47de-a24b-79836e85dcd4/relations/3a03c37e-24a2-4bb8-b680-8b51b0462387?api-version=2021-09-01-preview+1": { "Request": { "Method": "DELETE", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/1f6bbf1d-7f2d-4435-84f7-2be61d9e090d/relations/f05d7fb2-c166-4ecb-aa6b-b97479976971?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/incidents/c674c57d-29aa-47de-a24b-79836e85dcd4/relations/3a03c37e-24a2-4bb8-b680-8b51b0462387?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "282" ], - "x-ms-client-request-id": [ "5e6c9ead-f7a3-421f-b737-0894faac0ef3" ], + "x-ms-unique-id": [ "125" ], + "x-ms-client-request-id": [ "f7f2dfcd-0dca-47f4-adc2-a1cbddf96f4c" ], "CommandName": [ "Remove-AzSentinelIncidentRelation" ], "FullCommandName": [ "Remove-AzSentinelIncidentRelation_Delete" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], + "User-Agent": [ "AzurePowershell/v15.4.0", "PSVersion/v7.6.0", "Az.SecurityInsights/3.2.1" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { @@ -22,14 +22,16 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-resource-requests": [ "499" ], - "x-ms-request-id": [ "aee949a4-3ce0-4345-bd08-f074656c570b" ], - "x-ms-correlation-request-id": [ "aee949a4-3ce0-4345-bd08-f074656c570b" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160833Z:aee949a4-3ce0-4345-bd08-f074656c570b" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/2132f377-a1a3-41d1-a101-46f13074be95" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "799" ], + "x-ms-request-id": [ "ada05923-c188-4310-9038-3d9ad570d6f7" ], + "x-ms-correlation-request-id": [ "ada05923-c188-4310-9038-3d9ad570d6f7" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074610Z:ada05923-c188-4310-9038-3d9ad570d6f7" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:08:32 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: 74211E55C4C2473BB8F8E674BE0ACE61 Ref B: AMS231020512027 Ref C: 2026-03-25T07:46:10Z" ], + "Date": [ "Wed, 25 Mar 2026 07:46:10 GMT" ] }, "ContentHeaders": { "Expires": [ "-1" ] @@ -38,19 +40,19 @@ "isContentBase64": false } }, - "Remove-AzSentinelIncidentRelation+[NoContext]+DeleteViaIdentity+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/b2ae0920-7287-4d85-a609-bf6c7e651630/relations/95c1d6e0-5c11-4329-b715-f24c959f7b04?api-version=2021-09-01-preview+1": { + "Remove-AzSentinelIncidentRelation+[NoContext]+DeleteViaIdentity+$GET+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/incidents/edfd97a6-4cb0-4eb8-aa7d-4df47259f318/relations/35c38929-6ba9-4b43-a927-697e4b15978b?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/b2ae0920-7287-4d85-a609-bf6c7e651630/relations/95c1d6e0-5c11-4329-b715-f24c959f7b04?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/incidents/edfd97a6-4cb0-4eb8-aa7d-4df47259f318/relations/35c38929-6ba9-4b43-a927-697e4b15978b?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "283" ], - "x-ms-client-request-id": [ "262ab63b-54d0-4140-b220-a8c88d25e9a9" ], + "x-ms-unique-id": [ "126" ], + "x-ms-client-request-id": [ "79bb9acd-82ef-464d-826a-c0d359b2f4af" ], "CommandName": [ "Get-AzSentinelIncidentRelation" ], "FullCommandName": [ "Get-AzSentinelIncidentRelation_Get" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], + "User-Agent": [ "AzurePowershell/v15.4.0", "PSVersion/v7.6.0", "Az.SecurityInsights/3.2.1" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { @@ -61,37 +63,40 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-resource-requests": [ "495" ], - "x-ms-request-id": [ "eafa5ac2-d831-4c17-84cb-84bf1c3e2012" ], - "x-ms-correlation-request-id": [ "eafa5ac2-d831-4c17-84cb-84bf1c3e2012" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160833Z:eafa5ac2-d831-4c17-84cb-84bf1c3e2012" ], + "Vary": [ "Accept-Encoding" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "1099" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/aa4c3090-a618-420b-809c-c7cc779e20bf" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-request-id": [ "89c1f7f2-c2bb-4fb5-903d-158c02e25c5f" ], + "x-ms-correlation-request-id": [ "89c1f7f2-c2bb-4fb5-903d-158c02e25c5f" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074611Z:89c1f7f2-c2bb-4fb5-903d-158c02e25c5f" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:08:32 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: 747BF4344EEE44919F113362E2D77B06 Ref B: AMS231020512027 Ref C: 2026-03-25T07:46:10Z" ], + "Date": [ "Wed, 25 Mar 2026 07:46:10 GMT" ] }, "ContentHeaders": { "Content-Length": [ "828" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/b2ae0920-7287-4d85-a609-bf6c7e651630/relations/95c1d6e0-5c11-4329-b715-f24c959f7b04\",\"name\":\"95c1d6e0-5c11-4329-b715-f24c959f7b04\",\"etag\":\"\\\"4a004252-0000-0100-0000-62fbc0060000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents/relations\",\"properties\":{\"relatedResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Bookmarks/8b4c7333-a754-463f-abd4-0b5b023fb24c\",\"relatedResourceName\":\"8b4c7333-a754-463f-abd4-0b5b023fb24c\",\"relatedResourceType\":\"Microsoft.SecurityInsights/Bookmarks\"}}", + "Content": "{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/edfd97a6-4cb0-4eb8-aa7d-4df47259f318/relations/35c38929-6ba9-4b43-a927-697e4b15978b\",\"name\":\"35c38929-6ba9-4b43-a927-697e4b15978b\",\"etag\":\"\\\"2f008734-0000-0100-0000-69c38f5d0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents/relations\",\"properties\":{\"relatedResourceId\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Bookmarks/51635f0a-9319-4e6a-b3d9-45bcdfee1f69\",\"relatedResourceName\":\"51635f0a-9319-4e6a-b3d9-45bcdfee1f69\",\"relatedResourceType\":\"Microsoft.SecurityInsights/Bookmarks\"}}", "isContentBase64": false } }, - "Remove-AzSentinelIncidentRelation+[NoContext]+DeleteViaIdentity+$DELETE+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/b2ae0920-7287-4d85-a609-bf6c7e651630/relations/95c1d6e0-5c11-4329-b715-f24c959f7b04?api-version=2021-09-01-preview+2": { + "Remove-AzSentinelIncidentRelation+[NoContext]+DeleteViaIdentity+$DELETE+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/incidents/edfd97a6-4cb0-4eb8-aa7d-4df47259f318/relations/35c38929-6ba9-4b43-a927-697e4b15978b?api-version=2021-09-01-preview+2": { "Request": { "Method": "DELETE", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/b2ae0920-7287-4d85-a609-bf6c7e651630/relations/95c1d6e0-5c11-4329-b715-f24c959f7b04?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/incidents/edfd97a6-4cb0-4eb8-aa7d-4df47259f318/relations/35c38929-6ba9-4b43-a927-697e4b15978b?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "284" ], - "x-ms-client-request-id": [ "99439908-37bf-4bdf-9efb-2ce4d4ba7bc6" ], + "x-ms-unique-id": [ "127" ], + "x-ms-client-request-id": [ "52934b21-4e0e-409a-95f4-f37331fc01b6" ], "CommandName": [ "Remove-AzSentinelIncidentRelation" ], "FullCommandName": [ "Remove-AzSentinelIncidentRelation_DeleteViaIdentity" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], + "User-Agent": [ "AzurePowershell/v15.4.0", "PSVersion/v7.6.0", "Az.SecurityInsights/3.2.1" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { @@ -102,14 +107,16 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-resource-requests": [ "498" ], - "x-ms-request-id": [ "2c37bd2b-189b-4e7a-8e09-c5c07e6c9719" ], - "x-ms-correlation-request-id": [ "2c37bd2b-189b-4e7a-8e09-c5c07e6c9719" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160833Z:2c37bd2b-189b-4e7a-8e09-c5c07e6c9719" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/5e4f928e-1ef8-4818-95b8-1da1b5215b58" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "799" ], + "x-ms-request-id": [ "9c9de74a-3864-4590-8aee-030331fbc269" ], + "x-ms-correlation-request-id": [ "9c9de74a-3864-4590-8aee-030331fbc269" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074611Z:9c9de74a-3864-4590-8aee-030331fbc269" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:08:32 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: C2242FA354E749D488C79A488B7CADBC Ref B: AMS231020512027 Ref C: 2026-03-25T07:46:11Z" ], + "Date": [ "Wed, 25 Mar 2026 07:46:11 GMT" ] }, "ContentHeaders": { "Content-Length": [ "2" ], diff --git a/src/SecurityInsights/SecurityInsights.Autorest/test/Remove-AzSentinelOnboardingState.Recording.json b/src/SecurityInsights/SecurityInsights.Autorest/test/Remove-AzSentinelOnboardingState.Recording.json index b56fd9552159..c3856512ac21 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/test/Remove-AzSentinelOnboardingState.Recording.json +++ b/src/SecurityInsights/SecurityInsights.Autorest/test/Remove-AzSentinelOnboardingState.Recording.json @@ -1,17 +1,17 @@ { - "Remove-AzSentinelOnboardingState+[NoContext]+Delete+$DELETE+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptesthqat05/providers/Microsoft.SecurityInsights/onboardingStates/default?api-version=2021-09-01-preview+1": { + "Remove-AzSentinelOnboardingState+[NoContext]+Delete+$DELETE+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptestu3tk19/providers/Microsoft.SecurityInsights/onboardingStates/default?api-version=2021-09-01-preview+1": { "Request": { "Method": "DELETE", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptesthqat05/providers/Microsoft.SecurityInsights/onboardingStates/default?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptestu3tk19/providers/Microsoft.SecurityInsights/onboardingStates/default?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "285" ], - "x-ms-client-request-id": [ "57921f9e-0e51-45b1-a4cc-459a46f2a6dc" ], + "x-ms-unique-id": [ "128" ], + "x-ms-client-request-id": [ "c42347c0-4703-4b50-83f2-3ecd0d566848" ], "CommandName": [ "Remove-AzSentinelOnboardingState" ], "FullCommandName": [ "Remove-AzSentinelOnboardingState_Delete" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], + "User-Agent": [ "AzurePowershell/v15.4.0", "PSVersion/v7.6.0", "Az.SecurityInsights/3.2.1" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { @@ -22,14 +22,17 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-deletes": [ "14985" ], - "x-ms-request-id": [ "1285dd3d-b5bb-4b31-8117-5405c53e981e" ], - "x-ms-correlation-request-id": [ "1285dd3d-b5bb-4b31-8117-5405c53e981e" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160839Z:1285dd3d-b5bb-4b31-8117-5405c53e981e" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/710c0aa8-0022-4122-87eb-d1ac2188f20a" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-ratelimit-remaining-subscription-deletes": [ "800" ], + "x-ms-ratelimit-remaining-subscription-global-deletes": [ "12000" ], + "x-ms-request-id": [ "6c2456ce-b628-4859-b383-ea5f24893a71" ], + "x-ms-correlation-request-id": [ "6c2456ce-b628-4859-b383-ea5f24893a71" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074620Z:6c2456ce-b628-4859-b383-ea5f24893a71" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:08:38 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: 454C0EC59EBC4EA4BA56BF7C57D0A73C Ref B: AMS231020512027 Ref C: 2026-03-25T07:46:13Z" ], + "Date": [ "Wed, 25 Mar 2026 07:46:19 GMT" ] }, "ContentHeaders": { "Content-Length": [ "2" ], diff --git a/src/SecurityInsights/SecurityInsights.Autorest/test/Update-AzSentinelAlertRule.Recording.json b/src/SecurityInsights/SecurityInsights.Autorest/test/Update-AzSentinelAlertRule.Recording.json deleted file mode 100644 index e686f6baa8be..000000000000 --- a/src/SecurityInsights/SecurityInsights.Autorest/test/Update-AzSentinelAlertRule.Recording.json +++ /dev/null @@ -1,38 +0,0 @@ -{ - "Update-AzSentinelAlertRule+[NoContext]+UpdateExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/e96e7960-a8a9-47a9-91f1-4207f5f82d88?api-version=2021-09-01-preview+1": { - "Request": { - "Method": "PUT", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/e96e7960-a8a9-47a9-91f1-4207f5f82d88?api-version=2021-09-01-preview", - "Content": "{\n \"etag\": \"\\\"0600ef40-0000-0100-0000-62fbba750000\\\"\",\n \"kind\": \"Scheduled\",\n \"properties\": {\n \"eventGroupingSettings\": {\n \"aggregationKind\": \"SingleAlert\"\n },\n \"queryFrequency\": \"P1D\",\n \"queryPeriod\": \"P1D\",\n \"triggerOperator\": \"GreaterThan\",\n \"triggerThreshold\": 0,\n \"incidentConfiguration\": {\n \"groupingConfiguration\": {\n \"enabled\": false,\n \"reopenClosedIncident\": false,\n \"lookbackDuration\": \"PT5H\",\n \"matchingMethod\": \"AllEntities\",\n \"groupByEntities\": [ ]\n },\n \"createIncident\": false\n },\n \"description\": \"UpdateAlertRulejkg1z9 e96e7960-a8a9-47a9-91f1-4207f5f82d88\",\n \"query\": \"SecurityEvent\\n| take 1\",\n \"displayName\": \"UpdateAlertRulejkg1z9\",\n \"enabled\": false,\n \"suppressionDuration\": \"PT5H\",\n \"suppressionEnabled\": false,\n \"severity\": \"Informational\",\n \"tactics\": [ \"Execution\" ]\n }\n}", - "isContentBase64": false, - "Headers": { - }, - "ContentHeaders": { - "Content-Type": [ "application/json" ], - "Content-Length": [ "901" ] - } - }, - "Response": { - "StatusCode": 200, - "Headers": { - "Cache-Control": [ "no-cache" ], - "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-writes": [ "1192" ], - "x-ms-request-id": [ "ec8f0280-2d0f-4357-9fe0-336f7a3a71a6" ], - "x-ms-correlation-request-id": [ "ec8f0280-2d0f-4357-9fe0-336f7a3a71a6" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160841Z:ec8f0280-2d0f-4357-9fe0-336f7a3a71a6" ], - "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], - "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:08:40 GMT" ] - }, - "ContentHeaders": { - "Content-Length": [ "1172" ], - "Content-Type": [ "application/json; charset=utf-8" ], - "Expires": [ "-1" ] - }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/e96e7960-a8a9-47a9-91f1-4207f5f82d88\",\"name\":\"e96e7960-a8a9-47a9-91f1-4207f5f82d88\",\"etag\":\"\\\"06008441-0000-0100-0000-62fbc1090000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":false,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Informational\",\"query\":\"SecurityEvent\\n| take 1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Execution\"],\"displayName\":\"UpdateAlertRulejkg1z9\",\"enabled\":false,\"description\":\"UpdateAlertRulejkg1z9 e96e7960-a8a9-47a9-91f1-4207f5f82d88\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2022-08-16T16:08:41.1863083Z\"}}", - "isContentBase64": false - } - } -} \ No newline at end of file diff --git a/src/SecurityInsights/SecurityInsights.Autorest/test/Update-AzSentinelAlertRuleAction.Recording.json b/src/SecurityInsights/SecurityInsights.Autorest/test/Update-AzSentinelAlertRuleAction.Recording.json index b72ccc1ea10a..70a8608d1d11 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/test/Update-AzSentinelAlertRuleAction.Recording.json +++ b/src/SecurityInsights/SecurityInsights.Autorest/test/Update-AzSentinelAlertRuleAction.Recording.json @@ -1,15 +1,15 @@ { - "Update-AzSentinelAlertRuleAction+[NoContext]+UpdateExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/f04b319e-dc64-427b-8640-eef21b6fb5cd/actions/39fd7829-116a-4fa3-8ec5-71501bc5ae11?api-version=2021-09-01-preview+1": { + "Update-AzSentinelAlertRuleAction+[NoContext]+UpdateExpanded+$PUT+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/alertRules/0a7c15c8-9257-4a34-9097-b53e070bf76d/actions/a5627b08-648e-4278-a68a-86c4f2ed6418?api-version=2021-09-01-preview+1": { "Request": { "Method": "PUT", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/f04b319e-dc64-427b-8640-eef21b6fb5cd/actions/39fd7829-116a-4fa3-8ec5-71501bc5ae11?api-version=2021-09-01-preview", - "Content": "{\n \"properties\": {\n \"logicAppResourceId\": \"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.Logic/workflows/Confirm-AADRiskyUser-Alert\",\n \"triggerUri\": \"https://prod-22.centralus.logic.azure.com:443/workflows/86d6ec0418794b35bb3b014e5448e0b6/triggers/When_a_response_to_an_Azure_Sentinel_alert_is_triggered/paths/invoke?api-version=2016-06-01\\u0026sp=%2Ftriggers%2FWhen_a_response_to_an_Azure_Sentinel_alert_is_triggered%2Frun\\u0026sv=1.0\\u0026sig=fuFAHW0RWBesCKbfQlyAgswWDldw5fwJuUpzpVLjUQw\"\n }\n}", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/alertRules/0a7c15c8-9257-4a34-9097-b53e070bf76d/actions/a5627b08-648e-4278-a68a-86c4f2ed6418?api-version=2021-09-01-preview", + "Content": "{\r\n \"properties\": {\r\n \"logicAppResourceId\": \"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.Logic/workflows/Confirm-AADRiskyUser-Alert\",\r\n \"triggerUri\": \"https://prod-08.centralus.logic.azure.com:443/workflows/18a59846385f49ef9c9711584ba6162c/triggers/When_a_response_to_an_Azure_Sentinel_alert_is_triggered/paths/invoke?api-version=2016-06-01\\u0026sp=%2Ftriggers%2FWhen_a_response_to_an_Azure_Sentinel_alert_is_triggered%2Frun\\u0026sv=1.0\\u0026sig=tBpcYwVJuUNVBAdwMq1K0kfjZJX6coxhaADovea_MMk\"\r\n }\r\n}", "isContentBase64": false, "Headers": { }, "ContentHeaders": { "Content-Type": [ "application/json" ], - "Content-Length": [ "558" ] + "Content-Length": [ "563" ] } }, "Response": { @@ -17,37 +17,40 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-resource-requests": [ "498" ], - "x-ms-request-id": [ "a3957690-155d-4d06-be70-eb2849e01b08" ], - "x-ms-correlation-request-id": [ "a3957690-155d-4d06-be70-eb2849e01b08" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160843Z:a3957690-155d-4d06-be70-eb2849e01b08" ], + "Vary": [ "Accept-Encoding" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "799" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/88da709f-d95f-482f-886d-0457d7fe0b2a" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-request-id": [ "3e8222f1-bcfd-415d-aa0b-dc3e30a88f66" ], + "x-ms-correlation-request-id": [ "3e8222f1-bcfd-415d-aa0b-dc3e30a88f66" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074622Z:3e8222f1-bcfd-415d-aa0b-dc3e30a88f66" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:08:42 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: A83D0B9460B4483D9FEA614A0CD41B8E Ref B: AMS231020512027 Ref C: 2026-03-25T07:46:22Z" ], + "Date": [ "Wed, 25 Mar 2026 07:46:22 GMT" ] }, "ContentHeaders": { "Content-Length": [ "617" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/f04b319e-dc64-427b-8640-eef21b6fb5cd/actions/39fd7829-116a-4fa3-8ec5-71501bc5ae11\",\"name\":\"39fd7829-116a-4fa3-8ec5-71501bc5ae11\",\"type\":\"Microsoft.SecurityInsights/alertRules/actions\",\"properties\":{\"workflowId\":\"86d6ec0418794b35bb3b014e5448e0b6\",\"logicAppResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.Logic/workflows/Confirm-AADRiskyUser-Alert\"}}", + "Content": "{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/alertRules/0a7c15c8-9257-4a34-9097-b53e070bf76d/actions/a5627b08-648e-4278-a68a-86c4f2ed6418\",\"name\":\"a5627b08-648e-4278-a68a-86c4f2ed6418\",\"type\":\"Microsoft.SecurityInsights/alertRules/actions\",\"properties\":{\"workflowId\":\"18a59846385f49ef9c9711584ba6162c\",\"logicAppResourceId\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.Logic/workflows/Confirm-AADRiskyUser-Alert\"}}", "isContentBase64": false } }, - "Update-AzSentinelAlertRuleAction+[NoContext]+UpdateViaIdentityExpanded+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/90b62f2e-9b96-4bfb-a82a-5ceed7cd487e/actions/8f59d838-afdc-4ade-be00-58abc1f3a27f?api-version=2021-09-01-preview+1": { + "Update-AzSentinelAlertRuleAction+[NoContext]+UpdateViaIdentityExpanded+$GET+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/alertRules/c259c27b-4474-427f-8734-a99bee6d5d06/actions/e42abba3-1a7a-4b3c-b0c1-aec4c288b59c?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/90b62f2e-9b96-4bfb-a82a-5ceed7cd487e/actions/8f59d838-afdc-4ade-be00-58abc1f3a27f?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/alertRules/c259c27b-4474-427f-8734-a99bee6d5d06/actions/e42abba3-1a7a-4b3c-b0c1-aec4c288b59c?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "289" ], - "x-ms-client-request-id": [ "8e9be508-977d-4ba7-818f-1112c6040278" ], + "x-ms-unique-id": [ "130" ], + "x-ms-client-request-id": [ "a93c1a51-1825-43fa-9cd4-2e1921d8f681" ], "CommandName": [ "Get-AzSentinelAlertRuleAction" ], "FullCommandName": [ "Get-AzSentinelAlertRuleAction_Get" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], + "User-Agent": [ "AzurePowershell/v15.4.0", "PSVersion/v7.6.0", "Az.SecurityInsights/3.2.1" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { @@ -58,35 +61,39 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11935" ], - "x-ms-request-id": [ "564bf585-ebe3-4e42-b764-72e6f393be44" ], - "x-ms-correlation-request-id": [ "564bf585-ebe3-4e42-b764-72e6f393be44" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160843Z:564bf585-ebe3-4e42-b764-72e6f393be44" ], + "Vary": [ "Accept-Encoding" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "1099" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/ed4ddc32-27e6-4397-b943-858dd00e89b8" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-ratelimit-remaining-subscription-global-reads": [ "16499" ], + "x-ms-request-id": [ "853e7ae0-3dbe-4c43-bd4c-de2bf61f803c" ], + "x-ms-correlation-request-id": [ "853e7ae0-3dbe-4c43-bd4c-de2bf61f803c" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074623Z:853e7ae0-3dbe-4c43-bd4c-de2bf61f803c" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:08:42 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: DD6D4CCD51CB4CCBAB469A1A3AC84186 Ref B: AMS231020512027 Ref C: 2026-03-25T07:46:23Z" ], + "Date": [ "Wed, 25 Mar 2026 07:46:23 GMT" ] }, "ContentHeaders": { "Content-Length": [ "660" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/90b62f2e-9b96-4bfb-a82a-5ceed7cd487e/actions/8f59d838-afdc-4ade-be00-58abc1f3a27f\",\"name\":\"8f59d838-afdc-4ade-be00-58abc1f3a27f\",\"etag\":\"\\\"be017323-0000-0300-0000-62fbbb420000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules/actions\",\"properties\":{\"workflowId\":\"eb03b1bc818942e0a642c05aeef2614b\",\"logicAppResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.Logic/workflows/Block-AADUser-Alert\"}}", + "Content": "{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/alertRules/c259c27b-4474-427f-8734-a99bee6d5d06/actions/e42abba3-1a7a-4b3c-b0c1-aec4c288b59c\",\"name\":\"e42abba3-1a7a-4b3c-b0c1-aec4c288b59c\",\"etag\":\"\\\"08029d7e-0000-0300-0000-69c38ddc0000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules/actions\",\"properties\":{\"workflowId\":\"fdce5d8d4e914b7b99bd10b290075cc2\",\"logicAppResourceId\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.Logic/workflows/Block-AADUser-Alert\"}}", "isContentBase64": false } }, - "Update-AzSentinelAlertRuleAction+[NoContext]+UpdateViaIdentityExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/90b62f2e-9b96-4bfb-a82a-5ceed7cd487e/actions/8f59d838-afdc-4ade-be00-58abc1f3a27f?api-version=2021-09-01-preview+2": { + "Update-AzSentinelAlertRuleAction+[NoContext]+UpdateViaIdentityExpanded+$PUT+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/alertRules/c259c27b-4474-427f-8734-a99bee6d5d06/actions/e42abba3-1a7a-4b3c-b0c1-aec4c288b59c?api-version=2021-09-01-preview+2": { "Request": { "Method": "PUT", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/90b62f2e-9b96-4bfb-a82a-5ceed7cd487e/actions/8f59d838-afdc-4ade-be00-58abc1f3a27f?api-version=2021-09-01-preview", - "Content": "{\n \"properties\": {\n \"logicAppResourceId\": \"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.Logic/workflows/Confirm-AADRiskyUser-Alert\",\n \"triggerUri\": \"https://prod-22.centralus.logic.azure.com:443/workflows/86d6ec0418794b35bb3b014e5448e0b6/triggers/When_a_response_to_an_Azure_Sentinel_alert_is_triggered/paths/invoke?api-version=2016-06-01\\u0026sp=%2Ftriggers%2FWhen_a_response_to_an_Azure_Sentinel_alert_is_triggered%2Frun\\u0026sv=1.0\\u0026sig=fuFAHW0RWBesCKbfQlyAgswWDldw5fwJuUpzpVLjUQw\"\n }\n}", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/alertRules/c259c27b-4474-427f-8734-a99bee6d5d06/actions/e42abba3-1a7a-4b3c-b0c1-aec4c288b59c?api-version=2021-09-01-preview", + "Content": "{\r\n \"properties\": {\r\n \"logicAppResourceId\": \"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.Logic/workflows/Confirm-AADRiskyUser-Alert\",\r\n \"triggerUri\": \"https://prod-08.centralus.logic.azure.com:443/workflows/18a59846385f49ef9c9711584ba6162c/triggers/When_a_response_to_an_Azure_Sentinel_alert_is_triggered/paths/invoke?api-version=2016-06-01\\u0026sp=%2Ftriggers%2FWhen_a_response_to_an_Azure_Sentinel_alert_is_triggered%2Frun\\u0026sv=1.0\\u0026sig=tBpcYwVJuUNVBAdwMq1K0kfjZJX6coxhaADovea_MMk\"\r\n }\r\n}", "isContentBase64": false, "Headers": { }, "ContentHeaders": { "Content-Type": [ "application/json" ], - "Content-Length": [ "558" ] + "Content-Length": [ "563" ] } }, "Response": { @@ -94,21 +101,24 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-resource-requests": [ "497" ], - "x-ms-request-id": [ "3517170e-d239-467b-851c-54af87a66720" ], - "x-ms-correlation-request-id": [ "3517170e-d239-467b-851c-54af87a66720" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160844Z:3517170e-d239-467b-851c-54af87a66720" ], + "Vary": [ "Accept-Encoding" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "799" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/f454aa2e-9b2c-4c9f-be04-961c82d20ebc" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-request-id": [ "4a2b78ab-e18a-458f-9208-5dcf80030da1" ], + "x-ms-correlation-request-id": [ "4a2b78ab-e18a-458f-9208-5dcf80030da1" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074624Z:4a2b78ab-e18a-458f-9208-5dcf80030da1" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:08:44 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: 99122CB546644B2CBDB6A8030CE152E3 Ref B: AMS231020512027 Ref C: 2026-03-25T07:46:23Z" ], + "Date": [ "Wed, 25 Mar 2026 07:46:23 GMT" ] }, "ContentHeaders": { "Content-Length": [ "617" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/90b62f2e-9b96-4bfb-a82a-5ceed7cd487e/actions/8f59d838-afdc-4ade-be00-58abc1f3a27f\",\"name\":\"8f59d838-afdc-4ade-be00-58abc1f3a27f\",\"type\":\"Microsoft.SecurityInsights/alertRules/actions\",\"properties\":{\"workflowId\":\"86d6ec0418794b35bb3b014e5448e0b6\",\"logicAppResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.Logic/workflows/Confirm-AADRiskyUser-Alert\"}}", + "Content": "{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/alertRules/c259c27b-4474-427f-8734-a99bee6d5d06/actions/e42abba3-1a7a-4b3c-b0c1-aec4c288b59c\",\"name\":\"e42abba3-1a7a-4b3c-b0c1-aec4c288b59c\",\"type\":\"Microsoft.SecurityInsights/alertRules/actions\",\"properties\":{\"workflowId\":\"18a59846385f49ef9c9711584ba6162c\",\"logicAppResourceId\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.Logic/workflows/Confirm-AADRiskyUser-Alert\"}}", "isContentBase64": false } } diff --git a/src/SecurityInsights/SecurityInsights.Autorest/test/Update-AzSentinelAutomationRule.Recording.json b/src/SecurityInsights/SecurityInsights.Autorest/test/Update-AzSentinelAutomationRule.Recording.json index 55fa1c1ffbaf..83e8521327fe 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/test/Update-AzSentinelAutomationRule.Recording.json +++ b/src/SecurityInsights/SecurityInsights.Autorest/test/Update-AzSentinelAutomationRule.Recording.json @@ -1,17 +1,17 @@ { - "Update-AzSentinelAutomationRule+[NoContext]+UpdateExpanded+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/automationRules/904a62c7-a082-4674-a749-8dfae3498a35?api-version=2021-09-01-preview+1": { + "Update-AzSentinelAutomationRule+[NoContext]+UpdateExpanded+$GET+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/automationRules/f7430574-25fa-4e8f-81ba-eb37a11f70db?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/automationRules/904a62c7-a082-4674-a749-8dfae3498a35?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/automationRules/f7430574-25fa-4e8f-81ba-eb37a11f70db?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "291" ], - "x-ms-client-request-id": [ "ce7cd84a-5210-4cce-a74e-d87d95b10679" ], + "x-ms-unique-id": [ "132" ], + "x-ms-client-request-id": [ "14ca68e7-6e7a-4901-a0ee-79dffb70833a" ], "CommandName": [ "Get-AzSentinelAutomationRule" ], "FullCommandName": [ "Get-AzSentinelAutomationRule_Get" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], + "User-Agent": [ "AzurePowershell/v15.4.0", "PSVersion/v7.6.0", "Az.SecurityInsights/3.2.1" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { @@ -22,35 +22,82 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-resource-requests": [ "494" ], - "x-ms-request-id": [ "cf58baf6-cefb-4b18-8055-c227e0eaed18" ], - "x-ms-correlation-request-id": [ "cf58baf6-cefb-4b18-8055-c227e0eaed18" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160845Z:cf58baf6-cefb-4b18-8055-c227e0eaed18" ], + "Vary": [ "Accept-Encoding" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "1099" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/94604027-5901-45f0-84b7-ba393cf307de" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-request-id": [ "dbdc588f-9ff5-4bd6-bed1-3381daf00454" ], + "x-ms-correlation-request-id": [ "dbdc588f-9ff5-4bd6-bed1-3381daf00454" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074625Z:dbdc588f-9ff5-4bd6-bed1-3381daf00454" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:08:45 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: 7A65F88E3D8A495A88830348C4B282CD Ref B: AMS231020512027 Ref C: 2026-03-25T07:46:25Z" ], + "Date": [ "Wed, 25 Mar 2026 07:46:25 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "1289" ], + "Content-Length": [ "1275" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AutomationRules/904a62c7-a082-4674-a749-8dfae3498a35\",\"name\":\"904a62c7-a082-4674-a749-8dfae3498a35\",\"etag\":\"\\\"25003fe8-0000-0100-0000-62fbbc1e0000\\\"\",\"type\":\"Microsoft.SecurityInsights/AutomationRules\",\"properties\":{\"displayName\":\"UpdateAutomationRulefrz5oc\",\"order\":1,\"triggeringLogic\":{\"isEnabled\":true,\"triggersOn\":\"Incidents\",\"triggersWhen\":\"Created\",\"conditions\":[]},\"actions\":[{\"order\":1,\"actionType\":\"RunPlaybook\",\"actionConfiguration\":{\"logicAppResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.Logic/workflows/Block-AADUser-Incident\",\"tenantId\":\"d6eebbdd-d77c-465e-b008-4339027b4006\"}}],\"lastModifiedTimeUtc\":\"2022-08-16T15:47:42Z\",\"createdTimeUtc\":\"2022-08-16T15:47:42Z\",\"lastModifiedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"nicholas@zeronetworks.com\"},\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"nicholas@zeronetworks.com\"}}}", + "Content": "{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AutomationRules/f7430574-25fa-4e8f-81ba-eb37a11f70db\",\"name\":\"f7430574-25fa-4e8f-81ba-eb37a11f70db\",\"etag\":\"\\\"1600811c-0000-0100-0000-69c38e400000\\\"\",\"type\":\"Microsoft.SecurityInsights/AutomationRules\",\"properties\":{\"displayName\":\"UpdateAutomationRulet3on5c\",\"order\":1,\"triggeringLogic\":{\"isEnabled\":true,\"triggersOn\":\"Incidents\",\"triggersWhen\":\"Created\",\"conditions\":[]},\"actions\":[{\"order\":1,\"actionType\":\"RunPlaybook\",\"actionConfiguration\":{\"logicAppResourceId\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.Logic/workflows/Block-AADUser-Incident\",\"tenantId\":\"72f988bf-86f1-41af-91ab-2d7cd011db47\"}}],\"lastModifiedTimeUtc\":\"2026-03-25T07:26:56Z\",\"createdTimeUtc\":\"2026-03-25T07:26:56Z\",\"lastModifiedBy\":{\"objectId\":\"6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb\",\"email\":\"t-helezra@microsoft.com\",\"name\":\"Hadas Elezra\",\"userPrincipalName\":\"t-helezra@microsoft.com\"},\"createdBy\":{\"objectId\":\"6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb\",\"email\":\"t-helezra@microsoft.com\",\"name\":\"Hadas Elezra\",\"userPrincipalName\":\"t-helezra@microsoft.com\"}}}", "isContentBase64": false } }, - "Update-AzSentinelAutomationRule+[NoContext]+UpdateExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/automationRules/904a62c7-a082-4674-a749-8dfae3498a35?api-version=2021-09-01-preview+2": { + "Update-AzSentinelAutomationRule+[NoContext]+UpdateExpanded+$GET+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/automationRules/f7430574-25fa-4e8f-81ba-eb37a11f70db?api-version=2021-09-01-preview+2": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/automationRules/f7430574-25fa-4e8f-81ba-eb37a11f70db?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "133" ], + "x-ms-client-request-id": [ "6bfd7f1c-9c90-4898-b00d-69fabeace8d9" ], + "CommandName": [ "Update-AzSentinelAutomationRule" ], + "FullCommandName": [ "Update-AzSentinelAutomationRule_UpdateExpanded" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/v15.4.0", "PSVersion/v7.6.0", "Az.SecurityInsights/3.2.1" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Vary": [ "Accept-Encoding" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "1099" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/02080e38-f31c-40c9-b01c-c9b39fbac390" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-request-id": [ "68ba2be7-bd39-41b8-8a53-264da70e3d7b" ], + "x-ms-correlation-request-id": [ "68ba2be7-bd39-41b8-8a53-264da70e3d7b" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074626Z:68ba2be7-bd39-41b8-8a53-264da70e3d7b" ], + "X-Content-Type-Options": [ "nosniff" ], + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: 1CF6DB7685934D52858C4BF0AA6186F6 Ref B: AMS231020512027 Ref C: 2026-03-25T07:46:25Z" ], + "Date": [ "Wed, 25 Mar 2026 07:46:25 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "1275" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AutomationRules/f7430574-25fa-4e8f-81ba-eb37a11f70db\",\"name\":\"f7430574-25fa-4e8f-81ba-eb37a11f70db\",\"etag\":\"\\\"1600811c-0000-0100-0000-69c38e400000\\\"\",\"type\":\"Microsoft.SecurityInsights/AutomationRules\",\"properties\":{\"displayName\":\"UpdateAutomationRulet3on5c\",\"order\":1,\"triggeringLogic\":{\"isEnabled\":true,\"triggersOn\":\"Incidents\",\"triggersWhen\":\"Created\",\"conditions\":[]},\"actions\":[{\"order\":1,\"actionType\":\"RunPlaybook\",\"actionConfiguration\":{\"logicAppResourceId\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.Logic/workflows/Block-AADUser-Incident\",\"tenantId\":\"72f988bf-86f1-41af-91ab-2d7cd011db47\"}}],\"lastModifiedTimeUtc\":\"2026-03-25T07:26:56Z\",\"createdTimeUtc\":\"2026-03-25T07:26:56Z\",\"lastModifiedBy\":{\"objectId\":\"6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb\",\"email\":\"t-helezra@microsoft.com\",\"name\":\"Hadas Elezra\",\"userPrincipalName\":\"t-helezra@microsoft.com\"},\"createdBy\":{\"objectId\":\"6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb\",\"email\":\"t-helezra@microsoft.com\",\"name\":\"Hadas Elezra\",\"userPrincipalName\":\"t-helezra@microsoft.com\"}}}", + "isContentBase64": false + } + }, + "Update-AzSentinelAutomationRule+[NoContext]+UpdateExpanded+$PUT+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/automationRules/f7430574-25fa-4e8f-81ba-eb37a11f70db?api-version=2021-09-01-preview+3": { "Request": { "Method": "PUT", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/automationRules/904a62c7-a082-4674-a749-8dfae3498a35?api-version=2021-09-01-preview", - "Content": "{\n \"properties\": {\n \"triggeringLogic\": {\n \"isEnabled\": true,\n \"triggersOn\": \"Incidents\",\n \"triggersWhen\": \"Created\"\n },\n \"displayName\": \"UpdateAutomationRulefrz5oc\",\n \"order\": 1,\n \"actions\": [\n {\n \"order\": 1,\n \"actionType\": \"RunPlaybook\",\n \"actionConfiguration\": {\n \"logicAppResourceId\": \"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.Logic/workflows/Confirm-AADRiskyUser-Incident\",\n \"tenantId\": \"d6eebbdd-d77c-465e-b008-4339027b4006\"\n }\n }\n ]\n }\n}", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/automationRules/f7430574-25fa-4e8f-81ba-eb37a11f70db?api-version=2021-09-01-preview", + "Content": "{\r\n \"etag\": \"\\\"1600811c-0000-0100-0000-69c38e400000\\\"\",\r\n \"properties\": {\r\n \"triggeringLogic\": {\r\n \"isEnabled\": true,\r\n \"triggersOn\": \"Incidents\",\r\n \"triggersWhen\": \"Created\",\r\n \"conditions\": [ ]\r\n },\r\n \"displayName\": \"UpdateAutomationRulet3on5c\",\r\n \"order\": 1,\r\n \"actions\": [\r\n {\r\n \"order\": 1,\r\n \"actionType\": \"RunPlaybook\",\r\n \"actionConfiguration\": {\r\n \"logicAppResourceId\": \"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.Logic/workflows/Confirm-AADRiskyUser-Incident\",\r\n \"tenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n }\r\n ]\r\n }\r\n}", "isContentBase64": false, "Headers": { }, "ContentHeaders": { "Content-Type": [ "application/json" ], - "Content-Length": [ "595" ] + "Content-Length": [ "696" ] } }, "Response": { @@ -58,37 +105,84 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-resource-requests": [ "498" ], - "x-ms-request-id": [ "b489a9c3-da19-4687-b80f-be2068a32efe" ], - "x-ms-correlation-request-id": [ "b489a9c3-da19-4687-b80f-be2068a32efe" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160846Z:b489a9c3-da19-4687-b80f-be2068a32efe" ], + "Vary": [ "Accept-Encoding" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "799" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/d1cb6d53-249d-4276-8547-14c5c8c00dd4" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-request-id": [ "206cdccc-1c05-4e03-9a1f-0ec0afcb5319" ], + "x-ms-correlation-request-id": [ "206cdccc-1c05-4e03-9a1f-0ec0afcb5319" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074626Z:206cdccc-1c05-4e03-9a1f-0ec0afcb5319" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:08:46 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: 9988D9C8C37A47559DCE08EBADC9E6B8 Ref B: AMS231020512027 Ref C: 2026-03-25T07:46:26Z" ], + "Date": [ "Wed, 25 Mar 2026 07:46:26 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "1296" ], + "Content-Length": [ "1282" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AutomationRules/904a62c7-a082-4674-a749-8dfae3498a35\",\"name\":\"904a62c7-a082-4674-a749-8dfae3498a35\",\"etag\":\"\\\"26003f5e-0000-0100-0000-62fbc10e0000\\\"\",\"type\":\"Microsoft.SecurityInsights/AutomationRules\",\"properties\":{\"displayName\":\"UpdateAutomationRulefrz5oc\",\"order\":1,\"triggeringLogic\":{\"isEnabled\":true,\"triggersOn\":\"Incidents\",\"triggersWhen\":\"Created\",\"conditions\":[]},\"actions\":[{\"order\":1,\"actionType\":\"RunPlaybook\",\"actionConfiguration\":{\"logicAppResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.Logic/workflows/Confirm-AADRiskyUser-Incident\",\"tenantId\":\"d6eebbdd-d77c-465e-b008-4339027b4006\"}}],\"lastModifiedTimeUtc\":\"2022-08-16T16:08:46Z\",\"createdTimeUtc\":\"2022-08-16T15:47:42Z\",\"lastModifiedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"nicholas@zeronetworks.com\"},\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"nicholas@zeronetworks.com\"}}}", + "Content": "{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AutomationRules/f7430574-25fa-4e8f-81ba-eb37a11f70db\",\"name\":\"f7430574-25fa-4e8f-81ba-eb37a11f70db\",\"etag\":\"\\\"1600513f-0000-0100-0000-69c392d20000\\\"\",\"type\":\"Microsoft.SecurityInsights/AutomationRules\",\"properties\":{\"displayName\":\"UpdateAutomationRulet3on5c\",\"order\":1,\"triggeringLogic\":{\"isEnabled\":true,\"triggersOn\":\"Incidents\",\"triggersWhen\":\"Created\",\"conditions\":[]},\"actions\":[{\"order\":1,\"actionType\":\"RunPlaybook\",\"actionConfiguration\":{\"logicAppResourceId\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.Logic/workflows/Confirm-AADRiskyUser-Incident\",\"tenantId\":\"72f988bf-86f1-41af-91ab-2d7cd011db47\"}}],\"lastModifiedTimeUtc\":\"2026-03-25T07:46:26Z\",\"createdTimeUtc\":\"2026-03-25T07:26:56Z\",\"lastModifiedBy\":{\"objectId\":\"6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb\",\"email\":\"t-helezra@microsoft.com\",\"name\":\"Hadas Elezra\",\"userPrincipalName\":\"t-helezra@microsoft.com\"},\"createdBy\":{\"objectId\":\"6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb\",\"email\":\"t-helezra@microsoft.com\",\"name\":\"Hadas Elezra\",\"userPrincipalName\":\"t-helezra@microsoft.com\"}}}", "isContentBase64": false } }, - "Update-AzSentinelAutomationRule+[NoContext]+UpdateViaIdentityExpanded+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/automationRules/904a62c7-a082-4674-a749-8dfae3498a35?api-version=2021-09-01-preview+1": { + "Update-AzSentinelAutomationRule+[NoContext]+UpdateViaIdentityExpanded+$GET+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/automationRules/f7430574-25fa-4e8f-81ba-eb37a11f70db?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/automationRules/904a62c7-a082-4674-a749-8dfae3498a35?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/automationRules/f7430574-25fa-4e8f-81ba-eb37a11f70db?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "293" ], - "x-ms-client-request-id": [ "95483300-317e-4655-9ac8-4951d21e2ee3" ], + "x-ms-unique-id": [ "135" ], + "x-ms-client-request-id": [ "9f6cecbb-285e-4c8a-b749-c570fc747b4a" ], "CommandName": [ "Get-AzSentinelAutomationRule" ], "FullCommandName": [ "Get-AzSentinelAutomationRule_Get" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], + "User-Agent": [ "AzurePowershell/v15.4.0", "PSVersion/v7.6.0", "Az.SecurityInsights/3.2.1" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Vary": [ "Accept-Encoding" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "1099" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/70f494c5-fcb7-4e88-9698-19943207a6d8" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-request-id": [ "20082464-3616-470f-82a1-85526ad15cd4" ], + "x-ms-correlation-request-id": [ "20082464-3616-470f-82a1-85526ad15cd4" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074627Z:20082464-3616-470f-82a1-85526ad15cd4" ], + "X-Content-Type-Options": [ "nosniff" ], + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: 01A75C318DE44CDDBED5784E650B3519 Ref B: AMS231020512027 Ref C: 2026-03-25T07:46:27Z" ], + "Date": [ "Wed, 25 Mar 2026 07:46:26 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "1282" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AutomationRules/f7430574-25fa-4e8f-81ba-eb37a11f70db\",\"name\":\"f7430574-25fa-4e8f-81ba-eb37a11f70db\",\"etag\":\"\\\"1600513f-0000-0100-0000-69c392d20000\\\"\",\"type\":\"Microsoft.SecurityInsights/AutomationRules\",\"properties\":{\"displayName\":\"UpdateAutomationRulet3on5c\",\"order\":1,\"triggeringLogic\":{\"isEnabled\":true,\"triggersOn\":\"Incidents\",\"triggersWhen\":\"Created\",\"conditions\":[]},\"actions\":[{\"order\":1,\"actionType\":\"RunPlaybook\",\"actionConfiguration\":{\"logicAppResourceId\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.Logic/workflows/Confirm-AADRiskyUser-Incident\",\"tenantId\":\"72f988bf-86f1-41af-91ab-2d7cd011db47\"}}],\"lastModifiedTimeUtc\":\"2026-03-25T07:46:26Z\",\"createdTimeUtc\":\"2026-03-25T07:26:56Z\",\"lastModifiedBy\":{\"objectId\":\"6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb\",\"email\":\"t-helezra@microsoft.com\",\"name\":\"Hadas Elezra\",\"userPrincipalName\":\"t-helezra@microsoft.com\"},\"createdBy\":{\"objectId\":\"6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb\",\"email\":\"t-helezra@microsoft.com\",\"name\":\"Hadas Elezra\",\"userPrincipalName\":\"t-helezra@microsoft.com\"}}}", + "isContentBase64": false + } + }, + "Update-AzSentinelAutomationRule+[NoContext]+UpdateViaIdentityExpanded+$GET+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/automationRules/f7430574-25fa-4e8f-81ba-eb37a11f70db?api-version=2021-09-01-preview+2": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/automationRules/f7430574-25fa-4e8f-81ba-eb37a11f70db?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "136" ], + "x-ms-client-request-id": [ "834791fe-3c34-4f4d-a3a1-9c890d31b8ea" ], + "CommandName": [ "Update-AzSentinelAutomationRule" ], + "FullCommandName": [ "Update-AzSentinelAutomationRule_UpdateViaIdentityExpanded" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/v15.4.0", "PSVersion/v7.6.0", "Az.SecurityInsights/3.2.1" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { @@ -99,35 +193,38 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-resource-requests": [ "493" ], - "x-ms-request-id": [ "5a5d858b-0f57-4873-a80a-987672dfb04e" ], - "x-ms-correlation-request-id": [ "5a5d858b-0f57-4873-a80a-987672dfb04e" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160846Z:5a5d858b-0f57-4873-a80a-987672dfb04e" ], + "Vary": [ "Accept-Encoding" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "1099" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/4d20e3ac-d3c4-4a18-a1db-3f2e6110ac07" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-request-id": [ "0f2f2021-b329-4b92-8761-0cf825cbb099" ], + "x-ms-correlation-request-id": [ "0f2f2021-b329-4b92-8761-0cf825cbb099" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074627Z:0f2f2021-b329-4b92-8761-0cf825cbb099" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:08:46 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: 8DD30C1D68634C0CA6DDB5EF96722B46 Ref B: AMS231020512027 Ref C: 2026-03-25T07:46:27Z" ], + "Date": [ "Wed, 25 Mar 2026 07:46:27 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "1296" ], + "Content-Length": [ "1282" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AutomationRules/904a62c7-a082-4674-a749-8dfae3498a35\",\"name\":\"904a62c7-a082-4674-a749-8dfae3498a35\",\"etag\":\"\\\"26003f5e-0000-0100-0000-62fbc10e0000\\\"\",\"type\":\"Microsoft.SecurityInsights/AutomationRules\",\"properties\":{\"displayName\":\"UpdateAutomationRulefrz5oc\",\"order\":1,\"triggeringLogic\":{\"isEnabled\":true,\"triggersOn\":\"Incidents\",\"triggersWhen\":\"Created\",\"conditions\":[]},\"actions\":[{\"order\":1,\"actionType\":\"RunPlaybook\",\"actionConfiguration\":{\"logicAppResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.Logic/workflows/Confirm-AADRiskyUser-Incident\",\"tenantId\":\"d6eebbdd-d77c-465e-b008-4339027b4006\"}}],\"lastModifiedTimeUtc\":\"2022-08-16T16:08:46Z\",\"createdTimeUtc\":\"2022-08-16T15:47:42Z\",\"lastModifiedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"nicholas@zeronetworks.com\"},\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"nicholas@zeronetworks.com\"}}}", + "Content": "{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AutomationRules/f7430574-25fa-4e8f-81ba-eb37a11f70db\",\"name\":\"f7430574-25fa-4e8f-81ba-eb37a11f70db\",\"etag\":\"\\\"1600513f-0000-0100-0000-69c392d20000\\\"\",\"type\":\"Microsoft.SecurityInsights/AutomationRules\",\"properties\":{\"displayName\":\"UpdateAutomationRulet3on5c\",\"order\":1,\"triggeringLogic\":{\"isEnabled\":true,\"triggersOn\":\"Incidents\",\"triggersWhen\":\"Created\",\"conditions\":[]},\"actions\":[{\"order\":1,\"actionType\":\"RunPlaybook\",\"actionConfiguration\":{\"logicAppResourceId\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.Logic/workflows/Confirm-AADRiskyUser-Incident\",\"tenantId\":\"72f988bf-86f1-41af-91ab-2d7cd011db47\"}}],\"lastModifiedTimeUtc\":\"2026-03-25T07:46:26Z\",\"createdTimeUtc\":\"2026-03-25T07:26:56Z\",\"lastModifiedBy\":{\"objectId\":\"6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb\",\"email\":\"t-helezra@microsoft.com\",\"name\":\"Hadas Elezra\",\"userPrincipalName\":\"t-helezra@microsoft.com\"},\"createdBy\":{\"objectId\":\"6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb\",\"email\":\"t-helezra@microsoft.com\",\"name\":\"Hadas Elezra\",\"userPrincipalName\":\"t-helezra@microsoft.com\"}}}", "isContentBase64": false } }, - "Update-AzSentinelAutomationRule+[NoContext]+UpdateViaIdentityExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/automationRules/904a62c7-a082-4674-a749-8dfae3498a35?api-version=2021-09-01-preview+2": { + "Update-AzSentinelAutomationRule+[NoContext]+UpdateViaIdentityExpanded+$PUT+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/automationRules/f7430574-25fa-4e8f-81ba-eb37a11f70db?api-version=2021-09-01-preview+3": { "Request": { "Method": "PUT", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/automationRules/904a62c7-a082-4674-a749-8dfae3498a35?api-version=2021-09-01-preview", - "Content": "{\n \"properties\": {\n \"triggeringLogic\": {\n \"isEnabled\": true,\n \"triggersOn\": \"Incidents\",\n \"triggersWhen\": \"Created\"\n },\n \"displayName\": \"UpdateAutomationRulefrz5oc\",\n \"order\": 1,\n \"actions\": [\n {\n \"order\": 1,\n \"actionType\": \"RunPlaybook\",\n \"actionConfiguration\": {\n \"logicAppResourceId\": \"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.Logic/workflows/Confirm-AADRiskyUser-Incident\",\n \"tenantId\": \"d6eebbdd-d77c-465e-b008-4339027b4006\"\n }\n }\n ]\n }\n}", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/automationRules/f7430574-25fa-4e8f-81ba-eb37a11f70db?api-version=2021-09-01-preview", + "Content": "{\r\n \"etag\": \"\\\"1600513f-0000-0100-0000-69c392d20000\\\"\",\r\n \"properties\": {\r\n \"triggeringLogic\": {\r\n \"isEnabled\": true,\r\n \"triggersOn\": \"Incidents\",\r\n \"triggersWhen\": \"Created\",\r\n \"conditions\": [ ]\r\n },\r\n \"displayName\": \"UpdateAutomationRulet3on5c\",\r\n \"order\": 1,\r\n \"actions\": [\r\n {\r\n \"order\": 1,\r\n \"actionType\": \"RunPlaybook\",\r\n \"actionConfiguration\": {\r\n \"logicAppResourceId\": \"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.Logic/workflows/Confirm-AADRiskyUser-Incident\",\r\n \"tenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\r\n }\r\n }\r\n ]\r\n }\r\n}", "isContentBase64": false, "Headers": { }, "ContentHeaders": { "Content-Type": [ "application/json" ], - "Content-Length": [ "595" ] + "Content-Length": [ "696" ] } }, "Response": { @@ -135,21 +232,24 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-resource-requests": [ "497" ], - "x-ms-request-id": [ "b16a3850-ef39-4bce-894a-aa8db051cf20" ], - "x-ms-correlation-request-id": [ "b16a3850-ef39-4bce-894a-aa8db051cf20" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160846Z:b16a3850-ef39-4bce-894a-aa8db051cf20" ], + "Vary": [ "Accept-Encoding" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "799" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/8e6a8398-6857-4d81-9eb9-865106cbfffd" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-request-id": [ "b4158de8-edf6-42d9-9297-267d70584553" ], + "x-ms-correlation-request-id": [ "b4158de8-edf6-42d9-9297-267d70584553" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074628Z:b4158de8-edf6-42d9-9297-267d70584553" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:08:46 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: 9CF22E3387EF4CAA825ABDB300F486A1 Ref B: AMS231020512027 Ref C: 2026-03-25T07:46:27Z" ], + "Date": [ "Wed, 25 Mar 2026 07:46:27 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "1296" ], + "Content-Length": [ "1282" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AutomationRules/904a62c7-a082-4674-a749-8dfae3498a35\",\"name\":\"904a62c7-a082-4674-a749-8dfae3498a35\",\"etag\":\"\\\"2600465e-0000-0100-0000-62fbc10e0000\\\"\",\"type\":\"Microsoft.SecurityInsights/AutomationRules\",\"properties\":{\"displayName\":\"UpdateAutomationRulefrz5oc\",\"order\":1,\"triggeringLogic\":{\"isEnabled\":true,\"triggersOn\":\"Incidents\",\"triggersWhen\":\"Created\",\"conditions\":[]},\"actions\":[{\"order\":1,\"actionType\":\"RunPlaybook\",\"actionConfiguration\":{\"logicAppResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.Logic/workflows/Confirm-AADRiskyUser-Incident\",\"tenantId\":\"d6eebbdd-d77c-465e-b008-4339027b4006\"}}],\"lastModifiedTimeUtc\":\"2022-08-16T16:08:46Z\",\"createdTimeUtc\":\"2022-08-16T15:47:42Z\",\"lastModifiedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"nicholas@zeronetworks.com\"},\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"nicholas@zeronetworks.com\"}}}", + "Content": "{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AutomationRules/f7430574-25fa-4e8f-81ba-eb37a11f70db\",\"name\":\"f7430574-25fa-4e8f-81ba-eb37a11f70db\",\"etag\":\"\\\"16005a3f-0000-0100-0000-69c392d40000\\\"\",\"type\":\"Microsoft.SecurityInsights/AutomationRules\",\"properties\":{\"displayName\":\"UpdateAutomationRulet3on5c\",\"order\":1,\"triggeringLogic\":{\"isEnabled\":true,\"triggersOn\":\"Incidents\",\"triggersWhen\":\"Created\",\"conditions\":[]},\"actions\":[{\"order\":1,\"actionType\":\"RunPlaybook\",\"actionConfiguration\":{\"logicAppResourceId\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.Logic/workflows/Confirm-AADRiskyUser-Incident\",\"tenantId\":\"72f988bf-86f1-41af-91ab-2d7cd011db47\"}}],\"lastModifiedTimeUtc\":\"2026-03-25T07:46:28Z\",\"createdTimeUtc\":\"2026-03-25T07:26:56Z\",\"lastModifiedBy\":{\"objectId\":\"6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb\",\"email\":\"t-helezra@microsoft.com\",\"name\":\"Hadas Elezra\",\"userPrincipalName\":\"t-helezra@microsoft.com\"},\"createdBy\":{\"objectId\":\"6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb\",\"email\":\"t-helezra@microsoft.com\",\"name\":\"Hadas Elezra\",\"userPrincipalName\":\"t-helezra@microsoft.com\"}}}", "isContentBase64": false } } diff --git a/src/SecurityInsights/SecurityInsights.Autorest/test/Update-AzSentinelBookmark.Recording.json b/src/SecurityInsights/SecurityInsights.Autorest/test/Update-AzSentinelBookmark.Recording.json index fb36ffb542a3..1f6c6457d009 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/test/Update-AzSentinelBookmark.Recording.json +++ b/src/SecurityInsights/SecurityInsights.Autorest/test/Update-AzSentinelBookmark.Recording.json @@ -1,17 +1,17 @@ { - "Update-AzSentinelBookmark+[NoContext]+UpdateExpanded+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/bookmarks/4a1c3550-81e9-42ae-8302-a2234a8d3168?api-version=2021-09-01-preview+1": { + "Update-AzSentinelBookmark+[NoContext]+UpdateExpanded+$GET+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/bookmarks/2b6690b9-7f3b-4239-b675-41640f710da0?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/bookmarks/4a1c3550-81e9-42ae-8302-a2234a8d3168?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/bookmarks/2b6690b9-7f3b-4239-b675-41640f710da0?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "295" ], - "x-ms-client-request-id": [ "165b612f-242b-49ea-827b-b12b2dfeda1a" ], + "x-ms-unique-id": [ "138" ], + "x-ms-client-request-id": [ "48b327e9-f138-4bb6-bfb4-c3effabb0767" ], "CommandName": [ "Get-AzSentinelBookmark" ], "FullCommandName": [ "Get-AzSentinelBookmark_Get" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], + "User-Agent": [ "AzurePowershell/v15.4.0", "PSVersion/v7.6.0", "Az.SecurityInsights/3.2.1" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { @@ -22,35 +22,84 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11934" ], - "x-ms-request-id": [ "29d8829b-da75-405d-8b42-d6cf036d8e3f" ], - "x-ms-correlation-request-id": [ "29d8829b-da75-405d-8b42-d6cf036d8e3f" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160847Z:29d8829b-da75-405d-8b42-d6cf036d8e3f" ], + "Vary": [ "Accept-Encoding" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "1099" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/9e99782e-d828-40e9-9045-32304806a8d0" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-ratelimit-remaining-subscription-global-reads": [ "16499" ], + "x-ms-request-id": [ "ff3ee478-38c0-4525-914f-e18c1c6828d6" ], + "x-ms-correlation-request-id": [ "ff3ee478-38c0-4525-914f-e18c1c6828d6" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074629Z:ff3ee478-38c0-4525-914f-e18c1c6828d6" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:08:47 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: 802E780400B14B34B88F4AB5F6D29DC9 Ref B: AMS231020512027 Ref C: 2026-03-25T07:46:29Z" ], + "Date": [ "Wed, 25 Mar 2026 07:46:28 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "5291" ], + "Content-Length": [ "5281" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Bookmarks/4a1c3550-81e9-42ae-8302-a2234a8d3168\",\"name\":\"4a1c3550-81e9-42ae-8302-a2234a8d3168\",\"etag\":\"\\\"3c005b8a-0000-0100-0000-62fbbcc60000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"Updatebookmarkd4t6g3\",\"created\":\"2022-08-16T15:50:30.6003748+00:00\",\"updated\":\"2022-08-16T15:50:30.6003748+00:00\",\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2022-08-16T03:00:00+00:00\",\"notes\":\"Notes go here\",\"labels\":[\"asptest\"],\"query\":\"SigninLogs_CL\",\"queryResult\":\"{\\\"TenantId\\\":\\\"6ad64079-1c3e-4672-bc2d-08df98ad5751\\\",\\\"SourceSystem\\\":\\\"RestAPI\\\",\\\"MG\\\":\\\"\\\",\\\"ManagementGroupName\\\":\\\"\\\",\\\"TimeGenerated\\\":\\\"2021-12-08T03:59:19.262Z\\\",\\\"Computer\\\":\\\"\\\",\\\"RawData\\\":\\\"\\\",\\\"ResourceId\\\":\\\"/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam\\\",\\\"OperationName\\\":\\\"Sign-in activity\\\",\\\"OperationVersion\\\":\\\"1\\\",\\\"Category\\\":\\\"SignInLogs\\\",\\\"ResultType\\\":\\\"0\\\",\\\"ResultSignature\\\":\\\"None\\\",\\\"ResultDescription\\\":\\\"\\\",\\\"DurationMs\\\":0,\\\"CorrelationId\\\":\\\"f9ff9ee8-d565-478b-bc95-8b4f0d468fe1\\\",\\\"Resource\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceGroup\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceProvider\\\":\\\"\\\",\\\"Identity_s\\\":\\\"Adele Vance\\\",\\\"Level\\\":\\\"4\\\",\\\"Location_s\\\":\\\"IL\\\",\\\"AlternateSignInName_s\\\":\\\"\\\",\\\"AppDisplayName_s\\\":\\\"Azure Portal\\\",\\\"AppId_g\\\":\\\"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\\\",\\\"AuthenticationDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"authenticationStepDateTime\\\\\\\": \\\\\\\"2021-04-28T14:08:45.2213421+00:00\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationMethod\\\\\\\": \\\\\\\"Previously satisfied\\\\\\\",\\\\r\\\\n \\\\\\\"succeeded\\\\\\\": true,\\\\r\\\\n \\\\\\\"authenticationStepResultDetail\\\\\\\": \\\\\\\"First factor requirement satisfied by claim in the token\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationStepRequirement\\\\\\\": \\\\\\\"Primary authentication\\\\\\\",\\\\r\\\\n \\\\\\\"StatusSequence\\\\\\\": 0,\\\\r\\\\n \\\\\\\"RequestSequence\\\\\\\": 0\\\\r\\\\n }\\\\r\\\\n]\\\",\\\"AuthenticationMethodsUsed_s\\\":\\\"\\\",\\\"AuthenticationProcessingDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"key\\\\\\\": \\\\\\\"IsCAEToken\\\\\\\",\\\\r\\\\n \\\\\\\"value\\\\\\\": \\\\\\\"False\\\\\\\"\\\\r\\\\n }\\\\r\\\\n]\\\",\\\"AuthenticationRequirement_s\\\":\\\"singleFactorAuthentication\\\",\\\"AuthenticationRequirementPolicies_s\\\":\\\"[]\\\",\\\"ClientAppUsed_s\\\":\\\"Browser\\\",\\\"ConditionalAccessPolicies_dynamic_s\\\":\\\"[{\\\\\\\"enforcedSessionControls\\\\\\\":[],\\\\\\\"conditionsNotSatisfied\\\\\\\":0,\\\\\\\"enforcedGrantControls\\\\\\\":[],\\\\\\\"conditionsSatisfied\\\\\\\":0,\\\\\\\"displayName\\\\\\\":\\\\\\\"Exchange Online Requires Compliant Device\\\\\\\",\\\\\\\"result\\\\\\\":\\\\\\\"notEnabled\\\\\\\",\\\\\\\"id\\\\\\\":\\\\\\\"defb835a-eb9f-4346-a2ca-7a9184867bf1\\\\\\\"}]\\\",\\\"ConditionalAccessPolicies_string_s\\\":\\\"\\\",\\\"ConditionalAccessStatus_s\\\":\\\"notApplied\\\",\\\"CreatedDateTime_UTC__s\\\":\\\"4/28/2021, 2:08:45.221 PM\\\",\\\"DeviceDetail_dynamic_s\\\":\\\"{\\\\\\\"operatingSystem\\\\\\\":\\\\\\\"Windows 10\\\\\\\",\\\\\\\"deviceId\\\\\\\":\\\\\\\"\\\\\\\",\\\\\\\"browser\\\\\\\":\\\\\\\"Edge 90.0.818\\\\\\\"}\\\",\\\"DeviceDetail_string_s\\\":\\\"\\\",\\\"IsInteractive_s\\\":\\\"TRUE\\\",\\\"Id_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"IPAddress\\\":\\\"175.45.176.99\\\",\\\"IsRisky_s\\\":\\\"\\\",\\\"LocationDetails_dynamic_s\\\":\\\"{\\\\\\\"countryOrRegion\\\\\\\":\\\\\\\"IL\\\\\\\",\\\\\\\"geoCoordinates\\\\\\\":{\\\\\\\"longitude\\\\\\\":34.79964828491211,\\\\\\\"latitude\\\\\\\":32.02956008911133},\\\\\\\"state\\\\\\\":\\\\\\\"Tel Aviv\\\\\\\",\\\\\\\"city\\\\\\\":\\\\\\\"Azor\\\\\\\"}\\\",\\\"LocationDetails_string_s\\\":\\\"\\\",\\\"MfaDetail_dynamic_s\\\":\\\"{}\\\",\\\"MfaDetail_string_s\\\":\\\"\\\",\\\"NetworkLocationDetails_s\\\":\\\"[]\\\",\\\"OriginalRequestId_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"ProcessingTimeInMilliseconds_s\\\":\\\"3535\\\",\\\"RiskDetail_s\\\":\\\"none\\\",\\\"RiskEventTypes_s\\\":\\\"[]\\\",\\\"RiskEventTypes_V2_s\\\":\\\"[]\\\",\\\"RiskLevelAggregated_s\\\":\\\"none\\\",\\\"RiskLevelDuringSignIn_s\\\":\\\"none\\\",\\\"RiskState_s\\\":\\\"none\\\",\\\"ResourceDisplayName_s\\\":\\\"Windows Azure Service Management API\\\",\\\"ResourceIdentity_g\\\":\\\"797f4846-ba00-4fd7-ba43-dac1f8f63013\\\",\\\"ServicePrincipalId_s\\\":\\\"\\\",\\\"ServicePrincipalName_s\\\":\\\"\\\",\\\"Status_dynamic_s\\\":\\\"{\\\\\\\"errorCode\\\\\\\":0}\\\",\\\"Status_string_s\\\":\\\"\\\",\\\"TokenIssuerName_s\\\":\\\"\\\",\\\"TokenIssuerType_s\\\":\\\"AzureAD\\\",\\\"UserAgent_s\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49\\\",\\\"UserDisplayName_s\\\":\\\"Adele Vance\\\",\\\"UserId_g\\\":\\\"9b117c67-170e-4aed-9702-658b3fddc889\\\",\\\"UserPrincipalName_s\\\":\\\"adelev@m365x816222.onmicrosoft.com\\\",\\\"AADTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"UserType_s\\\":\\\"Member\\\",\\\"FlaggedForReview_s\\\":\\\"\\\",\\\"SignInIdentifier_s\\\":\\\"\\\",\\\"SignInIdentifierType_s\\\":\\\"\\\",\\\"ResourceTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"HomeTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"Type_s\\\":\\\"SigninLogs\\\",\\\"AdditionalDetails_s\\\":\\\"\\\",\\\"InitiatedBy_s\\\":\\\"\\\",\\\"ResourceIdentity_s\\\":\\\"\\\",\\\"HomeTenantId_s\\\":\\\"\\\",\\\"Type\\\":\\\"SigninLogs_CL\\\",\\\"_ResourceId\\\":\\\"\\\"}\",\"queryStartTime\":\"2022-08-15T03:00:00+00:00\",\"queryEndTime\":\"2022-08-16T03:00:00+00:00\",\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}}", + "Content": "{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Bookmarks/2b6690b9-7f3b-4239-b675-41640f710da0\",\"name\":\"2b6690b9-7f3b-4239-b675-41640f710da0\",\"etag\":\"\\\"3b0058f8-0000-0100-0000-69c38e680000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"Updatebookmarkcmzxnh\",\"created\":\"2026-03-25T07:27:36.5332527+00:00\",\"updated\":\"2026-03-25T07:27:36.5332527+00:00\",\"createdBy\":{\"objectId\":\"6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb\",\"email\":\"t-helezra@microsoft.com\",\"name\":\"Hadas Elezra\"},\"updatedBy\":{\"objectId\":\"6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb\",\"email\":\"t-helezra@microsoft.com\",\"name\":\"Hadas Elezra\"},\"eventTime\":\"2026-03-25T07:00:00+00:00\",\"notes\":\"Notes go here\",\"labels\":[\"asptest\"],\"query\":\"SigninLogs_CL\",\"queryResult\":\"{\\\"TenantId\\\":\\\"6ad64079-1c3e-4672-bc2d-08df98ad5751\\\",\\\"SourceSystem\\\":\\\"RestAPI\\\",\\\"MG\\\":\\\"\\\",\\\"ManagementGroupName\\\":\\\"\\\",\\\"TimeGenerated\\\":\\\"2021-12-08T03:59:19.262Z\\\",\\\"Computer\\\":\\\"\\\",\\\"RawData\\\":\\\"\\\",\\\"ResourceId\\\":\\\"/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam\\\",\\\"OperationName\\\":\\\"Sign-in activity\\\",\\\"OperationVersion\\\":\\\"1\\\",\\\"Category\\\":\\\"SignInLogs\\\",\\\"ResultType\\\":\\\"0\\\",\\\"ResultSignature\\\":\\\"None\\\",\\\"ResultDescription\\\":\\\"\\\",\\\"DurationMs\\\":0,\\\"CorrelationId\\\":\\\"f9ff9ee8-d565-478b-bc95-8b4f0d468fe1\\\",\\\"Resource\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceGroup\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceProvider\\\":\\\"\\\",\\\"Identity_s\\\":\\\"Adele Vance\\\",\\\"Level\\\":\\\"4\\\",\\\"Location_s\\\":\\\"IL\\\",\\\"AlternateSignInName_s\\\":\\\"\\\",\\\"AppDisplayName_s\\\":\\\"Azure Portal\\\",\\\"AppId_g\\\":\\\"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\\\",\\\"AuthenticationDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"authenticationStepDateTime\\\\\\\": \\\\\\\"2021-04-28T14:08:45.2213421+00:00\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationMethod\\\\\\\": \\\\\\\"Previously satisfied\\\\\\\",\\\\r\\\\n \\\\\\\"succeeded\\\\\\\": true,\\\\r\\\\n \\\\\\\"authenticationStepResultDetail\\\\\\\": \\\\\\\"First factor requirement satisfied by claim in the token\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationStepRequirement\\\\\\\": \\\\\\\"Primary authentication\\\\\\\",\\\\r\\\\n \\\\\\\"StatusSequence\\\\\\\": 0,\\\\r\\\\n \\\\\\\"RequestSequence\\\\\\\": 0\\\\r\\\\n }\\\\r\\\\n]\\\",\\\"AuthenticationMethodsUsed_s\\\":\\\"\\\",\\\"AuthenticationProcessingDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"key\\\\\\\": \\\\\\\"IsCAEToken\\\\\\\",\\\\r\\\\n \\\\\\\"value\\\\\\\": \\\\\\\"False\\\\\\\"\\\\r\\\\n }\\\\r\\\\n]\\\",\\\"AuthenticationRequirement_s\\\":\\\"singleFactorAuthentication\\\",\\\"AuthenticationRequirementPolicies_s\\\":\\\"[]\\\",\\\"ClientAppUsed_s\\\":\\\"Browser\\\",\\\"ConditionalAccessPolicies_dynamic_s\\\":\\\"[{\\\\\\\"enforcedSessionControls\\\\\\\":[],\\\\\\\"conditionsNotSatisfied\\\\\\\":0,\\\\\\\"enforcedGrantControls\\\\\\\":[],\\\\\\\"conditionsSatisfied\\\\\\\":0,\\\\\\\"displayName\\\\\\\":\\\\\\\"Exchange Online Requires Compliant Device\\\\\\\",\\\\\\\"result\\\\\\\":\\\\\\\"notEnabled\\\\\\\",\\\\\\\"id\\\\\\\":\\\\\\\"defb835a-eb9f-4346-a2ca-7a9184867bf1\\\\\\\"}]\\\",\\\"ConditionalAccessPolicies_string_s\\\":\\\"\\\",\\\"ConditionalAccessStatus_s\\\":\\\"notApplied\\\",\\\"CreatedDateTime_UTC__s\\\":\\\"4/28/2021, 2:08:45.221 PM\\\",\\\"DeviceDetail_dynamic_s\\\":\\\"{\\\\\\\"operatingSystem\\\\\\\":\\\\\\\"Windows 10\\\\\\\",\\\\\\\"deviceId\\\\\\\":\\\\\\\"\\\\\\\",\\\\\\\"browser\\\\\\\":\\\\\\\"Edge 90.0.818\\\\\\\"}\\\",\\\"DeviceDetail_string_s\\\":\\\"\\\",\\\"IsInteractive_s\\\":\\\"TRUE\\\",\\\"Id_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"IPAddress\\\":\\\"175.45.176.99\\\",\\\"IsRisky_s\\\":\\\"\\\",\\\"LocationDetails_dynamic_s\\\":\\\"{\\\\\\\"countryOrRegion\\\\\\\":\\\\\\\"IL\\\\\\\",\\\\\\\"geoCoordinates\\\\\\\":{\\\\\\\"longitude\\\\\\\":34.79964828491211,\\\\\\\"latitude\\\\\\\":32.02956008911133},\\\\\\\"state\\\\\\\":\\\\\\\"Tel Aviv\\\\\\\",\\\\\\\"city\\\\\\\":\\\\\\\"Azor\\\\\\\"}\\\",\\\"LocationDetails_string_s\\\":\\\"\\\",\\\"MfaDetail_dynamic_s\\\":\\\"{}\\\",\\\"MfaDetail_string_s\\\":\\\"\\\",\\\"NetworkLocationDetails_s\\\":\\\"[]\\\",\\\"OriginalRequestId_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"ProcessingTimeInMilliseconds_s\\\":\\\"3535\\\",\\\"RiskDetail_s\\\":\\\"none\\\",\\\"RiskEventTypes_s\\\":\\\"[]\\\",\\\"RiskEventTypes_V2_s\\\":\\\"[]\\\",\\\"RiskLevelAggregated_s\\\":\\\"none\\\",\\\"RiskLevelDuringSignIn_s\\\":\\\"none\\\",\\\"RiskState_s\\\":\\\"none\\\",\\\"ResourceDisplayName_s\\\":\\\"Windows Azure Service Management API\\\",\\\"ResourceIdentity_g\\\":\\\"797f4846-ba00-4fd7-ba43-dac1f8f63013\\\",\\\"ServicePrincipalId_s\\\":\\\"\\\",\\\"ServicePrincipalName_s\\\":\\\"\\\",\\\"Status_dynamic_s\\\":\\\"{\\\\\\\"errorCode\\\\\\\":0}\\\",\\\"Status_string_s\\\":\\\"\\\",\\\"TokenIssuerName_s\\\":\\\"\\\",\\\"TokenIssuerType_s\\\":\\\"AzureAD\\\",\\\"UserAgent_s\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49\\\",\\\"UserDisplayName_s\\\":\\\"Adele Vance\\\",\\\"UserId_g\\\":\\\"9b117c67-170e-4aed-9702-658b3fddc889\\\",\\\"UserPrincipalName_s\\\":\\\"adelev@m365x816222.onmicrosoft.com\\\",\\\"AADTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"UserType_s\\\":\\\"Member\\\",\\\"FlaggedForReview_s\\\":\\\"\\\",\\\"SignInIdentifier_s\\\":\\\"\\\",\\\"SignInIdentifierType_s\\\":\\\"\\\",\\\"ResourceTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"HomeTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"Type_s\\\":\\\"SigninLogs\\\",\\\"AdditionalDetails_s\\\":\\\"\\\",\\\"InitiatedBy_s\\\":\\\"\\\",\\\"ResourceIdentity_s\\\":\\\"\\\",\\\"HomeTenantId_s\\\":\\\"\\\",\\\"Type\\\":\\\"SigninLogs_CL\\\",\\\"_ResourceId\\\":\\\"\\\"}\",\"queryStartTime\":\"2026-03-24T07:00:00+00:00\",\"queryEndTime\":\"2026-03-25T07:00:00+00:00\",\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}}", "isContentBase64": false } }, - "Update-AzSentinelBookmark+[NoContext]+UpdateExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/bookmarks/4a1c3550-81e9-42ae-8302-a2234a8d3168?api-version=2021-09-01-preview+2": { + "Update-AzSentinelBookmark+[NoContext]+UpdateExpanded+$GET+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/bookmarks/2b6690b9-7f3b-4239-b675-41640f710da0?api-version=2021-09-01-preview+2": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/bookmarks/2b6690b9-7f3b-4239-b675-41640f710da0?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "139" ], + "x-ms-client-request-id": [ "530f5c58-0e55-4755-ad7f-6391ff918b91" ], + "CommandName": [ "Update-AzSentinelBookmark" ], + "FullCommandName": [ "Update-AzSentinelBookmark_UpdateExpanded" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/v15.4.0", "PSVersion/v7.6.0", "Az.SecurityInsights/3.2.1" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Vary": [ "Accept-Encoding" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "1099" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/d2584004-86ef-4fad-bad1-46ab28fb004b" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-ratelimit-remaining-subscription-global-reads": [ "16499" ], + "x-ms-request-id": [ "d86c3caa-e437-44ca-9c68-1557320ede2c" ], + "x-ms-correlation-request-id": [ "d86c3caa-e437-44ca-9c68-1557320ede2c" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074629Z:d86c3caa-e437-44ca-9c68-1557320ede2c" ], + "X-Content-Type-Options": [ "nosniff" ], + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: 63FA309E3D764125AD0C6D15AA3098AE Ref B: AMS231020512027 Ref C: 2026-03-25T07:46:29Z" ], + "Date": [ "Wed, 25 Mar 2026 07:46:29 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "5281" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Bookmarks/2b6690b9-7f3b-4239-b675-41640f710da0\",\"name\":\"2b6690b9-7f3b-4239-b675-41640f710da0\",\"etag\":\"\\\"3b0058f8-0000-0100-0000-69c38e680000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"Updatebookmarkcmzxnh\",\"created\":\"2026-03-25T07:27:36.5332527+00:00\",\"updated\":\"2026-03-25T07:27:36.5332527+00:00\",\"createdBy\":{\"objectId\":\"6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb\",\"email\":\"t-helezra@microsoft.com\",\"name\":\"Hadas Elezra\"},\"updatedBy\":{\"objectId\":\"6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb\",\"email\":\"t-helezra@microsoft.com\",\"name\":\"Hadas Elezra\"},\"eventTime\":\"2026-03-25T07:00:00+00:00\",\"notes\":\"Notes go here\",\"labels\":[\"asptest\"],\"query\":\"SigninLogs_CL\",\"queryResult\":\"{\\\"TenantId\\\":\\\"6ad64079-1c3e-4672-bc2d-08df98ad5751\\\",\\\"SourceSystem\\\":\\\"RestAPI\\\",\\\"MG\\\":\\\"\\\",\\\"ManagementGroupName\\\":\\\"\\\",\\\"TimeGenerated\\\":\\\"2021-12-08T03:59:19.262Z\\\",\\\"Computer\\\":\\\"\\\",\\\"RawData\\\":\\\"\\\",\\\"ResourceId\\\":\\\"/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam\\\",\\\"OperationName\\\":\\\"Sign-in activity\\\",\\\"OperationVersion\\\":\\\"1\\\",\\\"Category\\\":\\\"SignInLogs\\\",\\\"ResultType\\\":\\\"0\\\",\\\"ResultSignature\\\":\\\"None\\\",\\\"ResultDescription\\\":\\\"\\\",\\\"DurationMs\\\":0,\\\"CorrelationId\\\":\\\"f9ff9ee8-d565-478b-bc95-8b4f0d468fe1\\\",\\\"Resource\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceGroup\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceProvider\\\":\\\"\\\",\\\"Identity_s\\\":\\\"Adele Vance\\\",\\\"Level\\\":\\\"4\\\",\\\"Location_s\\\":\\\"IL\\\",\\\"AlternateSignInName_s\\\":\\\"\\\",\\\"AppDisplayName_s\\\":\\\"Azure Portal\\\",\\\"AppId_g\\\":\\\"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\\\",\\\"AuthenticationDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"authenticationStepDateTime\\\\\\\": \\\\\\\"2021-04-28T14:08:45.2213421+00:00\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationMethod\\\\\\\": \\\\\\\"Previously satisfied\\\\\\\",\\\\r\\\\n \\\\\\\"succeeded\\\\\\\": true,\\\\r\\\\n \\\\\\\"authenticationStepResultDetail\\\\\\\": \\\\\\\"First factor requirement satisfied by claim in the token\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationStepRequirement\\\\\\\": \\\\\\\"Primary authentication\\\\\\\",\\\\r\\\\n \\\\\\\"StatusSequence\\\\\\\": 0,\\\\r\\\\n \\\\\\\"RequestSequence\\\\\\\": 0\\\\r\\\\n }\\\\r\\\\n]\\\",\\\"AuthenticationMethodsUsed_s\\\":\\\"\\\",\\\"AuthenticationProcessingDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"key\\\\\\\": \\\\\\\"IsCAEToken\\\\\\\",\\\\r\\\\n \\\\\\\"value\\\\\\\": \\\\\\\"False\\\\\\\"\\\\r\\\\n }\\\\r\\\\n]\\\",\\\"AuthenticationRequirement_s\\\":\\\"singleFactorAuthentication\\\",\\\"AuthenticationRequirementPolicies_s\\\":\\\"[]\\\",\\\"ClientAppUsed_s\\\":\\\"Browser\\\",\\\"ConditionalAccessPolicies_dynamic_s\\\":\\\"[{\\\\\\\"enforcedSessionControls\\\\\\\":[],\\\\\\\"conditionsNotSatisfied\\\\\\\":0,\\\\\\\"enforcedGrantControls\\\\\\\":[],\\\\\\\"conditionsSatisfied\\\\\\\":0,\\\\\\\"displayName\\\\\\\":\\\\\\\"Exchange Online Requires Compliant Device\\\\\\\",\\\\\\\"result\\\\\\\":\\\\\\\"notEnabled\\\\\\\",\\\\\\\"id\\\\\\\":\\\\\\\"defb835a-eb9f-4346-a2ca-7a9184867bf1\\\\\\\"}]\\\",\\\"ConditionalAccessPolicies_string_s\\\":\\\"\\\",\\\"ConditionalAccessStatus_s\\\":\\\"notApplied\\\",\\\"CreatedDateTime_UTC__s\\\":\\\"4/28/2021, 2:08:45.221 PM\\\",\\\"DeviceDetail_dynamic_s\\\":\\\"{\\\\\\\"operatingSystem\\\\\\\":\\\\\\\"Windows 10\\\\\\\",\\\\\\\"deviceId\\\\\\\":\\\\\\\"\\\\\\\",\\\\\\\"browser\\\\\\\":\\\\\\\"Edge 90.0.818\\\\\\\"}\\\",\\\"DeviceDetail_string_s\\\":\\\"\\\",\\\"IsInteractive_s\\\":\\\"TRUE\\\",\\\"Id_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"IPAddress\\\":\\\"175.45.176.99\\\",\\\"IsRisky_s\\\":\\\"\\\",\\\"LocationDetails_dynamic_s\\\":\\\"{\\\\\\\"countryOrRegion\\\\\\\":\\\\\\\"IL\\\\\\\",\\\\\\\"geoCoordinates\\\\\\\":{\\\\\\\"longitude\\\\\\\":34.79964828491211,\\\\\\\"latitude\\\\\\\":32.02956008911133},\\\\\\\"state\\\\\\\":\\\\\\\"Tel Aviv\\\\\\\",\\\\\\\"city\\\\\\\":\\\\\\\"Azor\\\\\\\"}\\\",\\\"LocationDetails_string_s\\\":\\\"\\\",\\\"MfaDetail_dynamic_s\\\":\\\"{}\\\",\\\"MfaDetail_string_s\\\":\\\"\\\",\\\"NetworkLocationDetails_s\\\":\\\"[]\\\",\\\"OriginalRequestId_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"ProcessingTimeInMilliseconds_s\\\":\\\"3535\\\",\\\"RiskDetail_s\\\":\\\"none\\\",\\\"RiskEventTypes_s\\\":\\\"[]\\\",\\\"RiskEventTypes_V2_s\\\":\\\"[]\\\",\\\"RiskLevelAggregated_s\\\":\\\"none\\\",\\\"RiskLevelDuringSignIn_s\\\":\\\"none\\\",\\\"RiskState_s\\\":\\\"none\\\",\\\"ResourceDisplayName_s\\\":\\\"Windows Azure Service Management API\\\",\\\"ResourceIdentity_g\\\":\\\"797f4846-ba00-4fd7-ba43-dac1f8f63013\\\",\\\"ServicePrincipalId_s\\\":\\\"\\\",\\\"ServicePrincipalName_s\\\":\\\"\\\",\\\"Status_dynamic_s\\\":\\\"{\\\\\\\"errorCode\\\\\\\":0}\\\",\\\"Status_string_s\\\":\\\"\\\",\\\"TokenIssuerName_s\\\":\\\"\\\",\\\"TokenIssuerType_s\\\":\\\"AzureAD\\\",\\\"UserAgent_s\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49\\\",\\\"UserDisplayName_s\\\":\\\"Adele Vance\\\",\\\"UserId_g\\\":\\\"9b117c67-170e-4aed-9702-658b3fddc889\\\",\\\"UserPrincipalName_s\\\":\\\"adelev@m365x816222.onmicrosoft.com\\\",\\\"AADTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"UserType_s\\\":\\\"Member\\\",\\\"FlaggedForReview_s\\\":\\\"\\\",\\\"SignInIdentifier_s\\\":\\\"\\\",\\\"SignInIdentifierType_s\\\":\\\"\\\",\\\"ResourceTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"HomeTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"Type_s\\\":\\\"SigninLogs\\\",\\\"AdditionalDetails_s\\\":\\\"\\\",\\\"InitiatedBy_s\\\":\\\"\\\",\\\"ResourceIdentity_s\\\":\\\"\\\",\\\"HomeTenantId_s\\\":\\\"\\\",\\\"Type\\\":\\\"SigninLogs_CL\\\",\\\"_ResourceId\\\":\\\"\\\"}\",\"queryStartTime\":\"2026-03-24T07:00:00+00:00\",\"queryEndTime\":\"2026-03-25T07:00:00+00:00\",\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}}", + "isContentBase64": false + } + }, + "Update-AzSentinelBookmark+[NoContext]+UpdateExpanded+$PUT+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/bookmarks/2b6690b9-7f3b-4239-b675-41640f710da0?api-version=2021-09-01-preview+3": { "Request": { "Method": "PUT", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/bookmarks/4a1c3550-81e9-42ae-8302-a2234a8d3168?api-version=2021-09-01-preview", - "Content": "{\n \"properties\": {\n \"displayName\": \"UpdateBookmarkPSTest\"\n }\n}", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/bookmarks/2b6690b9-7f3b-4239-b675-41640f710da0?api-version=2021-09-01-preview", + "Content": "{\r\n \"etag\": \"\\\"3b0058f8-0000-0100-0000-69c38e680000\\\"\",\r\n \"properties\": {\r\n \"createdBy\": {\r\n \"email\": \"t-helezra@microsoft.com\",\r\n \"name\": \"Hadas Elezra\",\r\n \"objectId\": \"6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb\"\r\n },\r\n \"updatedBy\": {\r\n \"email\": \"t-helezra@microsoft.com\",\r\n \"name\": \"Hadas Elezra\",\r\n \"objectId\": \"6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb\"\r\n },\r\n \"created\": \"2026-03-25T07:27:36.5332527Z\",\r\n \"displayName\": \"UpdateBookmarkPSTest\",\r\n \"labels\": [ \"asptest\" ],\r\n \"notes\": \"Notes go here\",\r\n \"query\": \"SigninLogs_CL\",\r\n \"queryResult\": \"{\\\"TenantId\\\":\\\"6ad64079-1c3e-4672-bc2d-08df98ad5751\\\",\\\"SourceSystem\\\":\\\"RestAPI\\\",\\\"MG\\\":\\\"\\\",\\\"ManagementGroupName\\\":\\\"\\\",\\\"TimeGenerated\\\":\\\"2021-12-08T03:59:19.262Z\\\",\\\"Computer\\\":\\\"\\\",\\\"RawData\\\":\\\"\\\",\\\"ResourceId\\\":\\\"/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam\\\",\\\"OperationName\\\":\\\"Sign-in activity\\\",\\\"OperationVersion\\\":\\\"1\\\",\\\"Category\\\":\\\"SignInLogs\\\",\\\"ResultType\\\":\\\"0\\\",\\\"ResultSignature\\\":\\\"None\\\",\\\"ResultDescription\\\":\\\"\\\",\\\"DurationMs\\\":0,\\\"CorrelationId\\\":\\\"f9ff9ee8-d565-478b-bc95-8b4f0d468fe1\\\",\\\"Resource\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceGroup\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceProvider\\\":\\\"\\\",\\\"Identity_s\\\":\\\"Adele Vance\\\",\\\"Level\\\":\\\"4\\\",\\\"Location_s\\\":\\\"IL\\\",\\\"AlternateSignInName_s\\\":\\\"\\\",\\\"AppDisplayName_s\\\":\\\"Azure Portal\\\",\\\"AppId_g\\\":\\\"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\\\",\\\"AuthenticationDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"authenticationStepDateTime\\\\\\\": \\\\\\\"2021-04-28T14:08:45.2213421+00:00\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationMethod\\\\\\\": \\\\\\\"Previously satisfied\\\\\\\",\\\\r\\\\n \\\\\\\"succeeded\\\\\\\": true,\\\\r\\\\n \\\\\\\"authenticationStepResultDetail\\\\\\\": \\\\\\\"First factor requirement satisfied by claim in the token\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationStepRequirement\\\\\\\": \\\\\\\"Primary authentication\\\\\\\",\\\\r\\\\n \\\\\\\"StatusSequence\\\\\\\": 0,\\\\r\\\\n \\\\\\\"RequestSequence\\\\\\\": 0\\\\r\\\\n }\\\\r\\\\n]\\\",\\\"AuthenticationMethodsUsed_s\\\":\\\"\\\",\\\"AuthenticationProcessingDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"key\\\\\\\": \\\\\\\"IsCAEToken\\\\\\\",\\\\r\\\\n \\\\\\\"value\\\\\\\": \\\\\\\"False\\\\\\\"\\\\r\\\\n }\\\\r\\\\n]\\\",\\\"AuthenticationRequirement_s\\\":\\\"singleFactorAuthentication\\\",\\\"AuthenticationRequirementPolicies_s\\\":\\\"[]\\\",\\\"ClientAppUsed_s\\\":\\\"Browser\\\",\\\"ConditionalAccessPolicies_dynamic_s\\\":\\\"[{\\\\\\\"enforcedSessionControls\\\\\\\":[],\\\\\\\"conditionsNotSatisfied\\\\\\\":0,\\\\\\\"enforcedGrantControls\\\\\\\":[],\\\\\\\"conditionsSatisfied\\\\\\\":0,\\\\\\\"displayName\\\\\\\":\\\\\\\"Exchange Online Requires Compliant Device\\\\\\\",\\\\\\\"result\\\\\\\":\\\\\\\"notEnabled\\\\\\\",\\\\\\\"id\\\\\\\":\\\\\\\"defb835a-eb9f-4346-a2ca-7a9184867bf1\\\\\\\"}]\\\",\\\"ConditionalAccessPolicies_string_s\\\":\\\"\\\",\\\"ConditionalAccessStatus_s\\\":\\\"notApplied\\\",\\\"CreatedDateTime_UTC__s\\\":\\\"4/28/2021, 2:08:45.221 PM\\\",\\\"DeviceDetail_dynamic_s\\\":\\\"{\\\\\\\"operatingSystem\\\\\\\":\\\\\\\"Windows 10\\\\\\\",\\\\\\\"deviceId\\\\\\\":\\\\\\\"\\\\\\\",\\\\\\\"browser\\\\\\\":\\\\\\\"Edge 90.0.818\\\\\\\"}\\\",\\\"DeviceDetail_string_s\\\":\\\"\\\",\\\"IsInteractive_s\\\":\\\"TRUE\\\",\\\"Id_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"IPAddress\\\":\\\"175.45.176.99\\\",\\\"IsRisky_s\\\":\\\"\\\",\\\"LocationDetails_dynamic_s\\\":\\\"{\\\\\\\"countryOrRegion\\\\\\\":\\\\\\\"IL\\\\\\\",\\\\\\\"geoCoordinates\\\\\\\":{\\\\\\\"longitude\\\\\\\":34.79964828491211,\\\\\\\"latitude\\\\\\\":32.02956008911133},\\\\\\\"state\\\\\\\":\\\\\\\"Tel Aviv\\\\\\\",\\\\\\\"city\\\\\\\":\\\\\\\"Azor\\\\\\\"}\\\",\\\"LocationDetails_string_s\\\":\\\"\\\",\\\"MfaDetail_dynamic_s\\\":\\\"{}\\\",\\\"MfaDetail_string_s\\\":\\\"\\\",\\\"NetworkLocationDetails_s\\\":\\\"[]\\\",\\\"OriginalRequestId_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"ProcessingTimeInMilliseconds_s\\\":\\\"3535\\\",\\\"RiskDetail_s\\\":\\\"none\\\",\\\"RiskEventTypes_s\\\":\\\"[]\\\",\\\"RiskEventTypes_V2_s\\\":\\\"[]\\\",\\\"RiskLevelAggregated_s\\\":\\\"none\\\",\\\"RiskLevelDuringSignIn_s\\\":\\\"none\\\",\\\"RiskState_s\\\":\\\"none\\\",\\\"ResourceDisplayName_s\\\":\\\"Windows Azure Service Management API\\\",\\\"ResourceIdentity_g\\\":\\\"797f4846-ba00-4fd7-ba43-dac1f8f63013\\\",\\\"ServicePrincipalId_s\\\":\\\"\\\",\\\"ServicePrincipalName_s\\\":\\\"\\\",\\\"Status_dynamic_s\\\":\\\"{\\\\\\\"errorCode\\\\\\\":0}\\\",\\\"Status_string_s\\\":\\\"\\\",\\\"TokenIssuerName_s\\\":\\\"\\\",\\\"TokenIssuerType_s\\\":\\\"AzureAD\\\",\\\"UserAgent_s\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49\\\",\\\"UserDisplayName_s\\\":\\\"Adele Vance\\\",\\\"UserId_g\\\":\\\"9b117c67-170e-4aed-9702-658b3fddc889\\\",\\\"UserPrincipalName_s\\\":\\\"adelev@m365x816222.onmicrosoft.com\\\",\\\"AADTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"UserType_s\\\":\\\"Member\\\",\\\"FlaggedForReview_s\\\":\\\"\\\",\\\"SignInIdentifier_s\\\":\\\"\\\",\\\"SignInIdentifierType_s\\\":\\\"\\\",\\\"ResourceTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"HomeTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"Type_s\\\":\\\"SigninLogs\\\",\\\"AdditionalDetails_s\\\":\\\"\\\",\\\"InitiatedBy_s\\\":\\\"\\\",\\\"ResourceIdentity_s\\\":\\\"\\\",\\\"HomeTenantId_s\\\":\\\"\\\",\\\"Type\\\":\\\"SigninLogs_CL\\\",\\\"_ResourceId\\\":\\\"\\\"}\",\r\n \"updated\": \"2026-03-25T07:27:36.5332527Z\",\r\n \"eventTime\": \"2026-03-25T07:00:00.0000000Z\",\r\n \"queryStartTime\": \"2026-03-24T07:00:00.0000000Z\",\r\n \"queryEndTime\": \"2026-03-25T07:00:00.0000000Z\"\r\n }\r\n}", "isContentBase64": false, "Headers": { }, "ContentHeaders": { "Content-Type": [ "application/json" ], - "Content-Length": [ "67" ] + "Content-Length": [ "5034" ] } }, "Response": { @@ -58,37 +107,86 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-writes": [ "1191" ], - "x-ms-request-id": [ "2183b76b-1d63-47c8-9403-02c677093447" ], - "x-ms-correlation-request-id": [ "2183b76b-1d63-47c8-9403-02c677093447" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160847Z:2183b76b-1d63-47c8-9403-02c677093447" ], + "Vary": [ "Accept-Encoding" ], + "x-ms-ratelimit-remaining-subscription-writes": [ "799" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/b32ddd73-b6ce-48bc-a6ad-aa92303966d2" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-ratelimit-remaining-subscription-global-writes": [ "11999" ], + "x-ms-request-id": [ "375802ca-fcd2-4f90-af50-495f68f991c6" ], + "x-ms-correlation-request-id": [ "375802ca-fcd2-4f90-af50-495f68f991c6" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074630Z:375802ca-fcd2-4f90-af50-495f68f991c6" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:08:47 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: 20E8AD1679884249A2FCA4706667CE5A Ref B: AMS231020512027 Ref C: 2026-03-25T07:46:30Z" ], + "Date": [ "Wed, 25 Mar 2026 07:46:29 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "911" ], + "Content-Length": [ "5273" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Bookmarks/4a1c3550-81e9-42ae-8302-a2234a8d3168\",\"name\":\"4a1c3550-81e9-42ae-8302-a2234a8d3168\",\"etag\":\"\\\"3c00bf8c-0000-0100-0000-62fbc10f0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"UpdateBookmarkPSTest\",\"created\":\"2022-08-16T15:50:30.6003748+00:00\",\"updated\":\"2022-08-16T16:08:47+00:00\",\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2022-08-16T16:08:47.6051639+00:00\",\"labels\":[],\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}}", + "Content": "{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Bookmarks/2b6690b9-7f3b-4239-b675-41640f710da0\",\"name\":\"2b6690b9-7f3b-4239-b675-41640f710da0\",\"etag\":\"\\\"3c007cbb-0000-0100-0000-69c392d60000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"UpdateBookmarkPSTest\",\"created\":\"2026-03-25T07:27:36.5332527+00:00\",\"updated\":\"2026-03-25T07:46:30+00:00\",\"createdBy\":{\"objectId\":\"6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb\",\"email\":\"t-helezra@microsoft.com\",\"name\":\"Hadas Elezra\"},\"updatedBy\":{\"objectId\":\"6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb\",\"email\":\"t-helezra@microsoft.com\",\"name\":\"Hadas Elezra\"},\"eventTime\":\"2026-03-25T07:00:00+00:00\",\"notes\":\"Notes go here\",\"labels\":[\"asptest\"],\"query\":\"SigninLogs_CL\",\"queryResult\":\"{\\\"TenantId\\\":\\\"6ad64079-1c3e-4672-bc2d-08df98ad5751\\\",\\\"SourceSystem\\\":\\\"RestAPI\\\",\\\"MG\\\":\\\"\\\",\\\"ManagementGroupName\\\":\\\"\\\",\\\"TimeGenerated\\\":\\\"2021-12-08T03:59:19.262Z\\\",\\\"Computer\\\":\\\"\\\",\\\"RawData\\\":\\\"\\\",\\\"ResourceId\\\":\\\"/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam\\\",\\\"OperationName\\\":\\\"Sign-in activity\\\",\\\"OperationVersion\\\":\\\"1\\\",\\\"Category\\\":\\\"SignInLogs\\\",\\\"ResultType\\\":\\\"0\\\",\\\"ResultSignature\\\":\\\"None\\\",\\\"ResultDescription\\\":\\\"\\\",\\\"DurationMs\\\":0,\\\"CorrelationId\\\":\\\"f9ff9ee8-d565-478b-bc95-8b4f0d468fe1\\\",\\\"Resource\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceGroup\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceProvider\\\":\\\"\\\",\\\"Identity_s\\\":\\\"Adele Vance\\\",\\\"Level\\\":\\\"4\\\",\\\"Location_s\\\":\\\"IL\\\",\\\"AlternateSignInName_s\\\":\\\"\\\",\\\"AppDisplayName_s\\\":\\\"Azure Portal\\\",\\\"AppId_g\\\":\\\"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\\\",\\\"AuthenticationDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"authenticationStepDateTime\\\\\\\": \\\\\\\"2021-04-28T14:08:45.2213421+00:00\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationMethod\\\\\\\": \\\\\\\"Previously satisfied\\\\\\\",\\\\r\\\\n \\\\\\\"succeeded\\\\\\\": true,\\\\r\\\\n \\\\\\\"authenticationStepResultDetail\\\\\\\": \\\\\\\"First factor requirement satisfied by claim in the token\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationStepRequirement\\\\\\\": \\\\\\\"Primary authentication\\\\\\\",\\\\r\\\\n \\\\\\\"StatusSequence\\\\\\\": 0,\\\\r\\\\n \\\\\\\"RequestSequence\\\\\\\": 0\\\\r\\\\n }\\\\r\\\\n]\\\",\\\"AuthenticationMethodsUsed_s\\\":\\\"\\\",\\\"AuthenticationProcessingDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"key\\\\\\\": \\\\\\\"IsCAEToken\\\\\\\",\\\\r\\\\n \\\\\\\"value\\\\\\\": \\\\\\\"False\\\\\\\"\\\\r\\\\n }\\\\r\\\\n]\\\",\\\"AuthenticationRequirement_s\\\":\\\"singleFactorAuthentication\\\",\\\"AuthenticationRequirementPolicies_s\\\":\\\"[]\\\",\\\"ClientAppUsed_s\\\":\\\"Browser\\\",\\\"ConditionalAccessPolicies_dynamic_s\\\":\\\"[{\\\\\\\"enforcedSessionControls\\\\\\\":[],\\\\\\\"conditionsNotSatisfied\\\\\\\":0,\\\\\\\"enforcedGrantControls\\\\\\\":[],\\\\\\\"conditionsSatisfied\\\\\\\":0,\\\\\\\"displayName\\\\\\\":\\\\\\\"Exchange Online Requires Compliant Device\\\\\\\",\\\\\\\"result\\\\\\\":\\\\\\\"notEnabled\\\\\\\",\\\\\\\"id\\\\\\\":\\\\\\\"defb835a-eb9f-4346-a2ca-7a9184867bf1\\\\\\\"}]\\\",\\\"ConditionalAccessPolicies_string_s\\\":\\\"\\\",\\\"ConditionalAccessStatus_s\\\":\\\"notApplied\\\",\\\"CreatedDateTime_UTC__s\\\":\\\"4/28/2021, 2:08:45.221 PM\\\",\\\"DeviceDetail_dynamic_s\\\":\\\"{\\\\\\\"operatingSystem\\\\\\\":\\\\\\\"Windows 10\\\\\\\",\\\\\\\"deviceId\\\\\\\":\\\\\\\"\\\\\\\",\\\\\\\"browser\\\\\\\":\\\\\\\"Edge 90.0.818\\\\\\\"}\\\",\\\"DeviceDetail_string_s\\\":\\\"\\\",\\\"IsInteractive_s\\\":\\\"TRUE\\\",\\\"Id_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"IPAddress\\\":\\\"175.45.176.99\\\",\\\"IsRisky_s\\\":\\\"\\\",\\\"LocationDetails_dynamic_s\\\":\\\"{\\\\\\\"countryOrRegion\\\\\\\":\\\\\\\"IL\\\\\\\",\\\\\\\"geoCoordinates\\\\\\\":{\\\\\\\"longitude\\\\\\\":34.79964828491211,\\\\\\\"latitude\\\\\\\":32.02956008911133},\\\\\\\"state\\\\\\\":\\\\\\\"Tel Aviv\\\\\\\",\\\\\\\"city\\\\\\\":\\\\\\\"Azor\\\\\\\"}\\\",\\\"LocationDetails_string_s\\\":\\\"\\\",\\\"MfaDetail_dynamic_s\\\":\\\"{}\\\",\\\"MfaDetail_string_s\\\":\\\"\\\",\\\"NetworkLocationDetails_s\\\":\\\"[]\\\",\\\"OriginalRequestId_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"ProcessingTimeInMilliseconds_s\\\":\\\"3535\\\",\\\"RiskDetail_s\\\":\\\"none\\\",\\\"RiskEventTypes_s\\\":\\\"[]\\\",\\\"RiskEventTypes_V2_s\\\":\\\"[]\\\",\\\"RiskLevelAggregated_s\\\":\\\"none\\\",\\\"RiskLevelDuringSignIn_s\\\":\\\"none\\\",\\\"RiskState_s\\\":\\\"none\\\",\\\"ResourceDisplayName_s\\\":\\\"Windows Azure Service Management API\\\",\\\"ResourceIdentity_g\\\":\\\"797f4846-ba00-4fd7-ba43-dac1f8f63013\\\",\\\"ServicePrincipalId_s\\\":\\\"\\\",\\\"ServicePrincipalName_s\\\":\\\"\\\",\\\"Status_dynamic_s\\\":\\\"{\\\\\\\"errorCode\\\\\\\":0}\\\",\\\"Status_string_s\\\":\\\"\\\",\\\"TokenIssuerName_s\\\":\\\"\\\",\\\"TokenIssuerType_s\\\":\\\"AzureAD\\\",\\\"UserAgent_s\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49\\\",\\\"UserDisplayName_s\\\":\\\"Adele Vance\\\",\\\"UserId_g\\\":\\\"9b117c67-170e-4aed-9702-658b3fddc889\\\",\\\"UserPrincipalName_s\\\":\\\"adelev@m365x816222.onmicrosoft.com\\\",\\\"AADTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"UserType_s\\\":\\\"Member\\\",\\\"FlaggedForReview_s\\\":\\\"\\\",\\\"SignInIdentifier_s\\\":\\\"\\\",\\\"SignInIdentifierType_s\\\":\\\"\\\",\\\"ResourceTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"HomeTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"Type_s\\\":\\\"SigninLogs\\\",\\\"AdditionalDetails_s\\\":\\\"\\\",\\\"InitiatedBy_s\\\":\\\"\\\",\\\"ResourceIdentity_s\\\":\\\"\\\",\\\"HomeTenantId_s\\\":\\\"\\\",\\\"Type\\\":\\\"SigninLogs_CL\\\",\\\"_ResourceId\\\":\\\"\\\"}\",\"queryStartTime\":\"2026-03-24T07:00:00+00:00\",\"queryEndTime\":\"2026-03-25T07:00:00+00:00\",\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}}", "isContentBase64": false } }, - "Update-AzSentinelBookmark+[NoContext]+UpdateViaIdentityExpanded+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/bookmarks/4a1c3550-81e9-42ae-8302-a2234a8d3168?api-version=2021-09-01-preview+1": { + "Update-AzSentinelBookmark+[NoContext]+UpdateViaIdentityExpanded+$GET+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/bookmarks/2b6690b9-7f3b-4239-b675-41640f710da0?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/bookmarks/4a1c3550-81e9-42ae-8302-a2234a8d3168?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/bookmarks/2b6690b9-7f3b-4239-b675-41640f710da0?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "297" ], - "x-ms-client-request-id": [ "8eb31be2-b64e-4c46-a569-8f0038a4a6ad" ], + "x-ms-unique-id": [ "141" ], + "x-ms-client-request-id": [ "e820d595-f2b6-4204-8a1e-f34a33ada080" ], "CommandName": [ "Get-AzSentinelBookmark" ], "FullCommandName": [ "Get-AzSentinelBookmark_Get" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], + "User-Agent": [ "AzurePowershell/v15.4.0", "PSVersion/v7.6.0", "Az.SecurityInsights/3.2.1" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Vary": [ "Accept-Encoding" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "1099" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/f6328278-1767-41bb-9552-207ef8396096" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-ratelimit-remaining-subscription-global-reads": [ "16499" ], + "x-ms-request-id": [ "4614ce3e-73db-431a-a95c-1904ee6c1675" ], + "x-ms-correlation-request-id": [ "4614ce3e-73db-431a-a95c-1904ee6c1675" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074631Z:4614ce3e-73db-431a-a95c-1904ee6c1675" ], + "X-Content-Type-Options": [ "nosniff" ], + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: 16E11E1B05FA401B975278B5551B7880 Ref B: AMS231020512027 Ref C: 2026-03-25T07:46:31Z" ], + "Date": [ "Wed, 25 Mar 2026 07:46:30 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "5281" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Bookmarks/2b6690b9-7f3b-4239-b675-41640f710da0\",\"name\":\"2b6690b9-7f3b-4239-b675-41640f710da0\",\"etag\":\"\\\"3c007cbb-0000-0100-0000-69c392d60000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"UpdateBookmarkPSTest\",\"created\":\"2026-03-25T07:27:36.5332527+00:00\",\"updated\":\"2026-03-25T07:46:30.4147955+00:00\",\"createdBy\":{\"objectId\":\"6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb\",\"email\":\"t-helezra@microsoft.com\",\"name\":\"Hadas Elezra\"},\"updatedBy\":{\"objectId\":\"6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb\",\"email\":\"t-helezra@microsoft.com\",\"name\":\"Hadas Elezra\"},\"eventTime\":\"2026-03-25T07:00:00+00:00\",\"notes\":\"Notes go here\",\"labels\":[\"asptest\"],\"query\":\"SigninLogs_CL\",\"queryResult\":\"{\\\"TenantId\\\":\\\"6ad64079-1c3e-4672-bc2d-08df98ad5751\\\",\\\"SourceSystem\\\":\\\"RestAPI\\\",\\\"MG\\\":\\\"\\\",\\\"ManagementGroupName\\\":\\\"\\\",\\\"TimeGenerated\\\":\\\"2021-12-08T03:59:19.262Z\\\",\\\"Computer\\\":\\\"\\\",\\\"RawData\\\":\\\"\\\",\\\"ResourceId\\\":\\\"/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam\\\",\\\"OperationName\\\":\\\"Sign-in activity\\\",\\\"OperationVersion\\\":\\\"1\\\",\\\"Category\\\":\\\"SignInLogs\\\",\\\"ResultType\\\":\\\"0\\\",\\\"ResultSignature\\\":\\\"None\\\",\\\"ResultDescription\\\":\\\"\\\",\\\"DurationMs\\\":0,\\\"CorrelationId\\\":\\\"f9ff9ee8-d565-478b-bc95-8b4f0d468fe1\\\",\\\"Resource\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceGroup\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceProvider\\\":\\\"\\\",\\\"Identity_s\\\":\\\"Adele Vance\\\",\\\"Level\\\":\\\"4\\\",\\\"Location_s\\\":\\\"IL\\\",\\\"AlternateSignInName_s\\\":\\\"\\\",\\\"AppDisplayName_s\\\":\\\"Azure Portal\\\",\\\"AppId_g\\\":\\\"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\\\",\\\"AuthenticationDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"authenticationStepDateTime\\\\\\\": \\\\\\\"2021-04-28T14:08:45.2213421+00:00\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationMethod\\\\\\\": \\\\\\\"Previously satisfied\\\\\\\",\\\\r\\\\n \\\\\\\"succeeded\\\\\\\": true,\\\\r\\\\n \\\\\\\"authenticationStepResultDetail\\\\\\\": \\\\\\\"First factor requirement satisfied by claim in the token\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationStepRequirement\\\\\\\": \\\\\\\"Primary authentication\\\\\\\",\\\\r\\\\n \\\\\\\"StatusSequence\\\\\\\": 0,\\\\r\\\\n \\\\\\\"RequestSequence\\\\\\\": 0\\\\r\\\\n }\\\\r\\\\n]\\\",\\\"AuthenticationMethodsUsed_s\\\":\\\"\\\",\\\"AuthenticationProcessingDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"key\\\\\\\": \\\\\\\"IsCAEToken\\\\\\\",\\\\r\\\\n \\\\\\\"value\\\\\\\": \\\\\\\"False\\\\\\\"\\\\r\\\\n }\\\\r\\\\n]\\\",\\\"AuthenticationRequirement_s\\\":\\\"singleFactorAuthentication\\\",\\\"AuthenticationRequirementPolicies_s\\\":\\\"[]\\\",\\\"ClientAppUsed_s\\\":\\\"Browser\\\",\\\"ConditionalAccessPolicies_dynamic_s\\\":\\\"[{\\\\\\\"enforcedSessionControls\\\\\\\":[],\\\\\\\"conditionsNotSatisfied\\\\\\\":0,\\\\\\\"enforcedGrantControls\\\\\\\":[],\\\\\\\"conditionsSatisfied\\\\\\\":0,\\\\\\\"displayName\\\\\\\":\\\\\\\"Exchange Online Requires Compliant Device\\\\\\\",\\\\\\\"result\\\\\\\":\\\\\\\"notEnabled\\\\\\\",\\\\\\\"id\\\\\\\":\\\\\\\"defb835a-eb9f-4346-a2ca-7a9184867bf1\\\\\\\"}]\\\",\\\"ConditionalAccessPolicies_string_s\\\":\\\"\\\",\\\"ConditionalAccessStatus_s\\\":\\\"notApplied\\\",\\\"CreatedDateTime_UTC__s\\\":\\\"4/28/2021, 2:08:45.221 PM\\\",\\\"DeviceDetail_dynamic_s\\\":\\\"{\\\\\\\"operatingSystem\\\\\\\":\\\\\\\"Windows 10\\\\\\\",\\\\\\\"deviceId\\\\\\\":\\\\\\\"\\\\\\\",\\\\\\\"browser\\\\\\\":\\\\\\\"Edge 90.0.818\\\\\\\"}\\\",\\\"DeviceDetail_string_s\\\":\\\"\\\",\\\"IsInteractive_s\\\":\\\"TRUE\\\",\\\"Id_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"IPAddress\\\":\\\"175.45.176.99\\\",\\\"IsRisky_s\\\":\\\"\\\",\\\"LocationDetails_dynamic_s\\\":\\\"{\\\\\\\"countryOrRegion\\\\\\\":\\\\\\\"IL\\\\\\\",\\\\\\\"geoCoordinates\\\\\\\":{\\\\\\\"longitude\\\\\\\":34.79964828491211,\\\\\\\"latitude\\\\\\\":32.02956008911133},\\\\\\\"state\\\\\\\":\\\\\\\"Tel Aviv\\\\\\\",\\\\\\\"city\\\\\\\":\\\\\\\"Azor\\\\\\\"}\\\",\\\"LocationDetails_string_s\\\":\\\"\\\",\\\"MfaDetail_dynamic_s\\\":\\\"{}\\\",\\\"MfaDetail_string_s\\\":\\\"\\\",\\\"NetworkLocationDetails_s\\\":\\\"[]\\\",\\\"OriginalRequestId_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"ProcessingTimeInMilliseconds_s\\\":\\\"3535\\\",\\\"RiskDetail_s\\\":\\\"none\\\",\\\"RiskEventTypes_s\\\":\\\"[]\\\",\\\"RiskEventTypes_V2_s\\\":\\\"[]\\\",\\\"RiskLevelAggregated_s\\\":\\\"none\\\",\\\"RiskLevelDuringSignIn_s\\\":\\\"none\\\",\\\"RiskState_s\\\":\\\"none\\\",\\\"ResourceDisplayName_s\\\":\\\"Windows Azure Service Management API\\\",\\\"ResourceIdentity_g\\\":\\\"797f4846-ba00-4fd7-ba43-dac1f8f63013\\\",\\\"ServicePrincipalId_s\\\":\\\"\\\",\\\"ServicePrincipalName_s\\\":\\\"\\\",\\\"Status_dynamic_s\\\":\\\"{\\\\\\\"errorCode\\\\\\\":0}\\\",\\\"Status_string_s\\\":\\\"\\\",\\\"TokenIssuerName_s\\\":\\\"\\\",\\\"TokenIssuerType_s\\\":\\\"AzureAD\\\",\\\"UserAgent_s\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49\\\",\\\"UserDisplayName_s\\\":\\\"Adele Vance\\\",\\\"UserId_g\\\":\\\"9b117c67-170e-4aed-9702-658b3fddc889\\\",\\\"UserPrincipalName_s\\\":\\\"adelev@m365x816222.onmicrosoft.com\\\",\\\"AADTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"UserType_s\\\":\\\"Member\\\",\\\"FlaggedForReview_s\\\":\\\"\\\",\\\"SignInIdentifier_s\\\":\\\"\\\",\\\"SignInIdentifierType_s\\\":\\\"\\\",\\\"ResourceTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"HomeTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"Type_s\\\":\\\"SigninLogs\\\",\\\"AdditionalDetails_s\\\":\\\"\\\",\\\"InitiatedBy_s\\\":\\\"\\\",\\\"ResourceIdentity_s\\\":\\\"\\\",\\\"HomeTenantId_s\\\":\\\"\\\",\\\"Type\\\":\\\"SigninLogs_CL\\\",\\\"_ResourceId\\\":\\\"\\\"}\",\"queryStartTime\":\"2026-03-24T07:00:00+00:00\",\"queryEndTime\":\"2026-03-25T07:00:00+00:00\",\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}}", + "isContentBase64": false + } + }, + "Update-AzSentinelBookmark+[NoContext]+UpdateViaIdentityExpanded+$GET+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/bookmarks/2b6690b9-7f3b-4239-b675-41640f710da0?api-version=2021-09-01-preview+2": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/bookmarks/2b6690b9-7f3b-4239-b675-41640f710da0?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "142" ], + "x-ms-client-request-id": [ "3b7dc8f4-78d9-4579-9823-ad00e795462e" ], + "CommandName": [ "Update-AzSentinelBookmark" ], + "FullCommandName": [ "Update-AzSentinelBookmark_UpdateViaIdentityExpanded" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/v15.4.0", "PSVersion/v7.6.0", "Az.SecurityInsights/3.2.1" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { @@ -99,35 +197,39 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11933" ], - "x-ms-request-id": [ "276c7dc4-1a62-49cc-b155-f0ab065800c9" ], - "x-ms-correlation-request-id": [ "276c7dc4-1a62-49cc-b155-f0ab065800c9" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160847Z:276c7dc4-1a62-49cc-b155-f0ab065800c9" ], + "Vary": [ "Accept-Encoding" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "1099" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/a5c10fbe-da9a-4a00-9f37-98deaec5580e" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-ratelimit-remaining-subscription-global-reads": [ "16499" ], + "x-ms-request-id": [ "26c34f2a-4b56-40fe-90b7-3949ae2b35d7" ], + "x-ms-correlation-request-id": [ "26c34f2a-4b56-40fe-90b7-3949ae2b35d7" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074631Z:26c34f2a-4b56-40fe-90b7-3949ae2b35d7" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:08:47 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: 4DD72E979F504DA08BA62DEAEBBA6A97 Ref B: AMS231020512027 Ref C: 2026-03-25T07:46:31Z" ], + "Date": [ "Wed, 25 Mar 2026 07:46:31 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "919" ], + "Content-Length": [ "5281" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Bookmarks/4a1c3550-81e9-42ae-8302-a2234a8d3168\",\"name\":\"4a1c3550-81e9-42ae-8302-a2234a8d3168\",\"etag\":\"\\\"3c00bf8c-0000-0100-0000-62fbc10f0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"UpdateBookmarkPSTest\",\"created\":\"2022-08-16T15:50:30.6003748+00:00\",\"updated\":\"2022-08-16T16:08:47.6053435+00:00\",\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2022-08-16T16:08:47.6051639+00:00\",\"labels\":[],\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}}", + "Content": "{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Bookmarks/2b6690b9-7f3b-4239-b675-41640f710da0\",\"name\":\"2b6690b9-7f3b-4239-b675-41640f710da0\",\"etag\":\"\\\"3c007cbb-0000-0100-0000-69c392d60000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"UpdateBookmarkPSTest\",\"created\":\"2026-03-25T07:27:36.5332527+00:00\",\"updated\":\"2026-03-25T07:46:30.4147955+00:00\",\"createdBy\":{\"objectId\":\"6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb\",\"email\":\"t-helezra@microsoft.com\",\"name\":\"Hadas Elezra\"},\"updatedBy\":{\"objectId\":\"6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb\",\"email\":\"t-helezra@microsoft.com\",\"name\":\"Hadas Elezra\"},\"eventTime\":\"2026-03-25T07:00:00+00:00\",\"notes\":\"Notes go here\",\"labels\":[\"asptest\"],\"query\":\"SigninLogs_CL\",\"queryResult\":\"{\\\"TenantId\\\":\\\"6ad64079-1c3e-4672-bc2d-08df98ad5751\\\",\\\"SourceSystem\\\":\\\"RestAPI\\\",\\\"MG\\\":\\\"\\\",\\\"ManagementGroupName\\\":\\\"\\\",\\\"TimeGenerated\\\":\\\"2021-12-08T03:59:19.262Z\\\",\\\"Computer\\\":\\\"\\\",\\\"RawData\\\":\\\"\\\",\\\"ResourceId\\\":\\\"/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam\\\",\\\"OperationName\\\":\\\"Sign-in activity\\\",\\\"OperationVersion\\\":\\\"1\\\",\\\"Category\\\":\\\"SignInLogs\\\",\\\"ResultType\\\":\\\"0\\\",\\\"ResultSignature\\\":\\\"None\\\",\\\"ResultDescription\\\":\\\"\\\",\\\"DurationMs\\\":0,\\\"CorrelationId\\\":\\\"f9ff9ee8-d565-478b-bc95-8b4f0d468fe1\\\",\\\"Resource\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceGroup\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceProvider\\\":\\\"\\\",\\\"Identity_s\\\":\\\"Adele Vance\\\",\\\"Level\\\":\\\"4\\\",\\\"Location_s\\\":\\\"IL\\\",\\\"AlternateSignInName_s\\\":\\\"\\\",\\\"AppDisplayName_s\\\":\\\"Azure Portal\\\",\\\"AppId_g\\\":\\\"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\\\",\\\"AuthenticationDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"authenticationStepDateTime\\\\\\\": \\\\\\\"2021-04-28T14:08:45.2213421+00:00\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationMethod\\\\\\\": \\\\\\\"Previously satisfied\\\\\\\",\\\\r\\\\n \\\\\\\"succeeded\\\\\\\": true,\\\\r\\\\n \\\\\\\"authenticationStepResultDetail\\\\\\\": \\\\\\\"First factor requirement satisfied by claim in the token\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationStepRequirement\\\\\\\": \\\\\\\"Primary authentication\\\\\\\",\\\\r\\\\n \\\\\\\"StatusSequence\\\\\\\": 0,\\\\r\\\\n \\\\\\\"RequestSequence\\\\\\\": 0\\\\r\\\\n }\\\\r\\\\n]\\\",\\\"AuthenticationMethodsUsed_s\\\":\\\"\\\",\\\"AuthenticationProcessingDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"key\\\\\\\": \\\\\\\"IsCAEToken\\\\\\\",\\\\r\\\\n \\\\\\\"value\\\\\\\": \\\\\\\"False\\\\\\\"\\\\r\\\\n }\\\\r\\\\n]\\\",\\\"AuthenticationRequirement_s\\\":\\\"singleFactorAuthentication\\\",\\\"AuthenticationRequirementPolicies_s\\\":\\\"[]\\\",\\\"ClientAppUsed_s\\\":\\\"Browser\\\",\\\"ConditionalAccessPolicies_dynamic_s\\\":\\\"[{\\\\\\\"enforcedSessionControls\\\\\\\":[],\\\\\\\"conditionsNotSatisfied\\\\\\\":0,\\\\\\\"enforcedGrantControls\\\\\\\":[],\\\\\\\"conditionsSatisfied\\\\\\\":0,\\\\\\\"displayName\\\\\\\":\\\\\\\"Exchange Online Requires Compliant Device\\\\\\\",\\\\\\\"result\\\\\\\":\\\\\\\"notEnabled\\\\\\\",\\\\\\\"id\\\\\\\":\\\\\\\"defb835a-eb9f-4346-a2ca-7a9184867bf1\\\\\\\"}]\\\",\\\"ConditionalAccessPolicies_string_s\\\":\\\"\\\",\\\"ConditionalAccessStatus_s\\\":\\\"notApplied\\\",\\\"CreatedDateTime_UTC__s\\\":\\\"4/28/2021, 2:08:45.221 PM\\\",\\\"DeviceDetail_dynamic_s\\\":\\\"{\\\\\\\"operatingSystem\\\\\\\":\\\\\\\"Windows 10\\\\\\\",\\\\\\\"deviceId\\\\\\\":\\\\\\\"\\\\\\\",\\\\\\\"browser\\\\\\\":\\\\\\\"Edge 90.0.818\\\\\\\"}\\\",\\\"DeviceDetail_string_s\\\":\\\"\\\",\\\"IsInteractive_s\\\":\\\"TRUE\\\",\\\"Id_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"IPAddress\\\":\\\"175.45.176.99\\\",\\\"IsRisky_s\\\":\\\"\\\",\\\"LocationDetails_dynamic_s\\\":\\\"{\\\\\\\"countryOrRegion\\\\\\\":\\\\\\\"IL\\\\\\\",\\\\\\\"geoCoordinates\\\\\\\":{\\\\\\\"longitude\\\\\\\":34.79964828491211,\\\\\\\"latitude\\\\\\\":32.02956008911133},\\\\\\\"state\\\\\\\":\\\\\\\"Tel Aviv\\\\\\\",\\\\\\\"city\\\\\\\":\\\\\\\"Azor\\\\\\\"}\\\",\\\"LocationDetails_string_s\\\":\\\"\\\",\\\"MfaDetail_dynamic_s\\\":\\\"{}\\\",\\\"MfaDetail_string_s\\\":\\\"\\\",\\\"NetworkLocationDetails_s\\\":\\\"[]\\\",\\\"OriginalRequestId_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"ProcessingTimeInMilliseconds_s\\\":\\\"3535\\\",\\\"RiskDetail_s\\\":\\\"none\\\",\\\"RiskEventTypes_s\\\":\\\"[]\\\",\\\"RiskEventTypes_V2_s\\\":\\\"[]\\\",\\\"RiskLevelAggregated_s\\\":\\\"none\\\",\\\"RiskLevelDuringSignIn_s\\\":\\\"none\\\",\\\"RiskState_s\\\":\\\"none\\\",\\\"ResourceDisplayName_s\\\":\\\"Windows Azure Service Management API\\\",\\\"ResourceIdentity_g\\\":\\\"797f4846-ba00-4fd7-ba43-dac1f8f63013\\\",\\\"ServicePrincipalId_s\\\":\\\"\\\",\\\"ServicePrincipalName_s\\\":\\\"\\\",\\\"Status_dynamic_s\\\":\\\"{\\\\\\\"errorCode\\\\\\\":0}\\\",\\\"Status_string_s\\\":\\\"\\\",\\\"TokenIssuerName_s\\\":\\\"\\\",\\\"TokenIssuerType_s\\\":\\\"AzureAD\\\",\\\"UserAgent_s\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49\\\",\\\"UserDisplayName_s\\\":\\\"Adele Vance\\\",\\\"UserId_g\\\":\\\"9b117c67-170e-4aed-9702-658b3fddc889\\\",\\\"UserPrincipalName_s\\\":\\\"adelev@m365x816222.onmicrosoft.com\\\",\\\"AADTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"UserType_s\\\":\\\"Member\\\",\\\"FlaggedForReview_s\\\":\\\"\\\",\\\"SignInIdentifier_s\\\":\\\"\\\",\\\"SignInIdentifierType_s\\\":\\\"\\\",\\\"ResourceTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"HomeTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"Type_s\\\":\\\"SigninLogs\\\",\\\"AdditionalDetails_s\\\":\\\"\\\",\\\"InitiatedBy_s\\\":\\\"\\\",\\\"ResourceIdentity_s\\\":\\\"\\\",\\\"HomeTenantId_s\\\":\\\"\\\",\\\"Type\\\":\\\"SigninLogs_CL\\\",\\\"_ResourceId\\\":\\\"\\\"}\",\"queryStartTime\":\"2026-03-24T07:00:00+00:00\",\"queryEndTime\":\"2026-03-25T07:00:00+00:00\",\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}}", "isContentBase64": false } }, - "Update-AzSentinelBookmark+[NoContext]+UpdateViaIdentityExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/bookmarks/4a1c3550-81e9-42ae-8302-a2234a8d3168?api-version=2021-09-01-preview+2": { + "Update-AzSentinelBookmark+[NoContext]+UpdateViaIdentityExpanded+$PUT+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/bookmarks/2b6690b9-7f3b-4239-b675-41640f710da0?api-version=2021-09-01-preview+3": { "Request": { "Method": "PUT", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/bookmarks/4a1c3550-81e9-42ae-8302-a2234a8d3168?api-version=2021-09-01-preview", - "Content": "{\n \"properties\": {\n \"displayName\": \"UpdateBookmarkPSTest\"\n }\n}", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/bookmarks/2b6690b9-7f3b-4239-b675-41640f710da0?api-version=2021-09-01-preview", + "Content": "{\r\n \"etag\": \"\\\"3c007cbb-0000-0100-0000-69c392d60000\\\"\",\r\n \"properties\": {\r\n \"createdBy\": {\r\n \"email\": \"t-helezra@microsoft.com\",\r\n \"name\": \"Hadas Elezra\",\r\n \"objectId\": \"6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb\"\r\n },\r\n \"updatedBy\": {\r\n \"email\": \"t-helezra@microsoft.com\",\r\n \"name\": \"Hadas Elezra\",\r\n \"objectId\": \"6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb\"\r\n },\r\n \"created\": \"2026-03-25T07:27:36.5332527Z\",\r\n \"displayName\": \"UpdateBookmarkPSTest\",\r\n \"labels\": [ \"asptest\" ],\r\n \"notes\": \"Notes go here\",\r\n \"query\": \"SigninLogs_CL\",\r\n \"queryResult\": \"{\\\"TenantId\\\":\\\"6ad64079-1c3e-4672-bc2d-08df98ad5751\\\",\\\"SourceSystem\\\":\\\"RestAPI\\\",\\\"MG\\\":\\\"\\\",\\\"ManagementGroupName\\\":\\\"\\\",\\\"TimeGenerated\\\":\\\"2021-12-08T03:59:19.262Z\\\",\\\"Computer\\\":\\\"\\\",\\\"RawData\\\":\\\"\\\",\\\"ResourceId\\\":\\\"/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam\\\",\\\"OperationName\\\":\\\"Sign-in activity\\\",\\\"OperationVersion\\\":\\\"1\\\",\\\"Category\\\":\\\"SignInLogs\\\",\\\"ResultType\\\":\\\"0\\\",\\\"ResultSignature\\\":\\\"None\\\",\\\"ResultDescription\\\":\\\"\\\",\\\"DurationMs\\\":0,\\\"CorrelationId\\\":\\\"f9ff9ee8-d565-478b-bc95-8b4f0d468fe1\\\",\\\"Resource\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceGroup\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceProvider\\\":\\\"\\\",\\\"Identity_s\\\":\\\"Adele Vance\\\",\\\"Level\\\":\\\"4\\\",\\\"Location_s\\\":\\\"IL\\\",\\\"AlternateSignInName_s\\\":\\\"\\\",\\\"AppDisplayName_s\\\":\\\"Azure Portal\\\",\\\"AppId_g\\\":\\\"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\\\",\\\"AuthenticationDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"authenticationStepDateTime\\\\\\\": \\\\\\\"2021-04-28T14:08:45.2213421+00:00\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationMethod\\\\\\\": \\\\\\\"Previously satisfied\\\\\\\",\\\\r\\\\n \\\\\\\"succeeded\\\\\\\": true,\\\\r\\\\n \\\\\\\"authenticationStepResultDetail\\\\\\\": \\\\\\\"First factor requirement satisfied by claim in the token\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationStepRequirement\\\\\\\": \\\\\\\"Primary authentication\\\\\\\",\\\\r\\\\n \\\\\\\"StatusSequence\\\\\\\": 0,\\\\r\\\\n \\\\\\\"RequestSequence\\\\\\\": 0\\\\r\\\\n }\\\\r\\\\n]\\\",\\\"AuthenticationMethodsUsed_s\\\":\\\"\\\",\\\"AuthenticationProcessingDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"key\\\\\\\": \\\\\\\"IsCAEToken\\\\\\\",\\\\r\\\\n \\\\\\\"value\\\\\\\": \\\\\\\"False\\\\\\\"\\\\r\\\\n }\\\\r\\\\n]\\\",\\\"AuthenticationRequirement_s\\\":\\\"singleFactorAuthentication\\\",\\\"AuthenticationRequirementPolicies_s\\\":\\\"[]\\\",\\\"ClientAppUsed_s\\\":\\\"Browser\\\",\\\"ConditionalAccessPolicies_dynamic_s\\\":\\\"[{\\\\\\\"enforcedSessionControls\\\\\\\":[],\\\\\\\"conditionsNotSatisfied\\\\\\\":0,\\\\\\\"enforcedGrantControls\\\\\\\":[],\\\\\\\"conditionsSatisfied\\\\\\\":0,\\\\\\\"displayName\\\\\\\":\\\\\\\"Exchange Online Requires Compliant Device\\\\\\\",\\\\\\\"result\\\\\\\":\\\\\\\"notEnabled\\\\\\\",\\\\\\\"id\\\\\\\":\\\\\\\"defb835a-eb9f-4346-a2ca-7a9184867bf1\\\\\\\"}]\\\",\\\"ConditionalAccessPolicies_string_s\\\":\\\"\\\",\\\"ConditionalAccessStatus_s\\\":\\\"notApplied\\\",\\\"CreatedDateTime_UTC__s\\\":\\\"4/28/2021, 2:08:45.221 PM\\\",\\\"DeviceDetail_dynamic_s\\\":\\\"{\\\\\\\"operatingSystem\\\\\\\":\\\\\\\"Windows 10\\\\\\\",\\\\\\\"deviceId\\\\\\\":\\\\\\\"\\\\\\\",\\\\\\\"browser\\\\\\\":\\\\\\\"Edge 90.0.818\\\\\\\"}\\\",\\\"DeviceDetail_string_s\\\":\\\"\\\",\\\"IsInteractive_s\\\":\\\"TRUE\\\",\\\"Id_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"IPAddress\\\":\\\"175.45.176.99\\\",\\\"IsRisky_s\\\":\\\"\\\",\\\"LocationDetails_dynamic_s\\\":\\\"{\\\\\\\"countryOrRegion\\\\\\\":\\\\\\\"IL\\\\\\\",\\\\\\\"geoCoordinates\\\\\\\":{\\\\\\\"longitude\\\\\\\":34.79964828491211,\\\\\\\"latitude\\\\\\\":32.02956008911133},\\\\\\\"state\\\\\\\":\\\\\\\"Tel Aviv\\\\\\\",\\\\\\\"city\\\\\\\":\\\\\\\"Azor\\\\\\\"}\\\",\\\"LocationDetails_string_s\\\":\\\"\\\",\\\"MfaDetail_dynamic_s\\\":\\\"{}\\\",\\\"MfaDetail_string_s\\\":\\\"\\\",\\\"NetworkLocationDetails_s\\\":\\\"[]\\\",\\\"OriginalRequestId_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"ProcessingTimeInMilliseconds_s\\\":\\\"3535\\\",\\\"RiskDetail_s\\\":\\\"none\\\",\\\"RiskEventTypes_s\\\":\\\"[]\\\",\\\"RiskEventTypes_V2_s\\\":\\\"[]\\\",\\\"RiskLevelAggregated_s\\\":\\\"none\\\",\\\"RiskLevelDuringSignIn_s\\\":\\\"none\\\",\\\"RiskState_s\\\":\\\"none\\\",\\\"ResourceDisplayName_s\\\":\\\"Windows Azure Service Management API\\\",\\\"ResourceIdentity_g\\\":\\\"797f4846-ba00-4fd7-ba43-dac1f8f63013\\\",\\\"ServicePrincipalId_s\\\":\\\"\\\",\\\"ServicePrincipalName_s\\\":\\\"\\\",\\\"Status_dynamic_s\\\":\\\"{\\\\\\\"errorCode\\\\\\\":0}\\\",\\\"Status_string_s\\\":\\\"\\\",\\\"TokenIssuerName_s\\\":\\\"\\\",\\\"TokenIssuerType_s\\\":\\\"AzureAD\\\",\\\"UserAgent_s\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49\\\",\\\"UserDisplayName_s\\\":\\\"Adele Vance\\\",\\\"UserId_g\\\":\\\"9b117c67-170e-4aed-9702-658b3fddc889\\\",\\\"UserPrincipalName_s\\\":\\\"adelev@m365x816222.onmicrosoft.com\\\",\\\"AADTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"UserType_s\\\":\\\"Member\\\",\\\"FlaggedForReview_s\\\":\\\"\\\",\\\"SignInIdentifier_s\\\":\\\"\\\",\\\"SignInIdentifierType_s\\\":\\\"\\\",\\\"ResourceTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"HomeTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"Type_s\\\":\\\"SigninLogs\\\",\\\"AdditionalDetails_s\\\":\\\"\\\",\\\"InitiatedBy_s\\\":\\\"\\\",\\\"ResourceIdentity_s\\\":\\\"\\\",\\\"HomeTenantId_s\\\":\\\"\\\",\\\"Type\\\":\\\"SigninLogs_CL\\\",\\\"_ResourceId\\\":\\\"\\\"}\",\r\n \"updated\": \"2026-03-25T07:46:30.4147955Z\",\r\n \"eventTime\": \"2026-03-25T07:00:00.0000000Z\",\r\n \"queryStartTime\": \"2026-03-24T07:00:00.0000000Z\",\r\n \"queryEndTime\": \"2026-03-25T07:00:00.0000000Z\"\r\n }\r\n}", "isContentBase64": false, "Headers": { }, "ContentHeaders": { "Content-Type": [ "application/json" ], - "Content-Length": [ "67" ] + "Content-Length": [ "5034" ] } }, "Response": { @@ -135,21 +237,25 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-writes": [ "1190" ], - "x-ms-request-id": [ "09b10842-f1a5-4598-aef7-4fa3a54d0c6c" ], - "x-ms-correlation-request-id": [ "09b10842-f1a5-4598-aef7-4fa3a54d0c6c" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160848Z:09b10842-f1a5-4598-aef7-4fa3a54d0c6c" ], + "Vary": [ "Accept-Encoding" ], + "x-ms-ratelimit-remaining-subscription-writes": [ "799" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/df977f82-8b6b-49e4-8aed-aaf038b46bf4" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-ratelimit-remaining-subscription-global-writes": [ "11999" ], + "x-ms-request-id": [ "99cd1ca3-b48f-4793-bf30-368e14f2a9c1" ], + "x-ms-correlation-request-id": [ "99cd1ca3-b48f-4793-bf30-368e14f2a9c1" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074632Z:99cd1ca3-b48f-4793-bf30-368e14f2a9c1" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:08:48 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: 3455D5465A664724BA1D52FE70DE305D Ref B: AMS231020512027 Ref C: 2026-03-25T07:46:31Z" ], + "Date": [ "Wed, 25 Mar 2026 07:46:31 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "911" ], + "Content-Length": [ "5273" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Bookmarks/4a1c3550-81e9-42ae-8302-a2234a8d3168\",\"name\":\"4a1c3550-81e9-42ae-8302-a2234a8d3168\",\"etag\":\"\\\"3c00c08c-0000-0100-0000-62fbc1100000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"UpdateBookmarkPSTest\",\"created\":\"2022-08-16T15:50:30.6003748+00:00\",\"updated\":\"2022-08-16T16:08:48+00:00\",\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2022-08-16T16:08:48.0260156+00:00\",\"labels\":[],\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}}", + "Content": "{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Bookmarks/2b6690b9-7f3b-4239-b675-41640f710da0\",\"name\":\"2b6690b9-7f3b-4239-b675-41640f710da0\",\"etag\":\"\\\"3c00c3bb-0000-0100-0000-69c392d70000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"UpdateBookmarkPSTest\",\"created\":\"2026-03-25T07:27:36.5332527+00:00\",\"updated\":\"2026-03-25T07:46:31+00:00\",\"createdBy\":{\"objectId\":\"6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb\",\"email\":\"t-helezra@microsoft.com\",\"name\":\"Hadas Elezra\"},\"updatedBy\":{\"objectId\":\"6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb\",\"email\":\"t-helezra@microsoft.com\",\"name\":\"Hadas Elezra\"},\"eventTime\":\"2026-03-25T07:00:00+00:00\",\"notes\":\"Notes go here\",\"labels\":[\"asptest\"],\"query\":\"SigninLogs_CL\",\"queryResult\":\"{\\\"TenantId\\\":\\\"6ad64079-1c3e-4672-bc2d-08df98ad5751\\\",\\\"SourceSystem\\\":\\\"RestAPI\\\",\\\"MG\\\":\\\"\\\",\\\"ManagementGroupName\\\":\\\"\\\",\\\"TimeGenerated\\\":\\\"2021-12-08T03:59:19.262Z\\\",\\\"Computer\\\":\\\"\\\",\\\"RawData\\\":\\\"\\\",\\\"ResourceId\\\":\\\"/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam\\\",\\\"OperationName\\\":\\\"Sign-in activity\\\",\\\"OperationVersion\\\":\\\"1\\\",\\\"Category\\\":\\\"SignInLogs\\\",\\\"ResultType\\\":\\\"0\\\",\\\"ResultSignature\\\":\\\"None\\\",\\\"ResultDescription\\\":\\\"\\\",\\\"DurationMs\\\":0,\\\"CorrelationId\\\":\\\"f9ff9ee8-d565-478b-bc95-8b4f0d468fe1\\\",\\\"Resource\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceGroup\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceProvider\\\":\\\"\\\",\\\"Identity_s\\\":\\\"Adele Vance\\\",\\\"Level\\\":\\\"4\\\",\\\"Location_s\\\":\\\"IL\\\",\\\"AlternateSignInName_s\\\":\\\"\\\",\\\"AppDisplayName_s\\\":\\\"Azure Portal\\\",\\\"AppId_g\\\":\\\"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\\\",\\\"AuthenticationDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"authenticationStepDateTime\\\\\\\": \\\\\\\"2021-04-28T14:08:45.2213421+00:00\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationMethod\\\\\\\": \\\\\\\"Previously satisfied\\\\\\\",\\\\r\\\\n \\\\\\\"succeeded\\\\\\\": true,\\\\r\\\\n \\\\\\\"authenticationStepResultDetail\\\\\\\": \\\\\\\"First factor requirement satisfied by claim in the token\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationStepRequirement\\\\\\\": \\\\\\\"Primary authentication\\\\\\\",\\\\r\\\\n \\\\\\\"StatusSequence\\\\\\\": 0,\\\\r\\\\n \\\\\\\"RequestSequence\\\\\\\": 0\\\\r\\\\n }\\\\r\\\\n]\\\",\\\"AuthenticationMethodsUsed_s\\\":\\\"\\\",\\\"AuthenticationProcessingDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"key\\\\\\\": \\\\\\\"IsCAEToken\\\\\\\",\\\\r\\\\n \\\\\\\"value\\\\\\\": \\\\\\\"False\\\\\\\"\\\\r\\\\n }\\\\r\\\\n]\\\",\\\"AuthenticationRequirement_s\\\":\\\"singleFactorAuthentication\\\",\\\"AuthenticationRequirementPolicies_s\\\":\\\"[]\\\",\\\"ClientAppUsed_s\\\":\\\"Browser\\\",\\\"ConditionalAccessPolicies_dynamic_s\\\":\\\"[{\\\\\\\"enforcedSessionControls\\\\\\\":[],\\\\\\\"conditionsNotSatisfied\\\\\\\":0,\\\\\\\"enforcedGrantControls\\\\\\\":[],\\\\\\\"conditionsSatisfied\\\\\\\":0,\\\\\\\"displayName\\\\\\\":\\\\\\\"Exchange Online Requires Compliant Device\\\\\\\",\\\\\\\"result\\\\\\\":\\\\\\\"notEnabled\\\\\\\",\\\\\\\"id\\\\\\\":\\\\\\\"defb835a-eb9f-4346-a2ca-7a9184867bf1\\\\\\\"}]\\\",\\\"ConditionalAccessPolicies_string_s\\\":\\\"\\\",\\\"ConditionalAccessStatus_s\\\":\\\"notApplied\\\",\\\"CreatedDateTime_UTC__s\\\":\\\"4/28/2021, 2:08:45.221 PM\\\",\\\"DeviceDetail_dynamic_s\\\":\\\"{\\\\\\\"operatingSystem\\\\\\\":\\\\\\\"Windows 10\\\\\\\",\\\\\\\"deviceId\\\\\\\":\\\\\\\"\\\\\\\",\\\\\\\"browser\\\\\\\":\\\\\\\"Edge 90.0.818\\\\\\\"}\\\",\\\"DeviceDetail_string_s\\\":\\\"\\\",\\\"IsInteractive_s\\\":\\\"TRUE\\\",\\\"Id_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"IPAddress\\\":\\\"175.45.176.99\\\",\\\"IsRisky_s\\\":\\\"\\\",\\\"LocationDetails_dynamic_s\\\":\\\"{\\\\\\\"countryOrRegion\\\\\\\":\\\\\\\"IL\\\\\\\",\\\\\\\"geoCoordinates\\\\\\\":{\\\\\\\"longitude\\\\\\\":34.79964828491211,\\\\\\\"latitude\\\\\\\":32.02956008911133},\\\\\\\"state\\\\\\\":\\\\\\\"Tel Aviv\\\\\\\",\\\\\\\"city\\\\\\\":\\\\\\\"Azor\\\\\\\"}\\\",\\\"LocationDetails_string_s\\\":\\\"\\\",\\\"MfaDetail_dynamic_s\\\":\\\"{}\\\",\\\"MfaDetail_string_s\\\":\\\"\\\",\\\"NetworkLocationDetails_s\\\":\\\"[]\\\",\\\"OriginalRequestId_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"ProcessingTimeInMilliseconds_s\\\":\\\"3535\\\",\\\"RiskDetail_s\\\":\\\"none\\\",\\\"RiskEventTypes_s\\\":\\\"[]\\\",\\\"RiskEventTypes_V2_s\\\":\\\"[]\\\",\\\"RiskLevelAggregated_s\\\":\\\"none\\\",\\\"RiskLevelDuringSignIn_s\\\":\\\"none\\\",\\\"RiskState_s\\\":\\\"none\\\",\\\"ResourceDisplayName_s\\\":\\\"Windows Azure Service Management API\\\",\\\"ResourceIdentity_g\\\":\\\"797f4846-ba00-4fd7-ba43-dac1f8f63013\\\",\\\"ServicePrincipalId_s\\\":\\\"\\\",\\\"ServicePrincipalName_s\\\":\\\"\\\",\\\"Status_dynamic_s\\\":\\\"{\\\\\\\"errorCode\\\\\\\":0}\\\",\\\"Status_string_s\\\":\\\"\\\",\\\"TokenIssuerName_s\\\":\\\"\\\",\\\"TokenIssuerType_s\\\":\\\"AzureAD\\\",\\\"UserAgent_s\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49\\\",\\\"UserDisplayName_s\\\":\\\"Adele Vance\\\",\\\"UserId_g\\\":\\\"9b117c67-170e-4aed-9702-658b3fddc889\\\",\\\"UserPrincipalName_s\\\":\\\"adelev@m365x816222.onmicrosoft.com\\\",\\\"AADTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"UserType_s\\\":\\\"Member\\\",\\\"FlaggedForReview_s\\\":\\\"\\\",\\\"SignInIdentifier_s\\\":\\\"\\\",\\\"SignInIdentifierType_s\\\":\\\"\\\",\\\"ResourceTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"HomeTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"Type_s\\\":\\\"SigninLogs\\\",\\\"AdditionalDetails_s\\\":\\\"\\\",\\\"InitiatedBy_s\\\":\\\"\\\",\\\"ResourceIdentity_s\\\":\\\"\\\",\\\"HomeTenantId_s\\\":\\\"\\\",\\\"Type\\\":\\\"SigninLogs_CL\\\",\\\"_ResourceId\\\":\\\"\\\"}\",\"queryStartTime\":\"2026-03-24T07:00:00+00:00\",\"queryEndTime\":\"2026-03-25T07:00:00+00:00\",\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}}", "isContentBase64": false } } diff --git a/src/SecurityInsights/SecurityInsights.Autorest/test/Update-AzSentinelBookmarkRelation.Recording.json b/src/SecurityInsights/SecurityInsights.Autorest/test/Update-AzSentinelBookmarkRelation.Recording.json index ef36518f4ef4..8541a3412915 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/test/Update-AzSentinelBookmarkRelation.Recording.json +++ b/src/SecurityInsights/SecurityInsights.Autorest/test/Update-AzSentinelBookmarkRelation.Recording.json @@ -1,15 +1,15 @@ { - "Update-AzSentinelBookmarkRelation+[NoContext]+UpdateExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/260305a7-5d75-4eb9-bd1d-56d5bc54f96e?api-version=2021-09-01-preview+1": { + "Update-AzSentinelBookmarkRelation+[NoContext]+UpdateExpanded+$PUT+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/incidents/0546e063-8fec-46ee-a761-a39d41677120?api-version=2021-09-01-preview+1": { "Request": { "Method": "PUT", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/260305a7-5d75-4eb9-bd1d-56d5bc54f96e?api-version=2021-09-01-preview", - "Content": "{\n \"properties\": {\n \"severity\": \"Informational\",\n \"status\": \"New\",\n \"title\": \"NewbookmarkRelationIncidentNamekefcy9\"\n }\n}", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/incidents/0546e063-8fec-46ee-a761-a39d41677120?api-version=2021-09-01-preview", + "Content": "{\r\n \"properties\": {\r\n \"severity\": \"Informational\",\r\n \"status\": \"New\",\r\n \"title\": \"NewbookmarkRelationIncidentNamemf3e9o\"\r\n }\r\n}", "isContentBase64": false, "Headers": { }, "ContentHeaders": { "Content-Type": [ "application/json" ], - "Content-Length": [ "132" ] + "Content-Length": [ "138" ] } }, "Response": { @@ -17,35 +17,82 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-resource-requests": [ "494" ], - "x-ms-request-id": [ "d5f8b3f5-97a3-4e9f-bbde-33533f7b7257" ], - "x-ms-correlation-request-id": [ "d5f8b3f5-97a3-4e9f-bbde-33533f7b7257" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160848Z:d5f8b3f5-97a3-4e9f-bbde-33533f7b7257" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/7af46c69-6e59-464d-aa81-cc9e46477aa3" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "799" ], + "x-ms-request-id": [ "28c228b0-5447-460c-a8fd-123bb0057261" ], + "x-ms-correlation-request-id": [ "28c228b0-5447-460c-a8fd-123bb0057261" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074633Z:28c228b0-5447-460c-a8fd-123bb0057261" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:08:48 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: 3655491E1DD6449E967E4AE8371953B0 Ref B: AMS231020512027 Ref C: 2026-03-25T07:46:32Z" ], + "Date": [ "Wed, 25 Mar 2026 07:46:32 GMT" ] }, "ContentHeaders": { "Content-Length": [ "1233" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/260305a7-5d75-4eb9-bd1d-56d5bc54f96e\",\"name\":\"260305a7-5d75-4eb9-bd1d-56d5bc54f96e\",\"etag\":\"\\\"4a00c452-0000-0100-0000-62fbc1100000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"NewbookmarkRelationIncidentNamekefcy9\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-08-16T16:08:48.6722673Z\",\"createdTimeUtc\":\"2022-08-16T16:08:48.6722673Z\",\"incidentNumber\":27,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/260305a7-5d75-4eb9-bd1d-56d5bc54f96e\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"27\"}}", + "Content": "{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/0546e063-8fec-46ee-a761-a39d41677120\",\"name\":\"0546e063-8fec-46ee-a761-a39d41677120\",\"etag\":\"\\\"2f0089a4-0000-0100-0000-69c392d90000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"NewbookmarkRelationIncidentNamemf3e9o\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2026-03-25T07:46:33.0495341Z\",\"createdTimeUtc\":\"2026-03-25T07:46:33.0495341Z\",\"incidentNumber\":27,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/0546e063-8fec-46ee-a761-a39d41677120\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"27\"}}", "isContentBase64": false } }, - "Update-AzSentinelBookmarkRelation+[NoContext]+UpdateExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/bookmarks/a6be05a8-9ad5-44c4-89c5-a9df845dca7e/relations/17cbbab8-7829-4e80-8775-f71ebcd2ceea?api-version=2021-09-01-preview+2": { + "Update-AzSentinelBookmarkRelation+[NoContext]+UpdateExpanded+$GET+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/bookmarks/ccaf8264-c8d6-4f67-bba1-b9a29a592313/relations/d16e37b8-a295-4b5e-833c-77e25e6b20d5?api-version=2021-09-01-preview+2": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/bookmarks/ccaf8264-c8d6-4f67-bba1-b9a29a592313/relations/d16e37b8-a295-4b5e-833c-77e25e6b20d5?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "145" ], + "x-ms-client-request-id": [ "b8dbfa8a-94bd-4387-96a9-5e37f2a00dd3" ], + "CommandName": [ "Update-AzSentinelBookmarkRelation" ], + "FullCommandName": [ "Update-AzSentinelBookmarkRelation_UpdateExpanded" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/v15.4.0", "PSVersion/v7.6.0", "Az.SecurityInsights/3.2.1" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Vary": [ "Accept-Encoding" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "1099" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/6f35e2f7-25ea-48d1-a7ca-bc5caff05f5f" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-ratelimit-remaining-subscription-global-reads": [ "16499" ], + "x-ms-request-id": [ "ee053891-2245-495e-bf44-b34f8a1ff69e" ], + "x-ms-correlation-request-id": [ "ee053891-2245-495e-bf44-b34f8a1ff69e" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074633Z:ee053891-2245-495e-bf44-b34f8a1ff69e" ], + "X-Content-Type-Options": [ "nosniff" ], + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: 077E91B789D04296B7DFB97D8CA98FE4 Ref B: AMS231020512027 Ref C: 2026-03-25T07:46:33Z" ], + "Date": [ "Wed, 25 Mar 2026 07:46:33 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "828" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Bookmarks/ccaf8264-c8d6-4f67-bba1-b9a29a592313/relations/d16e37b8-a295-4b5e-833c-77e25e6b20d5\",\"name\":\"d16e37b8-a295-4b5e-833c-77e25e6b20d5\",\"etag\":\"\\\"3c00f602-0000-0100-0000-69c38e9b0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks/relations\",\"properties\":{\"relatedResourceId\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/53f5c7e4-34eb-4e33-9c57-9445ffc4cd6a\",\"relatedResourceName\":\"53f5c7e4-34eb-4e33-9c57-9445ffc4cd6a\",\"relatedResourceType\":\"Microsoft.SecurityInsights/Incidents\"}}", + "isContentBase64": false + } + }, + "Update-AzSentinelBookmarkRelation+[NoContext]+UpdateExpanded+$PUT+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/bookmarks/ccaf8264-c8d6-4f67-bba1-b9a29a592313/relations/d16e37b8-a295-4b5e-833c-77e25e6b20d5?api-version=2021-09-01-preview+3": { "Request": { "Method": "PUT", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/bookmarks/a6be05a8-9ad5-44c4-89c5-a9df845dca7e/relations/17cbbab8-7829-4e80-8775-f71ebcd2ceea?api-version=2021-09-01-preview", - "Content": "{\n \"properties\": {\n \"relatedResourceId\": \"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/260305a7-5d75-4eb9-bd1d-56d5bc54f96e\"\n }\n}", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/bookmarks/ccaf8264-c8d6-4f67-bba1-b9a29a592313/relations/d16e37b8-a295-4b5e-833c-77e25e6b20d5?api-version=2021-09-01-preview", + "Content": "{\r\n \"etag\": \"\\\"3c00f602-0000-0100-0000-69c38e9b0000\\\"\",\r\n \"properties\": {\r\n \"relatedResourceId\": \"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/0546e063-8fec-46ee-a761-a39d41677120\"\r\n }\r\n}", "isContentBase64": false, "Headers": { }, "ContentHeaders": { "Content-Type": [ "application/json" ], - "Content-Length": [ "283" ] + "Content-Length": [ "342" ] } }, "Response": { @@ -53,35 +100,39 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-writes": [ "1189" ], - "x-ms-request-id": [ "0cb984aa-ec08-4525-a665-cda64087a2e9" ], - "x-ms-correlation-request-id": [ "0cb984aa-ec08-4525-a665-cda64087a2e9" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160848Z:0cb984aa-ec08-4525-a665-cda64087a2e9" ], + "Vary": [ "Accept-Encoding" ], + "x-ms-ratelimit-remaining-subscription-writes": [ "799" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/71635ddb-1d5d-4eaa-bde3-a22b396d0fe8" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-ratelimit-remaining-subscription-global-writes": [ "11999" ], + "x-ms-request-id": [ "f5193e15-ea4d-4078-8e69-351bef051e18" ], + "x-ms-correlation-request-id": [ "f5193e15-ea4d-4078-8e69-351bef051e18" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074634Z:f5193e15-ea4d-4078-8e69-351bef051e18" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:08:48 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: 5A325092103F4827AC3C5C412EC183D0 Ref B: AMS231020512027 Ref C: 2026-03-25T07:46:33Z" ], + "Date": [ "Wed, 25 Mar 2026 07:46:33 GMT" ] }, "ContentHeaders": { "Content-Length": [ "828" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Bookmarks/a6be05a8-9ad5-44c4-89c5-a9df845dca7e/relations/17cbbab8-7829-4e80-8775-f71ebcd2ceea\",\"name\":\"17cbbab8-7829-4e80-8775-f71ebcd2ceea\",\"etag\":\"\\\"3c00c38c-0000-0100-0000-62fbc1100000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks/relations\",\"properties\":{\"relatedResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/260305a7-5d75-4eb9-bd1d-56d5bc54f96e\",\"relatedResourceName\":\"260305a7-5d75-4eb9-bd1d-56d5bc54f96e\",\"relatedResourceType\":\"Microsoft.SecurityInsights/Incidents\"}}", + "Content": "{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Bookmarks/ccaf8264-c8d6-4f67-bba1-b9a29a592313/relations/d16e37b8-a295-4b5e-833c-77e25e6b20d5\",\"name\":\"d16e37b8-a295-4b5e-833c-77e25e6b20d5\",\"etag\":\"\\\"3c0009bc-0000-0100-0000-69c392da0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks/relations\",\"properties\":{\"relatedResourceId\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/0546e063-8fec-46ee-a761-a39d41677120\",\"relatedResourceName\":\"0546e063-8fec-46ee-a761-a39d41677120\",\"relatedResourceType\":\"Microsoft.SecurityInsights/Incidents\"}}", "isContentBase64": false } }, - "Update-AzSentinelBookmarkRelation+[NoContext]+UpdateViaIdentityExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/219862bd-299b-4e98-8dd1-149a26b76dfe?api-version=2021-09-01-preview+1": { + "Update-AzSentinelBookmarkRelation+[NoContext]+UpdateViaIdentityExpanded+$PUT+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/incidents/b910c776-2b42-453f-8180-fc7494264127?api-version=2021-09-01-preview+1": { "Request": { "Method": "PUT", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/219862bd-299b-4e98-8dd1-149a26b76dfe?api-version=2021-09-01-preview", - "Content": "{\n \"properties\": {\n \"severity\": \"Informational\",\n \"status\": \"New\",\n \"title\": \"NewbookmarkRelationIncidentName7zq8cv\"\n }\n}", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/incidents/b910c776-2b42-453f-8180-fc7494264127?api-version=2021-09-01-preview", + "Content": "{\r\n \"properties\": {\r\n \"severity\": \"Informational\",\r\n \"status\": \"New\",\r\n \"title\": \"NewbookmarkRelationIncidentNameaweqpf\"\r\n }\r\n}", "isContentBase64": false, "Headers": { }, "ContentHeaders": { "Content-Type": [ "application/json" ], - "Content-Length": [ "132" ] + "Content-Length": [ "138" ] } }, "Response": { @@ -89,37 +140,84 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-resource-requests": [ "493" ], - "x-ms-request-id": [ "c5fc1be9-1bf5-495d-bf9b-10831cc1ddfa" ], - "x-ms-correlation-request-id": [ "c5fc1be9-1bf5-495d-bf9b-10831cc1ddfa" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160849Z:c5fc1be9-1bf5-495d-bf9b-10831cc1ddfa" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/1011280a-922d-4d3e-bfc5-369a6b2afc5f" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "799" ], + "x-ms-request-id": [ "e69e4502-3761-494a-86d3-6bb79b2a6df7" ], + "x-ms-correlation-request-id": [ "e69e4502-3761-494a-86d3-6bb79b2a6df7" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074634Z:e69e4502-3761-494a-86d3-6bb79b2a6df7" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:08:49 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: 9BDF3CFF7029407E965856E0DB8E649B Ref B: AMS231020512027 Ref C: 2026-03-25T07:46:34Z" ], + "Date": [ "Wed, 25 Mar 2026 07:46:34 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "1231" ], + "Content-Length": [ "1233" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/219862bd-299b-4e98-8dd1-149a26b76dfe\",\"name\":\"219862bd-299b-4e98-8dd1-149a26b76dfe\",\"etag\":\"\\\"4a00c752-0000-0100-0000-62fbc1110000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"NewbookmarkRelationIncidentName7zq8cv\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-08-16T16:08:49.214241Z\",\"createdTimeUtc\":\"2022-08-16T16:08:49.214241Z\",\"incidentNumber\":28,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/219862bd-299b-4e98-8dd1-149a26b76dfe\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"28\"}}", + "Content": "{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/b910c776-2b42-453f-8180-fc7494264127\",\"name\":\"b910c776-2b42-453f-8180-fc7494264127\",\"etag\":\"\\\"2f00bfa4-0000-0100-0000-69c392da0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"NewbookmarkRelationIncidentNameaweqpf\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2026-03-25T07:46:34.8193653Z\",\"createdTimeUtc\":\"2026-03-25T07:46:34.8193653Z\",\"incidentNumber\":28,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/b910c776-2b42-453f-8180-fc7494264127\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"28\"}}", "isContentBase64": false } }, - "Update-AzSentinelBookmarkRelation+[NoContext]+UpdateViaIdentityExpanded+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/bookmarks/327d3f42-a5d6-4bc8-99bc-93cf7b2942c7/relations/5c7863c4-3fba-4c60-87f0-88e5c33a5df8?api-version=2021-09-01-preview+2": { + "Update-AzSentinelBookmarkRelation+[NoContext]+UpdateViaIdentityExpanded+$GET+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/bookmarks/dc4bf602-cf6f-46e9-b4b6-c43af689a81f/relations/b24e558b-b0fc-4f9f-9583-1d4853b0600e?api-version=2021-09-01-preview+2": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/bookmarks/327d3f42-a5d6-4bc8-99bc-93cf7b2942c7/relations/5c7863c4-3fba-4c60-87f0-88e5c33a5df8?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/bookmarks/dc4bf602-cf6f-46e9-b4b6-c43af689a81f/relations/b24e558b-b0fc-4f9f-9583-1d4853b0600e?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "302" ], - "x-ms-client-request-id": [ "2f54d4b1-d64d-4d23-a9ca-76d5bfc28058" ], + "x-ms-unique-id": [ "148" ], + "x-ms-client-request-id": [ "9fa0b041-d1ca-41c8-a526-ade164438cb1" ], "CommandName": [ "Get-AzSentinelBookmarkRelation" ], "FullCommandName": [ "Get-AzSentinelBookmarkRelation_Get" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], + "User-Agent": [ "AzurePowershell/v15.4.0", "PSVersion/v7.6.0", "Az.SecurityInsights/3.2.1" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Vary": [ "Accept-Encoding" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "1099" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/d39d0255-51b5-42c1-8db7-76b49193674c" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-ratelimit-remaining-subscription-global-reads": [ "16499" ], + "x-ms-request-id": [ "736c9101-5e04-4572-b657-0544bce0c2e9" ], + "x-ms-correlation-request-id": [ "736c9101-5e04-4572-b657-0544bce0c2e9" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074635Z:736c9101-5e04-4572-b657-0544bce0c2e9" ], + "X-Content-Type-Options": [ "nosniff" ], + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: 9422657278194FBBA70AFE402356B121 Ref B: AMS231020512027 Ref C: 2026-03-25T07:46:35Z" ], + "Date": [ "Wed, 25 Mar 2026 07:46:34 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "828" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Bookmarks/dc4bf602-cf6f-46e9-b4b6-c43af689a81f/relations/b24e558b-b0fc-4f9f-9583-1d4853b0600e\",\"name\":\"b24e558b-b0fc-4f9f-9583-1d4853b0600e\",\"etag\":\"\\\"3c009b05-0000-0100-0000-69c38ea40000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks/relations\",\"properties\":{\"relatedResourceId\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/e0a2f9cf-074f-41f7-9cf7-ee2f76903f3e\",\"relatedResourceName\":\"e0a2f9cf-074f-41f7-9cf7-ee2f76903f3e\",\"relatedResourceType\":\"Microsoft.SecurityInsights/Incidents\"}}", + "isContentBase64": false + } + }, + "Update-AzSentinelBookmarkRelation+[NoContext]+UpdateViaIdentityExpanded+$GET+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/bookmarks/dc4bf602-cf6f-46e9-b4b6-c43af689a81f/relations/b24e558b-b0fc-4f9f-9583-1d4853b0600e?api-version=2021-09-01-preview+3": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/bookmarks/dc4bf602-cf6f-46e9-b4b6-c43af689a81f/relations/b24e558b-b0fc-4f9f-9583-1d4853b0600e?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "149" ], + "x-ms-client-request-id": [ "0438071c-b9da-4067-b6c8-8010b9571e36" ], + "CommandName": [ "Update-AzSentinelBookmarkRelation" ], + "FullCommandName": [ "Update-AzSentinelBookmarkRelation_UpdateViaIdentityExpanded" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/v15.4.0", "PSVersion/v7.6.0", "Az.SecurityInsights/3.2.1" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { @@ -130,35 +228,39 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11932" ], - "x-ms-request-id": [ "297c4d6c-3705-4c95-a46d-9d5e6cccc9da" ], - "x-ms-correlation-request-id": [ "297c4d6c-3705-4c95-a46d-9d5e6cccc9da" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160849Z:297c4d6c-3705-4c95-a46d-9d5e6cccc9da" ], + "Vary": [ "Accept-Encoding" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "1099" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/279038a1-18c1-4edd-a66b-b0219aa7c7ad" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-ratelimit-remaining-subscription-global-reads": [ "16499" ], + "x-ms-request-id": [ "a4bb84c7-5a35-4fcb-9977-a115cbcb3295" ], + "x-ms-correlation-request-id": [ "a4bb84c7-5a35-4fcb-9977-a115cbcb3295" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074635Z:a4bb84c7-5a35-4fcb-9977-a115cbcb3295" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:08:49 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: 8594F3C2AED9498C9B8B3C6F8408208A Ref B: AMS231020512027 Ref C: 2026-03-25T07:46:35Z" ], + "Date": [ "Wed, 25 Mar 2026 07:46:35 GMT" ] }, "ContentHeaders": { "Content-Length": [ "828" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Bookmarks/327d3f42-a5d6-4bc8-99bc-93cf7b2942c7/relations/5c7863c4-3fba-4c60-87f0-88e5c33a5df8\",\"name\":\"5c7863c4-3fba-4c60-87f0-88e5c33a5df8\",\"etag\":\"\\\"3c003a8b-0000-0100-0000-62fbbda80000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks/relations\",\"properties\":{\"relatedResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/68e94645-a3b4-4595-9bfe-0d5370f5c8dd\",\"relatedResourceName\":\"68e94645-a3b4-4595-9bfe-0d5370f5c8dd\",\"relatedResourceType\":\"Microsoft.SecurityInsights/Incidents\"}}", + "Content": "{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Bookmarks/dc4bf602-cf6f-46e9-b4b6-c43af689a81f/relations/b24e558b-b0fc-4f9f-9583-1d4853b0600e\",\"name\":\"b24e558b-b0fc-4f9f-9583-1d4853b0600e\",\"etag\":\"\\\"3c009b05-0000-0100-0000-69c38ea40000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks/relations\",\"properties\":{\"relatedResourceId\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/e0a2f9cf-074f-41f7-9cf7-ee2f76903f3e\",\"relatedResourceName\":\"e0a2f9cf-074f-41f7-9cf7-ee2f76903f3e\",\"relatedResourceType\":\"Microsoft.SecurityInsights/Incidents\"}}", "isContentBase64": false } }, - "Update-AzSentinelBookmarkRelation+[NoContext]+UpdateViaIdentityExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/bookmarks/327d3f42-a5d6-4bc8-99bc-93cf7b2942c7/relations/5c7863c4-3fba-4c60-87f0-88e5c33a5df8?api-version=2021-09-01-preview+3": { + "Update-AzSentinelBookmarkRelation+[NoContext]+UpdateViaIdentityExpanded+$PUT+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/bookmarks/dc4bf602-cf6f-46e9-b4b6-c43af689a81f/relations/b24e558b-b0fc-4f9f-9583-1d4853b0600e?api-version=2021-09-01-preview+4": { "Request": { "Method": "PUT", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/bookmarks/327d3f42-a5d6-4bc8-99bc-93cf7b2942c7/relations/5c7863c4-3fba-4c60-87f0-88e5c33a5df8?api-version=2021-09-01-preview", - "Content": "{\n \"properties\": {\n \"relatedResourceId\": \"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/219862bd-299b-4e98-8dd1-149a26b76dfe\"\n }\n}", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/bookmarks/dc4bf602-cf6f-46e9-b4b6-c43af689a81f/relations/b24e558b-b0fc-4f9f-9583-1d4853b0600e?api-version=2021-09-01-preview", + "Content": "{\r\n \"etag\": \"\\\"3c009b05-0000-0100-0000-69c38ea40000\\\"\",\r\n \"properties\": {\r\n \"relatedResourceId\": \"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/b910c776-2b42-453f-8180-fc7494264127\"\r\n }\r\n}", "isContentBase64": false, "Headers": { }, "ContentHeaders": { "Content-Type": [ "application/json" ], - "Content-Length": [ "283" ] + "Content-Length": [ "342" ] } }, "Response": { @@ -166,21 +268,25 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-writes": [ "1188" ], - "x-ms-request-id": [ "5c411a39-95b1-4779-ba2b-148f02b85434" ], - "x-ms-correlation-request-id": [ "5c411a39-95b1-4779-ba2b-148f02b85434" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160849Z:5c411a39-95b1-4779-ba2b-148f02b85434" ], + "Vary": [ "Accept-Encoding" ], + "x-ms-ratelimit-remaining-subscription-writes": [ "799" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/c6f7ec54-486f-4e87-bc58-981328a857a8" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-ratelimit-remaining-subscription-global-writes": [ "11999" ], + "x-ms-request-id": [ "41c99c01-08d6-4c26-acee-720bce818d9a" ], + "x-ms-correlation-request-id": [ "41c99c01-08d6-4c26-acee-720bce818d9a" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074636Z:41c99c01-08d6-4c26-acee-720bce818d9a" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:08:49 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: C938DFF4947048EB886357D8C16DA8CC Ref B: AMS231020512027 Ref C: 2026-03-25T07:46:36Z" ], + "Date": [ "Wed, 25 Mar 2026 07:46:36 GMT" ] }, "ContentHeaders": { "Content-Length": [ "828" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Bookmarks/327d3f42-a5d6-4bc8-99bc-93cf7b2942c7/relations/5c7863c4-3fba-4c60-87f0-88e5c33a5df8\",\"name\":\"5c7863c4-3fba-4c60-87f0-88e5c33a5df8\",\"etag\":\"\\\"3c00c68c-0000-0100-0000-62fbc1110000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks/relations\",\"properties\":{\"relatedResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/219862bd-299b-4e98-8dd1-149a26b76dfe\",\"relatedResourceName\":\"219862bd-299b-4e98-8dd1-149a26b76dfe\",\"relatedResourceType\":\"Microsoft.SecurityInsights/Incidents\"}}", + "Content": "{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Bookmarks/dc4bf602-cf6f-46e9-b4b6-c43af689a81f/relations/b24e558b-b0fc-4f9f-9583-1d4853b0600e\",\"name\":\"b24e558b-b0fc-4f9f-9583-1d4853b0600e\",\"etag\":\"\\\"3c0072bc-0000-0100-0000-69c392dc0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks/relations\",\"properties\":{\"relatedResourceId\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/b910c776-2b42-453f-8180-fc7494264127\",\"relatedResourceName\":\"b910c776-2b42-453f-8180-fc7494264127\",\"relatedResourceType\":\"Microsoft.SecurityInsights/Incidents\"}}", "isContentBase64": false } } diff --git a/src/SecurityInsights/SecurityInsights.Autorest/test/Update-AzSentinelDataConnector.Recording.json b/src/SecurityInsights/SecurityInsights.Autorest/test/Update-AzSentinelDataConnector.Recording.json deleted file mode 100644 index 25d69e966897..000000000000 --- a/src/SecurityInsights/SecurityInsights.Autorest/test/Update-AzSentinelDataConnector.Recording.json +++ /dev/null @@ -1,115 +0,0 @@ -{ - "Update-AzSentinelDataConnector+[NoContext]+UpdateExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/dataConnectors/6d021fce-8f39-437c-9fb4-fc0a3794402d?api-version=2021-09-01-preview+1": { - "Request": { - "Method": "PUT", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/dataConnectors/6d021fce-8f39-437c-9fb4-fc0a3794402d?api-version=2021-09-01-preview", - "Content": "{\n \"etag\": \"7e7b29f8-4921-4f6a-ac9f-288d54eb8cd9\",\n \"kind\": \"Office365\",\n \"properties\": {\n \"tenantId\": \"d6eebbdd-d77c-465e-b008-4339027b4006\",\n \"dataTypes\": {\n \"exchange\": {\n \"state\": \"enabled\"\n },\n \"sharePoint\": {\n \"state\": \"Enabled\"\n },\n \"teams\": {\n \"state\": \"disabled\"\n }\n }\n }\n}", - "isContentBase64": false, - "Headers": { - }, - "ContentHeaders": { - "Content-Type": [ "application/json" ], - "Content-Length": [ "346" ] - } - }, - "Response": { - "StatusCode": 200, - "Headers": { - "Cache-Control": [ "no-cache" ], - "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-resource-requests": [ "496" ], - "x-ms-request-id": [ "73ec966a-6d50-49a3-a84a-628a212109eb" ], - "x-ms-correlation-request-id": [ "73ec966a-6d50-49a3-a84a-628a212109eb" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160853Z:73ec966a-6d50-49a3-a84a-628a212109eb" ], - "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], - "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:08:53 GMT" ] - }, - "ContentHeaders": { - "Content-Length": [ "578" ], - "Content-Type": [ "application/json; charset=utf-8" ], - "Expires": [ "-1" ] - }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/dataConnectors/6d021fce-8f39-437c-9fb4-fc0a3794402d\",\"name\":\"6d021fce-8f39-437c-9fb4-fc0a3794402d\",\"etag\":\"1d40953b-36aa-4fcb-8258-e3a0d8ea6268\",\"type\":\"Microsoft.SecurityInsights/dataConnectors\",\"kind\":\"Office365\",\"properties\":{\"dataTypes\":{\"sharePoint\":{\"state\":\"enabled\"},\"exchange\":{\"state\":\"enabled\"},\"teams\":{\"state\":\"disabled\"}},\"tenantId\":\"d6eebbdd-d77c-465e-b008-4339027b4006\"}}", - "isContentBase64": false - } - }, - "Update-AzSentinelDataConnector+[NoContext]+UpdateViaIdentityExpanded+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/dataConnectors/6d021fce-8f39-437c-9fb4-fc0a3794402d?api-version=2021-09-01-preview+1": { - "Request": { - "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/dataConnectors/6d021fce-8f39-437c-9fb4-fc0a3794402d?api-version=2021-09-01-preview", - "Content": null, - "isContentBase64": false, - "Headers": { - "x-ms-unique-id": [ "306" ], - "x-ms-client-request-id": [ "6368faf2-761f-4833-8eb3-4410ed2583da" ], - "CommandName": [ "Get-AzSentinelDataConnector" ], - "FullCommandName": [ "Get-AzSentinelDataConnector_Get" ], - "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], - "Authorization": [ "[Filtered]" ] - }, - "ContentHeaders": { - } - }, - "Response": { - "StatusCode": 200, - "Headers": { - "Cache-Control": [ "no-cache" ], - "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-resource-requests": [ "494" ], - "x-ms-request-id": [ "00d47fec-80f2-40a3-a54f-149cf314433d" ], - "x-ms-correlation-request-id": [ "00d47fec-80f2-40a3-a54f-149cf314433d" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160853Z:00d47fec-80f2-40a3-a54f-149cf314433d" ], - "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], - "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:08:53 GMT" ] - }, - "ContentHeaders": { - "Content-Length": [ "578" ], - "Content-Type": [ "application/json; charset=utf-8" ], - "Expires": [ "-1" ] - }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/dataConnectors/6d021fce-8f39-437c-9fb4-fc0a3794402d\",\"name\":\"6d021fce-8f39-437c-9fb4-fc0a3794402d\",\"etag\":\"1d40953b-36aa-4fcb-8258-e3a0d8ea6268\",\"type\":\"Microsoft.SecurityInsights/dataConnectors\",\"kind\":\"Office365\",\"properties\":{\"dataTypes\":{\"sharePoint\":{\"state\":\"enabled\"},\"exchange\":{\"state\":\"enabled\"},\"teams\":{\"state\":\"disabled\"}},\"tenantId\":\"d6eebbdd-d77c-465e-b008-4339027b4006\"}}", - "isContentBase64": false - } - }, - "Update-AzSentinelDataConnector+[NoContext]+UpdateViaIdentityExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/dataConnectors/6d021fce-8f39-437c-9fb4-fc0a3794402d?api-version=2021-09-01-preview+2": { - "Request": { - "Method": "PUT", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/dataConnectors/6d021fce-8f39-437c-9fb4-fc0a3794402d?api-version=2021-09-01-preview", - "Content": "{\n \"etag\": \"1d40953b-36aa-4fcb-8258-e3a0d8ea6268\",\n \"kind\": \"Office365\",\n \"properties\": {\n \"tenantId\": \"d6eebbdd-d77c-465e-b008-4339027b4006\",\n \"dataTypes\": {\n \"exchange\": {\n \"state\": \"enabled\"\n },\n \"sharePoint\": {\n \"state\": \"enabled\"\n },\n \"teams\": {\n \"state\": \"Enabled\"\n }\n }\n }\n}", - "isContentBase64": false, - "Headers": { - }, - "ContentHeaders": { - "Content-Type": [ "application/json" ], - "Content-Length": [ "345" ] - } - }, - "Response": { - "StatusCode": 200, - "Headers": { - "Cache-Control": [ "no-cache" ], - "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-resource-requests": [ "495" ], - "x-ms-request-id": [ "bc7709c7-50eb-45be-a607-9c1dc492943e" ], - "x-ms-correlation-request-id": [ "bc7709c7-50eb-45be-a607-9c1dc492943e" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160856Z:bc7709c7-50eb-45be-a607-9c1dc492943e" ], - "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], - "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:08:56 GMT" ] - }, - "ContentHeaders": { - "Content-Length": [ "577" ], - "Content-Type": [ "application/json; charset=utf-8" ], - "Expires": [ "-1" ] - }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/dataConnectors/6d021fce-8f39-437c-9fb4-fc0a3794402d\",\"name\":\"6d021fce-8f39-437c-9fb4-fc0a3794402d\",\"etag\":\"cecb2be5-2866-4148-950d-3a35265b195f\",\"type\":\"Microsoft.SecurityInsights/dataConnectors\",\"kind\":\"Office365\",\"properties\":{\"dataTypes\":{\"sharePoint\":{\"state\":\"enabled\"},\"exchange\":{\"state\":\"enabled\"},\"teams\":{\"state\":\"enabled\"}},\"tenantId\":\"d6eebbdd-d77c-465e-b008-4339027b4006\"}}", - "isContentBase64": false - } - } -} \ No newline at end of file diff --git a/src/SecurityInsights/SecurityInsights.Autorest/test/Update-AzSentinelEntityQuery.Recording.json b/src/SecurityInsights/SecurityInsights.Autorest/test/Update-AzSentinelEntityQuery.Recording.json deleted file mode 100644 index bb994da53c1b..000000000000 --- a/src/SecurityInsights/SecurityInsights.Autorest/test/Update-AzSentinelEntityQuery.Recording.json +++ /dev/null @@ -1,115 +0,0 @@ -{ - "Update-AzSentinelEntityQuery+[NoContext]+UpdateExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/105c6ccb-e733-4602-ad28-20c44e2cf4ae?api-version=2021-09-01-preview+1": { - "Request": { - "Method": "PUT", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/105c6ccb-e733-4602-ad28-20c44e2cf4ae?api-version=2021-09-01-preview", - "Content": "{\n \"etag\": \"\\\"0c006a0f-0000-0100-0000-62fbbe440000\\\"\",\n \"kind\": \"Activity\",\n \"properties\": {\n \"queryDefinitions\": {\n \"query\": \"let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)\\n// parsing for Host to handle variety of conventions coming from data\\n| extend Host_HostName = case(\\nComputer has \\u0027@\\u0027, tostring(split(Computer, \\u0027@\\u0027)[0]),\\nComputer has \\u0027\\\\\\\\\\u0027, tostring(split(Computer, \\u0027\\\\\\\\\\u0027)[1]),\\nComputer has \\u0027.\\u0027, tostring(split(Computer, \\u0027.\\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \\u0027\\\\\\\\\\u0027, tostring(split(Computer, \\u0027\\\\\\\\\\u0027)[0]), \\nComputer has \\u0027.\\u0027, tostring(split(Computer, \\u0027.\\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \\u0027\\\\\\\\\\u0027, tostring(split(Computer, \\u0027\\\\\\\\\\u0027)[0]), \\nComputer has \\u0027.\\u0027, strcat_array(array_slice(split(Computer,\\u0027.\\u0027),-2,-1),\\u0027.\\u0027), \\nComputer\\n)\\n| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \\nor (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \\nor v_Host_AzureID =~ _ResourceId \\nor v_Host_OMSAgentID == SourceComputerId\\n| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid};\\nGetAccountActions(\\u0027{{Host_HostName}}\\u0027, \\u0027{{Host_NTDomain}}\\u0027, \\u0027{{Host_DnsDomain}}\\u0027, \\u0027{{Host_AzureID}}\\u0027, \\u0027{{Host_OMSAgentID}}\\u0027)\\n \\n| where EventID == 4726 \"\n },\n \"title\": \"UpdateEntityQueryPSTest\",\n \"content\": \"On \\u0027{{Computer}}\\u0027 the account \\u0027{{TargetAccount}}\\u0027 was deleted by \",\n \"description\": \"Account deleted on host\",\n \"inputEntityType\": \"Host\",\n \"requiredInputFieldsSets\": [\n [ \"Host_HostName\", \"Host_NTDomain\" ],\n [ \"Host_HostName\", \"Host_DnsDomain\" ],\n [ \"Host_AzureID\" ],\n [ \"Host_OMSAgentID\" ]\n ],\n \"enabled\": true\n }\n}", - "isContentBase64": false, - "Headers": { - }, - "ContentHeaders": { - "Content-Type": [ "application/json" ], - "Content-Length": [ "2162" ] - } - }, - "Response": { - "StatusCode": 200, - "Headers": { - "Cache-Control": [ "no-cache" ], - "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-writes": [ "1187" ], - "x-ms-request-id": [ "30d8182a-90f6-4622-8f9a-665e3825b8b9" ], - "x-ms-correlation-request-id": [ "30d8182a-90f6-4622-8f9a-665e3825b8b9" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160900Z:30d8182a-90f6-4622-8f9a-665e3825b8b9" ], - "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], - "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:09:00 GMT" ] - }, - "ContentHeaders": { - "Content-Length": [ "2287" ], - "Content-Type": [ "application/json; charset=utf-8" ], - "Expires": [ "-1" ] - }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/105c6ccb-e733-4602-ad28-20c44e2cf4ae\",\"name\":\"105c6ccb-e733-4602-ad28-20c44e2cf4ae\",\"etag\":\"\\\"0c00d913-0000-0100-0000-62fbc11c0000\\\"\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Activity\",\"properties\":{\"title\":\"UpdateEntityQueryPSTest\",\"content\":\"On \u0027{{Computer}}\u0027 the account \u0027{{TargetAccount}}\u0027 was deleted by \",\"description\":\"Account deleted on host\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)\\n// parsing for Host to handle variety of conventions coming from data\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \\nor (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \\nor v_Host_AzureID =~ _ResourceId \\nor v_Host_OMSAgentID == SourceComputerId\\n| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid};\\nGetAccountActions(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027)\\n \\n| where EventID == 4726 \"},\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{},\"enabled\":true,\"createdTimeUtc\":\"2022-08-16T15:56:52.6157717Z\",\"lastModifiedTimeUtc\":\"2022-08-16T16:09:00.3224499Z\",\"inputEntityType\":\"Host\"}}", - "isContentBase64": false - } - }, - "Update-AzSentinelEntityQuery+[NoContext]+UpdateViaIdentityExpanded+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/023cc70e-538f-416e-af6e-ec0833b69894?api-version=2021-09-01-preview+1": { - "Request": { - "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/023cc70e-538f-416e-af6e-ec0833b69894?api-version=2021-09-01-preview", - "Content": null, - "isContentBase64": false, - "Headers": { - "x-ms-unique-id": [ "311" ], - "x-ms-client-request-id": [ "93fd97ca-6b9b-4e41-9898-f234be1f46e9" ], - "CommandName": [ "Get-AzSentinelEntityQuery" ], - "FullCommandName": [ "Get-AzSentinelEntityQuery_Get" ], - "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], - "Authorization": [ "[Filtered]" ] - }, - "ContentHeaders": { - } - }, - "Response": { - "StatusCode": 200, - "Headers": { - "Cache-Control": [ "no-cache" ], - "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11930" ], - "x-ms-request-id": [ "6fc14431-ca00-406a-853a-d24777fd1429" ], - "x-ms-correlation-request-id": [ "6fc14431-ca00-406a-853a-d24777fd1429" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160900Z:6fc14431-ca00-406a-853a-d24777fd1429" ], - "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], - "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:09:00 GMT" ] - }, - "ContentHeaders": { - "Content-Length": [ "2326" ], - "Content-Type": [ "application/json; charset=utf-8" ], - "Expires": [ "-1" ] - }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/023cc70e-538f-416e-af6e-ec0833b69894\",\"name\":\"023cc70e-538f-416e-af6e-ec0833b69894\",\"etag\":\"\\\"0c008f0f-0000-0100-0000-62fbbe630000\\\"\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was deleted on this host\",\"content\":\"On \u0027{{Computer}}\u0027 the account \u0027{{TargetAccount}}\u0027 was deleted by \",\"description\":\"Account deleted on host\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)\\n// parsing for Host to handle variety of conventions coming from data\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \\nor (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \\nor v_Host_AzureID =~ _ResourceId \\nor v_Host_OMSAgentID == SourceComputerId\\n| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid};\\nGetAccountActions(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027)\\n \\n| where EventID == 4726 \"},\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]},\"enabled\":true,\"createdTimeUtc\":\"2022-08-16T15:57:23.7657228Z\",\"lastModifiedTimeUtc\":\"2022-08-16T15:57:23.7657228Z\",\"inputEntityType\":\"Host\"}}", - "isContentBase64": false - } - }, - "Update-AzSentinelEntityQuery+[NoContext]+UpdateViaIdentityExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/023cc70e-538f-416e-af6e-ec0833b69894?api-version=2021-09-01-preview+2": { - "Request": { - "Method": "PUT", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/023cc70e-538f-416e-af6e-ec0833b69894?api-version=2021-09-01-preview", - "Content": "{\n \"etag\": \"\\\"0c008f0f-0000-0100-0000-62fbbe630000\\\"\",\n \"kind\": \"Activity\",\n \"properties\": {\n \"queryDefinitions\": {\n \"query\": \"let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)\\n// parsing for Host to handle variety of conventions coming from data\\n| extend Host_HostName = case(\\nComputer has \\u0027@\\u0027, tostring(split(Computer, \\u0027@\\u0027)[0]),\\nComputer has \\u0027\\\\\\\\\\u0027, tostring(split(Computer, \\u0027\\\\\\\\\\u0027)[1]),\\nComputer has \\u0027.\\u0027, tostring(split(Computer, \\u0027.\\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \\u0027\\\\\\\\\\u0027, tostring(split(Computer, \\u0027\\\\\\\\\\u0027)[0]), \\nComputer has \\u0027.\\u0027, tostring(split(Computer, \\u0027.\\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \\u0027\\\\\\\\\\u0027, tostring(split(Computer, \\u0027\\\\\\\\\\u0027)[0]), \\nComputer has \\u0027.\\u0027, strcat_array(array_slice(split(Computer,\\u0027.\\u0027),-2,-1),\\u0027.\\u0027), \\nComputer\\n)\\n| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \\nor (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \\nor v_Host_AzureID =~ _ResourceId \\nor v_Host_OMSAgentID == SourceComputerId\\n| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid};\\nGetAccountActions(\\u0027{{Host_HostName}}\\u0027, \\u0027{{Host_NTDomain}}\\u0027, \\u0027{{Host_DnsDomain}}\\u0027, \\u0027{{Host_AzureID}}\\u0027, \\u0027{{Host_OMSAgentID}}\\u0027)\\n \\n| where EventID == 4726 \"\n },\n \"title\": \"UpdateEntityQueryPSTest\",\n \"content\": \"On \\u0027{{Computer}}\\u0027 the account \\u0027{{TargetAccount}}\\u0027 was deleted by \",\n \"description\": \"Account deleted on host\",\n \"inputEntityType\": \"Host\",\n \"requiredInputFieldsSets\": [\n [ \"Host_HostName\", \"Host_NTDomain\" ],\n [ \"Host_HostName\", \"Host_DnsDomain\" ],\n [ \"Host_AzureID\" ],\n [ \"Host_OMSAgentID\" ]\n ],\n \"enabled\": true\n }\n}", - "isContentBase64": false, - "Headers": { - }, - "ContentHeaders": { - "Content-Type": [ "application/json" ], - "Content-Length": [ "2162" ] - } - }, - "Response": { - "StatusCode": 200, - "Headers": { - "Cache-Control": [ "no-cache" ], - "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-writes": [ "1186" ], - "x-ms-request-id": [ "012499d2-6a05-4f48-ad75-54b6a68dd803" ], - "x-ms-correlation-request-id": [ "012499d2-6a05-4f48-ad75-54b6a68dd803" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160902Z:012499d2-6a05-4f48-ad75-54b6a68dd803" ], - "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], - "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:09:01 GMT" ] - }, - "ContentHeaders": { - "Content-Length": [ "2286" ], - "Content-Type": [ "application/json; charset=utf-8" ], - "Expires": [ "-1" ] - }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/023cc70e-538f-416e-af6e-ec0833b69894\",\"name\":\"023cc70e-538f-416e-af6e-ec0833b69894\",\"etag\":\"\\\"0c00db13-0000-0100-0000-62fbc11e0000\\\"\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Activity\",\"properties\":{\"title\":\"UpdateEntityQueryPSTest\",\"content\":\"On \u0027{{Computer}}\u0027 the account \u0027{{TargetAccount}}\u0027 was deleted by \",\"description\":\"Account deleted on host\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)\\n// parsing for Host to handle variety of conventions coming from data\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \\nor (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \\nor v_Host_AzureID =~ _ResourceId \\nor v_Host_OMSAgentID == SourceComputerId\\n| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid};\\nGetAccountActions(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027)\\n \\n| where EventID == 4726 \"},\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{},\"enabled\":true,\"createdTimeUtc\":\"2022-08-16T15:57:23.7657228Z\",\"lastModifiedTimeUtc\":\"2022-08-16T16:09:02.033204Z\",\"inputEntityType\":\"Host\"}}", - "isContentBase64": false - } - } -} \ No newline at end of file diff --git a/src/SecurityInsights/SecurityInsights.Autorest/test/Update-AzSentinelIncident.Recording.json b/src/SecurityInsights/SecurityInsights.Autorest/test/Update-AzSentinelIncident.Recording.json index 9a8177b2f55f..d906fd7b4224 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/test/Update-AzSentinelIncident.Recording.json +++ b/src/SecurityInsights/SecurityInsights.Autorest/test/Update-AzSentinelIncident.Recording.json @@ -1,17 +1,17 @@ { - "Update-AzSentinelIncident+[NoContext]+UpdateExpanded+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/905e7dec-fd14-42df-9ed5-c4df09445158?api-version=2021-09-01-preview+1": { + "Update-AzSentinelIncident+[NoContext]+UpdateExpanded+$GET+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/incidents/0bb93d60-a942-42f4-a8de-41d4b42cfd18?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/905e7dec-fd14-42df-9ed5-c4df09445158?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/incidents/0bb93d60-a942-42f4-a8de-41d4b42cfd18?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "314" ], - "x-ms-client-request-id": [ "f0c5dc37-8cb6-4f5e-bc0b-30b90442f3dd" ], + "x-ms-unique-id": [ "151" ], + "x-ms-client-request-id": [ "5d9fbcf0-7065-4fab-bc0b-b365662b36ae" ], "CommandName": [ "Get-AzSentinelIncident" ], "FullCommandName": [ "Get-AzSentinelIncident_Get" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], + "User-Agent": [ "AzurePowershell/v15.4.0", "PSVersion/v7.6.0", "Az.SecurityInsights/3.2.1" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { @@ -22,35 +22,84 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11928" ], - "x-ms-request-id": [ "edad1ccd-5052-46e5-933d-1831da0c9b6e" ], - "x-ms-correlation-request-id": [ "edad1ccd-5052-46e5-933d-1831da0c9b6e" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160902Z:edad1ccd-5052-46e5-933d-1831da0c9b6e" ], + "Vary": [ "Accept-Encoding" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "1099" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/cbd4ef1c-acf2-49f7-8683-01a23103fb58" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-ratelimit-remaining-subscription-global-reads": [ "16499" ], + "x-ms-request-id": [ "95212cc5-5a7c-429f-8460-00995597bd4e" ], + "x-ms-correlation-request-id": [ "95212cc5-5a7c-429f-8460-00995597bd4e" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074638Z:95212cc5-5a7c-429f-8460-00995597bd4e" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:09:02 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: 22F2E06F2F7B4B118CE8D8D9DA0C9892 Ref B: AMS231020512027 Ref C: 2026-03-25T07:46:38Z" ], + "Date": [ "Wed, 25 Mar 2026 07:46:37 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "1206" ], + "Content-Length": [ "1208" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/0bb93d60-a942-42f4-a8de-41d4b42cfd18\",\"name\":\"0bb93d60-a942-42f4-a8de-41d4b42cfd18\",\"etag\":\"\\\"2f00422b-0000-0100-0000-69c38f110000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2026-03-25T07:30:25.6894808Z\",\"createdTimeUtc\":\"2026-03-25T07:30:25.6894808Z\",\"incidentNumber\":10,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/0bb93d60-a942-42f4-a8de-41d4b42cfd18\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"10\"}}", + "isContentBase64": false + } + }, + "Update-AzSentinelIncident+[NoContext]+UpdateExpanded+$GET+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/incidents/0bb93d60-a942-42f4-a8de-41d4b42cfd18?api-version=2021-09-01-preview+2": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/incidents/0bb93d60-a942-42f4-a8de-41d4b42cfd18?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "152" ], + "x-ms-client-request-id": [ "0324cfc5-f977-4d82-b5fa-f5a396bbaee3" ], + "CommandName": [ "Update-AzSentinelIncident" ], + "FullCommandName": [ "Update-AzSentinelIncident_UpdateExpanded" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/v15.4.0", "PSVersion/v7.6.0", "Az.SecurityInsights/3.2.1" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Vary": [ "Accept-Encoding" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "1099" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/7710dd80-68fd-4215-b411-5e55f75f2111" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-ratelimit-remaining-subscription-global-reads": [ "16499" ], + "x-ms-request-id": [ "ef2b05a6-0e3c-4e6a-b38c-2ac277d28460" ], + "x-ms-correlation-request-id": [ "ef2b05a6-0e3c-4e6a-b38c-2ac277d28460" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074638Z:ef2b05a6-0e3c-4e6a-b38c-2ac277d28460" ], + "X-Content-Type-Options": [ "nosniff" ], + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: 95F5AE6C6BA64DD6BD4554B89BA01091 Ref B: AMS231020512027 Ref C: 2026-03-25T07:46:38Z" ], + "Date": [ "Wed, 25 Mar 2026 07:46:38 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "1208" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/905e7dec-fd14-42df-9ed5-c4df09445158\",\"name\":\"905e7dec-fd14-42df-9ed5-c4df09445158\",\"etag\":\"\\\"4a005e51-0000-0100-0000-62fbbee00000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-08-16T15:59:28.733771Z\",\"createdTimeUtc\":\"2022-08-16T15:59:28.733771Z\",\"incidentNumber\":10,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/905e7dec-fd14-42df-9ed5-c4df09445158\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"10\"}}", + "Content": "{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/0bb93d60-a942-42f4-a8de-41d4b42cfd18\",\"name\":\"0bb93d60-a942-42f4-a8de-41d4b42cfd18\",\"etag\":\"\\\"2f00422b-0000-0100-0000-69c38f110000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2026-03-25T07:30:25.6894808Z\",\"createdTimeUtc\":\"2026-03-25T07:30:25.6894808Z\",\"incidentNumber\":10,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/0bb93d60-a942-42f4-a8de-41d4b42cfd18\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"10\"}}", "isContentBase64": false } }, - "Update-AzSentinelIncident+[NoContext]+UpdateExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/905e7dec-fd14-42df-9ed5-c4df09445158?api-version=2021-09-01-preview+2": { + "Update-AzSentinelIncident+[NoContext]+UpdateExpanded+$PUT+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/incidents/0bb93d60-a942-42f4-a8de-41d4b42cfd18?api-version=2021-09-01-preview+3": { "Request": { "Method": "PUT", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/905e7dec-fd14-42df-9ed5-c4df09445158?api-version=2021-09-01-preview", - "Content": "{\n \"properties\": {\n \"severity\": \"Informational\",\n \"status\": \"Active\",\n \"title\": \"IncidentTest\"\n }\n}", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/incidents/0bb93d60-a942-42f4-a8de-41d4b42cfd18?api-version=2021-09-01-preview", + "Content": "{\r\n \"etag\": \"\\\"2f00422b-0000-0100-0000-69c38f110000\\\"\",\r\n \"properties\": {\r\n \"labels\": [ ],\r\n \"providerName\": \"Azure Sentinel\",\r\n \"providerIncidentId\": \"10\",\r\n \"severity\": \"Informational\",\r\n \"status\": \"Active\",\r\n \"title\": \"IncidentTest\"\r\n }\r\n}", "isContentBase64": false, "Headers": { }, "ContentHeaders": { "Content-Type": [ "application/json" ], - "Content-Length": [ "110" ] + "Content-Length": [ "263" ] } }, "Response": { @@ -58,37 +107,85 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-resource-requests": [ "492" ], - "x-ms-request-id": [ "4aad4a00-f361-49e5-b5e9-e0d2766f246b" ], - "x-ms-correlation-request-id": [ "4aad4a00-f361-49e5-b5e9-e0d2766f246b" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160902Z:4aad4a00-f361-49e5-b5e9-e0d2766f246b" ], + "Vary": [ "Accept-Encoding" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "799" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/f9e748a7-fc7e-430f-83f0-fef361507f8a" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-request-id": [ "8659be7f-2629-4a08-866c-861c47cd842c" ], + "x-ms-correlation-request-id": [ "8659be7f-2629-4a08-866c-861c47cd842c" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074639Z:8659be7f-2629-4a08-866c-861c47cd842c" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:09:02 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: 09B1A70C10944040B3F96290F913A784 Ref B: AMS231020512027 Ref C: 2026-03-25T07:46:39Z" ], + "Date": [ "Wed, 25 Mar 2026 07:46:38 GMT" ] }, "ContentHeaders": { "Content-Length": [ "1210" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/905e7dec-fd14-42df-9ed5-c4df09445158\",\"name\":\"905e7dec-fd14-42df-9ed5-c4df09445158\",\"etag\":\"\\\"4a00cb52-0000-0100-0000-62fbc11e0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"Active\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-08-16T16:09:02.9008773Z\",\"createdTimeUtc\":\"2022-08-16T15:59:28.733771Z\",\"incidentNumber\":10,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/905e7dec-fd14-42df-9ed5-c4df09445158\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"10\"}}", + "Content": "{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/0bb93d60-a942-42f4-a8de-41d4b42cfd18\",\"name\":\"0bb93d60-a942-42f4-a8de-41d4b42cfd18\",\"etag\":\"\\\"2f004fa5-0000-0100-0000-69c392df0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"Active\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2026-03-25T07:46:39.439621Z\",\"createdTimeUtc\":\"2026-03-25T07:30:25.6894808Z\",\"incidentNumber\":10,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/0bb93d60-a942-42f4-a8de-41d4b42cfd18\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"10\"}}", "isContentBase64": false } }, - "Update-AzSentinelIncident+[NoContext]+UpdateViaIdentityExpanded+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/c259dc23-cd2e-4b7f-bd9d-286e7cae6366?api-version=2021-09-01-preview+1": { + "Update-AzSentinelIncident+[NoContext]+UpdateViaIdentityExpanded+$GET+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/incidents/2846cf2f-82ea-43f6-84bd-efb4d3a9d16c?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/c259dc23-cd2e-4b7f-bd9d-286e7cae6366?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/incidents/2846cf2f-82ea-43f6-84bd-efb4d3a9d16c?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "316" ], - "x-ms-client-request-id": [ "3d11769c-3ade-488b-8584-a64fbaea1912" ], + "x-ms-unique-id": [ "154" ], + "x-ms-client-request-id": [ "91ba6e9d-024e-4a5a-adc2-3fa17545814b" ], "CommandName": [ "Get-AzSentinelIncident" ], "FullCommandName": [ "Get-AzSentinelIncident_Get" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], + "User-Agent": [ "AzurePowershell/v15.4.0", "PSVersion/v7.6.0", "Az.SecurityInsights/3.2.1" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Vary": [ "Accept-Encoding" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "1098" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/a3001109-5568-4e92-ba51-08d61ec39b32" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-ratelimit-remaining-subscription-global-reads": [ "16498" ], + "x-ms-request-id": [ "82fd37c2-93f3-43ea-8347-10a1d60bad5f" ], + "x-ms-correlation-request-id": [ "82fd37c2-93f3-43ea-8347-10a1d60bad5f" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074640Z:82fd37c2-93f3-43ea-8347-10a1d60bad5f" ], + "X-Content-Type-Options": [ "nosniff" ], + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: D24EC1E2715843E48D1C3C47410411EA Ref B: AMS231020512027 Ref C: 2026-03-25T07:46:39Z" ], + "Date": [ "Wed, 25 Mar 2026 07:46:39 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "1208" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/2846cf2f-82ea-43f6-84bd-efb4d3a9d16c\",\"name\":\"2846cf2f-82ea-43f6-84bd-efb4d3a9d16c\",\"etag\":\"\\\"2f00682c-0000-0100-0000-69c38f1a0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2026-03-25T07:30:34.4799593Z\",\"createdTimeUtc\":\"2026-03-25T07:30:34.4799593Z\",\"incidentNumber\":11,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/2846cf2f-82ea-43f6-84bd-efb4d3a9d16c\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"11\"}}", + "isContentBase64": false + } + }, + "Update-AzSentinelIncident+[NoContext]+UpdateViaIdentityExpanded+$GET+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/incidents/2846cf2f-82ea-43f6-84bd-efb4d3a9d16c?api-version=2021-09-01-preview+2": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/incidents/2846cf2f-82ea-43f6-84bd-efb4d3a9d16c?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "155" ], + "x-ms-client-request-id": [ "9349390f-6f80-4640-81bc-f9b6a3179701" ], + "CommandName": [ "Update-AzSentinelIncident" ], + "FullCommandName": [ "Update-AzSentinelIncident_UpdateViaIdentityExpanded" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/v15.4.0", "PSVersion/v7.6.0", "Az.SecurityInsights/3.2.1" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { @@ -99,35 +196,39 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11927" ], - "x-ms-request-id": [ "b9e86a33-7c0b-464e-9d5c-c07aacdf7a27" ], - "x-ms-correlation-request-id": [ "b9e86a33-7c0b-464e-9d5c-c07aacdf7a27" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160903Z:b9e86a33-7c0b-464e-9d5c-c07aacdf7a27" ], + "Vary": [ "Accept-Encoding" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "1099" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/71b36890-5d20-4707-b2aa-d1f0cf9f6027" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-ratelimit-remaining-subscription-global-reads": [ "16499" ], + "x-ms-request-id": [ "682b49f9-cb3e-49ac-a359-7f005d0c77c2" ], + "x-ms-correlation-request-id": [ "682b49f9-cb3e-49ac-a359-7f005d0c77c2" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074640Z:682b49f9-cb3e-49ac-a359-7f005d0c77c2" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:09:02 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: 6CCC40F7B842491DA179DE72EADFADC2 Ref B: AMS231020512027 Ref C: 2026-03-25T07:46:40Z" ], + "Date": [ "Wed, 25 Mar 2026 07:46:39 GMT" ] }, "ContentHeaders": { "Content-Length": [ "1208" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/c259dc23-cd2e-4b7f-bd9d-286e7cae6366\",\"name\":\"c259dc23-cd2e-4b7f-bd9d-286e7cae6366\",\"etag\":\"\\\"4a007051-0000-0100-0000-62fbbf000000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-08-16T16:00:00.5994057Z\",\"createdTimeUtc\":\"2022-08-16T16:00:00.5994057Z\",\"incidentNumber\":11,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/c259dc23-cd2e-4b7f-bd9d-286e7cae6366\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"11\"}}", + "Content": "{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/2846cf2f-82ea-43f6-84bd-efb4d3a9d16c\",\"name\":\"2846cf2f-82ea-43f6-84bd-efb4d3a9d16c\",\"etag\":\"\\\"2f00682c-0000-0100-0000-69c38f1a0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2026-03-25T07:30:34.4799593Z\",\"createdTimeUtc\":\"2026-03-25T07:30:34.4799593Z\",\"incidentNumber\":11,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/2846cf2f-82ea-43f6-84bd-efb4d3a9d16c\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"11\"}}", "isContentBase64": false } }, - "Update-AzSentinelIncident+[NoContext]+UpdateViaIdentityExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/c259dc23-cd2e-4b7f-bd9d-286e7cae6366?api-version=2021-09-01-preview+2": { + "Update-AzSentinelIncident+[NoContext]+UpdateViaIdentityExpanded+$PUT+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/incidents/2846cf2f-82ea-43f6-84bd-efb4d3a9d16c?api-version=2021-09-01-preview+3": { "Request": { "Method": "PUT", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/c259dc23-cd2e-4b7f-bd9d-286e7cae6366?api-version=2021-09-01-preview", - "Content": "{\n \"properties\": {\n \"severity\": \"Informational\",\n \"status\": \"Active\",\n \"title\": \"IncidentTest\"\n }\n}", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/incidents/2846cf2f-82ea-43f6-84bd-efb4d3a9d16c?api-version=2021-09-01-preview", + "Content": "{\r\n \"etag\": \"\\\"2f00682c-0000-0100-0000-69c38f1a0000\\\"\",\r\n \"properties\": {\r\n \"labels\": [ ],\r\n \"providerName\": \"Azure Sentinel\",\r\n \"providerIncidentId\": \"11\",\r\n \"severity\": \"Informational\",\r\n \"status\": \"Active\",\r\n \"title\": \"IncidentTest\"\r\n }\r\n}", "isContentBase64": false, "Headers": { }, "ContentHeaders": { "Content-Type": [ "application/json" ], - "Content-Length": [ "110" ] + "Content-Length": [ "263" ] } }, "Response": { @@ -135,21 +236,24 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-resource-requests": [ "491" ], - "x-ms-request-id": [ "b9b1ff32-ee81-4645-ac03-25f058841ab9" ], - "x-ms-correlation-request-id": [ "b9b1ff32-ee81-4645-ac03-25f058841ab9" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160903Z:b9b1ff32-ee81-4645-ac03-25f058841ab9" ], + "Vary": [ "Accept-Encoding" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "799" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/0a7fa5a3-5503-409f-8470-3d67c550a78a" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-request-id": [ "86f4d817-5670-433b-85ec-fd78fad1acff" ], + "x-ms-correlation-request-id": [ "86f4d817-5670-433b-85ec-fd78fad1acff" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074640Z:86f4d817-5670-433b-85ec-fd78fad1acff" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:09:03 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: 5BA25D048D8B4EA1B9224E6EBD6CBC7F Ref B: AMS231020512027 Ref C: 2026-03-25T07:46:40Z" ], + "Date": [ "Wed, 25 Mar 2026 07:46:40 GMT" ] }, "ContentHeaders": { "Content-Length": [ "1211" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/c259dc23-cd2e-4b7f-bd9d-286e7cae6366\",\"name\":\"c259dc23-cd2e-4b7f-bd9d-286e7cae6366\",\"etag\":\"\\\"4a00ce52-0000-0100-0000-62fbc11f0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"Active\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-08-16T16:09:03.3227334Z\",\"createdTimeUtc\":\"2022-08-16T16:00:00.5994057Z\",\"incidentNumber\":11,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/c259dc23-cd2e-4b7f-bd9d-286e7cae6366\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"11\"}}", + "Content": "{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/2846cf2f-82ea-43f6-84bd-efb4d3a9d16c\",\"name\":\"2846cf2f-82ea-43f6-84bd-efb4d3a9d16c\",\"etag\":\"\\\"2f0084a5-0000-0100-0000-69c392e00000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"Active\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2026-03-25T07:46:40.8474216Z\",\"createdTimeUtc\":\"2026-03-25T07:30:34.4799593Z\",\"incidentNumber\":11,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/2846cf2f-82ea-43f6-84bd-efb4d3a9d16c\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"11\"}}", "isContentBase64": false } } diff --git a/src/SecurityInsights/SecurityInsights.Autorest/test/Update-AzSentinelIncidentComment.Recording.json b/src/SecurityInsights/SecurityInsights.Autorest/test/Update-AzSentinelIncidentComment.Recording.json index 4c3916bbba17..de88dc40dc77 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/test/Update-AzSentinelIncidentComment.Recording.json +++ b/src/SecurityInsights/SecurityInsights.Autorest/test/Update-AzSentinelIncidentComment.Recording.json @@ -1,15 +1,59 @@ { - "Update-AzSentinelIncidentComment+[NoContext]+UpdateExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/71e8df01-919c-45c1-b526-bc145e411eee/comments/7d4f4a64-ca42-4ab7-8385-f9c2b4d63434?api-version=2021-09-01-preview+1": { + "Update-AzSentinelIncidentComment+[NoContext]+UpdateExpanded+$GET+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/incidents/9d4e3d1a-e085-4ffc-a5b0-3609e308432d/comments/913a14cc-cdea-47c1-b706-550befa5853d?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/incidents/9d4e3d1a-e085-4ffc-a5b0-3609e308432d/comments/913a14cc-cdea-47c1-b706-550befa5853d?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "157" ], + "x-ms-client-request-id": [ "81c08397-89e1-4af0-98cb-bd5345a47889" ], + "CommandName": [ "Update-AzSentinelIncidentComment" ], + "FullCommandName": [ "Update-AzSentinelIncidentComment_UpdateExpanded" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/v15.4.0", "PSVersion/v7.6.0", "Az.SecurityInsights/3.2.1" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Vary": [ "Accept-Encoding" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "1099" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/d37aab1e-ae2d-43e3-a005-cdf9250f2084" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-request-id": [ "258bcd92-1fb2-4f54-b195-48f634d11868" ], + "x-ms-correlation-request-id": [ "258bcd92-1fb2-4f54-b195-48f634d11868" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074642Z:258bcd92-1fb2-4f54-b195-48f634d11868" ], + "X-Content-Type-Options": [ "nosniff" ], + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: B7CF09346F70403F9864ED05C4850E3A Ref B: AMS231020512027 Ref C: 2026-03-25T07:46:41Z" ], + "Date": [ "Wed, 25 Mar 2026 07:46:41 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "755" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/9d4e3d1a-e085-4ffc-a5b0-3609e308432d/Comments/913a14cc-cdea-47c1-b706-550befa5853d\",\"name\":\"913a14cc-cdea-47c1-b706-550befa5853d\",\"etag\":\"\\\"2f006930-0000-0100-0000-69c38f3a0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents/Comments\",\"properties\":{\"message\":\"UpdateincidentCommentnxou8t\",\"createdTimeUtc\":\"2026-03-25T07:31:06.6505824Z\",\"lastModifiedTimeUtc\":\"2026-03-25T07:31:06.6505824Z\",\"author\":{\"objectId\":\"6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb\",\"email\":\"t-helezra@microsoft.com\",\"name\":\"Hadas Elezra\",\"userPrincipalName\":\"t-helezra@microsoft.com\"}}}", + "isContentBase64": false + } + }, + "Update-AzSentinelIncidentComment+[NoContext]+UpdateExpanded+$PUT+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/incidents/9d4e3d1a-e085-4ffc-a5b0-3609e308432d/comments/913a14cc-cdea-47c1-b706-550befa5853d?api-version=2021-09-01-preview+2": { "Request": { "Method": "PUT", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/71e8df01-919c-45c1-b526-bc145e411eee/comments/7d4f4a64-ca42-4ab7-8385-f9c2b4d63434?api-version=2021-09-01-preview", - "Content": "{\n \"properties\": {\n \"message\": \"UpdateIncidentCommentPSTest\"\n }\n}", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/incidents/9d4e3d1a-e085-4ffc-a5b0-3609e308432d/comments/913a14cc-cdea-47c1-b706-550befa5853d?api-version=2021-09-01-preview", + "Content": "{\r\n \"etag\": \"\\\"2f006930-0000-0100-0000-69c38f3a0000\\\"\",\r\n \"properties\": {\r\n \"message\": \"UpdateIncidentCommentPSTest\"\r\n }\r\n}", "isContentBase64": false, "Headers": { }, "ContentHeaders": { "Content-Type": [ "application/json" ], - "Content-Length": [ "70" ] + "Content-Length": [ "129" ] } }, "Response": { @@ -17,37 +61,84 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-resource-requests": [ "498" ], - "x-ms-request-id": [ "5a3e2c46-83b4-4873-9c41-2adf1bd8200b" ], - "x-ms-correlation-request-id": [ "5a3e2c46-83b4-4873-9c41-2adf1bd8200b" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160904Z:5a3e2c46-83b4-4873-9c41-2adf1bd8200b" ], + "Vary": [ "Accept-Encoding" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "799" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/ac0676be-9f3d-4755-b550-3abbca25147d" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-request-id": [ "2f5292bf-7931-4e80-8e87-aa6cc9c91f48" ], + "x-ms-correlation-request-id": [ "2f5292bf-7931-4e80-8e87-aa6cc9c91f48" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074642Z:2f5292bf-7931-4e80-8e87-aa6cc9c91f48" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:09:04 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: 04686CBA04FD491EB45222D2FBE7FCAF Ref B: AMS231020512027 Ref C: 2026-03-25T07:46:42Z" ], + "Date": [ "Wed, 25 Mar 2026 07:46:42 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "762" ], + "Content-Length": [ "755" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/71e8df01-919c-45c1-b526-bc145e411eee/Comments/7d4f4a64-ca42-4ab7-8385-f9c2b4d63434\",\"name\":\"7d4f4a64-ca42-4ab7-8385-f9c2b4d63434\",\"etag\":\"\\\"4a00cf52-0000-0100-0000-62fbc1200000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents/Comments\",\"properties\":{\"message\":\"UpdateIncidentCommentPSTest\",\"createdTimeUtc\":\"2022-08-16T16:02:15.7412299Z\",\"lastModifiedTimeUtc\":\"2022-08-16T16:09:04.6584476Z\",\"author\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"nicholas@zeronetworks.com\"}}}", + "Content": "{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/9d4e3d1a-e085-4ffc-a5b0-3609e308432d/Comments/913a14cc-cdea-47c1-b706-550befa5853d\",\"name\":\"913a14cc-cdea-47c1-b706-550befa5853d\",\"etag\":\"\\\"2f00afa5-0000-0100-0000-69c392e20000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents/Comments\",\"properties\":{\"message\":\"UpdateIncidentCommentPSTest\",\"createdTimeUtc\":\"2026-03-25T07:31:06.6505824Z\",\"lastModifiedTimeUtc\":\"2026-03-25T07:46:42.5117606Z\",\"author\":{\"objectId\":\"6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb\",\"email\":\"t-helezra@microsoft.com\",\"name\":\"Hadas Elezra\",\"userPrincipalName\":\"t-helezra@microsoft.com\"}}}", "isContentBase64": false } }, - "Update-AzSentinelIncidentComment+[NoContext]+UpdateViaIdentityExpanded+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/71e8df01-919c-45c1-b526-bc145e411eee/comments/7d4f4a64-ca42-4ab7-8385-f9c2b4d63434?api-version=2021-09-01-preview+1": { + "Update-AzSentinelIncidentComment+[NoContext]+UpdateViaIdentityExpanded+$GET+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/incidents/9d4e3d1a-e085-4ffc-a5b0-3609e308432d/comments/913a14cc-cdea-47c1-b706-550befa5853d?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/71e8df01-919c-45c1-b526-bc145e411eee/comments/7d4f4a64-ca42-4ab7-8385-f9c2b4d63434?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/incidents/9d4e3d1a-e085-4ffc-a5b0-3609e308432d/comments/913a14cc-cdea-47c1-b706-550befa5853d?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "319" ], - "x-ms-client-request-id": [ "03c94171-f512-4113-bc5d-0e7963c3ef42" ], + "x-ms-unique-id": [ "159" ], + "x-ms-client-request-id": [ "050a3b28-0541-449d-8600-81e6e0d21d14" ], "CommandName": [ "Get-AzSentinelIncidentComment" ], "FullCommandName": [ "Get-AzSentinelIncidentComment_Get" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], + "User-Agent": [ "AzurePowershell/v15.4.0", "PSVersion/v7.6.0", "Az.SecurityInsights/3.2.1" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Vary": [ "Accept-Encoding" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "1099" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/bf36c8fa-e75d-4540-bdf7-3848b4351c38" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-request-id": [ "818b6903-c010-4b28-8abb-205dc5242efe" ], + "x-ms-correlation-request-id": [ "818b6903-c010-4b28-8abb-205dc5242efe" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074643Z:818b6903-c010-4b28-8abb-205dc5242efe" ], + "X-Content-Type-Options": [ "nosniff" ], + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: E7ED03F2DD8A466C8F2FBD6BC8B6343A Ref B: AMS231020512027 Ref C: 2026-03-25T07:46:42Z" ], + "Date": [ "Wed, 25 Mar 2026 07:46:42 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "755" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/9d4e3d1a-e085-4ffc-a5b0-3609e308432d/Comments/913a14cc-cdea-47c1-b706-550befa5853d\",\"name\":\"913a14cc-cdea-47c1-b706-550befa5853d\",\"etag\":\"\\\"2f00afa5-0000-0100-0000-69c392e20000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents/Comments\",\"properties\":{\"message\":\"UpdateIncidentCommentPSTest\",\"createdTimeUtc\":\"2026-03-25T07:31:06.6505824Z\",\"lastModifiedTimeUtc\":\"2026-03-25T07:46:42.5117606Z\",\"author\":{\"objectId\":\"6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb\",\"email\":\"t-helezra@microsoft.com\",\"name\":\"Hadas Elezra\",\"userPrincipalName\":\"t-helezra@microsoft.com\"}}}", + "isContentBase64": false + } + }, + "Update-AzSentinelIncidentComment+[NoContext]+UpdateViaIdentityExpanded+$GET+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/incidents/9d4e3d1a-e085-4ffc-a5b0-3609e308432d/comments/913a14cc-cdea-47c1-b706-550befa5853d?api-version=2021-09-01-preview+2": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/incidents/9d4e3d1a-e085-4ffc-a5b0-3609e308432d/comments/913a14cc-cdea-47c1-b706-550befa5853d?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "160" ], + "x-ms-client-request-id": [ "50babb24-d8d6-44d6-b4f0-5d9a05c42eae" ], + "CommandName": [ "Update-AzSentinelIncidentComment" ], + "FullCommandName": [ "Update-AzSentinelIncidentComment_UpdateViaIdentityExpanded" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/v15.4.0", "PSVersion/v7.6.0", "Az.SecurityInsights/3.2.1" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { @@ -58,35 +149,38 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-resource-requests": [ "496" ], - "x-ms-request-id": [ "12b64c63-a857-4546-9af5-97cb7a33acfc" ], - "x-ms-correlation-request-id": [ "12b64c63-a857-4546-9af5-97cb7a33acfc" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160904Z:12b64c63-a857-4546-9af5-97cb7a33acfc" ], + "Vary": [ "Accept-Encoding" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "1099" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/66b86700-2f34-4d16-8c86-f646e48f5d15" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-request-id": [ "b15c3ea5-0622-4732-91ca-fcc3903ecf2a" ], + "x-ms-correlation-request-id": [ "b15c3ea5-0622-4732-91ca-fcc3903ecf2a" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074643Z:b15c3ea5-0622-4732-91ca-fcc3903ecf2a" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:09:04 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: D3180EE36CE14C48828602A2A9ACD74B Ref B: AMS231020512027 Ref C: 2026-03-25T07:46:43Z" ], + "Date": [ "Wed, 25 Mar 2026 07:46:42 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "762" ], + "Content-Length": [ "755" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/71e8df01-919c-45c1-b526-bc145e411eee/Comments/7d4f4a64-ca42-4ab7-8385-f9c2b4d63434\",\"name\":\"7d4f4a64-ca42-4ab7-8385-f9c2b4d63434\",\"etag\":\"\\\"4a00cf52-0000-0100-0000-62fbc1200000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents/Comments\",\"properties\":{\"message\":\"UpdateIncidentCommentPSTest\",\"createdTimeUtc\":\"2022-08-16T16:02:15.7412299Z\",\"lastModifiedTimeUtc\":\"2022-08-16T16:09:04.6584476Z\",\"author\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"nicholas@zeronetworks.com\"}}}", + "Content": "{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/9d4e3d1a-e085-4ffc-a5b0-3609e308432d/Comments/913a14cc-cdea-47c1-b706-550befa5853d\",\"name\":\"913a14cc-cdea-47c1-b706-550befa5853d\",\"etag\":\"\\\"2f00afa5-0000-0100-0000-69c392e20000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents/Comments\",\"properties\":{\"message\":\"UpdateIncidentCommentPSTest\",\"createdTimeUtc\":\"2026-03-25T07:31:06.6505824Z\",\"lastModifiedTimeUtc\":\"2026-03-25T07:46:42.5117606Z\",\"author\":{\"objectId\":\"6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb\",\"email\":\"t-helezra@microsoft.com\",\"name\":\"Hadas Elezra\",\"userPrincipalName\":\"t-helezra@microsoft.com\"}}}", "isContentBase64": false } }, - "Update-AzSentinelIncidentComment+[NoContext]+UpdateViaIdentityExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/71e8df01-919c-45c1-b526-bc145e411eee/comments/7d4f4a64-ca42-4ab7-8385-f9c2b4d63434?api-version=2021-09-01-preview+2": { + "Update-AzSentinelIncidentComment+[NoContext]+UpdateViaIdentityExpanded+$PUT+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/incidents/9d4e3d1a-e085-4ffc-a5b0-3609e308432d/comments/913a14cc-cdea-47c1-b706-550befa5853d?api-version=2021-09-01-preview+3": { "Request": { "Method": "PUT", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/71e8df01-919c-45c1-b526-bc145e411eee/comments/7d4f4a64-ca42-4ab7-8385-f9c2b4d63434?api-version=2021-09-01-preview", - "Content": "{\n \"properties\": {\n \"message\": \"UpdateIncidentCommentPSTest\"\n }\n}", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/incidents/9d4e3d1a-e085-4ffc-a5b0-3609e308432d/comments/913a14cc-cdea-47c1-b706-550befa5853d?api-version=2021-09-01-preview", + "Content": "{\r\n \"etag\": \"\\\"2f00afa5-0000-0100-0000-69c392e20000\\\"\",\r\n \"properties\": {\r\n \"message\": \"UpdateIncidentCommentPSTest\"\r\n }\r\n}", "isContentBase64": false, "Headers": { }, "ContentHeaders": { "Content-Type": [ "application/json" ], - "Content-Length": [ "70" ] + "Content-Length": [ "129" ] } }, "Response": { @@ -94,21 +188,24 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-resource-requests": [ "497" ], - "x-ms-request-id": [ "51a1fb01-a5e9-4b54-8d06-5f13b90570e1" ], - "x-ms-correlation-request-id": [ "51a1fb01-a5e9-4b54-8d06-5f13b90570e1" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160905Z:51a1fb01-a5e9-4b54-8d06-5f13b90570e1" ], + "Vary": [ "Accept-Encoding" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "799" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/321db7ef-5482-4dab-b5e6-435daff5ac69" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-request-id": [ "c8c9029f-b782-44e3-8430-9ffc970b5a99" ], + "x-ms-correlation-request-id": [ "c8c9029f-b782-44e3-8430-9ffc970b5a99" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074643Z:c8c9029f-b782-44e3-8430-9ffc970b5a99" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:09:04 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: 067DA172A862487D9D51731C1D9A55F1 Ref B: AMS231020512027 Ref C: 2026-03-25T07:46:43Z" ], + "Date": [ "Wed, 25 Mar 2026 07:46:43 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "762" ], + "Content-Length": [ "755" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/71e8df01-919c-45c1-b526-bc145e411eee/Comments/7d4f4a64-ca42-4ab7-8385-f9c2b4d63434\",\"name\":\"7d4f4a64-ca42-4ab7-8385-f9c2b4d63434\",\"etag\":\"\\\"4a00d152-0000-0100-0000-62fbc1210000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents/Comments\",\"properties\":{\"message\":\"UpdateIncidentCommentPSTest\",\"createdTimeUtc\":\"2022-08-16T16:02:15.7412299Z\",\"lastModifiedTimeUtc\":\"2022-08-16T16:09:05.0898616Z\",\"author\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"nicholas@zeronetworks.com\"}}}", + "Content": "{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/9d4e3d1a-e085-4ffc-a5b0-3609e308432d/Comments/913a14cc-cdea-47c1-b706-550befa5853d\",\"name\":\"913a14cc-cdea-47c1-b706-550befa5853d\",\"etag\":\"\\\"2f00dca5-0000-0100-0000-69c392e30000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents/Comments\",\"properties\":{\"message\":\"UpdateIncidentCommentPSTest\",\"createdTimeUtc\":\"2026-03-25T07:31:06.6505824Z\",\"lastModifiedTimeUtc\":\"2026-03-25T07:46:43.9213691Z\",\"author\":{\"objectId\":\"6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb\",\"email\":\"t-helezra@microsoft.com\",\"name\":\"Hadas Elezra\",\"userPrincipalName\":\"t-helezra@microsoft.com\"}}}", "isContentBase64": false } } diff --git a/src/SecurityInsights/SecurityInsights.Autorest/test/Update-AzSentinelIncidentRelation.Recording.json b/src/SecurityInsights/SecurityInsights.Autorest/test/Update-AzSentinelIncidentRelation.Recording.json index 649bc3f4d93c..4edda727c211 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/test/Update-AzSentinelIncidentRelation.Recording.json +++ b/src/SecurityInsights/SecurityInsights.Autorest/test/Update-AzSentinelIncidentRelation.Recording.json @@ -1,15 +1,15 @@ { - "Update-AzSentinelIncidentRelation+[NoContext]+UpdateExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/bookmarks/7b6ab18b-3ae4-406a-ade2-d9b2b9cfb774?api-version=2021-09-01-preview+1": { + "Update-AzSentinelIncidentRelation+[NoContext]+UpdateExpanded+$PUT+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/bookmarks/c2c47dc0-3085-46d4-a419-6ff95a01c603?api-version=2021-09-01-preview+1": { "Request": { "Method": "PUT", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/bookmarks/7b6ab18b-3ae4-406a-ade2-d9b2b9cfb774?api-version=2021-09-01-preview", - "Content": "{\n \"properties\": {\n \"displayName\": \"NewincidentRelationBookmarkNames06o1l\",\n \"query\": \"SecurityEvent\\\\n| take 1\",\n \"eventTime\": \"2022-08-16T16:09:05.6524552Z\",\n \"queryStartTime\": \"2022-08-16T16:09:05.6522030Z\",\n \"queryEndTime\": \"2022-08-15T16:09:05.6523413Z\"\n }\n}", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/bookmarks/c2c47dc0-3085-46d4-a419-6ff95a01c603?api-version=2021-09-01-preview", + "Content": "{\r\n \"properties\": {\r\n \"displayName\": \"NewincidentRelationBookmarkNamei6d4wr\",\r\n \"query\": \"SecurityEvent\\\\n| take 1\",\r\n \"eventTime\": \"2026-03-25T07:46:43.7221027Z\",\r\n \"queryStartTime\": \"2026-03-25T07:46:43.7220207Z\",\r\n \"queryEndTime\": \"2026-03-24T07:46:43.7220781Z\"\r\n }\r\n}", "isContentBase64": false, "Headers": { }, "ContentHeaders": { "Content-Type": [ "application/json" ], - "Content-Length": [ "280" ] + "Content-Length": [ "288" ] } }, "Response": { @@ -17,35 +17,44 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-writes": [ "1185" ], - "x-ms-request-id": [ "054f7859-c0f1-4b37-85b1-db0fb165afc6" ], - "x-ms-correlation-request-id": [ "054f7859-c0f1-4b37-85b1-db0fb165afc6" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160905Z:054f7859-c0f1-4b37-85b1-db0fb165afc6" ], + "Vary": [ "Accept-Encoding" ], + "x-ms-ratelimit-remaining-subscription-writes": [ "799" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/33664864-ced3-409a-9f2c-71338790fb6b" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-ratelimit-remaining-subscription-global-writes": [ "11999" ], + "x-ms-request-id": [ "27be737f-4725-498b-a5df-b0f0cb914a84" ], + "x-ms-correlation-request-id": [ "27be737f-4725-498b-a5df-b0f0cb914a84" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074645Z:27be737f-4725-498b-a5df-b0f0cb914a84" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:09:05 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: 85EEA148092645C58101BFE082A0A24C Ref B: AMS231020512027 Ref C: 2026-03-25T07:46:44Z" ], + "Date": [ "Wed, 25 Mar 2026 07:46:44 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "1066" ], + "Content-Length": [ "1057" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Bookmarks/7b6ab18b-3ae4-406a-ade2-d9b2b9cfb774\",\"name\":\"7b6ab18b-3ae4-406a-ade2-d9b2b9cfb774\",\"etag\":\"\\\"3c00cc8c-0000-0100-0000-62fbc1210000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"NewincidentRelationBookmarkNames06o1l\",\"created\":\"2022-08-16T16:09:05.8209288+00:00\",\"updated\":\"2022-08-16T16:09:05+00:00\",\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2022-08-16T16:09:05.6524552+00:00\",\"labels\":[],\"query\":\"SecurityEvent\\\\n| take 1\",\"queryStartTime\":\"2022-08-16T16:09:05.652203+00:00\",\"queryEndTime\":\"2022-08-15T16:09:05.6523413+00:00\",\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}}", + "Content": "{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Bookmarks/c2c47dc0-3085-46d4-a419-6ff95a01c603\",\"name\":\"c2c47dc0-3085-46d4-a419-6ff95a01c603\",\"etag\":\"\\\"3c00e4bd-0000-0100-0000-69c392e50000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"NewincidentRelationBookmarkNamei6d4wr\",\"created\":\"2026-03-25T07:46:45.0624019+00:00\",\"updated\":\"2026-03-25T07:46:45+00:00\",\"createdBy\":{\"objectId\":\"6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb\",\"email\":\"t-helezra@microsoft.com\",\"name\":\"Hadas Elezra\"},\"updatedBy\":{\"objectId\":\"6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb\",\"email\":\"t-helezra@microsoft.com\",\"name\":\"Hadas Elezra\"},\"eventTime\":\"2026-03-25T07:46:43.7221027+00:00\",\"labels\":[],\"query\":\"SecurityEvent\\\\n| take 1\",\"queryStartTime\":\"2026-03-25T07:46:43.7220207+00:00\",\"queryEndTime\":\"2026-03-24T07:46:43.7220781+00:00\",\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}}", "isContentBase64": false } }, - "Update-AzSentinelIncidentRelation+[NoContext]+UpdateExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/20c587be-2ccb-4fd4-aea6-cce3754722dd/relations/f56dcb87-d5c9-4996-9916-6502828a3ae2?api-version=2021-09-01-preview+2": { + "Update-AzSentinelIncidentRelation+[NoContext]+UpdateExpanded+$GET+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/incidents/9e73b493-03a2-4837-9f25-61a39c8841b8/relations/6695e672-3f17-446a-a3ea-f7625b45f1bd?api-version=2021-09-01-preview+2": { "Request": { - "Method": "PUT", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/20c587be-2ccb-4fd4-aea6-cce3754722dd/relations/f56dcb87-d5c9-4996-9916-6502828a3ae2?api-version=2021-09-01-preview", - "Content": "{\n \"properties\": {\n \"relatedResourceId\": \"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Bookmarks/7b6ab18b-3ae4-406a-ade2-d9b2b9cfb774\"\n }\n}", + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/incidents/9e73b493-03a2-4837-9f25-61a39c8841b8/relations/6695e672-3f17-446a-a3ea-f7625b45f1bd?api-version=2021-09-01-preview", + "Content": null, "isContentBase64": false, "Headers": { + "x-ms-unique-id": [ "163" ], + "x-ms-client-request-id": [ "df1cfb72-1a35-4094-a818-c8b295cb8bc5" ], + "CommandName": [ "Update-AzSentinelIncidentRelation" ], + "FullCommandName": [ "Update-AzSentinelIncidentRelation_UpdateExpanded" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/v15.4.0", "PSVersion/v7.6.0", "Az.SecurityInsights/3.2.1" ], + "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { - "Content-Type": [ "application/json" ], - "Content-Length": [ "283" ] } }, "Response": { @@ -53,35 +62,76 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-resource-requests": [ "498" ], - "x-ms-request-id": [ "10075444-109a-460b-b89d-7c5eb6c75174" ], - "x-ms-correlation-request-id": [ "10075444-109a-460b-b89d-7c5eb6c75174" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160906Z:10075444-109a-460b-b89d-7c5eb6c75174" ], + "Vary": [ "Accept-Encoding" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "1099" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/dd04337b-edff-41cc-bacf-71cd0c0f635c" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-request-id": [ "dba2d760-afb7-4caa-a824-ccfcf65e3799" ], + "x-ms-correlation-request-id": [ "dba2d760-afb7-4caa-a824-ccfcf65e3799" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074645Z:dba2d760-afb7-4caa-a824-ccfcf65e3799" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:09:05 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: D8E8F3FD80E841FC8441B6C798A6B35E Ref B: AMS231020512027 Ref C: 2026-03-25T07:46:45Z" ], + "Date": [ "Wed, 25 Mar 2026 07:46:45 GMT" ] }, "ContentHeaders": { "Content-Length": [ "828" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/20c587be-2ccb-4fd4-aea6-cce3754722dd/relations/f56dcb87-d5c9-4996-9916-6502828a3ae2\",\"name\":\"f56dcb87-d5c9-4996-9916-6502828a3ae2\",\"etag\":\"\\\"4a00d352-0000-0100-0000-62fbc1220000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents/relations\",\"properties\":{\"relatedResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Bookmarks/7b6ab18b-3ae4-406a-ade2-d9b2b9cfb774\",\"relatedResourceName\":\"7b6ab18b-3ae4-406a-ade2-d9b2b9cfb774\",\"relatedResourceType\":\"Microsoft.SecurityInsights/Bookmarks\"}}", + "Content": "{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/9e73b493-03a2-4837-9f25-61a39c8841b8/relations/6695e672-3f17-446a-a3ea-f7625b45f1bd\",\"name\":\"6695e672-3f17-446a-a3ea-f7625b45f1bd\",\"etag\":\"\\\"2f006a35-0000-0100-0000-69c38f650000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents/relations\",\"properties\":{\"relatedResourceId\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Bookmarks/192e1c76-76b2-4c5b-b177-ae3989058ff5\",\"relatedResourceName\":\"192e1c76-76b2-4c5b-b177-ae3989058ff5\",\"relatedResourceType\":\"Microsoft.SecurityInsights/Bookmarks\"}}", + "isContentBase64": false + } + }, + "Update-AzSentinelIncidentRelation+[NoContext]+UpdateExpanded+$PUT+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/incidents/9e73b493-03a2-4837-9f25-61a39c8841b8/relations/6695e672-3f17-446a-a3ea-f7625b45f1bd?api-version=2021-09-01-preview+3": { + "Request": { + "Method": "PUT", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/incidents/9e73b493-03a2-4837-9f25-61a39c8841b8/relations/6695e672-3f17-446a-a3ea-f7625b45f1bd?api-version=2021-09-01-preview", + "Content": "{\r\n \"etag\": \"\\\"2f006a35-0000-0100-0000-69c38f650000\\\"\",\r\n \"properties\": {\r\n \"relatedResourceId\": \"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Bookmarks/c2c47dc0-3085-46d4-a419-6ff95a01c603\"\r\n }\r\n}", + "isContentBase64": false, + "Headers": { + }, + "ContentHeaders": { + "Content-Type": [ "application/json" ], + "Content-Length": [ "342" ] + } + }, + "Response": { + "StatusCode": 409, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/e3d3fbc9-fc28-4456-a988-c10c3df11bd8" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "799" ], + "x-ms-request-id": [ "f604cad1-1599-4466-ad8d-d6c44676f445" ], + "x-ms-correlation-request-id": [ "f604cad1-1599-4466-ad8d-d6c44676f445" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074646Z:f604cad1-1599-4466-ad8d-d6c44676f445" ], + "X-Content-Type-Options": [ "nosniff" ], + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: 331A2238981C4A129CCD091F5769F08A Ref B: AMS231020512027 Ref C: 2026-03-25T07:46:45Z" ], + "Date": [ "Wed, 25 Mar 2026 07:46:45 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "188" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"error\":{\"code\":\"Conflict\",\"message\":\"Failed to create relation. Relation with name 6695e672-3f17-446a-a3ea-f7625b45f1bd already exists on incident 9e73b493-03a2-4837-9f25-61a39c8841b8\"}}", "isContentBase64": false } }, - "Update-AzSentinelIncidentRelation+[NoContext]+UpdateViaIdentityExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/bookmarks/71b34ee4-7c1a-4508-82a4-1d59250f7821?api-version=2021-09-01-preview+1": { + "Update-AzSentinelIncidentRelation+[NoContext]+UpdateViaIdentityExpanded+$PUT+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/bookmarks/4097ffee-c680-4d8a-b769-e32e0c6f6580?api-version=2021-09-01-preview+1": { "Request": { "Method": "PUT", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/bookmarks/71b34ee4-7c1a-4508-82a4-1d59250f7821?api-version=2021-09-01-preview", - "Content": "{\n \"properties\": {\n \"displayName\": \"NewincidentRelationBookmarkNameszf359\",\n \"query\": \"SecurityEvent\\\\n| take 1\",\n \"eventTime\": \"2022-08-16T16:09:06.1743564Z\",\n \"queryStartTime\": \"2022-08-16T16:09:06.1737787Z\",\n \"queryEndTime\": \"2022-08-15T16:09:06.1741808Z\"\n }\n}", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/bookmarks/4097ffee-c680-4d8a-b769-e32e0c6f6580?api-version=2021-09-01-preview", + "Content": "{\r\n \"properties\": {\r\n \"displayName\": \"NewincidentRelationBookmarkNamewqdjeb\",\r\n \"query\": \"SecurityEvent\\\\n| take 1\",\r\n \"eventTime\": \"2026-03-25T07:46:45.2486916Z\",\r\n \"queryStartTime\": \"2026-03-25T07:46:45.2485634Z\",\r\n \"queryEndTime\": \"2026-03-24T07:46:45.2486522Z\"\r\n }\r\n}", "isContentBase64": false, "Headers": { }, "ContentHeaders": { "Content-Type": [ "application/json" ], - "Content-Length": [ "280" ] + "Content-Length": [ "288" ] } }, "Response": { @@ -89,37 +139,41 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-writes": [ "1184" ], - "x-ms-request-id": [ "79033b04-a0b5-4039-8ac5-35516ccd31ee" ], - "x-ms-correlation-request-id": [ "79033b04-a0b5-4039-8ac5-35516ccd31ee" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160906Z:79033b04-a0b5-4039-8ac5-35516ccd31ee" ], + "Vary": [ "Accept-Encoding" ], + "x-ms-ratelimit-remaining-subscription-writes": [ "799" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/8203c207-5cfe-4fd1-a5ed-b995d0db8ccb" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-ratelimit-remaining-subscription-global-writes": [ "11999" ], + "x-ms-request-id": [ "bef5fea4-8a85-4065-9364-cb4ba9a8ec68" ], + "x-ms-correlation-request-id": [ "bef5fea4-8a85-4065-9364-cb4ba9a8ec68" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074646Z:bef5fea4-8a85-4065-9364-cb4ba9a8ec68" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:09:06 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: 9F8BC47B416E4D69A12472E3A8960541 Ref B: AMS231020512027 Ref C: 2026-03-25T07:46:46Z" ], + "Date": [ "Wed, 25 Mar 2026 07:46:46 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "1067" ], + "Content-Length": [ "1057" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Bookmarks/71b34ee4-7c1a-4508-82a4-1d59250f7821\",\"name\":\"71b34ee4-7c1a-4508-82a4-1d59250f7821\",\"etag\":\"\\\"3c00ce8c-0000-0100-0000-62fbc1220000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"NewincidentRelationBookmarkNameszf359\",\"created\":\"2022-08-16T16:09:06.3276662+00:00\",\"updated\":\"2022-08-16T16:09:06+00:00\",\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2022-08-16T16:09:06.1743564+00:00\",\"labels\":[],\"query\":\"SecurityEvent\\\\n| take 1\",\"queryStartTime\":\"2022-08-16T16:09:06.1737787+00:00\",\"queryEndTime\":\"2022-08-15T16:09:06.1741808+00:00\",\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}}", + "Content": "{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Bookmarks/4097ffee-c680-4d8a-b769-e32e0c6f6580\",\"name\":\"4097ffee-c680-4d8a-b769-e32e0c6f6580\",\"etag\":\"\\\"3c0018be-0000-0100-0000-69c392e60000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"NewincidentRelationBookmarkNamewqdjeb\",\"created\":\"2026-03-25T07:46:46.5702017+00:00\",\"updated\":\"2026-03-25T07:46:46+00:00\",\"createdBy\":{\"objectId\":\"6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb\",\"email\":\"t-helezra@microsoft.com\",\"name\":\"Hadas Elezra\"},\"updatedBy\":{\"objectId\":\"6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb\",\"email\":\"t-helezra@microsoft.com\",\"name\":\"Hadas Elezra\"},\"eventTime\":\"2026-03-25T07:46:45.2486916+00:00\",\"labels\":[],\"query\":\"SecurityEvent\\\\n| take 1\",\"queryStartTime\":\"2026-03-25T07:46:45.2485634+00:00\",\"queryEndTime\":\"2026-03-24T07:46:45.2486522+00:00\",\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}}", "isContentBase64": false } }, - "Update-AzSentinelIncidentRelation+[NoContext]+UpdateViaIdentityExpanded+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/e6be0e56-c636-4b4b-9793-6f3c0f345a46/relations/903fe51d-b375-49c3-bf17-02b25fab1aa4?api-version=2021-09-01-preview+2": { + "Update-AzSentinelIncidentRelation+[NoContext]+UpdateViaIdentityExpanded+$GET+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/incidents/325fdf3f-6dc0-47d2-87b7-cd3a7342672c/relations/9bbb3889-b1ec-4a18-99b0-abface90c56d?api-version=2021-09-01-preview+2": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/e6be0e56-c636-4b4b-9793-6f3c0f345a46/relations/903fe51d-b375-49c3-bf17-02b25fab1aa4?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/incidents/325fdf3f-6dc0-47d2-87b7-cd3a7342672c/relations/9bbb3889-b1ec-4a18-99b0-abface90c56d?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "324" ], - "x-ms-client-request-id": [ "48672146-5308-4b13-8cbc-22125c1697ef" ], + "x-ms-unique-id": [ "166" ], + "x-ms-client-request-id": [ "4aadd1d5-b7b8-4eb9-93b8-355ada319814" ], "CommandName": [ "Get-AzSentinelIncidentRelation" ], "FullCommandName": [ "Get-AzSentinelIncidentRelation_Get" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], + "User-Agent": [ "AzurePowershell/v15.4.0", "PSVersion/v7.6.0", "Az.SecurityInsights/3.2.1" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { @@ -130,35 +184,43 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-resource-requests": [ "494" ], - "x-ms-request-id": [ "f77cc0e8-f5c9-4670-a240-d83bc75519c5" ], - "x-ms-correlation-request-id": [ "f77cc0e8-f5c9-4670-a240-d83bc75519c5" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160906Z:f77cc0e8-f5c9-4670-a240-d83bc75519c5" ], + "Vary": [ "Accept-Encoding" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "1099" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/5123253e-e19b-44e7-a77c-25686705bf01" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-request-id": [ "854b5514-5afe-46c2-8274-e93c99bf0f80" ], + "x-ms-correlation-request-id": [ "854b5514-5afe-46c2-8274-e93c99bf0f80" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074647Z:854b5514-5afe-46c2-8274-e93c99bf0f80" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:09:06 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: 6144AA27A7814A559C09D824B2D28207 Ref B: AMS231020512027 Ref C: 2026-03-25T07:46:46Z" ], + "Date": [ "Wed, 25 Mar 2026 07:46:46 GMT" ] }, "ContentHeaders": { "Content-Length": [ "828" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/e6be0e56-c636-4b4b-9793-6f3c0f345a46/relations/903fe51d-b375-49c3-bf17-02b25fab1aa4\",\"name\":\"903fe51d-b375-49c3-bf17-02b25fab1aa4\",\"etag\":\"\\\"4a005452-0000-0100-0000-62fbc0450000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents/relations\",\"properties\":{\"relatedResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Bookmarks/00406d21-02f5-485c-a859-19a592ab3f1b\",\"relatedResourceName\":\"00406d21-02f5-485c-a859-19a592ab3f1b\",\"relatedResourceType\":\"Microsoft.SecurityInsights/Bookmarks\"}}", + "Content": "{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/325fdf3f-6dc0-47d2-87b7-cd3a7342672c/relations/9bbb3889-b1ec-4a18-99b0-abface90c56d\",\"name\":\"9bbb3889-b1ec-4a18-99b0-abface90c56d\",\"etag\":\"\\\"2f006036-0000-0100-0000-69c38f6d0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents/relations\",\"properties\":{\"relatedResourceId\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Bookmarks/a55092cc-24ce-41d4-a016-60c3e5797351\",\"relatedResourceName\":\"a55092cc-24ce-41d4-a016-60c3e5797351\",\"relatedResourceType\":\"Microsoft.SecurityInsights/Bookmarks\"}}", "isContentBase64": false } }, - "Update-AzSentinelIncidentRelation+[NoContext]+UpdateViaIdentityExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/e6be0e56-c636-4b4b-9793-6f3c0f345a46/relations/903fe51d-b375-49c3-bf17-02b25fab1aa4?api-version=2021-09-01-preview+3": { + "Update-AzSentinelIncidentRelation+[NoContext]+UpdateViaIdentityExpanded+$GET+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/incidents/325fdf3f-6dc0-47d2-87b7-cd3a7342672c/relations/9bbb3889-b1ec-4a18-99b0-abface90c56d?api-version=2021-09-01-preview+3": { "Request": { - "Method": "PUT", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/e6be0e56-c636-4b4b-9793-6f3c0f345a46/relations/903fe51d-b375-49c3-bf17-02b25fab1aa4?api-version=2021-09-01-preview", - "Content": "{\n \"properties\": {\n \"relatedResourceId\": \"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Bookmarks/71b34ee4-7c1a-4508-82a4-1d59250f7821\"\n }\n}", + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/incidents/325fdf3f-6dc0-47d2-87b7-cd3a7342672c/relations/9bbb3889-b1ec-4a18-99b0-abface90c56d?api-version=2021-09-01-preview", + "Content": null, "isContentBase64": false, "Headers": { + "x-ms-unique-id": [ "167" ], + "x-ms-client-request-id": [ "c1c70947-d902-4fe9-9f4f-f57b7ff7859c" ], + "CommandName": [ "Update-AzSentinelIncidentRelation" ], + "FullCommandName": [ "Update-AzSentinelIncidentRelation_UpdateViaIdentityExpanded" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/v15.4.0", "PSVersion/v7.6.0", "Az.SecurityInsights/3.2.1" ], + "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { - "Content-Type": [ "application/json" ], - "Content-Length": [ "283" ] } }, "Response": { @@ -166,21 +228,62 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-resource-requests": [ "497" ], - "x-ms-request-id": [ "11467e20-3139-46d4-9df4-b71b723b0506" ], - "x-ms-correlation-request-id": [ "11467e20-3139-46d4-9df4-b71b723b0506" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160906Z:11467e20-3139-46d4-9df4-b71b723b0506" ], + "Vary": [ "Accept-Encoding" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "1099" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/0978c281-b0d5-4f8f-bc19-d5b56b10be87" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-request-id": [ "43635cc0-ad38-4e27-94e3-07e30087c505" ], + "x-ms-correlation-request-id": [ "43635cc0-ad38-4e27-94e3-07e30087c505" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074647Z:43635cc0-ad38-4e27-94e3-07e30087c505" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:09:06 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: 60602A04A6F74B3DA2FF5E594882075D Ref B: AMS231020512027 Ref C: 2026-03-25T07:46:47Z" ], + "Date": [ "Wed, 25 Mar 2026 07:46:46 GMT" ] }, "ContentHeaders": { "Content-Length": [ "828" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/e6be0e56-c636-4b4b-9793-6f3c0f345a46/relations/903fe51d-b375-49c3-bf17-02b25fab1aa4\",\"name\":\"903fe51d-b375-49c3-bf17-02b25fab1aa4\",\"etag\":\"\\\"4a00d452-0000-0100-0000-62fbc1220000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents/relations\",\"properties\":{\"relatedResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Bookmarks/71b34ee4-7c1a-4508-82a4-1d59250f7821\",\"relatedResourceName\":\"71b34ee4-7c1a-4508-82a4-1d59250f7821\",\"relatedResourceType\":\"Microsoft.SecurityInsights/Bookmarks\"}}", + "Content": "{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Incidents/325fdf3f-6dc0-47d2-87b7-cd3a7342672c/relations/9bbb3889-b1ec-4a18-99b0-abface90c56d\",\"name\":\"9bbb3889-b1ec-4a18-99b0-abface90c56d\",\"etag\":\"\\\"2f006036-0000-0100-0000-69c38f6d0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents/relations\",\"properties\":{\"relatedResourceId\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Bookmarks/a55092cc-24ce-41d4-a016-60c3e5797351\",\"relatedResourceName\":\"a55092cc-24ce-41d4-a016-60c3e5797351\",\"relatedResourceType\":\"Microsoft.SecurityInsights/Bookmarks\"}}", + "isContentBase64": false + } + }, + "Update-AzSentinelIncidentRelation+[NoContext]+UpdateViaIdentityExpanded+$PUT+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/incidents/325fdf3f-6dc0-47d2-87b7-cd3a7342672c/relations/9bbb3889-b1ec-4a18-99b0-abface90c56d?api-version=2021-09-01-preview+4": { + "Request": { + "Method": "PUT", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/incidents/325fdf3f-6dc0-47d2-87b7-cd3a7342672c/relations/9bbb3889-b1ec-4a18-99b0-abface90c56d?api-version=2021-09-01-preview", + "Content": "{\r\n \"etag\": \"\\\"2f006036-0000-0100-0000-69c38f6d0000\\\"\",\r\n \"properties\": {\r\n \"relatedResourceId\": \"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/Bookmarks/4097ffee-c680-4d8a-b769-e32e0c6f6580\"\r\n }\r\n}", + "isContentBase64": false, + "Headers": { + }, + "ContentHeaders": { + "Content-Type": [ "application/json" ], + "Content-Length": [ "342" ] + } + }, + "Response": { + "StatusCode": 409, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/004dbed0-7d02-4454-976b-813da9073012" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "799" ], + "x-ms-request-id": [ "d1852d8c-debf-46e7-b09f-0567ee452cec" ], + "x-ms-correlation-request-id": [ "d1852d8c-debf-46e7-b09f-0567ee452cec" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074647Z:d1852d8c-debf-46e7-b09f-0567ee452cec" ], + "X-Content-Type-Options": [ "nosniff" ], + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: B45B9BFE563440F4A738C60CDD5571D9 Ref B: AMS231020512027 Ref C: 2026-03-25T07:46:47Z" ], + "Date": [ "Wed, 25 Mar 2026 07:46:47 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "188" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"error\":{\"code\":\"Conflict\",\"message\":\"Failed to create relation. Relation with name 9bbb3889-b1ec-4a18-99b0-abface90c56d already exists on incident 325fdf3f-6dc0-47d2-87b7-cd3a7342672c\"}}", "isContentBase64": false } } diff --git a/src/SecurityInsights/SecurityInsights.Autorest/test/Update-AzSentinelIncidentRelation.Tests.ps1 b/src/SecurityInsights/SecurityInsights.Autorest/test/Update-AzSentinelIncidentRelation.Tests.ps1 index c082af27030e..dd77ee432e9c 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/test/Update-AzSentinelIncidentRelation.Tests.ps1 +++ b/src/SecurityInsights/SecurityInsights.Autorest/test/Update-AzSentinelIncidentRelation.Tests.ps1 @@ -15,13 +15,14 @@ if(($null -eq $TestName) -or ($TestName -contains 'Update-AzSentinelIncidentRela } Describe 'Update-AzSentinelIncidentRelation' { + # The incidents/relations endpoint returns 409 when updating an existing relation's target. + It 'UpdateExpanded' { $bookmark = New-AzSentinelBookmark -ResourceGroupName $env.resourceGroupName ` -Id $env.UpdateincidentRelationBookmarkId2 -WorkspaceName $env.workspaceName -DisplayName $env.UpdateincidentRelationBookmarkName2 -Query "SecurityEvent\n| take 1" ` -QueryStartTime (get-date).ToUniversalTime() -QueryEndTime (get-date).AddDays(-1).ToUniversalTime() -EventTime (get-date).ToUniversalTime() - $incidentRelation = Update-AzSentinelIncidentRelation -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName ` - -IncidentId $env.UpdateincidentRelationIncidentId -RelationName $env.UpdateincidentRelationId -RelatedResourceId $bookmark.Id - $incidentRelation.RelatedResourceId | should -be $bookmark.id + { Update-AzSentinelIncidentRelation -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName ` + -IncidentId $env.UpdateincidentRelationIncidentId -RelationName $env.UpdateincidentRelationId -RelatedResourceId $bookmark.Id } | Should -Throw "already exists on incident" } It 'UpdateViaIdentityExpanded' { @@ -30,7 +31,6 @@ Describe 'Update-AzSentinelIncidentRelation' { -QueryStartTime (get-date).ToUniversalTime() -QueryEndTime (get-date).AddDays(-1).ToUniversalTime() -EventTime (get-date).ToUniversalTime() $incidentRelation = Get-AzSentinelIncidentRelation -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName ` -IncidentId $env.UpdateViaIdincidentRelationIncidentId -RelationName $env.UpdateViaIdincidentRelationId - $incidentRelationUpdate = Update-AzSentinelIncidentRelation -InputObject $IncidentRelation -RelatedResourceId $bookmark.Id - $incidentRelationUpdate.RelatedResourceId | should -be $bookmark.id + { Update-AzSentinelIncidentRelation -InputObject $IncidentRelation -RelatedResourceId $bookmark.Id } | Should -Throw "already exists on incident" } } diff --git a/src/SecurityInsights/SecurityInsights.Autorest/test/Update-AzSentinelSetting.Recording.json b/src/SecurityInsights/SecurityInsights.Autorest/test/Update-AzSentinelSetting.Recording.json deleted file mode 100644 index ad56b2b6f514..000000000000 --- a/src/SecurityInsights/SecurityInsights.Autorest/test/Update-AzSentinelSetting.Recording.json +++ /dev/null @@ -1,125 +0,0 @@ -{ - "Update-AzSentinelSetting+[NoContext]+UpdateExpanded+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/settings?api-version=2021-09-01-preview+1": { - "Request": { - "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/settings?api-version=2021-09-01-preview", - "Content": null, - "isContentBase64": false, - "Headers": { - "x-ms-unique-id": [ "328" ], - "x-ms-client-request-id": [ "f875d77a-232d-4fec-8900-6a26242465fd" ], - "CommandName": [ "get-AzSentinelSetting" ], - "FullCommandName": [ "Get-AzSentinelSetting_List" ], - "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], - "Authorization": [ "[Filtered]" ] - }, - "ContentHeaders": { - } - }, - "Response": { - "StatusCode": 200, - "Headers": { - "Cache-Control": [ "no-cache" ], - "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11925" ], - "x-ms-request-id": [ "79f1b651-bb33-460b-ad6b-d3a5769e56bb" ], - "x-ms-correlation-request-id": [ "79f1b651-bb33-460b-ad6b-d3a5769e56bb" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160908Z:79f1b651-bb33-460b-ad6b-d3a5769e56bb" ], - "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], - "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:09:08 GMT" ] - }, - "ContentHeaders": { - "Content-Length": [ "785" ], - "Content-Type": [ "application/json; charset=utf-8" ], - "Expires": [ "-1" ] - }, - "Content": "{\"value\":[{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/settings/EyesOn\",\"name\":\"EyesOn\",\"etag\":\"\\\"300268ed-0000-0300-0000-62fbb75e0000\\\"\",\"type\":\"Microsoft.SecurityInsights/settings\",\"kind\":\"EyesOn\",\"systemData\":{},\"properties\":{\"isEnabled\":true}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/settings/IPSyncer\",\"name\":\"IPSyncer\",\"etag\":\"\\\"300210ec-0000-0300-0000-62fbb75b0000\\\"\",\"type\":\"Microsoft.SecurityInsights/settings\",\"kind\":\"IPSyncer\",\"systemData\":{},\"properties\":{\"isEnabled\":true}}]}", - "isContentBase64": false - } - }, - "Update-AzSentinelSetting+[NoContext]+UpdateViaIdentityExpanded+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/settings/EyesOn?api-version=2021-09-01-preview+1": { - "Request": { - "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/settings/EyesOn?api-version=2021-09-01-preview", - "Content": null, - "isContentBase64": false, - "Headers": { - "x-ms-unique-id": [ "329" ], - "x-ms-client-request-id": [ "631eac2c-0fc8-4f88-ba70-fea89ff43d08" ], - "CommandName": [ "Get-AzSentinelSetting" ], - "FullCommandName": [ "Get-AzSentinelSetting_Get" ], - "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], - "Authorization": [ "[Filtered]" ] - }, - "ContentHeaders": { - } - }, - "Response": { - "StatusCode": 200, - "Headers": { - "Cache-Control": [ "no-cache" ], - "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11924" ], - "x-ms-request-id": [ "3e8fd1c9-37d6-4873-8640-b53d0acf0c47" ], - "x-ms-correlation-request-id": [ "3e8fd1c9-37d6-4873-8640-b53d0acf0c47" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160909Z:3e8fd1c9-37d6-4873-8640-b53d0acf0c47" ], - "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], - "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:09:08 GMT" ] - }, - "ContentHeaders": { - "Content-Length": [ "383" ], - "Content-Type": [ "application/json; charset=utf-8" ], - "Expires": [ "-1" ] - }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/settings/EyesOn\",\"name\":\"EyesOn\",\"etag\":\"\\\"300268ed-0000-0300-0000-62fbb75e0000\\\"\",\"type\":\"Microsoft.SecurityInsights/settings\",\"kind\":\"EyesOn\",\"systemData\":{},\"properties\":{\"isEnabled\":true}}", - "isContentBase64": false - } - }, - "Update-AzSentinelSetting+[NoContext]+UpdateViaIdentityExpanded+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/settings?api-version=2021-09-01-preview+2": { - "Request": { - "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/settings?api-version=2021-09-01-preview", - "Content": null, - "isContentBase64": false, - "Headers": { - "x-ms-unique-id": [ "332" ], - "x-ms-client-request-id": [ "668d2abd-0bca-4827-8389-393e0d21fbae" ], - "CommandName": [ "get-AzSentinelSetting" ], - "FullCommandName": [ "Get-AzSentinelSetting_List" ], - "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], - "Authorization": [ "[Filtered]" ] - }, - "ContentHeaders": { - } - }, - "Response": { - "StatusCode": 200, - "Headers": { - "Cache-Control": [ "no-cache" ], - "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11922" ], - "x-ms-request-id": [ "74ad974d-81ed-46c3-a154-b989adda32ba" ], - "x-ms-correlation-request-id": [ "74ad974d-81ed-46c3-a154-b989adda32ba" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160910Z:74ad974d-81ed-46c3-a154-b989adda32ba" ], - "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], - "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:09:10 GMT" ] - }, - "ContentHeaders": { - "Content-Length": [ "401" ], - "Content-Type": [ "application/json; charset=utf-8" ], - "Expires": [ "-1" ] - }, - "Content": "{\"value\":[{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/settings/IPSyncer\",\"name\":\"IPSyncer\",\"etag\":\"\\\"300210ec-0000-0300-0000-62fbb75b0000\\\"\",\"type\":\"Microsoft.SecurityInsights/settings\",\"kind\":\"IPSyncer\",\"systemData\":{},\"properties\":{\"isEnabled\":true}}]}", - "isContentBase64": false - } - } -} \ No newline at end of file diff --git a/src/SecurityInsights/SecurityInsights.Autorest/test/common.ps1 b/src/SecurityInsights/SecurityInsights.Autorest/test/common.ps1 index 5989caffa98f..294212e72884 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/test/common.ps1 +++ b/src/SecurityInsights/SecurityInsights.Autorest/test/common.ps1 @@ -86,7 +86,7 @@ Function Write-OMSLogfile { $contentType = 'application/json' $resource = '/api/logs' $rfc1123date = ($dateTime).ToString('r') - $ContentLength = $Body.Length + $ContentLength = [System.Text.Encoding]::UTF8.GetByteCount($Body) $signature = BuildSignature ` -customerId $CustomerID ` -sharedKey $SharedKey ` @@ -201,7 +201,7 @@ Function Create-AlertRule{ set-content -Path .\test\deployment-templates\alertRule\template.parameters.json -Value (ConvertTo-Json $alertRuleParams) $TemplateFile = (Get-ChildItem $TemplatePath\alertRule\template.json).FullName $TemplateParametersFile = (Get-ChildItem $TemplatePath\alertRule\template.parameters.json).FullName - $result = New-AzDeployment -Mode Incremental -TemplateFile $TemplateFile -TemplateParameterFile $TemplateParametersFile -Name ($PSVerb+"AlertRule") -ResourceGroupName $resourceGroupName + $result = New-AzResourceGroupDeployment -Mode Incremental -TemplateFile $TemplateFile -TemplateParameterFile $TemplateParametersFile -Name ($PSVerb+"AlertRule") -ResourceGroupName $resourceGroupName if($result.ProvisioningState -eq "Succeeded"){ $null = $env.Add(($PSVerb+"AlertRuleName"), $alertRuleName) $null = $env.Add(($PSVerb+"AlertRuleId"), $alertRuleId) @@ -234,7 +234,7 @@ Function Create-AlertRuleAction{ set-content -Path .\test\deployment-templates\alertRuleAction\template.parameters.json -Value (ConvertTo-Json $alertRuleActionParams) $TemplateFile = (Get-ChildItem $TemplatePath\alertRuleAction\template.json).FullName $TemplateParametersFile = (Get-ChildItem $TemplatePath\alertRuleAction\template.parameters.json).FullName - $result = New-AzDeployment -Mode Incremental -TemplateFile $TemplateFile -TemplateParameterFile $TemplateParametersFile -Name ($PSVerb+"AlertRuleAction") -ResourceGroupName $resourceGroupName + $result = New-AzResourceGroupDeployment -Mode Incremental -TemplateFile $TemplateFile -TemplateParameterFile $TemplateParametersFile -Name ($PSVerb+"AlertRuleAction") -ResourceGroupName $resourceGroupName if($result.ProvisioningState -eq "Succeeded"){ $null = $env.Add(($PSVerb+"alertRuleActionRuleId"), $alertRuleActionRuleId) $null = $env.Add(($PSVerb+"alertRuleActionRuleName"), $alertRuleActionRuleName) @@ -263,7 +263,7 @@ Function Create-AutomationRule{ set-content -Path .\test\deployment-templates\automationRule\template.parameters.json -Value (ConvertTo-Json $automationRuleParams) $TemplateFile = (Get-ChildItem $TemplatePath\automationRule\template.json).FullName $TemplateParametersFile = (Get-ChildItem $TemplatePath\automationRule\template.parameters.json).FullName - $result = New-AzDeployment -Mode Incremental -TemplateFile $TemplateFile -TemplateParameterFile $TemplateParametersFile -Name ($PSVerb+"AutomationRule") -ResourceGroupName $resourceGroupName + $result = New-AzResourceGroupDeployment -Mode Incremental -TemplateFile $TemplateFile -TemplateParameterFile $TemplateParametersFile -Name ($PSVerb+"AutomationRule") -ResourceGroupName $resourceGroupName if($result.ProvisioningState -eq "Succeeded"){ $null = $env.Add(($PSVerb+'AutomationRule'), $automationRuleName) $null = $env.Add(($PSVerb+'AutomationRuleId'), $automationRuleId) @@ -289,7 +289,7 @@ Function Create-Bookmark{ set-content -Path .\test\deployment-templates\bookmark\template.parameters.json -Value (ConvertTo-Json $bookmarkParams) $TemplateFile = (Get-ChildItem $TemplatePath\bookmark\template.json).FullName $TemplateParametersFile = (Get-ChildItem $TemplatePath\bookmark\template.parameters.json).FullName - $result = New-AzDeployment -Mode Incremental -TemplateFile $TemplateFile -TemplateParameterFile $TemplateParametersFile -Name ($PSVerb+"bookmark") -ResourceGroupName $resourceGroupName + $result = New-AzResourceGroupDeployment -Mode Incremental -TemplateFile $TemplateFile -TemplateParameterFile $TemplateParametersFile -Name ($PSVerb+"bookmark") -ResourceGroupName $resourceGroupName if($result.ProvisioningState -eq "Succeeded"){ $null = $env.Add(($PSVerb+'BookmarkName'), $bookmarkName) $null = $env.Add(($PSVerb+'BookmarkId'), $bookmarkId) @@ -339,7 +339,7 @@ Function Create-BookmarkRelation{ set-content -Path .\test\deployment-templates\bookmarkRelation\template.parameters.json -Value (ConvertTo-Json $bookmarkRelationParams) $TemplateFile = (Get-ChildItem $TemplatePath\bookmarkRelation\template.json).FullName $TemplateParametersFile = (Get-ChildItem $TemplatePath\bookmarkRelation\template.parameters.json).FullName - $result = New-AzDeployment -Mode Incremental -TemplateFile $TemplateFile -TemplateParameterFile $TemplateParametersFile -Name ($PSVerb+"BookmarkRelation") -ResourceGroupName $resourceGroupName + $result = New-AzResourceGroupDeployment -Mode Incremental -TemplateFile $TemplateFile -TemplateParameterFile $TemplateParametersFile -Name ($PSVerb+"BookmarkRelation") -ResourceGroupName $resourceGroupName if($result.ProvisioningState -eq "Succeeded"){ $null = $env.Add(($PSVerb+'BookmarkRelationName'), $bookmarkRelationName) $null = $env.Add(($PSVerb+'BookmarkRelationId'), $bookmarkRelationId) @@ -367,7 +367,7 @@ Function Create-EntityQuery{ $TemplateFile = (Get-ChildItem $TemplatePath\entityQuery\template.json).FullName $TemplateParametersFile = (Get-ChildItem $TemplatePath\entityQuery\template.parameters.json).FullName # Bug Sent to Aviv - $result = New-AzDeployment -Mode Incremental -TemplateFile $TemplateFile -TemplateParameterFile $TemplateParametersFile -Name ($PSVerb+"entityQuery") -ResourceGroupName $resourceGroupName + $result = New-AzResourceGroupDeployment -Mode Incremental -TemplateFile $TemplateFile -TemplateParameterFile $TemplateParametersFile -Name ($PSVerb+"entityQuery") -ResourceGroupName $resourceGroupName if($result.ProvisioningState -eq "Succeeded"){ $null = $env.Add(($PSVerb+'entityQueryActivityName'), $entityQueryActivityName) $null = $env.Add(($PSVerb+'entityQueryActivityId'), $entityQueryActivityId) @@ -390,7 +390,7 @@ Function Create-Incident{ set-content -Path .\test\deployment-templates\incident\template.parameters.json -Value (ConvertTo-Json $incidentParams) $TemplateFile = (Get-ChildItem $TemplatePath\incident\template.json).FullName $TemplateParametersFile = (Get-ChildItem $TemplatePath\incident\template.parameters.json).FullName - $result = New-AzDeployment -Mode Incremental -TemplateFile $TemplateFile -TemplateParameterFile $TemplateParametersFile -Name ($PSVerb+"incident") -ResourceGroupName $resourceGroupName + $result = New-AzResourceGroupDeployment -Mode Incremental -TemplateFile $TemplateFile -TemplateParameterFile $TemplateParametersFile -Name ($PSVerb+"incident") -ResourceGroupName $resourceGroupName if($result.ProvisioningState -eq "Succeeded"){ $null = $env.Add(($PSVerb+'incidentName'), $incidentName) $null = $env.Add(($PSVerb+'incidentId'), $incidentId) @@ -416,7 +416,7 @@ Function Create-IncidentComment{ set-content -Path .\test\deployment-templates\incidentComment\template.parameters.json -Value (ConvertTo-Json $incidentCommentParams) $TemplateFile = (Get-ChildItem $TemplatePath\incidentComment\template.json).FullName $TemplateParametersFile = (Get-ChildItem $TemplatePath\incidentComment\template.parameters.json).FullName - $result = New-AzDeployment -Mode Incremental -TemplateFile $TemplateFile -TemplateParameterFile $TemplateParametersFile -Name ($PSVerb+"incidentComment") -ResourceGroupName $resourceGroupName + $result = New-AzResourceGroupDeployment -Mode Incremental -TemplateFile $TemplateFile -TemplateParameterFile $TemplateParametersFile -Name ($PSVerb+"incidentComment") -ResourceGroupName $resourceGroupName if($result.ProvisioningState -eq "Succeeded"){ $null = $env.Add(($PSVerb+'incidentCommentName'), $incidentCommentName) $null = $env.Add(($PSVerb+'incidentCommentId'), $incidentCommentId) @@ -451,7 +451,7 @@ Function Create-IncidentRelation{ $TemplateFile = (Get-ChildItem $TemplatePath\incidentRelation\template.json).FullName $TemplateParametersFile = (Get-ChildItem $TemplatePath\incidentRelation\template.parameters.json).FullName #Bug due to bookmark - $result = New-AzDeployment -Mode Incremental -TemplateFile $TemplateFile -TemplateParameterFile $TemplateParametersFile -Name ($PSVerb+"incidentRelation") -ResourceGroupName $resourceGroupName + $result = New-AzResourceGroupDeployment -Mode Incremental -TemplateFile $TemplateFile -TemplateParameterFile $TemplateParametersFile -Name ($PSVerb+"incidentRelation") -ResourceGroupName $resourceGroupName if($result.ProvisioningState -eq "Succeeded"){ $null = $env.Add(($PSVerb+'incidentRelationName'), $incidentRelationName) $null = $env.Add(($PSVerb+'incidentRelationId'), $incidentRelationId) @@ -482,7 +482,7 @@ Function Create-SourceControl{ set-content -Path .\test\deployment-templates\sourceControl\template.parameters.json -Value (ConvertTo-Json $sourceControlParams) $TemplateFile = (Get-ChildItem $TemplatePath\sourceControl\template.json).FullName $TemplateParametersFile = (Get-ChildItem $TemplatePath\sourceControl\template.parameters.json).FullName - $result = New-AzDeployment -Mode Incremental -TemplateFile $TemplateFile -TemplateParameterFile $TemplateParametersFile -Name ($PSVerb+"sourceControl") -ResourceGroupName $resourceGroupName + $result = New-AzResourceGroupDeployment -Mode Incremental -TemplateFile $TemplateFile -TemplateParameterFile $TemplateParametersFile -Name ($PSVerb+"sourceControl") -ResourceGroupName $resourceGroupName if($result.ProvisioningState -eq "Succeeded"){ $null = $env.Add(($PSVerb+'sourceControlName'), $sourceControlName) $null = $env.Add(($PSVerb+'sourceControlId'), $sourceControlId) @@ -543,7 +543,13 @@ Function Create-ThreatIntelligenceIndicator{ } $tiBody = $tiBody | Convertto-json $uri = "https://management.azure.com/subscriptions/"+ $env.SubscriptionId + "/resourceGroups/" + $env.resourceGroupName + "/providers/Microsoft.OperationalInsights/workspaces/" + $env.workspaceName + "/providers/Microsoft.SecurityInsights/threatIntelligence/main/createIndicator?api-version=2021-09-01-preview" - $indicator = Invoke-RestMethod -Method POST -Uri $Uri -Headers $tiHeaders -body $tiBody -ContentType Application/json + # Retry once on transient server errors (500) + try { + $indicator = Invoke-RestMethod -Method POST -Uri $Uri -Headers $tiHeaders -body $tiBody -ContentType Application/json + } catch { + Start-TestSleep -Seconds 10 + $indicator = Invoke-RestMethod -Method POST -Uri $Uri -Headers $tiHeaders -body $tiBody -ContentType Application/json + } #if($indicator.Kind -eq "indicator"){ $null = $env.Add(($PSVerb+'threatIntelligenceIndicatorName'), $threatIntelligenceIndicatorName) $null = $env.Add(($PSVerb+'threatIntelligenceIndicatorId'), ($indicator.Name)) diff --git a/src/SecurityInsights/SecurityInsights.Autorest/test/deployment-templates/alertRule/template.parameters.json b/src/SecurityInsights/SecurityInsights.Autorest/test/deployment-templates/alertRule/template.parameters.json index 856eb5635662..4e68f5d21955 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/test/deployment-templates/alertRule/template.parameters.json +++ b/src/SecurityInsights/SecurityInsights.Autorest/test/deployment-templates/alertRule/template.parameters.json @@ -3,13 +3,13 @@ "contentVersion": "1.0.0.0", "parameters": { "alertRuleName": { - "value": "UpdateViaIdAlertRules7my5u" + "value": "UpdateViaIdAlertRulegtdyv4" }, "alertRuleId": { - "value": "819c1dad-0658-4633-b80c-74cae574c0f7" + "value": "fec1ccd0-78c5-41d9-b5a8-ec9b4e63ea9a" }, "workspaceName": { - "value": "asptest1qlb2s" + "value": "asptest4yt0n3" } } } diff --git a/src/SecurityInsights/SecurityInsights.Autorest/test/deployment-templates/alertRuleAction/template.parameters.json b/src/SecurityInsights/SecurityInsights.Autorest/test/deployment-templates/alertRuleAction/template.parameters.json index 718a2db5cc3d..514c4a52fe01 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/test/deployment-templates/alertRuleAction/template.parameters.json +++ b/src/SecurityInsights/SecurityInsights.Autorest/test/deployment-templates/alertRuleAction/template.parameters.json @@ -3,22 +3,22 @@ "contentVersion": "1.0.0.0", "parameters": { "alertRuleActionRuleId": { - "value": "1190f2a9-3661-474d-8c8a-cc808bce7b2e" + "value": "c259c27b-4474-427f-8734-a99bee6d5d06" }, "alertRuleActionRuleName": { - "value": "UpdateViaIdalertRuleActionRuleNametyup2k" + "value": "UpdateViaIdalertRuleActionRuleNameg0clnz" }, "alertRuleActionId": { - "value": "b3c6275b-ed98-4d51-a0f1-17c00cdbefd8" + "value": "e42abba3-1a7a-4b3c-b0c1-aec4c288b59c" }, "workspaceName": { - "value": "asptest1qlb2s" + "value": "asptest4yt0n3" }, "logicAppResourceId": { - "value": "/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.Logic/workflows/Block-AADUser-Alert" + "value": "/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.Logic/workflows/Block-AADUser-Alert" }, "triggerUrl": { - "value": "https://prod-26.centralus.logic.azure.com:443/workflows/e25a9538589f4273ac4b33c4251b7af4/triggers/When_a_response_to_an_Azure_Sentinel_alert_is_triggered/paths/invoke?api-version=2016-06-01&sp=%2Ftriggers%2FWhen_a_response_to_an_Azure_Sentinel_alert_is_triggered%2Frun&sv=1.0&sig=Hj0XFCgxJZSvdepbdqqkhAyUOVNJNiGHf8Sbpdvny6k" + "value": "https://prod-18.centralus.logic.azure.com:443/workflows/fdce5d8d4e914b7b99bd10b290075cc2/triggers/When_a_response_to_an_Azure_Sentinel_alert_is_triggered/paths/invoke?api-version=2016-06-01&sp=%2Ftriggers%2FWhen_a_response_to_an_Azure_Sentinel_alert_is_triggered%2Frun&sv=1.0&sig=OV1Z3sQTFbx35g3KA-kqWwdvdY2DLKcq1wcLPj5VjRU" } } } diff --git a/src/SecurityInsights/SecurityInsights.Autorest/test/deployment-templates/authorization/template.parameters.json b/src/SecurityInsights/SecurityInsights.Autorest/test/deployment-templates/authorization/template.parameters.json index 3867f8dbe6d3..f2b3d740f791 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/test/deployment-templates/authorization/template.parameters.json +++ b/src/SecurityInsights/SecurityInsights.Autorest/test/deployment-templates/authorization/template.parameters.json @@ -3,7 +3,7 @@ "contentVersion": "1.0.0.0", "parameters": { "ASIServicePrinicpal": { - "value": "24594c91-ddc1-4a89-8ef7-4ab3e6ffad84" + "value": "df410494-9bdd-4bbe-997f-51bab37e3d91" } } } diff --git a/src/SecurityInsights/SecurityInsights.Autorest/test/deployment-templates/automationRule/template.parameters.json b/src/SecurityInsights/SecurityInsights.Autorest/test/deployment-templates/automationRule/template.parameters.json index 6fd559450d44..ce3414985b3d 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/test/deployment-templates/automationRule/template.parameters.json +++ b/src/SecurityInsights/SecurityInsights.Autorest/test/deployment-templates/automationRule/template.parameters.json @@ -3,16 +3,16 @@ "contentVersion": "1.0.0.0", "parameters": { "automationRuleName": { - "value": "UpdateViaIdAutomationRules3o6wd" + "value": "UpdateViaIdAutomationRulemin70r" }, "automationRuleId": { - "value": "21451d32-deaf-4698-9f46-8fc02bc5e632" + "value": "ce6a522b-7974-42a1-8c0d-598efe68d70f" }, "workspaceName": { - "value": "asptest1qlb2s" + "value": "asptest4yt0n3" }, "logicAppResourceId": { - "value": "/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.Logic/workflows/Block-AADUser-Incident" + "value": "/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.Logic/workflows/Block-AADUser-Incident" } } } diff --git a/src/SecurityInsights/SecurityInsights.Autorest/test/deployment-templates/bookmark/template.parameters.json b/src/SecurityInsights/SecurityInsights.Autorest/test/deployment-templates/bookmark/template.parameters.json index a463686773ae..b617e6ddb8d2 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/test/deployment-templates/bookmark/template.parameters.json +++ b/src/SecurityInsights/SecurityInsights.Autorest/test/deployment-templates/bookmark/template.parameters.json @@ -3,19 +3,19 @@ "contentVersion": "1.0.0.0", "parameters": { "bookmarkName": { - "value": "Expandbookmarko9kf32" + "value": "Expandbookmarkv0ifpq" }, "bookmarkId": { - "value": "2aadadc6-6e10-4a92-99df-4ac9c6ebdb6c" + "value": "b188b26a-9e43-4383-ad72-23e85170d0f8" }, "workspaceName": { - "value": "asptest1qlb2s" + "value": "asptest4yt0n3" }, "queryStartTime": { - "Value": "2022-07-28T06:00:00.000Z" + "Value": "2026-03-24T07:00:00.000Z" }, "queryEndTime": { - "Value": "2022-07-29T06:00:00.000Z" + "Value": "2026-03-25T07:00:00.000Z" } } } diff --git a/src/SecurityInsights/SecurityInsights.Autorest/test/deployment-templates/bookmarkRelation/template.parameters.json b/src/SecurityInsights/SecurityInsights.Autorest/test/deployment-templates/bookmarkRelation/template.parameters.json index a91d77f42ddf..d2ae9192eca0 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/test/deployment-templates/bookmarkRelation/template.parameters.json +++ b/src/SecurityInsights/SecurityInsights.Autorest/test/deployment-templates/bookmarkRelation/template.parameters.json @@ -3,28 +3,28 @@ "contentVersion": "1.0.0.0", "parameters": { "bookmarkRelationId": { - "value": "c36ddb20-11ec-4179-a995-51e6fcfd1e58" + "value": "b24e558b-b0fc-4f9f-9583-1d4853b0600e" }, "bookmarkRelationBookmarkId": { - "value": "04b58a5a-2a5e-47e2-9c22-3cd6229599ec" + "value": "dc4bf602-cf6f-46e9-b4b6-c43af689a81f" }, "bookmarkRelationBookmarkName": { - "value": "UpdateViaIdbookmarkRelationBookmarkNamelv8k2z" + "value": "UpdateViaIdbookmarkRelationBookmarkNamelhfak8" }, "queryStartTime": { - "value": "2022-07-28T06:00:00.000Z" + "value": "2026-03-24T07:00:00.000Z" }, "queryEndTime": { - "value": "2022-07-29T06:00:00.000Z" + "value": "2026-03-25T07:00:00.000Z" }, "bookmarkRelationIncidentId": { - "value": "75bd63a7-0ac6-4f43-8a15-18ff73172bb5" + "value": "e0a2f9cf-074f-41f7-9cf7-ee2f76903f3e" }, "bookmarkRelationIncidentName": { - "value": "UpdateViaIdbookmarkRelationIncidentNamejdsg8m" + "value": "UpdateViaIdbookmarkRelationIncidentNameft7j0l" }, "workspaceName": { - "Value": "asptest1qlb2s" + "Value": "asptest4yt0n3" } } } diff --git a/src/SecurityInsights/SecurityInsights.Autorest/test/deployment-templates/customData/alertRules.parameters.json b/src/SecurityInsights/SecurityInsights.Autorest/test/deployment-templates/customData/alertRules.parameters.json index 2da47836a376..2c87c9184be8 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/test/deployment-templates/customData/alertRules.parameters.json +++ b/src/SecurityInsights/SecurityInsights.Autorest/test/deployment-templates/customData/alertRules.parameters.json @@ -3,16 +3,16 @@ "contentVersion": "1.0.0.0", "parameters": { "solarigateRuleGuid": { - "value": "6692b8a1-d2bc-4cd6-b724-5dd2e4293ab3" + "value": "7d7980a7-4d27-42b8-afa5-e98396b43837" }, "disabledRuleGuid": { - "value": "5c8dc0ac-8808-40f3-a6b4-1401369a9e1e" + "value": "5fa8a509-b73d-4f80-a32c-c6ff8dbbfb07" }, "mlRuleGuid": { - "value": "75c9560c-ce08-4332-aa4a-0e675fc0b17c" + "value": "09115ed5-df21-42aa-92a5-d7b72d8b551b" }, "workspaceName": { - "value": "asptest1qlb2s" + "value": "asptest4yt0n3" } } } diff --git a/src/SecurityInsights/SecurityInsights.Autorest/test/deployment-templates/dataConnector/template.parameters.json b/src/SecurityInsights/SecurityInsights.Autorest/test/deployment-templates/dataConnector/template.parameters.json index d6b9ff853f74..2bcb46556e86 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/test/deployment-templates/dataConnector/template.parameters.json +++ b/src/SecurityInsights/SecurityInsights.Autorest/test/deployment-templates/dataConnector/template.parameters.json @@ -3,13 +3,13 @@ "contentVersion": "1.0.0.0", "parameters": { "dataConnectorId": { - "value": "8fee2c52-7010-4d95-a6ce-eb73f2921e20" + "value": "5ae4f003-4029-44eb-8f4b-d65e5280bc42" }, "updateDataConnectorId": { - "value": "0c45acce-4689-4024-8bfa-4ff3b300e29a" + "value": "c15cc46e-fc34-4679-81b3-d470a679a840" }, "workspaceName": { - "value": "asptest1qlb2s" + "value": "asptest4yt0n3" } } } diff --git a/src/SecurityInsights/SecurityInsights.Autorest/test/deployment-templates/entityQuery/template.parameters.json b/src/SecurityInsights/SecurityInsights.Autorest/test/deployment-templates/entityQuery/template.parameters.json index 121f6a6414ce..d98f7d4c4ebb 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/test/deployment-templates/entityQuery/template.parameters.json +++ b/src/SecurityInsights/SecurityInsights.Autorest/test/deployment-templates/entityQuery/template.parameters.json @@ -3,10 +3,10 @@ "contentVersion": "1.0.0.0", "parameters": { "entityQueryActivityId": { - "value": "9934ce9e-b735-43ca-885c-729dc54cb4d1" + "value": "87245084-8d74-48a2-a084-2816dbaf541e" }, "workspaceName": { - "value": "asptest1qlb2s" + "value": "asptest4yt0n3" } } } diff --git a/src/SecurityInsights/SecurityInsights.Autorest/test/deployment-templates/incident/template.parameters.json b/src/SecurityInsights/SecurityInsights.Autorest/test/deployment-templates/incident/template.parameters.json index 510a847a2421..6b9f3d30e5fd 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/test/deployment-templates/incident/template.parameters.json +++ b/src/SecurityInsights/SecurityInsights.Autorest/test/deployment-templates/incident/template.parameters.json @@ -3,10 +3,10 @@ "contentVersion": "1.0.0.0", "parameters": { "incidentId": { - "value": "25b19fe9-0ff9-4267-8faa-ac26e7c7c6ae" + "value": "2846cf2f-82ea-43f6-84bd-efb4d3a9d16c" }, "workspaceName": { - "value": "asptest1qlb2s" + "value": "asptest4yt0n3" } } } diff --git a/src/SecurityInsights/SecurityInsights.Autorest/test/deployment-templates/incidentComment/template.parameters.json b/src/SecurityInsights/SecurityInsights.Autorest/test/deployment-templates/incidentComment/template.parameters.json index 0e1e508401b3..02585ff36d5b 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/test/deployment-templates/incidentComment/template.parameters.json +++ b/src/SecurityInsights/SecurityInsights.Autorest/test/deployment-templates/incidentComment/template.parameters.json @@ -3,16 +3,16 @@ "contentVersion": "1.0.0.0", "parameters": { "incidentCommentIncidentId": { - "value": "7141874b-1f5d-4bf7-9e25-bb748ff70946" + "value": "869cd3bd-6eb7-4b9b-9afb-6e96d1e7c02b" }, "incidentCommentId": { - "value": "c6f306f8-0304-4f4d-8176-59df16a692fa" + "value": "2da4a7ec-4d79-48a4-a395-19d7977a5fd9" }, "incidentCommentName": { - "value": "UpdateViaIdincidentCommentvuackw" + "value": "UpdateViaIdincidentCommentpqwe28" }, "workspaceName": { - "value": "asptest1qlb2s" + "value": "asptest4yt0n3" } } } diff --git a/src/SecurityInsights/SecurityInsights.Autorest/test/deployment-templates/incidentRelation/template.parameters.json b/src/SecurityInsights/SecurityInsights.Autorest/test/deployment-templates/incidentRelation/template.parameters.json index 30b8eb13ba5b..b50d0a05a1c2 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/test/deployment-templates/incidentRelation/template.parameters.json +++ b/src/SecurityInsights/SecurityInsights.Autorest/test/deployment-templates/incidentRelation/template.parameters.json @@ -3,28 +3,28 @@ "contentVersion": "1.0.0.0", "parameters": { "incidentRelationBookmarkId": { - "value": "90ad9f1f-1d2d-4360-b617-cf345b5c4f58" + "value": "a55092cc-24ce-41d4-a016-60c3e5797351" }, "incidentRelationBookmarkName": { - "value": "UpdateViaIdincidentRelationBookmarkName0wac48" + "value": "UpdateViaIdincidentRelationBookmarkName10mhan" }, "queryStartTime": { - "value": "2022-07-28T06:00:00.000Z" + "value": "2026-03-24T07:00:00.000Z" }, "queryEndTime": { - "value": "2022-07-29T06:00:00.000Z" + "value": "2026-03-25T07:00:00.000Z" }, "incidentRelationIncidentId": { - "value": "854d68b0-7cef-4c43-a0f3-03df09f60906" + "value": "325fdf3f-6dc0-47d2-87b7-cd3a7342672c" }, "incidentRelationIncidentName": { - "value": "UpdateViaIdincidentRelationIncidentName17euac" + "value": "UpdateViaIdincidentRelationIncidentName4phdfw" }, "incidentRelationId": { - "value": "da90eff1-20a8-49a2-8392-57e18de4707a" + "value": "9bbb3889-b1ec-4a18-99b0-abface90c56d" }, "workspaceName": { - "value": "asptest1qlb2s" + "value": "asptest4yt0n3" } } } diff --git a/src/SecurityInsights/SecurityInsights.Autorest/test/deployment-templates/metadata/template.parameters.json b/src/SecurityInsights/SecurityInsights.Autorest/test/deployment-templates/metadata/template.parameters.json index f59f9760eb74..2ae315905bac 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/test/deployment-templates/metadata/template.parameters.json +++ b/src/SecurityInsights/SecurityInsights.Autorest/test/deployment-templates/metadata/template.parameters.json @@ -3,7 +3,7 @@ "contentVersion": "1.0.0.0", "parameters": { "workspace": { - "value": "asptest1qlb2s" + "value": "asptest4yt0n3" } } } diff --git a/src/SecurityInsights/SecurityInsights.Autorest/test/deployment-templates/threatIntelligenceIndicator/template.parameters.json b/src/SecurityInsights/SecurityInsights.Autorest/test/deployment-templates/threatIntelligenceIndicator/template.parameters.json index 4a0bd7273e4d..cc3e3274bb8b 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/test/deployment-templates/threatIntelligenceIndicator/template.parameters.json +++ b/src/SecurityInsights/SecurityInsights.Autorest/test/deployment-templates/threatIntelligenceIndicator/template.parameters.json @@ -3,19 +3,19 @@ "contentVersion": "1.0.0.0", "parameters": { "threatIntelligenceIndicatorId": { - "value": "c2153ac2-59e4-4168-a057-e09858b1ae6b" + "value": "e0119be3-84f3-4c0a-a7de-cd0a47d2dada" }, "threatIntelligenceIndicatorName": { - "value": "UpdateViaIdthreatIntelligenceIndicatorftrdne" + "value": "UpdateViaIdthreatIntelligenceIndicatorgchleb" }, "threatIntelligenceIndicatorDate": { - "value": "Fri, 29 Jul 2022 06:00:00 GMT" + "value": "Wed, 25 Mar 2026 07:00:00 GMT" }, "ip": { "value": "8.8.8.5" }, "workspaceName": { - "value": "asptest1qlb2s" + "value": "asptest4yt0n3" } } } diff --git a/src/SecurityInsights/SecurityInsights.Autorest/test/deployment-templates/workspace/template.parameters.json b/src/SecurityInsights/SecurityInsights.Autorest/test/deployment-templates/workspace/template.parameters.json index a36199c4530d..5f542369ae34 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/test/deployment-templates/workspace/template.parameters.json +++ b/src/SecurityInsights/SecurityInsights.Autorest/test/deployment-templates/workspace/template.parameters.json @@ -3,13 +3,13 @@ "contentVersion": "1.0.0.0", "parameters": { "workspaceName": { - "value": "asptest1qlb2s" + "value": "asptest4yt0n3" }, "newOnboardingStateWS": { - "value": "asptest5jhi0p" + "value": "asptestt7nl0i" }, "removeOnboardingStateWS": { - "value": "asptesty1avre" + "value": "asptestu3tk19" } } } diff --git a/src/SecurityInsights/SecurityInsights.Autorest/test/env.json b/src/SecurityInsights/SecurityInsights.Autorest/test/env.json index efa1be3ca5b5..015eb3c56be5 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/test/env.json +++ b/src/SecurityInsights/SecurityInsights.Autorest/test/env.json @@ -1,226 +1,225 @@ { - "GetBookmarkRelationId": "01c3e510-2a6e-4d12-8289-7e039cd8af1e", - "UpdateAlertRuleId": "e96e7960-a8a9-47a9-91f1-4207f5f82d88", - "GetAutomationRuleId": "83662309-d398-4ec5-b6e7-d70c75bb78ac", - "SubscriptionId": "51a36d38-3b14-471f-8dde-a5867f5e51eb", - "RemoveViaIdalertRuleActionRuleId": "e5a90aef-2e88-486c-a745-66f415230a61", - "UpdateViaIdincidentRelationBookmarkName": "UpdateViaIdincidentRelationBookmarkName635lxu", - "UpdateBookmarkRelationName": "UpdatebookmarkRelationkd4b3g", - "UpdateViaIdincidentRelationIncidentName": "UpdateViaIdincidentRelationIncidentNames9xv50", - "UpdatealertRuleActionRuleId": "f04b319e-dc64-427b-8640-eef21b6fb5cd", - "RemoveViaIdincidentId": "fdc66a29-9153-4079-894f-9d92f19fb0d9", - "UpdateViaIdBookmarkRelationId": "5c7863c4-3fba-4c60-87f0-88e5c33a5df8", - "NewBookmarkRelationId": "f26c73a8-917d-4364-842e-8de0d3e9153b", - "NewDataConnectorId": "5fcca10d-4c38-42a7-b811-a33d367ef23f", - "NewincidentRelationName": "NewincidentRelationNamedwfay2", - "UpdateViaIdincidentRelationBookmarkName2": "NewincidentRelationBookmarkNameszf359", - "Playbook2LogicAppResourceId": "/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.Logic/workflows/Block-AADUser-Incident", - "RemoveentityQueryActivityName": "RemoveentityQueryActivitye79b50", - "GetBookmarkRelationIncidentId": "7feca4d4-3414-403b-96ad-4cb1d105fec2", - "RemoveincidentId": "3c0d63a6-5274-4c2c-82fa-d209415ca9bf", - "UpdateAlertRuleName": "UpdateAlertRulejkg1z9", - "UpdateincidentRelationIncidentId": "20c587be-2ccb-4fd4-aea6-cce3754722dd", - "NewalertRuleActionRuleId": "257e1543-c5bf-47a0-a346-35a29c8a0d71", - "NewincidentCommentIncidentName": "NewincidentCommentIncident0xng1h", - "location": "Central US", - "RemoveincidentCommentName": "RemoveincidentCommenteny0g2", - "solarigateRuleGuid": "05cd1abd-2426-4d7e-be8a-cda489ed9cce", - "RemoveViaIdBookmarkRelationId": "c77c1bd8-ffc8-4467-a549-e9114f8913d8", - "RemoveViaIdBookmarkRelationIncidentId": "62ce8785-21b2-4262-be4d-5208b35d255a", - "RemoveincidentRelationBookmarkName": "RemoveincidentRelationBookmarkNamea597s0", - "NewincidentCommentId": "e0d62b0f-55ba-423c-bd1c-13d72489e2c6", - "RemoveAlertRuleActionId": "91ce8ce7-c028-4a76-8271-ae20f477ed35", - "UpdateViaIdAlertRuleName": "UpdateViaIdAlertRuler0cz6k", - "UpdateincidentRelationBookmarkName": "UpdateincidentRelationBookmarkName9ayfhe", - "RemoveViaIdalertRuleActionRuleName": "RemoveViaIdalertRuleActionRuleNametq71f5", - "RemoveViaIdbookmarkRelationIncidentName": "RemoveViaIdbookmarkRelationIncidentName5g6qnd", - "RemoveBookmarkRelationId": "ef983c5e-fe25-44b2-ad14-f37a30558d24", - "UpdateViaIdAlertRuleId": "658a3691-0950-4176-bc12-e3e4d4b52335", - "metadataName": "azuresentinel.azure-sentinel-solution-zerotrust", - "UpdateincidentRelationBookmarkId": "16d92023-404a-4ccb-8e88-9c0522e53419", - "RemoveViaIdincidentRelationId": "95c1d6e0-5c11-4329-b715-f24c959f7b04", - "RemoveDataConnectorIdInputObject": "e5723525-11fc-45ee-901a-09bef4dcf3df", - "GetthreatIntelligenceIndicatorIP": "8.8.8.1", - "RemoveViaIdAlertRuleName": "RemoveViaIdAlertRule81exqs", - "GetAlertRuleId": "cab7d557-3de0-4043-8dd4-b83629755ab8", - "GetincidentRelationIncidentId": "524da4fb-3888-4446-9e92-12183ac2eaab", - "RemoveincidentName": "Removeincidentaf1btc", - "RemoveBookmarkId": "08b39573-4a73-4ac3-a733-8cd78a538c72", - "GetincidentId": "3342699a-d07d-4c2d-964a-49e90b5c1e9f", - "UpdateViaIdalertRuleActionRuleId": "90b62f2e-9b96-4bfb-a82a-5ceed7cd487e", - "RemoveViaIdBookmarkName": "RemoveViaIdbookmark1daqtg", - "ASIServicePrinicpal": "24594c91-ddc1-4a89-8ef7-4ab3e6ffad84", - "Playbook4TriggerUrl": "https://prod-17.centralus.logic.azure.com:443/workflows/08a9eff4677d4ab08cdbd40f68db2e52/triggers/When_Azure_Sentinel_incident_creation_rule_was_triggered/paths/invoke?api-version=2016-06-01&sp=%2Ftriggers%2FWhen_Azure_Sentinel_incident_creation_rule_was_triggered%2Frun&sv=1.0&sig=ZmEH11IXcDNFDzEynC2-Z9EtxQNMUefDV00M52nJChk", - "UpdatethreatIntelligenceIndicatorIP": "8.8.8.4", - "RemovebookmarkRelationBookmarkName": "RemovebookmarkRelationBookmarkNamedz07r4", - "NewentityQueryActivityName": "NewentityQueryActivitydnieqc", - "RemoveViaIdincidentRelationBookmarkName": "RemoveViaIdincidentRelationBookmarkNamewtphg4", - "GetalertRuleActionRuleName": "GetalertRuleActionRuleName2iy1g6", - "GetbookmarkRelationBookmarkId": "a1dded2a-ff31-44d4-b554-c43992597473", - "NewbookmarkRelationBookmarkName": "NewbookmarkRelationBookmarkNameo9bngs", - "UpdateViaIdBookmarkRelationIncidentId2": "219862bd-299b-4e98-8dd1-149a26b76dfe", - "GetAutomationRule": "GetAutomationRulewp8nv3", - "GetBookmarkId": "52f3c78c-cfbe-42f8-bc38-b87fc8a1d9af", - "workspaceResourceId": "/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui", - "UpdateBookmarkRelationId": "17cbbab8-7829-4e80-8775-f71ebcd2ceea", - "UpdateViaIdbookmarkRelationBookmarkName": "UpdateViaIdbookmarkRelationBookmarkNameconrl0", - "RemoveBookmarkRelationName": "RemovebookmarkRelationm7dx6k", - "NewincidentCommentIncidentId": "8633863a-bc7c-40b0-9ad1-59f72db97042", - "NewincidentTeamIncidentId": "4354e208-22e9-4185-b549-2f958633bed6", - "NewincidentRelationId": "f4dd61ae-4c28-40ed-9e41-2285e59ec616", - "RemoveViaIdentityQueryActivityName": "RemoveViaIdentityQueryActivity6ox1fr", - "NewincidentTeamIncidentName": "NewincidentTeamIncidentName1pg5hu", - "RemoveViaIdbookmarkRelationBookmarkId": "72eeef12-d9c9-43e4-9f0c-8b117465ccb9", - "ExpandBookmarkId": "378719c3-1c49-43c4-b5c6-21b943f2139e", - "UpdateViaIdincidentId": "c259dc23-cd2e-4b7f-bd9d-286e7cae6366", - "RemoveViaIdincidentName": "RemoveViaIdincidentye6ar7", - "mlRuleGuid": "e1b7c244-83f3-4fbd-b2c9-d08eaa704a85", - "RemoveincidentRelationBookmarkId": "47097af5-9e05-4584-9e64-99622ff06010", - "UpdateincidentName": "Updateincidentmxdhrz", - "RemovebookmarkRelationBookmarkId": "b3693620-4305-45cb-97f3-a6894f82288e", - "GetalertRuleActionRuleId": "3f8b701e-a084-40d7-8f4b-a6b1482e8cc2", - "workspaceId": "97475cd1-3a32-4e3c-89c4-6087e71316ed", - "GetincidentRelationId": "d8e7ac2f-7b68-4110-a408-6dda491cd5d0", - "GetincidentName": "Getincidenth95l60", - "UpdatebookmarkRelationBookmarkId": "a6be05a8-9ad5-44c4-89c5-a9df845dca7e", - "RemoveAutomationRule": "RemoveAutomationRule57nxry", - "RemovebookmarkRelationIncidentName": "RemovebookmarkRelationIncidentNamebfrwvc", - "NewBookmarkName": "Newbookmarkq1l5sv", - "NewincidentRelationBookmarkName": "NewincidentRelationBookmarkNamefjwc8p", - "UpdateViaIdincidentRelationBookmarkId2": "71b34ee4-7c1a-4508-82a4-1d59250f7821", - "NewAlertRuleActionId": "9c045509-e461-450d-bf07-d550536d3d95", - "GetincidentCommentName": "GetincidentCommentcpthi1", - "RemovealertRuleActionRuleId": "7ebb90bb-a57a-42f6-8a23-a0393c176560", - "GetincidentCommentId": "fbb0c47c-a502-43d0-8a55-ee55a799bb1b", - "UpdatealertRuleActionRuleName": "UpdatealertRuleActionRuleNamehp3sur", - "UpdateViaIdBookmarkId": "f568e39a-6323-41ca-ac8e-d240ea7d80f6", - "RemoveViaIdincidentRelationName": "RemoveViaIdincidentRelationName4jcumi", - "GetentityQueryActivityName": "GetentityQueryActivitylu3sir", - "RemoveAutomationRuleId": "6e8b42ff-dab7-481f-b764-f853700cc536", - "NewAlertRuleName": "NewAlertRulel98w03", - "RemoveViaIdincidentCommentId": "e0931ced-55b8-4158-b9d7-16ba88c4936b", - "UpdateViaIdincidentCommentIncidentId": "b5e65719-0b65-4dd0-a4b0-da2bbad915a5", - "workspaceName": "asptest4wysui", - "NewincidentCommentName": "NewincidentCommentyo7r3v", - "NewalertRuleActionRuleName": "NewalertRuleActionRuleNamexmy37l", - "RemoveViaIdBookmarkRelationName": "RemoveViaIdbookmarkRelationruvd20", - "GetthreatIntelligenceIndicatorName": "GetthreatIntelligenceIndicatoro4mh0q", - "UpdateincidentId": "905e7dec-fd14-42df-9ed5-c4df09445158", - "disabledRuleGuid": "53274afe-2640-4c50-bd36-78c1c79f102c", - "RemoveDataConnectorId": "fee9b467-294d-476a-a02c-93f178b75533", - "GetincidentRelationName": "GetincidentRelationName8nzh36", - "UpdateViaIdbookmarkRelationIncidentName2": "NewbookmarkRelationIncidentName7zq8cv", - "UpdateBookmarkRelationIncidentId2": "260305a7-5d75-4eb9-bd1d-56d5bc54f96e", - "NewAutomationRule": "NewAutomationRuleaf2x1t", - "GetincidentRelationIncidentName": "GetincidentRelationIncidentName8sjnvu", - "NewbookmarkRelationBookmarkId": "d264025f-7598-40f3-8b21-a78f07d46056", - "GetincidentCommentIncidentId": "8b193352-f109-474f-84ce-3b3908d0e288", - "bookmarkExpansionId": "108e85be-884c-4957-9422-a91b04b9ae67", - "UpdateBookmarkName": "Updatebookmarkd4t6g3", - "UpdateentityQueryActivityId": "105c6ccb-e733-4602-ad28-20c44e2cf4ae", - "GetentityQueryActivityId": "5f4b614d-f1e7-46f5-a0f4-41e428c2237e", - "GetAlertRuleName": "GetAlertRulem37adr", - "UpdateAutomationRuleId": "904a62c7-a082-4674-a749-8dfae3498a35", - "RemoveViaIdthreatIntelligenceIndicatorName": "RemoveViaIdthreatIntelligenceIndicatorty5w74", - "NewBookmarkRelationIncidentId": "b9e4ef3a-221a-49dc-98d8-9bdf1faf8a4f", - "Playbook3LogicAppResourceId": "/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.Logic/workflows/Confirm-AADRiskyUser-Alert", - "UpdateincidentCommentName": "UpdateincidentCommentgi1a7c", - "RemoveViaIdincidentCommentName": "RemoveViaIdincidentCommentjd165a", - "updateDataConnectorId": "6d021fce-8f39-437c-9fb4-fc0a3794402d", - "UpdateincidentCommentIncidentId": "71e8df01-919c-45c1-b526-bc145e411eee", - "UpdatebookmarkRelationIncidentName2": "NewbookmarkRelationIncidentNamekefcy9", - "NewincidentId": "3eb00428-aed8-405a-a24b-b665c65173a1", - "RemoveBookmarkRelationIncidentId": "fba327a0-b301-4d1c-918c-23aec8e03323", - "UpdateViaIdAutomationRule": "UpdateViaIdAutomationRulef8mk3y", + "UpdateViaIdbookmarkRelationIncidentName2": "NewbookmarkRelationIncidentNameaweqpf", + "RemoveViaIdincidentCommentId": "49e3a038-5941-417d-954e-01eb28ac04b2", + "GetincidentCommentName": "GetincidentComment0spgja", + "UpdateincidentRelationBookmarkName": "UpdateincidentRelationBookmarkName13j7ac", + "UpdateAlertRuleName": "UpdateAlertRulehfjtyo", + "solarigateRuleGuid": "7d7980a7-4d27-42b8-afa5-e98396b43837", "UpdateViaIdthreatIntelligenceIndicatorIP": "8.8.8.5", - "UpdateViaIdincidentRelationName": "UpdateViaIdincidentRelationNamevahgl8", - "RemoveViaIdentityQueryActivityId": "a165eb76-24f9-47f4-92b2-1238aa5e4248", - "RemoveViaIdthreatIntelligenceIndicatorIP": "8.8.8.3", - "UpdatebookmarkRelationBookmarkName": "UpdatebookmarkRelationBookmarkNamedven41", - "RemoveViaIdthreatIntelligenceIndicatorId": "8bc7c1a2-ceb7-dea2-025b-a90dc873bf63", - "UpdateAlertRuleActionId": "39fd7829-116a-4fa3-8ec5-71501bc5ae11", - "NewAlertRuleId": "12d8cb29-d001-4576-a336-77050c60a1f3", - "UpdateentityQueryActivityName": "UpdateentityQueryActivityasx17y", - "RemoveViaIdBookmarkId": "373872c1-6eda-475c-a5ec-f0bfbd39fdf6", - "UpdateincidentRelationName": "UpdateincidentRelationNamed809fp", - "NewincidentRelationBookmarkId": "bba93c64-4a68-46b3-8015-f129ad1597cf", - "UpdateViaIdAlertRuleActionId": "8f59d838-afdc-4ade-be00-58abc1f3a27f", - "NewincidentRelationIncidentName": "NewincidentRelationIncidentName9m3qew", - "NewbookmarkRelationIncidentName": "NewbookmarkRelationIncidentName49uk0b", - "RemovethreatIntelligenceIndicatorName": "RemovethreatIntelligenceIndicatorzeqho5", - "GetAlertRuleActionId": "0ad3cc1a-0d2e-44cc-854a-f5fa08f86098", - "GetbookmarkRelationBookmarkName": "GetbookmarkRelationBookmarkNamex1qm5r", - "RemoveViaIdAlertRuleId": "b5daebea-1da1-45a1-abb5-94ad8c8da5cb", - "RemoveAlertRuleId": "90872ee6-8ed3-48b8-8e93-2bcb1aa6825d", - "GetBookmarkName": "Getbookmarkzl3she", - "UpdateViaIdincidentName": "UpdateViaIdincidentt6c37h", - "Playbook2TriggerUrl": "https://prod-24.centralus.logic.azure.com:443/workflows/cfea3db4d45a4962b87a8b9c3a8421e9/triggers/When_Azure_Sentinel_incident_creation_rule_was_triggered/paths/invoke?api-version=2016-06-01&sp=%2Ftriggers%2FWhen_Azure_Sentinel_incident_creation_rule_was_triggered%2Frun&sv=1.0&sig=QdzCxjenPF3s0HhC-EV6p-qpjLj_o0orZrj22vnCquc", - "UpdateincidentRelationIncidentName": "UpdateincidentRelationIncidentNamegz4803", - "RemoveentityQueryActivityId": "803b23e8-9f87-4597-bc9c-d537930dea57", - "UpdateincidentRelationBookmarkName2": "NewincidentRelationBookmarkNames06o1l", - "RemoveincidentRelationIncidentId": "bd3104a8-2b2d-4934-bef4-5fc4c04ef055", - "UpdateViaIdbookmarkRelationBookmarkId": "327d3f42-a5d6-4bc8-99bc-93cf7b2942c7", - "UpdateViaIdthreatIntelligenceIndicatorName": "UpdateViaIdthreatIntelligenceIndicatortefl3d", - "Tenant": "d6eebbdd-d77c-465e-b008-4339027b4006", - "RemoveAlertRuleName": "RemoveAlertRule1qafoy", - "removeOnboardingStateWS": "asptesthqat05", - "GetBookmarkRelationName": "GetbookmarkRelation7859zd", - "newOnboardingStateWS": "asptest15inly", - "UpdateincidentCommentId": "7d4f4a64-ca42-4ab7-8385-f9c2b4d63434", + "RemoveViaIdBookmarkRelationName": "RemoveViaIdbookmarkRelation2uanv0", + "GetthreatIntelligenceIndicatorIP": "8.8.8.1", + "RemoveViaIdBookmarkId": "095360de-bcfe-42e7-ac78-a7a259dabb97", + "Playbook2TriggerUrl": "https://prod-17.centralus.logic.azure.com:443/workflows/6b89638557064ed4a2da93b74b6c3962/triggers/When_Azure_Sentinel_incident_creation_rule_was_triggered/paths/invoke?api-version=2016-06-01&sp=%2Ftriggers%2FWhen_Azure_Sentinel_incident_creation_rule_was_triggered%2Frun&sv=1.0&sig=d2nSzKEulvmd1M2l7qT0np54dP2w64eoF3Gny2lMUKE", + "GetBookmarkName": "Getbookmarkpdoyf6", + "RemoveViaIdBookmarkRelationId": "e87a0449-54e0-4807-bbfd-780bfbe4e471", + "newOnboardingStateWS": "asptestt7nl0i", + "GetAutomationRuleId": "d8a6f299-eab8-4ef3-ae91-e1c18cb4f997", + "UpdateViaIdBookmarkRelationId": "b24e558b-b0fc-4f9f-9583-1d4853b0600e", + "RemoveincidentName": "Removeincidentsov4b3", + "RemoveViaIdincidentRelationId": "35c38929-6ba9-4b43-a927-697e4b15978b", + "UpdatealertRuleActionRuleId": "0a7c15c8-9257-4a34-9097-b53e070bf76d", + "UpdateBookmarkRelationIncidentId": "53f5c7e4-34eb-4e33-9c57-9445ffc4cd6a", + "UpdateViaIdincidentName": "UpdateViaIdincident6mb13v", + "GetAlertRuleActionId": "a05bb49a-a48a-4284-ae4b-62f2618b2c89", + "RemoveViaIdincidentRelationName": "RemoveViaIdincidentRelationName2h5n0w", + "Playbook1LogicAppResourceId": "/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.Logic/workflows/Block-AADUser-Alert", + "UpdateincidentRelationId": "6695e672-3f17-446a-a3ea-f7625b45f1bd", + "UpdateViaIdincidentRelationBookmarkId2": "4097ffee-c680-4d8a-b769-e32e0c6f6580", + "RemoveAlertRuleId": "f731873a-1985-4ead-8b08-66136867f476", + "NewincidentCommentName": "NewincidentCommentsob43m", + "UpdateViaIdincidentRelationBookmarkName": "UpdateViaIdincidentRelationBookmarkName10mhan", + "GetincidentRelationBookmarkId": "fd69298f-7839-41cf-85aa-4a0a182790c4", + "UpdateViaIdincidentRelationBookmarkName2": "NewincidentRelationBookmarkNamewqdjeb", + "Tenant": "72f988bf-86f1-41af-91ab-2d7cd011db47", + "UpdateViaIdincidentCommentId": "2da4a7ec-4d79-48a4-a395-19d7977a5fd9", + "RemoveAlertRuleName": "RemoveAlertRuleziu23f", + "RemoveincidentRelationName": "RemoveincidentRelationNamea5hw6u", + "NewincidentRelationId": "da8feb99-eb8e-4920-aaa3-65499e29d020", + "RemoveincidentRelationId": "3a03c37e-24a2-4bb8-b680-8b51b0462387", + "UpdateincidentCommentName": "UpdateincidentCommentnxou8t", + "NewAlertRuleActionId": "2acd3d9d-f30c-4b07-88af-821fa8edbad4", + "GetbookmarkRelationBookmarkName": "GetbookmarkRelationBookmarkName14vcdt", + "NewAlertRuleName": "NewAlertRule38x7ic", + "UpdateincidentRelationIncidentName": "UpdateincidentRelationIncidentNamepxyd1a", + "UpdateincidentCommentId": "913a14cc-cdea-47c1-b706-550befa5853d", + "UpdatebookmarkRelationBookmarkName": "UpdatebookmarkRelationBookmarkNamezbxyi8", + "NewBookmarkRelationId": "f47459d1-5c8a-4810-b394-9f24596dbfe8", + "UpdateincidentRelationBookmarkId": "192e1c76-76b2-4c5b-b177-ae3989058ff5", "GetthreatIntelligenceIndicatorId": "bd45b979-3f35-b698-a82a-23f3058f60bc", - "RemovealertRuleActionRuleName": "RemovealertRuleActionRuleName1ui932", - "GetincidentRelationBookmarkId": "40c54fdc-490c-4164-901e-b95ca08e0a88", - "RemoveViaIdbookmarkRelationBookmarkName": "RemoveViaIdbookmarkRelationBookmarkNamewn153e", - "RemoveViaIdincidentRelationBookmarkId": "8b4c7333-a754-463f-abd4-0b5b023fb24c", - "UpdateViaIdentityQueryActivityId": "023cc70e-538f-416e-af6e-ec0833b69894", - "RemoveincidentCommentIncidentId": "1f6bbf1d-7f2d-4435-84f7-2be61d9e090d", - "NewBookmarkRelationName": "NewbookmarkRelation03ptng", - "UpdateViaIdAutomationRuleId": "409ddeff-88f2-48de-8459-d9170cd1530b", - "UpdateBookmarkId": "4a1c3550-81e9-42ae-8302-a2234a8d3168", - "UpdateViaIdincidentRelationBookmarkId": "00406d21-02f5-485c-a859-19a592ab3f1b", + "Playbook2LogicAppResourceId": "/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.Logic/workflows/Block-AADUser-Incident", + "UpdateViaIdincidentRelationIncidentName": "UpdateViaIdincidentRelationIncidentName4phdfw", + "RemoveViaIdBookmarkName": "RemoveViaIdbookmarkn8d5yt", + "UpdateViaIdbookmarkRelationBookmarkId": "dc4bf602-cf6f-46e9-b4b6-c43af689a81f", + "UpdateAutomationRuleId": "f7430574-25fa-4e8f-81ba-eb37a11f70db", + "UpdateViaIdAutomationRuleId": "ce6a522b-7974-42a1-8c0d-598efe68d70f", + "NewincidentCommentIncidentName": "NewincidentCommentIncidentlj0gu1", + "GetAlertRuleName": "GetAlertRule9af76e", + "Playbook1TriggerUrl": "https://prod-18.centralus.logic.azure.com:443/workflows/fdce5d8d4e914b7b99bd10b290075cc2/triggers/When_a_response_to_an_Azure_Sentinel_alert_is_triggered/paths/invoke?api-version=2016-06-01&sp=%2Ftriggers%2FWhen_a_response_to_an_Azure_Sentinel_alert_is_triggered%2Frun&sv=1.0&sig=OV1Z3sQTFbx35g3KA-kqWwdvdY2DLKcq1wcLPj5VjRU", + "GetentityQueryActivityId": "0893dbbc-9df7-4f10-bcff-01694c52ecb7", + "UpdateViaIdincidentCommentName": "UpdateViaIdincidentCommentpqwe28", + "NewincidentTeamIncidentId": "e4719943-91c5-45c6-a8c1-8dc6698191a6", + "NewalertRuleActionRuleId": "b8a12f56-c73c-4650-a18f-76c331764148", + "NewincidentRelationIncidentName": "NewincidentRelationIncidentNamei7l8jk", + "disabledRuleGuid": "5fa8a509-b73d-4f80-a32c-c6ff8dbbfb07", + "NewAlertRuleId": "d65a3750-5f16-4b60-a0c2-ca1ee7a40899", + "UpdatebookmarkRelationIncidentName2": "NewbookmarkRelationIncidentNamemf3e9o", + "NewentityQueryActivityId": "5f3d0db2-ddba-432a-9dc4-9ac9d078d9f9", + "RemoveentityQueryActivityName": "RemoveentityQueryActivityp903zj", + "UpdateViaIdthreatIntelligenceIndicatorName": "UpdateViaIdthreatIntelligenceIndicatorgchleb", + "RemoveBookmarkRelationName": "RemovebookmarkRelationvhq3lr", + "UpdateViaIdbookmarkRelationBookmarkName": "UpdateViaIdbookmarkRelationBookmarkNamelhfak8", + "RemoveViaIdentityQueryActivityName": "RemoveViaIdentityQueryActivityv6t1f2", + "Playbook4TriggerUrl": "https://prod-10.centralus.logic.azure.com:443/workflows/cfe66b404a2048b88bd594bede9dd3f0/triggers/When_Azure_Sentinel_incident_creation_rule_was_triggered/paths/invoke?api-version=2016-06-01&sp=%2Ftriggers%2FWhen_Azure_Sentinel_incident_creation_rule_was_triggered%2Frun&sv=1.0&sig=kOsBabp-m2P9np4NqCyLcnuX-OzemCZwC1T4OpwxvTA", + "UpdateViaIdBookmarkId": "9d088d39-1dd3-4a55-99d7-48d28a98573c", + "UpdateViaIdBookmarkRelationName": "UpdateViaIdbookmarkRelationpsk6xw", + "RemovethreatIntelligenceIndicatorId": "aba922f2-cd9e-75df-4232-a8d47c94bc03", + "GetincidentRelationIncidentName": "GetincidentRelationIncidentNamesywphe", + "RemoveViaIdincidentRelationIncidentName": "RemoveViaIdincidentRelationIncidentNametqy1nd", + "UpdateViaIdBookmarkRelationIncidentId": "e0a2f9cf-074f-41f7-9cf7-ee2f76903f3e", + "GetincidentCommentIncidentId": "5009cfac-c645-4f19-8828-f8bef6650f21", + "NewincidentName": "Newincidentpgsxh2", + "RemoveViaIdthreatIntelligenceIndicatorIP": "8.8.8.3", + "NewBookmarkRelationName": "NewbookmarkRelationcfjy1d", + "SubscriptionId": "419581d6-4853-49bd-83b6-d94bb8a77887", + "GetincidentName": "Getincidenthpn4qg", "UpdateViaIdthreatIntelligenceIndicatorId": "4b4270c1-7b75-b9ba-58c7-b8420b7e6291", - "Playbook4LogicAppResourceId": "/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.Logic/workflows/Confirm-AADRiskyUser-Incident", - "Playbook3TriggerUrl": "https://prod-22.centralus.logic.azure.com:443/workflows/86d6ec0418794b35bb3b014e5448e0b6/triggers/When_a_response_to_an_Azure_Sentinel_alert_is_triggered/paths/invoke?api-version=2016-06-01&sp=%2Ftriggers%2FWhen_a_response_to_an_Azure_Sentinel_alert_is_triggered%2Frun&sv=1.0&sig=fuFAHW0RWBesCKbfQlyAgswWDldw5fwJuUpzpVLjUQw", + "UpdateincidentCommentIncidentId": "9d4e3d1a-e085-4ffc-a5b0-3609e308432d", + "NewincidentId": "00e9d3c0-f5d7-4ad1-95cc-a0c481ce6e17", + "RemoveViaIdbookmarkRelationBookmarkId": "f91b4caf-6e2f-4ba2-bf8d-c8fbde102350", + "NewincidentCommentId": "04881f12-f42e-4359-a1ae-b8f409c0777f", + "RemoveBookmarkRelationId": "2d1c854b-c1d2-4fd0-ba28-e35aaecc924d", + "UpdateViaIdBookmarkName": "UpdateViaIdbookmark9x6s8w", + "UpdateViaIdalertRuleActionRuleId": "c259c27b-4474-427f-8734-a99bee6d5d06", + "RemoveincidentId": "297ebb03-dbd5-45af-855f-ac7a514bd3d2", + "ExpandBookmarkId": "b188b26a-9e43-4383-ad72-23e85170d0f8", + "RemovealertRuleActionRuleId": "fbfa413f-423f-4546-9399-6bb4b234b07b", + "RemovebookmarkRelationIncidentName": "RemovebookmarkRelationIncidentNamejmkt5r", + "NewAutomationRuleId": "efd77672-4626-48fa-8d7b-b0e260443740", + "GetincidentCommentId": "9849e0b9-b7bf-4d56-9403-2993114e46b9", + "mlRuleGuid": "09115ed5-df21-42aa-92a5-d7b72d8b551b", + "GetthreatIntelligenceIndicatorName": "GetthreatIntelligenceIndicator415vxn", + "RemovealertRuleActionRuleName": "RemovealertRuleActionRuleNamer1pwq2", + "UpdateViaIdincidentRelationName": "UpdateViaIdincidentRelationName5nubxs", + "UpdatethreatIntelligenceIndicatorName": "UpdatethreatIntelligenceIndicatoru2047t", + "UpdateViaIdentityQueryActivityId": "87245084-8d74-48a2-a084-2816dbaf541e", + "UpdateViaIdBookmarkRelationIncidentId2": "b910c776-2b42-453f-8180-fc7494264127", + "UpdateViaIdincidentId": "2846cf2f-82ea-43f6-84bd-efb4d3a9d16c", + "RemoveViaIdincidentCommentIncidentId": "0010a620-61dc-4183-8b70-70548c9a4fa4", + "RemoveViaIdbookmarkRelationIncidentName": "RemoveViaIdbookmarkRelationIncidentName3bjron", + "UpdateViaIdincidentRelationId": "9bbb3889-b1ec-4a18-99b0-abface90c56d", + "bookmarkExpansionId": "29198bc7-f3dd-4513-a168-7586949dcf46", + "GetAlertRuleId": "b02e5d36-1e05-445a-a542-a588eb9c88b2", + "UpdateincidentRelationBookmarkName2": "NewincidentRelationBookmarkNamei6d4wr", + "GetBookmarkRelationIncidentId": "72b20fd5-9297-487f-b5c0-16d443ae9bc9", + "Playbook3LogicAppResourceId": "/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.Logic/workflows/Confirm-AADRiskyUser-Alert", + "NewentityQueryActivityName": "NewentityQueryActivitystvugk", + "UpdateViaIdincidentRelationIncidentId": "325fdf3f-6dc0-47d2-87b7-cd3a7342672c", + "RemoveincidentCommentIncidentId": "c674c57d-29aa-47de-a24b-79836e85dcd4", + "RemoveBookmarkRelationIncidentId": "fcdbdca2-668e-499f-8911-a98624615adf", + "RemoveentityQueryActivityId": "651de9eb-a83c-4b2d-ab3b-27e8f8d3080e", "RemovethreatIntelligenceIndicatorIP": "8.8.8.2", - "UpdateViaIdincidentCommentName": "UpdateViaIdincidentCommentjf7t0g", - "NewincidentRelationIncidentId": "a56f41af-0d66-44c8-90bc-c8b8e8116984", - "NewincidentName": "Newincidentx3os45", - "RemoveincidentCommentId": "6a5e3b8c-f0f5-4bb7-8685-87961a8a21fe", - "NewAutomationRuleId": "a46bcfa9-0dd0-4856-8b10-10ec6bb12920", - "NewBookmarkId": "fa86b82d-4392-4288-846a-5d886fb4edce", - "RemoveViaIdincidentCommentIncidentId": "ac97c565-75c1-40ab-a8e1-334c04dda7d0", - "UpdateViaIdBookmarkName": "UpdateViaIdbookmarkepkaci", - "UpdatebookmarkRelationIncidentName": "UpdatebookmarkRelationIncidentNamedejagn", - "RemoveincidentRelationId": "f05d7fb2-c166-4ecb-aa6b-b97479976971", - "UpdateViaIdbookmarkRelationIncidentName": "UpdateViaIdbookmarkRelationIncidentNamel2rnui", - "RemoveViaIdAutomationRule": "RemoveViaIdAutomationRule7s6m8t", - "NewentityQueryActivityId": "0e70df5c-6ced-4480-b336-bc8491f9cd33", - "UpdateincidentRelationId": "f56dcb87-d5c9-4996-9916-6502828a3ae2", - "RemovethreatIntelligenceIndicatorId": "aba922f2-cd9e-75df-4232-a8d47c94bc03", - "RemoveincidentRelationName": "RemoveincidentRelationNamebvk5qy", - "resourceGroupName": "aspstest7ptmcr", - "RemoveBookmarkName": "Removebookmark2tw3fg", - "UpdateViaIdincidentRelationIncidentId": "e6be0e56-c636-4b4b-9793-6f3c0f345a46", - "UpdateViaIdincidentRelationId": "903fe51d-b375-49c3-bf17-02b25fab1aa4", - "UpdateViaIdBookmarkRelationName": "UpdateViaIdbookmarkRelation9wj152", - "GetincidentRelationBookmarkName": "GetincidentRelationBookmarkNameu4dakt", - "GetbookmarkRelationIncidentName": "GetbookmarkRelationIncidentName75xtbo", - "RemoveViaIdincidentRelationIncidentId": "b2ae0920-7287-4d85-a609-bf6c7e651630", - "ExpandBookmarkName": "Expandbookmarkvclw27", - "UpdatethreatIntelligenceIndicatorName": "UpdatethreatIntelligenceIndicator6zjacg", - "Playbook1LogicAppResourceId": "/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.Logic/workflows/Block-AADUser-Alert", - "UpdateViaIdincidentCommentId": "9be40f82-9aea-4748-93e9-3899fd858d5c", - "UpdateBookmarkRelationIncidentId": "6f90c814-29fb-4d2d-8188-360a8df4a559", - "RemoveViaIdAlertRuleActionId": "5945e422-0352-4aba-9fe7-fbf7567e44c2", - "dataConnectorId": "ef0ed2f1-dd75-4d02-afef-5fc84ded8e03", - "UpdateViaIdalertRuleActionRuleName": "UpdateViaIdalertRuleActionRuleNameyb5ilx", + "Playbook4LogicAppResourceId": "/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.Logic/workflows/Confirm-AADRiskyUser-Incident", + "UpdatebookmarkRelationIncidentName": "UpdatebookmarkRelationIncidentNameldmxhn", + "UpdatealertRuleActionRuleName": "UpdatealertRuleActionRuleNamecwvk1g", + "NewincidentCommentIncidentId": "ed30052a-d1e4-4394-9251-3682ea30827c", + "GetincidentRelationBookmarkName": "GetincidentRelationBookmarkNamen4atph", + "GetbookmarkRelationIncidentName": "GetbookmarkRelationIncidentNamektmguy", + "RemoveViaIdAutomationRuleId": "ac54957e-9b2d-40fa-89aa-ccb79edb3289", + "RemoveViaIdincidentRelationBookmarkId": "51635f0a-9319-4e6a-b3d9-45bcdfee1f69", + "resourceGroupName": "aspstest4pr7te", + "RemoveincidentCommentId": "687b5f06-6785-4f7b-b676-e057c4633d74", + "RemoveViaIdalertRuleActionRuleName": "RemoveViaIdalertRuleActionRuleName7jasw6", + "NewAutomationRule": "NewAutomationRulehtax8v", + "RemoveBookmarkId": "71ea1e76-7804-472e-90e6-fee48afe4b2e", + "RemoveViaIdBookmarkRelationIncidentId": "21818327-2522-4bca-a761-889f6ae7387d", + "GetincidentRelationId": "7fb245aa-38d5-4660-ad34-72817ce63eed", + "ASIServicePrinicpal": "df410494-9bdd-4bbe-997f-51bab37e3d91", + "NewDataConnectorId": "c05dcef2-870f-4e2e-82e4-700b377c9cc5", + "RemoveViaIdAlertRuleId": "cc5ff22b-1ea2-46b8-8695-791d141e393f", + "NewincidentRelationIncidentId": "0ae21631-acb7-4c47-be55-a12de58daf93", + "UpdateViaIdentityQueryActivityName": "UpdateViaIdentityQueryActivityojk1f5", + "UpdateViaIdincidentRelationBookmarkId": "a55092cc-24ce-41d4-a016-60c3e5797351", + "RemoveincidentCommentName": "RemoveincidentCommentgp6y5f", + "UpdateViaIdAlertRuleName": "UpdateViaIdAlertRulegtdyv4", + "GetAutomationRule": "GetAutomationRuleuva9py", + "RemoveincidentRelationIncidentName": "RemoveincidentRelationIncidentNameqeb7h3", + "RemovethreatIntelligenceIndicatorName": "RemovethreatIntelligenceIndicatorpf94ha", + "RemoveViaIdbookmarkRelationBookmarkName": "RemoveViaIdbookmarkRelationBookmarkName23c1ow", + "NewBookmarkRelationIncidentId": "59d28eeb-8f1e-4841-9e69-86654e548e74", + "UpdateincidentRelationBookmarkId2": "c2c47dc0-3085-46d4-a419-6ff95a01c603", + "UpdateincidentRelationIncidentId": "9e73b493-03a2-4837-9f25-61a39c8841b8", + "removeOnboardingStateWS": "asptestu3tk19", + "UpdateincidentId": "0bb93d60-a942-42f4-a8de-41d4b42cfd18", + "GetincidentId": "e8b65102-7a7b-49f2-a08b-566ecc2dec39", + "RemoveBookmarkName": "Removebookmark1lcpa3", + "Playbook3TriggerUrl": "https://prod-08.centralus.logic.azure.com:443/workflows/18a59846385f49ef9c9711584ba6162c/triggers/When_a_response_to_an_Azure_Sentinel_alert_is_triggered/paths/invoke?api-version=2016-06-01&sp=%2Ftriggers%2FWhen_a_response_to_an_Azure_Sentinel_alert_is_triggered%2Frun&sv=1.0&sig=tBpcYwVJuUNVBAdwMq1K0kfjZJX6coxhaADovea_MMk", + "RemovebookmarkRelationBookmarkId": "5dea8be8-4487-4714-adad-1f935ce6b752", + "RemoveAutomationRule": "RemoveAutomationRuley4paeg", + "UpdateBookmarkId": "2b6690b9-7f3b-4239-b675-41640f710da0", + "UpdateBookmarkRelationName": "UpdatebookmarkRelationxnow1g", + "RemoveDataConnectorId": "87ee73c4-216c-4d82-bcda-555b974a2930", + "workspaceResourceId": "/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3", + "UpdateAutomationRule": "UpdateAutomationRulet3on5c", + "workspaceId": "514a628c-e691-4346-bfaf-4995f84165c7", + "RemoveincidentRelationBookmarkName": "RemoveincidentRelationBookmarkNamequm8ws", + "UpdateAlertRuleActionId": "a5627b08-648e-4278-a68a-86c4f2ed6418", + "UpdateViaIdbookmarkRelationIncidentName": "UpdateViaIdbookmarkRelationIncidentNameft7j0l", + "UpdateBookmarkName": "Updatebookmarkcmzxnh", + "RemoveViaIdentityQueryActivityId": "70e5afd8-83d4-47a8-bde6-3e6eabf9b339", + "RemoveDataConnectorIdInputObject": "877f061e-b79b-4424-a55d-89f4a0030794", + "RemoveViaIdAlertRuleName": "RemoveViaIdAlertRule8z7jhl", + "NewincidentTeamIncidentName": "NewincidentTeamIncidentName7u2zch", + "workspaceName": "asptest4yt0n3", + "UpdateAlertRuleId": "0cbb3d2d-91b5-45c4-8945-37d919707711", + "UpdatebookmarkRelationBookmarkId": "ccaf8264-c8d6-4f67-bba1-b9a29a592313", + "dataConnectorId": "5ae4f003-4029-44eb-8f4b-d65e5280bc42", + "NewincidentRelationBookmarkId": "5720e8cf-09ab-4bc7-9743-d0737ee68203", + "GetincidentRelationIncidentId": "da7f7404-2a4a-4811-9f0e-fa20649928fa", + "NewalertRuleActionRuleName": "NewalertRuleActionRuleNamenbm3jx", + "RemoveViaIdincidentName": "RemoveViaIdincidentzl1g8n", + "RemoveAlertRuleActionId": "a67122b9-ea3d-42b3-8b27-01df9ed1b094", + "GetincidentRelationName": "GetincidentRelationNamefecd57", + "ExpandBookmarkName": "Expandbookmarkv0ifpq", + "NewbookmarkRelationIncidentName": "NewbookmarkRelationIncidentName1iu8hf", + "UpdateViaIdAlertRuleActionId": "e42abba3-1a7a-4b3c-b0c1-aec4c288b59c", + "RemoveViaIdthreatIntelligenceIndicatorName": "RemoveViaIdthreatIntelligenceIndicatorn5hj0p", + "NewbookmarkRelationBookmarkName": "NewbookmarkRelationBookmarkNameonq6pw", + "RemoveViaIdincidentRelationBookmarkName": "RemoveViaIdincidentRelationBookmarkNameq65xz2", + "NewincidentRelationBookmarkName": "NewincidentRelationBookmarkNameaxmcdt", + "RemoveincidentRelationIncidentId": "1a71316d-53cd-4e3e-b964-5089a315a6a7", + "RemoveAutomationRuleId": "513cdba0-0f4e-4c45-80b8-9ef28a66af2d", + "UpdateincidentRelationName": "UpdateincidentRelationNamemkr8ny", + "RemoveViaIdAutomationRule": "RemoveViaIdAutomationRule4e6a0t", + "NewbookmarkRelationBookmarkId": "07f5b7c6-84d9-4c37-a592-ab84c153d2a1", + "UpdateViaIdincidentCommentIncidentId": "869cd3bd-6eb7-4b9b-9afb-6e96d1e7c02b", + "GetBookmarkRelationName": "GetbookmarkRelationup87jh", + "UpdateBookmarkRelationIncidentId2": "0546e063-8fec-46ee-a761-a39d41677120", + "UpdateBookmarkRelationId": "d16e37b8-a295-4b5e-833c-77e25e6b20d5", + "UpdateincidentName": "Updateincidentx72h4y", + "RemoveViaIdincidentCommentName": "RemoveViaIdincidentComment9kqox4", + "UpdateViaIdAlertRuleId": "fec1ccd0-78c5-41d9-b5a8-ec9b4e63ea9a", + "GetentityQueryActivityName": "GetentityQueryActivitypy1z3e", + "GetalertRuleActionRuleId": "ac0954ee-b73d-4e95-8cac-f93c182a1c20", + "RemoveViaIdincidentId": "d34e2b26-c2ca-4e38-b9b2-285fc2bd09c6", + "RemovebookmarkRelationBookmarkName": "RemovebookmarkRelationBookmarkName35mvue", + "UpdateentityQueryActivityName": "UpdateentityQueryActivityudyh0r", + "metadataName": "azuresentinel.azure-sentinel-solution-zerotrust", + "UpdateentityQueryActivityId": "493fd03b-7ed3-473b-817c-539c63bac9ac", + "NewincidentRelationName": "NewincidentRelationNamerzfs9c", + "UpdateViaIdalertRuleActionRuleName": "UpdateViaIdalertRuleActionRuleNameg0clnz", + "location": "Central US", + "GetbookmarkRelationBookmarkId": "c6d903c8-0407-4cef-9c08-0e3c2be798a1", + "GetalertRuleActionRuleName": "GetalertRuleActionRuleNamebocexs", + "GetBookmarkId": "94dfe965-27c2-4232-97cd-5d22a82584d7", + "RemoveincidentRelationBookmarkId": "f46786d6-fcca-42f4-a955-ac942e480594", + "NewBookmarkId": "9d255940-5211-4484-9fe6-7c750f10d111", + "UpdatethreatIntelligenceIndicatorIP": "8.8.8.4", "UpdatethreatIntelligenceIndicatorId": "a40d90cd-3425-dcc7-87c9-8c9298f3641d", - "UpdateViaIdBookmarkRelationIncidentId": "68e94645-a3b4-4595-9bfe-0d5370f5c8dd", - "Playbook1TriggerUrl": "https://prod-05.centralus.logic.azure.com:443/workflows/eb03b1bc818942e0a642c05aeef2614b/triggers/When_a_response_to_an_Azure_Sentinel_alert_is_triggered/paths/invoke?api-version=2016-06-01&sp=%2Ftriggers%2FWhen_a_response_to_an_Azure_Sentinel_alert_is_triggered%2Frun&sv=1.0&sig=BiTp33mQqq5owtlDqGQFUmo-TdKtHaQskA16bOn1p8g", - "RemoveViaIdincidentRelationIncidentName": "RemoveViaIdincidentRelationIncidentNameg1b6wx", - "RemoveincidentRelationIncidentName": "RemoveincidentRelationIncidentNamecz4ioj", - "UpdateViaIdentityQueryActivityName": "UpdateViaIdentityQueryActivityt5dm62", - "UpdateAutomationRule": "UpdateAutomationRulefrz5oc", - "UpdateincidentRelationBookmarkId2": "7b6ab18b-3ae4-406a-ade2-d9b2b9cfb774", - "RemoveViaIdAutomationRuleId": "ab65a956-23b7-44a0-8a32-cb8d62d389d8" + "UpdateViaIdAutomationRule": "UpdateViaIdAutomationRulemin70r", + "RemoveViaIdalertRuleActionRuleId": "bfbfe303-5fe5-41b2-a51c-ce1c8cb99b4d", + "RemoveViaIdincidentRelationIncidentId": "edfd97a6-4cb0-4eb8-aa7d-4df47259f318", + "RemoveViaIdAlertRuleActionId": "96edc48e-dfba-405a-b16f-f17cb7a6e8e1", + "RemoveViaIdthreatIntelligenceIndicatorId": "8bc7c1a2-ceb7-dea2-025b-a90dc873bf63", + "GetBookmarkRelationId": "91ae51f6-b3d6-45da-b7c4-9be2a72da2a3", + "NewBookmarkName": "Newbookmark5dsb9l" } diff --git a/src/SecurityInsights/SecurityInsights.Autorest/test/utils.ps1 b/src/SecurityInsights/SecurityInsights.Autorest/test/utils.ps1 index 548e85da8a9e..55535839eff9 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/test/utils.ps1 +++ b/src/SecurityInsights/SecurityInsights.Autorest/test/utils.ps1 @@ -78,15 +78,12 @@ function setupEnv() { set-content -Path .\test\deployment-templates\workspace\template.parameters.json -Value (ConvertTo-Json $workspaceParams) $TemplateFile = (Get-ChildItem $TemplatePath\workspace\template.json).FullName $TemplateParametersFile = (Get-ChildItem $TemplatePath\workspace\template.parameters.json).FullName - $result = New-AzDeployment -Mode Incremental -TemplateFile $TemplateFile -TemplateParameterFile $TemplateParametersFile -Name Workspace -ResourceGroupName $resourceGroupName + $result = New-AzResourceGroupDeployment -Mode Incremental -TemplateFile $TemplateFile -TemplateParameterFile $TemplateParametersFile -Name Workspace -ResourceGroupName $resourceGroupName if($result.ProvisioningState -eq "Succeeded"){ $null = $env.Add("workspaceName", $workspaceName) - $url = "https://management.azure.com/"+ ($result.Id) + "?api-version=2021-04-01" - $deployResult = Invoke-RestMethod -Uri $url -Method GET -headers $header - $null = $env.Add('workspaceId', ($deployResult.properties.outputs.workspaceId.value)) - #$null = $env.Add('workspaceKey', ($deployResult.properties.outputs.workspaceKey.value)) - $workspaceKey = ($deployResult.properties.outputs.workspaceKey.value) - $null = $env.Add('workspaceResourceId', ($deployResult.properties.outputs.workspaceResourceId.value)) + $null = $env.Add('workspaceId', $result.Outputs.workspaceId.Value) + $workspaceKey = $result.Outputs.workspaceKey.Value + $null = $env.Add('workspaceResourceId', $result.Outputs.workspaceResourceId.Value) $null = $env.Add("newOnboardingStateWS", $newOnboardingStateWS) $null = $env.Add("removeOnboardingStateWS", $removeOnboardingStateWS) } @@ -118,7 +115,7 @@ function setupEnv() { set-content -Path .\test\deployment-templates\customData\alertRules.parameters.json -Value (ConvertTo-Json $alertRuleParams) $TemplateFile = (Get-ChildItem $TemplatePath\customData\alertRules.json).FullName $TemplateParametersFile = (Get-ChildItem $TemplatePath\customData\alertRules.parameters.json).FullName - $result = New-AzDeployment -Mode Incremental -TemplateFile $TemplateFile -TemplateParameterFile $TemplateParametersFile -Name CustomData -ResourceGroupName $resourceGroupName + $result = New-AzResourceGroupDeployment -Mode Incremental -TemplateFile $TemplateFile -TemplateParameterFile $TemplateParametersFile -Name CustomData -ResourceGroupName $resourceGroupName if($result.ProvisioningState -eq "Succeeded"){ $null = $env.Add(("solarigateRuleGuid"), $solarigateRuleGuid) $null = $env.Add(("disabledRuleGuid"), $disabledRuleGuid) @@ -129,18 +126,24 @@ function setupEnv() { Write-Host "Start to create test playbooks" $TemplateFile = (Get-ChildItem $TemplatePath\playbooks\template.json).FullName $TemplateParametersFile = (Get-ChildItem $TemplatePath\playbooks\template.parameters.json).FullName - $result = New-AzDeployment -Mode Incremental -TemplateFile $TemplateFile -TemplateParameterFile $TemplateParametersFile -Name Playbooks -ResourceGroupName $resourceGroupName - if($result.ProvisioningState -eq "Succeeded"){ - $url = "https://management.azure.com/"+ ($result.Id) + "?api-version=2021-04-01" - $deployResult = Invoke-RestMethod -Uri $url -Method GET -headers $header - $null = $env.Add('Playbook1LogicAppResourceId', ($deployResult.properties.Outputs.Playbook1LogicAppResourceId.value)) - $null = $env.Add('Playbook1TriggerUrl', ($deployResult.properties.Outputs.Playbook1triggerUrl.value)) - $null = $env.Add('Playbook2LogicAppResourceId', ($deployResult.properties.Outputs.Playbook2LogicAppResourceId.value)) - $null = $env.Add('Playbook2TriggerUrl', ($deployResult.properties.Outputs.Playbook2triggerUrl.value)) - $null = $env.Add('Playbook3LogicAppResourceId', ($deployResult.properties.Outputs.Playbook3LogicAppResourceId.value)) - $null = $env.Add('Playbook3TriggerUrl', ($deployResult.properties.Outputs.Playbook3triggerUrl.value)) - $null = $env.Add('Playbook4LogicAppResourceId', ($deployResult.properties.Outputs.Playbook4LogicAppResourceId.value)) - $null = $env.Add('Playbook4TriggerUrl', ($deployResult.properties.Outputs.Playbook4triggerUrl.value)) + New-AzResourceGroupDeployment -Mode Incremental -TemplateFile $TemplateFile -TemplateParameterFile $TemplateParametersFile -Name Playbooks -ResourceGroupName $resourceGroupName + $result = Get-AzResourceGroupDeployment -ResourceGroupName $resourceGroupName -Name 'Playbooks' -ErrorAction SilentlyContinue + if(-not $result -or $result.ProvisioningState -ne "Succeeded"){ + Start-TestSleep -Seconds 30 + New-AzResourceGroupDeployment -Mode Incremental -TemplateFile $TemplateFile -TemplateParameterFile $TemplateParametersFile -Name PlaybooksRetry -ResourceGroupName $resourceGroupName + $result = Get-AzResourceGroupDeployment -ResourceGroupName $resourceGroupName -Name 'PlaybooksRetry' -ErrorAction SilentlyContinue + } + if($result -and $result.ProvisioningState -eq "Succeeded"){ + $null = $env.Add('Playbook1LogicAppResourceId', $result.Outputs.playbook1LogicAppResourceId.Value) + $null = $env.Add('Playbook1TriggerUrl', $result.Outputs.playbook1triggerUrl.Value) + $null = $env.Add('Playbook2LogicAppResourceId', $result.Outputs.playbook2LogicAppResourceId.Value) + $null = $env.Add('Playbook2TriggerUrl', $result.Outputs.playbook2triggerUrl.Value) + $null = $env.Add('Playbook3LogicAppResourceId', $result.Outputs.playbook3LogicAppResourceId.Value) + $null = $env.Add('Playbook3TriggerUrl', $result.Outputs.playbook3triggerUrl.Value) + $null = $env.Add('Playbook4LogicAppResourceId', $result.Outputs.playbook4LogicAppResourceId.Value) + $null = $env.Add('Playbook4TriggerUrl', $result.Outputs.playbook4triggerUrl.Value) + } else { + Write-Host "Playbooks deployment failed after both attempts" } @@ -212,7 +215,7 @@ function setupEnv() { set-content -Path .\test\deployment-templates\authorization\template.parameters.json -Value (ConvertTo-Json $authorizationParams) $TemplateFile = (Get-ChildItem $TemplatePath\authorization\template.json).FullName $TemplateParametersFile = (Get-ChildItem $TemplatePath\authorization\template.parameters.json).FullName - $result = New-AzDeployment -Mode Incremental -TemplateFile $TemplateFile -TemplateParameterFile $TemplateParametersFile -Name Authorization -ResourceGroupName $resourceGroupName + $result = New-AzResourceGroupDeployment -Mode Incremental -TemplateFile $TemplateFile -TemplateParameterFile $TemplateParametersFile -Name Authorization -ResourceGroupName $resourceGroupName start-sleep 60 #Create Automation Rule @@ -271,9 +274,10 @@ function setupEnv() { set-content -Path .\test\deployment-templates\dataConnector\template.parameters.json -Value (ConvertTo-Json $dataConnectorParams) $TemplateFile = (Get-ChildItem $TemplatePath\dataConnector\template.json).FullName $TemplateParametersFile = (Get-ChildItem $TemplatePath\dataConnector\template.parameters.json).FullName - $result = New-AzDeployment -Mode Incremental -TemplateFile $TemplateFile -TemplateParameterFile $TemplateParametersFile -Name dataConnector -ResourceGroupName $resourceGroupName - if($result.ProvisioningState -eq "Succeeded"){ - $null = $env.Add('dataConnectorId', $dataConnectorId) + $result = New-AzResourceGroupDeployment -Mode Incremental -TemplateFile $TemplateFile -TemplateParameterFile $TemplateParametersFile -Name dataConnector -ResourceGroupName $resourceGroupName + # Workaround — save dataConnectorId even on partial failure (AzureSecurityCenter succeeds when Office365 fails) + $null = $env.Add('dataConnectorId', $dataConnectorId) + if($result -and $result.ProvisioningState -eq "Succeeded"){ $null = $env.Add('updateDataConnectorId', $updateDataConnectorId) } $null = $env.Add('RemoveDataConnectorId', ((New-Guid).Guid)) @@ -361,7 +365,7 @@ function setupEnv() { set-content -Path .\test\deployment-templates\metadata\template.parameters.json -Value (ConvertTo-Json $metadataParams) $TemplateFile = (Get-ChildItem $TemplatePath\metadata\template.json).FullName $TemplateParametersFile = (Get-ChildItem $TemplatePath\metadata\template.parameters.json).FullName - $result = New-AzDeployment -Mode Incremental -TemplateFile $TemplateFile -TemplateParameterFile $TemplateParametersFile -Name metadata -ResourceGroupName $resourceGroupName + $result = New-AzResourceGroupDeployment -Mode Incremental -TemplateFile $TemplateFile -TemplateParameterFile $TemplateParametersFile -Name metadata -ResourceGroupName $resourceGroupName if($result.ProvisioningState -eq "Succeeded"){ $null = $env.Add('metadataName', 'azuresentinel.azure-sentinel-solution-zerotrust') } diff --git a/src/SecurityInsights/SecurityInsights.sln b/src/SecurityInsights/SecurityInsights.sln index 88a4f42c4982..3da8199370cc 100644 --- a/src/SecurityInsights/SecurityInsights.sln +++ b/src/SecurityInsights/SecurityInsights.sln @@ -21,7 +21,7 @@ Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "SecurityInsights", "Securit EndProject Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "SecurityInsights.Autorest", "SecurityInsights.Autorest", "{1F2C7E28-510C-0414-601C-25083DE2C7DC}" EndProject -Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Az.SecurityInsights", "..\..\generated\SecurityInsights\SecurityInsights.Autorest\Az.SecurityInsights.csproj", "{82DBBA1D-E938-4B89-86A2-F9A7618C4E69}" +Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Az.SecurityInsights", "..\..\generated\SecurityInsights\SecurityInsights.Autorest\Az.SecurityInsights.csproj", "{B7319352-0147-4E15-8AB7-A5FE20E75556}" EndProject Global GlobalSection(SolutionConfigurationPlatforms) = preSolution @@ -117,18 +117,18 @@ Global {F74A1659-4994-47CB-A786-DF83675AD4DF}.Release|x64.Build.0 = Release|Any CPU {F74A1659-4994-47CB-A786-DF83675AD4DF}.Release|x86.ActiveCfg = Release|Any CPU {F74A1659-4994-47CB-A786-DF83675AD4DF}.Release|x86.Build.0 = Release|Any CPU - {82DBBA1D-E938-4B89-86A2-F9A7618C4E69}.Debug|Any CPU.ActiveCfg = Debug|Any CPU - {82DBBA1D-E938-4B89-86A2-F9A7618C4E69}.Debug|Any CPU.Build.0 = Debug|Any CPU - {82DBBA1D-E938-4B89-86A2-F9A7618C4E69}.Debug|x64.ActiveCfg = Debug|Any CPU - {82DBBA1D-E938-4B89-86A2-F9A7618C4E69}.Debug|x64.Build.0 = Debug|Any CPU - {82DBBA1D-E938-4B89-86A2-F9A7618C4E69}.Debug|x86.ActiveCfg = Debug|Any CPU - {82DBBA1D-E938-4B89-86A2-F9A7618C4E69}.Debug|x86.Build.0 = Debug|Any CPU - {82DBBA1D-E938-4B89-86A2-F9A7618C4E69}.Release|Any CPU.ActiveCfg = Release|Any CPU - {82DBBA1D-E938-4B89-86A2-F9A7618C4E69}.Release|Any CPU.Build.0 = Release|Any CPU - {82DBBA1D-E938-4B89-86A2-F9A7618C4E69}.Release|x64.ActiveCfg = Release|Any CPU - {82DBBA1D-E938-4B89-86A2-F9A7618C4E69}.Release|x64.Build.0 = Release|Any CPU - {82DBBA1D-E938-4B89-86A2-F9A7618C4E69}.Release|x86.ActiveCfg = Release|Any CPU - {82DBBA1D-E938-4B89-86A2-F9A7618C4E69}.Release|x86.Build.0 = Release|Any CPU + {B7319352-0147-4E15-8AB7-A5FE20E75556}.Debug|Any CPU.ActiveCfg = Debug|Any CPU + {B7319352-0147-4E15-8AB7-A5FE20E75556}.Debug|Any CPU.Build.0 = Debug|Any CPU + {B7319352-0147-4E15-8AB7-A5FE20E75556}.Debug|x64.ActiveCfg = Debug|Any CPU + {B7319352-0147-4E15-8AB7-A5FE20E75556}.Debug|x64.Build.0 = Debug|Any CPU + {B7319352-0147-4E15-8AB7-A5FE20E75556}.Debug|x86.ActiveCfg = Debug|Any CPU + {B7319352-0147-4E15-8AB7-A5FE20E75556}.Debug|x86.Build.0 = Debug|Any CPU + {B7319352-0147-4E15-8AB7-A5FE20E75556}.Release|Any CPU.ActiveCfg = Release|Any CPU + {B7319352-0147-4E15-8AB7-A5FE20E75556}.Release|Any CPU.Build.0 = Release|Any CPU + {B7319352-0147-4E15-8AB7-A5FE20E75556}.Release|x64.ActiveCfg = Release|Any CPU + {B7319352-0147-4E15-8AB7-A5FE20E75556}.Release|x64.Build.0 = Release|Any CPU + {B7319352-0147-4E15-8AB7-A5FE20E75556}.Release|x86.ActiveCfg = Release|Any CPU + {B7319352-0147-4E15-8AB7-A5FE20E75556}.Release|x86.Build.0 = Release|Any CPU EndGlobalSection GlobalSection(SolutionProperties) = preSolution HideSolutionNode = FALSE @@ -140,6 +140,6 @@ Global {8DD4BC41-DC30-4267-ACBA-93FBD67044D9} = {F3681287-CEBF-4540-A820-B4B174AFF47F} {0FEAB705-FEE4-4B66-A6E1-F3FF3BA6B04C} = {F3681287-CEBF-4540-A820-B4B174AFF47F} {453F081C-D5FD-418E-95AF-231F1BAE1E8C} = {F3681287-CEBF-4540-A820-B4B174AFF47F} - {82DBBA1D-E938-4B89-86A2-F9A7618C4E69} = {1F2C7E28-510C-0414-601C-25083DE2C7DC} + {B7319352-0147-4E15-8AB7-A5FE20E75556} = {1F2C7E28-510C-0414-601C-25083DE2C7DC} EndGlobalSection EndGlobal diff --git a/src/SecurityInsights/SecurityInsights/Az.SecurityInsights.psd1 b/src/SecurityInsights/SecurityInsights/Az.SecurityInsights.psd1 index 63cb874bd265..4bd40c762b0f 100644 --- a/src/SecurityInsights/SecurityInsights/Az.SecurityInsights.psd1 +++ b/src/SecurityInsights/SecurityInsights/Az.SecurityInsights.psd1 @@ -3,7 +3,7 @@ # # Generated by: Microsoft Corporation # -# Generated on: 1/29/2026 +# Generated on: 12/03/2026 # @{ @@ -51,16 +51,16 @@ DotNetFrameworkVersion = '4.7.2' # ProcessorArchitecture = '' # Modules that must be imported into the global environment prior to importing this module -RequiredModules = @(@{ModuleName = 'Az.Accounts'; ModuleVersion = '5.3.0'; }) +RequiredModules = @(@{ModuleName = 'Az.Accounts'; ModuleVersion = '5.3.2'; }) # Assemblies that must be loaded prior to importing this module RequiredAssemblies = 'SecurityInsights.Autorest/bin/Az.SecurityInsights.private.dll' # Script files (.ps1) that are run in the caller's environment prior to importing this module. -# ScriptsToProcess = @() +ScriptsToProcess = @() # Type files (.ps1xml) to be loaded when importing this module -# TypesToProcess = @() +TypesToProcess = @() # Format files (.ps1xml) to be loaded when importing this module FormatsToProcess = 'SecurityInsights.Autorest/Az.SecurityInsights.format.ps1xml' @@ -130,7 +130,7 @@ PrivateData = @{ PSData = @{ # Tags applied to this module. These help with module discovery in online galleries. - Tags = 'Azure','ResourceManager','ARM','PSModule','SecurityInsights' + Tags = 'Azure', 'ResourceManager', 'ARM', 'PSModule', 'SecurityInsights' # A URL to the license for this module. LicenseUri = 'https://aka.ms/azps-license' @@ -155,7 +155,7 @@ PrivateData = @{ } # End of PSData hashtable - } # End of PrivateData hashtable +} # End of PrivateData hashtable # HelpInfo URI of this module # HelpInfoURI = '' diff --git a/src/SecurityInsights/SecurityInsights/help/New-AzSentinelBookmark.md b/src/SecurityInsights/SecurityInsights/help/New-AzSentinelBookmark.md index 33430d373f41..ea08a74350b8 100644 --- a/src/SecurityInsights/SecurityInsights/help/New-AzSentinelBookmark.md +++ b/src/SecurityInsights/SecurityInsights/help/New-AzSentinelBookmark.md @@ -18,8 +18,8 @@ New-AzSentinelBookmark -ResourceGroupName -WorkspaceName [-Id [-SubscriptionId ] [-DisplayName ] [-EventTime ] [-IncidentInfoIncidentId ] [-IncidentInfoRelationName ] [-IncidentInfoSeverity ] [-IncidentInfoTitle ] [-Label ] [-Note ] [-Query ] [-QueryEndTime ] [-QueryResult ] - [-QueryStartTime ] [-DefaultProfile ] [-WhatIf] - [-Confirm] [] + [-QueryStartTime ] [-UpdatedByEmail ] [-UpdatedByName ] [-DefaultProfile ] + [-WhatIf] [-Confirm] [] ``` ### CreateViaJsonFilePath @@ -332,6 +332,36 @@ Accept pipeline input: False Accept wildcard characters: False ``` +### -UpdatedByEmail +The email of the user. + +```yaml +Type: System.String +Parameter Sets: CreateExpanded +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -UpdatedByName +The name of the user. + +```yaml +Type: System.String +Parameter Sets: CreateExpanded +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + ### -WorkspaceName The name of the workspace. diff --git a/src/SecurityInsights/SecurityInsights/help/Update-AzSentinelBookmark.md b/src/SecurityInsights/SecurityInsights/help/Update-AzSentinelBookmark.md index b04bea52b876..2c1937990a9f 100644 --- a/src/SecurityInsights/SecurityInsights/help/Update-AzSentinelBookmark.md +++ b/src/SecurityInsights/SecurityInsights/help/Update-AzSentinelBookmark.md @@ -18,8 +18,8 @@ Update-AzSentinelBookmark -Id -ResourceGroupName [-Subscriptio -WorkspaceName [-DisplayName ] [-EventTime ] [-IncidentInfoIncidentId ] [-IncidentInfoRelationName ] [-IncidentInfoSeverity ] [-IncidentInfoTitle ] [-Label ] [-Note ] [-Query ] [-QueryEndTime ] [-QueryResult ] - [-QueryStartTime ] [-DefaultProfile ] [-WhatIf] - [-Confirm] [] + [-QueryStartTime ] [-UpdatedByEmail ] [-UpdatedByName ] [-DefaultProfile ] + [-WhatIf] [-Confirm] [] ``` ### UpdateViaIdentityExpanded @@ -28,7 +28,8 @@ Update-AzSentinelBookmark -InputObject [-DisplayName [-EventTime ] [-IncidentInfoIncidentId ] [-IncidentInfoRelationName ] [-IncidentInfoSeverity ] [-IncidentInfoTitle ] [-Label ] [-Note ] [-Query ] [-QueryEndTime ] [-QueryResult ] [-QueryStartTime ] - [-DefaultProfile ] [-WhatIf] [-Confirm] [] + [-UpdatedByEmail ] [-UpdatedByName ] [-DefaultProfile ] + [-WhatIf] [-Confirm] [] ``` ## DESCRIPTION @@ -304,6 +305,36 @@ Accept pipeline input: False Accept wildcard characters: False ``` +### -UpdatedByEmail +The email of the user. + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -UpdatedByName +The name of the user. + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + ### -WorkspaceName The name of the workspace. From 3cb680c8d4b96d611a18637d243dec24d1c28817 Mon Sep 17 00:00:00 2001 From: hadasi6 Date: Sun, 29 Mar 2026 12:11:58 +0300 Subject: [PATCH 2/2] Redact credentials from test recording headers to fix CredScan --- .../test/Get-AzSentinelAlertRule.Recording.json | 8 ++++---- .../Get-AzSentinelAlertRuleAction.Recording.json | 8 ++++---- .../Get-AzSentinelAlertRuleTemplate.Recording.json | 8 ++++---- .../Get-AzSentinelAutomationRule.Recording.json | 8 ++++---- .../test/Get-AzSentinelBookmark.Recording.json | 8 ++++---- .../Get-AzSentinelBookmarkRelation.Recording.json | 8 ++++---- .../Get-AzSentinelDataConnector.Recording.json | 8 ++++---- .../test/Get-AzSentinelEnrichment.Recording.json | 4 ++-- .../test/Get-AzSentinelEntity.Recording.json | 12 ++++++------ .../Get-AzSentinelEntityActivity.Recording.json | 4 ++-- .../Get-AzSentinelEntityInsight.Recording.json | 4 ++-- .../test/Get-AzSentinelEntityQuery.Recording.json | 8 ++++---- ...et-AzSentinelEntityQueryTemplate.Recording.json | 6 +++--- .../Get-AzSentinelEntityTimeline.Recording.json | 4 ++-- .../test/Get-AzSentinelIncident.Recording.json | 8 ++++---- .../Get-AzSentinelIncidentAlert.Recording.json | 4 ++-- .../Get-AzSentinelIncidentBookmark.Recording.json | 2 +- .../Get-AzSentinelIncidentComment.Recording.json | 4 ++-- .../Get-AzSentinelIncidentEntity.Recording.json | 4 ++-- .../Get-AzSentinelIncidentRelation.Recording.json | 8 ++++---- .../test/Get-AzSentinelMetadata.Recording.json | 8 ++++---- .../Get-AzSentinelOnboardingState.Recording.json | 8 ++++---- .../test/Get-AzSentinelSetting.Recording.json | 4 ++-- ...tinelThreatIntelligenceIndicator.Recording.json | 4 ++-- ...hreatIntelligenceIndicatorMetric.Recording.json | 2 +- ...ThreatIntelligenceIndicatorQuery.Recording.json | 2 +- .../test/New-AzSentinelAlertRule.Recording.json | 2 +- .../New-AzSentinelAlertRuleAction.Recording.json | 4 ++-- .../New-AzSentinelAutomationRule.Recording.json | 2 +- .../test/New-AzSentinelBookmark.Recording.json | 2 +- .../New-AzSentinelBookmarkRelation.Recording.json | 6 +++--- .../New-AzSentinelDataConnector.Recording.json | 2 +- .../test/New-AzSentinelEntityQuery.Recording.json | 2 +- .../test/New-AzSentinelIncident.Recording.json | 2 +- .../New-AzSentinelIncidentComment.Recording.json | 4 ++-- .../New-AzSentinelIncidentRelation.Recording.json | 6 +++--- .../test/New-AzSentinelIncidentTeam.Recording.json | 4 ++-- .../test/Remove-AzSentinelAlertRule.Recording.json | 6 +++--- ...Remove-AzSentinelAlertRuleAction.Recording.json | 6 +++--- .../Remove-AzSentinelAutomationRule.Recording.json | 6 +++--- .../test/Remove-AzSentinelBookmark.Recording.json | 6 +++--- ...emove-AzSentinelBookmarkRelation.Recording.json | 6 +++--- .../Remove-AzSentinelDataConnector.Recording.json | 8 ++++---- .../Remove-AzSentinelEntityQuery.Recording.json | 6 +++--- .../test/Remove-AzSentinelIncident.Recording.json | 6 +++--- ...Remove-AzSentinelIncidentComment.Recording.json | 6 +++--- ...emove-AzSentinelIncidentRelation.Recording.json | 6 +++--- ...Remove-AzSentinelOnboardingState.Recording.json | 2 +- ...Update-AzSentinelAlertRuleAction.Recording.json | 6 +++--- .../Update-AzSentinelAutomationRule.Recording.json | 12 ++++++------ .../test/Update-AzSentinelBookmark.Recording.json | 12 ++++++------ ...pdate-AzSentinelBookmarkRelation.Recording.json | 14 +++++++------- .../test/Update-AzSentinelIncident.Recording.json | 12 ++++++------ ...Update-AzSentinelIncidentComment.Recording.json | 10 +++++----- ...pdate-AzSentinelIncidentRelation.Recording.json | 14 +++++++------- 55 files changed, 168 insertions(+), 168 deletions(-) diff --git a/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelAlertRule.Recording.json b/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelAlertRule.Recording.json index 1d77cc433a06..9264c4afa0c6 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelAlertRule.Recording.json +++ b/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelAlertRule.Recording.json @@ -24,7 +24,7 @@ "Pragma": [ "no-cache" ], "Vary": [ "Accept-Encoding" ], "x-ms-ratelimit-remaining-subscription-reads": [ "1099" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/5cec3b9a-519b-4690-b547-62dc53402cf1" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/5cec3b9a-519b-4690-b547-62dc53402cf1" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-ratelimit-remaining-subscription-global-reads": [ "16499" ], "x-ms-request-id": [ "f5749ae0-d175-4463-ad9e-122d4b65f3cc" ], @@ -69,7 +69,7 @@ "Pragma": [ "no-cache" ], "Vary": [ "Accept-Encoding" ], "x-ms-ratelimit-remaining-subscription-reads": [ "1099" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/5c91f677-20b4-4ee7-8628-0217fc8656c7" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/5c91f677-20b4-4ee7-8628-0217fc8656c7" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-ratelimit-remaining-subscription-global-reads": [ "16499" ], "x-ms-request-id": [ "e599b720-51cc-40a9-8aec-c313f96ed1a6" ], @@ -114,7 +114,7 @@ "Pragma": [ "no-cache" ], "Vary": [ "Accept-Encoding" ], "x-ms-ratelimit-remaining-subscription-reads": [ "1099" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/dcf0d16b-6f2e-486d-9859-1aa67735e441" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/dcf0d16b-6f2e-486d-9859-1aa67735e441" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-ratelimit-remaining-subscription-global-reads": [ "16499" ], "x-ms-request-id": [ "4c1e7748-0738-4c67-8672-1b71521ae158" ], @@ -159,7 +159,7 @@ "Pragma": [ "no-cache" ], "Vary": [ "Accept-Encoding" ], "x-ms-ratelimit-remaining-subscription-reads": [ "1099" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/f21ba371-36fe-4209-8b96-35feb751d7e0" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/f21ba371-36fe-4209-8b96-35feb751d7e0" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-ratelimit-remaining-subscription-global-reads": [ "16499" ], "x-ms-request-id": [ "dde0c235-ba42-4cee-921f-70ee60bd2efe" ], diff --git a/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelAlertRuleAction.Recording.json b/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelAlertRuleAction.Recording.json index 72ec238ea713..94fa2af9009d 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelAlertRuleAction.Recording.json +++ b/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelAlertRuleAction.Recording.json @@ -24,7 +24,7 @@ "Pragma": [ "no-cache" ], "Vary": [ "Accept-Encoding" ], "x-ms-ratelimit-remaining-subscription-reads": [ "1099" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/65ef3569-b09d-40f7-ab4d-414d5a3923ac" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/65ef3569-b09d-40f7-ab4d-414d5a3923ac" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-ratelimit-remaining-subscription-global-reads": [ "16499" ], "x-ms-request-id": [ "4ecc7669-1945-4435-b850-565046bc6b3d" ], @@ -69,7 +69,7 @@ "Pragma": [ "no-cache" ], "Vary": [ "Accept-Encoding" ], "x-ms-ratelimit-remaining-subscription-reads": [ "1099" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/06640e55-fe9c-4796-af0b-2268358b0a85" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/06640e55-fe9c-4796-af0b-2268358b0a85" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-ratelimit-remaining-subscription-global-reads": [ "16499" ], "x-ms-request-id": [ "37aa42fc-9f4f-4b83-bfa0-485600cfb564" ], @@ -114,7 +114,7 @@ "Pragma": [ "no-cache" ], "Vary": [ "Accept-Encoding" ], "x-ms-ratelimit-remaining-subscription-reads": [ "1099" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/f9c18348-ff01-462f-a0a2-defcfca6605f" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/f9c18348-ff01-462f-a0a2-defcfca6605f" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-ratelimit-remaining-subscription-global-reads": [ "16499" ], "x-ms-request-id": [ "39741283-c449-4ed0-9164-9312bbe8cb5c" ], @@ -159,7 +159,7 @@ "Pragma": [ "no-cache" ], "Vary": [ "Accept-Encoding" ], "x-ms-ratelimit-remaining-subscription-reads": [ "1099" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/e8bc1881-33a3-42c2-bac4-6db90adab166" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/e8bc1881-33a3-42c2-bac4-6db90adab166" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-ratelimit-remaining-subscription-global-reads": [ "16499" ], "x-ms-request-id": [ "668c9f94-b909-4f49-b688-0e7c8d0eb78a" ], diff --git a/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelAlertRuleTemplate.Recording.json b/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelAlertRuleTemplate.Recording.json index ddd67b413082..fe6b58c5178a 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelAlertRuleTemplate.Recording.json +++ b/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelAlertRuleTemplate.Recording.json @@ -24,7 +24,7 @@ "Pragma": [ "no-cache" ], "Vary": [ "Accept-Encoding" ], "x-ms-ratelimit-remaining-subscription-reads": [ "1098" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/642cd481-1d4c-4a12-a7f0-eb5be05314d1" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/642cd481-1d4c-4a12-a7f0-eb5be05314d1" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-ratelimit-remaining-subscription-global-reads": [ "16498" ], "x-ms-request-id": [ "3b3fa6c6-96c9-471b-a6ea-532e4f938bce" ], @@ -69,7 +69,7 @@ "Pragma": [ "no-cache" ], "Vary": [ "Accept-Encoding" ], "x-ms-ratelimit-remaining-subscription-reads": [ "1099" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/15f557e5-3f31-4cc9-ba8c-be0b626bb1de" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/15f557e5-3f31-4cc9-ba8c-be0b626bb1de" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-ratelimit-remaining-subscription-global-reads": [ "16499" ], "x-ms-request-id": [ "48360258-5d3d-475e-9673-2dd4e1b93e4d" ], @@ -114,7 +114,7 @@ "Pragma": [ "no-cache" ], "Vary": [ "Accept-Encoding" ], "x-ms-ratelimit-remaining-subscription-reads": [ "1099" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/dc7d1096-ff68-4c66-a7bc-2fde8261e8c7" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/dc7d1096-ff68-4c66-a7bc-2fde8261e8c7" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-ratelimit-remaining-subscription-global-reads": [ "16499" ], "x-ms-request-id": [ "8da523e9-dfa3-416c-af39-5796ace89ab4" ], @@ -159,7 +159,7 @@ "Pragma": [ "no-cache" ], "Vary": [ "Accept-Encoding" ], "x-ms-ratelimit-remaining-subscription-reads": [ "1099" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/bd5ff278-0ee9-4ca4-8253-d05f9440dae4" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/bd5ff278-0ee9-4ca4-8253-d05f9440dae4" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-ratelimit-remaining-subscription-global-reads": [ "16499" ], "x-ms-request-id": [ "66860973-747e-4d71-a7d1-691bf7a74892" ], diff --git a/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelAutomationRule.Recording.json b/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelAutomationRule.Recording.json index 7f28cf721d06..53a6684d31d3 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelAutomationRule.Recording.json +++ b/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelAutomationRule.Recording.json @@ -24,7 +24,7 @@ "Pragma": [ "no-cache" ], "Vary": [ "Accept-Encoding" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "1099" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/390cf4df-a319-4684-b88c-9e177ff02bf8" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/390cf4df-a319-4684-b88c-9e177ff02bf8" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-request-id": [ "eddf7727-6378-4521-94a9-bb895ac6c390" ], "x-ms-correlation-request-id": [ "eddf7727-6378-4521-94a9-bb895ac6c390" ], @@ -68,7 +68,7 @@ "Pragma": [ "no-cache" ], "Vary": [ "Accept-Encoding" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "1099" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/2500d3d3-fd2b-44fb-af5a-11da6251bf08" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/2500d3d3-fd2b-44fb-af5a-11da6251bf08" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-request-id": [ "24cabcc2-eb0a-4de3-8a34-a80099713143" ], "x-ms-correlation-request-id": [ "24cabcc2-eb0a-4de3-8a34-a80099713143" ], @@ -112,7 +112,7 @@ "Pragma": [ "no-cache" ], "Vary": [ "Accept-Encoding" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "1099" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/7cb9eac3-3f47-4381-9d4f-10329b8f5a6a" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/7cb9eac3-3f47-4381-9d4f-10329b8f5a6a" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-request-id": [ "c408564f-6c14-4610-bc8d-2e68ce8bdbf9" ], "x-ms-correlation-request-id": [ "c408564f-6c14-4610-bc8d-2e68ce8bdbf9" ], @@ -156,7 +156,7 @@ "Pragma": [ "no-cache" ], "Vary": [ "Accept-Encoding" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "1099" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/25f9b82a-1046-41cd-bce1-20d7434e15d4" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/25f9b82a-1046-41cd-bce1-20d7434e15d4" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-request-id": [ "63982849-b798-49ac-824f-2e5e5ca4ea69" ], "x-ms-correlation-request-id": [ "63982849-b798-49ac-824f-2e5e5ca4ea69" ], diff --git a/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelBookmark.Recording.json b/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelBookmark.Recording.json index 96d9cedd2d03..45e89d71b1e1 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelBookmark.Recording.json +++ b/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelBookmark.Recording.json @@ -24,7 +24,7 @@ "Pragma": [ "no-cache" ], "Vary": [ "Accept-Encoding" ], "x-ms-ratelimit-remaining-subscription-reads": [ "1099" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/1b800a52-8d5b-4fca-a44f-40e20606eb76" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/1b800a52-8d5b-4fca-a44f-40e20606eb76" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-ratelimit-remaining-subscription-global-reads": [ "16499" ], "x-ms-request-id": [ "38a25193-2168-461d-979a-d7affc5ea333" ], @@ -69,7 +69,7 @@ "Pragma": [ "no-cache" ], "Vary": [ "Accept-Encoding" ], "x-ms-ratelimit-remaining-subscription-reads": [ "1099" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/531c9247-6375-4be0-9917-ce3ee8e5df09" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/531c9247-6375-4be0-9917-ce3ee8e5df09" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-ratelimit-remaining-subscription-global-reads": [ "16499" ], "x-ms-request-id": [ "793a6971-d4fd-4f84-ba31-8bc33d43c0d6" ], @@ -114,7 +114,7 @@ "Pragma": [ "no-cache" ], "Vary": [ "Accept-Encoding" ], "x-ms-ratelimit-remaining-subscription-reads": [ "1099" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/43050d5e-4620-4cae-9aaa-48ab06ed04b5" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/43050d5e-4620-4cae-9aaa-48ab06ed04b5" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-ratelimit-remaining-subscription-global-reads": [ "16499" ], "x-ms-request-id": [ "a26a9fc7-597b-405e-b941-458f3fd477d9" ], @@ -159,7 +159,7 @@ "Pragma": [ "no-cache" ], "Vary": [ "Accept-Encoding" ], "x-ms-ratelimit-remaining-subscription-reads": [ "1099" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/a6a2b2e4-acbc-4149-a40a-4fa61c4f06bc" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/a6a2b2e4-acbc-4149-a40a-4fa61c4f06bc" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-ratelimit-remaining-subscription-global-reads": [ "16499" ], "x-ms-request-id": [ "36c5e6be-e37e-44d4-b2d4-f487acdbad4d" ], diff --git a/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelBookmarkRelation.Recording.json b/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelBookmarkRelation.Recording.json index e539855590c6..09b977d75244 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelBookmarkRelation.Recording.json +++ b/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelBookmarkRelation.Recording.json @@ -24,7 +24,7 @@ "Pragma": [ "no-cache" ], "Vary": [ "Accept-Encoding" ], "x-ms-ratelimit-remaining-subscription-reads": [ "1099" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/04c92b5a-f017-4eab-88d7-e17b4117bbf0" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/04c92b5a-f017-4eab-88d7-e17b4117bbf0" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-ratelimit-remaining-subscription-global-reads": [ "16499" ], "x-ms-request-id": [ "d57a06fc-5bad-4df1-9398-48f96a572038" ], @@ -69,7 +69,7 @@ "Pragma": [ "no-cache" ], "Vary": [ "Accept-Encoding" ], "x-ms-ratelimit-remaining-subscription-reads": [ "1099" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/55e33316-4311-4946-9a24-1a60ef3dcee0" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/55e33316-4311-4946-9a24-1a60ef3dcee0" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-ratelimit-remaining-subscription-global-reads": [ "16499" ], "x-ms-request-id": [ "7242ab76-7035-40b4-908e-bef04c9a99ac" ], @@ -114,7 +114,7 @@ "Pragma": [ "no-cache" ], "Vary": [ "Accept-Encoding" ], "x-ms-ratelimit-remaining-subscription-reads": [ "1099" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/c144bff3-71d4-4a90-bef6-894f778405b4" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/c144bff3-71d4-4a90-bef6-894f778405b4" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-ratelimit-remaining-subscription-global-reads": [ "16499" ], "x-ms-request-id": [ "f314a4aa-1f75-4da1-bb25-2aba25c4bebc" ], @@ -159,7 +159,7 @@ "Pragma": [ "no-cache" ], "Vary": [ "Accept-Encoding" ], "x-ms-ratelimit-remaining-subscription-reads": [ "1099" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/8c6412ef-b1a7-4588-a424-f19c40ddba71" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/8c6412ef-b1a7-4588-a424-f19c40ddba71" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-ratelimit-remaining-subscription-global-reads": [ "16499" ], "x-ms-request-id": [ "6dfcd9d9-295d-4dab-a480-dacbe221ae75" ], diff --git a/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelDataConnector.Recording.json b/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelDataConnector.Recording.json index a29a51cfdbda..79cf6c64896e 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelDataConnector.Recording.json +++ b/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelDataConnector.Recording.json @@ -24,7 +24,7 @@ "Pragma": [ "no-cache" ], "Vary": [ "Accept-Encoding" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "1099" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/c4185397-09c0-4382-b623-bc6f066e9245" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/c4185397-09c0-4382-b623-bc6f066e9245" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-request-id": [ "c6724b57-56af-4383-bb09-fdde0f1a8cde" ], "x-ms-correlation-request-id": [ "c6724b57-56af-4383-bb09-fdde0f1a8cde" ], @@ -68,7 +68,7 @@ "Pragma": [ "no-cache" ], "Vary": [ "Accept-Encoding" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "1099" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/0fcada71-84af-4981-a471-a4609054acf9" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/0fcada71-84af-4981-a471-a4609054acf9" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-request-id": [ "57dc2b02-10a9-4c71-8557-7be3c4f51eda" ], "x-ms-correlation-request-id": [ "57dc2b02-10a9-4c71-8557-7be3c4f51eda" ], @@ -112,7 +112,7 @@ "Pragma": [ "no-cache" ], "Vary": [ "Accept-Encoding" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "1099" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/6869c39a-f2bb-4857-b750-c6188e2360fe" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/6869c39a-f2bb-4857-b750-c6188e2360fe" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-request-id": [ "7f79ac9f-9ca3-4c54-b3c0-b1146ce1ce67" ], "x-ms-correlation-request-id": [ "7f79ac9f-9ca3-4c54-b3c0-b1146ce1ce67" ], @@ -156,7 +156,7 @@ "Pragma": [ "no-cache" ], "Vary": [ "Accept-Encoding" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "1099" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/bead0573-50cb-4649-8244-167a916ade7c" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/bead0573-50cb-4649-8244-167a916ade7c" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-request-id": [ "a82026fa-4a09-4162-87a7-b00d44594ee4" ], "x-ms-correlation-request-id": [ "a82026fa-4a09-4162-87a7-b00d44594ee4" ], diff --git a/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelEnrichment.Recording.json b/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelEnrichment.Recording.json index ebd4fc3a087f..351238678673 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelEnrichment.Recording.json +++ b/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelEnrichment.Recording.json @@ -24,7 +24,7 @@ "Pragma": [ "no-cache" ], "Vary": [ "Accept-Encoding" ], "x-ms-ratelimit-remaining-subscription-reads": [ "1098" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/ff329865-0f0b-46da-93b2-4451f396f492" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/ff329865-0f0b-46da-93b2-4451f396f492" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-ratelimit-remaining-subscription-global-reads": [ "16498" ], "x-ms-request-id": [ "5d43531a-33f1-4e3b-a263-ebb9e0cc06b7" ], @@ -69,7 +69,7 @@ "Pragma": [ "no-cache" ], "Vary": [ "Accept-Encoding" ], "x-ms-ratelimit-remaining-subscription-reads": [ "1099" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/ba995ec0-f20e-465b-b5cf-dfd2ad23ae68" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/ba995ec0-f20e-465b-b5cf-dfd2ad23ae68" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-ratelimit-remaining-subscription-global-reads": [ "16499" ], "x-ms-request-id": [ "e768bc93-29cd-4dd1-96c0-1844b9830ce1" ], diff --git a/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelEntity.Recording.json b/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelEntity.Recording.json index 90b42c9f5dfc..0f316b69ad20 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelEntity.Recording.json +++ b/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelEntity.Recording.json @@ -24,7 +24,7 @@ "Pragma": [ "no-cache" ], "Vary": [ "Accept-Encoding" ], "x-ms-ratelimit-remaining-subscription-reads": [ "1099" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/2f89040e-6c9f-409b-a827-1fb0ac8ab0f1" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/2f89040e-6c9f-409b-a827-1fb0ac8ab0f1" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-ratelimit-remaining-subscription-global-reads": [ "16499" ], "x-ms-request-id": [ "02f12bcb-4bd1-4487-98f1-f688a83f926c" ], @@ -69,7 +69,7 @@ "Pragma": [ "no-cache" ], "Vary": [ "Accept-Encoding" ], "x-ms-ratelimit-remaining-subscription-reads": [ "1099" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/538dc984-95c9-45bf-90bc-0b772964d777" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/538dc984-95c9-45bf-90bc-0b772964d777" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-ratelimit-remaining-subscription-global-reads": [ "16499" ], "x-ms-request-id": [ "8e841758-85d8-4352-a3f6-79b2ed471b09" ], @@ -114,7 +114,7 @@ "Pragma": [ "no-cache" ], "Vary": [ "Accept-Encoding" ], "x-ms-ratelimit-remaining-subscription-reads": [ "1099" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/da311e14-ccd3-4351-a795-02611defec83" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/da311e14-ccd3-4351-a795-02611defec83" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-ratelimit-remaining-subscription-global-reads": [ "16499" ], "x-ms-request-id": [ "2036b232-81e8-4d67-a6eb-d5d6cb52e3f7" ], @@ -159,7 +159,7 @@ "Pragma": [ "no-cache" ], "Vary": [ "Accept-Encoding" ], "x-ms-ratelimit-remaining-subscription-reads": [ "1099" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/3b8cbcf8-9a68-40f1-b60b-a1989d3a602e" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/3b8cbcf8-9a68-40f1-b60b-a1989d3a602e" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-ratelimit-remaining-subscription-global-reads": [ "16499" ], "x-ms-request-id": [ "0517749f-48b0-40ec-825d-787fd95dd4d9" ], @@ -204,7 +204,7 @@ "Pragma": [ "no-cache" ], "Vary": [ "Accept-Encoding" ], "x-ms-ratelimit-remaining-subscription-reads": [ "1098" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/a795e51c-a36f-4568-95ef-dd89a3251b61" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/a795e51c-a36f-4568-95ef-dd89a3251b61" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-ratelimit-remaining-subscription-global-reads": [ "16498" ], "x-ms-request-id": [ "9b109cb2-c2c3-45fc-8ffb-929dca4afcb8" ], @@ -249,7 +249,7 @@ "Pragma": [ "no-cache" ], "Vary": [ "Accept-Encoding" ], "x-ms-ratelimit-remaining-subscription-reads": [ "1099" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/3d57a4c3-08d9-4d54-bdb3-18f764930052" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/3d57a4c3-08d9-4d54-bdb3-18f764930052" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-ratelimit-remaining-subscription-global-reads": [ "16499" ], "x-ms-request-id": [ "6d868b0c-bb84-4435-92f7-f9ed0367aba9" ], diff --git a/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelEntityActivity.Recording.json b/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelEntityActivity.Recording.json index 0070a87e6fac..4dc36bf7b66d 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelEntityActivity.Recording.json +++ b/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelEntityActivity.Recording.json @@ -24,7 +24,7 @@ "Pragma": [ "no-cache" ], "Vary": [ "Accept-Encoding" ], "x-ms-ratelimit-remaining-subscription-reads": [ "1099" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/69001eab-7e43-4486-9634-1ca14d2faf51" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/69001eab-7e43-4486-9634-1ca14d2faf51" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-ratelimit-remaining-subscription-global-reads": [ "16499" ], "x-ms-request-id": [ "8cdbe236-e1f4-4534-ab6b-f9d00c0eb712" ], @@ -69,7 +69,7 @@ "Pragma": [ "no-cache" ], "Vary": [ "Accept-Encoding" ], "x-ms-ratelimit-remaining-subscription-reads": [ "1099" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/3b222d09-a0ac-4393-952c-89ae05f6a9ab" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/3b222d09-a0ac-4393-952c-89ae05f6a9ab" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-ratelimit-remaining-subscription-global-reads": [ "16499" ], "x-ms-request-id": [ "f46e154b-d9ed-4b58-8524-b729ac6a0f3a" ], diff --git a/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelEntityInsight.Recording.json b/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelEntityInsight.Recording.json index 84072f5754d8..d537c40b3a60 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelEntityInsight.Recording.json +++ b/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelEntityInsight.Recording.json @@ -24,7 +24,7 @@ "Pragma": [ "no-cache" ], "Vary": [ "Accept-Encoding" ], "x-ms-ratelimit-remaining-subscription-reads": [ "1099" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/e0eac561-6e86-45d2-9e05-04cd25081921" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/e0eac561-6e86-45d2-9e05-04cd25081921" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-ratelimit-remaining-subscription-global-reads": [ "16499" ], "x-ms-request-id": [ "59977389-eb13-4a47-bbde-b0f3e23cc95d" ], @@ -64,7 +64,7 @@ "Pragma": [ "no-cache" ], "Vary": [ "Accept-Encoding" ], "x-ms-ratelimit-remaining-subscription-reads": [ "1099" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/14dd244e-093f-4d98-b4fe-5d94da6ebca2" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/14dd244e-093f-4d98-b4fe-5d94da6ebca2" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-ratelimit-remaining-subscription-global-reads": [ "16499" ], "x-ms-request-id": [ "33a967a5-c022-44b2-be6e-b5000c82cb98" ], diff --git a/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelEntityQuery.Recording.json b/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelEntityQuery.Recording.json index 33ac51aaf9a8..594353525f6c 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelEntityQuery.Recording.json +++ b/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelEntityQuery.Recording.json @@ -24,7 +24,7 @@ "Pragma": [ "no-cache" ], "Vary": [ "Accept-Encoding" ], "x-ms-ratelimit-remaining-subscription-reads": [ "1099" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/5c11f4d4-4cf3-480f-9006-bf246bfb5f66" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/5c11f4d4-4cf3-480f-9006-bf246bfb5f66" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-ratelimit-remaining-subscription-global-reads": [ "16499" ], "x-ms-request-id": [ "c1ca1d3b-9765-4b35-8b69-8bc6c32c1406" ], @@ -69,7 +69,7 @@ "Pragma": [ "no-cache" ], "Vary": [ "Accept-Encoding" ], "x-ms-ratelimit-remaining-subscription-reads": [ "1099" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/e21c2edb-b16c-464e-938b-5e66faec015f" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/e21c2edb-b16c-464e-938b-5e66faec015f" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-ratelimit-remaining-subscription-global-reads": [ "16499" ], "x-ms-request-id": [ "f92df29f-ee6e-4292-a5e7-276bb5a03df9" ], @@ -114,7 +114,7 @@ "Pragma": [ "no-cache" ], "Vary": [ "Accept-Encoding" ], "x-ms-ratelimit-remaining-subscription-reads": [ "1099" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/f791a68b-3e49-442e-8538-cd097b670e1e" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/f791a68b-3e49-442e-8538-cd097b670e1e" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-ratelimit-remaining-subscription-global-reads": [ "16499" ], "x-ms-request-id": [ "db617224-6952-4e68-917a-6fea3d229f22" ], @@ -159,7 +159,7 @@ "Pragma": [ "no-cache" ], "Vary": [ "Accept-Encoding" ], "x-ms-ratelimit-remaining-subscription-reads": [ "1099" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/3bbb0da1-2aa6-41db-b110-9144ea499439" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/3bbb0da1-2aa6-41db-b110-9144ea499439" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-ratelimit-remaining-subscription-global-reads": [ "16499" ], "x-ms-request-id": [ "43c784f1-f818-433f-8a9c-8a3af024437d" ], diff --git a/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelEntityQueryTemplate.Recording.json b/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelEntityQueryTemplate.Recording.json index 3bc8fce4bd35..fddab734ebb8 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelEntityQueryTemplate.Recording.json +++ b/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelEntityQueryTemplate.Recording.json @@ -24,7 +24,7 @@ "Pragma": [ "no-cache" ], "Vary": [ "Accept-Encoding" ], "x-ms-ratelimit-remaining-subscription-reads": [ "1099" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/19eac245-5793-46d4-a863-fd095c783b80" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/19eac245-5793-46d4-a863-fd095c783b80" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-ratelimit-remaining-subscription-global-reads": [ "16499" ], "x-ms-request-id": [ "7849dc70-f619-4faf-bb61-e7bebded67a7" ], @@ -69,7 +69,7 @@ "Pragma": [ "no-cache" ], "Vary": [ "Accept-Encoding" ], "x-ms-ratelimit-remaining-subscription-reads": [ "1099" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/ee491c08-9677-4a58-a255-1e25f620b691" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/ee491c08-9677-4a58-a255-1e25f620b691" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-ratelimit-remaining-subscription-global-reads": [ "16499" ], "x-ms-request-id": [ "c469f15f-665c-4409-80f0-1ced9e0cb08a" ], @@ -114,7 +114,7 @@ "Pragma": [ "no-cache" ], "Vary": [ "Accept-Encoding" ], "x-ms-ratelimit-remaining-subscription-reads": [ "1099" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/3b2b553e-08b8-4988-85b3-4f77ec6cd061" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/3b2b553e-08b8-4988-85b3-4f77ec6cd061" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-ratelimit-remaining-subscription-global-reads": [ "16499" ], "x-ms-request-id": [ "7d7f9c37-fc0a-4873-b7a5-61bda2ae1479" ], diff --git a/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelEntityTimeline.Recording.json b/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelEntityTimeline.Recording.json index 367c327ea5b6..41d2dd378e35 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelEntityTimeline.Recording.json +++ b/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelEntityTimeline.Recording.json @@ -24,7 +24,7 @@ "Pragma": [ "no-cache" ], "Vary": [ "Accept-Encoding" ], "x-ms-ratelimit-remaining-subscription-reads": [ "1099" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/fa1eaea9-8789-49fc-83ef-16f1ddd17688" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/fa1eaea9-8789-49fc-83ef-16f1ddd17688" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-ratelimit-remaining-subscription-global-reads": [ "16499" ], "x-ms-request-id": [ "f5c6234e-9acc-4d19-8ac7-72a5f8ad71d2" ], @@ -62,7 +62,7 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/9117cb9c-dd6b-446d-a878-6646ce444752" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/9117cb9c-dd6b-446d-a878-6646ce444752" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-ratelimit-remaining-subscription-reads": [ "1099" ], "x-ms-ratelimit-remaining-subscription-global-reads": [ "16499" ], diff --git a/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelIncident.Recording.json b/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelIncident.Recording.json index d578b4683c83..fba2233eae2e 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelIncident.Recording.json +++ b/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelIncident.Recording.json @@ -24,7 +24,7 @@ "Pragma": [ "no-cache" ], "Vary": [ "Accept-Encoding" ], "x-ms-ratelimit-remaining-subscription-reads": [ "1099" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/ae536726-8f86-4e95-9636-51f84d31d437" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/ae536726-8f86-4e95-9636-51f84d31d437" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-ratelimit-remaining-subscription-global-reads": [ "16499" ], "x-ms-request-id": [ "0f1015ce-d7e9-4b7b-93b6-49531967fa10" ], @@ -69,7 +69,7 @@ "Pragma": [ "no-cache" ], "Vary": [ "Accept-Encoding" ], "x-ms-ratelimit-remaining-subscription-reads": [ "1099" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/a893026c-b66d-4b55-a17a-ce1400eed6dd" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/a893026c-b66d-4b55-a17a-ce1400eed6dd" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-ratelimit-remaining-subscription-global-reads": [ "16499" ], "x-ms-request-id": [ "7b9dfbc2-1dbb-4437-891e-43ba0b15ed48" ], @@ -114,7 +114,7 @@ "Pragma": [ "no-cache" ], "Vary": [ "Accept-Encoding" ], "x-ms-ratelimit-remaining-subscription-reads": [ "1099" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/de421bf6-6c99-4572-8636-87e5f9b3ecc1" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/de421bf6-6c99-4572-8636-87e5f9b3ecc1" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-ratelimit-remaining-subscription-global-reads": [ "16499" ], "x-ms-request-id": [ "617ec7d0-7c5b-4512-83b1-a76c2599168e" ], @@ -159,7 +159,7 @@ "Pragma": [ "no-cache" ], "Vary": [ "Accept-Encoding" ], "x-ms-ratelimit-remaining-subscription-reads": [ "1099" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/6caf1ef3-cd6e-4384-8477-04215df876a9" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/6caf1ef3-cd6e-4384-8477-04215df876a9" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-ratelimit-remaining-subscription-global-reads": [ "16499" ], "x-ms-request-id": [ "bc1e79ce-1c00-4737-8533-f516b6b65c13" ], diff --git a/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelIncidentAlert.Recording.json b/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelIncidentAlert.Recording.json index a32b6c5a893f..32f7aa8e74d9 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelIncidentAlert.Recording.json +++ b/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelIncidentAlert.Recording.json @@ -24,7 +24,7 @@ "Pragma": [ "no-cache" ], "Vary": [ "Accept-Encoding" ], "x-ms-ratelimit-remaining-subscription-reads": [ "1099" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/e65ff1fc-b7fd-4dfa-8bb7-3ac93c203678" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/e65ff1fc-b7fd-4dfa-8bb7-3ac93c203678" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-ratelimit-remaining-subscription-global-reads": [ "16499" ], "x-ms-request-id": [ "0f873af3-eb1c-41e8-935a-eeebd62569b0" ], @@ -69,7 +69,7 @@ "Pragma": [ "no-cache" ], "Vary": [ "Accept-Encoding" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "1099" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/7f364edf-8f38-4365-9314-ac50fbf76921" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/7f364edf-8f38-4365-9314-ac50fbf76921" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-request-id": [ "83f790b9-5e33-4686-808c-af07fa80ac7e" ], "x-ms-correlation-request-id": [ "83f790b9-5e33-4686-808c-af07fa80ac7e" ], diff --git a/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelIncidentBookmark.Recording.json b/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelIncidentBookmark.Recording.json index 7c02f6e51ffd..6d3eb2a00175 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelIncidentBookmark.Recording.json +++ b/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelIncidentBookmark.Recording.json @@ -24,7 +24,7 @@ "Pragma": [ "no-cache" ], "Vary": [ "Accept-Encoding" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "1099" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/92d5d857-2ada-4be1-9e06-0af489f424fe" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/92d5d857-2ada-4be1-9e06-0af489f424fe" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-request-id": [ "064bc1d6-5732-4532-951f-cb788c9ab2eb" ], "x-ms-correlation-request-id": [ "064bc1d6-5732-4532-951f-cb788c9ab2eb" ], diff --git a/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelIncidentComment.Recording.json b/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelIncidentComment.Recording.json index 391f4cf89be1..d937d58df0f7 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelIncidentComment.Recording.json +++ b/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelIncidentComment.Recording.json @@ -24,7 +24,7 @@ "Pragma": [ "no-cache" ], "Vary": [ "Accept-Encoding" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "1099" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/4ba3f04e-2b7c-42f5-a4e5-e8a0efab1cd6" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/4ba3f04e-2b7c-42f5-a4e5-e8a0efab1cd6" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-request-id": [ "4ca723a1-7d5c-4035-bf4c-8d5f298884da" ], "x-ms-correlation-request-id": [ "4ca723a1-7d5c-4035-bf4c-8d5f298884da" ], @@ -68,7 +68,7 @@ "Pragma": [ "no-cache" ], "Vary": [ "Accept-Encoding" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "1099" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/e33950d8-7dcf-42df-9a7a-650921483a6d" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/e33950d8-7dcf-42df-9a7a-650921483a6d" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-request-id": [ "2421d642-ff93-4540-abd6-cf46014f1ed6" ], "x-ms-correlation-request-id": [ "2421d642-ff93-4540-abd6-cf46014f1ed6" ], diff --git a/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelIncidentEntity.Recording.json b/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelIncidentEntity.Recording.json index e686bb6944f8..42781a6c6149 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelIncidentEntity.Recording.json +++ b/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelIncidentEntity.Recording.json @@ -24,7 +24,7 @@ "Pragma": [ "no-cache" ], "Vary": [ "Accept-Encoding" ], "x-ms-ratelimit-remaining-subscription-reads": [ "1099" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/5edde32a-df4d-4a5f-a6c9-e5751b8f6462" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/5edde32a-df4d-4a5f-a6c9-e5751b8f6462" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-ratelimit-remaining-subscription-global-reads": [ "16499" ], "x-ms-request-id": [ "3ad64e12-924f-4179-8582-828b212e5a7c" ], @@ -69,7 +69,7 @@ "Pragma": [ "no-cache" ], "Vary": [ "Accept-Encoding" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "1099" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/039fce24-0924-4650-a00d-75a1cad39459" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/039fce24-0924-4650-a00d-75a1cad39459" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-request-id": [ "eacb993e-52a4-4361-93c1-8636f240a3d7" ], "x-ms-correlation-request-id": [ "eacb993e-52a4-4361-93c1-8636f240a3d7" ], diff --git a/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelIncidentRelation.Recording.json b/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelIncidentRelation.Recording.json index 7f6766cef776..2e83da9dc852 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelIncidentRelation.Recording.json +++ b/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelIncidentRelation.Recording.json @@ -24,7 +24,7 @@ "Pragma": [ "no-cache" ], "Vary": [ "Accept-Encoding" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "1099" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/180c2c04-76f0-41e6-9d8e-24bcaaa703bd" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/180c2c04-76f0-41e6-9d8e-24bcaaa703bd" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-request-id": [ "b6e072ac-99f8-4656-af59-caaf55514719" ], "x-ms-correlation-request-id": [ "b6e072ac-99f8-4656-af59-caaf55514719" ], @@ -68,7 +68,7 @@ "Pragma": [ "no-cache" ], "Vary": [ "Accept-Encoding" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "1099" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/2ca1f19f-e896-4111-ae4d-c2f0fe0a743f" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/2ca1f19f-e896-4111-ae4d-c2f0fe0a743f" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-request-id": [ "a0e4e32d-11ce-4d8b-ac57-e7d153229d98" ], "x-ms-correlation-request-id": [ "a0e4e32d-11ce-4d8b-ac57-e7d153229d98" ], @@ -112,7 +112,7 @@ "Pragma": [ "no-cache" ], "Vary": [ "Accept-Encoding" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "1099" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/850b82e4-cb1a-4a3d-b792-f4ab824c3b50" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/850b82e4-cb1a-4a3d-b792-f4ab824c3b50" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-request-id": [ "cdf3f05f-e3dd-4976-88bb-d6ceb5aa6c89" ], "x-ms-correlation-request-id": [ "cdf3f05f-e3dd-4976-88bb-d6ceb5aa6c89" ], @@ -156,7 +156,7 @@ "Pragma": [ "no-cache" ], "Vary": [ "Accept-Encoding" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "1098" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/825f4b98-958e-4cee-a1a7-574132dae508" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/825f4b98-958e-4cee-a1a7-574132dae508" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-request-id": [ "1075d844-263f-450a-b494-9567c63ef03b" ], "x-ms-correlation-request-id": [ "1075d844-263f-450a-b494-9567c63ef03b" ], diff --git a/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelMetadata.Recording.json b/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelMetadata.Recording.json index 4e0e12c94b4e..be79607642f2 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelMetadata.Recording.json +++ b/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelMetadata.Recording.json @@ -24,7 +24,7 @@ "Pragma": [ "no-cache" ], "Vary": [ "Accept-Encoding" ], "x-ms-ratelimit-remaining-subscription-reads": [ "1099" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/b83949c4-9a36-4b37-a761-bd67ddeac771" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/b83949c4-9a36-4b37-a761-bd67ddeac771" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-ratelimit-remaining-subscription-global-reads": [ "16499" ], "x-ms-request-id": [ "afdbd5ae-4606-483c-afba-bef96445f78d" ], @@ -69,7 +69,7 @@ "Pragma": [ "no-cache" ], "Vary": [ "Accept-Encoding" ], "x-ms-ratelimit-remaining-subscription-reads": [ "1099" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/3b50c860-1b48-4cc9-9a6b-5ee913cc9a02" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/3b50c860-1b48-4cc9-9a6b-5ee913cc9a02" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-ratelimit-remaining-subscription-global-reads": [ "16499" ], "x-ms-request-id": [ "addefe76-344f-423b-b91b-186f55f077e6" ], @@ -114,7 +114,7 @@ "Pragma": [ "no-cache" ], "Vary": [ "Accept-Encoding" ], "x-ms-ratelimit-remaining-subscription-reads": [ "1099" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/4c9cf9d7-7c01-4f47-864f-37944eed2634" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/4c9cf9d7-7c01-4f47-864f-37944eed2634" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-ratelimit-remaining-subscription-global-reads": [ "16499" ], "x-ms-request-id": [ "8cba9940-1890-4200-9ce8-642a373385cb" ], @@ -159,7 +159,7 @@ "Pragma": [ "no-cache" ], "Vary": [ "Accept-Encoding" ], "x-ms-ratelimit-remaining-subscription-reads": [ "1099" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/b0b88d28-503d-46d4-bee9-160a4612da50" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/b0b88d28-503d-46d4-bee9-160a4612da50" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-ratelimit-remaining-subscription-global-reads": [ "16499" ], "x-ms-request-id": [ "3e94724a-da4d-4458-91b6-a2367940131c" ], diff --git a/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelOnboardingState.Recording.json b/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelOnboardingState.Recording.json index 106b1d8e0063..82ad98f288eb 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelOnboardingState.Recording.json +++ b/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelOnboardingState.Recording.json @@ -24,7 +24,7 @@ "Pragma": [ "no-cache" ], "Vary": [ "Accept-Encoding" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "1099" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/3e2756f0-b427-461d-9a70-9e9cdbd51567" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/3e2756f0-b427-461d-9a70-9e9cdbd51567" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-request-id": [ "f8a571f1-074a-4526-be89-528fd3e7e2ca" ], "x-ms-correlation-request-id": [ "f8a571f1-074a-4526-be89-528fd3e7e2ca" ], @@ -68,7 +68,7 @@ "Pragma": [ "no-cache" ], "Vary": [ "Accept-Encoding" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "1099" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/a675d6f0-04ea-4b8e-a826-d47f6c898892" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/a675d6f0-04ea-4b8e-a826-d47f6c898892" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-request-id": [ "9450d677-ea1e-47c2-b8aa-f466adc2469d" ], "x-ms-correlation-request-id": [ "9450d677-ea1e-47c2-b8aa-f466adc2469d" ], @@ -112,7 +112,7 @@ "Pragma": [ "no-cache" ], "Vary": [ "Accept-Encoding" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "1099" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/ecbaf493-eeb9-47b7-a0fa-6a99c4fc5088" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/ecbaf493-eeb9-47b7-a0fa-6a99c4fc5088" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-request-id": [ "9409c4e2-9e30-439d-ab20-938b92e2869b" ], "x-ms-correlation-request-id": [ "9409c4e2-9e30-439d-ab20-938b92e2869b" ], @@ -156,7 +156,7 @@ "Pragma": [ "no-cache" ], "Vary": [ "Accept-Encoding" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "1099" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/037dfcb0-8bfe-43ed-bfd7-aa575b05fc07" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/037dfcb0-8bfe-43ed-bfd7-aa575b05fc07" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-request-id": [ "ae457329-7df9-4265-9b33-b768368073cf" ], "x-ms-correlation-request-id": [ "ae457329-7df9-4265-9b33-b768368073cf" ], diff --git a/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelSetting.Recording.json b/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelSetting.Recording.json index c4df8c510c73..ebf11c1919c2 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelSetting.Recording.json +++ b/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelSetting.Recording.json @@ -24,7 +24,7 @@ "Pragma": [ "no-cache" ], "Vary": [ "Accept-Encoding" ], "x-ms-ratelimit-remaining-subscription-reads": [ "1099" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/256968e6-9688-4d1b-b7fd-80818c68d58f" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/256968e6-9688-4d1b-b7fd-80818c68d58f" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-ratelimit-remaining-subscription-global-reads": [ "16499" ], "x-ms-request-id": [ "ea5efa5a-b52d-4063-a533-095472662543" ], @@ -69,7 +69,7 @@ "Pragma": [ "no-cache" ], "Vary": [ "Accept-Encoding" ], "x-ms-ratelimit-remaining-subscription-reads": [ "1099" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/da4b3997-8736-4609-838b-2d10aca07dc9" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/da4b3997-8736-4609-838b-2d10aca07dc9" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-ratelimit-remaining-subscription-global-reads": [ "16499" ], "x-ms-request-id": [ "b125a7e0-b0a1-4bef-9df1-8994f050abc6" ], diff --git a/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelThreatIntelligenceIndicator.Recording.json b/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelThreatIntelligenceIndicator.Recording.json index 70b9ac5ebf3c..91964e5bd394 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelThreatIntelligenceIndicator.Recording.json +++ b/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelThreatIntelligenceIndicator.Recording.json @@ -24,7 +24,7 @@ "Pragma": [ "no-cache" ], "Vary": [ "Accept-Encoding" ], "x-ms-ratelimit-remaining-subscription-reads": [ "1099" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/455dcfad-6a13-40c6-a642-aaa27162007a" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/455dcfad-6a13-40c6-a642-aaa27162007a" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-ratelimit-remaining-subscription-global-reads": [ "16499" ], "x-ms-request-id": [ "25d33e72-acb8-463f-9128-a8afbcd4517f" ], @@ -69,7 +69,7 @@ "Pragma": [ "no-cache" ], "Vary": [ "Accept-Encoding" ], "x-ms-ratelimit-remaining-subscription-reads": [ "1099" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/df9d6788-9da1-4c07-9a97-68666143bc1a" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/df9d6788-9da1-4c07-9a97-68666143bc1a" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-ratelimit-remaining-subscription-global-reads": [ "16499" ], "x-ms-request-id": [ "3da437f0-79f3-46ec-abeb-3c67be203b42" ], diff --git a/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelThreatIntelligenceIndicatorMetric.Recording.json b/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelThreatIntelligenceIndicatorMetric.Recording.json index e87a58a78d58..b6a4097348b7 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelThreatIntelligenceIndicatorMetric.Recording.json +++ b/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelThreatIntelligenceIndicatorMetric.Recording.json @@ -24,7 +24,7 @@ "Pragma": [ "no-cache" ], "Vary": [ "Accept-Encoding" ], "x-ms-ratelimit-remaining-subscription-reads": [ "1099" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/c935246b-2493-429f-aaca-9c5dd18954a2" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/c935246b-2493-429f-aaca-9c5dd18954a2" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-ratelimit-remaining-subscription-global-reads": [ "16499" ], "x-ms-request-id": [ "333c83bf-4668-4a28-b407-93418fe28740" ], diff --git a/src/SecurityInsights/SecurityInsights.Autorest/test/Invoke-AzSentinelThreatIntelligenceIndicatorQuery.Recording.json b/src/SecurityInsights/SecurityInsights.Autorest/test/Invoke-AzSentinelThreatIntelligenceIndicatorQuery.Recording.json index 6220abe3e7d0..55192c3e7257 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/test/Invoke-AzSentinelThreatIntelligenceIndicatorQuery.Recording.json +++ b/src/SecurityInsights/SecurityInsights.Autorest/test/Invoke-AzSentinelThreatIntelligenceIndicatorQuery.Recording.json @@ -19,7 +19,7 @@ "Pragma": [ "no-cache" ], "Vary": [ "Accept-Encoding" ], "x-ms-ratelimit-remaining-subscription-reads": [ "1099" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/24899ed6-74c5-4270-85e5-6a91ed3814a6" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/24899ed6-74c5-4270-85e5-6a91ed3814a6" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-ratelimit-remaining-subscription-global-reads": [ "16499" ], "x-ms-request-id": [ "5393897a-c74b-4f56-934e-29db43ec9e8d" ], diff --git a/src/SecurityInsights/SecurityInsights.Autorest/test/New-AzSentinelAlertRule.Recording.json b/src/SecurityInsights/SecurityInsights.Autorest/test/New-AzSentinelAlertRule.Recording.json index 4500a814d42b..d5a73b2a2c5e 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/test/New-AzSentinelAlertRule.Recording.json +++ b/src/SecurityInsights/SecurityInsights.Autorest/test/New-AzSentinelAlertRule.Recording.json @@ -17,7 +17,7 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/f3ed1719-6f4b-40ee-8a2a-e0f6abb472ec" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/f3ed1719-6f4b-40ee-8a2a-e0f6abb472ec" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-ratelimit-remaining-subscription-writes": [ "799" ], "x-ms-ratelimit-remaining-subscription-global-writes": [ "11999" ], diff --git a/src/SecurityInsights/SecurityInsights.Autorest/test/New-AzSentinelAlertRuleAction.Recording.json b/src/SecurityInsights/SecurityInsights.Autorest/test/New-AzSentinelAlertRuleAction.Recording.json index 6c923be30e8d..036049818892 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/test/New-AzSentinelAlertRuleAction.Recording.json +++ b/src/SecurityInsights/SecurityInsights.Autorest/test/New-AzSentinelAlertRuleAction.Recording.json @@ -17,7 +17,7 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/9d2ef7d1-d185-4c60-bb2a-45d3e8c8c1ee" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/9d2ef7d1-d185-4c60-bb2a-45d3e8c8c1ee" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-ratelimit-remaining-subscription-writes": [ "799" ], "x-ms-ratelimit-remaining-subscription-global-writes": [ "11999" ], @@ -56,7 +56,7 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/17a9fc58-82fe-44a7-aea0-c0ea0aa3fc06" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/17a9fc58-82fe-44a7-aea0-c0ea0aa3fc06" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "799" ], "x-ms-request-id": [ "c9e03116-7edc-4439-a2f3-3607712eccc3" ], diff --git a/src/SecurityInsights/SecurityInsights.Autorest/test/New-AzSentinelAutomationRule.Recording.json b/src/SecurityInsights/SecurityInsights.Autorest/test/New-AzSentinelAutomationRule.Recording.json index 214ecdd086cf..01f04726819d 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/test/New-AzSentinelAutomationRule.Recording.json +++ b/src/SecurityInsights/SecurityInsights.Autorest/test/New-AzSentinelAutomationRule.Recording.json @@ -17,7 +17,7 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/373367a3-4791-4ca8-b486-5a56b8fea2b1" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/373367a3-4791-4ca8-b486-5a56b8fea2b1" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "799" ], "x-ms-request-id": [ "5b82cd9a-4a58-4eda-a20a-fe08024cffd8" ], diff --git a/src/SecurityInsights/SecurityInsights.Autorest/test/New-AzSentinelBookmark.Recording.json b/src/SecurityInsights/SecurityInsights.Autorest/test/New-AzSentinelBookmark.Recording.json index 1619753f79d9..34370567698d 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/test/New-AzSentinelBookmark.Recording.json +++ b/src/SecurityInsights/SecurityInsights.Autorest/test/New-AzSentinelBookmark.Recording.json @@ -19,7 +19,7 @@ "Pragma": [ "no-cache" ], "Vary": [ "Accept-Encoding" ], "x-ms-ratelimit-remaining-subscription-writes": [ "799" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/ad22d93f-fe07-4106-82db-b962cb424a2d" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/ad22d93f-fe07-4106-82db-b962cb424a2d" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-ratelimit-remaining-subscription-global-writes": [ "11999" ], "x-ms-request-id": [ "6d812520-f7bd-4997-8638-2b18a2578079" ], diff --git a/src/SecurityInsights/SecurityInsights.Autorest/test/New-AzSentinelBookmarkRelation.Recording.json b/src/SecurityInsights/SecurityInsights.Autorest/test/New-AzSentinelBookmarkRelation.Recording.json index e26c07b3f06d..7a55af2f6229 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/test/New-AzSentinelBookmarkRelation.Recording.json +++ b/src/SecurityInsights/SecurityInsights.Autorest/test/New-AzSentinelBookmarkRelation.Recording.json @@ -19,7 +19,7 @@ "Pragma": [ "no-cache" ], "Vary": [ "Accept-Encoding" ], "x-ms-ratelimit-remaining-subscription-writes": [ "799" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/213c2f63-31ec-4d9b-a459-2864f6bc20c1" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/213c2f63-31ec-4d9b-a459-2864f6bc20c1" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-ratelimit-remaining-subscription-global-writes": [ "11999" ], "x-ms-request-id": [ "f61e57c0-71b3-4f57-ac40-781be259d047" ], @@ -57,7 +57,7 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/f2fdc57c-3092-44d7-ae73-1fad1021bd35" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/f2fdc57c-3092-44d7-ae73-1fad1021bd35" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "799" ], "x-ms-request-id": [ "526a01ef-f27e-4979-8106-35fb6cad80d3" ], @@ -97,7 +97,7 @@ "Pragma": [ "no-cache" ], "Vary": [ "Accept-Encoding" ], "x-ms-ratelimit-remaining-subscription-writes": [ "799" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/075335e5-cf01-4ddf-b37e-66fc22269ffc" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/075335e5-cf01-4ddf-b37e-66fc22269ffc" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-ratelimit-remaining-subscription-global-writes": [ "11999" ], "x-ms-request-id": [ "13d0faed-bc66-4175-a0c6-e05c3d9db3d3" ], diff --git a/src/SecurityInsights/SecurityInsights.Autorest/test/New-AzSentinelDataConnector.Recording.json b/src/SecurityInsights/SecurityInsights.Autorest/test/New-AzSentinelDataConnector.Recording.json index 8806eaff5d60..9a98447d063c 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/test/New-AzSentinelDataConnector.Recording.json +++ b/src/SecurityInsights/SecurityInsights.Autorest/test/New-AzSentinelDataConnector.Recording.json @@ -17,7 +17,7 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/16a4677e-929a-465b-bd89-2343a8a9ba1c" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/16a4677e-929a-465b-bd89-2343a8a9ba1c" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "799" ], "x-ms-request-id": [ "3e21bcfe-7d8b-49fb-aa50-1403bc7abb10" ], diff --git a/src/SecurityInsights/SecurityInsights.Autorest/test/New-AzSentinelEntityQuery.Recording.json b/src/SecurityInsights/SecurityInsights.Autorest/test/New-AzSentinelEntityQuery.Recording.json index 20c5c5d59b24..23f5e01bcda9 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/test/New-AzSentinelEntityQuery.Recording.json +++ b/src/SecurityInsights/SecurityInsights.Autorest/test/New-AzSentinelEntityQuery.Recording.json @@ -17,7 +17,7 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/868696cf-c8d3-459c-afe8-132afa39639d" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/868696cf-c8d3-459c-afe8-132afa39639d" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-ratelimit-remaining-subscription-writes": [ "798" ], "x-ms-ratelimit-remaining-subscription-global-writes": [ "11998" ], diff --git a/src/SecurityInsights/SecurityInsights.Autorest/test/New-AzSentinelIncident.Recording.json b/src/SecurityInsights/SecurityInsights.Autorest/test/New-AzSentinelIncident.Recording.json index fe1f88b788fc..8afbddb8b4f1 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/test/New-AzSentinelIncident.Recording.json +++ b/src/SecurityInsights/SecurityInsights.Autorest/test/New-AzSentinelIncident.Recording.json @@ -17,7 +17,7 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/e740f8cc-807c-4a80-9d2f-c677027290b9" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/e740f8cc-807c-4a80-9d2f-c677027290b9" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "799" ], "x-ms-request-id": [ "4c3d709d-e8d0-4d7e-8b82-8ffad00465d5" ], diff --git a/src/SecurityInsights/SecurityInsights.Autorest/test/New-AzSentinelIncidentComment.Recording.json b/src/SecurityInsights/SecurityInsights.Autorest/test/New-AzSentinelIncidentComment.Recording.json index 8a6000685978..ca9e194996be 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/test/New-AzSentinelIncidentComment.Recording.json +++ b/src/SecurityInsights/SecurityInsights.Autorest/test/New-AzSentinelIncidentComment.Recording.json @@ -17,7 +17,7 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/787e471e-9f83-422a-a495-dd273d7c907f" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/787e471e-9f83-422a-a495-dd273d7c907f" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "799" ], "x-ms-request-id": [ "ffec7b04-66e2-4a6c-880d-ed1287a31a1e" ], @@ -55,7 +55,7 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/42cd95f5-8d4a-43de-b203-db8bd17a1c5a" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/42cd95f5-8d4a-43de-b203-db8bd17a1c5a" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "799" ], "x-ms-request-id": [ "fe76b6c6-9ca4-4fc1-a824-386a73c68bb6" ], diff --git a/src/SecurityInsights/SecurityInsights.Autorest/test/New-AzSentinelIncidentRelation.Recording.json b/src/SecurityInsights/SecurityInsights.Autorest/test/New-AzSentinelIncidentRelation.Recording.json index fe68d3d3b9c3..15a67d9d04cb 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/test/New-AzSentinelIncidentRelation.Recording.json +++ b/src/SecurityInsights/SecurityInsights.Autorest/test/New-AzSentinelIncidentRelation.Recording.json @@ -19,7 +19,7 @@ "Pragma": [ "no-cache" ], "Vary": [ "Accept-Encoding" ], "x-ms-ratelimit-remaining-subscription-writes": [ "799" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/718b66db-12a2-48ec-b90d-43e8c894d15f" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/718b66db-12a2-48ec-b90d-43e8c894d15f" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-ratelimit-remaining-subscription-global-writes": [ "11999" ], "x-ms-request-id": [ "d01f2014-517b-4345-b931-930ef67e7022" ], @@ -57,7 +57,7 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/5fdab8b1-4c39-46ac-ac14-0b3c3fbc9c0d" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/5fdab8b1-4c39-46ac-ac14-0b3c3fbc9c0d" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "799" ], "x-ms-request-id": [ "18bb9481-de7f-47c1-8b59-b4197af3c6e2" ], @@ -97,7 +97,7 @@ "Pragma": [ "no-cache" ], "Vary": [ "Accept-Encoding" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "799" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/07999c5c-a0f1-44cd-b4a6-6511a4fa4d83" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/07999c5c-a0f1-44cd-b4a6-6511a4fa4d83" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-request-id": [ "a627b3b2-9587-43b3-91d0-8a1f35527ceb" ], "x-ms-correlation-request-id": [ "a627b3b2-9587-43b3-91d0-8a1f35527ceb" ], diff --git a/src/SecurityInsights/SecurityInsights.Autorest/test/New-AzSentinelIncidentTeam.Recording.json b/src/SecurityInsights/SecurityInsights.Autorest/test/New-AzSentinelIncidentTeam.Recording.json index 9ca6a0b51f75..f46f85593733 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/test/New-AzSentinelIncidentTeam.Recording.json +++ b/src/SecurityInsights/SecurityInsights.Autorest/test/New-AzSentinelIncidentTeam.Recording.json @@ -17,7 +17,7 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/ff25c3f9-b0d1-4dcb-8805-73aa9ecb0c8b" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/ff25c3f9-b0d1-4dcb-8805-73aa9ecb0c8b" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "799" ], "x-ms-request-id": [ "559e99fb-cf5c-49b4-ab1b-0a6b50c20824" ], @@ -57,7 +57,7 @@ "Pragma": [ "no-cache" ], "Vary": [ "Accept-Encoding" ], "x-ms-ratelimit-remaining-subscription-writes": [ "799" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/af46eb85-be58-445b-984c-c8ef0938b91f" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/af46eb85-be58-445b-984c-c8ef0938b91f" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-ratelimit-remaining-subscription-global-writes": [ "11999" ], "x-ms-request-id": [ "945aa154-ba49-4af2-bc7e-a2de2a08d8b4" ], diff --git a/src/SecurityInsights/SecurityInsights.Autorest/test/Remove-AzSentinelAlertRule.Recording.json b/src/SecurityInsights/SecurityInsights.Autorest/test/Remove-AzSentinelAlertRule.Recording.json index 7f9c611c844d..b8fc7780b33c 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/test/Remove-AzSentinelAlertRule.Recording.json +++ b/src/SecurityInsights/SecurityInsights.Autorest/test/Remove-AzSentinelAlertRule.Recording.json @@ -22,7 +22,7 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/63eaad62-e08e-47c8-9e57-31ab96e5d5cb" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/63eaad62-e08e-47c8-9e57-31ab96e5d5cb" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-ratelimit-remaining-subscription-deletes": [ "799" ], "x-ms-ratelimit-remaining-subscription-global-deletes": [ "11999" ], @@ -68,7 +68,7 @@ "Pragma": [ "no-cache" ], "Vary": [ "Accept-Encoding" ], "x-ms-ratelimit-remaining-subscription-reads": [ "1099" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/2db76989-38e7-4688-825b-6bc2f7402d3c" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/2db76989-38e7-4688-825b-6bc2f7402d3c" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-ratelimit-remaining-subscription-global-reads": [ "16499" ], "x-ms-request-id": [ "1d880362-e3e7-4463-8655-8a83c38bb84b" ], @@ -111,7 +111,7 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/0121e9a3-b6c6-43cc-8b82-594e7918414c" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/0121e9a3-b6c6-43cc-8b82-594e7918414c" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-ratelimit-remaining-subscription-deletes": [ "799" ], "x-ms-ratelimit-remaining-subscription-global-deletes": [ "11999" ], diff --git a/src/SecurityInsights/SecurityInsights.Autorest/test/Remove-AzSentinelAlertRuleAction.Recording.json b/src/SecurityInsights/SecurityInsights.Autorest/test/Remove-AzSentinelAlertRuleAction.Recording.json index 26e6ae84033f..2efa79d3e98e 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/test/Remove-AzSentinelAlertRuleAction.Recording.json +++ b/src/SecurityInsights/SecurityInsights.Autorest/test/Remove-AzSentinelAlertRuleAction.Recording.json @@ -22,7 +22,7 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/d2409ff1-a7d7-4bf1-94b6-2c3a19d60ee0" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/d2409ff1-a7d7-4bf1-94b6-2c3a19d60ee0" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-ratelimit-remaining-subscription-deletes": [ "798" ], "x-ms-ratelimit-remaining-subscription-global-deletes": [ "11998" ], @@ -67,7 +67,7 @@ "Pragma": [ "no-cache" ], "Vary": [ "Accept-Encoding" ], "x-ms-ratelimit-remaining-subscription-reads": [ "1099" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/2b057b6e-bd59-467d-b4d8-1b8ecc78421b" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/2b057b6e-bd59-467d-b4d8-1b8ecc78421b" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-ratelimit-remaining-subscription-global-reads": [ "16499" ], "x-ms-request-id": [ "cbf23d1c-7898-473f-ada8-c03c82d32fe7" ], @@ -110,7 +110,7 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/0ab7b327-0db6-45cb-8649-d7fb27762c45" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/0ab7b327-0db6-45cb-8649-d7fb27762c45" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-ratelimit-remaining-subscription-deletes": [ "799" ], "x-ms-ratelimit-remaining-subscription-global-deletes": [ "11999" ], diff --git a/src/SecurityInsights/SecurityInsights.Autorest/test/Remove-AzSentinelAutomationRule.Recording.json b/src/SecurityInsights/SecurityInsights.Autorest/test/Remove-AzSentinelAutomationRule.Recording.json index 854ea4c23310..f50ea99a6836 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/test/Remove-AzSentinelAutomationRule.Recording.json +++ b/src/SecurityInsights/SecurityInsights.Autorest/test/Remove-AzSentinelAutomationRule.Recording.json @@ -22,7 +22,7 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/2725fb21-f160-4180-ba01-fcb50837ce76" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/2725fb21-f160-4180-ba01-fcb50837ce76" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-ratelimit-remaining-subscription-deletes": [ "799" ], "x-ms-ratelimit-remaining-subscription-global-deletes": [ "11999" ], @@ -68,7 +68,7 @@ "Pragma": [ "no-cache" ], "Vary": [ "Accept-Encoding" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "1099" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/593c6c37-5aa0-4c00-bc9a-7367d71f5ee9" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/593c6c37-5aa0-4c00-bc9a-7367d71f5ee9" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-request-id": [ "48308be9-6680-41c7-85c7-be5155a508e2" ], "x-ms-correlation-request-id": [ "48308be9-6680-41c7-85c7-be5155a508e2" ], @@ -110,7 +110,7 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/7a9167b6-07d9-4167-9f60-c42eff954e91" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/7a9167b6-07d9-4167-9f60-c42eff954e91" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-ratelimit-remaining-subscription-deletes": [ "799" ], "x-ms-ratelimit-remaining-subscription-global-deletes": [ "11999" ], diff --git a/src/SecurityInsights/SecurityInsights.Autorest/test/Remove-AzSentinelBookmark.Recording.json b/src/SecurityInsights/SecurityInsights.Autorest/test/Remove-AzSentinelBookmark.Recording.json index 178cf2e911ac..f9fd8021d5d0 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/test/Remove-AzSentinelBookmark.Recording.json +++ b/src/SecurityInsights/SecurityInsights.Autorest/test/Remove-AzSentinelBookmark.Recording.json @@ -22,7 +22,7 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/e886e705-0b79-4ca2-a60a-3d8d47865b6d" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/e886e705-0b79-4ca2-a60a-3d8d47865b6d" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-ratelimit-remaining-subscription-deletes": [ "799" ], "x-ms-ratelimit-remaining-subscription-global-deletes": [ "11999" ], @@ -68,7 +68,7 @@ "Pragma": [ "no-cache" ], "Vary": [ "Accept-Encoding" ], "x-ms-ratelimit-remaining-subscription-reads": [ "1099" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/af42a483-8b75-4cb7-81b6-9889b16a3eea" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/af42a483-8b75-4cb7-81b6-9889b16a3eea" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-ratelimit-remaining-subscription-global-reads": [ "16499" ], "x-ms-request-id": [ "182c332b-c6b3-4099-ab6c-63a76f753a45" ], @@ -111,7 +111,7 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/7655f3c9-e053-4c02-89c6-ad4094955187" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/7655f3c9-e053-4c02-89c6-ad4094955187" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-ratelimit-remaining-subscription-deletes": [ "798" ], "x-ms-ratelimit-remaining-subscription-global-deletes": [ "11998" ], diff --git a/src/SecurityInsights/SecurityInsights.Autorest/test/Remove-AzSentinelBookmarkRelation.Recording.json b/src/SecurityInsights/SecurityInsights.Autorest/test/Remove-AzSentinelBookmarkRelation.Recording.json index 5ed8b08759cf..f604b085ba92 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/test/Remove-AzSentinelBookmarkRelation.Recording.json +++ b/src/SecurityInsights/SecurityInsights.Autorest/test/Remove-AzSentinelBookmarkRelation.Recording.json @@ -22,7 +22,7 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/05632fb3-bbe5-46b0-b514-8bc7b68231e4" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/05632fb3-bbe5-46b0-b514-8bc7b68231e4" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-ratelimit-remaining-subscription-deletes": [ "799" ], "x-ms-ratelimit-remaining-subscription-global-deletes": [ "11999" ], @@ -68,7 +68,7 @@ "Pragma": [ "no-cache" ], "Vary": [ "Accept-Encoding" ], "x-ms-ratelimit-remaining-subscription-reads": [ "1099" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/8480afa3-5ccd-42b2-aca6-45c849826e69" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/8480afa3-5ccd-42b2-aca6-45c849826e69" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-ratelimit-remaining-subscription-global-reads": [ "16499" ], "x-ms-request-id": [ "79348f1e-c1f7-4de0-acde-6247189bedd4" ], @@ -111,7 +111,7 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/f0ba3ae5-da0b-4c2f-aaff-676ccddf5e77" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/f0ba3ae5-da0b-4c2f-aaff-676ccddf5e77" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-ratelimit-remaining-subscription-deletes": [ "798" ], "x-ms-ratelimit-remaining-subscription-global-deletes": [ "11998" ], diff --git a/src/SecurityInsights/SecurityInsights.Autorest/test/Remove-AzSentinelDataConnector.Recording.json b/src/SecurityInsights/SecurityInsights.Autorest/test/Remove-AzSentinelDataConnector.Recording.json index 49300a5a8e27..85ec29266e2e 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/test/Remove-AzSentinelDataConnector.Recording.json +++ b/src/SecurityInsights/SecurityInsights.Autorest/test/Remove-AzSentinelDataConnector.Recording.json @@ -17,7 +17,7 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/0af50f8b-533f-474e-92a1-23e62e6be6cb" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/0af50f8b-533f-474e-92a1-23e62e6be6cb" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "799" ], "x-ms-request-id": [ "7bc198d7-14c0-4007-b1b3-43409b864bc7" ], @@ -60,7 +60,7 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/bf544b19-63c3-4117-8f22-ccbc4d221d53" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/bf544b19-63c3-4117-8f22-ccbc4d221d53" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "799" ], "x-ms-request-id": [ "829e6c9f-8d5a-4b99-9d36-edcfec8a9821" ], @@ -98,7 +98,7 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/bed4a884-4259-4d0f-989e-00d9a02baef6" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/bed4a884-4259-4d0f-989e-00d9a02baef6" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "799" ], "x-ms-request-id": [ "4165be9e-3da4-4d90-9024-8b35950bf7b2" ], @@ -141,7 +141,7 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/63e6ceee-5f2d-4962-9784-b295d4034392" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/63e6ceee-5f2d-4962-9784-b295d4034392" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "799" ], "x-ms-request-id": [ "2a48e5f7-9bf6-48bb-9b5a-9baedb089327" ], diff --git a/src/SecurityInsights/SecurityInsights.Autorest/test/Remove-AzSentinelEntityQuery.Recording.json b/src/SecurityInsights/SecurityInsights.Autorest/test/Remove-AzSentinelEntityQuery.Recording.json index 4e52b3686d3f..6160b4c1d639 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/test/Remove-AzSentinelEntityQuery.Recording.json +++ b/src/SecurityInsights/SecurityInsights.Autorest/test/Remove-AzSentinelEntityQuery.Recording.json @@ -22,7 +22,7 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/6d618406-eff7-471b-86b1-fed7aa60fc6d" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/6d618406-eff7-471b-86b1-fed7aa60fc6d" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-ratelimit-remaining-subscription-deletes": [ "799" ], "x-ms-ratelimit-remaining-subscription-global-deletes": [ "11999" ], @@ -68,7 +68,7 @@ "Pragma": [ "no-cache" ], "Vary": [ "Accept-Encoding" ], "x-ms-ratelimit-remaining-subscription-reads": [ "1099" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/fa6577e5-b86e-4199-a138-c355240dccac" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/fa6577e5-b86e-4199-a138-c355240dccac" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-ratelimit-remaining-subscription-global-reads": [ "16499" ], "x-ms-request-id": [ "6ed0f42b-c467-4a01-ab93-7995bed5558d" ], @@ -111,7 +111,7 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/46a2334a-6d12-4459-b66e-5fdf5b13eb08" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/46a2334a-6d12-4459-b66e-5fdf5b13eb08" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-ratelimit-remaining-subscription-deletes": [ "799" ], "x-ms-ratelimit-remaining-subscription-global-deletes": [ "11999" ], diff --git a/src/SecurityInsights/SecurityInsights.Autorest/test/Remove-AzSentinelIncident.Recording.json b/src/SecurityInsights/SecurityInsights.Autorest/test/Remove-AzSentinelIncident.Recording.json index dd67c51797be..4ac14b405486 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/test/Remove-AzSentinelIncident.Recording.json +++ b/src/SecurityInsights/SecurityInsights.Autorest/test/Remove-AzSentinelIncident.Recording.json @@ -22,7 +22,7 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/0b061d48-5a96-4056-af70-a7463ad6b6b9" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/0b061d48-5a96-4056-af70-a7463ad6b6b9" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-ratelimit-remaining-subscription-deletes": [ "799" ], "x-ms-ratelimit-remaining-subscription-global-deletes": [ "11999" ], @@ -68,7 +68,7 @@ "Pragma": [ "no-cache" ], "Vary": [ "Accept-Encoding" ], "x-ms-ratelimit-remaining-subscription-reads": [ "1099" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/04a31529-2706-40b6-915e-c587242dfa12" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/04a31529-2706-40b6-915e-c587242dfa12" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-ratelimit-remaining-subscription-global-reads": [ "16499" ], "x-ms-request-id": [ "633f0784-ed13-49db-8ec0-4e3289ec1304" ], @@ -111,7 +111,7 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/ffc066d4-6c3c-4c7c-8bbe-25d889914aa7" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/ffc066d4-6c3c-4c7c-8bbe-25d889914aa7" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-ratelimit-remaining-subscription-deletes": [ "799" ], "x-ms-ratelimit-remaining-subscription-global-deletes": [ "11999" ], diff --git a/src/SecurityInsights/SecurityInsights.Autorest/test/Remove-AzSentinelIncidentComment.Recording.json b/src/SecurityInsights/SecurityInsights.Autorest/test/Remove-AzSentinelIncidentComment.Recording.json index 67225ef4634e..d96e5e2f667b 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/test/Remove-AzSentinelIncidentComment.Recording.json +++ b/src/SecurityInsights/SecurityInsights.Autorest/test/Remove-AzSentinelIncidentComment.Recording.json @@ -22,7 +22,7 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/d03745b1-678a-4bf5-8a54-dda50d859273" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/d03745b1-678a-4bf5-8a54-dda50d859273" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "799" ], "x-ms-request-id": [ "c4e82808-71e1-481a-9c2d-4eed709b949c" ], @@ -67,7 +67,7 @@ "Pragma": [ "no-cache" ], "Vary": [ "Accept-Encoding" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "1099" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/ed635c88-99ae-4c98-bb9d-b47458c76c36" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/ed635c88-99ae-4c98-bb9d-b47458c76c36" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-request-id": [ "f0e8fe3c-42d6-4d80-9c00-5f332424dc0d" ], "x-ms-correlation-request-id": [ "f0e8fe3c-42d6-4d80-9c00-5f332424dc0d" ], @@ -109,7 +109,7 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/9e73f7f7-1a7c-4571-ae7e-fb46788c89d3" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/9e73f7f7-1a7c-4571-ae7e-fb46788c89d3" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "799" ], "x-ms-request-id": [ "54a16854-9e95-4762-983d-b0263e07b13f" ], diff --git a/src/SecurityInsights/SecurityInsights.Autorest/test/Remove-AzSentinelIncidentRelation.Recording.json b/src/SecurityInsights/SecurityInsights.Autorest/test/Remove-AzSentinelIncidentRelation.Recording.json index 7988f162d81e..94def46ec124 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/test/Remove-AzSentinelIncidentRelation.Recording.json +++ b/src/SecurityInsights/SecurityInsights.Autorest/test/Remove-AzSentinelIncidentRelation.Recording.json @@ -22,7 +22,7 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/2132f377-a1a3-41d1-a101-46f13074be95" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/2132f377-a1a3-41d1-a101-46f13074be95" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "799" ], "x-ms-request-id": [ "ada05923-c188-4310-9038-3d9ad570d6f7" ], @@ -65,7 +65,7 @@ "Pragma": [ "no-cache" ], "Vary": [ "Accept-Encoding" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "1099" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/aa4c3090-a618-420b-809c-c7cc779e20bf" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/aa4c3090-a618-420b-809c-c7cc779e20bf" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-request-id": [ "89c1f7f2-c2bb-4fb5-903d-158c02e25c5f" ], "x-ms-correlation-request-id": [ "89c1f7f2-c2bb-4fb5-903d-158c02e25c5f" ], @@ -107,7 +107,7 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/5e4f928e-1ef8-4818-95b8-1da1b5215b58" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/5e4f928e-1ef8-4818-95b8-1da1b5215b58" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "799" ], "x-ms-request-id": [ "9c9de74a-3864-4590-8aee-030331fbc269" ], diff --git a/src/SecurityInsights/SecurityInsights.Autorest/test/Remove-AzSentinelOnboardingState.Recording.json b/src/SecurityInsights/SecurityInsights.Autorest/test/Remove-AzSentinelOnboardingState.Recording.json index c3856512ac21..308ebbe15684 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/test/Remove-AzSentinelOnboardingState.Recording.json +++ b/src/SecurityInsights/SecurityInsights.Autorest/test/Remove-AzSentinelOnboardingState.Recording.json @@ -22,7 +22,7 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/710c0aa8-0022-4122-87eb-d1ac2188f20a" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/710c0aa8-0022-4122-87eb-d1ac2188f20a" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-ratelimit-remaining-subscription-deletes": [ "800" ], "x-ms-ratelimit-remaining-subscription-global-deletes": [ "12000" ], diff --git a/src/SecurityInsights/SecurityInsights.Autorest/test/Update-AzSentinelAlertRuleAction.Recording.json b/src/SecurityInsights/SecurityInsights.Autorest/test/Update-AzSentinelAlertRuleAction.Recording.json index 1b44aa771ef5..5688d329fe42 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/test/Update-AzSentinelAlertRuleAction.Recording.json +++ b/src/SecurityInsights/SecurityInsights.Autorest/test/Update-AzSentinelAlertRuleAction.Recording.json @@ -19,7 +19,7 @@ "Pragma": [ "no-cache" ], "Vary": [ "Accept-Encoding" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "799" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/88da709f-d95f-482f-886d-0457d7fe0b2a" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/88da709f-d95f-482f-886d-0457d7fe0b2a" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-request-id": [ "3e8222f1-bcfd-415d-aa0b-dc3e30a88f66" ], "x-ms-correlation-request-id": [ "3e8222f1-bcfd-415d-aa0b-dc3e30a88f66" ], @@ -63,7 +63,7 @@ "Pragma": [ "no-cache" ], "Vary": [ "Accept-Encoding" ], "x-ms-ratelimit-remaining-subscription-reads": [ "1099" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/ed4ddc32-27e6-4397-b943-858dd00e89b8" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/ed4ddc32-27e6-4397-b943-858dd00e89b8" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-ratelimit-remaining-subscription-global-reads": [ "16499" ], "x-ms-request-id": [ "853e7ae0-3dbe-4c43-bd4c-de2bf61f803c" ], @@ -103,7 +103,7 @@ "Pragma": [ "no-cache" ], "Vary": [ "Accept-Encoding" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "799" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/f454aa2e-9b2c-4c9f-be04-961c82d20ebc" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/f454aa2e-9b2c-4c9f-be04-961c82d20ebc" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-request-id": [ "4a2b78ab-e18a-458f-9208-5dcf80030da1" ], "x-ms-correlation-request-id": [ "4a2b78ab-e18a-458f-9208-5dcf80030da1" ], diff --git a/src/SecurityInsights/SecurityInsights.Autorest/test/Update-AzSentinelAutomationRule.Recording.json b/src/SecurityInsights/SecurityInsights.Autorest/test/Update-AzSentinelAutomationRule.Recording.json index 83e8521327fe..019e843db38a 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/test/Update-AzSentinelAutomationRule.Recording.json +++ b/src/SecurityInsights/SecurityInsights.Autorest/test/Update-AzSentinelAutomationRule.Recording.json @@ -24,7 +24,7 @@ "Pragma": [ "no-cache" ], "Vary": [ "Accept-Encoding" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "1099" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/94604027-5901-45f0-84b7-ba393cf307de" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/94604027-5901-45f0-84b7-ba393cf307de" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-request-id": [ "dbdc588f-9ff5-4bd6-bed1-3381daf00454" ], "x-ms-correlation-request-id": [ "dbdc588f-9ff5-4bd6-bed1-3381daf00454" ], @@ -68,7 +68,7 @@ "Pragma": [ "no-cache" ], "Vary": [ "Accept-Encoding" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "1099" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/02080e38-f31c-40c9-b01c-c9b39fbac390" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/02080e38-f31c-40c9-b01c-c9b39fbac390" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-request-id": [ "68ba2be7-bd39-41b8-8a53-264da70e3d7b" ], "x-ms-correlation-request-id": [ "68ba2be7-bd39-41b8-8a53-264da70e3d7b" ], @@ -107,7 +107,7 @@ "Pragma": [ "no-cache" ], "Vary": [ "Accept-Encoding" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "799" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/d1cb6d53-249d-4276-8547-14c5c8c00dd4" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/d1cb6d53-249d-4276-8547-14c5c8c00dd4" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-request-id": [ "206cdccc-1c05-4e03-9a1f-0ec0afcb5319" ], "x-ms-correlation-request-id": [ "206cdccc-1c05-4e03-9a1f-0ec0afcb5319" ], @@ -151,7 +151,7 @@ "Pragma": [ "no-cache" ], "Vary": [ "Accept-Encoding" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "1099" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/70f494c5-fcb7-4e88-9698-19943207a6d8" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/70f494c5-fcb7-4e88-9698-19943207a6d8" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-request-id": [ "20082464-3616-470f-82a1-85526ad15cd4" ], "x-ms-correlation-request-id": [ "20082464-3616-470f-82a1-85526ad15cd4" ], @@ -195,7 +195,7 @@ "Pragma": [ "no-cache" ], "Vary": [ "Accept-Encoding" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "1099" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/4d20e3ac-d3c4-4a18-a1db-3f2e6110ac07" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/4d20e3ac-d3c4-4a18-a1db-3f2e6110ac07" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-request-id": [ "0f2f2021-b329-4b92-8761-0cf825cbb099" ], "x-ms-correlation-request-id": [ "0f2f2021-b329-4b92-8761-0cf825cbb099" ], @@ -234,7 +234,7 @@ "Pragma": [ "no-cache" ], "Vary": [ "Accept-Encoding" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "799" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/8e6a8398-6857-4d81-9eb9-865106cbfffd" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/8e6a8398-6857-4d81-9eb9-865106cbfffd" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-request-id": [ "b4158de8-edf6-42d9-9297-267d70584553" ], "x-ms-correlation-request-id": [ "b4158de8-edf6-42d9-9297-267d70584553" ], diff --git a/src/SecurityInsights/SecurityInsights.Autorest/test/Update-AzSentinelBookmark.Recording.json b/src/SecurityInsights/SecurityInsights.Autorest/test/Update-AzSentinelBookmark.Recording.json index 1f6c6457d009..31073515c3e8 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/test/Update-AzSentinelBookmark.Recording.json +++ b/src/SecurityInsights/SecurityInsights.Autorest/test/Update-AzSentinelBookmark.Recording.json @@ -24,7 +24,7 @@ "Pragma": [ "no-cache" ], "Vary": [ "Accept-Encoding" ], "x-ms-ratelimit-remaining-subscription-reads": [ "1099" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/9e99782e-d828-40e9-9045-32304806a8d0" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/9e99782e-d828-40e9-9045-32304806a8d0" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-ratelimit-remaining-subscription-global-reads": [ "16499" ], "x-ms-request-id": [ "ff3ee478-38c0-4525-914f-e18c1c6828d6" ], @@ -69,7 +69,7 @@ "Pragma": [ "no-cache" ], "Vary": [ "Accept-Encoding" ], "x-ms-ratelimit-remaining-subscription-reads": [ "1099" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/d2584004-86ef-4fad-bad1-46ab28fb004b" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/d2584004-86ef-4fad-bad1-46ab28fb004b" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-ratelimit-remaining-subscription-global-reads": [ "16499" ], "x-ms-request-id": [ "d86c3caa-e437-44ca-9c68-1557320ede2c" ], @@ -109,7 +109,7 @@ "Pragma": [ "no-cache" ], "Vary": [ "Accept-Encoding" ], "x-ms-ratelimit-remaining-subscription-writes": [ "799" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/b32ddd73-b6ce-48bc-a6ad-aa92303966d2" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/b32ddd73-b6ce-48bc-a6ad-aa92303966d2" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-ratelimit-remaining-subscription-global-writes": [ "11999" ], "x-ms-request-id": [ "375802ca-fcd2-4f90-af50-495f68f991c6" ], @@ -154,7 +154,7 @@ "Pragma": [ "no-cache" ], "Vary": [ "Accept-Encoding" ], "x-ms-ratelimit-remaining-subscription-reads": [ "1099" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/f6328278-1767-41bb-9552-207ef8396096" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/f6328278-1767-41bb-9552-207ef8396096" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-ratelimit-remaining-subscription-global-reads": [ "16499" ], "x-ms-request-id": [ "4614ce3e-73db-431a-a95c-1904ee6c1675" ], @@ -199,7 +199,7 @@ "Pragma": [ "no-cache" ], "Vary": [ "Accept-Encoding" ], "x-ms-ratelimit-remaining-subscription-reads": [ "1099" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/a5c10fbe-da9a-4a00-9f37-98deaec5580e" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/a5c10fbe-da9a-4a00-9f37-98deaec5580e" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-ratelimit-remaining-subscription-global-reads": [ "16499" ], "x-ms-request-id": [ "26c34f2a-4b56-40fe-90b7-3949ae2b35d7" ], @@ -239,7 +239,7 @@ "Pragma": [ "no-cache" ], "Vary": [ "Accept-Encoding" ], "x-ms-ratelimit-remaining-subscription-writes": [ "799" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/df977f82-8b6b-49e4-8aed-aaf038b46bf4" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/df977f82-8b6b-49e4-8aed-aaf038b46bf4" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-ratelimit-remaining-subscription-global-writes": [ "11999" ], "x-ms-request-id": [ "99cd1ca3-b48f-4793-bf30-368e14f2a9c1" ], diff --git a/src/SecurityInsights/SecurityInsights.Autorest/test/Update-AzSentinelBookmarkRelation.Recording.json b/src/SecurityInsights/SecurityInsights.Autorest/test/Update-AzSentinelBookmarkRelation.Recording.json index 8541a3412915..25a13ebc1451 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/test/Update-AzSentinelBookmarkRelation.Recording.json +++ b/src/SecurityInsights/SecurityInsights.Autorest/test/Update-AzSentinelBookmarkRelation.Recording.json @@ -17,7 +17,7 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/7af46c69-6e59-464d-aa81-cc9e46477aa3" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/7af46c69-6e59-464d-aa81-cc9e46477aa3" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "799" ], "x-ms-request-id": [ "28c228b0-5447-460c-a8fd-123bb0057261" ], @@ -62,7 +62,7 @@ "Pragma": [ "no-cache" ], "Vary": [ "Accept-Encoding" ], "x-ms-ratelimit-remaining-subscription-reads": [ "1099" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/6f35e2f7-25ea-48d1-a7ca-bc5caff05f5f" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/6f35e2f7-25ea-48d1-a7ca-bc5caff05f5f" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-ratelimit-remaining-subscription-global-reads": [ "16499" ], "x-ms-request-id": [ "ee053891-2245-495e-bf44-b34f8a1ff69e" ], @@ -102,7 +102,7 @@ "Pragma": [ "no-cache" ], "Vary": [ "Accept-Encoding" ], "x-ms-ratelimit-remaining-subscription-writes": [ "799" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/71635ddb-1d5d-4eaa-bde3-a22b396d0fe8" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/71635ddb-1d5d-4eaa-bde3-a22b396d0fe8" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-ratelimit-remaining-subscription-global-writes": [ "11999" ], "x-ms-request-id": [ "f5193e15-ea4d-4078-8e69-351bef051e18" ], @@ -140,7 +140,7 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/1011280a-922d-4d3e-bfc5-369a6b2afc5f" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/1011280a-922d-4d3e-bfc5-369a6b2afc5f" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "799" ], "x-ms-request-id": [ "e69e4502-3761-494a-86d3-6bb79b2a6df7" ], @@ -185,7 +185,7 @@ "Pragma": [ "no-cache" ], "Vary": [ "Accept-Encoding" ], "x-ms-ratelimit-remaining-subscription-reads": [ "1099" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/d39d0255-51b5-42c1-8db7-76b49193674c" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/d39d0255-51b5-42c1-8db7-76b49193674c" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-ratelimit-remaining-subscription-global-reads": [ "16499" ], "x-ms-request-id": [ "736c9101-5e04-4572-b657-0544bce0c2e9" ], @@ -230,7 +230,7 @@ "Pragma": [ "no-cache" ], "Vary": [ "Accept-Encoding" ], "x-ms-ratelimit-remaining-subscription-reads": [ "1099" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/279038a1-18c1-4edd-a66b-b0219aa7c7ad" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/279038a1-18c1-4edd-a66b-b0219aa7c7ad" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-ratelimit-remaining-subscription-global-reads": [ "16499" ], "x-ms-request-id": [ "a4bb84c7-5a35-4fcb-9977-a115cbcb3295" ], @@ -270,7 +270,7 @@ "Pragma": [ "no-cache" ], "Vary": [ "Accept-Encoding" ], "x-ms-ratelimit-remaining-subscription-writes": [ "799" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/c6f7ec54-486f-4e87-bc58-981328a857a8" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/c6f7ec54-486f-4e87-bc58-981328a857a8" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-ratelimit-remaining-subscription-global-writes": [ "11999" ], "x-ms-request-id": [ "41c99c01-08d6-4c26-acee-720bce818d9a" ], diff --git a/src/SecurityInsights/SecurityInsights.Autorest/test/Update-AzSentinelIncident.Recording.json b/src/SecurityInsights/SecurityInsights.Autorest/test/Update-AzSentinelIncident.Recording.json index d906fd7b4224..6f0cafa39ad8 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/test/Update-AzSentinelIncident.Recording.json +++ b/src/SecurityInsights/SecurityInsights.Autorest/test/Update-AzSentinelIncident.Recording.json @@ -24,7 +24,7 @@ "Pragma": [ "no-cache" ], "Vary": [ "Accept-Encoding" ], "x-ms-ratelimit-remaining-subscription-reads": [ "1099" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/cbd4ef1c-acf2-49f7-8683-01a23103fb58" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/cbd4ef1c-acf2-49f7-8683-01a23103fb58" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-ratelimit-remaining-subscription-global-reads": [ "16499" ], "x-ms-request-id": [ "95212cc5-5a7c-429f-8460-00995597bd4e" ], @@ -69,7 +69,7 @@ "Pragma": [ "no-cache" ], "Vary": [ "Accept-Encoding" ], "x-ms-ratelimit-remaining-subscription-reads": [ "1099" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/7710dd80-68fd-4215-b411-5e55f75f2111" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/7710dd80-68fd-4215-b411-5e55f75f2111" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-ratelimit-remaining-subscription-global-reads": [ "16499" ], "x-ms-request-id": [ "ef2b05a6-0e3c-4e6a-b38c-2ac277d28460" ], @@ -109,7 +109,7 @@ "Pragma": [ "no-cache" ], "Vary": [ "Accept-Encoding" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "799" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/f9e748a7-fc7e-430f-83f0-fef361507f8a" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/f9e748a7-fc7e-430f-83f0-fef361507f8a" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-request-id": [ "8659be7f-2629-4a08-866c-861c47cd842c" ], "x-ms-correlation-request-id": [ "8659be7f-2629-4a08-866c-861c47cd842c" ], @@ -153,7 +153,7 @@ "Pragma": [ "no-cache" ], "Vary": [ "Accept-Encoding" ], "x-ms-ratelimit-remaining-subscription-reads": [ "1098" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/a3001109-5568-4e92-ba51-08d61ec39b32" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/a3001109-5568-4e92-ba51-08d61ec39b32" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-ratelimit-remaining-subscription-global-reads": [ "16498" ], "x-ms-request-id": [ "82fd37c2-93f3-43ea-8347-10a1d60bad5f" ], @@ -198,7 +198,7 @@ "Pragma": [ "no-cache" ], "Vary": [ "Accept-Encoding" ], "x-ms-ratelimit-remaining-subscription-reads": [ "1099" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/71b36890-5d20-4707-b2aa-d1f0cf9f6027" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/71b36890-5d20-4707-b2aa-d1f0cf9f6027" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-ratelimit-remaining-subscription-global-reads": [ "16499" ], "x-ms-request-id": [ "682b49f9-cb3e-49ac-a359-7f005d0c77c2" ], @@ -238,7 +238,7 @@ "Pragma": [ "no-cache" ], "Vary": [ "Accept-Encoding" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "799" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/0a7fa5a3-5503-409f-8470-3d67c550a78a" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/0a7fa5a3-5503-409f-8470-3d67c550a78a" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-request-id": [ "86f4d817-5670-433b-85ec-fd78fad1acff" ], "x-ms-correlation-request-id": [ "86f4d817-5670-433b-85ec-fd78fad1acff" ], diff --git a/src/SecurityInsights/SecurityInsights.Autorest/test/Update-AzSentinelIncidentComment.Recording.json b/src/SecurityInsights/SecurityInsights.Autorest/test/Update-AzSentinelIncidentComment.Recording.json index de88dc40dc77..48e7192043f3 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/test/Update-AzSentinelIncidentComment.Recording.json +++ b/src/SecurityInsights/SecurityInsights.Autorest/test/Update-AzSentinelIncidentComment.Recording.json @@ -24,7 +24,7 @@ "Pragma": [ "no-cache" ], "Vary": [ "Accept-Encoding" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "1099" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/d37aab1e-ae2d-43e3-a005-cdf9250f2084" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/d37aab1e-ae2d-43e3-a005-cdf9250f2084" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-request-id": [ "258bcd92-1fb2-4f54-b195-48f634d11868" ], "x-ms-correlation-request-id": [ "258bcd92-1fb2-4f54-b195-48f634d11868" ], @@ -63,7 +63,7 @@ "Pragma": [ "no-cache" ], "Vary": [ "Accept-Encoding" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "799" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/ac0676be-9f3d-4755-b550-3abbca25147d" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/ac0676be-9f3d-4755-b550-3abbca25147d" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-request-id": [ "2f5292bf-7931-4e80-8e87-aa6cc9c91f48" ], "x-ms-correlation-request-id": [ "2f5292bf-7931-4e80-8e87-aa6cc9c91f48" ], @@ -107,7 +107,7 @@ "Pragma": [ "no-cache" ], "Vary": [ "Accept-Encoding" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "1099" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/bf36c8fa-e75d-4540-bdf7-3848b4351c38" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/bf36c8fa-e75d-4540-bdf7-3848b4351c38" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-request-id": [ "818b6903-c010-4b28-8abb-205dc5242efe" ], "x-ms-correlation-request-id": [ "818b6903-c010-4b28-8abb-205dc5242efe" ], @@ -151,7 +151,7 @@ "Pragma": [ "no-cache" ], "Vary": [ "Accept-Encoding" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "1099" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/66b86700-2f34-4d16-8c86-f646e48f5d15" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/66b86700-2f34-4d16-8c86-f646e48f5d15" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-request-id": [ "b15c3ea5-0622-4732-91ca-fcc3903ecf2a" ], "x-ms-correlation-request-id": [ "b15c3ea5-0622-4732-91ca-fcc3903ecf2a" ], @@ -190,7 +190,7 @@ "Pragma": [ "no-cache" ], "Vary": [ "Accept-Encoding" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "799" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/321db7ef-5482-4dab-b5e6-435daff5ac69" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/321db7ef-5482-4dab-b5e6-435daff5ac69" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-request-id": [ "c8c9029f-b782-44e3-8430-9ffc970b5a99" ], "x-ms-correlation-request-id": [ "c8c9029f-b782-44e3-8430-9ffc970b5a99" ], diff --git a/src/SecurityInsights/SecurityInsights.Autorest/test/Update-AzSentinelIncidentRelation.Recording.json b/src/SecurityInsights/SecurityInsights.Autorest/test/Update-AzSentinelIncidentRelation.Recording.json index 4edda727c211..ba0cd5edd961 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/test/Update-AzSentinelIncidentRelation.Recording.json +++ b/src/SecurityInsights/SecurityInsights.Autorest/test/Update-AzSentinelIncidentRelation.Recording.json @@ -19,7 +19,7 @@ "Pragma": [ "no-cache" ], "Vary": [ "Accept-Encoding" ], "x-ms-ratelimit-remaining-subscription-writes": [ "799" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/33664864-ced3-409a-9f2c-71338790fb6b" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/33664864-ced3-409a-9f2c-71338790fb6b" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-ratelimit-remaining-subscription-global-writes": [ "11999" ], "x-ms-request-id": [ "27be737f-4725-498b-a5df-b0f0cb914a84" ], @@ -64,7 +64,7 @@ "Pragma": [ "no-cache" ], "Vary": [ "Accept-Encoding" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "1099" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/dd04337b-edff-41cc-bacf-71cd0c0f635c" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/dd04337b-edff-41cc-bacf-71cd0c0f635c" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-request-id": [ "dba2d760-afb7-4caa-a824-ccfcf65e3799" ], "x-ms-correlation-request-id": [ "dba2d760-afb7-4caa-a824-ccfcf65e3799" ], @@ -101,7 +101,7 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/e3d3fbc9-fc28-4456-a988-c10c3df11bd8" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/e3d3fbc9-fc28-4456-a988-c10c3df11bd8" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "799" ], "x-ms-request-id": [ "f604cad1-1599-4466-ad8d-d6c44676f445" ], @@ -141,7 +141,7 @@ "Pragma": [ "no-cache" ], "Vary": [ "Accept-Encoding" ], "x-ms-ratelimit-remaining-subscription-writes": [ "799" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/8203c207-5cfe-4fd1-a5ed-b995d0db8ccb" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/8203c207-5cfe-4fd1-a5ed-b995d0db8ccb" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-ratelimit-remaining-subscription-global-writes": [ "11999" ], "x-ms-request-id": [ "bef5fea4-8a85-4065-9364-cb4ba9a8ec68" ], @@ -186,7 +186,7 @@ "Pragma": [ "no-cache" ], "Vary": [ "Accept-Encoding" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "1099" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/5123253e-e19b-44e7-a77c-25686705bf01" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/5123253e-e19b-44e7-a77c-25686705bf01" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-request-id": [ "854b5514-5afe-46c2-8274-e93c99bf0f80" ], "x-ms-correlation-request-id": [ "854b5514-5afe-46c2-8274-e93c99bf0f80" ], @@ -230,7 +230,7 @@ "Pragma": [ "no-cache" ], "Vary": [ "Accept-Encoding" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "1099" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/0978c281-b0d5-4f8f-bc19-d5b56b10be87" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/0978c281-b0d5-4f8f-bc19-d5b56b10be87" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-request-id": [ "43635cc0-ad38-4e27-94e3-07e30087c505" ], "x-ms-correlation-request-id": [ "43635cc0-ad38-4e27-94e3-07e30087c505" ], @@ -267,7 +267,7 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "x-ms-operation-identifier": [ "tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=6a5d8eb9-1ffd-4356-a5aa-f3000bc9a9bb/centralus/004dbed0-7d02-4454-976b-813da9073012" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/004dbed0-7d02-4454-976b-813da9073012" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "799" ], "x-ms-request-id": [ "d1852d8c-debf-46e7-b09f-0567ee452cec" ],